  • Abode launches $35 Abode Cam 2 security camera

    Abode on Tuesday announced its latest product, a $35 smart security camera. Abode offers a complete home security system that includes cameras, motion sensors, and door or window sensors. 

    However, before Tuesday, the only camera listed in the Abode shop was the $199.99 Outdoor Smart Camera. 
    With the addition of the Abode Cam 2, the company gives its subscribers and those who are new to the platform an inexpensive option. To be clear, you don’t need to have an Abode security system in order to use the Cam 2, but if you do, it’ll integrate directly with your security system. 
    The Cam 2 is capable of 1080p with an IP65-rated housing, which will allow you to place it inside or outside, even if it’s exposed to the occasional rain or snowstorm. There’s a built-in Starlight sensor that brings full-color night vision to the Cam 2, allowing you to see what’s happening in a dark room or in front of your house at night. 
    You don’t have to sign up for a paid Abode plan to use the camera. You’ll still be able to view live video, and you’ll also receive motion alerts on your phone. However, in order to use Smart Detect with person detection and 24/7 video recording (the Cam 2 can detect motion), you’ll need to sign up for one of Abode’s monitoring plans. 

    The standard plan is $6 a month or $60 per year and includes seven days of video storage. The premium plan is $20 a month or $200 a year and includes 30 days of video storage. Abode says it will add package and pet detection later this year. The latter plan is more geared toward users who have a complete Abode security system, and not just a single camera. 
    The camera doesn’t support Apple’s HomeKit platform, but it will work with Amazon Alexa and Google Assistant. 

    The design of the Cam 2 reminds me of the $20 Wyze Cam, another reasonably priced camera. Only instead of cloud storage, you can use the microSD card slot to store video locally. 
    The $29.99 price is an introductory price for pre-orders. After the promotion ends, the Cam 2 will cost $34.99. 
    Abode expects the camera to begin shipping in April. To learn more about the Cam 2 or order one for yourself, make sure to visit Abode’s site.

  • Best Mac cleaner: Favorite cleaning and optimization tools

    Macs are true workhorses, but as is the case with every computer, detritus builds up, filling storage space, and turning a once-speedy system sluggish. With a little bit of care and feeding, a Mac can run at its best for longer. Also, depending on what you use your Mac for, having a suite of tools and utilities that can carry out useful tasks with a click of a button is super handy.

    My absolute favorite Mac utility. One click allows you to find junk files, scan your system for threats, and look for ways to speed up your system. Then, with another click, all those tasks are carried out, quickly, efficiently, and safely. It’s a great product that gets regular and timely updates, and a tool that’s helped me keep many Macs running smoothly for years. Highly recommended!
    $34 at MacPaw

    There are a lot of tools that claim to be able to recover your data when your disk fails. DiskWarrior is the only one I trust with that task. With one click, you can get DiskWarrior to scan your storage drive, find all recoverable data, and then build an error-free, optimized copy for you.
    $119 at Alsoft

    Not a single tool, but a suite of over 30 tools, most of which are productivity and system health tools, and all of which are super easy to use. Many do their jobs with a single click.
    So, what utilities are there? There’s a disk cleanup tool, image resizer, video downloader, screen recorder, archiver, clipboard history tool, GIF maker, presentation mode switch, and much more. Because there are so many parts to Parallels Toolbox, I sometimes lose track of how much I use these tools every day.
    $19 at Parallels

    One of the things that can be responsible for a lot of wasted storage space is duplicate files. It’s not just duplicate files that can be a problem, but also similar files. This can be especially true when it comes to photos. Gemini 2 can scan your photos, spot ones that are similar, and let you pick which ones to keep. 
    $19 at MacPaw

    The all-in-one temperature monitoring, fan control, and diagnostics for Macs. 
    If you’re someone who makes their Mac work hard, this is a fantastic tool for tuning the cooling system for optimal performance and keeping things running at their best.
    $10 at Tunabelly Software
    Other honorable mentions
    MacCleaner Pro: Speed up and clean up your Mac, as well as manage your precious storage space (compatible with M1-powered Macs).
    MacBooster 8: Free up space on your Mac by eradicating 20 different types of junk files from your system. 

