T-Mobile Web Portal Exposed 74 Million Accounts, and More Security News This Week
Credit to Author: Lily Hay Newman| Date: Sat, 26 May 2018 13:00:00 +0000
At the beginning of the year, revelations about a new type of processor vulnerability had far-reaching implications for devices all over the world, and this week researchers disclosed yet another of these so-called "speculative execution" flaws in Intel, AMD, and ARM chips.
In another massive-scale incident discovered this week, analysts found a new strain of malware called VPNFilter that a sophisticated hacking group has been using to compromise home and small business routers; at least half a million devices are already infected.
Also this week, the FBI admitted that its official figure for the number of mobile devices it could not gain access to because of data protections like encryption was drastically overstated. The revelation reignited controversy about the true scope of what the FBI calls the "Going Dark" problem.
In other news: WIRED took a deep look at the state of predictive policing in Los Angeles, and heard from some of the communities it impacts most; Facebook expanded its two-factor authentication offerings so users can set it up with third-party apps instead of only with their phone numbers; and the story of a woman whose Amazon Echo sent snippets of a private conversation to a random person in her contact list was a jarring reminder of the privacy risks of smart speakers—but not necessarily a reason to give yours up. Oh, and researchers at Columbia University have developed a new way to hide secret messages in chunks of text by imperceptibly altering heights, widths, and curvatures of individual letters.
But wait, there's more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
A security researcher reported in April that a T-Mobile customer support portal that employees use to check user information wasn't protected by a login screen or any other form of authentication. Since the portal was publicly accessible at "promotool.t-mobile.com," anyone could have used the tool to enter mobile numbers and return customer data like names, addresses, account numbers, verification PINs, and in some cases even certain tax information. T-Mobile has about 74 million customers, and the company added a credential login to protect the tool after receiving the alert from security researcher Ryan Stevenson. Per its bug bounty program, T-Mobile awarded Stevenson $1,000 for the discovery. A T-Mobile spokesperson told ZDNet that, "The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here," which is great, but meanwhile an incredibly simple mistake exposed data from tens of millions of people.
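To make the shape of that mistake concrete, here is an added illustration (not code from the original article, and not T-Mobile's code): a lookup handler modelled on the pattern described above, where a phone number is the only input and any caller gets a customer record back, next to a hardened version of the same handler. The customer records, the employee names and roles, the bearer-token session store and the audit log are all constructed for the example.

```python
"""Constructed example for the flaw described above: a support lookup
endpoint that answers any caller, beside a hardened version of the same
handler. Not T-Mobile's code; every name, value and record here is made up.
"""
import secrets
import time

# Constructed customer records keyed by phone number (MSISDN). All fake.
CUSTOMERS = {
    "2065550142": {"name": "A. Example", "address": "1 Sample St",
                   "account": "990001", "pin": "4471"},
    "2065550199": {"name": "B. Example", "address": "2 Sample Ave",
                   "account": "990002", "pin": "8820"},
}

# Hypothetical server-side session store: bearer token -> (employee, role, expiry).
SESSIONS = {}
# Audit trail of who looked up which number. An unauthenticated tool cannot keep one,
# which is why nobody can say afterwards who queried what.
AUDIT_LOG = []
ALLOWED_ROLES = {"support", "retail"}


def lookup_unprotected(params):
    """The flawed pattern: the phone number is the only input, so anyone who can
    reach the host can enumerate customers one number at a time.
    Returns (status, body)."""
    record = CUSTOMERS.get(params.get("msisdn", ""))
    return (200, dict(record)) if record else (404, None)


def issue_session(employee, role, ttl=900):
    """Create a short-lived session once the employee has logged in (the login
    step itself is out of scope here). The token is 256 bits from the OS CSPRNG."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (employee, role, time.time() + ttl)
    return token


def _session_from_headers(headers, now):
    """Resolve the Authorization header to (employee, role), or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):].strip()
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    employee, role, expiry = entry
    if now >= expiry:
        SESSIONS.pop(token, None)   # expired sessions are discarded, never honoured
        return None
    return employee, role


def lookup_protected(params, headers, now=None):
    """Hardened handler: authenticate, authorise by role, minimise the data
    returned (the PIN is masked rather than displayed) and write an audit entry.
    Returns (status, body)."""
    now = time.time() if now is None else now
    session = _session_from_headers(headers, now)
    if session is None:
        return 401, None                       # no valid session: return nothing at all
    employee, role = session
    if role not in ALLOWED_ROLES:
        return 403, None                       # authenticated but not permitted
    msisdn = params.get("msisdn", "")
    AUDIT_LOG.append({"employee": employee, "msisdn": msisdn, "at": now})
    record = CUSTOMERS.get(msisdn)
    if record is None:
        return 404, None
    body = {k: v for k, v in record.items() if k != "pin"}
    body["pin"] = "****"                       # verify a customer-supplied PIN server-side instead
    return 200, body


if __name__ == "__main__":
    print(lookup_unprotected({"msisdn": "2065550142"}))       # anyone gets the full record
    print(lookup_protected({"msisdn": "2065550142"}, {}))     # (401, None)
    tok = issue_session("emp-17", "support")
    print(lookup_protected({"msisdn": "2065550142"},
                           {"Authorization": "Bearer " + tok}))  # masked record, audit entry written
```

The point of the pair is that the vulnerable handler is not wrong about anything it does; it simply has no step in which the caller's identity is established, so the fix is a gate in front of the lookup (session, role, expiry) plus two things an unauthenticated tool can never offer: an audit trail and a reason to withhold fields such as the verification PIN from the display.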
At the beginning of his presidency, Donald Trump continued using his personal, consumer-grade Android phone in spite of receiving an ultra-secure smartphone from the White House. This was not a smart idea from a personal or national security standpoint. Now, 16 months later, two senior administration officials told Politico this week that the President still isn't abiding by all recommended smartphone security protections. He now uses at least two government-issued iPhones, one that only makes calls (but has its camera enabled) and one that only has the Twitter app and access to some news sites. The limitations and siloing are positive steps, but Trump refuses to change out the Twitter phone every month like security officials suggest, because he finds it "too inconvenient." Politico reports that Trump has at times gone five months without allowing the Twitter phone to have a security check. During his presidency, officials say that Barack Obama handed in all of his smartphones every 30 days for evaluation.
The Defense Department's Cyber Command, which deals broadly with DoD operations in cyberspace, has a confidential data and intelligence-sharing agreement, known as Project Indigo, with the global financial sector's Financial Services Information Sharing and Analysis Center industry group. FS-ISAC shares anonymized threat data with Cyber Command that includes information about hacking tools and attack methods used against financial institutions. The existence of such a collaboration is not surprising given the digital threats the financial sector faces every day and the government's increasing reliance on the private sector for information about critical infrastructure. But Project Indigo is likely also a source of information for the US's offensive cyber operations, not only its defensive decisions.
The security firm Kaspersky Lab makes an excellent anti-virus product and employs some of the best threat analysts and digital intelligence researchers in the world. But the company was also founded by a KGB-trained entrepreneur, Eugene Kaspersky, and is headquartered in Russia. As such, it has never been able to totally squelch rumors that it is really a Kremlin-guided operation. And over the past 18 months, a series of incidents—including revelations that Russian spies have manipulated Kaspersky Anti-Virus to steal NSA source code—have stoked fears that the company is untrustworthy. In December, Congress and the Trump administration established a ban on Kaspersky products within the government. Find out more about the company in this deep dive on Kaspersky's SAS security conference, which was held in Cancun, Mexico this year.