<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/44/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Microsoft&#x2019;s Recall Feature Is Even More Hackable Than You Thought</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft%E2%80%99s-recall-feature-is-even-more-hackable-than-you-thought-r23546/</link><description><![CDATA[<h3>
	A new discovery that the AI-enabled feature’s historical data can be accessed even by hackers without administrator privileges only contributes to the growing sense that the feature is a “dumpster fire.”
</h3>

<p>
	Microsoft's CEO Satya Nadella has hailed the company's <a href="https://www.wired.com/story/everything-announced-microsoft-surface-event-2024/" rel="external nofollow">new Recall feature</a>, which <a href="https://www.wired.com/story/microsoft-recall-alternatives/" rel="external nofollow">stores a history of your computer desktop</a> and makes it available to AI for analysis, as “photographic memory” for your PC. Within the cybersecurity community, meanwhile, the notion of a tool that silently takes a screenshot of your desktop every five seconds has been hailed as <a href="https://www.wired.com/story/total-recall-windows-recall-ai/" rel="external nofollow">a hacker's dream come true</a> and the worst product idea in recent memory.
</p>

<p>
	 
</p>

<p>
	Now, security researchers have pointed out that even the one remaining security safeguard meant to protect that feature from exploitation can be trivially defeated.
</p>

<p>
	 
</p>

<p>
	Since Recall was first announced last month, the cybersecurity world has pointed out that if a hacker can install malicious software to gain a foothold on a target machine with the feature enabled, they can quickly gain access to the user's entire history stored by the function. The only barrier, it seemed, to that high-resolution view of a victim's entire life at the keyboard was that accessing Recall's data required administrator privileges on a user's machine. That meant malware without that higher-level privilege would trigger a permission pop-up, allowing users to prevent access, and that malware would also likely be blocked by default from accessing the data on most corporate machines.
</p>

<p>
	 
</p>

<p>
	Then on Wednesday, James Forshaw, a researcher with Google's Project Zero vulnerability research team, published <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.tiraniddo.dev/2024/06/working-your-way-around-acl.html"}' data-offer-url="https://www.tiraniddo.dev/2024/06/working-your-way-around-acl.html" href="https://www.tiraniddo.dev/2024/06/working-your-way-around-acl.html" rel="external nofollow" target="_blank">an update to a blog post</a> pointing out that he had found methods for accessing Recall data <em>without</em> administrator privileges—essentially stripping away even that last fig leaf of protection. “No admin required ;-)” the post concluded.
</p>

<p>
	 
</p>

<p>
	“Damn,” Forshaw <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://infosec.exchange/@tiraniddo/112566044174482506"}' data-offer-url="https://infosec.exchange/@tiraniddo/112566044174482506" href="https://infosec.exchange/@tiraniddo/112566044174482506" rel="external nofollow" target="_blank">added on Mastodon</a>. “I really thought the Recall database security would at least be, you know, secure.”
</p>

<p>
	 
</p>


<p>
	Forshaw's blog post described two different techniques to bypass the administrator privilege requirement, both of which exploit ways of defeating a basic security function in Windows known as access control lists that determine which elements on a computer require which privileges to read and alter. One of Forshaw's methods exploits an exception to those control lists, temporarily impersonating a program on Windows machines called AIXHost.exe that can access even restricted databases. Another is even simpler: Forshaw points out that because the Recall data stored on a machine is considered to belong to the user, a hacker with the same privileges as the user could simply rewrite the access control lists on a target machine to grant themselves access to the full database.
</p>

<p>
	 
</p>


<p>
	That second, simpler bypass technique “is just mindblowing, to be honest,” says Alex Hagenah, a cybersecurity strategist and ethical hacker. Hagenah recently <a href="https://www.wired.com/story/total-recall-windows-recall-ai/" rel="external nofollow">built a proof-of-concept hacker tool called TotalRecall</a> designed to show that someone who gained access to a victim's machine with Recall could immediately siphon out all the user's history recorded by the feature. Hagenah's tool, however, still required that hackers find another way to gain administrator privileges through a so-called “privilege escalation” technique before his tool would work.
</p>

<p>
	 
</p>

<p>
	With Forshaw's technique, “you don’t need any privilege escalation, no pop-up, nothing,” says Hagenah. “This would make sense to implement in the tool for a bad guy.”
</p>

<p>
	 
</p>

<p>
	In fact, just an hour after speaking to WIRED about Forshaw's finding, Hagenah added the simpler of Forshaw's two techniques to his TotalRecall tool, then confirmed that the trick worked by accessing all the Recall history data stored on another user's machine for which he didn't have administrator access. “So simple and genius,” he wrote in a text to WIRED after testing the technique.
</p>

<p>
	 
</p>

<p>
	That confirmation removes one of the last arguments Recall's defenders have had against criticisms that the feature acts as, essentially, a piece of pre-installed spyware on a user's machine, ready to be exploited by any hacker who can gain a foothold on the device. “It makes your security very fragile, in the sense that anyone who penetrates your computer for even a second can get your whole history,” says Dave Aitel, the founder of the cybersecurity firm Immunity and a former NSA hacker. “Which is not something people want.”
</p>

<p>
	 
</p>

<p>
	For now, security researchers have been testing Recall in preview versions of the tool ahead of its expected launch later this month. Microsoft said it plans to integrate Recall on compatible Copilot+ PCs with the feature turned on by default. WIRED reached out to the company for comment on Forshaw's findings about Recall's security issues, but the company has yet to respond.
</p>

<p>
	 
</p>

<p>
	The revelation that hackers can exploit Recall without even using a separate privilege escalation technique only contributes further to the sense that the feature was rushed to market without a proper review from the company's cybersecurity team—despite the company's CEO Nadella proclaiming just last month that Microsoft would make <a href="https://www.theverge.com/24148033/satya-nadella-microsoft-security-memo" rel="external nofollow">security its first priority in every decision going forward</a>. “You cannot convince me that Microsoft's security teams looked at this and said ‘that looks secure,’” says Jake Williams, a former NSA hacker and now the VP of R&amp;D at the cybersecurity consultancy Hunter Strategy, where he says he's been asked by some of the firm's clients to test Recall's security before they add Microsoft devices that use it to their networks.
</p>

<p>
	 
</p>

<p>
	“As it stands now, it’s a security dumpster fire,” Williams says. “This is one of the scariest things I’ve ever seen from an enterprise security standpoint.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/microsoft-windows-recall-privilege-escalation/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of May): Nearly 2,400 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">23546</guid><pubDate>Fri, 07 Jun 2024 04:48:01 +0000</pubDate></item><item><title>Microsoft: Protect yourself with VBS, TPM-based Enhanced Sign-in Security using our guide</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-protect-yourself-with-vbs-tpm-based-enhanced-sign-in-security-using-our-guide-r23545/</link><description><![CDATA[<p>
	Yesterday, Microsoft published official guides on how to <a href="https://www.neowin.net/news/microsoft-releases-official-guides-for-windows-11-passkeys-on-how-to-save-use-manage-them/" rel="external nofollow">Save, Use and Manage</a> Windows 11 Passkeys. Following that, today, the company has published a new guide related to passwordless sign-in.
</p>

<p>
	 
</p>

<p>
	The guide is available inside a new support document published by the company regarding Enhanced Sign-in Security or ESS. If you are not aware, ESS essentially provides an additional level of security to biometric data with the help of Virtualization-based Security (VBS) and TPM 2.0.
</p>

<p>
	 
</p>

<p>
	Windows Hello allows authentication via facial recognition, fingerprint recognition, as well as via PIN, and with the help of ESS the authentication is done securely. If you recall, when Windows 11 was first released, Microsoft had explained the benefits of security features like <a href="https://www.neowin.net/news/microsoft-explains-why-tpm-20-and-vbs-on-windows-11-are-so-key-for-next-gen-security/" rel="external nofollow">VBS and TPM 2.0</a>.
</p>

<p>
	 
</p>

<p>
	Microsoft's guide on how to configure ESS inside Windows 11 Settings is given below:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		You can use the Settings app to configure ESS.
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			<p>
				In the Settings app on your Windows device, select <strong> Accounts </strong> &gt; <strong> Sign-in options </strong> or use the following shortcut:
			</p>

			<p>
				 
			</p>

			<p>
				<a class="ocpExternalLink supLinkButton" href="ms-settings:signinoptions" target="_blank" rel="">Sign-in options</a>
			</p>

			<p>
				 
			</p>
		</li>
		<li>
			<p>
				Under <strong>Additional settings</strong> &gt; <strong>Sign in with an external camera or fingerprint reader</strong>, there's a toggle that allows you to enable or disable ESS:
			</p>

			<p>
				 
			</p>

			<ul>
				<li>
					<p>
						When the toggle is <strong>Off</strong>, ESS is enabled and you can't use external peripherals to sign in. Remember, you can still use external peripherals within apps like Teams
					</p>

					<p>
						 
					</p>
				</li>
				<li>
					<p>
						When the toggle is <strong>On</strong>, ESS is disabled and you can use Windows Hello compatible peripherals to sign in
					</p>

					<p>
						 
					</p>
				</li>
			</ul>
		</li>
	</ul>

	<p>
		<img alt="1717714072_windows_11_ess.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/06/1717714072_windows_11_ess.jpg">
	</p>
</blockquote>

<p>
	Bear in mind though that ESS does require specially <a href="https://www.neowin.net/news/microsoft-starts-ensuring-windows-11-24h2-system-requirements-compatibility-server-2025-too/" rel="external nofollow">certified hardware</a>. For example, Microsoft says that a face or fingerprint reader should have the “CM_DEVCAP_SECUREDEVICE” capability to support ESS. This can be found in the Details tab of the device's properties.
</p>

<p>
	 
</p>

<p>
	You can find the new support article Microsoft published here. You can also learn much more about it in this document <a href="https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security" rel="external nofollow">here</a> on Microsoft's official website. Microsoft published this guide alongside one about going passwordless using MSA.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-protect-yourself-with-vbs-tpm-based-enhanced-sign-in-security-using-our-guide/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23545</guid><pubDate>Fri, 07 Jun 2024 04:46:28 +0000</pubDate></item><item><title>Microsoft wants you to ditch Windows 11/10 passwords with the help of MSA using this guide</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-wants-you-to-ditch-windows-1110-passwords-with-the-help-of-msa-using-this-guide-r23544/</link><description><![CDATA[<p>
	It seems Microsoft has been on a roll these last couple of days or so. The company published official guides on how to <a href="https://www.neowin.net/news/microsoft-releases-official-guides-for-windows-11-passkeys-on-how-to-save-use-manage-them/" rel="external nofollow">Save, Use and Manage</a> Windows 11 Passkeys. Following that, it has now posted a guide on how to go passwordless using the Microsoft account (MSA).
</p>

<p>
	 
</p>

<p>
	This is not the first time Microsoft has talked about passwordless sign-ins <a href="https://support.microsoft.com/en-us/account-billing/how-to-go-passwordless-with-your-microsoft-account-674ce301-3574-4387-a93d-916751764c43" rel="external nofollow">using MSA though</a>. However, this time the company has published a simple guide that is very easy to follow along for non-tech-savvy people.
</p>

<p>
	 
</p>

<p>
	In case you may not be aware, passwordless sign ins on Windows are done using Hello, which allows authentication via face recognition, fingerprint recognition, as well as PIN.
</p>

<p>
	 
</p>

<p>
	In its guide below, Microsoft has also explained the benefits of using MSA-based Windows Hello sign ups:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Once you remove the password option, all features on your device that require your Microsoft account and password, including various apps and web browsers, will seamlessly transition to using Windows Hello’s facial recognition, fingerprint identification, or PIN code.
	</p>

	<p>
		 
	</p>

	<div class="ocpAlert">
		<p>
			<strong>Note: </strong>This option is available only when you sign in with your Microsoft account.
		</p>

		<p>
			 
		</p>
	</div>

	<p>
		To go passwordless, you can use the Settings app.
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			<p>
				In the Settings app on your Windows device, select <strong> Accounts </strong> &gt; <strong> Sign-in options </strong> or use the following shortcut:
			</p>

			<p>
				 
			</p>

			<p>
				<a class="ocpExternalLink supLinkButton" href="ms-settings:signinoptions" target="_blank" rel="">Sign-in options</a>
			</p>

			<p>
				 
			</p>
		</li>
		<li>
			<p>
				Under <strong> Additional settings</strong>, turn on the option <strong> For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device</strong><br>
				<br>
				<strong>Note: </strong>in Windows 10, this option is under<strong> Require Windows Hello sign-in for Microsoft accounts</strong>.
			</p>

			<p>
				 
			</p>
		</li>
	</ul>

	<p>
		<img alt="1717715616_msa_passwordless_windows_hell" class="ipsImage" data-ratio="73.33" height="501" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/06/1717715616_msa_passwordless_windows_hello.jpg">
	</p>

	<p>
		 
	</p>

	<p>
		<strong>Sign-in experience</strong>
	</p>

	<p>
		 
	</p>

	<p>
		The next time you sign in to your device, you won't have the option to use your password. Only the Windows Hello face, fingerprint, or PIN gestures will be available.
	</p>
</blockquote>

<p>
	You can view the official support document <a href="https://support.microsoft.com/en-us/windows/go-passwordless-with-your-microsoft-account-585a71d7-2295-4878-aeac-a014984df856" rel="external nofollow">here</a> on Microsoft's website. The company has also simultaneously published a guide on how to enable Enhanced Security Sign-in that you can find here.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-wants-you-to-ditch-windows-1110-passwords-with-the-help-of-msa-using-this-guide/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23544</guid><pubDate>Fri, 07 Jun 2024 04:43:42 +0000</pubDate></item><item><title>DuckDuckGo offers &#x201C;anonymous&#x201D; access to AI chatbots through new service</title><link>https://nsaneforums.com/news/security-privacy-news/duckduckgo-offers-%E2%80%9Canonymous%E2%80%9D-access-to-ai-chatbots-through-new-service-r23533/</link><description><![CDATA[<h3>
	DDG offers LLMs from OpenAI, Anthropic, Meta, and Mistral for factually-iffy conversations.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		On Thursday, DuckDuckGo unveiled a new "<a href="https://www.spreadprivacy.com/ai-chat/" rel="external nofollow">AI Chat</a>" service that allows users to converse with four mid-range large language models (LLMs) from OpenAI, Anthropic, Meta, and Mistral in an interface similar to <a href="https://arstechnica.com/information-technology/2023/11/chatgpt-was-the-spark-that-lit-the-fire-under-generative-ai-one-year-ago-today" rel="external nofollow">ChatGPT</a> while attempting to preserve privacy and anonymity. While the AI models involved can output inaccurate information readily, the site allows users to test different mid-range LLMs without having to install anything or sign up for an account.
	</p>

	<p>
		 
	</p>

	<p>
		DuckDuckGo's AI Chat currently features access to OpenAI's <a href="https://arstechnica.com/information-technology/2023/03/chatgpt-and-whisper-apis-debut-allowing-devs-to-integrate-them-into-apps/" rel="external nofollow">GPT-3.5 Turbo</a>, Anthropic's <a href="https://arstechnica.com/information-technology/2024/03/the-ai-wars-heat-up-with-claude-3-claimed-to-have-near-human-abilities/" rel="external nofollow">Claude 3 Haiku</a>, and two open source models, Meta's <a href="https://arstechnica.com/information-technology/2024/04/meta-releases-chatgpt-like-ai-site-and-open-weights-llama-3-model/" rel="external nofollow">Llama 3</a> and Mistral's <a href="https://arstechnica.com/information-technology/2023/12/new-french-ai-model-makes-waves-by-matching-gpt-3-5-on-benchmarks/" rel="external nofollow">Mixtral 8x7B</a>. The service is currently free to use within daily limits. Users can access AI Chat through the DuckDuckGo search engine, <a href="https://duckduckgo.com/?q=DuckDuckGo&amp;ia=chat" rel="external nofollow">direct links to the site</a>, or by using "!ai" or "!chat" shortcuts in the search field. AI Chat can also be disabled in the site's settings for users with accounts.
	</p>

	<p>
		 
	</p>

	<p>
		According to DuckDuckGo, chats on the service are anonymized, with metadata and IP address removed to prevent tracing back to individuals. The company states that chats are not used for AI model training, citing its privacy policy and <a href="https://duckduckgo.com/aichat/privacy-terms?ref=spreadprivacy.com" rel="external nofollow">terms of use</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"We have agreements in place with all model providers to ensure that any saved chats are completely deleted by the providers within 30 days," says DuckDuckGo, "and that none of the chats made on our platform can be used to <a href="https://arstechnica.com/information-technology/2023/04/chatgpt-users-can-now-opt-out-of-chat-history-and-model-training/" rel="external nofollow">train or improve the models</a>."
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="gpt_swallow_Image3.jpg" class="ipsImage" data-ratio="75.10" height="363" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/06/gpt_swallow_Image3.jpg">
	</p>

	<div>
		<em>An example of DuckDuckGo AI Chat with GPT-3.5 answering a silly question in an inaccurate way.</em>
	</div>

	<div>
		<em>Benj Edwards</em>
	</div>

	<p>
		 
	</p>

	<p>
		However, the privacy experience is not bulletproof because, in the case of GPT-3.5 and Claude Haiku, DuckDuckGo is required to send a user's inputs to remote servers for processing over the Internet. Given certain inputs (i.e., "Hey, GPT, my name is Bob, and I live on Main Street, and I just murdered Bill"), a user could still potentially be identified if such an extreme need arose.
	</p>

	<p>
		 
	</p>

	<p>
		While the service appears to work well for us, there's a question about its utility. For example, while GPT-3.5 initially wowed people when it <a href="https://arstechnica.com/information-technology/2022/12/openai-invites-everyone-to-test-new-ai-powered-chatbot-with-amusing-results/" rel="external nofollow">launched with ChatGPT in 2022</a>, it also <a href="https://arstechnica.com/information-technology/2023/04/why-ai-chatbots-are-the-ultimate-bs-machines-and-how-people-hope-to-fix-them/" rel="external nofollow">confabulated</a> a lot—and it still does. GPT-4 was the first major LLM to get confabulations under control to a point where the bot became more reasonably useful for some tasks (though this itself is a controversial point), but that more capable model isn't present in DuckDuckGo's AI Chat. Also missing are similar GPT-4-level models like Claude Opus or Google's Gemini Ultra, likely because they are far more expensive to run. DuckDuckGo says it may roll out paid plans in the future, and those may include higher daily usage limits or access to "more advanced models."
	</p>

