The researchers looked at the privacy terms of 25 car brands, which were found to collect a range of customer data, from facial expressions, to sexual activity, to when, where and how people drive.

They also found terms that allowed this information to be passed on to third parties. Cars were "the official worst category of products for privacy" they had ever reviewed, they concluded.

Australia's privacy laws aren't up to the task of protecting the vast amount of personal information collected and shared by car companies. And since our privacy laws don't demand the specific disclosures required by some US states, we have much less information about what car companies are doing with our data.

Australia's privacy laws need urgent reform. We also need international cooperation on enforcing privacy regulation for car manufacturers.

How do cars collect sensitive data?

Apart from data entered directly into a car's "infotainment" system, many cars can collect data in the background via cameras, microphones, sensors and connected phones and apps.

These data include:

• speed

• steering, brake and accelerator pedal use

• seat belt use

• infotainment settings

• phone contacts

• navigation destinations

• voice data

• your location and surroundings

• and even footage of you and your family outside your car. (Between 2019 and 2022, Tesla employees internally circulated intimate footage collected from people's private cars for their own amusement, according to reports.)

• A lot of these data are used, at least in part, for legitimate purposes such as making driving more enjoyable and safer for the driver, passengers and pedestrians.

But they can also be supplemented with data collected from other sources and used for other purposes. For instance, data may be collected from your website visit, your test drive at a dealership, or from third parties including "marketing agencies" and "providers of data-collecting devices, products or systems that you use."

The latter is very broad since our TVs, fridges and even our baby monitors can collect data about us.

Mozilla points out these combined data can be used "to develop inferences about a driver's intelligence, abilities, characteristics, preferences and more."

Connected cars transmit data in real time

While cars have been collecting large amounts of information since they became "computers on wheels", this information has generally been stored in modules in the vehicle and accessed only when the car is physically connected to diagnostic equipment.

Now, however, vehicles are being sold with connected features "in the sense that they can exchange information wirelessly with the vehicle manufacturer, third party service providers, users, infrastructure operators and other vehicles."

This means your connected car can transmit data about you and your activities, generally via the internet, to various other companies as you go about your life.

Where do the data go?

In Australia, we have little information about how our information can be used and by whom.

In its US-based study, Mozilla found data from consumers' cars was being disclosed to other companies for marketing and targeted advertising purposes. It was also sold to data brokers.

Mozilla was able to uncover highly detailed information, largely because the laws of California and Virginia require specific disclosures about who personal data is disclosed to and for what purposes (among other higher privacy standards).

Australian privacy law doesn't require such specific disclosures. This is one reason car brands often have separate privacy policies for Australia.

A look at the privacy policies of various companies supplying connected cars in Australia reveals several vague, broad statements. Aside from using your data to provide you with connected services, these companies will:

• disclose it to others for "customer research"

• use it to "profile" the type of person interested in their products

• use it, along with "related companies" around the world, for vague "data analysis" and "research and development purposes" or

• provide the data to unspecified "third parties in connection with" developing new "marketing strategies."

Some may disclose your information to law enforcement or the government even when not required by law, such as when they believe "the use or disclosure is reasonably necessary to assist a law enforcement agency."

Trust us—we invented a 'voluntary code'

It's safe to say car manufacturers generally don't want privacy laws tightened. The Federal Chamber of Automotive Industries (FCAI) represents companies distributing 68 brands of various types of vehicles in Australia.

During the recent review of our privacy legislation, the FCAI made a submission to the Attorney General's department arguing against many of the privacy law reforms under consideration.

Instead, it promoted its own Voluntary Code of Conduct for Automotive Data and Privacy Protection. This weak document seems designed to comfort consumers without adding any privacy protections beyond existing legal obligations.

For example, signatories don't say they're bound by the code. Nor do they promise to follow its terms. They only say its principles will "drive their approach to treatment of vehicle-generated data and associated personal information." There are no penalties for ignoring the code.

It even states signatories will "voluntarily notify" consumers of certain matters when the Privacy Act already requires this as a matter of law.

The code also notes third parties are increasingly interested in accessing and using consumers' data to provide services, including insurance companies, parking garage operators, entertainment providers, social networks and search engine operators.

It says companies making data available to such third parties "will strive to inform you" about this.

We need privacy law reform

The government recently proposed important and wide-ranging privacy law reforms, following the Privacy Act Review which began in 2020. These changes are long overdue.

Proposals such as an updated definition of "personal information" and higher standards for "consent" could help protect consumers from intrusive and manipulative data practices.

The proposed "fair and reasonable test" would also assess whether a practice is substantively fair. This would help avoid claims data practices are lawful just because consumers had to provide consent.

The FCAI points out many cars aren't specifically designed for Australia's relatively small market, so increased privacy standards might result in some vehicles not being released here. But this isn't a reason to carve out vehicles from privacy law reform.

Privacy laws are also being upgraded in numerous jurisdictions overseas. Australia's government agencies should coordinate with their international counterparts to protect drivers' privacy.

Source

Microsoft displays a lot of promotions and advertisement in its Windows 11 operating system. The lock screen is but one of the locations that Microsoft uses to display promotions to users of the operating system.

This guide walks you through the steps of disabling lock screen ads and promotions in the Windows 11 operating system.

The lock screen is the first screen that users see when they boot the operating system. While it is possible to bypass the screen entirely, by configuring Windows 11 to sign-in to a user account automatically, it is the first screen that most Windows users see.

The lock screen may display changing photos and also options to find out more about the current image. What users may also see are promotions. The main image of this article demonstrates that. It shows an advert for Microsoft's Age of Empires IV game and another ad for PC Game Pass.

Disabling lock screen ads -- not as straightforward as possible

Windows 11 includes an option to turn off lock screen advertisement, but not for every display mode.

The lock screen of the operating system displays changing photos, powered by Microsoft's Windows Spotlight feature, by default. As long as Windows Spotlight is enabled, lock screen ads will be displayed.

There is no option to prevent this while the mode is active. The only option that users have is to switch to a different personalization option.

Here is how that is done:

1. Select Start and then Settings to load the Settings app. You may also press Ctrl-I on the keyboard to open it.
2. Switch to Personalization > Lock screen.
3. Use the menu next to "Personalize your lock screen" to change the setting to either Picture or Slideshow.
   1. Picture -- a single image is displayed whenever the lock screen is shown.
   2. Slideshow -- several images are rotated randomly whenever the lock screen is shown.
4. Uncheck "Get fun facts, tips, tricks, and more on your lock screen" to turn off ads and promotions. The option is available for both Picture and Slideshow modes.

Windows 11 won't display ads and promotions anymore on the lock screen once you have made the change. The only downside to this is that you won't get a new photo every now and then automatically as the background image of the lock screen.

Closing Words

It is unfortunate that Microsoft is not giving its customers a say in the matter. While it is possible to switch from Spotlight to another display mode to stop ads from being displayed on the lock screen, some users may prefer the changing lock screen photos that Spotlight provides.

There is no technical barrier in adding the "tips" setting to Spotlight as well. Microsoft has made the decision deliberate and it looks as if it won't have a change of heart in the near future. In fact, more and more locations in Windows display ads and promotions.

Now You: do you display the lock screen on your PCs?

Source

This week, we learned of three attacks impacting well-known companies, with BianLian claiming the attack on Air Canada and ALPHV claiming an attack on state courts across Northwest Florida (part of the First Judicial Circuit) last week.

A cyberattack on Simpson Manufacturing caused the company to shut down IT systems, but it has not been confirmed as a ransomware attack.

In other news, a threat actor released the source code for the first version of Hello Kitty ransomware, claiming to be developing a new one that will rival LockBit.

Finally, researchers and government agencies released some interesting news this week:

• A new Q3 2023 Ransomware Trends Summary shows that ransomware continues to explode, with Q3 being the most successful quarter ever recorded.
• The FBI shared technical details, defense tips, and IOCs for the AvosLocker ransomware, which has not been active lately.
• Ransomware attacks have now started to target unpatched WS_FTP servers. However, these attacks are more encryption-focused rather than for data theft.

