T-Mobile Site Leaked Data On Millions Of Customers

Security researcher Ryan Stevenson, whose findings were reported by ZDNet, recently found a serious problem on T-Mobile's website: an API endpoint that returned customer account data without any authentication.  As a result, the account information of millions of T-Mobile customers was left exposed.  Anyone who stumbled across the endpoint and chose to abuse it could pull up a wide range of customer information with no password required.

<strong>This includes, but is not limited to:</strong>
<ul>
<li>Customer name</li>
<li>Phone number</li>
<li>Mailing Address</li>
<li>Account Number</li>
<li>The status of the account (current, past due, suspended, etc.)</li>
</ul>
In an unknown number of cases, tax IDs and PINs were also exposed.

T-Mobile runs a bug bounty program that pays researchers who report flaws affecting the company.  Stevenson received a $1,000 reward for the issue, and follow-up research showed that the flaw had been present on the company's website since October 2017 or earlier.

T-Mobile's handling of the incident has been less than stellar so far.  The company has acknowledged the issue and has already fixed it, but it has released no information about how many customer records were exposed.

There is no evidence that any of the exposed records were accessed inappropriately.  Even so, when an incident like this occurs, the company involved typically provides details on the scope and scale of the exposure, notifies all potentially affected customers, and usually offers a year of free credit and identity monitoring.  So far, none of that has happened.

While it’s certainly possible that the company may take these steps in the future, we were both surprised and disappointed that they had not already done so, especially given the fact that this was essentially a self-inflicted wound.  Here’s hoping that in the days ahead, they do something to earn back the lost trust.

FBI Advises Users To Reboot Their Routers

Cisco's Talos security team has identified a new threat, and it's a nasty one: malware infecting at least half a million consumer-grade routers and network storage devices worldwide.  According to the Talos report, the malware targets a broad cross-section of devices made by TP-Link, QNAP, Netgear, MikroTik, and Linksys.

Known as "VPNFilter," the malware is built in stages.  The first stage establishes a foothold that survives a reboot and fetches the later stages, which let the attackers collect a wide range of communications data passing through the device and enslave it for attacks on others.  The second stage also contains a "kill" command that overwrites part of the device's firmware and reboots it, rendering the router unusable at will.

The FBI has already seized a domain the attackers used to deliver the later stages of the attack, and reports that the primary and secondary means of delivering those stages have been dismantled.  The attackers still have a fallback, however: the first stage also listens for a specially crafted "trigger" packet, so a device that is still infected can be re-tasked directly without any domain at all.

Based on an analysis of the code, including overlap with malware used in earlier attacks, the campaign has been attributed to a Russian hacking group with deep ties to the Russian government.  The group is known by a variety of names, including Fancy Bear, Sofacy, APT28, and Pawn Storm.

On the heels of seizing the domain, the FBI released a statement that includes:

“The FBI recommends any owner of small office and home office routers reboot the devices to temporarily disrupt the malware and aid the potential identification of infected devices.  Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled.  Network devices should be upgraded to the latest available versions of firmware.”

Can Computer Data Be Stolen Through Power Lines?

If you run an air-gapped computer, you probably think your data is safe: barring physical access to the machine, no attacker could possibly get at it.  Unfortunately, that assumption no longer holds.

Security researchers at Ben-Gurion University of the Negev in Israel have demonstrated a way of exfiltrating data from such a machine over its power lines.  It may sound like science fiction, but it's real, and it applies even to computers thought to be highly secure.

If you're not familiar with the term, an air-gapped computer is one that is physically isolated from local networks and the internet.  Because it's not connected to anything, such machines have long been regarded as the gold standard for data security, and governments and corporations use them to hold their most sensitive data.

Here’s what the researchers had to say about their discovery:

"As a part of the targeted attack, the adversary may infiltrate the air-gapped networks using social engineering, supply chain attacks, or malicious insiders.  Note that several APTs discovered in the last decade are capable of infecting air-gapped networks (e.g. Turla, RedOctober and Fanny).

However, despite the fact that breaching air-gapped systems has been shown feasible, the exfiltration of data from an air-gapped system remains a challenge.”

Up until now, anyway.

The researchers have dubbed the technique "PowerHammer."  Malware running on the isolated machine varies the processor's workload, and with it the current the computer draws from the mains; by switching the load on and off in a controlled rhythm, the malware turns those fluctuations into a binary signal, much as Morse code turns a single key into letters.

All the attacker then needs is a current probe on the power line to measure the flow of electricity and decode the signal.  According to the research team, a probe attached directly to the cable feeding the computer achieves up to 1,000 bits per second; tapping the building's electrical panel instead, which is easier for an outsider to reach but noisier, drops the rate to around 10 bits per second.

This should scare the daylights out of anyone in data security.
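To make the modulation concrete, here is an added simulation in Go (example code written for this page, not the researchers' PowerHammer implementation).  It models the transmitter as malware that toggles CPU load as a square wave at one of two frequencies per bit, models the power line as the idle current plus a load-dependent component plus Gaussian noise, and recovers the bits with a single-bin DFT over each bit window.  The sample rate, bit period, tone frequencies and current levels are assumed values chosen for the toy, and the message is constructed.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Assumed parameters for this toy channel, not figures from the paper.
const (
	sampleRate    = 1000.0 // the current probe samples at 1 kHz
	samplesPerBit = 100    // 100 ms per bit, i.e. 10 bit/s in this model
	freqZero      = 50.0   // CPU-load toggle frequency that encodes a 0 (Hz)
	freqOne       = 100.0  // CPU-load toggle frequency that encodes a 1 (Hz)
	idleAmps      = 0.30   // baseline current drawn by the idle machine
	loadAmps      = 0.25   // extra current drawn when every core is busy
)

// cpuBusy models the malware: while a bit is being sent, it flips the CPU
// between busy (1) and idle (0) as a square wave at that bit's frequency.
func cpuBusy(bit byte, sample int) float64 {
	period := int(sampleRate / freqZero) // 20 samples per cycle for a 0
	if bit == 1 {
		period = int(sampleRate / freqOne) // 10 samples per cycle for a 1
	}
	if sample%period < period/2 {
		return 1
	}
	return 0
}

// transmit returns the trace a probe on the power line would record: baseline
// draw, the load-dependent part, and Gaussian noise from the rest of the circuit.
func transmit(bits []byte, noiseAmps float64, seed int64) []float64 {
	rng := rand.New(rand.NewSource(seed))
	trace := make([]float64, len(bits)*samplesPerBit)
	for i := range trace {
		busy := cpuBusy(bits[i/samplesPerBit], i)
		trace[i] = idleAmps + loadAmps*busy + noiseAmps*rng.NormFloat64()
	}
	return trace
}

// energyAt is a single-bin DFT: how strongly the window oscillates at f.
func energyAt(window []float64, f float64) float64 {
	var re, im float64
	for i, x := range window {
		phase := 2 * math.Pi * f * float64(i) / sampleRate
		re += x * math.Cos(phase)
		im -= x * math.Sin(phase)
	}
	return re*re + im*im
}

// receive is the probe-side demodulator: per bit window, pick the stronger tone.
func receive(trace []float64) []byte {
	bits := make([]byte, 0, len(trace)/samplesPerBit)
	for start := 0; start+samplesPerBit <= len(trace); start += samplesPerBit {
		w := trace[start : start+samplesPerBit]
		if energyAt(w, freqOne) > energyAt(w, freqZero) {
			bits = append(bits, 1)
		} else {
			bits = append(bits, 0)
		}
	}
	return bits
}

func toBits(s string) []byte {
	bits := make([]byte, 0, 8*len(s))
	for _, b := range []byte(s) {
		for i := 7; i >= 0; i-- {
			bits = append(bits, (b>>uint(i))&1)
		}
	}
	return bits
}

func fromBits(bits []byte) string {
	out := make([]byte, 0, len(bits)/8)
	for i := 0; i+8 <= len(bits); i += 8 {
		var b byte
		for _, bit := range bits[i : i+8] {
			b = b<<1 | bit
		}
		out = append(out, b)
	}
	return string(out)
}

// roundTrip sends a message through the modelled channel and returns what the decoder recovers.
func roundTrip(msg string, noiseAmps float64, seed int64) string {
	return fromBits(receive(transmit(toBits(msg), noiseAmps, seed)))
}

func main() {
	fmt.Printf("recovered %q over the power line\n", roundTrip("KEY", 0.05, 1))
}
```

Raise noiseAmps to see where decoding starts to fail.  In the real attack the noise comes from other equipment on the same circuit, which is why the achievable rate falls when the probe moves from the computer's own cable to the building's panel; the countermeasure the researchers discuss is likewise about the line, not the software: filtering the supply and monitoring it for unexplained modulation.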

Embedded Sound Waves Could Damage Your Computer

It seems like a new attack vector emerges every week, and this week is no exception.  The latest: specially crafted audio files, delivered by email or a web page, whose acoustic vibrations can damage a computer's hard drive.  The damage can go as far as system failure, data corruption, and a machine that will no longer boot.

As the researchers point out, “Intentional acoustic interference causes unusual errors in the mechanics of magnetic hard disk drives in desktop and laptop computers, leading to damage to integrity and availability in both hardware and software such as file system corruption and operating system reboots.  An adversary without any special-purpose equipment can co-opt built-in speakers or nearby emitters to cause persistent errors.”

It should be noted that, as scary as this attack sounds, in practice it is of limited value.  A growing share of laptops and desktop PCs sold today ship with SSDs, which have no moving parts and are not affected.

In addition, not just any sound will do.  For the attack to succeed, the acoustic vibrations have to be strong enough to do real harm, yet quiet enough that the attack is not noticed and aborted immediately.  Together, those two constraints make it unlikely that this technique will gain widespread traction among attackers.  Nonetheless, it pays to be mindful, especially if you have an older PC or work in an office with older equipment.

The research team behind the discovery has built a sensor-fusion defense that could be delivered through a firmware update.  By combining readings from the drive's sensors, it can tell acoustic interference from a genuine shock and avoid unnecessary head parking, limiting the damage the attack can cause.  So far there has been no word that PC manufacturers are considering making the necessary changes to their firmware.  Time will tell.

Hacked Routers Being Used To Spread Malware

Beware of compromised routers spreading malware.  That's the warning from both Kaspersky Lab and a recently released government report.

Using hacked routers to spread malware is nothing new; security insiders have known about it for years.  Since 2008, however, the number of cases in which routers have been used to push malicious code has been climbing steadily, and researchers are seeing marked increases in their use by advanced persistent threat (APT) groups around the world.

APT groups are nothing new either, although their ranks have grown in recent years.  Many are state-sponsored hacking groups with virtually unlimited resources; others are simply tight-knit groups of hackers operating under a single banner.

Many people picture hackers as lone wolves, and imagine millions of them attacking networks across the globe.  Increasingly, though, lone actors are minor players.  The real threat is now well-organized groups that can execute highly coordinated, globe-spanning attacks and build botnets of tens or even hundreds of thousands of compromised machines.

Beyond calling attention to a little-known attack vector, the recent announcement underscores a weakness in current cybersecurity thinking: most people still labor under the faulty assumption that they're facing individual hackers operating out of a dark basement.

Those threats certainly exist, but it's a mistake to assume that's where the biggest danger lies.  If you get hacked, it's just as likely (perhaps more likely) that you're facing a well-organized group with more resources at its disposal than your entire IT department.  While you're preparing for a skirmish, the barbarians are arriving at your gates with an army.  Most people are planning to fight the wrong kind of battle, and that could prove a devastating mistake.

TicketFly Customer Information May Have Been Hacked

Another week, another high-profile data breach, but this one can be filed under "missed opportunity."  The site in question is TicketFly, a web-based event ticketing service owned by Eventbrite.  The TicketFly website has been down since May 31, with its normal homepage replaced by an image of Guy Fawkes and the message "Your Security Down I'm Not Sorry."

The page initially contained links to the compromised customer information; those have since been removed by the company, which is still scrambling to recover.

Unfortunately, TicketFly had every opportunity to avoid the incident.  The hacker responsible, who goes by the handle "IsHakdz," claims to have contacted TicketFly to warn it of serious security flaws that would let an attacker take control of the site and all of the company's databases, and asked for one Bitcoin in exchange for the technical details.  When the company failed to respond, he decided to show them he was serious and did exactly what he had claimed he could do.

Whatever you make of the hacker's methods (demanding payment before disclosing the details is extortion, not responsible disclosure), the fact is that many companies run "bug bounty" programs that pay researchers who find critical security flaws.  The payouts are usually well under a Bitcoin, but the idea is the same.  TicketFly had no such program, and even after being warned of the flaws it took no meaningful action until the hacker forced its hand.

It's not impossible to imagine this hacker reselling the data he obtained, although his actions so far point the other way.  Even so, if you've bought tickets through TicketFly, it's better to be safe than sorry: keep a close eye on the payment card you used, and change your TicketFly password immediately, along with that password anywhere else you reused it.

Massive Malware Attack Stemmed From BitTorrent App

According to Microsoft security researchers, a massive malware campaign attempted to install cryptocurrency-mining software on more than 400,000 computers in less than twelve hours.  The failed campaign is noteworthy because of the attack vector: it was a supply chain attack, carried out by compromising the update mechanism of MediaGet, a popular BitTorrent client used to share and download files, and pushing a trojanized build to its users.

Until recently, many security professionals treated supply chain attacks as improbable edge cases.  The sad truth is that they're becoming increasingly common.  Over the past couple of years we've seen a growing number of them, including CCleaner, a popular disk-maintenance program; a poisoned version of it was delivered to more than two million of the software's users.

In another supply chain attack, M.E.Doc (a tax and accounting application widely used in Ukraine) was tainted with the NotPetya wiper worm, which shut down computers all over the world just last year.

Then there was a collection of Android apps that came preinstalled on phones from not one but two manufacturers and gave attackers unfettered access to the data on those phones.  Nor is this the first time a BitTorrent client has been hijacked: in 2016, a tainted version of the Transmission client installed the KeRanger ransomware on Macs.

Fortunately, this latest attack was not successful.  Microsoft's researchers reported that Windows Defender blocked more than 400,000 infection attempts in the space of about twelve hours on March 6, with the poisoned MediaGet update itself having been pushed to users sometime between February 12 and February 19.  The threat was regional, with most of the targeted computers located in Russia, Turkey, and Ukraine.

This was the latest supply chain attack, and it certainly won't be the last.  Worst of all, these attacks are notoriously hard to prevent, because updates that arrive from a trusted source are installed without question, even when the contents of the update are no longer what the publisher shipped.
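The fix for that assumption is to trust the publisher's key rather than the download source.  The following is an added example, not code from Microsoft, MediaGet or the original article: a minimal updater check in Go that contrasts trusting whatever key arrives with the update against verifying with a publisher key pinned in the client.  The Update layout, the choice of Ed25519 and the installer strings are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is the bundle a client downloads in this example: the installer
// bytes, a detached signature, and the public key the download site says
// produced it. The layout is assumed for illustration, not a real format.
type Update struct {
	Payload   []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

func sign(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// verifyBySource trusts the key that arrives with the update. Any
// self-consistent bundle passes, so an attacker who controls the update
// server simply signs the trojanised build with a key of their own.
func verifyBySource(u Update) bool {
	return ed25519.Verify(u.SignerKey, u.Payload, u.Signature)
}

// verifyByPinnedKey accepts only signatures by the publisher key compiled
// into the client, whatever key the server advertises.
func verifyByPinnedKey(pinned ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return errors.New("update is not signed by the pinned publisher key")
	}
	return nil
}

// Outcome records how each check treats the bundles in the scenario.
type Outcome struct {
	SourceAcceptsTrojan   bool
	PinnedAcceptsGenuine  bool
	PinnedAcceptsTrojan   bool
	PinnedAcceptsTampered bool
}

// scenario plays out a compromised update server: the publisher signs the
// real build, the attacker signs a poisoned build with their own key, and
// also tries shipping modified bytes under the publisher's genuine signature.
func scenario() (Outcome, error) {
	publisherPub, publisherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed stand-ins for the real installer and a trojanised one.
	genuine := sign(publisherPriv, []byte("torrent-client-setup v1.2"))
	trojan := sign(attackerPriv, []byte("torrent-client-setup v1.2 + coin miner"))
	tampered := genuine
	tampered.Payload = trojan.Payload // attacker's bytes, publisher's signature

	return Outcome{
		SourceAcceptsTrojan:   verifyBySource(trojan),
		PinnedAcceptsGenuine:  verifyByPinnedKey(publisherPub, genuine) == nil,
		PinnedAcceptsTrojan:   verifyByPinnedKey(publisherPub, trojan) == nil,
		PinnedAcceptsTampered: verifyByPinnedKey(publisherPub, tampered) == nil,
	}, nil
}

func main() {
	o, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The pinned check is only as good as the secrecy of the publisher's private key and the client's key-rotation story; it does not help when the publisher's own build system is the thing compromised, which is why the CCleaner and M.E.Doc cases above were so effective.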

Major Server Ring Distributing Malware Taken Down

Score one for the good guys.  A researcher from BrilliantIT recently worked out how infected computers located EITest's command and control server and, using that information, was able to take down the entire network.

If you haven’t heard of EITest before, the true significance of that statement might not be registering.

EITest first appeared in 2011.  In its original incarnation it was little more than an annoyance: a collection of compromised web servers used to redirect visitors to malicious websites, where the operators could infect unsuspecting users with their own malware.

In 2013, EITest's operators got savvy.  They relentlessly grew the network to more than 52,000 compromised machines and began renting it out to other criminals to drive traffic to their malicious sites, unleashing a torrent of destructive malware.  Ever since, it has been a thorn in the side of IT professionals everywhere.

Using the weakness BrilliantIT discovered, researchers redirected all of the network's traffic to a sinkhole, effectively shutting it down.

Since then, the operators appear to have made one half-hearted attempt to regain control of the network before apparently giving up.

While this is undeniably good news, EITest isn't the only traffic distribution system in the criminal underground, and even if its operators have given up on recovering the old network, nothing stops them from building a new one.  That's not to undercut the significance of the victory, merely to point out that it's a temporary win and a reprieve at best.  They'll be back.  They always come back.

Good news is rare on the security front, and when it is found, we should all take a moment to celebrate.  Kudos to the team at BrilliantIT!

Intel Taking Additional Steps To Prevent Security Flaws

By now you've almost certainly heard of "Spectre," one of two recently discovered security flaws (the other is "Meltdown") that affect virtually every Intel processor of the last decade, and in Spectre's case chips from other vendors as well.

The story of Spectre, and Intel's response to it, has been an interesting one.  In response to the flaw's discovery, Intel rushed out microcode updates, but quickly had to withdraw them and advise users not to install them, because they caused as many problems (including spontaneous reboots) as they solved.

Intel has since released a better, more stable patch, but hasn’t stopped there.  The company recently revealed that it is introducing various hardware protections against Spectre-like vulnerabilities that may be detected in the future.

According to Intel’s CEO, Brian Krzanich, “(We have) redesigned parts of the processor to introduce new levels of protection through partitioning.  As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical.  Our goal is to offer not only the best performance, but also the best secure performance.”

While that is welcome news for people planning purchases in the near future, owners of existing Intel-powered equipment will still have to rely on firmware and operating system updates for Spectre protection, and those come with the trade-off of a hit to CPU performance.

Alongside that announcement, the company said it now has firmware updates available for all of its products launched within the last five years.  Coupled with its recent partnership with Microsoft to deliver Spectre updates to its legions of affected customers, this should provide some peace of mind, even with the expected hit to system performance.

Unfortunately, with new variants of Spectre and Meltdown being discovered on a regular basis, this is likely not the last we’ll hear about this issue.

Researchers Find Major Vulnerabilities In Banking Apps

Do you bank online?  If so, there's bad news in a report recently released by the security firm Positive Technologies.

The company tested a variety of websites using a proprietary scanning tool developed in-house.  Flaws turned up across a wide range of industries, but every banking site Positive Technologies tested was found to have serious security flaws.

The particulars varied from one bank to the next, but the flaws included:

  • XML external entity (XXE) injection
  • Arbitrary file reading and modification
  • Expired or missing TLS certificates
  • Weak or nonexistent encryption

Some banking websites were so flawed that an attacker could mount a "man in the middle" attack on the connection and run malicious code on the user's machine, potentially making off with the user's money and more than enough information to steal their identity.

Some 80 percent of sites tested were found to be vulnerable to XSS (cross-site scripting) attacks.
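Cross-site scripting is the most common item on that list, and it usually comes down to where untrusted data is inserted into a page.  The example below is added for this page and is not code from Positive Technologies or from any bank's site: it renders the same template fragment with Go's text/template, which inserts values verbatim, and with html/template, which escapes by context.  The fragment and the hostile name and link are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// A constructed fragment of the kind a bank renders after login. Both values
// come from data the user controls (a display name and a "return to" link).
const fragment = `<p>Welcome back, {{.Name}}.</p><a href="{{.Link}}">Continue</a>`

type Greeting struct{ Name, Link string }

// renderUnsafe uses text/template, which splices values in verbatim: markup
// in the display name becomes script in every browser that loads the page.
func renderUnsafe(g Greeting) (string, error) {
	var buf bytes.Buffer
	tmpl := texttemplate.Must(texttemplate.New("page").Parse(fragment))
	err := tmpl.Execute(&buf, g)
	return buf.String(), err
}

// renderSafe uses html/template, which knows the context of each placeholder:
// text nodes are HTML-escaped, and an href carrying a scheme other than
// http, https or mailto is replaced with a harmless placeholder.
func renderSafe(g Greeting) (string, error) {
	var buf bytes.Buffer
	tmpl := htmltemplate.Must(htmltemplate.New("page").Parse(fragment))
	err := tmpl.Execute(&buf, g)
	return buf.String(), err
}

// hostile is a constructed payload of the kind an XSS scanner submits.
var hostile = Greeting{
	Name: `<script>alert(document.cookie)</script>`,
	Link: `javascript:alert(1)`,
}

func main() {
	unsafe, _ := renderUnsafe(hostile)
	safe, _ := renderSafe(hostile)
	fmt.Println("text/template:", unsafe)
	fmt.Println("html/template:", safe)
}
```

The lesson generalises beyond Go: escaping has to match the context (HTML body, attribute, URL, JavaScript string), which is why a single blanket "sanitise on input" routine so often leaves a site on the 80 percent list.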

Regardless of the specific vulnerability, the big, terrifying takeaway from the Positive Technologies report is simply this:  Of the financial sites they tested, 100 percent of them were found to have vulnerabilities.

These are the people who are tasked with safeguarding your money, and they’re obviously not doing enough to keep their websites secure.

Firewalls and basic detection are simply not enough.  Attackers have matured and gotten better at what they do, and defenders haven't improved as quickly.  That's why we're seeing such a spike in high-profile data breaches: each year sets a new record, often beating the previous one by a wide margin.

Until that changes, everyone is at risk.  Given how important the internet has become to international commerce and modern life, that’s simply unacceptable.