Massive SMS Flaw Gives An Attacker Full Access To Your Accounts For $16

from the whoops-a-daisy dept

So last year, when everybody was freaking out over TikTok, we noted that TikTok was likely the least of the internet's security and privacy issues. In part because TikTok wasn't doing anything that wasn't being done by thousands of other companies in a country that can't be bothered to pass even a basic privacy law for the internet. Also, any real security and privacy solutions need to take a much broader view.

For example, while countless people freaked out about TikTok, none of those same folks seem bothered by the parade of nasty vulnerabilities in the nation's telecom networks, whether we're talking about the SS7 flaw that lets governments and bad actors spy on wireless users around the planet or the constant drumbeat of location data scandals that keep revealing how your granular location data is being sold to any nitwit with a nickel. Or the largely nonexistent privacy and security standards in the internet of broken things. Or the dodgy security in our satellite communications networks.

Point being, hysteria over the potential threat of a Chinese app packed with dancing tweens trumped any real concerns about widespread, long-standing security vulnerabilities and privacy issues, particularly in telecom. This week this apathy was once again on display after reporters found that a gaping flaw in the SMS standard lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages. All for around $16:

"I didn't expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.

Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16."

Carriers told the reporter they couldn't replicate the problem and that they'd done their best to lock it down (not that there's any level of transparency or regulatory accountability that would let somebody verify that claim). The hackers involved disagree. This wasn't a SIM hijack, another problem we really haven't done enough about. In this case, the hacker used a service from a company dubbed Sakari, which sells SMS marketing and mass messaging services, to reroute the reporter's messages to them. With little in the way of serious screening of more nefarious users, apparently.

That in turn opens the door to having all your online accounts compromised, all without the target being any the wiser. It's a relatively trivial attack to accomplish, and exposes a general lack of any meaningful authentication process to ensure it isn't exploited by bad actors. As an aside, there's a tool you can now use to confirm whether your text messages have been compromised. Meanwhile, security researchers warn that there are so many SMS vulnerabilities now, it's time to stop using SMS for sensitive security purposes.

Meanwhile, the failure by regulators and industry to police and prevent the flaw also (once again) showcases how Ajit Pai's decision to turn the FCC into a mindless rubber stamp for industry had a much broader impact than just killing net neutrality, says Senator Ron Wyden:

"It’s not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai’s approach of industry self-regulation clearly failed," Senator Ron Wyden said in a statement after Motherboard explained the contours of the attack."

While everybody professes to be concerned about internet security and privacy, we're routinely only paying lip service to the concept. The internet of things is seen more as something funny than a massive security and privacy headache. The Trump TikTok hysteria saw more press and national attention than any of a laundry list of more problematic telecom flaws. Having a basic privacy law for an era in which there are a dozen major hacks, breaches, or data leaks every week is treated as something that's optional. As is functional, basic regulatory oversight at agencies like the FCC.

Most modern security and privacy problems require holistic, collaborative efforts between government, the media, industry, and activists. Instead, more often than not, knee jerk clickbait hysteria has us routinely distracted from much broader problems we seem intent on doing little too little to address.

Filed Under: 2fa, security, sms

What Stevie Ray Vaughan Can Teach Us About Security Design

from the instructive-parable dept

The SolarWind intrusion, with the revelation that part of the architecture included, at least for a while, a really weak default password, and the hack of the water treatment plant with a similar password reuse problem, reminded me of this story I heard not long ago about another instance of poor security design.

In a recent fan Q&A on Facebook, Bill Gibson, the drummer for Huey Lewis and the News, told a story about his friendship with Stevie Ray Vaughan. Stevie Ray Vaughan and his band Double Trouble had opened for the News for a while in the mid-1980s, and in that time Bill and Stevie had become good friends. Back at the hotel one evening after a show in New York City it came up that Bill had seen Jimi Hendrix perform something like seven times. Stevie, a guitarist who idolized Hendrix, was in awe. He wanted to hear everything about what it was like seeing Hendrix play, so he grabbed some beer and they settled in for an evening of Bill telling Stevie everything he remembered.

