    21-year-old tells WSJ he was behind massive T-Mobile hack

    A 21-year-old Virginia native living in Turkey has admitted to being the main force behind the massive T-Mobile hack that exposed the sensitive information of more than 50 million people.

    John Binns was originally identified as the possible culprit by Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock.

    On Twitter earlier this month, Gal shared a message he received from Binns. “The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019,” the hacker allegedly told Gal. “We did it to harm US infrastructure,” Binns allegedly told Gal at the time.

    Binns has now spoken out publicly in an interview with the Wall Street Journal, telling the newspaper he was in fact behind the attack and conducted it from his home in Izmir, Turkey, where he lives with his mother. His father, who died when he was two, was American and his mother is Turkish. They moved back to Turkey when Binns was 18.

    Through Telegram, Binns provided evidence to the Wall Street Journal proving he was behind the T-Mobile attack and told reporters that he originally gained access to T-Mobile’s network through an unprotected router in July. According to the Wall Street Journal, he had been searching for gaps in T-Mobile’s defenses through its internet addresses and gained access to a data center near East Wenatchee, Washington, where he could explore more than 100 of the company’s servers. From there, it took about one week to gain access to the servers that contained the personal data of millions. By August 4 he had stolen millions of files.

    “I was panicking because I had access to something big. Their security is awful,” Binns told the Wall Street Journal. “Generating noise was one goal.”

    He would not confirm if the data he stole has already been sold or if someone else paid him to hack into T-Mobile. While Binns did not explicitly say he worked with others on the attack, he did admit that he needed help in acquiring login credentials for databases inside T-Mobile’s systems. The Wall Street Journal story also noted that T-Mobile was initially notified of the breach by a cybersecurity company called Unit221B LLC, which said their customer data was being marketed on the dark web.

    Binns repeated his assertion that the attack was done because he was angry about how he was treated by US law enforcement agencies in recent years. Binns filed a lawsuit against the FBI, CIA and Justice Department in November where he said he was being investigated for various cybercrimes, including participation in the Satori botnet conspiracy. In the lawsuit, he said he had been tortured and spied on for being an alleged member of the Islamic State militant group. He denied being a member of the group in his lawsuit.

    He repeated his claims that he had been abducted in both Germany and Turkey and unfairly placed in a mental institution against his will by US law enforcement agencies. “I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he explained in his messages to the Wall Street Journal.

    T-Mobile did not respond to requests for comment but released a statement last week confirming that the names, dates of birth, SSNs, driver’s licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach.

    Another 40 million former or prospective customers had their names, dates of birth, SSNs and driver’s licenses leaked. More than 5 million “current postpaid customer accounts” also had information like names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed. T-Mobile said another 667,000 accounts of former T-Mobile customers had their information stolen alongside a group of 850,000 active T-Mobile prepaid customers, whose names, phone numbers and account PINs were exposed. The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile. The telecom giant, which is the second largest in the US behind Verizon, is offering victims two years of free identity protection services with McAfee’s ID Theft Protection Service.

    Chinese developers expose data belonging to Android gamers

    The Chinese developers of popular Android gaming apps exposed information belonging to users through an unsecured server.

    In a report shared with ZDNet, vpnMentor’s cybersecurity team, led by Noam Rotem and Ran Locar, revealed EskyFun as the owner of a 134GB server exposed and made public online. EskyFun is the developer of Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M. On Thursday, the team said that users of the following games were involved in the data leak: Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok. Together, they account for over 1.6 million downloads.

    In total, the team said that an alleged 365,630,387 records contained data from June 2021 onward, leaking user data collected on a seven-day rolling system. The team says that the developers impose “aggressive and deeply troubling tracking, analytics, and permissions settings” when their software is downloaded and installed, and as a result, the variety of data collected was, perhaps, far more than you would expect mobile games to require.

    The records included IP and IMEI numbers, device information, phone numbers, the OS in use, mobile device event logs, whether or not a handset was rooted, game purchase and transaction reports, email addresses, EskyFun account passwords stored in plaintext, and support requests, among other data.
    vpnMentor suspects that up to, or more than, one million users may have had their information exposed. The unsecured server was discovered on July 5 and EskyFun was contacted two days later. However, after receiving no response, vpnMentor made a second attempt on July 27. Continued silence required the team to also reach out to Hong Kong CERT and the server was secured on July 28.

    “Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users,” the researchers commented. “Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse.”

