Security related news for the week ending 2020 06 09

This week we start the security journey with your fridge and end with Apple. In between, we cover Singapore’s struggle with Covid-19 tracking, NASA’s explosion in cyber incidents, a story about the death of an elephant in India causing the “People for Animals” website to be hacked, how to protest safely and an ugly story about “Beauty” cam apps.

Smart Fridge Froze?

Matthew Hughes: A report from consumer advocates Which? highlights the short lifespan of “smart” appliances, with some losing software support after just a few years, despite costing vastly more than “dumb” alternatives. That lifespan varies between manufacturers: most vendors were vague, Miele and Beko offer about 10 years, LG states patches would be made available as required, but Samsung said it would offer software support for only two years.

Remember the average lifespan of a fridge is 11-20 years.

In 2016, owners of the Revolv smart home hub were infuriated after the Google-owned Nest deactivated the servers required for it to work. More recently, Belkin turned off its WeMo NetCam IP cameras, offering refunds only to those users whose devices were still in warranty and had their receipt.

Given that smart appliances are essentially computers with a persistent connection to the internet, there’s a risk hackers could co-opt unpatched fridges and dishwashers, turning them into drones in vast botnets. So these devices really do need to have the commitment of regular updates for as long as they function. Because, remember, there’s precedent. The Mirai botnet, for example, was effectively composed of hacked routers and IP cameras.

EU: Honda Tackling Suspected Ransomware Infection

Honda is investigating a cyber-attack on its IT network in Europe which researchers are claiming is Ekans ransomware. It said it had “experienced a disruption in its computer network that has caused a loss of connectivity, thus impacting our business operations.” The code checked specifically for the mds(dot)honda(dot)com domain, indicating that this variant has been specially customized to target the firm.

SG: Singapore to distribute wearable contact-tracing device

Vivian Balakrishnan, the minister-in-charge of Singapore’s Smart Nation Initiative, said the device is necessary because uptake of Singapore’s contact-tracing TraceTogether app has stalled at around 25 percent of Singapore’s population. The minister said the wearable’s main target is those who don’t have a smartphone or don’t have one that delivers useful data with the nation’s TraceTogether app. iPhones fall into the latter category because TraceTogether was developed before the Apple and Google contact-tracing API was available. Singapore has shown no sign of adopting that offering since.

“It will operate exactly the same way as TraceTogether on a smartphone,” he said. “There is no GPS chip on the device, or internet or mobile telephony. The data that TraceTogether captures is only Bluetooth proximity data.”

That data never leaves the device unless the user tests positive for COVID-19 and Balakrishnan added that all of the Singapore government officers who can access data are bound by the nation’s Official Secrets Act. “Whether circumstances would ever require mandatory adoption we cannot say,” he said. “I am going to do my best to push participation rates up without having to go down the mandatory route.”

It’s expected the first batch of devices will become available in the second half of June and be distributed according to a to-be-determined list of priority users.

Singapore’s Contact Tracing Wearable Causes Privacy Backlash

Singapore’s announcement that it is developing a wearable for contact tracing has caused citizens to voice concern for the technology’s impact on their data privacy, with more than 35,000 signing a petition against the devices.

US: Cox slows Internet speeds in entire neighborhoods to punish any heavy users

Jon Brodkin for Ars Technica: Cox, a cable company with about 5.2 million broadband customers in the United States, has been sending notices to some heavy Internet users warning them to use less data and notifying them of neighborhood-wide speed decreases. In one case, a gigabit customer who was paying $50 extra per month for unlimited data was flagged by Cox because he was using 8TB to 12TB a month.

Cox responded by lowering the upload speeds on the gigabit-download plan from 35Mbps to 10Mbps for the customer’s whole neighborhood. Cox confirmed to Ars that it has imposed neighborhood-wide slowdowns in multiple neighborhoods in cases like this one but didn’t say how many excessive users are enough to trigger a speed decrease.

Cox is a private company and thus doesn’t report network-upgrade spending publicly, but major ISPs such as Comcast, AT&T, and Charter have reduced network spending since the FCC repealed its net neutrality rules and common-carrier regulation.

CA: Canada’s Fitness Depot Alerts Customers to Data Breach

Fitness Depot, the largest retailer of specialty exercise equipment in Canada, has alerted customers to a data breach affecting its e-commerce platform. The incident dates back to February 2020 and may have affected some shoppers’ personal and financial information.

In a letter to potentially affected customers, Fitness Depot says it was informed of an attack affecting transactions on May 22. The company shut down its service and launched an investigation that revealed criminals placed a fraudulent form on its website. When customers were redirected to the form, their information was captured. Customers with home delivery were affected between Feb. 18 and April 27. From April 28 through May 22, any shopper who ordered for home delivery or in-store pickup also could have been affected.

Information collected by the attackers may have included customers’ names, addresses, email addresses, phone numbers, and credit card numbers used in the transaction.

CallStranger: UPnP Flaw Affecting Billions of Devices Allows Data Exfiltration, DDoS Attacks

By Ionut Arghire: In an alert published on Monday, the Computer Emergency Readiness Team (CERT) Coordination Center (CERT/CC) warns of a vulnerability that impacts the protocol in effect prior to April 17, when the Open Connectivity Foundation (OCF) updated the UPnP protocol specification. UPnP stands for Universal Plug and Play, a collection of protocols that ship on most smart devices. The flaw could allow attackers to send “large amounts of data to arbitrary destinations accessible over the Internet.”

The vulnerability, which is tracked as CVE-2020-12695 and is referred to as CallStranger, could be abused by remote, unauthenticated attackers to carry out DDoS assaults, bypass security systems and exfiltrate data, and scan internal ports.

It is caused by the Callback header value in the UPnP SUBSCRIBE function, which can be controlled by an attacker and enables an SSRF-like vulnerability affecting millions of Internet-facing and billions of LAN devices. Home users are not expected to be targeted directly, but if their internet-facing devices have UPnP endpoints, those devices may be used as DDoS sources. So if you get bored this weekend, ask your ISP whether your router has Internet-facing UPnP with the CallStranger vulnerability; there are currently around 5.45 million UPnP-capable devices connected to the internet. You might get an interesting response… And because this is a protocol vulnerability, it may take a long, long time for them to provide patches.
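The mitigation side of the flaw is a device refusing to deliver event notifications anywhere the subscriber names. The following is an added example, not code from the advisory or from any UPnP stack: it parses the CALLBACK header of a SUBSCRIBE request and accepts only plain-HTTP callback URLs whose host is a literal address on the device's own subnet. The two sample requests are constructed for the demonstration, and the rule that callbacks must stay on the local subnet is this example's policy, not a quotation of the updated specification.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SUBSCRIBE requests for illustration; not captured traffic.
BENIGN_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.23:4000/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
SUSPECT_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://203.0.113.5/collect><http://192.168.1.23:4000/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)


def parse_callback_urls(raw_request: str) -> list:
    """Extract the delivery URLs from a SUBSCRIBE request's CALLBACK header.

    UPnP writes the header as a run of angle-bracketed URLs:
    CALLBACK: <http://a/1><http://b/2>
    """
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "callback":
            urls, rest = [], value.strip()
            while rest.startswith("<"):
                end = rest.find(">")
                if end < 0:
                    break
                urls.append(rest[1:end])
                rest = rest[end + 1:].lstrip()
            return urls
    return []


def callback_allowed(url: str, lan) -> bool:
    """Accept only plain-HTTP callbacks to a literal address inside the device's LAN."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False  # a hostname would need DNS; the resolver is another SSRF path
    if addr.version != lan.version or addr not in lan:
        return False
    if addr.is_loopback or addr.is_multicast or addr == lan.broadcast_address:
        return False
    return True


def check_subscribe(raw_request: str, lan_cidr: str) -> tuple:
    """Return (accepted, reason) for a SUBSCRIBE request given the device's LAN CIDR."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    urls = parse_callback_urls(raw_request)
    if not urls:
        return False, "missing or empty CALLBACK header"
    for url in urls:
        if not callback_allowed(url, lan):
            return False, f"rejected callback {url}"
    return True, "all callbacks on local subnet"


if __name__ == "__main__":
    for req in (BENIGN_SUBSCRIBE, SUSPECT_SUBSCRIBE):
        print(check_subscribe(req, "192.168.1.0/24"))
```

Rejecting the whole subscription when any one callback fails matters because the header may list several URLs; a device that silently drops the bad one and keeps the rest still tells the subscriber which addresses it will reach. Rejecting hostnames outright is a deliberate choice: resolving them would let a name that points at an external address slip past the subnet check.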

US: Cyber incidents at NASA spiked 366% in 2019

Esther Shein for TechRepublic: There were 1,468 cyber incidents at NASA in 2019—an increase of a staggering 366%, according to data extracted and analyzed by Atlas VPN, which released the findings in a new report. As one of the nation’s most important federal agencies, “this is an alarming finding,” the company said. In 2018, NASA experienced only 315 cyber incidents.

Nearly 1,000 Vulnerabilities Found in Popular Open Source Projects in 2019

By Eduard Kovacs for Security Week: Nearly 1,000 vulnerabilities were found in popular open-source projects in 2019, more than double compared to the previous year, according to a report published on Monday by risk management company RiskSense. RiskSense analyzed 54 open source projects in which nearly 2,700 vulnerabilities were reported between 2015 and March 2020.

IN: Animal Rights Group Hacked Over Exploded Elephant Comments

Sarah Coble: The website of an animal rights group has been hacked after its founder made accusations regarding the killing of a pregnant elephant in Kerala.

The 15-year-old elephant suffered a broken jaw and died on May 27 in the Velliyar River after allegedly eating a pineapple filled with firecrackers. Such traps are commonly set in India’s forest fringe areas to keep boars and other wild animals from damaging crops. Following the expectant animal’s tragic demise, Indian politician, animal rights activist, and founder of the organization People for Animals (PfA) Maneka Gandhi said that “action should be taken against everyone who is suspected in Malappuram. An elephant is killed every three days in Kerala. We have less than 20,000 elephants left in India, they are rapidly declining.”

The politician’s comments were considered to be controversial since it is not yet clear who may have laid the trap and whether it was intended specifically for the elephant, or whether the incident occurred in Malappuram district or in the adjoining Palakkad district.

On June 4, following Gandhi’s comments, a group of cyber-criminals hacked the official website of the PFA. The group, who call themselves Kerala Cyber Warriors, replaced the PFA site with a message that read “Maneka Gandhi dragged the sad death of pregnant elephant for dirty politics.”

US: House police reform bill includes face recognition provisions

Teri Robinson: Tucked into the police reform bill introduced by the House today are provisions for using body cameras along with a cursory rebuff of facial recognition, prompting privacy advocates to call for legislators to clarify that the technology should only be used for accountability, not surveillance.

“Any reform legislation should make clear that face recognition cannot be used on footage from the body cameras of federal law enforcement, and should similarly restrict federal funds from being used by local law enforcement agencies who do not implement the same restrictions,” ACLU Senior Legislative Counsel Neema Singh Guliani said in a statement. “We need to invest in technologies that can help eliminate the digital divide, not technologies that create a surveillance infrastructure that exacerbates policing abuses and structural racism.”

House Democrats crafted the bill in the wake of the death of George Floyd at the hand of Minneapolis police officers, who have since been arrested on an array of charges.

IBM Quits Facial Recognition Over Rights Concerns

IBM has claimed it no longer sells facial recognition software and has called for a “national dialogue” on how it should be used by police in the wake of recent US protests against systemic racism.

In an open letter to Congress on racial justice reform, CEO Arvind Krishna revealed that the tech giant “has sunset its general-purpose facial recognition and analysis software products. IBM firmly opposes and will not condone uses of any technology, including facial recognition technology offered by other vendors, for mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency.”

Selfie-Gen Android Users Beware: These Top Camera Apps May Secretly Be Spying On You

Zak Doffman: A report from CyberNews says that BeautyPlus, the number-one Camera app with 300 million installs, “was identified as malware or spyware,” its developer alleged to be collecting data on servers back in China from where it was being sold. That would be your data, remember.

CyberNews investigated the top-30 “beauty” cam search results, finding an app that turns on a user camera without asking permission first, another app installing malware through its software, even an app accused of “sending users pornographic content, redirecting them to phishing sites, or collecting their pictures.” The team also found that nearly half the apps access GPS locations, 23 access device microphones, and 29 access device cameras—unsurprising for a photo app. 29 of the apps also seek permission to read user data. Once those permissions are granted the apps have free rein. The applications emanate from China. Several were linked back to the same developer network. Those common developer roots mean common code sets and methodologies. More apps mean more downloads. More users. More data. More money. If you have one on your phone, you might want to remove it.

These are the 30 Camera apps from the report…

BeautyPlus – Easy Photo Editor & Selfie Camera

Beauty Camera – Selfie Camera

Selfie Camera – Beauty Camera & Photo Editor

Beauty Camera Plus – Sweet Camera & Makeup Photo

Beauty Camera – Selfie Camera & Photo Editor

YouCam Perfect – Best Selfie Camera & Photo Editor

Sweet Snap – Beauty Selfie Camera & Face Filter

Sweet Selfie Snap – Sweet Camera & Beauty Cam Snap

Beauty Camera – Selfie Camera with Photo Editor

Beauty Camera – Best Selfie Camera & Photo Editor

B612 – Beauty & Filter Camera

Face Makeup Camera & Beauty Photo Makeup Editor

Sweet Selfie – Selfie Camera & Makeup Photo Editor

Selfie camera – Beauty Camera & Makeup camera

YouCam Perfect – Best Photo Editor & Selfie Camera

Beauty Camera Makeup Face Selfie, Photo Editor

Selfie Camera – Beauty Camera

Z Beauty Camera

HD Camera Selfie Beauty Camera

Candy Camera – selfie, beauty camera & photo editor

Makeup Camera-Selfie Beauty Filter Photo Editor

Beauty Selfie Plus – Sweet Camera Wonder HD Camera

Selfie Camera – Beauty Camera & AR Stickers

Pretty Makeup, Beauty Photo Editor & Selfie Camera

Beauty Camera

Bestie – Camera360 Beauty Cam

Photo Editor – Beauty Camera

Beauty Makeup, Selfie Camera Effects & Photo Editor

Selfie cam – Bestie Makeup Beauty Camera & Filters

Google is indexing the phone numbers of WhatsApp users… raising privacy concerns

Security researcher Athul Jayaram discovered a data leak with WhatsApp’s wa(dot)me domain that was revealing contact phone numbers on Google.

The wa(dot)me domain is used to host ‘click to chat’ links that allow users to start a chat with someone without having their phone number saved in the phone’s address book.

To create a click to chat link, use https://wa(dot)me/ followed by a full phone number in international format, where (dot) stands for a period.

The “wa(dot)me” and “API(dot)Whatsapp(dot)com” domains don’t prevent search engines from crawling phone numbers on the website, allowing any link like “https://wa(dot)me/” to get indexed by Google.

“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers,” Jayaram told ThreatPost.

Experts pointed out that the link to chat feature could be exploited by threat actors to “enumerate” legitimate WhatsApp numbers.

Jayaram reported the issue to Facebook that did not accept it as part of its bug bounty program.

“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” Facebook replied to Jayaram.

The solution to the problem is quite simple: using a robots.txt on the above domains, it is possible to prevent Google from crawling these results.

“Unfortunately they did not do that yet, and your privacy may be at stake,” he said. “Today, your mobile number is linked to your Bitcoin wallets, Aadhaar, bank accounts, UPI, credit cards…[allowing] an attacker to perform SIM card swapping and cloning attacks by knowing your mobile number is another possibility,” Jayaram stated.

IN: Any Indian DigiLocker Account Could’ve Been Accessed Without Password

Ravie Lakshmanan: The Indian Government said it has addressed a critical vulnerability in its secure document wallet service Digilocker that could have potentially let a remote attacker bypass mobile one-time passwords (OTP) and sign in as other users.

Discovered separately by two independent bug bounty researchers, Mohesh Mohan and Ashish Gahlot, the vulnerability could have been exploited easily to gain unauthorised access to sensitive documents uploaded by targeted users on the Government-operated platform.

“The OTP function lacks authorization which makes it possible to perform OTP validation with submitting any valid users details and then manipulation flow to sign in as a totally different user,” Mohesh Mohan said in a disclosure shared with The Hacker News.

With over 38 million registered users, Digilocker is a cloud-based repository that acts as a digital platform to facilitate online processing of documents and speedier delivery of various government-to-citizen services. It’s linked to a user’s mobile number and Aadhaar ID—a unique identity number (UID) issued to every resident of India.
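The class of bug Mohan describes is an OTP step that proves something but is not bound to whom it proves it for. The following is an added, deliberately simplified model written for this digest; it is not DigiLocker's code and makes no claim about how that service is built. It puts a sign-in step with the described flaw next to one that binds the token to the user named when the OTP was issued. The user registry and session store are constructed in-memory stand-ins.

```python
import hmac
import secrets

# Constructed registry of user ids and registered mobile numbers (not DigiLocker data).
USERS = {"alice": "+910000000001", "bob": "+910000000002"}


def request_otp(sessions: dict, session_id: str, user_id: str) -> str:
    """Step 1: the client names a user; the server issues a code for that user's mobile.
    Returned here only so the demo runs offline (a real service would send it by SMS)."""
    if user_id not in USERS:
        raise KeyError("unknown user")
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    sessions[session_id] = {"user": user_id, "otp": otp, "otp_verified": False}
    return otp


def verify_otp(sessions: dict, session_id: str, submitted: str) -> bool:
    """Step 2: constant-time compare; on success the session records that the OTP passed."""
    state = sessions.get(session_id)
    if state is None or not hmac.compare_digest(state["otp"], submitted):
        return False
    state["otp_verified"] = True
    return True


def sign_in_vulnerable(sessions: dict, session_id: str, requested_user: str):
    """Step 3 with the described flaw: once any OTP check passed in this session,
    the server issues a token for whichever user id the client supplies now."""
    state = sessions.get(session_id)
    if state is None or not state["otp_verified"]:
        return None
    return f"token-for-{requested_user}"


def sign_in_fixed(sessions: dict, session_id: str, requested_user: str):
    """Step 3 hardened: the OTP only proves control of the phone registered to the
    user named in step 1, so the token is bound to that user and the proof is single-use."""
    state = sessions.get(session_id)
    if state is None or not state["otp_verified"]:
        return None
    if not hmac.compare_digest(state["user"], requested_user):
        return None
    state["otp_verified"] = False
    return f"token-for-{state['user']}"


def demo() -> tuple:
    """Alice completes her OTP; the same session then asks to sign in as Bob."""
    sessions = {}
    otp = request_otp(sessions, "sess-1", "alice")
    assert verify_otp(sessions, "sess-1", otp)
    return (sign_in_vulnerable(sessions, "sess-1", "bob"),
            sign_in_fixed(sessions, "sess-1", "bob"))


if __name__ == "__main__":
    print(demo())  # the vulnerable path mints Bob's token, the fixed path refuses
```

The check worth auditing in any OTP flow is the one in sign_in_fixed: the identity that later receives a session must be the identity the server itself recorded when it sent the code, never a value re-read from the client after verification. Making the verified flag single-use also stops one successful code from being replayed into several sign-ins.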

IL: Owners of DDoS-for-Hire Service vDOS Get 6 Months Community Service

Brian Krebs: The co-owners of vDOS, a now-defunct service that for four years helped paying customers launch more than two million distributed denial-of-service (DDoS) attacks that knocked countless Internet users and websites offline, each has been sentenced to six months of community service by an Israeli court.

A judge in Israel handed down the sentences plus fines and probation against Yarden Bidani and Itay Huri, both Israeli citizens arrested in 2016 at age 18 in connection with an FBI investigation into vDOS.

Until it was shuttered in 2016, vDOS was by far the most reliable and powerful DDoS-for-hire or “booter” service on the market, allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most websites offline.

vDOS advertised the ability to launch attacks at up to 50 gigabits of data per second (Gbps) — well more than enough to take out any site that isn’t fortified with expensive anti-DDoS protection services.

Chinese Hackers Target Biden Campaign and Iranian Actors Hit Trump Campaign

Google’s Threat Analysis Group said on Thursday that a China-linked hacking group known as APT 31 or Zirconium has targeted Joseph Biden’s presidential campaign staff with phishing attacks and that the Iran-linked actor APT 35 or Charming Kitten has been launching phishing attacks against Donald Trump’s campaign.

Shane Huntley, who leads TAG, said the researchers have not seen signs that these assaults were successful. Google sent warnings to impacted users about the behavior and also informed federal law enforcement. Microsoft issued a similar warning in October that APT 35 was targeting the Trump campaign. The activity is also in keeping with Russia’s actions ahead of the 2016 United States presidential election in which Russian hackers launched highly consequential phishing attacks against campaigns and political organizations.

Anonymous Resurfaces Amidst Nationwide Protests

The leaderless hacktivist collective known as Anonymous hasn’t been much of a force to be reckoned with since 2011 or so when it rampaged across the internet in a so-called “summer of lulz.” But as Movement for Black Lives protests grew over the past week, someone self-identifying as Anonymous has raised its flag again.

News outlets picked up new threats from the group against Donald Trump and the Minneapolis Police Department, which is responsible for the killing of George Floyd that set off a new wave of demonstrations.

A collection of email addresses and passwords of Minneapolis police officers published by the group, however, turned out to be old credentials picked out of previous hacker dumps. The group’s new actions seemed to have amounted to a short-lived distributed denial-of-service attack on the Minneapolis Police website.

How to Protest Safely in the Age of Surveillance

Lily Hay Newman: Militarized police in cities across the United States have deployed armored vehicles and rubber bullets against protesters and bystanders alike. If you’re going out to protest—as is a US citizen’s right under the First Amendment—and bringing your smartphone with you, there are some basic steps you should take to safeguard your privacy. The surveillance tools that state and federal law enforcement groups have used at protests for years put it at risk right along with your physical wellbeing.

There are two main aspects of digital surveillance to be concerned about while at a protest. One is the data that police could potentially obtain from your phone if you are detained or arrested, or your device is confiscated. The other is law enforcement surveillance, which can include wireless interception of text messages and more, and tracking tools like license plate scanners and facial recognition.

“The device in your pocket is definitely going to give off information that could be used to identify you,” says Harlo Holmes, director of newsroom security at the Freedom of the Press Foundation,

For that reason, Holmes suggests that protesters who want anonymity leave their primary phone at home altogether. If you do need a phone for coordination or as a way to call friends or a lawyer in case of an emergency, keep it off as much as possible to reduce the chances that it connects to a rogue cell tower or Wi-Fi hot spot being used by law enforcement for surveillance. Sort out logistics with friends in advance so you only need to turn your phone on if something goes awry. Or to be even more certain that your phone won’t be tracked, keep it in a Faraday bag that blocks all of its radio communications. You can skip buying a Faraday bag by simply wrapping your phone up in aluminum foil. Open the bag only when necessary.

If you are using your phone but want end-to-end encryption try Signal, but remember that the recipient has to be using the same app.

The next thing to protect is your phone’s contents: your phone should be encrypted (both it and the SD card if your phone allows that), then you need to have your phone set to a strong passcode rather than biometric unlock as a search warrant is required for the latter. On an iPhone, you can enable the PIN, if you had been using biometric unlocking, by holding the wake button and one of the volume buttons at the same time.

If you use a device to take photos or videos during a protest, it’s important to keep in mind how this content could potentially be used to identify and track you and others. Files you upload to social media might contain metadata like time stamps and location information that could help law enforcement track crowds and movement. Police departments and other federal agencies have a long history of monitoring social media sites.
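The metadata the paragraph warns about lives in specific segments of a JPEG file, so it can be removed before a photo is shared. The following is an added example written for this digest, not code from the article or from any tool it mentions: a small JPEG segment walker that drops the APP1 (Exif and XMP), APP13 (Photoshop/IPTC) and COM (comment) segments and keeps the rest of the file byte-for-byte. The sample file is a constructed byte string with the right segment structure, not a real decodable image, and its "GPS" payload is made up.

```python
import struct

SOS = 0xDA
# Segments that carry metadata: APP1 (Exif, XMP), APP13 (Photoshop/IPTC), COM (comment).
METADATA_MARKERS = {0xE1, 0xED, 0xFE}


def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: 0xFF, marker, 2-byte big-endian length (counts itself)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG-like input: JFIF APP0, an APP1 block labelled Exif holding a
# made-up location string, a quantisation table, a comment, an SOS header with two bytes
# of stand-in scan data, and EOI. Not a decodable picture.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00" + b"GPS 51.5N 0.1W (constructed)")
    + segment(0xDB, b"\x00" + bytes(64))
    + segment(0xFE, b"taken at the march (constructed comment)")
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34"
    + b"\xff\xd9"
)


def _walk(data: bytes):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte, skip it
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # stand-alone markers, no length
            yield marker, pos, pos + 2
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, pos + 2 + length
        if marker == SOS:
            return
        pos += 2 + length
    raise ValueError("no SOS segment found")


def list_markers(data: bytes) -> list:
    """Marker bytes of the segments preceding the scan, SOS included."""
    return [marker for marker, _, _ in _walk(data)]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Drop APP1/APP13/COM segments; everything from SOS onward is copied verbatim."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _walk(data):
        if marker in METADATA_MARKERS:
            continue
        out += data[start:end]
        if marker == SOS:
            out += data[end:]   # entropy-coded scan plus any trailing bytes, unchanged
    return bytes(out)


if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print([hex(m) for m in list_markers(SAMPLE_JPEG)], "->", [hex(m) for m in list_markers(cleaned)])
```

Because everything after the SOS header is copied as-is, this does nothing about data appended after the end-of-image marker, and it does not touch what the pixels themselves show; it is a pre-upload hygiene step for timestamps and location tags, not a substitute for re-encoding or for checking the picture's content.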

As protests continue—and as law enforcement and even the federal government escalate their response—be prepared too for forms of digital surveillance that have never been used before to counter civil disobedience, or to retaliate against protesters after the fact. That means protesters will need to stay vigilant—against digital threats as well as bodily ones.

US: Military Surveillance Planes Flew Over US Protests

High above the ubiquitous helicopters hovering over US cities during the current protests, military planes usually used in Iraq and Afghanistan were also watching the dissent below. Tech news site Motherboard reviewed data from ADS-B Exchange, a repository of air traffic control information, and found evidence that an RC-26B military-style reconnaissance aircraft was circling Las Vegas. The FBI also deployed small Cessna aircraft, which the Freedom of the Press Foundation believes likely carried devices known as “dirtboxes,” airborne versions of the IMSI catcher systems that impersonate cell phone towers to intercept users’ communications and track the identities of protestors.

Apple publishes free resources to improve password security

Apple’s new set of tools, collectively called the Password Manager Resources, was open-sourced on GitHub last week. Apple says the new tools are primarily meant to help developers of password manager applications create a better experience for users. The tools include lists of password selection rules for many of today’s most popular websites.

The tools were published to address a long-standing issue with password manager applications that affects users across all operating systems, not solely macOS and iOS: while password managers may create unique and strong passwords, those passwords often aren’t compatible with the websites they are being created for.

Users encountering errors while generating a random password will often resort to choosing their own one instead, which many times is shorter and less secure than the one normally generated by the password manager app.

Apple claims that password managers that use its list of rules will start generating passwords that are both strong and unique, but also compatible with the websites they are being used for, and, hence, reduce user experience (UX) errors and instances where users tend to choose their passwords – a situation Apple wants to avoid.
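What "a list of rules per site" buys a password manager is easiest to see with a generator that consumes such rules. The following is an added example written for this digest, not code from Apple's repository: it parses a rules string in the password-rules grammar (required, allowed, minlength, maxlength, max-consecutive, with the named classes upper, lower, digit, special, ascii-printable and custom classes in square brackets), generates a password from the OS CSPRNG that satisfies it, and checks the result. The two per-site entries are constructed, the domain lookup with parent-domain fallback is this example's convention, and the exact membership of the special class is an assumption.

```python
import secrets
import string

# Character classes of the password-rules grammar. The members of "special" are an
# assumption in this example; the other classes are exact.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "-~!@#$%^&*_+=`|(){}[:;\"'<>,.?/]",
    "ascii-printable": "".join(chr(c) for c in range(0x20, 0x7F)),
}

# Constructed per-site quirks, shaped as domain -> {"password-rules": "..."}.
# These entries are made up for the demo and are not taken from Apple's repository.
PASSWORD_RULES_QUIRKS = {
    "bank.example": {"password-rules": "minlength: 8; maxlength: 12; required: upper; "
                                       "required: lower; required: digit; allowed: [-_.]; "
                                       "max-consecutive: 2;"},
    "shop.example": {"password-rules": "minlength: 12; required: lower; required: digit;"},
}
DEFAULT_RULES = "minlength: 16; allowed: ascii-printable;"


def rules_for(hostname: str) -> str:
    """Quirk for a host, falling back to its parent domains, then to DEFAULT_RULES."""
    labels = hostname.lower().split(".")
    for i in range(len(labels) - 1):
        entry = PASSWORD_RULES_QUIRKS.get(".".join(labels[i:]))
        if entry:
            return entry["password-rules"]
    return DEFAULT_RULES


def parse_class(token: str) -> str:
    token = token.strip()
    if token.startswith("[") and token.endswith("]"):
        return token[1:-1]                       # custom class such as [-_.]
    if token in CLASSES:
        return CLASSES[token]
    raise ValueError(f"unknown character class: {token!r}")


def parse_rules(rules: str) -> dict:
    """Parse 'key: value;' items. The alphabet is the union of all required and
    allowed classes (printable ASCII when the rules name none)."""
    spec = {"required": [], "allowed": [], "minlength": None, "maxlength": None,
            "max-consecutive": None}
    for item in rules.split(";"):
        if not item.strip():
            continue
        key, _, value = item.partition(":")
        key = key.strip().lower()
        if key in ("required", "allowed"):
            spec[key].append(parse_class(value))
        elif key in ("minlength", "maxlength", "max-consecutive"):
            spec[key] = int(value)
        else:
            raise ValueError(f"unknown property: {key!r}")
    alphabet = "".join(dict.fromkeys("".join(spec["required"] + spec["allowed"])))
    spec["alphabet"] = alphabet or CLASSES["ascii-printable"]
    return spec


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev, best = ch, max(best, run)
    return best


def complies(password: str, rules: str) -> bool:
    """Check a password against a rules string (also used to validate generate())."""
    spec = parse_rules(rules)
    if spec["minlength"] is not None and len(password) < spec["minlength"]:
        return False
    if spec["maxlength"] is not None and len(password) > spec["maxlength"]:
        return False
    if any(ch not in spec["alphabet"] for ch in password):
        return False
    if any(not any(ch in cls for ch in password) for cls in spec["required"]):
        return False
    limit = spec["max-consecutive"]
    return limit is None or longest_run(password) <= limit


def generate(rules: str, preferred_length: int = 16) -> str:
    """Generate a password satisfying the rules: one char from each required class,
    the rest from the alphabet, shuffled with a CSPRNG, retried if a run is too long."""
    spec = parse_rules(rules)
    low = spec["minlength"] or 1
    high = spec["maxlength"] or max(low, preferred_length)
    length = min(max(preferred_length, low), high)
    if length < len(spec["required"]):
        raise ValueError("maxlength too small to satisfy every required class")
    for _ in range(1000):
        chars = [secrets.choice(cls) for cls in spec["required"]]
        chars += [secrets.choice(spec["alphabet"]) for _ in range(length - len(chars))]
        for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle, CSPRNG indices
            j = secrets.randbelow(i + 1)
            chars[i], chars[j] = chars[j], chars[i]
        candidate = "".join(chars)
        if complies(candidate, rules):
            return candidate
    raise RuntimeError("could not satisfy rules")
```

The point of the per-site quirk is visible in the bank.example entry: without it, a manager's default 16-character mixed-symbol password would be rejected by a site that caps length at 12 and only allows three punctuation characters, which is exactly the moment users fall back to typing their own.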
