<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/18/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>The Tweens Down Under: Life Without Social Media in Australia</title><link>https://nsaneforums.com/news/security-privacy-news/the-tweens-down-under-life-without-social-media-in-australia-r30868/</link><description><![CDATA[<h3>
	As Australia rolls out a ban on social media for kids under 16, tech companies face steep fines and teens face life without TikTok, Instagram, and other platforms. Will it work?
</h3>

<p>
	Starting on December 10, many Australian teenagers will no longer be as online as their peers in other countries. The Social Media Minimum Age Bill, passed in 2024, stipulates that a person must be at least 16 years old to have an account on platforms like <a href="https://www.wired.com/tag/instagram/" rel="external nofollow">Instagram</a>, <a href="https://www.wired.com/tag/tiktok/" rel="external nofollow">TikTok</a>, <a href="https://www.wired.com/tag/snapchat/" rel="external nofollow">Snapchat</a>, and <a href="https://www.wired.com/tag/youtube/" rel="external nofollow">YouTube</a>.
</p>

<p>
	Across the world, people young and old are increasingly recognizing the negative impacts that <a href="https://www.wired.com/category/business/social-media/" rel="external nofollow">social media</a> has on adolescents. Nearly half of teenagers in the US claim these platforms <a href="https://www.pewresearch.org/internet/2025/04/22/teens-social-media-and-mental-health/" rel="external nofollow">harm people their age</a>; parents are even more concerned. While several US states have <a href="https://www.ncsl.org/technology-and-communication/social-media-and-children-2024-legislation" rel="external nofollow" target="_blank">introduced legislation</a> to safeguard kids online, a national ban seems far off.
</p>

<p>
	Australia, by contrast, fast-tracked its prohibition: Annabel West, a lawyer and mother in Adelaide, read Jonathan Haidt’s book <em>The Anxious Generation</em>, and told her husband—South Australia premier Peter Malinauskas—that he had to do something. He proposed legislation in his small state, and it rapidly gained support across the country. A few months later, the social media ban was signed into law, making Australia the first country in the world to make such a move.
</p>

<p>
	“Parents want their kids off their phones and on the footy field,” Prime Minister Anthony Albanese told the <a href="https://www.abc.net.au/news/2024-09-09/government-plans-social-media-porn-site-age-limit/104329920" rel="external nofollow" target="_blank">Australian Broadcasting Corporation</a> last fall after the national ban was proposed. “So do I.”
</p>

<p>
	The legislation has seen resounding support among Australian parents and legislators. It passed in Parliament with an overwhelming, bipartisan majority; <a href="https://au.yougov.com/politics/articles/51000-support-for-under-16-social-media-ban-soars-to-77-among-australians" rel="external nofollow" target="_blank">77 percent</a> of Australians support the ban. Perhaps unsurprisingly, it’s less popular with tech companies—who may face fines if they can’t keep kids off their platforms—and with teenagers themselves.
</p>

<p>
	“At first it seemed like a good idea, but over time, I’ve become more and more against it,” says Elena Mitrevska, an 18-year-old who lives in Melbourne. “I honestly think it is removing spaces for connection and community.”
</p>

<p>
	More than most teens, Mitrevska has a say in how the social media bill’s provisions take shape in real life. She’s a member of the eSafety Youth Council, a group of 17 Australians, ages 13 to 24, who advise the country’s eSafety office, which will enforce the new legislation when it goes into effect in December. They didn’t vote on the bill, but now they have input on how it’ll be enacted. (Mitrevska and the other teenagers quoted in this article are expressing their own views, not the views of the eSafety Youth Council or Commissioner.)
</p>

<p>
	Like other members of the council, Mitrevska believes that social media can be harmful for young people, especially in terms of addictive design and graphic material shared in online communities. But she worries an outright ban won’t get to the root of the problem. “It seems really disingenuous to me to remove entire online spaces for young people, versus just talking and trying to fix those particular issues,” she says. “It really feels like an attempt to bury young people’s heads in the sand.”
</p>

<p>
	Australian regulators disagree. They believe the ban will give adults the chance to teach kids some internet literacy one-on-one before they are fully immersed in social media. The goal is to improve mental health outcomes while putting the onus on tech companies to verify the ages of their users.
</p>

<p>
	“We’re aware that delaying children’s access to social media accounts won’t solve everything but it will introduce some friction in a system that has previously had none,” eSafety Commissioner Julie Inman Grant tells WIRED via email. She emphasized that it’s designed to let parents set the ground rules, “giving them valuable time to help their children develop the resilience, critical thinking and digital literacy they need.”
</p>

<p>
	Mitrevska stresses that for many teenagers, social media platforms are where they develop beliefs and community. She has used apps like TikTok and Instagram to find other young people who are politically engaged; it’s also been transformative in terms of exploring her own identity. “I grew up believing a lot of homophobic rhetoric, and the thing that got me out of that spiral was YouTube short films from art colleges,” she says. “There’s no phonebook for finding other gay kids like you, and social media is really great for that.”
</p>

<p>
	When the ban passed last year, tech companies warned it could <a href="https://www.reuters.com/world/asia-pacific/australian-pm-albanese-says-social-media-firms-now-have-responsibility-protect-2024-11-28/" rel="external nofollow">send teens</a> to darker corners of the internet. Facing fines of nearly 50 million Australian dollars ($32 million), they’re now figuring out how they’ll keep kids under 16 off their platforms. They can ask for government ID, or perhaps use facial scanning technology, but the specific mechanisms each platform will use—and how kids might try to get around them—have yet to be determined.
</p>

<p>
	Raghu Vijayan, a 17-year-old from Adelaide on the eSafety Youth Council, believes that the social media bill is a start—although he cautions that a ban alone isn’t enough. He also stresses that turning 16 doesn’t immediately equip someone with the tools to handle social media; it isn’t as though “they’re going to magically learn how to deal with harmful content,” especially if they’ve been shielded from it. He believes the law needs to be paired with comprehensive education about social media, tailored by young people, and a social media trial period, like a learner’s permit before a driver’s license.
</p>

<p>
	Vijayan also worries that the ban will discourage young people from reporting dangerous content or experiences online. The bill states that while social media companies will be fined, teenagers won’t be prosecuted for accessing platforms, “but if you’re a young person, you probably won’t remember that,” he says. That’s part of the role of the Youth Council: to help the eSafety Commission structure its regulatory guidance and communicate the law to young people in a way that they’ll trust.
</p>

<p>
	Vijayan wishes that social media companies would make the changes themselves. “They’ve allowed cyber bullying, echo chambers, and harmful content, and they’ve created a system where image-based abuse is allowed to fester, so we think the onus should be on them to try and design a system to solve it,” he says. “Then we wouldn’t have to ban social media for young people.”
</p>

<p>
	For adults, the idea of doing away with social media for young people is appealing. Work like Haidt’s <em>The Anxious Generation</em> calls for a return to an earlier time, one where kids made friends by playing outside and sustained relationships in-person. But teenagers know that social media is the water they swim in.
</p>

<p>
	“There’s such a big focus on bringing back adolescence and protecting childhood, but removing social media for under-16s isn’t going to make being under 16 like it was before social media,” says Mitrevska. “It’s such an integrated part of daily life.” Despite the negative impacts, these platforms are where young people learn and spend their social lives; without investment in alternative spaces, the ban will leave a sizable gap.
</p>

<p>
	The members of the Youth Council are focused on how to help 16-year-olds safely navigate social media for the first time. “I feel personal expertise comes from experience, so if young people are not spending that time in digital spaces, they’re going to enter those spaces again much less informed and in a way, much more vulnerable,” says Mitrevska. As with any pressing issue, the teens are looking for answers on social media and in the group chat.
</p>

<p>
	<a href="https://www.wired.com/story/kids-social-media-australia-ban/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 19 August 2025 at 2:53 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">30868</guid><pubDate>Mon, 18 Aug 2025 16:54:47 +0000</pubDate></item><item><title>Google admits to anti-competitive conduct in Australia</title><link>https://nsaneforums.com/news/security-privacy-news/google-admits-to-anti-competitive-conduct-in-australia-r30863/</link><description><![CDATA[<p>
	Google has admitted to engaging in anti-competitive conduct in Australia related to exclusive agreements with Telstra and Optus for pre-installing Google Search on Android phones. The agreements, which were in place between December 2019 and March 2021, required the two telcos to exclusively pre-install Google Search and not other search engines. In exchange, Google gave the two companies a portion of its ad revenue from searches conducted on these devices.
</p>

<p>
	The <a href="https://www.accc.gov.au/media-release/google-admits-anti-competitive-conduct-involving-google-search-in-australia" rel="external nofollow">admission from the search giant</a> was made as part of Federal Court proceedings where Google has agreed to a joint submission for a $55 million penalty. However, the court is still to determine if this penalty and other orders are appropriate.
</p>

<p>
	In addition to admitting anti-competitive behavior, Google has signed a court-enforceable undertaking with the Australian Competition &amp; Consumer Commission (ACCC) to address broad competition concerns from 2017 onwards. An important caveat to note is that Google doesn’t agree with the ACCC’s broad concerns but has offered to resolve them.
</p>

<p>
	As part of this undertaking, Google commits to removing certain pre-installation and default search engine restrictions from its contracts with Android phone manufacturers and telcos.
</p>

<p>
	ACCC Chair Gina Cass-Gottlieb said that the outcome will create the “potential for millions of Australians to have greater search choice.” She said that the agreements were illegal because they can lead to less choice and worse service for consumers. She also said that the decision allows telcos to configure search services on a device-by-device basis and enter into agreements with other search providers.
</p>

<p>
	The ACCC’s investigation followed concerns that arose during its Digital Platform Services Inquiry. The inquiry’s reports highlighted a need for a new regulatory regime that promotes competition in digital platform services and addresses issues like exclusive pre-installation agreements. The ACCC has also recommended a framework for mandatory service-specific codes for designated digital platforms to address competition issues.
</p>

<p>
	Image via <a href="https://depositphotos.com/" rel="external nofollow">Depositphotos.com</a>
</p>

<p>
	<a href="https://www.neowin.net/news/google-admits-to-anti-competitive-conduct-in-australia/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Monday 18 August 2025 at 6:32 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30863</guid><pubDate>Mon, 18 Aug 2025 08:32:34 +0000</pubDate></item><item><title>U.S. seizes $2.8 million in crypto from Zeppelin ransomware operator</title><link>https://nsaneforums.com/news/security-privacy-news/us-seizes-28-million-in-crypto-from-zeppelin-ransomware-operator-r30854/</link><description><![CDATA[<p>
	The U.S. Department of Justice (DoJ) announced the seizure of more than $2.8 million in cryptocurrency from suspected ransomware operator Ianis Aleksandrovich Antropenko.
</p>

<p>
	Antropenko, indicted in Texas for computer fraud and money laundering, was linked to Zeppelin ransomware, a now-defunct extortion operation that ran between 2019 and 2022.
</p>

<p>
	Apart from the digital asset seizure, the authorities also confiscated $70,000 in cash and a luxury vehicle.
</p>

<p>
	“Antropenko used Zeppelin ransomware to target and attack a wide range of individuals, businesses, and organizations worldwide, including in the United States,” <a href="https://www.justice.gov/opa/pr/justice-department-announces-seizure-over-28-million-cryptocurrency-cash-and-other-assets" rel="external nofollow" target="_blank">reads the U.S. DoJ announcement</a>.
</p>

<p>
	“Specifically, Antropenko and his coconspirators would encrypt and exfiltrate the victim’s data, and typically demand a ransom payment to decrypt the victim’s data, refrain from publishing it, or to arrange the data’s deletion.”
</p>

<p>
	After receiving the ransom payments, Antropenko attempted to launder the amounts on the coin tumbling service ChipMixer, <a href="https://www.bleepingcomputer.com/news/security/chipmixer-platform-seized-for-laundering-ransomware-payments-drug-sales/" rel="external nofollow" target="_blank">seized by authorities</a> in March 2023.
</p>

<p>
	Other money laundering methods Antropenko used include crypto-to-cash exchanges and structured deposits, meaning breaking large sums into smaller deposits to avoid bank reporting rules.
</p>

<p>
	The Zeppelin ransomware came into existence <a href="https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-targets-healthcare-and-it-companies/" rel="external nofollow" target="_blank">in late 2019</a> as a new variant of the VegaLocker/Buran ransomware, targeting healthcare and IT firms through <a href="https://www.bleepingcomputer.com/news/security/screenconnect-msp-software-used-to-install-zeppelin-ransomware/" rel="external nofollow" target="_blank">MSP software flaws</a>.
</p>

<p>
	In 2021, following a period of dormancy, Zeppelin operators <a href="https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-comes-back-to-life-with-updated-versions/" rel="external nofollow" target="_blank">returned with updated versions</a>, though the encryption scheme used in subsequent attacks <a href="https://www.bleepingcomputer.com/news/security/fbi-zeppelin-ransomware-may-encrypt-devices-multiple-times-in-attacks/" rel="external nofollow" target="_blank">indicated sloppiness</a>.
</p>

<p>
	By November 2022 the Zeppelin operation was essentially defunct. It was revealed at that time that security researchers from Unit221b had the decryption key to help victims <a href="https://www.bleepingcomputer.com/news/security/researchers-secretly-helped-decrypt-zeppelin-ransomware-for-2-years/" rel="external nofollow" target="_blank">recover files for free</a> since early 2020.
</p>

<p>
	In January 2024, news came out suggesting that the Zeppelin ransomware source code was <a href="https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-source-code-sold-for-500-on-hacking-forum/" rel="external nofollow" target="_blank">sold on a hacking forum</a> for just $500.
</p>

<p>
	The indictment against Antropenko shows that evidence can lead to unmasking ransomware operators even years after halting their cybercriminal activities.
</p>

<p>
	The seizure of the $2.8 million believed to be from ransom proceeds follows other similar actions that the U.S. authorities announced recently, including the confiscation of cryptocurrency worth <a href="https://www.bleepingcomputer.com/news/security/us-govt-seizes-1-million-in-crypto-from-blacksuit-ransomware-gang/" rel="external nofollow" target="_blank">$1 million from BlackSuit ransomware</a> and $2.4 million worth of <a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-24m-in-bitcoin-from-new-chaos-ransomware-operation/" rel="external nofollow" target="_blank">Bitcoin from Chaos ransomware</a>.
</p>

<p>
	Seizing crime proceeds is vital in the fight against ransomware, especially in cases where no arrests are made, as it prevents operators and affiliates from using those funds to rebuild infrastructure or recruit new members.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/us-seizes-28-million-in-crypto-from-zeppelin-ransomware-operator/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Monday 18 August 2025 at 2:52 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30854</guid><pubDate>Sun, 17 Aug 2025 16:53:36 +0000</pubDate></item><item><title>Microsoft Teams to protect against malicious URLs, dangerous file types</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-teams-to-protect-against-malicious-urls-dangerous-file-types-r30843/</link><description><![CDATA[<p>
	Microsoft recently revealed that it's currently enhancing protection against dangerous file types and malicious URLs in Teams chats and channels.
</p>

<p>
	"Microsoft Teams now blocks messages containing weaponizable file types, such as executables, in chats and channels, increasing protection against malware and other file-based attacks," the company <a href="https://www.microsoft.com/ro-ro/microsoft-365/roadmap?id=499892" rel="external nofollow" target="_blank">said</a> in a Microsoft 365 roadmap update this week.
</p>

