
Monthly Archives: April 2016

Kuwaiti Government will DNA Test Everyone


There’s a new law that will enforce DNA testing for everyone: citizens, expatriates, and visitors. They promise that the program “does not include genealogical implications or affects personal freedoms and privacy.”

I assume that “visitors” includes tourists, so presumably the entry procedure at passport control will now include a cheek swab. And there is nothing preventing the Kuwaiti government from sharing that information with any other government.


United Air – Very Late Arrival at Security


United Airlines has renovated the security on its frequent flyer scheme “MileagePlus” by requiring users to answer one of five security questions and enter a password when they log on.
The airline sent emails to customers requesting they update their security from weak, short PINs to complex passwords.
The new codes require two special characters, a number, and five letters to reach the minimum of what United deems a strong password.
United customers will still need to use their PINs when they ring United customer contact centres until the changes are complete.
Users have 30 days to make the changes.
Five pull-down security questions need to be filled from pre-selected answers, reducing the chance users will lock themselves out. Those whose childhood dreams were journalism and to play the Huang won’t find their answers within, however.


Lenovo’s file-sharing app uses hardwired password ‘12345678’ … or no password at all



Lenovo ShareIT users, get patching: the PC maker’s file-sharing app is pretty much unsecured.

The software runs on Windows and Android devices, and creates a Wi-Fi hotspot allowing data to be exchanged – from phone to PC, PC to phone, etc. But the wireless network is pretty much unsecured on both platforms.

In ShareIT for Windows, the Wi-Fi uses “12345678” as a hardcoded password, while in Android, there’s no password at all. If someone logs into the Wi-Fi hotspot on Windows, they can browse, but not download, files on the machine.

Core Security, which found the design flaw, also notes that file transfers in Windows and Android aren’t encrypted. If an attacker was logged into the hotspot on either side of a file transfer, traffic sniffing would yield a copy of the transfer.

The vulnerable versions are ShareIT for Windows version and ShareIT for Android 3.0.18_ww. The bugs are designated CVE-2016-1489, CVE-2016-1490, CVE-2016-1491, and CVE-2016-1492.

Lenovo’s latest versions are available here. Get ’em.

That’s not the only issue. Their machines have come through with so much crapware lately that out of the box they are slower than the old XP machines we are replacing.


‘Panama papers’ came from e-mail server hack at Mossack Fonseca


Money-shuttling firm lost 2.6 TB of data and didn’t even notice

The staggering, Wikileaks-beating “Panama Papers” data exfiltration has been attributed to the breach of an e-mail server last year.

The leak of documents from Panama-based, internationally-franchised firm Mossack Fonseca appears to confirm what has long been suspected but rarely proven: well-heeled politicians, businesses, investors, and criminals use haven-registered businesses to hide their wealth from the public and from taxmen.

Bloomberg says co-founder Ramon Fonseca told Panama’s Channel 2 the leaked documents are authentic and were “obtained illegally by hackers”.

According to The Spanish, the whistleblower (here in Spanish) accessed the vast trove of documents by breaching Mossack Fonseca’s e-mail server, with the company sending a message to clients saying it’s investigating how the breach happened, and explaining that it’s taking “all necessary steps to prevent it happening again”.

The company added that it’s engaged security consultants to close the horse-long-gone stable door.

I love it! Law firm involved in a highly secretive operation cannot even do the basic steps to secure their servers. Of course I am not surprised, IT (ICT) security has been deemed more of an annoyance than a top priority at so many businesses. “Why me worry?” is the word of the day. Probably had an ISP el cheapo “firewall” device.



Surprise! Magic Kinder app could let hackers send vids to your kids


Security watchers have warned of massive privacy problems with the Magic Kinder App for children.

A lack of encryption within the Magic Kinder smartphone app and other security shortcomings open the doors for all sorts of exploits, they claim.

Hacktive Security alleges that a malicious user could “read the chat of the children, send them messages, photographs and videos or change user profile info such as date of birth and gender,” as explained in detail in a blog post here.

The Android app – which has clocked in at more than 500,000 downloads – was developed by a subsidiary of Ferrero International, the firm behind Nutella, Kinder and Ferrero Rocher.

The mobile software aims to offer “strategic, educational games and quizzes to improve children’s skills and development”.

Ferrero has yet to respond to a request for comment.

Joe Bursell, marketing manager at independent security consultancy Pen Test Partners, said that the Magic Kinder App is riddled with basic security problems.

“These are not subtle, hard-to-find issues,” Bursell told El Reg. “You’d see those IDs in the proxy within minutes of testing and the first thing you would do is manually increment/decrement them.”

“There are no authorisation checks on any of the requests. This means that anyone can: send a message to your kids, read your family diary, and change other data about people, e.g. gender.”

“Also, it doesn’t use encryption,” Bursell added.

Probably laden with spyware to hoover up all sorts of family data.
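
The missing authorisation check described in the Magic Kinder item above, shown as an added example that is not part of the original post or the app's code: the unchecked lookup beside a version that decides access from the authenticated session, plus a simple check over denied requests for a client walking sequential IDs. All user names, chat IDs and messages are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: each user's family, and the family that owns
# each chat. Chat IDs are sequential, as in the reported flaw.
USER_FAMILY = {"parent_a": 1, "child_a": 1, "parent_b": 2, "outsider": 3}
CHAT_FAMILY = {100: 1, 101: 2, 102: 2, 103: 1}
CHAT_BODY = {100: "hi mum", 101: "homework done", 102: "goodnight", 103: "on my way"}

class Forbidden(Exception):
    pass

def read_chat_unchecked(chat_id):
    """Flawed pattern: whoever supplies an ID receives the object."""
    return CHAT_BODY[chat_id]

def read_chat(session_user, chat_id, denied_log):
    """Hardened pattern: access is decided from the authenticated session,
    never from the ID the client sent. Unknown IDs get the same refusal
    as foreign ones, so the response does not reveal which IDs exist."""
    family = USER_FAMILY.get(session_user)
    if family is None or CHAT_FAMILY.get(chat_id) != family:
        denied_log.append((session_user, chat_id))  # evidence for detection
        raise Forbidden(f"{session_user} may not read chat {chat_id}")
    return CHAT_BODY[chat_id]

def enumeration_suspects(denied_log, threshold=2):
    """Users refused on `threshold` or more distinct IDs: the footprint of
    someone incrementing or decrementing identifiers."""
    seen = defaultdict(set)
    for user, chat_id in denied_log:
        seen[user].add(chat_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)

def demo():
    """Replay a constructed request sequence against the hardened handler."""
    denied, results = [], {}
    requests = [("child_a", 100), ("outsider", 100), ("outsider", 101),
                ("outsider", 102), ("parent_b", 100)]
    for user, chat_id in requests:
        try:
            results[(user, chat_id)] = read_chat(user, chat_id, denied)
        except Forbidden:
            results[(user, chat_id)] = None
    return results, enumeration_suspects(denied)

if __name__ == "__main__":
    print(demo())
```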