The U.K.-based security company NCC Group and consumer advocacy group Which? have found vulnerabilities in 11 "smart" doorbells sold on popular platforms like Amazon and eBay. CyberScoop reports: One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network. The investigation focused on doorbells made by often obscure vendors, but which nonetheless earned top reviews and featured prominently on Amazon and eBay. The researchers raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell's camera, on insecure servers. One device made by a company called Victure, for example, sent a user's wireless name and password, unencrypted, to servers in China, according to the researchers. In a statement, Amazon said it requires products sold on its site to be compliant with applicable laws and regulations, and that it has tools to detect "unsafe or non-compliant products from being listed in our stores." eBay said it takes down listings that violate its safety standards, but that the devices flagged by the researchers did not meet that threshold. Victure did not immediately respond to a request for comment. The NCC Group-Which? team said they tried to contact the various vendors of the vulnerable smart doorbells, with mixed success. The unnamed vendor of one device, for example, removed an online listing for the product after the researchers shared their findings.

Read more of this story at Slashdot.

Bernard Meyer, reporting for CyberNews: In a collaboration between CyberNews Sr. Information Security Researcher Mantas Sasnauskas and researchers James Clee and Roni Carta, suspicious backdoors have been discovered in a Chinese-made Jetstream router, sold exclusively at Walmart as their new line of "affordable" wifi routers. This backdoor would allow an attacker the ability to remotely control not only the routers, but also any devices connected to that network. CyberNews reached out to Walmart for comment and to understand whether they were aware of the Jetstream backdoor, and what they plan to do to protect their customers. After we sent information about the affected Jetstream device, a Walmart spokesperson informed CyberNews: "Thank you for bringing this to our attention. We are looking into the issue to learn more. The item in question is currently out of stock and we do not have plans to replenish it." Besides the Walmart-exclusive Jetstream router, the cybersecurity research team also discovered that low-cost Wavlink routers, normally sold on Amazon or eBay, have similar backdoors. The Wavlink routers also contain a script that lists nearby wifi and has the capability to connect to those networks. We have also found evidence that these backdoors are being actively exploited, and there's been an attempt to add the devices to a Mirai botnet. Mirai is malware that infects devices connected to a network, turns them into remotely controlled bots as part of a botnet, and uses them in large-scale attacks. The most famous of these is the 2016 Dyn DNS cyberattack, which brought down major websites like Reddit, Netflix, CNN, GitHub, Twitter, Airbnb and more.

Read more of this story at Slashdot.

An anonymous reader quotes a report from ZDNet: A team of academics has detailed this week novel research that converted a smart vacuum cleaner into a microphone capable of recording nearby conversations. Named LidarPhone, the technique works by taking the vacuum's built-in LiDAR laser-based navigational component and converting it into a laser microphone. [...] They tested the LidarPhone attack with various objects, by varying the distance between the robot and the object, and the distance between the sound origin and the object. Tests focused on recovering numerical values, which the research team said they managed to recover with a 90% accuracy. But academics said the technique could also be used to identify speakers based on gender or even determine their political orientation from the music played during news shows, captured by the vacuum's LiDAR. But while the LidarPhone attack sounds like a gross invasion of privacy, users need not panic for the time being. This type of attack revolves around many prerequisites that most attacks won't bother. There are far easier ways of spying on users than overwriting a vacuum's firmware to control its laser navigation system, such as tricking the user on installing malware on their phone. The LidarPhone attack is merely novel academic research that can be used to bolster the security and design of future smart vacuum robots. In fact, the research team's main recommended countermeasure for smart vacuum cleaning robot makers is to shut down the LiDAR component if it's not rotating. Additional details about the research are available in a research paper titled "Spying with Your Robot Vacuum Cleaner: Eavesdropping via Lidar Sensors."

