STE WILLIAMS

Huawei’s half-arsed router patching left kit open to botnets: Chinese giant was warned years ago – then bungled it

Exclusive Huawei bungled its response to warnings from an ISP’s code review team about a security vulnerability common across its home routers – patching only two models rather than all of its products that used the same flawed firmware.

Years later, those unpatched Huawei gateways, still vulnerable and still in use by broadband subscribers around the world, were caught up in a Mirai-variant botnet that exploited the very same hole flagged up earlier by the ISP’s review team.

The Register has seen the ISP’s vulnerability assessment, given to Huawei in 2013, that explained how a programming blunder in the firmware of the Chinese giant’s HG523a and HG533 broadband gateways could be exploited by hackers to hijack the devices. The report recommended the remote-command execution hole be closed.

After receiving the security assessment, which was commissioned by a well-known ISP, Huawei told the broadband provider it had fixed the vulnerability, and had rolled out a patch to HG523a and HG533 devices in 2014, our sources said. However, other Huawei gateways in the HG series, used by other internet providers, suffered from the same flaw because they used the same internal software, and remained vulnerable and at risk of attack for years because Huawei did not patch them.

One source described the bug as a “trivially exploitable remote code execution issue in the router.”

The vulnerability, located in the firmware’s UPnP handling code, was uncovered by other researchers in more Huawei routers years later. These were then patched by the manufacturer, suggesting the Chinese giant was tackling the security hole whack-a-mole-style, rolling out fixes only when someone new discovered and reported the bug.

One at a time, please – don’t all rush in

El Reg has studied Huawei’s home gateway firmware, and found blocks of code, particularly in the UPnP component, reused across multiple device models, as you’d expect. Unfortunately, Huawei has chosen to patch the models one by one as the UPnP bug is found and reported again and again, rather than issuing a comprehensive fix to seal the hole for good across all its vulnerable gateways.

And there was good reason for Huawei to close the hole at once across all devices using its buggy firmware: miscreants were exploiting the flaw. “Some time between 2013 and 2017 this issue was then also rediscovered by some nefarious types who used it as part of the exploitation pack to [hijack] consumer home routers as part of the Mirai botnet,” a source told us.

Four years after the ISP’s review team privately disclosed the UPnP command-injection vulnerability to Huawei in 2013, and a year after the infamous Mirai botnet takedown of Dyn DNS in 2016, infosec consultancy Check Point independently found the same vuln, the one quietly patched in the HG523a and HG533 series, still lurking in another of the Chinese goliath’s home routers: the HG532.

The Israeli outfit told us it went public with its discovery of the bug, CVE-2017-17215, on December 21, 2017, only after Huawei “had notified customers and developed a patch”, adding that it first “spotted malicious activity on 23rd November 2017”.

Huawei publicly acknowledged the security hole in the HG532 on November 30, 2017, suggesting that “customers take temporary fixes to circumvent or prevent vulnerability exploit or replace old Huawei routers with higher versions”.

Last summer, a security researcher discovered that the same Huawei routers in which Check Point had found the UPnP vuln, the HG532 series, were being used to host an 18,000-strong botnet created using a variant of the Mirai malware. A botnet that could have been avoided if Huawei had patched the broadband boxes when it quietly updated the related HG523a and HG533 devices in 2014.

British government policy is that while Huawei network equipment is not secure enough for government networks, officials say it is acceptable to expose the general public to the potential risks present in Huawei gear. Meanwhile, the US government has banned Huawei equipment from its federal agency networks, a move the Chinese corporation is suing to overturn.

UPnP vulnerability described

Routers affected by the UPnP vuln included Huawei’s HG523a, HG532e, HG532S, and HG533 models. For the HG533, firmware version 1.14 was reviewed by the ISP’s security assessors, and for the HG523a, version 1.12. The other two models, the HG532e and HG532S, were probed by Check Point. These were white-label products distributed by internet providers.

Check Point summarised the vulnerability, which affects all four models, back in 2017 as follows:

From looking into the UPnP description of the device, it can be seen that it supports a service type named ‘DeviceUpgrade’. This service is supposedly carrying out a firmware upgrade action by sending a request to ‘/ctrlt/DeviceUpgrade_1’ (referred to as controlURL) and is carried out with two elements named ‘NewStatusURL’ and ‘NewDownloadURL’.

The vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters “$()” in the NewStatusURL and NewDownloadURL…

And the ISP’s report, dated 2013 and seen by The Register, echoed that, stating:

An unauthenticated command execution vulnerability was discovered in the UPNP interface visible from the LAN on the Huawei Wireless Routers.

The UPNP schema, defined at http://192.168.1.1:37215/desc/DevUpg.xml describes the “Upgrade” action, which takes two arguments, “NewDownloadURL” and “NewStatusURL”.

The “NewStatusURL” parameter is vulnerable to command injection when commands are introduced via backticks. Injected commands are run with root privileges on the underlying operating system. No authentication credentials are required to exploit this vulnerability.

Our sources, who asked to remain anonymous, confirmed the issue Check Point found was the same one described in the internal ISP report into the HG523a and HG533 firmware.

That would mean Huawei knew of the security weakness in 2013, claimed it was fixed in 2014, yet didn’t fully address it in other routers until 2017 when Check Point got wind of it.

The flawed UPnP service can be accessed from the LAN by local machines, and, depending on the default configuration, can face the public internet for anyone or any botnet to find.

The ISP-commissioned review, incidentally, documented exploiting the command-injection hole using backticks, while Check Point demonstrated exploiting the flaw using shell meta-characters. The end result is the same: an attacker can insert shell commands into the URL parameters passed to the UPnP service running on the router, and those commands are executed with root-level privileges.

Specifically, the URLs are used directly on the command line to invoke a program on the device that handles security updates, without any sanity checks or sanitization; injecting commands into the URLs ensures they are executed as the updater program is invoked.
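As an added illustration of the fix the description above implies (example code written for this page, not Huawei's firmware and not taken from the ISP's report or Check Point's write-up): the NewDownloadURL and NewStatusURL values are checked against a strict allow-list and then handed to the updater as separate argv entries via execv(), so no shell ever parses them and backticks or "$()" carry no meaning. The updater path /usr/sbin/fw_update, the 512-byte length limit and the allow-list itself are assumptions.

```c
/* Added example (not Huawei's firmware code): hardened handling of the
 * NewDownloadURL / NewStatusURL arguments of a UPnP "Upgrade" action.
 * Two defences: a strict allow-list on the URL text, and invoking the
 * updater via execv() with the URLs as separate argv entries, so no shell
 * ever parses them and backticks, $(), ';' or '|' have no effect.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_URL_LEN 512          /* assumed limit for an upgrade URL */

/* Allow-list: letters, digits and the few punctuation characters an
 * http(s) download URL needs. Shell metacharacters (` $ ; | & < > ( ),
 * quotes and whitespace) are deliberately absent. */
static int url_char_ok(unsigned char c)
{
    if (isalnum(c))
        return 1;
    return c != '\0' && strchr("-._~:/?=%+", (int)c) != NULL;
}

/* Returns 1 if url is an http(s) URL built only from allowed characters
 * and within the length limit, 0 otherwise. */
int validate_upgrade_url(const char *url)
{
    size_t len = 0;

    if (url == NULL)
        return 0;
    /* bounded length scan: never trust the caller to terminate sanely */
    while (len <= MAX_URL_LEN && url[len] != '\0')
        len++;
    if (len == 0 || len > MAX_URL_LEN)
        return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        if (!url_char_ok((unsigned char)url[i]))
            return 0;
    }
    return 1;
}

/* Runs the updater with the two URLs as argv[1] and argv[2].
 * Returns the updater's exit status, or -1 if validation fails or the
 * process cannot be started. The vulnerable pattern the article describes
 * splices the URLs into a shell command line instead; here /bin/sh is
 * never involved, so the argument strings are data, not syntax. */
int run_updater(const char *updater_path,
                const char *download_url,
                const char *status_url)
{
    int status = 0;
    pid_t pid;

    if (!validate_upgrade_url(download_url) || !validate_upgrade_url(status_url))
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {
            (char *)updater_path, (char *)download_url, (char *)status_url, NULL
        };
        execv(updater_path, argv);   /* no shell, no metacharacter parsing */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample inputs: one benign, one carrying a backtick payload */
    const char *ok  = "http://updates.example.invalid/fw.bin";
    const char *bad = "http://updates.example.invalid/`id`";

    printf("benign URL accepted: %d\n", validate_upgrade_url(ok));
    printf("backtick URL accepted: %d\n", validate_upgrade_url(bad));
    /* /usr/sbin/fw_update is an assumed updater path; rejected before fork */
    printf("updater result with bad URL: %d\n",
           run_updater("/usr/sbin/fw_update", ok, bad));
    return 0;
}
```

The allow-list is defence in depth; the property that actually removes the injection is the execv() call, since a string that never reaches a shell cannot be interpreted by one. A real updater would additionally drop root before fetching anything, which the example leaves out.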

Image caption: Audit … Our own analysis of the flawed code in Huawei’s firmware. On the left is the dodgy function in the HG533, and on the right, the HG532. The HG533 was quietly patched in 2014 following the ISP review, whereas the HG532 was fixed in 2017 after Check Point spotted it – despite both running functionally the same 32-bit MIPS code.

A technical analysis of the security screw-up can be found here.

In a statement, Huawei told The Register:

On November 27, 2017 Huawei was notified by Check Point Software Technologies Research Department of a possible remote code execution vulnerability in its HG532e and HG532S routers. The vulnerabilities highlighted within the report concerned these two routers only. Within days we issued a security notice and an update patch to rectify the vulnerability.

A 2014 report by one of our customers evaluated potential vulnerabilities in our HG523a and HG533 routers. As soon as these issues were presented to us, a patch was issued to fix them. Once made available to our customers, the HG533 and HG523a devices experienced no issues.

The Chinese corp did not address why it had patched the code vulnerability in some products back in 2014 but not fixed the same flaw in other routers until it was pointed out to the firm years later.

This is not the first time Huawei’s networking kit has been placed under the spotlight: the 2017 annual report by British code reviewers from the Huawei Cyber Security Evaluation Centre (HCSEC) obliquely criticised Huawei’s business practices around older elements reaching end-of-life while still embedded within Huawei products that had a longer expected lifespan.

The same team is expected to again criticise the Chinese manufacturer in this year’s report over its security practices. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/28/huawei_mirai_router_vulnerability/

TP-Link ‘smart’ router proves to be anything but smart – just like its maker: Zero-day vuln dropped after silence

TP-Link’s all-in-one SR20 Smart Home Router allows arbitrary command execution from a local network connection, according to a Google security researcher.

On Wednesday, 90 days after he informed TP-Link of the issue and received no response, Matthew Garrett, a well-known Google security engineer and open-source contributor, disclosed a proof-of-concept exploit to demonstrate a vulnerability affecting TP-Link’s router.

The 38-line script shows that you can execute any command you choose on the device with root privileges, without authentication. The SR20 was announced in 2016.

Via Twitter, Garrett explained that TP-Link hardware often incorporates TDDP, the TP-Link Device Debug Protocol, which has had multiple vulnerabilities in the past. Among them, version 1 did not require a password.


“The SR20 still exposes some version 1 commands, one of which (command 0x1f, request 0x01) appears to be for some sort of configuration validation,” he said. “You send it a filename, a semicolon and then an argument.”

Once it receives the command, says Garrett, the router responds to the requesting machine via TFTP, asks for the filename, imports it to a Lua interpreter, running as root, and sends the argument to the config_test() function within the imported file.

The Lua os.execute() method passes a command to be executed by an operating system shell. And since the interpreter is running as root, Garrett explains, you have arbitrary command execution.

However, while TDDP listens on all interfaces, the default firewall prevents network access, says Garrett. This makes the issue less of a concern than the remote code execution flaws identified in TP-Link 1GbE VPN routers in November.

Even so, the flaw could still be exploited from the local network if an attacker manages to get a malicious download onto a machine connected to an SR20 router.

TP-Link did not immediately respond to a request for comment.

Garrett concluded his disclosure by urging TP-Link to provide a way to report security flaws and not to ship debug daemons on production firmware. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/28/tplink_router_flaw/

Microsoft Tackles IoT Security with New Azure Updates

The Azure Security Center for IoT provides teams with an overview of IoT devices and helps monitor their security properties.

Microsoft today announced Azure Security Center for IoT, a new set of programs and capabilities to help security teams monitor the security properties of industrial-connected devices.

Its debut, along with several other security updates focused on the Internet of Things (IoT) ahead of the 2019 Hannover Messe industrial manufacturing show, arrives at a time when manufacturing firms are digitizing their operations and want to better integrate security to protect processes and data.

The Azure Security Center for IoT provides users with a view of IoT security posture and helps implement best practices and mitigate threats across IoT hubs, compute, and data. Managers can pinpoint missing security configurations in IoT devices, the edge, and the cloud; check for open ports on IoT devices; confirm their SQL databases are encrypted; and remediate threats.

Azure Security Center for IoT links to Microsoft’s Azure IoT Hub, a cloud-based IoT platform that helps connect and manage devices to develop IoT applications. This will make IoT security data directly available inside the hub, Microsoft reports in a blog post on today’s updates.

Microsoft is also upping the capabilities of Azure Sentinel, the cloud-native security information and event management (SIEM) system it unveiled at the RSA Conference last month. Security operations teams often depend on SIEM tools to detect and mitigate advanced threats. Now Azure Sentinel users can combine IoT security data with security data from across their organizations and detect and respond to threats throughout the business, from IoT devices to Azure to Office 365 and on-prem systems.

The idea behind this announcement is to help manufacturers shrink the attack surface for Azure IoT tools running throughout their operations, and to address problems before they worsen.

Another noteworthy update in IoT news: Microsoft is expanding its Azure IP Advantage benefits to IoT devices connected to Azure and devices running on Azure Sphere and IoT. The program, first announced in February 2017, protects Azure cloud customers from intellectual property lawsuits. At the time, it made 10,000 Microsoft patents available to Azure customers.

Now Azure IP Advantage will also provide “uncapped indemnification coverage” for customers of Microsoft Azure Sphere and Windows IoT. Access to those 10,000 patents can help Azure users power their IoT devices without having to defend themselves against IP lawsuits.

Further, Microsoft is offering 500 patents to startups in the LOT Network, an organization that provides businesses with access to patents from member organizations. Companies in the LOT Network include big tech names such as Amazon, Facebook, Google, Microsoft, and Netflix.

As part of their free membership, approved startups can obtain and own Microsoft patents. However, as Microsoft corporate VP and deputy general counsel Erich Andersen told TechCrunch, in order to qualify, companies will have to spend a minimum of $1,000 on Azure per month.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/analytics/microsoft-tackles-iot-security-with-new-azure-updates/d/d-id/1334278?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Enterprise Data Encryption Hits All-time High

A new report by the Ponemon Institute shows 45% of organizations have a comprehensive encryption policy in place.

More organizations are encrypting their data, according to a new study. The 2019 Global Encryption Trends Study just released by the Ponemon Institute found that use of encryption among enterprises has reached an all-time high.

While crime novels and mainstream news stories tend to focus on the dangers of hackers, the survey reports that IT executives fear sensitive data threats from employee errors (54% report this as their primary concern) more than fear external hackers (30%) and malicious insiders (21%) combined.

Organizations are responding to this worry by implementing enterprise encryption policies, with 45% of companies reporting that they have a comprehensive encryption policy in place. And the biggest challenge these companies face in implementing their encryption policy? Discovery, or just knowing what data exists that needs to be protected, is listed as the main challenge for 69% of those responding.

For more, read here


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/enterprise-data-encryption-hits-all-time-high/d/d-id/1334280?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Quantum Computing and Code-Breaking

Prepare today for the quantum threats of tomorrow.

With all the grand speculation and hype tied to quantum computing, the technology seems more like it belongs in the realm of science fiction rather than your daily tech newsfeed. But this isn’t science fiction. Tech companies around the world are racing to bring quantum computers into the mainstream of business processes to unlock new capabilities, services, and revenue models.

However, as quantum computers are beginning to gain traction and soon will be moving out of R&D environments, government agencies and security experts are already sounding the alarm for the potential harm such breakthrough technology could be capable of wreaking in the area of data security.

A quantum computer is based on the superposition principle — that a qubit (a bit in a quantum computer) can exist in the state of a 0, a 1, or both states at once. Today, the largest publicly available quantum computer from IBM Q (an IBM initiative to build quantum computers for business and science) has 20 qubits — so it can exist in 2^20, or just over a million, states at once. When technologists double this to 40 qubits, that becomes just over a trillion states at once. This could be a powerful tool for breaking data encryption; instead of trying one combination at a time sequentially, the quantum computer can try a very large number at the same time. Experts suggest that a computer with 2,000 to 4,000 qubits would be enough to defeat conventional strong encryption standards within a reasonable time.

Image caption: Today's largest publicly available computer from IBM: IBM's Q System One, a 20-qubit machine, was on display at IBM's THINK Conference in San Francisco this February. It is shown here without the cooling required to get it to a fraction of a degree above absolute zero. Source: SecurityFirst

Luckily for the data security industry, a quantum computer is made of a collection of high-end refrigeration and other large-science experimental gear — because, well, it is cutting-edge experimental physics. When first invented, a 5MB disk drive was as big as two large vending machines. Now you can put a million times more data on a thumb drive that fits in your pocket. The constant in computing is that things get smaller, faster, and cheaper, but for now, quantum computing is a large, expensive, and finicky physics lab resident.

The security industry is gearing up to upgrade standards to protect against quantum attacks. But there are a couple of methods available to protect against this threat right now. Today, best practices in security require multiple levels of protection. Advanced persistent threats (APTs) involve malicious code being installed on a server inside the security perimeter, so once the hacker has defeated the firewalls, the malicious code is inside and looks for vulnerable servers. Every server should use encryption to prevent data extraction or corruption. You can’t put a quantum computer onto a corporate server because, remember, it’s a physics lab, not a piece of portable code. Therefore, you need to protect data right at the source — on the servers. It is important to protect data with proper access policies that tie to processes, applications, and users, with unique encryption for different data sets. This reduces an APT-initiated process’s ability to access data in the first place, and unique encryption makes it even more difficult to decrypt all the data together.

But what if a cybercriminal or nation-state hacker extracts data or keys and transports them to a quantum computer facility? IBM and others already have made small quantum computers available to the public. And if you compare an emerging technology such as TensorFlow for machine learning, you will see that you can already provision very large capacities of highly optimized TensorFlow on Amazon Web Services, so it’s likely that a public cloud provider will offer quantum computing as a service once the technology has matured.

To face this threat, adopting a comprehensive approach to protecting data on servers includes:

  • Proper management of keys, including hierarchical keys to enable key rotation.
  • Applying firewall-like rules for data access, restricting access by user ID and application.
  • Reporting any unauthorized or suspicious attempts to access data. Good reporting and alerting can prevent loss of data after a single key or server has been compromised but before critical data is sent out for quantum-powered code breaking.

Encrypting and spreading the data across multiple servers or clouds provides additional protection, meaning that if one is compromised, the data is still secure and can be recovered from the uncorrupted servers, while the threat is being identified and neutralized.

Particularly, organizations need to have cryptographic agility, which is the capacity for an IT system to promptly shift from existing cryptographic methods without significant changes to system infrastructure. In fact, according to NIST guidelines, becoming crypto-agile is no longer optional. Here are a few steps organizations can take to become crypto-agile:

  • Implement a cryptographic control center that functions as an interface to manage cryptographic policies for every application.
  • Establish an abstraction layer that acts as an API to hide cryptographic information. This ensures that application programmers can continue development without any clear disruptions to cryptographic solutions. When a security team needs to update an encryption solution, all they have to do is update the abstraction layer, thus eliminating the need to educate programmers on complex details of cryptography.
  • Conduct a full assessment of cryptography used by various information systems, and implement a centralized crypto key management system. This gives administrators the flexibility to manage application keys through automated protocols.

Regular use of quantum mechanics in computing is still far from common, but according to a recent report from the National Academies of Sciences, Engineering, and Medicine, companies need to speed up preparations for the time when quantum technology can crack conventional defenses.

While there may not be an immediate danger of sensitive data being breached by someone with quantum computing technology, all organizations should have the beginnings of a quantum resilience data protection plan in place because the race to the first quantum computer is fierce. Fortune 500 companies, including IBM, Google, Microsoft, and Intel, are increasingly plugging away on quantum technology, and countries (including China) are investing billions of dollars into research and development, ensuring the era of quantum computing is quickly approaching. My advice: Begin protecting against tomorrow’s — or 2029’s — threats today.


Pankaj Parekh was appointed Chief Product and Strategy Officer (CPSO) of SecurityFirst in August 2018. He is responsible for the long-range vision to set the direction for the company’s products, as well as running the development, testing, and delivery organizations for …

Article source: https://www.darkreading.com/vulnerabilities---threats/quantum-computing-and-code-breaking/a/d-id/1334251?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Man Pleads Guilty to Hacking Apple Accounts of NFL & NBA Players, Rappers

Dozens of pro athletes and musicians fell for a phishing scam that pilfered their Apple accounts and credit cards.

A Dacula, Georgia, resident has pleaded guilty to one count of computer fraud and one count of aggravated identity theft in a hacking scheme in which he stole credit card information from the Apple accounts of big-name rappers and NBA and NFL players.

Kwamaine Jerell Ford, 27, employed thousands of phishing emails targeting college and professional athletes and rapper musicians in which he spoofed legitimate Apple customer service email accounts, according to the US Department of Justice. He posed as an Apple customer support representative asking the targets to send their usernames and passwords or other account security information to reset their Apple accounts.

Dozens of the targets – no one was named publicly by the DoJ – fell for the scam. Ford then took over their Apple accounts, stealing credit card numbers and using those accounts to purchase air travel, hotels, and furniture, and to transact money transfers to online accounts.

“The high profile victims in this case are an example that no matter who you are, hackers like Ford are trying to get your personal information,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “This case demonstrates the need to be careful in protecting personal information and passwords, especially in response to suspicious e-mails. Hopefully this is a lesson for everyone, not just the victims in this case.”

Ford, who began his social engineering and hacking scheme in March 2015, faces sentencing on June 24.

Read more here.  



Article source: https://www.darkreading.com/risk/man-pleads-guilty-to-hacking-apple-accounts-of-nfl-and-nba-players-rappers-/d/d-id/1334281?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

40% of Organizations Not Doing Enough to Protect Office 365 Data

Companies could be leaving themselves vulnerable by not using third-party data backup tools, a new report finds.

IT organizations are taking a big risk by relying on Office 365 to deliver all the backup they need, according to a new report released today by Barracuda.

Based on responses from more than 1,000 IT professionals, business executives, and backup administrators, Barracuda found that 40% of IT organizations surveyed don’t use third-party backup tools to protect Office 365 data.

Greg Arnette, director of data protection platform strategy at Barracuda, points out that while Microsoft does offer a resilient SaaS infrastructure to ensure availability, it does not protect data for historical restoration for long, and its service-level agreements don’t protect against user error, malicious intent, or other data-destroying activity.

“Microsoft will protect your data for an outage in a data center environment,” Arnette says. “But they will not detect threats such as account takeovers and ransomware. Those kind of attacks will look like the actions of a typical end user. The backup vendors are now doing more detection using cloud-based APIs to keep track of what changes over time.”

According to the study, deleted emails are not backed up on Office 365 in the traditional sense. Rather, they are kept in the recycle bin for a maximum of 93 days before they’re deleted forever. For SharePoint and OneDrive, deleted information gets retained for a maximum of 14 days by Microsoft, and individuals must open a support ticket to retrieve it. SharePoint and OneDrive are unable to retrieve single items/files; they must restore an entire instance. It’s unlikely that such short retention policies meet most compliance requirements.

“There’s an assumption that if the data is in SaaS, it’s automatically backed up, but that’s not the case,” says Christophe Bertrand, a senior analyst at the Enterprise Strategy Group who covers data protection. “Just because it’s in the cloud doesn’t mean that you don’t have to back it up. You are still responsible for protecting the data, making it recoverable and archiving it, especially email.”

The Barracuda study also found that while 64% of global organizations say they back up data to the cloud, a sizeable 36% still don’t. The reason for this is unclear, according to the report, although there could be latent security concerns over doing so.

“We see this as a checkpoint in time where the industry is shifting to a cloud mentality,” Arnette says.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/threat-intelligence/40--of-organizations-not-doing-enough-to-protect-office-365-data/d/d-id/1334283?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Firefox brings Lockbox password manager to Android’s autofill

Diehard Firefox user? Devoted resister of the Google-in-every-nook-and-cranny Android mobile environment?

Mozilla to the rescue!

On Tuesday, Mozilla, the maker of Firefox, announced that it’s brought its free password manager, Firefox Lockbox, to Android users, bringing what it says will be cross-platform happiness to Firefox users who have dozens, or even hundreds, of logins stored in their browsers.

Today, many of those logins are the same ones used in the apps you download on mobile, so we’ve been working on making your various online identities work on your terms.

Mozilla already has an iOS version of Firefox Lockbox – one that it’s recently optimized for iPad. Bringing it to Android is…

…the next step in our efforts to give people the advantage when it comes to keeping them safe online with trusted tools and services from Firefox.

Automagical autofill

Mozilla says that Lockbox works with Android autofill to make it a seamless transition from using your Firefox desktop browser to your mobile browser. It automatically fills in the passwords saved on desktop to get into your apps, be it Facebook, Yelp, Netflix or anything else, on your mobile device.

Lockbox is a simpler version of other, more feature-rich password managers, such as LastPass, Bitwarden, 1Password and Dashlane. Granted, it only works with the Firefox browser, but it’s purportedly pretty easy to get up and running without any extra set-up: you use your mobile Firefox account, and it auto-imports the passwords you’ve already stored in your desktop Firefox browser.

You can easily unlock the app using your fingerprint or Face ID, as well.

I say “purportedly” because there are (a minority of) users complaining on the Google Play store about mobile Firefox failing to sync with the desktop version. Outside of that kind of frustration, Lockbox for Android should fetch usernames and passwords for all your accounts from your desktop browser, just like the iOS version does.

Syncing between devices is done with 256-bit encryption.

This makes Firefox Lockbox a good option for those of us who don’t want to/can’t remember our passwords or lug around a suitcase stuffed full of sticky notes we scribbled them onto, and who don’t want to be bothered with transferring all their logins into a standalone password manager.

Currently, it’s just your basic password manager

We like password managers. They’re not perfect, but they’re better than password reuse that leads to hijacked accounts. Having said that, be aware that Lockbox doesn’t offer some of the slick features of more replete password managers, which can generate unique, tough-to-guess passwords. Nor does it offer to save usernames and passwords when you sign up for a new site.

Mozilla told CNET that those features are in the works, though:

Currently, there is no password generator for new accounts. For today’s launch, we are bringing additional value to Firefox users by improving their login experiences. We are exploring options for future features, and what might resonate best with Firefox users.

In the meantime, if you’re not signing in to your mobile Firefox account with a finger or face, you’re hopefully doing so with a good, strong password, be it mobile or desktop, because…

Teensy-weensy keyboards ≠ itsy-bitsy passwords

You need unique, mother-loving Megalodon-strong passwords, even if you’re pecking away at a Barbie-doll-sized keyboard. If you’re registering online with a mobile and trying to avoid finger fatigue, you might be tempted to pick a pipsqueak password – some 6-digit crud such as “!23456”, say.

Mobile password managers can help avoid both the finger fatigue and the flimsy password creation it all too often leads to. They can save you from a lot of typing and a load of password-reusing.

Password managers make creating, storing and using a slew of strong passwords much easier. True, they’re not infallible. There have been issues reported recently about password managers not scrubbing passwords from memory once they’re no longer being used, but we still believe that the advantages outweigh the issues, which will likely be tidied up through updates anyway.

But you still have to create, remember and use a proper password to secure the password manager, be it on desktop or mobile.

To cook one up, check out our video:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NKJAL-azGvk/

Broadband providers told to explain how they handle consumer data

The US Federal Trade Commission (FTC) on Tuesday demanded that the country’s largest broadband providers hand over their privacy policies and explain what data they collect from consumers, why, who they share it with, and how consumers can change or delete it.

In launching this broad inquiry into consumer data-handling practices, the FTC sent orders demanding answers from AT&T, Verizon, T-Mobile, Xfinity, and Google Fiber.

One of the purposes of the investigation is to figure out how consumers’ data gets used to fuel targeted advertising. From the FTC’s press release:

The FTC is initiating this study to better understand Internet service providers’ privacy practices in light of the evolution of telecommunications companies into vertically integrated platforms that also provide advertising-supported content. Under current law, the FTC has the ability to enforce against unfair and deceptive practices involving Internet service providers.

As it is, the lines have been blurring between digital media, social networking, search, and internet services provision, along with the many advertising bucks all those offerings present. Both Facebook and Google have dabbled in becoming ISPs, and even Amazon has reportedly mulled it over.

Besides digital players wanting to pull on their ISP pants, it goes the other way, too. When the FTC talks about the telecom industry’s evolution into vertically integrated platforms, it’s also talking about an industry that’s seen, for example, major content acquisitions by Verizon, with its purchase of AOL/Yahoo, and by AT&T, which last year acquired Time Warner as well as the advertising technology company AppNexus.

The buckets of data the FTC is after include, according to its press release:

  • The categories of personal information collected about consumers or their devices, including the purpose for which the information is collected or used; the techniques for collecting such information; whether the information collected is shared with third parties; internal policies for access to such data; and how long the information is retained;
  • Whether the information is aggregated, anonymized or deidentified;
  • Copies of the companies’ notices and disclosures to consumers about their data collection practices;
  • Whether the companies offer consumers choices about the collection, retention, use and disclosure of personal information, and whether the companies have denied or degraded service to consumers who decline to opt-in to data collection; and
  • Procedures and processes for allowing consumers to access, correct, or delete their personal information.

The orders went out on Tuesday, and the broadband providers have 45 days to respond.

This is the first time the FTC has flexed the new oversight muscle over broadband providers it acquired following the Federal Communications Commission’s (FCC’s) repeal of net neutrality, the rules for which went into effect last year.

The FCC said it welcomes the inquiry. Spokeswoman Tina Pelkey said it’s a good idea to have a single agency to police internet privacy:

We welcome this step by the Federal Trade Commission to examine broadband providers’ privacy practices. It could not have occurred without the FCC’s Restoring Internet Freedom Order, and the FTC’s focus on the evolution of broadband providers into ‘vertically integrated platforms that also provide advertising-supported content’ highlights the advantages of having a single agency able to police the entire Internet ecosystem with respect to the important issue of privacy.

The Hill reached out to the broadband providers for their take. Verizon said that it’s reviewing the FTC’s inquiry, while Margaret Boles, a spokeswoman for AT&T, sent this statement:

Our customers’ privacy is important to us, and the FTC plays a critical role in privacy regulation. In fact, we continue to support comprehensive federal legislation to protect consumers’ data throughout the internet ecosystem, and the FTC is the logical agency to enforce that legislation. If the FTC has any questions for us, we will respond appropriately.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oKf11KydwlQ/

Spyware app exposes private photos, hosting provider steps in

A hosting company took down a database operated by a spying app this week after it was found displaying thousands of intimate images and recordings online.

MobiiSpy, an Android app that can be used to track what people do on their phones, left over 95,000 images and 25,000 audio recordings on a publicly accessible database according to a report by Motherboard on 22 March.

Although the database didn’t include names or contact information, it did contain call records and photos that could be used to identify the phones’ owners.

According to researchers, the app’s developer had hardcoded the database URL directly into the app. The app itself lets the operator read the target’s phone contacts and texts and even trigger remote recordings without the target’s knowledge.

The breach was so bad that Motherboard couldn’t name the company while the databases were still up.

Security researcher Cian Heasley found the database and notified the publication, which then tried to get the vendor to take it down. The company’s owner, John Nguyen, reportedly wouldn’t respond to emails sent to multiple addresses.

Meanwhile, the app was still in use and the pictures and audio recordings were stacking up every day. When Motherboard originally reported the story, the data had been publicly available for at least six weeks.

Motherboard also tried to alert GoDaddy, which is the domain registrar for the Mobiispy.com website, but the company reportedly said there wasn’t much it could do. At the time of publishing this article, the MobiiSpy website is inaccessible.

Codero, the hosting company that housed the exposed databases on its computers, wouldn’t return reporters’ emails, the publication said. However, it did leap into action after Motherboard published the story, finally taking down the database.

Dodgy app vendors 0 – Internet 2

This is the second case this month of negligent app developers failing to step up. Earlier this week, we wrote about React Apps Pty, whose Family Locator app enabled people to track family members online. It had failed to respond to journalists’ or researchers’ emails after leaving its database publicly exposed. That database included real-time user location data along with other personal information. Microsoft eventually intervened and took the site offline.

Aside from the fact that it was spewing people’s intimate data onto the internet for anyone to see, the MobiiSpy app was designed to track unwitting users. Archived versions of the site offered customers the chance to:

MobiiSpy makes it super easy for you to keep a monitor on your children and employees anywhere and all the time.

and…

Silently track text messages, GPS locations, call recorder, track WhatsApp without rooting.

This means that the highly sensitive data could have been collected not only from children but from anyone else the customer decided to stalk, without their consent or any subsequent knowledge that their names, photos and other information had been made public. It’s difficult to imagine a more egregious breach of privacy, or a less forgivable lack of response on the developers’ part.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oeQZ7SNrnos/