  • Bug bounties: More hackers are spotting vulnerabilities across web, mobile and IoT

    The number of hackers uncovering security vulnerabilities and submitting them to one of the best known bug bounty programs increased by almost two thirds over the course of the last year.
    The 2021 Hacker Report from bug bounty platform HackerOne details the development of penetration testing and ethical hacking over the last 12 months and says that there’s been a 63 percent increase in the number of hackers submitting vulnerabilities over the course of that period.
    The goal of bug bounty schemes is to provide ethical hackers with a means of discovering and disclosing these vulnerabilities before cyber criminals take advantage of them. Hackers earned $40 million from disclosing vulnerabilities to the HackerOne bug bounty program during the last year alone, up from $19 million in 2019.
    While most of the people hunting for vulnerabilities focus on web applications, there’s been an increase in those examining other potential flaws, with a large growth in the submission of vulnerabilities relating to Android, Internet of Things devices and APIs.
    While the financial incentives of finding vulnerabilities do play a role in hacking – 76 percent of those surveyed by HackerOne said they do it to make money – 85 percent of those involved in bug bounty schemes say they’re involved in order to learn, while two thirds do it for fun.
    “We’re seeing huge growth in vulnerability submissions across all categories and an increase in hackers specialising across a wider variety of technologies,” said HackerOne co-founder, Jobert Abma, who believes human ingenuity is still the best way to discover and disclose security vulnerabilities.

    “Every time a hacker links several low-severity vulnerabilities together to help a customer avoid a breach, or finds a unique bypass to a software patch, it proves that machines will never truly outpace humankind,” he said.

  • iPhone, iPad and Mac security: Apple releases fixes for bug that could allow code execution via malicious web content

    Apple has released a fix for a bug that affects iPhones, iPads and MacBooks and which could lead to ‘arbitrary code execution’ by visiting a website hosting malicious code. 

    Like many bugs, this one is a memory related bug and it affects WebKit, the browser engine behind Safari on iPhones and MacBooks. Apple delivered the security fix in macOS Big Sur 11.2.3 and iOS 14.4.1 and iPadOS 14.4.1. 
    In typical fashion, Apple hasn’t released much information about the bug but notes that the issue means its browser is vulnerable to processing maliciously crafted web content that “may lead to arbitrary code execution”.
    The bug, tracked as CVE-2021-1844, was discovered by Clément Lecigne from Google’s Threat Analysis Group and Alison Huffman from Microsoft’s browser vulnerability research group. 
    Apple doesn’t say whether the bug was being exploited before the update. Both security researchers are noteworthy. 
    Huffman discovered a flaw in Google’s Chrome browser that was being exploited before Google released a patch. That bug, CVE-2021-21166, was addressed in the release of the Chrome 89 stable channel for desktop on Windows, Mac, and Linux last week. Lecigne found two critical iPhone bugs that were being exploited in 2019.   

    The iOS updates are available for the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).
    iOS 14.4.1 is available now worldwide and contains a 138MB update. “This update provides important security updates and is recommended for all users,” Apple notes. iPhone owners can go to the Settings app and check for software updates to get the patch. It’s always easy to install but, as usual, the process takes a few minutes while the device prepares the update and then users will need to wait for the device to restart.

  • Malicious apps on Google Play dropped banking Trojans on user devices

    Google has removed 10 apps from the Play Store which contained droppers for financial Trojans. 

    On Tuesday, Check Point Research (CPR) said in a blog post that the Android applications appear to have been submitted by the same threat actor who created new developer accounts for each app.
    The dropper was loaded into otherwise innocent-looking software and all 10 apps were utilities, including Cake VPN, Pacific VPN, BeatPlayer, QR/Barcode Scanner MAX, and QRecorder. 
    The utilities’ functionality is ripped from existing, legitimate open source Android apps. 
    In order to avoid detection by Google’s standard security protections, Firebase was used as a platform for command-and-control (C2) communication and GitHub was abused for payload downloads. 
    According to the researchers, the hidden dropper’s C2 infrastructure contains parameters — enable or disable — to ‘decide’ whether or not to trigger the app’s malicious functions. The parameter is set to “false” until Google has published the app, and then the trap springs. 
    Dubbed Clast82, CPR says the newly-discovered dropper has been designed to deliver financial malware. Once triggered, second-stage payloads are pulled from GitHub including mRAT and AlienBot.

