Charter Spectrum Security Flaw Exposes Private Data Of Millions Of Subscribers

from the Another-day,-another-scandal dept

Last year you'll recall that the cable and broadband industry lobbied the government to kill off broadband privacy rules at the FCC. The rules were fairly basic, requiring that ISPs and cable operators clearly disclose what data is being collected and sold, but also provide working opt out tools for users who didn't want to participate. The rules also contained restrictions requiring that consumers opt in to more sensitive data collection (financial), as well as some requirements that ISPs and cable ops adhere to standard security procedures, and quickly inform consumers when their private data was exposed by a hacker.

In recent months, the cable industry has been showcasing how it's simply not very good at keeping its websites secure. Comcast, for example, has seen three privacy breaches in almost as many months, with security researcher Ryan Stevenson discovering numerous, previously-unreported vulnerabilities that potentially exposed the the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers.

Not to be outdone, now Buzzfeed has found that a vulnerability on the Charter Communications (Spectrum) website made it possible for just about anyone to take over customers’ accounts without a password. According to the report, this flaw was again discovered by Stevenson (who goes by the monicker Phobia), and involved tricking a Spectrum website that let subscribers create a Time Warner Cable (the company Charter just acquired) ID.

If a targeted customer hadn't yet registered for such an ID, a website flaw let a hacker trick the website into creating one by replacing their own IP address with the customer’s using the “X-forwarded-for” technique, a relatively trivial affair:

"The registration website tried to verify subscribers’ identities by asking for their zip codes and phone numbers. But according to the security researcher Phobia, the zip code didn’t need to be correct to proceed to the next page. Only the phone number associated with the account needed to be accurate. Additionally, Ceraolo found that hackers could use a brute-force software program in the phone number field (in other words, repeatedly try different 10-digit combinations), because the Spectrum website did not limit the number of attempts. That means it would be relatively easy for a hacker to take over someone’s account even without an accurate phone number."

Once the bogus ID was created, the hacker subsequently had access to oodles of private user account data, including billing address, email, and account number. That data could, in turn, be used as the cornerstone of social engineering and phishing efforts to glean even more customer information. Not all of Charter's total 23 million customers are impacted; only a smaller subset of the company's 14 million "legacy," pre-merger Time Warner Cable subscribers were impacted. The company also claims that it has no evidence to suggest that these flaws were actually exploited.

But we're still likely talking about millions of potential subscribers, and Charter won't specify just how many users may have had their private data exposed. And if Stevenson's recent track record is any indication, there's plenty more flaws likely waiting in the wings to be discovered.

Filed Under: breaches, broadband, flaws, privacy
Companies: charter, charter spectrum

Third Comcast Website Flaw Exposes User Data In As Many Months

from the it's-Comcastic dept

Comcast has been dinged for a third significant website privacy vulnerability in almost as many months. Back in May, a bug in Comcast's website used to activate the company's Xfinity-branded routers opened the door to letting attackers trick the website into displaying the home address where the router is located, as well as the Wi-Fi name and password. Then last June, security researchers discovered that an API used by Comcast could be tricked into returning a swath of private customer data, including account numbers, a user's account address, and numerous details about a user's account, including what services are subscribed to.

Comcast's now back in the news again, with BuzzFeed reporting that yet another security flaw in Comcast's website has potentially exposed customer information. Security researcher Ryan Stevenson (who also discovered the previous two vulnerabilities) found that two new, previously-unreported vulnerabilities exposed the the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers.

One of the flaws let an attacker exploit an "in home authentication" portal set up by Comcast that let customers pay their bills without logging in. The portal asked users to verify their identity by showing them partial snippets of four potential home addresses. While this was designed to be convenient, it opened the door to a potential hacker spoofing a Comcast user's IP address to obtain sensitive data. Once alerted, Comcast fixed the vulnerability and required that users enter their cable and broadband credentials to pay their bills.

The other flaw was potentially more damning, since it exposed the last four digits of Comcast users' social security numbers:

"In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form."

Comcast, for its part, states that the vulnerabilities have been patched:

"We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."

Which is all well and good, but given the volume of sensitive data collected by telecom giants that also sell home phone service, wireless, security service, broadband, TV, and an ocean of other services, the number of website flaws in recent months remains troubling. Especially for a company that spent millions lobbying to kill FCC broadband privacy protections last year; protections that, among other things, required that ISPs be more transparent about what data is collected and sold, and quickly and transparently inform customers when their private data may have been improperly accessed.

