<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/32/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Microsoft patches four security vulnerabilities in the latest Edge update</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-patches-four-security-vulnerabilities-in-the-latest-edge-update-r27091/</link><description><![CDATA[<p>
	Microsoft has released two updates for the Edge browser. One is available for all users in the Stable Channel, and the other is for those using Edge in the Extended Stable Channel (which receives major updates every eight weeks instead of every four). Both updates contain fixes for four high-severity Chromium security vulnerabilities.
</p>

<p>
	 
</p>

<p>
	The update is available under version 131.0.2903.112 (Stable Channel) and 131.0.2903.99 (Extended Stable Channel). Here is what was fixed:
</p>

<p>
	 
</p>

<ul>
	<li>
		<p>
			<a href="https://www.cve.org/CVERecord?id=CVE-2024-12695" rel="external nofollow">CVE-2024-12695</a>: Out-of-bounds write in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
		</p>
	</li>
	<li>
		<p>
			<a href="https://www.cve.org/CVERecord?id=CVE-2024-12694" rel="external nofollow">CVE-2024-12694</a>: Use after free in Compositing in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
		</p>
	</li>
	<li>
		<p>
			<a href="https://www.cve.org/CVERecord?id=CVE-2024-12693" rel="external nofollow">CVE-2024-12693</a>: Out-of-bounds memory access in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
		</p>
	</li>
	<li>
		<p>
			<a href="https://www.cve.org/CVERecord?id=CVE-2024-12692" rel="external nofollow">CVE-2024-12692</a>: Type Confusion in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
		</p>

		<p>
			 
		</p>
	</li>
</ul>

<p>
	Microsoft Edge updates itself automatically in the background, but you can speed things up by opening edge://settings/help, which checks for and installs any available update; the new version takes effect once the browser is restarted.
</p>

<p>
	 
</p>

<p>
	In other Edge news, Microsoft recently shared <a href="https://www.neowin.net/news/microsoft-shares-yearly-edge-stats-including-7-trillion-megabytes-of-saved-ram/" rel="external nofollow">some interesting stats about the browser</a> and its usage in 2024. According to the company, users participated in over 10 billion conversations with Copilot, saved on average $400 with built-in shopping assistant tools, and over 7 trillion megabytes of memory were saved with the Sleeping Tabs feature.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-patches-four-security-vulnerabilities-in-the-latest-edge-update/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of November): 5,298 news posts</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">27091</guid><pubDate>Fri, 20 Dec 2024 17:32:22 +0000</pubDate></item><item><title>$2.2 billion in crypto stolen in 2024, North Korea largely to blame</title><link>https://nsaneforums.com/news/security-privacy-news/22-billion-in-crypto-stolen-in-2024-north-korea-largely-to-blame-r27083/</link><description><![CDATA[<p>
	$2.2 billion worth of crypto was stolen from crypto platforms in 2024, <a href="https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/" rel="external nofollow">Chainalysis has reported</a>. It is the fifth year in the past decade in which more than $1 billion has been stolen; the others were 2018, 2021, 2022, and 2023.
</p>

<p>
	 
</p>

<p>
	One notable shift Chainalysis saw this year was in where crypto was being stolen from. In previous years and in the first quarter of 2024, DeFi (decentralized finance) platforms were the prime targets. During Q2 and Q3, however, the focus moved to centralized platforms; notable hacks hit DMM Bitcoin and WazirX, which lost $305 million and $234.9 million respectively.
</p>

<p>
	 
</p>

<p>
	With more attacks on centralized platforms, Chainalysis highlighted the importance of private key security: 43.8% of hacks were due to compromised private keys, which give the attacker direct control of the funds. It said centralized platforms have to take private key security seriously to prevent thefts.
</p>

<p>
	 
</p>

<p>
	Another notable aspect of crypto theft is the part North Korea has been playing. The country stole $1.34 billion in crypto assets in 2024 across 47 incidents, which is 61% of all crypto stolen this year and 20% of all incidents. Chainalysis says North Korea is sophisticated and relentless when it comes to crypto theft and uses its ill-gotten gains to develop nuclear weapons and ballistic missiles.
</p>

<p>
	 
</p>

<p>
	With Bitcoin's price hitting new highs in recent weeks, crypto hacks become more appealing to criminals looking to make money. For this reason, platforms that people trust need to do everything to bolster their security to prevent hacks.
</p>

<p>
	 
</p>

<p>
	Chainalysis believes that as crypto regulatory frameworks continue to develop, more attention will be brought to the security measures platforms put in place. By working with law enforcement and putting enough resources into responding to hacks, Chainalysis says the industry can become more trusted.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/22-billion-in-crypto-stolen-in-2024-north-korea-largely-to-blame/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27083</guid><pubDate>Fri, 20 Dec 2024 06:17:52 +0000</pubDate></item><item><title>Apple criticizes Meta's numerous requests to access its software tools</title><link>https://nsaneforums.com/news/security-privacy-news/apple-criticizes-metas-numerous-requests-to-access-its-software-tools-r27074/</link><description><![CDATA[<p>
	Apple has criticized Meta's repeated requests to access its software tools, citing risks to user privacy and security. The European Union's Digital Markets Act (DMA) mandates that Apple allow interoperability with rivals and app developers or face fines of up to 10% of its global turnover. By raising concerns over Meta's requests, Apple has underscored its growing rivalry with the social media giant.
</p>

<p>
	 
</p>

<p>
	According to Apple, Meta has made 15 interoperability requests, more than any other company. The requests seek broad access to Apple's technology, which Apple argues compromises user safety. "In many cases, Meta is seeking to alter functionality in a way that raises concerns about the privacy and security of users, and that appears to be completely unrelated to the actual use of Meta external devices, such as Meta smart glasses and Meta Quests," Apple said. The <a href="http://www.neowin.net/news/iphone-17-pro-max-mockups-show-a-new-design-with-a-horizontal-camera-module/" rel="external nofollow">iPhone maker</a> highlighted that many of Meta's requests were unrelated to its hardware, such as its smart glasses and its virtual reality (VR) and mixed reality headsets.
</p>

<p>
	 
</p>

<p>
	Apple claims that granting these requests would expose sensitive data including messages, emails, app usage, photos, and even passwords. The Cupertino-based company said that Meta would be able to "see every phone call they make or receive, track every app that they use, scan all of their photos, look at their files and calendar events, log all of their passwords, and more." The company also pointed to Meta's history of privacy violations in Europe as a cause for alarm.
</p>

<p>
	 
</p>

<p>
	Meta hit back, accusing Apple of using privacy as an excuse to avoid fair competition. A Meta spokesperson said, "What Apple is actually saying is they don't believe in interoperability. Every time Apple is called out for its anticompetitive behavior, they defend themselves on privacy grounds that have no basis in reality."
</p>

<p>
	 
</p>

<p>
	The European Commission, which oversees competition in the EU, has proposed measures under which Apple must respond to developers' access requests, publish updates on its interoperability solutions, and provide a mechanism for resolving disputes. Apple is also required to provide interoperability for features such as iOS notifications across its devices, including the <a href="https://www.neowin.net/news/apple-watch-ultra-3-may-get-satellite-connectivity-and-blood-pressure-monitoring-features/" rel="external nofollow">Apple Watch</a> and <a href="https://www.neowin.net/news/apple-could-introduce-cellular-support-to-vision-pro-successors/" rel="external nofollow">Vision Pro</a>. The Commission will finalize its decision on Apple's compliance by March 2025.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.reuters.com/technology/apple-slams-metas-numerous-interoperability-requests-2024-12-18/" rel="external nofollow">Reuters</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/apple-criticizes-metas-numerous-requests-to-access-its-software-tools/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27074</guid><pubDate>Thu, 19 Dec 2024 16:25:52 +0000</pubDate></item><item><title>Ireland fines Meta $264 million over 2018 Facebook data breach</title><link>https://nsaneforums.com/news/security-privacy-news/ireland-fines-meta-264-million-over-2018-facebook-data-breach-r27034/</link><description><![CDATA[<p>
	The Irish Data Protection Commission (DPC) fined Meta €251 million ($263.6M) over General Data Protection Regulation (GDPR) violations arising from a 2018 personal data breach impacting 29 million Facebook accounts.
</p>

<p>
	 
</p>

<p>
	The breach stemmed from unauthorized parties exploiting user access tokens, <a href="https://www.bleepingcomputer.com/news/security/facebook-vulnerability-affecting-50-million-users-allowed-account-takeover/" rel="external nofollow" target="_blank">exposing sensitive user data</a> such as names, email addresses, phone numbers, and physical locations; children were among those affected.
</p>

<p>
	 
</p>

<p>
	Although Facebook took immediate corrective action upon discovering the <a href="https://www.bleepingcomputer.com/news/technology/facebook-states-30-million-people-affected-by-last-months-view-as-bug/" rel="external nofollow" target="_blank">bug in its "View As" feature</a>, the incident still violated several GDPR articles.
</p>

<p>
	 
</p>

<p>
	Specifically, the Irish DPC says the following GDPR violations are related to the incident:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		<strong>Article 33(3)</strong>: Incomplete breach notification details → €8M fine
	</li>
	<li>
		<strong>Article 33(5)</strong>: Poor documentation of breach facts/remedies → €3M fine
	</li>
	<li>
		<strong>Article 25(1)</strong>: Failure to embed data protection in system design → €130M fine
	</li>
	<li>
		<strong>Article 25(2)</strong>: Failure to limit data processing to what's necessary → €110M fine
	</li>
</ul>

<p>
	 
</p>

<p>
	"This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals," <a href="http://www.dataprotection.ie/en/news-media/press-releases/irish-data-protection-commission-fines-meta-eu251-million" rel="external nofollow" target="_blank">commented Graham Doyle</a>, the DPC's Deputy Commissioner.
</p>

<p>
	 
</p>

<p>
	The DPC has promised to publish the entire decision soon, providing the public with more insight.
</p>

<p>
	 
</p>

<p>
	In response to the DPC's announcement, Meta sent BleepingComputer the following statement:
</p>

<p>
	 
</p>

<p>
	"This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed the people impacted, as well as the Irish Data Protection Commission," Meta told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"We have a wide range of industry-leading measures in place to protect people across our platforms."
</p>

<h2>
	Meta settles in Australia
</h2>

<p>
	Also today, the Australian Information Commissioner announced that Meta has <a href="https://www.oaic.gov.au/news/media-centre/landmark-settlement-of-%2450m-from-meta-for-australian-users-impacted-by-cambridge-analytica-incident" rel="external nofollow" target="_blank">agreed to a $50 million (AUD) settlement</a> for Australian Facebook users impacted by the Cambridge Analytica incident.
</p>

<p>
	 
</p>

<p>
	The settlement resolves privacy breaches under the Privacy Act 1988 involving data disclosed to the This is Your Digital Life app, potentially misused for political profiling.
</p>

<p>
	 
</p>

<p>
	Australians who had Facebook accounts between November 2, 2013, and December 17, 2015, spent over 30 days in Australia, and either installed the This is Your Digital Life app or were friends with someone who did are eligible for compensation.
</p>

<p>
	 
</p>

<p>
	More details about the payment scheme are available on the <a href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/enforceable-undertakings/meta-platforms-inc-enforceable-undertaking" rel="external nofollow" target="_blank">enforceable undertaking page</a>.
</p>

<p>
	 
</p>

<p>
	Meta has sent BleepingComputer a separate statement regarding that development, renouncing past practices.
</p>

<p>
	 
</p>

<p>
	"We settled on a no admissions basis, as it is in the best interest of our community and shareholders that we close this chapter on allegations that relate to past practices no longer relevant to how Meta's products or systems work today. We look forward to continuing to build services Australians love and trust with privacy at the forefront," Meta told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ireland-fines-meta-264-million-over-2018-facebook-data-breach/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">27034</guid><pubDate>Tue, 17 Dec 2024 17:37:25 +0000</pubDate></item><item><title>Back where it started: &#x201C;Do Not Track&#x201D; removed from Firefox after 13 years</title><link>https://nsaneforums.com/news/security-privacy-news/back-where-it-started-%E2%80%9Cdo-not-track%E2%80%9D-removed-from-firefox-after-13-years-r26949/</link><description><![CDATA[<h3>
	A brief history of the privacy you never really got.
</h3>

<p>
	It might not ever be fully dead, but Firefox calling it quits on Do Not Track (DNT) is a strong indication that an idealistic movement born more than 13 years ago has truly reached the end of its viable life.
</p>

<p>
	 
</p>

<p>
	<a href="https://windowsreport.com/mozilla-firefox-removes-do-not-track-feature-support-heres-what-it-means-for-your-privacy/" rel="external nofollow">The Windows Report tech news site spotted</a> that Firefox has removed the option to "Send websites a 'Do Not Track' request" as of version 135, already visible in Nightly builds. Users checking the Website Privacy Preference section will soon see a linked notice that Firefox will no longer support the signal. Firefox's <a href="https://support.mozilla.org/en-US/kb/how-do-i-turn-do-not-track-feature" rel="external nofollow">support page for Do Not Track</a> notes that "Many sites do not respect this indication of a person's privacy preferences, and, in some cases, it can reduce privacy."
</p>

<p>
	 
</p>

<p>
	Google Chrome and Microsoft Edge (based in part on Chrome's open source origin, Chromium) still offer a Do Not Track option, but they are just as ineffective. <a href="https://arstechnica.com/tech-policy/2020/10/coming-to-a-browser-near-you-a-new-way-to-keep-sites-from-selling-your-data/" rel="external nofollow">Global Privacy Control</a> has largely superseded Do Not Track as a supported—and, in some places, legislated—means of signaling a desire not to be tracked.
</p>

<p>
	 
</p>

<p>
	How did we get here, to where Do Not Track is seen as a privacy pariah by its first major adopter?
</p>

