Monthly archives for December, 2017

A popular virtual keyboard app leaks 31 million users’ personal data

The app maker’s database wasn’t protected with a password, leaving exposed its users’ most private information.

Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app’s developer failed to secure the database’s server.

The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world.

But the server wasn’t protected with a password, allowing anyone to access the company’s database of user records, totaling more than 577 gigabytes of sensitive data.

The database appears to only contain records on the app’s Android users.

The exposure was discovered by security researchers at the Kromtech Security Center, which published details alongside ZDNet. The data was only secured after several attempts to contact Fitusi, who acknowledged the security lapse this weekend. The server has since been secured, but Fitusi did not respond when we asked for comment.

ZDNet obtained a portion of the database to verify.

Each record contains basic collected data, including the user’s full name, email addresses, and how many days the app has been installed. Each record also included the user’s precise location, including their city and country.

Other records are significantly more detailed. The app has a free version, which per its privacy policy collects more data than the paid version; the company monetizes the free version with advertising.

More complete records also include the device’s IMSI and IMEI number, the device’s make and model, its screen resolution, and the device’s specific Android version.

A large portion of the records also included the user’s phone number and the name of their cell phone provider, and in some cases their IP address and name of their internet provider if connected to Wi-Fi. Many records contain specific details of a user’s public Google profile, including email addresses, dates of birth, genders, and profile photos.

We also found several tables of contact data uploaded from a user’s phone. One table listed 10.7 million email addresses, while another contained 374.6 million phone numbers. It’s not clear for what reason the app uploaded email addresses and phone numbers of contacts on users’ phones.

Several tables contained lists of each app installed on a user’s device, such as banking apps and dating apps.

It’s not unusual for on-screen keyboards to have wide-ranging access to some of the highest levels of Android permissions. Android will warn users that keyboards “may be able to collect all the text that you type, including personal data like passwords and credit card numbers.” AI.type is no exception: it has read access to contacts, text messages, photos, videos and other on-device storage, the ability to record audio, and full network access.

For its part, AI.type says on its website that users’ privacy “is our main concern.” Any text entered on the keyboard “stays encrypted and private,” says the company.

But the database wasn’t encrypted. We also found evidence that text entered on the keyboard does get recorded and stored by the company, though to what extent remains unclear.

The company also promises to “never share your data or learn from password fields,” but we saw one table containing more than 8.6 million entries of text that had been entered using the keyboard, which included private and sensitive information, like phone numbers, web search terms, and in some cases concatenated email addresses and corresponding passwords.

Bob Diachenko, head of communications at Kromtech Security Center, warned of the dangers of using free apps.

“Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online,” he told ZDNet. “This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user.”

“It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,” he added.

“It is clear that data is valuable and everyone wants access to it for different reasons,” he said. “Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways.”


This ransomware asks victims to name their own price to get their files back

The attackers behind this form of file-encrypting malware — which has similarities with Locky — think that if the victim can set their own price, they’re more likely to pay.

A new form of ransomware, which shares similarities with Locky, allows its victims to negotiate the price for retrieving their encrypted files.

Scarab ransomware was first uncovered in June, but during November, it was suddenly distributed in millions of spam emails, according to researchers at Fortinet. The emails were distributed by Necurs, the botnet infamous for spreading the highly-successful Locky ransomware.

The file-encrypting malware is deployed when the victim runs a VBScript application contained within a malicious email, which retrieves Scarab from payload websites. Researchers at PhishMe said the script contains similarities to the mechanism used to deliver Locky.

Those behind Scarab have also chosen to fill the source code of the ransomware with what appear to be references to Game of Thrones character Jon Snow.

Once installed and executed on the victim’s computer, the malware will connect to a website that provides the attacker with the victim’s IP address and other machine information — likely to aid the attacker in keeping track of victims.

Even if the machine is taken offline during the process, the ransomware still encrypts the files with the .scarab file extension and presents the victim with a ransom note.

But rather than demanding a set fee to release the files, the attackers behind Scarab ask the victims to email them in order to negotiate a payment in bitcoin — the cryptocurrency often used by attackers to collect ransom payments.

The use of an email address suggests the attackers aren’t as sophisticated as those behind other forms of ransomware. However, they do seem to be working to the theory that if they allow the victim to set their own price for the ransom, they’re more likely to receive a payment.

“The negotiation process encouraged by the Scarab ransomware is particularly interesting. While entering into negotiations definitely makes it more likely that a ransom of some kind will be paid, it also allows them to fluctuate demands depending on the value of bitcoin at that time,” said Aaron Higbee, co-founder and CTO of PhishMe.

Researchers suggest the rise in the value of bitcoin has played a part in the shift to using this tactic. A fee of around one bitcoin was often set as the ransom demand during 2016, when the value of bitcoin was under $1000. At the time of writing, one bitcoin is worth over $16,000.

Attackers are likely to understand the average victim isn’t going to have the funds to pay this fee, so by allowing the victim to suggest a price, those behind Scarab are more likely to guarantee a payday for their criminal work.

Those behind Scarab also attempt to show they can be trusted to hold up their end of the malicious deal with the use of a common tactic of ransomware distributors: offering to decrypt some files for free. They also provide instructions on how to obtain bitcoin so that they can receive payment from victims.

However, these aren’t acts of community spirit. The attackers are criminals who are looking for profit by extorting a payment out of the unfortunate victim — a reality hammered home by the ransom note, which says: “Decryption of your files with the help of third parties may cause an increased price.” The attackers also add that by trying to use decryption tools, the victim “can become a victim of a scam”.

Researchers are currently unsure if Scarab will be a temporary ransomware campaign — like Jaff — or if it will become a long-standing threat like Locky.


Uber says data breach compromised 380K users in Singapore

Ride-sharing company reveals 380,000 in Singapore were affected by the massive data breach that compromised 57 million accounts globally, but says no fraud or misuse has been tied to these users.

Uber says an estimated 380,000 users in Singapore were impacted by the 2016 data breach that compromised 58 million accounts globally, but finds no incidents of fraud related to the attack.

The ride-sharing operator posted a statement on its website Friday with the update, noting that the figure was “an approximation rather than an accurate and definitive count”. The number was determined from data extracted from its app or online site and based on codes assigned to specific countries, which might not always correspond with where the user actually lived, it explained.

Uber said it had taken “immediate steps to secure the data” when the breach was uncovered and blocked further unauthorised access. It added that affected customers need not take any action since there was no indication the breach had resulted in any fraudulent transactions.

“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, or dates of birth were downloaded,” it said. “We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection.”

Reports emerged last month that some customers in Singapore found charges made to their Uber accounts and credit cards for rides they never took, including transactions made in the UK and US and in foreign currencies. The company said then that these were not linked to the global data breach, since details related to credit card numbers or bank account numbers were not believed to have been compromised in the attack.

Uber admitted to having concealed the data breach for more than a year, paying off hackers US$100,000 to delete the data and keep quiet about the incident.

In a note commenting on Uber’s latest statement in Singapore, Sanjay Aurora, Asia-Pacific managing director for security vendor Darktrace, said the onus was on companies to safeguard their customers’ data.

“The reality is that there is only so much individuals can do. Ultimately, the responsibility lies with the companies that are entrusted with users’ sensitive data to defend it against cyberattacks,” Aurora said.

“Time and time again, we have seen attacks of this scale–and larger–plague the news. The reality is that such breaches, whether Uber, Equifax, or Yahoo, could have been resolved at an early stage [and] well before real damage was done,” he said, touting the need for artificial intelligence in helping companies identify and combat security threats.

Singapore authorities had said they were investigating Uber’s security incident and would determine if the US company had breached local data protection laws. They also underscored the need for Uber to be transparent and to cooperate with local authorities.


NSA employee pleads guilty after stolen classified data landed in Russian hands

The classified data was later collected by Kaspersky software running on the staffer’s home computer.

A former National Security Agency hacker has admitted to illegally taking highly classified information from the agency’s headquarters, which was later stolen by Russian hackers.

Nghia Pho, 67, a Maryland resident who worked for the NSA’s Tailored Access Operations, the agency’s elite hacking unit, entered a guilty plea on Friday to charges of willful retention of national defense information.

The Justice Dept. confirmed the news in a statement on Friday. The New York Times was first to report the news.

Documents released by the Justice Dept. accuse Pho of removing top secret information from the agency over a five-year period through March 2015.

Pho held some of the highest levels of security clearance at the agency, including sensitive compartmented information and “need to know” clearance, reserved for only a fraction of the agency’s staff.

Although the documents don’t make it clear exactly what specific classified data and records were taken — beyond hard copy and digital files stored in Pho’s residence — several earlier reports have pointed to hacking tools developed for offensive operations launched by the NSA, such as targeting foreign networks and systems for conducting surveillance.

News of the breach was first reported by The Wall Street Journal earlier this year, which said hackers working for Russian intelligence had obtained classified NSA data.

The hackers targeted the then NSA employee in 2015 when he opened the classified work on his home computer running Kaspersky antivirus software. Russian hackers are said to have targeted the employee after they identified the NSA files through the antivirus software.

The company’s founder Eugene Kaspersky previously said he believes that his company’s products were exploited to obtain files from Pho’s computer.

Kaspersky admitted to collecting and uploading the classified data to its servers in Moscow, but only after several kinds of malware were found on Pho’s computer. (Other antivirus products also often upload suspicious files to their vendors’ servers for analysis.)

Kaspersky, a Moscow-based security company, has repeatedly denied working with the Kremlin to conduct espionage. Eugene Kaspersky told ZDNet this week that his company would “move the business out” of the country if the Russian government asked it to spy.

Pho is expected to be sentenced in April, when he may receive the maximum sentence of ten years in prison. According to the Times, prosecutors are not asking for more than eight years.

The case is one of several major breaches at the NSA since the Edward Snowden disclosures in 2013.

Pho is among three employees to be charged, including Harold Martin, an NSA contractor, who was indicted for removing terabytes of secret data from the agency’s headquarters, and Reality Winner, another contractor, who was indicted this year for leaking classified secrets to news site The Intercept.

Another major breach of data included the agency’s trove of highly classified hacking tools, which were later used to launch a large scale, global ransomware attack. Earlier this year, hackers used the tools to silently infect Windows computers with a backdoor to then launch the WannaCry ransomware.

This week, ZDNet revealed the fifth and most recent breach of NSA data in as many years, including new details about the Ragtime surveillance program, which targets Americans’ data.


Snoopers Charter: Government forced to backtrack on data access

The UK’s controversial mass surveillance legislation will have to be tweaked to comply with EU law, but critics say the changes don’t go far enough.

The UK government has been forced to revise parts of its controversial surveillance legislation.

Under the Investigatory Powers Act 2016, nicknamed the ‘Snoopers Charter’, communications companies can be required to retain customers’ communications data for up to 12 months. The government describes communications data as the who, where, when, how, and with whom of a communication; it does not include what was written or said.

But in December last year the European Court of Justice (ECJ) ruled that the powers of the UK’s surveillance legislation were too wide and did not comply with EU law.

In response to the ECJ ruling, the government now plans to make a number of changes, such as introducing a new independent body to authorise communications data requests. Previously, senior police were able to authorise requests.

The use of communications data will also be restricted to investigations into serious crime that would carry a sentence of six months or more. To get access to web surfing data, authorities need to be investigating a crime that carries a sentence of at least a year.

Additional safeguards will be added that must be taken into account before a Data Retention Notice can be given to a telecoms company, and it will be made clearer when people should be notified if their data is accessed.

However, the government insisted that the judgment does not apply to the retention or acquisition of data for national security purposes “as national security is outside of the scope of EU law”. A consultation on the changes is underway, and will run for the next seven weeks.

The UK government argues that communications data is used in 95 percent of serious and organised-crime prosecutions, and has figured in every major counter-terrorism investigation over the last decade. Critics argue that rather than introducing surveillance of the entire population, the authorities would be more effective by targeting suspects more closely.

In a statement, privacy campaigners the Open Rights Group (ORG) called the change a “major victory”.

“Adding independent authorisation for communications data requests will make the police more effective, as corruption and abuse will be harder. It will improve operational effectiveness, even if less data is used during investigations and trust in the police should improve,” said the ORG’s executive director Jim Killock.

The ORG and other privacy campaigners met with the government this week, and Home Office staff warned that without communications data, police would have to rely on more intrusive surveillance techniques. But Killock said it’s better to place suspects under targeted surveillance measures than to keep tabs on the population at large through retained communications data.

“The world has trade offs, and we would suggest that this is a good one,” he said.


National Credit Federation leaked US citizen data through unsecured AWS bucket

Tens of thousands of customers of the credit repair service are believed to be affected.

The National Credit Federation (NCF) has become the latest in a long list of companies to leave the sensitive, private data of customers exposed for all to see online.

According to Chris Vickery, UpGuard Director of Cyber Risk Research, the Tampa, Fla.-based credit repair firm left 111GB of internal customer information on an Amazon Web Services S3 cloud storage bucket configured to allow public access without restriction.

In a blog post, Vickery said the discovery was made on Oct. 3, 2017.

Information on the server, potentially impacting tens of thousands of customers, included customer names, addresses, dates of birth, driver’s license and Social Security card scans, credit blueprints containing detailed financial histories, and full credit card and bank account numbers.

In addition, credit reports from Equifax, Experian, and TransUnion were found in the repository, and in some cases, multiple copies were discovered.

This is a huge amount of information which could be used by fraudsters and criminals to conduct identity theft and destroy their victims’ finances.

In order to access this information, all anyone needed to do was to enter the repository’s URL and download the files they wanted.
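The configuration described above, a bucket whose policy or ACL lets any caller list and download objects, is something an account owner can audit without touching the network. The following is an added example, not UpGuard’s or NCF’s code, and it models AWS’s public-access rules in simplified form: a bucket policy statement is treated as public when it is an unconditional `Allow` for an anonymous principal on a read action, an ACL grant is public when it targets the AllUsers or AuthenticatedUsers groups, and a bucket-level Public Access Block can neutralise either. The bucket name, IAM role ARN, account id, policies and grants are all constructed for the example.

```python
"""Offline audit of an S3 bucket's public-access configuration (added example).

Evaluates three inputs a bucket carries in AWS: its bucket policy (JSON), its
ACL grants, and its Public Access Block settings. This is a simplified model
of AWS's rules, enough to flag the "anyone with the URL can download
everything" shape. All names and values below are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that let an anonymous caller list the bucket or fetch objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a Principal matches every caller: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_read_statements(policy_json):
    """Sids (or positional labels) of Allow statements granting read actions
    to everyone with no Condition attached."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):  # a condition may narrow the grant; not flagged here
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def public_acl_grants(grants):
    """(group URI, permission) pairs granted to the two public groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in (ALL_USERS, AUTHENTICATED_USERS)
    ]


def audit_bucket(name, policy_json, grants, public_access_block):
    """Combine the three inputs into a verdict. RestrictPublicBuckets
    neutralises a public policy, IgnorePublicAcls neutralises public ACLs."""
    pab = public_access_block or {}
    issues = []
    policy_hits = public_read_statements(policy_json) if policy_json else []
    if policy_hits and not pab.get("RestrictPublicBuckets", False):
        issues.append(f"policy grants anonymous read: {policy_hits}")
    acl_hits = public_acl_grants(grants)
    if acl_hits and not pab.get("IgnorePublicAcls", False):
        issues.append(f"ACL grants to public groups: {acl_hits}")
    return {"bucket": name, "public": bool(issues), "issues": issues}


# Constructed: the exposed shape, world-readable policy, public ACL, no block.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-crm-bucket",
                     "arn:aws:s3:::example-crm-bucket/*"],
    }],
})
# Constructed: the corrected shape, one IAM role (hypothetical) may read.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/crm-app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-crm-bucket/*",
    }],
})
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                   "Permission": "FULL_CONTROL"}]
PUBLIC_ACL = OWNER_ONLY_ACL + [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                "Permission": "READ"}]

if __name__ == "__main__":
    for v in (audit_bucket("example-crm-bucket", EXPOSED_POLICY, PUBLIC_ACL, None),
              audit_bucket("example-crm-bucket", LOCKED_POLICY, OWNER_ONLY_ACL, FULL_BLOCK)):
        print(json.dumps(v, indent=2))
```

The first verdict reports two issues (the anonymous policy statement and the AllUsers ACL grant); the second reports none, because the principal is a specific role and the Public Access Block would suppress any public grant that slipped in later. In a real account the three inputs would come from the bucket’s policy, ACL and Public Access Block configuration, and a statement with a `Condition` deserves manual review rather than the blanket pass given here.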

“National Credit Federation data was left entirely accessible to anybody accessing the repository’s URL, highlighting the vital urgency for enterprises to secure their data and validate their configurations against any such exposures,” the security researcher said. “This highly concentrated level of exposure, thoroughly revealing customer credit history several times over, serves to highlight the myriad dangers a single exposure can unleash.”

It is possible that up to 47,000 NCF customers have been impacted. The researcher says that the bucket’s subdomain, “crm-mvp,” likely refers to either customer relationship or customer record management, and the contents appear to back this theory as there are 47,000 files — most of them PDF and text files — which contain the information of customers.

“A conservative estimate of the number of NCF customers affected by this exposure would be below forty thousand individuals, all of whom needed help in restoring their finances,” Vickery says. “In short, these are people who needed and asked for assistance in getting their lives back on track, and were repaid, through a process still unknown, by having the information they furnished revealed online.”

Until UpGuard notified NCF of the discovery, the repository was in a state of constant update.

However, there is no indication at the moment that any attackers found and exploited this security failure.

This is far from the first time that deeply sensitive and confidential information concerning US citizens has been leaked online.

Earlier this year, credit giant Equifax admitted to a data breach, which exposed the data of roughly 145 million customers, including names, social security numbers, birth dates, home addresses and some driving license details, eventually costing the company $87.5 million in damage control.

Last year, a US government subcontractor, Potomac Healthcare Solutions, used an unsecured server to hold sensitive details belonging to active military healthcare professionals, which Vickery found to be open for the world to see.

In related news, this week the contents of a hard drive belonging to a division of the US National Security Agency (NSA) were exposed online. The virtual disk image contained over 100GB of data relating to a military project dubbed “Red Disk,” and was left on an unlisted but public Amazon Web Services server.


PayPal’s TIO Networks reveals data breach impacted 1.6 million users

The company says evidence of “unauthorized access” has appeared during a recent investigation.

PayPal’s recently-acquired payment processor TIO Networks has revealed that up to 1.6 million customers have had their information stolen in a recent data breach.

Last week, the Vancouver, Canada-based TIO Networks said that following the suspension of operations, evidence has been uncovered of a data breach due to “unauthorized access.”

In a statement, the company said that unknown attackers were able to gain access to “locations that stored personal information of some of TIO’s customers and customers of TIO billers.”

In total, up to 1.6 million customers may have had their information leaked, which could include personally identifiable information (PII) or potentially financial data.

No details on the type of information exposed have yet been revealed; however, PayPal says the unauthorized access was “ongoing.”

PayPal acquired TIO Networks in July 2017 in a deal worth $238 million. TIO Networks operates under PayPal’s umbrella but acts as a separate company, processing over $7 billion in consumer bill payments in 2016, supporting roughly 16 million customer bill pay accounts.

In November, PayPal announced the suspension of TIO Networks’ operations due to “PayPal’s discovery of security vulnerabilities on the TIO platform and issues with TIO’s data security program that do not adhere to PayPal’s information security standards.”

TIO’s platform, thankfully, has not been integrated into PayPal’s business, which means users of the latter have not been impacted by the latest disclosure.

PayPal launched an internal investigation into the newly-acquired firm’s business and hired a third-party cyberforensics company to review the TIO bill payment platform after suspending operations, revealing the data breach.

TIO Networks has begun notifying those potentially impacted by the security issue, and PayPal has signed up credit reporting agency Experian to provide free monitoring for 12 months to customers who have been verified as victims.

“At this point, TIO cannot provide a timeline for restoring bill payment services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills,” TIO Networks says. “We sincerely apologize for any inconvenience caused to you by the disruption of TIO’s service.”


System Requirements

Both OsMonitor Server and Client can run on Windows XP, Windows Server 2003/08/12/2016, Windows 7, Windows 8/8.1, and Windows 10, in both 32-bit and 64-bit editions.

Customer Review

We are now using your monitoring software, OsMonitor. It is great software: we are able to block non-business websites, monitor the activities of our users and the websites they visit, and even take snapshots. The majority of our needs are met by your software.