<?xml version="1.0" encoding="utf-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<rss version="2.0">
    <channel>
        <title>Lowyat.NET: Latest topics in Security &amp; Privacy</title>
        <description></description>
        <link>http://forum.lowyat.net/</link>
        <lastBuildDate>Sat, 04 Apr 2026 16:16:58 +0800</lastBuildDate>
        <generator>FeedCreator 1.7.2</generator>
        <item>
            <title>Axios npm package hacked</title>
            <link>http://forum.lowyat.net/topic/5560033</link>
            <description>[YOUTUBE]AT7x16mqGMc[/YOUTUBE]&lt;br /&gt;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;In late March and early April 2026, the Axios npm package was the victim of a high-impact supply chain attack, while the npm registry itself was not &amp;quot;hacked&amp;quot; in the traditional sense. Instead, an attacker gained control of a lead maintainer&amp;#39;s account to publish malicious versions of the library.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Safe versions: Anything 1.14.0 or lower, or 0.30.3 or lower.&lt;br /&gt;&lt;br /&gt;&lt;span style='font-size:16pt;line-height:100%'&gt;&lt;span style='color:red'&gt;Malicious versions: 1.14.1 or 0.30.4&lt;/span&gt;&lt;/span&gt;&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;in my case, i don&amp;#39;t have npm container running, but it does auto update image.....&lt;br /&gt;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;If a Docker image containing the malicious Axios versions (1.14.1 or 0.30.4) was downloaded but never run as a container, you are likely safe from the Remote Access Trojan (RAT) that triggers during the package&amp;#39;s execution. However, the presence of the image on your system is a significant risk that must be addressed immediately to prevent accidental activation.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Why You Are Likely Safe (For Now)&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;    Execution-Based Trigger: The 2026 npm hack involving Axios relies on a postinstall script in the plain-crypto-js@4.2.1 dependency. 
This script only runs when npm install is executed—typically during a docker build or when a container starts if it&amp;#39;s configured to install dependencies at runtime.&lt;br /&gt;    Dormant Threat: If the image was pulled (downloaded) rather than built locally, and the container was never started, the malicious code remains dormant as a static file in your Docker storage. &lt;br /&gt;&lt;br /&gt;&lt;u&gt;Immediate Actions to Take&lt;/u&gt;&lt;br /&gt;Even if the container hasn&amp;#39;t run, you must sanitize your environment to ensure no one accidentally deploys it.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;using truenas&lt;br /&gt;&lt;br /&gt;so what i did was, go to truenas shell...&lt;br /&gt;&lt;br /&gt;&lt;!--c1--&gt;&lt;div class='codetop'&gt;CODE&lt;/div&gt;&lt;div class='codemain'&gt;&lt;!--ec1--&gt;Grep Search&amp;#58; If you have a long list of images, you can search for a specific ID&amp;#58;&lt;!--c2--&gt;&lt;/div&gt;&lt;!--ec2--&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;summary&lt;br /&gt;&lt;!--c1--&gt;&lt;div class='codetop'&gt;CODE&lt;/div&gt;&lt;div class='codemain'&gt;&lt;!--ec1--&gt;Find the Container ID&amp;#58;&lt;br /&gt;docker ps -a &amp;#124; grep &amp;#60;IMAGE_ID_OR_NAME&amp;#62;&lt;br /&gt;&lt;br /&gt;Remove the Container&amp;#58;&lt;br /&gt;docker rm &amp;#60;CONTAINER_ID&amp;#62;&lt;br /&gt;&lt;br /&gt;Now Delete the Image&amp;#58;&lt;br /&gt;docker rmi &amp;#60;IMAGE_ID&amp;#62;&lt;!--c2--&gt;&lt;/div&gt;&lt;!--ec2--&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;because i use dockge, i just click stop, inactivate. 
this releases it.&lt;br /&gt;&lt;br /&gt;then i can do the&lt;br /&gt;&lt;br /&gt;&lt;!--c1--&gt;&lt;div class='codetop'&gt;CODE&lt;/div&gt;&lt;div class='codemain'&gt;&lt;!--ec1--&gt;docker rmi -f &amp;#60;IMAGE_ID&amp;#62;&lt;!--c2--&gt;&lt;/div&gt;&lt;!--ec2--&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;then&lt;br /&gt;&lt;br /&gt;&lt;!--c1--&gt;&lt;div class='codetop'&gt;CODE&lt;/div&gt;&lt;div class='codemain'&gt;&lt;!--ec1--&gt;docker image prune -a&lt;!--c2--&gt;&lt;/div&gt;&lt;!--ec2--&gt;&lt;br /&gt;&lt;br /&gt;This removes all images that are not currently associated with a running container.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;for safest,&lt;br /&gt;&lt;br /&gt;Option 3: Nuclear Cleanup (Best for Security)&lt;br /&gt;Since you are dealing with a potential npm hack, it is safer to wipe all stopped containers and unused images at once:&lt;br /&gt;&lt;br /&gt;&lt;!--c1--&gt;&lt;div class='codetop'&gt;CODE&lt;/div&gt;&lt;div class='codemain'&gt;&lt;!--ec1--&gt;docker system prune -a&lt;!--c2--&gt;&lt;/div&gt;&lt;!--ec2--&gt;&lt;br /&gt;&lt;br /&gt;(This will ask for confirmation and then delete all stopped containers and all images not currently running.)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;lastly, for my docker compose, since i use watchtower for auto updates, just add this to stop watchtower from auto updating npm.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;3. 
Use Environment Variables (Docker Compose)&lt;br /&gt;If you use Docker Compose, add this environment variable to your Watchtower service to stop all automatic updates globally:&lt;br /&gt;yaml&lt;br /&gt;&lt;br /&gt;&lt;!--c1--&gt;&lt;div class='codetop'&gt;CODE&lt;/div&gt;&lt;div class='codemain'&gt;&lt;!--ec1--&gt;services&amp;#58;&lt;br /&gt;  watchtower&amp;#58;&lt;br /&gt;    image&amp;#58; containrrr/watchtower&lt;br /&gt;    volumes&amp;#58;&lt;br /&gt;      - /var/run/docker.sock&amp;#58;/var/run/docker.sock&lt;br /&gt;    environment&amp;#58;&lt;br /&gt;      - WATCHTOWER_MONITOR_ONLY=true&lt;!--c2--&gt;&lt;/div&gt;&lt;!--ec2--&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;can remove later once this issue dies down (or not). Or set watchtower to not update daily, and defer updates to every 2-3 weeks to avoid a situation like this the next time.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style='font-size:16pt;line-height:100%'&gt;&lt;span style='color:red'&gt;if you are a homelabber and u use npm for your docker container, take action NOW if you haven&amp;#39;t already&lt;/span&gt;&lt;/span&gt;  &lt;!--emo&amp;:sweat:--&gt;&lt;img src='http://static.lowyat.net/style_emoticons/default/sweat.gif' border='0' style='vertical-align:middle' alt='sweat.gif' /&gt;&lt;!--endemo--&gt;&lt;br /&gt;&lt;br /&gt;In my situation, i didn&amp;#39;t have the container actively running, so dodged a bullet narrowly. but it did make me rethink the auto update for npm that has been targeted more than once. so either a longer deferred update, or not auto update might be in order  &lt;!--emo&amp;:sweat:--&gt;&lt;img src='http://static.lowyat.net/style_emoticons/default/sweat.gif' border='0' style='vertical-align:middle' alt='sweat.gif' /&gt;&lt;!--endemo--&gt;&lt;br /&gt;&lt;br /&gt;Also this is another reminder, WHY, you need to pay close attention to how you deploy your docker containers. so it&amp;#39;s not running as root. 
