Tag Archives: Comcast

Security News for the Week Ending November 8, 2019

Comcast Testing Encrypted DNS While Lobbing Against It

Encrypted DNS (either DoH or DoT) has become a political hotbutton.  Recently Vice reported that Comcast is spending hundreds of thousands of dollars lobbying against it.  Mozilla is writing to Congress saying that what Comcast is saying is not true and most interestingly, Comcast is testing its own DoT and DoH services.  Apparently, what is important is that they can continue to sell your data and not much else.  Source: Vice

Smart Speakers Can Be Hacked By Laser

Researchers have DEMONSTRATED the ability to talk to your Alexa or Siri by silently pointing a laser at the microphone and modulating the laser so that the microphone thinks you are talking to it.  This will work through a window.  In one test they were able to control an iPad from 33 feet,  In another test, they were able to control a device from over 300 feet away.

The amount of mischief this could potentially cause is large.

The temporary solution is to hide your smart speaker so that no one can point a laser at it from outside your home, for example, and tell it to buy stuff or unlock the door or whatver.  Source: Wired

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending October 25, 2019

Database Leaked 179 GB of Personal Data of military personnel, officials and hotel customers.

I wish this was a new story.  Autoclerk, a Best Western service that manages reservations, revenue, loyalty programs, payment processing and other functions for the hotel chain. left an elastic search database exposed.

Hundreds of thousands of guest reservations were exposed including names, home addresses, dates of birth, travel dates and other information.

The reason why government and military personnel are affected is that a government contractor that deals in travel reservations was sucked into the breach.  Source: SDNet.

 

San Bernadino Schools Hit By Ransomware

A message on the school district’s web site says not to worry, all of your data is secure.   (it’s just that it has all been encrypted by a hacker).    Phones are working but email is not working.   Schools in Flagstaff closed last month for several days while officials got things under control after a ransomware attack there.  Source: ABC

 

Russia Using “False Flags” to Confuse Security Experts

Researchers are still dissecting the attack on the 2018 Olympics in South Korea.  Russia inserted false signals and other misdirections in order to may people think that the attack came from China or North Korea.  This does point out that if you are willing to spend millions of dollars, you likely can figure out quite about a cyber attacker.  The story is so complex that one of the researchers wrote a book, Sandworm, which will be available on Amazon on November 5, 2019.  Source: WaPo

 

Amazon’s Web Services DDoSed for 10 Hours This Week

For about 10 hours earlier this week parts of Amazon were effectively offline.  Amazon’s DNS servers were being hammered by a DDoS attack.  This meant that Amazon backend services such as S3 may have failed for websites and apps that attempted to talk to those services.  The outage started around 0900 east coast time so it impacted users throughout the work day on Tuesday October 22, 2019.   For developers and businesses this is just one more reminder that nothing is bullet proof if the bullet is large enough.  Even though Amazon has an amazing about of bandwidth and infrastructure, it can get taken down.

Other services that were affected included RDS (database), Simple Queue Service, Cloudfront, Elastic Compute Cloud, and Elastic Load Balancing.  Amazon did offer some ways to mitigate the damage if it happens again – see the link below.  As a business you need to decide how much cost and effort you are willing to expend to mitigate rare occurrences like this.  Source: The Register.

 

Comcast is Lobbying Against Browsers Encrypting DNS Requests

Here is a big surprise.  As the browser vendors (Chrome and Firefox) add the ability to support encrypting your DNS requests to stop people from spying on you, one of the biggest spies, Comcast, is lobbying against this.  They say that since Google would be able to see the data, that puts too much power in Google’s hands.  Ignore for the moment that Firefox is not using Google as a DNS provider and also ignoring that Google is offering  users at least 4 different encrypted DNS providers.  Lets also consider that encrypted DNS is not even turned on by default.  The much bigger issue is that Comcast will not be able to see your DNS requests and therefore will not be able to sell your web site visit data.  But of course, we would not expect them to be honest about why.  Source: Motherboard.

