In brief: Unlucky owners of Eufycam security cameras were horrified earlier today when they opened their app for the equipment and saw video streams from strangers’ homes instead of their own.
A software bug was blamed for the fault, which has been corrected, we’re told.
These 1080p Wi-Fi-connected devices are made by Anker, and are designed to be used indoors and outdoors. They can record to microSD cards and/or the cloud, and are viewable via a mobile app. On Monday, some users found themselves staring at feeds from other people’s homes – even those in other countries – and feared they were being watched, too. The privacy breakdown sparked an eruption of complaints on Reddit and Anker’s support forum.
“I use Eufy to monitor my baby daughter’s room,” said one Redditor. “Tonight I logged into the app and instead have complete access to the security systems of someone in a different country. I can view streams from all of their cameras, turn lights on and off, and have access to the HomeBase settings. Their contact details including email addresses appear in my app.
“This is a terrible security and privacy breach. If I’m able to view other people’s cameras, anyone could be looking in on my daughter. I have unplugged the camera in her room for now, but I imagine this is seriously bad news for Eufy. I will certainly be contacting a lawyer in the morning.”
A spokesperson for Anker told us just a small number of customers were affected: “Due to a software bug during our latest server upgrade at 4:50 AM EST today, a limited number (0.001 per cent) of our users were able to access video feeds from other users’ cameras. Our engineering team recognized this issue at around 5:30 AM EST, and quickly got it fixed by 6:30AM EST.”
We’re told customers in the US, New Zealand, Australia, Cuba, Mexico, Brazil, and Argentina were affected, though not GDPR-armed Europe.
“We realize that as a security company we didn’t do good enough,” the spokesperson added. “We are sorry we fell short here and are working on new security protocols and measures to make sure that this never happens again.”
If they haven’t already done so, users should unplug and then reconnect their devices, log out of the Eufy security app, and log in again to see the correct feeds.
DarkSide ransomware gang flees
The DarkSide crew, which shut down a major US oil pipeline with a ransomware infection, has insisted it has closed its doors, claiming unnamed law enforcement agents have taken control of its ransom-collection site, content delivery network, and cryptocurrency wallets. The crooks have extracted at least $17m from victims since March, according to analysis by Elliptic.
DarkSide’s business model is to provide ransomware software and backend systems to affiliates that do the actual job of infecting and encrypting victims’ networks. The gang then gives those partners a cut of any ransom paid. This criminal enterprise bit off more than it could chew by hitting America’s Colonial Pipeline, and attracting the attention of the FBI at least. Now the Eastern European crew claims it’s shutting down and ending its affiliate scheme – though it could simply be lying low to later rebrand itself and start all over again.
“In view of the above and due to the pressure from the US, the affiliate program is closed,” it said, in a forum post spotted by Intel471 on Thursday. “Stay safe and good luck.”
The group said it was giving out free decryption tools to victims who have yet to cough up. There are still funds in escrow from organizations that have paid a ransom, and DarkSide said it will make one last payment to affiliates by May 23.
DarkSide isn’t alone in seemingly changing course. The Babuk ransomware crooks said they are stepping back, and have handed their source code to another team. The extortionists, who recently stole and then published records from the Washington DC Metropolitan Police, say they will maintain existing operations for the time being.
Meanwhile, the operators of the REvil ransomware have changed their terms and conditions: all future targets chosen by their partners must be pre-approved by the gang, and can’t include government, healthcare, educational, and charity organizations. That’s because, we reckon, those are the ones that generate the most headlines, and ransomware gangs really hate publicity as it tends to attract more scrutiny from law enforcement and infosec researchers.
If a handful of notable attacks finally stirs concerted international action against ransomware operators where they live, this could be a shift in the situation. But it’s far more likely others will come in to fill any gaps, and the scourge will continue.
Biden signs executive order on US cybersecurity
Last week saw the panic buying of gas across the US East Coast due to the aforementioned pipeline ransomware attack. Amid that, President Biden unveiled his plan to make America secure again, or at least try to.
As executive orders go, it’s a massive one: more than 8,000 words that are good news for cloud platforms, bug hunters, and threat data sharers, although sysadmins may face a task or two. Here are the essentials.
- If you sell to a federal agency, security threats and incidents must be reported to the Feds in a timely manner, and personnel contracts banning such information sharing will need to be amended to enable this.
- Within its own IT systems, the government plans to shift as fast as possible to cloud-based, zero-trust operations and fully supporting “multifactor authentication and encryption,” the latter a hot-button issue of late.
- Biden wants action on supply-chain issues, such as those at the heart of the SolarWinds fiasco, and the government is drawing up minimum security standards for agencies and those who supply them. It also orders a pilot scheme for an IoT device security labeling program so buyers know what they are letting themselves in for.
- Future major security incidents will be examined by a Cybersecurity Safety Review Board, made up of representatives from government and the private sector. It will issue post-incident reports and recommendations for best practice, though those reports will be non-binding.
- The government will develop a playbook for how federal bodies deal with future attacks, including defining key terms to avoid inter-agency confusion.
- Federal agencies must keep and share event logs of incidents and security teams must coordinate with each other more efficiently.
There are some lofty goals here, though the devil is going to be in the implementation, and the speed of change. Miscreants aren’t sitting still.
US senator questions Pentagon about buying Americans’ location data
Senator Ron Wyden (D-OR) has written a formal request [PDF] to the Pentagon to find out if it’s buying sensitive data on US persons’ whereabouts without a search warrant.
Uncle Sam’s Homeland Security is facing a lawsuit for buying people’s location data from commercial vendors, thus getting around all that pesky business of getting a court order. Wyden wants to know if any Department of Defense agencies are doing the same warrantless tracking by buying location data collected from phones, DNS traffic, vehicles, and any other internet traffic data.
Wyden said he’s had some answers but not enough, and has spent the last year digging into the topic. Expect more on this in the coming months.
And while we’re on government spying, social media is next
The US Department of Homeland Security is setting up a task force to monitor social media posts for evidence of looming domestic terrorism.
“We’re not looking at who are the individual posters,” a senior official told NBC. “We are looking at what narratives are resonating and spreading across platforms. From there you may be able to determine what are the potential targets you need to protect.”
While the monitoring of public social media posts by the government isn’t illegal, and has been very useful in identifying the insurrectionists who stormed the Capitol in January, it worries civil liberties groups.
Frankly, we’re amazed Homeland Security isn’t already doing this kind of surveillance. ®