
22,000 Bell Small Business Customers Have Their Usernames/Passwords Hacked

Phillip Dampier February 5, 2014 Bell (Canada), Canada, Consumer News, Public Policy & Gov't

Hackers exploited poor coding practices at an Ottawa-based third-party contractor to access and eventually publish more than 20,000 usernames and passwords of Bell Canada’s small business customers on a website.

Canada’s largest phone company is being criticized for allowing the third-party contractor access to sensitive account information, which became vulnerable after IT workers introduced security holes that bypassed Bell’s own security and encryption systems. Even worse, security experts say, Bell apparently stores customer usernames and passwords in a plain text format, accessible to any hacker.

Bell has refused to comment on the security lapse or its ongoing investigation, but the hackers are talking.

“Nullcrew” claimed responsibility for the breach on Twitter, including screenshots that suggest the group used a well-known SQL (structured query language) exploit that allowed the hackers to fish for information contained in Bell’s database.

Hackers often use automated scripts to hunt sites for security exploits and often don’t know whether they will get a handful of useless data or a treasure trove like Bell’s customer records.

Trustwave Holdings, a security company based in Chicago, Ill., said in a 2013 report that poor coding practices have made the SQL injection attack a threat for more than 15 years.

“Outsourcing IT and business systems saves money only if there’s no attack,” the Trustwave report said. “Many third-party vendors leave the door open for attack, as they don’t necessarily keep client security interests top of mind.”

Nullcrew’s attack also made a mockery of any advice to customers to pick passwords that are easy to remember but hard for others to guess, since Bell stored the data in an easily readable format and the passwords were exposed regardless of how strong they were.
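The two coding failures the article describes, user input pasted straight into a SQL query and passwords kept in plaintext, can be shown side by side against their fixes. The following is an added example written for this page; it is not Bell’s or the contractor’s code, and the table names, the sample accounts and the hypothetical `login_vulnerable` / `login_hardened` functions are all constructed for illustration. The weak login accepts a textbook injection string and returns every account; the hardened login uses a parameterised query and a salted, slow password hash, so a database dump no longer yields usable passwords.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not real Bell customer data).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation: this is what gets stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """In-memory database with a plaintext table (the weak design) and a hashed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)  # per-user salt defeats precomputed tables
        conn.execute(
            "INSERT INTO users_hashed VALUES (?, ?, ?)", (user, salt, pbkdf2_hash(pw, salt))
        )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Weak pattern: input concatenated into SQL, password compared in plaintext.

    Returns the usernames the query matched, so an injected condition that is
    always true returns every account rather than just the caller's own.
    """
    sql = (
        "SELECT username FROM users_plain WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus salted PBKDF2 check in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(pbkdf2_hash(password, salt), stored)


def dump_plain(conn: sqlite3.Connection) -> list:
    """What an attacker reading the plaintext table would obtain."""
    return sorted(conn.execute("SELECT username, password FROM users_plain"))


if __name__ == "__main__":
    db = build_db()
    injected = "' OR '1'='1"  # classic always-true condition
    print("vulnerable login with injected password:", login_vulnerable(db, "alice", injected))
    print("hardened login with injected password:", login_hardened(db, "alice", injected))
    print("hardened login with real password:", login_hardened(db, "alice", "correct horse"))
    print("plaintext table contents:", dump_plain(db))
```

The point of `dump_plain` is the article’s second complaint: even with a perfect query layer, a plaintext credential table turns any read access into a full credential leak, whereas the hashed table yields only salts and PBKDF2 outputs.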

Nullcrew said it alerted Bell to the security lapse more than two weeks before publishing its find online. An additional screenshot showed a Bell online customer service representative who was perplexed by the hacker group’s claims and who likely never passed the information on to Bell’s security department.

Bell suspended the affected passwords over the weekend and is notifying customers about the security breach.

AT&T, Verizon Wireless Resist “Kill Switch” for Stolen, Lost Smartphones

Klobuchar

After months of fruitless discussions with cell phone carriers, the U.S. Senate is moving closer towards legislation that would stop phone companies from blocking “kill switch” technology that could disable lost or stolen phones, discouraging would-be thieves.

Sen. Amy Klobuchar (D-Minn.) sent letters this week to Verizon Wireless, AT&T, Sprint and T-Mobile asking the carriers to do more to protect customers from phone theft.

Klobuchar is concerned wireless companies may be blocking cell phone manufacturers from enabling anti-theft technology customers could activate to disable missing phones and prevent unauthorized access or reactivation without the customer’s consent.

“Mobile devices aren’t just telephones anymore – increasingly people’s livelihoods depend on them,” Klobuchar said. “That’s why we need to do more to crack down on criminals who are stealing and reselling these devices, costing consumers billions every year. The wireless industry needs to step up to the plate and address these thefts, and make sure consumers have the most advanced security technology at their fingertips.”

The technology is already widely available internationally and has dramatically reduced smartphone theft by eliminating most of the resale value of the expensive devices, which are rendered useless once the phone is disabled.

Apple has contractual control over its products unlike most cell phone manufacturers.

But American carriers have so far refused permission to allow manufacturers like Samsung to introduce the feature in North America. Apple has successfully introduced a “kill switch” on many of its latest devices thanks to favorable contractual language that limits outside interference with the software Apple develops for its wireless devices. Other manufacturers are generally required to bow to carrier demands.

“I think that this is motivated by profit,” San Francisco district attorney George Gascon told CNN. Gascon reported he had seen e-mails from carriers that rebuffed Samsung’s efforts to introduce the technology in the American market.

Companies like AT&T claim that a “kill switch” feature could be exploited by hackers and make restoring service extremely difficult. But manufacturers and proponents of kill switch technology dismiss that argument, claiming the process is easily reversible once a customer enters a correct name and password. Critics believe carriers are motivated by the potential loss of millions from the sale of insurance plans, replacement phones, and the increased revenue earned from the reactivation of stolen phones.

With more than 1.6 million smartphones stolen or lost annually, carriers sell more than $800 million of replacement phones worth at least $500 each. Wireless phone companies also profit selling insurance plans priced at $7 or more monthly that offer free or discounted, typically refurbished cell phone replacements. Most customers never use the insurance plans, earning providers an extra $84 a year in revenue per customer.

Without kill switch technology and other theft prevention measures, the incentive to steal valuable smartphones continues to increase. As the price of sophisticated smartphones continues to increase, they are a prime target in street crime incidents. In San Francisco, 67% of robberies are related to mobile devices, according to the police department. Ten percent of phone owners have had a phone stolen, according to a Harris poll.

For now, the industry has only agreed to develop a voluntary database of phones reported lost or stolen. But participating carriers are largely American, allowing crooks to bypass the list by exporting phones overseas where they are quickly reactivated.

Klobuchar wants carriers to go on the record about kill switch technology, and her letter requested a formal response to three questions:

  • Whether companies received offers from handset manufacturers to install “kill switch” technology;
  • Have companies introduced the technology and, if not, why not;
  • How companies will introduce such technology in the future.

Video: http://www.phillipdampier.com/video/CNN Kill Switch Smartphones 11-20-13.flv

CNN reports American cell phone companies aren’t interested in allowing customers to remotely disable their lost or stolen cell phones. (0:43)

Sen. Schumer Warns Your Internet Enabled Smart TV May Be Spying on You

Sen. Schumer

That new Internet-enabled television in your living room may be allowing virtual Peeping Toms to watch and listen to you because manufacturers never bothered with adequate security measures to keep unwanted guests out.

Sen. Charles Schumer (D-N.Y.) is calling on major television manufacturers to create a uniform security standard to stop the hacking before it becomes widespread.

A security research group recently highlighted security flaws in so-called “smart” TVs that make it simple for anyone to hack the television’s internal microphone and embedded camera originally designed for video chatting. The security group warned that almost anyone could begin eavesdropping within minutes of identifying a vulnerable television — most lacking any significant security measures to prevent unauthorized video spying.

“You expect to watch TV, but you don’t want the TV watching you,” said Schumer. “Many of these smart televisions are vulnerable to hackers who can spy on you while you’re watching television in your living room. Our computers have access to firewalls and other security blocks but these televisions do not and that’s why manufacturers should do everything possible to create a standard of security in their internet-connected products.”

The security vulnerability exists because many modern “smart” TVs are now connected to the Internet. To enhance the social experience, many of these televisions are equipped with microphones and unobtrusive video cameras similar to those found in a laptop. But many consumers do not realize these devices could allow anyone on the outside to activate the camera and microphone unbeknownst to the owner and quietly watch and listen in on what is happening inside a home.

Particularly vulnerable

Samsung televisions starting with the 2012 model year were called particularly vulnerable to hacking. Researchers found they could not only access cameras and microphones, they could also tap into the television’s web browser, steal user accounts and passwords, and redirect consumers to hacked websites designed to capture personal information including credit card numbers and bank account information.

Some manufacturers have not taken responsibility for the security flaws, suggesting worried consumers put black electrical tape over the camera or unplug the TV when not in use. Samsung has issued patches for many of the affected devices and promises more changes in future models.

Schumer called current measures inadequate and said they too often leave the burden solely on consumers. He wants an industry security standard that includes a firewall and other measures to keep unwanted visitors out without forcing consumers to disable features they paid to have on their television.

Video: http://www.phillipdampier.com/video/WTEN Albany Schumer Says TV Could Be Watching You 8-4-13.mp4

Your Internet enabled television set may be vulnerable to hacking. WTEN in Albany reports Sen. Schumer wants manufacturers to create a uniform security standard to keep unwelcome visitors out of your living room. (2 minutes)

The Incredibly Hackable Femtocell: $250 Lets You Listen In on Cell Calls, Read Text Messages

Phillip Dampier August 6, 2013 AT&T, Consumer News, Verizon, Wireless Broadband

A Samsung femtocell offered by Verizon Wireless.

The wireless industry’s push to offload wireless traffic to microcells and other short-range femtocell base stations has opened the door for hackers to intercept voice calls, SMS text messages and collect enough identifying information to clone your phone.

Researchers from iSec Partners demonstrated femtocell vulnerability last month at the Black Hat conference in Las Vegas, successfully recording phone calls, messages, and even certain web traffic using a compromised $250 Samsung “network extender” sold to consumers by Verizon Wireless.

Once anyone gets within 15-20 feet of a femtocell using compatible network technology (CDMA or GSM), their device will automatically attempt to connect and stay connected to a potentially rogue cell signal repeater as long as the person remains within 50 feet of the base station. Many phone owners will never know their phone has been compromised.

“Your phone will associate to a femtocell without your knowledge,” said Doug DePerry from iSEC Partners. “This is not like joining a Wi-Fi network. You don’t have a choice. You might be connected to ours right now.”

During the demonstration, the presenters were able to record both sides of phone conversations and compromise the security of Apple’s iMessage service. All that was required was to trick Apple’s encrypted messaging service into falling back to plain text SMS. Phones were also successfully cloned by capturing device ID numbers over Verizon’s cell network. Once a phone is cloned, the clone and the original can both connect to a femtocell of any kind, at any location, and the cloned unit can run up the customer’s phone, text, and data bill.

“Eavesdropping was cool and everything, but impersonation is even cooler,” DePerry said.

Although the very limited range of femtocells makes them less useful for tracking a particular person’s cell phone over any significant distance, installing a compromised femtocell base station in a high-traffic area like a restaurant, mall, or entertainment venue could allow hackers to quietly accumulate a large database of phone ID numbers as people pass in and out of range. Those ID numbers could eventually be used to clone a large number of phones.

iSEC Partners believes femtocells, as designed, are a bad idea and a major security risk. Although Verizon has since patched the vulnerability discovered by the security group, DePerry believes other vulnerabilities will eventually be found. He worries future exploits could be used to build networks of compromised femtocells, controlled by unknown third parties, to snoop on and steal from a larger user base.

iSEC says network operators should drop femtocells completely and depend on implementing security at the network level, not on individual devices like phones and cell phone extenders.

AT&T’s femtocells support an extra layer of security, so they are not affected by the attack demonstrated here. But that could change eventually.

“It’d be easy to think this is all about Verizon,” said Tom Ritter, principal security engineer at iSec Partners. “But this really is about everybody. Remember, there are 30 carriers worldwide who have femtocells, and [that includes] three of the four U.S. carriers.”

iSec Partners is working on “Femtocatch,” a free tool that will allow security-conscious users to automatically switch wireless devices to “airplane mode” if they ever attempt to connect to a femtocell. The app should be available by the end of August.

Hackers Interrupt Broadcasts with Emergency Alert System ‘Warnings’ About Zombie Attacks

Phillip Dampier February 14, 2013 Consumer News, Public Policy & Gov't, Video

A handful of broadcasters in California, Michigan, Montana and New Mexico interrupted their regularly scheduled programs earlier this week to warn audiences that zombie attacks were underway and residents should avoid the undead at all costs.

This ‘War of the Worlds’ scenario did not frighten radio and television audiences, but it caught stations off-guard, because the Emergency Alert System messages received over the Internet were programmed to broadcast live over the air with no intervention on the part of the living.

“Local authorities in your area have reported the bodies of the dead are rising from their graves and attacking the living,” said one message, which went out as both a scrolling text message and a voice alert. “Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

The Federal Communications Commission on Tuesday warned the nation’s broadcasters to lock down the equipment that monitors for EAS warnings and rebroadcasts them to the public.

The zombie reports managed to find their way to the airwaves in Los Angeles and Michigan Monday. On Tuesday, the messages were delivered across New Mexico on several of the state’s PBS stations.

How are the hackers getting in?

“Before a year or two ago, the EAS systems were hooked up through phone lines, now they’re hooked up to the Internet,” said Karole White, president-CEO of the Michigan Broadcaster’s Association. “We feel fortunate they were not able to get into the entire Emergency Alert System – that’s the good news. The bad news is they got in at all.”

An equipment vendor suspects affected stations never changed the default password supplied with the equipment that inserts warning messages into broadcasts. The FCC agreed, warning broadcasters:

EAS Participants must change all passwords on their CAP EAS equipment from default factory settings, including administrator and user accounts.
EAS Participants are also urged to ensure that their firewalls and other solutions are properly configured and up-to-date.

The hacker or hackers have not yet been found by federal authorities. If convicted, the person(s) responsible face hefty federal fines.

Video: http://www.phillipdampier.com/video/KRQE Albuquerque Zombie attack announced on local TV 2-13-13.mp4

KRQE in Albuquerque reports a hacker attack on the state’s largest public broadcaster delivered fake zombie warnings over the Emergency Alert System earlier this week. (3 minutes)