    ZDNet has reached out to EskyFun and we will update when we hear back.

    Cloud storage deal: Get 2TB of storage with end-to-end encryption for only $10

    With the frequency and severity of cyber threats increasing practically by the day, it’s become more important than ever to put strong measures in place to protect your privacy and your most confidential data. The most effective way to do this is to protect yourself online with an excellent VPN, and protect the files on your computer with encrypted cloud storage such as Internxt Drive offers. Since both of those services are ridiculously inexpensive, there is no excuse for leaving you and your data vulnerable.

    The Internxt – 2TB Decentralized Cloud Storage: 1-Year Subscription that is currently available for just $9.99 offers zero-knowledge decentralized cloud storage with end-to-end encryption that provides uncompromising security. It encrypts your uploaded files and then divides them into fragments on your end so that you’re the only one with the decryption key that is required to retrieve them.

    However, in spite of its complex power, Internxt is very easy to use. The user interface is quite intuitive and the service is convenient to access. An app is available for all of your devices, including desktop and browser, as well as Android and iOS mobile devices.

    Also, while your files are supremely protected, sharing them is still a simple matter. Internxt Drive users can share their data over other cloud storage services such as Dropbox, Google Drive, Apple iCloud, and Microsoft OneDrive. That makes it easy for teams to privately collaborate with customized features and user-to-user solutions.

    If you want truly private and secure cloud storage, it’s hard to beat what Internxt offers, especially when you can get a year’s subscription at a discount. As TechRadar notes: “Unlike popular cloud storage services like Google Drive, Dropbox, and Microsoft OneDrive, Internxt is a zero-knowledge file storage service that supports end-to-end encryption.”

    Don’t pass up this chance to enjoy the peace of mind that a vast amount of high-security storage can offer. Get Internxt – 2TB Decentralized Cloud Storage: 1-Year Subscription while it’s on sale for just $9.99, instead of the normal price of $126.

    Data protection: UK to diverge from GDPR in post-Brexit overhaul of privacy rules

    The UK has announced plans to change data protection and privacy laws in what the government describes as a new mandate that promotes innovation and economic growth.

    A new series of ‘data adequacy partnerships’ will allow Britain to drive international trade with countries and bodies including the United States, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia, the Department for Digital, Culture, Media & Sport (DCMS) has said.

    According to the government, the data adequacy partnerships will remove the need for costly measures around data compliance when transferring personal data to other countries. In a statement, DCMS said this will happen while also ensuring that “high data protection standards are maintained”.

    Any changes to data transfer rules will also need to be deemed adequate by the European Union — if they’re not, there’s a risk that data transfers between the United Kingdom and the EU will be affected.

    The proposed changes form part of the government’s plans to “use the power of data to drive growth and create jobs”, although some data privacy experts have voiced concerns that the changes could be used to roll back data privacy for consumers brought in as part of General Data Protection Regulation (GDPR). GDPR was brought in across the European Union in May 2018, and despite the UK having voted to leave the EU, the data protection laws were applied. But now the government claims that, following Brexit, the country can benefit from diverging its data protection laws from the rest of Europe. “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy,” said Secretary of State for Digital, Culture Media and Sport Oliver Dowden.

    “It means reforming our own data laws so that they’re based on common sense, not box-ticking,” he added.

    In an interview with The Telegraph, Dowden singled out policies around “pointless” cookie requests as something the UK could now diverge from — but several data privacy experts have pointed out that cookies come under a completely different directive to GDPR.

    Data privacy experts have also voiced concerns that the proposed plans will change the role of the Information Commissioner’s Office (ICO) from being a privacy regulator to promoting economic growth.

    A DCMS spokesperson told ZDNet “we’re not going to compromise our high data standards and people’s privacy and data protection”.

    The government is set to launch a consultation on the role of the ICO in September so that “it can be empowered to encourage the responsible use of data to achieve economic and social goals as well as preventing privacy breaches before they occur”.

    DCMS has also announced a preferred successor to Elizabeth Denham as Information Commissioner: John Edwards, who is currently New Zealand’s Privacy Commissioner. “There is a great opportunity to build on the wonderful work already done and I look forward to the challenge of steering the organisation and the British economy into a position of international leadership in the safe and trusted use of data for the benefit of all,” said Edwards. According to Oliver Dowden, Edwards brings the experience required to “pursue a new era of data-driven growth and innovation at the ICO”. “John Edwards’s vast experience makes him the ideal candidate to ensure data is used responsibly to achieve those goals,” Dowden added.

