May 15, 2018

Nest turns up the temperature on password reusers

By Lisa Vaas

Google’s Nest division of smart-home gadgets recently notified some users about a data breach that involved their credentials. For that, it deserves a pat on the back.

In a security notice sent to one user and published by the Internet Society, Nest told the user to change their password and turn on two-step verification (2SV), also known as multiple- or two-factor authentication (MFA or 2FA).

Whether you call it MFA, 2FA or 2SV, it’s an increasingly common security procedure that aims to protect your online accounts against password-stealing cybercrooks.

So why do we want to pat Nest on the back? Because the breach wasn’t a matter of Nest’s own password database getting breached or, say, from an employee being careless.

Rather, Nest spotted the password because it cropped up in a list of breached credentials, meaning two things: 1) the users whom Nest emailed have been reusing passwords, and 2) Nest’s been proactively keeping an eye out to protect them from their own password foibles.

As Online Trust Alliance Director Jeff Wilbur said in an Internet Society post on Thursday, it’s not clear how Nest figured out that the password had been compromised. Maybe Nest was alerted by security researcher Troy Hunt’s recently updated Pwned Passwords service (part of his “have i been pwned?” site)?

The service lets you enter a password to see if it matches more than half a billion passwords that have been compromised in data breaches. A hashed version of the full list of passwords can also be downloaded to do local or batch processing, Wilbur noted.
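As an added example (not from the article or from Troy Hunt's service), here is what the local or batch check Wilbur mentions looks like: each candidate password is SHA-1 hashed, the digest the downloadable list uses, and looked up in a parsed copy of the list. The sample list lines are constructed, and the range-query helpers go beyond the text to show the prefix-only lookup the online service offers, in which only the first five hex characters of the hash leave the client.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for lines from the downloadable Pwned Passwords list.
# Assumed format: "<uppercase SHA-1 hex>:<breach count>" per line. The digests
# are SHA-1("password") and SHA-1("123456"); the counts are made up.
SAMPLE_PWNED_LINES = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661",
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662",
]

def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the encoding the list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def load_pwned_hashes(lines: Iterable[str]) -> Dict[str, int]:
    """Parse '<hash>:<count>' lines into a lookup table; malformed lines are skipped."""
    table: Dict[str, int] = {}
    for line in lines:
        digest, sep, count = line.strip().partition(":")
        if sep and len(digest) == 40 and count.isdigit():
            table[digest.upper()] = int(count)
    return table

def breach_count(password: str, table: Dict[str, int]) -> int:
    """Times this password showed up in breaches; 0 means it is not in the list."""
    return table.get(sha1_hex(password), 0)

def batch_check(passwords: Iterable[str], table: Dict[str, int]) -> List[Tuple[str, int]]:
    """Local batch processing: return every (password, count) found in the list."""
    hits = []
    for pw in passwords:
        count = breach_count(pw, table)
        if count:
            hits.append((pw, count))
    return hits

def range_query_parts(password: str) -> Tuple[str, str]:
    """Split the digest into the 5-char prefix sent to the range API and the 35-char suffix kept locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def check_via_range(password: str, table: Dict[str, int]) -> int:
    """Simulate the k-anonymity range lookup: only entries sharing the prefix come
    back, and the suffix is matched locally, so the full hash is never disclosed."""
    prefix, suffix = range_query_parts(password)
    returned = {h[5:]: n for h, n in table.items() if h.startswith(prefix)}
    return returned.get(suffix, 0)
```

A signup or password-change handler that rejects any password with a non-zero count is the simplest way to stop the reuse problem the article describes before it reaches a breach list.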

If we said it once, we’ve reused our don’t-reuse-passwords advice a thousand times. We’re not apologizing, though, since password reuse really is such an atrocious idea.

We know that cybercrooks use breached credentials to see if they work on a variety of third-party sites, be it Facebook, Netflix or many others – including online banking sites.

That, in fact, is why both Facebook and Netflix prowl the internet looking for your username/password combos to show up in troves of leaked credentials.

Read more at https://nakedsecurity.sophos.com/2018/05/14/nest-turns-up-the-temperature-on-password-reusers/

Is Google’s Duplex AI helpful or plain creepy?

By John E Dunn

Last week, Google CEO Sundar Pichai used the company’s annual I/O event to demo an experimental new feature of Google Assistant.

It consisted of two ordinary-sounding one-minute voice conversations, one to book a hair appointment, the other to make a restaurant reservation.

The unusual aspect of those conversations – which Google said were not staged – is that in both the caller was a computer powered by its Duplex AI technology capable of talking and responding to human beings on the other end using natural language.

The clever (or creepy) bit is that had Pichai not told audience members about the AI they would have been unlikely to have detected it.

Computer-generated voice systems are supposed to be stilted, synthesized, and limited in their responses, but this one sounded convincingly human in every way right down to its reassuringly disfluent use of “mhmm” and “um” as part of its chatter.

Duplex is robust enough that Google will start offering it to a small number of Voice Assistant Android users this summer, which they’ll use to make simple reservations like the ones in the demo.

As I/O attendees applauded, and online watchers wondered aloud whether Duplex might be good enough to pass the famous Turing test, the doubters offered a less optimistic assessment of Google’s cleverness.

Might criminals use voice AI to deceive people? What are the implications of people delegating social interaction to machines? Will it put millions of service industry workers out of a job?

Then there are nuanced ethical issues Google faces from day one, such as do people have a right to know they are talking to a machine?

Read more at https://nakedsecurity.sophos.com/2018/05/14/is-googles-duplex-ai-helpful-or-plain-creepy/

Remote code execution bug found in GPON routers, but how bad is it really?

By Maria Varmazis

An anonymous researcher, via vpnMentor, recently disclosed two vulnerabilities in several older models of Dasan-made GPON routers. The first is an authentication bypass, which can be used to trigger the second vulnerability, which allows remote code execution (RCE).

The first vulnerability can be triggered simply by appending the string ?images/ to a URL ending in .html or /GponForm/, which allows the attacker to bypass the authentication process, and from there, trigger the remote code execution.
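From the defender's side, the following added example (not from vpnMentor's write-up or from Dasan) scans web-server access-log lines for the pattern the article describes, a request for a path ending in .html or /GponForm/ with ?images/ appended, and tallies the offending source addresses. The log format and all sample lines, addresses and timestamps are constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed access-log lines in the common Apache/nginx format; the addresses,
# paths and timestamps are made up for this example.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [14/May/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/May/2018:10:01:07 +0000] "GET /menu.html?images/ HTTP/1.1" 200 1033 "-" "curl/7.58.0"',
    '203.0.113.9 - - [14/May/2018:10:01:08 +0000] "POST /GponForm/?images/ HTTP/1.1" 200 87 "-" "curl/7.58.0"',
    '198.51.100.2 - - [14/May/2018:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [14/May/2018:10:02:03 +0000] "GET /help.html?lang=en HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

def is_gpon_bypass_request(target: str) -> bool:
    """True when the request target matches the described bypass: a path ending in
    .html or /GponForm/ with the query string 'images/' appended."""
    parts = urlsplit(target)
    path_match = parts.path.lower().endswith((".html", "/gponform/"))
    return path_match and parts.query.lower().startswith("images/")

def parse_line(line: str) -> Dict[str, str]:
    """Extract client IP, timestamp, method and request target; {} if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def find_bypass_attempts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every line that looks like a bypass attempt."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_gpon_bypass_request(rec["target"]):
            hits.append(rec)
    return hits

def attempts_per_source(lines: Iterable[str]) -> Dict[str, int]:
    """Count bypass attempts per client IP, a handy input for alerting or blocking."""
    return dict(Counter(h["ip"] for h in find_bypass_attempts(lines)))
```

On a router that cannot be patched, the same match is what a WAN-side filter in front of the management interface would drop; keeping that interface off the internet entirely removes the exposure the botnets are scanning for.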

These vulnerabilities proved to be a tempting target for attackers who would love nothing better than to take control of these vulnerable routers and add them to their botnets.

In fact, within a day of the disclosure, there were reports of the vulnerabilities being exploited in the wild. Just a few weeks later, it looks like at least five botnets, including Mirai, are working to take advantage of these bugs, according to researchers at Netlab 360.

Just how big of an impact might these vulnerabilities have? It’s the topic of debate between the researcher who found the vulnerability and Dasan, which sold the routers to ISPs in several countries.

In a blog post, the researcher states that the vulnerability is present in all GPON routers they tested, potentially resulting in “an entire network compromise.” By citing a simple Shodan search for GPON devices, they determine that over a million devices are potentially affected.

But Dasan doesn’t agree with the researcher’s findings. In an official statement, Dasan says the vulnerability is present in only two series of routers released nine years ago which, given their age, are no longer supported. Dasan’s own estimates put the number of devices affected under 240,000 – a far cry from the original researcher’s estimate of nearly a million.

Read more at https://nakedsecurity.sophos.com/2018/05/14/remote-code-execution-bug-found-in-gpon-routers-but-how-bad-is-it-really/

2 million lines of source code left exposed by phone company EE

By Lisa Vaas

EE, which at 30 million customers is the UK’s largest mobile network, was formerly known as Everything Everywhere.

Unfortunately, the name has proved prescient: it reportedly did, in fact, leave everything for anyone anywhere to find by failing to secure a critical code repository, so that anyone could log in with the default username and password. As in, “admin” was both the user name and the password for getting into the downloadable portal software, according to a security researcher with the Twitter handle “Six”.

As first reported by ZDNet, on Thursday, Six tweeted a screen capture that he said shows (redacted) access keys to authorize EE’s employee tool. “You trust these guys with your credit card details, while they do not care about security, or customer privacy,” Six said.

The researcher said that after waiting “many many weeks” for a reply from the company, he decided to publicly disclose the vulnerability. His motive was reportedly to “educate the wider masses about security, and how overlooked it is across the industries.”

The code repository contained two million lines of the source code behind EE’s systems, including systems that contained employee data.

Six said that he had discovered a SonarQube portal on an EE subdomain. SonarQube is an open-source platform that offers continuous code auditing to perform automatic reviews and which EE uses to seek out vulnerabilities across its website and customer portal.

Read more at https://nakedsecurity.sophos.com/2018/05/14/2-million-lines-of-source-code-left-exposed-by-phone-company-ee/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation