Internet Security, Abuse, Data Harvesting, Etc.

[LFC]

A company that created a password manager was hacked, exposing passwords of tens of thousands of users.

s many as 29,000 users of the Passwordstate password manager downloaded a malicious update that extracted data from the app and sent it to an attacker-controlled server, the app-maker told customers.

In an email, Passwordstate creator Click Studios told customers that bad actors compromised its upgrade mechanism and used it to install a malicious file on user computers. The file, named “moserware.secretsplitter.dll,” contained a legitimate copy of an app called SecretSplitter, along with malicious code named "Loader," according to a brief writeup from security firm CSIS Group.

The Loader code attempts to retrieve the file archive at https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip so it can retrieve an encrypted second-stage payload. Once decrypted, the code is executed directly in memory. The email from Click Studios said that the code “extracts information about the computer system, and select Passwordstate data, which is then posted to the bad actors’ CDN Network.”

Security practitioners regularly recommend password managers because they make it easy for people to store long, complex passwords that are unique to hundreds or even thousands of accounts. Without use of a password manager, many people resort to weak passwords that are reused for multiple accounts.

The Passwordstate breach underscores the risk posed by password managers because they represent a single point of failure that can lead to the compromise of large numbers of online assets. The risks are significantly lower when two-factor authentication is available and enabled because extracted passwords alone aren’t enough to gain unauthorized access. Click Studios says that Passwordstate provides multiple 2FA options.

[LFC]

Apple is the victim of a ransomware attack on one of their suppliers.

On the day Apple was set to announce a slew of new products at its Spring Loaded event, a leak appeared from an unexpected quarter. The notorious ransomware gang REvil said they had stolen data and schematics from Apple supplier Quanta Computer about unreleased products and that they would sell the data to the highest bidder if they didn’t get a $50 million payment. As proof, they released a cache of documents about upcoming, unreleased MacBook Pros. They've since added iMac schematics to the pile.

The connection to Apple and dramatic timing generated buzz about the attack. But it also reflects the confluence of a number of disturbing trends in ransomware. After years of refining their mass data encryption techniques to lock victims out of their own systems, criminal gangs are increasingly focusing on data theft and extortion as the centerpiece of their attacks—and making eye-popping demands in the process.

“Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands,” REvil wrote in its post of the stolen data. “We recommend that Apple buy back the available data by May 1.”

For years, ransomware attacks involved the encryption of a victim's files and a simple transaction: pay the money, get the decryption key. But some attackers also dabbled in another approach—not only did they encrypt the files, but they stole them first and threatened to leak them, adding additional leverage to ensure payment. Even if victims could recover their affected data from backups, they ran the risk that the attackers would share their secrets with the entire Internet. And in the past couple of years, prominent ransomware gangs like Maze have established the approach. Today incorporating extortion is increasingly the norm. And groups have even taken it a step further, as is the case with REvil and Quanta, focusing completely on data theft and extortion and not bothering to encrypt files at all. They're thieves, not captors.

“Data encryption is becoming less of a part of ransomware attacks for sure,” says Brett Callow, a threat analyst at the antivirus firm Emsisoft. “In fact ‘ransomware attack’ is probably something of a misnomer now. We’re at a point where the threat actors have realized that the data itself can be used in a myriad of ways.”

[LFC]

Apple's AirDrop which allows files to be transferred between Apple devices, particularly phones, is leaking name and phone number information.

AirDrop, the feature that allows Mac and iPhone users to wirelessly transfer files between devices, is leaking user emails and phone numbers, and there's not much anyone can do to stop it other than to turn it off, researchers said.

AirDrop uses Wi-Fi and Bluetooth Low Energy to establish direct connections with nearby devices so they can beam pictures, documents, and other things from one iOS or macOS device to another. One mode allows only contacts to connect, a second allows anyone to connect, and the last allows no connections at all.

A matter of milliseconds
To determine if the device of a would-be sender should connect with other nearby devices, AirDrop broadcasts Bluetooth advertisements that contain a partial cryptographic hash of the sender's phone number and email address. If any of the truncated hashes matches any phone number or email address in the address book of the receiving device or the device is set to receive from everyone, the two devices will engage in a mutual authentication handshake over Wi-Fi. During the handshake, the devices exchange the full SHA-256 hashes of the owners' phone numbers and email addresses.

