New “MailSploit” Allows Email Spoofing

Phishing attacks just got a whole lot easier.

A German security researcher named Sabri Haddouche has recently discovered a set of email vulnerabilities that have been collectively dubbed “Mailsploit.”  At the root, these vulnerabilities stem from the way most email systems interpret addresses encoded with a 1992 standard called RFC-1342.

The standard requires that all information in an email header be ASCII characters. If a non-ASCII character is needed, it gets encoded. Unfortunately, a shockingly large number of email clients (33 and counting) make no effort to check the header afterward for malicious code.

Also, if the decoded RFC-1342 header contains a null byte, or two or more email addresses, the client reads only the address that precedes the null byte, or the first valid email address it encounters.
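As an added example (not from the article or from Haddouche's research), here is a Python check that decodes a From: header the way an RFC 1342 (now RFC 2047) aware client would, then flags the two patterns just described: control characters such as a null byte in the decoded text, and more than one address. Both sample headers are constructed and the domains are placeholders.

```python
import re
from email.header import decode_header

# Constructed sample headers (not captured mail). The first is a legitimate
# RFC 2047 encoded display name; the second decodes to a display name that
# carries a NUL byte and a second address, the pattern the article describes.
LEGIT_FROM = "=?utf-8?Q?J=C3=BCrgen_M=C3=BCller?= <juergen@example.org>"
SUSPECT_FROM = "=?utf-8?Q?ceo=40example.com=00?= <mailbox@attacker.example>"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
ADDR_SPEC = re.compile(r'[^\s<>"@]+@[^\s<>"@]+')


def decode_header_text(raw: str) -> str:
    """Decode every RFC 2047 encoded word in a header into one Unicode string."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def inspect_from_header(raw: str) -> list:
    """Return a list of findings for a From: header; an empty list means clean.

    The checks run on the *decoded* text, because that is what a client
    displays to the user; the raw ASCII header looks harmless.
    """
    decoded = decode_header_text(raw)
    findings = []
    if CONTROL_CHARS.search(decoded):
        findings.append("control character in decoded header")
    if len(ADDR_SPEC.findall(decoded)) > 1:
        findings.append("more than one address in decoded header")
    # The display name (text before the angle brackets) should never itself
    # look like an address; that is the spoofing cue a user would fall for.
    display_name = decoded.split("<", 1)[0]
    if "@" in display_name:
        findings.append("display name contains an address")
    return findings


if __name__ == "__main__":
    for hdr in (LEGIT_FROM, SUSPECT_FROM):
        print(repr(hdr), "->", inspect_from_header(hdr) or "clean")
```

A mail gateway or client that applies a check like this before rendering would reject or quarantine the second header, while the legitimate encoded name passes untouched.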

The email clients vulnerable to this type of attack include:

  • Apple Mail
  • Mail for Windows 10
  • Microsoft Outlook 2016
  • Mozilla Thunderbird
  • Yahoo! Mail
  • AOL Mail

And many others, but Haddouche notes that Gmail is unaffected by the exploit.

There are two ways a hacker can use Mailsploit. First, and most obvious to the eye, it can be used to spoof an email address so that a message appears to come from someone you know, which, of course, makes it much more likely that you’ll click on any links embedded in the body of the message.

Secondly, and potentially even more troubling, the exploit can be used to inject malicious code directly onto the recipient’s machine, which can easily give the hacker sending the email full control of the target’s system.

Worst of all, though, is the fact that while Haddouche contacted all of the companies found to offer vulnerable email clients, only eight of them have released a patch to correct the issue. Twelve vendors opted to triage the bug, but gave no information on if or when the issue might be patched, and twelve others made no reply at all.

Mozilla and Opera (both vulnerable) flatly refused to address the problem, which they see as a server-side issue.

Your IT staff’s job just got a whole lot harder.

Yet Another Credit Card Breach For Hyatt

Hotel giant Hyatt is in the crosshairs again, having suffered its second data breach in two years. Hyatt’s security team recently confirmed the breach as having occurred between March 18 and July 2 of 2017.

While the company has yet to release any information detailing the number of impacted users, simply stating that it was a “small percentage of guests,” we do know that the following information was stolen:

• Credit card numbers
• Cardholder names
• Expiration dates
• And internal verification codes

Of note, no other personal information was obtained, so your name, address, birthdate, etc. remain safe.

It’s also known that the breach impacted 41 of Hyatt’s facilities, spread over 11 countries, including the United States, Brazil, China, Colombia, Guam, India, Indonesia, Japan, Malaysia, Mexico, Puerto Rico, Saudi Arabia and South Korea.

Per Chuck Floyd, Hyatt’s President of Operations:

“Based on our investigation, we understand that such unauthorized access to card data was caused by the insertion of malicious software code from a third party onto certain hotel IT systems. Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue.

We worked quickly with leading third-party cybersecurity experts to resolve the issue and strengthen the security of our systems in order to help prevent this from happening in the future.

As a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide.”

Interestingly, this statement is eerily similar to the one he was forced to issue last year after the first of the two data breaches.

While it’s understandable to try and put things in the best possible light after an attack like this, the words begin to ring hollow if the attacks keep happening, and it may be more difficult for Hyatt to regain consumer trust after this second incident.

Files Containing Nearly 1.5 Billion Passwords Leaked On The Internet

Researchers from the security firm 4iQ have made a disturbing discovery on the dark web. A massive repository has been discovered that contains a staggering 1.4 billion usernames and passwords in plain text.

The repository is well organized, with each letter of the alphabet having its own directory to facilitate rapid search. 4iQ has tested a subset of the data it contains and found an alarming percentage of the usernames and passwords to be viable.

It should be noted that this data isn’t from a new, previously unknown breach, but rather, an aggregation of data stolen from 252 previous breaches. The CTO of 4iQ, Julio Casal, had this to say about the discovery:

“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true. The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo lists that exposed 797 million records. This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”

The usernames and passwords come from a wide range of sources including Runescape, Minecraft, RedBox, Badoo, Zoosk, Last.FM, YouPorn, Netflix, MySpace, LinkedIn, Pastebin, Bitcoin and many others.

What’s even worse is that as large as this collection is, it’s really just the tip of the iceberg. A shocking percentage of users have the bad habit of using the same credentials across multiple web properties, so it’s a statistical certainty that many of the passwords contained in this file will allow hackers access to much more than just the web properties the passwords were stolen from.

If you’re not yet in the habit of changing your passwords on a regular basis, you should begin doing so immediately, and if you’re one of the hundreds of millions of people who use the same password on multiple sites, it’s well past time to break that habit.

Android Bug Found In Adaptive Icons

Do you use apps that employ the new “Adaptive Icons” feature introduced in Android Oreo? If so, be aware that there’s a serious flaw in the code that could send your device into an infinite bootloop, leaving you no alternative but to restore the device to factory default settings, which will almost certainly result in at least some lost data.

It’s important to underscore the fact that this bug does not impact Android Oreo at all in its default state. Rather, it can be triggered by apps that use the Adaptive Icons feature.

The bug was discovered by a developer going by the name of Jcbsera, who wrote an app called “Swipe for Facebook.” His app, when installed, creates a conflict by introducing two files with the same file name, which creates a circular reference.

The only way around the problem relies on you having done some serious prep work in advance of installing the app, which includes having USB debugging enabled and uninstalling the app via ADB, a combination of conditions unlikely to be met by many users.

The bug wasn’t picked up on in testing because all testing was conducted on the emulator built into Android Studio, which did not allow the bug to manifest.

Note that if you’ve installed this app, you do not need to launch it in order to send your device into an infinite loop. That happens automatically, once the installation is complete.

Google has been notified, and plans are already in place to patch the issue in the upcoming release of Android Oreo 8.1.

This interesting, but ultimately unnecessary feature has already caused thousands of users to lose data by forcing them to restore to factory defaults. Just be aware of it so that it doesn’t happen to you, and update to version 8.1 as soon as it is available.

New Facebook Messenger App For Kids Raises Privacy Questions

On the surface, the new Facebook For Kids messenger app looks like a solid win that should put the minds of parents all over the world at ease.

The company conducted extensive interviews and assembled a blue-ribbon panel of experts to help it craft the new tool, aimed at children ages 6-12. The app itself is user friendly and filled with bright, cheerful primary colors that appeal to kids, but there are problems, or, at the very least, valid concerns.

For one thing, Facebook has made no mention of how it plans to monetize its new app, other than to say that it won’t contain any advertising. It’s not difficult to imagine some possibilities, however, and none of them are good.

For another, the company essentially used scare tactics to get parents to sign their kids up for the service, saying essentially that kids are going to chat online anyway, and if they don’t use Facebook’s new offering, they are at greater risk of talking to a child predator.

Then, there’s the issue that Facebook requires the child’s full name, and behind the scenes, the app is busily mapping out the child’s social network – who his parents are, the friends of both the children and their parents and so on.

According to the company, it has no plans to turn children’s accounts into full-fledged Facebook profiles, but given the amount of data being collected, it’s not hard to imagine them offering a one-click export function that would turn these accounts into regular Facebook accounts on the day the child turns 13.

What’s most disheartening of all is the fact that the company could have chosen another, far less intrusive route. Rather than requiring the child’s full name and the establishment of a familial relationship, the app could have been nested directly under the parent’s account, with a nickname or even a colorful symbol used to denote the child. This approach would have been far less data intensive and far less intrusive.

How well the new app will be received remains to be seen, much like the long-term consequences of its launch.

Firefox Doubles Its Speed With Latest Release

The new version of Firefox is out, and if you’ve moved away from the browser in recent years, it may be time to give it another look.

Dubbed “Quantum,” Firefox’s latest offering has been completely redesigned, and has a lot to like, not the least of which is its raw speed. This latest version is twice as fast and now handily beats Google Chrome in speed tests, thanks in no small part to its next-gen CSS engine, and the fact that it is the first browser to fully utilize the power of multicore processors.

It also consumes 30 percent less memory and positively sips battery power, making it a great choice for laptop and smartphone users.

In addition to that, the revamped browser offers improved tracker blocking, built-in screenshot functionality and of particular interest, support for WebVR, which enables webmasters to take full advantage of the capabilities offered by virtual reality headsets.

You can get Mozilla’s latest offering from their website right now if you’re a PC user, though you’ll have to wait a bit if you’re on a smartphone. The latest release is scheduled to appear on the Google Play Store in a matter of days, but there is, as yet, no ETA on when it will be appearing in Apple’s App Store.

Speed is life in business, and if you’re looking to squeeze out a bit more efficiency and performance from the machines on your network, the new Firefox browser is definitely worth checking out. It’s only a matter of time before the other major players catch up, but until they do, Firefox’s Quantum browser looks to be the new reigning king of the hill and represents a big win for mobile users, given the power savings on offer. Kudos to Mozilla for an exceptional update!

Data Breach Costs Hilton $700,000 In Settlement

Hilton Hotels is in hot water, having recently been fined a hefty $700,000 in an agreement with the states of New York and Vermont over the company’s mishandling of a pair of recent data breaches.

According to official statements released by investigators, the company was found to have made two glaring errors: failing to maintain reasonable data security, and failing to notify victims of the data breach in a timely manner.

The second was seen as particularly egregious, given that the company waited more than nine months before notifying its customers of the first of the two breaches. Eric T. Schneiderman, the Attorney General of the state of New York, said:

“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible.

Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”

According to the particulars of the agreement, New York State will receive $400,000 of the damages, and Vermont will receive $300,000.

The lesson here is as simple as it is painful. If you don’t take proper precautions and implement reasonable security when it comes to protecting your customers’ data or inform your impacted customers in a timely fashion, you’ll eventually pay the consequences.

Those consequences took two forms. First and most obvious to the eye is the hefty fine itself. Although Hilton is a large corporation with deep pockets, $700,000 isn’t exactly pocket change, and it’s bound to sting. Second, the company lost an enormous amount of face with its customers and tarnished its image and reputation. The lost trust arising from their mishandling will take far longer to rebuild than it will for the company to make up the financial loss represented by the fine.

File this one away under how not to handle a data breach.

Latest Store With Payment Breach Is Forever 21

Unfortunately, another high-profile data breach has surfaced. The latest company to fall victim is US-based fashion retailer Forever 21, operating more than 800 stores in 57 countries.

The company became aware of the breach when they were notified of “unauthorized access to data from payment cards that were used at certain Forever 21 store locations.”

The investigation into the incident is ongoing, and we don’t have full details yet, but here’s what we know so far:

• Although the company had attempted to bolster security by implementing a token and encryption-based system that was designed to protect transaction data on the company’s point-of-sale system, an implementation issue at some store locations left POS equipment vulnerable, and these were the devices the hackers gained access to.

• Anyone who shopped at a Forever 21 location between March and October 2017 may have been impacted.

At this point, three significant pieces of information are missing. We do not yet know exactly which stores were impacted, nor how many of Forever 21’s customers may have seen their credit card information exposed, or what level of access the hackers may have had to the transaction data. We also don’t yet know if the group responsible got any personally identifiable information from the affected terminals.

The company’s official announcement regarding the breach included the following statement:

“Forever 21 immediately began an investigation of its payment card systems and engaged a leading security and forensics firm to assist. We regret that this incident occurred and apologize for any inconvenience. We will continue to work to address this matter.”

If you’ve shopped at any Forever 21 location during the timeframe mentioned above, be aware that your payment data may have been compromised. For now, the best thing you can do is monitor your credit card statements closely for any unusual activity and report it immediately if you find it.

Malware Infections Grow 4X In Just One Quarter

The world’s hackers have been busy, according to the latest report from Comodo Security, which tracks the total number of threats around the globe quarter by quarter. The latest statistics are alarming, showing a massive jump in the total number of malware infections reported in the third quarter of 2017. Reports show nearly 400 million infections.

What’s worse is that the infections have spread to literally every corner of the globe. No nation is completely safe.

Digging more deeply into the statistics offered by Comodo, we find that the top five countries for malware infections this quarter were:

  • Russia
  • The United States
  • Poland
  • The United Kingdom
  • And Germany

These five nations combined accounted for fully 80 percent of the total number of infections reported.

Breaking the infections down by type, we find the following as the top 5:

  • Trojans (13.7 million)
  • Viruses (5.4 million)
  • Worms (2.8 million)
  • Backdoors (553,000)
  • And Packed Malware (284,000)

Diving even more deeply into the statistics yields more good information, including the fact that poorer nations tend to be afflicted more often by viruses and worms as these nations tend to use older, unpatched or unlicensed software. These types of infections tend to run rampant in Southeast Asia, Southeastern Europe, Africa and South America.

The report also details that the number of large-scale email phishing attacks is on the rise, due in no small part to the recent popularity of Locky and other strains of ransomware, with the largest phishing attack having been conducted from August to September 2017. According to the report:

“This attack was unique in its combination of sophistication and size, backed by a botnet spread across more than 11,000 IP addresses in 133 countries in just the first stage of the attack. Also, the malware was designed to avoid detection by sandboxing and artificial intelligence technologies common in many endpoint protection systems.”

All in all, it’s a fascinating, though disturbing read, and points to the rapidly increasing sophistication of the world’s hackers that will no doubt continue to spell trouble for security professionals around the globe.

Granting Photo Access In iPhone Might Allow Unauthorized Photographing

An Austrian software engineer named Felix Krause has made a disturbing discovery about iPhones running iOS 11. Once an app has been given permission to access the device’s camera, it can take pictures and videos without alerting the user and upload them to the internet in real time.

Unfortunately, there are a lot of apps that users grant camera permissions to. Basically, any time you upload an avatar or post a picture with an app, you’ve got to give it camera permissions to do that.

Krause documented his findings in a short video presentation. As long as an app with camera permissions was in the foreground, it could snap photos literally every second, all without the user being alerted to what was going on.

Krause was quick to point out that he wasn’t naming names, and so far, at least, there are no known instances of malicious apps abusing this flaw, nor are any legitimate apps misusing it to anyone’s knowledge. The simple fact that it is possible, though, opens the door to a whole host of malicious apps that could abuse it, and that’s disturbing.

For the moment, there are really only two ways to address the issue: either go in and modify all your apps’ permissions so that they no longer have camera access, or use lens covers to make it so that your front and back cameras can’t record anything unless you specifically want them to.

Longer term, there are a number of things Apple could do to address the issue. The two simplest fixes would be introducing expiring permissions for apps to allow for more precise user controls, or introducing LED lights that would activate any time the camera was in use, thus giving the user a clear visual marker.

In any case, for the moment, it’s important to know that your phone may be watching and/or recording you.