By 3:00 AM they were out of beer, so they went down to Stevie's tour bus parked out in front of the hotel to get some more. He opened the bus with his key and started looking for the cooler he kept it in. "That's odd," Bill recalls Stevie musing, "The cooler is usually kept in this spot over here." Eventually he found a cooler elsewhere, removed the needed beer, and they left to go back up to finish their conversation.

The next day they discovered why they'd had trouble finding the cooler. At the time, most bands were touring in buses that all came from the same company. That all looked the same. And that all were opened by the exact same key. Thus the reason that Stevie could not find the cooler where he expected it to be was because they were not on the bus where they expected to be. Instead of being on Stevie's bus, it turns out they were actually on UB40's bus that, unbeknownst to them, had just pulled up that night while they'd been ensconced in the hotel talking. Which Stevie's key had opened. And on which the UB40 band had apparently been sleeping the whole time Stevie and Bill were there inadvertently pilfering their beer…

So let this story be a lesson to security designers, people who really should be employing security designers, and pretty much everyone else who likes to reuse their passwords: When the security credentials for one resource can be used to gain access elsewhere, especially in a way you did not anticipate, there's really not that much security to be had.

And in most such cases it will likely be so much more than UB40's beer that's now been put at risk.

Filed Under: bill gibson, security, security design, shared passwords, stevie ray vaughn, ub40

Thousands Of Security Cameras, Archived Footage Exposed After Surveillance Company Verkada Is Hacked

from the unsecured-security-cameras-are-the-best-security-theater dept

Put enough cameras up and pretty soon they become tasty targets for malicious hackers.

A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.

Some of the more notable targets include Tesla factory cameras and security cameras deployed by Cloudflare. The hackers also apparently have access to archived video from these sources. Verkada has responded by disabling all internal administrator accounts -- something it probably should have done back when it was making news for doing the same thing, only without the participation of outside hackers.

Last year, a sales director on the company's sales team abused their access to these cameras to take and post photos of colleagues in a Slack channel called #RawVerkadawgz where they made sexually explicit jokes about women who worked at the company, according to a report in IPVM, which Motherboard independently verified and obtained more information about.

"Face match… find me a squirt," the sales director wrote in the company Slack channel in August 2019, according to one screenshot obtained by Motherboard.

Now, the same sort of thing can be done by anyone with access to the compromised system. The hackers involved here claim to be operating somewhat altruistically.

The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into, said Tillie Kottmann, one of the hackers who claimed credit for breaching San Mateo, California-based Verkada. Kottmann, who uses they/them pronouns, previously claimed credit for hacking chipmaker Intel Corp. and carmaker Nissan Motor Co. Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism -- and it’s also just too much fun not to do it.”

Add to that list "too easy." According to Kottmann, the hackers gained access to a "Super Admin" account after finding a username and password publicly exposed. That access has since been revoked (along with all other internal admin accounts), but the footage served up to reporters showed everything from eight hospital staffers restraining a patient to police officers grilling suspects.

Then there's the facial recognition tech grafted onto Verkada's cameras.

Verkada's website advertises that "all" of its cameras include "Smart Edge-Based Analytics," referring to the cameras' facial recognition, person identification, and vehicle analysis tools.

It's not clear which of Verkada's 24,000 customers were using these functions but they appear to be built-in. And its list of customers -- also exposed in the breach -- includes schools, banks, bars, breweries, churches, condo complexes, museums, airports, a Salvation Army Center, as well as the previously mentioned companies, hospitals, and prisons.

And, as was briefly noted earlier, Verkada's system allows customers to search recorded video by face, allowing users to compile screenshots of every instance in which the searched face was captured by the cameras.

Surveillance is a growth market. Amass enough market share and someone's going to want to see what you've collected. Verkada's use of admin accounts was already problematic given what we know about the mindset of some of its administrators. Giving admins access to all customer cameras and recordings may make it easier to address user problems, but without better security, it's also irresponsible.

