STE WILLIAMS

Report: Iranian ‘Mole’ Carried Stuxnet to Iranian Nuclear Facility

An engineer recruited by the Dutch intelligence agency AIVD helped bring to Iran’s Natanz nuclear facility the malware via USB that ultimately infected systems there and sabotaged centrifuges, according to an exclusive report from Yahoo News.

One of the key missing puzzle pieces to the Stuxnet saga — how the malware got into Iran’s secured Natanz facility — finally has been uncovered: An Iranian engineer recruited by AIVD, the Dutch intelligence agency, installed the malware weapon onto systems in the uranium-enrichment plant, Yahoo News reported this week in an exclusive.

According to the report, the “mole” posed as a mechanic performing services at Natanz under a phony cover company. Sources told Yahoo News that the engineer was recruited by AIVD on behalf of the CIA and Israel’s Mossad intelligence agency. The mole also provided intelligence that assisted the Stuxnet developers in targeting the plant’s systems.

“[T]he Dutch mole was the most important way of getting the virus into Natanz,” one of the sources reportedly said.

The engineer either installed Stuxnet directly from the USB drive or infected another engineer’s system, so that the second engineer unknowingly carried the malware onto the control systems while programming them, according to the report.



Article source: https://www.darkreading.com/attacks-breaches/report-iranian-mole-carried-stuxnet-to-iranian-nuclear-facility/d/d-id/1335715?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

XKCD forums breached

The forum for the techie-darling comic strip XKCD was still offline on Monday afternoon after Troy Hunt’s breach site, Have I Been Pwned, reported on Sunday that 562,000 of the forum’s accounts had been breached sometime in August.

A breach notice on the echochamber.me/xkcd forums echoed Hunt’s message: portions of the forums’ phpBB user table showed up in a cache of leaked data, it said. The forum exposed usernames, email addresses, passwords salted and hashed using the obsolete MD5 hashing function, and IP addresses.

To translate: MD5 is a hashing function, and it’s not a good one. For over a decade it has been recognised as broken, with its output no longer regarded as truly random, and far, far better solutions for storing passwords have existed for decades.

As Naked Security’s Mark Stockley said back when he ditched his Yahoo account, the final nail in the coffin was the fact that Yahoo said, in its December 2016 mega-breach announcement, that it was hashing passwords with MD5 (and, in some cases, encrypted or unencrypted security questions and answers).

Was Yahoo bolstering the not-so-random randomness of MD5 hashing by using it in the context of a more complex “salt, hash and stretch” password storage routine, like PBKDF2, bcrypt or scrypt?

Yahoo didn’t say – not a good sign. So out the window went Mark’s Yahoo account.

These things matter because hashing on its own isn’t good enough. A hashing function is a one-way street: Hashing is a mathematical function that encodes a secret, taking an alphanumeric string such as a password and using it to produce another string, called a digest.

You can calculate the digest easily using the password, but you can’t go backwards: you can’t calculate the password by using the digest.

That makes it great for storing passwords securely. When a user logs in using their password, the web application can quickly hash it. If the digest matches the one on file, the user gains access. Yet if anyone steals the password database, they can’t read it. (Although hashing is fundamental to good password security, there’s more to it than that – for a detailed primer, see how to store your users’ passwords safely.)

Unfortunately, as we learned back in June, not all CMS software packages use hashing properly. Three researchers from the Department of Digital Systems at the University of Piraeus in Greece tested several CMS products to see how well they hashed user passwords. The answer:

We have discovered that many CMS use outdated hash functions.

phpBB, however, was one of the good ones: phpBB is the open-source message board software on which XKCD runs its forums. The researchers said that the CMS was among the most secure systems from a hashing perspective because it used bcrypt, a password hashing function that’s resistant to GPU-based parallel computing cracks.

(At least some of?) XKCD passwords were salted/hashed

Unlike Yahoo and its hear-no-MD5-evil, speak-no-MD5-evil silence on salting/hashing/stretching, the XKCD forums said that the breached passwords that showed up in Have I Been Pwned were, in fact, salted and hashed.

We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection. The data includes usernames, email addresses, salted, hashed passwords, and in some cases an IP address from the time of registration.

But it’s unclear just how many passwords were salted and hashed. IT Pro reports that the records appear to “mostly” be hashed using the far more secure bcrypt algorithm, although “some accounts are still encrypted via the older, less secure md5 encryption method.”

A mix of different hashes like this normally indicates that the password hashing code has been updated at some point, but not all the existing users have been moved on to the new, more secure algorithm, perhaps because they’re inactive.
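The one-way hashing described above and the “mostly bcrypt, some MD5” mix that a half-finished migration leaves behind can both be seen in code. The following is an added example, not code from the article, phpBB, or XKCD: it keeps a tiny constructed user table in which some rows still hold salted MD5 and others a salt-hash-stretch digest, verifies logins against either scheme, and transparently re-hashes a legacy row the next time its owner logs in. PBKDF2-HMAC-SHA256 from Python’s standard library stands in for bcrypt so the example runs without third-party packages; the `scheme$salt$digest` record format, the iteration count, and the usernames are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Work factor for the stretched scheme (assumed value for the example;
# tune it to your hardware, and raise it over time).
ITERATIONS = 200_000


def legacy_md5(password, salt):
    """The obsolete scheme: one fast MD5 pass over salt + password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def legacy_md5_record(password):
    """Build a stored record the way the old code would have (for the demo only)."""
    salt = os.urandom(8)
    return "md5$" + salt.hex() + "$" + legacy_md5(password, salt)


def pbkdf2_record(password):
    """Salt, hash and stretch: the replacement scheme."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify(record, password):
    """Check a password against a stored record of either scheme."""
    scheme, rest = record.split("$", 1)
    if scheme == "md5":
        salt_hex, digest = rest.split("$")
        computed = legacy_md5(password, bytes.fromhex(salt_hex))
    elif scheme == "pbkdf2_sha256":
        iters, salt_hex, digest = rest.split("$")
        computed = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        ).hex()
    else:
        raise ValueError("unknown hash scheme: " + scheme)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(computed, digest)


def login(users, username, password):
    """Return True on success and upgrade a legacy hash while the password is in hand."""
    record = users.get(username)
    if record is None or not verify(record, password):
        return False
    if record.startswith("md5$"):
        users[username] = pbkdf2_record(password)
    return True


def audit(users):
    """Count rows per scheme: the picture a breach write-up calls 'mostly bcrypt, some md5'."""
    counts = {}
    for rec in users.values():
        scheme = rec.split("$", 1)[0]
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample table: one inactive user never migrated, one already upgraded.
    users = {
        "alice": legacy_md5_record("correct horse"),
        "bob": pbkdf2_record("battery staple"),
    }
    print("before:", audit(users))
    print("alice logs in:", login(users, "alice", "correct horse"))
    print("after:", audit(users))
```

Users who never log in again (the inactive accounts the article mentions) stay on the weak scheme forever under this approach, which is exactly why such leaks contain a residue of MD5 rows; the only way to retire those is to expire the legacy rows and force a reset.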

Flaw in phpBB/no flaw in phpBB??

An earlier version of the breach notification that was up on Sunday suggested that the leak may have been enabled by an attacker scanning for a vulnerability in phpBB:

It is likely that it was gathered up in some automated scan taking advantage of a vulnerability in the forum software.

…but given that the breach notification was amended at some point to ditch the possibility of this flaw in phpBB, such a flaw has presumably been ruled out.

According to Hunt, 58% of the addresses were already in his trove of breached accounts.

Has the Correct Horse Battery been stapled?

It’s impossible not to note the irony of XKCD being targeted and that there’s even a hint of a possibility that the security of its password storage might come into play. As it is, the comic’s musings/teachings on password entropy are a constant touchstone in conversations about how to pick a proper password: the correct horse battery staple strip about password strength is a classic.

But regardless of how the passwords got breached, we can turn to another XKCD strip – this one about password reuse – for the “What to do?” answer. We can also get it from the XKCD forums’ notification.

Namely, if you’re an echochamber.me/xkcd forums user, you should immediately change your password for any other accounts on which you used the same or a similar password.

Using the same passwords on multiple sites leaves you a sitting duck. Here’s how to pick a proper one, and by that we mean one that’s both strong and unique for each site:

[Video: how to pick a proper password]

And if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more:

[Podcast: two-factor authentication explained]

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YDE5xjmhFxY/

FBI asks Google for help finding criminals

How would you prepare to rob a bank? You’d scope out the location, suss out the quietest times, and use clothing to conceal your identity. But would you leave your phone at home? Judging by news that surfaced last week, you probably should – at least if it has Google’s software on it.

The Verge reports that FBI agents issued the search and advertising giant with a warrant in November 2018, seeking its help with a bank robbery the month before.

The robbery took place at 9:02am on 13 October 2018 at the Great Midwest Bank in Hartland, Wisconsin. Two robbers entered the building, one of them waving a handgun and forcing staff to the floor. He filled a plastic bag with cash and demanded the key to the vault. He took three drawers of cash from the vault, and then both robbers left the building by the back door. The whole thing took just seven minutes.

Investigators, hitting a brick wall, turned to Google. The search warrant said:

Google collects and retains location data from Android-enabled mobile devices when a Google account user has enabled Google location services. The company uses this information for location-based advertising and location-based search results. This information is derived from GPS data, cell site/cell tower information, and Wi-Fi access points.

It added:

It is probable that the unknown suspects of this investigation had cellular telephones which utilized either Google’s Android or Apple OIS [sic] operating systems.

This is what’s known as a reverse location search warrant.

Phones running Google software with Location History turned on regularly check in with the company’s servers and log where the phone’s user is. Law enforcement officials can request a list of all accounts accessed in the vicinity at the time of the crime. Google provides these only as anonymous IDs, but that might still be enough to find anonymous IDs that look suspicious. They can then request the personal information related to those IDs.

It’s a practice that has been growing as police turn to technology to find perpetrators. It relies on data that Google holds in Sensorvault, a vast database that stores location data provided by its applications.

Requests of this type don’t guarantee an arrest. The criminals may not have used Android phones, or Google apps on their other devices – if they had devices on them at all. Or, they may have turned off Location History on their Google accounts, which prevents Google from logging their locations.

The question is, should the cops be able to request this information, and should Google give it to them? The problem isn’t that the FBI might catch two criminals. The danger is that a misinterpretation of the data could point investigators to the wrong person. The data only highlights the location of the device used to access an account, and that doesn’t always mean the location of the account holder.

In one case, police arrested Arizona resident Jorge Molina for murder based, in part, on a reverse location warrant. They had to release him a week later after witnesses confirmed that he was elsewhere during the murder. Investigators later noticed that at one point his account was registered on multiple devices, and that his former stepfather had access to one of these devices.
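The query behind a reverse location warrant, and the misattribution risk the Molina case illustrates, can be shown with a few lines of code. This is an added example, not code from the article or from Google: it runs a time-and-radius filter over a constructed set of location pings, returns the account IDs seen inside the fence, and then flags any returned account that the data set shows signed in on more than one device, since a hit on such an account says where a device was, not where its owner was. The coordinates, account and device IDs, radius and time window are all constructed for the example; only the date and time of the robbery come from the article.

```python
import math
from datetime import datetime, timedelta

# Constructed centre of the fence (not the real bank's coordinates).
CENTRE = (43.1047, -88.3423)
# Time of the robbery as reported in the article.
ROBBERY = datetime(2018, 10, 13, 9, 2)

# Constructed pings: (account_id, device_id, lat, lon, timestamp).
PINGS = [
    ("acct-A", "phone-1", 43.1048, -88.3421, datetime(2018, 10, 13, 9, 0)),
    ("acct-A", "phone-2", 43.2000, -88.4000, datetime(2018, 10, 13, 9, 4)),  # same account, 2nd device, elsewhere
    ("acct-B", "phone-3", 43.1049, -88.3420, datetime(2018, 10, 13, 9, 3)),
    ("acct-C", "phone-4", 43.1300, -88.3000, datetime(2018, 10, 13, 9, 1)),  # too far away
    ("acct-D", "phone-5", 43.1047, -88.3423, datetime(2018, 10, 13, 11, 0)),  # wrong time
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def geofence_hits(pings, centre, when, radius_m=150, window=timedelta(minutes=15)):
    """Accounts with at least one ping inside the fence during the window.

    Returns {account_id: {device_ids seen inside the fence}}. In the real
    process these would be anonymous IDs; the names here are constructed.
    """
    hits = {}
    for acct, dev, lat, lon, ts in pings:
        if abs(ts - when) <= window and haversine_m(lat, lon, *centre) <= radius_m:
            hits.setdefault(acct, set()).add(dev)
    return hits


def devices_per_account(pings):
    """All devices each account has been seen on anywhere in the data set."""
    devs = {}
    for acct, dev, _lat, _lon, _ts in pings:
        devs.setdefault(acct, set()).add(dev)
    return devs


def ambiguous_accounts(pings, hits):
    """Hits whose account is tied to more than one device: a device location, not a person."""
    devs = devices_per_account(pings)
    return sorted(acct for acct in hits if len(devs[acct]) > 1)


if __name__ == "__main__":
    hits = geofence_hits(PINGS, CENTRE, ROBBERY)
    print("inside fence:", sorted(hits))
    print("needs corroboration (multi-device account):", ambiguous_accounts(PINGS, hits))
```

The second device on acct-A is the point of the example: the fence returns the account, yet the account was simultaneously live on a phone far away, so the hit alone cannot place any particular person at the scene.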

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jfyUzpPb6Ww/

China’s new face-swapping app Zao gets whiplash-fast privacy backlash

Launched on Friday and viral practically right off the bat, the brand-new, AI-outfitted, deepfake face-swapping app Zao can swap users’ photos to those of celebrities zippity quick.

And just as fast as greased lightning, the app got itself banned from China’s top messaging app service, WeChat, after its meteoric rise in China’s app stores was countered by a fierce privacy backlash.

Sina Technology reports that on Sunday, the company behind the Zao mobile app had posted onto Weibo – China’s Twitter-like microblogging service – an apology and a request to please give it some time to figure out privacy issues.

Forbes gave this translation:

We thoroughly understand the anxiety people have towards privacy concerns. We have received the questions you have sent us. We will correct the areas we have not considered and require some time.

Regardless of that apology and a tweak to Zao’s originally “we own your stuff forever” terms of service, that same day, WeChat banned the posting of any external links shared from Zao, saying that…

The app has security risks.

The Yr-content-R-Ours Frevr ToS

Zao’s original terms of service (ToS) allowed users to upload video clips for face-swapping with TV and movie stars, but the app maker would be keeping that stuff forever and doing whatever it wanted with it. This is what the ToS originally said, according to KrAsia:

Before uploading and posting your content, you grant us (Zao, Zao-related firms and Zao users) a worldwide, royalty-free, irrevocable, perpetual, transferable sub-licensable license to use.

Wang Jun, a lawyer at Beijing TA Law Firm, told Sina Tech News that from a legal standpoint the clause wasn’t valid. According to industry observers, that kind of language is a CYA clause: an attempt to shift liability for any possible content rights violations onto users who might upload footage over which they hold no copyright.

It’s certainly possible to do so, as was discovered by a French security researcher who goes by the Twitter alias Elliot Alderson (a reference to the Mr. Robot TV show). Zao was only available to Chinese people when it debuted, but the researcher said that they’d managed to get an account. The researcher posted an uploaded clip from the TV show The Big Bang Theory, featuring what one assumes is their face, pasted over that of character Sheldon Cooper:

Over the weekend, Zao updated its ToS, adding a special notification that states that it won’t use uploaded content in any form other than face-swapping without the user’s permission, and that Zao will erase data from its servers if users delete their uploads, KrAsia reports.

Faceprint theft

Besides issues of who owns, or is liable for, user-uploaded content, another aspect of the backlash that greeted Zao has to do with the widespread adoption of facial scan payment in China. If users are uploading their photos to a public platform such as Zao, might that set them up for financial identity theft?

Alipay, one of China’s biggest digital payment platforms, on Sunday responded to Zao’s appearance by reassuring users that its security checks for facial recognition payment couldn’t be fooled by current face-swapping apps.

Besides, insurance would cover any potential losses from ID theft, Alipay said. KrAsia quoted a statement on the matter that Alipay posted to Weibo:

Even if there is a very minor probability that an incident of identity theft occurs, such a loss will be fully covered by insurance.

Cold comfort? Insurance coverage is irrelevant when it comes to scenarios in which identity theft leads to damage that’s not strictly financial – for example, use of deepfakes in nonconsensual porn.

Such usage was recently criminalized in the US state of Virginia. Other states, and Congress, are considering or have already passed similar laws.

FaceApp redux

Users’ reactions to Zao’s ToS sound an awful lot like those that arose after somebody noticed, in July, the same type of language in the ToS of an app called FaceApp. Like Zao, it too is a face-swapping app. You might have seen friends posting (very convincing) photos of themselves created by the mobile app after FaceApp aged them prematurely.

Launched in 2017, FaceApp (which isn’t associated with Facebook) is an iOS and Android app from Russian company Wireless Lab that lets you upload a selfie and then manipulates it for you, changing your facial expression, age, and even your gender.

It quietly went about churning out those manipulated images until somebody noticed that the company was claiming complete rights to the photos it processed. Then it went viral, and outrage set the internet abuzz: not just because of the Draconian grab for the rights to users’ content, but also because FaceApp’s location in Russia raised questions about how and when the company provides third parties, potentially including foreign governments, with access to the data of US citizens.

The app, and its being based in Russia, piqued interest high up: Senator Chuck Schumer wrote to the chair of the Federal Trade Commission (FTC), demanding that the FTC and the FBI look into the app’s national security risks.

Concern over Zao’s ownership by Momo

If ToS and potential identity theft aren’t enough reasons for the privacy-minded to take quick notice of Zao – a whole lot faster than anybody noticed similar problems with FaceApp – its ownership provides yet another, Chinese media reports.

Zao is backed by Momo, a location-based mobile social app that lets strangers meet each other through videos, text, voice, photos, and their proximity via geographic location data. It’s a way to help you build “true, effective, and healthy social relationships,” Momo says – or perhaps a fake and potentially dangerous relationship with a stalker who can see your personal data and exactly where you are.

Zao’s ratings have reportedly dropped in the App Store since the privacy/copyright issues arose over the weekend.

Users obviously adore these photo-manipulation deepfake apps. They keep coming out, and they keep going viral. What’s encouraging to see in the continued progression of such apps: people are actually taking the time to read the terms and conditions.

Let’s keep that up!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Jf1X-mppWbo/

NATO sharpens its cyber-lances, prepares for war games with virtual jousting tournament

Fresh from secretary-general Jens Stoltenberg’s repeated promises to hack back at cyber-attackers, NATO is now preparing to run a large-scale cyber exercise to test its infosec defences.

NATO’s Exercise Cyber Coalition 19 is intended to bring together doers of all things digital from the alliance’s 27 member countries in order to test them against a realistic scenario where Russia – sorry, “a threat actor with state-level resources” – starts picking on a NATO country’s next-door neighbour.

With between 700 and 900 military infosec specialists scheduled to test their skills against the most challenging scenarios that NATO’s Communications and Information Agency (NCIA) can dream up, the exercise will hopefully serve as a deterrent to Russia – sorry, “threat actors with state-level resources”.

Referring to Stoltenberg’s recent declaration that NATO will “deter and defend against any aggression towards allies, whether it takes place in the physical world or the virtual one,” Lieutenant Commander Robert Buckles, the US Navy officer directing the exercise, told The Register: “The aim of the exercise is to stay below [the] threshold.”

Experts have previously described the problem with NATO’s “an attack on one is an attack on all” policy in cyberspace. Warlike actions in the real world – invading territory, sinking ships, bombarding soldiers and civilians – are very different from warlike, or potentially warlike, actions online.

“Obviously,” said Lt Cdr Buckles, “that decision about where that threshold is, is not something that we’re seeking to find in the exercise. But we’re pretty confident that the storylines we play out are below that.”

NATO’s infosec bods will be on the lookout for low-level but annoying attacks such as “cyber intrusion, espionage, maybe defacement, deterioration of the network, or masking or affecting communications within the network,” according to Lt Cdr Buckles. On top of that, the exercise will also model things like “attacks on a water treatment system or train system,” to add some urgency from the civilian perspective.

Cyber Coalition 19 will be taking place in December over a dedicated sandbox-style network, which Lt Cdr Buckles referred to as a “cyber range”. Flinging virtual bricks at each other across this network will be techies from NATO’s 27 members, as well as representatives from Finland, Sweden, Switzerland, Ireland and Japan.

Finland and Sweden are the two most interesting attendees; Sweden in particular regards Russia as a military threat, while Finland has been a staunch critic of Russian aggression and expansionism.

With Cyber Coalition 19 specifically focusing on a scenario where NATO “is asked through a UN resolution to go and provide a safe and secure environment” in a “non-NATO nation”, the hope of Western commanders is that state-backed threat actors will sit up, pay attention – and leave the West’s allies alone. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/03/nato_ex_cyber_coalition_19/

Enjoy the holiday weekend America? Well-rested? Good. Supermicro server boards can be remotely hijacked

Tens of thousands of servers around the world are believed to be hosting a vulnerability that would allow an attacker to remotely commandeer them.

The team at Eclypsium says it has discovered a set of flaws it refers to as USBAnywhere that, when exploited, would potentially allow an attacker to take over the baseboard management controller (BMC) for three different models of server boards: the X9, X10, and X11.

BMCs are designed to be a sort of always-on remotely accessible “computer within the computer” that allow admins to connect to a server over the network and perform critical maintenance tasks, like updating the OS or firmware.

Ideally, BMCs are locked down within the network in order to prevent access by anyone outside of the company. In some cases, larger companies even opt to use their own BMC firmware that is fine-tuned for their datacenters and applications.

In a few cases, however, those BMCs are left open to the internet and can be managed over a web interface – usually very easily, since they aren’t typically designed with security in mind. This is where the vulnerabilities Eclypsium discovered in Supermicro’s BMCs come in.

The target of the attack is the virtual media application that Supermicro uses for its BMC management console. This application allows admins to remotely mount images as USB devices, a useful tool to manage servers but also a security liability.

“This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely,” Eclypsium said.

“The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization’s most valuable assets.” The team found four different flaws within the virtual media service (on TCP port 623) of the BMC’s web control interface.

They included the use of plaintext authentication and unauthenticated network traffic, as well as weak encryption and an authentication bypass flaw in the X10 and X11 platforms that allows new clients on the virtual media service to run with the old client’s permissions.


According to Eclypsium, the easiest way to attack the virtual media flaws is to find a server with the default login or brute-force an easily guessed login. In other cases, the flaws would have to be targeted.

“If a valid administrator had used virtual media since the BMC was last powered off, the authentication bypass vulnerability would allow an attacker to connect even without the proper username and password,” the report explains.

“Given that BMCs are intended to be always available, it is particularly rare for a BMC to be powered off or reset. As a result, the authentication bypass vulnerability is likely to be applicable unless the server has been physically unplugged or the building loses power.”

What’s worse, Eclypsium believes that tens of thousands of servers contain this vulnerability and are open to the internet. A quick Shodan search on port 623 turned up 47,339 different BMCs around the world.

Fortunately, there is a fix out. Eclypsium said it has already contacted Supermicro and the vendor has released an update to fix the vulnerabilities. Organizations are advised to contact their server vendor and make sure they are running the latest version of the BMC firmware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/03/supermicro_server_flaw/

WordPress sites are being backdoored with rogue admin users

Lock up your WordPress – a recent malvertising campaign targeting vulnerable plugins is now trying to backdoor sites by creating rogue admin accounts.

In July when web firewall company WordFence (aka Defiant) first noticed the campaign, it was attempting to hijack sites to push popup ads, tech support scams and malicious Android apps.

Plugins targeted included vulnerable versions of Coming Soon Page Maintenance Mode, which followed attacks in April and May on the Yellow Pencil Visual CSS Style Editor and Blog Designer.

Six weeks on, perhaps encouraged by the number of vulnerable sites they found, the attackers have upgraded their campaign to take complete control of the sites it compromises.

A new vulnerable plugin, Bold Page Builder, has also been added to the exploitation list, which attackers reportedly started targeting on 22 August.

Rogue one

Anyone with a vulnerable plugin is now at risk of having their site backdoored by a rogue user account with administrator privileges. As before, the attackers attempt to infect vulnerable sites with malicious JavaScript code that’s run whenever a user visits an affected page.

The moment of weakness occurs if the user:

  1. Has previously visited an infected page
  2. Is a WordPress administrator on the infected site
  3. Is currently logged in to the site

If these conditions are met the code silently abuses the logged-in administrator’s ability to create new users, issuing an AJAX request to create a rogue administrator account named wpservices.

What could the attackers do with the access this rogue account gives them?

Pretty much anything they want.

What to do

The takeaway from this is that WordPress plugins represent a major security headache for site owners and need to be updated quickly, as soon as new software becomes available.

WordPress is such a popular platform that all WordPress site operators should assume that their sites are the subject of constant scans, probes and automated hacking attempts.

In recent months, we’ve reported on a raft of plugins being targeted by hackers, including Easy WP SMTP, Abandoned Cart for WooCommerce, and WP GDPR Compliance.

It’s a trend that shows no sign of ebbing.

Campaigns like this work by exploiting known vulnerabilities in WordPress plugins and, as ever, prevention is better than cure. So, check regularly to ensure your plugins are up to date and make sure that your WordPress core software is set up to update itself automatically with security fixes.

You might want to read Naked Security’s guide on how to avoid being one of the “73%” of WordPress sites vulnerable to attack too.

If you’re concerned that you might have been a victim of this campaign, WordFence have published a list of vulnerable plugins and Indicators of Compromise (IOCs).

As already noted, the giveaways for the latest attack are currently the user wpservices using the email [email protected]. The attackers can change this (and the list of plugins they’re targeting) at their leisure, of course.
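Because the giveaway is an administrator account that the site owner never created, the quickest check is to audit the admin list against what you expect. The following is an added example, not code from the article or from WordFence: it takes a constructed JSON export in the shape that `wp user list --format=json` produces (the field names `ID`, `user_login`, `user_email`, `user_registered` and `roles` are assumed from that tool’s output), and flags any administrator whose login matches the reported IOC name, whose e-mail matches an IOC address, who is not on your own list of known admins, or who was registered recently. The known-admin list, the cut-off of 45 days and all sample accounts are constructed; the IOC e-mail is left as a placeholder because it is redacted on this page and should be taken from the WordFence report.

```python
import json
from datetime import datetime, timedelta

# IOC reported in the write-up above: the rogue account's login name.
IOC_LOGINS = {"wpservices"}
# Placeholder: fill in from the WordFence IOC list (redacted on this page).
IOC_EMAILS = {"<rogue e-mail address from the WordFence IOC list>"}

# Constructed: the administrator logins you actually created.
KNOWN_ADMINS = {"siteowner", "editor_jane"}

# Constructed sample in the shape of `wp user list --format=json`.
SAMPLE_JSON = """[
  {"ID": 1, "user_login": "siteowner", "display_name": "Site Owner",
   "user_email": "owner@example.test", "user_registered": "2017-03-01 10:00:00",
   "roles": "administrator"},
  {"ID": 2, "user_login": "editor_jane", "display_name": "Jane",
   "user_email": "jane@example.test", "user_registered": "2018-06-12 09:30:00",
   "roles": "administrator"},
  {"ID": 3, "user_login": "reader42", "display_name": "Reader",
   "user_email": "reader@example.test", "user_registered": "2019-08-27 20:15:00",
   "roles": "subscriber"},
  {"ID": 4, "user_login": "wpservices", "display_name": "wpservices",
   "user_email": "someone@example.test", "user_registered": "2019-08-25 03:12:44",
   "roles": "administrator"}
]"""


def parse_users(raw):
    """Load the JSON export into a list of dicts."""
    return json.loads(raw)


def roles_of(user):
    """wp-cli renders roles as a comma-separated string; accept a list too."""
    roles = user.get("roles", "")
    if isinstance(roles, str):
        roles = [r.strip() for r in roles.split(",") if r.strip()]
    return roles


def suspicious_admins(users, known_admins, since_days=45, now=None):
    """Return [(login, [reasons])] for administrator accounts worth a closer look."""
    now = now or datetime.now()
    findings = []
    for u in users:
        if "administrator" not in roles_of(u):
            continue
        reasons = []
        if u["user_login"] in IOC_LOGINS:
            reasons.append("login matches IOC")
        if u["user_email"] in IOC_EMAILS:
            reasons.append("email matches IOC")
        if u["user_login"] not in known_admins:
            reasons.append("not in known-admin list")
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if now - registered <= timedelta(days=since_days):
            reasons.append("registered recently")
        if reasons:
            findings.append((u["user_login"], reasons))
    return findings


if __name__ == "__main__":
    for login, why in suspicious_admins(parse_users(SAMPLE_JSON), KNOWN_ADMINS):
        print(login, "->", "; ".join(why))
```

The "not in known-admin list" rule is the one that keeps working after the attackers rename the account, which the article notes they can do at their leisure; the IOC matches are only a convenience for the campaign as currently reported.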

Recovering a compromised site is beyond the scope of this article but if you find yourself needing to do it you’ll wish you had full, regular, off-site backups. So, if you don’t have that set up for your site already, do it now, before you need it!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/O3jHDYTQtss/

I just love your accent – please, have a new password

Welcome to On Call, The Register’s weekly dive into the mailbag of woe from those faced with recalcitrant users or, occasionally, an overly helpful operator.

Today’s story comes from a reader that the Reg’s patented pseudoriser has called “Nick” and could be regarded as somewhat of a riposte to last week’s Asset Tag shenanigans.

Rather than finding a PA careful not to hand out any potentially naughty numbers, Nick found himself in quite the opposite situation.

Nick’s story is bang up to date, so there can be no “it was acceptable in the 80s”-type excuses for what follows. You have been warned.

“I was part of the infrastructure team,” Nick told us, and “I overheard a service desk call where someone called up for a password reset.” So far so good… “which was done with no checks.”

So far so not so good.

Curious, Nick asked the service desk manager what the actual process was for resetting a password since this seemed a little, er, casual. He was told: “Oh, it’s out of date. It was written when we were in one building and says we get people to come in person.”

With expansion to multiple buildings, the face-to-face reset had become a pain. However, rather than update the process to something more practical and a teensy bit more secure, the service desk team had come up with an even better wheeze, as Nick explained:

“I was told that it was not a risk really as they would recognise the voice.”

Just let that sink in for a moment.

Nick and a chum in the infosec team retired to “the pub-shaped meeting room” where Nick regaled his friend with his discovery. The infosec chap was blessed with a rich Scottish accent and decided to test Nick’s claim: “He called up… and asked for my password to be reset.”

“Which the service desk drone did.”

Nick then sauntered back to the office and headed to the Service Desk Manager. In his own Southern Counties accent he asked why he could no longer log in.

“But you called for a reset,” said the manager. “Not me!” replied Nick. This was the cue for the infosec chap to put in an appearance, replete with Scots brogue.

“The service desk manager was asked to pull up the call recording and after she listened to it, emailed her team to tell them the new process for password resets.

“I gave my notice in the next day.”

Nick had more reason than most to be sensitive about those password resets. As a prequel, he also told us about an earlier incident while he was working for a small MSP, which looked after a number of businesses.

“We got a call asking for some passwords to be reset ‘because people had left’ and for access to their email to be given to the caller.”

Something was a bit whiffy about the call, “as it looked like half the company was on the list.”

The team dutifully double-checked by attempting to get in touch with their primary contact at the company. It appeared that person had left, so the MD was put on the line.

“It turned out the guy who called was a director who was leaving and was trying to steal a load of data.”

Ouch.

Ever taken a call and refused to take action no matter how much like the Boss the caller sounded? We hope so. But if not, perhaps a swift email to On Call will ease your conscience? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/30/on_call/

Oh there it is, Facebook shrugs as Free Basics private key found to be signing unrelated apps

Facebook has insisted that losing control of the private key used to sign its Facebook Basics app is no biggie despite totally unrelated apps from other vendors, signed with the same key, popping up in unofficial repositories.

Targeted mainly at third-world countries, Facebook Basics is the latest incarnation of Internet.org and Free Basics. The idea was to offer free access to Facebook-owned internet properties (and only Facebook-owned ones) with the intention of getting the great unconnected hooked on The Social Network, WhatsApp and Instagram.

So it was that last week the Android Police website, something between an online souk and an occasional tech blog, informed the world that “random APKs” were being uploaded to its Android app mirror site – with Facebook’s key signature. The site maintains its own APK repository, parallel to the Google Play store.

“In the last month, we’ve spotted third-party apps using a debug signing key which matched the key used by Facebook for its Free Basics Android app,” wrote Android Police. The site’s owner, Artem Russakovskii, said he reported the key compromise to Facebook after spotting unrelated APKs with the same key signature. He also claimed that because he tweeted about it publicly after reporting it, Facebook had refused to pay out a bug bounty.

For its part, Facebook quietly released a new version of Facebook Basics in mid-August, signed with a new key, which at the time of writing has had just over 100,000 downloads.

A Facebook spokesbeing told The Register: “We were notified of a potential security issue that could have tricked people into installing a malicious update to their Free Basics app for Android if they chose to use untrusted sources. We have seen no evidence of abuse and have fixed the issue in the latest release of the app.”

Nowhere on the Google Play store entry for the latest version of the app is there anything suggesting that it’s a newly re-signed update to mitigate the loss of the key. In fact, nowhere at all is there anything suggesting a Facebook private key somehow found its way into the public domain.

A Google search with the SHA-1 hash of the old key returns some results to dodgy third-party sites and apps which are definitely not Facebook Basics.
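A defender-side check for the kind of key reuse described above, as an added example that is not Facebook's, Android Police's or The Register's code: it parses the output of the Android SDK's `apksigner verify --print-certs` and flags signers that carry the debug keystore's DN, appear on a revoked-key list, or differ from the publisher's expected fingerprint. The sample output, the expected fingerprint and the revoked fingerprint are constructed placeholders, not the real Free Basics key.

```python
import re
from typing import Dict, FrozenSet, List, Optional

# Constructed sample of `apksigner verify --print-certs` output. The DN is the
# default Android debug keystore identity; the digests are made-up placeholders.
SAMPLE_OUTPUT = """\
Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: 1111111111111111111111111111111111111111111111111111111111111111
Signer #1 certificate SHA-1 digest: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Signer #1 certificate MD5 digest: 22222222222222222222222222222222
"""

# Placeholders: in practice these come from your own records, not from this page.
EXPECTED_SHA1 = "b" * 40                # fingerprint of the publisher's genuine release key
REVOKED_SHA1 = frozenset({"a" * 40})    # keys known to be leaked or reused by unrelated apps
DEBUG_DN_MARKER = "CN=Android Debug"    # default DN of the Android SDK debug keystore

LINE_RE = re.compile(
    r"^Signer #(?P<idx>\d+) certificate "
    r"(?P<field>DN|SHA-256 digest|SHA-1 digest|MD5 digest): (?P<val>.+)$"
)

def parse_signers(text: str) -> Dict[int, Dict[str, str]]:
    """Group the DN and digest lines of apksigner output by signer number."""
    signers: Dict[int, Dict[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            field = m["field"].replace(" digest", "")  # DN, SHA-256, SHA-1, MD5
            signers.setdefault(int(m["idx"]), {})[field] = m["val"].strip()
    return signers

def norm(fp: str) -> str:
    """Compare fingerprints case- and colon-insensitively."""
    return fp.replace(":", "").lower()

def check_signers(signers: Dict[int, Dict[str, str]],
                  expected_sha1: Optional[str] = None,
                  revoked_sha1: FrozenSet[str] = frozenset()) -> List[str]:
    """Return one finding per problem; an empty list means the signer looks as expected."""
    revoked = {norm(f) for f in revoked_sha1}
    findings: List[str] = []
    for idx, cert in sorted(signers.items()):
        dn, sha1 = cert.get("DN", ""), norm(cert.get("SHA-1", ""))
        if DEBUG_DN_MARKER in dn:
            findings.append(f"signer {idx}: debug-keystore certificate ({dn})")
        if sha1 in revoked:
            findings.append(f"signer {idx}: SHA-1 {sha1} is on the revoked-key list")
        if expected_sha1 and sha1 != norm(expected_sha1):
            findings.append(f"signer {idx}: SHA-1 {sha1} is not the expected publisher key")
    if not signers:
        findings.append("no signer certificates found in apksigner output")
    return findings

if __name__ == "__main__":
    for finding in check_signers(parse_signers(SAMPLE_OUTPUT), EXPECTED_SHA1, REVOKED_SHA1):
        print(finding)
```

Real input comes from `apksigner verify --print-certs app.apk`; an APK whose only signer is the debug identity, or whose fingerprint is not the publisher's known release key, should never be treated as the genuine app regardless of where it was downloaded.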

The standard advice is not to install apps from anywhere other than the official app stores. Indeed, someone using the Google Play store wouldn’t have been affected by this at all, and one would hope even Google might notice a key being recycled between app makers.

Non-internet-savvy people – such as the target market for Facebook Basics – could easily have been tricked into installing a wholly illegitimate version of the app which would have otherwise passed muster, complete with what looked like a legitimate Facebook key.

If you have any friends or relatives using Facebook Basics, now is a good time to double check it was downloaded from the Google Play store. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/02/facebook_basics_app_key_compromised/

Teletext Holidays a) exists and b) left 200k customer call recordings exposed in S3 bucket

Teletext Holidays managed to leave more than 200,000 customer phone call recordings exposed on an unsecured AWS server, according to reports.

A total of 532,000 files were exposed on AWS servers belonging to Truly Travel, the company that trades as Teletext Holidays, of which 212,000 were recordings of live news.

Verdict, the news site that first reported the breach, said the calls were recorded between April and August 2016. They involved Britons ringing up Teletext Holidays to make bookings, change them, complain and do all the other things people do when they phone a company with which they have a booked service.

“In conversations where a holiday is booked, customers also tell the Teletext Holidays employees partial card details. This includes the type of card, name on card and expiry date,” reported the site.

While basic security measures were implemented, in that customers were told to input card numbers using the handset, the unique audio tones generated by pressing keypad buttons would make it straightforward to recover the 16-digit number and expiry date.

In a statement, Truly Travel said: “We are in the process of reporting the matter to the ICO, and we will fully comply with our wider legal obligations. The company is taking all appropriate steps to ensure that this situation does not occur in the future.”

Malcolm Taylor, director of cyber advisory services at threat intel firm ITC Secure, opined that customer details being contained in audio files didn’t lessen the severity of the data breach or lower Teletext Holidays’ culpability.

“Aside from the painfully obvious ‘please don’t store unencrypted data in unencrypted data stores and be at all surprised when it leaks’, this makes the point very well that the actual medium in which data is stored is irrelevant,” said Taylor. “The fact that these were voice files makes no difference to the value of the data to hackers. It all has a dollar value and is saleable online, and will be for sale already.”

Insecure AWS buckets are meant to be things of the past. While the tech world and his dog regularly bellows “secure your damn buckets” at the industry, Amazon itself has been making slow but steady progress on introducing dashboard alerts for admins charged with overseeing S3 buckets – something it first did in 2017.

Regardless, many companies still leave their S3 buckets unsecured, and popular tools such as Shodan are still being used to identify them even now, to the point where Magecart malware purveyors find open buckets and then introduce payment-card-data-stealing nasties to them. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/02/teletext_holidays_200k_call_recordings_s3_bucket/