<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/161/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Apple and Google&#x2019;s AI wizardry promises privacy&#x2014;at a cost</title><link>https://nsaneforums.com/news/security-privacy-news/apple-and-google%E2%80%99s-ai-wizardry-promises-privacy%E2%80%94at-a-cost-r718/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		Apple and Google’s AI wizardry promises privacy—at a cost
	</h1>

	<h2 itemprop="description">
		Upgraded data protection and less reliance on the cloud could lock users in.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			 
		</p>

		<p>
			Since the dawn of the <a href="https://www.wired.com/tag/iphone/" rel="external nofollow">iPhone</a>, many of the smarts in smartphones have come from elsewhere: the corporate computers known as the<a href="https://www.wired.com/tag/cloud-computing/" rel="external nofollow"> cloud</a>. Mobile apps sent user data cloudward for useful tasks like transcribing speech or suggesting message replies. Now<a href="https://www.wired.com/tag/apple/" rel="external nofollow"> Apple</a> and<a href="https://www.wired.com/tag/google/" rel="external nofollow"> Google</a> say<a href="https://www.wired.com/tag/smartphones/" rel="external nofollow"> smartphones</a> are smart enough to do some crucial and sensitive<a href="https://www.wired.com/tag/machine-learning/" rel="external nofollow"> machine-learning</a> tasks like those on their own.
		</p>

		<p>
			 
		</p>

		<p>
			At Apple's WWDC event<a href="https://www.wired.com/story/apple-wwdc-2021-news-recap" rel="external nofollow"> this month</a>, the company said its virtual assistant<a href="https://www.wired.com/tag/siri/" rel="external nofollow"> Siri</a> will transcribe speech without tapping the cloud in some languages on recent and future iPhones and iPads. During its own<a href="https://www.wired.com/story/google-io-2021-highlights/" rel="external nofollow"> I/O developer event last month</a>, Google said the latest version of its<a href="https://www.wired.com/tag/android/" rel="external nofollow"> Android</a> operating system has a feature dedicated to secure, on-device processing of sensitive data, called the Private Compute Core. Its initial uses include powering the version of the company's Smart Reply feature built into its mobile keyboard that can suggest responses to incoming messages.
		</p>

		<p>
			 
		</p>

		<p>
			Apple and Google both say on-device machine learning offers more privacy and snappier apps. Not transmitting personal data cuts the risk of exposure and saves time spent waiting for data to traverse the internet. At the same time, keeping data on devices aligns with the tech giants' long-term interest in keeping consumers bound into their ecosystems. People who hear their data can be processed more privately might become more willing to agree to share more data.
		</p>

		<p>
			 
		</p>
		<p>
			The companies' recent promotion of on-device machine learning comes after years of work on technology to constrain the data their clouds can "see."
		</p>

		<p>
			 
		</p>

		<p>
			In 2014, Google started gathering some data on Chrome browser usage<a href="https://security.googleblog.com/2014/10/learning-statistics-with-privacy-aided.html" rel="external nofollow"> through a technique called differential privacy</a>, which adds noise to harvested data in ways that restrict what those samples reveal about individuals. Apple has used the technique on data gathered from phones to inform emoji and typing predictions and for web browsing data.
		</p>

		<p>
			 
		</p>

		<p>
			More recently, both companies have adopted a technology called<a href="http://ai.googleblog.com/2017/04/federated-learning-collaborative.html" rel="external nofollow"> federated learning</a>. It allows a cloud-based machine-learning system to be updated without scooping in raw data; instead, individual devices process data locally and share only digested updates. As with differential privacy, the companies have discussed using federated learning only in limited cases. Google has used the technique to keep its mobile typing predictions up to date with language trends; Apple has published research on using it to<a href="https://arxiv.org/pdf/2102.08503.pdf" rel="external nofollow"> update speech-recognition models</a>.
		</p>

		<p>
			 
		</p>

		<p>
			Rachel Cummings, an assistant professor at Columbia who has previously consulted on privacy for Apple, says the rapid shift to do some machine learning on phones has been striking. "It's incredibly rare to see something going from the first conception to being deployed at scale in so few years," she says.
		</p>

		<p>
			 
		</p>

		<p>
			That progress has required not just advances in computer science but for companies to take on the practical challenges of processing data on devices owned by consumers. Google has said that its federated learning system only taps users' devices when they are plugged in, idle, and on a free Internet connection. The technique was enabled in part by improvements in the power of mobile processors.
		</p>

		<p>
			 
		</p>

		<p>
			Beefier mobile hardware also contributed to Google's <a href="https://www.wired.com/story/google-made-truly-usable-voice-assistant/" rel="external nofollow">2019 announcement</a> that voice recognition for its virtual assistant on Pixel devices would be wholly on-device, free from the crutch of the cloud. Apple's new on-device voice recognition for Siri, announced at WWDC this month, will use the "neural engine" the company<a href="https://www.wired.com/story/apples-neural-engine-infuses-the-iphone-with-ai-smarts/" rel="external nofollow"> added to its mobile processors</a> to power up machine-learning algorithms.
		</p>

		<p>
			 
		</p>

		<p>
			The technical feats are impressive. It's debatable how much they will meaningfully change users' relationship with tech giants.
		</p>

		<p>
			 
		</p>

		<p>
			Presenters at Apple's WWDC said Siri's new design was a "major update to privacy" that addressed the risk associated with accidentally transmitting audio to the cloud, saying that was users' largest privacy concern about<a href="https://www.wired.com/tag/voice-assistants/" rel="external nofollow"> voice assistants</a>. Some Siri commands—such as setting timers—can be recognized wholly locally, making for a speedy response. Yet in many cases transcribed commands to Siri—presumably including from accidental recordings—will be sent to Apple servers for software to decode and respond. Siri voice transcription will still be cloud-based for HomePod smart speakers commonly installed in bedrooms and kitchens, where accidental recording can be more concerning.
		</p>

		<p>
			 
		</p>

		<p>
			Google also promotes on-device data processing as a privacy win and has signaled it will expand the practice. The company expects partners such as Samsung that use its Android operating system to adopt the new Private Compute Core and use it for features that rely on sensitive data.
		</p>

		<p>
			 
		</p>

		<p>
			Google has also made local analysis of browsing data a feature of its proposal for<a href="https://www.wired.com/story/google-floc-privacy-ad-tracking-explainer" rel="external nofollow"> reinventing online ad targeting, dubbed FLoC</a> and claimed to be more private. Academics and some rival tech companies have said the design is likely to help Google consolidate its dominance of online ads by making targeting more difficult for other companies.
		</p>

		<p>
			 
		</p>

		<p>
			Michael Veale, a lecturer in digital rights at University College London, says on-device data processing can be a good thing but adds that the way tech companies promote it shows they are primarily motivated by a desire to keep people tied into lucrative digital ecosystems.
		</p>

		<p>
			 
		</p>

		<p>
			"Privacy gets confused with keeping data confidential, but it's also about limiting power," says Veale. "If you're a big tech company and manage to reframe privacy as only confidentiality of data, that allows you to continue business as normal and gives you license to operate."
		</p>

		<p>
			 
		</p>

		<p>
			A Google spokesperson said the company "builds for privacy everywhere computing happens" and that data sent to the Private Compute Core for processing "needs to be tied to user value." Apple did not respond to a request for comment.
		</p>

		<p>
			 
		</p>

		<p>
			Cummings of Columbia says new privacy techniques and the way companies market them add complexity to the trade-offs of digital life. Over recent years, as machine learning has become more widely deployed, tech companies have steadily expanded the range of data they collect and analyze. There is evidence some consumers misunderstand the privacy protections trumpeted by tech giants.
		</p>

		<p>
			 
		</p>

		<p>
			<a href="https://theconversation.com/people-want-data-privacy-but-dont-always-know-what-theyre-getting-143782" rel="external nofollow">A forthcoming survey study</a> from Cummings and collaborators at Boston University and the Max Planck Institute showed descriptions of differential privacy drawn from tech companies, media, and academics to 675 Americans. Hearing about the technique made people about twice as likely to report they would be willing to share data. But there was evidence that descriptions of differential privacy's benefits also encouraged unrealistic expectations. One-fifth of respondents expected their data to be protected against law enforcement searches, something differential privacy does not do. Apple's and Google's latest proclamations about on-device data processing may bring new opportunities for misunderstandings.
		</p>

		<p>
			 
		</p>

		<p>
			This story originally appeared on<a href="https://www.wired.com/story/apple-googles-ai-wizardry-promises-privacy-cost/" rel="external nofollow"> wired.com</a>.
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/06/apple-and-googles-ai-wizardry-promises-privacy-at-a-cost/" rel="external nofollow">Apple and Google’s AI wizardry promises privacy—at a cost</a>
</p>
]]></description><guid isPermaLink="false">718</guid><pubDate>Fri, 18 Jun 2021 22:09:41 +0000</pubDate></item><item><title>First American Financial Pays Farcical $500K Fine</title><link>https://nsaneforums.com/news/security-privacy-news/first-american-financial-pays-farcical-500k-fine-r715/</link><description><![CDATA[<header>
	<div>
		<h1>
			First American Financial Pays Farcical $500K Fine
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-55971">

			<div>
				<p>
					In May 2019, KrebsOnSecurity broke the news that the website of mortgage settlement giant <a href="https://en.wikipedia.org/wiki/First_American_Corporation" rel="external nofollow" target="_blank">First American Financial Corp.</a> [<a href="https://www.marketbeat.com/stocks/NYSE/FAF/" rel="external nofollow" target="_blank">NYSE:FAF</a>] was <a href="https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/" rel="external nofollow" target="_blank">leaking more than 800 million documents</a> — many containing sensitive financial data — related to real estate transactions dating back 16 years. This week, the U.S. Securities and Exchange Commission settled its investigation into the matter after the Fortune 500 company agreed to pay a paltry penalty of less than $500,000.
				</p>

				<p>
					 
				</p>

				<div id="attachment_47830">
					<img alt="firstamericanfinancial.jpg" aria-describedby="caption-attachment-47830" data-ratio="75.10" loading="lazy" width="719" src="https://krebsonsecurity.com/wp-content/uploads/2019/05/firstamericanfinancial.jpg">
					<p id="caption-attachment-47830">
						First American Financial Corp.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					If you bought or sold a property in the last two decades or so, chances are decent that you also gave loads of personal and financial documents to First American. According to <a href="https://www.alta.org/publications/press-release.cfm?ALTA-Reports-Title-Premium-Volume-Increases-217-Percent-in-2020" rel="external nofollow" target="_blank">data</a> from the American Land Title Association, First American is the second largest mortgage title and settlement company in the United States, handling nearly a quarter of all closings each year.
				</p>

				<p>
					 
				</p>

				<p>
					The SEC says First American derives nearly 92 percent of its revenue from its title insurance segment, earning $7.1 billion last year.
				</p>

				<p>
					 
				</p>

				<p>
					Title insurance protects homebuyers from the prospect of someone contesting their legitimacy as the new homeowner. According to <a href="https://www.simpleshowing.com/blog/who-pays-for-the-title-insurance" rel="external nofollow" target="_blank">SimpleShowing.com</a>, there are actually two title insurance policies in each transaction — one for the buyer and one for the lender (the latter also needs protection as they’re providing the mortgage to purchase the home).
				</p>

				<p>
					 
				</p>

				<p>
					Title insurance is not mandated by law, but most lenders require it as part of any mortgage transaction. In other words, if you wish to take out a mortgage on a home you will not be able to do so without giving companies like First American gobs of documents about your income, assets and liabilities — including quite a bit of sensitive financial data.
				</p>

				<p>
					 
				</p>

				<p>
					Aside from its core business competency — checking to make sure the property at issue in any real estate transaction is unencumbered by any liens or other legal claims against it — First American basically has one job: Protect the privacy and security of all these documents.
				</p>

				<p>
					 
				</p>

				<div id="attachment_47843">
					<img alt="sample-fa.jpg" aria-describedby="caption-attachment-47843" data-ratio="75.10" loading="lazy" width="719" src="https://krebsonsecurity.com/wp-content/uploads/2019/05/sample-fa.jpg">
					<p id="caption-attachment-47843">
						A redacted screenshot of one of many millions of sensitive records exposed by First American’s Web site.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					It’s easy to see why companies like First American might not view protecting this data as sacrosanct, as the entire industry’s incentive for safeguarding all those sensitive documents is somewhat misaligned.
				</p>

				<p>
					 
				</p>

				<p>
					That is to say, in the title insurance industry the parties to a real estate transaction aren’t customers, but rather they are the product. The actual customers of the title insurance companies are principally the banks which back these mortgage transactions.
				</p>

				<p>
					 
				</p>

				<p>
					We see a similar dynamic with social media platforms, where the “user” is not the customer at all but the product whose data is being bought and sold by these platforms.
				</p>

				<p>
					 
				</p>

				<p>
					Roughly five months before KrebsOnSecurity notified First American that anyone with a web browser could view sensitive documents in its “Eagle Pro” database online just by changing some characters at the end of a link, an internal security audit at First American flagged the exact same vulnerability.
				</p>

				<p>
					 
				</p>

				<p>
					But the company never acted to fix it until the news media came calling.
				</p>

				<p>
					 
				</p>

				<p>
					The SEC’s <a href="https://www.sec.gov/litigation/admin/2021/34-92176.pdf" rel="external nofollow" target="_blank">administrative proceeding</a> (PDF) explains how things slipped through the cracks. Under First American’s documented vulnerability remediation policies, the data leak was classified as a security weakness with a “level 3” severity, which placed it in the “medium risk” category and required remediation within 45 days.
				</p>

				<p>
					 
				</p>

				<p>
					But rather than recording the vulnerability as a level 3 severity, due to a clerical error the vulnerability was erroneously entered as a level 2 or “low risk” severity in First American’s automated tracking system. Level 2 issues required remediation within 90 days. Even so, First American missed that mark.
				</p>

				<p>
					 
				</p>

				<p>
					The SEC said that under First American’s remediation policies, if the person responsible for fixing the problem is unable to do so based on the timeframes listed above, that employee must have their management contact the company’s information security department to discuss their remediation plan and proposed time estimate.
				</p>

				<p>
					 
				</p>

				<p>
					“If it is not technically possible to remediate the vulnerability, or if remediation is cost prohibitive, the [employee] and their management must contact Information Security to obtain a waiver or risk acceptance approval from the CISO,” the SEC explained. “The [employee] did not request a waiver or risk acceptance from the CISO.”
				</p>

				<p>
					 
				</p>

				<p>
					So, someone within First American accepted the risk, but that person neglected to ensure the higher-ups within the company also were comfortable with that risk. It’s difficult not to hum a tune whenever the phrase “accepted the risk” comes up if you’ve ever seen <a href="https://www.youtube.com/watch?v=9IG3zqvUqJY" rel="external nofollow" target="_blank">this excellent infosec industry parody</a>.
				</p>

				<p>
					 
				</p>


				<p>
					 
				</p>

				<p>
					The SEC took aim at First American because a few days after our May 24, 2019 story ran, the company issued an 8-K filing with the agency stating First American had no prior indication of any vulnerability.
				</p>

				<p>
					 
				</p>

				<p>
					“That statement demonstrated that First American’s senior management was not properly informed of the prior report of a vulnerability and a failure to remediate the problem,” <a href="https://www.jdsupra.com/legalnews/first-american-financial-corporation-1557953/" rel="external nofollow" target="_blank">wrote</a> Michael Volkov, a 30-year federal prosecutor who now runs The Volkov Law Group in Washington, D.C.
				</p>

				<p>
					 
				</p>

				<p>
					Reporting for Reuters Regulatory Intelligence, Richard Satran says the SEC charged First American with violating <a href="https://regintel.thomsonreuters.com/#accelus/ri/%7B%22location%22%3A%22%23ri%2Fdocument%2FIB24519D3415811E7BBBE00FF10906607%2Fview%2F%257B%2522searchId%2522%253A%2522i0ad69f050000017a11d5ee5bd08edb08%2522%252C%2522resultId%2522%253A%2522i0ad818130000017a11d5e8c5cda6b79f%2522%252C%2522contentType%2522%253A%2522Regulatory%2520Guidance%2520Summaries%2522%252C%2522contentTypeSearchId%2522%253A%2522i0ad69f050000017a11d5e61cd08edaff%2522%252C%2522returnText%2522%253A%2522backToSearch%2522%252C%2522returnTo%2522%253A%2522ri%252Fsearch%252Fi0ad69f050000017a11d5ee5bd08edb08%252Foverview%2522%252C%2522resultsToInclude%2522%253A%2522SUBSCRIBED%2522%252C%2522originType%2522%253A%2522Search%2522%252C%2522originId%2522%253A%2522i0ad69f050000017a11d5ee5bd08edb08%2522%252C%2522highlightTerms%2522%253A%2522240.13a-15%2520Controls%2520and%2520procedures.%2522%252C%2522order%2522%253A%2522RELEVANCE%2522%257D%22%7D" rel="external nofollow" target="_blank">Rule 13a-15(a) of the Exchange Act.</a>
				</p>

				<p>
					 
				</p>

				<p>
					“The rule broadly requires firms involved in securities issuance to have a compliance process in place to assure material information follows securities laws,” Satran wrote. “The SEC avoided getting into the specific details of the breach and instead focused on the way its disclosure was handled.”
				</p>

				<p>
					 
				</p>

				<p>
					<a href="https://www.linkedin.com/in/raschcyber/" rel="external nofollow" target="_blank">Mark Rasch</a>, also a former federal prosecutor in Washington, said the SEC is signaling with this action that it intends to take on more cases in which companies flub security governance in some big way.
				</p>

				<p>
					 
				</p>

				<p>
					“It’s a win for the SEC, and for First American, but it’s hardly justice,” Rasch said. “It’s a paltry fine, and it involves no admission of guilt by First American.”
				</p>

				<p>
					 
				</p>

				<p>
					Rasch said First American’s first problem was labeling the weakness as a medium risk.
				</p>

				<p>
					 
				</p>

				<p>
					“This is lots of sensitive data you’re exposing to anyone with a web browser,” Rasch said. “That’s a high-risk vulnerability. It also means you probably don’t know whether or not anyone has accessed that data. There’s no way to tell unless you can go back through all your logs all those years.”
				</p>

				<p>
					 
				</p>

				<p>
					The SEC said the 800 million+ records had been publicly available on First American’s website since 2013. In August 2019, the company said a third-party investigation into the exposure identified just 32 consumers whose non-public personal information likely was accessed without authorization.
				</p>

				<p>
					 
				</p>

				<p>
					When KrebsOnSecurity asked how long it maintained access logs or how far back in time that review went, First American declined to be more specific, saying only that its logs covered a period that was typical for a company of its size and nature.
				</p>

				<p>
					 
				</p>

				<p>
					However, documents from New York financial regulators show First American was unable to determine whether records were accessed prior to June 2018 (one year prior to fixing the weakness).
				</p>

				<p>
					 
				</p>

				<p>
					The records exposed by First American would have been a virtual gold mine for phishers and scammers involved in Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to <a href="https://krebsonsecurity.com/2017/04/blind-trust-in-email-could-cost-you-your-home/" rel="external nofollow" target="_blank">trick property buyers into wiring funds to fraudsters</a>. According to the FBI, BEC scams are the most costly form of cybercrime today.
				</p>

				<p>
					 
				</p>

				<p>
					First American is not out of the regulatory woods yet from this enormous data leak. In July 2020, the New York State Department of Financial Services <a href="https://krebsonsecurity.com/2020/07/ny-charges-first-american-financial-for-massive-data-leak/" rel="external nofollow" target="_blank">announced the company was the target of their first ever cybersecurity enforcement action</a> in connection with the incident, charges that could bring steep financial penalties. That inquiry is ongoing.
				</p>

				<p>
					 
				</p>

				<p>
					The DFS considers each instance of exposed personal information a separate violation, and the company faces penalties of up to $1,000 per violation. According to the SEC, First American’s EaglePro database contained tens of millions of document images that included non-public personal information.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/06/first-american-financial-pays-farcical-500k-fine/" rel="external nofollow">First American Financial Pays Farcical $500K Fine</a>
</p>
]]></description><guid isPermaLink="false">715</guid><pubDate>Fri, 18 Jun 2021 21:56:08 +0000</pubDate></item><item><title>Fake DarkSide gang targets energy, food industry in extortion emails</title><link>https://nsaneforums.com/news/security-privacy-news/fake-darkside-gang-targets-energy-food-industry-in-extortion-emails-r714/</link><description><![CDATA[<h1>
	Fake DarkSide gang targets energy, food industry in extortion emails
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Threat actors impersonate the now-defunct DarkSide Ransomware operation in fake extortion emails sent to companies in the energy and food sectors.
	</p>

	<p>
		 
	</p>

	<p>
		The <a href="https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/" target="_blank" rel="external nofollow">DarkSide ransomware operation</a> launched in August 2020, targeting corporate networks and demanding millions of dollars for a decryptor and a promise not to release stolen data.
	</p>

	<p>
		 
	</p>

	<p>
		After <a href="https://www.bleepingcomputer.com/news/security/largest-us-pipeline-shuts-down-operations-after-ransomware-attack/" target="_blank" rel="external nofollow">hitting Colonial Pipeline</a>, the largest fuel pipeline in the US, the ransomware gang was thrust into the spotlight, with the US government and law enforcement shifting their focus to the group.
	</p>

	<p>
		 
	</p>

	<p>
		This increased scrutiny by law enforcement led to <a href="https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-operation-shuts-down/" target="_blank" rel="external nofollow">DarkSide suddenly shutting down its operation</a> in May out of fear of being arrested.
	</p>

	<p>
		 
	</p>

	<p>
		Since then, there has been no additional activity from the group or its known aliases.
	</p>

	<h2>
		Extortionists impersonate DarkSide gang
	</h2>

	<p>
		In a new report, Trend Micro researchers reveal that a new extortion campaign started in June where threat actors are impersonating the DarkSide ransomware gang.
	</p>

	<p>
		 
	</p>

	<p>
		"Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide," <a href="https://www.trendmicro.com/en_us/research/21/f/fake-darkside-campaign-targets-energy-and-food-sectors.html" rel="external nofollow" target="_blank">explains</a> Trend Micro researcher Cedric Pernet.
	</p>

	<p>
		 
	</p>

	<p>
		"In this email, the threat actor claims that they have successfully hacked the target's network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid."
	</p>

	<p>
		 
	</p>

	<p>
		This new extortion campaign consists of emails sent to companies or through their website contact forms that state the ransomware gang hacked the company's servers and stole data during the attack. The email says that the company must pay 100 bitcoins to an enclosed bitcoin address, or threat actors will publicly release the documents.
	</p>

	<p>
		 
	</p>

	<p>
		You can read the entire extortion message below:
	</p>

	<blockquote>
		<p>
			Hi, this is DarkSide.
		</p>

		<p>
			 
		</p>

		<p>
			It took us a lot of time to hack your servers and access all your accounting reporting. Also, we got access to many financial documents and other data that can greatly affect your reputation if we publish them.
		</p>

		<p>
			It was difficult, but luck was helped by us - one of your employees is extremely unqualified in network security issues. You could hear about us from the press - recently we held a successful attack on the Colonial Pipeline.
		</p>

		<p>
			 
		</p>

		<p>
			For non-disclosure of your confidential information, we require not so much - 100 bitcoins. Think about it, these documents may be interested not only by ordinary people, but also the tax service and other organizations, if they are in open access ... We are not going to wait long - you have several days.
		</p>

		<p>
			 
		</p>

		<p>
			Our bitcoin wallet - bc1qcwrl3yaj8pqevj5hw3363tycx2x6m4nkaaqd5e
		</p>
	</blockquote>

	<p>
		According to Trend Micro, all of the emails use the same bitcoin address. An extortion demand submitted through a site's contact form and seen by BleepingComputer showed that this bitcoin address is bc1qcwrl3yaj8pqevj5hw3363tycx2x6m4nkaaqd5e.
	</p>

	<p>
		 
	</p>

	<p>
		At this time, the bitcoin address has seen no payments and will likely not in the future, considering the ridiculous $3.6 million bitcoin demand.
	</p>

	<p>
		 
	</p>

	<p>
		Trend Micro states that the emails they have seen are being sent from the darkside@99email[.]xyz and darkside@solpatu[.]space email addresses, with the 99email.xyz account being a throwaway email account service.
	</p>

	<p>
		 
	</p>

	<p>
		It is not clear why the wannabe extortionists are only targeting the food and energy sector, but it is believed to be because recent attacks in those industries have been quick to pay a ransom.
	</p>

	<div>
		<figure>
			<img alt=" The industries targeted by the fake DarkSide campaign" data-ratio="51.94" style="width: 720px; height: auto;" width="720" src="https://www.bleepstatic.com/images/news/ransomware/d/darkside/fake-extortion-emails/Figure_2_Fake_DarkSide%5B1%5D.jpg">
			<figcaption>
				 The industries targeted by the fake DarkSide campaign<br>
				Source: Trend Micro
			</figcaption>
		</figure>
	</div>

	<p>
		After Colonial Pipeline was attacked, the company paid a $4.4 million ransom to DarkSide, with the <a href="https://www.bleepingcomputer.com/news/security/us-recovers-most-of-colonial-pipelines-44m-ransomware-payment/" target="_blank" rel="external nofollow">majority of the ransom later recovered by the FBI</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Likewise, meat producer <a href="https://www.bleepingcomputer.com/news/security/jbs-paid-11-million-to-revil-ransomware-225m-first-demanded/" target="_blank" rel="external nofollow">JBS paid $11 million to REvil</a> after a ransomware attack.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/fake-darkside-gang-targets-energy-food-industry-in-extortion-emails/" rel="external nofollow">Fake DarkSide gang targets energy, food industry in extortion emails</a>
</p>
]]></description><guid isPermaLink="false">714</guid><pubDate>Fri, 18 Jun 2021 21:52:53 +0000</pubDate></item><item><title>Cybereason: 80% of orgs that paid the ransom were hit again</title><link>https://nsaneforums.com/news/security-privacy-news/cybereason-80-of-orgs-that-paid-the-ransom-were-hit-again-r712/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>Cybereason: 80% of orgs that paid the ransom were hit again</strong></span>
</p>

<p>
	 
</p>

<p>
	Ransomware attacks are on the rise globally as cybercriminals adopt more sophisticated tactics. The Federal Bureau of Investigation reported a 225% increase in total losses from ransomware in the United States in 2020. According to Cybersecurity Ventures, businesses are under attack every 11 seconds, on average, and damage losses are projected to reach $20 billion worldwide. Against this backdrop, the Cybereason Global Ransomware Study measured how much financial and reputational damage these attacks wreak on businesses.
</p>

<p>
	 
</p>

<p>
	Dealing with the aftermath of a ransomware attack can be complicated and costly. The vast majority of organizations experienced significant business impact due to ransomware attacks, including loss of revenue (66%), damage to the organization’s brand (53%), unplanned workforce reductions (29%), and even closure of the business altogether (25%).
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="graph-image-01.jpg?w=700&amp;resize=700,258&amp;" class="ipsImage" data-ratio="36.86" height="258" width="700" src="https://venturebeat.com/wp-content/uploads/2021/06/graph-image-01.jpg?w=700&amp;resize=700,258&amp;strip=all" />
</p>

<p style="text-align:center;">
	<em><span style="font-size:12px;">Above: This table provides a side-by-side comparison of which solutions were in place that may have protected organizations from a ransomware attack and the investments made by organizations after an attack.</span></em>
</p>

<p style="text-align:center;">
	<em><span style="font-size:12px;">Image Credit: Cybereason</span></em>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	After an organization experienced a ransomware attack, the top 5 solutions implemented included security awareness training (48%), security operations (SOC) (48%), endpoint protection (44%), data backup and recovery (43%), and email scanning (41%). The least deployed solutions post-attack included web scanning (40%), endpoint detection and response (EDR) and extended detection and response (XDR) technologies (38%), antivirus software (38%), mobile and SMS security solutions (36%), and managed security services provider (MSSP) or managed detection and response (MDR) provider (34%). Only 3% of respondents said they did not make any new security investments after a ransomware attack.
</p>

<p>
	 
</p>

<p>
	Cybereason’s study found that the majority of organizations that chose to pay ransom demands in the past were not immune to subsequent ransomware attacks, often by the same threat actors. In fact, 80% of organizations that paid the ransom were hit by a second attack, and almost half were hit by the same threat group.
</p>

<p>
	 
</p>

<p>
	This study offers insight into the business impact of ransomware attacks across key industry verticals and reveals data that can be leveraged to improve ransomware defenses. For example, after an organization experienced a ransomware attack, the top two solutions implemented included security awareness training (48%) and security operations (48%). This research underscores that prevention is the best strategy for managing ransomware risk and ensuring your organization does not fall victim to a ransomware attack in the first place.
</p>

<p>
	 
</p>

<p>
	1,263 cybersecurity professionals took part in the study commissioned by Cybereason and fielded by Censuswide, with participants in varying industries from the United States, United Kingdom, Spain, Germany, France, United Arab Emirates, and Singapore.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://venturebeat.com/2021/06/16/cybereason-80-of-orgs-that-paid-the-ransom-were-hit-again/" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">712</guid><pubDate>Fri, 18 Jun 2021 17:50:13 +0000</pubDate></item><item><title>US supermarket chain Wegmans notifies customers of data breach</title><link>https://nsaneforums.com/news/security-privacy-news/us-supermarket-chain-wegmans-notifies-customers-of-data-breach-r711/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>US supermarket chain Wegmans notifies customers of data breach</strong></span>
</p>

<p>
	 
</p>

<p>
	Wegmans Food Markets notified customers that some of their information was exposed after the company became aware that two of its databases were publicly accessible on the Internet because of a configuration issue.
</p>

<p>
	 
</p>

<p>
	Wegmans is a 106-store major regional supermarket chain with stores in the mid-Atlantic and Northeastern regions (i.e., New York, Pennsylvania, New Jersey, Virginia, Maryland, Massachusetts, and North Carolina).
</p>

<p>
	 
</p>

<p>
	The store chain was founded in 1916, and it is one of the largest private companies in the US, employing more than 50,000 people.
</p>

<p>
	 
</p>

<p>
	<strong>No payment information exposed in the incident</strong>
</p>

<p>
	<br />
	"We recently became aware that, due to a previously undiscovered configuration issue, two of our cloud databases, which are used for business purposes and are meant to be kept internal to Wegmans, were inadvertently left open to potential outside access," the supermarket chain said in a press release.
</p>

<p>
	 
</p>

<p>
	"This issue was first brought to our attention by a third-party security researcher and we then confirmed the configuration problem, beginning on or about April 19, 2021."
</p>

<p>
	 
</p>

<p>
	After the data breach was discovered, Wegmans hired a leading forensics firm to investigate the incident and correct the database misconfiguration.
</p>

<p>
	 
</p>

<p>
	Customer information exposed in the data breach included names, addresses, phone numbers, birth dates, Shoppers Club numbers, and Wegmans.com account e-mail addresses and passwords.
</p>

<p>
	 
</p>

<p>
	However, according to Wegmans, the passwords in the databases were both hashed and salted, and the actual passwords were not stored in the unsecured databases.
</p>

<p>
	 
</p>

<p>
	"Social security numbers were not impacted (Wegmans does not collect this information from its customers) nor was any payment card or banking information involved," the company added.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>Although all affected Wegmans.com passwords were protected through hashing, as a conservative measure, you can change the password to your Wegmans.com account, as well as for any other account for which you use the same password. It is generally a good idea to use a unique password for each online account you may have. - Wegmans</em>
</p>

<p>
	 
</p>

<p>
	<strong>Credential stuffing attack warning three months earlier</strong>
</p>

<p>
	<br />
	In late March, the supermarket chain also notified customers of credential stuffing attacks using credentials stolen from other online services and affecting more than 2,7000 accounts in January.
</p>

<p>
	 
</p>

<p>
	"It is likely that your login credentials were taken from another source, for example, the compromise of another company or website, where you may have used the same or similar login credentials," the company said in a notification letter sent to impacted customers in March.
</p>

<p>
	 
</p>

<p>
	"This is known as a 'credential stuffing' attack, which can occur when individuals use the same login credentials on multiple websites."
</p>

<p>
	 
</p>

<p>
	After discovering the incident in mid-February, Wegmans found that the attackers could gain access to names, phone numbers, addresses, dates of birth, and Wegmans Shoppers Club Numbers associated with the compromised Wegmans.com accounts.
</p>

<p>
	 
</p>

<p>
	Credit or debit card payment information was not exposed in the incident because Wegmans does not store such info on their servers.
</p>

<p>
	 
</p>

<p>
	Wegmans also blocked the attacker's access by forcing a password reset for all affected accounts to prevent future logins.
</p>

<p>
	 
</p>

<p>
	Impacted customers were also advised not to use the same credentials (i.e., emails and passwords) for multiple online platforms, including email, banking, social media, and other retailer accounts.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/us-supermarket-chain-wegmans-notifies-customers-of-data-breach/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">711</guid><pubDate>Fri, 18 Jun 2021 15:23:25 +0000</pubDate></item><item><title>Russia bans VyprVPN, Opera VPN services for not complying with blacklist request</title><link>https://nsaneforums.com/news/security-privacy-news/russia-bans-vyprvpn-opera-vpn-services-for-not-complying-with-blacklist-request-r709/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Russia bans VyprVPN, Opera VPN services for not complying with blacklist request</strong></span>
</p>

<p>
	 
</p>

<p>
	Russia's telecommunications and media regulator Roskomnadzor (RKN) on Thursday introduced restrictions on the operation of VyprVPN and Opera VPN services in the country.
</p>

<p>
	 
</p>

<p>
	"In accordance with the regulation on responding to threats to circumvent restrictions on access to child pornography, suicidal, pro-narcotic and other prohibited content, restrictions on the use of VPN services VyprVPN and Opera VPN will be introduced from June 17, 2021," the state agency said in a statement.
</p>

<p>
	 
</p>

<p>
	The watchdog described them as threats in accordance with the Decree of the Government of the Russian Federation No. 127 dated February 12, adding the restrictions will not affect Russian companies using VPN services in continuous technological processes.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="russia.jpg" class="ipsImage" data-ratio="51.67" height="367" width="720" src="https://thehackernews.com/images/-1LUDuUM_HxE/YMyZh5h29mI/AAAAAAAAC6s/ts22CLIwtasCHamIXwOOl7eo0MbQKuiCgCLcBGAsYHQ/s728-e1000/russia.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The development comes a little over a month after RKN sent a request to enterprises and organizations that use the two VPN services to inform the Center for Monitoring and Management of the Public Telecommunications Network and seek exceptions so as to avoid disruptions to their business operations.
</p>

<p>
	 
</p>

<p>
	The agency said more than 200 technological processes associated with 130 Russian companies are included in the "white lists."
</p>

<p>
	 
</p>

<p>
	On March 28, 2019, the Russian government required VPNs, anonymizers, and search engine operators to ensure that they block sites included on Roskomnadzor's regularly updated register of banned sites through the Federal State Information System (FSIS).
</p>

<p>
	 
</p>

<p>
	To that effect, ten providers of virtual private network (VPN) servers — including NordVPN, Hide My Ass (HMA), Hola VPN, OpenVPN, VyprVPN, ExpressVPN, TorGuard, IPVanish, Kaspersky Secure Connection, and VPN Unlimited — were mandated to connect to the national blocklist.
</p>

<p>
	 
</p>

<p>
	According to Russian news agency Interfax, Kaspersky Lab was the only company that complied with the request. Avast, another cybersecurity vendor, exited the VPN market following the order.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/russia-bans-vyprvpn-opera-vpn-services.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">709</guid><pubDate>Fri, 18 Jun 2021 13:57:46 +0000</pubDate></item><item><title>Bank, airline web outage 'not caused' by cyberattack</title><link>https://nsaneforums.com/news/security-privacy-news/bank-airline-web-outage-not-caused-by-cyberattack-r705/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>Bank, airline web outage 'not caused' by cyberattack</strong></span>
</p>

<p>
	 
</p>

<p>
	A major online outage that hit bank and airline websites on both sides of the Pacific was not caused by a cyberattack, the tech provider responsible said Friday.
</p>

<p>
	 
</p>

<p>
	In a statement, US-based Akamai said around 500 of its customers were briefly knocked offline on Thursday because of a problem with one of its online security products.
</p>

<p>
	 
</p>

<p>
	The outage hit American, Delta, United and Southwest Airlines and most of Australia's major banks, leaving customers unable to access websites and mobile apps.
</p>

<p>
	 
</p>

<p>
	Akamai said the problem was resolved in just over four hours, although most websites experienced problems for around an hour.
</p>

<p>
	 
</p>

<p>
	"The issue was not caused by a system update or a cyberattack," Akamai said, adding the issue had been narrowed down to a data routing problem that had now been fixed.
</p>

<p>
	 
</p>

<p>
	It is the latest incident to draw attention to the stability of economically vital online platforms and the key role that a handful of little-known "CDN"—content delivery network—companies play in keeping the web running.
</p>

<p>
	 
</p>

<p>
	Last week, US media and government websites, including the White House, New York Times, Reddit and Amazon were temporarily hit after a glitch with cloud computing services provider Fastly.
</p>

<p>
	 
</p>

<p>
	Fastly offers a service to speed up loading times for websites.
</p>

<p>
	 
</p>

<p>
	Akamai offers a range of similar IT products designed to boost online performance and security.
</p>

<p>
	 
</p>

<p>
	The firm said this problem was linked to a product that prevents DDoS attacks—an often crude cyberattack that knocks websites out by peppering them with requests for data.
</p>

<p>
	 
</p>

<p>
	"Many of the approximately 500 customers using this service were automatically rerouted, which restored operations within a few minutes," the company said.
</p>

<p>
	 
</p>

<p>
	"The large majority of the remaining customers manually rerouted shortly thereafter."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-06-bank-airline-web-outage-cyberattack.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">705</guid><pubDate>Fri, 18 Jun 2021 13:42:04 +0000</pubDate></item><item><title>Three big questions about Facebook&#x2019;s new VR ads</title><link>https://nsaneforums.com/news/security-privacy-news/three-big-questions-about-facebook%E2%80%99s-new-vr-ads-r699/</link><description><![CDATA[<div>
	<div>
		<div>
			<h1>
				Three big questions about Facebook’s new VR ads
			</h1>
		</div>

		<p>
			<strong>Lots of people saw this coming, but what will it look like? </strong>
		</p>
	</div>
</div>

<div>
	<div>
		<figure>
			<img alt="Advertisement within the Oculus Quest game Blaston." data-ratio="75.10" data-upload-width="1600" src="https://cdn.vox-cdn.com/thumbor/_uWG2Iqm8_y89_BOmpusC-ra0jw=/0x0:1600x900/1200x800/filters:focal(672x322:928x578)/cdn.vox-cdn.com/uploads/chorus_image/image/69468004/image001.0.png">
		</figure>

		<div>
			<p id="HcvxhP">
				Yesterday, Facebook took a leap many people have been predicting for years: it started <a href="https://www.theverge.com/2021/6/16/22535511/facebook-ads-oculus-quest-vr-apps" rel="external nofollow">putting ads inside virtual reality</a>. The company launched a limited test of advertisements inside three Oculus Quest apps, saying it would expand the system based on user feedback. The move is a turning point for Oculus, bringing one of Facebook’s most controversial features into a medium that inspires both idealism and alarm. And it raises three big questions about Facebook’s future and immersive computing.
			</p>

			<p>
				 
			</p>

			<p id="xfQqaZ">
				The first question is how deeply Facebook will end up linking advertising with hardware sensor data. Even more than smartphones, Oculus Quest headsets are a <a href="https://theintercept.com/2016/12/23/virtual-reality-allows-the-most-detailed-intimate-digital-surveillance-yet/" rel="external nofollow">gold mine of information</a> about you. They capture precise head and hand motion, pictures of your surroundings through tracking cameras, and microphone audio for Facebook’s voice command system. Future headsets will likely include even more intimate features like eye tracking, which would offer incredibly precise metrics on what captures your attention in VR.
			</p>

			<p>
				 
			</p>

			<p id="mMTzRB">
				Right now, Facebook says much of this data either never leaves your headset or is completely segmented from its advertising system, and it says it has “no plans” to do things like target ads based on movement data. But as Facebook moves deeper into virtual and augmented reality, using its hardware’s special features for advertising will become an increasingly attractive prospect.
			</p>

			<p>
				 
			</p>

			<p id="Myuua1">
				Facebook is reportedly <a href="https://www.theverge.com/2021/2/12/22280798/facebook-smartwatch-messaging-health-fitness-release-date" rel="external nofollow">working on a fitness tracker</a> and has discussed <a href="https://www.theverge.com/2020/9/3/21418353/facebook-reality-labs-vr-ar-glasses-audio-experiment-perceptional-superpowers" rel="external nofollow">building AR glasses</a> that you’ll use to interact with the world. These products are custom-built to produce quantifiable insights about your body and surroundings, and it’s hard to believe Facebook doesn’t have plans to monetize that — even if <a href="https://www.theverge.com/22221251/facebook-reality-labs-boz-andrew-bosworth-interview-privacy-moderation-horizon-ar-vr" rel="external nofollow">Facebook Reality Labs head Andrew Bosworth</a> has said the company is “not really focused on business model” questions for experimental hardware. Oculus is Facebook’s first big test case for advertising on its own computing device, and as it expands ads on VR and other hardware, we’ll see how it handles the wealth of new data types it’s collecting.
			</p>

			<p>
				 
			</p>

			<p id="ZHoC1e">
				The second question is how ads will affect VR development. Several of the bestselling VR titles right now feel like substantive console or PC games and sell at a similar price. By contrast, it’s not yet clear which app genres work well with an ad-based model. (Blaston, the first game we know includes ads, is a <a href="https://www.roadtovr.com/blaston-impression-vr-dueling-bullet-hell/" rel="external nofollow">multiplayer dueling game</a> that you play in short competitive bouts.) Whatever those genres are, Facebook just created an incentive to make a lot more of them, since developers get a cut of the revenue involved.
			</p>

			<p>
				 
			</p>

			<p id="8BPnKF">
				It’s easy to imagine dystopian scenarios like a huge library of attention-grabbing but low-quality games and social apps plastered with pop-ups, or the seizure-inducing corporate hellscape <a href="https://www.youtube.com/watch?v=KpPE85Jogjw" rel="external nofollow">from Ready Player One</a>. It doesn’t help that Facebook’s first tests look like flat banner ads from a website or freeware game. That said, Facebook is notoriously picky about what goes into the Quest library and there’s no indication that will change soon.
			</p>

			<p>
				 
			</p>

			<p id="yZxyts">
				We also don’t know VR advertising’s final form. Facebook says it’s currently exploring “new ad formats that are unique to VR.” It didn’t specify what that looked like, but for one nontraditional ad platform, we could look at Fortnite — a popular virtual world from a studio with an impeccable gaming pedigree, and one of the <a href="https://www.polygon.com/2019/5/23/18635920/fortnite-jumpman-john-wick-marvel-brand-advertisement" rel="external nofollow">most effective ad delivery systems</a> in the modern cultural landscape. (A system where players pay to promote the intellectual property of multinational media conglomerates is possibly also dystopian, but in a way most people seem okay with.) Modern consumer VR headsets have been <a href="https://www.theverge.com/2016/3/14/11214484/mcdonalds-vr-htc-vive-sxsw-2016-capitalist-dystopia" rel="external nofollow">full of ads</a> since practically the beginning, thanks to promotional tie-ins and sponsorships. Yesterday’s news was just the latest iteration of a long-running trend.
			</p>

			<p>
				 
			</p>

			<p id="CR1WqU">
				This iteration, though, has a big Facebook-shaped wrinkle. The Quest ads are served based on data from your Facebook profile, and Facebook’s hyper-personalization is one of its most controversial features — criticized in general as a <a href="https://www.nytimes.com/2019/11/22/technology/campaigns-pressure-facebook-political-ads.html" rel="external nofollow">tool for social division</a> and more specifically for <a href="https://www.theverge.com/2020/8/26/21403025/facebook-discriminatory-ads-housing-job-credit-hud" rel="external nofollow">enabling discrimination</a>. Beyond any larger social effects, if you’re sharing a headset with friends and family, it could feel simply invasive to have them see what Facebook thinks you’re into. You can <a href="https://www.theverge.com/2021/2/18/22289577/facebook-rolling-out-multi-user-support-oculus-quest-2" rel="external nofollow">add multiple accounts</a> to a Quest headset, but the feature is experimental and it’s not clear how many users know about it.
			</p>

			<p>
				 
			</p>

			<p>
				And that raises the third question: how will Facebook and its critics address general concerns about “Big Tech” in the realm of VR? Should Facebook, for example, ban specific kinds of ads — or methods of ad delivery — from appearing in headsets? And should consumer protection watchdogs look specifically at how ads work inside the Oculus platform, which they’ve largely ignored when scrutinizing Facebook?
			</p>

			<p>
				 
			</p>

			<p>
				It wasn’t hard to see these debates coming. Facebook has wanted to own the next computing platform for years, and its vision of computing relies a lot on advertising. Oculus founder Palmer Luckey once promised that <a href="https://twitter.com/kevinroose/status/1405248117830602756" rel="external nofollow">Oculus wouldn’t</a> “flash ads at you” inside VR, but he (along with Oculus’ other early executives) left the company years ago. Bosworth <a href="https://uploadvr.com/the-oculus-rift-will-be-ad-free-so-long-as-developers-want-it-that-way/" rel="external nofollow">said in 2015</a> that the Oculus experience “should include ads, because life includes ads.”
			</p>

			<p>
				 
			</p>

			<p id="wXEPOy">
				But Facebook says it’s not just barreling ahead with a long-held master plan — instead, it promises it’s looking at feedback as it moves forward with VR advertising. As VR gets closer to Facebook’s core business, Quest users and developers will get to see if the company keeps that promise.
			</p>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2021/6/17/22537349/facebook-vr-oculus-quest-ads-privacy-questions-analysis" rel="external nofollow">Three big questions about Facebook’s new VR ads</a>
</p>
]]></description><guid isPermaLink="false">699</guid><pubDate>Thu, 17 Jun 2021 22:04:22 +0000</pubDate></item><item><title>2021 looks to become another record year for the DuckDuckGo search engine</title><link>https://nsaneforums.com/news/security-privacy-news/2021-looks-to-become-another-record-year-for-the-duckduckgo-search-engine-r696/</link><description><![CDATA[<h1>
	2021 looks to become another record year for the DuckDuckGo search engine
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Can a privacy-focused search engine survive on today's Internet? It appears that it can, as DuckDuckGo is looking to end the year 2021 with another record-breaking traffic increase.
	</p>

	<p>
		 
	</p>

	<p>
		I have followed the rise of DuckDuckGo since 2012, when I announced here on this site that it <a data-wpel-link="internal" href="https://www.ghacks.net/2012/02/02/why-i-switched-to-the-duck-duck-go-search-engine/" rel="external nofollow">became my primary search engine</a>. I had plenty of reasons for that, but privacy was the main one.
	</p>

	<p>
		 
	</p>

	<p>
		<a data-wpel-link="internal" href="https://www.ghacks.net/2013/06/13/duckduckgos-traffic-surges-after-prism-news-broke/" rel="external nofollow">Then came PRISM</a>, and DuckDuckGo's traffic started to rise a lot. Back in 2013, traffic rose to more than 2 million queries per day, a small number for search engine heavyweight Google Search, but an important milestone for the DuckDuckGo search engine.
	</p>

	<p>
		 
	</p>

	<p>
		In 2015, <a data-wpel-link="internal" href="https://www.ghacks.net/2015/12/09/duckduckgo-startpage-and-ixquick-search-engines-are-doing-well/" rel="external nofollow">DuckDuckGo reported</a> that it crossed the 10 million daily searches mark, <a data-wpel-link="internal" href="https://www.ghacks.net/2021/01/18/duckduckgo-search-engines-rise-continues-as-it-hits-100-million-search-queries-for-the-first-time/" rel="external nofollow">and this year</a> (2021), it managed to cross the 100 million searches mark for the first time.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="duckduckgo growth" data-ratio="75.10" loading="lazy" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/duckduckgo-growth.jpg">
	</p>

	<p>
		 
	</p>

	<p>
		If you look at the reported traffic figures for 2019 and 2020, you get about 15 billion queries in 2019 and 23.6 billion in 2020.
	</p>

	<p>
		 
	</p>

	<p>
		Here is the year-by-year listing from 2015 to 2020.
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			2015 -- 3.1 billion
		</li>
		<li>
			2016 -- 4.0 billion
		</li>
		<li>
			2017 -- 5.9 billion
		</li>
		<li>
			2018 -- 9.2 billion
		</li>
		<li>
			2019 -- 15.0 billion
		</li>
		<li>
			2020 -- 23.6 billion
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		Now, in 2021, it looks as if the search engine will report another record year. It is mid-June right now, and traffic is already at 16.0 billion queries. With six months to go, it is very likely that the 30 billion mark will be crossed this year, and that traffic will end somewhere between 32 and 34 billion queries for the year.
	</p>

	<p>
		 
	</p>

	<p>
		The search engine <a data-wpel-link="external" href="https://spreadprivacy.com/duckduckgrowing/" rel="external nofollow" target="_blank">announced</a> plans today to accelerate the growth further. The company plans to release its first desktop application, which it states can be used as a primary browser. DuckDuckGo did not reveal any details on its new browser project. It is likely that it will be based on Chromium, but there is also a chance that Firefox might be its base. If the former is true, it will be interesting to see how it fares against other privacy browsers such as Brave or Vivaldi. Brave, on the other hand, is testing its own search engine that is focused on privacy.
	</p>

	<p>
		 
	</p>

	<p>
		Additionally, it wants to add "new privacy protections" to its portfolio of features and tools, including a "cross-platform email privacy solution" and "app tracker blocking on Android devices" later this year to provide even more privacy services to its users (and new ones).
	</p>

	<p>
		 
	</p>

	<p>
		DuckDuckGo has been profitable since 2014 and now generates revenue of over $100 million US dollars.
	</p>

	<p>
		 
	</p>

	<p>
		Now You: which search engine do you use predominantly?
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/06/17/2021-looks-to-become-another-record-year-for-the-duckduckgo-search-engine/" rel="external nofollow">2021 looks to become another record year for the DuckDuckGo search engine</a>
</p>
]]></description><guid isPermaLink="false">696</guid><pubDate>Thu, 17 Jun 2021 21:50:43 +0000</pubDate></item><item><title>Google fixes seventh Chrome zero-day exploited in the wild this year</title><link>https://nsaneforums.com/news/security-privacy-news/google-fixes-seventh-chrome-zero-day-exploited-in-the-wild-this-year-r694/</link><description><![CDATA[<h1>
	Google fixes seventh Chrome zero-day exploited in the wild this year
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Google has released Chrome 91.0.4472.114 for Windows, Mac, and Linux to fix four security vulnerabilities, one of which is a high-severity zero-day vulnerability exploited in the wild.
	</p>

	<p>
		 
	</p>

	<p>
		This version, released today, June 17th, 2021, to the Stable desktop channel, has started rolling out worldwide and will become available to all users over the next few days.
	</p>

	<p>
		 
	</p>

	<p>
		Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings &gt; Help &gt; 'About Google Chrome'.
	</p>
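	<p>
		A fleet-inventory check for this fix, added here as an example (it is not code from the article or from Google): given each host's installed Chrome version, it reports which builds are at or above 91.0.4472.114, the version the advisory names as carrying the CVE-2021-30554 fix. The hostnames and version strings in the sample inventory are constructed, not real data. The point worth seeing is that the comparison must be done on integer components: comparing the raw strings ranks "91.0.4472.77" above "91.0.4472.114" and would report a vulnerable build as patched.
	</p>

```python
"""Added example (not from the BleepingComputer article or Google): check whether a
Chrome build is at or above the stable build that carries the CVE-2021-30554 fix.

Version strings must be compared component-wise as integers: a plain string
comparison ranks "91.0.4472.77" above "91.0.4472.114" and reports a vulnerable
build as patched.
"""
from __future__ import annotations

import re

# Stable-channel build the advisory names as carrying the fix (from the article).
FIXED_VERSION = "91.0.4472.114"

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints; reject anything else."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(p) for p in version.split("."))
    return major, minor, build, patch


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or above the fixed build (tuple comparison)."""
    return parse_version(installed) >= parse_version(fixed)


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {hostname: chrome_version} inventory into patched / vulnerable / unknown."""
    result: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            bucket = "unknown"          # unparseable version: needs a manual look
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and versions; not real data).
SAMPLE_INVENTORY = {
    "ws-01": "91.0.4472.114",   # exactly the fixed build
    "ws-02": "91.0.4472.77",    # same branch, before the fix
    "ws-03": "92.0.4515.40",    # later major release: also carries the fix
    "ws-04": "90.0.4430.212",   # older branch, unpatched
    "ws-05": "n/a",             # inventory agent returned nothing usable
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

	<p>
		Feed it whatever your inventory tool exports (a CSV of hostname and version is enough); hosts that land in "unknown" are the ones that have not reported a parseable version and should be treated as unpatched until checked.
	</p>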

	<h2>
		No details on zero-day attacks in the wild
	</h2>

	<p>
		"Google is aware that an exploit for CVE-2021-30554 exists in the wild," the company's announcement <a href="https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html" rel="external nofollow" target="_blank">reads</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The zero-day is a <a href="https://cwe.mitre.org/data/definitions/416.html" rel="external nofollow" target="_blank">use-after-free</a> weakness in WebGL (Web Graphics Library), the JavaScript API the Chrome browser uses to render interactive 2D and 3D graphics without plug-ins.
	</p>

	<p>
		 
	</p>

	<p>
		Successful exploitation of this vulnerability could lead to arbitrary code execution on computers running unpatched Chrome versions.
	</p>

	<p>
		 
	</p>

	<p>
		Although Google says it is aware of in-the-wild exploitation of CVE-2021-30554, it did not share any details about the attacks.
	</p>

	<p>
		 
	</p>

	<p>
		"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," the company said.
	</p>

	<p>
		 
	</p>

	<p>
		"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."
	</p>

	<p>
		 
	</p>

	<p>
		Google fixed three more high severity use after free bugs today in Chrome's Sharing, WebAudio, and TabGroups components, tracked as CVE-2021-30555, CVE-2021-30556, and CVE-2021-30557.
	</p>

	<h2>
		Seventh Chrome zero-day exploited in the wild this year
	</h2>

	<p>
		Today's update fixes the seventh Chrome zero-day exploited in attacks this year; the other six are listed below:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			CVE-2021-21148 - February 4th, 2021
		</li>
		<li>
			CVE-2021-21166 - March 2nd, 2021
		</li>
		<li>
			CVE-2021-21193 - March 12th, 2021
		</li>
		<li>
			CVE-2021-21220 - April 13th, 2021
		</li>
		<li>
			CVE-2021-21224 - April 20th, 2021 
		</li>
		<li>
			CVE-2021-30551 - June 9th, 2021
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		In addition to these zero-days, Kaspersky reported that a <a href="https://www.bleepingcomputer.com/news/security/windows-10-targeted-by-puzzlemaker-hackers-using-chrome-zero-days/" target="_blank" rel="external nofollow">threat actor group known as Puzzlemaker</a> is chaining Chrome zero-day bugs to escape the browser's sandbox and install malware on Windows systems.
	</p>

	<p>
		 
	</p>

	<p>
		"Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server," Kaspersky said.
	</p>

	<p>
		 
	</p>

	<p>
		Project Zero, Google's zero-day bug-hunting team, also unveiled a large-scale operation where<a href="https://www.bleepingcomputer.com/news/security/hacking-group-used-11-zero-days-to-attack-windows-ios-android-users/" target="_blank" rel="external nofollow"> a group of hackers used 11 zero-days</a> to attack Windows, iOS, and Android users within a single year.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-fixes-seventh-chrome-zero-day-exploited-in-the-wild-this-year/" rel="external nofollow">Google fixes seventh Chrome zero-day exploited in the wild this year</a>
</p>
]]></description><guid isPermaLink="false">694</guid><pubDate>Thu, 17 Jun 2021 21:41:24 +0000</pubDate></item><item><title>Audi, Volkswagen customer data being sold on a hacking forum</title><link>https://nsaneforums.com/news/security-privacy-news/audi-volkswagen-customer-data-being-sold-on-a-hacking-forum-r693/</link><description><![CDATA[<h1>
	Audi, Volkswagen customer data being sold on a hacking forum
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Audi and Volkswagen customer data is being sold on a hacking forum after allegedly being stolen from an exposed Azure Blob storage container.
	</p>

	<p>
		 
	</p>

	<p>
		Last week, the Volkswagen Group of America, Inc. (VWGoA) <a href="https://www.bleepingcomputer.com/news/security/audi-volkswagen-data-breach-affects-33-million-customers/" target="_blank" rel="external nofollow">disclosed a data breach</a> after a vendor left customer data unsecured on the Internet between August 2019 and May 2021.
	</p>

	<p>
		 
	</p>

	<p>
		"The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number," disclosed VWGoA in a <a href="https://apps.web.maine.gov/online/aeviewer/ME/40/393b88dc-2f68-4aa7-8d97-f4b26ca58904.shtml" rel="external nofollow" target="_blank">data breach notification</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages."
	</p>

	<p>
		 
	</p>

	<p>
		The data breach involved 3.3 million customers for Audi, Volkswagen, and some authorized dealers in the USA and Canada.
	</p>

	<h2>
		Stolen data sold on a hacking forum
	</h2>

	<p>
		On June 14th, a known seller of data stolen during data breaches put the Audi and Volkswagen data up for sale on a popular hacking forum.
	</p>

	<p>
		 
	</p>

	<p>
		According to a post on the forum, the sold data consists of over 5 million records, with 3,862,231 records being leads and 1,792,278 records in the sales database.
	</p>

	<div>
		<figure>
			<img alt="Audi data for sale on a hacking forum" data-ratio="61.94" style="width: 720px; height: 446px;" width="720" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/a/audi/forum-post.jpg">
			<figcaption>
				Audi data for sale on a hacking forum
			</figcaption>
		</figure>
	</div>

	<p>
		While the leads database contains contact information and phone numbers for prospective buyers, the seller states that the sales database contains a great deal more, including VINs, business numbers, and information about the driver and the vehicle.
	</p>

	<p>
		 
	</p>

	<p>
		According to Vice, who <a href="https://www.vice.com/en/article/xgxaq4/hackers-are-selling-data-stolen-from-audi-and-volkswagen" rel="external nofollow" target="_blank">first reported</a> on the sale of this data, the hacker said they accessed the exposed data in March after finding it in an unsecured Azure Blob container.
	</p>

	<p>
		 
	</p>

	<p>
		The hackers are asking between $4,000 and $5,000 for all of the records and said the database does not contain any customers' social security numbers.
	</p>

	<p>
		 
	</p>

	<p>
		The threat actor had previously told BleepingComputer that they were selling the database for a VPN service provider with multiple Android apps on the Google Play Store for $1,000.
	</p>

	<p>
		 
	</p>

	<p>
		They also claimed responsibility for a <a href="https://www.discusscooking.com/forums/f17/copy-me-that-data-breach-106753.html" rel="external nofollow" target="_blank">data breach</a> at the popular recipe site, Copy Me That.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/audi-volkswagen-customer-data-being-sold-on-a-hacking-forum/" rel="external nofollow">Audi, Volkswagen customer data being sold on a hacking forum</a>
</p>
]]></description><guid isPermaLink="false">693</guid><pubDate>Thu, 17 Jun 2021 21:38:47 +0000</pubDate></item><item><title>Carnival Cruise hit by data breach, warns of data misuse risk</title><link>https://nsaneforums.com/news/security-privacy-news/carnival-cruise-hit-by-data-breach-warns-of-data-misuse-risk-r692/</link><description><![CDATA[<h1>
	Carnival Cruise hit by data breach, warns of data misuse risk
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Carnival Corporation, the world's largest cruise ship operator, has disclosed a data breach after attackers gained access to some of its IT systems and the personal, financial, and health information belonging to customers, employees, and crew.
	</p>

	<p>
		<a href="https://www.carnivalcorp.com/corporate-information" rel="external nofollow" target="_blank">Carnival</a> is included in both S&amp;P 500 and FTSE 100 stock market indices, has more than 150,000 employees in roughly 150 countries, and provides leisure travel to roughly 13 million guests each year.
	</p>

	<p>
		 
	</p>

	<p>
		The company operates nine of the world's leading cruise line brands (Carnival Cruise Line, Costa, P&amp;O Australia, P&amp;O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard, and Seabourn) and a travel tour company (Holland America Princess Alaska Tours).
	</p>

	<h2>
		Data misuse risk warning
	</h2>

	<p>
		"Unauthorized third-party access to a limited number of email accounts was detected on March 19, 2021," the cruise line operator giant says in a <a href="https://www.documentcloud.org/documents/20949884-carnival-march-bc-data-breach-notice" rel="external nofollow" target="_blank">data breach notification letter</a> recently sent to affected customers.
	</p>

	<p>
		 
	</p>

	<p>
		However, Carnival's SVP &amp; Chief Communications Officer Roger Frizzell told BleepingComputer after the article was published that the attackers gained access to "limited portions of its information technology systems."
	</p>

	<p>
		 
	</p>

	<p>
		"It appears that in mid-March, the unauthorized third-party gained access to certain personal information relating to some of our guests, employees, and crew.
	</p>

	<p>
		 
	</p>

	<p>
		"The impacted information includes data routinely collected during the guest experience and travel booking process or through the course of employment or providing services to the Company, including COVID or other safety testing."
	</p>

	<p>
		 
	</p>

	<p>
		According to Carnival, the accessed information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited instances, additional personal information like Social Security or national identification numbers.
	</p>

	<p>
		 
	</p>

	<p>
		The cruise line operator also told impacted customers, employees, and crew of Carnival Cruise Line, Holland America Line, Princess Cruises, and its medical operations that it found evidence indicating "a low likelihood of the data being misused."
	</p>

	<h2>
		Hit by ransomware twice in one year
	</h2>

	<p>
		BleepingComputer previously reported that a ransomware attack also hit Carnival <a href="https://www.bleepingcomputer.com/news/security/worlds-largest-cruise-line-operator-carnival-hit-by-ransomware/" target="_blank" rel="external nofollow">in August 2020</a>, an <a href="https://www.bleepingcomputer.com/news/security/worlds-largest-cruise-line-operator-carnival-hit-by-ransomware/" target="_blank" rel="external nofollow">incident confirmed by the cruise line operator</a> in an 8-K form filed with the US Securities and Exchange Commission (SEC).
	</p>

	<p>
		 
	</p>

	<p>
		Two months later, Carnival said in a separate SEC filing that the ransomware gang behind the August attack <a href="https://www.bleepingcomputer.com/news/security/largest-cruise-line-operator-carnival-confirms-ransomware-data-theft/" target="_blank" rel="external nofollow">gained access to the personal information</a> of both customers and employees during the attack.
	</p>

	<p>
		 
	</p>

	<p>
		Roughly 37,500 individuals were affected by the August ransomware attack, according to information Carnival filed with the Office of the Maine Attorney General.
	</p>

	<p>
		 
	</p>

	<p>
		The August ransomware attack came after a <a href="https://www.bleepingcomputer.com/news/security/carnival-cruise-line-operator-discloses-potential-data-breach/" target="_blank" rel="external nofollow">data breach disclosed in March 2020</a> that also led to the exposure of customers' personal and financial info after threat actors gained access to Carnival employees' email accounts.
	</p>

	<p>
		 
	</p>

	<p>
		In December 2020, Carnival was hit by a second (previously undisclosed) ransomware attack with "investigation and remediation phases" still ongoing, according to a <a href="https://www.documentcloud.org/documents/20949883-carnival-april-7-bc-form-10-q#document/p18/a2040883" rel="external nofollow" target="_blank">10-Q form filed with the SEC in April 2021</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"There is currently no indication of any misuse of information potentially accessed or acquired and we continue to work with regulators to bring these matters and other reportable incidents to conclusion," Carnival said about the December 2020 ransomware incident.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer reported at the time that the German cruise line and Carnival subsidiary AIDA Cruises <a href="https://www.bleepingcomputer.com/news/security/aida-cruises-cancels-trips-due-to-mysterious-it-restrictions/" target="_blank" rel="external nofollow">was dealing with mysterious "IT restrictions"</a> that led to the cancellation of their New Year's Eve cruises.
	</p>

	<p>
		 
	</p>

	<p>
		Costa Crociere, another Carnival subsidiary, was also affected by an IT outage around the December ransomware attack that prevented customers from booking trips via the cruise line's online reservation system.
	</p>

	<p>
		 
	</p>

	<p>
		AIDA Cruises, Costa Crociere, and Carnival Corporation did not reply to BleepingComputer emails regarding the disruptions and trip cancellations.
	</p>

	<p>
		 
	</p>

	<p>
		Update: Added info provided by Roger Frizzell, Carnival's SVP &amp; Chief Communications Officer.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	 <a href="https://www.bleepingcomputer.com/news/security/carnival-cruise-hit-by-data-breach-warns-of-data-misuse-risk/" rel="external nofollow">Carnival Cruise hit by data breach, warns of data misuse risk</a>
</p>
]]></description><guid isPermaLink="false">692</guid><pubDate>Thu, 17 Jun 2021 21:37:06 +0000</pubDate></item><item><title>Vigilante malware blocks victims from downloading pirated software</title><link>https://nsaneforums.com/news/security-privacy-news/vigilante-malware-blocks-victims-from-downloading-pirated-software-r691/</link><description><![CDATA[<h1>
	Vigilante malware blocks victims from downloading pirated software
</h1>

<div>
	<p>
		 
	</p>

	<p>
		A vigilante developer turns the tables on software pirates by distributing malware that prevents them from accessing pirated software sites in the future.
	</p>

	<p>
		 
	</p>

	<p>
		Threat actors commonly use pirated software and fake crack sites to distribute malware to unsuspecting users who think they are downloading the latest game or movie.
	</p>

	<p>
		 
	</p>

	<p>
		Malware distributed via these methods is typically <a href="https://www.bleepingcomputer.com/news/security/pirated-software-is-all-fun-and-games-until-your-data-s-stolen/" rel="external nofollow" target="_blank">information-stealing trojans</a>, <a href="https://www.bleepingcomputer.com/news/security/new-rumba-stop-ransomware-being-installed-by-software-cracks/" rel="external nofollow" target="_blank">ransomware</a>, or cryptominers that can be used to generate value for the threat actor.
	</p>

	<h2>
		Malware blocks access to The Pirate Bay
	</h2>

	<p>
		In a new report, SophosLabs describes how vigilante malware is being distributed that prevents pirates from accessing The Pirate Bay, the most popular torrent site for copyrighted content.
	</p>

	<p>
		 
	</p>

	<p>
		"In one of the strangest cases I’ve seen in a while, one of my Labs colleagues recently told me about a malware campaign whose primary purpose appears to stray from the more common malware motives." explains SophosLabs Principal Researcher Andrew Brandt in the <a href="https://news.sophos.com/en-us/2021/06/17/vigilante-antipiracy-malware/" rel="external nofollow" target="_blank">new report</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"Instead of seeking to steal passwords or to extort a computer’s owner for ransom, this malware blocks infected users’ computers from being able to visit a large number of websites dedicated to software piracy by modifying the HOSTS file on the infected system."
	</p>

	<p>
		 
	</p>

	<p>
		According to Brandt, the new malware is being distributed through Discord or pirated software torrent sites. On Discord, the malware is distributed as standalone executables pretending to be pirated software, as shown below.
	</p>

	<div>
		<figure>
			<img alt="Malware hosted on Discord" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/malware/v/vigilante-pirated-software/discord-executables.jpg">
			<figcaption>
				Malware hosted on Discord
			</figcaption>
		</figure>
	</div>

	<p>
		On sites like The Pirate Bay, the malware is being distributed in a similar way to other torrent files in the sense that they contain readme files, NFO files, and shortcut files back to thepiratebay.org.
	</p>

	<div>
		<figure>
			<img alt="A fake Readme file in a malicious torrent" data-ratio="48.19" src="https://www.bleepstatic.com/images/news/malware/v/vigilante-pirated-software/pirate-readme-text-file.png">
			<figcaption>
				A fake Readme file in a malicious torrent
			</figcaption>
		</figure>
	</div>

	<p>
		However, many of the files contained in these torrent archives serve no purpose and are only added as filler to impersonate your typical pirated software/movie torrent.
	</p>

	<p>
		 
	</p>

	<p>
		"Looking more closely at these files bundled with the installer, it’s clear that they have no practical benefit other than to give the archive the appearance of files typically shared over Bittorrent, and to modify hash values with the addition of random data," says Brandt in his report.
	</p>

	<p>
		 
	</p>

	<p>
		Once a user runs the malware executable, it will modify the Windows HOSTS file to add numerous entries that point to 127.0.0.1 for sites associated with The Pirate Bay.
	</p>

	<div>
		<figure>
			<img alt="HOSTS file modified by the malware" data-ratio="88.36" style="width: 610px; height: auto;" width="610" src="https://www.bleepstatic.com/images/news/malware/v/vigilante-pirated-software/hosts-files.jpg">
			<figcaption>
				HOSTS file modified by the malware
			</figcaption>
		</figure>
	</div>

	<p>
		After adding these HOSTS entries, when a user attempts to access one of the listed sites, they will instead be redirected to their localhost and be unable to connect to the site's actual IP address. This effectively blocks access to the listed sites that are distributing torrents for copyrighted content.
	</p>
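	<p>
		The tampering described above leaves a simple artifact: public hostnames pinned to a loopback or unspecified address in the HOSTS file, so the browser never reaches the real server. The scanner below is an added example (it is not code from the Sophos report or the article) that flags exactly those entries. The default Windows HOSTS path, the allow-list of names that legitimately map to loopback, and the sample file contents are assumptions for the example; the sample is constructed to mimic a stock file with the malware's style of additions, and the internal override on the last line shows that an ordinary non-loopback entry is left alone.
	</p>

```python
"""Added example (not from the Sophos report or the article): scan a Windows HOSTS
file for public hostnames pinned to loopback, the artifact the vigilante malware
leaves behind.

Assumptions, not facts from the page: the default HOSTS path below, the set of
names that are expected to resolve to loopback, and the constructed sample file.
"""
from __future__ import annotations

import ipaddress
from pathlib import Path

# Default location on a standard Windows install (assumption; adjust for other systems).
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Names that legitimately map to loopback; any other name pinned there is suspect.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                                # malformed line, not a mapping
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def find_sinkholed(text: str) -> list[tuple[int, str, str]]:
    """Entries that pin a non-local hostname to a loopback (127/8, ::1) or unspecified (0.0.0.0) address."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and name not in LOOPBACK_OK:
            hits.append((lineno, ip, name))
    return hits


def scan_file(path: Path = WINDOWS_HOSTS) -> list[tuple[int, str, str]]:
    """Scan a HOSTS file on disk; an absent file yields no findings."""
    if not path.exists():
        return []
    # utf-8-sig tolerates the BOM some editors write into the Windows HOSTS file.
    return find_sinkholed(path.read_text(encoding="utf-8-sig", errors="replace"))


# Constructed sample: stock-looking header plus entries of the kind the malware adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
::1       localhost
0.0.0.0   thepiratebay.org
127.0.0.1 thepiratebay.org www.thepiratebay.org  # added by malware
127.0.0.1 tpb-proxy.example
10.0.0.5  intranet.example   # ordinary internal override, not loopback
"""

if __name__ == "__main__":
    for lineno, ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

	<p>
		Run it against the live file with <code>scan_file()</code> as an administrator; a clean system returns an empty list. Entries that deliberately sinkhole ad or telemetry domains will also be flagged, so extend <code>LOOPBACK_OK</code> with whatever your own baseline pins to loopback before treating a hit as tampering.
	</p>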

	<p>
		 
	</p>

	<p>
		To make matters worse, when the vigilante malware is executed, it will connect to a remote host under the attacker's control and send the name of the fake pirated software that has infected the user.
	</p>

	<p>
		 
	</p>

	<p>
		As web servers usually log a visitor's IP address, the attacker now has both the pirate's IP address and the name of the software or movie that they attempted to use.
	</p>

	<p>
		 
	</p>

	<p>
		While it is unknown what this information is used for, the threat actors could share it with ISPs, copyright agencies, or even law enforcement.
	</p>

	<p>
		 
	</p>

	<p>
		The attackers could also use this information in further attacks, such as email extortion campaigns where the attacker threatens to reveal the user's illegal activity if they don't pay a small extortion demand.
	</p>

	<p>
		 
	</p>

	<p>
		Brandt told BleepingComputer that this malware campaign was live between October 2020 and January 2021, when the attacker's site went offline.
	</p>

	<p>
		 
	</p>

	<p>
		According to Brandt, the malicious torrents have also stopped being distributed, likely after users stopped seeding them after learning that the files were malicious or fake.
	</p>

	<p>
		 
	</p>

	<p>
		While rare, vigilantes have taken justice into their own hands in the past by <a href="https://www.bleepingcomputer.com/news/security/vigilante-removes-malware-from-netgear-site-after-company-fails-to-do-so-for-2-years/" rel="external nofollow" target="_blank">hacking into Netgear's site to remove malware</a>, <a href="https://www.bleepingcomputer.com/news/security/vigilante-hacker-uses-hajime-malware-to-wrestle-with-mirai-botnets/" rel="external nofollow" target="_blank">distributing malware to secure IoT devices</a>, and releasing a <a href="https://www.bleepingcomputer.com/news/security/vigilantes-counter-christchurch-manifesto-with-weaponized-version/" rel="external nofollow">weaponized version of the Christchurch manifesto</a>.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/vigilante-malware-blocks-victims-from-downloading-pirated-software/" rel="external nofollow">Vigilante malware blocks victims from downloading pirated software</a>
</p>
]]></description><guid isPermaLink="false">691</guid><pubDate>Thu, 17 Jun 2021 21:33:17 +0000</pubDate></item><item><title>The Cl0p Bust Shows Exactly Why Ransomware Isn&#x2019;t Going Away</title><link>https://nsaneforums.com/news/security-privacy-news/the-cl0p-bust-shows-exactly-why-ransomware-isn%E2%80%99t-going-away-r690/</link><description><![CDATA[<div>
	<header>
		<div>
			<div>
				<h1 data-testid="ContentHeaderHed">
					The Cl0p Bust Shows Exactly Why Ransomware Isn’t Going Away
				</h1>
			</div>

			<div>
				<div>
					Ukrainian authorities managed to make some high-profile arrests. But nothing’s going to change until Russia does the same.
				</div>
			</div>

			<div data-testid="ContentHeaderLeadAsset">
				<figure>
					<div>
						<picture><img alt="biden and putin" data-ratio="66.94" style="width: 720px; height: 482px;" width="720" src="https://media.wired.com/photos/60ca64338a1e88a03ed5cd76/master/w_2560%2Cc_limit/Sec_ransomware_1233484680.jpg"></picture>
					</div>

					<figcaption>
						Believe it or not, Joe Biden and Vladimir Putin did not solve the ransomware problem at this week's summit. Photograph: Mikhail Metzel/Getty Images
					</figcaption>
				</figure>
			</div>

		</div>
	</header>
</div>

<div data-attribute-verso-pattern="article-body">
	<div>
		<div>
			<div>
				<div>
					<p>
						On Wednesday, as United States president Joe Biden and Russian president Vladimir Putin prepared to meet in Geneva, Ukrainian law enforcement announced the arrest of six suspects allegedly tied to the notorious Cl0p <a href="https://www.wired.com/tag/ransomware" rel="external nofollow">ransomware</a> group. In collaboration with South Korean and US investigators, Ukrainian authorities searched 21 residences in and around Kyiv, seized computers, smartphones, and servers, and recovered the equivalent of $184,000, believed to be ransom money.
					</p>

					<p>
						 
					</p>

					<p>
						The Cl0p arrests constitute an all-too-rare success story as the ransomware crisis continues to spiral. The group has racked up several high-profile victims since 2019, including Stanford University Medical School, the University of California, and the South Korean ecommerce giant E-Land. And the hackers <a href="https://www.wired.com/story/accellion-breach-victims-extortion/" rel="external nofollow">seem to collaborate with or have ties to</a> other cybercriminal organizations, including the financial crimes group <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html"}' href="https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html" rel="external nofollow" target="_blank">FIN11</a> and the malware distribution organization dubbed <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/"}' href="https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/" rel="external nofollow" target="_blank">TA505</a>. The collaborative law enforcement process that led to the takedown, though, also underscores why stopping the broader ransomware threat remains a distant dream. Ukraine was willing to help this time, but until Russia does the same very little will change.
					</p>

					<p>
						 
					</p>

					<p>
						The majority of ransomware actors who have been wreaking havoc in recent months operate out of Russia, including <a href="https://www.wired.com/story/ransomware-hospitals-ryuk-trickbot/" rel="external nofollow">Ryuk</a>, which went on a massive hospital-hacking spree in the United States last year, <a href="https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/" rel="external nofollow">DarkSide</a>, which <a href="https://www.wired.com/story/darkside-ransomware-colonial-pipeline-response/" rel="external nofollow">took down the Colonial Pipeline</a> in May, and REvil, which recently hit the <a href="https://www.wired.com/story/jbs-ransomware-attack-underscores-dire-threat/" rel="external nofollow">global meat supplier JBS</a> and <a href="https://www.wired.com/story/apple-ransomware-attack-quanta-computer/" rel="external nofollow">Apple supplier Quanta Computer</a>. The US Department of Justice has indicted Russian ransomware actors but struggles to apprehend them. And Putin has said openly for years—including an oft-cited 2016 interview with NBC—that as long as cybercriminals aren't breaking Russian laws, he has no interest in prosecuting them.
					</p>


					<figure>
						<div>
							<picture><img alt="money" data-ratio="66.94" sizes="100vw" srcset="https://media.wired.com/photos/60ca64333082cb0dcce32aa1/master/w_1600%2Cc_limit/Sec_Cyberpolice1606.jpg 1600w, https://media.wired.com/photos/60ca64333082cb0dcce32aa1/master/w_1280%2Cc_limit/Sec_Cyberpolice1606.jpg 1280w, https://media.wired.com/photos/60ca64333082cb0dcce32aa1/master/w_1024%2Cc_limit/Sec_Cyberpolice1606.jpg 1024w, https://media.wired.com/photos/60ca64333082cb0dcce32aa1/master/w_768%2Cc_limit/Sec_Cyberpolice1606.jpg 768w, https://media.wired.com/photos/60ca64333082cb0dcce32aa1/master/w_640%2Cc_limit/Sec_Cyberpolice1606.jpg 640w" style="width: 720px; height: 482px;" width="720" src="https://media.wired.com/photos/60ca64333082cb0dcce32aa1/master/w_1600%2Cc_limit/Sec_Cyberpolice1606.jpg"></picture>
						</div>

						<figcaption>
							Photograph: Cyberpolice Department of the National Police of Ukraine
						</figcaption>
					</figure>


					<p>
						“If you have any region in any country where you have lax law enforcement, sure enough people who want to do illegal things will show up there,” says Craig Williams, director of outreach at Cisco Talos. “We have these regions not just in Europe but in regions like South America where we have effectively safe havens for cybercriminals to operate. So what we end up with is this pattern of aggression that’s being allowed to be carried out online against private businesses and civilians with really no end in sight.”
					</p>

					<p>
						 
					</p>

					<p>
						Russia’s blind eye toward cybercrime has been a problem for years, but the Kremlin's brazen state-sponsored hacking, from election meddling to expansive espionage operations, has typically drawn more attention. Over the past 18 months, though, the severity and frequency of ransomware attacks around the world has morphed from a consistent problem to an urgent crisis. Attacks on critical infrastructure and supply chains have painted a dire picture of just how far ransomware attackers will go to make money.
					</p>


					<p>
						Tracking down the culprits often isn't as big an obstacle as apprehending them. The US has <a href="https://www.wired.com/story/alleged-russian-hacker-evil-corp-indicted/" rel="external nofollow">indicted multiple Russia-based hackers</a> and even managed to seize millions of dollars of the ransom Colonial Pipeline paid. But acting on that information typically requires international cooperation. Russia does not have an extradition treaty with the US and seemingly goes out of its way not to help. In fact, the Department of Justice didn't bother asking for assistance from Russian law enforcement in tracking the Colonial Pipeline hackers, said John Demers, the assistant attorney general for national security, in a talk recorded June 3 and <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.cyberscoop.com/russia-cybercrime-ransomware-cybertalks/"}' href="https://www.cyberscoop.com/russia-cybercrime-ransomware-cybertalks/" rel="external nofollow" target="_blank">released Wednesday</a>.
					</p>
				</div>
			</div>

			<div>
				<div>
					<p>
						 
					</p>

					<p>
						“I think we’ve reached the stage, today, where there’s very little point in doing so,” Demers said as part of the CyberTalks event series. “They’re actively getting in the way of US law enforcement efforts to combat this type of hacking.”
					</p>

					<p>
						 
					</p>

					<p>
						Russia can go a long way toward undermining global efforts to combat ransomware through non-participation alone. Take the Cl0p takedown. Ukraine's arrests ultimately appear <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/Intel471Inc/status/1405292359286358019?s=20"}' href="https://twitter.com/Intel471Inc/status/1405292359286358019?s=20" rel="external nofollow" target="_blank">not to have impacted</a> the group's core operation—which is based out of Russia.
					</p>

					<p>
						 
					</p>

					<p>
						During Wednesday's Geneva summit, Biden and Putin explicitly discussed a number of cybersecurity topics and made vague agreements to create joint cybersecurity task forces.
					</p>

					<p>
						 
					</p>

					<p>
						“As far as cybersecurity is concerned, we agreed that we would begin consultations on that issue, and I believe that's extraordinarily important," Putin said in a press conference through a translator. "Obviously both sides have to assume certain obligations there."
					</p>

					<p>
						 
					</p>

					<p>
						Whether more cooperation is, in fact, obvious and inevitable remains to be seen. “I think we’re going to have to test their willingness to cooperate,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye.
					</p>

					<p>
						 
					</p>

					<p>
						Biden offered a similar assessment on Wednesday after the summit. When <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/ericgeller/status/1405219858262994946?s=20"}' href="https://twitter.com/ericgeller/status/1405219858262994946?s=20" rel="external nofollow" target="_blank">asked</a> whether there had been any ultimatums between the two about ransomware, he said, “Are they going to act? We'll find out.”
					</p>
				</div>
			</div>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/cl0p-ransomware-russia-putin-biden/" rel="external nofollow">The Cl0p Bust Shows Exactly Why Ransomware Isn’t Going Away</a> (may require free registration to view)
</p>
]]></description><guid isPermaLink="false">690</guid><pubDate>Thu, 17 Jun 2021 21:29:50 +0000</pubDate></item><item><title>Researchers Uncover 'Process Ghosting' &#x2014; A New Malware Evasion Technique</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-uncover-process-ghosting-%E2%80%94-a-new-malware-evasion-technique-r673/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Researchers Uncover 'Process Ghosting' — A New Malware Evasion Technique</strong></span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers have disclosed a new executable-image tampering attack, dubbed "Process Ghosting," that an attacker could abuse to circumvent endpoint protections and stealthily run malicious code on a Windows system.
</p>

<p>
	 
</p>

<p>
	"With this technique, an attacker can write a piece of malware to disk in such a way that it's difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk," Elastic Security researcher Gabriel Landau said. "This technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF)."
</p>

<p>
	 
</p>

<p>
	Process Ghosting builds on previously documented endpoint-bypass methods such as Process Doppelgänging and Process Herpaderping, enabling covert execution of malicious code that may evade anti-malware defenses and detection.
</p>

<p>
	 
</p>

<p>
	Process Doppelgänging, first presented in 2017 and, like Process Hollowing, a way of running a payload under the guise of a legitimate executable, uses Transactional NTFS (TxF) to overwrite a legitimate file inside a file transaction, create an image section from the transacted file, and then roll the transaction back, so a process is started from a section whose malicious content never persists on disk. Process Herpaderping, first detailed last October, obscures the behavior of a process by modifying the executable on disk after its image has been mapped into a section but before the process is created, so security products that inspect the file see different content from what is actually running.
</p>

<p>
	 
</p>

<p>
	The evasion works because of "a gap between when a process is created and when security products are notified of its creation," giving malware developers a window to tamper with the executable before security products can scan it.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-attack.jpg" class="ipsImage" data-ratio="54.44" height="388" width="720" src="https://thehackernews.com/images/-5oHL_dpa_7M/YMr8uIKncaI/AAAAAAAAC5I/phpvULA4VIIKvpfmccprveyhMMIj_EWuwCLcBGAsYHQ/s728-e1000/malware-attack.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Process Ghosting goes a step beyond Doppelgänging and Herpaderping by making it possible to run executables that have already been deleted. It takes advantage of the fact that Windows' protection of mapped executables against modification or deletion only comes into effect once the binary has been mapped into an image section; a file that is already marked for deletion before that point can still be mapped and then disappears.
</p>

<p>
	 
</p>

<p>
	"This means that it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section," Landau explained. "This is Process Ghosting."
</p>

<p>
	 
</p>

<p>
	In a proof-of-concept (PoC) demo, the researchers showed Windows Defender attempting to open the malicious payload executable to scan it, failing because the file is in a delete-pending state, and then failing again because the file has already been deleted, so the payload executes unimpeded.
</p>

<p>
	 
</p>

<p>
	Elastic Security said it reported the issue to Microsoft Security Response Center (MSRC) in May 2021, following which the Windows maker stated the issue "does not meet their bar for servicing," echoing a similar response when Process Herpaderping was responsibly disclosed to MSRC in July 2020.
</p>

<p>
	 
</p>

<p>
	Microsoft, for its part, released an updated Sysinternals Suite this January with an improved System Monitor (Sysmon) utility to help detect Process Herpaderping and Process Hollowing attacks.
</p>

<p>
	 
</p>

<p>
	As a result, Sysmon 13.00 and later can generate and log "Event ID 25" (ProcessTampering) when a process's image is modified or replaced, with Microsoft noting that the event is triggered "when the mapped image of a process doesn't match the on-disk image file, or the image file is locked for exclusive access."
</p>
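<p>
	The detection side of this, as an added example in Python (editor's illustration, not code from Elastic or Microsoft): parse Sysmon events in the XML form Windows exposes through the event log, report every Event ID 25 record with the Type string Sysmon attaches, and, separately, apply a heuristic for the ghosting case, where a running process's image path no longer exists on disk. The sample events and the set of present files are constructed for the example, and the function names are chosen here. The article does not say whether Event ID 25 fires for Process Ghosting itself, so the second check is a heuristic of the editor's, not a claim about Sysmon.
</p>

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_PROCESS_CREATE = 1
EVENT_PROCESS_TAMPERING = 25


def parse_sysmon_events(xml_text: str) -> list:
    """Turn a batch of Sysmon events (the Windows event XML shape, wrapped in
    one root element) into flat dicts keyed by the EventData field names."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = (d.text or "").strip()
        events.append(rec)
    return events


def tampering_alerts(events: list) -> list:
    """Event ID 25 (ProcessTampering): return (pid, image, Sysmon's Type string)."""
    return [
        (e.get("ProcessId", ""), e.get("Image", ""), e.get("Type", ""))
        for e in events
        if e["EventID"] == EVENT_PROCESS_TAMPERING
    ]


def fileless_image_alerts(events: list, file_exists) -> list:
    """Editor's heuristic for the ghosting case, not a Sysmon feature: a process
    creation (Event ID 1) whose image path is not present on disk.  The
    file_exists callable is injected so the check runs offline; on a live host
    pass os.path.exists."""
    return [
        (e.get("ProcessId", ""), e.get("Image", ""))
        for e in events
        if e["EventID"] == EVENT_PROCESS_CREATE and not file_exists(e.get("Image", ""))
    ]


# Constructed sample events (not a real capture).  Backslashes are doubled
# only because this is a Python string literal.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="ProcessId">4120</Data>
    <Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="ProcessId">5512</Data>
    <Data Name="Image">C:\\Users\\Public\\ghost.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>25</EventID></System>
  <EventData>
    <Data Name="ProcessId">6620</Data>
    <Data Name="Image">C:\\Users\\Public\\herp.exe</Data>
    <Data Name="Type">Image is replaced</Data>
  </EventData>
</Event>
</Events>"""

# Constructed stand-in for the filesystem: ghost.exe is deliberately absent.
PRESENT_FILES = {"C:\\Windows\\System32\\notepad.exe", "C:\\Users\\Public\\herp.exe"}


def run_sample():
    events = parse_sysmon_events(SAMPLE_EVENTS)
    return (
        tampering_alerts(events),
        fileless_image_alerts(events, lambda path: path in PRESENT_FILES),
    )


if __name__ == "__main__":
    tampered, fileless = run_sample()
    for pid, image, kind in tampered:
        print(f"ProcessTampering pid={pid} image={image} type={kind!r}")
    for pid, image in fileless:
        print(f"image missing on disk pid={pid} image={image}")
```

<p>
	The heuristic has an obvious false-positive source, installers and updaters that legitimately replace or remove their own binary, so it belongs in a hunting query with an allow-list rather than in a blocking rule; the Event ID 25 path, by contrast, is Sysmon's own verdict and can be alerted on directly.
</p>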

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/researchers-uncover-process-ghosting.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">673</guid><pubDate>Thu, 17 Jun 2021 14:02:26 +0000</pubDate></item><item><title>Molerats Hackers Return With New Attacks Targeting Middle Eastern Governments</title><link>https://nsaneforums.com/news/security-privacy-news/molerats-hackers-return-with-new-attacks-targeting-middle-eastern-governments-r672/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Molerats Hackers Return With New Attacks Targeting Middle Eastern Governments</strong></span>
</p>

<p>
	 
</p>

<p>
	A Middle Eastern advanced persistent threat (APT) group has resurfaced after a two-month hiatus to target government institutions in the Middle East and global government entities associated with geopolitics in the region in a rash of new campaigns observed earlier this month.
</p>

<p>
	 
</p>

<p>
	Sunnyvale-based enterprise security firm Proofpoint attributed the activity to a politically motivated threat actor it tracks as TA402, and known by other monikers such as Molerats and GazaHackerTeam.
</p>

<p>
	 
</p>

<p>
	The threat actor is believed to have been active for a decade, with a history of striking organizations primarily located in Israel and Palestine and spanning multiple verticals such as technology, telecommunications, finance, academia, military, media, and government.
</p>

<p>
	 
</p>

<p>
	The latest wave of attacks began with spear-phishing emails written in Arabic carrying PDF attachments that embed a malicious geofenced URL; the URL directs the victim to a password-protected archive only if the source IP address belongs to one of the targeted Middle Eastern countries.
</p>

<p>
	 
</p>

<p>
	Recipients who fall outside of the target group are diverted to a benign decoy website, typically Arabic-language news sites like Al Akhbar (www.al-akhbar.com) and Al Jazeera (www.aljazeera.net).
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacking.jpg" class="ipsImage" data-ratio="75.10" height="540" width="655" src="https://thehackernews.com/images/-GC41BMixvJ8/YMs6euwaI6I/AAAAAAAAC5o/UCNnnALqiNky9VvRy4opWfHmDb8_ekLpwCLcBGAsYHQ/s728-e1000/hacking.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"The password protection of the malicious archive and the geofenced delivery method are two easy anti-detection mechanisms threat actors can use to bypass automatic analysis products," the researchers said.
</p>

<p>
	 
</p>

<p>
	The last step in the infection chain involved extracting the archive to drop a custom implant called LastConn, which Proofpoint said is an upgraded or new version of a backdoor called SharpStage that was disclosed by Cybereason researchers in December 2020 as part of a Molerats espionage campaign targeting the Middle East.
</p>
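<p>
	The first stage of that chain, the link hidden in a PDF attachment, is where a mail gateway gets its one look before geofencing and the archive password take over. As an added example (editor's code, not Proofpoint's), a small Python triage step: pull every /URI action out of a PDF, handling both literal strings with escapes and hex-encoded strings, since either form hides from a naive grep, then flag any target whose host is not a known decoy site or whose path ends in an archive extension. The sample PDF bytes are constructed and use reserved .invalid domains; the decoy hosts are the two named in the report; the function names are chosen here.
</p>

```python
import binascii
import re
from urllib.parse import urlsplit

# PDF link actions carry the target as "/URI (literal)" or "/URI <hex>".
_LITERAL = re.compile(rb"/URI\s*\((?P<s>(?:\\.|[^\\)])*)\)", re.DOTALL)
_HEX = re.compile(rb"/URI\s*<(?P<h>[0-9A-Fa-f\s]*)>")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape(lit: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\( \\) \\\\ \\n ... and \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(lit):
        c = lit[i:i + 1]
        if c == b"\\" and i + 1 < len(lit):
            nxt = lit[i + 1:i + 2]
            if nxt.isdigit():                       # up to three octal digits
                j = i + 1
                while j < len(lit) and j < i + 4 and lit[j:j + 1].isdigit():
                    j += 1
                out.append(int(lit[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out += _ESCAPES.get(nxt, nxt)
            i += 2
        else:
            out += c
            i += 1
    return bytes(out)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target in the raw PDF bytes, decoded and de-duplicated."""
    uris = [_unescape(m.group("s")) for m in _LITERAL.finditer(pdf)]
    for m in _HEX.finditer(pdf):
        h = re.sub(rb"\s", b"", m.group("h"))
        if len(h) % 2:                              # PDF pads an odd hex string with 0
            h += b"0"
        uris.append(binascii.unhexlify(h))
    return sorted({u.decode("latin-1") for u in uris})


ARCHIVE_EXT = (".rar", ".zip", ".7z", ".iso", ".img")


def triage(uris, allowed_hosts=()):
    """Flag URIs that point off the allow-list or straight at an archive."""
    flagged = []
    for u in uris:
        parts = urlsplit(u)
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts or parts.path.lower().endswith(ARCHIVE_EXT):
            flagged.append(u)
    return flagged


# Constructed sample: three link annotations, one of them hex-encoded and one
# using escaped parentheses in the literal string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://www.aljazeera.net/) >> >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
  /A << /S /URI /URI (https://cdn.example.invalid/docs/report\\(final\\).rar) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 60 100 80]
  /A << /S /URI /URI <68747470733A2F2F64726F702E6578616D706C652E696E76616C69642F67617465> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

DECOY_HOSTS = {"www.al-akhbar.com", "www.aljazeera.net"}   # decoy sites named in the report


def run_sample():
    uris = extract_uris(SAMPLE_PDF)
    return uris, triage(uris, DECOY_HOSTS)


if __name__ == "__main__":
    uris, flagged = run_sample()
    print("all links:", uris)
    print("send to detonation:", flagged)
```

<p>
	Two caveats follow directly from the report: a flagged link must be detonated from an egress address in the targeted region, or the sandbox will only ever see the decoy news site, and the archive it serves is password-protected, so the password has to be lifted from the lure text and passed to the sandbox along with the sample.
</p>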

<p>
	 
</p>

<p>
	Besides displaying a decoy document when it is run for the first time, LastConn relies heavily on the Dropbox API to download and execute files hosted on the cloud service, in addition to running arbitrary commands and capturing screenshots, the results of which are subsequently exfiltrated back to Dropbox.
</p>

<p>
	 
</p>

<p>
	If anything, the ever-evolving toolset of TA402 underscores the group's continued focus on developing and modifying customized malware implants in an attempt to sneak past defenses and thwart detection.
</p>

<p>
	 
</p>

<p>
	"TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East," the researchers concluded. "It is likely TA402 continues its targeting largely focused on the Middle East region."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/molerats-hackers-return-with-new.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">672</guid><pubDate>Thu, 17 Jun 2021 13:58:10 +0000</pubDate></item><item><title>Facebook begins tying social media use to ads served inside its VR ecosystem</title><link>https://nsaneforums.com/news/security-privacy-news/facebook-begins-tying-social-media-use-to-ads-served-inside-its-vr-ecosystem-r671/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		Facebook begins tying social media use to ads served inside its VR ecosystem
	</h1>

	<h2 itemprop="description">
		Announcement doubles down on Facebook account requirement for Oculus hardware.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			 
		</p>

		<p>
			Everything we've feared about <a href="https://arstechnica.com/gaming/2020/08/why-the-facebookening-of-oculus-vr-is-bad-for-users-devs-competition/" rel="external nofollow">the Facebookening of Oculus and its virtual reality ecosystem</a> is starting to come true.
		</p>

		<p>
			 
		</p>

		<p>
			<a href="https://about.fb.com/news/2021/06/testing-in-headset-vr-ads/" rel="external nofollow">A Wednesday blog post</a> has confirmed that Oculus, the VR-specific arm of Facebook, is now displaying advertisements in select VR games and apps to their players. As Facebook has since emphasized in <a href="https://uploadvr.com/facebook-vr-ads/" rel="external nofollow">emails sent directly to the press</a>, these ads will leverage "first-party info from Facebook to target these ads"—and FB has yet to announce any limitations for what Facebook account data may be leveraged. (Ars Technica was not briefed about this news ahead of the announcement, and we did not get the opportunity to request the comments that other members of the media received.)
		</p>

		<p>
			 
		</p>

		<p>
			Facebook's additional clarifying statements about biometric and usage data inside VR are carefully worded: the company does examine specific usage data as it sees fit, but, for now, that data won't feed its new advertising platform. Facebook says it processes and keeps track of the following data, uploaded by users while connected to any Oculus services:
		</p>

		<p>
			 
		</p>

		<ul>
			<li>
				"Weight, height, or gender information that you choose to provide to Oculus Move [a pre-installed fitness suite]"
			</li>
			<li>
				"Movement data" that Facebook uses to "keep you safe from bumping into real-world objects"—in other words, every single way your head and hands move around within VR and relative spatial data about the rooms you play VR within, which <a href="https://www.roadtovr.com/stanford-vr-motion-identity-research/" rel="external nofollow">researchers have concluded can be used to create a recognizable biometric profile</a> after only minutes of training
			</li>
			<li>
				"The content of your conversations with people on apps like Messenger, Parties, and [Oculus] chats or your [Oculus] voice interactions"
			</li>
		</ul>

		<p>
			 
		</p>

		<p>
			For now, Facebook continues to tell users that "data that are processed on the device" are not uploaded to Facebook servers, which include "raw images" from Oculus headset sensors and "images of your hands" in its hand-tracking interface. Meanwhile, if you'd like to know how much of your use data inside of Facebook (and Instagram and other FB-connected services) might be leveraged by its combined advertising network, clear the rest of your day's schedule and <a href="https://www.facebook.com/business/about/ad-principles" rel="external nofollow">dive in</a>.
		</p>

		<p>
			 
		</p>

		<p>
			Today's announcement emphasizes that this advertising option is meant to generate "new ways for developers to generate revenue." The thing is, Facebook itself created a revenue blocker for VR game and app creators up until now, since <a href="https://developer.oculus.com/policy/app-policies/" rel="external nofollow">its "app policies" agreement</a> has always forbidden third-party advertising services inside of any products. Now that Facebook can operate the advertising platform and skim revenue off the top, things have changed.
		</p>

		<h2>
			How rapidly will the downstream soon run?
		</h2>

		<p>
			Facebook itself suggests that advertising is a key element in its VR business going forward: "This is a key part of ensuring we're creating a self-sustaining platform that can support a variety of business models." It also admits that product pricing can vary with advertising in the mix: "It helps us continue to make innovative AR [augmented reality]/VR hardware more accessible to more people."
		</p>

		<p>
			 
		</p>
		<p>
			That news is unsurprising to anyone who follows <a href="https://arstechnica.com/gadgets/2021/03/as-apple-app-tracking-change-nears-chinese-tech-firms-fight-back/" rel="external nofollow">Facebook's quarterly financial results</a>, which revolve largely around its targeted advertising platforms that deftly move from app to app and from service to service. Meanwhile, rival VR hardware manufacturers like HTC have <a href="https://arstechnica.com/gaming/2021/05/htcs-newest-headsets-signal-end-of-vives-5-year-vr-for-the-home-mission/" rel="external nofollow">loudly shot back at Facebook's cheap-hardware sales approach</a>.
		</p>

		<p>
			 
		</p>

		<p>
			Recently, HTC Vive general manager Dan O'Brien said the following to Ars Technica:
		</p>

		<blockquote>
			<p>
				When pressed about Oculus as VR's top-selling consumer option, O'Brien was frank: HTC wants to make its VR money from upfront purchase revenue, not from "downstream" opportunities. He described at length the business model of "some brands" subsidizing expensive hardware at a lower MSRP "with the hope of monetizing downstream on shared services" and "maybe using data-mining tactics to understand user behavior and then run a program that also generates downstream income."
			</p>
		</blockquote>

		<p>
			But also: notice the official mention of augmented reality in Facebook's Wednesday pitch. The most recent <a href="https://arstechnica.com/gaming/2020/08/facebook-has-begun-ghosting-the-oculus-moniker-in-its-vr-division/" rel="external nofollow">Facebook Connect presentation</a> revolved around Oculus research and hardware and included a wide-open pitch hosted by longtime Oculus lead Michael Abrash. He spoke of the company's ambitions for Google Glass-like hardware that people may one day wear in public, full of real-time virtual images embedded in your nearby surroundings and high-level processing of all nearby audio and conversations. While we aren't surprised that Facebook might want its eventual always-on-your-face device to tap into its advertising ecosystem, today's announcement is a clear warning: if such a product should reach the market, it, like <a href="https://arstechnica.com/gaming/2020/09/review-we-do-not-recommend-the-299-oculus-quest-2-as-your-next-vr-system/" rel="external nofollow">the $299 Oculus Quest 2</a>, could very well be priced to move, but at a cost outside of shoppers' dollars and cents.
		</p>

		<p>
			 
		</p>
		<p>
			As a reminder, all new Oculus-branded hardware going forward <a href="https://arstechnica.com/gaming/2020/08/oculus-vr-accounts-will-soon-require-facebook-ties/" rel="external nofollow">requires a Facebook account to work</a>. Meanwhile, hardware sold before that rule change went into effect will require a ToS agreement beginning January 1, 2023. And the company's combined ToS can penalize users for creating phantom or dummy Facebook accounts for the sole purpose of enabling connected Oculus VR features; by agreeing to that ToS, you accept that Facebook can void your account and its related purchases, should they be found in violation of its rules.
		</p>

		<p>
			 
		</p>

		<p>
			And as Facebook continues acquiring VR-focused video game developers, particularly the makers of megahit Beat Saber, those fully owned development houses could reasonably become prime targets for Facebook's internal advertising tools. Big companies don't acquire successful, smaller ones <a href="https://arstechnica.com/gaming/2021/03/microsoft-confirms-some-new-bethesda-titles-will-be-exclusive-to-xbox-pc/" rel="external nofollow">for charity</a>, after all.
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gaming/2021/06/facebook-begins-tying-social-media-use-to-ads-served-inside-its-vr-ecosystem/" rel="external nofollow">Facebook begins tying social media use to ads served inside its VR ecosystem</a>
</p>
]]></description><guid isPermaLink="false">671</guid><pubDate>Thu, 17 Jun 2021 02:49:30 +0000</pubDate></item><item><title>Paint 3D for Windows 10 had a Remote Code Execution flaw</title><link>https://nsaneforums.com/news/security-privacy-news/paint-3d-for-windows-10-had-a-remote-code-execution-flaw-r665/</link><description><![CDATA[<article>
	<div>
		<h1>
			Paint 3D for Windows 10 had a Remote Code Execution flaw
		</h1>
	</div>

	<p>
		 
	</p>

	<p>
		Microsoft’s Paint 3D was never popular, but it turns out the app was also a risk to your system: ZDI researchers discovered a remote code execution flaw in the 3D modelling software.
	</p>

	<p>
		 
	</p>

	<p>
		The vulnerability, found by fuzzing, requires a user to open a malicious file, and has now been patched by Microsoft in the latest Patch Tuesday.
	</p>

	<p>
		 
	</p>

	<p>
		The issue is tracked as<a href="https://www.zerodayinitiative.com/advisories/ZDI-21-671/" rel="external nofollow" target="_blank"> CVE-2021-31946</a>, and the ZDI advisory describes it as follows:
	</p>

	<blockquote>
		<p>
			<strong>Microsoft Paint 3D GLB File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability</strong>
		</p>

		<p>
			 
		</p>

		<p>
			This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Paint 3D. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
		</p>

		<p>
			 
		</p>

		<p>
			The specific flaw exists within the parsing of GLB files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process at low integrity.
		</p>
	</blockquote>

	<p>
		Two factors limit the flaw's impact: it needs user interaction, since the victim must open a crafted GLB file (or visit a page that delivers one), and the code it yields runs at low integrity, because Paint 3D is a sandboxed app. That confines what an attacker can do without a further sandbox escape; it does not mean the attacker must already hold elevated privileges on the system.
	</p>
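	<p>
		The advisory names the bug class, an out-of-bounds read from unvalidated length fields, but not the details. As an added example (not Microsoft's code and not the actual Paint 3D defect), here is a GLB container parser in Python that checks every declared length against the real buffer before it slices, with a constructed sample file and a helper that rewrites a chunk length the way a fuzzer would. The GLB layout (12-byte header of magic, version and total length, then chunks with an 8-byte header) follows the glTF 2.0 specification; the function names are chosen here.
	</p>

```python
import json
import struct

GLB_MAGIC = 0x46546C67        # b'glTF' read as little-endian uint32
GLB_VERSION = 2
CHUNK_JSON = 0x4E4F534A       # b'JSON'
CHUNK_BIN = 0x004E4942        # b'BIN\0'
HEADER_SIZE = 12
CHUNK_HEADER_SIZE = 8


class GlbError(ValueError):
    """Any structural problem: the parser refuses the file instead of reading past it."""


def parse_glb(data: bytes) -> dict:
    """Parse a GLB container.  Every length field is attacker-controlled and is
    validated against the buffer that actually exists before any slice is taken."""
    if len(data) < HEADER_SIZE:
        raise GlbError("truncated header")
    magic, version, total_len = struct.unpack_from("<III", data, 0)
    if magic != GLB_MAGIC:
        raise GlbError("bad magic")
    if version != GLB_VERSION:
        raise GlbError(f"unsupported version {version}")
    if total_len < HEADER_SIZE or total_len > len(data):
        raise GlbError(f"declared length {total_len} exceeds buffer {len(data)}")
    offset = HEADER_SIZE
    json_chunk = bin_chunk = None
    while offset < total_len:
        if total_len - offset < CHUNK_HEADER_SIZE:
            raise GlbError("truncated chunk header")
        chunk_len, chunk_type = struct.unpack_from("<II", data, offset)
        payload_start = offset + CHUNK_HEADER_SIZE
        # The check whose absence is an out-of-bounds read: a chunk that claims
        # more bytes than remain must be rejected, never trusted and copied.
        if chunk_len > total_len - payload_start:
            raise GlbError(f"chunk length {chunk_len} overruns container")
        if chunk_len % 4:
            raise GlbError("chunk length not 4-byte aligned")
        payload = data[payload_start:payload_start + chunk_len]
        if chunk_type == CHUNK_JSON:
            if json_chunk is not None:
                raise GlbError("duplicate JSON chunk")
            json_chunk = payload
        elif chunk_type == CHUNK_BIN:
            if bin_chunk is not None:
                raise GlbError("duplicate BIN chunk")
            bin_chunk = payload
        # Unknown chunk types are skipped, as the spec allows.
        offset = payload_start + chunk_len
    if json_chunk is None:
        raise GlbError("missing JSON chunk")
    try:
        doc = json.loads(json_chunk.decode("utf-8").rstrip(" "))   # JSON chunk is space-padded
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise GlbError(f"invalid JSON chunk: {exc}") from exc
    return {"json": doc, "bin": bin_chunk}


def build_glb(doc: dict, bin_payload: bytes = b"") -> bytes:
    """Build a well-formed GLB; used only to construct the sample inputs."""
    j = json.dumps(doc, separators=(",", ":")).encode("utf-8")
    j += b" " * (-len(j) % 4)
    b = bin_payload + b"\0" * (-len(bin_payload) % 4)
    chunks = struct.pack("<II", len(j), CHUNK_JSON) + j
    if bin_payload:
        chunks += struct.pack("<II", len(b), CHUNK_BIN) + b
    return struct.pack("<III", GLB_MAGIC, GLB_VERSION, HEADER_SIZE + len(chunks)) + chunks


def corrupt_chunk_length(glb: bytes, new_len: int = 0x7FFFFFF0) -> bytes:
    """Overwrite the first chunk's length field with a lie, the same shape of
    input that turns an unchecked copy into an out-of-bounds read."""
    return glb[:HEADER_SIZE] + struct.pack("<I", new_len) + glb[HEADER_SIZE + 4:]


def is_rejected(glb: bytes) -> bool:
    try:
        parse_glb(glb)
    except GlbError:
        return True
    return False


# Constructed sample, not a file from the advisory.
GOOD_GLB = build_glb({"asset": {"version": "2.0"}}, b"\x01\x02\x03")

if __name__ == "__main__":
    print(parse_glb(GOOD_GLB))
    print("oversized chunk rejected:", is_rejected(corrupt_chunk_length(GOOD_GLB)))
    print("truncated file rejected:", is_rejected(GOOD_GLB[:20]))
```

	<p>
		The same discipline applies one level down: the glTF JSON carries its own byteOffset and byteLength values for buffer views and accessors, and each of those has to be checked against the BIN chunk's real size before any vertex data is read.
	</p>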

	<p>
		 
	</p>

	<p>
		Microsoft has issued an update to the software that fixes the issue; Windows 11 users need not worry, as the app is no longer pre-installed in that OS.
	</p>
</article>

<footer>
	<div>
		 
	</div>
</footer>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/paint3d-for-windows-10-had-a-remote-code-execution-flaw/" rel="external nofollow">Paint 3D for Windows 10 had a Remote Code Execution flaw</a>
</p>
]]></description><guid isPermaLink="false">665</guid><pubDate>Thu, 17 Jun 2021 02:27:58 +0000</pubDate></item><item><title>Scammers mail fake Ledger devices to steal your cryptocurrency</title><link>https://nsaneforums.com/news/security-privacy-news/scammers-mail-fake-ledger-devices-to-steal-your-cryptocurrency-r663/</link><description><![CDATA[<h1>
	Scammers mail fake Ledger devices to steal your cryptocurrency
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Scammers are mailing fake replacement devices to Ledger customers exposed in a recent data breach, devices built to steal the recovery phrases that unlock their cryptocurrency wallets.
	</p>

	<p>
		 
	</p>

	<p>
		Ledger has become a popular target for scammers lately, with rising cryptocurrency prices and the popularity of hardware wallets for securing crypto funds.
	</p>

	<p>
		In a post on Reddit, a Ledger user shared a devious scam after receiving what looks like a Ledger Nano X device in the mail.
	</p>

	<p>
		 
	</p>

	<p>
		As you can see from the pictures below, the device came in authentic-looking packaging, with a poorly written letter explaining that it was sent to replace the recipient's existing one because their customer information had been leaked on the RaidForums hacking forum.
	</p>

	<p>
		 
	</p>

	<p>
		"For this reason for security purposes, we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device," read the fake letter from Ledger.
	</p>

	<p>
		 
	</p>

	<p>
		"For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again."
	</p>

	<p>
		 
	</p>

	<p>
		Even though the letter was filled with grammatical and spelling errors, the data for 272,853 people who purchased a Ledger device was actually <a href="https://www.bleepingcomputer.com/news/security/physical-addresses-of-270k-ledger-owners-leaked-on-hacker-forum/" target="_blank" rel="external nofollow">published on the RaidForums hacking forum</a> in December 2020. This made for a slightly convincing explanation for the sending of the new device.
	</p>

	<div>
		<figure>
			<img alt="Packaging and letter for the fake Ledger device" data-ratio="63.89" style="width: 720px; height: 460px;" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/l/ledger/fake-ledger-devices/packaging-letter.jpg">
			<figcaption>
				Packaging and letter for the fake Ledger device<br>
				Source: Reddit
			</figcaption>
		</figure>
	</div>

	<p>
		Also enclosed in the package was a shrinkwrapped Ledger Nano X box that contained what appeared to be a legitimate device.
	</p>

	<div>
		<figure>
			<img alt="Enclosed shrinkwrapped Ledger device" data-ratio="83.33" style="width: 648px; height: auto;" width="648" src="https://www.bleepstatic.com/images/news/cryptocurrency/l/ledger/fake-ledger-devices/ledger-box.jpg">
			<figcaption>
				Enclosed shrinkwrapped Ledger device<br>
				Source: Reddit
			</figcaption>
		</figure>
	</div>

	<p>
		After becoming suspicious of the device, the user opened it and shared pictures of its printed circuit board <a href="https://www.reddit.com/r/ledgerwallet/comments/o154gz/package_from_ledger_is_this_legit/" rel="external nofollow" target="_blank">on Reddit</a> that clearly show the device was modified.
	</p>

	<div>
		<figure>
			<img alt="Front of fake Ledger hardware wallet" data-ratio="34.86" style="width: 720px; height: 251px;" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/l/ledger/fake-ledger-devices/fake-ledger-front-pcb.jpg">
			<figcaption>
				Front of fake Ledger hardware wallet<br>
				Source: Reddit
			</figcaption>
		</figure>
	</div>

	<div>
		<figure>
			<img alt="Front of real Ledger hardware wallet" data-ratio="30.97" style="width: 720px; height: 223px;" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/l/ledger/fake-ledger-devices/real-ledger-front-pcb.jpg">
			<figcaption>
				Front of real Ledger hardware wallet<br>
				Source: <a href="https://support.ledger.com/hc/en-us/articles/360019352834-Check-hardware-integrity" rel="external nofollow" target="_blank">Ledger</a>
			</figcaption>
		</figure>
	</div>

	<p>
		Based on the photos, security researcher and offensive USB cable/implant expert Mike Grover, aka <a href="https://twitter.com/_MG_" rel="external nofollow">_MG_</a>, told BleepingComputer that the threat actors added a flash drive and wired it to the USB connector.
	</p>

	<p>
		 
	</p>

	<p>
		"This seems to be a simple flash drive strapped on to the Ledger with the purpose to be for some sort of malware delivery," Grover told BleepingComputer in a chat about the photos.
	</p>

	<p>
		 
	</p>

	<p>
		"All of the components are on the other side, so I can't confirm if it is JUST a storage device, but.... judging by the very novice soldering work, it's probably just an off the shelf mini flash drive removed from its casing."
	</p>

	<p>
		In the image below, Grover highlighted the flash drive implant connected to the wires, stating: "Those 4 wires piggyback the same connections for the USB port of the Ledger."
	</p>

	<div>
		<figure>
			<img alt="Back of fake Ledger hardware wallet" data-ratio="35.97" style="width: 720px; height: 259px;" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/l/ledger/fake-ledger-devices/back-pcb.jpg">
			<figcaption>
				Back of fake Ledger hardware wallet<br>
				Source: Reddit
			</figcaption>
		</figure>
	</div>

	<div>
		<figure>
			<img alt="Back of real Ledger hardware wallet" data-ratio="35.97" style="width: 720px; height: 259px;" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/l/ledger/fake-ledger-devices/real-ledge-back-pcb.jpg">
			<figcaption>
				Back of real Ledger hardware wallet<br>
				Source: Ledger
			</figcaption>
		</figure>
	</div>

	<p>
		The enclosed instructions tell the person to connect the Ledger to their computer, open a drive that appears, and run the enclosed application.
	</p>

	<p>
		 
	</p>

	<p>
		The instructions then tell the person to enter their Ledger recovery phrase to import their wallet to the new device.
	</p>

	<div>
		<figure>
			<img alt="Fake Ledger instructions explaining how to transfer wallet to new device" data-ratio="70.97" style="width: 720px; height: 511px;" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/l/ledger/fake-ledger-devices/pamphlet.jpg">
			<figcaption>
				Fake Ledger instructions explaining how to transfer wallet to new device<br>
				Source: Reddit
			</figcaption>
		</figure>
	</div>

	<p>
		A recovery phrase is a human-readable seed used to generate the private key for a specific wallet. Anyone who has this recovery phrase can import a wallet and access the cryptocurrency it contains.
	</p>

	<p>
		 
	</p>

	<p>
		After entering the recovery phrase, it is sent to the attackers, who use it to import the victim's wallet on their own devices to steal the contained cryptocurrency funds.
	</p>
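	<p>
		The phrase the scam asks for is a BIP39 mnemonic, and the reason it is enough on its own is worth seeing in code. As an added example (editor's code, not Ledger's), the derivation in Python: entropy plus a SHA-256 checksum is cut into 11-bit word indices, and the words alone, run through PBKDF2-HMAC-SHA512 with the optional passphrase, yield the 64-byte seed from which every wallet key is derived. Nothing in the device is involved, so a phrase typed into the scammer's app hands over everything. Only the first four words of the 2048-word English list are embedded here, enough for the all-zero-entropy test vector from the BIP39 specification; a real implementation loads the full list. The function names are chosen here.
	</p>

```python
import hashlib
import unicodedata

# First four entries of the 2048-word BIP39 English list (indices 0..3); a
# real implementation loads the whole list.
WORDLIST_PREFIX = ["abandon", "ability", "able", "about"]


def entropy_to_indices(entropy: bytes) -> list:
    """Append the SHA-256 checksum (entropy_bits / 32 bits of it) and cut the
    result into 11-bit word indices, as BIP39 specifies."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = len(entropy) * 8 + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_mnemonic(indices, wordlist=WORDLIST_PREFIX) -> str:
    return " ".join(wordlist[i] for i in indices)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase.
    The passphrase (the optional '25th word') is the only secret not written on
    the recovery sheet."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def run_sample():
    # All-zero 128-bit entropy is the first test vector in the BIP39 spec;
    # the spec's vectors use the passphrase "TREZOR".
    indices = entropy_to_indices(bytes(16))
    mnemonic = indices_to_mnemonic(indices)
    seed = mnemonic_to_seed(mnemonic, "TREZOR")
    return indices, mnemonic, seed.hex()


if __name__ == "__main__":
    indices, mnemonic, seed_hex = run_sample()
    print(indices)
    print(mnemonic)
    print(seed_hex)
```

	<p>
		Two practical consequences follow: a wallet protected by a passphrase survives a leaked phrase only as long as the passphrase stays off the same piece of paper, and any app or web page that asks you to type the words, rather than enter them on the device's own buttons, has exactly what it needs to run this code.
	</p>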

	<p>
		 
	</p>

	<p>
		Ledger is aware of this scam and has posted warnings about it in May on their <a href="https://www.ledger.com/phishing-campaigns-status#phishing-campaigns" rel="external nofollow" target="_blank">dedicated phishing page</a>.
	</p>

	<p>
		 
	</p>

	<p>
		As always, Ledger recovery phrases should never be shared with anyone and should only be entered directly on the Ledger device you are trying to recover. If the device does not provide the ability to enter the phrase directly, you should only use the Ledger Live application <a href="http://ledger.com/live" rel="external nofollow" target="_blank">downloaded directly from Ledger.com</a>.
	</p>

	<p>
		 
	</p>

	<p>
		In 2018, security researchers illustrated various methods that could be used to <a href="https://www.bleepingcomputer.com/news/security/breaking-protections-in-hardware-cryptocurrency-wallets/" target="_blank" rel="external nofollow">compromise hardware cryptocurrency wallets</a>, including the Trezor One, Ledger Nano S, and Ledger Blue devices.
	</p>

	<h2>
		Ledger customers bombarded with scams
	</h2>

	<p>
		Ledger <a href="https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach" rel="external nofollow" target="_blank">suffered a data breach in June 2020</a> after an unauthorized person accessed their e-commerce and marketing database.
	</p>

	<p>
		 
	</p>

	<p>
		This database was "used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number."
	</p>

	<p>
		 
	</p>

	<p>
		Soon after, Ledger owners began receiving numerous phishing emails pointing them to fake Ledger applications designed to trick them into entering their wallet's recovery phrases.
	</p>

	<p>
		 
	</p>

	<p>
		These scams increased in frequency after the contact information for <a href="https://www.bleepingcomputer.com/news/security/physical-addresses-of-270k-ledger-owners-leaked-on-hacker-forum/" target="_blank" rel="external nofollow">270K Ledger owners was posted on the RaidForums hacker forum</a> in December 2020.
	</p>

	<p>
		 
	</p>

	<p>
		This has led to phishing scams pretending to be further <a href="https://www.bleepingcomputer.com/news/security/fake-data-breach-alerts-used-to-steal-ledger-cryptocurrency-wallets/" target="_blank" rel="external nofollow">Ledger data breach notifications</a>, SMS phishing texts, and software upgrades on sites impersonating Ledger.com.
	</p>

	<p>
		 
	</p>

	<p>
		All Ledger customers are advised to be suspicious of any unsolicited email, package, or text claiming to be related to their hardware devices.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/cryptocurrency/scammers-mail-fake-ledger-devices-to-steal-your-cryptocurrency/" rel="external nofollow">Scammers mail fake Ledger devices to steal your cryptocurrency</a>
</p>
]]></description><guid isPermaLink="false">663</guid><pubDate>Thu, 17 Jun 2021 02:19:43 +0000</pubDate></item><item><title>Ukrainian Police Nab Six Tied to CLOP Ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/ukrainian-police-nab-six-tied-to-clop-ransomware-r653/</link><description><![CDATA[<header>
	<div>
		<h1>
			Ukrainian Police Nab Six Tied to CLOP Ransomware
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-55973">
			<header>
				<div>
					<div>
						 
					</div>
				</div>
			</header>

			<div>
				<p>
					Authorities in Ukraine this week charged six people alleged to be part of the CLOP ransomware group, a cybercriminal gang said to have extorted more than half a billion dollars from victims. Some of CLOP’s victims this year alone include Stanford University Medical School, the University of California, and University of Maryland.
				</p>

				<p>
					 
				</p>

				<div id="attachment_55976">
					<img alt="ucp-tesla.png" aria-describedby="caption-attachment-55976" data-ratio="57.92" loading="lazy" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/ucp-tesla.png">
					<p>
						 
					</p>

					<p id="caption-attachment-55976">
						A still shot from a video showing Ukrainian police seizing a Tesla, one of many high-end vehicles seized in this week’s raids on the Clop gang.
					</p>
				</div>

				<p>
					According to <a href="https://www.npu.gov.ua/ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/" rel="external nofollow" target="_blank">a statement</a> and videos released today, the Ukrainian Cyber Police charged six defendants with various computer crimes linked to the CLOP gang, and conducted 21 searches throughout the Kyiv region.
				</p>

				<p>
					First debuting in early 2019, CLOP is one of several ransomware groups that hack into organizations, launch ransomware that encrypts files and servers, and then demand an extortion payment in return for a digital key needed to unlock access.
				</p>

				<p>
					<a href="https://www.youtube.com/embed/PqGaZgepNTE?feature=oembed" rel="external nofollow" target="_blank">Embedded video (YouTube)</a>
				</p>

				<p>
					CLOP has been especially busy over the past six months exploiting four different zero-day vulnerabilities in File Transfer Appliance (FTA), a file sharing product made by California-based <a href="https://www.accellion.com/company/security-updates/mandiant-issues-final-report-regarding-accellion-fta-attack/" rel="external nofollow" target="_blank">Accellion</a>.
				</p>

				<p>
					The CLOP gang seized on those flaws <a href="https://www.recordedfuture.com/dewmode-accellion-supply-chain-impact/" rel="external nofollow" target="_blank">to deploy ransomware to a significant number of Accellion’s FTA customers</a>, including U.S. grocery chain Kroger, the law firm Jones Day, security firm Qualys, and the Singaporean telecom giant Singtel.
				</p>

				<p>
					Last year, CLOP adopted the practice of attempting to extract a second ransom demand from victims in exchange for a promise not to publish or sell any stolen data. Terabytes of documents and files stolen from victim organizations that have not paid a data ransom are now available for download from CLOP’s deep web site, including Stanford, UCLA and the University of Maryland.
				</p>

				<div id="attachment_55974">
					<img alt="clopleaks.png" aria-describedby="caption-attachment-55974" data-ratio="75.10" loading="lazy" sizes="(max-width: 935px) 100vw, 935px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/clopleaks.png 935w, https://krebsonsecurity.com/wp-content/uploads/2021/06/clopleaks-768x596.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/clopleaks-782x606.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/clopleaks.png">
					<p id="caption-attachment-55974">
						CLOP’s victim shaming blog on the deep web.
					</p>
				</div>

				<p>
					It’s not clear how much this law enforcement operation by Ukrainian authorities will affect the overall operations of the CLOP group. Cybersecurity intelligence firm <a href="https://www.intel471.com" rel="external nofollow" target="_blank">Intel 471</a> says the raids in Ukraine were limited to the cash-out and money laundering side of CLOP’s business.
				</p>

				<p>
					“We do not believe that any core actors behind CLOP were apprehended, due to the fact that they are probably living in Russia,” Intel 471 concluded. “The overall impact to CLOP is expected to be minor although this law enforcement attention may result in the CLOP brand getting abandoned as we’ve recently seen with other ransomware groups like <a href="https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/" rel="external nofollow" target="_blank">DarkSide</a> and <a href="https://www.bleepingcomputer.com/news/security/babuk-quits-ransomware-encryption-focuses-on-data-theft-extortion/" rel="external nofollow" target="_blank">Babuk</a>” [links added].
				</p>

				<p>
					While CLOP as a moneymaking collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “<a href="https://attack.mitre.org/groups/G0092/" rel="external nofollow" target="_blank">TA505</a>,” which MITRE’s ATT&amp;CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	<a href="https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/" rel="external nofollow">Ukrainian Police Nab Six Tied to CLOP Ransomware</a>
</p>
]]></description><guid isPermaLink="false">653</guid><pubDate>Wed, 16 Jun 2021 20:15:18 +0000</pubDate></item><item><title>Malware Attack on South Korean Entities Was Work of Andariel Group</title><link>https://nsaneforums.com/news/security-privacy-news/malware-attack-on-south-korean-entities-was-work-of-andariel-group-r645/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>Malware Attack on South Korean Entities Was Work of Andariel Group</strong></span>
</p>

<p>
	A malware campaign targeting South Korean entities that came to light earlier this year has been attributed to a North Korean nation-state hacking group called Andariel, once again indicating that Lazarus attackers are following the trends and their arsenal is in constant development.
</p>

<p>
	"The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity," Russian cybersecurity firm Kaspersky said in a deep-dive published Tuesday. Victims of the attack are in the manufacturing, home network service, media, and construction sectors.
</p>

<p>
	Designated as part of the Lazarus constellation, Andariel is known for unleashing attacks on South Korean organizations and businesses using specifically tailored methods created for maximum effectiveness. In September 2019, the sub-group, along with Lazarus and Bluenoroff, was sanctioned by the U.S. Treasury Department for malicious cyber activity against critical infrastructure.
</p>

<p>
	Andariel is believed to have been active since at least May 2016.
</p>

<p style="text-align:center;">
	<img alt="ransomware-hacking.jpg" class="ipsImage" data-ratio="26.67" height="189" width="720" src="https://thehackernews.com/images/-xYxIOK385_w/YMntOPvRXiI/AAAAAAAAC4w/VaVmRlvXA_8z8qJKMXHdwCDxG4ts8NCKQCLcBGAsYHQ/s728-e1000/ransomware-hacking.jpg" />
</p>

<p>
	North Korea has been behind an increasingly orchestrated effort to infiltrate the computers of financial institutions in South Korea and around the world, and to stage cryptocurrency heists, in order to fund the cash-strapped country and circumvent the stranglehold of economic sanctions imposed to halt the development of its nuclear weapons program.
</p>

<p>
	The findings from Kaspersky build upon a previous report from Malwarebytes in April 2021, which documented a novel infection chain: phishing emails carried a Word file with an embedded macro that executed upon opening, deploying malicious code concealed in a bitmap (.BMP) image file, which in turn dropped a remote access trojan (RAT) on targeted systems.
</p>

<p>
	According to the latest analysis, the threat actor, besides installing a backdoor, is also said to have delivered file-encrypting ransomware to one of its victims, implying a financial motive to the attacks. It's worth noting that Andariel has a track record of attempting to steal bank card information by hacking into ATMs to withdraw cash or sell customer information on the black market.
</p>

<p>
	"This ransomware sample is custom made and specifically developed by the threat actor behind this attack," Kaspersky Senior Security Researcher Seongsu Park said. "This ransomware is controlled by command line parameters and can either retrieve an encryption key from the C2 [server] or, alternatively, as an argument at launch time."
</p>

<p>
	The ransomware is designed to encrypt all files on the machine except those with the system-critical ".exe," ".dll," ".sys," ".msiins," and ".drv" extensions, and demands a bitcoin ransom in return for a decryption tool and the unique key needed to unlock the scrambled files.
</p>

<p>
	Kaspersky's attribution to Andariel stems from overlaps in the XOR-based decryption routine, which the group has incorporated into its tactics since as early as 2018, and in the post-exploitation commands executed on victim machines.
</p>

<p>
	"The Andariel group has continued to focus on targets in South Korea, but their tools and techniques have evolved considerably," Park said. "The Andariel group intended to spread ransomware through this attack and, by doing so, they have underlined their place as a financially motivated state-sponsored actor."
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/malware-attack-on-south-korean-entities.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">645</guid><pubDate>Wed, 16 Jun 2021 14:48:09 +0000</pubDate></item><item><title>Ransomware Attackers Partnering With Cybercrime Groups to Hack High-Profile Targets</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-attackers-partnering-with-cybercrime-groups-to-hack-high-profile-targets-r644/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>Ransomware Attackers Partnering With Cybercrime Groups to Hack High-Profile Targets</strong></span>
</p>

<p>
	As ransomware attacks against critical infrastructure skyrocket, new research shows that threat actors behind such disruptions are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major targets.
</p>

<p>
	"Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains," researchers from Proofpoint said in a write-up shared with The Hacker News.
</p>

<p>
	"Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network."
</p>

<p>
	The email and cloud security firm said it is currently tracking at least 10 different threat actors who play the role of "initial access facilitators," supplying affiliates and other cybercrime groups with an entry point for data theft and encryption operations in exchange for a slice of the illegal profits.
</p>

<p>
	Initial access brokers are known to infiltrate the networks via first-stage malware payloads such as The Trick, Dridex, Qbot, IcedID, BazaLoader, or Buer Loader, with most campaigns detected in the first half of 2021 leveraging banking trojans as ransomware loaders.
</p>

<p style="text-align:center;">
	<img alt="hacker.gif" class="ipsImage" data-ratio="56.81" height="405" width="720" src="https://thehackernews.com/images/-_HEXX-QeDA0/YMm2WiFYtMI/AAAAAAAAC4Q/ZP8qRRTM8p8QMIx-BiG-nM-inaeZb9JDgCLcBGAsYHQ/s728-e1000/hacker.gif" />
</p>

<p>
	The brokers, which were identified by tracking the backdoor access advertised on hacking forums, include TA800, TA577, TA569, TA551 (Shathak), TA570, TA547, TA544 (Bamboo Spider), TA571, TA574, and TA575, with overlaps observed between various threat actors, malware, and ransomware deployments.
</p>

<p>
	For example, both TA577 and TA551 have been found to use IcedID as an initial access payload to deliver Egregor, Maze, and REvil ransomware, while TA800 has employed BazaLoader to deploy Ryuk on targeted systems.
</p>

<p>
	In a hypothetical attack chain, a threat actor could send an email with a malware-infected Office document, which, when opened, drops the first-stage payload to maintain persistent backdoor access. This access can then be sold to a second threat actor, who exploits it to deploy a Cobalt Strike beacon to pivot across the broader network and deploy the ransomware laterally.
</p>

<p style="text-align:center;">
	<img alt="ransomware-hackers.jpg" class="ipsImage" data-ratio="52.78" height="375" width="720" src="https://thehackernews.com/images/-au65aE2ovhY/YMm2slaFTtI/AAAAAAAAC4Y/1q8-PyCafGQlJqxhw1smbNBajuR1GxucACLcBGAsYHQ/s728-e1000/ransomware-hackers.jpg" />
</p>

<p>
	That said, attacks that rely on email messages to directly distribute ransomware, as malicious attachments or embedded hyperlinks, remain a threat, albeit at lower volumes. Proofpoint noted that it identified 54 ransomware campaigns distributing a little over one million messages over the past year.
</p>

<p>
	"Short dwell times, high payouts, and collaboration across cybercriminal ecosystems have led to a perfect storm of cybercrime that the world's governments are taking seriously," the researchers concluded. "It is possible with new disruptive efforts focused on the threat and growing investments in cyber defense across supply chains, ransomware attacks will decrease in frequency and efficacy."
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">644</guid><pubDate>Wed, 16 Jun 2021 14:44:36 +0000</pubDate></item><item><title>Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping</title><link>https://nsaneforums.com/news/security-privacy-news/critical-throughtek-flaw-opens-millions-of-connected-cameras-to-eavesdropping-r643/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping</strong></span>
</p>

<p>
	The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued an advisory regarding a critical software supply-chain flaw impacting ThroughTek's software development kit (SDK) that could be abused by an adversary to gain improper access to audio and video streams.
</p>

<p>
	"Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds," CISA said in the alert.
</p>

<p>
	ThroughTek's point-to-point (P2P) SDK is widely used by IoT devices with video surveillance or audio/video transmission capability such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors to provide remote access to the media content over the internet.
</p>

<p>
	Tracked as CVE-2021-32934 (CVSS score: 9.1), the shortcoming affects ThroughTek P2P products, versions 3.1.5 and earlier, as well as SDK versions carrying the nossl tag, and stems from a lack of sufficient protection when transferring data between the local device and ThroughTek's servers.
</p>

<p>
	The flaw was reported by Nozomi Networks in March 2021, which noted that the use of vulnerable security cameras could leave critical infrastructure operators at risk by exposing sensitive business, production, and employee information.
</p>

<p style="text-align:center;">
	<img alt="ThroughTek-hack.jpg" class="ipsImage" data-ratio="29.31" height="208" width="720" src="https://thehackernews.com/images/-IWeuT7_NAfw/YMmgI3fC8yI/AAAAAAAAC4I/g1VSHkCzqOMIEbtEI_i1wE72xu9nBpNHwCLcBGAsYHQ/s728-e1000/ThroughTek-hack.jpg" />
</p>

<p>
	"The [P2P] protocol used by ThroughTek lacks a secure key exchange [and] relies instead on an obfuscation scheme based on a fixed key," the San Francisco-headquartered IoT security firm said. "Since this traffic traverses the internet, an attacker that is able to access it can reconstruct the audio/video stream."
</p>

<p>
	To demonstrate the vulnerability, the researchers created a proof-of-concept (PoC) exploit that deobfuscates on-the-fly packets from the network traffic.
</p>

<p>
	ThroughTek recommends that original equipment manufacturers (OEMs) using SDK 3.1.10 and above enable AuthKey and DTLS, and that those relying on an SDK version prior to 3.1.10 upgrade the library to version 3.3.1.0 or v3.4.2.0 and enable AuthKey/DTLS.
</p>

<p>
	Since the flaw affects a software component that's part of the supply chain for many OEMs of consumer-grade security cameras and IoT devices, exploitation could effectively breach the security of those devices, enabling an attacker to access and view confidential audio or video streams.
</p>

<p>
	"Because ThroughTek's P2P library has been integrated by multiple vendors into many different devices over the years, it's virtually impossible for a third-party to track the affected products," the researchers said.
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/critical-throughtek-flaw-opens-millions.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">643</guid><pubDate>Wed, 16 Jun 2021 14:40:17 +0000</pubDate></item><item><title>A backdoor in mobile phone encryption from the '90s still exists</title><link>https://nsaneforums.com/news/security-privacy-news/a-backdoor-in-mobile-phone-encryption-from-the-90s-still-exists-r638/</link><description><![CDATA[<p>
	<span style="font-size:26px;"><strong>A backdoor in mobile phone encryption from the '90s still exists</strong></span>
</p>

<p>
	The encryption algorithm GEA-1 was implemented in mobile phones in the 1990s to encrypt data connections. Since then, it has been kept secret. Now, a research team from Ruhr-Universität Bochum (RUB), together with colleagues from France and Norway, has analyzed the algorithm and has come to the following conclusion: GEA-1 is so easy to break that it must be a deliberately weak encryption that was built in as a backdoor. Although the vulnerability is still present in many modern mobile phones, it no longer poses any significant threat to users, according to the researchers.
</p>

<p>
	<strong>Backdoors not useful according to researchers</strong>
</p>

<p>
	"Even though intelligence services and ministers of the interior understandably want such backdoors to exist, they are not at all useful," says Professor Gregor Leander, Head of the Workgroup for Symmetric Cryptography. "After all, they are not the only ones who can exploit these vulnerabilities, any other attackers can exploit them as well. Our research shows: once a backdoor is implemented, it is very difficult to remove it." Accordingly, GEA-1 should have disappeared from mobile phones as early as 2013; at least that's what the mobile phone standards say. However, the research team found the algorithm in current Android and iOS smartphones.
</p>

<p>
	For the study, a team led by Dr. Christof Beierle, Dr. David Rupprecht, Lukas Stennes and Professor Gregor Leander from RUB collaborated with colleagues from Université de Rennes and Université Paris-Saclay as well as the French research institute Center Inria de Paris and the Norwegian research institute Simula UiB in Bergen. The team will present its findings at the Eurocrypt conference in October 2021. The paper has been available online since 16 June 2021.
</p>

<p>
	The project was embedded in the Bochum Cluster of Excellence CASA (short for Cyber Security in the Age of Large-Scale Adversaries), which aims at enabling sustainable IT security against large-scale attackers, most importantly nation states.
</p>

<p>
	<strong>Lottery win more likely than weak code being a coincidence</strong>
</p>

<p>
	The IT security experts received the GEA-1 and GEA-2 algorithms from a source who wishes to remain anonymous and first verified their authenticity. The ciphers had been used to encrypt data traffic over the 2G network, for example when sending emails or visiting websites. The researchers analyzed exactly how the algorithms work. They showed that GEA-1 generates encryption keys that are subdivided into three parts, two of which are almost identical. Due to this architecture, the keys are relatively easy to guess.
</p>

<p>
	According to the Bochum-based team, the properties that render the cipher so insecure can't have happened by accident. "According to our experimental analysis, having six correct numbers in the German lottery twice in a row is about as likely as having these properties of the key occur by chance," as Christof Beierle illustrates.
</p>

<p>
	<strong>GEA-2 algorithm likewise weak—but unintentionally so</strong>
</p>

<p>
	The IT experts also scrutinized the GEA-2 algorithm. It is hardly more secure than GEA-1. "GEA-2 was probably an attempt to set up a more secure successor to GEA-1," assumes Gregor Leander. "GEA-2 was hardly better, though. But at least this algorithm doesn't seem to be intentionally insecure."
</p>

<p>
	The encryption that GEA-1 and GEA-2 produce is so weak that live encrypted data sent over 2G could be decrypted and read. Today, most data traffic is sent over the 4G network, also called LTE. Moreover, the data is now protected with additional transport encryption. Therefore, the researchers assume that the old vulnerabilities that still exist no longer pose a serious threat to users.
</p>

<p>
	<strong>Manufacturers don't adhere to standards</strong>
</p>

<p>
	GEA-1 was not supposed to be implemented in mobile devices from 2013 onward. "The fact that it is still happening shows that manufacturers are not following the standard properly," explains David Rupprecht. Through the mobile phone association GSMA, the Bochum-based group contacted the manufacturers before publishing their data to give them the opportunity to remove GEA-1 through software updates. In addition, they contacted ETSI, the organisation responsible for telecommunications standards, to have GEA-2 removed from phones as well. ETSI has decided that in future smartphones should no longer support GEA-2.
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-06-backdoor-mobile-encryption-90s.html" rel="external nofollow">Source</a></strong>
</p>

]]></description><guid isPermaLink="false">638</guid><pubDate>Wed, 16 Jun 2021 14:14:12 +0000</pubDate></item><item><title>AV-Comparatives Real-World Protection Test Feb-May 2021</title><link>https://nsaneforums.com/news/security-privacy-news/av-comparatives-real-world-protection-test-feb-may-2021-r634/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>AV-Comparatives Real-World Protection Test Feb-May 2021</strong></span>
</p>

<p>
	<a href="https://www.av-comparatives.org/comparison/?usertype=consumer&amp;chart_chart=chart2&amp;chart_year=2021&amp;chart_month=Feb-May&amp;chart_sort=1&amp;chart_zoom=2" rel="external nofollow">https://www.av-comparatives.org/comparison/?usertype=consumer&amp;chart_chart=chart2&amp;chart_year=2021&amp;chart_month=Feb-May&amp;chart_sort=1&amp;chart_zoom=2</a>
</p>
]]></description><guid isPermaLink="false">634</guid><pubDate>Wed, 16 Jun 2021 13:26:05 +0000</pubDate></item></channel></rss>
