Checklist 107: Newegg, Old Issues

This week, we’re looking at a slew of security issues, from a good old-fashioned data breach, to Apple’s latest way to make sure that the person using your device is really you! Those stories, plus a look at California’s attempts to rein in problems with the Internet of Things, will give us a glimpse into what’s going on in the world of security recently. On our checklist for today’s discussion:

• Security concerns break for Newegg
• California considers laws for Internet of Things things
• Using phone call data to protect your iPhone

If you like to tinker with computers or enjoy shopping for hardware online, you probably have heard of Newegg, one of the biggest online electronics retailers out there. Well — we’ve got some bad news…

Security concerns break for Newegg

If we wanted to turn this into the Weekly Checklist of Data Breaches, it wouldn’t be difficult. In fact, it would be pretty easy to create a show that focused on three data breaches every week — but that would get rather dull after a while. Visiting one of these topics from time to time is a good idea, though, in part because you may be a victim of the breach without knowing it, and also partly because it’s simply a good opportunity to revisit best practices for online safety. In the case of Newegg, we not only have a severe data breach but one where the method of execution was quite unique compared to other stories we’ve seen.

According to a report by The Verge, Newegg’s servers were leaking sensitive customer data for nearly a month before two IT security firms, Volexity and RiskIQ, discovered that something was amiss. What happened? Hackers somehow gained access to the webpages Newegg uses for payment processing and inserted just 15 lines of simple code amid everything else. As customers proceeded to complete their orders, this code would steal their credit card information as soon as users pressed the button to submit their payment.

A copy of the entire payment form, including billing addresses and expiration dates, would instantly transmit itself across the web to a server for a domain called “neweggstats.com,” designed to look close enough to the real thing to fool any casual observers. The domain was used as a trap for credit card data, and even had its own valid HTTPS certificate, which may be what allowed the attackers (known to the security community as Magecart) to fly under the radar for a month. With tens of millions of visitors each month and a swelling annual revenue, it is likely that tens of thousands of customers were affected. Newegg is still assessing the extent of the breach and the amount of customer information stolen.

The Verge report notes that researchers believe Magecart was also responsible for two other similar hacks that led to data breaches across the pond earlier this year. Those attacks hit Ticketmaster UK and British Airways, two other major players in their respective industries. In both cases, Magecart ignored internal business databases and did not try to steal information that was already stored. Instead, their focus has always been on direct theft of consumer data. Finding malicious code hiding inside a legitimate page for purchasing products sounds like every online shopper’s worst nightmare — so the big question many people are asking is simple: how could it happen?

For now, we don’t know the exact details, and we likely won’t until Newegg completes its investigation. However, there are a few methods hackers might use to execute a plan like this. In one case, they might have direct access to the server itself, and the corresponding ability to intercept pages and alter them on their way to loading for a user.

A more likely potential scenario would go like this: the hackers gain access to a particular web database for Newegg and insert a malicious record. This record contains the JavaScript code they want to run for stealing data. When the payment page loads, it calls the database for information, and one of the records it returns is the malicious code. This code then runs on the page as intended, stealing the user’s data. Keep in mind that this is only speculation. In the British Airways attack, RiskIQ believes that Magecart targeted a vulnerable script on the website to exploit and inject their credit card stealing code.

So, what can you do? If you bought something on Newegg from the start of August to mid-September, keep an eye on your bank account for suspicious activity. You may even want to contact your card issuer to alert them to the problem and to ask for the cancellation of your current number and the issuance of a new one. While passwords may not have been compromised, Newegg said in an email to its customers that it was as yet unsure what data was stolen — so changing your password is likely a good step just to be safe. For tips on that, we’ve got an old Checklist episode for you to check out — Episode 8.

Finally, keep an eye on your email. Newegg says it is alerting customers who made purchases that were affected by the breach and be sure to check out the FAQ page that should now be up on their website. It will contain important information on the next steps, how you might have been affected, and more about how the company plans to move forward.

California considers laws for Internet of Things things

These days, just about everyone has something to say about the Internet of Things and its security — or lack thereof. Even here on The Checklist, we’ve covered the subject several times, from breaches resulting from bad IoT security to ways you can use these technologies while still staying safe. Now, California looks as though it’s poised to potentially pass a law that would finally put some serious regulations on IoT devices. While the proposed legislation does have some detractors, by and large, it looks like it could be a good thing for the safety of the average end user. Plus, if companies need to change their products to comply with California law, it’s likely that users in the rest of the nation would benefit from those changes, too. So, what are they?

According to a report by Engadget, California Governor Jerry Brown has received a draft of a law drawn up by the legislature that would end practices such as standard default passwords on IoT devices. Under the terms of the law, any device that allows a user to log-in would have to implement one of two procedures. In the first scenario, every device would have to come with its own unique password built in, rather than the ubiquitous “admin/password” combo we all know and loathe. Otherwise, if a standard default login is used, the device must mandate the user set a new username and password after the first login with no exceptions. The law also includes vague terms mandating that devices feature “security features” in line with the device’s function.

