Meetup Vulnerabilities: Escalation of Privilege and Redirection of Funds

Application Security News – December 9 – 15, 2013

In this week’s AppSec digest, NSA agents spy on World of Warcraft Orcs, Facebook acts like a Nosy Nancy, Gmail auto-downloads all your advertise – I mean images, and CryptoLocker copycats emerge. Get informed about the latest news in security and start your week out fresh.

NSA Surveillance Efforts Included World of Warcraft, Second Life

It’s not an edition of AppSec news without a new leak on NSA’s seemingly endless surveillance on citizens both in-state and abroad, so here goes:  This week, details emerged describing a long-term infiltration by both the NSA and Britain’s GCHQ into popular video games including World of Warcraft, Second Life in an effort to seek out terrorists using the online games as a way to communicate with one another.

The massive virtual communities offered within the Xbox Live console network were described in the NSA document as “target-rich communications” in which possible terrorists could be hiding in plain sight. Apparently, so many undercover agents from the NSA, FBI, and other security agencies were operating within the networks that a “de-confliction” group helped ensure the agents weren’t, in fact, spying on each other.

Perhaps the most concerning revelation about the monitoring effort is the lack of hard evidence as to whether or not terrorist organizations actually used the video games as a method of communication. While internal memos dated from 2009 noted that the games were “essentially unregulated” and so “will almost certainly be used as a venue for terrorist laundering…propaganda and recruitment,” no major proof ever came to light, according to the report.

Read the full article on the NSA Gamers here.

“Nosy Nancy” Facebook Study Calls Users On Their Self-Censorship

A Facebook Data Scientist and a Data Science Ph.D. student from Carnegie Mellon just published a study that blows the lid off two things: how much we self-censor our Facebook posts, and how much data Facebook keeps about its users.

Adam Kramer of Facebook and Sauvik Das from Carnegie Mellon collected the Facebook data of 3.9 million users over a period of 17 days to track the patterns of our last minute status edits. The scientists found that 71% of users “exhibited some level of last minute self-censorship” during their study, which observed status updates, posts on friend’s timelines, an comments on other peoples posts.

Apparently, Facebook’s code automatically reports metadata back to Facebook when we type on Facebook – no matter whether we hit the send button or not. The researchers claim in their report that Facebook only receives data that a user deleted what they typed – not the actual content, fortunately. But the fact that Facebook was collecting data that many users, myself included, didn’t think was being collected is never all that comforting, especially these days, when we’ll take all the privacy we can get.

Read the Self-Censorship on Facebook study here.

Google Auto-Adds Images, Upsetting Privacy Advocates

A new Gmail feature has managed to frustrate email marketers, security researchers and those advocating user privacy alike. Google had updated their email client to automatically display all images accessed by Gmail apps on desktop, iOS an Android. No longer will users need to press the “display images below” button on each email: it is now the default.

The Gmail blog by Product Manager John Rae-Grant explains the new update by saying that Gmail will have already scanned the images to filter out known viruses or malware. Emails will be ‘safe’ by the time we open them, according to the post, and images will be cached through Google’s secure proxy servers.

The move has been met with mixed reviews. Email marketers aren’t so enthusiastic about not getting as much data back on who downloads the images, which effectively tells them which customers are listening, and more detailed information like IP addresses, locations, and more. On the other hand, advertisers are excited about the prospect of having all their well-crafted images finally load automatically in their customer’s inboxes, not to mention more accurate feedback on the number of unique email opens. The latter is a strange move for Google in terms of protecting their users privacy, and one that has been met with concern from privacy advocates.

Read more: Images Now Showing, via The Official Gmail Blog

CryptoLocker Copycat Shows Up On The Market

The amount of press dedicated to the vicious CryptoLocker malware must have appealed to other malicious hackers, as evidenced by the discovery of a new ransomware mimicking the original. The original malware was served through various methods; most usually a rogue link in an email, which when pressed would activate the malware to delete and encrypt all the infected computers files. A pop-up would emerge, demanding the victim pay a certain amount of Bitcoins in return for the files – or else. People in Europe, Russia, and the U.S. fell victim to CryptoLocker attacks, including an embarrassed police department.

The new version, ‘creatively’ called Locker comes at a better ‘value’ for its victims, possibly because it’s easier to penetrate. Locker demands a little less money – about $150 – in return for the same goods: your own files safely back on your computer.  Security Company IntelCrawler apparently uncovered this most recent copycat, which, the company says, is weaker than CrytpoLocker. The company also says they’re working on a solution to help the victims recover their files without donating their funds for them.

CryptoLocker was thought to be targeting small businesses and only time will tell how many of them have actually fallen prey to the malicious attack. At the bottom of this post are some ways to protect yourself from any kind of ransomware attack.

Read more about the Copycat ransomware here.

Jump to Category