In what’s turning out to be the zero day that keeps on giving, researchers are still finding ways to exploit an unpatched denial of service vulnerability that exists in the way Windows implements the Server Message Block protocol. Details around the bug aren’t a mystery. Laurent Gaffié, the security researcher who found the vulnerability, made exploit code for it public on GitHub when he disclosed it on February 2. Researchers are claiming, however, that there are a handful of easier ways to exploit it. Gaffié’s proof of concept relies on tricking a victim into connecting to a malicious SMB server instance, something that could prove challenging for an attacker. Experts with Dell SecureWorks said Monday that it could be more effective for attackers to combine Gaffié’s attack with a redirect-to-SMB vulnerability from 2015 to crash a victim’s machine. The redirect-to-SMB vulnerability, first uncovered by researchers at Cylance in April 2015, affected all versions of Windows when it was announced. If exploited, victims could be forwarded to a file:// URL on a malicious server. That would have prompted Windows to automatically attempt authentication via SMB to the server, which logged the encrypted user credentials so that they could be cracked offline. Microsoft disputed the bug in 2015 and said that several factors – namely successfully luring a person to enter data into a fake website – would need to come together in order for an attack to work. To combine the vulnerability with Gaffié’s proof of concept, a scenario would require two systems, researchers say. An attacker would have to run the SMB zero day proof of concept code on one system and use the other for the redirect-to-SMB attack. After putting the malicious redirect-smb.php file in that web server’s public directory, the attacker would have to trick a user into clicking it on a Windows 10 system running Internet Explorer.
From there, the link would redirect a victim’s system to the attacker’s SMB server, the denial of service attack would be initiated, and a blue screen of death would be displayed. According to SecureWorks researchers Mitsuyoshi Ozaki and Hironori Miwa, an attacker could also hide the SMB DoS exploit in a hyperlink or an inline image to trick users. While the vectors wouldn’t work for every browser – exploits didn’t work for Firefox or Chrome when they tested – they could be used against the latest versions of Edge and Internet Explorer, Ozaki and Miwa claim. An attacker could also exploit the zero day through unvalidated redirects, HTTP header injection or cross-site scripting, the researchers warn. Each attack functions more or less the same way and gives an attacker a different way to try to get the victim to click a link or follow a redirect. The same advice that the United States Computer Emergency Readiness Team gave at the beginning of the month about the vulnerability is still valid, SecureWorks researchers said. In an advisory pushed after the vulnerability was disclosed, US-CERT said that to mitigate the vulnerability, concerned organizations should consider blocking outbound SMB connections, on TCP ports 139 and 445 along with UDP ports 137 and 138, from the local network to external networks. When pressed at the beginning of February, Microsoft said that it considers the vulnerability – a remotely triggered DoS bug in SMB for Windows 8.1, Windows 10, Windows Server 2012 R2, and Windows Server 2016 – low risk. Despite the vulnerability’s “low risk,” it was still assumed Microsoft would fix the flaw with February’s Patch Tuesday security updates. Instead, Microsoft elected to skip the release.
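The US-CERT egress advice above can also be turned into a check of what actually left the network. The following is an added example, not code from the article or from SecureWorks; the iptables-style log format and the sample lines are constructed for it.

```python
"""Added example (not from the article): apply the US-CERT mitigation above
as a detection check over firewall logs.

Outbound TCP 139/445 and UDP 137/138 from the local (RFC 1918) network to
any external address is reported. The log format is iptables/netfilter
style ("SRC= DST= PROTO= DPT=" fields) and every sample line below is
constructed for this example, not captured from a real device.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Ports named in the US-CERT advisory quoted in the article.
SMB_PORTS = {"tcp": {139, 445}, "udp": {137, 138}}

# "Local network" per the advisory: the RFC 1918 private ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract SRC/DST/PROTO/DPT from one log line; None if any is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    return fields


def is_internal(ip) -> bool:
    """True for an address inside one of the RFC 1918 ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def is_outbound_smb(fields: Dict[str, str]) -> bool:
    """True when an internal host sends SMB/NetBIOS traffic to an external host."""
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        port = int(fields["DPT"])
    except ValueError:
        return False  # malformed field: not a confirmed hit
    if port not in SMB_PORTS.get(fields["PROTO"].lower(), set()):
        return False
    return is_internal(src) and not is_internal(dst)


def find_outbound_smb(lines: List[str]) -> List[str]:
    """Return the log lines that the advisory's egress rule should have blocked."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is not None and is_outbound_smb(fields):
            hits.append(line)
    return hits


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for external hosts.
SAMPLE_LOG = [
    "kernel: FWD IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=445",
    "kernel: FWD IN=eth0 OUT=eth0 SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=51235 DPT=445",
    "kernel: FWD IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=198.51.100.7 PROTO=UDP SPT=137 DPT=137",
    "kernel: FWD IN=eth0 OUT=eth1 SRC=192.168.1.22 DST=203.0.113.10 PROTO=TCP SPT=51236 DPT=443",
]

if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOG):
        print("outbound SMB/NetBIOS:", hit)
```

Only the first and third sample lines are reported: internal-to-internal SMB and outbound HTTPS are left alone.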
The company never disclosed exactly why it postponed the round of patches, instead saying that it “discovered a last minute issue that could impact some customers.” Gaffié – who disclosed the bug to Microsoft in November – released details around the bug a week before he assumed it was going to be patched. He never thought Microsoft would sit on the patch. “I decided to release this bug one week before the patch is released, because it is not the first time Microsoft sits on my bugs,” he said at the time. “I’m doing free work here with them (I’m not paid in anyways for that) with the goal of helping their users. When they sit on a bug like this one, they’re not helping their users but doing marketing damage control, and opportunistic patch release. This attitude is wrong for their users, and for the security community at large.” A second vulnerability, a flaw in Windows’ GDI library discovered by Google’s Project Zero researchers, also remains unpatched. That vulnerability, called “high severity” by Google, affects Microsoft’s Internet Explorer and Edge browsers. Microsoft is expected to fix both issues in two weeks as part of March’s Patch Tuesday update. The post Unpatched SMB Zero Day Easily Exploitable appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/unpatched-smb-zero-day-easily-exploitable/
The Dridex banking Trojan has been updated and now sports a new injection method for evading detection based on the technique known as AtomBombing. Researchers with IBM X-Force identified the new Dridex v4 sample earlier this month and said it is already in use in active campaigns against U.K. banks. They said it’s only a matter of time before cybercrime gangs begin targeting U.S. financial institutions. “Over the long reign of Dridex v3, we have seen some significant changes implemented into the malware’s operations, such as modified anti-research techniques, redirection attacks and fraudulent M.O. changes. It is not surprising to see a new major version released from this gang’s developers,” according to an X-Force report on Dridex v4 released Tuesday. As with previous campaigns, Dridex exhibits typical behavior of monitoring a victim’s traffic to bank sites and stealing login and account information. The biggest change is tied to Dridex v4’s code injection method. Code injection, researchers point out, is one of the most closely monitored processes by antivirus and other security solutions. Current injection techniques by previous versions of Dridex have become too common and easy to spot, they said. That’s forced cyber gangs to leverage AtomBombing in a new version of Dridex. AtomBombing is a different approach to code injection that doesn’t rely on easy-to-spot API calls used by previous versions of Dridex. The AtomBombing technique, first spotted in October 2016 by enSilo researchers, allows Dridex v4 to inject code sans the aforementioned API calls. “AtomBombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write memory space in the target process,” according to the report authors. “It then uses NtSetContextThread to invoke a simple return-oriented programming chain that allocates read/write/execute memory, copies the payload into it and executes it. 
Finally, it restores the original context of the hijacked thread.” Atom tables are a feature of the Windows operating system that allows applications to store and access temporary data and to share data between applications. An attacker can write malicious code into an atom table and force a legitimate program to retrieve it from the table, researchers describe. What makes Dridex v4 different from other AtomBombing attacks is that the attackers only use “the technique for writing the payload, then used a different method to achieve execution permissions, and for the execution itself,” according to co-authors of the X-Force report Magal Baz and Or Safran. Where Dridex v4 differs is at the tail end of the AtomBombing technique, where “Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into the read/write/execute (memory).” That sets Dridex up to use a Windows asynchronous procedure call (APC) to invoke GlobalGetAtomA, which executes the payload, X-Force said. “The last stage is the execution of the payload. To avoid calling CreateRemoteThread, Dridex again uses APC. Using an APC call to the payload itself would be very suspicious,” said researchers. Instead, Dridex v4 uses “the same GlobalGetAtomW method to patch GlobalGetAtomA, hooking it to execute the payload.” X-Force said this specific implementation of AtomBombing is the first of its kind in the context of banking Trojans and is designed to cloak the malware’s activities. Other enhancements to Dridex v4 include a modified naming algorithm, enhanced encryption for its configuration and an updated persistence mechanism. “The changes to Dridex’s code injection method are among the most significant enhancements in v4,” wrote researchers.
“The adoption of a new injection technique shortly after its discovery demonstrates Dridex’s efforts to keep up with the times and the evolution of security controls.” Over the years, the cybercriminals behind the different versions of the Dridex Trojan have been extremely persistent. While campaigns have fluctuated in volume, innovation in the malware has been consistent. In January, researchers at Flashpoint said they spotted a new variant of the Dridex Trojan with a technique that can bypass Windows User Account Control (UAC). In 2015, an older version of Dridex started using a detection evasion technique called AutoClose that involved phishing messages containing macro-based attacks that did not execute until the malicious document was closed. The post Dridex Trojan Gets A Major ‘AtomBombing’ Update appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/dridex-trojan-gets-a-major-atombombing-update/

Google Project Zero’s 90-day disclosure policy bites Microsoft again as a zero-day Edge/IE vulnerability is made public before a patch is available. The post Edge and IE vulnerability disclosed by Project Zero appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/edge-and-ie-vulnerability-disclosed-by-project-zero/

More than two million voice messages, many of them from children, along with the personal information of more than 800,000 registered users, were swiped from an exposed MongoDB instance storing data collected from an internet-connected toy called CloudPets. These IP-enabled teddy bears allow children to send and receive messages through the toy to and from others over the Internet. Parent company Spiral Toys had been notified by two security researchers working independently of each other, and only after a public disclosure published last night by Troy Hunt did the company finally surface, and then it deflected blame.
CEO Mark Myers told Network World it was a minimal issue and that an attacker would only be able to access recordings if they were able to guess the user’s password. Spiral Toys, however, had minimal password requirements if a video shared by Hunt is any indication, meaning that it would be relatively simple for a determined attacker to crack the passwords. Myers also said that his company outsources server management, and that the third party is to blame for the shoddy security. A request for comment from Threatpost was not returned in time for publication. MongoDB instances have been targeted heavily since January, with attackers accessing unprotected databases, copying data and then deleting the information before leaving behind a ransom note demanding payment in Bitcoin. “People that hunt for these kinds of data normally silently go in, get the data and leave without tripping alarm bells,” said Victor Gevers of the GDI Foundation, who has been instrumental in exposing this new extortion trend. “That has been going on for years. Since January this year, there are new destructive open system attacks that simply wipe everything and then leave a ransom note.” Gevers also found the CloudPets data exposed online and notified the toy maker on Dec. 30 and 31 via three emails, a message to the Spiral Toys Twitter account and a LinkedIn invite to Myers, none of which were acknowledged, he said. He also filed a ticket in Spiral Toys’ support area with ZenDesk, which he said sends an automated reply that the support request has been received. Hunt’s timeline is similar, though he also tried to contact the toymaker via its WHOIS record contact and its hosting provider Linode on Dec. 30, 31 and Jan. 4. Hunt said that on Jan. 7 the original databases were deleted and a ransom demand called “PLEASE_READ” was left behind, similar to other attacks against MongoDB installations.
A day later, another ransom demand was left called “README_MISSING DATABASES,” and another called “PWNED_SECURE_YOUR_STUFF_SILLY.” As has been the trend in other MongoDB attacks, hackers will access the same database over and over again swapping out ransom notes and demands. The researchers speculate that it’s likely the data was accessed and possibly copied out numerous times before it was deleted. “This database was open to the world because of MongoDB’s unsafe default settings which are accessible to all with full admin rights (if you don’t lock it down),” Gevers said. “In January, there were these MongoDB ransack/ransom attacks and also this database server became a victim on the 12th of January and the staging database was deleted. “But it has been open for a long time (according to Shodan history files) so enough people must have copied the entire database which is pretty common with open systems,” Gevers said. “I have seen a lot of log files during the ransom attacks so I know from experience how quickly open systems are found, how quickly data gets exfiltrated.” The disturbing part aside from the technical stumbles is that numerous parties accessed and copied personal messages between parents and children. Anyone can use a mobile app to send messages to the CloudPets teddy bear, which then can be listened to by the child, who can then reply through the bear. The child’s response is sent back to the mobile app. Hunt said in his report that the databases were on a publicly facing network segment without authentication required and had been indexed by the Shodan search engine. Hunt was informed of the breach by a friend, he explains in his disclosure. He verified the data was legitimate and quickly surmised that the data had been accessed by many parties. Gevers, meanwhile, said that 821,396 registered users, 371,970 friend records, and 2,182,337 voice messages were in the database that was wiped. 
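Gevers’ point about unsafe defaults can be checked against the server’s own configuration. The following added example, not code from MongoDB or Spiral Toys, audits a mongod.conf for the two settings involved (bind address and authorization); both configurations in it are constructed.

```python
"""Added example (not MongoDB's or Spiral Toys' code): audit a mongod.conf
for the two settings behind the exposure described above.

Checks net.bindIp / net.bindIpAll (listening on every interface) and
security.authorization (whether clients must authenticate). Both
configurations below are constructed for this example. Releases of that
era bound to all interfaces unless told otherwise; 3.6 changed the default
to localhost, so an absent bindIp is flagged as version-dependent.
"""
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]


def parse_mongod_conf(text: str) -> Conf:
    """Parse the 'section:\\n  key: value' subset of YAML used by mongod.conf.
    Deliberately not a full YAML parser; enough for the keys audited here."""
    conf: Conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # top-level section name
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit(conf: Conf) -> List[str]:
    """Return one finding per unsafe setting; an empty list means both checks pass."""
    findings = []
    net = conf.get("net", {})
    bind = net.get("bindIp")
    addrs = [a.strip() for a in bind.split(",")] if bind else []
    listens_everywhere = (
        net.get("bindIpAll", "false").lower() == "true"
        or any(a in ("0.0.0.0", "::") for a in addrs)
    )
    if listens_everywhere:
        findings.append("net: listens on all interfaces; reachable from the internet if not firewalled")
    elif bind is None:
        findings.append("net.bindIp not set: bind address falls back to the server version's default")
    auth = conf.get("security", {}).get("authorization", "disabled").lower()
    if auth != "enabled":
        findings.append("security.authorization not enabled: any client that can connect has full access")
    return findings


# Constructed: the shape of an exposed instance (no security section at all).
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
  port: 27017
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed: local-only listener plus mandatory authentication.
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_mongod_conf(text)) or ["ok"])
```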
Hunt explained in his report that, through an investigation of how the mobile app communicates with the Spiral Toys server, he discovered that the server’s domain resolved to the same IP address as the exposed databases, meaning that production and staging servers were on the same physical box. He also learned that the company stores uploaded data such as voice messages and profile pictures in an Amazon S3 bucket that was accessible just by knowing the file path. The profile also contains other personal data such as children’s names and their relationships to other users authorized to share messages with a child. “Once again, an Amazon S3 bucket with no specific authorization required, merely knowledge of the file path which is obviously stored in the app itself (returned via the API),” Hunt wrote. “Based on how CloudPets position their toys, you can imagine the sorts of voice messages the system contains. “The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children,” he wrote. Gevers, meanwhile, shared one of his emails to Spiral Toys with Threatpost. In it he explains the problem and provides evidence of how many records were exposed. He also gives them advice on locking down their MongoDB instance and on informing customers of the situation. “I hope that SpiralToys does what is in the best interests of their customers and that is to inform them about this breach and give a good and solid advice what to do (remind them about weak passwords or password reuse),” Gevers said. “Transparency and being helpful should be your highest priority when you deal with sensitive data leaks as these.” The post Children’s Voice Messages Leaked in CloudPets Database Breach appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/childrens-voice-messages-leaked-in-cloudpets-database-breach/

For the past few weeks attackers have been probing networks for switches that can potentially be hijacked using the Cisco Smart Install (SMI) protocol. Researchers from Cisco’s Talos team have now released a tool that allows network owners to discover devices that might be vulnerable to such attacks. The Cisco SMI protocol is used for so-called zero-touch deployment of new devices, primarily access layer switches running Cisco IOS or IOS XE software. The protocol allows newly installed switches to automatically download their configuration via SMI from an existing switch or router configured as an integrated branch director (IBD). The director can copy the client’s startup-config file or replace it with a custom one, can load a particular IOS image on the client and can execute high-privilege configuration mode commands on it. Because the SMI protocol does not support any authorization or authentication mechanism by default, attackers can potentially hijack SMI-enabled devices. This is an abuse of a feature that works as intended, so there is no vulnerability to be patched, but Cisco has published a security advisory and blog post with information about how customers can detect and block such attacks. The company has provided a new IPS (intrusion prevention system) signature and Snort rules to detect the use of Smart Install in customer networks. The recent Smart Install scanning activity observed in the wild might be related to the recent release of an open-source tool called the Smart Install Exploitation Tool (SIET). Customers who don’t need the Cisco Smart Install functionality should simply disable the feature in their switches. Those who do need it should follow Cisco’s mitigation advice. The team from Cisco Talos has developed and released its own scanning tool that customers can use to find switches with Smart Install enabled on their networks.
The tool is called the Smart Install Client Scanner and was published on GitHub. The post This tool can help you discover Cisco Smart Install protocol abuse appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/this-tool-can-help-you-discover-cisco-smart-install-protocol-abuse/

When researchers demonstrated the first practical collision attack for the cryptographic hash function SHA-1 last week, they also identified related vulnerabilities in systems that depend on the now-compromised algorithm. According to the SHAttered research post, co-authored by Google and a host of cryptography experts, the popular Apache Subversion repository is vulnerable to corruption via SHA-1 collided files. Researchers also warned that git, a version control system used by software developers, is vulnerable to SHA-1 related attacks. According to researchers, in the case of git, because it strongly relies on SHA-1 for the identification and integrity checking of all file objects and commits, there is a window of opportunity for an attack. “It is essentially possible to create two git repositories with the same head commit hash and different contents, say a benign source code and a back-doored one. An attacker could potentially selectively serve either repository to targeted users. This will require attackers to compute their own collision,” according to the SHAttered report. “The sky isn’t falling,” said Linux kernel creator Linus Torvalds in a blog post over the weekend. “There’s a big difference between using a cryptographic hash for things like security signing, and using one for generating a ‘content identifier’ for a content-addressable system like git,” he wrote. Torvalds noted that the nature of the SHA-1 git attack would be easy to mitigate against as well.
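To make concrete what “content identifier” means here, the following added example (not git’s own code) re-implements git’s object naming, which hashes a type-and-size header ahead of the content, together with the fsck-style NUL check Torvalds refers to; the commit fields and sample inputs are constructed.

```python
"""Added example (not git's own code): how git turns content into a SHA-1
object id, and the kind of structural check `git fsck` performs.

Git hashes "<type> <size>\\0<content>", not the bare file, and uses the
result as the object's name; that is the "content identifier" use Torvalds
contrasts with signing. Because the header is part of the hashed bytes, a
collision found on bare files does not carry over to blob ids unless it was
computed with that header in the prefix. Sample inputs are constructed; the
ids for the empty blob and "hello\\n" match what `git hash-object` produces.
"""
import hashlib
from typing import List


def git_object_id(obj_type: str, content: bytes) -> str:
    """SHA-1 over the object header plus content, as stored in .git/objects."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def raw_sha1(content: bytes) -> str:
    """Plain SHA-1 of the bytes, for comparison with the git object id."""
    return hashlib.sha1(content).hexdigest()


def verify_object(obj_type: str, content: bytes, expected_id: str) -> bool:
    """Integrity check: does the stored content still hash to its name?"""
    return git_object_id(obj_type, content) == expected_id


def commit_object(tree: str, parents: List[str], author: str, message: str) -> bytes:
    """Serialize a commit the way git does (author/committer lines simplified)."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {author}"]
    return ("\n".join(lines) + "\n\n" + message).encode()


def fsck_warnings(obj_type: str, content: bytes) -> List[str]:
    """Subset of the structural checks `git fsck` runs, named after its
    message ids: a NUL in a commit ends `git log` output early, so bytes
    hidden behind it are flagged instead of silently accepted."""
    warnings = []
    if obj_type == "commit" and b"\0" in content:
        warnings.append("nulInCommit: NUL byte in commit object")
    if obj_type == "commit" and not content.startswith(b"tree "):
        warnings.append("missingTree: commit does not start with a tree line")
    return warnings


if __name__ == "__main__":
    print(blob_id(b""))         # e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
    print(blob_id(b"hello\n"))  # ce013625030ba8dba906f756967f9e9ca394464a
    sneaky = commit_object(blob_id(b""), [], "A U Thor <a@example.com> 0 +0000",
                           "Fix typo\0hidden payload")
    print(fsck_warnings("commit", sneaky))
```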
“If you host your project on something like http://github.com or kernel[.]org, it’s already sufficient if the hosting place runs the checks every once in a while–you’ll get notified if somebody poisoned your well,” Torvalds wrote. According to Kevin Bocek, chief security strategist for Venafi, running checks might not be sufficient, however. “While Torvalds argues that the necessary hacks for this would be obvious since they’d introduce changes to code, flaws in open source code can go unnoticed for years. Several recent high-profile vulnerabilities, such as Heartbleed, did just that,” Bocek said. Torvalds touches on this concern in his post. “The git internal data structures are actually very transparent too, even if most users might not consider them so. There are places you could try to hide things in (in particular, things like commits that have a NUL character that ends printout in ‘git log’), but ‘git fsck’ already warns about those kinds of shenanigans,” he wrote. Even if flaws went unnoticed, Torvalds said, “Git will eventually transition away from SHA-1. There’s a plan, it doesn’t look all that nasty, and you don’t even have to convert your repository.” He didn’t mention a timeline in his post, only noting, “it’s not like this is a critical ‘it has to happen now thing’.”

Apache Subversion Vulnerable Too

As part of its SHAttered report, researchers are also warning that the popular Apache Subversion (SVN) repository, used by the software developers of FreeBSD, SourceForge and CodePlex, is vulnerable to corruption if SHA-1 collided files are added to the repository. “Subversion servers use SHA-1 for deduplication and repositories become corrupted when two colliding files are committed to the repository. This has been discovered in WebKit’s Subversion repository and independently confirmed by us,” the SHAttered report warned.
Nick Sullivan, cryptography expert at Cloudflare, points out that the Apache Subversion flaw only becomes a vulnerability when the rep-sharing feature that deletes duplicate files is turned on. If two different files that have the same hash are placed into the same repository, the rep-sharing feature will be corrupted and not work, he said. “The worst you could do as an attacker would be to cause people interacting with a repository to not be able to use certain third-party tools or any tool that uses the rep-share tool,” Sullivan said. It’s important not to conflate the onerous task of finding a new SHA-1 collision with how SHA-1 collided files can be used to corrupt SVN repositories, he said. “This is a story about SHA-1 being used as an identifier in SVN. How expensive it is to find a new (SHA-1) collision is irrelevant to this bug because all you need to do is use the collision that already exists,” he said. The post Torvalds Downplays SHA-1 Threat to Git appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/torvalds-downplays-sha-1-threat-to-git/

A company that sells internet-connected teddy bears that allow kids and their far-away parents to exchange heartfelt messages left more than 800,000 customer credentials, as well as two million message recordings, totally exposed online for anyone to see and listen to. Since Christmas day of last year and at least until the first week of January, Spiral Toys left customer data of its CloudPets brand on a database that wasn’t behind a firewall or password-protected. The MongoDB instance was easy to find using Shodan, a search engine that makes it easy to find unprotected websites and servers, according to several security researchers who found and inspected the data. The exposed data included more than 800,000 emails and passwords, the latter secured with the strong, and thus supposedly harder to crack, hashing function bcrypt.
Unfortunately, however, a large number of these passwords were so weak that it’s possible to crack them, according to Troy Hunt, a security researcher who maintains Have I Been Pwned and has analyzed the CloudPets data. During the time the data was exposed, at least two security researchers, and likely malicious hackers, got their hands on it. In fact, at the beginning of January, during the time several cybercriminals were actively scanning the internet for exposed MongoDB databases to delete their data and hold it for ransom, CloudPets’ data was overwritten twice, according to researchers. Two researchers warned Motherboard of this security breach independently in the last few weeks. With their help, Motherboard was able to verify that the breach was legitimate. As we’ve seen time and time again in the last couple of years, so-called “smart” devices connected to the internet—what is popularly known as the Internet of Things or IoT—are often left insecure or are easily hackable, and often leak sensitive data. There will be a time when IoT developers and manufacturers learn the lesson and make secure-by-default devices, but that time hasn’t come yet. So if you are a parent who doesn’t want your loving messages with your kids leaked online, you might want to buy a good old-fashioned teddy bear that doesn’t connect to a remote, insecure server. “It only takes one little mistake on behalf of the data custodian […] and every single piece of data they hold on you and your family can be in the public domain in mere minutes,” Hunt wrote in a blog post about the incident.
“If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen.” News of the breach of CloudPets comes just a few days after Germany warned parents that an internet-connected doll could spy on their children and forced it out of the stores. This is also the latest in a growing string of embarrassing security incidents for toymakers, the worst one being that of Hong Kong-based VTech, which lost the personal data of 6.3 million children and 4,854,209 parents, including selfies they took and private chats they had. Spiral Toys, which appears to be based in California, could not be reached for comment. Multiple emails to different addresses were not answered, and no one from the company answered any of the phone numbers associated with it. The company appears to be in financial trouble and might be going bankrupt, given that its stock value is around zero. The CloudPets database is making the rounds in the internet underground, according to both Hunt and Victor Gevers, the chairman of the non-profit GDI Foundation, which discloses security issues to affected victims. Gevers saw the database while it was exposed online at the end of last year, and said it contained data on 821,396 registered users, 371,970 friend records (profile and email) and 2,182,337 voice messages. The voice messages themselves were not in the database, according to the researchers. But Hunt found out that they were stored in an Amazon S3 bucket that doesn’t require authentication. So as long as hackers could guess the URL of the files, they could listen to the messages. Hunt said he believes that was definitely possible.
Moreover, many customers used incredibly weak passwords such as 123456 or “cloudpets” (in part probably because the app allowed users to create accounts even with a password as short as “qwe,” as a video accompanying the original report showed), making it trivial to log into their accounts and listen to the saved messages. To make matters worse, the data was exposed two months ago, and since then the company hasn’t notified the victims, nor disclosed the breach. “They were very irresponsible because they had to know about this. I have been ringing so many doorbells,” Gevers told Motherboard. “People make mistakes. It’s the action that follows up which defines your character. Handling serious data leaks like this proves a lack of the right personality and then you should not be in this industry or in any in which you are responsible for such data.” Gevers said he found the database online in late December and tried to alert the company to the risks of leaving such data exposed online. However, he couldn’t get any answer from CloudPets or its parent company Spiral Toys. Eventually, hackers wiped the open database as part of widespread ransom attacks on open databases on January 12, according to Gevers. “I have been trying to reach through email, Linkedin, Zendesk, Twitter,” Gevers told Motherboard in an online chat. “I even tried to reach the people via the private email. Never got a response.” Jason Pagel, a student in a workshop that Hunt taught last week and a father to a 6-year-old girl, found out about the breach thanks to Hunt, and was appalled by the leak. “My bigger concern is that someone may be able to use this information to send inappropriate messages to my 6-year-old daughter,” Pagel told Motherboard via email. “[My parents] certainly won’t be sending any more messages to their granddaughter through this.
And while I doubt we will throw the toy away, it’s effectively been reduced to a way overpriced stuffed animal.” The post Internet Of Things Teddy Bear Leaked Two Million Parent And Kids Message Recordings appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/internet-of-things-teddy-bear-leaked-two-million-parent-and-kids-message-recordings/

BARCELONA — Homeowners worried about cybersecurity attacks on IP-connected devices like lights, baby monitors, home security systems and cameras will soon be able to take advantage of a $200 network monitoring device called Dojo. The device, called a pebble, was shown at Mobile World Congress here this week and will go on sale online in April. While the Dojo device isn’t intended to provide enterprise-level security, it could help, in a small way, in warding off massive attacks like the one that used the Mirai botnet, which took advantage of insecure, consumer-grade cameras and other devices last October. The Dojo by BullGuard is a home security device that analyzes IP packets as they arrive through a Wi-Fi router. Yossi Atias, co-founder and CEO of Dojo-Labs, now a part of U.K.-based security provider BullGuard, said it will be the first product of its kind to hit the market, although security software companies Norton and McAfee are expected to offer competing consumer products later this year. The Dojo hardware connects with a cable to a home’s Wi-Fi router to intercept IP packets and block real-time cyberattacks. It uses artificial intelligence and machine learning to customize a security policy for each device on the network, the company said. Atias demonstrated how the device connects to a smartphone app and alerts a homeowner when an attack on a device occurs. Settings allow a user to block the online attack remotely.
The device can also prevent privacy issues by alerting a homeowner if a television, a child’s toy or another object could be monitoring conversations that companies want to use for marketing purposes, Atias said. Nearly two years ago, it was discovered that Samsung TVs could be used to listen to homeowners through a voice command feature. The device runs on a Linux OS. The $199 price includes one year of service. After that, the service costs $10 a month. The post Here’s a new way to prevent cyberattacks on home devices appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/heres-a-new-way-to-prevent-cyberattacks-on-home-devices/

If you own a stuffed animal from CloudPets, then you had better change your password for the product. The toys — which can receive and send voice messages from children and parents — have been involved in a data breach involving more than 800,000 user accounts. The breach, which grabbed headlines on Monday, is raising concerns from security researchers because it may have given hackers access to voice recordings from the toy’s customers. But the company behind the products, Spiral Toys, is denying that any customers were hacked. “Were voice recordings stolen? Absolutely not,” said Mark Myers, CEO of the company. Security researcher Troy Hunt, who tracks data breaches, brought the incident to light on Monday. Hackers appear to have accessed an exposed CloudPets database, which contained email addresses and hashed passwords, and they even sought to ransom the information back in January, he said in a blog post. The incident underscores the danger with connected devices, including toys, and how data passing through them can be exposed, he added. In the case of CloudPets, the brand allegedly made the mistake of storing the customer information in a publicly exposed online MongoDB database that required no authentication to access. That allowed anyone, including hackers, to view and steal the data.
On the plus side, the passwords exposed in the breach are hashed with the bcrypt algorithm, which makes each guess expensive and brute-force cracking slow. Unfortunately, CloudPets placed no requirement on password strength, meaning that even a single character such as the letter “a” was acceptable, according to Hunt, who was given a copy of the stolen data last week. As a result, Hunt was able to crack a large number of the passwords simply by checking them against common terms such as qwerty, 123456 and cloudpets. “Anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings,” Hunt said in his blog post. Security researcher Victor Gevers of the GDI Foundation said he also discovered the exposed CloudPets database and tried to contact the toy maker in late December. However, both Gevers and Hunt said the company never responded to their repeated warnings. On Monday, California-based Spiral Toys, which operates the CloudPets brand, claimed the company never received the warnings. “The headlines that say 2 million messages were leaked on the internet are completely false,” Myers said. His company only became aware of the issue after a reporter from Vice Media contacted it last week. “We looked at it and thought it was a very minimal issue,” he said. A malicious actor would be able to access a customer’s voice recordings only if they managed to guess the password, he said. “We have to find a balance,” Myers said, when he addressed the toy maker’s lack of password strength requirements. “How much is too much?” He also said that Spiral Toys had outsourced its server management to a third-party vendor. In January, the company implemented changes MongoDB requested to increase the server’s security. Spiral Toys hasn’t been the only company targeted. In recent months, several hacking groups have been attacking thousands of publicly exposed MongoDB databases.
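The cracking Hunt describes above, as an added example that is not part of the original article and not CloudPets’ or Spiral Toys’ own code. bcrypt is replaced by PBKDF2-HMAC-SHA256 from the Python standard library (an assumption made so the script runs without extra packages; both are salted, tunable-cost hashes and the conclusion is the same), and the accounts, e-mail addresses, passwords and wordlist are constructed sample data.

```python
"""Added example (not CloudPets or Spiral Toys code): why a slow hash does not
rescue guessable passwords, and the server-side policy that would have.

hashlib.pbkdf2_hmac stands in for bcrypt so this runs on the standard library
alone; both are salted, tunable-cost hashes, and the conclusion is the same.
The account records below are constructed sample data."""
import hashlib
import hmac
import os
import string

ITERATIONS = 10_000  # work factor, the same role bcrypt's cost parameter plays


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted slow hash. Returns (salt, digest); a fresh salt is drawn if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed accounts, stored the way a bcrypt-style password table holds them.
_PLAINTEXTS = {
    "alice@example.com": "a",          # a single character, as the article describes
    "bob@example.com": "qwerty",
    "carol@example.com": "cloudpets",  # the product name
    "dave@example.com": "123456",
    "erin@example.com": "correct-horse-battery-staple-9",
}
ACCOUNTS = {email: hash_password(pw) for email, pw in _PLAINTEXTS.items()}

# The kind of list Hunt describes: a few common terms plus the product name,
# extended with every single printable character, since a policy that accepts
# "a" accepts all of them.
WORDLIST = ["qwerty", "123456", "password", "cloudpets"] + list(string.printable.strip())


def crack(accounts: dict, wordlist: list) -> dict:
    """Offline dictionary attack: every candidate against every stored hash.
    The salt only stops precomputation; it does not stop this loop."""
    recovered = {}
    for email, (salt, digest) in accounts.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                recovered[email] = guess
                break
    return recovered


def password_policy_ok(password: str, min_length: int = 12) -> bool:
    """The check CloudPets lacked: a minimum length and a denylist of common
    and product-related strings, compared case-insensitively."""
    banned = {w.lower() for w in WORDLIST}
    return len(password) >= min_length and password.lower() not in banned


if __name__ == "__main__":
    cracked = crack(ACCOUNTS, WORDLIST)
    print(f"{len(cracked)}/{len(ACCOUNTS)} accounts cracked with at most {len(WORDLIST)} guesses each")
    for email, pw in cracked.items():
        print(f"  {email}: {pw!r}")
    for pw in _PLAINTEXTS.values():
        print(f"  policy accepts {pw!r}: {password_policy_ok(pw)}")
```

Running it cracks four of the five constructed accounts with under a hundred guesses each. The salt and the work factor raise the cost of every guess, but with a wordlist this short the work factor is not the obstacle; only the one long, non-dictionary password survives. The policy function is the missing control on the registration side. The missing control on the server side was authentication on the MongoDB instance itself (`security.authorization: enabled` in mongod.conf, and a listener not bound to a public interface).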
They’ve done so by erasing the data and then offering to restore it, but only if victims pay a ransom. In the CloudPets incident, different hackers appear to have deleted the original databases and left ransom notes on the exposed systems, Hunt said. Although the CloudPets databases are no longer publicly accessible, it appears that the toy maker hasn’t notified customers about the breach, Hunt said. The danger is that hackers might be using the stolen information to break into customer accounts registered with the toys. But Myers said the company found no evidence that any hackers broke into customer accounts. To protect its users, the company is planning a password reset for all users. “Maybe our solution is to put more complex passwords,” he said.

The post Smart teddy bears involved in a contentious data breach appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/smart-teddy-bears-involved-in-a-contentious-data-breach/

Engineers at South Korea’s SK Telecom have developed a tiny chip that could help secure communications on a myriad of portable electronics and IoT devices. The chip is just 5 millimeters square — smaller than a fingernail — and, the company says, generates mathematically provable random numbers. Such numbers are the basis of highly secure encryption systems, and producing them in such a small package hasn’t been possible until now. The chip, on show at this week’s Mobile World Congress in Barcelona, could be in sample production as early as March this year and will cost a few dollars once in commercial production, said Sean Kwak, director at SK Telecom’s quantum technology lab. The device works by exploiting quantum shot noise, he said. Inside the chip, two LEDs produce photons that bounce off the inner walls of the chip and are detected by a CMOS image sensor that is also built into the chip. The shot noise is a result of that detection and is random in nature.
Random numbers are critically important in cryptography because they are used to generate encryption keys. If the numbers are predictable rather than truly random, an attacker who can model the generator can reproduce the key and break the encryption. The ability to generate truly random numbers inside such a small package could significantly improve the security of smartphones, intelligent cars and IoT devices. For the latter, the low-cost nature of the products often means developers use non-cryptographic pseudo-random number generators or even a fixed key that never changes over the life of the device. SK Telecom has been active in quantum encryption and security systems since 2011, when it formed a lab at its R&D center in Seongnam, near Seoul. On Monday, the company kicked off a push to develop interoperability standards for quantum encryption systems.

The post This tiny chip could revolutionize smartphone and IOT security appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/this-tiny-chip-could-revolutionize-smartphone-and-iot-security/
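An added example, not SK Telecom’s code and not from the original article, to make concrete what a predictable key source costs: a device that keys itself from a non-cryptographic PRNG seeded with something an attacker can bound, next to one that draws from the OS CSPRNG (what a hardware entropy source such as the chip above would feed), plus the offline seed enumeration an attacker runs against the first. The seed (milliseconds of uptime, within the first minute after boot), the 60,000-value seed space, the cleartext beacon and the HMAC-SHA256 tagging are all assumptions made for the illustration.

```python
"""Added example (not SK Telecom's code): what a predictable key source costs.

Models a low-cost device that derives a 128-bit key from a non-cryptographic
PRNG seeded with a value an attacker can bound, and shows the key being
recovered offline by enumerating that seed space. The comparison generator
draws from the OS CSPRNG, which is what a hardware entropy source feeds.
Assumptions: the device keys itself within 60 s of boot using millisecond
uptime as the seed, and it authenticates a cleartext beacon with HMAC-SHA256
under that key. The beacon text is constructed."""
import hashlib
import hmac
import math
import random
import secrets

KEY_BYTES = 16
SEED_SPACE = 60_000             # assumption: seed = ms since boot, keyed within 60 s
BEACON = b"beacon device-0001"  # constructed cleartext message the device sends with a tag


def weak_keygen(seed: int) -> bytes:
    """Device side: key from Mersenne Twister seeded with uptime. Deterministic."""
    return random.Random(seed).randbytes(KEY_BYTES)


def strong_keygen() -> bytes:
    """Device side done right: key from the OS CSPRNG, no enumerable seed."""
    return secrets.token_bytes(KEY_BYTES)


def tag(key: bytes, msg: bytes) -> bytes:
    """Authentication tag the device attaches to each beacon."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def recover_key(msg: bytes, observed_tag: bytes, seed_space: int = SEED_SPACE):
    """Attacker side: regenerate the key for every candidate seed and test it
    against one observed (message, tag) pair. Returns (seed, key) or None."""
    for seed in range(seed_space):
        key = weak_keygen(seed)
        if hmac.compare_digest(tag(key, msg), observed_tag):
            return seed, key
    return None


def monobit_ok(data: bytes, z: float = 4.0) -> bool:
    """Frequency (monobit) sanity check in the spirit of NIST SP 800-22: the
    number of one-bits should sit within z standard deviations of n/2. It
    catches a stuck or zeroed source; it cannot tell a seed-derived or fixed
    key from a fresh one, which is why randomness has to be argued from the
    source (shot noise, OS entropy), not from output tests."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s = 2 * ones - n
    return abs(s) <= z * math.sqrt(n)


if __name__ == "__main__":
    device_seed = 17_250  # one particular boot; unknown to the attacker
    observed = tag(weak_keygen(device_seed), BEACON)
    print("weak key recovered:", recover_key(BEACON, observed))
    print("strong key recovered:", recover_key(BEACON, tag(strong_keygen(), BEACON)))
    print("zeroed source passes monobit:", monobit_ok(bytes(256)))
    print("weak but random-looking key passes monobit:", monobit_ok(weak_keygen(device_seed)))
```

The enumeration takes well under a second here because the seed space is tiny; a fixed key baked into firmware is the degenerate case with a seed space of one, where a single extracted unit compromises every unit. The monobit check is included for the caveat it carries: the seed-derived key almost always passes it, because the output of a good PRNG looks random even when the process that produced it is fully predictable.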