	<p>
		 
	</p>

	<p>
		It's true that the other three models generally (and subjectively) pass GPT-3.5 in capability for coding with lower hallucinations, but they can still make things up, too. With DuckDuckGo AI Chat as it stands, the company is left with a chatbot novelty with a decent interface and the promise that your conversations with it will remain private. But what use are fully private AI conversations if they are full of errors?
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="mixtral_wrong.jpg" class="ipsImage" data-ratio="75.10" height="433" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/06/mixtral_wrong.jpg">
	</p>

	<div>
		<em>Mixtral 8x7B on DuckDuckGo AI Chat when asked about the author. Everything in red boxes is sadly incorrect, but it provides an interesting fantasy scenario. It's a good example of an LLM plausibly filling gaps between concepts that are underrepresented in its training data, called confabulation. For the record, Llama 3 gives a more accurate answer.</em>
	</div>

	<div>
		<em>Benj Edwards</em>
	</div>

	<p>
		 
	</p>

	<p>
		As DuckDuckGo itself <a href="https://duckduckgo.com/aichat/privacy-terms?ref=spreadprivacy.com" rel="external nofollow">states</a> in its privacy policy, "By its very nature, AI Chat generates text with limited information. As such, Outputs that appear complete or accurate because of their detail or specificity may not be. For example, AI Chat cannot dynamically retrieve information and so Outputs may be outdated. You should not rely on any Output without verifying its contents using other sources, especially for professional advice (like medical, financial, or legal advice)."
	</p>

	<p>
		 
	</p>

	<p>
		So, have fun talking to bots, but tread carefully. They'll easily "lie" to your face because they don't understand what they are saying and are tuned to output statistically plausible information, not factual references.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/information-technology/2024/06/duckduckgo-offers-anonymous-access-to-ai-chatbots-through-new-service/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23533</guid><pubDate>Thu, 06 Jun 2024 20:13:17 +0000</pubDate></item><item><title>Proton launches Proton Pass on macOS and Linux</title><link>https://nsaneforums.com/news/security-privacy-news/proton-launches-proton-pass-on-macos-and-linux-r23532/</link><description><![CDATA[<p>
	Today, Proton announced that Proton Pass, its privacy-focused password manager, is expanding to more platforms. In addition to Windows, Android, and iOS, Proton Pass is now available on macOS and Linux, giving customers a true cross-platform experience.
</p>

<p>
	 
</p>

<p>
	Proton's native password manager app for macOS, Linux, Windows, Android, and iOS features end-to-end encryption and offline support for all your stored data. Additional capabilities include secure password sharing, <a href="https://www.neowin.net/news/the-proton-pass-password-manager-adds-pass-monitor-for-better-identity-protection/" rel="external nofollow">password monitoring</a>, hide-my-email capabilities for protection against spam and phishing, and <a href="https://www.neowin.net/news/proton-pass-gets-passkey-support-for-both-free-and-paid-users/" rel="external nofollow">the recently announced passkey support</a>.
</p>

<p>
	 
</p>

<p>
	The macOS version of the Proton Pass app also has a new Safari extension with cross-device sync support.
</p>

<p>
	 
</p>

<p>
	Proton Pass subscribers will also benefit from the Argon2 hashing algorithm, which is included in the offline mode. It protects your passwords and sensitive data from unauthorized access without an active internet connection.
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		This approach ensures the highest level of security and data integrity. Users can securely access their stored information while offline, ensuring their data is always within reach. Additionally, we guarantee that any updates are synchronized and managed with the utmost security standards once connected.
	</p>

	<p>
		 
	</p>

	<p>
		This dual-layered strategy ensures both convenience and top-notch security for our users' data. Argon2, distinguished for its defense against brute-force attacks, underscores our unwavering commitment to safeguarding user privacy with the most robust security measures available today.
	</p>
</blockquote>

<p>
	It is worth noting that TouchID for Mac and Linux authentication API support will arrive in an upcoming update in a few weeks. For now, these capabilities are not supported.
</p>

<p>
	 
</p>

<p>
	<a href="https://proton.me/pass" rel="external nofollow">Proton Pass is available for free</a> on an unlimited number of devices. You can upgrade to Proton Pass Plus to get additional features, such as hide-my-email, two-factor authentication, password monitoring, and more. For now, you can get the first year of Proton Pass Plus for $23.88 and save $10. You can learn more about Proton Pass <a href="https://proton.me/blog/proton-pass-all-devices" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/proton-launches-proton-pass-on-macos-and-linux/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">23532</guid><pubDate>Thu, 06 Jun 2024 20:10:58 +0000</pubDate></item><item><title>7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope</title><link>https://nsaneforums.com/news/security-privacy-news/7000-lockbit-decryption-keys-now-in-the-hands-of-the-fbi-offering-victims-hope-r23531/</link><description><![CDATA[<h3>
	The announcement could be good news for those whose data has been inaccessible.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		The FBI is urging victims of one of the most prolific ransomware groups to come forward after agents recovered thousands of decryption keys that may allow the recovery of data that has remained inaccessible for months or years.
	</p>

	<p>
		 
	</p>
	<p>
		The revelation, <a href="https://www.fbi.gov/news/speeches/fbi-cyber-assistant-director-bryan-vorndran-s-remarks-at-the-2024-boston-conference-on-cyber-security" rel="external nofollow">made Wednesday</a> by a top FBI official, comes three months after an international roster of law enforcement agencies <a href="https://arstechnica.com/security/2024/02/after-years-of-losing-its-finally-feds-turn-to-troll-ransomware-group/" rel="external nofollow">seized servers</a> and other infrastructure used by LockBit, a ransomware syndicate that authorities say has extorted more than $1 billion from 7,000 victims around the world. Authorities said at the time that they took control of 1,000 decryption keys, 4,000 accounts, and 34 servers and froze 200 cryptocurrency accounts associated with the operation.
	</p>

	<p>
		 
	</p>

	<p>
		At a speech before a cybersecurity conference in Boston, FBI Cyber Assistant Director Bryan Vorndran <a href="https://www.fbi.gov/news/speeches/fbi-cyber-assistant-director-bryan-vorndran-s-remarks-at-the-2024-boston-conference-on-cyber-security" rel="external nofollow">said Wednesday</a> that agents have also recovered an asset that will be of intense interest to thousands of LockBit victims—the decryption keys that could allow them to unlock data that’s been held for ransom by LockBit associates.
	</p>

	<p>
		 
	</p>

	<p>
		“Additionally, from our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” Vorndran said after noting other accomplishments resulting from the seizure. “We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov.”
	</p>

	<p>
		 
	</p>

	<p>
		The number of decryption keys now in the possession of law enforcement is significantly higher than the 1,000 keys authorities said they had obtained on the day the takedown <a href="https://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group" rel="external nofollow">was announced</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The assistant director warned that recovering decryption keys by purchasing them from the operators solves only one of two problems for victims. Like most ransomware groups, LockBit follows a double-extortion model, which demands a bounty not only for the decryption key but also the promise not to sell confidential data to third parties or publish it on the Internet. While the return of the keys may allow victims to recover their data, it does nothing to prevent LockBit from selling or disseminating the data.
	</p>

	<p>
		 
	</p>

	<p>
		“When companies are extorted and choose to pay to prevent the leak of data, you are paying to prevent the release of data right now—not in the future,” Vorndran said. “Even if you get the data back from the criminals, you should assume it may one day be released, or you may one day be extorted again for the same data.”
	</p>

	<p>
		 
	</p>

	<p>
		It stands to reason that victims who obtain one of the 7,000 keys recovered by law enforcement face the same threat that their data will be released unless they pay.
	</p>

	<p>
		 
	</p>
	<p>
		The fight against ransomware is marked with similarly limited victories, and efforts to curb LockBit’s activities are no different. Authorities arrested one LockBit associate named Mikhail Vasiliev in 2022 and secured a <a href="https://arstechnica.com/security/2024/03/member-of-lockbit-ransomware-group-sentenced-to-4-years-in-prison/" rel="external nofollow">four-year prison sentence</a> against him in March. Last month, authorities named the shadowy LockBit kingpin as 31-year-old Russian national <a href="https://arstechnica.com/security/2024/05/the-mastermind-of-the-prolific-ransomware-group-lockbit-has-finally-been-unmasked/" rel="external nofollow">Yuryevich Khoroshev</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Despite those actions and the February seizure of key LockBit infrastructure, LockBit-based malware has <a href="https://arstechnica.com/security/2024/02/ransomware-associated-with-lockbit-still-spreading-2-days-after-server-takedown/" rel="external nofollow">continued to spread</a>. Researchers have also observed <a href="https://twitter.com/threatlabz/status/1762521408205430863" rel="external nofollow">new LockBit attacks</a> and the release of <a href="https://www.virustotal.com/gui/file/8d7a7439c4317f52b5bd3bb12a54e7f445c1b015d3dd027821daffa08fd892dc" rel="external nofollow">new</a> <a href="https://www.virustotal.com/gui/file/c244ab74a7436cfcef4725474761a0996a8b3c66b8a67da675620382c2be962a/detection" rel="external nofollow">encryptors</a> by the group. Since the law enforcement operation, LockBit associates have also <a href="https://x.com/AlvieriD/status/1787457514902032571" rel="external nofollow">released</a> tranches of data stolen from victims both before and since.
	</p>

	<p>
		 
	</p>

	<p>
		The US State Department is offering $10 million for information that leads to the arrest or conviction of LockBit leaders and $5 million for affiliates of the group.
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2024/06/fbi-urges-lockbit-victims-to-step-forward-after-seizing-7000-decryption-keys/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of May): Nearly 2,400 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">23531</guid><pubDate>Thu, 06 Jun 2024 20:10:03 +0000</pubDate></item><item><title>New Gitloker attacks wipe GitHub repos in extortion scheme</title><link>https://nsaneforums.com/news/security-privacy-news/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme-r23530/</link><description><![CDATA[<p>
	Attackers are targeting GitHub repositories, wiping their contents, and asking the victims to reach out on Telegram for more information.
</p>

<p>
	 
</p>

<p>
	These attacks are part of what looks like an ongoing campaign <a href="https://x.com/1ZRR4H/status/1798412587484496068" rel="external nofollow" target="_blank">first spotted</a> on Wednesday by Germán Fernández, a security researcher at Chilean cybersecurity company CronUp.
</p>

<p>
	 
</p>

<p>
	The threat actor behind this campaign—who has the <a href="https://t.me/gitlokers" rel="external nofollow" target="_blank">Gitloker</a> handle on Telegram and is posing as a cyber incident analyst—is likely compromising targets' GitHub accounts using stolen credentials.
</p>

<p>
	 
</p>

<p>
	Subsequently, they claim to steal the victims' data, creating a backup that could help restore the deleted data. They then rename the repository and add a single README.me file, instructing the victims to reach out on Telegram.
</p>

<p>
	 
</p>

<p>
	"I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup," the ransom notes <a href="https://github.com/search?q=%22t.me%2Fgitlokers%22&amp;type=repositories" rel="external nofollow" target="_blank">read</a>.
</p>

<p>
	 
</p>

<p>
	When BleepingComputer contacted GitHub earlier today for more details regarding the Gitloker extortion campaign, a spokesperson was not immediately available for comment.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="Impacted_GitHub_repositories.png" class="ipsImage" data-ratio="56.94" height="184" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2024/Impacted_GitHub_repositories.png">
	</p>

	<div>
		<em>Dozens of GitHub repos already impacted (BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	After previous attacks against GitHub users, the company <a href="https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/preventing-unauthorized-access" rel="external nofollow" target="_blank">advised users</a> to change their passwords to secure their accounts against unauthorized access. This should protect against malicious actions such as adding new SSH keys, authorizing new apps, or modifying team members.
</p>

<p>
	 
</p>

<p>
	To prevent attackers from compromising your GitHub account and detect suspicious activity, you should also:
</p>

<p>
	 
</p>

<ul>
	<li>
		Enable two-factor authentication.
	</li>
	<li>
		Add a passkey for secure, passwordless login.
	</li>
	<li>
		Review and revoke unauthorized access to SSH keys, deploy keys, and authorized integrations.
	</li>
	<li>
		Verify all email addresses associated with your account.
	</li>
	<li>
		Review account security logs to track repository changes.
	</li>
	<li>
		Manage webhooks on your repositories.
	</li>
	<li>
		Check for and revoke any new deploy keys.
	</li>
	<li>
		Regularly review recent commits and collaborators for each repository.
	</li>
</ul>

<h2>
	Commonly targeted in data theft attacks
</h2>

<p>
	This isn't the first time GitHub accounts have been compromised to steal data from users' private repositories.
</p>

<p>
	 
</p>

<p>
	Around March 2020, hackers also compromised the account of Microsoft, the developer platform's parent company <a href="https://news.microsoft.com/announcement/microsoft-acquires-github/" rel="external nofollow" target="_blank">since June 2018</a>, stealing <a href="https://www.bleepingcomputer.com/news/security/microsofts-github-account-hacked-private-repositories-stolen/" target="_blank" rel="external nofollow">more than 500GB worth of files</a> from Redmond's private repositories.
</p>

<p>
	 
</p>

<p>
	While the stolen files contained mostly code samples, test projects, and other generic items (nothing significant for Microsoft to worry about), security experts were concerned that private API keys or passwords might have also accidentally been exposed in the breach.
</p>

<p>
	 
</p>

<p>
	A now-notorious threat actor known as ShinyHunters also confirmed the inconsequential nature of the stolen data by leaking it on a hacker forum for free after first planning to sell the stolen files to the highest bidder.
</p>

<p>
	 
</p>

<p>
	In September 2020, GitHub warned of a phishing campaign targeting users to compromise their accounts. The campaign used emails pushing fake CircleCI notifications <a href="https://www.bleepingcomputer.com/news/security/hackers-stealing-github-accounts-using-fake-circleci-notifications/" target="_blank" rel="external nofollow">to steal their GitHub credentials and two-factor authentication (2FA) codes</a> by relaying them through reverse proxies.
</p>

<p>
	 
</p>

<p>
	GitHub said that the attackers began exfiltrating data from victims' private repositories almost immediately after the compromise and, if the compromised account had organization management permissions, added new user accounts to the organization to maintain persistence.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">23530</guid><pubDate>Thu, 06 Jun 2024 20:08:44 +0000</pubDate></item><item><title>Kaspersky released a free Linux virus removal tool - but is it necessary?</title><link>https://nsaneforums.com/news/security-privacy-news/kaspersky-released-a-free-linux-virus-removal-tool-but-is-it-necessary-r23496/</link><description><![CDATA[<p>
	No operating system is 100% safe. As long as your computer is connected to a network, there is always the possibility that it can be compromised. These compromises can come by way of viruses, malware, or ransomware, each of which holds a particular danger.
</p>

<p>
	Such a possibility is why Kaspersky released its Virus Tool for Linux. According to the official announcement, the "application can scan system memory, startup objects, boot sectors, and all files in the operating system for known malware. It scans files of all formats -- including archived ones."
</p>

<p>
	 
</p>

<p>
	Antivirus solutions for the Linux operating system are not plentiful, and for good reason. I've been vocal about this topic for years, landing on the side that Linux doesn't need such solutions.
</p>

<p>
	 
</p>

<p>
	But for those migrating from Windows, antivirus tools are ingrained in the psyche, and using the OS without them may feel like a danger no one should take. On top of that, virus creators are getting more sophisticated to the point where the security of nothing (not even Linux) is certain. Although Linux itself is about as safe an operating system as you'll ever use, malicious code is finding its way into open-source projects. Should a malicious application make its way to your Linux desktop, there's no guarantee the operating system alone will be able to prevent bad things from happening.
</p>

<p>
	 
</p>

<p>
	I decided to kick the tires of Kaspersky's new tool, with the help of the EICAR malware test files to see if it could catch anything. I saved the files to my home directory and then copied the .txt version of the file to /usr/lib. I also downloaded the EICAR COM and ZIP files (saving them to the same directories).
</p>

<p>
	 
</p>

<p>
	To my surprise, the Kaspersky tool did not detect any of the EICAR files in my ~/ directory but did catch all files copied to /usr/lib. Once found, it gave me the options to Disinfect, Delete, Copy to Quarantine, or Skip. It then gave me the option to disinfect with or without a reboot.
</p>

<p>
	 
</p>

<p>
	It didn't take me long to figure out why the EICAR files in the home directory weren't found. By default, the Kaspersky tool for Linux doesn't scan users' home directories. To make that happen, you have to go to Settings and then add /home as an object.
</p>

<p>
	 
</p>

<p>
	Once I did that, the app caught the files in my home directory and gave me the same options it did when it discovered them in /usr/lib.
</p>

<p>
	 
</p>

<p>
	I'm not saying you should shrug off the idea of an antivirus solution for Linux because who knows what the future holds. But that Kaspersky has created a free tool for Linux users shouldn't be discounted.
</p>

<p>
	 
</p>

<p>
	You can download the new Kaspersky tool from the official download page. Once you've downloaded it, you'll need to give it executable permissions with the command:
</p>

<p>
	 
</p>

<p>
	chmod u+x kvrt.run
</p>

<p>
	<br />
	To run the application, you can either right-click the downloaded file and select Run As Program, or issue the command (from within the directory housing the file):
</p>

<p>
	 
</p>

<p>
	./kvrt.run
</p>

<p>
	<br />
	You'll be asked for your sudo password before the app will run.
</p>

<p>
	 
</p>

<p>
	If you're paranoid about viruses on your computer, this is certainly as good an antivirus option as you'll find for Linux. The one caveat is that the Kaspersky Antivirus for Linux doesn't work in real-time (you have to run it manually every time). Even so, it's good to know companies like Kaspersky have Linux's back.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/news/technology/kaspersky-released-a-free-linux-virus-removal-tool-but-is-it-necessary/ar-BB1nymfJ" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">23496</guid><pubDate>Wed, 05 Jun 2024 16:47:01 +0000</pubDate></item><item><title>361 million stolen accounts leaked on Telegram added to HIBP</title><link>https://nsaneforums.com/news/security-privacy-news/361-million-stolen-accounts-leaked-on-telegram-added-to-hibp-r23455/</link><description><![CDATA[<p>
	A massive trove of 361 million email addresses from credentials stolen by password-stealing malware, in credential stuffing attacks, and from data breaches was added to the Have I Been Pwned data breach notification service, allowing anyone to check if their accounts have been compromised.
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers collected these credentials from numerous Telegram cybercrime channels, where the stolen data is commonly leaked to the channel's users to build reputation and subscribers.
</p>

