You were promised Zoom news last week, but due to a late night of writing, that story was delayed to this week. So whats the deal with Zoom? Google, SpaceX, and even the government of Taiwan and the US Senate have banned Zoom. You may remember our coverage of Zoom from nearly a year ago, when Apple forcibly removed the Zoom service from countless machines. The realities of COVID-19 have brought about an explosion of popularity for Zoom, but also a renewed critical eye on the platforms security.
Zoombombing, joining a Zoom meeting uninvited, made national headlines as a result of a few high profile incidents. The US DOJ even released a statement about it. Those incidents seem to have been a result of Zoom default settings: no meeting passwords, no waiting room, and meeting IDs that persist indefinitely. A troll could simply search google for Zoom links, and try connecting to them until finding an active meeting. Ars ran a great article on how to avoid getting zoombombed (thanks to Sheldon for pointing this out last week).
There is another wrinkle to the Zoom story. Zoom is technically an American company, but its Chinese roots put it in a precarious situation. Recently its been reported that encryption keying is routed through infrastructure in China, even though the calling parties are elsewhere. In some cases, call data itself goes through Chinese infrastructure, though that was labeled as a temporary bug. Zoom was also advertising its meetings as having end-to-end encryption. That claim was investigated, and discovered to be false. All meetings get decrypted at Zoom servers, and could theoretically be viewed by Zoom staff.
Why does it matter? Is this just anti-Chinese rhetoric? Well, no. When a service like Zoom is hosted on a server in a given country, that service is subject to that countrys laws. China has a rather dismal history of abusing communications infrastructure to spy on and persecute its own citizens. (I am aware that the US has a dismal history there as well. Im not excited about my conversations being in the clear on a US server, either.) While thats not necessarily a huge problem for a school doing distance learning, government leaders should probably avoid holding cabinet meetings over the service.
Its a Hollywood trope at this point. Our hero has to infiltrate the super secret organization, and to get in, he has to defeat a fingerprint scanner. No problem, the hero has lifted a fingerprint earlier in the movie, and with a bit of ingenuity, fools the fingerprint scanner. Thats just the movies, and real fingerprint readers are more secure, right? Well, the Talos group at Cisco put the myth to the test. They used a 25 micron UV 3d printer to make a series of molds, and then tried different materials to cast the fake prints. A fabric glue seemed to work the best, as it was able to fool capacitive sensors as well as visual.
A mold could be calculated and printed in an hour in 25-micron resolution. There is some additional time for the cast itself to set, and they conclude that the attack isnt something that can be performed quickly.
Phones seemed to fare the worst, with a success rate somewhere around 80%. Of particular interest is the devices that were difficult to compromise. Interestingly, Windows Hello, a part of Windows 10, was entirely resilient to their attacks. The Talos researchers suggest that the key here is the comparison algorithm used to compare the scanned fingerprints. Another winner was the pair of USB keys that use a fingerprint scanner to unlock the stored data. Those keys also shrugged off this attack. The Talos researchers made sure to point out that this doesnt mean that these devices are secure against this type of attack. Their work was intentionally low-budget, and its likely a more determined, well-funded attacker could overcome the rest of the devices.
But even if you just want to play around with this at home, with a little effort you can fool face and iris recognition yourself. And all this aside, you shouldnt have to use biometric information in place of passwords anyway.
Running Firefox or the Tor browser anywhere? Go update now, make sure you on 74.0.1 or better (or 68.6.1 if youre using Firefox ESR). There are a pair of use-after-free bugs that are being actively exploited. There arent many more details available at the moment, possibly because of related bugs that still need to be fixed. According to the researcher that found the bugs: There is still lots of work to do and more details to be published (including other browsers). Stay tuned.
On the Google side of the fence, the big news is that the new same-site cookies policy is being rolled back. The Chrome blog has a link to a great explainer of the potential problem with 3rd party cookies, and how the samesite policy changes can help.
A novel paper came across my digital desk this week (PDF) that introduces a new way to ask an old question: What secrets is this closed-source app hiding? Weve talked about backdoors, hard-coded passwords, and hidden administrator menus in the past. Most of the time, these are unintentional; bits of debugging code that were forgotten about and never removed. In the linked paper, a technique was developed to examine the input validation code of an app, looking for hidden hardcoded options.
For example, a 3rd party screen lock will take user input, and then make a system call to compare that input against the system password. If there is a string compare that happens before the expected system call, then there might be a secret backdoor password hard-coded into the app. In another example, a translation app had a secret menu, unlocked by entering a hardcoded key, where debugging tasks could be done, like disabling ads.
After scanning 150k Android apps, about 12k were discovered to have hardcoded backdoors, passwords, or debugging menus. In other words, just over 8% of the most popular Android apps have some suspicious behavior built-in.
