Author Archives: Graham Cluley

Hackers phish Butlin’s holiday camp chain, access customers’ personal data

Fabled British holiday camp chain Butlin’s has admitted that it has suffered a data breach that may have exposed details of 34,000 guests.

Personal information contained within the records accessed by hackers includes names, booking reference numbers, arrival dates, home addresses, email addresses, and telephone numbers.

According to a BBC News report, the attack is said to have happened in the last three days, and the precise number of affected guests is currently unclear.

The company, which has sites in Skegness, Bognor Regis, and Minehead, is at pains to point out in an advisory posted on its website that no financial information has been compromised, and says it will be contacting affected guests in the next few days.

Obviously, as the hackers appear to have made off with holidaymakers’ contact details, Butlin’s customers would be wise to be cautious of any approaches (via phone or letter) that request further personal information, such as financial details, perhaps under the guise of offering compensation.

Fraudsters could also attempt to trick unsuspecting customers into clicking on dangerous links that may attempt to phish further information from them.

The holiday camp company says that the hackers managed to gain access to its data after successfully phishing an employee via email.

If that’s the case then there will undoubtedly be speculation that the company did not have additional layers of authentication properly in place to prevent access to its systems by unauthorised parties – even if passwords were successfully phished.

The normal way to do this is with some form of two-factor authentication (2FA), where a six-digit code generated by an authentication app or token is entered alongside a static username and password.

Having multi-factor authentication in place is one of the ways in which companies can make it harder for remote hackers to access their sensitive data. In addition, systems can be put in place to warn workers that an email originated from outside the company, or to spot unusual data access. Furthermore, a good enterprise password manager can enforce the use of strong, unique passwords – and reduce the likelihood of them being entered on bogus phishing sites.

Butlin’s managing director Dermot King said that “Butlin’s take the security of our guest data very seriously and have improved a number of our security processes.”

Butlin’s has set up an email address for concerned customers to contact if they have any questions: dataenquiries@butlins.com

The data breach has been reported to the UK’s Information Commissioner’s Office (ICO) which has confirmed it is looking into the incident.

26.5 million Comcast Xfinity customers had their partial home addresses and SSNs exposed

Poor security measures have reportedly put the personal details of over 26.5 million Comcast Xfinity customers at risk, a researcher has revealed.

The post 26.5 million Comcast Xfinity customers had their partial home addresses and SSNs exposed appeared first on The State of Security.

Smashing Security #090: Fortnite for Android, and the FCC’s DDoS BS

Fortnite players are told they’ll have to disable a security setting on Android, the FCC finally admits that it wasn’t hit by a DDoS attack, and Verizon’s VPN smallprint raises privacy concerns.

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by computer security veterans Graham Cluley and Carole Theriault, joined this week by David Bisson.

Reddit hacked – but don’t give up on 2FA just yet

As you’ve probably heard in the news, Reddit has been hacked.

The immensely popular website says that it discovered a data breach in June, after an attacker compromised some employee accounts.

The employees’ accounts were protected with SMS-based two-factor authentication (2FA), which meant that an attacker not only had to steal a worker’s password, but also had to intercept the authentication token sent to their mobile phone.

Breaking into the accounts, the hacker was able to access databases and logs, including an unknown number of usernames and related email addresses, as well as encrypted passwords from a database dating back to the site’s early days in 2007.

Other data accessed included Reddit source code, internal logs, configuration files and other employee workspace files.

Perhaps the most worrying aspect for those Reddit users who joined after 2007 is that the hacker might be able to associate their username with their email address. After all, anonymity is one of the features that draws many users to Reddit, especially if participating in discussion groups on sensitive subjects or personal issues.

Reddit says that the reason some email addresses might be linked to users is because the hacker accessed logs containing the email digests the site sent between June 3 and June 17, 2018. In the United States, such email digests are enabled by default.

Reddit’s response to this is somewhat disappointing.

It says it plans to contact any users affected by the breach related to the 2007 database, but has made no such promises regarding the unknown (but potentially considerable) number of users who may have had their email address linked to their accounts.

Instead the company simply offers the rather lame suggestion of thinking about “whether there’s anything on your Reddit account that you wouldn’t want associated back to that address. You can find instructions on how to remove information from your account on this help page.”

And, of course, it’s a good idea to change your password to something unique and hard to crack if you believe it may have been compromised, and to enable 2FA.

Hang on? 2FA? Isn’t that what was exploited to break into the Reddit employees’ accounts?

Well, yes. But the 2FA offered to Reddit users isn’t based upon an SMS that can potentially be intercepted. Instead, users are offered the ability to get a Time-based One-Time Password (TOTP) generated by an authentication app.

SMS-based 2FA has been frowned upon in recent years, as attacks have become more common.

So-called “SIM swap” fraud (where scammers trick phone carriers into giving them control of your phone number) is not uncommon, and there are plenty of examples of identity thieves hijacking cellphone accounts in their pursuit of virtual currency – all because they have been able to intercept 2FA tokens sent via SMS.

But for all the criticism that SMS-based 2FA receives from computer security experts, I think we would be unwise to consider it utterly disastrous.

Yes, it would be better if users had a hardware token or a means of authenticating themselves which did not require receiving an SMS message, but SMS-based 2FA is certainly better than no 2FA at all.

Many attempts to break into accounts *will* be prevented by SMS-based 2FA, and most criminals will simply move on to another target who hasn’t bothered to defend their online life with an additional level of authentication.

In summary, harden your online accounts with multi-factor authentication. And if the only protection offered to you is SMS-based, use that rather than nothing at all. It may not stop a particularly determined attacker, but it will still give your accounts a higher level of defence than that used by most internet users.

Smashing Security #089: Data breaches, ransomware, Bitcoin robberies, and typewriters

Ransomware rears its head again, Dixons Carphone reveals its data breach was almost 1000% worse than they previously thought, a man is accused of stealing five million dollars worth of cryptocurrency through hijacking mobile phones, and a Canadian guy called Norman is rushing to get the typewriters out of storage.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by journalist Geoff White.

Prison inmates hacked tablets to earn $225,000 in credits

364 inmates in five of Idaho’s state prisons have exploited vulnerabilities in the JPay tablets they use to read email and access video games in order to boost their credit balances.

But what is a JPay tablet? And why would you want one if you are locked up in prison?

Well, if you find yourself in the unpleasant predicament of being incarcerated in prison, one of the many undesirable consequences is that you may well feel disconnected from the outside world.

But panic not, because correctional facilities across the United States are equipped with JPay video phone kiosks and email terminals that allow inmates to keep in touch with loved ones (at a price). The only challenge, aside from the cost of earning credits for low-paid prisoners, is that the devices can be popular and there can be long queues.

To get around that problem inmates can purchase a prison-issued JPay tablet, manufactured by technology firm Securus, which also makes the kiosks, through which they can access their messages, listen to music, and play videogames.

As Wired explains, these tablets aren’t themselves connected to the internet, but they can help avoid the lengthy queues at kiosks to read and write messages.

But what about the cost of sending messages? In Idaho, a single message costs just under 50 cents to send (you have to pay double if you want to attach a file). If you want to download a music file that may set you back $3.50.

It soon mounts up, especially when your prison wage may only be bringing in between 10 and 90 cents an hour.

And that was the incentive for 364 inmates to exploit a vulnerability in their JPay tablets to collectively accrue almost a quarter of a million dollars in their accounts.

Details of the flaw have not been made public by JPay, but a spokesperson for the Idaho Department of Correction said that the fraud could not be described as accidental:

“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account.”

The spokesperson confirmed that of the 364 prisoners involved, 50 had successfully credited their accounts by over $1,000. The largest amount credited to any single inmate was just under $10,000.

JPay has recovered over $65,000 worth of credits, and inmates have been suspended from downloading music and games until the company has been compensated for its losses. The prisoners are, however, still able to send and receive emails in the meantime, although some of their privileges could be lost.

Let’s just hope that the emails they’re sending aren’t “Letter from Idaho”-type scams designed to generate some urgent income to pay back the company they defrauded.

Senator calls on US Government to start killing Adobe Flash now

For some companies eradicating Adobe Flash content is going to be a significant job. And it may be an even bigger challenge for very large organisations, such as the US Government.

The post Senator calls on US Government to start killing Adobe Flash now appeared first on The State of Security.

Smashing Security #088: PayPal’s Venmo app even makes your drug purchases public

Websites still using HTTP are marked as “not secure” by Chrome, 85,000 Google employees haven’t been phished for a year, and if you’re buying drugs via PayPal’s Venmo app you should say goodbye to privacy.

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Scott Helme.

Here’s why Twitter will lock your account if you change your display name to Elon Musk

There’s bad news if your name really is “Elon Musk”.

You’re going to have to jump over some additional hurdles to convince Twitter that you should be allowed to change your display name to the one you share with the boss of Tesla and SpaceX.

Read more in my article on the Hot for Security blog.

UK university domains spoofed in massive fraud campaign targeting suppliers

Be on your guard if your company has received an order which appears to come from a UK university email address.

That’s the advice of Action Fraud, the UK’s national reporting service for fraud and financially-motivated cybercrime, after it saw a marked rise in the number of domains being registered that look very similar to genuine universities.

The domains are being registered by online criminals, who are using them to create lookalike email addresses with the intention of placing high-value orders with suppliers.

As Action Fraud explains, the criminals are using the bogus email addresses to commit distribution fraud.

Distribution fraud is where criminals place an order with a supplying company (often overseas) via email, posing as a well-known organisation. The ploy is often convincing because they will use an email address that looks similar to the genuine organisation’s and steal its branding.

Action Fraud says that in the current case, fraudsters are registering domains that are similar to genuine university domains such as xxxxacu-uk.org, xxxxuk-ac.org and xxxacu.co.uk.

Placing orders for a large quantity of expensive products (such as food, pharmaceuticals, or IT equipment), the fraudsters will avoid payment in advance by using faked purchase orders, bank transfer confirmation documentation, or by giving the organisation’s real address for invoicing.

However, the criminals ask for the delivery to be made to an address that does not belong to the spoofed organisation, or in some cases will contact the delivery driver en route to give them a new delivery address.

The end result is that the delivery is taken by the criminals without a payment being made, and any invoices a supplier sends to the organisation’s real address go unpaid.

Victims are said to have lost over £350,000 in total.

“This type of fraud can have a serious impact on businesses. This is why it’s so important to spot the signs and carry out all the necessary checks, such as verifying the order and checking any documents for poor spelling and grammar,” said Pauline Smith, director of Action Fraud.

Action Fraud offers some sensible advice on how to avoid being duped by criminals posing as a legitimate business making an order:

  • Ensure that you verify and corroborate all order requests from new customers. Use telephone numbers or email addresses found on the retailer’s website – do not use the details given on the suspicious email for verification purposes.
  • If the order request is from a new contact at an organisation that’s an existing customer, verify the request through an established contact to make sure it is legitimate.
  • Check any documents for poor spelling and grammar – this is often a sign that fraudsters are at work.
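The checks above are manual. As an added example (my own code, not Action Fraud’s), here is a Python helper a supplier’s mail gateway or order desk could use to flag sender domains that imitate a genuine university domain in the ways described above: the “ac” and “uk” tokens reordered or hyphenated, or the right name under the wrong suffix. The list of genuine domains is constructed and hypothetical; a flagged address is a prompt to verify the order through contact details found independently, exactly as the advice says.

```python
import re

# Constructed, hypothetical list of the university domains a supplier actually
# trades with; a real deployment would load this from the customer database.
GENUINE_DOMAINS = ("example.ac.uk", "university.ac.uk")


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header such as 'Buyer <buyer@example.ac.uk>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value)
    return m.group(1).lower().rstrip(".") if m else ""


def _collapse(s: str) -> str:
    """Strip dots and hyphens so 'acu-uk.org' and 'uk-ac.org' compare on letters only."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def is_genuine(domain: str, genuine=GENUINE_DOMAINS) -> bool:
    """True only if the domain is, or is a subdomain of, a genuine domain."""
    return any(domain == g or domain.endswith("." + g) for g in genuine)


def lookalike_of(domain: str, genuine=GENUINE_DOMAINS):
    """Return the genuine domain this one imitates, or None."""
    if is_genuine(domain, genuine):
        return None
    flat = _collapse(domain)
    for g in genuine:
        name, *suffix = g.split(".")  # "example", ["ac", "uk"]
        # Organisation name present plus every suffix token present somewhere
        # (in any order, punctuation removed) catches xxxxacu-uk.org,
        # xxxxuk-ac.org, xxxacu.co.uk and example.ac.uk.evil.org style domains.
        if _collapse(name) in flat and all(tok in flat for tok in suffix):
            return g
    return None


def classify_order_email(header_value: str, genuine=GENUINE_DOMAINS) -> str:
    """'genuine', 'lookalike' (hold the order and verify by phone) or 'unknown' (new customer)."""
    domain = sender_domain(header_value)
    if is_genuine(domain, genuine):
        return "genuine"
    if lookalike_of(domain, genuine):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers modelled on the patterns Action Fraud describes.
    for hdr in ["Procurement <orders@example.ac.uk>",
                "Procurement <orders@exampleacu-uk.org>",
                "Procurement <orders@exampleuk-ac.org>",
                "Procurement <orders@exampleacu.co.uk>",
                "Procurement <orders@example.ac.uk.evil.org>",
                "New Customer <buyer@supplier-example.com>"]:
        print(f"{hdr:48} -> {classify_order_email(hdr)}")
```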

This isn’t the first time that British universities have found their identities “cloned” by criminals.

Last year, Newcastle University warned that fraudsters had created what appeared to be a professional-looking website, posing as the university in an attempt to steal prospective pupils’ personal information including passport details and payment card information.

HOTforSecurity: UK university domains spoofed in massive fraud campaign targeting suppliers

Smashing Security #087: How Russia hacked the US election

Regardless of whether Donald Trump believes Russia hacked the Democrats in the run-up to the US Presidential election or not, we explain how they did it. And Carole explores some of the creepier things being done in the name of surveillance.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Free eBook: If your friend was put in charge of a cyber budget, what advice would you give them?

Graham Cluley Security News is sponsored this week by the folks at Nehemiah Security. Thanks to the great team there for their support!

If your friend was put in charge of measuring cyber risk at a large company, what advice would you give them?

Nehemiah Security created this guide to advance the risk management conversation amongst cyber professionals.

Many would claim they are able to pinpoint technical cyber risks. But few would profess a high level of confidence that they always deploy their resources to the biggest risks facing the company. Fewer still would say they effectively communicate this to their board.

This eBook will change the way you approach and frame cyber risk conversations within your business.

Download the eBook today!


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Average cost of a data breach exceeds $3.8 million, claims report

Data breaches are getting more expensive. That’s one of the findings of a new global study by the Ponemon Institute that examines the financial impact of a corporate data breach. So what is the actual cost of a data breach? Well, obviously it varies depending on the nature of the organisation that has lost control […]

The post Average cost of a data breach exceeds $3.8 million, claims report appeared first on The State of Security.

Smashing Security #086: Elon Musk submarine scams and 2FA bypass

Crypto scamming Thai cave scoundrels! $25 million to make anti-fake news videos! TimeHop data breach! Phone number port out scams!

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by B J Mendelson.

New iOS security feature can be defeated by a $39 adapter… sold by Apple

Yesterday Apple released a brace of updates for its software – fixing bugs and patching security holes in the likes of macOS, watchOS, tvOS, Safari, iTunes for Windows, iCloud for Windows, and iOS for iPhones and iPads.

The update for iOS, bringing it to version 11.4.1, is particularly interesting as it includes a new feature – “USB Restricted Mode.”

USB Restricted Mode is designed to disable an iPhone or iPad’s Lightning port, preventing it from transferring data, one hour after the device was last locked.

You can still charge your device after its Lightning port has been disabled, but you need to enter the device’s passcode if you wish to use the port to transfer data to and from it.

A support advisory from Apple shares more details:

“Starting with iOS 11.4.1, if you use USB accessories with your iPhone, iPad, or iPod touch, or if you connect your device to a Mac or PC, you might need to unlock your device for it to recognize and use the accessory. Your accessory then remains connected, even if your device is subsequently locked.”

“If you don’t first unlock your password-protected iOS device — or you haven’t unlocked and connected it to a USB accessory within the past hour — your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.”

Which sounds, of course, like bad news for law enforcement and intelligence agencies who may want to crack into a locked iPhone using tools like GrayKey. GrayKey, and similar tools, use the Lightning port to help anyone with physical access crack their way into a locked device – without having to manually guess the passcode.

Unfortunately for Apple, and customers who like to believe that their phone is private, a workaround has been discovered whereby police could prevent an iPhone or iPad entering USB Restricted Mode if they act quickly enough.

Researchers at Elcomsoft discovered that the one-hour countdown timer can be reset simply by connecting the iPhone to an untrusted USB accessory:

“In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.”

And where might you find such a compatible USB accessory that can prevent USB Restricted Mode from kicking in?

Look no further than Apple’s own online store, where the company will happily sell you a Lightning to USB 3 Camera Adapter for a mere $39. Chances are that there are even cheaper accessories which will do the job just as well.

Apple has successfully made the window of opportunity smaller for anyone (whether they be a member of law enforcement or not) to crack into an iPhone, but this discovery means that they have not closed it completely.

Apple will need to continue to strengthen the security and privacy of its mobile devices if it wishes to maintain its edge over many Android smartphones. Nice try with iOS 11.4.1 Apple, but we need you to do more.

Looking for another great cyber podcast? CyberTangent is your new home with expert guests every episode

Graham Cluley Security News is sponsored this week by the folks at Nehemiah Security. Thanks to the great team there for their support!

Nehemiah Security’s “CyberTangent” is a podcast focused on topics like Security Risk Management, Cyber Risk Analytics, Malware Hunting, and more.

This specific episode of “CyberTangent” features our favorite guest, Graham Cluley himself! In this episode, we get to know Graham a little better, starting with how he got into the cybersecurity space and ending with his “love language.”

Start listening now to “CyberTangent”!


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Smashing Security #085: Doctor Who, Facebook patents, and Bob’s Burgers

Doctor Who’s TARDIS has sprung a data leak, Facebook’s creepy patents are unmasked, and an app to keep women safe on dates has surprising origins.

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Get FREE threat intelligence on hackers and exploits with the Recorded Future Cyber Daily

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!

Recorded Future provides deep, detailed insight into emerging threats by automatically collecting, analyzing, and organizing billions of data points from the Web.

And now, with its FREE Cyber Daily email, all IT security professionals can access information about the top trending threat indicators – helping you use threat intelligence to make better decisions quickly and easily.

Which means that you will be able to benefit from a daily update of the following:

  • Information Security Headlines: Top trending news stories.
  • Top Targeted Industries: Companies targeted by cyber attacks, grouped by their industries.
  • Top Hackers: Organizations and people recognized as hackers by Recorded Future.
  • Top Exploited Vulnerabilities: Identified vulnerabilities with language indicating malcode activity. These language indicators range from security research (“reverse engineering,” “proof of concept”) to malicious exploitation (“exploited in the wild,” “weaponized”).
  • Top Vulnerabilities: Identified vulnerabilities that generated significant amounts of event reporting, useful for general vulnerability management.

Infosec professionals agree that the Cyber Daily is an essential tool:

“I look forward to the Cyber Daily update email every morning to start my day. It’s timely and exact, with a quick overview of emerging threats and vulnerabilities. For organizations looking to strengthen their security program with threat intelligence, Recorded Future’s Cyber Daily is the perfect first step that helps to prioritize security actions.” - Tom Doyle, CIO at EBI Consulting.

So, what are you waiting for?

Sign up for the Cyber Daily today, and starting tomorrow you’ll receive the top trending threat indicators.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Hitherto unknown marketing firm exposed hundreds of millions of Americans’ data

The detailed personal information of 230 million consumers and 110 million business contacts – including phone numbers, addresses, dates of birth, estimated income, number of children, age and gender of children - has been left exposed for anyone on the internet to grab.

Read more in my article on the Tripwire State of Security blog.

Ticketmaster breached for months, personal data stolen by hackers

Ticketmaster has warned customers that their personal information may have been compromised, after malicious code was discovered running on its website.

Up to 40,000 UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 are thought to be affected. In addition, international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018 may also be at risk.

Personal information compromised includes names, addresses, email addresses, telephone numbers, payment details and login details.

Which is all bad news of course, but how did the breach happen in the first place?

It appears that the malware was introduced to Ticketmaster’s site via a piece of external third-party code from Inbenta, a technology company that provides online chatbot and support ticketing services for websites.

As soon as Ticketmaster recognised the issue it disabled Inbenta’s code across all of its websites.

In a statement, Inbenta said that the source of the data breach was a “single piece of Javascript code” that had been customised specifically for Ticketmaster’s purposes. The code, Inbenta says, is not in use on any other company’s websites.

Inbenta says it has now resolved the vulnerability, but not before attempting to pass some of the blame onto Ticketmaster for using its risky code on a payment page:

“Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

Although it’s obviously trying to pass the buck, Inbenta certainly has a point. Embedding third-party JavaScript on an online payments page introduces risk. After all, if the third-party code gets compromised there is a danger that online criminals could use it to secretly steal payment card information.

Ticketmaster says that it has emailed all customers who it believes are affected by the security incident, and is offering 12 months’ free identity monitoring for those who have been impacted.

Potential victims are also advised to keep a close eye on their bank account transactions for signs of suspicious activity.

But aside from the financial risks, Ticketmaster customers would also be wise to look out for phishing scams, where an attacker might exploit the situation by sending out bogus emails purporting to come from the company.

Curiously, digital bank Monzo claims that it warned Ticketmaster that data had been compromised three months ago, in early April. In a blog post, the firm says that it met with members of Ticketmaster’s security team on 12 April, and was told that an internal investigation would take place.

“Over the course of Thursday 19th April and Friday 20th April, we sent out six thousand replacement cards to customers who had used their Monzo cards at Ticketmaster. We let them know that we were replacing their cards through their Monzo app, but didn’t name Ticketmaster as the reason at the time.”

“Throughout this period we were in direct contact with Ticketmaster. On Thursday 19th April, they told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.”

And yet Ticketmaster’s official statements say that it only discovered it had a serious security issue on June 23rd.

Smashing Security #084: No! My voice is not my password

Who’s been collecting the voice prints of millions of people saying “My voice is my password”? Why has it become tougher for law enforcement to scoop up cellphone data? And who’s been turning up your central heating?

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes from AMTSO.

Twitter gets physical – with support for hardware security keys

Twitter has given millions of users a way of making their accounts even harder to hack, with the introduction of support for physical keys.

Most Twitter users protect their accounts in the traditional way: username and password. As with any other internet account, such security is vulnerable to a number of threats including phishing or a user unwisely choosing the same password that they use elsewhere on the internet.

This is the primary reason that so many Twitter accounts have been compromised by hackers over the years.

High profile victims have included FC Barcelona, CNN, Burger King, Google CEO Sundar Pichai, Wikipedia’s Jimmy Wales, and Mark Zuckerberg.

One of the most notorious hijackings of a Twitter account occurred in 2013, when the Syrian Electronic Army managed to gain control of Associated Press’s Twitter account and posted a message saying that there had been an explosion at the White House and Barack Obama had been injured.

That bogus report knocked 61 billion dollars (briefly) off the Dow Jones Index.

If you’re sensible you have taken better steps than just a password to protect your Twitter account, and enabled two-step verification in the form of “Login Verification”. That adds an extra hurdle to the login process by asking for a code generated by a third-party app such as Google Authenticator or Authy to be entered.

For most people, this level of protection is probably enough.

But what if you want to go even further, and wish to add an even higher level of protection to your Twitter account, backed by a physical device?

If that’s you then you’ll be interested to read news buried inside a blog post detailing Twitter’s latest steps to combat spam and abuse on the site.

Twitter has revealed that you can now use a physical USB security key which supports the FIDO Universal 2nd Factor (U2F) standard when signing in with login verification.

The small key fobs require the user who is logging in to physically press a button to confirm their presence. Because the key’s signed response is bound to the website’s origin, it will only work on the real Twitter website, which provides a high level of protection against phishing sites: a lookalike domain cannot obtain a response that Twitter will accept.

Other websites which support FIDO U2F hardware keys – which are the same size and shape as a typical USB thumb drive – include Google, Facebook, Dropbox, GitHub, and Salesforce.

The security solution isn’t, of course, appropriate for all Twitter accounts. For instance, if you have a Twitter account which is shared by multiple users then you’ll face an obvious challenge ensuring that they all have access to the same physical security key.

All the same, it’s good to see Twitter’s security infrastructure continuing to mature, and methods being provided to better protect those accounts which might be considered most at risk.

You can find more details on how to set up your Twitter account so it requires security key verification on Twitter’s website.

Tesla saboteur caused extensive damage and leaked highly sensitive data, claims Elon Musk

Tesla CEO Elon Musk believes that the company is the victim of deliberate sabotage perpetrated by an employee.

According to CNBC, the high profile executive sent an email to Tesla employees this weekend alleging that there was a saboteur in the company’s ranks who had changed code in an internal product, logged into systems without authorisation, and leaked “large amounts of highly sensitive Tesla data to unknown third parties.”

In his email to staff, Musk says that the company is attempting to determine if the alleged saboteur was acting alone or working in cahoots with outsiders.

I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties.

The full extent of his actions is not yet clear, but what he has admitted to so far is pretty bad. His stated motivation is that he wanted a promotion that he did not receive. In light of these actions, not promoting him was definitely the right move.

However, there may be considerably more to this situation than meets the eye, so the investigation will continue in depth this week. We need to figure out if he was acting alone or with others at Tesla and if he was working with any outside organizations.

The nature of the data leaked, and details of which internal systems were accessed and tampered with were not made public. However, news of the “saboteur” email to Tesla staff comes hot on the heels of revelations of a “small fire” that halted the firm’s body production line on Sunday night.

In a separate email Musk called on staff to remain vigilant and adopt the maxim of former Intel chief Andy Grove:

Could just be a random event, but as Andy Grove said, “Only the paranoid survive.” Please be on the alert for anything that’s not in the best interests of our company.

Tesla recently announced it was slashing its workforce by at least nine per cent. It’s natural to speculate that if someone is sabotaging systems or leaking data that they might be a disaffected employee.

US Government warns of more North Korean malware attacks

With Donald Trump and Kim Jong Un exchanging handshakes and smiles at the Singapore security summit earlier this month, you may have been fooled into thinking that all was cordial between the United States and North Korea.

Look under the surface, however, and things may be rather different.

For instance, just days after the two countries signed a joint agreement at their unprecedented talks, the US Department of Homeland Security issued a warning about more malware being used by the North Korean government against US organisations.

The malware, dubbed “Typeframe”, is thought to be related to other attacks previously attributed to the Hidden Cobra hacking gang (also sometimes called “Lazarus” or “Guardians of the Peace”).

The hacking group has become notorious for its use of Remote Access Trojans (RATs), DDoS botnet attacks, keylogging spyware, and data-wiping malware in attacks against foreign companies.

Most recently, Chile’s second largest bank has confirmed that in late May it suffered a serious malware attack that breached its systems and disrupted its services.

That attack saw attackers use Hidden Cobra’s disk-wiping malware to distract attention, while some US $10 million was stolen via the SWIFT money transferring system.

If the attack was indeed the work of North Korea, it would be the latest in a long series of attacks on SWIFT which have allegedly stolen hundreds of millions of dollars for the pariah state.

And in the past, the US Government has even blamed Hidden Cobra for the notorious WannaCry ransomware attack, a claim which North Korea predictably denied.

In their latest report, the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) does not share details of how many computers may have been infected by Typeframe, or what industries may have been targeted.

However, it does share a technical analysis of 11 malware samples (Windows executable files and a Microsoft Word document) that attempt to download and install spyware, connect to command and control servers, and meddle with victims’ firewalls to allow incoming connections.

All of the malware samples appear to have been compiled before the Singapore security summit was announced.

To better defend against the Typeframe attacks, organisations are being urged by US-CERT to look for indicators of compromise – detailed within the report – by reviewing network logs for the listed IP addresses, and by deploying the network signatures and host-based rules it provides.