Researcher warns the highly-rated Kasa family of security cameras has bugs that give hackers access to private video feeds and settings.
A California man has been put behind bars for his role in an identity theft scheme that victimized thousands of US veterans and service members.
Trorice Crawford pleaded guilty on December 5 last year to one count of conspiracy to launder monetary instruments. The 32-year-old San Diego resident admitted conspiring with US citizen Robert Wayne Boling Jr. and others to steal millions of dollars between May 2017 and July 2019.
Crawford hired at least 30 people to act as money mules, paying them to receive funds stolen from current and former military personnel into their bank accounts.
Unauthorized transfers from victims’ accounts ranged from $8,000 to $13,000 on average, with Crawford keeping a cut from each transaction. Crawford also oversaw the transmission of stolen funds to Boling and others in the Philippines via international money remittance services.
A federal judge in San Antonio yesterday sentenced Crawford to 46 months in federal prison. Chief US District Judge Orlando Garcia ordered Crawford to pay $103,700 in restitution and be placed on a three-year period of supervised release after completing his prison term.
Crawford’s co-defendant, Frederick Brown, pleaded guilty to charges in connection with the identity theft scheme in October 2019 and will be sentenced on September 17. The 38-year-old used his former position as a civilian medical records administrator for the US Army to steal the personal identifying information (PII) of thousands of military members.
Brown admitted using his cell phone to capture members’ names, Social Security numbers, DOD ID numbers, dates of birth, and contact information while being logged into the Armed Forces Health Longitudinal Technology Application.
The Las Vegas resident further confessed to handing over the stolen PII to Boling and his Philippines-based co-defendants, Australian Allan Albert Kerr and South Korean Jongmin Seok, so that they could use it to access Department of Defense and Veterans Affairs benefits sites and steal millions of dollars.
According to the federal grand jury indictment, Boling, Kerr, and Seok used the stolen data to compromise a Department of Defense portal designed to let military members access benefits information online.
The trio are charged with multiple counts of conspiracy, wire fraud, and aggravated identity theft. Measures are being taken to extradite them from the Philippines to Texas.
A platform created by the SANS Institute to teach core cybersecurity skills is now available to students and young adults across the Middle East and Africa.
CyberStart Game provides a gamified learning experience that can be used in the classroom or accessed at home. The fully online platform is designed to teach complex security concepts through self-guided exploration and investigation rather than traditional classroom instruction.
Users can access over 200 different challenges via the platform, working through each one at a pace dictated by their own schedule and ability. Built-in clues, tips, and video hints help students who get stuck to complete a challenge.
CyberStart Game was created by SANS Institute CTO James Lyne, who based each challenge on historical real-world cyber-attacks, security breaches, and other cybersecurity scenarios.
SANS Institute has opened up the platform to students and young adults in Africa and the Middle East as part of an ongoing emphasis on online learning and because of the heightened cybersecurity threat level during the current global health pandemic.
Ned Baltagi, Managing Director, Middle East & Africa at SANS Institute, said: “Global communities and their families including school- and university-going students are now in a shelter-at-home position. On the flip side, threat actors are increasing their activities, using advanced social engineering phishing techniques to lure online workers to malicious sites and possible ransomware attacks.”
Baltagi believes that through playing CyberStart, youngsters can acquire valuable cyber-self-defense skills that will help protect them while online.
“At this stage, CyberStart Game is the most appropriate and suitable platform to build awareness of cyber security skills for young adults, who may encounter these threats as they move to the next level of their career or device usage,” he said.
SANS Institute is offering CyberStart Game Education and Enterprise packages that include flexible access for students and teachers. No prior cybersecurity expertise is required to play the game or teach others how to play it.
“We will help schools, universities and organizations in the Middle East and Africa to find the right option for them,” said Baltagi.
A hobby farmer on the hunt for a vegetable-eating critter has discovered a flaw in a popular outdoor home security camera.
Midwesterner Jason Kent purchased a Kasa camera to help identify whatever creature it was that had been eating his cucumber plants. In addition to uncovering the antics of a groundhog, Kent was alarmed to discover an account takeover (ATO)/credential stuffing vulnerability in the security device.
Kent said: “Upon installation I realized the mobile application was connecting directly over the network to the camera, and if I wasn’t on the network, I still could see the images from my camera on the mobile app. As a security professional, this concerned me.”
Kent, who is hacker-in-residence at Cequence Security, said the cybersecurity flaw he found in the device could allow a bad actor to spy on a user’s home and change the camera’s settings.
“This API vulnerability makes it easier for a cyber-criminal to take over someone’s Kasa camera account and then use that access to change passwords, modify camera settings, view private security footage or use it to surreptitiously snoop on a user’s home,” he said.
Through further investigation, Kent discovered that although the Kasa mobile application uses SSL, the certificate isn't pinned, so the app will trust any certificate the device's trust store accepts, including one from an intercepting proxy. This made it “easy to open it up and look at the transactions.”
“I also found that the authentication is simply BASE64 encoded username:password being passed under SSL,” said Kent.
“Security best practices dictate that the application should hash under the SSL rather than encoding, and this reiterates the value of pinning the certificate.”
Of equal concern to Kent was the finding that authentication to the web platform returned “very verbose” API error messages that included phrases such as “password incorrect.” Because such a response confirms that the account exists, Kent posits that it could leave users who set up their email address as their username open to account enumeration and credential stuffing.
Kent reported his concerns to TP-LINK, parent company of the Kasa brand, in March 2020. On June 15, the company said that the vulnerability he found would be fixed. At the time of publication, the flaw had still not been remedied.
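To make the two findings concrete, here is an added example (my own Python, not Kent's or TP-Link's code; the account store, salt and usernames are constructed for the demo). It shows how a Basic Authorization header yields the plaintext password to anyone who can read the traffic, and contrasts a login handler that answers “user not found” / “password incorrect” with one that returns a single generic message, using a small enumeration probe to show what each leaks.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed account store for this example (not Kasa's data): username -> PBKDF2 hash.
# A single fixed salt keeps the demo short; a real store uses a random salt per account.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


ACCOUNTS = {"alice@example.com": _hash("correct horse battery")}
_DUMMY = _hash("placeholder")  # compared against when the username is unknown


def make_basic_header(user: str, pw: str) -> str:
    """Build the HTTP Basic Authorization header a client like the one described sends."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def decode_basic_auth(header: str) -> tuple[str, str]:
    """Recover username and password from a Basic header.

    Base64 is an encoding, not encryption. Anyone who can read the request, for
    instance through an intercepting proxy whose CA the unpinned app trusts, gets
    the plaintext credentials with this one call.
    """
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pw = base64.b64decode(blob).decode().partition(":")
    return user, pw


def login_verbose(user: str, pw: str) -> tuple[int, str]:
    """Models the verbose behaviour Kent describes: the wording of the failure
    reveals whether the username exists, which is all an enumeration attack needs."""
    if user not in ACCOUNTS:
        return 401, "user not found"
    if not hmac.compare_digest(ACCOUNTS[user], _hash(pw)):
        return 401, "password incorrect"
    return 200, "ok"


def login_generic(user: str, pw: str) -> tuple[int, str]:
    """Hardened variant: one status and one message for every failure, and the
    password hash is still computed for unknown users so response time does not
    become a second oracle."""
    stored = ACCOUNTS.get(user, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(pw)) and user in ACCOUNTS
    return (200, "ok") if ok else (401, "invalid credentials")


def enumerate_users(login, candidates: list[str]) -> set[str]:
    """Attacker side: probe each candidate with a throwaway password and keep those
    the server's wording confirms as real accounts. Against login_generic the
    message never changes, so nothing is learned."""
    found = set()
    for user in candidates:
        _, message = login(user, "wrong-" + secrets.token_hex(4))
        if message == "password incorrect":
            found.add(user)
    return found


if __name__ == "__main__":
    header = make_basic_header("alice@example.com", "correct horse battery")
    print("recovered from Basic header:", decode_basic_auth(header))
    probes = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("verbose endpoint leaks:", enumerate_users(login_verbose, probes))
    print("generic endpoint leaks:", enumerate_users(login_generic, probes))
```

The generic handler deliberately hashes the supplied password even when the username is unknown; returning early on an unknown user would make the rejection measurably faster and reintroduce the oracle through timing rather than wording. Pinning the certificate addresses the first finding, by denying an interposed proxy the ability to read the header in the first place.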
UK businesses have been slow to move to the cloud because of concerns over data loss and compliance breaches, according to the 2020 UK Veritas Databerg Report. It found that just 47% of corporate data is currently stored in the cloud, even though IT decision makers surveyed for the previous Databerg report, back in 2015, had predicted that 43% would be held in the cloud within 12 months.
The study revealed that fears about data loss and compliance breaches have replaced the reservations organizations had about cloud adoption in 2015: whereas 77% highlighted security as a challenge to cloud adoption in 2015, only 59% do today, and concerns over the unpredictability of the cloud fell from 49% in 2015 to 21% in 2020.
Another finding from the report was that just 19% of enterprise data is regarded as usable and business critical, whereas 28% is redundant, obsolete or trivial (ROT). Additionally, 53% is considered dark, i.e. stored without knowledge of what it is or its value.
Jasmit Sagoo, UK & Ireland CTO at Veritas Technologies, commented: “Businesses have negotiated the cloud challenges of 2015, but old fears are being replaced by new ones – and these need to be overcome if companies are going to meet their transformational goals. Concerns around cloud security and unpredictability may have been resolved, but they have been replaced by fear of data loss and compliance breaches, 55% and 54% respectively. This is understandable, given the wider data challenges that organizations often have, many of which can be exacerbated by a multi-cloud strategy.”
Nevertheless, the IT decision makers surveyed expect cloud adoption to increase well above the current rate within the next year, predicting that 64% of enterprise data will be stored in the cloud over the coming 12 months.
Reducing IT costs remains the key driver of cloud adoption, cited by 66% of businesses, according to the report.
Google has updated its advertising policy to effectively ban stalkerware from its pages.
The tech giant announced the move in an update to its Enabling Dishonest Behavior policy. Although it didn’t mention the category by its more commonly known name, the firm said it will “prohibit the promotion of products or services that are marketed or targeted with the express purpose of tracking or monitoring another person or their activities without their authorization.”
Stalkerware is a type of monitoring tool downloaded secretly to a victim’s device, where it spies on their communications, location, photos and web browsing.
It’s commonly marketed by developers as a way for parents to monitor their children, or for adults to check whether their partners are having an affair. In reality, it is all-too-often used by domestic abusers, stalkers and violent ex-partners.
Google made it clear that the new policy doesn’t apply to “private investigation services” or tools designed to help parents monitor underage children.
The advertising ban will apply to the following:
“Spyware and technology used for intimate partner surveillance including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history; GPS trackers specifically marketed to spy or track someone without their consent; promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.”
Figures released by Kaspersky in March this year to coincide with International Women’s Day revealed that the number of victims targeted by stalkerware jumped 91% in the UK from 2018 to 2019, while the global figure was 67%.
Although the AV vendor detected 67,500 cases worldwide over the period, this is likely to be just the tip of the iceberg.
In fact, Avast research has revealed a sharp rise in downloads following COVID-19 lockdowns. It claimed that installations of stalking apps in the UK rose 83% from March onwards compared with January and February figures.
The new Google policy will come into force on August 11.
Zoom is scrambling to fix another zero-day vulnerability in its Windows client, this time potentially leading to arbitrary remote code execution.
Acros Security CEO, Mitja Kolsek, revealed the news in a blog post, claiming that the researcher who found the bug did not want to disclose it to the vendor or a third-party broker, “but would not object to us reporting it to Zoom.”
“We analyzed the issue and determined it to be only exploitable on Windows 7 and older Windows systems. While Microsoft’s official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft’s Extended Security Updates or with 0patch,” he explained.
“We then documented the issue along with several attack scenarios, and reported it to Zoom earlier today along with a working proof of concept and recommendations for fixing. Should a bug bounty be awarded by Zoom, it shall be waived in favor of a charity of researcher’s choice.”
Acros Security’s 0patch offering provides “micropatches” to running processes without the need for administrators to restart these processes.
The firm has decided to provide these patches for free to anyone who downloads the 0patch Agent. They will automatically become obsolete as soon as Zoom releases an update to fix the vulnerability, it said.
No technical details of the zero-day are available at present. Zoom did, however, send a brief statement to Infosecurity.
“Zoom takes all reports of potential security vulnerabilities seriously,” it noted. “Yesterday morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it.”
Zoom has been on a hiring spree of late in a bid to ramp up its security credentials. Most recently it announced Salesforce SVP of security operations, Jason Lee, as its new CISO.
The video conferencing firm has also signed up former Facebook CSO Alex Stamos as an advisor, Luta Security as a new partner to help rebuild its bug bounty program, Johns Hopkins cryptography expert Matthew Green, former Google privacy technology lead Lea Kissner, and cybersecurity consultancy NCC Group.