ISA is committed to keeping the security community up to date with the latest cybersecurity news.
Zoom Video Communications Inc. under fire for limiting end-to-end encryption
On May 7, Zoom’s CEO Eric Yuan announced the acquisition of security startup Keybase to help Zoom build and “offer an end-to-end encrypted meeting mode to all paid accounts” in the “near future”. Amid the excitement of the announcement, the implications of the “paid accounts” qualification seem to have gone unnoticed until early June, when Yuan expanded on his plans in the company’s June 2 earnings call. While Zoom is prepared to offer end-to-end encryption for customers “who seek to prioritize privacy over compatibility,” Yuan was clear that Zoom would not extend the same level of encryption to free users.
“Free users for sure we don’t want to give [end-to-end encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan said on the call.
Later in June, a Zoom spokesperson provided more explanation. “Zoom’s end-to-end encryption plan balances the privacy of its users with the safety of vulnerable groups, including children and potential victims of hate crimes. We plan to provide end-to-end encryption to users for whom we can verify identity. Free users sign up with an email address, which does not provide enough information to verify identity.”
This distinction has alarmed some privacy and rights advocates. Mozilla and the Electronic Frontier Foundation published an open letter to Zoom on June 8 outlining concerns about restricting access to end-to-end encryption for all.
This situation is the latest in a series of security and PR incidents at Zoom. Despite these issues, Zoom has enjoyed enormous popularity bringing people and businesses together virtually during the COVID-19 crisis. Zoom reported a peak of 300 million meeting participants on its AWS-based videoconferencing platform in April 2020, and has seen its share price triple since the beginning of 2020.
Honda hit by suspected ransomware attack
On Monday, June 7, Honda was forced to halt production and service operations at some of its factories around the world after a suspected ransomware attack shut down crucial IT systems inside the company. The malware used in the attack, widely thought to be “Ekans” or “Snake” ransomware, affected a diverse range of Honda systems, from production at car plants in the United States and Turkey and motorcycle facilities in India and South America, to customer and financial service systems serving customers in Canada and the United States.
Honda offered few public details about the nature of the attack, but took to Twitter on Tuesday, June 8 to confirm that a number of systems were “experiencing technical difficulties and are unavailable.” In a public statement later in the week, Honda acknowledged the attack but stressed that there was “no current evidence of loss of personally identifiable information.”
According to an internal memorandum obtained and quoted by the technology news website The Verge, Honda’s internal alert system described the incident as a “major computer ransomware (virus) attack.” The memo continued: “Teams from IT Globally and across the NA Region are working continuously [to] contain this attack and restore normal business operation as quickly as possible, however many business processes that rely on information systems are impacted.”
According to a statement reported by the New York Times on June 12, Honda had resumed operations at some production facilities by June 8, and had all of them back up and running by June 11. Other service functions, involving financial operations, parts supply, and warranty enquiries, had “almost entirely recovered” by Friday, June 12.
“Ekans” or “Snake”, the ransomware that is suspected to be involved in the attack, was first identified in December 2019. A variant of Ekans, designed to target industrial and heavy manufacturing concerns, was identified in February 2020, but this is the first widely reported attack against a manufacturer using the ransomware.
Update: Nintendo data breach
In our report on April 26, we discussed the user account data breach disclosed by Nintendo. This week, news came to light that up to 300,000 Nintendo Switch accounts were hacked, nearly twice the original number mentioned in Nintendo’s original press release.
On June 9, Nintendo released a revised statement on their Japanese website – exclusively in Japanese – advising of the significant increase in the number of users affected. The description of the nature of the breach and Nintendo’s response remained consistent with their original statement. Nintendo confirmed that they have disabled the ability to log into a Nintendo account using a “Nintendo Network ID” (NNID), and that the passwords for all affected users have been reset. Further, all affected users have been contacted directly by the gaming company to provide additional instructions. The company did indicate that it is now taking additional security precautions to help prevent breaches in the future.
Comparitech “Honeypot” Experiment
Tech research firm Comparitech recently conducted a “honeypot” experiment to demonstrate how quickly data can be exposed on the Internet. In a controlled test conducted in late May and reported on their website on June 10, Comparitech placed an unsecured database containing fictitious data – a so-called data “honeypot” – on their network to watch for the type and frequency of potential attacks. Within just 8½ hours, unauthorized access attempts started to appear against the database. Over the course of the test period of about a week, some 175 attacks were recorded: an average of nearly 18 per day.
After the official test had concluded, Comparitech removed the bulk of the data from the honeypot, but left the file structures accessible from the Internet. Within another week, a ransomware attack, thought to have originated from The Netherlands, compromised the database. Malware encrypted most of the folder structure and triggered a demand for payment of 0.06 BTC (approximately $750 Canadian) to decrypt the remaining files.
“If you don’t do a payment all your data may be used for our purposes and/or will be leaked/sold,” advised a text message left in an unencrypted portion of the file system.
The Comparitech experiment underscores the importance of securing data before exposing it to access from the Internet; leaving unsecured content exposed even for a short period can have dramatic effects. Further, the experiment illustrates that there may be no particular targeting of a victim for cyberattack – anyone leaving data unprotected on the Internet can attract attacks from automated scans and ransomware assault.