Big Brother’s Car Insurance Discount
Car insurance companies have had tracking-based discounts for years now. They usually use a small device that connects to a car’s OBD-II port to collect speed, location, and other telemetry to send back to the insurance provider over a cellular modem. In exchange for your data, you get a discount on your insurance premiums. But is that information kept securely and privately? Since we’re writing about this, you can probably guess the answer.
Italian FOSS enthusiast and software developer Andrea Scarpino wasn’t happy with his insurance provider’s closed source software, so he began reversing it to reimplement his own, and discovered something amazing. Due to lack of authentication on the API, an attacker could retrieve the last 20 recorded GPS locations of a customer using only their car license number. But that was just the tip of the iceberg. With a bit more exploring, Andrea discovered that an attacker could get a customer’s full name, recorded location history, and real-time location too, just by entering their license number. Andrea reported these vulnerabilities to the company, which fixed the issues, but received no bounty.
This reminds us that personal information is becoming more valuable by the day, and companies are looking for new clever ways to get as much as they can. While a sizeable discount on insurance might be worth it to some, it’s important to remember that this personal information can be very sensitive. Even if customers are fine with their insurance provider tracking their location, they also have to be confident that their data won’t leak from a breach or misconfigured server. The only way to keep this information private is to not share it, so think carefully before plugging a homing beacon into your car.
Even More Password Leaks!
At this point we’re all used to the periodic breach of some popular service exposing millions of passwords, but this time around we have something more interesting. Instead of a single source being breached, researchers have discovered a leaky MongoDB database not obviously connected to any single corporation. What’s more, is that the database doesn’t have password hashes as would be used in a production system, but the passwords are stored in plaintext. The approximately 243.6 million unique email accounts in the database are largely from previous breaches, but all gathered together into a single location.
This points to a few things. First, it’s incredibly important to change your login credentials after a breach. We’ve recommended using password managers before, so call this your weekly reminder. Second, it’s a proof-of-concept that attackers can weaponize data breaches, combining them into massive credential sets like this to be used as a tool in subsequent attacks. It’s not clear what this database is being used for, if anything, but speculation ranges from massively-scaled account hijacking systems, to well-maintained source dictionaries for password cracking.
Users looking to protect themselves should:
- Use a password manager to generate unique passwords for each website
- Change their password as soon as possible if the service is breached
Obligatory WannaCry Post
The WannaCry ransomware that’s been wreaking havoc worldwide has attracted plenty of attention over the past week. You can find articles about how terrible it is and how much damage it’s caused anywhere, so we thought we’d point out something a bit more technical.
Cryptographically, the WannaCry ransomware is designed well. Some ransomware authors have made rookie mistakes that left their ransomed files easily recoverable, but we don’t seem to have any such luck here. Each infected machine has its own 2048-bit RSA keypair generated, with the private key being encrypted by the ransomware author’s public key before it’s stored. Then, each file has its own AES key generated to encrypt the file, with the AES key encrypted by the machine’s public key before it is stored alongside the encrypted file.
Essentially, a user that is infected with WannaCry must either break RSA/AES, or pay the ransomware authors. However, Windows XP users might have lucked out thanks to a documented misbehavior of the Windows API not fully destroying the secret key material on Windows XP.
As if the worm behavior weren’t bad enough, there really doesn’t seem to be an easy way to recover files encrypted by WannaCry. The only effective measures are preventative ones that need to have already been done:
- Regularly make and test backups of important systems and data – and make sure the backup drive isn’t left plugged in
- Install security updates as soon as possible after they are released
- Segment systems and networks externally and internally with firewalls, following defense-in-depth and least-privilege practices