Filed Under: flaws, passwords, privacy, security, xfinity
Companies: comcast

Report Confirms Deep Flaws Of Automated Facial Recognition Software In The UK, Warns Its Use In The US Is Spreading

from the mind-the-step-change dept

Techdirt has written many stories about facial recognition systems. But there's a step-change taking place in this area at the moment. The authorities are moving from comparing single images with database holdings, to completely automated scanning of crowds to obtain and analyze huge numbers of facial images in real time. Recently, Tim Cushing described the ridiculously high level of false positives South Wales Police had encountered during its use of automated facial recognition software. Before that, a post noted a similarly unacceptable failure rate of automated systems used by the Metropolitan Police in London last year.

Now Big Brother Watch has produced a report bringing together everything we know about the use by UK police of automated facial recognition software (pdf), and its deep flaws. The report supplements that information with analyses of the legal and human rights framework for such systems, and points out that facial recognition algorithms often disproportionately misidentify minority ethnic groups and women.

The UK situation is fairly well known. There's been less coverage of automated facial recognition systems in the US, and the Big Brother Report offers some comments from experts about what is happening there. For example, Clare Garvie from the Georgetown Law Center on Privacy and Technology, writes:

Face recognition surveillance -- identifying people in real-time from live video feeds -- risks being an imminent reality for many Americans. Are we comfortable with a society where face recognition allows police to identify anyone with a driver’s license, without suspicion or consent? Are we comfortable with a society where the government can find anyone, at any time, by continuously scanning the faces of people on the sidewalk? Face recognition fundamentally changes the nature of privacy in public spaces. As government agencies themselves have cautioned, face recognition surveillance 'has the potential to make people feel extremely uncomfortable, cause people to alter their behaviour, and lead to self-censorship and inhibition,' chilling the exercise of the rights protected under the First Amendment and calling into question the scope of protections offered by the Fourth Amendment.

Alongside its report, Big Brother Watch has launched the "Face Off" campaign calling for the UK public authorities to stop using automated facial recognition software with surveillance cameras, and to remove the thousands of images of unconvicted individuals from the UK's Police National Database. Given the UK authorities' world-famous love of CCTV and surveillance, it's unlikely they will take much notice.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: face recognition, flaws, uk

Microsoft Tries To Silence Revelation Of Bing Cashback Flaws; Leads To Revelation Of Other Problems

from the touchy-microsoft dept

I'd been meaning to write this up for about a week, but finally got it around to it, just in time to add some additional info. First up, though, comes the news that Microsoft's legal department demanded a blogger remove a blog post about flaws in Bing's Cashback offer (Microsoft's attempt to bribe users to search via Bing instead of Google). One of the methods for the cashback offer involved pixel tracking, and blogger Samir Meghani noted that this was easily gamed to post fake transactions to your account. He also noted problems with the way Microsoft used sequential IDs, allowing potential scammers to "deny cashback rebates to legitimate users by using up available order ID numbers." Instead of dealing with these flaws, Microsoft lawyers sent a cease-and-desist and forced the blog post offline. I'm actually quite surprised this hasn't received a lot more attention.

In the legal nastygram, Microsoft's lawyers claimed that because Meghani had tested the flaws out himself, he was likely guilty of violating "various laws relating to computer intrusion, unauthorized access and unauthorized use of information," while suggesting that his actions could result in criminal charges. That's ridiculous, of course. He didn't actually scam the company -- he was just exposing a flaw. This is legal bullying to silence someone for pointing out a rather basic security flaw in Microsoft's program.

But, of course, even though Meghani was silenced on that issue, it doesn't mean he has to be silent on all of the flaws in Bing's Cashback program, so his latest (found via Slashdot) is that various retailers that offer "cashback" via Bing purchases are showing higher prices if you search via Bing. In fact, the price people can pay if they do certain searches on Bing is higher than if they'd gone direct:

So, if I go directly to butterflyphoto.com, I pay $699 with 0% cashback. If I use Bing Cashback, I pay $758 with 2% cashback, or $742.84. Using Bing cashback has actually cost me $43.84, giving an effective cashback rate of -6.27%. Yes, negative cashback! Is this legal? False advertising? I don't know, but it's pretty sketchy.

The problem doesn't end there. Using Bing has tainted my web browser. Butterfly Photo set a three month cookie on my computer to indicate that I came from Bing. Any product I look at for the next three months may show a different price than I'd get by going there directly. Just clicking a Bing link means three months of potentially negative cashback, without me ever realizing it. I'm actually afraid to use their service even just to write this, because it may cost me money in the future. If you've been thinking about trying out Bing Cashback, you may want to rethink that.

Microsoft responded and called this "an isolated instance" that it had missed with its tools that try to prevent merchants from gaming the system this way. Still, perhaps rather than sending out legal nastygrams and PR pablum to people discussing these things, Microsoft should focus on actually making sure that Bing's Cashback bribery program actually works correctly and safely.

Filed Under: bing, bribes, cashback, cease and desist, flaws, security
Companies: microsoft