Web User - UK (2019-12-11)

11 - 26 December 2019
Email us your security questions [email protected]

Stay Safe Online
News about the latest threats and advice from security experts

SECURITY ALERT! | What’s been bothering us this fortnight

Security flaw found in Android camera

A vulnerability affecting Google and Samsung smartphones could allow hackers to remotely spy on users through their phone’s camera and speakers, according to researchers at security firm Checkmarx.

The team uncovered a way for attackers to take photos and videos, record phone conversations, identify users’ locations and more. All this could be done covertly, the researchers said, even when the phone was locked. The loophole, which stemmed from permission-bypass issues, could have left hundreds of thousands of Android users open to spying.

Checkmarx submitted its vulnerability report to Google’s Android security team on 4 July and, on 29 August, Samsung confirmed that the vulnerability also affected its devices.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” said a Google spokesperson. “The issue was addressed on impacted Google devices via a Play store update to the Google Camera application in July 2019. A patch has also been made available to all partners.”

bit.ly/camera490

Disney Plus users targeted by hackers

Hackers reportedly hijacked thousands of Disney Plus accounts just hours after the service launched in the US on 12 November (see FAQ on page 38). An investigation by tech-news site ZDNet found login details for many of the hacked accounts available for sale and for free on hacking forums.

Disney Plus attracted 10 million customers in its first 24 hours, with the volume of traffic leading to several technical problems. Amid the flood of complaints, some users reported a total loss of access to their accounts, describing attacks in which hackers logged them out on every device and changed their email addresses and passwords.

Some users had reused passwords for their Disney Plus accounts, meaning hackers could have used details harvested from other security breaches. Others, however, used unique passwords, suggesting credentials were obtained through data-stealing malware.

Rival streaming services have been exploited in the same way, with Amazon Prime, Netflix and Hulu accounts frequently traded on hacking forums.

bit.ly/disneyhack490

Security Helpdesk | Your questions answered by security specialists

Q

What are cybersecurity companies doing to tackle the rise of stalkerware [see FAQ, Issue 489]?
Katherine Jameson, Facebook

A

As well as the primary threat toward the intended victims, stalkerware is a form of technological abuse and the security risks it brings – the malware can leak victims’ data and breach device protection – should concern everyone.

At Kaspersky, we believe it’s necessary for the cybersecurity industry to unite to protect users against stalkerware and to bring in the experience and expertise of non-profit organisations that help victims of domestic abuse every day, so we’ve founded the Coalition Against Stalkerware together with Avira, the Electronic Frontier Foundation, the National Network to End Domestic Violence, G Data Cyber Defense, the European Network for the Work with Perpetrators of Domestic Violence, NortonLifeLock, Operation Safe Escape, Malwarebytes and Weisser Ring.

Our key objectives include raising awareness, improving detection and mitigation of stalkerware, and educating victims and advocacy organisations about technical aspects. The Coalition has also launched a website (www.stopstalkerware.org) that provides advice on finding out if there’s stalkerware on your device and what to do about it, and provides contacts for organisations that deal with domestic violence and can help prevent or mitigate the damage.

We also hope to change the formal legal status of stalkerware, making it illegal to spy on people without their consent.

The security risks that stalkerware brings should concern everyone

THIS ISSUE’S EXPERT:
Vyacheslav Zakorzhevsky, head of anti-malware research at Kaspersky (www.kaspersky.co.uk)