Almost half of the fight travelers around the world were found exposed to a critical security vulnerability discovered in online flight ticket booking system that allowed remote hackers to access and modify their travel details and even claim their frequent flyer miles.
Israeli network security researcher Noam Rotem discovered the vulnerability when he booked a flight on the Israeli airline ELAL, successful exploitation of which just required victim’s PNR (Passenger Name Record) number.
The vulnerability resided in the widely used online flight booking system developed by Amadeus, which is currently being used by nearly 141 international airlines, including United Airlines, Lufthansa and Air Canada.
After booking a flight with ELAL, the traveler receives a PNR number and a unique link that allows customers to check their booking status and related information associated with that PNR.
Rotem found that merely by changing the value of the “RULE_SOURCE_1_ID” parameter on that link to someone else’s PNR number would display personal and booking-related information from the account associated with that customer.
Using disclosed information, i.e. booking ID and last name of the customer, an attacker can simply access the victim’s account on
and “make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service.”
“Though the security breach requires knowledge of the PNR code, ELAL sends these codes via unencrypted email, and many people even share them on Facebook or Instagram. But that’s just the tip of the iceberg,” the researcher said in his blog post.
Don’t have PNR numbers of your victims? Don’t worry.
Rotem also figured out that the Amadeus portal was not using any brute-force protection that eventually allowed attackers to attempt every alphanumeric uppercase complications using a script, as shown, to find all active PNR numbers of customers of any Amadeus-linked airline website.
“After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information,” Rotem added.
You can see the video demonstration provided by the researcher to know how a simple script devised by him guessed the PNR numbers and was able to find active numbers in Amadeus.
Since the Amadeus booking system is being used by at least 141 airlines, the vulnerability could have affected hundreds of millions of travelers.
After discovering the vulnerability, Rotem immediately contacted ELAL to point out the threat and suggested the airline to introduce captchas, passwords and a bot protection mechanism in order to prevent brute-force attempts.
Amadeus has now fixed the issue, and the Rotem’s script can no longer identify active PNRs as demonstrated in the above video.
Upon contacting Amadeus, the company replied, “At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action, and we can now confirm that the issue is solved.”
Amadeus also added that the company has also added a Recovery PTR to strengthen security further and “prevent a malicious user from accessing travelers’ personal information.”
Developers of phpMyAdmin, one of the most popular and widely used MySQL database management systems, today released an updated version 4.8.4 of its software to patch several important vulnerabilities that could eventually allow remote attackers to take control of the affected web servers.
about the latest security release on its blog, informing website administrators about this significant update.
phpMyAdmin is a free, open-source administration tool for managing MySQL databases using a simple graphical interface over the web-browser.
Almost every web hosting service pre-installs phpMyAdmin with their control panels to help webmasters easily manage their databases for websites, including WordPress, Joomla, and many other content management platforms.
Besides many bug fixes, there are primarily three critical security vulnerabilities that affect phpMyAdmin versions before release 4.8.4, phpMyAdmin revealed in its latest advisory.
phpMyAdmin vulnerabilities are as described below:
1.) Local file inclusion (CVE-2018-19968) —
phpMyAdmin versions from at least 4.0 through 4.8.3 includes a local file inclusion flaw that could allow a remote attacker to read sensitive contents from local files on the server through its transformation feature.
“The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.”
phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 includes CSRF/XSRF flaw that could allow attackers to “perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.” just by convincing victims into opening specially crafted links.
3.) Cross-site scripting (XSS) (CVE-2018-19970) —
The software also includes a cross-site scripting vulnerability in its navigation tree, using which an attacker can inject malicious code through a specially-crafted database/table name.
Since phpMyAdmin has now released its latest version 4.8.4 to address all reported flaws, website administrators and hosting providers are highly recommended to install the update immediately.
Trend Micro Incorporated a global leader in cybersecurity solutions, today released its 2019 predictions report, warning that attackers will increase the effectiveness of proven attack methods by adding more sophisticated elements to take advantage of the changing technology landscape. The report, Mapping the Future: Dealing with Pervasive and Persistent Threats , highlights the growing threats faced by consumers and organizations that are exacerbated by the increasingly connected world.
Start the conversation, or Read more at Al Bawaba.
Bitglass has released its 2018 BYOD Security Report. The analysis is based on a survey of nearly 400 enterprise IT experts who revealed the state of BYOD and mobile device security in their organizations.
