<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/37/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Apple Prototypes and Corporate Secrets Are for Sale Online&#x2014;If You Know Where to Look</title><link>https://nsaneforums.com/news/security-privacy-news/apple-prototypes-and-corporate-secrets-are-for-sale-online%E2%80%94if-you-know-where-to-look-r24908/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>On the hunt for corporate devices being sold secondhand, a researcher found a trove of Apple corporate data, a Mac Mini from the Foxconn assembly line, an iPhone 14 prototype, and more.</strong></span>
</p>

<p>
	 
</p>

<p>
	It's probably been a while since anyone thought about Apple's router and network storage combo called Time Capsule. Released in 2008 and discontinued in 2018, the product has mostly receded into the sands of gadget time. So when independent security researcher Matthew Bryant recently bought a Time Capsule from the United Kingdom on eBay for $38 (plus more than $40 to ship it to the United States), he thought he would just be getting one of the stalwart white monoliths at the end of its earthly journey. Instead he stumbled on something he didn't expect: a trove of data that appeared to be a copy of the main backup server for all European Apple Stores during the 2010s. The information included service tickets, employee bank account data, internal company documentation, and emails.
</p>

<p>
	 
</p>

<p>
	“It had everything you can possibly imagine,” Bryant tells WIRED. “Files had been deleted off the drive, but when I did the forensics on it, it was definitely not empty.”
</p>

<p>
	 
</p>

<p>
	Bryant hadn't stumbled on the Time Capsule completely by accident. At the Defcon security conference in Las Vegas on Saturday, he's presenting findings from a months-long project in which he scraped secondhand electronics listings from sites like eBay, Facebook Marketplace, and China's Xianyu, and then ran computer vision analysis on them in an attempt to detect devices that were once part of corporate IT fleets.
</p>

<p>
	 
</p>

<p>
	Bryant realized that the sellers hawking office devices, prototypes, and manufacturing equipment often weren't aware of their products' significance, so he couldn't comb tags or descriptions to find enterprise gems. Instead, he devised an optical character recognition (OCR) processing cluster by chaining together a dozen dilapidated second-generation iPhone SEs and harnessing Apple's Live Text OCR feature to find possible inventory tags, barcodes, or other corporate labels in listing photos. The system monitored for new listings, and if it turned up a possible hit, Bryant would get an alert so he could assess the device photos himself.
</p>

<p>
	 
</p>

<p>
	In the case of the Time Capsule, the listing photos showed a label on the bottom of the device that said “Property of Apple Computer, Expensed Equipment.” After he evaluated the Time Capsule's contents, Bryant notified Apple about his findings, and the company's London security office eventually asked him to ship the Time Capsule back. Apple did not immediately return a request from WIRED for comment about Bryant's research.
</p>

<p>
	 
</p>

<p>
	“The main company in the talk for proofs of concept is Apple, because I view them as the most mature hardware company out there. They have all their hardware specially counted, and they really care about the security of their operations quite a bit,” Bryant says. “But with any Fortune 500 company, it’s basically a guarantee that their stuff will end up on sites like eBay and other secondhand markets eventually. I can’t think of any company where I haven’t seen at least some piece of equipment and got an alert on it from my system.”
</p>

<p>
	 
</p>

<p>
	Another alert from his search system led Bryant to purchase a prototype iPhone 14 intended for developer use internally at Apple. Such iPhones are coveted by both bad actors and security researchers because they often run special versions of iOS that are less locked down than the consumer product and include debugging functionality that's invaluable for gaining insight into the platform. Apple runs a program to give certain researchers access to similar devices, but the company only grants these special iPhones to a limited group, and researchers have told WIRED that they are typically outdated iPhone models. Bryant says he paid $165 for the developer-use iPhone 14.
</p>

<p>
	Finally, Bryant says that manufacturing and assembly-line devices can be particularly revealing and can also be found on secondhand markets—especially platforms in China, since so many electronics are assembled in the country. Bryant was curious to see if he could find any equipment that had formerly been used in a Foxconn factory where iPhones are notoriously assembled. By analyzing Chinese listings with his computer vision system, Bryant says he was able to piece together how Foxconn’s asset management system works and how the company labels its devices—particularly those used on the factory floor. Eventually he found a Mac Mini that had a bunch of the Foxconn tags on it and had seemingly been used on a Foxconn quality-assurance testing line. But the computer was simply listed for parts, because the photos clearly showed that it had a large drill hole running through the device.
</p>

<p>
	 
</p>

<p>
	After examining schematics of various generations of Mac Minis, though, Bryant concluded that it was possible the drill had missed the magnetic tray where data would be stored on the hard drive. He took a chance and ordered the computer from China and assessed it himself. Bryant isn't a hardware expert, but once he received the device, it also seemed to him that the physical destruction had likely not achieved its goal. So he sent the Mac Mini to a forensics lab in Los Angeles, which was ultimately able to recover all the data from the drive.
</p>

<p>
	 
</p>

<p>
	“It had the internal software that Apple uses on their factory line to do testing, including special interfaces for communicating with prototypes and QA units,” Bryant says. “And the computer also contained credentials for Foxconn and logs.”
</p>

<p>
	 
</p>

<p>
	Bryant again reported his findings to Apple and returned the Mac Mini to them.
</p>

<p>
	 
</p>

<p>
	The project contains a warning for companies, both about the inevitability of having some device attrition and the importance of taking asset management and deprovisioning seriously. For hackers and eagle-eyed deal seekers alike, though, rogue corporate devices may be a new item for the shopping list.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/apple-prototypes-corporate-data/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24908</guid><pubDate>Mon, 12 Aug 2024 14:34:14 +0000</pubDate></item><item><title>How Phishing Attacks Adapt Quickly to Capitalize on Current Events</title><link>https://nsaneforums.com/news/security-privacy-news/how-phishing-attacks-adapt-quickly-to-capitalize-on-current-events-r24906/</link><description><![CDATA[<p>
	In 2023, no fewer than 94 percent of businesses were impacted by phishing attacks, a 40 percent increase compared to the previous year, according to research from Egress.
</p>

<p>
	 
</p>

<p>
	What's behind the surge in phishing? One popular answer is AI – particularly generative AI, which has made it trivially easy for threat actors to craft content that they can use in phishing campaigns, like malicious emails and, in more sophisticated cases, deepfake videos.
</p>

<p>
	 
</p>

<p>
	In addition, AI can help write the malware that threat actors often plant on their victims' computers and servers as part of phishing campaigns.
</p>

<p>
	 
</p>

<p>
	Phishing as a Service, or PhaaS, is another development sometimes cited to explain why phishing threats are at an all-time high. By allowing malicious parties to hire skilled attackers to carry out phishing campaigns for them, PhaaS makes it easy for anyone with a grudge – or a desire to exfiltrate some money from unsuspecting victims – to launch phishing attacks.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Phishing has become agile</strong></span>
</p>

<p>
	 
</p>

<p>
	A true understanding of what's behind the surge in phishing requires an analysis of how threat actors are using AI and PhaaS to operate in new ways – specifically, by responding more quickly to changing events.
</p>

<p>
	 
</p>

<p>
	In the past, the time and effort required to create phishing content manually (as opposed to using generative AI) made it challenging for threat actors to capitalize on unexpected events in order to launch high-impact campaigns. Likewise, without PhaaS solutions, groups that wanted to target an organization with phishing often didn't have a quick and easy way of getting an attack underway. Recent developments, however, suggest that this is changing.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Phishing Attacks Targeting Evolving Events</strong></span>
</p>

<p>
	 
</p>

<p>
	Phishing has a habit of latching on to current events in the world to take advantage of excitement or fear surrounding these events. This is especially true when it comes to evolving events, such as the CrowdStrike "Blue Screen of Death" (BSOD).
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Phishing in the wake of the CrowdStrike BSOD</strong></span>
</p>

<p>
	 
</p>

<p>
	CrowdStrike, the cybersecurity vendor, issued a buggy update on July 19 that rendered Windows machines unable to boot properly and left users staring into the infamous Blue Screen of Death (BSOD).
</p>

<p>
	 
</p>

<p>
	CrowdStrike fixed the problem relatively quickly – but not before threat actors had begun launching phishing campaigns designed to take advantage of individuals and businesses seeking a resolution to the failure. Within the first day following the CrowdStrike incident, Cyberint detected 17 typo-squatting domains related to it. At least two of these domains were copying and sharing CrowdStrike's workaround fix in what was apparently an effort to solicit donations via PayPal. By following the breadcrumbs, Cyberint traced the donation page to a software engineer named Aliaksandr Skuratovich, who also posted the website on his LinkedIn page.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1.png" class="ipsImage" data-ratio="75.10" height="540" width="593" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji7HChYu4pkO9pewFrNsDFJ7jLsrD9YyP0A0vyiL9NKRqkTOqlYYsKEC048mH2b0C-cqLgogZxUgX1P84JP8bqqSPz62xXppWnaZhawep7ZXoV8HUG-8oCI-BD2oXxOMf34cEXqhS_zylzxTqgnxDXDMMsYv3qyornOScQWFTWmnFrl3p6eFBZuDsZhpM/s2000/1.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Efforts to profit by collecting donations for a fix that originated elsewhere were among the milder attempts to take advantage of the CrowdStrike incident. Other typosquatted domains claimed to offer a fix (which was available for free from CrowdStrike) in exchange for payments of up to 1,000 euros. The domains were taken down, but not before organizations fell victim to them. Cyberint's analysis shows that the crypto wallet linked to the scheme collected around 10,000 euros.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Phishing Attacks Responding to Planned Events</strong></span>
</p>

<p>
	 
</p>

<p>
	When it comes to planned events, the attacks are often more diverse and detailed. Threat actors have more time to prepare than they do in the wake of unexpected events like the CrowdStrike outage.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Phishing at the Olympics</strong></span>
</p>

<p>
	 
</p>

<p>
	Phishing attacks related to the 2024 Olympics in Paris also showcased threat actors' ability to execute more effective campaigns by tying them to current events.
</p>

<p>
	 
</p>

<p>
	As one example of attacks in this category, Cyberint detected phishing emails claiming that recipients had won tickets to the Games and that, to collect the tickets, they needed to make a small payment to cover the delivery fee.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="3.png" class="ipsImage" data-ratio="52.50" height="350" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVAL1bMxhXl6Fws_kVCHLqgElsXPgfNyKca7uTXwvL9BhYvvR-e9G5EkZdEJy7JQ6FmSbta1V8pqXGrNX8iwU89TsmYrUBF4GzhHNTma5tJr4zYK3G4QfVR2aTwJQkfz8_QuxAxdoYNr2Zhkr89Leh7lc01rQBbl-iwpChF1SiPEio5B1nBpcVeU3UyTo/s2000/3.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	If recipients entered their financial information to pay the fee, however, the attackers used it to impersonate victims and make purchases using their accounts.
</p>

<p>
	 
</p>

<p>
	In another example of phishing linked to the Olympics, threat actors in March 2024 registered a professional-looking website claiming to offer tickets for sale. In actuality, it was a fraud.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="4.png" class="ipsImage" data-ratio="66.39" height="336" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghJG1mWmVwEJTQLBawEtyICGR7tv4MPxGiTHoo5Jc7GDxLVNj7_rrgKrPi5_Ynqub_n4m5bFLAa8CPWmn1EsCdDud9Woxp5xcIEOi8E6J9x_wHwebXdLcnfgL6jIxrhy2FzGNjpIWYsyxjpkCDftvxb-pPML6hF49prYeL-CL9gSWMRBBdn3AFhV0HgA0/s2000/4.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Even though the site was not very old, and therefore did not have strong authority based on its history, it ranked near the top of Google searches, increasing the likelihood that people searching to purchase Olympics tickets online would fall for the ruse.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Phishing and football</strong></span>
</p>

<p>
	 
</p>

<p>
	Similar attacks played out during the UEFA Euro 2024 football championship. Most notably, threat actors launched fraudulent mobile apps that impersonated UEFA, the sporting association that organized the event. Because the apps used the organization's official name and logo, it was presumably easy for some people to assume they were legitimate.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="5.png" class="ipsImage" data-ratio="70.70" height="456" width="645" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqBeFGTw3I_YbyvlLkfqE5bDK5VliGVUbxHVoUia0ICw3JMKuAyy3gtLEmbb6yPU9xSG5tHu0jHFjKD-FX0pD8NtxiaKDeUm1A13tD7lxHQyw7G6B1GKOvFCo7LY4hHT0PCapVsUto6B7MX0xwVNLqivROzETzdWqnh6Fm3eqBWMyHKxin91xYPqSkHyY/w728/5.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It's worth noting that these apps were not hosted in the app stores run by Apple or Google, which typically detect and take down malicious apps (although there's no guarantee they'll do so quickly enough to prevent abuse). They were available through unregulated third-party app stores, making them somewhat harder for consumers to find – but most mobile devices would have no controls in place to block the apps if a user were to browse to a third-party app store and try to download malicious software.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Phishing and recurring events</strong></span>
</p>

<p>
	 
</p>

<p>
	When it comes to recurring events, too, phishers know how to take advantage of situations to launch powerful attacks.
</p>

<p>
	 
</p>

<p>
	For instance, gift card fraud, non-payment scams and fake order receipts surge during the holiday season. So do phishing scams that attempt to lure victims into applying for fake seasonal jobs in a bid to collect their personal information.
</p>

<p>
	 
</p>

<p>
	The holidays create a perfect storm for phishing due to the rise in online shopping, attractive deals, and a flood of promotional emails. Scammers exploit these factors, leading to significant financial and reputational damage for businesses.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>When it comes to phishing, timing matters</strong></span>
</p>

<p>
	 
</p>

<p>
	Unfortunately, AI and PhaaS have made phishing easier, and we should expect threat actors to continue adopting these sorts of strategies.
</p>

<p>
	 
</p>

<p>
	Businesses can, however, anticipate spikes in attacks in response to specific developments or (in the case of recurring phishing campaigns) times of the year and take measures to mitigate the risk.
</p>

<p>
	 
</p>

<p>
	For example, they can educate employees and consumers to be extra cautious when responding to content associated with a current event.
</p>

<p>
	 
</p>

<p>
	While AI and PhaaS have made phishing easier, businesses and individuals can still defend against these threats. By understanding the tactics used by threat actors and implementing effective security measures, the risk of falling victim to phishing attacks can be reduced.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/08/how-phishing-attacks-adapt-quickly-to.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24906</guid><pubDate>Mon, 12 Aug 2024 13:44:45 +0000</pubDate></item><item><title>Researchers Uncover Vulnerabilities in Solarman and Deye Solar Systems</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-uncover-vulnerabilities-in-solarman-and-deye-solar-systems-r24905/</link><description><![CDATA[<p>
	Cybersecurity researchers have identified a number of security shortcomings in photovoltaic system management platforms operated by Chinese companies Solarman and Deye that could enable malicious actors to cause disruption and power blackouts.
</p>

<p>
	 
</p>

<p>
	"If exploited, these vulnerabilities could allow an attacker to control inverter settings that could take parts of the grid down, potentially causing blackouts," Bitdefender researchers said in an analysis published last week.
</p>

<p>
	 
</p>

<p>
	The vulnerabilities have been addressed by Solarman and Deye as of July 2024, following responsible disclosure on May 22, 2024.
</p>

<p>
	 
</p>

<p>
	The Romanian cybersecurity vendor, which analyzed the two PV monitoring and management platforms, said they suffer from a number of issues that, among others, could result in account takeover and information disclosure.
</p>

<p>
	 
</p>

<p>
	A brief description of the issues is listed below -
</p>

<p>
	 
</p>

<ul>
	<li>
		Full Account Takeover via Authorization Token Manipulation Using the /oauth2-s/oauth/token API endpoint
	</li>
	<li>
		Deye Cloud Token Reuse
	</li>
	<li>
		Information Leak through /group-s/acc/orgs API Endpoint
	</li>
	<li>
		Hard-coded Account with Unrestricted Device Access (account: "SmartConfigurator@solarmanpv.com" / password: 123456)
	</li>
	<li>
		Information Leak through /user-s/acc/orgs API Endpoint
	</li>
	<li>
		Potential Unauthorized Authorization Token Generation
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="solar.png" class="ipsImage" data-ratio="55.83" height="398" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSBzhzeY31qeRK95ZjauQ0OZXbcoblRL7gISFfpfBsjXcVWG1CeFw2QsutslKafgUoaeEkCjcT_RALzZmMf_AHnB6wgmpftCRrbhmM2cNLtA-3yWI-z1Qu5QxyhVMw9YAJ7xKSERERQw01WkNCApOiPZlXUn5A1KBY0HXCz4os4jj9UjEG5seM6rMbvjSy/s728-rw-e365/solar.png" />
</p>

