Nearly Twenty Months Vulnerable

What’s latest on the list of ever growing computing security concerns? Well, nothing too kind, that’s for certain. Early last month a security flaw involving the United Kingdom’s online card carrier, Moonpig, was leaked on the internet. (Moonpig has three million customers.)

While it is standard for security issues, vulnerabilities, and risks to be revealed, something in particular makes the Moonpig’s situation a peculiar one. If not peculiar, then definitely vexing to say the last. According to sources, Moonpig’s methods of authentication leave much to be desired.

Since August 2013 — yes, that is correct, the year 2013, Moonpig has supposedly known about the insecure protection of user information on their website. This still unresolved monstrosity pretty much translates into the idea that the standard user has the ability to pretend to be someone else. Under the pretense as this other user, the system then gives the user access to account details, from home addresses and names to credit card tidbits.

Screen Shot 2015-02-22 at 9.58.09 PM

(Screenshot of Moonpig statement found on Paul Price’s blog)

This credit card information discloses the card’s last four digits, expiration, and card holder. Equally concerning is that Price reveals many companies create user identities consisting of user address, birthday, and final four credit card digits.

Under a secure system, Moonpig’s app should run an authentication process to crosscheck the request is being made by the account’s holder– good wonders, customer protection! Essentially, spoofing another user shouldn’t permit them to still gain this data access.

In a true exposition of catering to the customer, Moonpig has no such authentication. Of course, the fact this has been a fatal flaw since August 2013 becomes icing on the cake. (A definite lie of a cake, if you follow.) In any case, there have been no news updates from Moonpig since January. Granted, the upwards of a year and three quarters already creates quite the statement.

The original discoverer of Moonpig’s blatant lack of concern comes from security researcher Paul Price’s blog. Eventually he decided to go public the week of January 5. Although its API is currently down, who’s to say what has and hasn’t happened to customer information.

– Misha (mxb4099)

——–

Paul’s blog, for more technical detail: http://www.ifc0nfig.com/moonpig-vulnerability/

Read about the handy dandy “GetCreditCardDetails” method included.

Original Article Found: http://www.mirror.co.uk/news/technology-science/technology/moonpig-security-flaw-leaves-3-4926441

Further Reading:

“Rather than securely sending information protected by an individual’s username and password, the API sent every request protected by the same credentials…”

————-

Interesting side note; while I wasn’t sure a whole article was fit to be dedicated to the ‘security’ flaw of the newly released Rasberry Pi 2, it’s worth noting it has the innocent bug of crashing when its photo is taken.

https://nakedsecurity.sophos.com/2015/02/11/most-adorable-bug-raspberry-pi-2-crashes-when-you-take-a-photo-of-it/

 

Malware Found On Major Hard-Drives

Security researchers at Kaspersky Labs have discovered spyware hidden within the firmware of hard-drives made by Seagate, Western Digital, Toshiba, Mircron and Samsung. Kaspersky Labs found victims in thirty different countries such as, China, Russia, and Iraq. The victims fall into multiple categories, such as governments, military, Islamic activists, and mass media.

The organization responsible for these attacks are called the Equation Group by Kaspersky. While researchers at Kaspersky have not disclosed the country that Equation belongs to, they have speculated that Equation Group are also be responsible of Stuxnet, a National Security Agency spy program targeting the Iranian nuclear program. Therefore closely linking the Equation Group and the NSA.

The spyware is able to collect and copy data of the infected computers and is activated when the infected PC starts. It also has the ability to map out the network of the infected computer.

Lead researcher states that this would not be possible without the source code of the hard-drives. By looking through the source code for vulnerabilities, the hard drives could be exploited. While many of the hard-drive manufacturers have commented that they would not release their source code, Equation Group still managed to acquire it.

victim map

Links:

https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

-Zhi-Han Ling

Customer Records Stolen from 2nd Largest US Health Insurer

Hackers were able to access customer and employee records of Anthem, the second largest health insurer in the US. According to Anthem, the hackers were able to access names, birthdays, addresses, and SSNs, however based on the current information they did not access medical or financial information.

The breach was only discovered a little over a week ago when the systems administrator noticed queries being run on the database using his own credentials.

Based on information shared by an Athem spokeswoman, the company only encrypts data that is being transferred to or from the database meaning that the data stolen was not encrypted. Anthem relies on “other measures, including elevated user credentials, to limit access to the data when it is residing in a database.” However the attack relied on stolen employee credentials, no one is sure whether or not encrypting the data would have prevented the attack.

