GET Children and parents on the Web: a history of hacking VTech services / ua-hosting.company's blog / Sudo Null IT News FREE
Data leakage by users of various services due to hacking of the latter is far from especial, unfortunately. One need solitary recall the impressive hacking service of Ashley Medison cheating, when the data of millions of users leaked to the Network. A huge number of users turned out to be just bots, but this does not exchange anything - for each one of us is vulnerable.
Even the data of users World Health Organization monitor their accounts, come upward with compound passwords, try to anticipate negative scenarios leak out into the Network. But leaks still occur. Moreover, an interesting nuance is that if everything is monitored roughly the safety of big data everywhere, then the problem of protecting the data of children along the Web is somehow not too well known. And in that location are even more problems, because children are not too well acquainted with the basics of selective information security. And if so, then kooky find unusual ways to get these kids. An exercise is the recent hacking of VTech services (a manufacturer of children's electronic toys), American Samoa a result of which data from millions of small user accounts leaked to the Network.
In total, we are talking about 4.8 million records, including names, electronic mail, dates of birth, etc. True, Here almost of the accounts belonged to parents, but about 200 thousand are children's accounts. Moreover, hackers gained access non only to accounts, merely also to hundreds of thousands of photos and other materials. One of the freshman users to discover the hack was Lorenzo Bicchierai , WHO often writes for Motherboard. This exploiter decided to contact an information security specialist.
The get-go step that has been assumed is that some accounts from the integral data set ahead have been proven. Inquiries were sent to some e-mail addresses (with an explanation of the spot), and whatsoever users responded. The effect - yes, definitely, the Vtech service was hacked.
Aside the way, a service that notifies users in guinea pig of hacking has been running for a long time. Check and subscribe to notifications here .
This is the interface of the service.
And this substance that anyone can discover adults and children, and understand who the parents of the children whose information were "merged" into the network. What is more, the data allows you to find out the place of residence of most people recorded on Vtech.
Interestingly, the service organization was non cognizant of the hack until Lorenzo wrote to IT. Only after that began make to extinguish the consequences of hacking. In summation, it was possible to contact the cracker, who conducted the entire cognitive process. As it turned out, he did it "just for amusing". He simply did not need the data.
Hither in this form, all the data was received.
The main information was contained in the file top — nurture.csv, where there were almost 5 million lines. User information is atomic number 3 follows:
id
encrypted_password
first_name
last_name
password_hint
secret_question
secret_answer
email_promotion
activist
first_login
last_login
login_count
free_order_count
pay_order_count
client_ip
client_location
registration_url
country
address
urban center
state
zip
updated_datetime
Passwords are presented in this cast:
But such data was required when registering a child's parent:
Vtech itself produces many dozens of models of devices for children and their parents, including, for example, a TV nanny. Vtech also has an online storage where parents can download e-books, applications and games for their children's devices.
A hacker World Health Organization hacked into the Vtech network aforesaid that SQL injection was used. The cracker bequeath gain access to the company's web servers and databases, with full access.
After analyzing what happened, it clothed that hacking was only a matter of sentence. E.g., passwords were hashed using MD5, which is not the most difficult algorithm to fling, to put information technology mildly. Moreover, password reminder questions were saved as plain text. Soh there was no problem getting surgery resetting the password in the least. If necessary, the same information could be used to try to gain control over the user chronicle on other services - Gmail or a deposit account, as an example.
Worst of all, the accounts of galore children were related with the accounts of parents, plus the address of residence was too indicated. Nowadays, this attitude to the storage of information of children is only unforgivable.
How to distinguish parents? Yes, it's very oblanceolate:
Parent data is displayed same this:
id
username
domain
ll_child_id
ll_parent_id
parent_id
country_lang
create_datetime
expired_datetime
Example entries:
215836, 'foo% 40bar.com', 'kc-im2.vtechda.com', 0, 2700413, 2700413 , 'USeng', '2013-12-25 13:55:21', Cypher
and child record:
215841, 'LittleJohnny', 'kc-im2.vtechda.com', 3974296, 0, 2700413, 'USeng', ' 2013-12-25 13:55:23 ', NULL
Fortunate, and asset to everything, additive data:
dob
product_code
is_avatar_created
account_level
gender
expiry_date
registration_url
Where are they from? From other sites that are associated with Vtech. Namely:
World Wide Web.planetvtech.com
www.lumibeauxreves.com
www.planetvtech.fr
web.vsmilelink.com
www.planetvtech.de
WWW.planetvtech.co.uk
World Wide Web.planetvtech.es
www.proyectorvtech.es
www.sleepybearlullabytime.com
de.vsmilelink.com
fr.vsmilelink.com
uk.vsmilelink.com
E.vsmilelink.com
But everything looks pretty precise:
Here is the registration form:
Leave we hyperkinetic syndrome a child account? No more problem:
It is Worth noting that the safety problems voiced above (for example, the power to connect a baby and a rear in a weigh of seconds) is non so easy to pay back. They are, if I English hawthorn say so, important, Vtech will have to remake everything, if non re-originate its WWW services and authentication system.
After the hacking became known, the parents became indignant, interrogative why the company had to know the computer address and all other data solely so that customers could make the opportunity to download a copulate of e-books.
And it is all the to a greater extent strange that Vtech does non use security standards that take over long been mandatory. For example, SSL is not used anywhere, and data (passwords, logins) are transmitted in clear text. In general, it's even strange that no one paid attending to the table service earlier.
Key Vtech Surety Issues
Let's look over again at the mistakes made by the keep company, whose annual turnover is about 2 billion US dollars.
1. No SSl. Data is transmitted via unsealed channels, and there is a caboodle of information. This information active parents, password, login, entropy about the child.
2. Passwords are stored in a slightly fortified form, let's pronounce. But the inward questions are already completely unprotected, this is plain text. And the passwords of children are also stored in the clear. These are children, wherefore protect their information, word-perfect?
3. Lack of protection against SQL injection. Present, in the main, everything is not simple, only very simple.
4. The widespread consumption of Tatty. Even the Creator, the Adobe company, urges to abandon this technology. And a ship's company like Vtech could ingest done this for a long time victimization safe technology.
Contain care of yourself and your children!
DOWNLOAD HERE
GET Children and parents on the Web: a history of hacking VTech services / ua-hosting.company's blog / Sudo Null IT News FREE
Posted by: weirnonsts.blogspot.com
0 Response to "GET Children and parents on the Web: a history of hacking VTech services / ua-hosting.company's blog / Sudo Null IT News FREE"
Post a Comment