STE WILLIAMS

MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online

Thousands of customers’ credit card numbers, MoviePass card numbers, and sensitive data were left in an unprotected database.

MoviePass, a struggling film subscription service, has another problem on its plate: Security researchers discovered an unsecured company database exposing thousands of customers’ personal and payment information. The database has since been taken offline.

Compromised data includes names, email addresses, credit card numbers, expiration dates, billing information, and mailing addresses. Many of the exposed records held MoviePass customer card numbers, which appear on subscribers’ payment cards. Members who pay a monthly fee can use these cards to pay to watch movies in theaters.

Mossab Hussein, a security researcher with security company SpiderSilk, found the exposed server on one of MoviePass’ subdomains, TechCrunch reports. The database held 161 million records and counting; 58,000 of those records contained payment card data. Hussein initially emailed MoviePass CEO Mitch Lowe, but when the executive didn’t respond to his message, the researcher contacted TechCrunch. MoviePass took the server down after the publication reached out.

After working with Hussein to review sample datasets, TechCrunch reports that the exposed records contain sufficient information to commit credit card fraud. In a sample of 1,000 records, more than half had a MoviePass member card number, balance, and expiration. The server also contained records of failed login attempts. None of the data on the server was encrypted.

It has not been confirmed how long the data was exposed or whether any attackers attempted to access and abuse it. “Leaving 58,000-plus records containing payment card data unencrypted on a publicly accessible database is concerning,” says DivvyCloud CTO Chris DeRamus. “However, the fact that MoviePass initially ignored the vulnerability when it was notified is even worse.”  

This marks the latest in a series of debacles for MoviePass, which has faced customer losses and several internal problems after rapid growth last year. While it’s possible this growth caused MoviePass to overlook security, this type of careless mistake can lead to long-term problems.

“When a company experiences a surge in popularity, they tend to quickly begin building software and expanding their ecosystem to focus on implementing new functionality and getting it to production, oftentimes while neglecting to consider security implications or needs,” says Nabil Hannan, managing principal for financial services at Synopsys. 

Hannan says it’s “very concerning” to see that MoviePass stored sensitive data in plaintext without a password.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/moviepass-leaves-credit-card-numbers-personal-data-exposed-online/d/d-id/1335594?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Splunk Buys SignalFx for $1.05 Billion

Deal will yield ‘one platform that can monitor the entire enterprise application lifecycle,’ Splunk CEO says.

Big data-analysis vendor Splunk today announced that it will purchase cloud monitoring vendor SignalFx for $1.05 billion.

SignalFx provides real-time monitoring and metrics for cloud infrastructures and applications. “As the world continues to move towards complex, cloud-first architectures, Splunk and SignalFx is the new approach needed to monitor and observe cloud-native infrastructure and applications in real time, whether via logs, metrics or tracing,” said Karthik Rau, founder and CEO of SignalFx.

Splunk will pay 60% in cash and 40% in its common stock for the acquisition, which is pegged to close in the second half of fiscal 2020.

Doug Merritt, President and CEO, Splunk, said in a statement: “SignalFx will support our continued commitment to giving customers one platform that can monitor the entire enterprise application lifecycle.”


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/splunk-buys-signalfx-for-$105-billion/d/d-id/1335595?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google’s Nest webcam needs patching after flaws found

After last week’s heated debate about whether Google Nest owners should be able to turn off their webcam’s recording LED, this week they have something more conventional to worry about – security flaws.

The list of vulnerabilities recently discovered by Cisco Talos researchers relates to one model, the Nest Cam IQ Indoor camera.

As $249 webcams go, this one has plenty of features, including a 4K resolution sensor, facial recognition, noise and echo cancellation, and Google’s Voice Assistant integration to control other Nest products.

There are eight CVE-level vulnerabilities in total: five relating to the Weave protocol binary built into the camera (used to set it up), and three in the OpenWeave interface (the open source version of Weave).

Three (CVE-2019-5043, CVE-2019-5036, CVE-2019-5037) could be used to bring about denial-of-service, two allow code execution (CVE-2019-5038, CVE-2019-5039), two make possible information disclosure (CVE-2019-5034, CVE-2019-5040), and one (CVE-2019-5035) is described as a “pairing brute force vulnerability.”

However, the two with the highest severity scores are CVE-2019-5035 and CVE-2019-5040 – the first potentially allowing device takeover, the second potentially allowing data from the device to be intercepted.

It’s unlikely that these flaws could be exploited remotely and a few of them would require some effort even from the local network.

Updating

According to Google, the Nest Cam IQ will update itself automatically as long as it is connected to the internet, but users should bear in mind that:

We push updates to Nest cameras in batches. Because we don’t push the update to all Nest cameras at the same time, you might not get it immediately.

While updating can’t be initiated manually, it is possible to check the firmware version by selecting a camera using the Nest app, tapping on Settings in the top right corner, selecting Technical Info and looking for the current version.

The updated version is 4720010. If you see anything earlier than this, that means updating hasn’t happened yet.

And don’t forget, if you’re using a second-hand Nest webcam – make sure the previous owner can’t use it to spy on you either.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/b8ycfMnDE9o/

Ransomware disrupts 22 Texas government departments

On August 16, Texas local government became the latest victim of the expanding global racket that is ransomware.

We’d like to offer more detail on the incident but, so far, the Texas Department of Information Resources (TDIR) has said very little beyond the fact that 22 departments (originally said to be 23 but adjusted) were affected.

Perhaps that’s not surprising – when ransomware visits 22 departments in a single state, the security staff are likely to have their hands full restoring services.

What we do know is that, so far, two victims have come forward: the cities of Borger and Keene.

The mayor of Keene, Gary Heinrich, told NPR that the ransom demand was $2.5 million.

Heinrich indicated that it was a supply chain attack:

They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house.

Some reports indicate that the ransomware used was a generic type known as ‘.JSE’ (after the extension it appends to encrypted files), while another points the finger at something called ‘Sodinokibi’ (REvil), whose appearance was recently covered by NS.

Naturally, the attack was highly targeted:

At this time, the evidence gathered indicates the attacks came from one single threat actor.

Whatever unfolded in those departments last week, we can infer the seriousness of events from the list of US agencies that were namechecked in the official TDIR press release:

  • The Texas Department of Information Resources
  • The Texas Division of Emergency Management
  • The Texas Military Department
  • The Texas A&M University System’s Security Operations Center/Critical Incident Response Team
  • The Texas Department of Public Safety
  • Computer Information Technology and Electronic Crime (CITEC) Unit

And that’s without counting the US Department of Homeland Security, Federal Emergency Management Agency (FEMA), and the FBI.

How did something that once attacked isolated police departments and universities grow into a problem menacing entire layers of state government and even, on several terrible occasions, the administration of entire cities?

Extortion epidemic

While US government is far from being the only target of ransomware crime, the sheer number of attacks affecting this sector is no coincidence.

As well as being one of the largest governments on earth, the US is one of the most complex, covering a web of federal, state, city, county, municipality, and township administrations, which vary by state.

Such complexity makes defense against ‘devil takes the hindmost’ threats such as ransomware inherently difficult. Attackers only need to find one vulnerable system in a single office. Once behind firewalls, such threats can easily spread quickly.

Hitting public organisations is also astute – the public pressure to get them working again is huge, something the attackers know works in their favour.

Texas’s own figures suggest that so far in 2019, ransomware has cost its counties $3.25 million, cities $2.5 million, and its education sector another $1.8 million. Unreported ransomware could account for as much as an additional $5 million (these numbers don’t include the toll on individuals and businesses).

And it’s not only Texas. In June, it was Louisiana schools, causing a state of emergency to be declared.

In May, the city of Baltimore was hit by an attack that might have been aided by the infamous EternalBlue vulnerabilities.

Other victims have included Georgia’s court system, a Florida city so badly affected it reportedly paid a $600,000 ransom, and Monroe College in New York.

It must now be dawning on officials that every and any public institution in the US is at risk of an incident similar to those seen in Texas at some point.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
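The RDP point in the list above is the one that lends itself to a concrete, defender-side check: weak remote-access credentials are usually found by repeated failed logons from one source, which is exactly what rate limiting and 2FA blunt. The following is an added example, not code from Naked Security or Sophos: a small sliding-window detector in Python that reads constructed, simplified failed-logon lines (loosely modelled on Windows event 4625 for failures and 4624 for successes) and reports any source address that exceeds a threshold of failures inside a time window. The log format, hosts and addresses are all made up for the demonstration.

```python
"""Flag source addresses that hammer a remote-access logon with failed attempts.

Added example, not part of the original article. The log lines below are a
constructed, simplified format: timestamp, event id (4625 = failed logon,
4624 = successful logon), user and source address. They are not real data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (chronological order is assumed, as in a real export).
SAMPLE_LOG = """\
2019-08-16T02:00:01 4625 user=administrator src=198.51.100.23
2019-08-16T02:00:03 4625 user=admin src=198.51.100.23
2019-08-16T02:00:04 4625 user=backup src=198.51.100.23
2019-08-16T02:00:06 4625 user=administrator src=198.51.100.23
2019-08-16T02:00:07 4625 user=test src=198.51.100.23
2019-08-16T02:00:09 4625 user=administrator src=198.51.100.23
2019-08-16T02:03:00 4625 user=jsmith src=192.0.2.10
2019-08-16T02:03:40 4624 user=jsmith src=192.0.2.10
2019-08-16T02:09:00 4625 user=jsmith src=192.0.2.10
2019-08-16T02:15:00 4625 user=admin src=198.51.100.23
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event_id, user, src)."""
    ts, event_id, user_kv, src_kv = line.split()
    return (
        datetime.fromisoformat(ts),
        event_id,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: (first_alert_time, sorted_users)} for every source that
    produced at least `threshold` failed logons within any `window`.

    A per-source deque holds only the failure timestamps still inside the
    window, so memory stays bounded however long the log is.
    """
    recent = defaultdict(deque)   # src -> failure timestamps inside window
    users_tried = defaultdict(set)  # src -> account names attempted
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event_id, user, src = parse_line(raw)
        if event_id != "4625":      # only failed logons count
            continue
        q = recent[src]
        q.append(ts)
        users_tried[src].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (ts, sorted(users_tried[src]))
    return alerts


if __name__ == "__main__":
    for src, (when, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{when.isoformat()} {src}: {len(users)} accounts tried {users}")
```

Run on the sample, the script reports 198.51.100.23 at 02:00:07, after five failures in six seconds against four different accounts; 192.0.2.10, which fails twice over several minutes, is left alone. The same window logic is what a rate limiter enforces in front of the logon, which is why turning RDP off where it is not needed, or putting 2FA or a VPN in front of it, removes the whole class of noise rather than just detecting it.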

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sXMvstdTRNU/

HOAX ALERT! Facebook ‘deadline’ on making your content public is fake

Don’t forget – Facebook is full of chain letter hoaxes, and in spite of what they all breathlessly proclaim in exclamation-cluttered, improperly capitalized and weird-syntax-strewn legalese fiction, copying and pasting them will NOT protect your posts from a fictional Facebook “All Content Is Ours” grab.

Nonetheless, the Facebook hoaxers would have you believe otherwise: yet again, the platform is being flooded with a flim-flam nonsense chain letter, claiming that everything you post on Facebook will suddenly become public – “starting tomorrow!!!”

Your friends have probably shared it. Your family has probably shared it. Maybe you shared it, just trying to be helpful? At any rate, it’s likely that if you’re on Facebook, you’ve seen these posts by the bucketful.

As is typical, the wording varies a bit, but they’re spouting the same sort of nonsense…

In internet years, this one’s as old as the hills. It’s as old as dirt. It’s as old as the hills that produced the dirt from Methuselah’s sandal treads: Snopes debunked it in 2012.

We’ve written about variations on this particular hoax multiple times – back when it crawled out of the primordial ooze in 2012, again in 2015 and then again in 2016.

This is the full text of one variation that’s been spreading this week:

Don’t forget tomorrow starts the new Facebook rule where they can use your photos. Don’t forget Deadline today!!! It can be used in court cases in litigation against you. Everything you’ve ever posted becomes public from today Even messages that have been deleted or the photos not allowed. It costs nothing for a simple copy and paste, better safe than sorry. Channel 13 News talked about the change in Facebook’s privacy policy. I do not give Facebook or any entities associated with Facebook permission to use my pictures, information, messages or posts, both past and future. With this statement, I give notice to Facebook it is strictly forbidden to disclose, copy, distribute, or take any other action against me based on this profile and/or its contents. The content of this profile is private and confidential information. The violation of privacy can be punished by law (UCC 1-308- 1 1 308-103 and the Rome Statute. NOTE: Facebook is now a public entity. All members must post a note like this. If you prefer, you can copy and paste this version. If you do not publish a statement at least once it will be tacitly allowing the use of your photos, as well as the information contained in the profile status updates. FACEBOOK NOR ANYONE ELSE DOES NOT HAVE MY PERMISSION TO SHARE PHOTOS OR MESSAGES

Copy, Paste and Breathe

Where do you even start with dissecting this dung beetle ball? I guess the bogosity of the legal claims is as good a place as any…

You can’t copy and paste your way out of ToS

Taking control of your online content is nowhere near as simple as copying and pasting a blob of text onto your Facebook wall. The law simply doesn’t work that way. Using any website to store content or personal details requires compliance with the site’s terms of service. If you want to wade through Facebook’s ToS, here you go.

Before you can use Facebook, you have to accept its legal terms, including its privacy policy and its terms and policies. After you’ve done so, you can’t alter the agreement. Nor can you restrict Facebook’s rights just by citing the Uniform Commercial Code (UCC). Here’s from Snopes’s 2012 debunking, which is still relevant seven years later:

One of the common legal talismans referenced [in the chain letter] is UCC Section 1-308, which has long been popular among conspiracy buffs who incorrectly maintain that citing it above your signature on an instrument will confer upon you the ability to invoke extraordinary legal rights.

Well, what about that Rome Statute?

You’d be wise to question what the heck the Rome Statute actually is. I did, and as far as I can tell, it’s a reference to the Rome Statute of the International Criminal Court, which established four core international crimes: genocide, crimes against humanity, war crimes, and the crime of aggression.

Whether Facebook’s use of your content constitutes any of those crimes is a topic for another day. For today’s hoax debunking, suffice it to say that the “problem” this non-solution is supposed to address doesn’t exist. Facebook isn’t claiming copyright to your personal information, photographs, or other material. Nor has the platform announced any plans that would make all Facebook posts public (even previously deleted ones), regardless of a user’s privacy settings.

At least two of the many times this chain letter has come around, Facebook has reassured users that they…

…own the intellectual property (IP) that is uploaded to the social network, but depending on their privacy and applications settings, users grant the social network ‘a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License).’

Furthermore, we can breathe without being reminded

There are plenty of other red flags signifying that this chain letter is bogus, including improper English usage. For example, “Deadline” shouldn’t be capitalized. The proper sentence construction would also include an article, i.e., “Don’t forget Deadline today!!!”, should say, “the deadline.” Finally, regarding the three exclamation points that end that non-sentence???!!! That’s classic hoax usage, trying to amp up your adrenaline so you’ll jump when they snap their spammy fingers.

Copy, Paste and Breathe? We suggest instead that you Report It as Spam, Don’t Post It, Delete It If You Have Posted It, and You Likely Can Breathe Just Fine Without Some Hoaxer Telling You To.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lfUd1_3k5mA/

Webcam woes – world’s oldest online camera struggles with security

These days, webcams are everywhere.

I’ve got one in my laptop, two in my phone, and even one that I can mount on my bicycle, though admittedly its battery doesn’t last very long when it’s filming and streaming at the same time.

You’ll find webcam technology where you might expect it, such as in security cameras; where you might not have known you needed it, such as in doorbells; and very creepily where you definitely don’t want it, such as hidden away sneakily in a smoke alarm in the bedroom of your B&B.

Indeed, webcams are so widespread these days that they’ve turned into low-cost, low-margin consumer products that regularly, if unsurprisingly, turn out to have cybersecurity flaws that could put your privacy – perhaps even your most intimate privacy – at risk.

Security concerns over webcams are sufficiently common, in fact, that industry heavyweights including James Comey, who was Director of the FBI at the time, Mark Zuckerberg, CEO of Facebook, and Whitfield Diffie, one of the pioneers of public-key cryptography, have all suggested putting a strip of sticky tape over your laptop webcam.

But it wasn’t always like that.

The first webcam server was Cambridge University’s famous Trojan Room Coffee Pot.

(Technically, it wasn’t a webcam in its early days because it came online before the University had its first web server, and it used its own network protocol rather than HTTP, but we’ll grant it webcam status retrospectively, right back to the first time it captured an image for others to see.)

Quentin Stafford-Fraser, who wrote the client-side software that users ran to see if there was coffee available, is the Coffee Pot’s unofficial biographer, and quips that:

The image was only updated about three times a minute, but that was fine because the pot filled rather slowly, and it was only greyscale, which was also fine, because so was the coffee.

The Coffee Pot went online in 1991, serving 128×128 pixel images at 0.05fps for 10 years before it was decommissioned for ever:

New kid on the block

These days, the longest-running webcam is a comparative newcomer that dates back a mere 25 years.

The San Francisco FogCam started in 1994, a project at San Francisco State University by two students who go by the handles Webdog and Danno (Jeff Schwartz and Dan Wong IRL).

The project even has its own Twitter feed.

Unlike Cape Town’s Noon Gun feed that we wrote about a few years ago, which tweets BANG! every time the gun goes off (it really does!), @FogCam just carries occasional news about the FogCam service itself.

There wasn’t an awful lot for @FogCam to say – it charted the ups and downs (literally and figuratively) of the device and its server, and its occasional moves around campus, with messages such as:

A couple of years ago, it tweeted the portentous implication that it was living on borrowed time, or at least in a borrowed office or on a borrowed street pole:

Sadly, that time is now running out and the FogCam will be no more at the end of August 2019:

Bay Area publication SFGate quoted Jeff Schwartz himself as follows:

We felt it was time to let it go. The bottom line is that we no longer have a really good view or place to put the camera. The university tolerates us, but they don’t really endorse us and so we have to find secure locations on our own.

That’s certainly a different sort of webcam security than we normally write about – it’s not that the camera might be hacked, but that someone might make off with it.

Well, Dear Readers, what do you think about that?

What should Webdog and Danno do next to fill the (void *)?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kuaRj48g53g/

Sorry script kiddies, hacktivism isn’t cool anymore: No one cares about stuff that’s easy-peasy to defend against

The youthful doings of US presidential wannabe Beto O’Rourke are in sharp decline, according to threat intel biz Recorded Future, which reckons folk have fallen out of love with hacktivism.

The company’s Insikt Group division said that over the past two decades hacktivism has been associated with everything from the infamous Lulzsec hacking crew to state-sponsored groups providing plausible deniability for their handlers, such as Guccifer 2.0.

One of the earliest hacktivist crews was CDC, the Cult of the Dead Cow, which shot out of the history books and back to modern-day relevance earlier this year when US Democrat senator O’Rourke admitted having been a member of the collective. Yet it appears his is not an example that has resonated with today’s politically aware technofolk.

Recorded Future reckoned that it was tracking 28 active hacktivist groups in 2016, a figure that has dropped to just seven today.

“Insikt Group assesses with high confidence that nation-state entities have increasingly used hacktivism in association with strategic campaigns, by coordinating with legitimate hacktivists of like mind, and false-flag operations made to appear as unassociated, independent hacktivist activity,” it said in a report titled “Return to Normalcy: False Flags and the Decline of International Hacktivism”.

As for the reason behind this sharp drop, the company said it’s simple: nobody’s talking about hacktivists any more.

“Insikt Group assesses with medium confidence that this is in part due to a decline in amplifying discussions (e.g. news articles and social media shares) around hacktivism-related cyberattacks,” it concluded.

Long-time Reg readers will recall groups like the Syrian Electronic Army, whose specialism was hijacking social media accounts and daubing virtual graffiti over anything it could get its hands on. Since the world has become more interested in securing itself than giggling at the misfortunes of others who took less care over their own security arrangements, so the popularity of defacement attacks has fallen off a cliff.

In addition, that same security-mindedness demonstrated by the modern world has also made hacktivism less appealing simply because it’s harder to do something eye-catching.

“The number of large enterprises susceptible to SQL injection attacks or DDoS floods have decreased, likely due to more mature website structures and the use of DDoS protection services like Akamai and Cloudflare,” said Recorded Future. “Although some hacktivist actors are highly skilled, more often than not, many members of a hacktivist organization are not skilled and are forced to rely upon simple and outdated tools and techniques that are easily defeated by competent network defenders.”

Attack methods seen by Insikt Group haven’t changed much over the years either. The company lists hoary old techniques such as DDoSing, XSSing, spearphishing, “utilisation of commodity spyware” and brute-forcing of login creds as means of illicitly accessing targets’ IT infrastructure. While the crossover with state-backed hacker crews does leave potential for custom-built tools to be caught up in analysis of attack techniques, it’s not likely, in Recorded Future’s view.

Modern hacktivists haven’t been all that great. One who was rescued by a Disney cruise ship after trying and failing to escape justice was banged up for 121 months earlier this year, while a mass murderer’s manifesto was being spread in malware-laced format in an apparent attempt by hacktivists to lash out at sympathisers. Even back in 2015, at the height of hacktivism’s collective exploits, we at El Reg were bemoaning its loss of innocence.

It’s certainly a far cry from the days of green-leaning hacktivists targeting oil companies in protest at Arctic exploration plans. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/21/hacktivism_in_decline_recorded_future/

Microsoft: Reckon our code is crap? Prove it and $30k could be yours

Having finally pushed out the first Beta preview of its Chromium-based browser, Microsoft has launched a bounty programme aimed at getting researchers to kick the tyres on its latest and greatest.

Up to $30k is available to researchers who find what Microsoft deems “critical and important” vulnerabilities in the Beta and Dev channels of Chromium Edge. The Canary channel is excluded because, well, it seems hardly fair to poke holes in daily builds that are, by definition, not fit for public consumption.

Interestingly, up to $15k is available to anyone who discovers critical remote code execution and “design issues” in the original EdgeHTML version still lurking in the Slow Ring of the Windows 10 Insider Preview.

Just think, if a few dozen researchers are lured by that $15k, it could double the not-just-downloading-Chrome usage of old Edge overnight.

Snark aside, Microsoft really wants researchers to start thumping Chromium Edge, and has stated that a 2X multiplier is available via the Researcher Recognition Program and that the company will pay out as soon as the reproduction and assessment of each submission has been completed.

Of course, with Edge being Chromium-based, Chrome’s own reward programme is a consideration, so Microsoft is keen on reports that reproduce on Edge rather than Chrome. Severity, impact and “report quality” are also factors, so “Yo browser sucks, Micro$oft” is unlikely to go down well.

Microsoft is also looking for reports from macOS Edge users in addition to those running the browser on fully patched versions of Windows 7 SP1 and 8.1.

It isn’t clear what that means after January 2020, when poor old Windows 7 is due a visit from an engineer in a high-viz jacket, carrying an axe. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/21/microsoft_edge_bounty/