<p>
	 
</p>

<p>
	The stolen data is usually leaked as username and password combinations (usually stolen via credential stuffing attacks or data breaches), usernames and passwords along with a URL associated with them (stolen via password-stealing malware), and raw cookies (stolen via password-stealing malware).
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="stealer-logs-offered-for-free.jpg" class="ipsImage" data-ratio="75.10" height="446" width="720" src="https://www.bleepstatic.com/images/news/malware/i/information-stealing-malware/350-million-logs/stealer-logs-offered-for-free.jpg">
	</p>

	<div>
		<em>Stolen credentials shared for free on Telegram. Source: Troy Hunt (left) and BleepingComputer (right)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The researchers, who asked BleepingComputer to remain anonymous, shared 122 GB of credentials with Troy Hunt, the owner of Have I Been Pwned, collected from many Telegram channels.
</p>

<p>
	 
</p>

<p>
	According to Hunt, this data is massive, containing 361 million unique email addresses, with 151 million never previously seen by the data breach notification service.
</p>

<p>
	 
</p>

<p>
	"It contained 1.7k files with 2B lines and 361M unique email addresses of which 151M had never been seen in HIBP before," posted Hunt.
</p>

<p>
	 
</p>

<p>
	"Alongside those addresses were passwords and, in many cases, the website the data pertains to."
</p>

<p>
	 
</p>

<p>
	With a dataset this large, it is impossible to verify that all of the leaked credentials are legitimate.
</p>

<p>
	 
</p>

<p>
	However, Hunt said that he utilized sites' password reset forms to confirm that many leaked email addresses are correctly associated with the website listed in the stolen credentials. Hunt could not confirm the password, as that would require him to log into the account, which would be illegal.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="confirming-email.jpg" class="ipsImage" data-ratio="78.62" height="500" width="636" src="https://www.bleepstatic.com/images/news/malware/i/information-stealing-malware/350-million-logs/confirming-email.jpg">
	</p>

	<div>
		<em>Using website password recovery forms to confirm breaches. Source: Troy Hunt</em>
	</div>
</div>

<h2>
	No site unaffected
</h2>

<p>
	With a dataset this large, no site that allows logins is unaffected by these leaked credentials, including BleepingComputer.
</p>

<p>
	 
</p>

<p>
	Last week, the same researchers shared with BleepingComputer a list of credentials stolen by information-stealing malware associated with the <a href="https://www.bleepingcomputer.com/forums/" target="_blank" rel="external nofollow">BleepingComputer forums</a>.
</p>

<p>
	 
</p>

<p>
	Information-stealing malware is an infection that steals passwords, cookies, browser history, cryptocurrency wallets, and other data from an infected device.
</p>

<p>
	 
</p>

<p>
	This data is compiled into an archive called a "log" and then transmitted back to the threat actor's servers, where it is sold on cybercrime marketplaces, shared with other threat actors, or used to breach a victim's other accounts.
</p>

<p>
	 
</p>

<p>
	This type of malware is commonly distributed through social media, <a href="https://www.bleepingcomputer.com/news/security/pirated-software-is-all-fun-and-games-until-your-data-s-stolen/" target="_blank" rel="external nofollow">cracked software</a>, <a href="https://www.bleepingcomputer.com/news/security/fake-vpn-site-pushes-cryptbot-and-vidar-info-stealing-trojans/" target="_blank" rel="external nofollow">fake VPN products</a>, or simply through malicious email campaigns <a href="https://www.bleepingcomputer.com/news/security/2k-game-support-hacked-to-email-redline-info-stealing-malware/" target="_blank" rel="external nofollow">sent through hacked gaming company support sites</a>.
</p>

<p>
	 
</p>

<p>
	The data shared with BleepingComputer includes the username, password, and URL that a member used to log into our forums, which was then saved in their browser's password manager.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="stolen-bleepingcomputer-forum-credential" class="ipsImage" data-ratio="60.00" height="194" width="720" src="https://www.bleepstatic.com/images/news/malware/i/information-stealing-malware/350-million-logs/stolen-bleepingcomputer-forum-credentials.jpg">
	</p>

	<div>
		<em>Subset of BleepingComputer accounts stolen by information-stealing malware </em>
	</div>

	<div>
		<em>Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	As you can see from the URLs above, many users visited BleepingComputer because they suspected their computer was infected, which we now know was true.
</p>

<p>
	 
</p>

<p>
	BleepingComputer is currently analyzing the data and removing duplicates so we can proactively reset impacted members' passwords and warn them that they were infected at some point with information-stealing malware.
</p>

<p>
	 
</p>

<p>
	Users who are infected with information-stealing malware will now have to reset every password on every account that was saved in their browser's password manager, and any other site using the same credentials.
</p>

<p>
	 
</p>

<p>
	Unfortunately, stolen credentials are usually not shared with a timestamp to indicate when they are stolen. Therefore, impacted users must consider that all of their credentials have been compromised.
</p>

<p>
	 
</p>

<p>
	While this will be an arduous task, at least they will know why their accounts and services have exhibited strange behavior over the years.
</p>

<p>
	 
</p>

<p>
	BleepingComputer is commonly contacted by people who tell us that their accounts continuously get hacked, even when they change the password over and over. These people constantly report strange behavior on their devices or networks, but no malware infections are ever found.
</p>

<p>
	 
</p>

<p>
	These users can now gain some closure, knowing that they were not crazy, but that the malicious activity is likely attributable to their credentials previously being stolen and threat actors abusing them for their own amusement or malicious activity.
</p>

<p>
	 
</p>

<p>
	Information-stealing malware has become a scourge of cybersecurity, used by threat actors to conduct massive attacks, such as ransomware and data theft attacks.
</p>

<p>
	 
</p>

<p>
	Some well-known attacks were caused by credentials stolen by information-stealing malware, including attacks on the <a href="https://www.bleepingcomputer.com/news/security/how-conti-ransomware-hacked-and-encrypted-the-costa-rican-government/" target="_blank" rel="external nofollow">Costa Rican government</a>, <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/" target="_blank" rel="external nofollow">Microsoft</a>, <a href="https://www.bleepingcomputer.com/news/security/circlecis-hack-caused-by-malware-stealing-engineers-2fa-backed-session/" target="_blank" rel="external nofollow">CircleCi</a>, and an <a href="https://www.bleepingcomputer.com/news/security/hacker-hijacks-orange-spain-ripe-account-to-cause-bgp-havoc/" target="_blank" rel="external nofollow">account at Orange Spain RIPE</a> that led to an intentional BGP misconfiguration.
</p>

<p>
	 
</p>

<p>
	More recently, <a href="https://www.bleepingcomputer.com/news/security/snowflake-account-hacks-linked-to-santander-ticketmaster-breaches/" target="_blank" rel="external nofollow">threat actors stole data from Snowflake databases</a> using what is believed to be compromised credentials stolen using information-stealing malware.
</p>

<p>
	 
</p>

<p>
	Unfortunately, there is no easy solution to prevent information-stealing attacks, as they are low complexity, which allows them to be widely distributed through a variety of attacks.
</p>

<p>
	 
</p>

<p>
	The best defense is to practice good cybersecurity habits, including not opening attachments from untrusted sources, downloading software only from trusted sources, <a href="https://www.bleepingcomputer.com/news/microsoft/hiding-windows-file-extensions-is-a-security-risk-enable-now/" target="_blank" rel="external nofollow">enabling file extensions in Windows</a>, using antivirus software, and keeping your software updated. 
</p>

<p>
	 
</p>

<p>
	A more detailed guide related to ransomware but still applicable <a href="https://www.bleepingcomputer.com/news/microsoft/hiding-windows-file-extensions-is-a-security-risk-enable-now/" target="_blank" rel="external nofollow">can be found here</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/361-million-stolen-accounts-leaked-on-telegram-added-to-hibp/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">23455</guid><pubDate>Mon, 03 Jun 2024 20:01:18 +0000</pubDate></item><item><title>Windows 11's new AI feature makes it way too easy to steal everything you viewed or typed</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11s-new-ai-feature-makes-it-way-too-easy-to-steal-everything-you-viewed-or-typed-r23438/</link><description><![CDATA[<p>
	<img alt="1716386903_recall_ui_story.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/05/1716386903_recall_ui_story.jpg">
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/windows-11s-ai-explorer-debuts-as-recall-a-feature-that-remembers-everything-you-do/" rel="external nofollow">Microsoft unveiled "Recall"</a> at its special event on May 20. This Copilot+ PC-exclusive feature promises to bring "photographic memory" to your computer, letting you go back to any app or file you worked with. To combat privacy concerns, <a href="https://www.neowin.net/news/microsoft-shares-more-info-about-privacy-controls-in-the-new-recall-feature-in-windows-11/" rel="external nofollow">Microsoft published a page</a> with details on how Recall works. However, security researchers strongly disagree with the company's statements.
</p>

<p>
	 
</p>

<p>
	Kevin Beaumont, a cybersecurity expert, published a detailed blog post on Medium where he dug deeper into how Recall works. The verdict is a rather harsh one: stealing everything you viewed or typed on your computer is now very easy.
</p>

<p>
	 
</p>

<p>
	<img alt="1716386911_recall.jpg" class="ipsImage" data-ratio="65.83" height="450" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/05/1716386911_recall.jpg">
</p>

<p>
	 
</p>

<p>
	Beaumont claims that Recall is an interesting idea that requires "incredibly careful communication, cybersecurity, engineering, and implementation." Sadly, Recall allegedly has none of those.
</p>

<p>
	 
</p>

<p>
	Although the data processing and encryption are indeed happening on-device only, all that info is not immune to hackers and malware. The encryption will protect your data if the attacker doesn't know your username and password, but things change when hackers get a hold of your credentials using infostealers.
</p>

<p>
	 
</p>

<p>
	Recall works by taking screenshots of everything that happens on your computer every few seconds. Then, the system runs OCR (optical character recognition) on that data and puts it into a database in the user folder. Everything is stored in plain text, and there is no need for system rights to access it.
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		They have tried to do a bunch of things but none of it actually works properly in the real world due to gaps you can drive a plane through.
	</p>
</blockquote>

<p>
	Kevin Beaumont created a website that can process a Recall database and instantly search for anything inside it. However, he is holding the project back until Microsoft ships it or maybe does something to improve security. Kevin says, "the wider cyber community will have so much fun with this when generally available."
</p>

<p>
	 
</p>


<p>
	Things get worse when you realize what is stored in your Recall database:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Everything a user has ever seen, ordered by application. Every bit of text the user has seen, with some minor exceptions (e.g. Microsoft Edge InPrivate mode is excluded, but Google Chrome isn’t).
	</p>

	<p>
		 
	</p>

	<p>
		Every user interaction, e.g. minimizing a window. There is an API for user activity, and third party apps can plug in to enrich data and also view store data. It also stores all websites you visit, even if third party.
	</p>
</blockquote>

<p>
	Customers should also know that deleting emails, messages, pictures, files, or anything else on your computer will not delete them from Recall—they stay there indefinitely or until manually deleted/overwritten.
</p>

<p>
	 
</p>

<p>
	Although Microsoft Defender is pretty good at detecting infostealers and malware, "off the shelf" malware can scrape the entire database before automated detection kicks in.
</p>

<p>
	 
</p>

<p>
	Beaumont claims Microsoft "should recall Recall" and rework the feature to address all the privacy concerns, especially in light of Satya Nadella saying engineers should prioritize security over any other priority.
</p>

<p>
	 
</p>

<p>
	You can read the full story in <a href="https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e" rel="external nofollow">Kevin's Medium post</a>. If you still want to try Recall and see how it works, check out <a href="https://www.neowin.net/news/unofficial-app-lets-you-install-controversial-windows-recall-on-unsupported-intel-amd-pcs/" rel="external nofollow">this third-party app</a> that makes it possible to enable the feature on existing hardware (with caveats).
</p>

<p>
	 
</p>

<p>
	It remains to be seen how Microsoft will address these revelations. For now, Recall is technically available in the Release Preview Channel of the Windows Insider program. It is expected to arrive for the general public with the first Copilot+ PCs, such as <a href="https://www.neowin.net/news/the-new-surface-pro-with-oled-display-and-arm-processors-is-now-official/" rel="external nofollow">the new Surface Pro</a> and <a href="https://www.neowin.net/news/microsoft-announces-new-surface-laptop-with-snapdragon-processors/" rel="external nofollow">Surface Laptop</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/windows-11s-new-ai-feature-makes-it-way-too-easy-to-steal-everything-you-viewed-or-typed/" rel="external nofollow">Source</a>
</p>


<p>
	<span style="font-size:12px;"><em>Sincere thank you for your Feedback and Likes.</em></span>
</p>
]]></description><guid isPermaLink="false">23438</guid><pubDate>Sun, 02 Jun 2024 21:48:45 +0000</pubDate></item><item><title>Kaspersky releases free tool that scans Linux for known threats</title><link>https://nsaneforums.com/news/security-privacy-news/kaspersky-releases-free-tool-that-scans-linux-for-known-threats-r23437/</link><description><![CDATA[<p>
	Kaspersky has released a new virus removal tool named KVRT for the Linux platform, allowing users to scan their systems and remove malware and other known threats for free.
</p>

<p>
	 
</p>

<p>
	The security firm notes that despite the common misconception that Linux systems are intrinsically secure from threats, there has been a constant supply of "in the wild" examples that prove otherwise, most recently, the XZ Utils backdoor.
</p>

<p>
	 
</p>

<p>
	Kaspersky's new tool isn't a real-time threat protection tool but a standalone scanner that can detect malware, adware, legitimate programs abused for malicious purposes, and other known threats and offers to clean them.
</p>

<p>
	 
</p>

<p>
	Copies of malicious files that are deleted or disinfected are stored in a quarantine directory at '/var/opt/KVRT2024_Data/Quarantine' (for root users) in a non-harmful form.
</p>

<p>
	 
</p>

<p>
	The application uses a frequently updated antivirus database to scan the entire system for matches, but users need to download a new copy each time for the latest definitions.
</p>

<p>
	 
</p>

<p>
	"Our application can scan system memory, startup objects, boot sectors, and all files in the operating system for known malware. It scans files of all formats — including archived ones," says <a href="https://www.kaspersky.com/blog/kvrt-for-linux/51375/" rel="external nofollow" target="_blank">Kaspersky</a>.
</p>

<p>
	 
</p>

<p>
	One thing to note is that KVRT only supports 64-bit systems and requires an active internet connection to work.
</p>

<p>
	 
</p>

<p>
	Kaspersky has tested the tool on popular Linux distributions and confirmed it works on Red Hat Enterprise Linux, CentOS, Linux Mint, Ubuntu, SUSE, openSUSE, and Debian, <a href="https://support.kaspersky.com/help/kvrt/2024/en-us/269440.htm" rel="external nofollow" target="_blank">among others</a>.
</p>

<p>
	 
</p>

<p>
	Even if your distribution isn't on the list of supported systems, there's a good chance that KVRT will work without problems, so it wouldn't hurt to attempt to run a scan, Kaspersky says.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="main-window.png" class="ipsImage" data-ratio="95.92" height="470" width="490" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Software/08/main-window.png">
	</p>

	<div>
		<em>KVRT main window. Source: Kaspersky</em>
	</div>
</div>

<h2>
	Using KVRT
</h2>

<p>
	KVRT can be downloaded from <a href="https://www.kaspersky.com/downloads/free-virus-removal-tool" rel="external nofollow" target="_blank">here</a>, and once downloaded, the user needs to make the file executable and run it as root for maximum functionality.
</p>

<p>
	 
</p>

<p>
	KVRT can be executed either in a graphical user interface (GUI) or in the terminal as a command-line tool, so it's also usable in lower init runlevels (down to 3) where people might be stuck following a malware infection.
</p>

<p>
	 
</p>

<p>
	If regular users execute the scanner, it won't have the required permissions to scan all directories and partitions where threats could be hiding.
</p>

<p>
	 
</p>

<p>
	During initialization, the scanner unpacks some necessary files into a temporary directory at '/tmp/&lt;random_character_sequence&gt;', but those are wiped once it's closed.
</p>

<p>
	 
</p>

<p>
	Kaspersky has provided detailed instructions on how to set up the binary for execution both via the GUI and the console on <a href="https://support.kaspersky.com/help/kvrt/2024/en-us/269465.htm" rel="external nofollow" target="_blank">this webpage</a>.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has not tested the effectiveness, nor can it guarantee the safety of KVRT, so use the tool at your own risk.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/software/kaspersky-releases-free-tool-that-scans-linux-for-known-threats/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">23437</guid><pubDate>Sun, 02 Jun 2024 21:46:09 +0000</pubDate></item><item><title>Pirated Microsoft Office delivers malware cocktail on systems</title><link>https://nsaneforums.com/news/security-privacy-news/pirated-microsoft-office-delivers-malware-cocktail-on-systems-r23424/</link><description><![CDATA[<p>
	Cybercriminals are distributing a malware cocktail through cracked versions of Microsoft Office promoted on torrent sites.
</p>

<p>
	 
</p>

<p>
	The malware delivered to users includes remote access trojans (RATs), cryptocurrency miners, malware downloaders, proxy tools, and anti-AV programs.
</p>

<p>
	 
</p>

<p>
	AhnLab Security Intelligence Center <a href="https://asec.ahnlab.com/en/66017/" rel="external nofollow" target="_blank">(ASEC) has identified the ongoing campaign</a> and warns about the risks of downloading pirated software.
</p>

<p>
	 
</p>

<p>
	The Korean researchers discovered that the attackers use multiple lures, including Microsoft Office, Windows, and the Hangul Word Processor, which is popular in Korea.
</p>

<h2>
	Microsoft Office to malware
</h2>

<p>
	The cracked Microsoft Office installer features a well-crafted interface, letting users select the version they want to install, the language, and whether to use 32 or 64-bit variants.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="installer.jpg" class="ipsImage" data-ratio="70.53" height="462" width="655" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Software/08/installer.jpg">
	</p>

	<div>
		<em>The malicious installer's interface. Source: ASEC</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	However, in the background, the installer launches an obfuscated .NET malware that contacts a Telegram or Mastodon channel to receive a valid download URL from where it will fetch additional components.
</p>

<p>
	 
</p>

<p>
	The URL points to Google Drive or GitHub, both legitimate services that are unlikely to trigger AV warnings.
</p>