<p>
	"Microsoft Teams can now detect and warn users on malicious URLs sent in Teams chat and channels, increasing protection against malware attacks," it <a href="https://www.microsoft.com/ro-ro/microsoft-365/roadmap?id=499893" rel="external nofollow" target="_blank">added</a> in a separate entry.
</p>

<p>
	Both of these features are currently in development and are expected to begin rolling out worldwide across standard Microsoft 365 multi-tenants next month.
</p>

<p>
	On Monday, the company <a href="https://admin.microsoft.com/#/MessageCenter/:/messages/MC1133508" rel="external nofollow" target="_blank">also announced</a> in the Microsoft 365 Message Center that Teams now integrates with the Microsoft Defender for Office 365 Tenant Allow/Block List, enabling security administrators to block incoming communications (chats, channels, meetings, and calls) from blocked domains.
</p>

<p>
	Security admins will also be able to automatically delete existing communications from users in blocked domains and manage blocked external domains in Microsoft Teams via the Microsoft Defender portal.
</p>

<p>
	This feature is now in a targeted release phase and will reach general availability worldwide by late September 2025.
</p>

<p>
	Earlier this year, Microsoft introduced another Teams feature that started rolling out in July 2025, <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-will-soon-block-screen-capture-during-meetings/" rel="external nofollow" target="_blank">preventing users from capturing screenshots</a> of sensitive information shared during meetings.
</p>

<p>
	"To address the issue of unauthorized screen captures during meetings, the Prevent Screen Capture feature ensures that if a user attempts to take a screen capture, the meeting window will turn black, thereby protecting sensitive information," it said.
</p>

<p>
	In January, the company also <a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-alerts-coming-to-everyone-next-month/" rel="external nofollow" target="_blank">reminded Microsoft 365 admins</a> that its new Teams Chat brand impersonation protection feature, designed to alert users of phishing attacks targeting organizations with external Teams access enabled, will be available to all customers by mid-February 2025.
</p>

<p>
	At last year's Enterprise Connect conference, Redmond <a href="https://techcommunity.microsoft.com/blog/microsoftteamsblog/microsoft-teams-building-a-foundation-for-the-future/4090393" rel="external nofollow" target="_blank">announced</a> that Teams had reached over 320 million monthly active users across 181 markets and 44 languages.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-to-protect-against-malicious-urls-dangerous-file-types/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Sunday 17 August 2025 at 7:01 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30843</guid><pubDate>Sat, 16 Aug 2025 21:01:57 +0000</pubDate></item><item><title>Microsoft cautions new Windows 11 / 10 ISO installs must have this Defender update</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-cautions-new-windows-11-10-iso-installs-must-have-this-defender-update-r30842/</link><description><![CDATA[<p>
	This past week Microsoft released the Patch Tuesday updates for August 2025 on Windows 10 (<a href="https://www.neowin.net/news/windows-10-kb5063709--kb5063877--kb5063871--kb5063889-august-2025-patch-tuesday-out/" rel="external nofollow">KB5063709 / KB5063877 / KB5063871 / KB5063889</a>) and for Windows 11 (<a href="https://www.neowin.net/news/windows-11-kb5063878-kb5063875-august-2025-patch-tuesday-out/" rel="external nofollow">KB5063878, KB5063875</a>).
</p>

<p>
	Aside from that, Microsoft also published a new Defender update for <a href="https://www.neowin.net/news/simple-unofficial-windows-11-requirements-bypass-app-for-unsupported-pcs-gets-iso-upgrade/" rel="external nofollow">Windows 11/10/Server installation images</a>. This update package is necessary as a Windows installation image may contain old, outdated anti-malware definitions and software binaries. Aside from better security, these updates can also provide improved performance benefits in some cases.
</p>

<p>
	When a new Windows installation is set up, there may be a temporary security risk due to outdated Microsoft Defender protection in the OS installation images. This happens because the antimalware software included in these images might not be up to date. Thus, Microsoft says that these updated definitions essentially help close this protection gap.
</p>

<p>
	Microsoft delivered the latest security definitions for Windows images via security intelligence update version 1.431.796.0. The Defender package version is also the same.
</p>

<p>
	It applies to Windows 11, Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2022, Windows Server 2019, and Windows Server 2016. Microsoft writes:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>Version information</strong>
	</p>

	<ul>
		<li>
			<p>
				Defender package version: 1.431.796.0
			</p>

			<p>
				 
			</p>
		</li>
	</ul>

	<p>
		This package updates the anti-malware client, anti-malware engine, and signature versions in the OS installation images to the following versions:
	</p>

	<ul>
		<li>
			<p>
				Platform version: 4.18.25070.5
			</p>
		</li>
		<li>
			<p>
				Engine version: 1.1.25070.4
			</p>
		</li>
		<li>
			<p>
				Security intelligence version: 1.431.796.0
			</p>
		</li>
	</ul>
</blockquote>

<p>
	From Microsoft's security bulletin, we learn that the security intelligence update <a href="https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.431.796.0" rel="external nofollow">version 1.431.796.0</a> was released towards the end of last month and adds threat detections for various stealer malware including Lumma, which <a href="https://www.neowin.net/news/microsoft-over-394000-windows-pcs-infected-by-lumma-malware-affects-chrome-edge-firefox/" rel="external nofollow">affected nearly 400,000 systems</a> across the world. Microsoft had already released an <a href="https://www.neowin.net/news/microsoft-warns-new-windows-1110-installation-iso-downloads-must-have-this-defender-update/" rel="external nofollow">earlier Defender update</a> for that, but it looks like some of it was still out there undetected.
</p>

<p>
	You can find more information about it <a href="https://support.microsoft.com/en-us/topic/microsoft-defender-update-for-windows-operating-system-installation-images-1c89630b-61ff-00a1-04e2-2d1f3865450d" rel="external nofollow">in this article</a> on Microsoft's official website. For those wondering, the latest intelligence update is version 1.435.225.0 at the time of writing.
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-cautions-new-windows-11--10-iso-installs-must-have-this-defender-update/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Sunday 17 August 2025 at 6:59 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30842</guid><pubDate>Sat, 16 Aug 2025 21:00:02 +0000</pubDate></item><item><title>NextDNS adds an option to bypass age verification on websites</title><link>https://nsaneforums.com/news/security-privacy-news/nextdns-adds-an-option-to-bypass-age-verification-on-websites-r30836/</link><description><![CDATA[<p>
	NextDNS has introduced a feature that will allow users to bypass age verification requirements on websites that require an ID. It might be useful for users in the U.K., U.S., Europe and other regions where age restrictions are slowly being introduced.
</p>

<p>
	In case you missed it, <a href="https://www.ghacks.net/2025/07/29/microsoft-rolls-out-age-verification-for-xbox-users-in-the-uk/" rel="external nofollow" target="_blank">Xbox</a>, X (Twitter), Reddit, and many other services now require users to submit an ID to prove that they are 18 years old or older in the above-mentioned regions. These measures are being put in place to ensure compliance with local laws such as The Online Safety Bill in the U.K.
</p>

<p>
	Such laws were created to prevent underage users from accessing harmful, inappropriate content, but they have raised <a href="https://www.ghacks.net/2025/07/28/europes-age-verification-proposal-under-flak-for-google-dependency/" rel="external nofollow" target="_blank">privacy concerns</a> among users. Who likes to provide government-issued ID cards, phone numbers, or selfies to websites? One way to work around the issue is to use a VPN to mask your location.
</p>

<p>
	NextDNS' new feature <a href="https://www.reddit.com/r/nextdns/comments/1mpmdtp/nextdns_new_feature_bypass_age_verification/n8m02vx/" rel="external nofollow" target="_blank">reportedly works similarly</a>: it uses DNS-level geo-spoofing. When you visit a website that requires users from a country to verify their age by submitting an ID, the service intercepts the DNS request and routes it to a proxy server located in a different country that doesn't require ID verification.
</p>

<p>
	 
</p>

<p>
	The option to Bypass Age Verification is available in the free version of NextDNS, which is pretty cool. To use it:
</p>

<p>
	 
</p>

<ol>
	<li>
		Go to <a href="https://my.nextdns.io/" ipsnoembed="false" rel="external nofollow">https://my.nextdns.io/</a>
	</li>
	<li>
		Log in to your account.
	</li>
	<li>
		Click on the Settings tab.
	</li>
	<li>
		Scroll down the list until you see Bypass Age Verification, and click the button to toggle it.
	</li>
</ol>

<p>
	 
</p>

<p>
	<img alt="NextDNS Bypass Age Verification" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/08/NextDNS-Bypass-Age-Verification.jpg">
</p>

<p>
	 
</p>

<p>
	Note: NextDNS says that users who enable the feature acknowledge that they are legally old enough to access the content.
</p>

<p>
	 
</p>

<p>
	According to users, NextDNS' new feature does not work for some websites, notably Twitter and Reddit. But it is worth noting that the feature is still in beta, so it might support more websites in the future.
</p>

<p>
	 
</p>

<p>
	Since age verification isn't mandatory for websites in India, I used a VPN with a custom DNS setting to connect to servers in the U.K. There were no prompts for age verification on Reddit, X, etc. Did it work? I'm not sure, because when I disabled NextDNS' setting, the websites still worked fine. I also wanted to know whether it was able to bypass age-restricted videos (e.g. The Witcher 4 trailer) on YouTube, but it failed to do so, probably because YouTube's APIs require users to sign in to their account. <a data-wpel-link="internal" href="https://www.ghacks.net/2025/07/30/youtube-to-use-ai-to-identify-restrict-minors-accounts/" rel="external nofollow" target="_blank">YouTube is testing age estimation</a> in the U.S., by using AI to analyze user accounts, but this could spread to more countries.
</p>

<p>
	 
</p>

<p>
	Some users say they've had success with unblocking access to a few websites, but it's all hearsay for now. It also remains to be seen whether services that are tied to a regional account/currency (like Xbox) will be able to make use of NextDNS' bypass option. In theory, the option to bypass these annoying requirements should make it easier to access social media websites. Perhaps users from the U.K. will have better luck with it.
</p>

<p>
	 
</p>

<p>
	Have you tried NextDNS to get past the verification prompts?
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/08/16/nextdns-adds-an-option-to-bypass-age-verification-on-websites/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Saturday 16 August 2025 at 6:01 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">30836</guid><pubDate>Sat, 16 Aug 2025 08:01:56 +0000</pubDate></item><item><title>Microsoft shares details on a new Teams mandatory security requirement update</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-shares-details-on-a-new-teams-mandatory-security-requirement-update-r30828/</link><description><![CDATA[<p>
	Microsoft has announced that it will introduce updated authentication requirements for the Microsoft Teams PowerShell Module, with enforcement starting on September 15, 2025. The change affects organizations using application-based authentication, particularly those integrating Microsoft Entra applications for backend Teams management or automation. The company has cautioned that failure to deploy the necessary changes in time can lead to "service disruption."
</p>

<p>
	 
</p>

<p>
	According to Microsoft, the update is part of its broader effort to “strengthen security across Microsoft 365 services” and will require Entra applications accessing the Teams PowerShell Module to be “properly scoped and secured.”
</p>

<p>
	 
</p>

<p>
	This change aligns with the company's ongoing security hardening, such as the measure announced in June 2025, when it confirmed that it will be <a automate_uuid="ae28ce53-bdc3-4f11-910d-a8ebe4238984" href="https://www.neowin.net/news/microsoft-365-will-soon-disable-outdated-authentication-protocols-for-file-access/" rel="external nofollow">disabling outdated security protocols</a>, which perhaps coincidentally happened just days after the <a automate_uuid="5cbc45fd-47ac-40de-ac82-9892856b07ef" href="https://www.neowin.net/news/microsoft-365-security-in-the-spotlight-after-washington-post-hack/" rel="external nofollow">Washington Post email hacks</a>.
</p>

<p>
	 
</p>

<p>
	For those not familiar, the Microsoft Teams PowerShell Module is widely used for administrative automation, enabling IT teams to configure policies, manage settings, and control Teams features at scale. It is essentially a set of cmdlets for managing Teams directly from the PowerShell command line and requires Windows PowerShell version 5.1 or PowerShell version 7.2 or later.
</p>

<p>
	 
</p>

<p>
	The message was published on the Microsoft 365 admin center dashboard and it lays out the eligible application permissions that require the update:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>RoleManagement.Read.Directory</strong>: Required for all Entra applications to verify association with an Administrative Unit.
	</li>
	<li>
		<strong>GroupMember.Read.All</strong>: Required if your application uses the following cmdlets:
		<ul>
			<li>
				<code>*-CsGroupPolicyAssignment</code>
			</li>
			<li>
				<code>*-CsGroupPolicyPackageAssignment</code>
			</li>
		</ul>
	</li>
</ul>

<p>
	 
</p>

<p>
	Aside from that, Microsoft has also outlined the steps to "ensure uninterrupted access" by reviewing the affected Entra applications and updating their API permissions. It writes:
</p>

<blockquote class="QuoteNewsStyle">
	1. Review your Entra applications:
	<ul>
		<li>
			Go to <em>Microsoft Entra ID</em> &gt; <em>Roles and administrators</em>.
		</li>
		<li>
			Check the <em>Global Administrator</em>, <em>Teams Administrator</em>, and <em>Skype for Business Administrator</em> roles for any Entra applications or service principals used with Teams PowerShell.
		</li>
	</ul>

	<p>
		2. Update API permissions:
	</p>

	<ul>
		<li>
			Navigate to <em>Microsoft Entra ID</em> &gt; <em>App registrations</em>.
		</li>
		<li>
			Locate the relevant application and add the following permissions:
			<ul>
				<li>
					<code>GroupMember.Read.All</code>
				</li>
				<li>
					<code>RoleManagement.Read.Directory</code>
				</li>
			</ul>
		</li>
	</ul>
</blockquote>

<p>
	Those with access to the Microsoft 365 admin center can view the message under ID MC1134747.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-shares-details-on-a-new-teams-mandatory-security-requirement-update/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Saturday 16 August 2025 at 4:58 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30828</guid><pubDate>Fri, 15 Aug 2025 18:59:40 +0000</pubDate></item><item><title>Microsoft explains how a key Windows feature can lead to theft of your entire encrypted data</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-explains-how-a-key-windows-feature-can-lead-to-theft-of-your-entire-encrypted-data-r30794/</link><description><![CDATA[<p>
	At Black Hat USA 2025 and DEF CON 33, the Security Testing &amp; Offensive Research at Microsoft (STORM) team disclosed new vulnerabilities in the Windows Recovery Environment (WinRE) that can be exploited to bypass BitLocker and extract protected user data. This is concerning since WinRE is one of the most essential Windows features, and it is accessible by holding the Shift key and clicking the Restart option from the Windows logon screen.
</p>

<p>
	 
</p>

<p>
	For those who may not be familiar, <a automate_uuid="ec5d973a-aeca-41e3-8dcb-dec310942ab4" href="https://www.neowin.net/news/amid-windows-11-data-loss-fears-ubuntu-tests-new-feature-that-windows-users-will-want/" rel="external nofollow">BitLocker, referred to as Device Encryption</a> (DE) on Windows, provides data‑at‑rest protection using Full Volume Encryption (FVE) and is one of the few Windows features that protects data against physical attackers.
</p>

<p>
	 
</p>

<p>
	Following BitLocker’s introduction, Microsoft introduced several changes to the WinRE to ensure that Windows recovery remained possible even when the BitLocker-encrypted Windows OS drive was inaccessible. These measures included:
</p>