<p>
	Successful exploitation of the aforementioned vulnerabilities could allow attackers to gain control over any Solarman account, reuse JSON Web Tokens (JWTs) from Deye Cloud to gain unauthorized access to Solarman accounts, and gather private information about all registered organizations.
</p>

<p>
	 
</p>

<p>
	They could also obtain information about any Deye device, access confidential registered user data, and even generate authentication tokens for any user on the platform, severely compromising its confidentiality and integrity.
</p>

<p>
	 
</p>

<p>
	"Attackers can take over accounts and control solar inverters, disrupting power generation and potentially causing voltage fluctuations," the researchers said.
</p>

<p>
	 
</p>

<p>
	"Sensitive information about users and organizations can be leaked, leading to privacy violations, information harvesting, targeted phishing attacks or other malicious activities. By accessing and modifying settings on solar inverters, attackers can cause widespread disruptions in power distribution, impacting grid stability and potentially leading to blackouts."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/08/researchers-uncover-vulnerabilities-in.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24905</guid><pubDate>Mon, 12 Aug 2024 13:35:55 +0000</pubDate></item><item><title>Hackers leak 2.7 billion data records with Social Security numbers</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-leak-27-billion-data-records-with-social-security-numbers-r24899/</link><description><![CDATA[<p>
	Almost 2.7 billion records of personal information for people in the United States were leaked on a hacking forum, exposing names, social security numbers, all known physical addresses, and possible aliases.
</p>

<p>
	 
</p>

<p>
	The data allegedly comes from National Public Data, a company that collects and sells access to personal data for use in background checks, to obtain criminal records, and for private investigators.
</p>

<p>
	 
</p>

<p>
	National Public Data is believed to scrape this information from public sources to compile individual user profiles for people in the US and other countries.
</p>

<p>
	 
</p>

<p>
	In April, a threat actor known as USDoD claimed to be selling 2.9 billion records containing the personal data of people in the US, UK, and Canada that was stolen from National Public Data.
</p>

<p>
	 
</p>

<p>
	At the time, the threat actor <a href="https://x.com/H4ckManac/status/1777246310782902686" rel="external nofollow" target="_blank">attempted to sell the data for $3.5 million</a> and claimed it contained records for every person in the three countries.
</p>

<p>
	 
</p>

<p>
	USDoD is a known threat actor who was previously linked to an attempted <a href="https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/" rel="external nofollow" target="_blank">sale of InfraGard's user database</a> in December 2023 for $50,000.
</p>

<p>
	 
</p>

<p>
	BleepingComputer, at the time, contacted National Public Data and never received a response to our email.
</p>

<h2>
	Stolen data leaked for free
</h2>

<p>
	Since then, various threat actors have released partial copies of the data, with each leak sharing a different number of records and, in some cases, different data.
</p>

<p>
	 
</p>

<p>
	On August 6th, a threat actor known as "Fenice" leaked the most complete version of the stolen National Public Data data for free on the Breached hacking forum. 
</p>

<p>
	 
</p>

<p>
	However, Fenice says the data breach was conducted by another threat actor named "SXUL," rather than USDoD.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="National Public Data data leaked on a hacking forum" class="ipsImage" height="371" width="720" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/n/national-public-data/forum-post.jpg">
		<figcaption>
			<strong>National Public Data data leaked on a hacking forum</strong><br>
			<em>Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The leaked data consists of two text files totaling 277GB and containing nearly 2.7 billion plaintext records, rather than the 2.9 billion originally claimed by USDoD.
</p>

<p>
	 
</p>

<p>
	While BleepingComputer can't confirm if this leak contains the data for every person in the US, numerous people have confirmed to us that it included legitimate information about them and their family members, including those who are deceased.
</p>

<p>
	 
</p>

<p>
	Each record consists of the following information - a person's <strong>name</strong>, <strong>mailing addresses</strong>, and <strong>social security number</strong>, with some records including additional information, like <strong>other names</strong> associated with the person. None of this data is encrypted.
</p>

<p>
	 
</p>

<p>
	Previously leaked samples of this data also included phone numbers and email addresses, but these are not included in this 2.7 billion record leak. 
</p>

<p>
	 
</p>

<p>
	It is important to note that a person will have multiple records, one for each address they are known to have lived at. This also means that this data breach did not impact 3 billion people, as has been erroneously reported in many articles that did not properly research the data.
</p>

<p>
	 
</p>

<p>
	Some people have also told BleepingComputer that their social security numbers were associated with other people they don't know, so not all the information is accurate.
</p>

<p>
	 
</p>

<p>
	Finally, this data may be outdated, as it does not contain the current address for any of the people we checked, potentially indicating that the data was taken from an old backup.
</p>

<p>
	 
</p>

<p>
	The data breach has led to multiple <a href="https://www.documentcloud.org/documents/25038487-hoffman-npd-class-action-lawsuit" rel="external nofollow" target="_blank">class action lawsuits against Jerico Pictures</a>, which is believed to be doing business as National Public Data, for not adequately protecting people's data.
</p>

<p>
	 
</p>

<p>
	If you live in the US, this data breach has likely leaked some of your personal information.
</p>

<p>
	 
</p>

<p>
	As the data contains hundreds of millions of social security numbers, it is suggested that you monitor your credit report for fraudulent activity and report it to the credit bureaus if detected.
</p>

<p>
	 
</p>

<p>
	Furthermore, as previously leaked samples also contained email addresses and phone numbers, you should be vigilant against phishing and SMS texts attempting to trick you into providing additional sensitive information.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-leak-27-billion-data-records-with-social-security-numbers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24899</guid><pubDate>Sun, 11 Aug 2024 18:48:40 +0000</pubDate></item><item><title>Indian govt issues high severity warning to Google Chrome users. Here's what you should do next</title><link>https://nsaneforums.com/news/security-privacy-news/indian-govt-issues-high-severity-warning-to-google-chrome-users-heres-what-you-should-do-next-r24892/</link><description><![CDATA[<h2>
	<span style="color:#7f8c8d;">CERT-In issues high-severity warning for Google Chrome users on Windows, Mac, and Linux due to multiple vulnerabilities allowing remote code execution. Users are urged to update their browsers.</span>
</h2>

<p>
	Computer Emergency Response Team (CERT-In), the cyber security watchdog under the Ministry of Electronics and Information Technology (MeitY), has issued a high severity alert for Google Chrome users, affecting users on Windows, Mac and Linux operating systems.
</p>

<p>
	 
</p>

<p>
	According to CERT-In, Google Chrome for desktop has been found to have multiple vulnerabilities that could be exploited by a remote attacker to execute arbitrary code on the user's system. The cybersecurity agency said that these vulnerabilities exist in Google Chrome for several reasons, including uninitialized use and insufficient data validation in dawn, and an out-of-bounds read in WebTransport.
</p>

<p>
	 
</p>

<p>
	Giving reasons behind the vulnerabilities in an advisory dated August 7, CERT-In noted, “These vulnerabilities exist in Google Chrome for Desktop due to Uninitialized use in dawn; Out of bounds read in WebTransport and Insufficient data validation in dawn. An attacker could exploit these vulnerabilities by persuading a victim to visit a specially crafted request.”
</p>

<p>
	 
</p>

<p>
	The vulnerability affects users of Google Chrome stable channel versions prior to 127.0.6533.88/89 on Windows, Mac and Google Chrome stable channel versions prior to 127.0.6533.88 on Linux.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>What should a Google Chrome user do?</strong></span>
</p>

<p>
	 
</p>

<p>
	Thankfully, CERT-In notes that appropriate updates that fix the above-mentioned issues are available on the Google Chrome website.
</p>

<p>
	 
</p>

<p>
	Therefore, the cybersecurity agency urges users to update to the latest version of Google Chrome for desktop in order to stay safe.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Apple Safari and Google Chrome working on resolving critical security flaw</strong></span>
</p>

<p>
	 
</p>

<p>
	Meanwhile, a recent but unrelated report by Forbes had stated that Apple and Google are working to resolve a critical security vulnerability that has been present in their web browsers for years. This vulnerability is related to the IP address 0.0.0.0 and is reportedly being exploited by cybercriminals to breach devices and steal user data.
</p>

<p>
	 
</p>

<p>
	According to a Forbes report, this security flaw could have existed for as long as 18 years, yet developers did not notice it until recently. Researchers from the Israeli cybersecurity firm Oligo uncovered the issue, which has been labeled a "zero-day vulnerability" due to the lack of prior awareness and immediate patching.
</p>

<p>
	 
</p>

<p>
	The exploit, dubbed the "0.0.0.0-day attack" by Oligo AI security researcher Avi Lumelsky, involves malicious websites potentially sending harmful requests through the 0.0.0.0 IP address. If a user inadvertently clicks on a malicious link, it could enable attackers to gain unauthorized access to sensitive information on their device.
</p>

<p>
	 
</p>

<p>
	Although this flaw primarily impacts individuals and organizations that host their own web servers, the potential scale of compromised systems is significant, and experts emphasize that this security issue should not be underestimated.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.livemint.com/technology/tech-news/indian-govt-issue-high-severity-warning-to-google-chrome-users-heres-what-you-should-do-next-11723351786518.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24892</guid><pubDate>Sun, 11 Aug 2024 13:54:33 +0000</pubDate></item><item><title>Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All</title><link>https://nsaneforums.com/news/security-privacy-news/thousands-of-corporate-secrets-were-left-exposed-this-guy-found-them-all-r24891/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>Security researcher Bill Demirkapi found more than 15,000 hardcoded secrets and 66,000 vulnerable websites—all by searching overlooked data sources.</strong></span>
</p>

<p>
	 
</p>

<p>
	If you know where to look, plenty of secrets can be found online. Since the fall of 2021, independent security researcher Bill Demirkapi has been building ways to tap into huge data sources, which are often overlooked by researchers, to find masses of security problems. This includes automatically finding developer secrets—such as passwords, API keys, and authentication tokens—that could give cybercriminals access to company systems and the ability to steal data.
</p>

<p>
	 
</p>

<p>
	Today, at the Defcon security conference in Las Vegas, Demirkapi is unveiling the results of this work, detailing a massive trove of leaked secrets and wider website vulnerabilities. Among at least 15,000 developer secrets hard-coded into software, he found hundreds of username and password details linked to Nebraska’s Supreme Court and its IT systems; the details needed to access Stanford University’s Slack channels; and more than a thousand API keys belonging to OpenAI customers.
</p>

<p>
	 
</p>

<p>
	A major smartphone manufacturer, customers of a fintech company, and a multibillion-dollar cybersecurity company are counted among the thousands of organizations that inadvertently exposed secrets. As part of his efforts to stem the tide, Demirkapi hacked together a way to automatically get the details revoked, making them useless to any hackers.
</p>

<p>
	 
</p>

<p>
	In a second strand to the research, Demirkapi also scanned data sources to find 66,000 websites with dangling subdomain issues, making them vulnerable to various attacks including hijacking. Some of the world’s biggest websites, including a development domain owned by The New York Times, had the weaknesses.
</p>

<p>
	 
</p>

<p>
	While the two security issues he looked into are well-known among researchers, Demirkapi says that turning to unconventional datasets, which are usually reserved for other purposes, allowed thousands of issues to be identified en masse and, if expanded, offers the potential to help protect the web at large. “The goal has been to find ways to discover trivial vulnerability classes at scale,” Demirkapi tells WIRED. “I think that there’s a gap for creative solutions.”
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>Spilled Secrets; Vulnerable Websites</strong></span>
</p>

<p>
	 
</p>

<p>
	It is relatively trivial for a developer to accidentally include their company’s secrets in software or code. Alon Schindel, the vice president of AI and threat research at the cloud security company Wiz, says there’s a huge variety of secrets that developers can inadvertently hard-code, or expose, throughout the software development pipeline. These can include passwords, encryption keys, API access tokens, cloud provider secrets, and TLS certificates.
</p>

<p>
	 
</p>

<p>
	“The most acute risk of leaving secrets hard-coded is that if digital authentication credentials and secrets are exposed, they can grant adversaries unauthorized access to a company’s code bases, databases, and other sensitive digital infrastructure,” Schindel says.
</p>

<p>
	 
</p>

<p>
	The risks are high: Exposed secrets can result in data breaches, hackers breaking into networks, and supply chain attacks, Schindel adds. Previous research in 2019 found thousands of secrets were being leaked on GitHub every day. And while various secret scanning tools exist, these largely are focused on specific targets and not the wider web, Demirkapi says.
</p>

<p>
	 
</p>

<p>
	During his research, Demirkapi, who first found prominence for his teenage school-hacking exploits five years ago, hunted for these secret keys at scale—as opposed to selecting a company and looking specifically for its secrets. To do this, he turned to VirusTotal, the Google-owned website, which allows developers to upload files—such as apps—and have them scanned for potential malware.
</p>

<p>
	<br />
	VirusTotal’s Retrohunt feature allows a year’s worth of uploaded files to be scanned and uses YARA rules, which can look for specific patterns in data. “What if we reuse those tools and VirusTotal’s petabytes of data, and now we look for secrets instead,” Demirkapi says.
</p>

<p>
	 
</p>

<p>
	Using a complex serverless setup, Demirkapi says he scanned through more than 1.5 million samples for secrets and validated that the patterns he found were active secret keys. To determine the secrets and keys hadn’t expired, he performed API calls on them. In total, Demirkapi has found more than 15,000 active secrets of all kinds.
</p>

<p>
	 
</p>

<p>
	Within the vast number of exposed keys were those that could give an attacker access to the digital assets of companies and organizations, including the potential to obtain sensitive data. For instance, a member of Nebraska’s Supreme Court had uploaded details of usernames and passwords linked to its IT systems, and Stanford University Slack channels could be accessed using API keys.
</p>

<p>
	 
</p>

<p>
	Nebraska State Court Administrator Corey R. Steel says all the exposed details were immediately changed, there is no evidence that the details were abused, and policies have been changed to stop similar future instances. Stanford University did not respond to a request for comment; however, correspondence seen by WIRED indicates the issues were quickly fixed after they were reported.
</p>

<p>
	 
</p>

<p>
	Demirkapi also scoured passive DNS replication data, to search for websites with dangling subdomain issues. Vulnerable websites can be impersonated, used to deploy malware or phishing pages, steal cookies, and more. “Dangling domains are widespread, and it’s pretty easy for attackers to find high-valuable targets,” says Daiping Liu, a senior research manager at Palo Alto Networks. Liu says tens of thousands of dangling records are exposed at any one time, adding that larger domains can be more susceptible to the issue as they’re harder to manage and there’s more chance for human error.
</p>

<p>
	 
</p>

<p>
	For example, Demirkapi briefly published an (almost convincing) satirical article on a New York Times production domain with the headline “U.S. Declares War Against Russia Amid Escalating Tensions, Sending Shockwaves Through International Community.” This was removed after around a week, Demirkapi says. A spokesperson for The New York Times declined to comment.
</p>

<p>
	 
</p>

<p>
	The researcher says that starting with dangling cloud resources, instead of looking for issues with a specific domain or set of domains, allows issues to be discovered systematically. Overall, he found more than 78,000 dangling cloud resources linked to 66,000 apex domains. Pointing to academic research that followed a similar technique using passive DNS replication data, but starting with URLs, Demirkapi says his approach was able to find magnitudes more issues.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Security_DEFCON_Demirkapi_F19A7012-Edit." class="ipsImage" data-ratio="75.10" height="540" width="360" src="https://media.wired.com/photos/66b6dbf403cf03ee058958e2/master/w_1600,c_limit/Security_DEFCON_Demirkapi_F19A7012-Edit.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Photograph: Roger Kisby</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:24px;"><strong>No Easy Fixes</strong></span>
</p>

<p>
	 
</p>

<p>
	Finding thousands of vulnerable websites and exposed secrets is one thing—getting them fixed is another. While Demirkapi says it has not been possible to alert all websites with dangling domain issues to the problems, he has managed to find ways to clean up the 15,000 hard-coded secrets.
</p>

<p>
	 
</p>

<p>
	Some Demirkapi directly reported to impacted companies. But he also turned to those providing credentials to their customers to see if there was a more efficient way to report the exposed secrets. In February, the researcher reported more than 1,000 exposed OpenAI API keys. The firm provided him with a public self-service API key that allows the exposed details to be automatically revoked. (OpenAI company spokesperson Niko Felix says the API “enables automatic deactivation of any keys detected as compromised” and allows customers to be kept safe.)
</p>