Hashes, of course, can't be converted back into the cleartext that generated them, but depending on the amount of entropy or randomness in the cleartext, they are often possible to figure out. Hackers do this by performing a "brute-force attack," which throws huge numbers of guesses and waits for the one that generates the sought-after hash. The less the entropy in the cleartext, the easier it is to guess or crack, since there are fewer possible candidates for an attacker to try.

The amount of entropy in a phone number is so minimal that this cracking process is trivial since it takes milliseconds to look up a hash in a precomputed database containing results for all possible phone numbers in the world. While many email addresses have more entropy, they, too, can be cracked using the billions of email addresses that have appeared in database breaches over the past 20 years.

"This is an important finding since it enables attackers to get hold of rather personal information of Apple users that in later steps can be abused for spear phishing attacks, scams, etc. or simply being sold," said Christian Weinert, one of the researchers at Germany's Technical University of Darmstadt who found the vulnerabilities. "Who doesn't want to directly message, say, Donald Trump on WhatsApp? All attackers need is a Wi-Fi-enabled device in proximity of their victim."

[pg]

That's a NO SHIT. Yes, PG is back.

Interesting- I JUST got a message from Apple as I started this post, stating it "wants to make changes". Just enter your password etc. and all will be fine.

Goodness- Big Brother watches, listens and is always there. Almost everywhere you go.

[goldenvalley]

AirDrop is being discontinued at the end of May. The new iOS for iPhones has a privacy setting to use that is supposed to stop apps from tracking the phone.

[LFC]

Apr 30, 2021 16:20:18 GMT goldenvalley said:

AirDrop is being discontinued at the end of May. The new iOS for iPhones has a privacy setting to use that is supposed to stop apps from tracking the phone.

Whoa! I've used AirDrop a number of times in my home between me and my wife or me and my Mac. I wonder if there will be a secure replacement.

[goldenvalley]

Apr 30, 2021 19:46:40 GMT LFC said:

Apr 30, 2021 16:20:18 GMT goldenvalley said:

AirDrop is being discontinued at the end of May. The new iOS for iPhones has a privacy setting to use that is supposed to stop apps from tracking the phone.

Whoa! I've used AirDrop a number of times in my home between me and my wife or me and my Mac. I wonder if there will be a secure replacement.

I don't know.  I just happened to send a big power point deck and had to use AirDrop to accomplish it.  Received a pop up box saying AirDrop would no longer be operational after May.  

[RichTBikkies]

Apr 28, 2021 0:59:02 GMT pg said:

That's a NO SHIT. Yes, PG is back.

Why the change in moniker? Have you become impractical in your advancing years, or have you come of age? (I speak metaphorically).

[LFC]

The security of some of our critical infrastructure is ... lacking.

A top fuel pipeline operator that carries refined gasoline and jet fuel from Texas up the East Coast to New York said on Saturday it was forced to shut down its 5,500 mile-long system after a cyber attack that involved ransomware.

Colonial Pipeline said in a statement late Friday that it had taken certain systems offline — a move that halted all pipeline operations in an effort to contain the attack on its computer networks.

By Saturday afternoon the pipeline operator, which says it carries 45 percent of the East Coast’s fuel supplies, reported that it had “since determined that this incident involves ransomware,” and that a third-party cybersecurity firm was launching an investigation into the matter.

The pipeline company said it was “taking steps to understand and resolve this issue,” and had contacted law enforcement and federal agencies but did not specify when its pipelines would be back up and running.

“At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation,” the company said.

The Cyber and Infrastructure Security Agency said in a separate statement on Saturday that the shutdown “underscores the threat that ransomware poses to organizations regardless of size or sector.”

“We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats,” CISA said.

[goldenvalley]

May 8, 2021 23:03:41 GMT LFC said:

The security of some of our critical infrastructure is ... lacking.

A top fuel pipeline operator that carries refined gasoline and jet fuel from Texas up the East Coast to New York said on Saturday it was forced to shut down its 5,500 mile-long system after a cyber attack that involved ransomware.

Colonial Pipeline said in a statement late Friday that it had taken certain systems offline — a move that halted all pipeline operations in an effort to contain the attack on its computer networks.

By Saturday afternoon the pipeline operator, which says it carries 45 percent of the East Coast’s fuel supplies, reported that it had “since determined that this incident involves ransomware,” and that a third-party cybersecurity firm was launching an investigation into the matter.

The pipeline company said it was “taking steps to understand and resolve this issue,” and had contacted law enforcement and federal agencies but did not specify when its pipelines would be back up and running.

“At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation,” the company said.