<h2>
	Wide adoption, default setting, success?
</h2>

<p>
	The Federal Trade Commission issued a report in 2010 on "<a href="https://www.ftc.gov/reports/preliminary-ftc-staff-report-protecting-consumer-privacy-era-rapid-change-proposed-framework" rel="external nofollow">Protecting Consumer Privacy in an Era of Rapid Change</a>." In it, the FTC built on the ideas of researchers Christopher Soghoian and Sid Stamm, the former of which would go on to work at the FTC itself. The report latched onto the popularity (at the time) of the <a href="https://www.donotcall.gov/" rel="external nofollow">Do Not Call registry</a>, asking for a similar "browser-based mechanism through which consumers could make persistent choices." The issue, then and now, was the ability of advertisers to track the behavior of browser users from site to site to develop profiles of their behavior, making them richer targets for advertising.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2011/01/mozilla-google-take-different-approaches-to-user-tracking-opt-out/" rel="external nofollow">Google's move soon after</a> was to offer a Chrome add-on that would trigger an opt-out supported by the 15 largest advertising networks. This opt-out signal would have persisted even when cookies were wiped. Ars' Ryan Paul described it as "effective and pragmatic" at the time.
</p>

<p>
	 
</p>

<figure class="ars-wp-img-shortcode id-2066258 align-fullwidth">
	<div>
		<div class="ars-lightbox">
			<div class="ars-lightbox-item">
				<img alt="do_not_track.png" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/12/do_not_track.png">
				<div class="pswp-caption-content" id="caption-2066258">
					<em>You don't need to tell me this screenshot is from 2011, I can clearly see the Skitch arrow. </em>

					<div class="ars-gallery-caption-credit">
						<em><em>Credit: Ryan Paul </em></em>
					</div>
				</div>
			</div>
		</div>
	</div>
</figure>

<p>
	Mozilla went a different route, relying on HTTP headers that signaled an opt-out from tracking, but which would put the onus on individual sites to comply. Firefox included a settings option, "Tell web sites I do not want to be tracked," in <a href="https://arstechnica.com/information-technology/2011/03/ars-reviews-firefox-4/#page-4" rel="external nofollow">version 4 of its browser</a>, less than four months after the FTC's challenge to browser makers and advertisers. Ars' Paul wrote at the time:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		It's extremely important to understand that this checkbox doesn't directly block tracking. All it does is broadcast the user's opt-out preference to servers. The obvious problem with this approach is that it doesn't accomplish anything unless there is widespread industry acceptance of the custom header. There is no means of enforcing the preference or compelling advertisers to support it properly. Mozilla added the feature to Firefox 4 with the hope that it would encourage advertisers to get on board.
	</p>
</blockquote>

<p>
	The standard-setting W3C had <a href="https://arstechnica.com/information-technology/2011/11/w3c-privacy-workgroup-issues-first-draft-of-do-not-track-standard/" rel="external nofollow">a draft Do Not Track standard</a> by the end of 2011. In early 2012, the White House <a href="https://arstechnica.com/tech-policy/2012/02/can-do-not-track-tame-the-webs-cookie-monsters/" rel="external nofollow">announced an agreement</a> with 90 percent of behavioral tracking advertisers. While this meant that advertisers who signed on to the DNT agreement would be subject to FTC enforcement, "Apparently, that means companies that choose not to make the commitment will <em>not</em> be subject to FTC enforcement," Ars' Jon Brodkin wrote then. An industry group, the Digital Advertising Alliance, was already clarifying then that it would respect DNT only when users chose it, not as a default, and that users were informed that some information would still be collected.
</p>

<p>
	 
</p>

<p>
	Still, browser makers seemed eager. Microsoft, after <a href="https://arstechnica.com/information-technology/2012/06/ie-10s-do-not-track-default-dies-quick-death/" rel="external nofollow">initial push-back</a>, made DNT <a href="https://arstechnica.com/information-technology/2012/08/microsoft-sticks-to-its-guns-keeps-do-not-track-on-by-default-in-ie10/" rel="external nofollow">a default switched-on option</a> in Internet Explorer 10 (back then, IE was the most-used browser on the web). The <a href="http://arstechnica.com/security/2012/09/apache-webserver-updated-to-ignore-do-not-track-settings-in-ie-10/" rel="external nofollow">Apache webserver</a> and <a href="http://www.ypolicyblog.com/policyblog/2012/10/26/dnt/" rel="external nofollow">Yahoo</a> both blocked IE10's DNT requests as a result. Google, for which web advertising is the vast bulk of its revenue, finally <a href="https://arstechnica.com/tech-policy/2012/11/do-not-track-finally-arrives-with-version-23-of-chrome/" rel="external nofollow">offered Do Not Track in Chrome 23</a> in November 2012.
</p>

<h2>
	DNT now more liability than help
</h2>

<p>
	That moment, when every major browser had a Do Not Track option, was perhaps the height of DNT, and even then, there was a feeling that it could never work. Lorrie Faith Cranor, leader of the Privacy Preferences Project (P3P) that predated DNT, <a href="http://arstechnica.com/tech-policy/2012/02/web-privacy-standards-easy-to-break-hard-to-enforce/" rel="external nofollow">told Ars in 2012</a> that "every time we come up with a technical solution that protects privacy, the websites come up with something they want to do that is broken by this privacy protection."
</p>

<p>
	 
</p>

<p>
	Yahoo, citing itself as the "first major tech company" to implement DNT, announced in 2014 that <a href="https://arstechnica.com/information-technology/2014/05/yahoo-is-the-latest-company-ignoring-web-users-requests-for-privacy/" rel="external nofollow">it no longer would honor it</a>. The firm noted that the White House-organized promise "remains unfulfilled" and that standardized DNT "resulted in deadlock." Soon after, the Electronic Frontier Foundation debuted <a href="https://arstechnica.com/information-technology/2014/05/eff-privacy-badger-plugin-aimed-at-forcing-websites-to-stop-tracking-users/" rel="external nofollow">its Privacy Badger extension</a> as a means of enforcing DNT when users demanded it. In late 2015, the Federal Communications Commission <a href="https://arstechnica.com/information-technology/2015/11/fcc-wont-force-websites-to-honor-do-not-track-requests/" rel="external nofollow">dismissed a petition asking it to enforce DNT</a> among website owners and services like Netflix, mostly on technical grounds, eliminating one of the last hopes for some kind of broad shift.
</p>

<p>
	 
</p>

<p>
	Besides lacking regulatory teeth, DNT was also generally overcome by advancements in tracking. All the signals put out by a browser—plug-ins, time zone, monitor resolution, even the DNT option itself—could be used to effectively track a user, <a href="https://arstechnica.com/information-technology/2017/02/now-sites-can-fingerprint-you-online-even-when-you-use-multiple-browsers/" rel="external nofollow">even across browsers</a>. Apple <a href="https://www.engadget.com/2019-02-07-apple-removes-safari-do-not-track.html" rel="external nofollow">dropped DNT from Safari in 2019</a>, citing both its ineffectiveness and fingerprinting.
</p>

<p>
	 
</p>

<p>
	Concerns about tracking are now mostly left to the user to figure out for themselves, whether that means choosing sites and services that make explicit their policies on tracking, clicking "Reject all" on GDPR-compliant websites and seeing what happens, or using software tools (like <a href="https://arstechnica.com/information-technology/2021/10/securing-your-digital-life-part-2/" rel="external nofollow">VPNs marketed with vague promises</a>) to subvert advertising systems.
</p>

<p>
	 
</p>

<p>
	This week's removal by Mozilla, which was at the vanguard of the Do Not Track movement, is more symbolic than practical. Chrome, the by-far dominant browser, still offers it, even if it disclaims it right underneath the setting. People have shown, overwhelmingly, that they <em>want</em> this kind of privacy, like the <a href="https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/" rel="external nofollow">96 percent of iOS users who opted out</a> of app tracking when Apple offered a blocking option. But they're not going to secure it by asking the advertisers for it.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2024/12/firefox-one-of-the-first-do-not-track-supporters-no-longer-offers-it/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26949</guid><pubDate>Thu, 12 Dec 2024 18:21:36 +0000</pubDate></item><item><title>California could become the first state to require social media warning labels</title><link>https://nsaneforums.com/news/security-privacy-news/california-could-become-the-first-state-to-require-social-media-warning-labels-r26912/</link><description><![CDATA[<h3>
	A new bill would require social platforms to warn users about the potential impact on the mental health of kids and teenagers.
</h3>

<div>
	<div id="zephr-anchor">
		<div>
			<div>
				<p>
					A new California bill <a href="https://oag.ca.gov/news/press-releases/attorney-general-bonta-assemblymember-bauer-kahan-introduce-legislation-require" rel="external nofollow">could require social media platforms</a> to display warning labels about the potential risk to kids and teens. The <a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB56" rel="external nofollow">bill (AB 56)</a>, introduced by Assembly member Rebecca Bauer-Kahan and California Attorney General Rob Bonta, is meant to help address “the growing mental health crisis” among young people.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					If passed, social networks would have to show a “black box warning” to all users, regardless of age, during their first time using the platform. The warning, which platforms must display for 90 seconds or more, would then show up at least once a week following its initial appearance.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					After <a href="https://www.theverge.com/2023/5/23/23734047/social-media-mental-health-warning-us-surgeon-vivek-murthy" rel="external nofollow">issuing a public advisory</a> about social media platforms last year, US Surgeon General Dr. Vivek Murthy <a href="https://www.theverge.com/2024/6/17/24180005/surgeon-general-warning-labels-social-media-mental-health" rel="external nofollow">proposed putting tobacco-like warning labels</a> on social networks <a href="https://www.theverge.com/2022/3/29/23000460/social-media-mental-health-window-puberty" rel="external nofollow">in response to studies</a> that link social platforms to mental health issues in young people. Nearly <a href="https://www.theverge.com/2024/9/10/24240920/state-ags-back-surgeon-general-social-media-warning-labels" rel="external nofollow">40 US states announced their support</a> of the proposal in September.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					“Social media companies have demonstrated an unwillingness to tackle the mental health crisis, instead digging in deeper into harnessing addictive features and harmful content for the sake of profits,” Attorney General Bonta said in the press release. “Warning labels alone are not a panacea, they are another tool in the toolbox to address the growing mental health crisis and protect future generations of children.”
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					In October, Bonta and several other state attorneys general <a href="https://www.theverge.com/2024/10/8/24265169/tiktok-lawsuit-state-attorneys-general-kids-mental-health" rel="external nofollow">filed a lawsuit against TikTok over claims</a> it hurts the mental health of children by designing addicting features and promoting things like beauty filters. Meta is also <a href="https://www.theverge.com/2023/10/24/23930408/meta-instagram-facebook-child-safety-lawsuit-states-kosa" rel="external nofollow">facing a lawsuit from dozens of states</a>, alleging the company misled users about the safety of its products.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					<a href="https://www.theverge.com/2024/3/25/24087979/florida-desantis-social-media-age-verification-parental-consent-law" rel="external nofollow">While some states</a> have moved forward with their own laws regulating the use of social media, <a href="https://www.theverge.com/2024/11/18/24299941/state-ag-letter-congress-pass-child-safety-kosa-deadline" rel="external nofollow">state attorneys general are urging Congress</a> to pass the <a href="https://www.theverge.com/2024/7/30/24205718/senate-passes-kids-online-safety-act-kosa-content-moderation" rel="external nofollow">Kids Online Safety Act (KOSA)</a>.
				</p>

				<p>
					 
				</p>
			</div>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/12/10/24317835/california-social-media-warning-labels-bill" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of November): 5,298 news posts</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">26912</guid><pubDate>Tue, 10 Dec 2024 17:57:35 +0000</pubDate></item><item><title>All Windows 11, 10, Server versions affected by a new zero day, unofficial patch out</title><link>https://nsaneforums.com/news/security-privacy-news/all-windows-11-10-server-versions-affected-by-a-new-zero-day-unofficial-patch-out-r26860/</link><description><![CDATA[<p>
	If you did not receive Windows 11's latest feature update, version 24H2, in its first round of release, you may want to <em>check for updates</em> as Microsoft announced yesterday that it is <a href="https://www.neowin.net/news/microsoft-windows-11-24h2-2024-update-now-available-to-download-for-more-pcs/" rel="external nofollow">rolling out to more systems</a>.
</p>

<p>
	 
</p>

<p>
	On the same day, the team over at 0patch announced that it identified a new Windows vulnerability that allows attackers to steal NTLM credentials using malware. This zero-day security flaw affects all Windows clients, including Windows 11 24H2, and server versions. Microsoft has been made aware of it. 0patch <a href="https://blog.0patch.com/2024/12/url-file-ntlm-hash-disclosure.html" rel="external nofollow">writes</a>:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Our researchers discovered a vulnerability on all Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022.
	</p>

	<p>
		 
	</p>

	<p>
		The vulnerability allows an attacker to obtain a user's NTLM credentials by simply having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such a file, or viewing the Downloads folder where such a file was previously automatically downloaded from the attacker's web page.
	</p>
</blockquote>

<p>
	If you are wondering why Windows Server 2025 is missing from the list, 0patch co-founder Mitja Kolsek says that the team is still testing it, as it is less than a month old and also has <a href="https://www.neowin.net/news/microsoft-details-new-features-performance-boost-in-system-center-windows-server-2025/" rel="external nofollow">NTLM-related enhancements</a>, among other things. Kolsek <a href="https://blog.0patch.com/2024/12/url-file-ntlm-hash-disclosure.html?showComment=1733441170236#c4621914890712102109" rel="external nofollow">writes</a>:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Windows Server 2025 has only been released this November and is still undergoing compatibility testing. We'll start issuing 0day patches for it when testing is completed (and results satisfactory).
	</p>
</blockquote>

<p>
	Microsoft itself understands the security drawbacks of NTLM (New Technology LAN Manager). That is also why the company has already announced the deprecation of the feature and has recommended that users and organizations move on to more <a href="https://www.neowin.net/news/microsoft-confirms-ntlm-is-dead-beyond-windows-11-24h2-and-server-2025/" rel="external nofollow">secure and modern alternatives</a>.
</p>

