Archive for NEWS

Maintenance Mode aims to keep phone data private during repairs

One of the biggest data related headaches you’ll face with a mobile device is what do to in the event of a repair. When you have to send your phone in for a fix, what happens to your data? In many cases, the repair technicians will simply scrub the phone by default unless you ask them not to. In cases of the latter, though, how do you keep everything safe? You have no guarantee that the technician won’t sneak a peek at files, folders, passwords, logins, your browsing history…you name it, it’s on there.

A timeless problem, and one often met with a resigned sigh, a backup, and a pre-repair phone wipe “just in case”. It’s a reasonable concern. Even if it is very unlikely that the person doing the fixing is remotely interested in your day-to-day life, you’re still trusting your personal data and private information in the hands of a complete stranger.

New solutions are being applied to this incredibly common, yet oddly invisible tech problem in the form of Samsung’s new “maintenance mode.”

From repair to maintenance

You may have heard of this new mode by another name. Back in July when word first spread, it was known as repair mode. Anyone digging into the Battery and Device Care options would see a new option to make all of your personal info, apps, and files invisible to the tech looking at the phone. At the time, this option was only available on specific models and also only in South Korea. Similarly, it was assumed this new option would roll out to other regions and devices.

Sure enough, this has proven to be the case and we now have a slow global rollout of this new privacy retaining addition. We also have a name change, in the form of Maintenance Mode, and some more details as to how it operates.

How does Maintenance Mode work?

When activated, “Maintenance Mode” essentially creates a temporary, disposable user account on the phone. Access to everything on there previously is restricted for as long as someone else has hold of your device. From the new mode’s splash screen:

“In maintenance mode, your personal data including pictures, messages, and accounts, can’t be accessed and only preinstalled apps can be used. You’ll need to unlock your phone to turn off maintenance mode. When you do, everything will go back to the way it was when maintenance mode was first turned on. Changes made while maintenance mode is on, such as downloaded data or settings changes, aren’t saved. Back up your data.”

This last line is good advice. You should always back your data up anyway before handing over your phone, just in case it can’t be fixed. It’s also likely that some people may mistake Maintenance Mode as an additional way of backing up data as opposed to “just” shielding it from prying eyes, so this messaging is entirely worth it.

To use or not to use

Regardless of new tech features for your device, you should always weigh the pros and cons of handing something over with personal details on it, versus just backing up and wiping. New and cool privacy features tend to take a bit of a tech grilling as more people see what they can and can’t do with them. If you’re worried about someone figuring out a way to exploit maintenance mode, for example, you may want to just wait a while and see if anything untoward happens first. Again, while this is probably a minor risk for most people, awful people do awful things with your private data if they feel like they can get away with it.

For everyone else, this might be a new phone addition which goes some way to easing a data deletion headache. It’s definitely no fun to reinstall and reauthorize a whole mobile ecosystem when you get your device back. Perhaps this tips the fatigue odds a little bit back in your favor.

Posted in: NEWS

Leave a Comment (0) →

Medibank customers’ personal data compromised by cyber attack

Australian health care insurance company Medibank confirmed that the threat actor behind a cyberattack on the company had access to the data of at least 4 million customers.

Although Medibank at first said that there was “no evidence that customer data has been accessed,” a week later their investigation shows that the threat actor had access to all Medibank customers’ personal data and significant amounts of health claims data.

Stolen data

The cybercrime investigation shows that the criminal had access to:

  • All ahm customers’ personal data and significant amounts of health claims data
  • All international student customers’ personal data and significant amounts of health claims data
  • All Medibank customers’ personal data and significant amounts of health claims data

This does not necessarily mean that all these data have been stolen, but Medibank has been contacted by the threat actor claiming to have stolen 200GB of data. They provided a sample of records for 100 policy records which are believed to come from the ahm and international student systems.

The provided data sample includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. It also includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures.

The claim that the attackers have stolen other information, including data related to credit card security, has not yet been verified.

