<?xml version="1.0" encoding="utf-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<rss version="2.0">
    <channel>
        <title>Lowyat.NET: Latest topics by daisiesdontdoit92</title>
        <description></description>
        <link>http://forum.lowyat.net/</link>
        <lastBuildDate>Thu, 04 Jun 2026 07:27:22 +0800</lastBuildDate>
        <generator>FeedCreator 1.7.2</generator>
        <item>
            <title>Korea wins world’s top hacking contest for</title>
            <link>http://forum.lowyat.net/topic/0</link>
            <description></description>
            <category>Finance, Business and Investment House</category>
            <pubDate>Thu, 01 Jan 1970 07:30:00 +0800</pubDate>
        </item>
        <item>
            <title>Korea wins world’s top hacking contest for</title>
            <link>http://forum.lowyat.net/topic/5535644</link>
            <description>&lt;a href='https://pictr.com/image/xbYKKU' target='_blank'&gt;&lt;img src='https://pictr.com/images/2025/08/13/xbYKKU.md.jpg' border='0' alt='user posted image' /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Korean white hat hacker team Maple Mallard Magistrates (MMM) won the Capture the Flag (CTF) hacking competition at this year’s DEF CON conference, held in Las Vegas from Thursday through Sunday (local time).&lt;br /&gt;&lt;br /&gt;The final round of CTF, the largest open computer security hacking competition, was held during the security conference, with four Korean teams — SuperDiceCode, Cold Fusion, Friendly Maltese Citizens and MMM — among the 12 finalists.&lt;br /&gt;&lt;br /&gt;MMM clinched first place for a fourth consecutive year, showcasing their world-class skills, while SuperDiceCode took third.&lt;br /&gt;&lt;br /&gt;“I thank the four teams for their tireless effort and passion in proving the skill of Korea’s white hat hackers at the world’s top international hacking competition,” Science and ICT Minister Bae Kyung-hoon said Monday.&lt;br /&gt;&lt;br /&gt;“We will continue to actively train elite white hackers to operate on the front lines of cyberspace defense.”&lt;br /&gt;&lt;br /&gt;The win came just a day after a team from Samsung, KAIST and Pohang University of Science and Technology claimed first place in the conference’s two-year artificial intelligence (AI) competition, AI Cyber Challenge.&lt;br /&gt;&lt;br /&gt;The final four teams in the CTF competition were made up of graduates and mentors from Best of the Best (BoB), Korea’s top white hat hacker training program run by the Ministry of Science and ICT and the Korea Information Technology Research Institute (KITRI).&lt;br /&gt;&lt;br /&gt;BoB is a nine‑month program that includes customized training from top information security experts and team 
projects.&lt;br /&gt;&lt;br /&gt;A team of BoB mentors and alumni also won the conference’s annual CTF challenge called Red Alert Industrial Control Systems (ICS), which focuses specifically on defending ICS used in ships and airports. This year’s challenge centered on securing smart cities against cyberattacks, such as those that could cause power outages.&lt;br /&gt;&lt;br /&gt;Another team of mentors and alumni presented their research results on vessel cybersecurity during the conference.&lt;br /&gt;&lt;br /&gt;“Since 2015, BoB mentors and alumni have achieved strong results in various fields,” KITRI President Yoon Joon-sang said.&lt;br /&gt;&lt;br /&gt;“As we enter a new era where AI plays a critical role in both cyberoffense and cyberdefense, BoB will not rest on past achievements but will pursue a fundamental evolution to further elevate its capabilities.”&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href='https://www.koreatimes.co.kr/business/tech-science/20250811/korea-wins-worlds-top-hacking-contest-for-4th-consecutive-year' target='_blank'&gt;https://www.koreatimes.co.kr/business/tech-...onsecutive-year&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Kopitiam</category>
            <pubDate>Wed, 13 Aug 2025 02:12:14 +0800</pubDate>
        </item>
        <item>
            <title>X can now ask users for government IDs</title>
            <link>http://forum.lowyat.net/topic/5407812</link>
            <description>X users who choose to verify their Premium account using a government ID may receive ‘additional benefits’ in the future.&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Social media platform X (formerly known as Twitter) will now let paid users verify their accounts using a government ID in a bid to prevent impersonation and “maintain the integrity of the platform.” According to X’s updated verification policy (first seen via TechCrunch), the company may also request a government-issued ID “when needed” and is exploring additional measures to protect users from spam, malicious accounts, and content that isn’t age-appropriate. The new verification system was first leaked back in August.&lt;br /&gt;&lt;br /&gt;A pop-up window for the feature notes that X is partnering with Israel-based verification company AU10TIX to facilitate the new authorization feature. All verification information — including photographs of user IDs and “extracted biometric data” — may be stored by AU10TIX for up to 30 days. This may explain why X updated its privacy policy at the end of August to include carveouts for “biometric information.”&lt;br /&gt;&lt;br /&gt;ID verification benefits for X Premium subscribers will include a line that says “this account is ID verified” when anyone clicks their blue checkmark and prioritized support from X services. 
