Security Archives

Do You Own a Tesla? It’s Vulnerable to Hacking

Andrew Orr · March 10, 2020

Security experts found that Teslas are vulnerable to certain kinds of hacks. One expert, Brian DeMuth, said there are no easy ways to prevent it, but you can take some measures.

There are a few things that can reduce the risk if you are willing to accept diminished functionality in the car. For example, the telematics unit can be removed from the vehicle to eliminate attacks over the cellular network, but this also will prevent mobile apps and other remote functionality from working. Removing the telematics unit could also trigger warnings and other errors to appear in the instrument cluster or infotainment system.

News

Microsoft and 35 Countries Take Down ‘Necurs’ Botnet

Andrew Orr · March 10, 2020

Microsoft, along with partners in 35 countries have taken down the Necurs botnet, responsible for infecting over nine million computers.

Link

Patch Your Netgear Router Because it Could Get Hacked

Andrew Orr · March 6, 2020

Netgear is pushing out security patches for its networking products this week. They contain flaws that could open them up to hackers.

Modem/routers:

D6200, D6220, D6400, D7000, D7000v2, D7800, D8500

Range extenders:

PR2000

Routers:

JR6150, R6120, R6220, R6230, R6250, R6260, R6400, R6400v2, R6700, R6700v2, R6700v3, R6800, R6900, R6900P, R6900v2, R7000, R7000P, R7100LG, R7300DST, R7500v2, R7800, R7900, R7900P, R8000, R8000P, R8300, R8500, R8900, R9000, RAX120, RBR20 (Orbi), RBS20 (Orbi), RBK20 (Orbi), RBR40 (Orbi), RBS40 (Orbi), RBK40 (Orbi), RBR50 (Orbi), RBS50 (Orbi), RBK50 (Orbi), XR500, XR700

Podcast

Security Friday – TMO Daily Observations 2020-03-05

Kelly Guimont · March 6, 2020 · Add Comment

Andrew Orr joins host Kelly Guimont for Security Friday! Hardware flaws, This Week in Who Has Your Data, and the latest in ending encryption.

VIew all episodes

News

Serious Flaw in Intel Chips Lets Attackers Decrypt Hard Drives

Andrew Orr · March 6, 2020

A flaw found in Intel chips lets attackers decrypt your hard drive, among other things. It can’t be fixed, only mitigated with patches.

Link

Someone Hacked J.Crew Last Spring and we Only Find Out Today

Andrew Orr · March 4, 2020

According to a notice [PDF] from J.Crew, someone hacked the company last year. For some reason we’re only finding out about it today, a year later.

“The information that would have been accessible in your jcrew.com account includes the last four digits of credit card numbers you have stored in your account, the expiration dates, card types, and billing addresses connected to those cards, and order numbers, shipping confirmation numbers, and shipment status of those orders,” J.Crew’s data breach notification explains.

You know, sometimes when I write about this stuff, like Facebook doing every bad thing under the sun with our data, I stop and think: “Am I just a cynical a**hole?” Then, when yet another idiot company has a data breach, I realize, no I’m just reporting reality. These companies deserve to be named and shamed.

News

Locked Apple Notes Aren’t as Secure as You Think

Andrew Orr · March 4, 2020

Forensic company BlackBag, a Cellebrite company, recently found that locked Apple Notes are temporarily stored in an insecure state.

News

Let’s Encrypt Revokes Certificates After Finding a Bug

Andrew Orr · March 3, 2020

Let’s Encrypt announced on Saturday, February 29 that it discovered a bug in its Certification Authority Authorization (CAA) code.

Link

How to Create a Honeypot URL With URL Canary

Andrew Orr · February 28, 2020

A service I recently discovered is URL Canary. It creates a honeypot URL that you can then put in a location such as your cloud storage. It alerts you if that URL has been accessed.

URL Canary will catch automated robots and crawlers, as well as manual human attackers. The only time it won’t catch an attacker is if they don’t see the canary, or they don’t find it sufficiently-compelling and opt not to visit it. Since you have control of the URL and the domain name, you can make your canaries as compelling as possible for your specific use case.

There’s a similar service I know of called CanaryTokens.

Link

MI5 Chief Wants ‘Exceptional Access’ to Encrypted Messages

Andrew Orr · February 28, 2020

Sir Andrew Parker is the head of MI5, the UK’s domestic security service. He wants tech firms to provide “exceptional access” to encrypted messages.

In an ITV interview to be broadcast on Thursday, Sir Andrew Parker says he has found it “increasingly mystifying” that intelligence agencies like his are not able to easily read secret messages of terror suspects they are monitoring.

Bah, this is smoke and mirrors. As the head of a security agency he knows that restricting backdoors to the good guys is impossible.

Link

Someone Stole Clearview AI’s List of Clients

Andrew Orr · February 26, 2020

Clearview AI gained notoriety for partnering with law enforcement on facial recognition, using its database of billions of scraped images from the web. But someone just stole its list of clients.

…Clearview AI disclosed to its customers that an intruder “gained unauthorized access” to its list of customers, to the number of user accounts those customers had set up, and to the number of searches its customers have conducted. The notification said the company’s servers were not breached and that there was “no compromise of Clearview’s systems or network.”

Meanwhile, law enforcement on end-to-end encryption: “Who needs that kind of encryption, other than maybe the military? We don’t even — in law enforcement — use encryption like that.”

Link

HackerOne Punished Researchers Who Disclosed PayPal Bugs

Andrew Orr · February 24, 2020

HackerOne is a bug bounty platform that connects companies with security researchers. Recently, when researchers used the platform to disclose six PayPal vulnerabilities, they were punished.