<p>
	 
</p>

<ul>
	<li>
		Relocating WinRE.wim from the encrypted OS volume to an unencrypted recovery partition for accessibility during failures,
	</li>
	<li>
		Implementing Trusted WIM Boot to verify the image against a known‑good hash before auto‑unlocking the OS volume, and
	</li>
	<li>
		Adding a volume re‑lock mechanism triggered by risky tools such as Command Prompt, requiring the BitLocker recovery key to restore access.
	</li>
</ul>

<p>
	 
</p>

<p>
	According to the team, once Trusted WIM Boot validation passes, WinRE is in its auto‑unlock state and parses files from unprotected partitions, specifically the EFI system partition and the recovery volume. They identified multiple vulnerabilities in WinRE and its boot procedure, adding that this attack surface was negligible before the BitLocker-induced WinRE changes.
</p>

<p>
	 
</p>

<p>
	<img alt="Windows BitLocker encrypted volume" class="ipsImage" height="239" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/08/1755121928_bitlocker_encrypted_volume.webp">
</p>

<p>
	 
</p>

<p>
	To reduce the attack surface, Microsoft recommends enabling TPM with a PIN for pre‑boot authentication, which limits exposure solely to the TPM and thus lowers reliance on auto‑unlock mechanisms. It has also advised enabling the REVISE mitigation (under <a automate_uuid="18f2446b-fabf-4a8b-b57b-44f39bb1cdf6" href="https://www.neowin.net/news/tags/kb5025885/" rel="external nofollow">KB5025885</a>) to secure against <a automate_uuid="abb122c5-fdb4-438f-87ec-fe36430371fe" href="https://www.neowin.net/news/microsoft-posts-guidance-for-cve-2024-21302-vbs-flaw-that-downgrades-modern-windows-pcs/" rel="external nofollow">downgrade attacks</a>.
</p>

<p>
	 
</p>

<p>
	These vulnerabilities are tracked under IDs CVE-2025-48800, CVE-2025-48003, CVE-2025-48804, and CVE-2025-48818, and they were patched on Windows 11 and Windows 10 with the July 2025 Patch Tuesday. Since patches are cumulative, you can also download and install the latest August patches for <a automate_uuid="9275292b-fb73-4aa1-bd0d-1379f479e81b" href="https://www.neowin.net/news/windows-11-kb5063878-kb5063875-august-2025-patch-tuesday-out/" rel="external nofollow">Windows 11 (KB5063878, KB5063875)</a> and <a automate_uuid="4703c56b-9301-4eeb-904b-cab5281e9104" href="https://www.neowin.net/news/windows-10-kb5063709--kb5063877--kb5063871--kb5063889-august-2025-patch-tuesday-out/" rel="external nofollow">Windows 10 (KB5063709 / KB5063877 / KB5063871 / KB5063889)</a>, which were released yesterday.
</p>

<p>
	 
</p>

<p>
	You can read the findings in more detail <a automate_uuid="556d2d57-e0f0-4136-a5c9-8f64ddbe5fa4" href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/bitunlocker-leveraging-windows-recovery-to-extract-bitlocker-secrets/4442806" rel="external nofollow">here</a> in the official blog post.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-explains-how-a-key-windows-feature-can-lead-to-theft-of-your-entire-encrypted-data/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 14 August 2025 at 12:52 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30794</guid><pubDate>Thu, 14 Aug 2025 02:52:34 +0000</pubDate></item><item><title>New downgrade attack can bypass FIDO auth in Microsoft Entra ID</title><link>https://nsaneforums.com/news/security-privacy-news/new-downgrade-attack-can-bypass-fido-auth-in-microsoft-entra-id-r30793/</link><description><![CDATA[<p>
	Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking.
</p>

<p>
	 
</p>

<p>
	These weaker login channels are vulnerable to adversary-in-the-middle phishing attacks that employ tools like Evilginx, enabling attackers to snatch valid session cookies and hijack the accounts.
</p>

<p>
	 
</p>

<p>
	Although the attack doesn't prove a vulnerability in FIDO itself, it shows that the system can be bypassed, which is a crucial weakness.
</p>

<p>
	 
</p>

<p>
	This is especially worrying considering the increased adoption of FIDO-based authentication in critical environments, a consequence of the technology being touted as extremely phishing-resistant.
</p>

<p>
	 
</p>

<p>
	FIDO passkeys are a passwordless authentication method based on the FIDO2 and WebAuthn standards, designed to eliminate the weaknesses of passwords and traditional multi-factor authentication (MFA).
</p>

<p>
	 
</p>

<p>
	When a user registers a passkey, their device generates a pair of keys (private + public), which are used for solving a random, unique challenge during login onto online services, verifying the user's identity.
</p>

<p>
	 
</p>

<p>
	As only the user's device holds the correct private key, which isn't transmitted anywhere during the login process, there's nothing phishing actors can intercept.
</p>

<h2>
	Downgrading and bypassing FIDO
</h2>

<p>
	The new downgrade attack created by <a href="https://www.proofpoint.com/us/blog/threat-insight/dont-phish-let-me-down-fido-authentication-downgrade" rel="external nofollow" target="_blank">Proofpoint researchers</a> employs a custom phishlet within the Evilginx adversary-in-the-middle (AiTM) framework to spoof a browser user agent that lacks FIDO support.
</p>

<p>
	 
</p>

<p>
	Specifically, the researchers spoof Safari on Windows, which is <a href="https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-compatibility" rel="external nofollow" target="_blank">not compatible</a> with FIDO-based authentication in Microsoft Entra ID.
</p>

<p>
	 
</p>

<p>
	"This seemingly insignificant gap in functionality can be leveraged by attackers," explains Proofpoint researcher Yaniv Miron.
</p>

<p>
	 
</p>

<p>
	"A threat actor can adjust the AiTM to spoof an unsupported user agent, which is not recognized by a FIDO implementation. Subsequently, the user would be forced to authenticate through a less secure method. This behavior, observed on Microsoft platforms, is a missing security measure."
</p>

<p>
	 
</p>

<p>
	When the target clicks a phishing link delivered via email, SMS, or an OAuth consent prompt, they are directed to a phishing site running the custom phishlet. As this is an AiTM attack, the legitimate Microsoft Entra ID form is proxied by the phishing platform and shown to the targeted user.
</p>

<p>
	 
</p>

<p>
	Because the phishlet spoofs an unsupported browser user agent, Microsoft Entra ID turns off FIDO authentication and instead returns an error.
</p>

<p>
	 
</p>

<p>
	This error prompts the user to choose an alternate verification fallback method, such as the Microsoft Authenticator app, SMS code, or OTP.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Login error (left) and fallback options (right)" class="ipsImage" height="462" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/1.jpg">
		<figcaption>
			<em>Login error (left) and fallback options (right)<br>
			Source: Proofpoint</em>
		</figcaption>
	</figure>
</div>

<p>
	If the user uses one of the alternative methods, the AiTM proxy intercepts both their account credentials and the MFA token or session cookie.
</p>

<p>
	 
</p>

<p>
	The attacker then imports the stolen cookie into their own browser, granting full access to the victim's account, which was theoretically phishing-resistant.
</p>

<p>
	 
</p>

<p>
	Proofpoint says it has observed no cases of this technique being used by hackers in the wild yet, as threat actors still focus on easier targets such as accounts lacking MFA protection. Still, the risk is significant, especially in limited, highly targeted attacks.
</p>

<p>
	 
</p>

<p>
	To mitigate risks from this emerging threat, consider turning off fallback authentication methods for your account or activating additional checks and confirmations when such processes are triggered.
</p>

<p>
	 
</p>

<p>
	If a login process suddenly asks for a different method instead of a registered passkey, it's a red flag, and users should abort and verify via official, trusted channels.
</p>

<p>
	 
</p>

<p>
	In July, Expel researchers presented a different FIDO downgrade attack <a href="https://www.bleepingcomputer.com/news/security/threat-actors-try-to-downgrade-fido2-mfa-auth-in-poisonseed-phishing-attack/" rel="external nofollow" target="_blank">dubbed 'PoisonSeed'</a>, where a phishing site stole the target's credentials and initiated a cross-device authentication flow, generating a QR code on the real service's login page and tricking the target into scanning it to approve a login request from a rogue device.
</p>

<p>
	 
</p>

<p>
	Although the concept was interesting, the researchers later discovered that it was practically infeasible due to proximity requirements, which led to the fraudulent authentication requests failing.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-bypass-fido-auth-in-microsoft-entra-id/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 14 August 2025 at 12:50 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30793</guid><pubDate>Thu, 14 Aug 2025 02:51:17 +0000</pubDate></item><item><title>New York claims Zelle&#x2019;s shoddy security enabled a billion dollars in scams</title><link>https://nsaneforums.com/news/security-privacy-news/new-york-claims-zelle%E2%80%99s-shoddy-security-enabled-a-billion-dollars-in-scams-r30792/</link><description><![CDATA[<h3>
	Attorney General Letitia James claims Zelle launched with serious security flaws that made the platform ‘uniquely susceptible to fraud.’
</h3>

<p>
	New York Attorney General Letitia James <a href="https://ag.ny.gov/press-release/2025/attorney-general-james-sues-company-behind-zelle-enabling-widespread-fraud" rel="external nofollow">is suing the banks behind</a> Zelle over claims that their payment platform enabled “massive amounts of fraud” that caused customers to lose more than $1 billion between 2017 and 2023. In <a href="https://ag.ny.gov/sites/default/files/court-filings/people-of-the-state-of-new-york-v-early-warning-services-llc-complaint-2025.pdf" rel="external nofollow">the lawsuit</a>, James alleges Zelle was rushed to market, resulting in a design that made the platform “an obvious conduit for fraudulent activity.”
</p>

<p>
	 
</p>

<p>
	Early Warning Services (EWS), a company owned by major institutions including Bank of America, Capital One, JPMorgan Chase, Wells Fargo, and others, <a href="/2017/9/8/16270238/zelle-app-payment-service-us-banks-venmo-competitor" rel="">launched Zelle in 2017</a> as a way to let customers send money from their bank account to other users on the platform. However, James claims EWS “knew from the beginning that key features of the Zelle network made it uniquely susceptible to fraud” and still “failed to adopt basic safeguards.”
</p>

<p>
	 
</p>

<p>
	One of the alleged issues highlighted in James’ lawsuit is a registration process that “lacked important verification steps,” which enabled scammers to sign up using misleading email addresses that they could use to pose as a government employee or business to trick Zelle customers into sending them money they couldn’t get back. Following government pressure, Zelle <a href="/2023/11/13/23958769/zelle-banks-refunding-imposter-scam-victims" rel="">began paying back</a> victims of imposter scams in 2023.
</p>

<p>
	 
</p>

<p>
	Additionally, James claims EWS did not ensure that banks reported customer complaints about fraud in a “timely” manner and falsely advertised the service as a “safe” money transfer tool. “Even when EWS did receive reports of fraud, it failed to promptly remove the fraudsters from the Zelle network or require banks to reimburse consumers for certain scams,” James alleges.
</p>

<p>
	 
</p>

<p>
	The lawsuit touches on many of the same points as the one <a href="/2024/12/20/24325923/cfpb-zelle-lawsuit-widespread-fraud" rel="">initially filed</a> by the Consumer Financial Protection Bureau. In March, <a href="/news/624157/cfpb-lets-banks-off-the-hook-and-drops-zelle-lawsuit" rel="">the CFPB dropped its lawsuit</a> against Zelle amid the Trump administration’s <a href="/policy/612933/cfpb-tech-team-gutted-trump-doge-elon-musk" rel="">attempt to dismantle</a> the agency and the <a href="/news/604685/trump-cfpb-head-rohit-chopra-fired" rel="">firing of former head Rohit Chopra</a>, who had taken an aggressive approach to tech regulation. That still hasn’t stopped <a href="/news/696786/lawmakers-warren-blumenthal-zelle-scams-bank-letters" rel="">scrutiny from federal lawmakers</a> — and now, New York’s attorney general.
</p>

<p>
	 
</p>

<p>
	Zelle spokesperson Eric Blankenbaker pushed back on these claims in a statement to <em>The Verge</em>, saying Zelle “leads the fight to stop fraud and scams” in the US. “This lawsuit is a political stunt to generate press, not progress,” Blankenbaker says. “The Attorney General wants to hand criminals a blueprint for guaranteed payouts with no consequences, opening the floodgates to more scams, not less. That’s bad policy and puts consumers at greater risk.”
</p>

<p>
	 
</p>

<p>
	Attorney General James claims EWS violated New York law and is asking for restitution and damages for all New Yorkers harmed by scams on Zelle. “I look forward to getting justice for the New Yorkers who suffered because of Zelle’s security failures,” James said in the press release.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/news/758827/new-york-zelle-scams-fraud-lawsuit" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Thursday 14 August 2025 at 12:49 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">30792</guid><pubDate>Thu, 14 Aug 2025 02:50:18 +0000</pubDate></item><item><title>Microsoft rolls out August 2025 security patches for Exchange Server</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-rolls-out-august-2025-security-patches-for-exchange-server-r30769/</link><description><![CDATA[<p>
	Earlier today, we reported that <a automate_uuid="eb159faf-61a3-4429-8bdd-267097b5984c" href="https://www.neowin.net/news/a-new-exchange-privilege-escalation-flaw-exposes-hybrid-servers/" rel="external nofollow">Microsoft is tracking a high-severity security flaw in hybrid Exchange Server deployments</a> that enables an attacker who has gained on-prem administrative rights to take control of the Exchange Online environment too. Now, the Redmond tech firm has released security updates (SUs) for Exchange Server to address the issue, alongside rolling out Patch Tuesday updates for <a automate_uuid="7d3ab3e0-7dd0-44c9-8237-d255afccfbed" href="https://www.neowin.net/news/windows-10-kb5063709--kb5063877--kb5063871--kb5063889-august-2025-patch-tuesday-out/" rel="external nofollow">Windows 10</a> and <a automate_uuid="c00312f6-8db1-4aa6-b229-f58352f0a7ff" href="https://www.neowin.net/news/windows-11-kb5063878-kb5063875-august-2025-patch-tuesday-out/" rel="external nofollow">Windows 11</a>.
</p>

<p>
	 
</p>

<p>
	Following the discovery of vulnerabilities in Exchange Server deployments, Microsoft has released SUs for <a automate_uuid="5d65a39b-9d31-423a-99da-d7f21f2e2686" href="https://www.neowin.net/news/exchange-server-subscription-edition-is-here-but-its-biggest-changes-are-still-to-come/" rel="external nofollow">Exchange Server Subscription Edition (SE)</a>, Exchange Server 2019 CU14 and CU15, and Exchange Server 2016 CU23. Exchange Server deployments not running any of the aforementioned cumulative updates (CUs) should first install a supported CU. It is important to note that these SUs are not applicable to Exchange Online environments since those are already protected from these cybersecurity vulnerabilities.
</p>

<p>
	 
</p>

<p>
	In addition, Microsoft has highlighted that the November 2024 SU for Exchange Server introduced enhancements to the Antimalware Scan Interface (AMSI) integration, allowing scanning of the HTTP message body. This will now be enabled by default once you install the August 2025 SUs, but if you notice performance degradation, you can refer to <a automate_uuid="19f11e0b-6b85-4ecb-bcaf-195d527123d6" href="https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/amsi-integration-with-exchange" rel="external nofollow">this guidance</a> to disable HTTP body scanning in AMSI.
</p>

<p>
	 
</p>

<p>
	Microsoft has recommended that customers install the latest SUs on all Exchange Servers within their organizations, even if they are only used to run the Exchange Server Management Tools. The download links to the SUs for applicable Exchange Server deployments can be found below:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a automate_uuid="fc8b68b0-1a2f-4b80-98be-9df97ec62d40" href="https://www.microsoft.com/en-us/download/details.aspx?id=108335" rel="external nofollow">Security Update for Exchange Server Subscription Edition SU1 (KB5063224)</a>
	</li>
	<li>
		<a automate_uuid="897dc0b4-2fc3-4123-88fe-a5965fb4cd45" href="https://www.microsoft.com/en-us/download/details.aspx?id=108336" rel="external nofollow">Security Update for Exchange Server 2019 CU14 SU6 (KB5063222)</a>
	</li>
	<li>
		<a automate_uuid="98b226f0-c6ec-43e0-bfbf-4ac9b1796fff" href="https://www.microsoft.com/en-us/download/details.aspx?id=108334" rel="external nofollow">Security Update for Exchange Server 2019 CU15 SU3 (KB5063221)</a>
	</li>
	<li>
		<a automate_uuid="0f4c0c19-b797-41b1-84af-2edfd48e7d24" href="https://www.microsoft.com/en-us/download/details.aspx?id=108333" rel="external nofollow">Security Update for Exchange Server 2016 CU23 SU17 (KB5063223)</a>
	</li>
</ul>

<p>
	 
</p>

<p>
	Since Exchange Server SUs are cumulative in nature, you'll receive all previous security updates along with the patch for the recent <strong>CVE-2025-53786</strong> vulnerability once you install the August 2025 SUs.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-rolls-out-august-2025-security-patches-for-exchange-server/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 13 August 2025 at 5:41 pm AEST (my time).</em></span>
</p>


<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong>
</p>
]]></description><guid isPermaLink="false">30769</guid><pubDate>Wed, 13 Aug 2025 07:42:07 +0000</pubDate></item><item><title>Australian court finds Apple, Google guilty of being anticompetitive</title><link>https://nsaneforums.com/news/security-privacy-news/australian-court-finds-apple-google-guilty-of-being-anticompetitive-r30753/</link><description><![CDATA[<p>
	Apple and Google have been dealt a big blow in a Federal Court trial in Australia. The App Store and Google Play Store were deemed to be anticompetitive.
</p>

<p>
	 
</p>

<p>
	Epic Games had sued Apple and Google in 2020, due to their app markets' 30% commission fees, and the removal of Fortnite from the two stores. <a data-wpel-link="external" href="https://www.smh.com.au/technology/apple-google-lose-out-to-fortnite-developer-in-landmark-ruling-20250812-p5mmai.html" rel="external nofollow" target="_blank">The Sydney Morning Herald</a> reports that the lawsuits began 5 years ago as four separate cases, but since some issues overlapped, they were heard as a single trial.
</p>

<p>
	 
</p>

<p>
	Epic may have lost its <a data-wpel-link="internal" href="https://www.ghacks.net/2023/04/25/apple-wins-antitrust-suit-against-epic-games/" rel="external nofollow" target="_blank">antitrust battle against Apple</a> in the U.S., but it won its <a data-wpel-link="internal" href="https://www.ghacks.net/2025/08/01/google-loses-its-appeal-against-epic-games/" rel="external nofollow" target="_blank">lawsuit against Google</a>, which was found to have built an illegal monopoly in the Android market.
</p>

<p>
	 
</p>

<p>
	Its case in Australia was based on similar claims. Epic claimed that the tech giants maintained an illegal monopoly over their app markets, and created walled gardens that locked out rival app stores, including its own. Apple and Google argued that these claims were false, and that the restrictions placed on their app stores were there to protect the privacy and security of their users.
</p>

<p>
	 
</p>

<p>
	In a judgment spanning 2,000 pages, Australian Federal Court Justice Jonathan Beach ruled that Apple had a substantial degree of market power. The judge said both Apple and Google had breached Section 46 of Australia’s Competition Act, having abused their market power to stifle competition. But it wasn't all in Epic Games' favor: Beach rejected the claim that Apple and Google had breached consumer law, and he also said that the companies had not engaged in unconscionable conduct.
</p>

<p>
	 
</p>

<p>
	Apple said it welcomed the court's rejection of some of Epic Games' claims, and that it disagreed with the rulings on others. Google also welcomed the rejection of some claims, but disagreed with the characterization of its billing policies, practices, and some partnerships. Google is reviewing the decision, to assess its next steps.
</p>

<p>
	 
</p>

<p>
	Epic Games has said that Fortnite will soon be available in Australia, along with the Epic Games Store for iOS. <a data-wpel-link="internal" href="https://www.ghacks.net/2025/05/21/fortnite-is-back-on-the-ios-app-store/" rel="external nofollow" target="_blank">Fortnite had recently returned</a> to iPhones in the U.S.
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/08/12/australian-court-finds-apple-google-guilty-of-being-anticompetitive/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Wednesday 13 August 2025 at 3:38 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong>
</p>
]]></description><guid isPermaLink="false">30753</guid><pubDate>Tue, 12 Aug 2025 17:40:16 +0000</pubDate></item><item><title>WhatsApp adds a crucial feature to help stop impersonation</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-adds-a-crucial-feature-to-help-stop-impersonation-r30742/</link><description><![CDATA[<p>
	Meta is working on a new feature in WhatsApp for iOS that allows users to add verified Instagram profile links. This is part of a broader effort to bring the feature to both Android and iOS platforms. The feature gives users the ability to add a verification badge next to their Instagram link to confirm that it genuinely belongs to the user, reducing the risk of impersonation.
</p>

<figure class="image image--expandable">
	<img alt="Verified link in WhatsApp" class="ipsImage" height="720" width="333" src="https://cdn.neowin.com/news/images/uploaded/2025/08/1754920672_wa_instagram_profile_link_verification_feature_ios.webp">
	<figcaption>
		<em>Image via <a automate_uuid="f237f66b-a860-44ff-a062-384726ba65a2" href="https://wabetainfo.com/whatsapp-beta-for-ios-25-22-10-72-whats-new/" rel="external nofollow">WABetaInfo</a></em>
	</figcaption>
</figure>

<p>
	Right now, there is no way to verify a profile link, which means that a malicious user could add a link to a celebrity’s profile and mislead others. In a world where online trust issues are growing, this will be a welcome addition to WhatsApp.
</p>

<p>
	 
</p>

<p>
	To verify an Instagram profile link, users will need to connect their WhatsApp account to Meta’s Accounts Center. The Accounts Center is a centralized hub for managing connected experiences across Meta’s apps, including Facebook, Instagram, and WhatsApp. Using the Accounts Center for verification is entirely optional, and users still have the choice to add unverified links.
</p>

<p>
	 
</p>

<p>
	Users who decide to carry on using unverified profile links will not get the new authenticity label. This forces users to rely on their own judgment to determine whether a link is trustworthy. The new feature creates a two-tiered system of trust on the platform that users may find helpful for security, but it increases Meta’s centralization by requiring users to go through Accounts Center to get the badge.
</p>

<p>
	 
</p>

<p>
	The feature is still under development and will be released in a future update. It’s not even available for most beta users just yet, but a wider expansion is expected before it arrives for stable users. There is no specific release timeline available yet. <a automate_uuid="98816d70-a735-4b8a-ad1f-c6ab4265a444" href="https://wabetainfo.com/whatsapp-beta-for-ios-25-22-10-72-whats-new/" rel="external nofollow">WABetaInfo notes</a> that only Instagram is supported right now, but other services could be supported in the future.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/whatsapp-adds-a-crucial-feature-to-help-stop-impersonation/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 12 August 2025 at 4:34 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30742</guid><pubDate>Mon, 11 Aug 2025 18:35:08 +0000</pubDate></item><item><title>Reddit will block the Internet Archive</title><link>https://nsaneforums.com/news/security-privacy-news/reddit-will-block-the-internet-archive-r30741/</link><description><![CDATA[<h3>
	The company says that AI companies have scraped data from the Wayback Machine, so it’s going to limit what the Wayback Machine can access.
</h3>

<p>
	Reddit says that it has caught AI companies scraping its data from the Internet Archive’s Wayback Machine, so it’s going to start blocking the Internet Archive from indexing the vast majority of Reddit. The Wayback Machine will no longer be able to crawl post detail pages, comments, or profiles; instead, it will only be able to index the Reddit.com homepage, which effectively means Internet Archive will only be able to archive insights into which news headlines and posts were most popular on a given day.
</p>

<p>
	 
</p>

<p>
	“Internet Archive provides a service to the open web, but we’ve been made aware of instances where AI companies violate platform policies, including ours, and scrape data from the Wayback Machine,” spokesperson Tim Rathschmidt tells <em>The Verge</em>.
</p>

<p>
	 
</p>

<p>
	The Internet Archive’s mission is to keep a digital archive of websites on the internet and <a href="https://archive.org/about/" rel="external nofollow">“other cultural artifacts,”</a> and the Wayback Machine is a tool you can use to look at pages as they appeared on certain dates, but Reddit believes not all of its content should be archived that way. “Until they’re able to defend their site and comply with platform policies (e.g., respecting user privacy, re: deleting removed content) we’re limiting some of their access to Reddit data to protect redditors,” Rathschmidt says.
</p>

<p>
	 
</p>

<p>
	The limits will start “ramping up” today, and Reddit says it reached out to the Internet Archive “in advance” to “inform them of the limits before they go into effect,” according to Rathschmidt. He says Reddit has also “raised concerns” about the ability of people to scrape content from the Internet Archive in the past.
</p>

<p>
	 
</p>

<p>
	Reddit has a recent history of cutting off access to scraper tools as AI companies have begun to use (and abuse) them en masse, but it’s willing to provide that data if companies pay. Early last year, Reddit struck <a href="/2024/2/22/24080165/google-reddit-ai-training-data" rel="">a deal with Google</a> covering both Google Search and AI training data, and a few months later it started blocking major search engines from crawling its data <a href="/2024/7/24/24205244/reddit-blocking-search-engine-crawlers-ai-bot-google" rel="">unless they pay</a>. It also said its infamous <a href="/2023/4/18/23688463/reddit-developer-api-terms-change-monetization-ai" rel="">API changes from 2023</a>, which forced some third-party apps to shut down and <a href="/23779477/reddit-protest-blackouts-crushed" rel="">led to protests</a>, were made because those APIs were being abused to train AI models.
</p>

<p>
	 
</p>

<p>
	Reddit also struck an AI deal with <a href="/2024/5/16/24158529/reddit-openai-chatgpt-api-access-advertising" rel="" target="_blank">OpenAI</a>, but it <a href="/ai-artificial-intelligence/679768/reddit-sues-anthropic-alleging-its-bots-accessed-reddit-more-than-100000-times-since-last-july" rel="" target="_blank">sued Anthropic</a> in June, claiming Anthropic was still scraping from Reddit even after Anthropic <a href="/2024/7/31/24210565/reddit-microsoft-anthropic-perplexity-pay-ai-search" rel="" target="_blank">said it</a> wasn’t scraping anymore.
</p>

<p>
	 
</p>

<p>
	The Internet Archive didn’t immediately respond to a request for comment.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/news/757538/reddit-internet-archive-wayback-machine-block-limit" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 12 August 2025 at 4:33 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30741</guid><pubDate>Mon, 11 Aug 2025 18:34:28 +0000</pubDate></item><item><title>Scientists hid secret codes in light to combat video fakes</title><link>https://nsaneforums.com/news/security-privacy-news/scientists-hid-secret-codes-in-light-to-combat-video-fakes-r30739/</link><description><![CDATA[<h3>
	“Video used to be treated as a source of truth, but that’s no longer an assumption we can make.”
</h3>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/GrC6I21URu4?feature=oembed" title="Noise-Coded Illumination" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	It's easier than ever to manipulate video footage to deceive the viewer and increasingly difficult for fact checkers to detect such manipulations. Cornell University scientists developed a new weapon in this ongoing arms race: software that codes a "watermark" into light fluctuations, which in turn can reveal when the footage has been tampered with. The researchers presented the breakthrough over the weekend at SIGGRAPH 2025 in Vancouver, British Columbia, and published a <a href="https://dl.acm.org/doi/10.1145/3742892" rel="external nofollow">scientific paper</a> in June in the journal ACM Transactions on Graphics.
</p>

<p>
	 
</p>

<p>
	“Video used to be treated as a source of truth, but that’s no longer an assumption we can make,” <a href="https://news.cornell.edu/stories/2025/07/hiding-secret-codes-light-protects-against-fake-videos" rel="external nofollow">said</a> co-author <a href="https://www.cs.cornell.edu/abe/group/" rel="external nofollow">Abe Davis</a>, of Cornell University, who first conceived of the idea. “Now you can pretty much create video of whatever you want. That can be fun, but also problematic, because it’s only getting harder to tell what’s real.”
</p>

<p>
	 
</p>

<p>
	Per the authors, those seeking to deceive with video fakes have a fundamental advantage: equal access to authentic video footage, as well as the ready availability of advanced low-cost editing tools that can learn quickly from massive amounts of data, rendering the fakes nearly indistinguishable from authentic video. Thus far, progress on that front has outpaced the development of new forensic techniques designed to combat the problem. One key feature is information asymmetry: an effective forensic technique must have information not available to the fakers that cannot be learned from publicly available training data.
</p>

<p>
	 
</p>

<p>
	Granted, digital watermarking techniques do exist that make good use of information asymmetry, but the authors note that most of those tools fall short on other desired attributes. Other methods may require control over the recording camera or access to the original unmanipulated video. And while a checksum, for example, can determine if a video file has been changed, it can't tell the difference between standard video compression and something malicious, like inserting virtual objects.
</p>

<h2>
	Hiding in the light
</h2>

<figure class="image image--expandable">
	<img alt="Captured video in a conference room with two coded light sources." aria-labelledby="caption-2110871" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/08/code1-1024x422.jpg">
	<figcaption id="caption-2110871">
		<em>Captured video in a conference room with two coded light sources. Credit: Peter Michael et al., 2025</em>
	</figcaption>
</figure>

<figure class="image image--expandable">
	<img alt="Setup for outdoor capture" aria-labelledby="caption-2110872" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/08/code2-1024x550.jpg">
	<figcaption id="caption-2110872">
		<em>Setup for outdoor capture. Credit: Peter Michael et al., 2025</em>
	</figcaption>
</figure>

<p>
	Previously, the Cornell team had figured out how to make small changes to specific pixels to tell if a video had been manipulated or created by AI. But its success depended on the creator of the video using a specific camera or AI model. Their new method, "noise-coded illumination" (NCI), addresses those and other shortcomings by hiding watermarks in the apparent noise of light sources. A small piece of software can do this for computer screens and certain types of room lighting, while off-the-shelf lamps can be coded via a small attached computer chip.
</p>

<p>
	 
</p>

<p>
	“Each watermark carries a low-fidelity time-stamped version of the unmanipulated video under slightly different lighting. We call these code videos,” <a href="https://news.cornell.edu/stories/2025/07/hiding-secret-codes-light-protects-against-fake-videos" rel="external nofollow">Davis said</a>. “When someone manipulates a video, the manipulated parts start to contradict what we see in these code videos, which lets us see where changes were made. And if someone tries to generate fake video with AI, the resulting code videos just look like random variations.” Because the watermark is designed to look like noise, it's difficult to detect without knowing the secret code.
</p>

<p>
	 
</p>

<p>
	The Cornell team tested their method with a broad range of types of manipulation: changing warp cuts, speed and acceleration, for instance, and compositing and deep fakes. Their technique proved robust to things like signal levels below human perception; subject and camera motion; camera flash; human subjects with different skin tones; different levels of video compression; and indoor and outdoor settings.
</p>

