Facebook pays for exploit to catch a predator, voting software security under the microscope...

Roundup We all made it through another week – and here's a treat: another Register security roundup.

OmniBallot takes heat in uni security assessment

The eggheads at MIT produced a report [PDF] detailing their probing of OmniBallot, a web-based ballot-issuing and voting system made by Democracy Live for US state elections – and warned the software doesn't do enough to ensure the integrity of its technology. There are no checks to make sure ballot or vote-altering malware is not present on the voter's computer or handheld device, or the servers running the OmniBallot backend, for instance.

"We find that OmniBallot uses a simplistic approach to internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare," the team wrote. "In addition, Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information — including the voter’s identity, ballot selections, and browser fingerprint — that could be used to target political ads or disinformation campaigns."

Mind you, there were no actual security vulnerabilities found. In a statement, Democracy Live told us: "The report did not find any technical vulnerabilities in OmniBallot. The authors take issue with online technologies in general relating to the transmission of ballots. The report does note that OmniBallot has been used primarily for voters with disabilities, or voters who cannot vote in person such as those stationed overseas in the military.

"We agree with the authors of the report that a vote verification tool would add further security to the system. Democracy Live supports this recommendation and will be offering a vote verification option to future deployments of OmniBallot."

Honda hit by ransomware

Auto giant Honda saw much of its network go down last week thanks to what was eventually revealed to be a ransomware attack. Initially described only as a technical difficulty, its IT network down on Monday.

At this time Honda Customer Service and Honda Financial Services are experiencing technical difficulties and are unavailable. We are working to resolve the issue as quickly as possible. We apologize for the inconvenience and thank you for your patience and understanding.

— Honda Automobile Customer Service (@HondaCustSvc) June 8, 2020

These "technical difficulties" were later revealed to be the result of a ransomware infection attributed to the Snake malware crew. The outage temporarily took down some of Honda's US production facilities and knocked out its customer service operation for more than a day. No loss of customer personal information was reported.

FBI taps Facebook to collar sex harasser using exploit

After the FBI snared a child predator in southern California, it emerged Facebook played a role in the take-down.

According to Vice, back in 2017 the antisocial network, in cooperation with the Feds, paid a security outfit $100,000+ to develop a zero-day exploit for the Tails operating system that routes connections via Tor – and operating system used by Buster Hernandez, aka Brian Kil, to threaten, extort, and stalk children on Facebook. Specifically, the exploit was seemingly stashed in a video file shared with Hernandez via Dropbox, and when opened in his Tails environment, executed code that sent his true public IP address to the Feds, allowing agents to unmask and snare him.

Hernandez, 28, was charged with dozens of counts of sexual exploitation of minors, making online threats, and demanding intimate pictures. In one message, he told a victim: "I am coming for you. I will slaughter your entire class and save you for last."

In February, he pleaded guilty to 41 counts.

Facebook files suit against domain imposters

The Social Network has kicked off a legal campaign against an India-based registrar it believes is allowing criminals to register Facebook-targeted phishing sites.

The House of Zuck claimed Compsys Domain Solutions Private was letting scammers sign up for domains like like: facebook-verify-inc.com and videocall-whatsapp.com knowing full well those domains would be used to set up phishing sites or push malware.

"We filed suit after we reached out to Compsys about these domain names and did not receive any response," said Facebook. "Registrars and proxy services have a responsibility to take down deceptive and malicious websites."

F**kin' magnets, how do they hack?

The latest source of data leakage? The magnetometer in your smartphone and other devices.

Lukasz Olejnik has found that the embedded magnetometer sensor in many handhelds can be employed to spy on activities via a browser API. This includes things you might expect, such as tracking movements, and less likely things, including figuring out what apps are being run on the device.

"Due to how modern mobile hardware is built and works, magnetic field readings may even allow the discovery of what the user is doing: which application is in use, or even which website the user is visiting (so web browsing history leak)," Olejnik explained. "This may be made possible by establishing the fingerprints of various apps in use, or the fingerprint of the visited websites - based on the disturbances in the magnetic field caused by the changes in the CPU, for example by the high workload caused by device use."

California man charged for SIM-swap attacks

The FBI has collared and charged a 20-year-old man from the San Francisco Bay Area with performing SIM-swapping scams on "at least" 20 victims.

Richard Li is accused of calling up mobile carriers and convincing them to transfer a target's phone number to a SIM card on a phone he controlled. The swapped-out SIMs were then, it is claimed, used to steal the authentication codes needed to reset the passwords on the victim's bank and cryptocurrency accounts. If convicted, Li faces up to five years behind bars.

Feds say banking app attacks are on the rise

The FBI has issued an alert over what it says is a sharp increase in criminals targeting mobile banking apps.

The Feds reckon that, with so many people still under lockdown or isolating thanks to the pandemic, the use of mobile apps for banking has gone through the roof and, as a result, more miscreants are trying to take advantage by spreading both fake banking apps and trojans described as other applications.

"The FBI advises the public to be cautious when downloading apps on smartphones and tablets, as some could be concealing malicious intent," the alert noted.

"Cyber actors target banking information using banking trojans, which are malicious programs that disguise themselves as other apps, such as games or tools."

Knoxville knocked offline by ransomware

Yet another local government has been crippled by a ransomware attack.

This time, it's the city of Knoxville, Tennessee, in the States that is dealing with an infection that has taken out some of its city services, though emergency response services are not impacted. It is reported the city has had to cut communications between various departments in order to contain the malware outbreak.

The source of the attack and the family of ransomware used was not given. The city does not believe any citizen or employee information was taken by the attackers. ®