New Bluetooth Hack Affects Millions of Devices from Major Vendors


A highly critical cryptographic vulnerability has been found affecting some Bluetooth implementations that could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange.

The Bluetooth hacking vulnerability, tracked as CVE-2018-5383, affects firmware or operating system software drivers from some major vendors including Apple, Broadcom, Intel, and Qualcomm, while the implications of the bug for Google, Android and Linux are still unknown.

The security vulnerability is related to two Bluetooth features—Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software, and BR/EDR implementations of Secure Simple Pairing in device firmware.

How the Bluetooth Hack Works

Researchers from the Israel Institute of Technology discovered that the Bluetooth specification recommends, but does not mandate, that devices supporting the two features validate the public encryption key received over the air during secure pairing.

Since this validation is optional in the specification, some vendors' Bluetooth products supporting the two features do not sufficiently validate the elliptic curve parameters of the public keys exchanged during the Diffie-Hellman key exchange.

In this case, an unauthenticated, remote attacker within the range of targeted devices during the pairing process can launch a man-in-the-middle attack to obtain the cryptographic key used by the device, allowing them to potentially snoop on supposedly encrypted device communication to steal data going over-the-air, and inject malware.

"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure."

"The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful."

On Monday, CERT/CC also released a security advisory, which includes additional technical details about the Bluetooth vulnerability and attack method.

According to the CERT/CC, Bluetooth makes use of a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices.
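The defensive counterpart of the issue described above is full public-key validation before an ECDH public key is used. The following is an added example written for this article, not code from the Bluetooth SIG, CERT/CC or any affected vendor: a minimal P-256 implementation (the curve LE Secure Connections pairs on) whose key-agreement routine refuses a peer key that is the point at infinity, has coordinates outside the field, or does not lie on the curve. The checks follow the full validation procedure in NIST SP 800-56A; the key pair, the "tampered" key with its y coordinate replaced by 0, and all helper names are constructed for the example.

```python
import secrets

# NIST P-256 domain parameters; LE Secure Connections pairs on this curve.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
# None represents the point at infinity (the group identity).


def is_on_curve(point):
    """True when y^2 == x^3 + A*x + B (mod P) holds for the point."""
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition / doubling (teaching code, not constant-time)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p1 == -p2, or doubling a point with y == 0
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add; returns None when the result is the point at infinity."""
    result = None
    while k > 0:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def validate_public_key(point):
    """Full public-key validation (NIST SP 800-56A Rev. 3, 5.6.2.3.3).
    Returns (True, 'ok') or (False, reason)."""
    if point is None:
        return False, "point at infinity"
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate out of field range"
    if not is_on_curve(point):
        return False, "point is not on the curve"
    # P-256 has cofactor 1, so an on-curve point already has order N; the
    # explicit order check is what the general procedure requires.
    if scalar_mult(N, point) is not None:
        return False, "point does not have order N"
    return True, "ok"


def generate_keypair():
    """Constructed example key pair: private scalar in [1, N-1] and its public point."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def ecdh_shared_secret(private_scalar, peer_public):
    """Validate the peer's public key before combining it with our secret scalar."""
    ok, reason = validate_public_key(peer_public)
    if not ok:
        raise ValueError(f"rejecting peer public key: {reason}")
    x, _ = scalar_mult(private_scalar, peer_public)
    return x


if __name__ == "__main__":
    d_a, pub_a = generate_keypair()
    d_b, pub_b = generate_keypair()
    assert ecdh_shared_secret(d_a, pub_b) == ecdh_shared_secret(d_b, pub_a)
    # A key whose y coordinate was altered in transit is off the curve and must
    # be rejected instead of being fed into the shared-secret computation.
    tampered = (pub_b[0], 0)
    print(validate_public_key(tampered))  # (False, 'point is not on the curve')
```

An implementation that only checks the x coordinate, or skips validation altogether, would compute a shared secret from the tampered point; the on-curve check is the single line that closes that gap, and it costs one field equation per pairing.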

Stop Bluetooth Hacking—Install Patches from Vendors

To fix the issue, the Bluetooth SIG has now updated the Bluetooth specification to require products to validate public keys received as part of public key-based security procedures.

Moreover, the organization has also added testing for this vulnerability within its Bluetooth Qualification Process.

The CERT/CC says patches are needed both in firmware or operating system software drivers, which should be obtained from vendors and developers of the affected products, and installed—if at all possible.

Is Cloud Storage Safe for Small Businesses?


Many small businesses are opting for cloud storage solutions rather than having their own server in-house. But this has led some business owners to wonder whether these services are safe.

Thankfully, as cloud storage has been around for a number of years, there are a multitude of organizations successfully using cloud storage as a safe and secure way to store their data.

The real question is “is it safer for you to use cloud storage or internal servers?”

What Are The Benefits of The Cloud?

There’s no doubt that one of the major benefits of the cloud is not having the expense of running your own server or data centre. This doubles up as one of the reasons why the cloud is safer; costs can be so high that businesses fail to spend enough to get a high quality and secure system.

The security of cloud stored data tends to be better provided that passwords are strong and protected. It also means that you do not need to have members of staff with the knowledge and expertise needed to manage your server, as this will all be taken care of for you. There is also the benefit that if your data is stored away from your premises, there is less risk that you could lose it in the event of a disaster, such as a flood or fire.

An additional advantage of cloud storage is that your level of usage can be reduced or expanded to suit your current needs. This means that you won’t be overspending on a large server that you don’t need, nor struggling with limited capacity.

Are There Any Risks?

Of course, like any technology, using cloud is not free from risk. One of the clear risks is that you are no longer in full control of how and where your data is held. You are handing that responsibility over to another company. This is why it is essential to choose a reputable company that you can trust – especially if you’re handling highly sensitive data such as medical records. Your data is the lifeblood of your business, so you need to be certain that the company storing it can be completely relied upon.

Remember, the “cloud” is still a physical server, it’s just located somewhere else. There is still the risk of data being lost, wiped or even stolen. You might assume that keeping your data on the cloud will guarantee that it will never go missing or be corrupted, but there is always the possibility, however small.

Is Data Safer On The Cloud?

There are undoubtedly many reasons that data can be considered safer on the cloud – for example, major data breaches tend to occur mostly against companies with their own internal servers rather than those utilizing cloud storage. Additionally, it tends to be issues such as outdated systems that are the major cause of these breaches.

Working with a high-quality cloud storage provider will almost certainly carry fewer risks than having your own server in-house. Still, they are not invulnerable. If passwords are stolen, a hacker can use them to access your data just as they would with an in-house server.

Choosing a good cloud storage provider

Choosing a cloud provider might seem like a daunting task at first, especially if you do not have much data security experience. It’s worth noting that some providers specialize in the storage of certain types of data, so it’s wise to search for cloud storage that suits your business’ needs.

Nebula Consulting offers several cloud storage options. Contact us today to speak with one of our engineers for a free consultation.

Amazon Prime Day Phishing Scam Spreading Now!


Amazon launched Prime Day in 2015 during the company’s 20th anniversary. And they’ve been stepping up their game ever since. To date, Prime Day is hailed as the biggest shopping event in the company’s history, surpassing its 2016 Black Friday and Cyber Monday revenue.

Phishing emails are a popular tool for cybercriminals. They are extremely successful at finding new victims with these scams. Recognizing fraudulent messages that look official can be difficult to the untrained eye.

It won’t be a surprise, then, to expect that Prime Day 2018 will be even bigger than last year—and cybercriminals may be counting on this.

Watch out for this Amazon Prime Day phishing attack

What we're talking about is an Amazon Prime Day phishing email scam that is spreading like wildfire. The email thanks the recipient for a recent order on Amazon.com. It goes on to say that you're invited to write a quick review of the product, and that you will receive a $50 bonus for your time.

Here is what the phishing scam looks like:

[Image: screenshot of the phishing email]

As you can see, there is a link provided inside the email to review and print the reward.

Warning! Do NOT click on the provided link, it's malicious.

The criminals behind the attack can change the malicious link's payload at any time. The link currently takes you to a spoofed Amazon page that asks for your login credentials. It can be changed at any point, leading to malware infecting your computer or even ransomware that will encrypt the critical files on your gadget.

These types of attacks are on the rise. That's why you need to know what to watch for and how to handle the situation when it arises.

Here are suggestions from Amazon on how to recognize a phishing attack:

  • Fake orders - If you receive an email claiming to be from Amazon confirming an order that you did not place, it's a scam. Instead of clicking links within the email, type Amazon.com into your browser, sign in and go to the Your Orders page to verify your purchases. If you didn't buy the item from the email, it's a phishing scam.
  • Credential request - Amazon does not send emails requesting your username and/or password. If you receive an email like this, it's a scam.
  • Update payment information - You should never click a link within an email asking you to update your payment information. Instead, go to your Amazon account and click Manage Payment Options in the Payment section. If you are not prompted to update your payment method on that screen, the email is not from Amazon.
  • Fraudulent links - If you receive an email with a link that supposedly goes to Amazon, hover over the link with your cursor. If it does not say that it's going to direct you to Amazon, it's a phishing scam.
  • Attachments - Emails purportedly from Amazon that contain attachments or prompts to install software on your computer are scams.
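The "hover over the link" check above can be automated for an inbox or a mail gateway: extract every anchor from the message body and compare where the link really points with what it claims to be. The following is an added example written for this article, not a tool from Amazon or from the author: it parses a constructed HTML body imitating the "$50 review bonus" lure, and flags any link whose target host is outside a trusted domain, calling out the classic case where the visible text says amazon.com but the href does not. The sample message, the `.example` hostname and the trusted-domain list are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body imitating the review-bonus lure described in
# the article. The hostnames are placeholders, not real indicators.
SAMPLE_EMAIL_HTML = """
<p>Thank you for your recent order on Amazon.com!</p>
<p>Write a quick review and receive a $50 bonus:
<a href="http://amazon.com-review-reward.example/login">amazon.com/review</a></p>
<p>View your orders: <a href="https://www.amazon.com/your-orders">Your Orders</a></p>
"""

# Domains this sender legitimately links to (assumption for the example).
TRUSTED_DOMAINS = {"amazon.com"}


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname ('www.amazon.com' -> 'amazon.com').
    Adequate for .com-style names; multi-part public suffixes such as co.uk
    would need the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(href, text):
    """Return 'ok', or a reason explaining why the link is suspicious."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return "non-http scheme"
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        shown = text.lower()
        # Visible text naming a trusted site while the target is elsewhere is
        # exactly the mismatch the hover check is meant to reveal.
        if any(d in shown for d in TRUSTED_DOMAINS):
            return f"link text claims {shown!r} but target host is {host!r}"
        return f"target host {host!r} is not a trusted domain"
    return "ok"


def check_email(html):
    """Extract and classify every anchor; returns a list of (href, text, verdict)."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, verdict in check_email(SAMPLE_EMAIL_HTML):
        print(f"{verdict}\n    {href}")
```

The same function can be pointed at the text/html part of any message pulled from a mailbox; the trusted-domain set is the only piece that needs to change per sender.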

If you receive an email claiming to be from Amazon that you suspect is fraudulent, report it to Amazon.

How to protect against phishing attacks:

  • Be cautious with links - If you get an email or notification that you find suspicious, don't click on its links. It could be a phishing attack. It's always better to type a website's address directly into a browser than clicking on a link.
  • Do NOT enable macros - You should never download PDF, Word or Excel files attached to unsolicited emails to begin with. If you do open one of these documents and it says that you need to turn on macros, close the file and delete it immediately.
  • Watch for typos - Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos.
  • Use unique passwords - Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it's simple for the cybercriminal to get into each account. 
  • Set up two-factor authentication - Two-factor authentication, also known as two-step verification, means that to log in to your account, you need two ways to prove you are who you say you are. It's like the DMV or bank asking for two forms of ID.
  • Check your online accounts - The site Have I Been Pwned allows you to check if your email address has been compromised in a data breach.
  • Have strong security software - Having strong protection on your gadgets is very important.

The Average Cost Of A Data Breach Is Highest In The U.S.

Globally, the impact of a data breach on an organization averages $3.86 million, though more serious "mega breaches" can cost hundreds of millions of dollars. IBM's 2018 Cost of a Data Breach study was formulated through interviews with more than 2,200 IT, data protection and compliance professionals from 477 companies, and it provides an interesting insight into one of the most serious problems facing companies today.


The potential cost of an incident depends on several factors, with the financial impact rising in line with the number of records stolen. On average, each record costs $148; a breach of 1 million records costs $40 million, while a breach of 50 million costs $350 million. The research also found that the efficiency in identifying an incident and the speed of the response have a huge impact on its overall cost. On average, it took companies 197 days to identify a data breach and 69 days to contain it.

Average total costs of a data breach also varied heavily between countries with the United States the hardest hit. In 2018, an average incident costs U.S. firms $7.91 million while in Canada and Germany, the impact is lower at less than $5 million. Indian and Brazilian companies have the lowest average cost of a data breach at $1.77 million and $1.24 million respectively.

Timehop Hacked — Hackers Stole Personal Data Of All 21 Million Users


The Timehop social media app has been hit by a major data breach on July 4th that compromised the personal data of its more than 21 million users.

Timehop is a simple social media app that collects your old photos and posts from your iPhone, Facebook, Instagram, Twitter and Foursquare and acts as a digital time machine to help you find what you were doing on this very day exactly a year ago.

The company revealed on Sunday that unknown attacker(s) managed to break into its cloud computing environment and access the data of all 21 million users, including their names, email addresses, and approximately 4.7 million phone numbers attached to their accounts.

"We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken. Some data was breached," the company wrote in a security advisory posted on its website.

Social Media OAuth2 Tokens Also Compromised

Moreover, the attackers also got their hands on authorization tokens (keys) provided by other social networking sites to Timehop for gaining access to your social media posts and images.

With access to these tokens, hackers could view some of your posts on Facebook and other social networks without your permission.

However, Timehop claims that all the compromised tokens were deauthorized and made invalid within a "short time window" after the company detected the breach on its network on July 4th at 4:23 PM Eastern Time.

Since the company was not using two-factor authentication, the attacker(s) were able to gain access to its cloud computing environment using compromised credentials.

Timehop has now taken some new security measures that include system-wide multifactor authentication to secure its authorization and access controls on all accounts.

Timehop immediately logged out all of its users of the app after the company invalidated all API credentials, which means you will need to re-authenticate each of your social media accounts to the app when you log into your Timehop account to generate a new token.

The company is also working with security experts and incident response professionals, local and federal law enforcement officials, and its social media providers to minimize the impact of the breach on its users.