Contributors and those who provided new ransomware information and stories this week include: @fwosar, @demonslay335, @billtoulas, @Ionut_Ilascu, @serghei, @BleepinComputer, @malwrhunterteam, @Seifreed, @LawrenceAbrams, @SophosXOps, @3xp0rtblog, @AlvieriD, @pcrisk, @cyber_int, and @LikelyMalware.

October 8th 2023

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .mlwq and .mlrd extensions to encrypted files.

October 9th 2023

ALPHV ransomware gang claims attack on Florida circuit court

The ALPHV (BlackCat) ransomware gang has claimed an attack that affected state courts across Northwest Florida (part of the First Judicial Circuit) last week.

HelloKitty ransomware source code leaked on hacking forum

A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .mlza and .mlap extensions to encrypted files.

New Hazard ransomware variant

PCrisk found a Hazard ransomware variant that appends the .hazard18 (the digit may be different per victim) and drops a ransom note named HOW_TO_BACK_FILES.html.

New MedusaLocker ransomware variant

PCrisk found a MedusaLocker ransomware variant that appends the .locknet and drops a ransom note named HOW_TO_BACK_FILES.html.

October 10th 2023

Air Europa data breach: Customers warned to cancel credit cards

Spanish airline Air Europa, the country's third-largest airline and a member of the SkyTeam alliance, warned customers on Monday to cancel their credit cards after attackers accessed their card information in a recent data breach.

October 11th 2023

BianLian extortion group claims recent Air Canada breach

The BianLian extortion group claims to have stolen 210GB of data after breaching the network of Air Canada, the country's largest airline and a founding member of Star Alliance.

Simpson Manufacturing shuts down IT systems after cyberattack

Simpson Manufacturing disclosed via a SEC 8-K filing a cybersecurity incident that has caused disruptions in its operations, which are expected to continue.

Distribution of Magniber Ransomware Stops (Since August 25th)

Through a continuous monitoring process, AhnLab Security Emergency response Center (ASEC) is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which abuses typos in domain addresses. After the blocking rules of the injection technique used by Magniber were distributed, ASEC published a post about the relevant information on August 10th.

Ransomware Trends 2023, Q3 Report

Q3 will be remembered as a new record for the ransomware industry as it was the most successful quarter ever recorded.

October 12th 2023

FBI shares AvosLocker ransomware technical details, defense tips

The U.S. government has updated the list of tools AvosLocker ransomware affiliates use in attacks to include open-source utilities along with custom PowerShell, and batch scripts.

Ransomware attacks now target unpatched WS_FTP servers

Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks.

That's it for this week! Hope everyone has a nice weekend!

Source

All modern web browsers come with import options to import the browsing activity of other browsers. It is a useful feature for users who want to migrate to another browser or run it side-by-side on their devices. Imports may include the browsing history, open tabs, passwords, bookmarks and other personal data.

Users do get a say in the matter. The installed browser displays a popup with the option to import data. Likewise, users may select the import option later in the browser.

Microsoft Edge's auto-import feature

Microsoft is testing a new auto-import feature. It imports data from Google Chrome automatically. This happens when Edge is opened and naturally only if Chrome is also installed. The feature seems to be Windows-specific at the time and limited to development versions of Edge.

The auto-import option was not available in Edge Stable 117 but in Edge Canary 120. This does not necessarily mean that the feature is not being tested in Edge Stable, as Microsoft has the habit of A-B testing features.

Some Edge users may stumble upon the feature by accident, for example, when they try to sign-in to a website and get the option to fill out the password automatically, which they never added to Edge.

The data that Edge imports automatically

The feature is on by default and Microsoft Edge will import the following data from Google Chrome whenever it starts:

• The entire browsing history.
• Autofill settings.
• All browser cookies.
• Payment information.
• Saved passwords.

The automatic import includes sensitive information. Besides saved passwords, Edge is also importing payment information and browser cookies, which may contain session information, from Google Chrome.

Some Edge users may like the new functionality. Those who use both browsers may want all information to be available in both browsers.

These users may add open tabs to the automatic import feature. Microsoft is working on adding extensions and bookmarks to the list of supported items.

The main problem with the feature is that it is enabled by default and that Edge does not inform users about it. If sync is enabled, all the data will be synced to all devices with Microsoft Edge, provided that you are signed-in with the same user account.

Turn off automatic browser imports in Microsoft Edge

Windows users who don't want Edge to import data from Chrome automatically need to become active to prevent this.  The best option is to load edge://settings/profiles/importBrowsingData in Microsoft Edge directly.

This opens the Import browser data preferences page in the web browser. Microsoft Edge lists the supported browsers on the page. The new "Import browsing data at each browser launch" option is listed under Google Chrome. It is the only web browser for which the feature is available at the time.

Do the following to stop automatic browsing activity imports from Chrome to Edge:

1. Activate the Edit preferences button next to Import browsing data at each browser launch.
2. Select "turn off" at the top to stop the automated process. You may alternatively turn off individual items off, if you prefer that.

Microsoft Edge displays a verification prompt when the turn off button is activated.

You can check a box to clear the browsing data from all Microsoft Edge instances, but do not have to. Select the confirm button to turn the feature off and stop automatic imports from Chrome.

Closing Words

The new automatic import feature is in testing currently. Some may argue that unwanted behavior like this should be expected in development builds. However, there needs to be some checks in place, especially where sensitive data is processed.

All Edge users on Windows should check the import settings of their browser and turn the feature off, if they don't want it.

Now You: do you use multiple web browsers?

Source

The new version is already available for download. Users still have the choice between an installer and a portable version. The installer may update any existing installation to the latest version.

Selecting Help > About KeePass in the interface displays the current version. There is also Help > Check for updates, which runs a check for updates. KeePass does not include automatic update capabilities though.

KeePass 2.55

KeePass users who create new encrypted password databases using AES-KDF, one of the supported algorithms, benefit from an increased default number; this improves protection against brute force and guessing attacks. The new number of iterations is 600000.

Existing users may get a notification when they open one of their databases.  This happens if the value of iterations is smaller than the new default value. A click on yes upgrades iterations immediately.

The new setting can be turned off under Tools > Options > Security > Show warning when the key transformation settings are weak.

Selecting File > Database Settings > Security in KeePass displays the current  encryption algorithm that is used and an option to change its iterations or migrate to another algorithm entirely.  We recommended changing the number of iterations for AES-KDF back in February or switching to Argon instead.

Password imports from several third-party password managers have also been improved. Google Chrome and mSecure CSV imports support new formats now, and imports from 1Password support the new password field/type as well.

KeePass makes a few usability improvements next to that. Changes made to the HTML export and print dialog are remembered now by the application. KeePass is now also highlighting the option that it will use when users select "do not show this dialog again". Report dialogs may be closed with a tap on the Esc-key in the new version.

A new feature is the compare entries command, which enables users of the software to compare two entries.

You can check out the full changelog here.

Verdict

KeePass 2.55 may be a lighter release, but it improves default iterations for one of its core algorithms and informs users if the current iteration count is smaller than the new default. A single-click on "yes" updates the iteration count of the database, which improves security against brute force and guessing attacks.

Source

Source

Windows 11 create Google passkey (Image credit: Future)

On Windows 11, you can now create passkeys to sign in to apps and services, such as your Google account, without a password, and in this guide, you will learn the steps to complete this task.

Starting with the October 2023 and 2023 Updates (version 23H2), Windows 11 ships a new passkeys integration that allows you to create and save a unique token for a specific service or application using Windows Hello. After the process, when you have to sign in again, you can authenticate (in this to your Google services) using Windows Hello instead of typing a password. 

This sign-in approach makes it easier to access apps and services without a password and makes it more difficult for malicious individuals to steal your credentials. 

This how-to guide will walk you through the steps to create and delete a passkey for your Google account on Windows 11.

Create a passkey through Windows Hello for a Google account

To generate a passkey for your Google account on Windows 11, use these steps:

1. Open Chrome or Edge browser.
2. Open the Google account page.
3. Sign in with your credentials (if applicable).
4. Click on Security from the left navigation page.
5. Click the Passkeys option under the "How you sign in to Google" section.

(Image credit: Future)

6. Click the "Create a passkey" button.
7. Confirm your Windows Hello credentials. 

(Image credit: Future)

• Quick note: You may need to confirm the credentials more than once.

8. Click the OK button.

9. Click the Done button.

Once you complete the steps, the system will save the passkey on the computer, and the next time you have to sign in to your Google account or related services, you can use the Windows Hello authentication methods to access the account.

Delete your Google account passkey from Windows 11

To delete your Google account passkey on Windows 11, use these steps:

1. Open Settings.
2. Click on Accounts.
3. Click the Passkeys settings page on the right side.

(Image credit: Future)

4. Click the menu for the passkey to remove and choose the "Delete passkey" option.

(Image credit: Future)

5. Click the Delete button.

After you complete the steps, the passkey for your Google account will no longer be available on your computer, and you will need to use the original password of your account to access your Google account.

Source

As recently observed by Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group attempted, unsuccessfully, to deploy ransomware payloads created using a LockBit 3.0 builder stolen in September 2022.

"The ransomware actors didn't wait long to abuse the recently reported vulnerability in WS_FTP Server software," Sophos X-Ops said.

"Even though Progress Software released a fix for this vulnerability in September 2023, not all of the servers have been patched. Sophos X-Ops observed unsuccessful attempts to deploy ransomware through the unpatched services."

The attackers attempted to escalate privileges using the open-source GodPotato tool, which allows privilege escalation to 'NT AUTHORITY\SYSTEM' across Windows client (Windows 8 to Windows 11) and server (Windows Server 2012 to Windows Server 2022) platforms.

Fortunately, their attempt to deploy the ransomware payloads on the victim's systems was thwarted, preventing the attackers from encrypting the target's data.

Even though they failed to encrypt the files, the threat actors still demanded a $500 ransom, payable by October 15, Moscow Standard Time.

The low ransom demand hints at Internet-exposed and vulnerable WS_FTP servers likely being targeted in mass automated attacks or by an inexperienced ransomware operation.

Tracked as CVE-2023-40044, the flaw is caused by a .NET deserialization vulnerability in the Ad Hoc Transfer Module, enabling unauthenticated attackers to execute commands on the underlying OS via HTTP requests remotely.

On September 27, Progress Software released security updates to address the critical WS_FTP Server vulnerability, urging admins to upgrade vulnerable instances.

"We do recommend upgrading to the most highest version which is 8.8.2. Upgrading to a patched release, using the full installer, is the only way to remediate this issue," Progress said.

Assetnote security researchers who discovered the WS_FTP bug released proof-of-concept (PoC) exploit code just days after it was patched.

"From our analysis of WS_FTP, we found that there are about 2.9k hosts on the internet that are running WS_FTP (and also have their webserver exposed, which is necessary for exploitation). Most of these online assets belong to large enterprises, governments and educational institutions," Assetnote said.

Cybersecurity company Rapid7 revealed that attackers began exploiting CVE-2023-40044 on September 3, the day the PoC exploit was released.

"The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers," Rapid7 warned.

Shodan lists almost 2,000 Internet-exposed devices running WS_FTP Server software, confirming Assetnote's initial estimates.

Organizations that cannot immediately patch their servers can block incoming attacks by disabling the vulnerable WS_FTP Server Ad Hoc Transfer Module.

The Health Sector Cybersecurity Coordination Center (HC3), U.S. Health Department's security team also warned Healthcare and Public Health sector organizations last month to patch their servers as soon as possible.

Progress Software is currently dealing with the aftermath of a widespread series of data theft attacks that exploited a zero-day bug in its MOVEit Transfer secure file transfer platform earlier this year. 

These attacks impacted over 2,500 organizations and more than 64 million individuals, as estimated by Emsisoft.

Source

Cybersecurity matters -- I've been espousing this hot take on Linux for a very long time. It seems, however, that the phrase "there's no time like the present" is more apropos today than it has ever been. And given it's Cybersecurity Awareness Month, it's a great time to talk about desktop computer security. 

Threats to security and privacy never abate. They are constant and they grow more widespread and effective with every passing attack. Bad actors are savvy and know the best ways to hit you with malware, ransomware, and other attacks that could steal your information and your identity. Once your identity is stolen, the sky's the limit on what a threat actor could do. 

One of the reasons for the scale of this threat is because, most likely, you use Windows as your primary desktop and laptop operating system. Unfortunately, the number of cybersecurity threats targeting Windows continues to increase, year after year.

Before you start to get upset, this isn't another one of those articles that trashes Windows as a launching point. I'm not going to tell you how awful Microsoft Windows is. I'm not even going to mention how easy it is for ne'er-do-wells to use your operating system against you for the purpose of either stealing or ransoming your data. I also won't mention how vulnerable Windows is to numerous types of cybersecurity attacks.

Instead, my goal is to explain the problems with Windows in a way that makes sense to anyone, regardless of how much knowledge they have of computers, IT, and technology as a whole.

A target on Windows' back

Imagine that you play on a sports team. It doesn't matter what team or what sport. For a very long time, your team has been absolutely dominant.

Eventually, however, other teams start beating you. Next thing you know, every team has your number. How did this happen? 

Because your team was so dominant for so long, other teams got wise and started intensely studying the film of your wins to finally understand every play in your playbook. And because there was no need for you to fix something that wasn't broken, you continued playing those plays until, one fateful night, some bad actor (from another team) got their hands on your playbook to confirm what everyone else was starting to learn -- your team had weaknesses that could be exploited.

Essentially, your team was hacked. Now, you're always on the defensive, having to scramble to come up with other plays to get back in the game.

And that's kind of what's happened to Windows over the years -- hackers know it so well because everyone has used it for so long. The proprietary operating system became so dominant that it developed a massive target on its back that is still "in play".

Linux and security

Linux, on the other hand, has not had a target on its back for decades and that different position has helped to lend it a level of security Microsoft cannot compete with.

What's more, I can think of at least four other primary reasons why Linux has been more secure than Windows, which are:

• User permissions: Linux has a much more structured and sane permissions system

• Software installation: With Windows, you can find .exe and .msi files all over the net, many of them carrying a malicious payload. With Linux, you generally are installing from your distributions package manager, which is more secure

• Open source: By design, the Linux code has been -- and can be -- vetted by thousands of software engineers

• Frequency of updates: Linux updates not only happen regularly, but when a vulnerability is discovered, it's fixed immediately

I've been using Linux for almost three decades and I've only had one instance where a machine was hacked -- and that was a small business server that was also being used as a desktop (it was the only option for that business at the time). 

That incident was also almost 20 years ago and I was doing some things with Linux that weren't exactly in the best interest of security, such as using the same machine as a mail server and an HTTP server while not using the firewall properly. That issue was totally on me, and I did finally fix the problem before any data was stolen. 

Had I been using Windows for that same purpose, the chances are pretty good that the second I discovered the problem, it would have been too late.

As far as the desktop is concerned, I've not once had a security issue: no viruses, malware, ransomware, trojans…nothing. For the most part, my life with Linux on the desktop has been trouble- and worry-free since 1997. That doesn't mean issues don't exist, because they do. In fact, over the past five years, the amount of Linux-based malware has increased, but it's nowhere near the level found within the Windows OS.

The big question for me is why are so many people continuing to use the Windows operating system when a much more secure, user-friendly, and future-proof operating system exists? Even better, that alternative OS can be used for free, can be installed on older hardware, performs like a champ, and has thousands upon thousands of free applications available to install.

If the thought of using a much more secure, reliable desktop sounds like the smart move to you, I would suggest you start by reading through this post about the various Ubuntu flavors to see if one appeals to you. Otherwise, your search for user-friendly Linux distributions should start with one of the following:

• Ubuntu
• Linux Mint
• Zorin OS
• elementary OS

Any one of the above distributions will not only keep you more secure, but will keep you productive and entertained for years to come (without having to upgrade your hardware). Enjoy!

Source

YouTube's financial model heavily relies on ad revenue to sustain the platform and reward content creators. Ad blockers disrupt this ecosystem by preventing ads from displaying. As a result, YouTube is taking action to stop users with the new YouTube Adblockers policy from bypassing their ads. This move, however, raises questions about user choices and freedom on the web.

The problem? The new YouTube Adblock policy is blocking users from accessing content. But there's a simple solution.

How does YouTube Adblock policy affect Edge browser?

Users of the Microsoft Edge browser have been caught in the crossfire of this clash between YouTube and ad blockers. Some users have reported being unable to watch YouTube videos, and a warning message pops up, stating that ad blockers violate YouTube's terms of service. But there's a twist – the problem isn't necessarily with the browser itself; it's a setting that some users have chosen.

Microsoft Edge provides users with three levels of tracking protection:

• Basic
• Balanced
• Strict

While "Basic" offers minimal protection, "Strict" aims to block most trackers across websites. However, opting for "Strict" can lead to issues with website behavior, including problems with video playback and sign-ins.

But what's the benefit of this system? Here is how Microsoft describes Edge's tracking protection system:

How to change Microsoft Edge tracking protection level

So, the fix in the new YouTube Adblock case is straightforward: switch to "Basic" or "Balanced" tracking protection settings to enjoy uninterrupted access to YouTube.

To change the Edge tracking protection level and fix the issues that arise from YouTube Adblock policy on Edge:

1. Open Microsoft Edge
2. Click the three dots in the top right corner of the window
3. Click Settings
4. Click Privacy, search, and services
5. Under Tracking prevention select ''Balanced'' or ''Basic''
6. Click Save changes

You can also add exceptions to tracking prevention for specific websites so that you will not be affected by YouTube Adblock policy while remaining safe on your Edge Browser. To do so:

1. Open the website you want to add an exception for
2. Click the lock icon in the address bar
3. Click Site permissions
4. Under Tracking prevention, select Allow all trackers
5. Click Save

Note: disabling tracking prevention or adding exceptions can allow websites to track your browsing activity.

If you are on a different browser and still want to enjoy an ad-free YouTube experience without paying a penny, check out our article titled ''YouTube is cracking down on ad blockers more aggressively, here's how to bypass it''.

Now You: Do you think YouTube has been making the right moves recently?

Source

The malware is a backdoor with a variety of functions that let it manage plugins and hide itself from active ones on the compromised websites, replace content, or redirect certain users to malicious locations.

Fake plugin details

Analysts at Defiant, the makers of the Wordfence security plugin for WordPress, discovered the new malware in July while cleaning a website.

Taking a closer look at the backdoor, the researchers noticed that it came "with a professional looking opening comment" to disguise as a caching tool, which typically helps reduce server strain and improve page load times.

The decision to mimic such a tool appears deliberate, ensuring it goes unnoticed during manual inspections. Also, the malicious plugin is set to exclude itself from the list of “active plugins” as a means to evade scrutiny.

The malware features the following capabilities:

• User creation – A function creates a user named ‘superadmin’ with a hard-coded password and admin-level permissions, while a second function can remove that user to wipe the trace of the infection

• Bot detection – When visitors were identified as bots (e.g. search engine crawlers), the malware would serve them different content, such as spam, causing them to index the compromised site for malicious content. As such, admins could see a sudden increase in traffic or reports from users complaining about being redirected to malicious locations.
• Content replacement – The malware can alter posts and page content and insert spam links or buttons. Website admins are served unmodified content to delay the realization of the compromise.
• Plugin control – The malware operators can remotely activate or deactivate arbitrary WordPress plugins on the compromised site. It also cleans up its traces from the site’s database, so this activity remains hidden.

• Remote invocation – The backdoor checks for specific user agent strings, allowing the attackers to remotely activate various malicious functions.

"Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy," the researchers say in a report.

At the moment, Defiant does not provide any details about the number of websites compromised with the new malware and its researchers have yet to determine the initial access vector.

Typical methods for compromising a website include stolen credentials, brute-forcing passwords, or exploiting a vulnerability in an existing plugin or theme.

Defiant has released a detection signature for its users of the free version of Wordfence and added a firewall rule to protect Premium, Care, and Response users from the backdoor.

Hence, website owners should use strong and unique credentials for admin accounts, keep their plugins up to date, and remove unused add-ons and users.

Source

Cloudflare, Google, Microsoft, and Amazon all say they successfully mitigated what two of the companies called the biggest DDoS layer 7 attacks they’ve recorded in August and September, though none said who the attacks were directed against. The companies say the attacks were possible because of a zero-day vulnerability in the HTTP/2 protocol they’ve named “HTTP/2 Rapid Reset.”

HTTP/2 speeds up page loading by allowing for multiple simultaneous requests to a website over a single connection. Cloudflare writes that these attacks apparently involved an automated cycle of sending and immediately canceling “hundreds of thousands” of requests to websites that use HTTP/2, overwhelming servers and taking them offline.

Google recorded the heaviest assault at over 398 million requests per second, which it says is more than seven times larger than any such attack it has recorded before. (The record was last held by a 2022 attack that “peaked at 46 million requests per second.”) Cloudflare saw 201 million requests per second at the peak, which it also called record-breaking, while Amazon recorded the fewest requests, maxing out at 155 million per second. Microsoft did not disclose its own figures.

DDoS attacks are common — in June, Microsoft reported a large-scale layer 7 attack that downed Outlook for thousands of its users. The same month, fan-fiction website AO3 was also affected by DDoS attacks. A group called Anonymous Sudan claimed credit for both attacks.

Google goes into detail in a blog post about how the attacks worked, so do head over there if you want to roll your sleeves up and read about it.

Update October 10th, 2023, 1:20PM ET: Added that Microsoft has disclosed that its cloud infrastructure was affected as well.

Source

Chrome users may check the installed version by loading chrome://settings/help in the browser's address bar. Selecting Menu > Help > About Google Chrome opens the same page. Chrome lists its version on the page and it runs a check for updates. The new update should be picked up at that point and installed. A restart of the browser is required to complete the process.

The following versions are the latest at the time of writing:

• Chrome for Mac and Linux: 118.0.5993.70
• Chrome for Windows: 118.0.5993.70 and 118.0.5993.71
• Chrome Extended for Mac: 118.0.5993.70
• Chrome Extended for Windows: 118.0.5993.71
• Chrome for Android: 118.0.5993.65

Google Chrome 118

Google informs users on the official Chrome Releases blog that it has patched 20 unique security issues in the Chrome web browser. 14 of those are listed on the page, the remaining six were discovered internally.

The main issue is CVE-2023-5218. It is a critical security issue, an use after free in Site Isolation. The remaining publicly disclosed vulnerabilities have a severity rating of medium or low. They address additional use after free and heap buffer overflow issues, as well as "inappropriate implementations".

Chrome 118 is the first stable version of Google's web browser with Encrypted Client Hello support. Google introduced support in Chrome Canary back in 2022 and has been working on the feature since.

Without going into too many details, Encrypted Client Hello protects the domain name from being leaked to network operators when users open sites and services in the browser. It improves privacy as a consequence, as network operators such as the ISP, do not know anymore which sites a user accesses. One effect of this is that DNS-based blocking is no longer working, provided that the site and server in question support the new technology.

Mozilla introduced support for Encrypted Client Hello in Firefox 118 and most Chromium-based browsers will support the feature soon.

Another security feature gives Google the ability to disable extensions remotely that were not installed from the Chrome Web Store. Enhanced Safe Browsing needs to be enabled in Chrome for this to work and Google claims that it will use the feature only to disable malicious extensions. The disabling may happen manually or through automated detection systems according to Google.

