
Monthly Archives: November 2015

Malware caught checking out credit cards in 54 luxury hotels

Quote

Add Starwood – owner of the Sheraton, Westin, W hotel chains – to the ranks of resorts infiltrated by credit card-stealing malware.

The luxury hotel chain said on Friday that 54 of its North American locations had been infected with a software nasty that harvested banking card information from payment terminals and cash registers.

Starwood said the 54 compromised hotels [PDF] were scattered throughout the US and Canada, and were infected from as early as November of 2014 to June 30 of this year. Malware was found in payment systems in gift shops, restaurants, and sales registers.

Data stolen by the software could include customer names, credit card numbers, card security codes, and expiration dates. Starwood said that customer addresses, reservation data, and reward card information were not exposed in the breach.

When will the business community take security seriously? My experience working with businesses is that few do. Small businesses are the worst, but you never hear about that. Yet their data, including customer data, is being hoovered up faster than you can imagine. That said, mid and large enterprises are not much better. On a typical firewall that we manage, attacks arrive every few seconds on average.

Hillary Clinton: Stop helping terrorists, Silicon Valley – weaken your encryption

Sorry Hillary, you are just proving yourself as clueless as ever.

There remains no evidence the attackers used encryption to communicate. The Paris police found unencrypted text messages concerning the attack, and a public Facebook post from one of the attackers has also been uncovered. Early reports that the attackers used PlayStation 4s to communicate surreptitiously have also been dismissed.

It now appears that the attackers communicated via unencrypted SMS and did little to hide their tracks. On top of that, as Ryan Gallagher at the Intercept notes, some of the attackers were already known to law enforcement and the intelligence community as possible problems. But they were still able to plan and carry out the attacks. Even more to the point, Gallagher points out that after looking at the 10 most recent high-profile terrorist attacks, the same can be said for each of them. Sources: 1) 2)

Time and again throughout history, governments have used fear to strip people of their rights and increase their power. This is no different. This is a failure of intelligence. These thugs are smart and use face-to-face communications more than anything else. Studies (read more) have shown that the US Gov’s massive hoovering of data has had the perverse effect of making them more blind to what is really happening, rather than the other way around.

And I leave you with this: If the gov weakens encryption, how long will it take for other miscreants to find the holes and exploit them for nefarious reasons? Not long. That is why corporations are pushing back. Hillary, if you want to lead, better do your homework instead of pandering to fear.

Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC

Quote

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking through browser fingerprinting, the use of audio beacons is a more accurate way to track users across devices. The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

The user is unaware of the audio beacon, but if a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual. SilverPush states that the company is not listening in the background to all of the noises occurring in proximity to the device. The only factor that hinders the receipt of an audio beacon by a device is distance and there is no way for the user to opt-out of this form of cross-device tracking. SilverPush’s company policy is to not “divulge the names of the apps the technology is embedded,” meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice. As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.

Now that SilverPush and others are using the technology, it’s probably inevitable that it will remain in use in some form. But right now, there are no easy ways for average people to know if they’re being tracked by it and to opt out if they object. Federal officials should strongly consider changing that.

Unplug your PC mic when not in use, get smart about Android and iPhone (iOS) permissions, and limit access to the sound recorder/mic to only the dialer and trusted apps. Of course it should not be this way. It should all be off by default. And as I said before: You pay for this data rape.

User data plundering by Android and iOS apps is as rampant as you suspected

Quote

Apps in both Google Play and the Apple App Store frequently send users’ highly personal information to third parties, often with little or no notice, according to recently published research that studied 110 apps.

The researchers analyzed 55 of the most popular apps from each market and found that a significant percentage of them regularly provided Google, Apple, and other third parties with user e-mail addresses, names, and physical locations. On average, Android apps sent potentially sensitive data to 3.1 third-party domains while the average iOS app sent it to 2.6 third-party domains. In some cases, health apps sent searches including words such as “herpes” and “interferon” to no fewer than five domains with no notification that it was happening.

“The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs,” the authors of the study, titled Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps, wrote. “Apps on Android and iOS today do not need to have permission request notifications for user inputs like PII and behavioral data.”

The personal information most commonly transmitted by Android apps was a user’s e-mail address, with 73 percent of the apps studied sending that data. In total, 49 percent of Android apps sent users’ names, 33 percent transmitted users’ current GPS coordinates, 25 percent sent addresses, and 24 percent sent a phone’s IMEI or other details. An app from Drugs.com, meanwhile, sent the medical search terms “herpes” and “interferon” to five domains, including doubleclick.net, googlesyndication.com, intellitxt.com, quantserve.com, and scorecardresearch.com, although those domains didn’t receive other personal information.