According to the study, 85 percent of organizations are embracing BYOD. Interestingly, many organizations are even allowing contractors, partners, customers, and suppliers to access corporate data on their personal devices.
Amidst this BYOD frenzy, over half of the survey’s respondents believe that the volume of threats to mobile devices has increased over the past twelve months.
Key findings
Organizations are embracing BYOD, making it available to employees (76 percent), contractors (27 percent), partners (25 percent), customers (22 percent), and suppliers (19 percent).
51 percent of respondents believe the number of threats targeting mobile devices has increased in the past year. Unfortunately, only 30 percent of firms are confident that they are properly defending against malware on personal and mobile devices.
30 percent of enterprises cite company security concerns as the leading inhibitor to BYOD adoption; specifically, they are worried about data leakage (61 percent), unauthorized data access (53 percent), and the inability to control uploads and downloads (53 percent).
One in five organizations lacks visibility into basic, native mobile apps (like email) on personal devices.
Only 56 percent of companies can employ key functionality like remote wipe for removing sensitive data from endpoints.
“While most companies believe mobile devices are being targeted more than ever, our findings indicate that many still lack the basic tools needed to secure data in BYOD environments,” said Rich Campagna, CMO of Bitglass. “Enterprises should feel empowered to take advantage of BYOD’s myriad benefits, but must employ comprehensive, real-time security if they want to do so safely and successfully.”
Amazon Web Services, to their credit, are trying to prevent this from happening.
For one, all newly created S3 buckets and objects (files and directories in the bucket) are by default private, i.e. not publicly accesible by random people via the Internet. Secondly, changes implemented earlier this year made it possible for customers to easily identify S3 buckets that are publicly accessible due to Access Control Lists (ACLs) or policies that allow read/write access for any user:
But even that’s not enough, so the company is rolling out a new security feature: Amazon S3 Block Public Access.
About Amazon S3 Block Public Access
This new feature allows account owners/administrators to centrally block existing public access (whether made possible via an ACL or a policy) and to make sure that newly created items aren’t inadvertently granted public access.
The feature allows four new options:
They allow account users to protect against future attempts to use ACLs to make buckets or objects public, to override current or future public access settings for current and future objects in the bucket, to disallow the use of new public bucket policies, and to limit access to publicly accessible buckets to the bucket owner and to AWS services.
The options can be configured to affect the entire account or selected buckets. Options set at the bucket level cannot override account-level settings.
“If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure,” AWS Chief Evangelist Jeff Barr explained.
The feature can be accessed from the S3 Console, the command-line interface, the S3 APIs, and from within CloudFormation templates.
Vulnerabilities in mPOS (mobile point-of-sale) machines could allow malicious merchants to defraud customers and attackers to steal payment card data, Positive Technologies researchers have found.
The use of mPOS devices has seen huge growth over the last few years as the barriers to entry to be provided a device and start accepting card payments are effectively zero. Like ATMs and traditional POS, they are at the end point of payment infrastructure, meaning they are very attractive and accessible to criminals for both the testing of these devices and in the movement of fraudulent money.
mPOS vulnerabilities
The vulnerabilities have been discovered in a number of market-leading mPOS devices popular in both the U.S. and Europe: Square, SumUp, iZettle, and PayPal.
mPOS devices work by communicating through a Bluetooth connection to a mobile application, which then sends data to the payment provider’s server. By intercepting the transaction it is possible to manipulate the amount value of magstripe transactions.
A fraudulent merchant can gain access to the traffic, modify the amount that is presented to the customer on the card reader, forcing the customer to authorize an entirely different amount without being aware. Still only 58.5 percent of debit and credit cards in the U.S. are EMV-enabled, and, lower still, 41 percent of transactions are made in this way, making attacks against magstripe a very significant threat.
A number of the mPOS devices were also vulnerable to Remote Code Execution (RCE) attacks. With this vulnerability, it is possible to gain access to the whole operating system of the reader.
In addition, it is possible to send arbitrary commands to some of the readers and influence the purchaser’s behavior. For example, fraudulent merchants can force customers to use a more vulnerable payment method (such as magstripe) or say that a payment was declined, encouraging the customer to make multiple payments.
What to do?