so create a docker user, then use that for docker containers for deployment. hopefully that will limit any issues.&lt;br /&gt;&lt;br /&gt;[YOUTUBE]RxxYESQ7rW0[/YOUTUBE]&lt;br /&gt;</description>
            <author>Moogle Stiltzkin</author>
            <pubDate>Wed, 01 Apr 2026 17:28:23 +0800</pubDate>
        </item>
        <item>
            <title>android removing ability to install apk?</title>
            <link>http://forum.lowyat.net/topic/5557675</link>
            <description>[YOUTUBE]Qfo6xdVMFmM[/YOUTUBE]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;install apk aka sideload (i call this installing.....) seems like google will be removing the ability to install apks manually if i am not mistaken? watch the youtube.&lt;br /&gt;&lt;br /&gt;that is crazy if true. then what is the point of going android if you can&amp;#39;t do that?  &lt;!--emo&amp;:hmm:--&gt;&lt;img src='http://static.lowyat.net/style_emoticons/default/hmm.gif' border='0' style='vertical-align:middle' alt='hmm.gif' /&gt;&lt;!--endemo--&gt;  may as well go ios (which was one of the main reasons people went android to begin with).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;so why is this bad?&lt;br /&gt;&lt;br /&gt;ok, imagine u have a project on github to install an apk. Sounds like you may not be able to use something like obtainium to install an apk from your favourite android app project. cause they are removing the ability to do so  &lt;!--emo&amp;:puke:--&gt;&lt;img src='http://static.lowyat.net/style_emoticons/default/puke.gif' border='0' style='vertical-align:middle' alt='puke.gif' /&gt;&lt;!--endemo--&gt;&lt;br /&gt;&lt;br /&gt;i hope i am misunderstanding, but i dont think i am. watch the youtube. &lt;br /&gt;&lt;br /&gt;if u r an android user, you should be very concerned. not all good apps are on googleplay. this is anti competition by forcing people to be locked into googleplay ecosystem.</description>
            <author>Moogle Stiltzkin</author>
            <pubDate>Tue, 10 Mar 2026 08:29:27 +0800</pubDate>
        </item>
        <item>
            <title>MY Internet Ads Are Hacking Your Phone Now</title>
            <link>http://forum.lowyat.net/topic/5557371</link>
            <description>[YOUTUBE]lnaZ6bRyTF8[/YOUTUBE]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;malvertising was always a thing... where ads load up, and u get malware. they said ads are harmless and needed to keep sites up, but at user expense.&lt;br /&gt;&lt;br /&gt;use adblockers. pfsense blocker at router better. &lt;br /&gt;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Yes, pfBlockerNG is a powerful tool for network-wide ad blocking on the pfSense firewall. It functions by preventing your devices from connecting to known ad-serving domains and IP addresses. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;How it Blocks Ads&lt;br /&gt;&lt;br /&gt;    DNSBL (DNS Blackhole List): This feature intercepts DNS requests for ad-serving domains. If a device on your network tries to load an ad from a domain on a blocklist, pfBlockerNG prevents the connection.&lt;br /&gt;&lt;br /&gt;    IP Filtering: It can block entire ranges of IP addresses associated with malicious activity, trackers, or specific geographical regions (GeoIP).&lt;br /&gt;&lt;br /&gt;    Feeds and Lists: You can subscribe to popular, community-maintained blocklists like EasyList or The Firebog to keep your protections up to date. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Key Limitations&lt;br /&gt;&lt;br /&gt;    Encrypted Traffic (DoH/DoT): Some modern devices and browsers use DNS over HTTPS (DoH) to bypass local DNS filters. 
You may need to manually block known DoH servers within pfBlockerNG to ensure its effectiveness.&lt;br /&gt;&lt;br /&gt;    Same-Domain Ads (YouTube/Hulu): pfBlockerNG struggles to block ads served from the same domain as the content (e.g., YouTube video ads), as blocking the ad would also block the video itself.&lt;br /&gt;&lt;br /&gt;    Visual Layout: Unlike browser-based extensions (e.g., uBlock Origin), pfBlockerNG cannot &amp;quot;hide&amp;quot; the empty space left behind by a blocked ad; it simply prevents the content from loading. &lt;br /&gt;&lt;br /&gt;For the most comprehensive protection, many users combine pfBlockerNG with a browser-based extension for a &amp;quot;layered&amp;quot; approach. &lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;or router where you can use an ad filter list.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;also if possible, use ublock origin on firefox for browser.&lt;br /&gt;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Yes, uBlock Origin prevents ads from being downloaded to your hard drive. &lt;br /&gt;&lt;br /&gt;&lt;span style='color:red'&gt;&lt;span style='font-size:14pt;line-height:100%'&gt;Unlike &amp;quot;cosmetic&amp;quot; blockers that merely hide an ad once it arrives, uBlock Origin is a network request blocker. It intercepts and cancels the request for an ad before it leaves your browser, meaning the ad data never reaches your network or your computer&amp;#39;s storage. &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;How it Protects Your Storage&lt;br /&gt;&lt;br /&gt;&lt;span style='color:red'&gt;    Network Request Blocking: When a website tries to fetch an ad, tracker, or malware from a remote server, uBlock Origin identifies that server on its blocklists and &amp;quot;nips the request in the bud&amp;quot;. 
This saves both bandwidth and disk space.&lt;br /&gt;&lt;br /&gt;    Preventing Local Caching: Because the ad content (images, video files, scripts) is never downloaded, it cannot be stored in your browser&amp;#39;s temporary cache files on your hard drive.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;    Efficiency: It is designed to be lightweight, using less CPU and memory than other blockers while preventing the accumulation of &amp;quot;junk&amp;quot; data from advertising scripts. &lt;br /&gt;&lt;br /&gt;Important Distinction&lt;br /&gt;&lt;br /&gt;While uBlock Origin stops the ad data from being written to your disk, the extension itself and its filter lists do occupy a small amount of space on your hard drive to function. However, this is negligible compared to the amount of data saved by blocking video ads and heavy tracking scripts over time.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;some good filterlists are like Hagezi ultimate. this is more than enough for most things  &lt;!--emo&amp;:lol:--&gt;&lt;img src='http://static.lowyat.net/style_emoticons/default/laugh.gif' border='0' style='vertical-align:middle' alt='laugh.gif' /&gt;&lt;!--endemo--&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;for ads on youtube on android, you may need to use something like newpipe where the ads won&amp;#39;t load at all but you can still use youtube.&lt;br /&gt;</description>
            <author>Moogle Stiltzkin</author>
            <pubDate>Sat, 07 Mar 2026 09:20:40 +0800</pubDate>
        </item>
        <item>
            <title>Which Malaysia website support PASSKEY login?</title>
            <link>http://forum.lowyat.net/topic/5556925</link>
            <description>I can only think of AirAsia</description>
            <author>Skylinestar</author>
            <pubDate>Tue, 03 Mar 2026 17:11:13 +0800</pubDate>
        </item>
        <item>
            <title>7zip Malware: Beware 7zip.com</title>
            <link>http://forum.lowyat.net/topic/5555274</link>
            <description>[YOUTUBE]bpLxXH37Hs8[/YOUTUBE]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So how do you know whats the actual og site?&lt;br /&gt;&lt;br /&gt;well, you can go to wikipedia and search for the app, then there is the actual site linked there.&lt;br /&gt;&lt;br /&gt;And once you know the actual site, go there then ADD a bookmark star e.g. firefox. So whenever u visit the sites you verified, it would have that star to indicate it&amp;#39;s bookmarked. meaning at a glimpse you can check if it&amp;#39;s bookmarked, then you know you are at the correct site. If you don&amp;#39;t see it, be on your toes as you may have simply googled then it brought you to a fake site due to careless web browsing  &lt;!--emo&amp;:sweat:--&gt;&lt;img src='http://static.lowyat.net/style_emoticons/default/sweat.gif' border='0' style='vertical-align:middle' alt='sweat.gif' /&gt;&lt;!--endemo--&gt; &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;also in google search, the other trick is the search results at top usually will be shown as a google ad, and that usually points to some malware site which uses the same name as the app site. google doesn&amp;#39;t seem to care about that apparently  &lt;!--emo&amp;:rolleyes:--&gt;&lt;img src='http://static.lowyat.net/style_emoticons/default/rolleyes.gif' border='0' style='vertical-align:middle' alt='rolleyes.gif' /&gt;&lt;!--endemo--&gt; so just because something appears at the very top don&amp;#39;t be too trusting. 
