The way people tilt their smartphone ‘can give away passwords and pins’

The way you tilt your mobile while you’re using it could allow hackers to work out your pin numbers and passwords, according to new research.
  
The way you tilt your mobile while you’re using it could allow hackers to work out your pin numbers and passwords, according to new research.
 
Experts at Newcastle University analysed the movement of a smartphone as the screen was used. They say they cracked four-digit Android pins with 70% accuracy on the first guess and 100% by the fifth. The team of cyber-experts claim tech companies know about the problem but can’t figure out what to do about it.
 
Dr Maryam Mehrnezhad, from the university’s school of computing science, said: “Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors (gyroscope, rotation sensors, accelerometer, etc). But because mobile apps and websites don’t need to ask permission to access most of them, malicious programmes can covertly ‘listen in’ on your sensor data.”
 
The research suggests there’s a problem in the tech industry because of the number of different sensors used by competing companies.
 
Dr Mehrnezhad said: “On some browsers we found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open [another one], then they can spy on every personal detail you enter. And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked. People were far more concerned about the camera and GPS than they were about the silent sensors.”

 
The team said it was able to identify 25 different sensors which come as standard on most devices. The researchers found that everything you do – from clicking, scrolling and holding to tapping – led to people holding their phone in a unique way.
 
So on a known webpage, the team was able to work out which part of the page the user was clicking on, and what they were typing, by the way it was tilted. They said they’d told all the major tech companies, like Google and Apple, about the risks but no-one has been able to come up with an answer so far.
 
The team is now looking at the risks around personal fitness trackers linked to online profiles.
 
 

UK flight ban on electronic devices announced

The UK has announced a cabin baggage ban on laptops on passenger flights from Turkey, Lebanon, Jordan, Egypt, Tunisia and Saudi Arabia.
  
The UK has announced a cabin baggage ban on laptops on passenger flights from Turkey, Lebanon, Jordan, Egypt, Tunisia and Saudi Arabia.
 
The restrictions, which also apply to tablets, DVD players and phones over a certain size, follow a similar US ban affecting eight countries. Downing Street said they followed talks on air security and were “necessary, effective and proportionate”. US officials said bombs could be hidden in a series of devices.
 
The six affected UK carriers are: British Airways, EasyJet, Jet2.com, Monarch, Thomas Cook & Thomson.
 
The eight overseas airlines subject to the ban are: Turkish Airlines, Pegasus Airways, Atlas-Global Airlines, Middle East Airlines, Egyptair, Royal Jordanian, Tunis Air & Saudia.
 
A UK government spokesperson said: “Decisions to make changes to our aviation security regime are never taken lightly. We will not hesitate to act in order to maintain the safety of the travelling public and we will work closely with our international partners to minimise any disruption these new measures may cause.”
 
The US ban applies to flights on nine airlines from 10 airports in eight countries.
 
 

 
 
 
 

Your smartphone or TV could hold you to ransom

Smartphones, watches, televisions and fitness trackers could be used to hold people to ransom over personal data, cyber security experts have warned.
  
Smartphones, watches, televisions and fitness trackers could be used to hold people to ransom over personal data, cyber security experts have warned.
 
Ransomware, which makes devices unusable until their owners pay to unlock them, has become increasingly prevalent in the past year, they say. Devices holding photos, emails and fitness information could be targeted.
 
The risk to business is “significant and growing”, the National Crime Agency and National Cyber Security Centre say. 
 
The joint report from the NCA and the NCSC says cyber crime is becoming more aggressive. More devices connecting to the internet meant opportunities for criminals, the report said. Any devices containing personal data such as photos, that people consider sufficiently valuable to pay for, are likely to be targeted by criminals. Such devices often have limited security built in.
 
In their report, aimed at businesses, the agencies say: “This data may not be inherently valuable, and might not be sold on criminal forums but the device and data will be sufficiently valuable to the victim that they will be willing to pay for it.
 
“Ransomware on connected watches, fitness trackers and TVs will present a challenge to manufacturers, and it is not yet known whether customer support will extend to assisting with unlocking devices and providing advice on whether to pay a ransom.”
 
The report also raises concerns about the ability of the most sophisticated criminal gangs to use the same high-tech tools as states to target financial institutions. Others, it adds, can download more basic software to carry out attacks on smaller businesses and the general public which require very little technical ability.
 
As many as 21 billion devices used by businesses and consumers around the world are forecast to be connected to the internet by 2020.
 
Ciaran Martin, chief executive of the NCSC, said cyber attacks would continue to evolve and the public and private sectors must continue to work at pace to reduce the threat to critical services and deter would-be attackers. The report also says there is no clear understanding of the true scale and cost of current cyber attacks to the UK, as they believe they are under-reported.
 