<p>
	 
</p>

<p>
	The base64 payloads hosted on those platforms contain PowerShell commands that introduce a range of malware strains to the system, unpacked using 7Zip.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="ps-7zip.jpg" class="ipsImage" data-ratio="19.31" height="99" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Software/08/ps-7zip.jpg">
	</p>

	<div>
		<em>Fetching and unpacking malware components. Source: ASEC</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The malware component 'Updater' registers tasks in the Windows Task Scheduler to ensure it persists between system reboots.
</p>

<p>
	 
</p>

<p>
	According to ASEC, the following types of malware are installed by the malware on the breached system:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		<strong>Orcus RAT</strong>: Enables comprehensive remote control, including keylogging, webcam access, screen capture, and system manipulation for data exfiltration.
	</li>
	<li>
		<strong>XMRig</strong>: Cryptocurrency miner that uses system resources to mine Monero. It halts mining during high resource usage, such as when the victim is gaming, to avoid detection.
	</li>
	<li>
		<strong>3Proxy</strong>: Converts infected systems into proxy servers by opening port 3306 and injecting them into legitimate processes, allowing attackers to route malicious traffic.
	</li>
	<li>
		<strong>PureCrypter</strong>: Downloads and executes additional malicious payloads from external sources, ensuring the system remains infected with the latest threats.
	</li>
	<li>
		<strong>AntiAV</strong>: Disrupts and disables security software by modifying its configuration files, preventing the software from operating correctly and leaving the system vulnerable to the operation of the other components.
	</li>
</ul>

<p>
	 
</p>

<p>
	Even if the user discovers and removes any of the above malware, the 'Updater' module, which executes upon system launch, will re-introduce it.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="chain.jpg" class="ipsImage" data-ratio="67.64" height="398" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Software/08/chain.jpg">
	</p>

	<div>
		<em>The attack chain. Source: ASEC</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Users should be cautious when installing files downloaded from dubious sources and generally avoid pirated/cracked software.
</p>

<p>
	 
</p>

<p>
	Similar campaigns have been used to push <a href="https://www.bleepingcomputer.com/news/security/meet-stop-ransomware-the-most-active-ransomware-nobody-talks-about/" target="_blank" rel="external nofollow">STOP ransomware</a>, which is the most active ransomware operation targeting consumers.
</p>

<p>
	 
</p>

<p>
	As these files are not digitally signed and users are prepared to ignore antivirus warnings when running them, they are often used to infect systems with malware, in this case, an entire set.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/pirated-microsoft-office-delivers-malware-cocktail-on-systems/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23424</guid><pubDate>Sat, 01 Jun 2024 16:34:39 +0000</pubDate></item><item><title>Google to begin phasing out Manifest V2 extensions in Chrome on June 3</title><link>https://nsaneforums.com/news/security-privacy-news/google-to-begin-phasing-out-manifest-v2-extensions-in-chrome-on-june-3-r23417/</link><description><![CDATA[<p>
	Google is finally ready to begin phasing out Manifest V2 extensions in Chrome and its Web Store. The process will follow the timeline that was first announced <a href="https://developer.chrome.com/blog/resuming-the-transition-to-mv3" rel="external nofollow">in November 2023</a>, with the first signs of Manifest V2 removal starting to appear in preview versions of Chrome as soon as June 3.
</p>

<p>
	 
</p>

<p>
	In the official Chromium Blog, Google reminded users that despite popular belief, the idea behind Manifest V3 was not to <a href="https://www.neowin.net/news/the-eff-will-fight-google-chrome-manifest-v3-which-kills-extensions-that-reliably-block-ads/" rel="external nofollow">kill content blockers</a> but to improve security, privacy, and performance in the extension ecosystem.
</p>

<p>
	 
</p>

<p>
	The road to Manifest V3 was a bumpy one, and after significant user and developer backlash, Google was forced to implement some important changes and even <a href="https://www.neowin.net/news/google-gives-adblockers-in-chrome-another-year-as-it-postpones-manifest-v3/" rel="external nofollow">postpone the enforcement</a> of Manifest V3. Community feedback resulted in Google implementing support for user scripts, increasing the number of rule sets, allowing DOM (Document Object Model) APIs, and more. As a result, a lot of popular extensions, namely ad blockers, are already on Manifest V3.
</p>

<p>
	 
</p>

<p>
	The process of phasing out Manifest V2 extensions will kick off on June 3, 2024, with Google Chrome showing a warning banner for customers running Beta, Dev, and Canary builds with Manifest V2 extensions. The message will notify users that some of those extensions will soon be out of support. Also, outdated Manifest V2 extensions will lose their badges in the Chrome Web Store.
</p>

<p>
	 
</p>

<p>
	Killing Manifest V2 is a long and slow process that won't happen overnight. Chrome will direct customers to the store and recommend Manifest V3 alternatives for extensions that no longer work. Also, there will be a grace period during which the browser will allow disabled extensions to be turned back on. However, Google will eventually remove this option.
</p>

<p>
	 
</p>

<p>
	Users in Chrome Stable will get all those changes over the next few months. Google plans to finish the process by early 2025. Enterprise customers will have the option to avoid Manifest V2 changes with a special policy until June 2025.
</p>

<p>
	 
</p>

<p>
	You can learn more about the end of the road for Manifest V2 extensions in Google Chrome on the <a href="https://blog.chromium.org/2024/05/manifest-v2-phase-out-begins.html?m=1" rel="external nofollow">official Chromium Blog</a>. Microsoft Edge, which is also powered by Chromium, has <a href="https://learn.microsoft.com/en-us/microsoft-edge/extensions-chromium/developer-guide/manifest-v3" rel="external nofollow">its own timeline</a> for Manifest V2 extensions, but most of it is still TBD. Firefox also <a href="https://blog.mozilla.org/addons/2022/05/18/manifest-v3-in-firefox-recap-next-steps" rel="external nofollow">has a similar one</a>.
</p>

<p>
	 
</p>


<p>
	<a href="https://www.neowin.net/news/google-to-begin-phasing-out-manifest-v2-extensions-in-chrome-on-june-3/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">23417</guid><pubDate>Fri, 31 May 2024 19:43:30 +0000</pubDate></item><item><title>Internet Archive is continuing to face DDoS attacks after several days</title><link>https://nsaneforums.com/news/security-privacy-news/internet-archive-is-continuing-to-face-ddos-attacks-after-several-days-r23386/</link><description><![CDATA[<p>
	Internet Archive, the San Francisco-based non-profit known for its digital archive Wayback Machine, has been facing DDoS (Distributed Denial-of-Service) attacks for the last few days. The non-profit announced that one or more unknown attackers have been launching tens of thousands of fake information requests per second since the attacks began on Sunday.
</p>

<p>
	 
</p>

<p>
	Internet Archive explained in a <a href="https://blog.archive.org/2024/05/28/internet-archive-and-the-wayback-machine-under-ddos-cyber-attack/" rel="external nofollow">blog post</a>:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The Internet Archive, the nonprofit research library that’s home to millions of historical documents, preserved websites, and media content, is currently in its third day of warding off an intermittent DDoS (distributed denial-of-service) cyber-attack.
	</p>

	<p>
		 
	</p>

	<p>
		According to library staff, the collections are safe, though service remains inconsistent. Access to the Internet Archive Wayback Machine – which preserves the history of more than 866 billion web pages – has also been impacted.
	</p>
</blockquote>

<p>
	This came after the Internet Archive shared a series of updates about the DDoS attacks on the social media platform X (formerly Twitter). It notes that cyberattacks against libraries and other knowledge institutions have become more frequent, with the British Library, Berlin Natural History Museum, and Ontario’s London Public Library among the recent victims.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="61a550be1e7349ba76a882177c5c198b" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/internetarchive/status/1794793738482659453?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1794793738482659453%257Ctwgr%255Efccb81733a8f88e52a31b22d66c8f1e2aa673207%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/internet-archive-is-continuing-to-face-ddos-attacks-after-several-days/"></iframe>
</div>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="34f46ed897ab06aacb08430f163c166d" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/internetarchive/status/1795117949499445554?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1795117949499445554%257Ctwgr%255Efccb81733a8f88e52a31b22d66c8f1e2aa673207%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/internet-archive-is-continuing-to-face-ddos-attacks-after-several-days/"></iframe>
</div>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="91c7b6fab1e77f52299c1768ebcde405" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/internetarchive/status/1795451463465845141?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1795451463465845141%257Ctwgr%255Efccb81733a8f88e52a31b22d66c8f1e2aa673207%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/internet-archive-is-continuing-to-face-ddos-attacks-after-several-days/"></iframe>
</div>

<p>
	Internet Archive's founder Brewster Kahle assured the collections are safe and said the organization is hardening its defenses to offer more reliable access to the library. “What is new is this attack has been sustained, impactful, targeted, adaptive, and importantly, mean,” he added.
</p>

<p>
	 
</p>

<p>
	The cyberattacks share the timeline with the legal battle Internet Archive is facing from US book publishers, claiming copyright infringement and seeking combined damages of hundreds of millions of dollars from all libraries. Last year, the non-profit <a href="https://www.neowin.net/news/court-rules-against-internet-archive-in-favour-of-book-publishers-on-digital-lending/" rel="external nofollow">lost a lower court ruling</a> against the book publishers in a case about its Controlled Digital Lending program.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/internet-archive-is-continuing-to-face-ddos-attacks-after-several-days/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23386</guid><pubDate>Wed, 29 May 2024 08:22:38 +0000</pubDate></item><item><title>Google won&#x2019;t comment on a potentially massive leak of its search algorithm documentation</title><link>https://nsaneforums.com/news/security-privacy-news/google-won%E2%80%99t-comment-on-a-potentially-massive-leak-of-its-search-algorithm-documentation-r23381/</link><description><![CDATA[<h3>
	A purported leak of 2,500 pages of internal documentation from Google sheds light on how Search, the most powerful arbiter of the internet, operates.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			Google’s search algorithm is perhaps the most consequential system on the internet, dictating <a href="https://www.theverge.com/2024/5/2/24147152/google-search-seo-publishing-housefresh-product-reviews" rel="external nofollow">what sites live and die</a> and <a href="https://www.theverge.com/c/23998379/google-search-seo-algorithm-webpage-optimization" rel="external nofollow">what content on the web looks like</a>. But how exactly Google ranks websites has long been a mystery, pieced together by journalists, researchers, and people working in search engine optimization.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Now, an explosive leak that purports to show <a href="https://sparktoro.com/blog/an-anonymous-source-shared-thousands-of-leaked-google-search-api-documents-with-me-everyone-in-seo-should-see-them/" rel="external nofollow">thousands of pages of internal documents</a> appears to offer an unprecedented look under the hood of how Search works — and suggests that Google hasn’t been entirely truthful about it for years. So far, Google hasn’t responded to multiple requests for comment on the legitimacy of the documents.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Rand Fishkin, who worked in SEO for more than a decade, says a source shared 2,500 pages of documents with him with the hopes that reporting on the leak would counter the “lies” that Google employees had shared about how the search algorithm works. The documents outline Google’s search API and break down what information is available to employees, according to Fishkin.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			The details shared by Fishkin are dense and technical, likely more legible to developers and SEO experts than the layperson. The contents of the leak are also not necessarily proof that Google uses the specific data and signals it mentions for search rankings. Rather, the leak outlines what data Google collects from webpages, sites, and searchers and offers indirect hints to SEO experts about what Google seems to care about, as SEO expert Mike King <a href="https://ipullrank.com/google-algo-leak" rel="external nofollow">wrote</a> in his overview of the documents.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			The leaked documents touch on topics like what kind of data Google collects and uses, which sites Google elevates for sensitive topics like elections, how Google handles small websites, and more. Some information in the documents appears to be in conflict with public statements by Google representatives, according to Fishkin and King.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			“‘Lied’ is harsh, but it’s the only accurate word to use here,” King writes. “While I don’t necessarily fault Google’s public representatives for protecting their proprietary information, I do take issue with their efforts to actively discredit people in the marketing, tech, and journalism worlds who have presented reproducible discoveries.”
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Google has not responded to <em>The Verge</em>’s requests for comment regarding the documents, including a direct request to refute their legitimacy. Fishkin told <em>The Verge</em> in an email that the company has not disputed the veracity of the leak, but that an employee asked him to change some language in the post regarding how an event was characterized.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Google’s secretive search algorithm has <a href="https://www.theverge.com/features/23931789/seo-search-engine-optimization-experts-google-results" rel="external nofollow">birthed an entire industry</a> of marketers who closely follow Google’s public guidance and execute it for millions of companies around the world. The pervasive, often annoying tactics have led to a general narrative that Google Search results are getting worse, crowded with junk that website operators <a href="https://www.theverge.com/23753963/google-seo-shopify-small-business-ai" rel="external nofollow">feel required to produce</a> to have their sites seen. In response to <em>The Verge</em>’s past reporting on the SEO-driven tactics, Google representatives often fall back to a familiar defense: that’s not what the <a href="https://developers.google.com/search/docs/fundamentals/seo-starter-guide" rel="external nofollow">Google guidelines</a> say.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			But some details in the leaked documents call into question the accuracy of Google’s public statements regarding how Search works.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			One example cited by Fishkin and King is whether Google Chrome data is used in ranking at all. Google representatives have <a href="https://www.seroundtable.com/google-chrome-search-usage-15618.html" rel="external nofollow">repeatedly</a> <a href="https://iloveseo.com/seo/google-does-not-use-anything-from-google-chrome-for-ranking/" rel="external nofollow">indicated</a> that it doesn’t use Chrome data to rank pages, but Chrome is <a href="https://hexdocs.pm/google_api_content_warehouse/0.4.0/GoogleApi.ContentWarehouse.V1.Model.QualitySitemapTargetGroup.html#module-attributes" rel="external nofollow">specifically mentioned in sections</a> about how websites appear in Search. In the screenshot below, which I captured as an example, the links appearing below the main vogue.com URL may be created in part using Chrome data, according to the documents.
		</p>
	</div>

	<div class="duet--article--article-body-component clear-both block">
		<div class="my-9">
			<div class="duet--media--caption pt-6 font-polysans-mono text-12 font-light leading-130 tracking-1">
				<p>
					 
				</p>

				<p>
					<img alt="Screenshot_2024_05_28_at_9.33.43_AM.png" class="ipsImage" data-ratio="75.10" height="540" width="660" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:1284x1052/750x614/filters:focal(642x526:643x527):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/25467524/Screenshot_2024_05_28_at_9.33.43_AM.png">
				</p>

				<p>
					<em>Chrome is mentioned in a section about how additional links are created.</em>
				</p>
				<cite class="duet--article--dangerously-set-cms-markup inline not-italic text-gray-63 dark:text-gray-bd [&amp;&gt;a:hover]:text-gray-63 [&amp;&gt;a:hover]:shadow-underline-black dark:[&amp;&gt;a:hover]:text-gray-bd dark:[&amp;&gt;a:hover]:shadow-underline-gray [&amp;&gt;a]:shadow-underline-gray-63 dark:[&amp;&gt;a]:text-gray-bd dark:[&amp;&gt;a]:shadow-underline-gray">Image: Google</cite>
			</div>
		</div>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			 
		</p>

		<p>
			Another question raised is what role, if any, E-E-A-T plays in ranking. E-E-A-T stands for experience, expertise, authoritativeness, and trustworthiness, <a href="https://developers.google.com/search/blog/2022/12/google-raters-guidelines-e-e-a-t" rel="external nofollow">a Google metric used to evaluate the quality of results</a>. Google representatives have <a href="https://x.com/searchliaison/status/1755283334631231514" rel="external nofollow">previously said E-E-A-T isn’t a ranking factor</a>. Fishkin notes that he hasn’t found much in the documents mentioning E-E-A-T by name.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			King, however, detailed how Google appears to collect author data from a page and has a field for whether an entity on the page is the author. A portion of the documents shared by King reads that the field was “mainly developed and tuned for news articles... but is also populated for other content (e.g., scientific articles).” Though this doesn’t confirm that bylines are an explicit ranking metric, it does show that Google is at least keeping track of this attribute. Google representatives have <a href="https://x.com/searchliaison/status/1744379351297081637" rel="external nofollow">previously insisted</a> that author bylines are something website owners should do for readers, not Google, because it doesn’t impact rankings.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Though the documents aren’t exactly a smoking gun, they provide a deep, unfiltered look at a tightly guarded black box system. The <a href="https://www.theverge.com/23869483/us-v-google-search-antitrust-case-updates" rel="external nofollow">US government’s antitrust case against Google</a> — which revolves around Search — has also led to internal documentation becoming public, offering further insights into how the company’s main product works.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Google’s general caginess on how Search works has led to <a href="https://www.theverge.com/c/23998379/google-search-seo-algorithm-webpage-optimization" rel="external nofollow">websites looking the same</a> as SEO marketers try to outsmart Google based on hints the company offers. Fishkin also calls out the publications credulously propping up Google’s public claims as truth without much further analysis.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			“Historically, some of the search industry’s loudest voices and most prolific publishers have been happy to uncritically repeat Google’s public statements. They write headlines like ‘Google says XYZ is true,’ rather than ‘Google Claims XYZ; Evidence Suggests Otherwise,’” Fishkin writes. “Please, do better. If this leak and the DOJ trial can create just one change, I hope this is it.”
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/5/28/24166177/google-search-ranking-algorithm-leak-documents-link-seo" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23381</guid><pubDate>Wed, 29 May 2024 02:07:37 +0000</pubDate></item><item><title>How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet</title><link>https://nsaneforums.com/news/security-privacy-news/how-researchers-cracked-an-11-year-old-password-to-a-3-million-crypto-wallet-r23375/</link><description><![CDATA[<h3>
	Thanks to a flaw in a decade-old version of the RoboForm password manager and a bit of luck, researchers were able to unearth the password to a crypto wallet containing a fortune.
</h3>

<p>
	<span class="lead-in-text-callout">Two years ago</span> when “Michael,” an owner of <a href="https://www.wired.com/tag/cryptocurrency/" rel="external nofollow">cryptocurrency</a>, contacted Joe Grand to help recover access to about $2 million worth of <a href="https://www.wired.com/tag/bitcoin/" rel="external nofollow">bitcoin</a> he stored in encrypted format on his computer, Grand turned him down.
</p>

<p>
	 
</p>

<p>
	Michael, who is based in Europe and asked to remain anonymous, stored the cryptocurrency in a password-protected digital wallet. He generated a password using the RoboForm password manager and stored that password in a file encrypted with a tool called TrueCrypt. At some point, that file got corrupted and Michael lost access to the 20-character password he had generated to secure his 43.6 BTC (worth a total of about €4,000, or $5,300, in 2013). Michael used the RoboForm password manager to generate the password but did not store it in his manager. He worried that someone would hack his computer and obtain the password.
</p>

