NCC hires three Bank of England cyber experts to beef up assurance business

Three of the Bank of England’s cyber specialists have joined NCC Group to lead a newly established threat assurance unit at the UK-based security consultancy firm.

In their new roles within NCC’s new Centre for Evolved Next-generation Threat Assurance (CENTA), Phillip Larbey, Anthony Long and Fiona Paterson will be advising governments, regulators and regulated institutions on cyber resilience and best practice. Larbey, former head of sector for the Bank of England’s cyber functions, has been appointed as associate director of NCC Group and managing principal of CENTA.

Larbey’s role will include leading a team that advises clients such as foreign central banks and institutions on risk management, cyber resilience and complying with regulatory frameworks.

Paterson led on cyber resilience policy at the Bank of England for the last two years, a job that involved developing a close working knowledge of the threat landscape, as well as cyber capabilities for government agencies.

Long previously led the design, delivery and continued development of the CBEST testing programme across retail banks, international banks and the insurance market.

CENTA will provide a global advisory service, assisting relevant institutions with the “preparation, design, implementation and support” of cyber resilience and evolved security testing regulatory regimes. It will also offer staff training, testing project management, analysis of root-causes and assistance with correction and remediation, as well as providing ongoing, regulator-standard reviews and security audits.

Larbey, associate director of NCC Group and managing principal of CENTA, said: “We will be working in alignment with the geo-political forums to advise on and support government departments, central banks, regulators and other institutions in upholding the highest of standards when it comes to cyber risk management and the continued compliance with regulatory frameworks.”

The appointments are a tonic for NCC Group, which has gone through a turbulent year financially that resulted in profit warnings following the cancellation of three hefty contracts and the postponement of a fourth.

Earnings before income tax, depreciation and amortisation at NCC Group came out at £27.6m in 2017 compared to £39.7m the year before and the £45.5m initially forecast for FY2016/17. A slowdown in the assurance division was blamed for the shortfall, which resulted in losses of £53.4m in the year to 31 May 2017 compared to profits of £11.4m in the previous year (financial statement, pdf).

NCC offers cybersecurity consulting and managed security services as well as software escrow and verification services.

Ben Jepson, director for risk management and governance at NCC Group, said: “Governments and regulators are some of the most at-risk and highly regulated institutions, and we created CENTA to offer a dedicated advisory practice to help enhance their resilience to cyber threats. Phillip, Anthony and Fiona each bring with them unrivalled expertise and a broad network of contacts, which will be invaluable in achieving our mission of raising security standards worldwide.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/15/ncc_bofe_hires/

Another month, another malware outbreak in Google’s Play Store

Google has had to pull 50 malware-laden apps from its Play Store after researchers found that virus writers had once again managed to fool the Chocolate Factory’s code checking system.

The malware was dubbed ExpensiveWall by Check Point security researchers because it was found in the Lovely Wallpaper app. It carries a payload that registers victims for paid online services and sends premium SMS messages from a user’s phone and leaves them to pick up the bill. It was found in 50 apps on the Play Store and downloaded by between 1 million and 4.2 million users.

The malware is a strain that the researchers first spotted in the Play Store in January, but with one crucial difference. This time the authors had encrypted and compressed the malware, making it impossible for Google’s automated checking processes to spot.

Once downloaded, the malware asks for permission to access the internet and send and receive SMS messages. It then pings its command and control server with information on the infected handset, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI numbers.

The servers then send the malware a URL, which it opens in an embedded WebView window. It then downloads the attack JavaScript code and begins to clock up bills for the victim. The researchers think the malware came from a software development kit called GTK.

“Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store,” the researchers note. “However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.”

Google’s comment scanning is as bad as Bouncer

It appears that Google missed warnings about the malware infection. The user comments section of at least one of the infected apps was filled with outraged users noting that it was carrying a malicious payload, and the apps also appear to have been promoted on Instagram.

Cases of malware infecting Google’s Play Store are becoming depressingly common. Just last month it was banking malware and a botnet controller, in July commercial spyware made it in, advertising spamming code popped up in May (preceded by similar cases in March and April), and there was a ransomware outbreak in January.

By contrast, Apple’s App Store appears to do a much better job at checking code, and malware is a rarity in Cupertino’s app bazaar. While some developers complain that it can take a long time to get code cleared by Apple, at least the firm is protecting its customers by doing a thorough job, although Apple’s small market share also means malware writers tend not to use iOS for their apps.

Google’s Bouncer automated code-checking software, on the other hand, appears to be very easily fooled. Google advises users to only download apps from its Store, since many third-party marketplaces are riddled with dodgy apps, but that advice is getting increasingly untenable.

It’s clear something’s going to have to change down at the Chocolate Factory to rectify this. A big outbreak of seriously damaging malware could wreak havoc, given Android’s current market share, and permanently link the reputation of the operating system with malware, in the same way as Windows in the 90s and noughties. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/15/malware_outbreak_googles_play_store/

Chrome to label FTP sites insecure

Google’s Chrome browser will soon label file transfer protocol (FTP) services insecure.

Google employee and Chrome security team member Mike West yesterday announced the plan on the Chromium.org security-dev mailing list.

“As part of our ongoing effort to accurately communicate the transport security status of a given page, we’re planning to label resources delivered over the FTP protocol as ‘Not secure’.”

“We didn’t include FTP in our original plan,” West wrote, referring to the decision to mark HTTP as insecure. Adding FTP to Chrome’s naughty list was decided upon because “its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP’s usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labelling it as such seems appropriate.”

As we noted when covering Debian’s decision to dump its FTP archive, the protocol was published in 1971. Age alone doesn’t make it a bad protocol, but it was designed for gentler times. It’s therefore hard to disagree with Google’s decision.

West points out that the Linux Kernel archive has also binned FTP, with ftp://ftp.kernel.org/ taken offline on March 1st, 2017, in favour of HTTPS. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/15/chrome_to_label_ftp_sites_insecure/

News in brief: FTC to probe Equifax; Bitcoin price falls on China move; HBO teases GoT finale news

Your daily round-up of some of the other stories in the news 

FTC confirms Equifax investigation

The Federal Trade Commission said on Thursday that it was opening a probe into the huge data breach that saw the details of some 143m people compromised, Reuters reported.

The rare statement – the FTC hardly ever acknowledges that it’s investigating any organisation – came the day after the FTC was asked by Mark Warner, a Democratic member of the Senate Banking Committee, to look at the credit reporting agencies’ security practices.

The FTC said on Thursday: “The FTC does not typically comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax breach.”

As we’ve reported on Naked Security today, it’s been a tough day for Equifax, with the confirmation that the breach came as a result of an unpatched vulnerability, and the news that it had had to take a portal offline in Argentina after researchers found it leaking customer details.

Bitcoin price tumbles as crackdown bites

The price of Bitcoin was falling on Thursday after China’s second largest exchange said – as expected – it would stop trading at the end of September in response to reports that Beijing is set to ban trading in cryptocurrencies. China has already banned Initial Coin Offerings (ICOs), a risky financial instrument being used by start-ups to raise funds.

At the time of writing (18:30 BST) Bitcoin was trading at $3,378.98, falling after BTC China said in a tweet that it would stop trading for all customers based in China on September 30.

Cryptocurrency investors had their woes compounded when Russia’s central bank said at a banking conference in Sochi that Moscow shared Beijing’s views, reported Bloomberg. Bank of Russia deputy governor Dmitry Skobelkin told reporters: “China doesn’t recognise cryptocurrency as payment and forbids ICOs. Our views are absolutely similar. In our view, it’s a sort of financial pyramid that may collapse at any moment.”

Skobelkin’s comments followed condemnation of Bitcoin from Jamie Dimon, the chief executive of JPMorgan, who said on Tuesday in New York that it is “a fraud”. “If we had a trader who traded Bitcoin I’d fire him in a second for two reasons,” he was reported by the FT as saying. “One, it’s against our rules. Two, it’s stupid,” he said, adding that it was “worse than tulip bulbs”.

HBO chief teases Game of Thrones finale news

HBO has learned its lesson: after the hack in which 1.5TB of data was apparently stolen, including episodes of Game of Thrones that were leaked online before they were broadcast, it is filming “multiple versions” of the season 8 finale.

Casey Bloys, HBO president of programming, told an audience of college students and staff in Pennsylvania that even the stars of the series won’t know how it ends until the final cut is transmitted.

“They’re going to shoot multiple versions so that nobody really knows what happens,” he said, adding: “You have to do that on a long show. Because when you’re shooting something, people know. So they’re going to shoot multiple versions so that there’s no real definitive answer until the end.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WCcf6S3v-qI/

What is the cyber equivalent of ‘use of force’? When do we send in the tanks?

Cloudflare Internet Summit The United States needs to define a new set of international rules that decides what the cyber equivalent of a missile attack is.

So says Avril Haines, former deputy head of the CIA and deputy national security advisor to the Obama Administration.

Speaking at the Cloudflare Internet Summit in San Francisco Thursday, Haines reflected on the nature of cybersecurity when it comes to national security – an issue that has become increasingly important in recent years, especially with respect to Russian interference in the US political system.

The United States is more vulnerable than any other country in the world to a cyberattack, warns Haines, because so much of it is dependent on the internet. The problem is that while there is a long history and body of work on what represents an attack in the real world, there is still no agreement on what is acceptable and what is not in the online world.

“In the cyber realm, we are trying to figure out what constitutes ‘use of force’,” notes Haines, “but we are nowhere near that yet.”

Part of the problem is that no one – particularly the sophisticated United States – wants to agree that something represents an attack when they could also be accused of the same thing.

“If we say something is ‘use of force,’ it can be used against us,” Haines says. “We need a framework where we can go to other countries and say ‘this is a problem, you should join us’.”

Currently a big part of the problem is that cyberattacks are seen in some ways like intelligence, and espionage has traditionally been viewed as a kind of game that shouldn’t invoke nation-state responses. Which leads to the question: what kind of cyberattack is sufficiently bad to send in the tanks?

Haines addresses the Cloudflare Internet Summit

Boom

In Haines’ mind, the answer to that is when a cyberattack has the same impact as a bomb would have: taking out a critical piece of infrastructure. But she warns that while it is easy to see the cyberworld as a battlefield, in reality it is just part of a larger overall conflict.

“We need to make sure we don’t imagine that the only responses to cyber are in cyber,” she says. In other words, the cyberworld and real world interact and we should not view them separately.

Nevertheless, when pushed on the “send the tanks in” question, she flags what Russia did to Georgia – and currently what it’s doing to Ukraine – as an example of where cyberattacks may cross the line as they are part of a larger strategy to pressure and damage a nation state.

Although the topic is complex and highly variant, Haines nevertheless remains optimistic that a set of rules covering the cyberworld that expand long-held norms over conflict into the virtual world can be broadly defined.

She points to the Law of the Sea – a very clear but complicated set of rules that define what guidelines and laws apply outside of normal national borders – as an example of how a seemingly impossible framework can be designed and made to work, as it is in everyone’s interests not to end up in constant conflict all around the world.

It’s not just in the security and intelligence worlds that the internet is redrawing the way the world works, however.

Haines feels that the impact of virtual communities – where we all connect with and spend more time with people far outside of our own physical worlds – is going to bring with it “another evolution of our political institutions.”

There will be an increasing reliance on non-state actors, she predicts. The question then becomes: are those non-state actors subject to the kind of rules that traditional systems are, in order to protect people and societies?

And by non-state actors she doesn’t mean just terrorist groups, but also large companies (many of whom, she notes, have foundations that do similar work that governments used to do), and things like Bitcoin.

Snowden

As for the impact of the internet on the intelligence community itself, Haines notes that it has become increasingly difficult for intelligence agencies to “bring something new to the table.”

She told an anecdote about a former head of the CIA who, when he retired, thought he would miss the president’s daily briefing. But then he started reading The New York Times, and found that he received almost the same quality of information and analysis.

In the internet world, information is much, much easier to find.

As to the biggest impact on intelligence in recent years – Edward Snowden’s massive dump of information about what the security services are really up to – Haines notes: “I wish it hadn’t taken Snowden to start the conversation.”

She then offers some perspective from the intelligence services’ side: “One of the problems is that we always have the conversation in the light of an attack. There is this demand for perfection from the intelligence community – that there can never be an attack – and that makes it really difficult. They feel that pressure any time anything goes wrong.”

The hard truth is that a difficult conversation needs to be had, says Haines. “There are some values such as privacy where we have to discuss whether we are willing to live with a certain amount of risk [in order to maintain a high level of privacy]. We have to get comfortable with that.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/14/cloudflare_summit/

Equifax: four simple steps to secure yourself

By now, everyone is aware of the Equifax data breach affecting up to 143m people in the USA, UK and Canada.

Sophos CISO Norm Laudermilch has put together four simple steps that you can take to make sure your family gets through this with identities and finances intact.

1. Check your credit report

Check your credit report immediately to make sure that you haven’t already been compromised.

In the USA everyone is entitled to one free credit report each year, from each of the major reporting agencies. Free report links can be found on each of their websites. You can go to the Annual Credit Report website to get reports from all three in one swoop instead of having to call them separately.

Unfortunately, the high volume of site visitors may cause delays. In that scenario, you can call 1-877-322-8228. Deaf and hard of hearing consumers can access the TTY service by calling 711 and referring the Relay Operator to 1-800-821-7232.

Instructions for checking your credit reports in the USA are available from the usa.gov’s Credit Reports and Scores page.

If you are in the UK, follow the instructions on how to check your credit reports on the gov.uk site.

Canadian citizens can order free credit reports from Equifax and TransUnion.

2. Ask Equifax if you’ve been affected

Equifax has provided a website dedicated to providing information about the breach and a tool for people in the USA to check if they have been affected by it. Equifax has not provided a similar facility for people in the UK and Canada yet. We will update this guidance when they do but in the meantime, it’s probably best to assume that you have been affected.

3. Consider ID theft protection

Consider using an identity theft protection service if you have been affected. Identity theft protection services LifeLock and IdentityGuard are both offering discounts and free months if you’ve been affected by a breach. Equifax is also offering its own TrustedID Premier service free for a year. Rumours that consumers waive their right to take part in future legal action if they sign up for the services are not true:

To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action … we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.

4. Freeze your credit file

Freeze your credit with all four reporting agencies. A credit freeze stops the agencies from releasing your information to new creditors without your authorization. While this doesn’t solve the problem of personal data that has already leaked, it does limit the potential impact of an identity theft incident. Fees for this service vary from state to state.

There are drawbacks: you will have to “thaw” the freeze for valid purchases like buying a new car or home. It is not a slick process – but the advantages outweigh the annoyances.

The cost to freeze your credit varies by which state you’re in.

Here’s how you can freeze your credit file:

  • Equifax: Enter all of your personal information, enter the code verification shown on the screen, accept the terms of use, and hit “Submit” at the bottom of the screen. Pay the fee using a credit card on the next screen. Make sure to write down the “thaw” PIN that is generated because you’ll need that to undo this process later.
  • Experian: Enter all of your personal information, accept the terms of use, and hit “Submit” at the bottom of the screen, pay the fee on the next screen, and remember to write down your PIN.
  • TransUnion: Click on “Register” to the right and create an account, then follow the directions on the screen, pay your fee, write down your PIN.
  • Innovis: Click the button for “Request a Security Freeze”, fill out the personal information and click “Submit Request” at the bottom of the page.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wOZKTT7Z9S0/

Equifax felled by a months-old Apache Struts vulnerability

Equifax today posted an announcement on their website with more information about what they believe is the source of the massive breach.

There are two key statements of interest for us, so let’s take a look:

We know that criminals exploited a US website application vulnerability.

This isn’t terribly surprising: Verizon’s DBIR research has repeatedly shown that web applications are the most common attack target by a large margin. The targets are plentiful, their security generally a bit more lax, and research has shown that the vulnerability/patch gap is even greater for web apps than it is for most other application types. But more on that gap in a moment.

The vulnerability was Apache Struts CVE-2017-5638

Wince. This Struts vulnerability (not to be confused with the more recent Return of Struts) was a nasty server-side remote code execution bug made known to the public in March of this year. Naked Security’s Paul Ducklin did a marvelous deep-dive into how it works in this blog post, but the key point is this:

Without logging in, without fetching the original web form page in the first place, and without even having any form data to upload, a crook may be able to trigger this bug simply by visiting the web page listed in the action field of any of your web forms.

If you use Struts 2 somewhere in your network, and still haven’t applied the latest patch, you really ought to, because this vulnerability is easy to exploit by anyone who wants to try.

It’s possible that Equifax’s vulnerable servers weren’t specifically targeted but merely caught in a wide net cast by attackers looking to pwn any unpatched Apache Struts servers they could find. Still, given that this vulnerability was known in March and Equifax’s breach is dated to somewhere in May, that’s a more than two-month span during which a vulnerable server was left wide open to attackers.

The Equifax breach is, unfortunately, a great example of attackers taking advantage of the dreaded gap between vulnerability discovery and vulnerability remediation. Various researchers have looked into the time it takes the average organization to patch a vulnerability, and the number hovers between 60 to 150 days, depending on the research source.

This means that criminals taking advantage of vulnerabilities tend to have time on their side, and they generally act within 40 to 60 days. So in many cases, the bad guys have about two months of wiggle room before a vulnerability they’re using gets patched. And it looks like in Equifax’s case, that little bit of wiggle room was all the attackers needed to carry out one of the biggest data breaches in history.

The general wisdom when news of a bad bug makes the rounds is to patch as quickly as possible. The asterisk to all this is that the advice is not news to most IT professionals — in an ideal world, patches would be tested and then deployed flawlessly the moment they became available thanks to ample resources, the patch wouldn’t break any processes, and the nasty vuln would simply be gone.

But the reality is always more complicated, of course: patches don’t get deployed as quickly as they should because the to-do list of patches waiting to be applied is already quite long.

And sometimes fixing a security vulnerability can have all sorts of unforeseen issues in production systems that could necessitate rolling the patch back (another nightmarish scenario) — even if the patch was tested first before deployment, which it isn’t always. In the case of Struts, with this being a server-side vulnerability, it’s possible that patching meant taking key systems offline to deploy a fix, which can be a political and logistical quagmire.

When a particularly nasty bug makes the headlines — such as Heartbleed — the patch for that bug may get pushed to the top of the priority pile thanks to the spotlight shone on it (especially from a very concerned C-level exec), but often less-glamorous but just-as-dangerous bugs are added to the lengthening queue, and there’s an element of risk acceptance and hope: What are the chances that this bug will come to bite my systems in the time it takes me to patch?

Ultimately it’s a gamble with customer data, and when the gamble fails it’s customers that suffer most.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cI3FUwXFMcA/

Microsoft patches second FinSpy zero-day exploit this year

It’s Microsoft patch time again, which this month sees admins coming face-to-face with 81 CVE-ranked vulnerabilities, 27 rated “critical”, with an interesting zero-day for added excitement.

Assessing which of these patches should be the priority will depend on your perspective. It’s always tempting to start with the headline zero-day, which this month is an interesting example in a year that has, so far, seen 17 in Microsoft’s products.

Designated CVE-2017-8759, it’s a serious remote code execution flaw in .NET that researchers noticed being exploited through malicious Microsoft Office RTF documents intended for Russian-speaking targets. Other document types probably featured too.

The intrigue is that the exploit was noticed in July being wielded by what is surely the world’s most notorious commercial spyware, FinSpy, aka FinFisher or WingBird.

Ostensibly sold to governments as “lawful intercept” software for spying on criminals, it’s also widely known to have been used to spy on citizens for political purposes. It’s a bit of a chameleon, and in 2013 was accused of trying to spread itself by masquerading as Firefox, which ended with Mozilla sending makers Gamma International a cease and desist.

The chances of the average Naked Security reader encountering FinSpy are small – it’s targeted malware – but that shouldn’t stop everyone applying the patch for it as soon as possible.

Just to underline the importance of this, earlier this year FinSpy was outed for exploiting another zero-day, CVE-2017-0199, which was simultaneously being used by the Latenbot crimeware. The message is clear: a zero-day is bad news and countering it should always be a high priority.

Office 365 already mitigates the exploit associated with the newer zero day for customers using the suite’s Advanced Threat Protection (ATP) but that’s really a secondary defence.

As a background aside, the number of zero-days uncovered in Microsoft products has been pretty stable in recent years at 15 in 2013, 12 in 2014, 13 in 2015, and 11 in 2016. This year looks as if it might tick up to as many as 20.

Other zero days

The bulletin lists three other important zero-days that haven’t (as far as we know) been exploited: CVE-2017-8723 (an Edge browser bypass triggered by loading a malicious website), CVE-2017-9417 (a Broadcom chipset flaw relating to HoloLens), and CVE-2017-8746 (a bypass of Device Guard affecting PowerShell sessions).

‘BlueBorne’ super-flaw

Another worth noting is CVE-2017-8628, the ‘BlueBorne’ Bluetooth driver flaw, which was actually quietly patched in July but which the company has only now mentioned. This is really the Windows element of a clutch of vulnerabilities affecting Bluetooth across a range of platforms.

The bulletin total includes one Adobe Flash vulnerability across a wide range of Microsoft products. There are also 14 affecting Edge, three affecting Internet Explorer, 11 for Office, nine for Windows’ graphics components, and seven for Hyper-V, with an assortment of flaws in the kernel.

Most of the worst Remote Code Execution (RCE) action is in the Edge and IE browsers, and the scripting engine that links these to Office, which along with the zero days should be the focus of attention.

The important bulletins covering critical vulnerabilities are MS17-006, MS17-007, MS17-008, MS17-009, MS17-010, MS17-011, MS17-012, MS17-013 and MS17-023.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3jJYwbYcjG0/

Equifax: researchers find leaky customer help portal in Argentina

As Equifax deals with the fallout of its data breach earlier this month, it’s also receiving a lot more scrutiny from security researchers than it might be used to – and according to security reporter Brian Krebs, there are other parts of Equifax’s security that are wanting.

Unfortunately, according to Krebs, it looks like a web portal used by Equifax employees in Argentina to manage customer complaints had all-too-simple login credentials — admin as the username, admin as the password.

If that were not bad enough, the portal also made no real effort to secure employee contact information or credentials, as employee passwords were not only stored in plaintext, but generally, they were simply the employee’s first initial and full last name, or some combination thereof. Not terribly hard to guess.

And if that were not bad enough, the portal also stored customer data, including customer DNI numbers, in plaintext. The DNI, the national identification number for Argentina, is assigned at birth and unchangeable, and not something that you want to land in the wrong hands.

Hold Security, the company that made this discovery, worked with Krebs on this disclosure, and Krebs notified Equifax of this issue on 12 September.

Krebs reports that Equifax pulled the entire portal offline the same day while it investigates the scope of the issue. It’s not known whether any of the customer data was breached before this discovery, or whether Hold Security found the issue before a criminal did, but the researchers were able to pull up 14,000 customer records.

Attackers know that their methods often don’t have to be sophisticated to be effective, as many organizations still don’t have a lock on the basics.

Default passwords are a boon to attackers, as many people don’t know or don’t remember to change them — from consumers using web-enabled devices at home to system administrators of massive industrial applications. And storing passwords in plain text is inexcusable (for the right way look at Paul Ducklin’s guide to storing passwords safely).
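To make the two failures concrete, here is an added illustration (not code from the article, Krebs, Hold Security or Equifax) of what "the right way" looks like in practice and how a defender can audit a credential store for exactly the problems described above: values stored in plaintext, and passwords equal to the username or to a first-initial-plus-surname guess. It uses salted PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, record format, and the sample usernames and names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Parameters chosen for this example (assumptions, not values from the article).
SCHEME = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and pack it into a
    self-describing record: scheme$iterations$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def is_hashed(record: str) -> bool:
    """True if the stored value is in the hashed record format rather than plaintext."""
    parts = record.split("$")
    return len(parts) == 4 and parts[0] == SCHEME


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if not is_hashed(record):
        return False                            # unknown or malformed record
    _, iterations, salt_b64, hash_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def guessable_candidates(username: str, first_name: str, last_name: str) -> List[str]:
    """Trivial guesses of the kind the article describes: the username itself,
    and first initial plus last name."""
    candidates = [username]
    if first_name and last_name:
        candidates.append((first_name[0] + last_name).lower())
    return candidates


def audit_credential_store(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return findings per username: 'plaintext' when the stored value is not a
    hash record, 'guessable' when a trivial candidate matches the password."""
    findings: Dict[str, List[str]] = {}
    for row in rows:
        problems = []
        stored = row["stored"]
        hashed = is_hashed(stored)
        if not hashed:
            problems.append("plaintext")
        for guess in guessable_candidates(row["username"],
                                          row.get("first_name", ""),
                                          row.get("last_name", "")):
            # Plaintext rows compare directly; hashed rows go through verify_password.
            matched = verify_password(guess, stored) if hashed else guess == stored
            if matched:
                problems.append("guessable")
                break
        if problems:
            findings[row["username"]] = problems
    return findings


# Constructed sample rows (hypothetical names, not data from the article).
SAMPLE_ROWS = [
    {"username": "admin", "first_name": "", "last_name": "", "stored": "admin"},
    {"username": "jperez", "first_name": "Juan", "last_name": "Perez", "stored": "jperez"},
    {"username": "mgomez", "first_name": "Maria", "last_name": "Gomez",
     "stored": hash_password("mgomez")},
    {"username": "lruiz", "first_name": "Lucia", "last_name": "Ruiz",
     "stored": hash_password("correct horse battery staple")},
]

if __name__ == "__main__":
    for user, problems in audit_credential_store(SAMPLE_ROWS).items():
        print(user, problems)
```

Note that the third sample row is hashed correctly yet still fails the audit: hashing protects a database dump from being read directly, but it does nothing against a password that an attacker can guess from the username, which is why both checks belong in the same review.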

Again, it’s not known if any customer data was breached, though certainly it was put at risk.

This portal in Argentina didn’t look like it had received any kind of attention or basic security hygiene check, as many of the issues reported by Hold and Krebs are alarmingly simple. Even a system with “just” 14,000 customer records deserves proper care and attention to key security practices.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FF2T7aN1OpA/

Defrosted starter for 10: Iceland home delivery site spills customer details

Iceland’s home delivery service exposed sensitive customer information for months until the problem was plugged this week, a UK security researcher discovered.

Paul Moore went public with his findings after failing to get the retailer to act even 12 months after first reporting the issue. Public disclosure finally prompted action from Iceland where private reminders had failed, he said. The flaws were resolved shortly after Moore went public on Wednesday.

The issue revolved around home delivery confirmation sheets and an associated Iceland-run website. When customers placed an order with Iceland for delivery, the driver handed them this sheet… which customers had to sign to accept delivery.

Too much information: Iceland’s home delivery sheet [source: redacted picture from Paul Moore]

Moore noticed to his consternation that this sheet contained all other customer names, addresses and telephone numbers on that delivery route.

That was bad enough, however there was also an IP address at the top right of the sheet (http://54.75.255.8) and this led to an insecure site.

“This is the login portal for Iceland’s scheduling system. It requires a username and password. However, clicking the ? tells you the password is the 4 digit store number (on the sheet they hand you!),” Moore said.

Iceland home delivery site [source: Paul Moore]

All someone would have needed at this point to access sensitive data on the site was a username but this too could be guessed, Moore explained.

“A quick look at the source code reveals a now defunct ‘secret question’ feature. It also has this line… “store_number : $(‘#id_username’).val()” … suggesting the username should be the store number too. Amazingly, entering “0287” as both username and password logs you straight in, providing access to everything.”

Nasty.

Fortunately the security vulnerability was plugged hours after it went public.

Iceland told Moore that it had applied a fix so external users couldn’t access the site any more (it is IP-limited now). The UK supermarket, which specialises in frozen goods, is also said to be working on changing the way its ePOS system works across its stores, so they’ll no longer need delivery sheets.

In response to queries from El Reg, Iceland sent a statement acknowledging the now resolved issue and thanking Moore for bringing the problem to its attention.

We are confident that only a limited amount of data, and a limited number of stores, were affected and we implemented the necessary changes as soon as we were made aware of the issue yesterday [Wednesday] morning.

The privacy of our customers is of great importance to us and we will continue to do our utmost to ensure that this is properly protected.

Moore credited Iceland for acting quickly after he went public while faulting the retailer for not acting on private reports of problems despite repeated reminders on his part sent through multiple channels of communication. Even flagging up the issue to data privacy watchdogs at the ICO failed to move things along. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/14/iceland_breach/