Archive for Hacked

PC Plus App Update Forces You To Delete And Re-Add Membership Cards

Posted in Commentary on March 10, 2017 by itnerd

Hot off an incident where a security issue led to points being stolen, though it’s apparently the users’ fault for having weak passwords, Loblaw has pushed out updates for the PC Points app for Android and iOS. Now, what’s interesting is this statement in the release notes for the app. A screenshot from the Android version of the app is below:

[Screenshot: release notes for the Android version of the app]

You’ll note that the very last line requires you to delete and replace any PC Plus card in your digital wallet. My guess is that they are trying to invalidate any cards that were created from accounts that were pwned. But you have to wonder if this is also connected with an attempt to quietly beef up their security so that Loblaw does not get pwned again. Whatever the reason, if you’re a PC Plus user, you should likely get the update and remove and replace your cards ASAP.


WikiLeaks Does Massive Data Dump On CIA Hacking Tools And Ops

Posted in Commentary on March 7, 2017 by itnerd

WikiLeaks today released documents that shed light on the CIA’s hacking tools and internal operations. What’s key about this is that absolutely no platform is safe from the CIA, as documented by BetaNews:

WikiLeaks has unleashed a treasure trove of data to the internet, exposing information about the CIA’s arsenal of hacking tools. Code-named Vault 7, the first data is due to be released in serialized form, starting off with “Year Zero” as part one. A cache of over 8,500 documents and files has been made available via BitTorrent in an encrypted archive. The plan had been to release the password at 9:00am ET today, but when a scheduled online press conference and stream came “under attack” prior to this, the password was released early. Included in the “extraordinary” release are details of the zero day weapons used by the CIA to exploit iPhones, Android phones, Windows, and even Samsung TVs to listen in on people. Routers, Linux, macOS — nothing is safe. WikiLeaks explains how the “CIA’s hacking division” — or the Center for Cyber Intelligence (CCI) as it is officially known — has produced thousands of weaponized pieces of malware, Trojans, viruses and other tools. It’s a leak that’s essentially Snowden 2.0.

I take two things out of this data dump. First, nothing is secure. Absolutely nothing. That should scare you. Second, some of these tools are now in the public domain, and really bad people are going to get their hands on them. That should scare you even more.

It should be interesting to see how this is explained by the US Government.

#Fail: VP Pence Tweets About Clinton’s Personal Email Usage… As His Personal Email Gets Pwned By Hackers

Posted in Commentary on March 3, 2017 by itnerd

 

From the “be careful what you tweet about” department comes this story. Vice President Mike Pence was very critical of Hillary Clinton’s use of a private e-mail server for government business during the election. So much so, he tweeted about it:

Here’s the problem. Pence, according to reports that surfaced today, was using an AOL account for government business. What’s worse is that it got pwned by hackers. While that apparently is not illegal in Indiana, it really does make Pence look like a hypocrite. Something that Twitter has been all too happy to point out:

The takeaway is that you should watch what you tweet, as the potential exists that it can come back to bite you. And when it does, Twitter will not show you any mercy.

CloudPets Woes Worsen With News Of A Bluetooth Exploit

Posted in Commentary on March 1, 2017 by itnerd

 

If having their database leaked and ransomed isn’t enough, CloudPets has a new problem to worry about. Their toys can be pwned remotely from a webpage via the Bluetooth Web API, which is not exactly secure, says Context Information Security, who put out a report on the matter.

Here’s how the exploit works. Create a webpage to connect to a CloudPets toy via Bluetooth. The browser opening the page has to be within Bluetooth range of the CloudPets toy for it to work. You must also allow the browser to pair with the toy. Then start recording from the toy’s built-in microphone. You can also play sounds through it. A proof of concept webpage is online, and code is on GitHub, which means evildoers will have real exploit pages online shortly.

Here’s a video of the pwnage in action:

Clearly CloudPets doesn’t care about the security of their users. If you have one of these toys, put it in the rubbish bin right now. It’s clearly insecure and you should not have it anywhere near your kids.

Data From Kids Toys Leaked And Ransomed

Posted in Commentary on February 28, 2017 by itnerd

I’ve written about kids’ toys and their relative insecurity for a while now, and I will cite these examples as to why you may not want to give your kids a connected toy as a gift. Now comes the worst example of this that I have seen, via security researcher Troy Hunt:

CloudPets allow parents to record a message for their children on their phones, which then arrives on the Bluetooth connected stuffed toy and is played back. Kids can squeeze the stuffed animal’s paw to record a message of their own, which is sent back to the phone app. The Android app has been downloaded over 100,000 times, though user reviews are poor, citing a difficult interface, frequent bugs, and annoying advertising. Hunt and the researchers he collaborated with found that the central database for CloudPets’ voice messages and user info was stored on a public-facing MongoDB server, with only basic hashes protecting user addresses and passwords. The same database apparently connected to the stored voice messages that could be retrieved by the apps and toys. Easy access and poor password requirements may have resulted in unauthorized access to a large number of accounts. The database was finally removed from the publicly accessible server in January, but not before demands for ransom were left.

Not cool. If I were a parent and I bought this toy, I’d dump it. I really do not believe that the people who make these toys have your security in mind when they put them on the market. Until they can prove that they do, they should be avoided by parents.

 

Loblaw Resets The Passwords Of ALL PC Points Users For Security Reasons

Posted in Commentary on February 21, 2017 by itnerd

It seems that the hack of the Loblaw PC Points rewards program isn’t going away, as every member of the rewards program has gotten e-mails over the weekend saying that Loblaw has reset their passwords. Meaning that even if they reset their passwords when the hack became public, they’ll have to do it again. Plus the PC Points website has this message communicating the same thing:

[Screenshot: password reset message on the PC Points website]

This is an indication that the company feels that passwords are the issue and will likely continue to be an issue. As a result, they’ve taken this step to try and make the problem go away. Though you have to wonder whether making their users do this will address the issue or whether this problem will simply resurface.

I’ll be keeping an eye out to see what happens.

Arby’s Pwned By Malware…. Credit Card Info Swiped

Posted in Commentary on February 9, 2017 by itnerd

Today is clearly the day for hacks. The latest company to disclose that they’ve been pwned by hackers is fast food chain Arby’s. Apparently hackers used malware to swipe credit card data, according to security expert Brian Krebs:

A spokesperson for Atlanta, Ga.-based Arby’s said the company was first notified by industry partners in mid-January about a breach at some stores, but that it had not gone public about the incident at the request of the FBI.

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems,” the company said in a written statement provided to KrebsOnSecurity.

“Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” their statement continued. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”

Arby’s said the breach involved malware placed on payment systems inside Arby’s corporate stores, and that Arby’s franchised restaurant locations were not impacted.

I really don’t think anyone knows the difference between franchised and corporate locations, and as a result customers will steer clear of both. But the use of malware to swipe credit card data isn’t new. Just ask Home Depot, who got hit by this a while back. But these attacks are clearly on the rise and companies need to ensure that they are defending themselves against this threat.