This Week In Security - 01/13/2020
Google temporarily suspends Xiaomi due to a camera privacy glitch
Reddit user Dio-V in the Netherlands reported that his Google Home Hub had started displaying still images from locations he did not recognise. The images appeared on the smart display when he pulled up the feed from his camera, a device made by the Chinese tech giant Xiaomi.
Amongst the images, he came across a still of a sleeping baby.
Google Home Hub is much like Amazon’s Echo: a home automation display controlled by a voice assistant and a GUI. You can ask it questions, control the lighting in your home, adjust your thermostat, or view the feeds of IP cameras connected to it.
A spokesperson for Xiaomi told BBC that the issue “was caused by a cache update on 26 December 2019, which was designed to improve camera streaming quality”.
“Xiaomi has communicated and fixed this issue with Google, and has also suspended this service until the root cause has been completely solved, to ensure that such issues will not happen again.”
Xiaomi also added that only users with “extremely poor network conditions” were likely to have been affected by the bug.
Users are being warned: if it seems too good to be true, it probably is
Cybercriminals are luring victims with a courier-style website on which they can supposedly track a MacBook Pro ordered for just $1. The victim receives an email linking to a fake European courier website, notifying them that their item has been located by its barcode.
Of course, there is no item, much less a MacBook Pro. The phishing scam then tells the victim that while the item has arrived, it is stuck at the depot awaiting payment of a delivery fee.
If you fall for the hoax, you are taken to a very realistic-looking page where you can enter your payment details. When you enter your credit card details, an error notice tells you that your card has been declined; the aim is simply to harvest more of your banking details.
Depending on how many cards you enter, the crooks now have your personal and credit card details, as well as the CVV, the short security code on the back of your card.
If you receive an email like this, please do not enter your details or click on the links.
Users are being urged to patch Pulse Secure VPN for fear of phishing attacks
Hackers are taking full advantage of unpatched VPN setups, particularly Pulse Secure VPN, whose code has contained known bugs for some time. These vulnerabilities are being used to spread ransomware.
One of the bugs can be exploited to extract plain-text passwords and other sensitive information from networks without any authentication.
“That vulnerability is incredibly bad — it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords),” Beaumont explained.
Even though fixes for these vulnerabilities have been available, there have been instances where they were still used as entry points by hackers.
“In both cases, the organizations had unpatched Pulse Secure systems, and the footprint was the same,” Beaumont explained, “access was gained to the network, domain admin was gained, VNC was used to move around the network (they actually installed VNC via psexec, as java.exe), and then endpoint security tools were disabled and Sodinokibi was pushed to all systems via psexec.”
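As an added illustration from the defender's side (this code is not from the page or from Beaumont's write-up), a small Python detector run over constructed process-creation events modelled on that chain: it flags any process spawned by PsExec's service binary and any java.exe running from outside a trusted Java install path. The key=value event shape, the PSEXESVC.exe parent name and the trusted-directory list are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample events (not real telemetry) in an assumed Sysmon-like
# key=value shape, modelling the chain quoted above: PsExec's service
# binary launching a renamed VNC server as java.exe, plus a benign Java start.
SAMPLE_EVENTS = r"""
ts=2020-01-10T02:14:07Z host=WS01 image=C:\Windows\PSEXESVC.exe parent=C:\Windows\System32\services.exe
ts=2020-01-10T02:14:09Z host=WS01 image=C:\Windows\Temp\java.exe parent=C:\Windows\PSEXESVC.exe
ts=2020-01-10T09:30:00Z host=WS02 image=C:\Program Files\Java\jre1.8.0_231\bin\java.exe parent=C:\Windows\explorer.exe
"""

# Assumed allow-list of directories a legitimate java.exe is installed under.
TRUSTED_JAVA_DIRS = ("c:\\program files\\java\\", "c:\\program files (x86)\\java\\")

# key=value pairs; a value runs until the next " key=" or end of line,
# so paths containing spaces (Program Files) survive parsing.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, rule, image) for every event that matches a rule."""
    hits = []
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        image, parent = ev.get("image", ""), ev.get("parent", "")
        # Rule 1: a child of PSEXESVC.exe was started remotely through PsExec,
        # the tool used for lateral movement and the ransomware push in the quote.
        if basename(parent) == "psexesvc.exe":
            hits.append((ev["host"], "psexec_child", image))
        # Rule 2: java.exe outside a trusted Java directory is masquerading
        # (the renamed VNC binary in the quote).
        if basename(image) == "java.exe" and not image.lower().startswith(TRUSTED_JAVA_DIRS):
            hits.append((ev["host"], "java_masquerade", image))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Rule 1 will also fire on legitimate administrative use of PsExec, so in practice it is tuned against the accounts and hosts that are expected to use it.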
A Chinese state-sponsored hacking group has managed to get around 2FA
The group has been targeting Western government entities by bypassing two-factor authentication. The claims follow a two-year investigation by Fox-IT, whose findings were released in a whitepaper detailing the group’s methods.
The group, APT20, which has reportedly worked with the Chinese government for almost ten years, exploited vulnerabilities in web browsers to gain access to various networks.
By targeting workstations with administrator privileges, as well as password vaults, the hackers were also able to generate their own software tokens for access.
“As it turns out, the actor does not actually need to go through the trouble of obtaining the victim’s system-specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system-specific value at all.”
In short, all the attacker has to do to abuse RSA SecurID Software Tokens is patch one instruction, after which the software generates completely valid 2FA tokens.