Via Heise Online
Ahhh, theres not many things that satisfy quite like unboxing new hardware for the first time. You finally pulled the trigger on a new laptop, and now its ready to boot up for the first time. Many of us have a similar policy in these situations: Boot the laptop, uninstall the OEM bloatware. If that isnt your habit, then maybe[Bill Demirkapi]s research on HP bloatware will convince you.
Theres quite a bit here, but the most interesting attack chain, an RCE, takes advantage of some seemingly unrelated issues. The first is an open redirect on HPs site. This seem innocuous enough. https://ers.rssx.hp.com/ers/redirect?targetUrl=https://google.com” would automatically redirect you to Google. The second issue is an HP service that registers a custom URL protocol. That protocol downloads and runs or opens the downloaded file. Before starting the download, there is check run that this download is coming from an HP domain. The open redirect comes in handy here, as the redirect is followed after that domain check is performed. An official looking link can then trigger HPs update downloader, which then will automatically open a downloaded zip file. Yes, it requires two interactions to compromise, but is a clever chain nonetheless.
Yet another installment of our Coronavirus scamming story. This week well look at emails claiming to be from the US Small Business Administration (SBA).
I received this email Tuesday the 7th, and took a moment to realize it was a fake. The first giveaway is that the attachment is a .img, rather than a PDF or other image file. That disk image contains a SBA_Disaster_Application_Confirmation_Documents_COV_Relief_doc.exe executable. There are a few other tip-offs that this probably isnt a legitimate communication, like the spelling of centres and endeavour, using the British spellings. The last, and perhaps most obvious flaw, is that the date has already passed.
Hold on to your hats, because were about to speculate. You see, this email came in only a few hours after I filled out some online paperwork for an Economic Injury Disaster Loan, on the official SBA website. I very nearly fell for this, because the timing was so spot-on. It appears that the SBA is leaking information about grant applicants, and someone is using that leak to run a phishing campaign.
- To Gmail, Black Lives Matter emails are 'promotions' - The Next Web - July 5th, 2020
- Can the Dark Web Be Searched? Find Out How to Reach It - TechNadu - July 5th, 2020
- Tor Browser Download (2020 Latest) for Windows 10, 8, 7 - June 17th, 2020
- Tor Browser Review | PCMag - June 17th, 2020
- What is Tor? Everything you need to know about the anonymity network - The Daily Swig - June 17th, 2020
- Exposing the dark web coronavirus scammers - TechRepublic - June 17th, 2020
- Tor Browser Makes it Easier to Visit Mainstream Websites' .Onion Addresses - PCMag - June 7th, 2020
- Tor Browser 9.5 arrives with the option to automatically switch to more secure Onion versions of sites - BetaNews - June 7th, 2020
- The Dark Web Explained, and how to access it - Techjaja - June 7th, 2020
- Dark web is the underworld of cyberspace - MyRepublica - June 7th, 2020
- How to Track the Tech Thats Tracking You Every Day - Gizmodo Australia - June 7th, 2020
- What is the dark web? Your questions answered, in plain English - Naked Security - May 29th, 2020
- Ransomware that uses .onion websites - Ransomware Help & Tech Support - BleepingComputer - May 29th, 2020
- What is Tor? A beginner's guide to using the private browser - CNET - May 24th, 2020
- How to activate DNS-over-HTTPS in the latest version of Google Chrome - Komando - May 24th, 2020
- The Patriot Act and your privacy - Security Boulevard - May 24th, 2020
- Firefox zero day in the wild: patch now (Tor Browser too!) - Naked Security - April 11th, 2020
- IntSights: The dark web is a wretched hive of coronavirus scams and pandemic cybercrime - VentureBeat - April 11th, 2020
- What Is the Tor Browser & How To Use It In 2020 - Blokt - April 11th, 2020
- Tape the webcam, enable firewall: 11 rules to ensure cyber security when you work from home - Economic Times - April 11th, 2020
- Tails 4.5 Is Out: Run The Live Operating System With Secure Boot - Fossbytes - April 11th, 2020
- Apple blocks third-party cookies in Safari - ZDNet - March 26th, 2020
- Dark Web A cyber heaven of criminal activity - The Financial Express BD - March 26th, 2020
- Install the privacy-focused Tor Browser on your Chromebook in 4 simple steps - Chrome Unboxed - March 24th, 2020
- NetAbstraction Announces Support for Private and Secure Access to the Dark Web #48955 - New Kerala - March 24th, 2020
- Tails 4.4 has been released with new Tor Browser version - Neowin - March 14th, 2020
