The possibility of some hackers getting into my laptop was always a scary thought. That was why a Dell was never purchased by me. My aunt, now deceased, told me she had problems with her desktop. No one was allowed to use it because of her having to reformat the hard drive every time. They might be a favorite item this Christmas, but they may come with malicious software in tow. This blogger felt empathy for the children and parents of Vtech also.
In Dell’s case, it came as an already installed certificate that poses as Google, making it easier for hackers to gain entry. That wasn’t all. Bank of America and other HTTPS sites were vulnerable also, at least their encrypted information was. What bothered me was the length of time Dell knew about this software certificate security problem or how many laptop models were affected by the faulty security program? Here was their statement to Reuters:
“The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience,” Dell said.
“Unfortunately, the certificate introduced an unintended security vulnerability.”
How long they knew or how many laptops had this problem didn’t seem to matter because the company has taken steps to correct the situation. Anyone finding this situation on their laptop was offered on site and email instructions on the removal of this malicious security software. This was frighteningly almost the same as their “Superfish” program found on their Lenovo computers at the beginning of this year.
Vtech had its own hacker’s situation too, but on its apps store database SQL servers. Over 4 million children were affected by this trouble because not only were their names, gender and ages revealed, the names, addresses phone numbers and email addresses of their parents were also.
The creepiest thing was other sensitive information like credit card data secret questions, and passwords were also stolen by this hacker mainly, because users of the app leaned heavily on making payments via a third party. The only bright spot was that this hacker identified himself and how this very large data breach took place.
The hacker who claimed responsibility for the breach provided files containing the sensitive data to Motherboard last week. Apparently, they gained access to the company’s database using a technique known as SQL injection. Also known as SQLi, this is an ancient, yet extremely effective, method of attack where hackers insert malicious commands into a website’s forms, tricking it into returning other data. The hacker was then able to break into VTech’s web and database servers, where they had “root access”—in other words, access with full authorization or control. The hacker said that while they don’t intend to publish the data publicly, it’s possible others exfiltrated it first.
This was the hacker’s statement via encrypted chat:
“It was pretty easy to dump, so someone with darker motives could easily get it.”
One annonymous user stated, “I was surprised and shocked to see my data breached on a ‘child friendly’ website.”
VTech then confirmed the breach in an email on Thursday, days after Motherboard reached out to the company for comment. Their statement was:
“We were not aware of this unauthorized access until you alerted us.”
Disgusted said it best in their well thought out email to the company in the comments. Of course, the efforts of VTech were professional and poised to say the least, in their reply. This blogger was glad they hadn’t purchased anything in this article.