The Cyber and Infrastructure Security Agency said in a separate statement on Saturday that the shutdown “underscores the threat that ransomware poses to organizations regardless of size or sector.”

“We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats,” CISA said.

It's strange to say but I'm glad this was the work of criminals seeking money rather than a hostile government seeking domination.     And if money is at stake, then perhaps the corporate world will be willing to pay to have more secure systems...or will they whine and get the federal government to spend tax dollars securing them?

[AnBr]

May 9, 2021 17:02:48 GMT goldenvalley said:

It's strange to say but I'm glad this was the work of criminals seeking money rather than a hostile government seeking domination.     And if money is at stake, then perhaps the corporate world will be willing to pay to have more secure systems...or will they whine and get the federal government to spend tax dollars securing them?

Silly girl. Why do you ask questions that you already know the answer to?

[LFC]

Vizio's business in harvesting the personal data of people who bought their TVs is a booming business.

Over the past several years, TV-maker Vizio has achieved a reputation among home theater enthusiasts as the company that makes TVs that provide superior picture quality relative to their cost. While the most expensive TVs from Samsung and LG beat Vizio's in quality assessment by reviewers, Vizio is widely regarded as one of the best bang-for-buck brands.

But for consumers, those competitive prices may come with a downside: becoming subject to targeted advertising and monetized personal data collection. As reported previously on Engadget, Vizio just posted its first public earnings report, wherein it revealed that profits from the part of its business that is built around collecting and selling user data as well as targeting advertising at users totaled $38.4 million in the quarter.

That's less than the $48.2 million of profit generated by device sales in the same quarter, but data and advertising profits grew significantly year over year while actual device sales grew comparatively slowly. These digital products are still nowhere close to device sales in total revenue, however; the data and ad-related business unit (dubbed Platform+) added up to only 7.2 percent of global revenue.

Still, that was enough to improve the financial picture for the California-based company's long-delayed stock market debut. CNBC reports that Vizio's TV-device business has actually shrunk in recent years. As any business must, Vizio has sought to find additional sources of revenue to offset that slip. Its streaming platform, SmartCast, and other advertising and data-related operations made much of the difference for the company as it sought to convince investors to buy stock in its offering.

Device sales rose just 7 percent year over year, but Platform+ grew 133 percent in the same period.

[LFC]

Ireland had their healthcare system taken hostage.

Ireland has shut down most of the major IT systems running its national health care service, leaving doctors unable to access patient records and people unsure of whether they should show up for appointments, following a “very sophisticated” ransomware attack.

Paul Reid, chief executive of Ireland’s Health Service Executive (HSE), told a morning radio show that the decision to shut down the systems was a “precautionary” measure after a cyberattack that impacted national and local systems “involved in all of our core services.”

Some elements of the Irish health service remain operational, such as clinical systems and its COVID-19 vaccination program, which is powered by separate infrastructure. COVID tests already booked are also going ahead.

However, the system for processing referrals from GPs and of close contacts is down, the HSE tweeted, adding that those in need of testing should go to walk-in centers, which would prioritize symptomatic cases.

“This is having a severe impact on our health and social care services today, but individual services and hospital groups are impacted in different ways. Emergency services continue, as does the @ambulancenas [National Ambulance Service],” health minister Stephen Donnelly wrote on Twitter.

No group has yet claimed responsibility for the attack, though Reid said on Friday morning that it involved “Conti, human-operated ransomware,” referring to the type of software used. He added that the HSE had not yet been served with a ransom demand.

“We are at the very early stages of fully understanding the threat, the impact, and trying to contain it,” he said, adding that the HSA was receiving assistance from the Irish police force, defense forces, and third-party cyber support teams.

[LFC]

Americans pay more for poorer internet access than most industrialized nations. The Biden administration is looking to do something about this. The pushback is fierce as you can imagine. I expect the industry ads from some bogusly named group like Protect Fair Internet Access to start popping up soon.

Biden administration officials are not convinced by the broadband industry's claims that Internet prices aren't too high, according to a report today by Axios.

The White House announced on March 31 that President Biden "is committed to working with Congress to find a solution to reduce Internet prices for all Americans." Though Biden hasn't revealed exactly how he intends to reduce prices, the announcement set off a flurry of lobbying by trade groups representing ISPs to convince Biden and the public that Americans are not paying too much for Internet access. ISPs even claim that prices have dropped, despite government data showing that the price Americans pay has risen four times faster than inflation.