    “If the infected device prevents installations of applications from unknown sources, Clast82 prompts the user with a fake request, pretending to be ‘Google Play Services’ requesting the user to allow the installation every five seconds,” the team says. 
    mRAT is used to provide remote access to a compromised mobile device, whereas AlienBot facilitates the injection of malicious code into existing, legitimate financial apps. Attackers can hijack banking apps to obtain access to user accounts and steal their financial data, and the malware will also attempt to intercept two-factor authentication (2FA) codes. 
    The researchers reported the malicious apps to Google on January 29, a day after discovery. By February 9, Google had confirmed that the malware had been removed from the Play Store. The apps accounted for roughly 15,000 installs.
    “The hacker behind Clast82 was able to bypass Google Play’s protections using a creative, but concerning, methodology,” commented Aviran Hazum, Check Point mobile research manager. “With a simple manipulation of readily available third-party resources — like a GitHub account, or a FireBase account — the hacker was able to leverage readily available resources to bypass Google Play Store’s protections.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Microsoft Exchange server hack: Banking agency on 'heightened alert' after cyberattack

    Hackers breached the email servers of the European Banking Authority (EBA) as part of the global cyberattacks targeting Microsoft Exchange Server – and while the Paris-based financial security agency for the European Union says that no data has been stolen as part of the attack, it remains on high alert.
    The EBA fell victim to a hacking campaign exploiting four zero-day vulnerabilities in Microsoft Exchange Server that has affected tens of thousands of organisations around the world.

    The vulnerabilities allowed cyber attackers to gain access to the European Banking Authority’s email servers, initially leading to fears that personal data may have been accessed by hackers.
    However, in an update on the investigation into the incident, the EBA said the email infrastructure has been secured and at this stage it’s believed “no data extraction has been performed” and there’s “no indication to think that the breach has gone beyond our email servers”.
    The EBA’s email system was taken offline as a precautionary measure but it has now been fully restored following the deployment of additional security measures.
    “Since it became aware of the vulnerabilities, the EBA has taken a proactive approach and carried out a thorough assessment to appropriately and effectively detect any network intrusion that could compromise the confidentiality, integrity and availability of its systems and data,” the EBA said in a statement.

    “Besides re-securing its email system, the EBA remains in heightened security alert and will continue monitoring the situation,” it added.
    Analysis of the Microsoft Exchange Server attack was carried out by the European Banking Authority in collaboration with the European Union’s Computer Emergency Response Team (CERT-EU), as well as additional security experts.
    The EBA is just one of thousands of organisations around the world that are believed to have been targeted by attackers exploiting newly discovered zero-day flaws in Microsoft Exchange Server, the email inbox, calendar, and collaboration solution used by enterprises of all sizes around the world.
    Microsoft has released a security update to patch the vulnerabilities and is urging customers to apply it as soon as possible to protect themselves from being attacked.
    The cyberattacks targeting Microsoft Exchange Server have been attributed to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.
    Other organisations targeted by the hacking group include think tanks, non-profits, defence contractors, higher education institutions and infectious disease researchers.

  • Microsoft Exchange attacks: Now Microsoft rushes out a patch for older versions of Exchange

    Microsoft has released security updates for unsupported versions of Exchange email servers following widespread attacks exploiting four newly discovered security vulnerabilities.
    Microsoft has already released out-of-band emergency patches for Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 but, in light of ongoing cyberattacks exploiting the flaws, it’s produced security updates for earlier versions of Exchange it otherwise does not patch. 

    The security updates for older versions of Exchange only address the four newly disclosed flaws that are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The issues affect on-premise Exchange servers. 
    Though patches for unsupported Microsoft products are rare, the company has been forced to issue them on multiple occasions in the past five years to address global cyberattacks. It made patches for unsupported Windows XP in 2017 after the WannaCry ransomware attacks and produced patches for Windows XP again in 2019 after identifying a severe wormable flaw in Windows.    
    Microsoft notes that this security update for Exchange only addresses the four new flaws and does not mean those versions of Exchange, such as Exchange 2010 and earlier, are now supported. The patches are designed to update specific cumulative updates (CU) of Exchange. 
    The patches include updates for the following cumulative updates: 
    “Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs). The availability of these updates does not mean that you don’t have to keep your environment current,” Microsoft states.  

