Why a smartwatch for children isn't so smart and how the sea turtle espionage campaign is hijacking DNS to target intelligence agencies These stories and more coming up on the ISNG security report Hello, I'm Matthew Schwartz This week's security report begins with an alarming look at a child tracking tool for parents that has flaws Which could be abused by an attacker to track a child or talk directly to them ISNG's Jeremy Kirk has more That's the voice of Australian security researcher Troy Hund's six-year-old daughter Ellie She's speaking with banjilist Stikis a security researcher with pen test partners in the UK As part of a security test Stikis managed to add himself as a parent to Ellie's TikTok track smartwatch and then call Hund's daughter Although Hund gave permission to run the test in theory Stikis shouldn't have been able to do that But Stikis and his colleagues found the smartwatch's web application contained a serious vulnerability The GPS smartwatch which has a SIM card is designed to let parents keep tabs on their kids including their location But the vulnerability could have allowed a hacker to track a child's location spoof the child's location and add themselves as a parent to an account The smartwatch is made by a China-based gator group but uses software developed by TikTok track Which is marketed by a Brisbane-based company the gator watch is sold around the world and often the web app is customized by local companies that sell it As a result of the findings TikTok track this week shut down its service pending verification of the flaws in a fix Company said if the flaws are verified by its own audit it would offer refunds for subscriptions The type of vulnerability that affected this smartwatch was an insecure direct object reference It allowed anyone logged into the TikTok track service to increments and identify or in a URL which allowed access to other accounts The type of vulnerability is an elementary one and should have been caught Security researchers have long warned of vulnerabilities in internet-connected toys and in children's smartwatches Theoretically the problems with the TikTok track should have never happened And that's not just because the developers should have had greater knowledge of insecure direct object references In October 2017 the Norwegian Consumer Council published a detailed paper into the privacy issues and security aspects of four kinds of children's smartwatches including the gator The council found what it termed significant security flaws unreliable safety features and a lack of consumer protection And about a year later Pentes partners published research outlining some of the same kinds of vulnerabilities also in a gator watch As a result of the findings gator fix problems with its own web application All this is a warning once again that internet-connected devices aimed at children are still an immature and potentially risky area For information security media group I'm Jeremy Kirk Next in the security report I'm joined by Scott Ferguson of ISMG who's been reporting on a domain name system hijacking campaign That's been targeting intelligence agencies the energy sector and more Scott what's going on here? Hi Matt, thanks. So on Wednesday this week Cisco Talos released a report about a nation state sponsored attack called C-Turtle This group has managed to hijack DNS traffic and it's something Cisco Talos has been looking at before There's a couple other groups operating in the North Africa and Middle East regions that have become pretty prolific at manipulating and hijacking DNS traffic Cisco Talos told me an email that this is not related to some of those other attacks which have been kind of pinned on Iran Cisco Talos also had told me that they know who is behind it But they're not saying yet exactly who these people are that might come out a little bit later But again, we're seeing these groups that have state sponsorship to them taking advantage of these older protocols and getting really prolific at hijacking that traffic Is this the first time that we have been seeing these kinds of DNS hijacking campaigns? This has actually been going on for a while A C-Turtle itself has been around since at least the very beginning of 2017 The folks at Cisco Talos have told me that they are still in operation right now even after Cisco planned on publishing some of these results that they had But we are again seeing different groups manipulating DNS traffic most are state sponsored So they're part of SB and Ojans spying campaigns I received an email late yesterday from a Talos spokeswoman and she said also to that this group of C-Turtle has also managed to steal data from some of the Organizations that it's targeted.
So this is a pretty extensive state sponsored campaign That's going on right now and again It's indicative of these sort of continuing operations, especially in the Middle East and North Africa How should organizations be protecting themselves against these sorts of attacks? Cisco Talos did release a little bit of material about how you can defend yourself one of the main things was You know take a good look at your DNS registry, right? Make sure that that is not being manipulated go into the logs If the logs don't have multi-factor authentication in them Maybe that's something you want to put in if you think maybe you've been targeted You want to reset your passwords do a whole network reset use a trusted computer reset all your passwords And of course like everything else because this group managed to take advantage of so many flaws and vulnerabilities in commodity software Go through all your patching make sure that everything is up to date and then from a more big picture perspective We're also seeing slowly the adoption of domain name system security extensions For example DNS sec that can help as well, can't it it can help? The only thing I would kind of add there as a kind of caveat is that Craig Williams He's one of the researchers at Talos who put together this report He said as DNS systems are sort of being upgraded from modern security the attackers are also updating their methods So even though better security is coming you have to be aware that the attackers are adjusting their methods to sort of manipulate the traffic Even with these better security protocols in place So it's a constant cat and mouse game as better security comes on the attackers change and then you need to re-up your game as well So cat and mouse game DNS edition exactly you know five versus five at this point.
Well Scott. Thanks so much for your time inside today Thank you, man. I appreciate it. You're listening to the ISMG security report on ISMG radio IsMG your number one source for information security news If you've ever been trying to do one thing on a website But it tricks you into doing something else that's a dark pattern to combat such practices a new bipartisan Senate bill introduced by Virginia Democratic Senator Mark Warner And Nebraska Republican Senator Deb Fisher would prohibit large online platforms from using deceptive interfaces Here's Senator Warner telling CNBC more about his deceptive experiences to online users reduction or D2R Act This one takes a look at the abuse For large platform companies people more than a hundred million users where you see Manipulative tactics on their sites or their application that we've all seen sites that have flashing arrows to say press I agree press I submit but you're gonna find the unsubscribe button on the same site This would set up a an advisory industry advisory group similar to the model the securities industry of thin rest would be that would set up rules and regulations That would be able to enforce this effort against our what we call dark patterns against manipulate behavior But we're hearing as well towards children and we think it's a good first step one useful resource for better understanding dark patterns is dark patterns Dot org the website highlights numerous examples of dark patterns seen in the wild for example bait and switch means you click An X on the upper left part of a window asking if you want to upgrade your operating system to Microsoft 10 Intending to dismiss the box only to have clicking the axe beak in the upgrade roach motels meanwhile Refer to sites that make it easy for a user to end up in a situation but difficult to get out of ticket master For example has been known to sneak magazine subscriptions into a customer's shopping cart unless they explicitly opt out Confirm shaming uses guilt to try and drive someone into accepting something information security veteran Wendy Nather calls this the yes I wanted to let the orphans starve prompt airline websites For example often do this to when they try to get ticket buyers to purchase one off travel insurance And the final example for today trick questions trick phrasing can leave users unclear about whether clicking no might instead mean yes Or it might follow a checkbox for opting out with a checkbox for opting in Regardless of the type of dark pattern at work if you had to summarize this sort of thing it might be don't be evil instead Organizations that use usability as a force not only for making things easier to use but for good have the opportunity to not only foster better data security But also greater transparency and to trust with users That's the ISMG security report our theme is by Ithaca audio.
I'm Matthew Schwartz. Catch you next time