Cyber Security news
Although people buy video camera doorbells from Ring manufacturer hoping to increase the security of their homes, a flaw in the software of these devices could expose its users to a new security risk. According to experts in ethical hacking, the flaw would allow a threat actor to extract username and WiFi password from the doorbell user.
According to Bitdefender’s report, the security firm in charge of reporting the vulnerability, Ring’s parent company was informed of this flaw last June; the vulnerability was corrected in the Ring update for September.
It should be remembered that Ring is a company dedicated to the manufacture of doorbells with surveillance camera; almost two years ago, this company was acquired by Amazon for almost $850 million USD. Currently, these surveillance systems are linked to at least 580 police departments in the United States, integrating a neighborhood surveillance network, ethical hacking experts report.
Explained in this way, installing Ring devices in homes would seem like a good idea, although not everyone thinks their use is recommended. Privacy specialists have expressed concern that these systems connect directly to police stations, as well as the obvious exposure to threat actors.
An additional concern is that this is not the first time experts found vulnerabilities in Ring. A couple of years ago, experts at Pen Ten Partners discovered a series of flaws in these devices that, if exploited, allowed hackers to extract passwords from the WiFi network to which the doorbell connects. Other research has shown that it is possible to extract real-time images from these devices.
Ethical hacking experts mention that the vulnerability lies in the connection between the video camera and the Ring app. When setting up a device for the first time, the app must send a sign-in record from the WiFi network to the doorbell. Because this information is sent over an unencrypted network, any hacker could perform a Man-in-the-Middle (MiTM) attack to intercept the sent data. It is important to note that the attacker must be in a location close to the signal from the target WiFi network.
After the latest security issue was revealed in Ring, the company released a statement: “The security of our devices and the trust of our users are the most important thing to us. We want to report that a security update was released to address the reported failure; the problem has already been corrected.”
Due to its characteristics, this attack can only occur during the device configuration process, mentioning ethical hacking specialists from the International Institute of Cyber Security (IICS). However, a hacker could also send fake messages to a user to try to trick them and have them set the ring from scratch again, although the complexity of this scenario increases considerably.
A team of web application security specialists from Ruhr University in Bochum, Germany, has discovered a critical vulnerability in some new programmable logic controller (PLC) models manufactured by Siemens. According to the experts, the flaw is related to the presence of a hidden access feature and could be exploited both to perform cyberattacks and security tool.
The security issue is related to the hardware access function of the Siemens S7-1200 PLC (this feature processes software updates and verifies the integrity of the PLC firmware when starting the device). Apparently, this access shows behavior similar to that of a backdoor.
According to web application security experts, a threat actor may abuse this feature to bypass the firmware integrity verification step for about half a second, time in which the attacker could download malicious code and subsequently gain full control over the device’s processes.
In their report, experts say they ignore why Siemens could have installed such access on these devices: “This is clearly a bad security practice; this feature gives anyone with sufficient knowledge access to the contents of memory, as well as the ability to overwrite data and extract information,” the experts say.
During the investigation, experts discovered that this hidden access can also be useful for security researchers, as it provides a memory device forensic. “We managed to use this feature to access the contents of the PLC’s memory, which could help in digital forensics investigation to detect malicious code. Although the company does not allow access to memory content under normal conditions, this is feasible using this access,” the experts conclude. The findings will be officially presented during a cybersecurity event to be held next month in London.
On the other hand, Siemens received the report on this security flaw in a timely manner and has already announced the launch of a solution as soon as possible. “We are aware of the research of the experts of Ruhr University, regarding special hardware-based access on SIMATIC S7-1200 CPUs; our web application security teams are working to resolve the issue as soon as possible. We recommend that our users remain alert to any official update,” the company’s statement says.
It is still unknown whether Siemens will deploy only software updates or whether new hardware components will be needed to fix this vulnerability. International Institute of Cyber Security (IICS) web application security specialists mention that a hardware replacement would be a definitive solution, but it is very complicated to perform for all affected devices (something similar to the Nintendo Switch case). That being said, the company will most likely release continuous security updates to fix the flaw.
