By William Knowles @c4i
Senior Editor
InfoSec News
April 10, 2020
How to prevent ZoomBombing from your Zoom video conference
By William Knowles @c4i
Senior Editor
InfoSec News
April 3, 2020
It seems lately not an hour goes by without news of another ZoomBombing happening, just as I was preparing this story comes this headline from Vermont Senate committee Zoom hearing derailed by porn hacker
A Vermont Senate Committee on Agriculture Zoom hearing, which was being live-streamed on Youtube, was interrupted by a hacker Thursday who screen shared pornographic videos before reaching into his pants.
The sudden outburst came as the committee had been in the midst of discussing school lunch access and how farms were faring during the COVID-19 crisis.
The first sign of trouble began with a sudden outburst of “p—- ass” and a racial slur before a video from the site Pornhub began to play.
Without blaming the Zoom administrators, many of these stories of ZoomBombings remind me of early conversations about using Amazon Web Services and hearing minds blown about insecure EC2 instances. I can’t tell you how many enterprises thought the workloads they ran in AWS were completely secure by default. More than a few shops were counting their stars nothing happened.
I suspect a number of Zoom users naturally feel the same way as early AWS users, but fear not, Zoom has a guide with a number of recommendations to keep your video conferencing secure.
When you share your meeting link on social media or other public forums, that makes your event … extremely public. ANYONE with the link can join your meeting.
Avoid using your Personal Meeting ID (PMI) to host public events. Your PMI is basically one continuous meeting and you don’t want randos crashing your personal virtual space after the party’s over. Learn about meeting IDs and how to generate a random meeting ID (at the 0:27 mark) in this video tutorial.
Familiarize yourself with Zoom’s settings and features so you understand how to protect your virtual space when you need to. For example, the Waiting Room is an unbelievably helpful feature for hosts to control who comes and goes. (More on that below.)
Manage screen sharing
The first rule of Zoom Club: Don’t give up control of your screen.
You do not want random people in your public event to take control of the screen and sharing unwanted content with the group. You can restrict this — before the meeting and during the meeting in the host control bar — so that you’re the only one who can screen-share.
Follow this link for more tips on how to keep your Zoom conferences secure.
Also, Founder and CEO of Zoom, Eric S. Yuan said in a blog posting today that effective immediately, Zoom will have a feature freeze for the next 90 days, and shifting all engineering resources to focus on their biggest trust, safety, and privacy issues.
- Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
- Preparing a transparency report that details information related to requests for data, records, or content.
- Enhancing our current bug bounty program.
- Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
- Engaging a series of simultaneous white box penetration tests to further identify and address issues.
- Starting next week, Yuan will host a weekly webinar on Wednesdays at 10 am PT to provide privacy and security updates to our community.
InfoSec News Signal Boost – March 27, 2020
By William Knowles @c4i
Senior Editor
InfoSec News
March 27, 2020
As we try to get used to the new normal, InfoSec News understands many cyber and information security professionals (including myself) are looking for their new security forever homes. As I find these calls for security professionals, I’m hopeful this might be the catalyst for breaking what has been broken forever. Hiring experienced professionals and competent security-aware people that can be trained to be that unicorn that many HR departments have been looking for.
-=-
The popular Infosec R&D company Grimm (https://grimm.rip), famous for only
taking on “difficult projects” is still hiring at a time when many of their
competitors are going out of business. The lack of competitors also means tons
of work coming in, so job security is solid. If you were laid off and have a
heavy Security Engineering (& DevSecOps) Exploit Dev and/or AppSec background
and want to work with some of the objectively smartest people in Infosec, check
out their job postings here https://www.grimm-co.com/caree
“General Resume Submission” link at the bottom if you want to be considered for
“whatever.”
-=-
Research Analyst, Cyber Policy Initiative
Cyber Policy Initiative
The Carnegie Endowment for International Peace is seeking a Research Analyst to
work with scholars in our Washington DC-based Cyber Policy Initiative. Founded
in 1910, Carnegie is a top-ranked policy think tank with a unique global network
research centers in Russia, China, Europe, the Middle East, India, and the
United States. The Cyber Policy Initiative is part of Carnegie’s Technology and
International Affairs program, which also focuses on artificial intelligence and
biotechnology.
The Research Analyst will primarily help build a project exploring how to
leverage market incentives to improve cyber risk management. For example, it
researches and promotes ways in which commercial insurers, major asset-holding
corporations, and credit-rating agencies, can set de facto standards that
promote cybersecurity more quickly, flexibly, and internationally than
governmental regulatory processes often do.
