Tag Archives: WiFi

Security News Bites for the Week Ending January 25, 2019

Oklahoma Government Data Left Unprotected

The Oklahoma Department of Securities left data going back to at least 1999 unprotected online.  Data exposed included state agency passwords and login information, data on FBI investigations, information on thousands of securities brokers and other information.  The state says it was unprotected for “a limited duration”.  They are investigating.  Source: The Hacker News.

 

NOYB Files More GDPR Complaints

None of Your Business, the non-profit founded by an Austrian privacy activist, lawyer and Facebook thorn-in-the-side, has filed 10 complaints with the Austrian Data Protection Authority.

They say that companies are not fully complying with the requirements of GDPR in providing data to requestors and some companies didn’t even bother to reply at all.  For the most part, they said that companies did not tell people who they shared data with, the source of the data or how long they stored it for.

Beware, this is only the beginning of challenges for companies that have built their business models on selling your data.  The press release also shows the MAXIMUM potential fine (not likely), which ranges from 20 million to 6.3 billion Euros.  Source: NOYB.

 

Another Zero Click WiFi Firmware Bug

Security researcher Denis Selianin has released the code for a WiFi firmware bug he presented a paper on last year.  The code works on ThreadX and Marvell Avastar WiFi driver code and allows an attacker to take over a system even if the device is not connected to WiFi.  Affected devices include the Sony PlayStation 4, Microsoft Surface, Xbox One, Samsung Chromebook, Galaxy J1 and other devices.  All it takes is for the device to be powered on.

I am not aware of a patch for the firmware of WiFi devices to fix this, and for most WiFi devices the risk will likely remain active until the device winds up in a landfill or recycling center, even if a patch is released.  Source: Help Net Security.

 

Apple Releases Patches For iPhone, Mac and Wearables

Apple has released patches for iPhones (and other i-devices) that fix several remote code execution bugs (vulnerabilities that can be exploited remotely), including bugs in FaceTime and Bluetooth and 8 bugs in the WebKit web browser engine.  The iOS kernel had 6 vulnerabilities patched that allowed an attacker to elevate his or her privilege level.

macOS had similar patches since much of the same software runs on the Mac, but there were Mac-unique bugs as well.

Rounding out the patch set were patches for the Apple Watch and Apple TV.

At one time Apple software was simpler and therefore less buggy, but over time it has gotten more complex and therefore more vulnerable.  Source: The Register.

Data Analytics Firm Ascension Reveals 24 Million Mortgage Related Documents

Ascension, a data analytics firm, left a stash of 24 million mortgage related documents exposed.  It is not clear who owns the data belonging to tens of thousands of loans, but it appears that the originators of the loans include Citi, Wells, Capital One and HUD.  Ascension’s parent company, Rocktop, owns a portfolio of 46,000 loans, but we don’t know if these are theirs.

While they think the loan documents were only exposed for a few weeks, that is certainly enough time for a bad guy to find them.  After all, a researcher found them. Now Ascension is having to notify all of the affected parties and I am sure that the lawsuits will begin shortly.

If this isn’t a poster child for making sure that your VENDOR CYBER RISK MANAGEMENT PROGRAM is in order, I don’t know what to say.

This could be a third party cyber risk problem *OR* it could be a fourth party cyber risk problem.  In either case, if your vendor cyber risk management house is not in order, it will likely be YOUR problem.  Now would be a good time to review your program.  Source: HousingWire.

Russian Hackers Attacking Hotel WiFi Again

The security firm FireEye has said that they have moderate confidence that a campaign targeting hotels in Europe is the work of the Russian hacking group APT28.

One way the attack works is to send a phishing email to hotel staff with an infected Word document with a name related to a hotel reservation form.  If a user opens the attachment and runs the embedded macro, the hacker owns the hotel network.

At that point, it tries to move around the hotel network using several techniques – even using the NSA hacking tool EternalBlue that was at the center of the WannaCry attack recently.

What it is looking for is the computers controlling WiFi for hotel guests and staff.

While FireEye didn’t see guest credentials being stolen in this attack, they did see that in an attack from last year.

The hackers listen for guests’ or staff’s computers attempting to connect to network shares.  When they see such an attempt, the hackers respond as if they were those shares, and once that happens, the target’s computer sends its credentials in order to access those spoofed shared drives.  At that point they have the user’s userid and hashed password, which they can take home and crack offline.

This is only an indication that hacker groups from around the world are using exploits learned over time to create better attack mechanisms, and WiFi, especially for business travelers using hotel WiFi, is a very juicy target.

From a hotel guest standpoint, here are several suggestions:

  1. If you can avoid it, do not use hotel WiFi.  It is even more risky than using WiFi at your local Starbucks and you know what I think about doing that.
  2. If you must have Internet access, use your phone as a WiFi hotspot if it allows it.  At least that way you won’t be infected by a compromised hotel WiFi server.
  3. Use a portable WiFi “Puck”.  All of the carriers sell them and if the use is intermittent, a prepaid plan may be less expensive.
  4. Use a WiFi bridge.  This portable device does exactly what it says.  You connect your phone or laptop to the bridge and then the bridge connects to the hotel WiFi.  Since the bridge does not run a standard operating system with all of its potential vulnerabilities, it will be very difficult to infect the bridge with standard Windows or Linux exploits.  These are available on Amazon for less than $50.
  5. Use a portable WiFi firewall like the Tiny Hardware Firewall.  This is the most complex and expensive solution at around $100, but also the most flexible.  It will support a VPN and also a TOR connection if you choose to go that route.

Bottom line – anything other than hotel WiFi.

While this particular attack is new (starting in July) and has not YET been seen in the United States, that is likely only a matter of time.  Being prepared for what is sure to come seems like a good plan.

Information for this post came from KnowBe4.

In Flight WiFi Probably No Safer Than Any Other Public, Non Password Protected WiFi Hotspot

Sometimes you read something and it just ruins your mood.

For fellow business travelers, this will be one of those posts.

I guess I was burying my head in the sand up until now.  This makes perfect sense even though I wasn’t thinking it through.

The WiFi on a plane, whether it is GoGo like on American or United or Global Eagle like on Southwest, is just another non password protected public WiFi hotspot and subject to all of the possible attacks that the WiFi hotspot in your local coffee shop or deli is.

USA Today columnist Steven Petrow learned that the hard way recently.  Following a recent flight, he was approached by a man who showed him some of his emails from sources for a story he was writing.

Hopefully the story was not confidential, because if there is anything that Snowden told us that you should take to heart, it is that if you want any chance of an email being private you need to use an end-to-end encryption solution like PGP or Absio.  DO NOT rely on ANYTHING that your mail provider tells you is secure.  IT IS NOT.  Period.  End of conversation.  It is just. not. secure.

This particular attack is simple and maybe could be fixed, but there may be a conflict of interest.  Read on.

When you are on a public WiFi you give up a lot of information.  A lot of the traffic you are sending is not encrypted.  A lot of email is sent unencrypted all the way from sender to receiver.

But this case is one of this guy creating a fake WiFi hotspot and then getting the reporter’s computer to connect to it.  Since there is no password on it, if you force the reporter’s computer/phone/tablet to disassociate from the real hotspot, and the new (fake) hotspot has a stronger signal – with no password required – his computer will just automatically connect to it and now the hacker is in the middle of every conversation.

Even if the traffic is encrypted, he can execute a man in the middle attack, decrypt the traffic in his fake hotspot, reencrypt it and send it on its way.  Except for a few websites, like ones that pin certificates, that will work and since airplane WiFi is so slow anyway, who the hell would notice?

I have noticed before – especially at hotels – that they intentionally do decrypt at their proxy gateway and many times your browser gives you a warning.  That is the first sign to disconnect from the hotel WiFi.

I actually carry my own WiFi puck with me that I pay for separately just to avoid having to use hotel WiFi.  I also carry a Tiny Hardware Firewall ($100 a year including their VPN service).  You can also use your phone, but my puck is from a different carrier than my phone, so I get two chances to get crappy cell service – or a 50/50 chance of getting decent cell service, depending on whether you are an optimist or pessimist.

For those who wear tin foil hats – at least sometimes – you could say this is a conspiracy.  Gogo said, in a filing with the FCC, that they worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security.

I would read this to mean that they worked with the feds to make sure that the feds could see anything they wanted to see, sans warrant.  If it isn’t protected, eavesdropping is likely OK.  You shouldn’t expect anything to be private.  It is just listening to the airwaves.

But that reporter was sure surprised that his sources weren’t private any more.

And, when you are connected to the hacker’s fake WiFi, it is certainly possible that the hacker could inject malware into your computer.  No guarantee, but definitely possible.  Maybe even likely.

So much for working on the plane, while online.  Offline is still good.  BUT MAKE SURE YOU DISABLE THE WIFI SO THAT IT DOESN’T BEACON OUT TO THE HACKER AND CONNECT SILENTLY.

Don’t say I didn’t tell you.

Information for this post came from Ars Technica.
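
The silent reconnect to a password-free hotspot described above, and the advice to keep the laptop from connecting on its own, can be checked on a Linux laptop by auditing its saved WiFi profiles. The following is an added example, not code from the original post or its sources: it assumes NetworkManager keyfile-format profiles with the `[wifi]` and `[wifi-security]` section names, and the profile names and contents are constructed sample data.

```python
import configparser

# Constructed NetworkManager keyfile profiles (sample data, not from the post).
SAMPLE_PROFILES = {
    "Inflight-WiFi.nmconnection": """
[connection]
type=wifi
[wifi]
ssid=Inflight-WiFi
""",
    "HotelGuest.nmconnection": """
[connection]
type=wifi
autoconnect=false
[wifi]
ssid=HotelGuest
""",
    "HomeNet.nmconnection": """
[connection]
type=wifi
[wifi]
ssid=HomeNet
[wifi-security]
key-mgmt=wpa-psk
""",
}


def risky_profiles(profiles):
    """Return SSIDs of saved open networks the device will rejoin on its own."""
    flagged = []
    for name, text in sorted(profiles.items()):
        cfg = configparser.ConfigParser(interpolation=None, strict=False)
        cfg.read_string(text)
        if cfg.get("connection", "type", fallback="") != "wifi":
            continue
        # No [wifi-security] section: the network has no password, so any
        # hotspot broadcasting the same name looks identical to the laptop.
        is_open = not cfg.has_section("wifi-security")
        # NetworkManager reconnects automatically unless the profile opts out.
        autoconnect = cfg.getboolean("connection", "autoconnect", fallback=True)
        if is_open and autoconnect:
            flagged.append(cfg.get("wifi", "ssid", fallback=name))
    return flagged


if __name__ == "__main__":
    for ssid in risky_profiles(SAMPLE_PROFILES):
        print(f"open + autoconnect: {ssid} (forget it or set autoconnect=false)")
```

Any SSID this reports is one the laptop will join without asking whenever something nearby advertises that name; forgetting the network or turning off its auto-connect setting removes it from the list.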