<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/36/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Rogue WHOIS server gives researcher superpowers no one should ever have</title><link>https://nsaneforums.com/news/security-privacy-news/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have-r25441/</link><description><![CDATA[<h3>
	.mobi top-level-domain managers changed the location of its WHOIS server. No one got the memo.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		It’s not every day that a security researcher acquires the ability to generate counterfeit HTTPS certificates, track email activity, and execute code of his choice on thousands of servers—all in a single blow that cost only $20 and a few minutes to land. But that’s exactly what happened recently to Benjamin Harris.
	</p>

	<p>
		Harris, the CEO and founder of security firm watchTowr, did all of this by registering the domain dotmobiregistry.net. The domain was once the official home of the <a href="https://www.icann.org/en/registry-agreements/org/org-registry-agreement--whois-specifications-8-12-2006-en" rel="external nofollow">authoritative WHOIS</a> server for .mobi, a top-level domain used to indicate that a website is optimized for mobile devices. At some point—it’s not clear precisely when—this WHOIS server, which acts as the official directory for every domain ending in .mobi, was relocated from whois.dotmobiregistry.net to whois.nic.mobi. While retreating to his hotel room during last month’s Black Hat security conference in Las Vegas, Harris noticed that the previous dotmobiregistry.net owners had allowed the domain to expire. He then scooped it up and set up his own .mobi WHOIS server there.
	</p>

	<h2>
		Misplaced trust
	</h2>

	<p>
		To Harris’s surprise, his server received queries from slightly more than 76,000 unique IP addresses within a few hours of setting it up. Over five days, it received roughly 2.5 million queries from about 135,000 unique systems. The entities behind the systems querying his deprecated domain included a who’s who of Internet heavyweights comprising domain registrars, providers of online security tools, governments from the US and around the world, universities, and certificate authorities, the entities that issue browser-trusted TLS certificates that make HTTPS work.
	</p>

	<p>
		“watchTowr’s research has demonstrated that trust placed in this process by governments and authorities worldwide should be considered misplaced at this stage, in [our] opinion,” Harris wrote in a <a href="https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi" rel="external nofollow">post</a> documenting his research. “watchTowr continues to hold concern around the basic reality: watchTowr found this on a whim in a hotel room while escaping the Vegas heat surrounding Black Hat, while well-resourced and focused nation-states look for loopholes like this every day. In watchTowr’s opinion, they are not likely to be the last to find inexcusable flaws in such a crucial process.”
	</p>

	<p>
		WHOIS has played a key role in Internet governance since its earliest days, back when it was still called the <a href="https://en.wikipedia.org/wiki/ARPANET" rel="external nofollow">ARPANET</a>. <a href="https://daniellenewnham.medium.com/elizabeth-feinler-and-the-history-of-the-internet-83f4f7366787" rel="external nofollow">Elizabeth Feinler</a>, an information scientist working for the Augmentation Research Center, became the principal investigator for NIC, short for the Network Information Center project, in 1974. Under <a href="https://books.google.com/books?id=C8ouDwAAQBAJ&amp;q=WHOIS#v=snippet&amp;q=WHOIS&amp;f=false" rel="external nofollow">Feinler’s watch</a>, NIC developed the top-level domain naming system and the official host table and published the ARPANET Directory, which acted as a directory of phone numbers and email addresses of all network users. <a href="https://selects.acm.org/selections/people-in-computing-5-women-who-shaped-the-internet" rel="external nofollow">Eventually</a>, the directory evolved into the WHOIS system, a query-based server that provided a comprehensive list of all Internet host names and the entities that had registered them.
	</p>

	<p>
		Despite its antiquated look and feel, WHOIS today remains an essential resource with tremendous consequences. Lawyers pursuing copyright or defamation claims use it to determine the owner of a domain or IP address. Anti-spam services depend on it to determine the true owner of email servers. Certificate authorities rely on it to determine the official administrative email address of a domain. The list goes on.
	</p>

</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		Harris populated his WHOIS database with junk data that corresponded to all real .mobi addresses. Administrative email addresses and most other fields pointed to the watchtowr.com domain. For humor, he also added ASCII art. The WHOIS entry for google.mobi, for instance, looks like this:
	</p>

	<figure class="image shortcode-img center large" style="">
		<img alt="WHOIS information for google.mobi as shown by a rogue server at whois.dotmobiregistry.net" class="ipsImage" height="720" srcset="https://cdn.arstechnica.net/wp-content/uploads/2024/09/google.mobi_.whois_-1280x1502.jpg 2x" width="614" src="https://cdn.arstechnica.net/wp-content/uploads/2024/09/google.mobi_.whois_.jpg">
		<figcaption class="caption">
			<div class="caption-text" style="font-style: italic;">
				WHOIS information for google.mobi as shown by a rogue server at whois.dotmobiregistry.net
			</div>

			<div class="caption-credit" style="font-style: italic;">
				watchTowr
			</div>
		</figcaption>
	</figure>

	<p>
		The humor aside, the rogue WHOIS server gave him powers he never should have had. One of the greatest was the ability to dictate the email address certificate authority GlobalSign used to determine if a party applying for a TLS certificate was the rightful owner of the domain name the certificate would apply to. Like the vast majority of its competitors, GlobalSign uses an automated process. An application for example.com, for instance, will prompt the certificate authority to send an email to the administrative email address listed in the authoritative WHOIS for that domain. If the party on the other end clicks a link, the certificate is automatically approved.
	</p>

	<p>
		When Harris generated a certificate signing request for microsoft.mobi, he promptly received an email from GlobalSign. The email gave him the option of receiving a verification link at whois@watchtowr.com. For ethical reasons, he stopped the experiment at this point.
	</p>

	<figure class="image shortcode-img center large" style="">
		<img alt="An email Harris received from GlobalSign after generating a certificate signing request for microsoft.mobi." class="ipsImage" height="601" srcset="https://cdn.arstechnica.net/wp-content/uploads/2024/09/globalsign-email-verification-1280x1069.jpg 2x" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/09/globalsign-email-verification.jpg">
		<figcaption class="caption">
			<div class="caption-text" style="font-style: italic;">
				An email Harris received from GlobalSign after generating a certificate signing request for microsoft.mobi.
			</div>

			<div class="caption-credit" style="font-style: italic;">
				watchTowr
			</div>
		</figcaption>
	</figure>

	<p>
		“Now that we have the ability to issue a TLS/SSL cert for a .mobi domain, we can, in theory, do all sorts of horrible things—ranging from intercepting traffic to impersonating the target server,” Harris wrote. “It’s game over for all sorts of threat models at this point. While we are sure some may say we didn’t ‘prove’ we could obtain the certificate, we feel this would’ve been a step too far—so whatever.”
	</p>

	<p>
		The nefarious things Harris can do with his rogue WHOIS server aren't limited to obtaining counterfeit certificates. Many email servers and anti-spam services, including those used by government, military, and large organizations, queried his dotmobiregistry.net domain each time they received an email from a .mobi domain. The ability to track email chains over sustained periods of time could give him the ability to passively infer the parties involved in sending and receiving the communications.
	</p>

	<p>
		Various WHOIS clients and security services also contain vulnerabilities, <a href="https://feedly.com/cve/CVE-2015-5243" rel="external nofollow">some</a> of <a href="https://ubuntu.com/security/CVE-2021-32749" rel="external nofollow">which</a> make it possible for an attacker to execute malicious code on the querying device. Normally, exploits of these sorts of vulnerabilities would be considered unlikely because only a trusted WHOIS server would be in a position to capitalize on them. A rogue server like the one Harris created, however, would be under no such constraints.
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		A painful and reoccurring issue
	</h2>

	<p>
		"The purchase of a $20 domain that allowed the passive inference of .gov/.mil communications and the subversion of the Certificate Authority verification system should be a clear demonstration that the integrity of the trust and security processes we as Internet users rely on is, and continues to be, extremely fragile," Harris wrote in an online interview. "The systems and security we all take for granted is, in many places, truly held together in ways that would not pass approval in 2024."
	</p>

	<p>
		Dozens of third-party sites and services also queried the rogue server as recently as Monday afternoon. A small sample: Google’s VirusTotal; website analysis service URLScan; domain registrars domain.com, godaddy.com, and name.com; and WHOIS websites who.is, whois.ru, smallseo.tools, seocheki.net, centralops.net, and webchart.or.
	</p>

	<p>
		Harris said that watchTowr has since engaged with the National Counterintelligence and Security Center and the security organization ShadowServer to take custody of the dotmobiregistry.net domain. He expects they will safeguard it to ensure that systems that continue to speak to this WHOIS server are no longer exposed to the threat.
	</p>

	<p>
		After receiving a request for comment on Monday, a representative at GlobalSign said the company has initiated an investigation. A Google representative said that as an aggregator of tools, antivirus engines, security scanners, and other utilities, VirusTotal “may occasionally generate false positives, false negatives, or errors.” VirusTotal aggregates WHOIS responses from WhoisDS and the WHOIS client included in Linux. Once those sources query the correct WHOIS server for .mobi addresses, VirusTotal will, too, the representative said.
	</p>

	<p>
		While the Linux client appears to have recently started querying the correct .mobi WHOIS server, most other resources have not, as evidenced by the constant stream of queries that continue to pour into his rogue server as recently as Tuesday.
	</p>

	<p>
		“The reality that this interconnected ‘network’ of WHOIS servers comes from a time where things were only hardcoded into numerous WHOIS clients, [meaning] that unfortunately, this won’t be cleared up overnight,” Harris told Ars.
	</p>

	<p>
		It’s unclear if WHOIS lookups for other top-level domains suffer similar threats. In any event, the problem is that there’s no uniform naming convention for authoritative WHOIS servers or even, for that matter, a clear way to look them up. While some third parties have compiled lists of what they say are authoritative WHOIS servers, many of them erroneously list the now-deprecated dotmobiregistry.net as the authoritative WHOIS server for .mobi.
	</p>

	<p>
		What's more, Harris said, the problem he has unearthed isn't restricted to retired domains. S3 buckets and other cloud infrastructure can also create threats when they're discarded and websites, deployment scripts, or other resources continue to reference them.
	</p>

	<p>
		“The reality is that this issue exists in various forms (whether it be people using personal domains that they leave to expire, subsequently being registered by another individual who then subsequently has access to all accounts of the previous owner,” Harris told Ars. “We are of the opinion that this will continue to be a painful issue that reoccurs as we see the recycling of infrastructure/domains/etc.”
	</p>

</div>

<p>
	<a href="https://arstechnica.com/security/2024/09/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<strong><span style="font-size:16px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of August): 3,792 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">25441</guid><pubDate>Wed, 11 Sep 2024 17:40:17 +0000</pubDate></item><item><title>Zyxel warns of vulnerabilities in a wide range of its products</title><link>https://nsaneforums.com/news/security-privacy-news/zyxel-warns-of-vulnerabilities-in-a-wide-range-of-its-products-r25332/</link><description><![CDATA[<h3>
	Most serious vulnerabilities carry severity ratings of 9.8 and 8.1 out of a possible 10.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Networking hardware maker Zyxel is warning of nearly a dozen vulnerabilities in a wide array of its products. If left unpatched, some of them could enable the complete takeover of the devices, which can be targeted as an initial point of entry into large networks.
	</p>

	<p>
		The most serious vulnerability, tracked as <a href="https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024" rel="external nofollow">CVE-2024-7261</a>, can be exploited to “allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” Zyxel warned. The flaw, with a severity rating of 9.8 out of 10, stems from the “improper neutralization of special elements in the parameter ‘host’ in the CGI program” of vulnerable access points and security routers. Nearly 30 Zyxel devices are affected. As is the case with the remaining vulnerabilities in this post, Zyxel is urging customers to patch them as soon as possible.
	</p>

	<h2>
		But wait... there’s more
	</h2>

	<p>
		The hardware manufacturer warned of seven additional vulnerabilities affecting firewall series including the ATP, USG-FLEX, and USG FLEX 50(W)/USG20(W)-VPN. They carry severity ratings ranging from 4.9 to 8.1:
	</p>

	<ul>
		<li>
			CVE-2024-6343: A buffer overflow vulnerability in the CGI program that could allow an authenticated attacker with administrator privileges to mount denial-of-service attacks by sending crafted HTTP requests.
		</li>
		<li>
			CVE-2024-7203: A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to run OS commands by executing a crafted CLI command.
		</li>
		<li>
			CVE-2024-42057: A command injection vulnerability in the IPSec VPN feature that could allow an unauthenticated attacker to run OS commands by sending a crafted username. The attack would succeed only if the device was configured in User-Based-PSK authentication mode and a valid user with a username longer than 28 characters exists.
		</li>
		<li>
			CVE-2024-42058: A null pointer dereference vulnerability in some firewall versions that could allow an unauthenticated attacker to mount DoS attacks by sending crafted packets.
		</li>
		<li>
			CVE-2024-42059: A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to run OS commands on an affected device by uploading a crafted compressed language file via FTP.
		</li>
		<li>
			CVE-2024-42060: A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to execute OS commands by uploading a crafted internal user agreement file to the vulnerable device.
		</li>
		<li>
			CVE-2024-42061: A reflected cross-site scripting vulnerability in the CGI program “dynamic_script.cgi” that could allow an attacker to trick a user into visiting a crafted URL carrying the XSS payload. The attacker could obtain browser-based information if the malicious script is executed in the victim’s browser.
		</li>
	</ul>

	<p>
		The remaining vulnerability is <a href="https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-vulnerability-in-some-5g-nr-cpe-dsl-ethernet-cpe-fiber-ont-wifi-extender-and-security-router-devices-09-03-2024" rel="external nofollow">CVE-2024-5412</a> with a severity rating of 7.5. It resides in 50 Zyxel product models, including a range of customer premises equipment, fiber optical network terminals, and security routers. A buffer overflow vulnerability in the “libclinkc” library of affected devices could allow an unauthenticated attacker to wage denial-of-service attacks by sending a crafted HTTP request.
	</p>

	<p>
		In recent years, vulnerabilities in Zyxel devices have regularly <a href="https://arstechnica.com/gadgets/2021/06/zyxel-scrambles-to-thwart-active-hacks-targeting-customers-firewalls-and-vpns/" rel="external nofollow">come</a> under <a href="https://arstechnica.com/information-technology/2021/01/hackers-are-exploiting-a-backdoor-built-into-zyxel-devices-are-you-patched/" rel="external nofollow">active</a> <a href="https://arstechnica.com/security/2023/07/ddos-botnets-are-still-feeding-on-zyxel-devices-with-vulnerable-critical-flaw/" rel="external nofollow">attack</a>. Many of the patches are available for download at links listed in the advisories. In a small number of cases, the patches are available through the cloud. Patches for some products are available only by privately contacting the company’s support team.
	</p>

</div>

<p>
	<a href="https://arstechnica.com/security/2024/09/zyxel-warns-of-vulnerabilities-in-a-wide-range-of-its-products/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25332</guid><pubDate>Thu, 05 Sep 2024 07:09:18 +0000</pubDate></item><item><title>Microsoft, Google, Facebook, Amazon partner admits your phone could listen to everything</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-google-facebook-amazon-partner-admits-your-phone-could-listen-to-everything-r25326/</link><description><![CDATA[<p>
	Ever felt like your smartphone or some other similar smart device could be eavesdropping on you because something you talked about privately suddenly got shoved in your face as an ad? This does not look like a coincidence after all, as a leaked sales pitch deck from a large advertising media firm seems to confirm such suspicions.
</p>

<p>
	404 Media obtained the supposed deck belonging to Cox Media Group (CMG), the digital marketing service that has partnered with the likes of Google, Facebook's Meta, Microsoft, and Amazon.
</p>

<figure class="image image--expandable">
	<img alt="A banner showing Cox Media Group partners" class="ipsImage" height="475" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/09/1725433925_cox_media_active_listening_target_ads_partners_google_meta_amazon_via_404media.jpg">
</figure>

<p>
	According to the sales pitch document (published November 2023) that CMG presented to the big tech giants named above, the technology used to monitor and actively listen is called "Voice Data," and CMG openly claims "Yes, Our Phones are Listening to US" in a section explaining how businesses can use that data to target ads efficiently. It reads:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		In most moments of the day, there's a smart device within a two-inch radius of us.
	</p>

	<p>
		That means a smart device is likely within earshot when we talk about our plans for the weekend, how badly we need our kitchen remodeled, or which SUV model is best for the family with our spouse, and so much more.
	</p>

	<p>
		When small businesses know who needs them, they can target ads with enhanced accuracy, waste less money, and grow their audience.
	</p>
</blockquote>

<p>
	Down below, there is yet another section that doubles down on that same idea and outright brags about the notion with no apparent concern for consumers' consent and privacy:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>Don't Just Know What They're Searching For: Know What They're Talking About</strong>
	</p>

	<p>
		It may seem like black magic, but it's not; it's AI. The growing ability to access microphone data on devices like smartphones and tablets enables our technology partner to aggregate and analyze voice data during pre-purchase conversations.
	</p>

	<p>
		The result? Unprecedented understanding of consumer behaviour, so we can deliver personalized ads that make your target audience think: wow, they must be a mind reader.
	</p>
</blockquote>

<p>
	Cox Media Group, in its deck, also suggests that such snooping is perfectly legal, since smart devices and assistants alike technically have to be listening all the time anyway. Google seemingly cut ties with CMG sometime after this report was aired, 404 Media adds.
</p>

<p>
	You can find the archived version of the pitch deck <a href="https://www.documentcloud.org/documents/24224884-how-voice-data-works-and-how-you-can-use-it-in-your-business-cmg-local-solutions?ref=404media.co" rel="external nofollow">here</a>.
</p>

<p>
	Source: <a href="https://www.404media.co/heres-the-pitch-deck-for-active-listening-ad-targeting/" rel="external nofollow">404 Media</a>
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-google-facebook-amazon-partner-admits-your-phone-could-listen-to-everything/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25326</guid><pubDate>Wed, 04 Sep 2024 16:39:05 +0000</pubDate></item><item><title>YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel</title><link>https://nsaneforums.com/news/security-privacy-news/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel-r25315/</link><description><![CDATA[<h3>
	Sophisticated attack breaks security assurances of the most popular FIDO key.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		The YubiKey 5, the most widely used hardware token for two-factor authentication based on the <a href="https://fidoalliance.org/how-fido-works/" rel="external nofollow">FIDO standard</a>, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday.
	</p>

	<p>
		The cryptographic flaw, known as a <a href="https://en.wikipedia.org/wiki/Side-channel_attack" rel="external nofollow">side channel</a>, resides in a small microcontroller used in a large number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices that use the same microcontroller, Infineon’s SLE78, or its successors, the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.
	</p>

	<h2>
		Patching not possible
	</h2>

	<p>
		YubiKey-maker Yubico issued an <a href="https://www.yubico.com/support/security-advisories-ysa-2024-03/" rel="external nofollow">advisory</a> in coordination with a <a href="https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf" rel="external nofollow">detailed disclosure report</a> from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.
	</p>

	<p>
		“An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys,” the advisory confirmed. “The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key.”
	</p>

	<p>
		Side channels are the result of clues left in physical manifestations, such as electromagnetic emanations, data caches, or the time required to complete a task, that leak cryptographic secrets. In this case, the side channel is the amount of time taken during a mathematical calculation known as a modular inversion. The Infineon cryptolibrary failed to implement a common side-channel defense known as constant time when it performs the modular inversion operations used in the Elliptic Curve Digital Signature Algorithm. Constant-time code ensures that the time a sensitive cryptographic operation takes to execute is uniform rather than varying with the specific key.
	</p>

	<p>
		More precisely, the side channel is located in the Infineon implementation of the Extended Euclidean Algorithm, a method for, among other things, computing the modular inverse. By using an oscilloscope to measure the electromagnetic radiation while the token is authenticating itself, the researchers can detect tiny execution time differences that reveal a token’s ephemeral ECDSA key, also known as a nonce. Further analysis allows the researchers to extract the secret ECDSA key that underpins the entire security of the token.
	</p>

	<p>
		In Tuesday’s report, NinjaLab co-founder Thomas Roche wrote:
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			In the present work, NinjaLab unveils a new side-channel vulnerability in the ECDSA implementation of Infineon on any security microcontroller family of the manufacturer. This vulnerability lies in the ECDSA ephemeral key (or nonce) modular inversion, and, more precisely, in the Infineon implementation of the Extended Euclidean Algorithm (EEA for short). To our knowledge, this is the first time an implementation of the EEA is shown to be vulnerable to side-channel analysis (contrarily to the EEA binary version). The exploitation of this vulnerability is demonstrated through realistic experiments and we show that an adversary only needs to have access to the device for a few minutes. The offline phase took us about 24 hours; with more engineering work in the attack development, it would take less than one hour.
		</p>

		<p>
			After a long phase of understanding Infineon implementation through side-channel analysis on a Feitian open JavaCard smartcard, the attack is tested on a YubiKey 5Ci, a FIDO hardware token from Yubico. All YubiKey 5 Series (before the firmware update 5.7 of May 6th, 2024) are affected by the attack. In fact all products relying on the ECDSA of Infineon cryptographic library running on an Infineon security microcontroller are affected by the attack. We estimate that the vulnerability exists for more than 14 years in Infineon top secure chips. These chips and the vulnerable part of the cryptographic library went through about 80 CC certification evaluations of level AVA VAN 4 (for TPMs) or AVA VAN 5 (for the others) from 2010 to 2024 (and a bit less than 30 certificate maintenances).
		</p>
	</blockquote>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		In an online interview, Roche elaborated:
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			Infineon produces “security microcontrollers” or “secure elements.” You can find many of them out there. Some of them (and this is the case for YubiKey 5 Series) run the Infineon cryptographic library (that Infineon develops for their customers that do not want to develop their own).
		</p>

		<p>
			 
		</p>

		<p>
			This cryptolibrary is highly confidential (even its API is secret, you need to sign an NDA with Infineon just to know the API). Nobody, but Infineon, knows the cryptolibrary details and notably its countermeasures choices.
		</p>

		<p>
			 
		</p>

		<p>
			This cryptolibrary, as many others, implement the ECDSA (core crypto function of FIDO, but also used in many different applications/protocols). Inside the ECDSA scheme, there are several sub-functions calls, one of them is the modular inversion of the ECDSA ephemeral key. This is a very sensitive operation: any information leaking about the ECDSA ephemeral key would eventually reveal the ECDSA secret key.
		</p>

		<p>
			In the Infineon cryptolibrary the modular inversion is not constant time: different ephemeral keys will lead to different inversion execution times. When acquiring the electromagnetic radiation of a chip running this function, one can extract tiny differences in execution time throughout the inversion computation. These small timing leakages allow us to extract the ephemeral key and then the secret key.
		</p>
	</blockquote>

	<p>
		The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low.
	</p>

	<p>
		Tuesday's report from NinjaLab outlines the full flow of the cloning attack as:
	</p>

	<ol>
		<li>
			The adversary steals the login and password of a victim’s application account protected with FIDO (e.g., via a phishing attack).
		</li>
		<li>
			The adversary gets physical access to the victim’s device during a limited time frame without the victim noticing.
		</li>
		<li>
			Thanks to the stolen victim’s login and password (for a given application account), the adversary sends the authentication request to the device as many times as is necessary while performing side-channel measurements.
		</li>
		<li>
			The adversary quietly gives back the FIDO device to the victim.
		</li>
		<li>
			The adversary performs a side-channel attack over the measurements and succeeds in extracting the ECDSA private key linked to the victim’s application account.
		</li>
		<li>
			The adversary can sign in to the victim’s application account without the FIDO device and without the victim noticing. In other words, the adversary has created a clone of the FIDO device for the victim’s application account. This clone will give access to the application account as long as the legitimate user does not revoke their authentication credentials.
		</li>
	</ol>

	<p>
		The list, however, omits a key step, which is tearing down the YubiKey and exposing the logic board housed inside. This likely would be done by using a hot air gun and a scalpel to remove the plastic key casing and expose the part of the logic board that acts as a secure element storing the cryptographic secrets. From there, the attacker would connect the chip to hardware and software that take measurements as the key is being used to authenticate an existing account. Once the measurement-taking is finished, the attacker would seal the chip in a new casing and return it to the victim.
	</p>

	<div class="gallery shortcode-gallery gallery-wide">
		<div class="lSSlideOuter">
			<div class="lSSlideWrapper usingCss">
				<ul class="lightSlider lSSlide">
					<li class="lslide active">
						<figure>
							<img class="ipsImage" height="720" width="720" alt="ybikey-tear-down-01.jpg" src="https://cdn.arstechnica.net/wp-content/uploads/2024/09/ybikey-tear-down-01.jpg">
							<figcaption id="caption-2046809">
								<div class="caption" style="font-style: italic;">
									Left: a YubiKey 5Ci intact; Right: the logic board found inside.
								</div>

								<div class="credit" style="font-style: italic;">
									NinjaLab
								</div>
							</figcaption>
						</figure>
					</li>
					<li class="lslide">
						<figure>
							<img class="ipsImage" height="720" width="720" alt="yubikey-tear-down-02.jpg" src="https://cdn.arstechnica.net/wp-content/uploads/2024/09/yubikey-tear-down-02.jpg">
							<figcaption id="caption-2046818">
								<div class="caption" style="font-style: italic;">
									Two images showing how the electromagnetic radiation is measured using a probe.
								</div>

								<div class="credit" style="font-style: italic;">
									NinjaLab
								</div>
							</figcaption>
						</figure>
					</li>
				</ul>
			</div>
		</div>
	</div>
	<p>
		The attack and the underlying vulnerability that makes it possible are almost entirely the same as those that allowed NinjaLab to <a href="https://arstechnica.com/information-technology/2021/01/hackers-can-clone-google-titan-2fa-keys-using-a-side-channel-in-nxp-chips/" rel="external nofollow">clone Google Titan keys</a> in 2021. That attack required physical access to the token for about 10 hours.
	</p>

	<p>
		The attacks violate a fundamental guarantee of FIDO-compliant keys, which is that the secret cryptographic material they store can’t be read or copied by any other device. This assurance is crucial because FIDO keys are used in various security-critical environments, such as those in the military and corporate networks.
	</p>

	<p>
		That said, FIDO-compliant authentication is among the most robust forms of authentication, one that’s not susceptible to credential phishing or adversary-in-the-middle attacks. As long as the key stays out of the hands of a highly skilled and well-equipped attacker, it remains among the strongest forms of authentication. It’s also worth noting that cloning the token is only one of two major steps required to gain unauthorized access to an account or device. An attacker also must obtain the user password used for the first factor of authentication. These requirements mean that physical keys remain among the most secure authentication methods.
	</p>

	<p>
		To uncover the side channel, the researchers reverse-engineered the Infineon cryptographic library, a heavily fortified collection of code that the manufacturer takes great pains to keep confidential. The detailed description of the library is likely to be of intense interest to cryptography researchers analyzing how it works in other security devices.
	</p>

	<p>
		People who want to know what firmware version their YubiKey runs can use the <a href="https://www.yubico.com/products/yubico-authenticator/" rel="external nofollow">Yubico Authenticator</a> app. The upper-left corner of the home screen displays the series and model of the key. In the example below, from Tuesday’s advisory, the YubiKey is a YubiKey 5C NFC version 5.7.0.
	</p>

	<figure class="image shortcode-img center full" style="">
		<img class="ipsImage" height="720" width="391" alt="Yubico-Authenticator-Screenshot-1.png" src="https://cdn.arstechnica.net/wp-content/uploads/2024/09/Yubico-Authenticator-Screenshot-1.png">
		<figcaption class="caption">
			<div class="caption-credit" style="font-style: italic;">
				Yubico
			</div>
		</figcaption>
	</figure>

	<p>
		YubiKeys provide optional <a href="https://developers.yubico.com/Passkeys/Passkey_concepts/User_verification.html" rel="external nofollow">user authentication protections</a>, including the requirement for a user-supplied PIN code or a fingerprint or face scan. For the cloning attack to work against YubiKeys using these additional measures, an attacker would need to possess the user verification factor as well. More information about using these additional measures to lock down YubiKeys further is <a href="https://support.yubico.com/hc/en-us/articles/15705749884444-Infineon-ECDSA-Private-Key-Recovery-Customer-Resources" rel="external nofollow">available here</a>.
	</p>

	<p>
		A key question that remains unanswered at the moment is which other security devices rely on the three vulnerable Infineon secure modules and use the Infineon cryptolibrary. Infineon has yet to issue an advisory and didn't respond to an email asking for one. At the moment, there is no known CVE for tracking the vulnerability.
	</p>

</div>

<p>
	<a href="https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<strong><span style="font-size:16px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of August): 3,792 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">25315</guid><pubDate>Wed, 04 Sep 2024 02:46:33 +0000</pubDate></item><item><title>D-Link says it is not fixing four RCE flaws in DIR-846W routers</title><link>https://nsaneforums.com/news/security-privacy-news/d-link-says-it-is-not-fixing-four-rce-flaws-in-dir-846w-routers-r25304/</link><description><![CDATA[<p>
	D-Link is warning that four remote code execution (RCE) flaws impacting all hardware and firmware versions of its DIR-846W router will not be fixed as the products are no longer supported.
</p>

<p>
	The four RCE flaws, three of which are rated critical and do not require authentication, were discovered by security researcher yali-1002, who released minimal details in their <a href="https://github.com/yali-1002/some-poc" rel="external nofollow" target="_blank">GitHub repository</a>.
</p>

<p>
	The researcher published the information on August 27, 2024, but has withheld the publication of proof-of-concept (PoC) exploits for now.
</p>

<p>
	The flaws are summarized as follows:
</p>

<ul>
	<li>
		<strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-41622" rel="external nofollow" target="_blank">CVE-2024-41622</a></strong>: Remote Command Execution (RCE) vulnerability via the tomography_ping_address parameter in the /HNAP1/ interface. (CVSS v3 score: 9.8 "critical")
	</li>
	<li>
		<strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-44340" rel="external nofollow" target="_blank">CVE-2024-44340</a></strong>: RCE vulnerability via the smartqos_express_devices and smartqos_normal_devices parameters in SetSmartQoSSettings (authenticated access requirement reduces the CVSS v3 score to 8.8 "high").
	</li>
	<li>
		<strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-44341" rel="external nofollow" target="_blank">CVE-2024-44341</a></strong>: RCE vulnerability via the lan(0)_dhcps_staticlist parameter, exploitable through a crafted POST request. (CVSS v3 score: 9.8 "critical")
	</li>
	<li>
		<strong><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-44342" rel="external nofollow" target="_blank">CVE-2024-44342</a></strong>: RCE vulnerability via the wl(0).(0)_ssid parameter. (CVSS v3 score: 9.8 "critical")
	</li>
</ul>

<p>
	Though D-Link acknowledged the security problems and their severity, it noted that they fall under its standard end-of-life/end-of-support policies, meaning there will be no security updates to address them.
</p>

<p>
	"As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease," <a href="https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10411" rel="external nofollow" target="_blank">reads D-Link's announcement</a>.
</p>

<p>
	"D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it," adds the vendor further down in the bulletin.
</p>

<p>
	It is noted that DIR-846W routers were sold primarily outside the U.S., so the impact of the flaws should be minimal in the States, yet still significant globally. The model is still sold in some markets, including <a href="https://la.dlink.com/la/routers/dir-846/" rel="external nofollow" target="_blank">Latin America</a>.
</p>

<p>
	Though the DIR-846 reached the end of support in 2020, over four years ago, many people only replace their routers once they face hardware problems or practical limitations, so a lot of people could still be using these devices.
</p>

<p>
	D-Link recommends that people still using the DIR-846 retire it immediately and replace it with a currently supported model.
</p>

<p>
	If that is impossible, the hardware vendor recommends that users ensure the device runs the latest firmware, use strong passwords for the web admin portal, and enable WiFi encryption.
</p>

<p>
	D-Link vulnerabilities are commonly exploited by malware botnets, such as <a href="https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/" target="_blank" rel="external nofollow">Mirai</a> and <a href="https://www.bleepingcomputer.com/news/security/moobot-botnet-is-coming-for-your-unpatched-d-link-router/" target="_blank" rel="external nofollow">Moobot</a>, to recruit devices into DDoS swarms. Threat actors have also recently <a href="https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-d-link-dir-859-router-flaw-to-steal-passwords/" target="_blank" rel="external nofollow">exploited a D-Link DIR-859 router flaw</a> to steal passwords and breach devices.
</p>

<p>
	Therefore, securing the routers before proof-of-concept exploits are released and abused in attacks is vital.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/d-link-says-it-is-not-fixing-four-rce-flaws-in-dir-846w-routers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25304</guid><pubDate>Tue, 03 Sep 2024 17:27:06 +0000</pubDate></item><item><title>Major Sites Are Saying No to Apple&#x2019;s AI Scraping</title><link>https://nsaneforums.com/news/security-privacy-news/major-sites-are-saying-no-to-apple%E2%80%99s-ai-scraping-r25232/</link><description><![CDATA[<h3>
	This summer, Apple gave websites more control over whether the company could train its AI models on their data. Major publishers and platforms like The New York Times and Facebook have already opted out.
</h3>

<p>
	Less than three months after Apple quietly debuted a tool for publishers to opt out of its <a href="https://www.wired.com/story/apple-intelligence-ios-wwdc/" rel="external nofollow">AI training</a>, a number of prominent news outlets and social platforms have taken the company up on it.
</p>

<p>
	WIRED can confirm that Facebook, Instagram, Craigslist, Tumblr, The New York Times, The Financial Times, The Atlantic, Vox Media, the USA Today network, and WIRED’s parent company, Condé Nast, are among the many organizations opting to exclude their data from Apple’s AI training. The cold reception reflects a significant shift in both the perception and use of the robotic crawlers that have trawled the web for decades. Now that these bots play a key role in collecting AI training data, they’ve become a conflict zone over intellectual property and the future of the web.
</p>

<p>
	This new tool, Applebot-Extended, is an extension to Apple’s web-crawling bot that specifically lets website owners tell Apple not to use their data for AI training. (Apple calls this “controlling data usage” in <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.apple.com/en-us/119829"}' data-offer-url="https://support.apple.com/en-us/119829" href="https://support.apple.com/en-us/119829" rel="external nofollow" target="_blank">a blog post</a> explaining how it works.) The original Applebot, announced in 2015, initially crawled the internet to power Apple’s search products like Siri and Spotlight. Recently, though, Applebot’s purpose has expanded: The data it collects can also be used to train the foundational models Apple created for its AI efforts.
</p>

<p>
	Applebot-Extended is a way to respect publishers' rights, says Apple spokesperson Nadine Haija. It doesn’t actually stop the original Applebot from crawling the website—which would then impact how that website’s content appeared in Apple search products—but instead prevents that data from being used to train Apple's large language models and other generative AI projects. It is, in essence, a bot to customize how another bot works.
</p>

<p>
	Publishers can block Applebot-Extended by updating a text file on their websites known as the Robots Exclusion Protocol, or robots.txt. This file has governed how bots go about scraping the web for decades—and like the bots themselves, it is now at the center of a larger fight over how AI gets trained. Many publishers have <a href="https://www.wired.com/story/most-news-sites-block-ai-bots-right-wing-media-welcomes-them/" rel="external nofollow">already updated</a> their robots.txt files to block AI bots from OpenAI, Anthropic, and other major AI players.
</p>

<p>
	Robots.txt allows website owners to block or permit bots on a case-by-case basis. While there’s no legal obligation for bots to adhere to what the text file says, compliance is a long-standing norm. (A norm that is sometimes ignored: Earlier this year, a WIRED investigation revealed that the <a href="https://www.wired.com/story/perplexity-is-a-bullshit-machine/" rel="external nofollow">AI startup Perplexity was ignoring robots.txt</a> and surreptitiously scraping websites.)
</p>

<p>
	Applebot-Extended is so new that relatively few websites block it yet. Ontario, Canada–based AI-detection startup <a class="external-link" href="https://originality.ai/ai-checker" rel="external nofollow" target="_blank">Originality AI</a> analyzed a sampling of 1,000 high-traffic websites last week and found that approximately 7 percent—predominantly news and media outlets—were blocking Applebot-Extended. This week, the AI agent watchdog service <a class="external-link" href="https://darkvisitors.com/about" rel="external nofollow" target="_blank">Dark Visitors</a> ran its own analysis of another sampling of 1,000 high-traffic websites, finding that approximately 6 percent had the bot blocked. Taken together, these efforts suggest that the vast majority of website owners either don’t object to Apple’s AI training practices or are simply unaware of the option to block Applebot-Extended.
</p>

<p>
	In a separate analysis conducted this week, data journalist Ben Welsh found that just over a quarter of the news websites he surveyed (294 of 1,167 primarily English-language, US-based publications) are blocking Applebot-Extended. In comparison, Welsh found that 53 percent of the news websites in his sample block OpenAI’s bot. Google introduced its own AI-specific bot, Google-Extended, last September; it’s blocked by nearly 43 percent of those sites, a sign that Applebot-Extended may still be under the radar. As Welsh tells WIRED, though, the number has been “gradually moving” upward since he started looking.
</p>

<p>
	Welsh has <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://palewi.re/docs/news-homepages/openai-gptbot-robotstxt.html"}' data-offer-url="https://palewi.re/docs/news-homepages/openai-gptbot-robotstxt.html" href="https://palewi.re/docs/news-homepages/openai-gptbot-robotstxt.html" rel="external nofollow" target="_blank">an ongoing project</a> monitoring how news outlets approach major AI agents. “A bit of a divide has emerged among news publishers about whether or not they want to block these bots,” he says. “I don't have the answer to why every news organization made its decision. Obviously, we can read about many of them making licensing deals, where they're being paid in exchange for letting the bots in—maybe that's a factor.”
</p>

<p>
	Last year, The New York Times <a href="https://www.nytimes.com/2023/12/22/technology/apple-ai-news-publishers.html" rel="external nofollow">reported</a> that Apple was attempting to strike AI deals with publishers. Since then, competitors like OpenAI and Perplexity have <a href="https://www.wired.com/story/openai-axel-springer-news-licensing-deal-whats-in-it-for-writers/" rel="external nofollow">announced</a> partnerships with a variety of news outlets, social platforms, and other popular websites. “A lot of the largest publishers in the world are clearly taking a strategic approach,” says Originality AI founder Jon Gillham. “I think in some cases, there's a business strategy involved—like, withholding the data until a partnership agreement is in place.”
</p>

<p>
	There is some evidence supporting Gillham’s theory. For example, Condé Nast websites used to block OpenAI’s web crawlers. After the company <a href="https://www.wired.com/story/conde-nast-openai-deal/" rel="external nofollow">announced a partnership with OpenAI</a> last week, it unblocked the company’s bots. (Condé Nast declined to comment on the record for this story.) Meanwhile, Buzzfeed spokesperson Juliana Clifton told WIRED that the company, which currently blocks Applebot-Extended, puts every AI web-crawling bot it can identify on its block list unless its owner has entered into a partnership—typically paid—with the company, which also owns the Huffington Post.
</p>

<p>
	Because robots.txt needs to be edited manually, and there are so many new AI agents debuting, it can be difficult to keep an up-to-date block list. “People just don’t know what to block,” says Dark Visitors founder Gavin King. Dark Visitors offers a freemium service that automatically updates a client site’s robots.txt, and King says publishers make up a big portion of his clients because of copyright concerns.
</p>

<p>
	Robots.txt might seem like the arcane territory of webmasters—but given its outsize importance to digital publishers in the AI age, it is now the domain of media executives. WIRED has learned that two CEOs from major media companies directly decide which bots to block.
</p>

<p>
	Some outlets have explicitly noted that they block AI scraping tools because they do not currently have partnerships with their owners. “We’re blocking Applebot-Extended across all of Vox Media’s properties, as we have done with many other AI scraping tools when we don’t have a commercial agreement with the other party,” says Lauren Starke, Vox Media’s senior vice president of communications. “We believe in protecting the value of our published work.”
</p>

<p>
	Others will only describe their reasoning in vague—but blunt!—terms. “The team determined, at this point in time, there was no value in allowing Applebot-Extended access to our content,” says Gannett chief communications officer Lark-Marie Antón.
</p>

<p>
	Meanwhile, The New York Times, which is <a href="https://www.nytimes.com/2023/12/27/business/media/new-york-times-open-ai-microsoft-lawsuit.html" rel="external nofollow">suing OpenAI</a> over copyright infringement, is critical of the opt-out nature of Applebot-Extended and its ilk. “As the law and The Times' own terms of service make clear, scraping or using our content for commercial purposes is prohibited without our prior written permission,” says NYT director of external communications Charlie Stadtlander, noting that the Times will keep adding unauthorized bots to its block list as it finds them. “Importantly, copyright law still applies whether or not technical blocking measures are in place. Theft of copyrighted material is not something content owners need to opt out of.”
</p>

<p>
	It’s unclear whether Apple is any closer to closing deals with publishers. If or when it does, though, the consequences of any data licensing or sharing arrangements may be visible in robots.txt files even before they are publicly announced.
</p>

<p>
	“I find it fascinating that one of the most consequential technologies of our era is being developed, and the battle for its training data is playing out on this really obscure text file, in public for us all to see,” says Gillham.
</p>

<p>
	<a href="https://www.wired.com/story/applebot-extended-apple-ai-scraping/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25232</guid><pubDate>Thu, 29 Aug 2024 18:19:48 +0000</pubDate></item><item><title>WhatsApp testing Passkeys feature to make accessing your encrypted backups much easier</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-testing-passkeys-feature-to-make-accessing-your-encrypted-backups-much-easier-r25219/</link><description><![CDATA[<p>
	<a href="https://www.neowin.net/news/tags/whatsapp/" rel="external nofollow">WhatsApp</a> has been developing several features that we have reported in the recent past. Now, WhatsApp is testing another new feature for its Android app called "Passkeys" for encrypted backups.
</p>

<p>
	The new passkey feature will allow users to access their encrypted backups more easily and securely. Passkeys will allow WhatsApp Android users to encrypt and unlock their backups using biometric methods, such as fingerprint or facial recognition.
</p>

<p>
	This eliminates the need to enter a complex password to access the backup, which you previously needed to create to secure the backup. Currently, WhatsApp lets you protect your backup with a custom password or 64-digit encryption key. While a custom password is secure, it can be pretty hard to remember.
</p>

<figure class="image image--expandable img-left">
	<img alt="WhatsApp Passkeys" class="ipsImage" height="720" width="324" src="https://cdn.neowin.com/news/images/uploaded/2024/08/1724849916_whatsapp-passkeys.jpg">
	<figcaption>
		<em>Image via <a href="https://wabetainfo.com/whatsapp-beta-for-android-2-24-18-13-whats-new/" rel="external nofollow">WABetaInfo</a></em>
	</figcaption>
</figure>

<p>
	Thanks to the new passkey feature, users will be able to use biometric authentication. This also reduces the chances of being locked out of your backups if you forget your backup's password.
</p>

<p>
	According to <a href="https://wabetainfo.com/whatsapp-beta-for-android-2-24-18-13-whats-new/" rel="external nofollow">WABetaInfo</a>, the passkey will be securely stored in a password manager with an added layer of security.
</p>

<p>
	WhatsApp's passkey feature for backups is currently under development and was spotted in WhatsApp Android beta app version 2.24.18.13.
</p>

<p>
	It hasn't been rolled out to the public yet and is available only to a limited set of beta testers via the Google Play Beta program, which is currently full for WhatsApp.
</p>

<p>
	Recently, WhatsApp has been reported to be working on a new feature that will let users <a href="https://wabetainfo.com/whatsapp-beta-for-android-2-24-18-13-whats-new/" rel="external nofollow">mark all unread chats as read</a> in a single tap. The messaging platform is also testing <a href="https://www.neowin.net/news/whatsapp-for-ios-spotted-testing-ar-effects-and-filters-for-video-calls/" rel="external nofollow">AR effects and filters</a> for video calls on iOS.
</p>

<p>
	To limit spam messages, WhatsApp is also testing the option to allow users to set usernames along with an <a href="https://www.neowin.net/news/whatsapp-may-bring-support-for-usernames-with-an-option-to-set-pin-to-limit-spam-messages/" rel="external nofollow">option to </a>set PINs. Thanks to this feature, every time new users who have never messaged you want to message you, they will require your PIN to send you a message.
</p>

<p>
	<a href="https://www.neowin.net/news/whatsapp-testing-passkeys-feature-to-make-accessing-your-encrypted-backups-much-easier/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25219</guid><pubDate>Wed, 28 Aug 2024 16:32:34 +0000</pubDate></item><item><title>Uber fined $325 million for moving driver data from Europe to US</title><link>https://nsaneforums.com/news/security-privacy-news/uber-fined-325-million-for-moving-driver-data-from-europe-to-us-r25184/</link><description><![CDATA[<p>
	The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has imposed a fine of  €290,000,000 ($325 million) on Uber Technologies Inc. and Uber B.V. over GDPR violations.
</p>

<p>
	 
</p>

<p>
	The authority accuses Uber of transferring personal data from the European Economic Area (EEA) to servers in the United States without adequate safeguards, as defined by Chapter V of the General Data Protection Regulation.
</p>

<p>
	 
</p>

<p>
	This is the <a href="https://autoriteitpersoonsgegevens.nl/actueel/ap-legt-uber-boete-op-van-290-miljoen-euro-om-doorgifte-data-chauffeurs-naar-vs" rel="external nofollow" target="_blank">third time</a> the Dutch Data Protection Authority has imposed an administrative fine on Uber.
</p>

<p>
	 
</p>

<p>
	The first was a <a href="https://autoriteitpersoonsgegevens.nl/actueel/ap-legt-uber-boete-op-voor-te-laat-melden-datalek" rel="external nofollow" target="_blank">€600,000 fine</a> for poor data access controls in November 2018. The second was a <a href="https://autoriteitpersoonsgegevens.nl/actueel/uber-krijgt-boete-van-10-miljoen-euro-voor-overtreden-privacyregels" rel="external nofollow" target="_blank">€10,000,000 fine</a> imposed in January 2024 for Uber's unclear data-management practices regarding how it handled the data of EU data subjects.
</p>

<p>
	 
</p>

<p>
	AP's investigation into Uber's data practices was triggered by complaints from French drivers and escalated to the AP by the French data protection authority (CNIL).
</p>

<p>
	 
</p>

<p>
	The issue arose after the <a href="https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf" rel="external nofollow" target="_blank">Schrems II ruling</a> by the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield due to insufficient data protection standards in the US.
</p>

<p>
	 
</p>

<p>
	Despite the ruling, Uber allegedly continued to transfer personal data to the US without implementing Standard Contractual Clauses (SCCs), or other safeguards, thus violating GDPR Article 44, which mandates that data transfers to third countries must ensure an equivalent level of protection as within the EU.
</p>

<p>
	 
</p>

<p>
	This is the same violation for which the Irish Data Protection Commission (DPC) imposed a massive <a href="https://www.bleepingcomputer.com/news/technology/eu-slaps-meta-with-13-billion-fine-for-moving-data-to-us-servers/" target="_blank" rel="external nofollow">$1.3 billion fine on Meta</a> (Facebook). More recently, four firms were <a href="https://www.bleepingcomputer.com/news/security/google-analytics-data-transfer-to-us-brings-1-million-fine-to-swedish-firms/" target="_blank" rel="external nofollow">fined $1.1 million</a> by the Swedish Authority for Privacy Protection (IMY) for similar violations caused by the use of Google Analytics.
</p>

<h2>
	Uber's response
</h2>

<p>
	Uber argued that Chapter V of the GDPR did not apply because Article 3 of the GDPR already extended the regulation's protection to their processing activities in the US.
</p>

<p>
	 
</p>

<p>
	Additionally, the tech firm contends that no data transfer occurs, as defined under GDPR, since drivers provide their data directly to Uber's US-based servers through the app.
</p>

<p>
	 
</p>

<p>
	The AP rejected those arguments and proceeded to impose the fine. More details about AP's investigation and final decision can be found in the <a href="https://autoriteitpersoonsgegevens.nl/system/files?file=2024-08/Besluit%20boete%20Uber%20doorgifte%20naar%20VS.pdf" rel="external nofollow" target="_blank">supporting document</a>.
</p>

<p>
	 
</p>

<p>
	Responding to our request for a comment, an Uber spokesperson told BleepingComputer that they find the ruling unjustified and plan to appeal the decision.
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		"This flawed decision and extraordinary fine are completely unjustified. Uber's cross-border data transfer process was compliant with GDPR during a 3-year period of immense uncertainty between the EU and US. We will appeal and remain confident that common sense will prevail." - Uber spokesperson
	</p>
</blockquote>

<p>
	Uber maintains that its data handling practices, as those are laid out in its <a href="https://www.uber.com/legal/en/document/?name=privacy-notice&amp;country=great-britain&amp;lang=en-gb" rel="external nofollow" target="_blank">privacy notice</a>, adhere to GDPR. In addition, it sees data flows between users as well as users and Uber as a fundamental and inherent component of its services.
</p>

<p>
	 
</p>

<p>
	The appeal process can take up to 4 years, during which the fine will be suspended.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/legal/uber-fined-325-million-for-moving-driver-data-from-europe-to-us/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25184</guid><pubDate>Mon, 26 Aug 2024 17:39:53 +0000</pubDate></item><item><title>Telegram says CEO has &#x2018;nothing to hide&#x2019; after being arrested in France</title><link>https://nsaneforums.com/news/security-privacy-news/telegram-says-ceo-has-%E2%80%98nothing-to-hide%E2%80%99-after-being-arrested-in-france-r25177/</link><description><![CDATA[<h3>
	The company says “it is absurd to claim that a platform or its owner are responsible for abuse of that platform” after Pavel Durov was arrested by French authorities.
</h3>

<div>
	<div>
		<div>
			<div>
				<p>
					Telegram says its CEO and founder Pavel Durov has “nothing to hide” after he was <a href="https://www.theverge.com/2024/8/24/24227672/telegram-ceo-pavel-durov-arrested-ceo" rel="external nofollow">arrested by French authorities</a> outside of Paris.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					“It is absurd to claim that a platform or its owner are responsible for abuse of that platform,” the company <a href="https://t.me/telegram/329" rel="external nofollow">says in an unsigned statement</a> posted to its official channel in the Telegram app on Sunday. French officials <a href="https://www.reuters.com/world/europe/telegram-messaging-app-ceo-pavel-durov-arrested-france-tf1-tv-says-2024-08-24/" rel="external nofollow">have confirmed</a> to <a href="https://www.washingtonpost.com/technology/2024/08/25/durov-telegram-detention-france/" rel="external nofollow">multiple outlets</a> that Durov was arrested as part of a police investigation into criminal activity taking place on the social network.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					While not end-to-end encrypted by default, Telegram’s largely hands-off approach to moderation means that the app is seen by many as a private, censorship-free alternative to other social networks. “Almost a billion users globally use Telegram as means of communication and as a source of vital information,” reads the company’s statement. “We’re awaiting a prompt resolution of this situation.”
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					<a href="https://www.theverge.com/2023/7/7/23786422/telegram-russia-war-news-blogging-censorship-disinformation" rel="external nofollow">Telegram has also been a critical source of information</a> for the ongoing war between Ukraine and Russia, the latter of which appears to be quite interested in what happens to Durov. The Russian Embassy in Paris <a href="https://www.barrons.com/news/russia-says-france-refusing-to-cooperate-over-telegram-owner-arrest-5c54208f" rel="external nofollow">says that</a> the French government has so far not granted it access to Durov, who was born in Russia and holds citizenship in both France and the United Arab Emirates, where Telegram is headquartered.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					In a <a href="https://youtu.be/1Ut6RouSs0w?si=Lhij0Lf8YGSqAy71&amp;t=2710" rel="external nofollow">rare interview with Tucker Carlson</a> in April, Durov said Telegram’s goal is to be a “neutral” platform and resist requests from governments to moderate. He said he mostly avoids traveling to “big, geopolitical” countries where there’s “too much attention” on the company. “I travel to places where I have confidence that those places are consistent with what we do and our values.”
				</p>

				<p>
					 
				</p>
			</div>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/8/25/24228444/telegram-ceo-pavel-durov-arrest-france-company-response" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25177</guid><pubDate>Mon, 26 Aug 2024 05:33:38 +0000</pubDate></item><item><title>Hackers steal banking creds from iOS, Android users via PWA apps</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-steal-banking-creds-from-ios-android-users-via-pwa-apps-r25133/</link><description><![CDATA[<p>
	Threat actors started to use progressive web applications to impersonate banking apps and steal credentials from Android and iOS users.
</p>

<p>
	 
</p>

<p>
	Progressive web apps (PWA) are cross-platform applications that can be installed directly from the browser and offer a native-like experience through features like push notifications, access to device hardware, and background data syncing.
</p>

<p>
	 
</p>

<p>
	Using this type of app in phishing campaigns helps evade detection, bypasses app-installation restrictions, and gains access to risky permissions on the device without the standard OS prompt that could raise the user's suspicion.
</p>

<p>
	 
</p>

<p>
	The technique was first observed in the wild in July 2023 in Poland, while a subsequent campaign that launched in November of the same year targeted Czech users.
</p>

<p>
	 
</p>

<p>
	Cybersecurity company ESET <a href="https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/" rel="external nofollow" target="_blank">reports</a> that it is currently tracking two distinct campaigns relying on this technique, one targeting the Hungarian financial institution OTP Bank and the other targeting TBC Bank in Georgia.
</p>

<p>
	 
</p>

<p>
	However, the two campaigns appear to be operated by different threat actors. One uses a distinct command and control (C2) infrastructure to receive stolen credentials, while the other group logs stolen data via Telegram.
</p>

<h2>
	Infection chain
</h2>

<p>
	ESET says that the campaigns rely on a broad range of methods to reach their target audience, including automated calls, SMS messages (smishing), and well-crafted malvertising on Facebook ad campaigns.
</p>

<p>
	 
</p>

<p>
	In the first two cases, the cybercriminals trick the user with a fake message about their banking app being outdated and the need to install the latest version for security reasons, providing a URL to download the phishing PWA.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="PWA campaigns infection flow" class="ipsImage" height="230" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/19/infection-flow.jpg">
		<figcaption>
			<em>PWA campaigns infection flow<br>
			Source: ESET</em>
		</figcaption>
	</figure>
</div>

<p>
	In the case of malicious advertisements on social media, the threat actors use the impersonated bank’s official mascot to induce a sense of legitimacy and promote limited-time offers like monetary rewards for installing a supposedly critical app update.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="One of the malicious ads used in the phishing campaign" class="ipsImage" height="438" width="466" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/19/malvertisment.jpg">
		<figcaption>
			<em>One of the malicious ads used in the phishing campaign<br>
			Source: ESET</em>
		</figcaption>
	</figure>
</div>

<p>
	Depending on the device, as determined from the User-Agent HTTP header, clicking the ad takes the victim to a bogus Google Play or App Store page.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Fake Google Play portal" class="ipsImage" height="600" style="height: auto;" width="659" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/19/googleplay.jpg">
		<figcaption>
			<em>Fake Google Play installation prompt (left) and progress (right)<br>
			Source: ESET</em>
		</figcaption>
	</figure>
</div>

<p>
	Clicking the ‘Install’ button prompts the user to install a malicious PWA posing as a banking app. In some cases on Android, the malicious app is installed as a WebAPK, a native APK that the Chrome browser generates for the PWA.
</p>

<p>
	 
</p>

<p>
	The phishing app uses the official banking app’s identifiers (e.g., its logo and a legitimate-looking login screen) and even declares the Google Play Store as the app's software source.
</p>
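<p>
	The chain above gives a defender several things to look for before a user ever taps ‘Install’: a web app manifest that carries a bank's name while being served from a host the bank does not own, a <code>standalone</code> display mode that hides the URL bar, a <code>related_applications</code> entry that claims a Play Store listing, and icons pulled from a third-party host. The following Python script is an added example (not ESET's or BleepingComputer's code) that applies those checks to a manifest; the brand, hosts, package id and both sample manifests are constructed for illustration and do not come from the campaigns described.
</p>

```python
import json
from urllib.parse import urljoin, urlparse

# Constructed sample manifests (hypothetical brand, hosts and package id; not from the ESET report).
PHISH_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "display": "standalone",
    "icons": [{"src": "https://cdn.phish-host.test/examplebank.png",
               "sizes": "192x192", "type": "image/png"}],
    "related_applications": [{"platform": "play", "id": "com.examplebank.mobile"}],
})
LEGIT_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "ExampleBank",
    "start_url": "/app/",
    "display": "standalone",
    "icons": [{"src": "/static/icon-192.png", "sizes": "192x192", "type": "image/png"}],
})

# Brand watchlist: lower-cased brand token -> hosts that legitimately serve that brand's web app.
WATCHLIST = {"example bank": {"examplebank.example", "www.examplebank.example"}}


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def assess_manifest(manifest_json: str, serving_origin: str, watchlist=WATCHLIST) -> list[str]:
    """Return phishing indicators for a web app manifest fetched from serving_origin.

    An empty list means none of the indicators fired. Standalone display and a
    login start_url are normal for real banking PWAs, so they are only reported
    when the manifest also impersonates a watched brand.
    """
    m = json.loads(manifest_json)
    findings = []
    serving_host = _host(serving_origin)
    names = " ".join(str(m.get(k, "")) for k in ("name", "short_name")).lower()

    # 1. A watched brand name served from a host the brand does not control.
    impersonating = False
    for brand, hosts in watchlist.items():
        if brand in names and serving_host not in hosts:
            impersonating = True
            findings.append(f"impersonation: '{brand}' served from {serving_host}")

    # 2. Display modes that hide the browser's URL bar, so the victim never sees the real host.
    if impersonating and m.get("display") in ("standalone", "fullscreen"):
        findings.append(f"display={m['display']} hides the browser UI")

    # 3. A web app claiming an app-store listing (Play / App Store) as its origin.
    for rel in m.get("related_applications", []):
        if rel.get("platform") in ("play", "itunes"):
            findings.append(f"claims store listing {rel.get('platform')}:{rel.get('id')}")

    # 4. Icons loaded from a host other than the one serving the manifest.
    for icon in m.get("icons", []):
        src = urljoin(serving_origin, icon.get("src", ""))
        if _host(src) != serving_host:
            findings.append(f"icon hosted off-origin: {_host(src)}")

    # 5. First screen is a credential prompt on an impersonating host.
    if impersonating and "login" in str(m.get("start_url", "")).lower():
        findings.append("start_url points straight at a login page")

    return findings


if __name__ == "__main__":
    for label, manifest, origin in (
        ("phish", PHISH_MANIFEST, "https://examplebank-update.test"),
        ("legit", LEGIT_MANIFEST, "https://www.examplebank.example"),
    ):
        print(label, assess_manifest(manifest, origin) or ["no indicators"])
```

<p>
	In practice the watchlist would be populated from the brands an organisation protects, and the manifest would be pulled from the URL that a smishing message or ad lands on; the same checks can also be run over a proxy's log of fetched <code>manifest.json</code> files. The legitimate manifest served from the brand's own host returns no findings, which is the point of keying the display and login checks on impersonation.
</p>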

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="The malicious WebAPK on the victim's homescreen and the phishing login page" class="ipsImage" height="600" style="height: auto;" width="630" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/19/webapk.jpg">
		<figcaption>
			<em>The malicious WebAPK (left) and the phishing login page (right)<br>
			Source: ESET</em>
		</figcaption>
	</figure>
</div>

<h2>
	The appeal of using PWAs on mobile
</h2>

<p>
	PWAs are designed to work across multiple platforms, so attackers can target a broader audience through a single phishing campaign and payload.
</p>

<p>
	 
</p>

<p>
	The key benefit, though, lies in bypassing Google’s and Apple’s installation restrictions for apps outside the official app stores, as well as “install from unknown sources” warning prompts that could alert victims to potential risks.
</p>

<p>
	 
</p>

<p>
	PWAs can closely mimic the look and feel of native apps, especially in the case of WebAPKs, where the browser logo is removed from the icon and the browser interface is hidden inside the app, so distinguishing one from a legitimate application by eye is nearly impossible. One check that still works on Android: Chrome mints WebAPKs into the <code>org.chromium.webapk</code> package namespace, so <code>adb shell pm list packages org.chromium.webapk</code> lists them, whereas a bank's real app carries the bank's own package name.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="PWA (left) and legitimate app (right). WebAPKs are indistinguishable" class="ipsImage" height="264" style="height: auto;" width="917" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Phishing/19/paw.jpg">
		<figcaption>
			<em>PWA (left) and legitimate app (right). WebAPKs are indistinguishable as they lose the Chrome logo from the icon.<br>
			Source: ESET</em>
		</figcaption>
	</figure>
</div>

<p>
	These web apps can reach device capabilities such as geolocation, camera, and microphone through browser APIs; the request surfaces as the browser's own permission prompt rather than going through the mobile OS’s app-permissions screen.
</p>

<p>
	 
</p>

<p>
	Ultimately, PWAs can be updated or modified by the attacker without user interaction, allowing the phishing campaign to be dynamically adjusted for greater success.
</p>

<p>
	 
</p>

<p>
	Abuse of PWAs for phishing is a dangerous emerging trend that could gain new proportions as more cybercriminals realize the potential and benefits.
</p>

<p>
	 
</p>

<p>
	A few months back, we reported about new phishing kits targeting Windows accounts using PWAs. The kits were created by security researcher mr.d0x specifically to demonstrate how these apps could be used to steal credentials by creating convincing corporate login forms.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted both Google and Apple to ask if they plan to implement any defenses against PWAs/WebAPKs, and we will update this post with their responses once we hear back.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-steal-banking-creds-from-ios-android-users-via-pwa-apps/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25133</guid><pubDate>Fri, 23 Aug 2024 07:45:25 +0000</pubDate></item><item><title>Phrack hacker zine publishes new edition after three years</title><link>https://nsaneforums.com/news/security-privacy-news/phrack-hacker-zine-publishes-new-edition-after-three-years-r25108/</link><description><![CDATA[<p>
	Phrack #71 has been released online and is available to read for free. This issue is the first to be released since 2021, marking a new chapter in the influential online magazine’s history.
</p>

<p>
	 
</p>

<p>
	Phrack is an underground online magazine first launched in 1985 as a text file distributed through Bulletin Board Systems (BBS) and later through the internet.
</p>

<p>
	 
</p>

<p>
	It features content ranging from highly technical articles on vulnerabilities, exploits, and hacking tutorials, to discussions about hacking culture and ethics, and interviews with notable figures in the field.
</p>

<p>
	 
</p>

<p>
	The magazine is backed by a staff team as well as external contributors from the global hacking and cybersecurity community, including established researchers, underground figures, and anonymous authors.
</p>

<p>
	 
</p>

<p>
	The community-driven publication has always enjoyed an influential status in the cybersecurity space,  remaining a respected source of high-quality information.
</p>

<h2>
	New team, new issue
</h2>

<p>
	A new issue of Phrack, number 71, was published in hardcopy format and distributed at the 32nd edition of the DEF CON hacker conference this year.
</p>

<p>
	 
</p>

<p>
	The electronic edition of Phrack #71 was published <a href="http://phrack.org/issues/71/1.html" rel="external nofollow" target="_blank">on the e-zine’s site</a> on August 19 for anyone to download or read.
</p>

<p>
	 
</p>

<p>
	<a href="https://x.com/phrack/status/1825627792769269844" rel="external nofollow" target="_blank"><img alt="Tweet" class="ipsImage" height="720" width="541" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/24/tweet.png"></a>
</p>

<p>
	 
</p>

<p>
	The new issue criticizes the current state of technology, where lack of transparency and hasty adoption of untested systems create a state of “information dark age,” underscores the role of hackers in maintaining access to practical knowledge, and offers a range of technical articles that dive into advanced cybersecurity topics.
</p>

<p>
	 
</p>

<p>
	This is the first issue to come out since October 5, 2021, showing that Phrack is active again and will continue to remain relevant in the rapidly evolving field of cybersecurity.
</p>

<p>
	 
</p>

<p>
	One of the Phrack staff members told BleepingComputer that the extensive lull was due to the previous team looking to pass the project to new and capable people.
</p>

<p>
	 
</p>

<p>
	“Phrack was passed down to the next generation of enthusiastic hackers after long years of service,” declared Phrack’s new staff member.
</p>

<p>
	 
</p>

<p>
	The same person told us that they plan to do a printed issue next year, on Phrack’s 40th anniversary. However, due to the complex logistical undertaking of creating physical copies, nothing is certain yet.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/phrack-hacker-zine-publishes-new-edition-after-three-years/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25108</guid><pubDate>Wed, 21 Aug 2024 19:03:16 +0000</pubDate></item><item><title>Toyota confirms third-party data breach impacting customers</title><link>https://nsaneforums.com/news/security-privacy-news/toyota-confirms-third-party-data-breach-impacting-customers-r25098/</link><description><![CDATA[<p>
	Toyota confirmed that customer data was exposed in a third-party data breach after a threat actor leaked an archive of 240GB of stolen data on a hacking forum.
</p>

<p>
	 
</p>

<p>
	"We are aware of the situation. The issue is limited in scope and is not a system wide issue," Toyota told BleepingComputer when asked to validate the threat actor's claims.
</p>

<p>
	 
</p>

<p>
	The company added that it's "engaged with those who are impacted and will provide assistance if needed," but has yet to provide information on when it discovered the breach, how the attacker gained access, and how many people had their data exposed in the incident.
</p>

<p>
	 
</p>

<p>
	One day later, a spokesperson clarified in a new statement shared with BleepingComputer that Toyota Motor North America's systems were "not breached or compromised," and the data was stolen from what appears to be "a third-party entity that is misrepresented as Toyota."
</p>

<p>
	 
</p>

<p>
	When asked to share the name of the breached third-party entity, the spokesperson said that Toyota Motor North America was "not at liberty to disclose" that information.
</p>

<h2>
	Employee and customer data exposed
</h2>

<p>
	ZeroSevenGroup (the threat actor who leaked the stolen data) says they breached a U.S. branch and were able to steal 240GB of files with information on Toyota employees and customers, as well as contracts and financial information.
</p>

<p>
	 
</p>

<p>
	They also claim to have collected network infrastructure information, including credentials, using the open-source ADRecon tool that helps extract vast amounts of information from Active Directory environments.
</p>

<p>
	 
</p>

<p>
	"We have hacked a branch in United States to one of the biggest automotive manufacturer in the world (TOYOTA). We are really glad to share the files with you here for free. The data size: 240 GB," the threat actor claims.
</p>

<p>
	 
</p>

<p>
	"Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data. We also offer you AD-Recon for all the target network with passwords."
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Toyota data leak" class="ipsImage" height="439" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2024/Toyota-August-data-leak.png">
		<figcaption>
			<em>Toyota data leak (BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	While Toyota hasn't shared the date of the breach, BleepingComputer found that the files had been stolen or at least created on December 25, 2022. This date could indicate that the threat actor gained access to a backup server where the data was stored.
</p>

<p>
	 
</p>

<p>
	Last year, Toyota subsidiary Toyota Financial Services (TFS) <a href="https://www.bleepingcomputer.com/news/security/toyota-warns-customers-of-data-breach-exposing-personal-financial-info/" target="_blank" rel="external nofollow">warned</a> customers in December that their sensitive personal and financial data was exposed in a data breach resulting from a <a href="https://www.bleepingcomputer.com/news/security/toyota-confirms-breach-after-medusa-ransomware-threatens-to-leak-data/" target="_blank" rel="external nofollow">Medusa ransomware attack</a> that impacted the Japanese automaker's European and African divisions in November.
</p>

<p>
	 
</p>

<p>
	Months earlier, in May, Toyota disclosed another data breach and revealed that the <a href="https://www.bleepingcomputer.com/news/security/toyota-car-location-data-of-2-million-customers-exposed-for-ten-years/" target="_blank" rel="external nofollow">car-location information of 2,150,000 customers was exposed</a> for ten years, between November 6, 2013, and April 17, 2023, because of a database misconfiguration in the company's cloud environment.
</p>

<p>
	 
</p>

<p>
	Weeks later, it found <a href="https://www.bleepingcomputer.com/news/security/toyota-finds-more-misconfigured-servers-leaking-customer-info/" target="_blank" rel="external nofollow">two additional misconfigured cloud services</a> leaking Toyota customers' personal information for over seven years.
</p>

<p>
	 
</p>

<p>
	Following these two incidents, Toyota said it implemented an automated system to monitor cloud configurations and database settings in all its environments to prevent such leaks in the future.
</p>

<p>
	 
</p>

<p>
	Multiple Toyota and Lexus sales subsidiaries were also <a href="https://www.bleepingcomputer.com/news/security/toyota-security-breach-exposes-personal-info-of-31-million-clients/" target="_blank" rel="external nofollow">breached in 2019</a> when attackers stole and leaked what the company described at the time as "up to 3.1 million items of customer information."
</p>

<p>
	 
</p>

<p>
	<em>Update August 20, 17:09 EDT: Revised article and title based on new information Toyota Motor North America provided.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/toyota-confirms-third-party-data-breach-impacting-customers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25098</guid><pubDate>Wed, 21 Aug 2024 02:46:59 +0000</pubDate></item><item><title>WhatsApp may bring support for usernames with an option to set PIN to limit spam messages</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-may-bring-support-for-usernames-with-an-option-to-set-pin-to-limit-spam-messages-r25084/</link><description><![CDATA[<p>
	WhatsApp has been working on introducing username support for <a href="https://www.neowin.net/news/whatsapp-android-beta-adds-more-to-its-username-feature-currently-in-development/" rel="external nofollow">a good number of months</a>. However, the messaging app hasn't pushed the option to its users. Still, in the latest Android beta update, it seems like WhatsApp could soon let users set a unique username as an alternative to sharing their phone numbers.
</p>

<p>
	 
</p>

<p>
	The latest WhatsApp Android beta 2.24.18.2 build reveals that, in addition to setting a unique username, WhatsApp might also give users the option to set a PIN. This PIN would prevent anyone who knows their username from contacting them directly.
</p>

<p>
	 
</p>

<p>
	According to <a href="https://wabetainfo.com/whatsapp-beta-for-android-2-24-18-2-whats-new/" rel="external nofollow">WABetaInfo</a>, the PIN setup page appears after the username setup page. Once you have set your username and PIN, anyone who hasn't contacted you before will need to enter the PIN before they can start messaging you for the first time.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="WhatsApp Username and PIN feature" class="ipsImage" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/08/1724168856_whatsapp-username-pin.jpg">
	<figcaption>
		<em>image via <a href="https://wabetainfo.com/whatsapp-beta-for-android-2-24-18-2-whats-new/" rel="external nofollow">WABetaInfo</a></em>
	</figcaption>
</figure>

<p>
	This could make it a bit more difficult for spammers and businesses to contact you, as they won't be able to message you without knowing your username PIN. Even if your username is shared publicly, you will always have the option to change it multiple times or remove the PIN if you wish to be easily reached.
</p>

<p>
	 
</p>

<p>
	Besides PIN, WhatsApp may also allow you to choose whether to initiate a new chat using your username or phone number. By opting for a username, you can hide your phone number and use WhatsApp as a private messenger.
</p>

<p>
	 
</p>

<p>
	The WhatsApp username and PIN features are still under development and aren't available to any beta testers as of yet. It's unclear when these features will make it to the stable version. Furthermore, WhatsApp has been spotted working on an option to block messages <a href="https://www.neowin.net/news/latest-whatsapp-android-beta-adds-option-to-block-messages-from-unknown-contacts/" rel="external nofollow">from unknown contacts</a>. The messaging platform is also working on a <a href="https://www.neowin.net/news/whatsapp-rolls-out-built-in-sticker-maker-giphy-sticker-library-and-more-to-android/" rel="external nofollow">sticker-related feature</a> and an Instagram-like <a href="https://www.neowin.net/news/whatsapp-may-bring-instagram-like-reaction-button-for-status-updates/" rel="external nofollow">status-reaction feature</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/whatsapp-may-bring-support-for-usernames-with-an-option-to-set-pin-to-limit-spam-messages/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25084</guid><pubDate>Tue, 20 Aug 2024 18:23:11 +0000</pubDate></item><item><title>Your TV set has become a digital billboard. And it&#x2019;s only getting worse.</title><link>https://nsaneforums.com/news/security-privacy-news/your-tv-set-has-become-a-digital-billboard-and-it%E2%80%99s-only-getting-worse-r25067/</link><description><![CDATA[<h3>
	TV software is getting loaded with ads, changing what it means to own a TV set.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		The TV business isn't just about selling TVs anymore. Companies are increasingly seeing viewers, not TV sets, as their most lucrative asset.
	</p>

	<p>
		 
	</p>

	<p>
		Over the past few years, TV makers have seen rising financial success from TV operating systems that can show viewers ads and analyze their responses. Rather than selling as many TVs as possible, brands like LG, Samsung, Roku, and Vizio are increasingly, if not primarily, seeking recurring revenue from already-sold TVs via ad sales and tracking.
	</p>

	<p>
		 
	</p>

	<p>
		How did we get here? And what implications does an ad- and data-obsessed industry have for the future of TVs and the people watching them?
	</p>

	<h2>
		The value of software
	</h2>

	<p>
		Success in the TV industry used to mean selling as many TV sets as possible. But with smart TVs becoming mainstream and hardware margins falling, OEMs have sought new ways to make money. TV OS providers can access a more frequent revenue source at higher margins, which has led to a viewing experience loaded with ads. They can be served from the moment you pick up your remote, which may feature streaming service ads <a href="https://www.theverge.com/circuitbreaker/2020/4/24/21232655/netflix-button-tv-remotes-advertisement-marketing-streaming" rel="external nofollow">in the form of physical buttons</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Some TV brands already prioritize data collection and the ability to sell ads, and most are trying to boost their appeal to advertisers. Smart TV OSes have become the cash cow of the TV business, with providers generating revenue by licensing the software and through revenue sharing of in-app purchases and subscriptions.
	</p>

	<p>
		 
	</p>

	<p>
		A huge part of TV OS revenue comes from selling ads, including on the OS's home screen and screensaver and through free, ad-supported streaming television channels. <a href="https://www.nexttv.com/news/us-tv-ad-revenue-to-fall-06-in-2024-groupm-forecasts" rel="external nofollow">GroupM</a>, the world’s largest media investment company, reported that smart TV ad revenue grew 20 percent from 2023 to 2024 and will grow another 20 percent to reach $46 billion next year. In September 2023, Patrick Horner, practice leader of consumer electronics at analyst Omdia, <a href="https://omdia.tech.informa.com/blogs/2023/sep/the-drama-unfolding-on-tv" rel="external nofollow">reported </a>that "each new connected TV platform user generates around $5 per quarter in data and advertising revenue."
	</p>

	<p>
		 
	</p>

	<p>
		Automatic content recognition (<a href="https://www.adexchanger.com/data-exchanges/what-tv-advertisers-need-to-know-about-acr-in-2023/" rel="external nofollow">ACR</a>) tech is at the heart of the smart TV ads business. Most TV brands say users can opt out of ACR, but we’ve already seen Vizio <a href="https://www.hollywoodreporter.com/business/business-news/spying-tvs-legal-settlement-provides-a-few-bucks-vizio-owners-millions-lawyers-1149262/" rel="external nofollow">take advantage</a> of the feature <a href="https://arstechnica.com/tech-policy/2017/02/vizio-smart-tvs-tracked-viewers-around-the-clock-without-consent/" rel="external nofollow">without user permission</a>. ACR is also sometimes turned on by default, and the off switch is often buried in a settings menu. Including ACR on a TV at all says a lot about a TV maker's priorities. Most users have almost nothing to gain from ACR and face privacy concerns by sharing information—sometimes in real time—about what they do with their TVs.
	</p>

	<p>
		 
	</p>

	<p>
		At this point, consumers have come to expect ads and tracking on budget TVs from names like Vizio or Roku. But the biggest companies in TV are working on turning their sets into data-prolific billboards, too.
	</p>

	<h2>
		When TVs watch you back, so do corporations
	</h2>

	<p>
		In recent years, we've seen companies like LG and Samsung increase their TVs' ad capabilities as advertisers become more eager to access tracking data from TVs.
	</p>

	<p>
		 
	</p>

	<p>
		LG, for example, started sharing data gathered from its TVs with Nielsen, giving the data and market measurement firm “the largest ACR data footprint in the industry,” according to an October announcement. The deal gives Nielsen streaming and linear TV data from LG TVs and provides firms buying ads on LG TVs with "'Always On' streaming measurement and big data from LG Ad Solutions" via <a href="https://www.adexchanger.com/digital-tv/nielsen-releases-nielsen-one-ads-in-the-fight-for-its-life/" rel="external nofollow">Nielsen's ONE Ads</a> dashboard.
	</p>

	<p>
		 
	</p>

	<p>
		LG, which recently unveiled a goal of evolving its hardware business into an ad-pushing “media and entertainment platform company," expects there to be 300 million webOS TVs in homes by 2026. That represents a huge data-collection and recurring-revenue opportunity. In September, LG said it would invest 1 trillion KRW (about $737.7 million) through 2028 into its "webOS business," or the business behind its smart TV OS. The company said updates will include improving webOS's UI, AI-based recommendations, and search capabilities.
	</p>

	<p>
		 
	</p>

	<p>
		Similarly, Samsung recently <a href="https://digiday.com/media/newfronts-briefing-samsung-conde-nast-roku-focus-presentations-on-new-ad-formats-and-category-specific-inventory/" rel="external nofollow">updated</a> its ACR tech to track exposure to ads viewed on its TVs via streaming services instead of just from linear TV. Samsung is also trying to make its ACR data more valuable for ad targeting, including through a deal signed in December with analytics firm Experian.
	</p>

	<p>
		 
	</p>

	<p>
		Representatives for LG and Samsung declined to comment to Ars Technica about how much of their respective company's business is ad sales. But the deals they've made with data-collection firms signal big interest in turning their products into lucrative smart TVs. In this case, "smart" isn't about Internet connectivity but rather how well the TV understands its viewer.
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		The true price of a cheap TV
	</h2>

	<p>
		Budget TVs are the leaders in this trend, often offsetting cheap hardware prices with ads and data collection. Some people seek out the <a href="https://arstechnica.com/gadgets/2024/04/meet-qdel-the-backlight-less-display-tech-that-could-replace-oled-in-premium-tvs/" rel="external nofollow">latest display developments</a>, but many consumers merely want the cheapest TV they can buy within a certain size range. Various brands lure budget shoppers with low prices but then force them to pay through heightened ad exposure—either immediately or after a future software update. In recent months, we've seen budget brands test users' limits when it comes to ads, and this is all happening amid a global shift to streaming services that are also <a href="https://arstechnica.com/gadgets/2024/05/prime-video-subs-will-soon-see-ads-for-amazon-products-when-they-hit-pause/" rel="external nofollow">increasingly ad-driven</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Roku OS is constantly trying to fit more ads with stronger targeting into its UI, whether that's on the menu, on screensavers, or delivered via Roku TV channels. Earlier this year, Roku OS introduced <a href="https://arstechnica.com/gadgets/2024/04/roku-ad-push-continues-with-plans-to-put-video-ads-in-os-home-screen/" rel="external nofollow">home-screen video ads</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Roku has also tested a feature that "would force viewers to sit through effectively a mid-roll ad when clicking from the Roku City screensaver to return to home screen," <a href="https://digiday.com/media/newfronts-briefing-samsung-conde-nast-roku-focus-presentations-on-new-ad-formats-and-category-specific-inventory/" rel="external nofollow">Digiday</a> reported in May. Additionally, Roku filed a patent for <a href="https://arstechnica.com/gadgets/2024/04/hdmi-customized-ad-insertion-patent-would-show-rokus-ads-atop-non-roku-video/" rel="external nofollow">showing ads over anything you plug into your TV</a>. It's possible that neither capability will roll out, but interest in these sorts of developments illustrates the value Roku puts in advancing its ad services.
	</p>

	<p>
		 
	</p>

	<p>
		Moving off <a href="https://arstechnica.com/gadgets/2023/11/amazon-fire-tablets-and-other-gear-will-reportedly-switch-away-from-android/" rel="external nofollow">an Android fork</a>, Amazon reportedly started deploying its own OS to run on its TVs <a href="https://www.lowpass.cc/p/amazon-vega-os-fire-tv-android" rel="external nofollow">in November</a>. Amazon Fire TV users are subject to <a href="https://cordcuttersnews.com/amazons-fire-tv-is-adding-full-screen-video-ads-that-play-when-you-start-your-fire-tv/" rel="external nofollow">full-screen video ads</a>, and OS ownership gives Amazon more control and greater potential for earnings from advertising services. Amazon's advertising business was thought to be its <a href="https://www.forbes.com/sites/jasongoldberg/2022/02/04/amazon-reveals-its-most-profitable-business/" rel="external nofollow">most profitable</a> in 2020, and Fire OS is becoming a bigger part of that.
	</p>

	<p>
		 
	</p>

	<p>
		With software updates easily forcing new ad capabilities into already-owned TVs, it's likely that this strategy will intensify in the near term as OS providers try to find more ways to support new types of ads. In the long term, with price often cited as a top factor in TV purchasing decisions, pricier brands may potentially cave and adopt more ad-centric tactics. Such moves could help those brands offer prices that are more competitive with budget options.
	</p>

	<h2>
		TV or store?
	</h2>

	<p>
		Even before smart TVs, watching TV typically meant watching plenty of commercials and product placements. But Internet connectivity, advanced tracking techniques, and interest in TV data collection from megastores are pushing TVs to evolve from digital billboards to digital stores.
	</p>

	<p>
		 
	</p>

	<p>
		People usually only buy a new TV every few years or longer, which has driven OEMs to the ongoing revenue potential tied to data and ads. For users, this means that TV watching could become much more commercialized as the industry seeks new ways to use TVs for ad tracking. The current focus is on developing "shoppable ads," or ads that let people make purchases while using their TV.
	</p>

	<p>
		 
	</p>

	<div class="gallery shortcode-gallery gallery-wide">
		<div class="lSSlideOuter">
			<div class="lSSlideWrapper usingCss">
				<ul class="lightSlider lSSlide">
					<li class="lslide active">
						<figure>
							<img class="ipsImage" height="720" width="720" alt="roku-walmart-shoppable-ads-1024x576-1.jp" src="https://cdn.arstechnica.net/wp-content/uploads/2024/07/roku-walmart-shoppable-ads-1024x576-1.jpg">
							<figcaption id="caption-2039400">
								<div class="caption" style="font-style: italic;">
									A depiction of a shoppable ad for Walmart on a Roku TV.
								</div>

								<div class="credit" style="font-style: italic;">
									Roku
								</div>
							</figcaption>
						</figure>
					</li>
					<li class="lslide">
						<figure>
							<img class="ipsImage" height="720" width="720" alt="roku-walmart-shoppable-ads-checkout-1024" src="https://cdn.arstechnica.net/wp-content/uploads/2024/07/roku-walmart-shoppable-ads-checkout-1024x576-1.jpg">
							<figcaption id="caption-2039399">
								<div class="caption" style="font-style: italic;">
									Checking out on the Roku TV.
								</div>

								<div class="credit" style="font-style: italic;">
									Roku
								</div>
							</figcaption>
						</figure>
					</li>
				</ul>
			</div>
		</div>
	</div>

	<p>
		Streaming services like Hulu already show shoppable ads, and TV OS operators are exploring ways to capitalize on the trend. Amazon and Roku TVs, for example, have shoppable ads on screensavers. Other brands, <a href="https://www.businesswire.com/news/home/20230502005443/en/KERV-Interactive-Announces-First-OEM-Partnership-with-Samsung-Ads-to-Offer-Automated-Interactive-Advertising-Solutions-across-CTVL%20" rel="external nofollow">like Samsung</a>, are building out their ability to deliver shoppable ads on TVs. Relevant players are exploring formats like QR codes, games, and ads you can navigate with your remote. And TV brands are increasingly working with big stores like <a href="https://www.retailtouchpoints.com/topics/digital-marketing/roku-walgreens-and-the-future-of-ctv-shoppable-ad-experiences" rel="external nofollow">Walgreens</a> and <a href="https://techcrunch.com/2023/03/10/roku-partners-with-best-buy-and-its-advertising-business-to-get-first-party-shopper-data/" rel="external nofollow">Best Buy</a> to more extensively target advertising.
	</p>

	<p>
		 
	</p>

	<p>
		Omdia's Horner tells me that shoppable ads are the "next wave of smart TV advertising." Amazon and Walmart are expected to lead the way as huge retailers that can incorporate the purchase histories they have from their stores with viewer data. According to trade publication <a href="https://www.retailtouchpoints.com/topics/digital-marketing/thinking-beyond-the-30-second-ad-spot-how-best-buy-leveraged-ctv-to-reach-new-consumers" rel="external nofollow">Retail TouchPoints</a>, Walgreens Senior Director of Client Success Katie Vogt explained the appeal at a June conference:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			The beauty of reaching a specific Walgreens shopper is that [brands can] tie back the measurement and understand whether the shoppable [connected TV] ad actually drove those customers to go into a store or go online to make a purchase.
		</p>
	</blockquote>

	<p>
		Walmart's proposed <a href="https://arstechnica.com/gadgets/2024/02/walmart-buying-tv-brand-vizio-for-its-ad-fueling-customer-data/" rel="external nofollow">Vizio acquisition</a> is an obvious example of how eager retailers and advertisers are to access data collected from TVs. Through its Platform+ business unit, Vizio was <a href="https://arstechnica.com/gadgets/2021/05/vizio-tv-buyers-are-becoming-the-product-vizio-sells-not-just-its-customers/" rel="external nofollow">one of the first</a> OEMs to focus more business on ad sales and tracking than hardware.
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<figure class="image shortcode-img center large" style="">
		<img alt="In Q1 2024, Vizio reported $88.3 million gross profit for Platform+ and a $7.2 million loss for its devices business." class="ipsImage" height="589" srcset="https://cdn.arstechnica.net/wp-content/uploads/2024/05/Vizio-quarterly-profits-USD-million-2.jpg 2x" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/05/Vizio-quarterly-profits-USD-million-2.jpg">
		<figcaption class="caption">
			<div class="caption-text" style="font-style: italic;">
				In Q1 2024, Vizio reported $88.3 million gross profit for Platform+ and a $7.2 million loss for its devices business.
			</div>

			<div class="caption-credit" style="font-style: italic;">
				<a class="caption-link" href="https://omdia.tech.informa.com/blogs/2023/sep/the-drama-unfolding-on-tv" rel="external nofollow">Omdia</a>
			</div>
		</figcaption>
	</figure>

	<p>
		Walmart is willing to pay $2.3 billion for Vizio to help reach its dream of being a <a href="https://www.forbes.com/sites/andriacheng/2021/02/05/why-walmart-wants-a-bigger-slice-of-the-digital-ad-market/" rel="external nofollow">top-10 advertising business</a>. Soon, using a Vizio TV could mean fueling Walmart's ability to sell and track ads and make retail sales.
	</p>

	<p>
		 
	</p>

	<p>
		Stakeholders argue that shoppable ads provide a service to viewers, but the obvious winner is advertisers. As Tony Marlow, CMO of LG Ad Solutions, <a href="https://www.thedrum.com/open-mic/shoppable-tv-brings-the-store-to-the-living-room-heres-how-brands-can-capitalize" rel="external nofollow">wrote</a> earlier this year, without shoppable TV ads, "marketers have been unable to gain a truly holistic view of the entire purchase journey."
	</p>

	<p>
		 
	</p>

	<p>
		Going even further, <a href="https://arstechnica.com/gadgets/2023/12/upcoming-wireless-tvs-sell-users-on-screen-products-when-they-raise-their-hand/" rel="external nofollow">newcomer Displace</a> is offering a peek at an aggressive TV-as-a-store future. The company says its sets, which will ship at the end of the year, will be able to use proprietary gesture tech to tell if someone is raising a hand. The TV will pause the content and use computer vision to look for stuff the viewer can buy. Viewers can place items they want in a shopping cart and pay for them using the TV's integrated NFC reader.
	</p>

	<p>
		 
	</p>

	<p>
		As a 2-year-old startup offering a niche product, Displace likely won't have the same impact on the industry as the likes of Amazon or Vizio. But Displace's TVs are indicative of an industry desperate for new ways to make money and eager to be an integral part of e-commerce.
	</p>

	<h2>
		Telly’s free TVs
	</h2>

	<p>
		Another niche upcoming TV set is the Telly. The company's <a href="https://arstechnica.com/gadgets/2023/05/double-screen-free-tv-will-show-you-ads-even-when-not-in-use/" rel="external nofollow">TVs are free</a> but allow the startup to track their owners, and they have a secondary screen for showing ads, including when the TV is off (the secondary screen can also display information like the weather or sports scores). Telly's prospective owners must answer a long series of questions, like if they're registered to vote and who their cell phone provider is, with the data used for ad targeting. Telly has discussed further potential ways to commercialize TV watching, such as letting people earn gift cards by filling out surveys (also to help targeted advertising) on the TV.
	</p>

	<figure class="image shortcode-img center large" style="">
		<img alt="Telly's 4K TV comes with a different kind of price." class="ipsImage" height="405" srcset="https://cdn.arstechnica.net/wp-content/uploads/2023/05/telly-2-1280x720.jpg 2x" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2023/05/telly-2.jpg">
		<figcaption class="caption">
			<div class="caption-text" style="font-style: italic;">
				Telly's 4K TV comes with a different kind of price.
			</div>

			<div class="caption-credit" style="font-style: italic;">
				<a class="caption-link" href="https://mma.prnewswire.com/media/2076438/Telly_Ambient_Dualwave.jpg?p=publish" rel="external nofollow">Telly</a>
			</div>
		</figcaption>
	</figure>

	<p>
		Telly takes tracking to a new level, especially since owners can't opt out—blocking tracking may result in an owner being charged for the TV. The company's <a href="https://www.freetelly.com/viewing-and-activity-data-policy" rel="external nofollow">viewing and activity data policy</a> says its TVs can track a myriad of things, including settings, search queries, apps usage, and how many people are within 25 feet of the TV. Telly claims that advertisers won’t see personal information when viewing data accumulated from its TVs.
	</p>

	<p>
		 
	</p>

	<p>
		In theory, Telly could help get a new 55-inch 4K TV in the hands of people who wouldn’t be able to afford one otherwise. But at least in this early stage, the company isn’t primarily benefitting low-income households. According to a May <a href="https://videoweek.com/2024/05/01/telly-introduces-dual-screen-shoppable-ads-at-iab-newfronts-debut/" rel="external nofollow">Video Week</a> report, Telly’s first 400,000 users have “higher incomes than the US average," which seems like a draw for advertisers.
	</p>

	<p>
		 
	</p>

	<p>
		Telly's business model is an outlier, but its CEO thinks the company is ahead of the curve, and <a href="https://deadline.com/2023/07/smart-tv-telly-spotify-microsoft-nielsen-starts-shipping-free-sets-1235437252/" rel="external nofollow">advertisers are jumping aboard</a>. Still, Omdia's Horner believes Telly's strategy won't become mainstream. "Amazon and Walmart are the players to watch for trends in smart TV ads and e-commerce. Niche players giving away free TVs in exchange for extreme data collection will not move the market," he said.
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		When dumb TVs seem smart
	</h2>

	<p>
		As the TV industry has grown its ad capabilities over the years, shoppers have nearly lost the option to buy a new TV that doesn't connect to the Internet. Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation, described the trend of building surveillance into all new smart TVs as "incredibly invasive and little understood."
	</p>

	<p>
		 
	</p>

	<p>
		In an email to Ars, he added, "Nobody wants a snooping and snitching television, but lately that's all you can buy."
	</p>

	<p>
		 
	</p>

	<p>
		Those who want a TV without an Internet connection have few options. You can try to prevent a smart TV from tracking you, but again, <a href="https://www.consumerreports.org/electronics/privacy/how-to-turn-off-smart-tv-snooping-features-a4840102036/" rel="external nofollow">turning off ACR</a> and other tracking techniques can be challenging. Some TVs remove basic features like Internet connectivity if you don’t let them track you.
	</p>

	<p>
		 
	</p>

	<p>
		Companies like Telly open a window for other brands to consider more intrusive tracking and ads. Consider a world in which you have to say a brand name at your TV to skip ads, as demonstrated by a <a href="https://patents.google.com/patent/US8246454?oq=8246454" rel="external nofollow">Sony patent</a><span>:</span>
	</p>

	<figure class="image shortcode-img center large" style="">
		<img alt="An image from Sony's patent." class="ipsImage" height="571" srcset="https://cdn.arstechnica.net/wp-content/uploads/2023/12/sony-patent.png 2x" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2023/12/sony-patent.png">
		<figcaption class="caption">
			<div class="caption-text" style="font-style: italic;">
				An image from Sony's patent.
			</div>

			<div class="caption-credit" style="font-style: italic;">
				Sony Interactive Entertainment LLC
			</div>
		</figcaption>
	</figure>

	<p>
		It's likely that Sony won't make anything of this patent, as is typically the case with patents from research and development teams. But here again, we see how common it is for tech brands that sell TVs to experiment with ad formats and delivery.
	</p>

	<p>
		 
	</p>

	<p>
		Some things TVs already track would have sounded extreme before 2011, when ACR started taking off. For example, using ACR, TVs can reveal to OS providers—and therefore advertisers—the shows watched on the set and whether that content was streamed or watched via an antenna or cable. ACR can even identify DVDs watched on a TV. Per <a href="https://www.adexchanger.com/data-exchanges/what-tv-advertisers-need-to-know-about-acr-in-2023/" rel="external nofollow">Ad Exchanger</a>: “ACR ingests pixels on-screen to assign a value to each frame," which is like an "unknown fingerprint." The OS sends these fingerprints “to a database that logs content available on TV to find a known match and identify the content. Once ACR identifies the show, it can tie that viewing data to a specific household, such as a given household watching <em>The Big Bang Theory</em> at 9 pm." Advertisers can combine this information with other tactics, like <a href="https://www.ad-id.org/advertiser" rel="external nofollow">advertisement identification</a>, which assigns a unique ID to ads, to further track TV usage.
	</p>
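	<p>
		The fingerprint-and-match step described above, as an added example that is not part of the original article or of any vendor's ACR implementation: an 8x8 average hash stands in for the proprietary frame descriptors real systems use, and the catalogue, the household samples and the noise model are all constructed. It carries the match one step further than the paragraph, through to the household join that turns "what is on screen" into "who watched what, when".
	</p>

```python
"""Toy automatic content recognition (ACR) pipeline: fingerprint on-screen
frames, match them against a catalogue of known content, then attach the
match to a household. Added example, not code from Ars Technica or any TV
vendor; the 8x8 average hash, the frames and the catalogue are constructed
stand-ins for the proprietary descriptors real ACR systems use."""
from __future__ import annotations

SIZE = 8  # downsampled luminance frame, SIZE x SIZE, values 0..255


def frame_fingerprint(frame: list[list[int]]) -> int:
    """Average hash: one bit per pixel, set when the pixel is at or above the
    frame mean. Row 0, column 0 is the most significant bit."""
    flat = [p for row in frame for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | (1 if p >= mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def identify(frame: list[list[int]], catalogue: dict[str, int],
             max_distance: int = 6) -> str | None:
    """Nearest catalogue entry within max_distance bits, else None."""
    fp = frame_fingerprint(frame)
    title, ref = min(catalogue.items(), key=lambda kv: hamming(fp, kv[1]))
    return title if hamming(fp, ref) <= max_distance else None


def attribute_viewing(samples: list[dict], catalogue: dict[str, int]) -> list[tuple]:
    """Turn per-household frame samples into (household, time, title) rows:
    the join that makes ACR output sellable."""
    rows = []
    for s in samples:
        title = identify(s["frame"], catalogue)
        if title is not None:
            rows.append((s["household"], s["time"], title))
    return rows


# Constructed frames standing in for two shows and an unknown picture.
def gradient_h() -> list[list[int]]:
    return [[x * 32 for x in range(SIZE)] for _ in range(SIZE)]


def gradient_v() -> list[list[int]]:
    return [[y * 32 for _ in range(SIZE)] for y in range(SIZE)]


def checkerboard() -> list[list[int]]:
    return [[255 * ((x + y) % 2) for x in range(SIZE)] for y in range(SIZE)]


def broadcast_copy(frame: list[list[int]], gain: int = 20) -> list[list[int]]:
    """Brighter, slightly noisy copy of a frame (deterministic noise in -2..2),
    mimicking what the TV actually sees after scaling and compression."""
    return [[p + gain + ((x * 7 + y * 3) % 5 - 2) for x, p in enumerate(row)]
            for y, row in enumerate(frame)]


CATALOGUE = {"Show A": frame_fingerprint(gradient_h()),
             "Show B": frame_fingerprint(gradient_v())}

# Constructed samples: two households sampled at the same minute.
SAMPLES = [
    {"household": "hh-0001", "time": "21:00", "frame": broadcast_copy(gradient_h())},
    {"household": "hh-0002", "time": "21:00", "frame": checkerboard()},
]

if __name__ == "__main__":
    for row in attribute_viewing(SAMPLES, CATALOGUE):
        print(row)
```

	<p>
		Two things are worth noticing. The hash is taken relative to the frame mean, so the brighter, noisier "broadcast copy" still matches its catalogue entry with no differing bits, which is why ACR survives scaling, compression and whatever input the picture arrives on. And nothing in the fingerprint itself is identifying; the catalogue lookup and the join to a household record are what make the data valuable, which is why the privacy question is about that join rather than about the hash. Real systems use far richer descriptors and sample continuously, so they are much more robust than this toy.
	</p>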

	<p>
		 
	</p>

	<p>
		But there are plenty who don’t know the extent to which their TVs are monitoring them. Complexity in understanding and controlling TV tracking is especially relevant as more sets incorporate microphones and cameras. Terms of service are often complex, wordy agreements buried in elusive TV settings or online, and companies have ways of <a href="https://arstechnica.com/gadgets/2024/03/disgraceful-messy-tos-update-allegedly-locks-roku-devices-until-users-give-in/" rel="external nofollow">strong-arming TV owners into accepting</a> such agreements. Further complicating matters, it's possible for consumers to disable tracking from the TV OS provider, such as Google, but still be tracked by the TV OEM, like TCL.
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		Tune in next time...
	</h2>

	<p>
		With TV sales declining and many shoppers prioritizing pricing, smart TV players will continue developing ads that are harder to avoid and better at targeting. Interestingly, Horner told Ars that smart TV advertising revenue exceeding smart TV hardware revenue (as well as ad sale margins surpassing those of hardware) is a US-only trend, albeit one that shows no signs of abating. OLED has become a mainstay in the TV marketplace, and until the next big display technology becomes readily available, OEMs are scrambling to make money in a saturated TV market filled with budget options. Selling ads is an obvious way to bridge the gap between today and The Next Big Thing in TVs.
	</p>

	<p>
		 
	</p>

	<p>
		Indeed, with companies like Samsung and LG making big deals with analytics firms and other brands building their businesses around ads, the industry's obsession with ads will only intensify. As we've seen before with TV commercials, which have gotten <a href="https://time.com/96303/tv-commercials-increasing/" rel="external nofollow">more frequent over time</a>, once the ad genie is out of the bottle, it tends to grow, not go back inside.
	</p>

	<p>
		 
	</p>

	<p>
		One side effect we're already seeing, Horner notes, is "a proliferation of more TV operating systems." While choice is often a good thing for consumers, it's important to consider if new options from companies like Amazon, Comcast, and TiVo actually do anything to notably improve the smart TV experience for owners.
	</p>

	<p>
		 
	</p>

	<p>
		And OS operators' financial success is tied to the number of hours users spend viewing something on the OS. Roku's senior director of ad innovation, Peter Hamilton, told <a href="https://digiday.com/future-of-tv/how-ctv-platforms-are-pushing-non-traditional-ad-formats-but-not-too-far/" rel="external nofollow">Digiday</a> in May that his team works closely with Roku's consumer team, "whose goal is to drive total viewing hours." Many smart TV OS operators are therefore focused on making it easier for users to navigate content via AI.
	</p>


	<p>
		Per a <a href="https://omdia.tech.informa.com/blogs/2023/sep/the-drama-unfolding-on-tv" rel="external nofollow">blog post</a> from Omdia's Horner:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			With advertising, it’s not just the number of TVs shipped but rather the number of hours of content consumed that determines the winner. In this respect, the TV itself matters as well. Only the set in the main TV viewing room will get enough engagement to justify selling at close-to-manufacturing costs. The smaller sets in bedrooms and the kitchen, for example, will not get enough engagement to be profitable from advertising alone. We expect that in the US, TVs that are 50 inches and above and in the main viewing area of the house will be the primary targets for advertising engagement.
		</p>
	</blockquote>

	<p>
		Vendors I spoke with all said that ad interests wouldn't hinder R&amp;D around more traditional features. Having TVs with desirable features like strong image or sound quality remains relevant for pushing ads. But it's easy to imagine TV brands growing complacent about improving more traditional TV capabilities, too.
	</p>

	<p>
		 
	</p>

	<p>
		For most people who want fewer ads on their TVs, the only option is to vote with your dollar. There's also a growing pool of technically savvy folks sharing hacks for disconnecting smart TVs from the web or even <a href="https://arstechnica.com/gadgets/2024/07/broken-linux-laptop-makes-for-a-fine-smart-tv-alternative/" rel="external nofollow">DIYing your own smart TV</a>.
	</p>

	<p>
		 
	</p>

	<p>
		People who ask me for recommendations for cheap TVs used to receive lectures about factors like viewing angles and sound quality. Now, I talk about privacy, tracking concerns, and the software behind the hardware.
	</p>

	<p>
		 
	</p>

	<p>
		No matter how you slice it, though, the ad-ification of TVs is here to stay.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/gadgets/2024/08/tv-industrys-ads-tracking-obsession-is-turning-your-living-room-into-a-store/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25067</guid><pubDate>Mon, 19 Aug 2024 18:50:16 +0000</pubDate></item><item><title>New Mad Liberator gang uses fake Windows update screen to hide data theft</title><link>https://nsaneforums.com/news/security-privacy-news/new-mad-liberator-gang-uses-fake-windows-update-screen-to-hide-data-theft-r25043/</link><description><![CDATA[<p>
	A new data extortion group tracked as Mad Liberator is targeting AnyDesk users and runs a fake Microsoft Windows update screen to distract while exfiltrating data from the target device.
</p>

<p>
	 
</p>

<p>
	The operation emerged in July, and although researchers observing the activity have not seen any incidents involving data encryption, the gang states on its data leak site that it uses AES/RSA algorithms to lock files.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Mad Liberator's &quot;About&quot; page" class="ipsImage" height="393" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/MadLiberator_about.png">
		<figcaption>
			<strong>Mad Liberator "About" page</strong><br>
			<em>Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<h2>
	Targeting AnyDesk users
</h2>

<p>
	In a report from cybersecurity company Sophos, <a href="https://news.sophos.com/en-us/2024/08/13/dont-get-mad-get-wise/" rel="external nofollow" target="_blank">researchers say</a> that a Mad Liberator attack starts with an unsolicited connection to a computer via the AnyDesk remote access application, which is popular among IT teams managing corporate environments.
</p>

<p>
	 
</p>

<p>
	It is unclear how the threat actor selects its targets but one theory, although yet to be proven, is that Mad Liberator tries potential addresses (AnyDesk connection IDs) until someone accepts the connection request.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Connection request on AnyDesk" class="ipsImage" height="506" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/22/anydesk.jpg">
		<figcaption>
			<strong>Connection request on AnyDesk</strong><br>
			<em>Source: Sophos</em>
		</figcaption>
	</figure>
</div>

<p>
	Once a connection request is approved, the attackers drop on the compromised system a binary named <em>Microsoft Windows Update</em>, which shows a fake Windows Update splash screen.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Fake Windows Update splash screen" class="ipsImage" height="600" style="height: auto;" width="777" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/22/fake-update.jpg">
		<figcaption>
			<strong>Fake Windows update splash screen</strong><br>
			<em>Source: Sophos</em>
		</figcaption>
	</figure>
</div>

<p>
	The only purpose of the ruse is to distract the victim while the threat actor uses AnyDesk's File Transfer tool to steal data from OneDrive accounts, network shares, and local storage.
</p>

<p>
	 
</p>

<p>
	While the fake update screen is displayed, the victim's keyboard is disabled so the user cannot interrupt the exfiltration.
</p>

<p>
	 
</p>

<p>
	In the attacks seen by Sophos, which lasted approximately four hours, Mad Liberator did not perform any data encryption in the post-exfiltration stage. 
</p>

<p>
	 
</p>

<p>
	However, it still dropped ransom notes on the shared network directories to ensure maximum visibility in corporate environments.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Ransom note dropped on breached devices" class="ipsImage" height="410" style="height: auto;" width="681" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/22/ransom-note.jpg">
		<figcaption>
			<strong>Ransom note dropped on breached devices</strong><br>
			<em>Source: Sophos</em>
		</figcaption>
	</figure>
</div>

<p>
	Sophos notes that it has not seen Mad Liberator interact with the target prior to the AnyDesk connection request and has logged no phishing attempts supporting the attack.
</p>
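<p>
	As an added illustration (not part of the Sophos report or the original article), the following Python script shows the kind of correlation a SOC could run over remote-access telemetry to catch this pattern: an inbound AnyDesk session accepted from a peer ID the organisation has never used, followed within a few hours by outbound file transfers. The event schema, host names, peer IDs and paths are all constructed for the example; AnyDesk's real trace-log format differs and the parser would need adapting to it.
</p>

```python
"""Added example: correlate remote-access session events to flag the
Mad Liberator pattern (unsolicited inbound connection from a peer never
seen before, followed by file-transfer activity).  The event shape below
is a simplified, constructed schema, not AnyDesk's real trace-log format;
adapt the ingestion step to whatever your agent actually emits."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real AnyDesk log lines).
SAMPLE_EVENTS = [
    {"ts": "2024-08-13T09:58:00", "host": "WS-042", "event": "session_request",
     "direction": "inbound", "peer_id": "123456789"},
    {"ts": "2024-08-13T09:58:20", "host": "WS-042", "event": "session_accepted",
     "direction": "inbound", "peer_id": "123456789"},
    {"ts": "2024-08-13T10:03:00", "host": "WS-042", "event": "file_transfer",
     "direction": "outbound", "peer_id": "123456789",
     "path": "\\\\fs01\\finance\\q2.xlsx"},
    {"ts": "2024-08-13T10:05:00", "host": "WS-042", "event": "file_transfer",
     "direction": "outbound", "peer_id": "123456789",
     "path": "C:\\Users\\j\\OneDrive\\hr.zip"},
    # Legitimate helpdesk session: known peer, no outbound file pull.
    {"ts": "2024-08-13T11:00:00", "host": "WS-017", "event": "session_accepted",
     "direction": "inbound", "peer_id": "555000111"},
    {"ts": "2024-08-13T11:10:00", "host": "WS-017", "event": "session_closed",
     "direction": "inbound", "peer_id": "555000111"},
]

# Peer IDs belonging to the organisation's own IT staff (constructed).
KNOWN_PEERS = {"555000111", "555000222"}


def find_suspicious_sessions(events, known_peers, window=timedelta(hours=4)):
    """Return one alert per (host, peer) pair where an inbound session from
    a peer outside `known_peers` is followed, within `window`, by at least
    one outbound file transfer.  Known peers are skipped entirely."""
    accepted = {}                      # (host, peer) -> time session was accepted
    transfers = defaultdict(list)      # (host, peer) -> [(time, path), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["peer_id"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "session_accepted" and ev["direction"] == "inbound":
            accepted.setdefault(key, ts)   # keep the earliest acceptance
        elif ev["event"] == "file_transfer" and ev["direction"] == "outbound":
            transfers[key].append((ts, ev.get("path", "")))

    alerts = []
    for (host, peer), start in accepted.items():
        if peer in known_peers:
            continue                       # expected support traffic
        pulled = [p for t, p in transfers[(host, peer)]
                  if start <= t <= start + window]
        if pulled:
            alerts.append({"host": host, "peer_id": peer,
                           "accepted_at": start.isoformat(), "files": pulled})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_sessions(SAMPLE_EVENTS, KNOWN_PEERS):
        print(f"[ALERT] {a['host']}: unknown peer {a['peer_id']} accepted at "
              f"{a['accepted_at']} then pulled {len(a['files'])} file(s)")
```

<p>
	The rule deliberately ignores the fake update binary: it keys on the two things the attacker cannot avoid, an inbound session from an identity the organisation never provisioned and data leaving over that session. Maintaining the known-peer list is the operational cost; AnyDesk's own access-control settings, which restrict which IDs may connect at all, remove the need for the user to judge the request in the first place.
</p>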

<p>
	 
</p>

<p>
	Regarding Mad Liberator’s extortion process, the threat actors declare on their darknet site that they first contact breached firms offering to “help” them fix their security issues and recover encrypted files if their monetary demands are met.
</p>

<p>
	 
</p>

<p>
	If the victimized company does not respond within 24 hours, its name is published on the extortion portal and it is given seven days to contact the threat actors.
</p>

<p>
	 
</p>

<p>
	If another five days pass after that ultimatum without a ransom payment, all stolen files are published on the Mad Liberator website, which currently lists nine victims.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-mad-liberator-gang-uses-fake-windows-update-screen-to-hide-data-theft/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">25043</guid><pubDate>Sat, 17 Aug 2024 19:19:21 +0000</pubDate></item><item><title>NationalPublicData.com Hack Exposes a Nation&#x2019;s Data</title><link>https://nsaneforums.com/news/security-privacy-news/nationalpublicdatacom-hack-exposes-a-nation%E2%80%99s-data-r25021/</link><description><![CDATA[<p>
	A great many readers this month reported receiving alerts that their Social Security Number, name, address and other personal information were exposed in a breach at a little-known but aptly-named consumer data broker called <strong>NationalPublicData.com</strong>. This post examines what we know about a breach that has exposed hundreds of millions of consumer records. We’ll also take a closer look at the data broker that got hacked — a background check company founded by an actor and retired sheriff’s deputy from Florida.
</p>

<p>
	 
</p>

<p>
	<img alt="nationalpublicdata-home.png" class="ipsImage" data-ratio="75.10" height="422" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2024/08/nationalpublicdata-home.png">
</p>

<p>
	 
</p>

<p>
	On July 21, 2024, denizens of the cybercrime community <strong>Breachforums</strong> released more than 4 terabytes of data they claimed was stolen from nationalpublicdata.com, a Florida-based company that collects data on consumers and processes background checks.
</p>

<p>
	 
</p>

<p>
	The breach tracking service <strong>HaveIBeenPwned.com</strong> and the cybercrime-focused Twitter account <a href="https://twitter.com/vxunderground" rel="external nofollow" target="_blank">vx-underground</a> both concluded the leak is the same information first put up for sale in April 2024 by a prolific cybercriminal who goes by the name “<strong>USDoD</strong>.”
</p>

<p>
	 
</p>

<p>
	On April 7, USDoD posted a sales thread on Breachforums for four terabytes of data — 2.9 billion rows of records — they claimed was taken from nationalpublicdata.com. The snippets of stolen data that USDoD offered as teasers showed rows of names, addresses, phone numbers, and Social Security Numbers (SSNs). Their asking price? $3.5 million.
</p>

<p>
	 
</p>

<p>
	Many media outlets mistakenly reported that the National Public Data breach affects 2.9 billion people (that figure actually refers to the number of rows in the leaked data sets). HaveIBeenPwned.com’s <strong>Troy Hunt</strong> <a href="https://www.troyhunt.com/inside-the-3-billion-people-national-public-data-breach/" rel="external nofollow" target="_blank">analyzed the leaked data</a> and found it is a somewhat disparate collection of consumer and business records, including the real names, addresses, phone numbers and SSNs of millions of Americans (both living and deceased), and 70 million rows from a database of U.S. criminal records.
</p>

<p>
	 
</p>

<p>
	Hunt said he found 137 million unique email addresses in the leaked data, but stressed that there were no email addresses in the files containing SSN records.
</p>

<p>
	 
</p>

<p>
	“If you find yourself in this data breach via HaveIBeenPwned.com, there’s no evidence your SSN was leaked, and if you’re in the same boat as me, the data next to your record may not even be correct.”
</p>

<p>
	 
</p>

<p>
	Nationalpublicdata.com publicly acknowledged a breach in <a href="https://nationalpublicdata.com/Breach.html" rel="external nofollow" target="_blank">a statement on Aug. 12</a>, saying “there appears to have been a data security incident that may have involved some of your personal information. The incident appears to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”
</p>

<p>
	 
</p>

<p>
	The company said the information “suspected of being breached” contained name, email address, phone number, social security number, and mailing address(es).
</p>

<p>
	 
</p>

<p>
	“We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you,” the statement continues. “We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”
</p>

<p>
	 
</p>

<p>
	Hunt’s analysis didn’t say how many unique SSNs were included in the leaked data. But according to researchers at <strong>Atlas Data Privacy Corp.</strong>, there are 272 million unique SSNs in the entire records set.
</p>

<p>
	 
</p>

<p>
	Atlas found most records have a name, SSN, and home address, and that approximately 26 percent of those records included a phone number. Atlas said they verified 5,000 addresses and phone numbers, and found the records pertain to people born before Jan. 1, 2002 (with very few exceptions).
</p>

<p>
	 
</p>

<p>
	If there is a tiny silver lining to the breach it is this: Atlas discovered that many of the records related to people who are now almost certainly deceased. They found the average age of the consumer in these records is 70, and fully two million records are related to people whose date of birth would make them more than 120 years old today.
</p>
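<p>
	To make the rows-versus-people distinction concrete, here is an added Python example (not from Hunt's or Atlas's analysis) of a first-pass triage over a leaked people-data dump: it normalises and validates SSNs, counts distinct identities rather than rows, measures how many records carry a phone number, and flags records whose date of birth would make the person older than 120. The CSV column layout and every row in it are constructed test data; nothing is taken from the real dump.
</p>

```python
"""Added example: first-pass triage of a leaked people-data dump.
Shows why row counts overstate the number of people affected, how many
distinct (plausibly valid) SSNs the rows cover, what share of records
carry a phone number, and how many belong to people who would be over
120 today.  All rows below are constructed test data."""
import csv
import io
import re
from datetime import date

# Constructed sample rows in an assumed column layout (not the real dump).
SAMPLE_CSV = """name,ssn,dob,address,phone
Ada Example,001-23-4567,1954-03-02,1 Main St,555-0100
Ada Example,001234567,1954-03-02,1 Main St,
A. Example,001-23-4567,1954-03-02,1 Main Street,555-0100
Ben Sample,666-12-3456,1960-07-07,2 Oak Ave,
Cy Placeholder,123-45-6789,1890-01-01,3 Elm Rd,555-0101
Dee Fictional,987-65-4321,2005-05-05,4 Pine Ln,
Eve Record,000-00-0000,1970-01-01,5 Birch Ct,
"""

NINE_DIGITS = re.compile(r"^\d{9}$")


def normalize_ssn(raw):
    """Strip separators and return the 9-digit SSN, or None if the value
    cannot be a real SSN: the SSA never issues area 000, 666 or 900-999,
    group 00, or serial 0000."""
    digits = re.sub(r"\D", "", raw or "")
    if not NINE_DIGITS.match(digits):
        return None
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if area == 0 or area == 666 or area >= 900 or group == 0 or serial == 0:
        return None
    return digits


def age_on(dob_str, today):
    """Whole years between an ISO date of birth and `today`."""
    y, m, d = (int(x) for x in dob_str.split("-"))
    born = date(y, m, d)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def triage(csv_text, today=date(2024, 8, 16)):
    """Summarise a dump: rows vs unique valid SSNs, junk SSNs, phone
    coverage, implausible ages, and records born in 2002 or later."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    normalized = [normalize_ssn(r["ssn"]) for r in rows]
    unique_ssns = {s for s in normalized if s}
    with_phone = sum(1 for r in rows if r["phone"].strip())
    ages = [age_on(r["dob"], today) for r in rows]
    return {
        "rows": len(rows),
        "unique_valid_ssns": len(unique_ssns),
        "invalid_ssn_rows": sum(1 for s in normalized if s is None),
        "phone_share": round(with_phone / len(rows), 2),
        "over_120": sum(1 for a in ages if a > 120),
        "born_2002_or_later": sum(1 for r in rows if r["dob"] >= "2002-01-01"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

<p>
	On the constructed sample, seven rows collapse to two distinct valid SSNs: the same person appears three times with different formatting, and three rows carry SSNs the SSA could never have issued. Run against a real dump the same shape of summary is what separates a headline row count from the number of living people actually at risk.
</p>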

<h2>
	TWISTED HISTORY
</h2>

<p>
	Where did National Public Data get its consumer data? The company’s website doesn’t say, but it is operated by an entity in Coral Springs, Fla. called <strong>Jerico Pictures Inc.</strong> The website for Jerico Pictures is not currently responding. However, <a href="https://web.archive.org/web/20230330052412/http://www.jericopictures.com/" rel="external nofollow" target="_blank">cached versions of it at archive.org</a> show it is a film studio with offices in Los Angeles and South Florida.
</p>

<p>
	 
</p>

<p>
	The Florida Secretary of State says Jerico Pictures is owned by <strong>Salvatore (Sal) Verini Jr.</strong>, a retired deputy with the Broward County Sheriff’s office. The Secretary of State also says Mr. Verini is or was a founder of several other Florida companies, including <strong>National Criminal Data LLC</strong>, <strong>Twisted History LLC</strong>, <strong>Shadowglade LLC</strong> and <strong>Trinity Entertainment Inc.</strong>, among others.
</p>

<p>
	 
</p>

<p>
	Mr. Verini did not respond to multiple requests for comment. Cached copies of Mr. Verini’s vanity domain <a href="https://web.archive.org/web/20230323175843/http://www.salvatoreverini.com/" rel="external nofollow" target="_blank">salvatoreverini.com</a> recount his experience in acting (e.g. a role in a 1980s detective drama with Burt Reynolds) and more recently producing dramas and documentaries for several streaming channels.
</p>

<p>
	 
</p>

<div class="wp-caption aligncenter" id="attachment_68384" style="width: 759px">
	<img alt="salverini-imdb-768x560.png" class="ipsImage" data-ratio="75.10" height="525" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2024/08/salverini-imdb-768x560.png">
	<p class="wp-caption-text" id="caption-attachment-68384">
		<em>Sal Verini’s profile page at imdb.com.</em>
	</p>
</div>

<p>
	Pivoting on the email address used to register that vanity domain, <strong>DomainTools.com</strong> finds several other domains whose history offers a clearer picture of the types of data sources relied upon by National Public Data.
</p>

<p>
	 
</p>

<p>
	One of those domains is <strong>recordscheck.net</strong> (formerly <strong>recordscheck.info</strong>), which advertises “instant background checks, SSN traces, employees screening and more.” Another now-defunct business tied to Mr. Verini’s email — <a href="https://web.archive.org/web/20150110212648/http://www.publicrecordsunlimited.com/products.html" rel="external nofollow" target="_blank">publicrecordsunlimited.com</a> — said it obtained consumer data from a variety of sources, including: birth, marriage and death records; voting records; professional licenses; state and federal criminal records.
</p>

<p>
	 
</p>

<div class="wp-caption aligncenter" id="attachment_68387" style="width: 760px">
	<img alt="publicrecordsunlimited-768x704.png" class="ipsImage" data-ratio="75.10" height="540" width="589" src="https://krebsonsecurity.com/wp-content/uploads/2024/08/publicrecordsunlimited-768x704.png">
	<p class="wp-caption-text" id="caption-attachment-68387">
		<em>The homepage for publicrecordsunlimited.com, per archive.org circa 2017.</em>
	</p>
</div>

<p>
	It remains unclear how thieves originally obtained these records from National Public Data. KrebsOnSecurity sought comment from USDoD, who is perhaps best known for <a href="https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/" rel="external nofollow" target="_blank">hacking into Infragard, an FBI program</a> that facilitates information sharing about cyber and physical threats with vetted people in the private sector.
</p>

<p>
	 
</p>

<p>
	USDoD said they indeed sold the same data set that was leaked on Breachforums this past month, but that the person who leaked the data did not obtain it from them. USDoD said the data stolen from National Public Data had traded hands several times since it was initially stolen in December 2023.
</p>

<p>
	 
</p>

<p>
	“The database has been floating around for a while,” USDoD said. “I was not the first one to get it.”
</p>

<p>
	 
</p>

<p>
	USDoD said the person who originally stole the data from NPD was a hacker who goes by the handle <strong>SXUL</strong>. That user appears to have deleted their Telegram account several days ago, presumably in response to intense media coverage of the breach.
</p>

<h2>
	ANALYSIS
</h2>

<p>
	Data brokers like National Public Data typically get their information by scouring federal, state and local government records. Those government files include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.
</p>

<p>
	 
</p>

<p>
	Americans may believe they have the right to opt out of having these records collected and sold to anyone. But experts say these underlying sources of information — the above-mentioned “public” records — are carved out from every single state consumer privacy law. This includes California’s privacy regime, which is often held up as the national leader in state privacy regulations.
</p>

<p>
	 
</p>

<p>
	You see, here in America, virtually anyone can become a consumer data broker. And with few exceptions, there aren’t any special requirements for brokers to show that they actually care about protecting the data they collect, store, repackage and sell so freely.
</p>

<p>
	 
</p>

<p>
	In February 2023, <strong>PeopleConnect</strong>, the owners of the background search services <strong>TruthFinder</strong> and <strong>Instant Checkmate</strong>, <a href="https://www.bleepingcomputer.com/news/security/truthfinder-instant-checkmate-confirm-data-breach-affecting-20m-customers/" rel="external nofollow" target="_blank">acknowledged a breach affecting 20 million customers</a> who paid the data brokers to run background checks. The data exposed included email addresses, hashed passwords, first and last names, and phone numbers.
</p>

<p>
	 
</p>

<p>
	In 2019, malicious hackers <a href="https://www.wired.com/story/billion-records-exposed-online/" rel="external nofollow" target="_blank">stole data on more than 1.5 billion people from People Data Labs</a>, a San Francisco data broker whose people-search services linked hundreds of millions of email addresses, LinkedIn and Facebook profiles and more than 200 million valid cell phone numbers.
</p>

<p>
	 
</p>

<p>
	These data brokers are the digital equivalent of massive oil tankers wandering the coast without GPS or an anchor, because when they get hacked, the effect is very much akin to the ecological and economic fallout from a giant oil spill.
</p>

<p>
	 
</p>

<p>
	It’s an apt analogy because the dissemination of so much personal data all at once has ripple effects for months and years to come, as this information invariably feeds into a vast underground ocean of scammers who are already equipped and staffed to commit identity theft and account takeovers at scale.
</p>

<p>
	 
</p>

<p>
	It’s also apt because much like with real-life oil spills, the cleanup costs and effort from data spills — even just vast collections of technically “public” documents like the NPD corpus — can be enormous, and most of the costs associated with that fall to consumers, directly or indirectly.
</p>

<h2>
	WHAT SHOULD YOU DO?
</h2>

<p>
	Should you worry that your SSN and other personal data might be exposed in this breach? That isn’t necessary for people who’ve been following the advice here for years, which is to <a href="https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/" rel="external nofollow" target="_blank">freeze one’s credit file</a> at <a href="https://www.usa.gov/credit-freeze" rel="external nofollow" target="_blank">each of the major consumer reporting bureaus</a>. Having a freeze on your files makes it much harder for identity thieves to create new accounts in your name, and it limits who can view your credit information.
</p>

<p>
	 
</p>

<p>
	The main reason I recommend the freeze is that all of the information ID thieves need to assume your identity is now broadly available from multiple sources, thanks to the multiplicity of data breaches we’ve seen involving SSN data and other key static data points about people.
</p>

<p>
	 
</p>

<p>
	But beyond that, there are numerous cybercriminal services that offer detailed background checks on consumers, including full SSNs. These services are powered by compromised accounts at data brokers that cater to private investigators and law enforcement officials, and some are now fully automated via Telegram instant message bots. Meaning, if you’re an American who hasn’t frozen their credit files and you haven’t yet experienced some form of new account fraud, the ID thieves probably just haven’t gotten around to you yet.
</p>

<p>
	 
</p>

<p>
	All Americans are also entitled to obtain a free copy of their credit report once a year from each of the three major credit bureaus, through the website <a href="https://www.annualcreditreport.com" rel="external nofollow" target="_blank">annualcreditreport.com</a>. If you haven’t done this in a while, now would be an excellent time to order your files (or just get one now, and then a report from a different bureau in 4-5 months, and so on).
</p>

<p>
	 
</p>

<p>
	Either way, review the reports and dispute any errors you may find. Identity theft and new account fraud is not a problem that gets easier to solve by letting it fester.
</p>

<p>
	 
</p>

<p>
	Mr. Verini probably didn’t respond to requests for comment because his company is <a href="https://news.bloomberglaw.com/privacy-and-data-security/background-check-data-of-3-billion-stolen-in-breach-suit-says?ref=troyhunt.com" rel="external nofollow" target="_blank">now the subject of a class-action lawsuit</a> (NB: the lawsuit also erroneously claims 3 billion people were affected). These lawsuits are practically inevitable now after a major breach, but they also have the unfortunate tendency to let regulators and lawmakers off the hook.
</p>

<p>
	 
</p>

<p>
	Almost every time there’s a major breach of SSN data, Americans are offered credit monitoring services. Most of the time, those services come from one of the three major consumer credit bureaus, the same companies that profit by compiling and selling incredibly detailed dossiers on consumers’ financial lives. The same companies that use dark patterns to trick people into paying for “credit lock” services that achieve a similar result as a freeze but still let the bureaus sell your data to their partners.
</p>

<p>
	 
</p>

<p>
	But class-actions alone will not drive us toward a national conversation about what needs to change. Americans currently have very few rights to opt out of the personal and financial surveillance, data collection and sale that is pervasive in today’s tech-based economy.
</p>

<p>
	 
</p>

<p>
	The breach at National Public Data may not be the worst data breach ever. But it does present yet another opportunity for this country’s leaders to acknowledge that the SSN has completely failed as a measure of authentication or authorization. It was never a good idea to use as an authenticator to begin with, and it is certainly no longer suitable for this purpose.
</p>

<p>
	 
</p>

<p>
	The truth is that these data brokers will continue to proliferate and thrive (and get hacked and relieved of their data) until Congress begins to realize it’s time for some consumer privacy and data protection laws that are relevant to life in the 21st century.
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2024/08/nationalpublicdata-com-hack-exposes-a-nations-data/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">25021</guid><pubDate>Fri, 16 Aug 2024 06:57:11 +0000</pubDate></item><item><title>Debian LTS Team takes over Debian 11 security updates from today</title><link>https://nsaneforums.com/news/security-privacy-news/debian-lts-team-takes-over-debian-11-security-updates-from-today-r25014/</link><description><![CDATA[<p>
	The Debian Project <a href="https://www.debian.org/News/2024/20240814" rel="external nofollow">has announced</a> that the Debian Long Term Support (LTS) Team is taking over security support for <a href="https://www.neowin.net/news/debian-11-bullseye-offers-more-than-2x-performance-in-certain-applications/" rel="external nofollow">Debian 11</a> now that it is three years old. The LTS Team takes over this responsibility from the Security and Release Teams, which can now focus on the current Debian 12 and soon-to-be-released Debian 13.
</p>

<p>
	 
</p>

<p>
	Now that the LTS Team has taken over Debian 11 updates, users can continue using it until August 31, 2026. With that said, the announcement recommends that people upgrade their machines to the current stable release, Debian 12. The LTS phase gives anyone who needs it time to upgrade more gracefully, for example if they have a lot of data that needs backing up first. It is best not to wait until August 2026 to upgrade, though.
</p>

<p>
	 
</p>

<p>
	While the base packages should continue to be maintained, the Debian Project warns that a few of your packages may not be supported by the LTS Team. To identify any packages that won't be supported, install the <strong>debian-security-support</strong> package and then run <strong>check-support-status</strong> from a terminal to get a list of unsupported packages. If you find a critical package that you would like to get support for, you can email <strong>debian-lts@lists.debian.org</strong>.
</p>

<p>
	 
</p>

<p>
	If you do have unmaintained packages installed on your system, it's probably a good idea to remove them from the terminal using the <strong>apt remove</strong> command, preceded by <strong>sudo</strong>, of course. According to the <a href="https://wiki.debian.org/LTS/Bullseye" rel="external nofollow">Debian Wiki</a>, it is mostly game packages for which support is being dropped during the LTS period.
</p>

<p>
	 
</p>

<p>
	While Debian has a reputation for being rock solid, it is also better suited for people more familiar with Linux than total newbies. One of the reasons for this is that upgrading between major versions is done from the command line instead of a graphical tool like Ubuntu or Fedora. If you want to upgrade to Debian 12, check out the <a href="https://wiki.debian.org/DebianUpgrade" rel="external nofollow">DebianUpgrade page</a> in the Debian Wiki for detailed instructions and read very carefully; don't just skim-read.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/debian-lts-team-takes-over-debian-11-security-updates-from-today/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">25014</guid><pubDate>Thu, 15 Aug 2024 18:55:06 +0000</pubDate></item><item><title>Microsoft posts guidance for CVE-2024-21302 VBS flaw that downgrades modern Windows PCs</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-posts-guidance-for-cve-2024-21302-vbs-flaw-that-downgrades-modern-windows-pcs-r24995/</link><description><![CDATA[<p>
	Earlier today, Microsoft released Patch Tuesday updates for Windows 10 (<a href="https://www.neowin.net/news/windows-10-kb5041580--kb5041578--kb5041773--kb5041782-august-2024-patch-tuesday-out/" rel="external nofollow">KB5041580 / KB5041578 / KB5041773 / KB5041782</a>) and Windows 11 versions 23H2, 22H2, 21H2 (<a href="https://www.neowin.net/news/windows-11-patch-tuesday-update-out-now-for-23h2-22h2-kb5041585-and-21h2-kb5041592/" rel="external nofollow">KB5041585 / KB5041592</a>), as well as for 24H2 (<a href="https://www.neowin.net/news/patch-tuesday-update-kb5041571-hits-copilot-pcs-running-windows-11-24h2/" rel="external nofollow">KB5041571</a>).
</p>

<p>
	 
</p>

<p>
	In a separate post, the company confirmed that it has finally retired the troublesome WinRE KB5034440 and KB5034441 updates, although they have now been <a href="https://www.neowin.net/news/microsoft-kills-unfixable-kb5034440kb5034441-updates-replaces-with-kb5042321kb5042320/" rel="external nofollow">replaced by new ones</a>.
</p>

<p>
	 
</p>

<p>
	In yet another support document, the tech giant has published mitigation guidance for a recent security vulnerability that came to light. The vulnerability allows an attacker to quietly downgrade the system to an older vulnerable state, and Windows would not be able to tell the difference. The issue is being tracked under IDs "CVE-2024-21302" and "CVE-2024-38202," which we covered in our <a href="https://www.neowin.net/news/security-researcher-demos-bypassing-security-to-permanently-downgrade-window-1011/" rel="external nofollow">dedicated article here</a>.
</p>

<p>
	 
</p>

<p>
	The security researcher who discovered this has named the vulnerability "Windows Downdate" as the Windows Update process incorrectly tells the user of a compromised system that their software is up-to-date.
</p>

<p>
	 
</p>

<p>
	About the vulnerability, Microsoft writes on its MSRC website:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows 10, Windows 11, Windows Server 2016, and higher based systems including Azure Virtual Machines (VM) that support VBS.
	</p>

	<p>
		 
	</p>

	<p>
		The vulnerability enables an attacker with administrator privileges on the target system to replace current Windows system files with outdated versions. Successful exploitation provides an attacker with the ability to reintroduce previously mitigated vulnerabilities, circumvent VBS security features, and exfiltrate data protected by VBS.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft is developing a security update that will revoke outdated, unpatched VBS system files to mitigate this vulnerability, but it is not yet available. Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions.
	</p>
</blockquote>

<p>
	In the new guidance post, Microsoft has provided more details, including mitigation information for most modern versions and editions of Windows 10, 11, and Server that have VBS (Virtualization-based Security). It writes:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>Available mitigations</strong>
	</p>

	<p>
		 
	</p>

	<p>
		For all supported versions of Windows 10, version 1809 and later Windows versions, and Windows Server 2019 and later Windows Server versions, administrators can deploy a Microsoft-signed revocation policy (SkuSiPolicy.p7b). This will block vulnerable versions of VBS system files that are not updated from being loaded by the operating system.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>Note</strong> Additional mitigations and mitigation support for all supported versions of Windows 10, version 1507 and earlier Windows versions, and Windows Server 2016 and earlier Windows Server versions are planned for future updates.
	</p>
</blockquote>

<p>
	You can learn the full details about the mitigation deployment as well as the risks involved <a href="https://support.microsoft.com/en-us/help/5042562" rel="external nofollow">here</a> on the official support document on Microsoft's website.
</p>

<p>
	 
</p>

<p>
	Home users may not need to install the revocation policy right away, as the threat is a local attack that requires the attacker to already hold administrator privileges on the victim's PC. It is probably better to wait for an automatic fix that Microsoft is expected to deploy via Windows Update (or some other channel) later.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-posts-guidance-for-cve-2024-21302-vbs-flaw-that-downgrades-modern-windows-pcs/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">24995</guid><pubDate>Thu, 15 Aug 2024 03:46:14 +0000</pubDate></item><item><title>Proton VPN: free VPN users can use the browser extensions now</title><link>https://nsaneforums.com/news/security-privacy-news/proton-vpn-free-vpn-users-can-use-the-browser-extensions-now-r24981/</link><description><![CDATA[<p>
	Proton <a data-wpel-link="external" href="https://protonvpn.com/blog/browser-extension-free" rel="external nofollow" target="_blank">announced</a> today that it has made the decision to allow free users of its service to use the Chrome and Firefox extensions. Up until now, access was limited to paying customers.
</p>

<p>
	 
</p>

<p>
	Here are the details:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a data-wpel-link="internal" href="https://www.ghacks.net/2021/04/26/protonvpn-privacy-focused-vpn-with-strong-security-and-features/" rel="external nofollow">Proton VPN</a> is available as a free, limited version.
	</li>
	<li>
		The browser extensions may now also be used by free users.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Note</strong>: Proton VPN is compatible with most Chromium-based and Firefox-based browsers.
</p>

<p>
	 
</p>

<p>
	Proton says that access to browser extensions was a much requested feature. Using a browser extension offers some advantages:
</p>

<p>
	 
</p>

<ul>
	<li>
		The VPN connection applies only to the browser.
	</li>
	<li>
		The Proton VPN app does not need to be installed.
	</li>
</ul>

<p>
	 
</p>

<p>
	Access to VPN apps may be blocked in some regions. The extension may still work, however.
</p>

<h2>
	Proton VPN Free
</h2>

<figure aria-describedby="caption-attachment-205988" class="wp-caption alignnone" id="attachment_205988" style="width: 1180px">
	<img alt="proton-vpn-extension.png" class="ipsImage" data-ratio="75.10" height="485" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/08/proton-vpn-extension.png">
	<figcaption class="wp-caption-text" id="caption-attachment-205988">
		<em>Proton VPN installed in Firefox</em>
	</figcaption>
</figure>

<p>
	The free version of Proton VPN is limited, but not as much as most other free VPNs. The developers promise that theirs is the only solution that "doesn't limit your bandwidth, spy on you, show you privacy-invading ads, or sell your data".
</p>

<p>
	 
</p>

<p>
	Some features are off-limits when you use the free version. This includes:
</p>

<p>
	 
</p>

<ul>
	<li>
		The ability to select a specific country / server to connect to.
	</li>
	<li>
		The highest possible speeds.
	</li>
	<li>
		Split Tunneling support.
	</li>
	<li>
		Custom DNS support.
	</li>
	<li>
		Advanced features, including ad-blocking, malware protections, VPN acceleration, or double-hop support.
	</li>
</ul>

<p>
	 
</p>

<p>
	Using the free browser extensions is very easy. If you have a Proton VPN account already, you just download the extensions for your browser and sign-in with your account. All done.
</p>

<p>
	 
</p>

<p>
	If you do not have a Proton VPN account yet, you can create one for free using two steps:
</p>

<p>
	 
</p>

<ul>
	<li>
		Provide an email address on the "Create your account" <a data-wpel-link="external" href="https://account.protonvpn.com/signup?plan=free&amp;currency=EUR&amp;ref=noupsell" rel="external nofollow" target="_blank">page</a>.
	</li>
	<li>
		Accept the pre-generated password or set a custom one.
	</li>
</ul>

<p>
	 
</p>

<p>
	That is all there is to it. The email address is not verified during setup.
</p>

<p>
	 
</p>

<p>
	The extensions are available here:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a data-wpel-link="external" href="https://chrome.google.com/webstore/detail/proton-vpn-a-swiss-vpn-yo/jplgfhpmjnbigmhklmmbgecoobifkmpa" rel="external nofollow" target="_blank">Chrome Web Store</a>
	</li>
	<li>
		<a data-wpel-link="external" href="https://addons.mozilla.org/en-GB/firefox/addon/proton-vpn-firefox-extension/" rel="external nofollow" target="_blank">Firefox Extensions Store</a>
	</li>
</ul>

<h2>
	Using the extension
</h2>

<figure aria-describedby="caption-attachment-205989" class="wp-caption alignnone" id="attachment_205989" style="width: 1180px">
	<img alt="proton-vpn-free-speed-test.png" class="ipsImage" data-ratio="75.10" height="540" width="716" src="https://www.ghacks.net/wp-content/uploads/2024/08/proton-vpn-free-speed-test.png">
	<figcaption class="wp-caption-text" id="caption-attachment-205989">
		<em>Speed test results of Proton VPNs browser extension</em>
	</figcaption>
</figure>

<p>
	Features that are unavailable on the free plan are still shown in the interface, either greyed out or marked with the upgrade icon (a plus symbol).
</p>

<p>
	 
</p>

<p>
	Activate the icon of the extension and hit the connect button to connect to the VPN network. Note that you cannot pick a server, but that a fast nearby server is selected automatically. This can be in another country, but does not have to be. It took less than a second to connect to the VPN during tests.
</p>

<p>
	 
</p>

<p>
	A click on the features icon shows the available features. These are:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Auto Connect</strong> -- enabled by default. Connects to the VPN automatically when the browser is started.
	</li>
	<li>
		<strong>WebRTC Leak Protection</strong> -- prevents the device's real IP address from being exposed through WebRTC while the VPN is connected.
	</li>
	<li>
		<strong>Notifications</strong> -- Displays a notification for connect and disconnect events.
	</li>
</ul>

<p>
	 
</p>

<p>
	A click on the settings icon displays two options:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Share anonymous usage statistics</strong> -- Disabled by default.
	</li>
	<li>
		<strong>Share anonymous usage crash reports</strong> -- Enabled by default.
	</li>
</ul>

<p>
	 
</p>

<p>
	You can toggle the settings there.
</p>

<p>
	 
</p>

<p>
	The speed of the VPN was quite good during tests. On a not-so-great wireless connection, I got about 24 Mbps download and 16 Mbps upload. Sufficient for most tasks on the Internet.
</p>

<p>
	 
</p>

<p>
	Upgrades to Proton VPN Plus are available for $4.49 per month when billed up front for a two-year subscription.
</p>

<h3>
	Closing Words
</h3>

<p>
	The Proton VPN browser extension works well. Compared to the majority of free VPN solutions, it is the better option, since it avoids the drawbacks that come with many free VPNs: tracking, ads, upsell popups, bandwidth limits, and the selling of user data.
</p>

<p>
	 
</p>

<p>
	Free users of Proton VPN now have two options: use the dedicated VPN app on their device, or use the browser extension. Note that the free plan is limited to one device at a time.
</p>

<p>
	 
</p>

<p>
	All in all, this improves an already-great option for users who want to protect their Internet connection and thus privacy further.
</p>

<p>
	 
</p>

<p>
	<em>Do you use VPN solutions? If so, which do you use and why? Let us know in the comments down below.</em>
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2024/08/14/proton-vpn-free-vpn-users-can-use-the-browser-extensions-now/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">24981</guid><pubDate>Wed, 14 Aug 2024 16:25:20 +0000</pubDate></item><item><title>India telecom watchdog directs carriers to stop spam calls, blacklist callers</title><link>https://nsaneforums.com/news/security-privacy-news/india-telecom-watchdog-directs-carriers-to-stop-spam-calls-blacklist-callers-r24946/</link><description><![CDATA[<p>
	BENGALURU, Aug 13 (Reuters) - India's telecom watchdog on Tuesday directed service providers to stop all promotional calls from unregistered callers and blacklist them as it looks to tackle a surge in spam and phishing calls that has seen people lose millions of rupees.
</p>

<p>
	The government has been looking to clamp down on the spike in such calls, including those where scammers pose as representatives of firms like FedEx and Blue Dart and extract sensitive financial information by sending phishing links under the pretext of retrieving lost packages.
</p>

<p>
	"All promotional voice calls from the unregistered senders/unregistered telemarketer using Telecom Resources shall be stopped immediately," the Telecom Regulatory Authority of India said in a statement shared by the government.
</p>

<p>
	Such unregistered callers will be blacklisted for up to two years, the statement said, adding that telecom service providers would need to submit updates on action taken on scam callers on the 1st and 16th of every month.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.reuters.com/world/india/india-telecom-watchdog-directs-carriers-stop-spam-calls-blacklist-callers-2024-08-13/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24946</guid><pubDate>Tue, 13 Aug 2024 13:30:13 +0000</pubDate></item><item><title>Windows 11/10 system driver has BSOD-triggering CVE-2024-6768 flaw on fully updated PCs</title><link>https://nsaneforums.com/news/security-privacy-news/windows-1110-system-driver-has-bsod-triggering-cve-2024-6768-flaw-on-fully-updated-pcs-r24926/</link><description><![CDATA[<p>
	Last month, a large number of Windows enterprise and business PCs worldwide ran head-on into one of the biggest global computing outages of all time. It was caused by a faulty <a href="https://www.neowin.net/news/crowdstrike-finally-explains-in-brief-what-caused-the-global-windows-blue-screen-outage/" rel="external nofollow">CrowdStrike Falcon IPC Template Type</a> update, and this month the cybersecurity firm released its <a href="https://www.neowin.net/news/crowdstrike-reveals-final-report-on-julys-botched-update-with-plans-to-prevent-those-issues/" rel="external nofollow">final report</a> about the issue. What it all led to were the infamous Blue Screens of Death (BSODs), which have their roots in the first Windows NT <a href="https://www.neowin.net/news/microsoft-veteran-shares-windows-nt-31-95-blue-screen-of-death-bsod-origin-story/" rel="external nofollow">(version 3.1) days</a>.
</p>

<p>
	 
</p>

<p>
	While the CrowdStrike BSOD outage was a consequence of a botched security update, a new BSOD-triggering security flaw has been discovered in a Windows driver by cybersecurity firm Fortra, and fully updated Windows systems are affected by this vulnerability.
</p>

<p>
	 
</p>

<p>
	The firm explains that the Windows CLFS.SYS driver, which implements the Common Log File System, is the root of the issue. The bug is an improper validation of a specified quantity in input data (CWE-1284) and leads to a denial-of-service BSOD. The issue is tracked as CVE-2024-6768. Fortra's Ricardo Narvaja writes:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		CVE-2024-6768 is a vulnerability in the Common Log File System (CLFS.sys) driver of Windows, caused by improper validation of specified quantities in input data. This flaw leads to an unrecoverable inconsistency, triggering the KeBugCheckEx function and resulting in a Blue Screen of Death (BSoD). The issue affects all versions of Windows 10 and Windows 11, despite having all updates applied.
	</p>

	<p>
		 
	</p>

	<p>
		A Proof of Concept (PoC) shows that by crafting specific values within a .BLF file, an unprivileged user can induce a system crash. The potential problems include system instability and denial of service, as malicious users can exploit this vulnerability to repeatedly crash affected systems, disrupting operations and potentially causing data loss.
	</p>
</blockquote>

<p>
	The mitigating factor is that the attack vector is local: to feed a crafted Base Log File (BLF) to CLFS, an attacker must already be able to run code on the target, for example through a compromised unprivileged account, malware that has already landed, or physical access. It cannot be triggered remotely over the network. You can find the technical details about the Proof of Concept (PoC) on Fortra's website.
</p>
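<p>
	The symptom a defender actually sees from a bug like this is a host that keeps rebooting from bugchecks. The following PowerShell is an added example, not Fortra's or Neowin's tooling, for spotting that crash-loop pattern in the System event log. It assumes that each reboot after a crash is recorded as Event ID 1001 from provider Microsoft-Windows-WER-SystemErrorReporting; the threshold and window values are arbitrary tuning knobs, the stop codes in the sample data are placeholders, and nothing here identifies the specific CLFS bugcheck.
</p>

```powershell
# Added example, not from Fortra or Neowin. Flags hosts that keep rebooting from
# bugchecks, the pattern a local crash-loop such as the one described above produces.
# Assumed: each reboot-after-crash is logged in the System log as Event ID 1001 from
# provider Microsoft-Windows-WER-SystemErrorReporting. Threshold and window are arbitrary.

function Get-BugcheckEvents {
    # Live collection; needs read access to the System log.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id           = 1001
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # The message text carries the stop code: "The bugcheck was: 0x0000007e (...)"
        $code = if ($_.Message -match 'bugcheck was:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ Time = $_.TimeCreated; MachineName = $_.MachineName; StopCode = $code }
    }
}

function Find-CrashLoops {
    # Pure function over Time/MachineName/StopCode objects, so it also works on exported data.
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$Threshold   = 3,    # this many bugchecks ...
        [int]$WindowHours = 24    # ... inside this window raises an alert
    )
    foreach ($group in ($Events | Group-Object MachineName)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: anchor on each crash and count crashes that follow within the window
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddHours($WindowHours)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    MachineName = $group.Name
                    FirstCrash  = $start
                    Crashes     = $inWindow.Count
                    StopCodes   = (@($inWindow | ForEach-Object StopCode) | Sort-Object -Unique) -join ','
                }
                break   # one alert per host is enough
            }
        }
    }
}

# Constructed sample data (not real telemetry; stop codes are placeholders):
# WS01 crashes four times in one afternoon, WS02 once.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-08-12 13:05'; MachineName = 'WS01'; StopCode = '0x0000007e' }
    [pscustomobject]@{ Time = [datetime]'2024-08-12 13:40'; MachineName = 'WS01'; StopCode = '0x0000007e' }
    [pscustomobject]@{ Time = [datetime]'2024-08-12 14:12'; MachineName = 'WS01'; StopCode = '0x0000007e' }
    [pscustomobject]@{ Time = [datetime]'2024-08-12 15:58'; MachineName = 'WS01'; StopCode = '0x0000007e' }
    [pscustomobject]@{ Time = [datetime]'2024-08-12 09:00'; MachineName = 'WS02'; StopCode = '0x00000050' }
)
Find-CrashLoops -Events $sample | Format-Table
# On a live host:  Find-CrashLoops -Events (Get-BugcheckEvents -Days 7) | Format-Table
```

<p>
	With the constructed sample, only WS01 is reported, since WS02 has a single crash in the window. Feeding the detector the output of <code>Get-BugcheckEvents</code> from a central log collector rather than a single host is what makes it useful against an attacker who crashes one machine repeatedly.
</p>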

<p>
	 
</p>

<p>
	The flaw is similar to CVE-2023-36424, a local privilege escalation (LPE) bug in the same driver which Microsoft addressed with the November 2023 Patch Tuesday updates (<a href="https://www.neowin.net/news/windows-10-november-2023-patch-tuesday-kb5032189-out----heres-whats-new-and-what-broke/" rel="external nofollow">KB5032189</a> for Windows 10 and <a href="https://www.neowin.net/news/windows-11-patch-tuesday-update-kb5032190-is-here-for-23h2-and-22h2/" rel="external nofollow">KB5032190</a> for Windows 11).
</p>

<p>
	 
</p>

<p>
	This security flaw report comes hot on the heels of another issue that we covered last week where a fully updated Windows PC can be tricked into <a href="https://www.neowin.net/news/security-researcher-demos-bypassing-security-to-permanently-downgrade-window-1011/" rel="external nofollow">downgrading permanently</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/windows-1110-system-driver-has-bsod-triggering-cve-2024-6768-flaw-on-fully-updated-pcs/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24926</guid><pubDate>Mon, 12 Aug 2024 19:29:35 +0000</pubDate></item><item><title>Microsoft quietly updated Defender for Windows 11/10/Server install images</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-quietly-updated-defender-for-windows-1110server-install-images-r24925/</link><description><![CDATA[<p>
	This month, Microsoft has quietly published multiple updates. These include <a href="https://www.neowin.net/news/microsoft-quietly-installing-kb5001716-windows-1110-update-for-the-good-of-your-pc/" rel="external nofollow">KB5001716</a> which is meant to force update Windows PCs, as well as WinRE update <a href="https://www.neowin.net/news/kb5041979-microsoft-released-new-windows-11-24h2-recovery-update/" rel="external nofollow">KB5041979</a> and Setup update <a href="https://www.neowin.net/news/kb5041178-microsoft-released-a-new-windows-11-24h2-setup-update/" rel="external nofollow">KB5041178</a> for Windows 11 24H2.
</p>

<p>
	 
</p>

<p>
	Alongside these, about a week ago, Microsoft also released a new Defender update for Windows installation images in Windows Imaging Format (WIM) and Virtual Hard Disk (VHD) format. Windows 11, Windows 10 and Windows Server are supported, including Server 2016. (Separately, Exchange Server 2016 reaches end of support next year, and Microsoft has published a detailed <a href="https://www.neowin.net/news/microsoft-posts-detailed-exchange-server-2016-end-of-life-uninstall-guide/" rel="external nofollow">uninstallation and decommissioning guide</a> for it.)
</p>

<p>
	 
</p>

<p>
	This update package is necessary as a Windows installation image may contain old, outdated anti-malware definitions and software binaries. Aside from better security, these updates can also provide improved performance benefits in some cases.
</p>

<p>
	 
</p>

<p>
	Microsoft is delivering the latest security definitions for Windows images via security intelligence update version 1.413.494.0. The Defender package version is 1.413.494.0. In the support document describing the new update, Microsoft <a href="https://support.microsoft.com/en-us/topic/microsoft-defender-update-for-windows-operating-system-installation-images-1c89630b-61ff-00a1-04e2-2d1f3865450d" rel="external nofollow">explains</a>:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The first hours of a newly installed Windows deployment can leave the system vulnerable because of a Microsoft Defender protection gap. This is because the OS installation images may contain outdated antimalware software binaries.
	</p>

	<p>
		 
	</p>

	<p>
		[..] Devices using either the Windows built-in antivirus or another security solution can benefit from these updates.
	</p>

	<p>
		 
	</p>

	<p>
		[..] This article describes the antimalware update package for Microsoft Defender in the OS installation images (WIM and VHD files). This feature supports the following OS installation images:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Windows 11
		</li>
		<li>
			Windows 10 (Enterprise, Pro, and Home editions)
		</li>
		<li>
			Windows Server 2022
		</li>
		<li>
			Windows Server 2019
		</li>
		<li>
			Windows Server 2016
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		<strong>Version information</strong>
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Defender package version: 1.413.494.0
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		This package updates the anti-malware client, anti-malware engine, and signature versions in the OS installation images to the following versions:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Platform version: 4.18.24060.7
		</li>
		<li>
			Engine version: 1.1.24060.1
		</li>
		<li>
			Security intelligence version: 1.413.494.0
		</li>
	</ul>
</blockquote>

<p>
	From Microsoft's security bulletin, we learn that security intelligence update <a href="https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.413.494.0" rel="external nofollow">version 1.413.494.0</a> was released last month. It adds detections for various trojans, adware and backdoors, among others. For those wondering, the latest intelligence update is version 1.417.71.0 at the time of writing, so an image refreshed with this package still needs a definition update on first boot; the package narrows the protection gap rather than closing it.
</p>
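<p>
	To know whether an image needs this package, you have to look at what it actually carries. The following PowerShell is an added example, not Microsoft's own script, that mounts a WIM or VHD read-only, reads the file versions of the in-box Defender binaries and compares them with the platform and engine versions the support article lists. It assumes the DISM PowerShell module is available and the session is elevated, that the in-box binaries sit under <code>Program Files\Windows Defender</code> inside the image, and that the image path and mount directory are yours to choose.
</p>

```powershell
# Added example, not Microsoft's tooling. Reads the Defender platform and engine build an
# install image carries, so the protection gap can be measured before and after the update
# package is applied. Assumed: DISM PowerShell module present, elevated session, in-box
# binaries under "Program Files\Windows Defender" inside the image, baseline versions taken
# from the support article quoted above.

function Get-ImageDefenderVersion {
    param(
        [Parameter(Mandatory)] [string]$ImagePath,             # install.wim or .vhd/.vhdx
        [int]$Index = 1,                                       # image index inside a WIM
        [string]$MountDir = (Join-Path $env:TEMP 'img-mount')
    )
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    # Read-only mount: this only inspects, it never commits changes to the image
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir -ReadOnly | Out-Null
    try {
        $defDir = Join-Path $MountDir 'Program Files\Windows Defender'
        $report = [ordered]@{ Image = $ImagePath; Index = $Index }
        foreach ($file in 'MsMpEng.exe', 'mpengine.dll') {     # platform service, scan engine
            $path = Join-Path $defDir $file
            $report[$file] = if (Test-Path $path) {
                # keep only the dotted numeric part of the file version string
                [regex]::Match((Get-Item $path).VersionInfo.FileVersion, '\d+(\.\d+){1,3}').Value
            } else { 'not found' }
        }
        [pscustomobject]$report
    } finally {
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
}

function Test-DefenderImageCurrent {
    # Compares a report against the versions the package installs; returns $true if current.
    param(
        [Parameter(Mandatory)] $Report,
        [version]$MinPlatform = '4.18.24060.7',   # platform version from the support article
        [version]$MinEngine   = '1.1.24060.1'     # engine version from the support article
    )
    $current = $true
    $checks = @{ 'MsMpEng.exe' = $MinPlatform; 'mpengine.dll' = $MinEngine }
    foreach ($file in $checks.Keys) {
        $found = $Report.$file
        if ($found -eq 'not found' -or [version]$found -lt $checks[$file]) {
            Write-Warning "$file in $($Report.Image) is $found; package ships $($checks[$file])"
            $current = $false
        }
    }
    $current
}

# Usage (paths are placeholders):
# $report = Get-ImageDefenderVersion -ImagePath 'D:\images\install.wim' -Index 1
# Test-DefenderImageCurrent -Report $report
```

<p>
	Run it once before and once after applying the package: the first report shows how old the in-box binaries are, the second confirms the package took. The security intelligence (signature) version is not checked here, because it is superseded within hours of first boot anyway, as the version numbers above show.
</p>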

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-quietly-updated-defender-for-windows-1110server-install-images/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24925</guid><pubDate>Mon, 12 Aug 2024 19:28:28 +0000</pubDate></item><item><title>Google services go down for subset of users, including Search, YouTube, and Meet</title><link>https://nsaneforums.com/news/security-privacy-news/google-services-go-down-for-subset-of-users-including-search-youtube-and-meet-r24916/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Service keeps returning and then crashing</span>
</p>

<p>
	 
</p>

<p>
	Google services including Search, YouTube, Gmail, and Meet went down today for a subset of users.
</p>

<p>
	 
</p>

<p>
	For most, service returned within minutes, although it appears to remain buggy, with recurring brief outages.
</p>

<p>
	 
</p>

<p>
	It is not yet clear how many people are impacted by the issue, nor how many countries are affected.
</p>

<p>
	 
</p>

<p>
	Online user reports appear to primarily come from Europe, although not exclusively. Many report being kicked off of Google Meet meetings and being unable to rejoin, while others cannot load the main search engine.
</p>

<p>
	 
</p>

<p>
	Google's Cloud, Search, and Workspace status pages currently do not indicate any issues.
</p>

<p>
	 
</p>

<p>
	The company did not immediately respond to requests for comment.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.datacenterdynamics.com/en/news/google-services-go-down-for-some-users/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24916</guid><pubDate>Mon, 12 Aug 2024 15:15:49 +0000</pubDate></item><item><title>Malicious browser extensions leveraged in widespread malware compromise</title><link>https://nsaneforums.com/news/security-privacy-news/malicious-browser-extensions-leveraged-in-widespread-malware-compromise-r24914/</link><description><![CDATA[<p>
	More than 300,000 Google Chrome and Microsoft Edge users have been impacted by a massive ongoing malware campaign involving malicious browser extensions that facilitate data exfiltration and command execution while bypassing antivirus tools, reports BleepingComputer.
</p>

<p>
	 
</p>

<p>
	According to a report from ReasonLabs, malvertising in Google search results lures victims into downloading fraudulent installers for software such as a YouTube downloader, Roblox FPS Unlocker, and the VLC video player. The installers run a PowerShell script that retrieves and executes further payloads and force-installs the extensions, all of which have since been removed from the Chrome and Edge stores. The extensions hijack search queries and redirect users to revenue-generating pages, and can steal login credentials, track online activity, and execute commands. The payloads also alter browser shortcut links so that the extensions are loaded at launch, and they block further security updates. Researchers noted that infections can only be remediated through a multi-step process: removing a scheduled task, the malicious registry entries, and the malware files.
</p>
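<p>
	Two of the persistence tricks described above are cheap to check for. The following PowerShell is an added example, not ReasonLabs' or BleepingComputer's tooling. It assumes that the rewritten shortcuts rely on Chromium's <code>--load-extension</code> and <code>--disable-extensions-except</code> command-line switches, that forced installs go through the <code>ExtensionInstallForcelist</code> policy registry key (values of the form <code>&lt;extension id&gt;;&lt;update url&gt;</code>), and that the only update URLs worth trusting are the Chrome Web Store and Edge Add-ons endpoints listed in the code. The scheduled task and the specific registry values the campaign uses are not named in the report, so they are not matched here.
</p>

```powershell
# Added example, not from ReasonLabs or BleepingComputer. Looks for two persistence
# mechanisms described in the report: browser shortcuts rewritten to side-load an
# unpacked extension, and policy keys that force-install extensions. Assumed: the
# shortcut trick uses Chromium's --load-extension / --disable-extensions-except switches,
# forced installs use ExtensionInstallForcelist ("<id>;<update url>" values), and the two
# store update URLs below are the only trusted sources.

$SuspiciousSwitches = '--load-extension', '--disable-extensions-except'
$TrustedUpdateUrls  = @(
    'https://clients2.google.com/service/update2/crx',          # Chrome Web Store
    'https://edge.microsoft.com/extensionwebstorebase/v1/crx'   # Edge Add-ons
)

function Test-SuspiciousBrowserArgs {
    # Pure check on a shortcut's argument string; $true if it side-loads an extension.
    param([string]$Arguments)
    foreach ($switch in $SuspiciousSwitches) {
        if ($Arguments -match [regex]::Escape($switch)) { return $true }
    }
    return $false
}

function Find-HijackedBrowserShortcuts {
    # Scans the usual shortcut locations for Chrome/Edge links with side-load switches.
    param([string[]]$SearchRoots = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('StartMenu'),
        [Environment]::GetFolderPath('CommonStartMenu'),
        (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
    ))
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $SearchRoots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -match '(chrome|msedge)\.exe$' -and (Test-SuspiciousBrowserArgs $lnk.Arguments)) {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }
}

function Get-ForcedExtensions {
    # Lists every force-installed extension and flags those not served from a store URL.
    $keys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($vendor in 'Google\Chrome', 'Microsoft\Edge') {
            "${hive}:\SOFTWARE\Policies\$vendor\ExtensionInstallForcelist"
        }
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $id, $url = ([string]$item.GetValue($name)) -split ';', 2
            [pscustomobject]@{
                PolicyKey   = $key
                ExtensionId = $id
                UpdateUrl   = $url
                Suspicious  = ($TrustedUpdateUrls -notcontains $url)
            }
        }
    }
}

# Constructed sample: the kind of argument string a rewritten Chrome shortcut carries,
# next to a benign one.
Test-SuspiciousBrowserArgs '--load-extension="C:\Users\Public\ext" https://example.com'
Test-SuspiciousBrowserArgs '--profile-directory="Default"'
Find-HijackedBrowserShortcuts | Format-Table -AutoSize
Get-ForcedExtensions | Where-Object Suspicious | Format-Table -AutoSize
```

<p>
	The first constructed argument string is flagged and the second is not. Because a store-hosted extension can also be malicious, a clean result from <code>Get-ForcedExtensions</code> only means nothing is being pulled from outside the stores; any forcelist entry an administrator did not create deliberately still deserves a look.
</p>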

<p>
	 
</p>

<p>
	<strong><a href="https://www.scmagazine.com/brief/malicious-browser-extensions-leveraged-in-widespread-malware-compromise" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24914</guid><pubDate>Mon, 12 Aug 2024 15:07:47 +0000</pubDate></item><item><title>Australian gold mining company Evolution Mining announces ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/australian-gold-mining-company-evolution-mining-announces-ransomware-attack-r24910/</link><description><![CDATA[<p>
	Evolution Mining, an Australian gold mining company, told investors on Monday that it became aware of a ransomware attack last week impacting its IT systems.
</p>

<p>
	 
</p>

<p>
	The company, which operates in Australia and Canada, filed a statement with the Australian Securities Exchange (ASX) announcing that it had discovered the incident on August 8, and that it now believes the attack to be “contained.”
</p>

<p>
	 
</p>

<p>
	Evolution Mining said it worked with “external cyber forensics experts to investigate the incident” but did not provide further details on which ransomware scheme was behind the attack, nor whether the company made an extortion payment.
</p>

<p>
	 
</p>

<p>
	“The incident has been proactively managed with a focus on protecting the health, safety and privacy of people, together with the company’s systems and data,” said the official notice, adding the company did “not anticipate any material impact on operations.”
</p>

<p>
	 
</p>

<p>
	The company, which recorded an underlying profit after income tax of over AUS $158 million (U.S. $104 million) in 2023, said it reported the attack to the Australian Cyber Security Centre (ACSC).
</p>

<p>
	 
</p>

<p>
	It comes as the Australian government considers introducing a new Cyber Security Act that would legally oblige businesses to report being hit by a ransomware attack to the ACSC, although debates are ongoing about whether the obligation will apply to smaller enterprises.
</p>

<p>
	 
</p>

<p>
	The legislative move follows a series of high-profile ransomware attacks in Australia, particularly those affecting Optus, Medibank, and MediSecure.
</p>

<p>
	 
</p>

<p>
	As part of the Medibank criminals’ extortion attempt, sensitive healthcare claims data for around 480,000 individuals — including information about drug addiction treatments and abortions — was published on the dark web.
</p>

<p>
	 
</p>

<p>
	The move, alongside several other high-profile breaches, set off a range of cybersecurity reforms in Australia. These included an updated national cybersecurity strategy that ultimately fell short of the government’s initial intentions to ban ransomware payments in their entirety.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/evolution-mining-gold-ransomware-incident" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24910</guid><pubDate>Mon, 12 Aug 2024 14:53:10 +0000</pubDate></item></channel></rss>