<p>
	 
</p>

<p>
	To get access to the patch, head over to 0patch Central at <a href="https://central.0patch.com/auth/login" rel="external nofollow">this link</a> and register with a free account.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/all-windows-11-10-server-versions-affected-by-a-new-zero-day-unofficial-patch-out/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26860</guid><pubDate>Fri, 06 Dec 2024 16:52:22 +0000</pubDate></item><item><title>BootKitty UEFI malware exploits LogoFAIL to infect Linux systems</title><link>https://nsaneforums.com/news/security-privacy-news/bootkitty-uefi-malware-exploits-logofail-to-infect-linux-systems-r26799/</link><description><![CDATA[<p>
	<em>Update added below about this bootkit being created by students in Korea's Best of the Best (BoB) cybersecurity training program.</em>
</p>

<p>
	 
</p>

<p>
	The recently uncovered 'Bootkitty' Linux UEFI bootkit exploits the LogoFAIL flaw, tracked as CVE-2023-40238, to target computers running on vulnerable firmware.
</p>

<p>
	 
</p>

<p>
	This is confirmed by firmware security firm Binarly, which discovered LogoFAIL in November 2023 and warned about its potential to be used in actual attacks.
</p>

<h2>
	Bootkitty and LogoFAIL connection
</h2>

<p>
	Bootkitty was <a href="https://www.bleepingcomputer.com/news/security/researchers-discover-bootkitty-first-uefi-bootkit-malware-for-linux/" target="_blank" rel="external nofollow">discovered by ESET</a>, who published a report last week, noting that it is the first UEFI bootkit specifically targeting Linux. However, at this time, it is more of an in-development UEFI malware that only works on specific Ubuntu versions, rather than a widespread threat.
</p>

<p>
	 
</p>

<p>
	LogoFAIL is a set of flaws in the image-parsing code of UEFI firmware images used by various hardware vendors, exploitable by malicious images or logos planted on the EFI System Partition (ESP).
</p>

<p>
	 
</p>

<p>
	"When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms," <a href="https://www.bleepingcomputer.com/news/security/logofail-attack-can-install-uefi-bootkits-through-bootup-logos/" target="_blank" rel="external nofollow">explained Binarly previously</a>.
</p>

<p>
	 
</p>

<p>
	According to Binarly's latest report, Bootkitty embeds shellcode within BMP files ('logofail.bmp' and 'logofail_fake.bmp') to bypass Secure Boot protections by injecting rogue certificates into the MokList variable.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Malicious image files" class="ipsImage" height="425" width="651" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/26/images.jpg">
		<figcaption>
			<em>Malicious image files<br>
			Source: Binarly</em>
		</figcaption>
	</figure>
</div>

<p>
	The 'logofail.bmp' file embeds shellcode at its end, and a negative height value (0xfffffd00) triggers the out-of-bounds write vulnerability during parsing.
</p>

<p>
	 
</p>

<p>
	The legitimate MokList is replaced with a rogue certificate, effectively authorizing a malicious bootloader ('bootkit.efi').
</p>

<p>
	 
</p>

<p>
	After diverting execution to the shellcode, Bootkitty restores overwritten memory locations in the vulnerable function (RLE8ToBlt) with original instructions, so any signs of obvious tampering are erased.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Bootkitty attack overview" class="ipsImage" height="490" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/26/process.jpg">
		<figcaption>
			<em>Bootkitty attack overview<br>
			Source: Binarly</em>
		</figcaption>
	</figure>
</div>

<h2>
	Impact on specific hardware
</h2>

<p>
	Binarly says Bootkitty could impact any device that has not been patched against LogoFAIL, but its current shellcode expects specific code used in firmware modules found on Acer, HP, Fujitsu, and Lenovo computers.
</p>

<p>
	 
</p>

<p>
	The researchers' analysis of the bootkit.efi file determined that Insyde-based Lenovo devices are the most susceptible, as Bootkitty references specific variable names and paths used by this brand. However, this could simply indicate that the developer is testing the bootkit on their own laptop and will add support for a broader range of devices later.
</p>

<p>
	 
</p>

<p>
	Some widely used devices whose latest firmware is still vulnerable to LogoFAIL exploits include IdeaPad Pro 5-16IRH8, Lenovo IdeaPad 1-15IRU7, Lenovo Legion 7-16IAX7, Lenovo Legion Pro 5-16IRX8, and Lenovo Yoga 9-14IRP8.
</p>

<p>
	 
</p>

<p>
	"It's been more than a year since we first sounded the alarm about LogoFAIL and yet, many affected parties remain vulnerable to one or more variants of the LogoFAIL vulnerabilities," <a href="https://www.binarly.io/blog/logofail-exploited-to-deploy-bootkitty-the-first-uefi-bootkit-for-linux" rel="external nofollow" target="_blank">warns Binarly</a>.
</p>

<p>
	 
</p>

<p>
	"Bootkitty serves as a stark reminder of the consequences of when these vulnerabilities are not adequately addressed or when fixes are not properly deployed to devices in the field."
</p>

<p>
	 
</p>

<p>
	If you're using a device with no available security updates to mitigate the LogoFAIL risk, limit physical access, enable Secure Boot, password-protect UEFI/BIOS settings, disable boot from external media, and only download firmware updates from the OEM's official website.
</p>

<p>
	 
</p>

<p>
	<em>Update 12/2/24: </em>ESET updated their <a href="https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/" rel="external nofollow" target="_blank">original BootKitty article</a> today, stating that the project was created by cybersecurity students in Korea's Best of the Best (BoB) training program.
</p>

<p>
	 
</p>

<p>
	"The primary aim of this project is to raise awareness within the security community about potential risks and to encourage proactive measures to prevent similar threats," the program told ESET.
</p>

<p>
	 
</p>

<p>
	"Unfortunately, few bootkit samples were disclosed prior to the planned conference presentation." 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/bootkitty-uefi-malware-exploits-logofail-to-infect-linux-systems/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26799</guid><pubDate>Tue, 03 Dec 2024 05:54:09 +0000</pubDate></item><item><title>ICYMI: Microsoft released new Windows 11/10 Defender update for installations</title><link>https://nsaneforums.com/news/security-privacy-news/icymi-microsoft-released-new-windows-1110-defender-update-for-installations-r26785/</link><description><![CDATA[<p>
	Microsoft published a new Defender update when it released its October 2024 Patch Tuesday (it did not release one in November). This update package is necessary because a Windows installation image may contain old, outdated anti-malware definitions and software binaries. Aside from better security, these updates can also provide improved performance in some cases.
</p>

<p>
	 
</p>

<p>
	Microsoft delivered the latest security definitions for Windows images via security intelligence update version 1.419.396.0. The Defender package version is also the same. Microsoft also published a link to its <a href="https://www.neowin.net/news/microsoft-posts-guide-on-national-public-data-breach-that-leaked-ssns-house-addresses-more/" rel="external nofollow">detailed guidance about the recent NPD data breach</a> which leaked SSNs, house addresses, and more, of over 150 million people.
</p>

<p>
	 
</p>

<p>
	In the support document describing the new update, Microsoft <a href="https://support.microsoft.com/en-us/topic/microsoft-defender-update-for-windows-operating-system-installation-images-1c89630b-61ff-00a1-04e2-2d1f3865450d" rel="external nofollow">explains</a>:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The first hours of a newly installed Windows deployment can leave the system vulnerable because of a Microsoft Defender protection gap. This is because the OS installation images may contain outdated antimalware software binaries.
	</p>

	<p>
		 
	</p>

	<p>
		[..] Devices using either the Windows built-in antivirus or another security solution can benefit from these updates. Defender updates also contain critical performance fixes that will improve the user experience.
	</p>

	<p>
		 
	</p>

	<p>
		[..] This article describes the antimalware update package for Microsoft Defender in the OS installation images (WIM and VHD files). This feature supports the following OS installation images:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Windows 11
		</li>
		<li>
			Windows 10 (Enterprise, Pro, and Home editions)
		</li>
		<li>
			Windows Server 2022
		</li>
		<li>
			Windows Server 2019
		</li>
		<li>
			Windows Server 2016
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		<strong>Version information</strong>
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Defender package version: 1.419.396.0
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		This package updates the anti-malware client, anti-malware engine, and signature versions in the OS installation images to the following versions:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Platform version: 4.18.24090.11
		</li>
		<li>
			Engine version: 1.1.24090.2
		</li>
		<li>
			Security intelligence version: 1.419.396.0
		</li>
	</ul>
</blockquote>

<p>
	From Microsoft's security bulletin, we learn that the security intelligence update <a href="https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.419.396.0" rel="external nofollow">version 1.419.396.0</a> was released last month. It adds threat detections for various backdoors, exploits, and trojans, among other threats. For those wondering, the latest intelligence update is version 1.421.573.0 at the time of writing.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/icymi-microsoft-released-new-windows-1110-defender-update-for-installations/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26785</guid><pubDate>Mon, 02 Dec 2024 02:12:23 +0000</pubDate></item><item><title>Researchers discover first UEFI bootkit malware for Linux</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-discover-first-uefi-bootkit-malware-for-linux-r26757/</link><description><![CDATA[<p>
	The first UEFI bootkit specifically targeting Linux systems has been discovered, marking a shift in stealthy and hard-to-remove bootkit threats that previously focused on Windows.
</p>

<p>
	 
</p>

<p>
	Named 'Bootkitty,' the Linux malware is a proof-of-concept that works only on some Ubuntu versions and configurations rather than a fully fledged threat deployed in actual attacks.
</p>

<p>
	 
</p>

<p>
	Bootkits are malware designed to <a href="https://www.bleepingcomputer.com/news/security/blacklotus-bootkit-bypasses-uefi-secure-boot-on-patched-windows-11/" target="_blank" rel="external nofollow">infect a computer's boot process</a>, loading before the operating system and allowing it to gain control over a system at a very low level.
</p>

<p>
	 
</p>

<p>
	The advantage of this practice is that bootkits can <a href="https://www.bleepingcomputer.com/news/security/new-uefi-bootkit-used-to-backdoor-windows-devices-since-2012/" target="_blank" rel="external nofollow">evade security tools</a> running at the operating system level and modify system components or inject malicious code without risking detection.
</p>

<p>
	 
</p>

<p>
	ESET researchers who <a href="https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/" rel="external nofollow" target="_blank">discovered</a> Bootkitty warn that its existence is a significant evolution in the UEFI bootkit threat space, despite its limited real-world impact at present.
</p>

<h2>
	A Linux bootkit in the making
</h2>

<p>
	ESET discovered Bootkitty after examining a suspicious file (bootkit.efi) uploaded to <a href="https://www.virustotal.com/gui/file/f1f84819bdf395d42c36adb36ded0e7de338e2036e174716b5de71abc56f5d40" rel="external nofollow" target="_blank">VirusTotal</a> in November 2024.
</p>

<p>
	 
</p>

<p>
	Upon analysis, ESET confirmed that this was the first case of a Linux UEFI bootkit to bypass kernel signature verification and preload malicious components during the system boot process.
</p>

<p>
	 
</p>

<p>
	Bootkitty relies on a self-signed certificate, so it won't execute on systems with Secure Boot enabled and only targets certain Ubuntu distributions.
</p>

<p>
	 
</p>

<p>
	Additionally, hardcoded offsets and simplistic byte-pattern matching make it only usable on specific GRUB and kernel versions, so it's unsuitable for widespread deployment.
</p>

<p>
	 
</p>

<p>
	ESET also notes that the malware contains many unused functions and handles kernel-version compatibility poorly, often leading to system crashes.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="ASCII art contained in the bootkit" class="ipsImage" height="163" width="630" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/32/ascii.png">
		<figcaption>
			<em>ASCII art contained in the bootkit<br>
			Source: ESET</em>
		</figcaption>
	</figure>
</div>

<p>
	The malware's buggy nature and the fact that ESET's telemetry shows no signs of Bootkitty on live systems led the researchers to conclude that it is in early-stage development.
</p>

<h2>
	Bootkitty's capabilities
</h2>

<p>
	During boot, Bootkitty hooks UEFI security authentication protocols (EFI_SECURITY2_ARCH_PROTOCOL and EFI_SECURITY_ARCH_PROTOCOL) to bypass Secure Boot's integrity verification checks, ensuring the bootkit loads regardless of security policies.
</p>

<p>
	 
</p>

<p>
	Next, it hooks various GRUB functions like 'start_image' and 'grub_verifiers_open' to manipulate the bootloader's integrity checks for binaries, including the Linux kernel, turning off signature verification.
</p>

<p>
	 
</p>

<p>
	Bootkitty then intercepts the Linux kernel's decompression process and hooks the 'module_sig_check' function. This forces it to always return success during kernel module checks, allowing the malware to load malicious modules.
</p>

<p>
	 
</p>

<p>
	Also, it replaces the first environment variable with 'LD_PRELOAD=/opt/injector.so' so that the malicious library is injected into processes upon system launch.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Part of Bootkitty's execution flow" class="ipsImage" height="480" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/32/execution-flow.png">
		<figcaption>
			<em>Part of Bootkitty's execution flow<br>
			Source: ESET</em>
		</figcaption>
	</figure>
</div>

<p>
	This whole process leaves behind several artifacts, some intended and others not, explains ESET, which is another indication of Bootkitty's lack of refinement.
</p>

<p>
	 
</p>

<p>
	The researchers also noted that the same user who uploaded Bootkitty to VirusTotal also uploaded an unsigned kernel module named 'BCDropper,' but the available evidence only weakly links the two.
</p>

<p>
	 
</p>

<p>
	BCDropper drops an ELF file named 'BCObserver,' a kernel module with rootkit functionality that hides files, processes, and open ports on the infected system.
</p>

<p>
	 
</p>

<p>
	The discovery of this type of malware illustrates how attackers are bringing to Linux malware techniques that were previously confined to Windows, as enterprises increasingly adopt Linux.
</p>

