Author Archives: Graham Cluley

Toyota Australia driven offline by cyber attack, as heart hospital hit by ransomware

Car maker Toyota admitted earlier today that it had suffered what appears to have been a malware attack at its facilities in Melbourne, Australia, which knocked out its website and other communications.

The post Toyota Australia driven offline by cyber attack, as heart hospital hit by ransomware appeared first on The State of Security.

139 US bars, restaurants and coffeeshops infected by credit-card stealing malware

North Country Business Products (NCBP), a provider of point-of-sale systems, has revealed that 139 of its clients have been hit by a malware infection that stole the payment card details of consumers.

Retailers at dozens of locations across the United States that used NCBP’s hardware and software to process payments may have been affected by the attack, which is thought to have started on January 3, 2019, and continued until January 24.

Affected outlets include – amongst others – branches of Dunn Brothers Coffee, Someburros, Holiday Inn, and Zipps Sports Grill. Details potentially stolen by the unnamed malware include the cardholder’s name, credit card number, expiration date, and CVV security code.

There’s really nothing consumers can do to avoid being hit by malware that has infected point-of-sale devices, other than paying in cash.

Visitors to NCBP’s website are currently being greeted by a link to a stark announcement about the data breach.

The problem is, you’ve probably never heard of NCBP. It’s extremely unlikely that you know whether a restaurant, coffee shop or bar that you visited relied upon NCBP’s point-of-sales technology or not.

And the problem for NCBP is that although it can reach out to the 139 restaurants that it believes may have had their point-of-sales systems compromised, it has no way of contacting the actual customers who made purchases with the debit and credit cards.

After all, when you buy a coffee it’s normal to make a payment with your card. It’s not likely that you were asked for your address.

It seems to me that there are only two ways you’re likely to discover that you have been impacted by the North Country Business Products security breach.

You’ll either notice (or have your bank notice) some suspicious purchases on your credit or debit card, or you’ll have visited NCBP’s website and checked the long list of known establishments and locations included in the breach.

And just how likely is it that people will even hear about this breach, let alone go to check if they have purchased something from one of the affected restaurants?

If you do believe that you might have had your payment card details compromised, you may choose to place a security freeze on your credit file, stopping anyone else from accessing your financial details.

Smashing Security #116: Stalking debtors, Facebook farce, and a cyber insurance snag

How would *you* track someone who owed you money? What was the colossal flaw Facebook left on its website for anyone to exploit and hijack accounts? And what excuse are insurance companies giving for not paying victims of the NotPetya malware millions of dollars?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Joe Carrigan of the Information Security Institute at Johns Hopkins University.

Google in hot water after not revealing it had hidden a secret microphone in home alarm product

As if some folks weren’t concerned enough about the infiltration of potentially privacy-busting devices into the home, Google has admitted it did not disclose that it hid a secret microphone inside one of its products.

Owners of the Nest Secure were surprised earlier this month to read an announcement from Google that it was adding a new voice control feature to its home alarm product:

“Starting today, we’re adding a feature to Nest Secure to do just that: the Google Assistant will be available on your Nest Guard, so you can ask it questions like, “Hey Google, do I need an umbrella today?” before you set your alarm and leave the house.* Nest Guard is the brains of your Nest Secure; it contains a keypad and all the smarts that power the system. It’s usually placed in a spot with lots of traffic (like the front doorway) making it useful as you come and go.”

Why the surprise? Well, until then nobody had known that the Nest Secure alarm was capable of listening to anything.

Sure, it could sense motion in your household, it could know if a door or window was open, and even allow you to remotely turn your home alarm on. But nobody knew, and Google chose never to tell anyone, that there was a microphone hidden within the device.

A microphone that could be enabled via a software update.

Google says it goofed by keeping the microphone secret:

“The on-device microphone was never intended to be a secret and should have been listed in the tech specs. That was an error on our part.”

It went on to explain to Business Insider that it’s not unusual for security systems to have built-in microphones:

“The microphone has never been on and is only activated when users specifically enable the option.”

“Security systems often use microphones to provide features that rely on sound sensing. We included the mic on the device so that we can potentially offer additional features to our users in the future, such as the ability to detect broken glass.”

And I accept that there are good reasons why some people may want their home security systems to have microphones. But it seems underhand to me for a company to build a microphone into its device and not tell anyone about it.

With a growing tide of concern over IoT security and privacy, and the amount of personal data gobbled up by tech giants, it seems very shortsighted for Google to have overlooked revealing the existence – even if unused – of a hidden listening device.

Amazon and Google are market leaders when it comes to home assistants, and there are millions of folks who have excitedly placed them in their homes. However, there are also plenty of folks who shudder at the thought of what they view as devices spying on them, and their strongly-held opinions should be respected.

Why real-time intelligence matters for managing third-party risk

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!

As leading companies in every industry today are undergoing digital transformation, the lines are blurring between any one organization and its partners, suppliers, vendors, and other third parties.

In this new report, ESG examines how these business relationships can introduce new risks that need to be identified and managed “as if these third parties were part of the enterprise itself.”

Download your copy now of “Third-Party Risk: Why Real-Time Intelligence Matters”

About Recorded Future

Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. We empower organizations to reveal unknown threats before they impact business, and enable teams to respond to alerts 10 times faster. To supercharge the efforts of security teams, our technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data.

Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies. 91 percent of the Fortune 100 use Recorded Future.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

HOTforSecurity: 450,000 usernames and passwords stolen from Coinmama cryptocurrency broker

Coinmama, a site that is supposed to “make it fast, safe and fun” to buy Bitcoin and Ethereum with a credit card, has suffered a data breach that has resulted in almost half a million customers having their personal details exposed.

Coinmama says that it believes the breached data involves approximately 450,000 email addresses and hashed passwords of users who registered for accounts up until August 5th, 2017.

In an advisory published on its website, Coinmama linked the data leak to a wider wave of breaches that has affected at least 30 different websites (including MyFitnessPal, Houzz, and Coffee Meets Bagel) and impacted hundreds of millions of users.

The data is being sold on underground criminal websites in batches for tens of thousands of dollars.

In the latest data bundle offered by the hacker calling themselves Gnosticplayers, Coinmama’s 450,000 records are being offered alongside:

  • 57 million records stolen from interior design site Houzz
  • 40 million records stolen from video streaming site YouNow
  • 18 million records stolen from travel booking site Ixigo
  • 5 million records stolen from multiplayer online game Stronghold Kingdoms
  • 4 million records stolen from tabletop role-playing gaming site Roll20
  • 1.8 million records stolen from file sharing site Ge.tt
  • 1 million records stolen from pet care delivery service PetFlow

The Coinmama-related data is currently being offered by the hacker for 0.351 Bitcoin (US $1358), with the promise of as many as 70,000 cracked passwords.

Clearly, Coinmama users would be wise to change their password at the earliest opportunity – particularly if they created their account before August 2017. Furthermore, it makes sense – as with all data breaches which may lead to passwords being exposed – to ensure that the same password is not being reused anywhere else on the internet.

Interestingly, security researchers have noticed that many of the databases breached by Gnosticplayers appear to have been running the same software: PostgreSQL.

There is considerable speculation that the hacker may have exploited a vulnerability in the open source PostgreSQL software to trick websites into spilling their precious data.

According to TechCrunch, the coders who work on PostgreSQL are not aware of any current security holes – patched or unpatched – that might have been exploited by the hacker to steal the data.

“There are many factors that need to be taken into consideration when securing a database system that go beyond the database software. We have often found that data breaches into a PostgreSQL database involve an indirect attack vector, such as a flaw in an application accessing PostgreSQL or a suboptimal policy around data management,” said Jonathan Katz. “When it comes to vulnerabilities, the PostgreSQL community has a dedicated security team that evaluates and fixes issues and, in the spirit of open source collaboration, transparently reports on and educates our users about them.”

However the hacker is gaining access to so much sensitive data on so many websites, it would seem sensible to me for businesses that are running PostgreSQL to take a close look at their infrastructure.

After all, it’s better to find the security holes in your website yourself rather than wait for a malicious hacker to break in.


Hacker arrested for wave of fake bomb and shooting threats against schools

FBI agents have arrested a 20-year-old man alleged to have been part of a hacking gang which not only launched distributed denial-of-service (DDoS) attacks, but also launched a wave of chilling bomb and shooting threats against thousands of schools in the United States and United Kingdom.

Read more in my article on the Tripwire State of Security blog.

Smashing Security #115: Love, Nests, and is 2FA destroying the world?

Is two factor authentication such a pain in the rear end that it’s costing the economy millions? Do you feel safe having a Google Nest in your home? And don’t get caught by a catfisher this Valentine’s Day.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by B J Mendelson.

VFEmail suffers ‘catastrophic’ attack, as hacker wipes email service’s primary and backup data

There will be many angry customers of VFEmail who will be distraught at the thought that years’ worth of irreplaceable personal and business correspondence may have been wiped out. It’s understandable that some might turn their fury towards VFEmail.

But VFEmail is a victim too.

Automatic 4K/HD for Youtube extension pulled from Chrome Store for pop-up ad abuse

A popular browser extension has been removed by Google from the Chrome Web Store after it started spamming users with irritating pop-up advertisements.

The “Automatic 4K/HD for Youtube” extension, used by over 4 million Chrome users to force YouTube into playing videos at high quality, was recently updated to display ads for another Chrome extension.

Ironically, as ZDNet describes, the Chrome extension it began to aggressively advertise was one that purported to be an ad-blocker.

The unwanted ads took advantage of Chrome’s desktop notification feature, in breach of Google’s developer policies.

Disgruntled users left poor reviews on the extension’s page on the Chrome Web Store, warning others who might be considering installing the code, and turned to social media as they attempted to discover the source of the unwanted ads.

Eventually they identified that the “Automatic 4K/HD for Youtube” extension was responsible for the nuisance pop-up ads.

The inevitable concern, whenever a browser extension begins to behave in an out-of-character fashion, is that it might have been hijacked by someone else with malicious intent.

In the past a number of browser extensions and plugins have been purchased from their original creators by (or, in some cases, hijacked by) people who have seized the opportunity to behave maliciously on users’ desktops.

As I’ve described before, many people don’t recognise the potential security risk posed by browser extensions, given the power they can have over the webpages you visit.

An ad blocker, for instance, can read and change all your data on any websites you land on. It has to have that ability to let it block website ads. When you install a browser extension, you’re placing a lot of trust in it never turning evil.

The threat of rogue extensions is not theoretical, but very real.

Late last year, for instance, researchers warned that a state-sponsored attack thought to have originated from North Korea was targeting academic institutions through a malicious browser extension called “Font Manager” in the Chrome Web Store.

And just last month, a fake “Flash Player” extension in the Chrome Web Store was found to be stealing payment card details entered in web forms.

Fortunately, in the case of “Automatic 4K/HD for Youtube” it doesn’t appear that it was planning anything outright malicious, but the aggressive pop-up ads have fallen foul of Google – which has now removed the offending extension from the Chrome Web Store.

Update your iOS devices now against the FaceTime eavesdropping bug

Last week a bug became such big news that it broke out of the technology press, and into the mainstream media – generating headlines around the globe.

The reason? A bizarre bug in the way iPhones and iPads handled Group FaceTime calls meant that someone could potentially listen to and even see you *before* you answered an incoming call.

As news of the flaw spread like wildfire on social media, Apple said it would fix the problem “later in the week” and made a change server-side that temporarily disabled all Group FaceTime calls to prevent others from being at risk (much to the irritation of those hoping to prank their friends).

The bad news for Apple grew as it not only failed to release a patch within its original estimate, but it was also revealed that a 14-year-old boy had separately discovered the problem a couple of weeks earlier, and had received no response when he attempted to report the bug to the tech giant.

Two members of the US Congress wrote to Apple CEO Tim Cook, demanding answers as to why the company had not acted immediately when the vulnerability was discovered, and how it was planning to address any harm caused to consumers.

House Energy and Commerce Committee Chairman Frank Pallone and Representative Jan Schakowsky claimed that Apple was failing to be transparent about what they described as a “serious issue.”

Meanwhile, the New York Governor and Attorney General announced that they would be launching a probe into Apple’s failure to warn consumers.

Personally I do think that Apple dropped the ball somewhat in failing to take the 14-year-old’s bug report seriously when they first received it, but I find it hard to accept that the company didn’t act quickly when it understood the privacy-breaching nature of the problem.

Within hours of videos spreading rapidly on social media, and the first news reports of how to exploit the vulnerability, Apple had shut down all Group FaceTime calls – preventing others from abusing the bug.

And yes, obviously in an ideal world it would have had an iOS patch ready to roll out the next day – but the worst thing in the world would have been for Apple to have been rushed into issuing a fix that didn’t properly remediate the issue or – worse – introduced yet more flaws.

Sometimes it takes a while for code to be properly tested and quality controlled. As there was no way for anyone to exploit the bug with Group FaceTime disabled, it seems reasonable to me that Apple has only now issued an update to iOS, iOS 12.1.4, which fixes the problem.

The update also fixes a number of other security issues, including two zero-day flaws discovered by researchers working for Google.

For many iPhone and iPad users the update will be automatically installed, but – if you want to make sure that you are protected – follow these instructions:

Click on Settings > General > Software Update, and choose Download and Install

And as for Grant Thompson, the 14-year-old high school student who first discovered the flaw? He appears to have been credited in Apple’s security bulletin about the flaw, just as any other security researcher would be.

Smart kid.

Smashing Security #114: Darknet Diaries, death, and beauty apps

Jack Rhysider from the “Darknet Diaries” podcast joins us to chat about his interview with the elusive Hacker Giraffe, how a death is preventing cryptocurrency investors from reaching their money, and how ‘beauty camera’ apps are redirecting users to phishing websites and stealing their selfies.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by computer security veterans Graham Cluley and Carole Theriault.

Twitter follow bots cut off from API, as accounts disabled for spreading misinformation from Iran and elsewhere

ManageFlitter, Statusbrew, and Crowdfire have had their access to the Twitter API revoked for allegedly helping users abuse the service, aggressively and repeatedly following and unfollowing large numbers of other accounts – a tactic frequently employed by Twitter spammers.

Meanwhile, Twitter and Facebook share details of the accounts they have shut down after finding they were spreading misinformation in the run-up to the US midterm elections.

HOTforSecurity: Hackers hit Airbus, steal personal details of employees

Aircraft manufacturer Airbus is investigating a security breach that has seen hackers steal personal information from its systems.

In a statement published on its website, Airbus admitted that systems used by its commercial aircraft business had been accessed by an unauthorised party, and personal data related to European employees had been stolen.

According to the manufacturer of the A380, no customer data was accessed by the hackers, and production has not been affected.

What isn’t at all clear at the moment is whether Airbus was specifically targeted, or whether the breach was more the work of an opportunistic hacker.

However, the fact that information about employees was accessed is definitely a cause for concern. Malicious hackers and fraudsters might seek to weaponise such information by targeting particular individuals, or by assembling convincing emails aimed at individuals that pretend to come from colleagues.

Airbus says that it is continuing to investigate whether any specific data was targeted.

Airbus’s statement makes no mention of precisely what types of data were accessed by the intruders, but if – for instance – password credentials were included in the haul then that would be of serious concern.

If that were the case, not only might the accounts of Airbus workers be at risk of compromise by the intruders, but there would also be the risk that workers had reused the same passwords at different places online – opening opportunities for other breaches.

It is a sad truth that many people make the mistake of using work credentials for non-work-related services. If you feel it’s something you might be guilty of, take the sensible step of investing in a decent password manager.

Not only will it help store your passwords securely, but it will also reduce the likelihood of you making poor password choices by offering you an easy way to generate a complex, unique password for every online service you require.

Airbus says it is strengthening its existing cybersecurity measures, and taking action to mitigate the incident’s potential impact.

The company says that it has notified affected employees and data protection authorities about the incident, something it is required to do within 72 hours of becoming aware of a data breach under European GDPR regulations.

Other members of the airline industry who have found themselves having to admit in the last year that they have suffered at the hands of cybercriminals include Boeing, Cathay Pacific and British Airways.


Smashing Security #113: FaceTime, Facebook, faceplant

FaceTime bug allows callers to see and hear you *before* you answer the phone, Facebook’s Nick Clegg tries to convince us the social network is changing its ways, and IoT hacking is big in Japan.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes from AMTSO.

User of the world’s biggest DDoS-for-hire website? Police say they’re coming after you

When police shut down the notorious website webstresser.org last year and arrested its administrators, a clear message was sent to the site’s 151,000 users: you’re next.

Until its takedown, webstresser.org was believed to be the world’s biggest marketplace for the hiring of distributed denial-of-service (DDoS) attacks.

For as little as 15 euros a month, Webstresser’s customers could pay for DDoS attacks to be launched against websites – swamping them with traffic, and knocking them offline.

The site made it possible for individuals with little or no knowledge to launch crippling DDoS attacks. In all, it’s said that cybercriminals used Webstresser to launch over four million attacks, including major DDoS attacks targeting gambling sites, gaming sites, police forces, and top banks.

Thankfully, international law enforcement’s “Operation Power Off” put an end to Webstresser’s activities in April 2018, arresting the site’s administrators and commandeering its infrastructure.

That action by police didn’t just see the website replaced with a seizure notice, but also the confiscation of a treasure trove of information about the site’s 151,000 registered users.

Today Europol announced that police forces around the world are actively tracking down the site’s users.

In the UK, for instance, a number of Webstresser users have recently been visited by police, and over 60 personal electronic devices have been seized for analysis. There are also said to be live operations against other DDoS criminals – with over 250 users of webstresser.org and other booter services soon facing action.

In the Netherlands, meanwhile, an initiative known as “Hack_Right” has been launched which aims to tackle the problem of young first-time offenders who naively engage in cybercrime without recognising the seriousness of what they are doing.

The initiative, which is aimed at young offenders between the ages of 12 and 23, attempts to change the perpetrators’ behaviour, help them avoid a criminal record, and perhaps turn them towards a career as an ethical hacker instead.

One Dutch user of webstresser.org has already gone through the “Hack_Right” process.

If you have hacking skills and you use those skills to do harm, there’s a chance that you will be caught and that could have repercussions for the rest of your life.

Don’t direct your computer knowledge towards committing crime. Instead, use your skills to do something positive – develop a cool app, write a helpful code library, publish some research, create a popular website, help mitigate against security threats.

You may not be lucky enough to be offered a place on a “Hack_Right” course. You may end up going to prison. If you’re clever enough to commit a cybercrime, you should be clever enough to recognise that what you are doing could result in your losing your liberty, and causing unnecessary distress and heartbreak to your friends and family.

Passwords at risk for users who fall for voicemail phishing emails

Security researchers are warning of a new wave of phishing emails which are using an unusual disguise in their attempt to both bypass scanners at email gateways and dupe unsuspecting users.

The post Passwords at risk for users who fall for voicemail phishing emails appeared first on The State of Security.

Smashing Security #112: Payroll scams, gold coin heists, web giants spanked

Business email compromise evolves to target your company’s payroll, how the world’s largest gold coin was stolen from a Berlin museum, and are internet giants feeling the heat yet over data security?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by people hacker Jenny Radcliffe.

Angry ex-employee blamed for hack of WordPress plugin developer, and email to customers warning of security hole

This weekend, users of the popular WordPress translation plugin WPML (also known as WordPress MultiLingual) received an email from a hacker claiming to expose serious security vulnerabilities in the software that allegedly put the customers’ own websites at risk.

In the mass email, sent from WPML’s own servers, the hacker claimed that two of his own websites had been breached due to “a bunch of ridiculous security holes” in WPML’s code. He went on to warn recipients that their own websites could be at risk.

I’m able to write this here because of the very same WPML flaws as this plugin is used on wpml.org too.

Please take this with the warm recommendation of triple-enforcing your security on websites where you use WPML if you must use it. Make frequent backups and monitor your websites closely. Do not leave sensible information laying around in the database or on the server. Use only WPML components and features that you really need. Or ask for your money back.

In a statement on its website, WPML acknowledged that it had been hacked and that it believed the perpetrator to be a former employee.

However, the company disputed the hacker’s claim that there were security holes in the WPML WordPress plugin, and instead claimed that the attacker had accessed its infrastructure by using an old SSH password and backdoor that he had left for himself whilst he worked for the firm.

Even if that’s true, there’s still cause for some concern. After all, if a hacker was able to mass-mail up to 600,000 customers from WPML’s own systems, it’s easy to imagine how a more maliciously-minded attacker might use the same capabilities to send out a phishing campaign or malicious links designed to infect users’ computers.

Another nightmare scenario would be if the widely-used plugin’s code was tampered with by an attacker, potentially putting thousands of other websites at risk of exploitation. WPML says that it has verified its plugin’s code has not been compromised.

However, WPML does admit that the alleged ex-employee did manage to steal the names and email addresses of customers, send an unauthorised email on WPML’s behalf, deface WPML’s online store, and publish a bogus blog post containing the same content as the email.

The company says that in response to the attack it has rebuilt its website and ensured that access to administrator accounts is now controlled by two-factor authentication (2FA). Furthermore, WPML says that it has “minimized the access that the web server has to the file system.”

WPML further underlined in its advisory that no payment information had been compromised, and that the popular WordPress plugin does not contain a vulnerability. Customers have been advised to reset their passwords.

From the sound of things, WPML may have a pretty strong idea of the identity of its hacker. One would anticipate, therefore, that it is going to share that information with law enforcement so a proper investigation into the data breach can take place.

Learn how Starbucks combats credential stuffing & account takeover (ATO)

Graham Cluley Security News is sponsored this week by the folks at Shape Security. Thanks to the great team there for their support!

“These are not kids in mom’s basement attacking us.”

Nearly five million people around the globe buy Starbucks coffee from their mobile app every single day. Forty percent of those purchases are paid using Starbucks’ gift card/stored value system, making the app a ripe target for account takeover (ATO).

Starbucks was one of the first enterprises to identify the growing threat of credential stuffing and mass ATO attacks. The security team tried using WAFs and CDN-provided bot solutions, but found those methods were no match for ever-evolving attackers.

Watch Shape’s discussion with Starbucks to learn how the two companies partnered to help combat ATO and hear answers to questions including:

  • How have attackers evolved at Starbucks over the past three years?
  • How can we leverage a collective defense to turn the tide on attackers?
  • How does Starbucks balance security with user friction?

Shape Security is defining a new future in which excellent cybersecurity not only stops attackers, but also reduces friction for good customers. Shape disrupts the economics of cybercrime by making it too expensive for attackers to commit online fraud, while also enabling enterprises to more easily transact with genuine customers.

The Shape platform, covered by 55 patents, stops the most dangerous application attacks enabled by bots and cybercriminal tools, including credential stuffing (account takeover), fake account creation, and unauthorized aggregation.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Smashing Security #111: When rivals hack, and ‘extreme’ baby monitors

Why a business spat resulted in Liberia falling off the internet, how the US Government shutdown is impacting website security, and the perplexing world of extreme IoT devices.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Zoë Rose.

Unlock the power of threat intelligence with this practical guide. Get your free copy now

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!

At Recorded Future, we believe every security team can benefit from threat intelligence. That’s why we’ve published “The Threat Intelligence Handbook.”

It’s aimed at helping security professionals realize the advantages of threat intelligence by offering practical steps for applying threat intelligence in any organization.

Download your free copy now.

About Recorded Future

Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. We empower organizations to reveal unknown threats before they impact business, and enable teams to respond to alerts 10 times faster. To supercharge the efforts of security teams, our technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies. 91 percent of the Fortune 100 use Recorded Future.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Huge prizes up for grabs for anyone who can hack a Tesla

If you’re going to the CanSecWest conference in Vancouver this March you’ll have the chance to participate in the Pwn2Own ethical hacking contest. As usual, hackers will be working hard to crack the security of browsers and operating systems from Apple, Microsoft, Google, Mozilla, Oracle and VMware.

But this year things are a little different, because for the first time ever a popular car will be amongst the products hackers will be trying to exploit.

A sacrificial Tesla Model 3 will be on-site, inviting hackers to win big in Pwn2Own’s new automotive category.

The top Tesla-hacking prize up for grabs is $250,000 for anyone who finds a way to run unauthorised code on any of three of the high-tech car’s critical components: the gateway, the autopilot, or the VCSEC.

As Thomas Brewster at Forbes explains, the gateway is a key piece of hardware in the Tesla through which data communications flow.

The VCSEC, meanwhile, controls security features such as the alarm, and access to the charge port and trunk.

And autopilot? Well, you know what the Tesla’s autopilot is. And just how important it is that that particular famous part of the vehicle’s infrastructure is not vulnerable to compromise.

If that’s too tricky, then there is still a handsome $100,000 waiting for anyone who can subvert Tesla’s key fob (or phone used as a key) to run unauthorised code, unlock the vehicle, or start its engine.

Smaller prizes are on offer for researchers who discover a way to run code on the Tesla’s modem, tuner, WiFi, Bluetooth, or infotainment systems.

According to the Pwn2Own competition organisers, participants eager to win the “Modem or Tuner”, “Wi-Fi or Bluetooth”, and “Gateway, Autopilot, or VCSEC” prizes must achieve code execution “by communicating with a rogue base station or other malicious entity.”

Meanwhile, attacks on the infotainment system need to be launched from the on-site Tesla, and must achieve code execution by browsing to malicious content.

Oh, and did I mention the first successful researcher will have the opportunity to drive a brand new Tesla Model 3 away at the end of the competition?

Truth be told, you’ll most likely already have access to a Tesla to experiment on if you’re going to be in with any chance of successfully hacking the one at Pwn2Own.

The good news is that if you are thinking of hacking your Tesla, as of last year you no longer have to worry about voiding your warranty if you accidentally brick your vehicle. In September 2018, the company confirmed it was supporting “safe harbor” which legitimises good-faith security research, and allows owners to hack their own cars provided they remain within its bug bounty rules.

Other companies have in the past attempted to censor the publication of security research using legal threats.

Fuller details of the Pwn2Own competition, and add-on prizes for achieving persistence after a reboot, can be found in the Pwn2Own blog post.

The DDoS attacker rescued by a Disney cruise ship is sentenced to over 10 years in prison

A 34-year-old man has been sentenced to more than 10 years in prison, after being found guilty of launching a massive denial-of-service attack against Boston Children’s Hospital.

The sentencing of Martin Gottesfeld, from Somerville, Massachusetts, comes almost three years after he attempted to escape to Cuba – a plan that failed after his speedboat broke down in the choppy sea, and he was picked up by a Disney cruise liner.

Gottesfeld’s troubles began when he heard about the case of Connecticut teenager Justina Pelletier, who was admitted to Boston Children’s Hospital in 2013. The hospital and Pelletier’s parents disagreed about how she should be treated, and eventually she was removed from her parents’ custody.

The case received widespread attention in the media and online, as the teenage girl’s parents argued that she had been “medically kidnapped”.

Publicity about the case spurred an internet campaign under the banner of #FreeJustina, and Gottesfeld, in the name of the Anonymous hacking collective, posted a YouTube video in March 2014 calling for action against the hospital.

That video, in turn, shared links to a Pastebin account – doxing the home address and phone numbers of a judge and doctor involved in Pelletier’s case, and making a clear threat:

“This will be your first and final warning. Failure to comply will result in retaliation which you will not be able to withstand. Free Justina and return her home to her family. The voice of the people will be heard.”

Gottesfeld linked to the information from his Twitter account, where he frequently posted about the #FreeJustina campaign.

At the same time, Gottesfeld launched a distributed denial-of-service (DDoS) attack against Wayside Youth & Family Support Network, a facility offering mental health counselling to children. Pelletier was by then a resident of the facility, having been discharged from hospital but still not released into the care of her parents.

The following month Gottesfeld launched another DDoS attack, this time crippling the systems of Boston Children’s Hospital. Prosecutors claimed that the attack knocked the hospital’s internet systems offline for two weeks, disrupting fundraising campaigns and communication between patients and medical staff.

Perhaps unsurprisingly, FBI investigators were able to link Gottesfeld to the YouTube account. For his part, Gottesfeld claims he deliberately didn’t bother covering his tracks as he didn’t believe he had done anything wrong.

In the early morning of October 1, 2014, FBI investigators searched Gottesfeld’s home, seizing computer equipment.

As the investigation into the DDoS attacks proceeded over the coming months, Gottesfeld realised the seriousness of the case against him – and in February 2016 fled with his wife Dana to Miami. Their plan? To buy a boat off Craigslist, and sail it to Cuba where they would be beyond the reach of US authorities.

The couple purchased a speedboat for US $5000, abandoned their car, and immediately set off across the ocean for what they believed to be the sanctuary of Cuba. But after hours of battling rough waves, their boat broke down. They were stranded, with no boats or land in sight. And they had told no-one of their plan.

Attempts to restart the boat failed, and eventually Gottesfeld admitted defeat – putting a distress call out on the radio which was thankfully heard by “The Disney Wonder”, an 11-deck cruise ship carrying hundreds of tourists.

In terrible weather conditions, Martin and Dana Gottesfeld were brought safely onboard where they were held in a cabin, with guards stationed outside.

Authorities in the Bahamas contacted the FBI office in Boston, and when the cruise ship returned to the US mainland, Gottesfeld and his wife were arrested and handcuffed.

The hacker’s dream of escape to Cuba was in tatters.

On Thursday, Gottesfeld was sentenced to 121 months in prison, and ordered to pay nearly US $443,000 in restitution.

“Make no mistake, your crime was contemptible, invidious and loathsome,” said US District Judge Nathaniel Gorton.

To read more about the case, and Gottesfeld’s background, I strongly recommend reading this article in Rolling Stone.

There’s no doubt that Gottesfeld did many foolish things, but when you read more about the case you can’t help but conclude that he had ultimately good intentions that were catastrophically misdirected.

A prison sentence of over 10 years for the DDoS attacks that Martin Gottesfeld perpetrated feels very harsh to me.

Gottesfeld says he plans to appeal his sentence. I can’t condone what he did, but I wish him well for the future.

Reddit users locked out of accounts after ‘security concern’

A large number of Reddit users are being told that they will have to reset their passwords in order to regain access to their accounts following what the site is calling a “security concern.”

The lockout has occurred as Reddit’s security team investigates what appears to have been an attempt to log into many users’ accounts through a credential-stuffing attack.

Read more in my article on the Tripwire State of Security blog.

The post Reddit users locked out of accounts after “security concern” appeared first on The State of Security.

Smashing Security #110: What? You can get paid to leave Facebook?

Twitter and the not-so-ethical hacking of celebrity accounts, study discovers how you can pay someone to quit Facebook for a year, and the millions of dollars you can make from uncovering software vulnerabilities.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Town of Salem hack exposes details of 7.6 million gamers

Just before Christmas, hackers managed to break into a database belonging to a popular online game and steal the details of over seven million players.

BlankMediaGames, makers of the browser-based game “Town of Salem”, has sent an email to players warning that personal information stolen by the hackers may include email addresses, full names, postal addresses, usernames, encrypted passwords, forum activity, IP address, and game activity.

Fortunately, BlankMediaGames uses a third party to handle payments and so does not have access to payment information, denying the hackers the ability to directly monetise the hack.

Nonetheless, there’s plenty of opportunity for the hackers to still exploit the stolen data. For instance, phishing campaigns could be sent out to players pretending to come from the game, using gamers’ names and email address to make the message look more convincing.

And you shouldn’t think that just because your “Town of Salem” password was “encrypted” that it hasn’t been compromised. In a forum post, BlankMediaGames reveals that the passwords “were stored as a salted MD5 hash”.

MD5 is considered to be a relatively weak algorithm for hashing passwords, and the lack of stronger protection may open easy opportunities for hackers to crack some of the passwords.
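To show why a salt alone does not rescue MD5, here is an added example (not BlankMediaGames’ code) that stores a password both ways, measures how much more work each guess costs an attacker under PBKDF2-HMAC-SHA256 with a work factor, and upgrades a legacy salted-MD5 record to the stronger scheme the next time the user logs in. The record format, the 200,000-iteration work factor and the sample salt are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERS = 200_000  # assumed work factor; tune so one verify costs ~100 ms


def legacy_md5_hash(password: str, salt: bytes) -> str:
    """Salted MD5 as a legacy store holds it: one fast hash, no work factor."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def legacy_verify(password: str, salt: bytes, stored_hex: str) -> bool:
    return hmac.compare_digest(legacy_md5_hash(password, salt), stored_hex)


def strong_hash(password: str, salt: bytes = None, iters: int = PBKDF2_ITERS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as a self-describing
    record (assumed format) so the work factor can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return f"pbkdf2_sha256${iters}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(password: str, salt: bytes, legacy_hex: str):
    """Check the submitted password against the legacy salted-MD5 hash; if it
    matches, return a fresh PBKDF2 record to overwrite the legacy one."""
    if not legacy_verify(password, salt, legacy_hex):
        return None
    return strong_hash(password)


def cost_ratio(md5_trials: int = 2000, pbkdf2_trials: int = 3) -> float:
    """Seconds per guess under PBKDF2 divided by seconds per guess under salted
    MD5: how much more work an offline cracker does per guess after migrating."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(md5_trials):
        legacy_md5_hash(f"guess{i}", salt)
    md5_per_guess = max((time.perf_counter() - t0) / md5_trials, 1e-9)
    t0 = time.perf_counter()
    for i in range(pbkdf2_trials):
        strong_hash(f"guess{i}", salt)
    return ((time.perf_counter() - t0) / pbkdf2_trials) / md5_per_guess
```

The migration path matters because a site cannot re-hash stored passwords it cannot see; it can only do so when each user next presents the plaintext, or force a reset as BlankMediaGames’ players are being told to do.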

In short, you would be wise to reset your Town of Salem password *and* also ensure that you are not reusing the same password anywhere else on the internet.

BlankMediaGames says it has removed three suspicious PHP files from its server that allowed the hackers to gain access, and has asked its hosting provider to run a malware check across all of its servers.

Furthermore, it says it has put in place additional security measures to protect players better in future, and is liaising with law enforcement.

Whether that will be enough to allay the fears of gamers remains to be seen.

One clear lesson that all companies could learn from this incident is the need to recognise that a security breach can happen at any time.

It appears that despite emails and calls to BlankMediaGames between Christmas and New Year from individuals who knew about the breach, nothing has been said publicly until now.

BlankMediaGames is, of course, a small company. But online firms cannot afford to rest when it comes to security issues. There’s a reason why hackers often like to strike during the holidays or at the weekend.