Archive for Security

Stop Using Text Messages For Authentication RIGHT NOW

Posted in Commentary with tags on March 18, 2021 by itnerd

This week, a stunning story from Vice revealed how easy it is for an attacker to steal your text messages and do evil things with them. Let me illustrate how easy it is:

  • Pay a trivial sum of money.
  • Convince a VoIP wholesaler that they’re a reseller.
  • Sign a form swearing that they’re allowed to route messages to your number to another number.
  • Pwnage

Why is this important? It’s important because a lot of people use text messages as a means to do two-factor or multi-factor authentication for websites and other online accounts. Which means that if someone has access to your text messages, they have access to any account that uses text messages for authentication.

While that sounds scary, and it should sound scary, there are ways to protect yourself from this. You should be using a dedicated two-factor authentication app that requires physical access to your hardware—typically your phone—to finish the login process for an account. Examples of this would be Microsoft Authenticator or Google Authenticator, which bypass text messages to deliver the codes required for two-factor or multi-factor authentication. It also means that the bad guys need physical access to your phone to try and break into your online accounts. Quite simply, that’s not going to happen.

But there’s one slight problem. What if the service that you need to use only uses text messages for authentication? Then I guess you are kind of stuck. Sort of. You can use a service like this one to monitor if, or when, your phone number’s texts are routed elsewhere. And a really, really strong password helps too. Along with not using obvious answers for your security questions.

Do you have any other suggestions that can help all of us keep our online accounts safe? If you do, leave them in the comments and share your thoughts.

Someone Just Tried To Phish Me To Get My Email Credentials….. So I Went Down The Rabbit Hole To See What Their Scheme Was

Posted in Tips with tags on February 9, 2021 by itnerd

I was having a busy morning that had just calmed down when I got an email that looked like this:

Now I redacted some info because James Hayes appears to be a real person and I don’t want to embarrass him, as it appears that his email has either been pwned by hackers or taken over by hackers outright. Likely the latter, as I will illustrate in a second. But the fact is that this to me looks like a classic phishing email. I verified that by using the “Quick Look” function:

Again, I’ve redacted some info to protect the real James Hayes.

The quality of the English (or more accurately the lack of quality) reinforces my opinion that this is a phishing email. I assumed that if I emailed James Hayes to inform him that his email was hacked, he would take action. However, I got an almost instant response from him…. Or more accurately someone pretending to be him:

This further reinforces the fact that this is a phishing email as the English isn’t any better and it wants my “valid EMAIL” to view whatever “document” he sent me. But in the interest of science, I went down the rabbit hole. Opening the link in Chrome brought me to the page that I saw in Quick Look. Clicking on “REVIEW DOCUMENT” took me to this page:

Now this isn’t a web page that belongs to Microsoft, as evidenced by the URL above. It is a page that is clearly intended to fool you into thinking that this is a web page that belongs to Microsoft so that the miscreants behind this phishing attack can grab your email credentials. To go further down this rabbit hole, I used a throwaway email address that I have specifically for testing out stuff like this. But it’s tied to the Microsoft Authenticator app, which enables multi-factor authentication. What that means is that if this is a legitimate Microsoft page, which I already know it isn’t, Microsoft Authenticator on my iOS device should immediately alert me to enter my second factor to let me access this document that I supposedly have to review. If it doesn’t do that, then I know it is a phishing attack. The thing is that the scumbags behind this attack still won’t be able to get in, and I can just change the password later because I have Microsoft Authenticator. So I did that, first with an incorrect password, and here’s the result:

The first interesting thing is that the word invalid is spelled “inValid”, which further supports the conclusion that this is a phishing page. The second thing is that it somehow knew that I had entered an incorrect password. That was interesting. So I entered my actual password and sure enough, Chrome served this up to me.

Proof positive that this is a phishing site. My guess is that they were after my email account to launch more involved email attacks. Like trying to scam money, for example, since attacks on Office 365 accounts for that purpose, among other things, are a trend at the moment. But they won’t be able to use my throwaway account due to the fact that I’ve used multi-factor authentication to stop that from happening. Plus I have changed the password. Now because I have Microsoft Authenticator installed, I can see what the miscreants do and what IP address they come from, so that maybe I can figure out who they are. I’ll keep you posted on what I find out. But if you get an email like the one I got, don’t click on anything. Simply delete it and move on with your day, as that is the best way to protect yourself from something like this.
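The giveaway in the story above was the URL in the address bar. As an added example (not part of the original post), here is the check a user or a mail filter can apply to a link before trusting a sign-in page: it reduces the URL to the host the browser will actually connect to and accepts only an exact match against known sign-in hosts. The two Microsoft hosts in the allow-list are an assumption of this example, as are the `review-doc.example` sample URLs, which are constructed.

```python
from urllib.parse import urlsplit

# Hosts on which Microsoft account sign-in genuinely takes place. Assumption for
# this example; keep such a list in sync with your identity provider's documentation.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


def classify_login_url(url: str) -> str:
    """Return 'trusted' only for an https URL whose host is exactly one of the
    known sign-in hosts; otherwise name the reason the link looks wrong."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    if not host:
        return "suspicious: no host in URL"
    if parts.username is not None:
        # https://login.microsoftonline.com@review-doc.example/ - everything before
        # the '@' is userinfo; the browser connects to what comes after it.
        return f"suspicious: trusted-looking text before '@', real host is {host}"
    if parts.scheme != "https":
        return "suspicious: sign-in page not served over https"
    if any(ord(ch) > 127 for ch in host) or host.startswith("xn--") or ".xn--" in host:
        return "suspicious: internationalized host, check for look-alike letters"
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted"
    for trusted in TRUSTED_LOGIN_HOSTS:
        if host.endswith("." + trusted):
            # a genuine subdomain of the trusted domain, but not the sign-in host itself
            return f"untrusted: subdomain of {trusted}, not the sign-in host"
        if trusted in host:
            # login.microsoftonline.com.review-doc.example: the real domain is at the end
            return f"suspicious: embeds {trusted} inside an unrelated domain"
    return f"untrusted host {host}"


if __name__ == "__main__":
    for link in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com.review-doc.example/office",
        "https://login.microsoftonline.com@review-doc.example/",
        "http://review-doc.example/",
    ):
        print(f"{link}\n  -> {classify_login_url(link)}")
```

The same logic explains why the phishing page could tell a wrong password from a right one without being Microsoft: the host that received the credentials was never Microsoft's, so whatever it did with them happened on the attacker's side.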

Check Point Security Report Says That Amazon Alexa Were Subject To Extensive Levels Of Pwnage

Posted in Commentary with tags on August 17, 2020 by itnerd

A report from Check Point Security researchers paints a pretty scary picture of how secure smart home devices are. Specifically Amazon Alexa products:

Our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting. Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.

These vulnerabilities would have allowed an attacker to:

  • Silently install skills (apps) on a user’s Alexa account
  • Get a list of all installed skills on the user’s Alexa account
  • Silently remove an installed skill
  • Get the victim’s voice history with their Alexa
  • Get the victim’s personal information

In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill.

Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker.

Now all of those issues have been fixed. But it really makes one think twice about having these devices in their homes, as it seems really wrong that a third-party company is doing the sort of due diligence that the makers of this gear should be doing. The thing is that companies who create these devices have to have security as the top priority if they want consumers to buy their gear. Thus the best way for you to get the most secure smart home gear is to demand and expect better from these companies.
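The report's root cause was a CORS misconfiguration: a server that echoes whatever `Origin` header it receives while also allowing credentials lets any site a logged-in victim happens to visit read the authenticated response, which is how a CSRF token on a page becomes readable to an attacker. The following is an added example, not Check Point's or Amazon's code, contrasting that reflecting policy with an exact-match allow-list, plus a small mirror of the browser's response-side decision so the difference can be tested. The origins in `ALLOWED_ORIGINS` and the `attacker.example` origin are constructed.

```python
from typing import Dict, Optional

# Origins that legitimately host the web front end (constructed for this example).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """WEAK policy of the kind the report describes: echo whatever Origin the
    browser sent and allow credentials. The victim's cookies ride along with
    the cross-site request and the attacker's page may read the response."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlist(origin: Optional[str]) -> Dict[str, str]:
    """Hardened policy: exact string match against a fixed set (no prefix,
    suffix or regex matching, which is how look-alike origins slip through),
    reject the opaque 'null' origin, and send Vary: Origin so a shared cache
    never replays an allowed response to a different origin."""
    headers = {"Vary": "Origin"}
    if origin is None or origin == "null":
        return headers
    if origin.lower() in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_can_read(headers: Dict[str, str], requesting_origin: str,
                     with_credentials: bool = True) -> bool:
    """Mirror of the browser's response-side CORS check. With credentials the
    response must echo the exact origin and carry Allow-Credentials: true; a
    wildcard is refused when cookies were attached."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        return (acao == requesting_origin
                and headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == requesting_origin


if __name__ == "__main__":
    attacker = "https://attacker.example"
    print("reflecting policy readable from attacker page:",
          browser_can_read(cors_headers_reflecting(attacker), attacker))
    print("allow-list policy readable from attacker page:",
          browser_can_read(cors_headers_allowlist(attacker), attacker))
```

When auditing a site, the reflecting behaviour is easy to spot: send a request with an unrelated `Origin` and see whether it comes back verbatim in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`.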

Study Shows That Every Router Has Flaws…. Here’s How To Minimize Your Risk

Posted in Commentary with tags on July 7, 2020 by itnerd

Most people think that home routers are “plug in and forget” items that allow them to get their devices onto the Internet without having to think about it any further. Except that they aren’t “plug in and forget” devices. They provide security for your home network, which means that you have to make sure that the firmware is up to date. That also requires that the vendor of the router is on top of security threats and the like, and that they are putting out firmware for you to install.

That’s where this study from the Fraunhofer Institute for Communication comes in. It involved 127 routers from seven manufacturers and found the following:

  • The researchers compared the firmware images from each tested router with known vulnerabilities and exploits, and the findings were disturbing. Many of the routers were found to be affected by hundreds of known vulnerabilities. Not a single router tested was found to be without at least one known vulnerability. And 46 of the routers tested had not received an update in the last year. And 22 had not updated in the last two years. In the worst case, some routers were found to have not been updated in five years.
  • Even when routers had received updates, 50 were found to use hard-coded qualifications: The username and password were encoded into the router as a default, meaning that attackers could easily gain access.

Then there’s the question of who makes security a top priority. Here’s the answer:

Nonetheless, vendors seem to prioritize security differently. AVM in particular does a better job than the other vendors regarding most of the security aspects. However, AVM routers are not flawless either. ASUS and Netgear do a better job on some aspects than D-Link, Linksys, TP-Link and Zyxel.

Now while I could quibble about aspects of this study, I think the study paints a pretty stark picture. And router companies need to up their game. But until they get around to doing that, here’s my advice to minimize your risk:

  1. Buy a router from a company that is known to have frequent updates to their products, and who has a track record for updating their products over the long term.
  2. Check for updates frequently and apply them ASAP. Because hackers are not looking for routers that are up to date. They’re looking for the ones that aren’t.
  3. Check the router logs from time to time to make sure that there’s no funny business going on in terms of someone trying to break into your network.
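Step 3 is easier to keep up with if the reading is automated. As an added example (not from the original post or the Fraunhofer study), the script below pulls failed-login events out of syslog-style router log lines, flags any source address that piles up failures inside a short window, and separately flags any failure that came from outside the LAN, since even one of those means the management interface is reachable from the Internet. The log lines are constructed for this example (the addresses are documentation ranges), and the year and LAN prefixes are assumptions to adapt to your own device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample lines in a syslog-like layout. Real routers differ, so the
# two regular expressions below are the parts to adapt to what yours emits.
SAMPLE_LOG = """\
Jul 07 02:14:01 router dropbear[812]: Bad password attempt for 'admin' from 203.0.113.45:51022
Jul 07 02:14:03 router dropbear[812]: Bad password attempt for 'admin' from 203.0.113.45:51030
Jul 07 02:14:05 router dropbear[812]: Bad password attempt for 'root' from 203.0.113.45:51041
Jul 07 02:14:06 router dropbear[812]: Bad password attempt for 'admin' from 203.0.113.45:51052
Jul 07 02:14:08 router dropbear[812]: Bad password attempt for 'admin' from 203.0.113.45:51060
Jul 07 07:30:12 router httpd[455]: Login failed for user admin from 192.168.1.23
Jul 07 07:30:40 router httpd[455]: Login successful for user admin from 192.168.1.23
Jul 07 09:01:00 router dnsmasq-dhcp[300]: DHCPACK(br-lan) 192.168.1.50
"""

LINE_RE = re.compile(r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+: (?P<msg>.*)$")
FAIL_RE = re.compile(r"(?:Bad password attempt|Login failed).*?from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def failed_logins(log_text: str, year: int = 2020) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, source IP) for every failed login. Syslog omits the
    year, so the caller supplies it (2020 assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.search(m.group("msg"))
        if not f:
            continue
        ts = datetime.strptime(f"{year} {m.group('stamp')}", "%Y %b %d %H:%M:%S")
        events.append((ts, f.group("ip")))
    return events


def flag_bruteforce(events: List[Tuple[datetime, str]], threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Sliding window per source IP: return IPs with at least `threshold`
    failures inside any interval of length `window`, with the peak count."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def external_sources(events: List[Tuple[datetime, str]],
                     lan_prefixes: Tuple[str, ...] = ("192.168.", "10.")) -> Set[str]:
    """Failed logins from outside the LAN (prefixes are an assumption; set
    yours). Any hit means remote administration is exposed to the Internet."""
    return {ip for _, ip in events if not ip.startswith(lan_prefixes)}


if __name__ == "__main__":
    events = failed_logins(SAMPLE_LOG)
    print("failed logins:", len(events))
    print("brute-force sources:", flag_bruteforce(events))
    print("failures from outside the LAN:", external_sources(events))
```

A single mistyped password from a LAN address (the `192.168.1.23` line) is left alone, while a burst from an Internet address is reported twice: once for volume and once simply for coming from outside, which is the finding that should send you to the router's remote-management setting.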

TikTok Doesn’t Belong On Your Phone Because It Is A Privacy & Security Nightmare Says Security Researcher

Posted in Commentary with tags on July 3, 2020 by itnerd

According to a security researcher who posted to Reddit, TikTok is one app that, if you value your privacy and security, you need to delete ASAP. Here’s why:

TikTok is a data collection service that is thinly-veiled as a social network. If there is an API to get information on you, your contacts, or your device… well, they’re using it.

  • Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
  • Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)
  • Everything network-related (ip, local ip, router mac, your mac, wifi access point name)
  • Whether or not you’re rooted/jailbroken
  • Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC
  • They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

The stuff that I’ve listed above is pretty bad. But it gets worse:

Here’s the thing though.. they don’t want you to know how much information they’re collecting on you, and the security implications of all of that data in one place, en masse, are f**king huge. They encrypt all of the analytics requests with an algorithm that changes with every update (at the very least the keys change) just so you can’t see what they’re doing. They also made it so you cannot use the app at all if you block communication to their analytics host off at the DNS-level.

For what it’s worth I’ve reversed the Instagram, Facebook, Reddit, and Twitter apps. They don’t collect anywhere near the same amount of data that TikTok does, and they sure as hell aren’t outright trying to hide exactly whats being sent like TikTok is. It’s like comparing a cup of water to the ocean – they just don’t compare.

This is just downright scary. And this Reddit thread is gaining attention. Security company Zimperium had its own look at TikTok and it says it’s a security risk. Anonymous has said to “delete this Chinese spyware now.” The Pentagon advises that TikTok should be deleted from phones. Something that the US Army has taken heed of. And while this likely has more to do with a border issue between China and India, the latter has banned a pile of Chinese apps, which includes TikTok.

The point is that it’s pretty clear that TikTok is a security risk of epic proportions. If you value your security, I would read the Reddit thread and then make your own decision as to whether TikTok deserves a place on your smartphone. Or your kids’ smartphone for that matter.

Beware! A New Type Of Dangerous Mac Ransomware Is Making The Rounds

Posted in Commentary with tags on July 2, 2020 by itnerd

Wired has a story on a new type of Mac ransomware that is out there. Now if you don’t download pirated software, this isn’t a threat to you. At least not at the moment. But that is likely to change given how sophisticated this ransomware is:

The threat of ransomware may seem ubiquitous, but there haven’t been too many strains tailored specifically to infect Apple’s Mac computers since the first full-fledged Mac ransomware surfaced only four years ago. So when Dinesh Devadoss, a malware researcher at the firm K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. It turns out, though, that the malware, which researchers are now calling ThiefQuest, gets more interesting from there. In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or “second stage,” attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Though ThiefQuest is packed with menacing features, it’s unlikely to infect your Mac anytime soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton. K7’s Devadoss notes that the malware itself is designed to look like a “Google Software Update program.” So far, though, the researchers say that it doesn’t seem to have a significant number of downloads, and no one has paid a ransom to the Bitcoin address the attackers provide. […] Given that the malware is being distributed through torrents, seems to focus on stealing money, and still has some kinks, the researchers say it was likely created by criminal hackers rather than nation state spies looking to conduct espionage.

Clearly this is pretty sophisticated stuff and the means of distributing it will likely become more targeted over time as I cannot see the authors of this ransomware sticking with the method of hoping that you will download pirated software. I say that because whoever designed this clearly has something more “interesting” in mind.

Here’s some general advice for you. Back up your files every single day. That way if you get infected by ransomware, you can just nuke the computer, restore your files and go on with your life without paying the ransom. And by the way, paying the ransom is something that you should never, ever do, as it only encourages the scumbags who make ransomware. And you might not get your files back either. Which means that you handed these scumbags your money for no good reason.

Israeli Company Claims That It Can Gather An Individual’s Cloud-Hosted Data From Apple, Google, Microsoft & More

Posted in Commentary with tags on July 19, 2019 by itnerd

Israel-based NSO Group is making noise today by making some stunning claims. The Financial Times has details, but let me boil it down for you. In short, this company has been telling its government customers that its Pegasus malware can now extract far more data about any given individual. Specifically, it can snag data on the person’s smartphone, as well as covertly retrieve all of the information that person has stored on servers owned by Apple, Google, Microsoft, Facebook and Amazon. This is a stunning revelation, assuming that this is true of course. Which it could be, because this is the same group who hacked WhatsApp back in May. That forced an emergency patch to be issued by Facebook, who owns WhatsApp.

Now Apple, Amazon and Microsoft have put out statements saying they’re investigating this threat. And the word on the street is that Apple has blocked previous versions of this malware before. So this may either become a non-factor very quickly, or it might be the start of a game of cat and mouse that has users of these devices in the middle.

UPDATE: Mike Beck, Global Head of Threat Analysis for Darktrace reached out to me with this comment:

“This news highlights the reality of the cyber arms industry – private organisations, of which NSO is one example, are developing and selling spyware which is then often used by government agencies to catch sophisticated criminals. It stands to reason that national governments who are not equipped with large national intelligence budgets will look to the private sector to provide this capability.

However, if private sector companies are authorised to develop cyber weapons, outside of the accountability of government institutions, there are concerns about how these tools can be used. In the wrong hands, we could see this malware used to collect intelligence on average citizens and even used against nation-states, as part of cyber-warfare.

As the world’s attitude towards cyber-security matures, we can expect international law to control the use of these weapons. Meanwhile the likes of Apple, Google and Facebook will need to demonstrate that they can identify security threats and intervene rapidly, before user data is breached. AI will be a necessary ally to achieve this, given the complexity of today’s threat landscape, and the volume and diversity of the data systems that require protecting.”

Zoom Fixes Vulnerability After Saying That It Wouldn’t Fix It…. But This Isn’t Over Yet

Posted in Commentary with tags on July 10, 2019 by itnerd

Yesterday I wrote about a pretty bad vulnerability with the Zoom videoconferencing product where a malicious web page could be used to take control of the video camera on a Mac. On top of that it was also discovered that when you install Zoom on a Mac, it installs a web server without your knowledge, and said web server can reinstall Zoom if you get rid of it without user interaction.

Now all of this was pretty bad. But Zoom’s initial response, via this ZDNet article, was worse:

Video conferencing company Zoom has defended its use of a local web server on Macs as a “workaround” to changes that were introduced in Safari 12.

The company said in a statement that it felt running a local server in the background was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.

Well, I guess the blowback from that was epic because by that evening, Zoom had pushed out an emergency update that did the following:

  • The local web server will be completely removed on that device once the update is completed.
  • Zoom is adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server.

Seeing as they took such quick action, the cynic in me says that they could have addressed this at any time but chose not to until this blew up. This is further bolstered via this statement from the company’s blog:

We appreciate the hard work of the security researcher in identifying security concerns on our platform. Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service. In response to these concerns, here are details surrounding tonight’s planned Zoom patch and our scheduled July release this weekend:

Just for fun, look at this blog entry and see how haphazard the company’s response is. It looks like a really, really bad exercise in crisis management. Also, based on how the company responded, you have to wonder if Zoom should be the company that provides your organization’s video conferencing services.

In any case, the fun isn’t over yet. In an update to his original Medium post, Jonathan Leitschuh, who is the guy that discovered this flaw, is now saying that the vulnerability that plagued Zoom for Mac is also present in RingCentral, which is basically a white-labeled version of Zoom. Thus if you run RingCentral, consider yourself warned that this vulnerability exists with that product as well.

Marriott Is Looking At A $123 Million Fine For Their Massive Data Breach In 2018

Posted in Commentary with tags on July 10, 2019 by itnerd

You might recall that the Marriott hotels chain got hit with a massive data breach in which I was personally affected because I have stayed at a few of their hotels in the last few years. Well, Marriott is looking at a massive fine because of it thanks to the UK Information Commissioner’s Office (ICO):

Following an extensive investigation the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

The £99,200,396 fine translates to roughly $123 million USD. And if the agency who is handing out this fine sounds familiar, it’s the same group of people that wants to serve up a massive fine on British Airways because of their data breach. Now like British Airways, Marriott has said that it would contest the fine. But the fact that these fines are being handed out is a good thing. Companies that handle personal data need to understand that if they screw up and lose control of this data, they will be held accountable and it will hurt. So I am all for these mega fines being handed out, as it sends a message that companies cannot ignore.

Zoom Has A Serious Vulnerability That Can Trigger Video Calls With Almost Zero User Interaction

Posted in Commentary with tags on July 9, 2019 by itnerd

Security researcher Jonathan Leitschuh has discovered a serious vulnerability with the highly popular Zoom Video Conferencing service. In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed. Which of course is not good. There was another issue that he discovered that allowed any web page to do a denial of service attack on the Mac. But that was patched leaving the original vulnerability in play. Leitschuh disclosed the problem to Zoom in late March and gave the company 90 days to fix the issue. But it wasn’t fixed and thus he’s going public.

But there’s more to this story. When you install Zoom on a Mac, it installs a localhost web server as a background process. The purpose of this web server is to accept requests that regular browsers wouldn’t, such as whatever Zoom needs to do to facilitate video conferencing. What gets my attention is that this service can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page. Which is very sketchy in my mind. That means that uninstalling Zoom won’t solve this issue. And it also sounds kind of malware-like.

Now you can mitigate this attack vector by disabling the setting that allows Zoom to turn on your Mac’s camera when joining a meeting. But the real fix is to uninstall everything related to Zoom and not use it at all. The bottom of the Medium post includes a series of Macintosh Terminal commands that will uninstall the web server completely. I would strongly suggest that you go that route, as that’s the best way to protect yourself.

Now what does Zoom have to say about this? Well in this ZDNet article, they had this to say:

Video conferencing company Zoom has defended its use of a local web server on Macs as a “workaround” to changes that were introduced in Safari 12.

The company said in a statement that it felt running a local server in the background was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.

That to be blunt is total crap. They should be completely aware that now that this is public, there will be attacks inbound using this vulnerability. On top of that, the bad press from this is guaranteed to drive customers away from using their service. I’ve already had a few inquiries from clients of mine and my advice is simple. Don’t use Zoom for videoconferencing purposes until they can demonstrate that it is secure and they don’t need to do the sorts of things that they were caught doing so that their users can have a “seamless” experience.

UPDATE: In a blog post, Zoom says that there is no indication this vulnerability was ever taken advantage of because if a person did click on a malicious link, it would be readily apparent that a video call started (and thus their webcam was hijacked) because the Zoom client user interface runs in the foreground upon launch. Which may be true but isn’t the point anymore. The point is that they reacted poorly to this issue. Having said that, the company did say a fix was inbound. I’d love to know if that fix addresses all the issues that I raised in this article. Because if it doesn’t, I’ll continue to recommend that you avoid Zoom because of the potential risk that it poses.