Tag Archive for: Olympics

Official Beijing 2022 Olympics Mobile App Is Marred by Security Flaws, Researchers Say


A mobile app that’s mandatory for all participants in next month’s Winter Olympics in Beijing contains security flaws that could make it easy for a hacker to steal sensitive personal information, cybersecurity researchers in Canada warn.

The China-built app, My 2022, will be used to monitor the health of attendees, as well as facilitate information sharing, leading up to and throughout the 2022 Games. Technicians with Citizen Lab, a human rights-focused cybersecurity and censorship research group at the University of Toronto, said they found the app failed to authenticate the identity of certain websites, leaving transfers of personal data open to attackers.

In a report released Tuesday, Citizen Lab also said the app didn’t properly encrypt sensitive metadata transmitted through the app’s messaging function, which meant any eavesdropper operating a Wi-Fi hot spot could discover who users are communicating with and when.

The researchers found the vulnerabilities in the iOS version of the app after downloading it and creating an account, said Jeffrey Knockel, one of the authors of the report. They weren’t able to create an account on the Android version of the app but found similar vulnerabilities by testing its publicly available features, he said.

[Photo: Beijing has been put on high alert ahead of the Olympics, with authorities trying to quickly stamp out Covid-19 outbreaks wherever they pop up. Credit: Kevin Frayer/Getty Images]

Citizen Lab said the vulnerabilities were similar to those frequently found in other Chinese apps, which led it to believe they are more likely to be the result of China’s lax enforcement of cybersecurity standards than part of an intentional government effort to steal data.

Apple and Google, the maker of Android, didn’t immediately respond to requests for comment. The Beijing Olympic Committee didn’t respond to a request for comment.

The Beijing 2022 handbook for athletes and officials…


Fraudsters Go for Olympics Gold Attacking Streaming Sites, but are Foiled by Arkose Labs


Since the establishment of the Olympic Games in ancient Greece in 776 B.C., the event has been an occasion for athletes and competitors from around the world to test their skills against the very best. This year, while many of us marveled at the amazing feats in gymnastics, track & field, swimming, and more, some fraudsters were attacking streaming sites to show off their skills in the realm of credential stuffing. While they aimed for gold in this particular dark art, they were foiled by Arkose Labs. 

The Arkose Labs platform protects one of the most prominent and popular streaming media platforms, which was also one of the platforms that broadcast the Olympic games. During the games, Arkose Labs detected a far larger spike in traffic to the streaming platform than normal. Much of this, however, was not simply an increase in viewers coming to watch feats of athletic strength and speed, but fraudsters performing credential stuffing attacks. In fact, credential stuffing attacks spiked by 52% during the week of the opening ceremony, peaking during the closing ceremony.

Credential stuffing is one of the major attacks that powers account takeover fraud. It is when fraudsters use automation to run millions of username and password combinations on accounts until they get a match. Years of data breaches have exposed these usernames and passwords, and large lists can be purchased on the Dark Web for relatively little. Some even post them for free on sites like Pastebin. 

Account takeover attacks are highly popular among fraudsters because of the numerous ways they can be monetized. They can drain money from an account or steal personal information and resell it to other criminals. They can use the compromised accounts to launder or move stolen money obtained from another crime. And there are many industry-specific paths to monetization as well.

In attacking streaming sites, fraudsters often seek to launch mass attacks at scale, since these accounts are not as lucrative as, say, financial accounts. This means fraudsters need volume to make money and gain access to as many accounts as possible to resell…


Tokyo Olympics could be threatened by cyberattack, FBI warns


The Olympics are ripe for cyberattacks by nation-state actors, the FBI said in a notification to cybersecurity professionals, adding that these actors could hack or ransom sensitive stolen data.

The games provide an opportunity for state-backed actors to “sow confusion…and advance ideological goals,” the FBI said in a statement.

In its notification, the FBI cited the potential for distributed denial of service (DDoS) attacks – where computers are rendered unavailable to an organization – targeting TV broadcasters, hotels, mass transit, ticketing services and event security infrastructure as a possibility.


DDoS attacks are often part and parcel of ransomware.

Some attacks have already happened. In June, Japan’s Kyodo News reported that information was leaked from a data sharing tool developed by Japanese IT company Fujitsu. The breach involved Japan’s national cybersecurity center which was preparing for potential cyberattacks during the games, Kyodo said.

Olympic meddling from state actors would not be unprecedented. The FBI indicted Russian cyber actors for hacking into computers supporting the 2018 PyeongChang Winter Olympics, culminating in a cyberattack targeting the Opening Ceremony.

And the FBI notification comes in the wake of a joint advisory from The National Security Agency, Cybersecurity and Infrastructure Security Agency and FBI about an active malicious cyber campaign being carried out by the Russian General Staff Main Intelligence Directorate (GRU) targeting hundreds of U.S. and foreign organizations in order to penetrate government and private sector networks.

“GRU continues to be a threat…The scale, reach and pace of their operations is alarming,” a spokesperson from cybersecurity firm Check Point Software told Fox News.


Against a backdrop of global cyber warfare, the usual suspects could be active.

“Given the ongoing rise in temperatures of the ‘Cyber Cold War,’ it is likely that we will see many of those previously linked with recent high profile cyberattacks – such as Russia, China, REvil and other organized groups,”…


Tokyo Olympics Postponed, But 5G Security Lessons Shine

Threatpost Senior Editor Tara Seals is joined by Russ Mohr, engineer and Apple evangelist at MobileIron along with Jerry Ray, COO at SecureAge, for a discussion about the now postponed Tokyo Games and its use of 5G and the myriad of security concerns Japan is preparing for.