Monday, 22 September 2014

How Vodafone Australia left customers' mobile voicemail accounts exposed to hacking

Shubham Shah discovered a security flaw in the way Vodafone handled voicemail. Shubham Shah discovered a security flaw in the way Vodafone handled voicemail. Photo: Peter Rae
An 18-year-old security researcher from Sydney who found a flaw in Optus' mobile voicemail service has found another vulnerability, this time in Vodafone Australia's voicemail system.
The flaw was only resolved after Fairfax Media raised a series of questions about the vulnerability, which also exposed Vodafone customers to identity theft through unauthorised access to online services such as Google, which use two-factor authentication via a phone call.
The Vodafone flaw allowed anyone to "bruteforce" a target's voicemail PIN using easily accessible technology and gain access to the phone subscriber's voicemail messages.
Huey Peard, 17, helped identify the flaw. Huey Peard, 17, helped identify the flaw.
The practice of brute forcing involves hackers using software to try multiple PIN combinations to gain access to a service. Typically secure systems employ bruteforce protection that will lock hackers out after a certain number of incorrect attempts, but Vodafone's Australian system had no such protection.
The flaw also allowed outsiders to retrieve Vodafone customers' two-factor authentication codes, or tokens, used to access their Google, Yahoo and other online accounts.
These codes – which come in handy as a second layer of security when online log-in credentials are stolen – are usually sent via text message but can also be sent via a phone call and end up in voicemail.
In order to bypass two-factor authentication, hackers needed a user's online password, which security experts point out is relatively easy to retrieve these days with the high number of breaches occurring daily on the internet and password reuse. They also needed to engage the user's phone so that the code could be left in their voicemail.
There is no evidence to suggest hackers made use of the flaw on any of Vodafone's 4.9 million customer accounts. It was corrected in June but Fairfax waited until global carriers could secure their infrastructure before revealing it.
The researcher, Shubham Shah, is due to present his findings at the Ruxcon security conference in Melbourne next month alongside his friend and high school student Huey Peard, 17, one of the founding members of Gibson Security. Last year the group published exploits found in disappearing photo-sharing app Snapchat. The revelations allowed another group to release usernames and mobile numbers of 4.5 million Snapchat users online.
"We were made aware of research that identified a security issue with our visual voicemail service," Eyman Ahmed, head of information security at Vodafone, said in a statement. "Vodafone's technical team responded to the matter within a matter of hours, and has updated its systems to address it. We thank the researcher for responsibly disclosing this issue to us so that we could address it and ensure our customers remain protected."
But Mr Shah said the fix Vodafone implemented was not well thought out. It involved, he said, locking out hackers - as well as users - from their voicemail after five incorrect PIN attempts. This meant anyone could lock a user out, requiring them to call support to reset their voicemail PIN.
The vulnerability was linked to the carrier's visual voicemail offered to customers using Apple's iPhone.  It's understood the four other global markets where Vodafone offers visual voicemail were not affected.
To notify others telcos about the flaw, Mr Shah informed the GSM Association (GSMA), a group whose members include global telecommunications companies.
James Moran of the GSMA said the group was "very grateful" for Mr Shah's co-operation and confirmed that operators were sent a security alert last week.
As the flaw potentially affects certain configurations of the visual voicemail system, Mr Shah also notified Apple, who acknowledged his findings.
"Thank you for contacting Apple Product Security," a company representative told him. "We appreciate you keeping us informed of your research, and hope your presentation goes well."

TOR users become FBI's No.1 hacking target after legal power grab

The FBI wants greater authority to hack overseas computers, according to a law professor.
A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into the computers of people attempting to protect their anonymity on the internet.
The change in search and seizure rules would mean the FBI could seize targets whose location is "concealed through technological means", as per the draft rule (key extract below). Concealed through technological means is legal speak for hosted somewhere on the darknet, using Tor or proxies or making use of VPN technology.
Authority to Issue a Warrant. At the request of a federal law enforcement officer or an attorney for the government: (6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
The DoJ has said that the amendment is not meant to give courts the power to issue warrants that authorise searches in foreign countries.
However the "practical reality of the underlying technology means doing so is almost unavoidable", according to Ahmed Ghappour, a visiting professor at UC Hastings College of the Law.
Ghappour argues that the proposals would result in "broadest expansion of extraterritorial surveillance power since the FBI’s inception".
Asked whether the FBI enhanced extraterritorial power might encroach on the NSA's turf, Ghappour told El Reg that the issue goes further than that and might also affect the US State Department and CIA. "Uncoordinated unilateral 'cyber' ops by FBI may interfere with US foreign affairs (or covert ops)," he said. Security experts think Ghappour may well be onto something on this point.
"Malware from the FBI to, say, Syria could very well trigger congressional investigations," noted Matthew Green, an assistant research professor who lectures in computer science and cryptography at Johns Hopkins University, in an update to his Twitter account.
The FBI reportedly used malware to identify users sharing child abuse images on the dark net as part of its bust of Freedom Hosting last year. In addition, LulzSec kingpin-turned-FBI snitch Hector Xavier “Sabu” Monsegur reportedly led cyber-attacks against foreign governments while under FBI control, so there's evidence that the FBI is already involved in overseas cyber-ops of one form or another. Viewed from this perspective, the proposed DoJ changes would involve regulating actions and operations that are already taking place.
Professor Ghappour - who also serves as director of the Liberty, Security and Technology Clinic – has put together a detailed blog post at ‪‬ breaking down the DoJ's proposal here.