We should stress that for now, as interesting as this development in, this is not law; it’s only under consideration. Furthermore, if it does receive the governor’s signature, the law’s provisions won’t kick in for another two years, with an activation date sometime in 2020. It would give device manufacturers and developers the time necessary to update their devices and software for compliance.

While some critics allege that these rules wouldn’t stop device makers from creating features that lacked security altogether, others point out that hard and fast rules would likely become obsolete within just a few years of the law’s introduction. The vague terms, these proponents argue, give the law room to expand as necessary through interpretation. We say it’s about time someone finally made a move to clamp down on these problems! In some cases, vagueness regarding what developers must do can actually be beneficial.

Consider development in the medical sector, which must comply with patient privacy rules such as HIPAA. HIPAA itself does not tell developers precisely how to protect patient data; instead, it focuses more on laying out the penalties that failure to protect patient data can trigger. The result is that software developers work much harder to ensure that all their bases are covered, leaving no stone unturned. When legislation sets a particular bar for compliance, it can be a race to the bottom as businesses look for the lowest amount of legal compliance they can implement to save time and money. With that in mind, the California law would allow for smarter responses to changes in the IoT industry.

If you don’t want to wait for California’s governor to make a decision or for 2020 to roll around, The Checklist has covered the Internet of Things in the past on Episode 42. In that episode, you can learn about what the IoT is and how you can safely and intelligently use smart devices. It’s getting harder to avoid some of these Internet-connected devices, like Smart TVs — so it’s worth taking the time to learn all you can about how to be safe with them until the industry makes a change.

Using phone call data to protect your phone

Would you trust Apple with your phone calls and emails? If you answered “no” but you own an iPhone, you should probably think again — since that’s exactly what you already do! Let’s frame the question another way as we prepare to dive into our last story for today: do you trust Apple to do anything with your calls and texts besides making sure they get to you safely? That question is at the crux of a new story developing in the wake of the release of iOS 12. Based on a story reported by VentureBeat, Apple seems to be collecting some information about a user’s communications habits as part of an anti-fraud effort.

Savvy Apple watchers noticed changes to the company’s privacy policy occurred not long after the rollout of iOS 12. The new policy language makes it clear that Apple is collecting some form of information about the communications activity on your device to try to identify when a person who is not you is trying to use the device. From the privacy policy:

To help identify and prevent fraud, information about how you use your device, including the approximate number of phone calls or emails you send and receive, will be used to compute a device trust score when you attempt a purchase. The submissions are designed so Apple cannot learn the real values on your device. The scores are stored for a fixed time on our servers.

To those paying attention, this seemed a bit strange for a few reasons — first, devices such as the Apple TV aren’t used for communications, so we don’t know how Apple could compute a “Trust Score” based without such information. Furthermore, the actual methodology the company wants to use to detect fraud isn’t clear. However, regular listeners of The Checklist will recall that we recently spent some time discussing how some sites could track users based on their clicking and browsing patterns. That makes this effort sound more realistic.

Apple devices already have a unique identifier code, plus unique serial numbers, so why Apple chose to add in this additional check isn’t known. We can imagine one scenario where this might work — a device that rarely makes calls suddenly begins to record a large and unusual volume of phone activity. Could Apple decide that means the phone was stolen and temporarily disable its access to things such as the iTunes Store? It’s possible.

Somewhat surprisingly, Apple reached out to VentureBeat to respond and offer a comment. The company confirmed the Trust Score was a new feature and was designed, in part, to help reduce false positives generated by other anti-fraud systems the company has in place to protect users who make purchases on iTunes. The company stressed that its servers only receive a numerical score that cannot be reverse engineered to identify a device or the activity that occurred on it; in fact, the score itself is computed secretly and securely on a user’s device. In other words, Apple is not retaining any records of who you called and when, or that time you stayed up to 3 AM sending text messages.

Overall, this is an interesting development, and fully in line with Apple’s typical commitment to user safety. By updating their privacy policy and being transparent with their efforts, it makes it easier to build trust. It’s always nice to see Apple watching out for its users — it’s even nicer to see them clarify what’s going on for once. With the precautions taken to protect user information, there’s not much to worry about with the new Trust Score feature, and there is plenty to like.

For now, though, that will be the last item we have to check off our list today. Remember to watch your inbox if you’ve recently shopped from Newegg, and we suggest you update to the latest version of iOS if you haven’t yet. In addition to newly implemented security protections, you’ll find a ton of new features and tweaks too.

Just because we’re done with this Checklist doesn’t mean you’re out of luck until next week, though. In the Checklist Archives, you’ll find everything you need to take a deep dive on all kinds of subjects in the world of security. Be sure to check out Episode 08 and  Episode 42 — The Internet of Things for more information about some of the topics we covered today. Of course, while you’re there, you’ll find more than 100 other episodes with plenty of links to follow as well.

Got a question for us? See a story in the news you’d like to hear us discuss? Send an email to Checklist@SecureMac.com with your thoughts and ideas. We look forward to hearing from you! Until then, we’ll talk to you again next week when we return with a new edition of The Checklist, brought to you by SecureMac. Thanks for listening.