ADT techie admits he peeked into women's home security cams thousands of times to watch them undress, have sex

Plus: SonicWall hacked, Qualcomm security wobble, warrantless cellphone monitoring by US snoops revealed


In brief One-time ADT security engineer Telesforo Aviles, 35, pleaded guilty to computer fraud in the US after spying on women through their home surveillance cameras.

As we reported last year, Aviles added himself as an admin user, using his personal email address, to the accounts of customers' home security systems, giving him full access to every part of their lives. When some customers questioned why his email address was on their system, he told some it had to be there for testing purposes.

On Thursday, he admitted in a federal court snooping on 220 clients in Texas more than 9,600 times over his career with the Florida-based company, spying on them, for his own sexual kicks, while they undressed and slept with their partners.

“This defendant, entrusted with safeguarding customers’ homes, instead intruded on their most intimate moments,” said Acting Texas US Attorney Prerak Shah. “We are glad to hold him accountable for this disgusting betrayal of trust.”

Aviles will be sentenced later this year and could face five years in a federal prison. ADT is facing multiple lawsuits from its clients.
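An added detection example for the abuse pattern described above (not code from ADT or The Register): it flags any email address that holds admin rights on several unrelated customer accounts. The membership rows, field names, `staff:` markers and the `vendor.example` domain are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows: (customer_account, user_email, role, added_by).
# "staff:" marks a change made from an employee tool rather than by the customer.
MEMBERSHIPS = [
    ("C1001", "alice@home.example", "admin", "customer"),
    ("C1001", "tech.personal@mail.example", "admin", "staff:e417"),
    ("C1002", "bob@home.example", "admin", "customer"),
    ("C1002", "Tech.Personal+test@mail.example", "admin", "staff:e417"),
    ("C1003", "carol@home.example", "admin", "customer"),
    ("C1003", "tech.personal@mail.example ", "admin", "staff:e417"),
    ("C1004", "carol@home.example", "admin", "customer"),  # same owner, second home
    ("C1004", "installer@vendor.example", "admin", "staff:e302"),
    ("C1005", "installer@vendor.example", "viewer", "staff:e302"),
]

VENDOR_DOMAINS = {"vendor.example"}  # assumption: the provider's own mail domain


def normalize(email):
    """Lower-case, trim, and drop any +tag so aliases of one mailbox collapse."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def find_cross_account_admins(memberships, min_accounts=3):
    """Return admin identities present on min_accounts or more customer accounts."""
    accounts = defaultdict(set)
    staff_added = defaultdict(set)
    for account, email, role, added_by in memberships:
        if role != "admin":
            continue
        key = normalize(email)
        accounts[key].add(account)
        if added_by.startswith("staff:"):
            staff_added[key].add(added_by)
    findings = []
    for email, accts in accounts.items():
        if len(accts) < min_accounts:
            continue
        findings.append({
            "email": email,
            "accounts": sorted(accts),
            "added_by_staff": sorted(staff_added[email]),
            # A personal mailbox with admin rights is the signal customers noticed.
            "non_vendor_address": email.split("@")[1] not in VENDOR_DOMAINS,
        })
    return sorted(findings, key=lambda f: -len(f["accounts"]))
```

Run against a real export, the threshold needs tuning for legitimate multi-property owners, and each hit should be checked against an approved work order.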

Breaking news... VPN and firewall biz SonicWall says it was hacked, and its internal systems compromised, via what looks like zero-day vulnerabilities in its own products.

"SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," the Silicon Valley biz said on Friday night.

Organizations using SonicWall products – such as the Secure Mobile Access (SMA) 100 series – are urged to configure their systems to only accept connections from known trusted IP addresses, among other mitigations, to keep out whoever has these exploits for SonicWall software. This is a developing situation: SonicWall appears to still be reeling from the intrusion, and trying to figure out full mitigations and patches.

The Hacker News, which broke the news of the hack, said it received reports that earlier in the week SonicWall's internal systems had fallen over and that miscreants had accessed the vendor's source code.

We don't need no stinking warrants

More evidence has emerged that American spies are swerving requirements for warrants before accessing citizens' cellphone location records – by simply buying them from private brokers.

A report in the New York Times tells us Uncle Sam's Defense Intelligence Agency was buying up location data from companies, and using it without a warrant. Under the 2018 Carpenter ruling by the US Supreme Court, law enforcement has to get a warrant for a phone's location data, though the DIA thinks it has found a loophole.

“DIA does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes,” the leaked agency memo states.

Senate privacy warrior Ron Wyden (D-OR) has called for a full investigation. Meanwhile, the ACLU has its own court case pending on the issue.

Intel and the hack that wasn't

This week, Intel published its latest quarterly financial figures minutes ahead of schedule after claiming someone hacked its news pages and leaked an infographic summary of the results early. It now turns out there was no hack.

"The URL of our earnings infographic was inadvertently made publicly accessible before publication of our earnings and accessed by third parties," Intel told AP. "Once we became aware of the situation we promptly issued our earnings announcement. Intel’s network was not compromised and we have adjusted our process to prevent this in the future."

Whether or not that allowed stock traders to make a killing remains to be seen. Intel shares are down nearly 10 per cent since the earnings release on Thursday.

Smut webcam site popped, plaintext passwords sold

Spotted for sale on the Raidforums marketplace this week: a user account database stolen from the sex webcam website MyFreeCams. It contained user names and email addresses, the account balance of tokens used to purchase viewing sessions, and plain-text passwords for as many as two million punters.

"Breaches like this raise serious privacy issues: most users of websites like MyFreeCams would undoubtedly prefer to remain anonymous, but now their email addresses can be used to out them as cam site members," said Mantas Sasnauskas, senior information security researcher at Cybernews.

"It's not difficult to imagine the implications if this information was used maliciously. For example, to extort and blackmail people to pay up, leak their user details from the website, or even simply reveal the fact that they frequent the website to their families, employers, or the general public."

The sale has now been shut down, though not before the seller made $22,400 in Bitcoin from 49 transactions. Punters should expect to be spammed with blackmail demands, credential stuffing attempts, and phishing expeditions.

Qualcomm visitor ID system screw-up

Late on Friday, Qualcomm issued a warning that its visitor check-in system may have exposed people's information via an unnamed vulnerability. No highly sensitive info was at risk, though enough to fuel potential phishing attempts. We're told the exposed records included: people's last name, first name, email address, phone number, address, country of citizenship, start date of visit, end date of visit, Qualcomm escorts, visit type, visit purpose, organization, title, visit location, and if the visitor was a job applicant, the job position they were seeking, and interview schedule – though not their CV.

Here's the email the chip designer sent out to peeps, a copy of which was obtained by The Register:

Last week on January 15 we became aware of an issue affecting the security of Qualcomm’s visitor check-in system. We are informing you of this issue since you have previously visited one or more of our offices and used the system. It is possible that some of the information you provided when you checked in at reception may have been exposed to unauthorized access, such as your contact and employer information, citizenship, and the date, time, and purpose of your visit.

If you are or were a candidate for employment at Qualcomm, the affected data may have also included your candidate number and interview schedule. No government IDs, credit card numbers, Social Security/insurance numbers or other candidate materials such as resumes were exposed.

We promptly eliminated the vulnerability and are taking steps to ensure that an incident like this does not happen again. We do not wish to cause unnecessary alarm, but if a third party did access your information, it is possible they might seek to perform a “phishing” attempt, such as impersonating a Qualcomm representative in a communication to you. Please only open email attachments and click links in Qualcomm emails that you expected, and if you have any doubts about the source of a Qualcomm communication, please reach out to your Qualcomm contacts directly for verification.

We apologize for this incident and regret any inconvenience it may cause you. Qualcomm takes its privacy and security obligations seriously, and we are taking steps to ensure that an incident like this does not happen again. Transparency and responsible stewardship are core to our privacy principles. If you would like more information, please see our FAQs. If the FAQs do not answer your questions or concerns, please email [redacted]. You can also view our Privacy Policy at www.qualcomm.com/privacy.

Sincerely,

Qualcomm’s Security & Privacy Teams

OpenWrt in forum break-in drama

The OpenWrt project has said one of its forum administrator accounts was pwned. "It is not known how the account was accessed: the account had a good password, but did not have two-factor authentication enabled," the team said in a post.

"The intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum. Although we do not believe the intruder could download the database, from an abundance of caution, we are following the advice of the Discourse community and have reset all passwords on the Forum, and flushed any API keys."

The team recommends changing forum passwords as soon as possible, and refreshing or resetting any GitHub OAuth keys linked to the message board. ®
