The Daily Swig Web security digest

‘I don’t want to live in a world where younger generations grow up without privacy’

James Walker | 23 February 2018 at 16:00

Top infosec trends in the social media spotlight this week…

Spyware developer Retina-X Studios hit the headlines once again this week, amid reports that the company has suffered its second breach in under a year.

The Florida-based firm was thrust into the spotlight last April, after Motherboard interviewed a hacker who claimed to have wiped the company’s servers.

Although Retina-X’s computer and smartphone monitoring software is ostensibly for parental and work purposes, Motherboard said the 2017 hack exposed the fact that many individuals have been surreptitiously installing spyware on their partners’ phones.

Less than one year on, the same hacker is purported to have hit Retina-X once again – this time deleting one terabyte of data from the company’s servers.

According to Motherboard, the spyware allows individuals to have full access to their target’s smartphone or computer, including being able to view photos and text messages, see the websites they visit, and even track their location.

“None of this should be online at all,” the hacker was quoted as saying. “I really find this category of software disturbing.”

He added: “Edward Snowden has said that privacy is what gives you the ability to share with the world who you are on your own terms… I don’t want to live in a world where younger generations grow up without that right.”

Retina-X has denied the claims that it has been hacked.

In IoT news, Austrian cybersecurity firm SEC Consult has discovered a raft of vulnerabilities in the popular Mi-Cam range of video baby monitors.

Based on Google Play store install figures and data extracted from Mi-Cam’s cloud API, researchers at SEC Consult estimated that the flaws left around 52,000 user accounts exposed to ill-intentioned hackers.

“A number of critical API calls can be accessed by an attacker with arbitrary session tokens because of broken session management,” said Johannes Greil, head of the SEC Consult Vulnerability Lab.

“Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID.”
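The weakness Greil describes, an API that accepts any session token and then trusts a client-supplied UID, is a general pattern worth seeing side by side with its fix. The following is an added illustration, not code from Mi-Cam or from SEC Consult’s advisory; the device table, session lifetime and user IDs are constructed for the example.

```python
import secrets
import time

SESSION_TTL = 3600  # seconds a session token stays valid (assumed value)

# Constructed demo data: camera feeds keyed by user ID. Not real Mi-Cam data.
DEVICES = {
    "user-1": ["cam-1a"],
    "user-2": ["cam-2a", "cam-2b"],
}

# Server-side session store: token -> {"uid": ..., "expires": ...}
SESSIONS = {}


def login(uid, now=None):
    """Issue a fresh, unguessable session token bound to uid on the server."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[token] = {"uid": uid, "expires": now + SESSION_TTL}
    return token


def list_devices_vulnerable(token, uid):
    """Broken session management: any non-empty token is accepted and the
    UID comes from the request, so an attacker can enumerate every user's
    devices by sending an arbitrary token together with the victim's UID."""
    if not token:
        raise PermissionError("missing session token")
    return DEVICES.get(uid, [])


def authorized(token, now=None):
    """Return the server-side session for token, or None if the token is
    unknown or expired. The UID is never taken from the client."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None or session["expires"] <= now:
        return None
    return session


def list_devices_hardened(token, now=None):
    """Only the devices of the user the session was issued to are returned."""
    session = authorized(token, now)
    if session is None:
        raise PermissionError("invalid or expired session token")
    return DEVICES.get(session["uid"], [])


def devices_or_none(token, now=None):
    """Wrapper for callers that want a value rather than an exception:
    None means the request was denied."""
    try:
        return list_devices_hardened(token, now)
    except PermissionError:
        return None


if __name__ == "__main__":
    token = login("user-1", now=1000)
    # Vulnerable path: a garbage token plus someone else's UID still works.
    print(list_devices_vulnerable("not-a-real-token", "user-2"))
    # Hardened path: the UID comes from the session, not from the request.
    print(list_devices_hardened(token, now=1001))
    print(devices_or_none("not-a-real-token", now=1001))
```

The hardened handler takes no UID parameter at all: the identity is looked up from the server-side session record, so a valid token for one account cannot be replayed against another, and an unknown or expired token is rejected before any device data is touched.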

Elsewhere, security experts have warned the UK government that the rollout of a new type of smart energy meter will leave households vulnerable to cyber-attacks.

Speaking to the Financial Mail on Sunday last week, Nick Hunn of wireless analysis firm WiFore said criminals have the capability to compromise the new SMETS 2 smart meters, allowing them to artificially inflate meter readings and intercept payments.

Over in Australia, Troy Hunt has launched an expanded database of passwords compromised in data breaches, published through his Have I Been Pwned? website.

Version two of the Pwned Passwords dataset now features more than 500 million entries – distilled down from a master list of three billion passwords, which included duplicates.

In a blog post describing how the list can be used by organizations to better protect their systems, Hunt cited the National Institute of Standards and Technology’s Digital Identity Guidelines (SP 800-63B), which direct federal agencies to ensure that passwords obtained from previous breaches are disallowed in their own applications:

This makes a lot of sense when you think about it: if someone is signing up to a service with a password that has previously appeared in a data breach, either it’s the same person reusing their passwords (bad) or two different people who, through mere coincidence, have chosen exactly the same password.

In reality, this means they probably both have dogs with the same name or some other personal attribute they're naming their passwords after (also bad).
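To make the guidance concrete, here is an added example of the breach-list check an application can run at sign-up. It is not code from Hunt’s post or from Have I Been Pwned?; it works offline against a two-line sample in the “SHA-1:count” layout the v2 download uses. The two digests really are the SHA-1 hashes of “password” and “123456”, but the counts are made up, and the prefix range lookup is a simulation written for this example rather than a call to any network API.

```python
import hashlib

# Constructed sample in the Pwned Passwords v2 file layout ("SHA1:count",
# one per line, hashes in upper-case hex). The two digests are the real SHA-1
# of "password" and "123456"; the prevalence counts are invented for this demo.
SAMPLE_PWNED_FILE = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:1000
7C4A8D09CA3762AF61E59520943DC26494F8941B:2000
"""

MIN_PASSWORD_LENGTH = 8  # SP 800-63B floor for user-chosen memorized secrets


def sha1_hex(password):
    """Upper-case hex SHA-1 of the UTF-8 password, the key used by the list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_pwned(text):
    """Parse 'HASH:count' lines into a dict; blank or malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, sep, count = line.partition(":")
        if sep and len(digest) == 40 and count.isdigit():
            table[digest.upper()] = int(count)
    return table


PWNED = load_pwned(SAMPLE_PWNED_FILE)


def range_lookup(table, prefix):
    """Simulated prefix range query (an assumption of this example): given the
    first 5 hex chars of a SHA-1, return {suffix: count} for every digest in
    the table that starts with that prefix. A client built this way never
    sends the full hash of the candidate password to the lookup service."""
    prefix = prefix.upper()
    return {d[5:]: c for d, c in table.items() if d.startswith(prefix)}


def pwned_count(password, table=PWNED):
    """How many times the password appears in the list (0 if never)."""
    digest = sha1_hex(password)
    suffixes = range_lookup(table, digest[:5])
    return suffixes.get(digest[5:], 0)


def password_allowed(password, table=PWNED):
    """Accept only passwords that meet the length floor and are absent from
    the breach list, which is the SP 800-63B check Hunt's post points at."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return pwned_count(password, table) == 0


if __name__ == "__main__":
    for candidate in ["password", "123456", "correct horse battery staple"]:
        print(candidate, pwned_count(candidate), password_allowed(candidate))
```

Swapping `SAMPLE_PWNED_FILE` for the contents of the real download gives a working sign-up filter; the `pwned_count` result can also be surfaced to the user (“this password has appeared N times in breaches”) rather than silently rejected, which is how the guidance suggests handling the case.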

The launch of Pwned Passwords 2 will no doubt help organizations further improve their web application security, but the industry’s renewed efforts to put an end to password reuse come at the worst possible time for online dating site Words of Heart.

In an interesting twist to standard dating applications, Words of Heart matches love-seekers with others who have used the same password.

News of the dating site started to spread last week. And although April Fool’s Day is still over a month away, the site’s developer has since admitted that Words of Heart was created as a joke.

Many were duped into thinking the site was legitimate, while others were more than happy to play along with the notion that the security-conscious among us are destined for a life of password manager-induced loneliness.