Japanese Pension System Hack Affects 1.25 Million

The Japanese National Pension System was hacked and according to the announcement on Monday, 1.25 million Japanese have been affected by this breach. According to the Japan Times, the breach was due to an employee opening an attachment on an email that contained a virus. The computers that were initially affected by the hack were connected to the fund’s central database which keeps all of the fund’s member information.

What strikes me about the initial report was the level of detail the Japanese were willing to discuss about how they were going to fix the problem and what steps they had already taken. When companies within the US have a breach, the typical response is just a statement to the press about how they are taking “appropriate actions” to secure customer information blah blah blah. The Japan Pension Service said that it was restricting employee access to the internet and had removed all infected machines from the corporate network. Officials also said that in 500,000 of the 1.25 million cases, passwords had not been set, which was a violation of the fund’s internal rules. The President of the Japan Pension Service apologized for the leak and said affected people will be given new pension ID numbers.

I understand that this is a rule violation, but the users of the pension system are probably less trained or qualified on computers than the typical 18-25 year population. If they knew that there were 500,000 records without passwords, shouldn’t they have forced passwords to be set by denying access to the funds?  This is a very common practice with companies today and is the responsible thing to do. Chase or Bank of America do not let you have a weak or default password, because they have mutual self interest in keeping your money safe. Otherwise they would be held liable in case of theft etc.

Overall the Japanese Pension System responded swiftly, apologized, and took corrective action, from which most companies could take note. They did not deny or pass blame; they accepted their role in the situation and did what they could to make it right. This is an unfortunate circumstance in which consumers were the victims of cyber-crime, yet it has some silver linings. American companies could learn more than just a thing or two from the Japanese when it comes to handling a cyber-attack and public relations.

iOS Bug Crashes iPhone Twitter App & More

As media outlets all over the world have been reporting, there is a strange iOS bug that has been crashing iPhones. Up until now, it was reported to be affecting the Messages app on iPhones when receiving an SMS (text) or iMessage.

I was doing some digging into the issue after I wrote about this yesterday, and found that this is not confined to the messaging app. The Twitter and PushBullet Apps are affected by this bug with varying results.

When testing the results on Twitter, I sent the message that causes the crash on iPhones via direct message, and if the user receiving the crash message has alerts or banners turned on, the iPhone immediately crashes. Once it reboots, you can access the Twitter app without problem, but the crash is still annoying. To prevent this from happening at all, just turn off banner or alert notifications for Twitter by going to Settings > Notifications > Twitter.

PushBullet is a bit different. This is not an application with which you send messages to other people, but to yourself from other devices. You can send items from Chrome to your iPhone seamlessly, and I use this app all the time. When receiving the message in this instance, however, the PushBullet app crashes, and the only way to be able to use the app on your phone again is by deleting the message from a browser at www.pushbullet.com. I discovered this when trying to test various apps, and ultimately bricked my PushBullet app myself. It really is an amazing app that I plan to continue using, just not for shooting myself in the foot while conducting “research.”

I have sent Twitter and PushBullet staff this information as well as Apple, and will update this post with their responses as I get them. As many readers already have, you can email bryan @ seelysecurity.com or follow me on Twitter, CyberDust, Linkedin or Facebook.com.

iOS Bug Crashing iPhones With A Single Text Message

Update – 6:45pm – The problem very much still exists. Use the code below for educational purposes, with the recipient’s consent please.

Last night MacRumors.com reported that a new bug has been discovered that affects all users of the popular iPhone.

The bug affects the iMessage and SMS app on the iPhone, and when a user sends a specific string of characters to an iPhone it can cause an immediate reboot of the iPhone. The bug was first reported in a Reddit.com thread and has quickly spread around the globe in hopes that there is a solution to the problem.

The message consists of a specific sequence of Arabic characters and symbols:

Power
لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ

and if sent to users of iPhones, it can cause the message app to crash and reboot the phone. Once you reboot the phone and attempt to open the message app in list view, the app will crash again.

The Reddit.com user who discovered and wrote about the issue was “sickestdancer98”, and his explanation was:

“I can tell you it is due to how the banner notifications process the Unicode text. The banner briefly attempts to present the incoming text and then “gives up”, thus the crash. On a jailbroken device, this ultimately leads to safe mode. However, on a stock iOS device, there is no safe mode, hence the respring after the crash. That is why this only happens when you are not in the message, because the banner is what truly crashes the entire system. Is this a possible vulnerability? Maybe. Has this been around already? Roughly since iOS 6. Can it be fixed/patched? That, my friends, is up to Apple. I hope I cleared things up a little bit if it did help in any way, shape, or form.”

Based on my testing with a couple of iPhones, the quickest way to solve the problem is to go to the photo app, and send a photo to the person who sent you the iMessage / text and then go back into the messages app and delete the conversation.

Once you have done that, you can prevent it from happening again by going to Settings > Notifications > Messages and changing your settings to the settings pictured here.

Uncheck “Show in Lock Screen” and turn off banner notifications, which prevents the iPhone’s banner from crashing the phone.

Apple’s engineers are aware of the issue and will hopefully have an update shortly.

If you are experiencing any issues with your iPhone and restoring functionality, visit an Apple store or feel free to reach out to bryan @ seelysecurity.com for assistance.

I Have Your Password

As much as we like to imagine hackers as psychics, evil geniuses, or Ethan Hunt breaking into Langley, most actual hacking is far different.  In reality, perhaps the best analogy of the three is as a psychic.  Not a supernatural psychic, but more like a mall psychic:  using a combination of basic logic and cold reading skills.

“Pictured here:  only 19% of all hacking.”

Most hackers gain access to improper materials simply by uncovering the password needed to access the information.  And if they don’t actually cull it from its source (which, really, is cheating), then they usually guess it.

This is not uncommon. Do you remember Sarah Palin? Back in 2008 this exact thing happened when her free Yahoo Mail account was “hacked.” Wired.com covered the method used in “Palin E-mail Hacker Says It Was Easy”:

“As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.”

As funny or light-hearted as this might sound, this hack had serious consequences for the Palin family in the wake of the breach.

In her book “Going Rogue”, Palin wrote that the McCain campaign confiscated her kids’ phones, and she and her friends and family had to cancel personal and business accounts that had been exposed by the hack; as a result, she could no longer contact her kids.  By the time it was over, some people had doubts about her intelligence and fitness to govern.

Seven years later, things don’t seem to be getting any better. South Korea is experiencing the “Palin problem” on a massive scale; their passwords are getting hacked.  According to this recent article:

“Internet users in Korea are notoriously more exposed to security risks than their counterparts in other countries, partly because their password hints are too easy to guess.”

According to the article, too many Koreans suggested questions such as “the city where you were born” and “what’s your favorite food”.  Apparently the answer to the first question is “Seoul” nearly 40% of the time.  The article doesn’t say their most popular favorite food, though I encourage you to guess “rice” if you’re a racist.

http://english.chosun.com/site/data/html_dir/2015/05/22/2015052201606.html
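As an added illustration (not part of the original post), here is how a site could measure the guessability of a security question from its users’ answers and reject answers that are either popular or drawn from profile data, the two failure modes above: the Seoul statistic and the Palin reset. The answer set and profile are constructed for this demo; the 40% Seoul share is the only figure taken from the article.

```python
from collections import Counter

# Constructed sample: answers to "the city where you were born" from a
# hypothetical user base. Only the 40% "Seoul" share comes from the Chosun
# article quoted above; every other city and count is made up for this demo.
BIRTH_CITY_ANSWERS = (
    ["Seoul"] * 40 + ["Busan"] * 15 + ["Incheon"] * 10 + ["Daegu"] * 10
    + [f"Town{i}" for i in range(25)]          # 25 unique answers
)

# Constructed profile data of the kind an attacker can look up (the Palin
# reset used a birthdate, a ZIP code and a Googleable school name).
SAMPLE_PROFILE = {"hometown": "Wasilla", "school": "Wasilla High"}


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Seoul', ' seoul ' and 'SEOUL' count as one guess."""
    return " ".join(answer.lower().split())


def answer_frequencies(answers):
    """Return {answer: share of users}, most common first."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return {a: n / total for a, n in counts.most_common()}


def guess_success_rate(answers, guesses: int) -> float:
    """Fraction of accounts opened by trying only the `guesses` most common answers."""
    return sum(list(answer_frequencies(answers).values())[:guesses])


def question_too_guessable(answers, guesses: int = 3, max_rate: float = 0.10) -> bool:
    """Flag a question when a few popular guesses beat more than max_rate of users."""
    return guess_success_rate(answers, guesses) > max_rate


def answer_is_weak(answer: str, profile: dict, answers, min_share: float = 0.05) -> bool:
    """Reject an answer that matches profile data or is a popular answer to the question."""
    a = normalize(answer)
    if any(a == normalize(str(v)) for v in profile.values()):
        return True                               # discoverable from the user's profile
    return answer_frequencies(answers).get(a, 0.0) >= min_share


if __name__ == "__main__":
    print(f"one guess succeeds for {guess_success_rate(BIRTH_CITY_ANSWERS, 1):.0%} of users")
    print("question too guessable:", question_too_guessable(BIRTH_CITY_ANSWERS))
    for candidate in ("Seoul", "Wasilla High", "Gwangju"):
        verdict = "reject" if answer_is_weak(candidate, SAMPLE_PROFILE, BIRTH_CITY_ANSWERS) else "ok"
        print(candidate, "->", verdict)
```

With this sample, a single guess of “Seoul” opens 40% of accounts and three guesses open 65%, so the question is flagged; the thresholds are assumptions to be tuned per deployment.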

Here are some other security questions you should stay away from if you do not want your password swindled, along with the common answer.  As the article suggests, the dangerous questions vary by country.

South Korea:

“Who is your least favorite dictator?” (Kim Jong-un)

“How many doors does your Kia Sorento have?” (4)

“What is your favorite classic sitcom grossly mischaracterizing the American army experience?” (Seinfeld)

North Korea:

“Spell ‘Pyongyang’.”  (Pyongyang)

“What is your favorite Kim Jong-un superpower?” (Invisibility)

“What physical sensation are you most experiencing right now?”  (Hunger)

Japan:

“What is your favorite alcoholic beverage?” (Sake)

“Which emotion best describes your attitude toward your performance at work?”  (Overriding sense of shame)

Canada:

“What is your favorite kind of leaf?”  (Maple)

“What’s your favorite kind of bacon?”  (Back)

“What is your favorite place to get coffee?” (Tim Horton’s)

“Which Star Trek character do you most like to depict on our defaced currency?”  (Spock)

“Do you mind if I borrow your password and steal all of your confidential information?”  (Sure; no worries.)

Ireland:

“What is your favorite color?”  (Green)

“What is your favorite holiday?”  (St. Patrick’s Day)

“What is your favorite whiskey?”  (Wet)

Switzerland:

“What is your favorite kind of cheese?” (Swiss)

“What is your favorite kind of chocolate?” (Swiss)

“What is your favorite kind of army knife?” (Swiss)

Vatican City:

“What is your favorite dead language?”  (Latin)

“With what major religion do you most identify?”  (Catholicism)

“What does your significant other do for a living?”  (Altar Boy)

France:

“What was the name of your first pet?”  (Fifi)

“Voulez-vous coucher avec moi ce soir?” (Oui)

“What was your favorite childhood activity?”  (Smoking or Drinking Wine (tie))

USA:

“Who is your favorite President?”  (That old white guy)

“What is the last thing you said to a police officer?”  (Ouch)

“How obese are you?”  (Morbidly)

Of course, these were all quite silly; some of them arguably even edgy.  Do you have your own funny suggestions?  Email them to bryan@seelysecurity.com.
Be sure to include your name, email address, the street where you grew up, the name of your first pet, and the name of your third grade teacher.

Or, if you want to find out if someone else already has your credit card number, email it to me and I’ll tell you.