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Researchers have uncovered a massive hacking campaign that's using sophisticated tools and techniques to compromise the networks of companies around the world. The hackers, most likely from a well-known group that's funded by the Chinese government, are outfitted with both off-the-shelf and custom-made tools. One such tool exploits Zerologon, the name given to a Windows server vulnerability, patched in August, that can give attackers instant administrator privileges on vulnerable systems. Symantec uses the code name Cicada for the group, which is widely believed to be funded by the Chinese government and also carries the monikers of APT10, Stone Panda, and Cloud Hopper from other research organizations. The group has been active in espionage-style hacking since at least 2009 and almost exclusively targets companies linked to Japan. While the companies targeted in the recent campaign are located in the United States and other countries, all of them have links to Japan or Japanese companies. The attacks make extensive use of DLL side-loading, a technique that occurs when attackers replace a legitimate Windows dynamic-link library file with a malicious one. Attackers use DLL side-loading to inject malware into legitimate processes so they can keep the hack from being detected by security software. The campaign also makes use of a tool that's capable of exploiting Zerologon. Exploits work by sending a string of zeros in a series of messages that use the Netlogon protocol, which Windows servers use to let users log into networks. People with no authentication can use Zerologon to access an organization's crown jewels -- the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network. Microsoft patched the critical privilege-escalation vulnerability in August, but since then attackers have been using it to compromise organizations that have yet to install the update. Both the FBI and Department of Homeland Security have urged that systems be patched immediately. Among the machines compromised during attacks discovered by Symantec were domain controllers and file servers. Company researchers also uncovered evidence of files being exfiltrated from some of the compromised machines.

Read more of this story at Slashdot.

"Forget all the rules about uppercase and lowercase letters, numbers and symbols; your password just needs to be at least 12 characters, and it needs to pass a real-time strength test" developed by the passwords research group in Carnegie Mellon's CyLab Security and Privacy Institute (according to the Lab's web site). CNET reports: After a user has created a password of at least 10 characters, the meter will start giving suggestions, such as breaking up common words with slashes or random letters, to make your password stronger... One of the problems with many passwords is that they tick all the security checks but are still easy to guess because most of us follow the same patterns, the lab found. Numbers? You'll likely add a "1" at the end. Capital letters? You'll probably make it the first one in the password. And special characters? Frequently exclamation marks... In an experiment, users created passwords on a system that simply required them to enter 10 characters. Then the system rated the passwords with the lab's password strength meter and gave tailored suggestions for stronger passwords. Test subjects were able to come up with secure passwords that they could recall up to five days later. It worked better than showing users preset lists of rules or simply banning known bad passwords (I'm looking at you "StarWars")... Lorrie Cranor, director of the CyLab Usable Security and Privacy Laboratory at CMU, says the best way to create and remember secure passwords is to use a password manager. Those aren't widely adopted, and they come with some trade-offs. Nonetheless, they allow you to create a random, unique password for each account, and they remember your passwords for you.

Read more of this story at Slashdot.

"The Nov. 3rd election was the most secure in American history," state and federal election officials said in a statement Thursday. "There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised." Bloomberg reports: The statement acknowledged the "many unfounded claims and opportunities for misinformation about the process of our elections" and urged Americans to turn to election administrators and officials for accurate information. The statement was signed by officials from the Elections Infrastructure Government Coordinating Council, which shares information among state, local and federal officials, and the Election Infrastructure Sector Coordinating Council, which includes election infrastructure owners and operators. Among the 10 signatories were Benjamin Hovland, who chairs the U.S. Election Assistance Commission, and Bob Kolasky, the assistant director of the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. Key officials at the cybersecurity agency, including its head, Christopher Krebs, are stepping down or expecting to get fired as Trump refuses to concede. Krebs, who has enjoyed bipartisan support for his role in helping run secure U.S. elections in 2018 and 2020, has told associates he expects to be dismissed, according to three people familiar with internal discussions. His departure would follow the resignation of Bryan Ware, assistant director for cybersecurity at CISA, who resigned on Thursday morning after about two years at the agency. In addition, Valerie Boyd, the assistant secretary for international affairs at the Department of Homeland Security, which oversees CISA, has also left, according to two other people. Krebs and Ware are both Trump appointees.

