Archive for May 1, 2023

Here We Go Again… T-Mobile Has Yet Again Been Pwned By Hackers

Posted in Commentary with tags on May 1, 2023 by itnerd

I have honestly lost count of the number of times that T-Mobile has been pwned by hackers. Though the last time that they got pwned was earlier this year. But whatever the count is, you can add one to it as T-Mobile has been pwned again. Here are the details from Bleeping Computer:

T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023.

Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident affected only 836 customers. Still, the amount of exposed information is highly extensive and exposes affected individuals to identity theft and phishing attacks.

“In March 2023, the measures we have in place to alert us to unauthorized activity worked as designed and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023,” the company said in data breach notification letters sent to affected individuals just before the weekend, on Friday, April 28, 2023.

Ani Chaudhuri, CEO, Dasera had this comment:

T-Mobile’s recent data breach, which affected 836 customers and exposed extensive personal information, underscores the importance of robust data security platforms. Although this breach was not as large as previous incidents, it still leaves affected individuals vulnerable to identity theft and phishing attacks.

T-Mobile has experienced several data breaches in recent years, with the latest incident in 2023 marking their ninth disclosure since 2018. Despite facing multiple challenges, T-Mobile has consistently demonstrated a strong commitment to addressing and mitigating the impact of these breaches on its customers. Their rapid and proactive responses, such as resetting account PINs, offering free credit monitoring and identity theft detection services, and maintaining open communication with affected individuals, showcase the company’s dedication to safeguarding customer data and prioritizing security. This track record highlights T-Mobile’s resilience and ability to adapt in an ever-evolving digital landscape where data security is paramount. However, this incident also highlights an opportunity to enhance data security measures further.

One way to improve data security is by implementing comprehensive platforms that empower businesses to leverage structured and semi-structured data throughout their lifecycle safely. These platforms should offer automated data security and governance controls, continuous visibility, risk detection, and mitigation, all while aligning with business goals and ensuring seamless integration, unmatched security, and regulatory compliance.

Businesses can adopt a secure, data-driven growth strategy that minimizes risk and maximizes value by deeply understanding the four data variables – data infrastructure, data attributes, data users, and data usage. In the case of T-Mobile, a data security platform that effectively manages structured data usage could have mitigated the recent breach’s impact.

As the digital landscape evolves rapidly, businesses must prioritize data security to maintain a competitive edge. While T-Mobile’s response to the recent breach was commendable, this incident serves as a reminder that there is always room for improvement in data security measures. By adopting comprehensive data security platforms, businesses can better protect customer information and prevent future breaches.

Okay. So it’s a low number this time around. That’s not the issue. The real issue is that they keep getting pwned. It’s as if they’re not even trying to keep customer data safe. And even if that’s not the case, do you really want to be with a phone carrier who gets pwned as often as T-Mobile does?

Magecart Skimmers getting better at Stealing Credit Card Details

Posted in Commentary with tags on May 1, 2023 by itnerd

According to a new report by Malwarebytes, Magecart skimmers are upping their game when hijacking legitimate online stores’ payment pages, displaying a high-quality, customized web element known as a modal to act as the checkout page and steal customers’ credit card information. Some of the fake forms are better than the authentic pages.

The hackers’ payment modal forms are well designed and offer relevant details of the retailer. They are often more realistic than the original site, and better yet, it’s not a third-party checkout, which consumers are more distrustful of.

From the user’s perspective, once their details are entered on the modal, it displays a bogus loader, then a fake error which redirects the buyer to the real payment URL. At this point the data is compromised and, lastly, to avoid exposing the operation, the skimmer drops a cookie to prevent reloading of the malicious modal. Over the past couple of months Malwarebytes observed that the trend of using these stealthy, custom modal forms is on the rise.

Roy Akerman, Co-Founder & CEO, Rezonate had this comment:

   “This technique is more than a decade old. Poor security controls and overall hygiene of websites have been a constant challenge. Protocols such as 3D-Secure 2.0 and Mastercard SecureCode are 2 examples of ways to avoid any tampering during the purchase stage, regardless of whether the website was breached, or any MITM (man-in-the-middle) attempts from compromised endpoints able to hijack a session and steal information.

   “Assuming the look and feel is flawless, and you had a reason to go into that site, and did not receive a phishing email/smishing SMS as a trigger point, you could also try first to fake your credit info as a first step and see if you hit an alert/or are able to passthrough.”

This is making it very, very difficult to know if a site has been compromised by a threat actor. Mr. Akerman’s advice is good, but I have to wonder how long before threat actors take that into consideration and make it impossible to spot a compromised site.

UPDATE: Baber Amin, COO, Veridium added this comment:

   “Magecart or online skimming is the compromise of online shopping carts and the checkout process. Bad actors can inject malware into ill-maintained ecommerce sites.

   “Additionally, all the security offered by EMV and contactless cards is nullified, when the user voluntarily enters the CC information at checkout. Not only that, but they also enter information that can be used for Identity Theft, e.g. email address, shipping address, possibly a username and a password, etc.

  • It is important for website administrators to stay up-to-date with their content management system’s patches and plugins. 
  • Buying from reputable online vendors is the best option for end users
    • If possible, use virtual cards online
    • Use unique usernames and passwords on each site if you must create an account
    • If they offer PayPal during checkout, use it, as it creates an indirect level of payment
    • A better solution is to use services like Apple Pay and Google Pay, which replace sensitive information with arbitrary tokens (Tokenization). These services provide a more secure and convenient experience, as they use tokenization to protect sensitive information.  Since these tokens disappear after each authorization, they cannot be reused if stolen.  The other advantage of these services is that they work both in person and for online shopping.  EMV or chip cards are reduced to the security of the older non chip card when paying online, as there is no chip reader available”

WordPress Won’t Be Sharing Your Posts To Twitter Because Of Elon Musk’s API Price Hike

Posted in Commentary with tags on May 1, 2023 by itnerd

Many people who are on the WordPress platform rely on being able to share their posts onto Twitter via functionality built into WordPress Jetpack. But those days are effectively over as WordPress no longer supports posting to Twitter and has pointed the finger at Elon Musk and his API price hike as the reason:

In early April, we experienced an unexpected suspension of our Twitter API access. This access is what powers Jetpack Social, which in turn helps you automatically share your blog posts to Twitter. Though the service was restored that same day, it turns out that there were bigger changes looming on the horizon. 

Twitter decided, on short notice, to dramatically change the terms and pricing of the Twitter API. We have attempted to work with Twitter in good faith to negotiate new terms, but we have not been able to reach an agreement. As a result, the Twitter connection on Jetpack Social will cease to work, and your blog posts will no longer be auto-shared to Twitter.

You will still be able to share your posts to Twitter manually by pasting the post link into the body of your tweet. 

Now I turned this functionality off when I more or less abandoned Twitter. But those who rely on this functionality for marketing purposes are going to be very unhappy campers. Though there is good news, if you want to call it that:

In addition, you can still auto-share your posts to Tumblr, Facebook, and Linkedin. In the near future, we are adding the ability to auto-share to Instagram and Mastodon. We are continuing to release new features in Jetpack Social, so keep an eye on the Jetpack blog for more updates.  

Now I have been auto-posting to Mastodon (where you can find me at @The_IT_Nerd@noc.social by the way) since the start of the year via a third-party plug-in. But it will be nice to have native Jetpack functionality. That way people can move their followers from Twitter to Mastodon much more easily, seeing as Twitter is becoming an increasingly hostile place under Elon.

Apple Releases Rapid Security Update For iOS and macOS… But It Doesn’t Work On iOS… #Fail [UPDATE: It Appears To Be Fixed]

Posted in Commentary with tags on May 1, 2023 by itnerd

Apple for just over a year has had the ability to release something called a “Rapid Security Update” to iOS and macOS devices. The Rapid Security Update is intended to provide important security changes between the regular software updates. For example, Apple may find an actively exploited vulnerability and decide to release one of these to address it. Overall this is a good thing.

Today Apple released a Rapid Security update for iOS 16.4.1 and macOS 13.3.1. On my iPhone I got this:

But when I tried to install it, I got this:

Now I was connected to the Internet on my iPhone the entire time, yet this error message popped up. Now this may be due to server load. Or it may be because Apple’s QA, which hasn’t been all that great for a long time, has dropped the ball yet again. Who knows? And for the record, I have not tried this on my Mac as I am concerned that something bad might happen. But I will say this. Apple can’t have a “Rapid Security Update” that nobody can install as that completely defeats the purpose of these updates. Thus Apple needs to sort this out quickly as this looks really bad on them.

More updates as I get them.

UPDATE: I tested the macOS “Rapid Security Update” which is actually called the “Rapid Security Response Update” and it worked fine. So it seems that only the iOS version is messed up. But the reason behind it being messed up is that it seems that the iOS version is being limited by Apple as per this:

Why Apple isn’t being more forthright about this, I have no idea. Oh wait. It’s Apple. They aren’t forthright about anything.

UPDATE #2: At 3:25 PM EST, I was finally able to get this update installed on my iPhone. I figured that it was a fluke. So I got my wife to try it and she was able to install it right away. So whatever the issue was, Apple appears to have fixed it.

By the way, the version of iOS you will get after the update is 16.4.1 (a). The version of macOS that you will get after the update is 13.3.1 (a).

China’s ‘Evasive Panda’ Found Hijacking Updates For Espionage Purposes

Posted in Commentary with tags on May 1, 2023 by itnerd

Researchers at ESET discovered that downloads of the Evasive Panda backdoor, MgBot, had been included in the update channels of otherwise legitimate applications. The campaign appeared aimed at stealing credentials and data for cyber espionage purposes and has been ongoing for two years. The attacks were able to target specific individuals in China and Nigeria, otherwise delivering uninfected updates to everyone else.

“During our investigation, we discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses,” intelligence analyst Facundo Munoz wrote in the post.

Researchers observed the highest number of infected updates coming from an updater for the Tencent QQ Windows client:

“Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users to deliver them the malware, filtering out non-targeted users and delivering them legitimate updates,” Munoz wrote.

Roy Akerman, Co-Founder & CEO, Rezonate had this comment:

   “Despite increased investment in supply chain defenses, attackers continue to bypass controls and drop malware with legitimate processes and applications. Tencent’s QQ Windows client has been used for a long time now as a way to socially engineer and distribute malware in a targeted manner. This approach enables a wide reach across the entire platform as well as offering the shield of authenticity.

   “We’re seeing the targeting of accounts happening more often vs. the traditional spray and pray, to meet a specific objective. A layered defense, continuous education of employees and monitoring of identity behavior for abuse of privileges are more critical than ever.”

This illustrates how dangerous some of these threat actor groups are as packaging this backdoor as part of a legitimate update is pretty crafty. It shows that more needs to be done at both the technology and human level to stop attacks like these from being successful.
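The Munoz quote above makes the key defensive point: the backdoor installers came from legitimate URLs and IP addresses, so an updater that trusts the source of a download cannot tell a targeted client apart from everyone else. The following is an added example, not ESET's, Tencent's or any vendor's code, showing an updater that keeps the host allow-list but decides on the bytes it received, checked against a hash manifest pinned in the client. The host names, the manifest format and the payloads are constructed for the example; a real client would ship the manifest with the installed version (or verify a signature over it) rather than fetch it from the same channel that delivers the update.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts the client is allowed to fetch updates from (constructed, hypothetical).
TRUSTED_HOSTS = {"update.example.test"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample payloads: the real package and a swapped one that carries
# the same version label. The manifest pins the hash of the real package.
GOOD_UPDATE = b"legitimate update package v1.2.3 (constructed sample)"
TAMPERED_UPDATE = b"backdoor dropper labelled v1.2.3 (constructed sample)"
PINNED_MANIFEST = {"1.2.3": sha256_hex(GOOD_UPDATE)}


@dataclass(frozen=True)
class UpdateResponse:
    """What the updater sees: the URL it fetched, the advertised version, the bytes."""
    url: str
    version: str
    payload: bytes


def host_is_trusted(url: str) -> bool:
    """Source check only: passes for every response from an allow-listed host."""
    return urlparse(url).hostname in TRUSTED_HOSTS


def verify_update(resp: UpdateResponse) -> tuple[bool, str]:
    """Accept an update only if its bytes match the pinned hash for that version.

    Returns (accepted, reason). The host check is kept, but it is the content
    check that rejects a swapped payload served from a legitimate URL.
    """
    if not host_is_trusted(resp.url):
        return False, "untrusted host"
    expected = PINNED_MANIFEST.get(resp.version)
    if expected is None:
        return False, "version not in pinned manifest"
    actual = sha256_hex(resp.payload)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(expected, actual):
        return False, "payload hash mismatch"
    return True, "ok"


def simulate_targeted_delivery() -> dict[str, tuple[bool, str]]:
    """Model a server that hands most clients the real update and one chosen
    client the tampered one, from the same URL and version label."""
    url = "https://update.example.test/client/1.2.3/package.bin"  # constructed URL
    responses = {
        "ordinary-client": UpdateResponse(url, "1.2.3", GOOD_UPDATE),
        "targeted-client": UpdateResponse(url, "1.2.3", TAMPERED_UPDATE),
        "spoofed-host": UpdateResponse(
            "https://update.example.invalid/package.bin", "1.2.3", GOOD_UPDATE
        ),
    }
    return {name: verify_update(r) for name, r in responses.items()}


if __name__ == "__main__":
    for client, (ok, why) in simulate_targeted_delivery().items():
        print(f"{client}: {'accepted' if ok else 'rejected'} ({why})")
```

Run as a script, the ordinary client's update is accepted, the targeted client's is rejected with a hash mismatch even though it came from the same trusted URL, and the response from an unlisted host is rejected before its contents are looked at. The point of the design is that a compromised update server can choose which client gets which bytes, but it cannot make a swapped payload hash to the value the client already holds.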

FDA Warns Of Vulnerability In Illumina Sequencing Instruments

Posted in Commentary with tags on May 1, 2023 by itnerd

In a letter to health care providers and laboratory personnel, the FDA said that the Universal Copy Service software in US biotechnology company Illumina sequencing instruments could be exploited to let an unauthorized user do the following:

  • Take remote control
  • Alter settings, configurations, software, or data on the instrument or a customer’s network
  • Impact data intended for use in clinical diagnosis, leading to no results, incorrect results, or manipulated results.

At the time of the letter, neither the FDA nor Illumina had received any reports indicating the vulnerability had been exploited, and it is unclear how many customers were affected, but more than 22,000 sequencers were installed as of January.

Illumina CTO Alex Aravanis said in a statement on LinkedIn that the issue was found during “ongoing efforts to assess potential vulnerabilities and exposures” and they have developed software to fix it.

This follows a separate Illumina cybersecurity vulnerability announced in June 2022.

Roy Akerman, Co-Founder & CEO, Rezonate had this to say:

   “Healthcare providers continue to be a main target for attackers and therefore need to be on top of their game in terms of preventative actions, continuous patching, and further ability to monitor and detect attempts to exploit and compromise identity and data. While traditional endpoint and network protection have improved over the past years, IoT devices continue to lag behind in terms of visibility and effective controls, which the healthcare system is highly dependent on for critical procedures and diagnosis.”

The good news is that this issue was disclosed so that it can be addressed. And it illustrates that everyone in general, and health tech companies specifically, need to make sure that issues like this are far less likely to make it out the door, so that we are all safer as a result.