<p>
	 
</p>

<p>
	“At [that] time, I was really paranoid with my security,” he laughs.
</p>

<p>
	 
</p>


<p>
	Grand is a famed hardware hacker who in 2022 helped another crypto wallet owner <a href="https://www.theverge.com/2022/1/24/22898712/crypto-hardware-wallet-hacking-lost-bitcoin-ethereum-nft" rel="external nofollow">recover access to $2 million in cryptocurrency</a> he thought he’d lost forever after forgetting the PIN to his Trezor wallet. Since then, dozens of people have contacted Grand to help them recover their treasure. But Grand, known by the hacker handle “Kingpin,” turns down most of them, for various reasons.
</p>

<p>
	 
</p>

<p>
	Grand is an <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"http://www.grandideastudio.com/"}' data-offer-url="http://www.grandideastudio.com/" href="http://www.grandideastudio.com/" rel="external nofollow" target="_blank">electrical engineer</a> who began hacking computing hardware at age 10 and in 2008 cohosted the Discovery Channel’s <em>Prototype This</em> show. He now consults with companies that build complex digital systems to help them understand how hardware hackers like him might subvert their systems. He cracked the Trezor wallet in 2022 using complex hardware techniques that forced the USB-style wallet to reveal its password.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/o5IySpAkThg?feature=oembed" title="I hacked time to recover $3 million from a Bitcoin software wallet" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	But Michael stored his cryptocurrency in a software-based wallet, which meant none of Grand’s hardware skills were relevant this time. He considered brute-forcing Michael’s password—writing a script to automatically guess millions of possible passwords to find the correct one—but determined this wasn’t feasible. He briefly considered that the RoboForm password manager Michael used to generate his password might have a flaw in the way it generated passwords, which would allow him to guess the password more easily. Grand, however, doubted such a flaw existed.
</p>

<p>
	 
</p>

<p>
	Michael contacted multiple people who specialize in cracking cryptography; they all told him “there’s no chance” of retrieving his money. But last June he approached Grand again, hoping to convince him to help, and this time Grand agreed to give it a try, working with a friend named Bruno in Germany who also hacks digital wallets.
</p>

<p>
	 
</p>


<p>
	Grand and Bruno spent months reverse engineering the version of the RoboForm program that they thought Michael had used in 2013 and found that the pseudo-random number generator used to generate passwords in that version—and subsequent versions until 2015—did indeed have a significant flaw that made the random number generator not so random. The RoboForm program unwisely tied the random passwords it generated to the date and time on the user’s computer—it determined the computer’s date and time, and then generated passwords that were predictable. If you knew the date and time and other parameters, you could compute any password that would have been generated on a certain date and time in the past.
</p>

<p>
	 
</p>

<p>
	If Michael knew the day or general time frame in 2013 when he generated it, as well as the parameters he used to generate the password (for example, the number of characters in the password, including lower- and upper-case letters, figures, and special characters), this would narrow the possible password guesses to a manageable number. Then they could hijack the RoboForm function responsible for checking the date and time on a computer and get it to travel back in time, believing the current date was a day in the 2013 time frame when Michael generated his password. RoboForm would then spit out the same passwords it generated on the days in 2013.
</p>

<p>
	 
</p>

<p>
	There was one problem: Michael couldn’t remember when he created the password.
</p>

<p>
	 
</p>

<p>
	According to the log on his software wallet, Michael moved bitcoin into his wallet for the first time on April 14, 2013. But he couldn’t remember if he generated the password the same day or some time before or after this. So, looking at the parameters of other passwords he generated using RoboForm, Grand and Bruno configured RoboForm to generate 20-character passwords with upper- and lower-case letters, numbers, and eight special characters from March 1 to April 20, 2013.
</p>

<p>
	 
</p>

<p>
	It failed to generate the right password. So Grand and Bruno lengthened the time frame from April 20 to June 1, 2013, using the same parameters. Still no luck.
</p>

<p>
	 
</p>

<p>
	Michael says they kept coming back to him, asking if he was sure about the parameters he’d used. He stuck to his first answer.
</p>

<p>
	 
</p>

<p>
	“They really annoyed me, because who knows what I did 10 years ago,” he recalls. He found other passwords he generated with RoboForm in 2013, and two of them did not use special characters, so Grand and Bruno adjusted. Last November, they reached out to Michael to set up a meeting in person. “I thought, ‘Oh my God, they will ask me again for the settings.’”
</p>

<p>
	 
</p>

<p>
	Instead, they revealed that they had finally found the correct password—no special characters. It was generated on May 15, 2013, at 4:10:40 pm GMT.
</p>

<p>
	 
</p>

<p>
	“We ultimately got lucky that our parameters and time range was right. If either of those were wrong, we would have … continued to take guesses/shots in the dark,” Grand says in an email to WIRED. “It would have taken significantly longer to precompute all the possible passwords.”
</p>

<p>
	 
</p>

<p>
	Grand and Bruno <a href="https://www.youtube.com/watch?v=o5IySpAkThg" rel="external nofollow">created a video</a> to explain the technical details more thoroughly.
</p>

<p>
	 
</p>

<p>
	RoboForm, made by US-based Siber Systems, was one of the first password managers on the market, and <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://earthweb.com/roboform-users/"}' data-offer-url="https://earthweb.com/roboform-users/" href="https://earthweb.com/roboform-users/" rel="external nofollow" target="_blank">currently has more than 6 million users</a> worldwide, according to a company report. In 2015, Siber seemed to fix the RoboForm password manager. In a cursory glance, Grand and Bruno couldn’t find any sign that the pseudo-random number generator in the 2015 version used the computer’s time, which makes them think they removed it to fix the flaw, though Grand says they would need to examine it more thoroughly to be certain.
</p>

<p>
	 
</p>

<p>
	Siber Systems confirmed to WIRED that it did fix the issue with version 7.9.14 of RoboForm, released June 10, 2015, but a spokesperson wouldn’t answer questions about how it did so. In a <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.roboform.com/news-windows"}' data-offer-url="https://www.roboform.com/news-windows" href="https://www.roboform.com/news-windows" rel="external nofollow" target="_blank">changelog</a> on the company’s website, it mentions only that Siber programmers made changes to “increase randomness of generated passwords,” but it doesn’t say how they did this. Siber spokesman Simon Davis says that “RoboForm 7 was discontinued in 2017.”
</p>

<p>
	 
</p>

<p>
	Grand says that, without knowing how Siber fixed the issue, attackers may still be able to regenerate passwords generated by versions of RoboForm released before the fix in 2015. He’s also not sure if current versions contain the problem.
</p>

<p>
	 
</p>

<p>
	“I'm still not sure I would trust it without knowing how they actually improved the password generation in more recent versions,” he says. “I'm not sure if RoboForm knew how bad this particular weakness was.”
</p>

<p>
	 
</p>

<p>
	Customers may also still be using passwords that were generated with the early versions of the program before the fix. It doesn’t appear that Siber ever notified customers when it released the fixed version 7.9.14 in 2015 that they should generate new passwords for critical accounts or data. The company didn’t respond to a question about this.
</p>

<p>
	 
</p>

<p>
	If Siber didn’t inform customers, this would mean that anyone like Michael who used RoboForm to generate passwords prior to 2015—and are still using those passwords—may have vulnerable passwords that hackers can regenerate.
</p>

<p>
	 
</p>

<p>
	“We know that most people don't change passwords unless they're prompted to do so,” Grand says. “Out of 935 passwords in my password manager (not RoboForm), 220 of them are from 2015 and earlier, and most of them are [for] sites I still use.”
</p>

<p>
	 
</p>

<p>
	Depending on what the company did to fix the issue in 2015, newer passwords may also be vulnerable.
</p>

<p>
	 
</p>

<p>
	Last November, Grand and Bruno deducted a percentage of bitcoins from Michael’s account for the work they did, then gave him the password to access the rest. The bitcoin was worth $38,000 per coin at the time. Michael waited until it rose to $62,000 per coin and sold some of it. He now has 30 BTC, now worth $3 million, and is waiting for the value to rise to $100,000 per coin.
</p>

<p>
	 
</p>

<p>
	Michael says he was lucky that he lost the password years ago because, otherwise, he would have sold off the bitcoin when it was worth $40,000 a coin and missed out on a greater fortune.
</p>

<p>
	 
</p>

<p>
	“That I lost the password was financially a good thing.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/roboform-password-3-million-dollar-crypto-wallet/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23375</guid><pubDate>Tue, 28 May 2024 18:13:36 +0000</pubDate></item><item><title>Newly discovered ransomware uses BitLocker to encrypt victim data</title><link>https://nsaneforums.com/news/security-privacy-news/newly-discovered-ransomware-uses-bitlocker-to-encrypt-victim-data-r23339/</link><description><![CDATA[<h3>
	ShrinkLocker is the latest ransomware to use Windows' full-disk encryption.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		A previously unknown piece of ransomware, dubbed ShrinkLocker, encrypts victim data using the BitLocker feature built into the Windows operating system.
	</p>

	<p>
		 
	</p>

	<p>
		BitLocker is a <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde" rel="external nofollow">full-volume encryptor</a> that debuted in 2007 with the release of Windows Vista. Users employ it to encrypt entire hard drives to prevent people from reading or modifying data in the event they get physical access to the disk. Starting with the <a href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1507-and-1511" rel="external nofollow">rollout of Windows 10</a>, BitLocker by default has used the 128-bit and 256-bit XTS-AES encryption algorithm, giving the feature extra protection from attacks that rely on manipulating cipher text to cause predictable changes in plain text.
	</p>

	<p>
		 
	</p>

	<p>
		Recently, researchers from security firm Kaspersky found a threat actor using BitLocker to encrypt data on systems located in Mexico, Indonesia, and Jordan. The researchers named the new ransomware ShrinkLocker, both for its use of BitLocker and because it shrinks the size of each non-boot partition by 100 MB and splits the newly unallocated space into new primary partitions of the same size.
	</p>

	<p>
		 
	</p>

	<p>
		“Our incident response and malware analysis are evidence that attackers are constantly refining their tactics to evade detection,” the researchers <a href="https://securelist.com/ransomware-abuses-bitlocker/112643/" rel="external nofollow">wrote Friday</a>. “In this incident, we observed the abuse of the native BitLocker feature for unauthorized data encryption.”
	</p>

	<p>
		 
	</p>

	<p>
		ShrinkLocker isn’t the first malware to leverage BitLocker. In 2022, Microsoft <a href="https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/" rel="external nofollow">reported</a> that ransomware attackers with a nexus to Iran also used the tool to encrypt files. That same year, the Russian agricultural business Miratorg was <a href="https://web.archive.org/web/20220322133723/https://fsvps.gov.ru/fsvps/news/47945.html" rel="external nofollow">attacked</a> by ransomware that used BitLocker to encrypt files residing in the system storage of infected devices.
	</p>

	<p>
		 
	</p>

	<p>
		Once installed on a device, ShrinkLocker runs a VisualBasic script that first invokes the Windows Management Instrumentation and Win32_OperatingSystem class to obtain information about the operating system.
	</p>

	<p>
		 
	</p>

	<p>
		“For each object within the query results, the script checks if the current domain is different from the target,” the Kaspersky researchers wrote. “If it is, the script finishes automatically. After that, it checks if the name of the operating system contains 'xp,' '2000,' '2003,' or 'vista,' and if the Windows version matches any one of these, the script finishes automatically and deletes itself.”
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="shrinklocker-01.png" class="ipsImage" data-ratio="55.83" height="195" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/05/shrinklocker-01.png">
	</p>

	<div>
		<em>A screenshot showing initial conditions for execution.</em>
	</div>

	<div>
		<em>Kaspersky</em>
	</div>

	<p>
		 
	</p>

	<p>
		The script then continues to use the WMI for querying information about the OS. It goes on to perform the disk resizing operations, which can vary depending on the OS version detected. The ransomware performs these operations only on local, fixed drives. The decision to leave network drives alone is likely motivated by the desire not to trigger network detection protections.
	</p>

	<p>
		 
	</p>

	<p>
		Eventually, ShrinkLocker disables protections designed to secure the BitLocker encryption key and goes on to delete them. It then enables the use of a numerical password, both as a protector against anyone else taking back control of BitLocker and as an encryptor for system data. The reason for deleting the default protectors is to disable key recovery features by the device owner. ShrinkLocker then goes on to generate a 64-character encryption key using random multiplication and replacement of:
	</p>

	<p>
		 
	</p>

	<ul>
		<li aria-level="1">
			A variable with the numbers 0–9;
		</li>
		<li aria-level="1">
			The famous pangram, “The quick brown fox jumps over the lazy dog,” in lowercase and uppercase, which contains every letter of the English alphabet;
		</li>
		<li aria-level="1">
			Special characters.
		</li>
	</ul>

	<p>
		After several additional steps, data is encrypted. The next time the device reboots, the display looks like this:
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="shrinklocker-02.png" class="ipsImage" data-ratio="75.10" height="525" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/05/shrinklocker-02.png">
	</p>

	<div>
		<em>Screenshot showing the BitLocker recovery screen.</em>
	</div>

	<div>
		<em>Kaspersky</em>
	</div>

	<p>
		 
	</p>

	<p>
		Decrypting drives without the attacker-supplied key is difficult and likely impossible in many cases. While it is possible to recover some of the passphrases and fixed values used to generate the keys, the script uses variable values that are different on each infected device. These variable values aren’t easy to recover.
	</p>

	<p>
		 
	</p>

	<p>
		There are no protections specific to ShrinkLocker for preventing successful attacks. Kaspersky advises the following:
	</p>

	<p>
		 
	</p>

	<ul>
		<li aria-level="1">
			Use robust, properly configured endpoint protection to detect threats that try to abuse BitLocker;
		</li>
		<li aria-level="1">
			Implement <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response" rel="external nofollow">Managed Detection and Response (MDR)</a> to proactively scan for threats;
		</li>
		<li aria-level="1">
			If BitLocker is enabled, make sure it uses a strong password and that the recovery keys are stored in a secure location;
		</li>
		<li aria-level="1">
			Ensure that users have only minimal privileges. This prevents them from enabling encryption features or changing registry keys on their own;
		</li>
		<li aria-level="1">
			Enable network traffic logging and monitoring. Configure the logging of both GET and POST requests. In case of infection, the requests made to the attacker’s domain may contain passwords or keys;
		</li>
		<li aria-level="1">
			Monitor for events associated with VBS execution and PowerShell, then save the logged scripts and commands to an external repository storing activity that may be deleted locally;
		</li>
		<li aria-level="1">
			Make backups frequently, store them offline, and test them.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		Friday’s report also includes indicators that organizations can use to determine if they have been targeted by ShrinkLocker.
	</p>

	<p>
		 
	</p>

	<p>
		<em>Listing image by <a href="https://www.gettyimages.com/" rel="external nofollow">Getty Images</a></em>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2024/05/newly-discovered-ransomware-uses-bitlocker-to-encrypt-victim-data/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23339</guid><pubDate>Sat, 25 May 2024 08:09:03 +0000</pubDate></item><item><title>Elon Musk calls Microsoft's controversial AI Recall a "Black Mirror episode" but NPUs will protect your privacy on Copilot+ PCs</title><link>https://nsaneforums.com/news/security-privacy-news/elon-musk-calls-microsofts-controversial-ai-recall-a-black-mirror-episode-but-npus-will-protect-your-privacy-on-copilot-pcs-r23311/</link><description><![CDATA[<h3>
	Windows 11's new Recall feature allows apps to "travel back in time," and Microsoft says your privacy is safe with an NPU.
</h3>

<p>
	Having covered multiple Microsoft events in the past, this week's <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/news/live/microsoft-event-2024-windows-ai-surface-live-blog" href="https://www.windowscentral.com/news/live/microsoft-event-2024-windows-ai-surface-live-blog" rel="external nofollow">special press event</a> where the company unveiled its new lineup of Surface hardware powered by <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/laptops/what-is-snapdragon-x-elite" href="https://www.windowscentral.com/hardware/laptops/what-is-snapdragon-x-elite" rel="external nofollow">Qualcomm's cutting-edge Snapdragon X Series SoCs</a> (what our Editor-in-chief refers to as <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/microsoft/arm64-and-ai-and-the-great-reset-in-pcs" href="https://www.windowscentral.com/microsoft/arm64-and-ai-and-the-great-reset-in-pcs" rel="external nofollow">"The Great PC Reset"</a>) was by far the best I've seen yet. 
</p>

<p>
	 
</p>

<p>
	And while we didn't get <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/phones/windows-phone" href="https://www.windowscentral.com/phones/windows-phone" rel="external nofollow">the beloved Windows Phone</a> back or a <em>Surface-themed variant</em>, I'm stoked to see Microsoft go all in on <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/windows-on-arm" href="https://www.windowscentral.com/windows-on-arm" rel="external nofollow">Windows on Arm</a>. We won't have to wait for long to lay hands on these shiny products, either. Microsoft promises that they will be available as early as next month.
</p>

<p>
	 
</p>

<p>
	On the Windows side of things, Microsoft is <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/microsoft-is-bringing-a-wave-of-crazy-next-gen-ai-features-to-windows-11-next-month-heres-who-gets-them" href="https://www.windowscentral.com/software-apps/windows-11/microsoft-is-bringing-a-wave-of-crazy-next-gen-ai-features-to-windows-11-next-month-heres-who-gets-them" rel="external nofollow">bringing a plethora of next-gen AI features to Windows 11 in June</a>, including Recall, Live Captions, Windows Studio effects, and more. However, not everyone will have access to these sophisticated features. This is because they'll require a device with a <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/what-is-npu-vs-gpu" href="https://www.windowscentral.com/hardware/what-is-npu-vs-gpu" rel="external nofollow">neural processing unit (NPU)</a> that can output up to <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/laptops/what-is-tops" href="https://www.windowscentral.com/hardware/laptops/what-is-tops" rel="external nofollow">40 TOPS</a> of power. Essentially, you'll need a <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/microsoft-ushers-in-new-era-of-windows-with-copilot-pcs-the-true-next-gen-ai-laptops-are-here" href="https://www.windowscentral.com/software-apps/windows-11/microsoft-ushers-in-new-era-of-windows-with-copilot-pcs-the-true-next-gen-ai-laptops-are-here" rel="external nofollow">Copilot+ PC</a> to access them.
</p>