<p>
	 
</p>

<p>
	Indicators of compromise (IoCs) associated with Bootkitty have been shared on this <a href="https://github.com/eset/malware-ioc/tree/master/bootkitty" rel="external nofollow" target="_blank">GitHub repository</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/researchers-discover-bootkitty-first-uefi-bootkit-malware-for-linux/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26757</guid><pubDate>Thu, 28 Nov 2024 02:54:10 +0000</pubDate></item><item><title>Critical 7-Zip Vulnerability Let Attackers Execute Arbitrary Code</title><link>https://nsaneforums.com/news/security-privacy-news/critical-7-zip-vulnerability-let-attackers-execute-arbitrary-code-r26756/</link><description><![CDATA[<p>
	A severe security vulnerability has been discovered in 7-Zip, the popular file compression utility, allowing remote attackers to execute malicious code through specially crafted archives.
</p>

<p>
	 
</p>

<p>
	The vulnerability, tracked as CVE-2024-11477, has received a high CVSS score of 7.8, indicating significant security risk for users of affected versions.
</p>

<p>
	 
</p>

<p>
	The flaw specifically exists within the Zstandard decompression implementation, where improper validation of user-supplied data can result in an integer underflow before writing to memory.
</p>

<p>
	 
</p>

<p>
	This vulnerability enables attackers to execute arbitrary code in the context of the current process when users interact with malicious archives.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.zerodayinitiative.com/advisories/ZDI-24-1532/" rel="external nofollow"><span style="color:#e74c3c;">According</span></a> to Nicholas Zubrisky of Trend Micro Security Research, attackers can exploit this vulnerability by convincing users to open carefully prepared archives, which could be distributed through email attachments or shared files.
</p>

<p>
	 
</p>

<p>
	The Zstandard format, particularly prevalent in <a href="https://cybersecuritynews.com/best-linux-firewalls/" rel="external nofollow"><span style="color:#e74c3c;">Linux environments</span></a>, is commonly used in various file systems, including Btrfs, SquashFS, and OpenZFS.
</p>

<p>
	 
</p>

<p>
	The vulnerability poses significant risks as it allows attackers to:
</p>

<ul>
	<li>
		Execute arbitrary code on affected systems
	</li>
	<li>
		Gain the same access rights as logged-in users
	</li>
	<li>
		Potentially achieve complete system compromise
	</li>
</ul>

<p>
	 
</p>

<p>
	<span><strong>Mitigation and Fixes</strong></span>
</p>

<p>
	7-Zip has addressed this security issue in version 24.07. Since the software lacks an integrated update mechanism, users must manually download and install the latest version to protect their systems. IT administrators and software developers who implement 7-Zip in their products should immediately update their installations to the patched version.
</p>

<p>
	 
</p>

<p>
	The vulnerability was initially reported to 7-Zip in June 2024, with the coordinated public disclosure occurring on November 20, 2024. Security experts emphasize the importance of prompt patching, as the vulnerability requires minimal technical expertise to exploit, though no known malware is currently targeting this flaw.
</p>

<p>
	 
</p>

<p>
	This incident highlights the critical importance of input validation in application security, particularly when processing data from potentially untrusted sources.
</p>

<p>
	Organizations and individuals using 7-Zip or products that incorporate its functionality should prioritize updating to the latest version to maintain system security.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://cybersecuritynews.com/7-zip-vulnerability-arbitrary-code/" rel="external nofollow">https://cybersecuritynews.com/7-zip-vulnerability-arbitrary-code/</a>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">26756</guid><pubDate>Wed, 27 Nov 2024 23:08:54 +0000</pubDate></item><item><title>Bluesky may not train AI on your posts, but others can, and users are furious</title><link>https://nsaneforums.com/news/security-privacy-news/bluesky-may-not-train-ai-on-your-posts-but-others-can-and-users-are-furious-r26751/</link><description><![CDATA[<p>
	Bluesky has <a href="http://www.neowin.net/news/bluesky-wont-train-ai-on-your-posts-which-is-what-x-does/" rel="external nofollow">positioned itself as a haven for users</a> who are frustrated with how platforms like X and Meta handle user content, particularly in training AI models. It’s built on the decentralized AT Protocol, which is supposed to give users more control and transparency. Yet, a recent incident has shown how being open-source and decentralized has its downsides.
</p>

<p>
	 
</p>

<p>
	Daniel van Strien, a machine learning librarian at Hugging Face, compiled a dataset of one million Bluesky posts using Bluesky’s Firehose API. This dataset wasn’t anonymized; it included user content along with decentralized identifiers (DIDs), which made it traceable. His goal was to support machine learning research and experimentation with social media data. The dataset quickly became popular on <a href="https://huggingface.co/datasets/bluesky-community/one-million-bluesky-posts" rel="external nofollow">Hugging Face</a>, a platform that hosts open-source AI tools, and it has been trending among other projects for a while.
</p>

<p>
	 
</p>

<p>
	Van Strien <a href="https://bsky.app/profile/danielvanstrien.bsky.social/post/3lbu6l4fxdc2e" rel="external nofollow">posted about the dataset on Bluesky</a>, and users reacted strongly. Many of them are vocal about their opposition to AI training on their posts, a stance that aligns with Bluesky’s policy. The platform explicitly states it doesn’t use user content for training generative AI models, though it does rely on AI for moderation and feed algorithms. This dataset, however, became a major point of controversy, triggering a wave of criticism. Users argued that their posts were being used without consent, violating the principles Bluesky was founded on.
</p>

<p>
	 
</p>

<p>
	Van Strien eventually removed the dataset and <a href="https://bsky.app/profile/danielvanstrien.bsky.social/post/3lbvih4luvk23" rel="external nofollow">issued an apology</a>. He admitted that while his intentions were to advance tools for the Bluesky platform, the lack of transparency and user consent in his approach was a mistake. The repository hosting the project remains up on Hugging Face, but the dataset itself is no longer available.
</p>

<p>
	 
</p>

<div data-oembed-url="https://bsky.app/profile/danielvanstrien.bsky.social/post/3lbvih4luvk23">
	<blockquote class="QuoteNewsStyle" data-bluesky-cid="bafyreihxnqyxmxhvlypksm65xe6d7ga5wjx7ux6jdsvwtfexenglked7bi" data-bluesky-uri="at://did:plc:7e5mpxuweopubhexwqg5l3ba/app.bsky.feed.post/3lbvih4luvk23">
		<p lang="en">
			I've removed the Bluesky data from the repo. While I wanted to support tool development for the platform, I recognize this approach violated principles of transparency and consent in data collection. I apologize for this mistake.
		</p>

		<p>
			 
		</p>
		— <a href="https://bsky.app/profile/did:plc:7e5mpxuweopubhexwqg5l3ba?ref_src=embed" rel="external nofollow">Daniel van Strien (@danielvanstrien.bsky.social)</a> <a href="https://bsky.app/profile/did:plc:7e5mpxuweopubhexwqg5l3ba/post/3lbvih4luvk23?ref_src=embed" rel="external nofollow">2024-11-27T02:19:57.958Z</a>
	</blockquote>
</div>

<p>
	Bluesky's open-source and public architecture allows third parties to use its data freely, including for purposes the platform and its users may strongly oppose. <a href="https://docs.bsky.app/docs/advanced-guides/firehose" rel="external nofollow">Bluesky’s Firehose API</a>, which streams all public posts in real time, was instrumental in this dataset's creation. While it’s a feature designed for transparency and innovation, it also opens doors for potential misuse.
</p>

<p>
	 
</p>

<p>
	Bluesky’s response has been measured but clear. A spokesperson (via <a href="https://www.404media.co/someone-made-a-dataset-of-one-million-bluesky-posts-for-machine-learning-research/" rel="external nofollow">404Media</a>) compared the platform to the open internet, where public data can be indexed and used, sometimes against the wishes of the original creators. They expressed interest in developing ways for users to signal whether they consent to their content being used in such projects, but no concrete solutions are in place yet.
</p>

<p>
	 
</p>

<p>
	The irony is that many users left platforms like X to escape having their content used for AI training. X and Meta have openly added clauses to their terms of service <a href="https://www.neowin.net/news/elon-musk-is-silently-training-his-grok-ai-on-your-x-data-but-you-can-stop-him/" rel="external nofollow">allowing such use</a>. Bluesky, with its decentralized model, seemed like the antidote. Now, users realize that decentralization doesn’t necessarily protect them from third parties doing what they please with public data.
</p>

<p>
	 
</p>

<p>
	The debate has been intense, with the controversy echoing the kinds of public uproars that were common on old Twitter. For Bluesky, it may be its first major "pitchfork-wielding" controversy. It’s a telling moment for the platform, which is <a href="https://www.neowin.net/news/bluesky-adds-1-million-new-users-in-just-a-day-after-going-public/" rel="external nofollow">still in its early stages of growth</a> and figuring out how to navigate the challenges that come with its unique setup.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/bluesky-may-not-train-ai-on-your-posts-but-others-can-and-users-are-furious/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:14px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:14px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:14px;"><em>2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts</em></span>
</p>

<p>
	<strong><span style="font-size:14px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">26751</guid><pubDate>Wed, 27 Nov 2024 17:26:14 +0000</pubDate></item><item><title>Microsoft clarifies it does not use your Office documents to train AI models</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-clarifies-it-does-not-use-your-office-documents-to-train-ai-models-r26750/</link><description><![CDATA[<p>
	Several days ago, <a href="https://x.com/nixcraft/status/1860530950041485565" rel="external nofollow">news broke</a> about Microsoft scraping data from Office documents to train its AI models and making it very hard to opt out. While the general response was typically negative, some users noticed that the report was not quite accurate. It turned out they were right.
</p>

<p>
	 
</p>

<p>
	Microsoft has responded to the allegations and clarified that it does not use user data from Office documents for AI training. "Optional connected experiences," the feature that was accused of data scraping, does not relay your document data to Microsoft. It is only used for additional online capabilities in Office products, such as cloud fonts, templates, weather on the calendar, co-authoring, and more.
</p>

<p>
	 
</p>

<p>
	Some users <a href="https://x.com/CyberCakeX/status/1860961895441686975" rel="external nofollow">responded</a> to the report with <a href="https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/connected-experiences" rel="external nofollow">a link to the official documentation</a> describing what "Connected experiences in Office" means, and Microsoft confirmed that in its own reply on X (via <a href="https://www.theverge.com/2024/11/27/24307284/microsoft-debunks-office-ai-data-scraping-rumors" rel="external nofollow">The Verge</a>).
</p>

<p>
	 
</p>


<p>
	While the official documentation is pretty straightforward, it is easy to understand why some people got spooked. It says that connected experiences "analyze your content," and some falsely assumed that means AI data training. These days, with every tech company obsessed with AI to oblivion, it is not surprising to see people overreacting to the lack of transparency.
</p>

<p>
	 
</p>

<p>
	It is good to see Microsoft clarifying the situation and putting an end to fake news. However, it would be nice for the company to update its documentation so that it explicitly states that Office apps do not send your data for AI training. <a href="https://youtu.be/VETOSYXL7LY" rel="external nofollow">Adobe was forced to do that</a> not so long ago, and it looks like it is now Microsoft's turn.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-clarifies-it-does-not-use-your-office-documents-to-train-ai-models/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26750</guid><pubDate>Wed, 27 Nov 2024 17:16:20 +0000</pubDate></item><item><title>Tech giants strongly oppose Australia's ban on social media for children under 16</title><link>https://nsaneforums.com/news/security-privacy-news/tech-giants-strongly-oppose-australias-ban-on-social-media-for-children-under-16-r26739/</link><description><![CDATA[<p>
	The Australian government has proposed new legislation that <a href="https://www.neowin.net/news/the-uk-could-follow-australias-footsteps-in-banning-social-media-for-those-under-16/" rel="external nofollow">bans children under 16 from using social media platforms</a>. While the government is preparing to move forward with the new plan, some major tech firms have raised their voices against it, urging the government to delay the bill for further investigations.
</p>

<p>
	 
</p>

<p>
	According to the proposed legislation, Australian children under the age of 16 can no longer create accounts on social platforms, including Instagram, Facebook, Snapchat, and Reddit. As highlighted by <a href="https://www.bloomberg.com/news/articles/2024-11-25/meta-tiktok-google-slam-australia-s-under-16-social-media-ban" rel="external nofollow">Bloomberg</a>, underage children can't even bypass the ban with parental permission. Social platforms are obligated to apply the restriction, and any violation could lead to fines of up to A$50 million ($32.5 million) for the platform.
</p>

<p>
	 
</p>

<p>
	Now, Google, Meta, X, and TikTok have submitted their concerns to the Australian Senate, calling for a delay in passing the legislation to better understand its potential impact on children.
</p>

<p>
	 
</p>

<p>
	Google and Meta argued that the government should wait for the results of the age verification trial as any potential ban "overlooks the practical reality of age assurance technology." As noted in Meta's submission, "In the absence of such results, neither industry nor Australians will understand the nature or scale of age assurance required by the Bill nor the impact of such measures on Australians."
</p>

<p>
	 
</p>

<p>
	Moreover, X's submission described the bill as "vague," adding, "There is no evidence that banning young people from social media will work, and to make it law in the form proposed is highly problematic." Elon Musk also <a href="https://x.com/elonmusk/status/1859479797329535168" rel="external nofollow">reacted to the proposed legislation</a>, saying it "Seems like a backdoor way to control access to the Internet by all Australians."
</p>

