October 15, 2018

What Kanye West can teach us about passcodes

By John E Dunn

Kanye West did something incredibly unwise during his visit to the White House this week that had nothing to do with making the media and a famously impatient President Trump sit through a 10-minute expletive-laced monologue.

Pulling out an iPhone XS to show the assembled throng a picture of the hydrogen-powered aircraft that “our president should be flying in,” West casually unlocked it using the passcode ‘000000’.

Famous people occasionally make security mistakes like this in public, and every time the reaction is the same – ridicule mixed with surprise.

Ridicule because 000000 seems like the sort of passcode anyone could guess, and surprise that West allowed himself to be filmed revealing this naive weakness.

Others are simply bemused that West didn’t use Face ID or Touch ID.

Read more at https://nakedsecurity.sophos.com/2018/10/12/what-kanye-west-can-teach-us-about-passcodes/

35 state attorneys general tell FCC to pull the plug on robocalls

By Lisa Vaas

A bipartisan group of 35 state attorneys general are tearing their hair out over robocallers. They’re telling the Federal Communications Commission (FCC) to implement technology that will identify illegally spoofed calls and authenticate legitimate ones, the sooner the better.

In a letter sent to the FCC on Tuesday, the AGs submitted comments in response to a public notice issued by the Consumer and Governmental Affairs Bureau seeking to refresh the record on how the FCC can further empower service providers to block illegal calls.

The AGs said that the situation is beyond what law enforcement can handle on its own. The states’ respective consumer protection offices are receiving and responding to tens of thousands of consumer complaints every year from people getting plagued by robocalls.

More often than not, such calls travel through “a maze of smaller providers,” the AGs said. If the caller can be found at all, they’re usually located overseas, making enforcement difficult. That’s why investigations and enforcement actions can’t serve as the sole solution, they said.

Last year, the FCC released the 2017 Call Blocking Order, which included rules allowing providers to block spoofed calls – as in, calls that pretend to come from consumers’ phones or, even more sneaky, from neighbors’ phones, with area codes that mirror their targets’ area codes. The order allowed providers to block calls from numbers on do-not-originate lists and from numbers that are invalid, unallocated, or unused.

Read more at https://nakedsecurity.sophos.com/2018/10/12/35-state-attorney-generals-tell-fcc-to-pull-the-plug-on-robocalls/

Experian credit-freeze PINs could be revealed by a simple trick

By Lisa Vaas

Last year was a rough time for consumers whose personal information was handled with, shall we say, less than due diligence by the credit bureaus.

In an aftershock following the epic Equifax data-quake last year, it was revealed that the PINs used to protect frozen credit files (frozen by victims to protect themselves from the effects of the breach) were woefully bad.

Now, the latest news shows that at least one other credit bureau – Experian – is also undermining its own PIN security. This time, knowledge-based authentication questions were set up in a way that gave away credit freeze PINs.

Equifax and Experian under fire last year

In September 2017, Equifax disclosed its massive breach – one that affected about half of the population of the US and a mess of Canadians and Brits. We recommended that people put a freeze on their credit files.

Read more at https://nakedsecurity.sophos.com/2018/10/12/experian-credit-freeze-pins-could-be-revealed-by-a-simple-trick/

Payment skimmers sneaking on to websites via third party code

By John E Dunn

With all the recent fuss about the alleged hacking activities of Russian intelligence, one could be forgiven for missing the unfolding story of ‘Magecart’.

It’s not clear whether Magecart is a loosely-affiliated cybercrime group or just the modus operandi of a few disparate cybercriminals using the same toolkit. Whatever it is, it’s been blamed for several high-profile payment card breaches this summer, including Ticketmaster.

In the latest development, security company RiskIQ says it recently stopped Magecart from pulling off a cyberattack that could have affected a sizeable group of companies using the Shopper Approved customer rating plug-in on their websites.

According to the company, attackers somehow compromised Shopper Approved’s servers to implant malicious JavaScript pointing to a domain under Magecart’s control. Why? To skim card numbers and other details as customers enter them into payment forms.

Almost the perfect crime?

This is almost the perfect crime because the host website is unlikely to notice the skimming until defrauded customers (or a security company) tell them, not least because it’s inside a third-party plug-in.

Read more at https://nakedsecurity.sophos.com/2018/10/12/payment-skimmers-sneaking-on-to-websites-via-third-party-code/

Instagram tests sharing your location history with Facebook

By Lisa Vaas

Facebook users who still cling to the notion that they can limit the company’s bloodhound-like tracking of their lives should be aware that its Instagram app has been prototyping a new privacy setting that would enable location history sharing with its parent company.

It was first spotted by bug finder Jane Manchun Wong:

Instagram, as a "Facebook Product", is testing Facebook Location History in their app. It allows tracking the hist… twitter.com/i/web/status/1…

Jane Manchun Wong (@wongmjane)
October 04, 2018

As you can see in Wong’s screen grab, the “Learn More About Location History” section in the prototype notes that the setting will enable Facebook to build a history of precise locations on your device, even when you’re not logged in to the app.

It’s all about letting users “explore what’s around you,” the prototype says. You can translate “explore” as “buy stuff in nearby stores whose ads we can pepper you with.” The geo-tagged data will show up in users’ Activity Log on their Facebook Profiles, including daily maps of where you’ve been.

Read more at https://nakedsecurity.sophos.com/2018/10/11/instagram-tests-sharing-your-location-history-with-facebook/

Millions at risk from default webcam passwords

By Danny Bradbury

Remember all those webcams that got infected by the Mirai IoT botnet two years ago? Well, Hangzhou Xiongmai Technology Co. Ltd (Xiongmai) – the Chinese manufacturer that made many of them – is back with another vulnerability that puts millions of devices across the world at risk yet again.

Xiongmai eventually fixed the vulnerability in its products that enabled the Mirai authors to compromise an unknown number of devices and bring the internet to a standstill. That doesn’t mean that the company’s products are watertight, though. The new vulnerability creates the opportunity for new attackers to make yet another large and powerful IoT botnet.

The vulnerability lies in a feature called XMEye P2P Cloud, which is enabled on all Xiongmai devices by default. It lets people access their devices remotely over the internet, so that they can see what’s happening on their IP cameras or set up recording on their DVRs.

Using a variety of apps, users log into their devices via Xiongmai’s cloud infrastructure. This means they don’t have to set up complex firewall port forwarding or UPnP rules on their home routers, but it also means the service opens up a hole into the user’s network. That places the onus on Xiongmai to make the service secure. It didn’t.

A technical advisory from SEC Consult, a cybersecurity consulting company that investigated the service, recently turned up a litany of security problems.

Read more at https://nakedsecurity.sophos.com/2018/10/11/millions-at-risk-from-default-webcam-passwords/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwired or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation