anyone

now browsing by tag

 
 

#cybersecurity | #infosec | Webex flaw allowed anyone to join private online meetings

Source: National Cyber Security – Produced By Gregory Evans Cisco, the makers of Webex, had warned users of the online conferencing service that a vulnerability allowed unauthorised remote users to listen in on private online meetings – without having to enter a password. The vulnerability, which was rated as high severity by Cisco in a […] View full post on AmIHackerProof.com

#hacking | Daily Inter Lake – Politics & Government, The big lesson from the Bezos hack: Anyone can be a target

Source: National Cyber Security – Produced By Gregory Evans

PROVIDENCE, R.I. (AP) — You may not think you’re in the same league as Jeff Bezos when it comes to being a hacking target. Probably not, but you — and just about anyone else, potentially including senior U.S. government figures — could still be vulnerable to an attack similar to one the Amazon founder and Washington Post owner apparently experienced.

Two U.N. experts this week called for the U.S. to investigate a likely hack of Bezos’ phone that could have involved Saudi Arabian Crown Prince Mohammed bin Salman. A commissioned forensic report found with “medium to high confidence” that Bezos’ iPhone X was compromised by a video MP4 file he received from the prince in May 2018.

Bezos later went public about the hack after the National Enquirer tabloid threatened to publish Bezos’ private photos if he didn’t call off a private investigation into the hacking of his phone. It’s not clear if those two events are related. The Saudis have denied any involvement in the purported hack.

The events could potentially affect U.S.-Saudi relations. On Friday, Sen. Ron Wyden, an Oregon Democrat, said he is asking the National Security Agency to look into the security of White House officials who may have messaged the crown prince, particularly on personal devices. Jared Kushner, a White House aide and President Donald Trump’s son-in-law, is known to have done so using WhatsApp.

Wyden called reports of the Bezos hack “extraordinarily ominous” and said they may have “startling repercussions for national security.”

But they could resonate at the personal level as well. As the cost of hacking falls while opportunities to dig into peoples’ online lives multiply, more and more people are likely to end up as targets, even if they’re not the richest individuals in the world.

Ultimately, that boils down to a simple lesson: Be careful who you talk to — and what you’re using to chat with them.

“People need to get out of the mindset that nobody would hack them,” said Katie Moussouris, founder and CEO of Luta Security. “You don’t have to be a specific target or a big fish to find yourself at the mercy of an opportunistic attacker.”

WhatsApp, owned by Facebook, is generally considered a secure way of trading private online messages due to the fact that it scrambles messages and calls with encryption so that only senders and recipients can understand them. What many people may not have realized is that it, like almost any messaging service, can act as a conduit for malware.

That encryption, however, is no help if a trusted contact finds a way to use that connection to break into the phone’s operating system. In fact, an infected attachment can’t be detected by security software while it’s encrypted, and apps like WhatsApp don’t scan for malware even once files are decrypted.

WhatsApp users can disable the automatic downloading of photos, videos and other media, which happens by default unless the user takes action.

Other messaging apps are likely also vulnerable. “It just so happens that this one was a vulnerability in WhatsApp,” said JT Keating, of Texas-based security firm Zimperium. “It could have been in any one of any number of apps.”

Prince Mohammed exchanged numbers with Bezos during a U.S. trip in spring 2018. On the same visit, the prince also met with other tech executives, including the CEOs of Google, Apple and Palantir, as well as sports and entertainment celebrities and academic leaders. Virgin Group founder Richard Branson gave the Saudi delegation a tour of the Mojave Air and Space Port in the desert north of Los Angeles.

Google and Apple didn’t respond to emailed requests for comment this week on whether their executives shared personal contacts after that trip. Palantir Technologies confirmed that its CEO Alex Karp met with the prince but said they never shared personal messages. Virgin Group said it was looking into it.

UC Berkeley cybersecurity researcher Bill Marczak cautioned that there’s still no conclusive evidence that the Saudi video was malicious, adding that it might be premature to jump to broader conclusions about it. Many other security experts have also questioned the forensics report upon which U.N. officials are basing their conclusions.

But Marczak said it is generally good advice to “always be on the lookout for suspicious links or messages that sound too good to be true.”

Even caution about avoiding suspicious links might not be good enough to ward off spyware — especially for high-profile targets like dissidents, journalists and wealthy executives. Hackers-for-hire last year took advantage of a WhatsApp bug to remotely hijack dozens of phones and take control of their cameras and microphones without the user having to click anything to let them in.

In such cases, said Marczak, “there doesn’t need to be any interaction on the part of the person being targeted.”

  

Source link

The post #hacking | Daily Inter Lake – Politics & Government, The big lesson from the Bezos hack: Anyone can be a target appeared first on National Cyber Security.

View full post on National Cyber Security

Kids’ smartwatch security tracker can be hacked by anyone – Naked Security

Source: National Cyber Security – Produced By Gregory Evans

For researchers at testing outfit AV-Test, the SMA M2 kids’ smartwatch is just the tip of an iceberg of terrible security.

On sale for around three years, superficially it’s not hard to understand why the model M2 might appeal to anxious parents or carers.

Costing only $32, it pairs with a smartphone so that adults can track the real-time location of kids via GPS, GSM or Wi-Fi using a simple mapping app and online account. Add a SIM and it can be used to make voice calls and there’s even an SOS button children can press in the event of an emergency.

The colour screen, cartoon icons, and baby-blue or pink colour scheme is almost guaranteed to appeal to younger children.

The punchline?

AV-Test’s investigations reveal that the M2 also happens to be an unmitigated security disaster.

Naked Security has covered numerous security screw-ups over the years but it’s hard to imagine a more face-palming charge sheet than that levelled at the makers of the M2 by AV-Test.

To illustrate the point, the testers use the example of a girl called Anna who lives in Dortmund, Germany.

She vacations with her grandparents in a coastal town called Norderney, where she regularly visits the local harbour around 2 o’clock to spot seals for an hour.

The company knows all of this because Anna is wearing an M2 smartwatch which has been leaking this information along with that of another 5,000 children via a public system whose security would be non-existent for any competent hacker.

AV-Test was able to find the names and addresses of these children, their age, images of what they looked like, as well as voice messages transmitted from the watch.

In a development that would be ironic if it weren’t so serious, they were able to discover children’s current locations. Warns AV-Test’s Maik Morgenstern:

We picked out Anna as much as we could have picked Ahmet from London or Pawel from Lublin in Poland.