TikTok users beware: Hackers could swap your videos with their own

Naked Security

Mobile app developers Tommy Mysk and Talal Haj Bakry just published a blog article entitled “TikTok vulnerability enables hackers to show users fake videos”.

As far as we can see, they’re right.

(We replicated their results with a slightly older Android version of TikTok from a few days ago, 15.5.44; their tests included the very latest builds on Android and iOS, numbered 15.7.4 and 15.5.6 respectively.)

We used a similar approach to Mysk and Haj Bakry to look at the network traffic produced by TikTok – we installed the tPacketCapture app on Android and then ran the TikTok app for a while to flip through a few popular videos.

The tPacketCapture app works rather like tcpdump on Unix/Linux computers, logging your network packets to a file called a .pcap (short for packet capture) that you can analyze later at your leisure.

We imported our .pcap file back into Wireshark on Linux, which automatically “dissects” the captured packets to give you a human-readable interpretation of their contents.

Full article

Over 500,000 Zoom accounts sold on hacker forums, the dark web

Bleeping Computer

Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Cybersecurity intelligence firm Cyble told BleepingComputer that around April 1st, 2020, they began to see free Zoom accounts being posted on hacker forums to gain an increased reputation in the hacker community.

Full article

Thunderbird 68.7 is available!

Thunderbird version 68.7.0, first offered to channel users on April 8, 2020, is now available to Ubuntu users.

In the release notes we can read what is new, changed and fixed.

Below is the Ubuntu Security Notice USN-4328-1

A security issue affects these releases of Ubuntu and
its derivatives:

- Ubuntu 19.10
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup
  client

Details:

It was discovered that Message ID calculation was
based on uninitialized data. An attacker could
potentially exploit this to obtain sensitive
information. (CVE-2020-6792)

Multiple security issues were discovered in
Thunderbird. If a user were tricked into opening
a specially crafted message, an attacker could
potentially exploit these to cause a denial of
service, obtain sensitive information, or execute
arbitrary code. (CVE-2020-6793, CVE-2020-6795,
CVE-2020-6822)

It was discovered that if a user saved passwords
before Thunderbird 60 and then later set a master
password, an unencrypted copy of these passwords
would still be accessible. A local user could
exploit this to obtain sensitive information.
(CVE-2020-6794)

Multiple security issues were discovered in
Thunderbird. If a user were tricked into opening a
specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a
denial of service, conduct cross-site scripting (XSS)
attacks, obtain sensitive information, or execute
arbitrary code. (CVE-2019-20503, CVE-2020-6798,
CVE-2020-6800, CVE-2020-6805, CVE-2020-6806,
CVE-2020-6807, CVE-2020-6812, CVE-2020-6814,
CVE-2020-6819, CVE-2020-6820, CVE-2020-6821,
CVE-2020-6825)

It was discovered that the Devtools’ ‘Copy as cURL’
feature did not fully escape website-controlled data.
If a user were tricked into using the ‘Copy as cURL’
feature to copy and paste a command with specially
crafted data into a terminal, an attacker could
potentially exploit this to execute arbitrary
commands via command injection. (CVE-2020-6811)

Update instructions:

The problem can be corrected by updating your system
to the following package versions:

Ubuntu 19.10:
  thunderbird        1:68.7.0+build1-0ubuntu0.19.10.1

Ubuntu 18.04 LTS:
  thunderbird        1:68.7.0+build1-0ubuntu0.18.04.1

After a standard system update you need to restart
Thunderbird to make all the necessary changes.

References:
  https://usn.ubuntu.com/4328-1
  CVE-2019-20503, CVE-2020-6792, CVE-2020-6793,
  CVE-2020-6794, CVE-2020-6795, CVE-2020-6798,
  CVE-2020-6800, CVE-2020-6805, CVE-2020-6806,
  CVE-2020-6807, CVE-2020-6811, CVE-2020-6812,
  CVE-2020-6814, CVE-2020-6819, CVE-2020-6820,
  CVE-2020-6821, CVE-2020-6822, CVE-2020-6825

Package Information:

1:68.7.0+build1-0ubuntu0.19.10.1

1:68.7.0+build1-0ubuntu0.18.04.1

Data Breach at San Francisco International Airport

Cybersecurity Insiders

A hacking group that infiltrated the network of San Francisco International Airport in March 2020 is reported to have accessed login credentials used by employees on two of its websites – SFOConnect.com and SFOConstruction.com. The interesting part of this hacking story is that the threat actors were not interested in the data on the websites, but rather in the login credentials of those accessing the websites from their Windows devices and IE browsers.

Authorities from the 7th busiest airport in North America are urging users to change their email and Windows device passwords accordingly, and said that an email alert in this regard will be sent to the victims by this weekend.

Cybersecurity Insiders has learned that the breach took place when hackers injected malicious code into the two websites to steal user credentials. Both websites were pulled down as soon as the incident was identified. SFOConnect was restored last week and SFOConstruction will be restored by the end of this week.

Full article

Zoom App hires Facebook Security Chief after ban from Google and Amazon

Cybersecurity Insiders

After Google, Amazon, and Microsoft told their workforces not to use the video conferencing app for any business purposes, Zoom has appointed former Facebook Chief Security Officer Alex Stamos as an adviser to improve the security and privacy of the rapidly growing communication platform amid stiff backlash.

Alex will be taking control of his office from early this week and will be helping Zoom in rebuilding a security program that can be trusted by its users across the world.

