MiSafe’s Child-Tracking Smart-Watches Are Not-So-Safe!

MiSafe’s Child-Tracking Smart-Watches Are Not-So-Safe!

Apparently MiSafe location tracking smart-watches that parents lean onto for their children’s safety are not so safe after all as they are fairly vulnerable to hacking.

Evidently, a security researcher stumbled upon the fact that neither the data stored in the smart-watches nor the child’s account was being encrypted by the device.

And what happened as a result was that the researcher could not only have a sneak peek into the activities of the particular child but could also make prank calls pretending to be the child’s parents.

The product was vehemently reprimanded by the researchers because of the problematic issues it entailed.

MiSafe’s Kid’s watcher Plus was repeatedly tried to contact by the researchers about the smart-watch crisis but in vain.

The smart-watch which was brought to public’s knowledge when it was released in 2015 uses the GPS sensor (Global Positioning System) and a mobile data connection of 2G speed to track down the child’s whereabouts that makes use of a smartphone application.

In fact, a digital safe-zone could be created, which if surpassed by the child, would initiate an alert signal for the parents.

Two-way calls could also be initiated and two people together can tap into their kid’s activities.

When the device’s security extent was evaluated it was discovered that the application’s communication could be easily forged via some computer software. ID numbers could be fairly altered to crawl into someone else’s account.

The process laid bare the personal information inside the device which encompassed the child’s photograph, their name, gender, height weight, age, parents’ phone numbers and the watch’s sim card number.

When some other units of the same product were tested it was found out that the past and present locations of the person with the watch on them could be easily tracked, also the safe-zoning could be modified to activation during the child’s advancing to the area rather than retreating. 

Initially the watch was designed to accept calls only from parties that were authorized but given the few glitches that security aspect could be dodged.

The above mentioned activity could be done via applications that fake the caller ID numbers. All the hacker need to have is the parents’ number.

According to researchers, this could turn out to be a destructive tactic as the child could be manipulated to leave the house for a certain desolate place.

Over 13,800 of these precarious devices are still being used out there.

Reportedly, several other cases with the same predicament have been highlighted before, but the MiSafe’s products are specifically hazardous.

 It’s being said that such a perilous product should never have gotten to the market and that eBay has already removed the product from its online store list. 

Infowars Hit With Card Skimming Malware

As indicated by ZDNet and Dutch security researcher, Willem de Groot, the malware capable of furtively recording payment card details was removed on the 14th of November from the Infowars online store after ZDNet contacted the company's staff.

The site was a recent victim of an especially awful Magecart infection, which hoovered up the details of around 1,600 clients.

Magecart is a strain of malware that objectives online retail stages. Working by quietly recording the payment card details put together by the clients, and after that sending them to a remote server, where they can be utilized for Visa misrepresentation (credit card fraud) , or sold on to various other offenders on the black market.

The malware was covered inside a block of Google Analytics code, and was live for only 24 hours before it was removed says de Groot.

The malware, present on each Infowars store page, just activated itself on the site's checkout pages. As indicated by ZDNet, the code scratched all substance found inside the checkout forms each 1.5 seconds, not before transmitting it to a remote server situated in Lithuania.

As per Jones, Infowars is cautioning clients to be watchful about unapproved installments on their cards. The company additionally trusts that the genuine number of influenced clients might be lower than 1,600, because of a few people re-requesting things amid a similar time period.

An announcement given to ZDNet by Alex Jones considered the hack a " act of industrial and political sabotage," and said that it was "probably carried out by leftist stay behind networks (sic) hiding inside US intelligence agencies.”
The full Alex Jones statement is available below:

This criminal hack is an act of industrial and political sabotage. The corporate press is claiming that a Magento plugin to the shopping cart was the point of entry, but that is not true. Infowarsstore.com has never installed that plugin. We use some of the top internet security companies in the nation and they have reported to us that this is a zero-day hack probably carried out by leftist stay behind networks hiding inside US intelligence agencies.

Magento's top security people have done a site-wide scan and found no security vulnerabilities. And we believe security features we will not mention, appear to have blocked them from getting anyone's credit card numbers.

The hack took place less than 24 hours ago; it is undoubtedly the hacker or hacker group that then reported this to the establishment corporate press in an attempt to scare business away from Infowarstore.com.

Only 1600 customers may have been affected. Most of those were re-orders so their information would not be accessible. Nevertheless, our customer-supporter base is being contacted so they can watch for any unusual charges to their account and rectify them.

