Car Tracking Device Company Had Its Passwords Leaked

We’ve seen a lot of hacking attacks so far this year, but the successful breach of SVR Tracking may take the prize as the most invasive attack of 2017.

If you’re not familiar with the company, SVR Tracking provides a vehicle tracking service. This is accomplished by mounting a small, unobtrusive device on your car in an area where an unauthorized driver is unlikely to notice or look.

Once the device is attached, it reports the vehicle’s location back to the app database in two-minute intervals when the vehicle is in motion, and in four-hour intervals when the vehicle is stationary. One-hundred and twenty days of vehicle location information is available to anyone with the proper login credentials.

On September 18, researchers from Kromtech Security Center discovered files in an unsecured Amazon S3 bucket containing login credentials for more than half a million SVR Tracking accounts. Note that the total number of vehicles this could impact is likely far higher than half a million, because the app is frequently used by companies that manage entire fleets of vehicles, so one account may have dozens (or more) vehicles associated with it.

The exposed files contained account names, passwords, vehicle maintenance reports, dealer contracts and more.

There are two primary ways that a hacker could profit from this information. First and most obvious is that if you know exactly where a vehicle is, and when it’s likely to be sitting idle for hours at a time, then it’s incredibly easy to steal it.

Second, and less obvious, is that knowing where a vehicle goes allows hackers to build a detailed profile about the person driving the car, which can be used to provide better email targeting for attacks down the road.

In any case, the offending files have now been removed and the server locked down, but there’s no way of knowing how many unauthorized people accessed those files while they were publicly visible. If you use the SVR Tracking app, just to be safe, you should change your password immediately.

Windows 10 Gets New Set Of Recommended Security Standards

Microsoft has introduced a new set of standards designed to make computers running Windows 10 more secure.

Obviously, these standards are not industry requirements, and most of the off-the-shelf PCs you can buy will struggle to meet all of these requirements. In time, of course, that could change, but as things stand now, if you’re interested in making your computer as safe and secure as it possibly can be, this is a road you’ll have to go down on your own and make the necessary mods and additions to your existing equipment. Here’s the summary, in a nutshell:

• 7th generation AMD or Intel Processors, because these contain MBEC (Mode-Based Execution Control)
• 64-bit processor architecture to take advantage of VBS (Virtualization-Based Security)
• Support for AMD-Vi, Intel VT-d, or ARM64SMMUs (this, to take advantage of Input-Output Memory Management Unit device virtualization)
• Purchase a Trusted Platform Module, if one is not already built into your existing chipset
• Make use of Platform Boot Verification to prevent the loading of firmware that was not designed by the manufacturer of your system
• A minimum of 8GB of RAM
• Use a system that implements UEFI (Unified Extensible Firmware Interface) 2.4 or above
• Systems should also support the Windows UEFI Firmware Capsule Update specification
• All drivers used should be Hypervisor-based Code Integrity compliant

At first blush, this list seems a bit daunting, but the cost requirements to better secure the Windows 10 PCs on your network are really not as bad as they first appear. In fact, it is possible to find a few off-the-shelf PCs that meet the newly published security standards, so if you’re ready to replace some of your network equipment, you do have at least a few options that don’t require you to custom build.

In any case, although it’s true that the new standards aren’t a magic bullet, they will certainly go a long way toward making your network as a whole more secure, making them a welcome addition indeed.

Paypal-Owned Company Sees Breach Of 1.6 Million Customers

TIO Networks, a cloud-based, multi-channel bill payment platform purchased by Paypal for $233 million in 2017, was breached earlier this year, exposing PII (Personally Identifiable Information) for an estimated 1.6 million of the service’s users.

TIO Networks primarily does payment processing and accounts receivables for cable, utility, wireless and telecom companies in North America. If you do business with TIO, it’s possible that your company or personal information may have been compromised.

So far, neither Paypal nor TIO Networks has released any significant details about the breach, so we do not yet have any indication of how it happened, who was responsible or exactly which of their customers had their information exposed. Paypal did release a brief statement concerning the incident, which said, in part:

“The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure.”

The statement went on to say that as soon as PayPal identified the breach, they took action by “initiating an internal investigation of TIO and bringing in additional third-party cybersecurity expertise to review TIO’s bill payment platform.”

For their part, TIO Networks has suspended all operations until the investigation into the matter has been completed, and has begun notifying impacted customers. In addition to that, as is common with situations like these, they’re also working with Experian to provide a year’s worth of free credit monitoring for people who were affected.

A part of TIO’s statement about the incident reads as follows: “At this point, TIO cannot provide a timeline for restoring bill pay services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills….We sincerely apologize for any inconvenience caused to you by the disruption of TIO’s service.”