<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/122/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-distributing-sms-bomber-tool-with-malware-hidden-inside-r6667/</link><description><![CDATA[<p>
	A threat cluster with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware coded in the Nim language to strike targets as part of a newly discovered campaign.
</p>

<p>
	<br />
	The novel loader, dubbed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' tool that is most likely illegally distributed in the Chinese-speaking web," Israeli cybersecurity company Check Point said in a report.
</p>

<p>
	<br />
	"Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said. "Therefore the entire bundle works as a trojanized binary."
</p>

<p>
	<br />
	SMS Bomber, as the name indicates, allows a user to input a phone number (not their own) so as to flood the victim's device with messages and potentially render it unusable in what's a denial-of-service (DoS) attack.
</p>

<p>
	<br />
	The fact that the binary doubles up as SMS Bomber and a backdoor suggests that the attacks are not just aimed at those who are users of the tool — a "rather unorthodox target" — but also highly targeted in nature.
</p>

<p>
	<br />
	Tropic Trooper, also known by the monikers Earth Centaur, KeyBoy, and Pirate Panda, has a track record of striking targets located in Taiwan, Hong Kong, and the Philippines, primarily focusing on government, healthcare, transportation, and high-tech industries.
</p>

<p>
	<br />
	Calling the Chinese-speaking collective "notably sophisticated and well-equipped," Trend Micro last year pointed out the group's ability to evolve their TTPs to stay under the radar and rely on a broad range of custom tools to compromise its targets.
</p>

<p>
	<br />
	The latest attack chain documented by Check Point begins with the tampered SMS Bomber tool, the Nimbda loader, which launches an embedded executable, in this case the legitimate SMS Bomber payload, while also injecting a separate piece of shellcode into a notepad.exe process.
</p>

<p>
	<br />
	This kicks off a three-tier infection process that entails downloading a next-stage binary from an obfuscated IP address specified in a markdown file ("EULA.md") that's hosted in an attacker-controlled GitHub or Gitee repository.
</p>

<p>
	<br />
	The retrieved binary is an upgraded version of a trojan named Yahoyah that's designed to collect information about local wireless networks in the victim machine's vicinity as well as other system metadata and exfiltrate the details back to a command-and-control (C2) server.
</p>

<p>
	<br />
	Yahoyah, for its part, also acts as a conduit to fetch the final-stage malware, which is downloaded in the form of an image from the C2 server. The steganographically-encoded payload is a backdoor known as TClient and has been deployed by the group in previous campaigns.
</p>

<p>
	<br />
	"The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind," the researchers concluded.
</p>

<p>
	<br />
	"Usually, when third-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an 'SMS Bomber' tool for this purpose is unsettling, and tells a whole story the moment one dares to extrapolate a motive and an intended victim."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/chinese-hackers-distributing-sms-bomber.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6667</guid><pubDate>Thu, 23 Jun 2022 13:36:01 +0000</pubDate></item><item><title>Meet the Administrators of the RSOCKS Proxy Botnet</title><link>https://nsaneforums.com/news/security-privacy-news/meet-the-administrators-of-the-rsocks-proxy-botnet-r6651/</link><description><![CDATA[<p>
	Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “RSOCKS” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top spam forum.
</p>

<p>
	 
</p>

<p>
	<img alt="rusdotmailer-768x478.png" class="ipsImage" data-ratio="66.39" height="448" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2022/06/rusdotmailer-768x478.png">
</p>

<div id="attachment_60165">
	<p id="caption-attachment-60165">
		The RUSdot mailer, the email spamming tool made and sold by the administrator of RSOCKS.
	</p>

	<p>
		 
	</p>
</div>

<p>
	According to <a href="https://www.justice.gov/usao-sdca/pr/russian-botnet-disrupted-international-cyber-operation" rel="external nofollow" target="_blank">a statement</a> by the U.S. Department of Justice, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:
</p>

<p>
	 
</p>

<p>
	“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”
</p>

<p>
	 
</p>

<p>
	The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.
</p>

<p>
	 
</p>

<p>
	The user “RSOCKS” on the Russian crime forum Verified changed his name to RSOCKS from a previous handle: “Stanx,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.
</p>

<p>
	 
</p>

<p>
	Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.
</p>

<p>
	 
</p>

<p>
	“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”
</p>

<p>
	 
</p>

<p>
	<img alt="rusdot-768x457.png" class="ipsImage" data-ratio="63.33" height="428" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2022/06/rusdot-768x457.png">
</p>

<div id="attachment_60181">
	<p id="caption-attachment-60181">
		A Google-translated version of the Rusdot spam forum.
	</p>

	<p>
		 
	</p>
</div>

<p>
	RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before <a href="https://krebsonsecurity.com/2010/09/spam-affialite-program-spamit-com-to-close/" rel="external nofollow" target="_blank">the community’s implosion in 2010</a>. Even today, the RUSdot Mailer is advertised for sale at the top of the RUSdot community forum.
</p>

<p>
	 
</p>

<p>
	Stanx said he was a longtime member of several major forums, including the Russian hacker forum Antichat (since 2005), and the Russian crime forum Exploit (since April 2013). In an early post to Antichat in January 2005, Stanx disclosed that he is from Omsk, a large city in the Siberian region of Russia.
</p>

<p>
	 
</p>

<p>
	According to the cyber intelligence firm <a href="https://www.intel471.com" rel="external nofollow" target="_blank">Intel 471</a>, the user Stanx indeed registered on Exploit in 2013, using the email address stanx@rusdot.com, and the ICQ number 399611. A search in Google for that ICQ number turns up a cached version of a <a href="https://web.archive.org/web/20100724205441/http://vkontakte.ru/kloster" rel="external nofollow" target="_blank">Vkontakte profile</a> for a Denis “Neo” Kloster, from Omsk, Russia.
</p>

<p>
	 
</p>

<p>
	Cybersecurity firm <a href="http://www.constellainteligence.com" rel="external nofollow" target="_blank">Constella Intelligence</a> shows that in 2017, someone using the email address istanx@gmail.com registered at the Russian freelancer job site fl.ru with the profile name of “Denis Kloster” and the Omsk phone number of 79136334444. Another record indexed by Constella suggests Denis’s real surname may in fact be “Emilyantsev” [Емельянцев].
</p>

<p>
	 
</p>

<p>
	That phone number is tied to the WHOIS registration records for multiple domain names over the years, including proxy[.]info, allproxy[.]info, kloster.pro and deniskloster.com.
</p>

<p>
	 
</p>

<p>
	<img alt="klosterpp.png" class="ipsImage" data-ratio="102.46" height="500" width="488" src="https://krebsonsecurity.com/wp-content/uploads/2022/06/klosterpp.png">
</p>

<div id="attachment_60166">
	<p id="caption-attachment-60166">
		A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019. It shows that in Oct. 2019, he obtained a visa from the American Embassy in Bangkok, Thailand.
	</p>

	<p>
		 
	</p>
</div>

<p>
	The “about me” section of DenisKloster.com says the 35-year-old was born in Omsk, that he got his first computer at age 12, and graduated from high school at 16. Kloster says he’s worked in many large companies in Omsk as a system administrator, web developer and photographer.
</p>

<p>
	 
</p>

<p>
	According to Kloster’s blog, his first real job was running an “online advertising” firm he founded called Internet Advertising Omsk (“riOmsk”), and that he even lived in New York City for a while.
</p>

<p>
	 
</p>

<p>
	“Something new was required and I decided to leave Omsk and try to live in the States,” Kloster <a href="https://web.archive.org/web/20130819021130/http://deniskloster.com/index.php/aboutme" rel="external nofollow" target="_blank">wrote in 2013</a>. “I opened an American visa for myself, it was not difficult to get. And so I moved to live in New York, the largest city in the world, in a country where all wishes come true. But even this was not enough for me, and since then I began to travel the world.”
</p>

<p>
	 
</p>

<p>
	The <a href="https://deniskloster-com.translate.goog/%d0%be%d0%b1%d0%be-%d0%bc%d0%bd%d0%b5/?_x_tr_sl=en&amp;_x_tr_tl=ru&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp&amp;_x_tr_sch=http" rel="external nofollow" target="_blank">current version of the About Me page</a> on Kloster’s site says he closed his advertising business in 2013 to travel the world and focus on his new company: one that provides security and anonymity services to customers around the world. Kloster’s vanity website and <a href="https://www.linkedin.com/in/denis-kloster-036793111/" rel="external nofollow" target="_blank">LinkedIn page</a> both list him as CEO of a company called “SL MobPartners.”
</p>

<p>
	 
</p>

<p>
	In 2016, Deniskloster.com featured <a href="https://deniskloster-com.translate.goog/%d0%bd%d0%b0%d0%bc-%d1%82%d1%80%d0%b8-%d0%b3%d0%be%d0%b4%d0%b0-2/?_x_tr_sch=http&amp;_x_tr_sl=en&amp;_x_tr_tl=ru&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp" rel="external nofollow" target="_blank">a post celebrating three years in operation</a>. The anniversary post said Kloster’s anonymity business had grown to nearly two dozen employees, most of whom were included in a group photo posted to that article (and some of whom Kloster thanked by their first names and last initials).
</p>

<p>
	 
</p>

<p>
	<img alt="klosterphoto.png" class="ipsImage" data-ratio="55.71" height="366" width="657" src="https://krebsonsecurity.com/wp-content/uploads/2022/06/klosterphoto.png">
</p>

<div id="attachment_60163">
	<p id="caption-attachment-60163">
		The employees who kept things running for RSOCKS, circa 2016.
	</p>

	<p>
		 
	</p>
</div>

<p>
	“Thanks to you, we are now developing in the field of information security and anonymity!,” the post enthuses. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”
</p>

<p>
	 
</p>

<p>
	Mr. Kloster did not respond to repeated requests for comment.
</p>

<p>
	 
</p>

<p>
	It’s not clear if the coordinated takedown targeting the RSOCKS botnet will be permanent, as the botnet’s owners could simply rebuild — and possibly rebrand — their crime machine. Based on the RSOCKS owner’s posts, that is exactly what they intend to do.
</p>

<p>
	 
</p>

<p>
	“RSocks ceases to exist,” wrote the Rsocks account on the BlackHatWorld forum on June 17. “But don’t worry. All the active plans and fund balances will be transferred to another service. Stay tuned. We will inform you about its name and all the details later.”
</p>

<p>
	 
</p>

<p>
	<img alt="bhw-rsocks-768x124.png" class="ipsImage" data-ratio="17.08" height="174" width="1080" src="https://krebsonsecurity.com/wp-content/uploads/2022/06/bhw-rsocks-768x124.png">
</p>

<div id="attachment_60188">
	<p id="caption-attachment-60188">
		Rsocks told the BlackHatWorld community they would be back soon under a new name.
	</p>

	<p>
		 
	</p>
</div>

<p>
	Malware-based proxy services like RSOCKS have struggled to remain competitive in a cybercrime market with increasingly sophisticated proxy services that offer many additional features. The demise of RSOCKS follows closely on the heels of VIP72[.]com, a competing proxy botnet service that operated for a decade before its owners <a href="https://krebsonsecurity.com/2021/09/15-year-old-malware-proxy-network-vip72-goes-dark/" rel="external nofollow" target="_blank">pulled the plug on the service</a> last year.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2022/06/meet-the-administrators-of-the-rsocks-proxy-botnet/" rel="external nofollow">Meet the Administrators of the RSOCKS Proxy Botnet</a>
</p>
]]></description><guid isPermaLink="false">6651</guid><pubDate>Wed, 22 Jun 2022 21:00:51 +0000</pubDate></item><item><title>A simple tool to make websites more secure and curb hacking</title><link>https://nsaneforums.com/news/security-privacy-news/a-simple-tool-to-make-websites-more-secure-and-curb-hacking-r6646/</link><description><![CDATA[<p>
	An international team of researchers has developed a scanning tool to make websites less vulnerable to hacking and cyberattacks.
</p>

<p>
	<br />
	The black box security assessment prototype, tested by engineers in Australia, Pakistan and the UAE, is more effective than existing web scanners which collectively fail to detect the top 10 weaknesses in web applications.
</p>

<p>
	<br />
	UniSA mechanical and systems engineer Dr. Yousef Amer is one of the co-authors of a new international paper that describes the development of the tool in the wake of escalating global cyberattacks.
</p>

<p>
	<br />
	Cybercrime cost the world $6 trillion in 2021, reflecting a 300% hike in online criminal activity in the past two years.
</p>

<p>
	<br />
	Remote working, cloud-based platforms, malware and phishing scams have led to skyrocketing data breaches, while the rollout of 5G and Internet of Things (IoT) devices has made us more connected—and vulnerable—than ever.
</p>

<p>
	<br />
	Dr. Yousef Amer and colleagues from Pakistan, the UAE and Western Sydney University, highlight numerous security weaknesses in website applications and how these are costing organizations dearly.
</p>

<p>
	<br />
	Due to the widespread adoption of eCommerce, iBanking and eGovernment sites, web applications have become a prime target of cybercriminals who want to steal individual and company information and disrupt business activities.
</p>

<p>
	<br />
	Despite a projected $170 billion global outlay on internet security in 2022 against a backdrop of escalating and more severe cyberattacks, existing web scanners are falling way short when it comes to assessing vulnerabilities, according to Dr. Amer.
</p>

<p>
	<br />
	"We have identified that most of the publicly available scanners have weaknesses and are not doing the job they should," he says.
</p>

<p>
	<br />
	Nearly 72% of organizations have suffered at least one serious security breach on their website, with vulnerabilities tripling since 2017.
</p>

<p>
	<br />
	WhiteHat Security, a world leader in web application security, estimates that 86% of scanned web pages have on average 56% vulnerabilities. Among these, at least one is classified as critical.
</p>

<p>
	<br />
	The researchers compared 11 publicly available web application scanners against the top 10 vulnerabilities.
</p>

<p>
	<br />
	"We found that no single scanner is capable of countering all these vulnerabilities, but our prototype tool caters for all these challenges. It's basically a one-stop guide to ensure 100% website security," Dr. Amer says.
</p>

<p>
	<br />
	"There's a dire need to audit websites and ensure they are secure if we are to curb these breaches and save companies and governments millions of dollars."
</p>

<p>
	<br />
	The researchers are now seeking to commercialize their prototype.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2022-06-simple-tool-websites-curb-hacking.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6646</guid><pubDate>Wed, 22 Jun 2022 15:33:25 +0000</pubDate></item><item><title>Overseas hacker group hits email system of Chinese university</title><link>https://nsaneforums.com/news/security-privacy-news/overseas-hacker-group-hits-email-system-of-chinese-university-r6644/</link><description><![CDATA[<p>
	A Chinese university in Northwest China’s Shaanxi said on Wednesday that its email system had been attacked by an overseas hacker group and that it has reported the incident to the police.
</p>

<p>
	<br />
	Hackers and criminals from abroad were caught sending phishing emails with Trojan horse programs to teachers and students at the university, attempting to steal their data and personal information, Northwestern Polytechnical University said in a statement on Wednesday.
</p>

<p>
	<br />
	For a long time, some groups such as the US National Security Agency (NSA) have launched large-scale network attacks around the world for the purpose of intelligence collection, with China being one of the main victims.
</p>

<p>
	<br />
	In order to further find out the facts about the cyberattack, the university said it had reported the case to the relevant public security organs.
</p>

<p>
	<br />
	Xi’an-based Northwestern Polytechnical University is known for its studies and research into aviation, aerospace and navigation. It is funded by the Ministry of Industry and Information Technology.
</p>

<p>
	<br />
	The attack has so far not caused any leakage of key data, but it still represents a huge risk, the university said.
</p>

<p>
	<br />
	The university has been paying great attention to cyberattacks, applying regular cybersecurity inspections and technical monitoring as well as raising awareness of cybersecurity among teachers and students, it noted.
</p>

<p>
	<br />
	The university reserves the right to take legal action, and will take measures to build a strong network security barrier as well as safeguarding the legitimate rights and interests of teachers and students, it said.
</p>

<p>
	<br />
	Over the years, China has been a major victim of cyberattacks. The Chinese Foreign Ministry has said that China firmly opposes cyberattacks and cyber theft in all forms.
</p>

<p>
	<br />
	Data obtained by the Global Times from security companies reveals details of at least 40 high-level overseas hacker organizations and more than 2,700 advanced cyberattacks against China in the past few years, aimed at industries, governments, universities, medical institutions, [Sic].
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.globaltimes.cn/page/202206/1268801.shtml" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6644</guid><pubDate>Wed, 22 Jun 2022 15:16:06 +0000</pubDate></item><item><title>Microsoft will halt sale of emotion-reading tech and limit access to face recognition tools</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-will-halt-sale-of-emotion-reading-tech-and-limit-access-to-face-recognition-tools-r6630/</link><description><![CDATA[<p>
	Microsoft has confirmed that it will pull back software that judges a person’s emotional state by processing their image. Additionally, the company will also <a href="https://www.neowin.net/news/microsoft-wont-sell-facial-recognition-technology-to-police/" rel="external nofollow">restrict access</a> to its facial recognition technology.
</p>

<p>
	 
</p>

<p>
	Following Google’s footsteps, Microsoft is halting the sale of emotion-reading technologies. The company will also limit “<a href="https://www.neowin.net/news/microsoft-appeals-to-the-us-government-to-regulate-facial-recognition-tech/" rel="external nofollow">unrestricted</a>” access to facial recognition technology. Existing customers will have just one year before losing access to Azure Face, a set of Artificial Intelligence (AI) tools that attempt to infer emotion, gender, age, smile, facial hair, hair, and makeup. Speaking about <a href="https://blogs.microsoft.com/on-the-issues/2022/06/21/microsofts-framework-for-building-ai-systems-responsibly/" rel="external nofollow">the development</a>, Sarah Bird, principal group product manager at Microsoft's Azure AI unit, said:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	These efforts raised important questions about privacy, the lack of consensus on a definition of 'emotions,' and the inability to generalize the linkage between facial expression and emotional state across use cases, regions, and demographics.
</p>

<p>
	 
</p>

<p>
	Microsoft has reportedly been reviewing whether emotion recognition systems are rooted in science. It is not immediately clear what Microsoft meant. However, it is possible that the company hasn’t been able to perfect the algorithms that guess a person’s emotional state based on an image. Moreover, the company could be bolstering its case against new rules and regulations about the use of such tools.
</p>

<p>
	 
</p>

<p>
	<img alt="1655837999_microsoft_responsible_ai_2_st" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/06/1655837999_microsoft_responsible_ai_2_story.jpg">
</p>

<p>
	 
</p>

<p>
	Apart from halting the sale of emotion-reading tech, Microsoft is also stopping unrestricted access to its facial technologies. The company has indicated that customers using its facial recognition technologies must obtain prior approval. It is obvious that Microsoft’s customers must have contractual obligations. However, it is not clear if Microsoft is placing additional restrictions or merely asking companies to sign a disclaimer absolving Microsoft of any legal penalties arising from any misuse.
</p>

<p>
	 
</p>

<p>
	For the time being, Microsoft has merely asked its clients “to avoid situations that infringe on privacy or in which the technology might struggle”. An obvious legally questionable purpose would be identifying minors. Incidentally, Microsoft isn’t specifically banning such uses.
</p>

<p>
	 
</p>

<p>
	Microsoft is also putting some restrictions on its Custom Neural Voice feature, which lets customers <a href="https://neow.in/eTd0enNy" rel="external nofollow">create AI voices based on recordings of real people</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-will-halt-sale-of-emotion-reading-tech-and-limit-access-to-face-recognition-tools/" rel="external nofollow">Microsoft will halt sale of emotion-reading tech and limit access to face recognition tools</a>
</p>
]]></description><guid isPermaLink="false">6630</guid><pubDate>Tue, 21 Jun 2022 21:10:35 +0000</pubDate></item><item><title>Adobe Acrobat may block antivirus tools from monitoring PDF files</title><link>https://nsaneforums.com/news/security-privacy-news/adobe-acrobat-may-block-antivirus-tools-from-monitoring-pdf-files-r6629/</link><description><![CDATA[<p>
	Security researchers found that Adobe Acrobat is trying to block security software from having visibility into the PDF files it opens, creating a security risk for the users.
</p>

<p>
	 
</p>

<p>
	Adobe’s product checks whether components from 30 security products are loaded into its processes and likely blocks them, essentially preventing them from monitoring for malicious activity.
</p>

<h3>
	Flagging incompatible AVs
</h3>

<p>
	For a security tool to work, it needs visibility into all processes on the system, which is achieved by injecting dynamic-link libraries (DLLs) into software products launching on the machine.
</p>

<p>
	 
</p>

<p>
	PDF files have been abused in the past to execute malware on the system. One method is to add a command in the ‘OpenAction’ section of the document to run PowerShell commands for malicious activity, explain the researchers at cybersecurity company Minerva Labs.
</p>

<p>
	 
</p>

<div>
	<p>
		“Since March of 2022 we’ve seen a gradual uptick in Adobe Acrobat Reader processes attempting to query which security product DLLs are loaded into it by acquiring a handle of the DLL” - <a href="https://blog.minerva-labs.com/does-acrobat-reader-unload-injection-of-security-products" rel="external nofollow" target="_blank">Minerva Labs</a>
	</p>

	<p>
		 
	</p>
</div>

<p>
	According to a report this week, the list has grown to include 30 DLLs from security products of various vendors. Among the more popular ones with consumers are Bitdefender, Avast, Trend Micro, Symantec, Malwarebytes, ESET, Kaspersky, F-Secure, Sophos, and Emsisoft.
</p>

<p>
	 
</p>

<p>
	Querying the system is done with ‘libcef.dll’, a Chromium Embedded Framework (CEF) Dynamic Link Library used by a wide variety of programs.
</p>

<p>
	 
</p>

<p>
	While the Chromium DLL comes with a short list of components to be blacklisted because they cause conflicts, vendors using it can make modifications and add any DLL they want.
</p>

<p>
	 
</p>

<p>
	<img alt="libcef_hardcodedChromium.png" class="ipsImage" data-ratio="109.98" height="810" width="597" src="https://www.bleepstatic.com/images/news/u/1100723/2022/libcef_hardcodedChromium.png">
</p>

<p>
	Chromium's list of hardcoded DLLs, source: Minerva Labs
</p>

<p>
	 
</p>

<p>
	The researchers explain that “libcef.dll is loaded by two Adobe processes: AcroCEF.exe and RdrCEF.exe” so both products are checking the system for components of the same security products.
</p>

<p>
	 
</p>

<p>
	Looking closer at what happens with the DLLs injected into Adobe processes, Minerva Labs found that Adobe checks if the bBlockDllInjection value under the registry key ‘SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection\’ is set to 1. If so, it will prevent antivirus software's DLLs from being injected into processes.
</p>

<p>
	 
</p>

<p>
	It is worth noting that the registry key’s value when Adobe Reader runs for the first time is ‘0’ and that it can be modified at any time.
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		“With the registry key name dBlockDllInjection, and looking at the <a href="https://chromium.googlesource.com/chromium/src/" rel="external nofollow" target="_blank">cef documentation</a>, we can assume that the blacklisted DLLs are designated to be unloaded” - Minerva Labs
	</p>

	<p>
		 
	</p>
</div>

<p>
	According to Minerva Labs researcher Natalie Zargarov, the default value for the registry key is set to '1' - indicating active blocking. This setting may depend on the operating system or the Adobe Acrobat version installed, as well as other variables on the system.
</p>

<p>
	 
</p>

<p>
	In a <a href="https://discussions.citrix.com/topic/412451-just-grey-screen-instead-of-published-desktop/page/7/#comment-2089464" rel="external nofollow" target="_blank">post on Citrix forums</a> on March 28, a user complaining about Sophos AV errors due to having an Adobe product installed said that the company “suggested to disable DLL-injection for Acrobat and Reader.”
</p>

<p>
	 
</p>

<p>
	<img alt="AdobeBlockSophosCitrix.jpg" class="ipsImage" data-ratio="33.06" height="240" width="1080" src="https://www.bleepstatic.com/images/news/u/1100723/2022/AdobeBlockSophosCitrix.jpg">
</p>

<p>
	Adobe responding to a Citrix user experiencing errors on a machine with Sophos AV
</p>

<h3>
	Working on the problem
</h3>

<p>
	Replying to BleepingComputer, Adobe confirmed that users have reported experiencing issues due to DLL components from some security products being incompatible with Adobe Acrobat’s usage of the CEF library.
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		“We are aware of reports that some DLLs from security tools are incompatible with Adobe Acrobat’s usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues” - Adobe
	</p>

	<p>
		 
	</p>
</div>

<p>
	The company added that it is currently working with these vendors to address the problem and “to ensure proper functionality with Acrobat's CEF sandbox design going forward.”
</p>

<p>
	 
</p>

<p>
	Minerva Labs researchers argue that Adobe chose a solution that solves compatibility problems but introduces a real attack risk by preventing security software from protecting the system.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted Adobe with further questions about the conditions under which the DLL blocking occurs and will update the article once we have the information.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/adobe-acrobat-may-block-antivirus-tools-from-monitoring-pdf-files/" rel="external nofollow">Adobe Acrobat may block antivirus tools from monitoring PDF files</a>
</p>
]]></description><guid isPermaLink="false">6629</guid><pubDate>Tue, 21 Jun 2022 21:08:55 +0000</pubDate></item><item><title>$2 million in one haul: CS:GO hacker allegedly steals from &#x2018;most expensive inventory&#x2019; of all time</title><link>https://nsaneforums.com/news/security-privacy-news/2-million-in-one-haul-csgo-hacker-allegedly-steals-from-%E2%80%98most-expensive-inventory%E2%80%99-of-all-time-r6626/</link><description><![CDATA[<p>
	A hacker allegedly stole more than $2 million in CS:GO skins and items from skin collector ohnePixel’s inventory, which he claims is the “most expensive” of all time.
</p>

<p>
	 
</p>

<p>
	Ohnepixel said his inventory contained seven souvenir AWP Dragon Lore, which is one of the most expensive skins that CS:GO players can own. He alleged some items had already been sold, while the rest were sent to the hacker’s Steam account and are on a trade hold.
</p>

<p>
	<br />
	Ohnepixel urged the CS:GO developers or an employee at Steam to contact him so he can retrieve the items. There’s still time to recover some of the items, according to the skin collector.
</p>

<p>
	<br />
	The email and password of his Steam profile were changed a week ago and he did not notice it, according to ohnepixel. Apparently, the hacker didn’t even bother to make a huge profit on the skins and instead sold part of the inventory for the market price listed on Steam.
</p>

<p>
	<br />
	Skins and cosmetics in general are a huge part of the success of CS:GO. This is not only because the average player can buy and equip them, but also because cosmetics, such as team logos and player autographs, are released for every CS:GO Major.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/sports/esports/242-million-in-one-haul-csgo-hacker-allegedly-steals-from-e2-80-98most-expensive-inventory-e2-80-99-of-all-time/ar-AAYIgFW" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6626</guid><pubDate>Tue, 21 Jun 2022 20:55:49 +0000</pubDate></item><item><title>New Chinese policy mandates reviewing every comment on all websites before publishing</title><link>https://nsaneforums.com/news/security-privacy-news/new-chinese-policy-mandates-reviewing-every-comment-on-all-websites-before-publishing-r6622/</link><description><![CDATA[<p>
	The Chinese government has released a new policy that will force all websites to review and approve comments before they are posted online. The new rules were published in a document last week with the title "Provisions on the Administration of Internet Thread Commenting Services".
</p>

<p>
	<br />
	This will require individuals and companies running all the websites in China to hire ‘a review and editing team suitable for the scale of services’. The new comment moderators will have to check every comment before it is published. They will then have to approve it or flag any potential illegal information to China's administration.
</p>

<p>
	<br />
	However, this is not where it stops. Every website that allows users to comment will have to collect their real names and verify their identities before allowing them to submit comments.
</p>

<p>
	<br />
	It looks like the new measures follow the online criticism of the Chinese government's mandatory lockdowns. This is not the first time the Chinese government has tried to regulate the internet. Last year, it passed a law limiting minors to an hour of video games on weekends.
</p>

<p>
	<br />
	Websites such as Facebook, Instagram, Reddit and a lot more are blocked in China. A lot of companies have already exited from the country due to tight regulations. The country has also blocked Virtual Private Network (VPN) services for individuals who are trying to access restricted content.
</p>

<p>
	<br />
	Source: <span style="color:#2980b9;">Metro.co.uk</span>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/new-chinese-policy-mandates-reviewing-every-comment-on-all-websites-before-publishing/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6622</guid><pubDate>Tue, 21 Jun 2022 15:04:44 +0000</pubDate></item><item><title>Open Source Software Security Begins to Mature</title><link>https://nsaneforums.com/news/security-privacy-news/open-source-software-security-begins-to-mature-r6620/</link><description><![CDATA[<p>
	Only about half of firms have an open source software security policy in place to guide developers in the use of components and frameworks, but those that do exhibit better security.
</p>

<p>
	 
</p>

<p>
	Companies that have an open source software (OSS) security policy in place tend to perform much better in self-assessed measures of readiness. They also tend to have dedicated teams in charge of driving software security, according to a survey published on June 21.
</p>

<p>
	<br />
	The survey — published by software-security firm Snyk and the Linux Foundation on Tuesday — found that seven out of 10 companies that have an OSS security policy in place consider their application development to be highly or somewhat secure. Comparatively, just 45% of companies that failed to institute such a policy consider themselves at least somewhat secure.
</p>

<p>
	<br />
	Open source software has significant benefits for application development, but companies also have to recognize and prepare for the downsides, says Matt Jarvis, director of developer relations for Snyk.
</p>

<p>
	<br />
	"While open source is a proven mechanism for innovation and building high-quality software, it's becoming somewhat a victim of its own success in that its ubiquity has made it a target for supply-chain attacks," he says. "Companies need to build a stronger understanding of both the mechanisms by which open source works, and this includes governance as well as code, and strengthen their approach to supply chain management through adopting developer-first security tooling and methodologies."
</p>

<p>
	<br />
	<strong>Smaller Firms Lag in OSS Policies</strong>
</p>

<p>
	<br />
	Overall, only about half of firms have an open source security policy in place to guide developers in the use of components and frameworks, with a greater number of small companies, 60%, either having no policies or not knowing whether they have one, according to the report.
</p>

<p>
	<br />
	The economics of security tends to reduce the priority of creating a formal policy for startups and smaller firms, the report states.
</p>

<p>
	<br />
	"Small organizations have small IT staffs and budgets, and the functional needs of the business often take precedence so that the business can remain competitive," the report states. "Lack of resources and time were the leading reasons why organizations were not addressing OSS security best practices."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="snyk-linuxfoundation-vuln-severity.jpg?w" class="ipsImage" data-ratio="50.14" height="346" width="690" src="https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt734daf223362abee/62b0913e700acd3774f2dd7c/snyk-linuxfoundation-vuln-severity.jpg?width=690&amp;quality=80&amp;format=webply&amp;disable=upscale" />
</p>

<p style="text-align:center;">
	<span style="font-size:11px;"><em>Source: "Addressing Cybersecurity Challenges in Open Source Software" report</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Different programming languages also brought different security considerations, according to the study. Applications written in .NET, for example, had the longest average time to fix flaws, at 148 days, followed by JavaScript. Those written in Go had the fastest time to patch, typically a third of that, or 49 days.
</p>

<p>
	<br />
	<strong>JavaScript Dependencies Abound</strong>
</p>

<p>
	<br />
	JavaScript applications have the most dependencies, an average of 174 per project, according to Snyk, about seven times as many as the language with the fewest, Python, which averages 25 per project.
</p>

<p>
	<br />
	While large transitive dependency trees can result in circuitous paths to fix vulnerabilities, having a large number of dependencies is not necessarily a disadvantage, if an organization has ways to track the relationships between projects, says Jarvis.
</p>

<p>
	<br />
	"JavaScript packages tend to have a smaller scope than other ecosystems, so whilst there are more of them, there may be less code to audit for potential weaknesses," he says. "The most important issue is to understand the dependencies which you are using, particularly the transitive ones brought in as dependencies of dependencies, and that comes down to using the appropriate security tooling to scan things."
</p>
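<p>
	The point about transitive dependencies is easier to see on a concrete tree. The following is an added example, not code from the report or from Snyk: it walks the nested tree that <code>npm ls --all --json</code> prints, matches every node against a list of affected versions, and reports the path from each direct dependency down to the vulnerable package, so you know which direct dependency to bump. The tree and the advisory list are constructed for illustration; the package names and versions are made up.
</p>

```python
import json

# Constructed example of the nested tree that `npm ls --all --json` prints for a
# project. Every package name and version here is made up for illustration.
NPM_LS_OUTPUT = json.dumps({
    "name": "example-app",
    "version": "1.0.0",
    "dependencies": {
        "web-framework": {
            "version": "4.2.0",
            "dependencies": {
                "body-parser-lib": {
                    "version": "1.9.0",
                    "dependencies": {"qs-parser": {"version": "6.2.0"}},
                },
                "cookie-lib": {"version": "0.4.0"},
            },
        },
        "request-lib": {
            "version": "2.88.0",
            "dependencies": {"qs-parser": {"version": "6.5.0"}},
        },
        "lodash-like": {"version": "4.17.21"},
    },
})

# Constructed advisory list: package -> set of versions the advisory says are affected.
# A real feed carries version ranges and a CVE/GHSA id; exact versions keep the demo short.
ADVISORIES = {
    "qs-parser": {"6.2.0", "6.3.0"},
    "lodash-like": {"4.17.20"},
}


def _walk(deps, path, advisories, hits):
    """Depth-first walk of the nested tree, recording the full path to each affected node."""
    for name, node in deps.items():
        version = node.get("version", "?")
        here = path + [f"{name}@{version}"]
        if version in advisories.get(name, set()):
            hits.append(here)
        _walk(node.get("dependencies", {}), here, advisories, hits)


def find_vulnerable_paths(npm_ls_json, advisories=ADVISORIES):
    """Return every root-to-package path that ends in an advisory-listed version."""
    tree = json.loads(npm_ls_json)
    hits = []
    _walk(tree.get("dependencies", {}), [], advisories, hits)
    return hits


def direct_dependencies_to_fix(paths):
    """The first hop of each path is the direct dependency whose upgrade pulls in the fix.
    rsplit keeps scoped names such as @scope/pkg@1.0.0 intact."""
    return sorted({p[0].rsplit("@", 1)[0] for p in paths})


def report(npm_ls_json, advisories=ADVISORIES):
    """Human-readable lines: vulnerable node, the chain that pulls it in, direct or transitive."""
    lines = []
    for path in find_vulnerable_paths(npm_ls_json, advisories):
        kind = "direct" if len(path) == 1 else f"transitive (depth {len(path)})"
        lines.append(f"{path[-1]} via {' > '.join(path)}  [{kind}]")
    return lines


if __name__ == "__main__":
    for line in report(NPM_LS_OUTPUT):
        print(line)
    fixes = direct_dependencies_to_fix(find_vulnerable_paths(NPM_LS_OUTPUT))
    print("direct dependencies to bump:", fixes)
```

<p>
	Run against the constructed tree, only the copy of <code>qs-parser</code> nested under <code>web-framework</code> is flagged; the copy under <code>request-lib</code> is a fixed version, and the direct dependency <code>lodash-like</code> is not affected. That distinction (same package name, two resolved versions, only one of them vulnerable) is exactly what a flat list of dependency names hides and a path-aware scan shows.
</p>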

<p>
	<br />
	The data also shows that different languages tended to have different severities of flaws. The average project written in Java, for example, had more than 47 high-severity vulnerabilities and 28 medium-severity vulnerabilities, much higher than the second-ranked JavaScript, which had an average of 18 and 21 vulnerabilities, respectively. Python, meanwhile, had the most low-severity vulnerabilities, an average of 20 per project.
</p>

<p>
	<br />
	"There are a lot of factors at play in the data — the complexity of projects, the number of developers, and the popularity will all have an impact on the number and types of vulnerabilities," Jarvis says. "Many developer eyes on projects that are extremely popular are likely to surface more bugs."
</p>

<p>
	<br />
	<strong>Automation = Security Maturity</strong>
</p>

<p>
	<br />
	To identify vulnerabilities in dependencies, security-mature companies (those with OSS security policies) rely most often on industry vulnerability advisories (60%), automated monitoring of packages for bugs (60%), and notifications from package maintainers (49%), according to the survey.
</p>

<p>
	<br />
	Automated monitoring represents the most significant gap between security-mature firms and those firms without a policy, with only 38% of companies that do not have a policy using some sort of automated monitoring, compared with the 60% of mature firms.
</p>

<p>
	<br />
	Companies should add an OSS security policy if they don't have one, as a way to harden their development security, says Snyk's Jarvis. Even a lightweight policy is a good start, he says.
</p>

<p>
	<br />
	"There is a correlation between having a policy and the sentiment of stating that development is somewhat secure," he says. "We think having a policy in place is a reasonable starting point for security maturity, as it indicates the organization is aware of the potential issues and has started that journey."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.darkreading.com/application-security/open-source-software-security-mature" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6620</guid><pubDate>Tue, 21 Jun 2022 14:39:51 +0000</pubDate></item><item><title>New ToddyCat Hacker Group on Experts' Radar After Targeting MS Exchange Servers</title><link>https://nsaneforums.com/news/security-privacy-news/new-toddycat-hacker-group-on-experts-radar-after-targeting-ms-exchange-servers-r6618/</link><description><![CDATA[<p>
	An advanced persistent threat (APT) actor codenamed ToddyCat has been linked to a string of attacks aimed at high-profile entities in Europe and Asia since at least December 2020.
</p>

<p>
	<br />
	The relatively new adversarial collective is said to have commenced its operations by targeting Microsoft Exchange servers in Taiwan and Vietnam using an unknown exploit to deploy the China Chopper web shell and activate a multi-stage infection chain.
</p>

<p>
	<br />
	Other prominent countries targeted include Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the U.K., and Uzbekistan, just as the threat actor evolved its toolset over the course of different campaigns.
</p>

<p>
	<br />
	"The first wave of attacks exclusively targeted Microsoft Exchange Servers, which were compromised with Samurai, a sophisticated passive backdoor that usually works on ports 80 and 443," Russian cybersecurity company Kaspersky said in a report published today.
</p>

<p>
	<br />
	"The malware allows arbitrary C# code execution and is used with multiple modules that allow the attacker to administrate the remote system and move laterally inside the targeted network."
</p>

<p>
	<br />
	ToddyCat, also tracked under the moniker Websiic by Slovak cybersecurity firm ESET, first came to light in March 2021 for its exploitation of ProxyLogon Exchange flaws to target email servers belonging to private companies in Asia and a governmental body in Europe.
</p>

<p>
	<br />
	The attack sequence following the deployment of the China Chopper web shell leads to the execution of a dropper that, in turn, modifies the Windows Registry to launch a second-stage loader, which, for its part, is designed to trigger a third-stage .NET loader that's responsible for running Samurai.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware.jpg" class="ipsImage" data-ratio="75.10" height="540" width="661" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhkrQjHh9SNoIxGilLmtoDxyH-VHkXvEjSCtHnuJJuqDEogunO4ZTuaI89VvhDKzz0EvRYK70w39YiICECpUIz1ELv9fl5dC-G2PIUQy8pa_6mgw9cCV68JoIdV08Tu7llnW1vD5udbgNm5t2NiJYd6mWJt1dYcBXvmPUCZ47tpM-4nHQYgbgN09Hb9/s728-e100/malware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The backdoor, besides using techniques like obfuscation and control flow flattening to resist reverse engineering, is modular: its components make it possible to execute arbitrary commands and exfiltrate files of interest from the compromised host.
</p>

<p>
	<br />
	Also observed in specific incidents is a sophisticated tool named Ninja that's spawned by the Samurai implant and likely functions as a collaborative tool allowing multiple operators to work on the same machine simultaneously.
</p>

<p>
	<br />
	Its feature similarities to other post-exploitation toolkits like Cobalt Strike notwithstanding, the malware enables the attacker to "control remote systems, avoid detection, and penetrate deep inside a targeted network."
</p>

<p>
	<br />
	Despite the fact that ToddyCat victims are related to countries and sectors traditionally targeted by Chinese-speaking groups, there is no evidence tying the modus operandi to a known threat actor.
</p>

<p>
	<br />
	"ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile," Kaspersky security researcher Giampaolo Dedola said.
</p>

<p>
	<br />
	"The affected organizations, both governmental and military, show that this group is focused on very high-profile targets and is probably used to achieve critical goals, likely related to geopolitical interests."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2022/06/new-toddycat-hacker-group-on-experts.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6618</guid><pubDate>Tue, 21 Jun 2022 14:24:21 +0000</pubDate></item><item><title>iOS 16 will let you bypass CAPTCHAs on some apps and websites</title><link>https://nsaneforums.com/news/security-privacy-news/ios-16-will-let-you-bypass-captchas-on-some-apps-and-websites-r6608/</link><description><![CDATA[<h3>
	It can automatically identify that you’re a real human
</h3>

<p>
	When iOS 16 comes out later this fall, you may notice that you don’t have to deal with as many annoying CAPTCHAs asking you to slide a puzzle piece or distinguish between a hill and a mountain. That’s because Apple’s introducing a feature for its iPhones and Macs called Automatic Verification, which lets some sites know that you’re not a bot without you having to do anything (<a href="https://www.macrumors.com/2022/06/20/ios-16-bypass-captchas/?utm_source=feedly&amp;utm_medium=webfeeds" rel="external nofollow">via MacRumors</a>).
</p>

<p>
	 
</p>

<p>
	Apple has worked with two major content delivery networks, Fastly and Cloudflare, to develop the system. When it launches with iOS 16 and macOS Ventura, sites that use either of the services to defend against spam should be able to take advantage of the system and stop showing you so many CAPTCHAs. If you’re attentive to how many sites go down when either Fastly or Cloudflare <a href="https://www.theverge.com/2021/6/8/22523953/twitch-reddit-down-fastly-outage-issues" rel="external nofollow">start to have issues</a>, you’ll know that’s a solid chunk of the internet that may become significantly less annoying (especially to those who see CAPTCHAs more often than average because they use a VPN or clear their cookies frequently).
</p>

<p>
	 
</p>

<p>
	<img alt="Screen_Shot_2022_06_20_at_10.19.12.png" class="ipsImage" data-ratio="65.42" height="368" width="720" src="https://cdn.vox-cdn.com/thumbor/9uLXWseGe6Stsk48KxOZouAo8D0=/0x0:2880x1474/920x0/filters:focal(0x0:2880x1474):format(webp):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/23640218/Screen_Shot_2022_06_20_at_10.19.12.png">
</p>

<p>
	A basic diagram of how Apple’s system works. Image: Apple
</p>

<p>
	 
</p>

<p>
	While this is <a href="https://www.theverge.com/2021/5/16/22436395/cloudflare-end-captcha-madness-security-key-cryptographic-attestation-of-personhood" rel="external nofollow">far from the first attempt</a> to ditch CAPTCHAs, Apple’s scale means we may really see some headway this time. The underlying system, which Apple calls Private Access Tokens, is vaguely reminiscent of its <a href="https://www.theverge.com/2021/6/11/22529266/passkeys-icloud-keychain-ios-15-passwordless-future-security-login" rel="external nofollow">system to replace passwords</a>. Here's a very simplified idea of how it works: your device looks at a variety of factors to determine whether you’re a human. When you go to a website that would normally ask you to fill out a CAPTCHA, that site can ask your phone or computer if a human is using it. If your device says yes, you’ll be let right on through.
</p>

<p>
	 
</p>

<p>
	If you want to do a deep-dive on details about the tech, you can watch <a href="https://developer.apple.com/videos/play/wwdc2022/10077/" rel="external nofollow">Apple’s WWDC session on it</a>, read <a href="https://appleinsider.com/articles/22/06/14/how-apple-could-kill-captchas-with-private-access-tokens" rel="external nofollow">Apple Insider’s explainer</a>, and check out <a href="https://www.fastly.com/blog/private-access-tokens-stepping-into-the-privacy-respecting-captcha-less" rel="external nofollow">Fastly’s article</a> about it.
</p>

<p>
	 
</p>

<p>
	As with most new tech it pitches, Apple has a privacy story to go along with it. The company says that while your Apple ID is being used as proof that you’re an actual person, your phone or computer isn’t sending out the data (like your email address or phone number) that’s associated with it. The only thing the site gets is what’s essentially a thumbs-up from Apple. Similarly, Apple only knows that your device is asking it to confirm whether you’re a human; it doesn’t get info about who wants to know.
</p>
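<p>
	The unlinkability described above comes from blind signatures: the party that signs never sees what it is signing. The Privacy Pass token type that Private Access Tokens build on uses RSA blind signatures, and the following is an added toy re-implementation of that core step, not Apple's, Fastly's or Cloudflare's code. It uses a deliberately tiny RSA key, a SHA-256 hash standing in for the real message encoding, and a constructed challenge; the device-attestation step, where Apple checks the device and account before the token request is forwarded, is left out. What the example shows is why the signer cannot link the blinded value it signed to the token the site later verifies.
</p>

```python
import hashlib
import math
import secrets

# Toy RSA key: tiny primes so the arithmetic is readable. Real issuers use 2048-bit
# keys and the padded blind-RSA scheme; nothing here is cryptographically secure.
P, Q = 1_000_003, 1_000_033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def hash_to_int(challenge: bytes) -> int:
    """Map the origin's challenge bytes into the RSA group (stand-in for the real encoding)."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


def client_blind(challenge: bytes):
    """Client picks a fresh random blinding factor r and hides the message as m * r^e mod N."""
    m = hash_to_int(challenge)
    while True:
        r = secrets.randbelow(N - 2) + 2        # r in [2, N-1]
        if math.gcd(r, N) == 1:                 # r must be invertible mod N
            break
    blinded = (m * pow(r, E, N)) % N
    return blinded, r


def issuer_sign(blinded: int) -> int:
    """Issuer signs what it receives. It sees only the blinded value, never the challenge,
    so it cannot tell which site (or which later token) this signature belongs to."""
    return pow(blinded, D, N)


def client_unblind(blinded_sig: int, r: int) -> int:
    """Client strips the blinding factor: (m r^e)^d * r^-1 = m^d, a plain RSA signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def origin_verify(challenge: bytes, token: int) -> bool:
    """Origin checks the token against the issuer's public key; no call back to the issuer."""
    return pow(token, E, N) == hash_to_int(challenge)


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)              # origin -> client
    blinded, r = client_blind(challenge)             # client -> (attester ->) issuer
    token = client_unblind(issuer_sign(blinded), r)  # issuer -> client, client -> origin
    print("token accepted by origin:", origin_verify(challenge, token))
    print("issuer saw the raw message:", blinded == hash_to_int(challenge))
```

<p>
	Two properties matter here. The origin accepts the token using only the issuer's public key, so the issuer is never contacted at redemption time and learns nothing about which site the user visited. And because each request uses a fresh random <code>r</code>, two blinded requests for the same challenge look unrelated to the issuer, which is the cryptographic reason the issuer sees "a device asked for a token" and nothing more.
</p>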

<p>
	 
</p>

<p>
	Thankfully for Android and Windows users, Apple isn’t the only one working on this tech. <a href="https://www.fastly.com/blog/private-access-tokens-stepping-into-the-privacy-respecting-captcha-less" rel="external nofollow">According to Fastly</a>, Google also helped develop it, and the concept of having a trusted party vouch that you’re a human is being built into internet standards. Google started building a <a href="https://developer.chrome.com/docs/privacy-sandbox/trust-tokens/" rel="external nofollow">similar system into Chrome</a> around <a href="https://www.theverge.com/2020/7/31/21349538/google-changes-ads-data-cookies-privacy" rel="external nofollow">two years ago</a> and while it seems to be focusing mostly on third-party issuers instead of doing verification itself, I can definitely see it making a system similar to Apple’s for its users down the line.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2022/6/20/23175765/apple-ios-16-captcha-private-access-tokens" rel="external nofollow">iOS 16 will let you bypass CAPTCHAs on some apps and websites</a>
</p>
]]></description><guid isPermaLink="false">6608</guid><pubDate>Mon, 20 Jun 2022 21:53:16 +0000</pubDate></item><item><title>Capital One Hacker Convicted of 7 Federal Crimes</title><link>https://nsaneforums.com/news/security-privacy-news/capital-one-hacker-convicted-of-7-federal-crimes-r6603/</link><description><![CDATA[<p>
	Paige Thompson stole the personal data of over 100 million Capital One customers and installed cryptocurrency mining software on hacked servers for her own personal gain.
</p>

<p>
	 
</p>

<p>
	A former Amazon engineer has been convicted of seven federal crimes after she was caught stealing the personal data of over 100 million people.
</p>

<p>
	<br />
	Following a seven-day trial and 10-hour deliberation by the jury, 36-year-old Paige A. Thompson was convicted on Friday in the US District Court in Seattle of seven federal crimes, including wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer.
</p>

<p>
	<br />
	"Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," said US Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself."
</p>

<p>
	<br />
	Thompson was arrested in July 2019 when Capital One alerted the FBI to a hacking incident. After having previously worked as an engineer at Amazon, Thompson wrote a tool that scanned Amazon Web Services (AWS) accounts for misconfigurations.
</p>

<p>
	<br />
	She discovered more than 30, one of which was Capital One's account, and proceeded to steal personal data stored in the accounts as well as installing cryptocurrency mining software for her own personal gain. The hacking netted Thompson the personal data of over 100 million US Capital One customers, which she then bragged about via text and online forums.
</p>

<p>
	 
</p>

<p>
	In his closing arguments at the trial, Assistant United States Attorney Andrew Friedman said, "She wanted data, she wanted money, and she wanted to brag." Now she'll get to brag about her actions in prison.
</p>

<p>
	<br />
	Sentencing for Thompson is scheduled for Sept. 15. According to CNBC, wire fraud carries up to 20 years in prison, whereas each of the other charges carries up to five years.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/capital-one-hacker-convicted-of-7-federal-crimes" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6603</guid><pubDate>Mon, 20 Jun 2022 18:41:11 +0000</pubDate></item><item><title>Microsoft is testing Privacy Auditing in Windows 11</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-is-testing-privacy-auditing-in-windows-11-r6587/</link><description><![CDATA[<p>
	Privacy has always remained one of the top concerns with modern-day devices. Be it Android or iOS, macOS or Windows, privacy concerns have only increased. Now Microsoft seems to be testing an auditing tool that offers information about apps that access hardware considered sensitive to user privacy.
</p>

<p>
	<br />
	Microsoft is testing a new “Privacy Auditing” feature that would allow Windows 11 users to see which apps have been accessing hardware such as the PC's microphone, camera, and so on. It is basically a set of tools that would reveal which apps have access to "sensitive devices". Additionally, the tool would also indicate when the apps accessed the hardware.
</p>

<p>
	<br />
	It appears that Privacy Auditing might go beyond just offering information about access to sensitive hardware. Android and iOS already have comprehensive permission settings that make it possible to control precisely what tools, features, and data installed apps are able to access. The Privacy Auditing tool might offer something similar for Windows 11. The capability was highlighted recently by Microsoft's VP of OS Security and Enterprise, David Weston:
</p>

<p style="margin-left:40px;">
	<br />
	 New Windows 11 Privacy Auditing features allow you to see history of sensitive device access like the Microphone <span style="color:#2980b9;">pic.twitter.com/vq3IJkAIMO</span>
</p>

<p style="margin-left:40px;">
	<br />
	 — David Weston (DWIZZZLE) (@dwizzzleMSFT) <span style="color:#2980b9;">June 16, 2022</span>
</p>

<p>
	<br />
	As visible from the tweet above, the tool appears to be a part of the Privacy &amp; security section of the Settings app. In addition to revealing information about microphone access along with a timestamp, it also lets users see which apps have access to or have accessed screenshots, messages, location data, and more.
</p>

<p>
	<br />
	Privacy Auditing is not available in the Stable Release channel of Windows 11. Microsoft seems to be testing the feature in the Insider Preview of Windows 11 from the Dev Channel. Hence, those who wish to test the feature need to be a member of the Windows Insider Preview and install the latest build available in the Dev Channel.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-is-testing-privacy-auditing-in-windows-11/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6587</guid><pubDate>Mon, 20 Jun 2022 14:04:53 +0000</pubDate></item><item><title>Leaked Audio Reveals China Repeatedly Accessed US TikTok User Data</title><link>https://nsaneforums.com/news/security-privacy-news/leaked-audio-reveals-china-repeatedly-accessed-us-tiktok-user-data-r6583/</link><description><![CDATA[<p>
	<span style="font-size:16px;">One ByteDance engineer in Beijing was referred to as a 'Master Admin' for TikTok.</span>
</p>

<p>
	 
</p>

<p>
	Regardless of what TikTok says publicly, it seems the short-form video hosting service has been sharing US user data with China.
</p>

<p>
	<br />
	As BuzzFeed reports, leaked audio from more than 80 internal TikTok meetings reveals engineers working for ByteDance (TikTok's parent company) in China could see everything. In total, 14 statements from nine different TikTok employees confirmed access to the data by individuals located in China.
</p>

<p>
	<br />
	The evidence is quite damning, with US employees either not having permission to or knowledge of how to access US user data themselves. Instead, someone in China had to access it for them, with at least one ByteDance engineer in Beijing referred to as a "Master Admin."
</p>

<p>
	<br />
	It's unclear exactly how long US data has been accessible in China, but the leaked audio confirms it was available from Sept. 2021 to Jan. 2022 at the very least. That's a key bit of information to keep in mind when you consider TikTok released a statement back in 2019 which said, "We store all TikTok US user data in the United States, with backup redundancy in Singapore. Our data centers are located entirely outside of China, and none of our data is subject to Chinese law."
</p>

<p>
	<br />
	That statement may be true as far as storage goes, and the company also stated that "TikTok does not operate in China, nor do we have any intention of doing so in the future"; but the leaked audio shows that ByteDance employees in China were nevertheless given access to the data.
</p>

<p>
	<br />
	In response to the leaked audio, TikTok spokesperson Maureen Shanahan told BuzzFeed:
</p>

<p style="margin-left:40px;">
	<br />
	 "We know we're among the most scrutinized platforms from a security standpoint, and we aim to remove any doubt about the security of US user data. That's why we hire experts in their fields, continually work to validate our security standards, and bring in reputable, independent third parties to test our defenses."
</p>

<p>
	<br />
	On the same day BuzzFeed revealed details of the leaked audio, TikTok announced it has been working with Oracle for more than a year to "better safeguard our app, systems, and the security of US user data."
</p>

<p>
	 
</p>

<p>
	All US user traffic is now routed through the Oracle Cloud Infrastructure and TikTok expects to delete US users' private data from its own data centers in the US and Singapore. TikTok also explains how it has a new department "with US-based leadership, to solely manage US user data for TikTok."
</p>

<p>
	<br />
	Switching to Oracle's cloud and pledging to manage US data in the US suggests no more ByteDance engineers will have access to it. However, TikTok's management would be naive to think this was the end of the matter. If anything, it's more likely to be just the beginning of fresh scrutiny over the company's practices.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/leaked-audio-reveals-china-repeatedly-accessed-us-tiktok-user-data" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6583</guid><pubDate>Mon, 20 Jun 2022 13:38:04 +0000</pubDate></item><item><title>Google no longer allows username and passwords on third-party email applications</title><link>https://nsaneforums.com/news/security-privacy-news/google-no-longer-allows-username-and-passwords-on-third-party-email-applications-r6582/</link><description><![CDATA[<p>
	A couple of weeks ago, people started noticing that apps such as Outlook, Thunderbird, and other email clients started prompting them for their Google passwords. When they would re-enter their Google password, it would get rejected saying it was incorrect.
</p>

<p>
	 
</p>

<p>
	Google has started locking down its email service and how it connects to third-party email clients, finally retiring its “less secure apps” setting. When enabled, it allowed you to sign into an email client with your main Google email address and password, weakening the overall security of your Google account.
</p>

<p>
	 
</p>

<p>
	You can still use Google on third-party apps, but the app must support “OAuth2” (an authorization flow that opens a Google sign-in dialog in which you approve the application's access to your account, so the app never handles your password), or you must use an app-specific password.
</p>

<p>
	 
</p>

<p>
	App-specific passwords are used in conjunction with two-factor authentication on your Google account.
</p>

<p>
	 
</p>

<p>
	Most applications do not know how to handle two-factor authentication and give you no way to enter a code, so app-specific passwords were created.
</p>

<p>
	 
</p>

<p>
	This allows you to create a special password on a per-application basis. Once created, instead of giving an application such as Outlook your Google password, you give it an “app-specific” password. Note that an app password grants the same mailbox access as your account password with no second factor, so treat it as a secret and revoke it from the same page once the app is no longer in use.
</p>

<p>
	 
</p>

<p>
	There are still people out there who have yet to enable two-factor (2FA) authentication on their Google accounts.
</p>

<p>
	 
</p>

<p>
	2FA greatly enhances the security of a Google account. Authentication factors fall into three groups:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Something you know</strong> - A password.
	</li>
	<li>
		<strong>Something you have</strong> - A phone in your possession that gets a text message, a code generated by an authentication app, or a sign-in prompt.
	</li>
	<li>
		<strong>Something you are</strong> - Your fingerprint or face.
	</li>
</ul>

<p>
	 
</p>

<p>
	Without 2FA enabled, all you have is “something you know”, which could also be something an attacker knows, for example if you handed your credentials to a phishing page or they were exposed in a website breach.
</p>

<p>
	 
</p>

<p>
	Once 2FA is enabled, even if an attacker finds out your password, they are prompted for an authentication code that only you can produce.
</p>

<p>
	 
</p>

<p>
	You are probably thinking to yourself, “Well that sounds pretty cool. How do I turn that on?" I’m glad you asked.
</p>

<p>
	 
</p>

<ul>
	<li>
		First, log into your Google account.
	</li>
	<li>
		Next, click your profile icon (circle) in the top right corner of the screen and click “Manage your Google Account”.
	</li>
	<li>
		Click “Security” on the left-hand side of the screen.
	</li>
	<li>
		On the right, scroll down until you see “2-Step Verification” and click it to start enabling two-factor authentication.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<img alt="1655640858_singing_into_google.jpg" class="ipsImage" data-ratio="45.83" height="272" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/06/1655640858_singing_into_google.jpg">
	</li>
</ul>

<p>
	 
</p>

<p>
	<img alt="1655640853_get_started.jpg" class="ipsImage" data-ratio="78.49" height="540" width="502" src="https://cdn.neow.in/news/images/uploaded/2022/06/1655640853_get_started.jpg">
</p>

<p>
	 
</p>

<ul>
	<li>
		In that same section, you will also see “Backup Codes”. Print a copy of these; the sheet of 10 one-time-use codes is your “Get out of jail free” card in case you lose access to your phone or authentication app.
	</li>
</ul>

<p class="img-center">
	<img alt="1655641445_backup_codes.jpg" class="ipsImage" data-ratio="75.10" height="540" width="618" src="https://cdn.neow.in/news/images/uploaded/2022/06/1655641445_backup_codes.jpg">
</p>

<ul>
	<li>
		Once you are finished enabling 2FA and printing off a copy of your backup codes, go back to the security section of your Google account.
	</li>
	<li>
		You’ll see an option called “App passwords”. Click it and enter your Google password.
	</li>
</ul>

<p>
	 
</p>

<p>
	<img alt="1655640848_app_password.jpg" class="ipsImage" data-ratio="54.31" height="359" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/06/1655640848_app_password.jpg">
</p>

<p>
	 
</p>

<ul>
	<li>
		Click “Select app”, and select an option from the drop-down menu. The same goes for “Select device”.
	</li>
	<li>
		Once finished, click “Generate” and it will give you a random-looking 16-character password. Copy it and paste (or type) it into your email client.
	</li>
</ul>

<p>
	 
</p>

<p>
	Your email program should be able to send and receive emails again. Note that an app password lets that client sign in without the second step, so treat it like your main password and revoke it from the same page when you stop using the client.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-no-longer-allows-username-and-passwords-on-third-party-email-applications/" rel="external nofollow">Google no longer allows username and passwords on third-party email applications</a>
</p>
]]></description><guid isPermaLink="false">6582</guid><pubDate>Mon, 20 Jun 2022 05:30:31 +0000</pubDate></item><item><title>Google Chrome extensions can be fingerprinted to track you online</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-extensions-can-be-fingerprinted-to-track-you-online-r6578/</link><description><![CDATA[<p>
	A researcher has created a website that uses your installed Google Chrome extensions to generate a fingerprint of your device that can be used to track you online.
</p>

<p>
	 
</p>

<p>
	To track users on the web, it is possible to create fingerprints, or tracking hashes, based on various characteristics of a device connecting to a website. These characteristics include <a href="https://www.bleepingcomputer.com/news/security/researchers-use-gpu-fingerprinting-to-track-users-online/" target="_blank" rel="external nofollow">GPU performance</a>, <a href="https://www.bleepingcomputer.com/news/security/cross-browser-tracking-vulnerability-tracks-you-via-installed-apps/" target="_blank" rel="external nofollow">installed Windows applications</a>, a device's screen resolution, hardware configuration, and even <a href="https://www.bleepingcomputer.com/news/security/new-fingerprinting-techniques-identify-users-across-different-browsers-on-the-same-pc/" target="_blank" rel="external nofollow">the installed fonts</a>.
</p>

<p>
	 
</p>

<p>
	It is then possible to track a device across sites using the same fingerprinting method.
</p>

<h2>
	Fingerprint from installed Chrome extensions
</h2>

<p>
	Yesterday, web developer 'z0ccc' shared a new fingerprinting site called 'Extension Fingerprints' that can generate a tracking hash based on a browser's installed Google Chrome extensions.
</p>

<p>
	 
</p>

<p>
	When creating a Chrome browser extension, it is possible to declare certain assets as '<a href="https://developer.chrome.com/docs/extensions/mv3/manifest/web_accessible_resources/" rel="external nofollow" target="_blank">web accessible resources</a>' that web pages or other extensions can access.
</p>

<p>
	 
</p>

<p>
	These resources are typically image files, which are declared using the 'web_accessible_resources' property in a browser extension's manifest file.
</p>

<p>
	 
</p>

<p>
	An example declaration of web-accessible resources is shown below:
</p>

<pre style="margin-left: 40px;">"web_accessible_resources": [
    {
      "resources": [ "logo.png" ],
      "matches": [ "https://www.bleepingcomputer.com/*" ]
    }
],</pre>

<p>
	As <a href="https://www.authentic8.com/blog/how-to-detect-browser-extensions" rel="external nofollow" target="_blank">previously disclosed in 2019</a>, it is possible to use web-accessible resources to check for installed extensions and generate a fingerprint of a visitor's browser based on the combination of found extensions.
</p>

<p>
	 
</p>

<p>
	To prevent detection, z0ccc says that some extensions use a secret token that is required to access a web resource. However, the researcher discovered a 'Resource timing comparison' method that can still be used to detect if the extension is installed.
</p>

<p>
	 
</p>

<p>
	"Resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed," explained z0ccc on the project's <a href="https://github.com/z0ccc/extension-fingerprints#resource-timing-comparison" rel="external nofollow" target="_blank">GitHub page</a>.
</p>

<p>
	 
</p>

<p>
	To illustrate this fingerprinting method, z0ccc <a href="http://z0ccc.github.io/extension-fingerprints/" rel="external nofollow" target="_blank">created an Extension Fingerprints website</a> that will check a visitor's browser for the existence of web-accessible resources in 1,170 popular extensions available on the Google Chrome Web Store.
</p>

<p>
	 
</p>

<p>
	Some of the extensions that the website will identify are uBlock, LastPass, Adobe Acrobat, Honey, Grammarly, Rakuten, and ColorZilla.
</p>

<p>
	 
</p>

<p>
	Based on the combination of installed extensions, the website will generate a tracking hash that can be used to track that particular browser, as shown below.
</p>

<p>
	 
</p>

<p>
	<img alt="extension-fingerprints.jpg" class="ipsImage" data-ratio="75.10" height="540" width="677" src="https://www.bleepstatic.com/images/news/security/f/fingerprint/extension-fingerprints/extension-fingerprints.jpg">
</p>

<div>
	<div>
		Generating an Extensions Fingerprint (Source: BleepingComputer)
	</div>

	<p>
		 
	</p>
</div>

<p>
	Some popular extensions, such as MetaMask, do not expose any resources, but z0ccc could still identify whether they are installed by checking whether <code>typeof window.ethereum</code> is <code>undefined</code>, since MetaMask injects that provider object into every page.
</p>

<p>
	 
</p>

<p>
	While those with no extensions installed will have the same fingerprint and be less useful for tracking, those with many extensions will have a less common fingerprint that can be used to track them around the web.
</p>

<p>
	 
</p>

<p>
	However, adding other characteristics to the fingerprinting model can further refine the fingerprint, making the hashes unique per user.
</p>

<p>
	 
</p>

<p>
	"This is definitely a viable option for fingerprinting users," z0ccc explained in an email to BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"Especially using the 'fetching web accessible resources' method. If this is combined with other user data (like user agents, timezones etc) users could be very easily identified."
</p>

<p>
	 
</p>

<p>
	The Extensions Fingerprints site only works with Chromium browsers installing extensions from the Chrome Web Store. While this method will work with Microsoft Edge, it would need to be modified to use extension IDs from Microsoft's extension store.
</p>

<p>
	 
</p>

<p>
	This method does not work with Mozilla Firefox add-ons, because the <code>moz-extension://</code> origin an add-on is served from uses a random UUID generated per browser profile, so there is no stable ID that a site could probe across users.
</p>

<h2>
	uBlock is the most commonly installed
</h2>

<p>
	While z0ccc is not collecting any data regarding installed extensions, his own tests showed that having only uBlock installed is a common extension fingerprint, second only to having no extensions at all.
</p>

<p>
	 
</p>

<p>
	"By far the most popular is having no extensions installed. As previously said I do not collect specific extension data but in my own testing it seems that having only ublock installed is a common extension fingerprint," shared z0ccc.
</p>

<p>
	 
</p>

<p>
	"Having 3+ detectable extensions installed seems to always make your fingerprint very unique."
</p>

<p>
	 
</p>

<p>
	Below are the percentages of users with various popular extensions installed from tests conducted by BleepingComputer.
</p>

<p>
	 
</p>

<ul>
	<li>
		58.248% - No extensions installed or enabled.
	</li>
	<li>
		2.065% - Only Google Docs Offline, which is the only extension installed by default.
	</li>
	<li>
		0.528% - uBlock Origin + Google Docs Offline
	</li>
	<li>
		0.238% - AdBlock + Google Docs Offline
	</li>
	<li>
		0.141% - Adobe Acrobat + Google Docs Offline
	</li>
	<li>
		0.122% - Google Translate + Google Docs Offline
	</li>
	<li>
		0.019% - Malwarebytes Browser Guard
	</li>
	<li>
		0.058% - Grammarly + Google Docs Offline
	</li>
	<li>
		0.058% - LastPass + Google Docs Offline
	</li>
	<li>
		0.051% - Honey + Google Docs Offline
	</li>
	<li>
		0.013% - ColorZilla + Google Docs Offline
	</li>
</ul>

<p>
	 
</p>

<p>
	In our tests, installing three to four extensions brought the percentage of users with the same combination of extensions to as low as 0.006%. Obviously, the more extensions installed, the fewer people will have the same combination.
</p>

<p>
	 
</p>

<p>
	z0ccc says the 0.006% percentage indicates that you are the only user with that combination of extensions, but this will change as more people visit the site.
</p>

<p>
	 
</p>

<p>
	Extension Fingerprints has been released as an <a href="https://github.com/z0ccc/extension-fingerprints#extension-fingerprints" rel="external nofollow" target="_blank">open-source React project on GitHub</a>, allowing anyone to see how to query for the presence of installed extensions.
</p>

<p>
	 
</p>

<p>
	<strong>Update 6/19/22:</strong> Clarified that z0ccc did not discover the method to detect installed extensions but rather the timing comparison method.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-chrome-extensions-can-be-fingerprinted-to-track-you-online/" rel="external nofollow">Google Chrome extensions can be fingerprinted to track you online</a>
</p>
]]></description><guid isPermaLink="false">6578</guid><pubDate>Sun, 19 Jun 2022 20:14:00 +0000</pubDate></item><item><title>Microsoft Defender fails to improve in the latest AV-Comparatives ranking</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-fails-to-improve-in-the-latest-av-comparatives-ranking-r6572/</link><description><![CDATA[<p>
	Microsoft Defender had been performing quite well in the recent AV-TEST rankings, though it did drop off in the latest evaluation. And despite some positives in the latest May 2022 Real-World Protection test from AV-Comparatives, Microsoft Defender has not had the best showing in these assessments.
</p>

<p>
	<br />
	Defender failed to secure any score in last year's Real World Protection due to an error. Later, it was found that Microsoft's product had a rather poor offline detection rate and that it was also quite a system resource hog.
</p>

<p>
	<br />
	Getting into the latest May 2022 Real-World Protection test results, we start off with the most impressive feat wherein Microsoft Defender got the best result in the false positive test category. Alongside ESET, Defender had zero false positives (FPs). This is perhaps a little bit surprising as there have been some reports lately of false alarms from Defender.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1655536672_av-comparatives_feb-may_2022_" class="ipsImage" data-ratio="75.10" height="540" width="610" src="https://cdn.neow.in/news/images/uploaded/2022/06/1655536672_av-comparatives_feb-may_2022_false_positives_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	In the above image, in case you're wondering what "user-dependent" is, AV-Comparatives says these are the false positive detections which were the outcome of a wrong user choice. It explains:
</p>

<p style="margin-left:40px;">
	<br />
	<em>The evaluation process for each test case will recognise any variations among the malware files executed on each test machine. After the malware is executed (if not blocked before), we wait several minutes for malicious actions and also to give e.g. behaviour-blockers time to react and remedy actions performed by the malware. If the malware is not detected and the system is indeed infected/compromised, the process goes to “System Compromised”. Otherwise the product is deemed to have protected the test system, unless a user interaction is required. In this case, if the worst possible decision by the user results in the system becoming compromised, we rate this as “user-dependent”.</em>
</p>

<p style="margin-left:40px;">
	<br />
	<em>Where a tested product requests a user decision, we always select the option to let the program run (e.g. “Allow”). In cases where we do this, but the program is blocked anyway, the program is deemed to have protected the system.</em>
</p>

<p>
	<br />
	For every user-dependent false positive, 0.5 marks are deducted, and the final score is put in the FP Score column, as you can see in the table image above. The worst offenders here are Malwarebytes and Trend Micro, both of which have more than 40 FPs.
</p>

<p>
	<br />
	Up next, we have the summary of the entire evaluation. A total of 725 cases were tested and Defender was compromised seven times, a compromise rate of roughly 1%. Hence, overall Defender gets a 99% protection rate.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1655536666_av-comparatives_feb-may_2022_" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/06/1655536666_av-comparatives_feb-may_2022_summary_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	TotalAV does the worst in the test as it had 15 compromised samples. Interestingly, TotalAV is said to utilize the Avira engine but while the former did so poorly, the latter managed to be one of the best anti-malware protections in the test.
</p>

<p>
	<br />
	Here are the final protection awards that AV-Comparatives bestowed based on the performance of these products:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1655536653_av-comparatives_feb-may_2022_" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neow.in/news/images/uploaded/2022/06/1655536653_av-comparatives_feb-may_2022_awards_story.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Although Defender had one of the weaker detection rates, the product still managed to win the AV-Comparatives ADVANCED award thanks to its extremely good score in the false positive category. Meanwhile, their false positives cost others like Malwarebytes, Norton and Trend Micro quite a few places in this final awards ranking.
</p>

<p>
	<br />
	Source: <a href="https://www.av-comparatives.org/tests/real-world-protection-test-february-may-2022/" rel="external nofollow">AV-Comparatives</a>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-defender-fails-to-improve-in-the-latest-av-comparatives-ranking/" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">6572</guid><pubDate>Sat, 18 Jun 2022 12:50:47 +0000</pubDate></item><item><title>New Windows 11 privacy feature lists apps that used your microphone, camera</title><link>https://nsaneforums.com/news/security-privacy-news/new-windows-11-privacy-feature-lists-apps-that-used-your-microphone-camera-r6565/</link><description><![CDATA[<p>
	Microsoft has recently added a new privacy feature that allows Windows 11 users to get a list of all the apps that have recently accessed their sensitive info and devices, including their camera, microphone, and contacts.
</p>

<p>
	 
</p>

<p>
	Added in one of the June Windows 11 Preview Builds, it can now be tested by Windows Insiders in the Dev Channel.
</p>

<p>
	 
</p>

<p>
	Besides requests to access the users' contacts, the newly included privacy feature also keeps track of apps that have accessed other sensitive information linked to your location, phone calls, messaging, and screenshots in the last week.
</p>

<p>
	 
</p>

<p>
	The list of nosy apps is available via the Windows 11 Settings app, under Privacy &amp; security &gt; App permissions as a "Recent activity" drop-down menu that will show up for every tracked category of information.
</p>

<p>
	 
</p>

<p>
	Once clicked, it will display every instance in which one of the apps installed on your system has recently accessed sensitive devices and information.
</p>

<p>
	 
</p>

<p>
	<img alt="Windows_11_recent_activity.png" class="ipsImage" data-ratio="75.10" height="450" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Windows_11_recent_activity.png">
</p>

<p>
	Windows 11 recent activity (BleepingComputer)
</p>

<p>
	 
</p>

<p>
	While the list includes information on the last time the resource has been accessed by the app, clicking each entry doesn't provide additional information.
</p>

<p>
	 
</p>

<p>
	Other information that would help when, for instance, malicious apps or malware gain access to your contacts or spy on you through your microphone or camera includes file paths, process names, and process IDs, none of which the list currently shows.
</p>

<p>
	 
</p>

<p>
	Even though Microsoft is yet to officially reveal this new privacy feature in a Windows Insider blog, the new capability was unveiled on Thursday by David Weston, Microsoft's VP for Enterprise and OS Security, in a <a href="https://twitter.com/dwizzzleMSFT/status/1537520378695720960" rel="external nofollow" target="_blank">tweet</a>.
</p>

<p>
	 
</p>

<p>
	In April, Microsoft also <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-new-windows-11-security-encryption-features/" target="_blank" rel="external nofollow">announced</a> that Windows 11 is getting enhanced phishing protection against targeted phishing attacks with the help of Microsoft Defender SmartScreen, the company's cloud-based anti-phishing and anti-malware service.
</p>

<p>
	 
</p>

<p>
	Another feature dubbed Personal Data Encryption will protect users' files and data while not logged in by blocking access until they authenticate via Windows Hello.
</p>

<p>
	 
</p>

<p>
	Last but not least, Microsoft wants to enable Credential Guard by default and add further protection for the Local Security Authority (LSA) in Windows 11 Enterprise to further improve security in enterprise environments.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/new-windows-11-privacy-feature-lists-apps-that-used-your-microphone-camera/" rel="external nofollow">New Windows 11 privacy feature lists apps that used your microphone, camera</a>
</p>
]]></description><guid isPermaLink="false">6565</guid><pubDate>Fri, 17 Jun 2022 21:55:02 +0000</pubDate></item><item><title>UK government plans opt-out cookie regime to reduce the number of banners</title><link>https://nsaneforums.com/news/security-privacy-news/uk-government-plans-opt-out-cookie-regime-to-reduce-the-number-of-banners-r6564/</link><description><![CDATA[<p>
	CNBC <a href="https://www.cnbc.com/2022/06/17/uk-plans-to-cut-cookie-consent-boxes-in-departure-from-eu-data-laws.html" rel="external nofollow">has reported</a> that the UK government is seeking to move away from the European Union’s data protection rules surrounding cookie notifications. You’ve probably noticed a drastic rise of banners asking you to allow cookies on websites you visit – British politicians have and now it seems like they’re a bit tired of pressing “allow”.
</p>

<p>
	 
</p>

<p>
	To help users maintain their sanity, the UK is proposing a framework in which people would have to explicitly opt out of cookies if they didn’t want them. This would make visiting websites more seamless for those who don’t care about allowing cookies. While the move sounds great for those who hate pop-ups, it could cause some headaches.
</p>

<p>
	 
</p>

<p>
	Right now, data can flow freely between the UK and EU because they share similar rules over data protection. If the UK moves too far away from the EU’s regime it could put this free flow of information at risk. A UK government official played down these fears by saying:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	“EU adequacy decisions do not require countries to have the same rules. Our view is that these reforms are fully compatible with maintaining the free flow of personal data from Europe.”
</p>

<p>
	 
</p>

<p>
	It’s unclear how long it will take the UK to change its rules around cookies and how much of an impact it will have on websites. If you hate cookie pop-ups, there’s always the option of installing the <a href="https://www.i-dont-care-about-cookies.eu/" rel="external nofollow">I Don’t Care About Cookies add-on</a> which will banish most of these pop-ups.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/uk-government-plans-opt-out-cookie-regime-to-reduce-the-number-of-banners/" rel="external nofollow">UK government plans opt-out cookie regime to reduce the number of banners</a>
</p>
]]></description><guid isPermaLink="false">6564</guid><pubDate>Fri, 17 Jun 2022 21:53:46 +0000</pubDate></item><item><title>Here&#x2019;s Why You&#x2019;re Still Stuck in Robocall Hell</title><link>https://nsaneforums.com/news/security-privacy-news/here%E2%80%99s-why-you%E2%80%99re-still-stuck-in-robocall-hell-r6563/</link><description><![CDATA[<p>
	There's a good reason you're still afraid to answer your phone when an unknown number pops up.
</p>

<p>
	 
</p>

<p>
	For years, the telecommunications industry has been trying to curb robocalls, the frustrating and potentially dangerous spam calls that try to scam anyone who picks up the phone. But even after significant milestones in defense—including the <a href="https://www.wired.com/story/robocalls-spam-fix-stir-shaken/" rel="external nofollow">introduction of two telecom protocols</a> that cryptographically authenticate the source of calls—you're probably still getting spammy calls that drive you nuts. In spite of the setbacks, though, researchers say they've seen real progress on reducing spam calls in the United States, and there's potential for even more improvement. 
</p>

<p>
	 
</p>

<p>
	At the RSA Conference in San Francisco last week, Josh Bercu of the trade association USTelecom and Gary Warner, director of intelligence at the security firm DarkTower, presented findings on progress squashing robocalls and the illegal call centers they emanate from, which are predominantly located in India. And they dug into the frustrating reality that the issue is far from solved.
</p>

<p>
	 
</p>

<p>
	“I think it’s not going well at all!” Warner tells WIRED. “And people understandably wonder why the carriers don’t just block spam calls. But if you're AT&amp;T or Verizon or T-Mobile or whoever, it’s not in your purview to decide which conversations people are allowed to have. I don’t think people want to be in that surveillance state where carriers are in a position of deciding what is an acceptable conversation for Americans to have.”
</p>

<p>
	 
</p>

<p>
	That doesn't mean the carriers haven't stepped up their blocking when they see enough evidence that a call has a suspicious provenance. But USTelecom's Bercu notes that deciding how bold to be about blocking is a delicate issue that each phone company handles differently.
</p>

<p>
	 
</p>

<p>
	“As providers have gotten more aggressive blocking or labeling suspicious calls, they've taken on more risk that they'll mis-block or mislabel a legitimate call,” he says. “Maybe it really was a call from the bank or the pharmacy. There is some delicate balancing that providers have to do, and some are more aggressive than others.”
</p>

<p>
	 
</p>

<p>
	Bercu adds, too, that different carriers work with different analytics services to identify suspicious call activity. This can create situations where, as trends in robocalling techniques evolve and spammers use different strategies to bounce calls around international networks, some analytics services may be better at catching certain behavior than others.
</p>

<p>
	 
</p>

<p>
	Bercu is also executive director of the Industry Traceback Group, a neutral entity under USTelecom designated by the Federal Communications Commission to promote intelligence-sharing to trace the source of illegal robocalls and promote collaboration between carriers. The idea is to look at how robocalls circumvent existing technical defenses, identify networks where these protections haven't been fully implemented, and work with providers to adopt stronger safeguards.
</p>

<p>
	 
</p>

<p>
	Ultimately, though, DarkTower's Warner says that as with other digital criminal industries like email spam, <a href="https://www.wired.com/story/business-email-compromise-bec-ransomware-scams/" rel="external nofollow">business email compromise</a>, and even <a href="https://www.wired.com/story/ransomware-revil-blackmatter-surge/" rel="external nofollow">ransomware</a>, the key to limiting robocalling is to make it more difficult for scammers to operate at every level of their business. This means making it harder for them to route their calls, but also harder to recruit call agents and purchase lead lists—curated collections that claim to contain the phone numbers of targets like elderly people or people with medical issues. 
</p>

<p>
	 
</p>

<p>
	It also means targeting spammers' methods for laundering money. The financial sector has already done work in this area by putting flags on potentially suspicious gift cards, but scammers have found ways around this simply by requiring that victims send them a photo of their receipt for the gift card along with the card number itself. This way they can file claims that seem to show that they legitimately purchased and own the gift card. This takes time, though, and scammers have also developed laundering techniques in which they lean on money mule networks in the US or wherever they are operating and have mules open checking accounts where victims can wire money. They then quickly move the money out of the accounts using apps like Zelle, Venmo, or Cash App.
</p>

<p>
	 
</p>

<p>
	“The key is getting more people to understand the problem who can deny infrastructure to these actors, like communication platforms, financial institutions, telecoms, everyone together,” Warner says. "Denying the ability for criminals to communicate and coordinate—I think that is probably our most actionable path forward.”
</p>

<p>
	 
</p>

<p>
	He adds, too, that while the Indian government has <a href="https://www.wired.com/story/india-robocall-spam-caller-id/" rel="external nofollow">struggled to meaningfully address</a> the issue, Indian law enforcement has significantly ramped up arrests related to illegal call centers. But even arresting more than a dozen people a week won't curb the problem when there are estimated to be tens of thousands of people working on illegal robocalling scams in India alone.
</p>

<p>
	 
</p>

<p>
	YouMail, the blocking company that has reported estimated robocall volumes in the US for years, found that Americans received just under 4 billion robocalls in May, down from 4.74 billion in May 2019. In general, the company's stats underscore both improvement in the total volume of robocalls and the reality that numbers are still extremely high.
</p>

<p>
	 
</p>

<p>
	“The only way we could ensure that we never get any robocalls ever would be that we don’t have phone calls at all,” USTelecom's Bercu says. “When you can receive calls, you're opening up your network to someone else. So that's why I increasingly like to think about the problem the same way you would think about other cybersecurity issues. Every provider needs to do due diligence, and we need accountability—but also collaboration.”
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/how-to-stop-robocalls/" rel="external nofollow">Here’s Why You’re Still Stuck in Robocall Hell</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">6563</guid><pubDate>Fri, 17 Jun 2022 21:53:00 +0000</pubDate></item><item><title>Cops Will Be Able to Scan Your Fingerprints With a Phone</title><link>https://nsaneforums.com/news/security-privacy-news/cops-will-be-able-to-scan-your-fingerprints-with-a-phone-r6562/</link><description><![CDATA[<p>
	For more than 100 years, recording people’s fingerprints has involved them pressing their fingertips against a surface. Originally this involved ink but has since moved to sensors embedded in scanners at airports and phone screens. The next stage of fingerprinting doesn’t involve touching anything at all.
</p>

<p>
	 
</p>

<p>
	So-called contactless fingerprinting technology uses your phone’s camera and image processing algorithms to capture people’s fingerprints. Hold your hand in front of the camera lens and the software can identify and record all the lines and swirls on your fingertips. The technology, which has been in development for years, is ready to be more widely used in the real world. This includes use by police—a move that worries civil liberty and privacy groups.
</p>

<p>
	 
</p>

<p>
	Contactless fingerprinting works using several processes, says Chace Hatcher, vice president of technology at Telos, a fingerprinting technology company. “The underlying component of this is an image processing algorithm that works with computer vision principles to transform the photograph of fingers into a machine-matchable fingerprint,” Hatcher says.
</p>

<p>
	 
</p>

<p>
	To accurately collect someone’s fingerprints, a person’s hand should be around five centimeters away from a phone’s camera, Hatcher says. From here, the company’s machine learning algorithms identify your fingertips and process the image. The system, Hatcher says, is able to detect the ridges that define your fingerprint by identifying shadows and lighter areas. “We need a camera that has autofocus on it,” Hatcher says. It’s possible to pick out fingerprints using a phone camera with a resolution as low as two megapixels. The result is a traditional fingerprint image, which can then be matched against existing databases.
</p>

<p>
	 
</p>

<p>
	Last week, Telos was announced as a joint winner of a US National Institute of Standards and Technology (NIST) competition, which <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.mfitprize.com/winners/"}' data-offer-url="https://www.mfitprize.com/winners/" href="https://www.mfitprize.com/winners/" rel="external nofollow" target="_blank">looked at the performance of contactless fingerprinting systems</a> and how they can be <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.nist.gov/ctl/pscr/open-innovation-prize-challenges/current-and-upcoming-prize-challenges/2021-mobile"}' data-offer-url="https://www.nist.gov/ctl/pscr/open-innovation-prize-challenges/current-and-upcoming-prize-challenges/2021-mobile" href="https://www.nist.gov/ctl/pscr/open-innovation-prize-challenges/current-and-upcoming-prize-challenges/2021-mobile" rel="external nofollow" target="_blank">used by law enforcement</a>. According to a report by the industry title <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.biometricupdate.com/202206/winners-announced-in-nist-challenge-for-contactless-fingerprint-biometrics"}' data-offer-url="https://www.biometricupdate.com/202206/winners-announced-in-nist-challenge-for-contactless-fingerprint-biometrics" href="https://www.biometricupdate.com/202206/winners-announced-in-nist-challenge-for-contactless-fingerprint-biometrics" rel="external nofollow" target="_blank">Biometric Update</a>, the results indicate the technology is ready for a wider rollout.
</p>

<p>
	 
</p>

<p>
	Contactless fingerprints are just one part of a rapidly expanding biometrics industry, which sells ways to gather and process the data created by our bodies. Biometrics can include <a href="https://www.wired.com/story/face-recognition-banned-but-everywhere/" rel="external nofollow">face recognition</a>, the way you walk, the patterns of veins in your wrist, and the <a href="https://www.wired.com/story/voice-recognition-privacy-speech-changer/" rel="external nofollow">way you sound</a>. Among other things, the technologies are being used to replace passwords and help with proving your identity <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.iproov.com/what-we-do/use-cases/know-your-customer-kyc"}' data-offer-url="https://www.iproov.com/what-we-do/use-cases/know-your-customer-kyc" href="https://www.iproov.com/what-we-do/use-cases/know-your-customer-kyc" rel="external nofollow" target="_blank">when opening a new bank account</a>. Biometrics is a big business, with some estimates saying the market could be worth <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.biometricupdate.com/202203/total-biometrics-market-to-reach-127b-by-2030-report-forecasts"}' data-offer-url="https://www.biometricupdate.com/202203/total-biometrics-market-to-reach-127b-by-2030-report-forecasts" href="https://www.biometricupdate.com/202203/total-biometrics-market-to-reach-127b-by-2030-report-forecasts" rel="external nofollow" target="_blank">$127 billion by 2030</a>.
</p>

<p>
	 
</p>

<p>
	Despite its rapid growth, biometric technology remains controversial. <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://timesofindia.indiatimes.com/city/hyderabad/goon-caught-with-2000-stolen-fingerprints-in-hyderabad-cops-flag-id-thefts/articleshow/92154153.cms"}' data-offer-url="https://timesofindia.indiatimes.com/city/hyderabad/goon-caught-with-2000-stolen-fingerprints-in-hyderabad-cops-flag-id-thefts/articleshow/92154153.cms" href="https://timesofindia.indiatimes.com/city/hyderabad/goon-caught-with-2000-stolen-fingerprints-in-hyderabad-cops-flag-id-thefts/articleshow/92154153.cms" rel="external nofollow" target="_blank">Theft or spoofing of fingerprints</a> and other biometric information can lead to fraud and identity theft, and unlike a password a fingerprint cannot be changed once it leaks. Some lawmakers in Europe are pushing for bans on the use of biometric technology to identify people in public spaces, saying such surveillance technology could be <a href="https://www.wired.co.uk/article/europe-ai-biometrics" rel="external nofollow">“the end of anonymity.”</a>
</p>

<p>
	 
</p>

<p>
	Shweta Mohandas, a lawyer working on privacy issues at the nonprofit Centre for Internet and Society, in India, says any new technologies should face privacy- and harm-impact assessments before they’re widely used. “More worrying issues would be when these technologies will be imported into developing economies, which neither have standards in place nor a robust data protection legislation to protect the individuals from harms that might arise,” Mohandas says.
</p>

<p>
	 
</p>

<p>
	Despite recent advancements, research around contactless fingerprints isn’t new. Multiple companies are developing the technology—around half a dozen were listed as winners of different categories in the NIST competition. One recent study from researchers in Germany found that contactless fingerprinting could be as accurate as more traditional fingerprinting. “The presented usability study shows that the majority of users prefer a contactless recognition system over a contact-based one for hygienic reasons,” the researchers <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.mdpi.com/1424-8220/22/3/792/htm"}' data-offer-url="https://www.mdpi.com/1424-8220/22/3/792/htm" href="https://www.mdpi.com/1424-8220/22/3/792/htm" rel="external nofollow" target="_blank">write</a>. “In addition, the usability of the contactless capturing device was seen as slightly better.”
</p>

<p>
	 
</p>

<p>
	Law enforcement agencies have also taken a keen interest in the new fingerprinting method for several years. (The FBI has a database <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.fbi.gov/file-repository/ngi-monthly-fact-sheet/view"}' data-offer-url="https://www.fbi.gov/file-repository/ngi-monthly-fact-sheet/view" href="https://www.fbi.gov/file-repository/ngi-monthly-fact-sheet/view" rel="external nofollow" target="_blank">holding more than 160 million people’s fingerprints</a>). One 2017 biometrics review by the FBI and other US government staff <a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8037165/" rel="external nofollow">says</a> contactless fingerprinting would potentially allow people’s prints to be collected faster and more efficiently than by existing methods. By using smartphone cameras, police wouldn’t need mobile fingerprint readers nor would they need to take people to stations to collect their prints. “But by and large, what we're allowing to happen is use cases that are already in effect to be leveraged more efficiently and more cost-effectively,” Hatcher says.
</p>

<p>
	 
</p>

<p>
	The FBI-linked review also highlights some of the risks. It says people may not properly understand that their fingerprints are being gathered. “An impersonal collection method does not necessarily trigger the owner’s recognition of a biometric record creation,” it <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.dni.gov/files/PE/Documents/8---2017-AEP_Contactless-Biometrics-.pdf"}' data-offer-url="https://www.dni.gov/files/PE/Documents/8---2017-AEP_Contactless-Biometrics-.pdf" href="https://www.dni.gov/files/PE/Documents/8---2017-AEP_Contactless-Biometrics-.pdf" rel="external nofollow" target="_blank">says</a>.
</p>

<p>
	 
</p>

<p>
	“As the technology evolves, we'll see increasing possibilities for people to be 'fingerprinted' remotely and without their knowledge,” says Daniel Leufer, a senior policy analyst at the European NGO Access Now. “When technologies like this become more accessible and easier to use, they'll be used more often, increasing the risk.” At the extreme end of the scale there have already been several examples of police forces <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://futurism.com/fingerprints-identified-criminal"}' data-offer-url="https://futurism.com/fingerprints-identified-criminal" href="https://futurism.com/fingerprints-identified-criminal" rel="external nofollow" target="_blank">identifying suspects</a> by <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.vice.com/en/article/evqk9e/photo-of-fingerprints-used-to-arrest-drug-dealers"}' data-offer-url="https://www.vice.com/en/article/evqk9e/photo-of-fingerprints-used-to-arrest-drug-dealers" href="https://www.vice.com/en/article/evqk9e/photo-of-fingerprints-used-to-arrest-drug-dealers" rel="external nofollow" target="_blank">pulling fingerprint data</a> from <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/mikko/status/1535209158995329024"}' data-offer-url="https://twitter.com/mikko/status/1535209158995329024" href="https://twitter.com/mikko/status/1535209158995329024" rel="external nofollow" target="_blank">photos they’ve shared online</a>.
</p>

<p>
	 
</p>

<p>
	There’s also the potential that easier fingerprint collection results in more people’s data being recorded. For instance, police in the UK have been using <a href="https://www.wired.co.uk/article/uk-police-handheld-fingerprint-scanner-database-biometric-security" rel="external nofollow">fingerprint scanning devices that clip onto smartphones since 2018</a>. The tests involve scanning one finger using a device that plugs into a smartphone’s charging port, providing potential matches against a database in under a minute. A <a href="https://www.wired.co.uk/article/police-fingerprint-scan-uk" rel="external nofollow">WIRED investigation in late 2020</a> found the devices were being disproportionately used to target ethnic minorities—in some areas Black Britons were between three and 18 times more likely to be stopped and scanned than white people.
</p>

<p>
	 
</p>

<p>
	“There is a lot of evidence showing intent in countries such as Greece and Italy to use 'handheld' biometric devices to identify migrants,” says Ella Jakubowska, a policy adviser at the civil rights NGO European Digital Rights. The technologies have the “capacity to exacerbate discrimination,” Jakubowska says.
</p>

<p>
	 
</p>

<p>
	The biometrics industry at large is pushing toward “seamless” biometrics, Jakubowska says. “We're seeing this idea across many different use cases, with providers trying to remove manual steps in biometric processing,” Jakubowska adds. “The problem is that when we talk about meaningful, informed consent, this becomes a lot harder when people are no longer as conscious and conscientious about the data that they are providing.”
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/police-contactless-fingerprints-photos/" rel="external nofollow">Cops Will Be Able to Scan Your Fingerprints With a Phone</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">6562</guid><pubDate>Fri, 17 Jun 2022 21:52:03 +0000</pubDate></item><item><title>Panchan malware spreads across networks through Linux servers</title><link>https://nsaneforums.com/news/security-privacy-news/panchan-malware-spreads-across-networks-through-linux-servers-r6554/</link><description><![CDATA[<p>
	The peer-to-peer Panchan malware spreads through the Linux servers of educational institutions and uses them to mine cryptocurrency.
</p>

<p>
	<br />
	Discovered by Akamai researchers in March, the worm spreads using stolen SSH keys and runs its cryptomining payload from memory rather than from a file on disk. Although it lands on educational institutions, its goal is not to steal research or intellectual property; it is there to mine cryptocurrency. To spread, the peer-to-peer (P2P) worm reads the id_rsa and known_hosts files of compromised accounts to collect existing private keys and the hosts they were used to reach, then uses those credentials to move laterally across the network.
</p>
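<p>
	The harvesting step described above is also the responder's starting point: once key theft is suspected on a host, the two questions are which private keys a process running as the user could reuse without a passphrase, and which hosts known_hosts hands over as targets. The helper below is an added example written for this page, not Akamai's tooling and not code from Panchan. It assumes the key files are in OpenSSH or legacy PEM format; the file paths, the key blobs (only the header fields a real key would carry) and the known_hosts lines are constructed for the example.
</p>

```python
"""Incident-scoping helper for an SSH-key-harvesting worm (added example).

Answers two questions after key theft is suspected: which private keys are
stored unencrypted (usable as-is by any process running as the user), and
which concrete hosts a known_hosts file exposes. All inputs are constructed.
"""
import base64
import re
import struct
from typing import Optional

OPENSSH_MAGIC = b"openssh-key-v1\x00"
HOST_PORT = re.compile(r"^\[(?P<host>[^\]]+)\]:(?P<port>\d+)$")


def openssh_cipher(key_text: str) -> Optional[str]:
    """Return the cipher name stored in an OpenSSH-format private key
    ("none" means the key is unencrypted), or None if not that format."""
    body = "".join(l for l in key_text.strip().splitlines() if not l.startswith("-----"))
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    if not blob.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    if len(blob) < off + 4:
        return None
    (n,) = struct.unpack(">I", blob[off:off + 4])   # length-prefixed cipher name
    off += 4
    return blob[off:off + n].decode("ascii", "replace")


def key_is_unencrypted(key_text: str) -> bool:
    """True if the private key can be used without a passphrase."""
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:
        return openssh_cipher(key_text) == "none"
    # Legacy PEM keys mark encryption with a "Proc-Type: 4,ENCRYPTED" header;
    # PKCS#8 encrypted keys say "BEGIN ENCRYPTED PRIVATE KEY".
    return "ENCRYPTED" not in key_text


def known_hosts_targets(text: str) -> dict:
    """Parse known_hosts and list the concrete (host, port) pairs it exposes.

    Hashed entries (HashKnownHosts yes) cannot be reversed by a reader of the
    file, so they are only counted; wildcard patterns are not concrete targets."""
    targets, hashed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):           # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 2:
            continue
        if fields[0].startswith("|1|"):         # hashed hostname entry
            hashed += 1
            continue
        for pattern in fields[0].split(","):
            if any(c in pattern for c in "*?!"):
                continue
            m = HOST_PORT.match(pattern)        # "[host]:port" form
            host, port = (m["host"], int(m["port"])) if m else (pattern, 22)
            if (host, port) not in targets:
                targets.append((host, port))
    return {"targets": targets, "hashed": hashed}


def scope_ssh_exposure(private_keys: dict, known_hosts_text: str) -> dict:
    """Combine both checks. private_keys maps a file path to its contents."""
    usable = [path for path, text in private_keys.items() if key_is_unencrypted(text)]
    return {"usable_keys": usable, **known_hosts_targets(known_hosts_text)}


def _fake_openssh_key(cipher: str) -> str:
    """Constructed stand-in: only the magic, cipher and kdf names of a real
    OpenSSH key blob, which is all the header check reads."""
    blob = OPENSSH_MAGIC
    for s in (cipher, "none" if cipher == "none" else "bcrypt"):
        blob += struct.pack(">I", len(s)) + s.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample inputs (hypothetical paths and hosts).
SAMPLE_KEYS = {
    "/home/alice/.ssh/id_rsa": _fake_openssh_key("none"),
    "/home/alice/.ssh/id_ed25519": _fake_openssh_key("aes256-ctr"),
    "/home/alice/.ssh/legacy.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
        "AAAA\n-----END RSA PRIVATE KEY-----\n"),
}
SAMPLE_KNOWN_HOSTS = """\
# constructed sample
git.example.edu,10.0.5.17 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE
[hpc-login.example.edu]:2222 ssh-rsa AAAAB3NzaC1yc2EEXAMPLE
|1|q2N1Z0tLbE5hUFFtVjN0|c3VwZXJzZWNyZXRoYXNo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE
@cert-authority *.partner.example.org ssh-rsa AAAAB3NzaC1yc2EEXAMPLE
"""

if __name__ == "__main__":
    print(scope_ssh_exposure(SAMPLE_KEYS, SAMPLE_KNOWN_HOSTS))
```

<p>
	On the sample data only id_rsa is flagged as usable, and the hashed entry is counted but yields no target: a passphrase on the key and HashKnownHosts yes in ssh_config are exactly the two settings that starve this style of propagation, which is the configuration change worth pushing to shared research hosts.
</p>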

<p>
	<br />
	The Panchan cryptojacker is written in the Go programming language. It communicates in plaintext over TCP, yet it still includes features to evade monitoring on the host, and it offers a ‘godmode’ admin panel for remotely controlling the botnet and distributing mining configurations. Its author builds it with Go version 1.18, which Google released in March. “The admin panel is written in Japanese, which hints at the creator’s geolocation”, stated Stiv Kupchik, security researcher at Akamai.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Why education?</strong></span>
</p>

<p>
	<br />
	Educational institutions are clearly targeted. The question is why. Akamai believes it could be down to weak credential hygiene and the way academic networks are shared between organisations.
</p>

<p>
	 
</p>

<p>
	“Researchers in different academic institutions might collaborate more frequently than employees in the business sector, and require credentials to authenticate to machines that are outside of their organization and network”, he said. “Strengthening that hypothesis, we saw that some of the universities involved were from the same country.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techzine.eu/news/security/81179/panchan-malware-spreads-across-networks-through-linux-servers/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6554</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Hacker installs Ubuntu on a Google Nest Hub (2nd-gen) smart display</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-installs-ubuntu-on-a-google-nest-hub-2nd-gen-smart-display-r6547/</link><description><![CDATA[<p>
	The 2nd-gen Google Nest Hub is a smart display with a 7 inch, 1024 x 600 pixel touchscreen display, a built-in speaker, and a lightweight operating system designed to put Google Assistant front and center.
</p>

<p>
	<br />
	But security researcher Frédéric Basse found a vulnerability that could be exploited to install other operating systems on the Nest Hub, and as a demonstration he installed Ubuntu Linux.
</p>

<p>
	 
</p>

<p>
	Basse has written up a detailed explanation of how the vulnerability was discovered and how the exploit was used to execute arbitrary code on the Nest Hub, and the software you’d need to repeat the process on your own Nest Hub has been shared to a GitHub repository.
</p>

<p>
	<br />
	But there are a few things to keep in mind before trying to install Ubuntu or another operating system on a Nest Hub. The first is that this isn’t just a simple software hack – you’ll need a Raspberry Pi Pico or similar device that can be configured to work as a USB flash drive with settings that will crash the Nest Hub and then load a custom payload that allows you to boot from an alternate device. Then you can insert a different flash drive that’s been prepared with a build of Ubuntu (or another OS) that’s compatible with the Nest Hub’s hardware.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="nestbuntu_03-768x625.jpg" class="ipsImage" data-ratio="75.10" height="540" width="664" src="https://liliputing.com/wp-content/uploads/2022/06/nestbuntu_03-768x625.jpg" />
</p>

<p>
	 
</p>

<p>
	The second issue? There’s a reasonable chance that if anything goes wrong, you could end up damaging your smart display. And since this is clearly not a use case covered by Google’s warranty, good luck getting your device repaired if you break it.
</p>

<p>
	<br />
	That said, it’s a pretty neat trick for now… and it could be a way to breathe new life into Google’s smart displays if Google eventually stops supporting them (something the company has a history of doing to old projects).
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://liliputing.com/2022/06/hacker-installs-ubuntu-on-a-google-nest-hub-2nd-gen-smart-display.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6547</guid><pubDate>Thu, 16 Jun 2022 23:45:15 +0000</pubDate></item><item><title>iCloud hacker gets 9 years in prison for stealing nude photos</title><link>https://nsaneforums.com/news/security-privacy-news/icloud-hacker-gets-9-years-in-prison-for-stealing-nude-photos-r6546/</link><description><![CDATA[<p>
	A California man who hacked thousands of Apple iCloud accounts was sentenced to 9 years in prison after pleading guilty to conspiracy and computer fraud in October 2021.
</p>

<p>
	<br />
	Starting from as early as September 2014, 41-year-old Hao Kuo Chi from La Puente, California, started marketing himself as "icloudripper4you," someone capable of breaching iCloud accounts and stealing anything contained in the linked iCloud storage (in what he referred to as "ripping").
</p>

<p>
	<br />
	"This man led a terror campaign from his computer, causing fear and distress to hundreds of victims," FBI agent David Walker said.
</p>

<p>
	<br />
	"The FBI is committed to protecting the American people by exposing these cybercriminals and bringing them to justice."
</p>

<p>
	<br />
	To compromise a targeted account, Chi used emails that would allow him to impersonate Apple customer support representatives and trick targets into handing over their Apple IDs and passwords, according to court documents.
</p>

<p>
	<br />
	After compromising an iCloud account, he would look for and steal nude photographs and videos from victims' online storage (referred to as "wins"), sharing them with conspirators who later published them online.
</p>

<p>
	<br />
	Chi also shared some of the compromising photos and videos on a now-defunct revenge porn website (Anon-IB) without his victims' consent and intending "to intimidate, harass, or embarrass."
</p>

<p>
	<br />
	<span style="font-size:16px;"><strong>Hundreds of compromised iCloud accounts</strong></span>
</p>

<p>
	<br />
	Until caught, Chi gained unauthorized access to hundreds of targets' iCloud accounts from all over the United States, including Arizona, California, Florida, Kentucky, Louisiana, Maine, Massachusetts, Ohio, Pennsylvania, South Carolina, and Texas.
</p>

<p>
	<br />
	"Chi's email accounts contained the iCloud credentials of approximately 4,700 victims. These accounts also revealed that he had sent content stolen from victims to conspirators on more than 300 occasions," the Department of Justice revealed today.
</p>

<p>
	<br />
	He stored 3.5 terabytes of stolen content from over 500 victims on cloud and physical storage, with roughly 1 terabyte of the cloud storage dedicated to stolen nude photographs and videos.
</p>

<p>
	<br />
	"Chi victimized hundreds of women across the country, making them fear for their safety and reputations," said U.S. Attorney Roger Handberg.
</p>

<p>
	<br />
	"This sentence reflects the resolve of the U.S. Attorney's Office to hold cybercriminals responsible for their crimes."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/icloud-hacker-gets-9-years-in-prison-for-stealing-nude-photos/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">6546</guid><pubDate>Thu, 16 Jun 2022 23:41:56 +0000</pubDate></item><item><title>Intel Firmware updates for Memory Mapped I/O security vulnerabilities</title><link>https://nsaneforums.com/news/security-privacy-news/intel-firmware-updates-for-memory-mapped-io-security-vulnerabilities-r6537/</link><description><![CDATA[<p>
	Intel released new firmware updates to address Memory Mapped I/O security vulnerabilities. Intel and Microsoft published advisories this week to inform system administrators about the issues.
</p>

<p>
	 
</p>

<p>
	<img alt="intel-vulnerabilities-mmio-stake-data-vu" class="ipsImage" data-ratio="75.10" height="384" width="720" src="https://www.ghacks.net/wp-content/uploads/2022/06/intel-vulnerabilities-mmio-stake-data-vulnerabilities.png">
</p>

<p>
	 
</p>


<p>
	Microsoft customers may visit the <a data-wpel-link="external" href="https://msrc.microsoft.com/update-guide/vulnerability/ADV220002" rel="external nofollow" target="_blank">ADV220002</a> support page, Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities, for information. Intel published advisory INTEL-SA-00615 on the company's <a data-wpel-link="external" href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html" rel="external nofollow" target="_blank">Security Center website</a>.
</p>

<p>
	 
</p>

<p>
	The following four vulnerabilities affect certain Intel processors:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a data-wpel-link="external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21123" rel="external nofollow" target="_blank">CVE-2022-21123</a> - Shared Buffer Data Read (SBDR) -- "Incomplete cleanup of multi-core shared buffers for some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access"
	</li>
	<li>
		<a data-wpel-link="external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21125" rel="external nofollow" target="_blank">CVE-2022-21125</a> - Shared Buffer Data Sampling (SBDS) -- "Incomplete cleanup of microarchitectural fill buffers on some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access"
	</li>
	<li>
		<a data-wpel-link="external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21127" rel="external nofollow" target="_blank">CVE-2022-21127</a> - Special Register Buffer Data Sampling Update (SRBDS Update) -- "Incomplete cleanup in specific special register read operations for some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access"
	</li>
	<li>
		<a data-wpel-link="external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21166" rel="external nofollow" target="_blank">CVE-2022-21166</a> - Device Register Partial Write (DRPW) -- "Incomplete cleanup in specific special register write operations for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access"
	</li>
</ul>

<p>
	 
</p>

<p>
	The list of affected Intel processors is <a data-wpel-link="external" href="https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html" rel="external nofollow" target="_blank">available here</a>. It includes Intel 7th generation to 12th generation processors, Intel Atom processors, Intel Pentium Gold series processors, and Intel Celeron processors.
</p>

<p>
	 
</p>

<p>
	Intel published microcode updates, which administrators may install on affected systems to protect the devices. The company recommends updating to the latest firmware or microcode version provided by the system manufacturer; the microcode alone is not enough, as the operating system must also be updated to make use of the new buffer-clearing behaviour.
</p>
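<p>
	Whether the combination of microcode and OS update has actually taken effect is something to verify rather than assume. The check below is an added example for this page, not code from Intel's or Microsoft's advisories. It assumes a Linux host, where the kernel reports its view of these issues in /sys/devices/system/cpu/vulnerabilities/mmio_stale_data (a file that only exists on kernels patched for this advisory), and it matches the status strings that file prints; the sample strings in the block are constructed for the example.
</p>

```python
"""Check whether a Linux kernel reports the MMIO Stale Data mitigation as active
(added example; assumes a Linux host with a kernel patched for this advisory)."""
import os
from typing import Optional

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/mmio_stale_data"


def classify_status(text: Optional[str]) -> str:
    """Map the sysfs status string to an action for the administrator."""
    if text is None:
        # No file: the kernel predates the advisory and cannot apply the
        # VERW buffer clearing even if the microcode is already installed.
        return "unknown: kernel predates the advisory, update the kernel first"
    s = text.strip()
    if s.startswith("Not affected"):
        return "ok: CPU not affected"
    if s.startswith("Mitigation:"):
        if "SMT vulnerable" in s:
            return "mitigated, but SMT left enabled: cross-thread leakage still possible"
        return "mitigated"
    if s.startswith("Vulnerable"):
        if "no microcode" in s:
            return "vulnerable: microcode missing, install the OEM firmware/microcode update"
        return "vulnerable: mitigation disabled or unavailable"
    if s.startswith("Unknown"):
        return "unknown: kernel could not determine exposure for this CPU model"
    return f"unrecognised status: {s}"


def read_status(path: str = SYSFS_PATH) -> Optional[str]:
    """Read the sysfs file, returning None when the kernel does not provide it."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def check_host(path: str = SYSFS_PATH) -> str:
    """One-call check for the machine this runs on."""
    return classify_status(read_status(path))


# Constructed sample outputs of the kinds the kernel prints for this file.
SAMPLES = {
    "patched": "Mitigation: Clear CPU buffers; SMT vulnerable\n",
    "needs_microcode": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
    "unaffected": "Not affected\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {classify_status(text)}")
    print("this host:", check_host())
```

<p>
	The second sample is the state most fleets sit in between the kernel update and the OEM firmware update: the kernel knows what to do but has no microcode to do it with, and only the firmware step from the system manufacturer clears it. On cloud hosts the same file tells a tenant whether the hypervisor's guest kernel sees the mitigation, which is the cross-VM case Microsoft's description singles out.
</p>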

<p>
	 
</p>

<p>
	Microsoft confirmed the issue and provided a description of a potential attack:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	An attacker who successfully exploited these vulnerabilities might be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Windows client customers need to install the microcode update and software updates. Microsoft has not released the updates via Windows Update at the time of writing. German computer site WinFuture notes that Microsoft will release the updates soon.
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/06/16/intel-firmware-updates-for-memory-mapped-i-o-security-vulnerabilities/" rel="external nofollow">Intel Firmware updates for Memory Mapped I/O security vulnerabilities</a>
</p>
]]></description><guid isPermaLink="false">6537</guid><pubDate>Thu, 16 Jun 2022 21:03:58 +0000</pubDate></item></channel></rss>