Sources:

China’s Great Firewall

Beginning in 1989, the People’s Republic of China, ruled by the Communist Party of China mandated censorship. Subjects varied over the many years, yet in the early 2000’s an internet censorship system was developed. The system is often referred to as the “The Great Firewall of China” and has blocked numerous sites and keywords, including the following (to name some); Google (Search, Google +, Maps, Docs, Drive, Sites, Picasa), Youtube. Facebook, Twitter, and Dropbox. Simply, the firewall is being used to block access to material critical of the Chinese government and control what information can be found on the internet (CNET). Recently, the filtering has become more strict so that officials may block unwanted material and services and it is now becoming more difficult for those who understand the use of VPNs (Virtual Private Networks) and their services to access websites. (Example: Astrill). In 2012, China temporarily cut VPN access almost completely, despite now it has not taken on any extreme actions. According to the Washington Post it is unclear whether it is because the government officials widely use these services or if it fears the public backlash. With this control of internet traffic and services, the effect has left businesses suffering with accessibility and research / use of data. Not only did it affect China, it affected the United States IT companies, especially Microsoft.

China may be dealing with a censorship, but what does that mean for us? This rise of censorship is becoming a concern for Internet users elsewhere in the world. With the heightened development of this firewall, web browsers all over the world trust the Chinese government to tell it which websites are genuine, leaving matters dangerous as Chinese hackers target foreign web services to steal user data. An example of this was the most recent hack on Microsoft Outlook.
About a week ago, foreign business groups including the American Chamber of Commerce in China and the US Chamber of Commerce wrote to the Chinese government protesting new rules that would force companies in banking and telecommunication sectors to use secure and controllable IT services in which the Chinese government have the ability to monitor which threatens to widen restrictions and includes security testing of intellectual property (local encryption algorithms) that comply with Chinese national standards, and limit the flow of cross-border commercial data. To anyone who obtains the keys, the hardware and software become vulnerable to Chinese hackers within the international companies. All of this essentially means is that the Internet may no longer be immune and turn against users anywhere in the world, giving governments the ability to take control by the use of source code and keys.

Links:

http://www.washingtonpost.com/blogs/worldviews/wp/2015/02/02/why-internet-users-all-around-the-world-should-be-worried-about-chinas-great-firewall/

http://www.wsj.com/articles/chinas-great-firewall-gets-taller-1422607143

http://www.washingtonpost.com/world/asia_pacific/is-this-north-korea-chinese-netizens-squirm-as-party-tightens-grip-on-internet/2015/01/28/79cfc809-21ea-4437-9d4b-5ece2cfc75f6_story.html

http://www.cnet.com/news/china-reinforces-its-firewall-doubles-down-on-socia-media/

http://www.zdnet.com/article/china-sets-new-regulations-for-foreign-tech-companies/

https://en.greatfire.org/

IP Camera Security and You!

NCIS haX0rs

Do you have a device in your house that just a few years ago wasn’t connected to the Internet? Does your fridge have its own Twitter account? Can your thermostat tell you your energy consumption from the other side of the planet? As the Internet of Things grows each day, the security risks of these devices increases. The fear your washing machine is watching too many Pay Per View programs while you are away is a scary thought for some. However it’s not too far off. These devices are made to work and pushed to production quickly to meet quarterly numbers. Such is the story of the Foscam Wireless IP security camera.

A nanny from Houston, Texas was changing 1 year old baby Samantha Durchholz when she heard a man speaking to her. There was no man in the home, but there was a voice coming from the family’s IP Camera. The nanny though it was her employer joking around, but as KXAN Houston reports, “It was a trick, but the baby’s parents weren’t in on it. A stranger managed to hack into the family’s password-protected Wi-Fi system and take control of the camera in the little girl’s bedroom”. This is not the only time a Foscam camera has been compromised. Early last year a similar incident happened to the same Foscam model. A man connected to the IP enabled camera and started shouting at 10 month old Allyson saying “Wake up Allyson, you little (expletive)” reports NBC News Keith Wagstaff. Foscam released a statement saying to make sure the firmware is up to date and the default password is easier than “123456”.

As the Internet of things grows, the security concern for these connected devices needs to be taken seriously. It’s great that I am able to monitor my property remotely and with ease, however when companies don’t spend the time and energy on making sure you are the only one accessing the device is critical. These are new threats to personal privacy that 5 years ago we didn’t focus on because we didn’t have WiFi enabled fridges. The bottom line is security must be proactive, not reactive. Also companies shouldn’t hard code passwords into their firmware.

Written By: Nikko Williard | February 2, 2015 | CSEC-101


http://www.nbcnews.com/tech/security/man-hacks-monitor-screams-baby-girl-n91546

http://kxan.com/2015/01/28/man-spooks-nanny-after-hacking-into-baby-monitor/