Read more of this story at Slashdot.

chicksdaddy shares a report from The Security Ledger: Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set's owners. The security holes appear to have been patched by the manufacturer in early November. However the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner's knowledge or permission, according to a report published on Monday by two security researchers. The report describes two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989. That flaw, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned. Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV's Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055. The researchers, John Jackson, an application security engineer for Shutter Stock, and the independent researcher known by the handle "Sick Codes," said the flaws amount to a "back door" on any TCL Android smart television. "Anybody on an adjacent network can browse the TV's file system and download any file they want," said Sick Codes in an interview via the Signal platform. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail. If the TCL TV set was exposed to the public Internet, anyone on the Internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica : In 2008, researcher Dan Kaminsky revealed one of the more severe Internet security threats ever: a weakness in the domain name system that made it possible for attackers to send users en masse to imposter sites instead of the real ones belonging to Google, Bank of America, or anyone else. With industrywide coordination, thousands of DNS providers around the world installed a fix that averted this doomsday scenario. Now, Kaminsky's DNS cache poisoning attack is back. Researchers on Wednesday presented a new technique that can once again cause DNS resolvers to return maliciously spoofed IP addresses instead of the site that rightfully corresponds to a domain name. On Wednesday, researchers from Tsinghua University and the University of California, Riverside presented a technique that, once again, makes cache poisoning feasible. Their method exploits a side channel that identifies the port number used in a lookup request. Once the attackers know the number, they once again stand a high chance of successfully guessing the transaction ID. The side channel in this case is the rate limit for ICMP, the abbreviation for the Internet Control Message Protocol. To conserve bandwidth and computing resources, servers will respond to only a set number of requests from other servers. After that, servers will provide no response at all. Until recently, Linux always set this limit to 1,000 per second. To exploit this side channel, the new spoofing technique floods a DNS resolver with a high number of responses that are spoofed so they appear to come from the name server of the domain they want to impersonate. Each response is sent over a different port. When an attacker sends a response over the wrong port, the server will send a response that the port is unreachable, which drains the global rate limit by one. When the attacker sends a request over the right port, the server will give no response at all, which doesn't change the rate limit counter. If the attacker probes 1,000 different ports with spoofed responses in one second and all of them are closed, the entire rate limit will be drained completely. If, on the other hand, one out of the 1,000 ports is open, then the limit will be drained to 999. Subsequently, the attacker can use its own non-spoofed IP address to measure the remaining rate limit. And if the server responds with one ICMP message, the attacker knows one of the previously probed 1,000 ports must be open and can further narrow down to the exact port number. Linux kernel developers responded by introducing a change that causes the rate limit to randomly fluctuate between 500 and 2,000 per second, preventing the new technique from working. Cloudflare also introduced a fix where its DNS service will fall back to TCP, "which is much more difficult to spoof," reports Ars. The researchers' press release is available here.

Read more of this story at Slashdot.

The Swiss intelligence service has known since at least 1993 that Switzerland-based encryption device maker Crypto AG was actually a front for the CIA and its German counterpart, according to a new report released by the Swiss Parliament, but Swiss leaders were in the dark until last year. From a report: Switzerland's intra-governmental information gap is unlikely to be welcome news in Europe, which already looks warily upon the U.S.' expansive surveillance practices. Still, Crypto AG provided information of incalculable value to U.S. policymakers over many decades. Crypto AG was controlled from 1970 on by the CIA and the West German BND intelligence agency. It sold encryption devices -- often employed in diplomatic communications -- that were used by over 120 countries through the 2000s.

Read more of this story at Slashdot.

Compal, a Taiwanese electronics company that builds laptops for some of the world's largest computer brands, suffered a ransomware attack over the weekend. From a report: Responsible for the breach is believed to be the DoppelPaymer ransomware gang, according to a screenshot of the ransom note shared by Compal employees with Yahoo Taiwan reporters. According to Taiwanese media, the incident was discovered on Sunday morning and is believed to have impacted around 30% of Compal's computer fleet. Employees arriving at work were greeted by a memo from Compal's IT staff, asking workers to check the status of their workstations and back up important files on systems that were not impacted.

Read more of this story at Slashdot.

