
🎓️ Vulnerable U | #056 - 70+ Million AT&T Customers Data Leaked

AT&T denies data breach but researchers think it's legitimate data, Apex Legends Hack, Glassdoor attached real names to anon accounts, Car privacy vs. insurance, Millions of hotel doors can be hacked open

Read Time: 7 minutes

Howdy from New Orleans!

This is my first time here, even though I’ve been all over Louisiana. One of my first pentest gigs sent me from Baton Rouge to Monroe and Lafayette. I even had to go to a town called Napoleonville, and this was pre-smartphones, so I had the rental car's TomTom send me through a sugar cane field, and I almost hit a cow. This NYC boy was out of his element.

Anyway. Cool city. My Twitter thread asking for recommendations got a bunch if you’re looking for some NOLA plans. Already tried some of the food on this list and A+. The WW2 museum is top-notch, probably the 2nd best museum I’ve ever been to. Even saw an Enigma machine, which is always cool as part of the birth of our industry.

ICYMI

🖊️ Something I wrote: I think Rich Mogull is killing it. He’s giving away tens of thousands of dollars of cloud security training for free in his publication Cloud SLAW (Security Lab A Week)

🎧️ Something I heard: The latest of my friends over at the Critical Thinking podcast who had the legend Jhaddix on this week

🎤 Something I said: SIM Swappers are migrating their tactics to target eSIMs

🔖 Something I read: My good friend Will Bengston wrote a book! And he was nice enough to offer the Vuln U readers a discount code (I don’t get a kickback here, just a straight discount to you) - The Security Path is a book to help in cybersecurity careers. - 40% discount code - “vulnu”

“With real-world examples and expert insights from interviews with current practitioners in the industry, whether you want to be a penetration tester, blue team member, or security architect, we hope that "The Security Path" will be your trusted companion on your journey through the world of security.”

Vulnerable News

~73 million records for sale on the dark web. The seller claims they’re from AT&T. This data breach happened in 2021, and AT&T denied they were breached. Now the data has surfaced for sale, supposedly… AT&T is still denying they’re the source of the data! But upon first glance from anyone who has tried to validate, the data looks legit.

Troy Hunt of Have I Been Pwned and Bleeping Computer both say the data they’ve looked at is validated and not scrapable. I’ve even seen reports of others who looked at the data and found their email address in the pile, and it was an email they only use with AT&T. (read more)


It's not every day you hear people throwing around terms like “RCE” in the mainstream. During a live-streamed professional Apex Legends tournament, some of the players started yelling, “I’m hacked! I’m cheating!” but they weren’t doing it on purpose. All of a sudden their games were showing them all their enemies through the walls and aiming for them with an aimbot. For about a day, the community was pointing fingers at Apex Legends or at the anti-cheat program “Easy Anti Cheat" (EAC) for having a vulnerability.

Pretty quickly, the hacker came out and talked to some TechCrunch reporters and said some pretty interesting things. They announced they would’ve used a bug bounty program if one had existed, but since it didn’t, they wanted to get attention on the bug to get it fixed. The bug was in Apex Legends itself, and they were never on the players’ computers outside of the game process. Also go check out John Hammond chatting on PirateSoftware’s stream about this. (read more)

I’ve seen this type of research before, and it’s always cool because it is so widespread. I remember the SpiderLabs guys making a highlighter-pen-type device that could unlock hotel doors. This latest research was presented at Black Hat, but we had no details since the flaws weren’t patched. The researchers also stated, “Well, these bugs have existed with no known exploitation for over 30 years.” Still, they disclosed to the vendor first and are only letting the details out now.

I also want to praise Wired and the subsequent articles on this one for not biting at the Flipper Zero bait, since, yes, a Flipper could in fact be programmed to act as a master key using this vulnerability. (read more)

A privacy nightmare is emerging at Glassdoor. The job review site that made a name for itself by offering a way for employees to anonymously review their employers has started associating people’s real names with their accounts, whether they like it or not. Don’t get too scared, it's not like the names are immediately public on any old scathing review you might’ve written. But as some users are pointing out, that doesn’t stop the reviews from being associated with your real name and attributed to you in the case of a data breach or a lawsuit where the backend data is made public.