Not just current customers

Medibank has promised it will commence making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next. There may be some surprises, because not all affected people are current customers. Australian law required Medibank to hold onto past customers’ data, which was why former clients could be caught out by this breach. Relevant laws in the country require the company to keep the health information of adults for at least seven years and for individuals younger than 18 until that individual is at least 25 years old.

What to do?

Medibank and ahm customers can contact Medibank by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates.

Until the investigation has verified the full extent of the stolen data, it is hard to establish whether your data have been stolen. So far it has been confirmed international students have been affected. Of which there are many, since private health insurance is a requirement when they start a study in Australia.

Medibank provides comprehensive support package for customers who have had their data stolen which includes:

  • Financial support for customers who are in a uniquely vulnerable position as a result of this crime. They will be supported on an individual basis.
  • Free identity monitoring services for customers who have had their primary ID compromised
  • Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime

And they are offering all customers access to:

  • Specialist identity protection advice and resources from IDCARE
  • Medibank’s mental health and wellbeing support line

This and any new information can be found on Medibank’s webpage about the cybersecurity incident.

As always, when personal data have been stolen it is advisable to deploy some extra vigilance when it comes to phishing attempts that could very well use some of the stolen information to gain credibility.

Posted in: NEWS

Leave a Comment (0) →

Malformed signature trick can bypass Mark of the Web

Mark of the Web (MOTW)—the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet—is back in the news, but unfortunately not in a good way.

Bleeping Computer reports that a recently uncovered (but somewhat old) bug has been unearthed which helps people with bad intentions to leapfrog MOTW alerts. This has, apparently, already been observed in ransomware attacks.

MOTW was originally an Internet Explorer security feature. It broadened out into a way for your Windows devices to raise a warning when interacting with files downloaded from who-knows-where. Over time, it even contributed to preventing certain types of files from running. It’s a versatile, helpful thing. We most recently talked about it when 7-Zip decided to support MOTW.

If you open a file flagged with MOTW, at the bare minimum you should see one of several messages, depending on if you’re looking at file properties, or attempting to open a file which you’ve downloaded. It might be this:

This file came from another computer and might be blocked to help protect this computer.

Alternatively, you might see this one instead:

While files from the internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software.

Microsoft Office will also use MOTW as a way of deciding if Protected View activates.

Bypassing MOTW

It seems that signed files are the key to this conundrum. Files can be cryptographically signed in order to confirm who created them, and to confirm that they have not been changed since they were signed. (As Microsoft points out, this doesn’t assert that a file is safe, only that it has not been tampered with.)

So far, so good. How does this result in MOTW bypasses, though? Well, first of all it seems this has been an issue for several years. To be more specific, this probably became a bug around the release of Windows 10.

The problem is that a malformed signature results in the various possible warnings to notify of bad times ahead going AWOL. You will simply never see them:

According to an interview with Will Dormann on Bleeping Computer, the problem appears to be related to SmartScreen, introduced in Windows 10.

It’s never a good thing when malware authors are able to turn security features on their head and use them against the people sitting in front of their device. Making yourself less safe by disabling a setting like SmartScreen just to ensure you see a warning that you should see anyway, and is also supposed to keep you safe, isn’t a trade off that anyone should need to make. Fingers crossed that this one is resolved as soon as possible.

Posted in: NEWS

Leave a Comment (0) →

iPhone zero-day. Update your devices now!

It’s time to update your Apple devices to ward off a zero-day threat discovered by an anonymous researcher.

As is customary for Apple, the advisory revealing this attack is somewhat threadbare, and doesn’t reveal a lot of information with regard to what’s happening, but if you own an iPad or iPhone you’ll want to get yourself on the latest version.

The zero-day is being used out in the wild, and Apple holding back the specifics may be enough to slow down the risk of multiple threat actors taking advantage of the issue, known as CVE-2022-42827. However, Apple’s lack of detail means it’s not possible to explain what to watch out for if you think your device may have been compromised.

The vulnerability affects the kernel code, the core of the software that operates the device. It can be abused to run remote code execution attacks, which can lead to issues like crashing and / or data corruption. According to Apple, the issue impacts:

  • iPhone 8 and later
  • iPad Pro (all models)
  • iPad Air 3rd generation and later
  • iPad 5th generation and later
  • iPad mini 5th generation and later

At time of writing, there is very little you can do other than fire up your Apple product and make your way to the updates section. There is no reason to panic, but no need to delay either.

