Data of millions of eBay and Amazon shoppers exposed

Researchers have discovered another big database containing millions of European customer records left unsecured on Amazon Web Services (AWS) for anyone to find using a search engine.

A total of eight million records were involved, collected via marketplace and payment system APIs belonging to companies including Amazon, eBay, Shopify, PayPal, and Stripe.

Discovered by Comparitech’s noted breach hunter Bob Diachenko, the AWS instance containing the MongoDB database became visible on 3 February, where it remained indexable by search engines for five days.

Data in the records included names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and partially redacted credit cards.

Also included were thousands of Amazon Marketplace Web Services (MWS) queries, an MWS authentication token, and an AWS access key ID.

Because a single customer might generate multiple records, Comparitech wasn’t able to estimate how many customers might be affected.

About half of the customers whose records were leaked are from the UK; as far as we can tell, most if not all of the rest are from elsewhere in Europe.

How did this happen?

According to Comparitech, the unnamed company involved was a third party conducting cross-border value-added tax (VAT) analysis.

That is, a company none of the affected customers would have heard of or have any relationship with:

This exposure exemplifies how, when handing over personal and payment details to a company online, that info often passes through the hands of various third parties contracted to process, organize, and analyze it. Rarely are such tasks handled solely in house.

The exposed Amazon MWS queries and authentication token could be used to query the MWS API, Comparitech said, potentially allowing an attacker to request records from sales databases. For that reason, it recommended that the companies involved immediately change their passwords and keys.
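One practical takeaway from this exposure is that records handed to a third party should be audited for embedded credentials before they are stored or shared. The following is an added example, not code from Comparitech or from the company involved: a small scanner that flags and masks AWS access key IDs and MWS-style authentication tokens in exported records. The AWS key ID shape (AKIA/ASIA plus 16 upper-case alphanumerics) is AWS's documented format; the `amzn.mws.<uuid>` token shape is an assumption drawn from public MWS documentation, and the sample records are constructed (the key ID is AWS's published example value, the token is made up).

```python
import re

# Credential-shaped patterns. The AWS access key ID shape is AWS's documented
# format; the MWS token shape "amzn.mws.<uuid>" is an assumption based on the
# public MWS docs and should be treated as an approximation.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "mws_auth_token": re.compile(
        r"\bamzn\.mws\.[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b"
    ),
}


def find_secrets(record):
    """Return the sorted kinds of credential found in any string field of a record."""
    found = set()
    for value in record.values():
        if isinstance(value, str):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(value):
                    found.add(kind)
    return sorted(found)


def redact(record):
    """Return a copy of the record with every matched credential masked."""
    cleaned = dict(record)
    for key, value in record.items():
        if isinstance(value, str):
            for kind, pattern in SECRET_PATTERNS.items():
                value = pattern.sub(f"[REDACTED:{kind}]", value)
            cleaned[key] = value
    return cleaned


def audit_records(records):
    """Map order_id -> credential kinds for every record that must not be exported as-is."""
    report = {}
    for record in records:
        kinds = find_secrets(record)
        if kinds:
            report[record["order_id"]] = kinds
    return report


# Constructed sample records, loosely shaped like the exposed ones described
# above. The key ID is AWS's published example value; the MWS token is made up.
SAMPLE_RECORDS = [
    {"order_id": "ORD-1001", "name": "A. Customer", "city": "Leeds",
     "notes": "ship before Friday"},
    {"order_id": "ORD-1002", "name": "B. Customer", "city": "Lyon",
     "notes": "api call made with AKIAIOSFODNN7EXAMPLE"},
    {"order_id": "ORD-1003", "name": "C. Customer", "city": "Cork",
     "notes": "mws token amzn.mws.12345678-1234-1234-1234-123456789abc"},
]

if __name__ == "__main__":
    for order_id, kinds in audit_records(SAMPLE_RECORDS).items():
        print(order_id, kinds)
```

Run as a pre-export gate, `audit_records` tells you which rows need attention and `redact` produces a copy safe to hand on; the flagged keys should then be rotated, as Comparitech recommended, since a key that has been written into a data set has to be assumed compromised.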

Amazon began investigating the breach on the day it was disclosed to them, and the third-party company involved shut down the database on 8 February.

While there is no evidence that anyone accessed the data during the days it was left unsecured, it is impossible to be sure of that.

It’s simply the latest example of how easy it is to leave sensitive data sitting in an unsecured state on cloud storage platforms.

Previous examples discovered by Comparitech and Diachenko include:

These breaches seem to have grown in scope and number over the last year. Right now, the only real defence against them is that researchers publicise them before the criminals do. That needs to change before real damage is done.


Latest Naked Security podcast

Firefox 74 offers privacy and security updates

Just a month after shipping version 73 of its Firefox browser, Mozilla has released version 74 with a range of privacy and security enhancements. These include a privacy tweak to the way it handles the WebRTC multimedia streaming protocol.

Mozilla had promised some of its changes months or even years ago, but an unexpected addition is mDNS ICE, which improves privacy in peer-to-peer communications.

ICE stands for Interactive Connectivity Establishment, and it’s a technique used in VoIP and peer-to-peer connections within network address translation (NAT) environments. NAT boxes remap IP address spaces between networks. They enable you to use addresses on your local network (like 192.168.1.100) that don’t clash with those on the wider internet.

ICE uses ‘candidates’ that provide alternatives for connections in a NAT environment. These candidates, which contain IP address and port information, increase the chance of successful connections on unmanaged networks by helping the other party find its way to the right computer behind a NAT connection.

The problem with that, as this IETF draft explains, is that ICE candidates expose private IP addresses to web applications by default, creating potential privacy issues. This applies to WebRTC, which is a browser-based peer-to-peer real-time communications standard. You can use WebRTC for video conferencing or monitoring IP cameras without needing to install separate applications.

Firefox 74 fixes the problem by using multicast DNS (mDNS) with ICE to create a random ID that cloaks a computer’s IP address. That makes WebRTC communications more private.
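To make the privacy problem and the fix concrete, here is an added example (not Mozilla's code and not from the IETF draft) that parses ICE candidate lines from SDP and reports which fields expose a LAN address. The two SDP fragments are constructed: the first shows a host candidate carrying an RFC 1918 address, as browsers emitted before the change; the second shows the same candidate after mDNS obfuscation, where the address is a random UUID-style name under `.local` that only a peer on the same network can resolve. The field layout of `a=candidate:` lines follows RFC 5245/8839.

```python
import ipaddress

# Constructed SDP fragments: before and after mDNS obfuscation of the host
# candidate. The srflx (server-reflexive) candidate also has its related
# address hidden in the "after" case.
SDP_BEFORE = """v=0
a=candidate:842163049 1 udp 2122260223 192.168.1.100 54321 typ host generation 0
a=candidate:1853887674 1 udp 1686052607 1.2.3.4 54321 typ srflx raddr 192.168.1.100 rport 54321
"""

SDP_AFTER = """v=0
a=candidate:842163049 1 udp 2122260223 3b1c6e2a-9a6b-4f9c-8d2e-0c3a7f1e5b4d.local 54321 typ host generation 0
a=candidate:1853887674 1 udp 1686052607 1.2.3.4 54321 typ srflx raddr 0.0.0.0 rport 0
"""


def parse_candidate(line):
    """Parse an 'a=candidate:' line using the RFC 5245/8839 field order."""
    body = line.strip()
    if body.startswith("a="):
        body = body[2:]
    if not body.startswith("candidate:"):
        raise ValueError("not an ICE candidate line")
    fields = body[len("candidate:"):].split()
    if len(fields) < 8 or fields[6] != "typ":
        raise ValueError("malformed candidate line")
    cand = {
        "foundation": fields[0],
        "component": int(fields[1]),
        "transport": fields[2].lower(),
        "priority": int(fields[3]),
        "address": fields[4],
        "port": int(fields[5]),
        "type": fields[7],
        "raddr": None,
    }
    # Optional attribute pairs follow the type, e.g. "raddr X rport Y".
    extras = fields[8:]
    for i in range(0, len(extras) - 1, 2):
        if extras[i] == "raddr":
            cand["raddr"] = extras[i + 1]
    return cand


def classify_address(addr):
    """Label an ICE address: mdns, private, loopback, unspecified, public or hostname."""
    if addr.lower().endswith(".local"):
        return "mdns"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def private_address_leaks(sdp_text):
    """Return [(candidate type, field, address)] for every field exposing a LAN address."""
    leaks = []
    for line in sdp_text.splitlines():
        if not line.startswith("a=candidate:"):
            continue
        cand = parse_candidate(line)
        for field in ("address", "raddr"):
            value = cand[field]
            if value is not None and classify_address(value) == "private":
                leaks.append((cand["type"], field, value))
    return leaks


if __name__ == "__main__":
    print("before:", private_address_leaks(SDP_BEFORE))
    print("after: ", private_address_leaks(SDP_AFTER))
```

Pointed at an SDP offer captured from a WebRTC application, `private_address_leaks` returns an empty list once the browser has switched to mDNS candidates; before the change it lists the internal address in both the host candidate and the srflx candidate's related address, which is the information web applications could previously read.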

Another big change concerns sideloading. This is the practice of automatically installing extensions without users taking action. In Firefox 74, users must manually install the extensions that they want, and they can also remove previously sideloaded extensions using the add-ons manager (although they’ll have to do this manually). Developers will still be able to push updates to previously-sideloaded extensions, Mozilla said.

The company explained that this doesn’t apply to those pushing out their own Firefox distributions, such as some Linux distros. Neither will it apply to Firefox Extended Support Release (ESR). Enterprises can continue to sideload extensions in Firefox browsers managed by policies.

Firefox 74 also officially deprecates versions of TLS before 1.2. Mozilla vowed to nix TLS 1.0 and 1.1 in Firefox back in 2018 and is delivering on schedule. TLS 1.0 turned 21 years old in January and has some shortcomings. According to the IETF, versions 1.0 and 1.1 don’t support current recommended cipher suites, leading some governments to ban them for applications altogether. The IETF has recommended v1.2 since 2008, so it’s probably about time that we ditched the others.

If a website tries to use a pre-1.2 version of TLS, Firefox 74 will now show an error page. If you’re intent on dealing with an insecure web page, though, you can go ahead because there’s an override button – for now.
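The same floor can be enforced in your own TLS clients. The following is an added example, not Mozilla's code: a Python `ssl` context that refuses TLS 1.0 and 1.1 the way Firefox 74 now does by default, an `allow_legacy` switch that plays the role of the override button, and a post-handshake check on the negotiated protocol name. Everything here uses the standard `ssl` module as it exists in Python 3.7 and later; no external library is assumed.

```python
import ssl

# Policy: TLS 1.2 is the floor, matching Firefox 74's default.
MIN_TLS = ssl.TLSVersion.TLSv1_2
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)

# Names as returned by SSLSocket.version() after a handshake.
_VERSION_BY_NAME = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def make_client_context(allow_legacy=False):
    """Client context with certificate verification on and pre-1.2 TLS refused.

    allow_legacy=True is the equivalent of the browser's override button: it
    lowers the floor to TLS 1.0 and should be a deliberate, logged exception.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1 if allow_legacy else MIN_TLS
    return ctx


def context_accepts(ctx, version):
    """Would this context negotiate the given ssl.TLSVersion?"""
    low, high = ctx.minimum_version, ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        low = ssl.TLSVersion.SSLv3
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = ssl.TLSVersion.TLSv1_3
    return low <= version <= high


def negotiated_version_ok(name):
    """Defence in depth: re-check the protocol name reported after the handshake."""
    version = _VERSION_BY_NAME.get(name)
    return version is not None and version >= MIN_TLS


def check_socket(sock):
    """Raise if a connected SSLSocket ended up on a legacy protocol."""
    name = sock.version()
    if not negotiated_version_ok(name):
        raise ssl.SSLError(f"refusing legacy protocol {name!r}")
    return name


if __name__ == "__main__":
    ctx = make_client_context()
    for v in LEGACY_VERSIONS + (MIN_TLS, ssl.TLSVersion.TLSv1_3):
        print(v.name, "accepted" if context_accepts(ctx, v) else "refused")
```

Setting `minimum_version` is what actually stops the handshake; `negotiated_version_ok` is a belt-and-braces check for code paths where the context is built elsewhere and you want to fail loudly rather than silently talk TLS 1.0 to a server that still offers it.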

The latest version of Firefox brings a handful of other changes including the addition of an allowlist to the browser’s Facebook Container. This extension isolates Facebook, allowing people to contain their activity on the social media site without letting it track them via other websites that they visit. Sometimes they might want another site to talk to Facebook about them, if it’s connected to their Facebook site as an app. This change lets people add custom sites to a list of exceptions.

Mozilla also fixed 12 security flaws in the browser, all with a severity rating of high or less.

Given that this release comes four weeks after the last, it now seems that we can’t call the Firefox release date ‘fortytwosday’ anymore, in line with its past 42-day release cycle and, of course, in honour of Hitchhiker’s Guide to the Galaxy (which is 42 this month). Don’t Panic – we’ll think of something. How about 28 Days Later?



Intel patches graphics drivers and offers new LVI flaw mitigations

Intel’s March security updates reached its customers this week and on the face of it, the dominant theme is the bundle of flaws affecting the company’s Graphics drivers.

There are 17 of these all told, including six high-severity flaws, starting with CVE-2020-0504, a buffer overflow leading to a denial of service flaw whose CVSS score of 8.4 suggests the need for urgent attention.

Intel doesn’t offer much detail on the individual flaws beyond the fact they allow the usual trio of privilege escalation, information disclosure and denial of service, all of which require local access.

Beyond this lie fixes for another 11 flaws affecting product lines including SmartSound, BlueZ, the Max 10 FPGA, the NUC firmware, and the Programmable Acceleration Card (PAC) N3000.

However, the star flaw of the month is the Load Value Injection (LVI) weakness (CVE-2020-0551), publicised this week by a diverse group of mainly academic security researchers.

Following in the footsteps of a series of chip-level flaws with impressive names (Spectre, Meltdown, Fallout, ZombieLoad, RIDL, CacheOut), this one is what might light-heartedly be called a ‘NOBWAIN’ (Not a Bug With an Impressive Name).

According to the researchers, LVI is unlike previous side-channel processor attacks:

Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle – ‘inject’ – the attacker’s data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords.

Reported to Intel last April, it’s a novel technique which could, for example, be used to steal data from Software Guard Extensions (SGX) enclaves, secure memory regions inside post-2015 Intel processors used to store things like encryption keys, digital certificates, and passwords.

There is no simple fix for LVI, the researchers said, but Intel said it would, from this week, release mitigations for the SGX platform and software development kit. Beyond that, it downplayed the issue:

Due to the numerous complex requirements that must be satisfied to successfully carry out the LVI method, Intel does not believe LVI is a practical exploit in real-world environments where the OS and VMM are trusted.

The full list of affected processors can be found on Intel’s website, essentially all processors that come with SGX.

For now, because LVI is a theoretical exercise, it isn’t an issue the average Intel user needs to worry about. There are no known exploits of this, or any of the previous hardware flaws found since Spectre and Meltdown were made public more than two years ago.

However, it’s clear that chip designers have some work on their hands building defences against these attacks into future hardware. These days, buyers largely upgrade to achieve higher processor performance. It now looks as if security might soon be just as compelling a reason.



Analytics firm’s VPN and ad-blocking apps are secretly grabbing user data

A popular analytics platform has been secretly installing root certificates on mobile devices so it can suck up users’ data from its 20 or more ad-blocker and virtual private network (VPN) mobile apps, according to a BuzzFeed News investigation.

Both Google and Apple have hosed down their app stores to cleanse them of at least some of the apps from the company, Sensor Tower, which is used by developers, venture capitalists, publishers, and others to track the popularity, usage trends, and revenue of apps – analytics that you can sample in its Twitter postings.

The apps, which have more than 35 million downloads, neither let users know about their connection to Sensor Tower nor reveal that their data is being gobbled up by its products.

Some of the apps are no longer available, but BuzzFeed News said it recently traced a handful of apps in the Google Play store to Sensor Tower, including Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus. Two of the apps – Adblock Focus and Luna VPN – were also available in Apple’s App Store. After BuzzFeed News contacted Apple, the company removed Adblock Focus. Similarly, Google removed Mobile Data after getting a heads-up. Both companies have said that their investigations are ongoing.

BuzzFeed News says that it managed to hunt down the apps’ owner after discovering code authored by developers who work for Sensor Tower. One clue was an online résumé belonging to a Sensor Tower developer that says he built “Android apps to power the Sensor Tower analytics platform.” His GitHub username shows up in the code of multiple apps. Another Sensor Tower developer says, on his personal site, that he’s…

Working on awesome top secret iOS Projects.

So much for trying to block ads

After they’re installed, the VPN and ad-blocker apps prompt users to install a root certificate so that the certificate issuer can access all traffic and data passing through a phone. Sensor Tower says it only collects “anonymized” usage and analytics data that it integrates into its products.

If that sounds like a consolation, think again: a recent study showed that it’s even easier to identify people from their anonymized data than was previously assumed. That’s saying a lot, given that we’ve known for years that surprisingly accurate inferences can be made about shoppers, even from their extremely vague purchasing data.

Randy Nelson, Sensor Tower’s head of mobile insights, told BuzzFeed News that the company kept its ownership of the apps hush-hush “for competitive reasons.” He says that Sensor Tower is now taking steps to make its connection to the apps “perfectly clear.”

Nelson said that the “vast majority” of the apps cited in the investigation are now defunct, while a few are “in the process of sunsetting.”

Sure, many are now defunct – mostly because their policy violations got them yanked. Apple removed a dozen from its App Store, an Apple spokesperson said. The company removed Adblock Focus after BuzzFeed got in touch and said that as of Monday, it was still investigating Luna VPN.

Installing root certificates is restricted by both Google and Apple, given the security risks they pose. BuzzFeed News says that Sensor Tower’s apps bypass those restrictions by prompting users to install a certificate through an external website after an app is downloaded.

There’s no such thing as a free lunch

We’ve posed, and answered, this riddle in the past: When is a VPN not private?

Usually, when you’re not paying for it.

Granted, maybe that’s not true all the time – Opera, for example, brought back its free VPN service to its Android browser a year ago.

But we’ve seen “free” VPNs make money off users in other ways. In the case of Hotspot Shield, that meant being required to look at ads or having at least some of your personal data – location, browsing habits, purchasing history, etc. – collected and sold to third parties for marketing. In August 2017, such practices led to a complaint being issued against the company with the US Federal Trade Commission (FTC) over “unfair and deceptive trade practices”.

As well, in May 2019, the US Department of Homeland Security (DHS) warned that foreign adversaries are interested in exploiting VPN services. In other words, foreign spies might be hiding in your VPN.

We’ve said it before, and we’ll say it again. In the words of Naked Security’s Paul Ducklin, there’s nothing magical about VPNs:

A VPN doesn’t magically improve security. All it really does is to make your VPN provider into your new ISP – your “first hop” on the internet. That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not. You need to trust your VPN provider. A lot.

Swap the phrase “ad-blocker app” or “any supposedly free app at all” for “VPN,” and the equation resolves, once again, to “beware.”



Necurs zombie botnet disrupted by Microsoft

Microsoft announced on Tuesday that it was in on the busting-up of Necurs: one of the world’s biggest, baddest, busiest botnets.

Some consider Necurs to be the largest botnet ever, with estimates from 2017 indicating that, at the time, it consisted of more than 6,000,000 infected computers. It’s metastasized in the last three years: Microsoft said that the malware has now infected more than nine million computers globally.

The majority of infected computers looked like they were in India, but almost every country in the world seemed to be affected. Necurs has been used to pump out multiple flavors of nastiness worldwide, with the notable exception of Russia: the malware deliberately avoided infecting computers set up to use a Russian keyboard.

Up until it temporarily went offline around December 2016, it was inflicting malware that included Locky ransomware. It got its wind knocked out for a few months, but when Necurs came back in March 2017, it started belching out a huge pump-and-dump scam.

In its blog post, Microsoft said that, along with partners, it’s been spending the past eight years tracking and planning to knock the knees off Necurs. Microsoft says that coordinated legal and technical steps to disrupt the network of zombified computers will…

…help to ensure the criminals behind this network are no longer able to use key elements of its infrastructure to execute cyberattacks.

Unsurprisingly, given that it’s tiptoed around computers using Russian keyboards in the past, Necurs is thought to be operated by Russian crooks. Besides the ransomware and the spam, the botnet has also been used as an attack dog, sent to jump on other computers on the internet and to steal credentials for online accounts, people’s personally identifiable information (PII), and other confidential data.

Microsoft says that Necurs’ operators also sell or rent access to their zombie computers to other crooks – what’s known as a botnet-for-hire service. The botnet has also been used to distribute financially targeted malware and cryptomining. It also has the capability of being used to launch a distributed denial of service (DDoS) attack. Its operators haven’t flipped the switch on that – yet. They could activate that capability at any time, Microsoft says.

Necurs has been a powerful force of yuck: Microsoft says that during one 58-day period, its staff watched as one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.

How did they castrate that bull?

The trick was to grab it by its algorithm. Microsoft says it’s been heading up activities that will keep the crooks behind Necurs from registering new domains to execute attacks in the future – a feat that was accomplished by analyzing how Necurs systematically generates new domains through an algorithm.

From its post:

We were then able to accurately predict over six million unique domains that would be created in the next 25 months. Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet.
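The technique Microsoft describes, working out how a botnet derives its rendezvous domains and enumerating them in advance, is what lets defenders block or sinkhole the domains before they are ever registered. The following is an added example, not Microsoft's code and not Necurs' real algorithm: a deliberately simple, hypothetical domain generation algorithm seeded from a date, a function that pre-computes every domain it will use over a window, and a check that matches resolver log lines against that list. The seed, the date window and the log line format are all constructed for this example.

```python
import hashlib
import re
from datetime import date, timedelta

TLDS = ("com", "net", "biz")


def toy_dga(seed, day, count=5):
    """Hypothetical DGA (not Necurs'): derive `count` domains for one calendar day.

    Anyone who knows the seed and the construction can compute the same list
    ahead of time, which is exactly what lets a defender block or pre-register.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(ch, 16) % 26) for ch in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def predict_domains(seed, start, days, per_day=5):
    """Enumerate every domain the toy DGA will use over a window of `days` days."""
    predicted = set()
    for offset in range(days):
        predicted.update(toy_dga(seed, start + timedelta(days=offset), per_day))
    return predicted


# The resolver log line shape is constructed for this example.
LOG_RE = re.compile(r"client (?P<ip>\S+) query (?P<qname>\S+)")


def flag_queries(log_lines, blocklist):
    """Return (client, qname) for every query that hits a predicted DGA domain."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in blocklist:
            hits.append((m.group("ip"), qname))
    return hits


# Constructed inputs: a made-up seed, a 30-day window and a tiny resolver log
# in which one client asks for a domain the DGA is due to use.
SEED = "example-seed"
START = date(2020, 3, 1)
BLOCKLIST = predict_domains(SEED, START, 30)
DGA_SAMPLE = sorted(BLOCKLIST)[0]
SAMPLE_LOG = [
    "client 10.0.0.5 query example.com.",
    f"client 10.0.0.9 query {DGA_SAMPLE}.",
    "client 10.0.0.5 query updates.example.net.",
]

if __name__ == "__main__":
    print(len(BLOCKLIST), "domains predicted;", flag_queries(SAMPLE_LOG, BLOCKLIST))
```

In practice the predicted set is what gets handed to registries and resolvers, as the post describes, and the matching step is the same one a SOC runs over DNS logs to find hosts that are still trying to reach the botnet after the takedown.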

Microsoft also had help from the courts: on 5 March, the US District Court for the Eastern District of New York issued an order enabling the company to seize the US-based infrastructure Necurs uses to distribute malware and infect computers.

The next step is to partner with ISPs to scrub Necurs malware off of victimized computers: an effort that also involves partnering with law enforcement, government Computer Emergency Response Teams (CERTs), ISPs and government agencies. Microsoft says it’s working with domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others.

Want to make sure you’re free of malware? Microsoft suggests you head over to its Safety Scanner: a tool that helps to remove malware from Windows systems. Sophos also has its free Virus Removal Tool, as well as free tools for protecting both Windows and Mac systems.

