Patrick Klepek has a terrific read up on Waypoint about his investigation into Sony’s incompetent security practices around user accounts, and the social engineering crews that steal them:
$1,200. That’s how much someone is asking for a PlayStation Network account I’ve been investigating for the past few weeks. “Secure,” the person calls it, claiming the account will “never be touched” by the original owner again. “He won’t be getting it back,” they claim. More than a thousand dollars? That’s a little rich for my blood, and so I counteroffer: $700.
He also posted a few follow-up updates on Twitter that are worth reading after the article.
There are two big processor vulnerabilities that were announced recently: the Spectre and Meltdown attacks. These are significant because they affect almost every desktop, laptop, smartphone, tablet, and game console. Almost anything with a modern processor can be exploited to leak passwords and whatever other private information is sitting in the device's memory.
The attacks work because processors speculatively execute instructions ahead of the current point in a program, and that speculative work leaves measurable traces in the cache even when its results are thrown away. Even code running in your web browser, such as JavaScript on a web page, can mount a Spectre attack against the rest of the browser's memory.
There are already patches available for Apple's operating systems, Microsoft's Windows, some Android devices, and many Linux distributions.
The workarounds that operating systems are implementing may slow devices down, because the attacks abuse performance features of the processors, but the performance cost of the mitigations may not be noticeable outside of specific workloads (ones that make a lot of system calls, for example).
These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates, and the software patches only work around them.
It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.
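As an added illustration of the speculation problem described above (this is example code written for this page, not code from any of the Spectre papers or vendor advisories), here is the Spectre variant 1 bounds-check pattern in C next to the index-masking mitigation that the Linux kernel adopted as array_index_nospec. The array contents, sizes and "secret" string are constructed for the example. Nothing here times the cache; the point is that the hardened index is forced into range even while the CPU is mispredicting the bounds check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed layout: a small public array followed in memory by data an
 * attacker should never read. The numbers are arbitrary sample values. */
#define PUBLIC_LEN 16
static uint8_t public_array[PUBLIC_LEN] = {1, 2, 3, 4, 5, 6, 7, 8,
                                           9, 10, 11, 12, 13, 14, 15, 16};
static const char secret[] = "constructed secret";
/* One 512-byte stride per possible byte value: which line ends up cached
 * reveals the byte that was (speculatively) loaded. */
static uint8_t probe[256 * 512];

/* Vulnerable pattern (Spectre v1): the bounds check is a branch the CPU may
 * predict as taken. While the comparison is still resolving, the two loads
 * below execute speculatively with an attacker-chosen out-of-range x, so
 * public_array[x] reads past the end (into `secret`) and probe[v * 512] is
 * pulled into the cache, where a Flush+Reload timing loop can observe it. */
uint8_t victim_vulnerable(size_t x, size_t len) {
    if (x < len) {
        uint8_t v = public_array[x];
        return probe[(size_t)v * 512];
    }
    return 0;
}

/* Branchless mask: all ones when index < size, zero otherwise. This is the
 * generic form from Linux's array_index_mask_nospec: when index < size both
 * index and (size - 1 - index) are small non-negative values, so their OR has
 * the top bit clear, ~ sets it, and an arithmetic shift smears it into all
 * ones. When index >= size the subtraction wraps, the top bit is set, ~ clears
 * it and the shift yields zero. Valid for size < 2^63. */
size_t index_mask_nospec(size_t index, size_t size) {
#if defined(__GNUC__)
    /* Hide `index` from the optimizer so the mask is always computed, even
     * where the compiler can prove index < size (Linux does the same with
     * OPTIMIZER_HIDE_VAR). Without this the mask folds away inside the `if`. */
    __asm__ __volatile__("" : "+r"(index));
#endif
    intptr_t x = (intptr_t)(index | (size - 1 - index));
    return (size_t)(~x >> (sizeof(size_t) * 8 - 1));
}

/* Architecturally a no-op for in-range indices; speculatively it clamps any
 * out-of-range index to 0 so the dependent loads can only touch public data.
 * An lfence after the branch is the other common fix, at a higher cost. */
size_t hardened_index(size_t index, size_t size) {
    return index & index_mask_nospec(index, size);
}

uint8_t victim_hardened(size_t x, size_t len) {
    if (x < len) {
        x = hardened_index(x, len);
        uint8_t v = public_array[x];
        return probe[(size_t)v * 512];
    }
    return 0;
}

int main(void) {
    (void)secret;
    printf("in-range 5 -> %zu, out-of-range 100 -> %zu\n",
           hardened_index(5, PUBLIC_LEN), hardened_index(100, PUBLIC_LEN));
    printf("victim_hardened(3) = %u, victim_vulnerable(3) = %u\n",
           victim_hardened(3, PUBLIC_LEN), victim_vulnerable(3, PUBLIC_LEN));
    return 0;
}
```

Both victim functions return the same values for every architecturally valid call; the difference is only visible to a speculating CPU, which is exactly why these bugs are so hard to find by testing.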
Garrett M. Graff has this article for Wired about the Mirai botnet denial-of-service attack, saying that it was powered by angry Minecraft server operators and players:
As the 2016 US presidential election drew near, fears began to mount that the so-called Mirai botnet might be the work of a nation-state practicing for an attack that would cripple the country as voters went to the polls. The truth, as made clear in that Alaskan courtroom Friday—and unsealed by the Justice Department on Wednesday—was even stranger: The brains behind Mirai were a 21-year-old Rutgers college student from suburban New Jersey and his two college-age friends from outside Pittsburgh and New Orleans. All three—Paras Jha, Josiah White, and Dalton Norman, respectively—admitted their role in creating and launching Mirai into the world.
Originally, prosecutors say, the defendants hadn’t intended to bring down the internet—they had been trying to gain an advantage in the computer game Minecraft.
vDOS was an advanced botnet: a network of malware-infected, zombie devices that its masters could commandeer to execute DDoS attacks at will. And the teens were using it to run a lucrative version of a then-common scheme in the online gaming world—a so-called booter service, geared toward helping individual gamers attack an opponent while fighting head-to-head, knocking them offline to defeat them. Its tens of thousands of customers could pay small amounts, like $5 to $50, to rent small-scale denial-of-service attacks via an easy-to-use web interface.
A similar booter service was used to attack the ioquake3 master server in the past. It was surprisingly easy for the attacker to keep it running on an ongoing basis.
Go to the Updates tab in the Mac App Store to apply it now; you won't even need to reboot. Apple has more details about the update at this link.
Here’s the post from yesterday with the details of the vulnerability.
If you have any trouble with file sharing after applying this security patch, Apple has another fix for that. Oops.
There's a vulnerability in the latest version of macOS High Sierra (10.13.1) that lets anyone with physical access to a Mac log in and gain system administrator (root) access, or, if they already have an account, escalate their access to root.
You can work around the issue by setting a root password, as described in this support document from Apple. They're working on a fix.
The vulnerability works like this:
- At any login or privilege escalation dialog, the user types the username root and leaves the password empty
- The user clicks the login/unlock button or presses enter a few times in quick succession
- The system enables the root user account with no password, and the login succeeds
This is incredibly bad: Apple shipped a vulnerability this easy to exploit, and it's ridiculous that it was apparently posted publicly on Apple's developer forums weeks ago.
Bloomberg’s Eric Newcomer:
Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
Quartz’ Keith Collins:
Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?
Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.
Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.
Quartz observed the data collection occur and contacted Google, which confirmed the practice.
Google claimed it wasn't doing anything with the data received from Android devices, and says it will stop sending it (at the end of the month) now that Quartz has caught it.
I’m not sure why anyone should trust Google’s word about what they were doing with this information when they explicitly use location information to target ads and were pulling this shit with no way for a user to disable it.
You can bet that companies like Google (Photos), Facebook and its subsidiaries such as Instagram, and Twitter also scrape location information whenever you upload photos to their services, by reading the EXIF metadata that phones attach to photos (a GPS tag with the exact coordinates of the shot is typical). You can use apps like Metapho on iOS to remove the EXIF information from your photos before you share them.
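To make concrete what an EXIF stripper actually does, here is an added example (written for this page; it is not Metapho's code or anything from the services mentioned above) that walks a JPEG's marker segments in C and drops every APP1 segment whose payload starts with "Exif\0\0", which is where the GPS IFD lives. The byte array below is a constructed minimal JPEG-like file, not a real photo; the Exif payload is truncated to its header, where a real camera would put a TIFF blob with the GPS IFD.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A JPEG is FF D8 (SOI), then marker segments of the form FF xx LL LL payload,
 * where LL LL is a big-endian length that includes its own two bytes. After
 * FF DA (SOS) comes entropy-coded scan data, copied through untouched up to
 * EOI (FF D9). Note this removes the whole Exif block (orientation and camera
 * model included) and does not touch XMP metadata in other APP1 segments. */

/* Copy `in` to `out` without APP1 Exif segments. Pass out == NULL to only
 * scan. Returns the output length, or -1 on malformed input or a full buffer.
 * *removed receives the number of Exif segments dropped (may be NULL). */
long strip_exif(const uint8_t *in, size_t n, uint8_t *out, size_t cap, int *removed)
{
    int dropped = 0;
    size_t i, o;
    if (n < 4 || in[0] != 0xFF || in[1] != 0xD8) return -1;
    if (out) { if (cap < 2) return -1; out[0] = 0xFF; out[1] = 0xD8; }
    i = o = 2;
    while (i + 4 <= n) {
        uint8_t marker;
        size_t len, seg;
        if (in[i] != 0xFF) return -1;
        marker = in[i + 1];
        if (marker == 0xFF) { i++; continue; }          /* optional fill byte */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD9))
            return -1;                                  /* standalone marker: not expected before SOS */
        len = ((size_t)in[i + 2] << 8) | in[i + 3];
        if (len < 2 || i + 2 + len > n) return -1;      /* length runs past the buffer */
        seg = 2 + len;                                  /* marker + length + payload */
        if (marker == 0xE1 && len >= 8 && memcmp(in + i + 4, "Exif\0\0", 6) == 0) {
            dropped++;                                  /* skip the Exif segment entirely */
        } else {
            if (out) { if (o + seg > cap) return -1; memcpy(out + o, in + i, seg); }
            o += seg;
        }
        i += seg;
        if (marker == 0xDA) break;                      /* SOS: scan data follows */
    }
    if (out) { if (o + (n - i) > cap) return -1; memcpy(out + o, in + i, n - i); }
    o += n - i;
    if (removed) *removed = dropped;
    return (long)o;
}

/* Constructed sample: SOI, APP0 JFIF, APP1 Exif (header only), SOS, two bytes
 * of fake scan data, EOI. 44 bytes in total; the Exif segment is 10 of them. */
static const uint8_t sample_jpeg[] = {
    0xFF, 0xD8,
    0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0x01, 0x01, 0x00,
                            0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0xFF, 0xE1, 0x00, 0x08, 'E', 'x', 'i', 'f', 0x00, 0x00,
    0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00,
    0x12, 0x34,
    0xFF, 0xD9
};
static uint8_t stripped[sizeof sample_jpeg];

/* Strip the sample, then rescan the result. Returns the stripped length;
 * *removed gets the count dropped, *still_has_exif whether any survived. */
long demo_strip(int *removed, int *still_has_exif)
{
    int r = 0, r2 = 0;
    long n = strip_exif(sample_jpeg, sizeof sample_jpeg, stripped, sizeof stripped, &r);
    if (n < 0) return n;
    if (strip_exif(stripped, (size_t)n, NULL, 0, &r2) < 0) return -1;
    if (removed) *removed = r;
    if (still_has_exif) *still_has_exif = r2 > 0;
    return n;
}

int main(void)
{
    int removed = 0, still = 0;
    long n = demo_strip(&removed, &still);
    printf("%zu bytes in, %ld bytes out, %d Exif segment(s) removed, exif left: %s\n",
           sizeof sample_jpeg, n, removed, still ? "yes" : "no");
    return n < 0;
}
```

The same walk, with the copy replaced by a parse of the TIFF payload, is how a service reads the GPS tag on upload; stripping before upload is the only way to be sure it never sees one.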
Yesterday, Gizmodo reported that Uber had been granted an entitlement for their iOS app that allowed them to capture an image of an iPhone's screen at any time, even when the Uber app was not the active app on the phone. This is a big deal, because users don't typically expect that an iPhone app that is not active might have the ability to eavesdrop on anything they are doing.
I have long felt that the sandboxing infrastructure on both iOS and Mac should be used to more accurately convey to users specifically what the apps they install are capable of doing. Currently the sandboxing system is used primarily to identify to Apple what a specific app’s privileges are. The requested entitlements are used to inform Apple’s decision to approve or reject an app, but the specific list of entitlements is not easily available to users, whose security is actually on the line.
This is absolutely fucking ridiculous. Fuck Uber. Apple should be ashamed for working with them at any level. Allowing an app to covertly record your screen without any prompting is exactly the kind of thing that Apple’s iOS app review process should prevent.
Uber claims it never misused this ability, and the security researchers who examined the app told Gizmodo that they didn't detect the code actually being used.
There are companies that are less trustworthy than Uber, but few have the opportunity to be as evil on such a large scale. Enabling them to do anything more than operate at a basic level on your platform is a mistake. At this point Apple should block them entirely and attempt to help the taxi industry reform and compete with Uber. Not that Apple ever would, but that would be the best thing to come out of this. The next best thing would be the improvements to the entitlement system that Jalkut suggests.
I wouldn't even bother to wonder what Uber is doing on Android, where security is a fucking joke and carriers are still selling devices running ancient versions of that operating system that are affected by dozens of known security vulnerabilities. This is especially true for pay-as-you-go phones sold cheaply at places like Walmart, Target, and so on. Those carriers and stores are endangering their customers by continuing to sell these devices.
To check if your information was stolen in the Equifax attack, you have to attempt to sign up for a year of free credit monitoring through a service called TrustedID Premier that Equifax is providing out of the goodness of their hearts, in order to get you subscribed to something you'll have to pay for eventually:
- Go here
- Click on the button that says “Begin Enrollment”
- Enter the information you’re asked for.
If you're given a date to enroll in the service, your information was possibly stolen; it isn't very clear whether that is a guarantee or not. As data on well over one hundred million people was stolen, it is extremely likely that yours was too.
If you actually want this service you'll have to come back to the same site on the day you're given in order to sign up, because they're staggering the sign-ups with this shitty enrollment program.
These monitoring services can't really do much to protect you from someone using your Social Security number and other personal information to sign up for services like cell phone plans and damage your credit. The only thing that actually prevents damage to your credit is a credit freeze, placed separately at each bureau, which then makes doing anything that involves credit a nightmare.
This is an absolutely garbage response from Equifax to anyone affected by this attack. Credit agencies are some of the worst businesses and their executives should all be shot into the sun.
At this point my strategy is to just assume that my social security number is freely available to anyone who wants it and I constantly monitor the credit bureaus to check for any new accounts opened in my name.
The only legitimate place to get a free credit report is AnnualCreditReport.com. Many other places attempt to sign you up for a monitoring service that also can't do anything to protect you in the event that your information is stolen. I also use a service called Credit Karma that pulls reports once a month. Their business is to provide you with credit card offers (that you should never sign up for) in exchange for the data. They're scum too, but at least they're upfront about what kind of scum they are.
Bloomberg’s Anders Melin:
Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers.
The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.
Equifax said in the statement that intruders accessed names, Social Security numbers, birth dates, addresses and driver’s-license numbers, as well as credit-card numbers for about 209,000 consumers. The incident ranks among the largest cybersecurity breaches in history.