Another Enhanced Safe Browsing change improves the deep scanning functionality. Chrome 118 users may now be prompted to provide the password for an archive file to allow Safe Browsing to analyze it.

Chrome is now also collecting "telemetry information about chrome.tabs API calls made by extensions" if Enhanced Safe Browsing is enabled. The information is analyzed on Google servers to improve the "detection of malicious and policy violating extensions".

Google switched Safe Browsing to real-time checks recently.

Chrome users should update the browser immediately to protect it from attacks that target the patched vulnerabilities. Google plans to release all future Chrome releases a week early, starting with Chrome 119.

Source

In a blog post, Google stated:

This means the next time you sign in to your account, you’ll start seeing prompts to create and use passkeys, simplifying your future sign-ins. It also means you’ll see the “Skip password when possible” option toggled on in your Google Account settings.

While passkey sign-ins are now the default, the old-fashioned password is not going away anytime soon. Google says that the password signing option will remain on personal accounts and that they can turn off the “Skip password when possible" toggle in their account settings.

Google says that it has seen passkey support expand to other businesses, including Uber and eBay, and notes that the WhatsApp messaging service will soon add the passkey option sometime in the near future.

We have started to see even more passkey support being added to other platforms. In September, Apple released the iOS 17 update for its iPhones and iPads. Among other features, it allowed third-party iOS apps to enable passkey signing support. 1Password has already added that support for its iOS app and TikTok did the same for its own iOS app earlier this year. PayPal enabled passkey support for signing into its service in October 2022.

Microsoft is also adding passkey support with the latest "Moment 4" update for Windows 11. It will work while using a number of different browsers with this update, including Microsoft Edge, Chrome, Firefox, and more. Microsoft-owned Github recently enabled passkey support for its developer site for all users.

Source

In case you missed it, Google began detecting ad blockers such as uBlock Origin on YouTube a few months ago.

Disabling your ad blocker is not a good idea, as it could cause some privacy issues, in addition to wasting your time and impacting your laptop's battery. Google doesn't care about these problems. It is all about the money it wants to gain by pushing its YouTube Premium subscriptions.

While this pop-up is not new per se, I experienced it personally for the first time.  The strange thing is, I didn't run into such issues last night when I was watching some videos from a playlist that I had saved. Most of those videos were developer diaries of upcoming games, so I believe they may not have been monetized. That might explain why I didn't see any warning like the one above. However, when I tried to play some videos this morning, I ran into the pop-up.

Martin wrote a tutorial on how to fix the issue last month, but things have changed slightly since then, you need to do some additional steps to block the anti ad blocker on YouTube. According to the developers of uBlock Origin, the latest change in YouTube's anti-adblock was made on October 6, 2023. This is just for reference, but the anti-adblock script's ID is 7c155e84.

You can follow uBlock Origin's official guide on reddit, or follow the steps given below.

Note: Please backup your settings before proceeding. Open uBlock Origin's dashboard > Settings > scroll down and select back up to file. This will save a backup of your custom rules and filters in a TXT file.

How to fix YouTube Anti-adblock pop-up and block ads with uBlock Origin

1. Install the latest version of uBlock Origin (1.52.0 or above).

2. Backup and delete your custom filters. You can restore them at the end of this tutorial.

3. Disable all additional lists that you may have enabled. The only filters that should be enabled are the 5 built-in ones that can be found under the uBlock Origin dashboard > Filter Lists.

4. Click on the Purge all caches button.

5. Then click on Update now, to refresh the filter lists.

6. Disable your browser's built-in ad blocker, and other third-party ad blocker extensions. E.g. Firefox's Enhanced Tracking Protection, Brave Browser's Shield, etc.

You shouldn't use multiple ad blockers, as they will perform inefficiently. If you did everything correctly, you should no longer see the annoying pop-up on YouTube anymore. You may have to restart your browser for the changes to take effect. As a last resort, you may also try uninstalling and reinstalling uBlock Origin for Chrome and Firefox.

Note: uBlock Origin developers say that if you are using the Enhancer for YouTube add-on, you will need to disable its built-in ad-blocker. The option can be found under Enhancer for YouTube settings > Ads management > Block ads.

For what it's worth, I restored my backup with the custom settings and filter lists, and they seem to work fine. I'm not sure what happens if you don't disable the ad blocker, does Google block your account for violating its terms and services? Or only the ability to watch videos on YouTube. To be on the safer side, I'd recommend setting up a dedicated Firefox container for YouTube, which you can use with a secondary Google account. Chromium-based users may want to use a separate profile for YouTube with an alternative account.

Source

VBScript (also known as Visual Basic Script or Microsoft Visual Basic Scripting Edition) is a programming language similar to Visual Basic or Visual Basic for Applications (VBA) and was introduced almost 30 years ago, in August 1996.

It comes bundled with Internet Explorer (which was killed off by Redmond across some Windows 10 platforms in February), integrates active scripting into Windows environments, and communicates with host applications through Windows Script.

"VBScript is being deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system," the company said this week.

"Initially, the VBScript feature on demand will be preinstalled to allow for uninterrupted use while you prepare for the retirement of VBScript."

Features on Demand (FODs) are optional features within the Windows operating system like the .NET Framework (.NetFx3), Hyper-V, and the Windows Subsystem for Linux that aren't installed by default but can be added whenever necessary.

With the July 2019 Patch Tuesday cumulative updates, Microsoft also disabled VBScript by default in Internet Explorer 11 on Windows 10.

One less malware infection vector

Although not officially explained, Microsoft's decision to deprecate VBScript is likely tied to the earlier discontinuation of Internet Explorer this year. Fortunately, as a consequence, a prevalent infection vector employed by threat actors to infect Windows systems with malicious payloads has also been eliminated.

This move is part of a broader strategy to mitigate the increasing prevalence of malware campaigns exploiting various Windows and Office features for infections.

Malicious actors have used VBScript to distribute malware, including notorious strains like Lokibot, Emotet, Qbot, and, more recently, DarkGate malware, among others, onto victims' computers.

The effort traces back to 2018 when Microsoft extended support for AMSI to Office 365 applications, curbing attacks that utilized VBA macros.

Subsequently, Microsoft disabled Excel 4.0 (XLM) macros, introduced XLM macro protection, mandated default blocking of VBA Office macros, and began blocking untrusted XLL add-ins by default in Microsoft 365 tenants worldwide.

Source

Yet this reshaping of work, underpinned by technology, has also eroded our work-life boundaries – and persisting 20th-century attitudes are preventing us from successfully managing the new normal.

We find ourselves struggling with “productivity paranoia”: a term used to describe managers’ concerns that remote and hybrid workers aren’t doing enough when not under supervision.

As a result, we’re seeing a surge in the use of electronic monitoring and surveillance devices in the workplace. These devices allow managers to “watch over” employees in their absence. This practice raises serious legal and ethical concerns.

Big bossware is here

In a survey of 20,000 people across 11 countries, Microsoft reported 85% of managers struggled to trust their remote-working employees. In Australia, this figure was 90%.

In 2021, American research and consulting firm Gartner estimated the number of large firms tracking, monitoring and surveilling their workers had doubled to 60% since the start of the pandemic.

Electronic monitoring and surveillance technology can capture screenshots of an employee’s computer, record their keystrokes and mouse movements, and even activate their webcam or microphones.

On one hand, these “bossware” tools can be used to capture employee and production statistics, providing businesses with useful evidence-based analytics.

The other side is much darker. These devices are indiscriminate. If you’re working from home they can pick up audio and visual images of your private life.

Managers can be sent notifications when data “indicate” an employee is taking breaks or getting distracted.

Some aspects of electronic monitoring and surveillance are legitimate. For instance, it may be necessary to safeguard an organisation’s data access and transfers.

But where are the boundaries? Is your organisation legally obliged to tell you about electronic intrusions? Alternatively, what can you do if you find out you’re being watched without being informed?

The legal framework

A complex array of regulation governs workplace privacy and surveillance in Australia. Proposed reforms to the Privacy Act 1988 are set to strengthen privacy protections for private-sector employees.