"Security firm Kaspersky said Friday that it discovered a Linux version of the RansomEXX ransomware," reports ZDNet, "marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions." RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June. The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, U.S. government contractor Tyler Technologies, Montreal's public transportation system, and, most recently, against Brazil's court system (STJ)... The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with many firms running internal systems on Linux, and not always on Windows Server. A Linux version makes perfect sense from an attacker's perspective; always looking to expand and touch as much core infrastructure as possible in their quest to cripple companies and demand higher ransoms. What we see from RansomEXX may soon turn out to be an industry-defining trend, with other big ransomware groups rolling out their Linux versions in the future as well. And, this trend appears to have already begun. According to cyber-security firm Emsisoft, besides RansomEXX, the Mespinoza (Pysa) ransomware gang has also recently developed a Linux variant from their initial Windows version.

Read more of this story at Slashdot.

Ransomware gangs that steal a company's data and then get paid a ransom fee to delete it don't always follow through on their promise. From a report: The number of cases where something like this has happened has increased, according to a report published by Coveware this week and according to several incidents shared by security researchers with ZDNet researchers over the past few months. These incidents take place only for a certain category of ransomware attacks -- namely those carried out by "big-game hunters" or "human-operated" ransomware gangs. These two terms refer to incidents where a ransomware gang specifically targets enterprise or government networks, knowing that once infected, these victims can't afford prolonged downtimes and will likely agree to huge payouts. But since the fall of 2019, more and more ransomware gangs began stealing large troves of files from the hacked organizations before encrypting the victims' files. The idea was to threaten the victim to release its sensitive files online if the company wanted to restore its network from backups instead of paying for a decryption key to recover its files.

Read more of this story at Slashdot.

GitHub has denied rumors today of getting hacked after a mysterious entity shared what they claimed to be the source code of the GitHub.com and GitHub Enterprise portals. From a report: The "supposed" source code was leaked via a commit to GitHub's DMCA section. The commit was also faked to look like it originated from GitHub CEO Nat Friedman. But in a message posted on YCombinator's Hacker News portal, Friedman denied that it was him and that GitHub got hacked in any way. Friedman said the "leaked source code" didn't cover all of GitHub's code but only the GitHub Enterprise Server product. This is a version of GitHub Enterprise that companies can run on their own on-premise servers in case they need to store source code locally for security reasons but still want to benefit from GitHub Enterprise features. Friedman said this source code had already leaked months before due to its own error when GitHub engineers accidentally "shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers."

Read more of this story at Slashdot.

An anonymous reader quotes a report from ZDNet: GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, has suffered a security breach in September this year. The breach occurred after the company left two Kibana apps exposed on the internet without administrative passwords. Kibana apps are normally used by a company's IT and development staff, as the app allows programmers to manage Elasticsearch databases via a simple web-based visual interface. Due to its native features, securing Kibana apps is just as important as securing the databases themselves. But in a report published today on LinkedIn, Bob Diachenko, a security researcher known for discovering and reporting unsecured databases, said GrowDiaries failed to secure two of its Kibana apps, which appear to have been left exposed online without a password since September 22, 2020. Diachenko says these two Kibana apps granted attackers access to two sets of Elasticsearch databases, with one storing 1.4 million user records and the second holding more than two million user data points. The first exposed usernames, email addresses, and IP addresses, while the second database also exposed user articles posted on the GrowDiaries site and users' account passwords. While the passwords were stored in a hashed format, Diachenko said the format was MD5, a hashing function known to be insecure and crackable (allowing threat actors to determine the cleartext version of each password). The company secured its infrastructure five days after Diachenko reported the exposed Kibana apps on October 10. It's unknown if someone else accessed the databases to download user data.

Read more of this story at Slashdot.

More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind. From a report: The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals. Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee. Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites. The idea behind the site isn't unique, and Cit0Day could be considered a reincarnation of similar "data breach index" services such as LeakedSource and WeLeakInfo, both taken down by authorities in 2018 and 2020, respectively.

Read more of this story at Slashdot.

Google Project Zero, the Google security team that finds bugs in all popular software, has disclosed what it classes a high-severity flaw on GitHub after the code-hosting site asked for a double extension on the normal 90-day disclosure deadline. From a report: The bug in GitHub's Actions feature -- a developer workflow automation tool -- has become one of the rare vulnerabilities that wasn't properly fixed before Google Project Zero's (GPZ) standard 90-day deadline expired. Over 95.8% of flaws are fixed within the deadline, according to Google's hackers. GPZ is known to be generally strict with its 90-day deadline, but it appears GitHub was a little lax in its responses as the deadline approached after Google gave it every chance to fix the bug. As detailed in a disclosure timeline by GPZ's Felix Wilhelm, the Google security team reported the issue to GitHub's security on July 21 and a disclosure date was set for October 18. According to Wilhelm, Actions' workflow commands are "highly vulnerable to injection attacks."

