Besides the official support website, messages about the inevitable death of the service have started to appear on the Google One app on Android.

If the shutdown of VPN by Google One directly affects you, Google has got your back with a few alternatives to consider. For example, Google Fi Wireless offers a VPN. Also, if you own a Pixel smartphone, you can use a built-in VPN service. Older Pixel models will get a built-in VPN (VPN by Google) through a system update on June 3, 2024. That applies to the Pixel 7, Pixel 7 Pro, Pixel 7a, and Pixel Fold. Finally, you can always find a third-party VPN service in the Google Play Store.

Those using the VPN by Google One can learn how to uninstall the service from their devices using Google's documentation. It covers all sorts of devices, including Android, iOS, macOS, and Windows (some users may have already uninstalled it after the recent issues).

If you still use VPN by Google One on your Windows machine, you can uninstall it by heading to Settings > Apps > Apps & Features > VPN by Google One > Uninstall.

Here is how Google explains its decision to shut down VPN by Google One:

With the focus to provide the most in-demand features, VPN by Google One is discontinued. However, it’ll continue to be available as a built-in capability on Pixel 7 and up devices and via Google Fi Wireless.

In other words, very few customers use VPN by Google One, so the company decided to pull the plug.

Source

For those unaware, Fedora Linux is one of the most popular Linux distributions around. It's similar to Ubuntu in that it comes out with new releases every six months or so but typically includes more cutting edge software with each new release.

Like any operating system, Fedora versions reach their end of life where they no longer receive security updates. Usually they lose support a month after the release of the version two iterations ahead, Fedora 40 came out in April so that means Fedora 38 is getting shelved in May.

Users need only upgrade to Fedora 39 but can also jump to Fedora 40 if they wish. Fedora 39 will be supported until one month after the release of Fedora 41, which is currently slated for release in mid-October, that means Fedora 39 will be ok until mid-November.

Upgrading a Fedora system is very easy, just open up Software and go to the Updates tab. You should apply any available update and then you should see a notification to upgrade to the next version, click on that and go through the flow - with a decent internet connection the upgrade won’t take too much of your time.

According to Samyak Jain from the Fedora Packaging Team, once updates end for Fedora 38, no more security updates or security announcements will be given. All other updates for it will end too.

With no security updates coming in, Fedora 38 will grow more and more vulnerable to exploits with every day that passes. You could carry on running that version on your system, it won’t just stop working, but the longer you wait the more you’re increasing your risk.

Over time, the lack of updates will mean that your browser becomes out of date and that could be very dangerous for you as it’s used a lot and more targeted than the base Linux system itself.

Source: Fedora Discussion

Source

Version 124.0.2478.105: May 14, 2024

 

This update to Stable channel (and Extended Stable channel) contains a fix for CVE-2024-4761, which has been reported by the Chromium team as having an exploit in the wild. For more information, see the Security Update Guide.

According to the CVE website, CVE-2024-4761 is a high-severity V8 vulnerability in Chromium that allowed a remote attacker to perform an out-of-bounds memory write using a specifically crafted HTML page. The vulnerability affects browser versions prior to 124.0.6367.207. Google keeps the details about CVE-2024-4761 under wraps until more users download and install the necessary fixes.

Like other modern browsers, Microsoft Edge updates itself automatically in the background. However, you can force-install the latest update by navigating to Menu > Help and Feedback > About Microsoft Edge or edge://settings/help. Chrome has also received the same security update, so you can get it as well if you prefer Google's browser over Microsoft's.

You can also check out this and this article to learn more about Microsoft Edge's recent security updates and patched vulnerabilities (both Chromium-related and exclusive to Microsoft Edge).

In other Edge news, Microsoft has just updated its official documentation to mention that Edge 126, which is expected next month, is dropping support for computers powered by CPUs without the SSE3 instruction set. But do not panic—you need a very old PC to be affected by the change since SSE3 debuted two decades ago.

Source

The seizure occurred on Wednesday morning, soon after the site was used last week to leak data stolen from a Europol law enforcement portal.

The website is now displaying a message stating that the FBI has taken control over it and the backend data, indicating that law enforcement seized both the site's servers and domains.

"This website has been taken down by the FBI and DOJ with assistance from international partners," reads the seizure message.

"We are reviewing this site's backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us," continues the seizure banner.

The seizure message also shows the two forum profile pictures of the site's administrators, Baphomet and ShinyHunters, overlaid with prison bars.

If law enforcement has gained access to the hacking forum's backend data, as they claim, they would have email addresses, IP addresses, and private messages that could expose members and be used in law enforcement investigations.

The FBI has also seized the site's Telegram channel, with law enforcement sending messages stating it is under their control.

One of the messages posted to the seized Telegram channel by law enforcement came directly from Baphomet's account, possibly indicating that the threat actor was arrested and his devices are now in the hands of law enforcement.

In a Telegram message shared with BleepingComputer, the threat actor known as IntelBroker is also claiming that Baphomet was arrested in the law enforcement operation.

The FBI is requesting victims and individuals contact them with information about the hacking forum and its members to aid in their investigation.

The seizure messages include ways to contact the FBI about the seizure, including an email, a Telegram account, a TOX account, and a dedicated page hosted on the FBI's Internet Crime Complaint Center (IC3).

"The Federal Bureau of Investigation (FBI) is investigating the criminal hacking forums known as BreachForums and Raidforums," reads a dedicated subdomain on the FBI's IC3 portal.

"From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services."

"Previously, a separate version of BreachForums (hosted at breached.vc/.to/.co and run by pompompurin) operated a similar hacking forum from March 2022 until March 2023. Raidforums (hosted at raidforums.com and run by Omnipotent) was the predecessor hacking forum to both version of BreachForums and ran from early 2015 until February 2022."

This IC3 subdomain hosts a form that victims and other individuals can use to share information about BreachForums and its members.

BleepingComputer contacted the FBI and Department of Justice with further questions, but no response was immediately available.

The notorious BreachForums

BreachForums was the successor of a string of hacking forums used to trade, sell, and leak stolen data, as well as sell access to corporate networks and other illegal cybercrime services.

The first of these sites was known as RaidForums, which initially launched in 2015 and became the largest site for distributing stolen data, and was commonly used by ransomware and extortion groups.

