
Nick L

Crooks stole my bikes after cycling app blabbed my address

Quote

An IT manager in Manchester, England, says thieves stole his bikes after a smartphone cycling app pinpointed the location of his garage.

Mark Leigh, 54, of Failsworth, said his two bicycles – worth £500 ($750) and £1,000 ($1,500) – were nicked shortly after he made his address and details of his bikes public on the popular biking app Strava, the Manchester Evening News reports.

The app includes an optional privacy setting that conceals the exact location of your home, but Leigh was not aware of this switch when he shared details of his bike rides via the software. Strava encourages people to publish their routes and journey times to make the application more engaging among enthusiasts.

Unfortunately, doing so tips off crooks as to where bikes are kept and when they are not in use.
….
All of which is a timely reminder of why people should be careful about what apps they use and what information they share, and why it’s worthwhile spending a bit of time digging into the privacy settings that many apps now offer.

….and this guy was an IT “expert” (??)

If you let in the Feds, you’ll let in anyone

Quote

Juniper’s VPN security hole is proof that govt backdoors are bonkers

Juniper’s security nightmare gets worse and worse as experts comb the ScreenOS firmware in its old NetScreen firewalls.

Just before the weekend, the networking biz admitted there had been “unauthorized” changes to its software, allowing hackers to commandeer equipment and decrypt VPN traffic.

In response, Rapid7 reverse engineered the code, and found a hardwired password that allows anyone to log into the boxes as an administrator via SSH or Telnet.

Now an analysis of NetScreen’s encryption algorithms by Matthew Green, Ralf-Philipp Weinmann, and others, has found another major problem.

“For the past several years, it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number generator, based on the NSA’s Dual EC DRBG algorithm,” wrote Green, a cryptographer at Johns Hopkins University in Maryland, US.

“At some point in 2012, the NetScreen code was further subverted by some unknown party, so that the very same backdoor could be used to eavesdrop on NetScreen connections. While this alteration was not authorized by Juniper, it’s important to note that the attacker made no major code changes to the encryption mechanism – they only changed parameters.”

The Dual EC DRBG random number generator was championed by the NSA, although researchers who studied the spec found that data encrypted using the generator could be decoded by clever eavesdroppers.

ScreenOS uses the Dual EC DRBG in its VPN technology, but as a secondary mechanism: it’s used to prime a fast 3DES-based number generator called ANSI X9.17, which is secure enough to kill off any cryptographic weaknesses introduced by Dual EC. Phew, right? Bullet dodged, huh?

No. In Juniper’s case there’s a problem. The encrypted communications can still be decoded using just 30 or so bytes of raw Dual EC output. And, lo, conveniently, there’s a bug in ScreenOS that will cause the firmware to leak that very sequence of numbers, undermining the security of the system.

Also, worryingly, ScreenOS does not use Dual EC with the special constant Q defined by the US government – it uses its own value.

Armed with those 30 bytes of seed data, and knowledge of Juniper’s weird Dual EC parameters, eavesdroppers can decrypt intercepted VPN traffic.

….
Green points out that this is a classic example of why backdoors are a bad idea all round. It’s something politicians and law enforcement officials may want to ponder the next time they call for mandatory government access to encrypted communications.

If they are going to build backdoors into encryption, such as by fiddling with the mathematics or sliding in convenient bugs, someone else is going to find the way in.
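To make the mechanism in the quote concrete, here is an added example of my own (not Juniper’s or ScreenOS code): Dual EC DRBG over the real P-256 curve with a trapdoor planted the way the quote describes, by choosing Q rather than the NIST value. The party that picks Q = e·P keeps d = e⁻¹ mod n, so d·Q = P; then one truncated output block plus one further block to confirm the guess is enough to recover the generator state and predict every later block, exactly the “only changed parameters” situation Green describes. The ScreenOS bug that leaks raw Dual EC output is modelled simply by handing the attacker the block, and the downstream X9.17 stage is left out because the attack bypasses it. The standard drops 16 bits (30-byte blocks, a 2¹⁵-candidate search on average); the demo runs with 8 dropped bits so the pure-Python search finishes in about a second, and the function takes the real value if you have the patience. Requires Python 3.8+ for pow(x, -1, p).

```python
"""Dual EC DRBG over P-256 with a planted trapdoor (added example, not ScreenOS code).
Whoever knows d with d*Q = P recovers the state from one truncated output block."""
import secrets

# NIST P-256 domain parameters (FIPS 186-4): y^2 = x^3 - 3x + B over GF(P), base point G of order N
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P        # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


class DualEC:
    """SP 800-90A Dual EC step: s <- x(s*P); r <- x(s*Q); emit r minus its top
    `dropped_bits` bits (16 in the standard, which is what yields 30-byte blocks)."""

    def __init__(self, seed, p_point, q_point, dropped_bits=16):
        self.s, self.p_point, self.q_point = seed, p_point, q_point
        self.mask = (1 << (256 - dropped_bits)) - 1

    def next_block(self):
        self.s = mul(self.s, self.p_point)[0]
        return mul(self.s, self.q_point)[0] & self.mask


def plant_trapdoor(p_point, secret=None):
    """Choose Q = e*P for a secret e and keep d = e^-1 mod N, so that d*Q = P.
    This is the 'weird Q' situation: whoever picked Q this way holds d."""
    e = secret or (secrets.randbelow(N - 1) + 1)
    return mul(e, p_point), pow(e, -1, N)


def recover_state(block, next_block, q_point, d, dropped_bits=16):
    """Brute-force the dropped high bits of one output block, lift each candidate x
    to a point R = s*Q, and use x(d*R) = x(s*P) = the next internal state.
    `next_block` (one more observed output) is used only to confirm the candidate."""
    keep = 256 - dropped_bits
    mask = (1 << keep) - 1
    for hi in range(1 << dropped_bits):
        x = (hi << keep) | block
        if x >= P:
            break                                         # candidates are increasing
        rhs = (x * x * x + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)                     # square root: valid since P % 4 == 3
        if y * y % P != rhs:
            continue                                      # this x is not on the curve
        s_next = mul(d, (x, y))[0]                        # (x, -y) gives the same x, sign is irrelevant
        if (mul(s_next, q_point)[0] & mask) == next_block:
            return s_next
    return None


if __name__ == "__main__":
    DROP = 8   # the real scheme drops 16; 8 keeps the pure-Python search to about a second
    q, d = plant_trapdoor(G)
    victim = DualEC(seed=secrets.randbelow(N - 1) + 1, p_point=G, q_point=q, dropped_bits=DROP)
    r1, r2 = victim.next_block(), victim.next_block()     # what the leak bug hands the attacker
    state = recover_state(r1, r2, q, d, DROP)
    clone = DualEC(state, G, q, DROP)
    print("state recovered:", state == victim.s)
    print("next block predicted:", clone.next_block() == victim.next_block())
```

The check a practitioner takes away: a Dual EC instance is only as trustworthy as the provenance of its Q, and anyone who can swap Q (a firmware patch that “only changed parameters”) inherits the trapdoor without touching a line of the cipher code.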

Hello children, may I steal your personal data?

Quote

Up to 3.3 million Hello Kitty users have had their personal data exposed due to a database breach at the brand’s online community SanrioTown.com, a security researcher has discovered…. The exposed records include users’ names, birthdates, gender, nationality, email addresses, unsalted SHA-1 password hashes, and password hint questions.

“While having sensitive details exposed is bad enough for adults, when the information relates to a child it’s far worse.

“If someone managed to compromise a child’s identity, the fraud might not be detected for years because most parents don’t monitor their child’s credit record,” noted Salted Hash writer Steve Ragan.

In addition to the primary Sanriotown database, two additional backup servers containing mirrored data were also compromised, it said.

The earliest known date of publication for the private information was 22 November this year.

Sanrio, as well as the ISP being used to host the database itself, have all been notified, reported the site.

Earlier this month toymaker VTech admitted that millions of kiddies’ online profiles were left exposed to hackers – much higher than the 220,000 first feared.

Best to keep toys that require “membership” on the no-go list. That includes the likes of Farcebook.

Malware hijacks PC’s boot process to gain stealth, persistence

Quote

Bootkit targeting banks and payment card processors hard to detect and remove.

Malware targeting banks, payment card processors, and other financial services has found an effective way to remain largely undetected as it plucks sensitive card data out of computer memory. It hijacks the computer’s boot-up routine in a way that allows highly intrusive code to run even before the Windows operating system loads.

The so-called bootkit has been in operation since early this year and is part of “Nemesis,” a suite of malware that includes programs for transferring files, capturing screens, logging keystrokes, injecting processes, and carrying out other malicious actions on an infected computer. Its ability to modify the legitimate volume boot record makes it possible for the Nemesis components to load before Windows starts. That makes the malware hard to detect and remove using traditional security approaches. Because the infection lives in such a low-level portion of a hard drive, it can also survive when the operating system is completely reinstalled.

Great read. In one of the comments to the article it was noted that secure boot would mitigate this kind of attack (win7 onward), but as noted: “That said, this attack is against a population with a penchant for running ancient, decrepit systems so they may be vulnerable for some time going forward. Inexcusable, really, but they’ll react only after losing enough money.”

That made me laugh, as it is not just the banks that shortchange cyber security; it is, by and large, the majority of businesses.

Malware caught checking out credit cards in 54 luxury hotels

Quote

Add Starwood – owner of the Sheraton, Westin, W hotel chains – to the ranks of resorts infiltrated by credit card-stealing malware.

The luxury hotel chain said on Friday that 54 of its North American locations had been infected with a software nasty that harvested banking card information from payment terminals and cash registers.

Starwood said the 54 compromised hotels [PDF] were scattered throughout the US and Canada, and were infected from as early as November of 2014 to June 30 of this year. Malware was found in payment systems in gift shops, restaurants, and sales registers.

Data stolen by the software could include customer names, credit card numbers, card security codes, and expiration dates. Starwood said that customer addresses, reservation data, and reward card information were not exposed in the breach.

When will the business community take security seriously? My experience working with businesses is that few do. Small businesses are the worst, but you never hear about that. Yet their data, including customer data, is being hoovered up faster than you can imagine. That said, mid and large enterprises are not much better. Attacks come in at a rate of one every few seconds on average on a typical firewall that we manage.

Hillary Clinton: Stop helping terrorists, Silicon Valley – weaken your encryption

Sorry Hillary, you are just proving yourself as clueless as ever.

Quote

There remains no evidence the attackers used encryption to communicate. The Paris police found unencrypted text messages concerning the attack, and a public Facebook post from one of the attackers has also been uncovered. Early reports that the attackers used PlayStation 4s to communicate surreptitiously have also been dismissed.

It now appears that the attackers communicated via unencrypted SMS and did little to hide their tracks. On top of that, as Ryan Gallagher at the Intercept notes, some of the attackers were already known to law enforcement and the intelligence community as possible problems. But they were still able to plan and carry out the attacks. Even more to the point, Gallagher points out that after looking at the 10 most recent high profile terrorist attacks, the same can be said for each of them. (sources: 1, 2)

Time and again throughout history, governments have used fear to strip people of their rights and increase their power. This is no different. This is a failure of intelligence. These thugs are smart and use face-to-face communications more than anything else. Studies have shown that the US Gov’s massive hoovering of data has had the perverse effect of making them more blind to what is really happening – not the other way around.

And I leave you with this: if the gov weakens encryption, how long will it take for other miscreants to find the holes and exploit them for nefarious reasons? Not long. That is why corporations are pushing back. Hillary, if you want to lead, better do your homework instead of pandering to fear.

Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC

Quote

Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.

The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking through browser fingerprinting, the use of audio beacons is a more accurate way to track users across devices. The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device] (unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

The user is unaware of the audio beacon, but if a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual. SilverPush states that the company is not listening in the background to all of the noises occurring in proximity to the device. The only factor that hinders the receipt of an audio beacon by a device is distance and there is no way for the user to opt-out of this form of cross-device tracking. SilverPush’s company policy is to not “divulge the names of the apps the technology is embedded,” meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice. As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.

Now that SilverPush and others are using the technology, it’s probably inevitable that it will remain in use in some form. But right now, there are no easy ways for average people to know if they’re being tracked by it and to opt out if they object. Federal officials should strongly consider changing that.

Unplug your PC mic when not in use, get smart about Android and iPhone (iOS) permissions, and limit access to the sound recorder/mic to only the dialer and trusted apps. Of course it should not be this way. It should all be off by default. And as I said before: you pay for this data rape.
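To show that the beacon idea in the quotes is ordinary signal processing rather than magic, here is an added example of my own (not SilverPush’s SDK, whose encoding is not public here, and not code from either article): a toy beacon that keys an 8-bit identifier onto two assumed ultrasonic carriers (18.5 kHz and 19.5 kHz, 50 ms per bit, at 44.1 kHz), mixes it quietly under a loud audible tone standing in for the commercial’s soundtrack, and a Goertzel detector of the kind a listening app would run over microphone frames to pull the bits back out. All signals are constructed in the script, so it runs offline.

```python
"""Toy ultrasonic FSK beacon and its Goertzel detector (added example, constructed signal)."""
import math

SAMPLE_RATE = 44100                  # Hz, standard audio rate
F_ZERO, F_ONE = 18500.0, 19500.0     # assumed carriers for bit 0 / bit 1, above most adults' hearing
SYMBOL_SAMPLES = 2205                # 50 ms per bit; both carriers fit an integer number of cycles


def encode_beacon(bits, amplitude=0.05):
    """Per bit, emit SYMBOL_SAMPLES of a sine at F_ZERO or F_ONE, at 5% of full scale."""
    samples = []
    for bit in bits:
        freq = F_ONE if bit else F_ZERO
        samples.extend(amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)
                       for i in range(SYMBOL_SAMPLES))
    return samples


def audible_cover(n_samples, freq=440.0, amplitude=0.5):
    """Stand-in for the commercial's normal soundtrack: a loud 440 Hz tone."""
    return [amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n_samples)]


def mix(cover, beacon):
    """What the TV speaker actually plays: soundtrack plus the inaudible beacon."""
    return [c + b for c, b in zip(cover, beacon)]


def goertzel_power(frame, freq):
    """Energy of `frame` at a single frequency (Goertzel algorithm, one DFT bin)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_beacon(samples, threshold=100.0):
    """Slice the capture into symbol frames; skip frames with no ultrasonic energy,
    otherwise take the louder carrier as the bit. The threshold is tuned for this
    synthetic signal (a beacon frame scores about 3000 at the sending carrier)."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        frame = samples[start:start + SYMBOL_SAMPLES]
        p0, p1 = goertzel_power(frame, F_ZERO), goertzel_power(frame, F_ONE)
        if max(p0, p1) < threshold:
            continue                                  # nothing ultrasonic in this frame
        bits.append(1 if p1 > p0 else 0)
    return bits


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]                # constructed 8-bit beacon id
    beacon = encode_beacon(payload)
    on_air = mix(audible_cover(len(beacon)), beacon)
    print("recovered from mixed audio:", decode_beacon(on_air))
    print("from soundtrack alone:     ", decode_beacon(audible_cover(len(beacon))))
```

The same Goertzel power check, run over the 18 to 20 kHz band on a microphone capture, is the quickest way to see whether something in the room is beaconing, which is the practical counterpart to pulling mic permissions from apps that have no business holding them.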

User data plundering by Android and iOS apps is as rampant as you suspected

Quote

Apps in both Google Play and the Apple App Store frequently send users’ highly personal information to third parties, often with little or no notice, according to recently published research that studied 110 apps.

The researchers analyzed 55 of the most popular apps from each market and found that a significant percentage of them regularly provided Google, Apple, and other third parties with user e-mail addresses, names, and physical locations. On average, Android apps sent potentially sensitive data to 3.1 third-party domains while the average iOS app sent it to 2.6 third-party domains. In some cases, health apps sent searches including words such as “herpes” and “interferon” to no fewer than five domains with no notification that it was happening.

“The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs,” the authors of the study, titled Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps, wrote. “Apps on Android and iOS today do not need to have permission request notifications for user inputs like PII and behavioral data.”

The personal information most commonly transmitted by Android apps was a user’s e-mail address, with 73 percent of the apps studied sending that data. In total, 49 percent of Android apps sent users’ names, 33 percent transmitted users’ current GPS coordinates, 25 percent sent addresses, and 24 percent sent a phone’s IMEI or other details. An app from Drugs.com, meanwhile, sent the medical search terms “herpes” and “interferon” to five domains, including doubleclick.net, googlesyndication.com, intellitxt.com, quantserve.com, and scorecardresearch.com, although those domains didn’t receive other personal information.

Also concerning were Android apps that sent third parties potentially sensitive combinations of data. Facebook, for example, received users’ names and locations from seven of the apps analyzed in the study—American Well, Groupon, Pinterest, RunKeeper, Tango, Text Free, and Timehop. The domain Appboy.com received the data from an app called Glide.

And you pay for this wholesale rape of your privacy!

Firefox finally comes to iOS

Quote

At long last, Firefox has come to iOS. Rather unusually, this is the first version of the Firefox browser that does not use the Gecko layout engine, instead using iOS’s built-in WebKit-based layout engine. … There are two big reasons that you might want to use Firefox for iOS: you’re a Firefox user on your desktop PC and want to avail yourself of synchronised bookmark and tab histories; or you buy into the idea that Mozilla is a better and safer shepherd of your Web surfing experience.

Comcast resets 200k cleartext passwords

Quote

Zimbra mail server exploit claimed as source of dump

A hacker has tried to sell 200,000 valid cleartext Comcast credentials he claims he stole in 2013 from the telco’s then-vulnerable mailserver.

The telco has reset passwords for the affected accounts after news surfaced of the credentials being sold on the Python Market hidden marketplace.

Of the total pool of 590,000 accounts for sale for US$1,000, the company says around a third were accurate.

It told the Chicago Tribune the data was probably obtained through phishing, malware, or a breach of a third party site.

But the hacker responsible for the selling of the credentials, known as Orion, told Vulture South he obtained the credentials when he popped a Comcast mail server in December 2013.

He said the breach yielded 800,000 Comcast credentials of which 590,000 contained cleartext passwords.

Comcast has been contacted for comment.

“So in 2013 December the f****s at NullCrew came across an exploit for Zimbra which Comcast used at this domain *****.comcast.net ,” Orion says.

“NullCrew only got [about] 27k emails with no passwords lol while I got 800k with only 590k users with plaintext passwords.”

I do not know whether to laugh or cry at all the businesses that think they are secure using the likes of Comcast and Verizon email. What is even worse is the firewalls these outfits provide. They are as bad as no firewall at all.