<h2 id="is-windows-11-apos-s-recall-feature-diabolical-3">
	Is Windows 11's Recall feature diabolical?
</h2>

<div data-nosnippet="">
	<div>
		<div class="ipsEmbeddedVideo" contenteditable="false">
			<div>
				<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/iRwBcKMRRaY?feature=oembed" title="Hands-on with Windows 11's new AI Recall, Cocreator, and Studio Effects for Copilot+ PCs!" width="200"></iframe>
			</div>
		</div>

		<p>
			 
		</p>

		<p>
			There's no ETA on when Microsoft plans to ship these new features to 'traditional' Windows PCs in the wake of a new era of Windows PCs supercharged with AI. The Recall feature in particular caught my eye and is perhaps the most interesting feature shipping to Windows 11 next month. Simply put by our Senior Editor Zac Bowden:
		</p>

		<p>
			 
		</p>

		<p>
			<em>"It's a tool that runs in the background and can capture snapshots of everything you see and do on your computer, enabling the ability to search for anything you've ever done on your PC with natural language."</em>
		</p>

		<p>
			 
		</p>

		<p>
			Bowden's report also details that Recall will include a timeline placed at the top of your screen that lets you scroll back based on your search input. The feature can achieve this because it has access to your screen, which spans apps, webpages, pictures, and more. Think of it like <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/microsoft-updates-windows-11s-photos-app-with-new-slideshow-options-brings-back-spot-fixing-tool" href="https://www.windowscentral.com/software-apps/windows-11/microsoft-updates-windows-11s-photos-app-with-new-slideshow-options-brings-back-spot-fixing-tool" rel="external nofollow">Microsoft Photos' scrollbar feature</a> that lets you skim through photos taken years ago in seconds, but the only difference here is that Recall has higher clearance to more than just photos.
		</p>

		<p>
			 
		</p>

		<p>
			I know, what does this mean for your privacy and security? Microsoft categorically stated that the feature is <em>100% privacy-focused</em>. Simply put, the company won't use any of the data accessed by Recall to train its models. 
		</p>

		<p>
			 
		</p>

		<div id="slice-container-newsletterForm-articleInbodyContent-5C9Qc5qd63VbTUtyyCYNFW">
			<div data-hydrate="true">
				<p>
					This is because Recall runs on the on-device NPU, which essentially places you in the driver's seat with <em>absolute control</em> over how your data is handled. You can also restrict the feature from grabbing screenshots (which are stored locally on your PC) from specific apps or websites. Users can also choose how long they'd like to have the screenshots stored and how much space is dedicated to this function. Lastly, you can <em>turn off the feature</em> if you don't find it useful.
				</p>

				<h2 id="100-privacy-focused-but-concern-continues-to-riddle-users-3">
					100% privacy-focused, but concern continues to riddle users
				</h2>

				<p>
					<img alt="pvLKeTndhtZqPypR6H42Sf-970-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/pvLKeTndhtZqPypR6H42Sf-970-80.jpg.webp">
				</p>

				<p>
					<em><span itemprop="copyrightHolder">(Image credit: Future)</span></em>
				</p>

				<p>
					 
				</p>

				<p>
					Microsoft's just-announced Recall is a neat and handy feature that could potentially revolutionize how we interact with Windows PCs forever, saving time and resources while simultaneously promoting efficiency and effectiveness. That's one of the benefits of having access to AI anyway. 
				</p>

				<p>
					 
				</p>

				<p>
					However, I've been silently keeping tabs on users' responses and reactions to the new feature. Right now, everything is sort of in the middle ground. No one is playing it too safe or throwing caution to the wind and exploring the wild side of things where an AI-powered feature spies on everything you're doing on your PC. 
				</p>

				<p>
					 
				</p>

				<p>
					Users' privacy and security concerns are warranted if the past has taught us anything.
				</p>

				<div>
					<div>
						<p>
							 
						</p>

						<div class="ipsEmbeddedOther" contenteditable="false">
							<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="4f71805ec294e02e6dc5f18aa4814b95" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/elonmusk/status/1792690964672450971?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1792690964672450971%257Ctwgr%255E317156201ba27480d0c0b416b14538e9f643f38a%257Ctwcon%255Es1_%26ref_url=https://www.windowscentral.com/software-apps/windows-11/elon-musk-calls-microsofts-controversial-ai-recall-a-black-mirror-episode-but-npus-will-protect-your-privacy-on-copilot-pcs"></iframe>
						</div>

						<p>
							In an interview with <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.wsj.com/tech/personal-tech/microsoft-ceo-satya-nadella-interview-ai-laptops-76eef1e1" href="https://www.wsj.com/tech/personal-tech/microsoft-ceo-satya-nadella-interview-ai-laptops-76eef1e1" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">The Wall Street Journal's Joanna Stern</a>, Microsoft CEO Satya Nadella indicated: 
						</p>

						<p>
							 
						</p>

						<p>
							<em>"One of the dreams we've always had is how do we introduce memory. Right? Photographic memory into what you do on your PC? And now we have it. So it's called Recall. It's not a keyword search, right, it's a semantic search over all your history. And it is not just about any document. It can recreate moments from the past essentially."</em>
						</p>

						<p>
							 
						</p>

						<p>
							Microsoft's 100% privacy-focused promise for its Recall feature is seemingly being taken with a pinch of salt. Billionaire Elon Musk has blatantly expressed his reservations about the feature, while comparing it to a Black Mirror episode. He outrightly indicated that he'll be turning off the enabled-by-default feature once it ships.
						</p>

						<p>
							 
						</p>

						<p>
							Musk's sentiments are echoed loudly across social media platforms, with a user in Reddit's r/Windows 11 subreddit indicating that <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.reddit.com/r/Windows11/comments/1cxwqu8/i_think_im_done_after_20_years_of_using_windows/?share_id=GJgq12GDsqB0UM8hN8k44&amp;utm_content=1&amp;utm_medium=ios_app&amp;utm_name=ioscss&amp;utm_source=share&amp;utm_term=1" href="https://www.reddit.com/r/Windows11/comments/1cxwqu8/i_think_im_done_after_20_years_of_using_windows/?share_id=GJgq12GDsqB0UM8hN8k44&amp;utm_content=1&amp;utm_medium=ios_app&amp;utm_name=ioscss&amp;utm_source=share&amp;utm_term=1" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">it might be time to transition to Linux from Windows after 20 years</a> of being an avid Windows user. 
						</p>

						<p>
							 
						</p>

						<blockquote class="QuoteNewsStyle">
							<a data-hl-processed="none" data-url="https://www.reddit.com/r/Windows11/comments/1cxwqu8/i_think_im_done_after_20_years_of_using_windows" href="https://www.reddit.com/r/Windows11/comments/1cxwqu8/i_think_im_done_after_20_years_of_using_windows" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">I think I'm done. After 20 years of using Windows</a> from <a data-hl-processed="none" data-url="https://www.reddit.com/r/Windows11" href="https://www.reddit.com/r/Windows11" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">r/Windows11</a>
						</blockquote>

						<p>
							<em>"This is ridiculous. What in the world are Microsoft executives thinking with this extreme spyware?</em>
						</p>

						<p>
							 
						</p>

						<p>
							<em>Just imagine: By 2025, the only PC people will be able to buy is this Copilot+ nonsense. Most people won't know about it or change their settings. And the security risk and attack surface of this thing is INSANE. And it won't censor sensitive information? This is a hacker's, law enforcement's, oppressive government's wet dream.</em>
						</p>

						<p>
							 
						</p>

						<p>
							<em>This is f**king outrageous.</em>
						</p>

						<p>
							 
						</p>

						<p>
							<em>I've been thinking about switching to Linux, but now I want to switch as soon as possible."</em>
						</p>

						<p>
							 
						</p>

						<p>
							Microsoft's Recall feature is quite impressive, and I can't wait to try it out. It'll improve and enhance how I interact with my PC — a straightforward way to 'recall' where I saw <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/microsoft-is-finally-getting-its-windows-ui-platform-act-together-with-winui-3-and-wpf" href="https://www.windowscentral.com/software-apps/windows-11/microsoft-is-finally-getting-its-windows-ui-platform-act-together-with-winui-3-and-wpf" rel="external nofollow">Microsoft announcing WinUI 3 joining WPF as the recommended native UI platform for Windows</a> in my broad list of <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/tag/microsoft-build-2024" href="https://www.windowscentral.com/tag/microsoft-build-2024" rel="external nofollow">Microsoft Build 2024</a> embargo documents. But the privacy and security concerns are valid; hopefully, the on-device NPU will provide a definite answer.
						</p>

						<p>
							 
						</p>

						<p>
							<a href="https://www.windowscentral.com/software-apps/windows-11/elon-musk-calls-microsofts-controversial-ai-recall-a-black-mirror-episode-but-npus-will-protect-your-privacy-on-copilot-pcs" rel="external nofollow">Source</a>
						</p>
					</div>
				</div>
			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">23311</guid><pubDate>Thu, 23 May 2024 19:23:35 +0000</pubDate></item><item><title>Lawyers say OpenAI could be in real trouble with Scarlett Johansson</title><link>https://nsaneforums.com/news/security-privacy-news/lawyers-say-openai-could-be-in-real-trouble-with-scarlett-johansson-r23305/</link><description><![CDATA[<h3>
	Scarlett Johansson could invoke right to publicity laws in California to protect her against further use of ChatGPT’s Sky voice.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			OpenAI could face legal consequences for making a ChatGPT voice that sounds a lot like Scarlett Johansson — whether the company did so intentionally or not. And the fact that OpenAI’s CEO referenced those similarities? That only makes matters worse, intellectual property lawyers tell <em>The Verge</em>.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			“There are a few courses of actions she can take, but case law supports her position,” says Purvi Patel Albers, partner at the law firm Haynes Boone with a focus on trademarks and copyright.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			After demoing updates to ChatGPT last week, OpenAI spurred commentary and headlines noting that the voice of its AI assistant — named Sky — sounded a lot like Johansson, especially her performance as an AI assistant in the movie <em>Her</em>.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100">
		<div class="duet--article--article-pullquote mb-20">
			<p>
				Past celebrity likeness lawsuits “have clear implications for AI voice clones”
			</p>

			<p>
				 
			</p>
		</div>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Albers says that Johansson and other celebrities can invoke right to publicity laws, which protect identifying features of a person from being used without their permission. “If you misappropriate someone’s name, likeness, or voice, you could be violating their right to publicity,” Albers says.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Celebrities have previously won cases over similar-sounding voices in commercials. In 1988, <a href="https://law.justia.com/cases/federal/appellate-courts/F2/849/460/37485/" rel="external nofollow">Bette Midler sued Ford</a> for hiring one of her backup singers for an ad and instructing the singer to “sound as much as possible like the Bette Midler record.” Midler had refused to be in the commercial. That same year, <a href="http://law2.umkc.edu/faculty/projects/ftrials/communications/waits.html" rel="external nofollow">Tom Waits sued Frito-Lay</a> for voice misappropriation after the company’s ad agency got someone to imitate Waits for a parody of his song in a Doritos commercial. Both cases, filed in California courts, were decided in the celebrities’ favor. The wins by Midler and Waits “have clear implications for AI voice clones,” says Christian Mammen, a partner at Womble Bond Dickinson who specializes in intellectual property law.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			To win in these cases, celebrities generally have to prove that their voice or other identifying features are unregistered trademarks and that, by imitating them, consumers could connect them to the product being sold, even if they’re not involved. That means identifying what is “distinctive” about her voice — something that may be easier for a celebrity who played an AI assistant in an Oscar-winning movie.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			What makes things difficult is <a href="https://www.theverge.com/2023/9/21/23836337/music-generative-ai-voice-likeness-regulation" rel="external nofollow">the lack of federal right to publicity laws</a> — instead, the laws are state by state, and not all states have one on the books. Each state also designs its likeness laws differently; for example, <a href="https://www.nysenate.gov/legislation/bills/2019/S5959" rel="external nofollow">New York recognizes every individual</a> has the right to control the commercial use of personal characteristics like their name, picture, voice, and even their signature. This right extends to a deceased person, whose estate must give prior consent for the use of a computer-generated replica. California, where OpenAI is headquartered, does not mention using digital replicas like AI-generated voices in its law. But <a href="https://www.dmlp.org/legal-guide/california-right-publicity-law#:~:text=Generally%20speaking%2C%20the%20Right%20of,and%20a%20common%20law%20right." rel="external nofollow">California protects a living person’s voice</a> from being used in commercial activities without consent. It states that using a person’s “identity,” whether a voice, face, or name, could violate these protections.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100">
		<div class="duet--article--article-pullquote mb-20">
			<p>
				Even though OpenAI didn’t mention Johansson, consumers pointed out the similarities
			</p>

			<p>
				 
			</p>
		</div>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			“The Ninth Circuit held that a celebrity with a distinctive voice could recover against someone who used a voice impersonator to create the impression that the celebrity had endorsed the product or was speaking in the advertisement,” Mammen says.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Johansson has not sued OpenAI, but she has lawyered up. On Monday, Johansson said that she had <a href="https://www.theverge.com/2024/5/20/24161253/scarlett-johansson-openai-altman-legal-action" rel="external nofollow">hired legal counsel</a> to draft letters to OpenAI asking for an explanation about how the voice of Sky was created. Johansson said OpenAI had previously reached out to her about voicing the assistant and that she had refused the company’s request. 
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			OpenAI says it <a href="https://www.theverge.com/2024/5/13/24155652/chatgpt-voice-mode-gpt4o-upgrades" rel="external nofollow">did not intend for the Sky</a> voice to sound like Johansson, but that doesn’t necessarily protect the company. Albers says that even though OpenAI did not explicitly mention Johansson, consumers were already pointing out the similarities. The commentary began while OpenAI’s demo of ChatGPT-4o was ongoing, and <em>Saturday Night Live</em> even joked about it. 
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Sam Altman, OpenAI’s CEO, may have complicated matters further. Altman posted the word “her” on X as the company’s event was happening last week, seemingly referencing the demo’s similarity to what was portrayed in the film. Albers says that could fuel the public’s opinion that the voice is meant to imitate Johansson.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			OpenAI has pulled the voice of Sky for the time being, which could quell Johansson’s concerns. But Albers says OpenAI could further Johansson’s ire if they put the Sky voice back and it still sounds like the actor.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			“The question we need to ask is why on Earth did OpenAI do this?” Albers says. “[Johansson] is a known <a href="https://www.theverge.com/2021/7/29/22600396/scarlett-johansson-suing-disney-black-widow-release" rel="external nofollow">advocate for protecting her rights</a>, so she’s not going to shy away from going against them.”
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/5/22/24162429/scarlett-johansson-openai-legal-right-to-publicity-likeness-midler-lawyers" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23305</guid><pubDate>Thu, 23 May 2024 07:52:36 +0000</pubDate></item><item><title>Microsoft's new Windows 11 Recall is a privacy nightmare</title><link>https://nsaneforums.com/news/security-privacy-news/microsofts-new-windows-11-recall-is-a-privacy-nightmare-r23299/</link><description><![CDATA[<p>
	Microsoft's announcement of the new AI-powered Windows 11 Recall feature has sparked a lot of concern, with many thinking that it has created massive privacy risks and a new attack vector that threat actors can exploit to steal data.
</p>

<p>
	 
</p>

<p>
	Revealed during a Monday AI event, the feature is designed to help "recall" information you have looked at in the past, making it easily accessible via a simple search.
</p>

<p>
	 
</p>

<p>
	While it's currently only available on Copilot+ PCs running Snapdragon X ARM processors, Microsoft says they are working with Intel and AMD to create compatible CPUs.
</p>

<p>
	 
</p>

<p>
	Recall works by taking a screenshot of your active window every few seconds, recording everything you do in Windows for up to three months by default.
</p>

<p>
	 
</p>

<p>
	These snapshots will be analyzed by the on-device Neural Processing Unit (NPU) and an AI model to extract data from the screenshot. The data will be saved in a semantic index, allowing Windows users to browse through the snapshot history or search using human language queries.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="windows-11-recal.jpg" class="ipsImage" data-ratio="75.10" height="450" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/windows-11/r/recall/windows-11-recal.jpg">
	</p>

	<div>
		<em>Windows 11 Recall</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Microsoft says that all of this data is encrypted using BitLocker tied to the user's Windows account and is not shared with other users on the same device.
</p>

<p>
	 
</p>

<p>
	While this sounds fun and interesting, it immediately raised concerns about obvious privacy risks and whether Microsoft plans on gobbling up all of this data.
</p>

<p>
	 
</p>

<p>
	However, Microsoft says Recall has been designed so that all of the data is saved directly on the user's device in an encrypted format, providing users with complete control over the feature, including if it's enabled and what apps it can take screenshots of.
</p>

<p>
	 
</p>

<div class="fan_quote">
	<p>
		"Recall is a key part of what makes Copilot+ PCs special, and Microsoft built privacy into Recall's design from the ground up. On Copilot+ PCs powered by a Snapdragon® X Series processor, you will see the Recall taskbar icon after you first activate your device. You can use that icon to open Recall's settings and make choices about what snapshots Recall collects and stores on your device. You can limit which snapshots Recall collects; for example, you can select specific apps or websites visited in a supported browser to filter out of your snapshots. In addition, you can pause snapshots on demand from the Recall icon in the system tray, clear some or all snapshots that have been stored, or delete all the snapshots from your device."
	</p>

	<p>
		 
	</p>
	❖ Microsoft
</div>

<p>
	Microsoft also says it will not create screenshots of Microsoft Edge's InPrivate windows (and other Chromium-based browsers) or content protected by DRM. However, they have not confirmed whether other browsers' private modes, like Firefox's, will be supported.
</p>

<p>
	 
</p>

<p>
	In a Monday press event, Yusuf Mehdi, Corporate Vice President &amp; Consumer Chief Marketing Officer, assured journalists that Microsoft is taking a very conservative approach with Recall.
</p>

<p>
	 
</p>

<p>
	"We're going to keep your Recall index private and local and secure on just the device," said Mehdi.
</p>

<p>
	 
</p>

<p>
	"We won't use any of that information to train any AI model, and we put you completely in control with the ability to edit and delete anything that is captured."
</p>

<p>
	 
</p>

<p>
	Furthermore, Microsoft also reiterated to BleepingComputer that data for Recall will only be available locally and not be stored in the cloud, with the company once again restating that "data is not accessed by Microsoft."
</p>