check if it&amp;#39;s an advert firstly, because that is the most sus.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Or what i would suggest instead for installing apps, is to use unigetui which can download apps using winget&lt;br /&gt;&lt;a href='https://github.com/marticliment/UniGetUI' target='_blank'&gt;https://github.com/marticliment/UniGetUI&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;&lt;u&gt;How Signature &amp;amp; Integrity Checking Works&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;Because UniGetUI is a &amp;quot;manager of managers,&amp;quot; it inherits the security protocols of whichever tool is actually downloading the software: &lt;br /&gt;&lt;br /&gt;    WinGet (Microsoft): Primarily uses SHA256 hash validation. When a package is submitted, Microsoft runs automated scans (including SmartScreen and static analysis) to ensure the file&amp;#39;s hash matches the one in the verified manifest. While WinGet does not strictly require every package to be digitally signed by the developer, it validates that the file has not been tampered with since its official review.&lt;br /&gt;&lt;br /&gt;    Chocolatey: Uses checksums (hashes) to verify that the installer you download is exactly what was intended. It does not mandate digital signatures for all packages but relies on maintainers to provide correct hashes.&lt;br /&gt;&lt;br /&gt;    UniGetUI Internal Integrity: Recent updates (version 3.3.1+) added self-healing mechanisms. If UniGetUI’s own executable files are corrupted or show integrity violations, the app will prompt you to reinstall itself to ensure its own safety. &lt;br /&gt;&lt;br /&gt;&lt;u&gt;Security Caveats&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;    Third-Party Risk: UniGetUI, Microsoft, and Scoop do not host the software themselves; they provide the scripts to download them from third parties. 
Theoretically, if a third-party server is compromised, a package could be at risk if the hash isn&amp;#39;t updated accordingly.&lt;br /&gt;&lt;br /&gt;    Official Signature Check: The UniGetUI tool itself is digitally signed by its developer (Martí Climent). You can verify this by right-clicking the installer and checking the Digital Signatures tab to ensure it is authentic. &lt;br /&gt;&lt;br /&gt;Summary: UniGetUI uses checksum/hash verification via its package managers to ensure you get the correct, untampered file, but it doesn&amp;#39;t always mandate a &amp;quot;digital signature&amp;quot; from the software publisher unless that specific package manager requires it.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So rather than go to the app site, just use unigetui, download via the winget (or the other options). That seems to be safest. It also makes updating apps easier as well. Because it will notify you on updates, and with few clicks you can immediately update all your apps on windows.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;well you could always go direct to the app site as long as you properly verified it&amp;#39;s the actual one. but updating for so many apps can be annoying since you have to do this for ALL the apps you installed. this is why i use unigetui it makes things much easier, and safer while at it.&lt;br /&gt;&lt;br /&gt;[YOUTUBE]_tLDcyMWWmQ[/YOUTUBE]&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And just another reminder, even if you regularly update, doesn&amp;#39;t always mean you are safe. take the notepad++ issue i recently posted here&lt;br /&gt;&lt;a href='https://forum.lowyat.net/topic/5554168' target='_blank'&gt;https://forum.lowyat.net/topic/5554168&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;in that scenario, the app update mechanism was hacked into and went undetected for 6 months or so. so people who updated thinking they were safe, were not necessarily so. 
welcome to the insane world of the internet in 2026  &lt;!--emo&amp;:sweat:--&gt;&lt;img src='http://static.lowyat.net/style_emoticons/default/sweat.gif' border='0' style='vertical-align:middle' alt='sweat.gif' /&gt;&lt;!--endemo--&gt;  if you use the internet you have to be on-guard and read the tech news regularly lest you realize too late that something is wrong.</description>
            <author>Moogle Stiltzkin</author>
            <pubDate>Sat, 14 Feb 2026 06:32:34 +0800</pubDate>
        </item>
        <item>
            <title>popular notepad++ got hacked for 6 months</title>
            <link>http://forum.lowyat.net/topic/5554168</link>
            <description>&lt;img src='https://i.imgflip.com/aj367r.jpg' border='0' alt='user posted image' /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[YOUTUBE]uz3s401d42E[/YOUTUBE]&lt;br /&gt;&lt;br /&gt;&lt;a href='https://arstechnica.com/security/2026/02/notepad-updater-was-compromised-for-6-months-in-supply-chain-attack' target='_blank'&gt;https://arstechnica.com/security/2026/02/no...ly-chain-attack&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;so the popular notepad++ got hacked for 6 months. so if you use this app, you may want to do something about it.&lt;br /&gt;&lt;br /&gt;the dev said, update directly from the website using the latest version.&lt;br /&gt;&lt;br /&gt;other things you may want to do is kaspersky removal tool, scan. malwarebytes, scan. windows defender offline scan.&lt;br /&gt;&lt;br /&gt;in the most extreme, a clean reinstall of windows 11 (the nuclear option. why? rather than finding a needle in a haystack, just nuke it all. then you can be sure it&amp;#39;s fixed)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;do you really need to go that far? it&amp;#39;s up to you. just know that notepad++ got compromised.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;usually the signs of a compromised system&lt;br /&gt;&lt;br /&gt;- system feels sluggish even when not doing much&lt;br /&gt;- high cpu usage? when not doing much&lt;br /&gt;- lots of network traffic&lt;br /&gt;- and other signs</description>
            <author>Moogle Stiltzkin</author>
            <pubDate>Tue, 03 Feb 2026 08:59:51 +0800</pubDate>
        </item>
        <item>
            <title>Sh0pee i am not a robot</title>
            <link>http://forum.lowyat.net/topic/5550874</link>
            <description>IF shopee AI abuse security protection system keep showing up anti robot, that is u web browser behaviour are like a robot&lt;br /&gt;&lt;br /&gt;Until it give up&lt;br /&gt;&lt;br /&gt;and just blocked you&lt;br /&gt;&lt;br /&gt;problem solve&lt;br /&gt;&lt;br /&gt;ha ha ha&lt;br /&gt;&lt;br /&gt;vpn&lt;br /&gt;randomised mac address&lt;br /&gt;privacy web browser&lt;br /&gt;blocked tracker ads&lt;br /&gt;IPv6 EUI-64 (Extended Unique Identifier)&lt;br /&gt;&lt;br /&gt;&lt;a href='https://pictr.com/image/xT3ZRv' target='_blank'&gt;&lt;img src='https://pictr.com/images/2026/01/01/xT3ZRv.md.png' border='0' alt='user posted image' /&gt;&lt;/a&gt;</description>
            <author>JLA</author>
            <pubDate>Thu, 01 Jan 2026 07:31:39 +0800</pubDate>
        </item>
        <item>
            <title>You can&amp;#39;t fully sign out Outlook email</title>
            <link>http://forum.lowyat.net/topic/5548918</link>
            <description>UPDATE:&lt;br /&gt;Day6 - still receive new mail notification&lt;br /&gt;&lt;br /&gt;==========&lt;br /&gt;&lt;br /&gt;TLDR:&lt;br /&gt;1. hacker got your email login info &amp;amp; signed into his/her device.&lt;br /&gt;2. you change password and sign out everywhere.&lt;br /&gt;3. hacker still receives your emails, including new ones.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I just found out this Microsoft Outlook email security risk. you can&amp;#39;t fully &amp;quot;sign out everywhere else&amp;quot;. if someone have signed in your email on his/her devices, you are basically phucked forever.&lt;br /&gt;&lt;br /&gt;this is how you can test/reproduce:&lt;br /&gt;&lt;br /&gt;1. install outlook &lt;b&gt;app&lt;/b&gt; on your phone (I&amp;#39;m on Android) and sign in. mail is now downloaded into the phone.&lt;br /&gt;&lt;br /&gt;2. open &lt;b&gt;web&lt;/b&gt; browser, go to outlook website, sign in.&lt;br /&gt;&lt;br /&gt;3. in outlook &lt;b&gt;web&lt;/b&gt;, go to your security settings and &amp;quot;sign out everywhere&amp;quot;.&lt;br /&gt;&lt;br /&gt;4. wait for 24 hours (that&amp;#39;s what Ms said). I&amp;#39;ve tried checking new emails in the mobile &lt;b&gt;app&lt;/b&gt; within 6 hours and everything still works like normal (not being signed out yet &lt;!--emo&amp;:(--&gt;&lt;img src='http://static.lowyat.net/style_emoticons/default/sad.gif' border='0' style='vertical-align:middle' alt='sad.gif' /&gt;&lt;!--endemo--&gt; ).&lt;br /&gt;&lt;br /&gt;5. after 24 hours, check outlook &lt;b&gt;app&lt;/b&gt; again. it will tell you to sign in (this is actually false hope by Ms). of course, you can still view previously cached email. I wonder how many mails are downloaded by default.&lt;br /&gt;&lt;br /&gt;6. on the outlook &lt;b&gt;web&lt;/b&gt;, send a mail to yourself.&lt;br /&gt;&lt;br /&gt;7. outlook &lt;b&gt;app&lt;/b&gt; (despite already &amp;quot;signed out&amp;quot;) will receive this new mail, and you get notification popup. 