Additional benefits like a simplified review process needed to obtain a blue checkmark and greater flexibility to make account changes (including profile photo, display name, and user handle) are also in development.&lt;br /&gt;&lt;br /&gt;Users may be asked to reverify their account using a government-issued ID if the account’s name or intended purpose is changed, if ownership of the account has been transferred to another user, if the account is inactive, or for undisclosed “safety and security purposes.”&lt;br /&gt;&lt;br /&gt;X says it will also provide the option to use ID verification for “certain X features” as a means to increase trust in its platform. The company didn’t elaborate on what these features might entail but claims those who choose to participate could receive “additional benefits associated with the specific X feature” in the future. These benefits will only be available to individual users, excluding business and organization accounts.&lt;br /&gt;&lt;br /&gt;ID-based verification is currently available in “numerous countries,” but X did not elaborate on specific locations. It does not currently include the European Union, the European Economic Area, or the UK, however, likely because these regions have strict data protection laws. X says it’ll extend ID verification to these regions “soon.”&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.theverge.com/2023/9/15/23874854/x-twitter-verification-government-id-paid-account-benefits' target='_blank'&gt;https://www.theverge.com/2023/9/15/23874854...ccount-benefits&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Kopitiam</category>
            <pubDate>Sat, 16 Sep 2023 00:03:03 +0800</pubDate>
        </item>
        <item>
            <title>Court to deliver verdict on hacker behind</title>
            <link>http://forum.lowyat.net/topic/5407364</link>
            <description>&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;LISBON: A Portuguese court was due on Monday to deliver its verdict on hacker Rui Pinto, whose flood of &amp;quot;Football Leaks&amp;quot; revelations exposed dirty dealings in international football.&lt;br /&gt;&lt;br /&gt;It was the biggest information leak in sports history and sparked criminal investigations in Belgium, Britain, France, Spain and Switzerland.&lt;br /&gt;&lt;br /&gt;The verdict, which has been postponed several times, was due to be delivered at a hearing in Lisbon starting at 2:30 pm (1330 GMT).&lt;br /&gt;&lt;br /&gt;Pinto, 34, is charged with 89 hacking offences, and with attempted extortion, a crime punishable in Portugal by between two and 10 years in prison.&lt;br /&gt;&lt;br /&gt;He argues he is a whistleblower, whose actions exposed underhand dealings involving top football stars, clubs and agents.&lt;br /&gt;&lt;br /&gt;Between 2015 and 2018, he shared 18.6 million documents on the internet and with a consortium of European newspapers, which published details.&lt;br /&gt;&lt;br /&gt;The revelations shook the football world.&lt;br /&gt;&lt;br /&gt;They included the salaries of Lionel Messi and Neymar, an accusation of rape against Cristiano Ronaldo, alleged financial sleight of hand at Manchester City and ethnic profiling at Paris Saint Germain.&lt;br /&gt;&lt;br /&gt;Pinto is both a defendant and a protected witness in Portugal.&lt;br /&gt;&lt;br /&gt;When his trial began in September 2020, Pinto told the court he had been shocked by what he had discovered and was proud of bringing it to public knowledge.&lt;br /&gt;&lt;br /&gt;But he has admitted he used illegal means to obtain documents.&lt;br /&gt;&lt;br /&gt;His alleged victims include top Portuguese football club Sporting Lisbon, the Portuguese Football Federation, lawyers, magistrates and Doyen Sports -- a Malta-based investment fund run 
by Kazakh-Turkish oligarchs.&lt;br /&gt;&lt;br /&gt;Pinto was arrested in Hungary in 2019 and extradited to Portugal, where he spent a year behind bars before agreeing to cooperate with the Portuguese authorities on other cases, giving them access to encrypted documents he had obtained.&lt;br /&gt;&lt;br /&gt;The French authorities have also sought his cooperation over the &amp;quot;Luanda Leaks&amp;quot;, a release of 715,000 documents providing compromising information on Angolan billionaire Isabel dos Santos, daughter of former president Jose Eduardo dos Santos.&lt;br /&gt;&lt;br /&gt;Dos Santos, once the richest woman in Africa, has faced several court cases on charges she syphoned billions of dollars from Angolan state companies during her father&amp;#39;s four decades in office. -- AFP&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.nst.com.my/sports/football/2023/09/954004/court-deliver-verdict-hacker-behind-biggest-leak-football-history' target='_blank'&gt;https://www.nst.com.my/sports/football/2023...ootball-history&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Football Lounge</category>
            <pubDate>Wed, 13 Sep 2023 23:39:08 +0800</pubDate>
        </item>
        <item>
            <title>Vietnamese Hackers Deploy Python-Based Stealer via</title>
            <link>http://forum.lowyat.net/topic/5406894</link>
            <description>&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;A new phishing attack is leveraging Facebook Messenger to propagate messages with malicious attachments from a &amp;quot;swarm of fake and hijacked personal accounts&amp;quot; with the ultimate goal of taking over the targets&amp;#39; accounts.&lt;br /&gt;&lt;br /&gt;&amp;quot;Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods,&amp;quot; Guardio Labs researcher Oleg Zaytsev said in an analysis published over the weekend.&lt;br /&gt;&lt;br /&gt;In these attacks, dubbed MrTonyScam, potential victims are sent messages that entice them into clicking on the RAR and ZIP archive attachments, leading to the deployment of a dropper that fetches the next stage from a GitHub or GitLab repository.&lt;br /&gt;&lt;br /&gt;This payload is another archive file that contains a CMD file, which, in turn, harbors an obfuscated Python-based stealer to exfiltrate all cookies and login credentials from different web browsers to an actor-controlled Telegram or Discord API endpoint.&lt;br /&gt;&lt;br /&gt;A clever tactic adopted by the adversary involves deleting all cookies after stealing them, effectively logging victims out of their own accounts, at which point the scammers hijack their sessions using the stolen cookies to change their passwords and seize control of them.&lt;br /&gt;&lt;br /&gt;The threat actor&amp;#39;s links to Vietnam come from the presence of Vietnamese language references in the source code of the Python stealer and the inclusion of Cốc Cốc, a Chromium-based browser popular in the country.&lt;br /&gt;&lt;br /&gt;Despite the fact that triggering the infection requires user interaction to download a file, unzip, and execute the attachment, Guardio 
Labs found that the campaign has witnessed a high success rate where 1 out of 250 victims are estimated to have been infected over the last 30 days alone.&lt;br /&gt;&lt;br /&gt;A majority of the compromises have been reported in the U.S., Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam, among others.&lt;br /&gt;&lt;br /&gt;&amp;quot;Facebook Accounts with reputation, seller rating, and high number of followers can be easily monetized on dark markets,&amp;quot; Zaytsev said. &amp;quot;Those are used to reach a broad audience to spread advertisements as well as more scams.&amp;quot;&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://thehackernews.com/2023/09/vietnamese-hackers-deploy-python-based.html' target='_blank'&gt;https://thehackernews.com/2023/09/vietnames...thon-based.html&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Tue, 12 Sep 2023 10:39:59 +0800</pubDate>
        </item>
        <item>
            <title>Millions Infected by Spyware Hidden in Fake</title>
            <link>http://forum.lowyat.net/topic/5406610</link>
            <description>Spyware masquerading as modified versions of Telegram has been spotted in the Google Play Store that&amp;#39;s designed to harvest sensitive information from compromised Android devices.&lt;br /&gt;&lt;br /&gt;According to Kaspersky security researcher Igor Golovin, the apps come with nefarious features to capture and exfiltrate names, user IDs, contacts, phone numbers, and chat messages to an actor-controlled server.&lt;br /&gt;&lt;br /&gt;The activity has been codenamed Evil Telegram by the Russian cybersecurity company.&lt;br /&gt;&lt;br /&gt;The apps had been collectively downloaded millions of times before they were taken down by Google. Their details are as follows -&lt;br /&gt;&lt;br /&gt;電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) - 10 million+ downloads&lt;br /&gt;TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) - 50,000+ downloads&lt;br /&gt;电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) - 50,000+ downloads&lt;br /&gt;电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) - 10,000+ downloads&lt;br /&gt;ئۇيغۇر تىلى TG - تېلېگرامما (org.telegram.messenger.wcb) - 100+ downloads&lt;br /&gt;The last app on the list translates to &amp;quot;Telegram - TG Uyghur,&amp;quot; indicating a clear attempt to target the Uyghur community.&lt;br /&gt;&lt;br /&gt;It&amp;#39;s worth noting that the package name associated with the Play Store version of Telegram is &amp;quot;org.telegram.messenger,&amp;quot; whereas the package name for the APK file directly downloaded from Telegram&amp;#39;s website is &amp;quot;org.telegram.messenger.web.&amp;quot;&lt;br /&gt;&lt;br /&gt;The use of &amp;quot;wab,&amp;quot; &amp;quot;wcb,&amp;quot; and &amp;quot;wob&amp;quot; for the malicious package names, therefore, highlights the threat actor&amp;#39;s reliance on typosquatting techniques in order to pass itself off as the legitimate Telegram app and slip under the radar.&lt;br /&gt;&lt;br /&gt;&amp;quot;At first glance, these apps appear to be full-fledged Telegram 
clones with a localized interface,&amp;quot; the company said. &amp;quot;Everything looks and works almost the same as the real thing. [But] there is a small difference that escaped the attention of the Google Play moderators: the infected versions house an additional module:&amp;quot;&lt;br /&gt;&lt;br /&gt;The disclosure comes days after ESET revealed a BadBazaar malware campaign targeting the official app marketplace that leveraged a rogue version of Telegram to amass chat backups.&lt;br /&gt;&lt;br /&gt;Similar copycat Telegram and WhatsApp apps were uncovered by the Slovak cybersecurity firm previously in March 2023 that came fitted with clipper functionality to intercept and modify wallet addresses in chat messages and redirect cryptocurrency transfers to attacker-owned wallets.&lt;br /&gt;&lt;br /&gt;&lt;a href='https://thehackernews.com/2023/09/millions-infected-by-spyware-hidden-in.html' target='_blank'&gt;https://thehackernews.com/2023/09/millions-...-hidden-in.html&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Mon, 11 Sep 2023 03:09:55 +0800</pubDate>
        </item>
        <item>
            <title>How to disable Chrome’s new targeted ad tracking</title>
            <link>http://forum.lowyat.net/topic/5405653</link>
            <description>Google is replacing third-party cookies with a Topics API, which can be turned off if you know how.&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;This summer, Google began rolling out its new Topics API, which “allows a browser to share information with third parties about a user’s interests while preserving privacy.” A part of Google’s new Privacy Sandbox, the API is supposed to replace the third-party cookies that have been following us around for many years now, reporting where we go and what we buy, among other info.&lt;br /&gt;&lt;br /&gt;The Topics API was included in July’s Chrome 115 release, and if you don’t have it yet, you will soon. If the idea of sharing information about your interests with third parties doesn’t thrill you, you can easily turn it off. Here’s how:&lt;br /&gt;&lt;br /&gt;In Chrome, start at the three dots in the upper-right corner and go to Settings &amp;gt; Privacy and Security &amp;gt; Ad privacy. (Or just type chrome://settings/adPrivacy into your address field.)&lt;br /&gt;&lt;br /&gt;You’ll see three categories:&lt;br /&gt;Ad topics, which assumes your interests based on your browsing history.&lt;br /&gt;Site-suggested ads, which suggests ads based on the sites you’ve visited.&lt;br /&gt;Ad measurement, which shares data with sites to help them measure the effectiveness of their advertising.&lt;br /&gt;&lt;br /&gt;Click on each. If you want, you can pause to find out more about what interests and sites Google has associated with you. You can even just turn off subcategories for each — for example, under Ad topics, you can block Business and industrial but keep Computer and video games active.&lt;br /&gt;&lt;br /&gt;However, if you want to save yourself time, as you go into each of the three categories, just toggle each one off. 