It seems Glassdoor automatically associates real names with accounts whenever and however they can find that info out, including if you emailed their support team from your personal email. Folks are even pointing out they’re worried that if you close your account, it just deactivates it. You have to submit a request for them to delete your information in a special form if you want to be safe from your reviews leaking in a breach or lawsuit. (read more)

I’ve heard about insurance companies allowing you to opt into having a device that monitors your mileage. I’ve heard of self-reporting info for discounts and such, but that is not what is going on here. People are reporting their insurance rates skyrocketing, and the culprit is their cars snitching on them about any poor driving habits like sharp braking or speeding.

This seems to be tied to OnStar systems for the time being, but it is a rough precedent to set, and if it keeps up, I’m sure it’ll be universal. This gets closer to the kind of monitoring other countries do with their social credit scores to make sure behavior is in line. Just seems to be using a financial insurance avenue here. (read more)

The difference between journalists and folks like me who are just loud on the Internet is the standards they hold themselves to in verifying the claims they make. Here is a look behind the curtain at how TechCrunch verifies data breach claims.

The article shares insights on how they go about authenticating data sets and offers examples from past breaches, such as StockX and 23andMe, detailing the investigative steps taken to confirm their authenticity. (read more)

Bob Lord Linkedin Post: I just read an article that is a “greatest hits” list of misinformation and fear mongering about computer security.

Bob is one of my north stars of sanity in this industry. He’s been the CISO of both Twitter and the DNC, knows his stuff, and is a constant cheerleader for common sense in cybersecurity. He often talks about FIDO2 and his use of public WiFi. I often reference the checklist he put out when he was with the DNC for folks who ask me for advice on protecting themselves.

In this LinkedIn post, Bob points out some things in this Wall Street Journal article that are either ancient advice or just plain wrong. (read more)

This is a great video going over this blog post - https://samcurry.net/web-hackers-vs-the-auto-industry/

We covered some of this when it dropped a few months back, but there are updates. Either way, it is always interesting when car hacking research drops.

Check the video and the report to see what they found! (read more)

Runa makes a great short point here. Google’s Advanced Protection Program is an awesome way to level up the phishing protection on your account. It is a way for higher-risk individuals to enforce hardware auth like Yubikeys on their accounts. More importantly, it limits the effectiveness of SMS as an account recovery (re: takeover) method. SMS is a major weakness in account ownership flows, especially for highly targeted individuals who can be easily SIM-swapped.

Runa states that Google's limited promotion of Advanced Protection undercuts its potential, leaving many potential beneficiaries, like activists and journalists, unaware of its availability. This lack of visibility is a missed opportunity to enhance the security of those most at risk. (read more)

Krebs on Security uncovers a network of shady people-search websites tied to China, using fabricated identities to promote services like TruePeopleSearch and FastPeopleSearch. His investigations reveal stock images for profiles, suggesting a complex web of fake identities and companies, likely aimed at generating affiliate commissions via established people-finder services like Spokeo. Interesting to see how intricate all the fake profiles are and how they interact to try to improve their legitimacy. (read more)

I’m cautiously optimistic on this one. We’ve long talked about shifting left as an industry, and that used to mean trying to find vulnerabilities earlier in the development lifecycle. But as we’ve matured as an industry, it has actually shown us that shifting left means improving the developer experience to include security as a default where possible—not just shifting where you play vulnerability whack-a-mole.

GitHub is better positioned than anyone to bake security into the default developer experience. All of the best AppSec vendors of the last 5 years can’t get away without having a GitHub integration for this reason.

General-purpose SAST scanning has been around forever and is fraught with false positives and false negatives that have made it difficult for all but the most well-funded security teams to make use of. Modern players like CodeQL and Semgrep provide powerful engines for security engineers to find vulnerabilities in code but still struggle with the legacy SAST issues. With an AI enhancement from GitHub Copilot, we could see the usefulness of these tools increase even for teams that generally fall below the security poverty line.

The danger here is that AI can hallucinate and produce vulnerable code just as readily as it can find vulnerabilities to fix. This should continue to get better as LLMs train on better sources and get more accurate and advanced. (read more)

Glad Flipper Zero came out to respond to this one. “We believe that proposals like this are harmful to security and slow down technological progress. They are usually made by those who do not really understand how security works and will do nothing to solve the car theft problem. In this post, we’ll explain why banning Flipper Zero instead of fixing security threats is not the solution.” - Hard to argue with them here. (read more)

Miscellaneous mattjay

@thedailyshow

What Jon learned while he was away #DailyShow #JonStewart

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay