source: usatoday.com

Hackers are breaking into home security cameras, and the process isn't always as difficult as you may think. 

This week, there were reports of hackers gaining access to Ring security cameras in Tennessee, Mississippi, Florida and Texas. And cybersecurity experts say incidents like these aren't very complex to execute because people often use passwords that are easily guessed.

"The easiest way for a hacker to gain access to something is to guess the username and password of the device's administrative account," said Brian Vecci, chief technology officer at the data protection company Varonis. "That's the most common way to get hacked."

He said bad actors are trolling through the internet, reading about devices that are exposed and keying in default usernames and simple passwords to see if they can gain access to real accounts. 

If it works, and you're the unsuspecting subject, they can watch you and your family during your most intimate moments. Hackers can, and have, also talked through the camera's speaker, startling kids and harassing parents.

Home security cameras are also getting broken into because, like everything else that connects to the internet, they are inherently open to outside forces.

In order to monitor what's happening in your home remotely, security cameras have to be connected to the internet, Vecci said. And the moment you connect a device to the internet "hypothetically someone can get access to it."

What's even scarier is once a camera is compromised, hackers can make "lateral movements" onto other connected devices in your home.

So they could, in theory, disable your alarm system, unlock your front door if you have a smart lock, torment your household by blasting music and more, said Renaud Deraison, co-founder of the cybersecurity company Tenable.

"They can decrease your quality of life by hacking the tech that is supposed to improve your quality of life," Deraison said. 

Still, there are things you can do to help decrease the likelihood that someone will gain access to your home's security camera. Here's what you should do:

 

1. Go with a big-name vendor

When choosing a specific brand, choose a familiar company that treats security more responsibly. Large manufacturers with household names are held to higher scrutiny than a "no-name company," Deraison said. Nest, Samsung, Panasonic, Ring and Arlo are popular choices.

2. Upgrade to a cloud-based system 

Store your footage in a cloud. Tech companies that offer cloud-based storage systems can install software updates to patch vulnerabilities soon after they're discovered, Deraison said.

Earlier this week, Tenable researchers said they discovered "seven severe vulnerabilities" in Amazon's Blink XT2 camera systems. Amazon patched the problem with a firmware update. 

3. Create complex passwords

"Don't use a default user name and password" that comes with your device, Vecci said. "Change your passwords to something long and difficult to break. Don't use last names, birthdays or addresses." Experts recommend a combination of upper and lower case letters, numbers and symbols. 

4. Use two-factor authentication

Two-factor is favored by security pros because you have to log in twice to get into your account. Hackers will try you once, and if not successful, move on to other prey. If you've ever had a six-digit verification code sent to your smartphone in order to log in to an online account, you're familiar with two-factor authentication. It basically sends you a notification when someone new tries to log on to your network. And they can't get in without access to your phone or email address.

5. Update your devices regularly

Surveillance camera vendors often expect users to update the devices manually, experts said. So every few months, you should check to see if yours has an available update. Set up manual security updates, if that's an option. 

"If you don't update your device, you end up with old software that’s not undergoing rigorous testing," Deraison said. "All of it together, you have a recipe for something that’s fairly insecure. You're risking a personal leak that could be devastating."

source: threatpost.com

The malware affected 100 different online publishers.

A malicious web redirect campaign affecting iPhone users has impacted more than 100 publisher websites, including online newspapers and international weekly news magazines.

According to The Media Trust’s Digital Security & Operations (DSO) team, iPhone users visiting any of the impacted websites were redirected in a recent malvertising campaign via a multistage process, to eventually land on a fraudulent popup masquerading as a grocery store reward ad. Along the way, the “Krampus-3PC” malware proceeded to harvest user session and cookie information from users, thus giving attackers the ability to log into users’ various online accounts.

Adding insult to injury, if visitors click on the grocery store ad, they are also redirected to a phishing page that prompts them to enter their personal information.

“The malware was able to retrieve not only whatever information users entered but also their phone numbers, which were later used for phishing texts, and cookie IDs,” explained DSO, in a report [PDF] issued on Wednesday. “The cookie ID enabled Krampus-3PC to hijack the browser, and – if the user had other sites like their bank or favorite online retailer open on their device – gain access to the user’s account. Access to a session cookie would enable the malvertiser to log in as that user at a later time.”

The attackers – who are of unknown origin, according to The Media Trust – first placed an ad to be distributed via the Adtechstack adtech provider. They then used the platform’s API to insert rogue code.

“Because they are running an ad on the platform, they have access to the platform’s tools. The platform takes the ad from the malicious advertiser, and the ad platform sold it to the publisher not knowing it was malicious,” Mike Bittner, director of digital security at The Media Trust, told Threatpost.

source: nytimes.com

A high-profile inspector general report has served as fodder for arguments about President Trump. But its findings about surveillance are important beyond partisan politics.

When a long-awaited inspector general report about the F.B.I.’s Russia investigation became public this week, partisans across the political spectrum mined it to argue about whether President Trump falsely smeared the F.B.I. or was its victim. But the report was also important for reasons that had nothing to do with Mr. Trump.

At more than 400 pages, the study amounted to the most searching look ever at the government’s secretive system for carrying out national-security surveillance on American soil. And what the report showed was not pretty.

The Justice Department’s independent inspector general, Michael E. Horowitz, and his team uncovered a staggeringly dysfunctional and error-ridden process in how the F.B.I. went about obtaining and renewing court permission under the Foreign Intelligence Surveillance Act, or FISA, to wiretap Carter Page, a former Trump campaign adviser.

“The litany of problems with the Carter Page surveillance applications demonstrates how the secrecy shrouding the government’s one-sided FISA approval process breeds abuse,” said Hina Shamsi, the director of the American Civil Liberties Union’s National Security Project. “The concerns the inspector general identifies apply to intrusive investigations of others, including especially Muslims, and far better safeguards against abuse are necessary.”

Congress enacted FISA in 1978 to regulate domestic surveillance for national-security investigations — monitoring suspected spies and terrorists, as opposed to ordinary criminals. Investigators must persuade a judge on a special court that a target is probably an agent of a foreign power. In 2018, there were 1,833 targets of such orders, including 232 Americans.

Most of those targets never learn that their privacy has been invaded, but some are sent to prison on the basis of evidence derived from the surveillance. And unlike in ordinary criminal wiretap cases, defendants are not permitted to see what investigators told the court about them to obtain permission to eavesdrop on their calls and emails.

source: military.com

The top Pentagon acquisition official said Tuesday that the U.S. military is ramping up its counter-drone effort as commanders downrange continue to struggle with these small, often difficult-to-detect threats.

Ellen Lord, the under secretary of defense for acquisition and sustainment, recently met with commanders in Iraq, Afghanistan and other countries in the Middle East, who told her that countering unmanned aerial vehicle systems, or UAS, remains a challenge despite efforts to combat low-tech enemy drones.

 

"The one takeaway from all of my visits is that we need to continue to focus heavily on counter-UAS systems and strategies," Lord told reporters at the Pentagon on Tuesday. "This remains a top priority for the department, and I will continue to engage with Congress and the defense industry on ways ahead."

The threat seen overseas, as well as at many continental U.S. installations, is a "variety of different drones, often small, difficult to detect with typical sensor packages we have," she said.

For the past several years, combat units have been equipped with drone-disabling systems such as Battelle's DroneDefender, which has a range of several hundred meters against UAS such as quadcopters and hexacopters.

Recently, the Pentagon named the U.S. Army as executive agent for counter-UAS for all the services, but that is only the beginning, Lord said.