A couple of months ago, another investigation into Siemens S7 PLCs was revealed; on that occasion, experts discovered that all modern PLC S7 families were running the same firmware version, and they even shared the same cryptographic key; the company received all these reports and began the process of correcting security flaws.
We must not forget that even specialized companies can suffer cybersecurity incidents. According to digital forensics experts, an employee of Japan-based security firm TrendMicro was discovered stealing information from the company’s customers and selling it to third parties aiming to deploy sophisticated tech support scam campaigns.
The targets of this campaign were the company’s customers using a home-use security solution, who received phone calls from threat actors posing as TrendMicro customer service employees.
The company began receiving reports on these calls, in which criminals used information only operated by some of TrendMicro employees, leading them to intuit that the attackers had the collaboration of an insider. After an internal investigation, TrendMicro determined that an employee had been improperly accessing a database operated by the company’s customer service area to extract sensitive information and sell it to scammers.
“After a thorough investigation, our digital forensics team was able to confirm that this is an internal threat,” the company mentions a blog post. “One of our employees fraudulently accessed our customer support databases, extracting information including names, email addresses, phone numbers, and client support query backup”.
The company also added that, so far, there is no evidence to prove that other sensitive data, such as payment card information, was also compromised. The employee has already been fired by TrendMicro and is awaiting legal proceedings against him.
The company claims that less than 1% of TrendMicro tech support users were affected by this fraudulent campaign. In addition, the company’s digital forensics team report highlights the fact that only English speakers were attacked in this campaign.
Although no financial data was extracted from affected customers, it is possible that the attackers tried to make arbitrary charges for support services that were not really needed.
As a security measure, users are reminded that TrendMicro never makes unsolicited support calls, so in case of receiving a call from an alleged customer service employee users must hang up immediately and, if possible, notify TrendMicro.
International Institute of Cyber Security (IICS) digital forensics specialists mention that TrendMicro’s corporate clients were not targeted by the operators of this campaign, although they recommend that the company remain vigilant, as this is the second incident of unauthorized access to sensitive information that occurred recently on TrendMicro. A few months ago, it was reported that an unidentified hacker accessed a company test lab and managed to extract more than 30 terabytes of information, including sensitive source code.
DATA BREACHES COULD INCREASE THE PRICE OF A COMPANY’S SHARES. THE REASON WHY COMPANIES DON’T FIX THEIR SECURITY
Data breach incidents can be catastrophic for any organization, resulting in large fines, loss of user or customer trust, and public image damage. However, a recent research conducted by information security specialists has found that these incidents could in fact be beneficial for some companies.
As you may recall, a data breach involves unauthorized access or disclosure of personal information records. Most countries have legislation applicable in these cases, although not all governments in the world similarly punish such incidents.
Information security specialists stress that any company could be impacted by such incidents, as it does not influence whether they are public or private organizations and no matter the industry sector to which the company belongs. Whether it’s airlines, banks, public institutions and e-commerce sites, they’re all exposed to a data breach.
One of the main indicators for measuring the impact of a data breach on a company is the price of its shares. Information security services firm Comparitech has conducted an analysis of some companies listed on the US stock exchange for the purpose of determining the impact that a data breach has on the stock performance on a compromised company.
From the study of 33 different cases, the researchers found that, on average, a company affected by a data breach lost 7.3% of the value of its shares; in the worst cases, stocks could fall for up to 15 consecutive days.
Yes, this is an undesirable scenario, although the investigation took a surprising turn. About six months after the incident, all affected companies achieved even higher growth than in the six months prior to the data breach (an average of 7.1% compared to previous growth of 4%).
In addition, researchers found that the more recent the data breach is, the larger it causes a decline in the price on the shares of the affected companies. For the companies concerned, financial institutions were the hardest hit, while health care companies suffer to a lesser extent the financial impact of these incidents.
According to information security specialists from the International Institute of Cyber Security (IICS) one of the possible causes of this revaluation is the way in which companies handle these incidents. After suffering a data breach, a company can update its security policies and practices, in addition to its IT infrastructure, to finally undergo audits that demonstrate an improvement in its it security systems, supporting its growth after completing cybersecurity incident recovery processes.
