Showing posts with label cybersecurity. Show all posts

Friday, May 15, 2020

NJCCIC Publishes: Tips for Teleworkers, Remote Access Security

For many organizations, telework programs have been in practice for years – whether as part of the organization’s everyday work program or as a component of their business continuity plans.

For those organizations, policies, educational programs, technologies, and support services for the remote workforce are well established. For organizations engaging in telework for the first time, defining expectations is a good starting point.

First, create a telework policy that addresses the following:
  • the scope of the telework program, roles and responsibilities, and eligibility to telework (not all jobs can be performed remotely);
  • work hours and paid time off;
  • the suitability of the alternate workplace and its related safety requirements;
  • responsibility for equipment and supplies;
  • operating costs and expenses;
  • requirements for physical and information security. more

Tuesday, May 12, 2020

Wi-Fi Internet Communicator Hidden in a Calculator Hack

Sometimes a device is just too tempting to be left untouched. For [Neutrino], it was an old Casio calculator that happened to have a perfectly sized solar panel to fit a 128×32 OLED as a replacement.

But since the display won’t do much on its own, he decided to connect it to an ESP8266 and mount it all inside the calculator’s housing, turning it into a spy-worthy, internet-connected cheating device, including a stealthy user interface controlled by magnets instead of physical buttons. more


It wouldn't take much to turn this into a Wi-Fi bug.

Saturday, May 9, 2020

Pew Comments on Relationship Health - It Stinks

Most Americans think snooping on a partner’s phone is a bad thing to do, but that hasn’t stopped more than a third of people in committed relationships from doing it anyway, according to Pew research published Friday.

Of those surveyed, 34 percent of people in committed relationships admitted to snooping on their partner’s phone without their knowledge. Interestingly, the survey also found that 42 percent of women (who are in relationships) say they’ve snooped through their current partners’ phones without them knowing, while just 25 percent of men say they have.

As many of us find ourselves cooped up with our partners and our phones for the foreseeable future, the researchers suggest that using this technology is not necessarily great for the health of our long-term relationships. more

Friday, May 1, 2020

Eavesdropper Scams Financial Advisor | Prevention Tips

Early in April, a financial advisor and her team met with an insurance company wholesaler via the video conferencing platform Zoom.

Unbeknownst to them, another participant had joined the virtual meeting.

As the hacker captured details, the wholesaler named the price of a new policy and the advisor agreed to the terms.

...It’s likely that even before the meeting ended the eavesdropper generated an email to the advisor so that it appeared to come from the insurer. In a later forensic analysis, an overlooked detail revealed the spoof: a single letter the hacker changed in the insurance company’s name.

After the meeting ended, the advisor received the message with instructions to wire money — in the low six figures — to a New York bank account. She did as instructed, sending the money to the hacker. more

How to prevent Zoombombing in your video chats in 4 easy steps

1. Don't use your Personal Meeting ID for the meeting. Instead, use a per-meeting ID, exclusive to a single meeting. Zoom's support page offers a video walk-through on how to generate a random meeting ID for extra security.

2. Enable the "Waiting Room" feature so that you can see who is attempting to join the meeting before allowing them access. Like many other privacy functions, a skillful disrupter can sometimes bypass this control, but it helps to put another hurdle in their route to chaos.

Zoom offers a support article here as well. To enable the Waiting Room feature, go to Account Management > Account Settings. Click on Meeting, then click Waiting Room to enable the setting.

3. Disable other options, including the ability for others to Join Before Host (it should be disabled by default, but check to be sure -- see below). Then disable screen-sharing for nonhosts, and also the remote control function. Finally, disable all file transferring, annotations and the autosave feature for chats...

4. Once the meeting begins and everyone is in, lock the meeting to outsiders ... and assign at least two meeting co-hosts. The co-hosts will be able to help control the situation in case anyone bypasses your efforts and gets into the meeting. more

Wednesday, April 29, 2020

'Zoom-bombed' | Salary Cuts Call Eavesdropped on by Rival Company

Staff at national news outlet The Independent were on a ‘confidential and sensitive video’ Zoom call to learn about salary cuts and furloughs when it was ‘zoom-bombed’ by an employee from a rival media organisation. more


Mark Di Stefano, a reporter with the Financial Times, allegedly entered meetings held over the video conferencing app by the Independent and the Evening Standard.

Stefano, according to the Independent, brazenly joined the meeting by using his work email address. This caused Stefano’s name to appear on the call, although his camera remained disabled.

The journalist reportedly joined for 16 seconds before logging out but returned soon after by logging in with his phone number.

Not long after the call, Stefano sent out a series of tweets describing topics that the Independent says were discussed during the staff meeting.

Stefano described information on everything from pay cuts to the outlet’s issues with falling ad revenue. more

Related News...
DHS Reportedly Concerned Zoom May be Vulnerable to Foreign Spies 
The feds are concerned that Zoom’s security flaws could make the popular videoconferencing platform vulnerable to foreign spies, a new report says.

An intelligence analysis from the Department of Homeland Security found that Zoom’s explosive growth and its well-known security problems make it a “target-rich environment” for government spy services and other hackers, ABC News reported Tuesday.

“Any organization currently using — or considering using — Zoom should evaluate the risk of its use,” the department warned in the analysis, which was reportedly distributed to law enforcement agencies around the US. more
...and much more.

Thursday, April 23, 2020

A Global Recession Will Fuel Cyber-Espionage

While the current pandemic crisis presents businesses with unprecedented economic challenges to their very existence, it has also created a tremendous level of cyber-risk.

Heightened risks are present not only because the significant number of individuals working from home increases the vulnerability landscape, but also because, as states fall deeper into recession, some may resort to cyber-espionage in an attempt to better position their post-pandemic political, economic, and industrial structures.

Regardless of the industry, the intellectual property (IP) of any organization is likely to be a precious target for foreign government-sponsored hackers...

Managing the crisis, in reality, can be much more complex and a nightmare for decision-makers. However, governments that are flexible and adaptable while at the same time prioritizing their cybersecurity measures and counter-espionage efforts are more likely to survive the crisis and sustain domestic business operations with minimal loss. more

Wednesday, April 22, 2020

What 007 is Doing These Days

British Spy Unit Kills 2,000 COVID-19 Scams In Just One Month

Across the world, law enforcement and intelligence agencies are waging a different kind of war on COVID-19, one taking on scammers who’re exploiting fear around the coronavirus.

In the U.K., an arm of the GCHQ intelligence agency has spent the last month wiping COVID-19 crooks from the web, with the National Cyber Security Centre (NCSC) announcing Monday that it had taken down more than 2,000 scams in a single month. more

Monday, April 20, 2020

7 Espionage Tricks to Avoid While Working From Home

Don't get tricked into giving away personal information. 
Why? Because this is what you use for your passwords.
  1. Facebook Quizzes
    Quizzes are all over Facebook: What does your eye color say about you? What kind of dog are you according to your zodiac sign? (Facebook says these were questions the criminals used.)

  2. 10 Things About You
    As people try to connect during the stay-at-home order, they are answering cut-and-paste questionnaires from their friends. They usually start with something like “Tell me 10 things I don’t know about you” and go on to ask questions like: Who was your first love? ... Here's the problem: those are the exact same questions asked when you forget your password. So, be wary of posting the answers on social media.

  3. Posting Information about Your Passwords
    People are posting all sorts of information about what’s going on at their homes with their children or with their pets. That’s fine, unless they use those same names as their passwords.

  4. Photos of the Home Work Station
    At this point, people are pretty proud of their work from home stations. They have a new webcam, a makeshift desk, and maybe even a good microphone. But posting photos of that home work station might give criminals too much information. Can someone see the screen from a window? Are they giving away the brands and models of their IoT devices (which might or might not have exploitable vulnerabilities)?

  5. Clicking Questionable Links
    There are a lot of questionable links on the internet. Users should be wary of sites they don’t recognize. While this is rudimentary advice, it’s a good reminder that the headline “New Pandemic Cure No One Is Talking About” likely leads to a malicious site.

  6. Be Aware of What’s Public
    Savvy users have changed their Facebook and Instagram profile settings to make them more private. But as soon as you post to a group or comment on someone’s post without strong privacy settings, folks outside your friends group can see what you’re doing. And other sites, like Twitter and Reddit, are not generally private. more
Thanks to Jake Milstein, CI Security Inc. for compiling this list.

Sunday, April 19, 2020

Office Printers: The Ticking IT Time Bomb

Unsecured printers are one of the items on our inspection checklist. Why? Because it is a very common problem. Normally buttoned-up networks put out a hacker welcome mat with just one unsecured printer. ~Kevin

Office printers don’t have to be security threats: with foresight and maintenance they’re very easily threat-proofed. The problem is that system administrators rarely give the humble printer (or scanner, or multifunction printer) much attention.

Hackers haven’t forgotten about printers – not by a long shot. Last summer, a Russian hacker group penetrated numerous organizations by first infiltrating unprotected printers, which were connected to the same network as every other device, and then laddering up to exploit increasingly sensitive areas.

Furthermore, according to a recent report, foreign governments can also easily conduct industrial espionage by targeting this under-the-radar beachhead into the organizational networks...

Using third parties to continually help identify security risks is a smart course of action for enterprises that are truly serious about security measures. more

Tuesday, April 14, 2020

500,000 Hacked Zoom Accounts Given Away - Free On The Dark Web

New users have flocked to the Zoom video conferencing platform as businesses, schools, and other organizations look for ways to meet safely during the Coronavirus pandemic. Unfortunately many of those brand new accounts appear to have been secured with old passwords.

The cyber risk assessment experts at Cyble recently discovered a hacker selling stolen Zoom credentials at dirt-cheap prices — and in some cases giving them away for free.

Cyble purchased more than 530,000 credentials on an underground hacking forum for next to nothing. Several of the company’s clients were among the stolen credentials, which also included personal meeting URLs and Zoom host keys. Cyble reached out and confirmed that the credentials were indeed valid.

Password re-use remains a huge security issue for the general public.
Fatigued users feel like they can’t remember yet another password so they set up new accounts using an old stand-by.

The problem is that by now all of those old stand-by passwords have been filed away in databases by criminal hackers. They’re actively using them to break into accounts using brute force attacks.
Usernames, email addresses, and passwords have been exposed by the billions over the past several years. Creating a new account on Zoom — or any service, for that matter — with a recycled password is simply not a good idea.

Hackers will come knocking. It’s not a question of if. It’s a question of when. more
Spybuster Tip # 053 - Upgrade all your passwords.
Spybuster Tip # 054 - Don't worry about having to remember all your passwords. Use a password vault.

Thursday, April 9, 2020

State-Backed Hackers Using Virus to Increase Spying

State-backed hackers are seizing on the coronavirus pandemic to lead cyber espionage. 

In a rare joint assessment released on Wednesday, Britain’s National Cyber Security Centre — a branch of signals intelligence agency GCHQ — and the US’ Cybersecurity and Infrastructure Security Agency — part of the Department of Homeland Security — highlighted the “growing use” of Covid-19 in state-sponsored cyber attacks.

The frequency and severity of these initiatives is likely to “increase over the coming weeks and months”, the NCSC said. more

By monitoring network activity one can document and quantify this type of spying activity. Other spying methods—bugging, and physical intrusions—are covert, thus undetected. Makes sense these would be on the rise as well. Maybe more so. Something to think about while your offices are empty and vulnerable. ~Kevin

Tuesday, April 7, 2020

Taiwan Joins Canada & More in Banning Zoom

Taiwan's cabinet has told government agencies to stop using Zoom Video Communications Inc.'s video conferencing app, the latest blow to the company as it battles criticism of its booming platform over privacy and security. more

Malaysia - The National Security Council (NSC) has warned that hackers could be listening to their conversations amid increasing use of video conferencing applications during the movement control order (MCO) period. more

New York City's education department is directing teachers and staff to “move away from using Zoom as soon as possible” for virtual instruction purposes due to cybersecurity concerns, department spokesperson Danielle Filson said on Saturday. more 

Google has banned Zoom from its staffers' devices. Google told its employees last week that it would block Zoom from working on their Google-provided computers and smartphones. This move comes after Taiwan told government employees not to use Zoom. Earlier, New York schools told their teachers to "gradually transition" from Zoom to another video-conferencing service. more

Friday, April 3, 2020

Facebook Tried to Buy Controversial Tool to Spy on iPhone Users, Court Filing Reveals

Over the last few years, Facebook has had a slew of privacy and security blunders and more details about one of them have come to light through a new court filing as the social media company is suing the spyware company NSO Group. It turns out Facebook tried to buy controversial government spyware to monitor iPhone and iPad users.

Reported by Motherboard, when Facebook was starting to build its spyware cloaked in a VPN product, Onavo Protect for iOS and Android, the social media company reached out to the controversial company NSO Group that creates spyware for government agencies...

Apple made Facebook remove Onavo Protect from the App Store in August of 2018.

Then in 2019 Facebook repackaged it as a “Research app” and tried to pay teens to sideload it on their devices.

The Research app was shut down as well, and Facebook finally shut down Onavo completely in February 2019. more

Zoom’s Encryption Is “Not Suited for Secrets” and Has Surprising Links To China, Researchers Discover

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.
Zoom could not be reached for comment. more


4/15/2020 UPDATE - More top companies ban Zoom following security fears. more

Thursday, April 2, 2020

Think Your Smart Speaker is Spying On You... get Paranoid

(Note: As of this date the manufacturer is only accepting pre-orders. Gauging demand before going into production is not uncommon. The following is just an interesting bit of news; not a product endorsement. Also, it might be an April Fool's prank.) 

Their headline reads, "Blocks smart speakers from listening, while keep them voice-activated. Just say "Paranoid" before your usual commands." more

"How?" ...you may ask.

A. In one of three ways.
  1. The BUTTON model begins with the mute button pressed. When it hears you say "Paranoid" it presses the button again, letting your next command pass through. After your command is finished it re-mutes with another press.
  2. The HOME model (it appears) uses ultrasound to block the speaker's microphones. Click here to learn how ultrasound blocking works. The volume needed for this application is very low, so it shouldn't be a health risk.
  3. The MAX model requires sending them your smart speaker so they can physically install their solution. People who use this option are not true paranoids. True privacy paranoids would be afraid the unit might come back bugged!


Wednesday, April 1, 2020

Guest Wi-Fi Access Comes with Risks for Organizations

Reported this week: A convicted sex offender downloaded indecent child images at a hostel where he was staying after using another resident's wi-fi code. more

In this case, a stolen access code was used to gain access. In many organizations the same guest code is given out to all guests. Sometimes it is even posted. Often it is never changed. Once the password is out, there is no telling who will access the system, or when, or for what purpose.

Downloading illegal images is only one of many guest access risks.

While hiding behind a reputable IP address unauthorized and anonymous "guests" can also conduct: drug transactions, video voyeurism, blackmail, financial scams, hacking, and more. The finger points at the organization's network. They might be legally held responsible. And, these are just the outward facing threats. Guest access can also be a pivot point to internal information theft.

Take this 15 second assessment.
Does your organization...
  • Provide guest Wi-Fi access?
  • Does guest access use the organization's network?
  • Is access unencrypted?
  • Do all guests use the same password?
  • Is the password posted anywhere, as in a conference room?
  • If posted, can it be seen from outside with binoculars or a drone?
  • Has the password remained the same for over a month? 
If you said yes (and/or not sure) three or more times your organization needs a Wi-Fi Security Analysis.

Legal defense is expensive. Reputational damage is hard to quantify. A proactive professional analysis is easy. Reduce risk and keep profits where they belong, in the bottom line.

Monday, March 30, 2020

Bosses Panic-Buy Spy Software...

... to keep tabs on remote workers.

“Companies have been scrambling,” said Brad Miller, CEO of surveillance-software maker InterGuard. “They’re trying to allow their employees to work from home but trying to maintain a level of security and productivity.”...

“It’s not because of lack of trust,” Miller said, who compared the software to banks using security cameras. “It’s because it’s imprudent not to do it.” more

Being Zoom'ed on Zoom has Organizations Worried, or they should be...

...experts warn that a rush to hold virtual meetings through Zoom, which has close to 13m monthly active users, could pose security risks.

The threat is so significant that British Ministry of Defence staff were told this week that the use of Zoom was being suspended with immediate effect while "security implications" were investigated.

The biggest worry is that a sudden reliance on Zoom could allow opportunistic hackers to quietly observe video calls as executives are focused on responding to the spread of coronavirus.

...the idea of strangers barging into virtual meeting rooms should raise alarm. more

Online Zoom classes were disrupted by individuals spewing racist, misogynistic or vulgar content. Experts say professors using Zoom should familiarize themselves with the program's settings. more


Mysterious Hacker Group Eavesdropping on Corporate Email & FTP traffic

Since at least early December 2019, a mysterious hacker group has been taking over DrayTek enterprise routers to eavesdrop on FTP and email traffic inside corporate networks...

Instead of abusing the device to launch DDoS attacks or re-route traffic as part of a proxy network, the hackers turned it into a spy-box...

...researchers didn't speculate why hackers were collecting FTP and email traffic. But speaking to ZDNet over the phone, a security researcher pointed out that this looked like a classic reconnaissance operation...

"It's obvious they're logging traffic to collect login credentials for FTP and email accounts," the researcher told ZDNet. "Those creds are flying unencrypted over the network. They're easy pickings." more
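The researcher's point, that FTP and email logins cross the wire in the clear, is something a defender can check in their own traffic captures. The following Python is an added example (not from the ZDNet report or the researcher quoted above): it flags cleartext FTP USER/PASS and SMTP AUTH PLAIN exchanges in constructed session transcripts, treating anything after FTP `AUTH TLS` or SMTP `STARTTLS` as protected.

```python
"""Flag cleartext credential exchanges in FTP and SMTP session transcripts.

Added example, not code from the ZDNet report or the quoted researcher.
The session transcripts below are constructed to resemble what a proxy or
IDS might log as (protocol, direction, line), with "C" = client, "S" = server.
"""
import base64
from dataclasses import dataclass

# Constructed sample traffic.
SAMPLE_SESSIONS = {
    "ftp-plain": [
        ("ftp", "S", "220 files.example.internal FTP ready"),
        ("ftp", "C", "USER backup"),
        ("ftp", "S", "331 Password required"),
        ("ftp", "C", "PASS Winter2020!"),
        ("ftp", "S", "230 Login successful"),
    ],
    "ftp-tls": [
        ("ftp", "S", "220 files.example.internal FTP ready"),
        ("ftp", "C", "AUTH TLS"),
        ("ftp", "S", "234 Proceed with negotiation"),
    ],
    "smtp-auth-plain": [
        ("smtp", "S", "220 mail.example.internal ESMTP"),
        ("smtp", "C", "EHLO laptop"),
        ("smtp", "C", "AUTH PLAIN " + base64.b64encode(b"\0alice\0hunter2").decode()),
        ("smtp", "S", "235 Authentication successful"),
    ],
    "smtp-starttls": [
        ("smtp", "S", "220 mail.example.internal ESMTP"),
        ("smtp", "C", "EHLO laptop"),
        ("smtp", "C", "STARTTLS"),
        ("smtp", "S", "220 Ready to start TLS"),
    ],
}


@dataclass
class Finding:
    session: str
    protocol: str
    username: str
    reason: str


def _decode_auth_plain(blob):
    """SASL PLAIN is base64(authzid NUL authcid NUL password); return the authcid."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else None


def scan_session(name, lines):
    """Return one Finding per credential sent before any TLS upgrade."""
    findings = []
    pending_user = None
    for proto, direction, line in lines:
        if direction != "C":  # only client commands carry credentials
            continue
        upper = line.upper()
        # FTP "AUTH TLS" and SMTP "STARTTLS" move the session into TLS;
        # anything after that is opaque to a passive observer.
        if upper.startswith("AUTH TLS") or upper == "STARTTLS":
            break
        if proto == "ftp":
            if upper.startswith("USER "):
                pending_user = line[5:]
            elif upper.startswith("PASS ") and pending_user:
                findings.append(Finding(name, proto, pending_user, "FTP USER/PASS in cleartext"))
        elif proto == "smtp" and upper.startswith("AUTH PLAIN "):
            user = _decode_auth_plain(line.split(" ", 2)[2])
            if user:
                findings.append(Finding(name, proto, user, "SMTP AUTH PLAIN without STARTTLS"))
    return findings


def scan_all(sessions=SAMPLE_SESSIONS):
    """Scan every session and return all cleartext-credential findings."""
    return [f for name, lines in sessions.items() for f in scan_session(name, lines)]
```

Two of the four constructed sessions are flagged; the two that negotiate TLS before authenticating are not.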

Tuesday, March 24, 2020

BBC Spycam Documentary

In a new BBC documentary Stacey Dooley Investigates: Spycam Sex Criminals.

The crime no doubt happens all over the world, but is actually one that has been sweeping South Korea lately, as many have been found guilty of planting recording equipment in public places and then charging people to view the footage online...

The upcoming documentary will see our fave reporter look into the subject head on to give us an insight into the voyeuristic practice and how now, with such advanced technology, it's easier than ever to hide cameras in public places.

Some of the cameras being used are as small as the head of a needle and are very difficult to spot, but Stacey will be taken on patrol with experienced spy cam hunters to uncover hiding places.

Stacey Dooley Investigates: Spycam Sex Criminals will be available on iPlayer from 6am on 1st April - something to add to your quarantined watch list. more