this popup shows the sender name, the email title, and the content. this is the phuck up part.&lt;br /&gt;&lt;br /&gt;many websites login send a 2FA code to email. some have titles like &amp;quot;Use code 123456 for website XX&amp;quot;. this is just plain stupid.&lt;br /&gt;&lt;br /&gt;is there any sysadmin or email expert here who can confirm when will the outlook app fully disconnect from the server (therefore stop receiving new email)?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;inb4 use 2FA TOTP via authenticator app but that is different discussion.&lt;br /&gt;inb4 old story but never fixed:  &lt;br /&gt;&lt;a href='https://learn.microsoft.com/en-us/answers/questions/1680162/still-recieveing-new-email-notifications-despite-s' target='_blank'&gt;https://learn.microsoft.com/en-us/answers/q...tions-despite-s&lt;/a&gt;</description>
            <author>Skylinestar</author>
            <pubDate>Fri, 12 Dec 2025 08:15:21 +0800</pubDate>
        </item>
        <item>
            <title>Privacy connections manager</title>
            <link>http://forum.lowyat.net/topic/5523127</link>
            <description>&lt;a href='https://pictr.com/image/xMR92O' target='_blank'&gt;&lt;img src='https://pictr.com/images/2025/05/15/xMR92O.md.png' border='0' alt='user posted image' /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href='https://pictr.com/image/xMRqiY' target='_blank'&gt;&lt;img src='https://pictr.com/images/2025/05/15/xMRqiY.md.png' border='0' alt='user posted image' /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href='https://pictr.com/image/xMRtIZ' target='_blank'&gt;&lt;img src='https://pictr.com/images/2025/05/15/xMRtIZ.md.png' border='0' alt='user posted image' /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href='https://pictr.com/image/xMRkjr' target='_blank'&gt;&lt;img src='https://pictr.com/images/2025/05/15/xMRkjr.md.png' border='0' alt='user posted image' /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;random mac address&lt;br /&gt;ipv6 EUI-64&lt;br /&gt;&lt;br /&gt;private dns&lt;br /&gt;&lt;a href='https://dnscheck.tools/' target='_blank'&gt;https://dnscheck.tools/&lt;/a&gt;</description>
            <author>JLA</author>
            <pubDate>Thu, 15 May 2025 14:30:02 +0800</pubDate>
        </item>
        <item>
            <title>New PC Cannot Open Certain Websites, Websites</title>
            <link>http://forum.lowyat.net/topic/5495654</link>
            <description>Hi guys,&lt;br /&gt;&lt;br /&gt;I have just bought a new PC, I have tried Edge and Chrome, I could not open certain websites (such as crypto exchange, movie site, japan av site). I can open all of these in my old PC no issue.&lt;br /&gt;&lt;br /&gt;May I know what would be the problem? Security Setting?&lt;br /&gt;&lt;br /&gt;Any solution?&lt;br /&gt;&lt;br /&gt;The error message = hmmm......can&amp;#39;t reach this page</description>
            <author>tkyong1</author>
            <pubDate>Thu, 21 Nov 2024 08:28:01 +0800</pubDate>
        </item>
        <item>
            <title>Enable Password-less for your Windows Account ASAP</title>
            <link>http://forum.lowyat.net/topic/5482788</link>
            <description>&lt;a href='https://pictr.com/image/xmcWdQ' target='_blank'&gt;&lt;img src='https://pictr.com/images/2024/09/15/xmcWdQ.md.jpg' border='0' alt='user posted image' /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Just checked my mail and received ransom attempt to expose me, &lt;br /&gt;wanted me to pay 1700 USD in litecoin lol...&lt;br /&gt;&lt;br /&gt;then i got curious and checked my account login attempt, welp, they tried to bruteforce login&lt;br /&gt;just dont be lazy and enable password-less sign in now,</description>
            <author>1024kbps</author>
            <pubDate>Sun, 15 Sep 2024 01:12:45 +0800</pubDate>
        </item>
        <item>
            <title>Best VPN For Streaming, Security and Privacy</title>
            <link>http://forum.lowyat.net/topic/5454304</link>
            <description>I am looking to subscribe to a decent VPN. I have used a couple of free VPNs but they throttle the speed so much that I can’t stream. Nord VPN and Express have been recommended to me but I can’t get their sign up processes to work for me. I keep getting error messages. Can anyone recommend a good, reliable VPN that is good for streaming please?</description>
            <author>MattSally</author>
            <pubDate>Sun, 28 Apr 2024 19:47:53 +0800</pubDate>
        </item>
        <item>
            <title>if u buying security app and dont wanna use card</title>
            <link>http://forum.lowyat.net/topic/5411117</link>
            <description>when my bitdefender sub is about end soon, i looking for new security software and definitely not that shit.&lt;br /&gt;&lt;br /&gt;initially decided on getting fsecure, but online payment keep failed, call bank tell me card security code fail, which i verify is not.&lt;br /&gt;&lt;br /&gt;at the end, bought eset, no need using card, online bank transfer, no need worry fucking auto-renewal.</description>
            <author>Kravo</author>
            <pubDate>Mon, 02 Oct 2023 15:57:42 +0800</pubDate>
        </item>
        <item>
            <title>New hacking forum leaks data of 478,000, RaidForums members</title>
            <link>http://forum.lowyat.net/topic/5383144</link>
            <description>&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;A database for the notorious RaidForums hacking forums has been leaked online, allowing threat actors and security researchers insight into the people who frequented the forum.&lt;br /&gt;&lt;br /&gt;RaidForums was a very popular and notorious hacking and data leak forum known for hosting, leaking, and selling data stolen from breached organizations.&lt;br /&gt;&lt;br /&gt;Threat actors who frequented the forum would hack into websites or access exposed database servers to steal customer information. The threat actors then attempted to sell the data to other threat actors, who use it for their campaigns, such as phishing attacks, cryptocurrency scams, or distributing malware.&lt;br /&gt;&lt;br /&gt;In many cases, if data was not sold or some time had passed, the stolen data would be leaked for free on RaidForums to gain a reputation among the community.&lt;br /&gt;&lt;br /&gt;In April 2022, the RaidForums website and infrastructure were seized in an international law enforcement operation, with the site&amp;#39;s administrator, Omnipotent, and two accomplices arrested.&lt;br /&gt;&lt;br /&gt;After Raidforums closed, users flocked to a new forum called Breached to continue trading stolen databases. 
However, Breached shut down in March 2023 after its founder and owner, Pompompurin, was arrested by the FBI, and the site&amp;#39;s other admin became concerned that law enforcement had access to their servers.&lt;br /&gt;&lt;br /&gt;&lt;span style='font-size:14pt;line-height:100%'&gt;RaidForums database leaked online&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Earlier this month, a forum called &amp;#39;Exposed&amp;#39; was launched, aiming to fill the void left behind by the closure of Breached, and it has quickly become popular.&lt;br /&gt;&lt;br /&gt;Today, one of the site&amp;#39;s admins, &amp;#39;Impotent,&amp;#39; leaked the RaidForums member database, exposing a wealth of information to other threat actors, researchers, and, potentially, law enforcement.&lt;br /&gt;&lt;br /&gt;BleepingComputer has seen the leaked data, and it consists of a single SQL file for the &amp;#39;mybb_users&amp;#39; table used by RaidForums&amp;#39; forum software to store registration information.&lt;br /&gt;&lt;br /&gt;This table contains the registration information for 478,870 RaidForums members, including their usernames, email addresses, hashed passwords, registration dates, and a variety of other information related to the forum software.&lt;br /&gt;&lt;br /&gt;The leaked table contains member information for users who registered between March 20th, 2015, and September 24th, 2020, likely when the database was dumped.&lt;br /&gt;&lt;br /&gt;Impotent says that some RaidForums members have been removed from the database and that it is unknown when and why the dump was originally created.&lt;br /&gt;&lt;br /&gt;BleepingComputer has confirmed that the information for numerous accounts in the database contains known registration information. 