The site was eventually seized by law enforcement, with the police arresting the owner known as "Omnipotent".

Soon after, one of its more active members, Pompompurin, created a new forum called 'Breached' to fill the void left behind by RaidForums.

The site quickly grew in popularity and was used by thousands of members to brag about their cybercrime activities and to leak and sell stolen data.

However, the site soon drew the ire of law enforcement after one of its members, IntelBroker, leaked the stolen data of D.C. Health Link, a healthcare provider for U.S. House members, their staff, and their families.

Soon after, Breached was seized by law enforcement, and its admin, Conor Fitzpatrick (aka Pompompurin), was arrested.

Once again, those in this cybercrime community were left without a home, so one of Breached's previous admins, known as Baphomet, teamed with ShinyHunters, a notorious seller of stolen data, to launch a new site named BreachForums.

Like the other sites, BreachForums quickly became popular with stolen corporate data being leaked from new breaches, including those on AT&T, 23andMe, Hewlett Packard Enterprise, Home Depot, Dell, PandaBuy, and The Post Millenial.

Today's seizure message indicates that law enforcement has had access to the site's servers, potentially for a long time, as they monitored threat actors' activities.

However, the breach that went too far may have been the recent leak of data stolen from Europol's Platform for Experts (EPE) portal by a threat actor known as IntelBroker, forcing law enforcement to take action.

Source

The company addressed the security flaw (tracked as CVE-2024-27834) on systems running macOS Monterey and macOS Ventura with improved checks.

While Apple only said that the vulnerability was reported by Manfred Paul, working with Trend Micro's Zero Day Initiative, this is one of the bugs the security researcher chained with an integer underflow bug to gain remote code execution (RCE) and earn $60,000 during Pwn2Own.

"An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication," Apple explains in a Monday advisory.

Pointer authentication codes (PACs) are used on the arm64e architecture to detect and guard against unexpected changes to pointers in memory, with the CPU triggering app crashes following memory corruption events linked to authentication failures.

While Safari 17.5 is also available for iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5, and visionOS 1.2, Apple has yet to confirm if it also patched the CVE-2024-27834 bug on these platforms.

If you run macOS Ventura or macOS Monterey, you can update Safari without updating macOS by going to  > System Settings > General > Software Update and clicking "More info…" under "Updates Available."

Pwn2Own Vancouver 2024

Security researchers collected $1,132,500 after exploiting and reporting 29 zero-days at this year's Vancouver hacking contest.

Manfred Paul emerged as the winner and earned $202,500 in cash after demoing an RCE zero-day combo against Apple's Safari web browser and a double-tap RCE exploit targeting an Improper Validation of Specified Quantity in Input weakness in the Google Chrome and Microsoft Edge web browsers during the first day of the hacking competition.

On the second day, Manfred Paul exploited an out-of-bounds (OOB) write zero-day bug to gain RCE and escaped Mozilla Firefox's sandbox via an exposed dangerous function weakness.

Google and Mozilla fixed the zero-days exploited at Pwn2Own Vancouver 2024 within days after the contest ended, with Google releasing patches five days later and Mozilla after just one day.

However, vendors rarely hurry to fix security flaws exploited at Pwn2Own since Trend Micro's Zero Day Initiative publicly discloses bug details after 90 days.

On Monday, Apple also backported security patches released in March to older iPhones and iPads, fixing an iOS zero-day tagged as exploited in attacks.

Source

The specification titled "Detecting Unwanted Location Trackers" makes it possible to notify users across Android and iOS if a Bluetooth-enabled tracker is being used to track them without their knowledge.

Apple announced in a blog post that it is "implementing this capability in iOS 17.5, and Google is now launching this capability on Android 6.0+ devices." The Cupertino giant will continue working with Google to develop an official standard for this technology.

An alert about an unwanted tracking device could look like, "[Item] Found Moving With You."

These tracking notifications can work regardless of the operating system the tracking device is paired with. In other words, an iPhone can show alerts about a Bluetooth tracker paired with an Android device, view the tracker's identifier, play sound to locate it, and access instructions to disable it, if required.

It works with AirTags, Find My network accessories and third-party Bluetooth trackers that support the specification. Bluetooth tag manufacturers, including Pebblebee, Motorola, Jio, eufy, and Chipolo have assured that their future tags will be compatible with the specification.

The roots of the tracking notifications feature lie in the early days of Apple's AirTag when bad actors used it to steal cars and stalk people, including Android users. The situation escalated to the point that Apple had to bake unwanted accessory detection into its software and launch an anti-stalking app for Android.

Google's Find My Device network, launched in the US and Canada earlier this year, was officially delayed to allow Apple to include unwanted tracking detection into its software.

Source

What you need to know

• It appears that Microsoft will completely remove an Edge feature that allowed you to follow content creators through the browser.
• Microsoft removed the option to follow creators through the address bar last year, but you were still able to keep track of new content from creators you had already followed.
• That is no longer the case, as the latest Edge Canary build lacks the "Following" tab altogether.
• The follow creators feature was mired with privacy concerns, since the feature seemed connected to a bug that would send the details of URLs visited by a person to Bing.

Microsoft Edge will soon lose a feature that allows you to follow content creators through the browser. Or at least that appears to be the case based on the latest Edge Canary build. Leo Varela spotted that the most recent Canary build of Edge lacks the "Following" tab in the Collections pane and any mentions of the ability to follow content creators within Edge's Settings.

Microsoft removed the option to follow creators by clicking a button in the address bar last year. But it appears the ability to follow content creators will soon be gone altogether.

While the feature was popular among certain Edge users, there were privacy concerns connected to it, making its apparent deprecation a relief to some.

Privacy concerns

The ability to follow content creators within Edge was a useful feature, though a bit redundant since so many sites allow you to follow people and get notifications about new content. But Edge housed the creators you followed in a simple pane that was easy to access. Unfortunately, the history of the feature is tied to privacy concerns.

Last year, a Reddit user discovered that Microsoft Edge seemed to share almost all visited URLs with Bing. That behavior was connected to the follow creators feature, which was enabled by default. Investigation by The Verge determined that poor implementation of a feature within Edge was likely the culprit. As a result, just about every website you visited was sent to Bing.