Filed Under: cybersecurity, hackers, iot, privacy, security, security cameras
Companies: verkada

Hacked Florida Water Plant Found To Have Been Using Unsupported Windows 7 Machines And Shared Passwords

from the sigh dept

By now, you have likely heard about the recent hack into a Florida water treatment plant which resulted in the attacker remotely raising the levels of sodium hydroxide to 100 times the normal level for the city's water supply. While those changes were remediated manually by onsite staff, it should be noted that this represents an outside attacker attempting to literally poison an entire city's water supply. Once the dangerous part of all of this was over, attention rightfully turned to figuring out how in the world this happened.

The answer, as is far too often the case, is poor security practices at the treatment plant.

According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA—short for “supervisory control and data acquisition”—system. What’s more, the computer had no firewall installed and used a password that was shared among employees for remotely logging in to city systems with the TeamViewer application.

If you're not in the IT space, this is base level stuff. Have your computer systems on operating systems that are under active support and are being patched. That is doubly so for any systems that are critical, or which have access to critical systems. And to not have any client security, such as a local software firewall, on such a machine is IT malpractice. On top of the above, it appears that TeamViewer hadn't been actively used by the staff there for nearly six months. So there, again, was poor administration of the environment, with an antiquated remote access application not being removed from the production environment.

Instead, the save in all of this came from the meatware that was fortunately sitting at the machine and actively watching.

The breach occurred around 1:30pm, when an employee watched the mouse on his city computer moving on its own as an unknown party remotely accessed an interface that controlled the water treatment process. The person on the other end changed the amount of lye added to the water from about 100 parts per million to 11,100ppm. Lye is used in small amounts to adjust drinking water alkalinity and remove metals and other contaminants. In larger doses, the chemical is a health hazard.

Christopher Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, reportedly told a House of Representatives Homeland Security committee on Wednesday that the breach was “very likely” the work of “a disgruntled employee.”

It's a water treatment plant for an entire city. In an era where there is an extreme lack of trust in government, dumb stuff like this acts as a supercharger.

Filed Under: florida, scada, security, shared passwords, water plant, windows 7

Chastity Penis Lock Company That Was Hacked Says It's Now Totally Safe To Put Your Penis Back In That Chastity Lock

from the fool-me-once dept

While we've covered the Internet of Broken Things for some time, where companies fail to secure the devices they sell which connect to the internet, the entire genre sort of jumped the shark in October of last year. That's when Qiui, a Chinese company, was found to have sold a penis chastity lock that communicates with an API that was wide open and sans any password protection. The end result is that users of a device that locks up their private parts could enjoy those private parts entirely at the pleasure of nefarious third parties. Qiui pushed out a fix to the API... but didn't do so for existing users, only new devices. Why? Well, the company stated that pushing it out to existing devices would again cause them to all lock up, with no override available. Understandably, there wasn't a whole lot of interest in the company's devices at that point.

But fear not, target market for penis chastity locks! Qiui says it's now totally safe to use the product again!

Now, the European distributor of the chastity cage, which is called CELLMATE, wants everyone to know that it's safe to use the device after the release of a new app, which it says fixed the vulnerabilities in the API used to control it.

"Our product and brand (CELLMATE) has received quite a bit of negative attention because of this publication. Now, you can think 'negative publicity is also publicity,' but unfortunately it turned out completely different for the CELLMATE," Dennis Jansen, who works for Desudo, a distributor of the CELLMATE device, told Motherboard in an email, referring to our first story on the hack. "This wrongly created the image that our product could be hacked, after which the genitals of the wearer would be permanently locked up. Although such a situation was not even realistic at the time of publication (as you can read and see here), this story has made current and potential users unfairly frightened of our product. You will understand that this has had absolutely no positive effect on the attention and interest in using the CELLMATE."

