Upstream Security Gets Cisco Investment to Protect Connected Vehicles and Devices

Upstream Security, an Israeli auto cybersecurity startup, said on Wednesday it received an undisclosed investment from Cisco Investments as demand grows for internet-connected vehicles and other devices.

Cyware News – Latest Cyber News – ​Read More

Ransomware Group Claims Theft of Data From Chipmaker Nexperia 

The Dark Angels (Dunghill) ransomware group claims to have stolen 1 Tb of data from Nexperia, which is investigating the incident.

The post Ransomware Group Claims Theft of Data From Chipmaker Nexperia  appeared first on SecurityWeek.

SecurityWeek – ​Read More

European Police Swoop on $685m Cannabis Investment Fraud Gang

JuicyFields operated as a classic Ponzi scheme between 2020 and July 2022, according to Europol. Promising high returns with little to no risk, the scammers simply used money from new investors to pay returns to earlier ones.

Cyware News – Latest Cyber News – ​Read More

Crickets from Chirp Systems in Smart Lock Key Leak

The U.S. government is warning that smart locks securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.

On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks.

“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”

Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.

“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”

Using those hard-coded credentials, Brown found he could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that enumerate and remotely lock or unlock any door in any building that uses the technology.

Brown said when he complained to his leasing office, they sold him a small $50 key fob that uses Near-Field Communications (NFC) to toggle the lock when he brings the fob close to his front door. But he said the fob doesn’t eliminate the ability for anyone to remotely unlock his front door using the exposed credentials and the Chirp mobile app.

A smart lock enabled with Chirp. Image: Camdenliving.com

Also, the fobs pass the credentials to his front door over the air in plain text, meaning someone could clone the fob just by bumping against him with a smartphone app made to read and write NFC tags.

Neither August nor Chirp Systems responded to requests for comment. It’s unclear exactly how many apartments and other residences are using the vulnerable Chirp locks, but multiple articles about the company from 2020 state that approximately 50,000 units use Chirp smart locks with August’s API.

Roughly a year before Brown reported the flaw to Chirp Systems, the company was bought by RealPage, a firm founded in 1998 as a developer of multifamily property management and data analytics software. In 2021, RealPage was acquired by the private equity giant Thoma Bravo.

Brown said the exposure he found in Chirp’s products is “an obvious flaw that is super easy to fix.”

“It’s just a matter of them being motivated to do it,” he said. “But they’re part of a private equity company now, so they’re not answerable to anybody. It’s too bad, because it’s not like residents of [the affected] properties have another choice. It’s either agree to use the app or move.”

In October 2022, an investigation by ProPublica examined RealPage’s dominance in the rent-setting software market, and that it found “uses a mysterious algorithm to help landlords push the highest possible rents on tenants.”

“For tenants, the system upends the practice of negotiating with apartment building staff,” ProPublic found. “RealPage discourages bargaining with renters and has even recommended that landlords in some cases accept a lower occupancy rate in order to raise rents and make more money. One of the algorithm’s developers told ProPublica that leasing agents had ‘too much empathy’ compared to computer generated pricing.”

Last year, the U.S. Department of Justice threw its weight behind a massive lawsuit filed by dozens of tenants who are accusing the $9 billion apartment software company of helping landlords collude to inflate rents.

In February 2024, attorneys general for Arizona and the District of Columbia sued RealPage, alleging RealPage’s software helped create a rental monopoly in their states.

Krebs on Security – ​Read More

Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks

The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data.
“Organizations often store a variety of data in SaaS applications and use services from CSPs,” Palo Alto Networks Unit 42 said in a report published last week.
“The threat

The Hacker News – ​Read More

Microsoft Wants You to Watch What It Says, Not What It Does

The responsibility to hold Microsoft accountable for abiding by its self-proclaimed principles shouldn’t fall to customers and competition authorities.

darkreading – ​Read More

Juniper Networks Publishes Dozens of New Security Advisories

Juniper Networks patches dozens of vulnerabilities in Junos OS, Junos OS Evolved, and other products.

The post Juniper Networks Publishes Dozens of New Security Advisories appeared first on SecurityWeek.

SecurityWeek – ​Read More

TechRepublic’s Review Methodology for VPNs

Our review methodology for virtual private networks involves comprehensive research, expert analysis and first-hand experience.

Security | TechRepublic – ​Read More

AI Copilot: Launching Innovation Rockets, But Beware of the Darkness Ahead

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn’t a plot from the latest cyber-thriller; it’s actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on

The Hacker News – ​Read More

Software Support: 7 Essential Reasons You Can’t Overlook

By Owais Sultan

Explore the significance of software support in the fast-paced digital world. Discover how continuous maintenance, bug fixing, feature enhancement, and integration management optimize operations. With expert assistance, enhance security, ensure project continuity, and improve processes for operational excellence

This is a post from HackRead.com Read the original post: Software Support: 7 Essential Reasons You Can’t Overlook

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – ​Read More