Friday, 20 April 2018

T-Mobile Austria stores passwords as plain text, Outlook gets message crypto, and more

Roundup While Facebook caught most of the security-related flak this week, there were other infosec stories out there.
Here's a summary of stuff happening, beyond what we've already covered.

Don't get pwned. Word. Dude

Microsoft, which used to be a byword for insecure software until Bill Gates' trustworthy computing memo turned the biz around, has added more defense mechanisms to its key suites this week: Redmond has upgraded the security for some Office 365 apps, if you're using a paid-for subscription.

For a start, Microsoft has added password protection for links shared on its OneDrive cloud storage system. Competitor Dropbox did this a while back, and it's about time Redmond followed suit.

Ditto its changes to Outlook, which now claims to have end-to-end message encryption. People using Outlook.com, Outlook for iOS and Android, or Windows Mail can send encrypted messages between themselves transparently – there's no need to click on stuff to decrypt, etc. If you send an encrypted message to someone without the above software or service, then they can "choose to receive a one-time passcode or re-authenticate with a trusted provider before viewing the email," Microsoft Office exec Kirk Koenigsbauer said.

Word, Excel, and PowerPoint are also getting an upgrade, with automatic scanning of links embedded in documents. The new code will check out the URLs to make sure that they aren't on Redmond's databases of dodgy websites and pages.

But one big and very welcome change by Microsoft could do a lot to quell the scourge of ransomware that has become so prevalent over the last year. The Files Restore feature for paid subscribers allows you to restore OneDrive contents from a backup that covers the last 30 days of use, meaning if some malware has scrambled your files, you can retrieve intact copies. And the system can detect when the ransomware struck, and automatically restore to the last known-good checkpoint.


Another blow for ransomware

For nearly a year now, businesses around the world have been stymied by the LockCrypt ransomware, a particularly nasty strain of the criminal code.

Researchers at Malwarebytes Labs took a deep dive into the code and discovered that the creators had made a bit of a boo boo. Rather than using a proven encryption system, the writers had rolled their own and weren't that good at it.

"The authors did not make the best choice for the random generator," the eggheads report. "Rather than using a cryptographically strong one, they went for the GetTickCount function."

As a result, it now looks likely that a number of LockCrypt-infected PCs can get their files back using suitable recovery tools. Until, that is, the code is refreshed, and the whole cat and mouse game begins again.
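As an added illustration (not from the article or the Malwarebytes write-up), here is a hypothetical toy cipher whose only secret is a millisecond tick counter, standing in for a GetTickCount-seeded generator, together with the victim-side recovery that such a choice makes possible: the file's public format header plus a rough idea of the machine's uptime at infection time is enough to find the key. The LCG, the sample PDF and the tick value are all constructed; LockCrypt's real cipher is not described on the page.

```python
import os

# Hypothetical toy keystream: a 32-bit LCG whose only seed is a millisecond
# tick counter, standing in for "GetTickCount as the random generator".
# This is NOT LockCrypt's real cipher, which the article does not describe.
def lcg_keystream(seed: int, n: int) -> bytes:
    state = seed & 0xFFFFFFFF
    out = bytearray()
    for _ in range(n):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append(state >> 24)  # top byte depends on every bit of the seed
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def weak_encrypt(plaintext: bytes, tick_ms: int) -> bytes:
    """The flawed design: the key material is just the machine's uptime in ms."""
    return xor_bytes(plaintext, lcg_keystream(tick_ms, len(plaintext)))

def recover_tick(ciphertext: bytes, known_header: bytes, tick_lo: int, tick_hi: int):
    """Victim-side recovery. The file's format header is public, so the first
    bytes of keystream are known; test each tick in the suspected uptime window
    (e.g. from event logs around the infection time) until one reproduces it."""
    target = xor_bytes(ciphertext[: len(known_header)], known_header)
    for tick in range(tick_lo, tick_hi):
        if lcg_keystream(tick, len(known_header)) == target:
            return tick
    return None

def recover_file(ciphertext: bytes, known_header: bytes, tick_lo: int, tick_hi: int):
    tick = recover_tick(ciphertext, known_header, tick_lo, tick_hi)
    if tick is None:
        return None
    return xor_bytes(ciphertext, lcg_keystream(tick, len(ciphertext)))

def strong_key() -> bytes:
    """The fix: a key from the OS CSPRNG, 2^256 candidates instead of a tick window."""
    return os.urandom(32)

# Constructed sample: a small PDF hit when the box had been up about 3.7 minutes.
SAMPLE = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
INFECTION_TICK = 222_517  # constructed: ms since boot
ENCRYPTED = weak_encrypt(SAMPLE, INFECTION_TICK)

if __name__ == "__main__":
    # A 2-minute window (120,000 ticks) is searched in well under a second.
    print(recover_tick(ENCRYPTED, b"%PDF-1.7", 150_000, 270_000))  # 222517
```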


Yet another piece of stupidity

Funnily enough, bad as the LockCrypt code is, it hasn't been the worst cockup of the week. As we were going to press, a conversation on Twitter showed a quite astonishing display of hubris.

A customer was asking whether the rumors were true that T-Mobile Austria was storing customer passwords in plain text, leaving the credentials like sitting ducks for hackers. Whoever was manning T-Mobile Austria's Twitter account confirmed that this was the case, but said that there was no need to worry because "our security is amazingly good."


Claudia Pellegrino (@c_pellegrino):
Does T-Mobile Austria in fact store customers’ passwords in clear text @tmobileat? @PWTooStrong @Telekom_hilft https://twitter.com/SeloX_AUT/status/981406875811008513 …

T-Mobile Austria (@tmobileat):
Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for http://mein.t-mobile.at ^andrea

Eric™ (@Korni22), replying to @tmobileat and 3 others:
Well, what if your infrastructure gets breached and everyone’s password is published in plaintext to the whole wide world?

T-Mobile Austria (@tmobileat):
@Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe


That line is going to bite T-Mobile Austria in the backside, if or when they next get hacked. To be fair, it's late at night in Europe and the Twitter account was probably being handled by an overworked social media worker, but it's not a good look. Especially when people started digging further and found various security shortcomings. The whole thread is a mind job.

But that doesn’t excuse the plain-text password storage. T-Mobile USA confirmed it does not store passwords in plain text.


Finnish f**kup

Such stupidity pushed back a story we'd planned to Finnish on. Geddit?

The Finnish Communications Regulatory Authority has issued an alert after the New Business Center in Helsinki, a company set up to advise companies on how best to get their businesses off the ground, got hacked. Information on 130,000 user accounts and their plaintext passwords was stolen in what's thought to be the third largest data loss, by number of users, in Finnish history.

"Details of the business plans may also include information leaked," the Finnish authority stated in an advisory.

"It is currently not known that the disclosed information would be freely accessible to anybody on the Internet. However, it is likely that the disclosed information has spread to cybercriminals." ®
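Both the T-Mobile Austria thread and the Helsinki breach come down to the same missing control: a password table that holds the password itself. As an added example (not code from either organisation or from the article), here is what the stored record should look like instead, with a salted PBKDF2-HMAC-SHA256 digest, a constant-time check, and a login path that upgrades a legacy plain-text row on the user's next successful login so that no mass reset is needed. The `plain$` legacy marker and the in-memory `db` dictionary are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it over time as hardware gets faster.
ITERATIONS = 600_000

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, per-user salt, digest.
    Nothing in it lets an operator (or an intruder) read any part of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and work factor; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))

def login(db: dict, username: str, password: str) -> bool:
    """Authenticate against a user table that still holds legacy plain-text rows
    ("plain$<password>", a hypothetical marker) and upgrade each such row to a
    hash on the user's next successful login, so no password reset is needed."""
    record = db.get(username)
    if record is None:
        return False
    if record.startswith("plain$"):
        legacy = record[len("plain$"):]
        if not hmac.compare_digest(legacy.encode("utf-8"), password.encode("utf-8")):
            return False
        db[username] = hash_password(password)  # the plain text leaves the table here
        return True
    return verify_password(password, record)
```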


News in brief

We've been writing about SS7 attacks for a while now, in which miscreants with access to any phone company's internal infrastructure redirect calls and text messages away from victims on the other side of the world. This allows crooks to hijack online accounts by intercepting password-reset tokens and two-factor authentication codes. If you're interested in how these sorts of capers work, Alejandro Corletti Estrada of Spanish infosec biz DarFe has put together a 68-page guide on everything you wanted to know about exploiting SS7 but were too afraid to Google it and read thousands more pages of documentation.
Brit teen Saleem Rashid has published a rather in-depth guide to silently backdooring Ledger's hardware cryptocurrency wallets. If you have physical access to the wallet, either while it's shipping to a new customer or left unattended on a desk, or you can trick someone into installing malicious firmware on the gizmo, it is possible to tamper with the device to steal funds, Rashid claimed. One of the main sticking points is that Ledger's hardware uses two microcontrollers, one to do the secure stuff, and the other to control the LCD and USB interfaces. The secure side can't guarantee it is being given official Ledger firmware to run from the non-secure controller. France-based Ledger reckons it has addressed this design oversight with version 1.4 of its software, which you should install.
AT&T has bagged a $3.3bn tech infrastructure supply contract from the NSA, despite rival DXC offering to do the job for $750m less, documents released at the end of last month reveal. The exact work is classified. Essentially, Uncle Sam's snoops thought AT&T's technology was better than DXC's, and worth the premium.

source: the register.co.uk