
    Facebook forcing Oculus users to have an account on its platform

    Oculus Quest
    Those wishing to use an Oculus device will soon be forced to have a Facebook account in order to log into their VR profile.
    From October, the Facebook-owned company will require its users to log in via the social media platform and merge any existing Oculus accounts with accounts from Facebook. From January 2023, all un-merged Oculus accounts will be shuttered.
    Anyone using an Oculus device for the first time will need a Facebook account to proceed.
    “If you’re an existing user and choose not to merge your accounts, you can continue using your Oculus account for two years,” Oculus wrote in a blog post announcing the mandate.
    “If you choose not to merge your accounts at that time, you can continue using your device, but full functionality will require a Facebook account. We will take steps to allow you to keep using content you have purchased, though we expect some games and apps may no longer work.”
    Oculus said some games and apps may no longer work because they include features that require a Facebook account.
    “All future unreleased Oculus devices will require a Facebook account, even if you already have an Oculus account,” it continued.
    Oculus is touting the mandate as one making it easier to find, connect, and play with friends in VR.
    “We know that social VR has so much more to offer, and this change will make it possible to integrate many of the features people know and love on Facebook,” the post said. “It will also allow us to introduce more Facebook powered multiplayer and social experiences coming soon in VR.”
    With the privacy of its users always front of mind for the Zuckerberg empire, users can choose what information about their VR activity is posted to Facebook, Oculus said.
    “Using a VR profile that is backed by a Facebook account and authentic identity helps us protect our community and makes it possible to offer additional integrity tools,” the post said. “For example, instead of having a separate Oculus Code of Conduct, we will adopt Facebook’s Community Standards as well as a new additional VR-focused policy. This will allow us to continue to take the unique considerations of VR into account while offering a more consistent way to report bad behaviour, hold people accountable, and help create a more welcoming environment across our platforms.”
    Oculus said that when a user logs in using a Facebook account, Facebook will use information related to the use of VR and other Facebook products to “provide and improve your experience”. It will also be used to show the user personalised content, including ads.
    Facebook this year is ending sales of the Oculus Go, the low-end virtual reality headset that delivers 3DOF (three degrees of freedom) tracking.
    The company said in June that it is abandoning the relatively cheap device because users have made it clear “that 6DOF feels like the future of VR”.
    Oculus was scooped up by Facebook in March 2014, for approximately $2 billion.
    At the time of the acquisition, Mark Zuckerberg said that while mobile is the platform of today, his company is getting ready for the platforms of tomorrow.
    “Oculus has the chance to create the most social platform ever, and change the way we work, play, and communicate.”


    Some email clients are vulnerable to attacks via 'mailto' links

    A lesser-known technology known as “mailto” links can be abused to launch attacks on the users of email desktop clients.
    The new attacks can be used to secretly steal local files and have them emailed as attachments to attackers, according to a research paper published last week by academics from two German universities.
    Attacking mailto links
    The “vulnerability” at the heart of these attacks is how email clients implemented RFC6068 — the technical standard that describes the ‘mailto’ URI scheme.
    Mailto links are a special type of link, usually supported by web browsers and email clients, which, when clicked, open a new email compose/reply window rather than a new web page.
    RFC6068 says that mailto links can support various parameters. When used with mailto links, these parameters will pre-fill the new email window with predefined content.
    For example, a mailto link like the one below will open a new email compose window with the destination email already pre-filled with “bob@host.com,” a subject line of “Hello,” and an email text of “Friend.”
    <a href="mailto:bob@host.com?subject=Hello&body=Friend">Click me!</a>
    The RFC6068 (mailto) standard supports a large set of parameters for customizing mailto links, including rarely used options that can be used to control the email’s body text, reply-to email address, and even email headers.
    However, even the standard itself warns software engineers against supporting all parameters, recommending that apps only support a few “safe” options.

