The niner noteworthy stories of 2017 (week 28)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

Blue Cross? Blue crass: Health insurer thought it would be a great idea to mail plans on USB sticks

Very sound advice in this article indeed. I have seen this happen with USB knobs that were given out to colleagues; the only thing the knob did was act as a keyboard and launch a browser with a specific URL attached. No harm done.
It was however all too obvious how this marketing stunt could have been hijacked, as practically everyone, including colleagues in the security consultancy practice, pushed the USB plug into their company laptops and hit the button without thinking about it for one instant. The level of trust was probably generated because they got the knob from a colleague or it was lying on their desk when they arrived in the morning.
A recipe for disaster for sure. And yes, we tried and failed to reprogram the chips inside those knobs; a pity, as that would have been a lot of fun.
source: The Register (external link)

More than 100m records potentially lost in huge telecoms breach

Speed to market over good security and privacy. Besides that, what are those government ID numbers even doing with a private company?
"Potential" maybe, but if people can verify this, and can do so with unique data like specific e-mail addresses used for very specific cases, then this looks like more than just potential.
Breaches are unfortunately more and more commonplace; the only reason I am writing about this one is because of the scale, as well as the links to the Aadhaar system about which I wrote before.
source: Naked Security (external link)

Another day, another mass domain hijacking

I doubt that DNSSEC would have helped here: if they can change the related DNS servers, they can also change the records linked to the DNSSEC properties to match their own crypto keys and certificate. Although it does make the take-over somewhat more difficult.
It also greatly depends on whether the browsers themselves actually validate the DNSSEC properties as well.
As for the e-mails of that Swiss insurance firm, since electronic mail is not a good medium to transfer sensitive or personal information, there should not have been any difference even if the miscreant had set up a mail server as well. At least from a privacy point of view, but sensitive data is broader than that obviously.
One last note: again it seems that credentials were compromised, and again it looks like single-factor username and password, which certainly for this level of access should never have been enough to obtain the access privileges that made this possible in the first place.
source: The Register (external link)

New Ransomware Threatens to Send Your Internet History & Private Pics to All Your Friends

Or simply don’t take sexy selfies and store them on your phone. Anyway, another week and another Android malware article. Not really surprising when 99 percent of all mobile malware is targeting this operating system.
One other thing that is important is not to grant permissions to apps that they clearly don’t need to operate.
Ultimately, side-loading code into apps, like what is done here, should be blocked and not allowed. This is asking for trouble, certainly combined with checks of apps in app stores after, instead of before, they are available for download.
source: The Hacker News (external link)

IoT Devices Plagued by Lesser-Known Security Hole

Actually, and I know that doesn’t happen too often, I have no further comment on this one. Just read it and be amazed.
This will certainly not be the first or the last time that older protocols lead to security trouble; they were simply never designed with security in mind, and certainly not to be connected to the Internet openly.
source: Dark Reading (external link)

German military aviation command launches cyber threat initiative

Those connected planes will indeed form a risk to the aviation sector. Not only the constantly connected ones, but also older models that have USB ports for maintenance data and related functionality.
The question however is whether this is something airlines need to be bothered with in the first place. I believe it is the responsibility of the airframe manufacturers, specifically Boeing and Airbus as the largest ones, to take IT security seriously in their plane designs. Airlines should mandate this of course.
Techniques like air gaps must be deployed, as well as other security measures. Besides that, do we really need Internet protocols in these kinds of systems? We have seen what moving to commodity hardware and networks has done to the industrial sector; let’s hope the aviation sector doesn’t make the same mistakes.
source: Reuters UK (external link)

Biometric data stolen from corporate lunch rooms system

I can understand why it may be difficult to secure the individual machines. But why are these machines accessible from the Internet?
And all this in a bid to “save money”. Well, you see what the end result is if you don’t take care of the total security posture. Especially if biometric data is thrown into the mix as well.
Credit monitoring then is the least you can offer your victims. As you can’t offer them new fingerprints, the effects unfortunately will be lifelong for all customers concerned.
This also shows precisely why I am glad that biometric data has become a special category under the GDPR.
source: The Register (external link)

Flight Centre leaks fliers’ passport details to ‘potential suppliers’

Comment by the spokesperson: “There are a few reasons why we believe the risk is relatively low. Firstly, the suppliers involved were looking to develop products for us and to establish longer term relationships (they still are). Secondly, we noticed our error fairly quickly. Thirdly, we were engaging with these potential suppliers via a formal process, so they were familiar to us.”
If you read between the lines, you could suggest that because they were already in talks with those companies to let them develop products, they would need to share that production data with them somewhere in the future anyway, so this breach caused by human error wasn’t actually that bad.
All too often production data is used in testing and acceptance environments, or even in development, where, in all three cases, it should actually never be at all.
Besides, if you are still in contract negotiations, who says those potential partners can be trusted? Okay, they acted quickly they say; I have to give them that much.
I wonder how much more we would have known under the new breach notifications mandate.
source: The Register (external link)

22,000 people accidentally signed up to clean toilets because people don’t read Wi-Fi terms

Whilst this prank is very hilarious, and it is fortunate that nobody really needs to do those 1000 hours of community service, although it would be good for society, I doubt that this company is really GDPR compliant.
Terms of service don’t hold the privacy notice, and certainly not the consent requests related to direct marketing and automatic profiling clauses. Those really need to be served up separately and in clear, concise and understandable language.
Secondly, the consent construction here looks like it is provided before access is granted, and if you don’t agree with the terms you won’t be allowed to use the “free” Wi-Fi service. This is another nail in the coffin of Purple’s claimed GDPR compliance, as consent is not valid if it is obtained as a precondition to providing a service.
The prank itself does nicely show that people don’t read terms of service or privacy notices; however, that’s mostly because nearly all of them are unreadable and too long in general. It also shows that Purple, at least at the time of writing of the linked article, doesn’t really understand what data protection regulations ask of a marketing firm.
source: Mashable (external link)

Bonus article

Why Security Experts Are Pissed That ‘1Password’ Is Pushing Users to the Cloud

This push towards the cloud has nothing to do with better security or privacy for their customers; it has everything to do with revenue. Unfortunately they are not the only company that is moving, or has moved, from a one-off licence fee to a subscription model.
One of the biggest software vendors, nothing to do with security, Adobe, changed all its software packages to cloud-only subscription models. In the long run that’s more profitable, they think; it is also far more expensive for users too.
And yes, cloud providers will have to be trusted to be secure, something which other cloud-based password managers have shown to have trouble with for sure.
source: Motherboard (external link)