Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.
See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!
⛏ Nvidia Targets Cryptojackers
This week Nvidia announced that its new gaming graphics card the RTX 3060 will have software to detect Ether mining and cut mining efficiency in half. Alongside this Nvidia is also releasing a graphics card dedicated to cryptocurrency mining. The hope being that consumers purchase cards that aren’t likely to be targetted by cryptojacking and cryptocurrency miners don’t purchase all the graphics cards meant for gamers.
What’s Cryptojacking? It's the malicious use of someone's computer to mine cryptocurrencies without consent. Cryptocurrency mining is where users are paid a small amount of currency for verifying cryptocurrency transactions, graphics cards are very good at carrying out the calculations needed to verify these transactions.
So will this work? The prevailing opinion seems to be that this won’t dissuade many cybercriminals from engaging in cryptojacking. But it might be a win for gamers who won’t see cryptocurrency miners buying up all the graphics card stock as soon as it’s made available.
“Even though these new Nvidia drivers will halve the earning rate of the cybercriminals, the crooks aren’t paying for the electricity (you are!), so any unlawfully mined crypto-coins are still essentially free money for them.” Paul Ducklin of Sophos security.
🎙 Alexa Skills Can Bypass Security Checks
Security Researchers this week identified gaps in how Amazon secures the Alexa skills ecosystem.
What’s an Alexa skill? It’s essentially an application for Alexa built by third-party developers. For example, you can download skills to read the news or play a game.
What security issues were found?
- Researchers were able to register skills that use the names of well-known company names like Ring or Samsung. This would enable attackers to create malicious skills that appeared to be legitimate.
- A third of skills share the same “invocation name” as another skill. This is the word that a user must say to activate the skill. Sharing these names makes it easy for a bad actor to create a malicious skill that could unknowingly activate when a user said the invocation name of another skill.
- Attackers can make code changes after the skills have been approved and undergone a security check by Amazon.
An Amazon spokesman commented on the story stating that “The security of our devices and services is a top priority. Any offending skills we identify are blocked during certification or quickly deactivated”.
Whilst Amazon does take down offending skills, it seems like there are some simple checks that Amazon could introduce to improve the security of the Alexa Skills ecosystem. Checking for the unauthorized use of popular developers’ names and not allowing overlapping invocation names would be a good start.
🏡 Does Clubhouse have Security Problems?
There’s been a lot of articles published this week with headlines like “Clubhouse is recording your conversations”. Clubhouse is the new social media platform taking the tech industry by storm - it’s essentially a platform for live streaming conversations. Users can join “rooms” to hear people discussing lots of different topics.
Researchers this week found some sites online where you could listen to the audio of any clubhouse room without joining them. Clubhouse has now blocked the avenues that these sites used, but it shouldn’t be surprising to anyone that their conversations on a live streaming service are public. This isn’t a security issue, it’s a perception issue. If anyone thought that conversations on Clubhouse were private they were mistaken - that’s not the purpose of the platform.
The security issue that’s actually worth discussing with Clubhouse is their use of the Chinese company Agora. Agora provides Clubhouse’s audio streaming and data storage services. Agora certainly doesn’t have a spotless security record and last week I covered a vulnerability in their video chat platform that was left unfixed for 8 months.
Last year when Trump moved to ban TikTok, the reasoning given was that as a Chinese company the Communist party could compel TikTok to share user data with them - the same is true with Agora. This week Bruce Schneider released a report he co-authored on The Threat of Chinese-owned Technology Platforms if you’re interested in reading more.
🔥 Rapid Fire
Some shorter stories…
🙆♂️ We got reports of new cyberattacks by the Chinese and Vietnamese governments this week that are targeting activists and political opponents. Link.
⌨ Some researchers have attempted to infer what you're typing just by looking at hand movements on video calls - a very interesting idea. Their accuracy is pretty low right now at 20% for inferring passwords, but it's worth keeping an eye on! Link.
📈 As we approach the end of the tax year, malware targetting the QuickBooks accounting software has seen a 6/7x increase. Attackers have been trying to exfiltrate users’ accounting data, which can then be sold or stored for future use in spear-phishing campaigns. These rely on personal information to tailor social-engineering scams for maximum effect. Link.
💾 Malware that’s been built to run on Apple’s new M1 processor has been discovered. It’s been given the name Silver Sparrow and it uses the MacOS Installer to write its own scripts into the victim's file system. Currently, its purpose is unknown as it does not carry out any malicious actions when installed. But if malicious functionality were added to Silver Sparrow it could become a more serious threat. An increasing number of Macs will start using the M1 processor in the years to come, so being able to target them could be very lucrative for attackers. Link.
💵 A number of companies have recently been hacked using vulnerabilities in the Accellion FTA software. The attacks have been traced back to a ransomware gang known as Clop. The interesting aspect of these attacks is that Clop hasn’t deployed any ransomware against these companies. Rather than encrypting the company’s data they threatened to release it online if a ransom wasn’t paid. It’s worth keeping an eye on this trend. As ransomware protection and mitigation gets better, cybercriminals will need to find new ways of monetizing cyberattacks. There are lots of new tactics coming to the surface at the moment. Link.
🎯 New Vulnerabilities
The most interesting new vulnerabilities disclosed this week.
A buffer overflow vulnerability in Python has been discovered. New Python versions have been rushed out that address the flaw. In most cases, hackers would only be able to use this to crash an app running on Python, but remote code execution could be possible. Link.
Vulnerabilities in 11 out of 29 popular pdf readers allow attackers to change the content of pdfs that have been digitally signed. This made me think about the security of digital signatures in general; I’m sure plenty of companies during the pandemic have resorted to signing documents in ways that are easy for malicious actors to spoof. Link.
VMware has addressed multiple vulnerabilities in VMware ESXi and vSphere Client. The software is used in data centers for managing virtual machines. The vulnerabilities would allow attackers to execute arbitrary commands and take control of affected systems. Link.
Cisco fixed 3 critical flaws this week, 2 in their software products and the other affecting certain models of their network switches. All gave a remote attacker admin (root) privileges on affected devices. Link.
💭 Anything Else?
Other news, ideas and insights from around the web that you might enjoy.
📞 Apple's App Tracking Transparency Policy means that users will have to opt-in to let developers track their activities in other apps. An article from Mobile Dev Memo about the unintended consequences of ATT. Link.
📽 Inside Chinese TikTok’s censorship machine. It’s pretty scary stuff. Link.
📊 An article from Bookings on why data ownership is the wrong approach to protecting privacy. Link.
❤ Liked what you read?
Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!
If you’re that friend… Sign up here to receive CyberLite every week!
🎁 Wrapping Up
Thanks for reading, I’ll catch you next week!