Week in security with Tony Anscombe

ESET joins global effort to disrupt the infamous Trickbot botnet – Criminals claim to have hijacked thousands of security cameras – Five ways to secure your home office

ESET has joined a global coordinated operation to disrupt Trickbot, the infamous botnet that has compromised at least a million computers. A hacker group is selling access to people’s private footage after allegedly hijacking more than 50,000 home security cameras. What are some of the ways to secure your home office – without having to rely on an expert’s help? All this – and more – on WeLiveSecurity.com.

Child abductors may use social media to lure victims, FBI warns

School closings and more screen time can ultimately put children at an increased risk of being kidnapped by strangers they met online

With the pandemic-forced closure of schools and a surplus of free time on their hands, minors are currently at greater risk of encountering all manner of criminals online, warns the FBI’s Internet Crime Complaint Center (IC3). The offenders may even pose as minors in an attempt to lure their targets into a trap and abduct them.

“While criminals exploit social media and social networks to commit crimes involving child sexual abuse material, sex trafficking of a minor, and child sex tourism, the use of these platforms to facilitate child abductions is lesser-known,” said the Bureau. Indeed, the FBI recently warned that human traffickers were luring victims using dating apps.

The modus operandi of child abductors involves creating accounts on various social media networks and dating platforms, where they search for their prospects. The offenders will then contact and attempt to groom the targets, eventually convincing them to meet up with the aim of abducting them. Using these platforms proves to be an attractive method of initiating contact since it’s not as risky as trying to lure the victims in person.

While kidnappings in which social media platforms were used to establish contact account for only a small share of the FBI’s child abduction investigations, the proliferation and availability of the internet, combined with the time minors spend on it, are likely to exacerbate the problem.

According to a survey by YouGov, 2 in 5 children aged 8-12 years spend two hours or more online, with almost half of those aged 13-17 saying that they spend a similar amount of time online, with at least some of it dedicated to using social media. Although most social media apps require account holders to be at least 13, it’s safe to say that many children set up their profiles sooner than that – with or without their parents’ knowledge or consent.

RELATED READING: The best social networks for younger children

The Bureau also described three cases where victims were abducted after being contacted by criminals on social media apps. All three children were eventually reunited with their families, but the incidents clearly make a case for monitoring children’s social media use.

For starters, parents should actively discuss social media use with their children. By having these discussions early and clearly explaining the risks, parents can lower the chances of their children using these platforms in ways that may hurt them. If you’d like to take an even more active role in your children’s social media journey, you can use parental controls such as TikTok’s Family pairing or Facebook’s Messenger Kids.

Importantly, comprehensive parental control tools are often integrated into security software and can be very helpful when it comes to keeping an eye on what your offspring are up to online.

To learn more about more dangers faced by children online as well as about how not only technology can help, head over to Safer Kids Online.

5 things you can do to secure your home office without hiring an expert

You don’t need a degree in cybersecurity or a bottomless budget to do the security basics well – here are five things that will get you on the right track

Many home offices are merely a corporate tentacle, complete with a virtual private network (VPN) and remotely managed workstations, with IT experts at the corporate offices doing the heavy lifting. But others lack virtually any kind of IT super-sleuth to sort things out, and that means that the end user is the IT staff, like it or not.

If this is you, not to worry. Since this week’s theme of Cybersecurity Awareness Month is “Securing devices at home and work”, here are five things you can do to secure your home office – without an advanced degree in cybersecurity or a budget in the millions. Before we dig in, the first point is really just to get started. Some security is far better than none, and since it’s so easy to get overwhelmed by the technology and give up, we’re happy you’re still reading and hope you will prepare and jump in.

Start with the router

These days, the router that you use for internet access does far more than you might think. It has a firewall, some security options, wireless connectivity and a host of other options. If you pay US$50 extra and get a business-class router, it will come stuffed with extra security options like a stateful packet inspection firewall, Denial-of-Service (DoS) protection, content filtering and others. You don’t have to be an expert in some of the crazier security features, but business routers are usually more secure out-of-the-box, and have good support to tell you what to enable. Some come with threat feeds built in, so they keep up with blocking the latest badness. Also, remember to check for updated firmware when installing the router, and periodically check with the manufacturer, say once a month, for updates.

Stick to basics

Use security software that includes multiple layers of protection; indeed, today’s security suites tend to have stacks of security and are not just “one-dimensional antiviruses” anymore. Also, keep your operating system and applications updated, ideally automatically – the updates matter because they often include patches for critical vulnerabilities. If you haven’t already, now is the time to implement full-disk encryption – even if working from home, you may have “off-site” meetings you take your laptop to, and the risk of physical theft is never zero. Speaking of which, it’s hard to overstate the importance of regular backups.

Set boundaries

You may not worry about having your device stolen by your relatives or housemates, and yet they may cause some trouble for you or your employer, even if unintentionally. Make sure you have a dedicated secure workstation you use for work and protect access to data stored on it by a strong password or passphrase that you don’t share with anybody else. Put bluntly, if everyone has the password, it’s not really a password. By extension, your family shouldn’t really use the device for things like chatting with friends or streaming movies. Also, set short timeout intervals so that the device locks itself automatically when not in use. And perhaps your virtual friend, such as Alexa or Siri, could do with some time off when you have calls or video meetings involving sensitive data.

Stay vigilant

Fraudsters of all ilk didn’t take long to catch onto the then-new reality, using the virus as a cover story in a barrage of COVID-19-themed scams and spam. The virus is now firmly entrenched in our minds and cybercriminals have by no means let up on their efforts to siphon off business funds or hold organizations’ data for ransom – including by exploiting the remote work trend and the physical separation between co-workers. Business Email Compromise (BEC) fraud, for example, has long been a major money-maker, and the losses are only expected to climb further amid the pandemic. To counter that, scrutinize all email messages and avoid clicking on any links or attachments, especially in unsolicited emails, since they may be attempts to part you from your account credentials or to download malware onto the device. Be highly suspicious of urgent requests and verify them through an alternative communication channel before sending money or data.

It’s amazing what you can learn from down-to-earth podcasts or videos on security. There’s also an endless number of free or low-priced courses that will give you a solid grounding in any imaginable aspect of security. Don’t pick one that’s written high above your head, though; instead, find some you can easily understand that take you through the basics a step at a time. We’ve previously compiled a list of free online courses about security, which also might be worth reviewing. Put bluntly, blissful ignorance should not be an option.

Stay safe and healthy

While we all have new worries these days, the old worries – and cyberthreats – haven’t gone anywhere; quite the contrary, in fact. You may still be relatively new to remote work and may still be trying to get a handle on the new reality. That said, the current troubled times may require some change in mindset – thinking of your remote office like your “real” office and being acutely aware of the myriad online threats that may hit particularly “close to home”.

Zoom to begin rolling out end‑to‑end encryption

The videoconferencing platform is making the feature available to users of both free and paid tiers

The Zoom videoconferencing platform has announced that starting next week it will begin rolling out long-awaited end-to-end encryption (E2EE) to users. The feature will be released as a technical preview, with the company proactively seeking the feedback of its userbase over the first 30 days after the launch.

“We’re pleased to roll out Phase 1 of 4 of our E2EE offering, which provides robust protections to help prevent the interception of decryption keys that could be used to monitor meeting content,” said the company when announcing the new feature. “End-to-end encryption is another stride toward making Zoom the most secure communications platform in the world … This phase of our E2EE offering provides the same security as existing end-to-end-encrypted messaging platforms, but with the video quality and scale that has made Zoom the communications solution of choice for hundreds of millions of people and the world’s largest enterprises,” Zoom CEO Eric S. Yuan was quoted as saying.

Zoom first shared its plans to launch end-to-end encryption in May, however, the news was met with mixed reactions due to the feature being announced for paying customers only. The company amended its decision in June and said that it would release the feature to all users.

The new E2EE feature is built on the same Galois/Counter Mode (GCM) encryption Zoom already uses to encrypt all its meetings, with the key difference being in how the encryption keys are distributed and stored. “In typical meetings, Zoom’s cloud generates encryption keys and distributes them to meeting participants using Zoom apps as they join. With Zoom’s E2EE, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants. Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents,” the company explained.

RELATED READING: Zoom security: Getting the settings right

The E2EE feature can be enabled across Zoom’s videoconferencing services – i.e. its desktop client, mobile apps, or Zoom room – and can host up to 200 participants in E2EE meetings. However, Zoom warns that once E2EE is enabled, use of other features will be restricted, including join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions.

To start using E2E encryption, users will have to activate it in their account settings and then opt-in on a meeting-to-meeting basis – meaning that all participants will have to have the setting enabled if they want to join an E2EE meeting. Non-paying users who’d like to gain access to E2E encryption will have to go through a one-time verification process that will require them to provide additional information such as their phone number.

A green shield logo with a padlock will appear in the upper left corner of the client to alert the users that the feature has been turned on. Additionally, to confirm the security of the connection the host’s code will be displayed in the participants’ clients; the host can then read it out aloud and the meeting attendees can check whether the codes match.
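The key-distribution model described above (the host generates the meeting key, wraps it with public-key cryptography for each participant, and the server relays only ciphertext) and the security-code comparison can be made concrete with a small simulation. The following Go program is an added example written for this page, not Zoom’s code: it uses RSA-OAEP to wrap a 256-bit AES-GCM meeting key for each participant, encrypts a media frame under that key, derives a short security code from the key as an assumed construction, and shows that a relay holding only ciphertext and public keys cannot decrypt anything. Participant names, the 2048-bit key size and the fingerprint format are assumptions of the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Participant holds a long-term RSA key pair. Only the public half ever
// travels through the relay; the private half never leaves the client.
type Participant struct {
	Name string
	priv *rsa.PrivateKey
}

func NewParticipant(name string) (*Participant, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // key size assumed for the demo
	if err != nil {
		return nil, err
	}
	return &Participant{Name: name, priv: priv}, nil
}

func (p *Participant) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data under key; the random nonce is prefixed to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails if the key is wrong or the data was altered.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// WrappedKey is the only key material the relay ever sees: the meeting key
// encrypted to one participant's public key.
type WrappedKey struct {
	To      string
	Wrapped []byte
}

// HostDistribute generates a fresh 256-bit meeting key on the host and wraps it
// for each participant with RSA-OAEP, binding each copy to its recipient's name.
func HostDistribute(peers []*Participant) ([]byte, []WrappedKey, error) {
	meetingKey := make([]byte, 32)
	if _, err := rand.Read(meetingKey); err != nil {
		return nil, nil, err
	}
	var out []WrappedKey
	for _, p := range peers {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.PublicKey(), meetingKey, []byte(p.Name))
		if err != nil {
			return nil, nil, err
		}
		out = append(out, WrappedKey{To: p.Name, Wrapped: ct})
	}
	return meetingKey, out, nil
}

// Unwrap recovers the meeting key with the participant's own private key.
func (p *Participant) Unwrap(wk WrappedKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, wk.Wrapped, []byte(p.Name))
}

// SecurityCode is a short fingerprint of the meeting key that the host reads
// aloud and attendees compare (an assumed construction, not Zoom's scheme).
func SecurityCode(meetingKey []byte) string {
	sum := sha256.Sum256(meetingKey)
	return hex.EncodeToString(sum[:4])
}

// RelayCanRead models the server: it holds ciphertext and public keys only,
// so opening a frame with anything but the real meeting key must fail.
func RelayCanRead(frame []byte) bool {
	_, err := Open(make([]byte, 32), frame)
	return err == nil
}

func main() {
	alice, _ := NewParticipant("alice")
	mk, wrapped, _ := HostDistribute([]*Participant{alice})
	got, _ := alice.Unwrap(wrapped[0])
	frame, _ := Seal(mk, []byte("video frame 1"))
	fmt.Println("codes match:", SecurityCode(mk) == SecurityCode(got), "relay can read:", RelayCanRead(frame))
}
```

The point to notice is that the relay forwards `WrappedKey` values and sealed frames without ever holding a private key, which is exactly why it cannot decrypt; the security code gives attendees a way to confirm they all unwrapped the same key, which is the defence against a substituted key.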

The platform also expects to release better identity management and E2EE single-sign-on integration during Phase 2 of its E2EE offering with the release date “tentatively” set for 2021.

This is just the latest security and privacy feature to be launched as part of Zoom’s effort to mitigate concerns after its privacy and security shortcomings came to light amid the platform’s rise to stardom largely occasioned by the recent shift to remote work. Last month, the company rolled out support for two-factor authentication across its web, desktop, and mobile applications.

50,000 home cameras reportedly hacked, footage posted online

Some footage has already appeared on adult sites, with cybercriminals offering lifetime access to the entire loot for US$150

A hacker collective claims to have breached over 50,000 home security cameras before going on to steal people’s private footage and post some of it online. While a considerable portion of the videos seems to have come from Singapore, a number of people living in Thailand, South Korea, and Canada also appear to have had their privacy invaded.

Some of the videos – which range from one to twenty minutes in length and show people of varying ages in compromising positions or various stages of undress – have been uploaded to porn websites.

The New Paper, which broke the story, quoted the unnamed hacker group as saying that it has shared the clips with over 70 members who paid US$150 for lifetime access to the loot. The gang, whose group on the instant messaging app Discord has nearly 1,000 members, reportedly specializes in hacking security cameras.

To lend extra credence to their claims, the collective is offering a free sample containing 700 megabytes worth of data comprising over 4,000 clips and pictures. They’re also reportedly willing to share access to all hijacked cameras with fellow members. Moreover, “VIP members” with voyeuristic tendencies will be treated to a course on how to “explore, watch live and record” hacked cameras, which could mean that the number of private videos could grow over time.

RELATED READING: Prison surveillance footage posted on YouTube

“As worrying as it may seem, this comes as a clear reminder that when cameras are placed on the internet, they must be properly installed with security in mind. When smart devices are set up, they are still regularly placed around the home with no second thought for privacy,” said ESET Security Specialist Jake Moore. However, he hopes that the incident will prompt people to take security precautions when setting up their smart cameras.

While details on how the cybercriminals were able to gain access to the cameras that are usually used to boost security or monitor minors are sparse, there are multiple plausible explanations for how the cameras were compromised.

Much like other devices, internet-connected cameras aren’t immune to security vulnerabilities. For example, a few months ago British consumer watchdog Which? warned about 3.5 million cameras from around the world that were susceptible to hacking due to a set of security flaws. Last year, ESET researchers uncovered a series of vulnerabilities in a D-Link cloud camera that could have allowed attackers to tap into its video stream.

RELATED READING: These things may be cool, but are they safe?

Poor password hygiene could be blamed for the hacks. Users may have stuck to the default password that was set up by the device manufacturer and wouldn’t be hard to obtain or guess for anyone with ill intentions. Other users may have underestimated the need for a strong and unique password or passphrase for a ‘mere’ IoT device.

Whatever the case may be, IoT security should not be underestimated, as the use of all sorts of smart devices has profound security and privacy implications. To save yourself from a privacy nightmare in the future, make sure that all your IoT devices run the latest firmware version and that any security patches are applied promptly. When choosing a password, try to avoid the cardinal sins of password creation. Whenever possible, secure your accounts with multi-factor authentication. If you’re considering buying a connected device, instead of going for the cheapest option, choose a reputable vendor with a proven track record of manufacturing properly-secured devices that they regularly update and patch during the device’s lifecycle.

Attackers chain Windows, VPN flaws to target US government agencies

Bad actors have accessed US elections support systems, although there’s no evidence to suggest that election data has been compromised, say FBI and CISA

Threat actors have been chaining vulnerabilities in Windows and Virtual Private Network (VPN) services to target various government agencies, critical infrastructure and election organizations, according to a warning by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI). The technique, which involves exploiting several flaws over the course of a single attack to infiltrate an organization’s network, is part of the gangs’ ramped-up efforts ahead of the US presidential election.

“This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” reads the advisory issued by the agencies.

And while CISA did note that some of the attackers’ activities have led to unauthorized access to elections support systems, the agency doesn’t have any evidence to conclude that the integrity of the elections has been jeopardized in any way.

Malicious cyber actors are exploiting legacy vulnerabilities against SLTT, Critical Infrastructure, and Elections Organizations. Read our joint advisory with the @FBI for technical details and recommended actions: https://t.co/FDbCpPdNbV #InfoSec #InfoSecurity #Protect2020 pic.twitter.com/D2Clny9zUI

— Cybersecurity and Infrastructure Security Agency (@CISAgov) October 10, 2020

The chains

The threat actors have been exploiting several legacy vulnerabilities in VPN services together with the Windows Netlogon elevation of privilege vulnerability tracked as CVE-2020-1472 and patched in August to gain unauthorized network access. Threat actors have been seen leveraging this flaw, also known as Zerologon, in tandem for example with the vulnerability indexed as CVE-2018-13379 and residing in FortiOS Secure Socket Layer (SSL) VPN.

“After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials,” the agencies warned.

RELATED READING: Black Hat 2020: Fixing voting issues – boiling the ocean?

Additionally, cybercriminals have been observed exploiting a remote code execution vulnerability in MobileIron Core & Connector. The flaw, tracked as CVE-2020-15505, could allow attackers to gain administrative-level privileges to a system; however, its exploitation hasn’t been as widespread.

The advisory also sets out a list of other vulnerabilities that could be used to compromise internet-facing infrastructure and gain network access, such as CVE-2020-19781 in Citrix NetScaler, CVE-2019-11510 in Pulse Secure VPN, and the vulnerability indexed as CVE-2020-5902 and affecting F5 Networks’ BIG-IP multi-purpose networking devices.

To mitigate the chances of being compromised, the CISA and the FBI advise organizations to keep their systems up-to-date and apply the latest available security patches where available. Moreover, institutions should update both their VPN and network infrastructure and use multi-factor authentication when signing into their respective VPN services. If they suspect that credential abuse is afoot, organizations should run comprehensive account resets.

This is just the latest in a series of advisories published by the two federal agencies in the run-up to the 2020 presidential election. Last month, for example, they issued a warning about disinformation campaigns spreading rumors and false claims about hacked voting systems.

Week in security with Tony Anscombe

Why deleting your personal data from social media may be impossible – How do you reset your face after a data breach? – The perils of working from a hotel

If you think that deleting your accounts from various social media and instant messaging apps also deletes your personally identifiable information, you should think again. It’s easy enough to reset your password or PIN after a data breach, but how do you reset your face in case your biometric data is compromised? As many remote workers are renting hotel rooms as their makeshift offices, the FBI is warning them of the risks that using hotels’ Wi-Fi networks entails. All this – and more – on WeLiveSecurity.com.

55 security flaws found in various Apple services

Five ethical hackers have earned almost US$300,000 in bug bounty rewards – so far

A team of five ethical hackers have discovered a grand total of 55 vulnerabilities in a range of Apple’s services, with almost a dozen flaws rated as critical. The disclosed security loopholes – which were found over a span of three months and were promptly fixed – have earned the white-hat hackers a total of US$288,500 in rewards under Apple’s bug bounty program. And even that may not be the final tally, since those are cash rewards for “only” 32 vulnerabilities, with payouts for the rest likely to follow soon.

“During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources,” said the five white hats.

RELATED READING: Is bug hunting a viable career choice?

No fewer than 11 vulnerabilities are considered critical, with 29 deemed high, 13 classified as medium, and the remaining two ranked as low. To evaluate the severity of the flaws, the team used a combination of the Common Vulnerability Scoring System (CVSS) and their knowledge of how much business-related impact the bugs would have.

There are two vulnerabilities that particularly stand out among the flaws: a remote code execution (RCE) flaw that could allow for a full compromise of the Apple Distinguished Educators program and a wormable stored cross-site scripting (XSS) vulnerability that could let a threat actor steal iCloud Data.

In the case of the former, a threat actor who successfully circumvents authentication and gets access to the administration console could completely compromise the application. “Overall, this would’ve allowed an attacker to execute arbitrary commands on the ade.apple.com web server, access the internal Lightweight Directory Access Protocol (LDAP) service for managing user accounts and access the majority of Apple’s internal network,” according to the white hats.

RELATED READING: Apple issues security patches for … just about everything

Meanwhile, the researchers were also able to put together a proof-of-concept where they went on to demonstrate how a hacker could potentially exploit the wormable XSS loophole. The attack involves modifying a Cascading Style Sheets tag, which would then be sent by email to an iCloud email address. An attacker could covertly pilfer all data that the victim has stored on their iCloud, including photos, videos, and documents, as well as spread the malicious email to everyone on the victim’s contact list.

The team praised the Cupertino tech giant for its quick response time: “Overall, Apple was very responsive to our reports. The turnaround for our more critical reports was only four hours between time of submission and time of remediation.” Most of the other flaws were fixed within 1-2 business days.

Google adds password breach alerts to Chrome for Android, iOS

The feature is part of the browser’s security improvements that were first built into its desktop version

Google is bringing new security features to the Android and iOS versions of its Chrome web browser. Chrome 86, which was released earlier this week, adds features aimed at bolstering password protection as well as providing a safer and more secure browsing experience.

Much like with a feature that is already available for Chrome on computers, the browser’s version for mobile platforms will now compare your saved login credentials against a list of login details that are known to have been compromised; if a match is found, it will alert you. For convenience’s sake, the browser will also redirect you straight to the form where you can change your credentials.
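The comparison described above, checking saved credentials against a list of known-compromised ones, is usually done so that the full password (or its hash) never leaves the device. The Go program below is an added example written for this page; it illustrates the general hash-prefix range-query technique, not Chrome’s own protocol. The client hashes the password locally, sends only the first five hex characters of the SHA-1 hash to the lookup service, receives every suffix sharing that prefix, and finishes the comparison locally. The leaked-password list, the `BreachIndex` structure and the function names are constructed for the demo.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample of leaked passwords standing in for a breach corpus.
var leakedPasswords = []string{"password123", "letmein", "qwerty", "Welcome1", "hotel2020"}

// hashUpper returns the uppercase hex SHA-1 of s, the form used by range queries.
// SHA-1 is used here only as a lookup key, never to protect stored passwords.
func hashUpper(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// BreachIndex maps a 5-character hash prefix to the suffixes of every leaked
// hash that shares it; this is what the lookup service holds.
type BreachIndex map[string][]string

func BuildIndex(leaked []string) BreachIndex {
	idx := BreachIndex{}
	for _, pw := range leaked {
		h := hashUpper(pw)
		idx[h[:5]] = append(idx[h[:5]], h[5:])
	}
	return idx
}

// RangeQuery is the service side: given only a prefix, return every matching
// suffix. The service learns nothing beyond the 20-bit prefix.
func (idx BreachIndex) RangeQuery(prefix string) []string {
	return idx[prefix]
}

// CheckResult records what left the device and whether a match was found.
type CheckResult struct {
	PrefixSent  string
	Compromised bool
}

// CheckPassword is the client side: hash locally, send the prefix only, and
// compare the returned suffixes against the local remainder of the hash.
func CheckPassword(idx BreachIndex, password string) CheckResult {
	h := hashUpper(password)
	prefix, suffix := h[:5], h[5:]
	for _, s := range idx.RangeQuery(prefix) {
		if s == suffix {
			return CheckResult{PrefixSent: prefix, Compromised: true}
		}
	}
	return CheckResult{PrefixSent: prefix, Compromised: false}
}

func main() {
	idx := BuildIndex(leakedPasswords)
	for _, pw := range []string{"password123", "a-long-unique-passphrase-7!x"} {
		r := CheckPassword(idx, pw)
		fmt.Printf("sent prefix %s, compromised=%v\n", r.PrefixSent, r.Compromised)
	}
}
```

Over a real network the `RangeQuery` call would be an HTTPS request; the design point is that the service sees a prefix shared by many hashes, so it cannot tell which password was checked, while the client still gets an exact answer.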

RELATED READING: The worst passwords of 2019: Did yours make the list?

Additionally, Google is also introducing its Safety Check feature to the Chrome mobile release after first launching it on desktop. This will include checking whether your browser version is up to date and if you’ve enabled Safe Browsing.

Another feature that is making its way to Android, and that was also launched on Chrome desktop earlier this year, is Enhanced Safe Browsing. The feature adds proactive protections aimed at shielding you from phishing, malware, and fraudulent and dangerous websites by providing real-time data to Google’s Safe Browsing service. Google estimates that users who have activated the feature have seen a 20-percent drop in entering their credentials into phishing websites.

To boost password security on iOS, Google is adding biometric authentication before auto-filling passwords on its browser. You will now be able to authenticate yourself using your device’s existing biometric login features – Face ID and Touch ID – as well as passcode. Moreover, the Chrome Password Manager will allow you to autofill saved passwords on other iOS apps as well, as long as you enable the feature in Chrome’s settings.

Google was also planning to launch Mixed form warnings that were slated for Chrome 86 but are now being delayed until Chrome 87, which will be released on November 17th. The feature is planned to be a part of both the desktop and Android versions of the browser and is supposed to warn you before you submit a non-secure form that is embedded on an HTTPS-secured webpage. It will also block and alert you to some insecure downloads launched by secure websites. Chrome plans to eventually block mixed downloads altogether, which means secure websites will be limited to launching only secure downloads regardless of the file type.

Working from a hotel? Beware the dangers of public Wi‑Fi

As more and more hotels are turning rooms into offices, the FBI is warning remote workers of cyber-threats lurking in the shadows

With the COVID-19 pandemic forcing an increasing number of companies to shift to remote work, employees working from home have been struggling to find a quiet, distraction-free environment for work. The hospitality industry has also been impacted by the pandemic, with more and more hotels across the United States offering their empty rooms as daytime makeshift offices for remote workers seeking to work in peace.

Taking note of the trend, the FBI’s Internet Crime Complaint Center (IC3) has issued an announcement warning about the risks of using hotel Wi-Fi networks to access sensitive and work-related information. “Malicious actors can exploit inconsistent or lax hotel Wi-Fi security and guests’ security complacency to compromise the work and personal data of hotel guests,” the Bureau warned.

Related reading: Public Wi‑Fi security: Your questions answered

Hotel guests connected to Wi-Fi networks can be easy targets for cybercriminals, who can launch a variety of attacks to target their victims. This includes infiltrating a poorly secured network to monitor their victims’ traffic and redirect them to fraudulent login pages, or launching an “evil twin” attack, wherein the attacker creates a malicious Wi-Fi network that carries a similar name to the hotel’s network in order to dupe unsuspecting guests into connecting to it and providing the black hat direct access to their devices.
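The “evil twin” pattern described above leaves a trace a guest’s device can look for before connecting: a network name that resembles the hotel’s appearing with a different security setting or a slightly different spelling. The following Go program is an added example written for this page, not the FBI’s or any vendor’s tool; it groups scan results by a normalized network name and flags groups that mix open and encrypted networks or several spellings. The scan data is constructed, the BSSIDs are made up, and the heuristic is deliberately simple: a hotel with many access points will legitimately show one SSID on several BSSIDs, which is why the check looks at security settings and spelling rather than at BSSID count.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ScanResult is one row from a Wi-Fi scan.
type ScanResult struct {
	SSID     string
	BSSID    string
	Security string // "open", "wpa2" or "wpa3"
}

// Constructed scan as a guest might see it: the hotel's real network on two
// access points, an open look-alike, a punctuation variant and an unrelated network.
var sampleScan = []ScanResult{
	{"Grand_Hotel_Guest", "a4:12:34:56:78:01", "wpa2"},
	{"Grand_Hotel_Guest", "a4:12:34:56:78:02", "wpa2"},
	{"Grand_Hotel_Guest", "de:ad:be:ef:00:01", "open"},
	{"Grand-Hotel-Guest", "de:ad:be:ef:00:02", "open"},
	{"CoffeeShop", "00:11:22:33:44:55", "wpa2"},
}

// normalize folds case and drops punctuation so look-alike names group together.
func normalize(ssid string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(ssid) {
		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Finding describes one suspicious group of network names.
type Finding struct {
	Names   []string // distinct SSIDs in the group, sorted
	Reasons []string
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// FlagLookalikes returns one Finding per normalized name that shows either
// several spellings or a mix of open and encrypted networks.
func FlagLookalikes(scan []ScanResult) []Finding {
	groups := map[string][]ScanResult{}
	for _, r := range scan {
		k := normalize(r.SSID)
		groups[k] = append(groups[k], r)
	}
	var out []Finding
	groupKeys := make([]string, 0, len(groups))
	for k := range groups {
		groupKeys = append(groupKeys, k)
	}
	sort.Strings(groupKeys)
	for _, k := range groupKeys {
		names, secs := map[string]bool{}, map[string]bool{}
		for _, r := range groups[k] {
			names[r.SSID] = true
			secs[r.Security] = true
		}
		var reasons []string
		if len(names) > 1 {
			reasons = append(reasons, "several spellings of the same name")
		}
		if len(secs) > 1 {
			reasons = append(reasons, "mixed security settings (open and encrypted)")
		}
		if len(reasons) > 0 {
			out = append(out, Finding{Names: sortedKeys(names), Reasons: reasons})
		}
	}
	return out
}

func main() {
	for _, f := range FlagLookalikes(sampleScan) {
		fmt.Printf("suspicious: %v (%s)\n", f.Names, strings.Join(f.Reasons, "; "))
	}
}
```

A flagged group is a reason to ask the front desk which network and security setting are genuine, or to fall back to a personal hotspot, rather than a proof of an attack; the check is meant to surface the discrepancy a guest would otherwise never notice.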

If a guest or teleworker connects to an ill-secured or vulnerable Wi-Fi network, a threat actor could compromise their company-issued devices, gaining access to sensitive work data stored on the device or infiltrating the company’s network. This could allow the hacker to comb through the company’s systems in search of proprietary information, as well as implant malware such as keyloggers or ransomware that could then propagate to other devices connected to the network.

“Cybercriminals can use information gathered from access to company data to trick business executives into transferring company funds to the criminal,” added the FBI when highlighting the threat of Business Email Compromise (BEC) scams, also known as CEO fraud.

Related reading: 6 tips for safe and secure remote working

Remote workers who are considering making the leap to working from a hotel would do well to ponder additional risks beyond their control, such as the hotel’s approach to cybersecurity or how it handles its network infrastructure. The hotel-turned-office may be using outdated networking equipment that could be riddled with vulnerabilities or it may not update and patch its systems often enough, any of which could provide avenues for attacks.

However, if working from a hotel room remains an attractive option, there are steps that employees can take to protect their devices and mitigate the chances of falling prey to cybercriminals while working on a public hotel Wi-Fi.

Using a Virtual Private Network (VPN) will help protect you from prying eyes by encrypting your internet traffic. Check to see that your work device, as well as any other device you will be connecting to the hotel’s Wi-Fi network, has been updated to the newest version of its operating system and that all recent security patches have been applied. If possible, avoid accessing any accounts or files that carry sensitive data such as financial details. While logging into your accounts, make sure that you’re using two-factor authentication, which will add an extra layer of security. Instead of connecting to the hotel’s network, you can use your smartphone to create a mobile hotspot.