The Research Analyst will work closely with scholars to develop and execute
original research and writing projects such as policy briefs and longer research
reports and build partnerships within the private sector. Additional activities
include: Engaging with policymakers in the U.S. Congress and administration;
preparing and delivering briefings; attending and reporting back on relevant
events in the policy community; contributing to other areas of the Initiative’s
work on cyber policy and strategy; and occasional administrative support, such
as organizing public and private events.
The ideal candidate will have deep interest in technology policy, a willingness
to dive into new research topics, and possess the ability to perform within a
challenging program environment. Up to two years of relevant post-graduate
experience is a plus, but not required. Strong writing and research skills are
essential.
Located in Dupont Circle in Washington, DC, we offer an outstanding benefits
package. When applying, please include your resume/C.V. and cover letter. Please
apply via the Carnegie Endowment website:
https://carnegieendowment.appl
All qualified applicants will receive consideration for employment without
regard to race, color, religion, sex, national origin, disability, protected
veteran status, sexual orientation, gender identity, or any other protected
group
-=-
Principal Technician (Cyber Security)-200286
Primary Location Belgium-Mons
NATO Body NATO Communications and Information Agency (NCI Agency)
Schedule Full-time
Salary (Pay Basis) : 4,449.34Euro (EUR) Monthly
Grade B.5
Description:
NATO offers you more than a job. It gives you a mission: building peace and
security for one billion people in Europe and North America. The NATO
Communications & Information Agency is leading NATO’s Digital Endeavour.
We are NATO’s technology and cyber leaders, helping NATO Nations to communicate
and work together in smarter ways. Our work is challenging and meaningful, and
you will develop and apply your expertise as part of a dynamic international
team of civilian and military professionals.
What do we offer?
Genuinely meaningful work as part of the most successful alliance in history
3 year contract with competitive tax-free salary and household and children’s
allowances
Privileges for expatriate staff including expatriation and education allowances
(where appropriate) and additional home leave
Excellent private health insurance scheme
Generous annual leave of 30 days plus official holidays
Retirement Pension Plan
About the job
Based in Mons, Belgium you will join the Agency as we embark on a journey to
transform our IT services to support NATO’s Digital Endeavour. You will be
responsible for production and management of Security Hardening, Configuration
and Installation guidelines; providing security expert assistance and support in
analysis of security incidents and resolution; reviewing documents to be
published on NCSC Portals, or provided to NCSC customers, as part of projects
deliverables.
For a full list of duties, please review the job description. Here.
https://www.ncia.nato.int/Docu
About you
We’re looking for a talented and knowledgeable Principal Technician (Cyber
Security) professional with ideally a higher vocational training in a relevant
discipline with 3 years post-related experience; or, a secondary educational
qualification with 5 years post-related experience A different qualification
coupled with particularly relevant experience may also be considered.
Knowledge of English, both written and spoken, is essential.
Alexis Bledel, Lil Wayne, and Nicki Minaj Make McAfee’s Most Dangerous Celebrity 2019 List
Not that McAfee!
By William Knowles @c4i
Senior Editor
InfoSec News
October 29, 2019
Actress Alexis Bledel, best known for her role as Rory Gilmore in network television’s “Gilmore Girls,” tops McAfee’s U.S. list of most dangerous celebrities to search for online. For the thirteenth year, McAfee researched which famous individuals generate the riskiest results that could potentially expose their fans to malicious websites and viruses.
Referred to as a “good girl” and “bookworm” in her role in “Gilmore Girls” and Netflix’s sequel “Gilmore Girls: A Year in the Life,” it may come as a surprise that Alexis Bledel was found to be the most dangerous celebrity by McAfee. Her repertoire also includes roles in the “Sisterhood of the Traveling Pants” movies, and more recently, playing Ofglen in Hulu’s acclaimed “The Handmaid’s Tale,” which came to a series end in August 2019.
Trailing Bledel at No. 2 is beloved Late Late Night talk show host James Corden, followed by “Game of Thrones” star Sophie Turner (No. 3), actress Anna Kendrick (No. 4), “Us” leading lady Lupita Nyong’o (No. 5), SNL and talk show star Jimmy Fallon (No. 6), martial arts master Jackie Chan (No. 7), rappers and musicians Lil Wayne (No. 8) and Nicki Minaj (No. 9), and finally Marvel actress Tessa Thompson (No. 10).
Former McAfee founder John McAfee probably would make the Top 500 because of his antics with bath salts, Bitcoin, and whales, but InfoSec News hasn’t confirmed that detail yet.