<p>
	 
</p>

<p>
	Other instances didn’t go so smoothly. GitHub, which hosts more than 420 million code repositories, has for years run its own “secret scanning” tool that can detect tokens and keys that are uploaded to its website. It partners with external companies so these keys can be reported and potentially revoked. Demirkapi asked GitHub, in March, if it had a publicly available endpoint where he could report secrets so the thousands he found could be quickly flagged. A company spokesperson says it doesn’t have systems available for individuals.
</p>

<p>
	 
</p>

<p>
	Demirkapi turned to Amazon Web Services, but the company refused to provide him with access to existing reporting tools it has for its vendors. “We believe firmly that customer credentials, including security keys, belong solely to customers. AWS does not grant external users access to manage or revoke security keys as that would violate security policies and erode customer trust,” says Aisha Johnson, an AWS spokesperson, adding people can email its security team and it will tell customers when it becomes aware of exposed keys.
</p>

<p>
	 
</p>

<p>
	To get around the limitations, Demirkapi turned to GitHub and started uploading secrets to trigger the company’s secret scanning and get them reported. “I found a way of not making it exposed to the public at all,” Demirkapi says of the automated method he hacked together to upload secrets in notes.
</p>

<p>
	 
</p>

<p>
	Ultimately, Demirkapi says he picked low-hanging fruit for the research. “Detecting a hard-coded secret or detecting if a resource is dangling, those are fairly trivial classes of vulnerability," he says, adding that more complex vulnerabilities could potentially be detected in big data sources. There may be plenty of untapped databases that can help fix security issues. “I think that we need to think more about leveraging these large data sources to derive value from them in unconventional ways,” Demirkapi says.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/secret-hunting-bill-demirkapi/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24891</guid><pubDate>Sun, 11 Aug 2024 13:48:31 +0000</pubDate></item><item><title>GPS spoofers 'hack time' on commercial airlines, researchers say</title><link>https://nsaneforums.com/news/security-privacy-news/gps-spoofers-hack-time-on-commercial-airlines-researchers-say-r24890/</link><description><![CDATA[<p>
	LAS VEGAS, Aug 10 (Reuters) - A recent surge in GPS “spoofing”, a form of digital attack which can send commercial airliners off course, has entered an intriguing new dimension, according to cybersecurity researchers: The ability to hack time.
</p>

<p>
	<br />
	There has been a 400% surge in GPS spoofing incidents affecting commercial airliners in recent months, according to aviation advisory body OPSGROUP. Many of those incidents involve illicit ground-based GPS systems, particularly around conflict zones, that broadcast incorrect positions to the surrounding airspace in a bid to confuse incoming drones or missiles.
</p>

<p>
	<br />
	“We think too much about GPS being a source of position, but it's actually a source of time,” Ken Munro, founder of Pen Test Partners, a British cybersecurity firm, said during a presentation at the DEF CON hacking convention in Las Vegas on Saturday.
</p>

<p>
	<br />
	“We're starting to see reports of the clocks on board airplanes during spoofing events start to do weird things.”
</p>

<p>
	<br />
	In an interview with Reuters, Munro cited a recent incident in which an aircraft operated by a major Western airline had its onboard clocks suddenly sent forward by years, causing the plane to lose access to its digitally-encrypted communication systems.
</p>

<p>
	<br />
	The plane was grounded for weeks while engineers manually reset its onboard systems, said Munro. He declined to identify the airline or aircraft in question.
</p>

<p>
	<br />
	In April, Finnair (FIA1S.HE) temporarily paused flights to the eastern Estonian city of Tartu due to GPS spoofing which Tallinn blamed on neighboring Russia.
</p>

<p>
	<br />
	GPS, short for Global Positioning System, has largely replaced expensive ground devices that transmit radio beams to guide planes towards landing. However, it is also fairly easy to block or distort GPS signals using relatively cheap and easy-to-obtain parts and limited technological knowledge.
</p>

<p>
	<br />
	“Is it going to make a plane crash? No, it's not,” Munro told Reuters.
</p>

<p>
	<br />
	“What it does is it just creates a little confusion. And you run the risk of starting what we call a cascade of events, where something minor happens, something else minor happens, and then something serious happens.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.reuters.com/technology/cybersecurity/gps-spoofers-hack-time-commercial-airlines-researchers-say-2024-08-10/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24890</guid><pubDate>Sun, 11 Aug 2024 13:41:57 +0000</pubDate></item><item><title>Security Researcher Demos Microsoft Copilot Flaws at Black Hat Conference</title><link>https://nsaneforums.com/news/security-privacy-news/security-researcher-demos-microsoft-copilot-flaws-at-black-hat-conference-r24886/</link><description><![CDATA[<p>
	Former Microsoft security architect Michael Bargury demonstrated multiple flaws that malicious hackers can exploit to abuse Microsoft Copilot, bypassing the protections the software giant put in place.
</p>

<p>
	 
</p>

<p>
	Bargury demonstrated the Copilot flaws this past week during two sessions at Black Hat USA 2024, 15 Ways to Break Your Copilot and Living off Microsoft Copilot, and he posted more information on the website for Zenity Labs, the company he cofounded after leaving Microsoft. In each case, he was specifically highlighting Copilot for Microsoft 365, because that service relies on access to the sensitive internal data that’s stored by Microsoft’s corporate customers. And despite security controls designed to keep that data private, Bargury was able to mine and exfiltrate it in some cases.
</p>

<p>
	 
</p>

<p>
	Some of this involves social engineering. His most dramatic demo is of a so-called spear-phishing attack called LOLCopilot that can gain access to internal emails, draft new emails that mimic the author’s writing style, and send mass mailings on their behalf. It requires that the user’s account first be compromised in some way, an important caveat. But Copilot’s ability to automate malicious actions using so much internal data amplifies the damage it can do dramatically.
</p>

<p>
	 
</p>

<p>
	“I can do this with everyone you have ever spoken to, and I can send hundreds of emails on your behalf,” Bargury told Wired. “A hacker would spend days crafting the right email to get you to click on it, but they can generate hundreds of these emails in a few minutes.”
</p>

<p>
	 
</p>

<p>
	Unlike the security researchers who undermined the Recall feature that Microsoft planned to release in June with new Copilot+ PCs, Bargury properly disclosed the flaws he discovered to the software giant privately. He’s complimentary of the work Microsoft has done securing Copilot, and he’s working with the company to help address the underlying problems.
</p>

<p>
	 
</p>

<p>
	“The risks of post-compromise abuse of AI are similar to other post-compromise techniques,” Microsoft head of AI incident detection and response Phillip Misner said of Bargury’s findings. “Security prevention and monitoring across environments and identities help mitigate or stop such behaviors.”
</p>

<p>
	 
</p>

<p>
	Microsoft aggressively pushed its AI technologies into the market at an unusually fast pace over the past few years. But the worry is that, in doing so, the software giant may have left Copilot open to attack and abuse. Gaining the upper hand against competitors isn’t just about speed, after all: If Copilot is found to be unsafe, corporations will ignore it, and those that have adopted it will drop it.
</p>

<p>
	 
</p>

<p>
	Not coincidentally, Microsoft this past week described the “red teaming” it does to emulate real-world attacks against its AI systems so it can help proactively protect corporate data. But this is particularly challenging because those systems are changing rapidly.
</p>

<p>
	 
</p>

<p>
	“The practice of AI red teaming not only covers probing for security vulnerabilities, but also includes probing for other system failures, such as the generation of potentially harmful content,” Microsoft AI Red Team Lead Ram Shankar Siva Kumar explains. “AI systems come with new risks, and red teaming is core to understanding those novel risks, such as prompt injection and producing ungrounded content. ... Microsoft recently committed that all high-risk AI systems will go through independent red teaming before deployment.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.thurrott.com/a-i/microsoft-copilot-a-i/306914/security-researcher-demos-microsoft-copilot-flaws-at-black-hat-conference" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24886</guid><pubDate>Sat, 10 Aug 2024 22:55:59 +0000</pubDate></item><item><title>Researchers Uncover 10 Flaws in Google's File Transfer Tool Quick Share</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-uncover-10-flaws-in-googles-file-transfer-tool-quick-share-r24882/</link><description><![CDATA[<p>
	As many as 10 security flaws have been uncovered in Google's Quick Share data transfer utility for Android and Windows that could be assembled into a remote code execution (RCE) chain on systems that have the software installed.
</p>

<p>
	 
</p>

<p>
	"The Quick Share application implements its own specific application-layer communication protocol to support file transfers between nearby, compatible devices," SafeBreach Labs researchers Or Yair and Shmuel Cohen said in a technical report shared with The Hacker News.
</p>

<p>
	 
</p>

<p>
	"By investigating how the protocol works, we were able to fuzz and identify logic within the Quick Share application for Windows that we could manipulate or bypass."
</p>

<p>
	 
</p>

<p>
	The result is the discovery of 10 vulnerabilities – nine affecting Quick Share for Windows and one impacting Android – that could be fashioned into an "innovative and unconventional" RCE attack chain to run arbitrary code on Windows hosts. The RCE attack chain has been codenamed QuickShell.
</p>

<p>
	 
</p>

<p>
	The shortcomings span six remote denial-of-service (DoS) flaws, two unauthorized file write bugs (one each in the Android and Windows versions of the software), one directory traversal, and one case of forced Wi-Fi connection.
</p>

<p>
	 
</p>

<p>
	The issues have been addressed in Quick Share version 1.0.1724.0 and later. Google is collectively tracking the flaws under the two CVE identifiers below:
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="color:#2980b9;"><strong>CVE-2024-38271 (CVSS score: 5.9)</strong></span> - A vulnerability that forces a victim to stay connected to a temporary Wi-Fi connection created for sharing
	</li>
	<li>
		<span style="color:#2980b9;"><strong>CVE-2024-38272 (CVSS score: 7.1)</strong></span> - A vulnerability that allows an attacker to bypass the accept file dialog on Windows
	</li>
</ul>

<p>
	 
</p>

<p>
	Quick Share, formerly Nearby Share, is a peer-to-peer file-sharing utility that allows users to transfer photos, videos, documents, audio files or entire folders between Android devices, Chromebooks, and Windows desktops and laptops in close proximity. Both devices must be within 5 m (16 feet) of each other with Bluetooth and Wi-Fi enabled.
</p>

<p>
	 
</p>

<p>
	In a nutshell, the identified shortcomings could be used to remotely write files into devices without approval, force the Windows app to crash, redirect its traffic to a Wi-Fi access point under an attacker's control, and traverse paths to the user's folder.
</p>

<p>
	 
</p>

<p>
	But more importantly, the researchers found that the ability to force the target device into connecting to a different Wi-Fi network and create files in the Downloads folder could be combined to initiate a chain of steps that ultimately lead to remote code execution.
</p>

<p>
	 
</p>

<p>
	The findings, first presented at DEF CON 32 today, are a culmination of a deeper analysis of the Protobuf-based proprietary protocol and the logic that undergirds the system. They are significant not least because they highlight how seemingly harmless known issues could open the door to a successful compromise and could pose serious risks when combined with other flaws.
</p>

<p>
	 
</p>

<p>
	"This research reveals the security challenges introduced by the complexity of a data-transfer utility attempting to support so many communication protocols and devices," SafeBreach Labs said in a statement. "It also underscores the critical security risks that can be created by chaining seemingly low-risk, known, or unfixed vulnerabilities together."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/08/researchers-uncover-10-flaws-in-googles.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24882</guid><pubDate>Sat, 10 Aug 2024 20:17:33 +0000</pubDate></item><item><title>New Malware Hits 300,000 Users with Rogue Chrome and Edge Extensions</title><link>https://nsaneforums.com/news/security-privacy-news/new-malware-hits-300000-users-with-rogue-chrome-and-edge-extensions-r24870/</link><description><![CDATA[<p>
	An ongoing, widespread malware campaign has been observed installing rogue Google Chrome and Microsoft Edge extensions through a trojan distributed on fake websites masquerading as popular software.
</p>

<p>
	 
</p>

<p>
	"The trojan malware contains different deliverables ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data and execute various commands," the ReasonLabs research team said in an analysis.
</p>

<p>
	 
</p>

<p>
	"This trojan malware, existing since 2021, originates from imitations of download websites with add-ons to online games and videos."
</p>

<p>
	The malware and the extensions have a combined reach of at least 300,000 users of Google Chrome and Microsoft Edge, indicating that the activity has a broad impact.
</p>

<p>
	 
</p>

<p>
	At the heart of the campaign is the use of malvertising to push lookalike websites promoting known software like Roblox FPS Unlocker, YouTube, VLC media player, Steam, or KeePass to trick users searching for these programs into downloading a trojan, which serves as a conduit for installing the browser extensions.
</p>

<p>
	 
</p>

<p>
	The digitally signed malicious installers register a scheduled task that, in turn, is configured to execute a PowerShell script responsible for downloading and executing the next-stage payload fetched from a remote server.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware.png" class="ipsImage" data-ratio="52.78" height="375" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9gthl_g_V94E27Z7n3kx6afNcIsecmjmq4J6Tzm7PLTdW1TrE6hwS6PTwg_wTvXePTeLFnEYMCnIaa3WYn2RiLO0rleQC4gO-qSVdVe_HZKDmu3NWxdsvWDJHfv9xM4Cbh9t-HGUJlRTjENXhAvHwgp0fQBG1JcslY6BQQ__FCSF8D69pnGWQjEso7cy8/s728-rw-e365/malware.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	This includes modifying the Windows Registry to force the installation of extensions from Chrome Web Store and Microsoft Edge Add-ons that are capable of hijacking search queries on Google and Microsoft Bing and redirecting them through attacker-controlled servers.
</p>

<p>
	 
</p>

<p>
	"The extension cannot be disabled by the user, even with Developer Mode 'ON,'" ReasonLabs said. "Newer versions of the script remove browser updates."
</p>

<p>
	 
</p>

<p>
	It also launches a local extension that is downloaded directly from a command-and-control (C2) server, and comes with extensive capabilities to intercept all web requests and send them to the server, receive commands and encrypted scripts, and inject and load scripts into all pages.
</p>

<p>
	 
</p>

<p>
	On top of that, it hijacks search queries from Ask.com, Bing, and Google, and funnels them through its servers and then on to other search engines.
</p>

<p>
	 
</p>

<p>
	This is not the first time similar campaigns have been observed in the wild. In December 2023, the cybersecurity company detailed another trojan installer, delivered through torrents, that installs malicious web extensions masquerading as VPN apps but actually designed to run a "cashback activity hack."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/08/new-malware-hits-300000-users-with.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24870</guid><pubDate>Sat, 10 Aug 2024 17:11:22 +0000</pubDate></item><item><title>You've heard of carjacking &#x2013; but what about carhacking?</title><link>https://nsaneforums.com/news/security-privacy-news/youve-heard-of-carjacking-%E2%80%93-but-what-about-carhacking-r24868/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Can hackers really steal your car?</span>
</p>

<p>
	 
</p>

<p>
	In this technology-fuelled, fully-digital age, we are surrounded by smart devices, from our watches to our speakers and even our toothbrushes. It makes sense that our cars are no different.
</p>

<p>
	 
</p>

<p>
	Unfortunately, where there are Wi-Fi connections, there are cybersecurity risks. And where there are cybersecurity risks, there are hackers who will attempt to exploit these risks for their own gain.
</p>

<p>
	 
</p>

<p>
	That's where carhacking comes in - some enterprising hackers are not satisfied with taking down airlines, hospitals or casinos and instead want to commit grand theft auto all from their phone.
</p>

<p>
	 
</p>

<p>
	How exactly do they do this? Read on to find out more…
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="SLdpHJ8dPp6rPNFxZUZ7mS-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/SLdpHJ8dPp6rPNFxZUZ7mS-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: Getty Images)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>How can you hack into smart cars?</strong></span>
</p>

<p>
	 
</p>

<p>
	One thing about hackers is that they can and will find a way to get into pretty much anything, smart cars included.
</p>

<p>
	 
</p>

<p>
	The ways they can hack into cars are varied, so we'll be taking a deep dive into these car-stealing hacks:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="dUr2GKgJA9Ac2sLbV8YtCR-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/dUr2GKgJA9Ac2sLbV8YtCR-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: Getty Images)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>By using AI</strong></span>
</p>

<p>
	 
</p>

<p>
	AI is a hot topic, thanks to its skyrocketing use and its integration into a huge number of things in everyday life, from chatbots to search engines. It is also, of course, making its way into cars through the processing systems of autonomous vehicles.
</p>

<p>
	 
</p>

<p>
	AI's benefits and uses cannot be overstated, but as with any kind of technology, malicious people can and will use AI for nefarious purposes. One of these purposes is hacking autonomous vehicles.
</p>