However, Comparitech experts recognize that their research only focuses on analyzing the price of a company’s shares, adding that other variables, such as legal proceedings against affected companies, also influence performance in the stock exchange.
Marriott International hotel chain has alerted its associates about a cyber security incident that could negatively impact the security of some associate’s data (specifically their social security numbers), after an unidentified threat actor accessed network of an outside vendor formerly used by Marriott, data protection experts reported. This incident did not involve or impact the security of Marriott’s systems or platforms. A limited number of current and former Marriott US employees’ information was involved in the incident, and all of these employees are in the process of being notified by Marriott in accordance with US legal requirements.
The company mentions that exposure of information stems from a cyberattack suffered by an external vendor which previously had worked for Marriott: ” Marriott learned on September 4, 2019, that an unknown person gained access to information about certain Marriott associates by accessing the network of an outside vendor formerly used by Marriott ,” the company’s statement says.
Apparently, this vendor worked for Marriott receiving official documents (citations, court orders, etc.). The vendor acted as Marriott’s agent for purposes of receiving service of official legal documents such as subpoenas and court orders. included some partners’. No partners were involved, only a limited number of employees mentions data protection specialists.
After detecting this information exposure, Marriott contacted the third party provider, which ensured that they are handling this incident in the best possible way; ” We have been in frequent contact with the vendor since we learned what occurred to ensure appropriate action is being taken in response. Marriott has already terminated its relationship with the vendor, and the vendor confirmed that it has securely removed all information regarding Marriott associates from its network,” the hotel chain added.
As a security measure for affected associates, Marriott announced that they will be provided them with a free identity theft protection service for one year or two years depending on US state law requirements.
Although the company learned about this incident two months ago, the incident could not be publicly disclosed, as it was necessary to inform each affected associate directly before, in addition to notifying the competent authorities. All affected current and former Marriott associates will have been notified by early next week. Marriott has identified and reported the final number of affected employees to US regulators in accordance with US legal requirements.
This is not the first security incident reported by Marriott. About a year ago, data protection specialists from the International Institute of Cyber Security (IICS) reported that a hacker group managed to compromise the databases of Starwood, one of Marriott’s multiple brands, exposing almost 383 million records and not unique guests as there were multiple records for same guests.
According to information security specialists, about one hundred web application developers may have had inadequate access to the data of millions of Facebook users, as the company made a mistake that led to the revocation of some restrictions on the access to this information.
Because the data breach was publicly disclosed only through Facebook’s developer blog, this incident went almost completely unnoticed, except for some members of the cybersecurity community.
Although over a year ago Facebook group access parameters were updated, during this incident users’ names and profile photos, in addition to their activity logs in certain groups, remained accessible to specific developers, mentioned the company’s publication.
In addition, information security specialists point out of the nearly 100 developers with this access through the Facebook Groups API, at least a dozen would have been actively consulting this information over the past two months.
It should be noted that, before April 2018, Facebook group administrators could give app developers access to the group information. After the update in the group APIs, when an administrator authorized an app, developers can only access data such as group name, number of participants, and posts content.
These API updates are part of the measures implemented by Facebook after the Cambridge Analytica scandal was revealed, with which the company sought to improve its data usage policies for users and the companies that can access them.
Facebook claims that it has asked the developers involved to delete any records of information obtained through this improper access, adding that it will conduct some security audits to verify that this process is properly complied with. However, many information security experts believe that the company is not acting with full transparency, as the names of the developers, apps or Facebook groups involved were not disclosed, arguing security reasons.
Finally, the social media giant assured its users (although the message was addressed to developers) that until now there is no evidence to demonstrate abuse of this anomalous access; although when it comes to Facebook, data privacy always seems breached in one way or another.
This has been a convulsed year for Facebook in terms of data breach incidents, so authorities in various parts of the world have made relevant decisions. A few months ago, information security specialists from the International Institute of Cyber Security (IICS) reported a landmark decision by the Federal Trade Commission (FTC), which decided to impose a record $5 billion USD fine on Facebook for its multiple practices that violate various user data protection laws; still, many consider that this fine remains insufficient to put real pressure on these companies.