<p>
	 
</p>

<p>
	“Even if an adversary knows the technique is being used and somehow figures out the codes, their job is still a lot harder,” <a href="https://news.cornell.edu/stories/2025/07/hiding-secret-codes-light-protects-against-fake-videos" rel="external nofollow">Davis said</a>. “Instead of faking the light for just one video, they have to fake each code video separately, and all those fakes have to agree with each other.” That said, Davis added, “This is an important ongoing problem. It’s not going to go away, and in fact it's only going to get harder.”
</p>

<p>
	 
</p>

<p>
	DOI: ACM Transactions on Graphics, 2025. <a href="http://dx.doi.org/10.1145/3742892" rel="external nofollow">10.1145/3742892</a>  (<a href="http://arstechnica.com/science/news/2010/03/dois-and-their-discontents-1.ars" rel="external nofollow">About DOIs</a>).
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/science/2025/08/scientists-hid-secret-codes-in-light-to-combat-video-fakes/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Tuesday 12 August 2025 at 4:31 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30739</guid><pubDate>Mon, 11 Aug 2025 18:32:03 +0000</pubDate></item><item><title>The biggest heist of all time involved over $14 billion of crypto being stolen - and it went undetected for five years</title><link>https://nsaneforums.com/news/security-privacy-news/the-biggest-heist-of-all-time-involved-over-14-billion-of-crypto-being-stolen-and-it-went-undetected-for-five-years-r30722/</link><description><![CDATA[<h3>
	Five years of silence before exposure
</h3>

<ul>
	<li>
		<strong>LuBian’s weak encryption gave a hacker complete access to 127,000 Bitcoins without alert</strong>
	</li>
	<li>
		<strong>A gaming PC and time were all the hacker needed to breach crypto's “safest” platform</strong>
	</li>
	<li>
		<strong>Over 5,000 wallets compromised and no alarms triggered as billions silently vanished</strong>
	</li>
</ul>

<p>
	 
</p>

<p id="6e73c24b-1133-4598-9983-ac4130f7d51d">
	What began as a silent infiltration into one of the world’s largest cryptocurrency mining pools has now been confirmed as the biggest crypto theft in history.
</p>

<p>
	 
</p>

<p>
	The LuBian mining pool, once a dominant force in the Bitcoin network, quietly lost over 127,000 Bitcoins in 2020.
</p>

<p>
	 
</p>


<p id="6e73c24b-1133-4598-9983-ac4130f7d51d-2">
	The breach was only uncovered in 2025 by Arkham Intelligence, revealing a staggering $14.5 billion worth of stolen assets that had remained untouched and undetected for half a decade.
</p>


<h2 id="a-historic-breach-hidden-in-plain-sight-3">
	A historic breach hidden in plain sight
</h2>

<p id="cd2c02fb-d1e2-4575-bef2-e58e65bd58c0">
	The scale of this theft eclipses even the infamous Mt. Gox incidents of the early 2010s: although Mt. Gox saw a higher number of Bitcoins disappear, the significantly lower value of Bitcoin at the time made the financial loss far smaller in comparison.
</p>

<p>
	 
</p>

<p>
	By contrast, the LuBian hack, valued at around $3.5 billion when it occurred, has since ballooned to $14.5 billion due to the rise in Bitcoin prices.
</p>

<p>
	 
</p>

<p>
	Despite the passage of time, the hacker has held onto all the stolen funds, with no signs of large-scale laundering or spending.
</p>

<p>
	 
</p>

<p>
	Arkham’s investigation suggests that the LuBian breach likely exploited a fundamental weakness in the platform’s security architecture.
</p>

<p>
	 
</p>

<p>
	Its private key generation reportedly relied on only 32 bits of entropy, a dangerously low figure by cryptographic norms, which allowed the attacker to brute-force the keys with nothing more than a gaming PC and patience.
</p>

<p>
	 
</p>

<p>
	The implication is that critical digital assets were being guarded with the digital equivalent of a paper lock.
</p>

<p>
	 
</p>

<p>
	The hacker, who reportedly compromised over 5,000 wallets, used the vulnerability to access and siphon nearly all of LuBian’s Bitcoin holdings.
</p>

<p>
	 
</p>

<p>
	The mining pool itself disappeared from the network in 2021, only a few months after the theft.
</p>

<p>
	 
</p>

<p>
	LuBian had once boasted of being the “safest high-yielding mining pool,” a claim now overshadowed by its catastrophic collapse.
</p>

<p>
	 
</p>

<p>
	This incident calls attention to the broader issue of cyber hygiene within crypto infrastructure.
</p>

<p>
	 
</p>

<p>
	The use of comprehensive <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.techradar.com/news/best-internet-security-suites" href="https://www.techradar.com/news/best-internet-security-suites" rel="external nofollow">security suites</a>, robust encryption methods, and advanced <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.techradar.com/best/firewall" href="https://www.techradar.com/best/firewall" rel="external nofollow">firewall protections</a> should be non-negotiable - yet even among top-tier players, critical oversights remain alarmingly common.
</p>

<p>
	 
</p>

<p>
	The lack of transparency around the breach until 2025 also raises questions about how many similar attacks may have gone unnoticed.
</p>

<p>
	 
</p>

<p>
	The hacker has now been arrested, but the LuBian case is a reminder of the consequences of weak digital security.
</p>

<p>
	 
</p>

<p>
	It also shows how easily <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.techradar.com/best/best-identity-theft-protection" href="https://www.techradar.com/best/best-identity-theft-protection" rel="external nofollow">identity theft</a> and systemic failures can converge in the largely unregulated world of cryptocurrency.
</p>

<p>
	 
</p>

<p>
	Via <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.tomshardware.com/tech-industry/cryptocurrency/usd3-5-billion-bitcoin-hack-from-2020-dwarfs-mt-gox-in-value-is-worth-usd14-5-billion-today-intelligence-firm-uncovers-heist-that-shuttered-6th-largest-bitcoin-mining-pool" href="https://www.tomshardware.com/tech-industry/cryptocurrency/usd3-5-billion-bitcoin-hack-from-2020-dwarfs-mt-gox-in-value-is-worth-usd14-5-billion-today-intelligence-firm-uncovers-heist-that-shuttered-6th-largest-bitcoin-mining-pool" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">Tom's Hardware</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.techradar.com/pro/security/the-biggest-heist-of-all-time-involved-over-usd14bn-of-crypto-being-stolen-and-it-went-undetected-for-five-years" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Sunday 10 August 2025 at 5:19 pm AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30722</guid><pubDate>Sun, 10 Aug 2025 07:21:16 +0000</pubDate></item><item><title>Encryption made for police and military radios may be easily cracked</title><link>https://nsaneforums.com/news/security-privacy-news/encryption-made-for-police-and-military-radios-may-be-easily-cracked-r30717/</link><description><![CDATA[<h3>
	An encryption algorithm can have weaknesses that could allow an attacker to listen in.
</h3>

<p>
	Two years ago, researchers in the Netherlands <a href="https://www.wired.com/story/tetra-radio-encryption-backdoor/" rel="external nofollow">discovered an intentional backdoor</a> in an encryption algorithm baked into radios used by critical infrastructure–as well as police, intelligence agencies, and military forces around the world–that made any communication secured with the algorithm vulnerable to eavesdropping.
</p>

<p>
	 
</p>

<p>
	When the researchers publicly disclosed the issue in 2023, the European Telecommunications Standards Institute (ETSI), which developed the algorithm, advised anyone using it for sensitive communication to deploy an end-to-end encryption solution on top of the flawed algorithm to bolster the security of their communications.
</p>

<p>
	 
</p>

<p>
	But now the same researchers have found that at least one implementation of the end-to-end encryption solution endorsed by ETSI has a similar issue that makes it equally vulnerable to eavesdropping. The encryption algorithm used for the device they examined starts with a 128-bit key, but this gets compressed to 56 bits before it encrypts traffic, making it easier to crack. It’s not clear who is using this implementation of the end-to-end encryption algorithm, nor if anyone using devices with the end-to-end encryption is aware of the security vulnerability in them.
</p>

<p>
	 
</p>

<p>
	The end-to-end encryption the researchers examined, which is expensive to deploy, is most commonly used in radios for law enforcement agencies, special forces, and covert military and intelligence teams that are involved in national security work and therefore need an extra layer of security. But ETSI’s endorsement of the algorithm two years ago to mitigate flaws found in its lower-level encryption algorithm suggests it may be used more widely now than at the time.
</p>

<p>
	 
</p>

<p>
	In 2023, Carlo Meijer, Wouter Bokslag, and Jos Wetzels of security firm <a data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.midnightblue.nl/" href="https://www.midnightblue.nl/" rel="external nofollow" target="_blank">Midnight Blue</a>, based in the Netherlands, discovered vulnerabilities in encryption algorithms that are part of a European radio standard created by ETSI called TETRA (Terrestrial Trunked Radio), which has been baked into radio systems made by Motorola, Damm, Sepura, and others since the ’90s. The flaws remained unknown publicly until their disclosure, because ETSI refused for decades to let anyone examine the proprietary algorithms. The end-to-end encryption the researchers examined recently is designed to run on top of TETRA encryption algorithms.
</p>

<p>
	 
</p>

<p>
	The researchers found the issue with the end-to-end encryption (E2EE) only after extracting and reverse-engineering the E2EE algorithm used in a radio made by Sepura. The researchers plan to present their findings today at the Black Hat security conference in Las Vegas.
</p>

<p>
	 
</p>

<p>
	ETSI, when contacted about the issue, noted that the end-to-end encryption used with TETRA-based radios is not part of the ETSI standard, nor was it created by the organization. Instead it was produced by The Critical Communications Association’s (TCCA) security and fraud prevention group (SFPG). But ETSI and TCCA work closely with one another, and the two organizations include many of the same people. Brian Murgatroyd, former chair of the technical body at ETSI responsible for the TETRA standard as well as the TCCA group that developed the E2EE solution, wrote in an email on behalf of ETSI and the TCCA that end-to-end encryption was not included in the ETSI standard “because at the time it was considered that E2EE would only be used by government groups where national security concerns were involved, and these groups often have special security needs.”
</p>

<p>
	 
</p>

<p>
	For this reason, Murgatroyd noted that purchasers of TETRA-based radios are free to deploy other solutions for end-to-end encryption on their radios, but he acknowledges that the one produced by the TCCA and endorsed by ETSI “is widely used as far as we can tell.”
</p>

<p>
	 
</p>

<p>
	Although TETRA-based radio devices are not used by police and military in the US, the majority of police forces around the world do use them. These include police forces in Belgium and Scandinavian countries, as well as Eastern European countries like Serbia, Moldova, Bulgaria, and Macedonia, and in the Middle East in Iran, Iraq, Lebanon, and Syria. The Ministries of Defense in Bulgaria, Kazakhstan, and Syria also use them, as do the Polish military counterintelligence agency, the Finnish defense forces, and Lebanon and Saudi Arabia’s intelligence services. It’s not clear, however, how many of these also deploy end-to-end encryption with their radios.
</p>

<p>
	 
</p>

<p>
	The TETRA standard includes four encryption algorithms—TEA1, TEA2, TEA3 and TEA4—that can be used by radio manufacturers in different products, depending on the intended customer and usage. The algorithms have different levels of security based on whether the radios will be sold in or outside Europe. TEA2, for example, is restricted for use in radios used by police, emergency services, military, and intelligence agencies in Europe. TEA3 is available for police and emergency services radios used outside Europe but only in countries deemed “friendly” to the EU. Only TEA1 is available for radios used by public safety agencies, police agencies, and militaries in countries deemed not friendly to Europe, such as Iran. But it’s also used in critical infrastructure in the US and other countries for machine-to-machine communication in industrial control settings such as pipelines, railways, and electric grids.
</p>

<p>
	 
</p>

<p>
	All four TETRA encryption algorithms use 80-bit keys to secure communication. But the Dutch researchers revealed in 2023 that TEA1 has a feature that causes its key to get reduced to just 32 bits, which allowed the researchers to crack it in less than a minute.
</p>

<p>
	 
</p>

<p>
	In the case of the E2EE, the researchers found that the implementation they examined starts with a key that is more secure than ones used in the TETRA algorithms, but it gets reduced to 56 bits, which would potentially let someone decrypt voice and data communications. They also found a second vulnerability that would let someone send fraudulent messages or replay legitimate ones to spread misinformation or confusion to personnel using the radios.
</p>

<p>
	 
</p>

<p>
	The ability to inject voice traffic and replay messages affects all users of the TCCA end-to-end encryption scheme, according to the researchers. They say this is the result of flaws in the TCCA E2EE protocol design rather than a particular implementation. They also say that “law enforcement end users” have confirmed to them that this flaw is in radios produced by vendors other than Sepura.
</p>

<p>
	 
</p>

<p>
	But the researchers say only a subset of end-to-end encryption users are likely affected by the reduced-key vulnerability because it depends on how the encryption was implemented in radios sold to various countries.
</p>

<p>
	 
</p>

<p>
	ETSI’s Murgatroyd <a data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.zetter-zeroday.com/interview-with-the-etsi-standards/" href="https://www.zetter-zeroday.com/interview-with-the-etsi-standards/" rel="external nofollow" target="_blank">said in 2023</a> that the TEA1 key was reduced to meet export controls for encryption sold to customers outside Europe. He said when the algorithm was created, a key with 32 bits of entropy was considered secure for most uses. Advances in computing power make it less secure now, so when the Dutch researchers exposed the reduced key two years ago, ETSI recommended that customers using TEA1 deploy TCCA's end-to-end encryption solution on top of it.
</p>

<p>
	 
</p>

<p>
	But Murgatroyd said the end-to-end encryption algorithm designed by TCCA is different. It doesn’t specify the key length the radios should use because governments using the end-to-end encryption have their own “specific and often proprietary security rules” for the devices they use. Therefore they are able to customize the TCCA encryption algorithm in their devices by working with their radio supplier to select the “encryption algorithm, key management and so on” that is right for them—but only to a degree.
</p>

<p>
	 
</p>

<p>
	“The choice of encryption algorithm and key is made between supplier and customer organisation, and ETSI has no input to this selection—nor knowledge of which algorithms and key lengths are in use in any system,” he said. But he added that radio manufacturers and customers “will always have to abide by export control regulations.”
</p>

<p>
	 
</p>

<p>
	The researchers say they cannot verify that the TCCA E2EE doesn’t specify a key length because the TCCA documentation describing the solution is protected by a nondisclosure agreement and provided only to radio vendors. But they note that the E2EE system carries an “algorithm identifier” number, which means it specifies the particular algorithm being used for the end-to-end encryption. These identifiers are not vendor specific, the researchers say, which suggests the identifiers refer to different key variants produced by TCCA—meaning TCCA provides specifications for algorithms that use a 126-bit key or a 56-bit key, and radio vendors can configure their devices to use either of these variants, depending on the export controls in place for the purchasing country.
</p>

<p>
	 
</p>

<p>
	Whether users know their radios could have this vulnerability is unclear. The researchers found a confidential 2006 Sepura product bulletin that <a href="https://www.scribd.com/document/237610110/Issue2-MOD-05-166-Crypto-Management-Tools" rel="external nofollow">someone leaked online</a>, which mentions that “the length of the traffic key … is subject to export control regulations and hence the [encryption system in the device] will be factory configured to support 128, 64, or 56 bit key lengths.” But it’s not clear what Sepura customers receive or if other manufacturers whose radios use a reduced key disclose to customers if their radios use a reduced-key algorithm.
</p>

