ADT techie admits he peeked into women's home security cams thousands of times to watch them undress, have sex
Plus: SonicWall hacked, Qualcomm security wobble, warrantless cellphone monitoring by US snoops revealed
In brief One-time ADT security engineer Telesforo Aviles, 35, pleaded guilty to computer fraud in the US after spying on women through their home surveillance cameras.
As we reported last year, Aviles added himself as an admin user, using his personal email address, to the accounts of customers' home security systems, giving him full access to every part of their lives. When some customers questioned why his email address was on their system, he told some it had to be there for testing purposes.
On Thursday, he admitted in a federal court snooping on 220 clients in Texas more than 9,600 times over his career with the Florida-based company, spying on them, for his own sexual kicks, while they undressed and slept with their partners.
“This defendant, entrusted with safeguarding customers’ homes, instead intruded on their most intimate moments,” said Acting Texas US Attorney Prerak Shah. “We are glad to hold him accountable for this disgusting betrayal of trust.”
Aviles will be sentenced later this year and could face five years in a federal prison. ADT is facing multiple lawsuits from its clients.
Breaking news... VPN and firewall biz SonicWall says it was hacked, and its internal systems compromised, via what looks like zero-day vulnerabilities in its own products.
"SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," the Silicon Valley biz said on Friday night.
Organizations using SonicWall products – such as the Secure Mobile Access (SMA) 100 series – are urged to configure their systems to only accept connections from known trusted IP addresses, among other mitigations, to keep out whoever has these exploits for SonicWall software. This is a developing situation: SonicWall appears to still be reeling from the intrusion, and trying to figure out full mitigations and patches.
The Hacker News, which broke the news of the hack, said it received reports that earlier in the week SonicWall's internal systems had fallen over and that miscreants had accessed the vendor's source code.
We don't need no stinking warrants
More evidence has emerged that American spies are swerving requirements for warrants before accessing citizens' cellphone location records – by simply buying them from private brokers.
A report in the New York Times tells us Uncle Sam's Defense Intelligence Agency was buying up location data from companies, and using it without a warrant. Under the 2018 Carpenter ruling by the US Supreme Court, law enforcement has to get a warrant for a phone's location data, though the DIA thinks it has found a loophole.
“DIA does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes,” the leaked agency memo states.
Senate privacy warrior Ron Wyden (D-OR) has called for a full investigation. Meanwhile, the ACLU has its own court case pending on the issue.
Intel and the hack that wasn't
This week, Intel published its latest quarterly financial figures minutes ahead of schedule after claiming someone hacked its news pages and leaked an infographic summary of the results early. It now turns out there was no hack.
"The URL of our earnings infographic was inadvertently made publicly accessible before publication of our earnings and accessed by third parties," Intel told AP. "Once we became aware of the situation we promptly issued our earnings announcement. Intel’s network was not compromised and we have adjusted our process to prevent this in the future."
Whether or not that allowed stock traders to make a killing remains to be seen. Intel shares are down nearly 10 per cent since the earnings release on Thursday.
Smut webcam site popped, plaintext passwords sold
Spotted for sale on the Raidforums marketplace this week: a user account database stolen from the sex webcam website MyFreeCams. It contained user names and email addresses, the account balance of tokens used to purchase viewing sessions, and plain-text passwords for as many as two million punters.
"Breaches like this raise serious privacy issues: most users of websites like MyFreeCams would undoubtedly prefer to remain anonymous, but now their email addresses can be used to out them as cam site members," said Mantas Sasnauskas, senior information security researcher at Cybernews.
"It's not difficult to imagine the implications if this information was used maliciously. For example, to extort and blackmail people to pay up, leak their user details from the website, or even simply reveal the fact that they frequent the website to their families, employers, or the general public."
The sale has now been shut down, though not before the seller made $22,400 in Bitcoin from 49 transactions. Punters should expect to be spammed with blackmail demands, credential stuffing attempts, and phishing expeditions.
Qualcomm visitor ID system screw-up
Late on Friday, Qualcomm issued a warning that its visitor check-in system may have exposed people's information via an unnamed vulnerability. No highly sensitive info was at risk, though enough to fuel potential phishing attempts. We're told the exposed records included: people's last name, first name, email address, phone number, address, country of citizenship, start date of visit, end date of visit, Qualcomm escorts, visit type, visit purpose, organization, title, visit location, and if the visitor was a job applicant, the job position they were seeking, and interview schedule – though not their CV.
Here's the email the chip designer sent out to peeps, a copy of which was obtained by The Register:
Last week on January 15 we became aware of an issue affecting the security of Qualcomm’s visitor check-in system. We are informing you of this issue since you have previously visited one or more of our offices and used the system. It is possible that some of the information you provided when you checked in at reception may have been exposed to unauthorized access, such as your contact and employer information, citizenship, and the date, time, and purpose of your visit.
If you are or were a candidate for employment at Qualcomm, the affected data may have also included your candidate number and interview schedule. No government IDs, credit card numbers, Social Security/insurance numbers or other candidate materials such as resumes were exposed.
We promptly eliminated the vulnerability and are taking steps to ensure that an incident like this does not happen again. We do not wish to cause unnecessary alarm, but if a third party did access your information, it is possible they might seek to perform a “phishing” attempt, such as impersonating a Qualcomm representative in a communication to you. Please only open email attachments and click links in Qualcomm emails that you expected, and if you have any doubts about the source of a Qualcomm communication, please reach out to your Qualcomm contacts directly for verification.
Qualcomm’s Security & Privacy Teams
OpenWrt in forum break-in drama
The OpenWrt project has said one of its forum administrator accounts was pwned. "It is not known how the account was accessed: the account had a good password, but did not have two-factor authentication enabled," the team said in a post.
"The intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum. Although we do not believe the intruder could download the database, from an abundance of caution, we are following the advice of the Discourse community and have reset all passwords on the Forum, and flushed any API keys."
The team recommends changing forum passwords as soon as possible, and refreshing or resetting any GitHub OAuth keys linked to the message board. ®