Category Archives: News

Trolls ZoomBomb work-from-home videocall with filth

With so much of the world self-isolating, physically distancing themselves from others and remotely working from home, people are flocking to remote-work apps such as Microsoft Teams, Slack and Zoom – anything that can make them feel connected by teleconference or videoconference.

Well, hang on to your hats, hosts: before you set up meetings, you need to know how to block the trolls. Specifically, if you’re using the Zoom videoconferencing app to connect people, you need to configure meetings so your participants don’t wind up connecting to the closest receptacle as their guts suddenly start to churn.

I’m talking about ZoomBombing: a new form of trolling in which asshats use Zoom’s screensharing feature to scorch other viewers’ eyeballs with the most revolting videos they can find, be they violent, pornographic, or a mixture of multiple revolting ingredients into a bile-rising cocktail.

As TechCrunch reports, on Tuesday, WFH Happy Hour – a popular daily public Zoom call hosted by The Verge reporter Casey Newton and investor Hunter Walk – got ZoomBombed. Dozens of attendees were suddenly exposed to disturbing imagery when a troll entered the call and screenshared a brain-scorching fetish video along with other “horrifying” sexual videos, Josh Constine reports.

Attendees of the WFH Happy Hour videoconference found it futile to block the barrage. The perpetrator simply re-entered the call under a new name and kept up the screensharing of nastiness. Since they couldn’t stop the assaults, the hosts simply ended the call.

It doesn’t have to be this way

Unfortunately, it’s Zoom’s default settings, not any trickery on the trolls’ part, that enable the infliction of this abhorrent content. To wit, from Zoom’s own documentation:

The host does not need to grant screen share access for another participant to share their screen.

By default, any participant in a meeting can share their video, screen, and audio.

“By default?” To avoid this kind of horror show, the default should really be “screensharing only with moderator permission.” Be that as it may, hosts can lock the option down before the meeting starts by changing the screensharing setting to “Host Only.” Otherwise, during the meeting, hosts can switch to host-only sharing the moment they see the feature being abused. Bear in mind that a call whose link is posted publicly, as WFH Happy Hour’s was, can be joined by anyone who finds it, so restricting who can share is the control that actually matters.

Here’s where you can check out Zoom’s instructions on managing participants in a meeting.

As well, TechCrunch passed along these tips from entrepreneur Alex Miller on other ways to protect your Zoom calls:

  • Disable “Join Before Host” so people can’t cause trouble before you arrive.
  • Enable “Co-Host” so you can assign others to help moderate.
  • Disable “File Transfer” so nobody can push malware to attendees through the meeting.
  • Disable “Allow Removed Participants to Rejoin” so booted attendees can’t slip back in.

Don’t be like The Verge’s Newton, who found himself apologizing to his parents, who were on the #WFHappyHour call on Tuesday for the first time. He told TechCrunch that he didn’t capture screenshots of the attack since he was too busy screaming. Constine quoted him sometime after his heart rate returned to normal:

Today we all learned an important lesson about disabling screen sharing and saw once again the importance of good content moderation.

Haven’t we learned this lesson before?

Yes, we kind of have: ZoomBombing is the latest iteration of an ancient prank known as bluejacking, which first popped up in 2003. Bluejacking exploited the Bluetooth radios in mobile phones, which let devices communicate with each other at a range of about 30 feet. A phone left in discoverable mode advertises itself to every other Bluetooth device in the vicinity, and a prankster could use that to push an anonymous message – typically smuggled in as the name field of a contact card – to the phone without ever pairing with it.

Or, say, pictures of their junk. In 2017, one woman was subjected to 120 down-the-pants selfies via iPhone AirDrop while riding public transport. AirDrop only accepts files from strangers when receiving is set to “Everyone”; switching it to “Contacts Only” (or “Receiving Off”) closes that particular delivery route.

Now’s as good a time as any to remind everybody that inflicting depictions of wobbly flesh on others is a crime. In England and Wales, sending indecent images of this kind can be prosecuted under section 66 (exposure) of the Sexual Offences Act 2003, on the basis that it amounts to exposing genitals while intending that the recipient “see them and be caused alarm or distress”. At least back in 2017, the maximum penalty for breaking that law was a prison term of up to two years.


Latest Naked Security podcast

Exchange rate service’s customer details hacked via AWS

Online exchange rate data provider Open Exchange Rates has had an undisclosed amount of user data taken from a database hosted in Amazon’s cloud, according to a breach notification letter that a customer published on Twitter this week.

Open Exchange Rates provides foreign exchange data for over 200 currencies worldwide, including digital ones. Software developers access it through an application programming interface (API): applications query the Open Exchange Rates service, which returns the results as JSON, a format that is both machine- and human-readable.

The company runs its service in the Amazon Web Services (AWS) cloud. Unfortunately, that AWS environment was the focus of a breach that began on 9 February 2020, the company said in a notification it sent to customers on 12 March. Linux and open source engineer Sylvia van Os tweeted a copy of the notification.

This incident is different from many of the AWS-based exposures we report here because it wasn’t due to a public database or S3 bucket exposure. In those incidents, organisations publish information on the web for all to see, usually through database or cloud misconfiguration. Instead, this appears to have been a targeted attack.

Open Exchange Rates explained that it started getting complaints about its API performance on 2 March, which it traced to a misconfiguration in its network. While fixing that, it found that an unauthorised user had been tampering with its AWS environment using what the letter describes as a compromised access key – in AWS terms, the access key ID and secret access key pair that grants programmatic access to the AWS APIs, as opposed to a console password.

The company shut off that user’s access and fixed the network issue, but found that the account had been able to reach a database containing user data. Its letter said:

Whilst our investigations are ongoing, we have also found evidence indicating that information contained in this database is likely to have been extracted from our network.

The data included registered names and email addresses, encrypted account access passwords, user IP addresses, and the tokens that applications use to authenticate their API queries. Where users had supplied them, the breach also divulged personal and/or business addresses, country of residence and web address.

It continued:

There is a risk that the data that may have been extracted from our network could be used to facilitate fraud, identity theft or social engineering attempts.

As a precautionary measure, the company reset all user passwords, although it left it up to customers to reset their application tokens – which anyone holding a copy could use to query the API on a victim’s account, and on the victim’s dime, until they are rotated.
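The notification letter had to answer three questions that any team facing a stolen AWS access key faces: when was the key first used by someone else, what did it touch, and how do you kill it. CloudTrail is where those answers live. The following is an added example, not code from Open Exchange Rates or AWS: it triages a constructed CloudTrail log (AWS’s documented example key ID, RFC 5737 test addresses, and a hypothetical allowlist of IPs the key is legitimately used from) and emits the containment commands to run once the key is confirmed stolen.

```python
"""Triage CloudTrail records for a compromised access key (added example, not
Open Exchange Rates' or AWS's own code). The records below are constructed in
CloudTrail's JSON shape; the attacker IP 198.51.100.77, the CI host
203.0.113.10, the user 'deploy' and the resource IDs are all hypothetical."""
import json
from collections import defaultdict

# API calls that widen network exposure, touch data stores, or mint credentials.
SENSITIVE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "CreateNetworkAclEntry", "ReplaceNetworkAclEntry",
    "ModifyDBInstance", "CreateDBSnapshot", "ModifyDBSnapshotAttribute",
    "CreateUser", "CreateAccessKey", "PutUserPolicy", "AttachUserPolicy",
}
KNOWN_SOURCE_IPS = {"203.0.113.10"}  # where this key is legitimately used from (assumed)
DENIED_BURST_THRESHOLD = 3           # repeated AccessDenied = someone probing the key's limits


def _rec(time, source, name, ip, key="AKIAIOSFODNN7EXAMPLE", user="deploy", **extra):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    r = {"eventTime": time, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}
    r.update(extra)
    return r


SAMPLE_TRAIL = json.dumps({"Records": [  # constructed: recon, exposure change, probing, then normal CI use
    _rec("2020-02-09T02:11:03Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.77"),
    _rec("2020-02-09T02:13:40Z", "ec2.amazonaws.com", "DescribeSecurityGroups", "198.51.100.77"),
    _rec("2020-02-09T02:15:12Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "198.51.100.77",
         requestParameters={"groupId": "sg-0123456789abcdef0", "cidrIp": "0.0.0.0/0", "fromPort": 5432}),
    _rec("2020-02-09T02:20:00Z", "rds.amazonaws.com", "ModifyDBInstance", "198.51.100.77",
         requestParameters={"dBInstanceIdentifier": "prod-users", "publiclyAccessible": True}),
    _rec("2020-02-09T02:22:31Z", "s3.amazonaws.com", "GetBucketPolicy", "198.51.100.77", errorCode="AccessDenied"),
    _rec("2020-02-09T02:22:33Z", "iam.amazonaws.com", "ListUsers", "198.51.100.77", errorCode="AccessDenied"),
    _rec("2020-02-09T02:22:35Z", "iam.amazonaws.com", "CreateUser", "198.51.100.77", errorCode="AccessDenied"),
    _rec("2020-02-10T09:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10"),
    _rec("2020-02-10T09:00:05Z", "s3.amazonaws.com", "GetObject", "203.0.113.10"),
]})


def load_records(text):
    """CloudTrail log files are a JSON object with a top-level 'Records' list."""
    return json.loads(text)["Records"]


def triage(records, known_ips=KNOWN_SOURCE_IPS, sensitive=SENSITIVE_EVENTS,
           denied_threshold=DENIED_BURST_THRESHOLD):
    """Group calls by access key; flag unfamiliar source IPs, successful sensitive
    calls made from them, and AccessDenied bursts (an attacker mapping what the key can do)."""
    per_key = defaultdict(lambda: {"first_seen": {}, "denied": 0, "user": None})
    findings = []
    for r in sorted(records, key=lambda e: e["eventTime"]):
        ident = r.get("userIdentity", {})
        key, ip = ident.get("accessKeyId", "<none>"), r.get("sourceIPAddress", "")
        st = per_key[key]
        st["user"] = ident.get("userName") or st["user"]
        if ip not in known_ips:
            st["first_seen"].setdefault(ip, r["eventTime"])  # earliest use from this IP
        if r.get("errorCode") == "AccessDenied":
            st["denied"] += 1
        elif ip not in known_ips and r["eventName"] in sensitive:
            findings.append({"kind": "sensitive_call", "key": key, "ip": ip, "time": r["eventTime"],
                             "event": r["eventName"], "params": r.get("requestParameters", {})})
    for key, st in per_key.items():
        for ip, first in st["first_seen"].items():
            findings.append({"kind": "unfamiliar_source_ip", "key": key, "user": st["user"],
                             "ip": ip, "first_seen": first})
        if st["denied"] >= denied_threshold:
            findings.append({"kind": "access_denied_burst", "key": key, "count": st["denied"]})
    return findings


def earliest_unfamiliar_use(findings):
    """The breach start date a notification letter has to state."""
    times = [f["first_seen"] for f in findings if f["kind"] == "unfamiliar_source_ip"]
    return min(times) if times else None


def containment_commands(user, key_id):
    """Deactivate first (later CloudTrail events stay attributable to the key), then delete."""
    return [
        f"aws iam update-access-key --user-name {user} --access-key-id {key_id} --status Inactive",
        f"aws iam delete-access-key --user-name {user} --access-key-id {key_id}",
    ]


if __name__ == "__main__":
    found = triage(load_records(SAMPLE_TRAIL))
    for f in found:
        print(f)
    print("breach start:", earliest_unfamiliar_use(found))
    print("\n".join(containment_commands("deploy", "AKIAIOSFODNN7EXAMPLE")))
```

On the sample data this reports the attacker’s IP first seen at 02:11 on 9 February, two successful exposure changes (a security group opened to 0.0.0.0/0 on the database port and an RDS instance flipped to publicly accessible) and a run of three AccessDenied responses from IAM and S3 enumeration. Deactivating rather than immediately deleting the key is deliberate: any further attempts with it still land in CloudTrail under the same key ID. The same kind of pass over API access logs is what a provider would need in order to decide whether customers’ application tokens, not just their passwords, had to be rotated.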

The company did not respond to our request for comment yesterday. We’ll update this story if it does.



COVID-19 disruption delays release of Chrome version 81

It’s the COVID-19 shortage nobody expected – not toilet rolls, tinned goods or headache pills this time but Google software engineers.

It’s a problem that many believe explains the abrupt decision by Google to delay the release of Chrome 81, the stable version of which was scheduled to start appearing on users’ computers on 17 March.

This was a bit of a shock – pulling the release of a browser version so late in the day is highly unusual, especially when the Chrome developers’ Twitter account had reportedly already announced its arrival in a now-deleted tweet.

The same pause applies to subsequent Chrome versions, which would normally have followed at roughly six-week intervals. Said the brief note from the Chrome Release Team:

Due to adjusted work schedules at this time, we are pausing upcoming Chrome and Chrome OS releases. Our primary objectives are to ensure Chrome continues to be stable, secure, and work reliably for anyone who depends on them.

The phrase “adjusted work schedules” is not surprising given that the company last week ordered many employees to work from home to enable social distancing to cope with COVID-19.

That’s not the same as saying there’s a physical shortage of engineers so much as a shortage of engineers in the right place to coordinate the complex fixing of rollout bugs.

Given the number of Chromium bugs still sitting in “assigned” status (owned by an engineer but not yet fixed), this might have been building up for a while.

What can Chrome users look forward to when version 81 appears?

According to last month’s feature preview: support for AR (augmented reality) and VR (virtual reality) through the WebXR API, Web NFC (which lets web apps read Near Field Communication tags), and an updated V8 JavaScript engine. Expect a flood of new mobile apps supporting these.

In security, version 81 also removes support for TLS 1.0 and 1.1, following the same move by Mozilla’s Firefox in March. Chrome 80 already warns on sites that can’t negotiate anything newer; once 81 lands, those sites stop loading altogether, so anyone still running a server that only offers TLS 1.0 or 1.1 has just been handed a little extra time to fix it.

Despite the hiatus, Google says it is ploughing ahead with security updates for the current version, version 80, which should appear on users’ computers in the coming days.

This means fixes for 13 CVEs, including nine rated high priority. For most users, this should take them from version 80.0.3987.132 on desktop and mobile to version 80.0.3987.149.

Google hasn’t said when it hopes to release Chrome 81 but will post more news on the Chrome Release feed and Twitter accounts.



Location-tracking wristbands required on all incoming travelers to Hong Kong

Welcome to Hong Kong, traveler, and to the mandatory, Disney MagicBand-esque tracking wristband we’re about to slap onto your potentially infectious arm.

The territory had already been requiring arrivals from mainland China to self-isolate at home for 14 days. But as it undergoes a COVID-19 resurgence, mostly brought in by travelers arriving from European, US and Asian countries, it’s now enforcing the quarantine on all incoming travelers, with the wristbands helping to ensure that they adhere to movement restrictions.

The government announced on Monday that starting at midnight on Thursday (19 March), it was planning to put all arriving passengers under a two-week quarantine and medical surveillance.

On Wednesday evening, Government Chief Information Officer Victor Lam told reporters at the airport that the Privacy Commissioner for Personal Data had been consulted about the technology and had assured everybody that it won’t threaten people’s privacy.

CIO Lam:

The app will not capture, directly, the location. It will only capture the changes in location, especially the telecommunication signals around the confinee, to ensure that he’s staying at home.

Hong Kong confirmed 16 new cases of coronavirus on Thursday, bringing the city’s total to 208, according to the South China Morning Post. The new cases – 11 men and five women, aged 19 to 51 – had traveled to Europe, Britain and/or Canada. Hong Kong’s chief executive, Carrie Lam, said that of the 57 new cases Hong Kong recorded in the past two weeks, 50 were travelers from overseas.

Declan Chan, a Hong Kong resident who returned from Zurich on Tuesday and who was required to put on one of the wristbands at the airport, told CNBC that it felt “a bit weird” because of “privacy reasons,” but that he understood why it had to be done.

I was just expecting we’d have to fill out a form. I didn’t realize there would be a wristband.

The form Chan filled out suggested that passengers could choose to share their location data with the government either via messaging platforms such as WeChat and WhatsApp or by agreeing to wear the electronic wristband. The government must have rethought that either/or option, because Chan soon learned that the messaging apps weren’t actually an option and that all passengers must wear the wristbands.

Chan told CNBC that he was instructed to walk around the corners of his home once he got there, so that the app could calibrate his geofence: i.e., the boundary of the living space where he’d remain under quarantine.

The wristbands pair with a smartphone, and they aren’t easy to remove. The government says that it won’t directly capture location – only the changes in location, “especially the telecommunication and communication signals around the confinee to ensure that he (or she) is staying at home.”

If the wristband is broken or the smartphone is disconnected or taken away from the confinee’s geofence, an alert will be sent to the Department of Health and Police.

And just to make sure that people haven’t somehow subverted the location tracking, the government has a backup plan: surprise calls. From the government’s press release:

The staff at the communication centres set up by the Office of the Government Chief Information Officer will check the location of people under quarantine from time to time and make surprise video calls to ensure that they are staying at their dwelling places.
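The page gives the outline of the mechanism: a calibration walk around the corners of the dwelling, an app that watches “the telecommunication signals around the confinee” rather than coordinates, and an alert if the wristband disappears or the phone leaves the geofence. Below is an added example, not the Hong Kong government’s code, of what such a check can look like. It assumes the signals in question are the Wi-Fi access points (BSSIDs) and cell IDs the phone can see plus the Bluetooth beacon of the paired wristband; every identifier in it is constructed.

```python
"""Radio-environment geofence check in the style described for Hong Kong's quarantine
app (added example, not the government's code). Assumes the 'signals around the
confinee' are Wi-Fi BSSIDs and cell IDs seen by the phone plus the wristband's
Bluetooth beacon; all identifiers below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scan:
    time: str
    wifi: frozenset        # BSSIDs heard in this scan
    cells: frozenset       # cell IDs heard in this scan
    wristband_seen: bool   # paired wristband's Bluetooth beacon currently visible


def build_home_profile(calibration):
    """Everything heard during the walk-the-corners calibration. No coordinates are stored."""
    return {
        "wifi": frozenset().union(*(s.wifi for s in calibration)),
        "cells": frozenset().union(*(s.cells for s in calibration)),
    }


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as identical."""
    return 1.0 if not (a or b) else len(a & b) / len(a | b)


def evaluate(scan, profile, wifi_threshold=0.4):
    """Return (status, reason). The alert paths follow the page: wristband removed or
    broken, phone away from the dwelling, or the radio environment no longer matching."""
    if not scan.wristband_seen:
        return "ALERT", "wristband beacon missing: removed, broken, or phone left behind"
    if scan.cells and not (scan.cells & profile["cells"]):
        return "ALERT", "none of the calibrated cell IDs visible: phone outside the geofence"
    sim = jaccard(scan.wifi, profile["wifi"])
    if sim < wifi_threshold:
        return "ALERT", f"wi-fi environment similarity {sim:.2f} below {wifi_threshold}"
    return "OK", f"wi-fi environment similarity {sim:.2f}"


# Constructed calibration: four corners of a flat, each seeing a slightly different set of radios.
CALIBRATION = [
    Scan("T0", frozenset({"ap:01", "ap:02", "ap:03"}), frozenset({"cell:1"}), True),
    Scan("T1", frozenset({"ap:01", "ap:02", "ap:04"}), frozenset({"cell:1", "cell:2"}), True),
    Scan("T2", frozenset({"ap:01", "ap:03", "ap:05"}), frozenset({"cell:1"}), True),
    Scan("T3", frozenset({"ap:01", "ap:02"}), frozenset({"cell:2"}), True),
]
HOME = build_home_profile(CALIBRATION)

# Constructed later scans: in the flat, in the building's corridor, across town, band taken off.
LATER = {
    "living_room": Scan("T10", frozenset({"ap:01", "ap:02", "ap:03", "ap:04"}), frozenset({"cell:1"}), True),
    "corridor":    Scan("T11", frozenset({"ap:01", "ap:06", "ap:07", "ap:08"}), frozenset({"cell:1"}), True),
    "across_town": Scan("T12", frozenset({"ap:09", "ap:10"}), frozenset({"cell:9"}), True),
    "band_off":    Scan("T13", frozenset({"ap:01", "ap:02", "ap:03"}), frozenset({"cell:1"}), False),
}


def check_all(scans=LATER, profile=HOME):
    """Status per scan; anything other than OK would be what gets sent to the Department of Health."""
    return {name: evaluate(scan, profile)[0] for name, scan in scans.items()}


if __name__ == "__main__":
    for name, scan in LATER.items():
        print(name, *evaluate(scan, HOME))
```

Two caveats worth stating. First, the distinction CIO Lam draws between “the location” and “changes in location” is thinner than it sounds: a set of Wi-Fi BSSIDs is location data in practice, since public Wi-Fi positioning databases map them straight to coordinates, so the privacy of the scheme rests on how long the profile is retained and who can read it, not on the absence of GPS. Second, the check only ever sees the phone: a confinee who leaves phone and wristband together at home and walks out the door is invisible to it, which is precisely the gap the surprise video calls described above are meant to close.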

CNBC got hold of a handout now being given to passengers. It threatens fines or imprisonment for those who mess with the quarantine:

A person who contravenes or knowingly gives false information to Department of Health is liable on conviction to a $5000 HKD (USD $644) fine and to imprisonment for 6 months.

Chan doesn’t feel like he’s being needlessly surveilled. In fact, he finds it comforting to be in a place where the government is taking the pandemic seriously, unlike, say, places where government allows people to flock to Florida beaches, hug each other in evangelical church meetings (“This Bible school is open because we’re raising up revivalists, not pansies.”), or stand shoulder to shoulder as they watch Disneyworld fireworks or cram into a bar to celebrate St. Patrick’s Day.

Chan:

It’s quite safe to be in Hong Kong where the situation of the virus is now in control.