<p>
	 
</p>

<p>
	“Some manufacturers have this in brochures; others only mention this in internal communications, and others don’t mention it at all,” says Wetzels. He says they did extensive open-source research to examine vendor documentation and “found no clear sign of weakening being communicated to end users. So while … there are ‘some’ mentions of the algorithm being weakened, it is not fully transparent at all.”
</p>

<p>
	 
</p>

<p>
	Sepura did not respond to an inquiry from WIRED.
</p>

<p>
	 
</p>

<p>
	But Murgatroyd says that because government customers who have opted to use TCCA’s E2EE solution need to know the security of their devices, they are likely to be aware if their systems are using a reduced key.
</p>

<p>
	 
</p>

<p>
	“As end-to-end encryption is primarily used for government communications, we would expect that the relevant government National Security agencies are fully aware of the capabilities of their end-to-end encryption systems and can advise their users appropriately,” Murgatroyd wrote in his email.
</p>

<p>
	 
</p>

<p>
	Wetzels is skeptical of this, however. “We consider it highly unlikely non-Western governments are willing to spend literally millions of dollars if they know they're only getting 56 bits of security,” he says.
</p>

<p>
	 
</p>

<p>
	<em>This story originally appeared at <a href="https://www.wired.com/story/encryption-made-for-police-and-military-radios-may-be-easily-cracked-researchers-find/" rel="external nofollow">WIRED.com</a>.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/08/encryption-made-for-police-and-military-radios-may-be-easily-cracked/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Sunday 10 August 2025 at 3:25 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong>
</p>
]]></description><guid isPermaLink="false">30717</guid><pubDate>Sat, 09 Aug 2025 17:26:23 +0000</pubDate></item><item><title>WinRAR zero-day exploited to plant malware on archive extraction</title><link>https://nsaneforums.com/news/security-privacy-news/winrar-zero-day-exploited-to-plant-malware-on-archive-extraction-r30712/</link><description><![CDATA[<p>
	A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.
</p>

<p>
	 
</p>

<p>
	The flaw is a directory traversal vulnerability, fixed in WinRAR 7.13, that allows a specially crafted archive to extract files into a file path chosen by the attacker rather than the one the user selected.
</p>

<p>
	 
</p>

<p>
	"When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path," reads the <a href="https://www.win-rar.com/singlenewsview.html?&amp;L=0&amp;tx_ttnews%5Btt_news%5D=283&amp;cHash=a64b4a8f662d3639dec8d65f47bc93c5" rel="external nofollow" target="_blank">WinRAR 7.13 changelog</a>.
</p>

<p>
	 
</p>

<p>
	"Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, also as RAR for Android, are not affected."
</p>

<p>
	 
</p>

<p>
	Using this vulnerability, attackers can create archives that extract executables into autorun paths, such as the Windows Startup folders located at:
</p>

<pre style="margin-left: 40px;"><code>%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (Local to user)
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp (Machine-wide)</code></pre>

<p>
	The next time a user logs in, the executable will automatically run, allowing the attacker to achieve remote code execution.
</p>

<p>
	 
</p>

<p>
	As WinRAR does not include an auto-update feature, it is strongly advised that all users manually download and install the latest version from <a href="https://www.win-rar.com/" rel="external nofollow" target="_blank">win-rar.com</a> so they are protected from this vulnerability.
</p>

<h2>
	Exploited as a zero-day in attacks
</h2>

<p>
	The flaw was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, with Strýček telling BleepingComputer that it was actively exploited in phishing attacks to install malware.
</p>

<p>
	 
</p>

<p>
	"ESET has observed spearphishing emails with attachments containing RAR files," Strýček told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"These archives exploited the CVE-2025-8088 to deliver RomCom backdoors. RomCom is a Russia-aligned group."
</p>

<p>
	 
</p>

<p>
	RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) is a Russian hacking group linked to ransomware and data-theft extortion attacks, along with campaigns focused on stealing credentials.
</p>

<p>
	 
</p>

<p>
	The group is known for its use of <a href="https://www.bleepingcomputer.com/news/security/firefox-and-windows-zero-days-exploited-by-russian-romcom-hackers/" rel="external nofollow" target="_blank">zero-day vulnerabilities in attacks</a> and for custom malware used in <a href="https://www.bleepingcomputer.com/news/security/new-romcom-malware-variant-snipbot-spotted-in-data-theft-attacks/" rel="external nofollow" target="_blank">data-theft attacks</a>, for persistence, and as backdoors.
</p>

<p>
	 
</p>

<p>
	RomCom has previously been linked to numerous ransomware operations, including <a href="https://www.bleepingcomputer.com/news/security/hacker-uses-new-rat-malware-in-cuba-ransomware-attacks/" rel="external nofollow" target="_blank">Cuba</a> and <a href="https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/" rel="external nofollow" target="_blank">Industrial Spy</a>.
</p>

<p>
	 
</p>

<p>
	ESET is working on a report regarding the exploitation, which will be published at a later date.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Saturday 9 August 2025 at 11:56 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30712</guid><pubDate>Sat, 09 Aug 2025 01:57:51 +0000</pubDate></item><item><title>Hackers Went Looking for a Backdoor in High-Security Safes&#x2014;and Now Can Open Them in Seconds</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-went-looking-for-a-backdoor-in-high-security-safes%E2%80%94and-now-can-open-them-in-seconds-r30711/</link><description><![CDATA[<h3>
	Security researchers found two techniques to crack at least eight brands of electronic safes—used to secure everything from guns to narcotics—that are sold with Securam Prologic locks.
</h3>

<p>
	<span class="lead-in-text-callout">About two years</span> ago, security researchers James Rowley and Mark Omo got curious about a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.nytimes.com/2023/09/08/business/liberty-safe-codes.html" href="https://www.nytimes.com/2023/09/08/business/liberty-safe-codes.html" rel="external nofollow" target="_blank">scandal in the world of electronic safes</a>: Liberty Safe, which markets itself as “America’s #1 heavy-duty home and gun safe manufacturer,” had apparently given the FBI a code that allowed agents to open a criminal suspect's safe in response to a warrant related to the <a href="https://www.wired.com/story/capitol-riot-jan-6-pardon-family-threats-reffitt/" rel="external nofollow">January 6, 2021, invasion of the US Capitol building</a>.
</p>

<p>
	 
</p>

<p>
	Politics aside, Rowley and Omo were taken aback to read that it was so easy for law enforcement to penetrate a locked metal box—not even an internet-connected device—that no one but the owner ought to have the code to open. “How is it possible that there's this physical security product, and somebody else has the keys to the kingdom?” Omo asks.
</p>

<p>
	 
</p>

<p>
	So they decided to try to figure out how that backdoor worked. In the process, they'd find something far bigger: another form of backdoor intended to let authorized locksmiths open not just Liberty Safe devices, but the high-security Securam Prologic locks used in many of Liberty’s safes and those of at least seven other brands. More alarmingly, they discovered a way for a hacker to exploit that backdoor—intended to be accessible only with the manufacturer's help—to open a safe on their own in seconds. In the midst of their research, they also found <em>another</em> security vulnerability in many newer versions of Securam's locks that would allow a digital safecracker to insert a tool into a hidden port in the lock and instantly obtain a safe’s unlock code.
</p>

<p>
	 
</p>

<div class="GenericCalloutWrapper-IJXIe iZKNRQ callout--has-top-border" data-event-boundary="click" data-event-click='{"pattern":"GenericCallout"}' data-in-view='{"pattern":"GenericCallout"}' data-include-experiments="true" data-testid="GenericCallout">
	<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
		<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image" style=""><img alt="Image may contain Face Head Person Photography Portrait Clothing TShirt Adult Wristwatch Accessories and Glasses" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/689655d80bcfa0a8b0133c04/master/w_960,c_limit/Hackers_RChurchill_010.jpg"></picture></span>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionText-brNLzD deqABF imSbFE hMBSFK caption__text">Security researchers James Rowley and Mark Omo.</span></em>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso kpuElq caption__credit">Photograph: Ronda Churchill</span></em>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		 
	</div>
</div>

<p>
	At the <a href="https://www.wired.com/tag/defcon/" rel="external nofollow">Defcon</a> hacker conference in Las Vegas today, Omo and Rowley made their findings public for the first time, demonstrating onstage their two distinct methods for opening electronic safes sold with Securam ProLogic locks, which are used to protect everything from personal firearms to cash in retail stores to narcotics in pharmacies.
</p>

<p>
	 
</p>

<p>
	While both their techniques represent glaring security vulnerabilities, Omo says it's the one that exploits a feature intended as a legitimate unlock method for locksmiths that's the more widespread and dangerous. “This attack is something where, if you had a safe with this kind of lock, I could literally pull up the code right now with no specialized hardware, nothing,” Omo says. “All of a sudden, based on our testing, it seems like people can get into almost any Securam Prologic lock in the world.”
</p>

<p>
	 
</p>

<p>
	Omo and Rowley demonstrate both their safecracking methods in the two videos below, which show them performing the techniques on their own custom-made safe with a standard, unaltered Securam ProLogic lock:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/3YAbNJ0FqDc?feature=oembed" title="Securam ProLogic L02 - ResetHeist Demo" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/MYCeUOmPd7k?feature=oembed" title="Securam ProLogic L02 - CodeSnatch Demo" width="200"></iframe>
	</div>
</div>

<h2 class="paywall">
	Security Update? No, Buy a New Lock
</h2>

<p>
	Omo and Rowley say they informed Securam about both their safe-opening techniques in spring of last year, but have until now kept their existence secret because of legal threats from the company. “We will refer this matter to our counsel for trade libel if you choose the route of public announcement or disclosure,” a Securam representative wrote to the two researchers ahead of last year's Defcon, where they first planned to present their research.
</p>

<p>
	 
</p>

<p>
	Only after obtaining pro bono legal representation from the Electronic Frontier Foundation's Coders’ Rights Project did the pair decide to follow through with their plan to speak about Securam's vulnerabilities at Defcon. Omo and Rowley say they're even now being careful not to disclose enough technical detail to help others replicate their techniques, while still trying to offer a warning to safe owners about two different vulnerabilities that exist in many of their devices.
</p>

<p>
	 
</p>

<p>
	When WIRED reached out to Securam for comment, the company’s CEO, Chunlei Zhou, responded in a statement. “The specific ‘vulnerabilities’ alleged by Omo and Rowley are already well known to industry professionals and in fact, also affect other safe lock providers that use similar chips,” Zhou writes. “Delivering any attack based on these vulnerabilities does require specialized knowledge, skills, and equipment, and we have no record of any customer that has ever had even a single safe lock defeated through a use of this attack.”
</p>

<p>
	 
</p>

<p>
	Zhou’s statement goes on to point to other ways safes’ locks can be opened, from drilling and cutting to the use of a locksmith device called a <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.locksmithledger.com/safes/article/12173381/little-black-box" href="https://www.locksmithledger.com/safes/article/12173381/little-black-box" rel="external nofollow" target="_blank">Little Black Box</a>, which exploits vulnerabilities in some brands of electronic safe locks.
</p>

<p>
	 
</p>

<p>
	Omo and Rowley respond that the vulnerabilities they found were not previously known to the public; one of the two does not require <em>any</em> special equipment, despite Zhou’s claim; and none of the other techniques Zhou mentions represents as serious a security flaw as their findings about the Securam ProLogic locks. The brute-force safecracking methods Zhou points to, like cutting and drilling, are far slower and less stealthy—or, like the Little Black Box, are available only to locksmiths and haven’t been publicly shown to be exploitable by unauthorized hackers.
</p>

<p>
	 
</p>

<p>
	Zhou added in his statement that Securam will be fixing the vulnerabilities Omo and Rowley found in future models of the ProLogic lock. “Customer security is our priority and we have begun the process of creating next-generation products to thwart these potential attacks,” he writes. “We expect to have new locks on the market by the end of the year.”
</p>

<p>
	 
</p>

<div class="GenericCalloutWrapper-IJXIe iZKNRQ callout--has-top-border" data-event-boundary="click" data-event-click='{"pattern":"GenericCallout"}' data-in-view='{"pattern":"GenericCallout"}' data-include-experiments="true" data-testid="GenericCallout">
	<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
		<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image" style=""><img alt="Hackers Went Looking for a Backdoor in HighSecurity Safes—and Now Can Open Them in Seconds" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/6896565819138764ed46535c/master/w_960,c_limit/Hackers_RChurchill_006.jpg"></picture></span>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso kpuElq caption__credit">Photograph: Ronda Churchill</span></em>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		 
	</div>
</div>

<p>
	In a follow-up call, Securam director of sales Jeremy Brookes confirmed that Securam has no plan to fix the vulnerability in locks already in use on customers’ safes, but suggests safe owners who are concerned buy a new lock and replace the one on their safe. “We’re not going to be offering a firmware package that upgrades it,” Brookes says. “We’re going to offer them a new product.”
</p>

<p>
	 
</p>

<p>
	Brookes adds that he believes Omo and Rowley are “singling out” Securam with the intention of “discrediting” the company.
</p>

<p>
	 
</p>

<p>
	Omo responds that’s not at all their intent. “We’re trying to make the public aware of the vulnerabilities in one of the most popular safe locks on the market,” he says.
</p>

<h2 class="paywall">
	A Senator’s Warning
</h2>

<p>
	Beyond Liberty Safe, Securam ProLogic locks are used by a wide variety of safe manufacturers including Fort Knox, High Noble, FireKing, Tracker, ProSteel, Rhino Metals, Sun Welding, Corporate Safe Specialists, and pharmacy safe companies Cennox and NarcSafe, according to Omo and Rowley’s research. The locks can also be found on safes used by CVS for storing narcotics and by multiple US restaurant chains for storing cash.
</p>

<p>
	 
</p>

<p>
	Rowley and Omo aren't the first to raise concerns about the security of Securam locks. In March of last year, US senator Ron Wyden wrote an <a href="https://www.wyden.senate.gov/news/press-releases/wyden-urges-ncsc-to-warn-public-about-backdoor-codes-to-commercial-locks-and-safes" rel="external nofollow">open letter</a> to Michael Casey, then director of the National Counterintelligence and Security Center, urging Casey to make clear to American businesses that safe locks made by Securam, which is owned by a Chinese parent company, have a manufacturer reset capability. That capability, Wyden wrote, could be used as a backdoor—a risk that had already led to Securam locks being prohibited for US government use like all other locks with a manufacturer reset, even as they're widely used by private US companies.
</p>

<p>
	 
</p>

<p>
	In response to learning about Rowley and Omo’s research, Wyden wrote in a statement to WIRED that the researchers’ findings represent exactly the risk of a backdoor—whether in safes or in encryption software—that he’s tried to call attention to.
</p>

<p>
	 
</p>

<p>
	“Experts have warned for years that backdoors will be exploited by our adversaries, yet instead of acting on my warnings and those of security experts, the government has left the American public vulnerable,” Wyden writes. “This is exactly why Congress must reject calls for new backdoors in encryption technology and fight all efforts by other governments, <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/" href="https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/" rel="external nofollow" target="_blank">such as the UK</a>, to force US companies to weaken their encryption to facilitate government surveillance.”
</p>

<h2 class="paywall">
	ResetHeist
</h2>

<p>
	Rowley and Omo’s research began with that same concern, that a largely undisclosed unlocking method in safes might represent a broader security risk. They initially went searching for the mechanism behind the Liberty Safe backdoor that had caused a backlash against the company in 2023, and found a relatively straightforward answer: Liberty Safe keeps a reset code for every safe and, in some cases, makes it available to US law enforcement.
</p>

