This posting is here to collect cyber security news in April 2020.
I post links to security vulnerability news with short descriptions to the comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
218 Comments
Tomi Engdahl says:
An unpleasant side effect of school closures: cyber attacks on online learning environments are almost daily
https://www.iltalehti.fi/koronavirus/a/c369c07d-be1d-43e4-bc88-0d12d3f72817
According to the police, the denial-of-service attacks are home-grown. Behind them is the switch to remote teaching because of the coronavirus epidemic.
Tomi Engdahl says:
Requires physical access, and I can inject into explorer to get access to your microphone.
Other than “ex-NSA” I don’t see why this is newsworthy. Am I missing something?
Ex-NSA hacker drops new zero-day doom for Zoom
https://techcrunch.com/2020/04/01/zoom-doom/amp/
Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.
Tomi Engdahl says:
Zoom Lets Attackers Steal Windows Credentials via UNC Links
https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-via-unc-links/
The Zoom Windows client is vulnerable to UNC path injection in the client’s chat feature that could allow attackers to steal the Windows credentials of users who click on the link.
Tomi Engdahl says:
The FCC announced today all carriers and phone companies must adopt the STIR/SHAKEN protocol by June 30th, 2021. The regulatory requirement is designed to combat robocalls, specifically those that try to hide their phone numbers by allowing carriers to authenticate caller IDs.
The agency says the widespread adoption of STIR/SHAKEN will reduce the effectiveness of illegal spoofing, help law enforcement agencies identify bad actors and, most importantly, allow carriers to identify spammers before they ever call your phone.
FCC will require phone carriers to authenticate calls by June 2021
https://www.google.com/amp/s/www.engadget.com/amp/2020-03-31-fcc-stir-shaken-june-30-2021.html
Tomi Engdahl says:
Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here's what to do
https://www.microsoft.com/security/blog/2020/04/01/microsoft-works-with-healthcare-organizations-to-protect-from-popular-ransomware-during-covid-19-crisis-heres-what-to-do/
As part of intensified monitoring and takedown of threats that exploit the COVID-19 crisis, Microsoft has been putting an emphasis on protecting critical services, especially hospitals. Now more than ever, hospitals need protecting from attacks that can prevent access to critical systems, cause downtime, or steal sensitive information.
Tomi Engdahl says:
Zoom’s end-to-end encryption isn’t actually end-to-end at all. Good thing the PM isn’t using it for Cabinet calls. Oh, for f…
Super-crypto actually normal TLS, lawsuit launched over Facebook API usage, privacy policy rewritten
https://www.theregister.co.uk/2020/04/01/zoom_spotlight/
UK Prime Minister Boris Johnson sparked security concerns on Tuesday when he shared a screenshot of “the first ever digital Cabinet” on his Twitter feed. It revealed the country’s most senior officials and ministers were using bog-standard Zoom to discuss critical issues facing Blighty.
The tweet also disclosed the Zoom meeting ID was 539-544-323, and fortunately that appears to have been password protected. That’s a good thing because miscreants hijacking unprotected Zoom calls is a thing.
Crucially, the use of the Zoom software is likely to have infuriated the security services, while also raising questions about whether the UK government has its own secure video-conferencing facilities. We asked GCHQ, and it told us that it was a Number 10 issue.
The decision to use Zoom, as millions of others stuck at home during the coronavirus outbreak are doing, comes as concerns are growing about the conferencing app’s business model and security practices.
Most notably, the company has been forced to admit that although it explicitly gives users the option to hold an “end-to-end encrypted” conversation and touts end-to-end encryption as a key feature of its service, in fact it offers no such thing.
Specifically, it uses TLS, which underpins HTTPS website connections and is significantly better than nothing. But it most definitely is not end-to-end encryption (E2E).
It appears that the company is able to access data in transit along that connection, and can also be compelled to provide it to governments. So, it’s not E2E.
While that is not something that will bother most Zoom users, whose conversations are not highly sensitive nor confidential, for something like a UK Cabinet meeting, the lack of true end-to-end encryption is dangerous.
Under questioning, a Zoom spokesperson admitted: “Currently, it is not possible to enable E2E encryption for Zoom video meetings.
“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” a spokesperson told The Intercept on Tuesday.
The use of “end point” in this context refers to Zoom servers, not just Zoom clients; a second layer of purposefully misleading semantics.
As we reported earlier this month, Zoom granted itself the right to mine your personal data and conference calls to target you with ads, and seemed to have a “creepily chummy” relationship with tracking-based advertisers.
In other words, it was, arguably, the Facebook of the video-conferencing world, sucking every piece of data it can from you and any device you install it on.
Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing
https://theintercept.com/2020/03/31/zoom-meeting-encryption/
Tomi Engdahl says:
Microsoft finds itself in odd position of sparing elderly, insecure protocols: Grants stay of execution to TLS 1.0, 1.1
A few more months to get those servers upgraded ‘in light of current global circumstances’
https://www.theregister.co.uk/2020/04/01/microsoft_extends_tls_support/
Microsoft has blinked once again and delayed disabling TLS 1.0 and 1.1 by default in its browsers until the latter part of 2020.
The move is in recognition of the fact that in the light of current events, administrators have their hands a little full dealing with a surge of remote working and a team likely not running at full capacity.
TLS 1.0 and TLS 1.1 will soon be disabled by default in all supported Microsoft browsers, starting with Microsoft Edge version 84.
Tomi Engdahl says:
Boris Johnson tweets photo of first ever cabinet meeting with meeting ID and usernames
If you want to dial into the next Cabinet meeting….
https://www.thelondoneconomic.com/politics/boris-johnson-tweets-photo-of-first-ever-cabinet-meeting-with-meeting-id-and-usernames/01/04/?fbclid=IwAR2DEcchgENgqWIf7RGwsAUeGQ9-wHUsXAYnUVO1-p2b4dkymQsb5–993k
Tomi Engdahl says:
A crypto-mining botnet has been hijacking MSSQL servers for almost two years
https://www.zdnet.com/google-amp/article/a-crypto-mining-botnet-has-been-hijacking-mssql-servers-for-almost-two-years/
Vollgar botnet launches brute-force attacks against MSSQL databases to take over servers and install Monero and Vollar cryptocurrency miners.
Tomi Engdahl says:
Cybersecurity experts come together to fight coronavirus-related hacking
https://www.channelnewsasia.com/news/business/cybersecurity-experts-come-together-to-fight-coronavirus-related-hacking-12577740
Tomi Engdahl says:
Eric S. Yuan / Zoom Blog:
Zoom apologizes for security failures, says it has 200M+ DAUs vs. 10M in Dec., and plans to freeze development of new features to focus on security and privacy — Whether you are a global corporation that needs to maintain business continuity, a local government agency working to keep …
https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:
A vulnerability in Zoom’s Windows client could let attackers steal Windows login credentials of users who click on malicious links in chat messages
Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links
https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/
Tomi Engdahl says:
CONGRESS IS TRYING TO KILL ENCRYPTION DURING A PANDEMIC
https://www.inverse.com/innovation/congress-is-trying-to-kill-encryption
It seems Congress thinks this might be a good time to kill encryption and trample on our civil liberties.
Tomi Engdahl says:
Zoom’s Security and Privacy Woes Violated GDPR, Expert Says
https://www.securityweek.com/zooms-security-and-privacy-woes-violated-gdpr-expert-says
Tomi Engdahl says:
Researcher Finds New Class of Windows Vulnerabilities
https://www.securityweek.com/researcher-finds-new-class-windows-vulnerabilities
Tomi Engdahl says:
Why coronavirus scammers can send fake emails from the WHO
https://m.youtube.com/watch?v=_CrbHvbvvMw
Why coronavirus scammers can send fake emails from real domains
https://www.vox.com/recode/2020/4/2/21202852/coronavirus-scam-email-who-spoofing-domain-dmarc
Organizations like the WHO could prevent domain spoofing, but many don’t.
If it seems like it shouldn’t be this easy to impersonate a leading global health institution, you’re right. As we outline in the video at the top of this post, there is a way for organizations and companies to prevent spoofing of their domain, but the WHO hasn’t done it.
“One of the things that a lot of NGOs and nonprofits don’t necessarily understand is that email is a very open protocol by design,” said Ryan Kalember, who leads cybersecurity strategy at Proofpoint.
That “open protocol” means that the email transmission system itself doesn’t verify the identity of senders. Instead, senders and receivers have had to organize voluntary authentication methods: Domain owners can adopt an ID system, and email providers can check for those IDs. But participation has not been universal on both sides.
“There are just so many organizations that don’t authenticate their mail. So if you are interested in tricking someone, that becomes an incredibly useful vector to do so,” said Kalember.
There’s SPF (Sender Policy Framework), through which a domain owner can specify that legitimate emails always come from a certain set of IP addresses. There’s DKIM (Domain Keys Identified Mail), which relies on a unique signature to verify senders.
And then there’s DMARC, which builds on SPF and DKIM by specifying how the receiving email service should treat messages that fail those tests (do nothing, send to spam, or reject the message altogether).
Setting a strong DMARC policy is the surest way to prevent domain spoofing, and all major email providers like Gmail, Outlook, and Yahoo, will check incoming emails against a DMARC record.
The WHO has enabled SPF but there is no DMARC record for who.int as of April 1, 2020. “The SPF record is a good thing to have, but without a corresponding DMARC policy, it won’t unfortunately result in spoofed messages being blocked,” Kalember said.
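The SPF/DKIM/DMARC interplay described in the Vox excerpt, as an added example that is not from the article, Proofpoint or any real mail server: a minimal model of how a receiving MTA combines the three checks, showing why a domain with SPF but no DMARC record (the who.int situation) still gets its From: header spoofed. All domain names, IPs and DNS records below are constructed; a real receiver fetches the DMARC policy from the TXT record at _dmarc.<From-domain>.

```python
# Added example: simplified SPF + DMARC evaluation. Not production code; SPF
# include:/a/mx/redirect mechanisms and the Public Suffix List are omitted.
import ipaddress

# Constructed DNS data. "health.example" stands in for an organisation that, like
# who.int in the article, publishes SPF but no DMARC; "protected.example" has both.
DNS = {
    "health.example":    {"spf": "v=spf1 ip4:192.0.2.0/24 -all", "dmarc": None},
    "protected.example": {"spf": "v=spf1 ip4:192.0.2.0/24 -all",
                          "dmarc": "v=DMARC1; p=reject; aspf=r; adkim=r"},
    "attacker.example":  {"spf": "v=spf1 ip4:198.51.100.5 -all", "dmarc": None},
}


def parse_tags(record):
    """Parse a 'k=v; k=v' DMARC record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_check(record, sender_ip):
    """Simplified SPF: only ip4:/ip6: mechanisms and the trailing 'all' qualifier.
    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none'."""
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"


def org_domain(domain):
    """Organizational domain, simplified to the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(msg, dns=DNS):
    """Return (spf_result, dmarc_result, disposition) for a message dict with keys
    from_domain, mail_from_domain, sender_ip and optionally dkim_domain (the d= of
    a DKIM signature that already verified)."""
    spf_domain = msg["mail_from_domain"]
    spf_result = spf_check(dns.get(spf_domain, {}).get("spf"), msg["sender_ip"])
    from_domain = msg["from_domain"]
    record = dns.get(from_domain, {}).get("dmarc")
    if not record:
        # No DMARC policy: SPF judged the MAIL FROM domain, but nothing ties that
        # verdict to the From: header the user sees, so the receiver is on its own.
        return spf_result, "none", "none"
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_domain = msg.get("dkim_domain")
    dkim_ok = bool(dkim_domain) and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return spf_result, "pass", "deliver"
    policy = tags.get("p", "none")
    return spf_result, "fail", {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")


# Constructed messages. The spoofer keeps its own domain in MAIL FROM so SPF passes,
# and puts the impersonated organisation in the From: header.
SPOOF_UNPROTECTED = {"from_domain": "health.example", "mail_from_domain": "attacker.example",
                     "sender_ip": "198.51.100.5"}
SPOOF_PROTECTED = dict(SPOOF_UNPROTECTED, from_domain="protected.example")
LEGIT_DIRECT = {"from_domain": "protected.example", "mail_from_domain": "protected.example",
                "sender_ip": "192.0.2.10"}
# Third-party bulk mailer: SPF cannot pass for protected.example, an aligned DKIM signature does.
LEGIT_VIA_MAILER = {"from_domain": "protected.example", "mail_from_domain": "bulk.example",
                    "sender_ip": "203.0.113.7", "dkim_domain": "protected.example"}


def run_scenarios():
    return {
        "spoof, SPF only": evaluate(SPOOF_UNPROTECTED),
        "spoof, SPF+DMARC": evaluate(SPOOF_PROTECTED),
        "legit, own server": evaluate(LEGIT_DIRECT),
        "legit, DKIM via mailer": evaluate(LEGIT_VIA_MAILER),
    }


if __name__ == "__main__":
    for name, (spf, dmarc, disposition) in run_scenarios().items():
        print(f"{name:24} spf={spf:8} dmarc={dmarc:5} disposition={disposition}")
```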
Tomi Engdahl says:
A Must For Millions, Zoom Has A Dark Side — And An FBI Warning
https://www.npr.org/2020/04/03/826129520/a-must-for-millions-zoom-has-a-dark-side-and-an-fbi-warning
Dennis Johnson fell victim last week to a new form of harassment known as “Zoombombing,” in which intruders hijack video calls and post hate speech and offensive images such as pornography. It’s a phenomenon so alarming that the FBI has issued a warning about using Zoom.
He said he was in the middle of presenting when someone started drawing male genitalia on the screen. At first, Johnson said, he was not sure what was happening.
It got worse. The attacker scrawled a racial slur that everyone on the Zoom call could see.
Johnson was horrified. The organizers blocked everyone’s screen until they could remove the intruder from the meeting. But, Johnson said, they were not able to identify that person.
What should have been a triumphant celebration was ruined.
Zoombombers have disrupted an Alcoholics Anonymous meeting in New York, Sunday school in Texas, online classes at the University of Southern California and a city meeting in Kalamazoo, Mich.
With schools closed and millions of people working from home, Zoom has become wildly popular. The company said 200 million people used the app on a daily basis in March, up from just 10 million in December. But that newfound popularity is bringing new scrutiny.
The FBI is warning schools, in particular, to be careful.
“The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language,”
Tomi Engdahl says:
Zoombombing: What it is and how to prevent it in Zoom video chat
https://www.cnet.com/how-to/zoombombing-what-it-is-and-how-to-prevent-it-in-zoom-video-chat/
Improve your Zoom security by following these steps.
Video-conferencing software Zoom has been drawing attention from researchers and journalists lately for a number of potential privacy and security issues, as use of the platform surges due to an increase in coronavirus-related remote working. One of the biggest security issues facing Zoom is the surge in “Zoombombing,” when uninvited attendees break into and disrupt your meeting.
On Thursday, Zoom CEO Eric Yuan responded to concerns, saying Zoom will freeze features updates to address security issues, aiming to address them in the next 90 days.
Unfortunately, it can be easy to Zoombomb a meeting. In many cases, a simple Google search for URLs that include “Zoom.us” can turn up the unprotected links of multiple meetings that anyone can jump into. Similarly, links to public meetings can be found scattered across organizational pages on social media.
While there are no guarantees against determined trolls, there are a few ways to hedge your bets and improve your overall privacy levels when using Zoom. Here’s where you can start.
Tomi Engdahl says:
‘War Dialing’ Tool Exposes Zoom’s Password Problems
https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/
Each Zoom conference call is assigned a Meeting ID that consists of 9 to 11 digits. Naturally, hackers have figured out they can simply guess or automate the guessing of random IDs within that space of digits.
Security experts at Check Point Research did exactly that last summer, and found they were able to predict approximately four percent of randomly generated Meeting IDs. The Check Point researchers said enabling passwords on each meeting was the only thing that prevented them from randomly finding a meeting.
The incidence of Zoombombing has skyrocketed over the past few weeks, even prompting an alert by the FBI on how to secure meetings against eavesdroppers and mischief-makers. This suggests that many Zoom users have disabled passwords by default and/or that Zoom’s new security feature simply isn’t working as intended for all users.
Tomi Engdahl says:
Facebook is blocking a million accounts a day to protect the election: Sandberg
https://finance.yahoo.com/news/sheryl-sandberg-facebook-blocking-million-accounts-a-day-to-protect-election-153031702.html
Facebook (FB) is removing vast numbers of fake accounts to protect against misinformation and to safeguard the upcoming presidential election, according to Sheryl Sandberg the company’s COO.
Tomi Engdahl says:
Not only is Zoom’s strong end-to-end encryption not actually end-to-end, its encryption isn’t even that strong
Video calls also routed through China, probe discovers
https://www.theregister.co.uk/2020/04/03/dont_use_zoom_if_privacy/
Cybersecurity research group Citizen Lab is among those turning the spotlight on the video-conferencing app maker, and on Friday, it published a damning dossier on the state of the software.
“An app with easily-identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China,” the report says.
Tomi Engdahl says:
How EFF Evaluates Government Demands for New Surveillance Powers
https://www.eff.org/deeplinks/2020/04/how-eff-evaluates-government-demands-new-surveillance-powers
The COVID-19 public health crisis has no precedent in living memory. But government demands for new high-tech surveillance powers are all too familiar. This includes well-meaning proposals to use various forms of data about disease transmission among people. Even in the midst of a crisis, the public must carefully evaluate such government demands, because surveillance invades privacy, deters free speech, and unfairly burdens vulnerable groups.
Tomi Engdahl says:
Zoom admits some calls were routed through China by mistake
https://techcrunch.com/2020/04/03/zoom-calls-routed-china/
Hours after security researchers at Citizen Lab reported that some Zoom calls were routed through China, the video conferencing platform has offered an apology and a partial explanation.
Move Fast & Roll Your Own Crypto
A Quick Look at the Confidentiality of Zoom Meetings
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
Tomi Engdahl says:
Zoom will enable waiting rooms by default to stop Zoombombing
https://techcrunch.com/2020/04/03/zoom-waiting-rooms-default/
Tomi Engdahl says:
Non-existent respirator masks are now being peddled in Finland – the coronavirus pandemic keeps even petty criminals at home, but online criminals stay active
Consumer authorities are receiving complaints about misleading marketing and scams.
https://yle.fi/uutiset/3-11288563?origin=rss
Tomi Engdahl says:
Hundreds of internal servicedesks exposed due to COVID-19
https://medium.com/@intideceukelaire/hundreds-of-internal-servicedesks-exposed-due-to-covid-19-ecd0baec87bd
An increasing number of Atlassian JIRA Servicedesks have been misconfigured to be accessible for anyone to sign up. In essence, this is nothing to worry about as servicedesks may have legitimate reasons to be public. However, a growing number of instances have been repurposed to serve as an internal service ticket portal, allowing attackers to impersonate employees and create legitimate internal requests. [...] I took a list of 10,000 popular domain names globally and found out that no less than 288 of 1,972 (roughly 15%) corresponding Atlassian instances were open to the public.
Tomi Engdahl says:
This is how you deal with route leaks
https://radar.qrator.net/blog/how_you_deal_with_route_leaks
Here's the beginning: for approximately an hour, starting at 19:28 UTC on April 1, 2020, the largest Russian ISP Rostelecom (AS12389) was announcing prefixes belonging to prominent internet players: Akamai, Cloudflare, Hetzner, Digital Ocean, Amazon AWS, and other famous names.
Tomi Engdahl says:
Harri Hursti warns: the coronavirus has set cyber crooks in motion
https://www.tivi.fi/uutiset/tv/662fdc7d-d6f6-4132-b38c-af5310b4f322
Under the cover of the coronavirus, a massive disinformation machinery is currently being built in social media and on the internet, cyber expert Harri Hursti says in an interview.
Tomi Engdahl says:
NSO Group: Facebook tried to license our spyware to snoop on its own addicts, the same spyware it’s suing us over
https://www.theregister.co.uk/2020/04/03/nso_facebook_pegasus_whatsapp/
The Israeli spyware maker’s CEO Shalev Hulio alleged in a statement [PDF] to a US federal district court that in 2017 he was approached by Facebook reps who wanted to use NSO’s Pegasus technology in Facebook’s controversial Onavo Protect app to track mobile users.
Tomi Engdahl says:
Google rolls back Chrome privacy feature due to COVID-19
https://www.zdnet.com/article/google-rolls-back-chrome-privacy-feature-due-to-covid-19/
Google announced today it was rolling back a recent Chrome browser privacy feature to prevent any disruption to existing websites and their availability during the current coronavirus (COVID-19) outbreak.
https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html
Tomi Engdahl says:
Why is ransomware still a thing? One-in-three polled netizens say they would cave to extortion demands
https://www.theregister.co.uk/2020/04/02/ransomware_pay_ransomware/
This is according to a customer survey [PDF] by Kaspersky Lab. The Russian security house polled more than 2,000 business workers in the US, and 1,000 in Canada, in an online study, and found that 33 per cent would cough up at least some money to cyber-extortionists to get their data back on their own personal machines.
Report at
https://media.kasperskydaily.com/wp-content/uploads/sites/85/2020/03/25170451/Final_Ransomware-Report.pdf
Tomi Engdahl says:
More Than 8,000 Unsecured Redis Instances Found in the Cloud
https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-8000-unsecured-redis-instances-found-in-the-cloud/
We discovered 8,000 Redis instances that are running unsecured in different parts of the world, even ones deployed in public clouds. These Redis instances have been found without Transport Layer Security (TLS) encryption and are not password protected. Using Shodan, a popular search engine for internet-connected or IoT devices, we discovered over 8,000 unsecured Redis instances deployed worldwide. Some of these unsecured Redis instances were deployed in public clouds such as AWS, Azure, and Google Cloud.
Tomi Engdahl says:
Researchers Discover Hidden Behavior in Thousands of Android Apps
https://www.securityweek.com/researchers-discover-hidden-behavior-thousands-android-apps
The research uncovered 12,706 applications (8.47%) with backdoor secrets (secret access keys, master passwords, and secret commands providing access to admin-only functions), and 4,028 apps (2.69%) that contain blacklist secrets (they would block content based on keywords subject to censorship, cyber bullying or discrimination). Paper at
https://web.cse.ohio-state.edu/~lin.3021/file/SP20.pdf
Tomi Engdahl says:
Zoom admits some calls were routed through China by mistake
https://techcrunch.com/2020/04/03/zoom-calls-routed-china/
Zoom now says that during its efforts to ramp up its server capacity to accommodate the massive influx of users over the past few weeks, it mistakenly allowed two of its Chinese data centers to accept calls as a backup in the event of network congestion.
Tomi Engdahl says:
https://www.securityweek.com/how-address-surging-need-secure-remote-access-ot-networks
https://www.securityweek.com/most-security-pros-prefer-enterprise-over-industrial-cybersecurity-survey
https://www.securityweek.com/public-ics-hacking-tools-make-it-easier-launch-attacks-fireeye
Tomi Engdahl says:
A hacker has wiped, defaced more than 15,000 Elasticsearch servers
https://www.zdnet.com/article/a-hacker-has-wiped-defaced-more-than-15000-elasticsearch-servers/
For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame.
Tomi Engdahl says:
Europol report on cybercrime and disinformation amid the COVID-19 pandemic
https://www.europol.europa.eu/newsroom/news/catching-virus
During the COVID-19 pandemic, criminals have been quick to seize opportunities to exploit the crisis by adapting their modi operandi and engaging in new criminal activities. Cybercriminals have been among the most adept at exploiting the pandemic. The threat from cybercrime activities during the crisis is dynamic and has the potential to increase further. With a record number of potential victims staying at home and using online services across the EU, the ways for cybercriminals seeking to exploit emerging opportunities and vulnerabilities have multiplied. Report at
https://www.europol.europa.eu/sites/default/files/documents/catching_the_virus_cybercrime_disinformation_and_the_covid-19_pandemic_0.pdf
Tomi Engdahl says:
Thousands of Zoom video calls left exposed on open Web
https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/
The problem is not exclusive to Zoom video or Amazon storage. But in designing their service, Zoom's engineers bypassed some common security features of other video-chat programs, such as requiring people to use a unique file name before saving their own clips. That style of operating simplicity has powered Zoom to become the most popular video-chat application in the United States, but it has also frustrated some security researchers who believe such shortcuts can leave users more vulnerable to hacks or abuse.
Tomi Engdahl says:
Supo: A prolonged state of emergency may increase threats to national security; remote work also poses its own risk
https://yle.fi/uutiset/3-11288420?origin=rss
Supo rarely gives guidance directly to citizens, but in the midst of the coronavirus situation it is sending greetings to home offices. Now would be a good time to remember information security.
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Twice this week, traffic to 200+ of the world’s largest CDNs and cloud hosts was redirected through Russia’s telco Rostelecom in likely BGP hijacking attacks
Russian telco hijacks internet traffic for Google, AWS, Cloudflare, and others
https://www.zdnet.com/article/russian-telco-hijacks-internet-traffic-for-google-aws-cloudflare-and-others/
Rostelecom involved in BGP hijacking incident this week impacting more than 200 CDNs and cloud providers.
Earlier this week, traffic meant for more than 200 of the world’s largest content delivery networks (CDNs) and cloud hosting providers was suspiciously redirected through Rostelecom, Russia’s state-owned telecommunications provider.
The incident affected more than 8,800 internet traffic routes from 200+ networks.
Impacted companies are a who’s who in the cloud and CDN market, including big names such as Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, Joyent, LeaseWeb, Hetzner, and Linode.
The incident is a classic “BGP hijack.”
BGP stands for the Border Gateway Protocol and is the de-facto system used to route internet traffic between internet networks across the globe.
The entire system is extremely brittle because any of the participant networks can simply “lie” and publish an announcement (BGP route) claiming that “Facebook’s servers” are on their network, and all internet entities will take it as legitimate and send all the Facebook traffic to the hijacker’s servers.
In the old days, before HTTPS was broadly used to encrypt traffic, BGP hijacks allowed attackers to run man-in-the-middle (MitM) attacks and intercept and alter internet traffic.
Nowadays, BGP hijacks are still dangerous because they let the hijacker log traffic and attempt to analyze and decrypt it at a later date when the encryption used to secure it has weakened due to advances in cryptography sciences.
Rostelecom, a repeat offender
Experts have pointed out many times in the past that not all BGP hijacks are malicious. Most incidents can be the result of a human operator mistyping an ASN (autonomous system number, the code through which internet entities are identified), and hijacking that company’s internet traffic by accident.
However, some entities continue to be behind BGP hijacks on a regular basis, and behind incidents that many experts are labeling as suspicious, suggesting that they are more than just accidents.
China Telecom is currently considered the biggest offender on this front [1, 2].
While not involved in BGP hijacks as commonly as China Telecom, Rostelecom (AS12389) is also behind many similarly suspicious incidents.
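The "any network can lie about an origin" problem described in the Qrator and ZDNet posts above, as an added example that is not from either article or any router vendor: RFC 6811 style route origin validation run over a constructed feed shaped like the incident, where AS12389 originates prefixes whose ROAs name other networks. The ROA table, prefixes (documentation ranges) and the AS numbers other than 12389 are made up; the last announcement shows the limit of the technique, a leak that keeps the real origin and therefore validates.

```python
# Added example: RPKI route origin validation over a constructed BGP feed.
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", "prefix max_length origin_as")

# Constructed ROA table, i.e. what a validating cache would hand the router.
ROAS = [
    ROA(ipaddress.ip_network("203.0.113.0/24"), 24, 64500),   # exact /24 only
    ROA(ipaddress.ip_network("198.51.100.0/22"), 24, 64501),  # may be split down to /24
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64502),
]


def validate(prefix, origin_as, roas=ROAS):
    """RFC 6811 outcome for one (prefix, origin AS) pair:
    'valid'     - a covering ROA names this origin and allows this prefix length
    'invalid'   - ROAs cover the prefix but none matches (wrong origin or too long)
    'not-found' - no ROA covers the prefix, so RPKI says nothing about it"""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    if any(r.origin_as == origin_as and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def check_announcements(announcements, roas=ROAS):
    """Classify BGP UPDATEs given as (prefix, as_path); the origin is the last AS
    in the path. Returns a list of (prefix, origin_as, status) tuples."""
    results = []
    for prefix, as_path in announcements:
        origin = as_path[-1]
        results.append((prefix, origin, validate(prefix, origin, roas)))
    return results


# Constructed feed modelled on the incident: the same prefixes seen both from
# their registered origins and originated by AS12389.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64600, 64500]),         # registered origin -> valid
    ("203.0.113.0/24", [64600, 12389]),         # foreign origin -> invalid
    ("198.51.100.0/24", [64600, 64501]),        # more-specific within maxLength -> valid
    ("198.51.100.0/25", [64600, 64501]),        # too specific even from the right AS -> invalid
    ("198.51.100.0/23", [64600, 12389]),        # foreign origin of a more-specific -> invalid
    ("192.0.2.0/24", [64600, 12389]),           # no ROA at all -> not-found, cannot judge
    ("203.0.113.0/24", [64600, 12389, 64500]),  # route leak: origin kept, leaker mid-path -> valid
]


def invalid_origins(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Count 'invalid' announcements per origin AS: a single AS originating many
    invalid routes at once is the signal an operator would alert on."""
    counts = {}
    for _prefix, origin, status in check_announcements(announcements, roas):
        if status == "invalid":
            counts[origin] = counts.get(origin, 0) + 1
    return counts


if __name__ == "__main__":
    for prefix, origin, status in check_announcements(ANNOUNCEMENTS):
        print(f"{prefix:18} origin AS{origin:<6} {status}")
    print("invalid announcements per origin:", invalid_origins())
```

Origin validation only judges the origin AS; a leak that preserves the legitimate origin (the last announcement) passes it, which is why the Qrator post speaks of route leaks and why path-level checks are still needed.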
Tomi Engdahl says:
Valerie Strauss / Washington Post:
Zoom is being banned over security concerns by some US school districts, including NYC, which is directing teachers to switch to Microsoft Teams — Some school districts around the country have started to ban the use of Zoom for online learning from home during the coronavirus crisis …
School districts, including New York City’s, start banning Zoom because of online security issues
https://www.washingtonpost.com/education/2020/04/04/school-districts-including-new-york-citys-start-banning-zoom-because-online-security-issues/
Tomi Engdahl says:
J.M. Porup / CSO:
Critics say bug bounty programs buy researcher silence, may violate labor law, and are less effective when they are closed and have NDAs placed on them
Bug bounty platforms buy researcher silence, violate labor laws, critics say
https://www.csoonline.com/article/3535888/bug-bounty-platforms-buy-researcher-silence-violate-labor-laws-critics-say.html
The promise of crowdsourced cybersecurity, fueled by “millions of hackers,” turns out to be a pipe dream, despite high-octane marketing from the bug bounty platforms.
Tomi Engdahl says:
Mozilla Patches Two Firefox Vulnerabilities Exploited in Attacks
https://www.securityweek.com/mozilla-patches-two-firefox-vulnerabilities-exploited-attacks
Mozilla has released updates for its Firefox web browser to patch two critical use-after-free vulnerabilities that have been exploited in attacks.
One of the flaws, tracked as CVE-2020-6819, has been described as a use-after-free caused by a race condition that is triggered in certain conditions when running the nsDocShell destructor. Researchers at Tenable have analyzed the patch and they believe the issue exists “due to the mContentViewer not being released properly.”
The second vulnerability, identified as CVE-2020-6820, has been described as a use-after-free caused by a race condition triggered by the handling of a ReadableStream.
Tomi Engdahl says:
Hacker ‘Ceasefire’ Gets Little Traction as Pandemic Fuels Attacks
https://www.securityweek.com/hacker-ceasefire-gets-little-traction-pandemic-fuels-attacks
Internet users have seen a surge in COVID-related cyberattacks and fraud schemes which could add to the misery of the pandemic, even as some hackers have called for dialing back their criminal efforts.
A deluge of attacks has included phishing emails purported to be from health agencies, counterfeit product offers and bogus charity donation requests, according to security analysts.
Over the past month, at least 100,000 new web domain names were registered containing terms like covid, corona, and virus, many of which are considered “malicious,” according to a report prepared for the global internet registry agency ICANN.
“The pandemic has led to an explosion of cybercrime, preying upon a population desperate for safety and reassurance,” said the report released this week by Interisle Consulting Group.
Tomi Engdahl says:
Keys Used to Encrypt Zoom Meetings Sent to China: Researchers
https://www.securityweek.com/keys-used-encrypt-zoom-meetings-sent-china-researchers
A recent analysis of the Zoom video conferencing application revealed that the keys used to encrypt and decrypt meetings may be sent to servers in China, even if all participants are located in other countries.
Zoom also recently clarified that its definition of “end-to-end encryption” is different from the one of the cybersecurity community.
In the case of Zoom, only communications between meeting participants and Zoom servers are encrypted, which gives the company access to unencrypted data and allows it to monitor conversations.
As for the encryption itself, the organization noticed that Zoom meetings are encrypted with an AES-128 key, contrary to Zoom documentation, which claims AES-256 encryption is used. Furthermore, the AES key is used in ECB mode, which is no longer recommended due to the fact that it fails to properly hide data patterns.
Citizen Lab has also pointed out that while Zoom is based in the U.S., it owns three Chinese companies that are responsible for developing Zoom software.
UPDATE. Zoom has published a blog post claiming certain meetings connected to servers in China due to an error, which the company has addressed.
https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/
Tomi Engdahl says:
Self-Propagating Malware Targets Thousands of Docker Ports Per Day
https://threatpost.com/self-propagating-malware-docker-ports/154453/
Tomi Engdahl says:
Google to publish user location data to help govts tackle virus
https://news.yahoo.com/google-publish-user-location-data-help-govts-tackle-081909211.html
Google will publish location data from its users around the world from Friday to allow governments to gauge the effectiveness of social distancing measures put in place to combat the COVID-19 pandemic.
In Europe and the United States, technology firms have begun sharing “anonymised” smartphone data to better track the outbreak.
Even privacy-loving Germany is considering using a smartphone app to help manage the spread of the disease.
But activists say authoritarian regimes are using the coronavirus as a pretext to suppress independent speech and increase surveillance.
Tomi Engdahl says:
Hacking forum gets hacked for the second time in a year
Forum where hackers sold and bought hacked accounts gets hacked itself.
https://www.zdnet.com/article/hacking-forum-gets-hacked-for-the-second-time-in-a-year/
OGUsers, one of the most popular hacking forums on the internet, disclosed today a security breach, the second such incident in the past year.
“It appears that someone was able to breach the server through a shell in avatar uploading in the forum software and get access to our current database dating April 2, 2020,” said Ace, the forum’s administrator.
Tomi Engdahl says:
Someone’s wiping out elastic searches and leaving a security firm’s name
https://www.databreaches.net/someones-wiping-out-elastic-searches-and-leaving-a-security-firms-name/
Security researcher Bob Diachenko reported a disturbing finding yesterday: someone was wiping out public-facing elastic searches and leaving “NightlionSecurity.com” in their place:
Tomi Engdahl says:
Move Fast and Roll Your Own Crypto
A Quick Look at the Confidentiality of Zoom Meetings
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/