April 3, 2019

Is your hard drive exposed online?

By Danny Bradbury

Over 13,500 internet-connected storage devices have been exposed online by users who failed to set access passwords for them, it emerged last week.

The affected drives all use the Internet Small Computer Systems Interface (iSCSI), which is an implementation of the older SCSI interface that connected disk drives directly to computers.

iSCSI, which was standardized in 2000, enabled that protocol to operate over IP connections so that devices could connect to drives across local area networks, or wide-area connections including the general internet.

Today, people use iSCSI to connect to a range of devices including the kinds of network-attached storage (NAS) drives that you’d find in a small office, and larger banks of network storage devices in datacenters.

iSCSI is also a common way for computers to connect to virtual machines (VMs). These are software files containing entire operating systems that run on a thin layer of software rather than directly on a physical server, making it possible to run many of them on a single computer at once. VMs are the basis for modern cloud computing, which relies entirely on virtualised resources.

Here’s the problem with putting things on the internet, though: They’re usually easy to find and connect to. If you put something like an iSCSI device online and then fail to secure it with login credentials, it means that it’s publicly available for anyone to access.

Read more at https://nakedsecurity.sophos.com/2019/04/03/mass-misconfiguration-exposes-13500-online-drives/

2m credit cards ripped off from restaurant chain, sold on the dark web

By Lisa Vaas

Earl Enterprise – the owner behind a slew of US restaurant chains – confirmed on Friday that one or more hackers had installed credit card slurping malware on point-of-sale (PoS) systems at a half dozen of its restaurant brands.

The company said that potentially affected restaurants include its brands Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria. It’s set up a look-up tool at this site that lets you search for affected locations by city, state and brand.

The company said that the malware was designed to capture payment card data, which may have included credit and debit card numbers, expiration dates and, in some cases, cardholder names.

The dates of potentially affected transactions vary by location, though overall, customers who used their payment cards at the potentially affected locations between 23 May 2018 and 18 March 2019 might have been affected. The malware didn’t affect orders paid for online through third-party applications or platforms.

Earl Enterprise said that the breach has now been contained and that it’s working with two cybersecurity firms on an internal investigation, as well as with federal law enforcement. It’s working “diligently” with security experts on further remediation, it said, and plans to closely monitor its systems and take additional security measures “to help prevent something like this from happening again in the future.”

Earl Enterprise first got a heads-up about the PoS malware back in February, when security journalist Brian Krebs contacted the company to let it know that he’d found a big cache of credit and debit card numbers belonging to the company’s customers that were being sold on the Dark Web.

Read more at https://nakedsecurity.sophos.com/2019/04/03/2m-credit-cards-ripped-off-from-restaurant-chain-sold-on-the-dark-web/

Patch Android now! April updates fix three critical flaws

By John E Dunn

Android’s April update just landed and this month the headline story is two critical CVE-level patches among a total of 11 affecting anyone with handsets running versions 7, 8, and 9.

The good news is that as far as Google knows, none of this month’s flaws are being exploited. That could change, of course, which is why getting the updates should be a priority as soon as they become available from this week.

The first two criticals are identified as CVE-2019-2027 and CVE-2019-2028, affecting all versions 7.x, 8.x, and 9.0 of the core AOSP, the part of the OS that is universal to anything running Android.

Both are Remote Code Execution (RCE) vulnerabilities in the oft-patched media framework, either of which could allow an attacker to “execute arbitrary code within the context of a privileged process.”

The final critical bug is CVE-2019-2029, another RCE affecting all versions from 7.x and up that will be shipped to users on the 2019-04-05 patch level (see below for an explanation of what that means).

The other eight AOSP flaws are all marked high priority, including six elevation of privilege (EoP) flaws and three information disclosure flaws.

As usual, Qualcomm gets a small blizzard of fixes, 30 of which are in open-source components and another 44 in proprietary software. The first group includes one critical along with others rated high. The second includes six criticals with the rest marked high priority.

Read more at https://nakedsecurity.sophos.com/2019/04/03/patch-android-now-april-updates-fixes-three-critical-flaws/

Government spyware hidden in Google Play store apps

By Lisa Vaas

We’ve seen malicious government cyberweapons leaked out of the National Security Agency (NSA) and injected via ransomware, but security researchers recently found government spyware squatting in plain sight, pretending to be harmless vanilla apps on Google’s Play store.

This time around, the malware doesn’t come from the NSA. Rather, it allegedly comes from the Italian government, which apparently purchased it from a company that sells surveillance cameras.