<p>
	 
</p>

<p>
	Liberty Safe has since <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.libertysafe.com/pages/protecting-your-privacy?srsltid=AfmBOoqDvQTJmLYXWXhIraMN3DtvT_r21ywZMSlLqEaXgXjOfnKs4PTz" href="https://www.libertysafe.com/pages/protecting-your-privacy?srsltid=AfmBOoqDvQTJmLYXWXhIraMN3DtvT_r21ywZMSlLqEaXgXjOfnKs4PTz" rel="external nofollow" target="_blank">written on its website</a> that it now requires a subpoena, a court order, or other compulsory legal process to hand over that master code, and will also delete its copy of the code at a safe owner’s request.
</p>

<p>
	 
</p>

<div class="GenericCalloutWrapper-IJXIe gCTXMi callout--has-top-border" data-event-boundary="click" data-event-click='{"pattern":"GenericCallout"}' data-in-view='{"pattern":"GenericCallout"}' data-include-experiments="true" data-testid="GenericCallout">
	<div class="AssetEmbedAssetContainer-eEeytc eRSvCP asset-embed__asset-container">
		<span class="SpanWrapper-zEXFr koTknX responsive-asset AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset"><picture class="ResponsiveImagePicture-cGZhnX jwYQWO AssetEmbedResponsiveAsset-cIfZLr fHIkTW asset-embed__responsive-asset responsive-image" style=""><img alt="Image may contain Mohamed El Shorbagy Purple Face Head Person Photography Portrait Accessories Glasses and Blouse" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/68965728184196b8873ba655/master/w_960,c_limit/Hackers_RChurchill_009.jpg"></picture></span>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionText-brNLzD deqABF imSbFE hMBSFK caption__text">Rowley and Omo planned to reveal the existence of Securam’s vulnerabilities more than a year ago, but held </span></em>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionText-brNLzD deqABF imSbFE hMBSFK caption__text">off until now due to the company’s legal threats.</span></em>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		<em><span class="BaseWrap-sc-gzmcOU BaseText-eqOrNE CaptionCredit-eowWKH deqABF kpqIso kpuElq caption__credit">Photograph: Ronda Churchill</span></em>
	</div>

	<div class="CaptionWrapper-jYrTxZ bkfwbX caption AssetEmbedCaption-fyuOdR eXMqGf asset-embed__caption" data-event-boundary="click" data-event-click='{"pattern":"Caption"}' data-in-view='{"pattern":"Caption"}' data-include-experiments="true" data-testid="caption-wrapper">
		 
	</div>
</div>

<p>
	Rowley and Omo didn't find any security flaw that would allow them to abuse that particular law-enforcement-friendly backdoor. When they started examining the Securam ProLogic lock, however, their research on the higher-end version of the two kinds of Securam lock used on Liberty Safe products revealed something more intriguing. The locks have a reset method documented in their manual, intended in theory for use by locksmiths helping safe owners who have forgotten their unlock code.
</p>

<p>
	 
</p>

<p>
	Enter a “recovery code” into the lock—set to “999999” by default—and it uses that value, another number stored in the lock called an encryption code, and a third, random variable to compute a code that's displayed on the screen. An authorized locksmith can then read that code to a Securam representative over the phone, who then uses that value and a secret algorithm to compute a reset code the locksmith can enter into the keypad to set a new unlock combination.
</p>

<p>
	 
</p>

<p>
	Omo and Rowley found that by analyzing the Securam ProLogic's firmware, however, they could find everything they needed to compute that reset code themselves. “There's no hardware security to speak of,” says Rowley. “So we could reverse engineer the whole secret algorithm just by reading the firmware that's in the lock.” The resulting safecracking method requires little more than punching a few numbers into a Python script they wrote. They call the technique ResetHeist.
</p>

<p>
	 
</p>

<p>
	The researchers note that safe owners can prevent this ResetHeist technique by changing their lock's recovery code or its encryption code. But Securam doesn't recommend that safeguard in any user documentation the researchers could find online, only in a manual for some manufacturers and locksmiths. In another Securam webinar Omo and Rowley found, Securam notes that you can change the codes, but that it’s not necessary, and that the codes are “usually never” changed. In every lock the researchers tested, including a handful they bought used on eBay, the codes hadn't been changed. “We have not bought a lock on which the recovery method didn't work,” Omo says.
</p>

<h2 class="paywall">
	CodeSnatch
</h2>

<p>
	The second technique the researchers developed, which they call CodeSnatch, is more straightforward. By removing the battery from a Securam ProLogic lock and inserting a small handheld tool they made with a Raspberry Pi minicomputer into an exposed debug port inside, they can extract a “super code” combination from the lock that's displayed on their tool's screen and can be used to immediately open the lock.
</p>

<p>
	 
</p>

<p>
	The researchers found the CodeSnatch trick by reverse engineering the Renesas chip that serves as the lock's main processor. That task was made far easier by the work of a group called fail0verflow, which had published its analysis of the same Renesas chip as part of its efforts to crack the PlayStation 4, which also uses that processor. Omo and Rowley built their tool to reprogram the chip's firmware to dump all of its information via the debug port—including the encrypted “super code” and the key, also stored on the chip, that decrypts it. “It's really not that challenging,” says Rowley. “Our little tool does that, and then it tells you what the super code is.”
</p>

<p>
	 
</p>

<p>
	Gaining access to the lock's code via its debug port does require inputting a password. But Omo and Rowley say that password was absurdly simple, and they successfully guessed it. They found that in one newer Securam ProLogic lock manufactured in March of this year, Securam had changed the password, but they were able to learn it again by using a “voltage glitching” technique: By soldering a switch to the voltage regulator on the chip, they could mess with its electrical voltage at the exact moment it performed the password check to bypass that check and then dump the chip's contents—including the new password.
</p>


<figure class="image">
	<img alt="Image may contain Safe" class="ipsImage" height="720" width="720" src="https://media.wired.com/photos/689657841085e94de873a5ce/master/w_960,c_limit/Hackers_RChurchill_008.jpg">
	<figcaption>
		<em>Photograph: Ronda Churchill</em>
	</figcaption>
</figure>

<p>
	In addition to Securam, WIRED reached out to 10 safe manufacturers that appear to use Securam ProLogic locks on their safes, as well as CVS. Most didn’t respond, but a spokesperson for High Noble Safe Company wrote in a statement that WIRED’s inquiry was the first it was learning of Securam’s vulnerabilities, and that it’s now reviewing the security of the locks used by its product line and preparing guidance for customers including “additional physical security measures or potential replacement options.”
</p>


<p>
	A Liberty Safe representative similarly noted the company wasn’t previously aware of Securam’s vulnerabilities. “We are currently investigating this issue with SecuRam and will do whatever it takes to protect our customers,” a statement from the spokesperson reads, “including validating other potential lock suppliers and developing a new proprietary lock system.”
</p>


<p>
	A CVS spokesperson declined to comment on “specific security protocols or devices,” but wrote that “the safety of our employees and patients is a top priority and we are committed to maintaining the highest physical security standards.”
</p>

<h2 class="paywall">
	“Safes That Aren’t Safe”
</h2>

<p>
	Rowley and Omo say that patching Securam locks' security flaws is possible—their own CodeSnatch tool, in fact, could itself be used to update the locks' firmware. But any such fix would have to be implemented manually, lock by lock, a slow and expensive process.
</p>


<p>
	Although Omo and Rowley aren't releasing the full technical details or any proof-of-concept code for their techniques, they warn that others with less benevolent intentions could still figure out how to replicate their safecracking tricks. “If you have the hardware and you're skilled in the art, this would be roughly a one-week thing,” Omo says.
</p>


<p>
	He and Rowley decided to go public with their research despite that risk to make safe owners aware that their locked metal boxes may not be as secure as they think. More broadly, Omo says that they wanted to call attention to the wide gaps in US cybersecurity standards for consumer products. Securam locks are certified by Underwriters Laboratory, he points out—yet suffered from critical security flaws that will be tough to fix. (Underwriters Laboratory did not immediately respond to WIRED’s request for comment.)
</p>


<p>
	In the meantime, they say, safe owners should at least know about their safes' flaws—and not rely on a false sense of security.
</p>


<p>
	“We want Securam to fix this, but more importantly we want people to know how bad this can be,” Omo says. “Electronic locks have electronics inside. And electronics are hard to secure.”
</p>


<p>
	<a href="https://www.wired.com/story/securam-prologic-safe-lock-backdoor-exploits/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Saturday 9 August 2025 at 11:45 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong>
</p>
]]></description><guid isPermaLink="false">30711</guid><pubDate>Sat, 09 Aug 2025 01:55:48 +0000</pubDate></item><item><title>Microsoft disables a key graphics feature in Edge</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-disables-a-key-graphics-feature-in-edge-r30703/</link><description><![CDATA[<p>
	Microsoft has released its new security baseline for its <a automate_uuid="753dbaa5-323d-432f-871d-eec08f5754e0" href="https://www.neowin.net/news/edge-139-is-out-with-big-performance-boost-password-improvements-and-more/" rel="external nofollow">Edge</a> <a automate_uuid="5eac7240-8e94-43aa-bcc5-4817f3c028dc" href="https://www.neowin.net/news/edge-139-is-out-with-big-performance-boost-password-improvements-and-more/" rel="external nofollow">browser version 139</a>; it includes the addition of one setting and the removal of one other. For those who are unaware, these security baselines allow admins to set an organization’s Edge browser settings to the default that Microsoft recommends at any one time.
</p>


<p>
	You can download the new package from the <a automate_uuid="d09c6c84-d3c7-406f-8847-e4643aa9923a" href="https://www.microsoft.com/download/details.aspx?id=55319" rel="external nofollow">Security Compliance Toolkit</a>.
</p>


<p>
	With this update, the company is enforcing the default to disable the <code>EnableUnsafeSwiftShader</code> policy. This will help to mitigate potential risks as malicious web content could exploit vulnerabilities in the renderer. SwiftShader is a software-based renderer that serves as a fallback for WebGL in environments without GPU acceleration, such as virtual machines. With Microsoft’s disabling of it, it seems as though this compatibility tool is now seen as a liability.
</p>


<p>
	The now-disabled SwiftShader was most relevant in virtual machines, which are widely used in enterprises, so this change poses the risk of causing a bit of disruption. While the move is a good one for security, those whom it affects may want to deviate from Microsoft’s security baselines.
</p>


<p>
	The security baseline announcement <a automate_uuid="3e6f07fc-80f6-4ffc-80d3-e916713bf2a8" href="https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-139/4441251" rel="external nofollow">also</a> mentions a new Edge for Business security connectors feature which is designed to integrate the browser with security software for DLP and authentication. Microsoft said that these connectors can close critical gaps in enterprise security. You can learn more on the feature’s <a automate_uuid="dcf21c49-d5cb-42eb-ba28-f324b41fa762" href="https://www.microsoft.com/en-us/edge/business/connectors?form=MA13FJ" rel="external nofollow">landing page</a>.
</p>


<p>
	Microsoft doesn’t seem to have made the change to SwiftShader due to existing vulnerabilities; instead, the move seems to be a proactive security improvement. If you rely on it with your virtual machines, feel free to deviate from Microsoft’s security baseline, but understand you’re no longer following the company’s security advice.
</p>


<p>
	<a href="https://www.neowin.net/news/microsoft-disables-a-key-graphics-feature-in-edge/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Saturday 9 August 2025 at 4:21 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30703</guid><pubDate>Fri, 08 Aug 2025 18:21:57 +0000</pubDate></item><item><title>Here's how hackers can trick Windows Hello into thinking it's you and break into your PC</title><link>https://nsaneforums.com/news/security-privacy-news/heres-how-hackers-can-trick-windows-hello-into-thinking-its-you-and-break-into-your-pc-r30696/</link><description><![CDATA[<p>
	Back in May, Microsoft<a automate_uuid="34703e38-c2cc-4278-bf2b-f1c44b822dce" href="https://www.neowin.net/news/microsoft-ditches-passwords-by-default-for-new-accounts/" rel="external nofollow"> began setting up new accounts to be passwordless by default</a>. In place of passwords, the company pushed users towards options like passkeys and Windows Hello.
</p>


<p>
	Now, German researchers Tillmann Osswald and Dr. Baptiste David have revealed at this year's Black Hat conference in Las Vegas how the business version of Windows Hello can be cracked.
</p>


<p>
	During their live demonstration, Osswald and David <a automate_uuid="8d774f98-8bbf-4f40-94be-bcccecca6197" href="https://www.theregister.com/2025/08/07/windows_hello_hell_no/" rel="external nofollow">showed</a> just how bad it is. After David logged into his machine using his own face, Osswald, acting as the attacker with local admin access, simply ran a few lines of code. He then injected his own facial scan, captured on a different computer, into the target machine's biometric database. Seconds later, he leaned in, and the computer put up no resistance and unlocked for him instantly, accepting his face as if it were David's all along.
</p>


<p>
	To understand how this works, you have to look at the internals. The way Windows Hello works in a business setting is that when it is first provisioned, a public/private key pair is generated. That public key is then registered with the organization's ID provider, like Entra ID.
</p>


<p>
	The biometric data itself, however, is stored in a database managed by the Windows Biometric Service (WBS), and this database is encrypted. Then, upon authentication, the system matches the live scan to the stored template.
</p>


<p>
	The problem is that in some implementations, the encryption protecting that database cannot stop an attacker who has already gained local admin privileges, allowing them to decrypt the biometric data.
</p>


<p>
	Enter <a automate_uuid="9c0e294e-2269-4b91-a159-d8b95d9497f3" href="https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security" rel="external nofollow">Enhanced Sign-in Security (ESS)</a>, Microsoft's answer to the problem that works by isolating the entire biometric authentication process inside a secure environment managed by the system's hypervisor.
</p>


<p>
	But, there's a catch, of course. For ESS to work, a machine needs a very specific set of hardware: a modern 64-bit CPU that supports hardware virtualization (since ESS is built on Virtualization-Based Security), a TPM 2.0 chip, Secure Boot enabled in the firmware, and specially certified biometric sensors. Side note: <a automate_uuid="077e2b4b-a025-4bee-8744-e229cfc3fbdd" href="https://www.neowin.net/news/microsoft-gives-in-makes-recall-an-opt-in-feature-and-introduces-new-privacy-measures/" rel="external nofollow">Microsoft mandates</a> this level of protection for its new line of Copilot+ PCs, but as Osswald notes, many existing computers fall short.
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		ESS is very effective at blocking this attack, but not everyone can use it. For example, we bought ThinkPads around one and a half years ago, but sadly they do not have a secure sensor for the camera because they use AMD chips and not Intel's.
	</p>
</blockquote>

<p>
	Okay, so we have a problem. How do we fix it? According to Osswald and David, a proper patch is very "difficult" or even impossible to implement without a massive redesign, because it hits the fundamental architecture of how non-ESS systems store that biometric data.
</p>


<p>
	For now, if you are on a business machine using Windows Hello without ESS, they recommend that you disable the biometrics entirely and use something like a PIN instead.
</p>


<p>
	The easiest way to check if your machine supports ESS is to go to your system settings. In your account's "Sign-in options", you may find a toggle labeled "Sign in with an external camera or fingerprint reader".
</p>

<figure class="image image--expandable">
	<img alt="Screenshot of Settings - Disable ESS toggle" class="ipsImage" height="376" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/08/1754604747_953ebc85-f854-4e27-89fb-f665682ea28b.webp">
	<figcaption>
		Image: <a automate_uuid="9a8c2cfe-ea13-4081-add5-0c284ac71499" href="https://support.microsoft.com/en-us/windows/enhanced-sign-in-security-in-windows-936c06ed-4024-4521-921f-faa97925a16e" rel="external nofollow">Microsoft</a>
	</figcaption>
</figure>

