Researchers at CheckMarx recently discovered some serious security flaws in the popular LeapPad Ultimate tablet.
The tablet was designed by LeapFrog to provide kids in the UK and Europe with a safe environment to access games, videos and educational apps.
The researchers had this to say about their discovery:
"The first thing we found is that some of LeapFrog's communications aren't encrypted. It's using very simple HTTP protocol, storing information in clear text and allowing an attacker to become a man-in-the-middle."
The researchers built a proof-of-concept app that spoofed the tablet's existing connection and forced the device onto a rogue network. Because the tablet's traffic was plaintext HTTP, they could then inject malicious scripts into the responses the device received and use them to pull a variety of sensitive information from the system, such as the child's name, gender, birth year and birth month.
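The point of the quoted finding is that an on-path attacker can rewrite anything the device fetches over plain HTTP. The block below is an added illustration written for this page, not Checkmarx's proof-of-concept and not LeapFrog's code; the sample response is constructed, and the function simply shows the mechanics of injecting a script into a plaintext HTML response while keeping the message well-formed (Content-Length must be corrected, and chunked or compressed bodies are left alone rather than corrupted).

```python
"""Added example: rewriting a plaintext HTTP response from an on-path position.

Not code from the original article, from Checkmarx or from LeapFrog.  The
captured response below is constructed for illustration only.
"""
from typing import Dict, Optional, Tuple

# Constructed sample: a plaintext HTTP/1.1 response as a device might receive
# it from an unencrypted server.  Not captured from any real product.
SAMPLE_BODY = b"<html><head><title>Hi</title></head><body>Welcome</body></html>"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    + b"Content-Length: %d\r\n" % len(SAMPLE_BODY)
    + b"Connection: close\r\n\r\n"
    + SAMPLE_BODY
)


def parse_response(raw: bytes) -> Optional[Tuple[bytes, list, Dict[bytes, bytes], bytes]]:
    """Split a raw HTTP response into (status line, header lines, header map, body).

    Returns None if the bytes do not look like an HTTP response.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    status, header_lines = lines[0], lines[1:]
    headers: Dict[bytes, bytes] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, header_lines, headers, body


def inject_into_plaintext_response(raw: bytes, script_tag: bytes) -> Optional[bytes]:
    """Insert `script_tag` just before </body> of a plaintext HTML response.

    This is exactly what TLS prevents: without it, anyone between the device
    and the server can do this to every page.  Returns None for responses the
    function cannot rewrite safely (non-HTML, chunked, compressed, no </body>);
    a real interceptor would pass those through untouched.
    """
    parsed = parse_response(raw)
    if parsed is None:
        return None
    status, header_lines, headers, body = parsed
    if b"text/html" not in headers.get(b"content-type", b""):
        return None
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        return None  # would need re-chunking; not handled here
    if b"content-encoding" in headers:
        return None  # gzip/br body; would need decompressing first
    idx = body.rfind(b"</body>")
    if idx == -1:
        return None
    new_body = body[:idx] + script_tag + body[idx:]

    # Rewrite Content-Length so the client does not truncate or hang.
    new_headers = []
    for line in header_lines:
        if line.partition(b":")[0].strip().lower() == b"content-length":
            new_headers.append(b"Content-Length: %d" % len(new_body))
        else:
            new_headers.append(line)
    return status + b"\r\n" + b"\r\n".join(new_headers) + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    out = inject_into_plaintext_response(SAMPLE_RESPONSE, b"<script>/* attacker */</script>")
    print(out.decode())
```

The fix on the device side is not clever filtering but removing the attacker's position: serve everything over TLS and have the client validate (or pin) the server certificate, so that the bytes on the wire are opaque to whoever controls the network the tablet joined.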
The researchers also noted that this attack methodology could allow hackers to steal information about the parents of the kids using the device, including their email addresses, phone numbers and access to payment card information.
Mari Sunderland, the VP of Digital Product Management at LeapFrog, issued a formal statement for the company, which read, in part, as follows:
"We thank CheckMarx for bringing these security issues to our attention, as the safety of the children who use our products is our top priority. When you know that the main users of your device will be children, the standards you need to put on your R&D need to be the highest: Military grade. Vendors should be very responsible and understand that privacy issues for children are much worse. All this needs to be taken into account to make sure your solution is as safe as possible."
It's a wonderful sentiment, and one hopes that LeapFrog's next solution will be more robust.
Grim news comes out of Russia, as reported by Microsoft. The tech giant has been tracking the activities of a Russian hacking group that goes by the name of Strontium. Their other names include APT28 and Fancy Bear.
Microsoft has confirmed that the group was behind a new attack that took place in April of this year (2019).
This is the group blamed for the attack on the Democratic National Committee in the run-up to the 2016 election. It is also sometimes linked to the NotPetya attacks against Ukraine in 2017, although most analysts attribute NotPetya to a separate GRU-linked group, Sandworm, rather than to APT28.
In addition to targeting political groups in Europe and North America, Strontium has been upping the stakes by compromising commodity IoT devices such as VoIP phones, printers, security cameras and the like, and using those devices as a foothold into corporate networks.
The company had this to say about their recent findings:
"The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer's passwords, and in the third instance the latest security update had not been applied to the device.
Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data."
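The quoted findings describe two conditions worth checking for on your own network (devices still on their default manufacturer password, or behind on updates) and one behaviour worth alerting on (an IoT device that starts sweeping the internal network). The block below is an added example written for this page, not Microsoft's tooling; the device inventory and the flow records are constructed, and the inventory fields (`default_creds`, `fw`, `latest_fw`) are assumed attributes of a hypothetical asset database.

```python
"""Added example: the two hygiene checks and the one detection that follow
from the Microsoft findings quoted above.  Not Microsoft's code; all
inventory records and flow records below are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed asset inventory.  `default_creds` and `latest_fw` are assumed
# fields of a hypothetical asset database.
INVENTORY = [
    {"ip": "10.0.1.20", "kind": "printer",    "fw": "2.1.4", "latest_fw": "2.1.4", "default_creds": True},
    {"ip": "10.0.1.21", "kind": "voip-phone", "fw": "5.0.0", "latest_fw": "5.0.3", "default_creds": False},
    {"ip": "10.0.1.22", "kind": "camera",     "fw": "1.0.9", "latest_fw": "1.0.9", "default_creds": False},
    {"ip": "10.0.2.50", "kind": "laptop",     "fw": "n/a",   "latest_fw": "n/a",   "default_creds": False},
]

# Device classes that never have a legitimate reason to sweep the network.
IOT_KINDS = {"printer", "voip-phone", "camera"}

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto).
FLOWS: List[Tuple[int, str, str, int, str]] = [
    (10, "10.0.2.50", "10.0.1.20", 9100, "tcp"),   # laptop sends a print job
    (12, "10.0.1.20", "10.0.0.53", 53, "udp"),     # printer does a DNS lookup
    (15, "10.0.1.22", "10.0.3.10", 554, "tcp"),    # camera streams to its NVR
]
# The printer then sweeps twelve internal hosts on 445 within 30 seconds.
FLOWS += [(1000 + i * 2, "10.0.1.20", "10.0.2.%d" % (i + 1), 445, "tcp") for i in range(12)]
# A laptop doing a similar sweep is deliberately out of scope for this check
# (admins and vulnerability scanners do that); it belongs in a different rule.
FLOWS += [(2000 + i, "10.0.2.50", "10.0.4.%d" % (i + 1), 22, "tcp") for i in range(8)]


def weak_devices(inventory: List[dict]) -> List[Tuple[str, str]]:
    """Return (ip, reason) for the two failure modes named in the report:
    default manufacturer passwords and missing updates."""
    findings = []
    for dev in inventory:
        if dev["default_creds"]:
            findings.append((dev["ip"], "default manufacturer password"))
        if dev["fw"] != dev["latest_fw"]:
            findings.append((dev["ip"], "firmware %s behind latest %s" % (dev["fw"], dev["latest_fw"])))
    return findings


def scanning_iot_devices(flows, inventory, min_hosts: int = 5, window_s: int = 60) -> Dict[str, int]:
    """Flag IoT devices that contact at least `min_hosts` distinct hosts
    within any `window_s`-second window.  Returns {src_ip: peak host count}."""
    kinds = {d["ip"]: d["kind"] for d in inventory}
    by_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, _port, _proto in flows:
        if kinds.get(src) in IOT_KINDS:
            by_src[src].append((ts, dst))
    flagged: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= window_s}
            peak = max(peak, len(hosts))
        if peak >= min_hosts:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for ip, reason in weak_devices(INVENTORY):
        print("weak device", ip, ":", reason)
    for ip, n in scanning_iot_devices(FLOWS, INVENTORY).items():
        print("possible scan from IoT device", ip, "touched", n, "hosts")
```

The window-based count is what separates a printer that resolves a few names a day from one that suddenly touches a dozen hosts on a file-sharing port in half a minute; tune `min_hosts` and `window_s` to the device class, and treat a hit as a prompt to pull the device's credentials and firmware status from the inventory check alongside it.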
Fortunately, Microsoft caught the intrusions early, which also means the group's ultimate objective in this case remains unclear. Even so, Microsoft has committed itself to closely monitoring this group in particular: over the past year it has sent out nearly 1,400 notifications to organisations and governments targeted or compromised by Strontium.
It is very likely that this group will be at the forefront of whatever attacks Russia has planned to influence the outcome of the 2020 US Presidential election.
Hardly a week goes by that we don't see another major data breach making the headlines.
The latest company to fall victim to hackers is CafePress.
They are well-known on the internet for offering a platform where users can create their own customized coffee mugs, tee shirts and the like.
The company didn't make a formal announcement about the breach, and users only became aware of it when they started getting notifications from Troy Hunt's "Have I Been Pwned" service. Once word started leaking out, Hunt joined forces with security researcher Jim Scott, who had worked with Hunt in the past tracking down other data breaches.
Working together, they discovered a CafePress database of nearly half a million accounts, with the password hashes already cracked ("de-hashed"), being sold on hacking forums. The researchers could not confirm, however, whether these records came from the most recent breach or from an earlier one.
In any case, as they probed more deeply, they discovered that the company had actually been hacked back in February of this year (2019), and that it was a significant breach: more than 23 million user records were exposed, including email addresses, names, passwords, phone numbers and physical addresses.
To date, CafePress has not made a formal announcement about the matter, nor acknowledged the breach in any way, although if you are a CafePress user you will be forced to reset your password the next time you log on.
While that's a good step, it's completely at odds with the company's clumsy handling of the issue. Password resets are not breach disclosures and notifications, and shouldn't be treated as such. File this away as an example of how not to handle a breach if your company is hacked.
Not long ago, both Google and Apple found themselves in hot water when it came to light that each had been using third-party contractors to review voice-assistant recordings (Siri recordings in Apple's case, Google Assistant recordings in Google's).
As the companies explained at the time, their goal was to make their voice recognition software more efficient and more effective.
After finding itself at the center of the resulting controversy, Apple announced that it has formally suspended the program worldwide while it conducts a review.
A company spokesman had this to say:
"We are committed to delivering a great Siri experience while protecting user privacy. While we conduct a thorough review, we are suspending Siri grading globally. Additionally, as part of a future software update, users will have the ability to choose to participate in grading."
In a similar vein, Google announced that it was putting its evaluation program on hold in Europe only for three months.
Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, had this to say about Google's current practice and its possible conflict with Europe's GDPR data-protection rules:
"The use of language-assistance systems in the EU must follow the data-protection requirements of the GDPR. In the case of the Google Assistant, there are currently significant doubts. The use of language-assistance systems must be done in a transparent way, so that an informed consent of the users is possible. In particular, this involves providing sufficient information and transparently informing those affected about the processing of voice commands, but also about the frequency and risks of mal-activation."
Kudos to the EU for making a big enough deal about this to rein Apple and Google in. Here's hoping that pro-privacy forces ultimately prevail worldwide. As good as Google Assistant and Siri are, it's important that safeguards are put in place to help preserve privacy.
Apple has partnered with Goldman Sachs and their long-awaited "Apple Card" begins rolling out in limited fashion. The card becomes available to all iPhone owners in the United States toward the end of August.
According to CEO Tim Cook, a random selection of people who signed up to be notified about the Apple Card are getting an early-access sneak peek.
However, the company has been tight-lipped about exactly how many people are being invited into the preview group.
If you're one of the lucky winners, know that the sign-up process will involve upgrading to iOS 12.4 and entering your address, your birthday, income level and the last four digits of your Social Security number. That information is sent on to Goldman Sachs, which will approve or deny your credit application in real time and in under a minute.
Note that the approval process also involves a TransUnion credit check, so if you have a credit freeze on your TransUnion file, you'll need to lift it (at least long enough to get approved).
Once you've been approved, your card will show up in your Apple Wallet immediately and be available for use. If you want one, you can request a physical card from Apple for free during the setup and it will arrive in the mail in a few days.
The cool thing about the physical card is the fact that it has an NFC tag on it, so you can activate it simply by tapping the phone against it.
Also note that you'll have three different credit card numbers associated with your Apple Card:
Note too that, unlike the other credit cards in your wallet, the physical card has no expiration date or security code printed on it. You can lock the card at any time from the app, though. Welcome to Apple's Brave New World!