In three months after the NCSC was created, there were 188 “high-level” attacks as well as “countless” lower-level incidents, it says. 
 
Donald Toon, director for economic and cyber crime at the NCA, said devices that helped businesses control operations remotely had an online capability built into them. “They’re mass-produced and the security may not be particularly good,” he said. “Businesses often don’t change the basic security software that’s in there, or change the passwords.”
 
The report will be published on Tuesday as the NCSC hosts a major conference, CyberUK, in Liverpool.
 
 

Tech giants ‘urgently’ study CIA leaks

Several of the tech firms whose products have been allegedly compromised by the CIA have given their first reactions to the claims.
  
Several of the tech firms whose products have been allegedly compromised by the CIA have given their first reactions to the claims.
 
Wikileaks published thousands of documents said to detail the US spy agency’s hacking tools on Tuesday. They included allegations the CIA had developed ways to listen in on smartphone and smart TV microphones.
 
Apple’s statement was the most detailed, saying it had already addressed some of the vulnerabilities. “The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way,” it said. “Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80% of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security update.”
 
Samsung – whose F8000 series of televisions was reportedly compromised via a hack co-developed with the UK’s MI5 agency – was briefer. “Protecting consumers’ privacy and the security of our devices is a top priority at Samsung,” it said. “We are aware of the report in question and are urgently looking into the matter.”
 
The leaks also claimed that the CIA had created malware to target PCs running Microsoft’s Windows operating system. “We are aware of the report and are looking into it,” a spokesman from Microsoft said.
 
Google declined to comment about allegations that the CIA was able to “penetrate, infest and control” Android phones due to its discovery and acquisition of “zero day” bugs – previously unknown flaws in the operating system’s code. Likewise, the Linux Foundation has yet to publicly react to claims the agency had created “attack and control systems” that could hijack computers powered by Linux-based software.
 
The CIA has not confirmed whether the documents – said to date between 2013 to 2016 – are real. But one of its former chiefs was concerned by their publication. “If what I have read is true, then this seems to be an incredibly damaging leak in terms of the tactics, techniques, procedures and tools that were used by the Central Intelligence Agency to conduct legitimate foreign intelligence,” ex-CIA director Michael Hayden said. “In other words, it’s made my country and my country’s friends less safe.”
 
But one expert said the fact that the CIA had targeted such a wide range of technology was no surprise. “The story here isn’t that the CIA hacks people. Of course they do; taxpayers would be right to be annoyed if that weren’t the case,” blogged Nicholas Weaver, a security researcher at the International Computer Science Institute in Berkeley. “The CIA’s job, after all, is [to] collect intelligence, and while its primary purview is human intelligence, hacking systems interacts synergistically with that collection. The actual headline here is that someone apparently managed to compromise a Top Secret CIA development environment, exfiltrate a whole host of material, and is now releasing it to the world… now the world wants to know who, and how, and why.”
 
 

 
 

Scammers taking control of computers

Scammers are taking control of people’s computers and demanding payments to release them again, consumers are being warned.
  
Scammers are taking control of people’s computers and demanding payments to release them again, consumers are being warned.
 
Trading Standards officers say that tens of thousands of users are falling victim to such scams, which begin when they ask for help with a printer error. The fraudsters claim to offer “printer helplines”, which consumers are fooled into contacting. Typically, users then allow scammers remote access to their computers.
 
In some cases the fraudsters steal information – such as bank account details – or demand money to hand back control. They appear credible by claiming to have links with well-known computer and printer brands.
 
In one case, they tried to charge a victim £700. Another user was told that their online identity had been corrupted and all their passwords had been stolen. The “fee” to correct it was £200.
 
“This printer helpline scam scam is particularly pernicious because it encourages victims to unknowingly contact the fraudsters of their own accord,” said Mike Andrews, lead co-ordinator of the National Trading Standards eCrime team. “While victims expect they will receive help with their printer problems, they have in fact been lured into a trap, and find themselves at risking of losing money or important personal information and also have their computer security compromised.”
 
In 2016 there were more than 32,000 such cases of computer service fraud, according to Action Fraud, which is a 47% rise since 2014.
 
“I would urge people to be particularly vigilant about this scam,” said Lord Harris, chair of National Trading Standards. “If you are seeking help for printer issues you should always use the official printer helpline details provided when you bought the product or consult the official website of the manufacturer for helpline details.”
 
 

Android Pattern Lock system can be cracked in five attempts

Scientists have discovered that even having a security password enabled on your phone will not stop thieves from accessing your details.
  