According to Motherboard, this is the first time that security researchers have seen malware produced by the surveillance company, known as eSurv.

It was discovered in a joint investigation carried out by Motherboard and researchers from Security Without Borders – a non-profit that often investigates threats against dissidents and human rights defenders.

Security Without Borders published a technical report of their findings on Friday:

We identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years. These apps would remain available on the Play Store for months and would eventually be re-uploaded.

They’re calling the malware Exodus, after the name of the command and control servers the apps connected to.

The connection with Italy was apparently made due to snippets of Italian text in the code, such as mundizza, a dialect word from Calabria that means trash or garbage, and RINO GATTUSO, a famous retired footballer from Calabria, the region where eSurv is based.

Read more at https://nakedsecurity.sophos.com/2019/04/02/government-spyware-hidden-in-google-play-store-apps/

TP-Link router zero-day offers your network up to hackers

By Paul Ducklin

Just last week, we talked in the Naked Security podcast about what you can do if you’re stuck with a router with security holes that you can’t easily fix.

One way this can happen is if your ISP won’t let you connect at your end unless you use a router provided by them.

These “forced routers” are typically locked down so you can’t update them yourself, and may even have remote access permanently enabled so that your ISP can wander in at will.

Our recommendation, when you’re faced with someone else’s router in your own home, is simply to treat it as if it were miles away at the other end of your phone line or cable connection, back in the ISP’s data center or the phone company’s local exchange where you can’t see it.

Buy a second router (or get yourself the free Sophos XG Firewall Home Edition), plug the ISP’s router LAN (internal) port into the WAN (external) port of the device you look after yourself, and pretend the ISP’s equipment doesn’t exist.

Don’t bother with the Wi-Fi and firewall parts of the ISP’s router – just treat it as a straight-up modem that interconnects your home ethernet network with the phone, cable or fiber network used by your ISP.

Read more at https://nakedsecurity.sophos.com/2019/04/02/tp-link-router-zero-day-that-offers-your-network-up-to-hackers/

Are there viable alternatives to Facebook and Twitter?

By Maria Varmazis

The thinking goes that the reason so many of us who hate social networks are still stuck using them is because it’s simply where everyone else is (which is certainly the case with me).

If only everyone would make a mass migration to some other kind of service altogether, then perhaps we could finally regain some control over our data without stepping out of our social lives. But are there actual alternatives available?

Spoiler alert: Indeed there are, so let’s take a look at them and what kind of benefits they might offer over the usual suspects. Do these alternatives protect user privacy and data, and are they user-friendly enough for everyone to use or just techy pipe dreams?

Decentralized social network – what does that mean?

There is growing interest in social networks that prioritize putting control back in the hands of users. Two of the more popular “alternative” social platforms are Mastodon and Diaspora – platforms that run a constellation of decentralized, or federated, communities.

Instead of going to a central site like Twitter.com or Facebook.com, users join separate “instances” (Mastodon) or “pods” (Diaspora) to make connections to other like-minded members.

This means members can join a smaller local community where they have their own specific rules, and moderate membership to make their social village feel like an online home, but they can also still interact with other members in other instances or pods if they choose to.

In other words, a Mastodon or Diaspora user has a smaller home base where they’re likely spending most of their time, but they’re not fenced in if they want to wander elsewhere into the bigger world.

Read more at https://nakedsecurity.sophos.com/2019/04/02/are-there-viable-alternatives-to-facebook-and-twitter/

Possible Toyota data breach affecting 3.1 million customers

By John E Dunn

Several Toyota companies have announced that they might have suffered data breach attempts, with one affecting 3.1 million Toyota and Lexus customers.

In a brief account describing the most significant of these, the Japanese parent company said that on 21 March attackers gained “unauthorized access on the network” which led them to customer data belonging to eight sales subsidiaries in the country.

Toyota said it is still investigating what data might have been breached, or even whether any data has been breached:

We have not confirmed the fact that customer information has been leaked at this time, but we will continue to conduct detailed surveys, placing top priority on customer safety and security.

So far, it has at least managed to establish that…

…The information that may have been leaked this time does not include information on credit cards.

Clearly, the company isn’t taking any chances and has decided to tell its customers something now rather than sitting on bad news.

A data breach affecting Japanese Toyota subsidiaries wouldn’t normally get that much attention, were it not for the fact that it fits a larger pattern of attacks against the company.

Read more at https://nakedsecurity.sophos.com/2019/04/02/possible-toyota-data-breach-affecting-3-1-million-customers/
Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation