Zoom makes 2FA available for all its users

Zoom now supports phone calls, text messages and authentication apps as forms of two-factor authentication  

Zoom is rolling out support for two-factor authentication (2FA) across its web, desktop, and mobile applications, allowing users to double down on the security of their accounts with an extra layer of protection. 

For context, 2FA systems require users to pass authentication challenges that need responses from two different factors. Three classic authentication factors are commonly used: something you know, like a password or PIN code; something you have, such as a physical key or an authentication app; and something you are, which covers biometrics like fingerprints or retina scans.

The videoconferencing platform announced the new security feature in a blog post, stating: “Zoom’s enhanced Two-Factor Authentication (2FA) makes it easier for admins and organizations to protect their users and prevent security breaches right from our own platform.” In a statement provided to The Verge, the company confirmed that it is making the feature available to all its users across the board, including those using its free plan.

Zoom also described the ways users can authenticate themselves while signing into their accounts, “With Zoom’s 2FA, users have the option to use authentication apps that support Time-Based One-Time Password (TOTP) protocol (such as Google Authenticator, Microsoft Authenticator, and FreeOTP), or have Zoom send a code via SMS or phone call, as the second factor of the account authentication process.” 

While using SMS text messages as a second factor is better than not using one at all, it is better to opt for one of the supported authentication apps, since a code generated on your own device makes it much harder for cybercriminals to get into your account even if you become the target of a SIM swapping attack.

The video communication company also allows users to sign into their accounts with recovery codes in the event that their device gets lost or stolen. You can check out the whole process of activating 2FA, as well as using recovery codes, on the platform’s help center.

With the COVID-19 pandemic surging and forcing many companies to transition to remote working, Zoom and other videoconferencing and communication services have enjoyed a boost in popularity. However, the company has also been in the spotlight due to the privacy and security issues it experienced after users flocked to its platform in large numbers. If you’re a Zoom user, you should also check out our article on getting your Zoom security settings right.

Week in security with Tony Anscombe

ESET researchers have discovered and analyzed CDRThief, a malware that targets Voice over IP (VoIP) softswitches. Righard Zwienenberg digs into the lead-offering business and invites us to take steps to mitigate this problem. Finally, an overview of the TikTok pairing feature, which gives parents greater control over how their children interact with the app. All this – and more – on WeLiveSecurity.com.

Portland passes the strictest facial recognition technology ban in the US yet 

Oregon’s largest city aims to be a trailblazer when it comes to facial recognition legislation.

On Wednesday, The Portland City Council passed what could be considered one of the strictest facial recognition bans in the United States. The legislation bans both city government agencies and private businesses from using the technology on the city’s grounds. 

While bans on the public use of facial recognition have previously been passed by other cities, Portland is the first to bar private use of this technology. As stated by Portland City Council Commissioner Jo Ann Hardesty, quoted by OneZero: “I believe what we’re passing is model legislation that the rest of the country will be emulating as soon as we have completed our work here.”

The bill, which was passed unanimously by the city’s legislative body, comprises two ordinances. The first, which bans the public use of facial recognition technology, came into effect immediately after the bill was passed. The ordinance also gives all the city bureaus 90 days to complete an assessment of their use of facial recognition. Meanwhile, the second ordinance is aimed at blocking use of the technology by “private entities in places of public accommodation” and will be effective starting January 1st, 2021.

Specifically, places like hotels, restaurants, movie theaters, educational institutions, barbershops and others will be prohibited from using facial recognition technology. Venues violating the ban could be fined US$1,000 for each day of violation.

The ordinances also set out some exceptions where facial recognition can be used. Examples include verification for unlocking smartphones, automated face detection used for tagging someone in social media apps, and use by city bureaus and agencies to obscure and redact faces to protect privacy when images are released outside the city.

Although the use of facial recognition is a contentious issue, especially from the privacy versus security point of view, the number of cities banning the surveillance technology has been slowly growing. San Francisco became the first US city to ban the technology, with other US cities following in its footsteps, including Oakland, Cambridge, and Berkeley. Preceding Portland, Boston was the most recent city to join the ranks, barring city officials from using the technology and from procuring facial surveillance from third parties.

UK University suffers cyberattack, ransomware gang claims responsibility 

The cyber incident has taken most of Newcastle University’s systems offline and officials estimate it will take weeks to recover.

While students are slowly preparing to return to their universities and colleges after a prolonged absence due to the Covid-19 pandemic, Newcastle University in England has been left reeling from a cybersecurity incident that has affected almost all its systems.

The university first became aware of the cyber incident disrupting its networks and IT systems on Sunday, August 30th, and deployed a full incident response plan to evaluate the extent of the issue and stabilize the situation. 

Although Newcastle University only stated that it suffered a cyberattack without identifying a culprit, according to BleepingComputer the DoppelPaymer ransomware gang is claiming credit for the attack and sharing 750Kb of stolen data on its website as proof.

Due to the early stage of the investigation, officials did not disclose whether any personal information was compromised. They did, however, insist that the university takes the security of its systems seriously and that it responded quickly to the situation.

Moreover, they confirmed that there was no evidence that the university payroll data had been compromised, adding that their online payment system has not been affected either, since it is managed offsite by the university’s payment provider.

The incident response itself is also causing disruption. “All University systems – with the exceptions of those listed in the communications (Office365 – including email and Teams, Canvas and Zoom) are either unavailable or available but with limitations. Access may cease at any point,” officials said on the dedicated incident webpage.

University officials also warned that many of its IT systems will not be working and that those currently operational may be taken offline without prior notice. Staff may also lose access to their accounts without notice, and devices may be removed if they have been impacted by the incident. The university also went on to recommend that students and staff transfer any essential or critical data to their OneDrives.

An update from the University Executive Board to the staff has revealed that the ongoing IT issues have forced teams at the Faculty of Medical Sciences to register over 1,000 returning medical students manually over the weekend, before they were set to return on Monday. 

Newcastle University’s IT service (NUIT) is working to recover its systems while aiding the Police and the National Crime Agency in their investigation. The UK’s Internet Commissioner’s Office has been notified as well. 

Universities falling victim to cyberattacks are not an unusual occurrence, since besides handling the personal data of employees and students they tend to work on highly valuable research. In 2019 a malware infestation led to a curious password retrieval process, where 38,000 people were forced to pick up their passwords in person.

Photo caption: Newcastle University

Week in security with Tony Anscombe

ESET research dissects KryptoCibule malware family – Why close unused accounts rather than just remove apps – Microsoft’s new deepfake detector

ESET researchers dissect a malware family that they named KryptoCibule and that uses the victim’s resources to mine digital coins, hijacks transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files. Now that the COVID-19 pandemic has prompted many of us to create accounts on various video-chatting apps, including Houseparty, it might be a good time to check for apps you no longer use and delete your accounts with those services. Microsoft has announced a new tool called Microsoft Video Authenticator that’s designed to identify deepfakes and help combat the proliferation of doctored media on the internet. All this – and more – on WeLiveSecurity.com.

Microsoft debuts deepfake detection tool

As the US presidential election nears, the company’s new tech should also help assure people that an image or video is authentic

Microsoft has announced a new tool that’s designed to identify deepfakes and help combat the proliferation of doctored media on the internet. Dubbed Microsoft Video Authenticator, the new technology can analyze both photos and videos, looking for signs that the media was artificially manipulated.

For context, deepfakes are synthetic media created using machine learning (commonly mislabeled as “artificial intelligence”) to superimpose the likeness of a person onto an existing image or video. This can be done from scratch or using a template, with the doctored result sometimes being practically indistinguishable from the real thing. This allows attackers to make people appear to be saying things they did not say or to appear in places where they have never been.

Microsoft Video Authenticator, which the company hopes can be helpful in the run-up to the US presidential election, can analyze videos and photos and provide a percentage chance or confidence score to estimate if the media has been artificially manipulated.

“In the case of a video, it can provide this percentage in real-time on each frame as the video plays. It works by detecting the blending boundary of the deepfake and subtle fading or greyscale elements that might not be detectable by the human eye,” explains Microsoft’s blog.

Source: Microsoft

The tool was created using a public dataset from Face Forensics++ and its testing was conducted using the Deepfake Detection Challenge Dataset, both of which are considered to be paragons of training and testing detection technologies.

However, the Redmond giant expects deepfake and similar technologies to evolve and become more sophisticated. “As all AI detection methods have rates of failure, we have to understand and be ready to respond to deepfakes that slip through detection methods. Thus, in the longer term, we must seek stronger methods for maintaining and certifying the authenticity of news articles and other media,” said Microsoft.

Per the company, there aren’t many tools to help readers verify that the media they’re consuming are coming from a trusted source and that the material wasn’t altered. That’s why Microsoft is also launching a new piece of technology that aims to ferret out manipulated or doctored content, as well as to assure readers that the media they’re seeing is genuine. The tech is made up of two parts.

The first component is integrated into Microsoft Azure and allows the content creator to add digital hashes and certificates to their content, which remain a part of it in the form of metadata wherever it spreads across the internet. The second component is a reader that verifies the certificates and matches the hashes so as to confirm the content’s authenticity.
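The two-part design just described, as an added example that is not Microsoft’s code and is not from the article: a creator-side function that attaches per-chunk SHA-256 hashes plus a signed manifest as metadata, and a reader-side function that checks the signature first and then reports which chunks no longer match. Assumptions: an HMAC under a creator key stands in for the certificate-backed signature (a real deployment would use a public-key signature and certificate chain so any reader can verify without the creator’s key), and the “video” bytes, key and creator name are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo values; not real media, keys or organizations.
DEMO_KEY = b"constructed-demo-creator-key-not-a-real-secret"
ORIGINAL = b"FRAME00:candidate says A|FRAME01:candidate says B|FRAME02:end"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Stable serialization so creator and reader sign/verify identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_content(content: bytes, creator: str, creator_key: bytes, chunk: int = 16) -> dict:
    """Creator side: build a provenance manifest (the metadata that travels with the
    media). Per-chunk hashes let a reader say *where* a file was altered, not just that
    it was; the signature over the manifest body binds the hashes to the creator."""
    chunks = [content[i:i + chunk] for i in range(0, len(content), chunk)]
    body = {
        "creator": creator,
        "chunk_size": chunk,
        "content_sha256": sha256_hex(content),
        "chunk_sha256": [sha256_hex(c) for c in chunks],
    }
    # ASSUMPTION: HMAC stands in for a certificate-backed digital signature.
    body["signature"] = hmac.new(creator_key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_content(content: bytes, manifest: dict, creator_key: bytes) -> dict:
    """Reader side. The signature is checked before any hash is trusted: unsigned hashes
    could simply be rewritten alongside the altered media."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    expected = hmac.new(creator_key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("signature", ""))):
        return {"authentic": False, "reason": "manifest signature invalid", "altered_chunks": []}
    size = body["chunk_size"]
    chunks = [content[i:i + size] for i in range(0, len(content), size)]
    recorded = body["chunk_sha256"]
    altered = [i for i, c in enumerate(chunks)
               if i >= len(recorded) or sha256_hex(c) != recorded[i]]
    ok = (len(chunks) == len(recorded) and not altered
          and sha256_hex(content) == body["content_sha256"])
    reason = "" if ok else "content does not match the signed hashes"
    return {"authentic": ok, "reason": reason, "altered_chunks": altered}


if __name__ == "__main__":
    manifest = sign_content(ORIGINAL, "Demo Newsroom", DEMO_KEY)
    print("untouched:", verify_content(ORIGINAL, manifest, DEMO_KEY))
    doctored = ORIGINAL.replace(b"says B", b"says C")
    print("doctored: ", verify_content(doctored, manifest, DEMO_KEY))
    forged = dict(manifest, creator="Someone Else")      # metadata rewritten, signature stale
    print("forged:   ", verify_content(ORIGINAL, forged, DEMO_KEY))
```

Any re-encoding, cropping or recompression also changes the hashes, so this scheme proves that bytes are the ones the creator signed rather than judging whether an unsigned file is genuine.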

The tech titan also partnered up with the University of Washington, Sensity, and USA Today to launch an interactive quiz to educate people on synthetic media and spotting deepfakes. Although the quiz is aimed at people in the United States in the run-up to the presidential elections, anyone can take the test.

Houseparty – should I stay or should I go now?

What’s the benefit of deleting your Houseparty – or any other unused – account, rather than just uninstalling the app?

When the coronavirus pandemic began, people took to Houseparty in their millions. Many of us weren’t allowed to meet anyone in person, so videocalling became an even bigger success and Houseparty was the front runner. Between March and April 2020, Houseparty reported 50 million sign-ups. For comparison, the app was downloaded 533,000 times in February 2020.

Houseparty was in the press for all sorts of reasons, including some rather negative slants from rumours that some accounts had been hacked. However, this was never proven and is thought to be a smear campaign. Nonetheless, the app was definitely a hit with the younger generations for keeping in touch with their friends, and remained a top 10 app during the early part of lockdown.

Moving on a few months, and as we start to ease back into our normal routines as safely as we can, we now have the option of seeing a small number of people again. It is, therefore, likely that Houseparty “rooms” aren’t being attended in the same numbers they once were.

Like many unused apps on people’s phones, I assume many people left Houseparty idle on their devices rather than deleting it and even fewer probably deleted their accounts. “But what’s the benefit of deleting an account rather than just removing the app?” you may ask.

Houseparty, and many other apps, collect basic registration details like name, email address, birthday, phone number, address, username and password when you create an account. They even have the ability to collect location information from your IP address, and some apps may share all of this information with third parties too.

What happens when you delete your Houseparty account?

When we delete a social media or any other online service account, most of us probably assume that the service operator will wipe all our personal information from its systems. Our data can then no longer be used for any further purpose such as marketing, which is a win for privacy and a loss for mass data collection.

However, in my research I found that not all apps have been playing by the “rules” of information deletion – even when they said they did. Security researcher Saugat Pokharel was awarded a US$6,000 bug bounty payout after he discovered that Instagram retained photos and private direct messages on its servers long after he thought he had deleted them. And Instagram isn’t the only big name in recent years to fall foul of this misdemeanour. Last year, security researcher Karan Saini found that Twitter was retaining deleted direct messages for years, as well as data sent to and from accounts that had been deactivated and suspended.

I decided to reach out to Houseparty and asked them what the best way is to delete my data from their servers. Their response was speedy and helpful:

“Generally, account deletion is the only way to remove data from our systems. Kindly note that any related personal identifying information will be removed once you have processed the account deletion.”

When you delete your Houseparty account, you are restricting the use of your data and withdrawing consent to being tracked. However, the bigger worry for me is if you don’t delete your account and then one day the company is hit with a data breach, you could see all your information being sold on the dark web. Criminals will never stop attacking servers and if your data is among that stolen, it could be used against you.

Should any of our readers be old enough to remember Myspace, there is a fair chance they would have owned an account. In 2005 it was the coolest network going and arguably one of the earliest, widely popular social media sites. It was a great place to find friends, bands and banter. But when Facebook and other sites came along and dominated, I wonder how many users deleted their accounts or unconsciously chose to just never log in again. In 2016, login credentials and related data of 427 million Myspace accounts were put up for sale on the dark web, and it’s my hunch that not all of those accounts were active users. This stolen data included passwords, so anyone reusing passwords could have lost access to other accounts as well. If people leave their accounts open and idle, they are potentially leaving themselves open to future attacks.

My advice is to only ever enter personal data if you absolutely must and use a VPN where possible for apps that use or even on-sell your information. In the UK, GDPR laws prohibit the selling of personally identifiable information to third parties without consent, but of course this all goes out the window when a threat actor steals the data in a breach as they don’t have the same set of morals.

While you still have the chance, it’s far safer not to be on a “breached list” in the first place, but many will say that once your data is on the internet it’s there forever. However, it may be worth going through your phone, opening up those idle apps one last time and deleting the account, rather than just deleting the app and forgetting about the account. The information that lives on may not feel like it is worth anything to anyone else, but it could be used nefariously when pieced together with other information on you and can have damaging effects if used in conjunction with identity theft or bank fraud.

So, should you now want to delete Houseparty, simply head to the app, hit the settings button and open the “Privacy” tab, which will give you the option to delete your account after multiple prompts trying to persuade you to stay. Whilst you’re at it, make sure you do the same for any other unused apps on your devices too!

Security flaw allows bypassing PIN verification on Visa contactless payments

The vulnerability could allow criminals to rack up fraudulent charges on the cards without needing to know the PINs

A team of researchers from the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has found a security vulnerability in Visa’s EMV contactless protocol that could allow attackers to perform PIN bypass attacks and commit credit card fraud.

For context, there is typically a limit on the amount you can pay for goods or services using a contactless card. Once the limit is surpassed, the card terminal will request verification from the cardholder – typing in the PIN.

However, the new research, entitled ‘The EMV Standard: Break, Fix, Verify’, showed that a criminal who can get their hands on a credit card could exploit the flaw for fraudulent purchases without having to input the PIN even in cases where the amount exceeded the limit.

The academics demonstrated how the attack can be carried out using two Android phones, a contactless credit card, and a proof-of-concept Android application that they especially developed for this purpose.

“The phone near the payment terminal is the attacker’s Card emulator device and the phone near the victim’s card is the attacker’s POS emulator device. The attacker’s devices communicate with each other over WiFi, and with the terminal and the card over NFC,” the researchers explained, adding that their app doesn’t need any special root privileges or Android hacks to work.

“The attack consists in a modification of a card-sourced data object – the Card Transaction Qualifiers – before delivering it to the terminal,” reads the description of the attack, with the modification instructing the terminal that a PIN verification isn’t needed and that the cardholder was already verified by the consumer’s device.
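A terminal-side model of the decision described above, as an added example that is neither the researchers’ proof-of-concept nor Visa’s code: the first function trusts the Card Transaction Qualifiers (CTQ) exactly as received, so a relay that clears the “online PIN required” bit and sets the “consumer device CVM performed” bit makes a high-value purchase proceed without a PIN; the second function first checks that the CTQ is the one the card authenticated and declines when it is not. Assumptions: the two CTQ bit positions follow the public EMV contactless kernel definition of tag 9F6C, the “no CVM” limit and amounts are constructed, and an HMAC under a per-card key stands in for the card’s signature that a real terminal verifies through the issuer’s certificate.

```python
import hashlib
import hmac

# Card Transaction Qualifiers (tag 9F6C), two bytes sent by the card. Only the two
# bits relevant to cardholder verification are modelled (assumed bit positions).
CTQ_ONLINE_PIN_REQUIRED = 0x8000   # byte 1, bit 8
CTQ_CDCVM_PERFORMED = 0x0080       # byte 2, bit 8: consumer device CVM performed

CVM_LIMIT = 80_00   # constructed contactless "no CVM" limit, in minor units (80.00)


def choose_cvm_unverified(ctq: int, amount: int, cvm_limit: int = CVM_LIMIT) -> str:
    """Terminal logic that trusts CTQ as received. Above the limit the terminal asks
    for online PIN only if the card says so, and skips it if the card claims the
    cardholder was already verified on their own device."""
    if amount <= cvm_limit:
        return "NO_CVM"
    if ctq & CTQ_CDCVM_PERFORMED:
        return "NO_CVM"
    if ctq & CTQ_ONLINE_PIN_REQUIRED:
        return "ONLINE_PIN"
    return "SIGNATURE"


def card_authenticate(card_key: bytes, ctq: int, amount: int, nonce: bytes) -> bytes:
    """Stand-in for the card's signed dynamic data: covers CTQ, amount and the
    terminal's unpredictable number, so a relay cannot change CTQ without detection.
    ASSUMPTION: HMAC replaces the card's public-key signature."""
    msg = ctq.to_bytes(2, "big") + amount.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()


def choose_cvm_bound(ctq: int, amount: int, nonce: bytes, tag: bytes,
                     card_key: bytes, cvm_limit: int = CVM_LIMIT) -> str:
    """Hardened terminal: let CTQ influence cardholder verification only after it has
    been matched against the authenticated data the card actually produced."""
    if not hmac.compare_digest(card_authenticate(card_key, ctq, amount, nonce), tag):
        return "DECLINE_CTQ_TAMPERED"
    return choose_cvm_unverified(ctq, amount, cvm_limit)


def simulate(relay_rewrites_ctq: bool, bound: bool) -> str:
    """One high-value transaction. The genuine CTQ demands online PIN; when the relay
    is active the terminal instead sees 'CDCVM performed, PIN not required'."""
    card_key = hashlib.sha256(b"constructed demo card key").digest()
    nonce = b"\x01\x02\x03\x04"
    amount = 250_00
    genuine_ctq = CTQ_ONLINE_PIN_REQUIRED
    tag = card_authenticate(card_key, genuine_ctq, amount, nonce)   # what the card produced
    if relay_rewrites_ctq:
        seen_ctq = (genuine_ctq & ~CTQ_ONLINE_PIN_REQUIRED) | CTQ_CDCVM_PERFORMED
    else:
        seen_ctq = genuine_ctq
    if bound:
        return choose_cvm_bound(seen_ctq, amount, nonce, tag, card_key)
    return choose_cvm_unverified(seen_ctq, amount)


if __name__ == "__main__":
    for relay in (False, True):
        for bound in (False, True):
            print(f"relay={relay!s:5} bound={bound!s:5} -> {simulate(relay, bound)}")
```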

The researchers tested their PIN bypass attack on one of the six EMV contactless protocols (Mastercard, Visa, American Express, JCB, Discover, UnionPay); however, they theorized that it could apply to the Discover and UnionPay protocols as well, although those weren’t tested in practice. EMV, the international protocol standard for smartcard payment, is used in over 9 billion cards worldwide and as of December 2019 it was used in more than 80% of all card-present transactions globally.

It’s worth mentioning that the researchers didn’t just test the attack in laboratory conditions but were able to successfully carry it out in actual stores, using Visa Credit, Visa Electron, and V Pay cards. To be sure, they used their own cards for the test.

The team also pointed out that it would be difficult for a cashier to notice that something was afoot since it has become a regular occurrence for customers to pay for goods with their smartphones.

The researchers also uncovered another vulnerability, which involves offline contactless transactions carried out with either a Visa or an old Mastercard card. During this attack, the cybercriminal modifies card-produced data called the ‘Transaction Cryptogram’ before it is delivered to the terminal.

However, this data cannot be verified by the terminal, only by the card issuer, i.e. the bank. So, by the time that happens, the crook is long gone with the goods in hand. For ethical reasons, the team did not test this attack on real-life terminals.

The team notified Visa about its discoveries.

Week in security with Tony Anscombe

Canada’s government services hit by cyberattacks – Vishing attacks surge amid COVID-19 pandemic – DDoS extortionists strike again

Several Canadian government services were temporarily suspended recently after a series of credential-stuffing attacks. The FBI and CISA have issued a joint alert to warn about a surge in vishing attacks targeting remote workers. A cybercrime gang is demanding ransom from various organizations across the world under threat of launching DDoS attacks against them. For more information, go to WeLiveSecurity.com.

DDoS extortion campaign targets financial firms, retailers

The extortionists attempt to scare the targets into paying by claiming to represent some of the world’s most notorious APT groups

Over the last few weeks, a cybercrime group has been extorting various organizations all over the world by threatening to launch distributed denial-of-service (DDoS) attacks against them unless they pay thousands of dollars in Bitcoin.

The attackers have been targeting organizations operating in various industries, notably finance, travel, and e-commerce. However, they don’t seem to be targeting any specific region, as ransom letters have been sent to organizations residing in the United Kingdom, the United States and the Asia-Pacific region.

According to ZDNet, the group is also behind a string of attacks against MoneyGram, YesBank, Braintree, Venmo, and most recently also the New Zealand stock exchange, which has been forced to stop its trading for three days running.

The ransom note discloses specific assets at the victim company that will be targeted by a ‘test attack’ to demonstrate the seriousness of the threat. Akamai, which has been tracking the attacks, has recorded some of the DDoS attacks reaching almost 200 Gb per second, while previously an attack targeting one of its customers was recorded coming in at ‘only’ 50 Gb per second.

As part of their scare tactics, the cybercriminals take up the guise of notorious hacking groups, to wit Sednit, also known as Fancy Bear, and Armada Collective. The activities of the former group have been the subject of extensive ESET research.

The extortionists contact their victims with an email, warning them of a looming DDoS attack unless they pay the demanded ransom in Bitcoin within a specified timeframe. The fee varies based on the group they are impersonating and ranges from 5 BTC (some US$57,000) to 20 BTC (US$227,000) with the prices increasing if the deadline is missed.

The attackers ramp up their intimidation tactics further by describing the possible consequences: “…your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers. […] We will completely destroy your reputation and make sure your services will remain offline until you pay. (sic)” reads a ransom note excerpt published by Akamai.

Indeed, reputational damage combined with downtime could cost the targeted companies millions in lost revenue. However, even if the targeted organizations would consider paying the ransom, there is no guarantee that the black hats would cease their attacks; a quick payday may even encourage them to target other companies as well.

DDoS attacks, including those accompanied by extortion, have been around for years, and ESET Security Specialist Jake Moore notes that organizations shouldn’t underestimate the threat.

“These gangs will continue to cause havoc by directing massive volumes of traffic to a website, either to send a message or test the site’s defenses in preparation for further attacks. It’s clear that we should never take this threat too lightly and need to start protecting now for even stronger DDoS bombs,” he said.