    Image: Müller et al.
    Some email clients were supporting dangerous mailto parameters
    But in a research paper named “Mailto: Me Your Secrets” [PDF], academics from Ruhr University Bochum and the Münster University of Applied Sciences said they found email client apps that support the mailto standard with some of its most exotic parameters that allow for attacks on their users.
    In particular, researchers looked at the mailto “attach” or “attachment” parameters that allow mailto links to open new email compose/reply windows with a file already attached.
    Academics argue that attackers can send emails containing booby-trapped mailto links or place booby-trapped mailto links on websites that, when clicked, could surreptitiously append sensitive files to the email window.
    If the user composing the email does not spot the file attachment, attackers could receive sensitive files from the user’s system, such as encryption (PGP) keys, SSH keys, config files, cryptocurrency wallet files, password stores, or important business documents — as long as they’re stored at file paths known by an attacker.
    Academics said they tested several versions of this data exfiltration technique, such as:
    Using exact paths for the desired files.
    Using wildcard characters (*) to attach/steal multiple files at once.
    Using URLs for internal network shares (\\company_domain\file).
    Using URLs pointing the victim to an attacker’s rogue SMB server, so the victim leaks its NTLM authentication hash to the attacker (\\evil.com\dummyfile).
    Using IMAP links to steal email messages from a user’s entire IMAP email inbox (imap:///fetch >UID >/INBOX).
    The research team said it tested 20 email clients for their attack scenario and found that four clients were vulnerable. This list included:
    Evolution, the default email client for the GNOME desktop environment on Linux (see CVE-2020-11879)
    KMail, the default email client for KDE desktop environments on Linux (see CVE-2020-11880)
    IBM/HCL Notes on Windows (see CVE-2020-4089)
    Older versions of Thunderbird on Linux (now patched)
    All the found issues were reported to the respective development teams and patched this spring and summer, according to the above-linked CVEs.
    Additional research on attacking encrypted PGP and S/MIME
    However, the research team’s full paper was not focused on documenting the implementations of the mailto URI scheme in email clients. This is a small portion of the paper that we chose to highlight in this article.
    In their paper, academics primarily focused on finding bugs in email clients that could be abused to bypass (not break) email encryption technologies such as PGP and S/MIME.
    Researchers said they were successful in finding three new attack techniques that leveraged bugs in email clients to steal PGP private keys from victims, which would then allow attackers to decrypt the victim’s entire communications.
    The three new attack classes are listed below, with item 3) being the technique we described above in greater detail (as this technique can be used to steal more than encryption keys, such as all sorts of other files):
    Key replacement – Email clients may automatically install certificates contained in S/MIME communications. Such a feature, if available, can be misused to silently replace the public key used to encrypt messages to a certain entity.
    Dec/Sig oracles – Using standard mailto parameters, email clients can be tricked to decrypt ciphertext messages or to sign arbitrary messages, and exfiltrate them to an attacker-controlled IMAP server, if the email client supports automatically saving message drafts.
    Key exfiltration – If implemented by the email client, an attacker can create a specially crafted mailto URI scheme, in order to force the inclusion of the OpenPGP private key file on disk into an email to be sent back to the attacker.
    All in all, academics said that eight of the 20 email clients they tested for their research project were vulnerable to at least one of the three attacks listed above. Please see the figure and its legend below for a breakdown of what email client apps are vulnerable to what, and how.

    Image: Müller et al.

    Ukraine arrests gang who ran 20 crypto-exchanges and laundered money for ransomware gangs

    Image: Ukraine Cyber Police

    Law enforcement in Ukraine has announced today the arrest of a cybercrime gang who ran 20 cryptocurrency exchanges where they laundered more than $42 million in funds for criminal groups.
    The group, which authorities said had three members, has been operating from Ukraine’s Poltava region since 2018. According to Ukrainian officials, the group has advertised its services on underground criminal forums, where they offered to convert cryptocurrency from criminal activities into fiat (real-world) currency for other groups, helping criminals launder their ill-gotten profits.
    The arrests took place in late June, earlier this year, but new details have been released today in joint press releases by Binance and Ukraine Cyber Police. Binance, who collaborated in the investigation, said the group collaborated with ransomware gangs, and also spread ransomware themselves.
    The Bulletproof Exchanger Project
    Today’s arrest also marks the first fruits of “Bulletproof Exchanger,” an internal Binance project that the company started earlier this year.
    The project’s goal is to identify hubs of malicious activity in the cryptocurrency ecosystem, track down the operators, and work with authorities to arrest and shut them down.
    “‘Bulletproof exchanger’ is a general term used internally to refer to a high-risk exchanging service that serves as a cash-out point for criminal activity, such as ransomware,” the Binance security team told ZDNet in an email last week.
    “We kept running into exchangers like these in our day to day investigative work and historically rogue cashout points have played an important role in the underground criminal economy (i.e. BTC-E), which is why we decided to devote research efforts to study this problem,” it said.
    Acting on this decision, Binance said it began building a database of various signals and data sets earlier this year, such as user data, DNS records, open-source intelligence feeds, law enforcement requests, and blockchain analytics.
    Help from TRM Labs
    Once Binance had a full database at its disposal, the company partnered with TRM Labs, a blockchain analysis firm specialized in detecting fraud.
    Binance said TRM Labs came in and combed through “a massive amount of blockchain transaction data to analyze and correlate with suspicious activity on [Binance’s] platform” and eventually identify a first bulletproof exchanger and one of its clients, a ransomware gang.
    “For this particular group, the strength of the signals which their accounts were eliciting gave us high confidence they were involved in nefarious activities and prompted the need for further investigation,” the Binance security team said.
    Leveraging a memorandum of understanding (MoU) the company signed with Ukrainian officials last year, Binance safely passed its findings to Ukrainian law enforcement, who began an investigation into the illegal exchanges and the group behind them earlier this year.
    “Some cases can take years,” the Binance security team told ZDNet. “It was a perfect storm in this case, and we were able to move very fast, approximately three months from the time the case was opened to the time of takedown.”
    Bulletproof Exchanger Project to continue
    Binance says that its Bulletproof Exchanger Project will continue to operate going forward and that it hopes to track down similar criminal cash-out points and cybercrime groups in the near future.
    “Fighting money laundering, ransomware, and other malicious activity is of critical importance to the well-being of the [cryptocurrency] community and industry growth,” Binance said.