Cyber Advisors Blog

In the Know - Cyber Security Update - Week of September 17th - September 24th

Posted by Eric Brown on Sep 24, 2017 7:03:17 PM

iStock-518729653 (1).jpg

Pattern recognition easily defeats Android passwords, more Amazon S3 buckets exposed, GPS coordinates on an Instagram post lead to a Most Wanted Arrest, and WI-FI theft causes the FBI to raid the wrong home. 

We continue with our theme of improving our security posture by looking at some quick ways to keep our own personal WI-FI from being hacked.

For those in the Twin Cities:

We are having a Cyber Security Fall Forum at Utipils Brewery on October 17th, Craft beer, soda, food and an afternoon of Cyber Security!  Register here:  http://connect.cyberadvisors.com/brew-and-bytes-fall-securitforum

  1. Pattern based passwords to secure Android phones are easily defeated.

Researchers at the US Naval Academy and University of Maryland Baltimore County published a study detailing how easy it is for a casual observer to pick up and remember an Android unlock pattern with ease.   In person, tests showed six point Android unlock patterns can be reproduced 86% of the time after just one viewing.  Six digit pins however were only reproducible 20% of the time after a single viewing.

The researchers say the reason for this is that our brains are adept at picking up and remembering patterns.  For those who like using patterns to protect their Android, the researchers suggest turning off pattern visibility, which leaves feedback lines along the path that your finger traced.   With visual feedback off, on average, 60% of subjects could guess the correct pattern after a single in person viewing.

Research Paper:
https://www.usna.edu/Users/cs/aviv/papers/avivACSAC2017.pdf

2. Three more Amazon S3 buckets exposed – SVR, Viacom and Verizon join a lengthy list.

Two more billion-dollar organizations and a private firm join the ranks of companies that have irresponsibly left sensitive data exposed to the internet.

 SVR – a vehicle tracking company:
Kromtech Security Research Center found 540,642 SVR accounts with email addresses, passwords, VIN (Vehicle Identification Numbers), and some license plates were publicly available on an Amazon S3 bucket.  The exposed data included contracts with more than 400 car dealers that use SVR services.  According to SVR’s website, the tracking unit provides “continuous vehicle tracking, every two minutes when moving” and a “four hour heartbeat when stopped.”

 “In the age where crime and technology go hand in hand, imagine the potential danger if cyber criminals could find out where a car is by logging in with the credentials that were publicly available online and steal that car?” said Kromtech’s Bob Diachenko.

 Verizon Wireless:
Kromtech Security Research Center found a bucket containing internet-exposed files named “VZ Confidential’ and ‘Verizon Confidential’.  These files contained internal usernames and passwords which would allow access to other parts of Verizon’s internal network and infrastructure.  Another folder contained production logs, server architecture description, passwords and login credentials.

Viacom:
UpGuard researchers found what appears to be the primary or backup configuration of Viacom’s IT infrastructure managed by their Multiplatform Compute Services Group MCS.

The Multiplatform Compute Services (MCS) group supports the infrastructure for hundreds of Viacom’s online properties, including MTV, Nickelodeon, Comedy Central, Paramount, and BET. We are responsible for provisioning, configuring, and monitoring thousands of systems (mostly CentOS) and the applications, which run on them, as well as troubleshooting problems within the environment.

Researchers surmise that the data contained in the S3 bucket are incremental backup files.  According to UpGuard “The data contained in seventy-two .tgz files in the bucket appears to be an incremental backup scheme. When decompressed, each .tgz file is revealed to contain a number of folders, such as “manifests,” “configs,” “keys,” and “modules,” as well as a number of files indicating the use of Puppet, a server provisioning and automation suite.”

While no personal data was exposed, the information is quite valuable to malicious actors, providing the blueprints to Viacom’s IT architecture and master key to its server configurations.

SVR:  https://mackeepersecurity.com/post/auto-tracking-company-leaks-hundreds-of-thousands-of-records-online
Verizon S3 exposure:  https://mackeepersecurity.com/post/verizon-wireless-employee-exposed-confidential-data-online
Viacom:  https://www.upguard.com/breaches/cloud-leak-viacom

3.  GPS Coordinates on Instagram Post leads to Most Wanted arrest

A criminal on Texas’ most wanted list was arrested by LAPD after posting an Instagram video displaying an arsenal of weapons. 

Christopher Ricardo Gonzalez aka Little Chris, suspected for a string of violent crimes, was captured after the LAPD was able to determine his location from an Instagram post he posted of himself displaying a collection of guns.

The issue of Instagram users landing in trouble after inadvertently revealing their location is a recurring phenomenon.  The criminal who robbed Kim Kardashian in Paris said he tracked her using her location on social networks.

ABC Article:
http://abc7chicago.com/instagram-live-video-of-weapons-leads-to-10-most-wanted-murder-suspects-arrest/2435874/

4.  Neighbor hacks Wi-Fi, steals internet, causes FBI raid

Three college students at UC Davis were abruptly awakened by the pounding of FBI officers one morning and accused of downloading child pornography.  

These students were the unfortunate victims of their next-door neighbor, a man who had cracked their Wi-Fi password and used their internet connection for his nefarious online activities. 

More Info:
http://www.sacbee.com/news/local/crime/article164803532.html

Protecting your own wireless access

Wi-Fi operating on 2.4 GHz (older and most common frequency) can penetrate up to 150 feet indoors and twice that outside.  If you live in close proximity to others, your signal could reach multiple dwellings. 

A few things you can do to increase your Wi-Fi privacy

  1. Use WPA2 += AES & disable WPS (WI-FI protected setup)
  2. Change your wireless password twice a year (make password 16 characters or longer)
  3. Update firmware on your router/modem to the latest version
  4. Consider enabling a guest network for visitors. Only enable this network when visitors are present.
  5. If your devices suport it, consider disabling 2.4 GHz and use 5GHz which has a range of about 1/3 of 2.4GHz.  Also, if you don't need the full power of the radios, decrease their output power which will increase their lifespan.

If you haven’t updated your router/modem in a while or changed your password recently today is a good day to start!

Info on the differences between WI-FI encryption over the years:
https://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/

 

 

Topics: Cyber Security