However, this legislation doesn’t specifically cover workplace surveillance. Instead, a patchwork of laws in each state and territory regulate this matter.

Specific legislation regulates the surveillance of workers in New South Wales and the Australian Capital Territory. Importantly, surveillance must not be undertaken unless the employer has provided at least 14 days’ notice. This notice must include specific details about the surveillance that will be carried out. Employers must also develop and adhere to a surveillance policy.

In both states, employers can only record visual images of an employee while they’re “at work”. This is broadly defined to capture any place where work is carried out.

Covert surveillance is prohibited unless the employer has obtained a court order. In this case it’s restricted to situations where the employee is suspected of unlawful activity.

Even then, a covert surveillance order would not be granted where this unduly intrudes on the employee’s privacy. Covert surveillance for the purpose of monitoring work performance is expressly prohibited.

Other states and territories don’t have specific electronic workplace surveillance laws. Employers must instead comply with more general surveillance legislation.

Broadly speaking, employees must give consent, express or implied, to any surveillance. In practice, such consent is usually obtained through the implementation of a workplace surveillance policy, which employees must agree to when they accept the job. So if you’ve signed a contract without reading the fine print, you may have agreed to being surveilled via electronic monitoring tools.

Currently, Queensland and Tasmania provide the most limited protection for employees. Their surveillance legislation is limited to the regulation of listening devices.

Enterprise agreements, employment contracts and workplace policies may also limit or prohibit the use of surveillance devices. In practice, however, most employees will lack the bargaining power to negotiate the inclusion of any such terms in their employment contract.

The law is failing to keep up

In 2022, a parliamentary select committee reporting on the future of work in NSW observed the current regulatory framework is failing to keep pace with rapid advancements in electronic monitoring and surveillance.

The report criticised legislation that simply allows an employer to notify workers surveillance will be carried out, with no mechanism for this to be negotiated or challenged. The situation is slightly better in the ACT, where employers must consult with workers in good faith about any proposed surveillance activities.

Workers who suspect their employer is spying on them should review their workplace surveillance policies. They may need to reflect carefully on how they use their work computer.

Where an enterprise agreement applies, the Fair Work Commission can arbitrate surveillance disputes. A worker who is dismissed following intrusive surveillance may be able to challenge the dismissal on the basis of it being unfair.

Workers who haven’t been informed of their employer’s surveillance practices can also lodge a complaint with the relevant authority or regulator, who may have powers to investigate and prosecute offences.

To thrive in our “new normal” work landscape, we’ll need to address the gap between the existing legal protections and the capabilities (and potential harms) of electronic monitoring and surveillance. For now, it remains a significant legal and ethical challenge.

Source

More than five dozen British lawmakers across political parties as well as privacy rights organizations called for an "immediate stop" to real-time facial recognition in the United Kingdom.

In a petition signed by 65 parliamentarians and 31 civil society organizations, signatories denounced private sector and law enforcement use of the artificial intelligence technology that matches live images with a database of stored facial images.

Live facial recognition faces a continentwide ban in Europe through the anticipated enactment of the AI Act. Law enforcement use of facial recognition is banned in a handful of U.S. jurisdictions, according to a tally kept by advocacy group Fight for the Future.

The signatories, including Conservative politician and former Brexit Secretary David Davis, Leader of the Liberal Democrats Ed Davey and former Labour Party Shadow Attorney General Shami Chakrabarti, said their objections range widely. They include "serious concerns about its incompatibility with human rights, to the potential for discriminatory impact, the lack of safeguards" as well as a lack of evidence for the technology, the technology's legality "and the lack of a democratic mandate."

Unease about facial recognition's accuracy has dogged its use by law enforcement. A 2019 study by the U.S. National Institute of Standards and Technology found higher rates of false positives for Asian and Black faces relative to images of whites. The New York Times reported in August that six individuals have described being falsely accused of a crime as a result of a false facial recognition match.

The petition came shortly after U.K. Minister for Policing Chris Philp announced plans to make the national passport photo database available to police for facial recognition searches, "not just for shoplifting but for crime generally to get those matches," The Guardian reported. British police resumed using live facial recognition earlier this year after a report by the National Physical Laboratory found minimal false positives and no statistically significant deviations across gender and ethnicity. In early November, Prime Minister Rishi Sunak will host a summit on AI technologies (see: UK's AI Safety Summit to Focus on Risk and Governance).

"The U.K.'s reckless approach to face surveillance makes us a total outlier in the democratic world, especially against the backdrop of the EU's proposed ban," said Silkie Carlo, director of Big Brother Watch, which organized the petition. "This dangerously authoritarian technology has the potential to turn populations into walking ID cards in a constant police lineup."

Among the private artificial intelligence companies providing facial recognition technology in the U.K. are ClearviewAI, PimEyes and Facewatch. The Information Commissioner's Office in 2022 imposed a penalty of 7.5 million pounds against Clearview AI for using unlawfully obtained facial images of British citizens to power the company's AI database. The ICO initiated an investigation into live facial recognition provider Facewatch but concluded in March that the company had satisfied its concerns through measures such as "reducing the personal data they collect by focusing on repeat offenders or individuals committing significant offences."

Source

It is no secret that Linux is a far more secure option than Windows. From the ground up, Linux was designed to be highly secure. Since I started using Linux (back in '97), I've only had one cybersecurity threat arise, which was a rootkit on a server I inherited. Sadly, that server was so badly compromised that I had to re-install the OS and start from scratch.

That was the only instance, in decades, of having to suffer the consequence of a security breach. Otherwise, it's been smooth sailing.

You, too, can enjoy the heightened security that comes with the Linux OS. However, you shouldn't just assume that you can install Linux and never worry about security again. My take on security is if a device is connected to a network, it's vulnerable. 

To that end, I thought I'd share some advice that even those who are brand new to Linux can easily follow. Don't worry, I'm not going to have you editing init scripts, issuing complicated iptables commands, or installing software like fail2ban. Instead, this is all about what new users can do to help prevent malware, ransomware, or other attacks.

If you're a Linux admin, this might be a good thing to share with end users who are using Linux as their daily driver operating system.

With that said, let's get to the tips.

1. Upgrade regularly

This is the first piece of advice I give to any user, regardless of the operating system they use and I'm always shocked at how many people ignore it.

You see, upgrades aren't just about getting new features. More important in those upgrades are the security patches that address vulnerabilities. I check (and apply) updates daily. Sometimes those updates are minor but other times they include crucial patches that fix critical Common Vulnerabilities and Exposures (CVEs).

No matter what Linux distribution you've chosen, check daily (at best) or weekly for updates. As soon as you see updates available, apply them and (if the kernel is upgraded) reboot when the process completes.

2. Don't install apps from unknown sources

Similar to the advice I give to Android users, the safest thing you can do is only install applications from the built-in package manager(s). Whether your system uses apt, dnf, snap, flatpak, pacman, or zypper, I would highly recommend you only install apps using those methods.

I know what you're thinking: That removes a world of applications that can be installed. Although that's true, I always recommend the "safe over sorry" method when it comes to installing software.

Sure, you might find an app you really want to install that isn't found in the standard repositories. If that's the case, check to see if it's available as either a Snap or Flatpak package. If so, install with one of those methods. If not, and you seriously need that app, do a bit of research to see if the repository can be trusted.

It only takes the installation of one rogue app to compromise a system. A bit of caution can help you avoid such a problem.

3. Use a strong password

It's your desktop, not a server. Right? Although that may be true, it doesn't mean you should continue using password or 12345678 as your password. There are a couple of things you should keep in mind when setting your user password:

• Network attacks
• Prying eyes

The most likely cybersecurity breach on a desktop is someone logging into your computer and accessing your information. But just because you're using a desktop doesn't mean it can't be breached by a threat actor who's gained access to your network.

Because of that, it's essential that you use a strong/unique password. Remember, that password isn't only required to log into your desktop but to run upgrades, install apps, and handle other admin tasks.

