The headline on 08 Apr 2020
Zoom Acknowledges Encryption Problems. The University of Toronto’s Citizen Lab has examined Zoom’s encryption and concluded that the teleconferencing app is “not suitable for secrets.” Zoom initially claimed it offered “end-to-end encryption” for meetings, but last week published a blog saying that it “recognize[s] that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.” Citizen Lab also found a security issue with Zoom’s Waiting Room feature and recommends that Zoom meetings use passwords.
- On 5 April, Zoom changed defaults to enable passwords and start with the waiting room feature. I’ll pretty much repeat what I said last Friday in Newsbites: “The easy answer is there are more secure alternatives to Zoom and companies should be providing and recommending those. The real answer is that many employees working at home and their families will be using Zoom for the next few months.” On the end-to-end crypto issue – a term that is thrown around a lot – many issues arise across many products. The bigger issue with Zoom has been user-stored sessions being easily findable and accessible on the Internet – another issue Zoom is working on. Great webcast on how to mitigate many Zoom issues by SANS instructor Mick Davis is available at www.sans.org: ZOMG it’s ZOOM
- Great work by Citizen Lab analyzing the Zoom encryption issues. The part I find most concerning is the fact that simple statements, like the length of the key used, were obviously wrong in Zoom’s description of the encryption protocol. This shows, yet again, a common tech startup problem: a leadership group that is over-confident in the capabilities of their product but has little connection to the reality of what their product is actually capable of doing. This is not uniquely a Zoom issue; it is pervasive among startups including security startups. Always double check the vendor’s claims.
- It is important to understand the security of any video teleconferencing system used. The Zoom Blog below explains the encryption options for Zoom, including noting they have an option for customers to use their own key management systems. Understanding and accepting the risk of where the encryption keys are and how they are managed is important for any outsourced service. User guides need to be clear regarding the differences in security of room meeting systems, telephone and using the native meeting client. Irrespective of the software used, using the native client for all functions by all participants is the most secure option for meeting participation.
Read more in:
- Move Fast and Roll Your Own Crypto | A Quick Look at the Confidentiality of Zoom Meetings
- The Facts Around Zoom and Encryption for Meetings/Webinars
- Zoom concedes custom encryption is substandard as Citizen Lab pokes holes in it
- So Wait, How Encrypted Are Zoom Meetings Really?
Some US School Districts Will Stop Using Zoom. New York City public schools and other US school districts have said that security and privacy concerns about Zoom have prompted them to stop using the teleconferencing platform for distance learning. New York City Schools Chancellor Richard Carranza says they are aiming to “get more classrooms videoconferencing on a safe and secure platform.” Other school districts have decided to stop using Zoom or have mandated stricter security measures for its use.
- See more detailed comments on the “Zoom Acknowledges Encryption Problems” item, but with some basic security hygiene instruction for users and admins Zoom can be used safely for many purposes, like education. One reality: just as all businesses learned they needed emergency backup power and had to periodically test switchover in advance of need, the same will be true for remote work/remote education etc. Businesses, schools, government will need to turn these emergency remote measures into safer and managed backup capabilities. Just like schools have fire drills, the future should have “remote education” drills.
- For schools, configuration issues that lead to issues like “Zoom Bombing” are a real problem. Other collaboration platforms may have similar problems, and these problems are fixable in Zoom (and Zoom has addressed them with better default configurations).
- Rather than a wholesale switch to another teleconferencing platform, look first at securing what you have. Simple changes may provide sufficient security without incurring the expense of replacement. Mick Douglas has an excellent analysis on Zoom security and associated risks. www.sans.org: ZOMG it’s ZOOM
- Zoom is not the only video conferencing game in town. It has more mature, if more expensive, competitors. The decision not to use it should include the allocation of funds to pay for the more expensive options. If the schools pay as little attention to the secure use of the more mature systems as they have to that of Zoom, a simple change in platform will not help much. Properly configured and setup, Zoom remains a good choice for primary and secondary schools, if somewhat less so for college class sizes. (Simply by altering the default settings, Zoom has become more resistant to the more notorious abuses.)
Read more in:
- School districts, including New York City’s, start banning Zoom because of online security issues
- NYC schools step away as Zoom sets remediation plan
Critical Unpatched Microsoft Exchange Servers. More than 350,000 Internet-facing Microsoft Exchange servers have still not been patched against a known vulnerability, according to data gathered by Rapid7. Microsoft released a fix for the remote code execution flaw in February.
Note: This vulnerability has been overlooked by many organizations because it can be exploited without requiring user credentials. Any user will do. If you are concerned about users re-using credentials, or being subject to phishing, then you should be concerned about this vulnerability. Exploitation will lead to a full compromise of the Exchange server.
Read more in:
- Phishing for SYSTEM on Microsoft Exchange (CVE-2020-0688)
- Too Many Exchange Servers Remain Unpatched
- CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability
- Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020
NASA Experiencing “Exponential” Increase in Malware Attacks as Employees Work from Home. A memo from NASA’s Chief Information Officer (CIO) says that the agency has experienced an “exponential increase in malware attacks on NASA systems” since employees started working from home due to the COVID-19 outbreak. NASA has also noted that the numbers of phishing attempts and of agency devices trying to access malicious websites are twice what they regularly are.
- When working remotely, the user has an added responsibility as their system is not protected by the enterprise perimeter and network security systems. Consider leveraging information in the SANS Security Awareness Work at Home Deployment toolkit (www.sans.org) to help users be secure and make good choices.
- Criminals will take advantage of any crisis and will target your company and employees. Revise your detection and response capabilities and processes to see how you can manage an incident when your response team is working from home.
- Note that the “increase in malware attacks” results in part from users visiting unsafe sites from home or from their own computers that they cannot or do not visit from work. Some will result from the use of home or family use computers that may already have been contaminated. Prefer enterprise owned and managed computers for all enterprise use without regard to the location where it is used. Recognize the need for user direction, compensating controls, or intentional risk acceptance.
FireEye Report on Zero-Day Exploits. In a blog post published on Monday, April 6, FireEye observes that while exploiting zero-day vulnerabilities used to be a sign of a sophisticated malware actor, now it means that the attackers have the funds to purchase zero-day exploits from companies that sell offensive cyber tools. FireEye tracked exploited zero-day vulnerabilities in 2019; more zero-day vulnerabilities were exploited in 2019 than in any of the three previous years. FireEye also noted an increase in the use of zero-day exploits by governments and law enforcement agencies.
Read more in:
- Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill — Intelligence for Vulnerability Management, Part One
- This Map Shows the Global Spread of Zero-Day Hacking Techniques
- Roaring trade in zero-days means more vulns are falling into the hands of state spies, warn security researchers
- More Attackers Have Begun Using Zero-Day Exploits
- A Brisk Private Trade in Zero-Days Widens Their Use
Jupiter, Florida Recovering From Ransomware. Computers belonging to the town of Jupiter, Florida, were hit with ransomware on March 23. Due to the attack, the town’s email and utility payment systems were still unavailable, as was the system for submitting plans. Jupiter does not plan to pay the ransom demand.
Note: Unlike the recovery for Lake City and Riviera Beach, Florida, last year, there are two new variables in this incident. First, REvil/Sodinokibi are now promising to publish exfiltrated data from victims, and second, COVID-19 introduces health-safety challenges to the tasks of recovery and response. I have not seen a COOP/DR plan that includes provisions for preventing infection, and including best practices from this pandemic in them is prudent.
DarkHotel APT Group Allegedly Targeting Chinese Government Agencies. Hackers allegedly working on behalf of an unnamed government used an unpatched vulnerability in virtual private networks (VPNs) to launch cyberattacks against Chinese government agencies around the world. The perpetrators are believed to be the advanced persistent threat (APT) group known as DarkHotel.
Read more in:
- DarkHotel hackers use VPN zero-day to breach Chinese government agencies
- Government VPN Servers Targeted in Zero-Day Attack
Firefox Updates Fix Two Actively Exploited Flaws. Mozilla has released an update for Firefox that addresses two critical vulnerabilities that are being actively exploited. Both of the vulnerabilities, a use-after-free while running the nsDocShell destructor, and a use-after-free when handling a ReadableStream, can be exploited to execute arbitrary code or cause machines to crash. The most current versions of the browser are Firefox 74.0.1 and Firefox ESR 68.6.1.
Note: This provides an opportunity to verify your software update capability when the majority of the workforce is remote. Can your management systems provide updates when the VPN is disconnected? Consider communication to leave systems running or self-service update options. With the duration of current events unknown, waiting for systems to return for updates is unwise.
Read more in:
- Mozilla Foundation Security Advisory 2020-11 | Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1
- Mozilla Patches Critical Vulnerabilities in Firefox, Firefox ESR
- Firefox gets fixes for two zero-days exploited in the wild
- Firefox Zero-Day Flaws Exploited in the Wild Get Patched
- Mozilla Patches Two Actively Exploited Firefox Zero-Days
- Mozilla Fixes Two Firefox Flaws Under Active Attack
- Mozilla plugs two Firefox browser holes exploited in the wild by hackers to hijack victims’ computers
Border Gateway Protocol Hijacking Sends Traffic Through Russian Telecom. A border gateway protocol (BGP) hijacking incident caused traffic intended for more than 200 content delivery networks and cloud hosting providers to be rerouted through Russia’s telecommunications provider, Rostelecom. The situation lasted for approximately one hour.
Note: It is incidents like this, and the ever increasing concerns raised over vulnerabilities in the networking and communications hardware we deploy on the Internet, that we should be using to highlight why strong encryption is so important to secure our data and inserting backdoors or golden keys only weakens that security.
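Encryption protects the content of rerouted traffic, but the rerouting itself is something an operator can detect: every announced prefix can be checked against who is authorised to originate it. The following is an added example, not code from the newsletter or from any report on this incident. It applies RFC 6811-style route origin validation (the RPKI/ROA mechanism, which generalises beyond the single event described above) to a set of constructed announcements. The ROA table, prefixes and AS numbers are documentation values from RFC 5737 and RFC 5398, not data from the Rostelecom event, and the `Audit` function and its output format are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA mirrors an RPKI Route Origin Authorization: OriginAS may announce
// Prefix and any more-specific of it down to MaxLength bits.
type ROA struct {
	Prefix    netip.Prefix
	MaxLength int
	OriginAS  uint32
}

// Route is one announcement as a route collector sees it. The AS path runs
// from the collector's neighbour to the origin, so the origin is the last hop.
type Route struct {
	Prefix netip.Prefix
	ASPath []uint32
}

// Origin returns the originating AS (a non-empty path is assumed).
func (r Route) Origin() uint32 { return r.ASPath[len(r.ASPath)-1] }

// covers reports whether the ROA's prefix contains the announced prefix.
func covers(roa ROA, p netip.Prefix) bool {
	return roa.Prefix.Bits() <= p.Bits() && roa.Prefix.Contains(p.Addr())
}

// Validate returns the RFC 6811 origin-validation state of one route:
// "valid" when a covering ROA authorises both the origin and the length,
// "invalid" when covering ROAs exist but none does, "not-found" otherwise.
func Validate(r Route, roas []ROA) string {
	covered := false
	for _, roa := range roas {
		if !covers(roa, r.Prefix) {
			continue
		}
		covered = true
		if roa.OriginAS == r.Origin() && r.Prefix.Bits() <= roa.MaxLength {
			return "valid"
		}
	}
	if covered {
		return "invalid"
	}
	return "not-found"
}

// Audit reports every announcement that is not valid. "invalid" is the hijack
// or leak signature (a prefix, or a more-specific of it, originated by an AS
// the holder never authorised); "not-found" only marks a gap in ROA coverage.
func Audit(routes []Route, roas []ROA) []string {
	var alerts []string
	for _, r := range routes {
		if state := Validate(r, roas); state != "valid" {
			alerts = append(alerts, fmt.Sprintf("%s via path %v (origin AS%d): %s", r.Prefix, r.ASPath, r.Origin(), state))
		}
	}
	return alerts
}

// SampleROAs and SampleRoutes are constructed from the documentation prefixes
// of RFC 5737 and the documentation ASNs of RFC 5398; they are not real routes.
func SampleROAs() []ROA {
	return []ROA{
		{netip.MustParsePrefix("203.0.113.0/24"), 24, 64500},
		{netip.MustParsePrefix("198.51.100.0/24"), 25, 64501},
	}
}

func SampleRoutes() []Route {
	return []Route{
		{netip.MustParsePrefix("203.0.113.0/24"), []uint32{64496, 64500}},    // legitimate
		{netip.MustParsePrefix("203.0.113.0/25"), []uint32{64496, 64500}},    // right origin, longer than MaxLength
		{netip.MustParsePrefix("203.0.113.0/24"), []uint32{64496, 64511}},    // unauthorised origin
		{netip.MustParsePrefix("198.51.100.128/25"), []uint32{64496, 64511}}, // more-specific from an unauthorised origin
		{netip.MustParsePrefix("192.0.2.0/24"), []uint32{64496, 64502}},      // no ROA at all
	}
}

func main() {
	for _, a := range Audit(SampleRoutes(), SampleROAs()) {
		fmt.Println(a)
	}
}
```

The second and fourth sample routes show why MaxLength matters: a more-specific announcement wins the longest-prefix match in every router on the Internet, so a hijacker who cannot beat the real origin on a /24 can still attract its traffic with two /25s unless the ROA forbids that length.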
Microsoft DART Case Report: Emotet Caused Full Operational Shutdown. Microsoft’s Detection and Response Team (DART) has published a case report that describes an incident in which the Emotet malware shut down an entire operational network. The attack began with a malicious attachment to a phishing email. Once the attackers gained a foothold in the network, they spread Emotet throughout it. Emotet updated with new definitions every few days, enabling it to evade detection by antivirus programs. The malware maxed out computers’ CPUs and consumed the network’s bandwidth, shutting down the company’s core services.
Note: “Phishing” and other attacks designed to dupe and exploit users will continue to be the Achilles heel of the enterprise unless and until we isolate e-mail and browsing from other enterprise applications.
Read more in:
- Full Operational Shutdown (PDF)
- Full Operational Shutdown—another cybercrime case from the Microsoft Detection and Response Team
- Microsoft: Emotet Attack Shut Down an Entire Business Network
- Microsoft: Emotet Took Down a Network by Overheating All Computers
The headline on 03 Apr 2020
FBI Issues Warning About Zoom Security Issues. The FBI has issued a warning that Zoom and other teleconferencing apps may be vulnerable to hijacking. The FBI advises users not to make meetings or classrooms public, to restrict screen-sharing capability, and to use meeting passwords. Zoom has a “waiting room” feature that allows the host to control who is admitted.
- Today The Citizen Lab released the results of their examination of the security and privacy features in Zoom: (citizenlab.ca: Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings). Their findings back up the warnings from the FBI and raised several concerns over how encryption is enabled within the application. However, we need to remember that companies are using Zoom, and other conferencing platforms, to enable them to survive through the COVID19 pandemic and companies need to do a risk assessment that suits them. For many companies, the warnings from the FBI and The Citizen Lab will describe an acceptable risk, while for others who may be discussing sensitive data they may not.
- The easy answer is there are more secure alternatives to Zoom and companies should be providing and recommending those. The real answer is that many employees working at home and their families will be using Zoom for the next few months. Security vendor Checkpoint recently put good safe use guidelines for using Zoom at blog.checkpoint.com: Who’s Zooming Who? Guidelines on How to Use Zoom Safely and SANS has released a secure work at home awareness kit at www.sans.org: SANS Security Awareness Work-from-Home Deployment Kit. Zoom (see item below) has also pledged to make security job one over the next few months – much needed.
Read more in:
- FBI warns Zoom, teleconference meetings vulnerable to hijacking
- FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic
Zoom: Two Zero-days Patched; Credential Theft Flaw Not Yet Fixed; Password Problems. Fixes are available for two zero-day vulnerabilities in Zoom for macOS; Zoom is working on a fix for a vulnerability that lets attackers steal Windows credentials; and an automated Zoom meeting discovery tool found that many meetings are not password protected.
- Disclosing vulnerabilities should be done responsibly, and directly to the affected provider prior to a public blog posting to give them time to respond. Zoom has been working to accelerate addressing security issues discovered. Of late, the patches are released as quickly as 24 hours after issue discovery. These discovered issues have been resolved.
- For reasons of audience convenience, few Zoom meetings employ passwords. However, they are essential for many business applications. Be particularly careful about privileges granted to meeting participants.
Read more in:
- Two Zoom Zero-Day Flaws Uncovered
- Zoom Rushes Patches for Zero-Day Vulnerabilities
- Attackers can use Zoom to steal users’ Windows credentials with no warning
- ‘War Dialing’ Tool Exposes Zoom’s Password Problems
Zoom Founder Says Company Will Focus on Security and Privacy. Due to the number of people currently working and learning from home, the use of the Zoom videoconferencing app has risen sharply from 10 million users in December 2019 to more than 200 million in March 2020. The company has faced complaints about myriad security and privacy issues, including meetings disrupted by intruders, user data being shared with Facebook, and the fact that the app’s end-to-end encryption feature does not actually function as end-to-end encryption. The company has taken steps to remedy some of the issues. Zoom’s founder Eric Yuan says that the company will spend the next three months working on addressing security issues.
- Zoom’s founder came from Cisco where security is the top priority. He should have made security a top requirement from the start. I hope Zoom’s Board of Directors is hearing the message – you can help by giving Zoom feedback about how important security is. Their feedback form is at zoom.us/feed.
- Credit is due to Zoom for how quickly they responded to the issues raised and how openly they have communicated to their users. There are many lessons here for companies to learn how they can improve their vulnerability management processes.
Read more in:
- A Message to Our Users
- Zoom: We’re freezing all-new features to sort out security and privacy
- Zoom founder promises to remedy security, privacy concerns during a ‘feature freeze’
- Zoom boss says it’ll freeze feature updates to address security issues
- The Zoom Privacy Backlash Is Only Getting Started
- Zoom’s end-to-end encryption isn’t actually end-to-end at all. Good thing the PM isn’t using it for Cabinet calls. Oh, for f…
Microsoft Warns Hospitals of Vulnerabilities in VPN and Gateway Appliances. Microsoft has directly warned hospitals that their virtual private network (VPN) and gateway appliances contain security flaws that are being exploited by attackers behind the REvil/Sodinokibi ransomware. In a blog post, the Microsoft Threat Protection Intelligence Team writes, “Through Microsoft’s vast network of threat intelligence sources, we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure.”
- Johannes Ullrich of SANS Internet Storm Center highlighted these vulnerabilities in his part of the SANS “Five Most Dangerous Attack Techniques and How to Prevent Them” keynote panel at the 2020 RSA Conference – you can see it at www.sans.org: The Five Most Dangerous New Attack Techniques. SANS will present the 2020 Threat Trends report that includes those 5 areas and more, on an April 28th webinar – info at www.sans.org: SANS Top New Attacks and Threat Report.
- Terminate VPNs on the application, not the perimeter and not on an operating system. The additional design, setup, and administration will be more than offset by the reduction in risk.
Read more in:
- Coronavirus: Microsoft directly warns hospitals, ‘Fix your vulnerable VPN appliances’
- Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks
- Ransomware Attackers Exploit #COVID19 to Target Hospital VPNs
- Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here’s what to do
FCC Order Requires Carriers to Implement STIR/SHAKEN Protocol. The US Federal Communications Commission (FCC) has unanimously approved an anti-robocall order, which “requires all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021.” This action from the FCC was required as a part of the TRACED Act, which passed Congress and became law in December 2019.
- While some carriers, including AT&T, Verizon, Sprint and T-Mobile, have voluntarily implemented STIR/SHAKEN, sometimes a regulatory requirement is needed to get resources and commitment to implement security measures. Once implemented, carriers need to verify their solution works with other networks. The last step: users need devices that display the “Caller Verified” notification and have the notification enabled for their account.
- STIR/SHAKEN is the first critical step, providing call authentication – raising the bar against spoofing of the calling number. Congress finally acted on that, a good thing. The next step is another chance for the carriers to raise the bar through rapid voluntary action – the addition of better call analytics to detect malicious calls, even if they are coming from an authenticated calling number. Then apply those same major bar raisers to data traffic.
Read more in:
- FCC requires anti-robocall tech after “voluntary” plan didn’t work out [Updated]
- FCC will require phone carriers to authenticate calls by June 2021
- STIR/SHAKEN overview
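To make concrete what the “call authentication” in the comments above consists of: the originating carrier signs a small token (a PASSporT, RFC 8225, with the SHAKEN extensions of RFC 8588) naming the calling and called numbers and an attestation level, and the terminating carrier verifies it before deciding what to show the subscriber. The code below is an added example, not from the FCC order, the STIR/SHAKEN overview linked above or any carrier implementation. The phone numbers (fictional 555-01xx range), the certificate URL, the origid and the one-minute freshness window are constructed placeholders and policy assumptions of this example; certificate retrieval and chain checking against the SHAKEN PKI are left out and a key pair generated in-process stands in for the carrier's certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header and Payload follow the SHAKEN PASSporT layout (RFC 8225, RFC 8588).
// attest is A (carrier vouches for customer and number), B (customer only)
// or C (gateway traffic of unknown origin); x5u is where the terminating
// carrier fetches the signer's certificate.
type Header struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"`
}

type Payload struct {
	Attest string              `json:"attest"`
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
	OrigID string              `json:"origid"`
}

// NewKey makes the originating carrier's ES256 (P-256) signing key.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign builds the compact JWS base64url(header).base64url(payload).base64url(r||s).
func Sign(key *ecdsa.PrivateKey, x5u, attest, origTN, destTN, origID string, iat time.Time) (string, error) {
	h, _ := json.Marshal(Header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: x5u}) // fixed structs marshal without error
	p, _ := json.Marshal(Payload{Attest: attest, Dest: map[string][]string{"tn": {destTN}},
		Iat: iat.Unix(), Orig: map[string]string{"tn": origTN}, OrigID: origID})
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify is the terminating carrier's check: signature, header, freshness of
// iat, and that the signed numbers match the From and To of the INVITE that
// carried the token. It returns the attestation level on success.
func Verify(pub *ecdsa.PublicKey, token, fromTN, toTN string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", errors.New("signature does not verify")
	}
	var h Header
	var p Payload
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || json.Unmarshal(hb, &h) != nil || json.Unmarshal(pb, &p) != nil {
		return "", errors.New("undecodable header or payload")
	}
	if h.Alg != "ES256" || h.Ppt != "shaken" || h.Typ != "passport" {
		return "", errors.New("unexpected header values")
	}
	if age := now.Sub(time.Unix(p.Iat, 0)); age < -time.Minute || age > time.Minute {
		return "", errors.New("iat outside the one-minute freshness window")
	}
	if p.Orig["tn"] != fromTN || len(p.Dest["tn"]) != 1 || p.Dest["tn"][0] != toTN {
		return "", errors.New("signed numbers do not match the From/To of the call")
	}
	return p.Attest, nil
}

func main() {
	key, _ := NewKey()
	// Constructed call: fictional 555-01xx numbers and a placeholder certificate URL.
	tok, _ := Sign(key, "https://cert.example.net/sp.pem", "A", "12025550123", "12025550187", "call-0001", time.Now())
	fmt.Println(Verify(&key.PublicKey, tok, "12025550123", "12025550187", time.Now()))
	fmt.Println(Verify(&key.PublicKey, tok, "12025550199", "12025550187", time.Now())) // spoofed From
}
```

The second `Verify` call is the whole point of the scheme: a token replayed on a call whose From header carries a different number fails, because the number is inside the signed payload rather than in the unsigned SIP headers. Note also what the check does not do, which is the point of the second comment above: a valid, A-level token from a carrier that knowingly originates robocalls verifies fine, so authentication has to be followed by analytics.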
Marriott Discloses Second Data Breach in 16 Months. Marriott International has disclosed a data breach that exposed information belonging to 5.2 million customers. The information was compromised through the use of access credentials belonging to “two employees at a franchise property.” In November 2018, Marriott disclosed a breach of the Starwood hotel reservation database that affected nearly 400 million people. Both breaches illustrate the need for organizations to ensure the security not only of their own systems, but also of those of their partners.
- The judicious use of multi-factor authentication reduces the value of captured credentials. Make sure that all entry points that accept those credentials have the same authentication requirements.
- The lodging industry is obviously hard hit by the travel restrictions to fight the pandemic. This would be a good time for lodging IT operations to upgrade the security of their IT systems, just as they will be upgrading sanitary protections at the facilities.
Read more in:
- Marriott International: Incident Notification
- New Marriott data breach impacts 5.2 million guests
- Hack Brief: Marriott Got Hacked. Yes, Again
- Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off 5.2m guests’ personal info
- Marriott discloses new data breach impacting 5.2 million hotel guests
- Marriott Reports Data Breach Affecting Up to 5.2 Million Guests
Microsoft Will Postpone Disabling TLS 1.0 and 1.1 in Browsers. Microsoft will delay disabling of TLS 1.0 and 1.1 in its browsers. The change, originally scheduled for the first half of 2020 will be pushed back to the second half of the year. TLS 1.0 and 1.1 will now be disabled by default “no sooner than Microsoft Edge version 84,” scheduled for release in July 2020. The protocols will be disabled by default in Internet Explorer 11 and Microsoft Edge Legacy as of September 8, 2020. Microsoft made the decision to postpone the changes “in light of current global circumstances.”
Note: Continue to queue up efforts to update services to support TLS 1.2 & 1.3 as regardless of when the support is deprecated, the perception will be a problem with your service rather than their browser.
Read more in:
- Plan for change: TLS 1.0 and TLS 1.1 soon to be disabled by default
- Microsoft finds itself in the odd position of sparing elderly, insecure protocols: Grants stay of execution to TLS 1.0, 1.1
COVID-19 Malware Overwrites Master Boot Record. Researchers have identified several strains of coronavirus-themed malware that wipe files or overwrite master boot records on infected computers.
Read more in:
- Wiper Malware Called “Coronavirus” Spreads Among Windows Victims
- There’s now COVID-19 malware that will wipe your PC and rewrite your MBR
GoDaddy Phishing Attack. A spear-phishing attack that targeted employees of domain name registrar GoDaddy managed to obtain access credentials that allowed the attacker to alter domain settings for at least six GoDaddy customers.
Note: Dealing with entities that are trolling domain registries and sending users messages designed to modify their registration is common; attackers are trying to target less savvy associates for success. Additionally, make sure that your registrar accounts use two-factor authentication, your domains are locked, and DNSSEC is enabled. GoDaddy support will help you analyze any unexpected messages if you cannot verify they are genuine on your own.
Update Addresses Two Vulnerabilities in WordPress Rank Math SEO Plugin. A critical vulnerability in the WordPress Rank Math search engine optimization (SEO) plugin could be exploited to gain elevated privileges. A second, high-severity vulnerability in the same plugin could be exploited to install redirects on a vulnerable website. Users are urged to update to Rank Math version 188.8.131.52.
Note: Plug-ins are a major source of vulnerability in WordPress use and come with few indicators of quality. They may even put other applications at risk. Minimize and maintain those that you use; consider focused penetration testing of them.
Read more in:
- Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin
- Critical WordPress Plugin Bug Can Lock Admins Out of Websites
- Critical WordPress Plugin Bug Lets Hackers Turn Users Into Admins
Biotech Company Doing COVID-19 Research Hit With Ransomware. According to information provided in a financial disclosure filing to the US Securities and Exchange Commission (SEC), biotech company 10x Genomics experienced a ransomware attack in March 2020 in which some company data were stolen. 10x Genomics writes that it has “isolated the source of the attack and restored normal operations with no material day-to-day impact to the Company or the Company’s ability to access its data.” 10x Genomics, along with other companies around the world, is sequencing cells from people who have recovered from COVID-19 to look for antibodies.
Read more in:
- Ransomware strikes biotech firm researching possible COVID-19 treatments
- Hackers ‘Without Conscience’ Target Health-Care Providers
- FORM 8-K | 10x Genomics, Inc.
NERC Releases Report on November 2019 Power Grid Security Exercise. The North American Electric Reliability Corporation (NERC) has released its report on the results of the November 2019 GridEx grid security and emergency response exercise. In all, over 7,000 people at more than 500 organizations participated in the exercise, which simulated a malware attack against utilities’ industrial control systems. The report includes recommendations from NERC on how to improve grid resilience.
Note: It should not come as too big a surprise that the conclusions and recommendations of the exercise report focus on communications among the organizations rather than on the security and resilience of those organizations.
Read more in:
- North American utilities drill ‘GridEx’ brings record turnout — except from supply chain vendors
- GridEx V Grid Security Exercise | Lessons Learned Report March | 2020 (PDF)
Hackers with Alleged Iranian Ties Have Targeted WHO Staff eMail Accounts. Hackers with alleged ties to Iran’s government have been trying to break into staff members’ email accounts at the World Health Organization (WHO) since early March. It is not known if the phishing attacks succeeded.
The headline on 01 Apr 2020
Kwampirs Malware Targets Healthcare Sector. The FBI has released a private industry notification for the Kwampirs malware. Kwampirs, also known as “Orangeworm,” has been used to target different industries in the past, and according to this latest update, is now also being used to target the healthcare sector. Likely the work of nation state-linked attackers, Kwampirs uses the software supply chain to spread. This makes it particularly difficult to defend against. Kwampirs will likely enter your network as part of a software update from a trusted vendor.
Note: In defending against threats like Kwampirs, do not focus too much on specific indicators of compromise. They will change quickly, and are only useful to detect past infections. Instead, verify how well you are able to detect the techniques the malware uses to spread. For example, Kwampirs like other malware seeks out administrative shares and installs as a new service. These are fairly generic techniques used by other malware as well. Implementing techniques to detect this type of behavior has the benefit that it will not just detect this particular malware, but more generically help identify malicious behavior.
Read more in:
- Kwampirs threat actor continues to breach transnational healthcare orgs
- Kwampirs Targeted Attacks Involving Healthcare Sector
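The note above argues for detecting the technique (administrative share access followed by a new service on the same host) rather than chasing indicators. The following is an added example of that rule, not code from the FBI notification or the linked articles: a Go program that parses constructed log lines and raises an alert when a service is installed within a window after an administrative share on that host was accessed over the network. The key=value line format, host names, addresses, user names and service names are all invented for this example; the Windows event IDs 5140 (network share accessed) and 7045 (service installed) are real, but a SIEM export will carry their fields under its own names, so `ParseLine` would be swapped for the export format in use.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// DefaultWindow bounds how long after an administrative share access a new
// service on the same host is still treated as part of the same activity.
const DefaultWindow = 10 * time.Minute

// Event is one normalised record: Windows Security event 5140 (network share
// accessed) or System event 7045 (service installed), here as key=value lines.
type Event struct {
	Time   time.Time
	Host   string
	ID     string
	Fields map[string]string
}

// ParseLine turns one key=value line into an Event; ts must be RFC 3339.
func ParseLine(line string) (Event, error) {
	ev := Event{Fields: map[string]string{}}
	for _, kv := range strings.Fields(line) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, fmt.Errorf("token %q is not key=value", kv)
		}
		ev.Fields[k] = v
	}
	t, err := time.Parse(time.RFC3339, ev.Fields["ts"])
	if err != nil {
		return Event{}, err
	}
	ev.Time, ev.Host, ev.ID = t, ev.Fields["host"], ev.Fields["event"]
	return ev, nil
}

// isAdminShare matches the hidden administrative shares (ADMIN$, C$, D$, ...)
// that remote service installation writes through; IPC$ is too noisy to use.
func isAdminShare(name string) bool {
	name = strings.ToUpper(name)
	return name == "ADMIN$" || (len(name) == 2 && name[1] == '$' && name[0] >= 'A' && name[0] <= 'Z')
}

// Correlate flags each host where a service was installed within window after an
// administrative share on it was accessed over the network. Events must be in time
// order. The rule keys on the technique, not on Kwampirs file names or hashes.
func Correlate(events []Event, window time.Duration) []string {
	type access struct {
		t          time.Time
		src, share string
	}
	recent := map[string][]access{}
	var alerts []string
	for _, ev := range events {
		switch ev.ID {
		case "5140":
			if isAdminShare(ev.Fields["share"]) {
				recent[ev.Host] = append(recent[ev.Host], access{ev.Time, ev.Fields["src"], ev.Fields["share"]})
			}
		case "7045":
			for _, a := range recent[ev.Host] {
				if d := ev.Time.Sub(a.t); d >= 0 && d <= window {
					alerts = append(alerts, fmt.Sprintf("%s: service %q installed %s after %s was accessed from %s",
						ev.Host, ev.Fields["service"], d, a.share, a.src))
					break
				}
			}
		}
	}
	return alerts
}

// sampleLog is constructed data (hosts, addresses, users, services invented), not a real capture.
const sampleLog = `ts=2020-03-31T09:58:02Z host=WS-0142 event=5140 src=10.20.3.17 user=CORP\svc-deploy share=ADMIN$
ts=2020-03-31T09:58:40Z host=WS-0142 event=7045 service=SysUpdateSvc path=C:\Windows\System32\sysupdsvc.exe
ts=2020-03-31T10:15:11Z host=FS-01 event=5140 src=10.20.3.17 user=CORP\bob share=Finance
ts=2020-03-31T10:20:00Z host=FS-01 event=7045 service=PrintHelper path=C:\Windows\System32\prnhelp.exe
ts=2020-03-31T11:02:55Z host=WS-0207 event=5140 src=10.20.3.17 user=CORP\svc-deploy share=C$
ts=2020-03-31T11:30:00Z host=WS-0207 event=7045 service=BackupAgent path=C:\Backup\agent.exe`

// SampleEvents parses sampleLog.
func SampleEvents() ([]Event, error) {
	var evs []Event
	for _, line := range strings.Split(sampleLog, "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		evs = append(evs, ev)
	}
	return evs, nil
}

func main() {
	evs, _ := SampleEvents() // the constructed sample parses; SampleEvents still reports errors for other input
	fmt.Println(strings.Join(Correlate(evs, DefaultWindow), "\n"))
}
```

Only WS-0142 fires: FS-01 saw a service installed after access to an ordinary file share, and WS-0207's service arrived 27 minutes after the C$ access, outside the window. Both quiet cases are the tuning knobs of this rule, and a legitimate software-distribution host that installs services over ADMIN$ will need an allow-list on the `src` address rather than a wider window.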
Snail Mail Malware Delivery. The FIN7 hacking group is distributing malware through the US Postal Service – sending users USB sticks in the mail. If users plug the stick in, it installs a backdoor on their computer. Some of the packages have included gift cards and teddy bears.
- A good analogy for security awareness around this issue is to equate USB sticks that aren’t from IT or a store to be like a piece of what kids used to call ABC gum: Already Been Chewed gum. Don’t put ABC USB drives in your computer’s mouth.
- It remains imperative to not insert unknown or untrusted media in systems. Right now many users are working from home outside many of the normal corporate security controls, so increased attention to work-from-home security measures is appropriate. Also, while enabling controls that limit the insertion of removable media to approved devices only will help raise the bar, the current environment makes it attractive for the user to insert these into their personal devices, so be sure to include that scenario in your awareness training.
Read more in:
- FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS
- Malware from notorious FIN7 group is being delivered by snail mail
Court Orders Injunctions Against VoIP Carriers for Facilitating Fraudulent Robocalls. A US district court in New York has issued injunctions against two companies for “facilitate[ing] the transmission of massive volumes of fraudulent robocalls to consumers in the United States.” The callers claimed to be from government agencies or legitimate businesses, and the calls were designed to trick people into giving up information and money. The calls targeted elderly and otherwise vulnerable people.
- Carriers of all flavors have refused to filter malicious calls/data that are known to be from spoofed addresses. It is good to see courts and the FTC (noted in another item) start to put appropriate pressure on them. Imagine if the water company said “Well, we knew the dangerous chemicals were in the water, but we just pass the water from left to right; don’t blame us. But, we will sell you a water cleaning service.”
- The elderly are some of the hardest users to protect, as they have not “grown-up” with these threats, and are not necessarily connected with, or may not understand security awareness campaigns. Taking the time to work with them one-on-one to understand call security and enabling appropriate controls is the best mitigation while technical and carrier level controls evolve.
Read more in:
- VoIP Carriers Investigated Over Fraudulent Robocalls
- District Court Orders Injunctions against Two Telecom Carriers Who Facilitated Hundreds of Millions of Fraudulent Robocalls to Consumers in the United States
Georgian Database Published Online. A database containing personal information about every citizen in the Republic of Georgia has been posted to a hacker forum. The database includes information for more than 4.9 million people, some of whom are deceased. Georgian authorities are investigating.
Apple VPN Bypass Flaw. An unpatched flaw in Apple’s iOS could be exploited to access some traffic data. The issue prevents virtual private network (VPN) applications from protecting some data that are being sent between the iOS device and the servers they are communicating with. The vulnerability exists in the most recent version of the mobile operating system, iOS 13.4.
Note: While this bug remains in iOS 13.4, it also impacts iOS 13.3.1 and later. The problem is the VPN does not terminate all existing network connections when established. The primary risk is moderate, as this can be used to reveal metadata about the device’s connections as most application connections are themselves encrypted and short-lived. The risk can be partly mitigated by enabling auto-connect features in third-party VPNs or setting the always-connected feature of managed devices accessing the corporate VPN.
Read more in:
- Apple Unpatched VPN Bypass Bug Impacts iOS 13, Warn Researchers
- Vulnerability in Apple’s iOS exposes VPN user location data
- Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic
- VPN bypass vulnerability in Apple iOS
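A server-side check for the behaviour described above, added here as an example and not code from the page, Apple, or the researchers who reported the bug: if a corporate VPN gateway logs when a managed device’s tunnel came up and which egress IP it was given, application access logs can be cross-checked for requests from that device that arrive after tunnel-up but from an address other than the egress. That is what a connection left open from before the VPN started looks like from the server side. The log formats, device identifiers, addresses and timestamps are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample records (hypothetical formats, not real logs). All times UTC.
# VPN gateway events: device_id event timestamp egress_ip
VPN_EVENTS = [
    "dev-7f3a vpn_up 2020-04-06T09:00:00Z 203.0.113.10",
    "dev-c0de vpn_up 2020-04-06T09:05:00Z 203.0.113.10",
]
# Application access log: timestamp client_ip device_id request
APP_LOG = [
    "2020-04-06T08:58:30Z 198.51.100.77 dev-7f3a GET /inbox",        # before tunnel: expected
    "2020-04-06T09:00:45Z 198.51.100.77 dev-7f3a GET /inbox/poll",   # after tunnel, home IP: bypass
    "2020-04-06T09:01:10Z 203.0.113.10 dev-7f3a GET /inbox",         # new connection via tunnel
    "2020-04-06T09:04:00Z 192.0.2.44 dev-c0de GET /health",          # before tunnel: expected
    "2020-04-06T09:06:00Z 203.0.113.10 dev-c0de GET /health",        # via tunnel
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_vpn_events(lines):
    """Map device_id -> (tunnel_up_time, egress_ip) from vpn_up events."""
    tunnels = {}
    for line in lines:
        device, event, ts, egress = line.split()
        if event == "vpn_up":
            tunnels[device] = (parse_ts(ts), egress)
    return tunnels

def find_leaks(vpn_lines, app_lines, grace_seconds=0):
    """Return (device_id, timestamp, client_ip, request) for every request that
    reached the application after the device's tunnel came up (plus a grace
    period for clock skew) yet arrived from an address other than the tunnel
    egress: the signature of a connection opened before the VPN and kept alive."""
    tunnels = parse_vpn_events(vpn_lines)
    leaks = []
    for line in app_lines:
        ts, ip, device, request = line.split(maxsplit=3)
        if device not in tunnels:
            continue                       # device never connected to the VPN
        up_at, egress = tunnels[device]
        if (parse_ts(ts) - up_at).total_seconds() > grace_seconds and ip != egress:
            leaks.append((device, ts, ip, request))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(VPN_EVENTS, APP_LOG):
        print("possible VPN bypass:", *leak)
```

Use the grace window to absorb clock skew between the two log sources, and treat a hit as a lead rather than proof: split tunnelling, a second device sharing an identifier, or NAT in front of the egress can produce the same pattern. The same cross-check works for any VPN client suspected of leaving pre-existing connections outside the tunnel, which is also how to confirm that the always-on setting for managed devices is actually closing the gap.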
Windows Font Parsing Bug. Microsoft has published workarounds to help protect computers from attacks exploiting two critical, as yet unpatched, vulnerabilities in the Adobe Type Manager Library (atmfd.dll), the Windows component that parses Adobe Type 1 PostScript fonts. The flaws can be triggered by convincing a user to open a specially crafted document or to view it in the Windows Explorer preview pane. On systems older than Windows 10 the flaws can be exploited for remote code execution; on Windows 10 the font parser runs in a sandboxed user-mode process, so a successful attack yields code execution only within that low-privilege AppContainer sandbox. The workarounds (disabling the Preview and Details panes in Windows Explorer, disabling the WebClient service, and renaming atmfd.dll) each reduce attack surface at some cost to functionality. Microsoft is aware of limited targeted attacks exploiting these flaws and is working on a fix.
Read more in:
- Actively Exploited Windows Font Parsing Bugs Get Temporary Fix
- ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability
FTC Warns VoIP Companies Not to Facilitate Robocalls Preying on Coronavirus Concerns. The US Federal Trade Commission (FTC) has issued warnings to nine VoIP service providers, telling them to take steps to ensure that their services are not being used to make fraudulent robocalls that exploit the current COVID-19 pandemic. The nine companies were given until March 30 to respond to the FTC, “describing the specific actions [they] have taken to ensure [their] company’s services are not being used in Coronavirus/COVID-19 robocall schemes.”
- The FTC was awarded a prestigious SANS Difference Maker’s award a few years ago. It is good to see them continuing to make a difference.
- What is needed is the implementation of security solutions such as SHAKEN / STIR to raise the bar on VoIP call security. Take note of the FTC advice on robocalls, particularly COVID-19 related ones, at the core: hang up, don’t press any buttons, better still don’t answer unrecognized calls. Leverage options to block unwanted calls. Some services have free call blocking tools, iOS allows you to silently send unrecognized callers to voicemail and Android allows you to block anonymous callers.
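What STIR/SHAKEN adds to the picture, as an added example that is not code from the page, the FTC or any carrier: the originating carrier signs the calling and called numbers, a timestamp and an attestation level (A: the carrier authenticated the customer and knows they are entitled to the number; B: the customer is known but the number was not verified; C: the carrier is only a gateway for the call) into a PASSporT, a JWT carried in the SIP Identity header, and the terminating carrier verifies the signature against the signer’s certificate before trusting the caller ID. The P-256/ECDSA arithmetic below is a self-contained educational implementation so that the example runs offline; production code uses a vetted library, fetches the certificate named in x5u and validates its chain to a STIR certificate authority, which the `trusted_keys` dictionary stands in for here. The private key is the published RFC 6979 P-256 test vector, and the telephone numbers, x5u URL and call time are made up.

```python
import base64, hashlib, hmac, json

# NIST P-256 domain parameters; the curve is y^2 = x^3 - 3x + B (mod P), G has order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def point_add(p1, p2):
    """Affine point addition/doubling; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None            # p1 == -p2
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; fine for a demo)."""
    acc = None
    while k:
        if k & 1: acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def hash_int(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ecdsa_sign(priv, data):
    """ES256 signature in JWS form (r || s, 64 bytes). The nonce is derived from key
    and message so signing is deterministic (RFC 6979 in spirit, not to the letter)."""
    z = hash_int(data)
    k = hash_int(hmac.new(priv.to_bytes(32, "big"), data, "sha256").digest()) % N or 1
    r = point_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def ecdsa_verify(pub, data, sig):
    if len(sig) != 64: return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = point_add(point_mul(hash_int(data) * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

# JWS/PASSporT encoding helpers. RFC 8225 serialises claims with sorted keys and no whitespace.
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def json_bytes(obj): return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_passport(priv, x5u, orig_tn, dest_tn, attest, origid, iat):
    """Originating carrier: build and sign the SHAKEN PASSporT for one INVITE."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": origid}
    signing_input = b64u(json_bytes(header)) + "." + b64u(json_bytes(claims))
    return signing_input + "." + b64u(ecdsa_sign(priv, signing_input.encode()))

def decode_passport(token):
    h, c, s = token.split(".")
    return json.loads(unb64u(h)), json.loads(unb64u(c)), unb64u(s)

def verify_passport(token, trusted_keys, from_tn, to_tn, now, max_age=60):
    """Terminating carrier: returns (attestation level, 'ok') or (None, reason).
    trusted_keys maps x5u URL -> public key, standing in for fetching the certificate
    and validating its chain to a STIR CA. from_tn/to_tn come from the SIP INVITE."""
    try:
        header, claims, sig = decode_passport(token)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if header.get("alg") != "ES256" or header.get("ppt") != "shaken":
        return None, "unexpected alg/ppt"
    pub = trusted_keys.get(header.get("x5u"))
    if pub is None:
        return None, "unknown signer"
    if not ecdsa_verify(pub, token.rsplit(".", 1)[0].encode(), sig):
        return None, "bad signature"
    if not (now - max_age <= claims.get("iat", 0) <= now + max_age):
        return None, "stale"
    if claims.get("orig", {}).get("tn") != from_tn or to_tn not in claims.get("dest", {}).get("tn", []):
        return None, "tn mismatch"
    return claims.get("attest"), "ok"

# Constructed demo values. PRIV is the published RFC 6979 A.2.5 P-256 test key, not a carrier's key.
PRIV = 0xc9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721
PUB = point_mul(PRIV, G)
X5U = "https://sti.example-carrier.net/cert.pem"   # made-up certificate URL
NOW = 1586000000                                    # made-up call time (epoch seconds)

if __name__ == "__main__":
    token = sign_passport(PRIV, X5U, "12025550100", "12025550144", "A", "de305d54-75b4-431b-adb2-eb6b9e546014", NOW)
    print("Identity: " + token + ";info=<" + X5U + ">;alg=ES256;ppt=shaken")
    print(verify_passport(token, {X5U: PUB}, "12025550100", "12025550144", NOW + 5))
    print(verify_passport(token, {X5U: PUB}, "12025550199", "12025550144", NOW + 5))  # spoofed From
```

Verification rejects a spoofed From that does not match the signed orig tn, a payload edited after signing, a token replayed outside the freshness window, and a signer whose certificate is not trusted. A valid signature with attestation C still says little about who placed the call, which is why the attestation level, not just signature validity, is what feeds the terminating carrier’s call analytics and blocking decisions.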
US Federal Court: Terms of Service Violation Is Not a CFAA Violation. A US federal court has ruled that violating a website’s terms of service is not a violation of the Computer Fraud and Abuse Act (CFAA). The plaintiffs in the case wanted to investigate racism in online job markets by creating accounts for phony employers and job seekers. They were concerned that the activity might put them in violation of the CFAA, so they filed a pre-enforcement challenge alleging that the portion of the CFAA that makes it a crime to “access a computer without authorization or exceed authorized access” violates First Amendment rights. The Court did not address the constitutional issue, instead writing “that the CFAA does not criminalize mere terms-of-service violations on consumer websites and, thus, that plaintiffs’ proposed research plans are not criminal under the CFAA.”
Note: Creating fraudulent accounts may not be criminal but it is unethical and not something we want to encourage. In this case, it contaminates the application and interferes with its objective.
Read more in:
- Court: Violating a site’s terms of service isn’t criminal hacking
- Algorithmic bias research doesn’t count as hacking
- Civil Action No. 16-1368 (JDB) | MEMORANDUM OPINION (PDF)
Zeus Sphinx Trojan. A banking Trojan has made a resurgence after three years of relative quiet. The Zeus Sphinx Trojan is being used in campaigns that exploit interest in the economic relief payments governments are sending to citizens. The campaigns tell email recipients that they need to fill out forms to receive the payments; those forms capture bank account access credentials.
Read more in:
- Zeus Sphinx Banking Trojan Arises Amid COVID-19
- Zeus Sphinx malware resurrects to abuse COVID-19 fears
Russian Man Arrested in Connection with Money Laundering Scheme. US federal law enforcement agents have arrested Maksim Boiko, a Russian citizen, for his alleged role in a money-laundering scheme. Boiko is allegedly part of an organized crime group known as QQAAZZ, which converted stolen money into cryptocurrency to obscure its origins.
HackerOne Boots Voatz from Platform. HackerOne has “terminate[d] the [Voatz] program on the HackerOne platform.” HackerOne provides a number of security services, including the facilitation of bug bounty programs. Last month Voatz updated its policy with regard to HackerOne, noting that it could not guarantee a safe harbor for hackers who access its live election systems. That change, along with “hostile interactions with security researchers,” contributed to HackerOne’s decision.
- There needs to be a balance between supporting research for bug identification and restricting activities that are out of the scope of the bug bounty program. This typically requires an organization of some size and maturity to have the resources to manage this balance as well as verify and respond to issues discovered.
- Since Voatz has been discouraging bug bounty style assessment of the security of its product and points to the Department of Homeland Security as evaluating the remote voting application, no elections should use the software until DHS completes an exhaustive evaluation, any and all issues noted are fixed, the DHS re-evaluates the app and publicly gives it a clean bill of health for state and local use.
- Said another way, Voatz has decided that inviting unknown “researchers” to attack its application is not a good idea.