A Hacker Found a Way to Take Over Any Apple Webcam

WIRED

Apple has a well-earned reputation for security, but in recent years its Safari browser has had its share of missteps. This week, a security researcher publicly shared new findings about vulnerabilities that would have allowed an attacker to exploit three Safari bugs in succession and take over a target’s webcam and microphone on iOS and macOS devices.

Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.

Full article

The Zoom Privacy Backlash Is Only Getting Started

WIRED

The popular video conferencing application Zoom has been having A Moment during the Covid-19 pandemic. But it’s not all positive. As many people’s professional and social lives move completely online, Zoom use has exploded. But with this boom has come added scrutiny from security and privacy researchers—and they keep finding more problems, including two fresh zero-day vulnerabilities revealed Wednesday morning.

The debate has underscored the inherent tension of balancing mainstream needs with robust security. Go too far in either direction, and valid criticism awaits.

Zoom has never been known as the most hardcore secure and private service, and there have certainly been some critical vulnerabilities, but in many cases there aren’t a lot of other options.

Kenn White, Security researcher

It’s absolutely fair to put public pressure on Zoom to make things safer for regular users. But I wouldn’t tell people ‘don’t use Zoom.’ It’s like everyone is driving a 1989 Geo and security folks are worrying about the air flow in a Ferrari.

Kenn White, Security researcher

Zoom isn’t the only video conferencing option, but displaced businesses, schools, and organizations have coalesced around it amid widespread shelter in place orders. It’s free to use, has an intuitive interface, and can accommodate group video chats for up to 100 people. There’s a lot to like. By contrast, Skype’s group video chat feature only supports 50 participants for free, and live streaming options like Facebook Live don’t have the immediacy and interactivity of putting everyone in a digital room together. Google offers multiple video chat options—maybe too many, if you’re looking for one simple solution.

Full article

Zoom’s end-to-end encryption isn’t actually end-to-end at all. Good thing the PM isn’t using it for Cabinet calls. Oh, for f…

The Register

UK Prime Minister Boris Johnson sparked security concerns on Tuesday when he shared a screenshot of “the first ever digital Cabinet” on his Twitter feed. It revealed the country’s most senior officials and ministers were using bog-standard Zoom to discuss critical issues facing Blighty.

The tweet also disclosed the Zoom meeting ID was 539-544-323, and fortunately that appears to have been password protected. That’s a good thing because miscreants hijacking unprotected Zoom calls is a thing.

Crucially, the use of the Zoom software is likely to have infuriated the security services, while also raising questions about whether the UK government has its own secure video-conferencing facilities. We asked GCHQ, and it told us that it was a Number 10 issue. Downing Street declined to comment.

The decision to use Zoom, as millions of others stuck at home during the coronavirus outbreak are doing, comes as concerns are growing about the conferencing app’s business model and security practices.

Full article

Patch now! Critical flaw found in OpenWrt router software

Naked Security

A researcher has stumbled on a big security flaw affecting OpenWrt, an open source operating system used by millions of home and small business routers and embedded devices.

OpenWrt has become a popular Linux alternative to the stock software that vendors ship with home routers. Other examples of this type of router software include DD-WRT and Tomato.

It can be used to replace the factory firmware on any router with supported hardware, for example models from NetGear, Linksys, Zyxel and others.

Full article

Japan to invest $237.12 million in Artificial Intelligence to counter Cyber Attacks

Cybersecurity Insiders

The Ministry of Defense (MoD) of Japan has confirmed that it is going to invest over 25.6 billion yen ($237.12 million) to develop Artificial Intelligence-based tools to counter cyber attacks.

Japan aims to develop an all-inclusive AI system that can detect malicious emails, respond to cyber attacks automatically using machine learning, and eventually neutralize the effect of attacks on public and private sector targets.

The MoD is also planning to procure a $31.5 million Cyber Information Gathering System to collect attacker tactics, techniques, and procedures (TTPs) for the Self-Defense Forces (SDF).

Highly placed sources say the government of Japan was jolted into action by the large-scale cyber attack launched on Mitsubishi Electric by a hacking group from China.

Japanese media reported that critical information about the MoD and the Nuclear Regulation Authority was accessed and stolen by the hackers in that attack. Digital documents relating to private firms, railway operators and a car manufacturer’s strategy for the year 2022 were also reportedly accessed by the threat actors.

To prevent further attacks on public and private entities, Japan’s MoD has now initiated countermeasures, as part of a plan to build a framework for defending critical infrastructure from cyber attacks.

Full article

5 tips for keeping your data safe this World Backup Day

Naked Security

Today is, wait for it, drum roll, please…

World Backup Day.

You knew that already, didn’t you?

So you’re way ahead of us here, with your backups neatly done and safely stored away.

Or perhaps not, because sorting out your backups is a bit like taking the garbage out or washing the dog – you know it needs doing, and you might as well do it now, but it can probably wait until tomorrow.

Depending on what happens today, of course.

Well, the bad news is, now that so many of us are working from home, we can’t rely on IT to do it all for us, or to show up at our desks with a smile and a USB drive filled with all those precious files that we just deleted by mistake.

But the good news is, now that so many of us are working from home, that backup isn’t that hard to do right – the hardest part is just getting round to doing it properly, or even at all.

Full article

Auto-connect feature in new Android release (2020.4-beta1)

Mullvad

What’s new in this version

An Auto-connect option is now available under the Preferences menu. Enable this and the app will automatically connect to a server when it launches. If your Android device has the “Always-on VPN” feature, you can combine these two functionalities to automatically secure your connection from the moment you power on your phone.

You can now add an app shortcut tile to Android’s Quick Settings menu. A single tap on the tile will connect or disconnect you while tapping and holding opens the app.

Full blog post

Microsoft disinvests from Israeli Startup due to Espionage allegations

Cybersecurity Insiders

Microsoft has confirmed that it is withdrawing from an investment agreement with an Israeli startup that develops facial recognition software. Although the company has not publicly explained the decision, a source at the tech giant says it was taken after Microsoft learned that the startup’s product was being used by the government to conduct surveillance on the population of the West Bank, a region bordering Jordan.

The company in question is AnyVision, a Tel Aviv-based vendor of facial recognition software.

Highly placed sources say that the AnyVision facial recognition software was being used to monitor border crossings between the West Bank and Israel. It is still not clear whether the footage feeds a mass surveillance program similar to the one being conducted in China.

Full article

How to keep your Work from Home strategy Cyber Secure

Cybersecurity Insiders

As many people across the world are working from home these days to keep their office operations going, hackers see home devices as weak points from which to infiltrate corporate networks. So, here are some strategies that can make your work from home setup considerably more secure.

Full article

Hackers Used Local News Sites to Install Spyware On iPhones

The Hacker News

A newly discovered watering-hole campaign is targeting Apple iPhone users in Hong Kong by using malicious website links as a lure to install spyware on the devices.

According to research published by Trend Micro and Kaspersky, the “Operation Poisoned News” attack leverages a remote iOS exploit chain to deploy a feature-rich implant called ‘LightSpy’ through links to local news websites, which when clicked, executes the malware payload and allows an interloper to exfiltrate sensitive data from the affected device and even take full control.

Watering-hole attacks typically let a bad actor compromise a specific group of end-users by infecting websites that they are known to visit, with an intention to gain access to the victim’s device and load it with malware.

Full article