<p>
	 
</p>

<p>
	A report by McAfee noted that the AI systems used to power autonomous vehicles could be hacked into and manipulated by cyber attackers. One example of this was forcing a Tesla Model S to read a speed limit sign that read '35 miles per hour' as '85 miles per hour', making the vehicle rapidly speed up.
</p>

<p>
	 
</p>

<p>
	Of course, the impact of hacks like this could be incredibly dangerous, with vehicles forced to speed up or slow down on the whims of hackers, causing chaos on the roads.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="xihenQAtxa5Uzci8R59Vj8-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/xihenQAtxa5Uzci8R59Vj8-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: Getty Images)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Targeting electric vehicles</strong></span>
</p>

<p>
	 
</p>

<p>
	The use of electric vehicles (EVs) is growing rapidly, with a 69% increase in EVs worldwide from 26 million in 2022 to over 40 million in 2024.
</p>

<p>
	 
</p>

<p>
	While this is great for the environment, it also presents an avenue for hackers to exploit and gain access to your vehicle.
</p>

<p>
	 
</p>

<p>
	Tomas Bodeklint, research and business developer at RISE, notes that this is due to the nature of electric vehicles: “Electrification broadens the possible threats. We’re talking about all vehicles being connected in what is known as Vehicle to Grid, or V2G for short, which is to help society with its energy supply. This means communication has to take place when the vehicle is connected."
</p>

<p>
	 
</p>

<p>
	This presents an opportunity for hackers to intercept this communication to the car (and others) in a man-in-the-middle attack. These interceptions could allow hackers to gain access to the car, wreaking havoc on its system or even stealing it.
</p>

<p>
	 
</p>

<p>
	Not only this, but charging points for electric vehicles also pose a danger. Hackers could distribute malware to electric vehicles via public charging points, impacting the vehicle's function or using its software for nefarious means like bitcoin mining.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="xFwTbNVXmptsvTUCkayngZ-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/xFwTbNVXmptsvTUCkayngZ-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: Getty Images)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Stealing user login information</strong></span>
</p>

<p>
	 
</p>

<p>
	It's not enough just to worry about your personal details being stolen if you use public Wi-Fi - now you have to worry about your car being stolen, too.
</p>

<p>
	 
</p>

<p>
	In a YouTube video published in March 2024, two researchers (Tommy Mysk and Talal Haj Bakry from cybersecurity firm Mysk) showed how they were able to gain access to a Tesla Model 3 by generating a digital key, despite the account being protected by two-factor authentication.
</p>

<p>
	 
</p>

<p>
	Mysk and Bakry were able to bypass this layer of security and gain access to the car using a Flipper Zero (a self-described "multi-tool for geeks") and a Wi-Fi development board to create a fake Tesla login page, tricking their unsuspecting victim into entering their details. They were then able to access their account, generate a digital key and unlock the car.
</p>

<p>
	 
</p>

<p>
	Of course, Mysk and Bakry are white-hat hackers using this exploit to demonstrate the dangers posed by it, but it's not hard to imagine what hackers might do if they had discovered it first.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Khe7zAiVPtbBNuUuRLEAwT-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/Khe7zAiVPtbBNuUuRLEAwT-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: Getty Images)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>By using Bluetooth</strong></span>
</p>

<p>
	 
</p>

<p>
	Having Bluetooth in your car is incredibly useful, letting you listen to tunes, answer calls hands-free and even transfer directions seamlessly from your phone to your car's navigation system. However, it can also let hackers onto your car's system.
</p>

<p>
	 
</p>

<p>
	Researchers from NCC Group have discovered a method of hacking into and stealing a Tesla Model 3 and a Tesla Model Y using a Bluetooth Low Energy (BLE) relay attack.
</p>

<p>
	 
</p>

<p>
	Essentially, the attack saw researchers put the hacker between communications from the Tesla app to the vehicle itself, allowing them to intercept and change these communications.
</p>

<p>
	 
</p>

<p>
	Tesla described the issue exploited as a "known limitation of the passive entry system".
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="JAac5YrJo4JVZr8mErdN47-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/JAac5YrJo4JVZr8mErdN47-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: Getty Images)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:20px;"><strong>How car manufacturers are avoiding cyber attacks</strong></span>
</p>

<p>
	 
</p>

<p>
	So, we've taken a look at just how disruptive cyber attacks on smart cars can be, but it's not all doom and gloom – car manufacturers are aware of these risks and are actively working to reduce them.
</p>

<p>
	 
</p>

<p>
	In fact, chief executive of the Society of Motor Manufacturers and Traders, Mike Hawes, has said that "security is a priority for the automotive industry".
</p>

<p>
	 
</p>

<p>
	"Vehicle manufacturers are investing significantly in new features to help keep cars safe from cyber-crime. Industry is also working closely with government and security agencies to help implement further safeguards to ensure current and future generations of connected cars remain resilient to cyberattacks," he explains.
</p>

<p>
	 
</p>

<p>
	Essentially, what this means is that manufacturers are aware of the risks and are working to combat them, so you can drive easy, knowing that the likelihood of your car being hacked and stolen is dropping by the day.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.tomsguide.com/computing/vpns/youve-heard-of-carjacking-but-what-about-carhacking" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24868</guid><pubDate>Sat, 10 Aug 2024 12:59:00 +0000</pubDate></item><item><title>Express VPN can now change your IP Address for every different website you visit</title><link>https://nsaneforums.com/news/security-privacy-news/express-vpn-can-now-change-your-ip-address-for-every-different-website-you-visit-r24867/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Press shuffle on your IP address</span>
</p>

<p>
	 
</p>

<p>
	A VPN is one of the best ways to improve your privacy and security online. One of the best VPN providers is ExpressVPN and its newest feature is designed to help improve that privacy.
</p>

<p>
	 
</p>

<p>
	Using a VPN changes your IP address based on the location you select. This is a great way to distance yourself from hackers and be harder to track. But what's even harder to trace than one spoofed IP Address? Multiple spoofed IP Addresses.
</p>

<p>
	 
</p>

<p>
	Well with ExpressVPN's new ShuffleIP feature, you can be a digital Jason Bourne with a new identity everywhere you go, without even having to change server. Best of all, it's completely free for subscribers.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="gaJmmSEfLnymWgDQnN4EgK-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/gaJmmSEfLnymWgDQnN4EgK-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: ExpressVPN)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:22px;"><strong>How does ShuffleIP work?</strong></span>
</p>

<p>
	 
</p>

<p>
	Well, many servers in ExpressVPN's 3000+ network have a pool of dozens of different IP addresses. Usually, users connecting to a server will be assigned one of the addresses from the pool and stick with it until they change server or reconnect. But that's not the case with ShuffleIP.
</p>

<p>
	 
</p>

<p>
	Instead, each time the user changes website or web server then the IP address will seamlessly switch to another in that server's pool. This unpredictable switching makes it much harder to be tracked online, and ExpressVPN already has an audited no-logs policy, so together that undoubtedly makes for one of the most secure VPNs on the market.
</p>

<p>
	 
</p>

<p>
	It's worth noting of course that not every server will have a deep enough pool of IP addresses for this feature to work and that its virtual servers are incompatible with it too.
</p>

<p>
	 
</p>

<p>
	We love ExpressVPN for its security credentials and ease of use, but it is undoubtedly more expensive than some of its competitors, so it's worth checking out the best cheap VPNs too.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.tomsguide.com/computing/vpns/express-vpn-can-now-change-your-ip-address-for-every-different-website-you-visit" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24867</guid><pubDate>Sat, 10 Aug 2024 12:49:54 +0000</pubDate></item><item><title>ATM Software Flaws Left Piles of Cash for Anyone Who Knew to Look</title><link>https://nsaneforums.com/news/security-privacy-news/atm-software-flaws-left-piles-of-cash-for-anyone-who-knew-to-look-r24853/</link><description><![CDATA[<p>
	<strong><span style="font-size:18px;">Six vulnerabilities in ATM-maker Diebold Nixdorf’s popular Vynamic Security Suite could have been exploited to control ATMs using “relatively simplistic attacks.”</span></strong>
</p>

<p>
	 
</p>

<p>
	There is a grand tradition at the annual Defcon security conference in Las Vegas of hacking ATMs. Unlocking them with safecracking techniques, rigging them to steal users' personal data and PINs, crafting and refining ATM malware and, of course, hacking them to spit out all their cash. Many of these projects targeted what are known as retail ATMs, freestanding devices like those you'd find at a gas station or a bar. But on Friday, independent researcher Matt Burch is presenting findings related to the “financial” or “enterprise” ATMs used in banks and other large institutions.
</p>

<p>
	 
</p>

<p>
	Burch is demonstrating six vulnerabilities in ATM-maker Diebold Nixdorf’s widely deployed security solution, known as Vynamic Security Suite (VSS). The vulnerabilities, which the company says have all been patched, could be exploited by attackers to bypass an unpatched ATM's hard drive encryption and take full control of the machine. And while there are fixes available for the bugs, Burch warns that, in practice, the patches may not be widely deployed, potentially leaving some ATMs and cash-out systems exposed.
</p>

<p>
	 
</p>

<p>
	“Vynamic Security Suite does a number of things—it has endpoint protection, USB filtering, delegated access, and much more,” Burch tells WIRED. “But the specific attack surface that I’m taking advantage of is the hard drive encryption module. And there are six vulnerabilities, because I would identify a path and files to exploit, and then I would report it to Diebold, they would patch that issue, and then I would find another way to achieve the same outcome. They’re relatively simplistic attacks.”
</p>

<p>
	 
</p>

<p>
	The vulnerabilities Burch found are all in VSS's functionality to turn on disk encryption for ATM hard drives. Burch says that most ATM manufacturers rely on Microsoft's BitLocker Windows encryption for this purpose, but Diebold Nixdorf’s VSS uses a third-party integration to run an integrity check. The system is set up in a dual-boot configuration that has both Linux and Windows partitions. Before the operating system boots, the Linux partition runs a signature integrity check to validate that the ATM hasn't been compromised, and then boots it into Windows for normal operation.
</p>

<p>
	 
</p>

<p>
	“The problem is, in order to do all of that, they decrypt the system, which opens up the opportunity,” Burch says. “The core deficiency that I’m exploiting is that the Linux partition was not encrypted.”
</p>

<p>
	 
</p>

<p>
	Burch found that he could manipulate the location of critical system validation files to redirect code execution; in other words, grant himself control of the ATM.
</p>

<p>
	 
</p>

<p>
	Diebold Nixdorf spokesperson Michael Jacobsen tells WIRED that Burch first disclosed the findings to them in 2022 and that the company has been in touch with Burch about his Defcon talk. The company says that the vulnerabilities Burch is presenting were all addressed with patches in 2022. Burch notes, though, that as he went back to the company with new versions of the vulnerabilities over the past couple of years, his understanding is that the company continued to address some of the findings with patches in 2023. And Burch adds that he believes Diebold Nixdorf addressed the vulnerabilities on a more fundamental level in April with VSS version 4.4 that encrypts the Linux partition.
</p>

<p>
	In spite of all of this, Burch says, it would probably still be possible to find a path to exploit similar vulnerabilities, but “it’s significantly harder now.” More importantly, though, he notes that it can involve significant infrastructure initiatives for large institutions to actually update enterprise ATMs and it's very possible that there are ATMs and cash-out systems that are still running old versions of VSS.
</p>

<p>
	“We’re currently working to ensure our customers are up to date and using the current version appropriate for their environment,” Jacobsen tells WIRED. He added that Diebold Nixdorf's customers should not assume that implementing different disk encryption, like Microsoft BitLocker, would be feasible. “One of Matt’s recommendations for switching to an enterprise disk encryption product, especially BitLocker, is vulnerable in our environments,” Jacobsen says. “A BitLocker-encrypted machine can be compromised, and Microsoft will not address this, as the ATM use case is not in their scope.”
</p>

<p>
	 
</p>

<p>
	This may refer to ongoing, real-world attacks on ATM machines that use malware to steal cash from enterprise ATMs made by multiple manufacturers. These incidents illustrate that there are very real concerns about ATM vulnerabilities being exploited, even though most attacks require physically targeting ATMs and can't be carried out remotely.
</p>

<p>
	 
</p>

<p>
	“Doing the attack requires physical access where you open the top portion of the ATM, pull the hard drive out, and then patch the contents of the hard drive,” Burch says. “An unrehearsed execution would not be easy to do. But it's absolutely feasible if you know what you’re looking at. Similar attacks have been executed in under 10 minutes. Organized crime is presumably training people in how to do these attacks.”
</p>

<p>
	 
</p>

<p>
	As long as attackers are finding success and making money from ATM cash-out attacks, there will be Defcon talks about what the next frontiers of ATM hacking may look like.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/vss-atm-vulnerabilities-defcon-2024/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24853</guid><pubDate>Fri, 09 Aug 2024 21:17:38 +0000</pubDate></item><item><title>&#x2018;Sinkclose&#x2019; Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%98sinkclose%E2%80%99-flaw-in-hundreds-of-millions-of-amd-chips-allows-deep-virtually-unfixable-infections-r24852/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades.</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>Security flaws in </strong>your computer's firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular computer maker, but in the chips found across hundreds of millions of PCs and servers. Now security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer's memory that, in many cases, it may be easier to discard a machine than to disinfect it.
</p>

<p>
	 
</p>

<p>
	At the Defcon hacker conference tomorrow, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips they're calling Sinkclose. The flaw would allow hackers to run their own code in one of the most privileged modes of an AMD processor, known as System Management Mode, designed to be reserved only for a specific, protected portion of its firmware. IOActive's researchers warn that it affects virtually all AMD chips dating back to 2006, or possibly even earlier.
</p>

<p>
	 
</p>

<p>
	Nissim and Okupski note that exploiting the bug would require hackers to already have obtained relatively deep access to an AMD-based PC or server, but that the Sinkclose flaw would then allow them to plant their malicious code far deeper still. In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a “bootkit” that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot—which the researchers warn encompasses the large majority of the systems they tested—a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system.
</p>

<p>
	 
</p>

<p>
	“Imagine nation-state hackers or whoever wants to persist on your system. Even if you wipe your drive clean, it's still going to be there,” says Okupski. “It's going to be nearly undetectable and nearly unpatchable.” Only opening a computer's case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as an SPI Flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says.
</p>

<p>
	 
</p>

<p>
	Nissim sums up that worst-case scenario in more practical terms: “You basically have to throw your computer away.”
</p>

<p>
	 
</p>

<p>
	In a statement shared with WIRED, AMD acknowledged IOActive's findings, thanked the researchers for their work, and noted that it has “released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon.” (The term “embedded,” in this case, refers to AMD chips found in systems such as industrial devices and cars.) For its EPYC processors designed for use in data-center servers, specifically, the company noted that it released patches earlier this year. AMD declined to answer questions in advance about how it intends to fix the Sinkclose vulnerability, or for exactly which devices and when, but it pointed to a full list of affected products that can be found on its website's security bulletin page.
</p>

<p>
	 
</p>

<p>
	In a background statement to WIRED, AMD emphasized the difficulty of exploiting Sinkclose: To take advantage of the vulnerability, a hacker has to already possess access to a computer's kernel, the core of its operating system. AMD compares the Sinkclose technique to a method for accessing a bank's safe-deposit boxes after already bypassing its alarms, the guards, and vault door.
</p>

<p>
	 
</p>

<p>
	Nissim and Okupski respond that while exploiting Sinkclose requires kernel-level access to a machine, such vulnerabilities are exposed in Windows and Linux practically every month. They argue that sophisticated state-sponsored hackers of the kind who might take advantage of Sinkclose likely already possess techniques for exploiting those vulnerabilities, known or unknown. “People have kernel exploits right now for all these systems,” says Nissim. “They exist and they're available for attackers. This is the next step.”
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Security_DEFCON_AMD_20240808_Wired_AMD_0" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://media.wired.com/photos/66b59586c6698bb9c2339127/master/w_1600,c_limit/Security_DEFCON_AMD_20240808_Wired_AMD_014.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>IOActive researchers Krzysztof Okupski (left) and Enrique Nissim. Photograph: Roger Kisby</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Nissim and Okupski's Sinkclose technique works by exploiting an obscure feature of AMD chips known as TClose. (The Sinkclose name, in fact, comes from combining that TClose term with Sinkhole, the name of an earlier System Management Mode exploit found in Intel chips in 2015.) In AMD-based machines, a safeguard known as TSeg prevents the computer's operating systems from writing to a protected part of memory meant to be reserved for System Management Mode known as System Management Random Access Memory or SMRAM. AMD's TClose feature, however, is designed to allow computers to remain compatible with older devices that use the same memory addresses as SMRAM, remapping other memory to those SMRAM addresses when it's enabled. Nissim and Okupski found that, with only the operating system's level of privileges, they could use that TClose remapping feature to trick the SMM code into fetching data they've tampered with, in a way that allows them to redirect the processor and cause it to execute their own code at the same highly privileged SMM level.
</p>

