<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/25/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Windows 11 Administrator protection gets even better, Microsoft explains how</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-administrator-protection-gets-even-better-microsoft-explains-how-r29285/</link><description><![CDATA[<p>
	Around the same time Microsoft released Windows 11 24H2 to the general public, the company also began testing a new security feature called <a href="https://www.neowin.net/news/microsoft-improving-windows-11-update-lock-screen-pinned-apps-with-canary-build-27718/" rel="external nofollow">Administrator protection in the Canary channel</a>. Running with standing elevated privileges means any compromised process inherits them, so the idea was to replace always-on admin rights with just-in-time elevation.
</p>

<p>
	 
</p>

<p>
	Here is how it works. Following the principle of least privilege, Windows gives the user a deprivileged (standard-user) token by default. When a task needs admin rights, Windows asks the user for approval and creates a temporary, isolated admin token for that task alone. The token is destroyed when the task completes, so admin privileges never persist on the session, and the next admin task goes through the approval again. That is the just-in-time part.
</p>

<p>
	 
</p>

<p>
	Administrator protection requires the user to authenticate with Windows Hello before admin rights are granted, for example by facial recognition through the camera, a fingerprint reader, or a PIN.
</p>

<p>
	 
</p>

<p>
	However, with the latest update to Administrator protection, Microsoft says that desktop apps' access to the camera, microphone and location will be switched off by default. Turning it on will require "explicit user consent."
</p>

<p>
	 
</p>

<p>
	Microsoft writes, "Access to sensitive resources such as camera, microphone and location (C/M/L) will soon require explicit user consent. The journey begins with Windows changing the desktop access switch for these resources from default ON to OFF, ensuring users have more control over which apps can access this data."
</p>

<p>
	 
</p>

<p>
	Microsoft adds that developers of apps that need the camera or microphone must make sure those apps work with the default OFF setting before Administrator protection leaves preview.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/windows-11-administrator-protection-gets-even-better-microsoft-explains-how/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of April): 1,811</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">29285</guid><pubDate>Mon, 19 May 2025 19:43:52 +0000</pubDate></item><item><title>Mozilla fixes Firefox zero-days exploited at hacking contest</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-fixes-firefox-zero-days-exploited-at-hacking-contest-r29278/</link><description><![CDATA[<p>
	Mozilla released emergency security updates to address two Firefox zero-day vulnerabilities demonstrated in the recent Pwn2Own Berlin 2025 hacking competition.
</p>

<p>
	 
</p>

<p>
	The fixes, covering Firefox for desktop and Android as well as the two Extended Support Release (ESR) branches, came mere hours after the conclusion of Pwn2Own on Saturday, where the second vulnerability was demonstrated.
</p>

<p>
	 
</p>

<p>
	The first flaw, tracked under <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-4918" rel="external nofollow" target="_blank">CVE-2025-4918</a>, is an out-of-bounds read/write issue in the JavaScript engine when resolving Promise objects.
</p>

<p>
	 
</p>

<p>
	The flaw was demonstrated during <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-vmware-esxi-microsoft-sharepoint-zero-days-at-pwn2own/" rel="external nofollow" target="_blank">Day 2 of the competition</a> by Palo Alto Networks security researchers Edouard Bochin and Tao Yan, who earned $50,000 for their discovery.
</p>

<p>
	 
</p>

<p>
	The second flaw, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-4919" rel="external nofollow" target="_blank">CVE-2025-4919</a>, allows attackers to perform out-of-bounds reads/writes on a JavaScript object by confusing array index sizes.
</p>

<p>
	 
</p>

<p>
	It was demonstrated by security researcher Manfred Paul, who obtained code execution inside the browser's renderer process, winning $50,000 in the process.
</p>

<p>
	 
</p>

<p>
	Although the flaws constitute significant risks for Firefox, with Mozilla rating them "critical" in its bulletins, the vendor underlined that neither researcher was able to escape the sandbox, crediting recent targeted hardening on that front.
</p>

<p>
	 
</p>

<p>
	"Unlike prior years, neither participating group was able to escape our sandbox this year," <a href="https://blog.mozilla.org/security/2025/05/17/firefox-security-response-to-pwn2own-2025/" rel="external nofollow" target="_blank">Mozilla explained in its announcement</a>.
</p>

<p>
	 
</p>

<p>
	"We have verbal confirmation that this is attributed to the recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks."
</p>

<p>
	 
</p>

<p>
	Although there are no indications that the two flaws have been exploited outside of Pwn2Own, their public demonstration could fuel real attacks soon.
</p>

<p>
	 
</p>

<p>
	To mitigate this risk, Mozilla engaged a diverse "task force" from across the globe that worked feverishly to develop fixes for the demonstrated exploits, test them, and push out security updates as soon as possible.
</p>

<p>
	 
</p>

<p>
	Firefox users are recommended to upgrade to <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2025-36/" rel="external nofollow" target="_blank">version 138.0.4</a>, <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2025-37/" rel="external nofollow" target="_blank">ESR 128.10.1</a>, or <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2025-38/" rel="external nofollow" target="_blank">ESR 115.23.1</a>.
</p>

<p>
	 
</p>

<p>
	Pwn2Own Berlin 2025 <a href="https://www.bleepingcomputer.com/news/security/hackers-earn-1-078-750-for-28-zero-days-at-pwn2own-berlin/" rel="external nofollow" target="_blank">concluded on Saturday</a> with over a million USD in payouts and the STAR Labs SG team winning the 'Master of Pwn' title.
</p>

<p>
	 
</p>

<p>
	Two Firefox zero-days were also <a href="https://www.bleepingcomputer.com/news/security/mozilla-fixes-two-firefox-zero-day-bugs-exploited-at-pwn2own/" rel="external nofollow" target="_blank">demonstrated last year at Pwn2Own Vancouver 2024</a>, with Mozilla fixing them the next day.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-zero-days-exploited-at-hacking-contest/" rel="external nofollow">Source</a>
</p>
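<p>
	The upgrade recommendation above is easy to act on for one machine and tedious for a fleet. The following script, an added example rather than Mozilla code, takes Firefox version strings as reported by an inventory tool and tells you whether each one already contains the fixes, using the first fixed release per branch from the three advisories linked above (138.0.4 for the rapid-release channel, 128.10.1 and 115.23.1 for the two ESR branches). Versions on an ESR branch the advisories do not cover come back as unknown rather than being guessed.
</p>

```python
"""Check Firefox version strings against the CVE-2025-4918/4919 fixed releases.

Added example, not Mozilla code. Branch-to-fix mapping comes from the MFSA
2025-36/37/38 advisories referenced in the article.
"""
import re

# First release on each branch that contains the fixes.
FIXED = {
    "esr115": (115, 23, 1),
    "esr128": (128, 10, 1),
    "release": (138, 0, 4),
}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$")


def parse_version(text):
    """'128.10.1esr' -> ((128, 10, 1), True); raises ValueError on anything else."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    numbers = tuple(int(part) if part else 0 for part in m.group(1, 2, 3))
    return numbers, m.group(4) is not None


def branch_for(version, is_esr):
    """Pick the branch whose fixed release applies, or None if the advisories do not cover it."""
    major = version[0]
    if major == 115:
        return "esr115"      # 115.x exists only as ESR at this point
    if major == 128:
        return "esr128"      # same for 128.x
    if is_esr:
        return None          # an ESR branch these advisories say nothing about
    return "release"


def is_patched(text):
    """True if the version includes the fixes, False if not, None if we cannot tell."""
    version, is_esr = parse_version(text)
    branch = branch_for(version, is_esr)
    if branch is None:
        return None
    return version >= FIXED[branch]


def triage(installed_versions):
    """Map each reported version to patched/vulnerable/unknown for a quick report."""
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return {v: labels[is_patched(v)] for v in installed_versions}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    sample = ["138.0.3", "138.0.4", "139.0", "128.10.0esr", "128.10.1esr", "115.23.1esr", "102.15.1esr"]
    for version, verdict in triage(sample).items():
        print(f"{version:>12}  {verdict}")
```

<p>
	Because the comparison is done per branch, an older ESR such as 128.10.1esr is reported as patched even though it is numerically far below 138.0.4, while 137.x on the rapid-release channel is correctly flagged: Mozilla shipped the fix there only as 138.0.4.
</p>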

<p>
	 
</p>

]]></description><guid isPermaLink="false">29278</guid><pubDate>Mon, 19 May 2025 19:34:10 +0000</pubDate></item><item><title>Hackers earn $1,078,750 for 28 zero-days at Pwn2Own Berlin</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-earn-1078750-for-28-zero-days-at-pwn2own-berlin-r29277/</link><description><![CDATA[<p>
	The Pwn2Own Berlin 2025 hacking competition has concluded, with security researchers earning $1,078,750 after exploiting 28 zero-day vulnerabilities, with a few entries ending in bug collisions.
</p>

<p>
	 
</p>

<p>
	Throughout the contest, they targeted enterprise technologies in the AI, web browser, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container, and automotive categories.
</p>

<p>
	 
</p>

<p>
	According to <a href="https://www.zerodayinitiative.com/Pwn2OwnBerlin2025Rules.html" rel="external nofollow" target="_blank">Pwn2Own's rules</a>, all targeted devices had all security updates installed and ran the latest operating system versions.
</p>

<p>
	 
</p>

<p>
	While Tesla also provided 2025 Model Y and 2024 Model 3 bench-top units, no researcher had registered an attempt in the automotive category before Pwn2Own started.
</p>

<p>
	 
</p>

<p>
	Competitors collected $260,000 in cash awards after <a href="https://www.bleepingcomputer.com/news/security/windows-11-and-red-hat-linux-virtualbox-hacked-on-first-day-of-pwn2own/" rel="external nofollow" target="_blank">the first day</a> and another $435,000 on <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-vmware-esxi-microsoft-sharepoint-zero-days-at-pwn2own/" rel="external nofollow" target="_blank">the second day</a>, for a running total of 20 zero-day vulnerabilities exploited across the two days. On <a href="https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results" rel="external nofollow" target="_blank">the third day</a> of Pwn2Own, they collected another $383,750 for eight more zero-days.
</p>

<p>
	 
</p>

<p>
	After these vulnerabilities are demonstrated during Pwn2Own events, vendors have 90 days to release security updates before Trend Micro's Zero Day Initiative publicly discloses them.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Pwn2Own Berlin 2025 third day" class="ipsImage" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2025/Pwn2Own-Berlin-third-day.jpg">
		<figcaption>
			<em>Pwn2Own Berlin 2025 final rankings (ZDI)</em>
		</figcaption>
	</figure>
</div>

<p>
	The STAR Labs SG team won this year's edition of Pwn2Own Berlin with 35 Master of Pwn points and $320,000 earned throughout the three-day contest after hacking Red Hat Enterprise Linux, Docker Desktop, Windows 11, VMware ESXi, and Oracle VirtualBox.
</p>

<p>
	 
</p>

<p>
	STAR Labs' Nguyen Hoang Thach won the competition's highest reward of $150,000 after using an integer overflow exploit to hack the VMware ESXi hypervisor software.
</p>

<p>
	 
</p>

<p>
	Team Viettel Cyber Security took second place after demonstrating zero-day flaws that could let attackers escape to the host system from Oracle VirtualBox guests and hack Microsoft SharePoint using an exploit chain combining an auth bypass and an insecure deserialization.
</p>

<p>
	 
</p>

<p>
	On the third day, team Reverse Tactics again hacked VMware's hypervisor software using an exploit chain abusing an integer overflow and an uninitialized variable bug to earn $112,500 and take third place in the rankings.
</p>

<p>
	 
</p>

<p>
	Mozilla <a href="https://blog.mozilla.org/security/2025/05/17/firefox-security-response-to-pwn2own-2025/" rel="external nofollow" target="_blank">has already patched</a> the two Firefox zero-day bugs (<a href="https://nvd.nist.gov/vuln/detail/CVE-2025-4918" rel="external nofollow" target="_blank">CVE-2025-4918</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-4919" rel="external nofollow" target="_blank">CVE-2025-4919</a>) demoed during the competition after releasing Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, and a new Firefox for Android version over the weekend to address them.
</p>

<p>
	 
</p>

<p>
	In March 2024, Mozilla <a href="https://www.bleepingcomputer.com/news/security/mozilla-fixes-two-firefox-zero-day-bugs-exploited-at-pwn2own/" rel="external nofollow" target="_blank">fixed two other zero-day vulnerabilities</a> in the Firefox web browser (<a href="https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/#CVE-2024-29943" rel="external nofollow" target="_blank">CVE-2024-29943</a> and <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/#CVE-2024-29944" rel="external nofollow" target="_blank">CVE-2024-29944</a>) after security researcher Manfred Paul exploited and reported them at Pwn2Own Vancouver 2024.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-earn-1-078-750-for-28-zero-days-at-pwn2own-berlin/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29277</guid><pubDate>Mon, 19 May 2025 19:31:21 +0000</pubDate></item><item><title>Microsoft finally making Google Chrome as good as Edge by blocking Admin rights</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-finally-making-google-chrome-as-good-as-edge-by-blocking-admin-rights-r29276/</link><description><![CDATA[<p>
	Back in April 2019, Microsoft made Edge capable of detecting when a browsing session was running in Administrator mode. At the time, it would notify users to relaunch the browser in de-elevated mode. The feature was added in order to improve the security of its browser.
</p>

<p>
	 
</p>

<p>
	A few months later, in August 2019, Microsoft improved upon this by introducing a new "<a href="https://www.neowin.net/news/microsoft-fixes-administrator-mode-bug-in-latest-edge-canary-build/" rel="external nofollow">De-elevate browser on launch</a>" flag for Edge, which enabled the browser to automatically relaunch without admin rights if it detected elevated privileges.
</p>

<p>
	 
</p>

<p>
	As useful as this feature has been on Edge, Google's own Chrome browser has, somewhat surprisingly, lacked it, even though Edge gained it in its Chromium-based form.
</p>

<p>
	 
</p>

<p>
	Finally, though, de-elevated browser launch is coming to Google Chrome, too, thanks to Microsoft. Stefan Smolen, a Principal Software Engineer at Microsoft working on Microsoft Edge, recently submitted a change titled "Automatically de-elevate users launching Chrome elevated" to Chromium's Gerrit code review.
</p>

<p>
	 
</p>

<p>
	It says:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		This CL is based on changes we've had in Edge, circa 2019, which attempts to automatically de-elevate the browser when it's run with the elevated part of a split / linked token.
	</p>

	<p>
		 
	</p>

	<p>
		This automatically attempts a relaunch once, and then if it still fails it falls back to the current behaviour (which tries to launch admin). We append a command-line switch to prevent auto-relaunch if, for whatever reason, we re-launch into admin mode again.
	</p>
</blockquote>

<p>
	Thus, a counterpart to the Edge flag discussed above, which relaunches the browser without elevation, is coming to Chrome as well. Smolen also notes that the new code will not run when Chrome is in automation mode, so as not to interfere with automation tools.
</p>

<p>
	 
</p>

<p>
	Interestingly, Stefan Smolen is the same engineer who first brought this change to Edge in 2019.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://chromium-review.googlesource.com/c/chromium/src/+/6515318" rel="external nofollow">Chromium Gerrit</a> via Leopeva64 (<a href="https://x.com/Leopeva64/status/1921807794652508281" rel="external nofollow">X</a>)
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-finally-making-google-chrome-as-good-as-edge-by-blocking-admin-rights/" rel="external nofollow">Source</a>
</p>
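<p>
	Both this story and the Administrator protection story above rest on the same Windows mechanism: a UAC split (linked) token, where a deprivileged half and an elevated half exist for the same user and a process holds one of them. The script below is an added example, not Microsoft's, Edge's or Chromium's code. It queries which half the current process holds and models the relaunch logic from the commit message: relaunch de-elevated once, tag the relaunch with a switch so it cannot loop, and do nothing under automation. The switch names <code>--no-auto-deelevate</code> and <code>--enable-automation</code> stand in for whatever Chromium actually uses (the page does not name them), and <code>runas /trustlevel:0x20000</code> is one well-known way to start a basic-user process, not necessarily the mechanism Chromium chose. The API call runs only on Windows; the decision logic is plain Python.
</p>

```python
"""Split-token detection and one-shot de-elevated relaunch (added example).

Models the behaviour described in the Chromium change: relaunch de-elevated
once when running as the elevated half of a UAC split token, tag the relaunch
so it cannot loop, and stay out of the way under automation.
"""
import subprocess
import sys

# TOKEN_ELEVATION_TYPE values returned by GetTokenInformation(TokenElevationType).
TOKEN_ELEVATION_TYPE_DEFAULT = 1  # no split token: standard user, or UAC disabled
TOKEN_ELEVATION_TYPE_FULL = 2     # the elevated half of a split/linked token
TOKEN_ELEVATION_TYPE_LIMITED = 3  # the filtered (deprivileged) half

# Assumed switch names; the real Chromium switch names are not given on the page.
NO_AUTO_DEELEVATE_SWITCH = "--no-auto-deelevate"
AUTOMATION_SWITCH = "--enable-automation"


def query_token_elevation_type():
    """Return the TOKEN_ELEVATION_TYPE of the current process (Windows only)."""
    import ctypes
    from ctypes import wintypes

    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD,
                                          ctypes.POINTER(wintypes.HANDLE)]
    advapi32.GetTokenInformation.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID,
                                             wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    TOKEN_QUERY = 0x0008
    TOKEN_ELEVATION_TYPE_CLASS = 18  # TokenElevationType in TOKEN_INFORMATION_CLASS

    token = wintypes.HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY,
                                     ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        value, needed = wintypes.DWORD(), wintypes.DWORD()
        if not advapi32.GetTokenInformation(token, TOKEN_ELEVATION_TYPE_CLASS,
                                            ctypes.byref(value), ctypes.sizeof(value),
                                            ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        return value.value
    finally:
        kernel32.CloseHandle(token)


def should_deelevate(argv, elevation_type, automation=False):
    """Relaunch only for the elevated half, only once, and never under automation."""
    if automation or AUTOMATION_SWITCH in argv:
        return False
    if NO_AUTO_DEELEVATE_SWITCH in argv:
        return False  # already relaunched once; fall back to running as launched
    return elevation_type == TOKEN_ELEVATION_TYPE_FULL


def relaunch_argv(argv):
    """Command line for the relaunch, tagged so a second attempt is suppressed."""
    return list(argv) + [NO_AUTO_DEELEVATE_SWITCH]


def deelevated_command(argv):
    """Start argv with a basic-user token via `runas /trustlevel:0x20000`.

    One well-known approach; the page does not say which mechanism Chromium uses.
    """
    return ["runas", "/trustlevel:0x20000", subprocess.list2cmdline(argv)]


if __name__ == "__main__" and sys.platform == "win32":
    kind = query_token_elevation_type()
    if should_deelevate(sys.argv, kind):
        subprocess.Popen(deelevated_command(relaunch_argv([sys.executable, *sys.argv])))
        sys.exit(0)
    print("elevation type:", kind, "(2 = elevated half, 3 = limited half, 1 = no split token)")
```

<p>
	Run it from an elevated PowerShell and the first instance reports type 2 and relaunches itself; the relaunched instance carries the guard switch, so even if the trust-level downgrade were refused it would report its type and continue rather than relaunch again, which is the fallback the commit message describes. A standard-user session reports type 1 and nothing happens, matching the deprivileged default token that Administrator protection hands out.
</p>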

]]></description><guid isPermaLink="false">29276</guid><pubDate>Mon, 19 May 2025 19:30:31 +0000</pubDate></item><item><title>YouTube's Peak Points AI feature makes sure that you see ads at the most annoying moments</title><link>https://nsaneforums.com/news/security-privacy-news/youtubes-peak-points-ai-feature-makes-sure-that-you-see-ads-at-the-most-annoying-moments-r29239/</link><description><![CDATA[<p>
	Unless you are a YouTube Premium or <a data-wpel-link="internal" href="https://www.ghacks.net/2025/03/07/youtube-premium-lite-launches-in-the-us-for-7-99-a-month/" rel="external nofollow">YouTube Premium Lite</a> subscriber, or know how to block or circumvent ads when you play videos on the world's largest video streaming website YouTube, you have probably seen your fair share of obnoxious and annoying ads already.
</p>

<p>
	 
</p>

<p>
	That is not keeping Google, the world's largest advertising company, from testing new ad formats and exploring ways <a data-wpel-link="internal" href="https://www.ghacks.net/2024/04/16/google-intensifies-fight-against-youtube-adblockers/" rel="external nofollow">to screw with</a> YouTube users who use content blockers or <a data-wpel-link="internal" href="https://www.ghacks.net/2024/06/19/google-disrupted-youtube-video-playback-on-firefox-again/" rel="external nofollow">Firefox</a>.
</p>

<p>
	 
</p>

<p>
	Soon, Google is going to push things to new extremes on YouTube. The company announced the Peak Points feature recently, a new tool for YouTube advertisers, according to <a data-wpel-link="external" href="https://www.cnbc.com/2025/05/14/youtube-gemini-ai-feature-will-target-ads-when-viewers-most-engaged.html" rel="external nofollow" target="_blank">CNBC</a>.
</p>

<p>
	 
</p>

<p>
	Peak Points, according to YouTube, allows advertisers to display advertisements to users at the most engaging moments of YouTube videos. The feature uses Gemini, Google's artificial intelligence, to identify these key moments in a video and display an ad right afterwards.
</p>

<p>
	 
</p>

<p>
	Google believes that Peak Points increases the value of an advertisement on the platform. Ads displayed as part of the feature should see more impressions and click-throughs than regular advertisements on the video streaming website.
</p>

<p>
	 
</p>

<p>
	<strong>How does it work?</strong> YouTube revealed that the Peak Points AI model is trained on video transcripts and video elements, including frames. It uses that data to determine the key points of a video and highlight the best moments for ad breaks.
</p>

<p>
	 
</p>

<p>
	Google did not really say much else about the feature or its training. Is it going to replace conventional ads that would have played otherwise? Or is it a new ad that is going to be added to the number of video ads in a video?
</p>

<p>
	 
</p>

<p>
	YouTube is already testing Peak Points on the site and intends to roll out the feature to more users, advertisers, and videos going forward.
</p>

<h3>
	Closing Words
</h3>

<p>
	For non-Premium users, Peak Points will be another annoying tool in YouTube's ad arsenal. Whether it is going to benefit Google the most, as more eyes and clicks on ads will result in more ad revenue for the company, or also advertisers, remains to be seen. What is clear is that regular users will be at the receiving end again regarding the new AI-powered advertising option.
</p>

<p>
	 
</p>

<p>
	<em>Now You: do you use YouTube regularly? What is your experience regarding ads? Feel free to leave a comment down below.</em>
</p>



<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2025/05/16/youtubes-peak-points-ai-feature-makes-sure-that-you-see-ads-at-the-most-annoying-moments/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29239</guid><pubDate>Fri, 16 May 2025 21:10:20 +0000</pubDate></item><item><title>CISA tags recently patched Chrome bug as actively exploited</title><link>https://nsaneforums.com/news/security-privacy-news/cisa-tags-recently-patched-chrome-bug-as-actively-exploited-r29238/</link><description><![CDATA[<p>
	On Thursday, CISA warned U.S. federal agencies to secure their systems against ongoing attacks exploiting a high-severity vulnerability in the Chrome web browser.
</p>

<p>
	 
</p>

<p>
	Solidlab security researcher Vsevolod Kokorin discovered the flaw (CVE-2025-4664) and shared technical details online on May 5th. Google <a href="https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/" rel="external nofollow" target="_blank">released security updates</a> to patch it on Wednesday.
</p>

<p>
	 
</p>

<p>
	As Kokorin explained, the vulnerability is <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-4664" rel="external nofollow" target="_blank">due</a> to insufficient policy enforcement in Google Chrome's Loader component, and successful exploitation can allow remote attackers to leak cross-origin data via maliciously crafted HTML pages.
</p>

<p>
	 
</p>

<p>
	"You probably know that unlike other browsers, Chrome resolves the Link header on subresource requests. But what's the problem? The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters," <a href="https://x.com/slonser_/status/1919439384811626706" rel="external nofollow" target="_blank">Kokorin noted</a>.
</p>

<p>
	 
</p>

<p>
	"Query parameters can contain sensitive data - for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource."
</p>

<p>
	 
</p>

<p>
	While Google didn't disclose if the vulnerability was previously abused in attacks or if it's still being exploited, it warned in a security advisory that it has a public exploit, which is how it usually hints at active exploitation.
</p>

<h2>
	Flagged as actively exploited
</h2>

<p>
	One day later, <a href="https://www.cisa.gov/news-events/alerts/2025/05/15/cisa-adds-three-known-exploited-vulnerabilities-catalog" rel="external nofollow" target="_blank">CISA confirmed</a> CVE-2025-4664 is being abused in the wild and added it to the <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-4664&amp;field_date_added_wrapper=all&amp;field_cve=&amp;sort_by=field_date_added&amp;items_per_page=20&amp;url=" rel="external nofollow" target="_blank">Known Exploited Vulnerabilities catalog</a>, which lists security flaws actively exploited in attacks.
</p>

<p>
	 
</p>

<p>
	As mandated by the November 2021 Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies must patch their Chrome installations within three weeks of the catalog entry, by June 5th, to secure their systems against potential breaches.
</p>

<p>
	 
</p>

<p>
	While this directive only applies to federal agencies, all network defenders are advised to prioritize patching this vulnerability as soon as possible.
</p>

<p>
	 
</p>

<p>
	"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the cybersecurity agency warned.
</p>

<p>
	 
</p>

<p>
	This is the second actively exploited Chrome zero-day patched by Google this year, after <a href="https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-day-exploited-in-espionage-campaign/" rel="external nofollow" target="_blank">another high-severity Chrome zero-day</a> bug (CVE-2025-2783), which was abused to target Russian government organizations, media outlets, and educational institutions in cyber-espionage attacks.
</p>

<p>
	 
</p>

<p>
	Kaspersky researchers who spotted the zero-day attacks said that the threat actors used CVE-2025-2783 exploits to bypass Google Chrome's sandbox protections and infect targets with malware.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cisa-tags-recently-patched-chrome-bug-as-actively-exploited-zero-day/" rel="external nofollow">Source</a>
</p>
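<p>
	Kokorin's point is about referrer policy, not about Chrome alone: whatever policy ends up applying to a page decides how much of that page's URL is sent as the Referer when it loads a third-party image. The following is an added example, not Chromium code or Kokorin's proof of concept. It is a simplified implementation of the W3C Referrer Policy algorithm and shows what a third-party image host learns from an OAuth callback page under each policy. The browser default, strict-origin-when-cross-origin, leaks only the origin; a policy of unsafe-url, which is what the bug let a subresource's Link header inject, leaks the full URL including the authorization code. The callback URL and image URL are constructed sample inputs.
</p>

```python
"""Referer value sent from a page to a subresource under each Referrer Policy.

Added example, simplified from the W3C Referrer Policy algorithm; not browser code.
Shows why a policy of unsafe-url on an OAuth callback page leaks the query string.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "unsafe-url",
)
_DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample inputs: an OAuth redirect target and a third-party image it embeds.
OAUTH_CALLBACK = "https://app.example/oauth/callback?code=AUTH_CODE_123&state=s3cr3t#section"
THIRD_PARTY_IMG = "https://cdn.example/pixel.png"


def _host_port(parts):
    """host[:port], omitting the scheme's default port as origin serialization does."""
    port = parts.port
    if port is None or port == _DEFAULT_PORTS.get(parts.scheme):
        return parts.hostname or ""
    return f"{parts.hostname}:{port}"


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"


def _stripped(url):
    """Referrers never carry credentials or the fragment, under any policy."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def _is_downgrade(page_url, request_url):
    # https page fetching over plain http: the TLS-protected flag is lost.
    return urlsplit(page_url).scheme == "https" and urlsplit(request_url).scheme != "https"


def referrer_for(page_url, request_url, policy="strict-origin-when-cross-origin"):
    """Return the Referer header value, or None when no referrer is sent."""
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy!r}")
    full, origin = _stripped(page_url), _origin(page_url)
    same = _origin(page_url) == _origin(request_url)
    downgrade = _is_downgrade(page_url, request_url)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same else origin
    # strict-origin-when-cross-origin, the browser default
    if same:
        return full
    return None if downgrade else origin


def leaked_params(referrer):
    """Query parameters the receiving host can read out of a Referer value."""
    if not referrer:
        return {}
    return {k: v[0] for k, v in parse_qs(urlsplit(referrer).query).items()}


if __name__ == "__main__":
    for policy in POLICIES:
        ref = referrer_for(OAUTH_CALLBACK, THIRD_PARTY_IMG, policy)
        print(f"{policy:>32}: {ref}  leaks {sorted(leaked_params(ref))}")
```

<p>
	The defensive reading is the one Kokorin gives: do not leave OAuth codes or session material in the query string of a page that embeds third-party resources, and set a restrictive policy on such pages yourself rather than relying on the default, since the bug showed the default can be overridden from a direction developers rarely consider.
</p>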

]]></description><guid isPermaLink="false">29238</guid><pubDate>Fri, 16 May 2025 21:09:23 +0000</pubDate></item><item><title>Cyber criminals breach Coinbase's system to steal customer data</title><link>https://nsaneforums.com/news/security-privacy-news/cyber-criminals-breach-coinbases-system-to-steal-customer-data-r29220/</link><description><![CDATA[<p>
	Coinbase, the world's third-largest cryptocurrency exchange, has <a href="https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists" rel="external nofollow">confirmed</a> that its systems were breached and hackers were able to steal data belonging to approximately 1% of its customers. This data includes customers' personal details, masked Social Security numbers, masked bank account numbers, and images of the uploaded government IDs.
</p>

<p>
	 
</p>

<p>
	The cyber criminals were also able to steal information related to Coinbase customers’ crypto balances, as well as various internal details about the company. According to Coinbase, the hackers obtained this information with the help of several support agents who were working outside the United States. They bribed these employees to gather the data and hand it over to them.
</p>

<p>
	 
</p>

<p>
	All the employees involved have reportedly been identified and fired from the company. Legal action is also being taken against them. By stealing Coinbase customer data, the hackers aimed to contact the customers while pretending to be Coinbase and trick them into transferring all their crypto assets.
</p>

<p>
	 
</p>

<p>
	Brian Armstrong, the CEO of Coinbase, posted a video on X stating that the hackers demanded $20 million in Bitcoin in exchange for not leaking the stolen data. Instead of giving in to the demand, the exchange has offered to pay $20 million to anyone who helps catch the hackers.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/brian_armstrong/status/1922967787309256807" rel="external nofollow">Brian Armstrong's post on X</a>
</p>

<p>
	Some customers have reportedly already transferred their crypto to the hackers. However, Coinbase has stated that it will reimburse those customers, as they were deceived into making the transfers. Following the breach, the exchange has strengthened its security. Customers will now be required to go through additional ID verification steps when they try to withdraw a large amount from the exchange.
</p>

<p>
	 
</p>

<p>
	Additionally, a new support hub has been established in the U.S., and more investments will reportedly be made in internal threat detection to help prevent similar breaches in the future. Coinbase has also sent notifications to all customers affected by the data breach.
</p>

<p>
	 
</p>

<p>
	This isn’t the first time a crypto exchange has been targeted by hackers. Just a few months ago, in February 2025, hackers managed to steal around $1.4 billion worth of Ethereum from Bybit, the second-largest crypto exchange. In 2024, approximately $230 million in various cryptocurrencies was stolen from WazirX, one of the top cryptocurrency exchanges in India.
</p>

<p>
	 
</p>

<p>
	In total, about <a href="https://www.neowin.net/news/22-billion-in-crypto-stolen-in-2024-north-korea-largely-to-blame/" rel="external nofollow">$2.2 billion in crypto was stolen throughout 2024</a>. These ongoing crypto-related crimes are ultimately making it more difficult for countries to adopt cryptocurrencies and invest in them with confidence.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/cyber-criminals-breach-coinbases-system-to-steal-customer-data/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of April): 1,811</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">29220</guid><pubDate>Thu, 15 May 2025 18:55:38 +0000</pubDate></item><item><title>Windows 11 and Red Hat Linux hacked on first day of Pwn2Own</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-and-red-hat-linux-hacked-on-first-day-of-pwn2own-r29219/</link><description><![CDATA[<p>
	On the first day of Pwn2Own Berlin 2025, security researchers were awarded $260,000 after successfully demonstrating zero-day exploits for Windows 11, Red Hat Linux, and Oracle VirtualBox.
</p>

<p>
	 
</p>

<p>
	Red Hat Enterprise Linux for Workstations was the first to fall in the local privilege escalation category after DEVCORE Research Team's Pumpkin exploited an integer overflow vulnerability to earn $20,000.
</p>

<p>
	 
</p>

<p>
	Hyunwoo Kim and Wongi Lee also got root on a Red Hat Linux device by chaining a use-after-free and an information leak, but one of the exploited flaws was an N-day, which <a href="https://x.com/thezdi/status/1922988072142000509" rel="external nofollow" target="_blank">led to a bug collision</a>.
</p>

<p>
	 
</p>

<p>
	Next, Chen Le Qi of STARLabs SG was awarded $30,000 for an exploit chain combining a use-after-free and an integer overflow to escalate privileges to SYSTEM on a Windows 11 system.
</p>

<p>
	 
</p>

<p>
	Windows 11 was hacked twice more to gain SYSTEM privileges by Marcin Wiązowski, who exploited an out-of-bounds write vulnerability, and Hyeonjin Choi, who demoed a type confusion zero-day.
</p>

<p>
	 
</p>

<p>
	Team Prison Break earned $40,000 after demoing an exploit chain that used an integer overflow to escape Oracle VirtualBox and execute code on the underlying operating system.
</p>

<p>
	 
</p>

<p>
	Summoning Team's Sina Kheirkhah was awarded another $35,000 for a Chroma zero-day and an already known vulnerability in Nvidia's Triton Inference Server, while STARLabs SG's Billy and Ramdhan earned $60,000 for escaping Docker Desktop and executing code on the underlying OS using a use-after-free zero-day.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Pwn2Own Berlin 2025 1st day leaderboard" class="ipsImage" height="383" width="680" src="https://www.bleepstatic.com/images/news/u/1109292/2025/Pwn2Own%20Berlin%202025%201st%20day%20leaderboard.jpg">
		<figcaption>
			<p>
				<em>Pwn2Own Berlin 2025 1st day leaderboard </em>
			</p>

			<p>
				<em>(<a href="https://x.com/thezdi/status/1923034127759970639" rel="external nofollow" target="_blank">Trend Zero Day Initiative</a>)</em>
			</p>
		</figcaption>
	</figure>
</div>

<p>
	The <a href="http://www.zerodayinitiative.com/blog/2025/2/24/announcing-pwn2own-berlin-2025" rel="external nofollow" target="_blank">Pwn2Own Berlin 2025</a> hacking competition, which focuses on enterprise technologies and introduces an AI category, takes place in Berlin between May 15 and May 17, during the <a href="https://www.offensivecon.org/" rel="external nofollow" target="_blank">OffensiveCon</a> conference.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.zerodayinitiative.com/blog/2025/5/14/pwn2own-berlin-the-full-schedule#day2" rel="external nofollow" target="_blank">On the second day</a>, security researchers will try to exploit zero-days in Microsoft SharePoint, VMware ESXi, Mozilla Firefox, Red Hat Enterprise Linux for Workstations, and Oracle VirtualBox.
</p>

<p>
	 
</p>

<p>
	After the zero-day vulnerabilities are demoed and disclosed during Pwn2Own, vendors have 90 days to release security fixes for their software and hardware products.
</p>

<p>
	 
</p>

<p>
	Pwn2Own contestants will target fully patched products in the AI, web browser, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container, and automotive categories, and will be able to earn over $1,000,000 in cash and prizes.
</p>

<p>
	 
</p>

<p>
	However, while the 2024 Tesla Model 3 and the 2025 Tesla Model Y bench-top units were also available as targets, no attempts against them had been registered before the competition started.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/windows-11-and-red-hat-linux-virtualbox-hacked-on-first-day-of-pwn2own/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29219</guid><pubDate>Thu, 15 May 2025 18:53:59 +0000</pubDate></item><item><title>The Tor Project's new Oniux tool protects all your Linux apps from snoopers</title><link>https://nsaneforums.com/news/security-privacy-news/the-tor-projects-new-oniux-tool-protects-all-your-linux-apps-from-snoopers-r29218/</link><description><![CDATA[<p>
	The Tor Project is best known for developing the Tor Browser, but it develops some lesser-known privacy apps as well. The organization has now announced <a href="https://blog.torproject.org/introducing-oniux-tor-isolation-using-linux-namespaces/" rel="external nofollow">a new product called Oniux</a>, a tool that lets you run any Linux program through Tor at the kernel level, significantly boosting privacy.
</p>

<p>
	 
</p>

<p>
	With Oniux, you may no longer need to worry about misconfigured proxy settings: it puts each app into its own Linux namespace, a kernel feature for isolating system resources, and routes the app's traffic through Tor, eliminating the possibility of data leaks outside the Tor connection. The Tor Project said this might be useful for anyone from activists to researchers who need network isolation.
</p>

<p>
	 
</p>

<p>
	Oniux is quite similar to another tool developed by the Tor Project called Torsocks. Oniux aims to overcome some of the limitations of Torsocks: it works with all applications, not just those that make system calls through libc, and it also makes it impossible for malicious apps to leak data by issuing system calls directly from raw assembly, bypassing libc.
</p>

<p>
	 
</p>

<p>
	If you’re on Linux and want to try out Oniux, you can already do so with the following instructions. First, you will need to install Rust on your system, as Oniux is built using Rust:
</p>

<p>
	 
</p>

<ul>
	<li>
		<code>curl --proto '=https' --tlsv1.2 -sSf <a href="https://sh.rustup.rs" ipsnoembed="false" rel="external nofollow">https://sh.rustup.rs</a> | sh</code>
	</li>
</ul>

<p>
	 
</p>

<p>
	Next up, you need to install Oniux with this command:
</p>

<p>
	 
</p>

<ul>
	<li>
		<code>cargo install --git <a href="https://gitlab.torproject.org/tpo/core/oniux" ipsnoembed="false" rel="external nofollow">https://gitlab.torproject.org/tpo/core/oniux</a> oniux@0.4.0</code>
	</li>
</ul>

<p>
	 
</p>

<p>
	Here are some examples of how to use Oniux (don't type the $ when writing commands):
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<code># Perform a simple HTTPS query using oniux!<br>
		$ oniux curl <a href="https://icanhazip.com" ipsnoembed="false" rel="external nofollow">https://icanhazip.com</a></code>
	</p>

	<p>
		 
	</p>

	<p>
		<code># oniux also supports IPv6 of course!<br>
		$ oniux curl -6 <a href="https://ipv6.icanhazip.com" ipsnoembed="false" rel="external nofollow">https://ipv6.icanhazip.com</a></code>
	</p>

	<p>
		 
	</p>

	<p>
		<code># Tor without onion services is like a car without an engine ...<br>
		$ oniux curl <a href="http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/index.html" ipsnoembed="false" rel="external nofollow">http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/index.html</a></code>
	</p>

	<p>
		 
	</p>

	<p>
		<code># You can also enable logging if you are a nerd. <span class="ipsEmoji">🤓</span><br>
		$ RUST_LOG=debug oniux curl <a href="https://icanhazip.com" ipsnoembed="false" rel="external nofollow">https://icanhazip.com</a></code>
	</p>

	<p>
		 
	</p>

	<p>
		<code># If you want, you can "torify" your entire shell, isolating all processes within!<br>
		$ oniux bash</code>
	</p>

	<p>
		 
	</p>

	<p>
		<code># If you are in a desktop environment, you can isolate graphical applications too!<br>
		$ oniux hexchat</code>
	</p>
</blockquote>

<p>
	While Oniux certainly holds notable advantages over Torsocks, it is much newer and considered experimental, while Torsocks is much more tested, being 15 years old. With that said, the Tor Project doesn’t want this to discourage you from using it and it says it aims to continue working on it to make it better.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/the-tor-projects-new-oniux-tool-protects-all-your-linux-apps-from-snoopers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29218</guid><pubDate>Thu, 15 May 2025 18:52:23 +0000</pubDate></item><item><title>Steam Data Leak: Valve says nothing to worry about and gives this advice to users</title><link>https://nsaneforums.com/news/security-privacy-news/steam-data-leak-valve-says-nothing-to-worry-about-and-gives-this-advice-to-users-r29213/</link><description><![CDATA[<p>
	Yesterday, news broke about an alleged compromise of Steam, the major PC gaming platform. The data leak supposedly included information about 89 million Steam users.
</p>

<p>
	 
</p>

<p>
	Valve published a statement on the official website about the discovered data. Here is what the company revealed:
</p>

<p>
	 
</p>

<p>
	<strong>The details:</strong>
</p>

<p>
	 
</p>

<ul>
	<li>
		The data consists of old SMS messages used for two-factor authentication.
	</li>
	<li>
		It includes one-time codes and the phone numbers the messages were sent to.
	</li>
	<li>
		Valve says that Steam was not breached.
	</li>
	<li>
		The investigation is ongoing.
	</li>
</ul>

<p>
	 
</p>

<p>
	Valve confirms that the "leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data". Furthermore, the one-time codes are valid for 15 minutes only, which means that they have expired and can't be used for authentication anymore.
</p>

<p>
	 
</p>

<p>
	<strong>In other words:</strong> The data includes phone numbers of current or past Steam users and information that the accounts used SMS verification at one point in time for authentication.
</p>

<h2>
	No need to worry, says Valve
</h2>

<p>
	<a data-wpel-link="external" href="https://steamcommunity.com/games/593110/announcements/detail/533224478739530146" rel="external nofollow" target="_blank">Valve says</a> that Steam users do not need to change their passwords or phone numbers in response to the data leak. It suggests, however, that Steam users should be suspicious of any security message they receive that was not triggered by their own action.
</p>

<p>
	 
</p>

<p>
	Users may check their account security on Steam on <a data-wpel-link="external" href="https://store.steampowered.com/login/?redir=account%2Fauthorizeddevices%3Fsnr%3D2___&amp;redir_ssl=1&amp;snr=2___" rel="external nofollow" target="_blank">the official website</a>.
</p>

<h2>
	Switching authentication
</h2>

<p>
	Steam users are encouraged to switch to Steam Guard instead of using SMS and a mobile phone for verification. SMS is notoriously unsafe, as messages are not encrypted. The same is true for email verifications, which are also unsafe.
</p>

<p>
	 
</p>

<p>
	Steam Guard is an authenticator for Steam. It is included in the official Steam apps for Android and iOS.
</p>

<p>
	 
</p>

<p>
	<strong>Here is how that is done:</strong>
</p>

<p>
	 
</p>

<ol>
	<li>
		Download the <a data-wpel-link="external" href="https://help.steampowered.com/en/faqs/view/6891-E071-C9D9-0134" rel="external nofollow" target="_blank">official Steam application</a> for iOS or Android. The Steam Guard functionality is integrated into the app.
	</li>
	<li>
		Sign in to the installed Steam app with your account credentials.
	</li>
	<li>
		Steam Guard is displayed on one of the first pages after signing in.
	</li>
	<li>
		Select "add authenticator" to start the setup process.
	</li>
	<li>
		Valve sends a code to the phone number of the Steam account. If you have not added a phone number to the account, you are prompted to add one. You may also proceed without adding a phone number by selecting "I don't have access to a phone number".
	</li>
	<li>
		Type the code to proceed.
	</li>
	<li>
		Write down the recovery code that Steam displays on the next page. This code is needed to regain access to your account, if you do not have access to the device with the Steam mobile app (anymore).
	</li>
</ol>

<p>
	 
</p>

<p>
	Once set up, you have three options to sign in to Steam on another device:
</p>

<p>
	 
</p>

<ol>
	<li>
		Scan the Steam QR code using the mobile application.
	</li>
	<li>
		Type the username and password to sign in and confirm the sign in using the mobile application.
	</li>
	<li>
		Type the username and password, and then enter the Steam Guard code from the mobile app to sign in.
	</li>
</ol>

<h2>
	Closing Words
</h2>

<p>
	Using two-factor authentication improves security significantly. This is true for any online service, but there are differences. Text or email codes are notoriously unsafe, while the use of authenticator apps is considered safer and better. You can check out our overview of the <a data-wpel-link="internal" href="https://www.ghacks.net/2023/02/27/best-authenticator-apps-for-android-and-ios/" rel="external nofollow">best authenticator apps for Android and iOS here</a>.
</p>

<p>
	 
</p>

<p>
	Note that some proprietary services, including Steam, do not support third-party authenticators.
</p>

<p>
	 
</p>

<p>
	<em>Now You: Do you use authenticator apps to protect online accounts? What about Steam? Do you use two-factor authentication here as well? Feel free to leave a comment down below.</em>
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2025/05/15/steam-data-leak-valve-says-nothing-to-worry-about-and-gives-this-advice-to-users/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29213</guid><pubDate>Thu, 15 May 2025 05:58:00 +0000</pubDate></item><item><title>The Internet&#x2019;s Biggest-Ever Black Market Just Shut Down Amid a Telegram Purge</title><link>https://nsaneforums.com/news/security-privacy-news/the-internet%E2%80%99s-biggest-ever-black-market-just-shut-down-amid-a-telegram-purge-r29211/</link><description><![CDATA[<h3>
	Following a WIRED inquiry, Telegram banned thousands of accounts used for crypto-scam money laundering, including those of Haowang Guarantee, a black market that enabled over $27 billion in transactions.
</h3>

<p>
	<span class="lead-in-text-callout">For years, a</span> Chinese-language market for crypto scammers and money launderers—by some measures, the internet's biggest black market of all time—operated in plain sight on the messaging service <a href="https://www.wired.com/story/pavel-durov-arrest-telegram-content-moderation/" rel="external nofollow">Telegram</a>, facilitating tens of billions of dollars in illicit finance. Now, thanks to the scrutiny of one team of crypto crime researchers and Telegram's ban hammer, it's gone.
</p>

<p>
	 
</p>

<p>
	Haowang Guarantee, the crypto-fueled crime bazaar more widely known by its original name, Huione Guarantee, declared in an <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.hwdb.la/annoucement" href="https://www.hwdb.la/annoucement" rel="external nofollow" target="_blank">announcement</a> posted to its website sometime in the last 24 hours that it would be shutting down. The move comes in response to Telegram's action on Monday to ban thousands of accounts and usernames that served as the infrastructure for the sprawling marketplace of third-party vendors, many of whom provided money laundering and other services to the burgeoning industry of East Asian crypto scammers.
</p>

<p>
	 
</p>

<p>
	“Telegrame were blocked all of our NFT, Channels and group on May 13th 2025, Haowang Grarantee will cease operation from now,” the company wrote on its website in a short, typo-ridden statement in English, apparently using the acronym NFT to refer to the blockchain-based non-fungible tokens that serve as proof of ownership for certain Telegram usernames. “Thank you for your attention.”
</p>

<p>
	 
</p>

<p>
	Prior to its abrupt shutdown, Haowang Guarantee—which despite its rebrand was still partially owned by Huione Guarantee and its Cambodia-based parent company Huione Group—had allowed third-party vendors to sell a wide variety of services to crypto scammers, all via Telegram, using deposit and escrow systems to “guarantee” the transactions. Huione Guarantee merchants primarily offered money laundering via the cryptocurrency Tether, but they also sold other components of the crypto scam industry, ranging from potential victim data for targeting, telecommunications infrastructure, deepfake software, and even GPS-enabled collars and electric batons used to enslave workers in the <a href="https://www.wired.com/story/starlink-scam-compounds/" rel="external nofollow">scam compounds</a> that have spread across Myanmar, Cambodia, and the Philippines.
</p>

<p>
	 
</p>

<p>
	Telegram's sudden move to ban the marketplace's accounts appears to have been spurred by WIRED's inquiry to Telegram late last week about <a href="https://www.wired.com/story/xinbi-guarantee-crypto-scam-hub/" rel="external nofollow">new findings from researchers at the crypto-tracing firm Elliptic</a>. Since July of last year, <a href="https://www.wired.com/story/pig-butchering-scam-crypto-huione-guarantee/" rel="external nofollow">Elliptic has highlighted</a> the enormous volume of money laundering and other illicit transactions taking place on Huione Guarantee and later Haowang Guarantee. By Elliptic's accounting in a <a href="https://www.wired.com/story/the-largest-illicit-online-marketplace-ever-is-growing-at-an-alarming-rate/" rel="external nofollow">January report</a>, the market and its rebrand had facilitated more than $24 billion in total transactions, which would make it by far the largest single black market operation in the internet's history. That figure has since jumped to $27 billion, according to Elliptic.
</p>

<p>
	 
</p>


<p>
	Elliptic's latest findings concerned a second Telegram-based market known as Xinbi Guarantee, which offered a similar model of third-party transactions and had facilitated $8.4 billion in deals since 2022 that researchers say included not only money laundering for scammers, but also stolen data, harassment for hire, and apparent sex trafficking. When WIRED asked Telegram about Elliptic's findings regarding both markets, the company responded with broad bans of Xinbi Guarantee and Haowang Guarantee accounts.
</p>

<p>
	 
</p>

<p>
	“This is a huge win. The largest dark-net marketplace to have ever existed has been shut down,” says Elliptic cofounder Tom Robinson. “It's a game changer in terms of overall online criminal markets, and it's huge for victims of online fraud. This marketplace was a key enabler of the global scam epidemic, and I think this will put a real dent in the ability of online scammers to do what they do.”
</p>

<p>
	 
</p>

<p>
	In a statement sent to WIRED Monday, Telegram spokesperson Remi Vaughn wrote that “communities previously reported to us by WIRED or included in reports published by Elliptic have all been taken down,” and added that “criminal activities like scamming or money laundering are forbidden by Telegram's terms of service and are always removed whenever discovered.” Telegram declined to comment further following Haowang's announcement that it was going offline.
</p>

<p>
	 
</p>


<p>
	Although it wasn't mentioned in Vaughn's statement, Telegram's ban may have also been related to an announcement earlier this month from the US Treasury's Financial Crimes Enforcement Network that Huione Group, Huione Guarantee and Haowang Guarantee's parent company, would be added to a list of known money laundering operations in an attempt to limit its access to US financial institutions.
</p>

<p>
	 
</p>

<p>
	While Haowang Guarantee responded to Telegram's bans by almost immediately shutting down, Xinbi Guarantee appears to be making an effort to relaunch itself on new Telegram channels, Robinson says. Elliptic says that Haowang Guarantee's owners also own a stake in another similar Telegram-based market called Tudou Guarantee, according to a Telegram post from one of Haowang's administrators, and they may seek to rebuild their business there. Tudou Guarantee has already seen a significant surge in new users, Robinson says.
</p>

<p>
	 
</p>

<p>
	Whether the two markets succeed in relaunching, Robinson notes, will depend largely on how serious Telegram is about its efforts to prevent them from using its messaging services.
</p>

<p>
	 
</p>

<p>
	“Are they going to pursue all of these marketplaces and continue to do so as new ones emerge?” Robinson asks. “If so, I think that Telegram is no longer a realistic platform for these marketplaces, and they'll have to look for somewhere else to operate.” He suggests the crypto-scam market operators would then likely try to migrate to another messaging service with less oversight, or even a decentralized one where they can't be effectively banned.
</p>

<p>
	 
</p>

<p>
	Haowang, in particular, has powerful backing from a company with links to businesses associated with the Cambodian ruling family. Huione Guarantee's parent company, the Cambodian financial conglomerate Huione Group, includes a company linked to the family of Cambodia’s prime minister, Hun Manet. Hun To, the prime minister’s cousin, serves as one of those companies' directors—and has also been linked in an <a href="https://www.aljazeera.com/features/longform/2022/8/11/meet-cambodia-cyber-slaves" rel="external nofollow">Al Jazeera investigation</a> to an alleged scam compound.
</p>

<p>
	 
</p>

<p>
	All of that means Telegram's takedowns are by no means the end of the crypto-scam industry, says Robinson. They may, however, represent a serious setback for the markets that cash out its profits and launder its money.
</p>

<p>
	 
</p>

<p>
	“Online crime is a cat-and-mouse game in general. But these are very large mice,” Robinson says. “It's a big blow to the criminal ecosystem that will take a long time to recover from.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/the-internets-biggest-ever-black-market-shuts-down-after-a-telegram-purge/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29211</guid><pubDate>Thu, 15 May 2025 03:13:27 +0000</pubDate></item><item><title>Google reveals several new safety features coming to Android users</title><link>https://nsaneforums.com/news/security-privacy-news/google-reveals-several-new-safety-features-coming-to-android-users-r29196/</link><description><![CDATA[<p>
	Along with the official launch of the <a href="https://www.neowin.net/news/googles-new-android-design-language-called-feminine-by-some-has-finally-dropped/" rel="external nofollow">Material 3 Expressive design</a> language, Google today <a href="https://blog.google/products/android/android-safety/" rel="external nofollow">revealed</a> several new safety and security features coming to Android users, including improved AI-powered Scam Detection, a revamped Find My Device experience, and more.
</p>

<p>
	 
</p>

<p>
	Google launched AI-powered Scam Detection last year to block suspicious package delivery and job-seeking scams for Google Messages users. Today, Google announced that the AI-powered Scam Detection can now detect dangerous crypto and financial scams, toll road scams, gift card scams, and more. Even with this expanded scam detection coverage, this feature works completely offline on an Android device.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/iuMd8JOGvo4?feature=oembed" title="The Android Show: I/O Edition | Safety &amp; Security" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	When you are on a phone call, Android now has new in-call protections that will prevent users from performing the following:
</p>

<p>
	 
</p>

<ul>
	<li>
		Disabling Google Play Protect, Android’s built-in security protection, which is on by default and continuously scans for malicious app behavior, no matter the download source.
	</li>
	<li>
		Sideloading an app for the first time from a web browser, messaging app, or other source – which may not have been vetted for security and privacy by Google.
	</li>
	<li>
		Granting accessibility permissions, which can give a newly downloaded malicious app access to gain control over the user's device and steal sensitive/private data, like banking information.
	</li>
</ul>

<p>
	 
</p>

<p>
	To identify scammers who try to impersonate someone, Google has come up with a new tool called Key Verifier. This new feature offers a visual way for users and their contacts to easily confirm that their public keys match before starting their conversation. This new tool will be available later this summer in Google Messages on Android 10+ devices.
</p>

<p>
	 
</p>

<p>
	Google is improving the theft protection feature that was launched last year. With the upcoming update, Android will restrict all functionalities on devices that are reset without the owner’s authorization. Android will also improve the Remote Lock feature with a new security challenge question to prevent unauthorized actions by thieves.
</p>

<p>
	 
</p>

<p>
	Android's Find My Device app allows users to easily locate their devices and tagged items. Google is rebranding Find My Device as Find Hub with support for more compatible devices and Bluetooth tags. For devices and carriers with satellite connectivity, Find Hub will help users stay connected even when the mobile network is unavailable. Similar to iOS, Android will also get the ability to easily share your Bluetooth tag's location with airlines early next year to locate your lost baggage.
</p>

<p>
	 
</p>

<p>
	Finally, Google is improving the Advanced Protection feature with the release of Android 16. New improvements include Intrusion Logging, USB protection, the option to disable auto-reconnect to insecure networks, and integration with Scam Detection for Phone by Google.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-reveals-several-new-safety-features-coming-to-android-users/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29196</guid><pubDate>Wed, 14 May 2025 03:01:24 +0000</pubDate></item><item><title>Welcome to the age of paranoia as deepfakes and scams abound</title><link>https://nsaneforums.com/news/security-privacy-news/welcome-to-the-age-of-paranoia-as-deepfakes-and-scams-abound-r29186/</link><description><![CDATA[<h3>
	AI-driven fraud is leading people to verify every online interaction they have.
</h3>

<p>
	These days, when Nicole Yelland receives a meeting request from someone she doesn’t already know, she conducts a multistep <a href="https://www.wired.com/story/the-startup-that-will-vet-you-for-your-next-job/" rel="external nofollow">background check</a> before deciding whether to accept. Yelland, who works in public relations for a Detroit-based nonprofit, says she’ll run the person’s information through Spokeo, a personal data aggregator that she pays a monthly subscription fee to use. If the contact claims to speak Spanish, Yelland says, she will casually test their ability to understand and translate trickier phrases. If something doesn’t quite seem right, she’ll ask the person to join a Microsoft Teams call—with their camera on.
</p>

<p>
	 
</p>

<p>
	If Yelland sounds paranoid, that’s because she is. In January, before she started her current nonprofit role, Yelland says, she got roped into an elaborate scam targeting job seekers. “Now, I do the whole verification rigamarole any time someone reaches out to me,” she tells WIRED.
</p>

<p>
	 
</p>

<p>
	Digital imposter scams aren’t new; messaging <a href="https://www.wired.com/story/smishing-triad-scam-group/#intcid=_wired-article-bottom-recirc_8d8c8343-47e1-493e-b994-56eafa0d2e4c_roberta-similarity1" rel="external nofollow">platforms</a>, social media sites, and <a href="https://www.wired.com/story/i-uncovered-an-army-of-fake-men-on-hinge/" rel="external nofollow">dating apps</a> have long been rife with fakery. In a time when remote work and distributed teams have become commonplace, professional communications channels are no longer safe, either. The same artificial intelligence tools that tech companies promise will boost worker productivity are also making it easier for criminals and fraudsters to construct fake personas in seconds.
</p>

<p>
	 
</p>

<p>
	On LinkedIn, it can be hard to distinguish a slightly touched-up headshot of a real person from a too-polished, AI-generated facsimile. Deepfake videos are getting so good that longtime email scammers are pivoting to <a href="https://www.404media.co/the-age-of-realtime-deepfake-fraud-is-here/" rel="external nofollow">impersonating people</a> on live video calls. According to the US Federal Trade Commission, reports of job- and employment-related scams nearly tripled from 2020 to 2024, and actual losses from those scams <a href="https://consumer.ftc.gov/consumer-alerts/2025/03/top-scams-2024" rel="external nofollow">have increased</a> from $90 million to $500 million.
</p>

<p>
	 
</p>

<p>
	Yelland says the scammers that approached her back in January were impersonating a real company, one with a legitimate product. The “hiring manager” she corresponded with over email also seemed legit, even sharing a slide deck outlining the responsibilities of the role they were advertising. But during the first video interview, Yelland says, the scammers refused to turn their cameras on during a Microsoft Teams meeting and made unusual requests for detailed personal information, including her driver’s license number. Realizing she’d been duped, Yelland slammed her laptop shut.
</p>

<p>
	 
</p>

<p>
	These kinds of schemes have become so widespread that AI startups have emerged promising to detect other AI-enabled deepfakes, including <a href="https://www.wired.com/story/deepfake-detection-get-real-labs/" rel="external nofollow">GetReal Labs</a> and <a href="https://www.wired.com/story/real-time-video-deepfake-scams-reality-defender/" rel="external nofollow">Reality Defender</a>. OpenAI CEO Sam Altman also runs an identity-verification startup called Tools for Humanity, which makes <a href="https://www.wired.com/story/sam-altman-orb-eyeball-scan-launch-us/" rel="external nofollow">eye-scanning devices that capture</a> a person’s biometric data, create a unique identifier for their identity, and store that information on the blockchain. The whole <a href="https://www.wired.com/story/sam-altman-orb-eyeball-scan-launch-us/" rel="external nofollow">idea behind it</a> is proving “personhood,” or that someone is a real human. (Lots of people working on blockchain technology say that blockchain is the solution for identity verification.)
</p>

<p>
	 
</p>

<p>
	But some corporate professionals are turning instead to old-fashioned social engineering techniques to verify every fishy-seeming interaction they have. Welcome to the Age of Paranoia, when someone might ask you to send them an email while you’re mid-conversation on the phone, slide into your Instagram DMs to ensure the LinkedIn message you sent was really from you, or request you text a selfie with a time stamp, proving you are who you claim to be. Some colleagues say they even share code words with each other, so they have a way to ensure they’re not being misled if an encounter feels off.
</p>

<p>
	 
</p>

<p>
	“What’s funny is, the lo-fi approach works,” says Daniel Goldman, a blockchain software engineer and former startup founder. Goldman says he began changing his own behavior after he heard a prominent figure in the crypto world had been convincingly deepfaked on a video call. “It put the fear of god in me,” he says. Afterward, he warned his family and friends that even if they hear what they believe is his voice or see him on a video call asking for something concrete—like money or an Internet password—they should hang up and email him first before doing anything.
</p>

<p>
	 
</p>

<p>
	Ken Schumacher, founder of the recruitment verification service Ropes, says he’s worked with hiring managers who ask job candidates rapid-fire questions about the city where they claim to live on their résumé, such as their favorite coffee shops and places to hang out. If the applicant is actually based in that geographic region, Schumacher says, they should be able to respond quickly with accurate details.
</p>

<p>
	 
</p>

<p>
	Another verification tactic some people use, Schumacher says, is what he calls the “phone camera trick.” If someone suspects the person they’re talking to over video chat is being deceitful, they can ask them to hold up their phone camera to show their laptop. The idea is to verify whether the individual may be running deepfake technology on their computer, obscuring their true identity or surroundings. But it’s safe to say this approach can also be off-putting: Honest job candidates may be hesitant to show off the inside of their homes or offices, or worry a hiring manager is trying to learn details about their personal lives.
</p>

<p>
	 
</p>

<p>
	“Everyone is on edge and wary of each other now,” Schumacher says.
</p>

<p>
	 
</p>

<p>
	While turning yourself into a human captcha may be a fairly effective approach to operational security, even the most paranoid admit these checks create an atmosphere of distrust before two parties have even had the chance to really connect. They can also be a huge time suck. “I feel like something’s gotta give,” Yelland says. “I’m wasting so much time at work just trying to figure out if people are real.”
</p>

<p>
	 
</p>

<p>
	Jessica Eise, an assistant professor studying climate change and social behavior at Indiana University Bloomington, says her research team has been forced to essentially become digital forensics experts due to the number of fraudsters who respond to ads for paid virtual surveys. (Scammers aren’t as interested in the unpaid surveys, unsurprisingly.) For one of her research projects, which is federally funded, all of the online participants have to be over the age of 18 and living in the US.
</p>

<p>
	 
</p>

<p>
	“My team would check time stamps for when participants answered emails, and if the timing was suspicious, we could guess they might be in a different time zone,” Eise says. “Then we’d look for other clues we came to recognize, like certain formats of email address or incoherent demographic data.”
</p>

<p>
	 
</p>

<p>
	Eise says the amount of time her team spent screening people was “exorbitant” and that they’ve now shrunk the size of the cohort for each study and have turned to “snowball sampling,” or recruiting people they know personally to join their studies. The researchers are also handing out more physical flyers to solicit participants in person. “We care a lot about making sure that our data has integrity, that we’re studying who we say we’re trying to study,” she says. “I don’t think there’s an easy solution to this.”
</p>

<p>
	 
</p>

<p>
	Barring any widespread technical solution, a little common sense can go a long way in spotting bad actors. Yelland shared with me the slide deck that she received as part of the fake job pitch. At first glance, it seemed legit, but when she looked at it again, a few details stood out. The job promised to pay substantially more than the average salary for a similar role in her location and offered unlimited vacation time, generous paid parental leave, and fully covered health care benefits. In today’s job environment, that might have been the biggest tipoff of all that it was a scam.
</p>

<p>
	 
</p>

<p>
	<em>This story originally appeared on <a href="https://www.wired.com/story/paranoia-social-engineering-real-fake/" rel="external nofollow">wired.com</a>.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/ai/2025/05/welcome-to-the-age-of-paranoia-as-deepfakes-and-scams-abound/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29186</guid><pubDate>Tue, 13 May 2025 20:56:50 +0000</pubDate></item><item><title>ASUS DriverHub flaw let malicious sites run commands with admin rights</title><link>https://nsaneforums.com/news/security-privacy-news/asus-driverhub-flaw-let-malicious-sites-run-commands-with-admin-rights-r29172/</link><description><![CDATA[<p>
	The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
</p>

<p>
	 
</p>

<p>
	The flaw was discovered by an independent cybersecurity researcher from New Zealand named Paul (aka "<a href="https://mrbruh.com/asusdriverhub/" rel="external nofollow" target="_blank">MrBruh</a>"), who found that the software had poor validation of commands sent to the DriverHub background service.
</p>

<p>
	 
</p>

<p>
	This allowed the researcher to create an exploit chain utilizing flaws tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-3462" rel="external nofollow" target="_blank">CVE-2025-3462</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-3463" rel="external nofollow" target="_blank">CVE-2025-3463</a> that, when combined, achieve origin bypass and trigger remote code execution on the target.
</p>

<h2>
	The DriverHub problem
</h2>

<p>
	DriverHub is ASUS's official driver management tool that is automatically installed on the first system boot when utilizing certain ASUS motherboards.
</p>

<p>
	 
</p>

<p>
	This software runs in the background, automatically detecting and fetching the latest driver versions for the detected motherboard model and its chipset.
</p>

<p>
	 
</p>

<p>
	Once installed, the tool remains active and running in the background via a local service on port 53000, continually checking for important driver updates.
</p>

<p>
	 
</p>

<p>
	Meanwhile, most users don't even know such a service is constantly running on their system.
</p>

<p>
	 
</p>

<p>
	That service checks the Origin Header of incoming HTTP requests to reject anything that doesn't come from 'driverhub.asus.com.'
</p>

<p>
	 
</p>

<p>
	However, this check is poorly implemented, as any site that includes that string is accepted even if it's not an exact match to ASUS's official portal.
</p>

<p>
	 
</p>

<p>
	The second issue lies in the UpdateApp endpoint, which allows DriverHub to download and run .exe files from ".asus.com" URLs without user confirmation.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="The BIOS setting concerning DriverHub (Active by default)" class="ipsImage" height="391" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/bios.jpg">
		<figcaption>
			<em>The BIOS setting concerning DriverHub (Enabled by default)<br>
			Source: MrBruh</em>
		</figcaption>
	</figure>
</div>

<h2>
	Stealthy attack flow
</h2>

<p>
	An attacker can target any user with ASUS DriverHub running on their system to trick them into visiting a malicious website on their browser. This website then sends "UpdateApp requests" to the local service at 'http://127.0.0.1:53000.'
</p>

<p>
	 
</p>

<p>
	By spoofing the Origin Header to something like 'driverhub.asus.com.mrbruh.com,' the weak validation check is bypassed, so DriverHub accepts the commands.
</p>
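<p>
	The two validation behaviours described above, as an added illustration that is not ASUS's code: the substring check the article describes next to a strict allow-list check, both run over constructed Origin values, including the spoofed one from the write-up. The trusted origin <code>https://driverhub.asus.com</code>, the HTTPS scheme and the sample values are assumptions; the real service's logic is known only from the article.
</p>

```python
"""Origin-header validation: the flawed substring check described in the
article next to a strict allow-list check. Added example, not ASUS code;
the service's real behaviour is known only from the article's description."""

from typing import Optional
from urllib.parse import urlsplit

# Assumption: the only origin the local service is meant to trust.
ALLOWED_ORIGINS = frozenset({"https://driverhub.asus.com"})


def weak_origin_check(origin: str) -> bool:
    """Substring match: the flawed logic the article describes.

    Any Origin that merely *contains* the trusted host name passes, so a
    host under a foreign domain whose name starts with 'driverhub.asus.com'
    is accepted as if it were the vendor portal.
    """
    return "driverhub.asus.com" in origin


def strict_origin_check(origin: Optional[str]) -> bool:
    """Exact match of scheme + host (+ port) against an allow-list.

    The Origin header is parsed as a URL and normalised, so a trusted name
    appearing as a prefix, suffix or path component of a foreign origin is
    not enough. A missing or opaque ('null') Origin is rejected: a local
    service that downloads and runs files should never act for an
    unidentified caller.
    """
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    # An Origin is scheme://host[:port] only; anything more is malformed.
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return False
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    host = parts.hostname.lower()
    suffix = f":{port}" if port not in (None, 443) else ""
    return f"https://{host}{suffix}" in ALLOWED_ORIGINS


# Constructed Origin values modelled on the cases the article describes.
SAMPLE_ORIGINS = [
    "https://driverhub.asus.com",               # the legitimate portal
    "https://driverhub.asus.com.mrbruh.com",    # the spoofed origin from the write-up
    "http://driverhub.asus.com",                # right host, wrong scheme
    "https://evil.example/driverhub.asus.com",  # trusted name only in the path
    "null",                                     # opaque origin (e.g. sandboxed iframe)
]


def compare_checks(origins=SAMPLE_ORIGINS) -> dict:
    """Return {origin: (weak_result, strict_result)} for each sample origin."""
    return {o: (weak_origin_check(o), strict_origin_check(o)) for o in origins}


if __name__ == "__main__":
    for origin, (weak, strict) in compare_checks().items():
        print(f"{origin:45} weak={str(weak):5} strict={strict}")
```

Only the first sample passes the strict check; the substring check accepts four of the five.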

<p>
	 
</p>

<p>
	In the researcher's demonstration, the commands order the software to download a legitimate ASUS-signed 'AsusSetup.exe' installer from the vendor's download portal, along with a malicious .ini file and .exe payload.
</p>

<p>
	 
</p>

<p>
	The ASUS-signed installer is silently run as admin and uses the configuration information in the .ini file. This .ini file directs the legitimate ASUS driver installer to launch the malicious executable file.
</p>

<p>
	 
</p>

<p>
	The attack is also made possible by the tool failing to delete files that fail signature checks, like the .ini and payload, which are kept on the host after their download.
</p>

<p>
	 
</p>

<div class="embed-responsive embed-responsive-16by9" style="">
	<iframe allowfullscreen="" frameborder="0" height="360" mozallowfullscreen="" src="https://player.vimeo.com/video/1083693175" webkitallowfullscreen="" width="640"></iframe>
</div>

<h2>
	ASUS' response and user action
</h2>

<p>
	ASUS received the researcher's reports on April 8, 2025, and implemented a fix on April 18, after validating it with MrBruh the day before. The hardware giant did not offer the researcher any bounty for his disclosure.
</p>

<p>
	 
</p>

<p>
	The CVE descriptions, which the Taiwanese vendor submitted, somewhat downplay the issue with the following statement:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	"This issue is limited to motherboards and does not affect laptops, desktop computers, or other endpoints," reads the CVE description.
</p>

<p>
	 
</p>

<p>
	This is confusing, as the mentioned CVEs impact laptops and desktop computers with DriverHub installed.
</p>

<p>
	 
</p>

<p>
	However, ASUS is clearer in its security bulletin, advising users to quickly apply the latest update. 
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	"This update includes important security updates and ASUS strongly recommends that users update their ASUS DriverHub installation to the latest version," <a href="https://www.asus.com/content/asus-product-security-advisory/" rel="external nofollow" target="_blank">reads the bulletin</a>.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	"The latest Software Update can be accessed by opening ASUS DriverHub, then clicking the "Update Now" button."
</p>

<p>
	 
</p>

<p>
	MrBruh says he monitored certificate transparency updates and found no other TLS certificates containing the "driverhub.asus.com" string, indicating it was not exploited in the wild.
</p>

<p>
	 
</p>

<p>
	If you're uncomfortable with a background service automatically fetching potentially dangerous files upon visiting websites, you may disable DriverHub from your BIOS settings.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/asus-driverhub-flaw-let-malicious-sites-run-commands-with-admin-rights/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29172</guid><pubDate>Tue, 13 May 2025 03:03:13 +0000</pubDate></item><item><title>VPN firm says it didn&#x2019;t know customers had lifetime subscriptions, cancels them</title><link>https://nsaneforums.com/news/security-privacy-news/vpn-firm-says-it-didn%E2%80%99t-know-customers-had-lifetime-subscriptions-cancels-them-r29171/</link><description><![CDATA[<h3>
	"We acknowledge that notifying users after the deactivation was a poor experience ..."
</h3>

<p>
	The new owners of VPN provider VPNSecure have drawn ire after canceling lifetime subscriptions. The owners told customers that they didn’t know about the lifetime subscriptions when they bought VPNSecure, and they cannot honor the purchases.
</p>

<p>
	 
</p>

<p>
	In March, complaints started appearing online about lifetime subscriptions to VPNSecure no longer working.
</p>

<p>
	 
</p>

<p>
	The first public response Ars Technica found came on April 28, when lifetime subscription holders reported receiving an email from the VPN provider saying:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		To continue providing a secure and high-quality experience for all users, Lifetime Deal accounts have now been deactivated as of April 28th, 2025.
	</p>
</blockquote>

<p>
	A copy of the email from “The VPN Secure Team” and <a href="https://www.reddit.com/media?url=https%3A%2F%2Fi.redd.it%2F5osydedllmxe1.png" rel="external nofollow">posted on Reddit</a> notes that VPNSecure had previously deactivated accounts with lifetime subscriptions that it said hadn’t been used in “over 6 months.” The message noted that VPNSecure was acquired in 2023, “including the technology, domain, and customer database—but not the liabilities.” The email continues:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Unfortunately, the previous owner did not disclose that thousands of Lifetime Deals (LTDs) had been sold through platforms like StackSocial.
	</p>

	<p>
		 
	</p>

	<p>
		We discovered this only months later—when a large portion of our resources were strained by these LTD accounts and high support volume from users, who through part of the database, provided no sustaining income to help us improve and maintain the service.
	</p>
</blockquote>

<p>
	VPNSecure is offering affected users discounted new subscriptions for either $1.87 for a month (instead of $9.95), $19 for a year (instead of $79.92), or $55 for three years (instead of $107.64). <a href="https://www.vpnsecure.me/checkout/lifetime/upgrade/" rel="external nofollow">The deals</a> are available until May 31, per the email.
</p>

<p>
	 
</p>

<p>
	This week, users reported receiving a follow-up email from VPNSecure providing more details about why it made its bold and sudden move. Screenshots of the email <a href="https://www.reddit.com/r/vpns/comments/1kjoay9/vpnsecure_account_deactivations_update/#lightbox" rel="external nofollow">shared on Reddit</a> say that the acquisition by InfiniteQuant Ltd (which is a different company than <a href="https://www.infquant.com/" rel="external nofollow">InfiniteQuant Capital Ltd</a>, an InfiniteQuant Capital rep told Ars via email) was “an asset only deal.”
</p>

<p>
	 
</p>

<p>
	A VPNSecure representative claimed on the reviews site <a href="https://www.trustpilot.com/review/vpnsecure.me?page=15&amp;stars=1" rel="external nofollow">Trustpilot</a> that the current owners “did not gain access to the customer database until months” after the acquisition. According to VPNSecure’s owners, their acquisition netted them “the tech, the brand, and the infrastructure/technology—but none of the company, contracts, payments, or obligations from the previous owners.”
</p>

<p>
	 
</p>

<p>
	The current owners said they didn’t sue the seller because “a corporate lawsuit would’ve cost more than the entire purchase of the business.”
</p>

<p>
	 
</p>

<p>
	VPNSecure also apologized to any customers who felt caught off guard by the changes, noted their backlash, and thanked those who purchased new subscriptions.
</p>

<p>
	 
</p>

<p>
	The email’s authors claimed that they could have chosen to shut down VPNSecure after learning about the lifetime subscriptions but “chose the hard path.” They also emphasized they “never will” sell lifetime subscriptions.
</p>

<h2>
	Unaware of lifetime subscriptions
</h2>

<p>
	Customers have been incredulous about VPNSecure's owners not knowing about the purchased lifetime subscriptions before buying the company. The firm's email to customers this week said the current owners reviewed six to 12 months of VPNSecure’s prior “financials” before making the purchase, but the listing, profit and loss statements, and communications never mentioned lifetime deals.
</p>

<p>
	 
</p>

<p>
	The email included a link to a <a href="https://flippa.com/off-market/saas/vpnsecure-pty-l-161660" rel="external nofollow">VPNSecure sales listing</a> dated April 2023 that shows an “estimated valuation” of $282,090–$344,770 and doesn’t mention lifetime subscriptions.
</p>

<p>
	 
</p>

<p>
	Ars looked at the VPNSecure website’s history using the Internet Archive’s Wayback Machine and didn’t find mention of lifetime subscriptions. Lifetime subscriptions to the service were apparently only offered through third parties, like these listings on <a href="https://www.stacksocial.com/sales/vpnsecure-lifetime-subscription-25-devices?aid=a-y39zt07s" rel="external nofollow">StackSocial</a> and <a href="https://wccftech.com/vpnsecure-lifetime-subscription/amp/" rel="external nofollow">Wccftech</a>, that no longer link to purchasable subscriptions. VPNSecure’s email this week claimed that lifetime subscriptions were sold “between 2015 and 2017”; however, Ars found ads on ZDNET pushing $40 lifetime subscriptions <a href="https://www.zdnet.com/article/for-a-limited-time-new-users-can-get-a-lifetime-of-vpnsecure-online-privacy-for-just-40/" rel="external nofollow">in 2021</a> and $28 lifetime subscriptions <a href="https://www.zdnet.com/article/the-6-best-vpns-that-can-secure-your-browsing-experience/" rel="external nofollow">in 2022</a>.
</p>

<p>
	 
</p>

<figure class="image" style="display:inline-block">
	<img alt="A screenshot from a 2021 ZDNET listing." class="ipsImage" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/05/ZDnet-VPNSecure-1024x547.jpg">
	<figcaption>
		<em>A screenshot from a 2021 ZDNET listing.<br>
		Source: ZDNET</em>
	</figcaption>
</figure>

<figure class="image" style="display:inline-block">
	<img alt="A screenshot from a 2022 ZDNET listing." class="ipsImage" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/05/ZDNET.jpg">
	<figcaption>
		<em>A screenshot from a 2022 ZDNET listing.</em>
	</figcaption>
</figure>

<h2>
	Customer backlash
</h2>

<p>
	Since March, there have been 20 pages’ worth of one-star reviews on Trustpilot complaining about lifetime subscribers losing access to their VPN. One Trustpilot user wrote on April 30:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		When the service stopped working, I logged a ticket. A couple days later, I got that infamous email informing me my subscription had (already) been cancelled. The comms should have been sent earlier (before the service was interrupted), and written with more clarity and empathy.
	</p>
</blockquote>

<p>
	VPNSecure is responding to the complaints on Trustpilot and has acknowledged that it could have communicated better with customers.
</p>

<p>
	 
</p>

<p>
	"We acknowledge that notifying users after the deactivation was a poor experience, and we take full responsibility for that,” a company <a href="https://www.trustpilot.com/review/vpnsecure.me?page=15&amp;stars=1" rel="external nofollow">rep wrote</a> on April 30.
</p>

<p>
	 
</p>

<p>
	People have also been complaining on Reddit. One user, for example, <a href="https://www.reddit.com/r/vpns/comments/1kjoay9/comment/mrw0xdb/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button" rel="external nofollow">wrote that the new owners</a> "said they did their due diligence, but a simple Google Search would have shown lifetime deal offers from the past."
</p>

<h2>
	VPNSecure ownership
</h2>

<p>
	VPNSecure’s website lists its owner as InfiniteQuant Ltd in the Bahamas; however, its <a href="https://www.vpnsecure.me/terms-of-service/" rel="external nofollow">terms of service</a> names the company “HOLDXB Trading FZCO trading as VPN Secure, IFZA Business Park, Dubai - UAE.” According to the Wayback Machine, the terms of service page moved from naming an Australian firm, “Boost Network Pty Ltd trading as VPN Secure” to HOLDXB until 2024. VPNSecure’s email to customers this month noted that the team is “in the Bahamas” and “not [in] one [of the] five eyes countries anymore.”
</p>

<p>
	 
</p>

<p>
	Ars has reached out to The VPN Secure support team for more information but didn’t hear back in time for publication. There isn’t much information or contact details for InfiniteQuant Ltd, HOLDXB Trading FZCO, or Boost Network Pty Ltd online.
</p>

<h2>
	Limited lifetime subscriptions
</h2>

<p>
	VPNSecure’s ordeal is a reminder that so-called lifetime subscriptions often last shorter than advertised. Per comments online, VPNSecure’s lifetime subscriptions lasted up to 20 years.
</p>

<p>
	 
</p>

<p>
	Lifetime subscriptions, as well as <a href="https://www.forbes.com/sites/ariannajohnson/2023/12/12/smiledirectclubs-abrupt-shutdown-confusion-over-refunds-and-future-payments-frustrate-customers/" rel="external nofollow">lifetime warranties</a>, can also get abruptly voided if a company goes out of business, and as we’ve seen with VPNSecure, new owners could also jeopardize “lifetime” offerings. Users can also see capabilities reduced or altered in the course of a "lifetime."
</p>

<p>
	 
</p>

<p>
	VPNSecure could’ve potentially mitigated backlash by giving users more advance warning of the changes and a longer opportunity to select a new subscription before deactivating their accounts. We can’t confirm if InfiniteQuant Ltd. knew about the lifetime subscriptions before making its purchase. However, the firm claims to have known about the subscriptions a few months after taking ownership, so it had ample time to warn customers before abruptly deactivating “dormant” accounts and killing the subscriptions of thousands of customers.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2025/05/vpn-firm-says-it-didnt-know-customers-had-lifetime-subscriptions-cancels-them/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29171</guid><pubDate>Tue, 13 May 2025 03:01:50 +0000</pubDate></item><item><title>Deepfakes, Scams, and the Age of Paranoia</title><link>https://nsaneforums.com/news/security-privacy-news/deepfakes-scams-and-the-age-of-paranoia-r29160/</link><description><![CDATA[<h3>
	As AI-driven fraud becomes increasingly common, more people feel the need to verify every interaction they have online.
</h3>

<p>
	These days, when Nicole Yelland receives a meeting request from someone she doesn’t already know, she conducts a multistep <a href="https://www.wired.com/story/the-startup-that-will-vet-you-for-your-next-job/" rel="external nofollow">background check</a> before deciding whether to accept. Yelland, who works in public relations for a Detroit-based nonprofit, says she’ll run the person’s information through Spokeo, a personal data aggregator that she pays a monthly subscription fee to use. If the contact claims to speak Spanish, Yelland says, she will casually test their ability to understand and translate trickier phrases. If something doesn’t quite seem right, she’ll ask the person to join a Microsoft Teams call—with their camera on.
</p>

<p>
	 
</p>

<p>
	If Yelland sounds paranoid, that’s because she is. In January, before she started her current nonprofit role, Yelland says, she got roped into an elaborate scam targeting job seekers. “Now, I do the whole verification rigamarole any time someone reaches out to me,” she tells WIRED.
</p>

<p>
	 
</p>

<p>
	Digital imposter scams aren’t new; messaging <a href="https://www.wired.com/story/smishing-triad-scam-group/#intcid=_wired-article-bottom-recirc_8d8c8343-47e1-493e-b994-56eafa0d2e4c_roberta-similarity1" rel="external nofollow">platforms</a>, social media sites, and <a href="https://www.wired.com/story/i-uncovered-an-army-of-fake-men-on-hinge/" rel="external nofollow">dating apps</a> have long been rife with fakery. In a time when remote work and distributed teams have become commonplace, professional communications channels are no longer safe, either. The same artificial intelligence tools that tech companies promise will boost worker productivity are also making it easier for criminals and fraudsters to construct fake personas in seconds.
</p>

<p>
	 
</p>

<p>
	On LinkedIn, it can be hard to distinguish a slightly touched-up headshot of a real person from a too-polished, AI-generated facsimile. Deepfake videos are getting so good that longtime email scammers are pivoting to <a href="https://www.404media.co/the-age-of-realtime-deepfake-fraud-is-here/" rel="external nofollow">impersonating people</a> on live video calls. According to the US Federal Trade Commission, reports of job- and employment-related scams nearly tripled from 2020 to 2024, and actual losses from those scams <a href="https://consumer.ftc.gov/consumer-alerts/2025/03/top-scams-2024" rel="external nofollow">have increased</a> from $90 million to $500 million.
</p>

<p>
	 
</p>

<p>
	Yelland says the scammers that approached her back in January were impersonating a real company, one with a legitimate product. The “hiring manager” she corresponded with over email also seemed legit, even sharing a slide deck outlining the responsibilities of the role they were advertising. But during the first video interview, Yelland says, the scammers refused to turn their cameras on during a Microsoft Teams meeting and made unusual requests for detailed personal information, including her driver’s license number. Realizing she’d been duped, Yelland slammed her laptop shut.
</p>

<p>
	 
</p>


<p>
	These kinds of schemes have become so widespread that AI startups have emerged promising to detect other AI-enabled deepfakes, including <a href="https://www.wired.com/story/deepfake-detection-get-real-labs/" rel="external nofollow">GetReal Labs</a> and <a href="https://www.wired.com/story/real-time-video-deepfake-scams-reality-defender/" rel="external nofollow">Reality Defender</a>. OpenAI CEO Sam Altman also runs an identity-verification startup called Tools for Humanity, which makes <a href="https://www.wired.com/story/sam-altman-orb-eyeball-scan-launch-us/" rel="external nofollow">eye-scanning devices that capture</a> a person’s biometric data, create a unique identifier for their identity, and store that information on the blockchain. The whole <a href="https://www.wired.com/story/sam-altman-orb-eyeball-scan-launch-us/" rel="external nofollow">idea behind it</a> is proving “personhood,” or that someone is a real human. (Lots of people working on blockchain technology say that blockchain is the solution for identity verification.)
</p>

<p>
	 
</p>

<p>
	But some corporate professionals are turning instead to old-fashioned social engineering techniques to verify every fishy-seeming interaction they have. Welcome to the Age of Paranoia, when someone might ask you to send them an email while you’re mid-conversation on the phone, slide into your Instagram DMs to ensure the LinkedIn message you sent was really from you, or request you text a selfie with a time stamp, proving you are who you claim to be. Some colleagues say they even share code words with each other, so they have a way to ensure they’re not being misled if an encounter feels off.
</p>

<p>
	 
</p>

<p>
	“What’s funny is, the lo-fi approach works,” says Daniel Goldman, a blockchain software engineer and former startup founder. Goldman says he began changing his own behavior after he heard a prominent figure in the crypto world had been convincingly deepfaked on a video call. “It put the fear of god in me,” he says. Afterward, he warned his family and friends that even if they hear what they believe is his voice or see him on a video call asking for something concrete—like money or an internet password—they should hang up and email him first before doing anything.
</p>

<p>
	 
</p>


<p>
	Ken Schumacher, founder of the recruitment verification service Ropes, says he’s worked with hiring managers who ask job candidates rapid-fire questions about the city where they claim to live on their résumé, such as their favorite coffee shops and places to hang out. If the applicant is actually based in that geographic region, Schumacher says, they should be able to respond quickly with accurate details.
</p>

<p>
	 
</p>

<p>
	Another verification tactic some people use, Schumacher says, is what he calls the “phone camera trick.” If someone suspects the person they’re talking to over video chat is being deceitful, they can ask them to hold up their phone camera to show their laptop. The idea is to verify whether the individual may be running deepfake technology on their computer, obscuring their true identity or surroundings. But it’s safe to say this approach can also be off-putting: Honest job candidates may be hesitant to show off the inside of their homes or offices, or worry a hiring manager is trying to learn details about their personal lives.
</p>

<p>
	 
</p>

<p>
	“Everyone is on edge and wary of each other now,” Schumacher says.
</p>

<p>
	 
</p>

<p>
	While turning yourself into a human captcha may be a fairly effective approach to operational security, even the most paranoid admit these checks create an atmosphere of distrust before two parties have even had the chance to really connect. They can also be a huge time suck. “I feel like something’s gotta give,” Yelland says. “I’m wasting so much time at work just trying to figure out if people are real.”
</p>

<p>
	 
</p>

<p>
	Jessica Eise, an assistant professor studying climate change and social behavior at Indiana University Bloomington, says her research team has been forced to essentially become digital forensics experts because of the number of fraudsters who respond to ads for paid virtual surveys. (Scammers aren’t as interested in the unpaid surveys, unsurprisingly.) If the research project is federally funded, all of the online participants have to be over the age of 18 and living in the US.
</p>

<p>
	 
</p>

<p>
	“My team would check time stamps for when participants answered emails, and if the timing was suspicious, we could guess they might be in a different time zone,” Eise says. “Then we’d look for other clues we came to recognize, like certain formats of email address or incoherent demographic data.”
</p>

<p>
	 
</p>

<p>
	Eise says the amount of time her team spent screening people was “exorbitant” and that they’ve now shrunk the size of the cohort for each study and have turned to “snowball sampling,” or recruiting people they know personally to join their studies. The researchers are also handing out more physical flyers to solicit participants in person. “We care a lot about making sure that our data has integrity, that we’re studying who we say we’re trying to study,” she says. “I don’t think there’s an easy solution to this.”
</p>

<p>
	 
</p>

<p>
	Barring any widespread technical solution, a little common sense can go a long way in spotting bad actors. Yelland shared with me the slide deck that she received as part of the fake job pitch. At first glance, it seemed legit, but when she looked at it again, a few details stood out. The job promised to pay substantially more than the average salary for a similar role in her location and offered unlimited vacation time, generous paid parental leave, and fully covered health care benefits. In today’s job environment, that might have been the biggest tipoff of all that it was a scam.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/paranoia-social-engineering-real-fake/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of April): 1,811</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">29160</guid><pubDate>Mon, 12 May 2025 20:40:59 +0000</pubDate></item><item><title>Google to pay $1.375 billion to settle Texas data privacy violations</title><link>https://nsaneforums.com/news/security-privacy-news/google-to-pay-1375-billion-to-settle-texas-data-privacy-violations-r29159/</link><description><![CDATA[<p>
	Google has agreed to a $1.375 billion settlement with the state of Texas over a 2022 lawsuit that alleged it had been collecting and using biometric data of millions of Texans without properly acquiring their consent.
</p>

<p>
	 
</p>

<p>
	The office of Texas Attorney General Ken Paxton announced the settlement agreement, calling it a 'historic win' for the state and noting that it is the highest recovery nationwide against Google.
</p>

<p>
	 
</p>

<p>
	"To date, no state has attained a settlement against Google for similar data-privacy violations greater than $93 million," <a href="https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-secures-historic-1375-billion-settlement-google-related-texans-data" rel="external nofollow" target="_blank">commented Paxton's office in the announcement</a>.
</p>

<p>
	 
</p>

<p>
	"Even a multistate coalition that included forty states secured just $391 million—almost a billion dollars less than Texas's recovery."
</p>

<p>
	 
</p>

<p>
	Google was <a href="https://www.bleepingcomputer.com/news/security/google-sued-over-biometric-data-collection-without-consent/" rel="external nofollow" target="_blank">accused</a> of violating the state's biometric privacy act, which dictates that companies must clearly inform users and get their consent before collecting biometric identifiers such as fingerprints, voice, hand scans, and retina/iris scans.
</p>

<p>
	 
</p>

<p>
	According to the lawsuit, since at least 2015, Google has unlawfully (without consent) collected Texans' face and voice scans to empower its targeted advertising business.
</p>

<p>
	 
</p>

<p>
	Additionally, Google was accused of persistently tracking Texans who used its products and services, constantly logging their location and searches made while in Chrome's incognito mode.
</p>

<p>
	 
</p>

<p>
	Paxton underlined that nobody is above the law, and Big Tech will not be left unchecked.
</p>

<p>
	 
</p>

<p>
	A Google spokesperson told BleepingComputer that this settlement covers two cases and three claims, all of which have already resulted in product/procedure changes in the tech giant's products and services, so no further action is required.
</p>

<p>
	 
</p>

<p>
	"This settles a raft of old claims, many of which have already been resolved elsewhere, concerning product policies we have long since changed," said Google spokesperson José Castañeda.
</p>

<p>
	 
</p>

<p>
	"We are pleased to put them behind us, and we will continue to build robust privacy controls into our services."
</p>

<p>
	 
</p>

<p>
	Google also noted that the settlement is not an admission of wrongdoing or liability.
</p>

<p>
	 
</p>

<p>
	Under AG Paxton, Texas has secured several successful actions against tech giants in recent years.
</p>

<p>
	 
</p>

<p>
	One notable example is a $1.4 billion July 2024 settlement with Meta for unlawfully collecting and using facial recognition data.
</p>

<p>
	 
</p>

<p>
	In January 2025, Paxton filed a lawsuit targeting <a href="https://www.bleepingcomputer.com/news/legal/allstate-car-insurer-sued-for-tracking-drivers-without-permission/" rel="external nofollow" target="_blank">car insurer Allstate</a> and its subsidiary Arity for unlawfully collecting, using, and re-selling driving data from over 45 million Americans, violating the Texas Data Privacy and Security Act (TDPSA), the Data Broker Law, and the Texas Insurance Code.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/legal/google-to-pay-1375-billion-to-settle-texas-data-privacy-violations/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29159</guid><pubDate>Mon, 12 May 2025 20:39:21 +0000</pubDate></item><item><title>Hackers now testing ClickFix attacks against Linux targets</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-now-testing-clickfix-attacks-against-linux-targets-r29158/</link><description><![CDATA[<p>
	A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.
</p>

<p>
	 
</p>

<p>
	ClickFix is a <a href="https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-students-with-malware-via-fake-captcha/" rel="external nofollow" target="_blank">social engineering tactic</a> where fake verification systems or application errors are used to trick website visitors into running console commands that install malware.
</p>

<p>
	 
</p>

<p>
	These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in <a href="https://www.bleepingcomputer.com/news/security/over-6-000-wordpress-sites-hacked-to-install-plugins-pushing-infostealers/" rel="external nofollow" target="_blank">info-stealer malware</a> infections and <a href="https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-pushes-fake-it-tools-in-clickfix-attacks/" rel="external nofollow" target="_blank">even ransomware</a>.
</p>

<p>
	 
</p>

<p>
	However, a 2024 campaign using bogus Google Meet errors also <a href="https://www.bleepingcomputer.com/news/security/fake-google-meet-conference-errors-push-infostealing-malware/" rel="external nofollow" target="_blank">targeted macOS users</a>.
</p>

<h2>
	ClickFix targeting Linux users
</h2>

<p>
	A more recent campaign spotted by <a href="https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence" rel="external nofollow" target="_blank">Hunt.io researchers</a> last week is among the first to adapt this social engineering technique for Linux systems.
</p>

<p>
	 
</p>

<p>
	The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Malicious website mimicking India's Ministry of Defence" class="ipsImage" height="416" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/website.jpg">
		<figcaption>
			<em>Malicious website mimicking India's Ministry of Defence<br>
			Source: Hunt.io</em>
		</figcaption>
	</figure>
</div>

<p>
	When visitors click on this website link, they are profiled by the platform to determine their operating system, and then redirected to the correct attack flow.
</p>

<p>
	 
</p>

<p>
	On Windows, victims are served a full-screen page warning them of limited content usage rights. Clicking on 'Continue' triggers JavaScript that copies a malicious MSHTA command to the clipboard; the victim is then instructed to paste and execute it in the Windows terminal.
</p>

<p>
	 
</p>

<p>
	This launches a .NET-based loader which connects to the attacker's address, while the user sees a decoy PDF file to make everything appear legitimate and as expected.
</p>

<p>
	 
</p>

<p>
	On Linux, victims are redirected to a CAPTCHA page that copies a shell command to their clipboard when they click the "I'm not a robot" button.
</p>

<p>
	 
</p>

<p>
	The victim is then guided to press ALT+F2 to open a Linux run dialog, paste the command into it, and then press <strong>Enter</strong> to execute it.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Instructions for Linux users" class="ipsImage" height="374" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/linux-instructions.jpg">
		<figcaption>
			<em>Instructions for Linux users<br>
			Source: Hunt.io</em>
		</figcaption>
	</figure>
</div>

<p>
	The command drops the 'mapeal.sh' payload on the target's system, which, according to Hunt.io, does not perform any malicious actions in its current version and is limited to fetching a JPEG image from the attacker's server.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Linux ClickFix script" class="ipsImage" height="600" style="height: auto;" width="978" src="https://www.bleepstatic.com/images/news/security/c/clickfix/linux/linux-clickfix.jpg">
		<figcaption>
			<em>Linux ClickFix script<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	"The script downloads a JPEG image from the same trade4wealth[.]in directory and opens it in the background," explains Hunt.io.
</p>

<p>
	 
</p>

<p>
	"No additional activity, such as persistence mechanisms, lateral movement, or outbound communication, was observed during execution."
</p>

<p>
	 
</p>

<p>
	However, it is possible that APT36 is currently experimenting to determine the effectiveness of the Linux infection chain, as they would just need to swap out the image for a shell script to install malware or perform other malicious activity.
</p>

<p>
	 
</p>

<p>
	The adaptation of ClickFix to carry out attacks on Linux is another testament to its effectiveness, as the attack type has now been used against all three major desktop OS platforms.
</p>

<p>
	 
</p>

<p>
	As a general policy, users should not copy and paste any commands into Run dialogs without knowing exactly what the command does. Doing so only increases the risk of a malware infection and theft of sensitive data.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-now-testing-clickfix-attacks-against-linux-targets/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29158</guid><pubDate>Mon, 12 May 2025 20:37:48 +0000</pubDate></item><item><title>Bluetooth 6.1 enhances privacy with randomized RPA timing</title><link>https://nsaneforums.com/news/security-privacy-news/bluetooth-61-enhances-privacy-with-randomized-rpa-timing-r29142/</link><description><![CDATA[<p>
	The Bluetooth Special Interest Group (SIG) has announced Bluetooth Core Specification 6.1, bringing important improvements to the popular wireless communication protocol.
</p>

<p>
	 
</p>

<p>
	One new feature highlighted in the latest release is increased device privacy via randomized Resolvable Private Address (RPA) updates.
</p>

<p>
	 
</p>

<p>
	"Randomizing the timing of address changes makes it much more difficult for third parties to track or correlate device activity over time," <a href="https://www.bluetooth.com/blog/delivering-on-the-bi-annual-release-schedule-bluetooth-core-6-1-is-here/" rel="external nofollow" target="_blank">reads SIG's announcement</a>.
</p>

<p>
	 
</p>

<p>
	A Resolvable Private Address (RPA) is a Bluetooth address created to look random and is used in place of a device's fixed MAC address to protect user privacy. It allows trusted devices to securely reconnect without revealing their true identity.
</p>

<p>
	 
</p>

<p>
	Currently, RPAs are updated at fixed intervals, usually every 15 minutes, which introduces a level of predictability. This predictability can be exploited in correlation attacks, making long-term tracking possible.
</p>

<p>
	 
</p>

<p>
	Bluetooth 6.1 improves privacy by randomizing the interval between RPA updates, using a default range of 8 to 15 minutes, while also allowing custom values anywhere in the range of 1 second to 1 hour.
</p>

<p>
	 
</p>

<p>
	The Controller picks a random value in the defined range using a NIST-approved random number generator, and updates the RPA. This makes tracking significantly harder, as there is no pattern in the value selection.
</p>

<p>
	 
</p>

<p>
	More details about how the new privacy feature works can be found in the <a href="https://files.bluetooth.com/download/core_v6-1/" rel="external nofollow" target="_blank">specification document</a> published along with the announcement.
</p>

<p>
	 
</p>

<p>
	Another feature highlighted in the announcement is better power efficiency starting from Bluetooth 6.1, which stems from allowing the chip (Controller) to autonomously handle the randomized RPA updates.
</p>

<p>
	 
</p>

<p>
	Specifically, the Bluetooth chip will choose the randomized timing intervals and generate and update the RPA internally without waking the host device.
</p>

<p>
	 
</p>

<p>
	This saves CPU cycles and memory operations, which under the right conditions translates into significant power savings. For smaller devices like fitness bands, earbuds, and IoT sensors, this could make a big difference in battery life.
</p>

<p>
	 
</p>

<p>
	While Bluetooth 6.1 has made exciting steps forward, it's important to underline that actual support in hardware and firmware may take years to arrive.
</p>

<p>
	 
</p>

<p>
	The first wave of chips with Bluetooth 6.1 should not be realistically expected before 2026, and even then, early implementations may not immediately expose all the newly available features, as testing and validation may be required.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/bluetooth-61-enhances-privacy-with-randomized-rpa-timing/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29142</guid><pubDate>Sun, 11 May 2025 21:34:02 +0000</pubDate></item><item><title>FBI: End-of-life routers hacked for cybercrime proxy networks</title><link>https://nsaneforums.com/news/security-privacy-news/fbi-end-of-life-routers-hacked-for-cybercrime-proxy-networks-r29110/</link><description><![CDATA[<p>
	The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
</p>

<p>
	 
</p>

<p>
	These devices, which were released many years back and no longer receive security updates from their vendors, are vulnerable to external attacks leveraging publicly available exploits to inject persistent malware. 
</p>

<p>
	 
</p>

<p>
	Once compromised, they are added to residential proxy botnets that route malicious traffic. In many cases, these proxies are used by cybercriminals to conduct malicious activities or cyberattacks.
</p>

<p>
	 
</p>

<p>
	"With the 5Socks and Anyproxy network, criminals are selling access to compromised routers as proxies for customers to purchase and use," <a href="https://www.ic3.gov/CSA/2025/250507.pdf" rel="external nofollow" target="_blank">explains the FBI Flash advisory</a>.
</p>

<p>
	 
</p>

<p>
	"The proxies can be used by threat actors to obfuscate their identity or location."
</p>

<p>
	 
</p>

<p>
	The advisory lists the following EoL Linksys and Cisco models as common targets:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550
	</li>
	<li>
		Linksys WRT320N, WRT310N, WRT610N
	</li>
	<li>
		Cradlepoint E100
	</li>
	<li>
		Cisco M10
	</li>
</ul>

<p>
	 
</p>

<p>
	The FBI warns that Chinese state-sponsored actors have exploited known (n-day) vulnerabilities in these routers to <a href="https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massive-orb-proxy-networks-to-evade-detection/" rel="external nofollow" target="_blank">conduct covert espionage campaigns</a>, including operations targeting critical U.S. infrastructure.
</p>

<p>
	 
</p>

<p>
	In a <a href="https://www.ic3.gov/PSA/2025/PSA250507" rel="external nofollow" target="_blank">related bulletin</a>, the agency confirms that many of these routers are infected with a variant of the "TheMoon" malware, which enables threat actors to configure them as proxies.
</p>

<p>
	 
</p>

<p>
	"End of life routers were breached by cyber actors using variants of TheMoon malware botnet," reads the FBI bulletin.
</p>

<p>
	 
</p>

<p>
	"Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously."
</p>

<p>
	 
</p>

<p>
	Once compromised, the routers connect to command and control (C2) servers to receive commands to execute, such as scanning for and compromising vulnerable devices on the Internet.
</p>

<p>
	 
</p>

<p>
	The FBI says that the proxies are then used to evade detection during cryptocurrency theft, cybercrime-for-hire activities, and other illegal operations.
</p>

<p>
	 
</p>

<p>
	Common signs of compromise by a botnet include network connectivity disruptions, overheating, performance degradation, configuration changes, the appearance of rogue admin users, and unusual network traffic.
</p>

<p>
	 
</p>

<p>
	The best way to mitigate the risk of botnet infections is to replace end-of-life routers with newer, actively supported models.
</p>

<p>
	 
</p>

<p>
	If that is impossible, apply the latest firmware update for your model, sourced from the vendor's official download portal, change the default admin account credentials, and turn off remote administration panels.
</p>

<p>
	 
</p>

<p>
	The FBI has shared indicators of compromise associated with the malware installed on EoL devices.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hacked-for-cybercrime-proxy-networks/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29110</guid><pubDate>Fri, 09 May 2025 07:30:00 +0000</pubDate></item><item><title>Users aren't thrilled, but Meta is continuing its ad push with video ads on Threads</title><link>https://nsaneforums.com/news/security-privacy-news/users-arent-thrilled-but-meta-is-continuing-its-ad-push-with-video-ads-on-threads-r29099/</link><description><![CDATA[<p>
	Video ads are making their way to Threads, building on earlier tests of image-based advertising already rolled out in countries including the United States and Japan. Meta has announced the initial phases for testing video creatives, starting with a limited number of advertisers. The plan is for these test ads, which will support common aspect ratios like 19:9 or 1:1, to appear interspersed with organic content directly within the Threads feed, similar to how video ads function on other social platforms.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="Video ads on Threads" class="ipsImage" height="720" width="337" src="https://cdn.neowin.com/news/images/uploaded/2025/05/1746731400_threads-video-ads-1.jpg">
	<figcaption>
		<em>Video ads on Threads</em>
	</figcaption>
</figure>

<p>
	Threads, the text-based app launched by Instagram's team on July 5, 2023, is clearly moving closer to full-on monetization as it works to establish itself as a major social platform. The platform has grown significantly since its launch, quickly accumulating users and recently crossing a big milestone. Meta CEO Mark Zuckerberg <a href="https://www.theverge.com/news/659355/threads-now-has-more-than-350-million-monthly-active-users" rel="external nofollow">confirmed in last month's earnings call</a> that Threads now has over 350 million monthly active users.
</p>

<p>
	 
</p>

<p>
	Beyond just the user count, Threads has seen increased engagement, with Zuckerberg also reporting a 35% rise in time spent on the app, which Meta attributes to better recommendation systems helping users find compelling content. Meta makes most of its money from ads, so dropping them into a growing, active app like Threads was probably just a matter of time. It's starting to feel more and more like X and the rest. However, when Meta first <a href="https://www.neowin.net/news/angry-users-react-as-meta-begins-testing-ads-on-threads-in-the-us-and-japan/" rel="external nofollow">began testing image ads early this year</a>, some users pushed back, unhappy to see promotional content start appearing in what had been an ad-free experience.
</p>

<p>
	 
</p>

<p>
	Despite some user frustration surrounding the initial introduction of any advertising on the platform, Meta stated it is closely monitoring these tests, aiming to make ads feel both relevant and interesting to the audience. Users will still have controls at their disposal, able to skip, hide, or report any specific advertisement they encounter. The move to video ads was officially announced at the IAB NewFronts, a big industry event where social media and online video platforms pitch their ad tools to brands and agencies.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://techcrunch.com/2025/05/08/instagram-threads-is-getting-video-ads/" rel="external nofollow">TechCrunch</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/users-arent-thrilled-but-meta-is-continuing-its-ad-push-with-video-ads-on-threads/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29099</guid><pubDate>Thu, 08 May 2025 21:11:32 +0000</pubDate></item><item><title>Google Chrome now uses Gemini Nano to fight online scams</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-now-uses-gemini-nano-to-fight-online-scams-r29098/</link><description><![CDATA[<p>
	Google shared details on how it uses AI-powered tools to fight online scams across platforms like Google Search, Android, and Chrome. Google Chrome's Enhanced Protection mode now uses the Gemini Nano on-device large language model (LLM) on desktop.
</p>

<p>
	 
</p>

<p>
	Google said in a <a href="https://blog.google/technology/safety-security/how-were-using-ai-to-combat-the-latest-scams/" rel="external nofollow">blog post</a> that the on-device model offers an extra layer of safety against online scams. It provides "instant insight on risky websites and allows us to offer protection, even against scams that haven't been seen before."
</p>

<p>
	 
</p>

<p>
	Enhanced protection has been available on Chrome since 2020 as part of Safe Browsing. You can enable it by going to Settings &gt; Privacy and Security &gt; Security. The feature offers real-time protection against malicious downloads and extensions, not just websites.
</p>

<p class="img-center">
	<img alt="Google Chrome Safe Browsing Enhanced Protection" class="ipsImage" height="423" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/05/1746731866_google_chrome_safe_browsing.jpg">
</p>

<p>
	According to the tech giant, tech support scams are among the biggest online threats, and they are being dealt with using the new AI approach. In future updates, Google will expand the security feature to Android devices and more types of scams.
</p>

<p>
	 
</p>

<p>
	Google will also use on-device machine learning for Chrome on Android to warn unsuspecting users against malicious or misleading website notifications. A warning message will include the option to unsubscribe or view the blocked content.
</p>

<p>
	 
</p>

<p>
	The tech giant said that investments in AI scam detection systems and improvements in classifiers have enabled it to detect 20 times more scammy pages on Google Search. Over the last three years, it has made several AI-related improvements to its anti-scam systems.
</p>

<p>
	 
</p>

<p>
	Google uses these capabilities to "analyze vast quantities of text and identify subtle linguistic patterns and thematic connections that might indicate coordinated scam campaigns or emerging fraudulent narratives."
</p>

<p>
	 
</p>

<p>
	Google <a href="https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Search-Scam-Report-0508.pdf" rel="external nofollow">noted in a report</a> that it cut down scams by 80% in Search, where scammers posed as airline customer service providers to take advantage of people who needed help. Due to the new protections, misleading pages mimicking official resources like visas or other government services saw a drop of over 70% in 2024.
</p>

<p>
	 
</p>

<p>
	The report suggests various indicators that can help you catch the scent of bad actors. For instance, they often use lookalike domains to trick people. You should be aware of strange formatting, unusual fonts, or unexpected symbols, and always look for official resources.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-chrome-now-uses-gemini-nano-to-fight-online-scams/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29098</guid><pubDate>Thu, 08 May 2025 21:07:00 +0000</pubDate></item><item><title>Gmail to drop support for 'outdated' 3DES encryption in incoming SMTP connections</title><link>https://nsaneforums.com/news/security-privacy-news/gmail-to-drop-support-for-outdated-3des-encryption-in-incoming-smtp-connections-r29082/</link><description><![CDATA[<p>
	Google is phasing out support for the Triple Data Encryption Standard (3DES) in Gmail's incoming SMTP connections. In plain terms, email systems that still use 3DES to send messages to Gmail will need to switch to a more modern encryption method. After the cutoff, if a server tries to connect using only 3DES, the message won't make it through.
</p>

<p>
	 
</p>

<p>
	The deadline is May 30, 2025. From that point on, email traffic relying on 3DES will not be delivered.
</p>

<p>
	 
</p>

<p>
	3DES is an encryption algorithm that applies the older Data Encryption Standard three times to each block of data. While this offered better protection than single DES, which became easy to break as computers got faster, 3DES itself is now considered outdated. It uses a relatively small 64-bit block size. This limitation makes it vulnerable when a large amount of data is encrypted under the same key over time, potentially allowing an attacker to recover information about the encrypted content. It is also much slower than modern encryption standards like AES. For these reasons, 3DES has been on its way out for years, <a href="https://www.neowin.net/news/chrome-93-is-landing-today-removes-3des-encryption-support-in-tls-adds-webotp-on-desktop/" rel="external nofollow">disappearing from many web browsers</a> and other secure connections.
</p>

<p>
	 
</p>

<p>
	Google <a href="https://workspaceupdates.googleblog.com/2025/05/update-for-gmail-support-for-the-3des-encryption-cipher-for-incoming-smtp-connections.html" rel="external nofollow">stated the change is needed</a> "to improve our security and protect you from potential vulnerabilities associated with outdated encryption methods." The company is telling administrators of mail systems that send to Gmail to "ensure that all of your sending systems are configured to use more modern and secure TLS ciphers."
</p>

<p>
	 
</p>

<p>
	Admins for Google Workspace domains that have recently used 3DES to send email to Gmail were also notified by email with more specific information. If their end users are running into issues related to this, they might see a warning indicating the specific cipher is no longer supported. This removal affects all Google Workspace customers and anyone whose mail server sends email to any Gmail user.
</p>

<p>
	 
</p>

<p>
	In other Gmail news, the service recently <a href="https://www.neowin.net/news/data-classifications-labels-for-gmail-leaves-open-beta-now-generally-available/" rel="external nofollow">made its data classification labels generally available</a>. These labels let organizations categorize emails for better data protection and management. Gmail <a href="https://www.neowin.net/news/now-you-can-react-and-respond-quickly-to-emails-in-gmail-with-emojis/" rel="external nofollow">also added the ability to react to emails</a> quickly using emojis on web and mobile interfaces. Furthermore, Gmail's <a href="https://www.neowin.net/news/gmails-search-is-getting-an-ai-upgrade-to-bring-you-the-most-relevant-results-faster/" rel="external nofollow">search function is getting an upgrade</a> with AI to prioritize the "most relevant" results based on factors like recency and how often you interact with emails or contacts.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/gmail-to-drop-support-for-outdated-3des-encryption-in-incoming-smtp-connections/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29082</guid><pubDate>Wed, 07 May 2025 21:29:04 +0000</pubDate></item><item><title>The Day Anubis Saved Our Websites From a DDoS Attack</title><link>https://nsaneforums.com/news/security-privacy-news/the-day-anubis-saved-our-websites-from-a-ddos-attack-r29022/</link><description><![CDATA[<h1>
	<span style="font-size:16px;">The Day Anubis Saved Our Websites From a DDoS Attack</span>
</h1>

<p>
	<em><span style="font-size:12px;">2025-05-01 14:00:00</span></em><br />
	 
</p>

<div>
	<p>
		One part of my work for the ScummVM project is helping to keep the server infrastructure up and running, including our primary server, which hosts our website, wiki, forums, and some internal applications.
	</p>

	<p>
		 
	</p>

	<p>
		About three weeks ago, I started receiving monitoring notifications indicating an increased load on the MariaDB server. This in itself is nothing too unusual. It usually means nothing but a sudden influx of new visitors, and in most cases, it is just a link being shared somewhere or a single IP trying to annoy us.
	</p>

	<p>
		 
	</p>

	<p>
		The notifications popped up and disappeared as quickly as they appeared. I started to look into the log files of our web server, and I didn’t notice anything too unusual, maybe a bit more background noise. This went on for a couple of days without seriously impacting our server or accessibility–it was a tad slower than usual.
	</p>

	<p>
		 
	</p>

	<p>
		And then the website went down.
	</p>

	<p>
		 
	</p>

	<p>
		We use a stack consisting of Apache2, PHP-FPM, and MariaDB to host the web applications. The server logs revealed that everything was saturated. Apache2 refused to accept new connections, the PHP-FPM pools were completely filled, and MariaDB also had no connections left.
	</p>

	<p>
		 
	</p>

	<p>
		Now, it was time to find out what was going on. Hoping that it was just one single IP trying to annoy us, I opened the access log of the day and was greeted by this:
	</p>

	<pre><code>127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?days=30&amp;from=20250417123108&amp;hidemyself=1&amp;limit=500&amp;target=Lure_of_the_Temptress&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6366 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.2 (KHTML, like Gecko) Chrome/16.0.843.0 Safari/534.2"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?from=20250417205327&amp;hidemyself=0&amp;limit=100&amp;target=California_Pacific_Computer_Company&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6363 "-" "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 4.0; Trident/3.1)"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?days=30&amp;from=20250410022141&amp;hidebots=0&amp;hideliu=1&amp;hideminor=1&amp;target=The_Big_Red_Adventure&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6368 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_5_3; rv:1.9.4.20) Gecko/8520-08-18 14:24:31.076782 Firefox/3.8"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?days=1&amp;from=20250424060651&amp;fromFormatted=06%3A06%2C+24+April+2025&amp;hideminor=1&amp;limit=100&amp;target=RAMA&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6368 "-" "Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/4195-09-07 16:38:05.879333 Firefox/3.8"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?days=30&amp;from=20250424183156&amp;fromFormatted=18%3A31%2C+24+April+2025&amp;hideminor=1&amp;limit=250&amp;target=AGOS%2FVersions&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6367 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/39.0.887.0 Safari/534.0"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?days=30&amp;from=20250411043805&amp;hidebots=0&amp;target=OpenTasks%2FEngine%2FImprove_WME&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6367 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; rv:1.9.3.20) Gecko/9958-03-18 16:15:48.117981 Firefox/14.0"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?days=30&amp;from=20250411042538&amp;hidebots=0&amp;hidemyself=1&amp;limit=250&amp;target=Compiling_ScummVM%2FPlayStation_Portable&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6363 "-" "Opera/9.13.(X11; Linux i686; ce-RU) Presto/2.9.173 Version/11.00"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /api.php?action=feedrecentchanges&amp;days=14&amp;feedformat=atom&amp;from=20250405110953&amp;hidebots=1&amp;hidemyself=1&amp;limit=50&amp;target=Summer_of_Code%2FGSoC2010&amp;urlversion=1 HTTP/1.1" 200 6364 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/531.2 (KHTML, like Gecko) Chrome/24.0.862.0 Safari/531.2"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?days=30&amp;from=20250421165249&amp;fromFormatted=16%3A52%2C+21+April+2025&amp;limit=100&amp;target=Template%3AMain_Contact&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6366 "-" "Opera/9.61.(X11; Linux x86_64; st-ZA) Presto/2.9.160 Version/12.00"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?returnto=Special%3ARecentChangesLinked&amp;returntoquery=from%3D20250418162237%26fromFormatted%3D16%253A22%252C%2B18%2BApril%2B2025%26hidemyself%3D1%26target%3DAGIWiki%252FAl_Pond_-_On_Holiday&amp;title=Special%3AUserLogin HTTP/1.1" 200 6365 "-" "Mozilla/5.0 (compatible; MSIE 7.0; Windows 98; Win 9x 4.90; Trident/3.1)"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?days=30&amp;from=20250417091241&amp;hidebots=1&amp;limit=250&amp;target=Summer_of_Code%2FApplication%2F2007&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6366 "-" "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_1 like Mac OS X; nr-ZA) AppleWebKit/535.26.3 (KHTML, like Gecko) Version/3.0.5 Mobile/8B114 Safari/6535.26.3"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /api.php?action=webapp-manifest HTTP/2.0" 200 2102 "https://wiki.scummvm.org/index.php?title=Hopkins_FBI" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Mobile Safari/537.36"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?days=30&amp;from=20250417023112&amp;hidebots=0&amp;hideminor=1&amp;hidemyself=1&amp;limit=250&amp;target=AGIWiki%2FSpecial_flags&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6367 "-" "Mozilla/5.0 (compatible; MSIE 7.0; Windows 98; Trident/3.1)"
127.0.0.1 - - [24/Apr/2025:23:42:29 +0000] "GET /index.php?days=30&amp;from=20250416060403&amp;hideanons=1&amp;limit=100&amp;target=Summer_of_Code%2FApplication%2F2007&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6367 "-" "Mozilla/5.0 (Linux; Android 4.3) AppleWebKit/536.0 (KHTML, like Gecko) Chrome/51.0.880.0 Safari/536.0"
127.0.0.1 - - [24/Apr/2025:23:42:30 +0000] "GET /index.php?days=1&amp;hidebots=0&amp;hideminor=1&amp;hidemyself=0&amp;limit=250&amp;mobileaction=toggle_view_mobile&amp;target=HOWTO-Tips_And_Tricks&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6366 "-" "Mozilla/5.0 (Android 4.4.3; Mobile; rv:58.0) Gecko/58.0 Firefox/58.0"
127.0.0.1 - - [24/Apr/2025:23:42:30 +0000] "GET /index.php?days=30&amp;from=20250415120719&amp;limit=250&amp;target=Time_Zone&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6366 "-" "Mozilla/5.0 (iPad; CPU iPad OS 1_1_5 like Mac OS X) AppleWebKit/532.1 (KHTML, like Gecko) FxiOS/12.3t5461.0 Mobile/69A052 Safari/532.1"
127.0.0.1 - - [24/Apr/2025:23:42:30 +0000] "GET /index.php?title=SCI/Testing&amp;direction=next&amp;oldid=14195 HTTP/1.1" 200 6364 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5; rv:123.0esr) Gecko/20100101 Firefox/123.0esr"
127.0.0.1 - - [24/Apr/2025:23:42:30 +0000] "GET /index.php?days=14&amp;from=20250417034946&amp;hideliu=1&amp;hideminor=1&amp;target=Nippon_Safes_Inc.&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6364 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1; rv:1.9.6.20) Gecko/9899-07-01 03:29:48.393829 Firefox/3.8"
127.0.0.1 - - [24/Apr/2025:23:42:30 +0000] "GET /index.php?returnto=Special%3ARecentChangesLinked&amp;returntoquery=days%3D30%26from%3D20250410005945%26hidebots%3D1%26hideminor%3D1%26hidemyself%3D1%26target%3DUser%253ASpookypeanut&amp;title=Special%3AUserLogin HTTP/1.1" 200 6367 "-" "Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/533.2.2 (KHTML, like Gecko) Version/4.1 Safari/533.2.2"
127.0.0.1 - - [24/Apr/2025:23:42:30 +0000] "GET /index.php?days=30&amp;from=20250410094930&amp;hidebots=1&amp;hideminor=1&amp;hidemyself=1&amp;limit=100&amp;target=Loom&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6364 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) AppleWebKit/533.1 (KHTML, like Gecko) FxiOS/9.0k8480.0 Mobile/92A641 Safari/533.1"
127.0.0.1 - - [24/Apr/2025:23:42:30 +0000] "GET /index.php?days=30&amp;from=20250425184120&amp;fromFormatted=18%3A41%2C+25+April+2025&amp;hideminor=1&amp;hidemyself=1&amp;target=Indiana_Jones_and_the_Fate_of_Atlantis&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6365 "-" "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_1 like Mac OS X; pl-PL) AppleWebKit/535.5.2 (KHTML, like Gecko) Version/4.0.5 Mobile/8B116 Safari/6535.5.2"
127.0.0.1 - - [24/Apr/2025:23:42:31 +0000] "GET /index.php?diff=39241&amp;oldid=29636&amp;mobileaction=toggle_view_desktop HTTP/2.0" 200 2104 "https://wiki.scummvm.org/index.php?diff=39241&amp;oldid=29636&amp;mobileaction=toggle_view_desktop" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.3"
127.0.0.1 - - [24/Apr/2025:23:42:31 +0000] "GET /index.php?days=30&amp;from=20250407050329&amp;hideliu=1&amp;hideminor=1&amp;hidemyself=1&amp;target=Summer_of_Code%2FGSoC_Ideas_2020&amp;title=Special%3ARecentChangesLinked HTTP/1.1" 200 6367 "-" "Mozilla/5.0 (Android 2.2; Mobile; rv:51.0) Gecko/51.0 Firefox/51.0"
</code></pre>

	<p>
		For privacy reasons, I replaced the real IPs with 127.0.0.1, but trust me, there were many IPs–around 35,000, to be precise–from residential networks all over the world. At this scale, it makes no sense to even consider blocking individual IPs, subnets, or entire networks. Due to the open nature of the project, geo-blocking isn’t an option either.
	</p>

	<p>
		 
	</p>

	<p>
		The main problem is time. The URLs accessed in the attack are the most expensive ones the wiki offers since they heavily depend on the database and are highly dynamic, requiring some processing time in PHP. This is the worst-case scenario since it throws the server into a death spiral.
	</p>

	<p>
		 
	</p>

	<p>
		First, the database starts to lag or even refuse new connections. This, combined with the steadily increasing server load, leads to slower PHP execution. Eventually, all resources in the PHP-FPM pools are used up, and since Apache2 doesn’t get a reply from PHP-FPM in time, it waits until it runs out of free connections.
	</p>

	<p>
		 
	</p>

	<p>
		At this point, the website dies. Restarting the stack immediately solves the problem for a couple of minutes at best until the server starves again.
	</p>

	<p>
		 
	</p>

	<p>
		To bring the website back up, I cranked up the configuration of our stack to insane values, risking that the server would eventually run out of memory.
	</p>

	<p>
		 
	</p>

	<p>
		I needed a proper solution, something that takes the load away from the web application stack.
	</p>

	<h2>
		Hi, Anubis!
	</h2>

	<p>
		<a href="https://anubis.techaro.lol/" rel="external nofollow">Anubis</a> is a program that checks incoming connections, processes them, and only forwards “good” connections to the web application. To do so, Anubis sits between the server or proxy responsible for accepting HTTP/HTTPS and the server that provides the application.
	</p>

	<p>
		 
	</p>

	<p>
		Designed to protect websites from AI scraper bots, Anubis primarily focuses on parameters like the user agent sent with the request and looks for oddities in the connection. “Known good” and harmless clients are always accepted, and “known bad” clients are always denied. In case the defaults are not working for your application, Anubis allows extensive configuration with customizable <a href="https://anubis.techaro.lol/docs/admin/policies" rel="external nofollow">bot policy definitions</a>.
	</p>

	<p>
		 
	</p>

	<p>
		And then, there’s the in-between, the part where the real magic happens. Many bots disguise themselves as standard browsers to circumvent filtering based on the user agent. So, if something claims to be a browser, it should behave like one, right? To verify this, Anubis presents a <a href="https://anubis.techaro.lol/docs/design/why-proof-of-work/" rel="external nofollow">proof-of-work challenge</a> that the browser needs to solve. If the challenge passes, it forwards the incoming request to the web application protected by Anubis; otherwise, the request is denied.
	</p>

	<p>
		 
	</p>

	<p>
		<em style="line-height:25.6px;">Solving</em> the challenge–which is valid for one week once passed–takes a couple of seconds on the client side, occupying CPU time. <em style="line-height:25.6px;">Checking</em> whether the browser solved the challenge is very fast on the server side, taking up virtually no resources.
	</p>

	<p>
		 
	</p>

	<p class="img-center">
		<img alt="Anubis presenting the proof-of-work challenge" data-ratio="75.10" height="873" width="1200" src="https://fabulous.systems/posts/2025/05/anubis-saved-our-websites-from-a-ddos-attack/anubis_in_action.webp" />
	</p>

	<p>
		<em>Anubis presenting the proof-of-work challenge</em>
	</p>

	<p>
		 
	</p>

	<p>
		As a regular user, all you’ll notice is a loading screen when accessing the website. As an attacker with stupid bots, you’ll never get through. As an attacker with clever bots, you’ll end up exhausting your own resources. As an AI company trying to scrape the website, you’ll quickly notice that CPU time can be expensive if used on a large scale.
	</p>

	<p>
		 
	</p>

	<p>
		Long story short, deploying Anubis immediately solved our issues. In fact, you can see the exact time in our monitoring.
	</p>

	<p>
		 
	</p>

	<p class="img-center">
		<img alt="Monitoring showing the drop in MariaDB usage after deploying Anubis" data-ratio="75.10" height="1200" width="1200" src="https://fabulous.systems/posts/2025/05/anubis-saved-our-websites-from-a-ddos-attack/database_load.webp" />
	</p>

	<p>
		<em>Monitoring showing the drop in MariaDB usage after deploying Anubis</em>
	</p>

	<p>
		 
	</p>

	<p>
		I didn’t get a single notification afterward. The server load has never been lower. The attack itself is still ongoing at the time of writing this article.
	</p>

	<p>
		 
	</p>

	<p>
		To me, Anubis is not only a blocker for AI scrapers. Anubis is a DDoS protection.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://fabulous.systems/posts/2025/05/anubis-saved-our-websites-from-a-ddos-attack/" rel="external nofollow">Source</a>
	</p>
</div>
]]></description><guid isPermaLink="false">29022</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Microsoft is killing its password manager in Authenticator to make everyone use Edge</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-is-killing-its-password-manager-in-authenticator-to-make-everyone-use-edge-r29008/</link><description><![CDATA[<p>
	Microsoft has a very useful app called Authenticator, which is handy for generating two-factor authentication codes, storing and autofilling passwords, keeping payment data secure, and more. Unfortunately, Microsoft has some bad news for Authenticator customers. Next month, the app will lose one of its best features.
</p>

<p>
	 
</p>

<p>
	In a new support document, Microsoft outlined its plans for the password-managing capabilities. In simple words, Microsoft is killing the feature to push you toward Edge.
</p>

<p>
	 
</p>

<p>
	Starting June 2025, Microsoft Authenticator will no longer be able to save new passwords. In July 2025, the app will stop auto-filling your data in websites and apps and will delete your payment information. Finally, in August 2025, all your saved passwords, including those generated by the app, will disappear.
</p>

<p>
	 
</p>

<p>
	The reason? To put it simply, so that more people switch to Edge (which <a href="https://www.neowin.net/news/microsoft-edge-is-not-going-anywhere-with-its-market-share/" rel="external nofollow">has a hard time increasing its market share</a>). In the support document, Microsoft said that the change is to "streamline autofill so you can use saved passwords easily across devices."
</p>

<p>
	 
</p>

<p>
	Still, the app itself is not going anywhere. You will be able to keep using it to generate two-factor authentication codes and store passkeys. It is just that the app is getting a lot less useful and now forces everyone to either use Edge or switch to another password manager.
</p>

<p>
	 
</p>

<p>
	Speaking of switching, Microsoft offers two courses of action: either embrace Microsoft's "AI browser" Edge (which supports autofill in apps on Android and iOS), or export all data from Authenticator to another password manager. Microsoft notes that all data should be exported before August 1, 2025. After that day, passwords and other information will be automatically deleted.
</p>

<p>
	 
</p>

<p>
	You can read more about the announcement, which was discovered right after Microsoft announced some <a href="https://www.neowin.net/news/microsoft-ditches-passwords-by-default-for-new-accounts/" rel="external nofollow">changes to the passwordless experience</a> in Microsoft Accounts, in <a href="https://support.microsoft.com/en-gb/account-billing/changes-to-microsoft-authenticator-autofill-09fd75df-dc04-4477-9619-811510805ab6" rel="external nofollow">a support document</a> on the official website.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-is-killing-its-password-manager-in-authenticator-to-make-everyone-use-edge/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">29008</guid><pubDate>Sat, 03 May 2025 21:54:05 +0000</pubDate></item></channel></rss>