    “This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.”
    Microsoft spokesman Frank X Shaw said on Twitter that Microsoft engineers had “worked around the clock to deliver fixes” for these older and unsupported cumulative update versions of Windows Exchange.
    Microsoft raced out patches for Exchange earlier this month after security researchers discovered that suspected China-backed hackers were exploiting Exchange servers to access emails of targets. Security firm Volexity said the bugs had been exploited from around January 6, 2021.  
    The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) this week ordered civilian agencies to apply Microsoft’s patches or disconnect vulnerable email servers. CISA also warned it had seen “widespread domestic and international exploitation” of the flaws. 
    It’s been a busy few months for cybersecurity teams around the world after the SolarWinds supply chain attack was disclosed by Microsoft and FireEye in mid-December. Those teams are already under pressure after supporting remote-working arrangements during the pandemic. 
    Chris Krebs, the former director of CISA, commented this week that incident response teams are burned out. He recommended patching Exchange now if possible and assuming that the organization has been breached already. If searching for signs of compromise was not currently possible, he recommended following CISA’s advice: disconnect and rebuild the Exchange server.
    Microsoft says the new Exchange updates are available only through the Microsoft Download Center and not on the Microsoft Update service.
    “We are producing updates only for some older CUs for Exchange 2016 and 2019,” it notes. 
    Microsoft also warns that there are problems with this security update that may cause Outlook on the web to crash, depending on the configuration. 
    “When you try to manually install this security update by double-clicking the update file (.msp) to run it in normal mode (that is, not as an administrator), some files are not correctly updated,” Microsoft notes in a support document. 
    “When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook on the web and the Exchange Control Panel (ECP) might stop working.”
    “This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services. To avoid this issue, follow these steps to manually install this security update.”
    CISA today issued another warning for organizations to apply Microsoft’s patches. 
    “CISA urges ALL organizations across ALL sectors to follow guidance to address the widespread domestic and international exploitation of Microsoft Exchange Server product vulnerabilities,” CISA said on Twitter. 
    “An adversary can exploit this vulnerability to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack,” it said in an advisory.

  • UnityMiner cryptocurrency malware hijacks QNAP storage devices

    A cryptocurrency miner is being deployed on QNAP NAS devices through a remote code execution flaw.

    QNAP, a Taiwanese vendor, manufactures hardware including network-attached storage (NAS) devices, products used to provide additional, centralized storage in home and business use cases. 
    On March 2, 360Netlab researchers received reports that QNAP NAS devices were subject to a new wave of attacks. 
    Internet of Things (IoT) and associated devices are commonly hijacked through brute-force attacks and via credential theft. However, in this case, two vulnerabilities leading to remote code execution (RCE) are thought to be to blame. 
    The vulnerabilities are tracked as CVE-2020-2506 and CVE-2020-2507. According to QNAP, the Helpdesk app security issues combine improper access control and a command injection vulnerability which can be used to trigger RCE and hijack NAS devices. 
    The critical vulnerabilities were disclosed in a security advisory dated October 7, 2020. Devices that contain firmware prior to August are vulnerable. 
    360Netlab researchers estimate that “hundreds of thousands of online QNAP NAS devices” have not been patched. An online mapping scan, as of last week, detected 4,297,426 QNAP NAS devices — with 951,486 unique IPs — that may remain vulnerable. 

    The team says that these products are susceptible to full hijacking through attackers gaining root privileges — and this allows them to deploy cryptocurrency mining malware. 
    The miner is called UnityMiner. This malware, which utilizes a version of open source XMRig — used to mine Monero (XMR) — is able to disguise the mining process and tamper with reported CPU memory resource usage data in an attempt to hide its presence on a compromised machine. 
    “When QNAP users check the system usage via the web management interface, they cannot see the abnormal system behavior,” the researchers note. 
    Once deployed on a target machine, the malware consists of unity_install.sh and Quick.tar.gz, which together contain download instructions, the payload, and configuration data. 
    The CPU architecture will be checked so the correct miner version can be installed, and as of now, UnityMiner is compatible with ARM64 and AMD64. Only half of the available cores are used for mining, likely in another effort to stay under the radar and not overload the infected NAS device. 
    Three pool proxies are used to disguise the address of the wallet where cryptocurrency, after mining, is stored. 
    360Netlab contacted QNAP with its findings on March 3. 
    In January, QNAP published a security advisory warning of the active exploit of Dovecat, malware that compromises NAS devices via weak credentials for the purpose of cryptocurrency mining. 
    ZDNet has reached out to QNAP and will update when we hear back. 