Zoom bug meant attackers could brute force their way into password-protected meetings

Zoom has patched a security hole that could have allowed attackers to break their way into password-protected private calls.

The flaw, discovered by SearchPilot’s Tom Anthony, meant that hackers and spies could have broken into private password-protected Zoom video calls “within a matter of minutes.”

The problem revolved around the six-digit numeric passcode, used by default to secure Zoom chats. Six digits mean that the passcode for a specific chat had to be a number between “000000” and “999999”.

One million possible combinations may sound like an awful lot for a hacker to try by hand, but it is little effort for a computer to brute force its way through them until it finds the one that unlocks the private Zoom conversation.

Anthony began looking into the issue after UK Prime Minister Boris Johnson made headlines by tweeting a screenshot of a sensitive Cabinet meeting held on Zoom, revealing its meeting ID.

At the time, the UK government dismissed the threat posed by the tweet, since entry to the Zoom meeting was protected by a password.

However, Anthony discovered that his attempts to brute force his way into password-protected Zoom meetings did not trigger any warnings or slowdown.

With what he described as “fairly clunky” Python code, Anthony was able to confirm that it was possible to crack his way into Zoom meetings without too much difficulty from a home PC.

According to the researcher, using 4-5 cloud servers it would be possible to check all the possible six-digit numeric passwords in just “a few minutes.”

Contacting Zoom about the issue, Anthony made a number of suggestions, including:

  • Rate-limit the number of attempts that can be made to enter a password for a Zoom meeting (for instance, to 10 different attempts per hour)
  • Rate-limit IP addresses that make too many attempts to guess a password (regardless of which meeting ID is targeted)
  • Trigger a warning should a given meeting pass a set number of failed password attempts
  • Increase the length of the default password
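The first three suggestions above amount to one mechanism: count failed passcode attempts per meeting and per source address in a sliding window, refuse further attempts once a threshold is crossed, and alert the host early. The following Python is an added illustration of that defensive logic; it is not Zoom's code or Anthony's script, and the limits, window and alert threshold are constructed values (the 10-per-hour figure is the one the article mentions). The simulation replays a sequence of guesses against a single meeting to show how few guesses actually reach the passcode check, and `hours_to_exhaust` shows what the per-meeting limit does to the one-million-guess keyspace.

```python
import hmac
from collections import deque
from dataclasses import dataclass, field

# Constructed policy values for this example (the article suggests 10 attempts per hour per meeting).
MEETING_LIMIT = 10        # failed attempts allowed per meeting per window
IP_LIMIT = 30             # failed attempts allowed per source IP per window, across all meetings
WINDOW_SECONDS = 3600     # sliding window length
ALERT_THRESHOLD = 5       # warn the host once a meeting sees this many failures
PASSCODE_SPACE = 10 ** 6  # six numeric digits: "000000".."999999"


@dataclass
class PasscodeGuard:
    """Tracks failed passcode attempts per meeting and per source IP in sliding windows."""
    by_meeting: dict = field(default_factory=dict)
    by_ip: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # meeting IDs that crossed ALERT_THRESHOLD

    @staticmethod
    def _prune(timestamps, now):
        # Drop failures that fell outside the window.
        while timestamps and now - timestamps[0] > WINDOW_SECONDS:
            timestamps.popleft()

    def check(self, meeting_id, ip, passcode, expected, now):
        """Return 'ok', 'wrong' or 'throttled'. Throttling is decided before the passcode is compared,
        so a throttled source learns nothing about whether its guess was right."""
        meeting_fails = self.by_meeting.setdefault(meeting_id, deque())
        ip_fails = self.by_ip.setdefault(ip, deque())
        self._prune(meeting_fails, now)
        self._prune(ip_fails, now)
        if len(meeting_fails) >= MEETING_LIMIT or len(ip_fails) >= IP_LIMIT:
            return "throttled"
        if hmac.compare_digest(passcode, expected):   # constant-time comparison
            return "ok"
        meeting_fails.append(now)
        ip_fails.append(now)
        if len(meeting_fails) == ALERT_THRESHOLD:
            self.alerts.append(meeting_id)
        return "wrong"


def simulate_guesses(guard, meeting_id, ip, expected, guesses, start=0.0):
    """Replay a list of guesses one second apart and tally the outcomes."""
    tally = {"ok": 0, "wrong": 0, "throttled": 0}
    for k, guess in enumerate(guesses):
        tally[guard.check(meeting_id, ip, guess, expected, now=start + k)] += 1
    return tally


def hours_to_exhaust(limit_per_hour=MEETING_LIMIT, space=PASSCODE_SPACE):
    """Hours needed to try every passcode when only limit_per_hour guesses are accepted per meeting."""
    return space / limit_per_hour


if __name__ == "__main__":
    guard = PasscodeGuard()
    # Constructed scenario: 50 sequential guesses against a meeting whose passcode is 000042.
    outcome = simulate_guesses(guard, "123-456-789", "203.0.113.7", "000042",
                               [f"{n:06d}" for n in range(50)])
    print(outcome, "alerts:", guard.alerts)
    print("hours to exhaust the keyspace at the per-meeting limit:", hours_to_exhaust())
```

Only the first ten guesses are ever compared against the real passcode; the correct value at position 42 is rejected as throttled without being checked, and the host was alerted after the fifth failure. At ten attempts per hour, exhausting the keyspace would take 100,000 hours, which is what turns a "few minutes" attack into an impractical one. A legitimate participant who enters the right passcode after the window has expired is admitted normally.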

A spokesperson for Zoom confirmed that the video chat service has since improved its security:

“Upon learning of this issue we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate limiting… and relaunched the web client on 9 April. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild.”

Online services that are protected by something as simple as a six-digit numeric passcode cannot afford to ignore the very real risk that attackers might attempt to brute-force their way through.

Making passwords longer and more complex than six numeric digits is one way to make life harder for hackers, but the most useful defence is undoubtedly to spot excessive failed attempts to break in and to block or slow them down so that brute-force attacks are no longer practical.

74% of Internet Users Feel They Have No Control Over the Personal Information Collected on Them

New research conducted by the Ponemon Institute reveals a substantial lack of empowerment felt by consumers when it comes to their data privacy. There is also a gap between the data protection individuals want and what industry and regulators provide, pointing to a dire need for digital identity protection solutions on a consumer level.

According to the report (Privacy and Security in a Digital World: A Study of Consumers in the United States), consumers are still waiting on, or expecting, the federal government to drive data protection initiatives.

More than half of consumers (60%) believe government regulation should help address the privacy risks facing consumers today. Of those, 34% say government regulation is needed to protect personal privacy and 26% believe a hybrid option (regulation and self-regulation) should be pursued.

The study found that 64% of consumers think it’s “creepy” when they receive online ads that are relevant to them. And 73% of consumers want advertisers to allow them to “opt-out” of receiving ads on any specific topic at any time.

It is worth noting that the social microblogging platform Twitter indeed offers this opt-in/opt-out feature. This cannot be said about other popular online services, though.

Twitter is a rare example in the social media world where users are offered a transparent, friction-free method to opt-in or out of personalized ads.

The research reveals a lack of empowerment that consumers feel in their ability to protect their privacy, coupled with a bit of negligence on the users’ end.

While 74% of consumers say they have no control over the personal information that is collected on them, they are also not taking much action to limit the data they provide to the online services they employ on a daily basis, like Facebook and Google.

In fact, the report notes, 54% of consumers say they do not consciously limit what personal data they are providing.

“This lack of empowerment can have devastating effects on consumers’ privacy if it goes unchecked,” the researchers said.

Other key findings include:

  • Consumer Concern Is Increasing: Two-thirds of consumers (68%) are
    more concerned about the privacy and security of their personal information
    than they were three years ago. Three-fourths of consumers (75%) in the over 55
    age group have become more concerned about their privacy over the past three
    years.
  • Search Engines Least Trusted: Almost all consumers (92%) believe
    search engines are sharing and selling their private data, 78% believe social
    media platforms are and 63% of consumers think shopping sites are as well.
    Similarly, 86% of respondents say they are very concerned when using Facebook
    and Google and 66% of respondents say they are very concerned when shopping
    online or using online services.
  • Seniors Against Advertising Tracking: A majority of older consumers (78%)
    say advertisers should not be able to serve ads based on their conversations
    and messaging.
  • Consumers Have Little Hope in Websites’ Ad Blocking:
    Only 33% of consumers expect websites to have an ad blocker that stops
    tracking and only 17% of consumers say they expect websites to limit the
    collection and sharing of personal information.
  • Split Responsibility: More consumers (54%) say online
    service providers should be accountable for protecting the privacy of
    consumers, while 45% say they themselves should assume responsibility.

According to Dr. Larry Ponemon, chairman and founder of Ponemon Institute, “these findings make a compelling case for the important role identity protection products and services play in protecting consumers’ privacy.”

“The study shows that many consumers are alarmed by the uptick in privacy scandals and want to protect their information, but don’t know how to and feel like they lack the right tools to do so,” Dr. Ponemon stressed.

At Bitdefender, we believe the more we control our digital footprint, the easier it is to manage our individual online reputation and personal data. Bitdefender Digital Identity Protection lets you see if your personal info has been stolen or made public, or – in case the answer is Yes – how much of it has actually been leaked.

Bitdefender DIP offers continuous identity monitoring, meaning you are alerted if any sensitive information that relates to your identity is found on the Dark Web or public databases. You get alerts about identity-theft attempts, data breaches, account take-overs and social media impersonations, and you can immediately take action to secure your online identity with only a few clicks. Learn more at https://www.bitdefender.com/solutions/digital-identity-protection.html.

Thousands of websites at risk from critical WordPress plugin vulnerability

A critical vulnerability in a third-party plugin installed on over 70,000 websites running WordPress could allow hackers to execute malicious code remotely.

The vulnerability, discovered by security researchers at Wordfence, lies in a vulnerable version of the wpDiscuz commenting plugin and enables hackers to upload arbitrary files to targeted websites, including executable PHP files.

wpDiscuz offers an alternative (and some would argue more stylish) way for people to leave feedback on blog posts than JetPack Comments, Disqus, and WordPress’s own built-in commenting system, and has received praise from some for its handling of comments in real-time through Ajax, comment rating system, and its support for storing comments on the site’s local servers rather than on a third-party service.

However, Wordfence’s researchers told wpDiscuz’s developers in June that it had found a flaw, which – due to a lack of security precautions – allowed unauthenticated users to upload to a comment any type of file (including PHP files).

The problem was introduced in version 7 of wpDiscuz, which added a feature allowing users to upload images alongside their comments. Wordfence found that the plugin failed to properly verify whether uploaded files really were images, so a file carrying malicious code could be uploaded in their place.
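The defect described above is a missing content check: the upload path trusted the claimed file type instead of verifying it. The Python below is an added example of the checks an image-upload handler should make, written here as standalone code rather than in the plugin's own PHP; it is not wpDiscuz's or Wordfence's code. The extension allowlist, the magic-byte table and the sample uploads are constructed for the example. It rejects a file on any of four grounds: an extension outside the allowlist, a nested executable extension such as `name.php.png`, a leading byte sequence that does not match the declared image format, and a PHP open tag embedded anywhere in the body (a polyglot that is a valid image and a valid script at once). Files that pass are stored under a server-generated name so the uploader never controls the final path.

```python
import os
import secrets

# Leading bytes ("magic numbers") of the image formats this example accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = set(MAGIC)
# Extensions a PHP web server may execute; never accepted, even nested (shell.php.png).
EXECUTABLE_EXT = {"php", "phtml", "php3", "php4", "php5", "php7", "phar"}


def validate_image_upload(filename, data):
    """Return (accepted, reason). Checks the name first, then the actual bytes."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    if any(p in EXECUTABLE_EXT for p in parts[1:-1]):
        return False, "nested executable extension"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    # Defence in depth: an image that also carries a PHP open tag is a polyglot, not a photo.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


def safe_storage_name(filename):
    """Server-chosen random name that keeps only the (already validated) extension."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: (claimed filename, first bytes of the body).
    samples = [
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.php", b"<?php echo 'hi'; ?>"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("fake.png", b"<?php echo 1; ?>"),
        ("poly.gif", b"GIF89a" + b"<?php echo 1; ?>"),
        ("../../evil.php", b"x"),
    ]
    for name, body in samples:
        ok, why = validate_image_upload(name, body)
        print(f"{name:16} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Checking the bytes rather than the name is the step the vulnerable release skipped; the extension allowlist on its own would still have admitted a renamed script. The random storage name additionally means that even a file which slips through cannot be requested at a path the uploader predicted, and the upload directory should in any case be configured so the web server never executes files from it.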

According to Wordfence, a successful attack could leave an attacker with control of every website on the server:

“If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code.”

wpDiscuz’s developers initially told Wordfence that the flaw would be fixed in version 7.0.4 of the plugin, which was eventually released on July 20 2020.

Unfortunately, Wordfence found that the update did not sufficiently patch the security hole, and a new (properly working) version of wpDiscuz was released on July 23 2020.

Wordfence recommends that all administrators of self-hosted WordPress-powered websites that are running the wpDiscuz plugin update to the latest version as a matter of priority.

As Bleeping Computer reports, since the fixed version of wpDiscuz was released it has been downloaded just over 25,000 times – meaning some 45,000 websites may still be vulnerable.

Self-hosting your WordPress site has its benefits, but one of the biggest downsides is that the onus is much more on you to ensure it is kept updated with the latest patches and updates. New vulnerabilities are frequently found in the software and its many thousands of third-party plugins – so it’s not something that you can afford to ignore.

My advice? Enable automatic updates wherever possible.

Left unattended, a website running a self-hosted edition of WordPress can be all too easy for a hacker to exploit. And it will be your brand, and the visitors to your website, who will be running the risk of serious harm.

Avon Cosmetics Leaks 7GB of Personal and Technical Information from Unsecured Server

Last month, SafetyDetectives researchers discovered an unsecured database belonging to the popular Avon beauty company. The server, which lacked basic security measures, was easily accessible by investigators, who found a trove of 19 million records, including personal information of employees and website technical data.

While the news might not strike a chord at first, the data breach disclosure follows a June 9 regulatory filing by the company, which confirmed a security incident that “interrupted some systems and partially affected operations.”

On June 12, Avon Products submitted a second regulatory filing stating that, “after suffering the cyber incident communicated on June 9, 2020” they are “planning to restart some of its affected systems in the impacted markets throughout the course of next week.”

“Avon is continuing the investigation to determine the extent of the incident, including potential compromised personal data,” the report said. “Nevertheless, at this point it does not anticipate that credit card details were likely affected, as its main ecommerce website does not store that information.”

A third update said the company “reestablished most of its operating systems and resumed operations in most of its markets, including the majority of its distribution centers.”

SafetyDetectives speculate that the statements are not linked to the data breach discovered by their team.

The investigators’ report, released on July 28, says the unprotected Avon.com server contained API logs for both the web and mobile websites, meaning that all production server information, along with sign-in and refresh OAuth tokens, was exposed.

The database contained over 7GB of data such as personal identifiable information and non-personal technical information:

• Names, phone numbers, date of birth and physical address
• Email addresses, GPS coordinates, last payment amounts
• Names of company employees (not confirmed)
• Administrator user emails
• More than 40,000 security tokens
• OAuth tokens and internal logs
• Account settings and server information

Moreover, the leaked data contained sensitive information such as PIN codes sent by SMS. The leaked internal logs could even be used to attack Avon’s IT infrastructure.

“Hackers could potentially harness the server to mine cryptocurrency, plant malware or conduct ransomware attacks upon the server owners,” the researchers added.

Even though there is not enough evidence to link the initial security incident reported by Avon with this data leak, precautionary measures should be taken.

Employees and Avon customers should inspect their online accounts and reset their passwords. Although the company has secured its leaky server, the possibility of malicious access to the open database can’t be excluded.

As a quick side note, Brazil’s Natura & Co Cosmetics, which acquired a 76% stake in Avon, also suffered a similar security incident, in April 2020, when the personal identifiable information (PII) of more than 190 million customers was found completely unprotected on two US-based Amazon servers. However, unlike Avon’s data leak, Natura’s servers contained the payment information of 40,000 shoppers.

Athlete Recruiting Software Company Discloses Data Breach 7 Months after Student-Athlete Data is Exposed

In January 2020, a security researcher discovered an exposed server belonging to Front Rush, an athlete-recruiting software company offering solutions to more than 9,500 college teams at over 850 institutions across the United States.

The initial report was kept low key, and it appears that the unsecured server contained over 700,000 files including medical records, performance reports, driver’s licenses and other personal identifiable information of college athletes.

Yesterday, however, Front Rush disclosed that it has started informing potentially affected individuals about the security incident that was overlooked 7 months ago.

According to the data breach notification, “on or around January 5, 2020, Front Rush was informed by a security researcher that one of its Amazon Web Services S3 buckets (“the S3 bucket”) was publicly accessible from the internet.”

The company said the S3 bucket contained:

• Attachments uploaded by the college institutions (such as transcripts, injury reports, or athletic reports)
• Attachments that were uploaded by student athletes, prospective student athletes or their parents/guardians

As disclosed by the report, the type of personal information exposed varied by individual. However, Front Rush reveals that data sets may have included first and last names, date of birth, Social Security number, Driver’s License Number/State ID Number, student ID number, passport number, other ID number, financial account information, payment card information, mother’s maiden name, birth certificate, username or email address and password, electronic signature, Medicare/Medicaid number, diagnoses, prescriptions, disability information, other medical information, health insurance subscriber and group numbers and other health insurance information.

The company claims that, upon learning of the event, it immediately opened an investigation alongside third-party security experts. It appears that the S3 bucket housing the database was publicly accessible between January 18, 2016 and January 8, 2020.

While the report says there is “no evidence to suggest that the S3 bucket was accessed by anyone other than the security researcher, logs were not sufficient to show whether anyone else had accessed the data.”

College institutions were notified on June 15, and letters to potentially impacted individuals for whom address information was available were sent out starting with July 27.

It’s unclear why the company waited to notify affected individuals. However, the company hinted that they were waiting on the results of the data mining investigation before publicly disclosing impacted athletic departments across the country.

“To date, Front Rush has not received any reports that personal information has been misused as a result of this incident,” the notification reads.

The data breach could have serious consequences for athletes, parents and guardians. Even if there is no evidence that the unsecured data was accessed by malicious actors, the fact that the server was left unprotected for four years leaves room for serious debate.

Victims should be aware that, with such a variety of exposed personal identifiable information (PII), the chances of identity theft are high. As such, “Front Rush encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, promptly change any involved account passwords, and to review account statements, and credit reports for suspicious activity.”

The company has also provided credit monitoring to individuals who had a Social Security Number or Driver’s License Number/State ID exposed and notified state regulatory authorities.

Bank of Ireland fined €1.66 million after being tricked by fraudster

One of Ireland’s largest banks, Bank of Ireland, has been fined almost €1.7 million after regulators discovered it had failed to inform financial regulators and the police after a fraudster tricked them into transferring funds from a client’s account.

In September 2014, a fraudster impersonated a client of Bank of Ireland’s former subsidiary, Bank of Ireland Private Banking Limited (BOIPB), and tricked the bank into transferring a total of €106,430 (approximately US $125,000) from the client’s personal current account and the bank’s own funds into a UK bank account.

The fraudster had hacked into the victim’s email account to request the money transfers from the bank.

Astonishingly, the bank released confidential details related to the account to the fraudster without requiring them to answer any security questions. Furthermore, the bank did not call the client using the contact telephone number on its database to confirm the request for the money transfer.

That, obviously, is bad enough.

The client who had money stolen from their account had it immediately reimbursed by Bank of Ireland, but the fraud was not reported to the Central Bank of Ireland or police.

Indeed it was over a year later before Central Bank discovered a reference to the incident in Bank of Ireland’s logs, demanded more details, and insisted that the fraud should also be reported to the police.

A subsequent investigation by Central Bank found “serious deficiencies” in how Bank of Ireland handled third-party payments:

  • Inadequate systems and controls to minimise the risk of loss from fraud
  • Inadequate governance, oversight and ongoing review of the systems and control environment
  • Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
  • Lack of compliance monitoring.

The Central Bank of Ireland went on to say that BOIPB’s “failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation,” and that it had failed for 19 months to disclose an internal report created after the incident which revealed systemic failings.

According to the Central Bank of Ireland report, the problems related to third-party payments were only fixed 17 months after the incident, and even then only after the Central Bank intervened.

“BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice,” Seána Cunningham, the Central Bank’s director of enforcement and anti-money laundering, was reported as saying to the Irish Times. “BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter. Reporting illegal activity is essential in the fight against financial crime.”

There’s not a huge amount you or I can do but trust the banks who look after our financial accounts to do a decent job of securing them from fraudsters. And we also trust them to work closely with law enforcement agencies and regulators when a security breach occurs.

What is somewhat under our control, however, is to better secure our email accounts – using strong, unique passwords and multi-factor authentication. Taking steps like that can help make it much harder for fraudsters to take their first steps towards emptying our bank accounts.

That’s no excuse for Bank of Ireland, however. They should have been following proper procedures to ensure that the money transfer was authorised by the real holder of the account – and they definitely shouldn’t have tried to hide what happened from regulators and the police.

Bitdefender Accounts for 12% of the $632 Million Stopped by No More Ransom in Four Years

The No More Ransom decryption tool repository has so far registered over 4.2 million visitors from 188 countries. The repository has helped save an estimated $632 million for ransomware victims worldwide, with 12% saved by Bitdefender’s GandCrab decryptors alone.

No More Ransom, powered by the contributions of 163 partners fighting cybercrime globally, turns four years old this month. The first public-private partnership of its kind, NMR helps ransomware victims recover encrypted data without having to pay their aggressors.

Users simply visit nomoreransom.org and follow the Crypto Sheriff steps to help identify the ransomware strain affecting their data. If a decryptor is available, a download link will be provided.

Celebrating its achievements, the European Union Agency for Law Enforcement Cooperation (Europol) this week published a press release announcing that the repository “has registered since its launch over 4.2 million visitors from 188 countries and has stopped an estimated $632 million in ransom demands from ending up in criminals’ pockets.”

“Powered by the contributions of its 163 partners, the portal has added 28 tools in the past year and can now decrypt 140 different types of ransomware infections. The portal is available in 36 languages,” Europol said.

Cybersecurity vendors were the most prolific contributors, accounting for 37% of contributions, but 28% of the decryption tools came from law enforcement, 11% from CERTs, 7% from players in the financial services industry, 6% from non-profits and 3% from consulting. Even telcos and academia contributed, each with a small but still important 2% share.

For its part, Bitdefender has so far provided seven free decryption tools for nine ransomware families. Bitdefender’s GandCrab decryptors alone have helped save victims more than $76 million to date – or 12% of the total $632 million in ransom demands prevented by No More Ransom from ending up in criminals’ pockets in the past four years.

A handy infographic accompanying the press release shows the breakdown by partners, tools, languages and countries, as well as the partner annual growth, total downloads and ransomware families covered.

Acknowledging that many types of ransomware are still out there without a public decryptor, Europol describes some steps to take to protect yourself from ransomware, including keeping regular backups (preferably offline) and using reliable antivirus software.

“Do not download programs from suspicious sources. Do not open attachments in e-mails from unknown senders, even if they look important and credible,” Europol adds.

As always, the agency urges ransomware victims to refrain from paying ransom. The FBI has historically also issued the same recommendations to entities falling prey to ransomware operators, though for some victims – like healthcare providers – denying attackers their demands just might have a life-threatening impact.

Promo.com announces data breach after 22 million user records are published online

Promo.com, a video creation platform for businesses and agencies, has confirmed a data breach after bad actors posted a database containing 22 million user records on a hacking forum.

The award-winning video maker, which is partnered with social media venues such as Facebook and Instagram, allows users to create an unlimited number of promotional videos that can be shared online.

In a data breach memo, Promo.com announced that it became aware of the security incident on July 21, linking the breach to one of its third-party service providers.

“On July 21, 2020, our team became aware that a data security vulnerability on a 3rd party service had caused a breach affecting certain non-finance related Slidely and Promo user data,” the letter reads. “We immediately stopped all suspicious activity and launched an internal investigation to further learn about what happened.”

No financial data such as credit cards or billing information was exposed in the breach. However, personal identifiable information was accessed and exfiltrated by the attackers.

The compromised data was listed in the Promo Data Breach FAQ page, and includes first and last name, email address, IP address, approximated user location based on the IP address and gender, as well as encrypted, hashed and salted passwords to the Promo or Slidely account. However, “your Log in via your social media account was not affected,” the company added.

Promo.com underlined that it has completely removed the vulnerable third-party service, and that it has hired a cybersecurity firm to help enhance their protection and intrusion detection mechanisms to prevent future unauthorized access to their customer database.

Since even hashed and salted passwords can still be cracked offline by cyberthieves, the company encourages users to immediately reset their Promo.com account password, along with any other accounts that share the same login credentials. As an additional precaution, users should also regenerate any social media login tokens, where possible.

A dedicated 24/7 support team may be contacted via support@promo.com by any users who have questions or concerns regarding their account security.

REvil Ransomware Gang Claims Spanish State-Owned Railway Infrastructure Manager as New Victim

REvil ransomware operators successfully targeted Spanish state-owned railway operator Administrador de Infraestructuras Ferroviarias (Adif) last week.

The bad actors claimed to have exfiltrated around 800 GB of data from Adif’s servers, including personal information, letters, contracts, and account information of the company.

As proof, the cybercriminals even posted a sample of their bounty on their underground website. Although Adif said its security team controlled the ransomware attack, cybercriminals said they will continue to exfiltrate data from their servers unless their ransom demands are met.

“Simultaneously with the publication, the third attack will follow,” REvil operators said. “We advise you to get in touch immediately. We have personal information including correspondence, contracts and other accounting (total 800 gigabytes of data). If you do not comply with our terms, your data will be published in the public domain. We will continue to download your data until you contact us.”

In a statement to the International Railway Journal (IRJ), Adif said its “infrastructure has not been affected at any time, and the correct functioning of all of its services has been guaranteed.”

“Adif, aware of being the manager of a critical infrastructure such as the exploitation of the railway network, considers cybersecurity as one of the pillars of comprehensive security,” the statement reads.

Details on how the criminals managed to breach security of the railway infrastructure manager are yet to be revealed. What we do know, however, is that REvil has added some big names to its list of victims. The gang has been prolific this year, compromising Travelex, Grubman Shire Meiselas & Sacks, Aussie beverage manufacturer Lion, a Brazilian power company and Telecom Argentina, one of the largest Internet service providers in the country.

The ransom demands received by Adif also remain unknown, but it’s recommended never to give in to such ultimatums. Recently, ransomware gangs haven’t been limiting their malicious actions to encrypting the data of their victims, but instead focus on publicly extorting them by threatening to leak their confidential data online.

Cash Advance Service Dave.com Reports Data Breach

Digital banking and cash advance app Dave has reported a data breach after a bad actor published a database containing personal information of 7.5 million users on a public hacking forum.

According to a data breach memo, “a malicious party recently gained unauthorized access to certain user data” after breaching the systems of Waysez, a former third-party service provider of the company.

The exfiltrated information included users’ names, emails, dates of birth, home addresses and phone numbers, along with “user passwords that were stored in hashed form, using Bcrypt, an industry-recognized hashing algorithm.”

“Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers,” the notification reads. “Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident.”

As reported by cybersecurity researchers from Cyble, the stolen data was privately auctioned on a hacking forum for a whopping $16,000. However, on July 24, a data breach broker called ShinyHunter released the complete database free of charge.

After learning about the incident, Dave.com started an internal investigation alongside the FBI and third-party cybersecurity consultants. The company said its “security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe.”

Although Dave.com is still notifying affected customers, a mandatory reset of all account passwords has been implemented. Users are also advised to change passwords for all online accounts that share the same login credentials with Dave app.

While company officials clearly stated that the security incident did not affect financial data or unencrypted Social Security numbers, users should look out for any signs of malicious use of their personal data. Identity thieves may attempt to contact Dave users via social media or email to gain additional information from victims. Keep an eye out for unsolicited emails and phishing attempts, and avoid providing your personal information on bogus-looking links and websites.
