Security News Bites for the Week Ending February 8, 2019
Text Messaging for Two Factor Authentication is Under Attack
We have talked on occasion about a basically theoretical attack against text messages as the second factor for authentication. It is likely that the feds know more than they are telling us about that since the National Institute of Standards and Technology has deprecated the use of text messaging for two factor for new systems.
Now we are seeing a large, in the wild, attack against real two factor authentication, specifically in banking.
Britain’s National Cyber Security Centre (NCSC), part of their GCHQ spy-guys, admitted that they are aware that this is being exploited. As are the telephone carriers.
The attack vector still requires a very sophisticated hacker because it requires the attacker to compromise some phone company and inject fake SS7 commands into the system for the targeted phone number. Hard, but far from impossible.
Still, in light of this being a real-world-empty-your-bank-account kind of attack, financial institutions should begin the transition away from text messaging to two factor apps (like Google Authenticator and others) to protect client accounts sooner rather than later. Source: Motherboard.
Unnamed Energy Company (Duke) Fined $10 Million for Security Lapses
An unnamed energy company received the largest fine of its type ever at $10 million for security lapses, including letting unauthorized people into secure areas and allowing uncleared computers to connect to secure networks, sometimes for months at a time.
The fine covers 130 violations.
The reason the company is unnamed is that it is likely the list of identified vulnerabilities is not complete and the identified holes are not all closed.
The WSJ reports that the company is Duke Energy. So much for keeping their name out of the media.
This certainly could explain why many people say that the bad guys already “own” our energy utilities. Source: Biz Journals.
Another Cryptocurrency Debacle
I keep saying that attacks on Cryptocurrency will not be on the math (encryption) but rather on the systems and software.
This week QuadrigaCX filed for the Canadian version of bankruptcy protection saying that they stored the vast majority of their assets in offline storage wallets and the only person who had the key was their CEO, who died suddenly.
They claim to have lost access to $145 million in a variety of cryptocurrencies and do not have the money to repay their customers.
Some users and researchers are skeptical of this story (really, no backup? To over $140 million)? Seems hard to swallow.
The researchers, after looking at the block chain, say that they can find no evidence that QuadrigaCX has anything close to $100 million in Bitcoin and perhaps the founder’s death was faked as an exit scam.
Assuming this all plays out the way it seems, customers are going to be waving bye-bye to $145 million of their cold, hard crypto coins. Source: The Hacker News.
Apple to Release iOS 12.1.4 to Fix Facetime Bug This Week
In what has got to be the worst iPhone bug in a long time – one that allowed hackers to eavesdrop on iPhone users by exploiting a Facetime bug until Apple deactivated group calls on Facetime worldwide – Apple seems to be slow to respond. Uncharacteristically. Very. Slow.
My guess is that the problem was technically hard to fix even though it was technically easy to exploit. In any case, iOS 12.1.4 should be out this week and it is supposed to fix the security hole. Source: ZDNet .
Online Casino Leaves Data on 100+ Million Bets Unprotected
Security Researcher Justin Paine found a public Elastic Search database unprotected online.
Contents include information such as name, address, birthdate, email, phone, etc. as well as bet information such as winnings amount. When ZDnet reached out to the companies involved – there seems to be multiple companies with some common ownership and based in Cyprus and operating under a Curacao gaming license, they did not immediately reply, but the server went dark.
The company, Mountberg Limited, did reach out later thanking Justin for letting them know, but not making any statement about their client’s data. Source: ZDNet .
Germany Tells Facebook Not to Combine User Data Without Explicit Permission
The Europeans are not happy with U.S. big tech.
In a ruling NOT related to GDPR, Germany’s Federal Cartel Office (FCO) says that Facebook cannot combine Instagram, Whatsapp and third party data into the user’s Facebook profile without explicit user permission and having the user check a box that says, something like, “we are going to do some stuff; you should read our 19 page description” is not adequate.
The regulator says that by doing this Facebook is abusing its monopoly power. Facebook, not surprisingly disagrees and says that the regulator is out of line. Stay tuned. If this rule stands, it could have a big impact on all companies that aggregate data from third parties without fully telling their clients. Source: BBC .