March 5, 2019

Comcast security nightmare: default ‘0000’ PIN on everybody’s account

By Lisa Vaas

In 2017, Comcast launched Xfinity Mobile: a wireless service that runs on Verizon wireless and Comcast’s own Wi-Fi hotspots.

To make it easy for customers to port their existing phone numbers over from other carriers, the company used a shortcut: no PINs needed. Oh, except for one default PIN of “0000,” that is, which made it super simple for crooks to hijack people’s phone numbers.

The glaring security gaffe came to light after multiple customers reported that their numbers had been ported without authorization, that the hijackers had switched the numbers to their own accounts, and that the crooks then carried out identity theft.

One of the ripped-off customers wrote to a Washington Post columnist who addresses readers’ tech problems. From the column, which appeared on Thursday:

‘This is a security hole large enough to drive a truck through,’ reader Larry Whitted in Lodi, Calif., wrote last week.

As a customer of Comcast’s Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with Whitted’s credit card – and went to the Apple Store in Atlanta and bought a computer, he said.

The core of the problem: Comcast doesn’t protect its mobile accounts with a unique PIN. (Comcast’s help site for switching carriers suggests this is to make things easier: ‘We don’t require you to create an account PIN, so you don’t need to provide that information to your new carrier.’) The default it uses instead is…. 0000.

To port your phone number, you need two things: your Comcast mobile account number, and a PIN that should, in theory, verify that it’s really you, the legitimate account holder, looking to port your own number. Comcast apparently sought to make it easier for customers by appearing to make the process PIN-less. But it didn’t make the PIN go away: reportedly, it just set a default PIN of 0000 for all customers … a PIN that customers couldn’t change.


Update now! Critical Adobe ColdFusion flaw now being exploited

By John E Dunn

Adobe has issued an urgent out-of-band patch for a critical flaw in the ColdFusion web development platform it says is being exploited in the wild.

The company’s APSB19-14 bulletin is light on detail but describes the issue as a “file upload restriction bypass” affecting ColdFusion 2018 update 2 and earlier, 2016 update 9 and earlier, and 17 and earlier:

This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request.  Restricting requests to directories where uploaded files are stored will mitigate this attack.

Who’s affected?

According to a blog by one of those credited by Adobe for reporting the issue, Charlie Arehart, updating should be a particular concern to ColdFusion servers that allow file uploads to a web-accessible folder, have any code that does the same in ColdFusion Markup Language (CFML), and have not disallowed files with server-executable extensions.

Wrote Arehart:

I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don’t want this to happen to you.

Cybercriminals have a history of developing exploits for the platform, aware perhaps that not all admins get around to patching it as quickly as they should.
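
A defender-side check for the condition described above (uploads landing in a web-accessible folder without server-executable extensions being disallowed), as an added example that is not from Adobe's bulletin or Arehart's blog. It walks an upload directory and reports files whose names carry an extension the server would execute; the extension list, function names and sample file names are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions this server would execute. .cfm/.cfml/.cfc are CFML;
# .jsp is listed because ColdFusion runs on a Java servlet engine.
EXECUTABLE_EXTS = {".cfm", ".cfml", ".cfc", ".jsp"}

def risky_extension(filename):
    """Return the executable extension carried by a filename, or None."""
    # Normalise case and strip trailing dots/spaces, which Windows ignores.
    name = filename.lower().rstrip(". ")
    # Inspect every dot-separated segment so double extensions such as
    # "notes.cfm.txt" are reported for review, not only the final one.
    for part in name.split(".")[1:]:
        if "." + part in EXECUTABLE_EXTS:
            return "." + part
    return None

def audit_upload_dir(root):
    """Walk an upload directory; return sorted (relative_path, extension) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            ext = risky_extension(f)
            if ext:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append((rel, ext))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed upload directory with benign and suspicious names."""
    root = tempfile.mkdtemp(prefix="uploads_")
    os.mkdir(os.path.join(root, "sub"))
    names = ["photo.jpg", "invoice.pdf", "avatar.CFM", "notes.cfm.txt",
             os.path.join("sub", "helper.cfc")]
    for rel in names:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return root

if __name__ == "__main__":
    for path, ext in audit_upload_dir(build_sample_tree()):
        print(f"server-executable extension {ext}: {path}")
```

Any finding means the upload handler is accepting names it should reject, and the directory should also be excluded from request handling as the bulletin advises.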


Windows IoT Core exploitable via ethernet

By Danny Bradbury

Microsoft’s Internet of Things (IoT) version of Windows is vulnerable to an exploit that could give an attacker complete control of the system, according to a presentation given by a security company over the weekend.

At the WOPR Summit in New Jersey, SafeBreach security researcher Dor Azouri demonstrated an exploit that will allow a connected device to run system-level commands on IoT devices running Microsoft’s operating system.

Windows IoT is effectively the successor to Windows Embedded. The lightweight version of Windows 10 is designed with low-level access for developers in mind and also supports ARM CPUs, which are extensively used in IoT devices. According to the Eclipse Foundation’s 2018 IoT Developer Survey, the operating system accounts for 22.9% of IoT solutions development, featuring heavily in IoT gateways.

How it works

The attack comes with some caveats. According to the whitepaper published yesterday, it only works on stock downloadable versions of the Core edition of Windows IoT, rather than the custom versions that might be used in vendor products. An attacker can also only launch the exploit from a machine directly connected to the target device via an Ethernet cable.


Apple gets bug for free, while HackerOne declares first $1m bug hunter

By Lisa Vaas

Get ready for bug bounty whiplash: on one end of the spectrum, we’ve got the world’s first $1 million bug bounty hunter, according to HackerOne, and on the other, we’ve got a German teenager who caved and gave Apple a bug for free after refusing to do so in protest of the company’s invite-only/iOS-only bounties.

As far as the rich kid story goes, HackerOne announced on Friday that 19-year-old Santiago Lopez, a self-taught hacker from Argentina, has made history as the first hacker to make $1 million from bug bounties.

That would be cumulative, mind you, not a one-time uber bug. Lopez has been at this a long time, and he’s racked up a long list of bug kills.

Lopez goes by the handle @try_to_hack on HackerOne, an online platform that companies use to receive and manage vulnerability reports. Lopez, who’s been hacking and scoring bug bounties since 2015, has reported over 1,670 valid unique vulnerabilities to companies such as Verizon Media Company, Twitter, WordPress, Automattic, and HackerOne, as well as to private programs.

$42 million paid out since HackerOne debuted

In its 2019 annual report, which it released on Friday, HackerOne said that it paid out $19 million in bounties in 2018: an amount that’s close to the total bounty payouts for all preceding years combined.