That situation raised privacy concerns among users. Microsoft told The Verge it would investigate the situation and address any issues. "We’re aware of reports, are investigating and will take appropriate action to address any issues," said a Microsoft spokesperson to The Verge. Now, it appears those at the company determined the best way to handle the privacy issue was to remove the feature entirely.

Microsoft removed the "Follow this creator" button from the Edge address bar last year, but it was still possible to use the feature in a limited capacity. If you already followed creators, you could continue to follow them through Edge and see new content in the "Following" tab inside the Collections panel. That is no longer the case in the latest Edge Canary build. The "Following" tab is gone entirely, suggesting Microsoft plans to deprecate the feature.

Without official word from Microsoft, it's impossible to confirm plans for the follow creators feature in Edge, but it seems likely the tech giant has shifted away from any plans related to following creators through Edge.

Source

Microsoft has a fix for CVE-2024-4671 to Microsoft Edge Stable Channel (Version 124.0.2478.97) and Extended Stable channel (Version 124.0.2478.97), which has been reported by the Chromium team as having an exploit in the wild. For more information, see the Security Update Guide.

 

This update also contains the following Microsoft Edge-specific update:

 

• CVE-2024-30055

According to the description on the CVE website, CVE-2024-4671, the vulnerability allows remote attackers to exploit heap corruption with a specially crafted HTML page. Google has reported that the exploit "exists in the wild" (in other words, it is already used for malicious intents), so be sure to install the latest security updates as soon as possible.

As for the second one, CVE-2024-30055 is a low-severity spoofing vulnerability that is exclusive to Microsoft Edge. Exploiting it requires the user to click a special link, after which the attacker could get "limited information" from the victim's browser.

The user would have to click on a specially crafted URL to be compromised by the attacker. Limited information from the victim's browser associated with the vulnerable URL can be sent to the attacker by the malicious code. The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site.

Patches for CVE-2024-4671 and 2024-30055 are now available in the Stable Channel and Extended Stable Channel. It is a special release option made for enterprise customers who want to get fewer Microsoft Edge updates. The company ships new Edge versions in the Extended Stable Channel every 8 weeks unlike the "regular" Stable Channel with its 4-week release cycle. The idea behind Microsoft Edge Extended Stable Channel is to give enterprise customers more time to adopt the latest changes and features in the browser.

Source

On February 19, Operation Cronos took down LockBit's infrastructure and converted its data leak site into a law enforcement press release site where they released information about the police actions.

After being inactive for months, the site went live again on Sunday, teasing new information that would be released, including the possible identity of the LockBit admin.

On Tuesday, the NCA, Europol, and the FBI revealed the identity of LockBitSupp, a 31-year-old Russian national named Dmitry Yuryevich Khoroshev.

Since then, the LockBit operation has been on a revenge spree, leaking the names of 119 victims allegedly attacked by the ransomware operation.

While LockBitSupp says they are not going anywhere and will continue to conduct attacks, it would not be surprising to see them shut down and rebrand a new operation in the near future.

In other news, an attack on healthcare giant Ascension has caused massive disruption to the healthcare system, causing ambulances to be diverted from several hospitals and systems offline, including medical records.

According to CNN, the attack has been linked to the Black Basta ransomware operation.

Other ransomware attacks we learned more about this week are:

• The City of Wichita cyberattack was claimed by LockBit ransomware.
• LockBit demanded a massive $200 million ransom from Boeing in a November cyberattack.
• Ohio Lottery ransomware attack impacts over 538,000 individuals.
• Brandywine Realty Trust had data stolen in a ransomware attack.
• The University System of Georgia finally confirmed 800,000 people were impacted by the 2023 MOVEit data theft attacks.

Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @serghei, @fwosar, @LawrenceAbrams, @malwrhunterteam, @Seifreed, @Ionut_Ilascu, @BleepinComputer, @demonslay335, @snlyngaas, @pcrisk, @AJVicens, @chainalysis, @F_A_C_C_T_ , @zackwhittaker, @H4ckManac, and @JakubKroustek.

May 6th 2024

Examining the Impact of Ransomware Disruptions: Qakbot, LockBit, and BlackCat

A historic surge of ransomware incidents and payment totals in 2023 was not without resistance, as significant actions were taken against ransomware actors in 2023 and early 2024, including notable disruptions on Qakbot malware, and the LockBit and ALPHV-BlackCat ransomware-as-a-service (RaaS) groups.

Lockbit's seized site comes alive to tease new police announcements

The NCA, FBI, and Europol have revived a seized LockBit ransomware data leak site to hint at new information being revealed by law enforcement this Tuesday.

City of Wichita shuts down IT network after ransomware attack

The City of Wichita, Kansas, disclosed it was forced to shut down portions of its network after suffering a weekend ransomware attack.

New STOP ransomware variants

Jakub Kroustek found new STOP ransomware variants that append the .qepi, .qehu, and .baaa extensions.

May 7th 2024

LockBit ransomware admin identified, sanctioned in US, UK, Australia

The FBI, UK National Crime Agency, and Europol have unveiled sweeping indictments and sanctions against the admin of the LockBit ransomware operation, with the identity of the Russian threat actor revealed for the first time.

New XAM ransomware

PCrisk found a new ransomware that appends the .xam extension and drops a ransom note named unlock.txt.

Darkness is coming: a new group of MorLock ransomware has increased the intensity of attacks on Russian businesses

MorLock, like many others we covered in our above-mentioned review, is attacking Russian companies using LockBit 3 (Black) and Babuk ransomware . In the current environment, there is a collaboration of cyber gangs; they use similar tactics, techniques and procedures (TTPs), as well as an arsenal of tools. All this creates certain “interference” that makes it difficult to identify attackers, but it is still possible to identify the attackers’ unique handwriting, which allows them to be attributed to a particular group.

Brandywine Realty Trust says data stolen in ransomware attack

U.S. realty trust giant Brandywine Realty Trust has confirmed a cyberattack that resulted in the theft of data from its network.

May 8th 2024

University System of Georgia: 800K exposed in 2023 MOVEit attack

The University System of Georgia (USG) is sending data breach notifications to 800,000 individuals whose data was exposed in the 2023 Clop MOVEit attacks.

City of Wichita breach claimed by LockBit ransomware gang

The LockBit ransomware gang has claimed responsibility for a disruptive cyberattack on the City of Wichita, which has forced the City's authorities to shut down IT systems used for online bill payment, including court fines, water bills, and public transportation.

Ascension healthcare takes systems offline after cyberattack

?Ascension, one of the largest private healthcare systems in the United States, has taken some of its systems offline to investigate what it describes as a "cyber security event."

Boeing confirms attempted $200 million ransomware extortion attempt

The cybercriminals who targeted Boeing using the LockBit ransomware platform in October 2023 demanded a $200 million extortion payment, the company said Wednesday.

New STOP ransomware variant

Jakub Kroustek found a new STOP ransomware variant that appends the .qeza extension.

May 10th 2024

Ohio Lottery ransomware attack impacts over 538,000 individuals

?The Ohio Lottery is sending data breach notification letters to over 538,000 individuals affected by a cyberattack that hit the organization's systems on Christmas Eve.

Ascension redirects ambulances after suspected ransomware attack

Ascension, a major U.S. healthcare network, is diverting ambulances from several hospitals due to a suspected ransomware attack that has been causing clinical operation disruptions and system outages since Wednesday.

That's it for this week! Hope everyone has a nice weekend!

Source

Password guidelines and rules have not changed all that much for users in the past ten or so years, however. Pick unique and strong, which means long and complex, passwords, and you are good to go.

While rules are relatively simple, especially when used in combination with a password manager, many Internet and computer users still do not follow them. They use passwords repeatedly or pick weak passwords that allow threat actors to crack them in a matter of seconds.

Brute force and dictionaries: two common attacks against passwords. Dictionary attacks use lists of passwords, often those found in leaks, as it is fast method to crack a percentage of passwords quickly. Brute forcing refers to trying any combination of a character set, say all numbers, upper- and lower-case letters on a password.

Password cracking chart 2024

Researchers at Hive Systems have updated the organization's  password cracking chart to reflect advancements in computing power and security.

It shows how long a system with twelve RTX 4090 graphics cards would need to crack a password. It reveals the information for the cases "numbers only", lowercase letters, upper and lowercase letters, "numbers, upper and lowercase letters, and "numbers, upper and lowercase letters, symbols".

An 8 character password consisting only of numbers is cracked by the setup in 37 seconds. Change that to lowercase letters, and the time increases to 22 hours. With everything included, it is taking the machine 7 years in worst case to crack the password.

To find out how secure, or insecure, a password is, count its characters. Once you have the character count, check its line. Now analyze the composition of the character. Does it have only numbers or lowercase letters? Or a combination? Check the column and read the value. This is the time it would take Hive System's machine to crack the password.

Note: more powerful setups reduce the time it takes to brute force passwords significantly. Even if the time looks fine on this chart, it may not be fine if more powerful machines target the password.

Password recommendations 2024

1. Always include numbers, upper and lowercase letters, and symbols, provided that the app or service supports this.
2. Pick 16 or more characters, again provided that the service or apps support the number.
3. Always use unique passwords.

Since it is impossible for most users to remember lots of unique 16 character passwords, it is recommended to use a password manager. You could give Bitwarden a try, it is open source and there is a free version available. The pro version has extra features and costs only $10 per year.

Improve security further

Certain attacks may reveal passwords without need to brute force or crack them. This is the case for phishing, which attempts to lure users on fake sites or get them to use fake apps to steal their credentials.

Two-factor authentication adds a second authentication step. While it sounds complicated on paper, it is not really.

What you need is an authenticator app and a few minutes to set up the security feature for important accounts. When you sign in next time, you still provide username and password in the first step, and then a code generated by the app in the second step.

If a threat actor steals the username and passwords, either through brute force attacks or other means, access is still prevented thanks to the second layer of security.

What about you? Do you use a password manager and two-factor authentication? How fast would your passwords be cracked?

Source

Ethan Zuckerman wants to release a tool that would allow Facebook users to control what appears in their newsfeeds. His privacy-friendly browser extension, Unfollow Everything 2.0, is designed to essentially give users a switch to turn the newsfeed on and off whenever they want, providing a way to eliminate or curate the feed.

 

The tool is nearly ready to be released, Zuckerman told Ars, but the University of Massachusetts Amherst associate professor is afraid that Facebook owner Meta might threaten legal action if he goes ahead. And his fears appear well-founded. In 2021, Meta sent a cease-and-desist letter to the creator of the original Unfollow Everything, Louis Barclay, leading that developer to shut down his tool after thousands of Facebook users had eagerly downloaded it.

 

Zuckerman is suing Meta, asking a US district court in California to invalidate Meta's past arguments against developers like Barclay and rule that Meta would have no grounds to sue if he released his tool.

 

Zuckerman insists that he's "suing Facebook to make it better." In picking this unusual legal fight with Meta, the professor—seemingly for the first time ever—is attempting to tip Section 230's shield away from Big Tech and instead protect third-party developers from giant social media platforms.

 

To do this, Zuckerman is asking the court to consider a novel Section 230 argument relating to an overlooked provision of the law that Zuckerman believes protects the development of third-party tools that allow users to curate their newsfeeds to avoid objectionable content. His complaint cited case law and argued:

 

Section 230(c)(2)(B) immunizes from legal liability "a provider of software or enabling tools that filter, screen, allow, or disallow content that the provider or user considers obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable." Through this provision, Congress intended to promote the development of filtering tools that enable users to curate their online experiences and avoid content they would rather not see.

Unfollow Everything 2.0 falls in this "safe harbor," Zuckerman argues, partly because "the purpose of the tool is to allow users who find the newsfeed objectionable, or who find the specific sequencing of posts within their newsfeed objectionable, to effectively turn off the feed."

 

Ramya Krishnan, a senior staff attorney at the Knight Institute who helped draft Zuckerman's complaint, told Ars that some Facebook users are concerned that the newsfeed "prioritizes inflammatory and sensational speech," and they "may not want to see that kind of content." By turning off the feed, Facebook users could choose to use the platform the way it was originally designed, avoiding being served objectionable content by blanking the newsfeed and manually navigating to only the content they want to see.

