<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/35/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>EU requests algorithm data from YouTube, Snapchat and TikTok</title><link>https://nsaneforums.com/news/security-privacy-news/eu-requests-algorithm-data-from-youtube-snapchat-and-tiktok-r25804/</link><description><![CDATA[<p>
	The European Commission is putting pressure on major tech platforms to be more transparent about how their algorithms recommend content to users. Today, the Commission <a href="https://digital-strategy.ec.europa.eu/en/news/commission-sends-requests-information-youtube-snapchat-and-tiktok-recommender-systems-under-digital" rel="external nofollow">sent</a> information requests under its new Digital Services Act (DSA) to YouTube, Snapchat, and TikTok.
</p>

<p>
	 
</p>

<p>
	The Commission wants to know the details of the inner workings of the recommender systems these companies employ and how any potential risks associated with them were mitigated. These risks include illegal content, such as drugs and hate speech, and supposed harm to elections, civic discourse, and the well-being of minors.
</p>

<p>
	 
</p>

<p>
	Both YouTube and Snapchat would need to provide information on the standards powering their recommendation algorithms, as well as steps taken to reduce content <a href="https://www.neowin.net/guides/algorithms-driving-you-into-a-political-echo-chamber-heres-how-to-escape/" rel="external nofollow">"rabbit holes" that may have adverse effects on the mental health of users</a>. TikTok has been asked to send policies that prevent coordinated inauthentic behavior for influencing elections or debates.
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		TikTok has been requested to provide more information on the measures it adopted to avoid the manipulation of the service by malicious actors and to mitigate risks related to elections, pluralism of media, and civic discourse, which may be amplified by certain recommender systems.
	</p>
</blockquote>

<p>
	All three companies have until November 15 to reply to the Commission's queries. The responses will help regulators determine whether the firms are compliant with DSA rules on transparency around algorithmic amplification of risks. Under the new law, non-cooperation or incomplete answers could result in fines.
</p>

<p>
	 
</p>

<p>
	The rules under the DSA also introduce far-reaching transparency requirements for digital platforms that have more than 45 million monthly active users. A senior EU official says the Commission's investigation sends these platforms an urgent message to change their practices involving recommendation systems.
</p>

<p>
	 
</p>

<p>
	These demands are part of the Commission's ongoing scrutiny of platform recommendation systems, which has been upped a notch since the DSA came into force. Formal proceedings of non-compliance against Facebook, Instagram, AliExpress, and <a href="https://www.neowin.net/news/eu-opens-second-probe-into-tiktok-lite-accusing-it-of-breaking-the-digital-services-act/" rel="external nofollow">TikTok are also currently underway</a> for failing to provide "devised recommender guidelines" and mitigation of risks related to the respective guidelines.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/eu-requests-algorithm-data-from-youtube-snapchat-and-tiktok/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<strong><span style="font-size:16px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">25804</guid><pubDate>Wed, 02 Oct 2024 18:43:25 +0000</pubDate></item><item><title>Cloudflare fends off record 3.8 Tbps DDoS attack with autonomous systems</title><link>https://nsaneforums.com/news/security-privacy-news/cloudflare-fends-off-record-38-tbps-ddos-attack-with-autonomous-systems-r25803/</link><description><![CDATA[<p>
	Cloudflare has announced that its distributed denial of service (DDoS) protection systems have managed to thwart a massive 3.8 Tbps DDoS attack—the largest ever disclosed publicly by any organization. Cloudflare's systems handled this issue fully autonomously.
</p>

<p>
	 
</p>

<p>
	The cloud cybersecurity company revealed that this huge DDoS attack was part of a wider month-long campaign of "hyper-volumetric L3/4 DDoS attacks" that exceeded 2 billion packets per second (Bpps) and 3 Tbps. Layer 3 (L3) attacks are designed to overwhelm network infrastructure by flooding it with a large volume of packets. Layer 4 (L4) attacks are designed to exhaust the resources of the transport layer by overwhelming it with connection requests or data packets.
</p>

<p>
	 
</p>

<p>
	Because these defenses deal with DDoS attacks autonomously, Cloudflare customers are protected promptly. Customers of its HTTP reverse proxy services, such as Cloudflare WAF and Cloudflare CDN, as well as customers using Spectrum and Magic Transit, are automatically protected.
</p>

<p>
	 
</p>

<p>
	One of the charts published by Cloudflare shows the duration of the attack. It starts around 15:01:25 and is mitigated by 15:02:30, allowing the target to resume normal operation very quickly.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="A DDoS attack on Cloudflare customer" class="ipsImage" height="332" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/10/1727884244_blog-2586_2.jpg">
</figure>

<p>
	Cloudflare warned that these massive attacks can take down unprotected internet properties as well as those protected by on-premise equipment or cloud providers that can't absorb such attacks. It claimed, as its announcement shows, that it has the network capacity, global coverage, and intelligent systems required to absorb these big attacks.
</p>

<p>
	 
</p>

<p>
	Cloudflare has noticed attacks like this affecting several of its customers in multiple sectors, including the financial services, internet, and telecommunication industries. It said the attacks tend to use UDP on a fixed port and that many contributions to them come from Vietnam, Russia, Brazil, Spain, and the US.
</p>

<p>
	 
</p>

<p>
	All sorts of devices are used for the attacks, including MikroTik devices, DVRs, and web servers. It's believed that the attacks have been originating from a large number of ASUS home routers, compromised through a vulnerability that was found recently by Censys.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://blog.cloudflare.com/how-cloudflare-auto-mitigated-world-record-3-8-tbps-ddos-attack/" rel="external nofollow">Cloudflare</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/cloudflare-fends-off-record-38-tbps-ddos-attack-with-autonomous-systems/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25803</guid><pubDate>Wed, 02 Oct 2024 18:42:20 +0000</pubDate></item><item><title>Microsoft Defender for individuals now supports unsecure Wi-Fi detection in more countries</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-for-individuals-now-supports-unsecure-wi-fi-detection-in-more-countries-r25749/</link><description><![CDATA[<p>
	Back in 2023, Microsoft first <a href="https://techcommunity.microsoft.com/t5/security-compliance-and-identity/introducing-credit-monitoring-and-privacy-protection-for/ba-p/3931972" rel="external nofollow">announced</a> the availability of privacy protection features with Microsoft Defender for individuals. Earlier this year, Microsoft <a href="https://www.neowin.net/news/microsoft-defender-for-individuals-expands-privacy-protection-to-ios-for-the-us-and-uk/" rel="external nofollow">expanded the availability</a> of these privacy protection features to the UK and also made them available on iOS and Android mobile platforms. Today, Microsoft announced a further expansion of Microsoft Defender for individuals' privacy protection features.
</p>

<p>
	 
</p>

<p>
	Microsoft Defender can now automatically detect and notify you about unsecure Wi-Fi connections on Android, iOS, and Windows. This feature is also coming soon to macOS. When your device connects to a Wi-Fi hotspot that has weaker security encryption, Defender will notify you and allow you to disconnect with a single click. Additionally, Microsoft is working to automatically enable a VPN on public Wi-Fi networks in future updates.
</p>

<p>
	 
</p>

<p>
	Microsoft Defender's privacy protection (VPN) is now available on Windows, macOS, Android, and iOS platforms in the US, UK, Germany, and Canada. Microsoft will also bring privacy protection to ten additional countries in Europe, Asia, and Latin America soon. When the privacy protection feature is enabled, your internet traffic is encrypted, and your IP address is hidden. Currently, Microsoft offers a 50GB monthly data limit (per user) to browse the web securely and anonymously using this privacy protection feature. It is important to note that the following popular streaming sites are excluded from this VPN connection:
</p>

<p>
	 
</p>

<ul>
	<li>
		Video: YouTube, TikTok, Netflix, Disney+, Amazon Prime
	</li>
	<li>
		Social: Facebook video, Instagram, Snapchat
	</li>
	<li>
		Music: Spotify, YouTube Music
	</li>
	<li>
		Messaging: WhatsApp
	</li>
</ul>

<p>
	 
</p>

<p>
	You can download the Microsoft Defender app from the <a href="https://go.microsoft.com/fwlink/?linkid=2185746" rel="external nofollow">Google Play Store</a>, <a href="https://apps.apple.com/app/microsoft-defender-security/id1526737990" rel="external nofollow">Apple App Store</a> and <a href="https://apps.microsoft.com/detail/9p6pmztm93lr" rel="external nofollow">Microsoft Store.</a> To take advantage of these new features, you need to sign in with the personal Microsoft account (@gmail, @outlook, etc.) linked to your Microsoft 365 Personal or Family subscription.
</p>

<p>
	 
</p>

<p>
	With the expansion of privacy protection and the upcoming auto-VPN feature, users can enjoy a safer and more private browsing experience.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://techcommunity.microsoft.com/t5/security-compliance-and-identity/keep-your-online-activity-safer-on-public-wi-fi-with-microsoft/ba-p/4251376" rel="external nofollow">Microsoft</a>
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-defender-for-individuals-now-supports-unsecure-wi-fi-detection-in-more-countries/" rel="external nofollow">Source</a>
</p>


]]></description><guid isPermaLink="false">25749</guid><pubDate>Mon, 30 Sep 2024 18:43:08 +0000</pubDate></item><item><title>Ireland fines Meta &#x20AC;91 million for storing passwords in plaintext</title><link>https://nsaneforums.com/news/security-privacy-news/ireland-fines-meta-%E2%82%AC91-million-for-storing-passwords-in-plaintext-r25748/</link><description><![CDATA[<p>
	The Data Protection Commission (DPC) in Ireland has fined Meta Platforms Ireland Limited (MPIL) €91 million ($100 million) for storing the passwords of hundreds of millions of users in plaintext.
</p>

<p>
	 
</p>

<p>
	The incident occurred in 2019. At the time, Meta disclosed it publicly and notified the DPC, which initiated an investigation into the tech giant's practices for storing sensitive user data.
</p>

<p>
	 
</p>

<p>
	"In March 2019, MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in 'plaintext' on its internal systems (i.e. without cryptographic protection or encryption)," <a href="https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-91-million-fine-of-Meta" rel="external nofollow" target="_blank">reads DPC's announcement</a>.
</p>

<p>
	 
</p>

<p>
	In the 2019 disclosure, <a href="https://about.fb.com/news/2019/03/keeping-passwords-secure/" rel="external nofollow" target="_blank">Meta said</a> that it had found "some user passwords" stored on its systems in a readable format during a routine security review at the beginning of the year.
</p>

<p>
	 
</p>

<p>
	Although the company did not say how many users were impacted, it estimated that it would notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users" and millions of Instagram users.
</p>

<p>
	 
</p>

<p>
	It is worth noting that the passwords were available to external parties and the review found no evidence of abuse or improper access.
</p>

<p>
	 
</p>

<p>
	Storing user account passwords without proper protections, such as encryption and access control, constitutes a violation of multiple General Data Protection Regulation (GDPR) articles relating to the measures data controllers implement to guarantee the security of people's data:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Article 33(1)</strong> - Notification of a Personal Data Breach: Meta failed to notify the DPC in a timely manner that they had stored user passwords in plaintext, which constitutes a personal data breach.
	</li>
	<li>
		<strong>Article 33(5)</strong> - Documentation of a Personal Data Breach: Meta did not properly document the personal data breaches related to the storage of user passwords in plaintext, failing to maintain adequate records of the incident.
	</li>
	<li>
		<strong>Article 5(1)(f)</strong> - Integrity and Confidentiality: Meta did not implement adequate security measures to ensure the protection of users' passwords, as they were stored in plaintext, lacking encryption or cryptographic protection.
	</li>
	<li>
		<strong>Article 32(1)</strong> - Security of Processing: Meta failed to implement appropriate technical and organizational measures to protect the passwords, such as encryption, which would have maintained the confidentiality of the data and reduced the risk of unauthorized access.
	</li>
</ul>

<p>
	 
</p>

<p>
	For the above violations, and taking into consideration that Meta informed the Irish data protection authority voluntarily, the DPC imposes an official reprimand and an administrative fine of €91 million.
</p>

<p>
	 
</p>

<p>
	The DPC will publish at a later date its complete decision and information related to the incident, the agency said.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/legal/ireland-fines-meta-91-million-for-storing-passwords-in-plaintext/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25748</guid><pubDate>Mon, 30 Sep 2024 18:42:13 +0000</pubDate></item><item><title>Microsoft reveals how Windows 10 and Windows 11 block keyloggers</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-reveals-how-windows-10-and-windows-11-block-keyloggers-r25712/</link><description><![CDATA[<p>
	In the early 2000s, the security of the Windows operating system relied heavily on third-party antivirus software. In 2009, Microsoft first introduced <a href="https://www.neowin.net/news/microsoft-security-essentials-provides-baseline-protection/" rel="external nofollow">Security Essentials</a> as free antivirus software for Windows PCs. In the following years, Microsoft developed Security Essentials into a robust product that even surpassed other <a href="https://www.neowin.net/news/windows-defender-improves-rises-above-nearly-half-the-competition-in-new-antivirus-test/" rel="external nofollow">antivirus industry leaders in AV-TEST certification</a>.
</p>

<p>
	 
</p>

<p>
	With Windows 8, Microsoft replaced Security Essentials with <a href="https://www.neowin.net/news/tags/microsoft_defender/" rel="external nofollow">Windows Defender</a>. With Windows 10, Microsoft made Windows Defender an umbrella brand for several security products, and all Windows 10/11 PCs now come with Windows Defender Antivirus built-in.
</p>

<p>
	 
</p>

<p>
	Microsoft recently published a blog post explaining how Microsoft Defender Antivirus protects Windows 10 and Windows 11 users from keylogger and screen scraper malware. Keylogger malware can record all keystrokes, clipboard data, and screenshots on a PC, while a screen scraper can take screenshots and record videos of what's happening on your PC's screen.
</p>

<p>
	 
</p>

<p>
	Microsoft mentioned that Microsoft Defender Antivirus uses AI, ML, and the cloud-based Microsoft Intelligent Security Graph to block malware in milliseconds once it's detected. Additionally, Defender AV can even analyze behaviors and process trees to stop fileless malware and human-operated attacks.
</p>

<p>
	 
</p>

<p>
	Here's how Windows Defender Antivirus protects Windows 10 and Windows 11 users from keylogger malware:
</p>

<p>
	 
</p>

<ul>
	<li>
		When a PC is powered on, Windows uses Secure Boot, Trusted Boot, and Measured Boot to verify whether the expected firmware, bootloader, kernel, drivers, and anti-malware software are loaded. This prevents malware from affecting the boot sequence and attempting to compromise the PC even before Microsoft Defender Antivirus starts up.
	</li>
	<li>
		Once the PC starts, Microsoft Defender Antivirus will use multiple detection engines to block malware when detected.
	</li>
	<li>
		The Tamper protection feature prevents features such as virus and threat protection from being turned off or modified by malware.
	</li>
	<li>
		Microsoft Defender SmartScreen prevents malware from being downloaded. This feature works even if Microsoft Defender Antivirus real-time scanning is turned off.
	</li>
	<li>
		For advanced security, Microsoft recommends using Microsoft Defender for Endpoint in addition to the built-in Defender Antivirus.
	</li>
</ul>

<p>
	 
</p>

<p>
	You can learn more about Windows 11's security features <a href="https://www.microsoft.com/content/dam/microsoft/final/microsoft-brand/documents/MSFT-Windows-11-Security-guide-RWMvI1.pdf" rel="external nofollow">here</a>. With its multi-layered defense, Windows Defender Antivirus offers robust protection against keyloggers and other threats, demonstrating Microsoft's commitment to user security.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/keylogging-malware-protection-built-into-windows/ba-p/4256289" rel="external nofollow">Microsoft</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-reveals-how-windows-10-and-windows-11-block-keyloggers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25712</guid><pubDate>Fri, 27 Sep 2024 17:28:30 +0000</pubDate></item><item><title>Flaw in Kia&#x2019;s web portal let researchers track, hack cars</title><link>https://nsaneforums.com/news/security-privacy-news/flaw-in-kia%E2%80%99s-web-portal-let-researchers-track-hack-cars-r25711/</link><description><![CDATA[<h3>
	Bug let researchers track millions of cars, unlock doors, and start engines at will.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		When security researchers in the past found ways to hijack vehicles' Internet-connected systems, their proof-of-concept demonstrations tended to show, thankfully, that hacking cars is hard. Exploits like the ones that hackers used to remotely take over a <a href="https://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/#:~:text=7%3A00%20AM-,GM%20Took%205%20Years%20to%20Fix%20a%20Full%2DTakeover%20Hack,known%20remote%20car%20hacking%20technique." rel="external nofollow">Chevrolet Impala in 2010</a> or a <a href="https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/" rel="external nofollow">Jeep in 2015</a> took years of work to develop and required ingenious tricks: reverse engineering the obscure code in the cars’ telematics units, delivering malicious software to those systems via audio tones played over radio connections, or even putting a disc with a malware-laced music file into the car’s CD drive.
	</p>

	<p>
		 
	</p>

	<p>
		This summer, one small group of hackers demonstrated a technique to hack and track millions of vehicles that’s considerably easier—as easy as finding a simple bug in a website.
	</p>

	<p>
		 
	</p>
	<p>
		Today, a group of independent security researchers <a href="https://samcurry.net/hacking-kia" rel="external nofollow">revealed</a> that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.
	</p>

	<p>
		 
	</p>

	<p>
		After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group’s findings and hasn’t responded to WIRED’s emails since then. But Kia’s patch is far from the end of the car industry’s web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year. And those bugs are just two among a <a href="https://samcurry.net/web-hackers-vs-the-auto-industry" rel="external nofollow">slew of similar web-based vulnerabilities they’ve discovered within the last two years</a> that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.
	</p>

	<p>
		 
	</p>

	<p>
		“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,” says Neiko “specters” Rivera, one of the researchers who both found the latest Kia vulnerability and worked with a larger group responsible for the previous collection of web-based car security issues revealed in January of last year.
	</p>

	<p>
		 
	</p>

	<p>
		“Over and over again, these one-off issues keep popping up,” says Sam Curry, another member of the car hacking group, who works as a security engineer for Web3 firm Yuga Labs but says he did this research independently. “It's been two years, there's been a lot of good work to fix this problem, but it still feels really broken.”
	</p>

	<h2>
		Read a license plate, hack a car
	</h2>

	<p>
		Before they alerted Kia to its latest security vulnerability, the research group tested their web-based technique on a handful of Kias—rentals, friends’ cars, even cars on dealer lots—and found that it worked in every case. They also showed the technique to WIRED, demonstrating it on the 2020 Kia Soul of a security researcher introduced to them just minutes earlier in a parking lot in Denver, Colorado, as seen in the video above.
	</p>

	<p>
		 
	</p>

	<p>
		The group’s web-based Kia hacking technique doesn’t give a hacker access to driving systems like steering or brakes, nor does it overcome the so-called immobilizer that prevents a car from being driven away, even if its ignition is started. It could, however, have been combined with immobilizer-defeating techniques popular among car thieves or used to steal lower-end cars that don't have immobilizers—<a href="https://www.motortrend.com/news/hyundai-fixing-kia-boys-theft-security-vulnerability-free/" rel="external nofollow">including some Kias.</a>
	</p>

	<p>
		 
	</p>

	<p>
		Even in cases when it didn't allow outright theft of a car, the web flaw could have created significant opportunities for theft of a car's contents, harassment of drivers and passengers, and other privacy and safety concerns.
	</p>

	<p>
		 
	</p>

	<p>
		“If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car,” says Curry. “If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.” For Kias that come installed with a 360-degree camera, that camera, too, was accessible to hackers. Beyond allowing the hijacking of connected features in cars themselves, Curry says, the web portal flaw also allowed hackers to query a broad range of personal information about Kia customers—names, email addresses, phone numbers, home addresses, and even past driving routes in some cases—a potentially massive data leak.
	</p>

	<p>
		 
	</p>

	<p>
		The Kia hacking technique the group found works by exploiting a relatively simple flaw in the backend of Kia's web portal for customers and dealers, which is used to set up and manage access to its connected car features. When the researchers sent commands directly to the API of that website—the interface that allows users to interact with its underlying data—they say they found that there was nothing preventing them from accessing the privileges of a Kia dealer, such as assigning or reassigning control of the vehicles' features to any customer account they created. “It’s really simple. They weren't checking if a user is a dealer,” says Rivera. “And that's kind of a big issue.”
	</p>

	<p>
		 
	</p>

	<p>
		Kia's web portal allowed lookups of cars based on their vehicle identification number (VIN). But the hackers found they could quickly find a car's VIN after obtaining its license plate number using the website PlateToVin.com.
	</p>

	<p>
		 
	</p>

	<p>
		More broadly, Rivera adds, any dealer using the system seemed to have been trusted with a shocking amount of control over which vehicles' features were linked with any particular account. “Dealers have way too much power, even over vehicles that don’t touch their lot,” Rivera says.
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		A dozen carmakers’ websites, millions of hackable cars
	</h2>

	<p>
		Curry and Rivera, who worked with two other researchers to develop their hacking technique, reported their findings to Kia shortly after demonstrating them to WIRED in June, and the company responded to an inquiry from WIRED to note that it was investigating their findings. “We take this matter very seriously, and value our collaboration with security researchers,” a spokesperson wrote.
	</p>

	<p>
		 
	</p>

	<p>
		Shortly after the researchers reported the issue, Kia did make a change to its web portal API that appeared to block their technique, the researchers say. Then, in August, Kia told the researchers it had validated their findings but was still working on implementing a permanent fix for the problem. Kia hasn't updated the researchers since or responded to WIRED's questions. But after the standard 90-day window given to companies to fix security issues that researchers report, the hackers decided to go public with their findings—though they haven't released their Kia-hacking proof-of-concept application and don't plan to.
	</p>

	<p>
		 
	</p>

	<p>
		The Kia-hacking research group first began to assemble around the idea of probing carmakers' websites and APIs for vulnerabilities in late 2022. A few of them were staying with a friend on a college campus and messing around with the app for a mobile scooter company when they accidentally triggered all the company's scooters across the campus to <a href="https://www.youtube.com/watch?v=YRAy3wv5SCk&amp;t=4s" rel="external nofollow">honk and flash their lights for 15 minutes</a>. At that point, the group “became super interested in trying more ways to make more things honk,” as Curry would write—including vehicles more significant than scooters. Soon after, Curry discovered that Rivera, who'd long been focused on car hacking and had previously worked at the carmaker Rivian, was already looking at web vulnerabilities in vehicle telematics.
	</p>

	<p>
		 
	</p>

	<p>
		In January 2023, they published the initial results of their work, an <a href="https://samcurry.net/web-hackers-vs-the-auto-industry" rel="external nofollow">enormous collection of web vulnerabilities</a> affecting Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, and Ferrari—all of which they had reported to the automakers. For at least half a dozen of those companies, the web bugs the group found offered at least some level of control of cars' connected features, they wrote, just as in their latest Kia hack. Others, they say, allowed unauthorized access to data or the companies' internal applications. Still others targeted fleet management software for emergency vehicles and could have even prevented those vehicles from starting, they believe—though they didn't have the means to safely test out that potentially dangerous trick.
	</p>

	<p>
		 
	</p>

	<p>
		In June of this year, Curry says, he discovered that Toyota appeared to still have a similar flaw in its web portal that, in combination with a leaked dealer credential he found online, would have allowed remote control of Toyota and Lexus vehicles' features like tracking, unlocking, honking, and ignition. He reported that vulnerability to Toyota and showed WIRED a confirmation email seeming to demonstrate that he'd been able to reassign himself control of a target Toyota's connected features over the web. Curry didn't film a video of that Toyota hacking technique before reporting it to Toyota, however, and the company quickly patched the bug he'd disclosed, even temporarily taking its web portal offline to prevent its exploitation.
	</p>

	<p>
		 
	</p>

	<p>
		“As a result of this investigation, Toyota promptly disabled the compromised credentials and is accelerating security enhancements of the portal, as well as temporarily disabling the portal until enhancements are complete,” a Toyota spokesperson wrote to WIRED in June.
	</p>

	<h2>
		More smart features, more dumb bugs
	</h2>

	<p>
		The extraordinary number of vulnerabilities in carmakers' websites that allow remote control of vehicles is a direct result of companies' push to appeal to consumers—particularly young ones—with smartphone-enabled features, says Stefan Savage, a professor of computer science at UC San Diego whose research team was the first to <a href="https://ieeexplore.ieee.org/document/5504804" rel="external nofollow">hack a car's steering and brakes over the Internet in 2010</a>. “Once you have these user features tied into the phone, this cloud-connected thing, you create all this attack surface you didn’t have to worry about before,” Savage says.
	</p>

	<p>
		 
	</p>

	<p>
		Still, he says, even he is surprised at the insecurity of all the web-based code that manages those features. “It’s a little disappointing that it’s as easy to exploit as it has been,” he says.
	</p>

	<p>
		 
	</p>

	<p>
		Rivera says he's observed firsthand in his time working in automotive cybersecurity that car companies often put more focus on “embedded” devices—digital components in non-traditional computing environments like cars—rather than web security, in part because updating those embedded devices can be far more difficult and lead to recalls. “It was clear ever since I started that there was a glaring gap between embedded security and web security in the auto industry,” Rivera says. “These two things mix together very often, but people only have experience in one or the other.”
	</p>

	<p>
		 
	</p>

	<p>
		UCSD's Savage hopes that the Kia-hacking researchers' work might help shift that focus. Many of the early, high-profile hacking experiments that affected cars' embedded systems, like the 2015 Jeep takeover and the 2010 Impala hack pulled off by Savage's team at UCSD, persuaded automakers that they needed to better prioritize embedded cybersecurity, he says. Now car companies need to focus on web security too—even, he says, if it means making sacrifices or changes to their process.
	</p>

	<p>
		 
	</p>

	<p>
		“How do you decide, ‘We’re not going to ship the car for six months because we didn’t go through the web code?’ That’s a tough sell,” he says. “I would like to think this kind of event causes people to look at that decision more fully.”
	</p>

	<p>
		 
	</p>

	<p>
		<em>This story originally appeared on <a href="https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/" rel="external nofollow">wired.com</a>.</em>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/cars/2024/09/flaw-in-kia-web-portal-let-researchers-track-hack-cars/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<strong><span style="font-size:16px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of August): 3,792 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">25711</guid><pubDate>Fri, 27 Sep 2024 17:27:16 +0000</pubDate></item><item><title>Tor Project welcomes Tails OS to improve user privacy and security</title><link>https://nsaneforums.com/news/security-privacy-news/tor-project-welcomes-tails-os-to-improve-user-privacy-and-security-r25700/</link><description><![CDATA[<p>
	The Tor Project, responsible for the Tor Browser, has announced that Tails OS has joined its structure. For those unaware, Tails OS is a USB-based Linux distribution that is intended to preserve user privacy. It offers lots of privacy-preserving features and uses Tor Browser as its default browser to keep users safe online.
</p>

<p>
	 
</p>

<p>
	One of the other main features of Tails OS is that when you shut it down, it will leave no traces on the computer you booted it on. If you're in a hurry, you can even pull out the USB, and it will shut down the computer without leaving remnants. There is also a selection of apps to work on sensitive documents and communicate securely.
</p>

<p>
	 
</p>

<p>
	With Tails joining the Tor Project, the two projects can collaborate more easily, the arrangement is more sustainable for the Tails team, overheads are reduced, and there are opportunities for expanded training and outreach programs. Regarding outreach, the Tor Project said:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		"Until now, Tor’s educational efforts have primarily focused on its browser. With Tails integrated into these programs, we can address a wider range of privacy needs and security scenarios."
	</p>
</blockquote>

<p>
	One of the most interesting things about these two entities partnering is that they can improve their work on overlapping threat models to deliver network and system-level security for those in high-risk environments, such as activists, journalists, and other at-risk and everyday users.
</p>

<p>
	 
</p>

<p>
	Hopefully, this match-up will lead to both projects rolling out new features faster. For the Tails team, which had fewer resources to conduct outreach, this will mean it can reach more users who will benefit from Tails OS in their daily lives.
</p>

<p>
	 
</p>

<p>
	Both projects have seemingly got on quite well over the years, so hopefully, they will not have a big fight over any issues that arise going forward.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://blog.torproject.org/tor-tails-join-forces/" rel="external nofollow">Tor Project</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/tor-project-welcomes-tails-os-to-improve-user-privacy-and-security/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25700</guid><pubDate>Thu, 26 Sep 2024 19:09:04 +0000</pubDate></item><item><title>LG TVs start showing ads on screensavers</title><link>https://nsaneforums.com/news/security-privacy-news/lg-tvs-start-showing-ads-on-screensavers-r25688/</link><description><![CDATA[<h3>
	LG's TV business is heightening focus on selling ads and tracking.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Last month, Ars Technica went on a deep dive into the rapid growth of <a href="https://arstechnica.com/gadgets/2024/08/tv-industrys-ads-tracking-obsession-is-turning-your-living-room-into-a-store/" rel="external nofollow">ads in TV software</a>. Less than three weeks later, LG announced that it was adding advertisements to its TVs’ screensavers. The move embodies how ads are a growing and virtually inescapable part of the TV-viewing experience—even when you're not watching anything.
	</p>

	<p>
		 
	</p>

	<p>
		As you might have expected, LG didn’t make a big, splashy announcement to consumers or LG TV owners about this new ad format. Instead, and ostensibly strategically, the September 5 announcement was made to advertisers. LG appears to know that screensaver ads aren't a feature that excites users. Still, it and many other TV makers are happy to shove ads into the software of already-purchased devices.
	</p>

	<p>
		 
	</p>

	<p>
		LG TV owners may have already spotted the ads or learned about them via <a href="https://www.flatpanelshd.com/news.php?subaction=showfull&amp;id=1727255253" rel="external nofollow">FlatpanelsHD</a>, which today reported seeing a full-screen ad on the screensaver for LG's latest flagship TV, the G4. “The ad appeared before the conventional screensaver kicks in," per the website, “and was localized to the region the TV was set to.” (You can see images that FlatpanelsHD provided of the ads <a href="https://www.flatpanelshd.com/pictures/lgscreensaverad_5.jpg" rel="external nofollow">here</a>, <a href="https://www.flatpanelshd.com/pictures/lgscreensaverad_2_large.jpg" rel="external nofollow">here</a>, and <a href="https://www.flatpanelshd.com/pictures/lgscreensaverad_1_large.jpg" rel="external nofollow">here</a>.) The reviewer reported seeing an ad for LG’s free ad-supported streaming channel, LG Channels, as well as third-party ads.
	</p>

	<p>
		 
	</p>

	<p>
		LG has put these ads on by default, according to FlatpanelsHD, but you can disable them in the TVs' settings. Still, the introduction of ads during a screensaver, shown during a pause in TV viewing that some TVs use as an opportunity to show art or personal photos that amplify the space, illustrates the high priority that ad dollars and tracking have among today’s TVs—even new top-of-the-line ones.
	</p>

	<p>
		 
	</p>

	<p>
		According to LG’s ads arm, LG AD Solutions, the screensaver ads activate “across the home screen, LG Channels, and Content Store on LG smart TVs." The point is to capitalize "on idle screen time, turning what may be perceived as a period of downtime into a valuable engagement opportunity.” LG AD Solutions claims that it has commissioned testing showing that screensaver ads drive “on average a 2.5 times higher lift in brand awareness.”
	</p>

	<p>
		 
	</p>

	<p>
		In a statement, LG AD Solutions CTO Dave Rudnick seemed to acknowledge that people whose TVs are showing screensavers are often trying to do something other than look at adverts.
	</p>

	<p>
		 
	</p>

	<p>
		“In the past, a screensaver ad might have indicated that viewers had left the room, but today’s viewing habits are markedly different," he said. "Now, 93 percent of viewers multitask while watching TV, engaging in activities like messaging, shopping, browsing social media, or playing games on their phones."
	</p>

	<h2>
		TV advertising: The next generation
	</h2>

	<p>
		The addition of screensaver ads that users can disable may sound like a comparatively smaller disruption as far as TV operating system (OS) ads go. But the incorporation of <a href="https://arstechnica.com/gadgets/2024/04/roku-ad-push-continues-with-plans-to-put-video-ads-in-os-home-screen/" rel="external nofollow">new ad formats</a> into TV OSes' various <a href="https://arstechnica.com/gadgets/2023/11/after-luring-customers-with-low-prices-amazon-stuffs-fire-tvs-with-ads/" rel="external nofollow">nooks and crannies</a> is a <a href="https://arstechnica.com/gadgets/2024/04/hdmi-customized-ad-insertion-patent-would-show-rokus-ads-atop-non-roku-video/" rel="external nofollow">slippery slope</a>. Some TV brands are even <a href="https://arstechnica.com/gadgets/2024/02/walmart-buying-tv-brand-vizio-for-its-ad-fueling-customer-data/" rel="external nofollow">centered more on ads</a> than selling hardware. Unfortunately, it’s up to OS operators and TV OEMs to decide where the line is, including for already-purchased TVs. User and advertiser interests don’t always align, making TV streaming platforms without third-party ads, such as Apple TV, <a href="https://www.digitaltrends.com/home-theater/only-streaming-hardware-without-ads/" rel="external nofollow">increasingly scarce gems</a>.
	</p>

	<p>
		 
	</p>

	<p>
		LG has been expanding its business for selling and tracking ads shown on LG TVs. It has a partnership with Nielsen that sends automatic content-recognition data gathered <a href="https://displaydaily.com/lg-smart-tvs-will-send-data-directly-to-nielsen/" rel="external nofollow">from LG TVs to Nielsen</a>, for example. Additionally, LG has boasted of plans to evolve from a hardware business into a “media and entertainment platform,” which includes selling ads. The South Korean company has also expressed <a href="https://www.thedrum.com/open-mic/shoppable-tv-brings-the-store-to-the-living-room-heres-how-brands-can-capitalize" rel="external nofollow">strong interest</a> in shoppable TV ads.
	</p>

	<p>
		 
	</p>

	<p>
		For its part, LG's growing ad interests have led it to launch a new LG Ad Solutions division this month that's focused on developing new ways to show ads to and track smart TV users. In a statement, Rudnick said Innovation Labs is seeking to "push the boundaries" of smart-TV advertising and drive "next-generation advertising," including interactive ads, on smart TVs.
	</p>

	<h2>
		LG is adapting to a changing market
	</h2>

	<p>
		LG claims to have done its homework before deciding to inject ads into its TVs' screensavers. LG Ad Solutions-commissioned research, which was reportedly conducted and measured by <a href="https://luc.id/home/" rel="external nofollow">Lucid</a>, a consumer market research firm, found that screensaver ads increase brand awareness, especially among adults 45 and up and women with a household income greater than $80,000 (assumedly annually).
	</p>

	<p>
		 
	</p>

	<p>
		LG's ads push comes as it's challenged to continue finding revenue and growth from its TV business while TVs get more advanced and reliable and are able to get new features via software updates. Meanwhile, advertisers are challenged to find ways to continue reaching TV viewers in a world shifting from linear TV to streaming and web-based entertainment that's often sold with the option of being commercial-free. Although <a href="https://arstechnica.com/gadgets/2023/05/double-screen-free-tv-will-show-you-ads-even-when-not-in-use/" rel="external nofollow">lower-priced TVs</a>, like those running Roku OS, may have a reputation for more ads, they’re also <a href="https://variety.com/2024/digital/news/roku-q2-2024-earnings-streaming-users-1236093201/" rel="external nofollow">doing well</a> in the market.
	</p>

	<p>
		 
	</p>

	<p>
		Market conditions and changing TV users' habits are forcing LG to adapt the way it makes money from TVs. Unfortunately for those averse to ads, that means pushing more commercials and finding better ways to track viewers.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/gadgets/2024/09/lg-tvs-continue-down-advertising-rabbit-hole-with-new-screensaver-ads/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25688</guid><pubDate>Thu, 26 Sep 2024 06:29:23 +0000</pubDate></item><item><title>UltraAV says Kaspersky users were moved over for their own good and they knew it was coming</title><link>https://nsaneforums.com/news/security-privacy-news/ultraav-says-kaspersky-users-were-moved-over-for-their-own-good-and-they-knew-it-was-coming-r25675/</link><description><![CDATA[<p>
	A couple of days ago, we reported on the automatic migration of <a href="https://www.neowin.net/news/kaspersky-users-suddenly-finding-ultraav-automatically-installed-on-their-pc-heres-why/" rel="external nofollow">Kaspersky U.S. customers over to UltraAV</a> following the <a href="https://www.neowin.net/news/kasperky-to-lay-off-its-us-staff-after-the-country-bans-its-products/" rel="external nofollow">former's ban</a>.
</p>

<p>
	 
</p>

<p>
	The general sentiment among such users seems to be one of curiosity and concern, with a mix of frustration, and we too empathized with that. Following our report, an UltraAV spokesperson reached out to Neowin and issued a statement explaining the procedure of the transition.
</p>

<p>
	 
</p>

<p>
	UltraAV has explained that the motivation behind the move was nothing but good, claiming that it was "intended to minimize the risk that Kaspersky Labs users would be left unprotected for any period of time following their mandatory exit from the market."
</p>

<p>
	 
</p>

<p>
	The firm has also stated that the move was communicated appropriately with customers via email and in-app notifications as well as via Kaspersky's website.
</p>

<p>
	 
</p>

<p>
	Here's what UltraAV has stated:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Following the Biden administration’s announcement that it would ban Kaspersky Labs (KL) from selling or updating antivirus software in the United States effective September 29, 2024, the company reached an agreement with Pango Group to automatically transition all U.S. Kaspersky customers to its UltraAV antivirus product. This effort was intended to minimize the risk that KL users would be left unprotected for any period of time following their mandatory exit from the market.
	</p>

	<p>
		 
	</p>

	<p>
		KL began communicating this transition to U.S. customers on September 5. All KL users with valid email addresses received direct communications and all users had access to transition notifications in-app, on MyKaspersky account pages, and via Kaspersky Labs' webpages.
	</p>
</blockquote>

<p>
	Additionally, UltraAV has tried to reassure users that it is a competent security solution and a good replacement for Kaspersky. It states:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		UltraAV is a mature technology, developed and improved for more than 20 years. It incorporates the latest threat intelligence and leverages advanced techniques including AI and sophisticated heuristics to detect malware. With Ultra AV, users will receive comparable protections to those they had with KL at the same pricing. Beyond traditional antivirus and VPN services, UltraAV will also include Identity theft protections, including transaction monitoring, real-time alerts for signs of fraud, lost wallet protection and $1M identity theft insurance.
	</p>
</blockquote>

<p>
	UltraAV has also asked users to visit its official website for a comparison <a href="https://ultrasecureav.com/kl-transition#chart" rel="external nofollow">chart</a> of the features. It has also reminded users that those seeking more information on the transition can visit <a href="https://ultrasecureav.com/faq" rel="external nofollow">Ultrasecureav.com/faq</a> or reach out to <a href="https://support.ultrasecureav.com/hc/en-us/requests/new" rel="external nofollow">UltraAV customer support</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/ultraav-says-kaspersky-users-were-moved-over-for-their-own-good-and-they-knew-it-was-coming/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25675</guid><pubDate>Wed, 25 Sep 2024 18:50:40 +0000</pubDate></item><item><title>Complaint filed against Mozilla Firefox for PPA 'default-tracking' as most users are 'dumb'</title><link>https://nsaneforums.com/news/security-privacy-news/complaint-filed-against-mozilla-firefox-for-ppa-default-tracking-as-most-users-are-dumb-r25674/</link><description><![CDATA[<p>
	NOYB, short for None Of Your Business, has filed a complaint against Mozilla over a new Privacy Preserving Attribution (PPA) feature that was recently released by the company. For those who may not be familiar with it, NOYB is based in Austria and has in the past filed complaints against the likes of <a href="https://www.neowin.net/news/tags/noyb/" rel="external nofollow">Microsoft and X</a>, among others.
</p>

<p>
	 
</p>

<p>
	PPA is similar to Google Chrome's <a href="https://www.neowin.net/guides/google-chrome-moves-forward-with-its-targeted-ad-tracking-system-heres-how-to-turn-it-off/" rel="external nofollow">Privacy Sandbox</a> and is meant to provide a privacy-friendly alternative to third-party cookies with minimal footprint via anonymous reporting. It also offers the option to opt in and opt out, which means all is good for consumers.
</p>

<p>
	 
</p>

<p>
	However, NOYB has noted in its complaint that the feature has been enabled by default since <a href="https://www.neowin.net/news/mozilla-releases-firefox-1280-with-improved-translate-private-mode-and-a-new-esr-release/" rel="external nofollow">Firefox version 128</a> where it was first introduced.
</p>

<p>
	 
</p>

<p>
	NOYB writes:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Today, noyb filed a complaint against Mozilla for quietly enabling a supposed “privacy feature” (called Privacy Preserving Attribution) in its Firefox browser. Contrary to its reassuring name, this technology allows Firefox to track user behaviour on websites. In essence, the browser is now controlling the tracking, rather than individual websites. While this might be an improvement compared to even more invasive cookie tracking, the company never asked its users if they wanted to enable it.
	</p>

	<p>
		 
	</p>

	<p>
		...
	</p>

	<p>
		 
	</p>

	<p>
		With a recent Firefox update, Mozilla seems to have taken a leaf out of Google’s playbook: without directly telling its users, the company has secretly enabled a so-called “Privacy Preserving Attribution” (PPA) feature. Similar to Google’s (failed) Privacy Sandbox, this turned the browser into a tracking tool for websites.
	</p>
</blockquote>

<p>
	In the press release, NOYB has also highlighted how Firefox's Bas Schouten, the Tech Lead with the Mozilla Performance team, had argued in favour of enabling PPA by default, suggesting that it would be quite difficult to explain the benefits and drawbacks of PPA to users who are not tech-savvy.
</p>

<p>
	 
</p>

<p>
	Schouten had <a href="https://www.privacyguides.org/articles/2024/07/14/mozilla-disappoints-us-yet-again-2/" rel="external nofollow">said</a>:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Opt-in is only meaningful if users can make an informed decision. I think explaining a system like PPA would be a difficult task. And most users complain a lot about these types of interruption.
	</p>

	<p>
		 
	</p>

	<p>
		In my opinion an easily discoverable opt-out option + blog posts and such were the right decision.
	</p>

	<p>
		 
	</p>

	<p>
		...
	</p>

	<p>
		 
	</p>

	<p>
		After all, most of its users have no idea how it works. Or an electric kettle, for that matter.
	</p>

	<p>
		 
	</p>

	<p>
		There are numerous blog posts explaining the idea, going as far back as 2021 as well as explainers. All of which show up for me if I do any search query with Mozilla and in Google.
	</p>
</blockquote>

<p>
	To Firefox's credit, opting out of PPA is indeed not too difficult. If you wish to do so, you can:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<ol>
		<li>
			<span class="for" data-for="mac">In the Menu bar at the top of the screen, click <span class="menu">Firefox</span> and then select <strong><span class="menu">Preferences</span> or <span class="menu">Settings</span></strong>, depending on your macOS version.</span> <span class="for" data-for="win,linux">Click the menu button and select <strong><span class="menu">Settings</span></strong>.</span>
		</li>
		<li>
			In the <strong><span class="menu">Privacy &amp; Security</span></strong> panel, find the <u><em>Website Advertising Preferences</em></u> section.
		</li>
		<li>
			Uncheck the box labeled <strong>Allow websites to perform privacy-preserving ad measurement</strong>.
		</li>
	</ol>
</blockquote>

<p>
	You can view the full NOYB press release regarding the complaint <a href="https://noyb.eu/en/firefox-tracks-you-privacy-preserving-feature" rel="external nofollow">here</a> on its official website.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/complaint-filed-against-mozilla-firefox-for-ppa-default-tracking-as-most-users-are-dumb/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25674</guid><pubDate>Wed, 25 Sep 2024 18:44:38 +0000</pubDate></item><item><title>Hacker plants false memories in ChatGPT to steal user data in perpetuity</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-plants-false-memories-in-chatgpt-to-steal-user-data-in-perpetuity-r25666/</link><description><![CDATA[<h3>
	Emails, documents, and other untrusted content can plant malicious memories.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		When security researcher Johann Rehberger recently reported a vulnerability in ChatGPT that allowed attackers to store false information and malicious instructions in a user’s long-term memory settings, OpenAI summarily closed the inquiry, labeling the flaw a safety issue, not, technically speaking, a security concern.
	</p>

	<p>
		 
	</p>

	<p>
		So Rehberger did what all good researchers do: He created a proof-of-concept exploit that used the vulnerability to exfiltrate all user input in perpetuity. OpenAI engineers took notice and issued a partial fix earlier this month.
	</p>

	<h2>
		Strolling down memory lane
	</h2>
	<p>
		The vulnerability abused long-term conversation memory, a feature OpenAI began testing <a href="https://arstechnica.com/information-technology/2024/02/amnesia-begone-soon-chatgpt-will-remember-what-you-tell-it-between-sessions/" rel="external nofollow">in February</a> and made more broadly available <a href="https://openai.com/index/memory-and-new-controls-for-chatgpt/" rel="external nofollow">in September</a>. Memory with ChatGPT stores information from previous conversations and uses it as context in all future conversations. That way, the LLM can be aware of details such as a user’s age, gender, philosophical beliefs, and pretty much anything else, so those details don’t have to be inputted during each conversation.
	</p>

	<p>
		 
	</p>

	<p>
		Within three months of the rollout, Rehberger <a href="https://embracethered.com/blog/posts/2024/chatgpt-hacking-memories/" rel="external nofollow">found</a> that memories could be created and permanently stored through indirect <a href="https://arstechnica.com/information-technology/2022/09/twitter-pranksters-derail-gpt-3-bot-with-newly-discovered-prompt-injection-hack/" rel="external nofollow">prompt injection</a>, an AI exploit that causes an LLM to follow instructions from untrusted content such as emails, blog posts, or documents. The researcher demonstrated how he could trick ChatGPT into believing a targeted user was 102 years old, lived in the Matrix, and insisted Earth was flat, and the LLM would incorporate that information to steer all future conversations. These false memories could be planted by storing files in Google Drive or Microsoft OneDrive, uploading images, or browsing a site like Bing—all of which could be created by a malicious attacker.
	</p>

	<p>
		 
	</p>

	<p>
		Rehberger privately reported the finding to OpenAI in May. That same month, the company closed the report ticket. A month later, the researcher submitted a new disclosure statement. This time, he included a PoC that caused the ChatGPT app for macOS to send a verbatim copy of all user input and ChatGPT output to a server of his choice. All a target needed to do was instruct the LLM to view a web link that hosted a malicious image. From then on, all input and output to and from ChatGPT was sent to the attacker's website.
	</p>

	<p>
		 
	</p>

	<div class="ipsEmbeddedVideo" contenteditable="false">
		<div>
			<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/zb0q5AW5ns8?feature=oembed" title="Spyware Injection Into ChatGPT's Long-Term Memory (SpAIware)" width="200"></iframe>
		</div>
	</div>

	<p>
		<em>ChatGPT: Hacking Memories with Prompt Injection - POC</em>
	</p>

	<p>
		 
	</p>

	<p>
		“What is really interesting is this is memory-persistent now,” Rehberger said in the above video demo. “The prompt injection inserted a memory into ChatGPT’s long-term storage. When you start a new conversation, it actually is still exfiltrating the data.”
	</p>

	<p>
		 
	</p>

	<p>
		The attack isn’t possible through the ChatGPT web interface, thanks to an API OpenAI rolled out <a href="https://embracethered.com/blog/posts/2023/openai-data-exfiltration-first-mitigations-implemented/" rel="external nofollow">last year</a>.
	</p>

	<p>
		 
	</p>

	<p>
		While OpenAI has introduced a fix that prevents memories from being abused as an exfiltration vector, the researcher said, untrusted content can still perform prompt injections that cause the memory tool to store long-term information planted by a malicious attacker.
	</p>

	<p>
		 
	</p>

	<p>
		LLM users who want to prevent this form of attack should pay close attention during sessions for output that indicates a new memory has been added. They should also regularly review stored memories for anything that may have been planted by untrusted sources. OpenAI provides guidance <a href="https://openai.com/index/memory-and-new-controls-for-chatgpt/" rel="external nofollow">here</a> for managing the memory tool and specific memories stored in it. Company representatives didn’t respond to an email asking about its efforts to prevent other hacks that plant false memories.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2024/09/false-memories-planted-in-chatgpt-give-hacker-persistent-exfiltration-channel/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25666</guid><pubDate>Wed, 25 Sep 2024 07:14:55 +0000</pubDate></item><item><title>11 million devices infected with botnet malware hosted in Google Play</title><link>https://nsaneforums.com/news/security-privacy-news/11-million-devices-infected-with-botnet-malware-hosted-in-google-play-r25650/</link><description><![CDATA[<h3>
	Necro infiltrated Google Play in 2019. It recently returned.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Five years ago, researchers made a grim discovery—a legitimate Android app in the Google Play market that was <a href="https://arstechnica.com/information-technology/2019/08/google-play-app-with-100-million-downloads-executed-secret-payloads/" rel="external nofollow">surreptitiously made malicious</a> by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads.
	</p>

	<p>
		 
	</p>

	<p>
		Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm <a href="https://www.kaspersky.com/blog/necro-infects-android-users/52201/" rel="external nofollow">reported Monday</a> that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible.
	</p>

	<h2>
		Clever tradecraft
	</h2>

	<p>
		Software developer kits, better known as SDKs, are apps that provide developers with frameworks that can greatly speed up the app-creation process by streamlining repetitive tasks. An unverified SDK module incorporated into the apps ostensibly supported the display of ads. Behind the scenes, it provided a host of advanced methods for stealthy communication with malicious servers, where the apps would upload user data and download malicious code that could be executed and updated at any time.
	</p>

	<p>
		 
	</p>

	<p>
		The stealthy malware family in both campaigns is known as Necro. This time, some variants use techniques such as <a href="https://en.wikipedia.org/wiki/Steganography" rel="external nofollow">steganography</a>, an obfuscation method rarely seen in mobile malware. Some variants also deploy clever tradecraft to deliver malicious code that can run with heightened system rights. Once devices are infected with this variant, they contact an attacker-controlled command-and-control server and send web requests containing encrypted <a href="https://en.wikipedia.org/wiki/JSON" rel="external nofollow">JSON</a> data that reports information about each compromised device and application hosting the module.
	</p>

	<p>
		 
	</p>

	<p>
		The server, in turn, returns a JSON response that contains a link to a PNG image and associated metadata that includes the image hash. If the malicious module installed on the infected device confirms the hash is correct, it downloads the image.
	</p>

	<p>
		 
	</p>

	<p>
		The SDK module “uses a very simple steganographic algorithm,” Kaspersky researchers explained in a <a href="https://securelist.com/necro-trojan-is-back-on-google-play/113881/" rel="external nofollow">separate post</a>. “If the MD5 check is successful, it extracts the contents of the PNG file—the pixel values in the ARGB channels—using standard Android tools. Then the getPixel method returns a value whose least significant byte contains the blue channel of the image, and processing begins in the code.”
	</p>

	<p>
		 
	</p>

	<p>
		The researchers continued:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			If we consider the blue channel of the image as a byte array of dimension 1, then the first four bytes of the image are the size of the encoded payload in Little Endian format (from the least significant byte to the most significant). Next, the payload of the specified size is recorded: this is a JAR file encoded with Base64, which is loaded after decoding via DexClassLoader. Coral SDK loads the sdk.fkgh.mvp.SdkEntry class in a JAR file using the native library libcoral.so. This library has been obfuscated using the OLLVM tool. The starting point, or entry point, for execution within the loaded class is the run method.
		</p>

		<p>
			 
		</p>

		<figure class="image shortcode-img center large" style="">
			<img alt="Necro code implementing steganography." class="ipsImage" height="361" srcset="https://cdn.arstechnica.net/wp-content/uploads/2024/09/necro-steganography.png 2x" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2024/09/necro-steganography.png">
			<figcaption class="caption">
				<div class="caption-text" style="font-style: italic;">
					Necro code implementing steganography.
				</div>

				<div class="caption-credit" style="font-style: italic;">
					Kaspersky
				</div>
			</figcaption>
		</figure>
	</blockquote>
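	<p>
		For analysts triaging a suspect image, the layout quoted above (blue channel read as a byte array, a four-byte little-endian size, then a Base64 body) can be checked mechanically. The following is an added example, not code from Kaspersky, Ars Technica, or the malware; the function names, the pixel-list input (32-bit ARGB integers such as getPixel returns), and the ZIP-magic test for a JAR are assumptions of this sketch, and both sample images are constructed.
	</p>

```python
import base64
import binascii
import struct

ZIP_MAGIC = b"PK\x03\x04"  # a JAR is a ZIP archive, so a decoded JAR starts with this


def blue_channel(argb_pixels):
    """Low byte of each 32-bit ARGB pixel value, i.e. the blue channel."""
    return bytes(p & 0xFF for p in argb_pixels)


def inspect_blue_channel(argb_pixels):
    """Check whether the blue channel holds a length-prefixed Base64 blob.

    Returns a report dict; 'suspicious' is True only when the four-byte
    little-endian size fits inside the image and the body is valid Base64.
    """
    blue = blue_channel(argb_pixels)
    report = {
        "suspicious": False,
        "reason": "",
        "declared_size": None,
        "decoded": b"",
        "looks_like_jar": False,
    }
    if len(blue) < 4:
        report["reason"] = "fewer than four pixels, no room for a size field"
        return report

    (size,) = struct.unpack_from("<I", blue, 0)  # little-endian uint32
    report["declared_size"] = size
    if size == 0 or size > len(blue) - 4:
        # Ordinary images almost always land here: four arbitrary blue
        # values rarely form a size that fits in the remaining pixels.
        report["reason"] = "declared size does not fit inside the image"
        return report

    # Some Base64 encoders insert line breaks; drop them before strict decoding.
    body = blue[4:4 + size].translate(None, b"\r\n")
    try:
        decoded = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        report["reason"] = "body is not valid Base64"
        return report

    report.update(
        suspicious=True,
        reason="length-prefixed Base64 blob found in blue channel",
        decoded=decoded,
        looks_like_jar=decoded.startswith(ZIP_MAGIC),
    )
    return report


def pixels_from_blue(blue_bytes):
    """Constructed test data: opaque pixels whose blue channel is blue_bytes."""
    return [0xFF102000 | b for b in blue_bytes]


# Constructed samples (no real malware content): a harmless marker behind
# the ZIP magic, and an ordinary-looking gradient image.
SAMPLE_PLAINTEXT = ZIP_MAGIC + b"constructed benign sample"
ENCODED_SAMPLE = base64.b64encode(SAMPLE_PLAINTEXT)
CARRIER_PIXELS = pixels_from_blue(
    struct.pack("<I", len(ENCODED_SAMPLE)) + ENCODED_SAMPLE + bytes(20)
)
ORDINARY_PIXELS = pixels_from_blue(bytes((i * 7) % 256 for i in range(64)))

if __name__ == "__main__":
    for name, pixels in (("carrier", CARRIER_PIXELS), ("ordinary", ORDINARY_PIXELS)):
        r = inspect_blue_channel(pixels)
        print(name, r["suspicious"], r["declared_size"], r["reason"])
```

	<p>
		A hit is a reason to pull the image and its host app for closer analysis, not proof of infection; the indicators of compromise in the Kaspersky writeup remain the authoritative check.
	</p>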

	<p>
		Follow-on payloads that get installed download malicious plugins that can be mixed and matched for each infected device to perform a variety of different actions. One of the plugins allows code to run with elevated system rights. By default, Android bars privileged processes from using WebView, an extension in the OS for displaying webpages in apps. To bypass this safety restriction, Necro uses a hacking technique known as a <a href="https://en.wikipedia.org/wiki/Reflection_attack" rel="external nofollow">reflection attack</a> to create a separate instance of the WebView factory.
	</p>

	<p>
		 
	</p>

	<p>
		This plugin can also download and run other executable files that will replace links rendered through WebView. When running with the elevated system rights, these executables have the ability to modify URLs to add confirmation codes for paid subscriptions and download and execute code loaded at links controlled by the attacker. The researchers listed five separate payloads they encountered in their analysis of Necro.
	</p>

	<p>
		 
	</p>

	<p>
		The modular design of Necro opens myriad ways for the malware to behave. Kaspersky provided the following image that provides an overview.
	</p>

	<p>
		 
	</p>

	<figure class="image shortcode-img center large" style="">
		<img alt="Necro Trojan infection diagram." class="ipsImage" height="712" srcset="https://cdn.arstechnica.net/wp-content/uploads/2024/09/necro-overview-1280x1266.png 2x" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/09/necro-overview.png">
		<figcaption class="caption">
			<div class="caption-text" style="font-style: italic;">
				Necro Trojan infection diagram.
			</div>

			<div class="caption-credit" style="font-style: italic;">
				Kaspersky
			</div>
		</figcaption>
	</figure>

	<p>
		The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads—known as Max Browser—was also infected. That app is no longer available in Google Play.
	</p>

	<p>
		 
	</p>

	<p>
		The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify,<em> Minecraft</em>, WhatsApp, <em>Stumble Guys</em>, <em>Car Parking Multiplayer</em>, and <em>Melon Sandbox</em>.
	</p>

	<p>
		 
	</p>

	<p>
		People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of <a href="https://securelist.com/necro-trojan-is-back-on-google-play/113881/" rel="external nofollow">this</a> writeup.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2024/09/11-million-devices-infected-with-botnet-malware-hosted-in-google-play/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25650</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Kaspersky deletes itself, installs UltraAV antivirus without warning</title><link>https://nsaneforums.com/news/security-privacy-news/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning-r25637/</link><description><![CDATA[<p>
	Starting Thursday, Russian cybersecurity company Kaspersky deleted its anti-malware software from customers' computers across the United States and automatically replaced it with UltraAV's antivirus solution.
</p>

<p>
	 
</p>

<p>
	This comes after Kaspersky decided to shut down its U.S. operations and lay off U.S.-based employees in response to the <a href="https://www.bleepingcomputer.com/news/security/kaspersky-is-shutting-down-its-business-in-the-united-states/" target="_blank" rel="external nofollow">U.S. government adding Kaspersky to the Entity List</a>, a catalog of "foreign individuals, companies, and organizations deemed a national security concern" in June.
</p>

<p>
	 
</p>

<p>
	On June 20, the Biden administration also announced a <a href="https://www.bleepingcomputer.com/news/security/biden-bans-kaspersky-antivirus-software-in-us-over-security-concerns/" target="_blank" rel="external nofollow">ban on sales and software updates for Kaspersky antivirus software</a> in the United States starting September 29, 2024, over potential national security risks.
</p>

<p>
	 
</p>

<p>
	In July, Kaspersky <a href="https://www.bleepingcomputer.com/news/security/kaspersky-offers-free-security-software-for-six-months-in-us-goodbye/" target="_blank" rel="external nofollow">told BleepingComputer</a> that it would begin closing its business and lay off the staff on July 20 because of the sales and distribution ban. In early September, Kaspersky also <a href="https://www.reddit.com/r/antivirus/comments/1f9ps3e/kaspersky_beginning_transition_of_us_users_to/" rel="external nofollow" target="_blank">emailed</a> customers, assuring them they would continue receiving "reliable cybersecurity protection" from UltraAV (owned by Pango Group) after Kaspersky stopped selling software and updates for U.S. customers.
</p>

<p>
	 
</p>

<p>
	However, those emails failed to inform users that Kaspersky's products would be abruptly deleted from their computers and replaced with UltraAV without warning.
</p>

<h2>
	UltraAV force-installed on Kaspersky users' PCs
</h2>

<p>
	According to <a data-sk="tooltip_parent" data-stringify-link="http://www.reddit.com/r/antivirus/comments/1f9ps3e/kaspersky_beginning_transition_of_us_users_to/" delay="150" href="http://www.reddit.com/r/antivirus/comments/1f9ps3e/kaspersky_beginning_transition_of_us_users_to/" rel="external nofollow" target="_blank">many</a> <a data-sk="tooltip_parent" data-stringify-link="http://forum.kaspersky.com/topic/kav-ultraav-software-no-notification-automatically-installs-and-cant-remove-it-50628/" delay="150" href="http://forum.kaspersky.com/topic/kav-ultraav-software-no-notification-automatically-installs-and-cant-remove-it-50628/" rel="external nofollow" target="_blank">online</a> <a data-sk="tooltip_parent" data-stringify-link="https://www.reddit.com/r/antivirus/comments/1fkgum8/so_i_had_kaspersky_now_i_got_ultraav_because_of/" delay="150" href="https://www.reddit.com/r/antivirus/comments/1fkgum8/so_i_had_kaspersky_now_i_got_ultraav_because_of/" rel="external nofollow" target="_blank">customer</a> <a data-sk="tooltip_parent" data-stringify-link="https://www.reddit.com/r/antivirus/comments/1fkr0sf/kaspersky_deleted_itself_and_installed_ultraav/" delay="150" href="https://www.reddit.com/r/antivirus/comments/1fkr0sf/kaspersky_deleted_itself_and_installed_ultraav/" rel="external nofollow" target="_blank">reports</a>, including <a data-sk="tooltip_parent" data-stringify-link="https://www.bleepingcomputer.com/forums/t/801324/kaspersky-deleted-itself-and-installed-ultraav/" delay="150" href="https://www.bleepingcomputer.com/forums/t/801324/kaspersky-deleted-itself-and-installed-ultraav/" rel="external nofollow" target="_blank">BleepingComputer's forums</a>, UltraAV's software was installed on their computers without any prior notification, with many concerned that their devices had been infected with malware.
</p>

<p>
	 
</p>

<p>
	"I woke up and saw this new antivirus system on my desktop and I tried opening kaspersky but it was gone. So I had to look up what happened because I was literally having a mini heart attack that my desktop somehow had a virus which uninstalled kaspersky somehow," one user <a href="https://www.reddit.com/r/antivirus/comments/1fkgum8/so_i_had_kaspersky_now_i_got_ultraav_because_of/lnvnkb4/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	To make things worse, while some users could uninstall UltraAV using the software’s uninstaller, those who tried removing it using uninstall apps <a href="https://www.reddit.com/r/antivirus/comments/1fkgum8/so_i_had_kaspersky_now_i_got_ultraav_because_of/lnw05bp/" rel="external nofollow" target="_blank">saw it reinstalled after a reboot</a>, causing further concerns about a potential malware infection.
</p>

<p>
	 
</p>

<p>
	Some also <a href="https://forum.kaspersky.com/topic/kav-ultraav-software-no-notification-automatically-installs-and-cant-remove-it-50628/?page=2#comment-187138" rel="external nofollow" target="_blank">found UltraVPN installed</a>, likely because they had a Kaspersky VPN subscription.
</p>

<p>
	 
</p>

<p>
	Not much is known about UltraAV besides being part of Pango Group, which controls multiple VPN brands (e.g., Hotspot Shield, UltraVPN, and Betternet) and Comparitech (a VPN software review website).
</p>

<p>
	 
</p>

<p>
	"If you are a paying Kaspersky customer, when the transition is complete UltraAV protection will be active on your device and you will be able to leverage all of the additional premium features," UltraAV says on its official website on a <a href="https://ultrasecureav.com/kl-transition" rel="external nofollow" target="_blank">page dedicated to this forced transition</a> from Kaspersky's software.
</p>

<p>
	 
</p>

<p>
	"On September 30th, 2024 Kaspersky will no longer be able to support or provide product updates to your service. This puts you at substantial risk for cybercrime."
</p>

<p>
	 
</p>

<p>
	A Kaspersky employee also shared an <a href="https://forum.kaspersky.com/topic/kav-ultraav-software-no-notification-automatically-installs-and-cant-remove-it-50628/?page=2#comment-187103" rel="external nofollow" target="_blank">official statement</a> on the company's official forums regarding the forced switch to UltraAV, saying that it "partnered with antivirus provider UltraAV to ensure continued protection for US-based customers that will no longer have access to Kaspersky's protections."
</p>

<p>
	 
</p>

<p>
	"Kaspersky has additionally partnered with UltraAV to make the transition to their product as seamless as possible, which is why on 9/19, U.S. Kaspersky antivirus customers received a software update facilitating the transition to UltraAV. This update ensured that users would not experience a gap in protection upon Kaspersky's exit from the market," it added.
</p>

<p>
	 
</p>

<p>
	The company states that UltraAV has a <a href="https://ultrasecureav.com/kl-transition#chart" rel="external nofollow" target="_blank">similar feature set</a> to its products and asked customers to review a <a href="https://ultrasecureav.com/faq" rel="external nofollow" target="_blank">FAQ page</a> on UltraAV's website or contact its support team for more information.
</p>

<p>
	 
</p>

<p>
	A Kaspersky spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25637</guid><pubDate>Mon, 23 Sep 2024 18:24:30 +0000</pubDate></item><item><title>[US] Kaspersky users suddenly finding "UltraAV" automatically installed on their PC, here's why</title><link>https://nsaneforums.com/news/security-privacy-news/us-kaspersky-users-suddenly-finding-ultraav-automatically-installed-on-their-pc-heres-why-r25629/</link><description><![CDATA[<p>
	Earlier this year in June, Russia-based <a href="https://www.neowin.net/news/us-russia-tensions-escalate-as-kaspersky-ban-set-to-be-introduced/" rel="external nofollow">Kaspersky was banned</a> by the U.S. government and as a result, the U.S. staff were <a href="https://www.neowin.net/news/kasperky-to-lay-off-its-us-staff-after-the-country-bans-its-products/" rel="external nofollow">laid off</a>. Following that, Kaspersky released its <a href="https://www.kaspersky.com/about/press-releases/kaspersky-statement-on-the-us-commerce-department-determination" rel="external nofollow">own statement</a> on the matter.
</p>

<p>
	 
</p>

<p>
	Fast forward to September, <a href="https://www.axios.com/2024/09/05/kaspersky-pango-group-antivirus-deal" rel="external nofollow">Axios reported</a> that around 1 million of Kaspersky's U.S. customers were being offloaded to Pango Group's UltraAV. The information was shared by Neill Feather, president and chief operating officer at Pango.
</p>

<p>
	 
</p>

<p>
	As per the report, the companies understood that this would allow Kaspersky U.S. customers to continue receiving security updates in some form as they would no longer be serviced by Kaspersky.
</p>

<p>
	 
</p>

<p>
	Since then, several Kaspersky users including <a href="https://www.neowin.net/forum/topic/1446541-kaspersky-uninstalled-itself-and-now-i-have-ultraav-is-it-any-good/" rel="external nofollow">Neowin forum member Mockingbird</a> are finding out that Kaspersky software uninstalled itself and has been replaced automatically with UltraAV.
</p>

<p>
	 
</p>

<p>
	The general sentiment among such users seems to be one of curiosity and concern, mixed with frustration about the new UltraAV they are finding on their systems. They do have a right to feel so, given that UltraAV is relatively untested compared to something as robust as Kaspersky, which had proven itself time and again in independent testing by the likes of <a href="https://www.neowin.net/news/tags/av_ranking/" rel="external nofollow">AV-TEST and AV-Comparatives</a>.
</p>

<p>
	 
</p>

<p>
	UltraAV on its website provides some details about itself including its foundation:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>Is UltraAV a US-based company?</strong>
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		UltraAV is a US-based company and is not subject to any geographic restrictions. However, UltraVPN, the premium VPN included with UltraAV, is a Panama-based entity which means UltraVPN is outside the Five Eyes and Fourteen Eyes Alliance. This ensures the highest level of privacy and security for our customers.
	</p>
</blockquote>

<p>
	Interestingly, some users <a href="https://www.reddit.com/r/antivirus/comments/1fmbev2/ultra_av_kasperskys_replacement/" rel="external nofollow">noticed</a> that the UltraAV software installer is digitally signed by a Pune, India-based firm called "Max Secure Software India Pvt. Ltd."
</p>

<p>
	 
</p>

<p>
	Besides the origin, UltraAV has also provided details regarding the transition from Kaspersky:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>What to Expect from the Kaspersky --&gt; UltraAV transition</strong>
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		<strong>Windows Users</strong>
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		No action is required. By mid-September you will have access to Ultra AV &amp; Ultra VPN on your Windows desktop. If you are a paying Kaspersky customer, when the transition is complete UltraAV protection will be active on your device and you will be able to leverage all of the additional premium features.
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		<strong>Mac &amp; Android Users</strong>
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		By mid-September, you will receive an email notification when your product is ready to set up. Click on the link in the email and follow the onboarding process. Alternatively, you can open the Kaspersky Mac/Android product and follow the instructions from there.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>What will happen to my Kaspersky service?</strong>
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		On September 30th, 2024 Kaspersky will no longer be able to support or provide product updates to your service. This puts you at substantial risk for cybercrime. UltraAV has all the tools you need to stay safe online - from cutting edge malware protection, to premium VPN, password manager and identity theft protection.
	</p>
</blockquote>

<p>
	Additionally, information on billing and subscription charges has also been provided:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>When did Kaspersky stop billing me for my service?</strong>
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		Kaspersky stopped billing monthly and annual customers in June 2024. Billing with UltraAV will resume in October 2024.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>Will I be charged for UltraAV?</strong>
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		Your billing schedule with UltraAV will be the same as your Kaspersky account. Annual and monthly billing will remain the same.
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		If your previous renewal date fell between July and September 2024 or if you were billed monthly, you were not billed during that time frame. Your billing was delayed until October 2024. Once you are billed in October, you will resume a renewal cadence in accordance with your new bill date (e.g. If you were billed on 10/8/2024, your new 1 year renewal date will be 10/8/2025)
	</p>

	<p>
		 
	</p>

	<p>
		<strong>How much does UltraAV cost?</strong>
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		You will keep the same price for your UltraAV account as you did for Kaspersky. If you were to repurchase UltraAV with all the features provided in your Kaspersky account, it would cost 47.88 per year, billed annually for the first year and then would renew at the full price of $149.99.
	</p>

	<p>
		 
	</p>

	<p style="margin-left:80px">
		*This price is subject to change. We will always notify you by e-mail in advance prior to charging.
	</p>
</blockquote>

<p>
	The FAQ page also notes that users can cancel their UltraAV subscription if they are unsatisfied with the service and performance of the product. In order to do so, users need to fill out <a href="https://support.ultrasecureav.com/hc/en-us/requests/new" rel="external nofollow">this form</a> to contact the support team.
</p>

<p>
	 
</p>

<p>
	You may find more details about UltraAV <a href="https://ultrasecureav.com/faq" rel="external nofollow">here</a> on its official website.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/kaspersky-users-suddenly-finding-ultraav-automatically-installed-on-their-pc-heres-why/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25629</guid><pubDate>Mon, 23 Sep 2024 08:10:21 +0000</pubDate></item><item><title>Microsoft updates Defender for Windows 11/10 install images, patches ransomware, and more</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-updates-defender-for-windows-1110-install-images-patches-ransomware-and-more-r25618/</link><description><![CDATA[<p>
	Microsoft released September 2024 Patch Tuesday updates on the 9th under <a href="https://www.neowin.net/news/windows-10-kb5043064--kb5043050-kb5043051--kb5043083-september-2024-patch-tuesday-out/" rel="external nofollow">KB5043064, KB5043050, KB5043051, KB5043083</a> for Windows 10; <a href="https://www.neowin.net/news/windows-11-patch-tuesday-update-out-now-for-23h2-22h2-kb5043076-and-21h2-kb5043067/" rel="external nofollow">KB5043076, KB5043067</a> for Windows 11 22H2 and 21H2; and <a href="https://www.neowin.net/news/patch-tuesday-update-kb5043080-hits-copilot-pcs-running-windows-11-24h2/" rel="external nofollow">KB5043080</a> for Windows 11 24H2. They mainly address security issues but also add new features and bug fixes among others. Alongside these, it also released the OOBE update <a href="https://www.neowin.net/news/kb5043939-microsoft-improves-windows-11-24h2-oobe-initial-setup-experience/" rel="external nofollow">(KB5043939)</a>, but for version 24H2 only. The company also published a Setup update (<a href="https://www.neowin.net/news/kb5043353-microsoft-released-a-new-windows-11-24h2-setup-update/" rel="external nofollow">KB5043353</a>), and a WinRE update (<a href="https://www.neowin.net/news/kb5043355-microsoft-released-a-new-windows-11-24h2-recovery-update/" rel="external nofollow">KB5043355</a>) as well, also for version 24H2.
</p>

<p>
	 
</p>

<p>
	Microsoft also published a new Defender update during that time. This update package is necessary as a Windows installation image may contain old, outdated anti-malware definitions and software binaries. Aside from better security, these updates can also provide improved performance benefits in some cases.
</p>

<p>
	 
</p>

<p>
	Microsoft is delivering the latest security definitions for Windows images via security intelligence update version 1.417.472.0. The Defender package version is 1.413.494.0. Microsoft has also published a link to its <a href="https://www.neowin.net/news/microsoft-posts-guide-on-national-public-data-breach-that-leaked-ssns-house-addresses-more/" rel="external nofollow">detailed guidance about the recent NPD data breach</a> which has leaked SSNs, house addresses, and more, of over 150 million people.
</p>

<p>
	 
</p>

<p>
	In the support document describing the new update, Microsoft <a href="https://support.microsoft.com/en-us/topic/microsoft-defender-update-for-windows-operating-system-installation-images-1c89630b-61ff-00a1-04e2-2d1f3865450d" rel="external nofollow">explains</a>:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The first hours of a newly installed Windows deployment can leave the system vulnerable because of a Microsoft Defender protection gap. This is because the OS installation images may contain outdated antimalware software binaries.
	</p>

	<p>
		 
	</p>

	<p>
		[..] Devices using either the Windows built-in antivirus or another security solution can benefit from these updates. Defender updates also contain critical performance fixes that will improve the user experience.
	</p>

	<p>
		 
	</p>

	<p>
		[..] This article describes antimalware update package for Microsoft Defender in the OS installation images (WIM and VHD files). This feature supports the following OS installation images:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Windows 11
		</li>
		<li>
			Windows 10 (Enterprise, Pro, and Home editions)
		</li>
		<li>
			Windows Server 2022
		</li>
		<li>
			Windows Server 2019
		</li>
		<li>
			Windows Server 2016
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		<strong>Version information</strong>
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Defender package version: 1.417.472.0
		</li>
	</ul>

	<p>
		This package updates the anti-malware client, anti-malware engine, and signature versions in the OS installation images to the following versions:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Platform version: 4.18.24080.9
		</li>
		<li>
			Engine version: 1.1.24080.9
		</li>
		<li>
			Security intelligence version: 1.417.472.0
		</li>
	</ul>
</blockquote>

<p>
	From Microsoft's security bulletin, we learn that the security intelligence update <a href="https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.417.472.0" rel="external nofollow">version 1.417.472.0</a> was released last month. It adds threat detections for various trojans, ransomware, adware, and backdoor exploits, among others. For those wondering, the latest intelligence update is version 1.419.109.0 at the time of writing.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-updates-defender-for-windows-1110-install-images-patches-ransomware-and-more/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<strong><span style="font-size:16px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of August): 3,792 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">25618</guid><pubDate>Sun, 22 Sep 2024 07:37:57 +0000</pubDate></item><item><title>Researcher reveals &#x2018;catastrophic&#x2019; security flaw in the Arc browser</title><link>https://nsaneforums.com/news/security-privacy-news/researcher-reveals-%E2%80%98catastrophic%E2%80%99-security-flaw-in-the-arc-browser-r25596/</link><description><![CDATA[<h3>
	An exploit patched last month could have allowed attackers to access anyone’s browser just by knowing their user ID.
</h3>

<div>
	<div>
		<div>
			<div>
				<p>
					A security researcher revealed a “catastrophic” vulnerability in the <a href="https://www.theverge.com/23462235/arc-web-browser-review" rel="external nofollow">Arc</a> browser that would have allowed attackers to insert arbitrary code into other users’ browser sessions with little more than an easily findable user ID. The vulnerability was patched on August 26th and disclosed today <a href="https://kibty.town/blog/arc/" rel="external nofollow">in a blog post by security researcher xyz3va</a>, as well as <a href="https://arc.net/blog/CVE-2024-45489-incident-response" rel="external nofollow">a statement from The Browser Company</a>. The company says that its logs indicate no users were affected by the flaw.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					The exploit, CVE-2024-45489, relied on a misconfiguration in The Browser Company’s implementation of Firebase, a “database-as-a-backend service,” for storage of user info, including <a href="https://resources.arc.net/hc/en-us/articles/19212718608151-Boosts-Customize-Any-Website" rel="external nofollow">Arc Boosts</a>, a feature that lets users customize the appearance of websites they visit.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					In its statement, The Browser Company writes:
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<blockquote class="QuoteNewsStyle">
					<p>
						Arc has a feature called Boosts that allows you to customize any website with custom CSS and Javascript. Since running arbitrary Javascript on websites has potential security concerns, we opted not to make Boosts with custom Javascript shareable across members, but we still synced them to our server so that your own Boosts are available across devices.
					</p>

					<p>
						 
					</p>

					<p>
						We use Firebase as the backend for certain Arc features (more on this below), and use it to persist Boosts for both sharing and syncing across devices. Unfortunately our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, which allowed users Firebase requests to change the creatorID of a Boost after it had been created. This allowed any Boost to be assigned to any user (provided you had their userID), and thus activate it for them, leading to custom CSS or JS running on the website the boost was active on.
					</p>
				</blockquote>
			</div>

			<div>
				<p>
					Or, in the words of xyz3va,
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<blockquote class="QuoteNewsStyle">
					<p>
						arc boosts can contain arbitrary javascript
					</p>

					<p>
						 
					</p>

					<p>
						arc boosts are stored in firestore
					</p>

					<p>
						 
					</p>

					<p>
						the arc browser gets which boosts to use via the creatorID field
					</p>

					<p>
						 
					</p>

					<p>
						<strong>we can arbitrarily change the creatorID field to any user id</strong>
					</p>
				</blockquote>
			</div>

			<div>
				<p>
					You can get someone’s creatorID in several ways, including referral links, shared easels, and publicly shared Boosts. With that info, an attacker could have created a boost with arbitrary code in it and added it to the victim’s Arc account without any action on the victim’s part. That’s bad.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					The Browser Company responded quickly — xyz3va reported the bug to cofounder Hursh Agrawal, demonstrated it within minutes, and was added to the company Slack within half an hour. The bug was patched the next day, and the company’s statement details <a href="https://arc.net/blog/CVE-2024-45489-incident-response" rel="external nofollow">a list of security improvements</a> it says it’s implementing, including setting up a bug bounty program, moving off of Firebase, disabling custom Javascript on synced Boosts, and hiring additional security staff.
				</p>
			</div>
		</div>
	</div>

</div>

<p>
	<a href="https://www.theverge.com/2024/9/20/24249919/arc-browser-boost-firebase-vulnerability-patched" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25596</guid><pubDate>Fri, 20 Sep 2024 18:38:14 +0000</pubDate></item><item><title>New Google Password Manager PIN adds layer of protection for your passkeys</title><link>https://nsaneforums.com/news/security-privacy-news/new-google-password-manager-pin-adds-layer-of-protection-for-your-passkeys-r25595/</link><description><![CDATA[<p>
	Google has announced that it's rolling out updates to Google Chrome on Windows, macOS, Linux, Android, and ChromeOS that will allow you to <a href="https://www.neowin.net/news/google-says-its-passkeys-have-been-used-more-than-a-billion-times-in-less-than-a-year/" rel="external nofollow">save passkeys</a> to Google Password Manager. Before this update, you could only save passkeys to Google Password Manager on Android. While you could use them to log in to websites on other devices, you still needed to scan a QR code from your Android device, which was inconvenient.
</p>

<p>
	 
</p>

<p>
	When you save a passkey from one of your devices, it will now automatically sync across all of your devices. When using passkeys, you can use a variety of authentication methods including face, fingerprint, PIN, and more.
</p>

<p>
	 
</p>

<p>
	With its announcement, Google also said it would be introducing a new Google Password Manager PIN. The PIN acts as an extra layer of security to make sure your passkeys are end-to-end encrypted and can't be accessed by anyone but yourself, including Google.
</p>

<p>
	 
</p>

<p>
	It's important to remember your PIN as you'll need to know it when using passkeys on a new device. If you do forget, then you can also use the screen lock on your Android phone.
</p>

<p>
	 
</p>

<p>
	Passkeys are being pushed heavily by big tech companies, with Google, Amazon, PayPal, and <a href="https://www.neowin.net/news/whatsapp-testing-passkeys-feature-to-make-accessing-your-encrypted-backups-much-easier/" rel="external nofollow">WhatsApp</a> already supporting the technology. With that said, everyone has been using passwords since the beginning of the web and they're not likely to go anywhere soon. Heck, Google still refers to it as the Google <strong>Password</strong> Manager, not passkey manager, highlighting the dominance of passwords over passkeys.
</p>

<p>
	 
</p>

<p>
	Still, it is nice to see that Google is expanding support for passkeys as this gives people more choice about how they want to secure their accounts.
</p>

<p>
	 
</p>

<p>
	<em>Let us know in the comments if you have started using passkeys yet or whether you find the concept a bit confusing and prefer to sign in with passwords or a social media account such as a Google Account or Facebook Account.</em>
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://blog.google/technology/safety-security/google-password-manager-passkeys-update-september-2024/" rel="external nofollow">Google</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/new-google-password-manager-pin-adds-layer-of-protection-for-your-passkeys/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25595</guid><pubDate>Fri, 20 Sep 2024 18:37:18 +0000</pubDate></item><item><title>Cloudflare outage cuts off access to websites in some regions</title><link>https://nsaneforums.com/news/security-privacy-news/cloudflare-outage-cuts-off-access-to-websites-in-some-regions-r25551/</link><description><![CDATA[<p>
	A rolling Cloudflare outage is impacting access to web sites worldwide, including BleepingComputer, with sites working in some regions and not others.
</p>

<p>
	 
</p>

<p>
	While Cloudflare says they are currently conducting scheduled maintenance in Singapore and Nashville, its status page does not indicate any problems.
</p>

<p>
	 
</p>

<p>
	However, for many users worldwide, when attempting to access websites utilizing Cloudflare, web browsers will display error messages stating they have trouble connecting to the server, as shown below.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Error connecting to BleepingComputer" class="ipsImage" height="275" width="720" src="https://www.bleepstatic.com/images/news/outages/c/cloudflare/rolling-outages/cloudflare-outage.jpg">
		<figcaption>
			<em>Error connecting to BleepingComputer<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	Our platform, BleepingComputer, is one of the sites affected by this outage, and our users are experiencing intermittent access issues. However, our monitoring tools indicate that the site is still receiving traffic, suggesting that the outage is region-specific.
</p>

<p>
	 
</p>

<p>
	Furthermore, from the publishing of this article, you can see that I can still access our site from the US, while some of our other staff are not able to from other countries.
</p>

<p>
	 
</p>

<p>
	Downdetector <a href="https://downdetector.com/status/cloudflare/" rel="external nofollow" target="_blank">also shows</a> increased complaints about Cloudflare at around 1:45 PM ET, which coincides with when we began having issues at BleepingComputer.
</p>

<p>
	 
</p>

<p>
	Similar reports are found on X, with customers stating that their sites are inaccessible over IPv4, but can be reached through IPv6.
</p>

<p>
	 
</p>

<p>
	NodeJS.org is <a href="https://x.com/wunderacle/status/1836115444316672473" rel="external nofollow" target="_blank">also reporting</a> being impacted by the Cloudflare outage, stating it is impacting the "ability to access nodejs.org, including access to the website and downloading Node.js."
</p>

<p>
	 
</p>

<p>
	BleepingComputer contacted Cloudflare to learn more about this outage, but a reply was not immediately available.
</p>

<p>
	 
</p>

<p>
	<em>This is a developing story.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/technology/cloudflare-outage-cuts-off-access-to-websites-in-some-regions/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25551</guid><pubDate>Wed, 18 Sep 2024 07:28:54 +0000</pubDate></item><item><title>Google Drive finally getting shared folder restrict access option</title><link>https://nsaneforums.com/news/security-privacy-news/google-drive-finally-getting-shared-folder-restrict-access-option-r25539/</link><description><![CDATA[<p>
	Google is finally introducing a new option to restrict or limit access to folders in a shared Drive situation. This is part of the latest Workspace updates the company launched earlier today. Google has not finalized the update yet and as such it is still in beta. The tech giant has provided a form for interested and eligible customers if they want to test out the beta for their domains. You can find the form <a href="https://docs.google.com/forms/d/e/1FAIpQLSfRPBUbVSlNSYzr1CgEKasGO2Qwd5ImebIL4n8SVJeSaNjR2g/viewform" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	The new option will be available as a "Limit access to" toggle. An administrator will be able to manage this feature from the Google Admin console via the "Manage shared drives" menu.
</p>

<p>
	 
</p>

<p>
	In the release notes Google explains how it will work:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Today, we’re introducing a beta that allows shared drive managers to restrict folders to specific users within a shared drive. This provides shared drive managers with greater flexibility to keep relevant content within a single shared drive, while restricting access to shared folders with sensitive information.
	</p>

	<p>
		 
	</p>

	<p>
		A folder with “limited access” can only be opened by people who have been added to it directly. People with general access to the shared drive or shared folder can see the restricted folder in Drive, but will not be able to open it.
	</p>

	<p>
		 
	</p>

	<p>
		Folders with limited access are available in both shared drives and My Drive:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Shared drive managers can always access folders with limited-access
		</li>
		<li>
			Folder owners can always access limited-access folders in their My Drive
		</li>
	</ul>
</blockquote>

<p>
	In a separate support article, Google has added how the Limit access option can be set up (images below for reference):
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		To create or edit limited access to a folder:
	</p>

	<p>
		 
	</p>

	<ol>
		<li>
			On your computer, open drive.google.com.
		</li>
		<li>
			Right-click the folder for which you want to set up limited access.
		</li>
		<li>
			Click <strong>Share</strong> <img alt="and then" height="21" width="21" src="https://lh3.googleusercontent.com/3_l97rr0GvhSP2XV5OoCkV2ZDTIisAOczrSdzNCBxhIKWrjXjHucxNwocghoUa39gw=w36-h36"><strong>Share</strong> <img alt="and then" height="24" width="24" src="https://lh3.googleusercontent.com/3_l97rr0GvhSP2XV5OoCkV2ZDTIisAOczrSdzNCBxhIKWrjXjHucxNwocghoUa39gw=w36-h36"> Settings <img alt="Settings" height="29" width="29" src="https://lh3.googleusercontent.com/tDBHiJ8k6Qfu-Z1keBBm3MwsWTUvBArY6XqswoIwLQy1CTWo_aWCdibRcqpjCsXl0daQ=w36-h36">.
		</li>
		<li>
			To enable limited access on the folder, turn on <strong>Limit access</strong>.
		</li>
		<li>
			Click Back <img alt="otgCCk56JUDfP5V1kr1k1KPdeGabwXtIGjhw" height="26" width="26" src="https://storage.googleapis.com/support-kms-prod/otgCCk56JUDfP5V1kr1k1KPdeGabwXtIGjhw">. In the sharing dialog, <a href="/drive/answer/7166529" rel="">add or remove users to the folder</a>.
		</li>
	</ol>
</blockquote>

<p class="img-center">
	<img alt="Option to restrict access to shared Google Drive folders" class="ipsImage" height="289" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/09/1726577562_gdrive_shared_folder_restrict_access_1.jpg">
</p>

<p class="img-center">
	<img alt="Option to restrict access to shared Google Drive folders" class="ipsImage" height="169" width="502" src="https://cdn.neowin.com/news/images/uploaded/2024/09/1726577556_gdrive_shared_folder_restrict_access_2.jpg">
</p>

<p>
	 
</p>

<p>
	Aside from the option to restrict access to shared folders in Google Drive, the new Workspace update also adds multi-monitor support for Google Slides. The company says:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Multi-monitor support enables presenters to see Presentation View components, such as speaker notes and the timer, on one display, while displaying the slides presentation on an external monitor.
	</p>
</blockquote>

<p>
	You can learn more about these updates on this <a href="https://workspaceupdates.googleblog.com/2024/" rel="external nofollow">page</a> on Google's official Workspace updates blog.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-drive-finally-getting-shared-folder-restrict-access-option/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25539</guid><pubDate>Tue, 17 Sep 2024 17:16:55 +0000</pubDate></item><item><title>D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers</title><link>https://nsaneforums.com/news/security-privacy-news/d-link-fixes-critical-rce-hardcoded-password-flaws-in-wifi-6-routers-r25515/</link><description><![CDATA[<p>
	D-Link has fixed critical vulnerabilities in three popular wireless router models that allow remote attackers to execute arbitrary code or access the devices using hardcoded credentials.
</p>

<p>
	 
</p>

<p>
	The impacted models are popular in the consumer networking market, especially among users looking for high-end WiFi 6 routers (DIR-X) and mesh networking systems (COVR).
</p>

<p>
	 
</p>

<p>
	The bulletin lists five vulnerabilities, three of which are rated critical, in the following firmware: COVR-X1870 (non-US) firmware versions v1.02 and below, DIR-X4860 (worldwide) on v1.04B04_Hot-Fix and older, and DIR-X5460 (worldwide) running firmware v1.11B01_Hot-Fix or older.
</p>

<p>
	 
</p>

<p>
	The five flaws and their associated advisories are listed below:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		<a href="https://www.twcert.org.tw/en/cp-139-8081-3fb39-2.html" rel="external nofollow" target="_blank"><strong>CVE-2024-45694</strong></a> (9.8 critical): Stack-based buffer overflow, allowing unauthenticated remote attackers to execute arbitrary code on the device.
	</li>
	<li>
		<a href="https://www.twcert.org.tw/en/cp-139-8083-a299e-2.html" rel="external nofollow" target="_blank"><strong>CVE-2024-45695</strong></a> (9.8 critical): Another stack-based buffer overflow allowing unauthenticated remote attackers to execute arbitrary code.
	</li>
	<li>
		<a href="https://www.twcert.org.tw/en/cp-139-8087-c3e70-2.html" rel="external nofollow" target="_blank"><strong>CVE-2024-45696</strong></a> (8.8 high): Attackers can forcibly enable the telnet service using hard-coded credentials within the local network.
	</li>
	<li>
		<a href="https://www.twcert.org.tw/en/cp-139-8089-32df6-2.html" rel="external nofollow" target="_blank"><strong>CVE-2024-45697</strong></a> (9.8 critical): Telnet service is enabled when the WAN port is plugged in, allowing remote access with hard-coded credentials.
	</li>
	<li>
		<a href="https://www.twcert.org.tw/en/cp-139-8091-bcd52-2.html" rel="external nofollow" target="_blank"><strong>CVE-2024-45698</strong></a> (8.8 high): Improper input validation in the telnet service allows remote attackers to log in and execute OS commands with hard-coded credentials.
	</li>
</ul>

<p>
	 
</p>

<p>
	To fix the flaws, D-Link recommends customers upgrade to v1.03B01 for COVR-X1870, v1.04B05 for DIR-X4860, and DIR-X5460A1_V1.11B04 for DIR-X5460.
</p>

<p>
	 
</p>

<p>
	D-Link says it learned of the flaws from the country's CERT (TWCERT) on June 24 but was not given the standard 90-day period to fix the flaws before they were disclosed.
</p>

<p>
	 
</p>

<p>
	"When D-Link became aware of the reported security issues, we promptly started investigating and developing security patches," D-Link stated in its <a href="http://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10412" rel="external nofollow" target="_blank">security bulletin</a>.
</p>

<p>
	 
</p>

<p>
	"The third-party publicly disclosed the problem before the patches were available on our standard 90-day security patch release schedule. We do not recommend that security researchers act in this manner, as they expose end-users to further risks without patches being available from the manufacturer."
</p>

<p>
	 
</p>

<p>
	BleepingComputer has not been able to find any previous public disclosure of these vulnerabilities and has contacted D-Link to learn more.
</p>

<p>
	 
</p>

<p>
	D-Link has not reported any in-the-wild exploitation of the flaws, but as D-Link is commonly targeted by malware botnets, installing the security updates remains crucial.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/d-link-fixes-critical-rce-hardcoded-password-flaws-in-wifi-6-routers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25515</guid><pubDate>Mon, 16 Sep 2024 17:43:51 +0000</pubDate></item><item><title>Google Chrome gets upgraded Safety Check and one-time site permissions</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-gets-upgraded-safety-check-and-one-time-site-permissions-r25484/</link><description><![CDATA[<p>
	Google has announced that it's rolling out three new features for Chrome to help you stay safe against online threats and give you more control over your data. The three new features include an upgraded Safety Check, the ability to opt out of unwanted website notifications more easily, and the option to grant site permissions for one time only.
</p>

<p>
	 
</p>

<p>
	With the revamped Safety Check feature, Chrome will automatically stay on the lookout behind the scenes, taking more proactive steps to keep you safe. Some actions it can take autonomously include revoking permissions from sites you no longer visit and flagging unwanted notifications. If it finds anything that needs your attention, it will let you know. Safety Check will also work with Google Safe Browsing to protect you from abusive notifications.
</p>

<p>
	 
</p>

<p>
	Next, Google says it will make it easier to opt out of website notifications. Users will now see an unsubscribe button under notifications, so they can press that if they don't want to continue receiving them. The feature is coming to Pixel devices first but will soon be available on more Android phones. On supported devices, this feature has led to a 30% reduction in notification volume.
</p>

<p>
	 
</p>

<p>
	Finally, Chrome users will soon be able to give one-time permission to websites. This will allow you to fully interact with a website while you need to, but you won't have to give websites extra control once you leave the website. This should help boost your privacy, especially in the case of giving permission to use your webcam.
</p>

<p>
	 
</p>

<p>
	Google says it's rolling out these features, so some of you will receive them before others. Hopefully, it shouldn't take too long for everyone to benefit from them.
</p>

<p>
	 
</p>

<p>
	<em>Let us know in the comments which of these features you're most looking forward to using or if you have received any of these options yet.</em>
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://blog.google/products/chrome/google-chrome-safety-update-september-2024/" rel="external nofollow">Google</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-chrome-gets-upgraded-safety-check-and-one-time-site-permissions/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25484</guid><pubDate>Fri, 13 Sep 2024 17:47:22 +0000</pubDate></item><item><title>Ongoing antitrust evidence reveals Google's strategy to 'crush' its competition in ads</title><link>https://nsaneforums.com/news/security-privacy-news/ongoing-antitrust-evidence-reveals-googles-strategy-to-crush-its-competition-in-ads-r25463/</link><description><![CDATA[<p>
	During the ongoing antitrust trial against Google, evidence presented by prosecutors revealed details about a former executive stating that the company's goal with its advertising platform was to "crush" others in the same sector.
</p>

<p>
	 
</p>

<p>
	The statements were made by David Rosenblatt, who was Google's former president of display advertising. According to notes shown in court, Rosenblatt said, "We'll be able to crush the other networks and that's our goal," while talking about the company's strategy in late 2008 or early 2009. Rosenblatt discussed the advantages of owning technology on both sides of the advertising market, comparing Google's position with that of both NYSE and Goldman Sachs.
</p>

<p>
	 
</p>

<p>
	Rosenblatt said, "Google has created what's comparable to the NYSE or London Stock Exchange; in other words, we'll do to display (ads) what Google did to search." He further added that by owning the publishing ad servers itself, Google's advertiser ad network would potentially have the "first look" at the spots available for ad placement and that it would be a "nightmare" for ad publishers to switch platforms.
</p>

<p>
	 
</p>

<p>
	The remark is part of the narrative laid out by the U.S. Department of Justice, in which prosecutors claim that Google has used exclusionary practices to maintain an illegal monopoly in the advertising market, which violates sections 1 and 2 of the <a href="https://en.wikipedia.org/wiki/Sherman_Antitrust_Act_of_1890" rel="external nofollow">Sherman Antitrust Act of 1890</a>. The lawsuit was filed in 2023, and <a href="https://www.neowin.net/news/googles-us-anti-trust-trial-over-its-online-ad-business-will-begin-later-today/" rel="external nofollow">the trial started on September 9</a>. The lawsuit aims to force Google to sell off significant portions of its adtech business while also requiring the company to refrain from certain business practices.
</p>

<p>
	 
</p>

<p>
	Google denies all the claims and argues that it competes vigorously with other digital advertising firms like Microsoft, Amazon, and Meta. Google also claims that the default search engine contracts make the user experience more seamless, which is why users want Google as the default and that the DOJ is improperly calculating its market share in advertising.
</p>

<p>
	 
</p>

<p>
	This antitrust case is different from <a href="https://www.neowin.net/news/google-goes-to-court-today-with-the-us-doj-in-a-major-anti-monopoly-trial-over-search-deals/" rel="external nofollow">the one the DOJ filed in 2020</a> that accused Google of an illegal monopoly in the search engine market, which was decided against Google. As part of his decision, Judge Amit P. Mehta wrote, "Google is a monopolist, and it has acted as one to maintain its monopoly."
</p>

<p>
	 
</p>

<p>
	Via <a href="https://www.reuters.com/technology/ex-google-exec-said-goal-was-crush-competition-trial-evidence-shows-2024-09-11/" rel="external nofollow">Reuters</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/ongoing-antitrust-evidence-reveals-googles-strategy-to-crush-its-competition-in-ads/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25463</guid><pubDate>Thu, 12 Sep 2024 18:35:17 +0000</pubDate></item><item><title>Europe&#x2019;s privacy watchdog probes Google over data used for AI training</title><link>https://nsaneforums.com/news/security-privacy-news/europe%E2%80%99s-privacy-watchdog-probes-google-over-data-used-for-ai-training-r25462/</link><description><![CDATA[<h3>
	Meta and X have already paused some AI training over the same set of concerns.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Google is under investigation by Europe’s privacy watchdog over its processing of personal data in the development of one of its artificial intelligence models, as regulators ramp up their scrutiny of Big Tech’s AI ambitions.
	</p>

	<p>
		 
	</p>

	<p>
		Ireland’s Data Protection Commission, which is responsible for enforcing the EU’s General Data Protection Regulation, said it had launched a statutory inquiry into the tech giant’s Pathways Language Model 2, or PaLM 2.
	</p>

	<p>
		 
	</p>

	<p>
		PaLM 2 was launched in May 2023 and predates Google’s latest Gemini models, which power its AI products. Gemini, which was launched in December of the same year, is now the core model behind its text and image-generation offering.
	</p>

	<p>
		 
	</p>

	<p>
		The inquiry will assess whether the company has breached its obligations under GDPR on the processing of the personal data of citizens of the EU and European Economic Area.
	</p>

	<p>
		 
	</p>

	<p>
		Under the framework, companies must conduct a data protection impact assessment before embarking on handling such information when the nature of the way it is used is likely to pose a high risk to the rights and freedoms of individuals.
	</p>

	<p>
		 
	</p>

	<p>
		This applied in particular to new technologies and was “of crucial importance in ensuring that the fundamental rights and freedoms of individuals are adequately considered and protected,” the regulator said in a statement.
	</p>

	<p>
		 
	</p>

	<p>
		The assessment is being examined in the investigation.
	</p>

	<p>
		 
	</p>

	<p>
		A Google spokesperson said: “We take seriously our obligations under the GDPR and will work constructively with the DPC to answer their questions.”
	</p>

	<p>
		 
	</p>

	<p>
		This is the latest in a series of actions by the DPC against the Big Tech groups that are building large language models.
	</p>

	<p>
		 
	</p>

	<p>
		In June, Meta paused its plans to train its model Llama on public content shared by adults on Facebook and Instagram across Europe, following discussions with the Irish regulator. Meta subsequently limited the availability of some of its AI products to users in the region.
	</p>

	<p>
		 
	</p>

	<p>
		A month later, X users discovered that they were being “opted in” to having their posts to the site used to train systems at Elon Musk’s xAI startup.
	</p>

	<p>
		 
	</p>

	<p>
		The platform suspended its processing of several weeks’ worth of European user data that had been harvested to train its Grok AI model, following legal proceedings by the DPC. That was the first time that the regulator had used its powers to take such action against a tech firm.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/tech-policy/2024/09/europes-privacy-watchdog-probes-google-over-data-used-for-ai-training/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25462</guid><pubDate>Thu, 12 Sep 2024 18:34:15 +0000</pubDate></item><item><title>YouTube on TVs reportedly showing ads even when pausing videos to more users</title><link>https://nsaneforums.com/news/security-privacy-news/youtube-on-tvs-reportedly-showing-ads-even-when-pausing-videos-to-more-users-r25456/</link><description><![CDATA[<p>
	If you watch YouTube videos on a TV without a premium subscription, be prepared to be bombarded with ads, even when you pause a video. According to multiple user reports, YouTube on TVs has started showing ads in a new format while a video is paused.
</p>

<p>
	 
</p>

<p>
	YouTube announced the "Pause ads" format in <a href="https://blog.youtube/news-and-events/brandcast-2023-highlights-trends/" rel="external nofollow">May last year</a> and started testing it in select regions. Now, it seems like YouTube has started to roll out the "Pause ads" format to more users across the globe.
</p>

<figure class="image image--expandable">
	<img alt="YouTube ads" class="ipsImage" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/09/1726115003_youtube-ads.jpg">
	<figcaption>
		<em>image by <a href="https://x.com/Roaether/status/1832186161743216724" rel="external nofollow">Roaether on X</a></em>
	</figcaption>
</figure>

<p>
	Users on <a href="https://www.reddit.com/r/youtube/comments/1fd051l/i_paused_my_video_and_this_showed_up/" rel="external nofollow">Reddit</a> and social media <a href="https://x.com/Roaether/status/1832186161743216724" rel="external nofollow">platform X</a> have shared screenshots highlighting ads being displayed when a YouTube video is paused. As shown in the images, the video shrinks into a smaller window on the left, while the ad shows up on the right.
</p>

<p>
	 
</p>

<p>
	The ad column has a "Sponsored" label, featuring the brand's name and the logo on top, followed by the ad. You will also see a caption for the ad, a "Dismiss" button to close the ad, and an "i" button to know more about the ad. The ad automatically disappears when the video is resumed, or you can manually remove it by pressing the dismiss button.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="YouTube Paused Ads" class="ipsImage" height="720" width="540" src="https://cdn.neowin.com/news/images/uploaded/2024/09/1726114742_youtube-tv-paused-ads.jpg">
	<figcaption>
		<em>image via <a href="https://www.reddit.com/r/youtube/comments/1fd051l/i_paused_my_video_and_this_showed_up/" rel="external nofollow">Reddit</a></em>
	</figcaption>
</figure>

<p>
	Currently, Dunkin Donuts appears to be the only advertiser showing up in "Pause ads". This also suggests that it could be a limited rollout for the time being. YouTube has been adding multiple new features to the platform.
</p>

<p>
	 
</p>

<p>
	Back in June, Google was working on a new feature, basically a server-side injection of ads that will make ad-blockers useless, as the ads will be <a href="https://www.neowin.net/news/google-wants-to-make-it-impossible-to-block-youtube-ads-as-they-may-be-inside-videos/" rel="external nofollow">embedded inside the videos themselves</a>.
</p>

<p>
	 
</p>

<p>
	It appears that, in the future, the only way to skip ads will be to pay for the premium subscription, prices for which start at $13.99/month for Individual and $22.99 for Family, to which you can add up to 5 members.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/youtube-on-tvs-reportedly-showing-ads-even-when-pausing-videos-to-more-users/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25456</guid><pubDate>Thu, 12 Sep 2024 08:07:18 +0000</pubDate></item><item><title>Adobe fixes Acrobat Reader zero-day with public PoC exploit</title><link>https://nsaneforums.com/news/security-privacy-news/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit-r25452/</link><description><![CDATA[<p>
	A cybersecurity researcher is urging users to upgrade Adobe Acrobat Reader after a fix was released yesterday for a remote code execution zero-day with a public in-the-wild proof-of-concept exploit.
</p>

<p>
	 
</p>

<p>
	The flaw is tracked as CVE-2024-41869 and is a critical use after free vulnerability that could lead to remote code execution when opening a specially crafted PDF document.
</p>

<p>
	 
</p>

<p>
	A "use after free" bug is when a program tries to access data in a memory location that has already been freed or released. This causes unexpected behavior, such as a program crashing or freezing.
</p>

<p>
	 
</p>

<p>
	However, if a threat actor is able to store malicious code in that memory location, and the program subsequently accesses it, it could be used to execute malicious code on the targeted device.
</p>

<p>
	 
</p>

<p>
	The flaw has now been fixed in the latest Acrobat Reader and Adobe Acrobat versions.
</p>

<h2>
	PoC exploit discovered in June
</h2>

<p>
	The Acrobat Reader zero-day was discovered in June through <a href="https://pub.expmon.com/" rel="external nofollow" target="_blank">EXPMON</a>, a sandbox-based platform created by cybersecurity researcher <a href="https://x.com/HaifeiLi" rel="external nofollow" target="_blank">Haifei Li</a> to detect advanced exploits such as zero-days or hard-to-detect (unknown) exploits.
</p>

<p>
	 
</p>

<p>
	"I created EXPMON because I noticed that there were no sandbox-based detection and analysis systems specifically focusing on detecting threats from an exploit or vulnerability perspective," Li told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"All the other systems do detection from a malware perspective. The exploit/vulnerability perspective is much needed if you want to go more advanced (or, early) detection."
</p>

<p>
	 
</p>

<p>
	"For example, if no malware is dropped or executed due to certain conditions, or if the attack does not use any malware at all, those systems would miss such threats. Exploits operate quite differently from malware, so a different approach is needed to detect them."
</p>

<p>
	 
</p>

<p>
	The <a href="https://x.com/EXPMON_/status/1804642692594569452" rel="external nofollow" target="_blank">zero-day was discovered</a> after a large number of samples from a public source were submitted to EXPMON for analysis. These samples included a PDF containing a proof-of-concept exploit that caused a crash.
</p>

<p>
	 
</p>

<p>
	While the PoC exploit is a work in progress and contains no malicious payloads, it was confirmed to exploit a "use after free" bug, which could be used for remote code execution.
</p>

<p>
	 
</p>

<p>
	After Li disclosed the flaw to Adobe, a security update was released in August. However, the update did not fix the flaw, which could still be triggered after closing various dialogs.
</p>

<p>
	 
</p>

<p>
	"We tested the (exactly the same) sample on the "patched" Adobe Reader version, it displayed additional dialogs, but if the user clicked/closed those dialogs, the app still crashed! Same UAF bug!," <a href="https://x.com/EXPMON_/status/1823776052788830675" rel="external nofollow" target="_blank">tweeted the EXPMON X account</a>.
</p>

<p>
	 
</p>

<p>
	<img alt="expmon-tweet.jpg" class="ipsImage" data-ratio="75.10" height="513" width="720" src="https://www.bleepstatic.com/images/news/security/vulnerabilities/expmon-tweet.jpg">
</p>

<p>
	 
</p>

<p>
	Yesterday, Adobe released a <a href="https://helpx.adobe.com/security/products/acrobat/apsb24-70.html" rel="external nofollow" target="_blank">new security update</a> that fixes the bug, now tracked as CVE-2024-41869.
</p>

<p>
	 
</p>

<p>
	Li will be releasing details on how the bug was detected on EXPMON's blog and further technical information in an upcoming Check Point Research report.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25452</guid><pubDate>Thu, 12 Sep 2024 02:07:46 +0000</pubDate></item></channel></rss>