A Biden official told Axios that the ISPs have not made a convincing case. "A senior administration official told Axios the bulk of the evidence shows prices have gone up recently and prices are higher than they are for comparable plans in Europe," Axios wrote. "Biden noted the high cost of Internet service in March, and the official told Axios, 'I don't think we've seen anything since he made those comments to make us feel like we were wrong about that. We're still committed to taking some bold action to make sure that we bring those prices down for folks.'"

The pressure coming from broadband lobby groups suggests that industry officials believe rate regulation is a real possibility. "They're absolutely on edge," one aide told Axios. "They are concerned at the highest levels over the prospect of rate regulation."

Instead of believing the ISPs' claims about prices, the White House is apparently paying close attention to research that shows prices are rising—in part due to a lack of competition. The White House "highlighted a working paper from Berkeley Law professor Tejas Narechania," which "finds that broadband providers offer slower service for the same price in areas where they lack competition, and proposes a model statute for rate regulation of a basic tier broadband service in areas without competition," Axios wrote. The administration also "pointed to a recent working paper from New York University finance professor Thomas Philippon that found Americans pay more for Internet service than consumers in other countries."

[goldenvalley]

May 17, 2021 18:13:08 GMT LFC said:

Americans pay more for poorer internet access than most industrialized nations. The Biden administration is looking to do something about this. The pushback is fierce as you can imagine. I expect the industry ads from some bogusly named group like Protect Fair Internet Access to start popping up soon.

I hope something can be done about that.  My son spent about half of the last 3 years in Europe and realized how over charged the US is compared to the countries he lived in.  He's been complaining about it ever since he returned to the States.

[andydp]

Here’s a review of the audit of the Colonial pipeline:

One quote from the article should clue us in:

An eight grader could hack this system.

BOSTON (AP) — An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.

“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”




apnews.com/article/va-state-wire-technology-business-1f06c091c492c1630471d29a9cf6529d

[LFC]

Great, a company in charge of a critical piece of infrastructure and they effectively put out a big "EXTORT ME!" sign for all the hackers to see.

[indy]

Early in my career I did a lot of computer security related work, before the term cybersecurity was ever used, often evaluating hardware platforms for major manufacturers for their suitability in financial and military uses. Some days it took all the will power I could muster not to use that knowledge for (very lucrative!) evil.

[andydp]

May 18, 2021 12:15:15 GMT LFC said:

Great, a company in charge of a critical piece of infrastructure and they effectively put out a big "EXTORT ME!" sign for all the hackers to see.

Sadly, this is a common situation in corporate circles. While this was happening the system at Rensselaer Poly in Troy was compromised. Unlike Colonial, RPI has a pretty strong system. But you can see tough or not, they’re all vulnerable.

[Bact PhD]

May 18, 2021 12:55:50 GMT andydp said:

But you can see tough or not, they’re all vulnerable.

Urrg. Back in late fall, we received not one, but TWO notices within about a 3- week span about data breaches affecting… Dear Son! The first was a financial house that has info on the entire family, the other was the contractor/payment processor for the county public school lunch program, and he’s been out of the public school system for several years! Hello, credit freeze for a while! A few months earlier, it was the dentist’s office sending out the notifications.

[LFC]

Android is patching up 4 vulnerabilities that are currently being used in the wild.

Unknown hackers have been exploiting four Android vulnerabilities that allow the execution of malicious code that can take complete control of devices, Google warned on Wednesday.

All four of the vulnerabilities were disclosed two weeks ago in Google’s Android Security Bulletin for May. Google has released security updates to device manufacturers, who are then responsible for distributing the patches to users.

Google’s May 3 bulletin initially didn’t report that any of the roughly 50 vulnerabilities it covered were under active exploitation. On Wednesday, Google updated the advisory to say that there are “indications” that four of the vulnerabilities “may be under limited, targeted exploitation.” Maddie Stone, a member of Google’s Project Zero exploit research group, removed the ambiguity. She declared on Twitter that the “4 vulns were exploited in-the-wild” as zero-days.

Both of these paragraphs are disturbing. The first seems to show Google being caught completely flat-footed. The second shows that cyber-warfare is here and anything attached to the internet is vulnerable.

There are no other details about the in-the-wild attacks. Google representatives didn’t respond to emails asking how users can tell if they’ve been targeted.

The skill required to exploit the vulnerabilities has led some researchers to speculate that the attacks are likely the work of nation-state-backed hackers.

[LFC]

Google is giving Android some of the tracker blocking features that Apple just released. They've got a tough line to walk since they are simultaneously competing in the mobile phone market but also pushers of gobs of trackers that are being used today.