There's a New Social Network for Leakers and Whistleblowers

The world probably doesn't need another social network, but a new one launched earlier today that focuses on vetting people while still preserving anonymity could potentially fill a niche for whistleblowers, sources, and leakers.
Called 'Heard,' its key feature is its 'Verified not Identified' badges system, which will tell journalists and others that a source does indeed work for the government, or a big tech firm, or some sort of organization, even though they choose to remain anonymous.
"Instead of the all-or-nothing approach to identity, our system gives users another option of revealing only those badges that are relevant to the conversation," Heard cofounder Dave Vronay told me.
Those badges are awarded to users based on their credentials, such as their occupation and expertise, once it has been verified that the information is correct by what they are calling Badge Providers.

It's like using a burner cell phone.

At the moment, the verification process only works for one title: "tech industry insider," and it has been set up by Heard itself.
It does this by checking if you have an email address from one of the 20 biggest tech companies. If so, it sends a code to that address. You're then asked to upload a specific file to a server that doesn't know who you are but can give you the "badge" that'll stay with you on your Heard profile, Vronay says.
Heard will eventually allow companies and individuals to create their own Badge Providers, meaning that all sorts of job titles and "insiders" could potentially be vetted by the site. By making this a third-party process, Vronay says Heard has plausible deniability if law enforcement asks for its records.
"Heard has no idea how you managed to convince the provider to give that badge to you. At the same time, the Badge Provider has no idea who you are in Heard," Vronay said.
This system will, in theory, allow people to post with authority on a topic that requires it, without necessarily revealing their full identity to the public.
Vronay says that, eventually, badges might be given in person for highly sensitive jobs and government workers.
"This might be something that a major news agency sets up," he said.
Vronay hopes that with enough third-party use of Heard, companies would have their own presence on the site anyway, meaning that getting an official badge from Microsoft, for example, could be done through them.
This, however, is where a healthy dose of skepticism should come in. Heard only works if there's some sort of incentive for companies to want their employees on it, and that usefulness isn't immediately apparent at the moment. There's also the possibility, of course, that anonymity could be destroyed if a company looked into its employees' emails to see who joined Heard.
As for what might be leaked on Heard, Vronay thinks it's "particularly suitable for industry rumors, where many badged people can pile on and vote up reliable content. So things like new iPhone leaks, upcoming mergers or layoffs" could be exposed on Heard.
"The advantage of Heard is that you can make these single-use accounts that are badged. It is like using a burner cell phone," Vronay said.
We've seen lots of companies try to make it easier for whistleblowers to leak documents—and Heard might very well catch on. But given how whistleblowers have operated thus far, maybe you shouldn't hold your breath.

Your location info is too revealing: data boffins

A group of researchers partly supported by SAP has taken a look at one of the big problems with so-called “anonymised” data: the way spatial correlations in mobile data can be used to re-identify individuals in large data sets.
Location data is the big problem, the Singapore-led group says: even if the resolution of a phone's GPS records is reduced in a stored dataset, following a user's track (trajectory in the paper) for long enough will easily identify that user.
“Removing identifiers from location information, or reducing the granularity of the location or time, does not prevent disclosure of personally identifiable information,” the paper states. “Individuals are highly re-identifiable with only a few spatio-temporal points”.
Just how revealing location trajectories are is revealed in their analysis of 56 million records: “with two random points, more than 60 per cent of the trajectories are unique”, they write.
The researchers say anonymisation of mobile datasets is improved if the “trajectories” – literally, the “where the user has been” location datasets – are reduced. This way, they write, anonymity can be better protected, without trashing the utility of the dataset.
The researchers, Yi Song of the National University of Singapore (working under an SAP internship), Daniel Dahlmeier of SAP and Stephane Bressan of the National University of Singapore, note that the longer a user's location data can be strung into a trajectory, the easier it is to identify that user. In other words: a couple of location data points is nowhere near as useful as 24-hours' worth of the user's movements.
Trajectory-cutting to preserve anonymitySplitting a user's trajectory can help preserve anonymity
The attraction of their approach, they hope, is that only one parameter needs to be adjusted to give users better anonymity: the time window that trajectories are cut into. That's a simple enough operation that they believe it will be scalable to very large data sets

