July 3, 2019

IoT vendor Orvibo gives away treasure trove of user and device data

By Danny Bradbury

Two billion items of log data from devices sold by China-based smart IoT device manufacturer Orvibo were found by researchers at web privacy review service vpnMentor, who discovered the data in an exposed Elasticsearch server online.

Orvibo has been selling products for smart homes, businesses, and hotels since 2011, ranging from HVAC systems through to home security, energy management, and entertainment systems. The back-end database appears to have been logging system events from lots of them.

Researchers Noam Rotem and Ran Locar found logs from Orvibo devices in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil, vpnMentor said in its report.

This data provides insights into the lives of Orvibo’s customers, creating potential security risks, it warned.

With over 2 billion records to search through, there was enough information to put together several threads and create a full picture of a user’s identity.

The logs discovered by the vpnMentor team contained various pieces of personal information, including email addresses, usernames, user IDs, and passwords. Orvibo’s developers had used the notoriously insecure MD5 hashing mechanism to protect the passwords. They had also failed to use a salt, which is a random string combined with the password that makes hashed passwords far more difficult to recover.
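The difference a salt makes, as an added example that is not from the article or from Orvibo's code: unsalted MD5 gives every user with the same password the same stored digest, while a per-user salt with a slow key-derivation function does not. The account names and passwords are constructed, and PBKDF2-HMAC-SHA256 with this iteration count is the example's own choice of replacement, not something the article names.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not data from the exposed logs).
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "Tr0ub4dor&3"}
ITERATIONS = 600_000  # assumption: work factor chosen for this example


def md5_unsalted(password):
    """The weak scheme described above: bare MD5 with no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Derive a digest with a fresh 16-byte random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_digests(table):
    """Group users by stored digest; a group of two or more reveals
    that those users chose the same password."""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def unsalted_table():
    return {user: md5_unsalted(pw) for user, pw in ACCOUNTS.items()}


def salted_table():
    return {user: hash_salted(pw)[1].hex() for user, pw in ACCOUNTS.items()}


if __name__ == "__main__":
    print("unsalted MD5, users sharing a digest:", shared_digests(unsalted_table()))
    print("salted PBKDF2, users sharing a digest:", shared_digests(salted_table()))
```

The salt is stored next to the digest; it does not need to be secret, only unique per user.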

The log data also included codes required for users to reset their accounts. The company said:

With this code accessible in the data, you could easily lock a user out of their account, since you don’t need access to their email to reset the password.

The code enables people to reset their email addresses too, meaning that an attacker could deny a user any chance of regaining their passwords.

Read more at https://nakedsecurity.sophos.com/2019/07/03/iot-vendor-orvibo-gives-away-treasure-trove-of-user-and-device-data/

Georgia’s court system hit by ransomware

By Lisa Vaas

Georgia’s court system has been hit with what may be the fourth Ryuk ransomware strike against state and local agencies in the past month and a half.

At the time of publishing this article, the site was still down.

According to Atlanta’s Channel 11 News, officials confirmed on Monday that at least part of the court system’s network had been knocked offline by a ransomware attack.

Details about the extent of the damage haven’t been publicly disclosed, but officials say it’s much less severe than the attack against Atlanta that destroyed years of police dashcam video last year, as well as freezing systems. Six days after it was hit, Atlanta was still rescheduling court dates, police and other employees were still writing out reports by hand, and residents couldn’t go online to pay their water bills or parking tickets.

The earlier attack against Atlanta involved SamSam ransomware – a high-profile ransomware that was typically used in targeted attacks where attackers break into a victim’s network and launch ransomware manually, to cause maximum damage and disruption.

The crooks demanded what was then roughly $52,000 worth of bitcoin. That paled in comparison to the $2.6 million worth of emergency contracts the city initiated to claw back its systems, and to the six-figure ransoms demanded in similar targeted attacks by other gangs.

The nature of this latest attack on Georgia’s court system hasn’t yet been determined. Authorities said the extortionists’ note didn’t specify a specific ransom amount or demands. Although the attack doesn’t appear to be as crippling as the SamSam one from last year, they took the court network offline to stay on the safe side, authorities said.

While few details were available as of Tuesday afternoon, there’s a hint that the Georgia assault might involve Ryuk ransomware.

Read more at https://nakedsecurity.sophos.com/2019/07/03/georgias-court-system-hit-by-ransomware/

Miami police body cam videos up for sale on the darkweb

By Lisa Vaas

This can’t be a good day for Miami police.

We’ve known for a while that many webcams are a security train wreck, and that doesn’t change just because a police officer straps one on.

Now, unsurprisingly, police body cam footage has been found sloshing around online.

It’s not just that about a terabyte of videos from Miami Police Department body cams was leaked and stored in unprotected, internet-facing databases, according to the security outfit that found them. It’s that they were leaked and then sold, according to Jason Tate, CEO of Black Alchemy Solutions Group, who told The Register that his team had found the footage listed for sale on the darkweb.

Tate first tweeted about the discovery on Saturday, including a sample video, which has since been removed.

Tate said that the data is coming from five different cloud service providers. Besides Miami Police, there’s video leaking from city police departments “all over the US”, he said.

It seems these 5 providers have city contracts all over.

Read more at https://nakedsecurity.sophos.com/2019/07/03/miami-police-body-cam-videos-up-for-sale-on-the-darkweb/

Patch Android! July 2019 update fixes 9 critical flaws

By John E Dunn

Depending on when users receive it, this week’s Android July 2019 patch update will fix 33 security vulnerabilities, including 9 marked critical, and 24 marked high.

If you own a Google Pixel device, that will be within a day or two, leaving everybody else on the 2019-07-01 and 2019-07-05 patch levels (what these dates mean is explained here) running Android 7, 8 or 9 to wait anything from weeks to months to catch up.

As usual, July’s batch of fixes covers flaws in significant parts of Android, including system, framework, library, and Qualcomm’s numerous components, including closed-source software.

However, as has been the case for some months, it’s the media framework that provides a disproportionate amount of the patching action in the form of three remote code execution (RCE) bugs marked critical.

These are CVE-2019-2107, CVE-2019-2106 (affecting Android 7 and 8), and CVE-2019-2109 (which only affects Android 9).

Another RCE critical is CVE-2019-2111 in the Android system, with the remaining critical flaws all connected to Qualcomm’s closed-source components.

Read more at https://nakedsecurity.sophos.com/2019/07/03/patch-android-july-2019-update-fixes-9-critical-flaws/