- Want to browse the web privately? Heres how to do it for real - Yahoo Tech - March 14th, 2020
- 17 things you can buy on the Dark Web - MyBroadband - March 14th, 2020
- 3 ways to browse the web anonymously - We Live Security - January 27th, 2020
- What is a Bitcoin mixer and how does it work? - CryptoTicker - January 27th, 2020
- Digital surveillance threats for 2020 - The Star, Kenya - January 18th, 2020
- Teejayx6 Will Steal Your Identityand Rap About It - WIRED - December 2nd, 2019
- Such as the struggle of the Venezuelan economy, some residents turn to a lucrative gig: Cybercrime - Herald Journalism 24 - December 2nd, 2019
- Smart users guide to the snooping game - Livemint - November 17th, 2019
- Privacy on your smartphone: how to protect your data - AndroidPIT - November 17th, 2019
- BBC News heads to the dark web with new Tor mirror - The Verge - October 27th, 2019
- The Tor Project releases Tor Browser 9.0 with several UX improvements - Neowin - October 27th, 2019
- Fraudulent Tor Browser Spies and Has Been Stealing The Bitcoins - GoodTime Nation - October 27th, 2019
- OnionShare Lets Anyone Host Anonymous Sites on the Dark Web - BleepingComputer - October 16th, 2019
- #SecTorCa: Millions of Phones Leaking Information Via Tor - Infosecurity Magazine - October 16th, 2019
- Is there anything we can do to stop someone spying on us? - Newstalk 106-108 fm - August 25th, 2017
- If you're really concerned about browser security, Incognito isn't enough - TechRepublic - August 20th, 2017
- The Daily Stormer has lost its lease, accessible only via Tor browser - The Moderate Voice - August 20th, 2017
- Tor Project 'disgusted' by Daily Stormer, defends software ethos - CNET - August 18th, 2017
- Neo-Nazi site Daily Stormer resurfaces with Russian domain following Google and GoDaddy bans - Vox - August 16th, 2017
- Tor Browser 7.0.4 Download - TechSpot - August 14th, 2017
- Debian-Based Tails 3.1 Anonymous OS Debuts with Tor Browser 7.0.4, Linux 4.9.30 - LXer (press release) - August 11th, 2017
- Tails 3.1 has been released but you'll need to do a manual upgrade - Neowin - August 10th, 2017
- China and Russia go further in squelching Internet freedom - Washington Post - August 10th, 2017
- The FBI Booby-Trapped a Video to Catch a Suspected Tor ... - Motherboard - August 9th, 2017
- Major Improvements Are Coming Soon to the Tor Browser - The Merkle - August 8th, 2017
- The Attack on Global Privacy Leaves Few Places To Turn - WIRED - August 4th, 2017
- Tor Co-Founder: There Is No Dark Web The Merkle - The Merkle - August 3rd, 2017
- Online privacy protection - Choice - CHOICE - August 2nd, 2017
- There Is Basically No Dark Web. It's Only A Few Webpages TOR Co-founder - Fossbytes - July 31st, 2017
- How to Install Tor Browser for Mac and Protect Your Online Activity - iDrop News - July 29th, 2017
- How to get around an ISP blocking a website - MyBroadband - July 26th, 2017
- Don't blame online anonymity for dark web drug deals. - Slate Magazine (blog) - July 26th, 2017
- Tor network will pay you to hack it through new bug bounty program ... - ZDNet - July 21st, 2017
- Tor Project to launch public bug bounty project - CIO Dive - July 21st, 2017
- How to access the dark web - The Daily Dot - July 20th, 2017
- Your Mailman Is a Drug Dealer. He Just Doesn't Know It. - WNYC - July 20th, 2017
- Want porn? Prove your age (or get a VPN) Naked Security - Naked Security - July 20th, 2017
- Suspected AlphaBay founder dies in Bangkok jail after shutdown of online black market - Washington Post - July 19th, 2017
- S. Sudan blocks Sudan Tribune website over hostile coverage - Sudan Tribune - July 19th, 2017
- Assassins and child porn; a darknet offers everything - The Slovak Spectator - July 19th, 2017
- Apple users warned of dangerous new Mac malware that steals banking credentials - ThaiVisa News - July 18th, 2017
- The best security apps to lock down your Android phone - The Daily Dot - July 14th, 2017
- Mozilla is held to a higher standard - Ghacks Technology News - July 14th, 2017
- Privacy blunder? Firefox's Get Add-ons page uses Google Analytics - Ghacks Technology News - July 13th, 2017
- Russia, China vow to kill off VPNs, Tor browser - The Register - July 11th, 2017
- How to safely search the deep web - The Age - The Age - July 11th, 2017
- ACLU's Gillmor on privacy: 'We pay for what we value' (Q&A) - The Parallax (blog) - July 10th, 2017
- What is Tor browser, and is it safe? | Komando.com - July 7th, 2017
- Darknet 101: Your guide to the badlands of the internet - CNET - CNET - July 5th, 2017
- In Reporting on North Korea, Tech Helps Break Through Secrecy - New York Times - July 5th, 2017
- How to safely search the deep web - The Sydney Morning Herald - July 5th, 2017
- TOR Browser - darkwebnews.com - July 5th, 2017