Additionally, members of the Exposed forum have also confirmed that their information is in the MySQL table, indicating that the leaked table is legitimate.&lt;br /&gt;&lt;br /&gt;While it&amp;#39;s likely that the database is already in the hands of law enforcement after the forum was seized, this data could still be useful for security researchers who commonly build profiles of threat actors.&lt;br /&gt;&lt;br /&gt;Using the leaked registration information, researchers can learn more about the threat actors and potentially link them to other malicious activities.&lt;br /&gt;&lt;br /&gt;Update 5/30/23: Exposed&amp;#39;s admin, Impotent, told BleepingComputer that the RaidForums data dump was originally not meant to be public, but they decided to leak it yesterday.&lt;br /&gt;&lt;br /&gt;However, while the admin states they know where the data came from, they promised not to disclose any details about the source.&lt;br /&gt;&lt;br /&gt;Impotent says the member database table still contains 99% of the original lines, with some removed to &amp;quot;cause no drama.&amp;quot;&lt;br /&gt;&lt;br /&gt;&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href='https://www.bleepingcomputer.com/news/security/new-hacking-forum-leaks-data-of-478-000-raidforums-members/' target='_blank'&gt;https://www.bleepingcomputer.com/news/secur...forums-members/&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <pubDate>Wed, 31 May 2023 10:13:14 +0800</pubDate>
        </item>
        <item>
            <title>Sirius XM flaw could’ve let hackers, remotely unlock and start cars</title>
            <link>http://forum.lowyat.net/topic/5336960</link>
            <description>&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;A vulnerability affecting Sirius XM’s connected vehicle services could’ve let hackers remotely start, unlock, locate, flash the lights, and honk the horn on cars. Sam Curry, a security engineer at Yuga Labs, worked with a group of security researchers to discover the flaw and outlined their findings in a thread on Twitter.&lt;br /&gt;&lt;br /&gt;In addition to providing a satellite radio subscription, Sirius XM also powers the telematics and infotainment systems used by a number of auto manufacturers, including Acura, BMW, Honda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota. These systems collect a whole lot of information about your car that’s easy to overlook — and could pose potential privacy implications. Last year, a report from Vice called attention to a spy firm, called Ulysses, which collected and planned to sell over 15 billion telematics-based car locations to the US government.&lt;br /&gt;&lt;br /&gt;While telematics systems obtain data about your car’s GPS location, speed, turn-by-turn navigation, and maintenance requirements, certain infotainment setups might track call logs, voice commands, text messages, and more. All of this data allows vehicles to provide “smart” features, like automatic crash detection, remote engine start, stolen vehicle alerts, navigation, and the ability to remotely lock or unlock your car. Sirius XM offers all these features and more, and says over 12 million vehicles on the road use its connected vehicle systems.&lt;br /&gt;&lt;br /&gt;However, as Curry demonstrates, bad actors can take advantage of this system if the proper safeguards aren’t in place. 
In a statement to Gizmodo, Curry says Sirius XM “built infrastructure around the sending/receiving of this data and allowed customers to authenticate to it using some form of mobile app,” like MyHonda or Nissan Connected. Users can log into their accounts on these apps, which are linked to their vehicle’s VIN number, to execute commands and obtain information about their cars.&lt;br /&gt;&lt;br /&gt;It’s this system that could give bad actors access to someone’s car, Curry explains, as Sirius XM uses the VIN number linked with a person’s account to relay information and commands between the app and its servers. By creating an HTTP request to fetch a user’s profile with the VIN, Curry says he was able to obtain the vehicle owner’s name, phone number, address, and car details. He then tried executing commands using the VIN and discovered that he could remotely control the vehicle, allowing him to lock or unlock it, start the car, and perform other functions.&lt;br /&gt;&lt;br /&gt;Curry says he alerted Sirius XM of the flaw and that the company quickly patched it. In a statement to The Verge, company spokesperson Lynnsey Ross said the vulnerability “was resolved within 24 hours after the report was submitted,” adding that “at no point was any subscriber or other data compromised nor was any unauthorized account modified using this method.”&lt;br /&gt;&lt;br /&gt;Separately, Curry uncovered another flaw within the MyHyundai and MyGenesis apps that could also potentially let hackers remotely hijack a vehicle, but says he worked with the automaker to fix the issue. 
In a statement shared with The Verge by Hyundai spokesperson Ira Gabriel, the company confirmed that “Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention.” It also notes that “no customer vehicles or accounts — for either Hyundai or Genesis — were accessed by others as a result of the issues raised by the researchers,” and makes it clear that its vehicles weren’t affected by the Sirius XM vulnerability.&lt;br /&gt;&lt;br /&gt;White hat hackers have found similar exploits in the past. In 2015, a security researcher uncovered an OnStar hack that could’ve let bad actors locate a vehicle remotely, unlock its doors, or start the car. Around the same time, a report from Wired showed how a Jeep Cherokee could be remotely hacked and controlled with someone at the wheel.&lt;br /&gt;&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.theverge.com/2022/12/3/23491259/sirius-xm-hack-remotely-unlock-start-cars' target='_blank'&gt;https://www.theverge.com/2022/12/3/23491259...lock-start-cars&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <pubDate>Thu, 08 Dec 2022 06:22:03 +0800</pubDate>
        </item>
        <item>
            <title>Beijing people’s facial recognition was broken, Taiwan hackers stole 1.9 million deposits</title>
            <link>http://forum.lowyat.net/topic/5292345</link>
            <description>Source: &lt;a href='https://taiwan.postsen.com/world/10810/Beijing-people%E2%80%99s-facial-recognition-was-broken-Taiwan-hackers-stole-19-million-deposits--TechNews-Technology-News.html' target='_blank'&gt;https://taiwan.postsen.com/world/10810/Beij...ology-News.html&lt;/a&gt; (and several other multiple sources)&lt;br /&gt;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt; If the face recognition system can be unlocked with photos, it may indicate a huge hidden worry in the current situation where cameras are all over the place.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;Face recognition technology is widely used by the Bank of China, and various drawbacks have emerged. The facial recognition of some people in Beijing was breached, and nearly 430,000 RMB (about NT&amp;#036;1.892 million) was withdrawn from the bank account, but the IP of the registrant was displayed in Taiwan.&lt;br /&gt;&lt;br /&gt;The latest report from China News Weekly describes what happened to Li Hong (pseudonym). The incident happened on June 19. She fell into the trap of fraudsters, her mobile phone text messages were intercepted, and her mobile phone number was set to call forwarding, so that her verification code fell into the hands of others, and she was unable to answer the bank’s confirmation call.&lt;br /&gt;&lt;br /&gt;More seriously, her “face recognition” was broken. The backstage of the China Bank of Communications system shows that when resetting the password and transferring large amounts of money, “Li Hong” performed 6 face recognition comparisons, all of which showed “successful biopsy”.&lt;br /&gt;&lt;br /&gt;But in fact, these face recognitions were not operated by Li Hong who was in Beijing. 
After investigation by the police, the IP address of the registrant was displayed in Taiwan, and the mobile phone model used was Motorola XT1686, which was also different from the Xiaomi Mi 8 used by Li Hong.&lt;br /&gt;&lt;br /&gt;Li Hong doubted the security of the Bank of Communications’ facial recognition system, and took the Bank of Communications to court on the grounds of a “debit card dispute”, demanding compensation. However, on June 30 this year, the Fengtai District People’s Court in Beijing rejected all Li Hong’s claims in the first instance. She is going to continue to appeal.&lt;br /&gt;&lt;br /&gt;Banks believe that they have done their due diligence. Bank of Communications Beijing Changxindian Branch stated in court that “transaction passwords, dynamic passwords and customer authentication modes that assist face recognition” meet regulatory requirements, and that in the process of Li Hong’s transfer, the bank gave her a risk warning. After the big data analysis of the internal system found an abnormality, it called Li Hong’s mobile phone to verify the identity of the transferor and the transfer situation.&lt;br /&gt;&lt;br /&gt;But Li Hong said that the bank claimed to have sent 22 SMS passwords and SMS risk alerts, but she only received 11 of them, and she did not receive the bank’s call. 
