<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/51/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Watch out for "I can't believe he is gone" Facebook phishing posts</title><link>https://nsaneforums.com/news/security-privacy-news/watch-out-for-i-cant-believe-he-is-gone-facebook-phishing-posts-r21330/</link><description><![CDATA[<p>
	A widespread Facebook phishing campaign stating, "I can't believe he is gone. I'm gonna miss him so much," leads unsuspecting users to a website that steals your Facebook credentials.
</p>


<p>
	This phishing attack is ongoing and widely spread on Facebook through friends' hacked accounts, as the threat actors build a massive army of stolen accounts for use in further scams on the social media platform.
</p>


<p>
	As the posts come from your friends' hacked accounts, they look more convincing and trustworthy, leading many to fall for the scam.
</p>


<p>
	The phishing campaign started around a year ago, with Facebook having trouble blocking the posts as they continue to this day. However, when new posts are created and reported, Facebook deactivates the Facebook.com redirect link in the post so that they no longer work.
</p>

<h2>
	"I can't believe he is gone" scam
</h2>

<p>
	The Facebook phishing posts come in two forms, with one simply stating, "I can't believe he is gone. I'm gonna miss him so much," and containing a Facebook redirect link.
</p>


<p>
	The other uses the same text but shows what appears to be a BBC News video of a car accident or other crime scene, as shown below.
</p>


<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="phishing-posts.jpg" class="ipsImage" data-ratio="75.10" height="540" width="555" src="https://www.bleepstatic.com/images/news/security/phishing/f/facebook/gonna-miss-him/phishing-posts.jpg">
	</p>

	<div style="text-align: left;">
		<em>Facebook "I'm gonna miss him so much" phishing posts. Source: BleepingComputer</em>
	</div>

</div>

<p>
	When BleepingComputer tested the links in the phishing posts, they led to different sites depending on the type of device used to open them.
</p>


<p>
	Clicking on the link from the Facebook app on a mobile device will bring visitors to a fake news site called 'NewsAmericaVideos' that prompts them to enter their Facebook credentials to confirm their identity and watch the video.
</p>


<p>
	To entice a visitor to enter their password, they show what appears to be a blurred-out video in the background, which is simply an image downloaded from Discord.
</p>


<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="phishing-page.jpg" class="ipsImage" data-ratio="90.15" height="540" width="269" src="https://www.bleepstatic.com/images/news/security/phishing/f/facebook/gonna-miss-him/phishing-page.jpg">
	</p>

	<div style="text-align: left;">
		<em>Facebook phishing page. Source: BleepingComputer</em>
	</div>

</div>

<p>
	If you enter your Facebook credentials, the threat actors will steal them, and the site will redirect you to Google.
</p>


<p>
	While it is not known what the stolen credentials are used for, the threat actors likely use them to further promote the same phishing posts through the hacked accounts.
</p>


<p>
	Visiting the phishing pages from a desktop computer causes a different behavior, with the phishing sites redirecting users to Google or other scams promoting VPN apps, browser extensions, or affiliate sites.
</p>


<p>
	This phishing scam is widely spread, with BleepingComputer seeing numerous posts created each day by friends and family who unwittingly had their accounts hacked through the same scam.
</p>


<p>
	As this phishing attack does not attempt to steal two-factor authentication (2FA) tokens, it is strongly advised that Facebook users <a href="https://www.facebook.com/help/messenger-app/148233965247823" rel="external nofollow" target="_blank">enable 2FA</a> to prevent their accounts from being accessed if they fall for a phishing scam.
</p>


<p>
	Once enabled, Facebook will prompt you to enter a unique one-time passcode each time your credentials are used to log in to the site from an unknown location. As only you have access to these codes, the attackers cannot log in even if your credentials are stolen.
</p>


<p>
	For the best security, when enabling two-factor authentication on Facebook, use an authentication app rather than SMS texts, as your phone number can be stolen in <a href="https://www.bleepingcomputer.com/news/security/fcc-adopts-new-rules-to-protect-consumers-from-sim-swapping-attacks/" target="_blank" rel="external nofollow">SIM swapping attacks</a>.
</p>


<p>
	<em>Update 1/21/24: Article updated to clarify this phishing campaign started a year ago.</em>
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/watch-out-for-i-cant-believe-he-is-gone-facebook-phishing-posts/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21330</guid><pubDate>Mon, 22 Jan 2024 03:47:18 +0000</pubDate></item><item><title>Google ends support for less secure passwords in third-party apps (workaround)</title><link>https://nsaneforums.com/news/security-privacy-news/google-ends-support-for-less-secure-passwords-in-third-party-apps-workaround-r21318/</link><description><![CDATA[<p>
	If you use an application or service that requires a Google username and password, then you may not be able to use it anymore after September 30, 2024. This may impact third-party app access to Google, e.g. in email clients or Calendar apps.
</p>


<p>
	There is an option that Google suggests and another that still works, so read on to find out all about the change and how to deal with it.
</p>


<p>
	Google <a data-wpel-link="external" href="https://workspaceupdates.googleblog.com/2023/09/winding-down-google-sync-and-less-secure-apps-support.html" rel="external nofollow" target="_blank">announced</a> that it is ending support for Less Secure Apps. This authentication method may be used by apps to integrate a Google account. Basic examples include email clients that accept the Google username and password, or Calendar apps that integrate the Google Calendar after authentication.
</p>


<p>
	Google planned to introduce the change in 2020 already but postponed it because of the "impact of COVID-19".
</p>


<p>
	The company is dropping support for Less Secure Apps, but that does not mean that third-party apps and services can't be used anymore. Google supports OAuth for authentication. If affected apps and services do support OAuth as well, users may switch to this authentication method to continue using their Google account.
</p>


<p>
	The email client Thunderbird, for instance, switched to <a data-wpel-link="internal" href="https://www.ghacks.net/2022/04/06/thunderbird-91-8-0-makes-important-changes-to-google-mail-accounts/" rel="external nofollow">OAuth authentication for Google Mail (Gmail) accounts</a> back in 2022. Users were either <a data-wpel-link="external" href="https://support.mozilla.org/en-US/kb/automatic-conversion-google-mail-accounts-oauth20" rel="external nofollow" target="_blank">migrated automatically</a> or asked to complete the authentication process to regain access to their Gmail account in the email client.
</p>


<p>
	One downside of using OAuth in Thunderbird is that it requires cookies to store the token on the user's device. This led to issues if cookies were not enabled in Thunderbird. Google is also ending support for Google Sync.
</p>

<h2>
	The advantages of OAuth
</h2>

<p>
	OAuth is an open standard authorization protocol. One of its main benefits compared to traditional username and password access is that it can grant access without handing the password over to third parties.
</p>


<p>
	With username and password authentication, you'd have to share the password with the app or service. With OAuth, you still have to authenticate your account, but you do that with the first party.
</p>


<p>
	You tell Google, or any other company that supports OAuth, that you want to give a specific app or service access to your data. Authentication happens with Google in that case and the third-party app or service gets just an authentication token in the process.
</p>


<p>
	The use of Less Secure Apps authentication makes it easier for bad actors to gain unauthorized access to user accounts.
</p>

<h2>
	The disadvantages
</h2>

<p>
	The disabling of Less Secure Apps support at Google impacts all Google customers who still use the authentication method.
</p>


<p>
	Google lists email clients, calendar and contacts applications that may still support Less Secure Apps or do not support OAuth.
</p>


<p>
	This is the case for Outlook 2016 or earlier versions. Google suggests moving to Microsoft 365, a subscription-based service that gives access to the latest Outlook version. Another suggestion is to switch to the "new" Outlook for Windows or Mac, which also supports OAuth.
</p>


<p>
	The <a data-wpel-link="internal" href="https://www.ghacks.net/2023/06/17/say-goodbye-to-windows-mail-and-calendar-app-and-welcome-the-new-outlook-for-windows/" rel="external nofollow">new Outlook replaces Mail and Calendar</a> on Windows. It has been criticized recently for <a data-wpel-link="internal" href="https://www.ghacks.net/2024/01/12/proton-mail-says-that-the-new-outlook-app-for-windows-is-microsofts-new-data-collection-service/" rel="external nofollow">sharing data with data collection services</a> and, in some cases, giving <a data-wpel-link="internal" href="https://www.ghacks.net/2023/11/10/the-new-outlook-may-give-microsoft-access-to-third-party-emails-and-logins/" rel="external nofollow">Microsoft access to third-party emails and logins</a>.
</p>


<p>
	Any app that does not support OAuth won't provide access to Google account data anymore after the end of support. Some apps and services support both methods, and it may only be a matter of switching to OAuth to regain access.
</p>


<p>
	<strong>App Passwords and Timeline</strong>
</p>


<p>
	Google will end support for Less Secure Apps on September 30, 2024. On this day and in the weeks that follow, impacted Google customers will notice that they can't access their accounts and data anymore in third-party apps.
</p>


<p>
	Most may be able to switch to using OAuth, but some may not. It appears that app passwords continue to work.
</p>


<p>
	Google customers may create <a data-wpel-link="external" href="https://support.google.com/accounts/answer/185833?hl=en/" rel="external nofollow" target="_blank">app passwords</a> for use in third-party apps. An app password is always a 16-digit password that gives an app, service or device access to a Google account. App passwords require that 2-step verification is enabled for the Google account.
</p>


<p>
	You may create app passwords in the following way:
</p>


<ol>
	<li>
		Sign in to the <a data-wpel-link="external" href="https://myaccount.google.com/" rel="external nofollow" target="_blank">Google Account</a>.
	</li>
	<li>
		Switch to Security.
	</li>
	<li>
		Select 2-step verification under "Signing in to Google".
	</li>
	<li>
		Find and select App passwords at the bottom of the page.
	</li>
	<li>
		Type a name to help with identification of the password.
	</li>
	<li>
		Select Generate.
	</li>
	<li>
		Follow the instructions.
	</li>
	<li>
		Select Done.
	</li>
</ol>


<p>
	You may now use the app passwords in third-party apps for authentication and linking of the Google account.
</p>


<p>
	To sum it up: Google customers who connect third-party apps or services to their account may use either OAuth or app passwords to do so.
</p>


<p>
	<strong>Now You</strong>: do you use third-party apps with your Google account?
</p>


<div id="div-gpt-ad-1524862513262-0">
	 
</div>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2024/01/20/google-ends-support-for-less-secure-passwords-in-third-party-apps-workaround/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21318</guid><pubDate>Sat, 20 Jan 2024 17:40:06 +0000</pubDate></item><item><title>Experts think they've found a great new way to see if your iPhone is infected with malware iOS spyware remains a prominent threat, but Kaspersky has a new solution</title><link>https://nsaneforums.com/news/security-privacy-news/experts-think-theyve-found-a-great-new-way-to-see-if-your-iphone-is-infected-with-malware-ios-spyware-remains-a-prominent-threat-but-kaspersky-has-a-new-solution-r21314/</link><description><![CDATA[<p>
	<span style="font-size:22px;">iOS spyware remains a prominent threat, but Kaspersky has a new solution</span>
</p>


<p>
	Top antivirus company Kaspersky has released Python scripts to automate the analysis of Shutdown.log, an Apple iOS system log file that covers device activity during a reboot, in an effort to curb spyware on the world’s most popular mobile platform.
</p>


<p>
	Per an announcement on its Securelist blog aimed at security researchers, the collection of scripts known as iShutdown, available now on GitHub, avoids any byzantine technical solution, such as attempting to access encrypted backups, in favour of the relatively easily accessible Shutdown.log file.
</p>


<p>
	Spyware, a specific form of malware that seeks to send sensitive and private user data, as well as device activity, to unknown assailants, should be of great concern to employers who issue Apple iPhones to employees as corporate phones. As such, sysadmins would also be wise to take an interest in the iShutdown scripts in order to identify device intrusions.
</p>


<p>
	<span style="font-size:22px;"><strong>iShutdown scripts in detail</strong></span>
</p>

<p>
	There are three scripts in the package, designed to find and access data inside the Shutdown.log file, which is itself stored within ‘Sysdiagnose.tar’.
</p>


<p>
	That many scripts appear to be necessary to search for the .log file inside the archive, extract it, and then go on to extract reboot data from it. The good news is that, despite this being an iterative, multi-script process written in Python, you could use Python to automate that, too.
</p>


<p>
	Despite being freely available on GitHub, the tools are geared towards security researchers, meaning that the output of the scripts could be impenetrable to those who aren’t sure of what they’re looking for. We doubt this will be a huge problem, as this is a very niche bit of news, unlikely to pique the interest of anyone who doesn’t already know what a Python interpreter is.
</p>


<p>
	For those who do know what they’re doing, the main caveat will be that, because the iShutdown scripts retrieve reboot data, this will probably require quite a lot of rebooting. Enough that Kaspersky is being deliberately evasive on the point, preferring in the announcement to “leave this as an open-ended question”, depending on the user’s “threat profile”.
</p>


<p>
	Even with all this, security researchers’ lives are about to get easier. The obvious potential caveat with this kind of ‘it just works’ solution is that spyware developers already know, now, where these scripts are checking for aberrations in logs. 
</p>


<p>
	iShutdown will likely cause some disruption for black-hat developers, such as those responsible for the notorious Pegasus spyware package, but it will likely just mean that the cat-and-mouse game of detecting spyware, then seeing it evade detection, on repeat forever, will intensify.
</p>


<p>
	<strong><a href="https://www.techradar.com/pro/experts-think-theyve-found-a-great-new-way-to-see-if-your-iphone-is-infected-with-malware-ios-spyware-remains-a-prominent-threat-but-kaspersky-has-a-new-solution" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">21314</guid><pubDate>Sat, 20 Jan 2024 16:06:22 +0000</pubDate></item><item><title>Microsoft says a Russian intelligence group got access to emails from its top executives</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-says-a-russian-intelligence-group-got-access-to-emails-from-its-top-executives-r21312/</link><description><![CDATA[<p>
	Microsoft has announced that a hacker group sponsored by Russia got access to a number of email accounts belonging to some of the company's executives. The company first announced this attack as part of a regulatory filing today (via CNBC).
</p>


<p>
	More details about the attack were posted on the Microsoft Security Response Center Blog. It states that back in November 2023, the hacker group, which is known by the names Nobelium and Midnight Blizzard, "used a password spray attack to compromise a legacy non-production test tenant account." This cyberattack successfully gained access to a number of corporate email accounts.
</p>


<p>
	Microsoft says the email accounts were used by "members of our senior leadership team and employees in our cybersecurity, legal, and other functions." The group also "exfiltrated some emails and attached documents."
</p>


<p>
	The company says it only detected this attack last week, on January 12. It took steps to "mitigate the attack, and deny the threat actor further access." Microsoft added:
</p>


<p style="margin-left:40px;">
	<em>The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.</em>
</p>


<p>
	In November, Microsoft announced a new effort to improve its digital security after Chinese hackers gained access to Outlook-based government email accounts in the US and Europe. The Secure Future Initiative would use new and improved methods to detect cyber threats more quickly, including the use of AI-based measures.
</p>


<p>
	Today, Microsoft said that this new attack by Nobelium-Midnight Blizzard on its own systems "has highlighted the urgent need to move even faster." It added:
</p>


<p style="margin-left:40px;">
	<em>We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.</em>
</p>


<p>
	The company also said it would work with law enforcement authorities and regulators as it continues its investigation into this cyberattack and will offer up more details "as appropriate."
</p>


<p>
	<strong><a href="https://www.neowin.net/news/microsoft-says-a-russian-intelligence-group-got-access-to-emails-from-its-top-executives/" rel="external nofollow">Source</a></strong>
</p>


<p>
	<em>Also:  <a href="https://techcrunch.com/2024/01/19/hackers-breached-microsoft-to-find-out-what-microsoft-knows-about-them/" rel="external nofollow">Hackers breached Microsoft to find out what Microsoft knows about them.</a></em>
</p>
]]></description><guid isPermaLink="false">21312</guid><pubDate>Sat, 20 Jan 2024 15:51:35 +0000</pubDate></item><item><title>How to watch age-restricted content on YouTube without signing in to your Google account</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-watch-age-restricted-content-on-youtube-without-signing-in-to-your-google-account-r21302/</link><description><![CDATA[<p>
	Do you use YouTube without signing in to your account? Have you ever come across an age-restricted video that prompts you to log in to watch the content? We have some workarounds for this annoyance.
</p>


<p>
	Videos on YouTube can have age-restrictions based on the content in the media, e.g. violence, nudity, disturbing images, profanity, etc., which are not appropriate for kids. Martin has a <a data-wpel-link="internal" href="https://www.ghacks.net/2017/11/11/how-to-access-age-restricted-content-on-youtube/" rel="external nofollow" target="_blank">tutorial</a> that shows you how to access age-restricted content on YouTube, but it requires you to sign in to your Google account. I'm going to show you a few ways to bypass these restrictions without using a Google account.
</p>


<p>
	Ever since Google started showing <a data-wpel-link="internal" href="https://www.ghacks.net/2023/11/01/youtube-confirms-it-has-launched-a-global-effort-to-crack-down-on-ad-blockers/" rel="external nofollow" target="_blank">anti-ad-block banners</a> on YouTube, I've been using the streaming service without signing in to my account. I created a separate container for YouTube on Firefox, and have been using it ever since. I reset my PC recently, and lost some settings that I had saved in some applications, including some customizations and tweaks that I had applied to the browser. Today, I opened YouTube to watch the <a data-wpel-link="external" href="https://www.youtube.com/watch?v=ELFSdlFmDNI" rel="external nofollow" target="_blank">Developer Direct 2024</a> video that was streamed last night, to see the new games that were announced at the Xbox showcase event. But YouTube asked me to sign in to my account, because it is an age-restricted video.
</p>


<p>
	<img alt="Sign-in-to-confirm-your-age-YouTube.jpg" class="ipsImage" data-ratio="75.10" height="505" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/01/Sign-in-to-confirm-your-age-YouTube.jpg">
</p>


<p>
	Yeah, I'm not doing that. That's when I remembered I had forgotten to set up some userscripts in Violentmonkey, a userscript manager extension for browsers.
</p>

<div class="rvloader-container mb--10" id="td-incontent-1517084060171">
	<script class="rvloader">!function(){var t="td-incontent-"+Math.floor(Math.random()*Date.now()),e=document.getElementsByClassName("rvloader"),n=e[e.length-1].parentNode;undefined==n.getAttribute("id")&&(n.setAttribute("id",t),revamp.displaySlots([t]))}();</script>
</div>

<h2>
	<strong>How to watch age-restricted content on YouTube without signing in to your Google account</strong>
</h2>

<h3>
	<strong>First method - With a userscript</strong>
</h3>

<p>
	The first method involves using a userscript called Simple YouTube Age Restriction Bypass. Here's how to install it in Firefox and Chrome.
</p>


<p>
	1. Install one of the following extensions: Violentmonkey (<a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/violentmonkey/" rel="external nofollow" target="_blank">Firefox</a>, <a data-wpel-link="external" href="https://chromewebstore.google.com/detail/violentmonkey/jinjaccalgkegednnccohejagnlnfdag" rel="external nofollow" target="_blank">Chrome</a>), <a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/" rel="external nofollow" target="_blank">Greasemonkey</a> or <a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/firemonkey/" rel="external nofollow" target="_blank">FireMonkey</a>.
</p>


<p>
	2. Go to the GitHub page for <a data-wpel-link="external" href="https://github.com/zerodytrash/Simple-YouTube-Age-Restriction-Bypass#userscript" rel="external nofollow" target="_blank">Simple YouTube Age Restriction Bypass</a>, and scroll down to the userscript section to get the link for the userscript. Click on it.
</p>


<p>
	<img alt="how-to-Install-Simple-YouTube-Age-Restri" class="ipsImage" data-ratio="64.31" height="390" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/01/how-to-Install-Simple-YouTube-Age-Restriction-Bypass.jpg">
</p>


<p>
	3. Your userscript manager will open a new tab, where you can choose to install the script. Do so.
</p>


<p>
	<img alt="Install-Simple-YouTube-Age-Restriction-B" class="ipsImage" data-ratio="58.33" height="252" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/01/Install-Simple-YouTube-Age-Restriction-Bypass.jpg">
</p>


<p>
	4. That's it, you can now access age-restricted content on YouTube even when you are not signed in to your account.
</p>


<p>
	Warning: Do NOT use Tampermonkey. It is <a data-wpel-link="external" href="https://github.com/Tampermonkey/tampermonkey" rel="external nofollow" target="_blank">closed source</a> (not updated since v2.9 in 2013). I recommend Violentmonkey, Greasemonkey or FireMonkey. All three extensions are open source, but only Violentmonkey is available for both Firefox and Chrome; the other two add-ons are only available for Firefox.
</p>


<p>
	Note: According to the author of the userscript, the script uses a proxy to unlock some video information, but it does not send your personal data to the server (no IP address or account details are sent), only the video ID and some information such as the version of the YouTube website. I cannot access the privacy policy of the proxy's server; it throws an error.
</p>

<h3>
	<strong>Method 2 - Using YouTube clients</strong>
</h3>

<p>
	If you don't want to use the script, there are some alternative ways to watch age-restricted videos: via Piped, FreeTube, Invidious or NewPipe.
</p>


<p>
	<a data-wpel-link="external" href="https://piped.video/" rel="external nofollow" target="_blank">Piped</a> - Piped is a <a data-wpel-link="internal" href="https://www.ghacks.net/2023/10/16/redirect-youtube-videos-in-firefox-to-play-them-without-ads/" rel="external nofollow" target="_blank">privacy-friendly</a> YouTube frontend that you can access via any web browser on any operating system, and watch videos without ads. Simply paste the URL of a YouTube video, or use the search bar to find the video that you want and watch it. It even displays the comments from YouTube. Example: <a href="https://piped.video/watch?v=ELFSdlFmDNI" ipsnoembed="false" rel="external nofollow">https://piped.video/watch?v=ELFSdlFmDNI</a>.
</p>


<p>
	<img alt="Piped-YouTube-front-end-privacy-friendly" class="ipsImage" data-ratio="75.10" height="334" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/01/Piped-YouTube-front-end-privacy-friendly.jpg">
</p>


<p>
	<a data-wpel-link="external" href="https://redirect.invidious.io/" rel="external nofollow" target="_blank">Invidious</a> - It is similar to Piped, but <a data-wpel-link="internal" href="https://www.ghacks.net/2023/06/10/google-is-threating-privacy-friendly-youtube-frontend-invidious/" rel="external nofollow" target="_blank">Invidious</a> has several instances (servers) around the globe. Select a server, paste a URL or search for a video, and the player will unlock the restricted video for you. Example: <a href="https://iv.melmac.space/watch?v=ELFSdlFmDNI" ipsnoembed="false" rel="external nofollow">https://iv.melmac.space/watch?v=ELFSdlFmDNI</a>.
</p>


<p>
	<img alt="Invidious-YouTube-front-end-privacy-frie" class="ipsImage" data-ratio="75.10" height="439" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/01/Invidious-YouTube-front-end-privacy-friendly.jpg">
</p>


<p>
	<a data-wpel-link="external" href="https://freetubeapp.io/" rel="external nofollow" target="_blank">FreeTube</a> - FreeTube is a <a data-wpel-link="internal" href="https://www.ghacks.net/2022/12/01/freetube-is-an-open-source-private-youtube-client/" rel="external nofollow" target="_blank">YouTube app</a> for Windows, macOS and Linux. The open source program blocks ads and sponsored sections on YouTube, and lets you watch age-restricted videos without an account. You can also use the app to download videos.
</p>


<p>
	<img alt="FreeTube-YouTube-client-for-Windows-Linu" class="ipsImage" data-ratio="75.10" height="481" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/01/FreeTube-YouTube-client-for-Windows-Linux-and-macOS.jpg">
</p>


<p>
	<a data-wpel-link="external" href="https://github.com/TeamNewPipe/NewPipe/releases" rel="external nofollow" target="_blank">NewPipe</a> - NewPipe is an open source <a data-wpel-link="internal" href="https://www.ghacks.net/2023/12/31/newpipe-access-live-shorts-and-other-content-on-youtube-and-supported-platforms/" rel="external nofollow" target="_blank">YouTube client for Android</a> devices. It allows you to watch videos without ads, and also removes age-restrictions automatically. The app can be used to download videos or audio content from the streaming service.
</p>


<p>
	<img alt="NewPipe-YouTube-client-for-Android.jpg" class="ipsImage" data-ratio="166.67" height="540" width="243" src="https://www.ghacks.net/wp-content/uploads/2024/01/NewPipe-YouTube-client-for-Android.jpg">
</p>


<p>
	<a data-wpel-link="external" href="https://github.com/yattee/yattee/wiki/Installation-Instructions" rel="external nofollow" target="_blank">Yattee</a> - Yattee is a YouTube client for iOS, iPadOS, macOS and tvOS. Follow the <a data-wpel-link="external" href="https://old.reddit.com/r/Yattee/comments/13d3lj7/how_to_set_up_and_use_yattee_to_watch_youtube/" rel="external nofollow" target="_blank">instructions given here</a> to install the open source app and configure it to work with your iPhone, iPad, Mac or Apple TV. The app is based on Piped.
</p>

<p>
	 
</p>

<p>
	<img alt="Yattee-YouTube-client-for-Android.jpg" class="ipsImage" data-ratio="163.14" height="540" width="249" src="https://www.ghacks.net/wp-content/uploads/2024/01/Yattee-YouTube-client-for-Android.jpg">
</p>

<p>
	 
</p>


<p>
	Note: Add-ons like Skip Redirect may interfere with third-party services like Invidious and open the video on YouTube instead. You can whitelist these sites in the add-on's settings to prevent the issue.
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2024/01/19/how-to-watch-age-restricted-content-on-youtube-without-signing-in-to-your-google-account/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21302</guid><pubDate>Fri, 19 Jan 2024 19:56:21 +0000</pubDate></item><item><title>AdGuard Temp Mail: new temporary email service launched</title><link>https://nsaneforums.com/news/security-privacy-news/adguard-temp-mail-new-temporary-email-service-launched-r21299/</link><description><![CDATA[<p>
	AdGuard, best known for its content blocking solutions, has <a data-wpel-link="external" href="https://adguard.com/en/adguard-temp-mail/overview.html" rel="external nofollow" target="_blank">launched</a> a temporary email service. Temporary email, also known as disposable email, gives Internet users access to email addresses that they may use for a set period only.
</p>

<p>
	 
</p>

<p>
	Advanced temporary email services may give users more control over email addresses, for instance by allowing them to create accounts and link the generated addresses to these accounts, or by supporting multiple domain names or even custom domains.
</p>

<p>
	 
</p>

<p>
	Temporary email services may be used to sign up for services and apps without revealing a personal or work email address. They are ideal for gaining access to sites or apps that you don't fully trust or don't want linked to your personal email address.
</p>

<p>
	 
</p>

<p>
	These services should not be confused with email forwarding services such as <a data-wpel-link="internal" href="https://www.ghacks.net/2020/08/22/firefox-relay-create-email-aliases-to-combat-spam-and-improve-privacy/" rel="external nofollow">Firefox Relay</a>, <a data-wpel-link="internal" href="https://www.ghacks.net/2022/04/09/proton-ag-acquires-simplelogin-email-alias-service/" rel="external nofollow">Simple Login</a>, <a data-wpel-link="internal" href="https://www.ghacks.net/2021/07/20/duckduckgo-is-launching-an-email-protection-service/" rel="external nofollow">Email Protection by DuckDuckGo</a> or <a data-wpel-link="internal" href="https://www.ghacks.net/2019/11/25/a-look-at-the-email-forwarding-service-anonaddy/" rel="external nofollow">AnonAddy</a>. These generate alias addresses that forward all incoming emails to another email address by default.
</p>

<p>
	 
</p>

<p>
	Note that AdGuard Temp Mail is considered Beta at this stage by the developers.
</p>


<h2>
	AdGuard Temp Mail
</h2>

<p>
	AdGuard's Temp Email service keeps email addresses alive for at least 7 days. The service deletes an email address after 7 days of inactivity, where inactivity means the user has not opened the inbox. Opening the inbox resets the timer.
</p>

<p>
	 
</p>

<p>
	Individual emails are kept for 24 hours before they are deleted. Emails may be deleted manually at any time with a click on the trash icon after selecting them on the Temp Email website.
</p>

<p>
	 
</p>

<p>
	<img alt="adguard-temp-mail.png" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/01/adguard-temp-mail.png">
</p>

<p>
	 
</p>

<p>
	Visit the official website of the email generator. You may need to solve a "not a robot" captcha before the temporary email address is revealed on the page. You may receive emails from that moment on. There is no option to send emails from the temporary email address.
</p>

<p>
	 
</p>

<p>
	The page functions as the inbox at the same time. A default email from AdGuard is already in the inbox. It contains instructions and information about the service.
</p>

<p>
	 
</p>


<p>
	The Temp Email page saves a cookie to the system. This cookie is used to remember the generated email address. Clearing the cookies or selecting to generate a new email address on the Temp Email website will remove access to the previously generated email address. You may close the page and reopen it later to access the inbox again, provided that 7 days of inactivity have not passed yet.
</p>

<p>
	 
</p>

<p>
	Using the temporary email address is simple. Use the copy button on the Temp Email website to copy the email address to the Clipboard. You may now use it for sign-ups and other activities that require an email address.
</p>

<p>
	 
</p>

<p>
	Temporary email services may be blocked by services on the Internet. This is especially the case for temporary email providers that use a single domain, as it is easy to blocklist. The majority of Internet sites do not block temporary email addresses, but some do. It is likely that AdGuard's temporary email domain is already on the blocklist of some of these services.
</p>

<p>
	 
</p>

<p>
	The roadmap <a data-wpel-link="external" href="https://adguard.com/en/blog/adguard-temp-mail.html" rel="external nofollow" target="_blank">includes</a> several interesting features. Besides zero-access encryption and SMTP server TLS support, AdGuard plans to proxy images and run security checks on links.
</p>

<p>
	 
</p>

<p>
	Image proxies protect user IP addresses from remote services. Security checks may reveal phishing links or malware, and protect users from these.
</p>


<h2>
	Closing Words
</h2>

<p>
	AdGuard is a respected company. Millions of users use AdGuard's content blocking solutions. The company launched <a data-wpel-link="internal" href="https://www.ghacks.net/2024/01/13/adblocker-for-tv-adguard-is-available-for-android-tv-here-is-how-it-works/" rel="external nofollow">AdGuard for Android TV</a> recently and also maintains its <a data-wpel-link="internal" href="https://www.ghacks.net/2018/12/31/a-look-at-adguard-dns/" rel="external nofollow">secure DNS service</a>.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> do you use temporary email services?
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2024/01/19/adguard-temp-mail-new-temporary-email-service-launched/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21299</guid><pubDate>Fri, 19 Jan 2024 19:37:37 +0000</pubDate></item><item><title>Google search is losing the fight with SEO spam, study says</title><link>https://nsaneforums.com/news/security-privacy-news/google-search-is-losing-the-fight-with-seo-spam-study-says-r21298/</link><description><![CDATA[<h3>
	Study finds "search engines seem to lose the cat-and-mouse game that is SEO spam."
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		It's not just you—Google Search is getting worse. A <a href="https://downloads.webis.de/publications/papers/bevendorff_2024a.pdf" rel="external nofollow">new study</a> from Leipzig University, Bauhaus-University Weimar, and the Center for Scalable Data Analytics and Artificial Intelligence looked at Google search quality for a year and found the company is losing the war against SEO spam.
	</p>

	<p>
		 
	</p>

	<p>
		The study, first spotted by <a href="https://www.404media.co/google-search-really-has-gotten-worse-researchers-find/" rel="external nofollow">404media</a>, "monitored Google, Bing and DuckDuckGo for a year on 7,392 product review queries," using queries like "best headphones" to study search results. The focus was on product review queries because the researchers felt those searches were "particularly vulnerable to affiliate marketing due to its inherent conflict of interest between users, search providers, and content providers."
	</p>

	<p>
		 
	</p>

	<p>
		Overall, the study found that "the majority of high-ranking product reviews in the result pages of commercial search engines (SERPs) use affiliate marketing, and significant amounts are outright SEO product review spam." Search engines occasionally update their ranking algorithms to try to combat spam, but the study found that "search engines seem to lose the cat-and-mouse game that is SEO spam" and that there are "strong correlations between search engine rankings and affiliate marketing, as well as a trend toward simplified, repetitive, and potentially AI-generated content."
	</p>

	<p>
		 
	</p>

	<p>
		The study found "an inverse relationship between a page’s optimization level and its perceived expertise, indicating that SEO may hurt at least subjective page quality." Google and its treatment of pages is the primary force behind what does and doesn't count as SEO, and to say Google's guidelines reduce subjective page quality is a strike against Google's entire ranking algorithm.
	</p>

	<p>
		 
	</p>

	<p>
		The bad news is that it doesn't seem like this will get better any time soon. The study points out generative AI sites one or two times, but that was only in the past year. The elephant in the room is that generative AI is starting to be able to completely automate the processes of SEO spam. Some AI content farms can scan a human-written site, use it for "training data," rewrite it slightly, and then stave off the actual humans with more aggressive SEO tactics. There are already <a href="https://twitter.com/jakezward/status/1728032634037567509" rel="external nofollow">people bragging</a> about doing AI-powered "SEO heists" on X (formerly Twitter). The New York Times is <a href="https://arstechnica.com/tech-policy/2023/12/ny-times-sues-open-ai-microsoft-over-copyright-infringement/" rel="external nofollow">taking OpenAI to court</a> for copyright infringement, and a class-action suit for book publishers calls ChatGPT and LLaMA (Large Language Model Meta AI) "<a href="https://arstechnica.com/information-technology/2023/07/book-authors-sue-openai-and-meta-over-text-used-to-train-ai/" rel="external nofollow">industrial-strength plagiarists</a>." Artists are <a href="https://stablediffusionlitigation.com/" rel="external nofollow">in the same boat</a> from tools like Midjourney and Stable Diffusion. Most websites do not have the legal capacity to take on an infinite wave of automated spam sites enabled by these tools. Google's policy is to <a href="https://developers.google.com/search/blog/2023/02/google-search-and-ai-content" rel="external nofollow">not penalize AI-generated content</a> in its search results.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/gadgets/2024/01/google-search-is-losing-the-fight-with-seo-spam-study-says/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21298</guid><pubDate>Fri, 19 Jan 2024 19:35:30 +0000</pubDate></item><item><title>How a 27-year-old busted the myth of Bitcoin&#x2019;s anonymity</title><link>https://nsaneforums.com/news/security-privacy-news/how-a-27-year-old-busted-the-myth-of-bitcoin%E2%80%99s-anonymity-r21282/</link><description><![CDATA[<h3>
	Once, drug dealers and money launderers saw cryptocurrency as perfectly untraceable.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		<b>JUST OVER A DECADE AGO</b>, <a href="https://www.wired.com/tag/bitcoin/" rel="external nofollow"><i>Bitcoin</i></a><i> appeared to many of its adherents to be the crypto-anarchist holy grail: truly private digital cash for the Internet.</i>
	</p>

	<p>
		 
	</p>

	<p>
		<i>Satoshi Nakamoto, the cryptocurrency’s mysterious and unidentifiable inventor, had stated in an email introducing Bitcoin that “participants can be anonymous.” And the </i><a href="https://www.wired.com/2015/04/silk-road-1/" rel="external nofollow"><i>Silk Road</i></a><i> dark-web drug market seemed like living proof of that potential, enabling the sale of hundreds of millions of dollars in illegal drugs and other contraband for bitcoin while flaunting its impunity from law enforcement.</i>
	</p>

	<p>
		 
	</p>

	<p>
		<i>This is the story of the revelation in late 2013 that Bitcoin was, in fact, the</i> opposite <i>of untraceable—that its blockchain would actually allow researchers, tech companies, and law enforcement to trace and identify users with even more transparency than the existing financial system. That discovery would upend the world of cybercrime. Bitcoin tracing would, over the next few years, solve the mystery of the theft of a half-billion dollar stash of bitcoins from the world’s first crypto exchange, help enable the </i><a href="https://www.wired.com/story/alphabay-series-part-1-the-shadow/" rel="external nofollow"><i>biggest dark-web drug market takedown in history</i></a><i>, lead to the arrest of hundreds of pedophiles around the world in the </i><a href="https://www.wired.com/story/tracers-in-the-dark-welcome-to-video-crypto-anonymity-myth/" rel="external nofollow"><i>bust of the dark web’s largest child sexual abuse video site</i></a><i>, and result in the </i><a href="https://www.wired.com/story/bitcoin-seizure-record-doj-crypto-tracing-monero/" rel="external nofollow"><i>first</i></a><i>-, </i><a href="https://www.wired.com/story/silk-road-bitcoin-seizure-james-zhong/" rel="external nofollow"><i>second</i></a><i>-, and </i><a href="https://www.wired.com/story/feds-seize-billion-stolen-silk-road-bitcoin/" rel="external nofollow"><i>third</i></a><i>-biggest law enforcement monetary seizures in the history of the US Justice Department.</i>
	</p>

	<p>
		 
	</p>

	<p>
		<i>That 180-degree flip in the world’s understanding of cryptocurrency’s privacy properties, and the epic game of cat-and-mouse that followed, is the larger saga that unfolds in the book</i> <a href="https://www.amazon.com/dp/0593315618/?tag=arstech20-20" rel="external nofollow">Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency</a><i>, out this week in paperback.</i>
	</p>

	<p>
		 
	</p>

	<p>
		<i>All of it began with the work of a young, puzzle-loving mathematician named Sarah Meiklejohn, the first researcher to pull out traceable patterns in the apparent noise of Bitcoin’s blockchain. This excerpt from</i> Tracers in the Dark <i>reveals how Meiklejohn came to the discoveries that would launch that new era of crypto criminal justice.</i>
	</p>

	<p>
		 
	</p>

	<p>
		<b>IN EARLY 2013,</b> the shelves of a windowless storage room in a building of the University of California, San Diego, began to fill up with strange, seemingly random objects. A Casio calculator. A pair of alpaca wool socks. A small stack of Magic: The Gathering cards. A <i>Super Mario Bros. 3</i> cartridge for the original Nintendo. A plastic Guy Fawkes mask of the kind popularized by the hacker group Anonymous. An album by the classic rock band Boston on CD.
	</p>

	<p>
		 
	</p>

	<p>
		Periodically, the door would open, the light would turn on, and a petite, dark-haired graduate student named Sarah Meiklejohn would enter the room and add to the growing piles of miscellaneous artifacts. Then Meiklejohn would walk back out the door, down the hall, up the stairs, and into an office she shared with other graduate students at the UC San Diego computer science department. One wall of the room was almost entirely glass, and it looked out onto the sunbaked vista of Sorrento Valley and the rolling hills beyond. But Meiklejohn’s desk faced away from that expanse. She was wholly focused on the screen of her laptop, where she was quickly becoming one of the strangest, most hyperactive Bitcoin users in the world.
	</p>

	<p>
		 
	</p>

	<p>
		Meiklejohn had personally purchased every one of the dozens of items in the bizarre, growing collection in the UCSD closet using bitcoin, buying each one almost at random from a different vendor who accepted the cryptocurrency. And between those ecommerce orders and trips to the storage room, she was performing practically every other task that a person could carry out with bitcoin, all at once, like a kind of cryptocurrency fanatic having a manic episode.
	</p>

	<p>
		 
	</p>

	<p>
		She moved money into and out of 10 different bitcoin wallet services and converted dollars to bitcoins on more than two dozen exchanges such as Bitstamp, Mt. Gox, and Coinbase. She wagered those coins on 13 different online gambling services, with names like Satoshi Dice and Bitcoin Kamikaze. She contributed her computer’s mining power to 11 different mining “pools,” groups that collected users’ computing power for mining bitcoins and then paid them a share of the profits. And, again and again, she moved bitcoins into and then out of accounts on the Silk Road, the first-ever dark-web drug market, without ever actually buying any drugs.
	</p>

	<p>
		 
	</p>

	<p>
		In all, Meiklejohn carried out 344 cryptocurrency transactions over the course of a few weeks. With each one, she carefully noted on a spreadsheet the amount, the Bitcoin address she had used for it, and then, after digging up the transaction on the Bitcoin blockchain and examining the public record of the payment, the address of the recipient or sender.
	</p>

	<p>
		 
	</p>

	<p>
		Meiklejohn’s hundreds of purchases, bets, and seemingly meaningless movements of money were not, in fact, signs of a psychotic break. Each was a tiny experiment, adding up to a study of a kind that had never been attempted before. After years of claims about Bitcoin’s anonymity—or lack thereof—made by its users, its developers, and even its creator, Meiklejohn was finally putting its privacy properties to the test.
	</p>

	<p>
		 
	</p>

	<p>
		All of her meticulous, manual transactions were time-consuming and tedious. But Meiklejohn had time to kill: As she was carrying them out and recording the results, her computer was simultaneously running queries on a massive database stored on a server that she and her fellow UCSD researchers had set up, algorithms that sometimes took as long as 12 hours to spit out results. The database represented the entire Bitcoin blockchain, the roughly 16 million transactions that had occurred across the entire Bitcoin economy since its creation four years earlier. For weeks on end, Meiklejohn combed through those transactions while simultaneously tagging the vendors, services, markets, and other recipients on the other end of her hundreds of test transactions.
	</p>

	<p>
		 
	</p>

	<p>
		When she had started that process of probing the Bitcoin ecosystem, Meiklejohn had seen her work almost as anthropology: What were people doing with bitcoin? How many of them were saving the cryptocurrency versus spending it? But as her initial findings began to unfold, she had started to develop a much more specific goal, one that ran exactly counter to crypto-anarchists’ idealized notion of bitcoin as the ultimate privacy-preserving currency of the dark web: She aimed to prove, beyond any doubt, that bitcoin transactions could very often be traced. Even when the people involved thought they were anonymous.
	</p>

	<p>
		 
	</p>

	<figure class="image shortcode-img full-width" style="width:980px">
		<img alt="collage-980x980.jpg" class="ipsImage" data-ratio="75.10" height="540" width="540" src="https://cdn.arstechnica.net/wp-content/uploads/2024/01/collage-980x980.jpg">
		<figcaption class="caption">
			<div class="caption-text">
				<em>A collage from Meiklejohn’s research paper showing every object she bought with Bitcoin in her tracing experiments.</em>
			</div>

			<div class="caption-credit">
				<em>Sarah Meiklejohn</em>
			</div>
		</figcaption>
	</figure>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		<b>AS MEIKLEJOHN PAINSTAKINGLY</b> fiddled with bitcoins and watched the digital trails they created, she found herself having flashbacks to a particular day, decades earlier, in her mother’s downtown Manhattan office. That morning, Meiklejohn and her mother had taken the subway together, all the way from their Upper West Side apartment near the American Museum of Natural History to the federal building at Foley Square, across from the city’s intimidating, stone-columned courthouses.
	</p>

	<p>
		 
	</p>

	<p>
		Meiklejohn was still in elementary school, but it was take-your-daughter-to-work day, and Meiklejohn’s mother was a federal prosecutor. Over the years that followed, the elder Meiklejohn would make her career taking on contractors who were bilking the city government out of tax dollars—bribing government staffers to choose overpriced school food or street-paving services—or else banks colluding to sell low-performing investments to the city’s financiers. Many of her targets in those corruption probes would be sentenced to years in prison.
	</p>

	<p>
		 
	</p>

	<p>
		That day in the Justice Department’s New York office, Sarah Meiklejohn, not yet 10 years old, was put to work. She was assigned to comb through a pile of paper checks, searching for clues of a corrupt kickback scheme in one of her mother’s investigations.
	</p>

	<p>
		 
	</p>

	<p>
		It was that feeling, the drive to manually assemble tiny data points that built into a larger picture, that would give Meiklejohn a kind of déjà vu 20 years later as she studied the Bitcoin blockchain, even before she consciously knew what she was doing.
	</p>

	<p>
		 
	</p>

	<p>
		“Somewhere in the back of my mind was this idea,” says Meiklejohn, “the idea of following the money.”
	</p>

	<p>
		 
	</p>

	<p>
		As a child, Meiklejohn loved puzzles—the more complex, the better. On road trips, in airports, or any other time the small-for-her-age, hyper-inquisitive girl needed to be distracted, her mother would hand her a book of puzzles. One of the first websites Meiklejohn remembers visiting on the nascent World Wide Web was a GeoCities page devoted to deciphering the <i>Kryptos</i> sculpture on the campus of the CIA, whose copper, ribbonlike surface contained four coded messages that even the cryptanalysts at Langley hadn’t been able to crack. By the age of 14 she would finish the <i>New York Times</i> crossword puzzle every day of the week.
	</p>

	<p>
		 
	</p>

	<p>
		On a vacation to London, Meiklejohn’s family visited the British Museum, and Meiklejohn became fixated on the Rosetta stone, along with the broader notion of ancient languages—the remnants of entire cultures—that could be deciphered if the puzzler simply found the right key. Soon she was reading about Linear A and Linear B, a pair of written scripts used by the Minoan civilization on Crete until roughly 1500 BC. Linear B had been deciphered only in the 1950s, thanks in large part to a classicist at Brooklyn College named Alice Kober who labored in obscurity over samples of the Bronze Age language for 20 years, writing her notes on 180,000 index cards.
	</p>

	<p>
		 
	</p>

	<p>
		Meiklejohn became so obsessed with Linear A and B that she persuaded a teacher at her middle school to organize an evening seminar on the subject (only she and one friend attended). More tantalizing than even the story of Alice Kober’s work on Linear B, for Meiklejohn, was the fact that no one had been able to decipher Linear A, even after a century of study. The best puzzles of all were the ones that had no answer key—the ones for which no one even knew if a solution existed.
	</p>

	<p>
		 
	</p>

	<p>
		When Meiklejohn started college at Brown in 2004, she discovered cryptography. This branch of computer science appealed directly to her puzzle addiction—what was an encryption system, after all, but another secret language demanding to be deciphered?
	</p>

	<p>
		 
	</p>

	<p>
		There was a maxim in cryptography, often referred to as Schneier’s law after the cryptographer Bruce Schneier. It asserted that anyone can develop an encryption system clever enough that they can’t themselves think of a way to break it. Yet, like all the best conundrums and mysteries that had fascinated Meiklejohn since childhood, another person with a different way of approaching a cipher could look at that “unbreakable” system and see a way to crack it and unspool a whole world of decrypted revelations.
	</p>

	<p>
		 
	</p>

	<p>
		Studying the science of ciphers, Meiklejohn began to recognize the importance of privacy and the need for surveillance-resistant communications. She was not quite a cypherpunk: The intellectual appeal of building and breaking codes drove her more than any ideological drive to defeat surveillance. But like many cryptographers, she nonetheless came to believe in the need for truly unbreakable encryption, technologies that could carve out a space for sensitive communications—whether dissidents organizing against a repressive government or whistleblowers sharing secrets with journalists—where no snoop could reach. She credited her intuitive acceptance of that principle to her years as a teenager who kept to herself, trying to maintain her own privacy in a Manhattan apartment, with a federal prosecutor for a mother.
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		<b>MEIKLEJOHN SHOWED REAL</b> talent as a cryptographer and soon became an undergraduate teaching assistant to Anna Lysyanskaya, a brilliant and highly accomplished computer scientist. Lysyanskaya had herself studied under the legendary Ron Rivest, whose name was represented by the R in the RSA algorithm that formed the basis for most modern encryption, used everywhere from web browsers to encrypted email to instant messaging protocols. RSA was one of the few fundamental encryption protocols that had not succumbed to Schneier’s law in more than 30 years.
	</p>

	<p>
		 
	</p>

	<p>
		Lysyanskaya was at the time working on a pre-Bitcoin cryptocurrency called eCash, first developed in the 1990s by David Chaum, a cryptographer whose groundbreaking work on anonymity systems had made possible technologies from VPNs to Tor. After finishing her undergraduate degree, Meiklejohn began a master’s degree at Brown under Lysyanskaya’s wing, researching methods to make Chaum’s eCash, a truly anonymous payment system, more scalable and efficient.
	</p>

	<p>
		 
	</p>

	<p>
		The cryptocurrency scheme they were laboring to optimize was, Meiklejohn admits in hindsight, difficult to imagine working in practice. Unlike Bitcoin, it had a serious problem: An anonymous spender of eCash could essentially forge a coin and pass it off to an unsuspecting recipient. When that recipient deposited the coin at a kind of eCash bank, the bank could perform a check that would reveal the coin to be a forgery and the fraudster’s anonymity protections could be stripped away to reveal the identity of the bad actor. But by then, the fraudster might have already run off with their ill-gotten goods.
	</p>

	<p>
		 
	</p>

	<p>
		Still, eCash had a unique advantage that made it a fascinating system to work on: The anonymity it offered was truly uncrackable. In fact, eCash was based on a mathematical technique called zero-knowledge proofs, which could establish the validity of a payment without the bank or recipient learning anything else at all about the spender or their money. That mathematical sleight of hand meant that eCash was provably secure. Schneier’s law did not apply: No amount of cleverness or computing power would ever be able to undo its anonymity.
	</p>

	<p>
		 
	</p>

	<p>
		When Meiklejohn first heard about Bitcoin in 2011, she had started her PhD studies at UCSD but was spending the summer as a researcher at Microsoft. A friend at the University of Washington had mentioned to her that there was a new digital payment system that people were using to buy drugs on sites like the Silk Road. Meiklejohn had moved on from her eCash studies by then; she was busy with other research—systems that would allow people to pay road tolls without revealing their personal movements, for instance, and a thermal camera technique that revealed PIN codes typed into an ATM by looking for heat remnants on the keypad. So, with heads-down focus, she filed Bitcoin’s existence away in her brain, barely considering it again for the next year.
	</p>

	<p>
		 
	</p>

	<p>
		Then, one day on a UCSD computer science department group hike in late 2012, a young UCSD research scientist named Kirill Levchenko suggested to Meiklejohn that perhaps they should start looking into this burgeoning Bitcoin phenomenon. Levchenko was fascinated, he explained as they trekked around the jagged landscape of the Anza Borrego Desert State Park, by Bitcoin’s unique proof-of-work system. That system demanded that anyone who wanted to mine the currency expend enormous computing resources performing calculations—essentially a vast, automated puzzle-solving competition—whose results were then copied into transactions on the blockchain. By then, ambitious bitcoiners were already developing custom mining microprocessors just for generating this strange new form of money, and Bitcoin’s ingenious system meant that any single bad actor who might want to write a false transaction into the blockchain would have to use a collection of computers that possessed more computational power than all those many thousands of miners. It was a brilliant approach that added up to a secure currency with no central authority.
	</p>

	<p>
		 
	</p>

	<p>
		Considering Bitcoin’s mechanics for the first time, Meiklejohn was intrigued. But when she got home from the hike and began poring over Satoshi Nakamoto’s Bitcoin white paper, it immediately became clear to her that Bitcoin’s trade-offs were the exact opposite of the eCash system she knew so well. Fraud was prevented not by a kind of after-the-fact forgery analysis carried out by a bank authority but with an instantaneous check of the blockchain, the unforgeable public record of who possessed every single bitcoin.
	</p>

	<p>
		 
	</p>

	<p>
		But that blockchain ledger system came at an enormous privacy cost: In Bitcoin, for good and for ill, everyone was a witness to every payment. Yes, identities behind those payments were obscured by pseudonymous addresses, long strings of between 26 and 35 characters. But to Meiklejohn, this seemed like an inherently dangerous sort of fig leaf to hide behind. Unlike eCash, whose privacy protections offered snoops no hint of revealing information to latch onto, Bitcoin offered an enormous collection of data to analyze. Who could say what sorts of patterns might give away users who thought they were cleverer than those watching them?
	</p>

	<p>
		 
	</p>

	<p>
		The temptation was more than Meiklejohn could resist. The blockchain, like a massive, undeciphered corpus of an ancient language, hid a wealth of secrets in plain view.
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		<b>WHEN MEIKLEJOHN BEGAN</b> digging into the blockchain in late 2012, she started with a very simple question: How many people were using bitcoin?
	</p>

	<p>
		 
	</p>

	<p>
		That number was much harder to pin down than it might seem. After downloading the entire blockchain onto a UCSD server and organizing it into a database that she could query, like a gargantuan, searchable spreadsheet, she could see that there were more than 12 million distinct Bitcoin addresses, among which there had been nearly 16 million transactions. But even amid all that activity, there were plenty of recognizable events in Bitcoin’s history visible to the naked eye. Spenders and recipients might have been hidden behind pseudonymous addresses, but some transactions were unmistakable, like distinctive pieces of furniture hidden under thin sheets in someone’s attic.
	</p>

	<p>
		 
	</p>

	<p>
		She could see, for instance, the nearly 1 million bitcoins that were mined by Satoshi in the early days of the cryptocurrency, before others started using it, as well as the first transaction ever made when Satoshi sent 10 coins as a test to the early Bitcoin developer Hal Finney in January 2009. She spotted, too, the first payment with real value, when a programmer named Laszlo Hanyecz famously sold a friend two pizzas for 10,000 bitcoins in May 2010 (as of this writing worth hundreds of millions of dollars).
	</p>

	<p>
		 
	</p>

	<p>
		Plenty of other addresses and transactions had been recognized and widely discussed on forums like Bitcointalk, and Meiklejohn spent hours cutting and pasting long strings of characters into Google to see if someone had already claimed credit for an address or if other Bitcoin users had been gossiping about certain high-value transactions. By the time Meiklejohn began to look, anyone with enough interest and patience to wade through a sea of garbled addresses could see money transfers between mysterious parties just beneath the surface of the blockchain’s obfuscation that, even at the time, were often worth small fortunes.
	</p>

	<p>
		 
	</p>

	<p>
		Getting beyond that obfuscation, however, was the real challenge. Sure, Meiklejohn could see transactions between addresses. But the problem was drilling down further, definitively drawing a boundary around the bitcoin hoard of any single person or organization. A user could have as many addresses as they chose to create with one of the many wallet programs that managed their coins—like a bank that allows you to spread your wealth across as many accounts as you like, creating new ones with a mouse click. Plenty of those programs even automatically generated new addresses every time the user received a bitcoin payment, adding to the confusion.
	</p>

	<p>
		 
	</p>

	<p>
		Still, Meiklejohn was sure that searching for patterns in the mess of transactions would allow her to untangle at least some of them. In Satoshi Nakamoto’s own original white paper, Meiklejohn recalled that he had briefly alluded to a technique that could be used to collapse some addresses into single identities. Often, a single bitcoin transaction has multiple “inputs” from different addresses. If someone wants to pay a friend 10 bitcoins but holds those coins at two different addresses of five coins each, the spender’s wallet software creates a single transaction that lists the two five-coin addresses as inputs and the address receiving 10 coins as the output. To make the payment possible, the payer would need to possess both of the so-called secret keys that allow the five coins at each address to be spent. That means anyone looking at the transaction on the blockchain can reasonably identify both of the input addresses as belonging to the same person or organization.
	</p>

	<p>
		 
	</p>

	<p>
		Satoshi had hinted at the privacy dangers this introduced. “Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner,” Satoshi wrote. “The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.”
	</p>

	<p>
		 
	</p>

	<p>
		So, as Meiklejohn’s first step, she simply tried the technique Satoshi had inadvertently suggested—across every bitcoin payment ever carried out. She scanned her blockchain database for every multi-input transaction, linking all of those double, triple, or even hundredfold inputs to single identities. The result immediately reduced the number of potential Bitcoin users from 12 million to date to around 5 million, slicing away more than half of the problem.
	</p>

	<p>
		 
	</p>

	<p>
		Only after that initial step—practically a freebie—did Meiklejohn switch her brain into true puzzle-solving mode. Like a 20th-century archaeologist scanning hieroglyphics for identifiable words or phrases that might help to decipher a passage of text, she began to hunt through Bitcoin’s transactions for other clues that might reveal identifying information. Messing around with bitcoin wallets—making test payments to herself and her colleagues—she began to understand a quirk of the cryptocurrency. Many bitcoin wallets only allowed spenders to pay the entire amount of coins sitting at a certain address. Each address was like a piggy bank that has to be smashed open to spend the coins inside. Spend less than the whole amount in that piggy bank and the leftovers have to be stored in a newly created piggy bank.
	</p>

	<p>
		 
	</p>

	<p>
		This second piggy bank, in Bitcoin’s system, is called a “change” address: When you pay someone 6 bitcoins from a 10-coin address, 6 coins go to their address. Your change, 4 coins, is stored at a new address, which your wallet software creates for you. The challenge, when looking at that transaction on the blockchain as a sleuthing observer, is that the recipient’s address and the change address are both simply listed as outputs, with no label to tell them apart.
	</p>

	<p>
		 
	</p>

	<p>
		But sometimes, Meiklejohn realized, spotting the difference between the change address and the recipient address was easy: If one address had been used before and the other hadn’t, the second, totally fresh address could only be the change address—a piggy bank that had materialized on the spot to receive leftover coins from the one that had just been shattered. And that meant these two piggy banks—the spender’s address and the change address—must belong to the same person.
	</p>

	<p>
		 
	</p>

	<p>
		Meiklejohn began to apply that change-making lens, looking for instances where she could link spenders and the remainders of their payments. She began to see how powerful the simple act of tracking bitcoin change could be: In instances where she couldn’t distinguish a recipient address from a change address, she would be stuck at a fork in the road with no signposts. But if she could link change addresses to the addresses they had split off from, she could make her own signposts. She could follow the money despite its branching paths.
	</p>

	<p>
		 
	</p>

	<p>
		The result was that Meiklejohn could now link together entire chains of transactions that had previously been unlinked: A single sum of coins would move from change address to change address as the spender paid fractions of the total pile of coins in one small payment after another. The remainder of the pile might move to a fresh address with each payment, but those addresses must all represent the transactions of a single spender.
	</p>

	<p>
		 
	</p>

	<p>
		She’d come to refer to those chains of transactions as “peeling chains” (or sometimes just “peel chains”). She thought of them like someone peeling bills off a roll of dollar bills: Though the roll of bills might be put back in a different pocket after a bill was peeled off and spent, it was still fundamentally one wad of cash with a consistent owner. Following these peeling chains opened avenues to trace the digital money’s movements like never before.
	</p>

	<p>
		 
	</p>

	<p>
		Meiklejohn now had two clever techniques, both of which were capable of linking multiple Bitcoin addresses to a single person or organization, what she came to call “clustering.” What had initially looked like disparate addresses could now be connected into clusters that encompassed hundreds or, in some cases, even thousands of addresses.
	</p>
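The two heuristics described above (multi-input linking and change-address detection) and the peel-chain walk they make possible, as an added Python example that is not code from the article or from Meiklejohn’s paper. The ledger, address labels ("A1", "M1" and so on) and amounts are constructed toy data, and the change rule is the simplified one stated in the text, with the "both outputs fresh" case left unlinked.

```python
"""Address clustering and peel-chain following over a toy ledger.
Added illustration, not code from the article or from the "Fistful of
Bitcoins" paper. All transactions, labels and amounts are constructed;
"A1", "M1" etc. are placeholders, not real Bitcoin addresses."""
from collections import defaultdict

# Constructed ledger in blockchain order: input addresses and (address, amount)
# outputs. Transactions with no inputs stand in for newly mined coins.
SAMPLE_TXS = [
    {"inputs": [], "outputs": [("A1", 5), ("A2", 5)]},           # 0: A1, A2 funded
    {"inputs": [], "outputs": [("M1", 3)]},                       # 1: merchant M1 funded
    {"inputs": ["A1", "A2"], "outputs": [("M1", 6), ("A3", 4)]},  # 2: two inputs, fresh A3
    {"inputs": ["A3"], "outputs": [("M1", 1), ("A4", 3)]},        # 3: fresh A4 is change
    {"inputs": ["A4"], "outputs": [("M2", 2), ("A5", 1)]},        # 4: both fresh: ambiguous
]


class UnionFind:
    """Disjoint sets over address labels; each set is one cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Apply both heuristics in ledger order; return the union-find and the
    (tx index, change address) links made by the change heuristic."""
    uf = UnionFind()
    seen = set()  # addresses that appeared in an earlier transaction
    change_links = []
    for i, tx in enumerate(txs):
        inputs = tx["inputs"]
        outputs = [addr for addr, _ in tx["outputs"]]
        for addr in inputs + outputs:
            uf.find(addr)  # register every address, even singletons
        # Heuristic 1 (multi-input): spending several inputs at once needs all
        # of their keys, so the inputs share an owner.
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
        # Heuristic 2 (change), as stated in the text: of two outputs, the one
        # never seen before is the change and belongs to the spender. Two fresh
        # outputs give no signpost, so no link is made. Real tools add further
        # conditions, since a payee may also hand out a fresh address.
        if inputs and len(outputs) == 2:
            fresh = [addr for addr in outputs if addr not in seen]
            if len(fresh) == 1:
                uf.union(inputs[0], fresh[0])
                change_links.append((i, fresh[0]))
        seen.update(inputs)
        seen.update(outputs)
    return uf, change_links


def clusters(uf):
    """Group every registered address by cluster, sorted for display."""
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return sorted(sorted(group) for group in groups.values())


def peel_chain(txs, uf, start):
    """Follow change outputs forward from `start`. Each hop is (tx index,
    peeled-off payments, change address); the walk stops at a transaction
    with no output in the spender's cluster, recording None for it."""
    hops, current = [], start
    while True:
        idx = next((i for i, tx in enumerate(txs) if current in tx["inputs"]), None)
        if idx is None:
            break
        tx = txs[idx]
        owner = uf.find(tx["inputs"][0])
        change = [a for a, _ in tx["outputs"] if uf.find(a) == owner]
        peeled = [(a, v) for a, v in tx["outputs"] if uf.find(a) != owner]
        if len(change) != 1:
            hops.append((idx, peeled, None))
            break
        hops.append((idx, peeled, change[0]))
        current = change[0]
    return hops


if __name__ == "__main__":
    uf, links = cluster_addresses(SAMPLE_TXS)
    print(clusters(uf), links, peel_chain(SAMPLE_TXS, uf, "A1"))
```

Running it on the toy ledger merges A1 through A4 into one cluster and walks the peel chain from A1 until transaction 4, where two fresh outputs leave the change undetermined.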

	<p>
		 
	</p>

	<p>
		Already, she was tracing bitcoins in ways that many of the cryptocurrency’s users wouldn’t have believed possible. But following coins didn’t necessarily mean understanding who owned them. The identities behind those coins remained a mystery, and each of her clusters remained just as pseudonymous as the single, disconnected addresses had been originally. To put a name to those clusters, she began to realize, she’d have to take a much more hands-on approach: not simply observing the artifacts of the Bitcoin economy after the fact like an archaeologist, but becoming a player in it herself—in some cases, an undercover one.
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		<b>SEARCHING FOR GUIDANCE</b> in her budding Bitcoin research, Meiklejohn turned to Stefan Savage, a UCSD professor who was on the other end of the spectrum from the deeply mathematical cryptography research Meiklejohn had spent years on. Savage was a hands-on, empirical researcher, more interested in real-world experiments with real-world results than abstractions. He had been one of the lead advisers of a now-legendary team of researchers who had first shown it was possible to hack a car over the Internet, demonstrating to General Motors in 2011 that his team could remotely take over a Chevy Impala’s steering and brakes via the cellular radio in its OnStar system, a shocking feat of hacker wizardry.
	</p>

	<p>
		 
	</p>

	<p>
		More recently, Savage had helped lead a group that included Kirill Levchenko—the scientist who’d introduced Meiklejohn to Bitcoin on their desert hike—working on a massively ambitious project to track the spam email ecosystem. In that research, as with the earlier car-hacking breakthrough, Savage’s team hadn’t been afraid to get their hands dirty: They’d collected hundreds of millions of web links in junk marketing emails, mostly ones intended to sell real and fake pharmaceuticals. Then, as Savage describes it, they acted out the role of “the world’s most gullible person,” using bots to click through on every one of those links to see where they led and spending more than $50,000 on the products the spammers were hawking—all while working with a cooperative credit card issuer to trace the funds and see which banks ended up with the money.
	</p>

	<p>
		 
	</p>

	<p>
		Several of those shady banks were ultimately shut down as a result of the researchers’ tracing work. As another UCSD professor working on the project, Geoffrey Voelker, described it at the time, “Our secret weapon is shopping.”
	</p>

	<p>
		 
	</p>

	<p>
		So when Meiklejohn began talking over her Bitcoin tracking project with Savage, the two agreed she should take the same approach: She would manually identify Bitcoin addresses one by one by doing transactions with them herself, like a cop on the narcotics beat carrying out buy-and-busts.
	</p>

	<p>
		 
	</p>

	<p>
		That’s how Meiklejohn found herself in the early weeks of 2013 ordering coffee, cupcakes, trading cards, mugs, baseball hats, silver coins, socks, and a closet’s worth of other truly random objects from online vendors who accepted bitcoin; joining more than a dozen mining collectives; fiendishly gambling bitcoins at every online crypto casino she could find; and moving bitcoins into and out of accounts on practically every existing bitcoin exchange—and the Silk Road—again and again.
	</p>

	<p>
		 
	</p>

	<p>
		The hundreds of addresses Meiklejohn identified and tagged manually with those 344 transactions represented only the tiniest fraction of the overall bitcoin landscape. But when she combined her address tagging with her chaining and clustering techniques, many of those tags suddenly identified not just a single address but an enormous cluster belonging to the same owner. With just a few hundred tags, she had put an identity to more than a million of Bitcoin’s once-pseudonymous addresses.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="chart.png" class="ipsImage" data-ratio="74.48" height="432" width="580" src="https://cdn.arstechnica.net/wp-content/uploads/2024/01/chart.png">
	</p>

	<div>
		<em>A chart from Meiklejohn’s paper showing her “clustering” of Bitcoin addresses for early cryptocurrency entities.</em>
	</div>

	<div>
		<em>Sarah Meiklejohn</em>
	</div>

	<p>
		 
	</p>

	<p>
		With just the 30 addresses she had identified by moving coins into and out of Mt. Gox, for instance, she could now link more than 500,000 addresses to the exchange. And based on just four deposits and seven withdrawals into wallets on the Silk Road, she was able to identify nearly 300,000 of the black market’s addresses. This breakthrough didn’t mean Meiklejohn could identify any actual users of the Silk Road by name, nor could she unmask, of course, the mysterious kingpin of that site, the ultra-libertarian Dread Pirate Roberts. But it would directly contradict <a href="https://www.forbes.com/sites/andygreenberg/2013/08/14/an-interview-with-a-digital-drug-lord-the-silk-roads-dread-pirate-roberts-qa/?sh=4c9bedc15732" rel="external nofollow">DPR’s claims to me</a> that his Bitcoin “tumbler” system could prevent observers from even seeing when users moved cryptocurrency into and out of their Silk Road accounts.
	</p>

	<p>
		 
	</p>

	<p>
		When Meiklejohn brought her results back to Savage, her adviser was impressed. But as they began to plan to publish a paper on her findings, he wanted a concrete demonstration for readers, not a bunch of arcane statistics. “We need to show people,” Meiklejohn remembers him saying, “what these techniques can actually do.”
	</p>

	<p>
		 
	</p>

	<p>
		So Meiklejohn went a step further: She began to look for specific bitcoin transactions she could track—particularly criminal ones.
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		<b>AS MEIKLEJOHN HAD</b> trawled cryptocurrency forums for discussions of interesting addresses worth scrutinizing, one mysterious mountain of money in particular stood out: This single address had, over the course of 2012, accumulated 613,326 bitcoins—5 percent of all the coins in circulation. It represented around $7.5 million at the time, a figure nowhere near the billions it would represent today, but a heady sum nonetheless. Rumors among Bitcoin users suggested that the hoard was possibly a Silk Road wallet, or perhaps the result of an unrelated, notorious Bitcoin Ponzi scheme carried out by a user known as pirate@40.
	</p>

	<p>
		 
	</p>

	<p>
		Meiklejohn couldn’t say which of the two rumors might be correct. But with her clustering techniques, she could now follow that giant sum of cryptocurrency. She saw that after conspicuously gathering at one address, the pile of money had been broken up in late 2012 and sent on forking paths around the blockchain. Meiklejohn’s understanding of peel chains meant she could now trace those sums of hundreds of thousands of bitcoins as they split, distinguishing the amount that remained in the control of the initial owner from the smaller sums that were peeled off in subsequent payments. Eventually, several of those peel chains led to exchanges like Mt. Gox and Bitstamp, where they seemed to be cashed out for traditional currency. For an academic researcher, this was a dead end. But anyone with the subpoena power of law enforcement, Meiklejohn realized, could very likely force those exchanges to hand over information about the accounts behind those transactions and solve the mystery of the $7.5 million stash.
	</p>

	<p>
		 
	</p>

	<p>
		Looking for more coins to hunt, Meiklejohn turned her focus to another sort of dirty money. Large-scale cryptocurrency heists were, in early 2013, a growing epidemic. After all, bitcoin was like cash or gold. Anyone who stole a Bitcoin address’s secret key could empty out that address like a digital safe. Unlike with credit cards or other digital payment systems, there was no overseer who could stop or reverse the money’s movement. That had made every bitcoin business and its stash of crypto revenue a ripe target for hackers, especially if the holders of those funds made the mistake of storing their secret keys on Internet-connected computers—the equivalent of carrying six- or seven-figure sums of cash in their pockets while strolling through a dangerous neighborhood.
	</p>

	<p>
		 
	</p>

	<p>
		Meiklejohn found a thread on Bitcointalk that listed addresses of many of the biggest, most conspicuous crypto thefts in recent memory, and she began to follow the money. Looking at a robbery of 3,171 coins from an early bitcoin gambling site, she immediately found she could trace the stolen funds across no fewer than ten hops, from address to address, before different branches of the money were cashed out at exchanges. Another theft of 18,500 bitcoins from the exchange Bitcoinica similarly led her along a winding series of peel chains that ended at three other exchanges, where the robbers were no doubt cashing in their ill-gotten gains. Sitting in front of Meiklejohn, on her screen, was a bonanza of leads, each just waiting for any actual criminal investigator with a handful of subpoenas to follow them.
	</p>

	<p>
		 
	</p>

	<p>
		Now, when Meiklejohn showed Savage her results, he agreed: They were ready to publish.
	</p>

	<p>
		 
	</p>

	<p>
		In the final draft of the paper Meiklejohn and her coauthors put together, they definitively stated conclusions—based for the first time on solid, empirical evidence—that flew in the face of what many Bitcoin users believed at the time: Far from being untraceable, they wrote, the blockchain was an open book that could identify vast swaths of transactions between people, many of whom thought they were acting anonymously.
	</p>

	<p>
		 
	</p>

	<p>
		“Even our relatively small experiment demonstrates that this approach can shed considerable light on the structure of the Bitcoin economy, how it is used, and those organizations who are party to it,” the paper read. “We demonstrate that an agency with subpoena power would be well placed to identify who is paying money to whom. Indeed, we argue that the increasing dominance of a small number of Bitcoin institutions (most notably services that perform currency exchange), coupled with the public nature of transactions and our ability to label monetary flows to major institutions, ultimately makes Bitcoin unattractive today for high-volume illicit use such as money laundering.”
	</p>

	<p>
		 
	</p>

	<p>
		Having set down those words, and blowing a gaping hole in the myth of Bitcoin’s inherent untraceability, Meiklejohn, Savage, and her other adviser Geoffrey Voelker started brainstorming a clever title. In an homage to the Wild West of the economy they were chronicling—and her advisers’ mutual love of spaghetti Westerns—they started with the phrase “A Fistful of Bitcoins,” an allusion to the 1960s Clint Eastwood classic <i>A Fistful of Dollars</i>. They settled on a subtitle that evoked both Eastwood’s most famous cowboy vigilante and the world of shadowy figures their nascent techniques could unmask. When the UCSD paper hit the Internet in August 2013, it was introduced with a description that, to those involved, had come to seem inevitable: “<a href="https://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf" rel="external nofollow">A Fistful of Bitcoins: Characterizing Payments Among Men with No Names</a>.”
	</p>

	<p>
		 
	</p>

	<p>
		In the new era of cryptocurrency tracing that would follow Meiklejohn’s work, they wouldn’t remain nameless for long.
	</p>

	<p>
		 
	</p>

	<p>
		<i>Adapted from the book</i> <a href="https://www.amazon.com/dp/0593315618/?tag=arstech20-20" rel="external nofollow">Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency</a>.
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/features/2024/01/how-a-27-year-old-busted-the-myth-of-bitcoins-anonymity/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21282</guid><pubDate>Thu, 18 Jan 2024 20:23:06 +0000</pubDate></item><item><title>Researcher uncovers one of the biggest password dumps in recent history</title><link>https://nsaneforums.com/news/security-privacy-news/researcher-uncovers-one-of-the-biggest-password-dumps-in-recent-history-r21268/</link><description><![CDATA[<h3>
	Roughly 25 million of the passwords have never been seen before by a widely used service.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Nearly 71 million unique credentials stolen for logging into websites such as Facebook, Roblox, eBay, and Yahoo have been circulating on the Internet for at least four months, a researcher said Wednesday.
	</p>

	<p>
		 
	</p>

	<p>
		Troy Hunt, operator of the <a href="https://haveibeenpwned.com/" rel="external nofollow">Have I Been Pwned?</a> breach notification service, <a href="https://www.troyhunt.com/inside-the-massive-naz-api-credential-stuffing-list/" rel="external nofollow">said</a> the massive amount of data was posted to a well-known underground market that brokers sales of compromised credentials. Hunt said he often pays little attention to dumps like these because they simply compile and repackage previously published passwords taken in earlier campaigns.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="naz-apo-data-post-640x352.png" class="ipsImage" data-ratio="55.00" height="352" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2024/01/naz-apo-data-post-640x352.png">
	</p>

	<div>
		<em>Post appearing on breach site advertising the availability of naz.api password data.</em>
	</div>

	<h2>
		Not your typical password dump
	</h2>

	<p>
		Some glaring things prevented Hunt from dismissing this one, specifically the contents indicating that nearly 25 million of the passwords had never been leaked before:
	</p>

	<p>
		 
	</p>

	<ol>
		<li aria-level="1">
			319 files totaling 104GB
		</li>
		<li aria-level="1">
			70,840,771 unique email addresses
		</li>
		<li aria-level="1">
			427,308 individual HIBP subscribers impacted
		</li>
		<li aria-level="1">
			65.03 percent of addresses already in HIBP (based on a 1,000 random sample set)
		</li>
	</ol>

	<p>
		 
	</p>

	<p>
		“That last number was the real kicker,” Hunt wrote. “When a third of the email addresses have never been seen before, that's statistically significant. This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data. When you look at the above forum post the data accompanied, the reason why becomes clear: it's from ‘stealer logs’ or in other words, malware that has grabbed credentials from compromised machines.”
	</p>

	<p>
		 
	</p>

	<p>
		A redacted image that Hunt posted showing a small sample of the exposed credentials indicated that account credentials for a variety of sites were swept up. Sites included Facebook, Roblox, Coinbase, Yammer, and Yahoo. In keeping with the claim that the credentials were collected by a “stealer”—malware that runs on a victim’s device and uploads all user names and passwords entered into a login page—the passwords appear in plaintext. Account credentials taken in website breaches are almost always cryptographically hashed. (A sad aside: Most of the exposed credentials are weak and would easily fall to a simple <a href="https://arstechnica.com/information-technology/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/" rel="external nofollow">password dictionary attack</a>.)
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="nas-api-credential-sample-640x356.png" class="ipsImage" data-ratio="55.63" height="356" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2024/01/nas-api-credential-sample-640x356.png">
	</p>

	<div>
		<em>Screenshot showing a sample of 20 credential pairs, with usernames redacted.</em>
	</div>

	<div>
		<em>Have I Been Pwned?</em>
	</div>

	<p>
		 
	</p>

	<p>
		Data collected by Have I Been Pwned indicates this password weakness runs rampant: the 100 million unique passwords the service has amassed have appeared 1.3 billion times.
	</p>

	<p>
		 
	</p>

	<p>
		“To be fair, there are instances of duplicated rows, but there's also a massive prevalence of people using the same password across multiple different services and completely different people using the same password (there are a finite set of dog names and years of birth out there...),” Hunt wrote. “And now more than ever, the impact of this service is absolutely huge!”
	</p>

	<p>
		 
	</p>

	<p>
		Hunt confirmed the authenticity of the dataset by contacting people at some of the listed emails. They confirmed that the credentials listed there were—or at least once were—accurate. For added assurance, Hunt also checked a sample of the credentials to see if the email addresses were associated with accounts on the affected websites. All of them were. Some of Hunt’s users reported that the passwords appeared to be valid as of 2020 or 2021. Whatever the date of the passwords, it stands to reason that unless they’ve been updated, they remain valid. The underground market <a href="https://breachforums.is/Thread-FREE-Full-naz-api-Dataset-Leaked-Download" rel="external nofollow">post</a> advertising the dataset said it came from a breach dubbed naz.api that had been donated to a different site earlier.
	</p>

	<p>
		 
	</p>

	<p>
		Hunt said that a large percentage of the credentials came not from stealer malware as claimed, but from credential stuffing, a form of account-hijacking attack that reuses large numbers of stolen account credentials from previous breaches. Hunt said credential stuffing sources explained how a password he used "pre-2011" landed in the dump.
	</p>

	<p>
		 
	</p>

	<p>
		"Some of this data does not come from malware and has been around for a significant period of time," he wrote. "My own email address, for example, accompanied a password not used for well over a decade and did not accompany a website indicating it was sourced from malware."
	</p>

	<h2>
		Making passwords safe
	</h2>

	<p>
		There are dozens of useful primers online explaining how to properly secure accounts. The two main ingredients to account security are: (1) choosing strong passwords and (2) keeping them out of the sight of prying eyes. This means:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Creating a long, randomly generated password or passphrase. Passwords should be at least 11 characters; passphrases should be at least four words randomly chosen from a dictionary of no fewer than 50,000 entries. <a href="https://bitwarden.com/go/password-management-business-sales/?msclkid=a591fe1c4a9915342db69bb41a862deb" rel="external nofollow">Bitwarden</a>, a free, open-source password manager, is a good choice and a great way for less experienced people to get started. Once a password is created, it should be stored in the password-manager vault.
		</li>
		<li>
			Preventing strong passwords from being compromised. This entails not entering passwords into phishing sites and keeping devices free of malware.
		</li>
		<li>
			Using two-factor authentication, preferably with a security key or authenticator app, whenever possible. This doubly applies to protecting the password manager with 2FA.
		</li>
		<li>
			Better yet, <a href="https://arstechnica.com/information-technology/2023/05/passkeys-may-not-be-for-you-but-they-are-safe-and-easy-heres-why/" rel="external nofollow">use passkeys</a>, a new, industry-wide authentication standard that's immune to theft through stealer apps and credential phishing.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		It’s also a good idea to either create an account with Have I Been Pwned? or periodically enter email addresses into the site search box to check if they appear in any breaches. To prevent abuse of the search, the site doesn’t log entered email addresses, and the breach data it stores contains no passwords linked to those addresses. Have I Been Pwned also accepts a single email address at a time, except in certain cases. You can find more on the service and the security of using it <a href="https://haveibeenpwned.com/FAQs" rel="external nofollow">here</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Have I Been Pwned also allows users to search its database for <a href="https://haveibeenpwned.com/API/v3?ref=troyhunt.com#PwnedPasswords" rel="external nofollow">specific passwords</a>. More about k-anonymity and other measures Hunt uses to prevent password exposure and abuse of his service is <a href="https://haveibeenpwned.com/API/v3?ref=troyhunt.com#PwnedPasswords" rel="external nofollow">here</a>.
	</p>
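How a password can be checked against such a database without the password or its full hash leaving the machine, as an added Python example of the k-anonymity range lookup; this is not HIBP’s own code. The client sends only the first five hex characters of the password’s SHA-1 and matches the remaining suffix locally. The fetch function and the range response are constructed stand-ins for the network call: only the SHA-1 of the sample word "password" is real, the counts and filler suffixes are made up.

```python
"""Client side of a k-anonymity password check in the style of the Have I
Been Pwned range API. Added example, not HIBP's own code. Only the first five
hex characters of the password's SHA-1 are sent; the service answers with
every known suffix under that prefix and a breach count, and the suffix match
happens on the client. The range response below is constructed for offline
use and its counts are not real figures."""
import hashlib

PREFIX_LEN = 5  # hex characters sent to the service (20 bits of a 160-bit hash)


def split_sha1(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of `password`."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines (one per known hash) into a dict."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Look up `password` through `fetch_range(prefix) -> response text`.
    Only the prefix reaches fetch_range; returns the breach count, 0 if absent."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the network call. The suffix for "password"
# (SHA-1 5BAA61E4...68FD8) is real; the counts and other suffixes are made up.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
        "00000000000000000000000000000000001:3",   # constructed filler
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12",  # constructed filler
    ]),
}
REQUESTED_PREFIXES = []  # records what would have gone over the wire


def fake_fetch_range(prefix):
    REQUESTED_PREFIXES.append(prefix)
    return FAKE_RANGES.get(prefix, "")


def check_with_audit(password):
    """Run a lookup and return (count, prefixes sent) so a reviewer can
    confirm nothing longer than PREFIX_LEN characters was transmitted."""
    del REQUESTED_PREFIXES[:]
    count = breach_count(password, fake_fetch_range)
    return count, list(REQUESTED_PREFIXES)


if __name__ == "__main__":
    print(check_with_audit("password"))
```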

	<p>
		 
	</p>

	<p>
		<em>This post has been updated to correct inferences about how Hunt's password ended up in the dataset.</em>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2024/01/71-million-passwords-for-facebook-coinbase-and-others-found-for-sale/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21268</guid><pubDate>Thu, 18 Jan 2024 05:45:23 +0000</pubDate></item><item><title>New UEFI vulnerabilities send firmware devs industry wide scrambling</title><link>https://nsaneforums.com/news/security-privacy-news/new-uefi-vulnerabilities-send-firmware-devs-industry-wide-scrambling-r21257/</link><description><![CDATA[<h3>
	PixieFail is a huge deal for cloud and data centers. For the rest, less so.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		UEFI firmware from five of the leading suppliers contains vulnerabilities that allow attackers with a toehold in a user's network to infect connected devices with malware that runs at the firmware level.
	</p>

	<p>
		 
	</p>

	<p>
		The vulnerabilities, which collectively have been dubbed PixieFail by the researchers who discovered them, pose a threat mostly to public and private data centers and possibly other enterprise settings. People with even minimal access to such a network—say a paying customer, a low-level employee, or an attacker who has already gained limited entry—can exploit the vulnerabilities to infect connected devices with a malicious UEFI.
	</p>

	<p>
		 
	</p>

	<p>
		Short for <a href="https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface" rel="external nofollow">Unified Extensible Firmware Interface</a>, UEFI is the low-level and complex chain of firmware responsible for booting up virtually every modern computer. Because malicious firmware installed this way runs prior to the loading of the main OS, UEFI infections can’t be detected or removed using standard endpoint protections. They also give the attacker unusually broad control of the infected device.
	</p>

	<h2>
		Five vendors, and many a customer, affected
	</h2>

	<p>
		The nine vulnerabilities that comprise PixieFail reside in <a href="https://en.wikipedia.org/wiki/TianoCore_EDK_II" rel="external nofollow">TianoCore EDK II</a>, an open source implementation of the UEFI specification. The implementation is incorporated into offerings from Arm Ltd., Insyde, AMI, Phoenix Technologies, and Microsoft. The flaws reside in functions related to IPv6, the successor to the IPv4 Internet Protocol network address system. They can be exploited in what’s known as the PXE, or Preboot Execution Environment, when it’s configured to use IPv6.
	</p>

	<p>
		 
	</p>

	<p>
		PXE, sometimes colloquially referred to as Pixieboot or netboot, is a mechanism enterprises use to boot up large numbers of devices, which more often than not are servers inside of large data centers. Rather than the OS being stored on the device booting up, PXE stores the image on a central server, known as a boot server. Devices booting up locate the boot server using the <a href="https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol" rel="external nofollow">Dynamic Host Configuration Protocol</a> and then send a request for the OS image.
	</p>

	<p>
		 
	</p>

	<p>
		PXE is designed for ease of use, uniformity, and quality assurance inside data centers and cloud environments. When updating or reconfiguring the OS, admins need to do so only once and then ensure that hundreds or thousands of connected servers run it each time they boot up.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="Network_Protocols_SNP_PXE_BIS-2.png" class="ipsImage" data-ratio="86.82" height="540" width="550" src="https://cdn.arstechnica.net/wp-content/uploads/2024/01/Network_Protocols_SNP_PXE_BIS-2.png">
	</p>

	<div>
		<em>A diagram showing how PXE boot works when using IPv6.</em>
	</div>

	<p>
		 
	</p>

	<p>
		By exploiting the PixieFail vulnerabilities, an attacker can cause servers to download a malicious firmware image rather than the intended one. The malicious image in this scenario will establish a permanent beachhead on the device that’s installed prior to the loading of the OS and any security software that would normally flag infections.
	</p>

	<p>
		 
	</p>

	<p>
		The vulnerabilities and <a href="https://github.com/quarkslab/pixiefail" rel="external nofollow">proof-of-concept code</a> demonstrating the presence of the vulnerabilities were developed by researchers from security firm Quarkslab, which <a href="https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html" rel="external nofollow">published</a> the findings Tuesday.
	</p>

	<p>
		 
	</p>

	<p>
		The network presence required to exploit most of the vulnerabilities is relatively minor. Attackers need not establish their own malicious server or gain high-level privileges. Instead, the attacker only needs the ability to view and capture traffic as it traverses the local network. This kind of access may be possible when someone has a legitimate account with a cloud service or after first exploiting a separate vulnerability that gives limited system rights. With that, the attacker can then exploit PixieFail to plant a UEFI-controlled backdoor in huge fleets of servers.
	</p>

	<p>
		 
	</p>

	<p>
		Quarkslab Chief Research Officer Iván Arce said in an interview:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			An attacker doesn't need to have physical access neither to the client nor the boot server. The attacker just needs to have access to the network where all these systems are running and it needs to have the ability to capture packets and to inject packets or transmit packets. When the client-[based server] boots, the attacker just needs to send the client a malicious packet in the [request] response that will trigger some of these vulns. The only access that the attacker needs is access to the network, not physical access to any of the clients, nor to the boot server or DHCP server. Just capture packets or send packets in the network, where all these servers are running.
		</p>
	</blockquote>

	<p>
		For PixieFail to be exploited, PXE must be turned on. For the overwhelming majority of UEFIs in use, PXE isn’t turned on. PXE is generally used only in data centers and cloud environments for rebooting thousands or tens of thousands of servers. Additionally, PXE must be configured to be used in combination with IPv6 routing.
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		A motley bunch
	</h2>

	<p>
		PixieFail is a motley mix of different vulnerability types, ranging from buffer overflows and integer underflows, both of which allow for remote code execution, to the lack of standard but crucial security practices, such as a properly functioning pseudorandom number generator. There was also a TCP implementation that didn’t follow a basic <a href="https://www.rfc-editor.org/rfc/rfc6528" rel="external nofollow">IETF RFC</a> that has been recommended since 2012. The nine vulnerabilities are:
	</p>

	<p>
		 
	</p>

	<ul>
		<li aria-level="1">
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-45229" rel="external nofollow">CVE-2023-45229</a>: An integer underflow when processing configurations contained in a DHCPv6 Advertise message. The underflow stems from the failure of EDK II—and all the affected UEFIs that rely on it—to perform basic “sanity checking” designed to flag when memory contents are too small. The base score severity rating is 6.5 out of a possible 10.
		</li>
		<li aria-level="1">
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-45230" rel="external nofollow">CVE-2023-45230</a>: A buffer overflow in the DHCPv6 client. This vulnerability also stems from a sanity-checking failure. It can be exploited by choosing an overly long Server ID option during what’s known in PXE as the Solicit/Advertise exchange. Base score 8.3.
		</li>
		<li aria-level="1">
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-45231" rel="external nofollow">CVE-2023-45231</a>: An out-of-bounds read that can occur during the Network Discovery phase. Base score 6.5.
		</li>
		<li aria-level="1">
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-45232" rel="external nofollow">CVE-2023-45232</a>: An infinite loop when parsing unknown options in the Destination Options header. Base score 7.5.
		</li>
		<li aria-level="1">
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-45233" rel="external nofollow">CVE-2023-45233</a>: An infinite loop when parsing a PadN option in the Destination Options header. Base score 7.5.
		</li>
		<li aria-level="1">
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-45234" rel="external nofollow">CVE-2023-45234</a>: A buffer overflow when processing the DNS Servers option in a DHCPv6 Advertise message. Base score 8.3.
		</li>
		<li aria-level="1">
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-45235" rel="external nofollow">CVE-2023-45235</a>: A buffer overflow when handling a Server ID option from a DHCPv6 proxy Advertise message. Base score 8.3.
		</li>
		<li aria-level="1">
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-45236" rel="external nofollow">CVE-2023-45236</a>: Predictable TCP Initial Sequence Numbers. Base score 5.7.
		</li>
		<li aria-level="1">
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-45237" rel="external nofollow">CVE-2023-45237</a>: Use of a weak pseudorandom number generator. Base score 5.3.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		The makers of the affected UEFIs are in the process of getting updates pushed out to customers. From there, those customers are making patches available to their own customers, who usually are end users. AMI confirmed the vulnerability affects its Aptio V line of firmware and said it has made patches available to its customers. AMI provided a public advisory <a href="https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/2024/AMI-SA-2024001.pdf" rel="external nofollow">here</a> and customer-only ones <a href="https://cp.ami.com/Security%20Advisories/Aptio%20V/AMI_Aptio_5.x_0218_NetworkPkg_EDK2.pdf" rel="external nofollow">here</a> and here.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft, meanwhile, issued a statement that said the company was taking “appropriate action” without saying what that was. Microsoft also claimed—in error, Arce said—that exploiting the vulnerability required the attacker to first establish a malicious server on the affected network. Arce says no such requirement exists.
	</p>

	<p>
		 
	</p>

	<p>
		"An attack only needs to be able to send packets on that network," he said. "Also, the proof of concept code which we provided to all vendors, including Microsoft, does not set up any server."
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft didn’t have a response to Arce’s analysis. Microsoft also noted the requirement of using PXE over an IPv6 network.
	</p>

	<p>
		 
	</p>

	<p>
		“As a security best practice, we recommend disabling unused boot capabilities, only using PXE or other protocols on trusted networks, and using TLS over the internet,” Microsoft officials added.
	</p>

	<p>
		 
	</p>

	<p>
		Officials with Arm, Insyde, and Phoenix didn’t respond or didn't have a comment.
	</p>

	<p>
		 
	</p>

	<p>
		As noted, PixieFail isn’t something most people need to worry about. The vulnerabilities, however, are most definitely something that cloud environments and data centers should greatly care about. After all, exploits allow someone with limited network access to suddenly backdoor any server in a network the next time it reboots. Over the course of a matter of weeks, that could lead to an entire fleet of infected machines.
	</p>

	<p>
		 
	</p>

	<p>
		Out of an abundance of caution and in keeping with defense-in-depth principles, all end users should patch the vulnerabilities as well, but the urgency in this case is fairly relaxed. Users generally should look to their device or motherboard maker for an update.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2024/01/new-uefi-vulnerabilities-send-firmware-devs-across-an-entire-ecosystem-scrambling/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21257</guid><pubDate>Wed, 17 Jan 2024 18:18:12 +0000</pubDate></item><item><title>MacOS info-stealers quickly evolve to evade XProtect detection</title><link>https://nsaneforums.com/news/security-privacy-news/macos-info-stealers-quickly-evolve-to-evade-xprotect-detection-r21237/</link><description><![CDATA[<p>
	Multiple information stealers for the macOS platform have demonstrated the capability to evade detection even when security companies track and report on new variants frequently.
</p>

<p>
	 
</p>

<p>
	A report by SentinelOne highlights the problem through three notable malware examples that can evade macOS's built-in anti-malware system, XProtect.
</p>

<p>
	 
</p>

<p>
	XProtect works in the background while scanning downloaded files and apps for known malware signatures.
</p>

<p>
	 
</p>

<p>
	Despite Apple constantly updating the tool's malware database, SentinelOne says info-stealers bypass it almost instantly thanks to the quick response of the malware authors.
</p>

<h2>
	Evading XProtect
</h2>

<p>
	The first example in <a href="https://www.sentinelone.com/blog/the-many-faces-of-undetected-macos-infostealers-keysteal-atomic-cherrypie-continue-to-adapt/" rel="external nofollow" target="_blank">SentinelOne's report</a> is KeySteal, a malware first documented in 2021, which has evolved significantly since then.
</p>

<p>
	 
</p>

<p>
	Currently, it is distributed as an Xcode-built Mach-O binary, named 'UnixProject' or 'ChatGPT,' and attempts to establish persistence and steal Keychain information.
</p>

<p>
	 
</p>

<p>
	Keychain is macOS's native password management system serving as a secure storage for credentials, private keys, certificates, and notes.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="chatgpt.png" class="ipsImage" data-ratio="59.31" height="369" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/InfoStealers/01/chatgpt.png">
	</p>

	<div style="text-align: left;">
		<em>KeySteal masqueraded as a ChatGPT app (SentinelOne)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Apple last updated its signature for KeySteal in February 2023, but the malware has received enough changes since then to pass undetected by XProtect and most AV engines.
</p>

<p>
	 
</p>

<p>
	Its only current weakness is using hardcoded command and control (C2) addresses, but SentinelOne believes it's only a matter of time before KeySteal's creators implement a rotation mechanism.
</p>

<p>
	 
</p>

<p>
	The next malware highlighted as an example of evasion is Atomic Stealer, first documented by SentinelOne in May 2023 as a new Go-based stealer and revisited by Malwarebytes in <a href="https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strikes-macos-via-fake-browser-updates/" target="_blank" rel="external nofollow">November 2023</a>.
</p>

<p>
	 
</p>

<p>
	Apple last updated XProtect's signatures and detection rules this month, but SentinelOne reports already observing C++ variants that can evade detection.
</p>

<p>
	 
</p>

<p>
	The latest Atomic Stealer version has replaced code obfuscation with cleartext AppleScript that exposes its data-stealing logic, includes anti-VM checks, and prevents executing the Terminal alongside it.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="terminal-shut.png" class="ipsImage" data-ratio="37.08" height="203" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/InfoStealers/01/terminal-shut.png">
	</p>

	<div style="text-align: left;">
		<em>Auto-shutting the Terminal (SentinelOne)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The third example in the report is CherryPie, also known as 'Gary Stealer' or 'JaskaGo,' first seen in the wild on September 9, 2023.
</p>

<p>
	 
</p>

<p>
	The Go-based cross-platform malware features anti-analysis and virtual machine detection, Wails wrapping, ad hoc signatures, and a system that disables Gatekeeper using admin privileges.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="disable-gatekeeper.png" class="ipsImage" data-ratio="65.00" height="286" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/InfoStealers/01/disable-gatekeeper.png">
	</p>

	<div style="text-align: left;">
		<em>Attempting to disable Gatekeeper (SentinelOne)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The good news is that Apple updated its XProtect signatures for CherryPie in early December 2023, and they work well even for newer iterations. However, malware detections do not fare as well on VirusTotal.
</p>

<p>
	 
</p>

<p>
	It becomes clear from the above that the continual development of malware with the goal of evading detection makes this a risky game of whack-a-mole for users and operating system vendors alike.
</p>

<p>
	 
</p>

<p>
	Relying solely on static detection for security is inadequate and potentially risky. A more robust approach should incorporate antivirus software equipped with advanced dynamic or heuristic analysis capabilities.
</p>

<p>
	 
</p>

<p>
	Additionally, vigilant monitoring of network traffic, implementing firewalls, and consistently applying the latest security updates are essential components of a comprehensive cybersecurity strategy.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/macos-info-stealers-quickly-evolve-to-evade-xprotect-detection/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21237</guid><pubDate>Wed, 17 Jan 2024 05:54:23 +0000</pubDate></item><item><title>A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data</title><link>https://nsaneforums.com/news/security-privacy-news/a-flaw-in-millions-of-apple-amd-and-qualcomm-gpus-could-expose-ai-data-r21231/</link><description><![CDATA[<h3>
	Patching every device affected by the LeftoverLocals vulnerability—which includes some iPhones, iPads, and Macs—may prove difficult.
</h3>

<p>
	As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run <a href="https://www.wired.com/story/how-chatgpt-works-large-language-model/" rel="external nofollow">large language models</a> (LLMs) and to crunch data quickly at massive scale. Between video game processing and AI, demand for GPUs has never been higher, and chipmakers are rushing to <a href="https://www.wired.com/story/nvidia-chip-shortages-leave-ai-startups-scrambling-for-computing-power/" rel="external nofollow">bolster supply</a>. In new findings released today, though, researchers are <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/"}' data-offer-url="https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/" href="https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/" rel="external nofollow" target="_blank">highlighting a vulnerability in multiple brands and models of mainstream GPUs</a>—including Apple, Qualcomm, and AMD chips—that could allow an attacker to steal large quantities of data from a GPU’s memory.
</p>

<p>
	 
</p>

<p>
	The silicon industry has <a href="https://www.wired.com/story/intel-lab-istare-hack-chips/" rel="external nofollow">spent years</a> <a href="https://www.wired.com/story/intel-google-cloud-chip-security/" rel="external nofollow">refining the security</a> of central processing units, or CPUs, so they don’t leak data in memory even when they are built to optimize for speed. However, since GPUs were designed for raw graphics processing power, they haven’t been architected to the same degree with data privacy as a priority. As generative AI and other machine learning applications expand the uses of these chips, though, researchers from New York–based security firm <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/"}' data-offer-url="https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/" href="https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/" rel="external nofollow" target="_blank">Trail of Bits</a> say that vulnerabilities in GPUs are an increasingly urgent concern.
</p>

<p>
	 
</p>

<p>
	“There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, tells WIRED. “We’re looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal.”
</p>

<p>
	 
</p>

<p>
	To exploit the vulnerability, which the researchers call <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://leftoverlocals.com/"}' data-offer-url="https://leftoverlocals.com/" href="https://leftoverlocals.com/" rel="external nofollow" target="_blank">LeftoverLocals</a>, attackers would need to already have established some amount of operating system access on a target’s device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each others’ data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn’t be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries and responses generated by LLMs as well as the weights driving the response.
</p>

<p>
	 
</p>

<p>
	In their <a href="https://github.com/trailofbits/LeftoverLocalsRelease" rel="external nofollow">proof of concept</a>, as seen in the GIF below, the researchers demonstrate an attack where a target—shown on the left—asks the open source LLM Llama.cpp to provide details about WIRED magazine. Within seconds, the attacker’s device—shown on the right—collects the majority of the response provided by the LLM by carrying out a LeftoverLocals attack on vulnerable GPU memory. The attack program the researchers created uses less than 10 lines of code.
</p>

<p>
	 
</p>

<div class="videostyle">
	<video controls="" preload="metadata" data-controller="core.global.core.embeddedvideo">
		<source type="video/mp4" src="https://media.wired.com/clips/65a157e77137e50a5cc2f496/720p/pass/video-Wired_LeftoverLocals%20(1).mp4">
	</source></video>
</div>

<div style="text-align: center;">
	<em>An attacker (right) exploits the LeftoverLocals vulnerability to listen to LLM conversations (Video: Trail of Bits)</em>
</div>

<p>
	 
</p>

<p>
	Last summer, the researchers tested 11 chips from seven GPU makers and multiple corresponding programming frameworks. They found the LeftoverLocals vulnerability in GPUs from Apple, AMD, and Qualcomm, and launched a far-reaching coordinated disclosure of the vulnerability in September in collaboration with the <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://kb.cert.org/vuls/id/446598"}' data-offer-url="https://kb.cert.org/vuls/id/446598" href="https://kb.cert.org/vuls/id/446598" rel="external nofollow" target="_blank">US-CERT Coordination Center</a> and the Khronos Group, a standards body focused on 3D graphics, machine learning, and virtual and augmented reality.
</p>

<p>
	 
</p>

<p>
	The researchers did not find evidence that Nvidia, Intel, or Arm GPUs contain the LeftoverLocals vulnerability, but Apple, Qualcomm, and AMD all confirmed to WIRED that they are impacted. This means that well-known chips like the AMD Radeon RX 7900 XT and devices like Apple’s iPhone 12 Pro and M2 MacBook Air are vulnerable. The researchers did not find the flaw in the Imagination GPUs they tested, but others may be vulnerable.
</p>

<p>
	 
</p>

<p>
	An Apple spokesperson acknowledged LeftoverLocals and noted that the company shipped fixes with its latest <a href="https://www.wired.com/story/imac-macbook-pro-2023-everything-apple-announced/" rel="external nofollow">M3</a> and A17 processors, which it unveiled at the end of 2023. This means that the vulnerability is seemingly still present in millions of existing iPhones, iPads, and MacBooks that depend on previous generations of Apple silicon. On January 10, the Trail of Bits researchers retested the vulnerability on a number of Apple devices. They found that Apple’s M2 MacBook Air was still vulnerable, but the iPad Air 3rd generation A12 appeared to have been patched.
</p>

<p>
	 
</p>

<p>
	A Qualcomm spokesperson told WIRED that the company is “in the process” of providing security updates to its customers, adding, “We encourage end users to apply security updates as they become available from their device makers.” The Trail of Bits researchers say Qualcomm confirmed it has released firmware patches for the vulnerability.
</p>

<p>
	 
</p>

<p>
	AMD <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6010.html"}' data-offer-url="https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6010.html" href="https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6010.html" rel="external nofollow" target="_blank">released a security advisory</a> on Wednesday detailing its plans to offer fixes for LeftoverLocals. The protections will be “optional mitigations” released in March.
</p>

<p>
	 
</p>

<p>
	For its part, Google says in a statement that it “is aware of this vulnerability impacting AMD, Apple, and Qualcomm GPUs. Google has released fixes for ChromeOS devices with impacted AMD and Qualcomm GPUs.”
</p>

<p>
	 
</p>

<p>
	The Trail of Bits researchers caution that actually getting these various fixes to proliferate will not be easy. Even when GPU makers release usable patches, the device makers that incorporate their chips into personal computers and other devices must then package and relay the protections to end users. With so many players in the global tech ecosystem, it’s difficult to coordinate all parties.
</p>

<p>
	 
</p>

<p>
	Though exploiting the vulnerability would require some amount of existing access to targets’ devices, the potential implications are significant given that it is common for highly motivated attackers to carry out hacks by chaining multiple vulnerabilities together. Furthermore, establishing “initial access” to a device is already necessary for many common types of digital attacks.
</p>

<p>
	 
</p>

<p>
	“If you manage to get on the same system, you can just listen in on somebody and the responses of the LLM chat session—this was a straightforward thing to do,” says Tyler Sorensen, the security research engineer at Trail of Bits who found the vulnerability and is a security engineering researcher at the University of California, Santa Cruz.
</p>

<p>
	 
</p>

<p>
	The researchers note that leaks from machine learning processes in other applications could be very sensitive—for example, if a mobile medical health app is incorporating AI patient support. But a GPU could process any number of things, and data privacy in memory is a foundational element that must be built into silicon from the start. In the six years since <a href="https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/" rel="external nofollow">disclosure of the Spectre and Meltdown</a> CPU processor vulnerabilities, chipmakers have invested significant energy into strengthening and refining memory protections, not just through firmware patches for existing chips, but by making physical improvements to how CPUs are designed. These hardware changes take years to implement because the manufacturing pipeline is planned far in advance.
</p>

<p>
	 
</p>

<p>
	“If a user is running on the same local machine as malicious software, then the final contents of the GPU program scratchpad memory that is used for temporary storage of data during operation could be viewable by a bad actor,” AMD said of the Trail of Bits research. The company stipulated that “AMD also believes there is no exposure to any other part of the system and no user data is compromised.”
</p>

<p>
	 
</p>

<p>
	In practice, though, years of processor memory vulnerabilities have illustrated the potential risks and the importance of addressing such flaws. “We have seen these leaks that have been patched, that were revealing things like web browser data and that’s very sensitive,” Trail of Bits’ Khlaaf says, referring to past examples of memory-related leaks from chips.
</p>

<p>
	 
</p>

<p>
	In recent months, <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://arxiv.org/abs/1305.7383"}' data-offer-url="https://arxiv.org/abs/1305.7383" href="https://arxiv.org/abs/1305.7383" rel="external nofollow" target="_blank">other findings</a> about GPU insecurity have underscored the potential <a href="https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/" rel="external nofollow">threat of information leakage</a> in these increasingly popular and vital processors. As generative AI has boomed in the past 18 months, companies have raced to buy—and in some cases build their own—faster and more capable GPUs. The Trail of Bits researchers say the LeftoverLocals vulnerability highlights that many of the components needed to develop and run machine learning in general have “unknown security risks” and “have not been rigorously reviewed by security experts.”
</p>

<p>
	 
</p>

<p>
	The researchers say that LeftoverLocals is part of a crucial movement to raise awareness about the need for GPU security refinements similar to those that have been implemented for CPUs. This is especially pressing as more vendors, like Apple, incorporate CPUs and GPUs together for maximum efficiency in schemes known as “systems-on-a-chip,” or SoCs.
</p>

<p>
	 
</p>

<p>
	“The GPU has access to that full memory and, as we’re seeing, can be quite insecure,” Trail of Bits’ Sorensen says. “Rather than having it separated out, you're just dropping it into the thick of it in a SoC. And so we need to think hard about GPU security, especially in that context where the GPU now potentially has access to CPU memory as well.”
</p>

<p>
	 
</p>

<p>
	The researchers also caution that GPU memory security issues and vulnerabilities like LeftoverLocals will become even more consequential as GPU virtualization becomes more common in public cloud infrastructure and more AI applications move from being implemented locally to running in shared cloud environments. Without significant reforms in GPU memory privacy, these transitions could create fertile ground for attackers to easily grab large amounts of data from numerous targets in a single attack.
</p>

<p>
	 
</p>

<p>
	“I think we came across this at the right time,” Sorensen says. “A lot of the major cloud providers do not allow multiple users on the same GPU machine, but this is likely something that will change going forward. So I think we just need to be hyperaware of this and have more of a security model for GPUs and how they are deployed. This should inspire people to say, ‘We need to be careful when we do this.’”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/leftoverlocals-gpu-vulnerability-generative-ai/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21231</guid><pubDate>Tue, 16 Jan 2024 18:27:57 +0000</pubDate></item><item><title>New malware bypassing Windows SmartScreen is hungry for your data, and it wants it all</title><link>https://nsaneforums.com/news/security-privacy-news/new-malware-bypassing-windows-smartscreen-is-hungry-for-your-data-and-it-wants-it-all-r21230/</link><description><![CDATA[<p>
	Researchers from Trend Micro have discovered a previously unknown strain of malware, dubbed Phemedrone Stealer, that is actively exploiting the already patched Windows Defender SmartScreen vulnerability <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025" rel="external nofollow">CVE-2023-36025</a>, Security Week <a href="https://www.securityweek.com/information-stealer-exploits-windows-smartscreen-bypass/" rel="external nofollow">reports</a>.
</p>

<p>
	 
</p>

<p>
	Phemedrone Stealer is a data-harvesting <a href="https://www.neowin.net/news/a-new-windows-malware-hunter-was-tested-by-av-test-and-it-was-quite-terrible/" rel="external nofollow">malware</a> focusing on a variety of specific types of files and information across a wide range of popular software products – browsers, file managers, and communication platforms, among others.
</p>

<p>
	 
</p>

<p>
	The malware even collects extensive system details (including geolocation data such as IP, country, city, and postal code) about Windows 10 or 11 and takes screenshots in the process. <a href="https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html" rel="external nofollow">Trend Micro specifically lists</a> the following targets:
</p>

<p>
	 
</p>

<ul>
	<li>
		Chromium-based browsers. The malware harvests data, including passwords, cookies, and autofill information stored in apps such as LastPass, KeePass, NordPass, Google Authenticator, Duo Mobile, and Microsoft Authenticator, among others.
	</li>
	<li>
		Crypto wallets. It extracts files from various cryptocurrency wallet applications such as Armory, Atomic, Bytecoin, Coinomi, Jaxx, Electrum, Exodus, and Guarda.
	</li>
	<li>
		Discord. Phemedrone extracts authentication tokens from the Discord application, enabling unauthorized access to the user's account.
	</li>
	<li>
		FileGrabber. The malware uses this service to gather user files from designated folders such as Documents and Desktop.
	</li>
	<li>
		FileZilla. Phemedrone captures FTP connection details and credentials from FileZilla.
	</li>
	<li>
		Gecko. The malware targets Gecko-based browsers for user data extraction. (Firefox being the most popular one.)
	</li>
	<li>
		System Information. Phemedrone collects extensive system details, including hardware specs, geolocation, and operating system information, and takes screenshots.
	</li>
	<li>
		Steam. Phemedrone accesses files related to the Steam gaming platform.
	</li>
	<li>
		Telegram. The malware extracts user data from the installation directory, specifically targeting authentication-related files within the “tdata” folder. This includes seeking out files based on size and naming patterns.
	</li>
</ul>

<p>
	 
</p>

<p>
	The attack vector in this case is crafted .url files that download and execute malicious scripts, bypassing Windows Defender SmartScreen in the process. As a result, a user tricked into opening the dangerous file won’t see the SmartScreen warning that this type of file can potentially harm the computer.
</p>

<p>
	 
</p>

<p>
	Once the malicious software avoids detection, it downloads the payload and establishes a permanent presence in the system.
</p>

<p>
	 
</p>

<p>
	Then, the search for specific files and information follows. The harvested data are sent to the hackers via the API of Telegram, a popular IM communication platform in some countries around the globe. The system information is sent first, followed by a compressed ZIP file containing all collected data.
</p>

<p>
	 
</p>

<p>
	The good news is that <a href="https://www.neowin.net/news/windows-11-patch-tuesday-update-kb5032190-is-here-for-23h2-and-22h2/" rel="external nofollow">Microsoft already addressed the CVE-2023-36025 vulnerability</a> on November 14. Therefore, maintaining the necessary IT hygiene and regularly applying the latest security patches should protect you – unlike in the case of many zero-day vulnerabilities living in the wild, yet to be tamed.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html" rel="external nofollow">Trend Micro</a> via <a href="https://www.securityweek.com/information-stealer-exploits-windows-smartscreen-bypass/" rel="external nofollow">Security Week</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/new-malware-bypassing-windows-smartscreen-is-hungry-for-your-data-and-it-wants-it-all/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21230</guid><pubDate>Tue, 16 Jan 2024 18:25:11 +0000</pubDate></item><item><title>Google updates Chrome's Incognito Mode disclaimer to admit it is tracking users</title><link>https://nsaneforums.com/news/security-privacy-news/google-updates-chromes-incognito-mode-disclaimer-to-admit-it-is-tracking-users-r21229/</link><description><![CDATA[<p>
	Google is rolling out a change to the Incognito Mode disclaimer of the company's Chrome web browser. The new disclaimer admits that Google tracks users even while the mode is active. The company <a data-wpel-link="internal" href="https://www.ghacks.net/2023/12/29/google-settles-its-5-billion-privacy-lawsuit-over-incognito-mode-tracking/" rel="external nofollow">settled a $5 billion privacy lawsuit</a> over tracking in Incognito Mode in December 2023.
</p>

<p>
	 
</p>

<p>
	The lawsuit accused Google of tracking Chrome users across Google and non-Google websites while Incognito Mode was active. Google operates some of the world's largest Internet sites, but these pale in comparison to the company's access to data on non-Google properties, where Google ads and analytics are widely used.
</p>

<p>
	 
</p>

<p>
	DuckDuckGo estimates that Google has access to 93 sites out of every 100 sites that users visit on the Internet.
</p>

<h2>
	Google Chrome Incognito Mode
</h2>

<p>
	Google has already updated the disclaimer in Google Chrome Canary. To better understand the difference, here is the current disclaimer shown when users launch Incognito Mode.
</p>

<p>
	 
</p>

<p>
	<img alt="chrome-incognito-mode.png" class="ipsImage" data-ratio="75.10" height="435" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/12/chrome-incognito-mode.png">
</p>

<p>
	 
</p>

<p>
	You may launch Incognito Mode by selecting Menu (three dots) &gt; New incognito window, or through the keyboard shortcut Ctrl-Shift-N on desktop systems.
</p>

<p>
	 
</p>

<p>
	Here is the relevant part of the old disclaimer: "Now you can browse privately, and other people who use this device won’t see your activity. However, downloads, bookmarks and reading list items will be saved."
</p>

<p>
	 
</p>

<p>
	Here is a screenshot of the new Incognito Mode disclaimer.
</p>

<p>
	 
</p>

<p>
	<img alt="chrome-incognito-disclaimer.png" class="ipsImage" data-ratio="75.10" height="400" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/01/chrome-incognito-disclaimer.png">
</p>

<p>
	 
</p>

<p>
	It contains the following text: "Others who use this device won’t see your activity, so you can browse more privately. This won't change how data is collected by websites you visit and the services they use, including Google. Downloads, bookmarks and reading list items will be saved."
</p>

<p>
	 
</p>

<p>
	Basically, what Google did is clarify what Incognito Mode does and does not do for user privacy. Other people who use the same browser on the same device and user account won't see activity that happens in Incognito Mode.
</p>

<p>
	 
</p>

<p>
	The second sentence of the new disclaimer admits that Google and other websites will still see the activity and may still track users because of that, even while in Incognito Mode. Ads and trackers collect data and communicate with company servers. The data is not blocked by Incognito Mode.
</p>

<p>
	 
</p>

<p>
	Long-time readers here on this site knew that already. Private browsing modes, including Incognito Mode, are only of use when a single user account is shared across multiple users. Only then can it be used to hide certain activity from other users. A better solution is to create individual user accounts on a device to avoid any privacy issues regarding activity in the first place.
</p>

<p>
	 
</p>

<p>
	Google is merely adjusting the description to highlight that Incognito Mode does nothing against website tracking.
</p>

<p>
	 
</p>

<p>
	Chrome users may install content blockers and enable them for use in Incognito Mode to limit this form of tracking. Extensions are only supported on desktop platforms in Chrome, however.
</p>

<p>
	 
</p>

<p>
	Google launched the first phase to <a data-wpel-link="internal" href="https://www.ghacks.net/2023/12/16/google-chrome-will-disable-third-party-tracking-cookies-for-some-users-in-january-2024/" rel="external nofollow">end third-party cookies in Chrome</a>. About 1% of all Chrome installations have third-party cookies disabled by default. The company calls the feature Tracking Protection and users should see a prompt in Chrome when they are selected.
</p>

<p>
	 
</p>

<p>
	<img alt="block-third-party-cookies-chrome.png" class="ipsImage" data-ratio="75.10" height="492" width="720" src="https://www.ghacks.net/wp-content/uploads/2024/01/block-third-party-cookies-chrome.png">
</p>

<p>
	 
</p>

<p>
	All Chrome users may already disable third-party cookies. Just load chrome://settings/cookies in the browser's address bar and switch the "Default behavior" setting to "Block third-party cookies" on the page.
</p>

<p>
	 
</p>

<p>
	The chance to run into compatibility issues is small, but it exists. You may add sites that misbehave to the allow list on the same page.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> do you use Incognito Mode / Private Browsing? (via <a data-wpel-link="external" href="https://mspoweruser.com/google-updates-chrome-incognito-disclaimer-amid-5-billion-lawsuit-settlement/" rel="external nofollow" target="_blank">MSPoweruser</a>)
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2024/01/16/google-updates-chromes-incognito-mode-disclaimer-to-admit-it-is-tracking-users/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21229</guid><pubDate>Tue, 16 Jan 2024 18:23:33 +0000</pubDate></item><item><title>Hacker spins up 1 million virtual servers to illegally mine crypto</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-spins-up-1-million-virtual-servers-to-illegally-mine-crypto-r21192/</link><description><![CDATA[<p>
	A 29-year-old man in Ukraine was arrested this week for using hacked accounts to create 1 million virtual servers used to mine $2 million in cryptocurrency. 
</p>

<p>
	 
</p>

<p>
	As announced today by <a href="https://www.europol.europa.eu/media-press/newsroom/news/cryptojacker-arrested-in-ukraine-over-eur-1.8-million-mining-scheme" rel="external nofollow" target="_blank">Europol</a>, the suspect is believed to be the mastermind behind a large-scale cryptojacking scheme that involves hijacking cloud computing resources for crypto-mining.
</p>

<p>
	 
</p>

<p>
	By using the computing resources of others' servers to mine cryptocurrency, the cybercriminals can profit at the expense of the compromised organizations, whose CPU and GPU performance is degraded by the mining.
</p>

<p>
	 
</p>

<p>
	For on-premise compromises, the damage extends to paying for the increased power usage that miners commonly generate.
</p>

<p>
	 
</p>

<p>
	A 2022 report from <a href="https://www.bleepingcomputer.com/news/security/cryptominers-hijack-53-worth-of-system-resources-to-earn-1/" target="_blank" rel="external nofollow">Sysdig</a> estimated the damage from cryptojacking to be about $53 for every $1 worth of Monero (XMR) the cybercriminals mine on hijacked devices.
</p>

<p>
	 
</p>

<p>
	Europol says they first learned of the cryptojacking attack in January 2023 from a cloud service provider who was investigating compromised cloud accounts on their platform.
</p>

<p>
	 
</p>

<p>
	Europol, the Ukrainian police, and the cloud provider worked together to develop operational intelligence that could be used to track down and identify the hacker.
</p>

<p>
	 
</p>

<p>
	The police say they arrested the hacker on January 9th, when they seized computer equipment, bank and SIM cards, electronic media, and other evidence of illegal activity.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="image.jpg" class="ipsImage" data-ratio="75.10" height="538" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Police/image.jpg">
	</p>

	<div style="text-align: left;">
		<em>Items seized during the suspect's arrest. Source: cyberpolice.gov.ua</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	A separate report by the <a href="https://cyberpolice.gov.ua/news/zavdav-providnij-svitovij-kompaniyi-sotni-miljoniv-zbytkiv-kiberpolicziya-ta-slidchi-naczpolu-vykryly-xakera-2238/" rel="external nofollow" target="_blank">Ukrainian cyberpolice</a> explains that the suspect has been active since 2021 when he used automated tools to brute force the passwords of 1,500 accounts of a subsidiary of one of the world's largest e-commerce entities.
</p>

<p>
	 
</p>

<p>
	Europol and Ukraine have not identified the e-commerce company or its subsidiary.
</p>

<p>
	 
</p>

<p>
	The threat actor then used these accounts to gain access to administrative privileges, which were used to create more than one million virtual computers for use in the cryptomining scheme.
</p>

<p>
	 
</p>

<p>
	The Ukrainian authorities confirmed that the suspect was using TON cryptocurrency wallets to move the illegal proceeds, with transactions equal to roughly $2 million.
</p>

<p>
	 
</p>

<p>
	The arrested individual now faces criminal charges under Part 5 of Art. 361 (unauthorized interference in the work of information, electronic communication, electronic communication networks) of the Criminal Code of Ukraine.
</p>

<h2>
	Mitigating the risk
</h2>

<p>
	Threat actors commonly target cloud services to hijack computing resources for illegal cryptocurrency mining.
</p>

<p>
	 
</p>

<p>
	Methods to defend against cryptojacking attacks include monitoring for unusual activity like unexpected spikes in resource usage, implementing endpoint protection and intrusion detection systems, and limiting administrative privileges and access to critical resources only to those needing them.
</p>

<p>
	 
</p>

<p>
	Cryptojackers often exploit documented flaws in cloud platforms to achieve an initial compromise. So, regularly applying the available security updates on all software is crucial to protecting systems against external threats.
</p>

<p>
	 
</p>

<p>
	Finally, all administrative accounts should have 2FA enabled in case their credentials are stolen.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hacker-spins-up-1-million-virtual-servers-to-illegally-mine-crypto/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21192</guid><pubDate>Sun, 14 Jan 2024 03:36:10 +0000</pubDate></item><item><title>The Week in Ransomware - January 12th 2024 - Targeting homeowners' data</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-january-12th-2024-targeting-homeowners-data-r21175/</link><description><![CDATA[<p>
	Mortgage lenders and related companies are becoming popular targets of ransomware gangs, with four companies in this sector recently attacked.
</p>

<p>
	 
</p>

<p>
	This week, we learned that mortgage lender <a href="https://www.bleepingcomputer.com/news/security/mortgage-firm-loandepot-cyberattack-impacts-it-systems-payment-portal/" target="_blank" rel="external nofollow">loanDepot suffered a cyberattack</a>, which the company later <a href="https://www.bleepingcomputer.com/news/security/us-mortgage-lender-loandepot-confirms-ransomware-attack/" target="_blank" rel="external nofollow">confirmed was ransomware</a>.
</p>

<p>
	 
</p>

<p>
	This comes on the heels of similar attacks <a href="https://www.bleepingcomputer.com/news/security/mortgage-giant-mr-cooper-hit-by-cyberattack-impacting-it-systems/" target="_blank" rel="external nofollow">against Mortgage giant Mr. Cooper</a>, which led to the exposure of data for 14 million people, and attacks on title insurance companies, including <a href="https://www.bleepingcomputer.com/news/security/first-american-takes-it-systems-offline-after-cyberattack/" target="_blank" rel="external nofollow">First American Financial</a> and <a href="https://www.bleepingcomputer.com/news/security/fidelity-national-financial-hackers-stole-data-of-13-million-people/" target="_blank" rel="external nofollow">Fidelity National Financial</a>.
</p>

<p>
	 
</p>

<p>
	As these companies obtain a large amount of sensitive information from their customers, they become attractive targets for ransomware gangs to conduct double-extortion attacks.
</p>

<p>
	 
</p>

<p>
	Other attacks we learned about this week include the <a href="https://www.bleepingcomputer.com/news/security/toronto-zoo-ransomware-attack-had-no-impact-on-animal-wellbeing/" target="_blank" rel="external nofollow">Toronto Zoo</a>, a <a href="https://www.bleepingcomputer.com/news/security/paraguay-warns-of-black-hunt-ransomware-attacks-after-tigo-business-breach/" target="_blank" rel="external nofollow">Black Hunt ransomware attack on Tigo Business</a>, and <a href="https://www.bleepingcomputer.com/news/security/capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak/" target="_blank" rel="external nofollow">LockBit claiming</a> to be behind the <a href="https://www.bleepingcomputer.com/news/security/capital-health-hospitals-hit-by-cyberattack-causing-it-outages/" target="_blank" rel="external nofollow">attack on the Capital Health hospital network</a>.
</p>

<p>
	 
</p>

<p>
	Finland is also warning of Akira ransomware increasingly <a href="https://www.bleepingcomputer.com/news/security/finland-warns-of-akira-ransomware-wiping-nas-and-tape-backup-devices/" target="_blank" rel="external nofollow">targeting companies in the country and wiping backups</a>.
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers are back from the holidays, sharing new research on a <a href="https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html" rel="external nofollow" target="_blank">BlackBasta affiliate's use of PikaBot</a>, <a href="https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-sql-servers-in-mimic-ransomware-attacks/" target="_blank" rel="external nofollow">Microsoft SQL servers being targeted by the Mimic ransomware</a>, and threat actors impersonating security researchers to offer victims a chance to <a href="https://www.bleepingcomputer.com/news/security/ransomware-victims-targeted-by-fake-hack-back-offers/" target="_blank" rel="external nofollow">hack back at ransomware gangs</a>.
</p>

<p>
	 
</p>

<p>
	For some good news, a Dutch police operation with Cisco Talos led to the arrest of a ransomware operator and the <a href="https://www.bleepingcomputer.com/news/security/decryptor-for-babuk-ransomware-variant-released-after-hacker-arrested/" target="_blank" rel="external nofollow">retrieval of decryption keys</a>. This key was added to Avast's decryptor, allowing victims of the Tortilla ransomware (based on Babuk) to recover their files for free.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/AWNetworks" rel="external nofollow" target="_blank">@AWNetworks</a>, <a href="https://twitter.com/Securonix" rel="external nofollow" target="_blank">@Securonix</a>, <a href="https://twitter.com/talossecurity" rel="external nofollow" target="_blank">@TalosSecurity</a>, <a href="https://twitter.com/criptoboi" rel="external nofollow" role="link" tabindex="-1" target="_blank">@criptoboi</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, <a href="https://twitter.com/TrendMicro" rel="external nofollow" target="_blank">@TrendMicro</a>, and <a href="https://twitter.com/Unit42_Intel" rel="external nofollow" target="_blank">@Unit42_Intel</a>.
</p>

<h2>
	January 7th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/mortgage-firm-loandepot-cyberattack-impacts-it-systems-payment-portal/" target="_blank" rel="external nofollow">Mortgage firm loanDepot cyberattack impacts IT systems, payment portal</a>
</h3>

<p>
	U.S. mortgage lender loanDepot has suffered a cyberattack that caused the company to take IT systems offline, preventing online payments against loans.
</p>

<h2>
	January 8th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak/" target="_blank" rel="external nofollow">Capital Health attack claimed by LockBit ransomware, risk of data leak</a>
</h3>

<p>
	The LockBit ransomware operation has claimed responsibility for a November 2023 cyberattack on the Capital Health hospital network and threatens to leak stolen data and negotiation chats by tomorrow.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/toronto-zoo-ransomware-attack-had-no-impact-on-animal-wellbeing/" target="_blank" rel="external nofollow">Toronto Zoo: Ransomware attack had no impact on animal wellbeing</a>
</h3>

<p>
	Toronto Zoo, the largest zoo in Canada, says that a ransomware attack that hit its systems early on Friday had no impact on the animals, its website, or its day-to-day operations.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/us-mortgage-lender-loandepot-confirms-ransomware-attack/" target="_blank" rel="external nofollow">US mortgage lender loanDepot confirms ransomware attack</a>
</h3>

<p>
	Leading U.S. mortgage lender loanDepot confirmed today that a cyber incident disclosed over the weekend was a ransomware attack that led to data encryption.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1744235376477143326" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found a new Phobos variant that appends the <strong>.jopanaxye </strong>extension and drops ransom notes named <strong>info.txt</strong> and <strong>info.hta</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1744237307610198458" rel="external nofollow" target="_blank">New STOP Ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP ransomware variants that append the <strong>.cdwe</strong> and <strong>.cdaz</strong> extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1744243943376560563" rel="external nofollow" target="_blank">New Makops variant</a>
</h3>

<p>
	PCrisk found a new Makops variant that appends the <strong>.SOG</strong> extension and drops a ransom note named <strong>+README-WARNING+.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1744279426345345422" rel="external nofollow" target="_blank">New Abyss ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware that appends the <strong>.abyss </strong>extension and drops a ransom note named <strong>WhatHappened.txt</strong>.
</p>

<h2>
	January 9th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/paraguay-warns-of-black-hunt-ransomware-attacks-after-tigo-business-breach/" target="_blank" rel="external nofollow">Paraguay warns of Black Hunt ransomware attacks after Tigo Business breach</a>
</h3>

<p>
	The Paraguay military is warning of Black Hunt ransomware attacks after Tigo Business suffered a cyberattack last week impacting cloud and hosting services in the company's business division.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/decryptor-for-babuk-ransomware-variant-released-after-hacker-arrested/" target="_blank" rel="external nofollow">Decryptor for Babuk ransomware variant released after hacker arrested</a>
</h3>

<p>
	Researchers from Cisco Talos working with the Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware and shared intelligence that led to the arrest of the ransomware's operator.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-sql-servers-in-mimic-ransomware-attacks/" target="_blank" rel="external nofollow">Hackers target Microsoft SQL servers in Mimic ransomware attacks</a>
</h3>

<p>
	A group of financially motivated Turkish hackers targets Microsoft SQL (MSSQL) servers worldwide to encrypt the victims' files with Mimic (N3ww4v3) ransomware.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-victims-targeted-by-fake-hack-back-offers/" target="_blank" rel="external nofollow">Ransomware victims targeted by fake hack-back offers</a>
</h3>

<p>
	Some organizations victimized by the Royal and Akira ransomware gangs have been targeted by a threat actor posing as a security researcher who promised to hack back the original attacker and delete stolen victim data.
</p>

<h3>
	<a href="https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html" rel="external nofollow" target="_blank">Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign</a>
</h3>

<p class="bc_quote">
	A threat actor we track under the Intrusion set Water Curupira (known to employ the Black Basta ransomware) has been actively using Pikabot, a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1744598991692615917" rel="external nofollow" target="_blank">New Phobos variant</a>
</h3>

<p>
	PCrisk found a new Phobos variant that appends the <strong>.2700 </strong>extension and drops a ransom note named <strong>+README-WARNING+.txt</strong>.
</p>

<h2>
	January 10th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fidelity-national-financial-hackers-stole-data-of-13-million-people/" target="_blank" rel="external nofollow">Fidelity National Financial: Hackers stole data of 1.3 million people</a>
</h3>

<p>
	Fidelity National Financial (FNF) has confirmed that a November cyberattack (claimed by the BlackCat ransomware gang) has exposed the data of 1.3 million customers.
</p>

<h2>
	January 11th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/finland-warns-of-akira-ransomware-wiping-nas-and-tape-backup-devices/" target="_blank" rel="external nofollow">Finland warns of Akira ransomware wiping NAS and tape backup devices</a>
</h3>

<p>
	The Finnish National Cybersecurity Center (NCSC-FI) is reporting increased Akira ransomware activity in December, targeting companies in the country and wiping backups.
</p>

<h3>
	<a href="https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/" rel="external nofollow" target="_blank">Medusa Ransomware Turning Your Files into Stone</a>
</h3>

<p class="bc_quote">
	Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. Medusa threat actors use this site to disclose sensitive data from victims unwilling to comply with their ransom demands.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1745320864957055233" rel="external nofollow" target="_blank">New Phobos variant</a>
</h3>

<p>
	PCrisk found a new Phobos variant that appends the <strong>.mango </strong>extension and drops a ransom note named <strong>+README-WARNING+.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1745328811032359127" rel="external nofollow" target="_blank">New STOP Ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP ransomware variants that append the <strong>.cdtt</strong> and <strong>.cdpo</strong> extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1745345267090551275" rel="external nofollow" target="_blank">New Ping ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware that appends the <strong>.pings </strong>extension and drops a ransom note named <strong>FILE RECOVERY.txt</strong>.
</p>

<h2>
	January 12th 2024
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1745688762036687049" rel="external nofollow" target="_blank">New Dharma variant</a>
</h3>

<p>
	PCrisk found a new Dharma ransomware variant that appends the <strong>.AeR </strong>extension and drops ransom notes named <strong>info.txt</strong> and <strong>info.hta</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1745700561440153899" rel="external nofollow" target="_blank">New Xorist variant</a>
</h3>

<p>
	PCrisk found a new Xorist variant that appends the <strong>.CoV </strong>extension and drops a ransom note named <strong>HOW TO DECRYPT FILES.txt</strong>.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-12th-2024-targeting-homeowners-data/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21175</guid><pubDate>Sat, 13 Jan 2024 08:31:02 +0000</pubDate></item><item><title>Microsoft January 2024 Patch Tuesday fixes 49 flaws, 12 RCE bugs</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-january-2024-patch-tuesday-fixes-49-flaws-12-rce-bugs-r21119/</link><description><![CDATA[<style type="text/css">
.crit {
font-weight:bold;
color:red;
}
.article_section td {
 font-size: 14px!important;
}</style>
<p>
	Today is Microsoft's January 2024 Patch Tuesday, which includes security updates for a total of 49 flaws and 12 remote code execution vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Only two vulnerabilities were classified as critical, with one being a Windows Kerberos Security Feature Bypass and the other a Hyper-V RCE. 
</p>

<p>
	 
</p>

<p>
	The number of bugs in each vulnerability category is listed below:
</p>

<p>
	 
</p>

<ul>
	<li>
		10 Elevation of Privilege Vulnerabilities
	</li>
	<li>
		7 Security Feature Bypass Vulnerabilities
	</li>
	<li>
		12 Remote Code Execution Vulnerabilities
	</li>
	<li>
		11 Information Disclosure Vulnerabilities
	</li>
	<li>
		6 Denial of Service Vulnerabilities
	</li>
	<li>
		3 Spoofing Vulnerabilities 
	</li>
</ul>

<p>
	 
</p>

<p>
	The total count of 49 flaws does not include 4 Microsoft Edge flaws fixed on January 5th.
</p>

<p>
	 
</p>

<p>
	To learn more about the non-security updates released today, you can review our dedicated articles on the new <a href="https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5034123-update-released-with-security-and-wi-fi-fixes/" rel="external nofollow">Windows 11 KB5034123 cumulative update</a> and <a href="https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5034122-update-released-with-fix-for-shut-down-bug/" target="_blank" rel="external nofollow">Windows 10 KB5034122 update</a>.
</p>

<h2>
	This month's interesting flaws
</h2>

<p>
	While there were no actively exploited or publicly disclosed vulnerabilities this month, some flaws are more interesting than others.
</p>

<p>
	 
</p>

<p>
	Microsoft fixes an Office Remote Code Execution Vulnerability tracked as <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-20677" rel="external nofollow" target="_blank">CVE-2024-20677</a> that allows threat actors to create maliciously crafted Office documents with embedded FBX 3D model files to perform remote code execution.
</p>

<p>
	 
</p>

<p>
	"A security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac," explains Microsoft's security bulletin.
</p>

<p>
	 
</p>

<p>
	"Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365."
</p>

<p>
	 
</p>

<p>
	"3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time."
</p>

<p>
	 
</p>

<p>
	A critical Windows Kerberos bug tracked as <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-20674" rel="external nofollow" target="_blank">CVE-2024-20674</a> was also fixed today, allowing an attacker to bypass the authentication feature.
</p>

<p>
	 
</p>

<p>
	"An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server," reads a support bulletin.
</p>

<h2>
	Recent updates from other companies
</h2>

<p>
	Other vendors who released updates or advisories in January 2024 include:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Cisco </strong><a href="https://sec.cloudapps.cisco.com/security/center/publicationListing.x" rel="external nofollow" target="_blank">released security updates</a> for a privilege elevation flaw in the Cisco Identity Services Engine.
	</li>
	<li>
		<strong>Google </strong>released the <a href="https://source.android.com/docs/security/bulletin/2024-01-01" rel="external nofollow" target="_blank">Android January 2024 security updates</a>.
	</li>
	<li>
		<strong>Ivanti</strong> <a href="https://www.bleepingcomputer.com/news/security/ivanti-warns-critical-epm-bug-lets-hackers-hijack-enrolled-devices/" target="_blank" rel="external nofollow">released security updates</a> for a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM).
	</li>
	<li>
		A new <a href="https://www.bleepingcomputer.com/news/security/kyberslash-attacks-put-quantum-encryption-projects-at-risk/" target="_blank" rel="external nofollow"><strong>KyberSlash attack</strong></a> puts numerous Quantum encryption projects at risk.
	</li>
	<li>
		<strong>SAP</strong> has released its <a href="https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&amp;rc=10" rel="external nofollow" target="_blank">January 2024 Patch Day</a> updates.
	</li>
</ul>

<h2>
	The January 2024 Patch Tuesday Security Updates
</h2>

<p>
	Below is the complete list of resolved vulnerabilities in the January 2024 Patch Tuesday updates.
</p>

<p>
	 
</p>

<p>
	To access the full description of each vulnerability and the systems it affects, you can view the <a href="https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/Microsoft-Patch-Tuesday-January-2024.html" target="_blank" rel="external nofollow">full report here</a>.
</p>

<p>
	 
</p>

<div style="overflow-x:auto">
	<table border="1">
		<tbody>
			<tr>
				<th>
					Tag
				</th>
				<th>
					CVE ID
				</th>
				<th>
					CVE Title
				</th>
				<th>
					Severity
				</th>
			</tr>
			<tr>
				<td>
					.NET and Visual Studio
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-0057" rel="external nofollow" target="_blank">CVE-2024-0057</a>
				</td>
				<td>
					.NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					.NET Core &amp; Visual Studio
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20672" rel="external nofollow" target="_blank">CVE-2024-20672</a>
				</td>
				<td>
					.NET Core and Visual Studio Denial of Service Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					.NET Framework
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21312" rel="external nofollow" target="_blank">CVE-2024-21312</a>
				</td>
				<td>
					.NET Framework Denial of Service Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Azure Storage Mover
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20676" rel="external nofollow" target="_blank">CVE-2024-20676</a>
				</td>
				<td>
					Azure Storage Mover Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Bluetooth Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21306" rel="external nofollow" target="_blank">CVE-2024-21306</a>
				</td>
				<td>
					Microsoft Bluetooth Driver Spoofing Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Devices
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21325" rel="external nofollow" target="_blank">CVE-2024-21325</a>
				</td>
				<td>
					Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-0222" rel="external nofollow" target="_blank">CVE-2024-0222</a>
				</td>
				<td>
					Chromium: CVE-2024-0222 Use after free in ANGLE
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-0223" rel="external nofollow" target="_blank">CVE-2024-0223</a>
				</td>
				<td>
					Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-0224" rel="external nofollow" target="_blank">CVE-2024-0224</a>
				</td>
				<td>
					Chromium: CVE-2024-0224 Use after free in WebAudio
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Edge (Chromium-based)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-0225" rel="external nofollow" target="_blank">CVE-2024-0225</a>
				</td>
				<td>
					Chromium: CVE-2024-0225 Use after free in WebGPU
				</td>
				<td>
					Unknown
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Identity Services
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21319" rel="external nofollow" target="_blank">CVE-2024-21319</a>
				</td>
				<td>
					Microsoft Identity Denial of service vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20677" rel="external nofollow" target="_blank">CVE-2024-20677</a>
				</td>
				<td>
					Microsoft Office Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Office SharePoint
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21318" rel="external nofollow" target="_blank">CVE-2024-21318</a>
				</td>
				<td>
					Microsoft SharePoint Server Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Microsoft Virtual Hard Drive
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20658" rel="external nofollow" target="_blank">CVE-2024-20658</a>
				</td>
				<td>
					Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Remote Desktop Client
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21307" rel="external nofollow" target="_blank">CVE-2024-21307</a>
				</td>
				<td>
					Remote Desktop Client Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					SQL Server
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-0056" rel="external nofollow" target="_blank">CVE-2024-0056</a>
				</td>
				<td>
					Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					SQLite
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-35737" rel="external nofollow" target="_blank">CVE-2022-35737</a>
				</td>
				<td>
					MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Unified Extensible Firmware Interface
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21305" rel="external nofollow" target="_blank">CVE-2024-21305</a>
				</td>
				<td>
					Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Visual Studio
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20656" rel="external nofollow" target="_blank">CVE-2024-20656</a>
				</td>
				<td>
					Visual Studio Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows AllJoyn API
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20687" rel="external nofollow" target="_blank">CVE-2024-20687</a>
				</td>
				<td>
					Microsoft AllJoyn API Denial of Service Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Authentication Methods
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20674" rel="external nofollow" target="_blank">CVE-2024-20674</a>
				</td>
				<td>
					Windows Kerberos Security Feature Bypass Vulnerability
				</td>
				<td>
					<span class="crit">Critical</span>
				</td>
			</tr>
			<tr>
				<td>
					Windows BitLocker
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20666" rel="external nofollow" target="_blank">CVE-2024-20666</a>
				</td>
				<td>
					BitLocker Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Cloud Files Mini Filter Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21310" rel="external nofollow" target="_blank">CVE-2024-21310</a>
				</td>
				<td>
					Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Collaborative Translation Framework
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20694" rel="external nofollow" target="_blank">CVE-2024-20694</a>
				</td>
				<td>
					Windows CoreMessaging Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Common Log File System Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20653" rel="external nofollow" target="_blank">CVE-2024-20653</a>
				</td>
				<td>
					Microsoft Common Log File System Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Cryptographic Services
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20682" rel="external nofollow" target="_blank">CVE-2024-20682</a>
				</td>
				<td>
					Windows Cryptographic Services Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Cryptographic Services
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21311" rel="external nofollow" target="_blank">CVE-2024-21311</a>
				</td>
				<td>
					Windows Cryptographic Services Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Group Policy
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20657" rel="external nofollow" target="_blank">CVE-2024-20657</a>
				</td>
				<td>
					Windows Group Policy Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Hyper-V
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20699" rel="external nofollow" target="_blank">CVE-2024-20699</a>
				</td>
				<td>
					Windows Hyper-V Denial of Service Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Hyper-V
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20700" rel="external nofollow" target="_blank">CVE-2024-20700</a>
				</td>
				<td>
					Windows Hyper-V Remote Code Execution Vulnerability
				</td>
				<td>
					<span class="crit">Critical</span>
				</td>
			</tr>
			<tr>
				<td>
					Windows Kernel
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20698" rel="external nofollow" target="_blank">CVE-2024-20698</a>
				</td>
				<td>
					Windows Kernel Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Kernel-Mode Drivers
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21309" rel="external nofollow" target="_blank">CVE-2024-21309</a>
				</td>
				<td>
					Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Libarchive
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20697" rel="external nofollow" target="_blank">CVE-2024-20697</a>
				</td>
				<td>
					Windows Libarchive Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Libarchive
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20696" rel="external nofollow" target="_blank">CVE-2024-20696</a>
				</td>
				<td>
					Windows Libarchive Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Local Security Authority Subsystem Service (LSASS)
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20692" rel="external nofollow" target="_blank">CVE-2024-20692</a>
				</td>
				<td>
					Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Message Queuing
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20660" rel="external nofollow" target="_blank">CVE-2024-20660</a>
				</td>
				<td>
					Microsoft Message Queuing Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Message Queuing
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20664" rel="external nofollow" target="_blank">CVE-2024-20664</a>
				</td>
				<td>
					Microsoft Message Queuing Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Message Queuing
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20680" rel="external nofollow" target="_blank">CVE-2024-20680</a>
				</td>
				<td>
					Windows Message Queuing Client (MSMQC) Information Disclosure
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Message Queuing
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20663" rel="external nofollow" target="_blank">CVE-2024-20663</a>
				</td>
				<td>
					Windows Message Queuing Client (MSMQC) Information Disclosure
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Message Queuing
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21314" rel="external nofollow" target="_blank">CVE-2024-21314</a>
				</td>
				<td>
					Microsoft Message Queuing Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Message Queuing
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20661" rel="external nofollow" target="_blank">CVE-2024-20661</a>
				</td>
				<td>
					Microsoft Message Queuing Denial of Service Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Nearby Sharing
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20690" rel="external nofollow" target="_blank">CVE-2024-20690</a>
				</td>
				<td>
					Windows Nearby Sharing Spoofing Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows ODBC Driver
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20654" rel="external nofollow" target="_blank">CVE-2024-20654</a>
				</td>
				<td>
					Microsoft ODBC Driver Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Online Certificate Status Protocol (OCSP) SnapIn
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20662" rel="external nofollow" target="_blank">CVE-2024-20662</a>
				</td>
				<td>
					Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Online Certificate Status Protocol (OCSP) SnapIn
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20655" rel="external nofollow" target="_blank">CVE-2024-20655</a>
				</td>
				<td>
					Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Scripting
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20652" rel="external nofollow" target="_blank">CVE-2024-20652</a>
				</td>
				<td>
					Windows HTML Platforms Security Feature Bypass Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Server Key Distribution Service
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21316" rel="external nofollow" target="_blank">CVE-2024-21316</a>
				</td>
				<td>
					Windows Server Key Distribution Service Security Feature Bypass
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Subsystem for Linux
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20681" rel="external nofollow" target="_blank">CVE-2024-20681</a>
				</td>
				<td>
					Windows Subsystem for Linux Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows TCP/IP
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21313" rel="external nofollow" target="_blank">CVE-2024-21313</a>
				</td>
				<td>
					Windows TCP/IP Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Themes
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20691" rel="external nofollow" target="_blank">CVE-2024-20691</a>
				</td>
				<td>
					Windows Themes Information Disclosure Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Themes
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-21320" rel="external nofollow" target="_blank">CVE-2024-21320</a>
				</td>
				<td>
					Windows Themes Spoofing Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Win32 Kernel Subsystem
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20686" rel="external nofollow" target="_blank">CVE-2024-20686</a>
				</td>
				<td>
					Win32k Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
			<tr>
				<td>
					Windows Win32K
				</td>
				<td>
					<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-20683" rel="external nofollow" target="_blank">CVE-2024-20683</a>
				</td>
				<td>
					Win32k Elevation of Privilege Vulnerability
				</td>
				<td>
					Important
				</td>
			</tr>
		</tbody>
	</table>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2024-patch-tuesday-fixes-49-flaws-12-rce-bugs/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21119</guid><pubDate>Wed, 10 Jan 2024 07:53:28 +0000</pubDate></item><item><title>This smart lock can recognize your face</title><link>https://nsaneforums.com/news/security-privacy-news/this-smart-lock-can-recognize-your-face-r21093/</link><description><![CDATA[<h3>
	With the Lockly Visage, you can unlock your door as easily as you unlock your phone.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			CES is where we get to see all those cool tech gadgets you see in movies become a reality, and with Lockly’s latest smart lock, facial recognition is finally coming to our front doors. Yes, now you can unlock your front door like Tom Cruise.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			The smart lock company is showing off its newest product at CES 2024 this week. The $349 <a href="https://lockly.com/pages/zeno-series-visage" rel="external nofollow">Lockly Visage</a> smart lock with facial recognition can replace your standard deadbolt and turn your doorway into a high-tech haven. Just approach, and the door will unlock. The smart lock also works with Apple’s Home Key and a fingerprint reader for other high-tech home entry options.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="Lockly_Visage__Hero_.png" class="ipsImage" data-ratio="75.10" height="540" width="540" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:750x750/750x750/filters:focal(375x375:376x376):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/25204533/Lockly_Visage__Hero_.png">
		</p>

		<p>
			<em>The Lockly Visage has a fingerprint reader, digital keypad, keyed lock, and facial recognition tech for multiple ways to unlock your front door.</em>
		</p>

		<p>
			<cite>Image: Lockly</cite>
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Facial recognition is already a thing in video doorbells — Apple Home and Google Home both support it for telling you who is at your front door — but this is the first time it’s been incorporated into a consumer smart lock.<strong> </strong>While fingerprint unlocking is already a popular option on smart locks (and, in my opinion, the easiest, fastest way to unlock a door), facial recognition will make the whole process totally hands-free. Philips has also come out with a new biometric lock that it’s launching at CES this year: the <a href="https://www.theverge.com/e/23789657" rel="external nofollow">$359.99 Wi-Fi Palm Recognition Smart Deadbolt</a> uses a built-in palm scanner to unlock your door.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			However, the Visage has real <em>Minority Report</em> vibes design-wise, and if you don’t like a high-tech look, this probably isn’t for you. According to Lockly, the face unlock uses binocular facial recognition through two 2MP-resolution IR sensors to unlock your door as you approach. It can store up to 100 face profiles, so you can have friends and family enter hands-free, too. The company says it will unlock when you are within 2.6 feet and should do it in under 1.5 seconds.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			The lock has a digital keypad and RFID key cards and fobs as other access options beyond scanning your face. Plus, you can use a regular old key. The Visage works with the Lockly smartphone app for remote control of the lock and sharing and managing access. It’s also packed with radios to enable all of the above, including Wi-Fi, Bluetooth, NFC, and RFID.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			For smart home and voice assistant integration, the lock will work with Apple Home, Amazon Alexa, and Google Assistant when it arrives this summer. The company says the Visage is compatible with the new Matter smart home standard, although it’s still waiting on official certification.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="Lockly_Matter_Link_PGH260_3.jpg" class="ipsImage" data-ratio="75.10" height="540" width="540" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:2872x2872/750x750/filters:focal(1436x1436:1437x1437):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/25204539/Lockly_Matter_Link_PGH260_3.jpg">
		</p>

		<p>
			<em>The $79.99 Lockly Matter Link Hub will connect Lockly’s existing locks to the new Matter smart home standard.</em>
		</p>

		<p>
			<cite>Image: Lockly</cite>
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Speaking of Matter, Lockly is making good on a <a href="https://www.theverge.com/23547154/matter-smart-home-new-devices-ces-2023#:~:text=Lockly%20announced%20the,Secure%20Pro." rel="external nofollow">promise it made at CES last year</a> that it would add Matter support to its existing locks. The company is launching a <a href="https://lockly.com/pages/matter-link" rel="external nofollow">$79.99 Matter Link Hub</a> later this year. This is a plug-in device that Lockly says can bring most existing Lockly products into Matter, including the <a href="https://lockly.com/products/lockly-flex-touch-deadbolt" rel="external nofollow">Flex Touch Fingerprint Deadbolt</a>, Access Touch, and Secure Plus. This will also add Apple Home support to these locks for the first time. The Matter Link Hub will replace any existing Lockly hub you use with your lock, so you won’t need two.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Lockly also announced the first Z-Wave-certified fingerprint lock as a partnership with <a href="http://alarm.com/" rel="external nofollow">Alarm.com</a>, meaning you can integrate it with any Alarm.com-powered home security system. The Lockly Guard Deadbolt Z-Wave and a version without fingerprint access will be available directly to pro installers.
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/1/8/24025150/lockly-visage-facial-recognition-smart-lock-matter-home-key" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21093</guid><pubDate>Mon, 08 Jan 2024 19:16:28 +0000</pubDate></item><item><title>The New Digital Dark Age</title><link>https://nsaneforums.com/news/security-privacy-news/the-new-digital-dark-age-r21082/</link><description><![CDATA[<h3>
	Online trust will reach an all-time low thanks to unchecked disinformation, AI-generated content, and social platforms pulling up their data drawbridges.
</h3>

<p>
	For researchers, social media has always represented greater access to data, more democratic involvement in knowledge production, and great transparency about social behavior. Getting a sense of what was happening—especially during political crises, major media events, or natural disasters—was as easy as looking around a platform like Twitter or Facebook. In 2024, however, that will no longer be possible.
</p>

<p>
	 
</p>

<p>
	In 2024, we will face a grim digital dark age, as social media platforms transition away from the logic of Web 2.0 and toward one dictated by AI-generated content. Companies have rushed to incorporate large language models (LLMs) into online services, complete with hallucinations (inaccurate, unjustified responses) and mistakes, which have further fractured our trust in online information.
</p>

<p>
	 
</p>

<p>
	Another aspect of this new digital dark age comes from not being able to see what others are doing. Twitter once pulsed with the publicly readable sentiment of its users. Social researchers loved Twitter data, relying on it because it provided a ready, reasonable approximation of how a significant slice of internet users behaved. However, <a href="https://www.wired.com/story/twitters-api-crackdown-will-hit-more-than-just-bots/" rel="external nofollow">Elon Musk has now priced researchers out of Twitter data</a> after announcing that the platform was ending free access to its API. This made it difficult, if not impossible, to obtain data needed for research on topics such as public health, natural disaster response, political campaigning, and economic activity. It was a harsh reminder that the modern internet has never been free or democratic, but instead walled and controlled.
</p>

<p>
	 
</p>

<p>
	Closer cooperation with platform companies is not the answer. X, for instance, <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://counterhate.com/blog/civil-society-organizations-and-experts-sign-open-letter-to-stand-against-elon-musks-efforts-to-silence-independent-researchers/"}' data-offer-url="https://counterhate.com/blog/civil-society-organizations-and-experts-sign-open-letter-to-stand-against-elon-musks-efforts-to-silence-independent-researchers/" href="https://counterhate.com/blog/civil-society-organizations-and-experts-sign-open-letter-to-stand-against-elon-musks-efforts-to-silence-independent-researchers/" rel="external nofollow" target="_blank">has filed a suit</a> against independent researchers who pointed out the rise in hate speech on the platform. Recently, it has also been revealed that researchers who used Facebook and Instagram’s data to study the platforms’ role in the US 2020 elections had been granted “<a href="https://www.science.org/doi/10.1126/science.adi2430" rel="external nofollow">independence by permission</a>” by Meta. This means that the company chooses which projects to share its data with and, while the research may be independent, Meta also controls what types of questions are asked and who asks them.
</p>

<p>
	 
</p>

<p>
	With elections coming in the US, India, Mexico, Indonesia, the UK, and the EU in 2024, the stakes are high. Until now, online “<a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.ipie.info/"}' data-offer-url="https://www.ipie.info/" href="https://www.ipie.info/" rel="external nofollow" target="_blank">observatories</a>” have been <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.cip.uw.edu/news/cip-award-for-excellence/"}' data-offer-url="https://www.cip.uw.edu/news/cip-award-for-excellence/" href="https://www.cip.uw.edu/news/cip-award-for-excellence/" rel="external nofollow" target="_blank">independently monitoring</a> social media platforms for evidence of manipulation, inauthentic behavior, and harmful content. However, changes in data access by social media platforms, as well as the explosion of generative AI misinformation, mean that the tools that researchers and journalists developed in prior national elections for monitoring online activity won’t work. One of my own collaborations, AI4TRUST, is developing new tools for combating misinformation, but our endeavor is stalled because of these changes.
</p>

<p>
	 
</p>


<p>
	We need to clean up our online platforms. The Center for Countering Digital Hate, a research, advocacy, and policy organization working to stop the spread of online hate and disinformation, has called for the adoption of its <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://counterhate.com/research/star-framework/"}' data-offer-url="https://counterhate.com/research/star-framework/" href="https://counterhate.com/research/star-framework/" rel="external nofollow" target="_blank">STAR Framework</a> (Safety by Design, Transparency, Accountability, and Responsibility). This would ensure that digital products and services are safe before they are launched; increase transparency around algorithms, rule enforcement, and advertising; and work to hold companies both accountable to democratic and independent bodies, and responsible for omissions and actions that lead to harm. The EU’s Digital Services Act is a step in the right direction of regulation, including provisions to ensure that independent researchers can monitor social network platforms. However, these provisions will take years to be actionable. The UK’s Online Safety Bill—slowly making its way through the policy process—could also help, but again, these provisions will take time to implement. Until then, the transition from social media to AI-mediated information means that, in 2024, a new digital dark age will likely begin.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/the-new-digital-dark-age/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21082</guid><pubDate>Mon, 08 Jan 2024 18:51:18 +0000</pubDate></item><item><title>AI Needs to Be Both Trusted and Trustworthy</title><link>https://nsaneforums.com/news/security-privacy-news/ai-needs-to-be-both-trusted-and-trustworthy-r21081/</link><description><![CDATA[<h3>
	Through sensors, actuators, and IoT devices, AI is going to be interacting with the physical plane on a massive scale. The question is, how does one build trust in its actions?
</h3>

<p>
	In 2016, I wrote about an internet that affected the world in a direct, physical manner. It was connected to your smartphone. It had sensors like cameras and thermostats. It had actuators: thermostats, drones, autonomous cars. And it had smarts in the middle, using sensor data to figure out what to do and then actually do it. <a href="https://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/" rel="external nofollow">This was the Internet of Things</a>.
</p>

<p>
	 
</p>

<p>
	The classical definition of a robot is something that senses, thinks, and acts—that’s today’s internet. We’ve been building a world-sized robot without even realizing it.
</p>

<p>
	 
</p>

<p>
	In 2023, we upgraded the “thinking” part with large language models (LLMs) like GPT. ChatGPT both surprised and amazed the world with its ability to understand human language and generate credible, on-topic, humanlike responses. But what these are really good at is interacting with systems formerly designed for humans. Their accuracy will get better, and they will be used to replace actual humans.
</p>

<p>
	 
</p>

<p>
	In 2024, we’re going to start connecting those LLMs and other AI systems to both sensors and actuators. In other words, they will be connected to the larger world, through APIs. They will receive direct inputs from our environment, in all the forms I thought about in 2016. And they will increasingly control our environment, through IoT devices and beyond.
</p>

<p>
	 
</p>

<p>
	It will start small: summarizing emails and writing limited responses. Arguing with customer service—on chat—for service changes and refunds. Making travel reservations.
</p>

<p>
	 
</p>

<p>
	But these AIs will interact with the physical world as well, first controlling robots and then having those robots as part of them. Your AI-driven thermostat will turn the heat and air-conditioning on based on who's in what room, their preferences, and where they are likely to go next. It will negotiate with the power company for the cheapest rates by scheduling usage of high-energy appliances or car recharging.
</p>

<p>
	 
</p>


<p>
	This is the easy stuff. The real changes will happen when these AIs group together in a larger intelligence: a vast network of power generation and power consumption, with each building just a node, like an ant colony or a human army.
</p>

<p>
	 
</p>


<p>
	Future industrial-control systems will include traditional factory robots, as well as AI systems to schedule their operation. The AI will automatically order supplies and coordinate final product shipping. It will manage its own finances, interacting with other systems in the banking world. It will call on humans as needed: to repair individual subsystems or to do things too specialized for the robots.
</p>

<p>
	 
</p>

<p>
	Consider driverless cars. Individual vehicles have sensors, of course, but they also make use of sensors embedded in the roads and on poles. The real processing is done in the cloud, by a centralized system that is piloting all the vehicles. This allows individual cars to coordinate their movement for more efficiency: braking in synchronization, for example.
</p>

<p>
	 
</p>

<p>
	These are robots, but not the sort familiar from movies and television. We normally think of robots as discrete metal objects, with sensors and actuators on their surface and processing logic inside. But our new robots are different. Their sensors and actuators are distributed in the environment. Their processing is somewhere else. They’re a network of individual units that become a robot only in aggregate.
</p>

<p>
	 
</p>

<p>
	This turns our notion of security on its head. If massive, decentralized AIs run everything, then who controls those AIs matters a lot. It’s as if all the executive assistants or lawyers in an industry worked for the same agency. An AI that is both trusted and trustworthy will become a critical requirement.
</p>

<p>
	 
</p>

<p>
	This future requires us to see ourselves less as individuals, and more as parts of larger systems. It’s AI as nature, as Gaia—everything as one system. It’s a future more aligned with the Buddhist philosophy of interconnectedness than Western ideas of individuality. (And also with science fiction dystopias, like Skynet from the <em>Terminator</em> movies.) It will require a rethinking of much of our assumptions about governance and economy. That’s not going to happen soon, but in 2024 we will see the first steps along that path.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/ai-needs-to-be-both-trusted-and-trustworthy/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21081</guid><pubDate>Mon, 08 Jan 2024 18:50:16 +0000</pubDate></item><item><title>The Battle for Biometric Privacy</title><link>https://nsaneforums.com/news/security-privacy-news/the-battle-for-biometric-privacy-r21080/</link><description><![CDATA[<h3>
	The pushback against ubiquitous surveillance and targeted deepfaking has begun—but regulation may fail to keep up with AI advances.
</h3>

<p>
	In 2024, increased adoption of biometric surveillance systems, such as the use of AI-powered facial recognition in public places and access to government services, will spur biometric identity theft and anti-surveillance innovations. Individuals aiming to steal biometric identities to commit fraud or gain access to unauthorized data will be bolstered by generative AI tools and the abundance of face and voice data posted online.
</p>

<p>
	 
</p>

<p>
	Already, voice clones are being used for scams. Take, for example, Jennifer DeStefano, a mom in Arizona who heard the panicked voice of her daughter crying “<a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.goodmorningamerica.com/family/story/mom-warns-hoax-ai-clone-daughters-voice-98551351"}' data-offer-url="https://www.goodmorningamerica.com/family/story/mom-warns-hoax-ai-clone-daughters-voice-98551351" href="https://www.goodmorningamerica.com/family/story/mom-warns-hoax-ai-clone-daughters-voice-98551351" rel="external nofollow" target="_blank">Mom, these bad men have me!”</a> after receiving a call from an unknown number. The scammer demanded money. DeStefano was eventually able to confirm that her daughter was safe. This hoax is a precursor for more sophisticated biometric scams that will target our deepest fears by using the images and sounds of our loved ones to coerce us to do the bidding of whoever deploys these tools.
</p>

<p>
	 
</p>

<p>
	In 2024, some governments will likely adopt biometric mimicry to support psychological torture. In the past, a person of interest might be told false information with little evidence to support the claims other than the words of the interrogator. Today, a person being questioned may have been arrested due to a false facial recognition match. Dark-skinned men in the United States, including <a href="https://www.wired.com/story/wrongful-arrests-ai-derailed-3-mens-lives/" rel="external nofollow">Robert Williams, Michael Oliver, Nijeer Parks</a>, and <a href="https://www.nytimes.com/2023/03/31/technology/facial-recognition-false-arrests.html" rel="external nofollow">Randal Reid</a>, have been wrongfully arrested due to facial misidentification, detained and imprisoned for crimes they did not commit. They are among a group of individuals, including the elderly, people of colour, and gender nonconforming individuals, who are at higher risk of facial misidentification.
</p>

<p>
	 
</p>

<p>
	Generative AI tools also give intelligence agencies the ability to create false evidence, like a video of an alleged coconspirator confessing to a crime. Perhaps just as harrowing is that the power to create digital doppelgängers will not be limited to entities with large budgets. The availability of open-sourced generative AI systems that can produce humanlike voices and false videos will increase the circulation of revenge porn, child sexual abuse materials, and more on the dark web.
</p>

<p>
	 
</p>

<p>
	By 2024 we will have growing numbers of “excoded” communities and people—those whose life opportunities have been negatively altered by AI systems. At the <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"http://fly.ajl.org"}' data-offer-url="http://fly.ajl.org" href="http://fly.ajl.org" rel="external nofollow" target="_blank">Algorithmic Justice League, we have received hundreds of reports about biometric rights being compromised.</a> In response, we will witness the rise of the faceless, those who are committed to keeping their biometric identities hidden in plain sight.
</p>

<p>
	 
</p>

<p>
	Because biometric rights will vary across the world, fashion choices will reflect regional biometric regimes. Face coverings, like those used for religious purposes or medical masks to stave off viruses, will be adopted as both fashion statement and anti-surveillance garments where permitted. In 2019, when protesters began destroying surveillance equipment while obscuring their appearance, a <a href="https://www.pbs.org/newshour/world/hong-kong-leader-bans-protesters-from-wearing-masks" rel="external nofollow">Hong Kong government leader banned face masks</a>.
</p>

<p>
	 
</p>


<p>
	In 2024, we will start to see a bifurcation of mass surveillance and free-face territories, areas where you have laws like the provision in the proposed EU AI Act, which bans the use of live biometrics in public places. In such places, anti-surveillance fashion will flourish. After all, facial recognition can be used retroactively on video feeds. Parents will fight to protect the right for children to be “biometric naive”, which is to have none of their biometrics such as faceprint, voiceprint, or iris pattern scanned and stored by government agencies, schools, or religious institutions. New eyewear companies will offer lenses that distort the ability for cameras to easily capture your ocular biometric information, and pairs of glasses will come with prosthetic extensions to alter your nose and cheek shapes. 3D printing tools will be used to make at-home face prosthetics, though depending on where you are in the world, it may be outlawed. In a world where the face is the final frontier of privacy, glancing upon the unaltered visage of another will be a rare intimacy.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/the-battle-for-biometric-privacy/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21080</guid><pubDate>Mon, 08 Jan 2024 18:49:18 +0000</pubDate></item><item><title>Twilio will ditch its Authy desktop 2FA app in August, goes mobile only</title><link>https://nsaneforums.com/news/security-privacy-news/twilio-will-ditch-its-authy-desktop-2fa-app-in-august-goes-mobile-only-r21077/</link><description><![CDATA[<p>
	The Authy desktop apps for Windows, macOS, and Linux will be discontinued in August 2024, with the company recommending users switch to a mobile version of the two-factor authentication (2FA) app.
</p>

<p>
	 
</p>

<p>
	Authy is an authenticator app that allows users to set up two-factor authentication (2FA) for their online accounts, generating a time-based one-time password (TOTP) that changes every 30 seconds and must be entered alongside the account password.
</p>

<p>
	 
</p>

<p>
	The app's popularity is due to its ability to generate offline codes, cross-device syncing, the option to keep encrypted backups in the cloud for account recovery in case of device loss, and strong token encryption for security.
</p>

<p>
	 
</p>

<p>
	Its vendor, Twilio, warned today that it plans to sunset the desktop app this summer to concentrate its development efforts and resources on areas with higher demand.
</p>

<p>
	 
</p>

<p>
	"We made this difficult decision to sunset the Twilio Authy desktop apps in order to streamline our focus and provide more value on existing product solutions for which we see increasing demand," explains Twilio in a new <a href="http://support.authy.com/hc/en-us/articles/17592416719003-Authy-for-Desktop-End-of-Life-EOL-" rel="external nofollow" target="_blank">support document</a>.
</p>

<p>
	 
</p>

<p>
	Twilio is going through a turbulent period of restructuring, and the company <a href="https://www.businesswire.com/news/home/20240107689821/en/Twilio-Announces-CEO-Transition" rel="external nofollow" target="_blank">announced today</a> the stepping down of its co-founder Jeff Lawson as CEO and board member amid slowing sales growth and pressure from investors.
</p>

<h2>
	Recommendations for users
</h2>

<p>
	Existing users of the Authy desktop app are "strongly recommended to immediately switch" to the iOS or Android app, available from the <a href="https://apps.apple.com/us/app/twilio-authy/id494168017" rel="external nofollow" target="_blank">Apple App Store</a> and <a href="https://play.google.com/store/apps/details?id=com.authy.authy&amp;pli=1" rel="external nofollow" target="_blank">Google Play</a>, respectively.
</p>

<p>
	 
</p>

<p>
	Twilio notes that the iOS app will remain available to download on M1/M2 Apple computers, so macOS users on Apple Silicon hardware won't be affected for now.
</p>

<p>
	 
</p>

<p>
	Enabling Authy's <a href="https://authy.com/features/backup/" rel="external nofollow" target="_blank">backups feature</a> will cause your tokens in the desktop client to automatically synchronize with your mobile app.
</p>

<p>
	 
</p>

<p>
	Applications and platforms relying on Authy's API to authenticate their users must inform their customers of the need to switch by August 2024.
</p>

<p>
	 
</p>

<p>
	Twilio lists alternative desktop apps for users who can't or prefer not to use a mobile device for 2FA, with recommendations including <a href="https://support.1password.com/one-time-passwords/" rel="external nofollow" target="_blank">1Password</a>, <a href="https://keepassxc.org/download" rel="external nofollow" target="_blank">KeePassXC</a>, <a href="https://authenticator.cc/" rel="external nofollow" target="_blank">Authenticator</a>, <a href="https://steptwo.app/" rel="external nofollow" target="_blank">Step Two</a>, and <a href="https://secrets.app/" rel="external nofollow" target="_blank">Secrets</a>.
</p>

<p>
	 
</p>

<p>
	Authy has no export feature for its tokens, so anyone switching to another 2FA app must first disable 2FA on every account that uses Authy and then enroll each account again in the new app, which receives a fresh secret from the service.
</p>

<p>
	 
</p>

<p>
	Users are warned not to delete their tokens in Authy until 2FA has been disabled on the corresponding accounts, as doing so may lock them out of those accounts.
</p>

<p>
	 
</p>

<p>
	Whichever route affected users take, the manual steps must be carried out carefully: a single mistake, such as removing a token before 2FA is turned off on the account, can lock them out of that account.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/twilio-will-ditch-its-authy-desktop-2fa-app-in-august-goes-mobile-only/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21077</guid><pubDate>Mon, 08 Jan 2024 18:45:25 +0000</pubDate></item><item><title>X users fed up with constant stream of malicious crypto ads</title><link>https://nsaneforums.com/news/security-privacy-news/x-users-fed-up-with-constant-stream-of-malicious-crypto-ads-r21060/</link><description><![CDATA[<p>
	Cybercriminals are abusing X advertisements to promote websites that lead to crypto drainers, fake airdrops, and other scams.
</p>

<p>
	 
</p>

<p>
	Like all advertising platforms, X, formerly known as Twitter, claims to show advertisements <a href="https://business.twitter.com/en/help/troubleshooting/how-twitter-ads-work.html" rel="external nofollow" target="_blank">based on a user's activity,</a> leading to ads that match users' interests.
</p>

<p>
	 
</p>

<p>
	While Elon Musk had previously posted that YouTube is "nonstop scam ads," X appears to have its own problem, increasingly showing advertisements promoting cryptocurrency scams.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="d2cd0491166101b17e041bef86fd6e7e" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/elonmusk/status/1534196611978383361"></iframe>
</div>

<p>
	These scams include links to Telegram channels promoting pump and dumps, phishing pages, and links to sites hosting crypto drainers, which are malicious scripts that steal all the assets in a connected wallet.
</p>

<p>
	 
</p>

<p>
	As X shows advertisements based on users' interests, those not involved in cryptocurrency may not see these ads. However, those who frequent the space are <a href="http://twitter.com/search?q=crypto%20scam%20ads&amp;src=typed_query&amp;f=live" rel="external nofollow" target="_blank">now bombarded</a> by <a href="https://twitter.com/RagingLazerbull/status/1743291658702143550" rel="external nofollow" target="_blank">what appears</a> to <a href="https://twitter.com/notamused0922/status/1743284065963303099" rel="external nofollow" target="_blank">be</a> an <a href="https://twitter.com/ConcatNonsense/status/1743323655755423750" rel="external nofollow" target="_blank">endless</a> <a href="https://twitter.com/idreesxkhan/status/1743312171725992206" rel="external nofollow" target="_blank">stream</a> of <a href="https://twitter.com/Drizzzle__/status/1743310047130591354" rel="external nofollow" target="_blank">malicious</a> <a href="https://twitter.com/harrycanuck/status/1743305846099214662" rel="external nofollow" target="_blank">ads</a>.
</p>

<p>
	 
</p>

<p>
	"I'm not lying when I say EVERY single ad I am seeing on X is a scam link targeted at crypto to drain people's wallets," reads a post on X.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="b7abff284b5d73c6db552d6cbaab405f" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/GuidoDisalle/status/1742379469216596139"></iframe>
</div>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="9c935729df3b1e1aac21e7b4139ef98f" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/OGDfarmer/status/1742883320994685103"></iframe>
</div>

<p>
	While attackers have been abusing X's ad platform for some time, the sheer volume of malicious ads has increased rapidly over the past month, causing security researcher <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">MalwareHunterTeam</a> to track them.
</p>

<p>
	 
</p>

<p>
	The researcher has been <a href="https://twitter.com/malwrhunterteam/status/1742810152904827128" rel="external nofollow" target="_blank">posting screenshots of X ads containing</a> crypto scams, almost all coming from verified users.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="crypto-ads-2.jpg" class="ipsImage" data-ratio="75.10" height="379" width="720" src="https://www.bleepstatic.com/images/news/security/x/x-scam-ads/crypto-ads-2.jpg">
	</p>

	<div style="text-align: left;">
		<em>Examples of malicious advertisements on X</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	It has gotten so bad that other X users have resorted to leaving community notes on ads to warn others that they are scams or wallet drainers.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="community-notes.jpg" class="ipsImage" data-ratio="75.10" height="540" width="339" src="https://www.bleepstatic.com/images/news/security/x/x-scam-ads/community-notes.jpg">
	</p>

	<div style="text-align: left;">
		<em>Community notes warning an ad is a scam</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Last month, ScamSniffer reported that a cryptocurrency drainer named 'MS Drainer' that is promoted in Google Search and X advertisements, had <a href="https://www.bleepingcomputer.com/news/security/crypto-drainer-steals-59-million-from-63k-people-in-twitter-ad-push/" target="_blank" rel="external nofollow">stolen $59 million from 63,210 victims</a> over nine months.
</p>

<p>
	 
</p>

<p>
	On X, the threat actors created advertisements that pretended to be a limited-edition NFT collection called Ordinals Bubbles, fake airdrops, and new token launches.
</p>

<p>
	 
</p>

<p>
	It's unclear what vetting process X has in place to prevent these ads, but many users are frustrated that there is not much scrutiny on what ads are allowed to run on the site.
</p>

<p>
	 
</p>

<p>
	Bloomberg <a href="https://www.bloomberg.com/news/articles/2023-12-12/musk-s-x-2023-ad-sales-projected-to-slump-to-about-2-5-billion" rel="external nofollow" target="_blank">reported</a> last month that X's 2023 ad revenue is projected to slump to about $2.5 billion, a drop of more than 50% from 2022.
</p>

<p>
	 
</p>

<p>
	This has led X users to believe that X is turning a blind eye to these malicious ads to bolster its dwindling advertising revenue.
</p>

<p>
	 
</p>

<p>
	BleepingComputer did not contact X about this story, as they have not responded to our previous press emails.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/x-users-fed-up-with-constant-stream-of-malicious-crypto-ads/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21060</guid><pubDate>Sat, 06 Jan 2024 17:07:21 +0000</pubDate></item><item><title>The Week in Ransomware - January 5th 2024 - Secret decryptors</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-january-5th-2024-secret-decryptors-r21053/</link><description><![CDATA[<p>
	With it being the first week of the New Year and some still away on vacation, it has been slow with ransomware news, attacks, and new information.
</p>

<p>
	 
</p>

<p>
	However, last weekend, BleepingComputer tested a <a href="https://www.bleepingcomputer.com/news/security/new-black-basta-decryptor-exploits-ransomware-flaw-to-recover-files/" target="_blank" rel="external nofollow">new decryptor for the Black Basta ransomware</a> to show how it could be used to decrypt victims' files for free.
</p>

<p>
	 
</p>

<p>
	BleepingComputer learned that this method was used by disaster recovery and incident response firms for months until the ransomware operation fixed the encryption flaw in mid-December 2023.
</p>

<p>
	 
</p>

<p>
	The Black Basta data leak site is down now, but this appears to be caused by technical difficulties rather than a law enforcement operation, as the negotiation sites are still active.
</p>

<p>
	 
</p>

<p>
	In other news, Xerox confirmed one of its subsidiaries, <a href="https://www.bleepingcomputer.com/news/security/xerox-says-subsidiary-xbs-us-breached-after-ransomware-gang-leaks-data/" target="_blank" rel="external nofollow">Xerox Business Solutions (XBS), suffered a cyberattack</a>.
</p>

<p>
	 
</p>

<p>
	The INC Ransomware operation, which claimed responsibility for the attack, told BleepingComputer that it had much greater access to Xerox than is being disclosed. BleepingComputer has not been able to independently confirm whether this is true.
</p>

<p>
	 
</p>

<p>
	We also learned this week that Australia's Court Services Victoria (CSV) <a href="https://www.bleepingcomputer.com/news/security/victoria-court-recordings-exposed-in-reported-ransomware-attack/" target="_blank" rel="external nofollow">suffered a ransomware attack</a>, allowing the threat actors to view recordings of hearings, even potentially sensitive ones.
</p>

<p>
	 
</p>

<p>
	Finally, the source code and a builder for a new version of the <a href="https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-source-code-sold-for-500-on-hacking-forum/" target="_blank" rel="external nofollow">Zeppelin Ransomware (Zeppelin2) was sold</a> on a hacking forum, allegedly fixing an encryption bug that allowed law enforcement and incident responders to recover files for free.
</p>

<p>
	 
</p>

<p>
	This source code and a builder could allow cybercriminals to launch a ransomware-as-a-service operation, so this will be something to keep an eye on.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/Intel_by_KELA" rel="external nofollow" target="_blank">@Intel_by_KELA</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, <a href="https://twitter.com/BushidoToken" rel="external nofollow" target="_blank">@BushidoToken</a>, <a href="https://twitter.com/BrettCallow" rel="external nofollow" role="link" tabindex="-1" target="_blank">@BrettCallow</a>, <a href="https://twitter.com/emsisoft" rel="external nofollow" target="_blank">@emsisoft</a>, <a href="https://twitter.com/AlvieriD" rel="external nofollow" target="_blank">@AlvieriD</a>, and <a href="https://infosec.exchange/@srlabs" rel="external nofollow" target="_blank">@srlabs</a>
</p>

<h2>
	December 30th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-black-basta-decryptor-exploits-ransomware-flaw-to-recover-files/" rel="external nofollow">New Black Basta decryptor exploits ransomware flaw to recover files</a>
</h3>

<p>
	Researchers have created a decryptor that exploits a flaw in Black Basta ransomware, allowing victims to recover their files for free.
</p>

<h2>
	January 2nd 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/xerox-says-subsidiary-xbs-us-breached-after-ransomware-gang-leaks-data/" target="_blank" rel="external nofollow">Xerox says subsidiary XBS U.S. breached after ransomware gang leaks data</a>
</h3>

<p>
	The U.S. division of Xerox Business Solutions (XBS) has been compromised by hackers with a limited amount of personal information possibly exposed, according to a statement by the parent company, Xerox Corporation.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/victoria-court-recordings-exposed-in-reported-ransomware-attack/" target="_blank" rel="external nofollow">Victoria court recordings exposed in reported ransomware attack</a>
</h3>

<p>
	Australia's Court Services Victoria (CSV) is warning that video recordings of court hearings were exposed after suffering a reported Qilin ransomware attack.
</p>

<h3>
	<a href="https://www.emsisoft.com/en/blog/44987/the-state-of-ransomware-in-the-u-s-report-and-statistics-2023/" rel="external nofollow" target="_blank">The State of Ransomware in the U.S.: Report and Statistics 2023</a>
</h3>

<p class="bc_quote">
	In 2023, the U.S. was once again battered by a barrage of financially-motivated ransomware attacks that denied Americans access to critical services, compromised their personal information, and probably killed some of them.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1742084687256854796" rel="external nofollow" target="_blank">New Shuriken ransomware</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link">PCrisk</a> found a new ransomware that appends the <strong>.Shuriken</strong> extension and drops a ransom note named <strong>READ-ME-SHURKEWIN.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1742092632900137337" rel="external nofollow" target="_blank">New Xorist variant</a>
</h3>

<p>
	PCrisk found a new Xorist variant that appends the <strong>.BaN</strong> extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1742105821444489242" rel="external nofollow" target="_blank">New Mallox ransomware variants</a>
</h3>

<p>
	PCrisk found new Mallox ransomware variants that append the <strong>.cookieshelper</strong> and <strong>.karsovrop</strong> extensions and drop a ransom note named <strong>FILE RECOVERY.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1742136910376493105" rel="external nofollow" target="_blank">New Empire ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware variant that appends the <strong>.emp</strong> extension and drops a ransom note named <strong>HOW-TO-DECRYPT.txt</strong>.
</p>

<h2>
	January 4th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-source-code-sold-for-500-on-hacking-forum/" target="_blank" rel="external nofollow">Zeppelin ransomware source code sold for $500 on hacking forum</a>
</h3>

<p>
	A threat actor announced on a cybercrime forum that they sold the source code and a cracked version of the Zeppelin ransomware builder for just $500.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/russian-hackers-wiped-thousands-of-systems-in-kyivstar-attack/" target="_blank" rel="external nofollow">Russian hackers wiped thousands of systems in KyivStar attack</a>
</h3>

<p>
	The Russian hackers behind a December breach of Kyivstar, Ukraine's largest telecommunications service provider, have wiped all systems on the telecom operator's core network.
</p>

<h2>
	That's it for this week! Hope everyone has a nice weekend!
</h2>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-5th-2024-secret-decryptors/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21053</guid><pubDate>Sat, 06 Jan 2024 02:22:17 +0000</pubDate></item><item><title>How to Be More Anonymous Online</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-be-more-anonymous-online-r21038/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Being fully anonymous is next to impossible—but you can significantly limit what the internet knows about you by sticking to a few basic rules.</strong></span>
</p>

<p>
	 
</p>

<p>
	On the internet, everyone wants to know who you are. Websites are constantly asking for your email address or trying to place tracking cookies on your devices. A murky slurry of advertisers and tech firms track which websites you visit, predicting what your interests are and what you may want to buy. Search engines, browsers, and apps can log each search or scroll you make.
</p>

<p>
	 
</p>

<p>
	At this stage of the internet, being totally anonymous across your entire online life is incredibly hard to achieve. Phones, SIM cards, browsers, Wi-Fi networks, and more use identifiers that can be linked to your activity. But there are steps you can take to obscure your identity for everyday browsing.
</p>

<p>
	 
</p>

<p>
	If you’re looking to be truly anonymous or to protect your identity for a specific purpose—such as whistleblowing or activism—you should consider your threat model and individual security situation. But many of the changes you can make, which are listed below, are straightforward switches that can stop you from being tracked as much and apply to most people.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Block the Trackers</strong></span>
</p>

<p>
	<br />
	You’re constantly being tracked online. Often the main culprit is the advertising industry and the tech companies heavily reliant on advertising to make money (think: Google and Meta). Invisible trackers and cookies embedded in websites and apps can follow you around the web.
</p>

<p>
	 
</p>

<p>
	Start with your web browser. Ideally, you want to block invisible trackers and ads that have tracking tech embedded. Advertisers can also track you using fingerprinting, a sneaky profiling method where the settings of your browser and device (such as language, screen size, and many other details) are used to single you out. If you want to see how your current browser tracks you, the Electronic Frontier Foundation’s Cover Your Tracks tool can run a real-time test on your system. Using Chrome, the world’s most popular browser, neither tracking ads nor invisible trackers are blocked for me, and my browser has a unique fingerprint.
</p>

<p>
	 
</p>

<p>
	For the most anonymity, the Tor Browser is best. Downloadable in the same way as any other browser, it encrypts your traffic by sending it through a number of servers and also deploys anti-censorship, anti-fingerprinting, and other privacy measures. Because of its advanced protections, however, Tor can sometimes be slower than other browsers. Several privacy-focused browsers such as Firefox, the Mullvad Browser, and Brave offer enhanced protections against trackers as well as further customizable privacy settings.
</p>

<p>
	 
</p>

<p>
	If you don’t want to switch browsers, there are some browser extensions that can block trackers within Chrome. Both the Ghostery extension and EFF’s Privacy Badger will block trackers, with the latter not blocking ads unless they are specifically tracking you. On Walmart’s homepage, while using Chrome, for example, Privacy Badger blocked four trackers that were in use, while Ghostery identified five.
</p>

<p>
	 
</p>

<p>
	Beyond the web, trackers embedded in your mobile applications can gather data on your activity. On Android, you should turn off personalized ads through Google’s My Ad Center, simply toggling the setting to off. Also, delete your device’s advertising ID by going to Settings, Privacy, Ads and clicking on the Delete advertising ID option. There are also Android apps that will block cross-app trackers, such as DuckDuckGo’s browser app or the University of Oxford–developed TrackerControl. If you use iOS, go to Settings, Privacy &amp; Security, Tracking, and toggle off Allow Apps to Request to Track to stop apps from tracking you across apps and websites.
</p>

<p>
	 
</p>

<p>
	For some people, a VPN may be useful for stopping their internet service provider from viewing their web traffic. VPNs can, however, see your online activity—in some cases keeping logs of it—and many are problematic. Our pick is Mullvad’s VPN, which is open source and accepts payments via cash mailed to its offices in Sweden.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Pick the Most Private Option</strong></span>
</p>

<p>
	<br />
	Every app, website, and service you use is likely to collect some data about you, but some collect more than others. Picking services that purposefully don’t collect information about you or that use end-to-end encryption, which stops companies from seeing the contents of your communications or data transfers, can help limit your exposure to the web. Generally, you want to avoid Big Tech.
</p>

<p>
	 
</p>

<p>
	For messaging, Signal collects very little information about who uses it, and it’s encrypted by default, meaning it cannot see the contents of the messages you send. For searching, DuckDuckGo, Brave Search, Kagi, Startpage, and Mojeek are our picks of the most privacy-friendly search engines. For email, Proton and Tuta (formerly Tutanota) provide free end-to-end encryption options. OnionShare uses the Tor network to allow you to anonymously share files. Proton Drive offers encrypted file storage online, and Apple’s advanced data protection settings allow iCloud storage to be end-to-end encrypted once it is enabled.
</p>

<p>
	 
</p>

<p>
	If you're using a work laptop or phone, it's also worth keeping in mind that your employer can likely see many, if not all, of the things you do on those devices. If you're searching for a new job or running personal tasks, you likely want to do them on personal devices.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Check What You Post</strong></span>
</p>

<p>
	<br />
	As much as anything, being more anonymous online is linked to your mentality. Simply put, the less you share about yourself online, the less identifiable you will be. That means being careful about what you post on social media—not sharing information that could identify you, your location, or others around you.
</p>

<p>
	 
</p>

<p>
	For instance, if you want to create a new social media account that’s not tied to your identity, keep any names or personal information out of the account name. You should also not sign up using your primary phone number, email address, physical address, or any similar information that could be linked back to you. This doesn’t apply just to a new account you’re creating; it should be the wider way you think about all of your online behavior.
</p>

<p>
	 
</p>

<p>
	There are also steps that you can take to try to delete yourself from the internet: opt out from data brokers who buy and sell information about you; update old or outdated websites and remove information from Google searches; delete old social media posts and accounts you no longer use. These steps can take a lot of work, especially if you’re delving into years-old social media accounts, but doing them a little at a time can help.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Burner Everything</strong></span>
</p>

<p>
	<br />
	As well as being cautious about what you post online, there’s also the option to use one-time accounts or masked identities for certain parts of your life. If you require a messaging account that’s not tied to your current phone number—over time, phone numbers have become common ways to identify people—it may be worth considering a separate phone and SIM that you can use for that specific purpose.
</p>

<p>
	 
</p>

<p>
	It has also become easier in recent years to hide your email address from websites and services that you are signing up to. Apple’s Hide My Email tool keeps your main email address private and generates a random email address when you sign up to a new service. If you pay for an iCloud+ subscription, the tool can generate email addresses on demand in the Settings app. Similarly, the Firefox Relay tool, which has a limited amount of free use, can generate email addresses for you that forward to your main inbox.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Take It Up a Level</strong></span>
</p>

<p>
	<br />
	Being totally anonymous online is incredibly hard to do—and the level of anonymity you require will depend on why you’re trying not to be identified. Beyond what we’ve outlined here (and how paranoid you are), there are more advanced steps that you can take.
</p>

<p>
	 
</p>

<p>
	It may be worth considering an operating system for your phone or computer that is focused on privacy and anonymity. The Tails operating system, which you need to install and run from a USB stick each time you use it, includes Tor, OnionShare, and multiple other tools you can use on your computer. For Android devices, GrapheneOS is an open source operating system that strips away the Google-linked Android elements and focuses on privacy.
</p>

<p>
	 
</p>

<p>
	There are also a number of extreme security measures you can take if you want to further harden your digital life, without going all the way to what is needed to be anonymous online. You can remove the microphones on your devices, sweep for bugs, or potentially use Faraday cages or air gap your devices so that they're not connecting to the outside world. For the majority of people, though, this level of protection may be more trouble than it’s worth.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/how-to-be-more-anonymous-online/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">21038</guid><pubDate>Fri, 05 Jan 2024 17:08:40 +0000</pubDate></item></channel></rss>