    Cybersecurity warning: Realtek flaw exposes dozens of brands to supply chain attacks

    A recently disclosed flaw in chipsets from Taiwanese semiconductor company Realtek is being targeted by a botnet based on the old IoT malware, Mirai.

    German security firm IoT Inspector reports that the Realtek bug, tracked as CVE-2021-35395, affects over 200 wi-fi and router products from 65 vendors, including Asus, Belkin, China Mobile, Compal, D-Link, LG, Logitec, Netgear, ZTE, and Zyxel. The flaw is located in a Realtek software developer kit (SDK) and is currently under attack from a group using a variant of the IoT malware, Mirai, which is designed to function on devices with budget processors and little memory.

    Should an attack be successful, it would give the attacker full control of the wi-fi module and root access to the device’s operating system.

    The attacks highlight vulnerabilities in the software supply chain that US president Joe Biden hopes to patch up with billions of dollars promised this week by Microsoft and Google. This follows recent cyberattacks on US critical infrastructure, which have compromised top US cybersecurity firms and classical critical infrastructure providers, such as east coast fuel distributor Colonial Pipeline.

    While Mirai poses some threat to information stored on devices such as routers, the greater damage is caused by high-powered distributed denial of service (DDoS) attacks on websites using compromised devices. In 2016, Mirai was used to launch the world’s biggest DDoS attack on Dyn — a domain name service (DNS) provider that matches website names with numerical internet addresses. Oracle acquired the firm shortly after the Mirai attack.

    Researchers at IoT Inspector found a bug within the Realtek RTL819xD module that allows hackers to gain “complete access to the device, installed operating systems and other network devices”. The firm identified multiple vulnerabilities within the SDK.

    Realtek has released a patch, but device brands (OEMs) need to distribute it to end-users on devices that, for the most part, lack a user interface, and therefore can’t be used to communicate that a patch is available. Vendors need to analyse their firmware to check for the presence of the vulnerability. “Manufacturers using vulnerable Wi-Fi modules are strongly encouraged to check their devices and provide security patches to their users,” warned Florian Lukavsky, managing director of IoT Inspector.

    The attacker generally needs to be on the same wi-fi network as the vulnerable device, but IoT Inspector noted that faulty ISP configurations can expose vulnerable devices directly to the internet. Per security firm Recorded Future, IoT security firm SAM said that attackers were observed remotely exploiting CVE-2021-35395 over the web on August 18.

    IoT Inspector notes that Realtek’s poor software development practices and lack of testing allowed “dozens of critical security issues to remain untouched in Realtek’s codebase for more than a decade”.

    Quantum computers could read all your encrypted data. This 'quantum-safe' VPN aims to stop that

    To protect our private communications from future attacks by quantum computers, Verizon is trialing the use of next-generation cryptography keys to protect the virtual private networks (VPNs) that are used every day by companies around the world to prevent hacking. Verizon implemented what it describes as a “quantum-safe” VPN between one of the company’s labs in London in the UK and a US-based center in Ashburn, Virginia, using encryption keys that were generated thanks to post-quantum cryptography methods – meaning that they are robust enough to withstand attacks from a quantum computer. According to Verizon, the trial successfully demonstrated that it is possible to replace current security processes with protocols that are quantum-proof.  VPNs are a common security tool used to protect connections made over the internet, by creating a private network from a public internet connection. When a user browses the web with a VPN, all of their data is redirected through a specifically configured remote server run by the VPN host, which acts as a filter that encrypts the information.

    This means that the user’s IP address and any of their online activities, from sending emails to paying bills, come out as gibberish to potential hackers – even on insecure networks like public WiFi, where eavesdropping is much easier. Especially in the last few months, which have seen many employees switching to full-time working from home, VPNs have become an increasingly popular tool to ensure privacy and security on the internet. The technology, however, is based on cryptography protocols that are not un-hackable. To encrypt data, VPN hosts use encryption keys that are generated by well-established algorithms such as RSA (Rivest–Shamir–Adleman). The difficulty of cracking the key, and therefore of reading the data, is directly linked to the algorithm’s ability to create as complicated a key as possible.  