 

“Users don’t have to accept Facebook as it’s given to them," Krishnan said in a press release provided to Ars. "The same statute that immunizes Meta from liability for the speech of its users gives users the right to decide what they see on the platform.”

 

Zuckerman, who considers himself "old to the Internet," uses Facebook daily and even reconnected with and began dating his now-wife on the platform. He has a "soft spot" in his heart for Facebook and still finds the platform useful to keep in touch with friends and family.

 

But while he's "never been in the 'burn it all down' camp," he has watched social media evolve to give users less control over their feeds and believes "that the dominance of a small number of social media companies tends to create the illusion that the business model adopted by them is inevitable," his complaint said.

 

Source

In a blog post, Proton says the new feature is called Pass Monitor, and as the name suggests, the team scans the dark web to see if your passwords, along with your email addresses and aliases, have been a part of a security breach. The blog post states:

We use our own datasets of dark web hubs as well as those compiled by Have I Been Pwned(new window) and Constella Intelligence(new window), leaders in digital threat management. We only share custom email addresses (with your approval) with third parties for Dark Web Monitoring.

If a breach that involves your emails or passwords does happen, Proton Pass will send users alerts so they can make the necessary changes to their passwords and email. The alerts will offer info on which service had the data breach, what data was involved, and when the data was discovered. The new feature will also scan your current passwords and alert you if any of them have been reused or are considered weak.

Pass Monitor will also alert you if any services that you sign up for have two-factor authentication but have so far not been enabled, Finally, the new feature will add the company's Proton Sentinel program. It uses a combination of human analysts and AI to try to find and stop any attacks on your accounts.

The new Pass Monitor feature will be available for all Proton Pass users over the next few days. It's available with a Proton Pass subscription that starts at $4.99 a month.

Source

Source

Most scammers and cybercriminals operate in the digital shadows and don’t want you to know how they make money. But that’s not the case for the Yahoo Boys, a loose collective of young men in West Africa who are some of the web’s most prolific—and increasingly dangerous—scammers.

Thousands of people are members of dozens of Yahoo Boy groups operating across Facebook, WhatsApp, and Telegram, a WIRED analysis has found. The scammers, who deal in types of fraud that total hundreds of millions of dollars each year, also have dozens of accounts on TikTok, YouTube, and the document-sharing service Scribd that are getting thousands of views.

Inside the groups, there’s a hive of fraudulent activity with the cybercriminals often showing their faces and sharing ways to scam people with other members. They openly distribute scripts detailing how to blackmail people and how to run sextortion scams—that have driven people to take their own lives—sell albums with hundreds of photographs, and advertise fake social media accounts. Among the scams, they’re also using AI to create fake “nude” images of people and real-time deepfake video calls.

The Yahoo Boys don’t disguise their activity. Many groups use “Yahoo Boys” in their name as well as other related terms. WIRED’s analysis found 16 Yahoo Boys Facebook groups with almost 200,000 total members, a dozen WhatsApp channels, around 10 Telegram channels, 20 TikTok accounts, a dozen YouTube accounts, and more than 80 scripts on Scribd. And that’s just the tip of the iceberg.

Broadly, the companies do not allow content on their platforms that encourages or promotes criminal behavior. The majority of the Yahoo Boys accounts and groups WIRED identified were removed after we contacted the companies about the groups’ overt existence. Despite these removals, dozens more Yahoo Boys groups and accounts remain online.

“They’re not hiding under different names,” says Kathy Waters, the cofounder and executive director of the nonprofit Advocating Against Romance Scammers, which has tracked the Yahoo Boys for years. Waters says the social media companies are essentially providing the Yahoo Boys with “free office space” to organize and conduct their activities. “They’re selling scripts, selling photos, identifications of people, all online, all on the social media platforms,” she says. “Why these accounts still remain is beyond me.”

The Yahoo Boys aren’t a single, organized group. Instead, they’re a collection of thousands of scammers who work individually or in clusters. Often based in Nigeria, their name comes from formerly targeting users of Yahoo services, with links back to the Nigerian Prince email scams of old. Groups in West Africa can be often organized in various confraternities, which are cultish gangs.

“Yahoo is a set of knowledge that allows you to conduct scams,” says Gary Warner, the director of intelligence at DarkTower and director of the University of Alabama at Birmingham’s Computer Forensics Research Laboratory. While there are different levels of sophistication of Yahoo Boys, Warner says, many simply operate from their phones. “Most of these threat actors are only using one device,” he says.

The Yahoo Boys run dozens of scams—from romance fraud to business email compromise. When making contact with potential victims, they’ll often “bomb” people by sending hundreds of messages to dating app accounts or Facebook profiles. “They will say anything they can in order to get the next dime in their pocket,” Waters says.

Searching for the Yahoo Boys on Facebook brings up two warnings: Both say the results may be linked to fraudulent activity, which isn’t allowed on the website. Clicking through the warnings reveals Yahoo Boy groups with thousands of members—one had more than 70,000.

Within the groups—alongside posts selling SIM cards and albums with hundreds of pictures—many of the scammers push people toward other messaging platforms such as Meta’s WhatsApp or Telegram. Here, the Yahoo Boys are at their most bold. Some groups and channels on the two platforms receive hundreds of posts per day and are part of their wider web of operations.

After WIRED asked Facebook about the 16 groups we identified, the company removed them, and some WhatsApp groups were deactivated. “Scammers use every platform available to them to defraud people and constantly adapt to avoid getting caught,” says Al Tolan, a Meta spokesperson. They did not directly address the accounts that were removed or that they were easy to find. “Purposefully exploiting others for money is against our policies, and we take action when we become aware of it,” Tolan says. “We continue to invest in technology and cooperate with law enforcement so they can prosecute scammers. We also actively share tips on how people can protect themselves, their accounts, and avoid scams.”

Groups on Telegram were removed after WIRED messaged the company’s press office; however, the platform did not respond about why it had removed them.

