Categories
Security

Zoom fixed a big problem on Mac, and you should update today

If you have Zoom installed on your MacBook, you’ll want to update the app right now. Zoom spent the weekend patching a major security flaw in its Mac app, and the update is available right now.

According to The Verge, it all began at Def Con, a computer security and hacker conference in Las Vegas. The founder of the security non-profit Objective-See and an ex-NSA security analyst, Patrick Wardle, took to the stage on Friday and presented a stunning find: a massive security vulnerability in the Zoom installer for MacBooks.

The exploit allowed a threat actor to take control of someone’s Mac through the Zoom app, right down to the root level of the machine. The Zoom package installer used a weak security certificate test, and any file with the same name as the official Zoom package could easily bypass that test. At this level, the MacBook recognizes the hacker as a “superuser” who can then read, change or create any file, including adding other malware to the system.

Frustratingly, Wardle had discovered the security threat back in December and had informed Zoom of his findings. Wardle said Zoom didn’t take him seriously and released a patch after a month, which contained another security bug. He informed Zoom of this second bug, and more importantly, of the first bug not being fixed. Zoom sat on it.

Wardle decided to go public with his findings at Def Con. He had followed responsible disclosure protocols, which give companies time to fix bugs, and after eight months of inaction, he felt he had to warn others. Zoom released a small patch a few weeks before the conference, but Wardle said the vulnerability was still present.

This isn’t the first time Zoom has been criticized for lax security. In 2020, Wardle discovered a Mac vulnerability in Zoom which allowed cameras and microphones to be hijacked. Zoom was also found to have been sending user data to Facebook, and then the US Department of Justice filed charges against a Zoom executive for collusion with the Chinese government.

Zoom spent the weekend working on a new patch following Wardle’s presentation, and it is now available. Version 5.11.5 is a free update for Mac-based Zoom installs and is available now.

If you would prefer to use a different video conferencing platform, check out our handy guide to Microsoft Teams.

Repost: Original Source and Author Link

Zoom’s latest update on Mac includes a fix for a dangerous security flaw

Zoom has issued a patch for a bug on macOS that could allow a hacker to take control of a user’s operating system (via MacRumors). In an update on its security bulletin, Zoom acknowledges the issue (CVE-2022-28756) and says a fix is included in version 5.11.5 of the app on Mac, which you can (and should) download now.

Patrick Wardle, a security researcher and founder of the Objective-See Foundation, a nonprofit that creates open-source macOS security tools, first uncovered the flaw and presented it at the Def Con hacking conference last week. My colleague, Corin Faife, attended the event and reported on Wardle’s findings.

As Corin explains, the exploit targets the Zoom installer, which requires special user permissions to run. By leveraging this tool, Wardle found that hackers could essentially “trick” Zoom into installing a malicious program by putting Zoom’s cryptographic signature on the package. From here, attackers can then gain further access to a user’s system, letting them modify, delete, or add files on the device.

“Mahalos to Zoom for the (incredibly) quick fix!” Wardle said in response to Zoom’s update. “Reversing the patch, we see the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus preventing malicious subversion.”

You can install the 5.11.5 update on Zoom by first opening the app on your Mac and hitting zoom.us (this might be different depending on what country you’re in) from the menu bar at the top of your screen. Then, select Check for updates, and if one’s available, Zoom will display a window with the latest app version, along with details about what’s changing. From here, select Update to begin the download.

The Zoom installer let a researcher hack his way to root access on macOS

A security researcher has found a way that an attacker could leverage the macOS version of Zoom to gain access over the entire operating system.

Details of the exploit were released in a presentation given by Mac security specialist Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday. Some of the bugs involved have already been fixed by Zoom, but the researcher also presented one unpatched vulnerability that still affects systems now.

The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test — so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.

The result is a privilege escalation attack, which assumes an attacker has already gained initial access to the target system and then employs an exploit to gain a higher level of access. In this case, the attacker begins with a restricted user account but escalates into the most powerful user type — known as a “superuser” or “root” — allowing them to add, remove, or modify any files on the machine.

Wardle is the founder of the Objective-See Foundation, a nonprofit that creates open-source security tools for macOS. Previously, at the Black Hat cybersecurity conference held in the same week as Def Con, Wardle detailed the unauthorized use of algorithms lifted from his open-source security software by for-profit companies.

Following responsible disclosure protocols, Wardle informed Zoom about the vulnerability in December of last year. To his frustration, he says an initial fix from Zoom contained another bug that meant the vulnerability was still exploitable in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing the research.

“To me that was kind of problematic because not only did I report the bugs to Zoom, I also reported mistakes and how to fix the code,” Wardle told The Verge in a call before the talk. “So it was really frustrating to wait, what, six, seven, eight months, knowing that all Mac versions of Zoom were sitting on users’ computers vulnerable.”

A few weeks before the Def Con event, Wardle says Zoom issued a patch that fixed the bugs that he had initially discovered. But on closer analysis, another small error meant the bug was still exploitable.

In the new version of the update installer, a package to be installed is first moved to a directory owned by the “root” user. Generally this means that no user that does not have root permission is able to add, remove, or modify files in this directory. But because of a subtlety of Unix systems (of which macOS is one), when an existing file is moved from another location to the root directory, it retains the same read-write permissions it previously had. So, in this case, it can still be modified by a regular user. And because it can be modified, a malicious user can still swap the contents of that file with a file of their own choosing and use it to become root.
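The permission subtlety described above, shown as an added example that is not Zoom’s code: a rename into a privileged directory keeps the file’s owner and mode bits, so an ownership and write-bit check on the staged file fails until the file is chowned and its group/other write bits dropped (the role the lchown call plays in the patched installer). The staging directory, the file name `update.pkg` and the "owned by the updater, writable only by the owner" rule are assumptions made for the demonstration, and it runs as a normal user so the chown is to the caller’s own uid.

```python
"""Added example (not Zoom's code): why moving a file into a root-owned
directory does not make it safe, and the ownership/permission check a
privileged updater should run before trusting a staged package.

Assumptions (illustrative, not from the original article): the updater
stages the package with a rename into a privileged directory; the safety
rule is "owned by the updater's uid and not writable by group or others".
"""
import os
import stat
import tempfile


def stage_package(src: str, staging_dir: str) -> str:
    """Move src into staging_dir the way a naive updater might.

    os.rename only relinks the inode: the file keeps its owner and mode
    bits, so a world-writable file stays world-writable after the move.
    """
    dst = os.path.join(staging_dir, os.path.basename(src))
    os.rename(src, dst)
    return dst


def is_safe_to_install(path: str, expected_uid: int) -> bool:
    """Return True only if path is a regular file owned by expected_uid
    that nobody else can modify. Uses lstat so a symlink planted at the
    path is rejected rather than followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != expected_uid:
        return False
    # Group- or world-writable: another account could swap the contents
    # between the signature check and the install.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def harden_staged_package(path: str, owner_uid: int) -> None:
    """The kind of fix the article describes: take ownership and drop the
    write bits for everyone but the owner after the move. Analogous to the
    lchown call Wardle found in the patched installer (here os.lchown plus
    chmod; as a normal user, lchown to one's own uid is an allowed no-op)."""
    os.lchown(path, owner_uid, -1)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)


def demo() -> dict:
    """Constructed scenario: a world-writable package file is moved into a
    staging directory and checked before and after hardening."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as work:
        user_dir = os.path.join(work, "user")
        staging = os.path.join(work, "staging")
        os.mkdir(user_dir)
        os.mkdir(staging, 0o700)
        pkg = os.path.join(user_dir, "update.pkg")  # constructed file name
        with open(pkg, "wb") as f:
            f.write(b"constructed package bytes")
        os.chmod(pkg, 0o666)  # writable by anyone, as a lax download might leave it

        staged = stage_package(pkg, staging)
        mode_after_move = stat.S_IMODE(os.lstat(staged).st_mode)
        before = is_safe_to_install(staged, uid)
        harden_staged_package(staged, uid)
        after = is_safe_to_install(staged, uid)
        return {
            "mode_after_move": mode_after_move,   # 0o666: the move changed nothing
            "safe_before_hardening": before,      # False
            "safe_after_hardening": after,        # True
        }


if __name__ == "__main__":
    print(demo())
```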

While this bug is currently live in Zoom, Wardle says it’s very easy to fix and that he hopes that talking about it publicly will “grease the wheels” to have the company take care of it sooner rather than later.

In a statement to The Verge, Matt Nagel, Zoom’s security and privacy PR lead, said: “We are aware of the newly reported vulnerability in the Zoom auto updater for macOS and are working diligently to address it.”

Update August 12th, 11:09 PM ET: Article updated with response from Zoom.

Why it’s taking so long to encrypt Facebook Messenger

After a high-profile incident in which subpoenaed Facebook messages led to felony charges for a 17-year-old girl and her mother in a Nebraska abortion case, Meta said Thursday that it would expand testing of end-to-end encryption in Messenger ahead of a planned global rollout.

This week, the company will automatically begin to add end-to-end encryption in Messenger chats for more people. In the coming weeks, it will also increase the number of people who can begin using end-to-end encryption on direct messages in Instagram.

Meanwhile, the company has begun to test a feature called “secure storage” that will allow users to restore their chat history when they install Messenger on a new device. Backups can be locked by a PIN, and the feature is designed to prevent the company or anyone else from being able to read their contents.

The global rollout is expected to be completed next year.

Meta told Wired that it had long planned to make these announcements, and that the fact that they came so soon after the abortion case came to light was a coincidence. I’m less interested in the timing, though, than the practical challenges of making encrypted messaging the default for hundreds of millions of people. In recent conversations with Meta employees, I’ve come to understand more about what’s taking so long — and how consumer apathy toward encryption has created challenges for the company as it works to create a secure messaging app that its user base will actually use.

It has now been three years since Mark Zuckerberg announced, amid an ongoing shift away from public feeds toward private chats, that going forward the company’s products would embrace encryption and privacy. At the time, WhatsApp was already encrypted end to end; the next step was to bring the same level of protection to Messenger and Instagram. Doing so required that the apps be rebuilt almost from scratch — and teams have encountered a number of roadblocks along the way.

The first is that end-to-end encryption can be a pain to use. This is often the tradeoff we make in exchange for more security, of course. But average people may be less inclined to use a messaging app that requires them to set a PIN to restore old messages, or displays information about the security of their messages that they find confusing or off-putting.

The second, related challenge is that most people don’t know what end-to-end encryption is. Or, if they’ve heard of it, they might not be able to distinguish it from other, less secure forms of encryption. Gmail, among many other platforms, encrypts messages only when a message is in transit between Google’s servers and your device. This is known as transport layer security, and it offers most users good protection, but Google — or law enforcement — can still read the contents of your messages.

Meta’s user research has shown that people grow concerned when you tell them you’re adding end-to-end encryption, one employee told me, because it scares them that the company might have been reading their messages before now. Users also sometimes assume new features are added for Meta’s benefit, rather than their own — that’s one reason the company labeled the stored-message feature “secure storage,” rather than “automatic backups,” so as to emphasize security in the branding.

When the company surveyed users earlier this year, only a minority identified as being significantly concerned about their privacy, I’m told.

On Tuesday, I wrote that companies like Meta should consider going beyond end-to-end encryption to make messages disappear by default. One employee told me this week that the company has considered doing so, but usage of the feature in Messenger to date — where it is available as an option — has been so low that making it a default has generated little enthusiasm internally.

On the contrary, I’m told, access to old messages is a high priority for many Messenger users. Messing with that too much could send users scrambling for communications apps like the ones they’re used to — the kind that keep your chat history stored on a server, where law enforcement may be able to request and read it.

A third challenge is that end-to-end encryption can be difficult to maintain even within Facebook, I’m told. Messenger is integrated into the product in ways that can break encryption — Watch Together, for example, lets people message each other while watching live video. But that inserts a third person into the chat, making encryption much more difficult.

There’s more. Encryption won’t work unless everyone is using an up-to-date version of Messenger; lots of people don’t update their apps. It’s also tough to pack encryption into a sister app like Messenger Lite, which is designed to have a small file size so it can be used by users with older phones or limited data access. End-to-end encryption technology takes up a lot of megabytes.

I bring all this up not to excuse Meta for failing to roll out end-to-end encryption up to now. The company has been working on the project steadily for three years, and while I wish it were moving faster, I’m sympathetic to some of the concerns that employees raised with me over the past few days.

At the same time, I think Meta’s challenges in bringing encryption to the masses in its messaging app raise real questions about the appetite for security in these products. Activists and journalists take it for granted that they should be using encrypted messaging apps already, ideally one with no server-side storage of messages, such as Signal.

But Meta’s research shows that average people still haven’t gotten — well, the message. And it’s an open question how the events of 2022, as well as whatever we’re in for in the next few years, may change that.

(Employees told me that Meta’s push to add encryption picked up after the invasion of Ukraine earlier this year, when stories about Russian military personnel searching captives’ phones drew attention to the dangers of permanently stored, easily accessible messages.)

For all the attention the Nebraska case got, it had almost nothing to do with the overturning of Roe vs. Wade: Nebraska already banned abortion after 20 weeks, and the medical abortion at the heart of this case — which took place at 28 weeks — would have been illegal under state law even had Roe been upheld.

Yes, Meta turned over the suspects’ messages upon being subpoenaed, but there’s nothing surprising about that, either: the company got 214,777 requests in the second half of last year, covering about 364,642 different accounts; it produced at least some data 72.8 percent of the time. Facebook cooperating with law enforcement is the rule, not the exception.

In another way, though, this has everything to do with Roe. Untold numbers of women will now be seeking abortion care out of state, possibly violating state law to do so, and they’ll need to communicate about it with their partners, family, and friends. The coming months and years will bring many more stories like the Kansas case, drawing fresh attention each time to how useful tech platforms are to law enforcement in gathering evidence.

It’s possible the general apathy toward encryption of most Facebook users will survive the coming storm of privacy invasions. But it strikes me as much more likely that the culture will shift to demand that companies collect and store less data, and do a better job educating people about how to use their products safely.

If there’s a silver lining in any of this, it’s that the rise in criminal prosecutions for abortion could create a massive new constituency organized to defend encryption. From India to the European Union to the United States, lawmakers and regulators have been working to undermine secure messages for many years now. To date, it has been preserved thanks in part to a loose coalition of activists, academics, civil society groups, tech platforms, and journalists: in short, some of the people who rely upon it most.

But with Roe overturned, the number of people for whom encrypted messaging is now a necessity has grown markedly. A cultural shift toward encryption could help preserve and expand access to secure messaging, both in the United States and around the world.

That shift will take time. But there’s much that tech platforms can do now, and here’s hoping they will.

This Mac hacker’s code is so good, corporations keep stealing it

Patrick Wardle is known for being a Mac malware specialist — but his work has traveled farther than he realized.

A former employee of the NSA and NASA, he is also the founder of the Objective-See Foundation: a nonprofit that creates open-source security tools for macOS. The latter role means that a lot of Wardle’s software code is now freely available to download and decompile — and some of this code has apparently caught the eye of technology companies that are using it without his permission.

Wardle will lay out his case in a presentation on Thursday at the Black Hat cybersecurity conference with Tom McGuire, a cybersecurity researcher at Johns Hopkins University. The researchers found that code written by Wardle and released as open source has made its way into a number of commercial products over the years — all without the users crediting him or licensing and paying for the work.

The problem, Wardle says, is that it’s difficult to prove that the code was stolen rather than implemented in a similar way by coincidence. Fortunately, because of Wardle’s skill in reverse-engineering software, he was able to make more progress than most.

“I was only able to figure [the code theft] out because I both write tools and reverse engineer software, which is not super common,” Wardle told The Verge in a call before the talk. “Because I straddle both of these disciplines I could find it happening to my tools, but other indie developers might not be able to, which is the concern.”

The thefts are a reminder of the precarious status of open-source code, which undergirds enormous portions of the internet. Open-source developers typically make their work available under specific licensing conditions — but since the code is often already public, there are few protections against unscrupulous developers who decide to take advantage. In one recent example, the Donald Trump-backed Truth Social app allegedly lifted significant portions of code from the open-source Mastodon project, resulting in a formal complaint from Mastodon’s founder.

One of the central examples in Wardle’s case is a software tool called OverSight, which Wardle released in 2016. OverSight was developed as a way to monitor whether any macOS applications were surreptitiously accessing the microphone or webcam, with much success: it was effective not only as a way to find Mac malware that was surveilling users but also to uncover the fact that a legitimate application like Shazam was always listening in the background.

Wardle — whose cousin Josh Wardle created the popular Wordle game — says he built OverSight because there wasn’t a simple way for a Mac user to confirm which applications were activating the recording hardware at a given time, especially if the applications were designed to run in secret. To solve this challenge, his software used a combination of analysis techniques that turned out to be unusual and, thus, unique.

But years after OverSight was released, he was surprised to find a number of commercial applications incorporating similar application logic in their own products — even down to replicating the same bugs that Wardle’s code had.

A slide from Wardle and McGuire’s Defcon presentation.
Image: Patrick Wardle

Three different companies were found to be incorporating techniques lifted from Wardle’s work in their own commercially sold software. None of the offending companies are named in the Black Hat talk, as Wardle says that he believes the code theft was likely the work of an individual employee, rather than a top-down strategy.

The companies also reacted positively when confronted about it, Wardle says: all three vendors he approached reportedly acknowledged that his code had been used in their products without authorization, and all eventually paid him directly or donated money to the Objective-See Foundation.

Code theft is an unfortunate reality, but by bringing attention to it, Wardle hopes to help both developers and companies protect their interests. For software developers, he advises that anyone writing code (whether open or closed source) should assume it will be stolen and learn how to apply techniques that can help uncover instances where this has happened.

For corporations, he suggests that they better educate employees on the legal frameworks surrounding reverse engineering another product for commercial gain. And ultimately, he hopes they’ll just stop stealing.

Crypto bridge RenBridge used to launder $540 million, says report

Hackers, fraudsters, and others laundered at least $540 million through the cryptocurrency bridge network RenBridge since 2020, according to blockchain analysis group Elliptic. Elliptic researchers published the report today, citing RenBridge as an example of the risks of decentralized cross-chain networks.

RenBridge is pitched as a way to easily convert virtual currencies like ZCash and Bitcoin to the Ethereum network and then to other blockchains. But “as well as a legitimate tool, cross-chain bridges have also emerged as a key facilitator of money laundering,” letting users avoid regulations and move money easily across networks, the report says. That includes the proceeds of ransomware operations and theft from other chains.

Cryptocurrency isn’t as untraceable as some users expect, but it’s still possible to mask the sources of funds with specific services, especially decentralized ones like Elliptic. And regulators have started to take notice. Earlier this week, the US Department of the Treasury sanctioned Tornado Cash, a decentralized mixer designed to obscure the sources of crypto. It made a similar move with the mixer Blender.io in May. In both of those cases, the government noted the services’ alleged use by North Korean hacker groups.

Elliptic’s report similarly suggests RenBridge was used to launder money stolen from Japan’s Liquid crypto network, a hack linked with North Korea. It also claims RenBridge is popular among Russia-linked ransomware operations, saying $153 million in ransomware was laundered through the service.

Many other digital services can be used for both crime and noncriminal purposes, like privacy and censorship evasion. But decentralized finance or DeFi is particularly rife with theft and hacking, and identifying chokepoints is potentially useful for security analysts and governments alike.

Burger King blank email orders confuse thousands of customers

Burger King has just emailed thousands of customers with a blank order email receipt. The blank emails started appearing at around 12:15AM ET, leaving Burger King customers confused whether the company has been breached by a hungry hacker attempting a midnight feast, or if the emails are simply a giant whopper of a mistake.

Twitter users were quick to turn to the social network in a state of confusion over the blank emails, with some even receiving two Burger King emails in an apparent double whopper of a mistake. The order emails are totally blank, and were sent by Burger King’s main promotional marketing email address.

Burger King’s blank order receipt.
Screenshot by Tom Warren / The Verge

There’s no clear indication that Burger King has been breached. A lot of people who have received the emails don’t even remember creating a Burger King account, so it could simply be a system change that went wrong and blasted out blank orders to Burger King’s entire marketing database.

After this story was published, an email from “BK PR Team” responded to our request for more information, claiming the issue was “the result of an internal processing error.” We have asked for a specific individual to attribute the information to.

Update August 9th, 3:27PM ET: Added information from Burger King.

1Password 8 arrives on Android and iOS with a big redesign and personalized home

1Password is launching a big update to its Android and iOS apps today. 1Password 8 overhauls the design of the mobile password management apps in many of the same ways the 1Password 8 apps for Windows and Mac were redesigned in recent months. The new mobile interface includes a personalized home tab, which should make it easier to find logins, pin favorites, and organize your passwords.

The new personalized homescreen also lets you easily see logins you’ve recently created and even pin individual fields from a login. You can also reorder sections and add quick actions to the home tab, and the navigation bar now provides quick access to search, home, and settings.

Search isn’t super obvious in the current 1Password mobile app, and the navigation bar is split into favorites, categories, tags, and settings instead. 1Password 8 greatly simplifies the entire interface and navigation bar, making it easier for 1Password users who aren’t familiar with the mobile app to find their logins. The updated app also has new and improved icons, typography, and detailed views for logins and vaults.

New icons and customizable homescreen on 1Password 8 mobile.
Image: 1Password

1Password has also added an updated Watchtower UI inside the mobile app, including alerts about data breaches inside items. Collections are also available in the mobile app now, allowing 1Password users to create custom groups of vaults. Autofill is also faster and more precise, so 1Password on mobile should more accurately auto fill payment cards, addresses, and identities across apps.

“Over the last couple years we’ve been making a concerted effort to unify our design language,” explained Michael Fey, VP of engineering for client apps at 1Password, earlier this year. “The updated designs result in a modern take on 1Password that is both familiar and fresh.”

The improvements in usability across mobile and desktop are particularly important as 1Password attempts to capture even more subscribers. 1Password now has more than 100,000 paying business customers, and it saw subscriber growth during the pandemic that led to a $6.8 billion valuation for the company earlier this year.

1Password has also been making it easier to share files, documents, and passwords with just a link and even helping people remember which “sign in” service they used on websites. The service also added a hide my email feature last year, giving all users the option of hiding their email addresses from apps and services.

Update, August 9th 9:40AM ET: Article updated with more 1Password 8 feature additions.

Amazon One palm print payment service is coming to more Whole Foods locations

Amazon’s palm scanning technology is expanding to 65 Whole Foods locations across California. The checkout devices were introduced in 2020 as part of the Amazon One payment service, allowing customers to pay with a scan of their palm. This is the biggest rollout by the company yet, with the first new Whole Foods locations adding support today in Malibu, Montana Avenue, and Santa Monica.

Customers can set up Amazon One by registering their palm print using a kiosk or at a point of sale station at participating stores. To register, you need to provide a payment card and phone number, agree to Amazon’s terms of service, and share an image of your palms. Once completed, you can take items to checkout and not have to take out your wallet — or even your phone — a hover of your hand over the device is all that’s needed to pay and leave.

The Amazon One rollout is part of the company’s campaign to change how customers interact at retail stores and runs alongside its Just Walk Out-enabled stores with technologies that make it faster to pay. Amazon One is designed to identify you accurately and allow you to pay at Amazon-owned stores, but the company is looking to expand the technology to outside businesses as well.

Several Whole Foods locations have already been testing the palm-scanning tech in the LA area, as well as in Austin, Seattle, and New York. It’s also been available at the company’s Amazon Style store in Glendale, and at select Amazon Go and Fresh stores.

Amazon states that the images taken on the kiosk aren’t stored locally; instead, they are encrypted and then sent to a cloud server dedicated to Amazon One, where an identifiable palm signature is generated. My colleague James Vincent wrote more about how the technology works and its concerns in 2020.

Amazon has found success in convincing millions of customers to provide them with data in exchange for a more convenient lifestyle. Things like online shopping, grocery shopping, using Alexa, Ring smart cameras, doorbells, and now room-mapping robot vacuum cleaners are all areas that Amazon collects data in, and that will continue to be a concern to privacy advocates.

Cameo’s CEO fell victim to the latest Bored Ape NFT heist

Non-fungible token, or NFT, thefts aren’t uncommon, but they continue to be a little mind-boggling — a bizarre combination of high risk and massive financial losses. The latest high-profile target is Steven Galanis, the CEO of celebrity video platform Cameo. Galanis reported over the weekend that he’d gotten his Apple ID hacked, and as a result, he lost a variety of NFTs. Most prominently, that included a Bored Ape Yacht Club ape that he bought for nearly $320,000 in January.

Galanis tweeted about the theft of Ape #9012 on Saturday, following a bot reporting the NFT being resold. Galanis originally purchased the ape for 100 Ethereum — around $319,500 at the time of purchase — and the alleged thief flipped it to a new owner for 77 Ethereum, which is now worth around $130,000. Galanis tweeted that he’d also lost several other crypto assets, including BAYC-adjacent Otherside tokens and around 9,000 ApeCoin cryptocurrency tokens, currently worth around $66,000. As of this writing, OpenSea has frozen the ape in question, preventing the new owner — who goes by MonroeSaintJames — from selling it through the platform.

The exact hack mechanics aren’t clear from Galanis’ tweets. Some Twitter users suggested he’d kept a copy of his seed phrase (essentially a security key that can be used to get access to a crypto wallet) in a service that uses iCloud backups, giving the hacker access after his account was compromised. Galanis didn’t immediately reply to a Twitter direct message seeking confirmation from The Verge.

But plenty of other NFT owners have been hacked, sometimes for extraordinary sums. Actor Seth Green had an ape (which was also the star of an upcoming TV series from Green) hacked from his crypto wallet, then purchased it back for around $300,000. More egregiously, a hacker stole over $1 million in tokens by compromising the official BAYC Instagram account and phishing NFT owners. It’s theoretically easy to trace these transactions but essentially impossible to reverse them short of arranging a transfer with the new owner like Green did. So far, Galanis hasn’t done so — but if he wants the ape back, he may have no other choice.