Five Ways to Avoid Wasting Time During a Breach Investigation

After a security incident is detected tremendous resources are spent in the forensic investigation trying to figure out what exactly happened and what data, if any, was compromised. If the forensic investigation doesn’t yield definitive results fairly quickly the organization is left with no choice but to assume the worst.
Worst case scenarios generally result in a dramatic increase in potential liability, as well as incurring more brand and customer damage than is warranted.
However, good preparation and a few basic security controls can dramatically reduce the amount of time wasted during forensic investigations, helping the organization quickly identify what happened, how it happened and who was behind the attack.

1. Build a Clean System

There’s no easy way to determine if an attack was successful and it’s even more difficult to quickly determine the scope and scale of what was compromised. The only reliable approach is to build a clean system and then compare it to all other systems in order to identify the changes.
Once a clean image is built, automated comparison of the clean image to systems on the network can quickly show the differences between the clean image and the potentially compromised infrastructure. Next, signs of malicious activity can be identified and these systems can be quarantined.

2. Classify Assets to Business Relevance

Business context matters during every breach investigation. Big changes on non-mission critical assets, like the printer in HR, may not merit significant time and attention. On the other hand, even small changes on mission critical assets should be investigated carefully.
After a breach, all systems are subject to review and audit. Post breach consultants often spend an inordinate amount of time trying to figure out the business purpose of systems with vague or non-existing business classification information.
In this scenario, an unpatched Windows machine is a meaningless piece of information, whereas a server that is part of the ecommerce infrastructure that hasn’t been patched or hardened for more than six months has the business relevance needed for forensics. All systems need business relevance data that is consistently collected, maintained and available for audit.

3. List Authorized Users and Their Privileges

Once a security breach is confirmed a huge amount of time is spent trying to figure out if the security incident matters and if so, who did it. Significant time can be saved if you spend the time required to create and maintain up-to-date user authorization policies and current asset classification before the breach.
The goal of forensic activities is to identify the actor, internal or external and the method used for the compromise, and finally, the scope of the impact so appropriate remediation action can be applied. In order to find the bad actor, a current list of authorized users and the assets they can access is a crucial resource.
Tools exist that can automate this but they are only as effective as the business process underlying them. Tracking down who did what with precision requires keeping access controls up-to-date with each change in employment, termination dates and especially third-parties and contractors.

 4. Put Login Failures into Context

Reviewing login failures is like looking for a needle in a stack of needles. It gets even worse because in and of themselves, they really don’t tell you anything but you can’t afford to ignore them either.
A better approach is to correlate login failures with other suspicious activity. Many companies are now connecting asset vulnerability and identity context to their log information and correlating this data to identify truly suspicious activity.
For example, some companies are able to create an automated watch list of terminated employees and correlate it to activity. Some companies can also correlate suspicious changes (outside change windows, for example) and configuration policy failures (such as opening FTP or unauthorized ports) against other network activity to detect anomalous behavior.
Forensics experts repeatedly report that activities like this that are present during a breach, but most businesses never connect the data in various security technology silos.

5. Improve Tool Integration

Poor integration of security technologies leaves many organizations with an error-prone process that requires manually correlating thousands of events or changes. Suspicious changes identified by one security tool must be confirmed through reports in different data formats from multiple other tools.
Better tool integration automatically correlates data, dramatically reducing the time and resources required to confirm suspicious activity. This is an emerging area within security. To help their customers truly get ahead of security risks, vendors need to connect key pieces of information across the security technology stack. The blind spots created by missing integration are often how the bad guys get in.
Every company, even those with formidable security resources, is vulnerable to a cyberattack. Security teams need to stop thinking about “if” and plan for “when” because prevention really is only half the battle.
Best practices are generally perceived as beneficial but boring and they are rarely accorded the urgency they deserve on the long list of things that security and IT teams need to do. Strategic investment in these basic controls is worth the time; it will improve cyberattack prevention and save time during the critical hours and days after a security breach.

