<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/38/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>A Flaw in Windows Update Opens the Door to Zombie Exploits</title><link>https://nsaneforums.com/news/security-privacy-news/a-flaw-in-windows-update-opens-the-door-to-zombie-exploits-r24781/</link><description><![CDATA[<h3>
	A researcher found a vulnerability that would let hackers strategically downgrade a target’s Windows version to reexpose patched vulnerabilities. Microsoft is working on fixes for the issue.
</h3>

<p>
	New research being presented at the <a href="https://www.wired.com/tag/black-hat/" rel="external nofollow">Black Hat</a> security conference in Las Vegas today shows that a vulnerability in Windows Update could be exploited to downgrade Windows to older versions, exposing a slew of historical vulnerabilities that then can be exploited to gain full control of a system. Microsoft says that it is working on a complex process to carefully patch the issue, dubbed “Downdate.”
</p>

<p>
	 
</p>

<p>
	Alon Leviev, the SafeBreach Labs researcher who discovered the flaw, says he started looking for possible downgrade attack methods after seeing that a startling hacking campaign from last year <a href="https://arstechnica.com/information-technology/2023/03/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw/2/" rel="external nofollow">was using a type of malware</a> (known as the “BlackLotus UEFI bootkit”) that relied on downgrading the Windows boot manager to an old, vulnerable version. After probing the Windows Update flow, Leviev discovered a path to strategically downgrading Windows—either the entire operating system or just specifically chosen components. From there, he developed a proof-of-concept attack that utilized this access to disable the Windows protection known as Virtualization-Based Security (VBS) and ultimately target highly privileged code running in the computer's core “kernel.”
</p>

<p>
	 
</p>

<p>
	“I found a downgrade exploit that is fully undetectable because it is performed by using Windows Update itself,” which the system trusts, Leviev told WIRED ahead of his conference talk. “In terms of invisibility, I didn't uninstall any update—I basically updated the system even though under the hood it was downgraded. So the system is not aware of the downgrade and still appears up-to-date.”
</p>

<p>
	 
</p>

<p>
	Leviev's downgrade capability comes from a flaw in the components of the Windows Update process. To perform an upgrade, your PC places what is essentially a request to update in a special update folder. It then presents this folder to the Microsoft update server, which checks and confirms its integrity. Next, the server creates an additional update folder for you that only it can control, where it places and finalizes the update and also stores an action list—called “pending.xml”—that includes the steps of the update plan, such as which files will be updated and where the new code will be stored on your computer. When you reboot your PC, it takes the actions from the list and updates the software.
</p>

<p>
	 
</p>

<p>
	The idea is that even if your computer, including your update folder, is compromised, a bad actor can't hijack the update process because the crucial parts of it happen in the server-controlled update folder. Leviev looked closely at the different files in both the user's update folder and the server's update folder, though, and he eventually found that while he couldn't modify the action list in the server's update folder directly, one of the keys controlling it—called “PoqexecCmdline”—was not locked. This gave Leviev a way to manipulate the action list, and with it the entire update process, without the system realizing that anything was amiss.
</p>

<p>
	 
</p>


<p>
	With this control, Leviev then found strategies to downgrade multiple key components of Windows, including drivers, which coordinate with hardware peripherals; dynamic link libraries, which contain system programs and data; and, crucially, the NT kernel, which contains the most core instructions for a computer to run. All of these could be downgraded to older versions that contain known, patched vulnerabilities. And Leviev even cast a wider net from there, to find strategies for downgrading Windows security components including the Windows Secure Kernel; the Windows password and storage component Credential Guard; the hypervisor, which creates and oversees virtual machines on a system; and VBS, the Windows virtualization security mechanism.
</p>

<p>
	 
</p>


<p>
	The technique does not include a way to first gain remote access to a victim device, but for an attacker who already has initial access, it could enable a true rampage, because Windows Update is such a trusted mechanism and can reintroduce a vast array of dangerous vulnerabilities that have been fixed by Microsoft over the years. Microsoft says that it has not seen any attempts to exploit the technique.
</p>

<p>
	 
</p>

<p>
	“We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption,” a Microsoft spokesperson told WIRED in a statement.
</p>

<p>
	 
</p>

<p>
	Part of the company's fix involves revoking vulnerable VBS system files, which must be done carefully and gradually, because it could cause integration issues or reintroduce other, unrelated problems that were previously addressed by those same system files.
</p>

<p>
	 
</p>

<p>
	Leviev emphasizes that downgrade attacks are an important threat for the developer community to consider as hackers endlessly seek paths into target systems that are stealthy and difficult to detect.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/windows-update-downdate-exploit/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">24781</guid><pubDate>Wed, 07 Aug 2024 17:53:50 +0000</pubDate></item><item><title>This Caller Does Not Exist: Using AI to Conduct Vishing Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/this-caller-does-not-exist-using-ai-to-conduct-vishing-attacks-r24771/</link><description><![CDATA[<p>
	 
</p>

<p>
	As technology advances, threat actors increasingly leverage these innovations to conduct social engineering attacks including vishing, targeting the human element that technical controls often cannot fully safeguard.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>What is Vishing?</strong></span>
</p>

<p>
	 
</p>

<p>
	Voice phishing, also known as Vishing, is a type of social engineering attack that uses phone calls or audio messages as a delivery method. These calls deceive people into divulging personal, financial or sensitive information. Vishing calls can also be used to convince people to carry out a malicious action such as resetting the password of a user account or transferring money to a threat actor’s bank account.
</p>

<p>
	 
</p>

<p>
	Social engineering attacks are increasing year-over-year in complexity, sophistication, and frequency. Threat actors are looking for alternative attack paths as defensive technologies improve at detecting, mitigating and stopping cyberattacks. These technological advancements are apparent in the prolific use of artificial intelligence and machine learning in defensive operations. However, AI is also being used in offensive operations. In this blog post, GuidePoint’s Threat and Attack Simulation Team (TAS) will explore how threat actors can leverage AI-generated voices to social engineer their targets and provide guidance on how to protect you and your organization.
</p>

<p>
	 
</p>

<p>
	The following is a quick reference on the tools and platforms used in this post:
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="color:#2980b9;"><strong>ElevenLabs</strong></span> – Used to create AI-generated voices using text-to-speech or speech-to-speech capabilities. Voices can also be cloned by uploading a one-minute video or soundbite.
	</li>
	<li>
		<span style="color:#2980b9;"><strong>Soundux</strong> </span>– A free and open-source soundboard that can be used to play AI-generated speech during a phone call.
	</li>
	<li>
		<span style="color:#2980b9;"><strong>Voicemeeter</strong></span> – An audio mixer application that can create virtual sound cards and allow Soundux audio to be used in voice-over-internet protocol (VoIP) calls or virtual meetings. Background sounds can also be introduced to add legitimacy to these attacks.
	</li>
	<li>
		<span style="color:#2980b9;"><strong>Google Voice</strong> </span>– A VoIP provider that can place phone calls from a computer.
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Use Cases and Scenarios</strong></span>
</p>

<p>
	 
</p>

<p>
	Threat actors routinely use social engineering attacks to go after “high-value” targets. What makes a person a “high-value” target? It depends on the threat actor, but typically an attacker is going to target someone who has access to:
</p>

<p>
	 
</p>

<ul>
	<li>
		Sensitive financial information.
	</li>
	<li>
		Intellectual property.
	</li>
	<li>
		Internal servers or data centers.
	</li>
</ul>

<p>
	 
</p>

<p>
	No matter what job role a person has, they have access to information that threat actors want. This means that everyone is a potential target for social engineering attacks. The following scenarios are real-world examples of social engineering attacks where a threat actor uses AI-generated voices.
</p>

<p>
	 
</p>

<ul>
	<li>
		A threat actor discovers an interview featuring the CEO of a company. Using this audio, the CEO’s voice is cloned using AI. The threat actor then calls a subsidiary company to request a wire transfer and receives $243,000. (<span style="color:#2980b9;">Source: Forbes</span>)
	</li>
	<li>
		A threat actor discovers valid credentials in a data breach. They clone the voice of an employee using AI and contact the company’s IT help desk. The threat actor convinces the IT help desk to reset the user’s multi-factor authentication profile. After gaining access to the internal network, the threat actor deploys ransomware causing nearly $100,000,000 in damages. (<span style="color:#2980b9;">Source: CyberArk</span>)
	</li>
</ul>

<p>
	 
</p>

<p>
	The best way to defend against these attacks is by educating ourselves on how threat actors operate, and to become familiar with the tools, techniques and procedures used to carry out these attacks.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Why Use Text-To-Speech?</strong></span>
</p>

<p>
	 
</p>

<p>
	Real-time voice changing using AI-generated voice files can be challenging and it isn’t as realistic as text-to-speech. The current technology for real-time voice changing isn’t convincing enough. However, with the current speed of innovation regarding AI voice technology, that may change very soon!
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Generating AI Voices</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="color:#2980b9;">ElevenLabs</span> offers free and paid subscription plans to create AI-generated audio. While the default voices provided by ElevenLabs work well, they sound more like a voiceover for a commercial than a user calling to reset their password.
</p>

<p>
	 
</p>

<p>
	ElevenLabs has a voice library that includes various voice models that can better handle natural speech. This can be accessed by navigating to the “Voices” tab, then to “Voice Library”.
</p>

<p>
	 
</p>

<p>
	Advanced filters can be applied to determine the type of voice, age, language, and accent used by clicking the filter button on the right side of the filter bar.
</p>

<p>
	 
</p>

<p>
	The voice you pick will be added under your “Voices” tab where you can generate audio from text.
</p>

<p>
	 
</p>

<p>
	Each voice can be modified to change the tone and overall sound of the generated audio. This is also where you can clone a voice using existing audio or video. This is a premium feature and requires a paid subscription, but any custom voices will be saved within the “VoiceLab” tab.
</p>

<p>
	 
</p>

<p>
	Using the Multilingual model, audio can be produced in multiple languages depending on the prompt. Various modifications can be made to change how the AI voice sounds.
</p>

<p>
	 
</p>

<ul>
	<li>
		Stability will determine how “natural” the voice sounds. A more variable setting percentage will add intonation, inflection, and tone to different areas of the prompt.
	</li>
	<li>
		A higher similarity will make the AI voice sound more robotic. Each voice model is unique, and some may require changes to the similarity setting percentage to sound more “natural”.
	</li>
	<li>
		Some voice models will allow you to change the style exaggeration percentage. Think of this as increasing the emotions in a message.
	</li>
</ul>

<p>
	 
</p>

<p>
	These can sometimes sound jarring, and with each model being unique, there will need to be minor changes to get the audio to sound perfect.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Adding Pauses, Stammering and Filler Words</strong></span>
</p>

<p>
	 
</p>

<p>
	To better mirror natural speaking, you can add special tags within the prompt that will make the AI voice pause or throw in some “uhhs” or “ahhs” between words.
</p>

<p>
	 
</p>

<p>
	Adding a break tag will make the voice pause. Keep in mind that the maximum pause is three seconds.
</p>

<p style="margin-left:40px;">
	<br />
	“This is an example of what my AI voice will say” &lt;break time="2.5s" /&gt; “After a short break I am back!”
</p>

<p>
	 
</p>

<p>
	Additional stammering or filler phrases can be added by using an ellipsis (…) between words.
</p>

<p style="margin-left:40px;">
	<br />
	… This is an example of what my AI voice will say … Let’s get to hacking!
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	Sometimes the audio might be too rushed, or there might be a pause in the wrong place. You can regenerate the speech and get a new audio file.
</p>

<p>
	 
</p>

<p>
	These audio files can also be slowed down using free audio editing software such as Audacity. After installing Audacity and opening the audio file, the sound clip can be slowed down without changing the pitch by first selecting the clip, then by clicking the “Effect” tab. Next, expand the “Pitch and Tempo” submenu, and select “Change Speed and Pitch”.
</p>

<p>
	 
</p>

<p>
	Save the generated or edited files locally in a new project folder. This project folder will be used later by Soundux to play the AI-generated audio through a phone call. Name each file after its prompt; this will make it easier to find the sentence you want to play on the call.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Creating Prompts</strong></span>
</p>

<p>
	 
</p>

<p>
	Good storytellers have captivated people for millennia. Social engineering attacks are like stories: threat actors imitate the reality we see around us to deceive and trick people into acting. Threat actors can be thought of as theatrical actors in the sense that developing a realistic attack scenario or pretext requires a sense of acting.
</p>

<p>
	 
</p>

<p>
	Have you ever called an IT help desk or technical support about an annoying issue? Social engineering attacks follow the same conventions and conversational flow.
</p>

<p>
	 
</p>

<p>
	“Thank you for calling the Acme co-helpdesk, this is Adam speaking.”
</p>

<p>
	 
</p>

<p>
	“Hey there Adam, this is James Doe. I’m hoping you can help me out here, I tried changing my password on my own and it didn’t work. Can you give me a temporary password so I can get back to work?”
</p>

<p>
	 
</p>

<p>
	These conversational flows can be pre-scripted; writing out a response to every possible question or reaction allows a threat actor to have an AI-generated response ready for any situation.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Creating a Sound Board</strong></span>
</p>

<p>
	 
</p>

<p>
	Once the voice files are saved, they will be played using Soundux, a free and open-source soundboard project. A Soundux installer <span style="color:#2980b9;">can be found here</span>, or the executable can be compiled from the source code from the project’s <span style="color:#2980b9;">GitHub</span> <span style="color:#2980b9;">repository.</span>
</p>

<p>
	 
</p>

<p>
	Soundux may produce an error about the audio output. Because we are using a custom audio engine, this error can be ignored.
</p>

<p>
	 
</p>

<p>
	After installing the software, configure Soundux to use the audio project folder that was created earlier by clicking “Add Tab”. This will import the audio files and allow them to be played.
</p>

<p>
	 
</p>

<p>
	Afterward, click “Reload” to import the audio files. Click on the title of the file and it will play it using your assigned output device.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Installing and Configuring the Audio Engine</strong></span>
</p>

<p>
	 
</p>

<p>
	Voicemeeter offers a free audio mixing engine that can create virtual sound ports on your machine. This means that you can route audio from a program like Soundux and use that audio as input to another program such as Google Voice or any other VoIP provider.
</p>

<p>
	 
</p>

<p>
	Voicemeeter Banana can be downloaded <span style="color:#2980b9;">here</span>.
</p>

<p>
	 
</p>

<p>
	Next, Voicemeeter and Soundux will be configured to work together. Within Soundux, change the “Output Device” to “Voicemeeter Input”.
</p>

<p>
	 
</p>

<p>
	This will force Soundux to output the AI-generated audio to Voicemeeter. The “Voicemeeter Input” value is enabled by default. To hear the AI-generated audio, “A1” must be enabled for the “Voicemeeter Input” column. Enabling “B1” will allow the audio to be played in a virtual port and used by other programs like a microphone. The following image explains each function within Voicemeeter.
</p>

<p>
	 
</p>

<p>
	Additional adjustments can be made such as increasing the bass of the audio by enabling the “EQ” in the virtual audio out column. The volume of the AI-generated voice can be lowered if needed using the fader gain slider in the same column.
</p>

<p>
	 
</p>

<p>
	Soundux should now output sound using Voicemeeter as an audio engine. The sound can be tuned and modified depending on the audio samples.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Conducting the Vishing Attack</strong></span>
</p>

<p>
	 
</p>

<p>
	VoIP providers such as Google Voice, Twilio, or Vonage can be used to make phone calls using a desktop computer. These aren’t the only platforms that can be used to carry out vishing attacks. Software such as Microsoft Teams, Zoom, or Cisco WebEx can be used to start audio calls. For example, a threat actor can impersonate an internal user, clone their voice, or create a voice within their demographic, and invite another person to an audio-only meeting.
</p>

<p>
	 
</p>

<p>
	For this example, Google Voice will be used to make phone calls.
</p>

<p>
	 
</p>

<p>
	After configuring a free phone number or transferring an existing phone number, Google Voice will need to be configured to use the virtual output of Voicemeeter as the microphone. These settings can be accessed by clicking the headset button shown below.
</p>

<p>
	 
</p>

<p>
	Configure the microphone within Google Voice and select “Voicemeeter Out B1”. Ensure “B1” is enabled under the “Voicemeeter Input” column. Next, set the ringing and speaker settings to “Voicemeeter AUX Input”. The following image highlights the associated areas in their respective colors.
</p>

<p>
	 
</p>

<p>
	Make a test call using <span style="color:#2980b9;">Google Voice</span> to test the attack and adjust the output of the AI-generated voice as needed. To adjust the volume of the AI voice, lower the fader gain in the first virtual output column as seen below.
</p>

<p>
	 
</p>

<p>
	Click each audio clip within Soundux that your AI voice should say during the conversation. The audio of the person on the call will be output to your headphones or speakers, allowing you to quickly reply as if you were talking on the phone.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Defending Against AI Vishing Attacks</strong></span>
</p>

<p>
	 
</p>

<p>
	As the use of AI increases, so will the abuse of AI. Threat actors will always update their tactics to match the latest advances in technology. There are some ways to protect your organization and protect yourself. The term “trust but verify” is at the core of defending against vishing attacks.
</p>

<p>
	 
</p>

<ul>
	<li>
		Educate users on the rise of AI-based social engineering attacks. Users not only need to closely monitor emails but phone calls and meetings as well. Implement this education within your security awareness training.
	</li>
	<li>
		Implement strong identity verification steps across help desks and support groups. Ensure that phone calls are verified with a form of multi-factor authentication (MFA).
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>What Does Strong Identity Verification Look Like?</strong></span>
</p>

<p>
	 
</p>

<p>
	The first step would be to move away from only requiring personal information as a verification measure. Threat actors often conduct reconnaissance on their victims ahead of an attack, looking for birthdates, addresses, pets, or the names of people’s children. All this information can be found on social media, public records, or public data leaks.
</p>

<p>
	 
</p>

<p>
	If a user calls the help desk requesting any activity that could change the details of an account such as a password, or a multi-factor authentication token, the term “trust but verify” should come into effect. One way to stop vishing attacks is to require a physical method to verify their identity.
</p>

<p>
	 
</p>

<p>
	If a user requests a password reset, the help desk can send a push notification or request a verification code from their device that handles multi-factor authentication. A remote threat actor would need to have physical access to the legitimate user’s device or carry out extensive attacks to gain access to their phone or physical authentication device.
</p>

<p>
	 
</p>

<p>
	“Trust but verify” also applies to your personal life. Threat actors don’t only target organizations and governments but increasingly target everyday people directly.
</p>

<p>
	 
</p>

<p>
	We all get phone calls from trusted sources, some of which may require sensitive information. A good measure is to call them back directly and request some form of authentication. This will rule out caller ID spoofing and get you one step closer to verifying the call. Perhaps they could send a push notification to your phone or send you an email to verify the call.
</p>

<p>
	 
</p>

<p>
	No matter what, properly verifying communications can mitigate the risk of a successful social engineering attack. As the threat landscape changes and technology progresses, we all must have a sense of caution and “trust but verify” as a standard moving forward.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://securityboulevard.com/2024/08/this-caller-does-not-exist-using-ai-to-conduct-vishing-attacks/" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">24771</guid><pubDate>Wed, 07 Aug 2024 14:53:53 +0000</pubDate></item><item><title>New Linux kernel attack slips past modern defenses &#x2014; SLUBStick boasts a 99% success rate</title><link>https://nsaneforums.com/news/security-privacy-news/new-linux-kernel-attack-slips-past-modern-defenses-%E2%80%94-slubstick-boasts-a-99-success-rate-r24770/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Attack vector boasts 99% success rate under many conditions</span>
</p>

<p>
	 
</p>

<p>
	Researchers at the Graz University of Technology in Austria have found a new cross-cache attack (PDF) that can bypass modern kernel defenses and provide arbitrary read and write access. The exploits involved affect Linux kernel versions 5.19 and 6.2.
</p>

<p>
	 
</p>

<p>
	The team has dubbed the attack technique SLUBStick. This attack vector takes advantage of memory reuse of the kernel allocator in a novel way, making it more reliable than most other cross-cache attacks. Whereas most cross-cache attacks have a success rate of just 40%, the researchers pushed SLUBStick to a 99% success rate for frequently used generic caches.
</p>

<p>
	 
</p>

<p>
	This success rate comes despite the modern security protections available for the Linux kernel. Recognizing the susceptibility of the Linux kernel to memory safety vulnerabilities, researchers and kernel developers have included defenses to inhibit the success of cross-cache attacks.
</p>

<p>
	 
</p>

<p>
	SLUBStick, however, is capable of bypassing Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR). The researchers note that existing kernel defenses promise to reduce SLUBStick’s threat, but none currently provide comprehensive protection. Therefore, the danger of exploitation via SLUBStick is still natural, even with kernel defenses in use.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>CVEs tested using SLUBStick attack vector</strong></span>
</p>

<p>
	 
</p>

<table>
	<thead>
		<tr>
			<th colspan="1" style="text-align:left;">
				CVE
			</th>
			<th colspan="1" style="text-align:left;">
				Capability
			</th>
			<th colspan="1" style="text-align:left;">
				Cache
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td colspan="1" style="text-align:left;">
				CVE-2023-21400
			</td>
			<td colspan="1" style="text-align:left;">
				Double Free
			</td>
			<td colspan="1" style="text-align:left;">
				kmalloc-32
			</td>
		</tr>
		<tr>
			<td colspan="1" style="text-align:left;">
				CVE-2023-3609
			</td>
			<td colspan="1" style="text-align:left;">
				Use After Free
			</td>
			<td colspan="1" style="text-align:left;">
				kmalloc-96
			</td>
		</tr>
		<tr>
			<td colspan="1" style="text-align:left;">
				CVE-2022-32250
			</td>
			<td colspan="1" style="text-align:left;">
				Use After Free
			</td>
			<td colspan="1" style="text-align:left;">
				kmalloc-64
			</td>
		</tr>
		<tr>
			<td colspan="1" style="text-align:left;">
				CVE-2022-29582
			</td>
			<td colspan="1" style="text-align:left;">
				Use After Free
			</td>
			<td colspan="1" style="text-align:left;">
				files_cachep
			</td>
		</tr>
		<tr>
			<td colspan="1" style="text-align:left;">
				CVE-2022-27666
			</td>
			<td colspan="1" style="text-align:left;">
				Out Of Bounds
			</td>
			<td colspan="1" style="text-align:left;">
				kmalloc-4096
			</td>
		</tr>
		<tr>
			<td colspan="1" style="text-align:left;">
				CVE-2022-2588
			</td>
			<td colspan="1" style="text-align:left;">
				Double Free
			</td>
			<td colspan="1" style="text-align:left;">
				kmalloc-192
			</td>
		</tr>
		<tr>
			<td colspan="1" style="text-align:left;">
				CVE-2022-0995
			</td>
			<td colspan="1" style="text-align:left;">
				Out Of Bounds
			</td>
			<td colspan="1" style="text-align:left;">
				kmalloc-96
			</td>
		</tr>
		<tr>
			<td colspan="1" style="text-align:left;">
				CVE-2021-4157
			</td>
			<td colspan="1" style="text-align:left;">
				Out Of Bounds
			</td>
			<td colspan="1" style="text-align:left;">
				kmalloc-64
			</td>
		</tr>
		<tr>
			<td colspan="1" style="text-align:left;">
				CVE-2021-3492
			</td>
			<td colspan="1" style="text-align:left;">
				Double Free
			</td>
			<td colspan="1" style="text-align:left;">
				kmalloc-4096
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	SLUBStick takes advantage of a heap vulnerability in Linux’s memory management to gain elevated privileges, break out of sandbox environments in virtual machines, and gain root access to the host system. Even worse, the technique uses a side-channel exploit to observe memory usage and determine the exact moment of whether or not to reallocate a memory hash. This means that SLUBStick can predict and control memory reuse to increase its success rate.
</p>

<p>
	 
</p>

<p>
	For SLUBStick to work, attackers need local access to the attacked Linux system. The attack also requires the presence of a heap vulnerability in the Linux kernel, which has been found in both the 5.19 Linux kernel and the 6.2 kernel.
</p>

<p>
	 
</p>

<p>
	The researchers systematically analyzed the attack on the two Linux kernel versions, finding that SLUBStick was effective on the generic caches from kmalloc-08 through kmalloc-4096. Using a synthetic vulnerability and nine real-world CVEs, they tested the attack method to escalate privileges and gain root access.
</p>

<p>
	 
</p>

<p>
	SLUBStick was tested on both x86 and aarch64 virtual machines, and it is equally effective on Intel- and AMD-based processors and Arm CPUs. The team notes that the attack technique afforded by SLUBStick “greatly enhances the reliability of cross-cache attacks from generic caches and makes them practical for exploitation.” In other words, SLUBStick can make other attacks more successful and effective.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.tomshardware.com/tech-industry/cyber-security/new-linux-kernel-attack-slips-past-modern-defenses" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24770</guid><pubDate>Wed, 07 Aug 2024 14:37:33 +0000</pubDate></item><item><title>'Criminals are preying on Windows users': Software subject of CISA, cybersecurity warnings</title><link>https://nsaneforums.com/news/security-privacy-news/criminals-are-preying-on-windows-users-software-subject-of-cisa-cybersecurity-warnings-r24757/</link><description><![CDATA[<p>
	The U.S. Cybersecurity and Infrastructure Security Agency added a vulnerability in Microsoft's Windows 10 software to a list of exploited security weak spots.
</p>

<p>
	 
</p>

<p>
	CISA said that "Microsoft COM for Windows contains a deserialization of untrusted data vulnerability that allows for privilege escalation and remote code execution," in a listing added to the agency's Known Exploited Vulnerability Catalog Monday.
</p>

<p>
	 
</p>

<p>
	The listing advised users to stop using software or utilize a patch through Windows.
</p>

<p>
	 
</p>

<p>
	CISA said that it did not know if the vulnerability, titled CVE-2018-0824, had been used in a ransomware campaign, but a Cisco Talos report released Thursday said that a Chinese hacking group utilized the vulnerability in an attack on a Taiwanese government research center. The report said the center was "likely compromised."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Second organization issues Windows warning</strong></span>
</p>

<p>
	 
</p>

<p>
	CISA was not the only organization to issue a warning to Windows users Monday.
</p>

<p>
	 
</p>

<p>
	"Criminals are preying on Windows users yet again, this time in an effort to hit them with a keylogger that can also steal credentials and take screenshots," enterprise technology news site the Register reported Monday.
</p>

<p>
	 
</p>

<p>
	The outlet reported that FortiGuard Labs, Fortinet's threat research team, had observed an uptick in attacks delivering SnakeKeylogger. The malware is known to steal credentials and record keystrokes on infected machines.
</p>

<p>
	 
</p>

<p>
	It was originally sold on a subscription basis on Russian crime forums and became a major threat in 2020, according to the Register.
</p>

<p>
	 
</p>

<p>
	In 2022 Check Point Research, a cyber security firm, warned that the malware, "is usually spread through emails that include docx or xlsx attachments with malicious macros," and through PDF files.
</p>
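<p>
	An added example, not from the USA Today report or from Check Point or Fortinet: a Python triage routine for the two delivery vectors named above, Office attachments carrying macros and PDFs carrying active content. It looks for the vbaProject.bin part inside a .docx/.xlsx/.pptx container (and for the package declaring one in [Content_Types].xml), and for the PDF name keys that trigger code or launch behaviour, folding PDF #xx name escapes first so /J#61vaScript is not missed. The sample documents are constructed in memory; the function names are the example's own.
</p>

```python
import io
import re
import zipfile
from typing import List

# OOXML parts that hold VBA code; any of these present means the document is macro-enabled,
# whatever extension it was mailed with. The content type is how the package itself declares them.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# PDF name keys that trigger code or launch behaviour when the file is opened.
PDF_RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")


def find_macros(data: bytes) -> List[str]:
    """Return the VBA-related parts found in an OOXML (docx/xlsx/pptx) payload; [] if none or not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            hits = [p for p in MACRO_PARTS if p in names]
            if not hits and "[Content_Types].xml" in names:
                # A renamed or relocated vbaProject still has to be declared here
                if MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml").decode("utf-8", "replace"):
                    hits.append("[Content_Types].xml declares a vbaProject part")
            return hits
    except zipfile.BadZipFile:
        return []   # legacy OLE .doc/.xls is not a zip; it needs an OLE parser, not this check


def _fold_pdf_name_escapes(data: bytes) -> bytes:
    """PDF names may be written with #xx escapes (/J#61vaScript); decode them so plain matching works."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def find_pdf_risky_keys(data: bytes) -> List[str]:
    """Return the risky PDF name keys present in the raw (uncompressed) object syntax."""
    if not data.startswith(b"%PDF"):
        return []
    folded = _fold_pdf_name_escapes(data)
    # the lookahead stops /JS from matching inside an unrelated longer name
    return [k.decode() for k in PDF_RISKY_KEYS if re.search(re.escape(k) + rb"(?![A-Za-z])", folded)]


def triage(data: bytes) -> str:
    """Classify one attachment body: 'macro', 'active-pdf' or 'clean'."""
    if find_macros(data):
        return "macro"
    if find_pdf_risky_keys(data):
        return "active-pdf"
    return "clean"


def _build_docx(with_macro: bool) -> bytes:
    """Constructed minimal Word package for the demo; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
                 'officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            types += '<Override PartName="/word/vbaProject.bin" ContentType="' + MACRO_CONTENT_TYPE + '"/>'
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
        zf.writestr("[Content_Types].xml", types + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed samples standing in for mailed attachments.
SAMPLE_CLEAN_DOCX = _build_docx(False)
SAMPLE_MACRO_DOCX = _build_docx(True)
SAMPLE_ACTIVE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                     b"2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
SAMPLE_PLAIN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in [("invoice.docx", SAMPLE_CLEAN_DOCX), ("invoice.docm", SAMPLE_MACRO_DOCX),
                        ("statement.pdf", SAMPLE_ACTIVE_PDF), ("brochure.pdf", SAMPLE_PLAIN_PDF)]:
        print(f"{label:<16} {triage(blob)}")
```

<p>
	The script does not parse legacy OLE .doc/.xls files and does not inflate compressed PDF object streams, both of which hide these markers from a byte scan; treat a "clean" verdict as "nothing obvious", not as "safe".
</p>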

<p>
	 
</p>

<p>
	The warnings come on the heels of the CrowdStrike outage in July, in which a defective software update left Windows machines unusable for hours.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.usatoday.com/story/tech/news/2024/08/06/windows-vunerabilities-hackers/74694219007/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24757</guid><pubDate>Wed, 07 Aug 2024 00:38:26 +0000</pubDate></item><item><title>INTERPOL Recovers $41 Million in Largest Ever BEC Scam in Singapore</title><link>https://nsaneforums.com/news/security-privacy-news/interpol-recovers-41-million-in-largest-ever-bec-scam-in-singapore-r24756/</link><description><![CDATA[<p>
	INTERPOL said it devised a "global stop-payment mechanism" that helped facilitate the largest-ever recovery of funds defrauded in a business email compromise (BEC) scam.
</p>

<p>
	 
</p>

<p>
	The development comes after an unnamed commodity firm based in Singapore fell victim to a BEC scam in mid-July 2024. It refers to a type of cybercrime where a malicious actor poses as a trusted figure and uses email to trick targets into sending money or divulging confidential company information.
</p>

<p>
	 
</p>

<p>
	Such attacks can take place in myriad ways, including gaining unauthorized access to a finance employee's or a law firm's email account to send fake invoices, or impersonating a third-party vendor to email a phony bill.
</p>

<p>
	 
</p>

<p>
	"On 15 July, the firm had received an email from a supplier requesting that a pending payment be sent to a new bank account based in Timor-Leste," INTERPOL said in a press statement. "The email, however, came from a fraudulent account spelled slightly different to the supplier's official email address."
</p>
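<p>
	An added example, not from INTERPOL or The Hacker News: a Python check for exactly the trick described in the statement, a sender domain spelled slightly differently from a supplier's real one. It folds common confusable characters (digits for letters, "rn" for "m", a handful of Cyrillic letters), computes edit distance against a list of trusted supplier domains, and also catches the trusted name embedded as a subdomain of an attacker-controlled domain. The supplier list and From: headers are constructed and refer to no real organisation.
</p>

```python
import unicodedata
from typing import Iterable, List, Optional

# Visually confusable substitutions an attacker uses in a lookalike domain, folded to the
# character they imitate before comparison. Cyrillic letters are written as escapes for clarity.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def canonical(domain: str) -> str:
    """Lower-case, Unicode-normalise and fold confusables so lookalikes compare equal to the target."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip(".").lower())
    d = d.translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), classic dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Domain of the actual addr-spec; a display name may carry a decoy address, so prefer the <...> part."""
    if "<" in header_value and header_value.rfind(">") > header_value.rfind("<"):
        header_value = header_value[header_value.rfind("<") + 1:header_value.rfind(">")]
    return header_value.rsplit("@", 1)[-1].strip().lower()


def check_sender(header_value: str, trusted_domains: Iterable[str], max_distance: int = 2) -> Optional[str]:
    """None for an exact trusted domain or an unrelated one; otherwise a short reason the sender is suspect."""
    dom = sender_domain(header_value)
    trusted = [t.lower() for t in trusted_domains]
    if dom in trusted:
        return None
    cd = canonical(dom)
    for t in trusted:
        ct = canonical(t)
        if cd == ct:
            return f"homoglyph of {t}"
        dist = levenshtein(cd, ct)
        if dist <= max_distance:
            return f"lookalike of {t} (edit distance {dist})"
        if cd.startswith(ct + "."):
            return f"trusted name {t} embedded in a longer domain"
    return None


# Constructed supplier list and From: headers for the demo (none are real organisations).
TRUSTED_SUPPLIERS = ["acme-commodities.example", "lawfirm.example"]
SAMPLE_FROM_HEADERS = [
    "Acme Billing <billing@acme-commodities.example>",            # genuine
    "Acme Billing <billing@acme-cornmodities.example>",           # rn -> m
    "billing@acme-c0mmodities.example",                           # zero for o
    "billing@acme-c\u043emmodities.example",                      # Cyrillic o
    "billing@acme-comodities.example",                            # one letter dropped
    "billing@acme-commodities.example.payments-update.example",   # trusted name as a subdomain
    "newsletter@unrelated.example",                               # unrelated, should pass
]


def screen(headers: Iterable[str], trusted: Iterable[str]) -> List[str]:
    """Return the headers that should be held for review, i.e. those with a non-None verdict."""
    return [h for h in headers if check_sender(h, trusted) is not None]


if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(f"{h:<62} -> {check_sender(h, TRUSTED_SUPPLIERS) or 'ok'}")
```

<p>
	A check like this is a mail-flow signal, not a payment control: the defence the INTERPOL case actually points at is confirming any change of supplier bank account through a channel other than the email that requested it.
</p>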

<p>
	 
</p>

<p>
	The Singaporean company is said to have transferred $42.3 million to the non-existent supplier on July 19, only for it to realize the blunder on July 23 after the actual supplier said it had not been compensated.
</p>

<p>
	 
</p>

<p>
	However, by taking advantage of INTERPOL's Global Rapid Intervention of Payments (I-GRIP) mechanism, authorities in Singapore traced $39 million of the funds and froze the fraudulent bank account a day later.
</p>

<p>
	 
</p>

<p>
	Separately, seven suspects have been arrested in the Southeast Asian nation in connection with the scam, leading to the further recovery of $2 million.
</p>

<p>
	 
</p>

<p>
	Back in June, I-GRIP was used to trace and intercept the illicit proceeds stemming from fiat and cryptocurrency crime, successfully recovering millions and intercepting hundreds of thousands of BEC accounts as part of a global police operation named First Light.
</p>

<p>
	 
</p>

<p>
	"Since its launch in 2022, INTERPOL's I-GRIP mechanism has helped law enforcement intercept hundreds of millions of dollars in illicit funds," the agency said.
</p>

<p>
	 
</p>

<p>
	"INTERPOL is encouraging businesses and individuals to take preventative steps to avoid falling victim to business email compromise and other social engineering scams."
</p>

<p>
	 
</p>

<p>
	The disclosure follows the law enforcement seizure of an online digital wallet and cryptocurrency exchange known as Cryptonator for allegedly receiving criminal proceeds of computer intrusions and hacking incidents, ransomware scams, various fraud markets, and identity theft schemes.
</p>

<p>
	 
</p>

<p>
	Cryptonator, launched in December 2013 by Roman Boss, has also been accused of failing to institute appropriate anti-money laundering controls. The U.S. Justice Department indicted Boss for founding and operating the service.
</p>

<p>
	 
</p>

<p>
	Blockchain intelligence firm TRM Labs said the platform facilitated more than 4 million transactions worth a total of $1.4 billion, with Boss taking a small cut from each transaction. This comprised money exchanged with darknet markets, scam wallet addresses, high-risk exchanges, ransomware groups, crypto theft operations, mixers, and sanctioned addresses.
</p>

<p>
	 
</p>

<p>
	Specifically, cryptocurrency addresses controlled by Cryptonator transacted with darknet markets, virtual exchanges, and criminal marketplaces like Bitzlato, Blender, Finiko, Garantex, Hydra, Nobitex, and an unnamed terrorist entity.
</p>

<p>
	 
</p>

<p>
	"Hackers, darknet market operators, ransomware groups, sanctions evaders and other threat actors gravitated to the platform to exchange cryptocurrencies as well as cash out crypto into fiat currency," TRM Labs noted.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="crypto.png" class="ipsImage" data-ratio="75.10" height="540" width="685" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDWhzJ0ZNQe34yloIe0zEa7LyoVFrCaP7Dw4JnrmySI26bpz2qkRyjB9WAc1qtyntK3_Z5EO3Erovsboal-6Jdp_TVHwJnBqBg7Y0edYiBdZECyq1g2wWhcca3HLxrTKohemjWvugm8Lp0ASS_dT4D2d9OYMcrffCuKvZrK3nAatLBF1EcVGXrp8B3JJEf/s728-rw-e365/crypto.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The popularity of cryptocurrency has created plenty of opportunities for fraud, with threat actors constantly devising new ways to drain victims' wallets over the years.
</p>

<p>
	 
</p>

<p>
	Indeed, a recent report from Check Point found that fraudsters are abusing legitimate blockchain protocols like Uniswap and Safe.global to conceal their malicious activities and siphon funds from cryptocurrency wallets.
</p>

<p>
	 
</p>

<p>
	"Attackers leverage the Uniswap Multicall contract to orchestrate fund transfers from victims' wallets to their own," researchers said.
</p>

<p>
	 
</p>

<p>
	"Attackers have been known to use the Gnosis Safe contracts and framework, coaxing unsuspecting victims into signing off on fraudulent transactions."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/08/interpol-recovers-41-million-in-largest.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24756</guid><pubDate>Wed, 07 Aug 2024 00:33:17 +0000</pubDate></item><item><title>A New Plan to Break the Cycle of Destructive Critical Infrastructure Hacks</title><link>https://nsaneforums.com/news/security-privacy-news/a-new-plan-to-break-the-cycle-of-destructive-critical-infrastructure-hacks-r24752/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>As digital threats against US water, food, health care, and other vital sectors loom large, a new project called UnDisruptable27 aims to help fix cybersecurity weaknesses where other efforts have failed.</strong></span>
</p>

<p>
	 
</p>

<p>
	An endless parade of data breaches, brutally disruptive ransomware attacks, and crippling IT outages has somehow become the norm around the world. And in spite of escalating impacts to critical infrastructure and daily life, progress has been intermittent and often fleeting. Something's gotta give—and at the BSides Las Vegas security conference this week, a longtime critical-infrastructure security researcher is launching a project to communicate with utility operators, municipalities, and regular people in creative ways about both urgency and optimism around protecting critical infrastructure now.
</p>

<p>
	 
</p>

<p>
	Dubbed UnDisruptable27, the project will start as a pilot with a $700,000 grant for the first year through Craig Newmark Philanthropies' Cyber Civil Defense coalition. Led by Josh Corman, who was chief strategist for the US Cybersecurity and Infrastructure Security Agency's Covid Task Force, in collaboration with the Institute for Security and Technology (IST), the project will focus on the critical interdependence of water, food, emergency medical care, and power as the backbone of human safety. Corman says that the key goal is to foster new discourse about these challenges inspired by the disaster management tenets “inform, influence, inspire.” In other words, people need to understand the risks and feel empowered that they can take action.
</p>

<p>
	 
</p>

<p>
	“We are overdependent on undependable things. No one should feel comfortable with the potential for harm here with our current state of defense,” Corman told WIRED ahead of the announcement. “Our dependence on connected tech has grown faster than our ability to secure it. People have been doing good things, but public policy takes time, and I think this year we need to cross certain thresholds on the sense of urgency.”
</p>

<p>
	 
</p>

<p>
	One of Corman's main motivations to launch the effort as quickly as possible came from comments made during a January congressional hearing about the cybersecurity threat China poses to the US. In the hearing, then Cyber Command head and NSA director Paul Nakasone, Cybersecurity and Infrastructure Security Agency director Jen Easterly, FBI director Christopher Wray, and head of the Office of the National Cyber Director Harry Coker Jr. testified about pressing threats to US critical infrastructure, including specific campaigns the Chinese hacking group known as Volt Typhoon has been conducting to pre-position itself in US water infrastructure. The goal of this targeting is apparently to create leverage and a credible threat against the US as part of a Chinese plan to invade Taiwan, potentially in 2027.
</p>

<p>
	 
</p>

<p>
	“The budgets that emerge from discussions underway now will dictate what kind of resources we have ready in 2027, a year that, as this committee knows all too well, the CCP has circled on its calendar,” Wray told the US House of Representatives committee in January. “And that year will be on us before you know it. As I've described, the PRC is already today putting their pieces in place. I do not want those watching today to think we can't protect ourselves, but I do want the American people to know that we cannot afford to sleep on this danger.”
</p>

<p>
	 
</p>

<p>
	Having worked on embedded device security and critical infrastructure defense for years, including through the decade-old grassroots computer security and human safety initiative he founded known as I Am the Cavalry, Corman says that it felt significant that some of the nation's top intelligence officials were warning Congress of such specific threats to US infrastructure in an unclassified setting.
</p>

<p>
	 
</p>

<p>
	“It’s not just that the water goes out, it’s that when the sole wastewater facility in your community is down really bad things start to happen. For example, no water means no hospital,” he says. “I really encountered a lot of this during my leadership of the Covid Task Force. There is such interdependence across the basic functions of society.”
</p>

<p>
	 
</p>

<p>
	UnDisruptable27 will focus on interacting with communities who aren't reached by Washington, DC-based policy discussions or Information Sharing and Analysis Centers (ISACs), which are meant to represent each infrastructure sector of the US. The project aims to communicate directly with people who actually work on the ground in US critical infrastructure, and grapple together with the reality that cybersecurity-related disasters could impact their daily work.
</p>

<p>
	 
</p>

<p>
	“There’s a data breach, you get whatever services like identity protection for some period of time, and life carries on, and people think that there’s no long-term impact," says Megan Stifel, IST's chief strategy officer. “There’s this expectation that it’s fine, things will just continue. So we’re very interested in getting after this issue and thinking about how do we tackle critical infrastructure security with perhaps a new approach.”
</p>

<p>
	 
</p>

<p>
	Corman notes that even though cybersecurity incidents have become a well-known fact of life, business owners and infrastructure operators are often shaken and caught off guard when a cybersecurity incident actually affects them. Meanwhile, when government entities try to impose cybersecurity standards or become a partner on defense initiatives, communities often balk at the intrusion and perceived overreach. Last year, for example, the US Environmental Protection Agency withdrew new cybersecurity requirements for water systems after water-industry associations and Republican-led states challenged the rule in court.
</p>

<p>
	 
</p>

<p>
	“Time and time again, trade associations or lobbyists or owners and operators have an allergic reaction to oversight and say, ‘We prefer voluntary, we’re doing fine on our own,’” Corman says. “And they really are trying to do the right thing. But then also time and time again, people are just shocked that disruption could happen and feel very blindsided. So you can only conclude that the people who feel the pain of our failures are not included in the conversation. They deserve to understand the risks inherent in this level of connectivity. We’ve tried a lot of things, but we have not tried just leveling with people.”
</p>

<p>
	 
</p>

<p>
	UnDisruptable27 is launching this week for visibility among attendees at BSides as well as the other conferences, Black Hat and Defcon, that will run through Sunday in Las Vegas. Corman says that the goal is to combine the hacker mentality and, essentially, a call for volunteers with plans to work with creative collaborators on producing engaging content to fuel discourse and understanding. Information campaigns using memes and social media posts or moonshots like narrative podcasts and even reality TV are all on the table.
</p>

<p>
	 
</p>

<p>
	“We must prioritize the security, safety, and resilience of critical infrastructure—including water, health care facilities, and utilities," Craig Newmark, the Craigslist founder whose philanthropy is funding UnDisruptable27, told WIRED. "The urgency of this issue requires affecting human behavior through storytelling.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/undisruptable27-us-critical-infrastructure-cybersecurity/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24752</guid><pubDate>Tue, 06 Aug 2024 22:20:43 +0000</pubDate></item><item><title>Defeat censorship with Stealth, our new VPN protocol</title><link>https://nsaneforums.com/news/security-privacy-news/defeat-censorship-with-stealth-our-new-vpn-protocol-r24738/</link><description><![CDATA[<p>
	We’ve developed a new VPN protocol, Stealth, that can avoid detection and let you bypass internet censorship and VPN blocks.
</p>

<p>
	 
</p>

<p>
	We’re pleased to announce Stealth, a new, undetectable VPN protocol that can bypass most firewalls and VPN blocking methods. You’ll be able to bypass advanced VPN blocks, access censored sites, and communicate with people on social media, even if your government is trying to restrict access.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Why is Stealth needed?</strong></span>
</p>

<p>
	 
</p>

<p>
	In 2017, we launched Proton VPN because there was no trustworthy, reliable, and freely available VPN service. Our motivation was simple.
</p>

<p>
	 
</p>

<p>
	Because our services, such as Proton Mail, play a crucial role in ensuring freedom and privacy worldwide, we knew authoritarian governments would eventually try to block them.
</p>

<p>
	 
</p>

<p>
	But with Proton VPN, people can bypass those blocks and continue using Proton Mail. Over the past few years, Proton VPN has become an essential tool, helping ensure the free flow of information for tens of millions of people during crises and wars around the world.
</p>

<p>
	 
</p>

<p>
	Since we launched Proton VPN, we’ve continuously worked on technology to bypass surveillance and censorship. For example, in 2017, we launched Secure Core VPN, which provides greater privacy than typical VPN services.
</p>

<p>
	 
</p>

<p>
	In 2020, we launched alternative routing, which bypasses VPN blocks by re-routing our connections over other hard-to-trace paths. Finally, in 2021, we released VPN Accelerator, a unique technology that provides connection speeds that are up to 400% faster, which is critically important for users in far-flung regions with slower internet.
</p>

<p>
	 
</p>

<p>
	As we have stepped up our efforts to build a more censorship-resistant VPN, authoritarian governments have also stepped up their efforts to block VPNs. Traditional VPN protocols (such as OpenVPN, IKEv2, and WireGuard) are relatively easy to recognize on a network. And as deep packet inspection (DPI) technology becomes more widespread, it will be easier and easier for authoritarian governments to detect and block VPNs using these protocols.
</p>

<p>
	 
</p>

<p>
	For years there have been various projects to try to obfuscate existing VPN protocols, but many of them are hacks on top of existing protocols that unfortunately no longer work very well.
</p>

<p>
	 
</p>

<p>
	We designed our Stealth protocol from the ground up to not have these issues. With Stealth enabled, your Proton VPN connection will be almost completely undetectable.
</p>

<p>
	 
</p>

<p>
	Stealth is available on all Proton VPN plans, including our Free plan, because everyone deserves online freedom. For now, you can use Stealth on our Android, Windows, macOS, and iOS apps.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://protonvpn.com/blog/stealth-vpn-protocol" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24738</guid><pubDate>Tue, 06 Aug 2024 18:20:37 +0000</pubDate></item><item><title>Proton VPN Rolls Out Three Important Anti-Censorship Updates</title><link>https://nsaneforums.com/news/security-privacy-news/proton-vpn-rolls-out-three-important-anti-censorship-updates-r24732/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Proton continues to fight for basic free speech</span>
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<strong><span style="font-size:20px;">Why this matters</span></strong>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	These updates make it easier to bypass internet censorship, and it's as easy as just switching on the VPN.
</p>

<p>
	 
</p>

<p>
	Proton is a Swiss-based VPN provider known for its commitment to privacy. Just last month, the company made it safer to share sensitive information via their password manager. And now, they've introduced a few changes intended to combat censorship.
</p>

<p>
	 
</p>

<p>
	In a press release sent to Lifewire, the company detailed the changes which include new servers for countries most at risk of censorship, an anti-censorship protocol for the Windows app, and a new way for Android users to hide the VPN app on their devices.
</p>

<p>
	 
</p>

<p>
	Proton has added local VPN servers in 12 countries. Chosen based on threats like authoritarian rule and decreasing civil liberties, they include Afghanistan, Bahrain, Eritrea, Ethiopia, Iraq, Kuwait, Libya, Saudi Arabia, Sudan, Tajikistan, Turkmenistan, and Yemen. These new servers let people in those areas access the internet freely.
</p>

<p>
	 
</p>

<p>
	Additionally, Windows users can now use the company's exclusive Stealth protocol for increased protection. Proton calls it an "undetectable" protocol designed to make it harder for governments and ISPs to see that a VPN is being used, thus lowering the odds that the traffic will be blocked. The Stealth protocol is also available on other platforms.
</p>

<p>
	 
</p>

<p>
	Proton VPN is also available on Android. Today's update includes a small but helpful change where users can swap out the app icon for something less conspicuous. Helpful in regions where police might randomly inspect the phone, users can change out the standard Proton VPN logo for something more generic. Options include a weather app, a to-do list, and a few others.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.lifewire.com/proton-vpn-censorship-updates-8690780" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24732</guid><pubDate>Tue, 06 Aug 2024 14:55:01 +0000</pubDate></item><item><title>Why CERT-In is asking iPhone, iPad and Mac users in India to immediately update their devices</title><link>https://nsaneforums.com/news/security-privacy-news/why-cert-in-is-asking-iphone-ipad-and-mac-users-in-india-to-immediately-update-their-devices-r24729/</link><description><![CDATA[<p>
	<span style="font-size:18px;">If you are already on the latest version of the software for these devices, you are safe as Apple has patched vulnerabilities with the latest security update.</span>
</p>

<p>
	 
</p>

<p>
	The Indian Computer Emergency Response Team (CERT-In) has issued a “high” severity warning for Apple product users in India about software vulnerabilities on iPhones, iPads, and Macs. According to CERT-In, which is part of the Ministry of Electronics and Information Technology, these vulnerabilities could allow hackers to easily attack these devices and steal sensitive information.
</p>

<p>
	 
</p>

<p>
	CERT-In recommends users update their Apple products to the latest available version to secure their devices. The list of affected devices includes:
</p>

<p>
	 
</p>

<p>
	iOS and iPadOS versions prior to 17.6 and 16.7.9 (iPhones and iPads)<br />
	macOS Sonoma versions prior to 14.6 (Macs)<br />
	macOS Ventura versions prior to 13.6.8 (Macs)<br />
	macOS Monterey versions prior to 12.7.6 (Macs)<br />
	watchOS versions prior to 10.6 (Apple Watch)<br />
	tvOS versions prior to 17.6 (Apple TV)<br />
	visionOS versions prior to 1.3 (Vision Pro)<br />
	Safari versions prior to 17.6 (iPhone, iPad, Mac, Vision Pro)
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<a href="https://twitter.com/IndianCERT/status/1820326964344782959" rel="external nofollow">CERT-In's advisory post on X (@IndianCERT)</a>
</p>

<p>
	The vulnerabilities, rated high severity, could be exploited to disclose sensitive information, cause denial of service, bypass security controls, spoof content, execute arbitrary code, or carry out cross-site scripting attacks.
</p>

<p>
	 
</p>

<p>
	If you are already using the latest software for these devices, this will not be an issue, as Apple has patched these vulnerabilities with the latest security update. However, if you have not yet installed the latest version, it is recommended that you do so to secure your Apple device.
</p>
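<p>
	An added example, not from CERT-In or the Indian Express: a Python check that turns the version list above into a branch-aware "is this device patched?" test. The point it gets right, and that a naive "version below 17.6" comparison gets wrong, is that iOS 16.7.9 and macOS 13.6.8 are patched releases even though they are numerically below 17.6 and 14.6; each installed version is compared only against the fix for its own major release branch. The device inventory is constructed, and the assumption that a major version newer than every listed branch already contains the fix is labelled in the code.
</p>

```python
from typing import Dict, List, Optional, Tuple

# Minimum fixed versions from the CERT-In list above. A product with several supported release
# branches (iOS 17.x and 16.x, macOS 14/13/12) gets one floor per branch, keyed by major version.
FIXED_VERSIONS: Dict[str, Tuple[str, ...]] = {
    "iOS": ("17.6", "16.7.9"),
    "iPadOS": ("17.6", "16.7.9"),
    "macOS": ("14.6", "13.6.8", "12.7.6"),
    "watchOS": ("10.6",),
    "tvOS": ("17.6",),
    "visionOS": ("1.3",),
    "Safari": ("17.6",),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'16.7.9' -> (16, 7, 9); tuples compare component-wise, so 16.7.9 < 16.7.10 as it should."""
    return tuple(int(p) for p in v.strip().split("."))


def fix_for(product: str, installed: str) -> Optional[str]:
    """The fixed version on the installed release branch, or None if that major has no listed fix."""
    major = parse_version(installed)[0]
    for f in FIXED_VERSIONS[product]:
        if parse_version(f)[0] == major:
            return f
    return None


def is_patched(product: str, installed: str) -> bool:
    """Branch-aware check: iOS 16.7.9 is patched even though it is numerically below 17.6."""
    inst = parse_version(installed)
    fix = fix_for(product, installed)
    if fix is None:
        # Assumption (not from the advisory): a major newer than every listed branch ships with the
        # fix; a major older than every listed branch is out of support and is reported unpatched.
        newest_major = max(parse_version(f)[0] for f in FIXED_VERSIONS[product])
        return inst[0] > newest_major
    return inst >= parse_version(fix)


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """(device, product, installed) rows -> rows needing action, with the version to move to."""
    report = []
    for device, product, installed in inventory:
        if not is_patched(product, installed):
            report.append((device, product, installed, fix_for(product, installed) or "unsupported release"))
    return report


# Constructed inventory for the demo.
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "17.5.1"),
    ("phone-02", "iOS", "16.7.9"),
    ("tablet-01", "iPadOS", "16.7.8"),
    ("mac-01", "macOS", "13.6.7"),
    ("mac-02", "macOS", "14.6"),
    ("mac-03", "macOS", "11.7.10"),
    ("watch-01", "watchOS", "10.5"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("UPDATE  {:<10} {:<8} {:<8} -> {}".format(*row))
```

<p>
	On a Mac the installed version comes from <code>sw_vers -productVersion</code>; on an iPhone or iPad it is shown under Settings, General, About. Feed those values into the inventory and the report lists exactly the devices that still need the update.
</p>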

<p>
	 
</p>

<p>
	Apple has also been sending alerts about “mercenary spyware attacks” to high-profile individuals, including politicians, journalists, and government officials, in over 150 countries, including India. If Apple believes a device has been targeted, the user is notified and can turn on Lockdown Mode, which sharply restricts the device's attack surface.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://indianexpress.com/article/technology/tech-news-technology/why-cert-in-is-asking-iphone-ipad-and-mac-users-in-india-to-immediately-update-their-devices-9495703/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24729</guid><pubDate>Tue, 06 Aug 2024 11:55:35 +0000</pubDate></item><item><title>Internal memo: Microsoft makes security a &#x2018;core priority&#x2019; for employee review process</title><link>https://nsaneforums.com/news/security-privacy-news/internal-memo-microsoft-makes-security-a-%E2%80%98core-priority%E2%80%99-for-employee-review-process-r24722/</link><description><![CDATA[<p>
	Microsoft will elevate security to the status of “core priority” for all employees as part of the process of focusing their work and reviewing performance, according to an internal email Monday morning.
</p>

<p>
	 
</p>

<p>
	This is the latest step by the company to implement what it calls a security-first mindset. It follows a series of high-profile breaches that have raised concerns among regulators and legislators, and resurfaced longstanding questions about the widespread reliance on Microsoft’s technology by major customers.
</p>

<p>
	 
</p>

<p>
	The change will be implemented for all employees when setting priorities and reviewing performance, known internally as “Connect,” according to the email Monday from Kathleen Hogan, Microsoft’s chief people officer.
</p>

<p>
	 
</p>

<p>
	“The Security Core Priority is not a check-the-box compliance exercise; it is a way for every employee and manager to commit to — and be accountable for — prioritizing security, and a way for us to codify your contributions and to recognize you for your impact,” Hogan wrote. “We all must act with a security-first mindset, speak up, and proactively look for opportunities to ensure security in everything we do.”
</p>

<p>
	 
</p>

<p>
	With the move, security joins two existing core priorities as part of the Connect process, focused on diversity and inclusion, and Microsoft’s expectations and principles for managers.
</p>

<p>
	 
</p>

<p>
	Priorities and performance reviews are factors in employee bonuses, but the company did not provide specifics on the degree to which the change could impact employee compensation.
</p>

<p>
	 
</p>

<p>
	The timing for the Connect process varies, generally occurring two to three times a year. Microsoft is calling on employees to implement the new core priority starting with their first “Connect” of the fiscal year, which started July 1.
</p>

<p>
	 
</p>

<p>
	Separately, Microsoft said last week that it will provide employees with a special one-time cash award amounting to an additional 10% to 25% of the value of their annual bonuses for the company’s recently completed fiscal year.
</p>

<p>
	 
</p>

<p>
	The security changes build on Microsoft’s Secure Future Initiative (SFI), introduced last fall. It’s Microsoft’s latest attempt to prioritize security, dating back to the “Trustworthy Computing” initiative that Bill Gates instituted in 2002.
</p>

<p>
	 
</p>

<p>
	Microsoft said in May that it would base a portion of senior executive compensation on progress toward security priorities, place deputy chief information security officers (CISOs) in each product group, and bring together teams from its major platforms and product teams in “engineering waves” to overhaul security.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="nadella-security-768x549.jpg" class="ipsImage" data-ratio="75.10" height="514" width="720" src="https://cdn.geekwire.com/wp-content/uploads/2020/03/nadella-security-768x549.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Microsoft CEO Satya Nadella. (GeekWire File Photo)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	In an internal memo at the time, Microsoft CEO Satya Nadella called on employees to make security their top priority, even if that means making difficult choices in the interest of greater security.
</p>

<p>
	 
</p>

<p>
	“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” the Microsoft CEO told employees. “In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”
</p>

<p>
	 
</p>

<p>
	A critical report by the Cyber Safety Review Board (CSRB) in April described Microsoft’s security culture as “inadequate.” The report called for security initiatives to be “overseen directly and closely” by Microsoft’s CEO and board, and said “all senior leaders should be held accountable for implementing all necessary changes with utmost urgency.”
</p>

<p>
	 
</p>

<p>
	The CSRB report focused on a high-profile incident in May and June 2023, in which a Chinese hacking group known as Storm-0558 is believed to have compromised the Microsoft Exchange Online mailboxes of more than 500 people and 22 organizations worldwide, including senior U.S. government officials.
</p>

<p>
	 
</p>

<p>
	Microsoft revealed in January that a Russian state-sponsored actor known as Nobelium or Midnight Blizzard accessed its internal systems and executive email accounts. Subsequently, the company said the same attackers were able to access some of its source code repositories and internal systems.
</p>

<p>
	 
</p>

<p>
	Testifying before the U.S. House Committee on Homeland Security in June, Microsoft President Brad Smith said the company took responsibility for the issues cited by the CSRB, and reiterated the commitment to prioritizing security.
</p>

<p>
	 
</p>

<p>
	Here’s the full text of Hogan’s memo to employees Monday morning.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	Date: August 5, 2024
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	Subject: Introducing our Company-wide Security Core Priority
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	At Microsoft, we deliver mission-critical infrastructure that the world depends on to achieve more. With that trust in us comes a great responsibility: to protect our customers, our company, and our world from cyber threats. As Microsoft employees, we all have a role in that responsibility.
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	As Satya referenced in his May 3 email and again during his FY25 kick off on July 9, security is our number-one priority, and everyone at Microsoft will have security as a Core Priority. When faced with a tradeoff, the answer is clear and simple: security above all else.
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	Our commitment to security is enduring. New and novel attacks will require us to continue to learn, innovate, and defend. Yet working together, we will make nonlinear improvements, stay alert, and meet the expectations of our customers. They are counting on us, and our future depends on their trust.
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	Our new Security Core Priority reinforces our commitment to security and holds us accountable for building secure products and services. It is now available in the Connect tool for most employees, and we are partnering with geo HR teams to expand access to all employees globally. The Security Core Priority is not a check-the-box compliance exercise; it is a way for every employee and manager to commit to — and be accountable for — prioritizing security, and a way for us to codify your contributions and to recognize you for your impact. We all must act with a security-first mindset, speak up, and proactively look for opportunities to ensure security in everything we do.
</p>


<p style="margin-left:40px;">
	The core priority will have two parts:
</p>


<ul>
	<li>
		<p style="margin-left:40px;">
			Core and common elements that apply to all employees
		</p>
	</li>
	<li>
		<p style="margin-left:40px;">
			An optional section for employees to further specify how they will activate the Security Core Priority based on their role, team, org, etc.
		</p>
	</li>
</ul>

<p style="margin-left:40px;">
	All employees will set their Security Core Priority as part of their first FY25 Connect, with the intent that during regular Connect conversations, you and your manager will discuss your Security Core Priority progress and impact. This process will follow the same approach as our other company-wide core priorities for Diversity &amp; Inclusion and Managers. …
</p>


<p style="margin-left:40px;">
	As we kick off our 50th year as a company, I know we all feel honored and humbled that we are still here — as a relevant and consequential company — pursuing our mission together. When we empower every person and organization on the planet to achieve more, we take on society’s biggest challenges and empower the world. What a big, bold, and meaningful mission we have, and yet none of us can take this for granted. We are here because our customers trust us, and we must continue to earn their trust every day.
</p>


<p style="margin-left:40px;">
	Thank you for your commitment to our Security Core Priority that will help protect Microsoft, our customers, and our partners.
</p>


<p style="margin-left:40px;">
	Kathleen
</p>


<p>
	The changes follow the end of Microsoft’s 2024 fiscal year on June 30. Microsoft reported fiscal fourth quarter earnings of $64.7 billion, up 15%, and profits of $22 billion, up 10%, surpassing Wall Street’s expectations, even as some analysts were disappointed by its cloud growth and the timeline for seeing a larger payoff from AI investments.
</p>


<p>
	<strong><a href="https://www.geekwire.com/2024/internal-memo-microsoft-makes-security-a-core-priority-for-employee-reviews/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24722</guid><pubDate>Tue, 06 Aug 2024 01:59:59 +0000</pubDate></item><item><title>Safari&#x2019;s new &#x2018;Distraction Control&#x2019; feature lets you hide annoying cookie pop-ups</title><link>https://nsaneforums.com/news/security-privacy-news/safari%E2%80%99s-new-%E2%80%98distraction-control%E2%80%99-feature-lets-you-hide-annoying-cookie-pop-ups-r24716/</link><description><![CDATA[<h3>
	You’ll be able to tap parts of a website that you want to remove. The feature is available in the newest iOS 18, iPadOS 18, and macOS Sequoia developer betas.
</h3>

<div>
	<div>
		<div>
			<div>
				<p>
					Apple is adding a new feature to Safari called “Distraction Control” that lets you remove distracting things like cookie preference pop-ups while you’re browsing, <a href="https://www.macrumors.com/2024/08/05/ios-18-safari-distraction-control/" rel="external nofollow"><em>MacRumors</em> reports</a>. The new feature is available with the fifth iOS 18, iPadOS 18, and macOS Sequoia developer betas that launched on Monday.
				</p>

			</div>

			<div>
				<p>
					You can get an idea of how Distraction Control works thanks to <a href="https://go.skimresources.com/?id=1025X1701640&amp;xs=1&amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DFzBa6Tc-JeE%26t%3D1s&amp;xcust=___vg__p_23977940__t_w__d_D" rel="external nofollow" target="_blank">a video from <em>MacRumors</em></a>. From a menu, you can choose an option to “Hide Distracting Items” and then select items you want to hide from the page you’re looking at. When items are hidden, they dissipate away with a very slick animation.
				</p>



			</div>

			<div>
				<p>
					In a pop-up shown in the video, Apple notes that “hiding distracting items will not permanently remove ads and other content that updates frequently,” so you won’t be able to use this feature to hide every ad you see for good. Parts of a website that you hide also don’t sync across your devices, <em>MacRumors </em>says.
				</p>

			</div>

			<div>
				<p>
					The new iOS 18 beta also brings changes to the redesigned Photos app, including <a href="https://www.macrumors.com/2024/08/05/ios-18-beta-5-photos-app/" rel="external nofollow">removing the new carousel view feature</a>.
				</p>

			</div>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/8/5/24213899/apple-safari-distraction-control-hide" rel="external nofollow">Source</a>
</p>


<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">24716</guid><pubDate>Tue, 06 Aug 2024 01:43:28 +0000</pubDate></item><item><title>Apple introduces built-in content blocker for Safari called 'Distraction Control'</title><link>https://nsaneforums.com/news/security-privacy-news/apple-introduces-built-in-content-blocker-for-safari-called-distraction-control-r24715/</link><description><![CDATA[<p>
	Apple today released the latest preview versions of its operating systems, and one of the most interesting changes arrived for Safari, Apple's default web browser. It now has a built-in content blocker called "Distraction Control."
</p>


<p>
	Unlike traditional content blockers that remove ads, Apple's approach is more careful. As the name implies, the feature tries to eliminate various web annoyances, such as newsletter signups (that thing that dims the entire screen and begs for your email two and a half seconds after you load the website), cookie prompts, autoplaying videos, and other irritations.
</p>


<p>
	Although you can use Distraction Control to block ads, they return once you refresh the page, clearly indicating that Apple is not trying to substitute third-party ad blockers. Safari will even warn you that Distraction Control cannot permanently remove ads.
</p>


<p>
	In a nutshell, Apple is giving iOS, iPadOS, and macOS users a quick and easy tool to hide distracting elements when visiting websites. Another important aspect is that hiding certain parts of a website requires action from the end user, so the process is not automatic, and it won't sync across devices. You have to invoke the feature from the menu and manually select the element you want to remove.
</p>


<p>
	If that sounds like too much work, Apple users can always get a third-party ad blocker that would automate the process.
</p>


<p>
	Distraction Control is now available in the latest iOS 18, iPadOS 18, and macOS Sequoia developer betas. It is expected to arrive in the next public beta and land alongside the stable releases in the next month or two.
</p>


<p>
	<a href="https://www.neowin.net/news/apple-introduces-built-in-content-blocker-for-safari-called-distraction-control/" rel="external nofollow">Source</a>
</p>


]]></description><guid isPermaLink="false">24715</guid><pubDate>Tue, 06 Aug 2024 01:42:11 +0000</pubDate></item><item><title>Mac and Windows users infected by software updates delivered over hacked ISP</title><link>https://nsaneforums.com/news/security-privacy-news/mac-and-windows-users-infected-by-software-updates-delivered-over-hacked-isp-r24713/</link><description><![CDATA[<p>
	<span style="font-size:16px;">DNS poisoning attack worked even when targets used DNS from Google and Cloudflare.</span>
</p>


<p>
	Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said.
</p>


<p>
	The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.
</p>


<p>
	<span style="font-size:20px;"><strong>These aren’t the update servers you’re looking for</strong></span>
</p>

<p>
	Because the update mechanisms didn’t use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1 rather than the DNS resolvers provided by the ISP.
</p>


<p>
	“That is the fun/scary part—this was not the hack of the ISP’s DNS servers,” Volexity CEO Steven Adair wrote in an online interview.
</p>


<p>
	“This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Google’s DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attacker’s servers.”
</p>


<p>
	In other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results haven’t been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections.
</p>


<p>
	Volexity provided the following diagram illustrating the flow of the attack:
</p>


<p style="text-align:center;">
	<img alt="stormbamboo-dns-poisoning-flow-640x339.p" class="ipsImage" data-ratio="52.97" height="339" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2024/08/stormbamboo-dns-poisoning-flow-640x339.png" />
</p>


<p>
	As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices.
</p>


<p>
	MACMA first came to light in a 2021 post published by Google’s Threat Analysis Group, a team that tracks malware and cyberattacks backed by nation-states. The backdoor was written for macOS and iOS devices and provided a full suite of capabilities including device fingerprinting, screen capture, file downloading and uploading, execution of terminal commands, audio recording, and keylogging.
</p>


<p>
	POCOSTICK, meanwhile, has been in use since at least 2014. Last year, security firm ESET said the malware, which it tracked under the name MGBot, was used exclusively by a Chinese-speaking threat group tracked as Evasive Panda.
</p>


<p>
	ESET researchers determined that the malware was installed through legitimate updates of benign software, but they weren’t sure how that happened. One possibility, the researchers said at the time, was through a supply-chain attack that replaced the legitimate updates with malicious ones at the very source. The other possible scenario was through a MitM attack on the servers delivering the updates. Volexity’s findings now confirm that the latter explanation is the correct one.
</p>


<p>
	In at least one case in the most recent attacks, StormBamboo forced a macOS device to install a browser plugin Volexity tracks under the name RELOADEXT. The extension masquerades as one that loads webpages to be compatible with Internet Explorer. In fact, Volexity said, it copies browser cookies and sends them to a Google Drive account controlled by the attackers. The data was base64 encoded and encrypted using the Advanced Encryption Standard. Despite the care taken by the hackers, they nonetheless exposed the client_id, client_secret, and refresh_token in the malicious extension.
</p>


<p>
	One other technique Volexity observed was StormBamboo’s use of DNS poisoning to hijack www.msftconnecttest.com, a domain Microsoft uses to determine if Windows devices are actively connected to the Internet. By replacing the legitimate DNS resolution with an IP address pointing to a malicious site operated by the threat actors, they could intercept HTTP requests destined for any host.
</p>

<p>
	Adair declined to identify the hacked ISP other than to say it’s “not a big huge one or one you’d likely know.”
</p>


<p>
	“In our case the incident is contained but we see other servers that are actively serving malicious updates but we do not know where they are being served from,” he said. “We suspect there are other active attacks around the world we do not have purview into. This could be from an ISP compromise or a localized compromise to an organization such as on their firewall.”
</p>


<p>
	As noted earlier, there are few options for preventing these sorts of attacks beyond (1) eschewing all software that updates unsecurely or (2) using DNS over HTTPS or DNS over TLS. The first method is likely the best, although it likely means having to stop using a preferred app in at least some cases. The alternative DNS configurations are viable, but at the moment are offered by only a handful of DNS providers, with 8.8.8.8 and 1.1.1.1 being the best known.
</p>


<p>
	<strong><a href="https://arstechnica.com/security/2024/08/hacked-isp-infects-users-receiving-unsecure-software-updates/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24713</guid><pubDate>Tue, 06 Aug 2024 01:36:24 +0000</pubDate></item><item><title>Chrome&#x2019;s Manifest V3, and its changes for ad blocking, are coming real soon</title><link>https://nsaneforums.com/news/security-privacy-news/chrome%E2%80%99s-manifest-v3-and-its-changes-for-ad-blocking-are-coming-real-soon-r24702/</link><description><![CDATA[<h3>
	Chrome is warning users that their extension makers need to update soon.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Google Chrome's long, long project to implement a new browser extension platform is seemingly going to happen, for real, after six years of cautious movement.
	</p>


	<p>
		One of the first ways people are seeing this is if they use uBlock Origin, a popular ad-blocking extension, <a href="https://www.bleepingcomputer.com/news/google/google-chrome-warns-ublock-origin-may-soon-be-disabled/" rel="external nofollow">as noted by Bleeping Computer</a>. Recently, Chrome users have seen warnings pop up that "This extension may soon no longer be supported," with links asking the user to "Remove or replace it with similar extensions" from Chrome's Web Store. You might see a similar warning on some extensions if you head to Chrome's Extensions page (chrome://extensions).
	</p>

	<p>
		What's happening is Chrome preparing to make Manifest V3 required for extensions that want to run on its platform. <a href="https://blog.chromium.org/2018/10/trustworthy-chrome-extensions-by-default.html" rel="external nofollow">First announced in 2018</a>, the <a href="https://arstechnica.com/gadgets/2024/05/google-starts-deprecating-older-more-capable-chrome-extensions-next-week/" rel="external nofollow">last word</a> on Manifest V3 was that V2 extensions would start being nudged out in early June on the Beta, Dev, and Canary update channels. Users will be able to manually re-enable V2 extensions "for a short time," <a href="https://developer.chrome.com/docs/extensions/develop/migrate/mv2-deprecation-timeline" rel="external nofollow">Google has said</a>, "but over time, this toggle will go away as well." The shift for enterprise Chrome deployments is expected to be put off until June 2025.
	</p>


	<p>
		Google has said that its new extension platform was built for "improving the security, privacy, performance, and trustworthiness of the extension ecosystem." The Electronic Frontier Foundation (EFF) <a href="https://www.eff.org/deeplinks/2019/07/googles-plans-chrome-extensions-wont-really-help-security" rel="external nofollow">disagrees most strongly with the security aspect</a>, and Firefox-maker Mozilla, while intending to support V3 extensions for cross-browser compatibility, has <a href="https://blog.mozilla.org/addons/2024/03/13/manifest-v3-manifest-v2-march-2024-update/" rel="external nofollow">no plans to cut off support for V2 extensions</a>, signaling that it doesn't see the big improvement.
	</p>


	<p>
		Perhaps the biggest point of friction is with ad blockers. Google has said it "isn't killing ad blockers" but "making them safer," in <a href="https://security.googleblog.com/2019/06/improving-security-and-privacy-for.html#:~:text=To%20help%20with,over%20Web%20Request." rel="external nofollow">an explanatory blog post</a>. Google noted in November 2023 that Manifest V3 allowed for a greater number, and more dynamic updating, of content-blocking rules in extensions, <a href="https://developer.chrome.com/blog/improvements-to-content-filtering-in-manifest-v3/" rel="external nofollow">specifically ad blockers</a>.
	</p>


	<p>
		But one of the biggest changes is in disallowing "remotely hosted code," which includes the filtering lists that ad blockers keep regularly updated. Ad blockers that want to update their filtering lists, perhaps in response to pivots by platforms like Google's YouTube and ad servers, will have to do so through the Chrome Web Store's review process. Ad-blocking coders see it as <a href="https://arstechnica.com/google/2023/12/chromes-next-weapon-in-the-war-on-ad-blockers-slower-extension-updates/" rel="external nofollow">an intentional gatekeeping and slowing</a>.
	</p>


	<p>
		Google said before the initial May push toward V3 that 85 percent of actively maintained extensions in its store had Manifest V3 versions ready. Raymond Hill wrote <a href="https://github.com/uBlockOrigin/uBlock-issues/wiki/About-Google-Chrome's-%22This-extension-may-soon-no-longer-be-supported%22" rel="external nofollow">on uBlock Origin's GitHub page Friday</a> that there will not be a full version of uBlock Origin that works with Manifest V3, but instead <a href="https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh" rel="external nofollow">a "Lite" version</a> that is "a pared-down version of uBO with a best effort at converting filter lists used by uBO into a Manifest V3-compliant approach."
	</p>
</div>


<p>
	<a href="https://arstechnica.com/gadgets/2024/08/chromes-manifest-v3-and-its-changes-for-ad-blocking-are-coming-real-soon/" rel="external nofollow">Source</a>
</p>


]]></description><guid isPermaLink="false">24702</guid><pubDate>Mon, 05 Aug 2024 18:39:34 +0000</pubDate></item><item><title>Home users increasingly targeted by global Magniber ransomware campaign</title><link>https://nsaneforums.com/news/security-privacy-news/home-users-increasingly-targeted-by-global-magniber-ransomware-campaign-r24695/</link><description><![CDATA[<p>
	Mounting attacks have been deployed by the Magniber ransomware operation against home users' devices around the world since late July, BleepingComputer reports.
</p>


<p>
	Intrusions, which BleepingComputer and ID-Ransomware noted have increased in prevalence since July 20, were reported by some victims to have resulted in device encryption following the execution of cracked software and key generators. Aside from appending random extensions to encrypted files, Magniber also creates a ransom note that includes a link to the ransomware gang's Tor site. Magniber initially demands a $1,000 ransom from its victims and raises it to $5,000 if they fail to pay within three days. The findings come seven years after Magniber emerged as the successor to Cerber ransomware. Although a decryptor for the ransomware was unveiled just a year after its launch, that tool no longer works because the attackers fixed the bug in the payload that had allowed free file decryption. Organizations have been urged to avoid key generators and cracked software to avoid potential compromise.
</p>


<p>
	<strong><a href="https://www.scmagazine.com/brief/home-users-increasingly-targeted-by-global-magniber-ransomware-campaign" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24695</guid><pubDate>Mon, 05 Aug 2024 15:26:17 +0000</pubDate></item><item><title>Ongoing Iranian internet outage claimed by Israeli hacktivists</title><link>https://nsaneforums.com/news/security-privacy-news/ongoing-iranian-internet-outage-claimed-by-israeli-hacktivists-r24694/</link><description><![CDATA[<p>
	The Israeli hacktivist operation WeRedEvils has claimed responsibility for disrupting Iran's internet services, reports The Register.
</p>


<p>
	Aside from conducting the ongoing internet outage, which it purported to prove by showing the takedown of most Iranian ministry websites, WeRedEvils also claimed to have exfiltrated data from the impacted computer systems and to have already handed it to the Israeli government.
</p>


<p>
	"Stop raising red flags and start raising a white flag. The folly will take you all to the dustbin of history. Iran will burn – Israel will win," said WeRedEvils in a translated Telegram message, which also noted their desire to personally communicate with supporters of Iran's Revolutionary Guards. WeRedEvils' alleged compromise of Iran's internet comes nearly a year after claiming to disrupt Iran's electric grid in what is believed to be the hacktivist group's initial attack. Numerous WeRedEvils members were also noted to have been apprehended by the Israeli government for espionage in June.
</p>


<p>
	<strong><a href="https://www.scmagazine.com/brief/ongoing-iranian-internet-outage-claimed-by-israeli-hacktivists" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24694</guid><pubDate>Mon, 05 Aug 2024 15:24:59 +0000</pubDate></item><item><title>Chinese Hackers Deliver Malware via ISP-Level DNS Poisoning</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-deliver-malware-via-isp-level-dns-poisoning-r24692/</link><description><![CDATA[<p>
	<span style="font-size:16px;">Chinese group StormBamboo spotted delivering Windows and macOS malware by compromising an ISP and using DNS poisoning.</span>
</p>


<p>
	Threat intelligence and incident response firm Volexity has shared details on attacks in which a threat actor linked to China used ISP-level DNS poisoning in order to deliver malware to targets.
</p>


<p>
	The operation was conducted by an APT tracked as StormBamboo, Evasive Panda, and StormCloud.
</p>


<p>
	Volexity has not shared any information on the targeted entities, but the threat actor is known for cyberespionage operations aimed at organizations in Asia.
</p>


<p>
	According to the cybersecurity firm, which started investigating the attacks in mid-2023, the attackers compromised an internet provider’s systems and performed DNS poisoning in order to deliver Windows and macOS malware through insecure automatic software update mechanisms.
</p>


<p>
	“Volexity determined that StormBamboo was altering DNS query responses for specific domains tied to automatic software update mechanisms. StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers. Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware,” the security firm explained.
</p>


<p>
	Volexity worked with the targeted ISP to respond to the incident.
</p>


<p>
	“As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped. During this time, it was not possible to pinpoint a specific device that was compromised, but various components of the infrastructure were updated or left offline and the activity ceased,” Volexity said.
</p>


<p>
	The company saw StormBamboo delivering malware such as MacMa (CDDS), a macOS threat first spotted by Google in 2021. At the time it had been delivered to users in Hong Kong via watering hole attacks and a macOS zero-day vulnerability.
</p>


<p>
	In another case, Volexity saw StormBamboo deploying a malicious Chrome extension named Reloadext, which enables the exfiltration of email data.
</p>


<p>
	<strong><a href="https://www.securityweek.com/chinese-hackers-deliver-malware-via-isp-level-dns-poisoning/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24692</guid><pubDate>Mon, 05 Aug 2024 15:20:58 +0000</pubDate></item><item><title>Researchers Uncover Flaws in Windows Smart App Control and SmartScreen</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-uncover-flaws-in-windows-smart-app-control-and-smartscreen-r24685/</link><description><![CDATA[<p>
	Cybersecurity researchers have uncovered design weaknesses in Microsoft's Windows Smart App Control and SmartScreen that could enable threat actors to gain initial access to target environments without raising any warnings.
</p>


<p>
	Smart App Control (SAC) is a cloud-powered security feature introduced by Microsoft in Windows 11 to block malicious, untrusted, and potentially unwanted apps from being run on the system. In cases where the service is unable to make a prediction about the app, it checks whether the app is signed with a valid signature before allowing it to execute.
</p>


<p>
	SmartScreen, which was released alongside Windows 10, is a similar security feature that determines whether a site or a downloaded app is potentially malicious. It also leverages a reputation-based approach for URL and app protection.
</p>


<p>
	"Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content," Redmond notes in its documentation.
</p>


<p>
	"It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users don't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user."
</p>


<p>
	It's also worth mentioning that when SAC is enabled, it replaces and disables Defender SmartScreen.
</p>


<p>
	"Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction," Elastic Security Labs said in a report shared with The Hacker News.
</p>


<p>
	One of the easiest ways to bypass these protections is to get the app signed with a legitimate Extended Validation (EV) certificate, a technique already exploited by malicious actors to distribute malware, as recently evidenced in the case of HotPage.
</p>


<p style="text-align:center;">
	<img alt="demo.gif" class="ipsImage" data-ratio="56.67" height="403" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0GiVpNbi0_Fzv8fv5ugFm824cfmHBnnDVFgkm8g4WDJepJS5vVLhVocZ4ce6oeZImMqiWgXF5w5LV-O60TtaJGQj4PUJJmWNYc6b1Ojatyp500tLKL-ktKiK-P7WAieYcAYs0mdnQ_i3PXsSpuwXAo-V90ID20FsMBEpUgRSZhYPOmonAtWPXW0fdzKTt/s728-rw-e365/demo.gif" />
</p>


<p>
	Some of the other methods that can be used for detection evasion are listed below:
</p>


<ul>
	<li>
		Reputation Hijacking, which involves identifying and repurposing apps with a good reputation to bypass the system (e.g., JamPlus or a known AutoHotkey interpreter)
	</li>
	<li>
		Reputation Seeding, which involves using a seemingly innocuous attacker-controlled binary to trigger the malicious behavior due to a vulnerability in an application, or after a certain time has elapsed
	</li>
	<li>
		Reputation Tampering, which involves altering certain sections of a legitimate binary (e.g., calculator) to inject shellcode without losing its overall reputation
	</li>
	<li>
		LNK Stomping, which involves exploiting a bug in the way Windows shortcut (LNK) files are handled to remove the mark-of-the-web (MotW) tag and get around SAC protections, since SAC blocks files carrying that label
	</li>
</ul>

<p>
	"It involves crafting LNK files that have non-standard target paths or internal structures," the researchers said. "When clicked, these LNK files are modified by explorer.exe with the canonical formatting. This modification leads to removal of the MotW label before security checks are performed."
</p>


<p>
	"Reputation-based protection systems are a powerful layer for blocking commodity malware," the company said.
</p>


<p>
	"However, like any protection technique, they have weaknesses that can be bypassed with some care. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area."
</p>


<p>
	<strong><a href="https://thehackernews.com/2024/08/researchers-uncover-flaws-in-windows.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24685</guid><pubDate>Mon, 05 Aug 2024 14:26:04 +0000</pubDate></item><item><title>Computer security is a political struggle</title><link>https://nsaneforums.com/news/security-privacy-news/computer-security-is-a-political-struggle-r24684/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Cold cyberwar</strong></span>
</p>

<p>
	 
</p>

<p>
	We are in a new cold war. That sounds like it's not news. However, it is not the bordered cyber-war between nation states involving armies of hackers, but more akin to a quiet civil conflict between ordinary people - who use and depend on technology - and the… well to quote Bill Hicks "demons that run amok amongst us".
</p>

<p>
	 
</p>

<p>
	It's a political and psychological battle for culture and is the old battle for the dividends of technology. Who gets to use the fruits of science and to what end? As technologists it behoves us to take stock of this landscape, if not to pick a side then to plan our own way between the falling shells.
</p>

<p>
	 
</p>

<p>
	Recent events demonstrate clearly that our technology is unsafe. We're in an accelerating situation of acute failures that shut down businesses, sometimes for days or weeks. Large one-off losses from fraud, such as ransomware or AI assisted social engineering, keep growing. At a deeper level there are systemic failures because the goods and services we rely on are not fit for purpose, and those responsible for supplying and maintaining services are unable to discharge their duty.
</p>

<p>
	 
</p>

<p>
	And at the highest level there is a political failure to confront the real causes. The UK Horizon Post Office scandal laid bare the complicity of authority in burying inconvenient truths, making scapegoats and disseminating official lies to cover up problems with civic technology.
</p>

<p>
	 
</p>

<p>
	We find that our major concerns in cybersecurity are not really technical at all. They are political. But they are largely beyond the capacity of our current political thinkers to solve. Instead, politicians bat the problem back into the technical court. We add or remove a layer of encryption, change a key protocol, deploy "intrusion detection" or "malware filtering"… and within a week the same problem is back, metamorphosed into something new. This will continue ad nauseam until there is political change.
</p>

<p>
	 
</p>

<p>
	The digital version is more subtle and damaging than kinetic wars in a civil space. We can't look to history for guidance. Conjure up mental images of ruined cities, food shortages, civil unrest, exploding power plants, disabled hospitals and broken transport systems. Worst case cyber-war is what Hollywood disaster movies have equipped us to anticipate. In the drama of a post-apocalyptic Mad Max fantasy world we can see ourselves playing unlikely solar-punk survivors living off-grid.
</p>

<p>
	 
</p>

<p>
	But that's just a story, at least so far. How do we recognise the effects of the different kind of war? What does a "worst case" look like if limited to infowars in cyberspace?
</p>

<p>
	 
</p>

<p>
	In Hollywood movies, the {terrorists, evil maniacs, rogue states} take over cyberspace and then use it to {hijack planes, melt down reactors, assassinate presidents}, or whatever. They are doing one thing, which is taking power.
</p>

<p>
	 
</p>

<p>
	Power, or "control" is one of the primary functions of digital systems - the others are computation, storage and communication. Control systems, which permit action at a distance, almost always involve communication along with telemetry as feedback. They close a loop. If you can mess with that loop you can exercise control.
</p>

<p>
	 
</p>

<p>
	That's why the integrity of communications systems is important. If the bad guys get control of the communications they win, and Hollywood events ensue. In reality, power seekers can act to manipulate events. That's the hard way. In cyberspace, you don't have to leave your seat to just manipulate the capture, transformation and transmission of signals that represent events. The media have done this for decades. Going further, if you can manipulate the perception and discussion of ideas that's even more powerful, especially if you already more or less own the means of communication.
</p>

<p>
	 
</p>

<p>
	That's why the Great Maker created the Internet first, as a little patch of level playing-field (or garden if you like) to see what we'd make of it. Not much, it turned out. We preferred to let developers pave it over and build us a residential amusement park. And of course, amusement parks always turn spooky and fill up with murderous robots and killer clowns.
</p>

<p>
	An Internet is a jolly useful and powerful thing, if you can keep it, and the trick is to ensure that power remains spread out and not let one group of people suddenly have it all, like terrorists in the films.
</p>

<p>
	 
</p>

<p>
	But as Bruce Schneier puts it best, Terrorists Don't Do Movie Plots. In number theory there's an idea for that, it's called Cantor's Diagonal or otherwise Russell's paradox if you prefer to think of sets, but either way the insight is that "there's always one more…", one more bug, one more escape sequence, and so on, which entreats us to abandon the folly of totalitarianism and chasing "perfect systems". Concern with risk then is really about emerging threats rather than known ones against which we can pit our security.
</p>

<p>
	 
</p>

<p>
	For any system there are a couple of places from which threats can come. From the outside or from the inside. Inside threats may come from defective people, but more likely from failures of the system itself. Poor maintenance is a rather mundane and preventable cause. Through the distracted happy apathy of our amusement park days we forgot to oil the works and kick the tyres.
</p>

<p>
	 
</p>

<p>
	Our Internet has slowly rusted. The repair bill is high and the effects already showing are not good. We've undergone a slow descent into digital serfdom, meaningless pseudo-employment, apathy, anomie, a permanent state of endemic economic, spiritual depression and frustration. Like all realities it emerges day by day without fanfare.
</p>

<p>
	 
</p>

<p>
	We don't feel it creeping up on us. We don't notice the walls of social media echo-chambers closing in on us… our horizons narrowing, hope evaporating. We don't feel the steady increase of pressure and anxiety from constant hostile surveillance, being tricked, gaslighted, lied to and manipulated. Yet the present, evident cultural effects are on everybody's lips. Every day we read and talk about the negative effects of news and communication technology.
</p>

<p>
	 
</p>

<p>
	The technology itself seems so "successful". Is it? We've always celebrated technology that's good for us, whether it's steam engines or rockets, and even the stuff that we didn't know was so bad for us, like our cars.
</p>

<p>
	 
</p>

<p>
	But the idea of tech which is just bad for everyone and we all know it is something new. It hadn't taken hold until this century. At least here in the West beyond a context of warfare far away, our weapons were always aimed "at them". But remember that the Internet started in an "Advanced Research Projects" defence laboratory. It's a weapon. We were so excited to unbox it nobody read the manual and the warning about the "sharp end" and which way to point it.
</p>

<p>
	 
</p>

<p>
	Like bad food or environmental pollutants, the effects of bad technologies take time to come on, and then get us talking about "what to do?" Surely we are prepared, because there are so many amazing books and films about dystopias and failed social experiments, served as cautionary signposts for what not to do (again, elsewhere or just… ever!). Orwell, Solzhenitsyn, Kafka, Huxley and Gibson all described states we do not want to build.
</p>

<p>
	 
</p>

<p>
	But for some people these warnings became blueprints. They set us off on a slow death-march; a slow maddening of humanity. These are our times. Soviet style conditions of hostile, intrusive and abusive corporate plutocracy… the various ideologies of consumer communism, surveillance capitalism, advertising madmen, blood-thirsty tech visionaries with shark-lasers… meanwhile most of our stuff, like the trains and planes and banks just don't work the way we want.
</p>

<p>
	 
</p>

<p>
	It is this sad carnival of clowns that we are at war against. It is a war on cheap, greedy incompetence, on reckless engineering, on sleazy opportunists, on crony contractors and corrupt IT back-room deals. It is a war against those who have their hands on the levers of technology, but are a dangerous lot who do not deserve to. It is a war for functional civic technology that the people own and control.
</p>

<p>
	 
</p>

<p>
	As defenders we are called to arms because real cybersecurity has to consider not just where technology fails, but where it succeeds - for some strange paperclip-maximised value of "success".
</p>

<p>
	 
</p>

<p>
	Technology is not neutral. It carries values. Often, bad technology is just ordinary, but designed and deployed by those with wicked agendas. Where technology grows too thickly or in the wrong place it is a weed and a poison. Like any garden or ecosystem the Internet can decline, as it has, into a form of wholly inadequate but irreversible social control. For example, "social media" is the obliteration of the social.
</p>

<p>
	 
</p>

<p>
	But what do you call a struggle like this? Fifty years ago radical Marxists might have called it a "class war", if you substitute ownership of means of production for control of the means to social life. Yet it seems an entirely different sort of conflict that transcends class, wealth, pedigree and political belief.
</p>

<p>
	 
</p>

<p>
	In all conflicts people use mental defences to say "it can't happen here", until it does. Digital war is a great leveller.
</p>

<p>
	 
</p>

<p>
	Whatever walk of life you come from it affects you. You are no less at risk from an enemy of sorts that does not recognise power or privilege, laws, station or legitimacy.
</p>

<p>
	 
</p>

<p>
	If we split the world of digital threats up into a few broad kinds we might call them advanced persistent threats (APT), which are specific and even localised; transient situational threats like Y2K or solar storms, which came and went; and ambient or nebulous effects, which are already inside our system or all around us. Here let's consider the last of these. What are we to do about ambient threats that are within the very systems we use to navigate life?
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:22px;">Self devouring</span></strong>
</p>

<p>
	<br />
	Most of Western society now depends on digital technology. Yet we have a technology industry that is at war with its own customers. Much of our technology is broken, and it is broken by design, because this is profitable and brings power to its creators. Technologically, our civilisation is suffering from a lack of self-care. We are struggling with a broken model of "security" and the emergence of a global insecurity industry. This self-devouring and abandonment of our own values is what Solzhenitsyn warned us against in his Warning to the West.
</p>

<p>
	 
</p>

<p>
	We are now taking an unprecedented direction in political history, having sleepwalked into a territory where the monopoly companies we allowed quasi-governmental status through delegation (dereliction) of power in the late 20th century cannot be coerced, regulated, fined or even taken over and "nationalised" as a remedy. So far politicians have underestimated and misunderstood the power struggle with technology that is afoot.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Money, money, money</strong></span>
</p>

<p>
	<br />
	Let's take a simple, modest example from your everyday life: if you have an Android type phone, spend a moment researching how to stop Google from spying on your location. Simple enough, no?
</p>

<p>
	 
</p>

<p>
	Google are a 'legitimate company', are they not? But despite all the protections your laws afford you, despite still more tough-talk from Europe about our privacy rights, the realpolitik is quite different. In fact it's more or less impossible to get Google to stop spying on you.
</p>

<p>
	 
</p>

<p>
	First let's acknowledge the motives: US American BigTech companies primarily make money by selling your private data to co-parasitical advertising and security industries. Commercially they discriminate to distribute digital goods preferentially by location, social strata or even as personally targeted campaigns.
</p>

<p>
	 
</p>

<p>
	Increasingly, for political reasons, service access is only available in certain countries or to certain groups. The Internet has become the Splinternet, a tool for division. Conflict makes clicks.
</p>

<p>
	 
</p>

<p>
	Of course this disadvantages anyone who moves between spheres, is travelling or relocated for work, or has family in other countries. It "locks things down", and simply goes against the basic principles of "The Internet" as a global, universal system (which it hasn't been for almost 10 years now). But, "so what?" you may say. These are "first world problems", surely? Minor inconvenience at most?
</p>

<p>
	 
</p>

<p>
	Look again. Tech corporations have insinuated themselves into almost all aspects of life. For too many people companies like Microsoft act as their identity. Companies like Amazon control everything they buy, sell, read, own or even think about. Google know every thought they've had since 1998.
</p>

<p>
	 
</p>

<p>
	Governments and bodies for trade, development and intellectual property (WIPO, WEF, WTO), have been derelict and allowed BigTech to carve up the global economy into new digital fiefdoms. Through negligence, through weakness, through our own deliberate fault, we've enabled the rise of digital colonialism, new forms of slavery and neo-feudalism. We've failed "consumers" as people, and all of us as citizens.
</p>

<p>
	 
</p>

<p>
	Of course it is still possible to live, and live well, without invasive low-life-quality technology. Millions of us do. Smart kids don't have smart phones. For the adults, Microsoft's operating system is now an advert-infested disaster-area teetering on unusable, with droves abandoning it. As is Google's derelict search engine. Social media is a misery pit of teen anxiety, disinformation and hate-spreading.
</p>

<p>
	 
</p>

<p>
	But the aim was never to live without technology, just to have good, simple, humane, flexible, durable tools that make life a little easier and bring some fun. We long ago surpassed that need. People are turning away from tech, or at least pinning their anger and fear upon it, because of the effects of how it's used now, not what it essentially is.
</p>

<p>
	 
</p>

<p>
	With pomp, bluster and glory the big technology companies bask in the glow of "freedom". They supply us all with the mind-numbing cargo-cult of games, media and applications we can give our attention to.
</p>

<p>
	 
</p>

<p>
	They present themselves as "progressive" and there is always the breathless cry… "Follow us, follow us! Don't be left behind." But surely we must start to see them for what they really are. The Pied Piper is fundamentally anti-progressive because he leads in a circle. Other writers have described it as the problem of the modern East India Tea Company, as throwbacks to the unfettered laissez-faire capitalism of the era before the Great War, and the consequent global crash of the 30s and World War 2. We've already learned these lessons from history, so why are we going for a replay?
</p>

<p>
	 
</p>

<p>
	As a British person I can really relate to companies like Google, Microsoft and Meta… dinosaurs, still trading on the myths of their once glorious past empires, standing uncomfortably too long on the stage, missing all the cues for a graceful exit and having to be hauled off with a shepherd's crook. They have been holding back technology for decades.
</p>

<p>
	 
</p>

<p>
	They are first and foremost companies who cannot allow actual progress to come before profit. Sure, they came out of the garages of suburbia, as the cool new rockers. But if BigTech were bands they'd be the kind on 12 inch vinyl in your mum's record box, who now wear gold watches, own organic fish-farms and were at least accused of touching their groupies inappropriately in the 1970s.
</p>

<p>
	 
</p>

<p>
	Dig into the reality behind Google and you'll discover a company that, apart from having a defunct "search engine" on which it built its initial reputation, also abandoned almost every other product it ever touched. It adds up to a gargantuan bonfire of wealth and lost opportunity imposed on the rest of Western society. Likewise, Microsoft's death-grip of insecurity on computing by acquisitions, smothering or outspending competition, has done for the progress of computer security what Julius Caesar did at the Library of Alexandria in 48 BC.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Is anyone still fooled?</strong></span>
</p>

<p>
	 
</p>

<p>
	Apparently, at long last, the U.S. government is losing trust in Microsoft. In recent years it has stood up against powerful foreign technology actors like Huawei and TikTok. Even in Britain we had to acknowledge the security catastrophe of Hikvision cameras and our government finally banned them. But these are the tip of the iceberg of toxic tech. It is easy to pick on Chinese or Russian companies precisely because we don't trust their regimes. But most dangerous of all are the companies we suppose we can trust, like Meta, Google, Amazon, and Apple.
</p>

<p>
	 
</p>

<p>
	Trust is the ability to do harm.
</p>

<p>
	 
</p>

<p>
	The political fault-lines lie in this misplaced trust, "special relations" and trade agreements that place U.S. technology suppliers beyond question.
</p>

<p>
	 
</p>

<p>
	Yet we continue to lionise these lumbering monsters. Their bright coloured logos sit behind the strutting stars of TED talks in their brown leather brogues, turtle-necks and jeans. Their hipster language still dazzles us. In our minds they are youthful, vibrant and privy to secrets about the future.
</p>

<p>
	 
</p>

<p>
	Reality check: they are already the next iteration of tired old power, replete with red mid-life-crisis-mobiles on the drive. Our "tech leaders" are now the generation of fossilised, cranky and emotionally challenged old men. Same as the ones that ran Exxon Mobil while the planet was heating up in the 1950s.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>The limits of industry</strong></span>
</p>

<p>
	<br />
	In academic writing and political talk we often see "Industry" used as a notional symbol. It stands, not in a harmony but alongside "Government" and "Academia", as a timeless imaginary power grouping. It relies on a deflationary logic that "industry" is synonymous with "the economy", which is in turn synonymous with "happiness and quality of life".
</p>

<p>
	 
</p>

<p>
	It is a peculiarly post-Thatcher/Reagan take, a neo-liberalist ideal of "private industry" taking the place of government. But if Thatcher was ever to be taken seriously on a single word she said, what we have today is an abomination of her values. "Private enterprise" was another way of talking about the ordinary people, but through an economic lens. If you cut someone's hair or carried your own groceries to the car today you're involved in "industry". We have a music industry, a culture industry, an education industry… what has not been industrialised? So what does that leave that isn't an "industry"?
</p>

<p>
	Of course what politicians really mean by "industry" today is the one percent of rich and powerful owners.
</p>

<p>
	 
</p>

<p>
	Perhaps we misunderstand industry as "engines of progress" because of the persistent mythology of our own bygone industrial revolution: greats like Brunel, Stephenson and Telford. We still see ourselves on the frontier, paving roads to infinity. But industry has other forms, especially in mature civilisations. It is sustaining, home-building, frugal, refining.
</p>

<p>
	 
</p>

<p>
	The old mythology is still recycled in the stories and pseudo-philosophies of Ayn Rand, and now Elon Musk, Peter Thiel and company. Modern heroes? Noble strugglers against "Old power"? Or perhaps, misogynistic, grandiose, psychopathic Silicon Valley "bros" who are not ashamed to hide their naked contempt for the poor, for education, mobility, for women, blacks or anyone else who refuses to "get with their programme" of social immobility. Silicon Valley increasingly has the stench of some alt-right faction, throwbacks to violence - so long as it is cowardly, technologically mediated violence.
</p>

<p>
	 
</p>

<p>
	In its disdain for women it's starting to look more like a backward religious sect. The irony is that tech is an industry that doesn't really produce anything. Software is mostly like music, in that you sell the same thing again and again.
</p>

<p>
	 
</p>

<p>
	It recycles old ideas and repackages software sponged from a global network of volunteer "free software" writers, sticks that on some chips imported from China, and uses that as bait to attract victims for data harvesting. It's a tasty racket if ever there was.
</p>

<p>
	 
</p>

<p>
	Of course real industry is very important, and it is part of human progress. Steel and concrete must come from somewhere. But it is long past time to put the tech industry alongside the old oil and pharmaceuticals. It is no "disruptive" challenger to the status quo. What it perpetuates is more of itself, more control. It might not be a paperclip-maximiser yet; for now it's just a tech-industry maximiser.
</p>

<p>
	 
</p>

<p>
	It is the status-quo.
</p>

<p>
	 
</p>

<p>
	So it needs disrupting. Real progress is complex. It's not just this or that breakthrough… Penicillin. Electric lights. Steam engines. It isn't just spotting opportunities to monetise this or that idea. It's a balance of the intellectual, social, political, artistic, as well as industrial faculties. Yet we have bowed down before just a few industrial totems. This one-sided cult-like obsession with technology must be overcome and balance restored to the political and humanistic classes if we are to survive.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>The Cost</strong></span>
</p>

<p>
	<br />
	AI is consuming electricity equal to the supply of the Netherlands. Crypto block-chains twice as much again. Every new phone manufactured uses the daily water supply of 10,000 people. Survival of the planet was simply not on the profit road-map for the oil companies, and likewise neither will human survival be a priority for tech. Stubborn refusal to pause AI despite low value-yields and skyrocketing risk is the giveaway.
</p>

<p>
	 
</p>

<p>
	Your security and privacy mean nothing to the technology companies. Until we internalise a new reality: that our quest for technology run by people, that our quest for a sustainable, reliable, private, and secure world is not a technical problem but a political struggle, we will make no progress toward it.
</p>

<p>
	 
</p>

<p>
	Look out of your window at the floods, wildfires, hurricanes, and streets lined with stationary automobiles, then do some research on the systematic suppression of electric vehicle technology. We could have begun a serious counter to climate change over 60 years ago when it would have made a difference. The computer security problem today is eerily similar. It is stuck in political stasis, but presented as a technical problem.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>Taking back tech</strong></span>
</p>

<p>
	<br />
	Technology has one purpose: to serve humanity.
</p>

<p>
	 
</p>

<p>
	Here, today… on every smartphone there should be a single, reliable button to switch off spying once and for all. But there isn't. Why not? Because it's not profitable for you to have privacy. That's all there is to it. There's no technical challenge.
</p>

<p>
	 
</p>

<p>
	But, you say, those with political power can simply order these mischievous tech companies to behave. Sadly, no.
</p>

<p>
	 
</p>

<p>
	Foremost, our politicians lack the courage, knowledge and fluency. But behind that is a Faustian bargain by which they hope to benefit from a surveillance pact. They imagine themselves "sharing" power with the tech oligarchs. They will not. Like Yeltsin after the 1991 Minsk Agreement, they will become puppets and vassals to those who control their means of communication. There will be nothing left but for a "strong man" to come to the rescue of the people. And nothing good will come of that.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Who dares?</strong></span>
</p>

<p>
	<br />
	It seems that, to get the things we want and need from technology today we must all become active. We must become hackers and combatants in a theatre of digital political warfare - fighting for security. For civic cybersecurity.
</p>

<p>
	 
</p>

<p>
	Security, privacy and self-determination in tech are what you take, not what is given to you out of kind-heartedness. What we need will not be obtained because corporations adhere to the rule of law. Nor by market forces. There is certainly nothing you can buy from people who want to rob you of it.
</p>

<p>
	 
</p>

<p>
	Big tech companies scoff at the law. They think it old-fashioned. Enormous fines are simply factored into their budgets. They have more money and influence than the political blocs that hope to regulate them. Neither can we rely on our political representatives to put up resistance, because they are poorly educated in technical matters and easily bought or misinformed.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>No escape?</strong></span>
</p>

<p>
	<br />
	Now, suppose you are active and skilled enough to do things like root a phone, disable, spoof or jam GPS, remove the SIM, connect by wifi via a VPN endpoint hosted in another country, and use a payment service located in that country… then you may briefly be able to trick companies like Google or Meta to give you what you need. But no matter what apps you install on an Android smartphone, the operating system itself is written by Google, and is therefore untrustworthy.
</p>

<p>
	 
</p>

<p>
	In all such software, privacy settings default to unsafe or revert to unsafe settings following a forced update. Some location-tracking even works when your phone is supposedly "switched off". Although their Play Store contains hundreds of apps for masking or spoofing location, few of these really work because the company is locked in an endless cat and mouse game to defeat suppliers of those products. They kill products that meet a manifestly enormous market-demand. They pretend this is motivated by "business", not ideology.
</p>

<p>
	 
</p>

<p>
	Like the British Tory party who sabotaged hospitals so that they could deem them "failing" and ripe for privatisation, BigTech firms vandalise the privacy landscape in order to declare that "there is no demand for privacy". This disinformation trick can be seen on social media forums and Internet discussion boards everywhere tech industry shills operate.
</p>

<p>
	 
</p>

<p>
	The big players dislike any independent suppliers of security products, because they conflict with their thirst for profit and power. By empowering users, small companies become the enemies of BigTech, tolerated briefly in their "App Stores" before being arbitrarily ejected. Hacker forums are filled with stories of upstart developers trying to build a company, but being turfed off BigTech land by capricious diktats. GitHub, a common developer platform run by Microsoft, is notorious for political beheadings of dissident projects.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>False security</strong></span>
</p>

<p>
	<br />
	Maybe more damaging is that BigTech misuses people's desire for security, and misuses the language of security, to misdirect users into less beneficial or safe situations. For example, printer companies sabotage third party ink refills with malicious updates pitched as "necessary for security". This undermines any real project of cybersecurity. Users begin to mistrust updates of any kind when companies use them as vehicles for malware and undocumented surprises.
</p>

<p>
	 
</p>

<p>
	Companies muddy the waters around "security" by conflating "your security" with "our security". They then use the word "security" as an abstract noun to imply users are getting something that benefits them but in reality benefits the vendor.
</p>

<p>
	 
</p>

<p>
	They get security from the user. Even the word itself has become a kind of token, a false "moral high ground" from which wannabe tyrants can denounce their enemies. This is a sort of cyber-washing, to use fake cybersecurity for virtue signalling and concern trolling.
</p>

<p>
	 
</p>

<p>
	Once we see that this sort of security is a fixed-sum game then it's clear that anything that improves the end-user's security actually subtracts from that of the platform suppliers who benefit from a user's vulnerability. So the main vendors smear the sellers of things that compete with their "insecurity model". They attack Libre Open Source software written by regular citizens as "insecure" and "risky" - while secretly it's the same software they take for their own products, without paying for it.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Rebuilding public trust</strong></span>
</p>

<p>
	<br />
	Thankfully the political systems of Europe have started to wise up and stand up to US BigTech hostility and have mandated that all software used for public services, government and state apparatus must be Libre open source code that is auditable, verifiable and under control of the people. We want to see the same for schools, hospitals, railways and every other facet of public life and governance in the UK. Digital sovereignty is a big issue today.
</p>

<p>
	 
</p>

<p>
	Meanwhile, practically, all of the "official" methods given by BigTech for obtaining privacy are no good. Play with your "preferences or choices", but regardless the platforms are still quite able to extract personal information from wifi networks and Bluetooth points in range of your devices, metadata in photos you share online, financial transactions, and IP addresses of anything that touches a computer run by AWS, Meta, Azure or Google Cloud (even just to download a font or style-sheet). Any information passing through Gmail, Hotmail or Google Drive is subject to their prying if you have not yet learned to avoid such things.
</p>

<p>
	 
</p>

<p>
	Remarkably, some government offices still use these systems, and everything from doctors to parts of the British defence industry are entangled with Gmail, Amazon cloud, and even Whatsapp, despite warnings from the intelligence services that this isn't a good idea. Hypocritically, even GCHQ buy-in services from Amazon. If organisations that absolutely should avoid these security risks cannot resist the economic lure, who can?
</p>

<p>
	 
</p>

<p>
	There is a clear conflict of interests in that the companies that supply the systems for private and secure communication also profit from violating privacy and security. Surveillance is Google and Facebook's core business model. The only reliable way to defeat them and their type is not to use their products, or at least to fully root an "Android" smartphone and replace the operating system with something safer like F-Droid and with alternative social media platforms.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>A boot stamping…</strong></span>
</p>

<p>
	<br />
	But ubiquitous location spying is just one random example of the spectacular mess of consumer computing. Let's now talk about "Secure Boot", which is in the news this week as the latest massive tech SNAFU.
</p>

<p>
	 
</p>

<p>
	"Secure boot" is a ploy by (mainly) Microsoft to ensure that every computer on Earth must run exploitable software. You'll hear other explanations for "secure boot" - such as the ability to stop malware writing to the BIOS. That's handy. In reality, though, that problem is solved by a "jumper", a small wire or component costing fractions of a penny. Instead, the "industry" invested billions of dollars in an arcane, elaborate scheme of "trusted computing" based on suspect cryptography, to replace a wire that costs a penny. Why would they do that?
</p>

<p>
	 
</p>

<p>
	Well, it's also a way for "anti-cheat" and digital restrictions code to run on your computer, whether you want it to or not. And to stop you copying what you see on your computer screen. These don't sound like features you requested, am I right? That's because they're feature requests from tech's neighboring trillion dollar industry - arts and entertainments.
</p>

<p>
	Anyone in physical possession of computer hardware can subvert it. End of. Secure boot is a fine idea in some very limited use cases, but as a general principle to replicate into all consumer technologies it's an industry con, what we call a "Fritz Chip" that cedes power to the commercial OS vendors and software-as-service industry.
</p>

<p>
	 
</p>

<p>
	It puts your computer completely under the control of a remote and hostile company. It provides "trusted computing" for them and does not, unless you have a side business deploying remote servers in hostile locations, serve you (as a regular dude/dudette) and, importantly, the ostensible owner of the computer.
</p>

<p>
	 
</p>

<p>
	Last week Bruce Schneier reported on research from a group called Binarly that "secure boot" is completely compromised on almost all systems. In response, the comments were mostly "Good! We own our own computers!". Go away secure boot!
</p>

<p>
	 
</p>

<p>
	Secure-boot is a solutionist reaction to fixing a security problem that should never be there in the first place. It caters to conditions of extreme mistrust and therefore cultivates mistrust where deployed. This is a perfect example of the "insecurity industry". It is an undesirable computing concept because it brings more security to the powerful while removing security for the less powerful.
</p>

<p>
	 
</p>

<p>
	Another problem is that computer mainboards still have a BIOS/EFI at all, now a silly and unnecessary mistake prolonged by industry inertia. People who've built and maintained computers for decades know that the more minimal the loader, and the less the BIOS needs to do, the better.
</p>

<p>
	 
</p>

<p>
	Computer scientists and electronics engineers get to build some quite challenging things as rites of passage. In my youth I wired together my own microprocessor (4 bit ALU with three registers and 12 bit address using TTL logic) and a full microprocessor system or "computer" (68000 based board roughly equal to an Apple Lisa - along with a simple operating system and loader for it). Having built, and in the process properly understood, such technology, it's my humble opinion that since it worked in the past without any opaque magic, it can work in the future without opaque magic. The inconvenient theory that anything that has happened can happen leaves little space for a logical comeback.
</p>

<p>
	 
</p>

<p>
	Board-level OS is one of those ritual grooves that we are stuck doing because we always have. The root of it is disorder in the hardware industry and betrayal of standards. Egged on by the likes of Microsoft to add "trusted computing" hardware, the PC "mainboard" industry lacks a creative escape plan. In practice many simpler but very powerful "single board computers" (SBCs) do without this nonsense completely, and there are hundreds of brands of mainboards that don't have encumbering and treacherous technologies embedded. Nonetheless we are attempting to normalise dangerous ideas, wandering into territory that's hostile to user security in the name of making big business more secure against them.
</p>

<p>
	 
</p>

<p>
	Perhaps the spectacular failure of Microsoft as a company is the best thing that has happened to cybersecurity for years.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Why are we stuck?</strong></span>
</p>

<p>
	<br />
	So why do we accept this dynamic? As regular citizens, mostly because we don't know much about it. As engineers, because we get confused about whose control we are supposed to be protecting. As governments, probably because the power seems seductive but there's a lack of education in the political science of why that would be a bad thing.
</p>

<p>
	 
</p>

<p>
	In part it's also down to a dearth of technical education and the power of dishonest marketing. Technology is always a market where people will buy things they have no need or use for, and no understanding of, but hope might bring empowering magic. That is the push-power of an industry that does not answer to demand. It is also a failure of our legal and political systems to challenge predatory business, dishonest advertising and monopoly.
</p>

<p>
	 
</p>

<p>
	However, in the name of innovation, we have always taken a hands-off approach to tech, with minimal regulation. That's led to a slowly growing abusive culture. There's a toxic relationship that's grown through a habit of not challenging and taking for granted. We now have an industry that feels itself above and beyond the law. We have "consumers" who dwell in learned helplessness without the courage, knowledge or political voice to fight back.
</p>

<p>
	 
</p>

<p>
	But the horror show is getting a lot more light shone on it and cracks are now visible due to a slew, indeed an inexorable tide, of spectacular technology failures that now threaten individual lives, small and medium sized businesses and government too.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Digital lemons</strong></span>
</p>

<p>
	<br />
	It's also because the quality and provenance of software is hard to evaluate. Experts are as pressed as an average person to tell whether software is genius or junk. We don't know what value it will really bring. We don't know where the bugs are. Software quality metrics are as much a black-art as 40 years ago. We are kept on the path of cavalier engineering, to "move fast and break stuff" by the ever-present promise of medical and other scientific breakthroughs that can help humanity.
</p>

<p>
	 
</p>

<p>
	But have we factored political turmoil and social disintegration into our risk equations as a likely price to pay? Technology is risky ground and you need to look where you are going. I think we are rather lost in fact. We seem at the mercy of tech hype cycles - blockchains, AI, virtual reality - consuming trillions of dollars and thousands of terawatt hours of energy. Where is the practical upshot? We get unemployment, pornography, and scorching the planet, so that going outside is unbearable; which may all at least cancel each other out if we can build enough homes for people to hide in and masturbate.
</p>

<p>
	 
</p>

<p>
	In truth, nobody is really sure what they are doing, and so we avoid long term discussion and decisions by deferring everything and moving agency to a future "long-tail" or maintenance phase of hardware and software. The core idea at the heart of so much bad cybersecurity is:
</p>

<p>
	 
</p>

<p>
	"Someone else will sort that out later"
</p>

<p>
	<br />
	The trick is to push the security onus and cost onto the end consumer in the form of so-called "updates". Like with climate, it pushes the risks and costs on to future generations… those that will have to clear up the mess caused by short-term profit. Unfortunately there's no "update" for a ruined planet in civil turmoil.
</p>

<p>
	 
</p>

<p>
	Digital technology is an industry that gets away with a fundamental violation of basic expectations of quality and fitness for purpose more than any other. We call this "software exceptionalism". The technology industry is run by people who think what they do is special - in an almost religiously sincere way. But most are not special. They are ordinary irresponsible people, hoping to make a quick buck and get out before the fall.
</p>

<p>
	 
</p>

<p>
	With so many con-artists around, this means tech is a market for lemons in which the base price of all products is basically zero. Because that's the real level of confidence people have in gratuitous tech, despite all they might say. Therefore all profit made is by grift, encumbrances, rents, liens and deceptions laid on top of ostensibly "free" software services. It is not even really a "market" at all.
</p>

<p>
	 
</p>

<p>
	For about 30 years that didn't matter. People and businesses did not rely on computer software as we do today. In the 70s, 80s and 90s consumer tech products were seen as toys, fads, passing fun and frivolity. Now we put the same quality of software into Boeing airliners that fall out of the sky when it fails.
</p>

<p>
	 
</p>

<p>
	The tragedy is that we've plenty of smart people around who've devoted their lives to software engineering, quality, formal methods, and digital security. But their professionalism is made a mockery of by greedy corporations, our lack of investment in smaller, local tech, and missing political will to redistribute power on the Internet.
</p>

<p>
	 
</p>

<p>
	Anyone who looks at the emerging failures in digital tech is bewildered. Not just journalists and politicians, but the experts and programmers as well. The failures behind events like "SolarWinds", "CrowdStrike" and the latest "Secure Boot" issues are beyond belief in their fundamental stupidity. They prove that we can assemble thousands of the world's smartest people, but if we give them perverse motives - like putting money ahead of human life - they will fare worse than as many halfwits.
</p>

<p>
	 
</p>

<p>
	This avoidance of real thinking and engagement can be seen in events like the sham Bletchley Declaration, signed by 28 nations to agree to… "think carefully and have more talks"… about a threat considered by many leading scientists to be more serious than nuclear war.
</p>

<p>
	 
</p>

<p>
	I am in agreement with Carissa Véliz of Oxford who thinks the summit was an ethical dodge. It sullied the name of Bletchley Park (now within the grubby paws of Facebook after a £1 million "donation") by assembling political opportunists alongside carefully selected experts to give an appearance that governments are in control of the tech industry and not the other way around.
</p>

<p>
	 
</p>

<p>
	What we saw with CrowdStrike was a fundamental misunderstanding of the concept of ownership. The US National Security Agency has described anti-virus software as indistinguishable from a "rootkit" (the very worst kind of malware). Indeed that's what it is. It's just very dangerous software you allow someone else - who you believe you trust - to install on your computer. Anti-virus and "managed endpoint security" are medicines far worse than the diseases they claim to cure. Sadly we have silently slipped into an age where nobody questions this any longer, but we must challenge and remedy this dangerous mindset.
</p>

<p>
	 
</p>

<p>
	Solutionism is where we start with a small mistake and build bigger ones in response to it. In drama, that's called farce. The cascade effects in commercial tech have become a kind of farcical "Where's my trousers?" British sitcom. With secure boot what we see is mistakes bolted on top of mistakes in an orgy of solutionism. Layer upon layer of cryptographic staging and signing, and every new link in the chain is a weakness. Most of the motives are unclear. Whose computer is it?
</p>

<p>
	 
</p>

<p>
	Whose property is being "protected"?
</p>

<p>
	 
</p>

<p>
	It has every hallmark of how security goes bad - because it is unclear - and I believe deliberately so - who the security is for, what it is security from, and what end it serves! A general consensus in the technology world is that it primarily serves the interests of publishers - the movie and recording industry, Sony, Disney, the RIAA and MPAA in the US who represent these powers and dictate to other tech companies.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Calling it out</strong></span>
</p>

<p>
	<br />
	As I've witnessed it unfold over 50 years this whole sorry saga reminds me of some cautionary tale about a tangled web woven by the boy who first told a little white lie, but then had to tell another to support it, and a bigger lie, and then a bigger one still, until he and everyone else had forgotten what was true and what was false.
</p>

<p>
	 
</p>

<p>
	That's computing today. Our industry is dominated by greedy and dishonest motives, so:
</p>

<p>
	 
</p>

<ul>
	<li>
		we're not getting the technology we really need to face the existential and economic challenges of our age
	</li>
	<li>
		we are facing a catastrophic complexity collapse
	</li>
	<li>
		we endure nebulous societal harms like damaged mental health, ruined education, widespread depression and disaffection with politics
	</li>
	<li>
		we risk a major takeover/power-shift away from democracy
	</li>
</ul>

<p>
	<br />
	If human political pride is stopping us from preventing a much worse outcome that's no failure of science, technology and engineering, but a long overdue moral reckoning. The answers here are not technical but moral, and therefore political.
</p>

<p>
	 
</p>

<p>
	Whatever names we know each weekly tech disaster by… CrowdStrike, Meltdown, SolarWinds, Horizon… as we name hurricanes… they'll still keep coming and keep getting worse.
</p>

<p>
	 
</p>

<p>
	As with climate, to fix things we must look for the root causes. The sooner we stop pretending these are technical problems and start speaking the truth about the fundamental political problems in cybersecurity, and the issues we have with our consumer computing industry in general, the sooner we can have security for all computer users again, not just the already rich and powerful ones.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://cybershow.uk/blog/posts/computer-security-is-a-political-struggle/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24684</guid><pubDate>Mon, 05 Aug 2024 14:17:03 +0000</pubDate></item><item><title>The Alarming Surge Of Lateral Phishing &#x2013; Are We All Just Sitting Ducks?</title><link>https://nsaneforums.com/news/security-privacy-news/the-alarming-surge-of-lateral-phishing-%E2%80%93-are-we-all-just-sitting-ducks-r24682/</link><description><![CDATA[<p>
	A new report from Barracuda has just dropped, and it’s nothing short of a cyber-crime horror show. The headline? Nearly 42% of email attacks on companies with 2,000 employees or more are driven by the insidious menace of lateral phishing.
</p>

<p>
	<br />
	That’s right – nearly HALF of these targeted email threats are coming straight from compromised internal accounts, making your sprawling corporation a perfect playground for these cyber scoundrels.
</p>

<p>
	<br />
	If you haven’t heard of it yet, congratulations on living under a rock. But for those who have, let me spell it out for you—this is not just another run-of-the-mill phishing scam. It’s the sinister cousin, the kind of attack that sneaks around, infiltrates, and makes a mockery of our so-called "security measures." And let me tell you, it’s more than just a problem—it’s an outright crisis.
</p>

<p>
	<br />
	First off, let’s talk about the "lateral" part. This is not your garden-variety phishing where some shady character tries to fool you into giving up your password. No, this is way more insidious.
</p>

<p>
	<br />
	The attacker doesn’t just want your credentials; they want to infiltrate your entire network. They get their dirty little hands on one account and suddenly, they're playing puppet master with your entire organization. And guess what? Most businesses are sitting ducks because they haven’t got a clue about how to defend against this.
</p>

<p>
	<br />
	Now, before you get too comfy thinking this is a problem only for the big leagues, let’s talk about the small fish. For companies with up to 100 employees, lateral phishing is almost non-existent, making up a mere 2% of attacks. But don’t get too cozy if you’re running a smaller operation.
</p>

<p>
	<br />
	You’re not off the hook! Smaller businesses are getting hammered with external phishing attacks, which account for a staggering 71% of the threats over the past year. That’s over twice the rate of larger companies, which experience these external attacks 41% of the time.
</p>

<p>
	<br />
	And it gets worse. Smaller businesses are three times more likely to face extortion attacks compared to their larger counterparts. For the little guys, extortion attacks make up 7% of all targeted threats, while the big companies see a paltry 2% of these nasty tactics.
</p>

<p>
	<br />
	Despite the variance, business email compromise (BEC) and conversation hijacking are striking across the board, showing no preference for company size. Olesia Klevchuk, Barracuda's product marketing director, spells it out: Large companies are a veritable buffet for attackers.
</p>

<p>
	<br />
	With a plethora of mailboxes and communication channels, attackers find ample opportunities to exploit. Employees might trust emails that look like they’re from within the organization, even if they don’t recognize the sender.
</p>

<p>
	<br />
	But don’t think that smaller companies are safe. They often lack layered security defenses and have poorly configured email filters thanks to limited resources and skills. Klevchuk warns that while large firms have more entry points for attackers, smaller businesses often suffer from inadequate security measures.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Lateral Phishing Exposed: The Sneaky Scam That's Making Your Inbox a Minefield.</strong></span>
</p>

<p>
	 
</p>

<p>
	We’re about to dive into the murky waters of lateral phishing – a devious cyber trick that’s spreading like wildfire and turning your inbox into a battleground. Think phishing is just about those annoying emails from fake princes or shady lottery wins? Think again! Lateral phishing is a whole new level of sneakiness, and it’s hitting businesses hard.
</p>

<p>
	<br />
	So, what in the cyber world is lateral phishing? Here’s the lowdown: Imagine your company’s email system is a giant, interconnected web of messages and accounts. Now, picture a hacker sneaking in and hijacking one of these accounts.
</p>

<p>
	<br />
	Sounds bad, right? But here’s where it gets worse: instead of blasting out their scam to the outside world, they use the already compromised account to launch attacks internally.
</p>

<p>
	<br />
	That’s right! The attacker sends out phishing emails from an account that’s already inside your organization’s network. These emails might look like they’re coming from a trusted coworker or a familiar source, tricking your unsuspecting colleagues into clicking on malicious links or handing over sensitive information. It’s the ultimate con game – using the trust that’s already built within your organization to break it down from the inside out.
</p>

<p>
	<br />
	Why is this such a big deal? Because it’s the cyber equivalent of a Trojan horse. The attacker doesn’t need to go through all the trouble of breaching your defenses from the outside. They’re already in the door, using legitimate accounts to carry out their dirty work. This makes detecting and stopping them a real nightmare.
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Lateral Phishing - According To Barracuda</strong>
	</li>
</ul>

<p>
	<br />
	<strong>Attackers use recently hijacked or compromised accounts to send phishing emails to unsuspecting recipients, such as close contacts in the company and partners at external organizations.</strong>
</p>

<p>
	<br />
	So what’s the takeaway? Barracuda’s advice is clear: Regular security awareness training is a must. Employees need to stay sharp and be able to spot suspicious emails before they wreak havoc. Implementing multi-layered, AI-powered defenses is crucial to detect and neutralize these advanced attacks.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Steps to Protect Against Lateral Phishing Attacks</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>1. Educate Employees:</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Phishing Awareness Training:</strong> Regularly train employees to recognize phishing attempts. This includes spotting suspicious emails, understanding common phishing tactics, and knowing how to verify the legitimacy of messages.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Simulated Phishing Campaigns:</strong> Conduct periodic simulated phishing exercises to help employees practice identifying and responding to phishing threats.
	</li>
</ul>

<p>
	<br />
	<span style="font-size:18px;"><strong>2. Implement Strong Authentication Practices:</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Multi-Factor Authentication (MFA):</strong> Enforce MFA across all accounts. Even if an attacker gains access to a password, MFA provides an additional layer of security.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Strong Password Policies:</strong> Require complex passwords and encourage the use of password managers to store and manage them securely.
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>3. Monitor and Respond to Security Incidents:</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Threat Detection Systems:</strong> Use security tools that monitor for suspicious activities and anomalous behavior within your network.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Incident Response Plan:</strong> Develop and regularly update an incident response plan to ensure a swift reaction to potential phishing attacks or other security incidents.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong><span style="font-size:18px;">4. Restrict and Monitor Access:</span></strong>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Principle of Least Privilege:</strong> Ensure that users only have access to the information and systems necessary for their roles. Limiting access reduces the potential damage of a compromised account.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Regular Access Reviews:</strong> Periodically review and adjust access permissions based on changing roles and responsibilities.
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>5. Secure Communication Channels:</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Verify Requests:</strong> Implement processes for verifying requests for sensitive information or financial transactions, especially when these requests come via email or other online methods.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Use Encrypted Channels:</strong> Ensure that sensitive communications are conducted over secure, encrypted channels.
	</li>
</ul>

<p>
	       
</p>

<p>
	<strong><span style="font-size:18px;">6. Regularly Update and Patch Systems:</span></strong>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Patch Management:</strong> Keep all software, systems, and applications up to date with the latest security patches to reduce vulnerabilities that attackers might exploit.
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>7. Establish a Culture of Security:</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Encourage Reporting:</strong> Foster an environment where employees feel comfortable reporting suspicious emails or potential security threats without fear of reprimand.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Security Champions:</strong> Designate security champions within departments who can provide additional support and guidance on security matters.
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Phishing Attack Trends</strong></span>
</p>

<p>
	 
</p>

<p>
	The phishing landscape is looking like a total dumpster fire, and it’s high time we faced the grim reality of this cyber mess.
</p>

<p>
	 
</p>

<p>
	Let’s talk stats: In the second quarter of 2023, a staggering 23% of phishing attacks worldwide were aimed straight at financial institutions.
</p>

<p>
	 
</p>

<p>
	Why? Because nothing says "easy target" like your bank account. Trailing close behind, social media platforms were hit by about 22.3% of these digital scams. And guess what? Web-based software services and webmail services were in the same boat, also accounting for 22.3% of the attacks. It's like they’re on a mission to ruin every corner of our online lives.
</p>

<p>
	<br />
	Now, let’s dive into the nitty-gritty from Cloudflare's so-called Phishing Threats Report, based on a jaw-dropping 13 billion emails. First off, businesses are no longer just getting hit by phishing in their inboxes—nope, they’re getting hit across multiple channels. Email? Sure. Texts? Probably. Carrier pigeons? At this point, who knows?
</p>

<p>
	<br />
	The top phishing strategy? Deceptive links, making up nearly 36% of threats. Oh, joy. So now instead of just dodging shady attachments, you’ve got to steer clear of every single link that pops up in your inbox.
</p>

<p>
	<br />
	And, just to make your life even more fun, these attacks are usually disguised under the names of a handful of “trusted” brands like Microsoft, Google, Salesforce, and Amazon. Yep, only 20 brands are behind most of these schemes. It's like the cybercriminals all decided to join the same scam club.
</p>

<p>
	<br />
	And if you thought ransomware attacks were bad, guess what? A whopping 35% of them come through email. That’s right. Your inbox is basically a minefield now.
</p>

<p>
	<br />
	But wait, there’s more! Identity deception threats are on the rise, with millions of attacks successfully bypassing email authentication methods like SPF, DKIM, and DMARC. In other words, your email security protocols are getting schooled by some really sneaky crooks.
</p>

<p>
	<br />
	Now let’s break down the causes of phishing attacks according to the 2023 Verizon Data Breach Investigations Report (DBIR):
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Negligence: </strong>This is the top culprit, showing up in a whopping 98% of breaches. Basically, people just aren’t paying attention, and it’s causing a mess.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Stolen Credentials:</strong> These are responsible for 86% of breaches. Yep, hackers love getting their hands on your passwords and login info.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Misdelivery:</strong> Sending sensitive information to the wrong person is a factor in 43% of breaches. Oops, wrong recipient!
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Social Engineering:</strong> This trickery is behind 17% of breaches and 10% of incidents. Scammers are still making a living by fooling people into handing over their info.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Financial Loss:</strong> Data breaches are hitting wallets hard, with an average financial loss of $26,000 in 7% of cases. That’s more than double the FBI’s old average loss of $11,500 from 2021.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Ransomware:</strong> This nasty stuff is involved in 24% of breaches. Your data’s held hostage, and it’s becoming all too common.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Financial Motivation:</strong> A staggering 95% of data breaches are driven by financial gain. Follow the money, right?
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Human Element:</strong> Humans are the weak link, playing a role in 74% of breaches. It’s not just about the tech; it’s about how people handle it.
	</li>
</ul>

<p>
	<br />
	<span style="font-size:20px;"><strong>Phishing Frenzy: The Cybercrime Epidemic of Our Times</strong></span>
</p>

<p>
	 
</p>

<p>
	Hold onto your keyboards, folks, because the cybercriminals are out in full force, and they're not taking a day off. Let’s break down the appalling truth about phishing attacks that’s making our digital world a hazardous minefield.
</p>

<p>
	<br />
	Let's talk about the sheer volume of these malicious assaults; it is enough to make anyone's head spin. Brace yourselves: an astounding 31,000 phishing attacks are launched every single day. That's not a typo; that's 31,000 deceitful emails or messages aimed at tricking unsuspecting victims into handing over their sensitive information.
</p>

<p>
	<br />
	If you thought that was bad, here’s a kicker—phishing isn’t just some niche problem. No, it’s an epidemic. According to the Anti-Phishing Working Group (APWG), there were a jaw-dropping 1.3 million unique phishing sites detected in just the final quarter of 2022 alone. That’s a record, folks. A record we’d rather not have.
</p>

<p>
	<br />
	And it gets worse. The Verizon 2023 Data Breach Investigations Report reveals that a staggering 36% of all data breaches are directly tied to phishing attacks. That's over a third of all breaches, and it’s no surprise considering that every 20 seconds, a new phishing website springs up like a particularly nasty mushroom.
</p>

<p>
	<br />
	Digital Guardian’s latest findings are even more sobering. They’ve found that a whopping 90% of security breaches in corporations are the result of phishing attempts. In simpler terms, if you're working in any corporate environment, there’s a 90% chance that your security woes started with a phishing scam.
</p>

<p>
	<br />
	And guess what? The cost of all these breaches? IBM’s Cost of a Data Breach Report confirms that compromised credentials are the prime culprits, fueling 19% of cyber attacks.
</p>

<p>
	<br />
	Let’s not forget the sheer scale of phishing operations. Cybercriminals are dispatching a staggering 3.4 billion malicious emails every day. Yes, billion with a 'B'. If that’s not a wake-up call, I don’t know what is.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Data Breaches</strong></span>
</p>

<p>
	 
</p>

<p>
	Phishing is the second most frequent cause of data breaches, and it’s one of the top four strategies used by cybercriminals to infiltrate organizations. Over 60% of social engineering attacks are phishing-related, so when you’re getting a sketchy email, it’s not just your inbox at risk; it’s your entire organization.
</p>

<p>
	<br />
	And who are these cyberthieves trying to impersonate? The usual suspects are all here. Microsoft takes the crown as the most impersonated brand, followed closely by heavyweights like the World Health Organization, Google, and even SpaceX. The list goes on with Salesforce, Apple, Amazon, T-Mobile, YouTube, MasterCard, Notion.so, Comcast, and LinePay also falling prey to these deceptive tactics.
</p>

<p>
	 
</p>

<p>
	Smaller businesses, listen up: consider teaming up with a managed service provider for that extra layer of protection. As it stands, nearly 1.2% of all global emails are malicious – that’s around 3.4 billion phishing emails daily. And guess what? Human error is a factor in 74% of breaches, thanks to social engineering tricks, mistakes, or outright misuse.
</p>

<p>
	<br />
	Wake up, world! We’re in a cyber war zone, and the threats are real!
</p>

<p>
	 
</p>

<p>
	The bottom line is that phishing is no longer a small-scale issue. It’s a full-blown crisis, and it’s only getting worse. So, the next time you get an email from a supposed CEO asking for urgent wire transfers or a mysterious message claiming you’ve won a prize, remember: it’s not just spam—it’s a potentially devastating phishing attack. Stay vigilant, and for the love of cybersecurity
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://hackernoon.com/the-alarming-surge-of-lateral-phishing-are-we-all-just-sitting-ducks" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24682</guid><pubDate>Mon, 05 Aug 2024 00:35:46 +0000</pubDate></item><item><title>uBlocked: As Chrome Transitions to Manifest V3, Ad Blockers Get Less Effective</title><link>https://nsaneforums.com/news/security-privacy-news/ublocked-as-chrome-transitions-to-manifest-v3-ad-blockers-get-less-effective-r24672/</link><description><![CDATA[<p>
	Users of uBlock Origin have started seeing a warning in Google Chrome that the popular extension may not be supported by the browser. The problem isn’t uBlock, it’s Chrome: Google’s belated adoption of the Manifest V3 extension platform will soon make many ad- and tracker-blocking extensions less effective.
</p>

<p>
	 
</p>

<p>
	“Starting with Google Chrome 127, there will be a warning for uBlock Origin (uBO) in your Chrome Extensions page,” Melroy van den Berg writes in the uBlock Origin wiki on GitHub. “This is the result of Manifest V2 support being deprecated in favor of Manifest V3. uBO is a Manifest V2 extension, hence the warning in your Google Chrome browser. There is no Manifest v3 version of uBO, hence the browser will suggest alternative extensions as a replacement for uBO.”
</p>

<p>
	 
</p>

<p>
	Google announced Manifest V3 five years ago, and it’s been controversial from the get-go. Google has long claimed that the goal is only to make browser extensions more secure. But its critics, in particular, the makers of popular ad- and tracker-blocking extensions, say the restrictions in this platform are designed to help advertisers, not users.
</p>

<p>
	 
</p>

<p>
	Extension makers have had to adapt, but the net result is pretty clear: These products will be less effective than they were with Manifest V2. Some, like Ghostery, have simply adapted their software to work around the limitations where possible. Others, like uBlock, have split the extension in two: Chrome users will now be offered a less effective extension called uBlock Origin Lite, while users on better browsers will still get the full uBlock Origin.
</p>

<p>
	 
</p>

<p>
	“uBO Lite (uBOL) is a pared-down version of uBO with a best effort at converting filter lists used by uBO into a Manifest V3-compliant approach, with a focus on reliability and efficiency as has been the case with uBO since first published in June 2014,” van den Berg explains. “However, the focus on reliability and efficiency in a Manifest V3 environment meant having to sacrifice many features beyond those not possible within a Manifest V3 framework.”
</p>

<p>
	 
</p>

<p>
	Like many Google technology shifts, the Manifest V3 transition has been delayed many times. But back in May, the online giant announced it would begin warning Chrome users with Manifest V2-based extensions about the coming end of support. So that’s what we’re seeing now. Over time, it will disable Manifest V2 extensions automatically, and Chrome will recommend Manifest V3-based alternatives. Google expects to complete this transition by early 2025.
</p>

<p>
	 
</p>

<p>
	In any event, users who rely on uBlock Origin or other Manifest V2-based extensions have a choice to make. They can switch to less effective V3-based blockers and see how it goes. Or they can use a safer and more secure web browser that isn’t making Manifest V3 a requirement. Brave is the best choice, as it doesn’t even require this type of extension because it effectively blocks trackers and ads automatically. But Firefox is a good choice too, as long as you install a few good extensions (uBlock Origin, Privacy Badger, and others).
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.thurrott.com/cloud/web-browsers/google-chrome/306644/ublocked-as-chrome-transitions-to-manifest-v3-ad-blockers-get-less-effective" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24672</guid><pubDate>Sun, 04 Aug 2024 14:44:44 +0000</pubDate></item><item><title>Linux kernel impacted by new SLUBStick cross-cache attack</title><link>https://nsaneforums.com/news/security-privacy-news/linux-kernel-impacted-by-new-slubstick-cross-cache-attack-r24667/</link><description><![CDATA[<p>
	A novel Linux kernel cross-cache attack named SLUBStick has a 99% success rate in converting a limited heap vulnerability into an arbitrary memory read-and-write capability, letting the researchers elevate privileges or escape containers.
</p>

<p>
	 
</p>

<p>
	The discovery comes from a team of researchers at Graz University of Technology, who demonstrated the attack on Linux kernel versions 5.9 and 6.2 (the latest at the time of the research) using nine existing CVEs on both 32-bit and 64-bit systems, indicating high versatility.
</p>

<p>
	 
</p>

<p>
	Additionally, the attack worked even with modern kernel defenses such as Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR) active.
</p>

<p>
	 
</p>

<p>
	SLUBStick will be presented in detail at the USENIX Security Symposium later this month. The researchers will showcase privilege escalation and container escape on the latest Linux with state-of-the-art defenses enabled.
</p>

<p>
	 
</p>

<p>
	In the meantime, the published technical paper contains all the details about the attack and the potential exploitation scenarios.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>SLUBStick details</strong></span>
</p>

<p>
	 
</p>

<p>
	The Linux kernel's slab allocator (SLUB) manages kernel heap memory by carving pages into fixed-size objects: each object type or size class has its own cache, and the pages backing a cache are called "slabs." Once every object on a slab has been freed, the page can be returned to the page allocator and later handed to a different cache.
</p>

<p>
	 
</p>

<p>
	Attacks that use a memory-safety bug in one cache to corrupt objects belonging to another, by getting a freed slab page recycled to a different cache, are called cross-cache attacks. Until now they have succeeded only roughly 40% of the time and typically lead to a system crash sooner or later.
</p>

<p>
	 
</p>

<p>
	SLUBStick exploits a heap vulnerability, such as a double-free, use-after-free, or out-of-bounds write, to manipulate the memory allocation process.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="cves.jpg" class="ipsImage" data-ratio="58.26" height="208" width="357" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Papers/03/cves.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em><strong>CVEs successfully used in the researchers' experiments</strong></em></span>
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Source: stefangast.eu</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Next, it uses a timing side channel to detect exactly when the kernel allocates and deallocates the memory chunks of interest, in particular when a slab page is released and reclaimed, allowing the attacker to predict and control memory reuse.
</p>

<p>
	 
</p>

<p>
	Using this timing information raises the success rate of the cross-cache exploitation to 99%, making SLUBStick very practical.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="success-rate.jpg" class="ipsImage" data-ratio="62.48" height="383" width="613" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Papers/03/success-rate.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em><strong>Measured success rates</strong></em></span>
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Source: stefangast.eu</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The conversion of the heap flaw into an arbitrary memory read-and-write primitive is done in three steps:
</p>

<p>
	 
</p>

<ul>
	<li>
		Free the objects on a chosen slab so the kernel returns the underlying page to the page allocator, then wait for the kernel to reuse it.
	</li>
	<li>
		Reallocate that memory in a controlled manner, ensuring the page gets repurposed for critical data structures like page tables.
	</li>
	<li>
		Once the page is reclaimed, overwrite the page table entries through the stale reference, which grants the ability to read and write any memory location.
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="slubstick-3steps.jpg" class="ipsImage" data-ratio="42.50" height="162" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Papers/03/slubstick-3steps.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em><strong>SLUBStick overview</strong></em></span>
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Source: stefangast.eu</em></span>
</p>

<p style="text-align:center;">
	 
</p>
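<p>
	The three steps above, as an added worked example written for this post (not code from the SLUBStick paper or the researchers' repository): a user-space C model of a SLUB-style allocator in which freeing every object on a slab returns its page to a page allocator, and a second cache then reclaims that page for a "page table". The page allocator, the cache and object types and the FAKE_PTE value are invented for the model; the real CVEs and the timing side channel are not reproduced, the model simply reclaims the freed page deterministically.
</p>

```c
/* Added example for this article (not the Graz researchers' exploit, not kernel
 * code): a user-space model of a cross-cache attack on a SLUB-style allocator.
 * The page allocator, cache_t, victim_t, pagetable_t and FAKE_PTE are invented
 * for the model; the timing side channel is omitted. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NPAGES    4
#define MAX_OBJS  256              /* slots per slab (enough for obj_size >= 16) */

/* Modeled page allocator: a pool of pages and a free flag per page. */
static uint8_t page_pool[NPAGES][PAGE_SIZE];
static int     page_is_free[NPAGES];

static void page_allocator_reset(void) {
    memset(page_pool, 0, sizeof page_pool);
    for (int i = 0; i < NPAGES; i++) page_is_free[i] = 1;
}

static int page_alloc(void) {
    for (int i = 0; i < NPAGES; i++)
        if (page_is_free[i]) { page_is_free[i] = 0; return i; }
    return -1;
}

static void page_release(int page) { page_is_free[page] = 1; }

/* Modeled slab cache: one size class, at most one slab page at a time. */
typedef struct {
    size_t  obj_size;
    int     capacity;              /* objects that fit in one page */
    int     page;                  /* current slab page, -1 if none */
    int     live;                  /* live objects on the slab */
    uint8_t used[MAX_OBJS];        /* per-slot allocation map */
} cache_t;

static void cache_init(cache_t *c, size_t obj_size) {
    memset(c, 0, sizeof *c);
    c->obj_size = obj_size;
    c->capacity = (int)(PAGE_SIZE / obj_size);
    if (c->capacity > MAX_OBJS) c->capacity = MAX_OBJS;
    c->page = -1;
}

static void *cache_alloc(cache_t *c) {
    if (c->page < 0) {                       /* no slab: take a page from the allocator */
        c->page = page_alloc();
        if (c->page < 0) return NULL;
        memset(c->used, 0, sizeof c->used);
        c->live = 0;
    }
    for (int i = 0; i < c->capacity; i++)
        if (!c->used[i]) {
            c->used[i] = 1;
            c->live++;
            return &page_pool[c->page][(size_t)i * c->obj_size];
        }
    return NULL;                             /* slab full (the model keeps one slab) */
}

/* Freeing the last live object returns the whole page to the page allocator,
 * where ANY cache may pick it up next. That hand-off is what a cross-cache
 * attack engineers. */
static void cache_free(cache_t *c, void *obj) {
    size_t idx = (size_t)((uint8_t *)obj - page_pool[c->page]) / c->obj_size;
    c->used[idx] = 0;
    if (--c->live == 0) { page_release(c->page); c->page = -1; }
}

typedef struct { uint64_t words[4]; } victim_t;    /* 32-byte attacker-reachable object */
typedef struct { uint64_t pte[512]; } pagetable_t; /* models a 4 KiB page-table page */

#define FAKE_PTE 0x000000001234f067ULL /* arbitrary "frame | present,rw,user" value */

/* The three steps from the article. keep_one_live = 1 models a failed spray in
 * which objs[0] survives, so the slab page is never released.
 * Returns 1 when the stale victim pointer ends up writing page-table entries. */
static int cross_cache_attack(int keep_one_live) {
    cache_t victim_cache, pt_cache;
    page_allocator_reset();
    cache_init(&victim_cache, sizeof(victim_t));
    cache_init(&pt_cache, sizeof(pagetable_t));

    /* Step 1: fill a slab with victim objects, keep a pointer to one (standing
     * in for the UAF / double-free), then free them so the page drains back to
     * the page allocator. */
    victim_t *objs[MAX_OBJS];
    int n = victim_cache.capacity;
    for (int i = 0; i < n; i++) objs[i] = cache_alloc(&victim_cache);
    int slab_page = victim_cache.page;
    victim_t *dangling = objs[0];
    for (int i = keep_one_live ? 1 : 0; i < n; i++) cache_free(&victim_cache, objs[i]);

    /* Step 2: allocate from a different cache; if the page was released it is
     * reclaimed for a page table. */
    pagetable_t *pt = cache_alloc(&pt_cache);
    if (pt == NULL || pt_cache.page != slab_page) return 0;

    /* Step 3: a write through the stale pointer now lands in the page table.
     * In the kernel this remaps physical memory and yields arbitrary R/W. */
    dangling->words[0] = FAKE_PTE;
    return pt->pte[0] == FAKE_PTE;
}

int main(void) {
    printf("page reclaimed as page table: %d\n", cross_cache_attack(0)); /* 1 */
    printf("slab kept alive, no reuse:    %d\n", cross_cache_attack(1)); /* 0 */
    return 0;
}
```

<p>
	Compile with any C99 compiler and run. The second call shows why a partial spray fails: while one object on the slab is still live the page is never released, so the page-table allocation lands on a different page and the stale pointer corrupts nothing useful. On a real kernel the attacker cannot see the allocator's state, and that uncertainty is what the timing side channel removes.
</p>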

<p>
	<span style="font-size:20px;"><strong>Real-world impact</strong></span>
</p>

<p>
	 
</p>

<p>
	As with most attacks involving a side channel, SLUBStick requires local access on the target machine with code execution capabilities. Furthermore, the attack requires the presence of a heap vulnerability in the Linux kernel, which will then be used to gain read and write access to the memory.
</p>

<p>
	 
</p>

<p>
	While these prerequisites narrow the attack's applicability, it still offers attackers meaningful advantages.
</p>

<p>
	 
</p>

<p>
	For attackers who already have code execution, SLUBStick provides a way to achieve privilege escalation, bypass kernel defenses, perform container escapes, or serve as one link in a longer attack chain.
</p>

<p>
	 
</p>

<p>
	Privilege escalation can be used to elevate privileges to root, allowing unlimited operations, while container escape can be used to break from sandboxed environments and access the host system.
</p>

<p>
	 
</p>

<p>
	Additionally, in the post-exploitation phase, SLUBStick could modify kernel structures or hooks to maintain persistence, making malware harder for defenders to detect.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="conversion.jpg" class="ipsImage" data-ratio="75.10" height="403" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Papers/03/conversion.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><strong><em>Tampering with '/etc/passwd' data</em></strong></span>
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Source: stefangast.eu</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Those who want to dive deeper into SLUBStick and experiment with the exploits used by the Graz University researchers can find them in the <span style="color:#2980b9;">researcher's GitHub repository</span>.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/linux-kernel-impacted-by-new-slubstick-cross-cache-attack/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24667</guid><pubDate>Sun, 04 Aug 2024 13:14:59 +0000</pubDate></item><item><title>Ransomware seizes hospitals' blood supply</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-seizes-hospitals-blood-supply-r24646/</link><description><![CDATA[<p>
	A ransomware attack on blood donation nonprofit OneBlood this week is forcing many hospitals across the southeastern U.S. to rely on their critical blood supplies and host last-minute blood drives.
</p>

<p>
	 
</p>

<p>
	<strong>Why it matters:</strong> OneBlood provides blood samples to more than 300 hospitals in Georgia, Florida and the Carolinas, and some hospitals may need to delay certain procedures until the blood supply is back to normal.
</p>

<p>
	 
</p>

<p>
	<strong>State of play:</strong> Susan Forbes, a spokesperson for OneBlood, told Axios on Thursday that the nonprofit's online infrastructure systems are "starting to come back online," noting that they'll soon be able to return to the critical online tools they use to label donated blood.
</p>

<p>
	 
</p>

<ul>
	<li>
		OneBlood first detected the ransomware attack on Monday, and ever since, the nonprofit has had to rely on manual processes — like printing out its own labels and having donors fill out paper forms — to ship donations to hospitals.
	</li>
	<li>
		In the last few days, the nonprofit has brought in more people, printers and other systems to more quickly label blood samples as required under FDA regulations, Forbes said.
	</li>
	<li>
		"Donors are coming in," she said. "It's getting the product out the door to the hospital — there's the delay in that because of the manual processes to label these products."
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Threat level:</strong> Earlier this week, the nonprofit urged more than 250 hospital partners to activate their critical blood shortage protocols.
</p>

<p>
	 
</p>

<p>
	Other blood banks have started helping out local hospitals to fill in the gaps. But "there's only so much blood to go around," Forbes said.
</p>

<p>
	 
</p>

<p>
	<strong>Zoom in:</strong> At Tallahassee Memorial HealthCare, at least two complex elective surgeries were rescheduled Wednesday, and the hospital is actively seeking additional blood supply sources, according to WCTV.
</p>

<p>
	 
</p>

<ul>
	<li>
		The University of Miami health system hosted a blood drive Thursday to help supplement supplies to local hospitals.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>The big picture:</strong> Ransomware attacks against U.S. health care systems are getting worse, Allan Liska, a ransomware analyst at Recorded Future, told Axios.
</p>

<p>
	 
</p>

<ul>
	<li>
		Cybersecurity firm Check Point Software Technologies estimates that health care organizations face an average of 1,671 attacks per week.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>What they're saying: </strong>"Just because the ransomware actor didn't pull the trigger doesn't mean they weren't indirectly responsible for the death of a patient," Liska said.
</p>

<p>
	 
</p>

<ul>
	<li>
		Anyone arguing that ransomware doesn't lead to patient death "is just wrong," he added.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Between the lines:</strong> Ransomware actors have learned that they can make a lot of money and get a lot of public attention when they target major health care systems, Liska said.
</p>

<p>
	 
</p>

<ul>
	<li>
		Public attention can be a selling point for those who operate so-called ransomware-as-a-service groups, where malware developers license their ransomware strains to freelance hackers for a share of the attack profits.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Ransoms can be lucrative if hackers hit the right target. Change Healthcare said it paid $22 million to ransomware hackers.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Yes, but: </strong>At least in the OneBlood cyberattack, people are able to help offset the impact, Liska said.
</p>

<p>
	 
</p>

<ul>
	<li>
		"Everyone can donate blood, and that can help all of these hospitals, all of these medical facilities that are suffering," he said. "It's weird to have a ransomware attack where there's an effective and immediate call to action."
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>The bottom line:</strong> OneBlood is calling on people who are able to donate blood, especially those with the O-positive and O-negative blood types that hospitals urgently need.
</p>

<p>
	 
</p>

<ul>
	<li>
		Platelet donations are also in high demand.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong><a href="https://www.axios.com/2024/08/02/ransomware-oneblood-hospital-blood-supply" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24646</guid><pubDate>Fri, 02 Aug 2024 22:55:59 +0000</pubDate></item><item><title>Here is another reason why you should never click on ads to download software</title><link>https://nsaneforums.com/news/security-privacy-news/here-is-another-reason-why-you-should-never-click-on-ads-to-download-software-r24640/</link><description><![CDATA[<p>
	Imagine the following scenario. You want to download Google Authenticator, run a search on Google for the company's application, and click on the first link that appears.
</p>

<p>
	 
</p>

<p>
	The link looks good even though it is listed as sponsored. It shows Google's official site as the URL. When you check the advertiser, which you can do on Google Search, you get confirmation that Google has verified the advertiser's identity.
</p>

<p>
	 
</p>

<p>
	All good then? Not in this case. Had you downloaded the linked app, you would have installed a malware-laced Authenticator application on your device. The application, which according to reports even carried a valid signature, installed the DeerStealer information-stealing malware on Windows devices.
</p>

<h3>
	Not the first case, likely not the last
</h3>

<p>
	Threat actors have managed to overcome the security systems of advertising companies such as Google numerous times in the past to plant malware ads on Google Search and elsewhere. We have reported on this numerous times already, for example <a data-wpel-link="internal" href="https://www.ghacks.net/2022/12/30/hackers-google-ads-well-known-apps-malware/" rel="external nofollow">here</a> or <a data-wpel-link="internal" href="https://www.ghacks.net/2022/08/01/researchers-discover-hiddenads-malware-in-a-dozen-android-apps-that-were-distributed-on-the-google-play-store/" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	Just last year, it was reported that <a data-wpel-link="internal" href="https://www.ghacks.net/2023/02/03/report-malware-is-pushed-through-google-ads-at-an-alarming-rate/" rel="external nofollow">malware was distributed via Google Ads at an alarming rate</a>. The situation has not improved.
</p>

<p>
	 
</p>

<p>
	These are often made to look like the legitimate product, and it is very difficult for the user to determine that they are not.
</p>

<p>
	 
</p>

<p>
	In the above case, everything checked out on first glance:
</p>

<p>
	 
</p>

<ul>
	<li>
		Correct Google Domain listed.
	</li>
	<li>
		Google verified the advertiser.
	</li>
	<li>
		App is signed.
	</li>
</ul>

<p>
	 
</p>

<p>
	Bleeping Computer <a data-wpel-link="external" href="https://www.bleepingcomputer.com/news/security/google-ads-push-fake-google-authenticator-site-installing-malware/" rel="external nofollow" target="_blank">asked</a> Google about the impersonation of legitimate companies and people, and Google stated that threat actors are "evading detection by creating thousands of accounts simultaneously and using text manipulation and cloaking to show reviewers and automated systems different websites than a regular visitor would see".
</p>

<p>
	 
</p>

<p>
	In other words, Google admits that it cannot protect users from malicious ads 100% of the time. While it boasts that it has removed "3.4 billion ads" and suspended "5.6 million advertiser accounts" in 2023, it still has not found a way to detect all malicious ads and advertisers on Google Search.
</p>

<h2>
	Sponsored links are not to be trusted
</h2>

<p>
	Any link in Search that is listed as sponsored or an ad should not be trusted, especially when it comes to downloading software or making financial transactions. That is the only sensible conclusion users should draw from Google's statement.
</p>

<p>
	 
</p>

<p>
	Threat actors have abused search ads one too many times for them to be trusted. Usually, all it takes is to scroll down a bit further until you reach the first organic search results. There you should find the official website of the product.
</p>

<p>
	 
</p>

<p>
	<em>What about you? Do you click on ads or sponsored results sometimes? What is your take away from the recent malicious advertising campaign? Feel free to leave a comment down below.</em>
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2024/08/02/here-is-another-reason-why-you-should-never-click-on-ads-to-download-software/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">24640</guid><pubDate>Fri, 02 Aug 2024 20:09:07 +0000</pubDate></item><item><title>China-based Evasive Panda hackers compromised an ISP to spread malware, report says</title><link>https://nsaneforums.com/news/security-privacy-news/china-based-evasive-panda-hackers-compromised-an-isp-to-spread-malware-report-says-r24631/</link><description><![CDATA[<p>
	A China-based cyber-espionage group compromised an internet service provider (ISP) to spread malware in 2023, researchers said Friday, confirming a hunch expressed in an earlier report about the same operation.
</p>

<p>
	 
</p>

<p>
	Analysts at Volexity said the hacking operation — known as Evasive Panda, Bronze Highland, Daggerfly and StormBamboo — was indeed undertaking “adversary in the middle” attacks in 2023 as it infected Mac and Windows systems. In such incidents, threat actors get between a device and an otherwise trusted server to deliver malicious code.
</p>

<p>
	 
</p>

<p>
	Researchers at a different company, ESET, had attributed at least one malware infection to Evasive Panda in 2023 but could only speculate that it was an adversary-in-the-middle attack.
</p>

<p>
	 
</p>

<p>
	Volexity said its analysis showed that Evasive Panda had compromised the target’s ISP and was poisoning DNS responses, the lookups that turn hostnames into the IP addresses devices connect to.
</p>

<p>
	 
</p>

<p>
	“Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network,” Volexity said. “As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped.”
</p>

<p>
	 
</p>

<p>
	The attackers had used the disruption to serve up information-stealing malware known as MgBot or Pocostick (for Windows machines) and Macma (for MacOS devices). MgBot, in particular, has been a tool for Evasive Panda for more than a decade. ESET found MgBot used against China’s Tibetan population earlier this year.
</p>

<p>
	 
</p>

<p>
	Volexity said that in the 2023 incidents it analyzed, certain apps would request updates but the users’ devices would get MgBot and Macma instead.
</p>

<p>
	 
</p>

<p>
	“StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers,” Volexity said.
</p>

<p>
	 
</p>

<p>
	Evasive Panda remains “a highly skilled and aggressive threat actor,” the researchers said, with a wide variety of malware at hand and “significant effort” invested in operations.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/china-based-hackers-evasive-isps-malware" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24631</guid><pubDate>Fri, 02 Aug 2024 19:40:34 +0000</pubDate></item></channel></rss>