A couple of things to note here. First, this whining about press coverage is roughly as tone deaf as it could possibly be. Second, while an emergency release accessible with a screwdriver may indeed by a thing, it seems not every user of the device is aware of that, given that at least one victim claims he had to use bolt cutters which left him bleeding. "It fucking hurt," he told Motherboard. Which, yeah.

But perhaps most important to this story is that anyone that actually wants to see the third party pen test for the API can go pound sand. Pen Test Partners, who originally discovered and reported the flaw, was reportedly brought in to assess the third party pen test as well. Asked if they would sign off that the device was now safe to use, reps from the company basically shrugged.

The founder of Pen Test Partners, Ken Munro, and the researcher who audited the CELLMATE, Alex Lomas, both confirmed to Motherboard that they did receive the third-party assessment and that the document says the issues are now resolved. But they also said they can't confirm the results, as they have not audited the device and its app and API since last year.

"I don't think I can comment more about the safety or otherwise of the product at this stage, I think people hopefully have enough information to make their own judgements," Lomas told Motherboard in an online chat.

Not exactly a ringing endorsement, obviously. The point is that the reputation cost for any company that allows this kind of vulnerability doesn't normally put a company in the position of trust for these kinds of fixes. That lack of trust likely becomes supercharged when people's naughty bits are involved. What's really needed here, should the companies and their distributors want to restore trust with the public, is transparency. Sadly, that doesn't seem to be in the offering.

Filed Under: chastity lock, iot, security
Companies: qiui

ADT Tech Spied On Women For Four Years Before Getting Caught By Accident

from the what's-the-opposite-of-security dept

Another day, another example of why we might want to actually pass at least a basic privacy law for the internet era. The latest problem bubbled up over at home security vendor ADT, after a technician was caught using home security cameras to spy on people for years. More specifically, the tech accessed customer video cameras in 200 homes some 9,600+ times over a period of four years. His preferred targets were attractive women he spied on while they were having sex, bathing, or getting dressed. This was, as US Attorney Prerak Shah was quick to note, a grotesque abuse of trust:

"This defendant, entrusted with safeguarding customers’ homes, instead intruded on their most intimate moments,” said Acting U.S. Attorney Prerak Shah. “We are glad to hold him accountable for this disgusting betrayal of trust."

The tech simply added his email address to the authorization list for the company's ADT Pulse accounts, which lets home security customers access cameras when not at home. ADT's now facing three different lawsuits for failing to "implement adequate procedures that would prevent non-household members from adding non-household email addresses." Aka, they didn't engage in some basic due diligence to ensure that employees couldn't abuse the system. The federal charges were brought some five months after the first lawsuit was filed.

One of the interesting bits is that he appeared to have only been caught by accident, and could easily still be engaging in the same behavior today if not for one attentive subscriber:

"The lawsuit also claims the flagrant security breach was discovered not by the company, but 'by luck and happenstance.' A customer, reporting a technical issue, inadvertently revealed the unwanted third-party access," the lawsuit claims. "But for that event, ADT would be unaware of this invasive conduct."

So no basic security measures to prevent employees from abusing their authority. No system to notify users when somebody new was added to the email access list for video cameras they provide. ADT didn't even know this was going on -- and if not for a customer being attentive it probably still would be. And this is a security company! It's notably worse for the parade of "internet of thing" companies that decided we needed to hook every home device up to the internet with zero willingness to embrace or fund basic privacy and security standards.

In ADT's case, the company is busy trying to dodge responsibility by throwing complaining customers into binding arbitration, a lopsided process that pretends to be better than traditional class actions, but usually winds up with the companies in question getting little more than a wrist slap. When you know that repeated privacy and security violations can be brushed aside with a modicum of billable legal hours, you're not inclined to try very hard. It's far easier, and less expensive, to half-ass it, then have your lawyers water down already flimsy after-the-fact penalties.

It's why properly staffing and funding our privacy regulators, and having a basic privacy law where the expectations are clear and the penalties are notable (and consistently enforced) seems like a no brainer. Though it's still amazingly not clear how many national privacy scandals are necessary before we finally figure out that our existing "solution" of apathy, wrist slaps, binding arbitration, and intentional policy gridlock aren't working very well.

