Techies are used to worrying about the longevity of their data storage. Hard drive heads used to have a nasty habit of crashing before laptops introduced software to park them on drops and power surges. 'Data rot' can damage your DVD storage, and magnetic tape can suffer as its substrates and binders degrade.
But what about the firmware, which contains the instructions for reading and writing the media in the first place? That's now an issue too, thanks to HPE. It had to issue an urgent firmware fix for some of its solid-state drives (SSDs) last week after finding that they had inadvertently been programmed to fail.
The company released a critical firmware patch for its serial-attached SCSI (SAS) SSDs, after revealing that they would permanently fail after 32,768 hours of operation. That number is 2^15, the point at which a signed 16-bit counter wraps around, which is the tell-tale signature of an overflowing power-on-hours counter. Put another way: assuming they're left on all the time, three years, 270 days, and eight hours after you write your first bit to one of these drives, your records and the disk itself will become unrecoverable.
The company explained the problem in an advisory, adding that an unnamed SSD vendor tipped it off about the issue. These drives crop up in a range of HPE products. If you're an HPE ProLiant, Synergy, Apollo, JBOD D3xxx, D6xxx, D8xxx, MSA, StoreVirtual 4335, or StoreVirtual 3200 user and you're running a version of the HP firmware before HPD8, you're affected.
You might hope that RAID would save you. RAID levels other than RAID 0 (which stripes purely for speed) store data redundantly, by mirroring or by parity, so that you can recover your data if one or more disks in the set go down. However, as HPE points out in its advisory:
SSDs which were put into service at the same time will likely fail nearly simultaneously.
Unless you replaced some SSDs in your RAID box, they’ve probably all been operating for the same amount of time. RAID doesn’t help you if all your disks die at once.
This bug affects 20 SSD model numbers, and to date, HPE has only patched eight of them. The remaining 12 won’t get patched until the week beginning 9 December 2019. So if you bought those disks a few years ago and haven’t got around to backing them up yet, you might want to get on that.
HPE explains that you can also use its Smart Storage Administrator to calculate your total drive power-on hours and find out how close to data doomsday your drive is. Here’s a PDF telling you how to do that.
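For hosts where HPE's Smart Storage Administrator isn't available, the same power-on-hours figure is exposed through SMART, and the arithmetic above is easy to automate. The following is an added example (not code from HPE or the original article): it parses the two layouts `smartctl -A` prints for SAS and SATA drives, reports how far each drive is from the 32,768-hour limit, and flags drives whose counters sit so close together that they would cross the limit at the same time, which is the RAID failure mode HPE warns about. The sample smartctl lines are constructed for the example; the function and device names are this example's own.

```python
import re
from datetime import timedelta

# Firmware defect described above: the drive stops responding once its
# power-on-hours counter reaches this value (32,768 = 2**15).
FAILURE_HOURS = 32_768

# Constructed sample `smartctl -A` output (not real HPE drives). SAS/SCSI
# drives report "Accumulated power on time"; SATA drives report attribute 9.
SAMPLE_SMARTCTL = {
    "sda": "Accumulated power on time, hours:minutes 31990:12\n",
    "sdb": "  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       31990\n",
    "sdc": "  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       1200\n",
}

_SCSI_RE = re.compile(r"Accumulated power on time, hours:minutes\s+(\d+):\d+")
_ATA_RE = re.compile(r"^\s*9\s+Power_On_Hours\b.*?(\d+)\s*$", re.M)


def power_on_hours(smartctl_output: str) -> int:
    """Extract the power-on-hours counter from smartctl text (SAS or SATA layout)."""
    m = _SCSI_RE.search(smartctl_output) or _ATA_RE.search(smartctl_output)
    if not m:
        raise ValueError("no power-on-hours field found in smartctl output")
    return int(m.group(1))


def assess(smartctl_by_device: dict, limit: int = FAILURE_HOURS) -> dict:
    """Return, per device, the counter value and the time left before `limit`."""
    report = {}
    for dev, text in smartctl_by_device.items():
        hours = power_on_hours(text)
        remaining = max(limit - hours, 0)
        report[dev] = {
            "hours": hours,
            "remaining_hours": remaining,
            "remaining": str(timedelta(hours=remaining)),
        }
    return report


def simultaneous_failure_groups(report: dict, window_hours: int = 24) -> list:
    """Cluster drives whose counters lie within `window_hours` of each other.

    Drives in one cluster were almost certainly put into service together and
    will hit the limit together, so RAID redundancy will not protect them.
    """
    ordered = sorted(report, key=lambda d: report[d]["hours"])
    groups, current = [], []
    for dev in ordered:
        if current and report[dev]["hours"] - report[current[0]]["hours"] > window_hours:
            groups.append(current)
            current = []
        current.append(dev)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) > 1]


if __name__ == "__main__":
    rep = assess(SAMPLE_SMARTCTL)
    for dev, info in rep.items():
        print(f"{dev}: {info['hours']}h on, {info['remaining']} until failure")
    for group in simultaneous_failure_groups(rep):
        print("WARNING: will fail together:", ", ".join(group))
```

On a live system, feed it `subprocess.run(["smartctl", "-A", "/dev/sdX"], capture_output=True, text=True).stdout` per device; the SMART counter is the same one the firmware overflows, so any drive whose `remaining_hours` is small needs the HPD8 update before anything else.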
Unfortunately, HPE didn’t include the same kind of warning that Mission Impossible protagonist Jim Phelps got at the beginning of every episode: “This tape will self destruct in five seconds”.
But then, 117,964,800 seconds is a little harder to scan. In any case, your mission, should you choose to accept it, is to back those records up.
The post HPE warns of impending SSD disk doom – Naked Security appeared first on National Cyber Security.
View full post on National Cyber Security
For researchers at testing outfit AV-Test, the SMA M2 kids’ smartwatch is just the tip of an iceberg of terrible security.
On sale for around three years, superficially it’s not hard to understand why the model M2 might appeal to anxious parents or carers.
Costing only $32, it pairs with a smartphone so that adults can track the real-time location of kids via GPS, GSM or Wi-Fi using a simple mapping app and online account. Add a SIM and it can be used to make voice calls and there’s even an SOS button children can press in the event of an emergency.
The colour screen, cartoon icons, and baby-blue or pink colour scheme are almost guaranteed to appeal to younger children.
AV-Test’s investigations reveal that the M2 also happens to be an unmitigated security disaster.
Naked Security has covered numerous security screw-ups over the years but it’s hard to imagine a more face-palming charge sheet than that levelled at the makers of the M2 by AV-Test.
To illustrate the point, the testers use the example of a girl called Anna who lives in Dortmund, Germany.
She vacations with her grandparents in a coastal town called Norderney, where she regularly visits the local harbour around 2 o’clock to spot seals for an hour.
The researchers know all of this because Anna is wearing an M2 smartwatch, which has been leaking this information, along with that of another 5,000 children, via an online back end whose security any competent attacker could bypass.
AV-Test was able to find the names and addresses of these children, their age, images of what they looked like, as well as voice messages transmitted from the watch.
In a development that would be ironic if it weren’t so serious, they were able to discover children’s current locations. Warns AV-Test’s Maik Morgenstern:
We picked out Anna as much as we could have picked Ahmet from London or Pawel from Lublin in Poland.
The epic fail starts with the fact that communication with the online system is unencrypted and its authentication is weak.
Although an authentication token is generated and sent with requests to the Web API to prevent unauthorized access, this token is not checked on the server side and is therefore inoperative.
Perhaps worse, the smartphone app’s poorly secured web API makes it possible to borrow any user’s account ID and log into that account.
An attacker could not only track and contact a child but lock legitimate adults out of the account.
Remember, this is a device that is supposed to be a security tracker for carers that turns out to do the same job for anyone.
This is surely worse than no tracker at all, because at least using nothing wouldn't lull its users into a false sense of security.
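The two flaws AV-Test describes, a token that is issued but never verified and an API that accepts any account ID, combine into one attack: walk sequential account IDs with no credentials at all. The following added example (not code from SMA, AV-Test or the original article) models a minimal location endpoint both ways. All names (`SECRET_KEY`, `ACCOUNTS`, `issue_token`, the two `get_position` variants) and the child records are this example's own constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical server secret; in a real back end this lives outside the code.
SECRET_KEY = secrets.token_bytes(32)

# Constructed records, modelled on the kind of data the watch uploads.
# Sequential integer account IDs are exactly what makes enumeration cheap.
ACCOUNTS = {
    "1001": {"name": "Anna", "position": (51.51, 7.47)},   # Dortmund
    "1002": {"name": "Ahmet", "position": (51.50, -0.12)},  # London
}


def issue_token(account_id: str) -> str:
    """Token bound to one account: an HMAC over the account ID."""
    return hmac.new(SECRET_KEY, account_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_get_position(account_id: str, token: str):
    """Mirrors the described flaw: the token travels with the request but the
    server never looks at it, so the account ID alone is the credential."""
    record = ACCOUNTS.get(account_id)
    return None if record is None else record["position"]


def hardened_get_position(account_id: str, token: str):
    """Verify the token and, because it is an HMAC over the ID, that it was
    issued for this very account. compare_digest avoids timing leaks."""
    if not hmac.compare_digest(issue_token(account_id), token or ""):
        raise PermissionError("token missing or not valid for this account")
    record = ACCOUNTS.get(account_id)
    return None if record is None else record["position"]


def enumerate_children(endpoint, id_range) -> dict:
    """What an attacker does against the vulnerable endpoint: walk account IDs
    with an empty token and collect every position that comes back."""
    found = {}
    for n in id_range:
        try:
            pos = endpoint(str(n), token="")
        except PermissionError:
            continue
        if pos is not None:
            found[str(n)] = pos
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_children(vulnerable_get_position, range(1000, 1010)))
    print("hardened:  ", enumerate_children(hardened_get_position, range(1000, 1010)))
```

Even the hardened version only closes the authorization hole; the plaintext transport AV-Test found would still hand the token to anyone on the path, so TLS on the watch-to-server link is a precondition, not an extra.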
What to do
If you own one of these watches, our advice would be to stop using it immediately.
It’s not clear how many children might be wearing one – AV-Test detected users in Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the UK, The Netherlands, and China – but it’s likely to be a lot more than the 5,000 the researchers identified.
The maker, SMA, has been told of the flaws while the product’s German distributor has removed it from sale.
The troubling part of this story is that AV-Test has been looking at this type of children’s smartwatch for some years, and this is only the latest and worst example in a sector that seems to have treated security as little more than a tick box – if it looks secure then it probably is.
Indeed, Naked Security has covered security problems with this class of device many times before. In 2017, Germany even reportedly banned the devices over spying worries. Then there’s this week’s case of the baby monitor hacked by a stranger.
Until IoT products like this can demonstrate better security, it’s wise to shop with great caution.
The post Kids’ smartwatch security tracker can be hacked by anyone – Naked Security appeared first on National Cyber Security.
Pressure is gathering for a federal privacy law in the US with the introduction of a second bill that would protect consumer data. The Consumer Online Privacy Rights Act from Washington Senator Maria Cantwell not only outlines strict privacy and security rules, but also establishes a […]
Happy Thanksgiving: your elder loved one’s life may be at risk.
About 110 nursing homes and acute-care facilities have been crippled by a ransomware attack on their IT provider, Virtual Care Provider Inc. (VCPI), which is based in the US state of Wisconsin and which serves up data hosting, security and access management to nursing homes across the country.
The attack was still ongoing on Monday, when cybersecurity writer Brian Krebs first reported the assault.
Krebs says it involves a ransomware strain called Ryuk, known for being used by a hacking group that calculates how much ransom victimized organizations can pay based on their size and perceived value.
Whoever it was who launched the attack, they got it wrong in this case. VCPI chief executive and owner Karen Christianson told Krebs that her company can’t afford to pay the roughly $14 million Bitcoin ransom that the attackers are demanding. Employees have been asking when they’ll get paid, but the top priority is to wrestle back access to electronic medical records.
The attack affected virtually all of the firm’s core offerings: internet service, email, access to patient records, client billing and phone systems, and even the internal payroll operations that VCPI uses to pay its workforce of nearly 150. Regaining access to electronic health records (EHR) is the top priority because without that access, the lives of the seniors and others who reside in critical-care facilities are at stake.
This is dire, Christianson said:
We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time. In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.
As Krebs notes, recent research suggests that death rates from heart attacks spike in the months and years following data breaches or ransomware attacks at healthcare facilities. A report from Vanderbilt University Owen Graduate School of Management posits that it’s not the attacks themselves that lead to the death rate rise, but rather the corrective actions taken by the victimized facilities, which might include penalties, new IT systems, staff training, and revision of policies and procedures.
Ironically, those corrective measures introduce a long, slow learning curve. From the report:
Corrective actions are intended to remedy the deficiencies in privacy and security of protected health information. However, enhanced security measures may introduce usability – which we define as the ease of use – problems. New security procedures typically alter how clinicians access and use clinical information in health information systems and may disrupt the provision of care as providers require additional time to learn and use the new or modified systems.
Ryuk strikes again
The ransomware flavor used against the nursing homes was Ryuk: an especially pernicious variant used not only to prey on our elders, but also on kitties and doggies. This week, we found out that Ryuk was used in a ransomware attack that affected hundreds of veterinary hospitals.
Ryuk has also been used in ransomware attacks against organizations including the city of New Bedford in Massachusetts, the Chicago Tribune, and cloud hosting provider DataResolution.net.
How long has the attack been going on?
Krebs reports that Ryuk was unleashed inside VCPI’s networks around 1:30 a.m. CT on 17 November. It could have been lying in wait for months or years, however, as the intruders mapped out the internal networks and compromised resources and data backup systems in preparation for the ultimate attack.
Christianson said that VCPI will publicly document the attack – “when (and if)” it’s brought under control. For now, it’s focusing on rebuilding systems and informing clients, even in the face of the data kidnappers having seized control of the firm’s phone systems at one point, when it tried to sidestep their damage:
We’re going to make it part of our strategy to share everything we’re going through. But we’re still under attack, and as soon as we can open, we’re going to document everything.
How to protect yourself from ransomware
- Pick strong passwords. And don’t re-use passwords, ever.
- Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
- Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
- Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
- Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
For more advice, please check out our END OF RANSOMWARE page.
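Of the points above, locking down RDP is the one most often neglected until a Ryuk-style intrusion has already happened, and it is also the easiest to monitor. The following added example (not code from Sophos, Krebs or the original article) runs simple detection logic over Windows Security events: it counts failed RDP logons (Event ID 4625 with LogonType 10) per source address inside a sliding window, and raises the severity when a success (4624) follows a burst, which is what a credential-stuffing win looks like. The log lines are constructed for this example in a flat key=value form; the thresholds and the `detect_rdp_bruteforce` name are this example's assumptions, not anything VCPI's systems recorded.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real system). 4625 = failed logon,
# 4624 = successful logon; LogonType 10 = RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = [
    "2019-11-17T01:10:03Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "2019-11-17T01:10:05Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7",
    "2019-11-17T01:10:09Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    "2019-11-17T01:10:15Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.7",
    "2019-11-17T01:10:31Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "2019-11-17T01:10:47Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "2019-11-17T01:11:20Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "2019-11-17T01:12:00Z EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "2019-11-17T01:14:12Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4",
    "2019-11-17T01:14:40Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4",
]

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)


def parse(line: str):
    """Turn one flat event line into a dict; return None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["id"], e["lt"] = int(e["id"]), int(e["lt"])
    return e


def detect_rdp_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Flag source IPs with >= threshold failed RDP logons inside `window`.

    Returns {ip: {"failures": total RDP failures, "users": set of usernames
    tried, "success_after_burst": True if an RDP success followed the burst}}.
    """
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> timestamps of RDP failures inside the window
    total_failures = Counter()
    users_tried = defaultdict(set)
    findings = {}
    for e in events:
        if e["lt"] != 10:          # only RemoteInteractive (RDP) logons count here
            continue
        ip = e["ip"]
        if e["id"] == 4625:
            total_failures[ip] += 1
            users_tried[ip].add(e["user"])
            q = recent[ip]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                findings[ip] = {"failures": total_failures[ip],
                                "users": users_tried[ip],
                                "success_after_burst": False}
        elif e["id"] == 4624 and ip in findings:
            findings[ip]["success_after_burst"] = True   # burst, then a win: treat as compromise
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        sev = "CRITICAL" if f["success_after_burst"] else "WARNING"
        print(f"{sev}: {ip} {f['failures']} RDP failures, users tried: {sorted(f['users'])}")
```

The `success_after_burst` case is the one to page on: a burst with no success is noise that rate limiting or an account lockout policy should already be absorbing, whereas a success after a burst means the attacker now has an interactive session and the ransomware staging described in the VCPI case can begin.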
The post Ransomware attack freezes health records access at 110 nursing homes – Naked Security appeared first on National Cyber Security.
If you’re a Splunk admin, the company has issued a critical warning regarding a showstopping Y2K-style date bug in one of the platform’s configuration files that needs urgent attention.
According to this week’s advisory, from 1 January 2020 (00:00 UTC) unpatched instances of Splunk will be unable to extract and recognise timestamps submitted to it in a two-digit date format.
In effect, it will understand two-digit years up to and including 19 (31 December 2019), but as soon as the date rolls over to 1 January 2020 it will fail to recognise "20" as a year, either falling back to a 2019 date or stamping the event with its own incorrect, "misinterpreted" date.
In addition, from 13 September 2020 at 12:26:40 UTC, the moment Unix time (seconds since 00:00 UTC on 1 January 1970) reaches 1,600,000,000, unpatched Splunk instances will no longer recognise timestamps for events that carry dates as Unix epoch values.
Left unpatched, the effect on customers could be far-reaching.
What platforms like Splunk do is one of the internet’s best-kept secrets – turning screeds of machine-generated log data (from applications, websites, sensors, Internet of Things devices, etc) into something humans can make sense of.
There was probably a time when sysadmins could do this job but there are now so many devices spewing so much data that automated systems have become a must.
This big data must also be stored somewhere, hence the arrival of cloud platforms designed to do the whole job, including generating alerts when something’s going awry or simply to analyse how well everything’s humming along.
As with any computing system, however, Splunk depends on events having accurate time and date stamps. Without that, it has no way of ordering events, or of dealing meaningfully with the world in real time.
According to Splunk, in addition to inaccurate event timestamping this could result in:
- Incorrect rollover of data buckets due to the incorrect timestamping
- Incorrect retention of data overall
- Incorrect search results due to data ingested with incorrect timestamps
- Incorrect timestamping of incoming data
It gets worse:
There is no method to correct the timestamps after the Splunk platform has ingested the data. If you ingest data with an un-patched Splunk platform instance, you must patch the instance and re-ingest the data for timestamps to be correct.
In short, there’s no quick way to back out of a problem which will only grow with every passing hour, day and week that it’s allowed to continue.
The problem lies with a file called datetime.xml, which Splunk uses to extract incoming timestamps by regular expression. The pattern for two-digit years recognises values up to and including 19, but not 20 onwards, and the pattern for epoch timestamps stops matching at 1,600,000,000.
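The failure mode is easy to reproduce and to test for, because it is purely a matter of the regular expression's accepted range. The following added example (not the contents of Splunk's datetime.xml, nor code from the original article) uses two small patterns of its own to model the described behaviour: a two-digit-year pattern that only accepts 00 to 19 and an epoch pattern that only accepts 10-digit values starting 10 to 15, beside widened versions. The log lines are constructed for the example, and the function names are this example's assumptions.

```python
import re
from datetime import datetime, timezone

# Illustrative patterns modelling the described failure mode; they are this
# example's own, not Splunk's shipped datetime.xml entries.
BUGGY_YEAR2 = re.compile(r"\b(\d{2})/(\d{2})/(0\d|1\d)\b")   # yy in 00..19 only
FIXED_YEAR2 = re.compile(r"\b(\d{2})/(\d{2})/(\d{2})\b")     # any two-digit year
BUGGY_EPOCH = re.compile(r"\b(1[0-5]\d{8})\b")   # 1000000000..1599999999 only
FIXED_EPOCH = re.compile(r"\b(1[0-9]\d{8})\b")   # ..1999999999 (edge moves to May 2033)

# Constructed sample events around the two cliffs (mm/dd/yy dates, epoch seconds).
SAMPLE_LINES = [
    "12/31/19 23:59:59 sshd[101]: Accepted publickey for ops",
    "01/01/20 00:00:00 sshd[102]: Accepted publickey for ops",
    "1599999999 host=fw1 action=drop src=203.0.113.9",
    "1600000000 host=fw1 action=drop src=203.0.113.9",
]


def extract_timestamp(line: str, year2_re, epoch_re):
    """Return the UTC timestamp a given pattern set extracts, or None if neither
    pattern matches (the point at which Splunk falls back to a guessed date)."""
    m = year2_re.search(line)
    if m:
        mm, dd, yy = (int(g) for g in m.groups())
        return datetime(2000 + yy, mm, dd, tzinfo=timezone.utc)
    m = epoch_re.search(line)
    if m:
        return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return None


def count_unparsed(lines, year2_re, epoch_re) -> int:
    """How many lines a pattern set would mis-stamp: the number you cannot fix
    after ingestion without re-indexing."""
    return sum(extract_timestamp(l, year2_re, epoch_re) is None for l in lines)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line[:20].ljust(22),
              "buggy:", extract_timestamp(line, BUGGY_YEAR2, BUGGY_EPOCH),
              "| fixed:", extract_timestamp(line, FIXED_YEAR2, FIXED_EPOCH))
    print("unparsed with buggy patterns:", count_unparsed(SAMPLE_LINES, BUGGY_YEAR2, BUGGY_EPOCH))
    print("unparsed with fixed patterns:", count_unparsed(SAMPLE_LINES, FIXED_YEAR2, FIXED_EPOCH))
```

The point the widened epoch pattern makes is that any regex with a hard-coded leading-digit range carries an expiry date; the widened version here simply moves the cliff to epoch 2,000,000,000 (18 May 2033), so a check like `count_unparsed` belongs in the regression suite of any log pipeline, run against dates a few years ahead of today.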
What to do
Leaving aside Splunk cloud customers who should receive the update automatically, there are three ways to patch the bug for all operating systems, the company said.
- Download an updated version of datetime.xml and apply it to each of your Splunk platform instances
- Make manual modifications to the existing datetime.xml on your Splunk platform instances
- Upgrade Splunk platform instances to a version that ships with an updated datetime.xml
The complication is that applying the new file, or editing it manually, requires customers to stop and restart Splunk, a disruptive process when applied to more than one Splunk instance. Editing datetime.xml by hand should also be done with great care.
Although reminiscent of the famous Millennium Y2K bug predicted to affect computer systems on 1 January 2000, this class of bugs has popped up on other occasions since then.
A recent example is the GPS date issue that hit older satellite navigation systems earlier this year.
A variation on the same date/GPS problem affected Apple iPhone 5 and iPhone 4s in October, which meant that owners had to update their devices by 3 November 2019 or suffer app synchronisation problems.
The post Splunk customers should update now to dodge Y2K-style bug – Naked Security appeared first on National Cyber Security.
We are looking for a student to join our team for a 12-month internship at our Abingdon, UK, headquarters. If you're currently studying marketing, business or another relevant field, and have strong written, project management and organisational skills, we want you! As part of the Content […]
A Florida lawyer who boasted of making "50 by 50" – as in, $50m by the age of 50 – is now facing a potential 50+ years behind bars for money laundering and lying to banks about funds flowing from OneCoin, a cryptocoin Ponzi scheme that […]
On 18 November, somebody swapped out the legitimate command line wallet binaries for the Monero (XMR) cryptocurrency and replaced them with software that stole users' funds. The malicious versions of the Linux and Windows binaries were first spotted by a user on Monday who noticed that […]
Iran's elite hacking group is upping its game, according to new evidence delivered at a cybersecurity conference this week. The country's APT33 cyberattack unit is evolving from simply scrubbing data on its victims' networks and now wants to take over its targets' physical infrastructure by manipulating […]
Ever wanted to view hidden profiles on Instagram? To stalk users who’ve chosen to make their profiles private?
Up until Tuesday morning, you could do that by using a stalker service called Ghosty. Here’s what the app developer promised on versions available on Google Play and Apple’s App Store:
Ghosty – View Hidden Instagram Profile. You can view all the profiles you want to view including hidden profiles on Instagram. You can download or share photos or videos from your Instagram profiles to your gallery. In addition, you will soon be able to access many new features related to your instagram account.
“Soon” won’t come for the app, the logo for which was the profile of snooper extraordinaire Sherlock Holmes. Ghosty was removed from Google’s Play store after Android Police found the service creating what the publication called a “stalker paradise.” Nor could I find it on Apple’s store.
In that stalker paradise/privacy dystopia, anyone could view the many private profiles Ghosty amassed by signing up users who handed over their own accounts’ data – including whatever private accounts those users follow.
As Android Police tells it, this was the deal you had to make with the devil: in order to view whatever private accounts Ghosty had managed to crowd-source, you handed over your Instagram login credentials. You also had to invite at least one other person to Ghosty in order to view private profiles. Thus did Ghosty keep expanding the pool of content it could show its users: if any of those users followed a private account, that profile got added to the content Ghosty would make available.
Android Police noted that when it looked into the app, the media outlet managed to skip past that invitation step and was still able to view at least one private profile.
Not only was the service brazenly exploiting users’ desires to get at private accounts; it was also charging them for bundles or flinging ads at them.
Ghosty isn’t new; it appeared on the Play Store in April 2019. It had been downloaded over half a million times as of 13 November.
That’s a long time for an app to be amassing content while breaking Instagram’s rules. The relevant terms of service clause that forbids what Ghosty was up to:
You can’t attempt to buy, sell, or transfer any aspect of your account (including your username) or solicit, collect, or use login credentials or badges of other users.
As Android Police points out, during the half year that Ghosty was operating, neither Facebook (Instagram’s owners) nor Google apparently did anything about it – at least, not until now.
On Saturday, a Facebook spokesperson sent a statement to Android Police saying that no, Ghosty wasn’t exploiting Instagram’s application programming interface (API), as has been done by at least one other Instagram follower app that was recently yanked. But then, why would Ghosty even need Instagram’s API, when users were simply handing over their logins to enable the service to get at the private profiles the users follow?
The same spokesperson said that the company would send a cease and desist letter:
We will be sending a cease and desist letter to Ghosty ordering them to immediately stop their activities on Instagram, among other requests.
We are investigating and planning further enforcement relating to this developer.
Last week, Apple pulled another Instagram-watching app from its store. That one, called Like Patrol, was reportedly charging users a yearly fee of $80 in exchange for access to their Instagram friends’ activities on the platform, including which posts they liked and from whom. It was also reportedly offering notifications of a person’s interactions with users of specific genders. None of that information required the consent of the person being monitored.
Android Police reports that following Facebook’s cease and desist letter, Ghosty disappeared from Google’s Play store. It’s not clear whether the developer made it go poof! or if Google pulled the app.
FTC cracks down on stalker apps
The removals of Ghosty and Like Patrol follow close on the heels of the Federal Trade Commission (FTC) having settled charges with the stalker app maker Retina-X Studio in October.
Retina-X Studio, (former) maker of the snooper tools PhoneSheriff, TeenShield, SniperSpy and Mobile Spy, put the kibosh on the products in March 2018 as a result of two hacks: the first in April 2017 and the second in February 2018.
A breach of a spyware app means that data for both the snooper users and their surveillance targets get compromised, and with these tools, that’s saying a lot: Retina-X’s tools were used to track targets’ call logs (including deleted ones), text messages, photos, GPS locations, and browser histories, as well as to eavesdrop on victims, wherever they might be.
Fortunately, the FTC has said that it’s going to be paying close attention to what spyware apps get up to. Retina-X was the first stalker app the FTC has ever gone after, but it likely won’t be the last, going by what the Commission had to say about its determination to…
…hold app developers accountable for designing and marketing a dangerous product.
The post Instagram stalker app Ghosty yanked from Play store – Naked Security appeared first on National Cyber Security.