IP Camera Hacking Attempts Are Rising

Trend Micro recently published statistics that just about everyone should find disturbing. According to the security company, it has blocked more than five million cyber-attacks against IP cameras in the past five months alone.

Worse, IP cameras don’t tend to have great security in place to begin with, making it relatively easy for hackers to control them remotely. IP cameras send video directly to the internet as it is captured, and are typically used for surveillance. They’re among the vast crop of ‘low-hanging fruit’ among web-connected devices these days.

The company found that fully 75 percent of the attacks relied on simple brute-force tactics.

Oscar Chang, of Trend Micro, had this to say about the findings:

“More verticals are seeking connected, AI-powered video surveillance applications, causing a clear paradigm shift from a relatively closed-off network to a more interconnected network operated heavily by cloud-based technologies. Due to this shift in the landscape, manufacturers and users must pay attention to the security of these IoT devices. While the industry has known about cyber-risks, manufacturers have been unable to properly address the risk without knowing the root cause and attack methods.”

Those are wise words. The number of smart devices has grown explosively in recent years, and hackers have gleefully appropriated them by the tens of thousands and turned them into botnet armies for hire.

Given those circumstances, one would think that every smart device manufacturer would make increased security of the devices they sell a top priority. To date, however, that simply hasn’t been the case. Until that changes, we can expect to see...
Windows Phone App Updates Are Ending Soon

Microsoft initially had grand ambitions where smartphones were concerned. The company invested billions in its quest to create a phone that ran on Windows 8 (and later, Windows 8.1), all in a bid to carve out a niche for itself in a market dominated by iOS and Android.

That plan never bore much fruit. Although the company sold some Windows-based smartphones, it was never able to penetrate the market deeply enough to establish a strong foothold. After a few years of trying, the company quietly retreated from the market.

That’s bad news for anyone who owns a Windows 8 or 8.1 smartphone. Recently, the news got a little worse. Microsoft has announced that there will be no further app updates from the Windows store for those devices.

This is sad news, but hardly a surprise. The company formally announced the end of support for Windows-based smartphones back in July of 2017. Since then, the owners of those devices haven’t received any security updates or other fixes. This, then, is a natural extension of a policy already well on its way to being fully executed.

As for the owners of the phones, they don’t have any recourse except to retire the phone and buy something new in the Android or iOS ecosystem. Even if you own a Windows 8 phone that’s capable of running Windows 10, your device will still be on borrowed time, so it may not even be worth the effort to upgrade. Microsoft has already announced that Windows 10 support for mobile devices will be coming to an end. All that to say, the clock...
Recent Popular Aged Face App on Facebook Has Serious Privacy Issues

If you spend any time at all on social media, you’ve probably seen the latest craze: people posting photos of themselves aged, so they look like they’re in their sixties, seventies, or even older than that.

FaceApp, the program behind the face-aging magic, has actually been available for a few years, but it has only recently gained the attention of the masses, suddenly and inexplicably going viral after enjoying a quiet existence early on. Unfortunately, one feature of the app, paired with the company’s expansive terms of service, could make a number of users uncomfortable.

Let’s start with the company’s terms of service, which read, in part, as follows:

“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your Username, location or profile photo) will be visible to the public.”

That’s quite a mouthful, but think for a moment about the scope and scale of the permission you’re giving this app.

Now pair that with the fact that when you tap a photograph in the app and instruct it to age you, it uploads a copy of your photo to servers located in Russia. Also note that it doesn’t ask...
Update Your Browser To Fix New Firefox Security Vulnerability

Are you a Firefox user? If so, you’ll want to update to version 67.0.4 as soon as possible.

Just last week, Mozilla released Firefox 67.0.3 to address a critical remote code execution vulnerability that was being used in the wild to selectively target vulnerable systems. Unfortunately, that proved to be just the tip of the iceberg. Since then, the company discovered that the vulnerability it initially addressed was merely the second part in a chained pair of security flaws. The pair worked in tandem to drop malicious code onto vulnerable systems and execute it.

In response, the company quickly released the latest version, 67.0.4, which addresses both links in the chain. The issue, initially reported by Coinbase Security, is being tracked as CVE-2019-11708. Its description reads as follows:

“Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities, this could result in executing arbitrary code on the user’s computer.”

This is a serious issue indeed, especially since it’s one that’s already being actively exploited by hackers around the world.

If you’re not sure what version you’re running, open Firefox, go to the Help menu, and click on “About Firefox.” The software will take it from there and scan for a new version. If one is available, it will let you know, and you can download and install it. If you don’t want to go that route, just head to Mozilla’s website and grab the latest version directly from there. Kudos to the sharp-eyed...
Large Percentage Of Mobile Apps Have Security Flaws

How many apps do you have on your phone? If you’re like most people, you’ve likely got dozens or more. Considering how much storage is available on mobile devices these days, people tend to install apps and, when they no longer want them, not bother to uninstall them.

Whatever your number is, the statistics recently published by Positive Technologies in their report “Vulnerabilities and Threats in Mobile Applications 2019” will alarm you. Here are a few of the key findings:

- 35 percent of all mobile apps tested had vulnerabilities relating to the insecure transmission of sensitive data.
- 35 percent had issues with the incorrect implementation of session expiration.
- 20 percent had problems relating to sensitive data being stored in the app source code and insufficient protection against cyber attacks using brute-force techniques.
- 29 percent of tested apps contained vulnerabilities relating to insecure inter-process communications, which are classed as high risk.

Overall, high-risk vulnerabilities were found in 38 percent of tested iOS apps, and 43 percent of Android apps. Even worse, 89 percent of the vulnerabilities that were discovered could be exploited via malware. The hacker targeting the device would never even need to take physical control of it.

Leigh-Anne Galloway (one of the people responsible for the report) said:

“Developers pay painstaking attention to software design in order to give us a smooth and convenient experience and people gladly install mobile apps and provide personal information. However, an alarming number of apps are critically insecure, and far less developer attention is spent on solving that issue. We recommend that users take a close look when applications request access...
NASA Suffers Data Breach With Device Connected To Network

Not even NASA is immune to hacking. Recently, the American space agency announced that it had traced a breach back to April of 2018. That was when a group described as an APT (Advanced Persistent Threat) breached the Jet Propulsion Laboratory’s network via a Raspberry Pi device that was improperly connected to the network.

The hackers made off with more than 500MB worth of data in 23 files. Two of the files contained sensitive information covered by the International Traffic in Arms Regulations and relating to the Mars Science Laboratory mission.

According to investigators, the reason the hackers were able to burrow so deeply into the agency’s networks from a third-party device was that the agency did not have its network properly segmented. Once the hackers gained access, they could go pretty much anywhere they wanted.

“We also found that security problem log tickets, created in the TISB when a potential or actual IT system security vulnerability is identified, were not resolved for extended periods of time - sometimes longer than 18 days,” the investigators from the OIG said.

Late last year, the US Department of Justice charged a pair of Chinese nationals with hacking cloud providers, the US Navy, and NASA. The DOJ’s filings identified the pair as part of one of the Chinese government’s elite hacking corps, known as APT10.

Given that, it is entirely possible that APT10 was behind the Raspberry Pi incident. They certainly have the skills, means and motive, especially given Chinese interest in US technology in general and their recent big push for space exploration. Clearly, NASA has some work to do to shore up their security,...