Filed Under: doj, iot, privacy, security, surveillance
Companies: adt

Internet-Connected Chastity Cages Hit By Bitcoin Ransom Hack

from the the-future-is-not-what-we-were-promised dept

If you hadn't noticed yet, the internet of things is a security and privacy shit show. Millions of poorly secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your gmail credentials, your kids' Barbie doll can now be used as a surveillance tool, and your "smart" tea kettle can now open your wireless network to attack.

So of course this kind of security and privacy apathy has extended to more creative uses of internet-connected devices. Case in point: last October, security researchers found that the makers of an IOT chastity cage -- a device used to prevent men from being able to have sex -- (this Amazon link has the details) had left an API exposed, giving hackers the ability to take remote control of the devices. And guess what: that's exactly what wound up happening. One victim and device user say he was contacted by a hacker who stated he wouldn't be able to free his genitals from the device unless he ponied up a bitcoin ransom.

Luckily his genitals weren't in the device at the time, though it's not clear other users were as lucky:

"A victim who asked to be identified only as Robert said that he received a message from a hacker demanding a payment of 0.02 Bitcoin (around $750 today) to unlock the device. He realized his cage was definitely "locked," and he "could not gain access to it." "Fortunately I didn’t have this locked on myself while this happened," Robert said in an online chat."

Given the often nonexistent security on internet of things devices, such problems aren't particularly uncommon in devices like not-so-smart thermostats. It's also a major problem in many hospitals where big medical conglomerates haven't been willing to pony up the money necessary to keep lifesaving technology private and secure. That said, "I had to pay some kid in the Ukraine $750 so I could access my own genitals" is a new wrinkle many hadn't seen coming.

It's just yet another reminder that you shouldn't connect everything to the internet just because you can. And you shouldn't endeavor to engage in such innovation unless you're willing to spend the money and take the time to ensure you're adhering to basic security and privacy standards. Whether a heart monitor or a sex toy, most companies still aren't after ten years of headlines like this. And despite some promising headway being made in policy, our response to the security dumpster fire that is the IOT remains a pretty hot, discordant mess.

Filed Under: bitcoin, chastity cage, hack, iot, ransomware, security

Malware Merchant NSO Group Caught Leaving Harvested Location Data Exposed

from the oh-well-'little-people'-aren't-the-end-users-so-who-cares dept

Israeli surveillance tech firm NSO Group is something else. (Pejorative, yo.) It set up shop in a contested country where it's not all that paranoid to say everyone is out to get them. (But it's still a little paranoid, if not a lot racist.) That being said, Israel doesn't have a lot of nearby allies. And its ongoing conflict with Palestine hasn't made it any new friends.

You'd think a government contractor operating out of this space would be more judicious with its sales efforts. But finding new customers seems to be more important to NSO Group than defending its own country against attacks. NSO has sold its pervasive surveillance products -- ones that leverage popular messaging apps to create spy-holes in end-to-end encryption -- to anyone who wants them, including those that would turn these tools against Israeli citizens, journalists, and activists.

NSO has enabled a global war on dissent and criticism. It's not the only company that takes a hands-off approach to sales -- justifying the money in its pocket with claims it's nothing more than an exploit-hawking middleman. This has earned it some justifiable disdain. It has also earned it lawsuits, including one filed by a company too big to ignore: Facebook.

Multiple governments have purchased exploits from NSO, resulting in a worldwide war on journalists and activists. This makes NSO richer. But it doesn't make the company any smarter. NSO and Israel briefly joined forces to engage in domestic surveillance, utilizing NSO's malware to facilitate COVID contact tracing -- an effort swiftly blocked by an Israeli court.

NSO hasn't slowed down its surveillance efforts -- the ones deployed by its customers. But it has again managed to generate unfavorable headlines and coverage. The company, whose offers of contact tracing were rejected by an Israeli court, hasn't dialed back its efforts to place people under surveillance -- supposedly for the public good.