Across all types of social media, Yahoo Boys scammers share “scripts” that they use to socially manipulate people—these can run to thousands of words long and can be copied and pasted to different victims. Many have been online for years. “I’ve seen some scripts that are 30 and 60 layers deep, before the scammer actually would have to go and think of something else to say,” says Ronnie Tokazowski, the chief fraud fighter at Intelligence for Good, which works with cybercrime victims. “It’s 100 percent how they'll manipulate the people,” Tokazowski says.

Among the many scams, they pretend to be military officers, people offering “hookups,” the FBI, doctors, and people looking for love. One “good morning” script includes around a dozen messages the scammers can send to their targets. “In a world full of deceit and lies, I feel lucky when see the love in your eyes. Good morning,” one says. But things get much darker.

The Yahoo Boys have been behind a recent wave of sextortion across the United States and elsewhere, says Paul Raffile, an intelligence analyst at the Network Contagion Research Institute who is closely tracking the criminals. Broadly speaking, during sextortion, a scammer will use intimate or explicit images to try to get someone to pay them money. “The Yahoo Boys are the principal threat actor behind the surge of sextortion that we’re seeing over the past 18 months,” Raffile says. “They are responsible for forcing dozens of teens to suicide.”

In a series of posts in one Telegram channel, highlighted by Warner, who is also involved in Intelligence for Good, one cybercriminal can be seen walking others through how to run a sextortion scam. They say they tricked people into sharing nude images—posting screenshots of the conversation—and explained ways other people can replicate it. “Hey I am posting your naked pictures on social media and Facebook,” says a sample message cybercriminals could use. “Am not just posting it am sending copies of it to your area,” the message says, before demanding $700.

While the scripts like these are shared on all social media channels, WIRED found at least 80 on the document-sharing service Scribd. The company removed them after WIRED got in touch, with a spokesperson saying there are limits on what people can upload and that the company has automated and manual reviews to remove content. “We’re actively building out new capabilities to broaden the scope of content moderation coverage to include a wider range of concerning text and image violations,” the spokesperson says. Some of the scripts had been online since 2020, and on pages where they were removed a “reading suggestions” section recommended other scam scripts.

Raffile says the Yahoo Boys have been able to “thrive” online “due to lack of moderation around all the illicit material” that they’re sharing. “They’re acting with impunity because they feel they will never get caught,” Raffile says.

Beyond the messaging platforms, the Yahoo Boys have a presence on TikTok and YouTube. “We design our app to be inhospitable to those who seek to exploit our community and we’ve removed this content for violating our policies,” a TikTok spokesperson says.

“Our policies prohibit spam, scams, or other deceptive practices that take advantage of the YouTube community,” a YouTube spokesperson says. “We also prohibit videos that encourage illegal or dangerous activities. As such, we have terminated the flagged channels for violating our policies and our terms of service.” They add that the company removed accounts for breaching policies about harmful content, spam, and generally violating its terms of service.

The accounts posted tutorials about how to scam people, link to groups on messaging apps, and promote technology for fake video calls. On TikTok, multiple accounts include carousels of images that the scammers can use in their efforts to create believable personas. Some of these include posts of elderly women for scammers who are in “need of grandma pictures for proof” of their fake identities and others for scammers who “need kids pics” for their victims.

As well as being a threat to thousands of people around the world, the Yahoo Boys can be quick to adopt new technologies. David Maimon, a professor at Georgia State University and the head of fraud insights at the identity-verification firm SentiLink, has monitored Yahoo Boys for years and says their techniques have evolved alongside new technologies.

“To build rapport with victims, the fraudsters first used text messages, then started sending recorded audio messages, to now using deepfake tools to communicate with victims live,” Maimon says. “On some of the markets we now also see the use of cloned voices. It is now accompanied with sending physical items to victims such as presents, food deliveries, and flowers.” Within some groups, they use “nudification” tools to turn photos of people clothed into nude photos, and deepfake video calls.

While the Yahoo Boys have been active for years, all the experts spoken to for this piece say they should be treated more seriously by social media companies and law enforcement. “It’s time that we start looking at Yahoo Boys as a dangerous organization, transnational organized crime, and start giving it some of those labels,” Raffile says.

Source

Source

In the blog post, Bell stated:

Microsoft plays a central role in the world’s digital ecosystem, and this comes with a critical responsibility to earn and maintain trust. We must and will do more. We are making security our top priority at Microsoft, above all else—over all other features.

This new emphasis on improvements in security comes after a number of recent and high profile breaches by hacker groups. That includes one in the summer of 2023, when a Chinese-based group got access to Outlook email accounts in the US and Europe. In early 2024, a Russia-based group managed to access the email accounts of some of Microsoft's top executives. That incident later caused the group to get a hold of some of Microsoft's source code.

In today's blog post, Bell says its Secure Future Initiative will now cover six specific categories:

• Protect identities and secrets
• Protect tenants and isolate production systems
• Protect networks
• Protect engineering systems
• Monitor and detect threats
• Accelerate response and remediation

Bell says its shift in security priorities has already yielded results. That includes adding support for "automatic enforcement of multifactor authentication" for over one million Entra ID users inside Microsoft. The company has also reduced the use or eliminated 730,000 apps in the company that were out of their support lifecycle or did not conform to the new SFI standard.

Ironically, Microsoft announced earlier this week it was now adding passkey support for all consumer Microsoft accounts in an attempt to improve security.

Source

In a post on the Microsoft Security blog, it announced that all Microsoft consumer accounts now support the use of passkeys. This support will extend to signing into your Microsoft account on Windows, Google, and Apple platforms. It can use biometric methods like your face or fingerprint or a device PIN.

If you have a Microsoft consumer account, you can set up your device for passkey support by going to this website. You can then select how you want to unlock your device: with a passkey PIN, your face, or your fingerprint.

Currently, you can use passkeys to sign into your Microsoft account, including services like Microsoft 365 and Copilot, on desktop and mobile browsers. The company said that passkey sign-in support for Microsoft's mobile apps will be added sometime in the coming weeks. You can learn more about this new security measure on Microsoft's support site.

