March 25, 2019

Thousands of API and cryptographic keys leaking on GitHub every day

By Danny Bradbury

Researchers have found that one of the most popular source code repositories in the world is still housing thousands of publicly accessible encryption keys.

Over 100,000 code repositories on source code management site GitHub contain secret access keys that can give attackers privileged access to those repositories (repos) or to online service providers’ services.

Researchers at North Carolina State University (NCSU) scanned almost 13% of GitHub’s public repositories over nearly six months. In a paper revealing the findings, they said:

We find that not only is secret leakage pervasive – affecting over 100,000 repositories – but that thousands of new, unique secrets are leaked every day.

The credentials that developers routinely publish on their GitHub repos fall into several categories. These include SSH keys, cryptographic keys that grant automatic, password-free access to online resources. Another is application programming interface (API) keys (also known as tokens): digital keys that let developers access online services ranging from Twitter to Google Search directly from their programs. The researchers found a mixture of these keys for services including Google, Twitter, Amazon Web Services, Facebook, MailChimp, online telephony service Twilio, and credit card processing companies Stripe, Square, and Braintree.
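One way to catch keys like these before they are pushed is a simple pattern scan run as a pre-commit check. The example below is added here and is not the NCSU researchers' scanner; the regexes are my own, written from the publicly documented formats of AWS access key IDs, Stripe live secret keys, Twilio account SIDs and PEM private-key headers, and the sample file is constructed (the AWS value is the placeholder key from AWS's own documentation).

```python
import re

# Illustrative patterns for secret types named in the article (AWS, Stripe,
# Twilio) plus PEM private-key headers. The formats are the public ones each
# provider documents; the regexes are an added example, not the NCSU tool.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}


def mask(value, keep=4):
    """Keep a short prefix so a finding can be logged without re-leaking the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_text(text):
    """Return (kind, line_number, masked_match) for every hit, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((kind, line_no, mask(match.group(0))))
    return findings


# Constructed sample "settings file" of the kind that gets committed by accident.
# The AWS key is the documented AWS placeholder; the rest are made-up strings
# of the right shape. NOT_A_KEY shows that a too-short lookalike is ignored.
SAMPLE_FILE = """\
# settings.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
STRIPE_KEY = "sk_live_0123456789abcdefABCDEFgh"
TWILIO_SID = "AC0123456789abcdef0123456789abcdef"
NOT_A_KEY = "AKIA123"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...constructed-placeholder-body...
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for kind, line_no, shown in scan_text(SAMPLE_FILE):
        print(f"line {line_no}: {kind}: {shown}")
```

A non-empty result from scan_text is the signal to block the commit; the masked output is safe to put in CI logs.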

Read more at https://nakedsecurity.sophos.com/2019/03/25/thousands-of-coders-are-leaving-their-crown-jewels-exposed-on-github/

Update now! WordPress hackers target Easy WP SMTP plugin

By John E Dunn

Two hacking groups have been spotted targeting websites running unpatched versions of the WordPress plugin Easy WP SMTP.

Easy WP SMTP, which has more than 300,000 installs, is marketed as a plugin that lets WordPress sites route their bulk emails via a reputable SMTP server as a way of ensuring they aren’t spamholed by suspicious email providers.

Unfortunately, version 1.3.9 is vulnerable to a security flaw that allows attackers to set up ordinary subscriber accounts with hidden admin powers or hijack sites to serve malicious redirects.

According to WordPress firewall developer Defiant (formerly WordFence), the problem lies with the Import/Export functionality added to 1.3.9:

The new code resides in the plugin’s admin_init hook, which executes in wp-admin/ scripts like admin-ajax.php and admin-post.php.

This does not check the user capability, which means any logged-in user, including a subscriber, could trigger it.

It’s not clear from the plugin changelog how long 1.3.9 has been in use but a second firewall company, Ninja Technologies, said it first picked up attacks exploiting the weakness “since at least March 15.”

One campaign appears to be exploiting the vulnerability to grab admin privileges, while the second sends visitors to malicious sites before…

Injecting malicious <script> tags into all PHP files on the affected site with the string “index” present in their name. This obviously affects files named index.php, but also happens to impact files like class-link-reindex-post-service.php, present in Yoast’s SEO plugin.

Read more at https://nakedsecurity.sophos.com/2019/03/25/update-now-wordpress-hackers-target-easy-wp-smtp-plugin/

New ratings point to keyless cars that can stand up to relay attacks

By Lisa Vaas

Do you dislike the idea of standing in an empty driveway that should be occupied by your car, obediently waiting to unlock after you chirp-chirp your keyfob at it?

If so, you might want to take a gander at the security ratings for new cars put out by Thatcham Research, a nonprofit insurer research center in the UK.

Thatcham rated 11 cars that have been launched so far in 2019 and plans to continue to assess new cars for security. It rated six of those 11 cars as poor for security.

Specifically, it’s looking at those wireless keys: matchbox-sized fobs that have proven woefully susceptible to what’s known as relay attacks.

That’s when thieves use two relay devices that are capable of receiving, and extending, wireless signals from the car through walls, doors and windows, to reach the fob inside a car owner’s house. The relay devices are cheap to pick up online.

Standing next to the car, they just have to scan for signals transmitted by the wireless keys and then amplify them to open the cars, hop in and drive off.

Is your car a wireless sitting duck?

When the German General Automobile Club (ADAC) tested 237 keyless cars from 30 brands in January this year, it found that nearly all of them – 230 – were vulnerable to relay attack.

Read more at https://nakedsecurity.sophos.com/2019/03/25/new-ratings-point-to-keyless-cars-that-can-stand-up-to-relay-attacks/

Sacked IT guy annihilates 23 of his ex-employer’s AWS servers

By Lisa Vaas

An employee-from-hell has been jailed after he got fired (after a measly four weeks), ripped off a former colleague’s login, steamrolled through his former employer’s Amazon Web Services (AWS) accounts, and torched 23 servers.

The UK’s Thames Valley Police announced on Monday that 36-year-old Steffan Needham, of Bury, Greater Manchester, was jailed for two years at Reading Crown Court following a nine-day trial.

Needham pleaded not guilty to two charges under the Computer Misuse Act – one count of unauthorized access to computer material and one count of unauthorized modification of computer material – but was convicted in January 2019.

As the Mirror reported during Needham’s January trial, the IT worker was sacked after a month of lousy performance working at a digital marketing and software company called Voova in 2016.

In the days after he got fired, Needham got busy: he used the stolen login credentials to get into the computer account of a former colleague – Andy “Speedy” Gonzalez – and then began fiddling with the account settings. Next, he began deleting Voova’s AWS servers.

The company lost big contracts with transport companies as a result. Police say that the wreckage caused an estimated loss of £500,000 (about $700,000 at the time). The company reportedly was never able to claw back the deleted data.

Read more at https://nakedsecurity.sophos.com/2019/03/22/sacked-it-guy-annihilates-23-of-his-ex-employers-aws-servers/

Microsoft Windows 7 patch warns of coming patchocalypse

By Danny Bradbury

Microsoft has issued a patch to remind Windows 7 users that they’ll soon have no patches.

The update tells users that they won’t be able to get support for Windows 7 after 14 January 2020, and it’s effectively a nudge to upgrade to a later operating system (Microsoft has been pressuring people for a long time to upgrade to Windows 10).

What does end of support really mean?

Each version of Windows goes through different support stages. In mainstream support, it gets all the updates and patches you’d expect, but this phase eventually ends, at which point the operating system version switches to extended support. This still provides security updates, but non-security updates are no longer available for desktop consumer products. Enterprises can only get them with extended hotfix support.

Mainstream support for Windows 7 without Microsoft’s Service Pack 1 (SP1) ended on 9 April 2013. Those who had installed SP1 saw mainstream support end on 13 January 2015. Since then, Windows 7 SP1 users have been on extended support. The end of support that Microsoft is talking about on 14 January 2020 is the end of that extended support, which is a little like running off a cliff, security-wise.

Read more at https://nakedsecurity.sophos.com/2019/03/22/microsoft-windows-7-patch-warns-of-coming-patchocalypse/

Spycam sex videos of 1,600 motel guests sold to paying subscribers

By Lisa Vaas

We’ve heard before about hotel owners or Airbnb creep-hosts who’ve set up hidden webcams to capture videos of people having sex, but it seems there are also scumbags selling the live-streamed or prerecorded videos to paying subscribers.

The Korea Herald reported on Wednesday that police have arrested two people for setting up the spycams used to secretly film about 1,600 motel guests over the past year, and that the Seoul Metropolitan Police Agency’s cyber investigation unit had also booked two people for selling the videos.

The Korea Herald, and/or Seoul police, didn’t specify how they got tipped off, but however that happened, the investigation uncovered wireless IP cameras set up at 42 motel rooms at 30 motels in 10 cities in the North and South Gyeongsang and Chungcheong Provinces between 24 November 2018 and 2 March – as in, this was going on up until a few weeks ago.

Tiny hidden cameras

Investigators found “ultra-mini” webcams equipped with what the newspaper said were 1mm lenses – which I take to mean, based on optics-focused discussions like this, that the cameras were teensy. All the better to hide from you, my dear, tucked away in TV set-top boxes and wall sockets, among other hiding places.

Read more at https://nakedsecurity.sophos.com/2019/03/22/spycam-sex-videos-of-1600-motel-guests-sold-to-paying-subscribers/

Scammer pleads guilty to fleecing Facebook and Google of $121m

By John E Dunn

Large, worldly tech companies would never fall for a wire transfer invoice scam, would they?

The truth is that any company can fall prey if the fraud is convincing enough – as shown by the case of 50-year-old Lithuanian Evaldas Rimasauskas, who this week pleaded guilty to conspiring with others to fleece $121 million (£93 million) out of industry giants Facebook and Google.

Arrested in Lithuania two years ago, Rimasauskas orchestrated a phishing campaign between 2013 and 2015, according to US authorities, in which employees of the two companies were emailed spoofed invoices that appeared to come from Taiwanese computer maker Quanta Computer.

The scammers even went as far as registering a company in Latvia under the same name to make the funds request look more plausible, as well as forging invoices using fake embossed corporate stamps.

In total, payments of $23 million from Google and as much as $98 million from Facebook ended up in bank accounts in Latvia and Cyprus, from where they were wired to bank accounts in Slovakia, Lithuania, Hungary, and Hong Kong.

The very thing that might normally arouse suspicion – the size of the invoices – was on this occasion what made them seem normal to two large companies that did regular business with the Asian supplier.

Just as small-time phishing scams are tailored to the sort of person they hope to defraud, so larger ones adopt the same tactic, reconfigured to fool the invoice departments at big companies.

Read more at https://nakedsecurity.sophos.com/2019/03/22/scammer-pleads-guilty-to-fleecing-facebook-and-google-of-121m/

Change your Facebook password now!

By Paul Ducklin

Oh, feet of clay!

Facebook has just admitted that it has found many places – hundreds of millions of places, maybe – where it saved users’ passwords to disk in raw, unencrypted form.

In jargon terms, these are known as plaintext passwords, and it means that instead of seeing a password scrambled into a hashed form such as 379f1531753a7c43ab4f4faace212451, anyone looking at the stored data will see the actual password, right there, just like that.

Like that: 123456789, or that: mypassword99, or that: jw45X$/6FsT8.

Plaintext passwords used to be commonplace, decades ago, but it’s become technically, socially and even morally irresponsible to save raw passwords over the years, a bit like drink-driving has become not only a statutory offence but also outright unacceptable on the road.

In other words, it used to be the norm; then it was the thing you only did if you thought you wouldn’t get caught; and today it’s something that gets the book thrown at you, given that it’s so easy to get it right and so risky to get it wrong.
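The "easy to get it right" part looks like this in practice: a salted, slow hash is stored instead of the password, and a login attempt is checked by recomputing the hash rather than comparing raw strings. This is an added example, not Facebook's code; it uses Python's standard-library PBKDF2 and an illustrative iteration count, and the record format (algorithm$iterations$salt$digest) is my own choice.

```python
import hashlib
import hmac
import os

# Illustrative work factor; tune to your hardware, or prefer a dedicated
# password hash such as argon2 or bcrypt where available.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def store_password(password, salt=None):
    """Return the record to write to disk: algorithm$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt is drawn per user unless one is supplied, so
    two users with the same password get different records.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # malformed or foreign record: never accept
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_reveals_password(password, record):
    """True if the stored record contains the raw password (the plaintext mistake)."""
    return password in record


if __name__ == "__main__":
    # Constructed sample passwords, taken from the article's own examples.
    for pw in ("123456789", "mypassword99", "jw45X$/6FsT8"):
        rec = store_password(pw)
        print(rec)
        assert verify_password(pw, rec) and not record_reveals_password(pw, rec)
```

Anyone who obtains the stored record sees only the salt and the digest; an attacker still has to guess the password and pay the full PBKDF2 cost per guess.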

How did Facebook make such a basic mistake?

The good news is that the wrongly stored passwords don’t seem to be part of Facebook’s externally-accessible authentication system.

In other words, the Facebook gateway servers that let outside users log in aren’t festooned with raw copies of everyone’s passwords.

Read more at https://nakedsecurity.sophos.com/2019/03/21/change-your-facebook-password-now/
