T-Mobile Austria stores passwords as plain text, Outlook gets message crypto, and more
Warning: Contains extreme stupidity
Here's a summary of stuff happening, beyond what we've already covered.
Don't get pwned. Word. Dude
Microsoft, which used to be a byword for insecure software until Bill Gates' trustworthy computing memo that turned the biz around, has added more defense mechanisms to its key suites this week: Redmond has upgraded the security for some Office 365 apps, if you're using a paid-for subscription.
For a start, Microsoft has added password protection for links shared on its OneDrive cloud storage system. Competitor Dropbox did this a while back, and it's about time Redmond followed suit.
Ditto its changes to Outlook, which now claims to have end-to-end message encryption. People using Outlook.com, Outlook for iOS and Android, or Windows Mail can send encrypted messages between themselves transparently – there's no need to click on stuff to decrypt, etc. If you send an encrypted message to someone without the above software or service, then they can "choose to receive a one-time passcode or re-authenticate with a trusted provider before viewing the email," Microsoft Office exec Kirk Koenigsbauer said.
Word, Excel, and PowerPoint are also getting an upgrade, with automatic scanning of links embedded in documents. The new code will check out the URLs to make sure that they aren't on Redmond's databases of dodgy websites and pages.
But one big, and very welcome change by Microsoft could do a lot to quell the scourge of ransomware that has become so prevalent over the last year. The Files Restore feature for paid subscribers allows you to restore OneDrive contents from a backup that covers the last 30 days of use, meaning if some malware has scrambled your files, you can retrieve intact copies. And the system can detect when the ransomware struck, and automatically restore to the last good safe checkpoint.
Another blow for ransomware
For nearly a year now, businesses around the world have been stymied by the LockCrypt ransomware, a particularly nasty strain of the criminal code.
Researchers at Malwarebytes Labs took a deep dive into the code and discovered that the creators had made a bit of a boo boo. Rather than using a proven encryption system, the writers had rolled their own and weren't that good at it.
"The authors did not make the best choice for the random generator," the eggheads report. "Rather than using a cryptographically strong one, they went for the GetTickCount function."
As a result it now looks likely that a number of LockCrypt-infected PCs can now get their files back using suitable recovery tools. Until, that is, the code is refreshed, and the whole cat and mouse game begins again.
Yet another piece of stupidity
Funny, though, the bad LockCrypt code is it hasn't been the worst cockup of the week. As we were going to press, a conversation on Twitter showed a quite astonishing display of hubris.
A customer was questioning if rumors that T-Mobile Austria was storing customer passwords in plain text, leaving the credentials like sitting ducks for hackers. Whoever was manning T-Mobile Austria's Twitter account confirmed that this was the case, but that there was no need to worry because "our security is amazingly good."
Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for https://t.co/vJapgJ50qc ^andrea— T-Mobile Austria (@tmobileat) April 4, 2018
@Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe— T-Mobile Austria (@tmobileat) April 6, 2018
That line is going to bite T-Mobile Austria in the backside, if or when they next get hacked. To be fair, it's late at night in Europe and the Twitter account was probably being handled by an overworked social media worker, but it's not a good look. Especially when people started digging further and found various security shortcomings. The whole thread is a mind job.
But that doesn’t excuse the plain-text password storage. T-Mobile USA confirmed it does not store passwords in plain text.
Such stupidity pushed back a story we'd planned to Finnish on. Geddit?
The Finnish Communications Regulatory Authority has issued an alert after the New Business Center in Helsinki, a company set up to advise companies on how best to get their businesses off the ground, got hacked. Information on 130,000 user accounts and their plaintext passwords were stolen in what's thought to be the third largest data loss in numbers of users in Finnish history.
"Details of the business plans may also include information leaked," the Finnish authority stated in an advisory.
"It is currently not known that the disclosed information would be freely accessible to anybody on the Internet. However, it is likely that the disclosed information has spread to cybercriminals." ®
News in brief
- The Kubernetes team has described how it fixed CVE-2017-1002101, which "allowed containers using subpath volume mounts to access files outside of the volume." If you haven't applied the patch yet, please do so.
- It looks as though Apple's Meltdown security fix in iOS 11 leaks the location of a kernel function, allowing miscreants to defeat the kernel's address space layout randomization – a security mechanism that thwarts exploits and jailbreaks.
- We've been writing about SS7 attacks for a while now, in which miscreants with access to any phone company's internal infrastructure redirect calls and text messages away from victims on the other side of the world. This allows crooks to hijack online accounts by intercepting password-reset tokens and two-factor authentication codes. If you're interested in how these sorts of capers work, Alejandro Corletti Estrada of Spanish infosec biz DarFe has put together a 68-page guide on everything you wanted to know about exploiting SS7 but were too afraid to Google it and read thousands more pages of documentation.
- Brit teen Saleem Rashid has published a rather in-depth guide to silently backdooring Ledger's hardware cryptocurrency wallets. If you have physical access to the wallet, either while it's shipping to a new customer or left unattended on a desk, or you can trick someone into installing malicious firmware on the gizmo, it is possible to tamper with the device to steal funds, Rashid claimed. One of the main sticking points is that Ledger's hardware uses two microcontrollers, one to do the secure stuff, and the other to control the LCD and USB interfaces. The secure side can't guarantee it is being given official Ledger firmware to run from the non-secure controller. France-based Ledger reckons it has addressed this design oversight with version 1.4 of its software, which you should install.
- AT&T has bagged a $3.3bn tech infrastructure supply contract from the NSA, despite rival DXC offering to do the job for $750m less, documents released at the end of last month reveal. The exact work is classified. Essentially, Uncle Sam's snoops thought AT&T's technology was better than DXC's, and worth the premium.
Sponsored: Becoming a Pragmatic Security Leader