Security Risks Loom Over Public Zoom Meeting Links
A recent investigation has uncovered potential security risks associated with Zoom links. Numerous organizations, including some Fortune 500 companies, have inadvertently exposed web links that could allow any individual to initiate a Zoom video conference meeting posing as an employee.
The crux of the issue lies with the Zoom Personal Meeting ID (PMI), a permanent identification number linked to each Zoom account. This PMI is part of every new meeting URL created by that account. While this feature offers convenience, it also poses a significant security risk. If a PMI link falls into the wrong hands, it can be used to gain access to any ongoing meeting associated with that PMI unless additional security measures such as meeting locks or Zoom’s Waiting Room feature are activated. The situation is further exacerbated if these Zoom links are indexed by search engines like Google, a scenario that is reportedly true for thousands of organizations.
Charan Akiri, a security engineer at Reddit, has drawn attention to the potential misuse of PMI links. He cautions that these readily accessible links can be manipulated by attackers for impersonation purposes. As Akiri puts it, “These vulnerabilities allow attackers to masquerade as companies and initiate meetings without users’ knowledge. They can interact with other employees or customers under the guise of the company, potentially gaining unauthorized access to sensitive information.”
Read: https://krebsonsecurity.com/2023/10/dont-let-zombie-zoom-links-drag-you-down/
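The defensive counterpart to the problem above is finding your own exposed links before a search engine does. The following is an added example (not from the KrebsOnSecurity article or from Zoom) that scans a set of published pages for Zoom join links, groups them by meeting ID, and flags IDs that recur across pages (a sign of a reused PMI rather than a one-off meeting) or that carry no passcode parameter. The `https://<tenant>.zoom.us/j/<id>[?pwd=...]` link shape and the 9- to 11-digit ID length are assumptions for this example, and the sample pages are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumed join-link shape: https://<tenant>.zoom.us/j/<9-11 digit id>[?pwd=...]
# Vanity links of the form zoom.us/my/<name> are deliberately not covered here.
ZOOM_JOIN_RE = re.compile(
    r"https?://(?:[\w-]+\.)?zoom\.us/j/(\d{9,11})(?:\?[^\s\"'<>]*)?", re.I
)

# Constructed sample pages standing in for a crawl of an organisation's public site.
SAMPLE_PAGES = {
    "careers.html": '<a href="https://example-corp.zoom.us/j/1234567890">Join the info session</a>',
    "press-2022.html": 'Press briefing: https://example-corp.zoom.us/j/1234567890 (no password needed)',
    "webinar.html": '<a href="https://zoom.us/j/98765432101?pwd=xyz123">Register</a>',
    "events.html": 'Town hall: https://us02web.zoom.us/j/555555555 and notes at https://example.com/j/1234567890',
}


def find_zoom_links(text):
    """Return a list of (url, meeting_id) for every Zoom join link in the text."""
    return [(m.group(0), m.group(1)) for m in ZOOM_JOIN_RE.finditer(text)]


def has_passcode(url):
    """True if the link carries an embedded passcode (pwd=) parameter."""
    return "pwd" in parse_qs(urlparse(url).query)


def audit_pages(pages):
    """Map each meeting ID to the pages it appears on and whether any
    occurrence lacks a passcode. pages: dict of page name -> page text."""
    report = defaultdict(lambda: {"pages": set(), "unprotected": False})
    for name, text in pages.items():
        for url, mid in find_zoom_links(text):
            entry = report[mid]
            entry["pages"].add(name)
            if not has_passcode(url):
                entry["unprotected"] = True
    return dict(report)


def flag_findings(report, min_pages=2):
    """Select IDs worth a review: reused across pages (likely a PMI) or
    published without a passcode. Reused and unprotected IDs sort first."""
    findings = []
    for mid, info in report.items():
        reused = len(info["pages"]) >= min_pages
        if reused or info["unprotected"]:
            findings.append({
                "meeting_id": mid,
                "pages": sorted(info["pages"]),
                "reused": reused,
                "unprotected": info["unprotected"],
            })
    findings.sort(key=lambda f: (not (f["reused"] and f["unprotected"]),
                                 not f["unprotected"], f["meeting_id"]))
    return findings


if __name__ == "__main__":
    for f in flag_findings(audit_pages(SAMPLE_PAGES)):
        print(f"{f['meeting_id']}: reused={f['reused']} unprotected={f['unprotected']} on {f['pages']}")
```

Each flagged ID is a candidate for the mitigations the article names: enabling the Waiting Room, locking meetings once everyone has joined, or retiring the exposed link in favour of a one-off meeting ID.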
Renowned Authors Fight Back Against OpenAI’s Unauthorized Content Use in LLM Training
Generative AI’s rise has triggered copyright suits across the country, with OpenAI as a major target. Plaintiffs, including Sarah Silverman, Paul Tremblay, George R.R. Martin, and John Grisham, allege unauthorized use of their content by OpenAI to train its AI tool, violating the U.S. Copyright Act.
OpenAI chose not to seek dismissal of the direct copyright infringement claims brought by the plaintiffs, Sarah Silverman and Paul Tremblay. Instead, OpenAI focused on vicarious liability and the plaintiffs’ failure to demonstrate substantial similarity between ChatGPT’s outputs and their works under the DMCA.
Regarding the DMCA allegations, the Plaintiffs asserted that “OpenAI intentionally removed CMI from” their works that were protected and that, among other things, their creations included CMI. However, OpenAI will respond before the court’s decision. This case is significant as it will determine if LLMs can use others’ creative content for training without compensating the rights holders.
Read: https://www.mondaq.com/unitedstates/copyright/1371906/famous-authors-clap-back-at-openais-attempt-to-dismiss-claims-regarding-unauthorized-use-of-content-for-training-llm-models
Canada Imposes Mandatory Registration for Podcast Platforms Under Government Authority
Recently, the Canadian Radio-television and Telecommunications Commission (CRTC) unveiled stringent regulations mandating the registration of all digital platforms that transmit audio or visual content and achieve a specific earnings threshold. This registration requirement must be fulfilled with the government agency by the end of November.
The regulatory requirement will apply to both traditional radio stations and online live-streaming podcast services, leaving no exceptions. However, platforms that generate less than $10 million in annual broadcasting revenues in Canada, along with video games and audiobook services, will be exempt from this rule.
This regulation signifies increased government control over the digital landscape, raising concerns about threats to net neutrality and freedom of speech. It foreshadows a potential conflict between individual freedom, free speech, and the unexplored realm of digital censorship.
Read: https://reclaimthenet.org/canada-forces-even-podcast-platforms-to-register-with-the-government
Canada Faces Cyber Onslaught from Indian Hacker Group
Canada’s federal government has been grappling with a series of cyberattacks. A hacker group from India, known as the Indian Cyber Force, has claimed responsibility. Despite the disruption, Canada’s signals intelligence agency maintains that these attacks have not compromised private information.
The Canadian Armed Forces’ website was temporarily inaccessible to mobile users due to a distributed denial-of-service (DDoS) attack. The site was restored within a few hours. The House of Commons website also experienced slow or incomplete loading due to an ongoing DDoS attack. Elections Canada was hit by a denial-of-service attack that lasted about an hour.
The Indian Cyber Force has not only claimed responsibility for the military incident but also appears to have infiltrated several websites owned by small Canadian businesses. The group posted messages criticizing Canada for allegedly providing refuge to terrorists and insulting Sikh separatists. They also criticized Prime Minister Justin Trudeau for making allegations without proof.
The U.S., a close ally of Canada, has urged India to cooperate with the Canadian investigation into these cyberattacks. However, it remains to be seen how this international cyber incident will unfold and what measures will be taken to prevent such attacks in the future.
Read: https://www.cbc.ca/news/politics/cyberattacks-parliament-india-1.6981399
Critical Vulnerabilities Uncovered in WS_FTP Server Software
Progress Software, a company that offers file-transfer solutions to an estimated 40 million users, has discovered critical vulnerabilities in its WS_FTP Server software. It’s crucial to clarify that these vulnerabilities are specific to the server software and do not impact the FTP client. The most dangerous of these vulnerabilities enables remote code execution (RCE) without user interaction or authentication. This discovery follows a previously disclosed zero-day vulnerability in Progress’s MOVEit file transfer technology.
The most critical vulnerability, CVE-2023-40044, is present in WS_FTP Server versions prior to 8.7.4 and 8.8.2. This vulnerability is a .NET serialization issue that could enable denial-of-service attacks, information leaks, and RCE. Another significant vulnerability is a directory traversal issue, CVE-2023-42657, present in WS_FTP Server versions before 8.7.4 and 8.8.2, which could permit attackers to manipulate files outside their authorized WS_FTP folder path.
Additionally, there are two high-severity cross-site scripting (XSS) vulnerabilities (CVE-2023-40045 and CVE-2023-40047) that could enable the execution of malicious JavaScript. Medium-severity flaws include a cross-site request forgery (CSRF) issue (CVE-2023-40048) and an information disclosure problem (CVE-2023-40049). To identify instances of WS_FTP Server, organizations are advised to use software inventory tools and network monitoring tools; the latter are particularly effective because of the open incoming ports typically associated with the software.
Read: https://www.darkreading.com/cloud/moveit-progress-critical-bug-ws_ftp-software
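Once an inventory tool has produced a list of hosts and product versions, the triage step is deciding which rows are actually in scope. The following is an added example (not code from Progress Software or from the article) that applies the two facts stated above: only WS_FTP Server is affected, not the WS_FTP client, and the fixed releases are 8.7.4 on the 8.7 branch and 8.8.2 on the 8.8 branch. The inventory records are constructed, and treating 8.9 or later as unaffected is an assumption of this example rather than something the advisory summary states.

```python
import re

# Fixed releases named in the advisory summary above.
FIXED_87 = (8, 7, 4)
FIXED_88 = (8, 8, 2)

# Constructed inventory rows, as a software inventory tool might export them.
SAMPLE_INVENTORY = [
    {"host": "ftp-01.corp.example", "product": "WS_FTP Server", "version": "8.8.1"},
    {"host": "ftp-02.corp.example", "product": "WS_FTP Server", "version": "8.7.4"},
    {"host": "ftp-03.corp.example", "product": "WS_FTP Server", "version": "8.6.2"},
    {"host": "ws-042.corp.example", "product": "WS_FTP Professional", "version": "12.7"},
    {"host": "ftp-04.corp.example", "product": "WS_FTP Server", "version": "8.8.2"},
]


def parse_version(s):
    """'8.8.1' -> (8, 8, 1). A missing patch number counts as 0; a fourth
    build number, if present, is ignored for the comparison."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups()[:3])


def is_affected(version):
    """True if a WS_FTP Server version is below the fixed release for its branch.
    Versions older than 8.7 are all below 8.7.4; 8.9 and later are assumed fixed."""
    v = parse_version(version)
    if v[:2] == (8, 8):
        return v < FIXED_88
    return v < FIXED_87


def triage(inventory):
    """Return the hosts running an affected WS_FTP Server build.
    Client products (e.g. WS_FTP Professional) are out of scope per the advisory."""
    affected = []
    for rec in inventory:
        if "ws_ftp server" not in rec["product"].lower():
            continue
        if is_affected(rec["version"]):
            affected.append(rec["host"])
    return affected


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("patch required:", host)
```

Pairing this with the network-monitoring approach the article suggests (hosts with the server's listening ports open that do not appear in the inventory at all) catches the installs the inventory tool never saw.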
Elsewhere online:
Decoding the CRTC’s New Rules for Online News Services and Podcast Providers
Read: https://www.michaelgeist.ca/2023/10/crtcregistrationregs/
Reddit Tightens Ad Policy, Removes Opt-Out for Personalized Ads
Read: https://www.mediapost.com/publications/article/389707/redditors-no-longer-able-to-opt-out-of-personalize.html
Emergence of BunnyLoader: A New Malware-as-a-Service Threat in the Cybercrime Underground
Read: https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html
KillNet Strikes: DDoS Attack Hits UK Royal Family Website
Read: https://www.hackread.com/uk-royal-family-website-ddos-attack-killnet/
AWS Employing MadPot Decoy System for Disrupting APTs and Botnets
Read: https://www.securityweek.com/aws-using-madpot-decoy-system-to-disrupt-apts-botnets/
Previously on #AxisOfEasy
This week’s quote is from Dresden James.
“When a well-packaged web of lies has been sold gradually to the masses over generations, the truth will seem utterly preposterous and its speaker a raving lunatic.”
Charles Darwin