In another post on the Microsoft Entra blog, the company revealed that it is also adding support for device-bound passkeys in the Microsoft Authenticator iOS and Android apps as a public preview for business customers. The blog stated:

Instead of provisioning separate devices, high-security organizations can now configure Entra ID to let employees sign-in using their existing phone and their device-bound passkey. Users get a familiar phone interface, including biometrics or local lockscreen PIN or password, while their organizations meet strict security requirements because users can’t sync, share, or recover any device-bound passkey hosted in Microsoft Authenticator.

It will be interesting to see how quickly passkey support will be adopted by Microsoft account holders.

Editors note: Initially this article was published claiming that today was "World Passport Day" in the headline and article body; neither the author or editor saw this mistake until two hours after the article went online, we apologize for the mistake.

Source

You're welcome

Microsoft confirmed on Tuesday that its April 2024 Windows update may cause VPN connections to fail. The company wrote in its health dashboard that Windows devices with the KB5036893 update, released on April 9, or the April 2024 nonsecurity preview update, "might face VPN connection failures," adding that it is working on a resolution, which will be rolled out in a future release.

The issue affects various Windows 11 and Windows 10 versions, specifically Windows 11 version 23H2, Windows 11 version 22H2, Windows 11 version 21H2, Windows 10 version 22H2 and Windows 10 version 21H2, according to Microsoft.

The company did not provide additional information regarding the cause of the VPN connection issue or its potential scope. However, if you’re a VPN user and have the update installed on your Windows device running one of the affected software versions, you should assume that your VPN connections could be at risk. 

In this case, you can attempt to uninstall the Windows update. But keep in mind that security updates are rolled out for a reason. Uninstalling a security update could put you at even more risk by leaving your device vulnerable to security gaps that were patched by the latest update. You should only uninstall the update if it's rendering your VPN unusable and you’re aware of the risks associated with uninstalling a security update.

The other option is to make sure that your VPN’s kill switch is enabled and working properly. A kill switch cuts your internet if your VPN connection drops for any reason, ensuring that none of your online traffic is exposed outside of the encrypted VPN tunnel. A kill switch is an essential VPN privacy feature that all of CNET’s recommended VPNs include, and can help protect your data in case the latest Windows update is affecting the stability of your VPN connection.  

https://www.cnet.com/tech/services-and-software/latest-windows-11-security-update-might-break-your-vpn-microsoft-confirms/

The company made these changes to the Mobile Vulnerability Rewards Program (Mobile VRP) and they apply to what it describes as Tier 1 applications.

The list of in-scope apps includes Google Play Services, the Android Google Search app (AGSA), Google Cloud, and Gmail.

Google now also wants security researchers to focus on flaws that could lead to sensitive data theft and will now pay them $75,000 for exploits that don't require user interaction and can be used remotely.

For exceptional quality reports that include a proposed patch or effective mitigation and a root cause analysis to help find other issue variants, the company will pay 1.5x the total reward amount, allowing researchers to earn up to $450,000 for an RCE exploit in a Tier 1 Android app.

However, they'll get half the reward for low-quality bug reports that don't provide:

• Accurate and detailed descriptions,
• A proof-of-concept exploit,
• Easy steps to reproduce the vulnerability reliably,
• A clear demonstration of the bug's impact.

"Some additional, smaller changes were also made to our rules. For example, the 2x modifier for SDKs is now baked into the regular rewards. This should increase overall rewards, and will make panel decisions easier," Google information security engineer Kristoffer Blasiak said.

Google introduced the Mobile VRP last May to pay security researchers for vulnerabilities in the company's Android applications.

The bug bounty program's main goal was to speed up the process of discovering and fixing security weaknesses in first-party Android apps maintained or developed by Google.

"The Mobile VRP launched in May 2023, and after one year, it's time to take a look back at what we've achieved," Blasiak added.

"Most importantly, we received over 40 valid security bug reports, nearing $100,000 in rewards paid to security researchers."

Source

What you need to know

• Microsoft recently released its earnings report for FY24 Q3.
• The company CEO Satya Nadella also disclosed security remains a top priority for the tech firm and will be doubling down on its efforts there.
• The tech giant has suffered two major security breaches this year.

Microsoft just released its impressive earnings report for FY24 Q3 with a 17% increase in revenue and more. The company attributes the leap forward to its AI advances and Copilot. Its AI efforts also contributed to Bing surpassing over 140 million daily active users.

The tech giant is arguably one of the biggest companies providing cloud computing services across government institutions, hospitals, banks, and other large organizations. As such, it has become a preying ground for hackers seeking to access personal data and credentials from unsuspecting users by compromising their systems.

Microsoft CEO Satya Nadella confirmed to analysts that the company will heighten its focus on cybersecurity during the earnings call (via Axios). In the past few months, there's been a growing concern among users and top government users over Microsoft's cascade of security failures and its susceptibility to deceitful ploys by bad actors.

According to the company's CEO:

While details remain slim regarding Microsoft's plans on this front, it's apparent that the company is putting elaborate measures in place to prevent the reoccurrence of such instances in the future while simultaneously keeping hackers at bay.

Is Microsoft untouchable because of its big stake in the cloud computing business?

(Image credit: Windows Central | Image Creator from Designer)

As we speak, Microsoft is under scrutiny by antitrust watchdog regulators for alleged 'anti-competitive' practices in the cloud business. As shared by trade group CISPE in 2022 while lodging its complaints against Microsoft for anti-competitive cloud business practices to the European Union:

This year, Microsoft has faced two major attacks that allowed hackers to access confidential information. The first attack was deployed by a hacker group called Midnight Blizzard onto Microsoft's systems, allowing them to access confidential emails between the company and its clients. 

The second encounter involved the Russian hacker group, Nobelium. Reports indicate the attack was designed to allow the hackers to access emails belonging to top Microsoft executives. 

Microsoft's big stake in the cloud computing business worldwide has led some of its competitors to believe that government institutions are lenient on its not-so-fireproof security systems. This is attributed to the government's overreliance on Microsoft's systems for operations. 

Source

Google started testing the post-quantum secure TLS key encapsulation mechanism in August and has now enabled it in the latest Chrome version for all users.

The new version utilizes the Kyber768 quantum-resistant key agreement algorithm for TLS 1.3 and QUIC connections to protect Chrome TLS traffic against quantum cryptanalysis.

