STE WILLIAMS

SMS company exposes millions of text messages, credentials online

Researchers have found yet another massive database inadvertently exposed online, leaking millions of records.

This time, it was a database of SMS messages belonging to enterprise texting services provider TrueDialog, and the researchers who found it say the exposure could have compromised tens of millions of people.

Researchers Noam Rotem and Ran Locar at vpnMentor first found the database on Microsoft’s Azure cloud platform on 26 November 2019. It displayed what they described as a “massive amount of private data”, including tens of millions of SMS text messages. Also in public view were millions of account usernames and passwords, they said.

Founded in 2008, Texas-based TrueDialog provides SMS solutions for businesses, enabling them to send mass texts for marketing purposes, along with sector-specific applications such as student SMS notifications for the education industry.

According to a blog post on the vpnMentor website, the database contained 604 GB of data comprising nearly a billion entries. These included email addresses, usernames, passwords stored in plain text, and other passwords that were merely base64-encoded (base64 is a reversible text encoding for carrying binary data through text-only channels; it is not encryption and offers no protection, since anyone can decode it in a single step).

Aside from the account logins, the researchers also found message content, the full names of recipients and TrueDialog account holders, and phone numbers. They added:

We also found in the database logs of internal system errors as well as many http requests and responses, which means that whoever found it could see the site’s traffic. This could by itself have exposed vulnerabilities.

The leaky system logs could also have given competitors a look at TrueDialog’s backend systems and potentially a way to gain a competitive edge over the company, vpnMentor’s blog post suggested. It also warned that anyone who accessed the data could have taken over user accounts and engaged in corporate espionage by snooping on account holders’ SMS texts or even stealing leads generated by the SMS system.

An improperly configured Elasticsearch database was to blame, according to vpnMentor. Elasticsearch serves its data over a plain HTTP REST API (port 9200 by default); out of the box it listens only on the local machine, and the versions in common use at the time shipped with no authentication unless the operator enabled it, so binding a node to a public interface without adding access controls hands full read (and write) access to anyone who finds the port. Data exposures through Elasticsearch nodes left open in this way are a common occurrence.

This appears to be what happened here: the researchers were able to reach the database from a browser and, by changing the query parameters, pull out the database schema. They also found information tying the database to TrueDialog in the form of the hostname api.truedialog.com.
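The probes the researchers describe (reach the node from a browser, list what is in it, pull the schema) are the same ones an operator can run against their own nodes to confirm they are not open. The following is an added example, not from the vpnMentor write-up or TrueDialog’s systems: a self-check that classifies a node’s answers to the banner, index-list and mapping endpoints. Host names and the sample responses are constructed so the classification logic can be exercised offline.

```python
"""Added example, not from the vpnMentor write-up or TrueDialog: a self-check
for an Elasticsearch node you operate, to confirm it does not answer
unauthenticated readers. Host names and the sample responses are constructed,
so the classification logic can be exercised offline."""
import json
import urllib.error
import urllib.request

# What an unauthenticated visitor reads first: the banner (confirms it is
# Elasticsearch and which version), the index list with document counts and
# on-disk sizes, and the mappings, i.e. the schema.
PROBES = ("/", "/_cat/indices?format=json", "/_mapping")


def classify(status, body):
    """Map one probe response to 'open', 'auth-required' or 'closed'."""
    if status == 401:
        return "auth-required"          # security enabled, credentials demanded
    if status != 200:
        return "closed"                 # refused, filtered, 403, ...
    try:
        data = json.loads(body)
    except ValueError:
        return "closed"                 # something else answered (a proxy page, say)
    if isinstance(data, list):          # _cat/indices?format=json is a list of rows
        return "open"
    if isinstance(data, dict):
        if "tagline" in data or "version" in data:      # the root banner
            return "open"
        if any(isinstance(v, dict) and "mappings" in v for v in data.values()):
            return "open"               # _mapping: {index: {"mappings": {...}}}
    return "closed"


def summarize_indices(cat_json):
    """(index, document count, store size) rows, largest first, from /_cat/indices."""
    rows = [(row.get("index", "?"), int(row.get("docs.count") or 0),
             row.get("store.size", "?")) for row in json.loads(cat_json)]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def probe(base_url, path, timeout=5.0):
    """GET base_url + path and return (status, body); network errors give (0, '')."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def check_node(base_url):
    """Run every probe against one node and return {path: verdict}."""
    return {path: classify(*probe(base_url, path)) for path in PROBES}


# Constructed stand-ins for live responses.
SAMPLE_BANNER = json.dumps({"name": "node-1", "cluster_name": "prod",
                            "version": {"number": "6.8.4"},
                            "tagline": "You Know, for Search"})
SAMPLE_CAT = json.dumps([
    {"index": "sms-logs", "docs.count": "912000000", "store.size": "590gb"},
    {"index": "accounts", "docs.count": "1200000", "store.size": "1.1gb"},
])
SAMPLE_MAPPING = json.dumps({"accounts": {"mappings": {"properties": {
    "email": {"type": "keyword"}, "password": {"type": "keyword"}}}}})

if __name__ == "__main__":
    # Point this at a node you are responsible for; anything other than
    # 'auth-required' or 'closed' on a public address needs fixing today.
    print(check_node("http://127.0.0.1:9200"))
    print(summarize_indices(SAMPLE_CAT))
```

If a probe comes back “open” on an address that is not loopback or a private interface, the fix is in elasticsearch.yml: set network.host to 127.0.0.1 or a private address, turn on the bundled security features (free in the 6.8 and 7.x basic licence) so every request needs credentials, and put the port behind a firewall or security group regardless.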

TrueDialog chief executive John Wright told us:

We were notified on Thursday that for a short period text message logs between our business customers and individuals were potentially accessible on one of our Azure servers. The data was located at a non-published network port which is now secured. We have internally found no evidence that the data was downloaded or viewed by anyone other than the security analyst who notified our company that the data was potentially accessible.

He added:

Our initial analysis revealed that approximately 97 percent of the message logs at issue were records of one-way bulk text alerts and generic replies, such as recurring text subscriptions and opt-out requests, which contained no personally identifiable information. Although our review of the data is still ongoing, we have so far been able to determine that 99.6 percent of the total message logs contain no personally identifiable information.

Note that this response doesn’t directly address vpnMentor’s claim that it found PII including account holder details in the database.

Wright continued:

We have initiated an external security audit to further assess this incident and our safeguards to detect and prevent unauthorized access to our business records. We are continuing to review the remaining message log data and will notify relevant parties in the event we learn any additional facts that would trigger additional concerns under applicable law.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Srdi-OEg2qo/

UK parcel firm Yodel plugs tracking app’s random yaps about where on map to snap up strangers’ tat

Parcel wrangler Yodel has corked up a security hole in which random user data leaked to people using its Android app.

The glitch was spotted by security researcher Ax Sharma. He contacted us having failed to get any action out of Yodel when he informed the company via Twitter and web chat.

The problem is not well timed, with online shopping and related white van activity hitting its seasonal peak in the run-up to Christmas.

Sharma told us he had noticed that every time he refreshed the application, he was shown a different – apparently random – set of packages that were not destined for his address.

The glitch showed users fairly sensitive information beyond package location, including the sending retailer, the package’s destination and – crucially – any special instructions for the driver.

Sharma noted that the app also allowed users access to further menu options on strangers’ entries, meaning they could theoretically reschedule or cancel deliveries – or even redirect parcels to another address.

Sharma contacted Yodel on Saturday afternoon but said he was told there was “no security problem”. He then blogged about the issue.

A couple of Twitter users were also seeing other people’s parcels over the past week and there are reviews on the Play store noting the security hole too.

One Twitter user said: “I have other people’s deliveries on my Yodel app today too! Couldn’t work out for the life of me how I had so many deliveries coming then realised they were in Dartford, Borehamwood etc when I’m in Edinburgh!”

The app was last updated on 18 November, and we cannot see reviews complaining about it leaking customer details before that date.

Yodel told The Reg last night: “Following an investigation into the issue we can confirm that it is now resolved, with the Yodel app running again as normal.”

It would not elaborate on the nature of the error.

And, of course, it told us, it takes data protection… “very seriously”.

Yodel garners regular gongs as the UK’s least favourite courier company, although it would probably point out that it does not get much credit for delivering several hundreds of thousands of parcels a day successfully. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/03/yodel_tracking_app_security_flaw/

AWS has new tool for those leaky S3 buckets so, yeah, you might need to reconfigure a few things

re:Invent At its re:Invent event under way in Las Vegas, Amazon Web Services (AWS) dropped the veil on a new tool to help customers to avoid spewing data stored on its S3 (Simple Storage) service to world+dog.

“Access Analyzer for S3 is a new feature that monitors your access policies, ensuring that the policies provide only the intended access to your S3 resources,” the cloud giant said.

Customers can enable Access Analyzer via a new option in the console for IAM (Identity and Access Management). The tool will then alert you when a bucket (an area of storage in S3) is configured to allow public access or access to other AWS accounts. The implication of the tool, of course, is that this is sometimes done accidentally via misconfigured policies or access control lists (ACLs).

A new single-click option will block public access – hopefully letting you avoid unauthorised use of the data before it is too late. The tool will also let you see which policy or ACL allows the access so that you know what to fix.

The AWS Access Analyzer for S3 (screenshot)

Some S3 buckets are, of course, deliberately public – as resources for a website, for example, or downloads to deploy or support an application. In this case, you can mark them within the tool to acknowledge that this is working as intended.

At the re:Invent shindig, senior principal engineer Becky Weiss presented at a packed session on the fundamentals of AWS security. She explained that “there are security patterns that repeat everywhere in AWS” and divided the subject into three parts. The first is IAM, used to control access to cloud infrastructure. “Every AWS service uses IAM,” she said. The second is KMS (Key Management Service), used to control data encryption. The third is VPC (Virtual Private Cloud), used to control access to a customer’s virtual network.

Weiss gave concise explanations of how IAM policies work in AWS, and what you do if you need to allow access from one AWS account to resources which belong to a different account. AWS uses Organizations to make it easier to manage multiple accounts.

She also introduced VPC private and public subnets; security groups, the stateful firewall rules attached to instances and other network interfaces inside those subnets; and VPC endpoints, which let resources in the VPC reach AWS services that live outside it, such as S3, over the AWS network rather than across the public internet.
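What Access Analyzer reports, as described above, is any policy or ACL that lets a principal outside your account at a bucket, whether that is the anonymous “*” or a named role in another account as in Weiss’s cross-account case. The following is an added example, not AWS code and not how Access Analyzer is implemented: a small policy reader that makes the same two distinctions over bucket policy documents, with the weak anonymous-read statement beside the corrected cross-account one and the four block-public-access settings behind the console’s one-click fix. Account IDs, bucket names and policies are constructed.

```python
"""Added example (not AWS code and not how Access Analyzer is implemented):
a small reader that flags bucket-policy statements granting public or
cross-account access, beside the corrected statement. Account IDs, bucket
names and policies are constructed."""
import json

OWN_ACCOUNT = "111111111111"   # assumed: the account that owns the bucket

# Weak policy: anonymous read of every object, no conditions. This is the
# shape that puts a bucket in the "public" column.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
})

# Corrected policy: the same objects, readable only by one role in a partner
# account. Still cross-account, so it is still reported; the difference is
# that you can now mark it as intended rather than discover it by accident.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PartnerReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/ReportReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
})

# A wildcard principal narrowed by one of these condition keys is not open to
# the world; it is reported separately so a human can judge the scope.
SCOPING_KEYS = ("aws:SourceVpce", "aws:SourceVpc", "aws:PrincipalOrgID",
                "aws:PrincipalAccount", "aws:SourceArn", "aws:SourceAccount")

# The four settings behind the console's block-public-access switch
# (PublicAccessBlockConfiguration); all true is the safe default.
BLOCK_PUBLIC_ACCESS = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "..."}, {"AWS": [...]})."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def _account_of(principal):
    """Account ID of an ARN or bare account-ID principal; '*' for wildcards;
    'service' for AWS service principals such as cloudfront.amazonaws.com."""
    if principal == "*":
        return "*"
    if principal.endswith(".amazonaws.com"):
        return "service"
    parts = principal.split(":")
    return parts[4] if parts[0] == "arn" and len(parts) >= 6 else principal


def _is_scoped(statement):
    condition = statement.get("Condition") or {}
    return any(key in SCOPING_KEYS for operator in condition.values() for key in operator)


def analyse(policy_json, own_account=OWN_ACCOUNT):
    """Return one finding per Allow statement that reaches outside own_account."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or "Principal" not in st:
            continue
        for principal in _principals(st["Principal"]):
            account = _account_of(principal)
            if account == "*":
                access = "public-conditioned" if _is_scoped(st) else "public"
            elif account in (own_account, "service"):
                continue   # same-account or service grant: not the analyser's concern
            else:
                access = "cross-account"
            findings.append({"sid": st.get("Sid", ""), "principal": principal,
                             "access": access, "action": st.get("Action"),
                             "resource": st.get("Resource")})
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", PUBLIC_POLICY), ("corrected", SCOPED_POLICY)):
        print(label, analyse(policy))
```

Bucket policies are only one of the two doors; an object or bucket ACL granting the AllUsers or AuthenticatedUsers group is the other, which is why the block-public-access settings cover both ACLs and policies and why turning all four on is the quickest way to close a bucket you did not mean to open.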

Securing AWS resources is challenging because of the number of different services and the scale of their usage. The starting point is to understand the security patterns which AWS has provided, and which Weiss did a good job of outlining.

These are all things that every AWS customer should understand, but at the end of the session your correspondent overheard one attendee say to another: “So basically we need to reconfigure everything.”

As users enable the new Access Analyzer, our hunch is that no small number of alerts will be pinging. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/03/aws_s3_buckets/

Russian FaceApp selfie-slurper poses ‘potential counterintelligence threat’, FBI warns

Netizens who fire up FaceApp for fun may be unknowingly putting national security at risk, according to the FBI.

In a recent letter (PDF) to US Senator Charles Schumer (D-NY), the Feds said the Russia-based face-aging tool released to much fanfare this past summer could conceivably be used by the Kremlin for intelligence.

“The FBI considers any mobile application or similar product developed in Russia, such as FaceApp, to be a potential counterintelligence threat, based on the data [the] product collects, its privacy and terms of use policies, and the legal mechanisms available to the Government of Russia that permit access to data within Russia’s borders,” wrote Jill Tyson, assistant director of the FBI’s office of congressional affairs.

Back when the app first hit it big in July of this year, there were questions about the way FaceApp handled the images users submitted to the service. FaceApp has countered that it only briefly collected the images (usually for less than 48 hours) for its internal testing and no data is actually stored in Russia.

Still, the FBI says, the broad terms of service, combined with the FSB’s ability to directly pull data from any Russian ISP, mean that people who use the service could unwittingly be providing the Kremlin with intelligence.


“If the FBI assesses that elected officials, candidates, political campaigns, or political parties are targets of foreign influence operations involving FaceApp, the FBI would coordinate notifications, investigate, and engage the Foreign Influence Task Force, as appropriate,” Tyson said.

The FBI’s letter was in response to a request Schumer issued back in July asking both the Bureau and the FTC to look into FaceApp, noting that “it would be deeply troubling if the sensitive personal information of US citizens was provided to a hostile foreign power actively engaging in cyber hostilities against the United States.”

Upon posting the FBI letter on Monday, Schumer said those fears were validated.

“This year when millions were downloading #FaceApp, I asked the FBI if the app was safe,” Schumer tweeted.

“Well, the FBI just responded. And they told me any app or product developed in Russia like FaceApp is a potential counterintelligence threat.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/03/fbi_faceapp_warning/

Europol wipes out 30,000+ piracy sites, three suspects cuffed to walk the legal plank

Europol says its latest piracy takedown netted three arrests and more than 30,000 website takedowns.

The operation was part of an 18-country joint effort involving the European police agency and local cops targeting sites that trafficked in both pirated digital content (streaming video, media files, and cracked software downloads) and sale of counterfeit real-world goods and pharmaceuticals.

In total, Europol says it was able to shut down 30,506 domains. They also arrested three people, seized 26,000 pieces of clothing and perfume, grabbed 363 litres of alcohol (about 10 Reg holiday parties), an unspecified number of hardware devices, and upwards of €150,000 in bank and online payment accounts.

The arrests come as part of the ‘In Our Sites’ (IOS) operation, an ongoing anti-piracy effort that Europol runs with EU member states. This effort also enlisted the help of police in South America, Hong Kong, China, Eastern Europe, and the US.

“‘In Our Sites’ (IOS), launched in 2014, is the continuation of a recurrent joint global operation that has increased significantly year-on-year,” Europol said in announcing the takedown.

Europol said it was making the arrests “with the aim of making the internet a safer place for consumers, by getting even more countries and private sector partners to participate in this operation and providing referrals.”


The timing on the takedown is relevant, particularly as the bust includes thousands of hardware and luxury items. With the holiday shopping season now having formally kicked off, police have been warning consumers against buying counterfeit items and dodgy goods from untrusted online retailers.

Police in the US and Europe have some form in announcing piracy crackdowns on Cyber Monday as a way to remind people to avoid pirated and counterfeit stuff.

“Counterfeiters look to make profits by making fake versions of the hottest products as soon they are available on the market,” US Customs and Border Protection said on Monday.

“Each time you buy a counterfeit good, a legitimate company loses revenue.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/02/europol_30000_piracy_sites/

Welcome back from the holiday, Americans! Here’s who leaked data while you were away

Thanksgiving is an ideal time to either hack (IT admins need holidays too) or to drop news of hacks (because no one’s reading much news) so here’s your roundup of the weekend’s shenanigans.

In the past few days, researchers have disclosed breaches at business SMS provider TrueDialog, music streamer MixCloud, and Adobe’s Magento Marketplace service. Millions of people are thought to be affected.

TrueDialog exposes “massive” activity database

The research team at VPNmentor took credit for the discovery and disclosure of a database owned by business comms provider TrueDialog. They report that the data of millions of users, including the content of SMS messages, was left out in the open after an Azure-hosted database was mistakenly set to public availability.

“This was a huge discovery, with a massive amount of private data exposed, including tens of millions of SMS text messages,” reported the VPNmentor team.

“Aside from private text messages, our team discovered millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more.”

TrueDialog provides SMS services to its customers, mostly businesses and educational institutions. The Texas-based company partners with phone carriers to offer things like alerts and large-scale marketing campaigns, as well as campus alerts and student admissions.

Those are the sort of SMS communications that were exposed, along with account details (email addresses, and passwords either in plaintext or merely base64-encoded) and contact information. VPNmentor says that, in total, the exposed database was 604GB in size and included data on tens of millions of people.

“It’s difficult to put the size of this data leak into context. Tens of millions of people were potentially exposed in a number of ways,” the report reads.

“It’s rare for one database to contain such a huge volume of information that’s also incredibly varied.”

TrueDialog confirmed the incident to The Register and said that while it is still investigating, currently it is believed that VPNmentor’s team were the only people to spot the database before it was pulled from the public.

“We were notified on Thursday that for a short period text message logs between our business customers and individuals were potentially accessible on one of our Azure servers,” CEO John Wright told El Reg.

“The data was located at a non-published network port which is now secured. We have internally found no evidence that the data was downloaded or viewed by anyone other than the security analyst who notified our company that the data was potentially accessible.”

MixCloud punter profiles put up for sale

UK music streaming service MixCloud is said to be investigating after it was reported that the details of 21 million users are being offered for sale on the dark web.

Just what could be done with this pilfered data (usernames, email addresses, hashed passwords) isn’t quite clear. The passwords are said to have been hashed rather than stored in the clear, and no payment data is included.

Still, those who have a Mixcloud account will want to change their password, and if those credentials were reused on other sites (don’t do this) those logins should also be updated.
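Two password-storage points on this page deserve a concrete illustration: the base64-“protected” passwords in the TrueDialog database described at the top of the page, and the hashed MixCloud passwords above, which still call for a reset and for reused credentials to be rotated. The following is an added example, not code from TrueDialog, MixCloud or the researchers: it shows what base64 gives whoever finds the database (one call and the secret is back in the clear), then a salted, iterated PBKDF2 hash with a constant-time verification, and finally the offline guessing that an attacker runs against leaked hashes, which the hash slows down but cannot stop when the password is weak or on a wordlist. All values, including the iteration count, are constructed or assumed.

```python
"""Added example, not code from TrueDialog, MixCloud or the researchers: what a
base64 "protected" password gives whoever finds the database, beside a salted,
iterated hash with a constant-time check, and the offline guessing that still
works against weak or reused passwords. All values are constructed."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed; tune so one check costs ~100 ms on your login hosts


def decode_b64_password(stored):
    """base64 is a reversible encoding, not a cipher: one call recovers the secret."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password, salt=b"", iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)            # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False                         # malformed record, never a successful login
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack(stored, candidates):
    """Offline guessing against one stored hash: the attacker's side of a leak.
    Iterations make each guess slower; they do not save a password on a wordlist,
    which is why leaked hashes still mean a reset and why reuse is dangerous."""
    for guess in candidates:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    print(decode_b64_password("aHVudGVyMg=="))          # the "encoded" password, in the clear
    record = hash_password("correct horse")
    print(verify_password("correct horse", record), verify_password("wrong", record))
    print(crack(record, ["password", "123456", "correct horse"]))
```

The record format carries its own salt and iteration count, so the cost can be raised later and old records re-hashed at next login; the comparison goes through hmac.compare_digest so a timing difference never tells the caller how many bytes matched.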

Adobe warns of Magento Marketplace breach

Recently, Adobe began notifying developers on its Magento Marketplace plug-in store that someone had managed to break into a system containing account details, but no payment card information.


“On November 21, we became aware of a vulnerability related to Magento Marketplace. We temporarily took down the Magento Marketplace in order to address the issue,” Magento said in announcing the incident.

“The Marketplace is back online. This issue did not affect the operation of any Magento core products or services.”

The exposed data included name, email address, account name, billing/shipping address, and, in some cases, the percentage of plug-in sales that Magento had paid out to third-party developers. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/02/cyber_monday_data_loss/


Microsoft Fixes Flaw Threatening Azure Accounts

Researchers detail a bug they found in some of Microsoft’s OAuth 2.0 applications.

Researchers from CyberArk today outlined a vulnerability they discovered this fall in some Microsoft OAuth 2.0 applications that could allow an attacker to hijack Azure accounts. Microsoft fixed the flaw late last month.

The weaknesses lie in the OAuth configuration of Microsoft’s Portfolios, O365 Secure Score, and Microsoft Service Trust applications, and could be abused by an attacker to take over accounts, including administrators’, and effectively “own” the victim’s Azure account. OAuth is a widely used delegated-authorization protocol that lets a user grant a third-party application limited access to their account at another service without handing over their password.

“The OAuth applications trust domains and sub-domains are not registered by Microsoft, so they can be registered by anyone (including an attacker). These apps are approved by default and are allowed to ask for ‘access_token,'” CyberArk said in a blog post about the vuln. “The combination of these two factors makes it possible to produce an action with the user’s permissions – including gaining access to Azure resources, AD resources and more.”
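The condition CyberArk describes, a trusted redirect domain that the application owner never registered, is one any tenant can check for in its own app registrations. The following is an added example, not CyberArk’s tooling and not Microsoft’s fix: an audit over the reply (redirect) URLs of a set of registrations that flags hosts outside the domains you control, hosts that no longer resolve (a prompt to check whether anyone could register them, not proof by itself), plain-http entries, and wildcard hosts. The registrations, the owned-domain list and the resolver results are constructed; the resolver is injectable so the audit runs offline and can be pointed at real DNS by leaving the default.

```python
"""Added example, not CyberArk's tooling and not Microsoft's fix: an audit over
the reply (redirect) URLs of your own app registrations, flagging hosts that
sit outside the domains you control, hosts that no longer resolve (a prompt to
check whether anyone could register them), plain-http entries and wildcards.
The registrations, owned-domain list and resolver results are constructed."""
import socket
from urllib.parse import urlsplit

OWNED_DOMAINS = ("example.com",)          # assumed: domains this tenant controls
LOOPBACK = ("localhost", "127.0.0.1", "::1")

SAMPLE_REGISTRATIONS = {                  # constructed: display name -> reply URLs
    "Portfolio Viewer": ["https://portal.example.com/signin-oidc",
                         "https://legacy.example-partner.net/callback"],
    "Score Dashboard": ["http://localhost:5000/auth",
                        "https://*.example.com/auth",
                        "http://score.example.com/auth"],
}


def offline_resolver(host):
    """Stand-in for DNS in this example: only example.com hosts resolve."""
    if host == "example.com" or host.endswith(".example.com"):
        return "203.0.113.5"              # TEST-NET-3 address, constructed
    raise OSError("NXDOMAIN")


def _owned(host):
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def audit(registrations, resolver=socket.gethostbyname):
    """Return (app, url, issue) triples; resolver is injectable for testing."""
    findings = []
    for app, urls in registrations.items():
        for url in urls:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if host in LOOPBACK:
                continue                  # local dev redirects are fine over http
            if parts.scheme != "https":
                findings.append((app, url, "non-https"))
            if "*" in host:
                findings.append((app, url, "wildcard-host"))
                continue                  # a pattern cannot be resolved or own-checked
            if not _owned(host):
                findings.append((app, url, "outside-owned-domains"))
            try:
                resolver(host)
            except OSError:
                findings.append((app, url, "unresolvable-host"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REGISTRATIONS, resolver=offline_resolver):
        print(*finding)
```

A host outside your owned domains that also fails to resolve is the case to chase first: if the domain is unregistered or expired, whoever registers it receives the tokens or codes the authorization server sends to that redirect.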


Article source: https://www.darkreading.com/cloud/microsoft-fixes-flaw-threatening-azure-accounts/d/d-id/1336495?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Poll Results: Security Pros Make The (Hypothetically) Ultimate Data Decision

What if you could protect only one category of your organization’s data?


So much data to protect, so little time. Or budget. Or expertise. And so CISOs and other security pros prioritize, starting with the most business-critical intelligence and working down from there.

But … what if prioritizing wasn’t an option? What if only one type of data could get all the budget and attention, leaving all others to fall by the wayside?

It’s a hypothetical bound to make even those security decision-makers with nerves of steel a little woozy. Yet we couldn’t help ourselves. And so we asked: If you could protect only one category of your organization’s data, what would it be?

With 2019 on track to break the record for the most data breaches and exposed records ever, according to Risk Based Security, it’s little wonder that nearly two-thirds of the 197 people who answered our “Tough Choices” poll were on the same page: Protect PII!

It’s understandable. The costs of a data breach can be felt in the forms of business disruption, revenue losses from system downtime, damage to a company’s reputation, and the cost of lost customers, according to Limor Kessem, global executive security advisor at IBM Security. 

Coming in at a distant second, 20% of poll-takers said they’d protect their IP over all other types of data, followed by classified government info (11%) and other data covered by security/notification mandates (3%).

Tough choices, for sure — and one you’ll hopefully never have to make. 


Article source: https://www.darkreading.com/edge/theedge/poll-results-security-pros-make-the-(hypothetically)-ultimate-data-decision/b/d-id/1336497?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

StrandHogg Vulnerability Affects All Versions of Android

The bug enables malware to pose as any legitimate Android app, letting attackers track messages, photos, credentials, and phone conversations.

A newly discovered vulnerability in the Android operating system could let attackers abuse legitimate apps to deliver malware. In doing so, they could track users without their knowledge.

Researchers with Norwegian app security company Promon dubbed the bug “StrandHogg,” an old Norse term for a Viking coastal raiding tactic. A successful attacker could exploit the vulnerability to take over a legitimate application and run malicious processes without the user’s knowledge. StrandHogg has already been exploited in the wild, does not need root access to run, and affects all versions of Android, including Android 10, released in September.

If successful, the vulnerability could grant attackers access to private SMS conversations, photos, and login credentials. They could track a victim’s movements, make and/or record phone calls, and spy through the smartphone’s camera and microphone, the experts report.

Promon researchers found StrandHogg when a customer, an Eastern European security firm, noticed a trend of money being siphoned from accounts at Czech banks. They traced the problem to StrandHogg, a vulnerability that can be exploited to trick Android users into thinking they are using a legitimate app while they are actually interacting with a malicious one overlaid on top of it.

The researchers teamed up with US security firm Lookout, which confirmed 36 malicious apps are exploiting StrandHogg. All of the 500 most popular Android apps are at risk of having their processes abused by the vulnerability. Promon CTO Tom Lysemose Hansen says the bug has been undergoing analysis throughout the spring and summer, though malicious apps could have been exploiting the flaw long before this.

Researchers determined 60 separate financial firms are being targeted with apps designed to exploit this vulnerability. Among the 36 malicious apps exploiting StrandHogg are variants of the BankBot banking Trojan, which has been seen in attacks all over the world since 2017.

How It Works
StrandHogg exists in the Android OS, specifically in the way it switches from process to process for different applications. The weakness is in Android’s multitasking system: the way it keeps several apps running and lets the user switch between them on screen. An activity’s manifest attribute taskAffinity tells Android which task it prefers to live in, and because the system trusts that declaration, any app, malicious ones included, can claim the affinity of a target app and have its own screen surface when the user taps the target’s icon, effectively taking on that app’s identity in the multitasking system.

As a result, malicious apps can request any permission while pretending to be legitimate. An attack could be designed to ask for permissions that seem natural for the targeted apps. By doing this, adversaries could lower the chance of victims realizing something is wrong. Users have no indication they’re granting permission to a malicious app and not the authentic one.

“If it wanted to harvest different permissions – say it wants access to SMS and doesn’t have that permission when downloaded – then, for example, it can wait until the end user clicks the SMS app and, at that point, take control, ask the user to give permissions, and as the end user clicks the app it provides those permissions,” says Hansen. “The end user would believe he gave [permissions] to the SMS app ,but [he] really gave it to the malware app.”
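Because the behaviour described above is declared in the manifest, one cheap check for an app reviewer or a mobile-threat team is to read decoded manifests for activities whose taskAffinity names a different package, or which allow task re-parenting. The following is an added example, not Promon’s or Google’s code and not a description of any particular malware sample: an audit over a decoded AndroidManifest.xml of the kind apktool writes out. The manifest is constructed and the package names are made up.

```python
"""Added example, not Promon's or Google's code: an audit over decoded Android
manifests (the AndroidManifest.xml that apktool writes out) that flags
activities declaring a taskAffinity outside their own package, or allowing
task re-parenting, which is the manifest-level footprint of the behaviour the
text describes. The manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _foreign(affinity, package):
    """True when the declared affinity points at some other package.
    An empty string is Android's documented opt-out (no affinity) and is benign."""
    if affinity is None or affinity == "":
        return False
    return affinity != package and not affinity.startswith(package + ".")


def suspicious_activities(manifest_xml):
    """Return (fully qualified activity name, reason) pairs worth a second look."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package") or ""
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for act in app.iter("activity"):
        name = _attr(act, "name") or "?"
        if name.startswith("."):                  # shorthand relative to the package
            name = package + name
        affinity = _attr(act, "taskAffinity")
        if _foreign(affinity, package):
            findings.append((name, "taskAffinity %r belongs to another package" % affinity))
        if (_attr(act, "allowTaskReparenting") or "").lower() == "true":
            findings.append((name, "allowTaskReparenting=true"))
    return findings


# Constructed manifest: a "torch" app whose second activity asks to be placed
# in a banking app's task. Package names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <application android:label="Torch">
    <activity android:name=".MainActivity" />
    <activity android:name=".LoginOverlay"
        android:taskAffinity="com.example.bank"
        android:allowTaskReparenting="true"
        android:excludeFromRecents="true" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for activity, reason in suspicious_activities(SAMPLE_MANIFEST):
        print(activity, "-", reason)
```

The check is a triage aid, not a verdict: a legitimate suite of apps from one vendor may share an affinity deliberately, so findings are compared against the signing identity of the package whose name they borrow. For your own sensitive activities, Android also lets you declare android:taskAffinity="" so they never join another app’s task, which the audit treats as benign.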


The malicious code exploiting StrandHogg does not come directly from Google Play. Victims first install a seemingly legitimate app that acts as a dropper and fetches the malware afterwards, Hansen explains. When the user then taps the icon of a real app, it is the malicious app’s interface that appears on screen to request permissions or credentials, he continues.

“Just by looking at the first app, it can be very, very difficult to see something is wrong,” Hansen adds.

The malware analyzed by Promon was installed through several dropper apps and hostile downloaders distributed on Google Play, researchers explain in a blog post on their findings. While these apps have since been taken down, dropper apps continue to be published and often fly under the radar, generating millions of downloads before they’re spotted and deleted.

Promon reported the bug to Google over the summer. While the offending apps have been removed, StrandHogg itself has not yet been fixed for any version of Android, the researchers say; 90 days after the report the problem had still not been addressed.

“We appreciate the researchers work, and have suspended the potentially harmful apps they identified,” a Google spokesperson said in response. “Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/strandhogg-vulnerability-affects-all-versions-of-android/d/d-id/1336498?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple