Tag Archives: security

Comcast is leaking the names and passwords of customers’ wireless routers

By Devin Coldewey

Comcast has just been caught in a major security snafu: revealing the passwords of its customers’ Xfinity-provided wireless routers in plaintext on the web. Anyone with a subscriber’s account number and street address number will be served up the wi-fi name and password via the company’s Xfinity internet activation service.

Security researchers Karan Saini and Ryan Stevenson reported the issue to ZDnet.

The site is meant to help people setting up their internet for the first time: ideally, you put in your data, and Comcast sends back the router credentials while activating the service.

The problem is threefold:

  1. You can “activate” an account that’s already active
  2. The data required to do so is minimal and it is not verified via text or email
  3. The wireless name and password are sent on the web in plaintext

This means that anyone with your account number and street address number (e.g. the 1425 in “1425 Alder Ave,” no street name, city, or apartment number needed), both of which can be found on your paper bill or in an email, will instantly be given your router’s SSID and password, allowing them to log in and use it however they like or monitor its traffic. They could also rename the router’s network or change its password, locking out subscribers.

This only affects people who use a router provided by Xfinity/Comcast, which comes with its own name and password built in. Though it also returns custom SSIDs and passwords, since they’re synced with your account and can be changed via app and other methods.

What can you do? While this problem is at large, it’s no good changing your password — Comcast will just provide any malicious actor the new one. So until further notice all of Comcast’s Xfinity customers with routers provided by the company are at risk.

One thing you can do for now is treat your home network as if it is a public one — if you must use it, make sure encryption is enabled if you conduct any private business like buying things online. What will likely happen is Comcast will issue a notice and ask users to change their router passwords at large.

Another is to buy your own router — this is a good idea anyway, as it will pay for itself in a few months and you can do more stuff with it. Which to buy and how to install it, however, are beyond the scope of this article. But if you’re really worried, you could conceivably fix this security issue today by bringing your own hardware to the bargain.

I’ve contacted the company for comment and will update when I hear back.

Source:: TechCrunch Gadgets


Follow Tim on Twitter @tl1000rzx2
Or check out my other Tablet Site: THE Tablet Test Server
Or perhaps you need web hosting for a mere $5.95/month?.
Shop Our Sponsor


Shop Our Sponsor


HP Laptops at Super Low Prices!

FCC investigates site that let most US mobile phones’ location be exposed

By Cyrus Farivar

Enlarge / Sen. Ron Wyden (D-Oregon), as seen on April 18, 2018. (credit: New America / Flickr)

The Federal Communications Commission has taken preliminary steps to examine the actions of LocationSmart, a southern California company that has suddenly found itself under intense public and government scrutiny for allowing most American cell phones’ locations to be easily accessed.

As Ars reported Thursday, LocationSmart identifies the locations of phones connected to AT&T, Sprint, T-Mobile, or Verizon, often to an accuracy of a few hundred yards, reporter Brian Krebs said. While the firm claims it provides the location-lookup service only for legitimate and authorized purposes, Krebs reported that a demo tool on the LocationSmart website could be used by just about anyone to surreptitiously track the real-time whereabouts of just about anyone else.

“I can confirm the matter has been referred to the Enforcement Bureau,” wrote FCC spokesman Neil Grace in a Friday afternoon email to Ars.

Read 8 remaining paragraphs | Comments

Source:: Ars Tecnica


Follow Tim on Twitter @tl1000rzx2
Or check out my other Tablet Site: THE Tablet Test Server
Or perhaps you need web hosting for a mere $5.95/month?.
Shop Our Sponsor


Shop Our Sponsor


HP Laptops at Super Low Prices!

Service leaked locations of US cell phones for free, no password required

By Dan Goodin

Enlarge / An image from the LookSmart website. (credit: LocationSmart)

A little-known service has been leaking the real-time locations of US cell phone users to anyone who takes the time to exploit an easily spotted bug in a free trial feature, security news site KrebsOnSecurity reported Thursday.