<p>
	 
</p>

<p>
	“I think it's the most complex bug I've ever exploited,” says Okupski.
</p>

<p>
	 
</p>

<p>
	Nissim and Okupski, both of whom specialize in the security of low-level code like processor firmware, say they first decided to investigate AMD's architecture two years ago, simply because they felt it hadn't gotten enough scrutiny compared to Intel, even as its market share rose. They found the critical TClose edge case that enabled Sinkclose, they say, just by reading and rereading AMD's documentation. “I think I read the page where the vulnerability was about a thousand times,” says Nissim. “And then on one thousand and one, I noticed it.” They alerted AMD to the flaw in October of last year, they say, but have waited nearly 10 months to give AMD more time to prepare a fix.
</p>

<p>
	 
</p>

<p>
	For users seeking to protect themselves, Nissim and Okupski say that for Windows machines—likely the vast majority of affected systems—they expect patches for Sinkclose to be integrated into updates shared by computer makers with Microsoft, who will roll them into future operating system updates. Patches for servers, embedded systems, and Linux machines may be more piecemeal and manual; for Linux machines, it will depend in part on the distribution of Linux a computer has installed.
</p>

<p>
	 
</p>

<p>
	Nissim and Okupski say they agreed with AMD not to publish any proof-of-concept code for their Sinkclose exploit for several months to come, in order to provide more time for the problem to be fixed. But they argue that, despite any attempt by AMD or others to downplay Sinkclose as too difficult to exploit, it shouldn't prevent users from patching as soon as possible. Sophisticated hackers may already have discovered their technique—or may figure out how to after Nissim and Okupski present their findings at Defcon.
</p>

<p>
	 
</p>

<p>
	Even if Sinkclose requires relatively deep access, the IOActive researchers warn, the far deeper level of control it offers means that potential targets shouldn't wait to implement any fix available. “If the foundation is broken,” says Nissim, "then the security for the whole system is broken."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/amd-chip-sinkclose-flaw/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24852</guid><pubDate>Fri, 09 Aug 2024 21:14:58 +0000</pubDate></item><item><title>New AMD SinkClose flaw helps install nearly undetectable malware</title><link>https://nsaneforums.com/news/security-privacy-news/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware-r24845/</link><description><![CDATA[<p>
	AMD is warning about a high-severity CPU vulnerability named SinkClose that impacts multiple generations of its EPYC, Ryzen, and Threadripper processors. The vulnerability allows attackers with Kernel-level (Ring 0) privileges to gain Ring -2 privileges and install malware that becomes nearly undetectable.
</p>

<p>
	 
</p>

<p>
	Ring -2 is one of the highest privilege levels on a computer, running above Ring -1 (used for hypervisors and CPU virtualization) and Ring 0, which is the privilege level used by an operating system's Kernel.
</p>

<p>
	 
</p>

<p>
	The Ring -2 privilege level is associated with modern CPUs' System Management Mode (SMM) feature. SMM handles power management, hardware control, security, and other low-level operations required for system stability.
</p>

<p>
	 
</p>

<p>
	Due to its high privilege level, <a href="https://www.microsoft.com/en-us/security/blog/2020/11/12/system-management-mode-deep-dive-how-smm-isolation-hardens-the-platform/" rel="external nofollow" target="_blank">SMM is isolated from the operating system</a> to prevent it from being targeted easily by threat actors and malware.
</p>

<h2>
	SinkClose CPU flaw
</h2>

<p>
	Tracked as CVE-2023-31315 and rated of high severity (CVSS score: 7.5), the flaw was <a href="https://ioactive.com/event/def-con-talk-amd-sinkclose-universal-ring-2-privilege-escalation/" rel="external nofollow" target="_blank">discovered by IOActive</a> researchers Enrique Nissim and Krzysztof Okupski, who named the privilege elevation attack 'Sinkclose.'
</p>

<p>
	 
</p>

<p>
	Full details about the attack will be presented by the researchers tomorrow in a DefCon talk titled "<a href="https://ioactive.com/event/def-con-talk-amd-sinkclose-universal-ring-2-privilege-escalation/" rel="external nofollow" target="_blank">AMD Sinkclose: Universal Ring-2 Privilege Escalation</a>."
</p>

<p>
	 
</p>

<p>
	The researchers report that Sinkclose has passed undetected for almost 20 years, impacting a broad range of AMD chip models.
</p>

<p>
	 
</p>

<p>
	The SinkClose flaw allows attackers with Kernel-level access (Ring 0) to modify System Management Mode (SMM) settings, even when SMM Lock is enabled. This flaw could be used to turn off security features and plant persistent, virtually undetectable malware on a device.
</p>

<p>
	 
</p>

<p>
	Ring -2 is isolated and invisible to the OS and hypervisor, so any malicious modifications made on this level cannot be caught or remediated by security tools running on the OS.
</p>

<p>
	 
</p>

<p>
	Okupski <a href="http://www.wired.com/story/amd-chip-sinkclose-flaw/" rel="external nofollow" target="_blank">told Wired</a> that the only way to detect and remove malware installed using SinkClose would be to physically connect to the CPUs using a tool called an SPI Flash programmer and scan the memory for malware.
</p>

<p>
	 
</p>

<p>
	According to AMD's advisory, the following models are affected:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		EPYC 1st, 2nd, 3rd, and 4th generations
	</li>
	<li>
		EPYC Embedded 3000, 7002, 7003, and 9003, R1000, R2000, 5000, and 7000
	</li>
	<li>
		Ryzen Embedded V1000, V2000, and V3000
	</li>
	<li>
		Ryzen 3000, 5000, 4000, 7000, and 8000 series
	</li>
	<li>
		Ryzen 3000 Mobile, 5000 Mobile, 4000 Mobile, and 7000 Mobile series
	</li>
	<li>
		Ryzen Threadripper 3000 and 7000 series
	</li>
	<li>
		AMD Threadripper PRO (Castle Peak WS SP3, Chagall WS)
	</li>
	<li>
		AMD Athlon 3000 series Mobile (Dali, Pollock)
	</li>
	<li>
		AMD Instinct MI300A
	</li>
</ul>

<p>
	 
</p>

<p>
	AMD <a href="https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html" rel="external nofollow" target="_blank">stated in its advisory</a> that it has already released mitigations for its EPYC and AMD Ryzen desktop and mobile CPUs, with further fixes for embedded CPUs coming later.
</p>

<h2>
	Real implications and response
</h2>

<p>
	Kernel-level access is a prerequisite for carrying out the Sinkclose attack. AMD noted this in a statement to Wired, underlining the difficulty of exploiting CVE-2023-31315 in real-world scenarios.
</p>

<p>
	 
</p>

<p>
	However, IOActive responded by saying that kernel-level vulnerabilities, although not widespread, are surely not uncommon in sophisticated attacks, which is true based on previous attacks covered by BleepingComputer.
</p>

<p>
	 
</p>

<p>
	Advanced Persistent Threat (APT) actors, like the North Korean Lazarus group, have been using <a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/" target="_blank" rel="external nofollow">BYOVD</a> (Bring Your Own Vulnerable Driver) techniques or even leveraging <a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-exploited-windows-zero-day-to-gain-kernel-privileges/" target="_blank" rel="external nofollow">zero-day Windows flaws</a> to escalate their privileges and gain kernel-level access.
</p>

<p>
	 
</p>

<p>
	Ransomware gangs also use BYOVD tactics, employing <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/" target="_blank" rel="external nofollow">custom EDR killing tools</a> they sell to other cybercriminals for extra profits.
</p>

<p>
	 
</p>

<p>
	The notorious social engineering specialists <a href="https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-use-old-intel-driver-to-bypass-security/" target="_blank" rel="external nofollow">Scattered Spider</a> have also been spotted leveraging BYOVD to turn off security products.
</p>

<p>
	 
</p>

<p>
	These attacks are possible via various tools, from <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-windows-drivers-used-in-ransomware-attacks/" target="_blank" rel="external nofollow">Microsoft-signed drivers</a>, <a href="https://www.bleepingcomputer.com/news/security/kasseika-ransomware-uses-antivirus-driver-to-kill-other-antiviruses/" target="_blank" rel="external nofollow">anti-virus drivers</a>, <a href="https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-abuses-legit-driver-to-disable-security-products/" target="_blank" rel="external nofollow">MSI graphics drivers</a>, <a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/" target="_blank" rel="external nofollow">bugged OEM drivers</a>, and even <a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-genshin-impact-anti-cheat-system-to-disable-antivirus/" target="_blank" rel="external nofollow">game anti-cheat tools</a> that enjoy kernel-level access.
</p>

<p>
	 
</p>

<p>
	All that said, Sinkclose could pose a significant threat to organizations using AMD-based systems, especially from state-sponsored and sophisticated threat actors, and should not be disregarded.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">24845</guid><pubDate>Fri, 09 Aug 2024 18:29:33 +0000</pubDate></item><item><title>Microsoft discloses Office zero-day, still working on a patch</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-discloses-office-zero-day-still-working-on-a-patch-r24844/</link><description><![CDATA[<p>
	Microsoft has disclosed a high-severity zero-day vulnerability affecting Office 2016 and later, which is still waiting for a patch.
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2024-38200, this security flaw is caused by an information disclosure weakness that enables unauthorized actors to access protected information such as system status or configuration data, personal info, or connection metadata.
</p>

<p>
	 
</p>

<p>
	The zero-day impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.
</p>

<p>
	 
</p>

<p>
	Even though Microsoft's exploitability assessment says that exploitation of CVE-2024-38200 is less likely, MITRE has <a href="https://cwe.mitre.org/data/definitions/200.html" rel="external nofollow" target="_blank">tagged</a> the likelihood of exploitation for this type of weakness as highly probable.
</p>

<p>
	 
</p>

<p>
	"In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability," Microsoft's advisory explains.
</p>

<p>
	 
</p>

<p>
	"However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file."
</p>

<p>
	 
</p>

<p>
	The company is developing security updates to address this zero-day bug but has yet to announce a release date.
</p>

<h2>
	More details to be shared at Defcon
</h2>

<p>
	While Redmond has not shared any details regarding the flaw, its discovery was attributed to PrivSec Consulting security consultant Jim Rush and Synack Red Team member Metin Yunus Kandemir.
</p>

<p>
	 
</p>

<p>
	PrivSec's Managing Director Peter Jakowetz told BleepingComputer that Rush will disclose more information about this vulnerability in his upcoming "NTLM - The last ride" Defcon talk.
</p>

<p>
	 
</p>

<p>
	"There will be a deep dive on several new bugs we disclosed to Microsoft (including bypassing a fix to an existing CVE), some interesting and useful techniques, combining techniques from multiple bug classes resulting in some unexpected discoveries and some absolutely cooked bugs," <a href="http://defcon.org/html/defcon-32/dc-32-speakers.html#54496" rel="external nofollow" target="_blank">Rush explains</a>.
</p>

<p>
	 
</p>

<p>
	"We'll also uncover some defaults that simply shouldn't exist in sensible libraries or applications as well as some glaring gaps in some of the Microsoft NTLM related security controls."
</p>

<p>
	 
</p>

<p>
	A Synack spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more details regarding the CVE-2024-38200 vulnerability.
</p>

<p>
	 
</p>

<p>
	Microsoft is also working on patching zero-day flaws that could be exploited <a href="https://www.bleepingcomputer.com/news/microsoft/windows-update-downgrade-attack-unpatches-fully-updated-systems/" target="_blank" rel="external nofollow">to "unpatch" up-to-date Windows systems</a> and reintroduce old vulnerabilities.
</p>

<p>
	 
</p>

<p>
	The company also said earlier this week that it's considering patching a <a href="https://www.bleepingcomputer.com/news/microsoft/windows-smart-app-control-smartscreen-bypass-exploited-since-2018/" target="_blank" rel="external nofollow">Windows Smart App Control, SmartScreen bypass</a> exploited since 2018.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-discloses-office-zero-day-still-working-on-a-patch/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">24844</guid><pubDate>Fri, 09 Aug 2024 18:28:24 +0000</pubDate></item><item><title>USPS Text Scammers Duped His Wife, So He Hacked Their Operation</title><link>https://nsaneforums.com/news/security-privacy-news/usps-text-scammers-duped-his-wife-so-he-hacked-their-operation-r24833/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>The Smishing Triad network sends up to 100,000 scam texts per day globally. One of those messages went to Grant Smith, who infiltrated their systems and exposed them to US authorities.</strong></span>
</p>

<p>
	 
</p>

<p>
	The flood of text messages started arriving early this year. They carried a similar thrust: The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered.
</p>

<p>
	 
</p>

<p>
	Like thousands of others, security researcher Grant Smith got a USPS package message. Many of his friends had received similar texts. A couple of days earlier, he says, his wife called him and said she’d inadvertently entered her credit card details. With little going on after the holidays, Smith began a mission: Hunt down the scammers.
</p>

<p>
	 
</p>

<p>
	Over the course of a few weeks, Smith tracked down the Chinese-language group behind the mass-smishing campaign, hacked into their systems, collected evidence of their activities, and started a months-long process of gathering victim data and handing it to USPS investigators and a US bank, allowing people’s cards to be protected from fraudulent activity.
</p>

<p>
	 
</p>

<p>
	In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers, says Smith, a red team engineer and the founder of offensive cybersecurity firm Phantom Security. Many people entered multiple cards each, he says. More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains. The victims were spread across the United States—California, the state with the most, had 141,000 entries—with more than 1.2 million pieces of information being entered in total.
</p>

<p>
	 
</p>

<p>
	“This shows the mass scale of the problem,” says Smith, who is presenting his findings at the Defcon security conference this weekend and previously published some details of the work. But the scale of the scamming is likely to be much larger, Smith says, as he didn't manage to track down all of the fraudulent USPS websites, and the group behind the efforts has been linked to similar scams in at least half a dozen other countries.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Gone Phishing</strong></span>
</p>

<p>
	 
</p>

<p>
	Chasing down the group didn’t take long. Smith started by investigating the dodgy domain in the smishing text message he received and intercepting traffic from the website. A path traversal vulnerability, coupled with a SQL injection, he says, allowed him to grab files from the website’s server and read data from the database being used.
</p>

<p>
	 
</p>

<p>
	“I thought there was just one standard site that they all were using,” Smith says. Diving into the data from that initial website, he found the name of a Chinese-language Telegram account and channel, which appeared to be selling a smishing kit scammers could use to easily create the fake websites.
</p>

<p>
	 
</p>

<p>
	Details of the Telegram username were previously published by cybersecurity company Resecurity, which calls the scammers the “Smishing Triad.” The company had previously found a separate SQL injection in the group’s smishing kits and provided Smith with a copy of the tool. (The Smishing Triad had fixed the previous flaw and started encrypting data, Smith says.)
</p>

<p>
	 
</p>

<p>
	“I started reverse engineering it, figured out how everything was being encrypted, how I could decrypt it, and figured out a more efficient way of grabbing the data,” Smith says. From there, he says, he was able to break administrator passwords on the websites—many had not been changed from the default “admin” username and “123456” password—and began pulling victim data from the network of smishing websites in a faster, automated way.
</p>

<p>
	<br />
	Smith trawled Reddit and other online sources to find people reporting the scam and the URLs being used, which he subsequently published. Some of the websites running the Smishing Triad’s tools were collecting thousands of people’s personal information per day, Smith says. Among other details, the websites would request people’s names, addresses, payment card numbers and security codes, phone numbers, dates of birth, and bank websites. This level of information can allow a scammer to make purchases online with the credit cards. Smith says his wife quickly canceled her card, but noticed that the scammers still tried to use it, for instance, with Uber. The researcher says he would collect data from a website and return to it a few hours later, only to find hundreds of new records.
</p>

<p>
	 
</p>

<p>
	The researcher provided the details to a bank that had contacted him after seeing his initial blog posts. Smith declined to name the bank. He also reported the incidents to the FBI and later provided information to the United States Postal Inspection Service (USPIS).
</p>

<p>
	 
</p>

<p>
	Michael Martel, a national public information officer at USPIS, says the information provided by Smith is being used as part of an ongoing USPIS investigation and that the agency cannot comment on specific details. “USPIS is already actively pursuing this type of information to protect the American people, identify victims, and serve justice to the malicious actors behind it all,” Martel says, pointing to advice on spotting and reporting USPS package delivery scams.
</p>