Scientists have discovered that even having a security password enabled on your phone will not stop thieves from accessing your details.
 
Researchers from Lancaster University found that by filming a person’s finger movements as they use Android’s Pattern Lock system, it is possible to crack the code and access devices. The Pattern Lock system is used on millions of Android phones. Most of the passwords were cracked within five attempts.
 
A vulnerable system Android’s pattern lock means the device’s user has to draw a pattern by connecting dots in order to access the phone. Users have five attempts to draw the correct code before it stops you from using the handset.
 
There have long been web pages discussing the possibility of cracking the code however Professor Zheng Wang and his team from Lancaster University have managed to come up with a formula. The team conducted the research by filming people entering their passwords from two and a half metres away and then tried to guess the passwords. By using a computer generated system that contained around 120 individual patterns, they were able to crack the passwords in under five attempts in around 95 percent of cases.
 
Professor Wang said “The value of this kind of research is to inform designers of potential weaknesses to help combat crime such as theft of data and fraud.” Even the toughest passwords can be cracked The team found that the more difficult passwords were easier to crack while the easier passwords proved the toughest. Professor Zheng Wang and his team from Lancaster University found that the harder passwords were easier to crack. He said: “I think our research debunks many people’s belief that complex patterns provide stronger protection and in fact our study shows the opposite.”
 
Other researchers in the past have demonstrated the vulnerabilities of various authentication methods including pins and fingerprints. Professor Zheng Wang says all of the research suggests that a better authentication mechanism is needed to protect personal data. Legal muggings The research findings come after reports that police were conducting legal muggings in order to gain access to suspects’ mobile phones.
 
In December the BBC reported that Scotland Yard’s cybercrime unit had busted a fake credit card fraud ring by stealing a phone from a suspect and continuously swiping until they were able to download all of the data from his phone. The suspect was thought to be at the forefront of the fraud ring and was said to be using an iPhone to discuss activities with other members. A team of officers seized the suspect’s phone while he was on a call, allowing them access to his phone and bypassing the security settings.
 
 
 
 
 

Personal data being shared on huge scale, claims Which?

Personal and financial data is being traded on a “huge scale” – and sometimes illegally – according to an investigation by Which?
  
Personal and financial data is being traded on a “huge scale” – and sometimes illegally – according to an investigation by Which?
 
Undercover researchers from the consumer group contacted 14 companies that sell data. They managed to access personal information about half a million people over the age of 50, including details about their salary and pensions. In some cases the data was on sale for as little as 4p an item.
 
Such information can be instrumental in helping scammers who con people out of their pension savings, or persuade them to move money from their bank accounts. Ten of the firms failed to carry out proper checks to see if the researchers were from a registered company, according to Which? And it said many of the companies appeared to be in breach of guidelines from the Information Commissioner’s Office (ICO).
 
To share such data, companies have to show that the consumers concerned have given their full consent. Such consent has to be “knowingly and freely given”. 
 
During its investigation, Which? found: a company prepared to sell 500,000 pieces of personal information for 4p each. This included phone numbers and addresses; another firm listed more than 2000 people with incomes of more than £35,000 for 66p an item; a company which sent a list of phone numbers, even though most of the owners were registered with the opt-out Telephone Preference Service
 
“Our investigation highlights that sensitive personal and financial data is being traded on a huge scale, with some companies apparently willing to sell to anyone who comes calling,” said Harry Rose, Which? Money editor.
Which? advises consumers never to share their data with third parties.
 
The government has already announced plans to ban cold calling, even to individuals who have inadvertently opted-in to receiving marketing calls. The new laws, announced in the Autumn budget, could see fines of up to £500,000 being levied on perpetrators.
 
 

TalkTalk’s wi-fi hack advice is ‘astonishing’

TalkTalk’s handling of a wi-fi password breach is being criticised by several cyber-security experts.
 
TalkTalk’s handling of a wi-fi password breach is being criticised by several cyber-security experts.
 
The Company has been presented with evidence that many of its customers’ router credentials have been hacked, putting them at risk of data theft. The UK broadband provider confirmed that the sample of stolen router IDs it had been shown was real. But it is still advising users that there is “no need” to change their routers’ settings.
 
A cyber-security advisor to Europol said he was astounded by the decision. “If TalkTalk has evidence that significant numbers of passwords are out in the wild, then at the very least they should be advising their customers to change their passwords,” said the University of Surrey’s Prof Alan Woodward. “To say they see no need to do so is, frankly, astonishing.”
 
A spokeswoman for TalkTalk said that customers could change their settings “if they wish” but added that she believed there was “no risk to their personal information”.
 
