Timesdelhi.com

November 19, 2018
Category archive

Security

A leaky database of SMS text messages exposed password resets and two-factor codes


A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.

The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages.

For Sébastien Kaul, a Berlin-based security researcher, it didn’t take long to find.

Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains. Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.

An example of one text message containing a user’s phone number and their Microsoft account reset code. (Image: TechCrunch)

Most don’t think about what happens behind the scenes when you get a text message from a company, whether it’s an Amazon shipping notification or a two-factor code for your login. Often, app developers — like HQ Trivia and Viber — will employ technologies provided by firms like Telesign and Nexmo, either to verify a user’s phone number or to send a two-factor authentication code, for example. But it’s firms like Voxox that act as a gateway, converting those codes into text messages to be passed on to the cell networks for delivery to the user’s phone.

After an inquiry by TechCrunch, Voxox pulled the database offline. At the time of its closure, the database appeared to have a little over 26 million text messages year-to-date. But the sheer volume of messages processed through the platform per minute — as seen through the database’s visual front-end — suggests that this figure may be higher.

Each record was meticulously tagged and detailed, including the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used.

Among our findings from a cursory review of the data:

  • We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
  • Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
  • Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
  • Many messages included two-factor verification codes for Google accounts in Latin America;
  • A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
  • We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
  • Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
  • We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
  • Yahoo also used the service to send some account keys by text message;
  • And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.

“Yeah, this is very bad,” said Dylan Katz, a security researcher, who reviewed some of the findings.

The exposure of personal information and phone numbers notwithstanding, the ability to access two-factor codes in near-real-time could have put countless accounts at risk of hijack. In some cases, websites will only require a phone number to reset an account. With access to the text message through the exposed database, hijacking an account could take seconds.

“My real concern here is the potential that this has already been abused,” said Katz. “This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”

Kevin Hertz, Voxox’s co-founder and chief technology officer, said in an email that the company is “looking into the issue and following standard data breach policy at the moment,” and that the company is “evaluating impact.”

Many companies, including Facebook, Twitter and Instagram, have rolled out app-based two-factor authentication in place of SMS-based verification, which has long been seen as vulnerable to interception.

If ever there was an example, this latest exposure would serve well.

News Source = techcrunch.com

Mozilla adds website breach notifications to Firefox


Mozilla is adding a new security feature to its Firefox Quantum web browser that will alert users when they visit a website that has recently reported a data breach.

When a Firefox user lands on a website with a breach in its recent past, they’ll see a pop-up notification informing them of the bare-bones details of the breach and suggesting they check to see if their information was compromised.

“We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features,” Mozilla said today. “This new functionality will gradually roll out to Firefox users over the coming weeks.”

Here’s an example of what the site breach notifications look like and the kind of detail they will provide:

Mozilla’s website breach notification feature in Firefox

Mozilla is tying the site breach notification feature to an email account breach notification service it launched earlier this year, called Firefox Monitor, which it also said today is now available in an additional 26 languages.

Firefox users can click through to Monitor when they get a pop-up about a site breach to check whether their own email was involved.

As with Firefox Monitor, Mozilla is relying on a list of breached websites provided by its partner, Troy Hunt’s pioneering breach notification service, Have I Been Pwned.

There can of course be a fine line between feeling informed and feeling spammed with too much information when you’re just trying to get on with browsing the web. But Mozilla looks to be sensitive to that, because it’s limiting breach notifications to one per breached site. It will also only raise a flag if the breach itself occurred in the past 12 months.

Data breaches are an unfortunate staple of digital life, stepping up in recent years in frequency and size along with big data services. That in turn has cranked up awareness of the problem. And in Europe tighter laws were introduced this May to bring in a universal breach disclosure requirement and raise penalties for data protection failures.

The GDPR framework also generally encourages data controllers and processors to improve their security systems given the risk of much heftier fines.

It will likely take some time, though, for any increases in security investments triggered by the regulation to filter down and translate into fewer breaches — if indeed the law ends up having that hoped-for impact.

But one early win for GDPR is it has greased the pipe for companies to promptly disclose breaches. This means it’s helping to generate more up-to-date security information which consumers can in turn use to inform the digital choices they make. So the regulation looks to be generating positive incentives.

