STE WILLIAMS

Marriott’s massive data breach – here’s what you need to know

Marriott has today revealed that its Starwood guest reservation database has been subject to unauthorised access “since 2014”. The scope of the data breach is huge, covering nearly five years and approximately 500 million guests.

The company has created a website to deal with the breach at info.starwoodhotels.com (note that at the time of writing it redirects to answers.kroll.com).

Who’s affected?

The company warns that if you made a reservation at one of its Starwood brands in the last five years then you are at risk:

If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved.

According to Marriott, its Starwood brands include: Starwood branded timeshare properties, W Hotels, St. Regis, Sheraton Hotels Resorts, Westin Hotels Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels Resorts, Four Points by Sheraton and Design Hotels.

What data is at risk?

It seems that different guests may be subject to different levels of exposure, according to how much data they shared. Until you have successfully confirmed your level of exposure with Marriott, you should assume the worst.

Information put at risk by the breach includes “some combination of” name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, payment card numbers and payment card expiration dates.

Although payment card numbers were encrypted, thieves may have stolen the information required to decrypt them.

What happened?

Marriott has not revealed what events or security failures occurred (it may not yet know), but it has released some details about how it discovered the breach.

The company says that on 8 September 2018 it was alerted to an unauthorised attempt to access the Starwood guest reservation database. Security experts called in to deal with the incident revealed that unauthorised access to the Starwood network started as far back as 2014, two years prior to Marriott’s acquisition of Starwood.

On 19 November 2018, Marriott learned that a recent attempt to encrypt and exfiltrate data from the network had included data from the Starwood guest reservation database.

As you can see from what Marriott has revealed so far, it can be difficult for everyone concerned to tell the difference between data that has been put at risk and data that has actually been stolen.

Until they can confirm otherwise, victims would be prudent to assume they amount to the same thing.

What to do?

Website and call centres

If you think you may be affected, make a point of checking the official breach website regularly, particularly its frequently asked questions section. Remember, it’s likely that Marriott is still learning about the breach and adapting to the situation it finds itself in.

Marriott says it has established a dedicated, multilingual call centre that will be open seven days a week. You can find your local call centre number by clicking on the large Call Centre Information link on the main page of the breach website.

Emails

Marriott has begun sending emails to affected guests whose email addresses are in the stolen database. This represents a huge potential opportunity for email scams, so the company has sensibly set out some guidelines to help you identify if an email is genuine:

  • The email will come from [email protected]
  • It will not contain attachments or requests for information
  • It will only link to the official website

Web monitoring

Marriott is offering victims in the USA, UK and Canada a free, one year subscription to something it calls WebWatcher, which it describes as a service that monitors “internet sites where personal information is shared”.

Don’t Google it. If you Google WebWatcher you won’t find the monitoring service, you’ll find lots of links to spyware of the same name. Don’t sign up for that!

Do follow the links to country-specific versions of the official breach site. You cannot sign up for monitoring from the main breach page, you have to go to the all-but-identical versions of the page for the US, UK or Canada.

On those pages you’ll find local call centre phone numbers and large, grey (and surprisingly easy to miss) Enroll Now buttons, which link to an enrolment form for Kroll’s ID monitoring service.

Precautions

  • Review your accounts. Review your bank or payment card accounts for suspicious activity, and if you’re a member of Marriott’s Starwood Preferred Guests program, monitor your SPG account for suspicious activity too.
  • Beware of scams. Criminals may look to exploit anxious victims with fake websites or phishing emails, messages and phone calls. These may be well disguised so don’t click on any links, and verify anything you encounter by heading directly to the official breach website or calling the official call centre numbers.
  • Report ID theft. If you think you’re a victim of identity theft, or if your stolen information has been misused, contact your national data protection authority or local law enforcement.
  • Change your password if you have a Starwood Guest Account. If you used the same password on other websites or services, change those too. Choose different, strong passwords for each one.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ECxkMNBbUoc/

It’s nearly 2019, and your network can get pwned through an oscilloscope

Administrators overseeing lab environments would be well advised to double-check their network setups following the disclosure of serious flaws in a line of oscilloscopes.

On Friday, SEC Consult said it had uncovered a set of high-impact vulnerabilities in electronic testing equipment made by Siglent Technologies.

In particular, the bug-hunters examined the Siglent SDS 1202X-E Digital line of Ethernet-enabled oscilloscopes and found the boxes were lacking even basic security protections.

Among the flaws found by researchers was the use of completely unauthenticated and unguarded TCP connections between the oscilloscopes and any device on the network, typically via the EasyScopeX software, and the use of unencrypted communications between the scope and other systems on the network.

“Two backdoor accounts are present on the system,” the researchers explained. “A Telnet service is listening on port 23 which enables an attacker to connect as root to the oscilloscope via LAN.”

As a result, anyone who had local network access would be able to get onto the device and tamper with it.
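A quick check an administrator can run against a lab subnet before trusting an instrument VLAN, added here as an illustration rather than anything from SEC Consult’s advisory or from Siglent: it connects to each address on TCP port 23, strips the telnet option negotiation bytes, and reports whether the device hands a login prompt to anyone who reaches the port. The FakeScope listener is a constructed stand-in so the probe can be exercised offline, and the verdict labels are the example’s own.

```go
package main

import (
	"net"
	"strconv"
	"strings"
	"time"
)

// telnetIAC starts telnet option negotiation: IAC, a command byte and, for
// WILL/WONT/DO/DONT (0xFB-0xFE), one option byte.
const telnetIAC = 0xFF

// StripIAC removes option negotiation so a banner can be matched as text.
func StripIAC(data []byte) []byte {
	out := make([]byte, 0, len(data))
	for i := 0; i < len(data); {
		if data[i] == telnetIAC && i+1 < len(data) {
			if cmd := data[i+1]; cmd >= 0xFB && cmd <= 0xFE {
				i += 3
			} else {
				i += 2
			}
			continue
		}
		out = append(out, data[i])
		i++
	}
	return out
}

// LooksLikeLoginPrompt reports whether a banner offers a login or password
// prompt, i.e. the service will talk to anyone who reaches the port.
func LooksLikeLoginPrompt(banner []byte) bool {
	text := strings.ToLower(string(StripIAC(banner)))
	return strings.Contains(text, "login:") || strings.Contains(text, "password:")
}

// ProbeTelnet connects to host:port and collects what the service sends until
// it closes the connection, the buffer fills or the timeout expires. ok is
// false when the port is closed or unreachable.
func ProbeTelnet(host string, port int, timeout time.Duration) (banner []byte, ok bool) {
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, strconv.Itoa(port)), timeout)
	if err != nil {
		return nil, false
	}
	defer conn.Close()
	_ = conn.SetReadDeadline(time.Now().Add(timeout))
	buf := make([]byte, 256)
	for len(banner) < len(buf) {
		n, err := conn.Read(buf)
		banner = append(banner, buf[:n]...)
		if err != nil { // EOF or deadline: nothing more is coming
			break
		}
	}
	return banner, true
}

// Verdict turns one probe result into an inventory label.
func Verdict(banner []byte, ok bool) string {
	switch {
	case !ok:
		return "closed"
	case LooksLikeLoginPrompt(banner):
		return "telnet-login-prompt"
	default:
		return "open"
	}
}

// FakeScope is a constructed stand-in, not a Siglent emulator: it listens on a
// random localhost port and answers one connection with IAC WILL ECHO,
// IAC WILL SUPPRESS-GO-AHEAD and a login prompt, then hangs up.
func FakeScope() (int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	go func() {
		defer ln.Close()
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		_, _ = conn.Write([]byte("\xff\xfb\x01\xff\xfb\x03\r\nscope login: "))
	}()
	return ln.Addr().(*net.TCPAddr).Port, nil
}

// ClosedPort returns a localhost port that is (for the moment) not listening.
func ClosedPort() (int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	return ln.Addr().(*net.TCPAddr).Port, nil
}
```

Run it across the instrument subnet with a short timeout and treat every "telnet-login-prompt" result as a device that needs to be moved behind a firewall or onto a segment that only the engineering workstations can reach; an "open" result still deserves a look, since a service that accepts the connection silently may simply be waiting for commands.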

Siglent did not respond to a request for comment on the matter.

Chalk this up as yet another example of the dangers brought on by the growing market for connected internet-of-things devices.

Normally, an oscilloscope would be the last thing an admin would have to worry about, however as new connectivity is bolted onto devices that traditionally operated in isolation, it is inevitable that some otherwise basic security measures will be overlooked.

Aside from the obvious danger of an attacker using a compromised scope as a starting point for attacks on other devices on the network, SEC Consult noted that the vulnerabilities could also be used to tamper with the oscilloscope’s own readings, a handy route for sabotage.

“Any malicious modification of measurement values may have serious impact on the product or service which is created or offered by using this oscilloscope,” SEC Consult said of the flaw. “Therefore, all procedures which are executed with this device are untrustworthy.”

That point is particularly noteworthy given the marked increase in industrial espionage and IP theft attacks observed in recent years. It is not beyond the realm of possibility that a company wanting to hamper a rival, or a state-sponsored group wanting to disrupt R&D, would tamper with the engineering equipment of a targeted facility. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/30/pwned_via_oscilloscope/

It’s ‘nyet’ again, yet again, for Kaspersky in US gov ban case

Kaspersky Lab won’t be getting its day in court after all: the US Court of Appeals for the DC Circuit has rejected its case against the American government.

The appeals court panel upheld a US District Court ruling that Kaspersky could not bring suit against the US government in hopes of overturning the 2017 order that blocked government agencies from using its software.

The decision [PDF] all but ends Kaspersky’s hopes of getting the ban on its products lifted and allowing federal agencies to once again purchase its antivirus and security offerings.

In rejecting the appeal, the three-judge panel agreed with the lower court that Congress may block the purchase of a specific vendor’s software when it has legitimate security concerns. This is the key point, because Kaspersky had contended that the ban was a form of extrajudicial punishment rather than a safety measure.

“Indeed, although Kaspersky argues that Congress enacted section 1634 to further that body’s undisclosed punitive intentions, the company does not dispute, as a general matter, that protecting federal computers from cyber-threats qualifies as a legitimate nonpunitive purpose,” the court noted.

The judges go on to dismiss Kaspersky’s argument that it was being unfairly singled out as a possible security risk by the government, noting the company’s close relationship with a Russian government known to be actively targeting the US for network attacks and data theft.

“Kaspersky identifies no cyber-product as vulnerable to malicious exploitation as Kaspersky’s,” the court found.

“And although the company accurately points out that many cyber-companies operate in Russia, we conclude that Congress, based on the evidence before it, could have reasonably determined that Kaspersky’s Russian ties differ in degree and kind from these other companies’.”

Kaspersky, meanwhile, said that it was disappointed with the ruling and maintained the security shop was “still the good guys fighting cybercrime all over the world.”

“The DC Circuit Court’s decision is disappointing, but the events of the past year that culminated in this decision were almost expected, and not just by our company, but by the cybersecurity industry in general,” wrote co-founder, CEO, and company namesake Eugene Kaspersky.

“We’re sure that the issues involved in our litigation go far beyond technical aspects of US constitutional law; they include real-world problems concerning everyone: a progression of protectionism and balkanization in a world of understated cyber-rivalry and highly sophisticated international cyber-threats.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/30/court_rejects_kaspersky/

Retailers Make Big Strides In Offering Clear Unsubscribe Links

They’re also honoring unsubscribe requests as soon as they’re made, according to the Online Trust Alliance.

A survey of North America’s top 200 retailers released this week by the Internet Society’s Online Trust Alliance found they have made great progress in managing emails on their websites.

In fact, 84% of retailers have clear and conspicuous unsubscribe links on their websites, says Jeff Wilbur, the OTA’s technical director.

Now in its fifth year, the “2018 Email Marketing Unsubscribe Audit” also found that 100% of the retailers publish SPF and DKIM authentication records, 71% have DMARC records, and 35% have DMARC set to an enforcement policy (quarantine or reject) rather than monitoring only. These three standards are now the generally accepted way of detecting and blocking email spoofing.
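The OTA audit counts SPF, DKIM and DMARC deployment separately because the gap between “has a DMARC record” and “enforces DMARC” is the part that actually stops spoofed mail. The following Go code, added here as an illustration and not part of the OTA report, classifies a DMARC TXT record as monitoring-only, partially enforced (pct below 100) or enforced, and reads the qualifier on an SPF record’s all mechanism. The sample records are constructed and use reserved example domains; no DNS lookups are made.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ParseDMARC splits a DMARC TXT record ("v=DMARC1; p=reject; pct=100; ...")
// into a lower-cased tag map. Records without v=DMARC1 or the mandatory p=
// tag are rejected, since receivers ignore them too.
func ParseDMARC(record string) (map[string]string, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if part = strings.TrimSpace(part); part == "" {
			continue
		}
		k, v, found := strings.Cut(part, "=")
		if !found {
			return nil, fmt.Errorf("malformed DMARC tag %q", part)
		}
		tags[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	if !strings.EqualFold(tags["v"], "DMARC1") {
		return nil, errors.New("not a DMARC record: missing v=DMARC1")
	}
	if _, ok := tags["p"]; !ok {
		return nil, errors.New("invalid DMARC record: missing p= tag")
	}
	return tags, nil
}

// DMARCLevel classifies a record as "none" (monitoring only), "partial"
// (quarantine/reject applied to fewer than 100% of failing messages via pct=)
// or "enforced" (quarantine/reject with the default pct=100).
func DMARCLevel(record string) (string, error) {
	tags, err := ParseDMARC(record)
	if err != nil {
		return "", err
	}
	switch strings.ToLower(tags["p"]) {
	case "none":
		return "none", nil
	case "quarantine", "reject":
	default:
		return "", fmt.Errorf("unknown p= value %q", tags["p"])
	}
	pct := 100
	if s, ok := tags["pct"]; ok {
		n, err := strconv.Atoi(s)
		if err != nil || n < 0 || n > 100 {
			return "", fmt.Errorf("invalid pct= value %q", s)
		}
		pct = n
	}
	if pct < 100 {
		return "partial", nil
	}
	return "enforced", nil
}

var spfAll = regexp.MustCompile(`(?i)^([-~?+]?)all$`)

// SPFAllQualifier returns the qualifier on the SPF "all" mechanism: "-" (fail,
// the strict setting), "~" (softfail), "?" (neutral) or "+" (pass: authorises
// every sender). It returns "" when there is no "all" term. Caveat: a record
// that delegates via redirect= is not followed here.
func SPFAllQualifier(record string) (string, error) {
	terms := strings.Fields(record)
	if len(terms) == 0 || !strings.EqualFold(terms[0], "v=spf1") {
		return "", errors.New("not an SPF record")
	}
	for _, term := range terms[1:] {
		if m := spfAll.FindStringSubmatch(term); m != nil {
			if m[1] == "" {
				return "+", nil
			}
			return m[1], nil
		}
	}
	return "", nil
}

var spfLabel = map[string]string{"-": "strict", "~": "softfail", "?": "neutral", "+": "pass-all", "": "no-all"}

// Summary gives one audit line per domain from its SPF and DMARC TXT records.
func Summary(domain, spf, dmarc string) string {
	spfNote := "missing"
	if q, err := SPFAllQualifier(spf); err == nil {
		spfNote = spfLabel[q]
	}
	level, err := DMARCLevel(dmarc)
	if err != nil {
		level = "missing"
	}
	return fmt.Sprintf("%s spf:%s dmarc:%s", domain, spfNote, level)
}

func main() {
	// Constructed records on reserved example domains, not real lookups.
	fmt.Println(Summary("example.com", "v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
	fmt.Println(Summary("example.net", "v=spf1 ip4:192.0.2.0/24 ~all", "v=DMARC1; p=quarantine; pct=25"))
	fmt.Println(Summary("example.org", "v=spf1 include:_spf.example.net", "v=DMARC1; p=none"))
}
```

Feed it the TXT records from `_dmarc.<domain>` and `<domain>` and the audit categories fall out directly: a domain with p=none is counted as “has DMARC” but not as enforcing, and an SPF record ending in ~all or with no all term leaves spoofed mail to be judged by DMARC alone.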

Another good number, according to Wilbur, is that 89% of retailers said they stop sending messages right after an unsubscribe request was submitted, as opposed to the permitted 10-day period.

“That’s really a big one,” Wilbur says. “People just want to know if they don’t want the site to send them any more messages that they will stop sending them.”

Vince Romney, director of information security at cosmetics company Younique Products, says the OTA survey mirrors many of the trends he has been seeing.

For starters, unsubscribe requests from users are being honored right away, he says. Younique has been using SPF and DKIM authentication built into Mimecast to filter emails and prevent spoofing, Romney added, plus the company has a very clear unsubscribe option on its website.

He also pointed out that many other retailers have stepped up their incident response activities. When he came on as security director in March, Younique started using AlienVault, which in effect serves as the company’s SIEM.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/retailers-make-big-strides-in-offering-clear-unsubscribe-links--/d/d-id/1333380?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Holiday Hacks: 6 Cyberthreats to Watch Right Now

‘Tis the season for holiday-crafted phishes, scams, and a range of cyberattacks. Experts list the hottest holiday hacks for 2018.

(Image: Andranik123 – stock.adobe.com)

It’s the most wonderful time of the year – for holiday cheer, of course, but also for cybercriminals who use the season as leverage to manipulate their victims.

Like holiday music playing in department stores and decorations adorning your neighborhood, themed cyberattacks start around Thanksgiving and continue through Christmas. “These scams ride the wave of the holiday season, when users are more inclined to purchase online,” explains Jerome Dangu, co-founder and CEO of Confiant, which has analyzed seasonal cyberattacks.

Most criminals aim to capitalize on the shopping frenzy that is the holiday season, and methods vary from victim to victim. Consumers are hit with fake delivery notices in phishing emails and credit card fraud; brands are targeted with malvertising campaigns and watering-hole attacks.

Holiday season cyberattacks are on pace to escalate by nearly 60% this season, states Carbon Black’s Threat Analysis Unit (TAU) in this year’s “Holiday Threat Report.” Analysts considered the 2017 season for comparison: After Thanksgiving, notable security alerts spiked on Black Friday/Cyber Monday and continued at elevated levels through year’s end.

Think you’re safe after Christmas? Think again. The high point for seasonal crime happens in the days following Dec. 25, when people are taking advantage of post-holiday deals.

Here, cybercrime experts describe the threats that are top of mind for them during this year’s holiday season. Read on to learn more about what you and your employees should watch for.

Article source: https://www.darkreading.com/endpoint/holiday-hacks-6-cyberthreats-to-watch-right-now/d/d-id/1333382?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Prisoners allegedly posed as underage girls in $560K sextortion scam

Fifteen US prison inmates have been indicted for posing as young women on dating sites, sending nude photos to hundreds of military personnel who fell for the phony profiles, and then extorting them. To cap off the scam, the prisoners posed as the girls’ fathers and threatened to report the servicemen for disseminating child abuse imagery.

Law enforcement authorities held a press conference about the fraud ring in front of a state prison in Columbia, South Carolina, on Wednesday. According to a local paper, the Greenville News, authorities said that the prisoners had used contraband mobile phones to scam a total of 442 servicemen out of more than $560,000.

The indictments include charges of conspiracy to commit wire fraud, extortion and money laundering.

The bust was coordinated by a slew of law enforcement agencies, including from the military: the Naval Criminal Investigative Services (NCIS), US Army Criminal Investigations Command, US Air Force Office of Special Investigations, Department of Defense Criminal Investigative Services, IRS Criminal Investigative Services, the US Marshals Service, the South Carolina Department of Corrections, the South Carolina Law Enforcement Division and the US Attorney’s Office.

The prisoners allegedly used smuggled cellphones to log onto multiple dating websites and pretend to be 18- or 19-year-old girls. Court documents allege that after communicating with their victims, the inmates would eventually send nude photos to service members. Then, another prisoner would allegedly contact the marks, pretending to be an irate father and telling them that the “girl” they’d been communicating with was their underage daughter.

Pay up, or I’ll call the police on you, the fake fathers would threaten. At other times, inmates posed as police officers and threatened to arrest the servicemen unless they forked over payment, according to the indictments.

One of the indictments describes how inmate Wendell Wilkins allegedly claimed that the money was needed for “counseling and medical bills for the trauma that his underage daughter suffered from the sexually explicit text messages.”

According to NCIS special agent Drew Goodridge, the agencies are still investigating another 250 people for the ongoing probe, which began in January 2017 with the code name “Operation Surprise Party.” The prisoners allegedly had a network of helpers on the outside: the unsealed indictments allege that the prisoners recruited family and friends to set up a network of bank accounts, money transfer services, online payment services and prepaid debit cards to access and spend the money.

Although the fraud victims accepted photos of the girls – photos the prisoners had found online – no service member from the Navy or the Marines will be charged, according to Goodridge. They were just victims he said, having been led to believe that the photos were of 18- or 19-year-olds.

We can only imagine how terrified they must have been after being told by a fake authority figure that the girls in the photos were actually underage and that they could be reported for trafficking in child abuse imagery.

Goodridge:

Military members would pay, fearful that they might lose their careers over possessing what they were led to believe was child pornography.

This is just another example of how smuggled cellphones enable prisoners to keep breaking the law: they may be behind bars, but they’re still among us virtually, said Bryan Stirling, the state’s prison system director.

Stirling said that the state prison system has erected 50-foot-tall netting around many prisons to try to limit the number of cellphones that get tossed over the fence. It’s also running a pilot project at one prison to filter cell signal access so that only those with approved numbers can get a signal. So far, it’s proved successful, he said, but it’s too expensive to implement more widely.

Stirling:

Unfettered access to the outside world needs to stop. We need relief, and we need it now.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YCK-q_bWh5E/

Busted! DOJ exposes huge ad-fraud operation, eight charged

The US Department of Justice has charged eight men from Russia and Kazakhstan with running a vast ad-fraud scheme that milked a total of $36 million from advertisers.

Three of the accused – Aleksandr Zhukov, Sergey Ovsyannikov and Yevgeniy Timchenko – have been arrested in different countries pending extradition to the US, with Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, and Aleksandr Isaev still at large, an announcement said.

The fraud centred on two systems that resembled expertly crafted digital money trees.

Methbot

The first, which ran between September 2014 and December 2016, dubbed ‘Methbot’ by discoverers White Ops in 2016, was a 1,900-strong farm of datacentre servers rented to host 5,000 bogus websites.

Not only was the traffic to these sites fictitious – the gang went to some lengths to simulate real users visiting these domains from fake geographic locations – but the sites themselves were spoofed versions of real sites including CNN, the New York Times, CBS Sports, and Fox News.

The sites were then added to legitimate ad networks where unsuspecting ad buyers could pay to advertise on them.

It’s been reported that ads were shown on as few as 10% of the visits Methbot’s fake users made to its fake websites (which means most of the Methbot activity was just ). Presumably this technique was meant to keep the fraud below the radar of suspicious ad networks.

When an ad was shown, advertisers bid against each other algorithmically to decide which ad appeared on that visit. Once the bid had been won and the ad displayed, the bot’s browser would click on it and the advertiser would pay the fake Methbot site for the click.

To make that interaction appear more human, the system could even stop and restart videos.

Estimated fraud: at least $7 million.

3ve (‘Eve’)

The second part of the operation, dubbed 3ve, was a more conventional but hugely profitable clickfraud botnet comprising 1.7 million computers infected with the Kovter malware that ran between December 2015 and October this year.

3ve’s purpose was simply to quietly generate as much entirely fake traffic as possible to adverts that would earn the gang money, an ambition it succeeded in fulfilling and then some.

Estimated fraud: another $29 million

In total, that’s $36 million siphoned from networks for ads and videos nobody watched on sites that never existed.

Does ad-fraud matter?

If this sounds like a victimless crime, that’s simply because the ad networks paying out all this money have not been named. Ultimately, the money stolen came from a company buying ad space, whose costs are eventually passed on to consumers.

Around a month ago, the FBI, assisted by Google and the group’s nemesis White Ops, worked together on one of the US authorities’ periodic botnet takedowns.

Swiss bank accounts were seized, domains and servers went dark, which sounds rather easy until you read that just to kill 89 servers, officials had to visit 11 different US hosting providers in a short space of time.

What this does for the image of internet advertising is an open question, but it’s clear that the sums involved are drawing in fraudsters by the thousand.

A 2016 estimate by the World Federation of Advertisers warned that if left unchecked the problem could grow into a $50 billion black hole by 2025.

That’s a lot of money to fuel more advanced malware, ambitious criminal gangs, as well as inevitable counter-measures such as browser adblocking to shield eyeballs from advertising.

Frighteningly, it also dwarfs the sums stolen by Methbot and 3ve, which raises an obvious question: are there even bigger, badder ad-fraud networks still out there?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KPA5Ic6CbXw/

Marriott’s Starwood hotels mega-hack: Half a BILLION guests’ deets exposed over 4 years

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary’s guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever.

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States,” said the firm in a statement issued this morning. “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”

Around 327 million of those guest bookings included customers’ “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

For an unspecified number of guests, encrypted payment card numbers and expiration dates were also included. Marriott said the card numbers were encrypted with AES-128, adding: “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

Marriott did not say what the two components are. Salting and hashing would not fit: card numbers stored that way could not be decrypted for later use, which is the whole reason they are encrypted rather than hashed. A more plausible reading is the encryption key plus whatever protects it, but no further detail was supplied. We have contacted Marriott to double-check and will update this article if we hear back from them.
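One common way a system ends up with “two components needed to decrypt” is envelope encryption: each record is sealed under a data-encryption key (DEK), and the DEK is stored only in wrapped form, sealed under a key-encryption key (KEK) that is supposed to live elsewhere. Marriott has not said that this is its design, so the following Go code is an added illustration, not Marriott’s or Starwood’s code: an attacker who copies the whole database, wrapped DEK included, still cannot recover card numbers without the KEK, whereas an attacker holding both components gets everything. The Vault type, the KEK/DEK naming and the well-known test card number are the example’s own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Vault holds card numbers sealed under a data-encryption key (DEK) with
// AES-128-GCM. The DEK is stored only wrapped, sealed under a separate
// key-encryption key (KEK) that is meant to live elsewhere (an HSM or key
// service in a real deployment). A stolen copy of the vault is component one;
// the KEK is component two; decryption needs both.
type Vault struct {
	WrappedDEK []byte
	Records    map[string][]byte // guest id -> nonce || ciphertext || tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and prepends it to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or any tampering fails authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// RandomKey returns a fresh AES-128 key.
func RandomKey() ([]byte, error) {
	k := make([]byte, 16)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// NewVault generates a DEK, wraps it under kek and returns an empty vault.
func NewVault(kek []byte) (*Vault, error) {
	dek, err := RandomKey()
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Vault{WrappedDEK: wrapped, Records: map[string][]byte{}}, nil
}

// Store seals pan for guest. Unwrapping the DEK is the step that needs the KEK.
func (v *Vault) Store(kek []byte, guest, pan string) error {
	dek, err := unseal(kek, v.WrappedDEK)
	if err != nil {
		return err
	}
	ct, err := seal(dek, []byte(pan))
	if err != nil {
		return err
	}
	v.Records[guest] = ct
	return nil
}

// Load recovers the card number. It fails without the right KEK even though
// the caller holds the entire vault, and it fails on tampered ciphertext.
func (v *Vault) Load(kek []byte, guest string) (string, error) {
	dek, err := unseal(kek, v.WrappedDEK)
	if err != nil {
		return "", err
	}
	ct, ok := v.Records[guest]
	if !ok {
		return "", errors.New("no such record")
	}
	pt, err := unseal(dek, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

The practical corollary for a four-year intrusion is that the question is not the strength of AES-128 but where the KEK sat. An attacker with long-term access to the application tier that calls Load has usually had the opportunity to take both components, which is exactly what Marriott says it cannot rule out.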

Having identified the breach, on 19 November Marriott and its investigators found an encrypted database online in an unspecified location. After decrypting it, they discovered a full copy of the entire Starwood guest reservation database.

Affected hotel brands include:

  • W Hotels
  • St. Regis
  • Sheraton Hotels Resorts
  • Westin Hotels Resorts
  • Element Hotels
  • Aloft Hotels
  • The Luxury Collection
  • Tribute Portfolio
  • Le Méridien Hotels Resorts
  • Four Points by Sheraton
  • Design Hotels that participate in the Starwood Preferred Guest (SPG) program
  • Starwood branded timeshare properties

Arne Sorenson, Marriott’s prez and chief exec, said in a canned statement he “deeply regrets” this incident took place, adding that the company has set up a “dedicated website and call centre”.

Law enforcement in the US has been notified. The hotel chain is emailing customers now to inform them.

That customer information website is here (its info.starwoodhotels.com URL resolves to the domain of security firm Kroll) and it includes an offer to enrol affected customers into the Webwatcher personal info breach monitoring system. Those emails, said the firm, will come from the address [email protected] and “will not contain any attachments or request any information from you, and any links will only bring you back to this webpage”.

Affected or potentially affected customers are being warned to change their passwords and not use easily guessed ones.

Few hacks of individual firms’ customer data have come close to the scale of this one. The Yahoo! breach in 2013 saw three billion email accounts breached, while Carphone Dixons, the UK electronics retail chain, managed to lose control of 5.9 million sets of payment card data. In the US, the US Government Office for Personnel Management (which handles sensitive files on millions of government workers) had the personal data of 21 million employees breached by hackers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/30/marriott_starwood_hotels_500m_customer_records_hacked/

Little FYI: Wi-Fi calling services on AT&T, T-Mobile US, Verizon are insecure, say boffins

Boffins from Michigan State University in the US and National Chiao Tung University in Taiwan have found that the Wi-Fi calling services offered by AT&T, T-Mobile US, and Verizon suffer from four security flaws that can be exploited to attack mobile phone users, leaking private information, harassing them, or interfering with service.

In a research paper distributed through preprint service ArXiv on Thursday, eight computer scientists – Tian Xie, Guan-Hua Tu, Bangjie Yin, Chi-Yu Li, Chunyi Peng, Mi Zhang, Hui Liu, and Xiaomin Liu – dismiss existing Wi-Fi calling security mechanisms. They say that defenses like storing private keys on SIM cards, 3GPP Authentication and Key Agreement, IPSec for call signaling and voice/text packets, and switching to cellular networks to defend against Wi-Fi denial of service attacks fall short.

“Given these security mechanisms, which have been well studied in the VoLTE [Voice over LTE] and cellular networks for years, it seems that the Wi-Fi calling should be as secure as the VoLTE,” the researchers state in their paper. “Unfortunately, it is not the case. We have identified several security threats in the Wi-Fi calling services deployed by T-Mobile, Verizon and AT&T in the US.”

They attribute the flaws to “design defects of Wi-Fi calling standards, implementation issues of Wi-Fi calling devices, and operational slips of cellular networks.” And to underscore the need to improve the security of Wi-Fi calls, they point out that Wi-Fi calling is expected to surpass VoLTE and VoIP (e.g. Skype) services this year in terms of usage time.

In the attack scenario described by the researchers, the victim is a mobile user who connects to a Wi-Fi access point with a device that has a Wi-Fi calling service. Specifically, the boffins tested eight smartphone models – Samsung Galaxy S6/S7/S8/J7, Apple iPhone 6/7/8, and Google Nexus 6P – with Wi-Fi calling from AT&T, T-Mobile, and Verizon.

The attacker can be anyone with a networked device on the same subnet as the victim. For their experiment, the researchers used a software-based Wi-Fi access point on a MacBook Pro 2014 laptop and an ASUS RT-AC1900 Wi-Fi access point on several university networks, including Michigan State University, New York University, University of California Berkeley, and Northeastern University.

Insecure

The first flaw identified involves the 3GPP Wi-Fi network selection mechanism, which does not exclude insecure Wi-Fi networks when choosing a network for connection. By definition, it’s disadvantageous to choose to connect to an insecure network if security is a concern.

The second is that devices making Wi-Fi calls lack defenses against ARP (Address Resolution Protocol) spoofing/poisoning attacks, which the researchers say is often a precursor to a man-in-the-middle attack. A successful attack could allow an adversary to intercept the network packets associated with a Wi-Fi calling device.
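A defender-side check for the second flaw, as an added example that is not code from the paper or from The Register: a monitor that learns IP-to-MAC bindings from ARP replies and alerts when an address already bound to one MAC is re-announced with another, the inconsistency an ARP poisoning attempt creates on the victim's subnet. The sample replies and the gateway address are constructed placeholders.

```python
# Added example (not from the paper or The Register): learn IP -> MAC bindings
# from ARP replies and alert when a known IP is re-announced with a new MAC,
# the inconsistency an ARP poisoning attempt creates on the victim's subnet.
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str
    seconds: float  # capture time, relative to start


@dataclass
class ArpMonitor:
    protected: frozenset  # IPs whose binding must stay fixed, e.g. the gateway
    table: dict = field(default_factory=dict)  # learned IP -> MAC

    def observe(self, reply):
        """Return an alert dict if the reply contradicts a learned binding."""
        known = self.table.get(reply.sender_ip)
        if known is None:
            self.table[reply.sender_ip] = reply.sender_mac  # first sighting
            return None
        if known == reply.sender_mac:
            return None  # consistent re-announcement
        # The learned binding is kept, so every further spoofed reply alerts.
        return {
            "ip": reply.sender_ip, "old_mac": known, "new_mac": reply.sender_mac,
            "at": reply.seconds,
            # a flipped gateway MAC redirects every flow, including the IPSec tunnel
            "severity": "high" if reply.sender_ip in self.protected else "medium",
        }


def scan(replies, protected):
    """Run the monitor over a reply sequence and return the alerts raised."""
    mon = ArpMonitor(protected=frozenset(protected))
    return [a for a in (mon.observe(r) for r in replies) if a]


# Constructed capture; 192.0.2.1 is a placeholder gateway address. The gateway
# answers normally, then another station starts claiming its IP with its own MAC.
SAMPLE = [
    ArpReply("192.0.2.1", "aa:bb:cc:00:00:01", 0.0),
    ArpReply("192.0.2.50", "aa:bb:cc:00:00:50", 0.4),
    ArpReply("192.0.2.1", "aa:bb:cc:00:00:01", 1.0),
    ArpReply("192.0.2.1", "aa:bb:cc:00:00:99", 1.2),
    ArpReply("192.0.2.50", "aa:bb:cc:00:00:51", 2.0),  # NIC change or spoof
]
```

Running `scan(SAMPLE, {"192.0.2.1"})` yields a high-severity alert for the gateway flip and a medium one for the second host; a real deployment would feed it replies from a packet capture on the phone's Wi-Fi interface.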

The third flaw found has to do with the way the three US carriers implement IPSec protection, which turns out to be vulnerable to side channel attacks that can leak private information. Because Wi-Fi calling is the only service carried over IPSec in this scenario, it’s possible to infer the Wi-Fi call events that occur (e.g. making/receiving a call).

The fourth vulnerability, say the researchers, is a design defect in the way Wi-Fi calling standards work. Wi-Fi calling protocols are set up to only consider the quality of Wi-Fi links when initiating a connection. But once a functional link is established, a Wi-Fi calling device won’t switch to the cellular network if Wi-Fi packets keep getting dropped. This allows an adversary to force Wi-Fi callers to remain on a malicious Wi-Fi network with degraded service.

A practical mitigation for these attacks, the researchers say, involves running a VPN on mobile devices. Upgrading Wi-Fi calling standards would be a more comprehensive fix but that won’t happen quickly.

The boffins say they’ve informed the telecom companies and device makers about their findings and are awaiting a response. Google, they say, has already answered, classifying the DoS vulnerability as a low-severity issue to be fixed at the next opportunity.

The Register asked AT&T, T-Mobile US, and Verizon for comment. We’ve yet to hear back. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/30/wifi_calling_services_insecure/