Way to go VTech.

One month ago a hacker revealed that he had broken into the toymaker VTech and retrieved a lot of information that was disturbing. Apparently, VTech had been storing  images, chat logs, home addresses, emails, names, genders and even birthdays of every customer. This would include the parents and their children who the products were most likely being used by.  Around 4,000,000 parents and 200,000 of the children using the products information was readily available for anyone who knew what they were doing. The hacker did not relinquish the way he was able to break into VTech, probably in an attempt to keep this information secret from people who want it but do not know how to hack, but has commented that he retrieved 190GB worth of photos and shared 3832 images with motherboard, a blogging site, with all the faces blocked out.VTech has yet to concretely say what their exact reasoning was but the wording of their attempt to justify it was so that they can send the password to the user directly. You know because that is such a GREAT idea, instead of just having them reset their password every time they forgot it because the company made it entirely impossible for them to access it on their own and with ease, I will just send you it back. The person that thought this was a good idea should get fired, like, two years ago.

https://nakedsecurity.sophos.com/2015/12/01/photos-of-kids-and-parents-chatlogs-audio-files-stolen-in-vtech-breach/

Advertisements

Security in Healthcare

According to a recent survey, Healthcare is the latest favourite of the hacking community. There’s a shortage of security professionals in the healthcare business, and while many respondents involved in tech are worried about personal records and other data, the ones who aren’t involved in tech, while worried, do not believe their corporations to have been hit.

The tech respondents have a right to be worried. Recently, it’s come to light that Healthcare experiences 340% more security attacks and incidents than any other sector, and advanced malware is suspected in 1 of every 600 attacks, making Healthcare four times more likely to be hit by advanced malware than any other sector.

There are many ways that hackers can get in. With the digitalization of patient records, as well as the addition of wearable technology, such as smart watches and smartphones, hackers are finding many new avenues to break into the system. While security for wearable technology is a separate issue, Jonathan Collins, a principal analyst for ABI Research says that they can pave the way for easier access to Healthcare records.

By Kathleen H. Justen

http://www.technewsworld.com/story/82638.html

Are baby monitors the new targets for hackers?

Rapid 7 released reports the beginning of this month describing newfound vulnerabilities in baby monitors. Theses faulty monitors, from several different manufactures, were found to leak predictable information, backdoor credentials and privilege escalation. Hackers have the ability to tap into these baby monitors since little security measures are taken to protect the content stored or tied to them.

According to this article by Richard Adhikari “Backdoor credentials — the vulnerability most frequently found — showed up in five products from different manufacturers.” This finding tells me that manufactures do not have proper restrictions on encrypting information on these monitors.

So what’s the big deal if hackers have access to the baby monitors in your house, it’s not like a great deal of financial or personal information is tied to it right? No, it’s not like they are accessing that type of information but what can be leaked by hacking into these monitors include: video and audio from the device; from a live stream or previously recorded clips, according to Mark Stanislav, senior security consultant for global services at Rapid7. No parent aware of these capability cyber intruders have would allow for a device in their home in which a stranger could watch their child.

“In the race to market and bring products to consumers, inattention to security is likely to be an issue”, said Craig Spiezle, executive director of the Online Trust Alliance. It is morally wrong for companies to make production of their product more important that the security of the device. Manufacturers “need to look at the risk and vulnerability and areas for abuse…. they need to design in the ability to patch or remediate once the product leaves their factory”, alleged Craig Spiezle. The problem only gets worse if you consider other uses of these defective products in the business sphere, compromised devices could be used to spy on people in their offices.

Source: http://www.technewsworld.com/story/82449.html

Author: Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it’s all leading.

By: Lisa Hornak

Apple Malware Theft

Today Apple had what quickly becoming know as their largest account theft, due to malware. Palo Alto Networks and Weip Tech came across a server that held over 225, 000 valid user names and passwords that had been stolen via a new malware family named KeyRaider in the iOS.

The malware only effects users with jailbroken iOS devices has struck users in 18 countries. According to Claud Xiao, “The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.”

KeyRaider is also stealing Apple’s push notifications and private keys, but it’s also sharing the App store’s purchasing information. These stolen credentials eventually allow users to make purchases for free using iOS jailbreak tweaks.

They’ve also been locking down devices, and holding them for ransom. It disables unlocking operations, and demands a ransom without going through the Apple push servers.

According to Jonathan Sander (the Lieberman Software VP), and Tim Erlin (Tripwire’s Director of IT Security and Risk Strategy), jailbreaking your iPhone paints a target on your back, and in this case it was taken advantage of.

~ Kathleen Justen

http://www.esecurityplanet.com/mobile-security/225000-apple-credentials-stolen-via-ios-malware.html

Apple Releases ‘Rootpipe’ Patch

Apple released a software patch this past week to address a security hole created by a hidden backdoor API known as Rootpipe. Rootpipe was discovered in October of 2014. It leaves a vulnerability in OS X that has existed since at least release 10.7. The API can be exploited to gain root privileges.

A patch has been released this past week to address the issue. Latest updates to the OS X operating system will include this patch. However, Apple will not be releasing a patch for any system running below version 10.10. Of three billion internet users NetMarketShare data shows that around 3.1 percent of them are using Mac OS versions with the vulnerability, 10.7/8/9 that will not be patched. Forbes estimates that conservatively this will mean that two percent of three billion internet users will remain vulnerable to the exploit, around sixty million computers.

Although the vulnerability was discovered last October it has been part of Mac OS X since 2011 when version 10.7 was originally released. Mac users should update their software as soon as possible to patch this as well as around eighty other security issues.

Jacob R Hooker

Edit: An earlier version of this article misstated the world’s estimated three billion internet users as Mac users and has been updated to correct the error.

Source:

http://www.forbes.com/sites/thomasbrewster/2015/04/09/apple-leaves-rootpipe-backdoors-in-3-per-cent-of-all-pcs-on-the-planet/?ss=Security

http://www.securityweek.com/apple-finally-patches-%E2%80%9Crootpipe%E2%80%9D-privilege-escalation-flaw-os-x