'TeenSafe' Phone Monitoring App Leaked Thousands of User Passwords (zdnet.com) 44
An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.
"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.
"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," said a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their associated child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.
Absent legal penalties, this shit will persist. (Score:4, Insightful)
Recently it seems every week we read about data "leaks" or data "breaches".
The government needs to step up and create both civil and criminal forms of punishment such that a strong incentive exists for responsible parties to do more toward preventing data from being exposed.
Of course things will still go wrong, but strong disincentives which provide for civil and / or criminal penalties should at least act to reduce such events.
As an aside, I remember a year or so ago, a person I know smugly told me that "WhatsApp" was a 100% secure means of communicating which could not be spied on. My reply was : "I doubt that will be true for long".
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That is a problem indeed. Also, break-ins happen (Score:3)
> discourage hacking targets from coming forward, which is worse for everyone. Imagine if they treated banks like that after a stick-up or heist
That's certainly an issue. Sharing information is important, knowing what kinds of attacks are being done against which kind of targets, etc. Companies like Cisco Talos and Alert Logic are able to better protect customers by proactively taking action to protect customers A and B against the type of attacks currently coming at Company C.
What we're j
Does Amazon Cloud default to no-security? (Score:1)
Re: (Score:2, Interesting)
"Amazon Cloud" is vague. I couldn't find any mention in the article itself of what the security hole was of said AWS servers. It could be bad S3 permissions (AWS has actually sent customers Emails about this repeatedly), it could be passwordless accounts in SSH, it could be a MySQL server exposed publicly without authentication requirements, etc.. Lots of possibilities. It just says "two leaky servers", which isn't very precise.
In most cases, this all boils down to bad (or lack thereof) systems administr
Re: (Score:2)
"Amazon Cloud" is vague. I couldn't find any mention in the article itself of what the security hole was of said AWS servers. It could be bad S3 permissions (AWS has actually sent customers Emails about this repeatedly), it could be passwordless accounts in SSH, it could be a MySQL server exposed publicly without authentication requirements, etc.. Lots of possibilities. It just says "two leaky servers", which isn't very precise.
In most cases, this all boils down to bad (or lack thereof) systems administration by the Amazon customer. If it's S3, Amazon has sent out Emails to all customers, multiple times, stressing the importance of proper S3 and IAM policies and to review said policies.
If it's EC2, SSH is open to the world by default (as it should be), and it's expected that the administrator lock it down (either through security groups or network ACLs); if you open up an Amazon technical support request (for anything!), they actually by habit review SGs and ACLs and will tell you "BTW, your servers have SSH open to the world, you should fix that" (sometimes it cannot be fixed, as some employees/etc. have roaming IPs).
If it's an RDS instance (ex. MySQL), then yes, the servers default to being publicly-accessible (it's a radio button you can toggle between private/VPC-only and public during the final stage of deployment); I agree "private" would be a better default.
That said: for whatever reason, security is rarely in the foregrounds of the minds of DevOps people today. For those of us that are "old beardo" UNIX SAs, it's the first thing that comes to mind when someone asks for something, and is often a reason we tell people "no you cannot have that".
And if you pay someone to regularly do security scans, or do your own on "Cloud" instances, you should probably consider just getting an MBA so you can't do more harm in the future. /s
Defaults. Amazon chooses the defaults (Score:2)
Much of what you said is true, but Amazon chooses the defaults. Amazon chose the defaults before the customer even logged in, so Amazon's choice of default settings can't possibly be the customer's responsibility.
If a customer changes a setting, that's almost 100% on the customer (if it's even sane to offer the option, it's clear what the option does, etc.)
I do security for a living, focused on securing AWS instances. I've been doing security for a living for 20 years. So I'm a tad familiar with security c
Re: (Score:2)
In this case its even starker - Amazon offers hosted SQL databases that are inherently quite secure. If you choose to ignore that offering and instead install your own DB onto an exposed instance, that's your own damn fault and you're on your own.
Re: (Score:2)
Think of AWS as no contract automated server rental. They have no idea what you'll be doing with the server or how sensitive your data might be. Only you can make those determinations.