The risk to TalkTalk’s subscribers was first flagged over the weekend by cyber-security researchers at Pen Test Partners. They had been investigating the spread of a variant of the Mirai worm, which was causing several makes of routers to stop working properly. During tests of a TalkTalk model, the researchers discovered that the vulnerability exploited by the worm was also being abused to carry out a separate attack that forced the router to reveal its wi-fi password.
 
But TalkTalk played down the discovery, saying it had “not seen anything to confirm” that users’ router credentials had been stolen. It said it was also making “good progress” to protect its routers.
 
A leading broadcast company was subsequently contacted by someone who said he had access to a database of 57,000 router IDs that had been scraped before any fix had been rolled out. He did not reveal his identity, but agreed to share a sample of the credentials that had been harvested.
 
The list contained details of about 100 routers including: their service set identifier (SSID) codes and media access control (MAC) addresses. These can be entered into online tools that reveal the physical location of the routers, the router passwords, which would allow someone who travelled to the identified property to access the wi-fi network, The source said he wanted to highlight the problem because other more malevolent actors might have carried out a similar operation.
 
“The list that you sent me, I can confirm that they are TalkTalk router IDs,” said its head of corporate communications. “But we haven’t seen anything to suggest that there are 57,000 of them out there.”

  
TalkTalk’s spokeswoman referred to Steve Armstrong, a cyber-security instructor that she said would support it on the matter. He said the risk to an individual user was relatively low. “If you look at the average home user and what is on their home network, that would be exposed to an attacker,… then there is not a great deal. The risk is probably no higher than using a [coffee shop’s] open wi-fi network.” But he added that he still felt TalkTalk was giving the wrong advice. “Part of my pushback to them is that they should be telling people, ‘You need to change your password,'” he said. “At the moment, you trust your home infrastructure, and as a result of this vulnerability, that may not be [secure].”
 
Others have been more critical of TalkTalk’s handling of the matter. “It does a disservice to the complicated debate around security and privacy to give out advice of this fashion,” said Don Smith, technology director at Dell SecureWorks.
 
Pen Test Partners’ Ken Munro said: “TalkTalk appear to be flying fast and loose with customer data security, yet again.”
 
The company was fined £400,000 last month by the Information Commissioner’s Office for a previous breach that led to the theft of nearly 157,000 customers’ personal details. TalkTalk has about four million customers in total.
 
TalkTalk’s approach contrasts with that of Eir, an Irish internet provider whose routers have also come under attack. It said on Tuesday that it had detected “unauthorised access” to two Zyxel-branded routers used by 2,000 of its customers.

 
“We do not have any indication at this time that customer data has been lost or accessed,” said a spokeswoman. “Our strong advice to customers is to reset their modem and, once this is done, to change both the modem administration password as well as the wi-fi password.”

 
TalkTalk asked that its statement be quoted in full: “As is widely known, the Mirai worm is an industry issue impacting many ISPs around the world, and a small number of TalkTalk customers have been affected. We can reassure these customers there is no risk to their personal information as a result of this router issue and there is no need for them to reset their wi-fi password. However, any customer with concerns can find out how to change their wi-fi password on our website or in their initial router set up guide. We have made good progress in repairing affected routers, but any customer who is still having any problems should visit our help site where they can find a guide that will show them how to reset their router. Alternatively, they can call us and we can talk them through the repair process or send them a new router.”
 
University College London’s data security expert Dr Steven Murdoch suggested the statement was misleading. “I think the press release is conflating the Mirai worm with the wi-fi password leak, and while the worm infection is dealt with for now, more work needs to be done to clear up the compromise of wi-fi passwords,” he explained. “I think that despite what the press release states, there is a risk to personal information.”
 
 

Credit card numbers guessed in ‘seconds’

Smart cyber thieves who query lots of websites at once can guess credit card numbers in a few seconds, suggests research.

 
Smart cyber thieves who query lots of websites at once can guess credit card numbers in a few seconds, suggests research.
 
Security experts from the University of Newcastle found loopholes on websites that helped thieves seeking card data. The attacks works against some of the most popular retailers on the web, said the team. Vulnerable sites have been told about their findings and some have now put in place defences against the attack.
 
The research, led by PhD student Mohammed Aamir Ali at the University of Newcastle, created a credit card querying system that simultaneously submitted payment requests to different sites at the same time.
 
Starting with just the first six digits of a card, the system guessed the remaining details and tried the combinations on many sites at the same time. By trying different combinations of a card’s number, expiry date and security code this system could quickly find out all the information needed to replicate a card, said the researchers in a paper describing their work. Because different sites ask for different parts of the credentials required to verify a purchase it was possible to compile the fragmented details that sites share to build up all the security information for a card.
 