<p>
	 
</p>

<p>
	Microsoft has also started to share more technical details, such as <a href="https://learn.microsoft.com/en-us/windows/client-management/manage-recall#configure-policies-for-recall" rel="external nofollow" target="_blank">group policies</a> that can be used to disable Recall company-wide and how end users can <a href="https://support.microsoft.com/en-us/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15" rel="external nofollow" target="_blank">disable the feature</a>.
</p>

<h2>
	Cybersecurity experts and regular users still concerned
</h2>

<p>
	Microsoft's promises have not done much to reassure the cybersecurity community or its customers, with <a data-sk="tooltip_parent" data-stringify-link="https://x.com/BleepinComputer/status/1792631130983706926" delay="150" href="https://x.com/BleepinComputer/status/1792631130983706926" rel="external nofollow" target="_blank">our tweet</a> regarding this new feature receiving over 90 comments, all negative.
</p>

<p>
	 
</p>


<p>
	So, why are most cybersecurity experts, researchers, and analysts so worried about this feature?
</p>

<p>
	 
</p>

<p>
	First and foremost, large companies have a history of exploiting users' data for their own profit, making it <a data-sk="tooltip_parent" data-stringify-link="https://x.com/MegaMarian12350/status/1792642295814082659" delay="150" href="https://x.com/MegaMarian12350/status/1792642295814082659" rel="external nofollow" target="_blank">hard for users to trust Microsoft</a> when they say they won't access the Recall data.
</p>

<p>
	 
</p>

<p>
	Users are not alone, as the United Kingdom's data protection agency, the Information Commissioner's Office (ICO), is also contacting Microsoft to ensure that users' data will be properly safeguarded and not used by the company.
</p>

<p>
	 
</p>

<p>
	"We expect organisations to be transparent with users about how their data is being used and only process personal data to the extent that it is necessary to achieve a specific purpose. Industry must consider data protection from the outset and rigorously assess and mitigate risks to peoples' rights and freedoms before bringing products to market," reads a <a href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/05/statement-in-response-to-microsoft-recall-feature/" rel="external nofollow" target="_blank">press statement</a> from the ICO.
</p>

<p>
	 
</p>

<p>
	"We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy."
</p>

<p>
	 
</p>

<p>
	Even if we accept that Microsoft will not access Recall data, there are still massive security and privacy implications with this product.
</p>

<p>
	 
</p>

<p>
	Microsoft admits that the feature performs no content moderation, meaning it will gobble up anything it sees, including passwords in a password manager or your account numbers on your banking website.
</p>

<p>
	 
</p>

<p>
	Or if you are in Word, writing a confidential agreement, a screenshot of that content will be created, too. If you have a single PC and share it with others, then you may want to be careful about what pictures or videos you look at, as, guess what, those will be recorded as well.
</p>

<p>
	 
</p>

<p>
	Yes, you can block apps from being screenshotted by this feature, but most people will just let it run without mucking around with the feature's settings.
</p>

<p>
	 
</p>

<p>
	All of this information is now stored in Windows 11's semantic index and easily searchable by anyone with access to your PC, whether authorized or not.
</p>

<p>
	 
</p>

<p>
	That's just the tip of the iceberg, though.
</p>

<p>
	 
</p>

<p>
	If a threat actor or malware compromises your device, all of this data will already be decrypted by BitLocker, making it accessible to the hacker.
</p>

<p>
	 
</p>

<p>
	For example, a threat actor or malware could simply steal a Recall database and upload it to their own servers for analysis. This information could then be used to extort users or potentially breach users' accounts if credentials were exposed.
</p>

<p>
	 
</p>

<p>
	Cybersecurity expert Kevin Beaumont, known to be an outspoken critic of Microsoft at times, also expressed concern about how this feature creates a massive attack surface, likening it to a keylogger "baked into Windows."
</p>

<p>
	 
</p>

<p>
	"If you look at what has happened historically with infostealer malware — malicious software snuck onto PCs — it has pivoted to automatically steal browser passwords stored locally," Beaumont explained in a <a href="https://doublepulsar.com/how-the-new-microsoft-recall-feature-fundamentally-undermines-windows-security-aa072829f218" rel="external nofollow" target="_blank">new blog post</a>.
</p>

<p>
	 
</p>

<p>
	"In other words, if a malicious threat actor gains access to a system, they already steal important databases stored locally. They can just extend this to steal information recorded by Copilot's Recall feature."
</p>

<p>
	 
</p>

<p>
	And it's not only information-stealing malware, as enterprise-targeting malware like TrickBot had previously included modules that would <a href="https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/" target="_blank" rel="external nofollow">steal a domain's Active Directory database</a> for offline cracking of credentials. There is nothing to stop malware from taking a similar approach and stealing the Recall databases as well.
</p>

<p>
	 
</p>

<p>
	Microsoft has always taken the stance with vulnerabilities and attacks that once a device is compromised, all bets are off, and security boundaries are thrown out the window.
</p>

<p>
	 
</p>

<p>
	Basically, you got infected or fell for a social engineering attack, so it's your fault all these bad things will happen to you.
</p>

<p>
	 
</p>

<p>
	However, as Microsoft is one of, if not <strong>the</strong>, largest caretakers of consumer data and computing security, it seems irresponsible to introduce additional risk into an already risky environment.
</p>

<p>
	 
</p>

<p>
	While we can go on and on expressing how this feature is a massive privacy risk, I will instead leave you with this quote from <a href="https://blogs.microsoft.com/blog/2024/05/03/prioritizing-security-above-all-else/" rel="external nofollow" target="_blank">Microsoft's recent pledge</a> to prioritize security above all else.
</p>

<p>
	 
</p>

<p>
	"If you're faced with the tradeoff between security and another priority, your answer is clear: <strong>Do security</strong>. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems," Microsoft's CEO Satya Nadella said in an email to Microsoft employees.
</p>

<p>
	 
</p>

<p>
	"This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all."
</p>

<p>
	 
</p>

<p>
	<em>Update 5/22/24: This article previously said Microsoft is working with Intel and AMD to make all Windows 11 devices compatible, when they are instead working with them to make compatible CPUs.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsofts-new-windows-11-recall-is-a-privacy-nightmare/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23299</guid><pubDate>Thu, 23 May 2024 07:44:08 +0000</pubDate></item><item><title>Microsoft shares more info about privacy controls in the new 'Recall' feature in Windows 11</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-shares-more-info-about-privacy-controls-in-the-new-recall-feature-in-windows-11-r23294/</link><description><![CDATA[<p>
	Microsoft <a href="https://www.neowin.net/news/windows-11s-ai-explorer-debuts-as-recall-a-feature-that-remembers-everything-you-do/" rel="external nofollow">officially unveiled</a> the "Recall" feature at its special event on May 20, 2024. The company pitched it as a new experience with "photographic" memory, capable of remembering literally everything you do on your computer so that you can go back to any app or file whenever you like it. Naturally, that sounds very fishy to some users, so Microsoft published a new support page with a detailed explanation of available privacy controls.
</p>

<p>
	 
</p>

<p>
	<img alt="1716386911_recall.jpg" class="ipsImage" data-ratio="65.83" height="450" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/05/1716386911_recall.jpg">
</p>

<p>
	 
</p>

<p>
	Microsoft says right off the bat that all the processing and snapshot storing happens on-device only. Windows 11 should not send any of that data to Microsoft or third parties. That also means you can use Recall without an internet connection. In addition, Windows 11 encrypts snapshots so that nobody can access your activities. Finally, users can pause or turn off the experience, filter apps, and delete taken snapshots at any time.
</p>

<p>
	 
</p>

<p>
	Windows 11 will notify you about Recall during the initial setup experience and offer you the option to customize some of its parts. Once turned on, Recall will place an icon in the tray area to notify you that the operating system is taking snapshots of what is going on. Clicking the icon will let you pause snapshots, open Recall, or go to Settings.
</p>

<p>
	 
</p>

<p>
	<img alt="1716386903_recall_ui.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/05/1716386903_recall_ui.jpg">
</p>

<p>
	 
</p>

<p>
	Speaking of settings, Recall options will sit under Privacy &amp; Security &gt; Recall &amp; Snapshots. Available customization includes the ability to tweak how much space Windows reserves for snapshots, filtered apps, filtered websites, and more. Note, however, that website filters will only work in Microsoft Edge and other Chromium-based browsers.
</p>

<p>
	 
</p>

<p>
	You can learn more about privacy measures Microsoft uses in the new Recall experience in <a href="https://support.microsoft.com/en-us/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15" rel="external nofollow">a document</a> on the official support page. The first Copilot+ PCs with Recall and other AI-based experiences will start shipping in June 2024 (some features will arrive later).
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-shares-more-info-about-privacy-controls-in-the-new-recall-feature-in-windows-11/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	You're welcome.
</p>
]]></description><guid isPermaLink="false">23294</guid><pubDate>Wed, 22 May 2024 16:00:02 +0000</pubDate></item><item><title>Two students find security bug that could let millions do laundry for free</title><link>https://nsaneforums.com/news/security-privacy-news/two-students-find-security-bug-that-could-let-millions-do-laundry-for-free-r23255/</link><description><![CDATA[<h3>
	Who could have seen a free laundry exploit for internet-connected laundry machines coming?
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			A security lapse could let millions of college students do free laundry, thanks to one company. That’s because of a vulnerability that two University of California, Santa Cruz students found in internet-connected washing machines in commercial use in several countries, <a href="https://techcrunch.com/2024/05/17/csc-serviceworks-free-laundry-million-machines/" rel="external nofollow">according to <em>TechCrunch</em></a>.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			The two students, Alexander Sherbrooke and Iakov Taranenko, apparently exploited an API for the machines’ app to do things like remotely command them to work without payment and update a laundry account to show it had millions of dollars in it. The company that owns the machines, CSC ServiceWorks, claims to have <a href="https://www.cscsw.com/about-us/" rel="external nofollow">more than a million laundry and vending machines</a> in service at colleges, multi-housing communities, laundromats, and more in the US, Canada, and Europe.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			CSC never responded when Sherbrooke and Taranenko reported the vulnerability via emails and a phone call in January, <em>TechCrunch</em> writes. Despite that, the students told the outlet that the company “quietly wiped out” their false millions after they contacted it.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			The lack of response led them to tell others about their findings. That includes the fact that the company has a <a href="https://web.archive.org/web/20240120071238/https://mycscgo.com/api/v1/docs/static/index.html" rel="external nofollow">published list of commands</a>, which the two told <em>TechCrunch</em> enables connecting to all of CSC’s network-connected laundry machines. CSC ServiceWorks didn’t immediately respond to <em>The Verge</em>’s request for comment.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			CSC’s vulnerability is a good reminder that the security situation with the internet of things still isn’t sorted out. For the exploit the students found, maybe CSC shoulders the risk, but in other cases, lax cybersecurity practices have made it possible for hackers or company contractors to view <a href="https://www.theverge.com/23573362/anker-eufy-security-camera-answers-encryption" rel="external nofollow">strangers’ security</a> <a href="https://www.theverge.com/2023/5/31/23744369/amazon-ring-doorbell-ftc-privacy-spying-settlement" rel="external nofollow">camera footage</a> or <a href="https://www.theverge.com/2023/5/16/23725290/wemo-smart-plug-v2-smart-home-security-vulnerability" rel="external nofollow">gain access to smart plugs</a>.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Often, security researchers find these security holes and report them before they can be exploited in the wild. But that’s not helpful if the company responsible for them doesn’t respond.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		 
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/5/19/24160383/students-security-bug-laundry-machines-csc-serviceworks" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23255</guid><pubDate>Mon, 20 May 2024 07:16:03 +0000</pubDate></item><item><title>Slack users horrified to discover messages used for AI training</title><link>https://nsaneforums.com/news/security-privacy-news/slack-users-horrified-to-discover-messages-used-for-ai-training-r23228/</link><description><![CDATA[<h3>
	Slack says policy changes are imminent amid backlash.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		After <a href="https://slack.com/blog/news/slack-ai-has-arrived" rel="external nofollow">launching</a> Slack AI in February, Slack appears to be digging its heels in, defending its vague <a href="https://slack.com/intl/en-gb/trust/data-management/privacy-principles" rel="external nofollow">policy</a> that by default sucks up customers' data—including messages, content, and files—to train Slack's global AI models.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://www.threads.net/@aaronjmaurer/post/C7C2-NPuL61" rel="external nofollow">According to Slack engineer Aaron Maurer</a>, Slack has explained in a <a href="https://slack.engineering/how-we-built-slack-ai-to-be-secure-and-private/" rel="external nofollow">blog</a> that the Salesforce-owned chat service does not train its large language models (LLMs) on customer data. But Slack's policy may need updating "to explain more carefully how these privacy principles play with Slack AI," Maurer wrote on Threads, partly because the policy "was originally written about the search/recommendation work we've been doing for years prior to Slack AI."
	</p>

	<p>
		 
	</p>

	<p>
		Maurer was responding to a Threads <a href="https://www.threads.net/@gergelyorosz_/post/C7CtYPOIkPA" rel="external nofollow">post</a> from engineer and writer Gergely Orosz, who called for companies to opt out of data sharing until the policy is clarified, not by a blog, but in the actual policy language.
	</p>

	<p>
		 
	</p>

	<p>
		"An ML engineer at Slack says they don’t use messages to train LLM models," Orosz wrote. "My response is that the current terms allow them to do so. I’ll believe this is the policy when it’s in the policy. A blog post is not the privacy policy: every serious company knows this."
	</p>

	<p>
		 
	</p>

	<p>
		The tension for users becomes clearer if you compare Slack's privacy principles with how the company touts Slack AI.
	</p>

	<p>
		 
	</p>

	<p>
		Slack's privacy principles specifically say that "Machine Learning (ML) and Artificial Intelligence (AI) are useful tools that we use in limited ways to enhance our product mission. To develop AI/ML models, our systems analyze Customer Data (e.g. messages, content, and files) submitted to Slack as well as other information (including usage information) as defined in our privacy policy and in your customer agreement."
	</p>

	<p>
		 
	</p>

	<p>
		Meanwhile, <a href="https://slack.com/features/ai" rel="external nofollow">Slack AI's page</a> says, "Work without worry. Your data is your data. We don't use it to train Slack AI."
	</p>

	<p>
		 
	</p>

	<p>
		Because of this incongruity, users called on Slack to update the privacy principles to make it clear how data is used for Slack AI or any future AI updates. According to a Salesforce spokesperson, the company has agreed an update is needed.
	</p>

	<p>
		 
	</p>

	<p>
		"Yesterday, some Slack community members asked for more clarity regarding our privacy principles," Salesforce's spokesperson told Ars. "We’ll be updating those principles today to better explain the relationship between customer data and generative AI in Slack."
	</p>

	<p>
		 
	</p>

	<p>
		The spokesperson told Ars that the policy updates will clarify that Slack does not "develop LLMs or other generative models using customer data," "use customer data to train third-party LLMs" or "build or train these models in such a way that they could learn, memorize, or be able to reproduce customer data." The update will also clarify that "Slack AI uses off-the-shelf LLMs where the models don't retain customer data," ensuring that "customer data never leaves Slack's trust boundary, and the providers of the LLM never have any access to the customer data."
	</p>

	<p>
		 
	</p>

	<p>
		These changes, however, do not seem to address a key concern for users who never explicitly consented to sharing chats and other Slack content for use in AI training.
	</p>

	<h2>
		Users opting out of sharing chats with Slack
	</h2>

	<p>
		This controversial policy is not new. Wired <a href="https://www.wired.com/story/how-to-stop-your-data-from-being-used-to-train-ai/" rel="external nofollow">warned</a> about it in April, and TechCrunch <a href="https://techcrunch.com/2024/05/17/slack-under-attack-over-sneaky-ai-training-policy/" rel="external nofollow">reported</a> that the policy has been in place since at least September 2023.
	</p>

	<p>
		 
	</p>

	<p>
		But widespread backlash began swelling last night on <a href="https://news.ycombinator.com/item?id=40383978&amp;ref=thestack.technology" rel="external nofollow">Hacker News</a>, where Slack users called out the chat service for seemingly failing to notify users about the policy change, instead quietly opting them in by default. To critics, it felt like there was no benefit to opting in for anyone but Slack.
	</p>

	<p>
		 
	</p>

	<p>
		From there, the backlash spread to social media, where SlackHQ hastened to clarify Slack's terms with explanations that did not seem to address all the criticism.
	</p>

	<p>
		 
	</p>

	<p>
		"I'm sorry Slack, you're doing fucking WHAT with user DMs, messages, files, etc?" Corey Quinn, the chief cloud economist for a cost management company called Duckbill Group, <a href="https://x.com/QuinnyPig/status/1791220276350390575" rel="external nofollow">posted</a> on X. "I'm positive I'm not reading this correctly."
	</p>

	<p>
		 
	</p>

	<p>
		SlackHQ <a href="https://x.com/SlackHQ/status/1791278012979130432" rel="external nofollow">responded</a> to Quinn after the economist declared, "I hate this so much," and confirmed that he had opted out of data sharing in his paid workspace.
	</p>

	<p>
		 
	</p>

	<p>
		"To clarify, Slack has platform-level machine-learning models for things like channel and emoji recommendations and search results," SlackHQ posted. "And yes, customers can exclude their data from helping train those (non-generative) ML models. Customer data belongs to the customer."
	</p>

	<p>
		 
	</p>

	<p>
		Later in the thread, SlackHQ noted, "Slack AI—which is our generative AI experience natively built in Slack—[and] is a separately purchased add-on that uses Large Language Models (LLMs) but does not train those LLMs on customer data."
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		Opting out is not necessarily straightforward, and individuals currently cannot opt out unless their entire organization opts out.
	</p>

	<p>
		 
	</p>

	<p>
		"You can always quit your job, right?" a Hacker News commenter joked.
	</p>

	<p>
		 
	</p>

	<p>
		And rather than adding a button to immediately turn off the firehose, Slack instructs customers to use a very specific subject line and contact Slack directly to stop sharing data:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			Contact us to opt out. If you want to exclude your Customer Data from Slack global models, you can opt out. To opt out, please have your org, workspace owners or primary owner contact our Customer Experience team at feedback@slack.com with your workspace/org URL and the subject line ‘Slack global model opt-out request’. We will process your request and respond once the opt-out has been completed.
		</p>
	</blockquote>

	<p>
		"Where is the opt-out button?" one Threads user asked Maurer.
	</p>

	<p>
		 
	</p>

	<p>
		Many commenters on Hacker News, Threads, and X confirmed that they were opting out after reading Slack's policy, as well as urging their organizations to consider using other chat services. Ars also chose to opt out today.
	</p>