Cyberattacks and volatile weather top risks for Indian corporate: Study

Marsh, a global leader in insurance broking, and RIMS, the risk management society, collaborated on a study which revealed that large-scale cyber-attacks and extreme weather are the top risks for India Inc. In the study conducted across 19 industries, risk professionals, C-suites executives and others identified cyber-attacks as the topmost risk at 88%, data fraud or theft at 85%, volatile weather at 84%, severe energy price shock at 81% and major financial failure at 81%.

Titled ‘Marsh RIMS - State of Risk Management in India’, the report sheds light on the maturity of risk management functions in corporate India. It addresses areas such as the top risks Indian corporates face, the maturity level of risk management in organisations, the key areas of risk management that require improvement, the risks of adopting emerging technologies, and key recommendations for risk executives.

‘Excellence in Risk Management’ series is published by Marsh annually in several geographies. This report on Indian scenario was launched at the recent RIMS’ first risk management forum in India.

A little over a third (37%) respondents believed cyber-attacks are highly prevalent now due to India’s growing dependency on data and digitisation efforts. In May 2018, the Indian Computer Emergency Response Team (CERT-In) found that over 22,000 Indian websites, including 114 government portals, were hacked between April 2017 and January 2018.

Shedding light on the maturity of risk management functions in corporate India, this elaborate survey observed three separate time frames to assess the said risks; an already significant concern; will be a significant concern in one to three years; and a significant concern after three years.

A few other identified risks that are foreseen are financial crises in key economies, which stands at 80%, water crises and shortfall of critical infrastructure at 76%, and failure of urban planning and failure of national governance at 72%.

Huntsville Hospital job applicants’ information could be at risk after data breach

Huntsville Hospital in Alabama is reporting the information of job applicants who applied to the facility may be at risk after a breach at a recruiting firm it uses. The breach could affect thousands across the country, but if you've applied to the hospital it could impact you too.

The hospital’s online application vendor Jobscience is a cloud computing firm that helps to staff and recruiting organizations.

The hospital sent the following release Thursday afternoon: “Regrettably, we’ve learned that Jobscience, Inc., the vendor which we’ve used for online employment application services since 2006, had a data breach which may have involved information from individuals who applied for jobs at Huntsville Hospital. Because of this, notification letters are being sent to the affected persons.”

“Although we have no indication that any information has been misused in any way, out of an abundance of caution, we are offering identity theft protection to those job applicants whose Social Security Number may have been compromised. The hospital no longer uses the services of Jobscience," the hospital said in the release.

Huntsville Hospital sent out letters to employees and applicants letting them know that their information could have been breached and identity protection services are offered to anyone who may have been compromised by the incident.

Burr Ingram, a spokesperson for Huntsville Hospital, says there is no indication that any information has been misused in any way but there is a possibility.

Jobscience has not commented on this matter so far.

Authentication Flaw in DJI Drone Web App Let Attackers Gain Control

Researchers have found a critical authentication flaw in the DJI drone web app which poses a serious threat to the security of business giants and to the solo clan as well. Once exploited, the vulnerabilities discovered were reported to trigger remote hacks gaining access to DJI's web store, synced cloud server data, and FlightHub
Security Vulnerability Found in the DJI Drone Web App

As discovered by the researchers at Check Point Research, a critical authentication flaw has existed in the DJI drone web app which when exploited allowed attackers to access targeted user’s DJI account without any alarm going off.

The security vulnerability was nestled in the authentication process of DJI which allowed the attacker to sneak around protections and get access to the victim’s account in the manner as follows – referenced from Check Point Reports
DJI uses a cookie that the attacker can obtain to identify a user and create tokens, or tickets, to access their platforms. Through the use of this cookie, an attacker is able to simply hijack any user's account and take complete control over any of the user's DJI Mobile Apps, Web Account or DJI FlightHub account."
How the exploit unfolds?

To set the execution of the attack in motion is far from a complex mechanism, simply clicking on an infectious link that the attacker publishes on the DJI forum will have your account held hostage. 

The attack type is known to be a cross-site scripting attack which provides unethical access to the victim’s account from where the attackers can sneak sensitive data such as multimedia captured by the drone, its flight logs, camera view, profile information, and live map.

DJI’s take on the security crisis

A DJI which has battled with security issues lately, this time welcomed the findings by the researchers with open arms as DJI's Mario Rebello, vice president, and the country manager was recorded saying, "We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” in a statement. He said, “This is exactly the reason DJI established our bug bounty program in the first place."
Appropriately responding to the findings by the Check Point Reports, DJI acknowledged the escalated risk factor of the bug but also attributed low probability to the flaw easing the concerns of the users. Alongside, they also confirmed that the flaw remained unexploited.