"After several months of experimentation for compatibility and performance impacts, we're launching a hybrid postquantum TLS key exchange to desktop platforms in Chrome 124," the Chrome Security Team explains.

"This protects users' traffic from so-called 'store now decrypt later' attacks, in which a future quantum computer could decrypt encrypted traffic recorded today."

Store now, decrypt later attacks are when attackers collect encrypted data and store it for the future when there may be new decryption methods, such as using quantum computers or encryption keys become available.

To protect against future attacks, companies have already started to add quantum-resistant encryption to their network stack to prevent these types of decryption strategies from working in the future. Some companies that have already introduced quantum-resistant algorithms include Apple, Signal, and Google.

However, as system admins have shared online since Google Chrome 124 and Microsoft Edge 124 started rolling out on desktop platforms last week, some web applications, firewalls, and servers will drop connections after the ClientHello TLS handshake.

The issue also affects security appliances, firewalls, networking middleware, and various network devices from multiple vendors (e.g., Fortinet, SonicWall, Palo Alto Networks, AWS).

"This appears to break the TLS handshake for servers that do not know what to do with the extra data in the client hello message," one admin said.

"Same problem here since version 124 of Edge, it seems to go wrong with the SSL decryption of my palo alto," said another admin.

These errors are not caused by a bug in Google Chrome but instead caused by web servers failing to properly implement Transport Layer Security (TLS) and not being able to handle larger ClientHello messages for post-quantum cryptography.

This causes them to reject connections that use the Kyber768 quantum-resistant key agreement algorithm rather than switching to classic cryptography if they don't support X25519Kyber768.

A website named tldr.fail was created to share additional information on how large post-quantum ClientHello messages can break connections in buggy web servers, with details on how developers can fix the bug.

Website admins can also test their own servers by manually enabling the feature in Google Chrome 124 using the chrome://flags/#enable-tls13-kyber flag. Once enabled, admins can connect to their servers and see if the connection causes an "ERR_CONNECTION_RESET" error.

How to fix connection issues

Affected Google Chrome users can mitigate the issue by going to chrome://flags/#enable-tls13-kyber and disabling the TLS 1.3 hybridized Kyber support in Chrome.

Administrators can also disable it by toggling off the PostQuantumKeyAgreementEnabled enterprise policy under Software > Policies > Google > Chrome or contacting the vendors to get an update for servers or middleboxes on their networks that aren't post-quantum-ready.

Microsoft has also released information on how to control this feature via the Edge group policies.

However, it's important to note that long-term, post-quantum secure ciphers will be required in TLS, and the Chrome enterprise policy allowing disabling it will be removed in the future.

"Devices that do not correctly implement TLS may malfunction when offered the new option. For example, they may disconnect in response to unrecognized options or the resulting larger messages," Google says.

"This policy is a temporary measure and will be removed in future versions of Google Chrome. It may be Enabled to allow you to test for issues, and may be Disabled while issues are being resolved."

Source

As first highlighted by StackDiary and The Register, Spy.pet website has scraped data, including profiles and individual messages of over 620 million Discord users, and is selling them off for payments made in cryptocurrency. Furthermore, Spy.pet was found to be stealing connected social media accounts, including Steam accounts, and offering an 'enterprise option' for anyone looking to train an AI model based on Discord's library of messages.

As noted by 404 media, Discord has banned accounts associated with Spy.pet, which was previously scraping as many as 14,000 Discord servers, bringing the number down to 0 by April 25. Moreover, the Spy.pet site itself is dead.

A Discord representative said, "our Safety team has been diligently investigating this activity, and we identified certain accounts that we believe are affiliated with the Spy.pet website, which we have subsequently banned."

Reportedly, Spy Pet was selling scraped data, which includes messages on the servers, logs of what voice channels were used, join and exit times, etc., for as little as $5. Impacted servers include those of Minecraft, Among Us, and Runescape, as well as cryptocurrency.

A Spy.pet administrator (via a Telegram channel) confirmed to 404 Media, that they are banned from Discord but said that the server counter on the website is showing zero because of a change in Spy.pet's code. They also added that the removal of the website has nothing to do with Discord's action to ban them and the associated bots.

Spy.pet has also denied that they are a 'tool to be used for harassment', despite reportedly offering the scraped content to Kiwi Farms, a website known for stalking, and harassment. As StackDiary notes, Spy.pet's actions were a violation of the European Union's General Data Protection Regulation (GDPR), and the collection and sale of data from minors is a violation of the Children's Online Privacy Protection Act (COPPA) in the US.

Source

Source

Tejas Karia, appearing for WhatsApp, told a Division Bench in New Delhi:

"As a platform, we are saying, if we are told to break encryption, then WhatsApp goes.

 

There is no such rule anywhere else in the world, not even Brazil. We will have to keep a complete chain and we don't know which messages will be asked to be decrypted. It means millions and millions of messages will have to be stored for a number of years".

Karia added that people use WhatsApp for the privacy feature it offers, and the service has more than 400 million users in India, which also makes the country the largest market for the platform.

The Meta-owned company challenges the Information Technology Rules of 2021 in India (PDF, via LiveLaw.in), which mandate tracing chats and identifying message originators for security reasons, such as curbing the spread of fake news. WhatsApp says that this weakens encryption and infringes on user privacy rights under the Indian Constitution.

Since then, WhatsApp has also published an explainer that highlights how the demand for message traceability, without explicitly naming the Indian government, violates human rights.

The IT Rules, 2021 were introduced by the Central Government of India to govern social media intermediaries and digital media platforms. These rules stem from section 87 of the Information Technology Act, 2000, and aim to place obligations on intermediaries to ensure an open, safe, and trusted internet in India.

The rules require intermediaries, like WhatsApp, to inform users of platform rules, prevent prohibited content, appoint compliance officers, establish grievance redressal mechanisms, and identify the originators of information. However, critics argue that these rules could potentially infringe on free speech by imposing restrictions on content removal, lack clarity on the definition of intermediaries, and raise issues regarding the calculation of user numbers.

Organizations like the Internet Freedom Foundation (IFF) have also raised concerns that the rules significantly undermine privacy rights in the country and interfere with the right to freedom of speech and expression.

Via The Times of India

Source

Source