But its exploits have their own security flaws. While it was trying to sell governments its contract tracing goods, it failed to secure some of the data it had been gathering in hopes of vertically integrating its spy tech and its "concern" for the general population's health. Zack Whittaker reports for TechCrunch:

NSO, a private intelligence company best known for developing and selling governments access to its Pegasus spyware, went on the charm offensive earlier this year to pitch its contact-tracing system, dubbed Fleming, aimed at helping governments track the spread of COVID-19. Fleming is designed to allow governments to feed location data from cell phone companies to visualize and track the spread of the virus. NSO gave several news outlets each a demo of Fleming, which NSO says helps governments make public health decisions “without compromising individual privacy.”

But in May, a security researcher told TechCrunch that he found an exposed database storing thousands of location data points used by NSO to demonstrate how Fleming works — the same demo seen by reporters weeks earlier.

NSO has responded to the hole it didn't close until notified by TechCrunch -- months after the first notification by the security researcher. It says the data seen in the breach isn't "real and genuine data."

Well, we'll see if that's true. At this point, this appears to be bullshit. As Whittaker notes, NSO's statement conflicts with news reports about NSO's use of location data sold to it by third-party brokers who gather location info from phone apps. NSO used this data to "train" its contact tracing AI. It's still "real and genuine data," even if NSO wasn't (yet!) using it in real-word applications.

TechCrunch asked researchers at Forensic Architecture, an academic unit at Goldsmiths, University of London that studies and examines human rights abuses, to investigate. The researchers published their findings on Wednesday, concluding that the exposed data was likely based on real phone location data.

Whatever the real-world applications by NSO, the fact is NSO utilized data of thousands of individuals from multiple countries (Rwanda, Israel, Saudi Arabia, UAE, Bahrain) to train an AI it was pitching to world governments -- a pitch that likely did not inform potential end users NSO would be buying data in bulk from brokers who are generally unconcerned about local data privacy laws.

NSO may be trying to rehabilitate its image by offering its considerable surveillance power to the fight against COVID, but its efforts show it's really still just in the business of collecting everything it can while expanding its user base to whoever's willing to buy -- even if it includes foreign enemies.

A failure to secure a database -- even if it's only filled with "trial" data -- is a monumental self-own. This indicates NSO isn't nearly as careful as it should be, considering the wealth of data/communications it helps government agencies siphon from targets' devices. When millions of people around the world are just grist for the surveillance mill, it rarely seems imperative to protect the data you've harvested from them. The only thing that matters to NSO is surveillance and the profit made. Collateral damage doesn't affect its bottom line -- not when there's a host of human rights violators lining up to buy your goods.

Filed Under: data breach, exploits, hacking, location data, security, surveillance
Companies: nso group

Dutch Prosecutors Say One Man Got Into Trump's Twitter Account With 'MAGA2020!' Password

from the p@ssw0rd! dept

This sort of thing will never stop amazing me. For any American President, one would assume they would have all kinds of advisers on all matters regarding security and best practices when it comes to the systems and technology they use. I'm old enough to remember when everyone freaked out over Barack Obama using a Blackberry, but at the time I hand-waived any such concerns under the assumption that there were checks in place to make such technology secure.

So how in the world did Donald Trump, often called America's first Twitter President, manage to have his Twitter account accessed using a laughably predictable password and 2-factor authentication?

Dutch prosecutors have found a hacker did successfully log in to Donald Trump's Twitter account by guessing his password - "MAGA2020!" But they will not be punishing Victor Gevers, who was acting "ethically".

Mr Gevers shared what he said were screenshots of the inside of Mr Trump's account on 22 October, during the final stages of the US presidential election. But at the time, the White House denied it had been hacked and Twitter said it had no evidence of it.

