STE WILLIAMS

Remember how you said it was cool if your mobe network sold your name, number and location?

US mobile phone companies appear to be selling their customers’ private data – including their full name, phone number, contract details, home zip code and current location to third parties – all in the name of security.

Security researcher Philip Neustrom found and linked to demo sites run by two mobile authentication companies – Danal and Payfone – that showed both companies have access to a surprising amount of personal information, including real-time location data, about millions of people.

Both companies claim to have the consent of users, but that was news to many – including other security researchers – who tested the demo sites and were amazed to find their private details appear on screen. Both sites have since been taken down, and a presentation that Danal gave to AT&T on its system has also been removed.

Dan Kaminsky, best known for finding a critical flaw in the DNS, tweeted: “Huh. Confirmed that worked. Also had my address from around 15 years ago.” But SwiftOnSecurity perhaps best summed up the response for many: “what the fuuuuuuuuuuuuuuuuuuuuuuuuuck.”

The companies appear to be using AT&T’s Mobile Identity API, which was announced in 2013 as a way to “help businesses make mobile transactions safer and easier”. The service is intended to add a layer of security to sensitive tasks such as banking from a phone: the idea is that a service can cross-reference a user’s login details against mobile contract and location data as a second check.

Since many online banking apps only require a single password (as opposed to, say, two-factor authentication), the double check can be a valuable way to ensure hackers aren’t accessing people’s bank accounts.

Consent

Danal and Payfone are obliged to receive the consent of users before they allow companies to use their service – but the demos have put a huge question mark on whether that is the case.


Payfone insists that there is a “very rigorous framework of security and data privacy consent”. But the fact that the information was readily available through an online demo has led many to wonder just how rigorous that framework really is.

The demos used your phone’s IP address and only allow you to look up data on your own account. You can’t, for example, type in someone else’s name and gain access to their personal information. But if you are a customer of Danal or Payfone, you can access that data by simply stating that you have the user’s consent. It is unclear how rigorous that check is or if companies simply default to stating consent has been given.

It’s also not clear how anyone can check whether a third party feels they have given their consent to have their personal data accessed, or how they can opt out or decline to provide consent in future.

It’s also not clear whether other mobile companies have a similar arrangement – supplying all their users’ details to third parties that pay them, and then pushing off consent requirements to the companies below them. With a clear financial incentive to provide data on as many people as possible, confidence is not high that anyone in the chain is imposing strict requirements.

Regulation?

There is precedent that such an arrangement will fall foul of regulators. Back in 2016, Verizon was fined $1.35m for its use of “supercookies” that injected unique identifiers into every data request made by phone users and let the company track its users. That enabled the company to build a comprehensive profile of its customers which was then used to attract advertisers. Even if users opted out of Verizon’s ad-tracking program, they were still tracked by the supercookies.

Verizon started using the supercookies in 2012, was investigated by the Federal Communications Commission (FCC) in 2014, and the settlement was reached in 2016. But privacy campaigners considered the fine very small, and concern ran high enough that some lawmakers promised to introduce new legislation outlawing the practice.

In addition to the fine, Verizon was told (PDF) by the FCC to inform all its customers that the supercookie existed and give them a simple option to have the tracker removed. It was also told it would have to actively seek permission from its millions of users before it could share the data it has amassed with third parties.

Rules that would have made it illegal for mobile and cable companies to introduce such schemes – both the use of supercookies and the third-party API data sharing that Danal and Payfone seem to be using – were due to come into effect earlier this year but were shot down at the last minute by FCC chair Ajit Pai, and then repealed outright by Republican members of Congress using an arcane law.

The use of location data is also especially sensitive at the moment with the courts debating what rules exist around such data and what legal standards have to be reached to grant access to it. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/16/danal_payfone_mobile_personal_data/

Customers cheesed off after card details nicked in Pizza Hut data breach

Miscreants have made off with payment card details of “a small number of clients” following a data breach at Pizza Hut.

In an email to affected customers seen by Bleeping Computer, the fast-food chain wrote: “Pizza Hut has recently identified a temporary security intrusion that occurred on our website.

“We have learned that the information of some customers who visited our website or mobile application during an approximately 28-hour period (from the morning of October 1, 2017, through midday on October 2, 2017) and subsequently placed an order may have been compromised.

“The security intrusion at issue impacted a small percentage of our customers and we estimate that less than one per cent of the visits to our website over the course of the relevant week were affected.”

However, some criticised the company for failing to inform customers immediately after the attack.

One wrote on Twitter: “Hey @pizzahut, thanks for telling me you got hacked 2 weeks after you lost my cc number. And a week after someone started using it. #timely”

Nicola Fulford, head of data protection and privacy at tech specialist law firm Kemp Little, noted that the Information Commissioner’s Office advises organisations to report personal data breaches that may cause “serious harm” to individuals affected by data breaches.

Under the current law there is no obligation to notify, she said. “However, when the General Data Protection Regulation applies from May 25, 2018, it will be mandatory for organisations to notify data breaches that risk harm to individuals. Failure to do so means companies could face significant fines, €10m (£7.5m) or up to 2 per cent of worldwide turnover.”

The Register has asked Pizza Hut for a statement and further details of the incident. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/16/pizza_hut_data_breach/

WPA2 security in trouble as Belgian boffins tease key reinstallation bug

Updated: A promo for the upcoming Association for Computing Machinery security conference has set infosec types all a-Twitter over the apparent cryptographic death of the WPA2 authentication scheme widely used to secure WiFi connections.

The authors of the paper have everything ready except the details of their disclosure: acceptance at the ACM Conference on Computer and Communications Security (CCS) for their paper Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, a timeslot (during the afternoon of Wednesday, November 1), a so-far-empty GitHub repository, and a placeholder Website at krackattacks.com.

So it seems Mathy Vanhoef of KU Leuven and Frank Piessens of imec-DistriNet are confident they really have done serious damage to WPA2 (the pair had previously verified vulnerabilities in WPA-TKIP, recovered cookies protected with RC4, and in 2015 improved their TKIP attacks).

According to Iron Group CTO Alex Hudson, disclosure is due sometime on Monday, October 16 during European hours.

In the meantime, the name of the ACM paper is a hint at what’s going on: Vanhoef and Piessens have attacked the handshake sequence WPA2 uses to choose encryption keys for a session between client and base station.

As Hudson notes, the attacker would have to be on the same base station as the victim, which restricts any attack’s impact somewhat.

There’s also a hint in this paper [PDF] Vanhoef and Piessens gave to Black Hat back in August. The slide below shows what part of the handshake the pair were working on.

Detail from Vanhoef/Piessens Black Hat presentation

‘Krackattacks’ is the culmination of a long project attacking Wi-Fi protocols

So: get yourself some extra coffee this morning, dear readers, and wait for Krackattacks to drop. ®

Update: The CVE (Common Vulnerabilities and Exposures) numbers for Krack Attack have been reserved. They are CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.
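The paper’s title says what the handshake attack is about: forcing the client to reuse a nonce. The following is an added example, not code from the paper, from Vanhoef and Piessens, or from any Wi-Fi stack. It models a supplicant that reinstalls the pairwise key (and resets its packet counter) every time it receives message 3 of the 4-way handshake, so a replayed message 3 makes it encrypt a second frame under the same key and nonce. The keystream function is a hashlib stand-in for the AES counter-mode keystream CCMP really uses; the session key and the two frames are constructed, and the attacker never learns the key. The patched variant (install once, ignore replays) is shown alongside.

```python
from __future__ import annotations
import hashlib
from itertools import count

def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for the AES counter-mode keystream CCMP derives from the session key and
    the per-packet nonce (assumption: hashlib is used only so no crypto library is needed).
    The one property modelled is the one that matters: same key + same nonce = same keystream."""
    out = bytearray()
    for block in count():
        out += hashlib.sha256(ptk + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Client side of the 4-way handshake, reduced to the state that matters here."""
    def __init__(self, reinstall_on_replay: bool):
        self.ptk: bytes | None = None
        self.packet_number = 0          # the CCMP nonce is built from this counter
        self.installed = False
        self.reinstall_on_replay = reinstall_on_replay

    def on_msg3(self, ptk: bytes) -> None:
        # Message 3 instructs the client to install the pairwise key. Vulnerable behaviour:
        # every delivery of msg3, including a replayed one, reinstalls the key and resets
        # the packet number to zero. Patched behaviour installs it once and ignores replays.
        if self.installed and not self.reinstall_on_replay:
            return
        self.ptk, self.packet_number, self.installed = ptk, 0, True

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        nonce = self.packet_number
        self.packet_number += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))

def attack(reinstall_on_replay: bool) -> dict:
    """An attacker in radio range replays msg3 after the client has sent one frame, then
    decrypts the next frame from the pair of ciphertexts and one guessable plaintext."""
    ptk = b"\x11" * 16                                          # constructed session key
    known = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"       # constructed, guessable frame
    secret = b"Cookie: session=s3cr3t-value-0x41414141"         # constructed frame to recover
    client = Supplicant(reinstall_on_replay)
    client.on_msg3(ptk)
    nonce1, c1 = client.encrypt(known)
    client.on_msg3(ptk)                                         # replayed message 3
    nonce2, c2 = client.encrypt(secret)
    reused = nonce1 == nonce2
    # With a reused keystream, c1 XOR c2 == known XOR secret, so the secret falls out.
    recovered = xor(xor(c1, c2), known) if reused else None
    return {"nonce_reused": reused, "recovered": recovered, "known": known, "secret": secret}
```

Run `attack(True)` and the second frame is recovered byte for byte; run `attack(False)` and the counter keeps climbing, so the two frames use different keystreams and the XOR trick yields nothing. The limitation Hudson points out holds in the model too: the attacker has to be able to block and replay handshake frames between the client and its access point.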


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/16/wpa2_inscure_krackattack/

‘Open sesame’: Subaru key fobs vulnerable, says engineer

A Dutch electronics engineer reckons Japanese auto-maker Subaru isn’t acting on a key-fob cloning vulnerability he discovered.

Tom Wimmenhove claims to have discovered that Subaru’s electronic keys don’t use a random number. The “rolling code” instead merely increments codes.

Wimmenhove says he’s built a cloning device (described here on GitHub) and used it on a 2009 Subaru Forester, but believes it would also work on a 2006 Baja, Forester models from 2005 to 2010, Impreza models from 2004 to 2011, the “Legacy” sedan’s 2005 to 2010 models and the Outback from 2005 to 2010.

His test rig is only worth about US$25, comprising a Raspberry Pi, a DVB-T USB dongle to provide the radio receiver, and rpitx software (here) that turns the RPi into a transmitter. A suitable antenna is required so the receiver can detect signals at 433 MHz.

Because the key fobs simply increment the rolling code exchanged between car and key, all an attacker needs is to be close enough to capture the code used when the owner locks the car; incrementing that code lets the attacker unlock the car.

Here’s Wimmenhove’s demonstration (a YouTube video embedded in the original article).

The attack has another nasty aspect: the attacker can brick the owner’s key fob with an integer overrun: “increasing the rolling code with a sufficiently high value [will] effectively render the user’s key fob unusable”, Wimmenhove writes.
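To make the two failure modes concrete, here is an added example; it is not Wimmenhove’s code and does not reproduce Subaru’s actual protocol. It models a fob whose code is a bare incrementing counter next to a receiver that accepts any code ahead of the last one it saw within a look-ahead window, and shows the capture-and-increment unlock plus the desynchronisation that a large jump causes. The counter width, the window size and the shared fob key are assumptions. The hardened variant binds a MAC to the counter so an attacker who captures one code cannot produce the next one.

```python
from __future__ import annotations
import hashlib
import hmac

COUNTER_BITS = 16                 # assumed counter width; the real field size is not reported
MODULUS = 1 << COUNTER_BITS
WINDOW = 256                      # assumed receiver look-ahead window for missed presses
FOB_KEY = b"constructed-per-fob-secret"   # assumed secret shared by fob and car (hardened variant)

class PlainFob:
    """Fob whose 'rolling code' is a bare counter that increments on every press."""
    def __init__(self, counter: int = 1000):
        self.counter = counter
    def press(self) -> int:
        self.counter = (self.counter + 1) % MODULUS
        return self.counter

class PlainCar:
    """Receiver that unlocks for any code ahead of the last one it saw, within WINDOW."""
    def __init__(self, last: int = 1000):
        self.last = last
    def accept(self, code: int) -> bool:
        delta = (code - self.last) % MODULUS
        if 0 < delta <= WINDOW:
            self.last = code
            return True
        return False

def attack_plain() -> dict:
    fob, car = PlainFob(), PlainCar()
    sniffed = fob.press()                                   # owner locks the car...
    car.accept(sniffed)                                     # ...and the attacker records the code
    forged_unlock = car.accept((sniffed + 1) % MODULUS)     # increment and transmit: door opens
    jump = car.accept((sniffed + WINDOW) % MODULUS)         # push the receiver far ahead of the fob
    owner_next_press = car.accept(fob.press())              # the real fob is now behind: rejected
    presses = 0                                             # how long until the owner is back in sync
    while not car.accept(fob.press()) and presses < MODULUS:
        presses += 1
    return {"forged_unlock": forged_unlock, "jump_accepted": jump,
            "owner_next_press": owner_next_press, "presses_to_resync": presses + 1}

def tag(counter: int) -> bytes:
    """MAC over the counter under the fob's secret; truncated to fit a short radio frame."""
    return hmac.new(FOB_KEY, counter.to_bytes(2, "big"), hashlib.sha256).digest()[:4]

class MacFob(PlainFob):
    """Hardened variant: the transmitted code is the counter plus a MAC over it."""
    def press(self) -> tuple[int, bytes]:
        c = super().press()
        return c, tag(c)

class MacCar(PlainCar):
    def accept(self, code: tuple[int, bytes]) -> bool:
        counter, t = code
        if not hmac.compare_digest(t, tag(counter)):     # attacker cannot forge this for counter+1
            return False
        return super().accept(counter)

def attack_mac() -> dict:
    fob, car = MacFob(), MacCar()
    sniffed = fob.press()
    car.accept(sniffed)
    counter, t = sniffed
    forged_unlock = car.accept(((counter + 1) % MODULUS, t))   # wrong MAC: rejected
    replay = car.accept(sniffed)                               # delta 0: rejected as a replay
    return {"forged_unlock": forged_unlock, "replay": replay}
```

In the plain model one captured lock code gives the attacker an unlock, and a single jump of WINDOW leaves the owner pressing the fob 256 times before the car answers again; a bigger jump scales that number up, which is the practical meaning of “render the user’s key fob unusable”. The page reports the real fob failure as an integer overrun rather than a window desync; the model does not reproduce that detail.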

Subaru has been contacted for comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/16/subaru_key_fobs_vulnerable_says_engineer/

Linus Torvalds lauds fuzzing for improving Linux security

Linus Torvalds’ release notification for Linux 4.14’s fifth release candidate contains an interesting aside: the Linux Lord says fuzzing is making a big difference to the open source operating system’s security.

Torvalds’ announcement says Linux kernel 4.14 is coming along nicely, with this week’s release candidate pleasingly small and “fairly normal in a release that has up until now felt a bit messier than it perhaps should have been.”

This week’s most prominent changes concern “… more fixes for the whole new x86 TLB [translation lookaside buffer – Ed] handling due to the ASID [address space ID – Ed] changes that came in this release.”

“The other thing perhaps worth mentioning,” Torvalds opines, “is how much random fuzzing people are doing, and it’s finding things.”


Fuzzing is the practice of feeding a program large quantities of random or deliberately malformed input, and watching for crashes, hangs and other misbehaviour that the input provokes.

“We’ve always done fuzzing (who remembers the old ‘crashme’ program that just generated random code and jumped to it? We used to do that quite actively very early on), but people have been doing some nice targeted fuzzing of driver subsystems etc, and there’s been various fixes (not just this last week either) coming out of those efforts. Very nice to see.”
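As an added illustration of what “random fuzzing” and “targeted fuzzing” mean in practice (this is not kernel code, nor anything from Torvalds’ mail), here is a dumb mutation fuzzer run against a toy record parser. The parser has a planted bug: it trusts the length byte and reads past the buffer when a record has a tag but no length byte, so it raises IndexError where it should raise its own ValueError. The seed corpus and the bug are constructed for the example.

```python
from __future__ import annotations
import random

def parse_records(data: bytes) -> list[tuple[int, bytes]]:
    """Toy TLV-style parser: each record is <tag:1><length:1><body:length>.
    Planted bug: the loop checks that at least one byte remains, not two, so an
    input whose final record is a lone tag byte raises IndexError instead of the
    ValueError the parser is meant to raise on malformed input."""
    records: list[tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]          # IndexError when only the tag is left
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated record")    # the intended rejection of bad input
        records.append((tag, body))
        i += 2 + length
    return records

def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation of an input, in the spirit of a dumb mutation fuzzer."""
    buf = bytearray(data) or bytearray(b"\x00")
    op = rng.randrange(4)
    if op == 0:                                     # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:                                   # overwrite a byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2:                                   # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:                                           # truncate
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)

def fuzz(seed: int = 1, iterations: int = 2000) -> bytes | None:
    """Feed mutated inputs to the parser. ValueError is the parser's own rejection and
    is expected; any other exception is the equivalent of a crash. Returns the first
    input that provokes one, or None if the budget runs out."""
    rng = random.Random(seed)
    corpus = [b"\x01\x03abc", b"\x02\x00\x03\x01x"]     # constructed seed inputs (valid records)
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            parse_records(candidate)
        except ValueError:
            continue
        except Exception:
            return candidate
    return None
```

The same loop scales from a 20-line parser to a driver subsystem: the harness only needs a way to generate inputs, a way to deliver them, and a way to tell an expected rejection from a crash. The kernel fuzzers Torvalds refers to add coverage feedback on top, keeping mutants that reach new code, which is what turns random fuzzing into targeted fuzzing.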

Torvalds has been on his best behaviour lately, with his list comments tending to the witty rather than the sweary.

Last week, however, he asked kernel developer Dmitry Vyukov “Do you believe in fairies and Santa Claus?” Torvalds did so to point out that the likelihood of both being real was “_way_ higher than the likelihood” of Vyukov’s approach to memory dependency management being successful.

What? Santa and fairies aren’t real?

You’ve broken our hearts, Linus. Broken. Our. Hearts. At least you didn’t say anything mean about Unicorns. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/16/linus_torvalds_says_fuzzing_is_improving_linux_kernel_security/

Linux vulnerable to privilege escalation

An advisory from Cisco issued last Friday, October 13th, gave us the heads-up on a local privilege escalation vulnerability in the Advanced Linux Sound Architecture (ALSA).

The bug is designated CVE-2017-15265, but its Mitre entry was still marked “reserved” at the time of writing. Cisco, however, had this to say about it before release:

“The vulnerability is due to a use-after-free memory error in the ALSA sequencer interface of the affected application. An attacker could exploit this vulnerability by running a crafted application on a targeted system. A successful exploit could allow the attacker to gain elevated privileges on the targeted system.”

The bug first went public when the patch was merged to the ALSA git tree, according to this discussion at SUSE’s Bugzilla.

Turned up by ADLab of Venustech, the use-after-free is triggered by a slip in snd_seq_create_port().

That routine “creates a port object and returns its pointer, but it doesn’t take the refcount, thus it can be deleted immediately by another thread. Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free”.

While it’s only exploitable locally, the privilege escalation is what earned the bug a “high” severity rating, and of course everybody using a downstream distribution that embeds the vulnerable ALSA will have to push patches. ®
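The quoted description is a textbook reference-counting slip, and the following added example models it; it is not ALSA code and does not reproduce the kernel fix, only the discipline that prevents the bug. The model has a creation routine that hands back a pointer without taking a reference, a competing delete that drops the only reference, and a later use of the object. The fixed path takes a reference for the caller and drops it once the object is no longer needed. Names mirror the routines quoted above; the interleaving is forced explicitly rather than raced with threads.

```python
from __future__ import annotations

class Port:
    """A sequencer port object with an explicit reference count, as kernel objects have."""
    def __init__(self, name: str):
        self.name = name
        self.refcount = 1          # the reference held by the client's port list
        self.freed = False

class SeqClient:
    def __init__(self) -> None:
        self.ports: dict[str, Port] = {}

    def put_port(self, port: Port) -> None:
        """Drop one reference; free the object when the last one goes (stands in for kfree)."""
        port.refcount -= 1
        if port.refcount == 0:
            port.freed = True

    def create_port(self, name: str, take_ref: bool) -> Port:
        """Model of snd_seq_create_port(): creates the port and returns its pointer.
        Vulnerable form returns without taking a reference for the caller."""
        port = Port(name)
        self.ports[name] = port
        if take_ref:
            port.refcount += 1     # fixed form: the caller owns a reference to what it gets back
        return port

    def delete_port(self, name: str) -> None:
        """Another thread's delete ioctl: unlink the port and drop the list's reference."""
        self.put_port(self.ports.pop(name))

    def system_client_ev_port_start(self, port: Port) -> str:
        """Model of snd_seq_system_client_ev_port_start(): announces the new port."""
        if port.freed:
            raise RuntimeError(f"use-after-free on port {port.name!r}")
        return f"port-start:{port.name}"

def ioctl_create_port(client: SeqClient, name: str, take_ref: bool,
                      racing_delete: bool) -> tuple[str, bool]:
    """Model of snd_seq_ioctl_create_port(): create, then announce. racing_delete=True
    interleaves a delete from another thread between the two steps, the window the
    page describes. Returns the event string and whether the port ended up freed."""
    port = client.create_port(name, take_ref)
    if racing_delete:
        client.delete_port(name)
    try:
        event = client.system_client_ev_port_start(port)
    finally:
        if take_ref:
            client.put_port(port)  # release the caller's reference after the last use
    return event, port.freed
```

With `take_ref=False` and a racing delete, the announce step touches a freed object, which is the model’s stand-in for the kernel dereferencing freed memory. With `take_ref=True` the delete only drops the list’s reference, the object survives until the ioctl has finished with it, and it is freed cleanly when the caller drops its own reference.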


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/15/advanced_linux_sound_architecture_vulnerable_to_privilege_escalation/

An oil industry hacker facing jail, a $20m damages bill, and claims of counter-hacking

Analysis: David Kent, of Spring, Texas, USA, was sentenced to prison earlier this month for hacking Rigzone.com, an oil and gas industry website he founded and sold to employment data biz DHI Group, in an effort to build a second site, Oilpro.com, into an acquisition target.

Kent is expected to report to prison in Texas for a year and a day just after Thanksgiving, and to pay $3.29 million in restitution. The criminal case against Kent has been concluded, at great personal cost, his attorney, James Munisteri, of Gardere Wynne Sewell LLP, explained in a phone interview with The Register.

What remains is DHI’s civil lawsuit against Kent and the counterclaims by Kent and other individuals involved in the affair.

Kent is trying to get the civil suit against him thrown out, on the basis that DHI, which operates Dice.com in addition to Rigzone and other job-oriented websites, allegedly engaged in its own hacking of the now defunct Oilpro.

Kent’s countersuit, filed in Houston, Texas, accuses DHI of violating the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, breach of contract and trademark infringement, among other claims.

DHI raised the possibility that its data collection practices may be unlawful in its February 2016 10-K financial filing, though it’s unclear whether this can be interpreted as anything more than just cautionary boilerplate.

Kent’s complaint asserts it’s more than a possibility, charging DHI with breaching Oilpro.com’s terms of service by crawling and copying its data – not exactly what one would call actual hacking.

Scraping

In a statement to the court, Kent said, “On or around June 16, 2015, I personally saw on Dice Open Web that DHI was, in fact, displaying information from Oilpro member profiles that could only have been obtained by DHI scraping Oilpro’s website, in violation of Oilpro Terms and Conditions.”

DHI is seeking damages beyond the $3.3m agreed to resolve the criminal complaint against Kent. According to court documents and to Munisteri, Brian Campbell, veep and general counsel for DHI, has asked for $20m in damages in the civil case.

“That’s a 100 per cent complete fiction,” said Munisteri. “It’s a 100 per cent crazy wild complete fiction. Twenty million dollars assumes that all of the resumes on the Dice website were taken. But they weren’t.”

Munisteri said DHI has admitted they don’t know of any customers they lost as a result of Kent’s actions. He contends that Kent’s unauthorized access – copying profiles from Rigzone for email addresses to solicit oil and gas industry professionals to join Oilpro.com – had basically no impact on DHI.

A letter to New York District Judge Denise Cote last week from Dan Cogdell and David Spears, two other attorneys representing Kent, states that DHI in sworn testimony acknowledged that it lost no members, no customers, no income, and no market value from Kent’s actions.

Munisteri attributed DHI’s damage claim to greed. “Dice is just trying to seek more money even though they’ve been overpaid for whatever damages they did incur,” he said.

Those damages, he argued, should be zero.

“There are really no damages,” Munisteri insisted, suggesting that company incurred no cost beyond using salaried employees to patch code that had known issues since 2010, when DHI, then called Dice Holdings, purchased Rigzone from Kent for $51m.

A DHI spokesperson declined to comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/14/david_kent_oilpro_latest/

IT at sea makes data too easy to see: Ships are basically big floating security nightmares

If there’s anything worse than container security, it would appear to be container ship security.

Ken Munro, a researcher for UK-based Pen Test Partners, has been exploring maritime satellite communication systems used to keep ships connected while at sea. His findings don’t inspire much confidence. Munro, in a blog post today recounting his research, describes ships as floating industrial control systems that were traditionally isolated but are now always connected to the internet.

Industrial control systems (ICS), which evolved without much thought for network-based attacks, have struggled for decades to adapt to the constant state of siege on the internet.

Munro believes the security of ship IT systems is worse still. “Personally, I think ship security is behind broader ICS security,” he said. “The change is as a result of these satcom terminals being online all the time. In the past, just like ICS, ship systems were isolated from the internet.”

Munro said there have been plenty of ship security incidents reported. “One that springs to mind is a mobile drilling platform off the coast of Africa that developed a tilt and had to be evacuated,” he said. “On investigation, the control system had been ‘hacked’. I use the quotes as I suspect it was simply missing or default creds and an exposed control system GUI.”

Using Shodan.io, a search engine for finding devices on the internet, Munro looked for several popular brands of maritime satcom systems, including Cobham, Inmarsat, and Telenor kit, along with older brands that had been acquired, on the assumption they’d be running outdated firmware.

admin/1234

He opted not to test the default user and password configuration for some systems (usually admin/1234), noting that most of the recent maritime hacking reports have involved missing authentication or default creds in comms terminals that allowed someone in. He doesn’t really consider such failures hacking, even if the resulting disruption may be the same.

By searching for ‘html:commbox,’ he found various terminal commands for KVH’s ship-to-shore network manager CommBox. Pulling up an actual CommBox login page, Munro found the connection was poorly secured with no HTTPS protection. The system presented a link to a queryable user database and it revealed network configuration data merely by mousing over the UI.

With the crew data, Munro was able to quickly find a crew member’s social network profile, giving him all the data he’d need to conduct a targeted phishing attack. If he had ties to ship-hijacking pirates, he could provide the vessel’s location, taken from the automatic identification system (AIS) used to track ships, alongside the crew data.

In short, if these security holes were in the ship’s hull, the vessel would be resting at the bottom of the sea.

Munro says satcom boxes need to implement TLS, password complexity must be enforced for user accounts, and comms hardware needs secure firmware.

“There are many routes onto a ship, but the satcom box is the one route that is nearly always on the internet,” he said. “Start with securing these devices, then move on to securing other ship systems. That’s a whole different story.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/13/it_at_sea_makes_data_too_easy_to_see/

US Congress mulls first ‘hack back’ revenge law. And yup, you can guess what it’ll let people do

Two members of the US House of Representatives today introduced a law bill that would allow hacking victims to seek revenge and hack the hackers who hacked them.

The Active Cyber Defense Certainty Act (ACDC) [PDF] amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy “beaconing technology” to trace the physical location of the attacker.

“While it doesn’t solve every problem, ACDC brings some light into the dark places where cybercriminals operate,” said co-sponsor Representative Tom Graves (R-GA).

“The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders. We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and prosecuted.”

Congress has been mulling such laws for a while but many security professionals are worried that such legislation will lead to IT departments and individuals going into full vigilante mode, and causing massive collateral damage. But the bill’s sponsors say that safeguards have been built in.

For a start, the legislation only allows hacking of computers on American soil, which instantly limits its usefulness given that even domestic hacking attacks typically route through overseas servers. In other words, you could be hacked in California by someone, possibly in America, using a system in France, and you wouldn’t be able to retaliate under the law.

Companies are also financially liable for any damage they cause to innocent computer users, providing those users can find out who borked their systems.

Before hacking back, the IT department would have to submit some homework to the FBI’s National Cyber Investigative Joint Task Force so the Feds can make sure national boundaries are being respected and that any action wouldn’t interfere with an ongoing investigation.

“The Active Cyber Defense Certainty Act gives specific, useful tools to identify and stop cyberattacks that have upended the lives of hundreds of millions of Americans,” said cosponsor Representative Kyrsten Sinema (D-AZ).

“The recent Equifax data breach shows that cyber vulnerabilities can have real financial and personal implications for Arizona families and businesses. It is our responsibility to find and advance solutions that safeguard the privacy of Arizonans while protecting the security of their data. I look forward to continuing thoughtful conversations as we move forward.”

As an additional safeguard, the legislation is time limited and will expire after two years. If enacted, the US Department of Justice would have to address Congress once a year to keep them updated on cyber-sorties carried out under the law.

The proposed act is in its early stages, and it must jump over various hurdles and survive the committee stages to make it onto the law books. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/13/us_hack_back_law/

DoubleLocker Delivers Unique Two-Punch Hit to Android

Combines Android ransomware with the capability to change users’ device PINs.

Android users downloading a fake Adobe Flash Player from a malicious website may find themselves victimized by a unique strain of Android ransomware called DoubleLocker, ESET researchers disclosed today.

DoubleLocker, which was discovered in the wild in August, will not only encrypt users’ Android device data, but takes the additional step of changing the device PIN, according to Lukas Stefanko, ESET malware researcher.

“The most interesting thing here is that it uses a dangerous combination of three aspects we have not seen before: accessibility services, which performs a click on the user’s behalf; it encrypts data; and it can reset a PIN for a user’s device,” Stefanko told Dark Reading.

DoubleLocker was created based on mobile banking malware that misuses accessibility services to gain control over the infected device.

The bogus Adobe Flash Player asks the user to activate a bogus “Google Play Service”, which is in fact the malware’s accessibility service.

“There are no exploited vulnerabilities, they’re just using the system as it is designed,” Stefanko says.

Once DoubleLocker secures accessibility permissions, it leverages them to snag administrator rights for the device and establishes itself as the default Home application without the user’s approval.

As the default home app, or launcher, DoubleLocker is activated whenever the user presses the home button. It then changes the PIN to a random value that is neither stored on the device nor sent out, according to ESET’s report. As a result, neither the user nor security teams can recover the PIN. If a user pays the ransom, the attacker remotely resets the PIN and unlocks the device.

DoubleLocker can also act as traditional ransomware and encrypt files in the primary storage directory on the device. Users will realize they have been attacked if they find the “.cryeye” filename extension, according to ESET.

To Pay or Not to Pay

DoubleLocker demands 0.0130 Bitcoin, or roughly $54, in ransom, and victims are ordered to pay within 24 hours. If they do so, they get their data back.

Meanwhile, there is a way to reset a hijacked PIN, according to ESET’s report.

Devices that have not been rooted and are without a mobile device management system that can reset the PIN can be restored with a factory reset. While that will remove the PIN lock screen, it will also delete whatever data was on the device.

For devices that are rooted and have debugging enabled in the settings, a user can connect the device by the Android Debug Bridge (ADB) and remove the file where the PIN is stored, ESET advises.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/mobile/doublelocker-delivers-unique-two-punch-hit-to-android--/d/d-id/1330134?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple