
Credit Scores of Americans were Exposed Through Experian API


According to a researcher, almost every American's credit score was exposed through an API platform used by the Experian credit bureau that had been left accessible on a lender's website without even basic security safeguards. Experian, for its part, dismissed security experts' fears that the problem could be structural.

The Experian Connect API is a platform that helps lenders to simplify FICO-score queries. According to a published article, Bill Demirkapi, a sophomore at Rochester Institute of Technology, was looking for student loans when he came across a lender who would verify his eligibility with only his name, address, and date of birth. Demirkapi was taken aback and wanted to look into the code, which revealed that the tool was driven by an Experian API, he said.

“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.” 

Demirkapi said he was able to write a command-line tool called "Bill's Cool Credit Score Lookup Utility" that automated lookups, and that the lookups still succeeded after he entered all zeros in the date-of-birth field. Krebs said he was able to use the API link to obtain not only raw credit scores but also "risk factors" from Experian that described possible weaknesses in a person's credit history. He ran a credit check on his friend "Bill," whose mid-700s credit score came back with the risk factor "Too many consumer-finance company accounts."

Demirkapi refused to reveal to Experian the identity of the lender or the website where the API was exposed. He declined because he believes there are hundreds, if not thousands, of firms using the same API, and that all of those lenders are leaking Experian's customer data in the same way. “If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem,” he explained.

“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”

Security experts recorded more than 500,000 attacks on smart devices in 2 hours


Avast experts conducted an experiment in which they installed more than 500 trap servers (honeypots) in Russia (in Moscow and Khabarovsk) and in other countries, posing as IoT devices such as streaming devices, webcams or routers. With this, the experts wanted to show how many potential attacks smart home devices face.

The more than 500 traps were scanned by potential attackers 561,003 times in two hours, and the five devices located in Russia were scanned 5,370 times in two hours. The honeypots were located in Russia, Mexico, France, Germany, South Korea, Australia, the United Kingdom, Japan, Spain, Ireland, Singapore, the United States, and India. According to the research, the three main countries from which the attacks came were the US, the Netherlands and Japan.

It is worth noting that Avast researchers chose typical connected devices with open ports to make attackers believe they were connecting to real routers, smart TVs, Webcams, or other smart devices.

The purpose of the traps was to measure the activity of cyber criminals and study the methods of attackers who believe they are attacking real devices holding real data. The Avast traps were configured with open ports such as TCP/23 (Telnet), TCP/22 (SSH) and TCP/80 (HTTP), which are usually found on Internet-connected devices such as routers, security cameras and smart TVs.
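To make the setup described above concrete, here is an added example of a minimal low-interaction honeypot of the same shape. It is not Avast's code: it listens on ports standing in for the Telnet, SSH and HTTP services named in the article (remapped to the hypothetical high ports 2223, 2222 and 8080 so it runs without root; a real deployment would bind 23, 22 and 80), returns a constructed banner so a scanner believes it reached a device, records each inbound connection as a log line, and tallies scans per service and per source IP, which is the kind of count the experiment reported.

```python
"""Minimal low-interaction honeypot (added example, not Avast's code)."""
import datetime
import socket
import threading
import time
from collections import Counter

# Assumption: three services mirroring the ports named in the article,
# remapped to unprivileged ports for this demonstration.
SERVICES = {2223: "telnet", 2222: "ssh", 8080: "http"}

# Constructed banners; they only need to look plausible to a scanner.
BANNERS = {
    "telnet": b"\r\nlogin: ",
    "ssh": b"SSH-2.0-dropbear_2019.78\r\n",
    "http": (b"HTTP/1.0 401 Unauthorized\r\n"
             b"WWW-Authenticate: Basic realm=\"router\"\r\n"
             b"Content-Length: 0\r\n\r\n"),
}


def format_event(ts, src_ip, src_port, service, first_bytes):
    """One log line per connection: time, source, service, first bytes as hex."""
    return f"{ts.isoformat()} src={src_ip}:{src_port} svc={service} data={first_bytes.hex()}"


def parse_event(line):
    """Inverse of format_event; IPv4 sources only in this example."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    src_ip, _, src_port = fields["src"].rpartition(":")
    return {"ts": line.split()[0], "src_ip": src_ip, "src_port": int(src_port),
            "svc": fields["svc"], "data": bytes.fromhex(fields["data"])}


def summarize(lines):
    """Tally recorded connections per service and per source IP."""
    per_service, per_source = Counter(), Counter()
    for line in lines:
        ev = parse_event(line)
        per_service[ev["svc"]] += 1
        per_source[ev["src_ip"]] += 1
    return {"total": len(lines), "per_service": per_service, "per_source": per_source}


def sample_events():
    """Constructed log lines standing in for two hours of recorded scans."""
    ts = datetime.datetime(2019, 1, 1, 12, 0, tzinfo=datetime.timezone.utc)
    return [
        format_event(ts, "203.0.113.5", 40001, "telnet", b"root\r\n"),
        format_event(ts, "203.0.113.5", 40002, "ssh", b""),
        format_event(ts, "198.51.100.7", 5000, "telnet", b"admin\r\n"),
    ]


def handle(conn, addr, service, sink):
    """Send the banner, capture whatever the peer sends first, log it."""
    try:
        conn.settimeout(3)
        conn.sendall(BANNERS[service])
        try:
            data = conn.recv(64)
        except socket.timeout:
            data = b""
        now = datetime.datetime.now(datetime.timezone.utc)
        sink.append(format_event(now, addr[0], addr[1], service, data))
    finally:
        conn.close()


def serve(port, service, sink):
    """Accept loop for one fake service; each connection gets its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle, args=(conn, addr, service, sink), daemon=True).start()


if __name__ == "__main__":
    events = []
    for port, svc in SERVICES.items():
        threading.Thread(target=serve, args=(port, svc, events), daemon=True).start()
    print("honeypot listening on", SERVICES)
    try:
        while True:
            time.sleep(60)
            print(summarize(events))
    except KeyboardInterrupt:
        pass
```

The honeypot never executes anything a peer sends; it only records the first bytes, which is what makes it low-interaction and safe to expose. The per-source tally is what would let you attribute scan volume to origin networks, as the article does by country.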

According to Avast research, streaming devices are among the top 5 most vulnerable in the home, and two-thirds of routers in Russia have weak credentials or software vulnerabilities.

According to Michal Salat, Director of the Avast Threat Analysis Department, most people do not pay much attention to the vulnerabilities of home devices such as smart speakers, TVs or light bulbs, because they believe they cannot become a target of cybercriminals.

"For many people, it probably doesn't matter if their devices are used to attack other people, but they should know that hackers can also target them".

An attacker needs only one compromised device to take control of the entire home network. A vulnerable coffee maker can become the front door for an attacker to spy on a household through its smart speaker and security camera. In addition, connected devices may hold GPS data, so an attacker can obtain the exact location of the device.

Expert warns cyber threats to worsen with tech advances


Technological advances like Artificial Intelligence, Internet of Things, Automatic Cards and others will throw up new challenges for cyber security and all countries must unite to foresee and combat them, a leading Israeli cyber security expert said on Monday.

"The Internet was not designed for security, hence it is inherently insecure since everything is hackable. It is more difficult to be a cyber security personnel than a hacker. The hacker has to succeed only once, where the cyber security personnel has to succeed always to remain safe, within many rules and regulations," Menny Barzilay, the CEO, Cyber Research Centre of Tel Aviv University and CEO of Cytactic, said.

He pointed out how "smart people" from different countries are joining hands to commit cyber crimes and hence there is "a need for super-smart people" from around the world to join as cyber security experts.

"Cyber threats don't create a sense of urgency, unlike a bomb threat, and we cannot feel it in our senses. It is therefore more difficult to convince people that the 'cyber' threat is real," said Barzilay, addressing a panel discussion on cyber security at Nehru Science Centre (NSC) via videoconference.

The discussion was also attended by Israeli Consul-General in Mumbai, Yaakov Finkelstein, security experts from the Mumbai Police and students.

Recalling an incident of cyber attack on Sony Corporation after the release of its film, "The Interview", Barzilay said that corporates are not prepared to face cyber crimes and the government must support them during such cyber hits.

"Billions of devices, part of Internet of Things implies they are prone to hacking, a smart device means being vulnerable, it will also affect our privacy. Big companies have lot of data about users and can manipulate them for private gains, something which allegedly happened in the US elections," he said.

Apple MacBook vulnerable to hack using battery

Ethical hacker Charlie Miller has found a way to hack the MacBook through its battery.

"Laptop battery contains its own monitoring circuit which reports the status of the battery to the OS. It also ensures that the battery does not overcharge even when the laptop is turned off," the Digitizor report reads.

He found that the battery's chips ship with a default password. This means that an attacker who finds the default password and learns to control the firmware can make the chips do anything he wants.

"You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would reattack and screw you over. There would be no way to eradicate or detect it other than removing the battery," Digitizor quoted Miller as saying.