October 23, 2019
US nuclear weapons command finally ditches 8-inch floppies
By John E Dunn
Imagine a computer system based on the 1970’s-era IBM Series/1 and 8-inch floppy drives and most people would assume you’re describing a museum piece kept alive by enthusiasts.
And yet, such a computer system ranks as one of the most important in the world – so critical in fact that nobody has wanted to change or upgrade it since it was built nearly half a century ago.
It sits in bunkers across the US, part of the command centres that run the country’s nuclear missile deterrent on behalf of the Strategic Automated Command and Control System (SACCS).
Surprised? You shouldn’t be. But what matters is that SACCS is finally in line for a hardware upgrade as part of a $400 billion, 10-year program to modernise the US’s military nuclear technology.
This program has been public knowledge for a while but a detail that might have escaped public attention is the recently reported intention to ditch 8-inch floppies in favour of a contemporary, presumably encrypted, storage equivalent.
Read more at https://nakedsecurity.sophos.com/2019/10/22/us-nuclear-weapons-command-finally-ditches-8-inch-floppies/
Travel database exposed PII on US government employees
By Danny Bradbury
A property management company owned by hotel chain Best Western has exposed 179 GB of sensitive travel information on thousands of travelers, researchers said this week.
The breach, which exposed the users of many other travel services, also reportedly put sensitive US government employees at risk.
Researchers at vpnMentor, Noam Rotem and Ran Locar, were conducting a large web mapping project, port scanning IP blocks to find vulnerabilities. In a description of the breach, they explained how they stumbled upon an Elasticsearch database running on an AWS instance. The database was completely unsecured and unencrypted, they said.
After some digging, the researchers found that the database belonged to Autoclerk, which sells server- and cloud-based property management software. In August 2019, Best Western Hotel & Resorts Group bought the company to add Autoclerk’s software to its own technology stack, making it easier for its property management systems to talk to the central reservation systems used by travel agents.
The database contained information from third-party travel and hospitality platforms that used Autoclerk to communicate with each other and exchange data.
The researchers said:
The leak exposed sensitive personal data of users and hotel guests, along with a complete overview of their hotel and travel reservations. In some cases, this included their check-in time and room number. It affected 1,000s of people across the globe, with millions of new records being added daily.
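The discovery described above rests on one property of an unprotected Elasticsearch node: a plain GET to its HTTP port returns a JSON banner (cluster name, version, and the tagline "You Know, for Search") to anyone, whereas a node with authentication enabled answers 401 or 403. The script below is an added example, not code from vpnMentor or from the article; it classifies such responses, summarises what an exposed node holds from its index listing, and can probe a live host. The sample responses, the hypothetical cluster and index names, and the host argument are constructed for illustration.

```python
"""Check whether an Elasticsearch endpoint answers without authentication.

Added example (not from the vpnMentor research or the Naked Security article).
An unsecured node answers GET / on port 9200 with a JSON banner containing its
tagline; with security enabled it answers 401 (or 403 behind a proxy).
"""
import json
import urllib.error
import urllib.request

ES_TAGLINE = "You Know, for Search"   # banner tagline every Elasticsearch node sends


def classify(status: int, body: str) -> str:
    """Classify one HTTP response from a suspected Elasticsearch node.

    Returns "open" (banner served with no credentials), "auth-required"
    (node challenges for credentials) or "not-elasticsearch".
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        if isinstance(doc, dict) and doc.get("tagline") == ES_TAGLINE:
            return "open"
    return "not-elasticsearch"


def index_summary(cat_indices_json: str) -> list:
    """Parse the output of /_cat/indices?format=json into (index, doc count)
    pairs, skipping internal dot-indices. This is what a responsible-disclosure
    report would quote: which indices are exposed and how many records."""
    rows = json.loads(cat_indices_json)
    return [(r["index"], int(r["docs.count"]))
            for r in rows if not r["index"].startswith(".")]


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> str:
    """Fetch the banner from a live host and classify it (needs network access).
    Only use this against hosts you are authorised to test."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:          # 401/403 arrive as exceptions
        return classify(e.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample responses (not captured from any real server).
SAMPLE_OPEN_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "bookings",
    "version": {"number": "6.8.2"}, "tagline": ES_TAGLINE,
})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "reservations", "docs.count": "1432011"},
    {"index": ".kibana", "docs.count": "3"},
])

if __name__ == "__main__":
    print(classify(200, SAMPLE_OPEN_BANNER))      # open
    print(index_summary(SAMPLE_CAT_INDICES))      # [('reservations', 1432011)]
```

The fix on the owner's side is not a firewall rule alone: bind the node to a private interface, put it behind a security group or VPC that only application hosts can reach, and require credentials (Elasticsearch has shipped authentication at the free basic licence since 6.8/7.1). A response of "open" from this check means anyone who port-scans the IP block, as the researchers did, can read every index.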
Read more at https://nakedsecurity.sophos.com/2019/10/23/travel-database-exposed-pii/
Storing your stuff securely in the cloud
By Maria Varmazis
How much of your stuff goes into the cloud? Probably a lot more than you realize.
Not just your files, photos, videos, but also your app settings, notes, reminders, and if you use a password manager, possibly your password vault too.
If you work in any kind of collaborative organization – from corporate life to family life – you probably do a lot of work in shared online documents that you pass around, maybe even share the credentials. I’m not here to wag a finger at you, this is just reality for many of us. What’s important is to understand the risks in what we’re doing and what we can do to mitigate them.
As the saying goes, the cloud is just someone else’s computer. So the risk with storing things in the cloud is that you’re giving up your own local control over your files. This means there is a risk, however small, that someone else can access them, maliciously or accidentally.
Some examples of unauthorized entrants can include:
- An attacker who hacks their way into the cloud server where your files are stored
- An employee of that cloud company who has more access to customers’ files than they should
- A colleague who has since left your organization, but still has access to your files
Maybe that former colleague doesn’t care about being able to access their old files, or perhaps they’ve gone on to work for a competitor. Maybe that attacker is only able to gain access to a bunch of old Word documents you’ve forgotten about, or perhaps they’ve found an unencrypted collection of all your financial passwords.
Read more at https://nakedsecurity.sophos.com/2019/10/22/storing-your-stuff-securely-in-the-cloud/
Vatican launches smart rosary – complete with brute-force flaw
By Danny Bradbury
At some point, most software developers have probably hit ‘run’, crossed their fingers and prayed, but last week the Vatican took it to a whole new level. It released its new digital rosary – complete with show-stopping logic bug.
Deciding that the 21st century might be a nice place to visit, the Vatican started by testing out this whole wearable technology thing with an electronic rosary. It’s called the Click to Pray eRosary and it targets “the peripheral frontiers of the digital world where the young people dwell.” (The Vatican News actually talks like this.)
Traditional rosaries are meditative beads that you use to count off multiple prayers, and they’ve been around since at least the 12th century, according to scholars. Wearable as a bracelet, the new electronic version, released on 15 October, springs into life when users activate it by stroking its touch-sensitive cross.
The $110 device syncs with Click to Pray, which is the official prayer app of the Pope’s Worldwide Prayer Network. It tracks the user’s progress as they work through different sets of themed prayers. Oh, it also tracks your steps, too, for those that want to exercise both body and soul.
Unfortunately, it seems that holy software developers are as fallible as the rest of us. Two researchers noticed flaws with Click to Pray that divulged sensitive information.
In a blog post last Friday, Fidus Information Security exposed a brute-force flaw in the app’s authentication mechanism. It lets you log in via Google and Facebook – no problem there – but it’s the alternative that caused the issue: access with a four-digit PIN.
When a user resets their account using Click to Pray’s app, it uses an application programming interface (API) to make the request to the server, which then sends the PIN to the user’s email. The server also returns the PIN in its response to the API request, meaning that someone accessing the API directly could get the user’s PIN without having access to their email. Even without that leak, a four-digit PIN has only 10,000 possible values, so an endpoint that accepts unlimited guesses can be brute-forced in minutes.
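The two weaknesses described above (a reset response that echoes the PIN, and a four-digit PIN that can be guessed exhaustively because nothing limits attempts) are shown side by side with a hardened version in the added example below. This is not code from the Click to Pray app or from the Fidus write-up; the function names, the in-memory stores and the email stand-in are assumptions made for illustration.

```python
"""PIN reset and verification: the reported flaws beside a hardened version.

Added example; not code from Click to Pray or Fidus. The in-memory stores,
the OUTBOX email stand-in and all function names are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

OUTBOX: list = []        # stands in for the email sender: (address, text)


def send_email(address: str, text: str) -> None:
    OUTBOX.append((address, text))


# --- as reported: the response leaks the PIN, and the PIN is guessable ----
PINS: dict = {}


def reset_pin_vulnerable(email: str) -> dict:
    pin = f"{secrets.randbelow(10_000):04d}"      # four digits: 10,000 values
    PINS[email] = pin
    send_email(email, f"Your PIN is {pin}")
    # Bug: the PIN is also handed back to whoever called the API.
    return {"status": "ok", "email": email, "pin": pin}


def login_vulnerable(email: str, pin: str) -> bool:
    return PINS.get(email) == pin                # no attempt limit, no lockout


def brute_force(email: str) -> Optional[str]:
    """Try every four-digit PIN; with no rate limit this always succeeds."""
    for guess in range(10_000):
        candidate = f"{guess:04d}"
        if login_vulnerable(email, candidate):
            return candidate
    return None


# --- hardened --------------------------------------------------------------
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded
CODE_TTL = 600           # seconds a reset code stays valid


@dataclass
class ResetRecord:
    code: str
    expires: float
    attempts: int = 0


RESETS: dict = {}


def reset_pin_hardened(email: str, now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(16)             # ~128 bits, not four digits
    RESETS[email] = ResetRecord(code, now + CODE_TTL)
    send_email(email, f"Your reset code is {code}")
    # Same response whether or not the account exists, and never the code.
    return {"status": "ok"}


def verify_reset_hardened(email: str, code: str,
                          now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    rec = RESETS.get(email)
    if rec is None or now > rec.expires:         # unknown or expired
        return False
    rec.attempts += 1
    if rec.attempts > MAX_ATTEMPTS:              # lock out after MAX_ATTEMPTS
        RESETS.pop(email, None)
        return False
    if hmac.compare_digest(rec.code, code):      # constant-time comparison
        RESETS.pop(email, None)                  # single use
        return True
    return False


if __name__ == "__main__":
    leaked = reset_pin_vulnerable("user@example.com")   # constructed address
    print("response leaks:", leaked["pin"])
    print("brute-forced:", brute_force("user@example.com"))
    print(reset_pin_hardened("user@example.com"))      # {'status': 'ok'}
```

The hardened path changes three things at once: the secret goes only to the mailbox, it is long and random rather than a four-digit number, and it is single-use, time-limited and discarded after a handful of wrong guesses. Any one of those on its own would have blunted the reported attack; together they remove both the leak and the brute-force avenue.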
Read more at https://nakedsecurity.sophos.com/2019/10/22/vatican-developers-commit-cardinal-coding-sin/
Woman ordered to type in iPhone passcode so police can search device
By Lisa Vaas
An Oregon appeals court last week decided that a woman who was high on meth when she crashed into a tree, seriously injuring one adult and five children passengers, can be forced to unlock her iPhone.
It’s not a violation of her Fifth Amendment rights against self-incrimination, the court said on Wednesday, because the fact that she knows her phone passcode is a “foregone conclusion.” According to Oregon Live, the court’s rationale is that police already had reason to believe the phone in question was hers, given that they found it in her purse.
The foregone conclusion standard keeps cropping up in these compelled-unlocking cases. It allows prosecutors to bypass Fifth Amendment protections if the government can show that it knows that the defendant knows the passcode to unlock a device.
The woman in question, Catrice Cherrelle Pittman, was sentenced to 11 years in prison in March 2017.
According to court documents, Pittman was 27 when she drove off the road and into a tree in June 2016.
She pleaded guilty to second-degree assault, third-degree assault and driving under the influence of intoxicants (DUII). Prosecutors had wanted to use evidence from Pittman’s iPhone to help them build a case that she was also allegedly dealing meth, but that charge was later dismissed.
Read more at https://nakedsecurity.sophos.com/2019/10/22/woman-ordered-to-type-in-iphone-passcode-so-police-can-search-device/
Google chief warns visitors about smart speakers in his home
By Lisa Vaas
Apparently caught off-guard by a question from the BBC, Google hardware chief Rick Osterloh made up a privacy etiquette rule on the spot last week when he said that yes, homeowners should tell guests that they’ve got smart speakers running in their homes.
At any rate, that’s what he does, he said.
Here’s his reported response after being asked whether homeowners should tell guests about smart devices, such as a Google Nest speaker or an Amazon Echo display, being in use before they enter a building:
Gosh, I haven’t thought about this before in quite this way.
It’s quite important for all these technologies to think about all users… we have to consider all stakeholders that might be in proximity.
After a bit of mulling, Osterloh said that the answer is yes, and that he himself discloses the use of the always-listening devices, which record conversations when they hear their trigger words… or something that more or less sounds like one of their trigger words. Or a burger advertisement. Or, say, a little girl with a hankering for cookies and a dollhouse.
Not only should a homeowner disclose the presence of the devices, Osterloh said. The devices themselves should also – “probably” – let people know when they’re recording:
Does the owner of a home need to disclose to a guest? I would and do when someone enters into my home, and it’s probably something that the products themselves should try to indicate.
“Probably?” One would imagine that Google learned about the necessity of its gadgets disclosing their surveillance when it went through prolonged discussion of such questions with regard to whether its Google Glass always indicated that it was capturing images.
Back in 2014, before Google Glass got taken out of the running as a consumer product, Google went on the defensive with a list of “Google Myths”. Google would have had us believe that Glass would indicate that it’s on and recording by virtue of its green camera-on light.
Read more at https://nakedsecurity.sophos.com/2019/10/22/google-chief-warns-visitors-about-smart-speakers-in-his-home/