How to update your device

It’s entirely possible that your device is already set to update automatically. If so, then you shouldn’t have to worry about this one: Your device will do it all for you. If not, and your device is on the list above, don’t worry. The route to updating your iPhone or iPad is very standard across the board, no matter which specific flavour you happen to be running:

  1. Plug into a power source and enable Wi-Fi

  2. Select Settings > General, and then Software Update.

  3. Select your desired update(s) and begin the install process.

Automatic updates can be applied like so:

  1. Settings > General > Software Update

  2. Select Automatic Updates, and then enable Download iOS Updates

  3. Turn on Install iOS Updates.

Finally, for Rapid Security Response updates (which ensures important security fixes are applied as soon as possible):

  1. Settings > General > Software Update

  2. Select Automatic Updates

  3. Enable the Security Responses & System Files option

There have been numerous publicly documented zero-day attacks aimed at Apple products this year. While most of these tend to be quite targeted and specific, there is absolutely no harm in getting into the habit of updating. It doesn’t just help to protect you from issues such as the one above, but many other potentially less serious issues too.

Stay safe out there!

Posted in: NEWS

Leave a Comment (0) →

Point-of-sale malware used to steal 167,000 credit cards

In the 19 months between February 2021 and September 2022, two point-of-sale (POS) malware operators have stolen more than 167,000 payment records, mainly from the US, according to researchers at Group-IB. The researchers were able to retrieve information about infected machines and compromised credit cards by analyzing a command and control (C2) server used by the malware.

POS malware is designed to steal debit and credit card data from POS machines in retail stores. It does this by harvesting the temporarily unencrypted card data from the machine’s memory. Due to improved security measures against this type of theft in most countries, this type of malware isn’t as widely used as it once was, although it never disappeared completely.

The malware

The researchers found badly configured control panels for two different strains of POS malware, MajikPOS and Treasure Hunter. A possible explanation is that the operatros started out using Treasure Hunter and adapted MajikPOS at a later time. This is likely because the source code for MajikPOS has been circulating on the Dark Web and it offers additional features compared to Treasure Hunter.

The basic ability of all POS malware is the same—to steal sensitive card payment details from the RAM of a POS device where the data can be found in an unencrypted form. But different families offer other options when it comes to persistence and processing stolen data.

The machines targeted by the malware were found by scanning for remote desktop applications like RDP and VNC, and then guessing their passwords. Successfully guessing their passwords gave the attackers the same access to those computers as they would get if they were actually sat in front of them.

During the investigation, Group-IB specialists analyzed around 77,400 unique card dumps from the MajikPOS panel and about 90,000 from the Treasure Hunter panel. Most of the stolen cards were issued by US banks, and most of the infected POS terminals are located in the US.

The average price for a single card dump is around $20, so if the threat actors were able to sell the stolen dumps on an underground market, they could have made in excessive of $3 million.

Credit identity theft

Credit identity theft happens when a scammer steals your credit card data and uses it to make fraudulent purchases or obtains a credit card or loan under your name. According to the FTC, people who suspect they are the victim of credit identity theft should contact their bank or credit card company to cancel their card and request a new one. If you get a new card, don’t forget to update any automatic payments with your new card number.

To find out if you are a vicitm:

  • Review your transactions regularly, to make sure no one has misused your card.
  • If you find fraudulent charges, call the fraud department and get them removed.
  • Check your credit report at annualcreditreport.com.

Mitigation

All the usual, basic (and effective) security advice applies to POS device owners. If you operate POS machines:

  • Implement a plan for patching software in a timely manner
  • Protect passwords with two-factor authentication, preferably FIDO 2
  • Use a strong password policy and rate limiting to further protect passwords
  • Run endpoint security software with EDR to detect malware and intruders
  • Assign access rights according to the Principle of Least Privilege
  • Segment networks to slow down lateral movement

Posted in: NEWS

Leave a Comment (0) →
Page 3 of 311 12345...»