Read more of this story at Slashdot.

A shared user account used by WeWork employees to access printer settings and print jobs had an incredibly simple password -- so simple that a customer guessed it. From a report: Jake Elsley, who works at a WeWork in London, said he found the user account after a WeWork employee at his location mistakenly left the account logged in. WeWork customers like Elsley normally have an assigned seven-digit username and a four-digit passcode used for printing documents at WeWork locations. But the username for the account used by WeWork employees was just four-digits: "9999". Elsley told TechCrunch that he guessed the password because it was the same as the username. ("9999" is ranked as one of the most common passwords in use today, making it highly insecure.) The "9999" account is used by and shared among WeWork community managers, who oversee day-to-day operations at each location, to print documents for visitors who don't have accounts to print on their own. The account cannot be used to access print jobs sent to other customer accounts. Elsley said that the "9999" account could not see the contents of documents beyond file names, but that logging in to the WeWork printing web portal could allow him to release other people's pending print jobs sent to the "9999" account to any other WeWork printer on the network.

Read more of this story at Slashdot.

Hackers stole $2.3 million from the Wisconsin Republican Party's account that was being used to help reelect President Donald Trump in the key battleground state, the party's chairman told The Associated Press on Thursday. From a report: The party noticed the suspicious activity on Oct. 22 and contacted the FBI on Friday, said Republican Party Chairman Andrew Hitt. Hitt said the FBI is investigating. The attack was discovered less than two weeks before Election Day as both Trump and Democratic rival Joe Biden made their final push to win Wisconsin and its 10 electoral votes. Trump won the state by fewer than 23,000 votes in 2016 and planned his third visit in seven days on Friday. Biden also planned to campaign in Wisconsin on Friday. Polls have consistently shown a tight race in the state, usually with Biden ahead by single digits and within the margin of error.

Read more of this story at Slashdot.

Several federal agencies on Wednesday warned hospitals and cyber-researchers about "credible" information "of an increased and imminent cybercrime threat to U.S. hospitals and health-care providers." From a report: The FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security and known as CISA, said hackers were targeting the sector, "often leading to ransomware attacks, data theft and the disruption of health-care services," according to an advisory. The advisory warned that hackers might use Ryuk ransomware "for financial gain." The warning comes as Covid-19 cases and hospitalizations surge across the country. The cybersecurity company FireEye said multiple U.S hospitals had been hit by a "coordinated" ransomware attack, with at least three publicly confirming being struck this week. [...] The attack was carried out by a financially motivated cybercrime group dubbed UNC1878 by computer security researchers, according to Charles Carmakal, FireEye's strategic services chief technology officer. At least three hospitals were severely affected by ransomware on Tuesday, he said, and multiple hospitals have been hit over the past several weeks. UNC1878 intends to target and deploy ransomware to hundreds of other hospitals, Carmakal said.

Read more of this story at Slashdot.

Brian Krebs: In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents -- including schematics of client bank vaults and surveillance systems. The Gunnebo Group is a Swedish multinational company that provides physical security to a variety of customers globally, including banks, government agencies, airports, casinos, jewelry stores, tax agencies and even nuclear power plants. The company has operations in 25 countries, more than 4,000 employees, and billions in revenue annually. Acting on a tip from Milwaukee, Wis.-based cyber intelligence firm Hold Security, KrebsOnSecurity in March told Gunnebo about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware. That transaction included credentials to a Remote Desktop Protocol (RDP) account apparently set up by a Gunnebo Group employee who wished to access the company's internal network remotely. Five months later, Gunnebo disclosed it had suffered a cyber attack targeting its IT systems that forced the shutdown of internal servers. Nevertheless, the company said its quick reaction prevented the intruders from spreading the ransomware throughout its systems, and that the overall lasting impact from the incident was minimal.

Read more of this story at Slashdot.