<p>
	 
</p>

<p>
	Initially, Smith says, he was wary about going public with his research, as this kind of “hacking back” falls into a “gray area”: It may be breaking the Computer Fraud and Abuse Act, a sweeping US computer-crimes law, but he’s doing it against foreign-based criminals. He is definitely not the first, or the last, to do so.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Multiple Prongs</strong></span>
</p>

<p>
	 
</p>

<p>
	The Smishing Triad is prolific. In addition to using postal services as lures for their scams, the Chinese-speaking group has targeted online banking, ecommerce, and payment systems in the US, Europe, India, Pakistan, and the United Arab Emirates, according to Shawn Loveland, the chief operating officer of Resecurity, which has consistently tracked the group.
</p>

<p>
	 
</p>

<p>
	The Smishing Triad sends between 50,000 and 100,000 messages daily, according to Resecurity’s research. Its scam messages are sent using SMS or Apple’s iMessage, the latter being encrypted. Loveland says the Triad is made up of two distinct groups—a small team led by one Chinese hacker that creates, sells, and maintains the smishing kit, and a second group of people who buy the scamming tool. (A backdoor in the kit allows the creator to access details of administrators using the kit, Smith says in a blog post.)
</p>

<p>
	 
</p>

<p>
	“It’s very mature,” Loveland says of the operation. The group sells the scamming kit on Telegram for a $200-per-month subscription, and this can be customized to show the organization the scammers are trying to impersonate. “The main actor is Chinese communicating in the Chinese language,” Loveland says. “They do not appear to be hacking Chinese language websites or users.” (In communications with the main contact on Telegram, the individual claimed to Smith that they were a computer science student.)
</p>

<p>
	 
</p>

<p>
	The relatively low monthly subscription cost for the smishing kit means it’s highly likely, with the number of credit card details scammers are collecting, that those using it are making significant profits. Loveland says using text messages that immediately send people a notification is a more direct and more successful way of phishing, compared to sending emails with malicious links included.
</p>

<p>
	 
</p>

<p>
	As a result, smishing has been on the rise in recent years. But there are some tell-tale signs: If you receive a message from a number or email you don't recognize, if it contains a link to click on, or if it wants you to do something urgently, you should be suspicious.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/usps-scam-text-smishing-triad/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24833</guid><pubDate>Fri, 09 Aug 2024 00:54:59 +0000</pubDate></item><item><title>UN cybercrime treaty passes in unanimous vote</title><link>https://nsaneforums.com/news/security-privacy-news/un-cybercrime-treaty-passes-in-unanimous-vote-r24832/</link><description><![CDATA[<p>
	The United Nations passed its first cybercrime treaty on Thursday in a unanimous vote supporting an agreement first put forward by Russia.
</p>

<p>
	 
</p>

<p>
	The passage of the treaty is significant and establishes for the first time a global-level cybercrime and data access-enabling legal framework.
</p>

<p>
	 
</p>

<p>
	The treaty was adopted late Thursday by the body’s Ad Hoc Committee on Cybercrime and will next go to the General Assembly for a vote in the fall. It is expected to sail through the General Assembly since the same states will be voting on it there.
</p>

<p>
	 
</p>

<p>
	The agreement follows three years of negotiations capped by the final two-week session that has been underway.
</p>

<p>
	 
</p>

<p>
	Russia also supported the draft treaty, which was a surprise given earlier concerns raised by the country’s representative.
</p>

<p>
	 
</p>

<p>
	Opponents of the treaty include human rights organizations and big tech companies.
</p>

<p>
	 
</p>

<p>
	Both factions have concerns over text that says authorities investigating crimes in any nation are entitled to obtain electronic evidence from other nations as well as ask internet service providers to hand over data.
</p>

<p>
	 
</p>

<p>
	There were disagreements on just a couple of parts of the latest text voted on Thursday, but the final outcome is a treaty that does not significantly change earlier, controversial versions of the draft agreement, said Raman Jit Singh Chima, the Asia Pacific Policy Director at the digital freedoms organization Access Now.
</p>

<p>
	 
</p>

<p>
	Singh Chima, who was in the room during Thursday’s debate and final vote, said every attempt to tweak the final draft text was defeated.
</p>

<p>
	In an interview with Recorded Future News following the vote, he cited concerns that have been echoed by several other human rights and digital freedoms organizations. “We think this convention text that has advanced is insufficient in its human rights commitments,” Singh Chima said.
</p>

<p>
	 
</p>

<p>
	“It does not have strong safeguards to prevent misuse of digital investigation and digital evidence powers in the 21st century,” he added.
</p>

<p>
	 
</p>

<p>
	“It, in fact, would enable more surveillance and enable data access in a way that undermines people's trust in computers and in digital technology and directly puts people at risk.”
</p>

<p>
	 
</p>

<p>
	Like other human rights and digital freedoms proponents, Singh Chima characterized the agreed upon treaty as the result of UN member states believing a “bad treaty is better than no treaty.”
</p>

<p>
	 
</p>

<p>
	While there are other existing treaties on cybercrime which emanate from regional bodies — and some that are slightly more international, such as the 23-year-old Budapest Convention — there has previously been no legal framework which has been debated and accepted by consensus among all UN member states.
</p>

<p>
	 
</p>

<p>
	The Budapest Convention was not signed by China, Russia, India or Brazil — countries that are home to significant internet-based criminal organizations.
</p>

<p>
	 
</p>

<p>
	“One of the complaints about the Budapest convention, or the Council of Europe treaty, was that it was negotiated by Europeans, and there wasn't any involvement from the global south or others,” Jim Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies, said in an interview Thursday. “They have always said we can't possibly sign a convention that we didn't help to negotiate.”
</p>

<p>
	 
</p>

<p>
	“Now we have a global compact that nations have agreed to that lets us move forward on cybercrime,” Lewis, a former diplomat, added.
</p>

<p>
	 
</p>

<p>
	“This is a global problem that needs to be addressed so if it can move us forward even a couple feet, it's progress.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/un-cybercrime-treaty-passes-unanimous" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24832</guid><pubDate>Fri, 09 Aug 2024 00:44:21 +0000</pubDate></item><item><title>Google and Meta ignored their own rules in secret teen-targeting ad deals</title><link>https://nsaneforums.com/news/security-privacy-news/google-and-meta-ignored-their-own-rules-in-secret-teen-targeting-ad-deals-r24821/</link><description><![CDATA[<h3>
	Project disregarded Google rules barring personalizing and targeting ads to minors.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Google and Meta made a secret deal to target advertisements for Instagram to teenagers on YouTube, skirting the search company’s own rules for how minors are treated online.
	</p>

	<p>
		 
	</p>

	<p>
		According to documents seen by the Financial Times and people familiar with the matter, Google worked on a marketing project for Meta that was designed to target 13- to 17-year-old YouTube users with adverts that promoted its rival’s photo and video app.
	</p>

	<p>
		 
	</p>

	<p>
		The Instagram campaign deliberately targeted a group of users labeled as “unknown” in its advertising system, which Google knew skewed toward under-18s, these people said. Meanwhile, documents seen by the FT suggest steps were taken to ensure the true intent of the campaign was disguised.
	</p>

	<p>
		 
	</p>

	<p>
		The project disregarded Google’s rules that prohibit personalizing and targeting ads to under-18s, including serving ads based on demographics. It also has policies against the circumvention of its own guidelines, or “proxy targeting.”
	</p>

	<p>
		 
	</p>

	<p>
		Meta’s YouTube campaign to pull in younger users to Instagram was already in development when Mark Zuckerberg made a dramatic appearance before US Congress in January, where the Facebook co-founder apologized to the families of children who had been victims of sexual exploitation and abuse on his platforms.
	</p>

	<p>
		 
	</p>

	<p>
		The Silicon Valley-based pair, who are normally fierce competitors as the world’s two largest online advertising platforms, embarked on the effort late last year as Google sought to bolster its advertising earnings and as Meta scrambled to retain the attention of younger users against fast-growing rivals such as TikTok. Last week, Zuckerberg told investors that a recent push to engage more 18- to 29-year-olds had been bearing fruit.
	</p>

	<p>
		 
	</p>

	<p>
		The companies worked with Spark Foundry, a US subsidiary of French advertising giant Publicis, to launch the pilot marketing program in Canada between February and April this year, according to the people and documents seen by the Financial Times.
	</p>

	<p>
		 
	</p>

	<p>
		Due to its perceived success, it was then trialed in the US in May. The companies had planned to expand it further, to international markets and to promote other Meta apps such as Facebook, people familiar with the matter said.
	</p>

	<p>
		 
	</p>

	<p>
		While the pilot programs were small, Google saw them as an opportunity to grow into a more lucrative “full-funnel” relationship with Meta that would involve more splashy and expensive “brand” adverts on YouTube as well as its other platforms.
	</p>

	<p>
		 
	</p>

	<p>
		When contacted by the FT, Google initiated an investigation into the allegations. The project has now been canceled, a person familiar with the decision said.
	</p>

	<p>
		 
	</p>

	<p>
		Google said: “We prohibit ads being personalized to people under-18, period. These policies go well beyond what is required and are supported by technical safeguards. We’ve confirmed that these safeguards worked properly here” because no registered YouTube users known to be under 18 were directly targeted by the company.
	</p>

	<p>
		 
	</p>

	<p>
		However, Google did not deny using the “unknown” loophole, adding: “We’ll also be taking additional action to reinforce with sales representatives that they must not help advertisers or agencies run campaigns attempting to work around our policies.”
	</p>

	<p>
		 
	</p>

	<p>
		Meta said it disagreed that selecting the “unknown” audience constituted personalization or a circumvention of any rules, adding that it adhered to its own policies as well as those of its peers when advertising its services. It did not respond to questions about whether staff were aware that the “unknown” group skewed to younger users.
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		“We’ve been open about marketing our apps to young people as a place for them to connect with friends, find community, and discover their interests,” Meta said.
	</p>

	<p>
		 
	</p>

	<p>
		Spark Foundry did not respond to multiple requests for comment.
	</p>

	<p>
		 
	</p>

	<p>
		Last week, the US Senate overwhelmingly passed a bill, the Kids Online Safety Act, that would place a duty of care on social media platforms to protect children from harmful online content, in a rare moment of bipartisan agreement that brings the US closer to major legislation targeting Silicon Valley on child safety.
	</p>

	<p>
		 
	</p>

	<p>
		“Big Tech companies cannot be trusted to protect our kids,” Republican Senator Marsha Blackburn told the FT when contacted about the Google-Meta tie-up. She urged Congress to pass the KOSA bill. “They once again have been caught exploiting our children, and these Silicon Valley executives have proven that they will always prioritize profit over our children.”
	</p>

	<p>
		 
	</p>

	<p>
		Jeff Chester, executive director of the Center for Digital Democracy, which advocates for child privacy, said: “Meta is bleeding young people and they’ve figured out a backdoor.”
	</p>

	<p>
		 
	</p>

	<p>
		Meta has long faced scrutiny for its policies on minors. It is being sued by 33 states accusing it of deploying ‘manipulative’ practices toward young users, which it denies. Meanwhile, the Federal Trade Commission is also seeking to ban Meta from making money from teen audiences as part of an update to an existing privacy settlement, which the company is challenging in court.
	</p>

	<p>
		 
	</p>

	<p>
		In 2021, it shelved plans to launch a kids version of Instagram following a public backlash and after whistleblower Frances Haugen leaked the Facebook parent’s own research suggesting the app is detrimental to the mental health of teenage girls.
	</p>

	<h2 class="n-content-heading-3" id="how-an-unlikely-partnership-developed-0">
		How an unlikely partnership developed
	</h2>

	<p>
		According to documents and several people familiar with the matter, the Meta-Google project originated in early 2023 when Spark Foundry, acting for the Instagram parent, asked a range of partners to pitch for a “Meta IG Connects” advertising campaign.
	</p>

	<p>
		 
	</p>

	<p>
		Spark was working on behalf of the Meta marketing data science team and was tasked with getting more “Gen Z” customers to download Instagram, which has been losing users to rival apps, in particular TikTok, internal documents show.
	</p>

	<p>
		 
	</p>

	<p>
		Instagram has been fretting about losing its “teen foothold” for years. It previously allocated its entire marketing budget to targeting teenagers, in particular the 13- to 15-year-old “early high school” segment, according to a 2021 report by the New York Times.
	</p>

	<p>
		 
	</p>

	<p>
		In one email, seen by the FT, an ads manager at Spark asks Google to pitch for the campaign, specifically identifying the “primary” demographic to be targeted as “13 to 17” year-olds and requiring it to be measured by data collected directly from viewers. A secondary objective was 18- to 24-year-olds.
	</p>

	<p>
		 
	</p>

	<p>
		In 2021, Google introduced what it said were tougher protections for teenagers on its sites. “We will block ad targeting based on the age, gender, or interests of people under 18,” it said.
	</p>

	<p>
		 
	</p>

	<p>
		Google’s “ad-serving protections for teens” policy adds: “We expect all our advertisers to follow local legal requirements when using our products... as well as all Google Ads policies.”
	</p>

	<p>
		 
	</p>

	<p>
		But Google staff proposed a workaround to bypass the policy: a group called “unknown,” people familiar with the matter said.
	</p>

	<p>
		 
	</p>

	<p>
		On its website, Google says the “unknown” group “refers to people whose age, gender, parental status or household income we haven’t identified.” But staff at the Internet group had thousands of data points on everything from users’ location via phone masts to their app downloads and activity online. This allowed them to determine with a high degree of confidence that those in the “unknown” group included many younger users, in particular under-18s.
	</p>

	<p>
		 
	</p>

	<p>
		Turning off other age groups for which they had demographic data left only the unknown group, with its high proportion of minors and children: it was described as a way of “hacking” the audience safeguards in their system, one of the people said.
	</p>

	<p>
		 
	</p>

	<p>
		“Targeting the ‘unknown’ category reaches a varied and wide audience of people,” including those who have ad personalization turned off, Google said in response to questions about the use of the tactic to circumvent its policy.
	</p>

	<p>
		 
	</p>

	<p>
		Meta said: “Google’s ‘unknown’ targeting option is available to all advertisers—not just Meta—and we have clear principles we adhere to when it comes to how we market our apps to teens on other platforms.”
	</p>

	<p>
		 
	</p>

	<p>
		During the pitching process, another email from Spark in late 2023 asked Google to provide Meta with “platform-specific data and insights into teen behavior.” This would “enable us to tailor and refine our media tactics, messaging and creative execution,” it read.
	</p>

	<p>
		 
	</p>

	<p>
		As part of its pitch, Google also boasted of its “really impressive” usage by 13- to 17-year-olds, handily outstripping daily engagement on TikTok and Instagram, documents show.
	</p>

	<p>
		 
	</p>

	<p>
		Google won the mandate from Spark, and the teams on both sides took precautions, banning any direct reference to the age range in writing, one of the people said. Staff used euphemisms in presentations, such as slides with only the words “embrace the unknown,” according to documents reviewed by the FT.
	</p>

	<p>
		 
	</p>

	<p>
		Chester of the Center for Digital Democracy said of the tie-up between Meta and Alphabet-owned Google: “It shows you how both companies remain untrustworthy, duplicitous, powerful platforms that require stringent regulation and oversight.”
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/tech-policy/2024/08/google-and-meta-ignored-their-own-rules-in-secret-teen-targeting-ad-deals/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">24821</guid><pubDate>Thu, 08 Aug 2024 17:43:59 +0000</pubDate></item><item><title>Researchers find decades-old vulnerability in major web browsers</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-find-decades-old-vulnerability-in-major-web-browsers-r24817/</link><description><![CDATA[<p>
	An Israeli cybersecurity firm has identified a zero-day vulnerability affecting major web browsers that could allow attackers to bypass normal browser security measures and potentially breach local networks.
</p>

<p>
	 
</p>

<p>
	The flaw, discovered by Oligo Security, was found in how browsers handle network requests.
</p>

<p>
	 
</p>

<p>
	In summary, devices read IP addresses to connect users to websites, with 0.0.0.0 serving as a placeholder until a real address is assigned. Oligo researchers found that a would-be attacker can exploit how browsers like Apple’s Safari, Google’s Chrome and Mozilla’s Firefox handle queries to 0.0.0.0, redirecting them to other addresses such as ‘localhost,’ which is typically private.
</p>

<p>
	 
</p>

<p>
	This exploit allows attackers to access private data by sending requests to 0.0.0.0. Attackers could then perform all types of nefarious actions, gaining unauthorized access and executing remote code on locally running programs, which could impact development platforms, operating systems and internal networks.
</p>

<p>
	 
</p>

<p>
	Oligo has dubbed the vulnerability “0.0.0.0 day,” and wrote in a blog post that it considers it to be “far-reaching, affecting individuals and organizations alike.”
</p>