And you’re done.&lt;br /&gt;&lt;br /&gt;Of course, this isn’t a foolproof privacy method — for example, individual sites can have their own cookies, tracking pixels, and other methods of collecting data about you. But it’s a start. And if it isn’t enough, you can look into some of the more privacy-centric browsers, such as DuckDuckGo and Brave.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.theverge.com/23860050/chrome-ads-topics-sandbox' target='_blank'&gt;https://www.theverge.com/23860050/chrome-ads-topics-sandbox&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Wed, 06 Sep 2023 23:48:57 +0800</pubDate>
        </item>
        <item>
            <title>Meta says it disrupted largest known cross-platform</title>
            <link>http://forum.lowyat.net/topic/5405407</link>
            <description>&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Meta, the parent company of Facebook and Instagram, said Tuesday it disrupted the “largest known cross-platform covert influence operation in the world” and found links to Chinese law enforcement.&lt;br /&gt;&lt;br /&gt;The social media company took down 7,704 Facebook accounts, 954 Pages, 15 Groups and 15 Instagram accounts tied to the operation, according to Meta’s second-quarter Adversarial Threat Report.&lt;br /&gt;&lt;br /&gt;The cross-platform activity used in the operation, known as “Spamouflage,” targeted more than 50 platforms and forums, according to the report. In addition to Facebook and Instagram, the disinformation campaign’s targets included X — the platform formerly known as Twitter — YouTube, TikTok, Reddit and Pinterest.&lt;br /&gt;&lt;br /&gt;Meta found that distinct clusters of the fake accounts were run from different parts of China in groups that “may have worked from a shared location, such as an office,” and operated in “clear” shifts. 
&lt;br /&gt;&lt;br /&gt;“Each cluster worked to a clear shift pattern, with bursts of activity in the mid-morning and early afternoon, Beijing time, with breaks for lunch and supper, and then a final burst of activity in the evening,” the report noted.&lt;br /&gt;&lt;br /&gt;The groups often shared the same proxy internet infrastructure and posted identical content — typically supportive of China and critical of the U.S., Western foreign policies and Chinese detractors — across various platforms, according to the report.&lt;br /&gt;&lt;br /&gt;Despite efforts to conceal their identities, Meta said in the report it found “links to individuals associated with Chinese law enforcement.”&lt;br /&gt;&lt;br /&gt;The disinformation campaign had lower operational security compared to similar networks Meta has identified because it repeatedly used the same accounts and often posted the same articles with “highly distinctive headlines” across multiple platforms and accounts, according to the report.&lt;br /&gt;&lt;br /&gt;Meta noted that headlines with typos, language mixes and unique formulations created distinct indicators that open-source researchers could use to find other activity connected to the operation.&lt;br /&gt;&lt;br /&gt;The operation also “consistently struggled to reach beyond its own (fake) echo chamber” despite its large size, the report said, which Meta attributed to poor quality control.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://thehill.com/policy/technology/4176590-meta-says-it-disrupted-largest-known-cross-platform-china-linked-disinformation-campaign/' target='_blank'&gt;https://thehill.com/policy/technology/41765...ation-campaign/&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Tue, 05 Sep 2023 23:42:11 +0800</pubDate>
        </item>
        <item>
            <title>A Skype app vulnerability could expose your</title>
            <link>http://forum.lowyat.net/topic/5404113</link>
            <description>Microsoft says it doesn’t require an ‘immediate’ fix, according to 404 Media.&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Microsoft is reportedly dragging its feet on fixing yet another security vulnerability. This time, it’s a flaw in the Skype mobile app that could let hackers obtain your IP address by opening a message with a link — no clicking required, according to a report from 404 Media.&lt;br /&gt;&lt;br /&gt;The flaw, which was uncovered by the independent security researcher Yossi, allows hackers to see a user’s general location by having them open a message containing a link. While Yossi told Microsoft about the flaw earlier this month, 404 Media reports that the company only promised to issue a patch after the outlet reached out.&lt;br /&gt;&lt;br /&gt;To attest to the severity of the flaw, it doesn’t seem to matter what website the link takes you to. The researcher demonstrated the flaw to 404 Media by having its reporter open links to Google.com and 404media.co. Yossi was able to obtain the reporter’s IP address both times — even when they used a virtual private network (VPN), which is supposed to mask your location.&lt;br /&gt;&lt;br /&gt;When Yossi reached out to Microsoft about the issue on August 12th, the company reportedly told the researcher that the “disclosure of an IP address is not considered a security vulnerability on it’s [sic] own,” adding that the flaw “does not meet the definition of a security vulnerability” that would “require immediate servicing.”&lt;br /&gt;&lt;br /&gt;When 404 Media contacted Microsoft, the company said it would address the flaw in “a future product update” but didn’t provide an estimated timeline. 
