This digest covers the security incidents and vulnerabilities reported during the week of April 20.
Sensitive information disclosure vulnerability in Sharp's Android devices
Sharp announced on April 23 that a vulnerability exists in the company's Android smartphones. The affected models and versions are as follows.
- AQUOS SH-M02 version 01.00.05 and earlier
- AQUOS SH-RM02 version 01.00.04 and earlier
- AQUOS mini SH-M03 version 01.00.04 and earlier
- AQUOS mobile phone SH-N01 version 01.00.01 and earlier
- AQUOS L2 [UQ mobile / J: COM] version 01.00.05 and earlier
- AQUOS sense lite SH-M05 version 03.00.04 and earlier
- AQUOS sense [UQ mobile] version 03.00.03 and earlier
- AQUOS compact SH-M06 version 02.00.02 and earlier
- AQUOS sense plus SH-M07 version 02.00.02 and earlier
- AQUOS sense2 SH-M08 version 02.00.05 and earlier
- AQUOS sense2 [UQ mobile] version 02.00.06 and earlier
Through this vulnerability, an application on the device could obtain information stored on the device. However, the company states that the impact is not significant given the nature of the information that could be exposed.
Software that fixes the vulnerability has already been released; users of the affected models should be sure to update.
Unauthorized logins using Nintendo Network IDs
Nintendo revealed on April 24 that unauthorized logins to "Nintendo Network ID" [hereinafter NNID] accounts had occurred.
The unauthorized logins were the result of a password list attack (credential stuffing) using login IDs and passwords that had been illegally obtained from services other than Nintendo's. The attack appears to have begun around the beginning of April, with the attackers logging in as the affected users.
An NNID is the ID used for Nintendo 3DS series and Wii U services. It is separate from a Nintendo Account, but because the two could be linked, the company has discontinued the linking function. If the same password was used for both, the attacker may also have been able to log in to the Nintendo Account, so affected users are required to reset their passwords.
About 160,000 NNIDs were subject to unauthorized login. Information that may have been viewed by a third party includes the nickname, date of birth, country/region, and email address. For NNIDs linked to a Nintendo Account, the registered name, date of birth, gender, country/region, and email address may also have been viewed.
The company urges users not to reuse the same password when resetting it, including passwords used on other external services. Two-step verification is available for Nintendo Accounts and is worth enabling.
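A password list attack of the kind described above leaves a characteristic trace in authentication logs: one source tries many distinct accounts in a short time with a high failure rate, and the occasional success marks an account whose password was reused elsewhere. The following is an added example of that detection logic, not Nintendo's code; the log line format and the IP addresses and account names are constructed for the snippet.

```python
"""Spot password-list (credential-stuffing) patterns in authentication logs.

Added example; the log format below is constructed for this snippet and is
not the format of Nintendo's or any other real service.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2020-04-02T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2020-04-02T10:00:02Z src=198.51.100.7 user=bob result=FAIL
2020-04-02T10:00:02Z src=198.51.100.7 user=carol result=OK
2020-04-02T10:00:03Z src=198.51.100.7 user=dave result=FAIL
2020-04-02T10:00:03Z src=198.51.100.7 user=erin result=FAIL
2020-04-02T10:00:04Z src=198.51.100.7 user=frank result=OK
2020-04-02T10:05:00Z src=203.0.113.9 user=alice result=FAIL
2020-04-02T10:05:10Z src=203.0.113.9 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)      # distinct accounts tried
    compromised: set = field(default_factory=set)   # accounts with a successful login


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Per-source counters over the whole log."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s.attempts += 1
        s.accounts.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.compromised.add(rec["user"])
    return stats


def find_stuffing_sources(lines, min_accounts=5, min_fail_ratio=0.5):
    """Return {src: SourceStats} for sources that tried many distinct accounts
    with a high failure rate: a list attack, not one user mistyping a password."""
    flagged = {}
    for src, s in aggregate(lines).items():
        if len(s.accounts) >= min_accounts and s.failures / s.attempts >= min_fail_ratio:
            flagged[src] = s
    return flagged


def accounts_to_reset(lines, **kw):
    """Accounts successfully logged into from a flagged source: those are the
    reused credentials that need a forced password reset."""
    out = set()
    for s in find_stuffing_sources(lines, **kw).values():
        out |= s.compromised
    return sorted(out)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, s in find_stuffing_sources(lines).items():
        print(f"{src}: {len(s.accounts)} accounts, {s.failures}/{s.attempts} failed, "
              f"successes on {sorted(s.compromised)}")
    print("reset:", accounts_to_reset(lines))
```

The thresholds are deliberately simple; in practice they are tuned per service and applied over a sliding time window, and the source key may be a subnet or ASN rather than a single IP, since list attacks are usually spread across many addresses. The single user retrying their own account from 203.0.113.9 is correctly left alone.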
Vulnerability in the password tool bundled with Toshiba's "CANVIO" external HDD series
Toshiba Device & Storage revealed on April 20 that there is a vulnerability in the Password Tool for Windows supplied with the "CANVIO" external HDD series. The software is either preinstalled on the product or published on the company's website. The affected software versions and products are as follows.
- Password Tool for Windows version 1.20.6620 and earlier
- CANVIO PREMIUM [3TB, 2TB, 1TB]
- HD-MB30TY / HD-MA30TY [dark gray metallic]
- HD-MB30TS / HD-MA30TS [silver metallic]
- HD-MB20TY / HD-MA20TY [dark gray metallic]
- HD-MB20TS / HD-MA20TS [silver metallic]
- HD-MB10TY / HD-MA10TY [dark gray metallic]
- HD-MB10TS / HD-MA10TS [silver metallic]
- CANVIO SLIM [1TB, 500MB]
- HD-SB10TK [black]
- HD-SB10TS [silver]
- HD-SB50GK / HD-SA50GK [black]
- HD-SB50GS / HD-SA50GS [silver]
The vulnerability is an unquoted service path: the path to the service's executable contains white space, so an application whose name matches the first part of that path could be started with the privileges the service runs with. As a result, an unauthorized file could be executed.
If "Password Tool for Windows 1.20.6620 or earlier" is already installed, delete it without running it. If a password has already been set with the tool, remove the password first and then uninstall the software. A fixed version will be provided on April 28.
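The weakness described above is easy to audit for across a fleet: a service whose ImagePath is not wrapped in quotes and whose directory names contain spaces is at risk, and the fix is simply to quote the executable part. The following is an added example of such a check, not Toshiba's code and not how the Windows service loader itself resolves paths; the service names and paths are constructed, and it assumes the binary name ends in .exe so that the executable can be separated from its arguments.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness.

Added example; the sample ImagePath values are constructed. It does not read
the registry itself: feed it strings exported from the service configuration
(for instance the PathName column of Win32_Service).
"""
import re

# Constructed sample: service name -> ImagePath as stored in the registry.
SAMPLE_SERVICES = {
    "GoodSvc":  r'"C:\Program Files\Vendor A\Good Service\goodsvc.exe" -run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "WeakSvc":  r"C:\Program Files\Vendor B\Disk Tool\disktool.exe",
    "WeakArgs": r"C:\Program Files\Vendor C\Agent Service\agent.exe --service",
}

# Heuristic (an assumption of this example): the executable is the shortest
# prefix ending in ".exe"; whatever follows a space after it is arguments.
EXE_RE = re.compile(r"^(?P<exe>.*?\.exe)(?P<args>\s.*)?$", re.IGNORECASE)


def split_image_path(image_path):
    """Return (exe, args) for either a quoted or an unquoted ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in ImagePath")
        return s[1:end], s[end + 1:].strip()
    m = EXE_RE.match(s)
    if not m:
        return s, ""
    return m.group("exe"), (m.group("args") or "").strip()


def is_unquoted_with_spaces(image_path):
    """True when the path is unquoted and the executable path contains a space:
    the condition under which a file named after a path prefix could be run."""
    s = image_path.strip()
    if s.startswith('"'):
        return False
    exe, _ = split_image_path(s)
    return " " in exe


def quoted_image_path(image_path):
    """The corrected ImagePath: executable wrapped in double quotes, arguments kept."""
    exe, args = split_image_path(image_path)
    fixed = f'"{exe}"'
    return f"{fixed} {args}" if args else fixed


def audit(services):
    """Map service name -> corrected ImagePath for every weak entry."""
    return {name: quoted_image_path(path) for name, path in services.items()
            if is_unquoted_with_spaces(path)}


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; set ImagePath to {fixed}")
```

Quoting the path is the vendor-side fix; on the administrator side, the more durable mitigation is making sure that no non-administrator can create files in the directories along the path (such as the root of Program Files), so that a crafted file cannot be placed there even if a vendor ships an unquoted path again.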
Phishing emails impersonating Yodobashi Camera
As of April 21, phishing emails impersonating Yodobashi Camera are circulating. The email subjects are as follows.
- [Yodobashi member] Have you logged in? [Date Time]
- [Yodobashi member] Security system upgrade [at time]
The email asks the recipient to confirm their account information and prompts them to click a link. The link leads to a phishing site that steals Yodobashi Camera [Yodobashi.com] IDs and passwords and also attempts to collect credit card information.
The phishing site closely resembles the official Yodobashi.com site, so it is hard to tell the two apart. Users of Yodobashi.com should check the domain and other details to confirm that a site is genuine. The phishing site was still in operation as of April 21, and similar sites may appear, so caution is advised.
Member information leaked from Yamakei Online
Yama-Kei Publishers announced on April 18 that personal information had leaked from "Yamakei Online", which the company operates. The leak was discovered after a tip from a third party.
The investigation found that information on users who registered before the renewal of "Yamakei Online" on April 9, 2013 had leaked. In response, the company reset those users' registered passwords on April 18, replacing them with randomly generated passwords.
The leak affected 29,431 people. The leaked information consists of email addresses, login passwords, dates of birth, and telephone numbers. The company warns that the leaked personal information could be used in the future for unauthorized logins, impersonation, phishing emails, and the like.
"Yamakei Online" also suffered unauthorized access from outside via SQL injection in July 2015 and November 2017, and the company is investigating whether there is a connection.