News Source = techcrunch.com

Judge orders Amazon to turn over Echo recordings in double murder case


A New Hampshire judge has ordered Amazon to turn over two days of Amazon Echo recordings in a double murder case.

Prosecutors believe that recordings from an Amazon Echo in a Farmington home where two women were murdered in January 2017 may yield further clues to their killer. Although police seized the Echo when they secured the crime scene, any recordings are stored on Amazon servers.

The order granting the search warrant, obtained by TechCrunch, said that there is “probable cause to believe” that the Echo picked up “audio recordings capturing the attack” and “any events that preceded or succeeded the attack.”

Amazon is also directed to turn over any “information identifying any cellular devices that were linked to the smart speaker during that time period,” the order said.

Timothy Verrill, a resident of neighboring Dover, New Hampshire, was charged with two counts of first-degree murder. He pleaded not guilty and awaits trial.

When reached, an Amazon spokesperson did not comment — but the company told the Associated Press last week that it won’t release the information “without a valid and binding legal demand properly served on us.”

New Hampshire doesn’t provide electronic access to court records, so it’s not readily known if Amazon has complied with the order, signed by Justice Steven Houran, on November 5.

A court order signed by New Hampshire Superior Court on November 5 ordering Amazon to turn over Echo recordings. (Image: TechCrunch)

It’s not the first time Amazon has been ordered to turn over recordings that prosecutors believe may help a police investigation.

Three years ago, an Arkansas man was accused of murder. Prosecutors pushed Amazon to turn over data from an Echo found in the house where the body was found. Amazon initially resisted the request citing First Amendment grounds — but later conceded and complied. Police and prosecutors generally don’t expect much evidence from Echo recordings — if any — because Echo speakers are activated with a wake word — usually “Alexa,” the name of the voice assistant. But sometimes fragments of recordings can be inadvertently picked up, which could help piece together events from a crime scene.

But these two cases represent a fraction of the number of requests Amazon receives for Echo data. Although Amazon publishes a biannual transparency report detailing the number of warrants and orders it receives across its entire business, the company doesn’t — and refuses to — break down how many of those requests are for Echo data.

In most cases, requests for Echo recordings are only known through court orders.

In fact, when TechCrunch reached out to the major players in the smart home space, only one device maker had a transparency report and most had no future plans to publish one — leaving consumers in the dark on how these companies protect your private information from overly broad demands.

Although the evidence in the Verrill case is compelling, exactly what comes back from Amazon — or the company’s refusal to budge — will be telling.

News Source = techcrunch.com

Mozilla ranks dozens of popular ‘smart’ gift ideas on creepiness and security


If you’re planning on picking up some cool new smart device for a loved one this holiday season, it might be worth your while to check whether it’s one of the good ones or not. Not just in the quality of the camera or step tracking, but the security and privacy practices of the companies that will collect (and sell) the data it produces. Mozilla has produced a handy resource ranking 70 of the latest items, from Amazon Echos to smart teddy bears.

Each of the dozens of toys and devices is graded on a number of measures: what data does it collect? Is that data encrypted when it is transmitted? Who is it shared with? Are you required to change the default password? And what’s the worst case scenario if something went wrong?

Some of the security risks are inherent to the product — for example, security cameras can potentially see things you’d rather they didn’t — but others are oversights on the part of the company in security practices like respecting account deletion, not sharing data with third parties, and so on.

At the top of the list are items getting most of it right — this Mycroft smart speaker, for instance, uses open source software and the company that makes it makes all the right choices. Their privacy policy is even easy to read! Lots of gadgets seem just fine, really. This list doesn’t just trash everything.

On the other hand, you have something like this Dobby drone. They don’t seem to even have a privacy policy — bad news when you’re installing an app that records your location, HD footage, and other stuff! Similarly, this Fredi baby monitor comes with a bad password you don’t have to change, and has no automatic security updates. Are you kidding me? Stay far, far away.

