You were promised Zoom news last week, but due to a late night of writing, that story was delayed to this week. So whats the deal with Zoom? Google, SpaceX, and even the government of Taiwan and the US Senate have banned Zoom. You may remember our coverage of Zoom from nearly a year ago, when Apple forcibly removed the Zoom service from countless machines. The realities of COVID-19 have brought about an explosion of popularity for Zoom, but also a renewed critical eye on the platforms security.
Zoombombing, joining a Zoom meeting uninvited, made national headlines as a result of a few high profile incidents. The US DOJ even released a statement about it. Those incidents seem to have been a result of Zoom default settings: no meeting passwords, no waiting room, and meeting IDs that persist indefinitely. A troll could simply search google for Zoom links, and try connecting to them until finding an active meeting. Ars ran a great article on how to avoid getting zoombombed (thanks to Sheldon for pointing this out last week).
There is another wrinkle to the Zoom story. Zoom is technically an American company, but its Chinese roots put it in a precarious situation. Recently its been reported that encryption keying is routed through infrastructure in China, even though the calling parties are elsewhere. In some cases, call data itself goes through Chinese infrastructure, though that was labeled as a temporary bug. Zoom was also advertising its meetings as having end-to-end encryption. That claim was investigated, and discovered to be false. All meetings get decrypted at Zoom servers, and could theoretically be viewed by Zoom staff.
Why does it matter? Is this just anti-Chinese rhetoric? Well, no. When a service like Zoom is hosted on a server in a given country, that service is subject to that countrys laws. China has a rather dismal history of abusing communications infrastructure to spy on and persecute its own citizens. (I am aware that the US has a dismal history there as well. Im not excited about my conversations being in the clear on a US server, either.) While thats not necessarily a huge problem for a school doing distance learning, government leaders should probably avoid holding cabinet meetings over the service.
Its a Hollywood trope at this point. Our hero has to infiltrate the super secret organization, and to get in, he has to defeat a fingerprint scanner. No problem, the hero has lifted a fingerprint earlier in the movie, and with a bit of ingenuity, fools the fingerprint scanner. Thats just the movies, and real fingerprint readers are more secure, right? Well, the Talos group at Cisco put the myth to the test. They used a 25 micron UV 3d printer to make a series of molds, and then tried different materials to cast the fake prints. A fabric glue seemed to work the best, as it was able to fool capacitive sensors as well as visual.
A mold could be calculated and printed in an hour in 25-micron resolution. There is some additional time for the cast itself to set, and they conclude that the attack isnt something that can be performed quickly.
Phones seemed to fare the worst, with a success rate somewhere around 80%. Of particular interest is the devices that were difficult to compromise. Interestingly, Windows Hello, a part of Windows 10, was entirely resilient to their attacks. The Talos researchers suggest that the key here is the comparison algorithm used to compare the scanned fingerprints. Another winner was the pair of USB keys that use a fingerprint scanner to unlock the stored data. Those keys also shrugged off this attack. The Talos researchers made sure to point out that this doesnt mean that these devices are secure against this type of attack. Their work was intentionally low-budget, and its likely a more determined, well-funded attacker could overcome the rest of the devices.
But even if you just want to play around with this at home, with a little effort you can fool face and iris recognition yourself. And all this aside, you shouldnt have to use biometric information in place of passwords anyway.
Running Firefox or the Tor browser anywhere? Go update now, make sure you on 74.0.1 or better (or 68.6.1 if youre using Firefox ESR). There are a pair of use-after-free bugs that are being actively exploited. There arent many more details available at the moment, possibly because of related bugs that still need to be fixed. According to the researcher that found the bugs: There is still lots of work to do and more details to be published (including other browsers). Stay tuned.
On the Google side of the fence, the big news is that the new same-site cookies policy is being rolled back. The Chrome blog has a link to a great explainer of the potential problem with 3rd party cookies, and how the samesite policy changes can help.
A novel paper came across my digital desk this week (PDF) that introduces a new way to ask an old question: What secrets is this closed-source app hiding? Weve talked about backdoors, hard-coded passwords, and hidden administrator menus in the past. Most of the time, these are unintentional; bits of debugging code that were forgotten about and never removed. In the linked paper, a technique was developed to examine the input validation code of an app, looking for hidden hardcoded options.
