To improve functionality between Uber’s app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user’s iPhone screen, even if Uber’s app was only running in the background, security researchers told Gizmodo. After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app.Setup Timeout Error: Setup took longer than 30 seconds to complete.The screen recording capability comes from what’s called an “entitlement”—a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn’t common and would require Apple’s explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn’t find any other apps with the entitlement live on the App Store.“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach said. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”

Source: Researchers: Uber’s iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen

Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax.

At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

The homepage for this Equifax service wants to assure visitors that “Your personal information is protected.”

“With your consent your personal data can be retrieved only by credentialed verifiers,” Equifax assures us, referring mainly to banks and other entities that request salary data for purposes of setting credit limits.

Sadly, this isn’t anywhere near true because most employers who contribute data to The Work Number — including Fortune 100 firms, government agencies and universities — rely on horribly weak authentication for access to the information.

To find out how easy it is to view your detailed salary history, you’ll need your employer’s name or employer code. Helpfully, this page lets you look that up quite easily (although if you opt to list employers alphabetically by the first letter of the company name, there are so many entries for each letter that I found Equifax’s database simply crashes half the time instead of rendering the entire list).

What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employees’s Social Security number (or a portion of it).

At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.

Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.

Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer’s T-Mobile account number, and the phone’s IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug.

The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew—or guessed—your phone number to obtain data that could’ve been used for social engineering attacks, or perhaps even to hijack victim’s numbers.

“T-Mobile has 76 million customers, and an attacker could have ran a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users,” Saini, who is the founder of startup Secure7, told Motherboard in an online chat. (T-Mobile said that, in fact, the company has 70 million customers, not 76).

“That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim,” he added.
[…]
Karsten Nohl, a cybersecurity researcher who has done work studying cellphone security, told Motherboard that, theoretically, by knowing someone’s IMSI number, hackers or criminals could track a victim’s locations, intercept calls and SMS, or conduct fraud by taking advantage of flaws in the SS7 network, a backbone communications network that is notoriously insecure. Still, Nohl added that “there is no obvious way to make money easily with just an IMSI,” so it’s hard to tell whether such an attack would be attractive to cybercriminals.
[…]
a blackhat hacker who asked to remain anonymous warned Motherboard that the recently patched bug had been found and exploited by other malicious hackers in the last few weeks.

“A bunch of sim swapping skids had the [vulnerability] and used it for quite a while,” the hacker told me, referring to the criminal practice of taking over phone numbers by requesting new SIM cards impersonating the legitimate owners by socially engineering support technicians.

To prove their claim, the hacker sent me my own account’s data.

Source: T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number

On the positive side, T-Mobile gave the discoverer a bug bounty and tried to close the hole with an update. On the negative side, their patch didn’t close the hole.

In November 2016, the Australian Signals Directorate (ASD) was alerted by a “partner organisation” that an attacker had gained access to the network of a 50-person aerospace engineering firm that subcontracts to the Department of Defence.

Restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and “a few Australian naval vessels” was among the sensitive data stolen from a small Australian defence contractor in 2016.

The secret information was restricted under the International Traffic in Arms Regulations (ITAR), the US system designed to control the export of defence- and military-related technologies, according to Mitchell Clarke, an incident response manager at the ASD who worked on the case
[…]
The victim’s network was small. One person managed all IT-related functions, and they’d only been in the role for nine months. High staff turnover was typical.

There was no protective DMZ network, no regular patching regime, and a common Local Administrator account password on all servers. Hosts had many internet-facing services.

Access was initially gained by exploiting a 12-month-old vulnerability in the company’s IT Helpdesk Portal, which was mounting the company’s file server using the Domain Administrator account. Lateral movement using those same credentials eventually gave the attacker access to the domain controller and the remote desktop server, and to email and other sensitive information.

“This isn’t uncommon,” Clarke said. “Only about 12 months old, if you look at government, that’s not that out of date, unfortunately.”

The attacker needn’t have bothered with that, however. The ASD’s investigation found that internet-facing services still had their default passwords, admin::admin and guest::guest.

An important aspect of this incident is that a small company, with resources that were clearly inadequate given the sensitivity of the data they held, still managed to obtain and hold ITAR certification.

According to Clarke, an application for ITAR certification is usually only “two or three pages”, and asks only basic questions about organisations’ security posture.

Source: Secret F-35, P-8, C-130 data stolen in Australian defence contractor hack | ZDNet