<p>
	When that switch is off, ESS is active, which also means that the USB fingerprint reader you bought will not work for logging into Windows. Flip it on, and you disable the feature, letting your external peripherals work at the cost of that extra security.
</p>


<p>
	<a automate_uuid="5673dd0d-2515-4729-8e43-7b60e5110bf9" href="https://support.microsoft.com/en-us/windows/enhanced-sign-in-security-in-windows-936c06ed-4024-4521-921f-faa97925a16e" rel="external nofollow">Microsoft says</a> that some "Windows Hello compatible" peripherals can enable ESS on your device. While this does not pose a security risk, it puts you in a bind. The company suggests that if you must use one, you should plug it in before the first boot and basically never unplug it. Full, proper support for external devices with ESS is not even expected until late 2025.
</p>


<p>
	<a href="https://www.neowin.net/news/heres-how-hackers-can-trick-windows-hello-into-thinking-its-you-and-break-into-your-pc/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 8 August 2025 at 5:11 pm AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30696</guid><pubDate>Fri, 08 Aug 2025 07:12:02 +0000</pubDate></item><item><title>Google discovered a new scam&#x2014;and also fell victim to it</title><link>https://nsaneforums.com/news/security-privacy-news/google-discovered-a-new-scam%E2%80%94and-also-fell-victim-to-it-r30688/</link><description><![CDATA[<h3>
	Disclosure comes two months after Google warned the world of ongoing spree.
</h3>

<p>
	In June, Google <a href="https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion" rel="external nofollow">said</a> it unearthed a campaign that was mass-compromising accounts belonging to customers of Salesforce. The means: an attacker pretending to be someone in the customer's IT department feigning some sort of problem that required immediate access to the account. Two months later, Google has disclosed that it, too, was a victim.
</p>


<p>
	The series of hacks is being carried out by financially motivated threat actors out to steal data in hopes of selling it back to the targets at sky-high prices. Rather than exploiting software or website vulnerabilities, they take a much simpler approach: calling the target and asking for access. The technique has proven remarkably successful. Companies whose Salesforce instances have been breached in the campaign, <a href="https://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/" rel="external nofollow">Bleeping Computer reported</a>, include Adidas, Qantas, Allianz Life, Cisco, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany &amp; Co.
</p>

<h2>
	Better late than never
</h2>

<p>
	The attackers abuse a Salesforce feature that allows customers to link their accounts to third-party apps that integrate data with in-house systems for blogging, mapping tools, and similar resources. The attackers in the campaign contact employees and instruct them to connect an external app to their Salesforce instance. As the employee complies, the attackers ask the employee for an eight-digit security code that the Salesforce interface requires before a connection is made. The attackers then use this number to gain access to the instance and all data stored in it.
</p>


<p>
	Google said that its Salesforce instance was among those that were compromised. The breach occurred in June, but Google only disclosed it on Tuesday, presumably because the company only learned of it recently.
</p>


<p>
	“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” the company said.
</p>


<p>
	Data retrieved by the attackers was limited to business information such as business names and contact details, which Google said was “largely public” already.
</p>


<p>
	Google initially attributed the attacks to a group tracked as UNC6040. The company went on to say that a second group, UNC6042, has engaged in extortion activities, “sometimes several months after” the UNC6040 intrusions. This group brands itself under the name ShinyHunters.
</p>


<p>
	“In addition, we believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” Google said. “These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”
</p>


<p>
	With so many companies falling to this scam—including Google, which only disclosed the breach two months after it happened—the chances are good that there are many more we don’t know about. All Salesforce customers should carefully audit their instances to see what external sources have access to them. They should also implement multifactor authentication and train staff how to detect scams before they succeed.
</p>


<p>
	<a href="https://arstechnica.com/information-technology/2025/08/google-sales-data-breached-in-the-same-scam-it-discovered/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 8 August 2025 at 1:13 pm AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30688</guid><pubDate>Fri, 08 Aug 2025 03:13:31 +0000</pubDate></item><item><title>Dashlane Password Manager ends free option: here are your alternatives</title><link>https://nsaneforums.com/news/security-privacy-news/dashlane-password-manager-ends-free-option-here-are-your-alternatives-r30677/</link><description><![CDATA[<p>
	Password managers can be grouped into free, freemium, and commercial-only options. Free and freemium have been the most common options for users. Free tools, like KeePass, and freemium options, like Bitwarden, seem to be the most popular choices.
</p>


<p>
	Dashlane belonged to the freemium group up until now. The developers of the password manager <a data-wpel-link="external" href="https://support.dashlane.com/hc/en-us/articles/28150025262098-FAQ-about-the-Dashlane-Free-plan-discontinuation" rel="external nofollow" target="_blank">announced the discontinuation</a> of the free plan this week.
</p>


<p>
	Starting September 16, 2025, Dashlane Free will no longer be available. Free users of Dashlane may switch to the Premium or Friends &amp; Family plan to continue using the service. Those who do not want to pay for the password manager have until September 16 to export their password data.
</p>


<p>
	Dashlane started to notify all users of the free plan by email about the planned discontinuation of the product. It will upgrade all free users to "a trial of select premium features". During this trial, users have no limitations regarding passwords or passkeys, or the number of devices they may run Dashlane on.
</p>


<p>
	However, users have until September 16, 2025, to either export their passwords or subscribe to a paid plan to continue using Dashlane and accessing their data. <a data-wpel-link="internal" href="https://www.ghacks.net/2023/10/19/dashlane-limits-free-users-to-25-passwords-starting-next-month/" rel="external nofollow">Dashlane started to limit free tier users to 25 passwords in 2023</a>.
</p>

<h3>
	Dashlane Personal Pricing
</h3>

<p>
	Dashlane maintains two plans for non-business users: Premium and Friends &amp; Family. Both share most features, e.g., unlimited passwords, passkeys and devices, secure sharing, dark web monitoring, or real-time phishing alerts. Premium includes a VPN on top of that, which Friends &amp; Family does not provide. The latter is good for up to 10 members, e.g., family members, though.
</p>


<ul>
	<li>
		Dashlane Premium: $4.99 per month
	</li>
	<li>
		Dashlane Friends &amp; Family: $7.49 per month
	</li>
</ul>

<h3>
	Dashlane alternatives
</h3>

<p>
	Dashlane may not be the most expensive password manager out there, but it is not the cheapest either. Here are alternatives for Dashlane that you may consider.
</p>


<ul>
	<li>
		<a data-wpel-link="external" href="https://bitwarden.com/" rel="external nofollow" target="_blank">Bitwarden</a>: open source cross-platform password manager with a generous free version supporting unlimited devices, passwords, passkey management and more. A premium option is available for $1 per month or $10 per year that adds emergency access, security reports, file attachments, and an integrated authenticator to the mix.  Sync passwords using integrated features.
	</li>
	<li>
		<a data-wpel-link="external" href="https://keepass.info/" rel="external nofollow" target="_blank">KeePass</a>: free password manager for Windows, forks support other systems and browsers. Great security and features, but lacks native syncing. You can <a data-wpel-link="internal" href="https://www.ghacks.net/2018/05/28/keepass-password-safe-review/" rel="external nofollow">read my KeePass review here for a general overview of the password manager</a>.
	</li>
	<li>
		<a data-wpel-link="external" href="https://proton.me/pass/" rel="external nofollow" target="_blank">Proton Pass</a>: <a data-wpel-link="external" href="https://proton.me/pass/" rel="external nofollow" target="_blank">another open source password manager</a> by the makers of Proton Mail, VPN and Storage. Free option supports unlimited logins, notes and devices, gives access to all apps and extensions, supports passkeys, and 10 hide-my-email aliases on top. Syncing is supported. Paid plan is $2.99 per month currently. It adds unlimited emails, built-in 2FA authentication, secure vault sharing, dark web monitoring and more.
	</li>
</ul>


<p>
	You should be able to import the Dashlane passwords to these applications.
</p>

<h3>
	Closing Words
</h3>

<p>
	The writing was on the wall. A password manager with a limit on the number of stored passwords is not really a great option. Many Dashlane free users may have moved on after Dashlane announced the limitation in 2023. Now, the remaining users are forced to make a decision.
</p>


<p>
	<em>Now You: have another password manager in mind that would be a good fit for Dashlane users? Feel free to leave a comment down below.</em>
</p>



<p>
	<a href="https://www.ghacks.net/2025/08/07/dashlane-password-manager-ends-free-option-here-are-your-alternatives/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 8 August 2025 at 2:33 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30677</guid><pubDate>Thu, 07 Aug 2025 16:34:10 +0000</pubDate></item><item><title>Wave of 150 crypto-draining extensions hits Firefox add-on store</title><link>https://nsaneforums.com/news/security-privacy-news/wave-of-150-crypto-draining-extensions-hits-firefox-add-on-store-r30676/</link><description><![CDATA[<p>
	A malicious campaign dubbed 'GreedyBear' has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.
</p>


<p>
	The campaign, discovered and documented by Koi Security, impersonates cryptocurrency wallet extensions from well-known platforms such as MetaMask, TronLink, and Rabby.
</p>


<p>
	These extensions are uploaded in a benign form initially, to be accepted by Firefox, and accumulate fake positive reviews.
</p>


<p>
	At a later phase, the publishers strip out the original branding and replace it with new names and logos while also injecting malicious code to steal users' wallet credentials and IP addresses.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Add-on before it turns malicious" class="ipsImage" height="337" width="700" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/add-on.jpg">
		<figcaption>
			<em>Add-on before it turns malicious<br>
			Source: Koi Security</em>
		</figcaption>
	</figure>
</div>

<p>
	The malicious code acts as a keylogger, capturing input from form fields or within displayed popups, which are then sent to the attacker's server.
</p>


<p>
	"The weaponized extensions captures wallet credentials directly from user input fields within the extension’s own popup interface, and exfiltrate them to a remote server controlled by the group," <a href="https://medium.com/@tuval_49118/3e8628831a05" rel="external nofollow" target="_blank">explains Koi Security's Tuval Admoni</a>.
</p>


<p>
	"During initialization, they also transmit the victim’s external IP address, likely for tracking or targeting purposes."
</p>


<p>
	The crypto-draining operation is complemented by dozens of Russian-speaking pirated software websites that facilitate the distribution of 500 distinct malware executables, and also a network of websites impersonating Trezor, Jupiter Wallet, and fake wallet repair services.
</p>


<p>
	In the cases of malware, the payloads include generic trojans, info-stealers (LummaStealer), or even ransomware.
</p>


<p>
	All of these sites are linked to the same IP address, 185.208.156.66, which serves as a command-and-control (C2) hub for the GreedyBear operation.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Fake Jupiter Wallet site" class="ipsImage" height="518" width="700" src="https://www.bleepstatic.com/images/news/u/1220909/2025/August/jupiter.jpg">
		<figcaption>
			<em>Fake Jupiter Wallet site<br>
			Source: Koi Security</em>
		</figcaption>
	</figure>
</div>

<p>
	Koi Security reported its findings to Mozilla, and the offending extensions have been removed from Firefox's add-ons store.
</p>


<p>
	However, its wide scale and apparent ease in execution are a demonstration of how AI can help cybercriminals create large-scale schemes and quickly recover from total takedowns.
</p>


<p>
	"Our analysis of the campaign's code shows clear signs of AI-generated artifacts," explains the report.
</p>


<p>
	"This makes it faster and easier than ever for attackers to scale operations, diversify payloads, and evade detection."
</p>


<p>
	The previous large-scale attack on the Firefox store <a href="https://www.bleepingcomputer.com/news/security/dozens-of-fake-wallet-add-ons-flood-firefox-store-to-drain-crypto/" rel="external nofollow" target="_blank">occurred last month</a>, involving over 40 fake extensions pretending to be wallets from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero.
</p>


<p>
	It's notable that these fraudulent extensions still find their way into the Firefox store despite Mozilla having <a href="https://www.bleepingcomputer.com/news/security/mozilla-launches-new-system-to-detect-firefox-crypto-drainer-add-ons/" rel="external nofollow" target="_blank">deployed a system</a> in June 2025 to detect crypto-drainer add-ons.
</p>


<p>
	Koi Security also reports seeing signs that the operators of GreedyBear are exploring expansion to the Chrome Web Store, as they already spotted a malicious Chrome extension named "Filecoin Wallet" that uses the same data-theft logic and communicates with the same IP address.
</p>


<p>
	To minimize the risk from these threats, always read multiple user reviews and check extension and publisher details before installing add-ons on your browser.
</p>


<p>
	You can find the official wallet extensions on the websites of the projects themselves, either hosted directly or linking to the legitimate add-on on online stores.
</p>


<p>
	BleepingComputer contacted Mozilla and Google about this campaign and their efforts to protect users, and will update this article with any responses.
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/wave-of-150-crypto-draining-extensions-hits-firefox-add-on-store/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Friday 8 August 2025 at 2:31 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30676</guid><pubDate>Thu, 07 Aug 2025 16:32:54 +0000</pubDate></item><item><title>WhatsApp's new "About" feature creates a privacy paradox</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapps-new-about-feature-creates-a-privacy-paradox-r30675/</link><description><![CDATA[<p>
	WhatsApp is rolling out a new feature to beta testers that lets you set a timer on the text in your About section. You can choose between 30 minutes and one day, or a custom duration of up to one month, after which the About text automatically disappears. Meta says the feature gives users more control and reduces outdated information on profiles.
</p>

<p>
	 
</p>

<p>
	The feature is reaching a wider group of beta testers as part of the WhatsApp beta for Android 2.25.22.22 update, but is only available to some users right now. The About section holds a short profile note that is separate from your 24-hour Status update. While this reinforces WhatsApp's position as an ephemeral platform where information disappears, it adds a layer of complexity that some people may find confusing.
</p>

<p>
	 
</p>

<p>
	When you set an About status, it will be displayed in the conversation header and will alternate with your last seen information. You can also set an emoji character if you want to tell people your mood or current activity. When the timer expires, nobody else will be able to see your status, but it will be saved in your private history, accessible only by you.
</p>

<figure class="image image--expandable">
	<img alt="Disappearing About status on WhatsApp" class="ipsImage" height="425" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/08/1754571801_wa_new_about_status_message_timer_duration_feature_android.webp">
</figure>

<p>
	Meta will likely present the feature as a privacy control, but it can equally be read as a way to keep users engaged with their contacts' activity, encouraging oversharing rather than privacy.
</p>

<p>
	 
</p>

<p>
	Although the timer removes the text automatically, users can still update or remove it at any time before it expires. People also need to remember that the About text is different from the traditional 24-hour Status.
</p>

<p>
	 
</p>

<p>
	Users on the stable version of WhatsApp will not yet see the feature, as it’s only coming to a limited number of beta testers. Meta has also not disclosed a full rollout timeline, so while the expanded rollout indicates that it’s getting closer, we don’t know for sure when it will arrive.
</p>

<p>
	 
</p>

<p>
	Source and image via <a automate_uuid="a77de687-1a9d-4b01-8349-e7a1dfffd626" href="https://wabetainfo.com/whatsapp-beta-for-android-2-25-22-22-whats-new/" rel="external nofollow">WABetaInfo</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/whatsapps-new-about-feature-creates-a-privacy-paradox/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Friday 8 August 2025 at 2:30 am AEST (my time).</em></span>
</p>
]]></description><guid isPermaLink="false">30675</guid><pubDate>Thu, 07 Aug 2025 16:31:05 +0000</pubDate></item></channel></rss>