The vulnerabilities were disclosed to all of the vendors and manufacturers, and Positive Technologies is assisting the affected parties to close the issues that were identified.
“These days it’s hard to find a business that doesn’t accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept non-cash payments,” noted Leigh-Anne Galloway, Cyber Security Lead at Positive Technologies.
“Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”
Fellow researcher Tim Yunusov says that anyone who is making a payment on an mPOS device should not make the transaction via magstripe, but instead use chip and pin, chip & signature, or contactless.
“Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions. While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority,” he added.
Though more router manufacturers are making routers easier to set up and configure—even via handy little apps instead of annoying web-based interfaces—most people probably don’t tweak many options after purchasing a new router. They log in, change the name and passwords for their wifi networks, and call it a day.
While that gets you up and running with (hopefully) speedy wireless connectivity, and the odds are decent that your neighbor or some random evil Internet person isn’t trying to hack into your router, there’s still a lot more you can do to boost the security of your router (and home network).
Advertisement
Before we get into our tips, one quick caveat: Wireless routers all have different interfaces, different ways they name their settings, and different settings you can adjust. For this article, I’ll be poking around the interface of a TP-Link Archer C7. You’ll want to explore around your router’s web-based configuration screen (or app) to make sure you’ve adjusted all the right settings, but it’s possible you won’t be able to do everything we’ve detailed below.
Accessing your router’s settings
If your router doesn’t have an easy-to-use app for configuring its settings—like what you typically encounter when buying a mesh-networking system—you’ll probably access its settings by pulling up a web browser (on a device that’s connected to your router) and typing in your router’s IP address:
On a Windows system, pull up the command prompt and type in ipconfig. The IP address that’s listed as your default gateway is likely your router’s IP address.
If you’re on a Mac, pull up System Preferences > Network, and click on Advanced in the bottom-right corner. Click on the TCP/IP option toward the top of the next window and look for your router’s IP address.
If you’re on your iPhone, tap on Settings, then Wi-Fi, and tap on the “i” icon next to the wifi network you’re connected to. Your router’s IP address should be listed right there.
Step One: Update your firmware
Some routers bury firmware updates deep in their settings menus; some might even notify you about a new firmware update the moment you log into their apps or web-based user interfaces. However you find the option, you’re going to want to make sure that your router is running the most up-to-date firmware.
Advertisement
If you’re lucky, your router will be able to download new firmware updates directly from its manufacturer. You might have to click on a button (or two) to start this process, or this might happen automatically—routers that do the latter are great, because most people don’t really think about “checking to see if my favorite tech gear has updated firmware” on a regular basis, if ever.
It’s also possible that your router will require you to upload new firmware yourself. If so, you’ll have to download the right firmware from the router’s manufacturer—likely on a support page for your router—and manually update the router by browsing for this firmware file and starting the update process yourself. You’ll have to do this each time you want to update your router with new firmware, which means you’ll have to check for new firmware fairly regularly, perhaps a few times a year. It’s a laborious process that’s easily forgotten, but it’s also important if you want to keep your router protected from external threats.
Change your router login and password
If you’re still using “admin / admin,” “admin / password,” or some variant of generic words to log into your router, change that. Even if your router manufacturer has given you a quirkier password that presumably differs for everybody, it’s important to use a login and password that’s tough to guess or brute-force.
Even if you’re stuck using “admin” as a user name to log in, make your password something complex, not something anyone can look up via a quick web search.
Use WPA2 to secure your wireless network
It almost goes without saying, but don’t use WEP when you’re setting up a password for your wifi network. Passwords “protected” with the WEP encryption are a lot easier to brute-force attack than those encrypted with WPA2. Even though you probably don’t have someone hanging out on your street corner, wardriving everyone’s wireless networks, there’s no reason to not use the stronger WPA2 protocol—unless you have an old device that simply can’t handle WPA2, which is unlikely. And whatever you do, don’t run an open (password-free) wifi network. My god.
Turn off WPS
On paper, WPS—or Wi-Fi Protected Setup—sounds great. Instead of having to type in a long, reasonably complex wifi password on a device, you can just type in a smaller PIN number, likely printed directly on your router.
Advertisement
Guess what? These PIN numbers are much easier to brute-force attack than a more complicated password or passphrase. While a number of routers will time out an attacker after they botch a certain number of password attempts, that hasn’t stopped more ingenious WPS attacks from surfacing. The easiest way to prevent these kinds of shenanigans is to just disable WPS entirely.
