
December 4, 2023

It's 5:05, December 4, 2023. Time for your cybersecurity and open source headlines

In this Episode:

Marcel Brown:  December 3rd, 2001. Inventor Dean Kamen unveils the Segway self-balancing battery-powered vehicle on the TV show Good Morning America. The Segway uses computers and motors in its base to keep itself upright while the user is riding it. While the original Segway was not considered a commercial success, it definitely became a familiar icon of personal transportation.

Edwin Kwan: Security researchers revealed a vulnerability in Zoom that allowed the unauthorized access of service accounts. The vulnerability enabled hackers to claim a Zoom Room’s service account, gaining invisible access to team chat, whiteboards, and other applications.

Katy Craig: Security researchers have unveiled “LogoFAIL,” a set of vulnerabilities in the Unified Extensible Firmware Interface (UEFI), used by various firmware vendors. These flaws, found in firmware image-parsing libraries, pose a significant risk to a wide range of consumer and enterprise devices from major manufacturers.

Hillary Coover: As we approach peak shopping season, it’s crucial to consider measures to protect yourself from online fraud. One effective tool is the use of virtual credit cards. Here are a few frequently asked questions to get you all set up.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
Zoom Vulnerability Allows Account Hijacking

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Security researchers revealed a vulnerability in Zoom that allowed the unauthorized access of service accounts with potential access to confidential information.

This is Edwin Kwan from Sydney, Australia.

The flaw, primarily affecting Zoom tenants using email addresses from major providers like Outlook and Gmail, was initially found at a bug bounty event in June and promptly patched by Zoom before public disclosure. The vulnerability enabled hackers to claim a Zoom room’s service account, gaining invisible access to team chat, whiteboards, and other applications.

Zoom Rooms, designed for video conferencing between teams in different locations, represented potential targets for exploitation. The vulnerability arose from the creation of a Zoom Room service account, which automatically assigned an email address. If a hacker could create an email account with an identical name, they could sign up for Zoom, activate the account, and log in to the victim’s Zoom tenant. This could potentially leak confidential information, as the compromised account would have access to meetings, contacts, whiteboards, and team chat channels.

The Zoom team validated and promptly remediated the vulnerability, removing the ability to activate Zoom Room accounts. As for the security researcher who discovered the bug, he received a $5,000 payout from Zoom’s Bug Bounty program.

Resources
SC Magazine: https://www.scmagazine.com/news/zoom-flaw-enabled-hijacking-of-accounts-with-access-to-meetings-team-chat


Katy Craig
LogoFAIL: UEFI Vulnerabilities Threaten Device Firmware Security

Katy Craig, Contributing Journalist, It's 5:05 Podcast

Security researchers have unveiled “LogoFAIL,” a set of vulnerabilities in the Unified Extensible Firmware Interface (UEFI), used by various firmware vendors, that allow attackers to bypass key security features like Secure Boot and Intel Boot Guard by injecting a malicious logo image into the EFI system partition, enabling persistent malware during device boot-up.

This is Katy Craig in San Diego, California.

The vulnerabilities, affecting both x86 and ARM-based devices, are identified as a heap-based buffer overflow and an out-of-bounds read. They are unique to UEFI and independent BIOS vendor IBV systems, with detailed findings expected from the upcoming Black Hat Europe conference.

These flaws, found in firmware image-parsing libraries, pose a significant risk to a wide range of consumer and enterprise devices from major manufacturers. This represents the first major demonstration of UEFI firmware image parser vulnerability since 2009, highlighting ongoing concerns about firmware security and the need for more robust protections.

The full details are in embargo until 6 December, when they will be released to the public at Black Hat Europe.

This is Katy Craig, stay safe out there.

Resources
Binarly: https://binarly.io/posts/The_Far_Reaching_Consequences_of_LogoFAIL/index.html
Hacker News: https://thehackernews.com/2023/12/logofail-uefi-vulnerabilities-expose.html
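The LogoFAIL story above describes a heap-based buffer overflow and an out-of-bounds read in firmware image-parsing code. The following C example is added here for illustration and is not the podcast's nor Binarly's code; it uses a constructed, simplified logo header (magic, width, height, bits-per-pixel, data offset, all assumed for this example) and shows the bounds validation a hardened parser performs before trusting any size or offset from the image, rejecting a sample header that claims far more pixel data than the file contains.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified logo header for this example (not a real vendor
 * format): magic, width, height, bits-per-pixel, byte offset of pixel data. */
#define LOGO_MAGIC   0x4F474F4CUL  /* "LOGO", little-endian */
#define LOGO_HDR     20
#define LOGO_MAX_DIM 4096          /* sanity cap; an assumption of this example */

enum logo_status { LOGO_OK, LOGO_TRUNCATED, LOGO_BAD_MAGIC, LOGO_BAD_GEOMETRY };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Hardened parse: every size or offset taken from the untrusted image is
 * validated against the real buffer length, in 64-bit arithmetic so that
 * width*height*bpp and offset+size cannot wrap around, before any read. */
enum logo_status parse_logo(const uint8_t *buf, size_t len, size_t *pixel_bytes)
{
    if (len < LOGO_HDR) return LOGO_TRUNCATED;          /* the header itself must fit */
    if (rd32(buf) != LOGO_MAGIC) return LOGO_BAD_MAGIC;
    uint32_t w = rd32(buf + 4), h = rd32(buf + 8), bpp = rd32(buf + 12), off = rd32(buf + 16);
    if (w == 0 || h == 0 || w > LOGO_MAX_DIM || h > LOGO_MAX_DIM) return LOGO_BAD_GEOMETRY;
    if (bpp != 8 && bpp != 24 && bpp != 32) return LOGO_BAD_GEOMETRY;
    uint64_t need = (uint64_t)w * h * (bpp / 8);        /* bounded by the caps, no wrap */
    if (off < LOGO_HDR || off > len) return LOGO_TRUNCATED;
    if (need > (uint64_t)len - off) return LOGO_TRUNCATED; /* a trusting parser reads/copies past the buffer here */
    *pixel_bytes = (size_t)need;
    return LOGO_OK;
}

/* Writes a header into out[]; the caller supplies any pixel bytes after it. */
void make_logo_header(uint8_t *out, uint32_t w, uint32_t h, uint32_t bpp, uint32_t off)
{
    wr32(out, LOGO_MAGIC); wr32(out + 4, w); wr32(out + 8, h); wr32(out + 12, bpp); wr32(out + 16, off);
}

/* Constructed malicious sample: a 36-byte file whose header claims a
 * 4096x4096x32bpp image (64 MiB), the shape of input that drives an
 * out-of-bounds read or an undersized heap allocation in a trusting parser. */
enum logo_status check_oversized_claim(void)
{
    uint8_t file[36] = {0};
    size_t n = 0;
    make_logo_header(file, 4096, 4096, 32, LOGO_HDR);
    return parse_logo(file, sizeof file, &n);
}
```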


Hillary Coover
Navigate the Peak Season with Virtual Credit Cards

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

As we approach peak shopping season, it’s crucial to consider measures to protect yourself from online fraud. One effective tool is the use of virtual credit cards. These are generated for individual purposes, offering an extra layer of security and are provided by major credit card companies.

Hi, this is Hillary Coover in Washington, DC.

Despite the existence of virtual credit cards for years, many consumers and businesses have yet to utilize them. Here are a few frequently asked questions to get you all set up.

- Why consider them? Virtual cards can mitigate the impact of fraud, providing the same protections as physical cards. With losses of $32.34 billion to credit card fraud in 2021, according to the Nilson Report, virtual cards help reduce the risk of actual card data being stolen, especially in scenarios where card information is stored online.

- How do you get a virtual card? Your card issuer must offer the virtual card option. Depending on the provider, users can create virtual cards through their online accounts or browser extensions. For instance, Amex users can select a virtual card number directly from their Google account when making a purchase.

- How do you buy something with a virtual card? Using a virtual card may involve additional steps, like logging into your credit card account to receive an authentication code before making a purchase. Some providers allow users to set spending limits and expiration dates, offering flexibility in managing subscriptions and controlling spending.

- Are all virtual cards the same? While the basic concept is consistent, virtual cards can vary in functionality. Some are for single use, while others allow multiple uses with customizable features, like spending limits and expiration dates. Privacy.com, for instance, offers free and fee-based models for up to 60 cards a month.

- Do you need a virtual card if you have a mobile wallet? While mobile wallets offer a secure alternative, not all merchants support this payment method. Virtual cards can serve as a safe alternative with similar protections against unauthorized transactions.

Virtual cards present a valuable tool in safeguarding against online fraud, providing an extra layer of protection during peak shopping season and beyond.

Resources
WSJ: https://www.wsj.com/tech/cybersecurity/virtual-credit-cards-explained-11073e97?mod=cybersecurity_news_article_pos5


Marcel Brown
This Day, December 4, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown bringing you your technology history for December 3rd and 4th.

December 3rd, 2001. Inventor Dean Kamen unveils the Segway self-balancing battery-powered vehicle on the TV show Good Morning America. The Segway uses computers and motors in its base to keep itself upright while the user is riding it. Users shift their weight to control the Segway. While the original Segway was not considered a commercial success, it definitely became a familiar icon of personal transportation.

December 4th, 1993. The Space Shuttle Endeavour captures the Hubble Space Telescope to begin the first servicing mission of the flawed satellite. Over the next 5 days, a variety of repairs and upgrades are completed, most notably the installation of the Corrective Optics Space Telescope Axial Replacement (COSTAR) and the Wide Field and Planetary Camera 2 modules that together were able to compensate for the flaw in the Hubble’s main mirror. Once these corrections were made, the Hubble Space Telescope was, after 3 years, finally able to fulfill its promise of delivering detailed imagery that was not possible with Earth-based telescopes.

December 4th, 2001. Disguised as a screensaver and spread through an infected user’s Microsoft Outlook email software, the Goner worm spreads through the internet at a pace second only to the Lovebug virus the previous year. Goner was estimated to cause about $80 million in damage.

That’s your technology history for today. For more, tune in tomorrow, and visit my website, ThisDayInTechHistory.com.

Resources
https://thisdayintechhistory.com/12/04
