• Mohinee Singh
  • November 11, 2020

CF BYTES- ISSUE#17

Welcome to the October 2020 second fortnight edition of CF Bytes.

Security misconfigurations continued to be a headache worldwide: an independent study found that more than 78% of administrators have still not configured Multi-Factor Authentication in MS 365. Zoom finally enabled end-to-end encryption for all of its platforms except the web client and third-party clients using the Zoom SDK. Nation-state espionage continued at a brisk pace, with an Australian financial newspaper uncovering the OKIDB database, which contained personal information on nuclear subject matter experts. Technology continued to offer solutions in difficult pandemic times, with robots deployed for burger-flipping tasks, freeing employees for logistics and home deliveries. MIT researchers were also able to detect asymptomatic people affected by COVID-19 to a high degree of accuracy by listening to the cough sounds they made during cell phone calls.

In security breaches, Pfizer data on prescription drug users in the US was leaked due to an unprotected Google Cloud storage bucket. Similarly, a Broadvoice database cluster holding more than 350 million records, many including personal details and voicemail transcripts of Broadvoice clients’ customers, was left open for anyone to view. Concerns were also raised over vulnerabilities reported in link previews in several major messaging apps such as Facebook Messenger, Instagram, Line, Reddit and LinkedIn. In addition, 100 smart irrigation systems were left exposed online without a password, which allowed anyone to access and tamper with water irrigation programs for crops, tree plantations, cities, and building complexes.

Security News

Zoom’s end-to-end encryption (E2EE) lets both free and paid users secure their meetings so that only participants, not Zoom or anyone else, can access their content. E2EE is supported across its Mac, PC, iOS, and Android apps, as well as Zoom Rooms, but not its web client or third-party clients that use the Zoom SDK. Read more.

An Australian financial newspaper has uncovered a database of more than 2 million scientists and subject matter experts kept by the Chinese government. The Overseas Key Individuals Database (OKIDB) includes many thousands of nuclear and other strategic industry experts, their personal information, and even where their relatives live. Read more.

CoreView’s research report indicates that approximately 78% of Microsoft 365 administrators do not have Multi-Factor Authentication (MFA) activated. This is a huge security risk, particularly at a time when the majority of employees are remote. Read more.

The White Castle burger chain installed the commercially available version of Flippy Robot-on-a-Rail (ROAR) in its kitchens. It expects Flippy to let it limit staff numbers to ensure social distancing while keeping up with the increasing demand for delivery and take-out orders due to the coronavirus pandemic. Read more.

MIT researchers deduced that the cough sound of asymptomatic people differed from that of healthy individuals. When fed cough sounds from cellphone recordings, the model accurately identified 98.5 percent of coughs from people who were confirmed to have Covid-19, including 100 percent of coughs from asymptomatics, who reported they did not have symptoms but had tested positive for the virus. Read more.

Attacks / Breaches

The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. Even if the command and control (C2) server is taken down, the DoNot team can still redirect the malware to another C2 using Google infrastructure. Read more.

More than 100 smart irrigation systems were left exposed online without a password last month, allowing anyone to access and tamper with water irrigation programs for crops, tree plantations, cities, and building complexes. Read more.

Pharma giant Pfizer has leaked the private medical data of prescription-drug users in the U.S. for months or even years, thanks to an unprotected Google Cloud storage bucket. Read more.

A Broadvoice database cluster holding more than 350 million records, many including personal details and voicemail transcripts of Broadvoice clients’ customers, was left open online for anyone to view with no authentication required for access. Read more.

Researchers Talal Haj Bakry and Tommy Mysk published a report detailing how link previews create vulnerabilities in several major messaging apps such as Facebook Messenger, Instagram, Line, Reddit, and LinkedIn. Read more.