<p>
	 
</p>

<p>
	However, there are numerous unclear aspects of the proposed bill. Crucially, the government has not yet detailed the workings of the <a href="https://www.neowin.net/news/onlyfans-bitchute-and-twitch-improve-child-safety-ahead-of-online-safety-act-enforcement/" rel="external nofollow">age verification process</a>. In the midst of this uncertainty, Australian Communications Minister Michelle Rowland has stated that the process does not require children to upload their identification documents. This raises the question: how will platforms determine if a user is under 16? No one actually knows!
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/tech-giants-strongly-oppose-australias-ban-on-social-media-for-children-under-16/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26739</guid><pubDate>Wed, 27 Nov 2024 02:48:45 +0000</pubDate></item><item><title>QNAP addresses critical flaws across NAS, router software</title><link>https://nsaneforums.com/news/security-privacy-news/qnap-addresses-critical-flaws-across-nas-router-software-r26721/</link><description><![CDATA[<p>
	QNAP has released security bulletins over the weekend, which address multiple vulnerabilities, including three critical severity flaws that users should address as soon as possible.
</p>

<p>
	 
</p>

<p>
	Starting with QNAP Notes Station 3, a note-taking and collaboration application used on the firm's NAS systems, the following two vulnerabilities affect it:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-38643" rel="external nofollow" target="_blank">CVE-2024-38643</a></strong> – Missing authentication for critical functions could allow remote attackers to gain unauthorized access and execute specific system functions. The lack of proper authentication mechanisms makes it possible for attackers to exploit this flaw without prior credentials, leading to potential system compromise. (CVSS v4 score: 9.3, "critical")
	</li>
	<li>
		<strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-38645" rel="external nofollow" target="_blank">CVE-2024-38645</a></strong> – Server-side request forgery (SSRF) vulnerability that could enable remote attackers with authentication credentials to send crafted requests that manipulate server-side behavior, potentially exposing sensitive application data.
	</li>
</ul>

<p>
	 
</p>

<p>
	QNAP has resolved these issues in Notes Station 3 version 3.9.7 and recommends users update to this version or later to mitigate the risk. Instructions on updating are <a href="https://www.qnap.com/en-us/security-advisory/qsa-24-36" rel="external nofollow" target="_blank">available in this bulletin</a>.
</p>

<p>
	 
</p>

<p>
	The other two issues listed in the same bulletin, <strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-38644" rel="external nofollow" target="_blank">CVE-2024-38644</a></strong> and <strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-38646" rel="external nofollow" target="_blank">CVE-2024-38646</a></strong>, are high-severity (CVSS v4 scores: 8.7 and 8.4) command injection and unauthorized data access problems that require user-level access to exploit.
</p>

<h2>
	QuRouter flaws
</h2>

<p>
	The third critical flaw QNAP addressed on Saturday is <strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-48860" rel="external nofollow" target="_blank">CVE-2024-48860</a></strong>, impacting QuRouter 2.4.x products, QNAP's line of high-speed, secure routers.
</p>

<p>
	 
</p>

<p>
	The flaw, rated 9.5 "critical" according to CVSS v4, is an OS command injection flaw that could allow remote attackers to execute commands on the host system.
</p>

<p>
	 
</p>

<p>
	QNAP also fixed a second, less severe command injection problem tracked as <strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-48861" rel="external nofollow" target="_blank">CVE-2024-48861</a></strong>, with <a href="https://www.qnap.com/en-au/security-advisory/qsa-24-44" rel="external nofollow" target="_blank">both issues addressed</a> in QuRouter version 2.4.3.106.
</p>

<h2>
	Other QNAP fixes
</h2>

<p>
	Other products that received important fixes this weekend are <a href="https://www.qnap.com/en-us/security-advisory/qsa-24-40" rel="external nofollow" target="_blank">QNAP AI Core</a> (AI engine), <a href="https://www.qnap.com/en-us/security-advisory/qsa-24-46" rel="external nofollow" target="_blank">QuLog Center</a> (log management tool), <a href="https://www.qnap.com/en-us/security-advisory/qsa-24-43" rel="external nofollow" target="_blank">QTS</a> (standard OS for NAS devices), and <a href="https://www.qnap.com/en-us/security-advisory/qsa-24-43" rel="external nofollow" target="_blank">QuTS Hero</a> (advanced version of QTS).
</p>

<p>
	 
</p>

<p>
	Here's a summary of the most important flaws that were fixed in those products, with a CVSS v4 rating between 7.7 and 8.7 (high).
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-38647" rel="external nofollow" target="_blank">CVE-2024-38647</a></strong>: Information exposure problem that could allow remote attackers to gain access to sensitive data and compromise system security. The flaw affects QNAP AI Core version 3.4.x and has been resolved in version 3.4.1 and later.
	</li>
	<li>
		<strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-48862" rel="external nofollow" target="_blank">CVE-2024-48862</a></strong>: Link-following flaw that could allow remote unauthorized attackers to traverse the file system and access or modify files. It impacts QuLog Center versions 1.7.x and 1.8.x, and was fixed in versions 1.7.0.831 and 1.8.0.888.
	</li>
	<li>
		<strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-50396" rel="external nofollow" target="_blank">CVE-2024-50396</a></strong> and <strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-50397" rel="external nofollow" target="_blank">CVE-2024-50397</a></strong>: Improper handling of externally controlled format strings, which could allow attackers to access sensitive data or modify memory. CVE-2024-50396 can be exploited remotely to manipulate system memory, while CVE-2024-50397 requires user-level access. Both vulnerabilities have been resolved in QTS 5.2.1.2930 and QuTS hero h5.2.1.2929.
	</li>
</ul>

<p>
	 
</p>

<p>
	QNAP customers are strongly advised to install the updates as soon as possible to remain protected against potential attacks.
</p>

<p>
	 
</p>

<p>
	As always, QNAP devices should never be connected directly to the Internet and should instead be deployed behind a VPN to prevent remote exploitation of flaws.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/qnap-addresses-critical-flaws-across-nas-router-software/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26721</guid><pubDate>Tue, 26 Nov 2024 02:50:57 +0000</pubDate></item><item><title>Microsoft testing Windows 11 support for third-party passkeys</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-testing-windows-11-support-for-third-party-passkeys-r26698/</link><description><![CDATA[<p>
	Microsoft is now testing WebAuthn API updates that add support for using third-party passkey providers for Windows 11 passwordless authentication.
</p>

<p>
	 
</p>

<p>
	Passkeys use biometric authentication, such as fingerprints and facial recognition, to provide a more secure and convenient alternative to traditional passwords, thus significantly reducing data breach risks.
</p>

<p>
	 
</p>

<p>
	Redmond has been collaborating with credential providers like 1Password, Bitwarden, and others <a href="https://blogs.windows.com/windowsdeveloper/2024/10/08/passkeys-on-windows-authenticate-seamlessly-with-passkey-providers/" rel="external nofollow" target="_blank">since early October</a> when it first announced that it would create a new plugin authentication model for passkeys in Windows.
</p>

<p>
	 
</p>

<p>
	As the company revealed today, users will soon have the option to choose from third-party passkey providers in addition to the native Windows one for authentication through Windows Hello using the same passkey you created on a mobile device.
</p>

<p>
	 
</p>

<p>
	"We are releasing updates to WebAuthn APIs to support a plugin authentication model for passkeys," the <a href="http://blogs.windows.com/windows-insider/2024/11/22/announcing-windows-11-insider-preview-build-22635-4515-beta-channel/" rel="external nofollow" target="_blank">Windows Insider team said today</a>.
</p>

<p>
	 
</p>

<p>
	"In the coming months, Windows customers will be able to choose a third-party provider as an additional choice alongside the native Windows passkey provider while maintaining the Windows Hello user experience.
</p>

<p>
	 
</p>

<p>
	"Messages in WebAuthn flows will be forwarded to the plugin and responses are returned to the WebAuthn client applications. This enables plugins to create and authenticate with passkeys when requested by the customer."
</p>

<p>
	 
</p>

<p>
	These updates are rolling out today to Windows Insiders in the Beta Channel who install Preview Build 22635.4515 (KB5046756). Redmond also asked customers using the new feature to share feedback on the Feedback Hub platform under the Privacy &gt; Passkey category.
</p>

<p>
	 
</p>

<p>
	Microsoft has also <a href="https://aka.ms/3P-Plugin-API" rel="external nofollow" target="_blank">released source code</a> to help developers create their own plugins to support their own passkey platforms.
</p>

<p>
	 
</p>

<p>
	The company joined the FIDO Alliance and other major platforms to support passkeys as a <a href="https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/" rel="external nofollow" target="_blank">standard passwordless sign-in method</a>, endorsing <a href="https://www.w3.org/TR/2018/CR-webauthn-20180320/" rel="external nofollow" target="_blank">Web Authentication (WebAuthn)</a> credentials (also known as FIDO credentials).
</p>

<p>
	 
</p>

<p>
	Most recently, in May, Redmond rolled out support for <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-passkey-auth-for-personal-microsoft-accounts/" target="_blank" rel="external nofollow">passkey authentication for personal Microsoft accounts</a> after adding a <a href="https://www.bleepingcomputer.com/news/microsoft/windows-11-22h2-adds-a-built-in-passkey-manager-for-windows-hello/" target="_blank" rel="external nofollow">built-in passkey manager for Windows Hello</a> with the Windows 11 22H2 feature update.
</p>

<p>
	 
</p>

<p>
	Today, Microsoft also started rolling out the ability to resume working on OneDrive files from iOS and Android phones on Windows 11 PCs running the latest Windows 11 Beta Preview build for Insiders.
</p>

<p>
	 
</p>

<p>
	In a separate announcement, the company also <a href="https://blogs.windows.com/msedgedev/2024/11/22/introducing-microsoft-edge-game-assist-preview/" rel="external nofollow" target="_blank">introduced Microsoft Edge Game Assist (Preview)</a>, an in-game web browser optimized for PC gaming that will appear on top of your game in Game Bar.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-testing-windows-11-support-for-third-party-passkeys/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26698</guid><pubDate>Sun, 24 Nov 2024 03:14:07 +0000</pubDate></item><item><title>Hackers abuse Avast anti-rootkit driver to disable defenses</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-abuse-avast-anti-rootkit-driver-to-disable-defenses-r26697/</link><description><![CDATA[<p>
	A new malicious campaign is using a legitimate but old and vulnerable Avast Anti-Rootkit driver to evade detection and take control of the target system by disabling security components.
</p>

<p>
	 
</p>

<p>
	The malware that drops the driver is a variant of an AV Killer of no particular family. It comes with a hardcoded list of 142 names for security processes from various vendors.
</p>

<p>
	 
</p>

<p>
	Since the driver can operate at kernel level, it provides access to critical parts of the operating system and allows the malware to terminate processes.
</p>

<p>
	 
</p>

<p>
	Security researchers at cybersecurity company Trellix recently discovered a new attack that leverages the bring-your-own-vulnerable-driver (BYOVD) approach with an old version of the anti-rootkit driver to stop security products on a targeted system.
</p>

<p>
	 
</p>

<p>
	They explain that a piece of malware with the file name <em>kill-floor.exe</em> drops the vulnerable driver with the file name <em>ntfs.bin</em> in the default Windows user folder. Next, the malware creates the service ‘aswArPot.sys’ using the Service Control utility (sc.exe) and registers the driver.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Attack chain" class="ipsImage" height="339" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Healthcare/01/chain.jpg">
		<figcaption>
			<em>Attack chain<br>
			Source: Trellix</em>
		</figcaption>
	</figure>
</div>

<p>
	The malware then uses a hardcoded list of 142 processes associated with security tools and checks it against multiple snapshots of active processes on the system.
</p>

<p>
	 
</p>

<p>
	Trellix researcher Trishaan Kalra <a href="https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/" rel="external nofollow" target="_blank">says</a> that when it finds a match, "the malware creates a handle to reference the installed Avast driver."
</p>

<p>
	 
</p>

<p>
	It then leverages the ‘DeviceIoControl’ API to issue the required IOCTL commands to the driver to terminate the matched process.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="List of targeted products" class="ipsImage" height="653" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Healthcare/01/av-list.jpg">
		<figcaption>
			<em>List of targeted processes<br>
			Source: Trellix</em>
		</figcaption>
	</figure>
</div>

<p>
	As seen in the screenshot above, the malware targets processes from various security solutions, including those from McAfee, Symantec (Broadcom), Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry.
</p>

<p>
	 
</p>

<p>
	With defenses deactivated, the malware can perform malicious activities without triggering alerts to the user or getting blocked.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" data-widget="image" style="display:inline-block">
		<img alt="Terminating security processes" class="ipsImage" height="506" style="height: auto;" width="966" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Healthcare/01/termination.jpg">
		<figcaption>
			<em>Terminating security processes<br>
			Source: Trellix</em>
		</figcaption>
	</figure>
</div>

<p>
	It is worth noting that the driver and similar procedures were observed in early 2022 by researchers at Trend Micro while investigating an <a href="https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html" rel="external nofollow" target="_blank">AvosLocker ransomware attack</a>.
</p>

<p>
	 
</p>

<p>
	In December 2021, Stroz Friedberg’s Incident Response Services team found that Cuba ransomware attacks used a script that abused a function in Avast's Anti-Rootkit kernel driver to kill security solutions on victims' systems.
</p>

<p>
	 
</p>

<p>
	Around the same time, researchers at <a href="https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/" rel="external nofollow" target="_blank">SentinelLabs discovered</a> two high-severity flaws (CVE-2022-26522 and CVE-2022-26523) that had been present since 2016, which could be exploited "to escalate privileges enabling them to disable security products."
</p>

<p>
	 
</p>

<p>
	The two issues were reported to Avast in December 2021 and the company addressed them silently with security updates.
</p>

<p>
	 
</p>

<p>
	Protecting against attacks that rely on vulnerable drivers is possible by using rules that can identify and block components based on their signatures or hashes, such as <a href="https://www.trellix.com/assets/instructions/byovd-expert-rule.pdf" rel="external nofollow" target="_blank">this one</a> that Trellix recommends.
</p>

