May 23, 2018

Server? What server? Site forgotten for 12 years attracts hacks, fines

By John E Dunn

A web server set up by an enterprising student for a conference in 2004 and then forgotten about has left the University of Greenwich nursing a £120,000 ($160,000) fine from Britain’s Information Commissioner (ICO).

Forgetting about a web server isn’t generally a good idea, but this was a particularly dangerous oversight because it had been linked to a database containing the personal data of 19,500 University staff, students, alumni, and conference attendees.

The data also included more intimate personal data of 3,500 people covering learning difficulties, staff sickness, food allergies, and extenuating circumstances put forward by students during their studies.

You can probably guess where this is heading – eventually cybercriminals chanced upon the forgotten server and did their worst.

The initial breach is thought to have occurred in 2013, before it was broken into several times during 2016 with the help of an SQL flaw and some uploaded PHP exploits that opened the way to the databases holding the good stuff.

Eventually, one of the attackers posted the data to Pastebin in January 2016, at which point the breach became public knowledge.

What went wrong? That’s the unsettling bit because on one level – at least from the perspective of 2004 – not much.

The University’s Computing and Maths School (CMS) had held a training conference and one of the academics involved asked a student to build a web microsite. The site included a facility for conference academics to upload documents anonymously via URL, something that attackers would eventually use to their advantage.

Nobody remembered (or had the job of) shutting this down once the conference had finished and so it sat there for years as new vulnerabilities were discovered, patches were applied, skills were improved on all sides and attacks on web servers became everyday occurrences.

Read more at https://nakedsecurity.sophos.com/2018/05/22/server-what-server-site-forgotten-for-12-years-attracts-hacks-fines/

TeenSafe phone monitoring app leaks teens’ iCloud logins in plaintext

By Lisa Vaas

A security researcher has discovered at least two servers hosted by a “secure” monitoring app for iOS and Android, TeenSafe, that were up on Amazon Web Services (AWS) for months without the need for a passcode to get at their data.

The mobile app, TeenSafe, bills itself as being a “secure” monitoring app built by parents, for parents. It lets parents view their kids’ text messages, monitor who they’re calling and when, to track their phones’ current and historical locations, to check their browsing histories, and to see what apps they’ve installed.

The leaky servers were discovered by Robert Wiggins, a UK-based security researcher who searches for public and exposed data. The company took one server down after being contacted by ZDNet. The other server apparently held only non-sensitive data: likely, test data.

Data from more than 10,000 accounts were exposed.

Wiggins said that the unprotected servers were letting anybody see Apple user IDs, parents’ email addresses, unique phone IDs, users’ attempts to “find my iPhone” and passwords stored in plaintext.

Wiggins said that if Android data were being exposed, he didn’t come across it.

The security researcher told the BBC that the data was viewable because TeenSafe lacked basic security measures, such as a firewall, to protect it.

Read more at https://nakedsecurity.sophos.com/2018/05/22/teensafe-phone-monitoring-app-leaks-teens-icloud-logins-in-plaintext/

DrayTek router user? Patch now to keep the crooks out…

By Paul Ducklin

Network hardware vendor DrayTek has announced a security hole in its Vigor range of routers.

About 20 different models are affected, most of which seem to have firmware patches available already, so if you have a DrayTek Vigor, please go and check right away if you’re affected.

DrayTek hasn’t given precise details of how the attack works, which is probably a good thing, but it seems to involve what’s known as Cross Site Request Forgery (CSRF).

That’s where a crook can trick your browser into sending commands to websites you’re still logged in to, behind your back. In this case, the website in question is the web interface of your router.

DrayTek’s announcement says: “We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers. In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router.”

It seems that cybercriminals have been tricking some DrayTek Vigor routers into altering DNS settings via the router configuration interface, switching your DNS server from the one you usually use to an imposter server operated by the crooks.

Read more at https://nakedsecurity.sophos.com/2018/05/22/draytek-router-user-patch-now-to-keep-the-crooks-out/

Mugshots.com’s alleged owners arrested for extortion

By Lisa Vaas

On 2 September, 2013, a California resident, Jesse T., was arrested and booked into the Sonoma County Jail.

As is standard procedure, police took his mugshot and his fingerprints. He was released 12 days later without being charged for a crime.

Jesse T. estimates that he went on to submit 100 applications for jobs in the electrical field, construction, manufacturing, and labor. He got nary a nibble: zero response, no return calls, no acknowledging emails, no invitations to come in for an interview.

A year after his arrest, a friend told him she’d searched for him online and found his mugshot. Was he in prison? Jesse T. was astonished and embarrassed. What was she talking about?

Google yourself, she said.

What he found: the arrest information had been published to a site called Mugshots.com. The site listed his full name, address, gender, and the charge for which Jesse T. had been arrested. It lacked any mention of the fact that he hadn’t been charged or convicted. Also on the site, he found a link to unpublisharrest.com. That led him to a phone number. When he called the 800 number, a man told him he’d need to fork over $399 to have his mugshot taken down.

“That’s illegal,” said Jesse T. The man laughed and hung up. Jesse T. called a total of five times, but all he got was a recording. Then, he got a call from an unlisted number. He turned on his recorder and answered.

According to court documents, this is the transcript from that call, which Jesse T. presented to police:

Jessie T.: Hello?

Unknown male: This third time tell you f**king bitch we never answer your calls again you’ve been permanently published faggot bitch.

Jessie T.: Hey, I’d like my stuff removed.

Call ended.

This is the business model: Mugshots.com publishes people’s mugshots, without their knowledge or consent, and then it extorts them for removal of the content.

But last week, Jesse T. was presented with a juicy fillet of poetic justice. Care for karma sauce?

Read more at https://nakedsecurity.sophos.com/2018/05/22/mugshots-coms-alleged-owners-arrested-for-extortion/