During the Coronavirus pandemic and lockdown, millions of users turned to the Zoom app to meet their work-from-home communication needs. For instance, many schools and educational institutes in North America started using the app as a platform to host online classes.

However, things turned negative when Patrick Wardle, a former NSA hacker, discovered several vulnerabilities in the remote working app which let hackers take control of users’ webcams and microphones.

This triggered panic among users who then started to look for alternatives such as Microsoft Teams and Cisco’s WebEx due to privacy concerns.

Full article

How to Cover Your Tracks Every Time You Go Online

WIRED


Venture online nowadays, and your presence is immediately logged and tracked in all manner of ways. Sometimes this can be helpful—like when you want to see new movies similar to ones you’ve watched in the past—but very often it feels invasive and difficult to control.

Here we’re going to show you how to cover some of those tracks, or not to leave any in the first place. This isn’t quite the same as going completely invisible online, or encrypting every single thing you do. But it should help you sweep up most records of your online activity that you’d rather disappear.

Full article

Security News This Week: Signal Threatens to Leave the US If EARN IT Act Passes

WIRED


The end-to-end encrypted messaging app Signal, which is respected and trusted for its transparent, open-source design, says that it will be one of the immediate casualties should the controversial EARN IT Act pass Congress. Written by South Carolina Republican senator Lindsey Graham and Connecticut Democrat Richard Blumenthal and introduced in the Senate last month, the EARN IT Act claims to be a vehicle for improving how digital platforms reduce sexual exploitation and abuse of children online. But the law would really create leverage for the government to ask that tech companies undermine their encryption schemes to enable law enforcement access. Signal developer Joshua Lund said in a blog post on Wednesday that Signal is not cool with that! More specifically, he noted that Signal would face insurmountable financial burdens as a result of the law and would therefore be forced to leave the US market rather than undermine its encryption to stay. Given that Signal is recommended and used across the Department of Defense, Congress, and other parts of the US government, this would be a seemingly problematic outcome for everyone.

Full article

Read the Signal blog post here!

Twitter Removes Privacy Option, and Shows Why We Need Strong Privacy Laws

Electronic Frontier Foundation

Twitter greeted its users with a confusing notification this week. The control you have over what information Twitter shares with its business partners has changed, it said. The changes will help Twitter continue operating as a free service, it assured. But at what cost?

What Changed?

Twitter has changed what happens when users opt out of the “Allow additional information sharing with business partners” setting in the Personalization and Data part of its site.

Full article

The Rise and Spread of a 5G Coronavirus Conspiracy Theory

WIRED

From an interview with an obscure Belgian doctor to apparent arson attacks in the UK, the unfounded claim that the pandemic is linked to 5G has spread unlike any other.


It started with one doctor. On January 22, Belgian newspaper Het Laatste Nieuws published an interview with Kris Van Kerckhoven, a general practitioner from Putte, near Antwerp. “5G is life-threatening, and no one knows it,” read the headline. One scientifically baseless claim in this article, published in a regional version of the paper’s print edition and since deleted from its website, sparked a conspiracy theory firestorm that has since torn through the internet and broken out into the real world, resulting in fires and threats. Van Kerckhoven didn’t just claim that 5G was dangerous: He also said it might be linked to coronavirus.

At the time, the outbreak was a comparative speck. It had claimed nine lives and infected 440 people, almost all of them in the Chinese city of Wuhan. Under the heading “Link met coronavirus?” the Het Laatste Nieuws journalist pointed out that since 2019 a number of 5G cell towers had been built around Wuhan. Could the two things be related? “I have not done a fact check,” Van Kerckhoven cautioned, before piling in. “But it may be a link with current events.” And so the fuse was lit.

Van Kerckhoven’s comments were quickly picked up by anti-5G campaigners in the Dutch-speaking world, with Facebook pages linking to and quoting from the article. Here, they claimed, was proof of something very dark indeed. Within days, the conspiracy theory had spread to dozens of English-language Facebook pages. But the conspiracy theory that Van Kerckhoven was peddling isn’t new. It has been bubbling away quietly for decades, from unfounded concerns about high-voltage power lines in the 1980s to mobile phones in the 1990s. In coronavirus, such concerns had found a new hook. “Because the quotes were unfounded, we withdrew the article within a few hours,” says Het Laatste Nieuws editor Dimitri Antonissen. “We regret the fact that the story was online for a few hours,” he adds. “Unfortunately with conspiracy theories popping up on several places, this does not stop a story from spreading.” And spread it did.

Full article

Cloudflare dumps Google’s reCAPTCHA, moves to hCaptcha as free ride ends (and something about privacy)

The Register

Cloudflare on Wednesday said it is ditching Google’s reCAPTCHA bot detector for a similar service called hCaptcha out of concerns about privacy and availability, but mostly cost.

The network services biz said it initially adopted reCAPTCHA because it was free, effective, and worked at scale. Some Cloudflare customers, however, have expressed reservations about having data sent to Google.

Google’s reCAPTCHA v3, used on about 1.2m websites, provides a way for web publishers to present puzzles called CAPTCHAs (completely automated public Turing test to tell computers and humans apart) that can usually, but not always, distinguish automated website interaction from human engagement. The point of presenting such challenges is to keep bots from registering fake accounts and conducting other sorts of online abuse.

In a blog post, CEO Matthew Prince and product manager Sergi Isasi observed that while Google is an advertising business and Cloudflare is not, Cloudflare nonetheless reconciled itself to Google’s privacy policy even if it made some customers wary.

Full article