Also concerning were Android apps that sent third parties potentially sensitive combinations of data. Facebook, for example, received users’ names and locations from seven of the apps analyzed in the study—American Well, Groupon, Pinterest, RunKeeper, Tango, Text Free, and Timehop. The domain Appboy.com received the data from an app called Glide.

And you pay for this wholesale rape of your privacy!

Firefox finally comes to iOS

Quote

At long last, Firefox has come to iOS. Rather unusually, this is the first version of the Firefox browser that does not use the Gecko layout engine, instead using iOS’s built-in WebKit-based layout engine. … There are two big reasons that you might want to use Firefox for iOS: you’re a Firefox user on your desktop PC and want to avail yourself of synchronised bookmark and tab histories; or you buy into the idea that Mozilla is a better and safer shepherd of your Web surfing experience.

Comcast resets 200k cleartext passwords

Quote

Zimbra mail server exploit claimed as source of dump

A hacker has tried to sell 200,000 valid cleartext Comcast credentials he claims he stole in 2013 from the telco’s then-vulnerable mailserver.

The telco has reset passwords for the affected accounts after news surfaced of the credentials being sold on the Python Market hidden marketplace.

Of the total pool of 590,000 accounts for sale for US$1,000, the company says around a third were accurate.

It told the Chicago Tribune the data was probably obtained through phishing, malware, or a breach of a third party site.

But the hacker responsible for the selling of the credentials, known as Orion, told Vulture South he obtained the credentials when he popped a Comcast mail server in December 2013.

He said the breach yielded 800,000 Comcast credentials of which 590,000 contained cleartext passwords.

Comcast has been contacted for comment.

“So in 2013 December the f****s at NullCrew came across an exploit for Zimbra which Comcast used at this domain *****.comcast.net ,” Orion says.

“NullCrew only got [about] 27k emails with no passwords lol while I got 800k with only 590k users with plaintext passwords.”

I do not know whether to laugh or cry at all the businesses that think they are secure using the likes of Comcast and Verizon email. What is even worse is the firewalls these outfits provide. They are as bad as no firewall at all.

Wi-Fi blocking at hotels and convention centers

Quote

The Federal Communications Commission yesterday issued proposed fines against two companies in its latest actions against Wi-Fi blocking at hotels and convention centers.

Each company has been accused of blocking personal Wi-Fi hotspots that let consumers share mobile data access with other devices such as laptops and tablets. Hilton and M.C. Dean must pay the fines within 30 days or file written statements seeking reduction or cancellation of the penalties. We’ve contacted both Hilton and M.C. Dean this morning but have not heard back.
…
The FCC last year received a complaint against a Hilton hotel in Anaheim, California that the company “blocked Wi-Fi access for visitors at the venue unless they paid a $500 fee.” More complaints against other Hilton properties followed, and in November 2014, the FCC issued Hilton a letter of inquiry seeking information about its Wi-Fi management practices at various Hilton-owned hotel chains.

“After nearly one year, Hilton has failed to provide the requested information for the vast majority of its properties. Hilton operates several brands, including Hilton, Conrad, DoubleTree, Embassy Suites, and Waldorf Astoria properties,” the FCC said. Hilton’s response “contained corporate policy documents pertaining only generally to wireless management practices (which did not discuss Wi-Fi blocking) and provided Wi-Fi management records pertaining only to the single Hilton-brand property named in the complaint,” the FCC said in a Notice of Apparent Liability.
…
Hilton did not provide information or documents regarding its other properties. The company “stated that providing the omitted material ‘would be oppressive and unduly burdensome,’ and questioned the Bureau’s authority to investigate potential Wi-Fi blocking at other Hilton-brand properties,” according to the FCC.

In addition to the fine, the FCC ordered Hilton to file full responses to all of its previous requests for information.

M.C. Dean is the exclusive Wi-Fi provider at the Baltimore Convention Center and “charges exhibitors and visitors as much as $1,095 per event for Wi-Fi access,” the FCC said.

The FCC last year received a complaint that M.C. Dean was blocking personal hotspots, and it sent Enforcement Bureau field agents to the venue “on multiple occasions and confirmed that Wi-Fi blocking activity was taking place,” the commission said.

“During the investigation, M.C. Dean revealed that it used the ‘Auto Block Mode’ on its Wi-Fi system to block consumer-created Wi-Fi hotspots at the venue. The Wi-Fi system’s manual describes this mode as ‘shoot first, and ask questions later.’ M.C. Dean’s Wi-Fi blocking activity also appears to have blocked Wi-Fi hotspots located outside of the venue, including passing vehicles,” the FCC said.

What charming corporate citizens.