Tumblr and WordPress to Sell Users’ Data to Train AI Tools

Tumblr and WordPress.com (Ed. Note: they’re talking about wp.COM. If you’re hosting somewhere other than WordPress.com you don’t have to worry. Yet.) are preparing to sell user data to Midjourney and OpenAI, according to a source with internal knowledge about the deals and internal documentation referring to the deals. 

The exact types of data from each platform going to each company are not spelled out in documentation we’ve reviewed, but internal communications reviewed by 404 Media make clear that deals between Automattic, the platforms’ parent company, and OpenAI and Midjourney are imminent.

The internal documentation details a messy and controversial process within Tumblr itself. One internal post made by Cyle Gage, a product manager at Tumblr, states that a query made to prepare data for OpenAI and Midjourney compiled a huge number of user posts that it wasn’t supposed to. It is not clear from Gage’s post whether this data has already been sent to OpenAI and Midjourney, or whether Gage was detailing a process for scrubbing the data before it was to be sent. 

Source and more details: https://www.404media.co/tumblr-and-wordpress-to-sell-users-data-to-train-ai-tools/

EFF adds Street Surveillance Hub so Americans can check who’s checking on them

‘The federal government has almost entirely abdicated its responsibility’

For a country that prides itself on being free, America does seem to have an awful lot of spying going on, as the new Street Surveillance Hub from the Electronic Frontier Foundation shows.

The Hub contains detailed breakdowns of the type of surveillance systems used, from bodycams to biometrics, predictive policing software to gunshot detection microphones and drone-equipped law enforcement. It also has a full news feed so that concerned citizens can keep up with the latest US surveillance news; they can also contribute to the Atlas of Surveillance on the site.

The Atlas, started in 2019, allows anyone to check what law enforcement technology is being used in their local area – be it license plate readers, drones, or gunshot detection microphones. It can also let you know if local law enforcement is collaborating with third parties like home security vendor Ring to get extra information.

EFF policy analyst Matthew Guariglia told The Register that once people look into what’s being deployed using their tax dollars, a lot of red flags are raised.

Over the last few years America’s thin blue line has not only been harvesting huge amounts of data itself, but also buying it in from commercial operators. The result is a perfect storm for privacy – with police, homeowners, and our personal technology proving to be a goldmine of intrusive information that’s often misused.

The Register: The updated guide has a bunch of new information, how big is the problem?

Guariglia: We have to start to pay attention to the fact that many cities across the United States are paying millions of dollars for all these high tech devices and software that they claimed were going to be the silver bullet to ending crime.

Just after a few months or a few years, they are canceling those contracts, because they’re actually not very useful, or the technology gets things wrong. Police used to want to put up as many cameras as possible, but now we see them pivoting more toward things like automated license plate readers.

The Register: Is this solely a police problem or is surveillance becoming more ubiquitous?

Guariglia: The disturbing thing about our current landscape is that just because police don’t own cameras doesn’t mean they don’t have access to footage. So if communities or homeowners associations are putting up license plate readers, police often can very easily get access to that data as well. Increasingly, police use private technology companies, and the data they collect, as an extension of their own evidence.

The Register: Does that extend all the way down to supposedly personal technology devices?

Guariglia: As police extend their own network of surveillance, and as it becomes more omnipresent, there is a whole other landscape of surveillance below the surface, which is our personal devices. These collect data which police can also access, sometimes without a warrant.

Source & more details: https://www.theregister.com/2024/01/22/eff_privacy_atlas/

It’s Still Easy for Anyone to Become You at Experian

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.

Entering my SSN and birthday at Experian showed my identity was tied to an email address I did not authorize.

I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn’t verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn’t recognize my username and/or password.

A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).

I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year’s story, Experian, You Have Some Explaining to Do. So once again I sought to re-register as myself at Experian.

The homepage said I needed to provide a Social Security number and mobile phone number, and that I’d soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian’s website would not balk. Regardless, users can simply skip this step by selecting the option to “Continue another way.”

Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer between three and five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we’ve previously lived at — information that is just a Google search away.

Assuming you sail through the multiple-choice questions, you’re prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you’re directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.

At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn’t a request seeking verification: It’s just a notification from Experian that the account’s user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.

If you don’t have an Experian account, it’s a good idea to create one. Because at least then you will receive one of these emails when someone hijacks your credit file at Experian.

And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also. Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!

In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.

Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.

“To ensure the protection of consumers’ identities and information, we have implemented a multi-layered security approach, which includes passive and active measures, and are constantly evolving,” Experian spokesperson Scott Anderson said in an emailed statement. “This includes knowledge-based questions and answers, and device possession and ownership verification processes.”

Anderson said all consumers have the option to activate a multi-factor authentication method that’s requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?

Several readers who spotted my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michigan who works in the biotechnology industry. @Jackerbee said when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to “manually enter my information.”

“I put my second phone number and the new email address,” he explained. “I received a single email in my original account inbox that said they’ve updated my information after I ‘signed up.’ No verification required from the original email address at any point. I also did not receive any text alerts at the original phone number. The especially interesting and egregious part is that when I sign in, it does 2FA with the new phone number.”

The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.

“The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming, ‘Welcome back, Pete!,’ and granting full access,” @PeteMayo wrote. “I feel silly saving my password for Experian; may as well just make a new account every time.”

I was fortunate in that whoever hijacked my account did not also thaw my credit freeze. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.

It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.

In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

More greatest hits from Experian:

2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service

Source: https://krebsonsecurity.com/2023/11/its-still-easy-for-anyone-to-become-you-at-experian/

Warning: New Outlook sends passwords, mails and other data to Microsoft

“Microsoft steals access data” – When the well-known German IT portal “Heise Online” uses such drastic words in its headline, then something is up. If Microsoft has its way, all Windows users will have to switch to the latest version of Microsoft Outlook. But: Not only can the IMAP and SMTP access data of your e-mail account be transferred to Microsoft, but all e-mails in the INBOX can also be copied to the Microsoft servers, even if you have your mailbox with a completely different provider such as mailbox.org.

Main risk: transferring your data to Microsoft

“Synchronisation with the Microsoft server” – and everything is copied!

If you set up a new account in the software, Microsoft offers a supposed security function: It says that non-Microsoft accounts are synchronised with the Microsoft cloud and that copies of “emails, calendars and contacts are therefore synchronised between your email provider and Microsoft data centres”.

Anyone who reads this carefully may be perplexed, no question. But we all know how easy it is to agree to supposed banalities without reading them and to click away notices, especially when setting up software. In view of the drastic consequences of giving consent here, the warnings and explanations from Microsoft are probably too inconspicuous. Only a few users will realise that they are giving Microsoft comprehensive access to passwords, mail and more. Therefore, once again clearly:

Microsoft gets full access to mails, calendars and contacts!

But not only Windows users are at risk: Outlook versions for iOS, Mac and even Android are also affected, according to Heise.

mailbox.org warns against using the new Microsoft Outlook

mailbox.org warns its users: there is a high risk that sensitive data may be transmitted to Microsoft when using the new Outlook! And by the way: this compromised data includes not only emails, but also calendar and contact data.

For business customers, storing personal data in this way (albeit unintentionally) may constitute a GDPR offence that is subject to fines. After all, storing data in the Microsoft cloud legally constitutes data processing that requires the conclusion of an order data processing agreement (DPA) with Microsoft – and companies may have to identify this as such in their data protection declarations and in the data processing directory. It is irrelevant whether this is done intentionally by the company management or ultimately through the uninformed consent of an individual employee.

Our recommendation

Whether business or private: We strongly advise all our customers not to use the new Outlook! And we have the following alternatives for you:

  • Another e-mail client: We advise you to switch to the popular e-mail client “Thunderbird” on your computer. This is compatible with Windows and easy to set up. On mobile devices, there are a number of different IMAP mail clients, such as FairEmail and K9 Mail (which will also be called Thunderbird in the future).
  • Using the webmailer: As a mailbox.org customer, you can use our secure webmail portal at any time, which offers an excellent alternative to desktop email clients. In addition to mail, calendar and contacts, you also have secure access to files and Office documents – and your personal video conference with OpenTalk is just a click away.

We do everything we can to protect the security and privacy of your e-mail communication. But we also need your help: make sure you use apps from providers that respect and protect your privacy and security.

Update

The German Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, is also alarmed: On the social media network Mastodon, he described the data collection as “alarming” and announced his intention to pursue the issue at European level through the data protection authorities as early as next Tuesday.

Source: https://mailbox.org/en/post/warning-new-outlook-sends-passwords-mails-and-other-data-to-microsoft

The Fake Browser Update Scam Gets a Makeover

One of the oldest malware tricks in the book — hacked websites claiming visitors need to update their Web browser before they can view any content — has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.

[Image: a fake warning that the Chrome browser needs to be updated, showing several devices (phone, monitor, etc.) open to Google and an enticing blue button to click in the middle.]

In August 2023, security researcher Randy McEoin blogged about a scam he dubbed ClearFake, which uses hacked WordPress sites to serve visitors with a page that claims you need to update your browser before you can view the content.

The fake browser alerts are specific to the browser you’re using, so if you’re surfing the Web with Chrome, for example, you’ll get a Chrome update prompt. Those who are fooled into clicking the update button will have a malicious file dropped on their system that tries to install an information stealing trojan.

Earlier this month, researchers at the Tel Aviv-based security firm Guardio said they tracked an updated version of the ClearFake scam that included an important evolution. Previously, the group had stored its malicious update files on Cloudflare, Guardio said.

But when Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and “smart contracts,” or coded agreements that execute actions automatically when certain conditions are met.

Nati Tal, head of security at Guardio Labs, the research unit at Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract’s functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.

“These contracts offer innovative ways to build applications and processes,” Tal wrote along with his Guardio colleague Oleg Zaytsev. “Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted ‘on-chain’ without the ability for a takedown.”

Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact.

“So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces,” Tal said.

Attacker-controlled BSC addresses — from funding, contract creation, and ongoing code updates. Image: Guardio

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts.

“This model is designed to proactively identify and mitigate potential threats before they can cause harm,” BNB Smart Chain wrote. “The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible.”

Guardio says the crooks behind the BSC malware scheme are using the same malicious code as the attackers that McEoin wrote about in August, and are likely the same group. But a report published today by email security firm Proofpoint says the company is currently tracking at least four distinct threat actor groups that use fake browser updates to distribute malware.

Proofpoint notes that the core group behind the fake browser update scheme has been using this technique to spread malware for the past five years, primarily because the approach still works well.

“Fake browser update lures are effective because threat actors are using an end-user’s security training against them,” Proofpoint’s Dusty Miller wrote. “In security awareness training, users are told to only accept updates or click on links from known and trusted sites, or individuals, and to verify sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit and is now asking them to update their browser.”

More than a decade ago, this site published Krebs’s Three Rules for Online Safety, of which Rule #1 was, “If you didn’t go looking for it, don’t install it.” It’s nice to know that this technology-agnostic approach to online safety remains just as relevant today.

Source: https://krebsonsecurity.com/2023/10/the-fake-browser-update-scam-gets-a-makeover/

‘Log in with…’ Feature Allows Full Online Account Takeover for Millions

Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems.

Flaws in the implementation of the Open Authorization (OAuth) standard across three prominent online services could have allowed attackers to take over hundreds of millions of user accounts on dozens of websites, exposing people to credential theft, financial fraud, and other cybercriminal activity. 

Researchers from Salt Labs discovered critical API misconfigurations on the sites of several online companies — artificial intelligence (AI)-powered writing tool Grammarly, online streaming platform Vidio, and Indonesian e-commerce site Bukalapak — that led them to believe that dozens of other sites are likely compromised in the same way, they revealed in a report published Oct. 24.

OAuth is a widely implemented standard for allowing for cross-platform authentication, familiar to most as the option to log in to an online site with another social media account, such as “Log in with Facebook” or “Log in with Google.” 

The recently-discovered implementation flaws are among a series of issues in OAuth that the researchers have discovered in recent months, stretching across prominent online platforms that put users at risk. Salt researchers already had discovered similar OAuth flaws in the Booking.com website and Expo — an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase — that could have allowed account takeover and full visibility into user personal or payment-card data. The Booking.com flaw also could have allowed log-in access to the website’s sister platform, Kayak.com.

The researchers refer broadly to the latest issue found in Vidio, Grammarly, and Bukalapak as a “Pass-The-Token” flaw, in which an attacker may use a token — the unique, secret site identifier used to verify the handoff — from a third-party site typically owned by the attacker himself to log in to another service.

“For example, if a user logged in to a site called mytimeplanner.com, which is owned by the attacker, the attacker could then use the user’s token and log in on his behalf to other sites, like Grammarly for instance,” Yaniv Balmas, vice president of research at Salt, explains to Dark Reading.

The researchers found the latest issues in Vidio, Bukalapak, and Grammarly between February and April, respectively, and notified the three companies in turn, which all responded in a timely way. The misconfigurations all have since been resolved in these particular services, but that’s not the end of the story. 

“Just these three sites are enough for us to prove our point, and we decided to not look for additional targets,” according to the report, “but we expect that thousands of other websites are vulnerable to the attack we detail in this post, putting billions of additional Internet users at risk every day.”

Various Ways to Misconfigure OAuth

The issue manifests itself uniquely on each of the three sites. On Vidio, an online streaming platform with 100 million monthly active users, the researchers found that when logging into the site through Facebook, the site did not verify the token — which the website developers and not OAuth must do. Because of this, an attacker could manipulate the API calls to insert an access token generated for a different application, the researchers found.

“This alternate token/AppID combination allowed the Salt Labs research team to impersonate a user on the Vidio site, which would have allowed massive account takeover on thousands of accounts,” the researchers wrote in the report.

Like Vidio, Bukalapak — which has more than 150 million monthly users — also didn’t verify the access token when users registered using a social login. In a similar way, the researchers could insert a token from another website to access a user’s credentials and completely take over that user’s account.

The OAuth issue discovered on Grammarly — which helps more than 30 million daily users improve their writing by offering grammar, punctuation, spelling checks, and other writing tips — manifested itself slightly differently.

The researchers found that by doing reconnaissance on the API calls and learning the terminology the Grammarly site uses to send the code, they could manipulate the API exchange to insert code used to verify users on a different site and, again, obtain the credentials of a user’s account and achieve full account takeover.

Secure OAuth From the Start

OAuth itself is well-designed, and the major OAuth providers such as Google and Facebook have secure servers protecting them on the back end. However, those developing the services and sites that leverage the standard to perform the authentication handoff often create issues that render the exchange inherently insecure even if the site appears to function properly, Balmas says.

“It is very easy for anyone to add social-login functionality to his website … and everything will actually work quite fine,” he says. “However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users.”

For this reason, it’s essential to the security of sites and services that leverage OAuth to be secure from an implementation standpoint, which may require that developers do some homework before building the standard into the site.

“Web services who wish to implement social login or any other OAuth-related functionalities should make sure they have a solid understanding of how OAuth works and common pitfalls that may have potential for being abused,” he says.

Developers can also use third-party tools that monitor for anomalies and deviations from typical behavior and which may identify as-yet unknown attacks, providing a safety net for the site and thus all of its users, Balmas adds.
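An added example, not code from Salt Labs or from any of the three sites, modelling the “Pass-The-Token” misconfiguration described above and the audience check that closes it. It runs offline against a constructed in-memory identity provider; the client IDs, tokens, codes and redirect URIs are made up for the demo.

```python
"""Simulated social-login backend: the vulnerable token handling beside the
hardened version, plus a code-flow redemption that binds codes to a client.
All provider state below is constructed for the demo."""

from typing import Optional

NOW = 1_700_000_000                     # fixed clock for deterministic checks

# Hypothetical identifiers for the relying site and an attacker-owned site.
MY_CLIENT_ID = "client-demo-site"
MY_REDIRECT_URI = "https://demo-site.example/oauth/callback"
ATTACKER_CLIENT_ID = "client-mytimeplanner"

# --- Constructed identity-provider state (stand-in for Facebook/Google) ---
# Field names loosely follow a token-introspection response: which app the
# token was issued to, which user it represents, validity and expiry.
TOKENS = {
    "tok-legit":   {"app_id": MY_CLIENT_ID,       "user_id": "user-42", "is_valid": True,  "expires_at": NOW + 3600},
    "tok-stolen":  {"app_id": ATTACKER_CLIENT_ID, "user_id": "user-42", "is_valid": True,  "expires_at": NOW + 3600},
    "tok-expired": {"app_id": MY_CLIENT_ID,       "user_id": "user-42", "is_valid": True,  "expires_at": NOW - 1},
    "tok-revoked": {"app_id": MY_CLIENT_ID,       "user_id": "user-42", "is_valid": False, "expires_at": NOW + 3600},
}

# Authorization codes the provider issued, bound to a client and redirect URI.
CODES = {
    "code-for-me":       {"client_id": MY_CLIENT_ID,       "redirect_uri": MY_REDIRECT_URI,
                          "token": "tok-legit",  "used": False},
    "code-for-attacker": {"client_id": ATTACKER_CLIENT_ID, "redirect_uri": "https://mytimeplanner.example/cb",
                          "token": "tok-stolen", "used": False},
}


def introspect(token: str) -> Optional[dict]:
    """Provider: describe a token (None if unknown)."""
    return TOKENS.get(token)


def exchange_code(code: str, client_id: str, redirect_uri: str) -> Optional[str]:
    """Provider: redeem an authorization code. A correct provider refuses a
    code presented by a different client, via a different redirect URI, or
    presented twice (codes are single use)."""
    rec = CODES.get(code)
    if rec is None or rec["used"]:
        return None
    if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
        return None
    rec["used"] = True
    return rec["token"]


# --- Relying-site side -----------------------------------------------------

def login_vulnerable(token: str) -> Optional[str]:
    """The misconfiguration: accept any token the provider says is valid and
    read the user ID out of it. A token issued to the attacker's app for the
    victim's account (tok-stolen) logs the attacker in as the victim."""
    info = introspect(token)
    if info is None or not info["is_valid"]:
        return None
    return info["user_id"]


def login_hardened(token: str, now: int = NOW) -> Optional[str]:
    """Verify that the token was issued to *this* app (audience check) and is
    unexpired before trusting the user ID it carries."""
    info = introspect(token)
    if info is None or not info["is_valid"]:
        return None
    if info["app_id"] != MY_CLIENT_ID:      # the check the three sites lacked
        return None
    if info["expires_at"] <= now:
        return None
    return info["user_id"]


def login_with_code(code: str, now: int = NOW) -> Optional[str]:
    """Authorization-code flow: the site redeems the code with its own
    client_id and redirect URI, so a code minted for another site fails at
    the provider, and the resulting token still gets the audience check."""
    token = exchange_code(code, MY_CLIENT_ID, MY_REDIRECT_URI)
    if token is None:
        return None
    return login_hardened(token, now)


if __name__ == "__main__":
    print("vulnerable, stolen token:", login_vulnerable("tok-stolen"))        # user-42
    print("hardened, stolen token  :", login_hardened("tok-stolen"))          # None
    print("hardened, own token     :", login_hardened("tok-legit"))           # user-42
    print("code flow, foreign code :", login_with_code("code-for-attacker"))  # None
    print("code flow, own code     :", login_with_code("code-for-me"))        # user-42
```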

Source: ‘Log in with…’ Feature Allows Full Online Account Takeover for Millions (darkreading.com)

How to Keep Uninvited Guests Out of Your Zoom Meeting

Without precautions, meetings that are designed to bring people together could be attended by a person who is not invited.

Disruptions typically occur when meeting information is made open to the public. A user could post a private meeting link on social media, share their virtual classroom information, and more. But when these links are out on social media or other public forums, that makes your meeting completely public and anyone with the link can join it. 

Here are a few easy ways you can help prevent disruptions:

Tips to prevent disruptions 

  • Use the right Zoom solution for your need: If you’re specifically hoping to use Zoom to host a virtual event with people you may not know, make sure to steer your attention from Zoom Meetings to Zoom Webinars or Zoom Events — products designed specifically for digital events. 
  • Avoid using your Personal Meeting ID (PMI): Your PMI is basically one continuous meeting and you don’t want outsiders crashing your personal virtual space after your designated meeting is over. 
  • Manage screen sharing: You do not want random people in your public session taking control of the screen and sharing unwanted content with the group. You can restrict this — before the meeting and during the meeting in the host control bar — so that you’re the only one who can screen share. If you disable screen sharing, the Whiteboard setting will be automatically disabled as well. 

To prevent participants from screen sharing during a call, using the host controls at the bottom, click the arrow next to “Share Screen” and then go to “Advanced Sharing Options.” Under “Who can share?” choose “Only Host” and close the window.  

Enable the Waiting Room

The Waiting Room is an important feature for securing a Zoom Meeting. Just like it sounds, the Waiting Room is a virtual staging area that stops your guests from joining until you’re ready for them. It’s almost like the velvet rope outside a nightclub, with you as the bouncer carefully monitoring who gets let in.

Meeting hosts can customize Waiting Room settings for additional control, and you can even personalize the message people see when they hit the Waiting Room so they know they’re in the right spot. This message is really a great spot to post any rules/guidelines for your event, like who it’s intended for.

[Image: updated customized Waiting Room message]

The Waiting Room is an effective way to screen who’s trying to enter your Zoom session and keep unwanted guests out. When you disable “Join before host” in your settings, a Waiting Room will automatically greet your guests until you’ve started the meeting.

Keep Zooming responsibly

We hope these security features will help you continue to host safe and successful Zoom Meetings. Security is a key value for us at Zoom and will continue to help guide new product updates. We’re committed to being a platform users can trust — with their online interactions, information, and business. 

To learn more about Zoom privacy and security, explore our Trust Center.

Source: https://blog.zoom.us/keep-uninvited-guests-out-of-your-zoom-meeting/

Don’t Let Zombie Zoom Links Drag You Down

Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks.

At issue is the Zoom Personal Meeting ID (PMI), which is a permanent identification number linked to your Zoom account and serves as your personal meeting room available around the clock. The PMI portion forms part of each new meeting URL created by that account, such as:

zoom.us/j/5551112222

Zoom has an option to include an encrypted passcode within a meeting invite link, which simplifies the process for attendees by eliminating the need to manually enter the passcode. Following the previous example, such a link might look something like this:

zoom.us/j/5551112222/pwd=jdjsklskldklsdksdklsdkll

Using your PMI to set up new meetings is convenient, but of course convenience often comes at the expense of security. Because the PMI remains the same for all meetings, anyone with your PMI link can join any ongoing meeting unless you have locked the meeting or activated Zoom’s Waiting Room feature.

Including an encrypted passcode in the Zoom link definitely makes it easier for attendees to join, but it might open your meetings to unwanted intruders if not handled responsibly. Particularly if that Zoom link is somehow indexed by Google or some other search engine, which happens to be the case for thousands of organizations.

Armed with one of these links, an attacker can create meetings and invite others using the identity of the authorized employee. And many companies using Zoom have made it easy to find recently created meeting links that include encrypted passcodes, because they have dedicated subdomains at Zoom.us.
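The link structure described above (a meeting ID under /j/ with an optional embedded pwd passcode, on either zoom.us or an organization's own <org>.zoom.us subdomain) is easy to inventory in your own published material before someone else does. The following is an added example, not code from Zoom or KrebsOnSecurity; the meeting-ID and passcode formats are approximated from the sample URLs on the page, and the sample page text and the example-corp subdomain are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Loose matcher for Zoom join links inside free text. The sample URLs on the
# page omit the scheme, so it is optional here; vanity hosts are <org>.zoom.us.
LINK_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)*zoom\.us/j/[^\s<>\"']+", re.I)
# Meeting ID, optionally followed by the "/pwd=" path form shown on the page.
PATH_RE = re.compile(r"^/j/(\d{9,11})(?:/pwd=([A-Za-z0-9._-]+))?/?$")

def classify_zoom_link(url: str) -> dict:
    """Split one join link into the fields a defender needs for triage."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    m = PATH_RE.match(parts.path)
    if not (host == "zoom.us" or host.endswith(".zoom.us")) or not m:
        return {"join_link": False, "url": url}
    meeting_id, path_pwd = m.groups()
    query_pwd = parse_qs(parts.query).get("pwd", [None])[0]   # "?pwd=" query form
    passcode = path_pwd or query_pwd
    return {
        "join_link": True,
        "url": url,
        # A vanity subdomain ties the link to a named organization.
        "org_subdomain": host[: -len(".zoom.us")] if host != "zoom.us" else None,
        "meeting_id": meeting_id,
        "embedded_passcode": passcode is not None,
        # Passcode baked in: one click joins with no prompt, and if the ID is the
        # account's PMI the link never expires. High until the owner confirms a
        # one-off scheduled ID, or rotates the passcode / disables the PMI.
        "risk": "high" if passcode else "review",
    }

def find_zoom_links(text: str) -> list:
    """Inventory every Zoom join link in a text dump of published material."""
    results = []
    for m in LINK_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)]}'\"")   # drop trailing punctuation
        info = classify_zoom_link(url)
        if info["join_link"]:
            results.append(info)
    return results

# Constructed sample of a public support page (hypothetical org, not a real exposure).
SAMPLE_PAGE = """Weekly office hours: https://example-corp.zoom.us/j/5551112222?pwd=jdjsklskldklsdksdklsdkll
Townhall (scheduled): zoom.us/j/98765432101
Help centre: https://zoom.us/support (not a join link)."""

if __name__ == "__main__":
    for link in find_zoom_links(SAMPLE_PAGE):
        print(link["risk"], link["org_subdomain"], link["meeting_id"], link["embedded_passcode"])
```

Whether a flagged ID is a PMI, and whether the account lets the link holder start new meetings, cannot be read from the URL; the output is a triage list for the link owners to confirm in their account settings.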

Using the same method, KrebsOnSecurity also found working Zoom meeting links for The National Football League (NFL), LinkedIn, Oracle, Humana, Disney, Warner Bros, and Uber. And that was from just a few minutes of searching. And to illustrate the persistence of some of these Zoom links, Archive.org says several of the links were first created as far back as 2020 and 2021.

KrebsOnSecurity received a tip about the Zoom exposures from Charan Akiri, a researcher and security engineer at Reddit. In April 2023, this site featured research by Akiri showing that many public Salesforce websites were leaking private data, including banks and healthcare organizations (Akiri said Salesforce also had these open Zoom meeting links before he notified them).

[Image: Zoom account settings screenshot. The Zoom links that exposed working meeting rooms all had the highlighted option enabled.]

Akiri said the misuse of PMI links, particularly those with passcodes embedded, can give unauthorized individuals access to meetings.

“These one-click links, which are not subject to expiration or password requirement, can be exploited by attackers for impersonation,” Akiri said. “Attackers exploiting these vulnerabilities can impersonate companies, initiating meetings unknowingly to users. They can contact other employees or customers while posing as the company, gaining unauthorized access to confidential information, potentially for financial gain, recruitment, or fraudulent advertising campaigns.”

Akiri said he built a simple program to crawl the web for working Zoom meeting links from different organizations, and so far it has identified thousands of organizations with these perfectly functional zombie Zoom links.

According to Akiri, here are several tips for using Zoom links more safely:

Don’t Use Personal Meeting ID for Public Meetings: Your Personal Meeting ID (PMI) is the default meeting that launches when you start an ad hoc meeting. Your PMI doesn’t change unless you change it yourself, which makes it very useful if people need a way to reach you. But for public meetings, you should always schedule new meetings with randomly generated meeting IDs. That way, only invited attendees will know how to join your meeting. You can also turn off your PMI when starting an instant meeting in your profile settings.

Require a Passcode to Join: You can take meeting security even further by requiring a passcode to join your meetings. This feature can be applied to both your Personal Meeting ID, so only those with the passcode will be able to reach you, and to newly scheduled meetings. To learn all the ways to add a passcode for your meetings, see this support article.

Only Allow Registered or Domain Verified Users: Zoom can also give you peace of mind by letting you know exactly who will be attending your meeting. When scheduling a meeting, you can require attendees to register with their email, name, and custom questions. You can even customize your registration page with a banner and logo. By default, Zoom also restricts participants to those who are logged into Zoom, and you can even restrict it to Zoom users whose email address uses a certain domain.

Update 12:33 p.m.: The list of affected organizations was updated, because several companies listed apparently only exposed links that let anyone connect to existing, always-on meeting rooms — not initiate and completely control a Zoom meeting. The real danger with the zombie links described above is that anyone can find and use them to create new meetings and invite others.

Source: https://krebsonsecurity.com/2023/10/dont-let-zombie-zoom-links-drag-you-down/#more-64991

The Continuing Threat of Unpatched Security Vulnerabilities

Unpatched software is code that contains known security weaknesses. An unpatched vulnerability is a known security bug that has not yet been fixed, which attackers can leverage by running malicious code against it. When software vendors learn of such application vulnerabilities, they write code changes, known as “patches,” to close these weaknesses.

Adversaries often probe your software looking for unpatched systems and attack them directly or indirectly. Running unpatched software is risky because attackers have time to learn of the software’s unpatched vulnerabilities, and to exploit them, before a patch emerges.

A report found that unpatched vulnerabilities are the most consistent and primary ransomware attack vectors. In 2021, 65 new vulnerabilities connected to ransomware were recorded, a 29% increase over the number of vulnerabilities in 2020.

Ransomware groups are no longer focused on single unpatched instances. They have started looking at combinations of multiple vulnerabilities, vulnerability-prone third-party applications, technology protocols, and so on. These groups have even gone to the extent of launching attacks by recruiting insiders.

Warnings concerning the cyber security threats of unpatched vulnerabilities to critical infrastructure entities have been issued by various governmental institutions such as the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Homeland Security Department.

This blog discusses a few examples of vulnerabilities and how updating applications can help prevent cyberattacks.

The Top 3 Most Severe Vulnerabilities in 2021

The National Institute of Standards and Technology (NIST) reported finding 18,378 vulnerabilities in 2021. According to HackerOne, software vulnerabilities increased by 20% in 2021 compared to 2020.

The Common Weakness Enumeration, a community-developed list of software and hardware weakness types, recorded the top 25 most dangerous software weaknesses (CWE Top 25). This list consists of the most common and impactful issues experienced over the previous two calendar years. The top three most severe vulnerabilities recorded in 2021 are:

  1. Out-of-bounds Write: In this type of vulnerability, the software writes data past the end, or before the beginning, of the intended buffer. This can result in data corruption, a crash, or code execution; in simple terms, it causes memory corruption. It results from writing to invalid memory or to memory beyond the buffer’s bounds. A sequential copy of excessive data from one location is only one of many possible causes.
  2. Cross-site Scripting: This is also known as ‘Improper Neutralization of Input During Web Page Generation.’ Here, user-controlled input is not neutralized, or is improperly neutralized, before it is placed in output that is then used as a web page served to other users.

     These software vulnerabilities enable attackers to introduce client-side scripts into web pages viewed by other users, and can be used to bypass access controls like the same-origin policy.

  3. Out-of-bounds Read: In this kind of application vulnerability, the software reads data past the end, or before the beginning, of the intended buffer. Attackers can obtain sensitive information through the resulting memory leaks, or can crash the system. Crashes typically occur when code reads a variable amount of data and assumes that a sentinel value (such as a string terminator) will stop the read; if no sentinel is present within the buffer, the read continues past its bounds, causing a buffer over-read or segmentation fault.

Why is Updating Applications Important?

Software vulnerabilities can be prevented by testing your software with application vulnerability assessment tools, white-box testing, black-box testing, and other techniques, and by updating it regularly. You can define a set of principles to be followed when developing each software release to prevent vulnerabilities. Sign your code digitally with a code signing certificate so that any tampering with the code can be detected. This helps ensure digital safety and avoid security issues.

An ideal and effective patch management process should include an audit system to identify patches and vulnerable systems, deploy updates, and automate the patch management process.

Software updates can include fixes for security holes, new features, and/or software patches. Outdated components can be removed from your device, and new features introduced, to upgrade the application’s security and prevent unpatched vulnerabilities.

Security holes are closed, and your data is protected from hackers. This helps prevent attackers from accessing personal information and documents that might be misused to commit crimes, or from encrypting your data in a ransomware attack. Remediating vulnerabilities in applications also cuts the chances of hackers accessing the data of the people you contact.

A hacking incident can ruin the image of your enterprise. This is one of the most important reasons why you should have an effective vulnerability and patch management process in hand and keep updating your applications regularly.

Conclusion

A report by Redscan Labs showed that 90% of all common vulnerabilities and exposures (CVEs) uncovered in 2021 could be exploited by attackers without any technical skills. The report classifies 54% of vulnerabilities as having “high” availability. This means that they are readily and easily accessible or exploitable by hackers.

This makes it important to understand what CVEs are and what needs to be done to prevent them. The first step to this is to analyze and regularly update your applications with security monitoring tools like Indusface WAS. Secondly, an effective way to tamper-proof your website is to use a code signing certificate.

Unpatched vulnerabilities are hazardous to your digital safety and data security. Thus, it is incumbent upon software vendors to understand and follow procedures to ensure patching of website and application vulnerabilities.

Source: https://thehackernews.com/2022/03/the-continuing-threat-of-unpatched.html

Quishing is the new phishing, experts warn – here’s how not to get hooked

Experts are warning of the latest cyber threat to smartphone users – quishing.

Quishing uses the humble QR code to carry out a phishing attack, usually either to trick people into revealing sensitive information or infecting devices with malware.

In 2019, QR codes – short for quick response – were all but extinct. Invented in 1994 to track vehicles during manufacturing in Japan, they had slowly spread across the globe and were expected to take off in an increasingly digital world.

However, even after Apple gave the iPhone a QR code scanner in 2017 they were still far from ubiquitous – until Covid arrived, and suddenly we were scanning them left, right and centre to prove we were virus-free or get into restaurants.

With the habit still strong and QRs everywhere from loyalty cards to adverts on the bus, cyber criminals are jumping on the bandwagon.

‘Everyone with a smartphone happily scans a QR code, whether that be at a restaurant or museum or even to tip buskers on the street,’ said quishing expert Tim Callan, chief experience officer at technology firm Sectigo. ‘While QR codes do have their benefit, their rising popularity means they have also entered into the cybercriminals’ arsenal of weapons. 

‘It is worryingly easy for bad actors to falsify links and addresses. A bad QR code could infect your device or make you click on a link to a dangerous website.’

To avoid falling for a quishing scam, Mr Callan recommends avoiding QRs you can’t fully trust.

‘To avoid quishing scams users shouldn’t scan any QR codes where you cannot easily verify the identity of the end user,’ he said. ‘Think carefully before scanning QR codes in public places, such as for promotional posters, stickers and adverts. Consider instead looking up the organisation directly through a secure browser. 

‘Treat what you see in sites you access through unsolicited QR codes with a grain of salt, and be very careful about installing software or sharing information on the sites they link to.’

However, it is not just QR codes in public places that cannot be trusted. Scammers and hackers can also send them direct to your inbox – bypassing any virus protection you may have in place.

‘This innovative approach serves as a warning sign to organisations as well as the general public, reminding us of the importance of staying vigilant and informed in the face of emerging cyber threats,’ said Raluca Saceanu, CEO of Smarttech247.

‘The modus operandi of [a recent major] attack involves phishing emails posing as urgent Microsoft 365 account updates. These quishing emails feature PNG or PDF attachments containing QR codes, which recipients are prompted to scan to purportedly verify their accounts within a tight timeframe of 2-3 days. 

‘The clever use of QR codes embedded in images enabled attackers to bypass email security scans for known malicious links, ultimately reaching the target’s inbox.’

Ms Saceanu warns anyone who receives a QR code via email to be cautious, especially if the message stresses urgency. Cyber criminals often succeed by generating a sense of panic in their victims, so people act quickly without checking.

She adds that you should always verify the source of the email – remember, even though at first glance it may appear legitimate, cyber criminals can easily spoof email addresses. Look at the address itself, not just the name of the sender. Even if that appears believable, a quick search of the address may highlight anything untoward. Compare the style of the email address given with those you have previously received from the company or can see online. 

For example, the courier Evri – formerly Hermes – makes clear on its website any contact from its UK arm will come from addresses ending @evri.com, @hermes-europe.co.uk or @myhermes.co.uk, but a recent scam warning of an unsuccessful package delivery came from shipping@hermescourierexpress.com. 
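The Evri check above (trust the address, not the display name, and compare its domain against the sender domains the company publishes) is mechanical enough to automate in a mail filter. The following is an added example, not code from the article, Evri or Smarttech247; the allowlist is the set of domains the article quotes, and the sample From headers are constructed.

```python
from email.utils import parseaddr

# Domains the article says Evri's UK arm sends from.
LEGIT_DOMAINS = {"evri.com", "hermes-europe.co.uk", "myhermes.co.uk"}
# Brand words a lookalike domain is likely to borrow.
BRAND_WORDS = ("evri", "hermes")

def domain_of(from_header: str) -> str:
    """Return the domain of the real address; the display name is attacker-chosen."""
    _display_name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_allowed(domain: str, allowed=LEGIT_DOMAINS) -> bool:
    # Exact match or a true subdomain (dot-boundary). A plain endswith() test
    # would also accept "notevri.com", which is exactly the lookalike we want to catch.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def assess_sender(from_header: str) -> str:
    """Classify a From header as trusted, lookalike, unknown or malformed."""
    domain = domain_of(from_header)
    if not domain:
        return "malformed"
    if is_allowed(domain):
        return "trusted"
    if any(word in domain for word in BRAND_WORDS):
        return "lookalike"   # brand name inside an unlisted domain: classic spoof
    return "unknown"

if __name__ == "__main__":
    # Constructed headers; the last is the scam address quoted in the article.
    for hdr in ("Evri <noreply@mail.evri.com>",
                "Hermes <no-reply@notevri.com>",
                "Evri <shipping@hermescourierexpress.com>"):
        print(assess_sender(hdr), "<-", hdr)
```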

However, while cyber criminals are trying to use smartphones as a vehicle to personal information, your device is also a line of defence.

‘Your smartphone can be your ally in this battle,’ said Ms Saceanu. ‘Most QR code scanners will prompt you to confirm the destination URL before opening a browser, adding an extra layer of security. 

‘Keep your smartphone’s operating system and apps up to date to ensure you have the latest security patches.’

And remember. Check, then double-check. Be sure you know what you’re clicking on before hitting the button.

Source: Quishing is the new phishing, experts warn – here’s how to stay safe | Tech News | Metro News