SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 100: It’s Episode 100!

Posted on August 2, 2018

It has been a long time coming, but we are proud to celebrate the milestone achievement of 100 episodes of The Checklist, brought to you by SecureMac! We’d like to take this moment to say a big “thank you” to our listeners, especially those who’ve been here from the start. With such a big milestone, it seems appropriate that one of the top stories we have on our list this week concerns another gargantuan trove of personal data — and chances are, at least some of your information is in that trove. That, plus a few other stories, makes up what we have on our list for today:

  • Who is Exactis — and what do they know about you?
  • A new Bluetooth vulnerability makes the news
  • LifeLock returns to the headlines for a second run

Let’s not waste any time; we’re diving straight into the latest data breach in the headlines. If you’ve been following the headlines — and they’re almost daily at this point — you might have heard about this story already. It’s easy for everything to get lost in the mix as it seems like we’re constantly hearing about companies losing or leaking data all the time. Even big stories seem to fade faster than you might expect — who’s still talking about Equifax? The organization in question today also starts with an “E”… so what’s up with Exactis?

Who is Exactis — and what do they know about you?

Exactis is a data broker — a business that buys and sells information, usually about average people like you. The purpose: enable marketing firms and businesses to target their outreach efforts to the types of people most likely to be interested in spending money on their products and services. Companies like Exactis can gather a huge amount of information based on making inferences from things such as magazine subscriptions, credit reports, and even card transaction histories some banks make available in data-sharing exchanges. Exactis might be able to tell whether you own pets, how much you pay in rent every month, or even the types of movies you like to see, depending on what sources they are able to tap.

All this information — around 340 million records in total, according to one estimate — was left exposed on the Internet for anyone with the right skills to find. That breaks down to about 230 million records on individuals, with an additional 110 million records on businesses held in a separate database. Don’t panic (much) yet, though: the data Exactis left accidentally exposed did not include anything highly sensitive, such as credit card numbers or Social Security numbers.

Though the potential number of affected individuals is far larger than last year’s Equifax breach, it would not enable the same potential level of identity theft as Equifax did. Nonetheless, how could a data broker be so careless as to leave that type of data available on the open Internet? It didn’t take too much to find, either. Here’s how security researcher Vinny Troia figured it out.

He began by using a specialized search engine called Shodan. Unlike Google, which indexes web pages that match your queries, Shodan indexes Internet-connected devices that have open, accessible ports: anything from an unsecured Internet-connected camera to certain types of IoT devices and more. Troia was using Shodan to investigate something called an ElasticSearch database.

ElasticSearch is a tool that lets someone query a database remotely over an Internet connection with a few simple command-line requests. Many businesses use protected, encrypted ElasticSearch databases to share information or to make it easily accessible to remote employees. After narrowing his search terms to US-based ElasticSearch databases, Troia began to comb through the results. Before long, he had stumbled onto the Exactis database, which had no firewall or other protections to keep outside users out.

Troia noted in his disclosure that his curiosity about ElasticSearch wasn’t unusual, which meant it was highly likely that others could have also discovered the Exactis database. Scraping and dumping the information into a file would have taken a trivial amount of work for someone familiar with the necessary tools. In other words, this huge treasure trove of personal information was completely exposed for an unknown length of time. Troia quickly contacted both the FBI and Exactis with his findings. Although the leak was locked down, and the data is no longer available on the open Internet, the company has made no comment publicly about the incident.
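The exposure Troia found comes down to a node that answers unauthenticated requests on a public interface. As an added example, not code from the podcast, Exactis or the Elasticsearch project, here is a small audit of an elasticsearch.yml that flags that pattern; it uses Elasticsearch's real setting names (network.host, http.host, xpack.security.enabled), while the two config texts are constructed and the "no X-Pack security means no authentication" rule is an assumption that ignores any firewall in front of the node.

```python
# Minimal parser for the flat "key: value" lines used in elasticsearch.yml;
# enough for the settings audited here (no nesting, no lists).
def parse_flat_yaml(text):
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

# Values that keep the HTTP listener on the local machine only.
LOOPBACK = {"127.0.0.1", "::1", "_local_", "localhost"}

def audit(settings):
    """Return findings for the exposure pattern above; an empty list means none found."""
    findings = []
    # Elasticsearch binds to loopback when network.host is absent; http.host,
    # if present, overrides it for the HTTP (REST) listener.
    host = settings.get("http.host", settings.get("network.host", "_local_"))
    # Assumption: authentication counts as absent unless X-Pack security is
    # explicitly enabled; a firewall is not visible from this file.
    authenticated = settings.get("xpack.security.enabled", "false").lower() == "true"
    if host not in LOOPBACK and not authenticated:
        findings.append(f"HTTP listener on {host} with no authentication configured")
    return findings

WEAK_CONFIG = """
cluster.name: consumer-profiles
network.host: 0.0.0.0        # every interface, including the public one
http.port: 9200
"""

FIXED_CONFIG = """
cluster.name: consumer-profiles
network.host: 127.0.0.1      # reachable only through a local proxy or VPN
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(parse_flat_yaml(text)) or ["no findings"])
```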

Is there a potential for harm stemming from this leak? Since there was nothing exceptionally personal like SSNs leaked, the likelihood of something like full-on identity theft coming from Exactis’ information is pretty slim. That doesn’t mean there’s no danger, though. In total, Exactis compiled personality profiles featuring up to 400 unique identifiers for people. Though the bad guys could have already found some of these things from public databases, others come from sources of information not typically available to the average individual.

The biggest risk, therefore, is an increased potential for creative social engineering or very clever phishing attacks. Someone who knows all this information about another individual could try to impersonate them or to convince someone else to hand over information about you. They might even be able to fool you; if they know certain personal things about you, it might make sense to assume they’re acting in an official capacity. As always, it’s a good idea to stay vigilant and to be on the lookout for potential attempts to phish you for your information.

Other than that, was there any way you could have protected yourself from such a leak? The answer is unfortunately no. Practically speaking, the best thing we can do is also the one thing that won’t have immediate results: call your representatives and let them know that we need better protections and rules in place for these sorts of situations. One can imagine that if we had something similar to Europe’s GDPR in the United States, Exactis would at least face a requirement to disclose the leak and some details about it; we lack accountability for these situations right now. Even Equifax hasn’t faced any serious punishments — in fact, their profits are up this year! As disappointing as that may be, it’s proof positive that we need to keep pushing forward for better, more robust requirements for security.

A new Bluetooth vulnerability makes the news

Do you use Bluetooth? Whether you’re jamming out to your favorite music on your AirPods or you’re connecting to a friend’s device to swap some cute pictures of your pets, it’s a useful wireless protocol for short distance communications. It’s not perfect, though, and recently Intel disclosed a new vulnerability it had discovered in Bluetooth applications. It was a serious attack that could have allowed the bad guys to do all kinds of things, but it was also difficult to pull off successfully. Here’s how it worked.

An attacker would need to be within close range, no more than about 100 feet, of two Bluetooth devices preparing to pair with one another. If both devices had the unpatched vulnerability, the bad guys could trick them into believing they had paired successfully with each other, when in fact they were giving access to the attacker. Through this vulnerability, a third party could intercept a variety of data from the target device while also potentially gaining privileged execution abilities on it. If it was your iPhone they targeted, that could give them a big window into your private data.

Intel says this vulnerability affects its Bluetooth chipsets, plus those made by Broadcom, Qualcomm, and even Apple. Microsoft’s products appear to be in the clear. There’s good news, though: Apple has already deployed a fix for this problem in its most recent patches, which cover macOS High Sierra, iOS, tvOS, and watchOS — so if you haven’t updated recently, now is a good time to do so. In fact, the nature of the vulnerability makes a quick patch even more important.

Exploiting the flaw only works so long as both the target devices have the vulnerability. If one has the patch, the entire process will fail. In a way, it’s almost like the herd immunity we gain from vaccines — those of us who have the fix can help protect those who don’t. Overall, this isn’t something to worry about so long as you’re up to date; the execution method is complex, and the potential rewards aren’t enticing enough to make this a widespread attack. Of course, if you don’t use Bluetooth, this won’t be much of a concern in the first place. Either way, check to be sure you’re on the latest version before you start pairing devices in public again.

LifeLock returns to the headlines for a second run

Do you remember LifeLock? If you do, you probably remember it because of its founder’s major publicity stunt back when the online identity protection firm was first getting its start. At the time, he put his real Social Security number on billboards and even on the side of a truck, driving it around and declaring that LifeLock could still keep his identity safe. Spoiler alert: it didn’t, and his identity was stolen at least 13 times by 2010. We assume that number is probably low these days. Recently purchased by security giant Symantec, LifeLock still offers identity protection services and help with recovering your identity after it has been stolen.

Based on recent reports from Krebs on Security, the company still isn’t exactly doing a bang-up job regarding keeping information safe. In fact, it looks like the LifeLock website had a vulnerability that could have allowed a savvy user to uncover the email addresses for millions of the company’s customers. This could’ve allowed bad guys to undertake spearphishing campaigns, targeting real LifeLock users with fake LifeLock-branded emails, trying to discover their passwords or other information.

With an estimated 4.5 million accounts, the fact that the website was set up with a lack of some of the most basic web security considerations is rather stunning. How did exploiting this vulnerability work? It’s almost embarrassingly easy.

Krebs On Security learned of the flaw thanks to work done by a freelance researcher named Nathan Reese, himself a former LifeLock member. After getting an official LifeLock email asking him to consider picking his old subscription back up, Reese mashed the “unsubscribe” button just like many of us would do in that situation. On the resulting webpage, he noted that the URL contained a unique “subscriber key” that allowed the server to identify his customer records.

If you’ve listened to the Checklist for a while now, you probably know what’s coming next. That’s right: by making tweaks to these numbers, Reese could find the email preferences for pretty much any other LifeLock subscriber with information on the server. After whipping up a quick script to prove his theory, Reese scraped about 70 email addresses before stopping the script. He validated the emails and then began to share his information. After Krebs broke the story, Symantec quickly pulled Lifelock.com off the Internet to implement a fix.

While it’s not known whether anyone else exploited this vulnerability, it’s shocking that a company sold for several billion dollars would have such a basic flaw. This is truly amateur hour stuff — the ability to easily increment numbers and find other customer records has exposed an untold amount of data across many websites in recent years. Though the vulnerability is presumably now fixed, it’s not exactly a ringing endorsement of their products.
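The flaw described above is a classic insecure direct object reference: the unsubscribe URL carried the raw database key, so changing the number reached someone else's record. As an added example, not LifeLock's or Symantec's code, the block below shows that pattern next to a hardened version whose link token is an HMAC over the key (unforgeable without the server secret, so incrementing it yields nothing), plus a log check that flags the consecutive-key scraping the page describes. The subscriber table, server secret and access-log lines are constructed for illustration.

```python
import hmac, hashlib, re
# Constructed sample data; a real service loads the secret from a key store.
SUBSCRIBERS = {1001: "alice@example.com", 1002: "bob@example.com"}
SERVER_SECRET = b"constructed-secret-rotate-in-real-deployments"

# Vulnerable pattern: the URL parameter is the database key itself, so any
# integer in range maps to someone else's record (insecure direct object reference).
def vulnerable_unsubscribe(key: int):
    return SUBSCRIBERS.get(key)

# Hardened pattern: the link carries the key plus an HMAC over it, so a changed
# number fails verification without the server secret; no email is echoed back.
def make_unsubscribe_token(key: int) -> str:
    mac = hmac.new(SERVER_SECRET, str(key).encode(), hashlib.sha256).hexdigest()
    return f"{key}.{mac}"

def hardened_unsubscribe(token: str):
    """Return the subscriber id to opt out, or None for a malformed/forged token."""
    key_text, _, mac = token.partition(".")
    if not key_text.isdigit():
        return None
    expected = hmac.new(SERVER_SECRET, key_text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):  # constant-time
        return None
    key = int(key_text)
    return key if key in SUBSCRIBERS else None

# Detection for a legacy endpoint still using bare keys: one client walking many
# consecutive key values is the signature of the scraping described above.
LOG_LINE = re.compile(r"^(\S+) .*GET /unsubscribe\?key=(\d+)")

def detect_enumeration(log_lines, threshold=5):
    """Return client IPs that requested >= threshold distinct, mostly consecutive keys."""
    seen = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            seen.setdefault(m.group(1), set()).add(int(m.group(2)))
    flagged = []
    for ip, keys in seen.items():
        ordered = sorted(keys)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        if len(keys) >= threshold and steps >= len(keys) // 2:
            flagged.append(ip)
    return sorted(flagged)

SAMPLE_LOG = [  # constructed access-log lines: one scraper, one genuine user
    f'203.0.113.7 - - [01/Aug/2018] "GET /unsubscribe?key={k} HTTP/1.1" 200'
    for k in range(1001, 1009)
] + ['198.51.100.2 - - [01/Aug/2018] "GET /unsubscribe?key=1002 HTTP/1.1" 200']
```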

What should you do if you want to protect your identity, aside from avoiding phishing efforts as best you can? Be vigilant on your own. Regularly monitor your credit report for suspicious activity, for example. You can also check with your bank to see if they provide any special identity protection services. Many do these days, and you may have better luck with them than a business such as LifeLock. However, it’s important to keep in mind that no service available right now is going to provide foolproof protection against identity theft. That’s why it’s best to take matters into your own hands by watching your information closely whenever possible.

That wraps up our discussion for this week. Remember to investigate the trustworthy solutions available to you if you have concerns and think you might need help with monitoring your identity, though don’t forget you can always do that yourself, too. That might be helpful for those who feel a bit helpless in the face of news like the Exactis leak. Take this opportunity to make some noise about the need for better security for your representatives, though; an extra voice is always helpful.
