Encryption system used to exploit protected Wifi networks

Everyone knows that they could be a potential target for cyber-crime; as it often appears in the news almost every day. But just how vulnerable is an individual? CERT recently made a statement about how your Wifi network could be exploited if proper precautions are not taken.

On October 16th, 2017, the Computer Emergency Readiness Team made an announcement that addresses the protection of your sensitive information. In short, its advice is to update all your devices when security advancements are available. The reason for this is that a widely used encryption system used on wireless networks can lead to a breach of your credit card information, emails, passwords, etc.

Essentially, the system allows a hacker to gain access to the internet traffic that occurs between computers. Once in, the hacker can manipulate the data that is recovered. Depending on the target’s network configurations, it is even possible for the attacker to inject malware into the network. The unsettling part about this encryption system is that it has the capability of effecting a very wide range of devices including Android, Apple, Linux, and Windows.

Companies such as Intel, Microsoft, Google, and Apple have heeded this advice and have released updates that will help protect people with their devices from this issue.

– Jared Albert

 

Advertisements

Equifax: The Work Number

Everyone has heard about the Equifax security breach that had compromised an unknown number of Americans. but not everyone has heard about another of Equifax’s services: The Work Number

Screen Shot 2017-10-09 at 8.03.01 AM

The Work Number is a service that provides an individual’s detailed salary and employment history. It was designed to provide automated employment and income verification to employers. It can also provide proof of income should someone be applying for a loan.

With such a large database of private information and the above image the first thing you see when going to: www.theworknumber.com/Employees you would expect a large number of security protocols defending it. Initially, yes, but after the recent Equifax breach, maybe not so much.

To access he information requires one to input their employer’s code, which would be easy to look up if the Equifax system wasn’t down for maintenance. Then it asks for a “User ID” which in most cases it your SSN or a portion of it. Finally it asks for your “PIN” which is defaulted to be some variation of your Date of Birth (mm/dd/yyyy or yyyy/mm/dd). After gaining access is does require you to change the PIN and set up half a dozen security questions for verification. Then it allows you to access any of your income or employer history on its database.

The troubling thing about this is that in the Equifax security breach some of the major pieces of information stolen was DOB and SSN, allowing someone to access your information as long as they could learn who your current employer is, in order to get the employer code. After they gain access to the Work Number, a potential hacker can change your PIN and set up security questions and lock you out of the whole system.

-Spencer Mycek

source: Krebsonsecurity

How Equifax got Hacked

I’m sure almost everyone has heard about the Equifax data breach at this point, but what we haven’t really known at this point was how exactly the hack was done. Information was just recently released by the hackers themselves to a writer on the website spuz.me. What we know know is this breach is entirely Equifax’s fault.

Basically, Equifax had many “management panels” on their servers, each with a different function. Some of these panels were even publicly available to see, can be found on the IoT searching site shodan.io. In these panels, there was barely any security. The password for one of them was “admin:admin” Now the hackers confirmed not all the passwords were that easy, but the private keys for the panels were actually stored in the panels themselves. Not only that, but over 300 employee admin usernames and passwords were stored in plaintext in a javascript file.

The hackers are currently asking for 600BTC (~$2.2 million at the time of writing) for a full public dump of the data, or 4BTC (~$15k) for 1 million entries of the data. At the time of writing, no money has been sent to the bitcoin address.

It’s very scary how bad the security practices were in this scenario. This is a credit agency after all, and their security was laughable. How many other huge corporations out there have practices this bad? I guess only time will tell.

– Noah Kalinowski

Source

“Equifax Data Breach Could Affect half the U.S. Population”

Equifax is a very large credit reporting company who has experienced a cyber attack over the summer. The attack was discovered on July 29 but didn’t become public information until last Thursday, the 5th of September. This data breach could have affected 143 million people. The information that was exposed includes social security numbers, address, and birthday information. Equifax is also saying 209,000 credit cards were exposed including some from the UK and Canada. A big problem with this attack is Equifax was a service used to protect from identity theft but now the integrity of the site has been compromised by this attack.

Once Equifax discovered the breach they began working with private security companies to figure out what happened and how they should go about fixing it. The FBI is also investigating the attack to try and find who is responsible. Another big problem with this breach is it could affect you even if you have never been a customer of Equifax. Equifax collects info. from credit card companies to create credit scores so it is possible your card is one of the ones exposed.

The hack has been reported to have been caused by a vulnerability from a “website application” Not much has been said on the details of the hack. Another problem has popped up from this attack. Equifax has created a website to enter your information and see if you have been exposed to this attack. According to George Weidman Founder of the security firm Shevirah “It’s teaching people entirely the wrong things about using the internet securely”. If this new website has vulnerabilities it could expose even more people.

-Levi Walker

Sources:

http://abcnews.go.com/Technology/wireStory/equifax-data-breach-49724230

https://www.nbcnews.com/tech/security/massive-equifax-data-breach-could-impact-half -s-population-n799686

China’s Real-Name Policy

Starting October 1st, 2017, the Cyberspace Administration of China (CAC) will enforce new rules, forcing website operators and service providers to request and verify real names and other personal info from users when they register for accounts, and must report any illegal content to the authorities. While this may prevent people from spreading lies about the government or starting uprisings, it will most definitely do more harm than good.

The CAC has created a list containing what would be considered unlawful and forbidden from being posted online, and includes but is not limited to:

  • Opposing the principles defined in the Constitution
  • Spreading rumors, disrupting social order, and destroying social stability
  • Spreading pornography, gambling, violence, murder…
  • Insulting or slandering others and infringing upon others
  • Any other content that is prohibited by laws and administrative regulations

To sum it up, anything remotely offensive or negative towards others or the government is now considered illegal and punishable by law. VPNs have also been banned, so Chinese citizens have no choice but to abide by these laws or avoid the internet entirely, which in this day and age is something that’s incredibly difficult to do.

512px-National_Emblem_of_the_People's_Republic_of_China.svg

On top of censorship, the “Real-Name Policy” poses a tremendous security issue. The more websites someone signs up for, the more they put themselves at risk of having their personal information stolen. Originally, this Real-Name Policy only applied to large websites such as WeChat and Weibo that will have better security in place, but after October 1st it will be required by all websites, including smaller websites with less secure databases. This could result in a hierarchy or monopoly of sorts, as people will only use trusted and well-known websites in fear of having their information stolen. Either way, there will always be a possibility of having personal info stolen, causing the internet to be more dangerous than before this safety law was passed.

-Chris Heine

 

Sources:

https://thehackernews.com/2017/08/china-real-name-registration.html

http://thediplomat.com/2017/08/chinas-new-wave-of-internet-censorship-name-verification-for-online-commenting/

Picture from Wikipedia