WebProNews

CybersecurityUpdate

  • Brazil Fines Facebook Over Cambridge Analytica Scandal

    Bloomberg is reporting that Brazil has levied a $1.6 million fine on Facebook for its role in the Cambridge Analytica scandal.

    The fine is the result of an investigation that began in April 2018, finding that Facebook illegally shared data for some 443,000 users.

    “It’s evident that the data of about 443,000 users of the platform were made available by the developers of the app ‘thisisyourdigitallife’ for reasons that are at least questionable,” Brazil’s justice ministry said in a statement.

    Facebook has said there is no evidence the data from Brazilian users was transferred to Cambridge Analytica, but the justice ministry said Facebook and its local unit failed to prove that fewer users were impacted.

    As Bloomberg points out, Facebook agreed in July to pay a $5 billion fine to the U.S. Federal Trade Commission. It is not clear if Facebook will immediately pay the Brazilian fine or fight it, however. The company simply said “we are currently evaluating our legal options in this case.”

  • U.S. Army Reverses Course, Bans TikTok

    TikTok has been under increasing scrutiny, with allegations it represents a national security threat. Following guidance from the Pentagon, the U.S. Army has officially banned the app, according to Military.com.

    TikTok has surged in popularity in the U.S., and military personnel are no exception. In fact, as Military.com points out, Army recruiters have been using the app to help reach Generation Z.

    The Department of Defense (DoD) recently issued guidance on mobile phone security, mentioning TikTok specifically. The DoD guidance tells employees to “be wary of applications you download, monitor your phones for unusual and unsolicited texts etc., and delete them immediately and uninstall TikTok to circumvent any exposure of personal information.”

    Following that guidance, the U.S. Army has officially banned the app from personnel phones.

    “It is considered a cyber threat,” Army spokeswoman, Lt. Col. Robin Ochoa, told Military.com. “We do not allow it on government phones.”

    Evidence suggests all individuals, not just military personnel, should be wary of the social media app. A recent lawsuit in California accuses the app of secretly analyzing videos and images without consent, and uploading them to servers in China.

  • Wyze Data Breach Exposes 2.4 Million Customers

    Security camera manufacturer Wyze is the latest company to experience a data breach, exposing sensitive data of 2.4 million users.

    According to Twelve Security, the cybersecurity firm that first discovered the leak, two production databases were left completely open to the internet. These databases contained email addresses of individuals who purchased cameras, emails for anyone who was given access, lists of cameras in use and their nicknames, WiFi SSIDs and more.

    Wyze eventually confirmed the breach, although it disagreed with some details about the information that was exposed. Wyze also denies the databases were production databases, according to a post on the company’s forums.

    “To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” the post reads.

    “We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”

    The company did confirm many other details of the breach, however, stating: “It did not contain user passwords or government-regulated personal or financial information. It did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations.”

    The company has taken measures to address the breach and restore security. However, as Twelve Security’s author Ghost says: “Personally, in my ten years of sysadmin and cloud engineering, I never encountered a breach of this magnitude.”

    Breaches like this continue to be both shocking and unacceptable. As IoT devices become increasingly common in both corporate and personal use, security should be the number one concern—not an afterthought.

  • Amazon and Ring Sued In Federal Court Over Failure to Secure Cameras

    TMZ is reporting that Ring and its parent company, Amazon, are being sued in federal court in California, claiming they have failed to protect users.

    Ring made headlines a couple of weeks ago when a number of cameras were hacked. In one particularly disturbing incident, a camera in an 8-year-old girl’s room was hacked, with the hacker talking to her and claiming to be her best friend. There have been other incidents as well, with a woman woken by a hacker shouting at her and a couple subjected to racist comments about their son.

    To make matters worse, VICE tested the Ring devices and found their security was abysmal. There was no way to see if anyone else was logged in to the camera, nor was there a log of who had accessed the device in the past. In other words, once a camera is hacked, there is virtually no way of knowing it has been compromised.

    The lawsuit’s plaintiff, John Baker Orange, seems to have a story similar to the other hacking incidents. He claims that “someone hacked into his outdoor security cameras and started commenting on his kids who were playing basketball … encouraging them to get closer to the camera.” If the claim is true, it could be the earliest known example of Rings being maliciously hacked, as Orange says the incident occurred last July.

    For a company specializing in security hardware, failure to provide basic security measures is beyond abysmal—it is unforgivable. It’s a safe bet this won’t be the first lawsuit Ring and Amazon face.

  • Software Engineer ‘Biohacks’ His Body, Has Computer Chips Implanted

    Cyborgs may be a mainstay of science fiction, but at least one software engineer is bringing the future to the present.

    ABC News is reporting that Ben Workman, a 29-year-old software engineer, has implanted RFID and NFC computer chips in his hands. He also has a magnet implanted in one hand, which he uses mainly for entertainment value, and a Tesla key implanted in the other.

    According to Workman, it was not easy finding someone willing to implant the chips. The process is relatively simple—similar to microchipping a pet—using a needle to insert the implant under the skin. Despite that, doctors, veterinarians and tattoo parlors all turned him down before his phlebotomist cousin finally agreed to implant the first two.

    Implanting the Tesla key was more challenging.

    “I had to send the valet key to a company called Dangerous Things,” Workman told ABC News. “They take the key, dissolve it in acetate, reshape it and then put a medical polymer on it.”

    While the insertion process is somewhat painful, due to the size of the needle required, once in, the implants cause no discomfort. On the other hand, Workman can feel the magnet when he moves his hand, due to its size.

    The RFID and NFC chips allow Workman to control electronic devices and duplicate some smartphone technology. For example, he can copy a person’s contact info from their phone with his hand or configure a WiFi network. Thanks to his programming background, he can also program the implants to do different tasks.

    “Anything with home automation I can program into my chips,” he said.

    According to ABC News, he can also use “his hands to control his home’s smart devices, like turning on and off the lights, and programmed his hand to replace his work badge he uses to swipe open the door at work.”

    As Workman points out, one of the biggest benefits of this type of technology is security. It’s much easier to steal a phone, car keys or security badge than it is to hack a biochip. And, of course, there’s always the futuristic cool factor as well.

  • Microsoft Acquires Pentagon Certification, Closes Gap With Amazon

    According to the Washington Post, Microsoft has achieved Impact Level 6, the Pentagon’s highest IT security certification.

    Prior to December 12, Amazon was the only company to have achieved Impact Level 6. The certification allows a company to store classified data in the cloud. Under normal circumstances, “defense and intelligence agencies typically use air-gapped, local computer networks to store sensitive data rather than the cloud-based systems that most companies now use to harness far-off data centers.”

    As the Washington Post points out, the security clearance helps justify Microsoft beating Amazon for a lucrative Pentagon contract. Amazon, as well as many experts, thought the company was all but guaranteed to win the contract, in part because it was the only company to have Impact Level 6. In addition, the company has previously worked with the CIA, giving it valuable experience with sensitive or classified data. In spite of that, Microsoft managed to secure the contract, worth some $10 billion.

    Amazon has maintained the bidding process was compromised by comments President Trump made and is challenging the results in court. In the meantime, having Impact Level 6 will only help Microsoft as it continues to challenge Amazon for government work.

  • Spotify Ignores Basic Security Rules, Sends USB Drives to Journalists

    In another case of “what were they thinking,” Spotify sent journalists USB drives with a note saying: “Play me.”

    The journalists at TechCrunch were brave enough to plug in the drive and open it—after taking the necessary precautions, of course. The drive was plugged into a spare computer running a disposable version of Linux on a live CD.

    As it turns out, the drive was harmless, containing a single audio file promoting one of Spotify’s new podcasts. The file simply said: “This is Alex Goldman, and you’ve just been hacked.”

    Despite the harmless nature of this drive, security experts have been warning companies and individuals for years of the dangers of plugging random USB drives into computers. These devices can contain executable files, viruses and other malware, making them a popular attack vector for cyber criminals.

    For a company of Spotify’s stature to resort to such a tactic in the interest of self-publicity was irresponsible and obtuse, and will no doubt cost the company a great deal of good will with journalists.

  • Pentagon Warns Military Personnel Not to Use Home DNA Kits

    NBC News is reporting that the Pentagon has told military personnel not to use home DNA testing kits.

    According to a memo NBC News obtained, “Under Secretary of Defense for Intelligence Joseph Kernan and James Stewart, acting Under Secretary of Defense for Personnel and Readiness, said that DNA testing companies were targeting military members with discounts and other undisclosed incentives.”

    The memo expressed concern that DNA companies’ policies may pose a greater risk to military personnel than to the general population. Inaccurate medical analysis impacting military medical disclosures, data being sold to third parties, data being used for surveillance and the possibility of tracking people without their consent were some of the specific concerns mentioned.

    Experts have for some time been warning about the privacy implications of home DNA testing kits and the companies behind them. The fact that the Pentagon is taking such a strong stand certainly adds weight to those concerns.

  • FBI Using Deception to Help Protect Companies From Cybercrime

    According to an Ars Technica story, the FBI is using one of the oldest tricks in the book to help companies protect data: deception.

    Under a program called IDLE (Illicit Data Loss Exploitation), the FBI is working to proactively protect companies, rather than waiting for an incident to occur. According to Ars, IDLE is “a form of defensive deception—or as officials would prefer to refer to it, obfuscation—that the FBI hopes will derail all types of attackers, particularly advanced threats from outside and inside the network.”

    The goal is to lure hackers into going for fake data, servers or infrastructure, leading them down dead-ends. The longer hackers are engaged with these fake systems, the more time security experts have to track them down.

    The program represents a fundamental shift in the FBI’s approach, where there is a greater emphasis placed on cooperation between the FBI and other government agencies, as well as with the private sector. In the ongoing arms race between cyber criminals and cyber security experts, the FBI’s approach is an innovative—albeit old—tactic that should help companies better protect themselves.

  • Beware of Watching ‘Star Wars: The Rise of Skywalker’ On Streaming Sites

    While it may be tempting to watch the latest Star Wars installment from the comfort of home, the International Business Times (IBT) is warning that doing so could be dangerous.

    According to the IBT report, security firm Kaspersky Labs has found some 30 fraudulent websites claiming to stream the new film. In reality, the goal of the sites is to capture unsuspecting users’ credit card information.

    The security firm also found 65 malicious files disguised as downloadable copies of the film. The files are actually malware designed to infect the devices they are downloaded on.

    According to a Kaspersky researcher: “It is typical for fraudsters and cybercriminals to try to capitalize on popular topics, and ‘Star Wars’ is a good example of such a theme this month.”

    As with most things related to cybersecurity, better safe than sorry when it comes to the new film: watch it in theaters or wait for it to be released on DVD or Disney+.

  • ToTok Removed From Apple and Google Stores Amid Claims It’s a Government Spying App

    ToTok was released only months ago and has climbed the charts to become one of the most popular messaging apps in Britain, India, Saudi Arabia and Sweden, as well as becoming one of the most downloaded social media apps in the U.S. last week.

    According to a report by the New York Times, however, the app is actually a spying tool for the United Arab Emirates government, giving it the ability to “track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.” The allegation is based on American officials with knowledge of classified intelligence, as well as the NYT’s own investigation.

    The app is distributed by a company called Breej Holding. However, investigation indicates the firm is likely a front company associated with DarkMatter, a cyberintelligence and hacking firm located in Abu Dhabi. DarkMatter is staffed with individuals who previously worked for the NSA, Israeli intelligence and Emirati intelligence, and is under FBI investigation for possible cyber crimes.

    In the wake of these revelations, both Apple and Google have removed the app from their respective stores. ToTok released a post to its user community to address the allegations, but stopped short of denying them outright. In fact, its privacy policy expressly says it may share data with “group companies,” as well as “to comply with a legal obligation to which we are subject.” Either of those clauses could come into play if the allegations are correct and the app is actually backed by the government.

    As the NYT comments, this is a significant “escalation in a digital arms race among wealthy authoritarian governments.” Whereas many governments have banned apps like WhatsApp and Signal, since they employ end-to-end encryption, the UAE took it a step further by lulling their citizens into a false sense of security with an app deliberately designed to spy on them and anyone else using it.

  • Millions of Child-Tracking Smartwatches Exposed In Flaw

    TechCrunch has reported on a vulnerability in GPS-enabled smartwatches for kids that could allow anyone to track them.

    In an exclusive release to TechCrunch, security firm Pen Test Partners detailed their findings. The researchers found a vulnerability in the cloud platform developed by a Chinese firm called Thinkrace.

    Not only does Thinkrace manufacture and sell its own line of child-tracking smartwatches, but it is also a white-label manufacturer. In other words, it manufactures devices that are relabeled and sold by other companies under different names and brands. All told, Thinkrace makes some 360 different devices, totaling at least 47 million units.

    “Often the brand owner doesn’t even realize the devices they are selling are on a Thinkrace platform,” Ken Munro, founder of Pen Test Partners, told TechCrunch.

    Because all Thinkrace devices use its cloud platform, all of them—regardless of what companies they’re branded under—are vulnerable.

    According to TechCrunch, “each tracking device sold interacts with the cloud platform either directly or via an endpoint hosted on a web domain operated by the reseller. The researchers traced the commands all the way back to Thinkrace’s cloud platform, which the researchers described as a common point of failure.

    “The researchers said that most of the commands that control the devices do not require authorization and the commands are well documented, allowing anyone with basic knowledge to gain access and track a device. And because there is no randomization of account numbers, the researchers found they could access devices in bulk simply by increasing each account number by one.”

    Perhaps most disturbing, because Thinkrace watches allow parents and children to talk to each other, walkie-talkie-style, “researchers found that the voice messages were recorded and stored in the insecure cloud, allowing anyone to download files.”

    Worse yet, the researchers told TechCrunch that the most common commands are well documented and do not require authorization, leaving them virtually wide open for anyone to access. Account numbers are also in sequential order, rather than randomized, meaning that with a single account number a hacker could keep accessing other devices by increasing or decreasing the account number a digit at a time.
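    The two weaknesses described above (device commands answered without authorization, and account numbers that can be walked one at a time) turned into detection logic a platform operator could run over its own API access logs. This is an added example, not Pen Test Partners’ or Thinkrace’s code; the log format, field names and IP addresses are constructed.

```python
"""Detection over constructed API access logs for two weaknesses of the kind
described in the Thinkrace write-up: device commands served without any
authorization, and one client walking sequential account numbers.
Added example; the log format and field names are constructed, not Thinkrace's."""
import re
from collections import defaultdict

# Constructed log format: "<client_ip> acct=<id> cmd=<name> auth=<yes|no> <http status>"
LOG_LINE = re.compile(
    r"^(?P<ip>\S+) acct=(?P<acct>\d+) cmd=(?P<cmd>\w+) auth=(?P<auth>yes|no) (?P<status>\d{3})$"
)

# Constructed sample: one client reads five consecutive accounts with no token,
# a legitimate parent works on a single account, one unauthenticated call is refused.
SAMPLE_LOG = """\
203.0.113.7 acct=100241 cmd=get_location auth=no 200
203.0.113.7 acct=100242 cmd=get_location auth=no 200
203.0.113.7 acct=100243 cmd=get_location auth=no 200
203.0.113.7 acct=100244 cmd=get_location auth=no 200
203.0.113.7 acct=100245 cmd=get_voice_msgs auth=no 200
198.51.100.3 acct=100900 cmd=get_location auth=yes 200
198.51.100.3 acct=100900 cmd=set_geofence auth=yes 200
198.51.100.9 acct=100500 cmd=get_location auth=no 401
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["acct"] = int(rec["acct"])
            rec["status"] = int(rec["status"])
            yield rec


def unauthorized_successes(records):
    """Device commands answered 2xx with no authorization present. A platform
    that checks authorization on every command never produces such a line."""
    return [r for r in records if r["auth"] == "no" and 200 <= r["status"] < 300]


def sequential_enumeration(records, min_run=3):
    """Per client IP, find the longest run of account IDs that each differ from
    the previous request by exactly one. A parent using the app touches one or
    two accounts; a run of min_run or more is reported as enumeration."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["acct"])
    findings = {}
    for ip, accts in by_ip.items():
        run = 1
        best = 1
        for prev, cur in zip(accts, accts[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            best = max(best, run)
        if best >= min_run:
            findings[ip] = best
    return findings


def analyze(log_text):
    """Summarise both checks for a log; returns counts rather than printing
    so the result can be fed to an alerting pipeline."""
    records = list(parse(log_text))
    return {
        "unauthorized": len(unauthorized_successes(records)),
        "enumerators": sequential_enumeration(records),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```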

    Pen Test Partners discovered the vulnerabilities and notified the affected companies in 2015 and 2017, giving manufacturers time to address the issues. While some did, unfortunately many did not. Even those companies that implemented fixes saw some of them undone at a later date.

    The lack of definitive action to address these vulnerabilities prompted Pen Test Partners to finally go public with their findings in the interest of warning people about the danger of Thinkrace’s devices.

    It continues to be utterly shocking how irresponsible companies can be in handling user data, not to mention data involving children. Needless to say, any individual—and especially parents—using a Thinkrace device should stop immediately.

  • Twitter Fixes Serious Vulnerability in Android Client

    Twitter announced Friday that it has patched a serious vulnerability in the official Twitter client for Android.

    According to the announcement on the company’s blog, the bug “could allow a bad actor to see nonpublic account information or to control your account (i.e., send Tweets or Direct Messages). Prior to the fix, through a complicated process involving the insertion of malicious code into restricted storage areas of the Twitter app, it may have been possible for a bad actor to access information (e.g., Direct Messages, protected Tweets, location information) from the app.”

    The company does not have any evidence the vulnerability was actually exploited, but is choosing to err on the side of caution. Twitter is contacting—via email or the app—any users who could have been exposed and providing instructions on what they should do.

    In the meantime, all Android users should update to the latest version, where the vulnerability has been fixed. iOS users are in the clear, as the bug appears to have only impacted the Android client.

  • Apple Expands Security Bounty Program to Include macOS

    Bug bounty programs are one of the most effective tools at a company’s disposal to find and fix bugs in operating systems and software. Under such a program, security researchers are paid a bounty for vulnerabilities they find and report to the company.

    In 2016, Apple opened a security bounty program for iOS and invited specific researchers to join it. However, according to an announcement on its website, the company has expanded the program to all of its operating systems—iOS, iPadOS, macOS, tvOS and watchOS. The program is also available to all security researchers, rather than a select few.

    Payouts for bugs range from $100,000 to $1,000,000. According to Apple, “researchers must:

    • Be the first party to report the issue to Apple Product Security.
    • Provide a clear report, which includes a working exploit (detailed below).
    • Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue).”

    This is a welcome announcement by Apple and should help improve security on Apple’s products even more.

  • FBI Warns Travelers About Automatically Joining WiFi Hotspots

    On the eve of the holiday travel season, the FBI’s Oregon field office is warning travelers about the danger of letting their computers and devices automatically connect to open WiFi networks.

    Many devices have a feature that allows them to automatically scan for, and join, open WiFi networks. While convenient, the feature represents a world of potential problems, as there is no way to verify the safety and security of an unknown hotspot. There could be hackers scanning traffic on a third-party, open network, or the network itself could be hosted by bad actors.

    The FBI’s post outlined a number of common sense precautions travelers should take:

    “Now is not the time you want to talk about cyber security, but we do have a few travel tips to keep you safe while you are on the go.

    • Don’t allow your phone, computer, tablet, or other devices to auto-connect to a free wireless network while you are away from home. This is an open invitation for bad actors to access your device. They then can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera.
    • If you do need to connect to a public hotspot – such as at an airport or hotel – make sure to confirm the name of the network and the exact login procedures. Your goal is to avoid accidentally connecting to a fraudster’s WiFi that they are trying to make look legit.
    • If you absolutely have to use an unsecured hotspot, avoid doing anything sensitive like accessing your bank account. A hacker would love your user ID and password – don’t give it to them.
    • Related to the above point, using your own secured hotspot from your phone is generally a better option.
    • If you are having guests stay at your home, consider setting up a separate WiFi account for them. That way, if they are running unsecured devices on your network, you can segregate their vulnerabilities from your sensitive data.
    • Disable location services – including those on your social media accounts and in your camera settings – that tell people where you are.
    • Finally, as hard as this may be in a world of oversharing, consider NOT pushing out pictures and posts about your grand adventures. Yes, your kids are adorable and Christmas morning was the best ever – but do you really want to tell the world that you are away from home?

    “From the FBI family to your family, enjoy your travels and stay safe.”

    The FBI’s recommendations are solid tips that should be followed at all times.

  • Facebook Reveals New Census Interference Policy Ahead of 2020 Census

    Facebook received its share of criticism over the 2016 election thanks to Russian operatives using the social media platform to sow disinformation and disagreement. As a result, ahead of the 2020 census—the first that people can complete online—Facebook is taking measures to protect against interference.

    In a blog post on the company’s site, Facebook outlines “a new census interference policy that bans misleading information about when and how to participate in the census and the consequences of participating. We are also introducing a new advertising policy that prohibits ads that portray census participation as useless or meaningless or advise people not to participate in the census.”

    The company worked with the U.S. Census Bureau, as well as the civil rights community “to develop thoughtful rules around prohibiting census interference on our platforms and making sure people can use their voice to be counted.”

    The post outlines some of the specifics involved in its new policy.

    “Our census interference policy will prohibit:

    • Misrepresentation of the dates, locations, times and methods for census participation;
    • Misrepresentation of who can participate in the census and what information and/or materials must be provided in order to participate;
    • Content stating that census participation may or will result in law enforcement consequences;
    • Misrepresentation of government involvement in the census, including that an individual’s census information will be shared with another government agency; and
    • Calls for coordinated interference that would affect an individual’s ability to participate in the census, enforcement of which often requires additional information and context.

    “We will begin enforcement next month and use a combination of technology and people to proactively identify content that may violate this policy. All content surfaced will be assessed by a team of reviewers who will benefit from the training and guidance of a consultant with census expertise. And as with voter interference, content that violates our census interference policy will not be allowed to remain on our platforms as newsworthy even if posted by a politician.”

    Information that may be inaccurate but does not necessarily violate the new policy may still be fact-checked. If it is found to be false, it will carry prominent labels and rank lower in news feeds. The company promises to share “accurate, non-partisan information about how to participate in the census in consultation with the US Census Bureau.”

  • Vladimir Putin Still Using (Long) Unsupported Windows XP

    One would expect a former KGB officer to use the latest and greatest when it comes to computer security. Evidently, Vladimir Putin disagrees, as he is still relying on Windows XP, according to The Guardian.

    According to the story, “Putin, 67, appears to have the obsolete Microsoft Windows XP operating system installed on computers in his office at the Kremlin and at his official Novo-Ogaryovo residence near Moscow, according to images released by his press service.”

    Evidently, the opposition-friendly Russian news site Open Media reported “that Mikhail Klimaryov, the head of Russia’s independent Internet Protection Society, had confirmed that Putin’s computers were running Windows XP in the photographs.”

    Microsoft stopped supporting Windows XP, as well as Office 2003, in April 2014. Despite the availability of newer versions of Windows, the Russian government has been trying to phase out Microsoft and Google software in favor of its own Linux distribution. As a result, government regulation is likely behind Putin’s archaic operating system choice.

    On the bright side, at least he’s not subjected to ads in his Windows applications. In other news, the CIA is dusting off its archive of Windows XP exploits.

  • Facebook Defends Tracking Users Even When They Opt Out

    According to The Hill, Facebook has admitted to senators that it ignores users’ settings and continues to track their location in order to profit off of that information.

    Senators Christopher Coons (D-Del.) and Josh Hawley (R-Mo.) had questioned how the social media giant handled location tracking, specifically whether it continued to track individuals even if they turned location tracking off. In reply to the senators’ request, Facebook’s deputy chief privacy officer, Rob Sherman, indicated that the company continues to use other means at its disposal to track users, regardless of their location sharing settings.

    “When location services is off, Facebook may still understand people’s locations using information people share through their activities on Facebook or through IP addresses and other network connections they use,” Sherman wrote.

    Sherman went on to add that as people use Facebook, they often leave indicators of their activities, such as checking in at a restaurant, location-tagging a photo or appearing in a friend’s photo, all of which the company uses to continue tracking them. In addition, the company uses this indirect tracking information to keep providing targeted ads based on that location data, even if location tracking is turned off on their phone.

    Needless to say, the senators were not pleased with this admission and had strong words regarding the company’s behavior.

    “Facebook claims that users are in control of their own privacy, but in reality, users aren’t even given an option to stop Facebook from collecting and monetizing their location information,” Coons said. “The American people deserve to know how tech companies use their data, and I will continue working to find solutions to protect Americans’ sensitive information.”

    “There is no opting out. No control over your personal information,” Hawley tweeted. “That’s Big Tech. And that’s why Congress needs to take action.”

  • VICE Tests Ring’s Security: Spoiler, It’s Awful

    Ring made headlines last week when multiple hacks were reported, with some disturbing results. In the wake of the reports, Ring tried to assure users that its network and systems had not been compromised and that the hacks were the result of users reusing passwords from other, compromised services.

    Not content with that explanation, the journalists at VICE took it upon themselves to test Ring’s security firsthand. The results were…unfortunate…to say the least.

    “Motherboard purchased a Ring camera to test what sort of security protections are in place to stop or slow hackers trying to break into Ring accounts. After setting up an account, the Ring app, and the camera itself, we shared the email address and password to the camera interface with multiple reporters who used both virtual private network software to connect to the camera from IP addresses from all over the world as well as physically being located in other countries.

    “We logged into the Ring app and website from the U.S., U.K., Spain, and Singapore, in some cases simultaneously and from various devices and browsers that had never been used to log into the platform before. At no point did Ring trigger any sort of alert, such as an email notification, to check that the IP address the system had never seen did indeed belong to the legitimate camera owner. Gmail, for instance, may email you if it detects a suspicious login attempt from a new location, a new device, or a new browser.

    “On a desktop web browser, someone who is logged in is able to watch historical, archived footage. From a smartphone app, someone who is logged in can watch live and historical footage, listen through the camera’s microphone, speak through the camera’s speaker, play an alarm, see the name of the specific Wi-Fi network the camera is connected to, see the address the user originally registered the Ring camera with, see the phone number a user has entered into the app, and see nearby crime ‘incidents.’”

    VICE goes on to highlight that Ring provides no way of seeing who is currently logged on to the device, despite allowing multiple people to be logged in simultaneously. The device also provides no log to see who has accessed it in the past. In other words, if a hacker manages to gain access to a Ring device, the owner has absolutely no way of knowing—other than obsessively monitoring the little blue light on the front of the camera. Even then, that only indicates someone is live-streaming the camera feed at that exact moment.
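The controls VICE found missing (an alert on a login from a new country or device, a view of who is logged in right now, and a record of past logins) are all derivable from login history. The following is an added example, not VICE's or Ring's code, run over constructed login events that mirror the test described above; it assumes a GeoIP lookup and a device fingerprint are available upstream.

```python
# Added example (not VICE's or Ring's code): the account-protection checks the
# article says Ring lacks, run over constructed login events.
from dataclasses import dataclass, field

@dataclass
class LoginEvent:
    session: str   # session id issued at login
    ip: str
    country: str   # assumed to come from a GeoIP lookup on ip
    device: str    # app/browser fingerprint, assumed to exist upstream
    ts: int        # unix seconds

@dataclass
class AccountState:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    active: dict = field(default_factory=dict)  # session id -> LoginEvent
    audit: list = field(default_factory=list)   # (ts, ip, country, device, alerts)

def process_login(state: AccountState, ev: LoginEvent) -> list[str]:
    """Record a login; return the alerts the owner should receive (first login enrols silently)."""
    alerts = []
    if state.countries and ev.country not in state.countries:
        alerts.append(f"new country {ev.country} from {ev.ip}")
    if state.devices and ev.device not in state.devices:
        alerts.append(f"new device {ev.device}")
    elsewhere = {s.country for s in state.active.values()} - {ev.country}
    if elsewhere:  # simultaneous sessions from other countries, as VICE reproduced
        alerts.append("concurrent sessions from " + ", ".join(sorted(elsewhere)))
    state.countries.add(ev.country)
    state.devices.add(ev.device)
    state.active[ev.session] = ev
    state.audit.append((ev.ts, ev.ip, ev.country, ev.device, tuple(alerts)))
    return alerts

def active_sessions(state: AccountState) -> list[tuple[str, str, str]]:
    # What the owner should be able to see: who is logged in right now.
    return sorted((s.session, s.country, s.device) for s in state.active.values())

# Constructed events: owner in the US, then logins from the UK and Singapore
# on never-before-seen browsers and devices (all values made up).
CONSTRUCTED_EVENTS = [
    LoginEvent("s1", "198.51.100.7", "US", "ios-app-a1", 1000),
    LoginEvent("s2", "203.0.113.5", "GB", "chrome-win", 1100),
    LoginEvent("s3", "192.0.2.9", "SG", "android-app-b2", 1200),
]

def replay(events=CONSTRUCTED_EVENTS) -> tuple[AccountState, dict]:
    state = AccountState()
    return state, {ev.session: process_login(state, ev) for ev in events}
```

Only the owner's first login is silent; every later login from an unseen country or device, or alongside a session elsewhere, produces an alert and an audit entry.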

    The bottom line is that Ring provides a deplorable level of security for a device whose sole purpose is to increase security.

  • WhatsApp Bug Can Crash the App and Delete Group Chats Forever

    A group of researchers has discovered a bug in WhatsApp that could allow hackers to crash it and delete group chats forever.

    The exploit was discovered by Check Point and builds on previous research they have done regarding WhatsApp’s security. The researchers’ report goes into quite a bit of technical detail regarding the bug, but here are the basic steps:

    • A hacker would need to gain access to a particular WhatsApp group chat in order to be able to compromise it.
    • Using standard development and penetration-testing tools, the hacker would then gain access to the key-pair used to encrypt the messages for that particular group.
    • The hacker can then intercept and edit various parameters of messages, such as the originating phone number, replacing numbers with non-digit characters.

    Once the message is sent with the modified information, WhatsApp will crash, and continue crashing even after it is reopened. It can only be stopped by deleting and reinstalling the app. Unfortunately, even if everyone deletes and reinstalls their app, all the data in the group chat thread is permanently lost.

    Obviously, given the need to gain access to a specific group and the skills required to access the encryption keys for that group, this bug is not a widespread threat. In addition, Check Point reported the bug to WhatsApp’s developers after finding it in August and only disclosed it publicly today, after the bug had been fixed.

    Even so, for users who have not updated to version 2.19.246 or later, the potential for targeted attacks is very high. Researchers Dikla Barda, Roman Zaikin and Yaara Shriki voiced concern about the implications in their report:

    “In WhatsApp there are many important groups with valuable content. If an attacker uses this technique and crashes one of these groups all chat history will be gone and further communication would be impossible.

    “The impact of this vulnerability is potentially tremendous, since WhatsApp is the main communication service for many people. Thus, the bug compromises the availability of the app which is crucial for our daily activities.”

  • Feds Bust Illegal Streaming Sites With More Content Than Most Legal Sites Combined

    The Department of Justice (DOJ) has secured guilty pleas from two programmers who ran massive illegal streaming sites, following an investigation by the FBI’s Washington Field Office.

    Darryl Julius Polo pleaded guilty “to one count of conspiracy to commit criminal copyright infringement, one count of criminal copyright infringement by distributing a copyrighted work being prepared for commercial distribution, one count of copyright infringement by reproduction or distribution, one count of copyright infringement by public performance and one count of money laundering.” His co-defendant, Luis Angel Villarino, pleaded guilty “to one count of conspiracy to commit copyright infringement.”

    According to the report, at least one of the sites was a “site called iStreamItAll (ISIA), an online, subscription-based service headquartered in Las Vegas that permitted users to stream and download copyrighted television programs and movies without the permission of the relevant copyright owners. Polo admitted that he reproduced tens of thousands of copyrighted television episodes and movies without authorization, and streamed and distributed the infringing programs to thousands of paid subscribers located throughout the U.S. Specifically, Polo admitted that ISIA offered more than 118,479 different television episodes and 10,980 individual movies. In fact, according to the plea agreement, ISIA had more content than Netflix, Hulu, Vudu and Amazon Prime, and Polo sent out emails to potential subscribers highlighting ISIA’s huge catalog of works and urging them to cancel those licensed services and subscribe to ISIA instead.”

    Evidently, Polo ran a sophisticated set of automated scripts that scoured pirate sites, torrents and Usenet groups 24/7 looking for new content. The content was then processed, stored and made available to subscribers of ISIA and Jetflicks, the other site in question. Both ISIA and Jetflicks were designed to work on a variety of operating systems, mobile devices, set-top boxes, consoles and smart televisions.

    The level of sophistication is truly impressive and likely only a taste of what’s to come as technology continues to be democratized.