<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/31/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Researchers say new attack could take down the European power grid</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-say-new-attack-could-take-down-the-european-power-grid-r27557/</link><description><![CDATA[<h3>
	Power grid in Central Europe uses unencrypted radio signals to add and shed loads.
</h3>

<p>
	Late last month, researchers revealed a finding that’s likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent.
</p>

<p>
	Fabian Bräunlein and Luca Melette stumbled on their discovery largely by accident while working on what they thought would be a much different sort of hacking project. After observing a radio receiver on the streetlight poles throughout Berlin, they got to wondering: Would it be possible for someone with a central transmitter to control them en masse, and if so, could they create a city-wide light installation along the lines of <a href="http://blinkenlights.net/" rel="external nofollow">Project Blinkenlights</a>?
</p>

<figure class="ars-wp-img-shortcode id-2071738 align-fullwidth">
	<div>
		<img alt="project-blinkenlights-throughout-the-yea" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/project-blinkenlights-throughout-the-years-1024x317.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Images showing Project Blinkenlights throughout the years. </em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Positive Security </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	The first Project Blinkenlights iteration occurred in 2001 in Berlin, when the lights inside a large building were synchronized to turn on and off to give the appearance of a giant, low-resolution monochrome computer screen.
</p>

<h2>
	Hijacking 60GW of power
</h2>

<p>
	The researchers, who presented their work last month at the <a href="https://events.ccc.de/congress/2024/infos/index.html" rel="external nofollow">38th Chaos Communication Congress</a> in Hamburg, Germany, wondered if they could control streetlights in Berlin to create a city-wide version, though they acknowledged it would likely be viewable only from high altitudes. They didn't know then, but their project was about to undergo a major transformation.
</p>

<p>
	After an extensive and painstaking reverse-engineering process that took about a year, Bräunlein and Melette learned that they could indeed control the streetlights simply by replaying legitimate messages they observed being sent over the air previously. They then learned something more surprising—the very same system for controlling Berlin’s lights was used throughout Central Europe to control other regional infrastructure, including switches that regulate the amount of power renewable electric generation facilities feed into the grid.
</p>

<p>
	Collectively, the facilities could generate as much as 40 gigawatts in Germany alone, the researchers estimate. In addition, they estimate that in Germany, 20 GW of loads such as heat pumps and wall boxes are controlled via those receivers. That adds up to 60 GW that might be controllable through radio signals anyone can send.
</p>

<p>
	“The fact that the same receivers that are installed in street lamps are also used for smaller solar power plants did not surprise us too much,” Bräunlein wrote in an interview. “When we understood just how much power is being controlled via this system, and it also being installed in the largest renewable power plants in Germany, that was more of a shock to us.”
</p>

<p>
	When Bräunlein and Melette realized how much power was controlled, they wondered how much damage might result from rogue messages sent simultaneously to multiple power facilities in strategically designed sequences and times of day. By their calculation, an optimally crafted series of messages sent under certain conditions would be enough to bring down the entire European grid. A grid security expert we contacted for this story doubts this assessment. More on this later.
</p>

<h2>
	Ripple effect
</h2>

<p>
	The continent-wide control system, formally known as Radio Ripple Control (<em>Funkrundsteuerung</em> in German), is derived from the older protocol <a href="https://de.wikipedia.org/wiki/Rundsteuertechnik" rel="external nofollow"><em>Rundsteuertechnik</em></a>, or Ripple Control. Implemented in the early 1900s, Ripple Control was made up of a series of decentralized tone (ripple) injectors at voltage conversion sites known as medium voltage transformers.
</p>

<p>
	Based on the commands in each telegram, the receivers would then instruct the connected devices to perform a specific action. As radio technology became more prevalent, the cost of sending telegrams over the wire, compared with sending them over the air, grew large enough to prompt the creation of Radio Ripple Control, which is the variant primarily in use today.
</p>

<p>
	Radio Ripple Control uses a frequency-modulation scheme known as <a href="https://en.wikipedia.org/wiki/Frequency-shift_keying" rel="external nofollow">frequency-shift keying</a> to send telegrams. The earliest modems used the same scheme, which relies on electromagnetic waves to represent digital information over an analog channel. More specifically, frequency-shift keying encodes information by periodically shifting the frequency of a carrier between several discrete frequencies.
</p>

<p>
	The company that oversees this service is Munich-based <a href="https://www.efr.de/en/" rel="external nofollow">EFR</a>. Today, it operates three high-power, low-frequency transmitting stations, two in Germany and one in Hungary.
</p>

<figure class="ars-wp-img-shortcode id-2071656 align-fullwidth">
	<div>
		<img alt="funkrundsteuerung-radio-ripple-control-1" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/funkrundsteuerung-radio-ripple-control-1024x576.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>A slide from the researchers' presentation showing a map with transmitter locations and bullet points.</em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Bräunlein and Melette </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	Anyone can listen to these signals using a <a href="https://en.wikipedia.org/wiki/Software-defined_radio" rel="external nofollow">software-defined radio</a> tuned to the frequency of a transmitter within range. A Netherlands-based SDR that can be accessed <a href="http://websdr.ewi.utwente.nl:8901/" rel="external nofollow">here</a> will receive the signal from the transmitter located in Burg, Germany, when the SDR is set to a frequency of 140 kHz and the modulation to LSB. The radio will sound a tone that is interrupted roughly every 10 seconds with encoded information.
</p>

<p>
	The Radio Ripple Control in use today sends signals not just for managing streetlights and grid allocations throughout Central Europe. It also controls various other functions, including those for delivering weather forecasts, synchronizing times, and controlling electricity pricing tariffs. Roughly 300 customers, most of them electric companies, use Radio Ripple Control for grid allocations from small- and medium-sized renewable facilities.
</p>

<p>
	These customers—known as EVUs, short for <em>Energieversorgungsunternehmen</em> (power supply company)—use either a Web or VPN desktop app to send one of the three transmitters instructions to either feed power into or ditch power from the grid. The transmitter, in turn, sends the instructions as a telegram to a radio receiver located at the power facility the EVU wants to control. When grid supply exceeds the amount of power needed at a given moment, the telegram instructs the facility to withhold electricity from the grid. When supply runs low, the telegram will instruct the facility to feed in energy.
</p>

<h2>
	No confidentiality, no authentication
</h2>

<p>
	These signals are neither encrypted nor authenticated, so they provide no confidentiality and no proof of origin. That means anyone can listen in, record them, and play them back over the same frequencies. People can go much further, as Bräunlein and Melette did, by learning to speak the same arcane language that Radio Ripple Control does.
</p>
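<p>
	To make that property concrete, here is an added, constructed example (not Versacom, Semagyr or iMSys, whose formats are not described on this page): a receiver that obeys any well-formed telegram for its address, beside one that checks an HMAC and a monotonically increasing counter. The telegram layout, the address 0x0042 and the key are invented for the illustration.
</p>

```python
import hmac
import struct

# Constructed telegram layout for this illustration only (not Versacom/Semagyr):
# big-endian 16-bit receiver address and 8-bit command; the authenticated variant
# adds a 32-bit monotonically increasing counter and a truncated HMAC-SHA256 tag.
PLAIN_FMT = ">HB"          # addr, cmd
AUTH_BODY_FMT = ">HBI"     # addr, cmd, counter
TAG_LEN = 8                # truncated tag length, a constructed choice
KEY = b"constructed-demo-key-not-a-real-secret"
ADDR_PV_PARK = 0x0042      # constructed address of one photovoltaic park's FRE
CMD_CURTAIL = 0            # withhold power from the grid
CMD_FEED_IN = 1            # feed power into the grid


def encode_plain(addr: int, cmd: int) -> bytes:
    """Telegram as the article describes today's scheme: content only."""
    return struct.pack(PLAIN_FMT, addr, cmd)


class PlainReceiver:
    """Models an FRE that obeys any well-formed telegram carrying its address."""

    def __init__(self, addr: int):
        self.addr = addr
        self.state = CMD_FEED_IN

    def receive(self, frame: bytes) -> bool:
        addr, cmd = struct.unpack(PLAIN_FMT, frame)
        if addr != self.addr:
            return False           # addressed to another receiver; ignore
        self.state = cmd
        return True                # accepted with no check of origin or freshness


def encode_auth(addr: int, cmd: int, counter: int, key: bytes = KEY) -> bytes:
    """Telegram with a replay counter bound into an integrity tag."""
    body = struct.pack(AUTH_BODY_FMT, addr, cmd, counter)
    return body + hmac.new(key, body, "sha256").digest()[:TAG_LEN]


class AuthReceiver:
    """Hardened FRE: verify the tag before looking at the counter (an unkeyed frame
    cannot disturb counter state), then require a counter strictly above the last
    accepted one (not +1, so missed broadcasts are tolerated)."""

    def __init__(self, addr: int, key: bytes = KEY):
        self.addr = addr
        self.key = key
        self.state = CMD_FEED_IN
        self.last_counter = -1
        self.rejections = []       # reasons, usable as a local detection log

    def receive(self, frame: bytes) -> bool:
        body_len = struct.calcsize(AUTH_BODY_FMT)
        if len(frame) != body_len + TAG_LEN:
            self.rejections.append("malformed")
            return False
        body, tag = frame[:body_len], frame[body_len:]
        addr, cmd, counter = struct.unpack(AUTH_BODY_FMT, body)
        if addr != self.addr:
            return False
        expected = hmac.new(self.key, body, "sha256").digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            self.rejections.append("bad_mac")
            return False
        if counter <= self.last_counter:
            self.rejections.append("replay")
            return False
        self.last_counter = counter
        self.state = cmd
        return True


def run_scenario() -> dict:
    """Legitimate curtail then feed-in, a replay of the recorded curtail telegram,
    and a frame assembled without the key.  Returns what each receiver did."""
    plain = PlainReceiver(ADDR_PV_PARK)
    auth = AuthReceiver(ADDR_PV_PARK)
    # 1. The legitimate transmitter curtails the park, then later restores feed-in.
    p_curtail = encode_plain(ADDR_PV_PARK, CMD_CURTAIL)
    a_curtail = encode_auth(ADDR_PV_PARK, CMD_CURTAIL, counter=100)
    plain.receive(p_curtail)
    auth.receive(a_curtail)
    plain.receive(encode_plain(ADDR_PV_PARK, CMD_FEED_IN))
    auth.receive(encode_auth(ADDR_PV_PARK, CMD_FEED_IN, counter=101))
    # 2. The recorded curtail telegram is played back unchanged.
    plain_replay = plain.receive(p_curtail)
    auth_replay = auth.receive(a_curtail)
    # 3. A frame built without the key: correct layout, all-zero tag.
    forged = struct.pack(AUTH_BODY_FMT, ADDR_PV_PARK, CMD_CURTAIL, 999) + bytes(TAG_LEN)
    auth_forgery = auth.receive(forged)
    return {
        "plain_replay_accepted": plain_replay,
        "plain_state": plain.state,
        "auth_replay_accepted": auth_replay,
        "auth_forgery_accepted": auth_forgery,
        "auth_state": auth.state,
        "auth_rejections": list(auth.rejections),
    }
```

<p>
	A single key shared by every receiver is itself a weakness in a broadcast system, since any one compromised device leaks it; per-receiver keys or public-key signatures would be needed in practice.
</p>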

<p>
	Among the first steps in the research duo's reverse engineering process was purchasing nine receivers—known as FREs in Radio Ripple Control parlance—from different manufacturers of the devices. The researchers then implemented an emulator of the real transmitter. To do that, they used an <a href="https://en.wikipedia.org/wiki/ESP32" rel="external nofollow">ESP microcontroller</a> outfitted with a waveform generator and, for an antenna, a coil from a wireless phone charger. They used capacitors to tune their emulator to the correct frequencies. With that, the researchers could now send and receive telegrams in their lab.
</p>

<figure class="ars-wp-img-shortcode id-2071752 align-fullwidth">
	<div>
		<img alt="receivers-and-transmitter-emulator-1024x" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/receivers-and-transmitter-emulator-1024x575.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Positive Security </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	Bräunlein and Melette eventually discovered that the message bits sent to the FREs are encoded using one of two protocols, Versacom and Semagyr. The bits are then modulated with frequency-shift keying to produce the radio signal carrying the telegrams.
</p>

<p>
	The Versacom and Semagyr protocols are partially documented in standards set by the <a href="https://www.din.de/en" rel="external nofollow">German Institute for Standardization</a> (DIN).
</p>

<p>
	The researchers wrote:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		We collected messages that are sent by the original transmitters and tried to correlate them with what we read in the standards. Some information, however, is not described in the standard (e.g., EVU addresses and addressing usage). We could fill those blanks through PDFs we found online as well as from the actual data we recorded.
	</p>

	<p>
		To understand Semagyr, we also used some hardware reverse engineering (identifying chips, tracing PCB lines, etc.) and found one of the software solutions that technicians use to parameterize the receivers during installation, which also had some advanced functionality to read its memory and decode raw telegram bytes to commands.
	</p>
</blockquote>

<p>
	The reverse engineering gave the researchers near-perfect fluency in speaking and understanding the Versacom and Semagyr languages. They put that fluency to use by sending telegrams that could indeed turn simulated streetlights in their lab on and off.
</p>

<p>
	More impressive still, they could use the language to send telegrams to FREs that control real electric systems in their lab, the same types that are connected to the real Radio Ripple Control system. The video below shows the researchers stopping a real 40 kWp photovoltaic system from feeding energy into the grid.
</p>

<div class="videostyle">
	<video controls="" preload="metadata" data-controller="core.global.core.embeddedvideo">
		<source type="video/mp4" src="https://content.positive.security/blinkencity/pv_switching.mp4">
	</video>
</div>

<p style="text-align: center;">
	<em>Photovoltaic system disconnect. </em>
</p>

<p>
	For convenience, they used a <a href="https://arstechnica.com/security/2024/02/canada-vows-to-ban-flipper-zero-device-in-crackdown-on-car-theft/" rel="external nofollow">Flipper Zero</a> device they had configured to send the proper telegram to the photovoltaic system. They did this after discovering that the Flipper Zero's <a href="https://en.wikipedia.org/wiki/Radio-frequency_identification" rel="external nofollow">RFID</a> reading mode could be used to send signals modulated with frequency-shift keying to receivers within a one-meter distance.
</p>

<figure class="ars-wp-img-shortcode id-2071728 align-fullwidth">
	<div>
		<img alt="flipper-zero-radio-ripple-control-1024x5" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/flipper-zero-radio-ripple-control-1024x579.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Positive Security </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	With confidence that an attacker could send unauthorized Radio Ripple Control telegrams that instructed real electrical systems connected to the grid, the researchers got to wondering: What's the maximum amount of damage a malicious actor—most likely one working for a nation-state—could inflict?
</p>

<p>
	The researchers surveyed the grid to measure the capacity of power that small- and medium-sized renewable facilities could feed into the grid. They arrived at the estimate of 40 GW. Combined with the 20 GW of load they theoretically can add, that amounted to an unbalanced capacity of 60 GW, enough to power roughly all of Germany. They posited that a sudden change that added or ditched that amount of electricity from the grid all at once could create enough instability to take it down entirely.
</p>

<h2>
	Like dominoes falling over
</h2>

<p>
	In a published summary of last month's presentation, the researchers explained their thinking behind the estimate:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		To understand, we need to look at the grid frequency. It’s <strong>50 hertz</strong>, and it should always stay there.
	</p>

	<ul role="list">
		<li>
			If it reaches <strong>50.2 hertz or more</strong>, interventions are triggered to reduce the supply. For example, using the technology we’re discussing today to turn off solar parks.
		</li>
		<li>
			If the frequency <strong>drops below 49.8 hertz</strong>, other interventions occur, such as activating energy reserves or disconnecting industries that have contractually agreed to this happening. Also, the first hardware fails as it <a href="https://www.kleinezeitung.at/wirtschaft/5925882/HardwareTeile-zerstoert_FastBlackout_Hoher-Schaden-am-Wiener" rel="external nofollow" target="_blank">happened at Vienna airport</a>.
		</li>
		<li>
			If the frequency reaches <strong>49 Hz or less</strong>, automated stepwise load shedding begins, up to 50% <strong>at 48.5 Hz</strong>. That might sound a bit technical and sober, but what it means for the European grid is over 200 million people without power.
		</li>
		<li>
			<strong>At 47.5 Hz</strong>, power plants disconnect from the grid to protect themselves from damage. At that point, the grid needs to be rebuilt from scratch.
		</li>
	</ul>

	<p>
		<strong>In theory, </strong>with a fully loaded grid at <strong>300 GW</strong>, creating a <strong>1 Hz change</strong> to reach this private load-shedding threshold requires an <strong>imbalance of 18 GW</strong>. However, such a large imbalance—though not even that massive compared to the 60 GW estimate—has never been seen.
	</p>

	<p>
		<strong>In practice, </strong>one of the most recent incidents was in 2021, when approximately <strong>3 GW</strong> of power were <a href="https://eepublicdownloads.entsoe.eu/clean-documents/news/2022/220318_Final_report_Rogowiec_incident.pdf" rel="external nofollow" target="_blank">unexpectedly lost in Poland</a>, causing the grid frequency to <strong>drop by 0.16 hertz</strong>. What this demonstrates is that the grid hasn’t yet faced such a significant imbalance.
	</p>

	<p>
		But if we start talking about imbalances of 18 GW, or 60 GW, or even more when considering other countries, there’s an additional issue besides the theoretical effect on grid frequency. That issue is <strong>power transfer</strong>.
	</p>

	<p>
		If a significant amount of power is missing in one region, it must be transferred there over power lines that could become overloaded. These lines might then shut off to prevent damage, which could overload other lines, causing them to shut off too.
	</p>

	<p>
		Such a domino effect—or <strong>cascade</strong>—<a href="https://de.wikipedia.org/wiki/Stromausfall_in_Europa_im_November_2006" rel="external nofollow" target="_blank">happened in 2006</a>, when a power line was shut off to accommodate a cruise ship transport. The planning wasn’t thorough, and a cascade of failures followed. So, the theoretical limits of the grid don’t fully capture the potential for much larger disruptions.
	</p>

	<p>
		Taking all of that into account, it’s clear there is enough power under radio control to cause serious trouble.
	</p>
</blockquote>
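<p>
	The following is an added quasi-static model of the thresholds quoted above, built only from the figures in the quote; it is an illustration, not the researchers' code or model. It assumes the 18 GW per Hz sensitivity at a 300 GW load and a load-shedding ramp that is linear from 0% at 49.0 Hz to 50% of load at 48.5 Hz, and it ignores inertia and relay timing, which is exactly the part the grid experts later dispute.
</p>

```python
# Quasi-static frequency-response model built only from the figures quoted above.
# Assumptions (not from the researchers): the presentation's linear 18 GW per Hz
# sensitivity at a 300 GW load, and a load-shedding ramp that is linear from 0 %
# at 49.0 Hz to 50 % of load at 48.5 Hz.  Inertia and relay delays are ignored.

NOMINAL_HZ = 50.0
GRID_LOAD_GW = 300.0      # "fully loaded grid at 300 GW"
GW_PER_HZ = 18.0          # "a 1 Hz change ... requires an imbalance of 18 GW"
OVERFREQ_HZ = 50.2        # supply reduction, e.g. solar parks switched off
UNDERFREQ_HZ = 49.8       # reserves activated, contractual disconnects
SHED_START_HZ = 49.0      # automated stepwise load shedding begins
SHED_FULL_HZ = 48.5       # "up to 50 % at 48.5 Hz"
SHED_MAX_FRACTION = 0.5
PLANT_TRIP_HZ = 47.5      # power plants disconnect to protect themselves


def frequency_without_shedding(deficit_gw: float) -> float:
    """Frequency implied by a generation deficit (positive) or surplus (negative)
    before any under-frequency relay has acted: the instantaneous excursion."""
    return NOMINAL_HZ - deficit_gw / GW_PER_HZ


def shed_load_gw(freq_hz: float) -> float:
    """Load the relays have removed at a given frequency (linear ramp, capped)."""
    if freq_hz >= SHED_START_HZ:
        return 0.0
    ramp = (SHED_START_HZ - freq_hz) / (SHED_START_HZ - SHED_FULL_HZ)
    return min(ramp, 1.0) * SHED_MAX_FRACTION * GRID_LOAD_GW


def settled_frequency(deficit_gw: float) -> float:
    """Frequency at which the deficit remaining after shedding equals the imbalance
    the frequency deviation represents.  The residual is monotone in f, so
    bisection on [40 Hz, 50 Hz] finds the unique crossing."""
    if deficit_gw <= 0:
        return frequency_without_shedding(deficit_gw)   # shedding only acts on deficits

    def residual(f: float) -> float:
        return (deficit_gw - shed_load_gw(f)) - GW_PER_HZ * (NOMINAL_HZ - f)

    lo, hi = 40.0, NOMINAL_HZ
    for _ in range(100):
        mid = (lo + hi) / 2
        if residual(mid) > 0:
            hi = mid          # deficit still exceeds what mid represents: go lower
        else:
            lo = mid
    return (lo + hi) / 2


def stage(freq_hz: float) -> str:
    """Intervention band the quoted thresholds put a frequency in."""
    if freq_hz >= OVERFREQ_HZ:
        return "over-frequency: supply reduction (e.g. solar parks switched off)"
    if freq_hz >= UNDERFREQ_HZ:
        return "normal band"
    if freq_hz > SHED_START_HZ:
        return "under-frequency: reserves and contractual disconnects"
    if freq_hz > PLANT_TRIP_HZ:
        return "automated load shedding"
    return "power plants disconnect: grid must be rebuilt from scratch"


def scenario(deficit_gw: float) -> dict:
    """Instantaneous vs. settled view of one sudden imbalance."""
    instant = frequency_without_shedding(deficit_gw)
    settled = settled_frequency(deficit_gw)
    return {
        "deficit_gw": deficit_gw,
        "instant_hz": round(instant, 3),
        "instant_stage": stage(instant),
        "settled_hz": round(settled, 3),
        "settled_stage": stage(settled),
        "shed_gw": round(shed_load_gw(settled), 1),
    }


if __name__ == "__main__":
    # 2021 Poland loss, the quoted 1 Hz case, the 60 GW estimate, and a surplus
    for gw in (3.0, 18.0, 60.0, -4.0):
        print(scenario(gw))
```

<p>
	For the 60 GW case the instantaneous excursion crosses the 47.5 Hz trip threshold while the settled value lands inside the shedding band, which is precisely the gap between the researchers' reading and the experts' objection about relay speed.
</p>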

<figure class="ars-wp-img-shortcode id-2071729 align-fullwidth">
	<div>
		<img alt="multiple-deployment-strategies-1024x577." class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/multiple-deployment-strategies-1024x577.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Diagram showing strategies for creating a network of renewable energy sources.</em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Positive Security </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<h2>
	Send malicious telegrams to select FREs
</h2>

<p>
	There are enough obstacles to make triggering such a catastrophic disruption challenging at best (Bräunlein's and Melette's assessment) or doubtful to unlikely (the assessment of an outside grid expert). The researchers noted three key requirements for such an attack.
</p>

<p>
	First, the attack must control a sufficient number of gigawatts (the figure rests on the researchers' calculations; no one really knows how many). Second, it must overpower the legitimate signals sent by the three EFR transmitting facilities. And third, it must occur at an optimal time.
</p>

<figure class="ars-wp-img-shortcode id-2071730 align-fullwidth">
	<div>
		<img alt="conditions-for-grid-instability-1024x578" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/conditions-for-grid-instability-1024x578.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Diagram illustrating conditions required to create serious instability in the grid.</em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Positive Security </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	The easiest way to trigger such a catastrophic disruption would be to take over the three EFR transmitters. One possible way for such a compromise is to hack into EFR's network remotely by, for instance, targeting vulnerabilities in the apps the EVUs use. Another is through a physical intrusion of each facility simultaneously. The researchers said that based on their observations, the transmitting facilities aren't particularly well-fortified against physical intrusions.
</p>

<figure class="ars-wp-img-shortcode id-2071732 align-fullwidth">
	<div>
		<img alt="efr-compromise-tactics-1024x575.jpg" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/efr-compromise-tactics-1024x575.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Positive Security </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	In either scenario, the threat actor would then use the hijacked EFR transmitters to send malicious telegrams to carefully selected power generators.
</p>

<p>
	Another attack avenue would be to create rogue transmitters that would broadcast malicious telegrams. To override the legitimate telegrams sent by the EFR transmitters, rogue transmitters would have to be present in carefully selected locations so they could (1) reach the correct FREs and (2) overpower the legitimate signals.
</p>

<p>
	The researchers estimated the required effort by calculating and simulating transmitters with 10 kW of power and antennas approximately 500 meters long. To meet those requirements, they proposed building an amplifier powered by portable battery systems. An antenna 500 meters high could be erected in several scenarios.
</p>

<figure class="ars-wp-img-shortcode id-2071774 align-fullwidth">
	<div>
		<img alt="decentralized-transmitter-tactics-1024x5" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/decentralized-transmitter-tactics-1024x571.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Positive Security </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	The most plausible scenario for such a transmitter is tethering a strong wire to a kite or weather balloon. Radio amateurs have used such techniques for years to build antennas as high as 1 kilometer, so the researchers built a kite prototype. To comply with local laws, they limited their kite to a 100 m line length and radiated less than 1 watt of power on the 2.2 km amateur radio band.
</p>

<div class="videostyle">
	<video controls="" preload="metadata" data-controller="core.global.core.embeddedvideo">
		<source type="video/mp4" src="https://cdn.prod.website-files.com/5f6498c074436c50c016e745%2F6776f21d1888593b9b3a1ca3_field_test_720p.mp4">
	</video>
</div>

<p style="text-align: center;">
	<em>Kite antenna field test. </em>
</p>

<h2>
	Weebles don't fall down
</h2>

<p>
	The attack and the research behind it are elegant, but the grid security experts I talked to said they're doubtful it's possible to carry it out in the real world the way it's envisioned. And even if it is, they question whether the 60 GW estimate is accurate. <a href="https://www.iaew.rwth-aachen.de/cms/iaew/das-institut/team/uebertragungsnetze-und-energiewirtschaft/~eyhqb/albert-moser/?lidx=1" rel="external nofollow">Albert Moser</a>, an RWTH Aachen professor with expertise in power grids, said both assumptions are very possibly not true.
</p>

<p>
	"A sudden deficit of 60 GW will definitely lead to a brownout because 60 GW is far more than [the] reserves available," he wrote in an email. "A sudden deficit of 60 GW could even lead to a blackout due to the very steep fall of frequency that likely cannot be handled fast enough by underfrequency relays (load shedding)."
</p>

<p>
	He said he's unable to confirm that 60 GW of generation/load is controlled by radio signals. He was also unable to confirm that security measures for Radio Ripple Control are insufficient.
</p>

<p>
	Jan Hoff, a grid security expert with experience securing the European grid against malicious hacks, said he doubted that much electricity could be dropped quickly enough to cause even a brownout. He likened the grid to the roly-poly toys from the 1970s, which were built to be knocked around but not fall over. "That's a very good analogy for a grid," he said.
</p>

<p>
	The attacks Russian state-backed hackers used to cause blackouts in Ukraine in 2015 and again in 2016 targeted substations, the distributed facilities where many power lines come together and switching takes place.
</p>

<p>
	He elaborated:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Here, we're talking the potential to impact participants on the grid and not necessarily those interconnects. So we just have control over individual feed-in points, which just from the timing you have to get right with the amount of production you have in the grid and the amount of current load you need for the grid to be destabilized by simultaneously sending control messages to every single station. That's where I do understand [the researchers'] train of thought, and that's why it's still concerning. But it would be something different if those messages would be affecting substations directly.
	</p>

	<p>
		The immediate effect would be for the grid operators to see anomalies feed in and would see this equilibrium of load and generation shift in a way that they weren't anticipating. Then they would take their measures accordingly. So it would result in additional grid control actions. And those grid control actions are normal. They are a day-to-day thing.
	</p>
</blockquote>

<p>
	The ability of the described attack to take down the Central European grid is very much contested. There's less debate that it's time to retire Radio Ripple Control and replace it with something that's harder to tamper with.
</p>

<h2>
	iMSys to the rescue
</h2>

<p>
	One possible replacement would be <a href="https://imsys.com.co/" rel="external nofollow">iMSys</a>, short for Intelligentes Messsystem. It currently uses LTE (Long Term Evolution), the same wireless transmission standard that carries traffic over 4G mobile networks, and LTE uses encryption to provide confidentiality and antispoofing protection. LTE isn't impervious to hacks (see <a href="https://arstechnica.com/information-technology/2020/08/your-mobile-calls-may-be-vulnerable-to-a-new-revolting-eavesdrop-attack/" rel="external nofollow">here</a>, <a href="https://arstechnica.com/information-technology/2018/06/lte-wireless-connections-used-by-billions-arent-as-secure-as-we-thought/" rel="external nofollow">here</a>, and <a href="https://arstechnica.com/information-technology/2015/10/low-cost-imsi-catcher-for-4glte-networks-track-phones-precise-locations/" rel="external nofollow">here</a>). However, it has a robust security architecture that would add a significant layer of protection that is not possible with Radio Ripple Control.
</p>

<p>
	iMSys is currently used mostly for smart meters. Regulators are considering plans to run iMSys on a completely independent 450 MHz LTE infrastructure that's reserved exclusively for critical infrastructure. The researchers say that, unfortunately, the roadmap for rolling out this plan is slow and doesn't adequately prioritize securing the most vulnerable parts of the grid.
</p>

<figure class="ars-wp-img-shortcode id-2071786 align-fullwidth">
	<div>
		<img alt="imsys-rollout-roadmap-1024x598.jpg" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/imsys-rollout-roadmap-1024x598.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: Positive Security </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	Further underscoring the lack of urgency in moving away from Radio Ripple Control, the researchers said, the city of Hamburg recently updated its infrastructure to adopt that very standard.
</p>

<p>
	Neither EFR nor Germany's Federal Office for Information Security responded to requests for comment.
</p>

<p>
	Ultimately, the debate over the ability of malicious hackers to trigger a continent-wide blackout is moot and a distraction from the issue that really matters. The use of unencrypted radio signals that anyone can send to control power sent from generating facilities to the grid is never a sound practice and greatly violates a defense-in-depth approach to securing critical infrastructure.
</p>

<p>
	<a href="https://arstechnica.com/security/2025/01/could-hackers-use-new-attack-to-take-down-european-power-grid/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27557</guid><pubDate>Thu, 23 Jan 2025 18:30:48 +0000</pubDate></item><item><title>The Internet is (once again) awash with IoT botnets delivering record DDoSes</title><link>https://nsaneforums.com/news/security-privacy-news/the-internet-is-once-again-awash-with-iot-botnets-delivering-record-ddoses-r27536/</link><description><![CDATA[<h3>
	Bigger, badder DDoSes are flooding the Internet. Dismal IoT security is largely to blame.
</h3>

<p>
	We’re only three weeks into 2025, and it’s already shaping up to be the year of Internet of Things-driven DDoSes. Reports are rolling in of threat actors infecting thousands of home and office routers, web cameras, and other Internet-connected devices.
</p>


<p>
	Here is a sampling of research released since the first of the year.
</p>

<h2>
	Lax security, ample bandwidth
</h2>

<p>
	A <a href="https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/" rel="external nofollow">post</a> on Tuesday from content-delivery network Cloudflare reported on a recent distributed denial-of-service attack that delivered 5.6 terabits per second of junk traffic—a new record for the largest DDoS ever reported. The deluge, directed at an unnamed Cloudflare customer, came from 13,000 IoT devices infected by a variant of Mirai, a potent piece of malware with a <a href="https://arstechnica.com/information-technology/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/" rel="external nofollow">long history</a> of delivering massive DDoSes of once-unimaginable sizes.
</p>


<p>
	The same day, security company Qualys published <a href="https://blog.qualys.com/vulnerabilities-threat-research/2025/01/21/mass-campaign-of-murdoc-botnet-mirai-a-new-variant-of-corona-mirai" rel="external nofollow">research</a> detailing a "large-scale, ongoing operation" dubbed the Murdoc Botnet. It exploits vulnerabilities to install a Mirai variant, primarily on AVTECH Cameras and Huawei HG532 routers. Late Tuesday afternoon, searches like <a href="https://en.fofa.info/result?qbase64=Ym9keT0ibXVyZG9jX2JvdG5ldCI%3D" rel="external nofollow">this one</a> indicated devices on more than 1,500 IP addresses were compromised, up from a figure of 1,300 reported a few hours earlier by Qualys. These devices are also waging DDoSes. It’s unknown if Cloudflare and Qualys are reporting on the same botnet.
</p>


<p>
	Last week, security company Trend Micro <a href="https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html" rel="external nofollow">said</a> it also found an IoT botnet. The botnet, which is driven by variants of Mirai and a similar malware family known as Bashlite, has been delivering large-scale DDoSes since the end of last year, primarily to targets in Japan.
</p>


<p>
	A <a href="https://blogs.infoblox.com/threat-intelligence/one-mikro-typo-how-a-simple-dns-misconfiguration-enables-malware-delivery-by-a-russian-botnet/" rel="external nofollow">report</a> early last week from security firm Infoblox revealed a botnet comprising 13,000 devices—mostly routers manufactured by MikroTik—that researchers likened to “a large cannon, poised and ready to unleash a barrage of malicious activities.” The primary activity Infoblox has observed from this botnet is a flood of malicious spam emails that attempt to trick recipients into executing malicious file attachments.
</p>


<p>
	On January 7, researchers at China-based security firm Xlab <a href="https://blog.xlab.qianxin.com/gayfemboy-en/" rel="external nofollow">said</a> they've been tracking an IoT botnet since last February. The botnet, named with an offensive term, was mostly unremarkable until later in the year when it began targeting zero-day and recently fixed n-day vulnerabilities to infect more devices. By November, it began exploiting a <a href="https://vulncheck.com/blog/four-faith-cve-2024-12856?ref=blog.xlab.qianxin.com" rel="external nofollow">zero-day</a> in industrial routers sold by Four-Faith and unknown vulnerabilities in routers sold by Neterbit and in smart home devices from Vimar. The botnet comprises on average 15,000 compromised devices, mostly located in China, the United States, Iran, Russia, and Turkey. Threat actors are using it to wage DDoSes.
</p>


<p>
	IoT devices are an ideal DDoS tool from the standpoint of an attacker. They typically ship running a version of Linux that is missing months, if not years, of security updates; infections are difficult to detect; and the devices often have lots of available bandwidth. In 2016—when IoT botnets were a new phenomenon—they were observed delivering DDoSes as high as 1Tbps, a <a href="https://arstechnica.com/information-technology/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/" rel="external nofollow">once-unimaginable size</a>. Cloudflare’s revelation on Tuesday that it observed and blocked an IoT botnet delivering a DDoS more than five times bigger indicates that these attacks continue to grow more potent.
</p>


<p>
	A Cloudflare spokesperson said in an email that the attack was delivered not just by IoT devices but also virtual machines hosted inside cloud environments. The hybrid approach may be one example of the growing evolution of botnets in the race to create larger DDoSes.
</p>


<p>
	The most effective way to protect IoT devices from compromise is to replace all default passwords with long, randomly generated ones that are unique to each device. Turning off remote management is also a good move when possible. And as always, installing security updates promptly is a must.
</p>


<p>
	<a href="https://arstechnica.com/security/2025/01/the-internet-is-once-again-awash-with-iot-botnets-delivering-record-ddoses/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27536</guid><pubDate>Wed, 22 Jan 2025 16:36:19 +0000</pubDate></item><item><title>7-Zip fixes bug that bypasses Windows MoTW security warnings, patch now</title><link>https://nsaneforums.com/news/security-privacy-news/7-zip-fixes-bug-that-bypasses-windows-motw-security-warnings-patch-now-r27525/</link><description><![CDATA[<p>
	A high-severity vulnerability in the 7-Zip file archiver allows attackers to bypass the Mark of the Web (MotW) Windows security feature and execute code on users' computers when extracting malicious files from nested archives.
</p>


<p>
	7-Zip added support for MotW in <a href="https://www.bleepingcomputer.com/news/microsoft/7-zip-now-supports-windows-mark-of-the-web-security-feature/" rel="external nofollow" target="_blank">June 2022</a>, starting with version 22.00. Since then, it has automatically added MotW flags (special 'Zone.Identifier' alternate data streams) to all files extracted from downloaded archives.
</p>


<p>
	This flag informs the operating system, web browsers, and other applications that files may come from untrusted sources and should be treated with caution.
</p>


<p>
	As a result, when double-clicking risky files extracted using 7-Zip, users will be warned that opening or running such files could lead to potentially dangerous behavior, including installing malware on their devices.
</p>


<p>
	Microsoft Office will also check for the MotW flags, and if found, it will open documents in <a href="https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653" rel="external nofollow" target="_blank">Protected View</a>, which automatically enables read-only mode and disables all macros.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Launching a downloaded executable with a MoTW flag" class="ipsImage" height="284" width="720" src="https://www.bleepstatic.com/images/news/software/7/7-zip/motw/windows-motw-download-warning.jpg">
		<figcaption>
			<p>
				<em>Launching a downloaded executable with a MoTW flag </em>
			</p>

			<p>
				<em>(BleepingComputer)</em>
			</p>
		</figcaption>
	</figure>
</div>

<p>
	However, as Trend Micro explained in an <a href="https://www.zerodayinitiative.com/advisories/ZDI-25-045/" rel="external nofollow" target="_blank">advisory</a> published over the weekend, a security flaw tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2025-0411" rel="external nofollow" target="_blank">CVE-2025-0411</a> can let attackers bypass these security warnings and execute malicious code on their targets' PCs.
</p>


<p>
	"This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file," Trend Micro says.
</p>


<p>
	"The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user."
</p>


<p>
	Luckily, 7-Zip developer Igor Pavlov has already patched this vulnerability <a href="https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/" rel="external nofollow" target="_blank">on November 30, 2024</a>, with the release of 7-Zip 24.09.
</p>


<p>
	"7-Zip File Manager didn't propagate Zone.Identifier stream for extracted files from nested archives (if there is open archive inside another open archive)," Pavlov <a href="https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/#cf26" rel="external nofollow" target="_blank">said</a>.
</p>

<h2>
	Similar flaws exploited to deploy malware
</h2>

<p>
	However, since 7-Zip doesn't have an auto-update feature, many users are likely still running a vulnerable version that threat actors could exploit to infect them with malware.
</p>


<p>
	All 7-Zip users should patch their installs as soon as possible, considering that such vulnerabilities are often exploited in malware attacks.
</p>


<p>
	For instance, in June, Microsoft <a href="https://www.bleepingcomputer.com/news/microsoft/new-windows-smartscreen-bypass-exploited-as-zero-day-since-march/" rel="external nofollow" target="_blank">addressed a Mark of the Web security bypass vulnerability</a> (CVE-2024-38213) that <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/" rel="external nofollow" target="_blank">DarkGate malware operators have exploited in the wild</a> as a zero-day since March 2024 to circumvent SmartScreen protection and install malware camouflaged as installers for Apple iTunes, NVIDIA, Notion, and other legitimate software.
</p>


<p>
	The financially motivated Water Hydra (aka DarkCasino) hacking group has also exploited another MotW bypass (CVE-2024-21412) in attacks targeting stock trading Telegram channels and forex trading forums with <a href="https://www.bleepingcomputer.com/news/security/hackers-used-new-windows-defender-zero-day-to-drop-darkme-malware/" rel="external nofollow" target="_blank">the DarkMe remote access trojan (RAT)</a>.
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/7-zip-fixes-bug-that-bypasses-the-windows-motw-security-mechanism-patch-now/" rel="external nofollow">Source</a>
</p>


]]></description><guid isPermaLink="false">27525</guid><pubDate>Wed, 22 Jan 2025 03:19:40 +0000</pubDate></item><item><title>Cloudflare mitigated a record-breaking 5.6 Tbps DDoS attack</title><link>https://nsaneforums.com/news/security-privacy-news/cloudflare-mitigated-a-record-breaking-56-tbps-ddos-attack-r27524/</link><description><![CDATA[<p>
	The largest distributed denial-of-service (DDoS) attack to date peaked at 5.6 terabits per second and came from a Mirai-based botnet with 13,000 compromised devices.
</p>


<p>
	The UDP-based attack occurred last year on October 29 and targeted an internet service provider (ISP) in Eastern Asia in an attempt to bring its services offline.
</p>


<p>
	Security and connectivity services provider Cloudflare says that the assault lasted 80 seconds but had no impact on the target and generated no alerts, because its detection and mitigation were completely autonomous.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Contribution of each IP in the attack" class="ipsImage" height="233" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/January/record.jpg">
		<figcaption>
			<em>Contribution of each IP address in the DDoS attack<br>
			Source: Cloudflare</em>
		</figcaption>
	</figure>
</div>

<p>
	An earlier DDoS attack that Cloudflare reported in early October 2024 <a href="https://www.bleepingcomputer.com/news/security/cloudflare-blocks-largest-recorded-ddos-attack-peaking-at-38tbps/" rel="external nofollow" target="_blank">peaked at 3.8 Tbps</a>, lasted for 65 seconds, and previously held the record for the largest volumetric assault.
</p>

<h2>
	Hyper-volumetric attacks on the rise
</h2>

<p>
	Hyper-volumetric DDoS attacks have become more frequent, a trend that became noticeable in the third quarter of 2024, according to Cloudflare. In the fourth quarter of the year, attacks started to exceed 1 Tbps, with quarter-over-quarter growth of 1,885%.
</p>


<p>
	Attacks that exceeded 100 million packets per second (pps) also increased by 175%, with a notable 16% of them also going over 1 billion pps.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Overview of DDoS attack numbers in Q4 '24" class="ipsImage" height="289" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/January/overview(1).jpg">
		<figcaption>
			<em>Overview of DDoS attack numbers in Q4 '24<br>
			Source: Cloudflare</em>
		</figcaption>
	</figure>
</div>

<p>
	Hyper-volumetric HTTP DDoS attacks accounted for only 3% of the total recorded, while 63% of the rest were small attacks that did not exceed 50,000 requests per second (rps).
</p>


<p>
	The stats are similar for network-layer (Layer 3/Layer 4) DDoS attacks, where 93% did not exceed 500 Mbps and 87% stayed below 50,000 pps.
</p>

<h2>
	Blitz DDoS attacks
</h2>

<p>
	Cloudflare <a href="http://blog.cloudflare.com/ddos-threat-report-for-2024-q4/" rel="external nofollow" target="_blank">warns</a> that DDoS attacks are becoming increasingly short-lived, to a point that it is impractical for a human to respond, analyze the traffic, and apply mitigations.
</p>


<p>
	Roughly 72% of HTTP and 91% of network-layer DDoS attacks ended in less than 10 minutes. At the other end of the spectrum, only 22% of HTTP and 2% of network-layer DDoS attacks lasted for more than an hour.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Duration of DDoS attacks in Q4 24'" class="ipsImage" height="484" style="height: auto;" width="1100" src="https://www.bleepstatic.com/images/news/u/1220909/2025/January/dur.jpg">
		<figcaption>
			<em>Duration of DDoS attacks in Q4 '24<br>
			Source: Cloudflare</em>
		</figcaption>
	</figure>
</div>

<p>
	The internet security firm says these short bursts of overwhelming traffic usually occur during peak usage periods, such as holidays and sales events, for maximum impact.
</p>


<p>
	This sets the stage for ransom DDoS attacks, which also saw a notable 78% increase QoQ and 25% growth YoY, peaking in Q4 and the Christmas holiday season.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Cloudflare clients targeted by ransom DDoS actors" class="ipsImage" height="489" style="height: auto;" width="1100" src="https://www.bleepstatic.com/images/news/u/1220909/2025/January/ransom.jpg">
		<figcaption>
			<em>Cloudflare clients targeted by ransom DDoS actors<br>
			Source: Cloudflare</em>
		</figcaption>
	</figure>
</div>

<p>
	“The short duration of attacks emphasizes the need for an in-line, always-on, automated DDoS protection service,” Cloudflare <a href="https://blog.cloudflare.com/ddos-threat-report-for-2024-q4/" rel="external nofollow" target="_blank">says</a>.
</p>


<p>
	The company says that the most attacked targets in the last quarter of 2024 were in China, the Philippines, and Taiwan, followed by Hong Kong and Germany.
</p>


<p>
	Cloudflare's telemetry data shows that most of the targets were in the telecommunications, service provider and carrier industry, followed by the internet sector and marketing and advertising.
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/cloudflare-mitigated-a-record-breaking-56-tbps-ddos-attack/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27524</guid><pubDate>Wed, 22 Jan 2025 03:17:09 +0000</pubDate></item><item><title>Microsoft blocks critical Secure Boot loophole after over 7 months &#x2014; fortifying Windows 11 against sophisticated firmware attacks camouflaged as verified UEFI apps</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-blocks-critical-secure-boot-loophole-after-over-7-months-%E2%80%94-fortifying-windows-11-against-sophisticated-firmware-attacks-camouflaged-as-verified-uefi-apps-r27470/</link><description><![CDATA[<h3>
	Microsoft closes Secure Boot loophole, securing Windows from firmware attacks.
</h3>

<p>
	Microsoft has intensified its Windows 11 campaign by using aggressive tactics, including <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/microsoft-pressures-windows-10-users-with-full-screen-multipage-pop-up-ads-urging-them-to-upgrade" href="https://www.windowscentral.com/software-apps/windows-11/microsoft-pressures-windows-10-users-with-full-screen-multipage-pop-up-ads-urging-them-to-upgrade" rel="external nofollow">full-screen multipage popup ads</a>, to urge Windows 10 users to upgrade before the operating system's imminent death, slated for October 14, 2025. However, Windows 10 continues to dominate the market share with a staggering 62.73%, per <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://gs.statcounter.com/os-version-market-share/windows/desktop/worldwide" href="https://gs.statcounter.com/os-version-market-share/windows/desktop/worldwide" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">StatCounter's December 2024 report</a>.
</p>


<p>
	User reluctance to upgrade to Windows 11 can partly be attributed to <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/windows-11-system-requirements" href="https://www.windowscentral.com/windows-11-system-requirements" rel="external nofollow">Microsoft's stringent operating system requirements</a>, which make the operating system inaccessible on unsupported hardware that lacks features such as Secure Boot and a TPM.
</p>


<p>
	While these security features are designed to keep the operating system secure, a vulnerability (CVE-2024-7344) has been accessible to bad actors for over seven months, making Windows 11 susceptible to malicious attacks. However, <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-7344" href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-7344" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Microsoft finally patched the security threat</a> earlier this week.
</p>


<p>
	For context, the vulnerability allowed hackers to gain unauthorized access to a device and run malicious attacks during the bootup process. As you may know, Secure Boot is one of the stringent system requirements for running Windows 11. The security feature prevents malicious firmware from running when a device is booting.
</p>


<p>
	Hackers often deploy attacks before a device has fully started because it lets them hide their code before Windows loads, making it difficult to detect. Moreover, it makes the malware less susceptible to the defense mechanisms that ship with the operating system.
</p>

<h2 id="uefi-security-win-some-lose-some-3">
	UEFI security: Win some, lose some
</h2>

<p>
	As highlighted by <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://arstechnica.com/security/2025/01/microsoft-patches-windows-to-eliminate-secure-boot-bypass-threat/" href="https://arstechnica.com/security/2025/01/microsoft-patches-windows-to-eliminate-secure-boot-bypass-threat/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">ArsTechnica</a>, Martin Smolár, a security researcher at ESET, made a shocking discovery last year. The researcher noticed that a digitally signed app had slipped through <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://techcommunity.microsoft.com/blog/hardwaredevcenter/updated-uefi-signing-requirements/1062916" href="https://techcommunity.microsoft.com/blog/hardwaredevcenter/updated-uefi-signing-requirements/1062916" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Microsoft's strict manual review process for third-party UEFI apps</a>. For context, Smolár reached this conclusion after finding that SysReturn, real-time system recovery software from Howyar Technologies, had passed through that process. He further disclosed that the software relied on a signed UEFI application called reloader.efi, which loaded an XOR-encoded binary.
</p>


<div id="slice-container-newsletterForm-articleInbodyContent-aRx3fgevwRfzVMhFCY5Khm">
	<div data-hydrate="true">
		<p>
			Microsoft's review expects signed UEFI applications to load further binaries through the firmware's LoadImage and StartImage services, which enforce the Secure Boot checks. reloader.efi instead used a custom Portable Executable (PE) loader, which skipped those checks and slipped past Microsoft's review. Perhaps more concerning, reloader.efi wasn't unique to Howyar Technologies' system recovery software; it also appeared in apps from six other suppliers:
		</p>


		<ul>
			<li>
				Howyar SysReturn before version 10.2.023_20240919
			</li>
			<li>
				Greenware GreenGuard before version 10.2.023-20240927
			</li>
			<li>
				Radix SmartRecovery before version 11.2.023-20240927
			</li>
			<li>
				Sanfong EZ-back System before version 10.3.024-20241127
			</li>
			<li>
				WASAY eRecoveryRX before version 8.4.022-20241127
			</li>
			<li>
				CES NeoImpact before version 10.1.024-20241127
			</li>
			<li>
				SignalComputer HDD King before version 10.3.021-20241127
			</li>
		</ul>


		<p>
			Although Microsoft has since patched the vulnerability, the exposure was not limited to devices that had the affected recovery software installed. An attacker who already held administrator privileges on a Windows PC could deploy the signed, vulnerable binary themselves, and because the operating system trusted its digital signature, use it to run malicious code during the boot process.
		</p>


		<p>
			<a href="https://www.windowscentral.com/software-apps/windows-11/microsoft-blocks-critical-secure-boot-loophole-after-over-7-months" rel="external nofollow">Source</a>
		</p>

	</div>
</div>
]]></description><guid isPermaLink="false">27470</guid><pubDate>Sat, 18 Jan 2025 02:26:03 +0000</pubDate></item><item><title>How to manage personal info saved on Microsoft Edge</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-manage-personal-info-saved-on-microsoft-edge-r27461/</link><description><![CDATA[<h3>
	If your browser is suggesting inaccurate personal info, or you don't want to use this feature, here's how to control it.
</h3>

<p>
	On <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/tag/microsoft-edge" data-before-rewrite-redirect="/microsoft-edge" data-hl-processed="none" data-url="https://www.windowscentral.com/tag/microsoft-edge" href="https://www.windowscentral.com/tag/microsoft-edge" rel="external nofollow">Microsoft Edge</a>, you can control the personal information that the browser uses to help you fill out forms online, and in this guide, I will explain how.
</p>


<p>
	Sometimes, when filling out an online form, you will notice that as you click a text field, the browser suggests the required information, such as your full name, address, phone number, or email. Usually, the browser learned this information from previous forms you have filled out.
</p>


<p>
	While autofill can expedite tasks like checkouts or account creations, you might consider managing the stored information to correct inaccuracies, add new details, or delete data for privacy reasons.
</p>


<p>
	In this <a data-analytics-id="inline-link" data-before-rewrite-localise="/how-to" data-hl-processed="none" data-url="https://www.windowscentral.com/how-to" href="https://www.windowscentral.com/how-to" rel="external nofollow">how-to guide</a>, I will explain how to manage the personal information available on Microsoft Edge for <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11" data-before-rewrite-redirect="/windows-11" data-hl-processed="none" data-url="https://www.windowscentral.com/software-apps/windows-11" href="https://www.windowscentral.com/software-apps/windows-11" rel="external nofollow">Windows 11</a> (or 10).
</p>

<h2 id="section-how-to-add-or-remove-personal-information-from-microsoft-edge">
	<span>How to add or remove personal information from Microsoft Edge</span>
</h2>

<p>
	On Microsoft Edge, you can review, add, edit, and remove the personal information the browser saves while interacting with different online services.
</p>

<h2 id="review-saved-personal-info-3">
	Review saved personal info
</h2>

<p>
	To review the addresses saved on the browser, use these steps:
</p>


<ol start="1">
	<li>
		Open <strong>Microsoft Edge</strong>.
	</li>
	<li>
		Click the <strong>"Settings and more" </strong>(three-dots) button in the top right.
	</li>
	<li>
		Choose the <strong>Settings </strong>option.
	</li>
	<li>
		Click on <strong>Profiles </strong>from the left pane.
	</li>
	<li>
		Click the <strong>Personal info</strong> setting under the "Microsoft Wallet" section.
	</li>
</ol>


<div>
	<div>

		<p>
			<img alt="Microsoft Edge Personal info settings" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/AhMTXaGBJypUieUKQNkBcb-1024-80.jpg">
		</p>

		<p>
			<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
		</p>


		<ol start="6">
			<li>
				Confirm the personal information saved on your browser.
			</li>
		</ol>


		<div>
			<div>

				<p>
					<img alt="Microsoft Edge saved personal info" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/iKyKnJfdXZUD9y6UZf5pim-1024-80.jpg">
				</p>

				<p>
					<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
				</p>


				<p>
					Once you complete the steps, you will know what personal information the browser has saved.
				</p>

				<div id="slice-container-newsletterForm-articleInbodyContent-ysA3zRbbtzdQeHpTFJrLc9">
					<div data-hydrate="true">
						<h2 id="add-new-personal-info-3">
							Add new personal info
						</h2>

						<p>
							To create a new entry with your personal information, use these steps:
						</p>


						<ol start="1">
							<li>
								Open <strong>Microsoft Edge</strong>.
							</li>
							<li>
								Click the <strong>"Settings and more"</strong> (three-dots) button in the top right.
							</li>
							<li>
								Choose the <strong>Settings </strong>option.
							</li>
							<li>
								Click on <strong>Profiles </strong>from the left pane.
							</li>
							<li>
								Click the<strong> Personal info</strong> setting under the "Microsoft Wallet" section.
							</li>
						</ol>

						<ol start="6">
							<li>
								Click the <strong>"Add personal info"</strong> option.
							</li>
						</ol>


						<div>
							<div>

								<p>
									<img alt="Add personal info" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/ujaxtGtg46hp29ibzm7kG7-1024-80.jpg">
								</p>

								<p>
									<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
								</p>


								<ol start="7">
									<li>
										Confirm the necessary information, such as full name, phone, email, etc.
									</li>
								</ol>


								<div>
									<div>

										<p>
											<img alt="Create personal info entry" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/WbyUSRvHHVcvLRRmdmoiFE-1024-80.jpg">
										</p>

										<p>
											<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
										</p>


										<ul>
											<li>
												<strong>Quick tip:</strong> You have to provide all the required information for the save option to be available.
											</li>
										</ul>

										<ol start="8">
											<li>
												Click the <strong>Save </strong>button.
											</li>
										</ol>


										<p>
											After you complete the steps, the new information will be saved in the browser, and it'll become available during the autofill process.
										</p>

										<h2 id="edit-existing-personal-info-3">
											Edit existing personal info
										</h2>

										<p>
											To modify existing address information on Microsoft Edge, use these steps:
										</p>


										<ol start="1">
											<li>
												Open <strong>Microsoft Edge</strong>.
											</li>
											<li>
												Click the <strong>"Settings and more"</strong> (three-dots) button in the top right.
											</li>
											<li>
												Choose the <strong>Settings </strong>option.
											</li>
											<li>
												Click on <strong>Profiles </strong>from the left pane.
											</li>
											<li>
												Click the <strong>Personal info</strong> setting under the "Microsoft Wallet" section.
											</li>
										</ol>


										<div>
											<div>

												<p>
													<img alt="Microsoft Edge Personal info settings" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/AhMTXaGBJypUieUKQNkBcb-1024-80.jpg">
												</p>

												<p>
													<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
												</p>


												<ol start="6">
													<li>
														Click the menu button for a specific address and choose the <strong>Edit </strong>option.
													</li>
												</ol>


												<div>
													<div>

														<p>
															<img alt="Edge edit personal info" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/9LcP4rRPeBUhhAJ5EhdFNR-1024-80.jpg">
														</p>

														<p>
															<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
														</p>


														<ol start="7">
															<li>
																Change your personal information as needed.
															</li>
															<li>
																Click the <strong>Save </strong>button.
															</li>
														</ol>


														<div>
															<div>

																<p>
																	<img alt="Create personal info entry" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/WbyUSRvHHVcvLRRmdmoiFE-1024-80.jpg">
																</p>

																<p>
																	<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
																</p>


																<p>
																	Once you complete the steps, the browser will no longer suggest the incorrect details when you fill out a form online.
																</p>

																<h2 id="remove-personal-info-3">
																	Remove personal info
																</h2>

																<p>
																	To remove one or more pieces of personal information saved on the browser, use these steps:
																</p>


																<ol start="1">
																	<li>
																		Open <strong>Microsoft Edge</strong>.
																	</li>
																	<li>
																		Click the <strong>"Settings and more"</strong> (three-dots) button in the top right.
																	</li>
																	<li>
																		Choose the <strong>Settings </strong>option.
																	</li>
																	<li>
																		Click on <strong>Profiles </strong>from the left pane.
																	</li>
																	<li>
																		Click the <strong>Personal info</strong> setting under the "Microsoft Wallet" section.
																	</li>
																</ol>


																<div>
																	<div>

																		<p>
																			<img alt="Microsoft Edge Personal info settings" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/AhMTXaGBJypUieUKQNkBcb-1024-80.jpg">
																		</p>

																		<p>
																			<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
																		</p>


																		<ol start="6">
																			<li>
																				Click the menu button for a specific address and choose the <strong>Delete </strong>option.
																			</li>
																		</ol>


																		<div>
																			<div>

																				<p>
																					<img alt="Edge delete personal info" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/riQ36dVHRrqWKEzVzNkfma-1024-80.jpg">
																				</p>

																				<p>
																					<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
																				</p>


																				<p>
																					After you complete the steps, the entry will be deleted from the browser.
																				</p>

																				<h2 id="configure-personal-info-settings-3">
																					Configure personal info settings
																				</h2>

																				<p>
																					To control how Microsoft Edge gathers and saves your personal information, use these steps:
																				</p>


																				<ol start="1">
																					<li>
																						Open <strong>Microsoft Edge</strong>.
																					</li>
																					<li>
																						Click the <strong>"Settings and more"</strong> (three-dots) button in the top right.
																					</li>
																					<li>
																						Choose the <strong>Settings </strong>option.
																					</li>
																					<li>
																						Click on <strong>Profiles </strong>from the left pane.
																					</li>
																					<li>
																						Click the <strong>Personal info</strong> setting under the "Microsoft Wallet" section.
																					</li>
																				</ol>


																				<div>
																					<div>

																						<p>
																							<img alt="Microsoft Edge Personal info settings" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/AhMTXaGBJypUieUKQNkBcb-1024-80.jpg">
																						</p>

																						<p>
																							<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
																						</p>


																						<ol start="6">
																							<li>
																								Click the <strong>Settings </strong>option from the top right or left pane.
																							</li>
																						</ol>


																						<div>
																							<div>

																								<p>
																									<img alt="Microsoft Edge Wallet settings" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/fxVC8JZ7MTiWCV7gKvoFjk-1024-80.jpg">
																								</p>

																								<p>
																									<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
																								</p>


																								<ol start="7">
																									<li>
																										(Option 1) Turn off the <strong>"Save and fill basic info"</strong> toggle switch for the "Personal info" setting to prevent the browser from saving address, phone, name, and other types of details.
																									</li>
																								</ol>


																								<div>
																									<div>

																										<p>
																											<img alt="Personal info disabled" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/ewgSL9snNPEjVvwgJREaBP-1024-80.jpg">
																										</p>

																										<p>
																											<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
																										</p>


																										<ol start="8">
																											<li>
																												(Option 2) Turn on the<strong> "Save and fill basic info"</strong> toggle switch to allow the browser to save personal details for auto-filling.
																											</li>
																										</ol>


																										<p>
																											While on this page, you can also manage other data collection features. For example, you can turn off the options to save membership and payment details, and change the settings to stop Microsoft Edge from showing information about travel reservations on Bing.
																										</p>

																										<h2 id="disable-syncing-for-personal-info-3">
																											Disable syncing for personal info
																										</h2>

																										<p>
																											To disable personal information syncing to the cloud and across devices, use these steps:
																										</p>


																										<ol start="1">
																											<li>
																												Open <strong>Microsoft Edge</strong>.
																											</li>
																											<li>
																												Click the <strong>"Settings and more"</strong> (three-dots) button in the top right.
																											</li>
																											<li>
																												Choose the <strong>Settings </strong>option.
																											</li>
																											<li>
																												Click on <strong>Profiles </strong>from the left pane.
																											</li>
																											<li>
																												Click the <strong>"Sync"</strong> setting under the "Profile settings" section.
																											</li>
																										</ol>


																										<div>
																											<div>

																												<p>
																													<img alt="Microsoft Edge Sync settings" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/ztCpGskCmXSjCkU56hzDDP-1024-80.jpg">
																												</p>

																												<p>
																													<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
																												</p>


																												<ol start="6">
																													<li>
																														Turn off the <strong>Personal info</strong> toggle switch to stop phone numbers, addresses, and other pieces of information from syncing across devices.
																													</li>
																												</ol>


																												<div>
																													<div>

																														<p>
																															<img alt="Microsoft Edge disable Personal info" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/UeHndHdJizNmGgXGPikLUd-1024-80.jpg">
																														</p>

																														<p>
																															<em><span itemprop="copyrightHolder">(Image credit: Mauro Huculak)</span></em>
																														</p>


																														<p>
																															While on this page, you can also turn off syncing for payment information and wallet assets (if necessary).
																														</p>


																														<p>
																															<a href="https://www.windowscentral.com/software-apps/windows-11/how-to-manage-personal-info-saved-on-microsoft-edge" rel="external nofollow">Source</a>
																														</p>

																														<hr class="ipsHr">
																														<p>
																															<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
																														</p>

																														<p>
																															<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
																														</p>

																														<p>
																															<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+</em></span>
																														</p>

																														<p>
																															<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
																														</p>
																													</div>
																												</div>
																											</div>
																										</div>
																									</div>
																								</div>
																							</div>
																						</div>
																					</div>
																				</div>
																			</div>
																		</div>
																	</div>
																</div>
															</div>
														</div>
													</div>
												</div>
											</div>
										</div>
									</div>
								</div>
							</div>
						</div>
					</div>
				</div>
			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">27461</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>First Bitwarden password manager update of 2025 improves password auto-fill</title><link>https://nsaneforums.com/news/security-privacy-news/first-bitwarden-password-manager-update-of-2025-improves-password-auto-fill-r27447/</link><description><![CDATA[<p>
	Bitwarden is an open source password management solution that we have mentioned <a data-wpel-link="internal" href="https://www.ghacks.net/2021/02/20/migrating-from-lastpass-to-an-alternative-password-manager-keepass-vs-bitwarden-which-one-will-you-choose/" rel="external nofollow">and recommended</a> several times here on this site in the past.
</p>


<p>
	The developers have released the first major update of 2025. It is <a data-wpel-link="external" href="https://bitwarden.com/" rel="external nofollow" target="_blank">available already</a> for all supported platforms and includes a number of important changes and improvements.
</p>


<p>
	Bitwarden published <a data-wpel-link="external" href="https://bitwarden.com/help/releasenotes/" rel="external nofollow" target="_blank">the changelog</a> on its official website. A core change improves auto fill.
</p>

<h3>
	Auto Fill improvements
</h3>

<p>
	All browser extensions support the improvement. Up until now, you had to use the Fill button to fill out login information automatically.
</p>


<p>
	Once the update is installed, you may initiate the process by simply clicking on an entry. This functionality is not enabled by default, but you can enable it in the following way:
</p>


<ol>
	<li>
		Select Settings &gt; Autofill.
	</li>
	<li>
		Toggle "Click items to autofill on Vault view" to enable the feature.
	</li>
</ol>


<p>
	Once enabled, clicking a vault item pastes the data into the web form on the active webpage. To view an item instead, select its three-dots menu and then the view option.
</p>


<p>
	The second autofill-related feature improves the entering of TOTP codes via the browser extensions. Bitwarden has supported two-factor authentication codes for quite some time. These need to be entered as a second authentication step, provided that you have configured this extra layer of protection.
</p>


<p>
	With the update installed, it is now possible to use the inline menu to enter TOTP codes on websites. You need to enable the inline autofill menu if you have not done so already. Here is how that is done:
</p>


<ol>
	<li>
		Select Settings &gt; Autofill.
	</li>
	<li>
		Locate "Show autofill suggestions on form fields" and pick the desired autofill method.
	</li>
</ol>


<p>
	Bitwarden recommends disabling the web browser's built-in autofill to avoid conflicts.
</p>

<h3>
	Other improvements in Bitwarden
</h3>

<p>
	Bitwarden notes that the password manager's desktop apps downloaded via the Snap Store now support biometric unlock after the update is installed.
</p>


<p>
	The remaining changes are mostly for Enterprise customers and organizations:
</p>


<ul>
	<li>
		New Public API operation: a GET operation was added to /public/organization/subscription.
	</li>
	<li>
		Remove Free Bitwarden Families sponsorship policy to prevent users from "redeeming a sponsored Families plan through their organization".
	</li>
	<li>
		New integrations page added to the Admin console that provides Help Center links.
	</li>
	<li>
		Provider members can no longer export client vaults.
	</li>
</ul>


<p>
	<em>Now it is your turn. Which password manager do you use and why? Have you tried Bitwarden in the past? Feel free to leave a comment down below.</em>
</p>



<p>
	<a href="https://www.ghacks.net/2025/01/16/first-bitwarden-password-manager-update-of-2025-improves-password-auto-fill/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27447</guid><pubDate>Thu, 16 Jan 2025 17:16:21 +0000</pubDate></item><item><title>Google Password Manager passkey support added to iOS and iPadOS 17 and newer</title><link>https://nsaneforums.com/news/security-privacy-news/google-password-manager-passkey-support-added-to-ios-and-ipados-17-and-newer-r27446/</link><description><![CDATA[<p>
	Google has announced that Chrome for iOS now supports passkeys, meaning you can sync your logins from other devices more easily. With <a href="https://developer.chrome.com/blog/passkeys-gpm-ios?hl=en" rel="external nofollow">support for iOS and iPadOS added</a>, Chrome now syncs this new login mechanism across all types of devices, including Android, macOS, Windows, Linux, and ChromeOS.
</p>


<p>
	Once you've created a passkey for a website or app, you can sign in to that service using a fingerprint, facial recognition, a PIN, or a pattern. It removes the need to use passwords to access your account, which, theoretically, makes it more difficult for hackers to breach your account. One issue with passkeys right now is that they're not exportable if you decide to change browsers, though <a href="https://blog.1password.com/fido-alliance-import-export-passkeys-draft-specs/" rel="external nofollow">they will be in the future</a>.
</p>


<p>
	To create passkeys in the Google Password Manager in Chrome for iOS/iPadOS, you need to be on version 17 or higher of those operating systems. These are the minimum requirements for syncing passkeys from other devices as well.
</p>


<p>
	Explaining what problems this fixes, Google <a href="https://developer.chrome.com/blog/passkeys-gpm-ios?hl=en" rel="external nofollow">says</a>:
</p>


<blockquote class="QuoteNewsStyle">
	<p>
		“Previously, passkeys created on Google Password Manager on Android, Windows, Linux, and ChromeOS were not available on iOS or iPadOS. Similarly, passkeys created on iOS or iPadOS were saved to Apple Passwords (formerly iCloud Keychain) and not synced to other platforms. While Apple Passwords syncs passkeys across Apple devices under the same Apple account, it does not extend compatibility to other platforms.”
	</p>
</blockquote>

<p>
	To start using Chrome passkeys on iOS, you'll need to set Chrome as an autofill provider in Settings. Open System Settings on your iOS or iPadOS device, then go to <strong>General &gt; AutoFill &amp; Passwords</strong>. Under <strong>Autofill From</strong>, toggle Chrome to enable autofill.
</p>


<p>
	Passkeys are still a fairly new login option and, given their lack of exportability, aren't perfect yet. If you want to try out passkeys, you can do so with a GitHub account. Wisely, GitHub offers passkey sign-in as a complementary option alongside passwords, so if you don't have a device that supports passkeys, you can fall back on your password and 2FA.
</p>


<p>
	<a href="https://www.neowin.net/news/google-password-manager-passkey-support-added-to-ios-and-ipados-17-and-newer/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">27446</guid><pubDate>Thu, 16 Jan 2025 17:14:07 +0000</pubDate></item><item><title>Google Chrome 132 update fixes 16 unique security issues</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-132-update-fixes-16-unique-security-issues-r27439/</link><description><![CDATA[<p>
	Google released a new security update for its Chrome web browser that patches 16 unique security issues in the browser. Several of the vulnerabilities affect other Chromium-based web browsers as well, including Microsoft Edge, Brave, Vivaldi, and Opera.
</p>


<p>
	The point update for Google Chrome brings the desktop version to 132.0.6834.83 and 132.0.6834.84 for all supported operating systems. The update itself is available for Chrome on Windows, Linux, Mac, ChromeOS, and Android.
</p>

<h3>
	16 unique security vulnerabilities fixed
</h3>

<p>
	<img alt="Google Chrome 132 security update" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/01/google-chrome-132-security-update-1200x685.png">
</p>


<p>
	Google <a data-wpel-link="external" href="https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html" rel="external nofollow" target="_blank">reveals</a> that it has fixed 16 security issues in the new update. The official release notes list only the publicly reported issues, all of which have a severity rating of high or lower. The vulnerabilities were fixed in several components of the browser, including its JavaScript engine, Extensions, and navigation.
</p>


<p>
	Google makes no mention of exploits in the wild, which is reassuring.
</p>


<p>
	Chrome users may want to upgrade the browser as soon as possible to block potential attacks. On desktop, the easiest way to do that is the following:
</p>


<ol>
	<li>
		Open Menu.
	</li>
	<li>
		Select Help &gt; About Google Chrome.
	</li>
</ol>


<p>
	Google Chrome displays the currently installed version on the page. The browser checks for updates whenever that page is opened. Chrome should download and install the point update automatically at this point.
</p>


<p>
	Please note that a restart of the browser is required to complete the update. This does not happen automatically though.
</p>


<p>
	Android users need to wait until the update is offered via Google Play. There is no option to speed up the delivery of the security update on the mobile platform.
</p>

<h2>
	Outlook
</h2>

<p>
	Another point update is expected next week, as new security updates for Chrome get released once a week by Google. The next stable version of Chrome is version 133, which Google is expected to release in two weeks.
</p>


<p>
	As mentioned earlier, if you use another Chromium-based browser, look out for updates for these. Since they use the same engine as Google Chrome, they tend to be affected by the majority of security issues that affect Chrome as well.
</p>


<p>
	<a href="https://www.ghacks.net/2025/01/15/google-chrome-132-update-fixes-16-unique-security-issues/" rel="external nofollow">Source</a>
</p>


]]></description><guid isPermaLink="false">27439</guid><pubDate>Thu, 16 Jan 2025 08:29:28 +0000</pubDate></item><item><title>Rsync package in Ubuntu distros updated to fix remote code execution bugs, download now</title><link>https://nsaneforums.com/news/security-privacy-news/rsync-package-in-ubuntu-distros-updated-to-fix-remote-code-execution-bugs-download-now-r27425/</link><description><![CDATA[<p>
	If you are running an Ubuntu-based operating system such as Ubuntu, Kubuntu, Lubuntu, and even Linux Mint, you really need to apply available updates to patch the rsync package. Fixes have just been issued to address numerous vulnerabilities that allow remote code execution and affect servers and client machines.
</p>


<p>
	Highlighting the issues, <a href="https://ubuntu.com/blog/rsync-remote-code-execution" rel="external nofollow">Canonical says</a>:
</p>


<blockquote class="QuoteNewsStyle">
	<p>
		Security researchers at Google (Pedro Gallegos, Simon Scannell, and Jasiel Spelman) discovered vulnerabilities in the rsync server and rsync client. The rsync server vulnerabilities (<a href="https://ubuntu.com/security/CVE-2024-12084" rel="external nofollow">CVE-2024-12084</a> and <a href="https://ubuntu.com/security/CVE-2024-12085" rel="external nofollow">CVE-2024-12085</a>) ultimately allow remote code execution (RCE). The rsync client vulnerabilities allow a malicious server to read arbitrary files (<a href="https://ubuntu.com/security/CVE-2024-12086" rel="external nofollow">CVE-2024-12086</a>), create unsafe symlinks (<a href="https://ubuntu.com/security/CVE-2024-12087" rel="external nofollow">CVE-2024-12087</a>) and overwrite arbitrary files in certain circumstances (<a href="https://ubuntu.com/security/CVE-2024-12088" rel="external nofollow">CVE-2024-12088</a>).
	</p>


	<p>
		During the coordinated vulnerability response of the above issues, a sixth vulnerability (<a href="https://ubuntu.com/security/CVE-2024-12747" rel="external nofollow">CVE-2024-12747</a>) which affects how the rsync server handles symlinks was reported by Aleksei Gorban.
	</p>


	<p>
		Canonical’s security team has released updates of the rsync packages for all supported Ubuntu releases. The updates remediate <a href="https://ubuntu.com/security/CVE-2024-12084" rel="external nofollow">CVE-2024-12084</a>, <a href="https://ubuntu.com/security/CVE-2024-12085" rel="external nofollow">CVE-2024-12085</a>, <a href="https://ubuntu.com/security/CVE-2024-12086" rel="external nofollow">CVE-2024-12086</a>, <a href="https://ubuntu.com/security/CVE-2024-12087" rel="external nofollow">CVE-2024-12087</a>, <a href="https://ubuntu.com/security/CVE-2024-12088" rel="external nofollow">CVE-2024-12088</a>, and <a href="https://ubuntu.com/security/CVE-2024-12747" rel="external nofollow">CVE-2024-12747</a>. Information on the affected versions can be found in the CVE pages linked above.
	</p>
</blockquote>

<p>
	If you are on Ubuntu 16.04 LTS or above, the unattended-upgrades feature is enabled by default, which means these security updates will be applied within 24 hours of them being available. If you've switched that off or are using another distribution, then you might have to get the update yourself via your update manager or the terminal.
</p>


<p>
	To update via the terminal, enter the following command and input your password when requested:
</p>


<p>
	<code>sudo apt update &amp;&amp; sudo apt upgrade</code>
</p>


<p>
	If you can't upgrade all packages and want to just update rsync then you can use the following command:
</p>


<p>
	<code>sudo apt update &amp;&amp; sudo apt install --only-upgrade rsync</code>
</p>


<p>
	If you're wondering whether you really need to update the rsync package now, the answer is yes: do it as soon as possible. The flaws affect both servers and end-user computers, and they can be exploited remotely.
</p>


<p>
	The fixed packages for each Ubuntu release are as follows:
</p>


<table border="1" cellpadding="1" cellspacing="1" style="width:100%">
	<thead>
		<tr>
			<th scope="col">
				<strong>Release</strong>
			</th>
			<th scope="col">
				<strong>Package Name</strong>
			</th>
			<th scope="col">
				<strong>Fixed Version</strong>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					Trusty (14.04 LTS)
				</p>
			</td>
			<td>
				rsync
			</td>
			<td>
				<p>
					3.1.0-2ubuntu0.4+esm1
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Xenial (16.04 LTS)
				</p>
			</td>
			<td>
				rsync
			</td>
			<td>
				<p>
					3.1.1-3ubuntu1.3+esm3
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Bionic (18.04 LTS)
				</p>
			</td>
			<td>
				rsync
			</td>
			<td>
				<p>
					3.1.2-2.1ubuntu1.6+esm1
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Focal (20.04 LTS)
				</p>
			</td>
			<td>
				rsync
			</td>
			<td>
				<p>
					3.1.3-8ubuntu0.8
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Jammy (22.04 LTS)
				</p>
			</td>
			<td>
				rsync
			</td>
			<td>
				<p>
					3.2.7-0ubuntu0.22.04.3
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Noble (24.04 LTS)
				</p>
			</td>
			<td>
				rsync
			</td>
			<td>
				<p>
					3.2.7-1ubuntu1.1
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Oracular (24.10)
				</p>
			</td>
			<td>
				rsync
			</td>
			<td>
				<p>
					fix not available
				</p>
			</td>
		</tr>
	</tbody>
</table>


<p>
	You can open the terminal and run <code>dpkg -l rsync</code> to check whether you have the updated package. If you have a lower version, open up the update manager and look to see if the update is available. This package comes pre-installed on most Ubuntu-based systems, so it's important for everyone to check that they're up to date.
</p>


<p>
	<a href="https://www.neowin.net/news/rsync-package-in-ubuntu-distros-updated-to-fix-remote-code-execution-bugs-download-now/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27425</guid><pubDate>Wed, 15 Jan 2025 17:53:12 +0000</pubDate></item><item><title>Google allows advertisers to fingerprint you for even better tracking</title><link>https://nsaneforums.com/news/security-privacy-news/google-allows-advertisers-to-fingerprint-you-for-even-better-tracking-r27380/</link><description><![CDATA[<p>
	Google has announced a change to its advertising policies that will <span class="qa-highlight">allow advertisers to use digital fingerprinting starting February 16, 2025.</span>
</p>


<p>
	<strong>Why it is important:</strong> digital fingerprinting uses signals, like the IP address, location, language, used software, or operating system, to identify devices and users on the Internet.
</p>


<p>
	Numerous digital fingerprinting techniques exist, some even <a data-wpel-link="internal" href="https://www.ghacks.net/2017/02/14/researchers-develop-cross-browser-fingerprinting-technique/" rel="external nofollow">capable of cross-browser fingerprinting</a>.
</p>


<p>
	<strong>Tip</strong>: you can test your browser's anti-fingerprinting protections, or lack thereof, on the EFF's <a data-wpel-link="external" href="https://coveryourtracks.eff.org/" rel="external nofollow" target="_blank">Cover Your Tracks webpage</a>.
</p>


<p>
	This tracking technique works well with other methods, but may also stand on its own. It offers several advantages over cookies, but only to the trackers:
</p>


<ul>
	<li>
		Information may be collected without user consent or the user even knowing that it is collected.
	</li>
	<li>
		The data is stored remotely, not on the user's device.
	</li>
	<li>
		Unlike cookies, which can be deleted easily at any time, digital fingerprint data cannot.
	</li>
</ul>


<p>
	Google <a data-wpel-link="external" href="https://support.google.com/marketingplatform/answer/15732590" rel="external nofollow" target="_blank">announced</a> the change on its Google Marketing Platform Help support website. According to Google, the updated policies "clarify the activities that we prohibit to better protect the ads ecosystem from harmful activities, while being less prescriptive with partners in how they target and measure ads".
</p>


<p>
	The UK's Information Commissioner's Office was <a data-wpel-link="external" href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/12/our-response-to-google-s-policy-change-on-fingerprinting" rel="external nofollow" target="_blank">one of the first</a> to react to Google's announcement stating that "businesses do not have free rein to use fingerprinting as they please".
</p>


<p>
	It highlighted that Google itself opposed the fingerprinting of users in 2019, stating back then that it subverted user choice and was wrong.
</p>


<p>
	What changed? Google's stance is that two shifts have recently taken place in the advertising ecosystem.
</p>


<ol>
	<li>
		Advances in privacy-enhancing technologies.
	</li>
	<li>
		Rise of ad-supported devices and platforms.
	</li>
</ol>


<p>
	Privacy-enhancing technologies (PETs) include on-device processing, trusted execution environments, and secure multi-party computation. Google says that advancements "are unlocking new ways for brands to manage and activate their data safely and securely".
</p>


<p>
	The big policy shift is only hinted at in the main support article. A single sentence in the middle of the text provides it: "The policy also updates the requirements for our partners on the use of data signals."
</p>


<p>
	The updated policy itself is not linked on that page. You can <a data-wpel-link="external" href="https://support.google.com/platformspolicy/answer/15738904?sjid=7399373982054974182-EU" rel="external nofollow" target="_blank">open it here</a>.
</p>


<p>
	When you compare the current policy to the new one, you will notice several changes. For users, an important change is listed under "Identifying users and user consent".
</p>


<p>
	Previously, Google did not allow advertisers to pass any information to it that
</p>


<ul>
	<li>
		Google could use or recognize as personally-identifiable information.
	</li>
	<li>
		permanently identifies a particular device (such as a mobile phone's unique device identifier if such an identifier cannot be reset).
	</li>
</ul>


<p>
	The second rule has been removed in the new policy. In other words, advertisers may identify users based on the devices that they use and may pass the information to Google for tracking purposes.
</p>


<p>
	<strong>What can you do about it?</strong>
</p>


<ol>
	<li>
		Content blockers work against many forms of fingerprinting as well.
	</li>
	<li>
		Some browsers, for example Brave and Firefox, come with fingerprinting defenses that make it harder for companies to track you using fingerprints.
	</li>
</ol>


<p>
	<em>Now it is your turn. Do you use protections against fingerprinting in your browsers, apps and devices? Are you worried about the policy change? Feel free to leave a comment down below.</em>
</p>


<p>
	<a href="https://www.ghacks.net/2025/01/13/google-allows-advertisers-to-fingerprint-you-for-even-better-tracking/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27380</guid><pubDate>Mon, 13 Jan 2025 17:08:25 +0000</pubDate></item><item><title>Google loses in court, faces trial for collecting data on users who opted out</title><link>https://nsaneforums.com/news/security-privacy-news/google-loses-in-court-faces-trial-for-collecting-data-on-users-who-opted-out-r27342/</link><description><![CDATA[<h3>
	Judge: Reasonable juror may find Google profited from misappropriation of data.
</h3>

<p>
	A federal judge this week rejected Google's motion to throw out a class-action lawsuit alleging that it invaded the privacy of users who opted out of functionality that records a user's web and app activities. A jury trial is scheduled for August 2025 in US District Court in San Francisco.
</p>


<p>
	The lawsuit concerns Google's <a href="https://support.google.com/websearch/answer/54068?authuser=0&amp;hl=en&amp;visit_id=638720335871252569-1476343229&amp;p=web_app_activity&amp;rd=1" rel="external nofollow">Web &amp; App Activity</a> (WAA) settings, with the lead plaintiff representing two subclasses of people with Android and non-Android phones who opted out of tracking. "The WAA button is a Google account setting that purports to give users privacy control of Google's data logging of the user's web app and activity, such as a user's searches and activity from other Google services, information associated with the user's activity, and information about the user's location and device," <a href="https://storage.courtlistener.com/recap/gov.uscourts.cand.362381/gov.uscourts.cand.362381.445.0.pdf" rel="external nofollow">wrote</a> US District Judge Richard Seeborg, the chief judge in the Northern District of California.
</p>


<p>
	Google says that Web &amp; App Activity "saves your activity on Google sites and apps, including associated info like location, to give you faster searches, better recommendations, and more personalized experiences in Maps, Search, and other Google services." Google also has a supplemental Web App and Activity setting that the judge's ruling refers to as "(s)WAA."
</p>


<p>
	"The (s)WAA button, which can only be switched on if WAA is also switched on, governs information regarding a user's '[Google] Chrome history and activity from sites, apps, and devices that use Google services.' Disabling WAA also disables the (s)WAA button," Seeborg wrote.
</p>

<h2>
	Google sends data to developers
</h2>

<p>
	But data is still sent to third-party app developers through the Google Analytics for Firebase (GA4F), "a free analytical tool that takes user data from the Firebase kit and provides app developers with insight on app usage and user engagement," the ruling said. GA4F "is integrated in 60 percent of the top apps" and "works by automatically sending to Google a user's ad interactions and certain identifiers regardless of a user's (s)WAA settings, and Google will, in turn, provide analysis of that data back to the app developer."
</p>


<p>
	Plaintiffs have brought claims of privacy invasion under California law. Plaintiffs "present evidence that their data has economic value," and "a reasonable juror could find that Plaintiffs suffered damage or loss because Google profited from the misappropriation of their data," Seeborg wrote.
</p>


<p>
	The lawsuit was filed in July 2020. The judge notes that summary judgment can be granted when "there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Google hasn't met that standard, he ruled.
</p>


<p>
	In a statement provided to Ars, Google said that "privacy controls have long been built into our service and the allegations here are a deliberate attempt to mischaracterize the way our products work. We will continue to make our case in court against these patently false claims."
</p>


<p>
	In a proposed settlement of a different lawsuit, Google last year <a href="https://arstechnica.com/tech-policy/2024/04/google-agrees-to-delete-private-browsing-data-to-settle-incognito-mode-lawsuit/" rel="external nofollow">agreed</a> to delete records reflecting users' private browsing activities in Chrome's Incognito mode.
</p>

<h2>
	Google disclosures are ambiguous, judge says
</h2>

<p>
	Google claimed that the "undisputed facts" show its collection of "data was lawful and consistent with its representations to class members," Seeborg wrote. But in the judge's view, the "various interpretations of these disclosures render them ambiguous such that a reasonable user would expect the WAA and (s)WAA settings to control Google's collection of a user's web app and activity on products using Google's services."
</p>


<p>
	Google contends that its system is harmless to users. "Google argues that its sole purpose for collecting (s)WAA-off data is to provide these analytic services to app developers. This data, per Google, consists only of non-personally identifiable information and is unrelated (or, at least, not directly related) to any profit-making objectives," Seeborg wrote.
</p>


<p>
	On the other side, plaintiffs say that Google's tracking contradicts its "representations to users because it gathers exactly the data Google denies saving and collecting about (s)WAA-off users," Seeborg wrote. "Moreover, Plaintiffs insist that Google's practices allow it to personalize ads by linking user ad interactions to any later related behavior—information advertisers are likely to find valuable—leading to Google's lucrative advertising enterprise built, in part, on (s)WAA-off data unlawfully retrieved."
</p>


<p>
	Plaintiffs contend that "Google should be disgorged of all its profits derived from serving any ads to (s)WAA-off users. Google "denies that any (s)WAA-off data is saved to a user's marketing profile, which precludes it from personalizing advertising to a WAA-off users." Google says the data is "intended to be shared with only developers through GA4F for their own analysis."
</p>

<h2>
	Jury can evaluate Google’s “pseudonymous” claims
</h2>

<p>
	Google, as the judge writes, purports to treat user data as pseudonymous by creating a randomly generated identifier that "permits Google to recognize the particular device and its later ad-related behavior... Google insists that it has created technical barriers to ensure, for (s)WAA-off users, that pseudonymous data is delinked to a user's identity by first performing a 'consent check' to determine a user's (s)WAA settings."
</p>


<p>
	Whether this counts as personal information under the law is a question for a jury, the judge wrote. Seeborg pointed to California law that defines personal information to include data that "is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Given the legal definition, "a reasonable juror could view the (s)WAA-off data Google collected via GA4F, including a user's unique device identifiers, as comprising a user's personal information," he wrote.
</p>


<p>
	As Seeborg wrote, "Google insists that users knew and consented to its tracking practices," specifically the collection of pseudonymous data. Seeborg rejected this claim. To a reasonable user reading Google's disclosures, "it is unclear Plaintiffs were consenting to the data collection at issue," he wrote.
</p>


<p>
	Another argument from Google is that plaintiffs have no reasonable expectation of privacy in anonymized, aggregate data. But information doesn't have to be personally identifying in order to be private, and "whether the data collected by Google constitutes personal information is not, as Google suggests, a foregone conclusion," Seeborg wrote.
</p>


<p>
	<a href="https://arstechnica.com/tech-policy/2025/01/google-loses-in-court-faces-trial-for-collecting-data-on-users-who-opted-out/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27342</guid><pubDate>Fri, 10 Jan 2025 03:10:02 +0000</pubDate></item><item><title>Apple will pay $95 million to people who were spied on by Siri</title><link>https://nsaneforums.com/news/security-privacy-news/apple-will-pay-95-million-to-people-who-were-spied-on-by-siri-r27320/</link><description><![CDATA[<h3>
	You could get up to $20 for every device you bought and accidentally activated Siri on.
</h3>

<div>
	<div id="zephr-anchor">
		<div>
			<div>
				<p>
					Apple has <a href="https://storage.courtlistener.com/recap/gov.uscourts.cand.345934/gov.uscourts.cand.345934.336.0.pdf" rel="external nofollow">agreed to a $95 million settlement</a> with users whose conversations were inadvertently captured by its Siri voice assistant and potentially overheard by human employees. The <a href="https://storage.courtlistener.com/recap/gov.uscourts.cand.345934/gov.uscourts.cand.345934.336.2.pdf" rel="external nofollow">proposed settlement</a>, <a href="https://www.reuters.com/legal/apple-pay-95-million-settle-siri-privacy-lawsuit-2025-01-02/" rel="external nofollow">reported by <em>Bloomberg</em></a>, could pay many US-based Apple product owners up to $20 per device for up to five Siri-enabled devices. It still requires approval by a judge.
				</p>

			</div>

			<div>
				<p>
					If approved, the settlement would apply to a subset of US-based people who owned or bought a Siri-enabled iPhone, iPad, Apple Watch, MacBook, iMac, HomePod, iPod touch, or Apple TV between September 17th, 2014 and December 31st, 2024. A user would also need to meet one other major criterion: they must swear under oath that they accidentally activated Siri during a conversation intended to be confidential or private. Individual payouts will depend on how many people claim the money, so if you apply, you could end up receiving less than the $20 maximum cap.
				</p>
			</div>


			<div>
				<p>
					The initial class action suit against Apple followed a 2019 <a href="https://www.theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings" rel="external nofollow">report by <em>The Guardian</em></a>, which <a href="https://www.theverge.com/2019/7/26/8932064/apple-siri-private-conversation-recording-explanation-alexa-google-assistant" rel="external nofollow">alleged Apple</a> third-party contractors “regularly hear confidential medical information, drug deals, and recordings of couples having sex” while working on Siri quality control. While Siri is supposed to be triggered by a deliberate wake word, a whistleblower said that accidental triggers were common, claiming something as simple as the sound of a zipper could wake Siri up. Apple told <em>The Guardian</em> that only a small portion of Siri recordings were passed to contractors, and it later <a href="https://www.theverge.com/2019/8/28/20836760/apple-apology-siri-audio-recordings-privacy-changes-contractors" rel="external nofollow">offered a formal apology</a> and said it would no longer retain audio recordings.
				</p>

			</div>

			<div>
				<p>
					The plaintiffs in the Apple lawsuit — one of whom was a minor — claimed their iPhones had recorded them on multiple occasions using Siri, sometimes after they hadn’t uttered a wake word.
				</p>

			</div>

			<div>
				<p>
					But Apple has pushed back on another part of the claims: that it let advertisers target users based on Siri recordings. <a href="https://www.reuters.com/legal/apple-pay-95-million-settle-siri-privacy-lawsuit-2025-01-02/" rel="external nofollow">As <em>Reuters</em> noted</a>, some of the complaints say users were served ads that reflected things they’d said in the presence of an Apple device for things like Air Jordans sneakers.
				</p>

			</div>

			<div>
				<p>
					“Siri has been engineered to protect user privacy from the beginning. Siri data has never been used to build marketing profiles and it has never been sold to anyone for any purpose,” Apple spokesperson Nadine Haija said in a statement to <em>The Verge</em>. “Apple settled this case to avoid additional litigation so we can move forward from concerns about third-party grading that we already addressed in 2019. We use Siri data to improve Siri, and we are constantly developing technologies to make Siri even more private.”
				</p>

			</div>

			<div>
				<p>
					Apple wasn’t the only company accused of letting people hear confidential recordings. <a href="https://www.theverge.com/2019/7/11/20690020/google-assistant-home-human-contractors-listening-recordings-vrt-nws" rel="external nofollow">Google</a> and <a href="https://www.theverge.com/2019/4/10/18305378/amazon-alexa-ai-voice-assistant-annotation-listen-private-recordings" rel="external nofollow">Amazon</a> also use contractors that listen in on recorded conversations, including accidentally captured ones, and there’s a <a href="https://www.googleassistantprivacylitigation.com/" rel="external nofollow">similar suit against Google</a> pending.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					<em><strong>Update January 6th:</strong> Added statement from Apple.</em>
				</p>

				<p>
					 
				</p>
			</div>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2025/1/2/24334268/apple-siri-recording-privacy-lawsuit-settlement-proposed" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">27320</guid><pubDate>Wed, 08 Jan 2025 17:13:09 +0000</pubDate></item><item><title>Cryptocurrency wallet drainers stole $494 million in 2024</title><link>https://nsaneforums.com/news/security-privacy-news/cryptocurrency-wallet-drainers-stole-494-million-in-2024-r27257/</link><description><![CDATA[<p>
	Scammers stole $494 million worth of cryptocurrency in wallet drainer attacks last year that targeted more than 300,000 wallet addresses.
</p>

<p>
	 
</p>

<p>
	This marks a 67% increase over 2023 figures, although the number of victims rose by only 3.7%, indicating that victims held larger amounts on average.
</p>

<p>
	 
</p>

<p>
	The data comes from web3 anti-scam platform '<a href="https://drops.scamsniffer.io/scam-sniffer-2024-web3-phishing-attacks-wallet-drainers-drain-494-million/" rel="external nofollow" target="_blank">Scam Sniffer</a>,' which has been tracking wallet drainer activity for a while now, previously reporting attack waves that impacted up to <a href="https://www.bleepingcomputer.com/news/security/ethereum-feature-abused-to-steal-60-million-from-99k-victims/" rel="external nofollow" target="_blank">100,000 people at once</a>.
</p>

<p>
	 
</p>

<p>
	Wallet drainers are phishing tools specifically designed to steal cryptocurrency or other digital assets from users' wallets, often deployed on fake or compromised websites.
</p>

<p>
	 
</p>

<p>
	In 2024, Scam Sniffer observed 30 large-scale (above $1 million) thefts conducted via wallet drainers, with the largest single heist cashing in $55.4 million worth of cryptocurrency.
</p>

<p>
	 
</p>

<p>
	This occurred early in the year when Bitcoin's price hikes fueled phishing activity. In the first quarter of the year, a total of $187 million was stolen via wallet drainer attacks.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Amount in losses and number of wallets impacted monthly" class="ipsImage" height="346" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/January/losses.jpg">
		<figcaption>
			<em>Amount in losses and number of wallets impacted monthly<br>
			Source: Scam Sniffer</em>
		</figcaption>
	</figure>
</div>

<p>
	In the second quarter of the year, a notable drainer service named '<a href="https://www.bleepingcomputer.com/news/cryptocurrency/hackers-steal-3-million-by-impersonating-crypto-news-journalists/" rel="external nofollow" target="_blank">Pink Drainer</a>,' previously seen impersonating journalists in phishing attacks to compromise Discord and Twitter accounts for cryptocurrency-stealing attacks, announced its exit.
</p>

<p>
	 
</p>

<p>
	Although this caused a drop in phishing activity, the scammers gradually picked up the pace in the third quarter, with the <a href="https://www.bleepingcomputer.com/news/security/crypto-phishing-service-inferno-drainer-defrauds-thousands-of-victims/" rel="external nofollow" target="_blank">Inferno</a> service taking the lead by causing $110 million in losses in August and September combined.
</p>

<p>
	 
</p>

<p>
	Finally, the activity subsided in the final quarter of the year, which accounted for only about 10.3% of the total losses recorded in 2024. At that time, Acedrainer also emerged as a major player, taking 20% of the drainer market, Scam Sniffer says.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Drainers'monthly activity" class="ipsImage" height="355" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2025/January/drainers.jpg">
		<figcaption>
			<em>Drainers' monthly activity<br>
			Source: Scam Sniffer</em>
		</figcaption>
	</figure>
</div>

<p>
	Most of the losses (85.3%) occurred on Ethereum, amounting to $152 million, while staking (40.9%) and stablecoins (33.5%) were among the most targeted asset types.
</p>

<p>
	 
</p>

<p>
	Regarding trends seen in 2024, Scam Sniffer highlights the use of fake CAPTCHA and Cloudflare verification pages and IPFS hosting to evade detection, as well as a shift in the signature types used to steal funds.
</p>

<p>
	 
</p>

<p>
	Specifically, most thefts relied on the 'Permit' signature (56.7%) or 'setOwner' (31.9%) to drain funds. The first grants approval for token spending under the EIP-2612 standard, while the second changes smart contract ownership or administrative rights.
</p>

<p>
	 
</p>

<p>
	Another noteworthy trend is the increased use of Google Ads and <a href="https://www.bleepingcomputer.com/news/security/crypto-drainer-steals-59-million-from-63k-people-in-twitter-ad-push/" rel="external nofollow" target="_blank">Twitter ads</a> as a source of traffic to the phishing websites, with the attackers using <a href="https://www.bleepingcomputer.com/news/security/netgear-hyundai-latest-x-accounts-hacked-to-push-crypto-drainers/" rel="external nofollow" target="_blank">compromised accounts</a>, bots, and fake token airdrops to achieve their goal.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Number of fake accounts on X pushing crypto drainers" class="ipsImage" height="420" style="height: auto;" width="979" src="https://www.bleepstatic.com/images/news/u/1220909/2025/January/fakes-X.jpg">
		<figcaption>
			<em>Number of fake accounts on X pushing crypto drainers<br>
			Source: Scam Sniffer</em>
		</figcaption>
	</figure>
</div>

<p>
	To protect against Web3 attacks, the recommendation is to interact only with trusted and verified websites, cross-check URLs against official project websites, read transaction approval prompts and permission requests before signing, and simulate transactions before submitting them.
</p>

<p>
	 
</p>

<p>
	Many wallets also offer built-in warnings for phishing or malicious transactions, so make sure to enable those. Finally, use token revoking tools to ensure no suspicious permissions are active.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cryptocurrency-wallet-drainers-stole-494-million-in-2024/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27257</guid><pubDate>Mon, 06 Jan 2025 01:43:33 +0000</pubDate></item><item><title>Time to check if you ran any of these 33 malicious Chrome extensions</title><link>https://nsaneforums.com/news/security-privacy-news/time-to-check-if-you-ran-any-of-these-33-malicious-chrome-extensions-r27236/</link><description><![CDATA[<h3>
	Two separate campaigns have been stealing credentials and browsing history for months.
</h3>

<p>
	As many of us celebrated the year-end holidays, a small group of researchers worked overtime tracking a startling discovery: At least 33 browser extensions hosted in Google’s Chrome Web Store, some for as long as 18 months, were surreptitiously siphoning sensitive data from roughly 2.6 million devices.
</p>

<p>
	 
</p>

<p>
	The compromises came to light with the <a href="https://www.vulnu.com/p/breaking-cyberhaven-chrome-extension-compromised" rel="external nofollow">discovery</a> by data loss prevention service Cyberhaven that a Chrome extension used by <a href="https://web.archive.org/web/20241227171802/https://chromewebstore.google.com/detail/cyberhaven-security-exten/pajkjnmeojmbapicmbpliphjmcekeaac" rel="external nofollow">400,000</a> of its customers had been updated with code that stole their sensitive data.
</p>

<h2>
	’Twas the night before Christmas
</h2>

<p>
	The malicious extension, distributed as version 24.10.4, was available for 31 hours, from December 25 at 1:32 AM UTC to December 26 at 2:50 AM UTC. Chrome browsers actively running Cyberhaven during that window would automatically download and install the malicious code. Cyberhaven responded by issuing version 24.10.5, followed by 24.10.6 a few days later.
</p>

<p>
	 
</p>

<p>
	The Cyberhaven extension is designed to prevent users from inadvertently entering sensitive data into emails or websites they visit. Analyses of version 24.10.4 showed that it was configured to work with different payloads that were downloaded from cyberhavenext[.]pro, a malicious site the threat actor registered to give the appearance it was affiliated with the company. One recovered payload, Cyberhaven <a href="https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it" rel="external nofollow">said</a>, scoured user devices for browser cookies and authentication credentials for the facebook.com domain. A separate payload <a href="https://secureannex.com/blog/cyberhaven-extension-compromise/" rel="external nofollow">recovered by</a> security firm Secure Annex stole cookies and credentials for chatgpt.com; Cyberhaven said the payload didn't appear functional.
</p>

<p>
	 
</p>

<p>
	The malicious version came through a spear phishing email sent on Christmas Eve to the developers Google listed for the Cyberhaven extension. It warned that the extension wasn’t in compliance with Google’s terms and would be revoked unless the developer took immediate action.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2068950 align-fullwidth">
	<div>
		<img alt="cyberhaven-phishing-email.webp" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/cyberhaven-phishing-email.webp">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Screenshot showing the phishing email sent to Cyberhaven extension developers.</em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs">Credit: <a class="caption-credit-link text-gray-400 no-underline hover:text-gray-500" href="https://medium.com/extensiontotal/when-chrome-extensions-turn-against-us-the-cyberhaven-breach-and-beyond-9e35e59e1bff" target="_blank" rel="external nofollow">Amit Assaraf</a></span></em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	A link in the email led to a Google consent screen requesting access permission for an <a href="https://en.wikipedia.org/wiki/OAuth" rel="external nofollow">OAuth</a> application named Privacy Policy Extension. A Cyberhaven developer granted the permission and, in the process, unknowingly gave the attacker the ability to upload new versions of Cyberhaven’s Chrome extension to the Chrome Web Store. The attacker then used the permission to push out the malicious version 24.10.4.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2068951 align-fullwidth">
	<div>
		<img alt="cyberhaven-oauth-permission-request-1024" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2025/01/cyberhaven-oauth-permission-request-1024x541.webp">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Screenshot showing the Google permission request.</em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs">Credit: <a class="caption-credit-link text-gray-400 no-underline hover:text-gray-500" href="https://medium.com/extensiontotal/when-chrome-extensions-turn-against-us-the-cyberhaven-breach-and-beyond-9e35e59e1bff" target="_blank" rel="external nofollow">Amit Assaraf</a></span></em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	As word of the attack spread in the early hours of December 25, developers and researchers discovered that other extensions had been targeted, in many cases successfully, by the same spear phishing campaign. John Tuckner, founder of Secure Annex, a browser extension analysis and management firm, said that as of Thursday afternoon, he knew of 19 other Chrome extensions that were similarly compromised. In every case, the attacker used spear phishing to push a new malicious version and custom, look-alike domains to issue payloads and receive authentication credentials. Collectively, the 20 extensions had 1.46 million downloads.
</p>

<p>
	 
</p>

<p>
	“For many I talk to, managing browser extensions can be a lower priority item in their security program,” Tuckner wrote in an email. “Folks know they can present a threat, but rarely are teams taking action on them. We've often seen in security [that] one or two incidents can cause a reevaluation of an organization's security posture. Incidents like this often result in teams scrambling to find a way to gain visibility and understanding of impact to their organizations.”
</p>

<p>
	 
</p>

<p>
	The earliest compromise occurred in May 2024. Tuckner provided the following spreadsheet:
</p>

<p>
	 
</p>

<div class="table-wrapper" data-overlayscrollbars="host">
	<div data-overlayscrollbars-viewport="scrollbarHidden overflowXScroll overflowYHidden" style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; top: 0px; right: auto; left: 0px; width: calc(100% + 0px); padding-right: 0px; padding-left: 0px;" tabindex="-1">
		<table border="1" cellpadding="0" cellspacing="0" data-sheets-baot="1" data-sheets-root="1" dir="ltr">
			<colgroup>
				<col width="100">
				<col width="100">
				<col width="100">
				<col width="100">
				<col width="100">
				<col width="100">
				<col width="100">
				<col width="100">
			</colgroup>
			<tbody>
				<tr>
					<th>
						Name
					</th>
					<th>
						ID
					</th>
					<th>
						Version
					</th>
					<th>
						Patch
					</th>
					<th>
						Available
					</th>
					<th>
						Users
					</th>
					<th>
						Start
					</th>
					<th>
						End
					</th>
				</tr>
				<tr>
					<td>
						VPNCity
					</td>
					<td>
						nnpnnpemnckcfdebeekibpiijlicmpom
					</td>
					<td>
						2.0.1
					</td>
					<td>
						 
					</td>
					<td>
						FALSE
					</td>
					<td>
						10,000
					</td>
					<td>
						12/12/24
					</td>
					<td>
						12/31/24
					</td>
				</tr>
				<tr>
					<td>
						Parrot Talks
					</td>
					<td>
						kkodiihpgodmdankclfibbiphjkfdenh
					</td>
					<td>
						1.16.2
					</td>
					<td>
						 
					</td>
					<td>
						TRUE
					</td>
					<td>
						40,000
					</td>
					<td>
						12/25/24
					</td>
					<td>
						12/31/24
					</td>
				</tr>
				<tr>
					<td>
						Uvoice
					</td>
					<td>
						oaikpkmjciadfpddlpjjdapglcihgdle
					</td>
					<td>
						1.0.12
					</td>
					<td>
						 
					</td>
					<td>
						TRUE
					</td>
					<td>
						40,000
					</td>
					<td>
						12/26/24
					</td>
					<td>
						12/31/24
					</td>
				</tr>
				<tr>
					<td>
						Internxt VPN
					</td>
					<td>
						dpggmcodlahmljkhlmpgpdcffdaoccni
					</td>
					<td>
						1.1.1
					</td>
					<td>
						1.2.0
					</td>
					<td>
						TRUE
					</td>
					<td>
						10,000
					</td>
					<td>
						12/25/24
					</td>
					<td>
						12/29/24
					</td>
				</tr>
				<tr>
					<td>
						Bookmark Favicon Changer
					</td>
					<td>
						acmfnomgphggonodopogfbmkneepfgnh
					</td>
					<td>
						4.00
					</td>
					<td>
						 
					</td>
					<td>
						TRUE
					</td>
					<td>
						40,000
					</td>
					<td>
						12/25/24
					</td>
					<td>
						12/31/24
					</td>
				</tr>
				<tr>
					<td>
						Castorus
					</td>
					<td>
						mnhffkhmpnefgklngfmlndmkimimbphc
					</td>
					<td>
						4.40
					</td>
					<td>
						4.41
					</td>
					<td>
						TRUE
					</td>
					<td>
						50,000
					</td>
					<td>
						12/26/24
					</td>
					<td>
						12/27/24
					</td>
				</tr>
				<tr>
					<td>
						Wayin AI
					</td>
					<td>
						cedgndijpacnfbdggppddacngjfdkaca
					</td>
					<td>
						0.0.11
					</td>
					<td>
						 
					</td>
					<td>
						TRUE
					</td>
					<td>
						40,000
					</td>
					<td>
						12/19/24
					</td>
					<td>
						12/31/24
					</td>
				</tr>
				<tr>
					<td>
						Search Copilot AI Assistant for Chrome
					</td>
					<td>
						bbdnohkpnbkdkmnkddobeafboooinpla
					</td>
					<td>
						1.0.1
					</td>
					<td>
						 
					</td>
					<td>
						TRUE
					</td>
					<td>
						20,000
					</td>
					<td>
						7/17/24
					</td>
					<td>
						12/31/24
					</td>
				</tr>
				<tr>
					<td>
						VidHelper - Video Downloader
					</td>
					<td>
						egmennebgadmncfjafcemlecimkepcle
					</td>
					<td>
						2.2.7
					</td>
					<td>
						 
					</td>
					<td>
						TRUE
					</td>
					<td>
						20,000
					</td>
					<td>
						12/26/24
					</td>
					<td>
						12/31/24
					</td>
				</tr>
				<tr>
					<td>
						AI Assistant - ChatGPT and Gemini for Chrome
					</td>
					<td>
						bibjgkidgpfbblifamdlkdlhgihmfohh
					</td>
					<td>
						0.1.3
					</td>
					<td>
						 
					</td>
					<td>
						FALSE
					</td>
					<td>
						4,000
					</td>
					<td>
						5/31/24
					</td>
					<td>
						10/25/24
					</td>
				</tr>
				<tr>
					<td>
						TinaMind - The GPT-4o-powered AI Assistant!
					</td>
					<td>
						befflofjcniongenjmbkgkoljhgliihe
					</td>
					<td>
						2.13.0
					</td>
					<td>
						2.14.0
					</td>
					<td>
						TRUE
					</td>
					<td>
						40,000
					</td>
					<td>
						12/15/24
					</td>
					<td>
						12/20/24
					</td>
				</tr>
				<tr>
					<td>
						Bard AI chat
					</td>
					<td>
						pkgciiiancapdlpcbppfkmeaieppikkk
					</td>
					<td>
						1.3.7
					</td>
					<td>
						 
					</td>
					<td>
						FALSE
					</td>
					<td>
						100,000
					</td>
					<td>
						9/5/24
					</td>
					<td>
						10/22/24
					</td>
				</tr>
				<tr>
					<td>
						Reader Mode
					</td>
					<td>
						llimhhconnjiflfimocjggfjdlmlhblm
					</td>
					<td>
						1.5.7
					</td>
					<td>
						 
					</td>
					<td>
						FALSE
					</td>
					<td>
						300,000
					</td>
					<td>
						12/18/24
					</td>
					<td>
						12/19/24
					</td>
				</tr>
				<tr>
					<td>
						Primus (prev. PADO)
					</td>
					<td>
						oeiomhmbaapihbilkfkhmlajkeegnjhe
					</td>
					<td>
						3.18.0
					</td>
					<td>
						3.20.0
					</td>
					<td>
						TRUE
					</td>
					<td>
						40,000
					</td>
					<td>
						12/18/24
					</td>
					<td>
						12/25/24
					</td>
				</tr>
				<tr>
					<td>
						Cyberhaven security extension V3
					</td>
					<td>
						pajkjnmeojmbapicmbpliphjmcekeaac
					</td>
					<td>
						24.10.4
					</td>
					<td>
						24.10.5
					</td>
					<td>
						TRUE
					</td>
					<td>
						400,000
					</td>
					<td>
						12/24/24
					</td>
					<td>
						12/26/24
					</td>
				</tr>
				<tr>
					<td>
						GraphQL Network Inspector
					</td>
					<td>
						ndlbedplllcgconngcnfmkadhokfaaln
					</td>
					<td>
						2.22.6
					</td>
					<td>
						2.22.7
					</td>
					<td>
						TRUE
					</td>
					<td>
						80,000
					</td>
					<td>
						12/29/24
					</td>
					<td>
						12/30/24
					</td>
				</tr>
				<tr>
					<td>
						GPT 4 Summary with OpenAI
					</td>
					<td>
						epdjhgbipjpbbhoccdeipghoihibnfja
					</td>
					<td>
						1.4
					</td>
					<td>
						 
					</td>
					<td>
						FALSE
					</td>
					<td>
						10,000
					</td>
					<td>
						5/31/24
					</td>
					<td>
						9/29/24
					</td>
				</tr>
				<tr>
					<td>
						Vidnoz Flex - Video recorder &amp; Video share
					</td>
					<td>
						cplhlgabfijoiabgkigdafklbhhdkahj
					</td>
					<td>
						1.0.161
					</td>
					<td>
						 
					</td>
					<td>
						FALSE
					</td>
					<td>
						6,000
					</td>
					<td>
						12/25/24
					</td>
					<td>
						12/29/24
					</td>
				</tr>
				<tr>
					<td>
						YesCaptcha assistant
					</td>
					<td>
						jiofmdifioeejeilfkpegipdjiopiekl
					</td>
					<td>
						1.1.61
					</td>
					<td>
						 
					</td>
					<td>
						TRUE
					</td>
					<td>
						200,000
					</td>
					<td>
						12/29/24
					</td>
					<td>
						12/31/24
					</td>
				</tr>
				<tr>
					<td>
						Proxy SwitchyOmega (V3)
					</td>
					<td>
						hihblcmlaaademjlakdpicchbjnnnkbo
					</td>
					<td>
						3.0.2
					</td>
					<td>
						 
					</td>
					<td>
						TRUE
					</td>
					<td>
						10,000
					</td>
					<td>
						12/30/24
					</td>
					<td>
						12/31/24
					</td>
				</tr>
			</tbody>
		</table>
	</div>
</div>

<h2>
	But wait, there’s more
</h2>

<p>
	One of the compromised extensions is called <a href="https://chromewebstore.google.com/detail/reader-mode/fbmlcbhdmilaggedifpihjgkkmdgeljh?hl=en" rel="external nofollow">Reader Mode</a>. Further analysis showed it had been compromised not just in the campaign targeting the other 19 extensions but in a separate campaign that started no later than April 2023. Tuckner said the source of the compromise appears to be a code library developers can use to monetize their extensions. The code library collects details about each web visit a browser makes. In exchange for incorporating the library into the extensions, developers receive a commission from the library creator.
</p>

<p>
	 
</p>

<p>
	Tuckner said that Reader Mode is one of 13 Chrome extensions known to have used the library to collect potentially sensitive data. Collectively, these extensions had 1.14 million installations. The full list is:
</p>

<p>
	 
</p>

<div class="table-wrapper">
	<table border="1" cellpadding="0" cellspacing="0" data-sheets-baot="1" data-sheets-root="1" dir="ltr">
		<colgroup>
			<col width="320">
			<col width="284">
			<col width="97">
			<col width="64">
			<col width="100">
			<col width="100">
			<col width="100">
			<col width="100">
		</colgroup>
		<tbody>
			<tr>
				<th>
					Name
				</th>
				<th>
					ID
				</th>
				<th>
					Version
				</th>
				<th>
					Patch
				</th>
				<th>
					Available
				</th>
				<th>
					Users
				</th>
				<th>
					Start
				</th>
				<th>
					End
				</th>
			</tr>
			<tr>
				<td>
					Reader Mode
				</td>
				<td>
					llimhhconnjiflfimocjggfjdlmlhblm
				</td>
				<td>
					1.5.7
				</td>
				<td>
					 
				</td>
				<td>
					FALSE
				</td>
				<td>
					300,000
				</td>
				<td>
					12/18/24
				</td>
				<td>
					12/19/24
				</td>
			</tr>
			<tr>
				<td>
					Tackker - online keylogger tool
				</td>
				<td>
					ekpkdmohpdnebfedjjfklhpefgpgaaji
				</td>
				<td>
					1.3
				</td>
				<td>
					1.4
				</td>
				<td>
					TRUE
				</td>
				<td>
					10,000
				</td>
				<td>
					10/6/23
				</td>
				<td>
					8/13/24
				</td>
			</tr>
			<tr>
				<td>
					AI Shop Buddy
				</td>
				<td>
					epikoohpebngmakjinphfiagogjcnddm
				</td>
				<td>
					2.7.3
				</td>
				<td>
					 
				</td>
				<td>
					TRUE
				</td>
				<td>
					4,000
				</td>
				<td>
					4/30/24
				</td>
				<td>
					 
				</td>
			</tr>
			<tr>
				<td>
					Sort by Oldest
				</td>
				<td>
					miglaibdlgminlepgeifekifakochlka
				</td>
				<td>
					1.4.5
				</td>
				<td>
					 
				</td>
				<td>
					TRUE
				</td>
				<td>
					2,000
				</td>
				<td>
					1/11/24
				</td>
				<td>
					 
				</td>
			</tr>
			<tr>
				<td>
					Rewards Search Automator
				</td>
				<td>
					eanofdhdfbcalhflpbdipkjjkoimeeod
				</td>
				<td>
					1.4.9
				</td>
				<td>
					 
				</td>
				<td>
					TRUE
				</td>
				<td>
					100,000
				</td>
				<td>
					5/4/24
				</td>
				<td>
					 
				</td>
			</tr>
			<tr>
				<td>
					Earny - Up to 20% Cash Back
				</td>
				<td>
					ogbhbgkiojdollpjbhbamafmedkeockb
				</td>
				<td>
					1.8.1
				</td>
				<td>
					 
				</td>
				<td>
					TRUE
				</td>
				<td>
					100,00
				</td>
				<td>
					4/5/23
				</td>
				<td>
					 
				</td>
			</tr>
			<tr>
				<td>
					ChatGPT Assistant - Smart Search
				</td>
				<td>
					bgejafhieobnfpjlpcjjggoboebonfcg
				</td>
				<td>
					1.1.1
				</td>
				<td>
					 
				</td>
				<td>
					TRUE
				</td>
				<td>
					189
				</td>
				<td>
					2/12/24
				</td>
				<td>
					 
				</td>
			</tr>
			<tr>
				<td>
					Keyboard History Recorder
				</td>
				<td>
					igbodamhgjohafcenbcljfegbipdfjpk
				</td>
				<td>
					2.3
				</td>
				<td>
					 
				</td>
				<td>
					TRUE
				</td>
				<td>
					5,000
				</td>
				<td>
					7/29/24
				</td>
				<td>
					 
				</td>
			</tr>
			<tr>
				<td>
					Email Hunter
				</td>
				<td>
					mbindhfolmpijhodmgkloeeppmkhpmhc
				</td>
				<td>
					1.44
				</td>
				<td>
					 
				</td>
				<td>
					TRUE
				</td>
				<td>
					100,000
				</td>
				<td>
					9/17/24
				</td>
				<td>
					 
				</td>
			</tr>
			<tr>
				<td>
					Visual Effects for Google Meet
				</td>
				<td>
					hodiladlefdpcbemnbbcpclbmknkiaem
				</td>
				<td>
					3.1.3
				</td>
				<td>
					3.2.4
				</td>
				<td>
					TRUE
				</td>
				<td>
					900,000
				</td>
				<td>
					6/13/23
				</td>
				<td>
					1/10/24
				</td>
			</tr>
			<tr>
				<td>
					ChatGPT App
				</td>
				<td>
					lbneaaedflankmgmfbmaplggbmjjmbae
				</td>
				<td>
					1.3.8
				</td>
				<td>
					 
				</td>
				<td>
					TRUE
				</td>
				<td>
					7,000
				</td>
				<td>
					9/3/24
				</td>
				<td>
					 
				</td>
			</tr>
			<tr>
				<td>
					Web Mirror
				</td>
				<td>
					eaijffijbobmnonfhilihbejadplhddo
				</td>
				<td>
					2.4
				</td>
				<td>
					 
				</td>
				<td>
					TRUE
				</td>
				<td>
					4,000
				</td>
				<td>
					10/13/23
				</td>
				<td>
					 
				</td>
			</tr>
			<tr>
				<td>
					Hi AI
				</td>
				<td>
					hmiaoahjllhfgebflooeeefeiafpkfde
				</td>
				<td>
					1.0.0
				</td>
				<td>
					 
				</td>
				<td>
					TRUE
				</td>
				<td>
					229
				</td>
				<td>
					7/29/24
				</td>
				<td>
					 
				</td>
			</tr>
		</tbody>
	</table>
</div>

<p>
	 
</p>

<p>
	As Tuckner indicated, browser extensions have long remained a weak link in the security chain. In 2019, for example, extensions for both Chrome and Firefox were caught stealing sensitive data from <a href="https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/" rel="external nofollow">4 million devices</a>. Many of the infected devices ran inside the networks of dozens of companies, including Tesla, Blue Origin, FireEye, Symantec, T-Mobile, and Reddit. In many cases, curbing the threat of malicious extensions is easy, since so many extensions provide no useful benefit.
</p>

<p>
	 
</p>

<p>
	In the case of other abused extensions, such as the one used by Cyberhaven customers, the threat is harder to address. After all, the extension provides a service that many organizations find valuable. Tuckner said one potential part of the solution is for organizations to compile a browser asset management list that allows only selected extensions to run and blocks all others. Even then, Cyberhaven customers would still have installed the malicious extension version unless the asset management list pins a specific version to trust and distrusts all others.
</p>

<p>
	 
</p>

<p>
	Anyone who ran one of these compromised extensions should carefully consider changing passwords and other authentication credentials. The Secure Annex post provides additional indicators of compromise, as do posts <a href="https://medium.com/extensiontotal/when-chrome-extensions-turn-against-us-the-cyberhaven-breach-and-beyond-9e35e59e1bff" rel="external nofollow">here</a>, <a href="https://www.extensiontotal.com/cyberhaven-incident-live" rel="external nofollow">here</a>, <a href="https://infosec.exchange/@WPalant/113744609630895910" rel="external nofollow">here</a>, and <a href="https://x.com/jaimeblascob/status/1872445912175534278" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27236</guid><pubDate>Fri, 03 Jan 2025 16:06:01 +0000</pubDate></item><item><title>The biggest cybersecurity and cyberattack stories of 2024</title><link>https://nsaneforums.com/news/security-privacy-news/the-biggest-cybersecurity-and-cyberattack-stories-of-2024-r27217/</link><description><![CDATA[<p>
	2024 was a big year for cybersecurity, with significant cyberattacks, data breaches, new threat groups emerging, and, of course, zero-day vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Some stories, though, were more impactful or popular with our 31 million readers than others.
</p>

<p>
	 
</p>

<p>
	Below are fourteen of what BleepingComputer believes are the most impactful cybersecurity stories of 2024, with a summary of each. These stories are in no particular order.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">14. <a href="https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/" rel="external nofollow" target="_blank">Internet Archive hacked</a></span>
</h3>

<p>
	On October 9, the Internet Archive was <a href="https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/" rel="external nofollow" target="_blank">hit by two different attacks at once</a>—a data breach where the site's user data for 33 million users was stolen and a DDoS attack by an alleged pro-Palestinian group named SN_BlackMeta.
</p>

<p>
	 
</p>

<p>
	While both attacks occurred over the same period, they were conducted by different threat actors.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="JavaScript alert on Internet Archive warning about the breach" class="ipsImage" height="325" width="720" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/w/wayback-machine/js-alert.jpg">
		<figcaption>
			<em>JavaScript alert on Internet Archive warning about the breach<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The threat actors who breached Internet Archive told BleepingComputer that they could do so through an exposed GitLab configuration file containing an authentication token, allowing them to download the Internet Archive source code.
</p>

<p>
	 
</p>

<p>
	This source code contained additional credentials and authentication tokens, including the credentials to Internet Archive's database management system. This allowed the threat actor to download the organization's user database, further source code, and modify the site.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">13.</span> <a href="https://www.bleepingcomputer.com/news/security/crowdstrike-update-crashes-windows-systems-causes-outages-worldwide/" rel="external nofollow" target="_blank">Bad CrowdStrike updates crashed 8.5 million Windows devices</a>
</h3>

<p>
	On July 19th, 2024, a faulty CrowdStrike Falcon update was pushed out to Windows PCs in the early morning, causing the cybersecurity software's kernel driver to crash the operating system. 
</p>

<p>
	 
</p>

<p>
	This bug <a href="https://www.bleepingcomputer.com/news/security/crowdstrike-update-crashes-windows-systems-causes-outages-worldwide/" rel="external nofollow" target="_blank">caused significant global disruptions</a>, impacting approximately 8.5 million Windows systems, whose users found that their devices had crashed with no easy way back into the operating system to remove the faulty update other than booting into safe mode.
</p>

<p>
	 
</p>

<p>
	The bug <a href="https://www.bleepingcomputer.com/news/security/crowdstrike-content-validator-bug-let-faulty-update-pass-checks/" rel="external nofollow" target="_blank">stemmed from a flaw in CrowdStrike's content validation process</a>, which failed to detect a defective update. This faulty update triggered a series of system crashes, including endless reboot loops that affected both Windows devices and Windows 365 Cloud PCs.
</p>

<p>
	 
</p>

<p>
	As CrowdStrike is used by many organizations, it quickly caused widespread disruption, impacting financial firms, airlines, and hospitals worldwide, which suddenly found their Windows devices and applications were unavailable.
</p>

<p>
	 
</p>

<p>
	Microsoft <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-repair-tool-to-remove-crowdstrike-driver/" rel="external nofollow" target="_blank">released a Windows repair tool</a> to help remove the problematic CrowdStrike driver and restore affected systems. Despite this tool, many organizations faced a lengthy recovery process as each device would need to be manually fixed.
</p>

<p>
	 
</p>

<p>
	Things got worse when the threat actors started getting into the game.
</p>

<p>
	 
</p>

<p>
	Cybercriminals distributed <a href="https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/" rel="external nofollow" target="_blank">fake CrowdStrike repair tools and manuals that pushed malware</a>, including the <a href="https://www.bleepingcomputer.com/news/security/fake-crowdstrike-repair-manual-pushes-new-daolpu-infostealer-malware/" rel="external nofollow" target="_blank">new Daolpu infostealer</a>. These phishing campaigns targeted organizations attempting to recover from the outage, further delaying their recovery.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Fake CrowdStrike fix pushing info-stealing malware" class="ipsImage" height="549" width="720" src="https://www.bleepstatic.com/images/news/malware/d/Daolpu/fake-crowdstrike-recovery-manual.jpg">
		<figcaption>
			<em>Fake CrowdStrike fix pushing info-stealing malware<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	Investors soon <a href="https://www.bleepingcomputer.com/news/legal/crowdstrike-sued-by-investors-over-massive-global-it-outage/" rel="external nofollow" target="_blank">filed a lawsuit against CrowdStrike</a>, accusing it of negligence in its quality assurance processes and failing to prevent the release of the defective update.
</p>

<p>
	 
</p>

<p>
	Microsoft also announced that they would be looking into <a href="https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/" rel="external nofollow" target="_blank">changing their kernel driver handling policies</a> in response to the incident and encouraged antivirus vendors to <a href="https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/" rel="external nofollow" target="_blank">limit their use of kernel drivers</a> to prevent these types of crashes.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">12.</span> <a href="https://www.bleepingcomputer.com/news/security/biden-bans-kaspersky-antivirus-software-in-us-over-security-concerns/" rel="external nofollow" target="_blank">Kaspersky banned in the US—software automatically replaced with UltraAV</a>
</h3>

<p>
	In June, the Biden administration <a href="https://www.bleepingcomputer.com/news/security/biden-bans-kaspersky-antivirus-software-in-us-over-security-concerns/" rel="external nofollow" target="_blank">announced an upcoming ban of Kaspersky antivirus software</a>, giving customers until September 29, 2024, to find alternative security software.
</p>

<p>
	 
</p>

<p>
	The ban not only involved the sale of Kaspersky software in the US, but also prevented the company from delivering antivirus and security updates to customers.
</p>

<p>
	 
</p>

<p>
	A month later, <a href="https://www.bleepingcomputer.com/news/security/kaspersky-is-shutting-down-its-business-in-the-united-states/" rel="external nofollow" target="_blank">Kaspersky began shutting down its operations in the US</a>, telling BleepingComputer that the Biden administration's decisions have made operations "no longer viable."
</p>

<p>
	 
</p>

<p>
	Kaspersky decided to sell its US customer base to Pango and emailed customers in early September that they would receive a free upgrade to the UltraAV software.
</p>

<p>
	 
</p>

<p>
	However, the company didn't make it clear to customers that it would uninstall its software, and on September 19, Kaspersky users suddenly <a href="https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/" rel="external nofollow" target="_blank">found their Kaspersky products removed and UltraAV force-installed</a> on their computers whether they wanted it or not.
</p>

<p>
	 
</p>

<p>
	This made many Kaspersky customers furious that software was installed on their devices without permission or clear notification that it would happen.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">11.</span> <a href="https://www.bleepingcomputer.com/news/security/russian-hackers-stole-microsoft-corporate-emails-in-month-long-breach/" rel="external nofollow" target="_blank">Russian state-sponsored hackers breached Microsoft's corporate email</a>
</h3>

<p>
	In January, <a href="https://www.bleepingcomputer.com/news/security/russian-hackers-stole-microsoft-corporate-emails-in-month-long-breach/" rel="external nofollow" target="_blank">Microsoft disclosed</a> that Russian state-sponsored threat actors breached their corporate email servers in November 2023 to steal email from their leadership, cybersecurity, and legal teams.
</p>

<p>
	 
</p>

<p>
	Some of these emails contained information about the hacking group itself, allowing the threat actors to learn what Microsoft knew about them.
</p>

<p>
	 
</p>

<p>
	The hacking group, known as Midnight Blizzard (aka Nobelium, or APT29), is believed to be a state-backed cyberespionage group tied to the Russian Foreign Intelligence Service (SVR).
</p>

<p>
	 
</p>

<p>
	Microsoft <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code/" rel="external nofollow" target="_blank">later disclosed</a> that the threat actors conducted a password-spray attack that allowed access to a legacy non-production test tenant account.
</p>

<p>
	 
</p>

<p>
	This test tenant account also had access to an OAuth application with elevated privileges in Microsoft's corporate environment, allowing the hackers to steal data from corporate mailboxes.
</p>

<p>
	 
</p>

<p>
	The hackers breached Microsoft again in March 2024 using information found in the stolen emails, allowing them to steal source code repositories.
</p>

<p>
	 
</p>

<p>
	It kept getting worse, with <a href="https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-impacted-by-microsoft-hack-to-mitigate-risks/" rel="external nofollow" target="_blank">CISA confirming in April</a> that emails between US federal agencies and Microsoft were also stolen in the attack. These emails contained information that let the hackers gain access to some customers' systems.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">10.</span>  <a href="https://www.bleepingcomputer.com/news/security/hackers-leak-27-billion-data-records-with-social-security-numbers/" rel="external nofollow" target="_blank">National Public Data breach exposed your Social Security Number</a>
</h3>

<p>
	In August, almost 2.7 billion records of personal information for people in the United States were leaked on a hacking forum, exposing names, Social Security numbers, all known physical addresses, and possible aliases.
</p>

<p>
	 
</p>

<p>
	The data was stolen from National Public Data, a company that collects and sells access to personal data for use in background checks, to obtain criminal records, and for private investigators.
</p>

<p>
	 
</p>

<p>
	Have I Been Pwned's Troy Hunt <a href="https://www.troyhunt.com/inside-the-3-billion-people-national-public-data-breach/" rel="external nofollow" target="_blank">analyzed the breach</a> and determined it contained 134 million unique email addresses, making this a monstrous data breach.
</p>

<p>
	 
</p>

<p>
	The threat actors behind the breach attempted to sell it for $3.5 million, but it was eventually <a href="https://www.bleepingcomputer.com/news/security/hackers-leak-27-billion-data-records-with-social-security-numbers/" rel="external nofollow" target="_blank">leaked for free</a> on a hacking forum.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">9.</span> Attacks on edge networking devices run rampant
</h3>

<p>
	This year, we continued to see attacks targeting edge networking devices from various manufacturers, including Fortinet, TP-Link, Ivanti, and Cisco. 
</p>

<p>
	 
</p>

<p>
	These types of devices are valuable targets as they are meant to be exposed to the Internet, and once breached, allow threat actors to pivot into the internal network.
</p>

<p>
	 
</p>

<p>
	There are too many stories to summarize, so here is a list of the interesting ones:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-20-000-fortigate-systems-worldwide/" rel="external nofollow" target="_blank">Chinese hackers breached 20,000 FortiGate systems worldwide</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-hacked-ivanti-vpn-gateways-even-after-factory-resets/" rel="external nofollow" target="_blank">CISA cautions against using hacked Ivanti VPN gateways even after factory resets</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/us-sanctions-chinese-firm-for-hacking-firewalls-in-ragnarok-ransomware-attacks/" rel="external nofollow" target="_blank">The Pacific Rim attacks: US sanctions Chinese firm for hacking firewalls in ransomware attacks</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/microsoft-chinese-hackers-use-quad7-botnet-to-steal-credentials/" rel="external nofollow" target="_blank">Chinese hackers use Quad7 botnet to steal credentials</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/cisco-warns-of-nx-os-zero-day-exploited-to-deploy-custom-malware/" rel="external nofollow" target="_blank">Cisco warns of NX-OS zero-day exploitation to deploy custom malware</a>
	</li>
</ul>

<p>
	 
</p>

<p>
	It has gotten so bad that the US is considering <a href="https://www.bleepingcomputer.com/news/security/us-considers-banning-tp-link-routers-over-cybersecurity-risks/" rel="external nofollow" target="_blank">banning China-made TP-Link routers</a> over cybersecurity concerns.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">8.</span> CDK Global ransomware attack takes down the car dealership industry
</h3>

<p>
	Car dealership software-as-a-service provider CDK Global <a href="https://www.bleepingcomputer.com/news/security/cdk-global-outage-caused-by-blacksuit-ransomware-attack/" rel="external nofollow" target="_blank">suffered a BlackSuit ransomware attack</a>, causing the company to shut down its systems and leaving clients unable to operate their business normally.
</p>

<p>
	 
</p>

<p>
	CDK Global provides clients in the auto industry with a SaaS platform that handles all aspects of a car dealership's operation, including CRM, financing, payroll, support and service, inventory, and back-office operations.
</p>

<p>
	 
</p>

<p>
	As many of the car dealerships in the US utilize the platform, the outage led to widespread disruption, preventing dealers from tracking and ordering car parts, conducting new sales, and offering financing.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">7. </span><a href="https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/" rel="external nofollow" target="_blank">The Snowflake data theft attacks</a>
</h3>

<p>
	In May, threat actors began selling data that they claimed was stolen from customers of the Snowflake cloud data platform.
</p>

<p>
	 
</p>

<p>
	After the attacks were investigated, it was determined that the threat actors didn't breach Snowflake itself but rather used compromised credentials to log in to customers' Snowflake accounts.
</p>

<p>
	 
</p>

<p>
	These credentials are believed to have been stolen through information-stealing malware.
</p>

<p>
	 
</p>

<p>
	Once they logged into the account, they were able to export the databases and use them to extort companies into paying a ransom for the data not to be publicly released.
</p>

<p>
	 
</p>

<p>
	AT&amp;T <a href="https://www.bleepingcomputer.com/news/security/massive-atandt-data-breach-exposes-call-logs-of-109-million-customers/" rel="external nofollow" target="_blank">disclosed in July</a> that call logs of 109 million customers were exposed during the incident and that the data was accessed from an online database on the company's Snowflake account.
</p>

<p>
	 
</p>

<p>
	Ticketmaster was also impacted, with the threat actors claiming to <a href="https://www.bleepingcomputer.com/news/security/data-of-560-million-ticketmaster-customers-for-sale-after-alleged-breach/" rel="external nofollow" target="_blank">steal the data of 560 million customers</a>.
</p>

<p>
	 
</p>

<p>
	<img alt="Claiming to sell Ticketmaster data" class="ipsImage" height="600" style="height: auto;" width="940" src="https://www.bleepstatic.com/images/news/u/1109292/2024/Allegedly_stolen_Ticketmaster_data_for_sale.jpg">
</p>

<p>
	 
</p>

<p>
	Data breaches linked to these attacks, which started in April 2024, have affected hundreds of millions of individuals using the services of <a href="https://www.bleepingcomputer.com/news/security/massive-atandt-data-breach-exposes-call-logs-of-109-million-customers/" rel="external nofollow" target="_blank">AT&amp;T</a>, <a href="https://www.bleepingcomputer.com/news/security/data-of-560-million-ticketmaster-customers-for-sale-after-alleged-breach/" rel="external nofollow" target="_blank">Ticketmaster</a>, <a href="https://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/" rel="external nofollow" target="_blank">Santander</a>, <a href="https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/" rel="external nofollow" target="_blank">Pure Storage</a>, <a href="https://www.bleepingcomputer.com/news/security/advance-auto-parts-confirms-data-breach-exposed-employee-information/" rel="external nofollow" target="_blank">Advance Auto Parts</a>, <a href="https://www.bleepingcomputer.com/news/security/los-angeles-unified-confirms-student-data-stolen-in-snowflake-account-hack/" rel="external nofollow" target="_blank">Los Angeles Unified</a>, <a href="https://techcrunch.com/2024/06/07/snowflake-ticketmaster-lendingtree-customer-data-breach/" rel="external nofollow" target="_blank">QuoteWizard/LendingTree</a>, and <a href="https://www.bleepingcomputer.com/news/security/neiman-marcus-confirms-data-breach-after-snowflake-account-hack/" rel="external nofollow" target="_blank">Neiman Marcus</a>.
</p>

<p>
	 
</p>

<p>
	In November, the US Department of Justice unsealed an indictment against two people, Connor Riley Moucka and John Erin Binns, who are <a href="https://www.bleepingcomputer.com/news/security/us-indicts-snowflake-hackers-who-extorted-25-million-from-3-victims/" rel="external nofollow" target="_blank">accused of being behind the attacks</a>.
</p>

<p>
	 
</p>

<p>
	The threat actors allegedly extorted $2.5 million as part of these attacks, with <a href="https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/" rel="external nofollow" target="_blank">Wired reporting</a> that AT&amp;T paid $370,000 for the hackers to delete stolen call records.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">6.</span>  The North Korean IT Worker scheme
</h3>

<p>
	This year, we saw an uptick in North Korean IT workers trying to get jobs in the US and other countries to perform cyberespionage and generate revenue for their country's operations.
</p>

<p>
	 
</p>

<p>
	In May, the <a href="https://www.bleepingcomputer.com/news/security/five-arizona-ukraine-charged-for-cyber-schemes-infiltrating-over-300-companies-to-benefit-north-koreas-weapons-program/" rel="external nofollow" target="_blank">Department of Justice charged five individuals</a>, a female US citizen, a Ukrainian man, and three foreign nationals, for their involvement in helping North Korean IT workers infiltrate US job markets to generate revenue for North Korea's nuclear weapons program.
</p>

<p>
	 
</p>

<p>
	In July, email security firm KnowBe4 <a href="https://www.bleepingcomputer.com/news/security/knowbe4-mistakenly-hires-north-korean-hacker-faces-infostealer-attack/" rel="external nofollow" target="_blank">mistakenly hired a North Korean hacker</a> as their Principal Software Engineer, who attempted to install information-stealing malware on the network.
</p>

<p>
	 
</p>

<p>
	In August, the <a href="https://www.bleepingcomputer.com/news/security/us-dismantles-laptop-farm-used-by-undercover-north-korean-it-workers/" rel="external nofollow" target="_blank">Justice Department arrested a Nashville man</a> charged with helping North Korean IT workers obtain remote work at companies across the United States and operating a laptop farm they used to pose as U.S.-based individuals.
</p>

<p>
	 
</p>

<p>
	Both <a href="https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat" rel="external nofollow" target="_blank">Mandiant</a> and <a href="https://www.bleepingcomputer.com/news/security/undercover-north-korean-it-workers-now-steal-data-extort-employers/" rel="external nofollow" target="_blank">SecureWorks</a> later released reports on the North Korean IT Worker threat, sharing their tactics and how companies can protect themselves.
</p>

<h3 class="top_story" style="color:white!important">
	5. <a href="https://www.bleepingcomputer.com/news/security/unitedhealth-confirms-optum-hack-behind-us-healthcare-billing-outage/" rel="external nofollow" target="_blank">The UnitedHealth Change HealthCare ransomware attack</a>
</h3>

<p>
	In February, UnitedHealth subsidiary Change Healthcare <a href="https://www.bleepingcomputer.com/news/security/unitedhealth-confirms-optum-hack-behind-us-healthcare-billing-outage/" rel="external nofollow" target="_blank">suffered a massive ransomware attack</a> that caused widespread disruption to the US healthcare industry.
</p>

<p>
	 
</p>

<p>
	The outages prevented doctors and pharmacies from filing claims and prevented pharmacies from accepting discount prescription cards, causing patients to pay full price for medications.
</p>

<p>
	 
</p>

<p>
	The attack was ultimately <a href="https://www.bleepingcomputer.com/news/security/unitedhealth-subsidiary-optum-hack-linked-to-blackcat-ransomware/" rel="external nofollow" target="_blank">linked to the BlackCat ransomware gang</a>, aka ALPHV, who used <a href="https://www.bleepingcomputer.com/news/security/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa/" rel="external nofollow" target="_blank">stolen credentials</a> to breach the company's Citrix remote access service, which did not have multi-factor authentication enabled.
</p>

<p>
	 
</p>

<p>
	During the attack, the threat actors <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-claims-they-stole-6tb-of-change-healthcare-data/" rel="external nofollow" target="_blank">stole 6 TB of data</a> and ultimately encrypted computers on the network, causing the company to shut down IT systems to prevent the spread of the attack.
</p>

<p>
	 
</p>

<p>
	The UnitedHealth Group admitted to paying a ransom demand to receive a decryptor and for the threat actors to delete the stolen data. The ransom payment was allegedly $22 million, according to the BlackCat ransomware affiliate who conducted the attack.
</p>

<p>
	 
</p>

<p>
	The BlackCat ransomware operation was under immense pressure from law enforcement after the Change Healthcare attacks, <a href="https://www.bleepingcomputer.com/news/security/blackcat-ransomware-turns-off-servers-amid-claim-they-stole-22-million-ransom/" rel="external nofollow" target="_blank">causing them to shut down</a>.
</p>

<p>
	 
</p>

<p>
	After UnitedHealth paid an alleged $20 million ransom, the ransomware operation performed an exit scam, stealing all of the money and not sharing any with the affiliate who conducted the attack.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Affiliate stating BlackCat performed an exit scam" class="ipsImage" height="600" style="height: auto;" width="752" src="https://www.bleepstatic.com/images/news/u/1100723/2024/ALPHV_Scam_Affil.png">
		<figcaption>
			<em>Affiliate stating BlackCat performed an exit scam</em>
		</figcaption>
	</figure>
</div>

<p>
	Unfortunately, the affiliate claimed to still have Change Healthcare's data, which they used to extort the healthcare company again, <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-starts-leaking-alleged-stolen-change-healthcare-data/" rel="external nofollow" target="_blank">this time using RansomHub's extortion site</a>.
</p>

<p>
	 
</p>

<p>
	Ultimately, the data disappeared from the extortion site, likely indicating that another ransom was paid.
</p>

<p>
	 
</p>

<p>
	In October, UnitedHealth confirmed that <a href="https://www.bleepingcomputer.com/news/security/unitedhealth-says-data-of-100-million-stolen-in-change-healthcare-breach/" rel="external nofollow" target="_blank">over 100 million people had their personal and healthcare data stolen</a>, marking this as the largest healthcare data breach in recent years.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">4.</span> <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupted-by-global-police-operation/" rel="external nofollow" target="_blank">LockBit disrupted</a>
</h3>

<p>
	On February 19, authorities took down LockBit's infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel.
</p>

<p>
	 
</p>

<p>
	This disruption was part of an international law enforcement operation called <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupted-by-global-police-operation/" rel="external nofollow" target="_blank">Operation Cronos</a>.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Law enforcement seizure message on LockBit's servers" class="ipsImage" height="600" style="height: auto;" width="886" src="https://www.bleepstatic.com/images/news/u/1109292/2024/LockBit_seizure_banner_site.jpg">
		<figcaption>
			<em>Law enforcement seizure message on LockBit's servers<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	Five days later, <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-restores-servers-after-police-disruption/" rel="external nofollow" target="_blank">LockBit relaunched with new infrastructure</a> and threatened to focus more of its attacks on the government sector.
</p>

<p>
	 
</p>

<p>
	However, the ransomware gang was never able to return to its previous prominence, with its affiliates moving to other ransomware operations.
</p>

<p>
	 
</p>

<p>
	Over the past year, law enforcement has continued to target LockBit, identifying and <a href="https://www.bleepingcomputer.com/news/security/us-charges-russian-israeli-as-suspected-lockbit-ransomware-coder/" rel="external nofollow" target="_blank">charging seven LockBit ransomware members</a>.
</p>

<p>
	 
</p>

<p>
	Among those charged is the primary operator of the ransomware operation, who the <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-admin-identified-sanctioned-in-us-uk-australia/" rel="external nofollow" target="_blank">Department of Justice claims</a> is a Russian national named Dmitry Yuryevich Khoroshev, aka 'LockBitSupp' and 'putinkrab'.
</p>

<p>
	 
</p>

<p>
	LockBit recently began testing a new encryptor called LockBit 4, which does not appear to be much different from its previous version.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">3. </span><a href="https://www.bleepingcomputer.com/news/microsoft/microsofts-new-windows-11-recall-is-a-privacy-nightmare/" rel="external nofollow" target="_blank">Windows 11 Recall: A privacy nightmare?</a>
</h3>

<p>
	Microsoft's new AI-powered <a href="https://www.bleepingcomputer.com/news/microsoft/microsofts-new-windows-11-recall-is-a-privacy-nightmare/" rel="external nofollow" target="_blank">Windows 11 Recall feature</a> has sparked a lot of concern among the cybersecurity community, with many thinking that it is a massive privacy risk and a new attack vector that threat actors can exploit to steal data.
</p>

<p>
	 
</p>

<p>
	After receiving tremendous backlash, Microsoft delayed the release of the software to increase its security, requiring users to <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-makes-windows-recall-opt-in-secures-data-with-windows-hello/" rel="external nofollow" target="_blank">opt in to enable Recall</a> on their computers and to confirm they're in front of their PC <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-makes-windows-recall-opt-in-secures-data-with-windows-hello/" rel="external nofollow" target="_blank">via Windows Hello</a> before they can use it.
</p>

<p>
	 
</p>

<p>
	Microsoft continued to delay its release while <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-recall-now-can-be-removed-is-more-secure/" rel="external nofollow" target="_blank">adding additional features</a>, such as automatically filtering sensitive content and allowing users to exclude specific apps, websites, or in-private browsing sessions, and made it possible to remove Recall if needed.
</p>

<p>
	 
</p>

<p>
	However, after <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-expands-recall-preview-to-intel-and-amd-copilot-plus-pcs/" rel="external nofollow" target="_blank">releasing the software to Windows Insiders</a> for testing, <a href="https://www.tomshardware.com/software/windows/microsoft-recall-screenshots-credit-cards-and-social-security-numbers-even-with-the-sensitive-information-filter-enabled" rel="external nofollow" target="_blank">it was discovered</a> that Windows 11 Recall did not properly filter sensitive information, like credit cards.
</p>

<p>
	 
</p>

<p>
	Microsoft said it continues to refine the product as new issues are discovered.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">2.</span> <a href="https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/" rel="external nofollow" target="_blank"><span class="top_num">The 2024 Telecom attacks</span></a>
</h3>

<p>
	A Chinese state-sponsored hacking group known as "Salt Typhoon" is <a href="https://www.bleepingcomputer.com/news/security/us-says-chinese-hackers-breached-multiple-telecom-providers/" rel="external nofollow" target="_blank">linked to a series of cyberattacks targeting telecommunications firms</a> globally.
</p>

<p>
	 
</p>

<p>
	These breaches <a href="https://www.bleepingcomputer.com/news/security/white-house-links-ninth-telecom-breach-to-chinese-hackers/" rel="external nofollow" target="_blank">compromised at least nine major telecom providers</a>, including AT&amp;T, Verizon, and <a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-t-mobiles-routers-to-scope-out-network/" rel="external nofollow" target="_blank">T-Mobile</a>.
</p>

<p>
	 
</p>

<p>
	The group reportedly focused on infiltrating telecom infrastructure to steal text messages, phone call information, and voicemails from targeted people. The threat actors also targeted the wiretapping platforms used by the US government, raising serious national security concerns. 
</p>

<p>
	 
</p>

<p>
	A White House briefing revealed that Salt Typhoon's operations also impacted telecommunications providers in <a href="https://www.bleepingcomputer.com/news/security/white-house-salt-typhoon-hacked-telcos-in-dozens-of-countries/" rel="external nofollow" target="_blank">dozens of countries</a>.
</p>

<p>
	 
</p>

<p>
	In the US, these attacks prompted concerns about weaknesses in telecom infrastructure and the security of government surveillance platforms. 
</p>

<p>
	 
</p>

<p>
	US lawmakers, including Senator Ron Wyden, have <a href="https://www.bleepingcomputer.com/news/security/wyden-proposes-bill-to-secure-us-telecoms-after-salt-typhoon-hacks/" rel="external nofollow" target="_blank">proposed legislation</a> to address vulnerabilities in the nation's telecom infrastructure. The proposed bill aims to establish stricter cybersecurity standards and oversight for telecom providers to prevent similar attacks in the future.
</p>

<p>
	 
</p>

<p>
	The US government <a href="https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/" rel="external nofollow" target="_blank">reportedly plans</a> to ban China Telecom's last active US operations in response to the telecom hacks.
</p>

<h3 class="top_story" style="color:white!important">
	<span class="top_num">1. <a href="https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/" rel="external nofollow" target="_blank">The rise of Infostealers</a></span>
</h3>

<p>
	Information-stealing malware has run rampant this year, used in many different campaigns to steal infected users' browser data, cookies, saved credentials, credit cards, and cryptocurrency wallets.
</p>

<p>
	 
</p>

<p>
	While infostealers have been around for many years, they have been particularly prominent of late, with threat actors using them in a wide range of campaigns.
</p>

<p>
	 
</p>

<p>
	These stolen credentials are then used to breach corporate networks, bank accounts, cryptocurrency exchanges, and email accounts.
</p>

<p>
	 
</p>

<p>
	The list of stories surrounding infostealers is too long to summarize, so instead, here are a few of the ways infostealers were used this year:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/hacker-hijacks-orange-spain-ripe-account-to-cause-bgp-havoc/" rel="external nofollow" target="_blank">Hacker hijacks Orange Spain RIPE account to cause BGP havoc</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/global-infostealer-malware-operation-targets-crypto-users-gamers/" rel="external nofollow" target="_blank">Global infostealer malware operation targets crypto users, gamers</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/windows-vulnerability-abused-braille-spaces-in-zero-day-attacks/" rel="external nofollow" target="_blank">Windows vulnerability abused braille "spaces" in zero-day attacks</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-infostealer-via-fake-captcha-pages/" rel="external nofollow" target="_blank">Malicious ads push Lumma infostealer via fake CAPTCHA pages</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/clever-github-scanner-campaign-abusing-repos-to-push-malware/" rel="external nofollow" target="_blank">Clever 'GitHub Scanner' campaign abusing repos to push malware</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpful-stack-overflow-users-to-push-malware/" rel="external nofollow" target="_blank">Cybercriminals pose as "helpful" Stack Overflow users to push malware</a>
	</li>
</ul>

<p>
	 
</p>

<p>
	Unfortunately, an infostealer infection can lead to devastating financial losses, as threat actors steal cryptocurrency and access victims' bank accounts.
</p>

<p>
	 
</p>

<p>
	The best way to prevent these types of attacks is to enable two-factor authentication with an authenticator app on all accounts that offer the protection. With 2FA enabled, even if a threat actor has your credentials, they won't be able to log in without the code generated by your authenticator.
</p>

<p>
	 
</p>
<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2024/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">27217</guid><pubDate>Thu, 02 Jan 2025 16:50:26 +0000</pubDate></item><item><title>AI-generated phishing emails are getting very good at targeting executives</title><link>https://nsaneforums.com/news/security-privacy-news/ai-generated-phishing-emails-are-getting-very-good-at-targeting-executives-r27216/</link><description><![CDATA[<h3>
	Hyper-personalized emails use "an immense amount" of scraped data.
</h3>

<p>
	Corporate executives are being hit with an influx of hyper-personalized phishing scams generated by artificial intelligence bots, as the fast-developing technology makes advanced cyber crime easier.
</p>

<p>
	 
</p>

<p>
	Leading companies such as British insurer Beazley and ecommerce group eBay have warned of the rise of fraudulent emails containing personal details probably obtained through AI analysis of online profiles.
</p>

<p>
	 
</p>

<p>
	“This is getting worse and it’s getting very personal, and this is why we suspect AI is behind a lot of it,” said Beazley’s chief information security officer Kirsty Kelly. “We’re starting to see very targeted attacks that have scraped an immense amount of information about a person.”
</p>

<p>
	 
</p>

<p>
	Cyber security experts said the increasing attacks come during a period of rapid advancement for AI technology, as tech companies race to create ever more sophisticated systems and launch popular products for consumers and businesses.
</p>

<p>
	 
</p>

<p>
	AI bots can quickly ingest large quantities of data about the tone and style of a company or individual and replicate these features to craft a convincing scam.
</p>

<p>
	 
</p>

<p>
	They can also scrape a victim’s online presence and social media activity to determine what topics they may be most likely to respond to—helping hackers generate bespoke phishing scams at scale.
</p>

<p>
	 
</p>

<p>
	“The availability of generative AI tools lowers the entry threshold for advanced cyber crime,” said eBay cyber crime security researcher Nadezda Demidova. “We’ve witnessed a growth in the volume of all kinds of cyber attacks,” particularly in “polished and closely targeted” phishing scams, she added.
</p>

<p>
	 
</p>

<p>
	Kip Meintzer, an executive at security company Check Point Software Technologies, told a recent investor conference that AI had given hackers “the ability to write a perfect phishing email.”
</p>

<p>
	 
</p>

<p>
	More than 90 percent of successful cyber attacks begin with a phishing email, according to the US Cybersecurity and Infrastructure Security Agency. As these attacks become more sophisticated, their consequences have become increasingly expensive, with the global average cost of a data breach rising nearly 10 percent to $4.9 million in 2024, according to IBM.
</p>

<p>
	 
</p>

<p>
	Researchers have warned that AI is particularly effective for crafting business email compromise scams—a specific type of malware-free phishing where fraudsters trick recipients into transferring funds or divulging confidential company information. This kind of scam has cost victims worldwide more than $50 billion since 2013, according to the FBI.
</p>

<p>
	 
</p>

<p>
	AI is “being used to scan everything to see where there’s a vulnerability, whether that’s in code or in the human chain,” said Sean Joyce, global cyber security lead at PwC.
</p>

<p>
	 
</p>

<p>
	Phishing scams generated using AI may also be more likely to bypass companies’ email filters and cyber security training.
</p>

<p>
	 
</p>

<p>
	Basic filters, which generally block repeated bulk phishing campaigns, may struggle to track these scams if AI is used to rapidly generate thousands of reworded messages, said eBay’s Demidova.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/01/ai-generated-phishing-emails-are-getting-very-good-at-targeting-executives/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27216</guid><pubDate>Thu, 02 Jan 2025 16:48:37 +0000</pubDate></item><item><title>New details reveal how hackers hijacked 35 Google Chrome extensions</title><link>https://nsaneforums.com/news/security-privacy-news/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions-r27203/</link><description><![CDATA[<p>
	New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven.
</p>

<p>
	 
</p>

<p>
	Although <a href="https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data/" rel="external nofollow" target="_blank">initial reports</a> focused on Cyberhaven's security-focused extension, subsequent investigations revealed that the same code had been injected into at least <a href="https://www.extensiontotal.com/cyberhaven-incident-live" rel="external nofollow" target="_blank">35 extensions</a> collectively used by roughly 2,600,000 people.
</p>

<p>
	 
</p>

<p>
	From reports on <a href="https://www.linkedin.com/feed/update/urn:li:activity:7270379007265714177/" rel="external nofollow" target="_blank">LinkedIn</a> and <a href="http://groups.google.com/a/chromium.org/g/chromium-extensions/c/mJn0ynfgNq8?pli=1" rel="external nofollow" target="_blank">Google Groups</a> from targeted developers, the latest campaign started around December 5th, 2024. However, earlier command and control subdomains found by BleepingComputer existed as far back as March 2024.
</p>

<p>
	 
</p>

<p>
	"I just wanted to alert people to a more sophisticated phishing email than usual that we got that stated a Chrome Extension policy violation of the form: 'Unnecessary details in the description'," reads the post in the Chromium Extensions Google Group.
</p>

<p>
	 
</p>

<p>
	"The link in this email looks like the webstore but goes to a phishing website that will try to take control of your chrome extension and likely update it with malware."
</p>

<h2>
	A deceptive OAuth attack chain
</h2>

<p>
	The attack begins with a phishing email sent to Chrome extension developers directly or through a support email associated with their domain name.
</p>

<p>
	 
</p>

<p>
	From emails seen by BleepingComputer, the following domains were used in this campaign to send the phishing emails:
</p>

<pre><code>supportchromestore.com
forextensions.com
chromeforextension.com</code></pre>

<p>
	The phishing email, which is made to appear as if it comes from Google, claims that the extension is in violation of Chrome Web Store policies and is at risk of being removed.  
</p>

<p>
	 
</p>

<p>
	"We do not allow extensions with misleading, poorly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension description, developer name, title, icon, screenshots, and promotional images," reads the phishing email.
</p>

<p>
	 
</p>

<p>
	Specifically, the extension's developer is led to believe their software's description contains misleading information and must agree to the Chrome Web Store policies.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="The phishing email used in the attack" class="ipsImage" height="720" width="509" src="https://www.bleepstatic.com/images/news/security/phishing/c/chrome-extension-phishing-attack/chrome-phishing-email.jpg">
		<figcaption>
			<em>The phishing email used in the attack<br>
			Source: Google Groups</em>
		</figcaption>
	</figure>
</div>

<p>
	If the developer clicks on the embedded 'Go To Policy' button in an effort to understand what rules they have violated, they are taken to a legitimate login page on Google's domain for a malicious OAuth application.
</p>

<p>
	 
</p>

<p>
	The page is part of Google's standard authorization flow, designed for securely granting permissions to third-party apps to access specific Google account resources.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="The malicious landing page hosted on Google" class="ipsImage" height="290" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/33/page.jpg">
		<figcaption>
			<em>Malicious authentication request<br>
			Source: Cyberhaven</em>
		</figcaption>
	</figure>
</div>

<p>
	On that platform, the attacker hosted a malicious OAuth application named "Privacy Policy Extension" that asked the victim to grant permission to manage Chrome Web Store extensions through their account.
</p>

<p>
	 
</p>

<p>
	"When you allow this access, Privacy Policy Extension will be able to: See, edit, update, or publish your Chrome Web Store extensions, themes, apps, and licenses you have access to," reads the OAuth authorization page.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Permissions approval prompt" class="ipsImage" height="600" style="height: auto;" width="1097" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/33/approval.jpg">
		<figcaption>
			<em>Permissions approval prompt<br>
			Source: Cyberhaven</em>
		</figcaption>
	</figure>
</div>

<p>
	Multi-factor authentication didn't help protect the account, as granting consent to an OAuth application doesn't require a separate approval step, and the process assumes the user fully understands the scope of the permissions they're granting.
</p>

<p>
	 
</p>

<p>
	"The employee followed the standard flow and inadvertently authorized this malicious third-party application," <a href="https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension" rel="external nofollow" target="_blank">explains Cyberhaven</a> in a post-mortem writeup.
</p>

<p>
	 
</p>

<p>
	"The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee's Google credentials were not compromised."
</p>

<p>
	 
</p>

<p>
	Once the threat actors gained access to the extension developer's account, they modified the extension to include two malicious files, namely 'worker.js' and 'content.js,' which contained code to steal data from Facebook accounts.
</p>

<p>
	 
</p>

<p>
	The hijacked extension was then published as a "new" version on the Chrome Web Store.
</p>

<p>
	 
</p>

<p>
	While Extension Total is tracking <a href="https://www.extensiontotal.com/cyberhaven-incident-live" rel="external nofollow" target="_blank">thirty-five extensions</a> impacted by this phishing campaign, IOCs from the attack indicate that a far greater number were targeted.
</p>

<p>
	 
</p>

<p>
	According to <a href="https://www.virustotal.com/gui/ip-address/149.248.2.160/relations" rel="external nofollow" target="_blank">VirusTotal</a>, the threat actors pre-registered domains for targeted extensions, even for those whose developers did not fall for the attack.
</p>

<p>
	 
</p>

<p>
	While most domains were created in November and December, BleepingComputer found that the threat actors were testing this attack in March 2024.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Earlier subdomains used in the phishing campaign" class="ipsImage" height="500" style="height: auto;" width="829" src="https://www.bleepstatic.com/images/news/security/phishing/c/chrome-extension-phishing-attack/attack-subdomains.jpg">
		<figcaption>
			<em>Earlier subdomains used in the phishing campaign<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<h2>
	Targeting Facebook business accounts
</h2>

<p>
	Analysis of compromised machines showed that the attackers were after the Facebook accounts of users of the poisoned extensions.
</p>

<p>
	 
</p>

<p>
	Specifically, the data-stealing code attempted to grab the user's Facebook ID, access token, account info, ad account information, and business accounts.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Facebook data stolen by hijacked extensions" class="ipsImage" height="550" style="height: auto;" width="872" src="https://www.bleepstatic.com/images/news/security/phishing/c/chrome-extension-phishing-attack/facebook-data-stolen-by-extensions.jpg">
		<figcaption>
			<em>Facebook data stolen by hijacked extensions<br>
			Source: Cyberhaven</em>
		</figcaption>
	</figure>
</div>

<p>
	Additionally, the malicious code added a mouse click event listener specifically for the victim's interactions on Facebook.com, looking for QR code images related to the platform's two-factor authentication or CAPTCHA mechanisms.
</p>

<p>
	 
</p>

<p>
	This aimed to bypass 2FA protections on the Facebook account and allow the threat actors to hijack it.
</p>

<p>
	 
</p>

<p>
	The stolen information would be packaged together with Facebook cookies, the user agent string, Facebook ID, and the mouse click events and exfiltrated to the attacker's command and control (C2) server.
</p>

<p>
	 
</p>

<p>
	Threat actors have been <a href="https://www.bleepingcomputer.com/news/security/linkedin-phishing-target-employees-managing-facebook-ad-accounts/" rel="external nofollow" target="_blank">targeting Facebook business accounts</a> via <a href="https://www.bleepingcomputer.com/news/security/ducktail-hackers-now-use-whatsapp-to-phish-for-facebook-ad-accounts/" rel="external nofollow" target="_blank">various attack pathways</a> to make direct payments from the victim's credit to accounts they control, run disinformation or phishing campaigns on the social media platform, or monetize their access by selling it to others.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27203</guid><pubDate>Wed, 01 Jan 2025 01:51:05 +0000</pubDate></item><item><title>Passkey technology is elegant, but it&#x2019;s most definitely not usable security</title><link>https://nsaneforums.com/news/security-privacy-news/passkey-technology-is-elegant-but-it%E2%80%99s-most-definitely-not-usable-security-r27190/</link><description><![CDATA[<h3>
	Just in time for holiday tech-support sessions, here's what to know about passkeys.
</h3>

<p>
	It's that time again, when families and friends gather and implore the more technically inclined among them to troubleshoot problems they're having behind the device screens all around them. One of the most vexing and most common problems is logging into accounts in a way that's both secure and reliable.
</p>

<p>
	 
</p>

<p>
	Using the same password everywhere is easy, but in an age of mass data breaches and precision-orchestrated phishing attacks, it's also highly inadvisable. Then again, creating hundreds of unique passwords, storing them securely, and keeping them out of the hands of phishers and database hackers is hard enough for experts, let alone Uncle Charlie, who got his first smartphone only a few years ago. No wonder this problem never goes away.
</p>

<p>
	 
</p>

<p>
	Passkeys—the much-talked-about alternative to passwords, which have been widely available for almost two years—were supposed to fix all that. When I wrote about passkeys <a href="https://arstechnica.com/information-technology/2023/05/passwordless-google-accounts-are-easier-and-more-secure-than-passwords-heres-why/" rel="external nofollow">two years ago</a>, I was a big believer. I remain convinced that passkeys mount the steepest hurdle yet for phishers, SIM swappers, database plunderers, and other adversaries trying to hijack accounts. How and why is that?
</p>

<h2>
	Elegant, yes, but usable?
</h2>

<p>
	The <a href="https://fidoalliance.org/fido2/" rel="external nofollow">FIDO2 specification</a> and the overlapping <a href="https://www.w3.org/press-releases/2019/webauthn/" rel="external nofollow">WebAuthn predecessor</a> that underpin passkeys are nothing short of pure elegance. Unfortunately, as support has become ubiquitous in browsers, operating systems, password managers, and other third-party offerings, the ease and simplicity envisioned have been undone—so much so that they can't be considered usable security, a term I define as a security measure that's as easy, or only incrementally harder, to use as less-secure alternatives.
</p>

<p>
	 
</p>

<p>
	"There are barriers at each turn that guide you through a developer's idea of how you should use them," William Brown, a software engineer specializing in authentication, wrote in an online interview. "None of them are deal-breaking, but they add up."
</p>

<p>
	 
</p>

<p>
	Passkeys are now supported on <a href="https://fidoalliance.org/passkeys-directory/" rel="external nofollow">hundreds of sites</a> and roughly a <a href="https://passkeys.dev/device-support/" rel="external nofollow">dozen</a> operating systems and browsers. The diverse ecosystem demonstrates the industry-wide support for passkeys, but it has also fostered a jumble of competing workflows, appearances, and capabilities that can vary greatly depending on the particular site, OS, and browser (or browser agents such as native iOS or Android apps). Rather than help users understand the dizzying number of options and choose the right one, each implementation strong-arms the user into choosing the vendor's preferred choice.
</p>

<p>
	 
</p>

<p>
	The experience of logging into PayPal with a passkey on Windows will be different from logging into the same site on iOS or even logging into it with Edge on Android. And forget about trying to use a passkey to log into PayPal on Firefox. The payment site doesn't support that browser on any OS.
</p>

<p>
	 
</p>

<p>
	Another example is when I create a passkey for my LinkedIn account on Firefox. Because I use a wide assortment of browsers across platforms, I have chosen to sync the passkey using my 1Password password manager. In theory, that choice allows me to automatically use this passkey anywhere I have access to my 1Password account, something that isn't possible otherwise. But it's not as simple as all that.
</p>

<p>
	 
</p>

<p>
	When I look at the passkey in LinkedIn settings, it shows as being created for Firefox on Mac OS X 10, even though it works on all the browsers and OSes I'm using.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2067647 align-fullwidth">
	<div>
		<img alt="linkedin-passkey-firefox-macos-1024x794." class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/12/linkedin-passkey-firefox-macos-1024x794.jpg">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Screenshot showing passkey is created for Firefox on Mac OS X 10. </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	Why is LinkedIn indicating otherwise? The answer is that there's no way for LinkedIn to interoperate flexibly with the browsers and OSes, and vice versa. Per the FIDO2 and WebAuthn specs, LinkedIn knows only the browser and OS I used when creating the credential. 1Password, meanwhile, has no way to coordinate with LinkedIn to ensure I'm presented with consistent information that will help me keep track of this. Suddenly, using passkeys is more confusing than it needs to be for them to be useful to ordinary users.
</p>

<p>
	 
</p>

<p>
	Things get more complicated still when I want to log into LinkedIn on Firefox for Android, and am presented with the following dialog box.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2067649 align-fullwidth">
	<div>
		<img alt="linkedin-passkey-firefox-android-1024x22" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/12/linkedin-passkey-firefox-android-1024x2276.png">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Screenshot showing a dialog box with the text: "You're using on-device encryption. Unlock your passwords to sign in." </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	At this point, I don't know if it's Google or Firefox that's presenting me with this non-intuitive response. I just want to open LinkedIn using the passkey that's being synced by 1Password to all my devices. Somehow, the mysterious entity responsible for this message (it's Google in this case) has hijacked the process in an attempt to convince me to use its platform.
</p>

<p>
	 
</p>

<p>
	Also, consider the experience on <a href="https://webauthn.io/" rel="external nofollow">WebAuthn.io</a>, a site that demonstrates how the standard works under different scenarios. When a user wants to enroll a physical security key to log in on macOS, they receive a dialog that steers them toward using a passkey instead and to sync it through iCloud.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2067659 align-fullwidth">
	<div>
		<img alt="webauthn.io-01.png" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/12/webauthn.io-01.png">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Dialog box showing macOS passkeys message. </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	The user just wants to enroll a security key in the form of a USB dongle or smartphone that can be used when logging in on any device. But instead, macOS preempts this task with directions for creating a passkey that will be synced through iCloud. What's the user to do? Maybe click on the "other options" in small text at the very bottom? Let's try and see.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2067670 align-fullwidth">
	<div>
		<img alt="webauthn.io-02.png" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/12/webauthn.io-02.png">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>The dialog box that appears after clicking "other options." </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	Wait, why is it still offering the option for the passkey to be synced in iCloud, and how does that qualify as "other options"? And why is the most prominent suggestion that the user "continue with Touch ID"? It isn't until selecting "security key" that the user will see the option they wanted all along—to store the credential on a security key. Only after this step—now three clicks in—does the light on a USB security key begin blinking, and the key is finally ready to be enrolled.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2067677 align-fullwidth">
	<div>
		<img alt="webauthn.io-03.png" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/12/webauthn.io-03.png">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Dialog box finally allows the creation of a passkey on a security key. </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	The dueling dialogs in this example are by no means unique to macOS.
</p>

<h2>
	Too many cooks in the kitchen
</h2>

<p>
	"Most try to funnel you into a vendor's sync passkey option, and don't make it clear how you can use other things," Brown noted. "Chrome, Apple, Windows, all try to force you to use their synced passkeys by default, and you have to click through prompts to use alternatives."
</p>

<p>
	 
</p>

<p>
	Bruce Davie, another software engineer with expertise in authentication, agreed, writing in an <a href="https://systemsapproach.org/2024/10/14/can-passkeys-replace-passwords/" rel="external nofollow">October post</a> that the current implementation of passkeys "seems to have failed the 'make it easy for users' test, which in my view is the whole point of passkeys."
</p>

<p>
	 
</p>

<p>
	In April, Son Nguyen Kim, the product lead for the free <a href="https://proton.me/pass" rel="external nofollow">Proton Pass</a> password manager, penned a post titled <a href="https://proton.me/blog/big-tech-passkey" rel="external nofollow">Big Tech passkey implementations are a trap</a>. In it, he complained that passkey implementations to date lock users into the platform they created the credential on.
</p>

<p>
	 
</p>

<p>
	“If you use Google Chrome as your browser on a Mac, it uses the Apple Keychain feature to store your passkeys,” he wrote. "This means you can’t sync your passkeys to your Chrome profile on other devices.” In an email last month, Kim said users can now override this option and choose to store their passkeys in Chrome. Even then, however, "passkeys created on Chrome on Mac don’t sync to Chrome in iPhone, so the user can’t use it seamlessly on Chrome on their iPhone."
</p>

<p>
	 
</p>

<p>
	Other posts reciting similar complaints are <a href="https://world.hey.com/dhh/passwords-have-problems-but-passkeys-have-more-95285df9" rel="external nofollow">here</a> and <a href="https://joshcgrossman.com/2024/02/08/one-does-not-simply-implement-passkeys/" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	In short, there are too many cooks in the kitchen, and each one thinks they know the proper way to make pie.
</p>

<p>
	 
</p>

<p>
	I have put these and other criticisms to the test over the past four months. I have used them in a truly heterogeneous environment that includes a MacBook Air, a Lenovo X1 ThinkPad, an iPhone, and a Pixel running Firefox, Chrome, Edge, and Safari, and on the phones, a large number of apps, including those for LinkedIn, PayPal, eBay, Kayak, Gmail, Amazon, and Uber. My objective has been to understand how well passkey-based authentication works over the long term, particularly for cross-platform users.
</p>

<p>
	 
</p>

<p>
	I fully agree that syncing across different platforms is much harder than it should be. So is the messaging provided during the passkey enrollment phase. The dialogs users see are dictated arbitrarily by whatever OS or browser has control at the moment. There's no way for previously made configuration choices to be communicated to tailor dialog boxes and workflow.
</p>

<p>
	 
</p>

<p>
	Another shortcoming: There's no programming interface for Apple, Google, and Microsoft platforms to directly pass credentials from one to the other. The FIDO2 standard has devised a clever method in an attempt to bridge this gap. It typically involves joining two devices over a secure BLE connection and using a QR code so the already-authenticated device can vouch for the trustworthiness of the other. This process is easy for some people in some cases, but it can quickly become quirky and prone to failure, particularly when fussy devices can't connect over BLE.
</p>

<p>
	 
</p>

<p>
	In many cases, however, critics overstate the severity of these sorts of problems. These are definitely things that unnecessarily confuse and complicate the use of passkeys. But often, they're one-time events that can be overcome by creating multiple passkeys and bootstrapping them for each device. From then on, these unphishable, unstealable credentials live on both devices, in much the way some users allow credentials for their Gmail or Apple ID to be stored in two or more browsers or password managers for convenience.
</p>

<p>
	 
</p>

<p>
	More helpful still is using a cross-platform password manager to store and sync passkeys. I have been using 1Password to do just that for a month with no problems to report. Most other name-brand password managers would likely perform as well. In keeping with the FIDO2 spec, these credentials are end-to-end encrypted.
</p>

<h2>
	Halfway house for password managers
</h2>

<p>
	With my 1Password account running on my devices, I had no trouble using a passkey to log into any enrolled site on a device running any browser. The flow was fast and intuitive. In most cases, both iOS and Android had no problem passing the key from 1Password to an app for Uber, Amazon, Gmail, or another site. Signing into phone apps is one of the bigger hassles for me. Passkeys made this process much easier, and they did so while also giving me the added security of MFA.
</p>

<p>
	 
</p>

<p>
	This reliance on a password manager, however, largely undermines a key value proposition of passkeys, which has been to provide an entirely new paradigm for authenticating ourselves. Using 1Password to sync a password is almost identical to syncing a passkey, so why bother? Worse still, the majority of people still don't use password managers. I'm a big believer in password managers for the security they offer. Making them a condition for using a passkey would be a travesty.
</p>

<p>
	 
</p>

<p>
	I'm not the first person to voice this criticism. David Heinemeier Hansson said much the same thing in September.
</p>

<p>
	 
</p>

<p>
	"The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access ... their accounts," <a href="https://world.hey.com/dhh/passwords-have-problems-but-passkeys-have-more-95285df9" rel="external nofollow">wrote</a> the Danish software engineer and programmer, who created Ruby on Rails and is the CTO of web-based software development firm 37signals. "Much the same way that two-factor authentication can do, but worse, since you're not even aware of it."
</p>

<p>
	 
</p>

<p>
	He continued:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Let's take a simple example. You have an iPhone and a Windows computer. Chrome on Windows stores your passkeys in Windows Hello, so if you sign up for a service on Windows, and you then want to access it on iPhone, you're going to be stuck (unless you're so forward thinking as to add a second passkey, somehow, from the iPhone while on the Windows computer!). The passkey lives on the wrong device, if you're away from the computer and want to log in, and it's not at all obvious to most users how they might fix that.
	</p>

	<p>
		 
	</p>

	<p>
		Even in the best case scenario, where you're using an iPhone and a Mac that are synced with Keychain Access via iCloud, you're still going to be stuck, if you need to access a service on a friend's computer in a pinch. Or if you're not using Keychain Access at all. There are plenty of pitfalls all over the flow. And the solutions, like scanning a QR code with a separate device, are cumbersome and alien to most users.
	</p>

	<p>
		 
	</p>

	<p>
		If you're going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager like 1Password.
	</p>
</blockquote>

<h2>
	Undermining security promises
</h2>

<p>
	The security benefits of passkeys at the moment are also undermined by an undeniable truth. Of the hundreds of sites supporting passkeys, there isn't one I know of that allows users to ditch their password completely. The password is still mandatory. And with the exception of Google's Advanced Protection Program, I know of no sites that won't allow logins to fall back on passwords, often without any additional factor. Even then, all but Google APP accounts can be accessed using a recovery code.
</p>

<p>
	 
</p>

<p>
	This fallback on phishable, stealable credentials undoes some of the key selling points of passkeys. As soon as passkey adoption poses a meaningful hurdle in account takeovers, threat actors will devise hacks and social engineering attacks that exploit this shortcoming. Then we're right back where we were before.
</p>

<p>
	 
</p>

<p>
	Christiaan Brandt, co-chair of the FIDO2 technical working group and an identity and security product manager at Google, said in an online interview that most users aren't ready for true passwordless authentication.
</p>

<p>
	 
</p>

<p>
	"We have to meet users where they are," he wrote. "When we tested messaging for passkeys, users balked at 'replace your password with passkeys,' but felt much more comfortable with more softened language like 'you can now use a passkey to log in to your account too.' Over time, we most definitely plan to wean users off phishable authentication factors, but we anticipate this journey to take multiple years. We really can only do it once users are so comfortable with passkeys that the fallback to passwords is (almost) never needed."
</p>

<p>
	 
</p>

<p>
	A design choice further negating the security benefits of passkeys: Amazon, PayPal, Uber, and no small number of other sites supporting passkeys continue to rely on SMS texts for authentication even after passkeys are enrolled.
</p>

<p>
	 
</p>

<p>
	SMS-based MFA is among the weakest forms of this protection. Not only can the texts be phished, but they're also notoriously vulnerable to SIM swaps, in which an adversary gains control of a target's phone number. As long as these less-secure fallbacks exist, passkeys aren't much more than security theater.
</p>

<p>
	 
</p>

<p>
	I still think passkeys make sense in many cases. I'll say more about that later. First, for a bit more context, readers should know:
</p>

<p>
	 
</p>

<p>
	Passkeys are defined in the WebAuthn spec as a "discoverable credential," historically known as a "resident key." The credential takes the form of a private-public key pair that is created on the security key, which can be a FIDO-approved secure enclave embedded in a USB dongle, smartphone, or computer. The key pair is unique to each user account. The user creates the key pair after proving their identity to the website using an existing authentication method, typically a password. The private key never leaves the security key.
</p>

<p>
	 
</p>

<p>
	Going forward, when the user logs in, the site sends a security challenge to the user. The user then uses the locally stored private key to cryptographically sign the challenge and sends it to the website. The website then uses the public key it stores to verify the response is signed with the private key. With that, the user is logged in.
</p>

<p>
	 
</p>

<p>
	Under the FIDO2 spec, the passkey can never leave the security key, except as an encrypted blob of bits when the passkey is being synced from one device to another. The secret key can be unlocked only when the user authenticates to the physical key using a PIN, password, or, most commonly, a fingerprint or face scan. When the user authenticates with a biometric, the biometric data never leaves the security key, just as it never leaves Android and iOS phones or computers running macOS or Windows.
</p>

<p>
	 
</p>

<p>
	Passkeys can be stored and synced using the same mechanisms millions of people already use for passwords—a password manager such as Bitwarden, Apple iCloud, Google Password Manager, or Microsoft's cloud. Just like passwords, passkeys available in these managers are end-to-end encrypted using tried and true cryptographic algorithms.
</p>

<p>
	 
</p>

<p>
	The advent of this new paradigm was supposed to solve multiple problems at once—make authenticating ourselves online easier, eliminate the hassle of remembering passwords, and all but eradicate the most common forms of account takeovers.
</p>

<p>
	 
</p>

<p>
	When not encumbered by the problems mentioned earlier, this design provides multifactor authentication in a single stroke. The user logs in using something they have—the physical key, which must be near the device logging in. They must also use something they know—the PIN or password—or something they are—their face or fingerprint—to complete the credential transfer. The cryptographic secret never leaves the enclave embedded into the physical key.
</p>

<h2>
	What to tell Uncle Charlie?
</h2>

<p>
	In enterprise environments, passkeys can be a no-brainer alternative to passwords and authenticators. And even for Uncle Charlie—who has a single iPhone and Mac, and logs into only a handful of sites—passkeys may provide a simpler, less phishable path forward. Using a password manager to log into Gmail with a passkey ensures he's protected by MFA. Using the password alone does not.
</p>

<p>
	 
</p>

<p>
	The takeaway from all of this—particularly for those recruited to provide technical support this week but also anyone trying to decide if it's time to up their own authentication game: If a password manager isn't already a part of the routine, see if it's viable to add one now. Password managers make it practical to use a virtually unlimited number of long, randomly generated passwords that are unique to each site.
</p>

<p>
	 
</p>

<p>
	For some, particularly people with diminished capacity or less comfort being online, this step alone will be enough. Everyone else should also, whenever possible, opt into MFA, ideally using security keys or, if that's not available, an authenticator app. I'm partial to 1Password as a password manager, Authy as an authenticator, and security keys from Yubico or Titan. There are plenty of other suitable alternatives.
</p>

<p>
	 
</p>

<p>
	I still think passkeys provide the greatest promise yet for filling the many security pitfalls of passwords and lowering the difficulty of remembering and storing them. For now, however, the hassles of using passkeys, coupled with the diminished security created by the presence of fallbacks, mean that no one should feel like a technophobe or laggard for sticking with their passwords. For now, passwords and key- or authenticator-based MFA remain essential.
</p>

<p>
	 
</p>

<p>
	With any luck, passkeys will someday be ready for the masses, but that day is not (yet) here.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of November): 5,298 news posts</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">27190</guid><pubDate>Mon, 30 Dec 2024 17:15:13 +0000</pubDate></item><item><title>Microsoft issues urgent dev warning to update .NET installer link</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-issues-urgent-dev-warning-to-update-net-installer-link-r27186/</link><description><![CDATA[<p>
	Microsoft is forcing .NET developers to quickly update their apps and developer pipelines so they do not use 'azureedge.net' domains to install .NET components, as the domain will soon be unavailable due to the bankruptcy and imminent shutdown of CDN provider Edgio.
</p>

<p>
	 
</p>

<p>
	Specifically, the domains "<strong>dotnetcli.azureedge.net</strong>" and "<strong>dotnetbuilds.azureedge.net</strong>" will be taken offline in the next few months, which could break the functionality of projects relying on the domains.
</p>

<p>
	 
</p>

<p>
	This includes developers using .NET installers residing on the affected domains, organizations using GitHub Actions or Azure DevOps with custom pipelines using those domains, Docker and script users with files and code referencing the retired domains, and more.
</p>

<p>
	 
</p>

<p>
	"We maintain multiple Content Delivery Network (CDN) instances for delivering .NET builds. Some end in azureedge.net. These domains are hosted by edg.io, which will soon cease operations due to bankruptcy. We are required to migrate to a new CDN and will be using new domains going forward," <a href="https://devblogs.microsoft.com/dotnet/critical-dotnet-install-links-are-changing/" rel="external nofollow" target="_blank">explains Microsoft</a>.
</p>

<p>
	 
</p>

<p>
	"It is possible that azureedge.net domains will have downtime in the near-term. We expect that these domains will be permanently retired in the first few months of 2025."
</p>

<p>
	 
</p>

<p>
	Microsoft recommends that potentially impacted developers search their code, scripts, and configurations for references to azureedge.net and dotnetcli.blob.core.windows.net and replace them with builds.dotnet.microsoft.com.
</p>

<p>
	 
</p>

<p>
	During the transition, the new domains will be served by a combination of Edgio, Akamai, and Azure Front Door, as Microsoft works on solidifying the final distribution model with other CDN providers.
</p>

<p>
	 
</p>

<p>
	CI/CD teams need to ensure GitHub Actions (actions/setup-dotnet) and Azure DevOps tasks are updated to versions supporting the new domains, while updates for Azure DevOps Server are expected in early 2025.
</p>

<p>
	 
</p>

<p>
	Additionally, given that new CDN domains will now be used, even when configurations are auto-updated, firewalls need to be set to allow traffic from the new locations (builds.dotnet.microsoft.com and ci.dot.net). 
</p>

<p>
	 
</p>

<p>
	The tech giant notes that the timing is quite unfortunate, as impacted users are requested to take action during the holidays when most IT teams are understaffed.
</p>

<p>
	 
</p>

<p>
	When asked why Microsoft can't simply transfer the domains and continue using them, Rich Lander, Program Manager of .NET at Microsoft, said it was not possible.
</p>

<p>
	 
</p>

<p>
	"We asked the same question. We were told that this option wasn't being made available. We don't have more information on that," <a href="https://github.com/dotnet/core/issues/9671#issuecomment-2563582143" rel="external nofollow" target="_blank">explained Lander</a>.
</p>

<p>
	 
</p>

<p>
	The answer is confusing as Microsoft's Scott Hanselman <a href="https://github.com/dotnet/core/issues/9671#issuecomment-2560820142" rel="external nofollow" target="_blank">confirmed</a> that Microsoft already obtained ownership of the domains, stating that "no other party will ever have access to use these domains."
</p>

<p>
	 
</p>

<p>
	By owning the domains and preventing their reuse, the chances of a supply chain compromise for those not migrating their applications are minimal. However, it still doesn't explain the sudden rush to migrate domains and the risks of operational disruptions.
</p>

<p>
	 
</p>

<p>
	If you're impacted, you can follow the issue more closely and access status updates on this <a href="https://github.com/dotnet/core/issues/9671" rel="external nofollow" target="_blank">GitHub page</a>.
</p>

<p>
	 
</p>

<p>
	BleepingComputer contacted Microsoft with questions about this .NET domain migration but has not received a reply at this time.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-issues-urgent-dev-warning-to-update-net-installer-link/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27186</guid><pubDate>Mon, 30 Dec 2024 17:08:32 +0000</pubDate></item><item><title>Malware botnets exploit outdated D-Link routers in recent attacks</title><link>https://nsaneforums.com/news/security-privacy-news/malware-botnets-exploit-outdated-d-link-routers-in-recent-attacks-r27185/</link><description><![CDATA[<p>
	Two botnets tracked as ‘Ficora’ and ‘Capsaicin’ have recorded increased activity in targeting D-Link routers that have reached end of life or are running outdated firmware versions.
</p>

<p>
	 
</p>

<p>
	The list of targets includes popular D-Link devices used by individuals and organizations such as DIR-645, DIR-806, GO-RT-AC750, and DIR-845L.
</p>

<p>
	 
</p>

<p>
	For initial access, the two pieces of malware use known exploits for CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.
</p>

<p>
	 
</p>

<p>
	Once a device is compromised, attackers leverage weaknesses in D-Link’s management interface (HNAP) and execute malicious commands through a GetDeviceSettings action.
</p>

<p>
	 
</p>

<p>
	The botnets can steal data and execute shell scripts. Attackers appear to compromise the devices for distributed denial-of-service (DDoS) purposes.
</p>

<p>
	 
</p>

<p>
	Ficora has a widespread geographic distribution with some focus on Japan and the United States. Capsaicin appears to be targeting mostly devices in East Asian countries and increased its activity for just two days, starting on October 21.
</p>

<h2>
	Ficora botnet
</h2>

<p>
	Ficora is a newer variant of the Mirai botnet, adapted to exploit flaws in D-Link devices specifically.
</p>

<p>
	 
</p>

<p>
	According to <a href="https://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities" rel="external nofollow" target="_blank">Fortinet's telemetry data</a>, the botnet shows random targeting, with two notable surges in its activity during October and November.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Location of devices infected by Ficora" class="ipsImage" height="359" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/33/map.jpeg">
		<figcaption>
			<em>Location of devices infected by Ficora<br>
			Source: Fortinet</em>
		</figcaption>
	</figure>
</div>

<p>
	After gaining initial access on D-Link devices, Ficora uses a shell script named ‘multi’ to download and execute its payload through multiple methods like <em>wget</em>, <em>curl</em>, <em>ftpget</em>, and <em>tftp</em>.
</p>

<p>
	 
</p>

<p>
	The malware includes a built-in brute-force component with hard-coded credentials to infect additional Linux-based devices, and it supports multiple hardware architectures.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Ficora's brute-forcing function" class="ipsImage" height="358" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/33/bruteforce.jpeg">
		<figcaption>
			<em>Ficora's brute-forcing function<br>
			Source: Fortinet</em>
		</figcaption>
	</figure>
</div>

<p>
	Regarding its DDoS capabilities, it supports UDP flooding, TCP flooding, and DNS amplification to maximize the power of its attacks.
</p>

<h2>
	Capsaicin botnet
</h2>

<p>
	Capsaicin is a variant of the Kaiten botnet and is believed to be malware developed by the Keksec group, known for ‘<a href="https://www.bleepingcomputer.com/news/security/new-enemybot-ddos-botnet-recruits-routers-and-iots-into-its-army/" rel="external nofollow" target="_blank">EnemyBot</a>’ and other malware families targeting Linux devices.
</p>

<p>
	 
</p>

<p>
	Fortinet only observed it in a burst of attacks between October 21 and 22, targeting primarily East Asian countries.
</p>

<p>
	 
</p>

<p>
	The infection occurs through a downloader script (“bins.sh”), which fetches binaries with the prefix ‘yakuza’ for different architectures, including arm, mips, sparc, and x86.
</p>

<p>
	 
</p>

<p>
	The malware actively looks for other botnet payloads that are active on the same host and disables them.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Names of other botnet malware Capsaicin disables." class="ipsImage" height="600" style="height: auto;" width="553" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/33/botnets.jpeg">
		<figcaption>
			<em>Names of other botnet malware Capsaicin disables<br>
			Source: Fortinet</em>
		</figcaption>
	</figure>
</div>

<p>
	Apart from its DDoS capabilities, which mirror those of Ficora, Capsaicin can also gather host information and exfiltrate it to the command and control (C2) server for tracking.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Capsaicin DDoS commands" class="ipsImage" height="479" style="height: auto;" width="900" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/33/dos.jpeg">
		<figcaption>
			<em>Capsaicin DDoS commands<br>
			Source: Fortinet</em>
		</figcaption>
	</figure>
</div>

<h2>
	Defending against botnets
</h2>

<p>
	One way to prevent botnet malware infections on routers and IoT devices is to ensure that they’re running the latest firmware version, which should address known vulnerabilities.
</p>

<p>
	 
</p>

<p>
	If the device has reached end-of-life and no longer receives security updates, it should be replaced with a new model.
</p>

<p>
	 
</p>

<p>
	As general advice, you should replace default admin credentials with unique, strong passwords and disable remote access interfaces if they are not needed.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/malware-botnets-exploit-outdated-d-link-routers-in-recent-attacks/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27185</guid><pubDate>Mon, 30 Dec 2024 17:07:15 +0000</pubDate></item><item><title>Honey&#x2019;s deal-hunting browser extension is accused of ripping off customers and YouTubers</title><link>https://nsaneforums.com/news/security-privacy-news/honey%E2%80%99s-deal-hunting-browser-extension-is-accused-of-ripping-off-customers-and-youtubers-r27141/</link><description><![CDATA[<h3>
	A YouTuber claims that Honey intercepts money from affiliates and that it ignores better deals in favor of its own coupons.
</h3>

<div>
	<div id="zephr-anchor">
		<div>
			<div>
				<p>
					The PayPal Honey browser extension is, in theory, a handy way to find better deals on products while you’re shopping online. But in a <a href="https://www.youtube.com/watch?v=vc4yL3YTwWk" rel="external nofollow">video published this weekend</a>, YouTuber MegaLag claims the extension is a “scam” and that Honey has been “stealing money from influencers, including the very ones they paid to promote their product.”
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					Honey works by popping up an offer to find coupon codes for you while you’re checking out in an online shop. But as MegaLag notes, it frequently fails to find a code, or offers a Honey-branded one, even if a simple internet search will cover something better. The <a href="https://go.skimresources.com/?id=1025X1701640&amp;xs=1&amp;url=https%3A%2F%2Fwww.joinhoney.com%2Fbetterprice%2F%23%3A~%3Atext%3DWhile%2520you%2520shop%252C%2520Honey%2520will%2520find%2520every%2520working%2520promo%2520code%2520on%2520the%2520Internet.&amp;xcust=__vg1224awD__24092309__________________" rel="external nofollow" target="_blank">Honey website’s pitch</a> is that it will “find every working promo code on the internet.” But according to MegaLag’s video, ignoring better deals is a feature of Honey’s partnerships with its retail clients.
				</p>

				<p>
					 
				</p>


				<p>
					 
				</p>
			</div>

			<div>
				<p>
					MegaLag also says Honey will hijack affiliate revenue from influencers. According to MegaLag, if you click on an affiliate link from an influencer, Honey will then swap in its own tracking link when you interact with its deal pop-up at check-out. That’s regardless of whether Honey found you a coupon or not, and it results in Honey getting the credit for the sale, rather than the YouTuber or website whose link led you there.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					PayPal VP of corporate communications Josh Criscoe said in an email to <em>The Verge </em>that “Honey follows industry rules and practices, including last-click attribution.”
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					MegaLag isn’t the first to make such claims. A <a href="https://x.com/Barnacules/status/1434682891875749889" rel="external nofollow">2021 Twitter post</a> advises using Honey’s discount codes in a different browser to avoid it taking the affiliate credit. A Linus Media Group employee also explained in <a href="https://linustechtips.com/topic/1415146-weekly-sponsorship-suggestioncomplaint-thread-feb-28-2022/?do=findComment&amp;comment=15285519" rel="external nofollow">a 2022 forum reply</a> that Linus Tech Tips dropped Honey as a sponsor over its affiliate link practices.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					Honey’s convenience has resulted in the extension being recommended widely, including in almost 5,000 Honey-sponsored videos across about 1,000 YouTube channels, according to MegaLag. We’ve even recommended it here at <em>The Verge; </em>now we do not.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					Here is Criscoe’s full statement:
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<blockquote class="QuoteNewsStyle">
					<p>
						Honey is free to use and provides millions of shoppers with additional savings on their purchases whenever possible. Honey helps merchants reduce cart abandonment and comparison shopping while increasing sales conversion.
					</p>
				</blockquote>
			</div>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/12/23/24328268/honey-coupon-code-browser-extension-scam-influencers-affiliate-marketing" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27141</guid><pubDate>Tue, 24 Dec 2024 01:58:32 +0000</pubDate></item><item><title>In the age of AI, captchas are mostly a burden to humans</title><link>https://nsaneforums.com/news/security-privacy-news/in-the-age-of-ai-captchas-are-mostly-a-burden-to-humans-r27131/</link><description><![CDATA[<p>
	Captchas were invented in the early 2000s to tackle an issue on the Internet: bots. Bots were used to quickly snag up auctions on eBay, tickets for a concert or sports event, or to take snapshots of websites faster than any human.
</p>

<p>
	 
</p>

<p>
	<strong>The idea was simple</strong>: display a basic puzzle to the user to make sure that a human is performing the action and not a bot. This worked fine in the beginning for the most part. Bots were not powerful enough to solve captchas quickly, or at all, at the time.
</p>

<p>
	 
</p>

<p>
	Captchas evolved; Google acquired the technology a decade ago and developed it further. Soon, you'd get the dreaded "I'm not a robot" checkboxes and eventually <a data-wpel-link="internal" href="https://www.ghacks.net/2018/10/30/google-recaptcha-v3-without-user-interaction-launches/" rel="external nofollow">no checkboxes at all to prove that you were human</a>.
</p>

<p>
	 
</p>

<p>
	<picture><source sizes="(max-width: 660px) 100vw, 660px" srcset="https://www.ghacks.net/wp-content/uploads/2014/12/google-recaptcha-660x497.png 660w, https://www.ghacks.net/wp-content/uploads/2014/12/google-recaptcha-100x75.png 100w,https://www.ghacks.net/wp-content/uploads/2014/12/google-recaptcha.webp 732w" type="image/webp"><img alt="google recaptcha" class="ipsImage" decoding="async" height="720" width="720" src="https://www.ghacks.net/wp-content/uploads/2014/12/google-recaptcha.png"> </source></picture>
</p>

<p>
	 
</p>

<p>
	Services like <a data-wpel-link="internal" href="https://www.ghacks.net/2020/04/13/cloudflare-drops-google-recaptcha-in-favor-of-hcaptcha/" rel="external nofollow">Cloudflare introduced hCaptcha</a> and other solutions to block bots and allow human visitors.
</p>

<h2>
	Rise of AI makes captchas a burden, but only for humans
</h2>

<p>
	Systems were invented to bypass captchas, but the rise of AI has made captchas a burden to humans only. <a data-wpel-link="external" href="https://www.theregister.com/2024/07/24/googles_recaptchav2_labor/" rel="external nofollow" target="_blank">According to</a> a 2023 research paper, researchers were already able to defeat 70% of captchas in 2016.
</p>

<p>
	 
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2018/12/12/buster-promises-to-solve-captchas-automatically/" rel="external nofollow">Extensions like Buster</a> or <a data-wpel-link="internal" href="https://www.ghacks.net/2017/11/10/less-cloudflare-captchas-with-privacy-pass/" rel="external nofollow">Privacy Pass</a> promised to improve the handling of captchas. Buster claimed that it could be used to solve any captcha and Privacy Pass was designed by Cloudflare to reduce the number of captchas the service displayed to visitors.
</p>

<p>
	 
</p>

<p>
	to help solve any captchas, to make the process less cumbersome for humans.
</p>

<p>
	 
</p>

<p>
	Today, researchers claim that AI is capable of solving anything thrown at it in a fraction of the time it takes humans, according to a report by <a data-wpel-link="external" href="https://theconversation.com/yes-i-am-a-human-bot-detection-is-no-longer-working-and-just-wait-until-ai-agents-come-along-246427" rel="external nofollow" target="_blank">The Conversation</a>.
</p>

<p>
	 
</p>

<p>
	While you are still pondering whether you have overlooked a car or traffic light while solving a captcha, bots have most likely solved it in milliseconds and moved on to perform whatever action they have been programmed to do. So, that ticket for the concert may be long gone, even if you are among the first to start the checkout.
</p>

<p>
	 
</p>

<p>
	Tools like Google Vision or OpenAI's CLIP are better at recognising objects than humans will ever be. The same is true for deciphering letters, numbers, and symbols in captchas. Even the latest iteration of Google's captcha technology, which does not require any puzzle solving at all, has been conquered already.
</p>

<p>
	 
</p>

<p>
	This particular technology observes the behavior of the user on the website. Does the visitor behave like a human? With AI becoming more powerful, systems can easily mimic human behavior on websites to pass these tests.
</p>

<p>
	 
</p>

<p>
	Other forms of captchas exist. Some ask users to drag a puzzle piece into place, or to position an animal so that it aligns with another object on the screen. These have been conquered by AI systems as well.
</p>

<h3>
	In Closing
</h3>

<p>
	Ever since captchas were invented, there has been a heated debate about whether they do more harm than good. Nowadays, with bots easily solving anything thrown at them, captchas are only capable of blocking older bots and, of course, humans from accessing a site or service.
</p>

<p>
	 
</p>

<p>
	So, would it be better to get rid of all captchas? It would certainly be beneficial to the millions of Internet users who regularly bite into their keyboards out of frustration when a captcha cannot be solved quickly.
</p>

<p>
	 
</p>

<p>
	<em>What is your take on all of this? Do you encounter captchas regularly? Do you sometimes have problems solving them? Feel free to leave a comment down below.</em>
</p>



<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2024/12/23/in-the-age-of-ai-captchas-are-mostly-a-burden-to-humans/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27131</guid><pubDate>Mon, 23 Dec 2024 18:22:51 +0000</pubDate></item><item><title>$870M in Zelle fraud losses spark lawsuit against platform, 3 major banks</title><link>https://nsaneforums.com/news/security-privacy-news/870m-in-zelle-fraud-losses-spark-lawsuit-against-platform-3-major-banks-r27119/</link><description><![CDATA[<p data-t='{"n":"blueLinks"}'>
	The <a data-t='{"n":"destination","t":13,"b":1,"c.t":7}' href="https://www.freep.com/story/money/personal-finance/susan-tompor/2022/06/30/utility-shutoff-scam-stole-cash-via-zelle/7714138001/" target="_blank" rel="external nofollow">Zelle payment app</a> opened the door for crooks and con artists to steal hundreds of millions of dollars from consumers over several years, and some big banks are to blame for a chaotic rush to roll out the platform, according to the Consumer Financial Protection Bureau.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The financial regulators Friday sued Bank of America, JP Morgan Chase and Wells Fargo saying they failed to protect consumers from widespread fraud on the popular peer-to-peer payment network. The independent agency also sued the operator of Zelle, called Early Warning Services.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The CFPB put Zelle-related fraud losses at more than $870 million involving customers at just the three banks alone over seven years since the launch of the app in 2017.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Zelle disputes how the CFPB reached the $870 million figure. A Zelle spokesperson issued a statement, saying, "The CFPB’s headline grabbing number is misleading, as many reported fraud claims are not found to involve actual fraud after investigation."
</p>


<p data-t='{"n":"blueLinks"}'>
	In some cases, banks say, a customer might report fraud but maybe the customer later remembers that they did make a certain purchase. So, it's not fraud, after all. Or maybe a criminal is trying to exploit the network by submitting a false claim.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The CFPB figure, banks said, is based on total fraud claims minus what banks paid out in losses. But banks said that not all claims involve actual fraud or end up being a case where banks are required by law to reimburse a customer using a payment app, such as when they were tricked into paying $500 or $1,000 as part of an online puppy-for-sale scam.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Hundreds of thousands of consumers filed complaints after getting hit by fraud, according to the CFPB, and they were largely denied assistance. In some cases, the CFPB said, some consumers were told to contact the fraudsters directly to recover their money.
</p>

<h2 class="presto-h2 wp-block-heading article-sub-heading">
	'A gold mine' for fraud
</h2>

<p data-t='{"n":"blueLinks"}'>
	Rohit Chopra, director of the CFPB, told journalists on a conference call Friday that the major financial institutions failed to fix glaring flaws in the system while marketing Zelle's near-instant electronic money transfers as safe.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"What they built became a gold mine for criminals," Chopra said.
</p>

<h2 class="presto-h2 wp-block-heading article-sub-heading">
	Bankers see a 'last ditch effort' by CFPB
</h2>

<p data-t='{"n":"blueLinks"}'>
	Bankers defended the safety of the Zelle app, saying the CFPB was overreaching in its actions.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Zelle said in a statement to the Detroit Free Press, part of the USA TODAY Network, that the CFPB was attempting to expand the existing law and appeared to be timing the lawsuit on political factors unrelated to Zelle.
</p>


<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Bill Halldin, a spokesperson for Bank of America, said in a statement to the Detroit Free Press that the bank strongly disagreed with the “CFPB’s effort to impose huge new costs on the 2,200 banks and credit unions that offer the free Zelle service to clients.”
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	He noted that “23 million Bank of America clients have embraced Zelle, regularly using it to send money to friends, family and people they trust.”
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Bank of America said it works directly with customers when they have an issue.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Trish Wexler, a JPMorgan Chase spokesperson, called the CFPB's December lawsuit "a last ditch effort in pursuit of their political agenda."
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"The CFPB is now overreaching its authority by making banks accountable for criminals, even including romance scammers," Wexler said in an emailed statement to the Free Press.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"It’s a stunning demonstration of regulation by enforcement, skirting the required rulemaking process," Wexler continued.
</p>


<p data-t='{"n":"blueLinks"}'>
	The Consumer Bankers Association issued a statement Friday, defending the banks' actions.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"Banks have rigorously followed the law in characterizing and offering services through Zelle, yet the CFPB today has moved the goalposts, suggesting that ‘being safe’ means something other than what Congress has defined in law," said Lindsey Johnson, president and CEO of the Consumer Bankers Association.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Chalk up one more heated issue that could be in play in Washington in 2025.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	President-elect Donald Trump and Republicans in Congress are expected to try to vastly limit the CFPB's powers.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The CFPB was launched after the 2008-09 recession as part of the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act.
</p>

<h2 class="presto-h2 wp-block-heading article-sub-heading">
	The scams are real and so are the losses
</h2>

<p data-t='{"n":"blueLinks"}'>
	Consumers have been upset for years after being hit with a long list of scams, which can involve money being withdrawn from their bank accounts via Zelle. Crooks didn't need to send their victims out to buy gift cards when they could get instant cash via a payment app, like Zelle.
</p>


<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Over the years, I've talked with many consumers at all sorts of financial institutions who faced massive headaches because crooks knew the maneuvers to make, often starting by impersonating a bank or someone else, to steal money from a bank account via the Zelle app.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Too many times, the consumer told me, they were stuck on the hook and out the cash.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	One consumer watchdog group called the CFPB's legal action "an important step in holding payment systems accountable for enabling fraudulent and unauthorized payments."
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	“Payment fraud impacts all Americans across many communities, young and old,” Carla Sanchez-Adams, senior attorney at the National Consumer Law Center, said in a statement.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	“The CFPB is standing up for people who weren’t able to get the big banks to take their claims of fraud seriously and return their hard-earned money.”
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	PIRG’s research arm, the U.S. PIRG Education Fund, has been persistently raising awareness about fraud and other problems involving peer-to-peer payment apps, such as Zelle. The group issued a report called <a data-t='{"n":"destination","t":13,"b":1,"c.t":7}' href="https://pirg.org/resources/virtual-wallets-real-complaints-2/" target="_blank" rel="external nofollow">"Virtual wallets, real complaints"</a> in June 2021.
</p>


<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Mike Litt, PIRG’s consumer campaign director, said consumers have had problems with fraud on Zelle for years.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"Hopefully, the CFPB’s lawsuit can change that," Litt said in a statement.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"These troubling alleged practices need to be addressed by all parties as quickly as possible. It’s crucial that in our increasingly cashless age, we have digital financial systems that the public can trust and use without fear of losing their money.”
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	What is often debated is what kind of fraud would be covered under existing banking rules. Did the consumer send the money willingly via a romance scam – or do something that isn't covered? Regulators are pushing banks to cover something new called “induced fraud” when a customer is tricked into sending money under false pretenses.
</p>

<p>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Last year, I reported that, after much public pressure, the network operator of Zelle had agreed to <a data-t='{"n":"destination","t":13,"b":1,"c.t":7}' href="https://www.freep.com/story/money/personal-finance/susan-tompor/2023/04/04/victims-refund-zelle-scams/70065144007/" target="_blank" rel="external nofollow">implement new requirements</a> to "mandate consumer reimbursement for certain types of scams" on the Zelle Network. But Zelle was not specific about the kinds of scams for which people would be reimbursed.
</p>


<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Consumers can report fraud to their banks and submit complaints with the CFPB at <a data-t='{"n":"destination","t":13,"b":1,"c.t":7}' href="https://www.consumerfinance.gov/complaint/" target="_blank" rel="external nofollow">www.consumerfinance.gov/complaint</a>.
</p>

<h2 class="presto-h2 wp-block-heading article-sub-heading">
	What the CFPB said about Zelle
</h2>

<p data-t='{"n":"blueLinks"}'>
	The CFPB's complaint Friday takes aim at how the Zelle system itself worked and allegedly enabled fraud, too.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Chopra said the CFPB's investigation uncovered two major patterns of account takeover fraud that banks failed to address.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Some criminals, he said, would obtain one-time passcodes that could be used to take over accounts.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Other bad actors, he said, would physically steal phones or devices with banking apps installed to make immediate, unauthorized transfers.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"In case after case," he said, "banks routinely denied requests for help, turning a blind eye, even when customers provided clear evidence that criminals had taken over their accounts and that the transactions were unauthorized, including police reports documenting the crimes."
</p>


<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The lawsuit charged that more than $360 million in losses associated with Zelle-related fraud hit 420,000 Chase customers; some 210,000 Bank of America customers complained that they lost $290 million; and 280,000 Wells Fargo customers complained of losing more than $220 million.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The Zelle system, Chopra said, made it easy for fraudsters to move money quickly. And many consumers found it nearly impossible to get their money back.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Many times, Chopra said, the banks didn't do enough to stop suspicious activity across the banking system.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"When one bank detected fraud and closed an account, nothing stopped the criminal from hopping to another bank and starting fresh when fraud occurred," Chopra said.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Chopra said the three banks systematically failed their customers hit by fraud on Zelle.
</p>

<p>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Big banks, regulators said, joined forces to launch Zelle once the banks saw that they were losing out to other money transfer platforms, such as CashApp, Venmo and PayPal. But the regulators say the move to rush the Zelle network to the market to compete against growing payment apps was done without implementing effective consumer safeguards.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Early Warning Services, which designed and operates Zelle, is co-owned by seven big banks: Bank of America, Capital One, Chase, PNC Bank, Truist, U.S. Bank and Wells Fargo. Early Warning Services is a financial technology and consumer reporting company based in Scottsdale, Arizona.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The Zelle payment system is massive. Back in 2021 alone, about 1.8 billion payments – totaling $490 billion – were sent by consumers and businesses through the Zelle Network, according to Early Warning Services. Total dollars transferred were up 59% from 2020.
</p>


<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The regulators are not suing the other banks that co-own Zelle, noting that a bulk of the transactions involve the three banks being sued.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The CFPB said it is seeking to stop the "alleged unlawful practices, secure redress and penalties, and obtain other relief."
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Consumers have reported losses related to Zelle fraud at a wide range of financial institutions; however, regulators did not address those losses in the media call. Some 2,200 participating financial institutions offer the Zelle app to customers with U.S.-based deposit accounts.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The lawsuit points out that Zelle is embedded in the mobile apps of Bank of America, Wells Fargo and Chase and consumers cannot remove the Zelle function.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	From the start, according to the legal complaint, Zelle's marketing and branding "exploited consumers' perceptions of reliability and security."
</p>

<h2 class="presto-h2 wp-block-heading article-sub-heading">
	Specific charges of failing to prevent fraud
</h2>

<p data-t='{"n":"blueLinks"}'>
	The CFPB said Friday that the defendant banks failed to implement appropriate fraud prevention and detection safeguards. The CFPB alleges that Bank of America, JPMorgan Chase, Wells Fargo and Early Warning Services violated federal law through critical failures including:
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<div class="article-list-slot">
	<ul class="wp-block-list">
		<li data-t='{"n":"blueLinks"}'>
			Zelle’s limited identity verification methods allowed bad actors to quickly create accounts and target Zelle users. Criminals could exploit Zelle’s design, according to regulators, to make sure that payments intended for the consumer’s account ended up flowing into an account controlled by crooks.
		</li>
		<li data-t='{"n":"blueLinks"}'>
			Early Warning Services and the defendant banks were "too slow to restrict and track criminals as they exploited multiple accounts across the network." Banks, according to regulators, did not share information about known fraudulent transactions with other banks on the network. As a result, regulators indicated that repeated fraud schemes could be carried out across multiple institutions before they were detected, if they were detected at all.
		</li>
		<li data-t='{"n":"blueLinks"}'>
			Despite receiving hundreds of thousands of fraud complaints, the CFPB said, the defendant banks failed to use the information to prevent further fraud. They also allegedly violated the Zelle Network’s own rules by not reporting fraud incidents consistently or on time.
		</li>
		<li data-t='{"n":"blueLinks"}'>
			Despite obligations under the Electronic Fund Transfer Act and Regulation E, the defendant banks failed to properly investigate Zelle customer complaints and take appropriate action for certain types of fraud and errors.
		</li>
	</ul>
</div>

<h2 class="presto-h2 wp-block-heading article-sub-heading">
	What Zelle has to say
</h2>

<p data-t='{"n":"blueLinks"}'>
	Jane Khodos, a Zelle spokesperson, emailed a statement to the Free Press, saying that the CFPB's lawsuit will hurt consumers, as well as small businesses, community banks, minority-owned banks and credit unions.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"Zelle leads the fight against scams and fraud and has industry-leading reimbursement policies that go above and beyond the law," according to the company's statement.
</p>


<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"The CFPB’s misguided attacks will embolden criminals, cost consumers more in fees, stifle small businesses and make it harder for thousands of community banks and credit unions to compete," Zelle said.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	In 2023, Zelle said in its defense, the company saw a 27% increase in transaction volume but reports of scams and fraud decreased by nearly 50%. Some 99.95% of payments were sent without reports of scams and fraud.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Zelle also took issue over when consumers must be reimbursed under the law, which has been a point of contention between banks and consumer watchdog groups.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	"Zelle reimburses customers for all instances of fraud as required by the law under the Electronic Funds Transfer Act and Reg E, and today’s litigation from the CFPB does not dispute that fact," Zelle stated.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Zelle said it also goes "above and beyond what is required by law and reimburses customers for certain types of scams where the customer authorized the transaction."
</p>


<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Zelle said the CFPB, through the lawsuit, "would be simultaneously creating and enforcing entirely new legal requirements that go well beyond what Congress authorized the CFPB to do."
</p>

<h2 class="presto-h2 wp-block-heading article-sub-heading">
	Regulation E
</h2>

<p data-t='{"n":"blueLinks"}'>
	At issue is how much ability the CFPB has to expand consumer protections under what's known as Regulation E. The banks say the CFPB is overreaching its authority.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Zelle said the "CFPB is attempting to impermissibly expand the law to require banks to reimburse consumers for transactions they authorized, which goes well beyond the clearly defined requirements established by Congress in the Electronic Funds Transfer Act."
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	Consumers need to be suspicious of every contact that appears to come from a financial institution or other trusted entity, and recognize that they often might not get any money back from the bank in cases of fraud. Do not try to resolve a problem quickly, say a call about unpaid taxes, by agreeing to transfer money via a payment app.
</p>

<p>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	A U.S. Senate permanent subcommittee on investigations in July, for example, disclosed that nearly two-thirds of consumers were not reimbursed for their losses in 2023 when they disputed a transaction after falling victim to scams involving Zelle at three major banks: Chase, Bank of America and Wells Fargo. Nearly $102.3 million was not reimbursed in 2023, according to the report.
</p>


<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	The subcommittee found several areas where Congress, regulators and companies that participate in the Zelle Network could take steps to improve consumer protection, including amending the Electronic Fund Transfer Act to require financial institutions to reimburse consumers for “fraudulently induced” authorized transactions.
</p>

<p data-t='{"n":"blueLinks"}'>
	 
</p>

<p data-t='{"n":"blueLinks"}'>
	It was also recommended that the CFPB update Regulation E to require financial institutions to provide greater transparency and clarity on what constitutes a “reasonable” investigation. The goal is to create a higher standard for dispute investigations, giving banks a minimum set of requirements.
</p>

<p>
	<a href="https://www.msn.com/en-us/money/companies/870m-in-zelle-fraud-losses-spark-lawsuit-against-platform-3-major-banks/ar-AA1wfKQF" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27119</guid><pubDate>Sun, 22 Dec 2024 00:19:04 +0000</pubDate></item><item><title>Sophos discloses critical Firewall remote code execution flaw</title><link>https://nsaneforums.com/news/security-privacy-news/sophos-discloses-critical-firewall-remote-code-execution-flaw-r27115/</link><description><![CDATA[<p>
	Sophos has addressed three vulnerabilities in its Sophos Firewall product that could allow remote threat actors, unauthenticated in two of the three cases, to perform SQL injection, achieve remote code execution, and gain privileged SSH access to devices.
</p>

<p>
	 
</p>

<p>
	The vulnerabilities affect Sophos Firewall version 21.0 GA (21.0.0) and older, with the company already releasing hotfixes that are installed by default and permanent fixes through new firmware updates.
</p>

<p>
	 
</p>

<p>
	The three flaws are summarized as follows: 
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		<strong>CVE-2024-12727</strong>: A pre-authentication SQL injection vulnerability in the email protection feature. If a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with High Availability (HA) mode, it allows access to the reporting database, potentially leading to RCE.
	</li>
	<li>
		<strong>CVE-2024-12728</strong>: The suggested, non-random SSH login passphrase for HA cluster initialization remains active after the process completes, leaving systems where SSH is enabled vulnerable to unauthorized access due to predictable credentials.
	</li>
	<li>
		<strong>CVE-2024-12729</strong>: An authenticated user can exploit a code injection vulnerability in the User Portal. This allows attackers with valid credentials to execute arbitrary code remotely, increasing the risk of privilege escalation or further exploitation.
	</li>
</ul>

<p>
	 
</p>

<p>
	The <a href="http://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce" rel="external nofollow" target="_blank">company says</a> CVE-2024-12727 impacts approximately 0.05% of firewall devices with the specific configuration required for exploitation. As for CVE-2024-12728, the vendor says it impacts approximately 0.5% of devices.
</p>

<h2>
	Available fixes
</h2>

<p>
	Hotfixes and complete fixes were made available through various versions and dates, as follows: 
</p>

<p>
	 
</p>

<p>
	Hotfixes for CVE-2024-12727 have been available since December 17 for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, and v19.0 MR2, while a permanent fix was introduced in v21 MR1 and newer.
</p>

<p>
	 
</p>

<p>
	Hotfixes for CVE-2024-12728 were released between November 26 and 27 for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, and v20 MR2, while permanent fixes are included in v20 MR3, v21 MR1 and newer.
</p>

<p>
	 
</p>

<p>
	For CVE-2024-12729, hotfixes were released between December 4 and 10 for versions v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3, and v20 MR3, and a permanent fix is available in v21 MR1 and later.
</p>

<p>
	 
</p>

<p>
	Sophos Firewall hotfixes are installed by default, but you can find instructions on how to apply them and validate that they were successfully installed by referring to <a href="https://support.sophos.com/support/s/article/KBA-000010084?language=en_US" rel="external nofollow" target="_blank">KBA-000010084</a>.
</p>

<p>
	 
</p>

<p>
	Sophos has also proposed workarounds for mitigating risks associated with CVE-2024-12728 and CVE-2024-12729 for those who cannot apply the hotfix or upgrade.
</p>

<p>
	 
</p>

<p>
	To mitigate CVE-2024-12728, it is recommended to limit SSH access only to the dedicated HA link that is physically separated from other network traffic and reconfigure the HA setup using a sufficiently long and random custom passphrase.
</p>

<p>
	 
</p>

<p>
	For remote management and access, disabling SSH over the WAN interface and using Sophos Central or a VPN is generally recommended.
</p>

<p>
	 
</p>

<p>
	To mitigate CVE-2024-12729, it is recommended that admins ensure the User Portal and Webadmin interfaces are not exposed to the WAN.
</p>

<p>
	 
</p>

<p>
	<em>Update 12/20/24: Updated article to explain that hotfixes are installed by default.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/sophos-discloses-critical-firewall-remote-code-execution-flaw/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27115</guid><pubDate>Sat, 21 Dec 2024 17:41:39 +0000</pubDate></item></channel></rss>
