A quick Saturday digest of cybersecurity news articles from other sources.
FBI Releases Guidance on Defending Against VTC Hijacking and Zoom-bombing
Original release date: April 2, 2020
The Federal Bureau of Investigation (FBI) has released an article on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when attacks are to the Zoom VTC platform). Many organizations and individuals are increasingly dependent on VTC platforms, such as Zoom and Microsoft Teams, to stay connected during the Coronavirus Disease 2019 (COVID-19) pandemic. The FBI has released this guidance in response to an increase in reports of VTC hijacking.
The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review the FBI article as well as the following steps to improve VTC cybersecurity:
- Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
- Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
- Ensure VTC software is up to date. See Understanding Patches and Software Updates.
CISA also recommends the following VTC cybersecurity resources:
- FBI Internet Crime Complaint Center (IC3) Alert: Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments
- Zoom blog on recent cybersecurity measures
- Microsoft Teams security guide
Teaching Kids About Internet Safety
Age-appropriate ways to teach your children about internet safety. The Internet can be a source of education and fun for children. They can use it as a resource for school projects, watch fun videos, play interactive games, and learn more about the world. However, it’s also possible for them to stumble on inappropriate content or become a victim of cyberbullying and online predators. They may also unwittingly put themselves or other relatives at risk of identity theft by revealing personal information. That’s why it’s important to educate them starting at an early age.
Time to Level Up Our Cyber Resiliency Game
This article was originally published on Medium.com on September 19, 2018, here. This article was written by Ian Barwise, whose Twitter handle is z3roTrust. It is a longer read, about 30 minutes, but it does a great job of looking at cyber resiliency. Resiliency is the ability of a system to recover from system failure and return to some level of operational utility. Ian looks at the current state of affairs here in the US. Definitely worth a look. A brief preview from the article:
“Have you ever wondered why the United States, arguably the most technologically advanced nation to ever exist; inventor of the Internet, the Deep Web, and the Dark Web; generally continues to be the victim of massive data breaches such as those suffered by Equifax, Yahoo, the Office of Personnel Management (OPM), Ashley Madison, or Target? It’s lonely at the top when everyone is targeting you. It may seem strange to the layperson who is not formally educated or trained in cybersecurity, but there is a perfectly rational explanation for why U.S. cybersecurity appears to suck so badly. Unfortunately, this predicament we find ourselves in cannot be pinpointed to a single reason for the sad state of national cybersecurity due to the sheer size of the government and corporate industry which makes protecting it a nearly impossible task. Sadly, it has been a total shit show that continues to get worse over time because there are so many hands in the proverbial ‘cookie jar.’ There are ‘too many cooks in the kitchen,’ everyone wants to be a decision-maker, a policy influencer, and a technical expert.”
Top 5 remote access threats
When working from home, it’s important to understand the security risks. Tom Merritt lists five remote access threats so you can secure your system.
Voatz Internet Voting App Is Insecure
[2020.02.17] This paper describes the flaws in the Voatz Internet voting app: “The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections.”
Abstract: In the 2018 midterm elections, West Virginia became the first state in the U.S. to allow select voters to cast their ballot on a mobile phone via a proprietary app called “Voatz.” Although there is no public formal description of Voatz’s security model, the company claims that election security and integrity are maintained through the use of a permissioned blockchain, biometrics, a mixnet, and hardware-backed key storage modules on the user’s device. In this work, we present the first public security analysis of Voatz, based on a reverse engineering of their Android application and the minimal available documentation of the system. We performed a clean-room reimplementation of Voatz’s server and present an analysis of the election process as visible from the app itself.
We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote,including a sidechannel attack in which a completely passive network adversary can potentially recover a user’s secret ballot. We additionally find that Voatz has a number of privacy issues stemming from their use of third party services for crucial app functionality. Our findings serve as a concrete illustration of the common wisdom against Internet voting,and of the importance of transparency to the legitimacy of elections.
iPhone is now Capable of Creating an Encrypted Google Safety Key
Google is updating their Google Smart Lock app to include iPhone users the ability to use their device as an encrypted security key, bypassing the need to receive one-time passwords over SMS (short message service.) Learn how to setup and activate this feature to keep your data extra secure.
Get the “F” Out – Keep Facebook off your trail
You see them everywhere: those little “F” buttons from Facebook. Sure, they let you share things quickly to your profile. But they also let Facebook follow and collect information about you without your consent — even if you don’t have an FB account.
So Firefox built the Facebook Container extension. It keeps FB out of your business when you’re not in their app. Not on FB these days? It works with Instagram, FB Messenger and Workplace, too. Get Facebook Container
Phone carriers may soon be forced to adopt anti-robocall tech
About freaking time already!! US carriers haven’t been doing enough to block robocalls voluntarily. Boo! The Federal Communications Commission’s response? Fine – we’ll make you. Yay!
Watch out for Office 365 and G Suite scams, FBI warns businesses
The FBI has warned users of Microsoft Office 365 and Google G Suite hosted email about Business Email Compromise (BEC) scams.
Forecasting the future of artificial general intelligence
The World Economic Forum wants to create an “ethics switch” to prevent artificial general intelligence from being harmful or unethical. Good luck with that.
FBI arrests alleged owner of Deer.io, top market for stolen accounts
Started around 2013, the site claims to host over 24,000 active shops doing brisk business in stolen PII and hacking services.
Trial for accused CIA leaker ends in hung jury
The US is expected to press for a retrial in the high-stakes trial of Joshua Schulte, suspected of raiding the CIA’s cyber arsenal.
Share
APR
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com