New scam

Postby XFool » July 18th, 2018, 12:03 am

"Is this one of the most convincing scams yet? Watch out for the email pretending to be from Facebook offering you £70 to do a survey"

http://www.thisismoney.co.uk/money/beat ... urvey.html

Postby Julian » July 18th, 2018, 9:19 am

It really is a jungle out there. According to that article there are bogus links in the email (a request to complete a survey) and...

"It is unclear what the links in the website would take you to, but it is likely an attempt to install malware or siphon personal information – or both."

Siphoning personal info is pretty easy/obvious but on the "install malware" bit how easy is that to do nowadays via a drive-by contact, i.e. the user doesn't get tricked into explicitly downloading and installing something? With a fully patched mainstream browser (IE, Edge, Chrome, Firefox etc) are there still vulnerabilities whereby some malicious jpg or other seemingly innocent component in an ad or elsewhere on a web page can manage to do code execution on the browser to install malware or have those loopholes been, as far as we know, all closed now so that definite user action is required to install malware?

I'm assuming Flash has been disabled in the visiting browser for my hypothetical scenario since Flash has made me nervous for years now.

- Julian

Postby Infrasonic » July 18th, 2018, 11:08 am

^^ If you follow the tech security press closely one of the major issues is that some of the more esoteric exploits remain hidden for years due to the fact that they are initiated by well funded state actors employing high level specialists, who are good at covering their tracks...

There was a very smartly coded 'Eastern Europe' router exploit recently discovered that had been floating around for years, MikroTik got caught up in it and TBF to them they issued a firmware update immediately.

So we're into Rumsfeld known unknowns and unknown unknowns territory here...:)

Virtualisation of browsers is coming, in addition to the already in place sandboxing.
All of this adds to overhead though CPU/RAM wise, witness Chrome's recent Spectre fixes.

Postby Julian » July 18th, 2018, 11:37 am

Infrasonic wrote:
^^ If you follow the tech security press closely one of the major issues is that some of the more esoteric exploits remain hidden for years due to the fact that they are initiated by well funded state actors employing high level specialists, who are good at covering their tracks...
...
Virtualisation of browsers is coming, in addition to the already in place sandboxing.
All of this adds to overhead though CPU/RAM wise, witness Chrome's recent Spectre fixes.

Indeed. I'm probably being far too naive but I'm actually less worried about state actors(*) since I assume they will use their dark arts to spy on persons of interest rather than try to grab my bank account or credit card details to steal my money.

I did see that stuff about the Chrome fix for Spectre, in fact I am typing into the Spectre-fixed version of Chrome right now. For my very undemanding general browsing use I can't say that I see any performance issues but do accept that there is a hit (if you tell me there is), it's just that it's below my threshold of being noticeable, probably helped by the fact that my PC is pretty over-specified for general browsing tasks.

- Julian

(*) I actually witnessed a state actor, or rather an ex one, using his dark arts in public. There was some banter between a couple of technical guys in our office with one claiming that his latest security-hardened version of Solaris was rock solid and another guy, who we happened to have recruited from GCHQ a few months earlier, saying that he could get into the system in less than a minute. The other guy told him that he was talking rubbish and didn't believe him at which point the ex-GCHQ guy said "look at your screen" and there was a terminal window popped up, running with root privilege, displaying the message "Hello <victims-name>". That was the one indiscretion I ever saw from that ex-GCHQ guy in the three years that I worked with him and could have probably landed him in jail but it was quite funny to see the victim's reaction. The ex-GCHQ guy obviously never let anyone know how he did it, presumably a known-to-GCHQ but not yet publicly-known vulnerability in Solaris.

Postby Infrasonic » July 18th, 2018, 11:43 am

I'm keeping a close eye on... https://brave.com/features/
It's just got Tor integration.

On Android I currently use Ghostery browser as my 'anonymous'.

Postby Infrasonic » July 18th, 2018, 12:00 pm

Julian wrote:
Indeed. I'm probably being far too naive but I'm actually less worried about state actors(*) since I assume they will use their dark arts to spy on persons of interest rather than try to grab my bank account or credit card details to steal my money.

Hmmm, much of the financial fraud is coming from Russian mafia groups 'hiring' high level computer scientists, mathematicians et al.
The breakup of the USSR saw many academics become destitute, very easy to flip someone with no money...
Read Bill Browder's 'Red Notice' for a real eye opener on what's really going on over there in terms of state/mafia collusion across the board.

I have two relatives that lived through Stalin's WWII Russia and wrote books about it, harrowing stuff. Putin is Stalin 2.0...

Postby Infrasonic » July 21st, 2018, 8:48 pm

https://www.theregister.co.uk/2018/07/2 ... bank_hack/

Hackers stole almost $1m from a Russian bank earlier this month after breaching its network via an outdated router.

PIR Bank was looted by the notorious MoneyTaker hacking group, according to Group-IB, the Moscow-based security firm called in by the bank to handle incident response.

Funds were stolen on 3 July through the Russian Central Bank's Automated Workstation Client (an interbank fund transfer system similar to SWIFT), transferred to 17 accounts at major Russian banks and cashed out. Cybercrooks tried to ensure persistence in the bank's network through "reverse shell" programs in preparation for subsequent attacks, but these hacking tools were detected and expunged before further mischief could be wrought.

Cont.

...According to Group-IB, up until December last year MoneyTaker had conducted 16 attacks in the US, five attacks on Russian banks and one attack on a banking software company in the UK. The average damage caused by one attack in the US amounted to $500,000. In Russia, the average amount of money withdrawn is $1.2m per incident. In addition to money, the cybercriminals habitually steal documents about interbank payment systems needed to prepare for subsequent attacks.