For example, a 3rd party screen lock will take user input, and then make a system call to compare that input against the system password. If there is a string compare that happens before the expected system call, then there might be a secret backdoor password hard-coded into the app. In another example, a translation app had a secret menu, unlocked by entering a hardcoded key, where debugging tasks could be done, like disabling ads.
After scanning 150k Android apps, about 12k were discovered to have hardcoded backdoors, passwords, or debugging menus. In other words, just over 8% of the most popular Android apps have some suspicious behavior built-in.
Via Heise Online
Ahhh, theres not many things that satisfy quite like unboxing new hardware for the first time. You finally pulled the trigger on a new laptop, and now its ready to boot up for the first time. Many of us have a similar policy in these situations: Boot the laptop, uninstall the OEM bloatware. If that isnt your habit, then maybe[Bill Demirkapi]s research on HP bloatware will convince you.
Theres quite a bit here, but the most interesting attack chain, an RCE, takes advantage of some seemingly unrelated issues. The first is an open redirect on HPs site. This seem innocuous enough. https://ers.rssx.hp.com/ers/redirect?targetUrl=https://google.com” would automatically redirect you to Google. The second issue is an HP service that registers a custom URL protocol. That protocol downloads and runs or opens the downloaded file. Before starting the download, there is check run that this download is coming from an HP domain. The open redirect comes in handy here, as the redirect is followed after that domain check is performed. An official looking link can then trigger HPs update downloader, which then will automatically open a downloaded zip file. Yes, it requires two interactions to compromise, but is a clever chain nonetheless.
Yet another installment of our Coronavirus scamming story. This week well look at emails claiming to be from the US Small Business Administration (SBA).
I received this email Tuesday the 7th, and took a moment to realize it was a fake. The first giveaway is that the attachment is a .img, rather than a PDF or other image file. That disk image contains a SBA_Disaster_Application_Confirmation_Documents_COV_Relief_doc.exe executable. There are a few other tip-offs that this probably isnt a legitimate communication, like the spelling of centres and endeavour, using the British spellings. The last, and perhaps most obvious flaw, is that the date has already passed.
Hold on to your hats, because were about to speculate. You see, this email came in only a few hours after I filled out some online paperwork for an Economic Injury Disaster Loan, on the official SBA website. I very nearly fell for this, because the timing was so spot-on. It appears that the SBA is leaking information about grant applicants, and someone is using that leak to run a phishing campaign.
More here:
This Week In Security: Zoom (Really This Time), Fingerprints, And Bloatware - Hackaday
- Tor Browser Has a New WebTunnel Feature to Avoid Censorship - How-To Geek - March 14th, 2024 [March 14th, 2024]
- The CIA Is Now Trying to Recruit Russian Spies On Telegram - TIME - May 18th, 2023 [May 18th, 2023]
- Dark Web Alerts: Identifying Criminal Data Exposure on the Dark Web - Security Boulevard - May 18th, 2023 [May 18th, 2023]
- Mullvad aces security audit with this new privacy tool - TechRadar - May 18th, 2023 [May 18th, 2023]
- Billions of Google Chrome users warned to avoid browser over red alert privacy concerns check your sett... - The US Sun - May 18th, 2023 [May 18th, 2023]
- How the decision on Space Command's home will be made - POLITICO - May 18th, 2023 [May 18th, 2023]
- Bitcoin Mixers: Clearnet vs. Darknet Which Offers Greater Anonymity? - Crypto Mode - April 27th, 2023 [April 27th, 2023]
- Matt Taibbi: Report on the Censorship-Industrial Complex - Scheerpost.com - April 27th, 2023 [April 27th, 2023]
- The Ultimate 2023 Guide to The Tor Browser Explained - Pixel Privacy - January 31st, 2023 [January 31st, 2023]
