More stories

  • Amazon rolls out encryption for Ring doorbells

    Did you know that the handy video your Ring doorbell takes of anyone who comes by your door isn’t as private as you might think? With a Ring Protect Plan your videos are kept in the Amazon Web Services (AWS) cloud, encrypted with keys that Ring controls rather than you. Anyone who can compromise or compel Ring, including your local police force, can therefore obtain viewable footage. Until now. Starting today in the US (and soon, throughout the world), you’ll be able to encrypt your video stream so that only you hold the key.

    This is done with Amazon’s Video End-to-End Encryption (E2EE). If you decide to install this optional privacy feature, you’ll need to install a new version of the Ring application on your smartphone. Once installed, it uses a Public Key Infrastructure (PKI) based on an RSA 2048-bit asymmetric account signing key pair. In English, the foundation is pretty darn secure.

    Ring already encrypted videos when they were uploaded to the cloud (in transit) and stored on Ring’s servers (at rest), but those were Ring’s keys. Law enforcement doesn’t have automatic access to customer devices or videos; you choose whether or not to share footage with them. With E2EE, customer videos get an additional lock that can only be opened by a key stored on the customer’s enrolled mobile device, so that only the customer can decrypt and view recordings, and only on that enrolled device.

    You’ll need to opt into E2EE; it doesn’t turn on automatically with the software update. You’ll also need to set a passphrase, which you must remember. Ring doesn’t keep a copy, so if you lose it you lose access to your encrypted recordings.

    Before using E2EE, you should know that it is not yet integrated with the full Ring feature set. Features such as sharing your videos, viewing encrypted videos on Ring.com, the Windows and Mac desktop apps or the Rapid Ring app, and the Event Timeline won’t work with encrypted recordings. E2EE also isn’t supported on many Ring devices, including Ring’s most popular, least expensive, battery-powered doorbells. And even with E2EE, the police can still ask for, or demand, your video and audio content; the difference is that the request has to come to you, the only party holding the key.
As Matthew Guariglia, an Electronic Frontier Foundation (EFF) policy analyst, has pointed out: “If your town’s police department has a partnership with Ring, you can also anticipate getting email requests from them asking for footage from your camera any time a suspected crime occurs nearby.”

    According to a Ring representative, Ring’s E2EE is designed so that even the company cannot decrypt your end-to-end encrypted video. That includes law enforcement, because the private keys required to decrypt the videos are stored only on customers’ enrolled mobile devices.

    Until recently, by default, police could send automatic bulk email requests to individual Ring users in an area of interest of up to half a square mile. Now, police post their requests publicly in Ring’s Neighbors app. Guariglia also observed, “Ring’s default setup is primed to instill paranoia: Ring doorbells send you an alert whenever the motion activation is triggered, which means that your phone will buzz every time a squirrel, falling snow, a dog walker, or a delivery person set off the Ring.” That constant buzzing feeds a wider misperception: many people now believe that violent crime is worse than ever in the US. That’s simply not true. Privacy, on the other hand, is under siege. If you value your privacy, and you still like the convenience of Ring, I encourage you to use E2EE. I will be.
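    To make the key ownership concrete, here is an added Python model of the design the article describes, written for this page rather than taken from Ring or Amazon. It keeps only the layering the article states (a device-held key, a passphrase-wrapped backup that the service cannot open, a service that stores ciphertext only); everything else is a stand-in: the standard library has no AES, so an HMAC-SHA256 keystream with an HMAC tag replaces an AEAD such as AES-GCM, and the RSA account key pair is replaced by a symmetric device key shared between camera and phone. All function and variable names are invented for the example.

```python
"""Key hierarchy for device-held end-to-end encryption of doorbell recordings.

Added illustration, not Ring's code. An HMAC-SHA256 keystream plus HMAC tag
stands in for an AEAD (the stdlib has no AES), and a shared symmetric device
key stands in for wrapping to the phone's RSA public key.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; a wrong key raises instead of yielding garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    """Slow KDF so the passphrase-wrapped backup resists offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


def enroll(passphrase: str) -> tuple:
    """Phone side: generate the device key and a passphrase-wrapped backup of it."""
    salt = secrets.token_bytes(SALT_LEN)
    device_key = secrets.token_bytes(32)
    return device_key, salt + seal(passphrase_key(passphrase, salt), device_key)


def record(cloud: dict, device_key: bytes, rec_id: str, video: bytes) -> None:
    """Camera side: fresh content key per clip, wrapped for the enrolled device.
    The service (`cloud`) receives only the wrapped key and the ciphertext."""
    content_key = secrets.token_bytes(32)
    cloud[rec_id] = (seal(device_key, content_key), seal(content_key, video))


def view(cloud: dict, device_key: bytes, rec_id: str) -> bytes:
    wrapped, ct = cloud[rec_id]
    return open_sealed(open_sealed(device_key, wrapped), ct)


def restore_device_key(backup: bytes, passphrase: str) -> bytes:
    """New phone: the only way back in is the passphrase nobody else holds."""
    salt, blob = backup[:SALT_LEN], backup[SALT_LEN:]
    return open_sealed(passphrase_key(passphrase, salt), blob)


def demo() -> dict:
    cloud = {}
    device_key, backup = enroll("correct horse battery staple")
    clip = b"constructed sample clip: visitor at the door, 08:15"  # stands in for video
    record(cloud, device_key, "clip-1", clip)
    wrapped, ct = cloud["clip-1"]
    try:  # the service has no device key; any key it tries fails the tag check
        open_sealed(secrets.token_bytes(32), wrapped)
        cloud_can_decrypt = True
    except ValueError:
        cloud_can_decrypt = False
    try:
        restore_device_key(backup, "wrong passphrase")
        wrong_passphrase_fails = False
    except ValueError:
        wrong_passphrase_fails = True
    return {
        "clip": clip,
        "viewed_on_device": view(cloud, device_key, "clip-1"),
        "cloud_holds_plaintext": clip in ct,
        "cloud_can_decrypt": cloud_can_decrypt,
        "restored_on_new_phone": restore_device_key(backup, "correct horse battery staple") == device_key,
        "wrong_passphrase_fails": wrong_passphrase_fails,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    Two things are worth noticing. The service-side `cloud` dictionary never sees a raw key, so a breach or a subpoena there yields only blobs; and `restore_device_key` is the only recovery path, which is exactly why a lost passphrase means lost recordings. A real deployment would also need key rotation and a way to enrol more than one device, neither of which the article covers.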

  • Microsoft July 2021 Patch Tuesday: 117 vulnerabilities, Pwn2Own Exchange Server bug fixed

    Microsoft has released 117 security fixes for software including a remote code execution (RCE) vulnerability in Exchange Server found by participants of the Pwn2Own competition.

    The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for 117 flaws covering RCEs, privilege escalation, spoofing, memory corruption, and information disclosure. Thirteen are rated critical and nine are zero-days, four of them under active exploitation. Products affected by the update, issued on July 13, include Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, the Windows kernel, and Windows SMB.

    Some of the most notable vulnerabilities resolved in this update are:

    CVE-2021-31206: A Microsoft Exchange Server RCE found during Pwn2Own.
    CVE-2021-34448: An actively exploited scripting engine memory corruption vulnerability, which requires the victim to visit a malicious website or click a malicious link.
    CVE-2021-34494: A Windows DNS Server RCE, which affects only systems running the DNS Server role.
    CVE-2021-34458: A Windows kernel RCE in which a single root input/output virtualization (SR-IOV) device assigned to a guest could interfere with its PCIe siblings attached to other guests or to the root.

    The latest round of patches comes just a week after Microsoft issued an emergency fix for the Windows Print Spooler flaw nicknamed “PrintNightmare.” Tracked as CVE-2021-1675 and CVE-2021-34527, the combination of RCE and local privilege escalation is already being exploited, and exploit code has been released publicly. In total, four of the vulnerabilities are listed as exploited in the wild: CVE-2021-34527 (PrintNightmare), CVE-2021-34448, CVE-2021-31979, and CVE-2021-33771.

    Microsoft thanked researchers from Google Security, Checkmarx, the Trend Micro Zero Day Initiative, and Fortinet’s FortiGuard Lab, among other organizations, for reporting the now-patched security flaws. A number of vulnerabilities were also reported by the Microsoft Threat Intelligence Center (MSTIC). According to the Zero Day Initiative (ZDI), which reported 17 of the bugs, this month’s volume of fixes “is more than the last two months combined and on par with the monthly totals from 2020.” Last month, Microsoft resolved 50 vulnerabilities in the June batch of security fixes, including seven zero-day bugs, six of which Microsoft reported as actively exploited. A month earlier, May Patch Tuesday addressed 55 security flaws, four of them critical and three of them zero-days. Other vendors also published security updates alongside Microsoft’s Patch Tuesday round.

  • REvil websites down after governments pressured to take action following Kaseya attack

    Security researchers are reporting that all of the dark web sites for the prolific ransomware group REvil, including the payment site, the group’s public site, the ‘helpdesk’ chat and their negotiation portal, are offline.

    It is still unclear what caused the outages, but dozens of theories were floated online. On Friday, US President Joe Biden made news when he said he spoke directly to Russian President Vladimir Putin following REvil’s massive ransomware attack on Kaseya that affected almost 1,500 organizations.

    “I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden said. “And secondly, we’ve set up a means of communication now on a regular basis to be able to communicate with one another when each of us thinks something is happening in another country that affects the home country. And so it went well. I’m optimistic.”

    White House officials are expected to meet with members of the Russian government to discuss ransomware this week. While some security researchers believe the group may have taken their own websites down, either because of internal squabbles or fear over increased law enforcement scrutiny, others think it may be the result of official actions taken by government agencies. “We all want to believe it is law enforcement, but this is a pretty extensive takedown across multiple providers,” said Allan Liska, a ransomware expert on the CSIRT at Recorded Future.

    “This early on the more likely scenario is that it is a self-directed takedown. But I wouldn’t rule out ‘self-directed after a conversation with the Kremlin.’ We’ve been speculating about this since the Kaseya attack: Biden gets a win because a major ransomware gang is gone, Putin gets a win because he ‘helped’ and REvil gets to keep all of their money (and their heads). The timing, the day before the next ransomware summit tomorrow, also lines up. But, that is all speculation.”

    Jake Williams, CTO at BreachQuest, added that ransomware gangs operating in Russia “were on borrowed time the second Colonial was hit,” explaining that the Russian government didn’t care about the cybercrime occurring within its borders as long as it didn’t impact Russia itself. “That has clearly changed – the Russian government can clearly see they are being impacted by the actions of these actors. Whether REvil was taken out of commission by the Russian government, saw the writing on the wall and took infrastructure down, is simply rebranding like so many groups have (likely including REvil itself), or something else is unknown at this point,” Williams said.

    The Digital Shadows Photon Research Team has been scouring Russian-language forums for chatter about the outage and said that while discussion is limited, “some threat actors have speculated that even if law enforcement agencies have successfully targeted REvil, this will not spell the end of the group’s activities.”

    “Some predicted that the group will reappear under another name or split into smaller groups to attract less attention,” the team said. “The inaccessibility of the REvil ransomware group’s websites is unusual because the group’s infrastructure has historically been more stable than that of other ransomware groups. The outage could be down to temporary technical issues or upgrades, or it could signify a law enforcement disruption of the group’s operations. REvil’s representatives have not appeared on high-profile Russian-language cybercriminal forums for several days.”

    Others, like Check Point Software spokesperson Ekram Ahmed, compared the situation to the DarkSide ransomware group, which shut down its operations in May after its attack on Colonial Pipeline drew global headlines and outrage in the US. DarkSide also saw some of its infrastructure disrupted by US law enforcement agencies after the attack. “Though it might be too early to celebrate, another viable possibility is that the ransomware gang has decided to lay low, given all the attention and spotlight they’ve undergone recently from the Kaseya, Colonial Pipeline and JBS attacks,” Ahmed explained. “It’s possible that REvil has gone into ‘retirement’, or at least a temporary one, as they did with the GandCrab ransomware a few years ago.”

    REvil has attacked at least 360 US-based organizations this year, according to Emsisoft threat analyst Brett Callow. The RansomWhere research site says the group has brought in more than $11 million this year, with high profile attacks on Acer, JBS, Quanta Computer and more.

    Egnyte cybersecurity evangelist Neil Jones said people should be wary of celebrating the group’s potential downfall because new ransomware infrastructure can be brought online quickly. Steve Moore, chief security strategist at Exabeam, theorized that the outage “could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise.” “If the outage is the result of an offensive response, this then sends a new message to these groups that they have a limited window in which to work,” Moore said. “Furthermore, if a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organizations.”

  • Facebook announces time bonus payouts for bug hunters

    Facebook is adding a new perk to its bug bounty program that will pay bonus rewards to researchers based on the time it takes the social network to fix a vulnerability after it’s found and reported by bug hunters. 

    Essentially, Facebook is acknowledging that it’s sometimes slow to reach a bounty decision and is using this bonus payment to encourage patience among the researchers in its bug bounty community. The Payout Time Bonus applies to reports that are paid more than 30 days after Facebook receives all the information needed to reproduce the report and its impact, Facebook said. The bonuses are paid on a sliding scale: payouts made between 30 and 59 days receive a 5% bonus, payouts made between 60 and 89 days receive a 7.5% bonus, and payouts made after 90 days or more receive a 10% bonus. Reports that require clarification from the researcher will have the payments adjusted accordingly.

    Facebook has long maintained a friendly relationship with the infosec community and is one of the few companies managing its own bug bounty program. Facebook is known for offering large payouts on a regular basis and for open-sourcing many security-focused tools.

    After the Cambridge Analytica scandal, Facebook intensified its efforts to improve the security of its main platform and mobile apps, but also of its adjacent third-party app ecosystem. In 2018, Facebook started paying significant bug bounties to researchers who discovered exposures of user data in popular Facebook third-party apps and games. The following year, the social network expanded its bug bounty program to offer rewards for finding cases where third-party services exposed Facebook user access tokens. Around the same time, Facebook also began offering rewards of up to $40,000 to researchers who found vulnerabilities that could lead to account takeovers.

    Facebook stepped up its efforts to woo bounty hunters last year with the launch of Hacker Plus, the first-ever loyalty program for a tech company’s bug bounty platform. Designed after the loyalty programs used by airlines and hotels, Facebook said Hacker Plus would provide extra bonuses and special perks to bug hunters based on their past reports.

  • Ransomware: Only half of organisations can effectively defend against attacks, warns report

    Around half of firms don’t have the technology to prevent or detect ransomware attacks, according to research by cybersecurity company Trend Micro. It suggests that many organisations lack the cybersecurity capabilities required to prevent ransomware attacks, such as the ability to detect phishing emails, remote desktop protocol (RDP) compromise or other common techniques deployed by cyber attackers during ransomware campaigns.

    For example, the report warns that many organisations struggle to detect the suspicious activity associated with ransomware attacks that could provide early evidence that cyber criminals have compromised the network. That includes failing to identify unusual lateral movement across corporate networks, or to spot unauthorised users gaining access to corporate data. The cyber criminals behind ransomware attacks access this data not only to encrypt it but also to steal it, using the threat of publishing stolen information as extra leverage to pressure victims into paying the ransom for the decryption key.

    In addition, the research, commissioned by Trend Micro, suggests that under half of organisations can recover quickly following a ransomware attack, and that two in five could struggle to learn the mitigation processes required to avoid falling victim again, even after they have been hit once.

    “There is still a lot of scope for ransomware to become a larger problem,” warns the research paper. “And if organisations are ill-prepared the first time to defend against an attack, they may be ill-prepared the second and third times too. Until the business model of ransomware and extortion is disrupted, ransomware is an enduring threat that organizations will have to defend against.”

    The paper, based on interviews with 130 cyber professionals in mid-sized and large organisations in the United States conducted specifically for the research, recommends three cybersecurity procedures which organisations should employ to help protect against falling victim to ransomware and other cyber attacks: multi-factor authentication (MFA), rapidly patching security vulnerabilities, and storing backups offline.

    MFA can help a lot, because even if cyber criminals do manage to steal passwords, that extra layer of protection can act as an effective barrier to exploiting them. “While phishing may still result in compromised credentials, MFA reduces the consequential impact,” said the report. Meanwhile, rapid patching reduces the ability of cyber criminals to exploit known security vulnerabilities as part of the attack chain, while storing backups offline provides a way to retrieve data without paying cyber criminals for a decryption key.

    Even so, restoring the network can be a long and cumbersome process, so the best option is to avoid falling victim to a ransomware attack altogether, although the paper acknowledges that no cybersecurity strategy can completely prevent cyber attacks. If an organisation has a pre-prepared strategy for how to react to a cyber attack, it can make damage limitation and recovery much more effective.
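    The detection gap the report singles out, unusual lateral movement, is something a simple rule can cover once logon events are being collected. The following is an added example and not part of the Trend Micro report: it runs a sliding-window check over constructed Windows Security event 4624 (successful logon) records and flags any source address that logs on to several distinct hosts over RDP (logon type 10) or network logons (logon type 3) within a short window. The field names, hostnames, addresses and thresholds are invented for the illustration; tune `window_minutes` and `min_hosts` to your own baseline, and put vulnerability scanners and jump hosts in `ignore_sources` so they do not swamp the output.

```python
"""Sliding-window detection of one source fanning out to many hosts.

Added example; events are constructed to resemble Windows Security 4624 fields.
Logon type 10 = RemoteInteractive (RDP), 3 = Network (SMB, WMI, etc.), 2 = console.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    {"time": "2021-07-13T02:01:10", "host": "WS07", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"time": "2021-07-13T02:03:42", "host": "FS01", "user": "jdoe", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"time": "2021-07-13T02:06:05", "host": "DC01", "user": "jdoe", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"time": "2021-07-13T02:09:30", "host": "WS12", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"time": "2021-07-13T09:15:00", "host": "FS01", "user": "backup-svc", "logon_type": 3, "src_ip": "10.0.9.4"},
    {"time": "2021-07-13T09:16:00", "host": "FS02", "user": "backup-svc", "logon_type": 3, "src_ip": "10.0.9.4"},
    {"time": "2021-07-13T10:00:00", "host": "WS03", "user": "asmith", "logon_type": 2, "src_ip": "10.0.5.40"},
    {"time": "2021-07-13T23:50:00", "host": "WS20", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.23"},
]


def find_lateral_movement(events, window_minutes=15, min_hosts=3, logon_types=(3, 10), ignore_sources=()):
    """Return {src_ip: {...}} for every source that reached >= min_hosts distinct
    hosts via the given logon types inside any window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] in logon_types and e["src_ip"] not in ignore_sources:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["host"], e["user"]))

    findings = {}
    for src, rows in by_src.items():
        rows.sort()  # chronological; the window slides over this list
        for i, (t0, _, user) in enumerate(rows):
            hosts, end = [], t0
            for t, host, _ in rows[i:]:
                if t - t0 > window:
                    break
                if host not in hosts:
                    hosts.append(host)
                end = t
            if len(hosts) >= min_hosts:  # first qualifying window is enough to alert
                findings[src] = {"user": user, "hosts": hosts,
                                 "start": t0.isoformat(), "end": end.isoformat()}
                break
    return findings


if __name__ == "__main__":
    for src, f in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"{src} ({f['user']}) touched {len(f['hosts'])} hosts {f['start']}..{f['end']}: {f['hosts']}")
```

    On the sample data the rule fires for 10.0.5.23, which reaches four hosts in under ten minutes at 2 a.m., and stays quiet for the backup account that touches two file servers. Deduplicating by host rather than counting raw events is what keeps a single noisy session from tripping the threshold.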

  • These Iranian hackers posed as academics in a bid to steal email passwords

    An Iranian cyber espionage campaign used spoofed identities of real academics at a UK university in phishing attacks designed to steal the passwords of experts in Middle Eastern affairs at universities, think tanks and the media.

    Detailed by cybersecurity researchers at Proofpoint, who’ve dubbed it Operation SpoofedScholars, the campaign also compromised a university-affiliated website in an effort to deliver personalised credential harvesting pages to targets, under the guise of inviting them to speak in a webinar on Middle Eastern issues. Proofpoint researchers have linked the phishing campaign to an Advanced Persistent Threat (APT) group they refer to as TA453, also known as Charming Kitten and Phosphorus, a state-backed intelligence gathering operation working on behalf of the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian armed forces.

    The attackers used Gmail addresses designed to look like they belonged to genuine academics at the University of London’s School of Oriental and African Studies (SOAS), exploiting trust in the names of real staff. From those addresses they sent messages to prospective targets inviting them to an online conference on “The US Security Challenges in the Middle East”, including the offer to discuss details with the target by phone, which is unusual for a phishing lure. Eventually, the attackers sent a personalised “registration link” to their targets, sending them to what looked like a SOAS webinar platform.

    This was hosted on a legitimate but compromised website belonging to the University of London’s SOAS Radio, a website SOAS says is separate from the main SOAS website and not part of the official domain. It asked the user to sign in to the platform via an email address, with a different link to click depending on the victim’s email hosting provider.

    Options included Google, Yahoo, Microsoft, iCloud, Facebook and others. If the user clicked on the link, they’d be taken to a spoofed version of that provider’s login page, which the attackers could use to steal the username and password for espionage and further phishing attacks.

    The researchers are confident that the campaign is working out of Iran. “Attribution specifically for Operation SpoofedScholars is based on similarities to previous TA453 campaigns and consistency with TA453’s historical targeting. TA453 often uses free email providers to spoof individuals familiar to their targets to increase the likelihood of successful compromise,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. “Additionally, TA453 concentrates their credential phishing to specific individuals of interest to collect intelligence through exfiltration of sensitive email and contacts or initial access for future phishing campaigns”.

    It’s not known whether the attackers succeeded in stealing information, but after being informed that the website was compromised, SOAS took action to remove it. “Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these sort of peripheral systems,” a SOAS spokesperson told ZDNet. “To be clear, academic staff at SOAS of course have no involvement in this process, nor has any action or statement by SOAS staff led to them being spoofed in this way. There was no suggestion of breach of cybersecurity by any SOAS staff,” they said.

    Iranian cyber operations have regularly targeted academics in the UK and it’s likely that they’ll return with further campaigns in future. “Educational institutions will remain prime targets due to high student, faculty and staff populations and turnover, coupled with ongoing independent research and the culture of openness and information-sharing,” said DeGrippo. “It is vital that educational institutions make security awareness training and people-centric cybersecurity solutions a priority to aid staff with the ability to identify phishing pages,” she added.
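    A compromised but otherwise legitimate domain defeats reputation-based URL filtering, so the content of the page itself has to be inspected. The following is an added example, not Proofpoint’s or SOAS’s code: it parses a captured login page, looks for a form with a password field, and reports when the page carries a provider’s sign-in branding but is served from a host that is not that provider’s login host, or when the form posts credentials to a different host than the one serving the page. The provider-to-host mapping and both sample pages are constructed for the example; the branding match is deliberately loose (a substring) and the host list is not claimed to be complete.

```python
"""Flag credential forms that impersonate a provider or post off-host.

Added example. PROVIDER_LOGIN_HOSTS is an assumed, incomplete mapping; the two
sample pages are constructed and the hostnames in them are fictitious.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PROVIDER_LOGIN_HOSTS = {
    "google": {"accounts.google.com"},
    "microsoft": {"login.microsoftonline.com", "login.live.com"},
    "yahoo": {"login.yahoo.com"},
    "icloud": {"appleid.apple.com", "www.icloud.com"},
}


class _PageScanner(HTMLParser):
    """Collect forms (with whether they contain a password input) and visible text."""

    def __init__(self):
        super().__init__()
        self.forms, self.text, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def credential_page_findings(page_url: str, html: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    scanner = _PageScanner()
    scanner.feed(html)
    cred_forms = [f for f in scanner.forms if f["password"]]
    if not cred_forms:
        return []  # no credentials collected here; nothing to judge
    text = " ".join(scanner.text).lower()
    findings = []
    for brand, hosts in PROVIDER_LOGIN_HOSTS.items():
        if brand in text and page_host not in hosts:
            findings.append(f"'{brand}' sign-in branding served from {page_host}")
    for f in cred_forms:
        action_host = (urlsplit(urljoin(page_url, f["action"])).hostname or page_host).lower()
        if action_host != page_host:
            findings.append(f"password form posts off-host to {action_host}")
    return findings


# Constructed sample: a "webinar" page on a compromised university-affiliated host.
PHISH_URL = "https://radio.example.ac.uk/webinar/register/google/"
PHISH_HTML = """<html><head><title>Webinar Platform - Sign in</title></head>
<body><h1>Sign in with your Google account to register</h1>
<form method="post" action="/assets/collect.php">
  <input name="email" type="text"><input name="pass" type="password">
  <button type="submit">Continue</button></form></body></html>"""

# Constructed sample: the same branding on the provider's real login host.
LEGIT_URL = "https://accounts.google.com/signin/v2/identifier"
LEGIT_HTML = """<html><head><title>Sign in - Google Accounts</title></head>
<body><form method="post" action="/signin/v2/challenge">
<input name="identifier" type="email"><input name="password" type="password"></form></body></html>"""


if __name__ == "__main__":
    print("phish:", credential_page_findings(PHISH_URL, PHISH_HTML))
    print("legit:", credential_page_findings(LEGIT_URL, LEGIT_HTML))
```

    The check is intentionally narrow: it says nothing about a page that collects credentials for itself without borrowing a provider’s name, and a third-party site that legitimately offers “Sign in with Google” via a redirect will match the branding test and needs an allowlist. What it does catch is exactly the pattern described above, a provider’s login page rebuilt on a host the provider does not own.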

  • GPS for the moon: Nav tech heads to space

    Here’s a head scratcher: You’ve got a spaceship and you’ve just left Earth’s orbit. There’s a space station around here somewhere, but how do you navigate to it?

    Using a surprisingly cumbersome set of tools and onboard sensors, it turns out. In an age when you can sail across an ocean or climb a remote peak and instantly determine your precise location on a small device equipped with a GPS receiver, it’s easy to think humans have navigation nailed. But that network only works on our little planet. As space travel becomes a reality for a growing subset of people and commercial enterprises, navigation remains a big hurdle.

    “Unlike Earth, the Moon isn’t equipped with GPS so lunar spacecraft and orbital assets are essentially operating in the dark,” said Matthew Kuhns, vice president of research and development at Masten Space Systems, which has been building and flying reusable rockets for nearly two decades. “As a result, each spacecraft is required to carry heavy navigation hardware and sensors on-board to estimate positioning and detect potential hazards. By establishing a shared navigation network on the Moon, we can lower spacecraft costs by millions of dollars, increase payload capacity, and improve landing accuracy near the most resource-rich sites on the Moon.”

    That’s precisely what Masten is setting out to do thanks to a Phase II SBIR contract through the Air Force Research Laboratory’s AFWERX program to develop and demonstrate a lunar positioning and navigation network prototype. If that sounds similar to GPS, it’s because the system is being modeled to function similarly. Under an earlier contract, Masten already completed the concept design for a network prototype that offloads position, navigation, and timing (PNT) beacons from the spacecraft into a dedicated sensor array on the Moon. The next phase of the project, set to be complete in 2023, focuses on designing the PNT beacons. The devices must be extremely durable to survive lunar conditions, and for help in that arena Masten is turning to engineering and defense firm Leidos.

    “As one of the first commercial companies sending a lunar lander to the Moon, we’re in a unique position to develop and deploy a shared navigation system that can support other government and commercial missions and enable a thriving lunar ecosystem,” said Masten CEO Sean Mahoney. “We are literally blazing the trail with this effort, creating the pathway for regular, ongoing, and reliable access to the Moon.”

    The idea is to deploy shock-proof beacon enclosures that will penetrate the lunar surface and create an autonomous surface-based network similar to a mesh network. The network, if effective, will enable consistent wireless connectivity to lunar spacecraft, objects, and orbital assets.

    Masten’s rocket-powered lander, Xodiac, will be used to test the PNT beacons and to demonstrate payload integration and beacon operations in a terrestrial environment.

  • Modipwn: code execution vulnerability discovered in Schneider Electric Modicon PLCs

    A vulnerability discovered in Schneider Electric (SE) Modicon programmable logic controllers (PLCs) allows an attacker with network access to take full control of the controllers.

    Discovered by Armis researchers, the vulnerability can be used to bypass existing security mechanisms in the PLCs, hijack the devices and potentially affect the wider industrial installations they control. The authentication bypass, dubbed Modipwn, has been assigned CVE-2021-22779. Without authorization, attackers can abuse undocumented commands to gain full control over a controller: overwriting memory, leaking a hash that is required to take over secure connections, and executing code, which in turn can compromise the engineering workstations that manage the PLCs. SE Modicon PLCs are used to control Industrial Internet of Things (IIoT) devices in the construction, energy, machinery, and utility sectors, among others. Armis says that network access to the target PLC is all that is required to trigger an attack.

    Armis also points to inherent security issues in Modbus, an industry-standard protocol. Because SE’s proprietary UMAS protocol is built on top of Modbus, PLCs that speak UMAS inherit the classic protocol’s lack of encryption and authentication. Chained with CVE-2021-22779, previously known UMAS bugs (CVE-2018-7852, CVE-2019-6829 and CVE-2020-7537), which were only partially mitigated, again become a risk to Modicon M340 and M580 products as well as “other models.”

    “SE has stated in the past its intent to adopt the Modbus Security protocol that offers encryption and authentication mechanisms that are not part of the classic Modbus protocol,” Armis says. “These adoption steps, however, have yet to be implemented.”

    Armis informed SE of its findings on November 13, 2020. SE is due to issue clients an advisory with mitigation steps, but a full patch is not expected until Q4 2021. In addition, the research team found two further vulnerabilities, both authentication bypass bugs, which SE also needs to resolve. “Due to inherent shortcomings of the Modbus protocol that powers SE’s Unified Messaging Application Services (UMAS) protocol used by Modicon PLCs, Armis will continue working with SE and additional vendors to address these issues,” the company says.

    In 2017, a zero-day vulnerability in SE Triconex safety controllers was exploited by attackers attempting to disrupt industrial operations in the Middle East. During those attacks, the Triton malware was deployed to tamper with emergency shutdown systems.

    “As always, we appreciate and applaud independent cybersecurity research because, as in this case, it helps the global manufacturing industry strengthen our collective ability to prevent and respond to cyberattacks,” Schneider Electric said in a statement.
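    Because classic Modbus, and UMAS on top of it, carries no authentication, the controller cannot tell an engineering workstation from an attacker on the same network; until the patch ships, the compensating control is on the network side. The following is an added example, not Armis’s or Schneider Electric’s code: it parses Modbus/TCP frames and raises an alert when UMAS traffic or a standard Modbus write function arrives from a host outside an engineering allowlist, or when a frame is malformed. It assumes, as public protocol descriptions state, that UMAS rides on Modbus function code 0x5A; the sample frames and addresses are constructed, and the UMAS payload is reported as raw hex rather than interpreted.

```python
"""Audit Modbus/TCP frames for UMAS and write traffic from unexpected hosts.

Added example. Assumes UMAS is carried in Modbus function code 0x5A (90);
sample frames and addresses below are constructed for the illustration.
"""
import struct

UMAS_FUNCTION = 0x5A
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}  # standard Modbus write codes


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the PDU; raise ValueError if malformed.
    MBAP = transaction id (2) | protocol id (2, must be 0) | length (2) | unit id (1);
    the length field counts the unit id plus the PDU that follows it."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def audit(frames, engineering_hosts) -> list:
    """frames: iterable of (src_ip, raw_bytes). Returns [(src_ip, reason), ...]."""
    alerts = []
    for src, raw in frames:
        try:
            pdu = parse_modbus_tcp(raw)
        except ValueError as exc:  # malformed frames are suspicious from anyone
            alerts.append((src, f"malformed: {exc}"))
            continue
        if src in engineering_hosts:
            continue  # allowlisted workstations may program the PLC
        fc = pdu["function"]
        if fc == UMAS_FUNCTION:
            alerts.append((src, f"UMAS (0x5A) from non-engineering host, payload {pdu['data'].hex()}"))
        elif fc in WRITE_FUNCTIONS:
            alerts.append((src, f"Modbus write function 0x{fc:02X} from non-engineering host"))
    return alerts


SAMPLE_FRAMES = [  # constructed (src_ip, MBAP + PDU)
    ("10.1.1.50", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # HMI reads 10 holding registers
    ("10.1.1.10", bytes.fromhex("0002 0000 0004 01 5A 00 02")),       # UMAS from the engineering workstation
    ("10.1.1.77", bytes.fromhex("0003 0000 0004 01 5A 00 02")),       # UMAS from an unknown host
    ("10.1.1.77", bytes.fromhex("0004 0000 0006 01 06 0001 00FF")),   # write single register, unknown host
    ("10.1.1.77", bytes.fromhex("0005 0001 0006 01 03 0000 000A")),   # bogus protocol id
]
ENGINEERING_HOSTS = {"10.1.1.10"}


if __name__ == "__main__":
    for src, reason in audit(SAMPLE_FRAMES, ENGINEERING_HOSTS):
        print(src, reason)
```

    The allowlist is the whole control here: the protocol gives the monitor nothing else to go on, which is the same reason the PLC itself can be driven by anyone who can reach TCP port 502. Feed the function real captures (for example by reassembling TCP payloads from a span port) and expect to whitelist read-only polling from HMIs and historians, which the rule already ignores.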