The reason behind this is that her text messages were intercepted by the scammers, and the calls were also transferred to the scammers’ mobile phones.&lt;br /&gt;&lt;br /&gt;The report quoted Lao Dongyan, an expert who has long been concerned about personal information protection and a professor at the Law School of Tsinghua University in Beijing, who pointed out, “Facial recognition was introduced by banks as a participant in risk creation, and banks benefit more from this method, and should bear the risk responsibility proportional to the benefit it receives.”&lt;br /&gt;&lt;br /&gt;She also pointed out that with the development of artificial intelligence, fraudulent methods are more high-tech, and banks should keep pace with the times so that their security technology exceeds that of criminal methods. If banks are held accountable for vulnerabilities in facial recognition technology, it will help urge banks to plug technical security loopholes and prevent possible fraud.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The report also pointed out that the difficulty of cracking facial recognition technology is sometimes unexpectedly simple. In 2019, several primary school students in Zhejiang used photos to crack the express cabinets in residential areas and easily take other people’s express delivery. In October 2021, a team of students from Tsinghua University successfully unlocked 20 mobile phones using only face photos.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Guo Bing, an associate professor at the School of Law and Politics of Zhejiang Sci-Tech University, believes that “photos of human faces are too easy to obtain.” If the face recognition system can be unlocked with photos, it may indicate a huge hidden worry in the current situation where cameras are all over the place.&lt;br /&gt;&lt;br /&gt;</description>
            <author>FlierMate1</author>
            <pubDate>Tue, 19 Jul 2022 19:14:26 +0800</pubDate>
        </item>
        <item>
            <title>QNAP Deadbolt, QNAP Deadbolt</title>
            <link>http://forum.lowyat.net/topic/5290985</link>
            <description>Hi, my company's QNAP got Deadbolt. May I know if paying the ransom of 0.05 bitcoin will help us retrieve all the files? Or is there any other way to solve the issue? Thank you.</description>
            <author>Vanessatan97</author>
            <pubDate>Fri, 15 Jul 2022 12:56:40 +0800</pubDate>
        </item>
        <item>
            <title>Capital One identity theft hacker, finally gets convicted</title>
            <link>http://forum.lowyat.net/topic/5284103</link>
            <description>&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Remember the Capital One breach?&lt;br /&gt;&lt;br /&gt;We did, though we felt sure it had happened a long time ago.&lt;br /&gt;&lt;br /&gt;Indeed, when we checked, it had: the story first broke almost three years ago, back in July 2019.&lt;br /&gt;&lt;br /&gt;At the time, the company reported:&lt;br /&gt;&lt;br /&gt;Capital One Financial Corporation announced […] that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.&lt;br /&gt;&lt;br /&gt;And we noted that:&lt;br /&gt;&lt;br /&gt;So far, there are no details to suggest what sort of vulnerability was exploited, and therefore no indication of what has now been changed and how permanent or effective the fixes might be.&lt;br /&gt;&lt;br /&gt;Was the breach down to an unpatched security bug, poor password choice, incorrect access control, a cloud-related configuration blunder, or what?&lt;br /&gt;&lt;br /&gt;All we knew back then was that this was a huge breach by any standards, affecting at least:&lt;br /&gt;&lt;br /&gt;100,000,000 users in the USA&lt;br /&gt;6,000,000 users in Canada&lt;br /&gt;Any consumer or small business who applied for a credit card in the previous 14 years.&lt;br /&gt;Personal data including names, addresses, zip codes, phone numbers, email addresses, dates of birth, and income.&lt;br /&gt;Some customers also lost yet more intimate personal information such as credit scores, credit limits, balances, payment history, contact information, social security numbers (SSNs) and bank account numbers.&lt;br /&gt;&lt;br /&gt;Fortunately, if that’s the right word in a case like this, “only” about 150,000 victims actually had their SSNs exposed (in the US, SSNs are 
effectively lifelong unique national ID numbers), meaning that about 99.9% of victims escaped that fate.&lt;br /&gt;&lt;br /&gt;The cost of the breach&lt;br /&gt;This breach cost Capital One dearly in more than one way.&lt;br /&gt;&lt;br /&gt;Even though the company was itself the victim of a cybercrime, it was ultimately hit with a &amp;#036;190,000,000 class action settlement plus an &amp;#036;80,000,000 fine from the US Office of the Comptroller of the Currency (OCC).&lt;br /&gt;&lt;br /&gt;The OCC noted:&lt;br /&gt;&lt;br /&gt;[We] took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner. In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts.&lt;br /&gt;&lt;br /&gt;As you will notice from the OCC’s remarks above, the breach ultimately came down to poor cloud security, with data apparently exposed due to being shifted from a privately-controlled data store into the cloud.&lt;br /&gt;&lt;br /&gt;There’s no reason why a public cloud deployment can’t be done securely, of course, but the potential consequences if it isn’t are huge.&lt;br /&gt;&lt;br /&gt;A publicly visible cloud server is open to a much broader range of probes, attacks and hacks – what’s known in the jargon as “having a much larger and more exposed attack surface”.&lt;br /&gt;&lt;br /&gt;Intriguingly, the fact that this was a cloud-related breach was quickly revealed after Capital One notified its customers of the attack, because the alleged perpetrator was soon arrested.&lt;br /&gt;&lt;br /&gt;Cloud “anti-security” scanning&lt;br /&gt;Paige Thompson, who was 33 at the time, was accused of the attack, apparently using what you might call “anti-security” tools of her own devising to scan cloud providers for vulnerable and misconfigured 
services, and from there to recover access credentials, gain access, exfiltrate data and infiltrate malware.&lt;br /&gt;&lt;br /&gt;At the time, the US Department of Justice (DOJ) suggested that Thompson hadn’t tried to sell on the stolen data, but that she had used compromised services for what’s known as cryptojacking.&lt;br /&gt;&lt;br /&gt;That’s where crooks deliberately install cryptomining software on other people’s devices – all the way from laptops and mobile phones, through powerful gaming rigs, to physical and virtual servers.&lt;br /&gt;&lt;br /&gt;The victims end up paying for the electricity, cooling and server time, while the criminals accumulate any cryptocurrency that gets earned in the process.&lt;br /&gt;&lt;br /&gt;Anyway, the DOJ has just announced that Thompson has now been convicted, though she will only be sentenced in September 2022:&lt;br /&gt;&lt;br /&gt;Thompson was found guilty of [w]ire fraud, five counts of unauthorized access to a protected computer and damaging a protected computer. The jury found her not guilty of access device fraud and aggravated identity theft.&lt;br /&gt;&lt;br /&gt;Using Thompson’s own words in texts and online chats, prosecutors showed how Thompson used a tool she built to scan Amazon Web Services accounts to look for misconfigured accounts. She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One bank. With some of her illegal access, she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet. 
