January 29, 2019

Japanese government will try to hack its citizens’ IoT devices

By Lisa Vaas

Starting next month, the Japanese government is going to try its hand at credential stuffing the country’s Internet of Things (IoT), including gizmos ranging from the enterprise network level down to citizens’ “oops, never changed the default password!” webcams and everything in between.

Credential stuffing is when attackers grab login credentials that have been breached, then e-wander around plugging them into other places, trying to find out where else those same credentials have been used. Because a lot of users have the bad habit of reusing the same passwords across several websites, the tactic is successful far too often.

According to NHK, Japan’s national public broadcasting organization, the government approved of the first-of-its-kind venture on Friday.

The plan: in mid-February, staff at the National Institute of Information and Communications Technology (NICT) will generate user IDs and passwords and use them to try to break into a randomly selected batch of about 200 million IoT devices, such as routers and webcams.

Then, the owners of the breached devices will be told to bolster their cybersecurity.

The aim is to shrink the surface area available to attackers in the run-up to the Tokyo Olympics and Paralympics in 2020. That’s not a bad idea: after all, some systems went down around the time of the opening ceremony for the Winter Olympics in Pyeongchang, South Korea, last year.

Read more at https://nakedsecurity.sophos.com/2019/01/29/japanese-government-will-try-to-hack-its-citizens-iot-devices/

Facebook to tie together WhatsApp, Instagram and Facebook Messenger

By Lisa Vaas

Facebook plans to take all of its chat apps – Messenger, WhatsApp and Instagram – and smoosh them into one interconnected chat blob, in spite of having promised to retain the independence of WhatsApp and Instagram when it bought them.

The New York Times reported on Friday that the plans come directly from CEO Mark Zuckerberg. It cited four anonymous sources involved in the effort, which will reportedly entail keeping the three as standalone apps but stitching their technical infrastructure together so that users of each app can talk to each other more easily.

The plan also includes slathering the end-to-end encryption of WhatsApp – which keeps anyone, including Facebook itself, from reading the content of messages – onto Messenger and Instagram. At this point, Facebook Messenger supports end-to-end encryption in “secure connections” mode: a mode that’s off by default and has to be enabled for every chat. Instagram has no end-to-end encryption on its chats at all.

The move will tie together the world’s biggest message networks: the resulting chat blob will encompass more than 2.6 billion users.

The NYT’s sources said that the plan is in the early stages at this point and that Facebook’s goal is to wrap up the integration by early 2020. Tying together the apps will be involved: the reconfiguration will require thousands of Facebook employees to rework how the three apps function “at their most basic levels,” said the sources.

Read more at https://nakedsecurity.sophos.com/2019/01/29/facebook-to-tie-together-whatsapp-instagram-and-facebook-messenger/

Apple scrambles to fix FaceTime eavesdropping bug

By Paul Ducklin

Apple is scrambling to fix an embarrassingly dangerous “snooping” bug in its popular FaceTime app.

In the meantime, Apple has apparently disabled the Group FaceTime feature entirely, preferring to inflict a service outage rather than to leave the exploitable privacy hole gaping open.

The bug was reported on well-known Mac news site 9to5Mac, and how to abuse it is widely known.

In the simplest terms, the bug goes like this:

  • Call someone from your contacts using FaceTime.
  • Their phone will ring.
  • Use the “Add Person” option to include a new participant in the chat, namely yourself.

That might sound pointless, considering that you are, rather obviously, already part of the call.

In fact, it seems that this sequence of events is so pointless that no one ever tested it, because what happens is that both you and the person who hasn’t answered the call yet get added into the conversation…

…and you can immediately hear the audio feed from the person who hasn’t answered the call yet.

Read more at https://nakedsecurity.sophos.com/2019/01/29/apple-facetime-eavesdropping-bug/

Thieves’ names and descriptions made public on B&Q database

By Danny Bradbury

When people find unsecured Elasticsearch databases online, they often contain sensitive customer information.

Not so with UK-based DIY giant B&Q, which reportedly suffered its own breach this week. Instead of customer data, an exposed Elasticsearch instance gave up information on around 70,000 shoplifters, according to Australian security researcher Lee Johnstone.

The exposed data included the names of thieves, along with the product codes of the things they had attempted to steal, the total price of the losses, and location data for the stores. Also included were detailed descriptions of people and their vehicles.

According to Johnstone’s report, the instance was operated by TradePoint, the arm of B&Q that focuses on trade-only sales.

He said that it was operating an internal program to track incidents of theft across its stores, along with information about the offenders. The retailer stored all this information in an Elasticsearch database that was connected to the public internet, and without any form of authentication.

Johnstone quotes just one juicy record from the exposed database, describing an offender who got away. It reads:

Offender ran out of the fire exit with nest thermostats. The male on this occasion got away. There is no CCTV footage covering this area. No CCTV coverage of the theft or witnesses.

Read more at https://nakedsecurity.sophos.com/2019/01/29/bqs-dodgy-database-divulges-data-on-70000-diyers/

Credential-stuffing attack prompts Dailymotion password reset

By John E Dunn

Video-sharing website Dailymotion is resetting the account passwords of an unknown number of users after being hit by a “large-scale” credential-stuffing attack.

As is often the case with password reset announcements, the technical detail of what happened and how many users were affected remains sketchy.

According to an email circulating on Twitter that was sent to some users, and a brief announcement on the company’s US website, Dailymotion’s security team detected the attack on user credentials on 19 January:

The attack consists in ‘guessing’ the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion.

What marks the Dailymotion incident out as unusual is that more than a week later the company is still battling the same attack.

Underlining this, Dailymotion said it had informed the French information commissioner, CNIL (Commission nationale de l’informatique et des libertés), which implies that the attack might have had some success.

Repelling credential stuffing is not easy. Attackers use botnets to distribute the attacks across large numbers of computers that can be hard to distinguish from legitimate traffic and even harder to block.
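To illustrate why a distributed credential-stuffing run is hard to catch with per-IP blocking alone, here is an added example (not from Dailymotion or the article) that runs two checks over constructed login events: a classic per-IP failure threshold, and an aggregate view that looks at how many distinct IPs and accounts the failures are spread across. All log lines, IP addresses and thresholds are made up for the demonstration.

```python
from collections import Counter

# Constructed sample authentication events (not real Dailymotion data):
# "timestamp source_ip account result", one login attempt per line.
AUTH_LOG = """\
2019-01-19T10:00:01Z 203.0.113.10 alice FAIL
2019-01-19T10:00:02Z 203.0.113.11 bob FAIL
2019-01-19T10:00:02Z 203.0.113.12 carol FAIL
2019-01-19T10:00:03Z 203.0.113.13 dave OK
2019-01-19T10:00:03Z 203.0.113.14 erin FAIL
2019-01-19T10:00:04Z 203.0.113.15 frank FAIL
2019-01-19T10:00:05Z 198.51.100.7 grace FAIL
2019-01-19T10:00:06Z 198.51.100.7 grace OK
2019-01-19T10:00:07Z 203.0.113.16 heidi FAIL
2019-01-19T10:00:08Z 203.0.113.17 ivan FAIL
"""

def parse_log(text):
    """Parse whitespace-separated auth lines into (ip, account, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, account, result = line.split()
        events.append((ip, account, result == "OK"))
    return events

def per_ip_lockout_hits(events, threshold=5):
    """Classic defence: IPs with >= threshold failures. A botnet that sends
    one attempt per IP never reaches the threshold, so this returns nothing."""
    fails = Counter(ip for ip, _acct, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def stuffing_indicators(events, min_attempts=8, max_fail_rate=0.5, min_ip_spread=0.7):
    """Aggregate view: many distinct IPs, each trying a different account,
    with a failure rate far above what real users produce."""
    total = len(events)
    failures = sum(1 for _ip, _acct, ok in events if not ok)
    ips = {ip for ip, _acct, _ok in events}
    accounts = {acct for _ip, acct, _ok in events}
    fail_rate = failures / total if total else 0.0
    ip_spread = len(ips) / total if total else 0.0  # 1.0 => every attempt from a new IP
    suspicious = (total >= min_attempts and fail_rate > max_fail_rate
                  and ip_spread >= min_ip_spread)
    return {"attempts": total, "failures": failures, "distinct_ips": len(ips),
            "distinct_accounts": len(accounts), "fail_rate": fail_rate,
            "ip_spread": ip_spread, "suspicious": suspicious}

if __name__ == "__main__":
    evs = parse_log(AUTH_LOG)
    print("per-IP lockouts:", per_ip_lockout_hits(evs))
    print("aggregate view:", stuffing_indicators(evs))
```

The per-IP check flags no address at all, while the aggregate view marks the same ten events as suspicious; in practice the aggregate metrics would be computed over a sliding time window and fed into rate limiting or step-up authentication rather than a hard block.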

Read more at https://nakedsecurity.sophos.com/2019/01/29/credential-stuffing-attack-prompts-dailymotion-password-reset/

How my Instagram account got hacked

By Matt Boddy

Every so often I receive an unsolicited friend request on social media from an attractive woman doing a suggestive pose in her profile picture.

I’m not just showing off that I get the occasional friend request from an attractive lady. The person in the profile picture of these accounts probably looks nothing like the person requesting to follow or befriend me.

Quite often these are hijacked accounts used by a cybercriminal to exploit your sexual desires.

I’m going to share a deep dark secret with you

Today it’s Data Privacy Day, and to celebrate I’m going to tell you the story of how my leaked data was used against me by hackers to log in to my Instagram account.

In April 2012, Instagram was launched on Android devices. When the popularity of the Android app grew, I signed up to an account and uploaded a single picture to see what the fuss was about. I then removed the app and didn’t sign into the app again until 2015.

Read more at https://nakedsecurity.sophos.com/2019/01/28/how-my-instagram-account-got-hacked/

ACS

Advanced Computer Services of Central Florida