Home Depot breach exposes a whopping 56M credit cards

Home Depot said Thursday that 56 million unique credit cards were put at risk of theft as a result of a security breach earlier this year in what could be the largest credit card exposure yet.
"Criminals used unique, custom-built malware to evade detection," the hardware store chain said in a statement Thursday. "The malware had not been seen previously in other attacks."
The company said that the malware, which it believes was present in Home Depot store systems between April and September 2014, has been eliminated from its systems and any terminals identified with malware were taken out of service. Additionally, Home Depot has rolled out enhanced encryption of payment data in all US stores.
Home Depot revealed last week that it was investigating "unusual activity" related to customer data but didn't actually say that it had been the victim of a credit card breach at that time.
The possibility of a breach was raised by security reporter Brian Krebs, who reported that "multiple banks" had seen evidence that Home Depot may be the source of a large cache of stolen customer credit and debit cards put up for sale on black markets.
The company said today that only credit card data was breached and "there is no evidence that debit PIN numbers were compromised."
The hack into Home Depot recalls a similar security breach at retail giant Target. Late last year hackers obtained credit card data of 40 million Target customers and the personal information for an additional 70 million customers.
Since the Target hack, there has been an apparent uptick in security breaches at retail locations. Over the past few months, arts and crafts retail chain Michaels Stores, department store Neiman Marcus, and restaurant chain P.F. Chang's all revealed they were victims of security breaches aimed at stealing customers' credit card information.
Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store from April 2014 to now.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," Home Depot chairman and CEO Frank Blake said in a statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."

ATM Fraud, U.K. Leading Example

ATMs have been a convenient way for customers to access quick cash out of their accounts, but with all the ATM-related cybercrime stories, just how safe are they?
ATM scams have been around for a long time.
The latest evolution in ATM scams involve hackers using malware in Windows-based ATMs.
“The malware they are using is very effective at overcoming the ATM protections in place,” says Graham Mott, director of the U.K.’s ATM network, the LINK scheme. “We live in an international age. Crimes cross borders. Criminals are always looking for new techniques. So, it’s not the criminal who is migrating; it’s the technique that is migrating.”
The U.K. connects all of their 65,000 ATMs through LINK scheme, giving them a broad view of attacks and techniques used by hackers.
“The advantage is we are seeing all financial transactions which occur among financial institutions,” Mott says. “So it gives us a very good opportunity to see where attacks are happening and to see what the techniques are.”
Staying ahead of hackers new techniques and trying to anticipate and counter attacks is the approach companies need to take, Mott adds.
Mott will be a feature presenter at Information Security Media Group’s Fraud Summit in London on September 23.
Using malware to attack ATM machines is not a new technique being utilized by hackers. When looking at ATM-related cybercrime practices this year, Ploutus ATM malware is by far the most discussed.
Skimming techniques have been applied in many ATM hacks around the world. Thieves install devices on ATMs to steal card information. When an ATM has been tampered with, it can be very hard to detect.
Here are some links providing tips for ATM security: 
Skimtacular: All-in-One ATM Skimmer
10 Consumer Tips for ATM Safety and Security
4 Tips to Protect You from ATM Thieves
How to Spot (and Stop) ATM Skimmers

Twitter Vulnerability Allows Hacker to Delete Credit Cards from Any Twitter Account

An Egyptian Security Researcher, Ahmed Mohamed Hassan Aboul-Ela, who have been rewarded by many reputed and popular technology giants including Google, Microsoft and Apple, have discovered a critical vulnerability in Twitter’s advertising service that allowed him deleting credit cards from any Twitter account.
Initially, Aboul-Ela found two different vulnerabilities in, but both the flaws was having the “same effect and impact.” First flaw exists in the Delete function of credit cards in payments method page,[account id]/payment_methods
By choosing the Delete this card function, an ajax POST request is sent to the server. The post parameters sent in request body are:
  • Account: the twitter account id
  • ID: the credit card id and it’s numerical without any alphabetic characters
All I had to do is to change those two parameters to my other twitter account id and credit card id , then reply again the request and I suddenly found that credit card have been delete from the other twitter account without any required interaction,” Aboul-Ela wrote.
The page response was “403 forbbiden” but in actual, the credit card was deleted from the account.
Aboul-Ela found another similar flaw in, but according to him, the impact of the this vulnerability was higher than the previous one.
When he tried to add an invalid credit card to his twitter account, it displayed an Error message “We were unable to approve the card you entered” and serve “Dismiss” button. Clicking on the button, the credit card was disappeared from his account.
“I thought it have the same effect of deleting, so I tried to add invalid credit card again and intercepted the request,” he said.
Unlike first vulnerability, the account parameter doesn’t exists, only credit card Id is used. He modified the credit card Id in the URL and body to his credit card Id from other twitter account and then replied the request.