
iKettle Leaks! (…WiFi Passwords)


Quote

A security man has mapped and hacked insecure connected kettles across London, proving they can leak WiFi passwords.

The iKettle is designed to save users precious seconds spent waiting for water to boil by allowing the kitchen staple to be turned on using a smartphone app.

Pen Test Partners bod Ken Munro says hackers can make more than a cuppa, however: armed with some social engineering data, a directional antenna, and some networking gear they can “easily” cause the iKettle to spew WiFi passwords.

….

Munro says the state of internet of things security is “utterly bananas” and akin to the quality of infosec in the year 2000.

AVG – You’re the Product!

No Free Lunch
Well, it seems the free anti-malware outfit AVG is ready to cash in.

Quote

Security software firm AVG has defended changes in its privacy policy, due to come into effect on Thursday (15 October), allowing it to collect and resell users’ anonymised web browsing and search history.

AVG is not selling data to advertisers – yet – but if and when it does so it will “cleanse” the data so users can’t be individually targeted, according to Anscombe.

The security software firm says it will not sell personal information such as names, emails, addresses, or payment card details, and will try to “anonymize the data we collect and store it in a manner that does not identify you.”

However, effectively anonymising user data is a difficult task – especially in the era of big data, correlation and user behaviour. For example, researchers from Harvard University recently achieved a 100 per cent success rate in de-anonymising patients from their supposedly anonymised healthcare data in South Korea.

Furthermore, even if AVG can fully anonymise the data being sold to advertisers and affiliated brands, the issue remains that it’s uncomfortable (at best) for a security company to collect data on users before selling it off to third parties.

There is no free lunch. Like Gmail and other freebies – you’re the product!

Card Breach Hits America’s Thrift Stores

Quote

America’s Thrift Stores, which operates 18 donation-based thrift stores across five states, is the latest organization to discover it has been hit by a cyberattack.

The company recently learned it was a victim of a data breach that originated through software used by a third-party service provider.

America’s Thrift Stores confirmed it has been working with an independent external forensic expert, as well as the U.S. Secret Service, to investigate the breach, which it believes affected sales transactions between Sept. 1, 2015 and Sept. 27, 2015.

The malware-driven security breach resulted in the theft of customers’ payment card numbers and expiration dates, but America’s Thrift Stores confirmed the U.S. Secret Service does not believe customer names, phone numbers, addresses or email addresses were compromised in the attack.

“This breach allowed criminals from Eastern Europe unauthorized access to some payment card numbers,” the company’s CEO, Kenneth Sobaski, said in a statement.

“This virus/malware is one of several infecting retailers across North America.”

According to security blogger Brian Krebs, sources at several banks reported a pattern of fraud on payment cards used to make purchases at America’s Thrift Stores, meaning the cybercriminals may have used “data stolen from the compromised point-of-sale devices to counterfeit new cards.”

As PYMNTS reported yesterday (Oct. 12), the costs of cybercrime for businesses are rising at an alarming rate, with U.S. companies feeling the brunt of the financial burden.

In the latest report on the true costs of cybercrime, Hewlett-Packard issued a report in tandem with Ponemon via the latter’s Institute on Cyber Crime earlier this month. The report states that the U.S. is especially hard hit by hacking, as cyberattacks cost U.S. firms, on average, $15.4 million annually, which is double the $7.7 million global average (which is a bump of 1.9 percent over last year, after adjusting for currency changes). For the U.S., the latest average costs represent a significant jump from the $12.7 million seen in 2014.

Google Malvertising App

Quote

Android apps that should be innocuous are pimping smut by way of slack supervision of their advertising networks, with two app authors complaining to The Register that the root of the problem lies with The Chocolate Factory.

The authors of two popular Sydney public transport apps told us Google’s app monetisation service AdMob is failing to catch disallowed advertisements that should be easy to spot for the world-dominating ad-and-click network.

Malvertising is a rising problem because users are turning to ad blockers as a security precaution, both to protect against malware and to keep material they deem inappropriate out of their eyeballs. The latter outcome is made necessary by ads like those below, which The Register has observed in the Arrivo and TripView public transport timetable apps, both of which are likely to pop up on minors’ phones.

If, as it seems to this untutored eye, the ad got past filters by presenting its text as an image with extra space to defeat character recognition, Google deserves its backside kicked through all the letters of its Alphabet. Twice per letter, once per language.

Let’s get physical…

Almost everyone worries about computer security in one way or another. Much is written about network security, of course, and lots of attention is paid to file and operating system security, often as it relates to viruses.

Security of your physical computing assets, however, is just as important, and perhaps more important.  If someone has physical access to one of your assets, say a desktop computer, laptop, server or router, then, given enough time, they can compromise that asset.  Without sufficient physical security, all of the time, attention and resources spent on other security matters can be wasted.

For example, someone who has physical access to a device that uses a hard drive can, in a sometimes surprisingly short period of time, clone a hard disk of your device, and then study that at their leisure at another location.  You might not even know anyone was there.   As another example, they could replace your passwords, giving the perpetrator access to all or a portion of your environment while locking you out at the same time.

It is a truism that you cannot hold out forever against someone who can gain physical access to your environment, and someone who has access can of course do untold damage simply by destroying computing assets. However, that does not mean that you cannot or should not take steps to protect your computing environment. On the other hand, as with all things computer security, there is a risk/cost trade-off (more on that in another upcoming blog).

So, if you haven’t done so in a while, it might be a good idea to take stock of the physical security of your computing environment, with respect to access and damage.

For access, you should consider questions like: Who has access to each device? Should the device be protected by some sort of physical barrier to prevent access? Are there multiple levels of physical security? For example, if you are in a large corporation, your first layer of physical security might be a locked building with a guard. A second layer might be locating critical computing assets on a floor whose elevator requires a key to access that floor. Finally, you might put particularly critical devices in a room whose door uses a keypad, fingerprint or even a retinal scanner, and log all access.

And don’t forget to consider that dropped ceiling or raised floor as you think about a high security area.  A locked door might not be as secure as you thought if someone can go over it via a dropped ceiling or under it via a raised floor.

Regarding damage, aside from a berserker with a sledgehammer, one big risk is fire. Of course, if the entire building burns down it isn’t likely that your computing assets will survive. However, what if a smaller fire triggers the sprinkler system? What will happen to your computers?

Naturally, the list of things that good physical security might entail is a lot longer than a short article can cover.  But this article can perhaps serve as a jumping off point to a review of the physical security of your computing assets.

What’s in a Boarding Pass Barcode? A Lot

Quote

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.

Earlier this year, I heard from a longtime KrebsOnSecurity reader named Cory who said he began to get curious about the data stored inside a boarding pass barcode after a friend put a picture of his boarding pass up on Facebook. Cory took a screen shot of the boarding pass, enlarged it, and quickly found a site online that could read the data.

“I found a website that could decode the data and instantly had lots of info about his trip,” Cory said, showing this author step-by-step exactly how he was able to find this information.

“Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. “record key”) for the Lufthansa flight he was taking that day,” Cory said. “I then proceeded to Lufthansa’s website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance.”

The information contained in the boarding pass could make it easier for an attacker to reset the PIN number used to secure his friend’s Star Alliance frequent flyer account. For example, that information gets you past the early process of resetting a Star Alliance account PIN at United Airline’s “forgot PIN” Web site.

More Stuff for the shredder!
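To see for yourself what a printed boarding pass carries before you photograph or discard one, here is an added example (not code from the original post or from KrebsOnSecurity) that decodes the fixed-width mandatory section of an IATA BCBP barcode string. The sample string, names and booking data are constructed; the field layout follows IATA Resolution 792 as I know it, and the trailing conditional section (where the frequent flyer number sits) is measured but not decoded.

```python
# Added example: decode the 60-character mandatory section of an IATA BCBP
# boarding-pass barcode string. Sample data below is constructed/fictional.
from datetime import date, timedelta

# (field name, width) in order of appearance for a single-leg BCBP string.
MANDATORY_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("record_locator", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("flight_date_julian", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]


def parse_bcbp(data: str) -> dict:
    """Split the fixed-width mandatory section into named, stripped fields."""
    if len(data) < 60 or data[0] != "M":
        raise ValueError("not a BCBP string (expected 'M' format code, >= 60 chars)")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    # Day-of-year of travel; the year itself is not encoded in the barcode.
    fields["julian_day"] = int(fields["flight_date_julian"])
    # Byte length of the conditional section that follows (hex, may be blank).
    fields["conditional_size"] = int(fields["conditional_size_hex"] or "0", 16)
    return fields


def travel_date(julian_day: int, year: int) -> date:
    """Resolve the Julian day against a year the caller knows (not in the barcode)."""
    return date(year, 1, 1) + timedelta(days=julian_day - 1)


def exposed_fields(fields: dict) -> dict:
    """The surname plus record locator pair that the quoted story shows is enough
    to open a booking on an airline's 'manage my booking' page."""
    surname = fields["passenger_name"].split("/")[0]
    return {"surname": surname,
            "record_locator": fields["record_locator"],
            "carrier": fields["carrier"]}


# Constructed sample built field by field so the widths are exact.
SAMPLE = ("M1" + "DOE/JOHN".ljust(20) + "E" + "ABC123".ljust(7) + "FRA" + "MUC"
          + "LH".ljust(3) + "0450".ljust(5) + "285" + "Y" + "012A"
          + "0001".ljust(5) + "1" + "00")

if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE)
    for key, value in decoded.items():
        print(f"{key:22s} {value}")
    print("travel date (assuming 2015):", travel_date(decoded["julian_day"], 2015))
    print("enough for account lookup:", exposed_fields(decoded))
```

Run it against the text of a real barcode read by any scanner app and you will see the same surname and record locator pair the story describes, which is why a shredder is the right destination for the paper.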

Cisco security team disables big distributor of “ransomware”

Quote

Cisco Systems Inc (CSCO.O) said it had managed to disrupt the spread of one of the most pernicious systems for infecting Internet users with malicious software such as so-called ransomware, which demands payment for decrypting users’ data.

The investigators from Cisco’s Talos security unit were looking at the Angler Exploit Kit, which analysts at several companies say has been the most effective of several kits at capturing control of personal computers in the past year, infecting up to 40 percent of those it targeted.

They found that about half of computers infected with Angler were connecting to servers at a hosting provider in Dallas, which had been hired by criminals with stolen credit cards. The provider, Limestone Networks, pulled the plug on the servers and turned over data that helped show how Angler worked.

The research effort, aided by carrier Level 3 Communications (LVLT.N), allowed Cisco to copy the authentication protocols the Angler criminals use to interact with their prey. Knowing these protocols will allow security companies to cut off infected computers.

“It’s going to be really damaging to the attacker’s network,” Talos manager Craig Williams told Reuters ahead of the release of the report.

Cisco said that since Limestone pulled the plug on the servers, new Angler infections had fallen off dramatically.

Limestone’s client relations manager told Reuters his company had unwittingly helped the spread of Angler before the Cisco investigation.

Often sold in clandestine Internet forums or in one-to-one deals, exploit kits combine many small programs that take advantage of flaws in Web browsers and other common pieces of software. Buyers of those kits must also arrange a way to reach their targets, typically by sending spoof emails, hacking into websites or distributing malicious advertisements.

Once they win control of a target’s computer, exploit kit buyers can install whatever they want, including so-called ransomware. This includes a number of branded programs, also sold online, that encrypt users’ computer files and demand payment to release them.

Talos estimated that if three percent of infected users paid the ransom averaging $300, the criminals that had used the Limestone servers to spread Angler could have made about $30 million a year.

Good job Cisco!

Verizon’s hidden Super Cookie to get larger role

Verizon purchased AOL earlier this year and is now breathing new life into its invasive (lack of) privacy policy.

Quote

The Relevant Mobile Advertising program uses your postal and email addresses, certain information about your Verizon products and services (such as device type), and information we obtain from other companies (such as gender, age range, and interests). The separate Verizon Selects program uses this same information plus additional information about your use of Verizon services including mobile Web browsing, app and feature usage and location of your device. The AOL Advertising Network uses information collected when you use AOL services and visit third-party websites where AOL provides advertising services (such as Web browsing, app usage, and location), as well as information that AOL obtains from third-party partners and advertisers.
We do not share information that identifies you personally as part of these programs other than with vendors and partners who do work for us. We require that these vendors and partners protect the information and use it only for the services they are providing us.

That is BS, Verizon. You collect “postal and email addresses” and “gender, age range, and interests”; what else do you need to identify the user? His/her shoe size?

Quote

Privacy advocates say that Verizon and AOL’s use of the identifier is problematic for two reasons: Not only is the invasive tracking enabled by default, but it also sends the information unencrypted, so that it can easily be intercepted.

“It’s an insecure bundle of information following people around on the Web,” said Deji Olukotun of Access, a digital rights organization.
Verizon, which has 135 million wireless customers, says it will share the identifier with “a very limited number of other partners and they will only be able to use it for Verizon and AOL purposes,” said Karen Zacharia, chief privacy officer at Verizon.

In order for the tracking to work, Verizon needs to repeatedly insert the identifier into users’ Internet traffic. The identifier can’t be inserted when the traffic is encrypted, such as when a user logs into their bank account.

Previously, Verizon had been sending the undeletable identifier to every website visited by smartphone users on its network, even if the user had opted out. But after ProPublica revealed earlier this year that an advertising company was using the identifier to recreate advertising cookies that users had deleted, Verizon began allowing users to truly opt out, meaning that it won’t send the identifier to subscribers who say they don’t want it.
Verizon users are still automatically opted into the program.

“I think in some ways it’s more privacy protective because it’s all within one company,” said Verizon’s Zacharia. “We are going to be sharing segment information with AOL so that customers can receive more personalized advertising.”

A recent report by Access found that other large carriers such as AT&T and Vodafone are also using a similar technique to track their users.
In order for Verizon users to opt-out, they have to log into their account or call 1-866-211-0874.

Remember, as a Verizon subscriber, you are paying Verizon to farm your data and use it to make more money. Furthermore, the unencrypted streams leave you and your phone open to hacking and all the issues that can cause. Verizon and their ilk are despicable.

Not PCI DSS Compliant: Experian

Quote

Hackers broke into a server and made off with names, driver license numbers, and other personal information belonging to more than 15 million US consumers who applied for cellular service from T-Mobile.

The breach was the result of an attack on a database maintained by credit-reporting service Experian, which was contracted to process credit applications for T-Mobile customers, T-Mobile CEO John Legere said in a statement posted online. The investigation into the hack has yet to be completed, but so far the compromise is known to affect people who applied for T-Mobile service from September 1, 2013 through September 16 of this year. It’s at least the third data breach to affect Experian disclosed since March 2013.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” Legere wrote. “I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information.”


I am not sure where to file this: perhaps Cyber Hypocrisy? Wow, if the credit companies do not take cyber seriously, then we are all in deep doo-doo.

Spyware from Apple iTunes, Google Play, and Microsoft App Store

Quote

“Many trusted applications downloaded from Apple iTunes, Google Play, and Microsoft App Store are spying, snooping and stealing,” said Cybersecurity Expert Gary S. Miliefsky, CEO of SnoopWall, Inc.

See: https://www.youtube.com/watch?v=Q8xz8xKEFvU

This video has gone viral with nearly 6 million views, yet malicious flashlight app downloads have reached nearly 1 billion devices.

During FinDEVr, Miliefsky will demonstrate how popular apps are eavesdropping on bank accounts stealing PINs and credentials and monitoring check deposit from the largest banks in America. Consumers must be made aware of the fact that their smartphones are natural targets; that malware exists in trusted apps; and that ALL major mobile banking applications are susceptible to this exploitation.”

One of the big issues I see in the mobile space is the phone manufacturers & providers themselves. Their updates often contain spyware to sell more services, the operating systems themselves are not secure, especially with Android, and there is no easy application level control that allows users to select which apps can talk to the internet and which cannot (like a good workstation based firewall). Google Apps (GAPPS) are one of the biggest offenders. But they are not alone.

This is a big part of the cyber security problem, and not just in mobile. Systems are insecure in many ways by design so manufacturers can collect as much data as they can and sell it to advertisers and/or use it themselves to sell more. The Windows 10 OS is a good case in point. Unfortunately, those same vehicles used by manufacturers to get user data are also used by nefarious actors to do the same, and then use the data for identity and credit card theft and other criminal pursuits.

I think the ultimate solution for mobile, at least in the non-Apple market, will be a complete divorce of hardware from operating system. CyanogenMod and other open source projects have started in this direction. Will this take off? I think it will be very difficult, as there is so much money at stake from both the phone manufacturers that want to sell more kit and the phone carriers that are in bed with them to sell more services and collect as much info as they can on users. I also think the average user will still want a turn-key, easy to use solution. That said, a secure, feature-rich phone is not difficult, just at the moment not as profitable.