Yes, you’ll have to type in your password. Yes, it’ll be annoying. It’s an extra minute of your life. You’ll be fine. Or, if you truly cannot handle this process, check to see if your router allows you to use push-button WPS instead of PIN-based WPS. That way, you’ll have to physically press buttons on your router and any devices you want to connect, which will make it a lot trickier for someone to exploit WPS and break into your network.
Use a better DNS
Browse the web a little bit faster by switching away from your ISP’s DNS and using a service like Google DNS, Cloudflare, or OpenDNS. As an added bonus, you’ll also increase the likelihood that you actually make it to the websites you’re trying to visit without any man-in-the-middle attacks, popups, redirects, interstitials, or annoying “you made a typo in your web address so we’re going to redirect you to a webpage filled with spam and ads” that your ISP might use.
Advertisement
If you want to get really crafty, you can drop a service like OpenDNS on your kid’s laptop, enable parental controls to keep them off time-sucking websites like Tumblr and Reddit, and give yourself a different DNS provider (like Google DNS) to browse the web without any restrictions. Your child will hate you, but at least they’ll turn out to be a rocket scientist with 27 inventions instead of a Twitch streamer with 3 followers.
Consider using MAC filtering, annoying as it might get
While it’s easy for an attacker to spoof a MAC address, you can at least give yourself a little extra security by setting up your router to only allow devices to connect that appear on a whitelist. This filtering is based on each device’s MAC address—a long string of letters and numbers that looks something like “00-11-22-33-44-55.”
While this means that you’ll need to go in and add any new devices you purchase whenever you want them to be able to connect to your router, it also means that devices you don’t authorize won’t be able to do squat. Like I said, though, MAC addresses are easy to spoof, so if this tip gets more annoying than practical, feel free to disable MAC filtering. You’ll be OK.
Consider scheduling your wifi
If you work a pretty normal schedule during the week and you have no reason to remotely connect to your home devices, consider using your router’s scheduling mechanism—if it has one—to just turn off your wifi when you aren’t home.
Advertisement
This isn’t the most practical tip if you have a bunch of smarthome devices that need the Internet, like if you want to be able to turn the lights on and off to piss off your cat or you want to be able to watch a delivery driver drop off the expensive package you ordered. If you live a relatively simple life—no harm there—and nothing really needs Internet connectivity when you aren’t around, then why power up your wifi for no reason? It’s hard to hack into a network that doesn’t exist.
Disable potentially sketchy services
You probably don’t need to mess with your router’s settings when you aren’t actively connected to your wireless network. If your router has some kind of an option for “remote management” or “remote administration” make sure it’s disabled.
You should also consider disabling UPnP on your router, although this might give you a little grief when you’re gaming or running BitTorrent—to name two examples. Still, when an entire website is dedicated to the various ways one can exploit UPnP for nefarious purposes … maybe it’s time to go back to manually forwarding ports, if needed.
Advertisement
Some routers also let you set up an FTP server so you can transfer files in and out of your network. However, we live in an era when it’s easy to use any number of cloud storage providers—or file-uploading services—to share your files. You probably don’t need to run an FTP at home, and it’s a lot safer to disable this feature entirely (if your router supports it).
You also likely don’t need to access your router over SSH or Telnet—turn either off, if offered—nor do you probably need to access any USB-connected printers or storage when you aren’t at home. In short, if your router lets you do something from afar, consider turning the feature off (if you can). The fewer ways you can access your home network when you aren’t in it, the harder it’ll be for someone else to take advantage of a vulnerability and access your router (or your home network).
If you can, consider disabling your router’s cloud functionality as well. While it might be useful to be able to edit your router’s settings by logging into the manufacturer’s cloud service, it’s just one more open door that an attacker could use to compromise your router (or network). While you have no choice with some routers—typically mesh routers—it’s always better, and safer, to log into a router’s web-based UI manually from a device that’s connected to your home network, even though it’s a lot less convenient.
Consider a separate wifi network for guests and smart-home devices
I’ve been playing, testing, and reviewing routers for more than a decade, and I still have yet to meet someone who uses their router’s guest network feature. Heck, I don’t think I’ve ever even connected to a friend’s “guest network” in their home or apartment.