Facebooktwitterredditlinkedinmailby feather

News Bites for Friday May 25, 2018

FCC Investigates Securus

Now that LocationSmart who’s data was used illegally by a Sheriff to track other law enforcement officers and was then hacked is out of the closet, their somewhat shady but possibly completely legal business practices are no longer in the shadows and the FCC has begun an investigation.  We shall see if the FCC does anything – stay tuned.  They say that they are working to verify that their data was always used with people’s consent.  If it was, I bet the consent was pretty subtle (Source: Ars Technica).

Comcast/Xfinity Web Site Leaks Customer Info

A bug in Comcast’s Xfinity web site that customers use to set up their Internet connection leaks customer address and WiFi network name and password, which, apparently, Comcast stores unencrypted.  All it takes is the account number and the house number of the street address.  IF the customer is providing his own router, then Comcast does not know that information and would not be able to leak it.  The “bug” will return the user’s address and password, among other info, even if the service has previously been activated.  Comcast says that there is nothing more important than their customer’s security;  they removed the feature from their web site after they were told about it (Source: ZDNet).

Apple Allows Users To See Their Own Data on Eve of GDPR

Two days before the law forced them to, Apple has debuted a new web site called PRIVACY.APPLE.COM .  Right now it only works where they have to do it or face a fine of up to $9 billion.  That is a pretty good motivator.  Apple says it will be available later in other places.  Among the data that you will be able to see is :

  • App Store, iTunes Store, iBook Store, and Apple Music activity
  • Apple ID account and device information
  • Apple online store and retail store activity
  • AppleCare support history, repair requests, and more
  • Game Center activity
  • iCloud bookmarks and Reading List
  • iCloud Calendars and Reminders
  • iCloud Contacts
  • iCloud Notes
  • Maps Report an Issue
  • Marketing subscriptions, downloads and other activity
  • Other data

Source: Cult of Mac

Chinese Hackers Find Over a Dozen Bugs in BMW Cars

Chinese security researchers have disclosed 14 vulnerabilities in a host of BMW vehicles including the 3 series, 5 series, 7 series, i series and X series.

4 flaws require physical access; another 4 can be exploited with indirect physical access.  Some of them can be exploited remotely via the entertainment system, the telematics system while others exist in the head unit.

Some of the bugs can be patched “over the air”, but others require the owner to bring the car into the dealer to fix.

One thought.  Given these researchers work for the Chinese government, how many vulnerabilities did they find and not tell us about?  That is not a far fetched scenario (Source: The Hacker News).

Facebooktwitterredditlinkedinmailby feather

ISPs Plan To Use Your WiFi Router To Create Public Hotspots

Juniper Research says that one in three home routers will be PUBLIC WiFi hotspots in the US and Europe by 2017.  ISPs such as Comcast and Cablevision have already started this process.

The ISPs say that the public use of your router won’t affect your speeds, but people are somewhat dubious.

The bigger issue is likely that these routers are typically models that cost the ISPs about $10-$20.  Do YOU think the security of such a router is going to be bullet proof?  I don’t.  Sorry.

Even if the routers require an upgrade, it likely won’t be patched on a regular basis.  Hackers will likely start war driving to see who’s router is acting as a public WiFi hotspot and target those boxes for attack.

In addition, ISPs are neither asking your permission nor obtaining your approval prior to doing this.

You should be able to see the public WiFi access point in the list of available hotspots from your phone.

In many ISP routers, you have access to the control panel and can turn off WiFi.  Whether that turns off the public hotspot is unclear.  I decided long ago to buy my own personal WiFi hotspot, so I don’t use my ISP’s WiFi.  Therefore, when I unscrewed and removed the antenna, it doesn’t affect me, but it beats the crap out of the distance their hotspot will support, no matter what they do.  You can’t beat out physics.

The ISPs are doing this to provide a service to their customers of “WiFi anywhere”.  I understand the concept, but I certainly would not recommend using that public WiFi any more than I would use public WiFi elsewhere.

If that home router has been hacked, both the public and private side of that router will likely be compromised, and a lot of home routers have been hacked.

Stay tuned as the ISPs roll this out.  No telling how this will play out.

 

Information for this post came from Network World.

Facebooktwitterredditlinkedinmailby feather