<p>
	 
</p>

<p>
	By April, Oligo had alerted security teams at major tech companies and started working with them on solutions to the issue. Google has already started to block 0.0.0.0 requests in Chrome, and over the next few months will be implementing fixes to Chromium, the open-source code base that powers Chrome and other popular browsers.
</p>

<p>
	 
</p>

<p>
	Apple told Forbes that it has initiated changes to deny such requests in Safari. Oligo says there is no immediate fix for Firefox, but it has been working with Mozilla to block 0.0.0.0 in the future.
</p>

<p>
	 
</p>

<p>
	To further avoid any possible security issues, Oligo suggests that security teams use Private Network Access headers — a feature that provides additional protection for local networks from potential vulnerabilities or malicious attacks. The company also recommends using HTTPS whenever possible and implementing cross-site request forgery (CSRF) tokens in web applications, even if they are only running locally.
</p>

<p>
	 
</p>

<p>
	You can read the full technical details on<span style="color:#c0392b;"> Oligo’s blog</span>.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://cyberscoop.com/browser-zero-day-oligo-security-0-0-0-0-day/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24817</guid><pubDate>Thu, 08 Aug 2024 15:31:42 +0000</pubDate></item><item><title>Connecticut Residents Hit by Credit Card Skimming</title><link>https://nsaneforums.com/news/security-privacy-news/connecticut-residents-hit-by-credit-card-skimming-r24815/</link><description><![CDATA[<p>
	<span style="color:#7f8c8d;"><span style="font-size:22px;"><strong>Gov. Ned Lamont and state officials are warning Connecticut consumers about a surge in credit, debit and EBT card theft targeting residents at the gas pump, the ATM and the grocery line.</strong></span></span>
</p>

<p>
	 
</p>

<p>
	(TNS) — Gov. Ned Lamont and state officials are warning Connecticut consumers about a surge in credit, debit and EBT card theft targeting residents at the gas pump, the ATM and the grocery line.
</p>

<p>
	 
</p>

<p>
	At a briefing outside a Stop &amp; Shop in New Britain, Lamont joined state commissioners and law enforcement to raise the alarm on skimming, a fast growing crime in which fraudsters install illicit devices over point-of-sale terminals that record card numbers and PINs when a consumer takes an unsuspecting swipe. When the criminals retrieve the skimming device, they use the data to make unauthorized purchases and withdrawals on consumer cards.
</p>

<p>
	 
</p>

<p>
	Wayne Pesce, the president of the Connecticut Food Association, said retailer efforts to identify skimming devices in stores before they can steal consumer information have resulted in the discovery of at least 12 to 15 devices in the last five weeks.
</p>

<p>
	 
</p>

<p>
	“We’re seeing an acceleration of this type of activity,” Pesce said.
</p>

<p>
	 
</p>

<p>
	To combat the crime wave, Pesce said retailers have been trained to mark PIN pads with a specific symbol in a unique location. Pesce said store clerks and cashiers will check card readers in the morning, during the day and at closing to ensure that the markings are there and skimming devices have not compromised the machine.
</p>

<p>
	 
</p>

<p>
	While retailers increase skimming prevention efforts, Lamont and other officials are working to equip consumers with the knowledge and tools to remain vigilant.
</p>

<p>
	 
</p>

<p>
	“These scammers are targeting Connecticut consumers who are just trying to fuel their cars, buy groceries, and feed their families,” Lamont said. “Our state agencies are working together, along with our towns and cities, local police departments, and the federal government, to combat this issue and keep us safe. But it will require all of us remaining vigilant, learning the signs of a skimming device, sharing that information with our friends and family, and reporting any incidents to the police to bring this scam to an end.”
</p>

<p>
	 
</p>

<p>
	Pesce and others said Connecticut first saw an uptick in skimming crimes six months ago. The breed of scam made headlines this summer with devices found in ATMs, gas stations and grocery stores.
</p>

<p>
	 
</p>

<p>
	On Sunday a customer at a 7-Eleven in Montville discovered two credit card skimmers in two payment terminals inside the store.
</p>

<p>
	In July, another skimming device was spotted at an ATM located in a Mobil gas station in Fairfield.
</p>

<p>
	 
</p>

<p>
	At the end of June, Big Y reported that an “unknown individual attached a skimming device to one single terminal in each of our Naugatuck and Plainville Connecticut locations.”
</p>

<p>
	 
</p>

<p>
	Andrea Barton Reeves, the commissioner of the Connecticut Department of Social Services, said skimming has had a particular impact on families who rely on EBT card benefits for food assistance. Barton Reeves said EBT cards are more susceptible to theft because they require consumers to swipe a magnetic strip and input a PIN, as opposed to more secure methods of payment like chips and tap features.
</p>

<p>
	 
</p>

<p>
	Barton Reeves said the scammers wait until the start of the month, when benefits are loaded onto the card, to withdraw all of the funds.
</p>

<p>
	Between 2023 and 2024, Barton Reeves said $3.7 million in benefits have been stolen and that the department has processed 7,513 applications for benefit replacement.
</p>

<p>
	 
</p>

<p>
	“Those are hundreds and hundreds of families who have had the unfortunate experience of going up and attempting to pay for their groceries and finding that all of their benefits have been stolen from their card,” Barton Reeves said.
</p>

<p>
	 
</p>

<p>
	The skimming spike in Connecticut follows a national trend.
</p>

<p>
	 
</p>

<p>
	According to a March 2024 analysis from Fair Isaac Corporation, the company that developed the FICO credit score, the number of debit cards compromised in skimming crimes nearly doubled in 2023, impacting more than 315,000 cards and 3,500 financial institutions.
</p>

<p>
	 
</p>

<p>
	In April, the U.S. Secret Service said “law enforcement agencies have seen a nationwide increase in skimming” over the past two years.
</p>

<p>
	 
</p>

<p>
	According to the FBI, the illicit technology that lies in wait at gas pumps, ATMs and point-of-sale terminals costs consumers and financial institutions more than $1 billion annually.
</p>

<p>
	 
</p>

<p>
	To avoid falling victim to these scams, the FBI and Connecticut state officials offer the following guidance for consumers:
</p>

<p>
	 
</p>

<ul>
	<li>
		Location, location, location. According to the FBI, tourist areas and under-supervised terminals are hotbeds for skimming activity. Choosing a more secure location can reduce the risk of theft. When making withdrawals, the FBI recommends using ATMs that are well-lit and located indoors. Connecticut State Police also encourage consumers to stick with ATMs at brick-and-mortar banks and avoid third-party machines. If you are filling up on gas, the FBI says consumers should “choose a fuel pump that is closer to the store and in direct view of the attendant” or avoid paying at the pump entirely and complete transactions inside with the attendant.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Inspect before use. Before using an ATM, point-of-sale terminal or other card-reading device, the FBI advises consumers to “look for anything loose, crooked, damaged, or scratched.” State officials say sticky keys, bulky devices and mismatched colors are also red flags. They encourage consumers to give card slots and readers a wiggle to determine if any machine parts are loose or heavier than normal. If anything looks or feels suspicious, don’t use it.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Use a tap-to-pay option. According to the FBI, “tap-to-pay transactions are more secure and less likely to be compromised” than payment options that require you to swipe or insert a card.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Don’t swipe. Devices that steal magnetic stripe data are more common than those that can steal chip data, according to the FBI.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Check the keypad. The FBI advises consumers to “examine the keypad before use for any inconsistencies in coloring, material, or shape,” and to “pull at the edges of the keypad before entering your PIN.” These tiny details could signal the presence of a keypad overlay or other skimming device.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Avoid using a PIN altogether. If it’s an option, the FBI says consumers should opt to run their debit card as a credit card. Just select the credit option at the payment terminal, insert or tap your debit card, and you will not be asked to enter a PIN.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		If you have to use a PIN, cover it. While some skimming hardware can capture consumers’ keystrokes directly from the keypad, the FBI says many scammers still rely on pinhole cameras to steal customers’ PINs. To defeat the latter, the bureau recommends covering the keypad as much as possible.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Opt to pay with credit, not debit. The FBI suggests that consumers should “avoid using your debit card when you have linked accounts, since the card’s compromise will give criminals access to all of the accounts.”
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Change your PIN. Barton Reeves said the Department of Social Services recommends that EBT card users change their PIN as often as possible to prevent criminals from stealing their benefits.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Monitor statements and set up alerts. Remaining vigilant is key to identifying and responding to a skimming event. The FBI says consumers should “Routinely monitor your credit card, bank, and EBT or other benefits accounts to promptly identify any unauthorized transactions. If possible, set email or text-message alerts to notify you of card or account transactions.”
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Inconvenience is protection. The FBI recommends turning on account-security options such as multi-factor authentication and account freezes between purchases and withdrawals. “Such steps may seem inconvenient, but they significantly reduce the risk of financial losses,” the FBI said.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Report. Connecticut state officials encourage consumers to report suspected skimming devices or fraudulent purchases to store managers and law enforcement, and to file a complaint with the Connecticut Department of Consumer Protection through ct.gov/DCP.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong><a href="https://www.govtech.com/public-safety/connecticut-residents-hit-by-credit-card-skimming" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24815</guid><pubDate>Thu, 08 Aug 2024 15:26:50 +0000</pubDate></item><item><title>Man Puzzled When Meta's AI Keeps Giving Out His Phone Number to Strangers</title><link>https://nsaneforums.com/news/security-privacy-news/man-puzzled-when-metas-ai-keeps-giving-out-his-phone-number-to-strangers-r24808/</link><description><![CDATA[<p>
	Meta's AI chatbot kept giving strangers a man's phone number, and it remains unclear how or why it happened.
</p>

<p>
	 
</p>

<p>
	As Business Insider's Rob Price reports, the debacle began when he was added to a random WhatsApp group chat filled with people from multiple countries who began asking him random questions in Spanish.
</p>

<p>
	 
</p>

<p>
	The people in the chat seemed bemused when the senior Silicon Valley correspondent asked them why he'd been added to the group chat and why they were asking him questions. Eventually, someone posted a screenshot and Price noticed that his number was saved under the name "Meta AI."
</p>

<p>
	 
</p>

<p>
	After more back-and-forth, someone eventually shared another screenshot that included a one-on-one exchange with Meta AI, the company's cross-platform chatbot, explaining that Price's phone number could be used to add it to group chats.
</p>

<p>
	 
</p>

<p>
	"You can add me to a WhatsApp group as if I were just another contact," the chatbot told the user in a translation of the original Spanish exchange. "You only need to save my phone number."
</p>

<p>
	 
</p>

<p>
	After that first bizarre instance, people from various countries in South America kept contacting the reporter thinking he was Meta AI, because the chatbot spat out Price's work number each time a user asked it for its phone number.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Working Theory</strong></span>
</p>

<p>
	 
</p>

<p>
	As a journalist, Price was accustomed to being contacted by random people, but this was substantially different. Generally speaking, being accused of being a bot only happens during particularly intense political debates between humans on social media — and this was nothing of the sort.
</p>

<p>
	 
</p>

<p>
	Ultimately, the reporter concluded that when training the large language model (LLM) undergirding the Meta AI chatbot, the company had likely scraped his publicly-available phone number, too.
</p>

<p>
	 
</p>

<p>
	Having written roughly 300 stories mentioning Facebook that included his phone number — which was shared, as is common practice, to solicit tips — Price reckons that the number may have been "scooped up" into Meta's training data. During the mysterious "black box" sausage-making process that results in AI, the LLM may then have made some "misguided causal connection" that resulted in his number being spat out when users asked Meta for its phone number.
</p>

<p>
	 
</p>

<p>
	In a statement to BI, a company spokesperson seemed to co-sign this theory, telling Price that because Meta AI "was trained on publicly available information online," his number may have ended up in the secret sauce.
</p>

<p>
	 
</p>

<p>
	The only problem? Axel Springer, Business Insider's parent company, doesn't have any deal in place to allow Meta to train its AI on its content (though it does have one with OpenAI).
</p>

<p>
	 
</p>

<p>
	Price noted that after he'd contacted Meta about the bizarre occurrences, people stopped randomly messaging him thinking he was a chatbot — and that he'd never been able to replicate the fluke for himself, either.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://futurism.com/the-byte/meta-ai-gives-phone-number" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24808</guid><pubDate>Thu, 08 Aug 2024 14:38:48 +0000</pubDate></item><item><title>Watch How a Hacker&#x2019;s Infrared Laser Can Spy on Your Laptop&#x2019;s Keystrokes</title><link>https://nsaneforums.com/news/security-privacy-news/watch-how-a-hacker%E2%80%99s-infrared-laser-can-spy-on-your-laptop%E2%80%99s-keystrokes-r24804/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>Hacker Samy Kamkar is debuting his own open source version of a laser microphone—a spy tool that can invisibly pick up the sounds inside your home through a window, and even the text you’re typing.</strong></span>
</p>

<p>
	 
</p>

<p>
	In a famous scene from the 1992 movie Sneakers, a hacker classic, the main characters park a surveillance van across the street from their target's office and point a telephoto lens through his window—only to find that their view of his computer keyboard is blocked by the surprise entrance of his love interest at the precise moment when he types his password. The surveillance team ends up watching and rewatching their partially obstructed VHS video of his keystrokes, bickering comically about the layout of a QWERTY keyboard.
</p>

<p>
	 
</p>

<p>
	Today, with a few decades of surveillance tech advancements and some clever feats of physics, all it would take to grab that password—as well as anything typed on the computer, or, for that matter, every word spoken in the room—would be a well-aimed infrared laser.
</p>

<p>
	 
</p>

<p>
	At the Defcon security conference this weekend in Las Vegas, renowned hacker Samy Kamkar plans to debut his own DIY advances in a form of laser-based surveillance, demonstrating that he can point a laser that's invisible to the human eye at a faraway laptop, through a window, and detect the computer's vibrations to reconstruct virtually every character typed on it. The trick, which takes advantage of the subtle acoustics created by tapping different keys on a computer, works even without a view of the computer's keyboard, so long as the hacker has a line-of-sight view of any relatively reflective portion of the target laptop.
</p>

<p>
	 
</p>

<p>
	In the process of perfecting that light-based keystroke eavesdropping technique, Kamkar says he's also created what may well be one of the world's most high-fidelity implementations of a laser microphone—a tool that bounces a laser off a room's window to detect its vibrations and record all the sounds inside—or at least, one of the most advanced such laser microphones whose technical details have been publicly released. (Kamkar plans to publish the full schematics on his website and GitHub.) The result is an open-source spying setup that can, in various forms, potentially pick up virtually everything either typed or spoken aloud in a surveillance target's room.
</p>

<p>
	 
</p>

<p>
	Kamkar says he's been determined to build his own laser-based spy setup since he watched a Defcon talk 15 years ago, in which a pair of hackers demonstrated some rudimentary detection of keystrokes with a laser pointed at a laptop from across a room. “It blew my mind. ‘I want to do this,’” Kamkar says he remembers thinking. “But I also wanted to improve the attack. Can I make it work from outside, from far away? Can I do it with an infrared laser so the target can't see it? And can I also hear what's happening in the room, such as by bouncing the laser off a window?”
</p>

<p>
	 
</p>

<p>
	The answers: Yes to all the above. The video below shows an example of Kamkar's prototype setup—he tested it through different windows of his house with varying results—with his infrared laser outside pointed at his MacBook inside, where he's typing and listening to music.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/fqZZTkxa7bI?feature=oembed" title="laser mic setup" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	Here's a sample of text he was able to recover in one case from his own typing, compared to the original:
</p>

<p>
	 
</p>

<p>
	<img alt="SamyKamkar_Security_textsample.png" class="ipsImage" data-ratio="66.81" height="216" width="720" src="https://media.wired.com/photos/66b3f39bc383e8e7b96bbeca/master/w_1600,c_limit/SamyKamkar_Security_textsample.png" />
</p>

<p>
	 
</p>

<p>
	Kamkar says that his keystroke spying trick works best when he can aim his laser at a spot on a laptop that reflects light—ideally a shiny metal or plastic spot on the laptop's case, such as a logo. “The Apple logo is nearly a mirror,” he says. “So that's a really good reflective surface.” The video clip below, captured with an infrared camera and steam to make the laser's path visible, shows Kamkar's infrared laser bouncing off that shiny Apple logo.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/H3y1f7HrD0Y?feature=oembed" title="infrared laser beam" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	When it came to recording sounds inside a room, Kamkar was in some cases able to pick up music clearly, as in the first two samples below—though he found that double-paned glass produced far more muffled results, which you can hear in the third audio sample.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	&lt; Listen to the audio samples at the <a href="https://www.wired.com/story/infrared-laser-microphone-keystroke-surveillance/" rel="external nofollow">source page</a>. &gt;
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Neither of Kamkar's two laser-spying techniques is an entirely new concept: Both the keystroke-surveillance technique and the laser-based audio eavesdropping trick are essentially his own versions of a tool known as a laser microphone, a decades-old invention that bounces a laser off a surface and measures the reflected light to detect the target's vibrations—such as those caused by either key presses on a laptop's keyboard or someone's nearby voice.
</p>