Thompson spent hundreds of hours advancing her scheme, and bragged about her illegal conduct to others via text or online forums.&lt;br /&gt;&lt;br /&gt;In the DOJ’s words, “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href='https://nakedsecurity.sophos.com/2022/06/21/capital-one-identity-theft-hacker-finally-gets-convicted/#comments' target='_blank'&gt;https://nakedsecurity.sophos.com/2022/06/21...icted/#comments&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <pubDate>Thu, 23 Jun 2022 00:36:50 +0800</pubDate>
        </item>
        <item>
            <title>Nintendo&amp;#39;s Big Piracy Case Is A Very Sad Story, </title>
            <link>http://forum.lowyat.net/topic/5279887</link>
            <description>There&amp;#39;s a human element to these stories that is rarely seen by the public&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Back in February, Gary Bowser—who in most media reports has been described as a ‘hacker’—was sentenced to 40 months in prison for his role in selling cheat and modification devices for Nintendo hardware. Being a court case, most of the reporting dealt only with names on a page and cold facts, but a transcript of Bowser’s sentencing hearing has just been released, giving us all a reminder that this was a very human case where the motivations, actions and outcomes were more complex than has mostly been reported.&lt;br /&gt;&lt;br /&gt;The transcript—first reported by Axios—records everything that was said at Bowser’s sentencing, including statements by his lawyer, representatives from the United States Attorney’s Office and Department of Justice, Nintendo’s General Counsel, and the judge himself.&lt;br /&gt;&lt;br /&gt;I’m not going to reprint the entire thing here, but there were a number of passages that I think paint this case in a more human light than we’d have otherwise been able to see through the lens of “Crime + Verdict” reporting. I thought these were worth sharing.&lt;br /&gt;&lt;br /&gt;This is Anand Patel from the Department of Justice, pointing out how much Bowser made during his time with the hacking group Team Xecuter after his previous business had gone bust:&lt;br /&gt;&lt;br /&gt;While he might have been an unlucky businessman, that doesn’t condone his actions here. The stipulated loss amount was the foreseeable result of the enterprise’s and Mr. Bowser’s conduct. But even if you do look at Mr. Bowser’s gain, the &amp;#036;320,000 over the course of seven years, it did provide a very comfortable lifestyle. 
That equates to about &amp;#036;3,800 a month, all of which was disposable income that would not have been available to him but for his involvement in the conspiracy. And you have to keep in mind that this was in the Dominican Republic, where the lifestyle is a little bit different than some of the other co-defendants in the case. That amount allowed Mr. Bowser to live a comfortable life. He bought a car, he was living in a nice apartment, after basically losing everything.&lt;br /&gt;&lt;br /&gt;These are comments from Bowser’s lawyer, explaining the kind of conditions he has been detained in since he was first arrested, and which Nintendo were only so keen to send out a congratulatory press release boasting about back in February:&lt;br /&gt;&lt;br /&gt;Your Honor, when I met with Mr. Bowser, when Mr. Sanders and I met with Mr. Bowser this morning in the lockup — it’s really interesting how you learn new things all the time, even after you have been with someone for a year — and we were just discussing the journey he took when he arrived in New Jersey, was taken into custody, and then went from one federal prison to another and ended up in Nevada. And he told me when he came in, he weighed 410 pounds — I didn’t know that he weighed that much — and by the time he got to the FDC, he was down to 320. He had lost 90 pounds. So I asked him, “Well, how did that happen?” Well, he said he wasn’t getting adequate treatment for the elephantiasis in his leg. And the one thing you have to really worry about is you have to worry about skin breakage, and when that happens, you’re very susceptible to a bad infection. He had a bad infection, they took him to a hospital in Pahrump, Nevada, and he got past that. But, you know, I asked him how he was doing this morning. 
He says, “Well, you know, I had this little break in my skin this morning.” I said, “Well, how are you dealing with that?” He said, “Well, I had some coffee and I made a little paste, and I’ve heard that that’s really good to take care of your skin.” And I think it just brought home for me that the physical challenges he has — they’re not life threatening; you know, the BOP will try to do the best they can to take care of him — it is a big challenge to get adequate medical care, and he has to essentially care for himself.&lt;br /&gt;&lt;br /&gt;This is a picture of a typical cell at the detention center at SeaTac. Two people live in this space. I showed this to Mr. Bowser this morning — because this is not his cell — and he said, “Well, you know, I’m in a somewhat special cell. Mine is about 18-inches wider because it’s a special cell to accommodate the wheelchair that I was using much of the time, and I get the bottom bunk because of my problem.” But there are two people here. For six months of the last 16 months, he has been locked in this sized cell, plus 18 inches, for at least 23 hours a day. During the height of COVID, they only let people out every three days to go out to take a shower for maybe a half an hour and come back. So, you know, he gets out a little bit, but this is where he spent six months.&lt;br /&gt;&lt;br /&gt;Bowser’s lawyer also took the opportunity to remind everyone that, while the defendant was commonly known now as a “hacker” thanks to news reports covering the case, his exact role with Team Xecuter was actually as a salesman and support guy:&lt;br /&gt;&lt;br /&gt;One of the things that has happened over time is that facts get embellished when we’re talking about what the group did and what Mr. Bowser’s role was, and I think it’s important to keep those two things separate. Without Mr. Bowser, this enterprise would have gone on. There would have been another Mr. Bowser. Without Mr. Chen, without Mr. 
Louarn [the leaders of Team Xecuter], that’s not true. Mr. Bowser was not a developer. The developers, the people who actually made these devices and fixed them when Nintendo responded to it, they were paid very handsomely, much more than Mr. Bowser. He was not a reseller. He was not one of those independent contractors who was making a lot of money for that. That being said, the comments about Mr. Bowser’s role as being significant are accurate, and we’re not disputing that.&lt;br /&gt;&lt;br /&gt;Bowser himself also took the stand, mostly to apologise to developers and publishers for his actions, but also to provide some further background as to what his 16 months in custody had been like:&lt;br /&gt;&lt;br /&gt;It has been a very traumatic experience for me getting arrested, coming here, going through this. This is my first time actually in a jail going through the court process and everything. And the amount of time I’ve spent already, 16 months in custody, a lot of that time — I spent six months, basically, locked up due to COVID. I went through all three of the COVID waves before there was even a vaccine available. I personally haven’t got the vaccine, and the reason, I am skeptical with my medical condition, how it will affect me, and I haven’t been able to actually have proper medical treatment because I haven’t been able to have a one-on-one with a doctor to see if the vaccine would be possible with my health conditions. When I first got arrested, I was 410 pounds. I had to use a wheelchair. 
I spent my life drinking, since I was age 15, after my mom died, and this is the longest time I have been sober in my life.&lt;br /&gt;&lt;br /&gt;This is Nintendo’s General Counsel Ajay Singh, repeating the same fallacy you always see in piracy cases—the false equivalence that every pirated game equals a lost sale, which is simply not true—before getting to the real meat of Nintendo’s pursuit: he claims that Team Xecuter, the group Bowser was part of, had been such a pain in Nintendo’s ass that the company had to release entirely new models of hardware, which seems like a much more likely motivating factor in this lawsuit than the games themselves:&lt;br /&gt;&lt;br /&gt;With respect to Nintendo, the defendant and the government have stipulated to damages greater than &amp;#036;65 million. On top of that, Nintendo has spent enormous resources trying to stop Team Xecuter. We have been working on this for decades — well, at least for a decade, I would say. Nintendo has had to update its hardware to prevent Team Xecuter devices from working. That included releasing a new version of our console. It has also spent significant resources on software updates and, of course, on IP enforcement around the world.&lt;br /&gt;&lt;br /&gt;And finally, here is the judge sentencing Bowser, saying that he’s somehow going hard on the defendant (by “sending a message”) while also simultaneously going easy on him (by saying under “normal circumstances” he would be sent to prison for “five years”):&lt;br /&gt;&lt;br /&gt;...I always tell the jurors, “Your role is not to send a message. Your role is to decide guilt or innocence on the facts.” But my role sometimes does entail sending a message. For a long time, you know, white-collar crime was considered not real crime and it flourished. 
We, in this community, still remember the Washington Mutual Bank disaster where nobody went to prison, nobody went to jail, nobody got criminally prosecuted, for what should have been serious criminal offenses. And when people do start getting charged with things, it does have an impact and provides general deterrence that this is not a joke, these are serious criminal offenses, with real victims and significant financial impacts on communities. So I think there is a role to be played here in terms of a message being sent out, and I want the message to be clear that, under normal circumstances, I would send Mr. Bowser to prison for five years. I don’t want to send any kind of mixed message to France. If Mr. Louarn [a more prominent figure in the piracy scene] comes in front of me for sentencing, he may very well be doing double-digit years in prison for his role and his involvement, and the same with the other individual. But we do have a situation here where Mr. Bowser, as terrible as his crimes were, is the least culpable of the three, and he has serious medical issues and challenges, and he’s been incarcerated under very difficult conditions for a significant period of time. So taking all of those things into consideration, I’m going to agree with Ms. Whaley here that a 40-month sentence is appropriate, and I will impose the 40 months.&lt;br /&gt;&lt;br /&gt;None of this changes the fundamentals of the story, or Bowser’s guilt. The man committed a crime, knows he did and has been punished for it. 
