Week in security with Tony Anscombe

Security challenges for connected medical devices – Zero-day in Chrome gets patched – How to avoid USB drive security woes

Is your internet-connected medical device vulnerable to cyberattacks and what are the odds that it could be compromised? We look at five chinks in their armor. Google has fixed a vulnerability in the Chrome web browser that was under active exploitation by attackers. USB flash drives are a common sight across homes, offices and schools, but just how secure are they? Are you aware of the underlying risks? All this – and more – on WeLiveSecurity.com.

Securing medical devices: Can a hacker break your heart?

Why are connected medical devices vulnerable to attack and how likely are they to get hacked? Here are five digital chinks in the armor.

There’s virtually no realm in healthcare today that isn’t adopting more technology. From real-time wireless access to your own health parameters through smart watches and wearables to implanted devices inside your body, technology is coming. But can we secure it all?

Several years ago at Black Hat, we saw an insulin pump being hacked. And even where the lion’s share of the software on such a device is off the shelf, regulators say that the integrator is responsible for security up and down the stack, including the underlying operating system (OS), even if that OS has a good security track record. In other words: device manufacturers bear the responsibility, no matter what technology they use.

While that places the burden of security on the manufacturer, it also steeply increases the cost and complexity of bringing a device to market. So while market pressures push companies to produce devices quickly, the road ahead looks rocky and expensive. It can also leave patients unknowingly on the defensive.

And what about patches: who’s responsible for those? According to the FDA, the manufacturer does that too. With some medical devices expected to remain in service for many years, that’s a long time to pay to support gear in the field.

What makes the devices vulnerable and how likely are they to get hacked? As this week’s theme of Cybersecurity Awareness Month focuses on the security of internet-connected devices in healthcare, here are five digital chinks in the armor:

  • Bluetooth

Many medical devices integrate monitoring and interaction via Bluetooth, which has a long history of vulnerabilities. And while there may be patches, it’s hard to determine the real adoption rate and timeline in the field. Meanwhile, if your blood sugar measurement gets spoofed, you could be in real physical danger if you try to adjust blood glucose levels based on false readings.

  • Windows

Many hospitals have management computers for their medical equipment which run on older, unsupported Windows versions due to lagging updates from the manufacturer that did the integration. A manufacturer can’t simply push the latest Windows patch before extensive testing on their units to see integration issues, so patch vetting can be tricky. A would-be attacker has the advantage here, since they can deploy well-known exploits as soon as they come to light, and long before the manufacturer can react.

  • Cloud

Many implanted devices “phone home” to medical clinicians through cloud connectivity to facilitate health status updates and trigger events where patients may need to seek attention. As we saw this year at Black Hat and DEF CON, cloud security can be less than stellar. It’s unlikely the patient would have a way to know about potential vulnerabilities, but attackers are quick to seize on known exploits, pumping them through their attack frameworks quite rapidly. In some cases, patients have opted out of external communications with their pacemakers citing hacking fears, but cloud adoption for implanted devices has strong tailwinds pushing further adoption.

  • Ethernet

Many medical devices plug into medical TCP/IP networks via Ethernet, but it would be very difficult for many clinicians and patients to notice a network tap placed inline with existing connections. By exfiltrating data across wireless links embedded in such a tap, attackers could snoop traffic and craft exploits. Because such taps are cheap, attackers need physical access only once and don’t have to come back for the device if retrieving it is deemed too risky.

  • Wireless keyboards

Keyloggers that capture keystrokes from wireless keyboards have been standard fare for some time now, posing as fake USB chargers plugged into wall outlets while snooping for signals and exfiltrating them over industrial 4G wireless cards. This allows the capture of sensitive data such as typed passwords, but can also let attackers attempt to download and install remote backdoors by bypassing warning prompts from security products.

In closing

The medical field has been on its heels – security-wise – for years. And while it may be making important strides, many medical devices have been performing fine all those years, lessening the perceived need to act. It will be a challenge to “modernize the fleet” for some years to come. Even so, medical folk have started to lean into the process and get the technical chops on staff to start moving the needle. Meanwhile, it might be wise to get to know any vulnerabilities that might affect your medical devices, especially if they are critically involved in your health care, as so many are.

Fraudsters crave loyalty points amid COVID‑19

Scammers even run their own dark-web “travel agencies”, misusing stolen loyalty points and credit card numbers

The hospitality, travel, and retail industries, which have been hit particularly hard by the COVID-19 pandemic, have also been increasingly targeted by cybercriminals seeking to profit from the dire situation, a report has found.

“During the lockdowns in Q1 2020, criminals circulated dozens of password combination lists, and targeted each of the commerce industries. It was during this time that criminals started recirculating old credential lists in an effort to identify new vulnerable accounts, leading to an uptick in sales related to loyalty programs,” reads the Loyalty for Sale – Retail and Hospitality Fraud report by content delivery network (CDN) provider Akamai.

These developments contributed to the total tally of more than 100 billion credential-stuffing attacks that Akamai detected between July 2018 and July 2020. No fewer than 63 billion of them targeted the retail, travel, and hospitality sectors. The British health and beauty products retailer Boots is just one notable victim.

Credential stuffing is an automated account-takeover attack during which bad actors leverage bots to hammer websites with login attempts, using stolen or leaked access credentials. Once they stumble upon the right combination of “old” credentials and a new website, they can proceed to exploit the victims’ personal data.
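Detection logic for the attack pattern just described, written for this digest as an added example (it is not code from Akamai or from the report): it parses a few constructed authentication-log lines, groups attempts per source IP, and flags a source that tries many distinct usernames with a high failure ratio. The log format, field names and thresholds are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LoginEvent is one parsed line from a web application's authentication log.
type LoginEvent struct {
	IP, User string
	Success  bool
}

// SourceStats summarises every login attempt seen from one client IP.
type SourceStats struct {
	Attempts, Failures, DistinctUsers int
}

// Constructed sample log (not taken from the Akamai report): one client working through
// a leaked credential list, next to two ordinary users, one of whom mistypes a password.
const sampleLog = `2020-10-20T09:00:01Z ip=203.0.113.7 user=alice result=fail
2020-10-20T09:00:01Z ip=203.0.113.7 user=bob result=fail
2020-10-20T09:00:02Z ip=203.0.113.7 user=carol result=fail
2020-10-20T09:00:02Z ip=203.0.113.7 user=dave result=success
2020-10-20T09:00:03Z ip=203.0.113.7 user=erin result=fail
2020-10-20T09:00:03Z ip=203.0.113.7 user=frank result=fail
2020-10-20T09:00:10Z ip=198.51.100.23 user=alice result=fail
2020-10-20T09:00:15Z ip=198.51.100.23 user=alice result=success
2020-10-20T09:01:00Z ip=192.0.2.44 user=bob result=success`

// ParseLog reads the "timestamp key=value ..." format above, skipping malformed lines.
func ParseLog(raw string) []LoginEvent {
	var events []LoginEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if parts := strings.SplitN(f, "=", 2); len(parts) == 2 {
				kv[parts[0]] = parts[1]
			}
		}
		if kv["ip"] == "" || kv["user"] == "" {
			continue
		}
		events = append(events, LoginEvent{IP: kv["ip"], User: kv["user"], Success: kv["result"] == "success"})
	}
	return events
}

// Summarise groups events by source IP, counting attempts, failures and distinct usernames.
func Summarise(events []LoginEvent) map[string]*SourceStats {
	stats := map[string]*SourceStats{}
	seen := map[string]map[string]bool{}
	for _, e := range events {
		if stats[e.IP] == nil {
			stats[e.IP] = &SourceStats{}
			seen[e.IP] = map[string]bool{}
		}
		s := stats[e.IP]
		s.Attempts++
		if !e.Success {
			s.Failures++
		}
		seen[e.IP][e.User] = true
		s.DistinctUsers = len(seen[e.IP])
	}
	return stats
}

// FlagStuffing returns, sorted, the IPs whose pattern matches credential stuffing: many
// different usernames tried from one source with a high failure ratio. The thresholds are
// assumptions to tune against the site's normal traffic; a brute-force run against a single
// account (one username, many failures) is deliberately left to a different rule.
func FlagStuffing(stats map[string]*SourceStats, minUsers int, minFailRatio float64) []string {
	var flagged []string
	for ip, s := range stats {
		ratio := float64(s.Failures) / float64(s.Attempts)
		if s.DistinctUsers >= minUsers && ratio >= minFailRatio {
			flagged = append(flagged, ip)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	stats := Summarise(ParseLog(sampleLog))
	for _, ip := range FlagStuffing(stats, 5, 0.8) {
		s := stats[ip]
		fmt.Printf("credential stuffing suspected from %s: %d usernames, %d/%d attempts failed\n",
			ip, s.DistinctUsers, s.Failures, s.Attempts)
	}
}
```

On real traffic the same per-source counters should be kept over a sliding time window and combined with other signals (user-agent churn, proxy and VPN ranges), since stuffing bots spread attempts across many IPs.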

Customer loyalty programs prove to be a juicy target for hackers, since the accounts aren’t perceived as high risk by their holders, who may put more effort into locking down online accounts that they think contain more sensitive data. Such laxity could materialize in the form of password recycling or other common password mistakes people tend to make.

However, the perception of loyalty programs not being high risk isn’t strictly true. “These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft,” reads the report.


The report also outlines a number of examples of how compromised loyalty card accounts could be abused. Hotel reward points, for one, are considered a hot commodity, since these can be used to book free stays, upgrade to better rooms, or used to access various activities. Depending on the number of accumulated points and the hotel chain, loyalty accounts can be sold on cybercrime forums for as much as US$850.

Some cybercriminals venture even further and operate their own dark-web “travel agencies”, using a combination of stolen credit cards and airline and hotel loyalty programs. “Many of the travel listings on the darknet charge a percentage of the overall trip cost, anywhere from 25% to 35% — meaning a US$2,000 booking on a well-known travel comparison/booking website would cost about US$700 on the darknet,” the report said.

Beyond credential-stuffing attacks, threat actors also used SQL Injection and Local File Inclusion attacks to target the retail, hospitality, and travel industries. Akamai recorded almost 4.4 billion web attacks targeting these sectors, which accounted for 41% of overall attacks against all industries. Cybercriminals also deployed Distributed Denial-of-Service (DDoS) attacks, with an average of 125 attacks targeting the commerce industry each week between July 2019 and July 2020.

Google patches Chrome zero‑day under attack

In addition to patching the actively exploited bug, the update also brings fixes for another four security loopholes

Google has rolled out an update to its Chrome web browser that fixes five security flaws, including a vulnerability that is known to be actively exploited by attackers.

“Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild,” said Google about the zero-day flaw in FreeType, a widely used software development library that is also a Chrome component. The bug in this font rendering library affects the browser versions for Windows, macOS, and Linux.

The flaw, classified as high-severity, was reported by Sergei Glazunov, a member of Google’s Project Zero, on October 19th, with the update released soon after. Details about the zero-day remain sparse, although Google did disclose that the memory-corruption flaw causes a heap buffer overflow in FreeType. Heap overflows are known to cause data corruption or unexpected behavior on a system and may give an attacker “the keys to the kingdom”.

“This is an emergency release, fixing a severe vulnerability in embedded PNG bitmap handling… All users should update immediately,” reads the message on the FreeType website.

Ben Hawkes, the technical lead at Project Zero, tweeted that although the team only noticed an exploit targeting Chrome, those using FreeType should also patch their systems using the software library’s emergency fix, lest they be targeted by cybercriminals rushing to exploit the loophole. He also addressed concerns about whether the zero-day might also affect Chrome for Android.

The update also patched four other vulnerabilities, three of them rated high severity and one medium.

If you have automatic updates enabled, your browser should update to the latest 86.0.4240.111 version by itself. However, if you haven’t enabled this option, you’ll have to do it yourself via the About Google Chrome section, which is located under Help in the side menu.

How safe is your USB drive?

What are some of the key security risks to be aware of when using USB flash drives and how can you mitigate the threats?

Most of you probably own at least one USB thumb drive, which you typically use either to transfer data or as a backup for sensitive documents. Alternatively, you may like to carry your work with you so you can dive into it at a moment’s notice. So, if you only plug the flash drive into machines you trust, most of the time you should be safe.

Unfortunately, if you’re like most people, you may not always use only trustworthy devices. For example, students tend to use flash drives to print out their study materials and other documents at print shops or libraries. They also tend to allow their classmates to borrow them or pass them around. And these practices aren’t just limited to students. Since you can’t tell how either the print shop or your friends manage their devices, or what their approach to cybersecurity is, you can’t be sure about anything.

If any of those devices has been infected with malware, it’s quite possible that your drive is now infected as well, or that your files have been copied from it for nefarious purposes. When you then plug the USB stick into your own computer, the malware will probably spread to it too. This is known as cross-contamination and is a common way for malicious code to spread.

Another thing you have to watch out for is what data you store on your drives. Although you may consider it highly unlikely, there is always a chance that you may misplace it, or it may be stolen. If that happens: at best, the only loss you incur is the flash drive with some useless data; at worst, it may contain data that can be exploited by whoever found it or stole it.

The above-listed examples are just some of the reasons why some companies, such as IBM, opted to ban removable storage devices altogether. The risks are just too high.

What are your options?

Right off the bat, you should draw a clear distinction between your work and personal flash drives, so if either of them gets compromised, you don’t cross-contaminate your devices. You should also avoid storing personal data on your work flash drive and vice versa.

Another thing you might want to do is encrypt all your sensitive data that you want to load onto your flash drive. So, even if it is ever lost or stolen, no one can access the data and the drive essentially becomes nothing more than a fancy paperweight.

To kick it up a notch, you can also purchase a flash drive that has additional security features, like a hardware security solution in the form of a PIN code or a biometric scanner, as well as built-in encryption. Some of the manufacturers even offer multiple levels of protection such as adding additional encryption and dividing your drive into private and public partitions.

We mentioned the following advice in our recent article about USB flash drives, but repetition is the mother of wisdom. You should disable the Autorun feature on your computer so that it doesn’t automatically open USB drives – especially ones that may contain some form of malicious threat.

And never underestimate the value of a reputable endpoint solution, which can go a long way in protecting you against various threats, including infected USB drives.

Also, don’t forget to keep all your devices patched and your software updated to the latest versions.

Microsoft issues two emergency Windows patches

The flaws, neither of which is being actively exploited, were fixed merely days after the monthly Patch Tuesday rollout

Microsoft has rushed out fixes for two security vulnerabilities affecting Microsoft Windows Codecs Library and Visual Studio Code. The security flaws are classified as Remote Code Execution (RCE) vulnerabilities and if successfully exploited could allow threat actors to take over an affected system.

Both vulnerabilities hold a score of 7.8 on the Common Vulnerability Scoring System (CVSS) scale and are rated as “important” by Microsoft. Importantly, there is no evidence that either has been under active exploitation.

Indexed as CVE-2020-17022, the security loophole in the Windows Codecs Library does not affect users running Windows 10 in its default configuration. Instead, only users who have installed the optional High Efficiency Video Coding (HEVC) or “HEVC from Device Manufacturer” media codecs and are running Windows 10 version 1709 or above could be vulnerable.

“Exploitation of the vulnerability requires that a program process a specially crafted image file,” Microsoft said, explaining the attack vector a cybercriminal could use. The flaw – for which there are no known mitigations or workarounds – has to do with how Windows Codecs Library handles objects in memory.

It’s worth noting that instead of the usual Microsoft Update channel, the patch is being delivered via Microsoft Store. Since both HEVC versions are optional apps or components that are offered to customers via the Store, the updates are offered through the same channel.

“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” said Microsoft. The company also offered this guidance for users who want to expedite the process or check if the updates have been implemented on their systems.

Meanwhile, the flaw in Visual Studio Code tracked as CVE-2020-17023 could be exploited if a user was duped into opening a malicious JSON file. As is the case with the previous vulnerability, there are no workarounds or mitigating factors. Users are, therefore, advised to apply the patch.

The United States Cybersecurity and Infrastructure Security Agency (CISA) urged people to make sure their systems are updated.

The security patches were released within days of Microsoft’s Patch Tuesday, which addressed 87 vulnerabilities, 12 of which were classified as critical on the CVSS scale. Out-of-band patch releases are usually reserved for unexpected, wide-ranging, or severe vulnerabilities.

Child abductors may use social media to lure victims, FBI warns

School closings and more screen time can ultimately put children at an increased risk of being kidnapped by strangers they met online

With the pandemic-forced closure of schools and a surplus of free time on their hands, minors are currently at greater risk of encountering all manner of criminals online, warns the FBI’s Internet Crime Complaint Center (IC3). The offenders may even pose as minors in an attempt to lure their targets into a trap and abduct them.

“While criminals exploit social media and social networks to commit crimes involving child sexual abuse material, sex trafficking of a minor, and child sex tourism, the use of these platforms to facilitate child abductions is lesser-known,” said the Bureau. Indeed, the FBI recently warned that human traffickers were luring victims using dating apps.

The modus operandi of child abductors involves creating accounts on various social media networks and dating platforms, where they search for their prospects. The offenders will then contact and attempt to groom the targets, eventually convincing them to meet up with the aim of abducting them. Using these platforms proves to be an attractive method of initiating contact since it’s not as risky as trying to lure the victims in person.

While the number of kidnappings where social media platforms were used to establish contact accounts for just a small part of the FBI’s child abduction investigations, the proliferation and availability of the internet in combination with the time minors spend on it are likely to exacerbate the problem.

According to a survey by YouGov, 2 in 5 children aged 8-12 years spend two hours or more online, with almost half of those aged 13-17 saying that they spend a similar amount of time online with at least some of it dedicated to using social media. Although most social media apps require account holders to be at least 13, it’s safe to say that many children set up their profiles sooner than that – with or without their parents’ knowledge or consent.


The Bureau also described three cases where victims were abducted after being contacted by criminals on social media apps. All three children were eventually reunited with their families, but the incidents clearly make a case for monitoring children’s social media use.

For starters, parents should actively discuss social media use with their children. By having these discussions early and clearly explaining the risks, parents can lower the chances of their children using these platforms in ways that may hurt them. If you’d like to take an even more active role in your children’s social media journey, you can use parental controls such as TikTok’s Family pairing or Facebook’s Messenger Kids.

Importantly, comprehensive parental control tools are often integrated into security software and can be very helpful when it comes to keeping an eye on what your offspring are up to online.

To learn more about the dangers children face online, and about how technology and other measures can help, head over to Safer Kids Online.

5 things you can do to secure your home office without hiring an expert

You don’t need a degree in cybersecurity or a bottomless budget to do the security basics well – here are five things that will get you on the right track

Many home offices are merely a corporate tentacle, complete with a virtual private network (VPN), remotely managed workstations and IT experts at the corporate offices doing the heavy lifting. But others lack virtually any kind of IT super-sleuth to sort things out, and that means that the end user is the IT staff, like it or not.

If this is you, not to worry. Since this week’s theme of Cybersecurity Awareness Month is “Securing devices at home and work”, here are five things you can do to secure your home office – without an advanced degree in cybersecurity or a budget in the millions. Before we dig in, the first point is really just to get started. Some security is far better than none, and since it’s so easy to get overwhelmed by the technology and give up, we’re happy you’re still reading and hope you will prepare and jump in.

  • Start with the router

These days, the router that you use for internet access does far more than you might think. It has a firewall, some security options, wireless connectivity and a host of other options. If you pay US$50 extra and get a business-class router, it will come stuffed with extra security options like a stateful packet inspection firewall, Denial-of-Service (DoS) protection, content filtering and others. You don’t have to be an expert in some of the crazier security features, but business routers are usually more secure out-of-the-box, and have good support to tell you what to enable. Some come with threat feeds built in, so they keep up with blocking the latest badness. Also, remember to check for updated firmware when installing the router, and periodically check with the manufacturer — say, once a month — for updates.

  • Stick to basics

Use security software that includes multiple layers of protection; indeed, today’s security suites tend to have stacks of security and are not just “one-dimensional antiviruses” anymore. Also, keep your operating system and applications updated, ideally automatically – the updates matter because they often include patches for critical vulnerabilities. If you haven’t already, now is the time to implement full-disk encryption – even if working from home, you may have “off-site” meetings you take your laptop to, and the risk of physical theft is never zero. Speaking of which, it’s hard to overstate the importance of regular backups.

  • Set boundaries

You may not worry about having your device stolen by your relatives or housemates, and yet they may cause some trouble for you or your employer, even if unintentionally. Make sure you have a dedicated secure workstation you use for work and protect access to data stored on it by a strong password or passphrase that you don’t share with anybody else. Put bluntly, if everyone has the password, it’s not really a password. By extension, your family shouldn’t really use the device for things like chatting with friends or streaming movies. Also, set short timeout intervals so that the device locks itself automatically when not in use. And perhaps your virtual friend, such as Alexa or Siri, could do with some time off when you have calls or video meetings involving sensitive data.

  • Stay vigilant

Fraudsters of all ilks didn’t take long to catch on to the then-new reality, using the virus as a cover story in a barrage of COVID-19-themed scams and spam. The virus is now firmly entrenched in our minds and cybercriminals have by no means let up on their efforts to siphon off business funds or hold organizations’ data for ransom – including by exploiting the remote work trend and the physical separation between co-workers. Business Email Compromise (BEC) fraud, for example, has long been a major money-maker, and the losses are only expected to climb further amid the pandemic. To counter that, scrutinize all email messages and avoid clicking on any links or attachments, especially in unsolicited emails, since they may be attempts to part you from your account credentials or to download malware onto the device. Be highly suspicious of urgent requests and verify them through an alternative communication channel before sending money or data.

  • Keep learning

It’s amazing what you can learn from down-to-earth podcasts or videos on security. There’s also an endless number of free or low-priced courses that will give you a solid grounding in any imaginable aspect of security. Don’t pick one that’s written high above your head, though; instead, find some you can easily understand that take you through the basics a step at a time. We’ve previously compiled a list of free online courses about security, which also might be worth reviewing. Put bluntly, blissful ignorance should not be an option.

Stay safe and healthy

While we all have new worries these days, the old worries – and cyberthreats – haven’t gone anywhere; quite the contrary, in fact. You may still be relatively new to remote work and may still be trying to get a handle on the new reality. That said, the current troubled times may require some change in mindset – thinking of your remote office like your “real” office and being acutely aware of the myriad online threats that may hit particularly “close to home”.

Zoom to begin rolling out end‑to‑end encryption

The videoconferencing platform is making the feature available to users of both free and paid tiers

The Zoom videoconferencing platform has announced that starting next week it will begin rolling out long-awaited end-to-end encryption (E2EE) to users. The feature will be released as a technical preview, with the company proactively seeking the feedback of its userbase over the first 30 days after the launch.

“We’re pleased to roll out Phase 1 of 4 of our E2EE offering, which provides robust protections to help prevent the interception of decryption keys that could be used to monitor meeting content,” said the company when announcing the new feature. “End-to-end encryption is another stride toward making Zoom the most secure communications platform in the world … This phase of our E2EE offering provides the same security as existing end-to-end-encrypted messaging platforms, but with the video quality and scale that has made Zoom the communications solution of choice for hundreds of millions of people and the world’s largest enterprises,” Zoom CEO Eric S. Yuan was quoted as saying.

Zoom first shared its plans to launch end-to-end encryption in May; however, the news was met with mixed reactions due to the feature being announced for paying customers only. The company amended its decision in June and said that it would release the feature to all users.

The new E2EE feature is built on the same Galois/Counter Mode (GCM) encryption Zoom already uses to encrypt all its meetings, with the key difference being in how the encryption keys are distributed and stored. “In typical meetings, Zoom’s cloud generates encryption keys and distributes them to meeting participants using Zoom apps as they join. With Zoom’s E2EE, the meeting’s host generates encryption keys and uses public key cryptography to distribute these keys to the other meeting participants. Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents,” the company explained.


The E2EE feature can be enabled across Zoom’s videoconferencing services – i.e. its desktop client, mobile apps, or Zoom Rooms – and can host up to 200 participants in E2EE meetings. However, Zoom warns that once E2EE is enabled, use of other features will be restricted, including join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions.

To start using E2E encryption, users will have to activate it in their account settings and then opt-in on a meeting-to-meeting basis – meaning that all participants will have to have the setting enabled if they want to join an E2EE meeting. Non-paying users who’d like to gain access to E2E encryption will have to go through a one-time verification process that will require them to provide additional information such as their phone numbers.

A green shield logo with a padlock will appear in the upper left corner of the client to alert the users that the feature has been turned on. Additionally, to confirm the security of the connection, the host’s code will be displayed in the participants’ clients; the host can then read it out aloud and the meeting attendees can check whether the codes match.
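The key-distribution model Zoom describes above and the code-comparison step, as an added example that is not Zoom’s code: the host generates a random AES-GCM meeting key, wraps it to each participant’s public key, and the relay forwards only the wrapped blobs, which it cannot open. RSA-OAEP as the public-key scheme, the function names and the SecurityCode derivation are assumptions, since the article does not give those details.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Participant owns a key pair; the private half never leaves the device.
type Participant struct {
	Name string
	priv *rsa.PrivateKey
}

func NewParticipant(name string) (*Participant, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Participant{Name: name, priv: priv}, nil
}

func (p *Participant) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// PublicKeysOf models the relay's directory: it holds public keys and nothing secret.
func PublicKeysOf(ps ...*Participant) map[string]*rsa.PublicKey {
	pubs := map[string]*rsa.PublicKey{}
	for _, p := range ps {
		pubs[p.Name] = p.Public()
	}
	return pubs
}

// HostWrapMeetingKey runs on the host: it generates a fresh 256-bit AES-GCM meeting key
// and wraps it per participant public key; the relay forwards the blobs but cannot open them.
func HostWrapMeetingKey(pubs map[string]*rsa.PublicKey) ([]byte, map[string][]byte, error) {
	meetingKey := make([]byte, 32)
	if _, err := rand.Read(meetingKey); err != nil {
		return nil, nil, err
	}
	wrapped := map[string][]byte{}
	for name, pub := range pubs {
		blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, meetingKey, []byte("meeting-key"))
		if err != nil {
			return nil, nil, err
		}
		wrapped[name] = blob
	}
	return meetingKey, wrapped, nil
}

// Unwrap runs on a participant: only the matching private key recovers the meeting key.
func (p *Participant) Unwrap(wrapped map[string][]byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, p.priv, wrapped[p.Name], []byte("meeting-key"))
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFrame protects one media frame with AES-GCM; the random nonce is prepended.
func SealFrame(key, frame []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, frame, nil), nil
}

// OpenFrame is what a holder of the meeting key (a participant, never the relay) can do.
func OpenFrame(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed frame too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// SecurityCode is the string the host reads aloud. Assumption (the article gives no derivation):
// a truncated hash of the host's public key as received, so a key swapped in transit would mismatch.
func SecurityCode(hostPub *rsa.PublicKey) string {
	sum := sha256.Sum256(hostPub.N.Bytes())
	return hex.EncodeToString(sum[:5])
}
```

Reading the code aloud over the meeting’s own audio is what turns the relay from a trusted party into a merely oblivious one: a participant whose screen shows a different code than the host announces knows the key material was tampered with on the way.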

The platform also expects to release better identity management and E2EE single-sign-on integration during Phase 2 of its E2EE offering with the release date “tentatively” set for 2021.

This is just the latest security and privacy feature to be launched as part of Zoom’s effort to mitigate concerns after its privacy and security shortcomings came to light amid the platform’s rise to stardom largely occasioned by the recent shift to remote work. Last month, the company rolled out support for two-factor authentication across its web, desktop, and mobile applications.

50,000 home cameras reportedly hacked, footage posted online

Some footage has already appeared on adult sites, with cybercriminals offering lifetime access to the entire loot for US$150

A hacker collective claims to have breached over 50,000 home security cameras before going on to steal people’s private footage and post some of it online. While a considerable portion of the videos seems to have come from Singapore, a number of people living in Thailand, South Korea, and Canada also seem to have had their privacy invaded.

Some of the videos – which range from one to twenty minutes in length and show people of varying ages in compromising positions or various stages of undress – have been uploaded to porn websites.

The New Paper, which broke the story, quoted the unnamed hacker group as saying that it has shared the clips with over 70 members who paid US$150 for lifetime access to the loot. The gang, whose group on the instant messaging app Discord has nearly 1,000 members, reportedly specializes in hacking security cameras.

To lend extra credence to their claims, the collective is offering a free sample containing 700 megabytes worth of data comprising over 4,000 clips and pictures. They’re also reportedly willing to share access to all hijacked cameras with fellow members. Moreover, “VIP members” with voyeuristic tendencies will be treated to a course on how to “explore, watch live and record” hacked cameras, which could mean that the number of private videos could grow over time.


“As worrying as it may seem, this comes as a clear reminder that when cameras are placed on the internet, they must be properly installed with security in mind. When smart devices are set up, they are still regularly placed around the home with no second thought for privacy,” said ESET Security Specialist Jake Moore. However, he hopes that the incident will prompt people to take security precautions when setting up their smart cameras.

While details on how the cybercriminals were able to gain access to the cameras that are usually used to boost security or monitor minors are sparse, there are multiple plausible explanations for how the cameras were compromised.

Much like other devices, internet-connected cameras aren’t immune to security vulnerabilities. For example, a few months ago British consumer watchdog Which? warned about 3.5 million cameras from around the world that were susceptible to hacking due to a set of security flaws. Last year, ESET researchers uncovered a series of vulnerabilities in a D-Link cloud camera that could have allowed attackers to tap into its video stream.


Poor password hygiene could be blamed for the hacks. Users may have stuck to the default password set by the device manufacturer, which wouldn’t be hard to obtain or guess for anyone with ill intentions. Other users may have underestimated the need for a strong and unique password or passphrase for a ‘mere’ IoT device.

Whatever the case may be, IoT security should not be underestimated, as the use of all sorts of smart devices has profound security and privacy implications. To save yourself from a privacy nightmare in the future, make sure that all your IoT devices run the latest firmware version and that any security patches are applied promptly. When choosing a password, try to avoid the cardinal sins of password creation. Whenever possible, secure your accounts with multi-factor authentication. If you’re considering buying a connected device, instead of going for the cheapest option, choose a reputable vendor with a proven track record of manufacturing properly secured devices that they regularly update and patch throughout their lifecycle.