<p>
	 
</p>

<p>
	For both of his laser-based techniques, however, Kamkar used his own engineering tricks and a few thousand dollars in hardware to significantly advance the fidelity of his optical eavesdropping. To reduce the noise created by ambient light when attempting to detect vibrations in his reflected infrared laser, for instance, he designed his laser microphone system to strobe on and off 400,000 times per second, picking up the reflected light through a lens so that the light hits a photodiode—or doesn't—depending on the target's vibrations.
</p>

<p>
	 
</p>

<p>
	By using that 400-kilohertz frequency and measuring variances in the signal's amplitude just as an amplitude-modulated, or AM, radio does, Kamkar was able to later filter out everything other than that frequency to vastly reduce noise. He then amplified that signal and used a piece of hardware known as an upconverter to shift that AM radio signal to a higher frequency, so that it could be fed into a software-defined radio—a digital, programmable radio capable of handling a far larger range of frequencies than a typical radio—to analyze it.
</p>

<p>
	 
</p>

<p>
	“I think I've created the first laser microphone that's actually modulated in the radio frequency domain,” Kamkar says. “Once I have a radio signal, I can treat it like radio, and I can take advantage of all the tools that exist for radio communication.” In other words, Kamkar converted sound into light into radio—and then back again into sound.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="20240804_Wired_Defcon_SamyKamkar_003.jpg" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://media.wired.com/photos/66b3ef6bed705b9278666827/master/w_1600,c_limit/20240804_Wired_Defcon_SamyKamkar_003.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Samy Kamkar at his home workstation. Photograph: Roger Kisby</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	For his keystroke detection technique, Kamkar then fed the output of his laser microphone into an audio program called iZotope RX to further remove noise, and then into an open source piece of software called Keytap3 that can convert the sound of keystrokes into legible text. In fact, security researchers have demonstrated for years that keystroke audio, recorded from a nearby microphone, can be analyzed and deciphered into the text that a surveillance target is typing by distinguishing tiny acoustic differences between keys. One group of researchers has shown that relatively precise text can even be derived from the sounds of keystrokes recorded over a Zoom call.
</p>

<p>
	 
</p>

<p>
	Kamkar, however, was more interested in the 2009 Defcon demonstration in which security researchers Andrea Barisani and Daniele Bianco showed that they could use a simple laser microphone to roughly detect words typed on a keyboard, a trick that would allow long-distance line-of-sight spying. In that demo, the two Italian hackers only got as far as testing out their laser spying technique across the room from a laptop and generating a list of possible word pairs that matched the vibration signature they recorded.
</p>

<p>
	 
</p>

<p>
	Speaking to WIRED, Barisani says their experiment was only a “quick and dirty” proof of concept compared to Kamkar's more polished prototype. “Samy is brilliant, and there was a lot of room for improvement,” Barisani says. “I'm 100 percent sure that he was able to improve our attack both in the hardware setup and the signal processing.”
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="20240804_Wired_Defcon_SamyKamkar_006.jpg" class="ipsImage" data-ratio="75.10" height="540" width="405" src="https://media.wired.com/photos/66b3ef6c029c500caa827e35/3:4/w_1600,c_limit/20240804_Wired_Defcon_SamyKamkar_006.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Kamkar’s laser spying kit: An infrared laser… Photograph: Roger Kisby</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="20240804_Wired_Defcon_SamyKamkar_005.jpg" class="ipsImage" data-ratio="75.10" height="540" width="405" src="https://media.wired.com/photos/66b3ef6b042186bb6e24b38b/3:4/w_1600,c_limit/20240804_Wired_Defcon_SamyKamkar_005.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>…attached to an oscilloscope’s signal generator, current controller, temperature controller, and amplifier power supply. Photograph: Roger Kisby</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Kamkar's results do appear to be dramatically better: Some samples of text he recovered from typing with his laser mic setup and shared with WIRED were almost entirely legible, with only a missed letter every word or two; others showed somewhat spottier results. Kamkar's laser microphone worked well enough for detecting keystrokes, in fact, that he also tested using it to record audio in a room more generally, by bouncing his infrared laser off a window. It produced remarkably clear sound, noticeably better than other samples of laser microphone audio released online—at least among those recorded stealthily from a window's vibrations.
</p>

<p>
	 
</p>

<p>
	Of course, given that laser microphones have existed for decades, Kamkar admits he doesn't know what advancements the technology may have made in commercial implementations available to governments or law enforcement, not to mention even more secret, custom-built technologies potentially created or used by intelligence agencies. “I would assume they're doing this or something like it,” Kamkar says.
</p>

<p>
	 
</p>

<p>
	Unlike the creators of those professional spy tools, though, Kamkar is publishing the full schematics of his DIY laser microphone spy kit. “Ideally, I want the public to know everything that intelligence agencies are doing, and the next thing, too," Kamkar says. “If you don't know something is possible, you're probably not going to protect against it.”
</p>

<p>
	 
</p>

<p>
	Even knowing that Kamkar's silent, invisible, long-distance laser spy trick exists, how does anyone hide their secrets from it? He suggests that companies install double-paned or reflective glass. Some security device companies also sell protection devices that affix to windows and vibrate them to prevent laser microphone spying, and Kamkar concedes he hasn't tested his attack against those. But he also suggests a safer countermeasure: “Don't work on computers visible from a window,” he says. “Or just have dirty windows.”
</p>

<p>
	 
</p>

<p>
	Kamkar admits that beyond any idea of enabling or defeating surveillance, he was driven to develop his laser spying tricks mostly to test what was possible in the realm of physics-based hacking. More than a warning about any particular spy trick, he hopes his Defcon talk will inspire the conference's hacker audience to think more broadly about how information resonates through the real world in unexpected and exploitable ways, defying any simple model of computer security.
</p>

<p>
	 
</p>

<p>
	“You hit a key, it produces a sound that emanates in all directions. All the light hitting the laptop also vibrates at that frequency. The key then closes a circuit on the keyboard that generates electromagnetism and emits radio frequency in all directions,” Kamkar says. “The physical world screams secrets, and we have the ability to listen.” And if you don't, whoever's watching outside your window just might.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/infrared-laser-microphone-keystroke-surveillance/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24804</guid><pubDate>Thu, 08 Aug 2024 14:08:00 +0000</pubDate></item><item><title>Inside the Dark World of Doxing for Profit</title><link>https://nsaneforums.com/news/security-privacy-news/inside-the-dark-world-of-doxing-for-profit-r24803/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>From tricking companies into handing over victims’ personal data to offering violence as a service, the online doxing ecosystem is not just still a problem—it’s getting more extreme.</strong></span>
</p>

<p>
	 
</p>

<p>
	Since the early 1990s, people have used doxing as a toxic way to strike digital revenge—stripping away someone’s anonymity by unmasking their identity online. But in recent years, the poisonous practice has taken on new life, with people being doxed and extorted for cryptocurrency and, in the most extreme cases, potentially facing physical violence.
</p>

<p>
	 
</p>

<p>
	For the past year, security researcher Jacob Larsen—who was a victim of doxing around a decade ago when someone tried to extort him for a gaming account—has been monitoring doxing groups, observing the techniques used to unmask people, and interviewing prominent members of the doxing community. Doxing actions have led to incomes of “well over six figures annually,” and methods include making fake law enforcement requests to get people’s data, according to Larsen’s interviews.
</p>

<p>
	 
</p>

<p>
	“The primary target of doxing, particularly when it involves a physical extortion component, is for finance,” says Larsen, who leads an offensive security team at cybersecurity company CyberCX but conducted the doxing research in a personal capacity with the support of the company.
</p>

<p>
	 
</p>

<p>
	Over several online chat sessions last August and September, Larsen interviewed two members of the doxing community: “Ego” and “Reiko.” While neither of their offline identities is publicly known, Ego is believed to have been a member of the five-person doxing group known as ViLe, and Reiko last year acted as an administrator of the biggest public doxing website, Doxbin, as well as being involved in other groups. (Two other ViLe members pleaded guilty to hacking and identity theft in June.) Larsen says both Ego and Reiko deleted their social media accounts since speaking with him, making it impossible for WIRED to speak with them independently.
</p>

<p>
	 
</p>

<p>
	People can be doxed for a full range of reasons—from harassment in online gaming, to inciting political violence. Doxing can “humiliate, harm, and reduce the informational autonomy” of targeted individuals, says Bree Anderson, a digital criminologist at Deakin University in Australia who has researched the subject with colleagues. There are direct “first-order” harms, such as risks to personal safety, and longer-term “second-order harms,” including anxiety around future disclosures of information, Anderson says.
</p>

<p>
	 
</p>

<p>
	Larsen’s research mostly focused on those doxing for profit. Doxbin is central to many doxing efforts, with the website hosting more than 176,000 public and private doxes, which can contain names, social media details, Social Security numbers, home addresses, places of work, and similar details belonging to people’s family members. Larsen says he believes most of the doxing on Doxbin is driven by extortion activities, although there can be other motivations and doxing for notoriety. Once information is uploaded, Doxbin will not remove it unless it breaks the website’s terms of service.
</p>

<p>
	 
</p>

<p>
	“It is your responsibility to uphold your privacy on the internet,” Reiko said in one of the conversations with Larsen, who has published the transcripts. Ego added: “It’s on the users to keep their online security tight, but let’s be real, no matter how careful you are, someone might still track you down.”
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>Impersonating Police, Violence as a Service</strong></span>
</p>

<p>
	 
</p>

<p>
	Being entirely anonymous online is almost impossible—and many people don’t try, often using their real names and personal details in online accounts and sharing information on social media. Doxing tactics to gather people’s details, some of which were detailed in charges against ViLe members, can include reusing common passwords to access accounts, accessing public and private databases, and social engineering to launch SIM swapping attacks. There are also more nefarious methods.
</p>

<p>
	 
</p>

<p>
	Emergency data requests (EDRs) can also be abused, Larsen says. EDRs allow law enforcement officials to ask tech companies for people’s names and contact details without any court order when they believe there may be danger or risk to people’s lives. These requests are made directly to tech platforms, often through specific online portals, and broadly need to come from official law enforcement or government email addresses.
</p>

<p>
	 
</p>

<p>
	“If a threat actor can intercept that process, it’s the fastest way for them to get highly accurate sensitive data on the victim,” Larsen explains. “They’re really stepping up and using that as their primary method for doxing victims.” This kind of request has previously been used to harass women and children, as well as weaponized against security researchers.
</p>

<p>
	 
</p>

<p>
	During his research, Larsen says he infiltrated various Telegram groups where people were selling access to systems to make EDRs and government emails needed to make requests. One individual, according to screenshots shared by Larsen, claimed to be selling access to TikTok’s law enforcement platform using a US Department of Justice email address, and claimed they had an FBI email address too.
</p>

<p>
	 
</p>

<p>
	Another claimed they would make government email addresses from Mozambique, the Philippines, Pakistan, and Brazil for $125 each.
</p>

<p>
	Larsen says he reported the details to law enforcement agencies. The FBI declined to comment about false EDRs to WIRED, while a TikTok spokesperson pointed toward its public policies on emergency data requests and the ways it tries to ensure they are valid. The US Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.
</p>

<p>
	 
</p>

<p>
	“Violence as a service” groups have emerged from SIM swapping communities in recent years as well, allowing people to pay for violent acts to be carried out. Digital extortion can lead to physical extortion, Larsen says, adding that Doxbin doesn’t allow threats or discussions of violence to be posted on its platform. “I’ve seen people get doxed and that ends up in them being bricked, getting their house shot up, getting a Molotov thrown through their windows, gang stalked, all in an attempt to extort them for money,” Ego said in a conversation with Larsen. Videos of attacks are sometimes posted online. “Things get pretty wicked online, much more than people realize,” Ego said.
</p>

<p>
	 
</p>

<p>
	These incidents can involve people trying to extort cryptocurrency from people with large stashes—although some violence services have been used by feuding online groups. “Unless these platforms get taken down, or more actors get punished, both in the US and abroad, it's just going to continue to rise,” Larsen says. “Particularly as cryptocurrency becomes more adopted by more people.”
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>Few Doxing Protections</strong></span>
</p>

<p>
	 
</p>

<p>
	Globally, few legal protections against doxing exist—although elements may fall under stalking, harassment, or data protection legislation. “Laws worldwide are simply not fit to provide protection,” says Amanda Manyame, digital rights adviser at Equality Now, a feminist human rights NGO. “Victims have no way to swiftly regain control of information that has been published with the intent to harass, intimidate, and/or harm them.”
</p>

<p>
	 
</p>

<p>
	“The prompt takedown of doxing-related content is very important for victims, and governments need to enact laws that mandate the removal of such content within 24 hours,” Manyame says, with Equality Now’s research stating that doxing can “disproportionately” impact women and girls.
</p>

<p>
	 
</p>

<p>
	Indicating the challenges of getting information removed, Doxbin publishes a transparency report—mimicking the practices of Big Tech platforms—listing the number of removal requests it receives. Around 160 requests from lawyers and local and national law enforcement bodies are listed from 27 countries, Larsen says, with the majority being denied as they don’t break Doxbin’s limited terms of service.
</p>

<p>
	 
</p>

<p>
	While legal routes to getting data removed are slim, there are steps people can take to limit some of the impacts linked to doxing and wider online privacy abuses. At an individual level, Larsen says, common cybersecurity measures can help, including not reusing passwords across apps and websites, locking down social media accounts and not posting photos and personal information, and turning on multifactor authentication for as many accounts as possible. For people wanting to go further, using usernames and emails not linked to the same email address or online handle is a potential first step.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/doxing-extortion-violence-as-service/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24803</guid><pubDate>Thu, 08 Aug 2024 13:59:03 +0000</pubDate></item><item><title>This cyberattack downgrades your version of Windows to one unprotected against attacks</title><link>https://nsaneforums.com/news/security-privacy-news/this-cyberattack-downgrades-your-version-of-windows-to-one-unprotected-against-attacks-r24802/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Your Windows device could be downgraded by this attack</span>
</p>

<p>
	 
</p>

<p>
	A version-rollback vulnerability has been discovered by a cybersecurity researcher that allows a fully patched Windows machine to be downgraded to an older version, allowing the exploitation of previously patched zero-days and vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Alon Leviev unveiled his findings at Black Hat USA 2024 and DEF CON 32 (2024) as a tool named Windows Downdate.
</p>

<p>
	 
</p>

<p>
	Leviev says the tool can be used to make “the term ‘fully patched’ meaningless on any Windows machine in the world.”
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Windows Downdate</strong></span>
</p>

<p>
	 
</p>

<p>
	Leviev started their journey with the aim of discovering a version-rollback exploit using Windows Update as a starting point. It turned out Windows Update had a significant flaw that allowed for a full takeover of the update process, including downgrading Windows versions.
</p>

<p>
	 
</p>

<p>
	By also exploiting access to critical OS components, including dynamic link libraries (DLLs), drivers, and the NT kernel, Leviev was able to have the Windows machine report that it was fully updated and unable to download any updates, without recovery and scanning tools detecting anything out of the ordinary.
</p>

<p>
	 
</p>

<p>
	Leviev also discovered that the virtualization stack could be tampered with, exposing a number of previously secure applications to previously patched privilege escalation vulnerabilities, with Credential Guard’s Isolated User Mode process, the Secure Kernel, and Hyper-V’s hypervisor all being susceptible.
</p>

<p>
	 
</p>

<p>
	Finally, Windows virtualization-based security (VBS) was also disabled even when secured by UEFI locks. This allowed Leviev to also disable security features such as Credential Guard and Hypervisor-Protected Code Integrity. To Leviev’s knowledge, “this is the first time VBS’s UEFI locks have been bypassed without physical access.”
</p>

<p>
	 
</p>

<p>
	Leviev offers a number of suggestions to make operating systems less vulnerable to downgrade attacks, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		    Researching and implementing security measures that check for and prevent the downgrade of critical OS components.
	</li>
	<li>
		    Reviewing all design features as an attack surface, even old ones.
	</li>
	<li>
		    Researching in-the-wild attacks to evaluate whether other components or areas are vulnerable to attack.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/this-cyberattack-downgrades-your-version-of-windows-to-one-unprotected-against-attacks" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24802</guid><pubDate>Thu, 08 Aug 2024 13:54:47 +0000</pubDate></item></channel></rss>