4. Don't use Chrome

Most Linux distributions default to either the Firefox web browser or Chromium. Although Chrome is available to easily install on the open-source operating system (and is the most widely-used web browser on the planet), it's also one of the least secure.

If you check out our list of most secure browsers for 2023, you'll notice that Chrome is nowhere to be found. On that list you'll find Brave, Firefox, Tor, DuckDuckGo, and Mullvad. Of those browsers, I would suggest either Firefox or Tor for Linux.

5. Enable your firewall

It might come as a surprise to you but some Linux distributions ship without the firewall enabled. For example, many distributions based on Ubuntu do not enable Uncomplicated Firewall out of the box. And most of the popular Ubuntu-based Linux distributions also don't ship with a firewall GUI.

To avoid having to run commands (although enabling UFW from the command line is as simple as sudo ufw enable), you could install the gufw GUI app (which can be installed from your distribution's app store). Once installed, you can enable the firewall by switching the On/Off slider to the On position.

Gufw is one of the simplest firewall GUIs you'll ever use.
Jack Wallen/ZDNET

After you've enabled the firewall, you can enable any service (such as SSH or Samba) that you need to allow in, without having to run commands (such as sudo ufw allow ssh).

6. Never log in as root

Although Ubuntu-based distributions disable the root account, some distributions (such as Debian and Fedora) leave it enabled, so you could easily log in as the root user and do whatever you want without having to worry about sudo.

This is not good. If you log in as the root user, you open a hyper-privileged account. Should anyone breach your system, they too would have unfettered access to every service, app, and all of the data you've stored.

To that end, never log in as the root user. Ever. Always use sudo for admin tasks, so as to not leave your system open to heightened attacks.

7. Use Full Disk Encryption

If you're the one installing Linux on your machine, and your distribution of choice offers Full Disk Encryption (FDE), your best bet is to opt in. Why? Simple. Say someone were to steal your laptop. Without full disk encryption, they could remove the drive, mount it on another machine (which would avoid having to crack your user password) and have at the data within.

With FDE enabled, if that threat actor were to remove your drive and attempt to mount it, they would be unsuccessful, unless they knew your encryption password. Of course, this also isn't a guarantee. Remember the old saying, where there's a will, there's a way. But if you enable FDE, you'll make it considerably harder for someone to access your data without that encryption password.

Conclusion

You don't have to be a sysadmin to keep your Linux desktop distribution safe from cybersecurity threats. Follow these pieces of advice and you'll go a long way to keeping all of the data you have on your machine safe from attacks.

Source

The leak was first discovered by cybersecurity researcher 3xp0rt, who spotted a threat actor named 'kapuchin0' releasing the "first branch" of the HelloKitty ransomware encryptor.

While the source code was released by someone named 'kapuchin0,' 3xp0rt told BleepingComputer that the threat actor also utilizes the alias 'Gookee.'

A threat actor named Gookee has been previously associated with malware and hacking activity, attempting to sell access to Sony Network Japan in 2020, linked to a Ransomware-as-a-Service operation called 'Gookee Ransomware,' and trying to sell malware source code on a hacker forum.

3xp0rt believes kapuchin0/Gookee is the developer of the HelloKitty ransomware, who now says, "We are preparing a new product and much more interesting than Lockbit."

The released hellokitty.zip archive contains a Microsoft Visual Studio solution that builds the HelloKitty encryptor and decryptor and the NTRUEncrypt library that this version of the ransomware uses to encrypt files.

Ransomware expert Michael Gillespie confirmed to BleepingComputer that this is the legitimate source code for HelloKitty used when the ransomware operation first launched in 2020.

While the release of ransomware source code can be helpful for security research, the public availability of this code does have its drawbacks.

As we saw when HiddenTear was released (for "educational reasons") and Babuk ransomware source code was released, threat actors quickly used the code to launch their own extortion operations.

To this day, over nine ransomware operations continue using the Babuk source code as the basis for their own encryptors.

Who is HelloKitty?

HelloKity is a human-operated ransomware operation active since November 2020 when a victim posted to the BleepingComputer forums, with the FBI later releasing a PIN (private industry notification) on the group in January 2021.

The gang is known for hacking corporate networks, stealing data, and encrypting systems. The encrypted files and stolen data are then utilized as leverage in double-extortion machines, where the threat actors threaten to leak data if a ransom is not paid.

HelloKitty is known for numerous attacks and is used by other ransomware operations, but their most publicized attack was the one on CD Projekt Red in February 2021.

During this attack, the threat actors claimed to have stolen Cyberpunk 2077, Witcher 3, Gwent, and other games' source code, which they claimed was sold.

In the Summer of 2021, the ransomware group began utilizing a Linux variant that targets the VMware ESXi virtual machine platform.

The HelloKitty ransomware or its variants have also been used under other names, including DeathRansom, Fivehands, and possibly, Abyss Locker.

The FBI shared an extensive collection of indicators of compromise (IOCs) in their 2021 advisory to help cybersecurity professionals and system admins guard against attack attempts coordinated by the HelloKitty ransomware gang.

However, as the encryptor has changed over time, these IOCs have likely become outdated.

Source

Google Chrome is rolling out a new feature that lets you delete the last 15 minutes of browsing data – surely, this must be good news if you’re keen on privacy.

This feature is currently being tested in the experimental Chrome Canary, as spotted in version 120, and is expected to be rolled out to all users in a future update.

To use the new feature, users simply need to open the History hub by pressing the shortcut Ctrl + H and click Clear browsing data on the left side of your screen. 

This will open a confirmation dialog box, asking users to confirm that they want to delete their browsing data. Once the user confirms, Chrome will delete all browsing history, cookies, site data, and cached images and files from the last 15 minutes – just like the last hour, day, week, month, or all time.

You can enable this feature in Chrome Canary v120 build by enabling the below flag:

In case you missed it, this very feature was introduced in Chrome for Android under a flag called #quick-delete-for-android in the browser that, once activated, would trigger an option to delete browsing data from 15 minutes prior.

Elsewhere, Microsoft also worked on simplifying the process of clearing browsing data on its Edge browser.

Source

A programmer in northern China has been ordered to pay more than 1m yuan to the authorities for using a virtual private network (VPN), in what is thought to be the most severe individual financial penalty ever issued for circumventing China’s “great firewall”.

The programmer, surnamed Ma, was issued with a penalty notice by the public security bureau of Chengde, a city in Hebei province, on 18 August. The notice said Ma had used “unauthorised channels” to connect to international networks to work for a Turkish company.

The police confiscated the 1.058m yuan (£120,651) Ma had earned as a software developer between September 2019 and November 2022, describing it as “illegal income”, as well as fining him 200 yuan (£23).

Ma said on Weibo that the police had first approached him a year ago, believing him to be the owner of a Twitter account they were investigating.

Ma said the account did not belong to him. “I stated that I was currently working for an overseas company, and my personal Twitter only occasionally liked and retweeted the company’s tweets,” Ma wrote. His post has since been deleted but was archived by China Digital Times.

Ma said the police seized his phone, laptop and several computer hard drives upon learning that he worked for an overseas company, holding them for a month. He was later asked to provide details about his work, his bank details, his employment contract and other information, before being issued with the penalty in August. Ma said he would be appointing a lawyer to appeal against the decision.

Charlie Smith (a pseudonym), the co-founder of GreatFire.org, a website that tracks internet censorship in China, said: “Even if this decision is overturned in court, a message has been sent and damage has been done. Is doing business outside of China now subject to penalties?”

VPNs, which help users circumvent the “great firewall” of internet censorship by making it look as if their device is in a different country, operate in a legal grey area in China. Technically, companies are allowed to use government-approved VPNs for commercial activities. Businesses and universities rely on the software to communicate with international partners.

The government generally turns a blind eye to the relatively small number of individuals who use the technology to access websites such as Google, Facebook, Twitter and, often, view pornography. But in recent years the government has been making it harder for people to access the VPNs, and in rare cases has punished their use.