    In other words, encryption protocols as we know them are essentially a huge math problem for hackers to solve. With existing computers, cracking the equation is extremely difficult, which is why VPNs, for now, are still a secure solution. But quantum computers are expected to bring about huge amounts of extra computing power – and with that, the ability to hack any cryptography key in minutes. “A lot of secure communications rely on algorithms which have been very successful in offering secure cryptography keys for decades,” Venkata Josyula, the director of technology at Verizon, tells ZDNet. “But there is enough research out there saying that these can be broken when there is a quantum computer available at a certain capacity. When that is available, you want to be protecting your entire VPN infrastructure.” One approach that researchers are working on consists of developing algorithms that can generate keys that are too difficult to hack, even with a quantum computer. This area of research is known as post-quantum cryptography, and is particularly sought after by governments around the world. In the US, for example, the National Institute of Standards and Technology (NIST) launched a global research effort in 2016 calling on researchers to submit ideas for algorithms that would be less susceptible to a quantum attack. A few months ago, the organization selected a group of 15 algorithms that showed the most promise. “NIST is leading a standardization process, but we didn’t want to wait for that to be complete because getting cryptography to change across the globe is a pretty daunting task,” says Josyula. 
    “It could take 10 or even 20 years, so we wanted to get into this early to figure out the implications.”

    Verizon has significant amounts of VPN infrastructure and the company sells VPN products, which is why the team started investigating how to start enabling post-quantum cryptography right now and in existing services, Josyula adds.

    One of the 15 algorithms identified by NIST, called Saber, was selected for the test. Saber generated quantum-safe cryptography keys that were delivered to the endpoints – in London and Ashburn – of a typical IPsec VPN through an extra layer of infrastructure, which was provided by a third-party vendor. Whether Saber makes it to the final rounds of NIST’s standardization process, in this case, doesn’t matter, explains Josyula. “We tried Saber here, but we will be trying others. We are able to switch from one algorithm to the other. We want to have that flexibility, to be able to adapt in line with the process of standardization.”

    In other words, Verizon’s test has shown that it is possible to implement post-quantum cryptography candidates on infrastructure links now, with the ability to migrate as needed between different candidates for quantum-proof algorithms. This is important because, although a large-scale quantum computer could be more than a decade away, there is still a chance that the data that is currently encrypted with existing cryptography protocols is at risk.

    The threat is known as “harvest now, decrypt later” and refers to the possibility that hackers could collect huge amounts of encrypted data and sit on it while they wait for a quantum computer to come along that could read all the information.

    “If it’s your Amazon shopping cart, you may not care if someone gets to see it in ten years,” says Josyula. “But you can extend this to your bank account, personal number, and all the way to government secrets. It’s about how far into the future you see value for the data that you own – and some of these have very long lifetimes.”

    For this type of data, it is important to start thinking about long-term security now, which includes the risk posed by quantum computers. A quantum-safe VPN could be a good start – even though, as Josyula explains, many elements still need to be smoothed out. For example, Verizon still relied on standard mechanisms in its trial to deliver quantum-proof keys to the VPN end-points. This might be a sticking point, if it turns out that this phase of the process is not invulnerable to quantum attack. The idea, however, is to take proactive steps to prepare, instead of waiting for the worst-case scenario to happen. Connecting London to Ashburn was a first step, and Verizon is now looking at extending its quantum-safe VPN to other locations.

    PJCIS recommends passage of Bill that will allow incidental collection of Australian data

    In less than a week, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has conducted a review into the Foreign Intelligence Legislation Amendment Bill that will allow for the practice of incidentally collecting the data of Australians, and recommended it be passed.

    The Telecommunications Interception and Access Act (TIA Act) previously banned the practice, but the government and its security agencies have argued that Australia has been falling behind foreign agencies. “The challenge with the existing foreign communications warrant is that the interception of domestic communications (communications that both start and end within Australia) is prohibited, even where that interception is inadvertent or unavoidable,” the PJCIS report said.

    The report said this approach made sense when interception warrants were introduced in 2000, and the main ways to communicate were telephone and fax lines, which had “reliable geographic identifiers such as country code, city code and exchange code”, but the use of the internet has changed that environment. “Advances in technology — particularly widespread use of internet‑based communications and mobile applications — mean that it can be impossible to know, at the point of interception, if a communication is foreign or domestic,” the report added. “Currently, to avoid breaching the TIA Act, intelligence agencies do not intercept foreign communications where there is even the smallest risk of incidentally intercepting domestic communications. This considerable constraint on the collection of foreign intelligence is creating the real risk that intelligence agencies are missing critical foreign intelligence.”

