Airplane boarding display leaks passenger data

Symantec researcher Candid Wueest spotted airport boarding gate displays putting passengers at risk by leaking booking codes.

Wueest followed an IP address from a boarding gate display to a landing page showing debug information that listed databases containing information about the next flights, which could be used to hack into passenger accounts, according to a Jan. 10 blog post.

An attacker would only need to guess a passenger’s last name and their booking reference codes, also known as passenger name record (PNR) locators, to access details about the flight and other passengers on the same booking including full names, email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth.

Wueest said the information was available to anyone who knew about the publicly accessible server. The airline has since patched the flaw.

SOURCE: Robert Abel | SCMagazine

New Zealand online dating site data leaked

Personal information of over 1.5 million online dating users, including usernames, passwords, e-mail addresses, gender, date of birth, country of residence and photos, as well as sexual preferences, was found by MacKeeper researchers in an unsecured MongoDB database accessible on the internet. The data was found to belong to a New Zealand-based company that runs haveafling.mobi, haveafling.co.nz, haveanaffair.co.nz, haveanaffair.mobi, hookupdating.mobi and the mobile application “Hook Up Dating”.

In response to MacKeeper’s notification, the company claimed that the database is mostly dummy data used to test migrating data from SQL to MongoDB. The researchers do not accept this claim, considering the massive number of accounts.

Also, a one-by-one analysis of a random selection of more than 300 records shared with ZDNet proves otherwise.

The company is taking the leak lightly, claiming that only the researchers had accessed the data. They did not invalidate the affected passwords and only notified users to change their passwords because they were upgrading their system for security reasons.

Remote Control Vulnerability in Tesla cars fixed

Researchers at Tencent’s Keen Security Lab found a security flaw in Tesla cars that allowed attackers to control the car brakes and other less critical components from a remote location. They responsibly disclosed the flaw to Tesla’s security team, which confirmed the flaw and has now issued fixes for it in its latest firmware version.

Tesla has urged car owners to update their car’s firmware to the latest version to stay immune from exploitation of the remote control flaw.

The researchers were able to open various Tesla cars’ sunroof, turn on the blinkers, move the car seat, and open doors, all while the cars were in parking mode. They also managed to control windshield wipers, fold the side rearview mirrors, open the trunk, and manipulate the brakes from a remote location 12 miles away.

Backdoors in Xiaomi Smartphones

A computer science student, Thijs Broenink, has found that one of the pre-installed apps that come with Xiaomi smartphones, ‘AnalyticsCore’ (AnalyticsCore.apk), sends device information (IMEI, MAC address, Model, Nonce, Package name and signature) to Xiaomi, checks Xiaomi’s server for updates daily and installs them. He made the discovery when, out of curiosity, he reverse-engineered the pre-installed apps to see what they actually do.

Broenink found that the update download is done over HTTP, which means it could be tampered with in transit and replaced with a malicious file. The access granted by the app also gives Xiaomi the power to silently replace signed apps within 24 hours on all devices sold by them.

In response, a Xiaomi spokesperson told The Hacker News that a successful attack on the “self-upgrade” feature by a random attacker is impossible, as MIUI (Xiaomi’s Android firmware for mobile devices) checks the signature of the Analytics.apk app during installation and will not install any app that has not been signed by Xiaomi. He also noted that “Starting from MIUI V7.3 released in April/May, HTTPS was enabled to further secure data transfer, to prevent any man-in-the-middle attacks.”

Uninstalling the app does not work because it reinstalls itself after a while. To completely block access for this app, users can use an ad-blocking app with root access to blacklist Xiaomi-related web servers.

Microsoft brings Tuesday Patches to an end

Yesterday’s Patch Tuesday is meant to be the last traditional Windows Patch Tuesday. Microsoft is changing its patch release model. The new model will have all patches for a month bundled together and users will not be able to pick and choose which updates to install.

Microsoft has said this will start with Windows 10 but will affect other operating systems as well in due course.

Security teams should be prepared to make changes to their patching methods as soon as Microsoft implements its new patch release model.

Possible data breach of VoIPtalk

Voice over IP provider VoIPtalk has warned its customers of a possible breach of their login credentials. The email notice stated that the company’s security systems discovered strange activity: “activity involving online attempts to exploit vulnerabilities in our infrastructure to obtain customer data”, according to SC Magazine.

The company is erring on the side of caution by notifying its customers even though there is no strong evidence of a successful breach by attackers.

Pegasus was sold for lawful use only

The NSO Group, an organization that reportedly specializes in ‘cyber-war’ and that combined three iOS zero-day vulnerabilities into the Pegasus malware, claims that the malware was only sold to governments under signed agreements to be used in a lawful manner. A spokesperson for the group, Zamir Dahbash, told the Washington Post that “Specifically, the products may only be used for the prevention and investigation of crimes.” But according to SCMagazine, researchers suspect that the malware was used to target an activist, Ahmed Mansoor, who originally sent the malware to Lookout and Citizen Lab for examination.

Users who fear that they have been infected by Pegasus can use Lookout mobile apps to check their devices. All users are encouraged to update their devices to iOS 9.3.5.