For what it's worth, both the White House and Twitter are both still claiming that they don't see any evidence that Gevers did in fact access Trump's Twitter account. That being said, Gevers is said to have provided evidence for what he'd done to Dutch police and the prosecutors there seem utterly convinced that Gevers did precisely what he said he had.

Dutch police said: "The hacker released the login himself.

"He later stated to police that he had investigated the strength of the password because there were major interests involved if this Twitter account could be taken over so shortly before the presidential election."

They had sent the US authorities their findings, they added.

For any other president, this sort of unauthorized access would be frustrating and somewhat concerning. For this president, however, who routinely announces hirings and firings of government employees via Twitter, and occasionally even announces American policy that way, it's horrifying. Someone who was actually nefarious could have created all kinds of chaos at the very least, or precipitated real life wars at worst, just by tweeting out from Trump's account. Imagine a world where a bad actor accesses Trump's account and tweets "America has declared war on North Korea. The battle begins in hours." It's not inconceivable that Seoul would be lost under North Korean artillery... or worse.

It's also worth noting that Gevers claims this isn't the first time he got access to Trump's account.

Earlier this year, Mr Gevers also claimed he and other security researchers had logged in to Mr Trump's Twitter account in 2016 using a password - "yourefired" - linked to another of his social-network accounts in a previous data breach.

The best people are apparently not advising the president on how to keep his vaunted Twitter account secure.

Filed Under: donald trump, hacking, maga2020, netherlands, passwords, security, victor gevers

Security Researcher Reveals Solarwinds' Update Server Was 'Secured' With The Password 'solarwinds123'

from the [checks-luggage-combination] dept

As was noted here earlier, up to 18,000 customers of globally-dominant network infrastructure vendor SolarWinds may have been compromised by malicious hackers. The hackers -- presumed to be operating on behalf of the Russian government -- deployed tainted updates (served up by SolarWinds) that gave them backdoors to snoop on internal communications and exfiltrate sensitive data.

The attack was so widespread and potentially catastrophic, the DHS's cyber wing issued an emergency directive that stated the only way to mitigate damage was to airgap devices and uninstall affected Orion software. Meanwhile, SolarWinds filed an update with the SEC detailing the extent of the damage. It was limited, but only if you consider 18-33,000 potential infections "limited." It's only a small percentage because Solarwinds's customer base is so large. The company boasts 300,000 customers, among them several government agencies and all five branches of the military. (It's not boasting much these days. It has memory-holed its "Customer" page during this trying time.)

Unfortunately, the directive from CISA was delivered a bit too late. CISA itself was compromised by the hack, something acknowledged by the DHS less than 24 hours after its dire directive was issued.

The fallout from this hacking -- which may have begun as early as March of this year -- will continue for a long, long time. But this latest news -- delivered by Zack Whittaker -- adds another layer of irony to the ongoing debacle. Orion is Solarwinds' one-stop shop for IT software. It promises to secure customers' IT infrastructure by bundling in the company's network security products.

No doubt the company claims to take security seriously. But while users are being subjected to password requirements that demand them to utilize most of the alphabet and multiple shift key presses, internal security isn't nearly as restrictive. Here's the "OMFG are you goddamn kidding me" news via Reuters, which first broke the news of the malicious hacking.

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”.

All five branches of the military. The NSA. The IRS. The USPS. DHS. The Treasury Department. Nearly every Fortune 500 company. All ten of the top ten telcos. The list goes on and on. And with this access, attackers could move laterally, using compromised credentials to eavesdrop on mutuals of targeted entities. And all of this "secured" by a password so simple an idiot could have created it.

We're fucked. And we're fucked by people making far more money than we are who take our security far less seriously than we do. Say what you will about the security ambivalence of the general public, but it's the "experts" who endanger us with lax security measures who do the most damage. If Joe Blow fails to secure his email account, he's probably only going to hurt himself. When a multinational vendor can't be bothered to gin up a decent password, entire government agencies become a plaything for malicious hackers.

Filed Under: dhs, hackers, infrastructure, passwords, security
Companies: solarwinds