So, what will Android users be getting that iPhone users already have?

• Phones will have visual indicators when cameras or microphones are being used. Those are nice if you’re paranoid that apps are watching or listening to you when you’re not aware, though useless if you’re so paranoid that you won’t believe the indicators in the first place.
• Android will tell users when apps use information from their clipboards. That is, when you copy something (say, your password from a password manager app) and then paste it into something else (like the app that is asking for your password), Android will tell you that your clipboard is being accessed. That might sound like a minor thing, but apps having secret access to user clipboards and users lacking the ability to restrict clipboard permissions have been a security issue for a while, especially considering the sensitive information people might have on them (like passwords).
• Android is also giving users the option to give apps access to their approximate location. Previously, apps got their precise location only, even if the app didn’t need such specific information to function. Precise location data is great for apps like Uber when you want to tell your driver exactly where you are and where you want to go, but location data companies have been caught taking advantage of it and even selling it to military contractors.

One nice thing that Android 12 will have that iOS doesn’t: a privacy dashboard that tells users which apps have accessed which permissions and when. According to Google’s mock-ups, users can see a list of which apps have used things like their location data, camera, and microphone. Apple’s iOS does this to a certain extent (you can see which apps have used your locations services within the last 24 hours), but not for all permissions, and it’s not laid out as simply and cleanly as Android’s.

But what’s perhaps most notable is the iOS 14 privacy features Android 12 won’t have. These include so-called “privacy nutrition labels,” which are of dubious value to consumers, but still indicate that it’s important to the company that they be informed, and the ability to deny apps the ability to track users across other apps through its App Tracking Transparency.

[goldenvalley]

I guess a privacy dashboard is nice. Knowing something happened after the fact does little good really. Who wants to spend time monitoring that? I'll stick with Apple.

[LFC]

IMHO this piece is a bit slanted but it has good information on the current arguments going on in court between Apple and Epic Games.

Mac computers have an official Apple App Store, but they also allow downloading software from the internet or a third-party store. Apple has never opened up iOS this way, but it’s long touted the privacy and security of both platforms. Then Epic Games sued Apple to force its hand, saying that if an open model is good enough for macOS, Apple’s claims about iOS ring hollow. On the stand yesterday, Federighi tried to resolve this problem by portraying iPhones and Macs as dramatically different devices — and in the process, threw macOS under the bus.

Federighi outlined three main differences between iOS and macOS. The first is scale. Far more people use iPhones than Macs, and the more users a platform gets, the more enticing that audience becomes to malware developers. Federighi argued iOS users are also much more casual about downloading software, giving attackers better odds of luring them into a download. “iOS users are just accustomed to getting apps all the time,” he said, citing Apple’s old catchphrase: “There’s an app for that.”

The second difference is data sensitivity. “iPhones are very attractive targets. They are very personal devices that are with you all the time. They have some of your most personal information — of course your contacts, your photos, but also other things,” he said. Mobile devices put a camera, microphone, and GPS tracker in your pocket. “All of these things make access or control of these devices potentially incredibly valuable to an attacker.”

That may undersell private interactions with Macs; Epic’s counsel Yonatan Even noted that many telemedicine calls and other virtual interactions happen on desktop. Still, it’s fair to say phones have become many people’s all-purpose digital lockboxes.

The third difference is more conceptual. Federighi basically says iOS users need to be more protected because the Mac is a specialist tool for people who know how to navigate the complexities of a powerful system, while the iPhone and iPad are — literally — for babies.

Some of the comments are pretty good as well.

I use iOS specifically because of the walled garden.

It’s also nice to not have to fix my parent’s iPhones like their computers because of this.

Same experience here, a few months ago I had to remote into my mom’s MacBook to clear out malware that was redirecting her web search traffic. I have absolutely no idea how she even got it.

Never had to do anything like that with her iPhone or iPad.

I thought this was a good comment on what Apple is facing. We already know that Google has taken bashing over their failures to fully police their own app store. And when viruses get reported on all they say is who made the phone and how many people it impacted with perhaps a glancing reference to those infected having had to explicitly downloaded the virus. They never say "if they just didn't undertake a highly risky action."

And if the App Store were opened up to third-party stores, who will people blame when things go wrong?

Apple.

[Deleted]

Fuck Epic Games! Leave my beloved Apple products alone.

Last count I have 7 distinct types of Apple devices. Stop messing around. Fuck you again, Epic Games.