- What is Tor & How Do You Use It? Microsoft 365 - January 17th, 2023 [January 17th, 2023]
- Improving privacy when browsing web: Alternative browsers and chrome extensions - HackRead - October 19th, 2022 [October 19th, 2022]
- Tor Browser Bundle - Free download and software reviews - CNET Download - October 11th, 2022 [October 11th, 2022]
- Hacktivists seek to aid Iran protests with cyberattacks and tips on how to bypass internet censorship - CNBC - October 11th, 2022 [October 11th, 2022]
- This security firm claims to have the right tool for your privacy, and it's not a VPN - TechRadar - September 15th, 2022 [September 15th, 2022]
- A VPN Isn't the Only Way to Change Your IP Address - CNET - September 11th, 2022 [September 11th, 2022]
- Hi, I'll be your ransomware negotiator today but don't tell the crooks that - The Register - August 6th, 2022 [August 6th, 2022]
- Rewards for Justice Reward Offer for Information on Russian Interference in U.S. Elections - United States Department of State - Department of State - July 29th, 2022 [July 29th, 2022]
- How Tor Is Fightingand BeatingRussian Censorship - WIRED - July 29th, 2022 [July 29th, 2022]
- What Is Incognito Mode And Should You Be Using It? - Forbes - July 29th, 2022 [July 29th, 2022]
- TOR Browser - Onion VPN on the App Store - July 17th, 2022 [July 17th, 2022]
- Tor Browser now bypasses internet censorship automatically - BleepingComputer - July 17th, 2022 [July 17th, 2022]
- The dangers of the dark web: being safe online - Open Access Government - July 13th, 2022 [July 13th, 2022]
- Tor vs VPN: Which One Should You Use? - Dignited - June 30th, 2022 [June 30th, 2022]
- Rewards for Justice Offers Up to $10 Million for Information on Foreign Interference in US Elections - HS Today - HSToday - June 30th, 2022 [June 30th, 2022]
- Kremlin tightens control over Russians' online lives threatening domestic freedoms and the global internet - Jacksonville Journal-Courier - June 30th, 2022 [June 30th, 2022]
- Defence in Amanda Todd 'sextortion' trial zeroes in on missing data - The Tri-City News - June 30th, 2022 [June 30th, 2022]
- Now that 'Roe' has been overturned, it's up to the tech industry to protect our data - Fast Company - June 30th, 2022 [June 30th, 2022]
- QAnon Is Celebrating the Return of Its Leader After 18 Months of Silence - VICE - June 30th, 2022 [June 30th, 2022]
- 3 ways to find out if your passwords are being sold on the Dark Web - Komando - June 22nd, 2022 [June 22nd, 2022]
- EXPLAINER: EFCC 'Linked Naira Marley to the Dark Web'. Here's What You Need to Know About the Internet's Most Hidden Part - FIJ NG - June 11th, 2022 [June 11th, 2022]
- What is the Dark Web? - AOL - May 28th, 2022 [May 28th, 2022]
- Cookie Banners Can Be AnnoyingHere's How To Block Them - WRAL News - May 28th, 2022 [May 28th, 2022]
- DuckDuckGo tries to explain why its browsers won't block some Microsoft web trackers - The Register - May 28th, 2022 [May 28th, 2022]
- Proton VPN Secure Core: what it is and when you should use it - TechRadar - May 28th, 2022 [May 28th, 2022]
- How to Download & Install Tor Browser in Windows 10 - May 7th, 2022 [May 7th, 2022]
- How to Unblock a Webpage from Behind a Firewall - Beebom - May 7th, 2022 [May 7th, 2022]
- Download Tor Browser For Windows & MAC (Offline Installer) - May 1st, 2022 [May 1st, 2022]
- Tor Browser - Dark Web Portal Exposed | Dark Web Wiki - May 1st, 2022 [May 1st, 2022]
- Top 10 dark web links & Tor websites for 2022 - Surfshark - May 1st, 2022 [May 1st, 2022]
- How to Install the Tor Browser on a Chromebook - May 1st, 2022 [May 1st, 2022]
- How to Anonymous access to the dark web with Tor - BollyInside - May 1st, 2022 [May 1st, 2022]
- How to Change the Tor Browser Language - How-To Geek - April 29th, 2022 [April 29th, 2022]
- Bites of Life: Shining Light on the Dark Web - Macalester College The Mac Weekly - April 29th, 2022 [April 29th, 2022]
- How to protect against the weakest link in cybersecurity THE USERS - Security Boulevard - April 29th, 2022 [April 29th, 2022]
- What Is Dark Social and Why It Matters - Legal Talk Network - April 29th, 2022 [April 29th, 2022]
