Lock-Pickers Face an Uncertain Future Online

Teaching the hardware hacker skill of picking locks is evolving in the face of the pandemic’s lockdown.
Source: DarkReading

Q2 DDoS Attacks Triple Year Over Year: Report

Distributed denial-of-service attacks have stayed consistently high throughout 2020, a shift from normal attack trends that researchers attribute to COVID-19.
Source: DarkReading

Utah Family Tormented in "Stalking on Steroids" Case


A Hawaii man has admitted sending over 500 unwanted visitors to the home of a Utah family in a case police have described as “stalking on steroids.”



Loren M. Okamura was arrested in December 2019 on charges of cyber-stalking, making interstate threats, and transporting a person over state lines for the purpose of prostitution. The 44-year-old entered a guilty plea in US District Court on July 27.



Okamura admitted sending a string of unwanted service providers to the North Salt Lake home of Walt Gilmore and his family. Unwanted visitors turned away by the Gilmores as a result of Okamura’s actions included plumbers, locksmiths, food delivery workers, electricians, and sex workers.



When arranging the unwanted services, Okamura used apps to obscure his identity and phone location data. 



The family’s stalking experience began in August 2018 when a tow-truck company employee turned up on their doorstep with false instructions to remove a car from the Gilmores’ driveway.



For the next seven months, the family turned away up to 20 people a day who had been sent to their house by Okamura under false pretenses. 



The arrival of misled service providers at the Gilmore family home became so frequent that the family resorted to erecting a sign in their front yard warning of the hoax. 



“This is stalking on steroids. It’s pretty vicious,” North Salt Lake police told the Deseret News in March 2019.



Gilmore said that the family was plagued by unwanted visitors at all hours of the day and night.



“They have police records. Criminals. Felons. Active warrants for their arrests coming to my home. They’re looking for drugs. They’re offering prostitution,” Gilmore told the Deseret News.



“These are individuals who come to our home in the middle of the night—10, 11 o’clock, 1, 2, 3 in the morning.”



Local police parked a patrol car in the family’s driveway to deter people scammed by Okamura from knocking on the front door. Police estimate that the companies Okamura scammed have lost over $20k in staff hours and uncollected service fees.



Walt Gilmore said that his adult daughter had known Okamura at one point but no longer had any contact with the cyber-stalker. 



Okamura’s sentencing is scheduled for October 5.


Source: Infosecurity

CVE-2020-17476

Mibew Messenger before 3.2.7 allows XSS via a crafted user name.
Source: NIST

Alleged Soccer Leaks Source Released from Custody


A Portuguese computer whiz accused of leaking a series of confidential documents belonging to various soccer clubs has been released from custody.



Rui Pinto has been moved to a safe house in Portugal after spending 18 months behind lock and key while he awaits his trial before a Portuguese court. 



The 32-year-old was arrested in Hungary in March 2019 on charges related to hacking, violation of correspondence, computer sabotage, illegitimate access, and attempted extortion. Pinto had been resident in Hungary for four years at the time of his arrest.



Portugal’s state broadcaster RTP and other media reported that Pinto was released from police custody in Lisbon late Friday.



Pinto’s removal to a safe house at the behest of Judge Margarida Alves follows intervention in the defendant’s case by Luís Neves, the head of Portugal’s Policia Judiciaria. 



In a June interview with Diário de Notícias, Neves described Pinto as a young man with serious concerns for society. The police chief then called for a change to the law to protect whistleblowers who cooperate with the justice system to expose organized crime and corruption.



Further support for Pinto’s cause came from Albano Pinto, director of the central department of criminal investigation and penal action (DCIAP). In July, Albano Pinto, who is no relation of Rui Pinto, praised the accused for his “total availability and spontaneity to get to the truth.”



The Observador reported that Pinto cooperated with Portuguese police by unlocking access codes for all the electronic devices to which he had access. 



Pinto was initially accused by Portugal’s Public Ministry of committing 147 crimes, but following his collaboration with DCIAP, some of the charges against Rui Pinto were dropped.



The accused is currently awaiting trial for 90 crimes, including 6 counts of illegitimate access, one count of computer sabotage, 14 counts of violation of correspondence, 68 counts of undue access and one count of attempted extortion.



The prosecutor in Pinto’s case disagreed with Judge Alves’ decision to release the defendant. According to Observador, the prosecutor fears that by having access to the internet, Pinto “may destroy evidence or even continue criminal activity.”


Source: Infosecurity

CVE-2020-9529

Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20), as used by many different vendors in millions of Internet of Things devices, suffers from a privilege escalation vulnerability that allows attackers on the local network to reset the device’s administrator password. This affects products marketed under the following brand names: Accfly, Alptop, Anlink, Besdersec, BOAVISION, COOAU, CPVAN, Ctronics, D3D Security, Dericam, Elex System, Elite Security, ENSTER, ePGes, Escam, FLOUREON, GENBOLT, Hongjingtian (HJT), ICAMI, Iegeek, Jecurity, Jennov, KKMoon, LEFTEK, Loosafe, Luowice, Nesuniq, Nettoly, ProElite, QZT, Royallite, SDETER, SV3C, SY2L, Tenvis, ThinkValue, TOMLOV, TPTEK, WGCC, and ZILINK.
Source: NIST

CVE-2020-9528

Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20), as used by many different vendors in millions of Internet of Things devices, suffers from cryptographic issues that allow remote attackers to access user session data, as demonstrated by eavesdropping on user video/audio streams, capturing credentials, and compromising devices. This affects products marketed under the following brand names: Accfly, Alptop, Anlink, Besdersec, BOAVISION, COOAU, CPVAN, Ctronics, D3D Security, Dericam, Elex System, Elite Security, ENSTER, ePGes, Escam, FLOUREON, GENBOLT, Hongjingtian (HJT), ICAMI, Iegeek, Jecurity, Jennov, KKMoon, LEFTEK, Loosafe, Luowice, Nesuniq, Nettoly, ProElite, QZT, Royallite, SDETER, SV3C, SY2L, Tenvis, ThinkValue, TOMLOV, TPTEK, WGCC, and ZILINK.
Source: NIST

CVE-2020-9527

Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20, after 2018-08-09 through 2020), as used by many different vendors in millions of Internet of Things devices, suffers from a buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code via the peer-to-peer (P2P) service. This affects products marketed under the following brand names: Accfly, Alptop, Anlink, Besdersec, BOAVISION, COOAU, CPVAN, Ctronics, D3D Security, Dericam, Elex System, Elite Security, ENSTER, ePGes, Escam, FLOUREON, GENBOLT, Hongjingtian (HJT), ICAMI, Iegeek, Jecurity, Jennov, KKMoon, LEFTEK, Loosafe, Luowice, Nesuniq, Nettoly, ProElite, QZT, Royallite, SDETER, SV3C, SY2L, Tenvis, ThinkValue, TOMLOV, TPTEK, WGCC, and ZILINK.
Source: NIST

CVE-2020-9526

CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an information exposure flaw that exposes user session data to supernodes in the network, as demonstrated by passively eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
Source: NIST

CVE-2020-9525

CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an authentication flaw that allows remote attackers to perform a man-in-the-middle attack, as demonstrated by eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
Source: NIST