The truth is consumers are faced with endless options to feed their obsession with celebrities. They are interacting with content across multiple devices and conducting potentially dangerous searches across the internet to find the latest information or gossip without fear of consequence. For cybercriminals, this creates a field day to lure unsuspecting consumers to malicious websites that may install malware or steal personal information and passwords.
“Consumers may not be fully aware that the searches they conduct pose risk, nor may they understand the detrimental effects that can occur when personal information is compromised in exchange for access to their favorite celebrities, movies, TV shows or music,” said Gary Davis, chief consumer security evangelist at McAfee. “Criminals use deceptive websites to dupe unsuspecting consumers into accessing malicious files or content. It is essential that consumers learn to protect their digital lives from lurking cybercriminals by thinking twice before they click on suspicious links or download content.”
The top 10 celebrities from this year’s U.S. study are:
Alexis Bledel
James Corden
Sophie Turner
Anna Kendrick
Lupita Nyong’o
Jimmy Fallon
Jackie Chan
Lil Wayne
Nicki Minaj
Tessa Thompson
Bypassing Subscriptions
McAfee’s most dangerous actresses, Alexis Bledel and Sophie Turner, are well known for their powerful roles in their respective series – Hulu’s “The Handmaid’s Tale” and HBO’s “Game of Thrones.” Additionally, their names are strongly associated with searches including the term “torrent.” With many popular shows available via streaming services, consumers have access to more content than ever before, yet they still choose to put their digital lives at risk in exchange for pirated content.
This finding indicates that people may be pursuing “free” options to avoid paying a subscription fee. However, it’s important for these viewers to understand the risks associated with torrent or pirated downloads, as they may open up themselves to savvy cybercriminals and end up having a much higher cost to pay.
The Reality is, Reality TV Stars are not that Popular
Unlike 2018’s list of most dangerous celebrities, reality TV stars ranked low on this year’s list. Kim Kardashian is the highest-ranked reality star at No. 99 followed by “The Hills” Audrina Patridge (No. 108), “Vanderpump Rules’” Kristen Doute (No. 119) and Jax Taylor (No. 169). Kristen Cavallari and Kourtney Kardashian who found themselves in last year’s top 10 list dropped to number 214 and 222, respectively.
Tips to Help Consumers Stay Safe Online:
- Be careful what you click. Users looking for a sneak-peek of Star Wars: Rise of Skywalker starring Lupita Nyong’o should be cautious and only stream and download directly from a reliable source. The safest thing to do is to wait for the official release instead of visiting a third-party website that could contain malware.
- Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites is the equivalent of spreading the Mad King’s wildfire to your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.
- Protect your online realm with a cybersecurity solution. Send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.
- Use a Web Reputation tool. Using a Web reputation tool such as freely available McAfee WebAdvisor alerts users when they are about to go to a malicious website.
- Use parental control software. Kids are fans of celebrities too, so ensure that limits are set for your child on the devices they use and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.
For More Information:
- To learn more about the study, check out:
- Blog post from Gary Davis: https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/most-dangerous-celebrities-2019/
- Twitter: Follow @McAfee_Home for online safety tips, and use the hashtag #RiskyCeleb to discuss the Most Dangerous Celebrities of 2019
- Local lists broken down by country are available upon request
Survey Methodology
McAfee used the Google API Console to search for popular mobile, PC and platform games coupled with search modifying terms (e.g. celebrity + torrent). “Most dangerous” really means that these celebrities are likely popular search subjects.
Search terms used this year:
- Torrent
- Fix gamble
- Free mp3
- Nudes
- Pirated download
- Sledging
- Streaming
Using McAfee WebAdvisor data, resulting domains and URLs were measured and assigned a risk of “high,” “medium” and “unverified.” URLs were then given a score between negative 127 and positive 127 with higher scores indicating a riskier website. The score was calculated using the following formula:
Danger = 1*(high count) + 0.5*(medium count) + 0.1*(unverified count)
Navy Information Warfare
By William Knowles @c4i
Senior Editor
InfoSec News
October 29, 2019
As a ten-year regular volunteer at the USO O’Hare, there’s a sly grin on my face knowing all the U.S. Navy personnel featured in this video have visited the Terminal 2 center at least once in their careers and should make every InfoSec News reader happy these men and women are learning about information warfare, cybersecurity (both offensive and defensive) and wireless networking, among other security topics, nearly two years of college training over the span of six months.
Hat tip: Soldier Systems