How bad can text security be? One company just showed us.

Credit to Author: Evan Schuman| Date: Wed, 18 Dec 2019 05:46:00 -0800

There is nothing more quintessentially mobile than text messages, the most commonly used communication method today. That’s why it was very unsettling that a security research house found — and the vendor at issue essentially confirmed — that a massive number of text messages were stored in plaintext, with no security at all. In short, the texts from what the security research firm estimated were “hundreds of millions of people” were open to any thief or stalker who wanted to look.

The company involved, an Austin-based business called TrueDialog, would likely be unknown to almost all of those users. TrueDialog is a marketing firm offering SMS products and services to other companies — a lot of companies. That will make it hard for consumers to even know if their texts were victimized. Text message users were able to text back, giving the impression of having two-way conversations with businesses.

The security research firm, VPNMentor, has posted a copy of its report, which delves into extensive details about the TrueDialog database it found.  

“The TrueDialog database is hosted by Microsoft Azure and runs on the Oracle Marketing Cloud in the USA. When we last looked at the database it included 604 GB of data. This included nearly 1 billion entries of highly sensitive data,” the report noted.

“Millions of email addresses, usernames, cleartext passwords, and base64 encoded passwords (which are easy to decrypt) were easily accessible within the database. …

“We also found in the database logs of internal system errors as well as many http requests and responses, which means that whoever found it could see the site’s traffic. This could [have] by itself exposed vulnerabilities. …

“The account credentials were not only left unprotected but in cleartext as well. This means that anyone who accessed the database would be able to log in to the company account, change the password, and do an incredible amount of damage. …

“It would be easy for a corporate spy to read confidential messages that were sent by a rival company. That data could include marketing campaigns, roll out dates for a new product, new product designs or specs and much more. 

“This leak also exposed records regarding sales leads for potential customers of TrueDialog users. Users are buying leads from external parties and if these leads came to leak, they could lose a lot of money.”

When VPNMentor contacted TrueDialog, the vendor never responded but, somehow, the problematic database was taken offline. So we looked to TrueDialog’s site for some insights into how this could have happened. No such answers were found, but there was an interesting section where TrueDialog — with a masterful display of chutzpah — touted its powerful security mechanisms.

Under a header called “Enhanced Security,” a marketing page on the site says: “Another benefit of native SMS integration is enhanced security and better control over data access. Built for large organizations, enterprise-grade SMS texting features make system administration easier. Because they use the same security protocols as other Microsoft applications, data security breaches or containment issues are minimized.

“Most importantly, data never resides on questionable 3rd-party servers.

“On-premise MS Dynamics installations utilize local data processing and storage servers while cloud-based setups reside on Microsoft’s trusted, ultra-secure network.

“Administrators rest easy knowing critical data is protected and always available.”

Really? Their customers can rest easy knowing that their critical data is left exposed to the world? Maybe they meant “rest easy” as a euphemism for wanting to kill themselves?

There are three issues here: One, we have companies hiring companies to handle some of their texts, without insisting on seeing enterprise-level security behind it. Two, consumers are using this service that is ostensibly from Company X. They have a certain amount of trust in Company X, and that is why they are using the texting option. And yet Company X is not taking charge. And three, why does the U.S. not have penalties for such a massive dereliction of security duties?

Some of this is quite frustrating. Consider a consumer or student who does not trust the brand’s reputation, so that consumer/student asks to opt out. In this situation, even the act of trying to opt out caught more people in this horrid situation.

The very nature of texting is not especially safe, but is encrypting the stored data and adding some passwords so much to ask?

http://www.computerworld.com/category/security/index.rss