But like I said, it does provide some context for the events beyond “man does crime,” and maybe helps show that cases like this are more complicated than press releases sent out by Nintendo and federal authorities are capable of getting across.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href='https://kotaku.com/nintendo-piracy-case-bowser-xecuter-team-prison-pirate-1849026479' target='_blank'&gt;https://kotaku.com/nintendo-piracy-case-bow...rate-1849026479&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;</description>
            <author>daisiesdontdoit92</author>
            <pubDate>Fri, 10 Jun 2022 01:21:08 +0800</pubDate>
        </item>
        <item>
            <title>Cybercriminals Are More Likely Than Ever, To Get Caught</title>
            <link>http://forum.lowyat.net/topic/5278843</link>
            <description>&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Cyberattacks have become so common and costly that it has been easy to feel like cybercriminals are getting away with murder. But the truth is somewhat less glamorous — for the criminals — with authorities reporting dozens of high-profile takedowns this year alone.&lt;br /&gt;&lt;br /&gt;If you’re prepared to do the crime, the old saying goes, you’d better be prepared to do the time — and, as the ever-growing list of takedowns on Cybercrime Magazine’s Hack Blotter has shown, many cybercriminals are doing just that after being tracked down online and in the real world.&lt;br /&gt;&lt;br /&gt;And while ransomware may have become big business for cybercriminals — global ransomware damages are predicted to exceed &amp;#036;265 billion by 2031, according to Cybersecurity Ventures — authorities have gotten better at disrupting the campaigns and identifying their perpetrators.&lt;br /&gt;&lt;br /&gt;In mid-January, for one, Ukrainian authorities arrested five members of a Kyiv-based ransomware gang that had made more than &amp;#036;1 million infecting over 50 companies in Europe and the Americas.&lt;br /&gt;&lt;br /&gt;A day later, reports came in that Russian authorities had launched a massive operation across 25 locations — at the request of US authorities — to shut down REvil, an aggressive ransomware criminal group responsible for compromising targets including meat processor JBS and Colonial Pipeline.&lt;br /&gt;&lt;br /&gt;That attack had a chilling effect in the ransomware community, where reports of unusual US-Russian cooperation had many cybercriminals concerned they were no longer safe within Russia’s borders.&lt;br /&gt;&lt;br /&gt;Neither was 16-year-old Nikita Uvarov, who was arrested and imprisoned for five years by Russian authorities who alleged his construction of a Minecraft version of FSB headquarters 
constituted “training for terrorist activities.”&lt;br /&gt;&lt;br /&gt;Video games were also no longer fun and games for Gary Bowser, a hacker who was imprisoned for over three years for selling devices that enabled customers to play pirated video games on a variety of consoles.&lt;br /&gt;&lt;br /&gt;Ransomware gang affiliate Sebastien Vachon-Desjardins was sentenced to seven years’ imprisonment after being implicated in 17 ransomware attacks that caused over &amp;#036;2.8 million in damages in Canada, while US authorities charged four Russian hackers for running a campaign of cyber attacks against global oil, gas, and nuclear power organizations around the world.&lt;br /&gt;&lt;br /&gt;Thanks to better collaboration around the world, cybercriminal investigations are now reaching every corner of the globe — as with Interpol’s December takedown of a Nigerian business email compromise (BEC) gang that had been hoarding victim credentials and targeted more than 50,000 organizations.&lt;br /&gt;&lt;br /&gt;Airport authorities are proving highly effective at nabbing wanted persons as they transit into and out of the US, with Simon &amp;amp; Schuster UK employee Filippo Bernardini arrested at New York’s JFK airport in January after using identity fraud and email addresses with typos to trick authors into sending him hundreds of unpublished book manuscripts.&lt;br /&gt;&lt;br /&gt;Meanwhile, a 14-year-old Croatian was arrested for hacking communication company Tele Operator A1 and stealing around 10 percent of its user data. 
Seven UK teenagers were arrested for being part of the Lapsus&amp;#036; hacking group, while an Estonian man was imprisoned for more than five years after being convicted of at least 13 ransomware attacks costing victims around &amp;#036;53m.&lt;br /&gt;&lt;br /&gt;Corrupt government employees were also being picked up left, right and center — including a US Department of Defense employee who used other people’s identities to secure over &amp;#036;244,500 in loans, and the wife of a US Navy engineer who conspired with her husband to sell secret data about nuclear submarine programs to a foreign government.&lt;br /&gt;&lt;br /&gt;And the horse you logged in on&lt;br /&gt;&lt;br /&gt;As well as arresting the people committing ransomware offenses, authorities are also getting better at taking down the infrastructure they rely on — including an underground VPN provider called VPNLab.net shut down by Europol — and investigating the low-level mechanisms used to hide the proceeds of cybercrime.&lt;br /&gt;&lt;br /&gt;Law enforcement agencies are also refining their techniques for identifying the operators of supposedly-hidden dark web sites, with Canadian authorities shutting down a dark web marketplace called Canadian HeadQuarters that marketed malware services — and fined its operators more than &amp;#036;300,000.&lt;br /&gt;&lt;br /&gt;The international composition of authorities like Interpol — which has 194 member countries — has proven uniquely valuable for investigating online cybercrime, which rapidly and regularly spans international borders and is suited to multi-agency investigations.&lt;br /&gt;&lt;br /&gt;“I’m viewed as someone from Interpol who is neutral,” Interpol director of cybercrime Craig Jones told Cybercrime Magazine, noting that cybercrime “is a transactional crime type and we need global solutions to this.”&lt;br /&gt;&lt;br /&gt;Thanks to Interpol’s remit, Jones said, “I can go into any of our 194 member countries, and I’m working on behalf of 
Interpol — and our only aim is around prevention of crime.”&lt;br /&gt;&lt;br /&gt;“It doesn’t matter who a threat actor is,” he said. “If the threat actors are causing harm to a community, using a prevention methodology we can then prevent crimes — whether it’s drug smuggling or cybercrime.”&lt;br /&gt;&lt;br /&gt;Increasing global collaboration has also helped authorities improve their pursuit of cryptocurrency thieves, thanks to improved methods for tracing criminal transactions across the blockchain.&lt;br /&gt;&lt;br /&gt;In January, for example, authorities indicted the former operator of cryptocurrency exchange Cryptsy for embezzling over &amp;#036;1 million in cryptocurrency from its users.&lt;br /&gt;&lt;br /&gt;Justice Department authorities seized more than &amp;#036;3.6 billion worth of cryptocurrency that had been stolen from Hong Kong cryptocurrency exchange Bitfinex in 2016, arresting two suspects for trying to launder the money.&lt;br /&gt;&lt;br /&gt;UK authorities recovered &amp;#036;5.4 million in cryptocurrency funds stolen from victims in a cryptocurrency scam, while the founder of Indian cryptocurrency exchange BitConnect was charged over a Ponzi scheme that took &amp;#036;2.4 billion from investors to whom he promised “substantial profits and guaranteed returns.”&lt;br /&gt;&lt;br /&gt;Sometimes authorities use roundabout methods to convict cybercriminals — such as an action by Her Majesty’s Revenue and Customs to seize numerous NFTs from suspects that used fake identities and shell companies to avoid &amp;#036;1.8 million in value-added taxes on the NFTs.&lt;br /&gt;&lt;br /&gt;“It might be that in a geopolitical sense, some countries are not able to have those conversations or carry out those investigations directly,” he said.&lt;br /&gt;&lt;br /&gt;“That’s where Interpol steps into that space as a neutral organization on the crime side, and helping to be that neutral interlocutor between those countries. 
If we get the prevention piece right, then that will negate the crimes and the impact on our communities effectively.”&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://cybersecurityventures.com/cybercriminals-are-more-likely-than-ever-to-get-caught/' target='_blank'&gt;https://cybersecurityventures.com/cybercrim...-to-get-caught/&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <pubDate>Tue, 07 Jun 2022 03:33:09 +0800</pubDate>
        </item>
    </channel>
</rss>