As for Windows, what you say is true of Windows ANYWHERE. That's MS's default.
With 14 drive partitions (Score:2)
> They have no idea what you'll be doing with the server
Yeah they don't know, maybe whatever you're doing would benefit from having 14 partitions on the drive. They don't do that by default, because 99.999% of the time that would be stupid.
Their default security groups are stupid for 99.999% of users.
Re: (Score:2)
Their defaults are designed to keep 99.999% of their users from pestering them for support so they don't have to charge more to be profitable. If you need managed servers, pay somebody more so they can get your instance set up for you.
Re: (Score:2)
Disable Two Factor Authentication?!?!? (Score:3)
In which case, is this software violating the Apple user agreement in some way? Or inducing the parents to do so?
Let me get this straight... (Score:5, Insightful)
Spyware (Because that's what this is.) that requires you to specifically compromise your target by intentionally disabling security features; is, in turn, itself insecure? And people are shocked by this?
Sorry, but I really can't conjure up any sympathy here. This is not a case of someone just screwing up and getting pwned. This is an intentional and malicious attack (and a particularly stupid one at that) that just happened to backfire. Every bad thing that might happen... to either the company or the parents... is richly deserved.
Re: (Score:2)
Well it was the unprotected amazon cloud server that released the information - the fact that the software is intrusive was not to blame for this breach.
I don't necessarily think everything bad that might happen is richly deserved, I'm not a big fan of spying on kids, but there's little options when you want to give your child the ability to call in an emergency and text friends and not do absolutely everything else possible on a smart device.
Re: (Score:3)
When I was in highschool there were filters
Re: (Score:2)
Yeah. On the one hand you have the sum total of our state-of-the-art security systems. On the other you have the raging hormones of a typical 14 year old. I know where I'm placing my bet in that fight...
Re: (Score:2)
Re: (Score:2)
Wtf, I did not know you could enter an ip address as a long [3630769679] until now.
Re: (Score:2)
Well, that depends. What is the parent's goal?
Is it to raise a teen to be a safe and responsible internet/smartphone/computer/technology-in-general user? Then they should be taught good information security habits as early as possible; starting with proper password discipline beginning with: "Never, but NEVER give your password to anyone under any circumstances."; continuing along to how important 2-factor and encryption are;, and including malware avoidance and removal. Seriously... we already entrust a
Re: (Score:2)
Then feel sympathy for the teens. They weren't likely given much choice here.
Parents that use this are utterly creepy (Score:3)
Of course, being those creeps, they may do exactly the best thing to prepare their children for living in the upcoming surveillance state and soon-to-follow full-blown fascism. The leakage of the accounts is obviously part of that pedagogic concept. Hence I conclude that this is an absolutely great app that anybody should inflict on their children as soon as possible! Of course, in any self-respecting fascism, children also do surveillance (and denunciation to the authorities) of their parents. A business opportunity for, aehm, "Parentsafe"?
Re: (Score:2)
Of course, being those creeps, they may do exactly the best thing to prepare their children for living in the upcoming surveillance state and soon-to-follow full-blown fascism. The leakage of the accounts is obviously part of that pedagogic concept. Hence I conclude that this is an absolutely great app that anybody should inflict on their children as soon as possible! Of course, in any self-respecting fascism, children also do surveillance (and denunciation to the authorities) of their parents. A business opportunity for, aehm, "Parentsafe"?
To be fair here, there are a number of concepts to which a teenager's right to privacy comes in second place:
1. Unless it's a prepaid phone, the parent is paying the bill - and, in the majority of cases, probably paid for the phone, too. If it's the parent's phone and the parent's service, being able to monitor what's going on isn't all that unreasonable. If a teen has purchased their own phone and their own service with their own money, sure, that's a bit different...but a parent monitoring the phone and s
Safe? (Score:2)
Noun
S: (n) safe (strongbox where valuables can be safely kept)
S: (n) safe (a ventilated or refrigerated cupboard for securing provisions from pests)
It's a collection of children, all in one convenient location. Nice work, TeenSafe. Great name, by the way. You had one job...
The ultimate tool for Helicopter Parenting (Score:3)