First Officer’s log, Terrestrial date, 20220630. Officer of the Deck reporting. The mission continues, with our patrol in this sector encountering roughly the expected level of hostile forces. Fortunately, our hostile encounters were balanced by some interesting news from Fleet Command.
Man Zooms into the middle
What happened
Multiple bugs, 4 of which are specific to Zoom, one affecting the Expatt library, came to light that let an attacker initiate a man in the middle attack against anyone in a Zoom call with them without requiring any action on the target’s part.
Why it matters
Ever since the pandemic pushed us into a work-from-home or hybrid work model, Zoom has become ubiquitous. It is the go-to platform for many people and has almost become synonymous with video conferencing, as Xerox became synonymous with photocopying.
While the attacker needs to be on the call with their target, that’s not much of an impediment considering how many open Zoom meetings happen that don’t restrict their attendance. Fortunately, Zoom has corrected these issues.
What they said
It didn’t take long before others turned on their mics.
See what they had to say here.
Good deeds can go unpunished
What happened
The US Department of Justice has announced that they will no longer use the Computer Fraud and Abuse Act (CFAA) to prosecute security researchers acting in good faith.
Why it matters
The CFAA put Legitimate security researchers into a situation where “no good deed goes unpunished” and they could face fines, or even jail time, simply for finding and reporting vulnerabilities. While it is a policy shift, rather than a change to the law, and can be undone by future administrations or ignored by local prosecutors, it should be seen as a step in the right direction for honest security research.
What they said
It’s safe to say that the news has been welcomed. Check out the response.
And then it happened again
What happened
QNAP reported an attack against some of their QTS and TS series devices using the Deadbolt ransomware. Unfortunately, QNAP has suffered several attacks and vulnerability exposures this year already.
Why it matters
This really highlights why it’s an industry best practice to keep NAS (Network Attached Storage) devices isolated from the public internet. Actually, it’s best practice to keep access to anything that doesn’t absolutely need to be exposed strictly controlled. The less exposure, the better. And, of course, apply security patches as soon as practical to help minimize the risk when you are exposed.
What they said
This got plenty of coverage. Read here
We can trust the NSA, right?
What happened
The NSA (National Security Agency) has some of the finest mathematicians and cryptographers in the world. Full stop. They are also involved in developing some of the cryptographic algorithms the internet depends on the work, day in and day out.
While NIST (National Institute of Standards and Technology) is holding competitions to develop new standards for quantum-resistant encryption algorithms, the NSA has promised that they will not try and place any back doors into the new standards.
Why it matters
It’s fair to say that encryption is deeply ingrained in the modern internet, used for everything from VPNs and simple web browsing, to securing commerce and financial transactions. Quantum computing threatens to turn that on its head, and the NSA does have the skills and resources to help keep that from happening.
However, there are long-standing and well-founded rumors of the NSA embedding back doors into encryption applications, operating systems, and hardware, and of modifying algorithms to make it easier for them to crack. As a national organization dedicated to making and breaking codes, it’s easy to understand why people might question how sincere the promise is.
What they said
There’s been some healthy skepticism around what the NSA will and won’t do. Read more.
Want to get ahead of the stories? Join the conversations as they happen with the Vulcan Cyber community Slack channel