<p>
	 
</p>

<p>
	Microsoft also has solutions, such as the <a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules" rel="external nofollow" target="_blank">vulnerable driver blocklist policy file</a>, which is updated with every major Windows release. Starting with the Windows 11 2022 Update, the list is active by default on all devices. The latest version of the list can be applied through App Control for Business.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-avast-anti-rootkit-driver-to-disable-defenses/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26697</guid><pubDate>Sun, 24 Nov 2024 03:13:24 +0000</pubDate></item><item><title>An ad giant wants to run your next TV&#x2019;s operating system</title><link>https://nsaneforums.com/news/security-privacy-news/an-ad-giant-wants-to-run-your-next-tv%E2%80%99s-operating-system-r26670/</link><description><![CDATA[<h3>
	Sonos is rumored to be building a streaming box running The Trade Desk's OS.
</h3>

<p>
	An ad company’s foray into TV operating systems (OSes) illustrates a significant shift for TV hardware toward products that are increasingly focused on <a href="https://arstechnica.com/gadgets/2024/08/tv-industrys-ads-tracking-obsession-is-turning-your-living-room-into-a-store/" rel="external nofollow" target="_blank">ad sales and tracking</a>.
</p>

<p>
	 
</p>

<p>
	With more people using web-based streaming for TV, smart TV OSes have become the most lucrative part of the TV business. OS owners accumulate valuable data on how people use their smart TVs and streaming sticks, which is helpful for OS operators as well as third parties, like companies paying for ads distributed via TV OSes. Meanwhile, the smart TV ad business is growing rapidly, with GroupM, the world's biggest media investment firm, expecting ad revenue to reach $38.3 billion this year, a 20.1 percent year-over-year increase.
</p>

<p>
	 
</p>

<p>
	That trend has pushed TV OS operators, from Vizio and Roku to Samsung and LG, to seek new ways to <a href="https://arstechnica.com/gadgets/2024/10/streaming-industry-has-unprecedented-surveillance-manipulation-capabilities/" rel="external nofollow">incorporate ads and tracking</a> into their TV software. Now, an ad tech giant is planning to become a TV OS provider itself.
</p>

<p>
	 
</p>

<p>
	The Trade Desk, which was founded in 2009 and sells one of the world's most popular demand-side platforms (that enables advertisers to purchase real-time automated digital ads across various publishers), plans to launch the Ventura TV OS in the second half of 2025, CEO Jeff Green told <a href="https://www.axios.com/2024/11/20/the-trade-desk-smart-tv-operating-system-ventura" rel="external nofollow">Axios</a> this week.
</p>

<p>
	 
</p>

<p>
	The Trade Desk told Axios that it has been working on the OS for three years. Its announcement of Ventura painted an image of software designed to cater to advertisers and didn't detail specific user features that represent improvements over the TV OSes available today. The company claimed that it would improve the user experience with features that many TV OSes already offer, like "cross-platform content discovery, personalization, subscription management, and ultimately fewer (more relevant) ads." The Trade Desk has also suggested that Ventura would be a more impartial content referrer since it doesn't own content, unlike other TV OS providers such as Amazon and Roku.
</p>

<p>
	Per The Trade Desk, Ventura's other top "benefits" will include a "cleaner supply chain for streaming TV advertising, minimizing supply chain hops and costs—ensuring maximum ROI for every advertising dollar and optimized yield for publishers" and improved ad targeting.
</p>

<h2>
	<strong>TVs sold at a loss in order to bolster ad businesses</strong>
</h2>

<p>
	The Trade Desk plans to sell Ventura to TV manufacturers and distributors, plus other types of companies, like airlines, hotel chains, and "gaming companies," Axios reported.
</p>

<p>
	The ad tech firm says it isn't looking to make money off of the OS directly and doesn't plan to make hardware.
</p>

<p>
	Instead, Ventura is supposed to benefit The Trade Desk by helping its advertiser customers reach more people. Differing from how TV owners traditionally view TV software's purpose, Ventura will prioritize the ability to show TV owners the most appealing type of ads. Green will consider Ventura a success "if it drives more pricing transparency and stronger measurement for the CTV advertising ecosystem writ large," per Axios.
</p>

<p>
	Ventura has reportedly garnered interest from Sonos already, CEO Patrick Spence told Axios. Sonos is <a href="https://www.bloomberg.com/news/articles/2023-11-21/sonos-plans-400-500-headphones-tv-set-top-box-video-roam-2-new-sound-bar" rel="external nofollow">rumored</a> to be developing a streaming set-top box. The audio company's serious and public <a href="https://www.lowpass.cc/p/sonos-the-trade-desk-tv-streamer-os?_bhlid=86819a07eaee6c63f83a2be9b06cd78421e1d450&amp;utm_campaign=scoop-sonos-teams-up-with-the-trade-desk-on-tv-streaming-device&amp;utm_medium=newsletter&amp;utm_source=www.lowpass.cc" rel="external nofollow">consideration</a> of something like Ventura hints at the type of business approach it may take with streaming hardware.
</p>

<p>
	The Trade Desk's interest in creating a TV OS centered on being helpful to advertisers indicates how important ads have become to TVs and/or TV software companies. Some, like Vizio and Roku, have embraced this shift so much that they're selling TVs "at somewhere between -3 and -7 percent margin" in a scramble to attract users, Paul Gray, Omdia’s research director of consumer electronics and devices, said at a <a href="https://www.hbbtv.org/event/12th-hbbtv-symposium-and-awards-2024/#:~:text=The%2012th%20HbbTV%20Symposium%20and,co%2Dhosted%20with%20Everyone%20TV." rel="external nofollow">CTV industry conference</a> earlier this month, per <a href="https://www.broadbandtvnews.com/2024/11/18/tv-companies-selling-sets-at-a-loss-for-advertising-rewards/" rel="external nofollow">Broadband TV News</a>. Then there's <a href="https://arstechnica.com/gadgets/2023/05/double-screen-free-tv-will-show-you-ads-even-when-not-in-use/" rel="external nofollow">Telly</a>, a startup that has given TVs away for free so it can sell and track ads. (Telly TVs also have a secondary screen that can show ads when the TV is off.)
</p>

<p>
	As companies continue to leverage TV software to sell ads and gather user data, TV owners will likely continue seeing fewer options for an ad-free TV viewing experience.
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2024/11/an-ad-giant-wants-to-control-your-next-tvs-operating-system/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">26670</guid><pubDate>Fri, 22 Nov 2024 02:46:02 +0000</pubDate></item><item><title>5 charged in &#x201C;Scattered Spider,&#x201D; one of the most profitable phishing scams ever</title><link>https://nsaneforums.com/news/security-privacy-news/5-charged-in-%E2%80%9Cscattered-spider%E2%80%9D-one-of-the-most-profitable-phishing-scams-ever-r26654/</link><description><![CDATA[<h3>
	Phishing attacks were so well-orchestrated that they fooled some of the best in the business.
</h3>

<p>
	Federal prosecutors have charged five men with running an extensive phishing scheme that allegedly allowed them to compromise hundreds of companies nationwide, gain non-public information, and steal millions of dollars in cryptocurrency.
</p>

<p>
	The charges, detailed in court documents unsealed Wednesday, pertain to a crime group security researchers have dubbed Scattered Spider. Members were behind a massive breach on <a href="https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/" rel="external nofollow">MGM last year</a> that cost the casino and resort company $100 million. MGM preemptively shut down large parts of its internal networks after discovering the breach, causing slot machines and keycards for thousands of hotel rooms to stop working and slowing electronic transfers. Scattered Spider also breached the internal network of authentication provider <a href="https://arstechnica.com/information-technology/2022/08/phishers-who-hit-twilio-and-cloudflare-stole-10k-credentials-from-136-others/" rel="external nofollow">Twilio</a>, which allowed the group to hack or target hundreds of other companies.
</p>

<h2>
	Not your father’s phishing campaign
</h2>

<p>
	Key to Scattered Spider’s success were phishing attacks so methodical and well-orchestrated they were hard to detect even when <a href="https://arstechnica.com/information-technology/2022/08/phishers-breach-twilio-and-target-cloudflare-using-workers-home-numbers/" rel="external nofollow">sophisticated defenses were implemented</a>. Microsoft researchers, who track the group under the name Octo Tempest, <a href="https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/" rel="external nofollow">declared</a> it “one of the most dangerous financial criminal groups.”
</p>

<p>
	In multiple filings, federal prosecutors named the five defendants as:
</p>

<ul>
	<li aria-level="1">
		Ahmed Hossam Eldin Elbadawy, 23, aka “AD,” of College Station, Texas;
	</li>
	<li aria-level="1">
		Noah Michael Urban, 20, aka “Sosa” and “Elijah,” of Palm Coast, Florida;
	</li>
	<li aria-level="1">
		Evans Onyeaka Osiebo, 20, of Dallas;
	</li>
	<li aria-level="1">
		Joel Martin Evans, 25, aka “joeleoli,” of Jacksonville, North Carolina; and
	</li>
	<li aria-level="1">
		Tyler Robert Buchanan, 22, of the UK.
	</li>
</ul>

<p>
	“We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” US Attorney Martin Estrada <a href="https://www.justice.gov/usao-cdca/pr/5-defendants-charged-federally-running-scheme-targeted-victim-companies-phishing-text" rel="external nofollow">said</a>. “As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses. If something about the text or email you received or website you’re viewing seems off, it probably is.”
</p>

<p>
	Prosecutors allege that the phishing attacks ran from at least September 2021 to April 2023. During that time, the defendants sent text messages to mobile phones of employees of the targeted companies that purported to come from the IT departments of their employers.
</p>

<p>
	The text messages often falsely warned that the employees’ accounts would be deactivated imminently unless they clicked on links to malicious sites that were designed to look like legitimate websites used by victim companies. The phishing sites attempted to lure the employees into providing confidential information, including account login credentials. Some employees took the bait by visiting the sites, entering their credentials, and authenticating their identities with two-factor authentication. Scattered Spider then entered the intercepted passwords and 2FA credentials into the legitimate sites and gained access to the employee accounts.
</p>

<p>
	Once inside targeted companies’ networks, the defendants allegedly stole confidential information, including personal information, such as account credentials, names, email addresses, and telephone numbers. Prosecutors said the defendants also used information stolen from hacked companies and elsewhere to access cryptocurrency accounts or wallets of “numerous individuals” and take millions of dollars' worth of digital coins.
</p>

<p>
	If convicted, each defendant faces a maximum sentence of 20 years in prison for conspiracy to commit wire fraud, up to five years in federal prison for one count of conspiracy, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan also faces up to 20 years in prison if he is convicted of wire fraud.
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2024/11/prosecutors-charge-5-in-phishing-scams-that-stole-millions-of-dollars/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26654</guid><pubDate>Thu, 21 Nov 2024 18:14:42 +0000</pubDate></item><item><title>Amazon and Audible flooded with 'forex trading' and warez listings</title><link>https://nsaneforums.com/news/security-privacy-news/amazon-and-audible-flooded-with-forex-trading-and-warez-listings-r26628/</link><description><![CDATA[<p>
	Amazon, Amazon Music, and Audible, an Amazon-owned online audiobook and podcast service, have been flooded with bogus listings that push dubious "forex trading" sites, Telegram channels, and suspicious links claiming to offer pirated software.
</p>

<h2>
	Amazon listings promote illicit sites
</h2>

<p>
	Yesterday, BleepingComputer reported how threat actors were <a href="https://www.bleepingcomputer.com/news/security/spotify-abused-to-promote-pirated-software-and-game-cheats/" target="_blank" rel="external nofollow">abusing Spotify playlists and podcasts</a> to promote pirated software and game cheats.
</p>

<p>
	The playlist names, podcast descriptions, and bogus "episodes" in these listings urged listeners to visit external links to dubious websites.
</p>

<p>
	We have now come across several listings on Amazon's websites including <em>amazon.com</em>, <em>amazon.co.uk</em>, <em>amazon.com.au</em>, and Amazon Music that promote dubious "forex trading" schemes and link to "warez" sites.
</p>

<p>
	Spammers are additionally abusing Audible podcasts as another vector to promote their illicit operations.
</p>

<p>
	No digital platform that's open to all is immune from being spammed. What makes cases involving Spotify or Amazon peculiarly interesting is that one would instinctively expect the overhead associated with podcast and digital music distribution to deter spammers, who would otherwise rely on low-hanging fruit such as <em>writing</em> spammy social media posts or uploading YouTube videos with tainted descriptions.
</p>

<p>
	The Amazon Music (Colombia) listing shown below appears in Google search results for "download bookmap... final full crack":
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Amazon listing about software cracks" class="ipsImage" height="467" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/amazon-forex-crack-listing/amazon-crack-listing.jpg">
		<figcaption>
			<em>An Amazon Music listing with links to software cracks or "warez" sites<br>
			(BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	Similarly, Amazon websites <a href="https://archive.md/sKCUd" rel="external nofollow" target="_blank">including amazon.com</a> and .com.au were caught serving listings for "bot trading software" laden with external links.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Amazon listing for bot trading software" class="ipsImage" height="398" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/amazon-forex-crack-listing/amazon-forex-listing.jpg">
		<figcaption>
			<em>Amazon listing for 'bot trading software' offered 'crack free' (BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	BleepingComputer observed the length of the audio "episodes" published under these "podcasts" was zero seconds. As such, these listings served no purpose other than flooding Amazon's digital properties in an attempt to boost the search engine ranking for spammy domains, a technique referred to as <a href="https://www.bleepingcomputer.com/news/security/google-search-results-poisoned-with-torrent-sites-via-data-studio/" target="_blank" rel="external nofollow">SEO poisoning</a>.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="SEO poisoning at work" class="ipsImage" height="608" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/amazon-forex-crack-listing/amazon-seo-google.jpg">
		<figcaption>
			<em>SEO poisoning using Amazon's domains (BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	BleepingComputer reached out to Amazon and Audible with our questions and shared one of the example listings with Amazon well in advance of publishing.
</p>

<p>
	Amazon removed the example listing across its websites but did not respond to our questions.
</p>