Altogether, 33 of the products met Mozilla’s recently proposed “minimum security standards” for smart devices (and got a nice badge); 7 failed, and the rest fell somewhere in between. In addition to these official measures there’s a crowd-sourced (hopefully not to be gamed) “creep-o-meter” where prospective buyers can indicate how creepy they find a device. But why is BB-8 creepy? I’d take that particular metric with a grain of salt.

News Source = techcrunch.com

Meet the Magecart hackers, a persistent credit card skimmer group of groups you’ve never heard of


There have been few hacker groups that have been responsible for as many headlines this year as Magecart.

You might not know the name, but you probably haven’t missed their work — highly targeted credit card skimming attacks, hitting Ticketmaster and British Airways, as well as consumer electronics giant Newegg and likely many more sites that have been silently hacked to scrape consumer credit card data at the checkout.

Nobody knows those attacks better than Yonathan Klijnsma, a threat researcher at security firm RiskIQ, who’s been tracking Magecart for more than a year.

In a new report published with risk intelligence firm Flashpoint, Klijnsma has exposed the inner workings of the hackers — a group of groups, rather than a single entity — all with different modus operandi and targets, which he described as a “thriving criminal underworld that has operated in the shadows for years.”

“Magecart is only now becoming a household name,” the researcher said.

Chief among Klijnsma’s findings is that there are at least six distinct groups operating Magecart skimming scams, each taking their own approach. Group 1 began as early as 2014 by targeting thousands of sites with attacks and single-use servers for hosting the malware and storing the collected data, while Group 2 and Group 3 expanded their reach and honed their attacks to hook their card skimming malware on a greater range of payment providers. Group 4 took the bulk of the victims — more than 3,000 sites hacked — with its scattergun approach, grabbing as many cards as it could from as many sites as it could.

The groups have been going where the money is — breaking into websites using known server vulnerabilities, injecting card payment skimming code and siphoning off credit card numbers, names and security codes to an attacker-controlled server, often for months at a time.

If they get caught, they just move on to their next victim.

Magecart’s most high-profile victims were the work of Group 5, which carried out supply chain attacks by hitting third-party code providers — like customer service chat boxes — that are installed on thousands of sites and so carry the group’s malware with them, expanding the group’s reach on a massive scale. It was Group 5 that RiskIQ blames for targeting many of Ticketmaster’s global sites. Group 6, meanwhile, also began highly selective attacks that only targeted major players — including British Airways and Newegg.

Between the half-dozen groups that RiskIQ has identified so far, at least 6,400 sites have been affected.

And that’s just the start.

Once a steady stream of credit card numbers comes in, the hackers will sell the data — often on the dark web, making it easier to hide their activities from the law.

Magecart’s credit card skimming cycle. (Image: RiskIQ/Flashpoint)

Klijnsma warned that there will be many more card skimming groups and many more websites affected — larger and lesser-known sites alike that have yet to be discovered.

Case in point: Earlier this year, little-known New Jersey-based electronics retailer TechRabbit disclosed a data breach. Like so many other sites, it went largely unnoticed — except, upon closer inspection, the breach had all the hallmarks of Magecart. Willem de Groot, a security researcher cited in the Magecart report, confirmed on Twitter — and independently verified by TechCrunch — that the site had been hit again months later.

We reached out to the company’s chief executive, Joel Lerner, to inform him of the card skimming malware. “Who is TechCruch [sic] and what do you know about TechRabbit?” he said.

After several emails back and forth, including a screenshot sample of the malware on the site’s checkout pages, he expressed concern but stopped responding.

Klijnsma conceded that although his research has given an unprecedented insight into how the Magecart groups work, “that doesn’t mean we will be able to spot every instance and every attack.” There are likely many more sites affected by card skimming malware — as of yet undetected. “We’d like to call on the industry and everyone who encounters these attacks to help take it down,” he said.

To combat the threat from Magecart, RiskIQ and other cybersecurity firms can sinkhole domains associated with Magecart infrastructure, pulling them offline and out of operation.

Klijnsma said it requires a layered approach — like website owners improving their security with security patches and segregating servers. “You don’t catch this with just one security control but rather you stack them and try to catch it at at least one of these steps,” he said.

“Basically any vector is game among these groups with some groups utilizing all of them to reach their goal of breaching a target,” he said.

News Source = techcrunch.com