	<p>
		 
	</p>

	<p>
		However, it remains unclear what exactly happens when users opt out. Commenters on Hacker News slammed Slack for failing to explain whether opting out deletes data from the models or "what exactly does the customer support rep do on their end to opt you out."
	</p>

	<p>
		 
	</p>

	<p>
		"You can't exactly go into the model and 'erase' parts of the corpus post-hoc," one commenter suggested.
	</p>

	<p>
		 
	</p>

	<p>
		All Slack's privacy principles state that "if you opt out, Customer Data on your workspace will only be used to improve the experience on your own workspace and you will still enjoy all of the benefits of our globally trained AI/ML models without contributing to the underlying models."
	</p>

	<h2>
		Slack’s consent model seems to conflict with GDPR
	</h2>

	<p>
		Slack's privacy policy, terms, and security documentation supposedly spell out how it uses customer data. However, The Stack <a href="https://www.thestack.technology/slack-is-scraping-your-messages-and-files-to-train-ai-by-default/" rel="external nofollow">reported</a> that none of those legal documents mention AI or machine learning, despite Slack debuting machine-learning features <a href="https://slack.engineering/how-we-built-slack-ai-to-be-secure-and-private/" rel="external nofollow">in 2016</a>.
	</p>

	<p>
		 
	</p>

	<p>
		There's no telling yet if Slack will make any additional changes as more customers opt out. What is clear from Slack's documents is that <a href="https://slack.engineering/how-we-built-slack-ai-to-be-secure-and-private/" rel="external nofollow">Slack knows</a> that its customers "have high expectations around data ownership" and that it has <a href="https://a.slack-edge.com/964df/marketing/downloads/security/Security_White_Paper_2020.pdf" rel="external nofollow">"an existential interest in protecting"</a> that data.
	</p>

	<p>
		 
	</p>

	<p>
		It's possible that lawmakers will force Slack to be more transparent about changes in its data collection as the chat service continues experimenting with AI.
	</p>

	<p>
		 
	</p>

	<p>
		It's also possible that Slack already doesn't default some customers to opt into data collection for ML training. The European Union's General Data Protection Regulation (GDPR) <a href="https://gdpr-info.eu/issues/consent/" rel="external nofollow">requires</a> informed and specific consent before companies can collect data.
	</p>

	<p>
		 
	</p>

	<p>
		"Consent cannot be implied and must always be given through an opt-in," the strict privacy law says. And companies must be prepared to demonstrate that they've received consent through opt-ins, the law says.
	</p>

	<p>
		 
	</p>

	<p>
		In the United Kingdom, the Information Commissioner's Office (ICO) requires explicit consent, specifically <a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/consent/" rel="external nofollow">directing</a> companies to note that "consent requires a positive opt-in."
	</p>

	<p>
		 
	</p>

	<p>
		"Don’t use pre-ticked boxes or any other method of default consent," ICO said. "Keep your consent requests separate from other terms and conditions."
	</p>

	<p>
		 
	</p>

	<p>
		Salesforce's spokesperson declined to comment on how Slack's policy complies with the GDPR. But Slack has said that it's <a href="https://slack.com/trust/compliance/gdpr" rel="external nofollow">committed</a> to complying with the GDPR, promising to "update our product features and contractual commitments accordingly." That did not seem to happen when Slack AI was launched in February.
	</p>

	<p>
		 
	</p>

	<p>
		Orosz warned that any chief technology officer (CTO) or chief information officer (CIO) letting Slack slide for defaulting customers into AI training data sharing should recognize that Slack setting that precedent could quickly become a slippery slope that other companies take advantage of.
	</p>

	<p>
		 
	</p>

	<p>
		"If you are a CTO or a CIO at your company and paying for Slack: why are you still opted in?" Orosz asked on Threads. "This is the type of thing where Slack should collect this data from free customers. Paying would be the perk that your messages don’t end up in AI training data. What company will try to pull this next with customers trusting them with confidential information/data?"
	</p>

	<p>
		 
	</p>

	<p>
		<em>This post was updated on May 17 to correct quotes from SlackHQ's posts on X.</em>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/tech-policy/2024/05/slack-defends-default-opt-in-for-ai-training-on-chats-amid-user-outrage/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23228</guid><pubDate>Sat, 18 May 2024 08:16:07 +0000</pubDate></item><item><title>The Week in Ransomware - May 17th 2024 - Mailbombing is back</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-may-17th-2024-mailbombing-is-back-r23227/</link><description><![CDATA[<p>
	This week was pretty quiet on the ransomware front, with most of the attention on the <a href="https://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/" target="_blank" rel="external nofollow">seizure of the BreachForums data theft forum</a>.
</p>

<p>
	 
</p>

<p>
	However, that does not mean there was nothing of interest released this week about ransomware.
</p>

<p>
	 
</p>

<p>
	A report by CISA said that the Black Basta ransomware operation has <a href="https://www.bleepingcomputer.com/news/security/cisa-black-basta-ransomware-breached-over-500-orgs-worldwide/" target="_blank" rel="external nofollow">breached over 500 organizations</a> worldwide since the group <a href="https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/" target="_blank" rel="external nofollow">launched in April 2022</a>.
</p>

<p>
	 
</p>

<p>
	After Conti <a href="https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/" target="_blank" rel="external nofollow">suffered a massive data breach</a>, the ransomware operation shut down and its <a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/" target="_blank" rel="external nofollow">members splintered into different groups</a> or launched their own ransomware operations.
</p>

<p>
	 
</p>

<p>
	One of those operations is Black Basta, which is believed to be composed of prior Conti members who operate it as a private group rather than as public ransomware-as-a-service.
</p>

<p>
	 
</p>

<p>
	It is widely believed that CISA released this report after news that the <a href="https://www.bleepingcomputer.com/news/security/healthcare-giant-ascension-redirects-ambulances-after-suspected-Black-Basta-ransomware-attack/" target="_blank" rel="external nofollow">massive disruption at Ascension Healthcare</a> was caused by a Black Basta ransomware attack.
</p>

<p>
	 
</p>

<p>
	In other news, the relatively new Inc Ransomware was attempting to <a href="https://www.bleepingcomputer.com/news/security/inc-ransomware-source-code-selling-on-hacking-forums-for-300-000/" target="_blank" rel="external nofollow">sell its source code for $300,000</a>. However, it is unclear whether the group was selling older, unused code or shutting down the operation.
</p>

<p>
	 
</p>

<p>
	Ransomware phishing attacks also took front stage this week, with the <a href="https://www.bleepingcomputer.com/news/security/botnet-sent-millions-of-emails-in-lockbit-black-ransomware-campaign/" target="_blank" rel="external nofollow">Phorpiex botnet sending millions of emails</a> that led to LockBit Black ransomware attacks, with the encryptor believed to have been created using <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer/" target="_blank" rel="external nofollow">LockBit's leaked source code</a>.
</p>

<p>
	 
</p>

<p>
	Black Basta was also found <a href="https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-in-black-basta-ransomware-attacks/" target="_blank" rel="external nofollow">mailbombing employees in targeted organizations</a> by subscribing their email addresses to various subscription services. They then contacted the target as IT support from their company to conduct a social engineering attack that let them gain access to the victim's computer.
</p>

<p>
	 
</p>

<p>
	Finally, Australian electronic prescription provider MediSecure shut down its IT systems and phones after <a href="https://www.bleepingcomputer.com/news/security/medisecure-e-script-firm-hit-by-large-scale-ransomware-data-breach/" target="_blank" rel="external nofollow">suffering a 'large-scale' ransomware data breach</a>.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/Rapid7" rel="external nofollow" target="_blank">@rapid7</a>, <a href="https://twitter.com/MsftSecIntel" rel="external nofollow" target="_blank">@MsftSecIntel</a>, <a href="https://twitter.com/3xp0rtblog" rel="external nofollow" target="_blank">@3xp0rtblog</a>, <a href="https://twitter.com/Intel_by_KELA" rel="external nofollow" target="_blank">@Intel_by_KELA</a>, <a href="https://twitter.com/NJCybersecurity" rel="external nofollow" target="_blank">@NJCybersecurity</a>, <a href="https://twitter.com/proofpoint" rel="external nofollow" target="_blank">@proofpoint</a>, <a href="https://twitter.com/troyhunt" rel="external nofollow" target="_blank">@troyhunt</a>, <a href="https://twitter.com/CISAgov" rel="external nofollow" target="_blank">@CISAgov</a>, <a href="https://twitter.com/FBI" rel="external nofollow" target="_blank">@FBI</a>, <a href="https://twitter.com/ahnlab_secuinfo" rel="external nofollow" target="_blank">@AhnLab_SecuInfo</a>, <a 
href="https://infosec.exchange/@briankrebs" rel="external nofollow" target="_blank">@briankrebs</a>, <a href="https://twitter.com/ncsc" rel="external nofollow" target="_blank">@NCSC</a>, <a href="https://twitter.com/sekoia_io" rel="external nofollow" target="_blank">@sekoia_io</a>, <a href="https://twitter.com/JakubKroustek" rel="external nofollow" role="link" tabindex="-1" target="_blank">@JakubKroustek</a>, and <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>.
</p>

<h2>
	May 11th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/cisa-black-basta-ransomware-breached-over-500-orgs-worldwide/" target="_blank" rel="external nofollow">CISA: Black Basta ransomware breached over 500 orgs worldwide</a>
</h3>

<p>
	CISA and the FBI said today that Black Basta ransomware affiliates breached over 500 organizations between April 2022 and May 2024.
</p>

<h2>
	May 12th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/largest-non-bank-lender-in-australia-warns-of-a-data-breach/" target="_blank" rel="external nofollow">Largest non-bank lender in Australia warns of a data breach</a>
</h3>

<p>
	Firstmac Limited is warning customers that it suffered a data breach a day after the new Embargo cyber-extortion group leaked over 500GB of data allegedly stolen from the firm.
</p>

<h3>
	<a href="https://twitter.com/JakubKroustek/status/1789775447892361638" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/JakubKroustek" rel="external nofollow" role="link">Jakub Kroustek</a> found a new STOP ransomware variant that appends the <strong>.paaa</strong> extension.
</p>

<h2>
	May 13th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/botnet-sent-millions-of-emails-in-lockbit-black-ransomware-campaign/" target="_blank" rel="external nofollow">Botnet sent millions of emails in LockBit Black ransomware campaign</a>
</h3>

<p>
	Since April, millions of phishing emails have been sent through the Phorpiex botnet to conduct a large-scale LockBit Black ransomware campaign.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/inc-ransomware-source-code-selling-on-hacking-forums-for-300-000/" target="_blank" rel="external nofollow">INC ransomware source code selling on hacking forums for $300,000</a>
</h3>

<p>
	A cybercriminal using the name "salfetka" claims to be selling the source code of INC Ransom, a ransomware-as-a-service (RaaS) operation launched in August 2023.
</p>

<h3>
	<a href="https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/" rel="external nofollow" target="_blank">Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns</a>
</h3>

<p class="bc_quote">
	Recently, our team observed an incident involving our MS-SQL (Microsoft SQL) honeypot. It was targeted by an intrusion set leveraging brute-force tactics, aiming to deploy the Mallox ransomware via PureCrypter through several MS-SQL exploitation techniques.
</p>

<h3>
	<a href="https://krebsonsecurity.com/2024/05/how-did-authorities-identify-the-alleged-lockbit-boss/" rel="external nofollow" target="_blank">How Did Authorities Identify the Alleged Lockbit Boss?</a>
</h3>

<p class="bc_quote">
	Last week, the United States joined the U.K. and Australia in sanctioning and charging a Russian man named <strong>Dmitry Yuryevich Khoroshev</strong> as the leader of the infamous <strong>LockBit</strong> ransomware group. LockBit’s leader “<strong>LockBitSupp</strong>” claims the feds named the wrong guy, saying the charges don’t explain how they connected him to Khoroshev. This post examines the activities of Khoroshev’s many alter egos on the cybercrime forums, and tracks the career of a gifted malware author who has written and sold malicious code for the past 14 years.
</p>

<h3>
	<a href="https://asec.ahnlab.com/en/65364/" rel="external nofollow" target="_blank">Malware Distributed as Copyright Violation-Related Materials (Beast Ransomware, Vidar Infostealer)</a>
</h3>

<p class="bc_quote">
	The distribution of a new malware strain has been identified based on a recent copyright infringement warning, and it will be covered here.
</p>

<h3>
	<a href="https://twitter.com/JakubKroustek/status/1789924003081039919" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	Jakub Kroustek found a new STOP ransomware variant that appends the <strong>.vehu</strong> extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1789888978000240757" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found a new STOP ransomware variant that appends the <strong>.vepi</strong> extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1789926471319933212" rel="external nofollow" target="_blank">New ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the <strong>.capibara</strong> extension and drops a ransom note named <strong>READ_ME_USER.txt</strong>.
</p>

<h2>
	May 14th 2024
</h2>

<h3>
	<a href="https://www.ncsc.gov.uk/news/cyber-insurance-industry-unites-reduce-ransom-harm" rel="external nofollow" target="_blank">Cyber insurance industry unites to bear down on ransom payments</a>
</h3>

<p class="bc_quote">
	Joint guidance from the NCSC with the Association of British Insurers (ABI), British Insurance Brokers’ Association (BIBA) and International Underwriting Association (IUA) aims to help organisations faced with ransomware demands minimise disruption and the cost of an incident.
</p>

<h3>
	<a href="https://www.ncsc.gov.uk/guidance/organisations-considering-payment-in-ransomware-incidents" rel="external nofollow" target="_blank">Guidance for organisations considering payment in ransomware incidents</a>
</h3>

<p class="bc_quote">
	This guidance has been jointly developed by the insurance industry bodies <a href="https://www.abi.org.uk/" rel="external nofollow" target="_blank">ABI</a>, <a href="https://www.biba.org.uk/" rel="external nofollow" target="_blank">BIBA</a>, <a href="https://www.iua.co.uk/" rel="external nofollow" target="_blank">IUA</a> and the NCSC. It is for organisations experiencing a ransomware attack and the partner organisations supporting them.
</p>

<h2>
	May 15th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/nissan-north-america-data-breach-impacts-over-53-000-employees/" target="_blank" rel="external nofollow">Nissan North America data breach impacts over 53,000 employees</a>
</h3>

<p>
	Nissan North America (Nissan) suffered a data breach last year when a threat actor targeted the company's external VPN and shut down systems to receive a ransom.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-in-black-basta-ransomware-attacks/" target="_blank" rel="external nofollow">Windows Quick Assist abused in Black Basta ransomware attacks</a>
</h3>

<p>
	Financially motivated cybercriminals abuse the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware payloads on victims' networks.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/legal/tornado-cash-cryptomixer-dev-gets-64-months-for-laundering-2-billion/" target="_blank" rel="external nofollow">Tornado Cash cryptomixer dev gets 64 months for laundering $2 billion</a>
</h3>

<p>
	Alexey Pertsev, one of the main developers of the Tornado Cash cryptocurrency tumbler, has been sentenced to 64 months in prison for his part in helping launder more than $2 billion worth of cryptocurrency.
</p>

<h2>
	May 16th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/medisecure-e-script-firm-hit-by-large-scale-ransomware-data-breach/" target="_blank" rel="external nofollow">MediSecure e-script firm hit by ‘large-scale’ ransomware data breach</a>
</h3>

<p>
	Electronic prescription provider MediSecure in Australia has shut down its website and phone lines following a ransomware attack believed to originate from a third-party vendor.
</p>

<h2>
	That's it for this week! Hope everyone has a nice weekend!
</h2>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-17th-2024-mailbombing-is-back/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23227</guid><pubDate>Sat, 18 May 2024 08:14:43 +0000</pubDate></item><item><title>Microsoft Edge gets fixes for five more security vulnerabilities</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edge-gets-fixes-for-five-more-security-vulnerabilities-r23212/</link><description><![CDATA[<p>
	This month is full of Microsoft Edge security updates. Version 124 is now receiving its fourth patch aimed at resolving security vulnerabilities. You can now download version 124.0.2478.109, which contains fixes for five different vulnerabilities, some of which are exploited in the wild. Besides Chromium security patches, the update fixes one Microsoft Edge-specific vulnerability.
</p>

<p>
	 
</p>

<p>
	Here are the patched vulnerabilities in Microsoft Edge 124.0.2478.109:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30056" rel="external nofollow">CVE-2024-30056</a>: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability. Exposure of Private Personal Information to an Unauthorized Actor
	</li>
	<li>
		<p>
			<a href="https://www.cve.org/CVERecord?id=CVE-2024-4947" rel="external nofollow">CVE-2024-4947</a>: Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
		</p>
	</li>
	<li>
		<p>
			<a href="https://www.cve.org/CVERecord?id=CVE-2024-4948" rel="external nofollow">CVE-2024-4948</a>: Use after free in Dawn in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
		</p>
	</li>
	<li>
		<p>
			<a href="https://www.cve.org/CVERecord?id=CVE-2024-4949" rel="external nofollow">CVE-2024-4949</a>: Use after free in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
		</p>
	</li>
	<li>
		<p>
			<a href="https://www.cve.org/CVERecord?id=CVE-2024-4950" rel="external nofollow">CVE-2024-4950</a>: Inappropriate implementation in Downloads in Google Chrome prior to 125.0.6422.60 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
		</p>

		<p>
			 
		</p>
	</li>
</ul>

<p>
	Microsoft Edge 124.0.2478.109 is now available in the regular Stable Channel (four-week update schedule) and the Extended Stable Channel (eight-week update schedule). You can get to the latest version by heading to <strong>Menu &gt; Help &amp; Feedback &gt; About Microsoft Edge</strong> or directly to the <strong>edge://settings/help</strong> page.
</p>

<p>
	 
</p>

<p>
	As a reminder, Microsoft will soon <a href="https://www.neowin.net/news/microsoft-is-ending-edge-support-on-computers-without-sse3/" rel="external nofollow">end Edge support</a> on systems with processors that do not support the SSE3 instruction set. Edge 126 will be the last release that does not require SSE3. However, you should not fret if your PC is not a 20-year-old museum exhibit since PC processors have supported SSE3 since 2004.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-edge-gets-fixes-for-five-more-security-vulnerabilities/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">23212</guid><pubDate>Fri, 17 May 2024 18:06:28 +0000</pubDate></item></channel></rss>