<h2>
	'Trading' marketplaces and Telegram channels
</h2>

<p>
	A common trend we observed among many such listings was the mention of a dubious "trading platform" called EliteMarketMovers.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="EliteMarketMovers mentioned" class="ipsImage" height="448" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/amazon-forex-crack-listing/elite-mention.jpg">
		<figcaption>
			<em>'EliteMarketMovers' mentioned repeatedly in listings (BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	Some listings send users off to the Telegram and YouTube channels of this "marketplace."
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Telegram channel" class="ipsImage" height="529" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/amazon-forex-crack-listing/telegram.jpg">
		<figcaption>
			<em>Telegram channel (BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	While the "EliteMarketMovers.com" domain no longer responds due to a likely server misconfiguration, we peeked into the <a href="https://web.archive.org/web/20240309200458/https://elitemarketmovers.com/" rel="external nofollow" target="_blank">archived copies</a> of the website:
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="EliteMarketMovers site" class="ipsImage" height="590" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/amazon-forex-crack-listing/elite.jpg">
		<figcaption>
			<em>'EliteMarketMovers' website retrieved from archives (Wayback Machine)</em>
		</figcaption>
	</figure>
</div>

<p>
	The website claims to offer several "trading pairs" and "top forex robot" products, but there's little indication or assurance that these are authentic offerings or that the platform is a licensed and regulated entity in your jurisdiction. 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="A product being offered at EliteMarketMovers" class="ipsImage" height="720" width="648" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/amazon-forex-crack-listing/algodna.jpg">
		<figcaption>
			<em>A product being offered at EliteMarketMovers (BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<h2>
	Spam an ongoing problem for podcast distribution services
</h2>

<p>
	As we explored yesterday, like several Spotify "podcasts", these listings are also abusing third-party podcast publication and distribution services to push their bogus products on high ranking websites like Amazon.
</p>

<p>
	BleepingComputer noticed an identical "Powered by Firstory" banner on these listings, implying the "podcast" producers are abusing Firstory to promote their operations across Amazon, Spotify, and other streaming platforms:
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Powered by Firstory banner" class="ipsImage" height="508" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/amazon-forex-crack-listing/firstory-banner.jpg">
		<figcaption>
			<em>Powered by 'Firstory Hosting' banner (BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	Launched in 2019, <a href="https://firstory.me/" rel="external nofollow" target="_blank">Firstory</a> is an online service designed to "empower podcasters in the world to distribute everywhere and start to connect with audiences!"
</p>

<p>
	One can use Firstory to publish podcasts on Spotify, but the platform acknowledges that spam is an ongoing problem that it is focusing on curtailing.
</p>

<p>
	"Spam accounts and content are ongoing challenges, and it's something we continue to focus on improving," wrote Firstory co-founder Stanley Yu to BleepingComputer in response to our questions yesterday.
</p>

<p>
	Anyone can use Firstory to publish podcasts to streaming platforms.
</p>

<p>
	"However, we do have certain filters in place to prevent accounts using specific fraudulent domains or email addresses containing variations such as account+[numbers]@gmail.com or '.' in emails."
</p>

<p>
	"These spam accounts not only violate the rights of the creators we value most, but they also drive up our operational costs. We've dedicated considerable resources to addressing this issue," states Yu.
</p>

<p>
	In addition to collaborating closely with streaming platforms, Firstory continues to report infringing content to platforms, employ technology to scan podcast titles and shownotes for specific spammy keywords, and block suspicious email addresses used by threat actors to pollute these platforms.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/amazon-and-audible-flooded-with-forex-trading-and-warez-listings/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26628</guid><pubDate>Wed, 20 Nov 2024 16:50:07 +0000</pubDate></item><item><title>The UK could follow Australia's footsteps in banning social media for those under 16</title><link>https://nsaneforums.com/news/security-privacy-news/the-uk-could-follow-australias-footsteps-in-banning-social-media-for-those-under-16-r26627/</link><description><![CDATA[<p>
	Australia is making waves with its bold move to ban social media for kids under 16, and the UK seems to be eyeing the playbook. The Aussies have proposed legislation that would block under-16s from platforms like TikTok, Instagram, and X. With this legislation, they hope to keep kids safe from the ugly side of the internet (cyberbullying and harmful content). Prime Minister Anthony Albanese summed it up: parents are "worried sick" about what their kids might run into online.
</p>

<p>
	If this law passes, it’s not an instant switch. Platforms would have a year to adjust and start proving they’re enforcing the rules. But not everyone’s cheering for it. Critics, including digital industry groups like DIGI, think it could do more harm than good. Their argument? Banning kids might cut them off from online communities that are actually helpful, and maybe teaching digital literacy would be a smarter move.
</p>

<p>
	Now, the UK hasn’t officially jumped on this bandwagon yet, but it’s not hard to picture. The country has been wrestling with its own tech regulation challenges. Its Online Safety Bill has already stirred up serious conversations about protecting young people online. If Australia’s plan works out, the UK might just follow suit, especially since the concerns—mental health, online predators, and so on—are pretty universal.
</p>

<p>
	The back-and-forth between social media companies, kids, and governments is getting intense. Authorities are clamping down hard, with fines and even jail time being proposed for social media execs who fail to protect kids. For example, the <a href="https://www.neowin.net/news/uk-online-safety-bill-threatens-social-media-companies-ad-revenue-and-user-numbers/" rel="external nofollow">UK’s Online Safety Bill</a> could impose serious penalties if platforms don’t keep younger users safe. These companies are now scrambling to keep up.
</p>

<p>
	Social media platforms like Instagram have <a href="https://www.neowin.net/news/instagram-introduces-video-selfie-and-social-vouching-as-new-options-to-verify-age/" rel="external nofollow">rolled out features to protect kids</a>, such as age-verification tools and better privacy controls. But, as usual, these changes are coming pretty late, mostly after governments start pushing for more action. Some companies are even considering creating independent oversight groups to help make sure the rules are followed.
</p>

<p>
	At the same time, governments are tightening their grip, forcing platforms to do more. They want to see things like tougher age restrictions and better transparency on how social media companies are dealing with underage users. But it’s not an easy fix. Kids are still finding ways around age checks, and companies still rely heavily on their revenue from younger users.
</p>

<p>
	Source: <a href="https://www.bbc.com/news/articles/ce9gpdrx829o" rel="external nofollow">BBC</a>
</p>

<p>
	<a href="https://www.neowin.net/news/the-uk-could-follow-australias-footsteps-in-banning-social-media-for-those-under-16/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26627</guid><pubDate>Wed, 20 Nov 2024 16:47:16 +0000</pubDate></item><item><title>Microsoft Edge is getting scareware blocker and secure password deployment option</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edge-is-getting-scareware-blocker-and-secure-password-deployment-option-r26608/</link><description><![CDATA[<p>
	At Ignite 2024, Microsoft announced new security and management features for Edge, including a new scareware blocker, that make the browser better for enterprises and users.
</p>

<p>
	IT admins can manage the Edge browser within their network using the Microsoft Edge management service in the Microsoft 365 admin center. In some cases within an enterprise, passwords for certain websites are shared among a set of users. Users generally share credentials via email or chats. To prevent such insecure sharing of passwords, the Microsoft Edge management service will soon allow IT admins to deploy an encrypted, shared password to a specific set of users.
</p>

<p>
	This will allow those specific users to sign in to websites without knowing the actual passwords. Through this new method, only the users designated by IT admins can access the common webpage or resource, preventing password misuse. Microsoft mentioned that the secure password deployment feature will be available in preview in the coming months for Microsoft 365 Business Premium, E3, and E5 license customers.
</p>

<p>
	Based on IT admin feedback, Microsoft is now enabling the <a href="https://www.neowin.net/news/microsoft-edge-123-is-now-available-in-the-stable-channel/" rel="external nofollow">Edge management service</a> to deploy browser policies both from the cloud and through Intune. The Edge management service will be the place for browser-first management, and this new Edge management experience is now available in preview.
</p>

<p>
	<a href="https://www.neowin.net/news/windows-defender-will-soon-scareware-apps-like-cleaners-and-optimizers/" rel="external nofollow">Scareware</a> is already on the rise among online scams. Most online users have encountered messages like, “Your computer is infected, click here.” The new scareware blocker in Microsoft Edge will help protect users from such online scams. When a user comes across a website with a warning such as, “Your computer is infected, click here,” the new scareware blocker in Edge will alert the user that it is illegitimate information.
</p>

<p>
	Microsoft mentioned that the scareware blocker is AI-powered and will continuously improve its detection capabilities based on user feedback. The new scareware blocker feature is expected to be available in preview for both consumer and commercial customers in the coming months.
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-edge-is-getting-scareware-blocker-and-secure-password-deployment-option/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26608</guid><pubDate>Tue, 19 Nov 2024 18:02:34 +0000</pubDate></item><item><title>Huge leak reveals what iPhones and Androids the secretive tech tool Graykey can unlock</title><link>https://nsaneforums.com/news/security-privacy-news/huge-leak-reveals-what-iphones-and-androids-the-secretive-tech-tool-graykey-can-unlock-r26607/</link><description><![CDATA[<p>
	A massive leak has revealed the inner workings of Graykey, a powerful phone unlocking tool widely used by law enforcement for digital forensics. For the first time, detailed insights have been shared about its capabilities—particularly concerning newer iPhones running iOS 18.
</p>

<p>
	The leaked documents, <a href="https://www.404media.co/leaked-documents-show-what-phones-secretive-tech-graykey-can-unlock-2/" rel="external nofollow">initially shared by 404 Media</a>, show that while Graykey can still unlock many iPhones, there are limits. It works on devices from the iPhone 12 to the iPhone 16 series, but it can only access partial data from those running iOS 18 and the smaller update, iOS 18.0.1. For users hoping to retrieve everything from their devices, Graykey doesn't quite deliver—there’s still plenty it can’t get to.
</p>

<figure class="image image--expandable">
	<img alt="A screenshot of one of the documents showing Graykey capabilities against iPhones running iOS 180 an" class="ipsImage" height="459" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/11/1732034695_iphones-recent.jpg">
	<figcaption>
		<em>Image: 404 Media</em>
	</figcaption>
</figure>

<p>
	A significant twist in this leak is that it doesn’t clearly explain what Graykey can do with iPhones running iOS 18.1, <a href="https://www.neowin.net/news/apple-intelligence-launches-with-ios-181-ipados-181-and-macos-sequoia-151/" rel="external nofollow">which was released just last month</a>. It seems Graykey hasn't caught up to this version yet, and as for phones running the beta versions of iOS 18, forget it: Graykey can’t unlock them at all. 404 Media has provided full versions of the leak <a href="https://docs.google.com/spreadsheets/d/1gf1F8U7VFweBmOc9u10dfvkAWl3KKxZv/edit?gid=1779629987#gid=1779629987" rel="external nofollow">here</a> and <a href="https://docs.google.com/spreadsheets/d/1qZESd9Zj5HkMZnIjLStSNWEyKvs8Drk5/edit?gid=1587154452#gid=1587154452" rel="external nofollow">here</a>.
</p>

<p>
	While Graykey’s work on iPhones is increasingly tricky due to Apple's constant security updates, its performance with Android devices isn’t much better. It can unlock partial data from Google Pixel devices—up to the Pixel 9—but only if the phone is in an “After First Unlock” state, meaning the device must have been unlocked at least once since booting up.
</p>

<p>
	This leak is a big deal because it gives us a rare look into what Graykey can actually do and what it can’t. Before this, its capabilities were shrouded in secrecy. Forensic experts now have a much clearer picture of its strengths and weaknesses when it comes to cracking iPhones.
</p>

<p>
	However, just because Graykey can’t unlock every piece of data doesn’t mean its battle with Apple and Google is over. In fact, it's all part of a long-running cat-and-mouse game. While Apple and Google push updates to protect user data, forensic companies like Grayshift and Cellebrite work tirelessly to stay ahead, trying to overcome obstacles like the USB Restricted Mode, <a href="https://www.neowin.net/news/experts-reveal-why-iphones-are-suddenly-rebooting-themselves-leaving-police-stumped/" rel="external nofollow">Inactivity Reboot</a>, and other security measures Apple has introduced in recent years.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/huge-leak-reveals-what-iphones-and-androids-the-secretive-tech-tool-graykey-can-unlock/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">26607</guid><pubDate>Tue, 19 Nov 2024 18:01:41 +0000</pubDate></item><item><title>Spotify abused to promote pirated software and game cheats</title><link>https://nsaneforums.com/news/security-privacy-news/spotify-abused-to-promote-pirated-software-and-game-cheats-r26606/</link><description><![CDATA[<p>
	Spotify playlists and podcasts are being abused to push pirated software, game cheat codes, spam links, and "warez" sites.
</p>

<p>
	 
</p>

<p>
	By injecting targeted keywords and links in playlist names and podcast descriptions, threat actors may benefit from boosting SEO for their dubious online properties, since Spotify's web player results appear in search engines like Google.
</p>

<h2>
	Spotify playlists pushing <em>warez</em>
</h2>

<p>
	When abusing platforms, spammers and scammers leave no stone unturned to promote their agenda.
</p>

<p>
	 
</p>

<p>
	Most recently, a Spotify playlist with the title "Sony Vegas Pro 13 Crack..." appeared to drive traffic to one or more "free" software sites listed in the playlist title and description.
</p>

<p>
	 
</p>

<p>
	Cybersecurity enthusiast Karol Paciorek, who <a href="https://twitter.com/karol_paciorek/status/1858477716456005923" rel="external nofollow" target="_blank">spotted</a> the playlist, said, "cybercriminals exploit Spotify for malware distribution. Why? Spotify has a strong reputation and its pages are easily indexed by search engines, making it an effective platform to promote malicious links."
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Spotify playlist promoting Sony Vegas Pro pirated software" class="ipsImage" height="515" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/spotify-abused-spam/1731934401334.jpeg">
		<figcaption>
			<em>Spotify playlist promoting Sony Vegas Pro "crack"<br>
			(Karol Paciorek)</em>
		</figcaption>
	</figure>
</div>