LocationSmart, as the service is known, identifies the locations of phones connected to AT&T, Sprint, T-Mobile, or Verizon, often to an accuracy of a few hundred yards, reporter Brian Krebs said. While the firm claims it provides the location lookup service only for legitimate and authorized purposes, Krebs reported that a demo tool on the LocationSmart website could be used by just about anyone to surreptitiously track the real-time whereabouts of just about anyone else.

The tool was billed as a demonstration prospective customers could use to see the approximate location of their own mobile device. It required interested people to enter their name, email address, and phone number into a Web form. LocationSmart would then text the phone number and request permission to query the cellular network tower closest to the device. It didn’t take long for Robert Xiao, a security researcher at Carnegie Mellon University, to find a way to work around the authorization requirement.

Read 5 remaining paragraphs | Comments

Source:: Ars Tecnica


Follow Tim on Twitter @tl1000rzx2
Or check out my other Tablet Site: THE Tablet Test Server
Or perhaps you need web hosting for a mere $5.95/month?.
Shop Our Sponsor


Shop Our Sponsor


HP Laptops at Super Low Prices!

Decade-old Efail attack can decrypt previously obtained encrypted e-mails

By Dan Goodin

Enlarge (credit: Sebastian Schinzel)

Unfixed bugs in widely used e-mail programs make it possible for attackers to obtain the plaintext of messages that are encrypted using the PGP and S/MIME standards, researchers said early Monday morning. The attacks assume that an attacker has possession of the encrypted e-mails and can trick either the original sender or one of the recipients to open an invisible snippet of one of the intercepted messages in a new e-mail.

The flaws, some of which have existed for more than a decade, are part of a series of vulnerabilities dubbed Efail described by a team of European researchers. The vulnerabilities allow attackers to exfiltrate e-mail plaintexts by embedding the previously obtained cipher text into unviewable parts of an e-mail and combining it with HTML coding. Earlier on Monday, the researchers issued an advisory recommending PGP and S/MIME users disable the encryption in their e-mail clients but had planned to wait until Tuesday to provide technical details of the vulnerabilities. Within hours, the researchers published the paper, which is titled Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels.

The most serious vulnerabilities have resided in Thunderbird, macOS Mail, and Outlook for more than 10 years and remain unfixed at the moment, the researchers said. Flaws in the way the programs handle e-mails with multiple body parts make it possible to embed invisible snippets of previously obtained encrypted text in new e-mails. By also including the Web address of an attacker-controlled server, the newly sent emails can cause the programs to send the corresponding plaintext to the server. The surreptitious exfiltration works against both the PGP and S/MIME standards.

Read 4 remaining paragraphs | Comments

Source:: Ars Tecnica


Follow Tim on Twitter @tl1000rzx2
Or check out my other Tablet Site: THE Tablet Test Server
Or perhaps you need web hosting for a mere $5.95/month?.
Shop Our Sponsor


Shop Our Sponsor


HP Laptops at Super Low Prices!

Critical PGP and S/MIME bugs can reveal encrypted e-mails. Uninstall now

By Dan Goodin

Enlarge (credit: Elsamuko)

The Internet’s two most widely used methods for encrypting e-mail–PGP and S/Mime–are vulnerable to hacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say there are no reliable fixes and to advise anyone who uses either encryption standard for sensitive communications to remove them immediately from e-mail clients.

The flaws “might reveal the plaintext of encrypted emails, including encrypted emails you sent in the past,” Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, wrote on Twitter. “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

Schinzel referred people this blog post published late Sunday night by the Electronic Frontier Foundation. It said: “EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

Read 4 remaining paragraphs | Comments

Source:: Ars Tecnica


Follow Tim on Twitter @tl1000rzx2
Or check out my other Tablet Site: THE Tablet Test Server
Or perhaps you need web hosting for a mere $5.95/month?.
Shop Our Sponsor


Shop Our Sponsor


HP Laptops at Super Low Prices!