    The committee argued the changes would be accompanied by a set of “robust safeguards” including warrants only being able to be issued for obtaining foreign intelligence from foreign communications, the warrant request having to specify the risk of intercepting domestic data, as well as having the Attorney-General create a mandatory written procedure that will cover screening domestic communications, destroying all domestic records captured, and agencies alerting the Inspector‑General of Intelligence and Security (IGIS) when domestic data is captured.

    The one loophole for keeping domestic data will be when a communication “relates, or appears to relate” to circumstances that involve a “significant risk to a person’s life”. “Only in the exceptional circumstance where there is a significant risk to life will intelligence agencies be able to rely on inadvertently intercepted domestic communications. This exception will ensure Australia’s intelligence agencies can respond to, for example, an imminent terrorist attack,” the report said.

    Prior to the Attorney-General creating or modifying the procedure, they must consult with the Foreign Minister, Defence Minister, IGIS, and the head of ASIO. “The Attorney‑General must review the mandatory procedure as soon as practicable within one year of it being issued, and then every 3 years,” the report said.

    The Bill also includes powers allowing the Attorney-General to issue foreign intelligence warrants to collect “foreign intelligence on Australians in Australia who are acting for, or on behalf of, a foreign power”. This practice is also currently banned. “These amendments will close a legislative gap where foreign intelligence can be collected offshore on an Australian working for a foreign power, but that same intelligence cannot be collected inside Australia on that Australian under a warrant,” the report said. “There are circumstances where Australian citizens and permanent residents are of legitimate foreign intelligence interest. For example, where an Australian citizen is acting as an agent of a foreign state.”

    The committee said during its inquiry it had been assured that non-compliance would be reported to IGIS, and recommended the Bill be amended so that the PJCIS would also be informed about changes to the procedure, and the committee could review the Bill within five years of it receiving assent. “The committee notes that this Bill aligns Australia with the Five Eyes community but with a stronger set of safeguards,” it said. “These are not powers that the Parliament provides lightly and the committee sees its role in reviewing the provision of such powers as one of its most important functions.”

    The Bill was referred to the PJCIS on Friday, and the committee handed down its report on Wednesday after a single classified hearing. “It is not ordinarily the preference of the committee to conduct private inquiries nor to do so on an expedited basis,” it wrote. “The committee only agreed to in this instance because of the unique circumstances of this bill and the additional risks to Parliamentary sittings caused by the current COVID outbreaks.”

    At the time of writing, the Bill had cleared the House with amendments and was in its second reading in the Senate. On Wednesday, the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 cleared Parliament, and hands new powers to the Australian Federal Police and the Australian Criminal Intelligence Commission that would allow them to modify, add, copy, or delete data when dealing with online crime. The new powers have a sunset clause of five years.

    US gives Huawei licence approval to buy automotive chips: Report

    Huawei has reportedly received licence approval from the United States to buy chips for the auto component portion of its business. According to Reuters, the United States has granted licences authorising suppliers to sell chips to Huawei for vehicle components, such as video screens and sensors. The licence approval from the United States is a shift from its usual position in relation to Huawei. The Chinese technology giant was added to the US entity list in 2019, which banned US companies from selling goods and technology to the company without special licences from government.

    The US then added further restrictions last year, banning overseas companies from selling chips to Huawei if they contained US equipment.

    During this time, the US has also rallied other countries to exclude Huawei from their 5G networks over spying concerns. Despite Huawei repeatedly denying the allegations, Australia, Sweden, and the UK, among other countries, have banned the networking equipment giant from their 5G networks. All of Canada’s major telcos have also gone elsewhere for their 5G rollouts and, although not officially banned, Huawei has not made any inroads in New Zealand after GCSB prevented Spark from using Huawei kit in November 2018.

    In the face of these restrictions, Huawei reported a steep decline in its first-half revenue for 2021, with its business to the end of June reporting 320 billion yuan in sales, compared to 454 billion yuan at this time last year.

    Automotive manufacturers have struggled to produce cars since the pandemic started due to chip shortages, with some countries’ car production being halved during that period. Ford, for example, lost around 700,00 vehicles that were planned for production in the second quarter of 2021, while General Motors has stated that losses caused by the lack of semiconductors could cost up to $2 billion in profit.