-
Richard Mu wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
Don’t use hard-coded keys (DUHK), a new cryptographic vulnerability that allows attackers to recover encryption keys from VPN sessions and web browsers, has been reported from KRACK Wi-Fi attack. The vulnerability […]
-
Shi Yu Dong wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
According to the security researcher, it describes that hackers could leverage an old Microsoft Office feature called Dynamic Data Exchange to perform malicious code execution on the targeted device without […]
-
Richard Mu wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
FinSpy, a spyware that was being sold to government agencies, has been found infecting targets using an Adobe Flash zero-day exploit through Microsoft Office documents that was started by BlackOasis. Security […]
-
Richard – Your response raises attention to the most important and widely used enterprise and personal software, i.e. Adobe Flash and Microsoft Office. Both of these are widely used, and in fact more than 55% of consumers worldwide use them for their everyday use. Most of this malware is embedded in Office documents, which people do not realize and unknowingly open. It manifests itself and attaches itself to the computer systems, slowly extracting and learning data communications and critical information. It is time that we have secure systems to protect people from Flash malware.
-
-
Shi Yu Dong wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
Recently, security researchers have discovered a new privilege-escalation vulnerability in the Linux kernel that could allow a local attacker to execute code on the affected systems with elevated privileges. In the […]
-
Shi Yu Dong wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
According to researchers from the cybersecurity firm Proofpoint, they recently discovered a large-scale malvertising campaign that exposed millions of internet users in the United States, Canada, the UK and […]
-
I think this is a pretty interesting article but also very scary. I saw some analytical data on Reddit at one point that p0rnhub has a crazy amount of hits in any given day. This being the case, something like this could be a huge problem even if 1% of the people who go to the site will go along with it.
-
-
Richard Mu wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
Security researcher Will Strafach had found that the Uber app has been selectively allowed to use its screen recording API on Apple Watch in order to improve its performance. The screen recording API that has […]
-
What a scary security flaw – as a mobile user with different apps on the phone, I’m always wary about which one is accessing my personal info when it’s not in use. I’m glad Uber decided to investigate it and fix it before they were compromised. But now it makes one worried about what other apps are doing this.
-
Richard,
I am not really a big fan of the Uber company. I don’t believe that they operate their business ethically, and your post makes me dislike this company even more. However, there are so many companies that track our lives just because we use their apps. It is very scary, as Neil said, to give someone permission, using your own finger, to have access to your life and know exactly your daily activities, which can be very private, especially if you exchange sensitive information with other people using your phone.
This company has a very bad history regarding its operations, and I think your post will help to show how much this company doesn’t treat its customers fairly.
Thank you for the article Richard.
-
-
Richard Mu wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
Cyber security researchers at CyberArk created an attack which they call Illusion Attack. In developing their own custom SMB server, they were able to trick Windows Defender into scanning a benign file and […]
-
Shi Yu Dong wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
According to the article, it describes that researchers from security firm Duo Labs analyzed over 73,000 Mac systems and discovered that a surprising number of Apple Mac computers either fail to install […]
-
Shi Yu Dong wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 2 months ago
A new email scam is targeting Netflix users in order to obtain access to their bank account information. According to the article, Netflix customers have received a fake email that appears to come from […]
-
Richard Mu wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 3 months ago
Similar to the Viacom leak that happened earlier this week, Kromtech Security Center discovered a misconfigured Amazon Web Server (AWS) S3 cloud storage that was left accessible to the public. The AWS contained […]
-
Rich,
A data hack exposing social engineering type information…
It would be a great thing to know if an “Influencer” (Someone who is admired by several people) was going to be somewhere and when. This could lead to a crazy stalker, potential blackmail information, or disastrous terror attacks on high profile people who use the SVR service.
Here is what we should have learned… AWS is an easy to use (configure) and cost-effective solution, but… the ease of use and number of users make it a prime target for criminals. The platform’s vulnerabilities are known and searched for by criminals. Many times the data they find is not very valuable, but they may get lucky when a small company stores more valuable data on a server poorly configured by a friend, relative, or inexperienced IT person.
-
Richard,
Thank you for such an article. This type of information leakage is worse than losing some other sensitive information such as full names and addresses. I am saying this because the attackers who were able to get this important information, which includes logs of all these vehicles' stops, would be able to know the daily activities and stops of more than 540,000 people who use this service. This is very dangerous since they would be able to determine where these people physically go every day. I feel these people can be at risk of being attacked physically by thieves.
On the other hand, technically, the locations of these 450,000 vehicles which are registered under these accounts can be defined and stolen easily, with the ability to delete all these logs as well as deactivate the tracking devices.
-
-
Shi Yu Dong wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 3 months ago
My article is about how an undocumented Microsoft Office feature allows attackers to gather sensitive configuration details on targeted systems simply by tricking recipients to open a specially crafted Word […]
-
Richard Mu wrote a new post on the site ITACS 5211: Introduction to Ethical Hacking 7 years, 3 months ago
CCleaner, a popular maintenance and file clean-up software, was found to have been compromised with a backdoor application. Piriform, the developers of CCleaner, announced on September 18 that CCleaner version […]
-
Richard-
Interesting article, and one of concern for me because I used CCleaner in the past. If I read these articles right one of their hosts was compromised… I wonder what sort of vetting process is used to make sure your host is legit, and has good security of their own. Thanks for posting this!
Fraser
-
I just posted the Time article about this before I saw your post. It caught my eye because I also use CCleaner and will be updating it today. I’m curious to know what broke down in their internal controls to allow the modified version to be the one released to the public. They should have had multiple levels of testing and approval prior to release. I wonder if it was modified in the short time between the final go-live approval and release, or if it happened during that testing/approval process and wasn’t caught then.
-
Although this wasn’t necessarily the case, my first instinct looking at this is that it was likely the act of an insider, or was done with the assistance of an insider. This is a great example of why detailed logs and documentation are so important. It will likely be a lengthy and meticulous process, but a detailed investigation of the logs may be the only way to determine how this happened and who is responsible for it.
-
Definitely a really interesting and clear example of a supply chain attack. Like Matt said, if it wasn’t an insider, there is a serious compromise in Avast’s SDLC. It’s good only one version was affected, so downgrading or upgrading will fix the issue, but with 2.27 million version downloads since August, this malware is still very widespread.
It is pretty impressive.
-
Richard,
I did read an article that is related to your post and talks about CCleaner. According to that article, CCleaner comes in two different versions, a version you have to purchase and a free one. After this security problem, the company was able to develop an update exclusively for the pay version. This is a big problem for the people who use the free version, who don’t know that their data is at risk. I am just wondering why there is no update for the free version.
Anyway, thanks for posting this article that covers a different area of this software (CCleaner) security issue.
-
-
Richard,
Thanks for sharing your views on this article. Hard-coding keys has been a threat for a long time now, not only with respect to VPN, but also with online banking, payment systems, and credit cards. With the new cryptographic vulnerability of the DUHK, it would be interesting to see how much this can be prevented in the shortest time possible. These attacks can be extremely dangerous, as you mentioned, because they can cause man-in-the-middle attacks to leak the current session state of users who are connected to the VPN network.