<p>
	The terms "warez" or "crack" are frequently used in the computing culture to refer to bootleg or pirated software circulating on the internet, often on untrustworthy websites.
</p>

<p>
	 
</p>

<p>
	There's no guarantee, ever, that attempting to download counterfeit software products from such websites or via "torrents" will be risk-free, as the downloads could be malware or lead users to bogus "survey" sites that are scams.
</p>

<p>
	 
</p>

<p>
	Users who download such "warez" may indeed, on occasion, receive the software program advertised on the suspicious websites without coughing up a fee, but may unknowingly end up with viruses, adware, or other unwanted programs hidden in the "cracked" version of the software.
</p>

<h2>
	Added benefit: SEO for spam sites
</h2>

<p>
	We observed that a side effect of polluting trustworthy and vastly popular platforms like Spotify with spam, for threat actors, is the added boost to the search engine rankings of their shady websites.
</p>

<p>
	 
</p>

<p>
	Those searching for keywords like "free download" combined with "Sony Vegas Pro 13" or other software products may be presented with the following Google results:
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Spotify podcasts and playlists appear in search results" class="ipsImage" height="370" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/spotify-abused-spam/spotify-google-results.jpg">
		<figcaption>
			<em>Spotify playlists and podcasts appear in search results<br>
			(BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	This is made possible because, in addition to mobile and desktop apps, Spotify offers a web player version at <em>open.spotify.com</em>. Playlists and podcasts available on the web player are, as with any website, crawled by search engines like Google.
</p>

<p>
	 
</p>

<p>
	This means the illicit "free" software websites now have greater visibility and a higher chance of driving traffic to their servers—which are often riddled with ads, spam content, bogus "surveys," and crypto giveaways that one would have to navigate through to, perhaps, be able to finally download a cracked software product, which is once again bound to be risky.
</p>

<p>
	 
</p>

<p>
	We asked Spotify if it had any controls or automated technologies in place to catch and prevent spam, and if any third-party Spotify apps or services were being abused to sneak in spam content on the platform.
</p>

<p>
	 
</p>

<p>
	Spotify deleted the "Sony Vegas Pro" playlist and podcast and their spokesperson responded:
</p>

<p>
	 
</p>

<p>
	"The playlist title in question has been removed," Spotify informed BleepingComputer.<br>
	<br>
	"Spotify's <a href="https://www.spotify.com/us/safetyandprivacy/platform-rules" rel="external nofollow" target="_blank">Platform Rules</a> prohibit posting, sharing, or providing instructions on implementing malware or related malicious practices that seek to harm or gain unauthorized access to computers, networks, systems, or other technologies."
</p>

<p>
	 
</p>

<p>
	We did not get an answer to our other questions.
</p>

<h2>
	Podcast 'episodes' use synthesized speech
</h2>

<p>
	BleepingComputer discovered Spotify's spam problem was not limited to playlists promoting links to pirated software but bootleg digital content in general, including eBooks.
</p>

<p>
	 
</p>

<p>
	Compared to playlists, we observed much greater instances of spurious podcasts, each with several "episodes," published with the apparent intention of promoting spam links, "torrents," and Telegram channels that seem to be scams.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Several Spotify podcasts and playlists promoting pirated digital eBooks" class="ipsImage" height="278" style="height: auto;" width="600" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/spotify-abused-spam/more-epub-spam.jpg">
		<figcaption>
			<em>Several Spotify podcasts and playlists promoting ePubs and eBook PDFs<br>
			(BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Spurious Spotify podcasts promoting ebooks and torrents" class="ipsImage" height="363" style="height: auto;" width="600" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/spotify-abused-spam/podcast-ebooks.jpg">
		<figcaption>
			<em>eBook and "torrent" podcasts on Spotify<br>
			(BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	These "episodes" are about ten to twenty seconds long, and comprise synthesized speech audio that directs users to visit the "link in the description." One such episode is transcribed below:
</p>

<p>
	 
</p>

<p>
	"Hello viewers, welcome to my channel, there is good news from me, if you want to download or listen to audiobooks from this channel, please click the link in the description and sign up there then you will get unlimited book access, please follow me I am looking for several ebook and audiobook options. Thank you for coming to my channel, warm greetings from me."
</p>

<p>
	 
</p>

<p>
	These links lead to a page that does have "download" or "read online" buttons featured next to the advertised book's digital cover image. Clicking either button, however, attempts to either launch a survey or, worse, directs users to <a href="https://chromewebstore.google.com/detail/adblock-popup-ads/mdbglkdbdommcbnepklehgbhceaejkph/reviews?an=at&amp;cid=460f66f1e9b4ef2efd53ee975e4d3e8b&amp;sid=24934902" rel="external nofollow" target="_blank">flimsy "ad block" Chrome extensions</a> which may instead be collecting your data:
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Adblock extension ads" class="ipsImage" height="320" style="height: auto;" width="600" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/spotify-abused-spam/adblock-ad.jpg">
		<figcaption>
			<strong>Dubious "adblock" Chrome extension ads </strong>(BleepingComputer)
		</figcaption>
	</figure>
</div>

<h2>
	Next up: Game cheats and "GTA V" mods
</h2>

<p>
	Similarly, some <a href="http://archive.is/XyAXu" rel="external nofollow" target="_blank">podcasts we discovered</a> claimed to offer game cheat codes for hit titles like Apex Legends, Fortnite hacks, Roblox scripts, "GTA V mods," and trainers.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="cheat codes" class="ipsImage" height="285" style="height: auto;" width="400" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/spotify-abused-spam/podcast-game-cheats.jpg">
		<figcaption>
			<em>Podcast description contains keywords for game cheats and hacks<br>
			(BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	The "Free Cheat Codes" text in the description of this example episode was clickable and led to a <em>cheater.ninja</em> website:
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Cheater ninja website pushed via podcasts" class="ipsImage" height="349" style="height: auto;" width="600" src="https://www.bleepstatic.com/images/news/u/1164866/2024/Nov/spotify-abused-spam/cheater-ninja.jpg">
		<figcaption>
			<em>A "Cheater.ninja" game cheats website pushed via podcasts (BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	In August, security researcher <em>@g0njxa</em> shared examples of "Fortnite" spammers abusing the platform too:
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/g0njxa/status/1826270148556189762" rel="external nofollow" target="_blank">Tweet by @g0njxa showing "Fortnite" spam podcasts on Spotify</a>
</p>

<h2>
	Published via third-party podcast distribution services
</h2>

<p>
	Interestingly, while platforms like Spotify may have automated technologies and barriers that restrict invalid playlist names or descriptions, third-party apps and services are another vector that threat actors tap into to get their foot in the door.
</p>

<p>
	 
</p>

<p>
	A common denominator among many, though not all, such "podcasts" was the use of third-party services that provide hosting, publication, and distribution services to podcast producers across streaming platforms including Spotify.
</p>

<p>
	 
</p>

<p>
	We noticed a "<a href="https://archive.is/wip/Lw25u" rel="external nofollow" target="_blank">Powered by Firstory Hosting</a>" banner appended to the description area of these podcasts.
</p>

<p>
	 
</p>

<p>
	Launched in 2019, <a href="https://firstory.me/" rel="external nofollow" target="_blank">Firstory</a> is an online service designed to "empower podcasters in the world to distribute everywhere and start to connect with audiences!"
</p>

<p>
	 
</p>

<p>
	One can use Firstory to publish podcasts on Spotify, but the platform acknowledges that spam is an ongoing problem that it is focusing on curtailing.
</p>

<p>
	 
</p>

<p>
	"Spam accounts and content are ongoing challenges, and it's something we continue to focus on improving," wrote Firstory co-founder Stanley Yu to BleepingComputer in response to our questions.
</p>

<p>
	 
</p>

<p>
	"Anyone can use our platform to publish podcasts on Spotify. However, we do have certain filters in place to prevent accounts using specific fraudulent domains or email addresses containing variations such as account+[numbers]@gmail.com or '.' in emails."
</p>

<p>
	 
</p>

<p>
	"These spam accounts not only violate the rights of the creators we value most, but they also drive up our operational costs."
</p>

<p>
	 
</p>

<p>
	"We've dedicated considerable resources to addressing this issue."
</p>

<p>
	 
</p>

<p>
	Yu shared that the security measures in place include email verification and blocking; that is, conducting "a series of checks to block suspicious or fraudulent email addresses during the account registration process."
</p>

<p>
	 
</p>

<p>
	Further, the platform works closely with Spotify and, according to Yu, promptly reviews and reports any infringing content detected.
</p>

<p>
	 
</p>

<p>
	"We also have API integration with Spotify to remove any flagged content."
</p>

<p>
	 
</p>

<p>
	"We scan podcast titles and show notes for specific keywords like EPUB, PDF, etc., to prevent the hosting of spammy content. A challenge here is that some episodes use variations such as "E.P.U.B." or contain terms like "epub" in unrelated contexts (e.g., "republic"). These cases require extra attention during our review process," Yu concluded.
</p>

<p>
	 
</p>

<p>
	From sneaking in <a href="https://www.bleepingcomputer.com/news/technology/tinder-spam-campaign-hides-handwritten-links-in-profile-images/" target="_blank" rel="external nofollow">"handwritten" links in dating profiles</a> to hijacking <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-14-year-old-cms-editor-on-govt-edu-sites-for-seo-poisoning/" target="_blank" rel="external nofollow">government</a> and <a href="https://www.bleepingcomputer.com/news/security/university-websites-using-mediawiki-twiki-hacked-to-serve-fortnite-spam/" target="_blank" rel="external nofollow">university websites</a>, unscrupulous actors have repeatedly employed novel tactics to push unwanted content to the masses. And, now they won't leave you in peace with your favorite music either.
</p>

<p>
	 
</p>

<p>
	<em>Update, November 19th, 07:54 AM ET: Added quote from expert, Karol Paciorek.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/spotify-abused-to-promote-pirated-software-and-game-cheats/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26606</guid><pubDate>Tue, 19 Nov 2024 18:00:03 +0000</pubDate></item><item><title>No, Microsoft doesn't have dirt on you, it's just a sextortion scam</title><link>https://nsaneforums.com/news/security-privacy-news/no-microsoft-doesnt-have-dirt-on-you-its-just-a-sextortion-scam-r26588/</link><description><![CDATA[<p>
	Hackers are pulling a clever trick with the Microsoft 365 Admin Portal to send sextortion emails that sneak past spam filters and land directly in your inbox. These scams use the Microsoft 365 Message Center—a tool designed for legitimate updates about services and features. Instead of sending real updates, cybercriminals are abusing its "Share" feature to push their scam messages, making them look like they came straight from Microsoft.
</p>

<p>
	 
</p>

<p>
	Here’s the deal: these emails claim your device was hacked and that they’ve got dirt on you—like videos or images of you in compromising situations. The scammers then demand payment in Bitcoin, threatening to share the supposed material if you don’t pay up. It’s a bold move, and the use of a legitimate Microsoft email address makes it seem even more real.
</p>

<p>
	 
</p>

<p>
	What makes these emails especially dangerous is how they manage to bypass email security systems. Normally, these scams would be flagged by filters, but because they are sent from a trusted Microsoft address, "o365mc@microsoft.com," they get through unnoticed.
</p>

<p>
	 
</p>

<p>
	Apparently, these scammers are abusing the "Personal Message" field in the Microsoft 365 Message Center’s "Share" option, which is designed to add a short note when sharing an advisory. Normally, this field is capped at 1,000 characters, but attackers have figured out a way around it. By using browser developer tools, they tweak the <strong>maxlength</strong> attribute in the HTML <strong>textarea</strong> element to allow longer messages. This lets them include their full sextortion text in the email without truncation.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="a screenshot of the textarea element being edited to increase the maximum length" class="ipsImage" height="112" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/11/1731941488_changing-maxlength.jpg">
	<figcaption>
		<em>Image: Bleeping Computer</em>
	</figcaption>
</figure>

<p>
	It’s downright embarrassing for Microsoft that this works because the first rule in cybersecurity is "Never trust user input." This principle, often phrased as "Never trust what comes from the browser," emphasizes that client-side validations (like the character limit) are unreliable. Without server-side checks to enforce these restrictions, the email system blindly processes and sends the altered message.
</p>

<p>
	 
</p>

<p>
	Although this technique has allowed scammers to bypass filters, it is important for users to recognize these emails for what they are: scams. <a href="https://www.bleepingcomputer.com/news/security/microsoft-365-admin-portal-abused-to-send-sextortion-emails/" rel="external nofollow">Bleeping Computer says</a> that Microsoft has acknowledged the issue and is investigating the abuse, but as of now, the server-side checks to prevent such messages haven't been added.
</p>

<p>
	 
</p>

<p>
	A <a href="https://answers.microsoft.com/en-us/msoffice/forum/all/i-have-an-email-that-purports-to-be-from-microsoft/d8d68580-ee1f-40a6-b022-f74f1794e1ee" rel="external nofollow">copy of one such scam email</a> was posted on the Microsoft Answers forum, where a user shared the disturbing content. The email included bizarre arrow symbols and detailed information about the recipient, including their birthdate, to make it seem more authentic. It threatened to share compromising footage unless a Bitcoin payment was made within 48 hours.
</p>

<p>
	 
</p>

<p>
	Sextortion emails are nothing new, but they're getting way nastier and more advanced. A big chunk of these scams is <a href="https://www.neowin.net/news/increase-in-cyber-sextortion-largely-being-driven-by-one-african-cybercriminal-group/" rel="external nofollow">driven by groups like the infamous "Yahoo Boys" from West Africa</a>, who’ve turned this into a full-blown operation. They’ve been sharing how-to guides on platforms like TikTok and YouTube, targeting teens and young adults on apps like Instagram and Snapchat.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/no-microsoft-doesnt-have-dirt-on-you-its-just-a-sextortion-scam/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26588</guid><pubDate>Mon, 18 Nov 2024 18:51:32 +0000</pubDate></item></channel></rss>
