A Billion Users, 600,000 GPS Trackers, and a Hacked Bank

Security can be a difficult concept, especially when it collides with convenience. Plenty of gadgets make life easier, and because we and our tech are both more mobile, connecting to those gadgets remotely has become standard. Unfortunately, this means that security needs to be part of the equation, and many people don’t understand it. Or at least they act like they don’t want to understand it. On the other hand, there are people who do whatever they can and still get victimized.

Is Your GPS Giving Too Much Data Away?

This story is an example. People invest in GPS trackers to keep track of pets, children or items. However, just being able to track wasn’t enough; now we want to communicate with the wearers by voice or text. A default password of 123456, combined with end users not appreciating the risk of leaving it unchanged, results in this:

“One command that might come in handy sends a text message to a phone of the attacker’s choice. An attacker can use it to obtain the phone number tied to a specific account. From there, attackers on the same network could change the GPS coordinates the tracker was reporting or force the device to call a number of the attacker’s choice and broadcast any sound within range of its microphone. Other commands allowed devices to return to their original factory settings, including the default password, or to install attacker-chosen firmware.”

Thus the desire to protect or track a loved one or pet is easily subverted due to poorly implemented security. This story shows that through no fault of their own, approximately 1.2 billion users had their information exposed:

“a wide open Elasticsearch server containing four billion user accounts across more than 4TB of data.”
“A total count of unique people across all data sets reached more than 1.2 billion people, making this one of the largest data leaks from a single source organization in history. The leaked data contained names, email addresses, phone numbers, LinkedIn and Facebook profile information,” explained Vinny Troia, chief of threat intelligence at Data Viper.
“The discovered Elasticsearch server containing all of the information was unprotected and accessible via web browser at http://35.199.58.125:9200. No password or authentication of any kind was needed to access or download all of the data.”
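For anyone who runs Elasticsearch themselves, the exposure described in the quote above comes down to two settings in elasticsearch.yml: where the node listens and whether authentication is on. The following is an added example, not code from the article or from Elastic; the two sample configs are constructed, and it assumes the flat "key: value" file form and treats a missing xpack.security.enabled as disabled (the default before version 8.0).

```python
import ipaddress

# Constructed sample configs (not from the article): an exposed node and a hardened one.
EXPOSED = """\
cluster.name: example-cluster
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""
HARDENED = """\
cluster.name: example-cluster
network.host: 10.0.4.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' form commonly used in elasticsearch.yml."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback(host):
    if host in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames and values such as _site_ are treated as reachable

def audit(text):
    """Return a list of findings for one elasticsearch.yml; empty means none."""
    cfg = parse_flat_yaml(text)
    host = cfg.get("network.host", "_local_")     # Elasticsearch binds to loopback by default
    auth = cfg.get("xpack.security.enabled", "false").lower() == "true"  # assumed pre-8.0 default
    tls = cfg.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    exposed = not is_loopback(host)
    findings = []
    if exposed and not auth:
        findings.append("CRITICAL: HTTP API reachable off-host with no authentication")
    elif not auth:
        findings.append("WARN: authentication disabled (loopback only)")
    if exposed and not tls:
        findings.append("WARN: HTTP API reachable off-host without TLS")
    return findings
```

A clean result here only covers the config file; firewall rules and cloud security groups still decide who can reach port 9200.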

Hackers Have It Easy

This story shows that banks can be attacked successfully by even the very unsophisticated. The attacker was able to get a foothold on the network via a phishing email. At one point he was discovered but he had a backup plan that allowed him to maintain a presence on the network even after they thought the network was clean. He was able to make off with “several hundred thousand pounds sterling” (as of 12/4/19 the conversion rate is 1.31 to 1 [pounds to dollars]). An interesting comment on the robber’s choice of banks:

Why was this bank a target? Phineas Phisher scanned the internet for all the vulnerable VPN appliances he had an exploit for, grepped through the reverse DNS results for banks, and decided “Cayman” sounded like fun. “I didn’t propose to hack a specific bank,” the how-to guide says, “I just wanted to hack whatever bank I could, which turned out to be a much easier task.”

So what can we gain from these three stories?

• From the GPS story, we need to learn that when we buy something that can communicate, we need to take responsibility for securing it properly. Most vendors will not do that for us, and their view of security may be hazardous to our security. For some insight on this, see https://foundation.mozilla.org/en/privacynotincluded/, which analyzes how well some things you might buy respect your privacy. See https://www.pentestpartners.com/internet-of-things/ if you want to learn more about how bad things are with IoT devices.

• From the breach story, we need to learn to pay attention to security events. https://www.Haveibeenpwned.com is one website where you can see if your information has been leaked. If your email address shows up there, you need to change your password for the listed companies if you haven’t done so already. If you are getting free credit monitoring as a result of a breach, you should have already changed your password for that company.

• From the bank robber story, we need to learn that even larger businesses still can be compromised if the employees are not careful. Phishing is still the gateway to the company network. Do you know how to spot phishing emails? Do your employees know? Phishing emails have progressed well past the Nigerian prince days. Business email compromises (BEC) are on the rise as phishers get more sophisticated. We all need to be vigilant.

If you have questions about the security of your network or devices, give Ashton Technology Solutions a call at 216 397-4080.