Advertisement
Still, the premise of a guest network is great, security-wise: Your router automatically sets up a second SSID for friends to use, and any device connecting to it is walled off from other devices on your primary network, either plugged into your router directly or connected wirelessly. (Most routers let you adjust whether you want guests to see everything, each other, or nothing, if you need to customize your setup a bit.)
A guest network comes with an added bonus, too; you can use it for all of your less-secure smart-home devices. If someone takes advantage of a vulnerability in your smart lightbulb and breaks into your network, there will still be a layer of protection between your hacked device and your desktop PC, smartphone, and laptop—to name a few examples. While you can also get crazy and segment off your network with separate SSIDs and VLANs, if your router supports it, this is an easier method that won’t give you a weekend’s worth of headaches (if you don’t know what you’re doing).
A prolific hacking group has struck again, this time stealing close to $1 million from Russia’s PIR Bank. The July 3 heist came about five weeks after the sophisticated hackers first gained access to the bank’s network by compromising a router used by a regional branch.
Singapore’s largest healthcare group, SingHealth, has suffered a massive data breach that allowed hackers to snatch personal information on 1.5 million patients who visited SingHealth clinics between May 2015 and July 2018.
SingHealth is the largest healthcare group in Singapore with 2 tertiary hospitals, 5 national specialty , and eight polyclinics.
by Singapore’s Ministry of Health (MOH), along with the personal data, hackers also managed to stole ‘information on the outpatient dispensed medicines’ of about 160,000 patients, including Singapore’s Prime Minister Lee Hsien Loong, and few ministers.
“On 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity,” MOH said.
The stolen data includes the patient’s name, address, gender, race, date of birth, and National Registration Identity Card (NRIC) numbers.
The Ministry of Health said the hackers “specifically and repeatedly” targeted the PM’s “personal particulars and information on his outpatient dispensed medicine.”
So far there’s no evidence of who was behind the attack, but the MOH stated that the cyber attack was “not the work of casual hackers or criminal gangs.” The local media is also speculating that the hack could be a work of state-sponsored hackers.
Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) also confirmed that “this was a deliberate, targeted, and well-planned cyberattack.”
PM Comments On SingHealth Healthcare Data Breach
Commenting on the cyber attack through a Facebook post
today, Singapore’s Prime Minister said he believes that the attackers are “extremely skilled and determined” and they have “huge resources” to conduct such cyber attacks repeatedly.
“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed,” Singapore PM said. “My medication data is not something I would ordinarily tell people about, but nothing is alarming in it.”
The Singapore government has assured its citizens that no medical records were tampered, or deleted and that no diagnoses, test results, or doctors’ notes were stolen in the attack.
All affected patients will be contacted by the healthcare institution over the next five days.
Since the healthcare sector is part of the critical nation’s infrastructure, alongside water, electricity, and transport, it has increasingly become an attractive target for hackers.
In the past few years, we have reported several hacks and data breaches, targeting the healthcare sector. Just last month, it was revealed that
exposed its healthcare data in a massive data breach that targeted the country’s major healthcare organization.
The foremost thing to protect against any data breach is to stay vigilant, as nobody knows when or where your stolen identities will be used. So, affected consumers will just have to remain mindful.
An anonymous reader quotes ITWire:
Well-known British security researcher Kevin Beaumont says the breach of the British operations of American multinational ticket sales and distribution company Ticketmaster, that has led to the possible leak of tens of thousands of credit card details, was caused by the incorrect placement of a single line of code… Beaumont said Inbenta was providing a chat bot for website developers "by providing a single line of HTML which calls a JavaScript from Inbenta’s Web server…." He pointed out that while Inbenta had provided Ticketmaster a customised JavaScript one-liner, the ticketing company had placed this chatbot code on its payment processing website without informing Inbenta it had done so. "This means that Inbenta’s webserver was placed in the middle of all Ticketmaster credit card transactions, with the ability to execute JavaScript code in customer browsers," Beaumont said. This code had been altered by some malicious person back in February and the problems began at that point, he said. Beaumont warns businesses to be cautious with third-party JavaScript code in sensitive processes. "Check your supply chain. Because attackers are." And he also highlights how anti-virus tools started flagging the the script months before Ticketmaster announced the breach. "I can see the Javascript file being uploaded to a variety of threat intelligence tools from April through just before the breach announcement, so clearly somebody was looking into it."