When our analysts discovered six vulnerabilities in PayPal…we were met with non-stop delays, unresponsive staff, and lack of appreciation…When we pushed the HackerOne staff for clarification on these issues, they removed points from our Reputation scores, relegating our profiles to a suspicious, spammy level.

This happened even when the issue was eventually patched, although we received no bounty, credit, or even a thanks…We’ll assume that HackerOne’s response is representative of PayPal’s response.

News

Location Data Can Leak Through iOS Clipboard, Apple Doesn’t View it as a Problem

Andrew Orr · February 24, 2020

Researchers found that location data can be leaked to apps on iOS and iPadOS via the clipboard. Apple doesn’t see it as a problem.

Podcast

Security Friday: Data Breaches, DNS – TMO Daily Observations 2020-02-21

Kelly Guimont · February 21, 2020 · Add Comment

Andrew Orr joins host Kelly Guimont for Security Friday, discussing a new data breach and keeping your ISP from selling your web history.

VIew all episodes

Link

SlickWraps Was Hacked, But Hasn’t Done Anything About It

Andrew Orr · February 21, 2020

SlickWraps makes skins for iPhones and Androids. It was recently hacked, but fortunately by a white hat hacker without malicious intentions. The story behind it is fascinating, especially because the company has blocked him and so far has failed to do anything about it.

To say I went to great lengths to treat SlickWraps equitably would be an understatement. Candidly, after the staggering number of primitive security flaws exhibited by their administrators (e.g. the vulnerability to Dirty COW, an exploit which was patched in 2016), I question whether they deserved the leniency I am about to describe.

Update: Other people are hacking the company too. One of them sent emails to SlickWraps customers, telling them to tweet and email the company, which responded to the incident on Twitter.

Link

Defense Information Systems Agency Suffers Data Breach

Andrew Orr · February 20, 2020

Between May and July 2019 sensitive data like Social Security Numbers were stolen from servers belonging to the Defense Information Systems Agency (DISA), a U.S. defense agency. Earlier this month it notified victims.

The Defense Information Systems Agency has begun issuing letters to people whose personally identifiable information may have been compromised in a data breach on a system hosted by the agency. While there is no evidence to suggest that any of the potentially compromised PII was misused, DISA policy requires the agency to notify individuals whose personal data may have been compromised.

Deep Dive

What Do Bank-Level Encryption and Military-Grade Encryption Mean?

Andrew Orr · February 20, 2020

Two phrases that you’ll often hear in security are “bank-level security” and “military-grade encryption.” But what do they mean?

Link

Iran Hackers Put Backdoors in VPN Servers

Andrew Orr · February 17, 2020

A new report finds that hackers from Iran have been putting backdoors in VPN servers around the world in the “Fox Kitten Campaign.” It sounds like affected companies provide VPN for enterprise, rather than consumers. ZDNet suggests Pulse Secure, Palo Alto Networks, Fortinet, and Citrix.

Though [sic] the campaign, the attackers succeeded in gaining access and persistent foothold in the networks of numerous companies and organizations from the IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors around the world.

Podcast

Security Friday, Backup Tips – TMO Daily Observations 2020-02-14

Kelly Guimont · February 14, 2020 · Add Comment

Charlotte Henry and Andrew Orr join host Kelly Guimont for Security Friday, discussing security news, malware protection, and backup tips.

VIew all episodes

Podcast

Huawei Backdoors, iPad Multitasking – TMO Daily Observations 2020-02-13

Kelly Guimont · February 13, 2020 · Add Comment

Charlotte Henry and Bryan Chaffin join host Kelly Guimont to discuss Huawei’s access to 5G networks, and Bryan “shows” Split-Screen on iPad.

VIew all episodes

Link

US Reportedly Gave Allies Evidence of Huawei Backdoors

Andrew Orr · February 12, 2020

Although the U.S. hasn’t shared it publicly, it claims to have found actual evidence of Huawei backdoors.

The United States has long claimed that Huawei can secretly access networks through the networking gear it sells to telcos, but the goverment previously argued that it doesn’t need to show any proof. US officials still are not providing such evidence publicly but have begun sharing their intelligence with other countries.

The best part is that, according to The Wall Street Journal, the origin of this report, these backdoors were intentionally put into place for law enforcement. And yet, the DoJ wants Apple to put backdoors in iOS that they swear can only be accessed by law enforcement, and definitely not foreign state hacking groups.

News

Search Warrant Reveals Apple Scanning Emails for Child Abuse Images

Andrew Orr · February 11, 2020

Andrew wrote that Apple scans uploaded iCloud content for child abuse imagery, and a search warrant reveals it scans emails too.

News

Apple Joins FIDO Alliance, an Authentication Group

Andrew Orr · February 11, 2020

The FIDO Alliance is an industry group to develop authentication standards as an alternative to passwords. Apple recently joined the group.

Link

Chinese Military Charged With Equifax Data Breach

Andrew Orr · February 10, 2020

Four Chinese military hackers have been charged with breaking into Equifax’s network and stealing the data of tens of millions of Americans.

The accused hackers exploited a software vulnerability to gain access to Equifax’s computers, obtaining log-in credentials that they used to navigate databases and review records. The indictment also details efforts the hackers took to cover their tracks, including wiping log files on a daily basis and routing traffic through dozens of servers in nearly 20 countries.

Reminder that Equifax executives did insider trading based on the breach. They are criminals.