“This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions,” they wrote. This approach could help thieves who have some knowledge of victims gained from information in the massive troves of data released by breaches at web firms.
 
Few sites noticed that multiple queries were being run across lots of sites, found the team. “It is possible to run multiple bots at the same time on hundreds of payment sites without triggering any alarms in the payment system,” they said.
 
A sample attack showed that if an attacker ran many queries at once they could compile the correct information about a card in approximately six seconds. There is no evidence that cyber thieves are using such a distributed attack, said the researchers, but their work showed it was “practical” and therefore a “credible” threat.
 
The team shared its findings with 36 of the sites against which they ran their distributed card number-guessing system. The disclosure led to eight sites changing their security systems to thwart the attacks. Many now limit the number of times card details can be checked. However, said the researchers, the other 28 sites made no changes despite the disclosure.
 
“We do not know the reason behind this and further research will be needed to find the explanation,” wrote the team.
 
 

TalkTalk wi-fi router passwords ‘stolen’

TalkTalk customers’ wi-fi passwords have been stolen following a malware attack that blocked their internet access last week, an expert has warned. 
 
TalkTalk customers’ wi-fi passwords have been stolen following a malware attack that blocked their internet access last week, an expert has warned.
 
The researcher said other details had also been taken that would let attackers pinpoint where the equipment was being used, making more targeted hacks possible. Pen Test Partners’ Ken Munro wants thousands of routers to be replaced. But TalkTalk said it had not seen evidence to confirm the thefts.
 
“As is widely known, the Mirai worm is affecting many ISPs [internet service providers] around the world and it has affected a small number of TalkTalk customers,” a spokeswoman said. “We continue to take steps to review any potential impacts and have deployed a variety of solutions to ensure customers’ routers remain safe. We have also employed additional network-level controls to further protect our customers.”
 
It was revealed last week that TalkTalk’s D-Link DSL-3780 routers had been struck by malware causing connectivity issues for those customers using the model. The firm subsequently published advice online telling affected users to reset the equipment – which forced it to install an update to protect itself against the attack – and then “use the wireless network name and password on the back of the router” to get back online.
 
Security researcher Mr Munro obtained one of the affected routers to study the attack. He said his “honeypot” router was hit by the variant of Mirai, which is now being referred to as TR-06FAIL. But in addition to the connectivity issue, Mr Munro detected that a follow-up attack involving the same malware caused the device to disclose its wi-fi password and Service Set Identifier (SSID) code.
 
An SSID code can be used to reveal where a machine is located via online tools such as Wigle. As a consequence, he said, even after subscribers had restarted their routers they could remain at risk if they continued using the same password as before.
 
“Most consumers never change the wi-fi keys written on the back of their router, so the fix didn’t actually fix the problem,” Mr Munro explained. “Once an attacker has got the wi-fi key, if they go near to the house they can get nearly everything from their home network. TalkTalk should seriously consider replacing customer routers immediately unless it can prove they haven’t been compromised.”
 
Encrypted communications – such as online banking records – would not be at risk. But emails might be and it would be possible to place malware on computers linked to an exposed network. Mr Munro estimated that the recall would involve at least 55,000 routers.
 
TalkTalk’s spokeswoman said it “firmly” disputed that number, saying the number of routers infected had been “nothing in that order of magnitude”.
 
“Our security team does not believe there is any greater risk that a customer’s wi-fi can be used or accessed without their permission as a result of this,” she added. But Mr Munro countered that some of the routers hit by the password-stealing attack might not have had their internet connectivity disrupted, despite the same vulnerability being exploited.
 
An independent researcher who checked the findings said Mr Munro had reason to be concerned, but added it was not clear who had scooped up the passwords. “It’s possible they are just security researchers, but also reasonably possible that they are actually criminals that intend to exploit this information,” said Dr Steven Murdoch from University College London. “Even if it’s the latter, they would have to sit outside your house to do it.”

 
Dr Murdoch said the risk was still high enough that TalkTalk needed to address it, but said there were alternatives to recalling the routers. “The hardware is fine, what needs to be replaced is the wi-fi password. The problem is how to send a new password to all the affected customers. If TalkTalk does this online or over the phone, that leaves the customers open to phishing attacks, where a scammer says: ‘As you heard on the news you need to change your password, please do these things…'”
 
TalkTalk’s spokeswoman said some customers who had called in had been advised to change their wi-fi passwords, but the firm’s security team now believed the step was unnecessary despite Mr Munro’s warnings.