- IP bans - why they happen and how to prevent them - Oneindia - April 29th, 2022 [April 29th, 2022]
- Deep Web Tor Browser - Tor Links - Onion Links (2022) - April 20th, 2022 [April 20th, 2022]
- How to Install and Use the Tor Browser on Linux - April 20th, 2022 [April 20th, 2022]
- The Best VPN for Binance 2022 [How to Use Binance With a VPN] - Cloudwards - April 20th, 2022 [April 20th, 2022]
- Three tactics for security providers in the age of Dark Web collaboration - SecurityInfoWatch - April 20th, 2022 [April 20th, 2022]
- Simple way to Install Tor Browser in Rocky Linux 8 - Linux Shout - March 17th, 2022 [March 17th, 2022]
- Laptop in Veltman apartment had what appeared to be 'hate-related material': docs - Lethbridge News Now - March 17th, 2022 [March 17th, 2022]
- How to Access Blocked Websites anywhere and for Free - BollyInside - March 17th, 2022 [March 17th, 2022]
- Download Tor Browser for Mac - Free - 10.0 - Digital Trends - March 11th, 2022 [March 11th, 2022]
- Open in Tor Browser Get this Extension for Firefox (en-US) - March 11th, 2022 [March 11th, 2022]
- Use Brave Private Browsing with Tor to Hide IP Address - OSXDaily - February 21st, 2022 [February 21st, 2022]
- Are Crypto Transactions More Transparent Than Wire Transfers? - InvestingCube - February 21st, 2022 [February 21st, 2022]
- The Truth about Dark Web Is It Really Dangerous? - Crypto Mode - February 21st, 2022 [February 21st, 2022]
- Tech-Savvy Professionals Among 22 Arrested In Dark Web Narcotics Operation - NDTV - February 15th, 2022 [February 15th, 2022]
- Download Tor Browser for Windows - Free - 11.0.3 - February 1st, 2022 [February 1st, 2022]
- Tor Project heads to Russian court to appeal against censorship - The Daily Swig - February 1st, 2022 [February 1st, 2022]
- Firefox Monitor may remove personal information now from the Internet - Ghacks Technology News - December 9th, 2021 [December 9th, 2021]
- The Real Russia. Today. Reining in an unruly Communist Party Meduza - Meduza - December 9th, 2021 [December 9th, 2021]
- See the stunning mansion Josh Duggar is calling home during his child pornography trial ahead of possible... - The US Sun - December 9th, 2021 [December 9th, 2021]
- Whats the Difference Between the Deep Web and the Dark Web? - How-To Geek - December 9th, 2021 [December 9th, 2021]
- How to Access the Dark Web Complete Guide? - The Bulletin Time - December 7th, 2021 [December 7th, 2021]
- Theres More to Threat Intelligence Than Dark Web Monitoring - Security Boulevard - November 25th, 2021 [November 25th, 2021]
- You have to work on this through the routeras options diet plan, as some items immediately restore previous setup after a forced reboot - ADOTAS - November 25th, 2021 [November 25th, 2021]
- What is Tor (Browser) & How does it work? | CyberNews - November 23rd, 2021 [November 23rd, 2021]
- Privacy-Protective Internet Browser Tor Is Running Low on Servers - Gizmodo - November 23rd, 2021 [November 23rd, 2021]
- Yes, the Internet has become safer but a VPN is still needed - TechGenix - November 19th, 2021 [November 19th, 2021]
- Scots businessman caught with the 'most serious' category of child abuse images jailed - Scottish Daily Record - November 19th, 2021 [November 19th, 2021]
- Anna and Josh Duggar welcomed daughter Madyson Lily on October 23, their 7th child * starcasm.net - Starcasm - November 17th, 2021 [November 17th, 2021]
- Tor Browser (Alpha) 11.0.9 Download | TechSpot - November 5th, 2021 [November 5th, 2021]
- US government offers $10 million bounty for information on Colonial Pipeline hackers - The Verge - November 5th, 2021 [November 5th, 2021]
- The Tor Browser: What is it and why would you use it ... - October 24th, 2021 [October 24th, 2021]
- Tor Explained: What is Tor? How Does It Work? Is It Illegal? - October 21st, 2021 [October 21st, 2021]
- Alternatives to Using a VPN That Provided Excellent Anonymity While Online - TechBullion - October 21st, 2021 [October 21st, 2021]
- Slicing open The Onion Router (Tor) with no tears - ComputerWeekly.com - October 19th, 2021 [October 19th, 2021]
- What is the dark web? - fox4kc.com - October 19th, 2021 [October 19th, 2021]