Several people have been jailed for selling VPNs. In 2017, a man named Wu Xiangyang was sentenced to five and a half years in prison, and fined 500,000 yuan, for selling the software. In June, Radio Free Asia reported that a Uyghur student, Mehmut Memtimin, was serving a 13-year sentence in Xinjiang for using a VPN to access “illegal information”.

Ma said he only used a VPN to access Zoom for meetings and that most of his work, which uses GitHub, could be done without scaling the firewall.

In discussion about the incident on Zhihu, China’s Reddit-like platform, one user wrote: “If we impose convictions and fines based on this reason, China’s IT industry would basically be wiped out.” The comment has since been deleted.

Ma and the Turkish company he is believed to have worked for did not respond to requests for comment.

The case raised questions that authorities were profit-seeking rather than crime-fighting. In a now-deleted Weibo post, an influencer wrote: “This incident has become an international laughing stock, and the police in a certain place have become synonymous with robbers.”

Local governments in China are laden with an estimated $23tn of debt, which economists see as a brewing crisis in the country’s economy. Already, several municipalities have struggled to pay for salaries and public services and have resorted to creative measures to boost their coffers. In Chengde, the city’s revenues from forfeitures reached nearly 990m yuan in 2022, a year-on-year increase of more than 7%.

Chengde’s public security bureau did not respond to calls from the Guardian.

Source

Does the public have a right to see gruesome photos of animal test subjects taken by a public university?

That question underpins an ongoing court battle between UC Davis and the Physicians Committee for Responsible Medicine, an animal welfare group, which is fighting for the release of photos of dead monkeys used in tests of Elon Musk–owned Neuralink’s brain-chip implants. A WIRED investigation this week revealed the extent to which Neuralink and UC Davis have gone to keep images of the tests secret.

Also this week, an investigation by the Markup, copublished with WIRED, analyzed crime predictions by Geolitica (formerly PredPol) in Plainfield, New Jersey, and found that they accurately predicted crime less than 1 percent of the time. As WIRED previously reported, Geolitica is shutting down at the end of this year and being sold for parts to SoundThinking, maker of the gunshot-detection system ShotSpotter.

Earlier this year, the data-extortion gang Clop exploited a vulnerability in the widely used file-transfer service MOVEit, racking up victims around the globe including major corporations and US government agencies. The full number of victim organizations continues to climb into the thousands, with more than 3.4 million people’s data potentially stolen, making it the biggest hack of 2023.

If you own an inexpensive Android TV streaming box, you may want to toss it into the sea—or recycle it responsibly. New research found that at least eight cheap streaming boxes contained a backdoor that connects the devices with servers in China and is used to commit fraud and other cybercrime. Researchers also found dozens of Android, iOS, and TV box apps that were used for fraudulent behavior. While at least some of the apps have been removed from the app stores, more than 120,000 Android devices and 150,000 iOS devices were impacted.

Speaking of phone security, we detailed how to know when your device will stop getting security updates and how to keep Google from using your data in its generative AI tool, Bard. Finally, we profiled the team at a UK-based nonprofit that’s helping women fight back against digital domestic violence.

That’s not all. Each week we round up the security and privacy news that we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Apple’s Encryption Is Under Attack by a Mysterious Group

When WIRED first reported that Apple had sent a letter responding to demands from an anti-child-exploitation group called Heat Initiative, we had one big question: What the hell is Heat Initiative? An investigation by the Intercept now provides some clues.

According to the Intercept, the group is funded by “dark-money donors” linked to billionaire Democrats. Sarah Gardner, who leads the group, refused to comment on Heat Initiative’s funding and said she disagrees with Apple’s “privacy-absolutist” approach. The group, which had virtually no online presence when Apple sent that letter, is now waging a high-profile campaign to force the company to do more to scan for child sexual abuse material (CSAM) on users’ devices and iCloud storage, which would likely mean weakening encryption.

After Apple scrapped plans to scan images on users’ devices for CSAM amid widespread backlash, the company focused instead on tools known as Community Safety features for reporting CSAM. It also rolled out encrypted iCloud options. The company says it cannot meet Heat Initiative demands without compromising user privacy and security.

Sony Confirms Breach That Exposed Personal Information

Sony Interactive Entertainment confirmed this week that it is the latest victim of the aforementioned MOVEit breach. The company says it has informed some 6,800 people, including past and current employees, about the breach, which may have exposed Social Security numbers and personal information. Data-extortion gang Clop has claimed responsibility for the breach, which Sony says it detected on June 2. Sony says it is working with cybersecurity experts and law enforcement as part of its investigation into the intrusion.

US Federal Agents Illegally Purchased Phone Location Data

Agents working for the US Customs and Border Protection, Immigration and Customs Enforcement, and the US Secret Service broke the law by purchasing commercially available phone location data, according to a new report from the US Department of Homeland Security’s inspector general. Privacy and civil liberty advocates have long argued that the purchase of such data, known in the US government as commercial telemetry data (CTD), circumvents Fourth Amendment protections against unreasonable searches and seizures because agents don’t need to obtain a warrant to buy the information. But the inspector general report says the data was illegally accessed because agents failed to conduct a mandated privacy impact assessment before buying CTD.

US Accuses Chinese Firms of Using Crypto in Fentanyl Trafficking Operations

The US Department of Justice this week unsealed indictments against eight Chinese firms and 12 of their employees, accusing them of producing and distributing chemicals needed for the production of fentanyl, a deadly opioid, in the United States. The employees and companies were also sanctioned by the US Treasury Department, cutting them off from US financial institutions. According to the DOJ, the companies “tend to use cryptocurrency transactions to conceal their identities and the location and movement of their funds.”

“We have identified and blocked over a dozen virtual currency wallets associated with these actors,” Treasury deputy secretary Wally Adeyemo said during a press conference on October 3. “The blocked wallets, which received millions of USD funds over hundreds of deposits, illustrate the scope and scale of the operation targeted today.”

Source

Source

As security holes go, CVE-2023-4911, aka "Looney Tunables," isn't horrid. It has a Common Vulnerability Scoring System (CVSS) score of 7.8, which is ranked as important, not critical. 

On the other hand, this GNU C Library's (glibc) dynamic loader vulnerability is a buffer overflow, which is always big trouble, and it's in pretty much all Linux distributions, so it's more than bad enough. 

After all, its discoverers, the Qualys Threat Research Unit, were able to exploit "this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13." Other distributions are almost certainly vulnerable to attack. The one major exception is the highly secure Alpine Linux. 

Thanks to this vulnerability, it's trivial to take over most Linux systems as a root user. As the researchers noted, this exploitation method "works against almost all of the SUID-root programs that are installed by default on Linux."

So, yeah, this is bad news with a capital B for Linux users. 

The vulnerability was introduced in April 2021 with the release of glibc 2.34. The flaw is a buffer overflow weakness in the glibc's ld.so dynamic loader, a crucial component responsible for preparing and executing programs on Linux systems. The vulnerability is triggered when processing the GLIBC_TUNABLES environment variable, making it a significant threat to system integrity and security.

So, how bad is this really? To quote Saeed Abbasi, Qualys Threat Research Unit Product Manager, "This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security. … The ease with which the buffer overflow can be transformed into a data-only attack … could put countless systems at risk, especially given the extensive use of glibc across Linux distributions."

And, yes, I'm sorry to say at least one exploit is already available to take advantage of this hole. 

So, what should you do about it? Patch. Patch it now. 

The good news is that Red Hat, Ubuntu, Debian, and Gentoo have all released their own updates. In addition, the upstream glibc code has been patched with the fix. 

If you can't patch it, Red Hat has a script that should work on most Linux systems to mitigate the problem by setting your system to terminate any setuid program invoked with GLIBC_TUNABLES in the environment. 

So, get out there, make the patches, run the scripts, and, if you have vulnerable Internet of Things (IoT) devices, lock them down behind a firewall until a fix is in. Finally, as Porky Pig says, "That's all, folks!"

Source