
Monthly Archives: December 2015

Crooks stole my bikes after cycling app blabbed my address

Quote

An IT manager in Manchester, England, says thieves stole his bikes after a smartphone cycling app pinpointed the location of his garage.

Mark Leigh, 54, of Failsworth, said his two bicycles – worth £500 ($750) and £1,000 ($1,500) – were nicked shortly after he made his address and details of his bikes public on the popular biking app Strava, the Manchester Evening News reports.

The app includes an optional privacy setting that conceals the exact location of your home, but Leigh was not aware of this switch when he shared details of his bike rides via the software. Strava encourages people to publish their routes and journey times to make the application more engaging among enthusiasts.

Unfortunately, doing so tips off crooks as to where bikes are kept and when they are not in use.
….
All of which is a timely reminder to people over why they should be careful about what apps they use, what information they share, and why it’s worthwhile spending a bit of time digging into the privacy settings that many apps now offer.

….and this guy was an IT “expert” (??)

If you let in the Feds, you’ll let in anyone

Quote

Juniper’s VPN security hole is proof that govt backdoors are bonkers

Juniper’s security nightmare gets worse and worse as experts comb the ScreenOS firmware in its old NetScreen firewalls.

Just before the weekend, the networking biz admitted there had been “unauthorized” changes to its software, allowing hackers to commandeer equipment and decrypt VPN traffic.

In response, Rapid7 reverse engineered the code, and found a hardwired password that allows anyone to log into the boxes as an administrator via SSH or Telnet.

Now an analysis of NetScreen’s encryption algorithms by Matthew Green, Ralf-Philipp Weinmann, and others, has found another major problem.

“For the past several years, it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number generator, based on the NSA’s Dual EC DRBG algorithm,” wrote Green, a cryptographer at Johns Hopkins University in Maryland, US.

“At some point in 2012, the NetScreen code was further subverted by some unknown party, so that the very same backdoor could be used to eavesdrop on NetScreen connections. While this alteration was not authorized by Juniper, it’s important to note that the attacker made no major code changes to the encryption mechanism – they only changed parameters.”

The Dual EC DRBG random number generator was championed by the NSA, although researchers who studied the spec found that data encrypted using the generator could be decoded by clever eavesdroppers.

ScreenOS uses the Dual EC DRBG in its VPN technology, but as a secondary mechanism: it’s used to prime a fast 3DES-based number generator called ANSI X9.17, which is secure enough to kill off any cryptographic weaknesses introduced by Dual EC. Phew, right? Bullet dodged, huh?

No. In Juniper’s case there’s a problem. The encrypted communications can still be decoded using just 30 or so bytes of raw Dual EC output. And, lo, conveniently, there’s a bug in ScreenOS that will cause the firmware to leak that very sequence of numbers, undermining the security of the system.

Also, worryingly, ScreenOS does not use Dual EC with the special constant Q defined by the US government – it uses its own value.

Armed with those 30 bytes of seed data, and knowledge of Juniper’s weird Dual EC parameters, eavesdroppers can decrypt intercepted VPN traffic.

….
Green points out that this is a classic example of why backdoors are a bad idea all round. It’s something politicians and law enforcement officials may want to ponder the next time they call for mandatory government access to encrypted communications.

If they are going to build backdoors into encryption, such as by fiddling with the mathematics or sliding in convenient bugs, someone else is going to find the way in.
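To make the Dual EC point concrete, here is a toy version of the generator and of the trapdoor attack the analysis above describes. This is an added example, not code from Juniper, ScreenOS or Green's write-up: the curve (y^2 = x^3 + 7 over p = 10007), the trapdoor d, the seed and the 12-bit output truncation are all constructed for the demo, and the ScreenOS leak is simulated by simply handing the attacker a few raw outputs rather than by reproducing the firmware bug. What it shows is the mechanism behind the "30 or so bytes" remark: one truncated output block plus the secret d with P = d*Q yields the generator's next internal state, and from there every later output is predictable. Swapping in a Q whose d you know is, in this model, exactly a "parameter change".

```python
"""Toy Dual EC DRBG with its trapdoor: why leaking raw Dual EC output hands an
eavesdropper the generator. Added example; curve, trapdoor, seed and truncation are
constructed. Real Dual EC uses P-256 and drops only the top 16 bits of a 256-bit x."""

P_MOD = 10007            # prime; p % 3 == 2 gives p+1 points, p % 4 == 3 gives an easy sqrt
A, B = 0, 7              # toy curve y^2 = x^3 + 7
GROUP_ORDER = P_MOD + 1  # 10008 = 2^3 * 3^2 * 139; the group is cyclic for this p
TRUNC_BITS = 12          # output = low 12 bits of x; the top ~2 bits are dropped (x < 2^14)
MASK = (1 << TRUNC_BITS) - 1

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def x_coord(pt):
    # Never infinity here: x = 0 is not on this curve (7 is a non-residue mod 10007),
    # so no state is ever 0 and no multiple of a full-order point vanishes.
    return pt[0]

def lift_x(x):
    """A curve point with x-coordinate x, or None if there is none."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)                # sqrt, valid because p % 4 == 3
    return (x, y) if (y * y) % P_MOD == rhs else None

def full_order_point():
    """First point of order exactly GROUP_ORDER (checked against each prime cofactor)."""
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt and all(ec_mul(GROUP_ORDER // q, pt) is not None for q in (2, 3, 139)):
            return pt
    raise RuntimeError("no generator found")

Q = full_order_point()
TRAPDOOR_D = 4099                 # known only to whoever chose Q; gcd(4099, 10008) == 1
P = ec_mul(TRAPDOOR_D, Q)         # P = d*Q is the backdoor; publishing P and Q does not reveal d

class DualEC:
    """Dual EC DRBG: output trunc(x(s*Q)), then advance the state to s = x(s*P)."""
    def __init__(self, seed):
        self.s = seed % P_MOD
    def next_output(self):
        out = x_coord(ec_mul(self.s, Q)) & MASK
        self.s = x_coord(ec_mul(self.s, P))
        return out

def recover_state(leaked_output, later_outputs):
    """Attacker with d: for each value of the dropped bits, lift x back to the point s*Q,
    multiply by d to get x(s*P) (the new state), keep candidates matching later outputs."""
    hits = []
    for high in range(0, P_MOD, 1 << TRUNC_BITS):
        x = high | leaked_output
        if x >= P_MOD:
            break
        R = lift_x(x)                        # s*Q up to the sign of y, which x(d*R) ignores
        if R is None:
            continue
        s_next = x_coord(ec_mul(TRAPDOOR_D, R))   # d*(s*Q) = s*(d*Q) = s*P
        clone = DualEC(s_next)
        if [clone.next_output() for _ in later_outputs] == list(later_outputs):
            hits.append(s_next)
    return hits

def demo(seed=0xBEEF, observed=3, predicted=4):
    """Victim leaks `observed` raw outputs; returns (attacker's guess at the next
    `predicted` outputs, what the victim actually produced)."""
    victim = DualEC(seed)
    leaked = [victim.next_output() for _ in range(observed)]
    future = [victim.next_output() for _ in range(predicted)]
    states = recover_state(leaked[0], leaked[1:])
    if len(states) != 1:
        return [], future
    clone = DualEC(states[0])
    for _ in leaked[1:]:
        clone.next_output()                   # skip the outputs already observed
    return [clone.next_output() for _ in range(predicted)], future
```

On P-256 the same loop has 2^16 candidates per block instead of three, which is why a single raw output block is enough. The defence the ScreenOS design relied on was that raw Dual EC output never leaves the box, only X9.17 output derived from it; once the bug exposes the raw block, the X9.17 layer adds nothing, and anyone holding d for the Q in the firmware is in.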

Hello children, may I steal your personal data?

Quote

Up to 3.3 million Hello Kitty users have had their personal data exposed due to a database breach at the brand’s online community SanrioTown.com, a security researcher has discovered….The exposed records include users’ names, birthdates, gender, nationality, email addresses, unsalted SHA-1 password hashes, and password hint questions.

“While having sensitive details exposed is bad enough for adults, when the information relates to a child it’s far worse.

“If someone managed to compromise a child’s identity, the fraud might not be detected for years because most parents don’t monitor their child’s credit record,” noted Salted Hash writer Steve Ragan.

In addition to the primary Sanriotown database, two additional backup servers containing mirrored data were also compromised, it said.

The earliest known date of publication for the private information was 22 November this year.

Sanrio, as well as the ISP being used to host the database itself, have all been notified, reported the site.

Earlier this month toymaker VTech admitted that millions of kiddies’ online profiles were left exposed to hackers – much higher than the 220,000 first feared.

Best to keep toys that require “membership” on the no-go list. That includes the likes of Farcebook
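The "unsalted SHA-1 password hashes" detail deserves a closer look, because it decides how fast a dump like this turns into plaintext. The example below is added here and uses a constructed five-user dump, not SanrioTown data; the names, passwords and wordlist are made up. It shows the two things an unsalted column gives away at once (identical hashes expose shared passwords before any cracking, and one hash per guess tests every user) against a salted, slow KDF where each (user, guess) pair costs a separate run.

```python
"""Unsalted SHA-1 dump versus salted PBKDF2: why one leaks fast. Added example;
the users, passwords and wordlist below are constructed for the demo."""
import hashlib
import os

# Constructed sample: plaintexts exist only so the demo can build the leaked column.
_SAMPLE_PASSWORDS = {
    "alice@example.com": "hellokitty",
    "bob@example.com": "hellokitty",
    "carol@example.com": "123456",
    "dave@example.com": "Tr0ub4dor&3",
    "eve@example.com": "kitty2015",
}
WORDLIST = ["123456", "password", "hellokitty", "kitty2015", "qwerty"]
PBKDF2_ITERATIONS = 100_000

def build_unsalted_dump():
    """The leaked column as reported: email -> hex SHA-1 of the password, no salt."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in _SAMPLE_PASSWORDS.items()}

def duplicate_groups(dump):
    """Identical hashes mean identical passwords; visible before a single guess is made."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)

def crack_unsalted(dump, wordlist):
    """Hash each guess once, then look every user up: cost is len(wordlist), not users*guesses."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in dump.items() if h in table}, len(wordlist)

def build_salted_store(iterations=PBKDF2_ITERATIONS):
    """How the column should have been stored: per-user random salt plus a slow KDF."""
    store = {}
    for user, password in _SAMPLE_PASSWORDS.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations))
    return store

def crack_salted(store, wordlist, iterations=PBKDF2_ITERATIONS):
    """Salt forces one KDF run per (user, guess); the iteration count makes each run slow."""
    cracked, work = {}, 0
    for user, (salt, digest) in store.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                cracked[user] = w
                break
    return cracked, work
```

With five users and five guesses the salted store already costs 16 slow KDF runs against 5 fast SHA-1 calls, and the gap grows linearly with the number of accounts; at 3.3 million users the unsalted column is effectively a lookup table.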

Malware hijacks PC’s boot process to gain stealth, persistence

Quote

Bootkit targeting banks and payment card processors hard to detect and remove.

Malware targeting banks, payment card processors, and other financial services has found an effective way to remain largely undetected as it plucks sensitive card data out of computer memory. It hijacks the computer’s boot-up routine in a way that allows highly intrusive code to run even before the Windows operating system loads.

The so-called bootkit has been in operation since early this year and is part of “Nemesis,” a suite of malware that includes programs for transferring files, capturing screens, logging keystrokes, injecting processes, and carrying out other malicious actions on an infected computer. Its ability to modify the legitimate volume boot record makes it possible for the Nemesis components to load before Windows starts. That makes the malware hard to detect and remove using traditional security approaches. Because the infection lives in such a low-level portion of a hard drive, it can also survive when the operating system is completely reinstalled.

Great read. In one of the comments to the article it was noted that secure boot would mitigate this kind of attack (win7 onward), but, as noted, “That said, this attack is against a population with a penchant for running ancient, decrepit systems so they may be vulnerable for some time going forward. Inexcusable, really, but they’ll react only after losing enough money.”

That made me laugh, as it is not just the banks that shortchange cyber security; it is, by and large, the majority of businesses.
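Since the bootkit above works by modifying the volume boot record, the check a responder wants is a way to read that sector and compare it against a known-good copy. The example below is added here and is not code from the article, from the malware analysis or from any vendor tool. It parses the documented NTFS boot-sector layout, runs a few structural sanity checks, and compares a hash of the bootstrap code region against a baseline recorded while the machine was clean. The two sectors it checks are constructed: a plausible "clean" VBR and the same sector with the first instructions of its boot code replaced by a jump, standing in for a hooked record (these are not the real bootkit's bytes).

```python
"""NTFS volume boot record (VBR) integrity check. Added example; the sample sectors are
constructed and the offsets follow the documented NTFS boot-sector layout."""
import hashlib
import struct

CODE_START, CODE_END = 0x54, 0x1FE   # bootstrap code sits between the BPB and the 0x55AA marker

def build_ntfs_vbr(boot_code):
    """Assemble a plausible 512-byte NTFS boot sector around the given bootstrap code."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"                                   # jmp short +0x52 ; nop
    sec[3:11] = b"NTFS    "                                      # OEM ID
    struct.pack_into("<HBH", sec, 0x0B, 512, 8, 0)               # bytes/sector, sectors/cluster, reserved
    sec[0x15] = 0xF8                                             # media descriptor: fixed disk
    struct.pack_into("<HHI", sec, 0x18, 63, 255, 2048)           # sectors/track, heads, hidden sectors
    struct.pack_into("<QQQ", sec, 0x28, 20_000_000, 786_432, 2)  # total sectors, $MFT, $MFTMirr clusters
    sec[0x40] = 0xF6                                             # clusters per file record (2^10 bytes)
    sec[0x44] = 1                                                # clusters per index buffer
    struct.pack_into("<Q", sec, 0x48, 0x1234567890ABCDEF)        # volume serial number
    code = boot_code[:CODE_END - CODE_START]
    sec[CODE_START:CODE_START + len(code)] = code
    sec[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sec)

def parse_vbr(sec):
    """Pull out the fields worth sanity-checking plus a hash of the code region."""
    if len(sec) != 512:
        raise ValueError("expected one 512-byte sector")
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    total, mft, mftmirr = struct.unpack_from("<QQQ", sec, 0x28)
    return {
        "jump": sec[0:3],
        "oem_id": sec[3:11],
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "total_sectors": total,
        "mft_cluster": mft,
        "mftmirr_cluster": mftmirr,
        "marker": sec[0x1FE:0x200],
        "code_sha256": hashlib.sha256(sec[CODE_START:CODE_END]).hexdigest(),
    }

def check_vbr(sec, baseline_code_sha256):
    """Return a list of findings; empty means the sector is structurally sane and its
    bootstrap code matches the baseline recorded for this volume while it was known-good."""
    v = parse_vbr(sec)
    findings = []
    if v["marker"] != b"\x55\xAA":
        findings.append("end-of-sector marker is not 55 AA")
    if v["oem_id"] != b"NTFS    ":
        findings.append("OEM ID is not 'NTFS    '")
    if v["jump"][0] not in (0xEB, 0xE9):
        findings.append("first byte is not a jmp")
    if v["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes per sector")
    spc = v["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        findings.append("sectors per cluster is not a power of two")
    if v["mft_cluster"] * spc >= v["total_sectors"]:
        findings.append("$MFT cluster lies outside the volume")
    if v["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code does not match the recorded baseline")
    return findings

# Constructed sample: opening of a normal NTFS stub (cli; xor ax,ax; mov ss,ax; mov sp,7C00h; sti)
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 64
CLEAN_VBR = build_ntfs_vbr(CLEAN_CODE)
BASELINE = parse_vbr(CLEAN_VBR)["code_sha256"]     # recorded while the machine was known-good

# Same sector with the first instructions swapped for a near jmp elsewhere in the sector:
# a constructed stand-in for a hooked VBR, not the real bootkit's bytes.
HOOKED_CODE = b"\xE9\x40\x00" + CLEAN_CODE[3:]
HOOKED_VBR = build_ntfs_vbr(HOOKED_CODE)
```

On a live system the sector comes from the first 512 bytes of the partition (for example `dd if=/dev/sda1 bs=512 count=1` from a Linux forensic boot, or reading `\\.\C:` on Windows), and the baseline must come from an image taken before the compromise or from a freshly formatted volume with the same Windows version, since the code region legitimately differs between releases. Note what this does and does not cover: it catches edits to the VBR's own code, but a bootkit can also live in the MBR or in sectors after the VBR, so those need their own baselines.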