Posted on

A massive database of 8 billion Thai internet records leaks

Thailand’s largest cell network AIS has pulled a database offline that was spilling billions of real-time internet records on millions of Thai internet users.

Security researcher Justin Paine said in a blog post that he found the database, containing DNS queries and Netflow data, on the internet without a password. With access to this database, Paine said that anyone could “quickly paint a picture” about what an internet user (or their household) does in real-time.

Paine alerted AIS to the open database on May 13. But after not hearing back for a week, Paine reported the apparent security lapse to Thailand’s national computer emergency response team, known as ThaiCERT, which contacted AIS about the open database.

The database was inaccessible a short time later.

It’s not known who owns the database. Paine told TechCrunch that the kind of records found in the database can only come from someone who’s able to monitor internet traffic as it flows across the network. But there is no easy way to differentiate between if the database belongs to the internet provider — or one of its subsidiaries — or a large enterprise customer on AIS’ network. AIS spokespeople did not respond to our emails requesting comment.

DNS queries are a normal side-effect of using the internet. Every time you visit a website, the browser converts a web address into an IP address, which tells the browser where the web page lives on the internet. Although DNS queries don’t carry private messages, emails, or sensitive data like passwords, they can identify which websites you access and which apps you use.

But that could be a major problem for high-risk individuals, like journalists and activists, whose internet records could be used to identify their sources.

Thailand’s internet surveillance laws grant authorities sweeping access to internet user data. Thailand also has some of the strictest censorship laws in Asia, forbidding any kind of criticism against the Thai royal family, national security, and certain political issues. In 2017, the Thai military junta, which took power in a 2015 coup, narrowly backed down from banning Facebook across the country after the social network giant refused to censor certain users’ posts.

DNS query data can also be used to gain insights into a person’s internet activity.

Using the data, Paine showed how anyone with access to the database could learn a number of things from a single internet-connected house, such as the kind of devices they owned, which antivirus they ran, and which browsers they used, and which social media apps and websites they frequented. In households or offices, many people share one internet connection, making it far more difficult to trace internet activity back to a particular person.

Advertisers also find DNS data valuable for serving targeted ads.

Since a 2017 law allowed U.S. internet providers to sell internet records — like DNS queries and browsing histories — of their users, browser makers have pushed back by rolling out privacy-enhancing technologies that make it harder for internet and network providers to snoop.

One such technology, DNS over HTTPS — or DoH — encrypts DNS requests, making it far more difficult for internet or network providers to know which websites a customer is visiting or which apps they use.

Read More

Posted on

A ton of Ruckus Wireless routers are vulnerable to hackers

A security researcher has found several vulnerabilities in a number of Ruckus Wireless routers, which the networking giant has since patched.

Gal Zror told TechCrunch that the vulnerabilities he found lie inside in the web user interface software that runs on the company’s Unleashed line of routers.

The flaws can be exploited without needing a router’s password, and can be used to take complete control of affected routers from over the internet.

Routers act as a gateway between a home or office network and the wider internet. Routers are also a major line of defense against unauthorized access to that network. But routers can be a single point of failure. If attackers find and take advantage of vulnerabilities in the router’s software, they can control the device and gain access to the wider internal network, exposing computers and other devices to hacks and data theft.

Zror said his three vulnerabilities can be used to to gain “root” privileges on the router — the highest level of access — allowing the attacker unfettered access to the device and the network.

Although the three vulnerabilities vary by difficulty to exploit, the easiest of the vulnerabilities uses just a single line of code, Zror said.

With complete control of a router, an attacker can see all of the network’s unencrypted internet traffic. An attacker can also silently re-route traffic from users on the network to malicious pages that are designed to steal usernames and passwords.

Zror said that because many of the router are accessible from the internet, they make “very good candidates for botnets” That’s when an attacker forcibly enlists a vulnerable router — or any other internet-connected device — into its own distributed network, controlled by a malicious actor, which can be collectively told to pummel websites and other networks with massive amounts of junk traffic, knocking them offline.

There are “thousands” of vulnerable Ruckus routers on the internet, said Zror. He revealed his findings at the annual Chaos Communication Congress conference in Germany.

Ruckus told TechCrunch it fixed the vulnerabilities in the 200.7.10.202.92 software update, but said that customers have to update their vulnerable devices themselves.

“By design our devices do not fetch and install software automatically to ensure our customers can manage their networks appropriately,” said Ruckus spokesperson Aharon Etengoff. “We are strongly advising our customers and partners to deploy the latest firmware releases as soon as possible to mitigate these vulnerabilities,” he said.

Ruckus confirmed its SmartZone-enabled devices and Ruckus Cloud access points are not vulnerable.

“It’s very important for the customers to know that if they’re running an old version [of the software], they might be super vulnerable to this very simple attack,” said Zror.

Source: TechCrunch