iOS Group FaceTime Oversight Bypasses Access to Contact Information

With the release of iOS 12.1 for Apple’s mobile devices came the exciting (and much-desired) ability to have group video calls with their built in app, FaceTime. However, this new addition brought about an exploit that can allow any attacker to easily bypass a device’s lock screen password and view all the contact information stored on it. It was discovered by Jose Rodriguez (Twitter: @VBarraquito), a Spanish security researcher who is well-known for discovering a variety of bypass methods, including one that previously allowed information to be viewed through the photo sharing feature on the lock screen camera.

The exploit is fairly simple to execute once an attacker has the target device in their possession, and if it is set up with certain features. Firstly, the phone number of the target device is needed, which is fairly simple if it has Siri enabled. With a different device of their own, they just need to:

  • Call the target device.
  • Tap the FaceTime icon on the call screen to have it routed through there instead.
  • Go to add contacts once the call begins.
  • If the target device happens to have 3D touch enabled, a heavy press on the screen on any contact name will bring up the full list of their contact information.

As of right now, it is not yet known if Apple is working on an update to patch the exploit, given how recent the update itself is. With how easy it is for the average person to use, it should hopefully be high on their priority list. Many users who tend to multitask more on their phones, such as those that work for large companies, will tend to have 3D touch and Siri enabled for their ease of usage, thus making them more likely to fall victim to the exploit, especially given how often they may be in public spaces and could potentially have their device stolen.

Source
Post by Allan Sun

HSBC Data Breach

Today, HSBC Bank disclosed that they had a data breach between the dates of October 4th and October 14th. The amount of people affected by this breach is undisclosed, but only Americans have had their data compromised. The kinds of information that was leaked may include: full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.

To rectify this, HSBC has said that they are going to enhance their authentication processes for their online banking and will offer affected customers a year long subscription to a “credit monitoring and suspicious activity alerting product”. These gifts and claims sort of fall flat, as they do not have good history with their security. According to Wired, they weren’t using “up to date encryption standards for online banking” and according to a Swansea University researcher, they were ranked in the bottom five of banks based on “the technical measures used by their respective websites” as of me writing this.

The way the breach occurred hasn’t been stated yet, but Ilia Kolochenko, the CEO and founder of High-Tech Bridge, has said that “as it would appear that only US customers have been affected, that could point to the breach occurring by way of an authorized third-party or careless employee”.

This breach definitely results from these accusations that Wired and the Swansea University researcher said, as potential hackers could have seen this informations and decided to attack them next, as they had reported lower levels of security as opposed to other targets.

– Jacob Peverly

Sources:

Burgerville’s data breach

At some point in 2017 or 2018, the restaurant chain Burgerville experienced a security breach. The only way Burgerville learned of the issue is when the FBI notified them on August 22 of this year. At first, it was seen as a “brief intrusion that no longer existed”. However by September 19, (almost a whole month later), the company realized that the breach was active, and was targeting customer’s financial information. Burgerville does not specify what kind of malware it was or where it was detected, though the source article adds that it could be at a point-of-sale system, where people physically swipe/scan/insert their cards.

Data that was stolen includes credit/debit card information: names, card numbers, expiration dates, and CVV security numbers. Burgerville also does not know how many people could have been affected by this, though they warn everyone who used cards from September 2017 through September 2018 to watch their accounts for false purchases. Anyone who used a card to purchase anything at any one of their locations during the last year can have their credit info compromised.

“This was a sophisticated attack in which the hackers effectively concealed all digital traces of where they have been,” states Burgerville. Although no direct evidence was given, the data breach is attributed to Fin7, also known as Carbanak group, another Eastern European hacking network that has successfully done cyberattacks on over 100 US companies.

In August, three Ukrainian members of Fin7 were arrested in Europe, where Fin7 is believed to operate. Despite the arrests, Fin7 is still actively deploying malware on corporate networks. According to the US Department of Justice, this is not the first time Fin7 has targeted a US restaurant chain. Other victims include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.

Although the chain made the initial mistake of underestimating the breach, they pulled in an external cybersecurity company to stop the breach, remove malware, and take preventative measures. “The operation had to be kept confidential until it was completed in order to prevent the hackers from creating additional covert pathways into the company’s network,” Burgerville said in a written statement. Burgerville completed the operation to seal the breach on September 30.

Source articles: 

https://www.zdnet.com/article/burgerville-customer-credit-card-info-stolen-in-data-breach-laid-at-fin7s-feet/

https://www.oregonlive.com/business/index.ssf/2018/10/burgerville_reports_major_cred.html

 

Michael Abdalov

Fired Chicago Schools Employee Causes Data Breach

Recently, a temporary worker at Chicago Public Schools was fired from her job and is alleged to have stolen a personal database in retaliation. The personal database contained the information of approximately 70,000 people. The information which was stolen included, names, employee ID numbers, phone numbers, addresses, birth dates, criminal histories, and any records associating individuals with the Department of Children and Family services.

She allegedly copied the database then proceeded to delete it from the Chicago Public School’s system. Those affected by this breach included employees, volunteers and others affiliated with Chicago Public Schools. Luckily, the breach was discovered before any information was used or spread in any way by the former employee. The individual is now being charged with one felony count of aggravated computer tampering/disrupting service and four counts of identity theft.

This incident is an example of a very essential part of computer security, no matter how many security measures are put in place to guard a system somebody, like a disgruntled employee, can still cause a security breach. The lesson to be learned is to keep a close eye on employees, especially those which show red flags, and to be careful what data/databases certain employees are authorized to use, view and modify.

Written by: Craig Gebo

Source: https://www.securitymagazine.com/articles/89553-fired-chicago-schools-employee-causes-data-breach

Adult Sites Database Breached

 

In fairly recent news, eight adult websites had their databases breached and downloaded to a total file size of 98 megabytes. Now judging from that number, one could assume that this is not the most large-scale breach however it is still relevant. What was breached is as follows, IP addresses of users, hashed passwords, names and 1.2 million unique email addresses. Robert Angelini, the man behind it all claims that the figure is inaccurate as the website had only somewhere to the tune of 100k posts on it. The site has been since taken down for maintenance until the security vulnerability is fixed. He urges users to change their passwords. It is said that if the website cannot be secured then it will remain down forever.

Capture

This breach is compared to the breach of Ashley Madison in that the users could be blackmailed due to the nature of the website. The nature of the website of course being to post naked pictures of one’s spouse which is definitely of questionable ethics. The difference of course being the scale of the breach with Ashley Madison dumping 36 million users.

For those who have been breached, there are similar takeaways from other breaches, change your password and please don’t reuse passwords. Blackmail could be avoided by signing up for services like this with a disposable email account . Also, the password hashes that were dumped were hashed with Descrypt, a hash function created in 1979. A password hash posted to twitter by Troy Hung, the guy behind https://haveibeenpwned.com/ was cracked in 7 minutes by hashcat. In conclusion this illustrates the risks people may not know that they are putting themselves at by putting personal information on insecure websites.

– Loudon Mehling

https://arstechnica.com/information-technology/2018/10/hack-on-8-adult-websites-exposes-oodles-of-intimate-user-data/