While 404 Media doesn’t provide specifics on how hackers can exploit the flaw, it states that “it is trivially easy to exploit and involves changing a certain parameter related to the link.”&lt;br /&gt;&lt;br /&gt;That means hackers can continue exploiting it until Microsoft decides to fix it, potentially exposing users’ information without their knowledge. The Verge reached out to Microsoft with a request for comment and didn’t immediately hear back.&lt;br /&gt;&lt;br /&gt;Since Chinese hackers breached US government emails through Microsoft Azure in July, the company has faced growing criticism for its handling of security vulnerabilities. Earlier this month, Amit Yoran, the CEO of the cybersecurity company Tenable, called out the company’s “blatantly negligent” practices while citing his own example of Microsoft delaying a critical fix spotted by the firm. Microsoft only patched the issue after Yoran’s post was published.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href='https://www.theverge.com/2023/8/28/23848823/skype-vulnerability-ip-address-microsoft' target='_blank'&gt;https://www.theverge.com/2023/8/28/23848823...dress-microsoft&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Wed, 30 Aug 2023 21:48:58 +0800</pubDate>
        </item>
        <item>
            <title>Gmail may ask for verification to</title>
            <link>http://forum.lowyat.net/topic/5403330</link>
            <description>Gmail’s extra verification might help prevent a bad actor from intercepting your emails.&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Gmail may add an extra verification step when you try to do things like adding a forwarding address and editing your filters, Google announced in a blog post on Wednesday. The extra step could help prevent a bad actor who has access to your account from filtering emails in ways you don’t expect or forwarding emails to a new address without you knowing.&lt;br /&gt;&lt;br /&gt;Here are the specific scenarios where Google may add the additional step, from Google’s post:&lt;br /&gt;&lt;br /&gt;Filters: creating a new filter, editing an existing filter, or importing filters. &lt;br /&gt;&lt;br /&gt;Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings. &lt;br /&gt;&lt;br /&gt;IMAP access: Enabling the IMAP access status from the settings. (Workspace admins control whether this setting is visible to end users or not) &lt;br /&gt;&lt;br /&gt;If you try and change those settings and Google deems the action “risky,” you’ll be prompted to verify that you are the person actually trying to make the change. 
If that challenge fails or isn’t completed, you’ll get a “critical security alert” to help let you know that something might be wrong.&lt;br /&gt;&lt;br /&gt;The additional protection will be available to all Google Workspace customers and people with personal Google accounts, though Google notes that “this feature only supports users that use Google as their identity provider and actions taken within Google products.” Google introduced a similar verification prompt for “sensitive actions taken in your Google Workspace account” last year.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.theverge.com/2023/8/23/23843682/gmail-verification-forwarding-address-edit-filters-protection' target='_blank'&gt;https://www.theverge.com/2023/8/23/23843682...ters-protection&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Sun, 27 Aug 2023 07:14:02 +0800</pubDate>
        </item>
        <item>
            <title>Google is improving security for</title>
            <link>http://forum.lowyat.net/topic/5403167</link>
            <description>A 2FA challenge to stop account takeover attempts from cyber-criminals or thieves&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Why it matters: Google is bringing stronger safeguards to Gmail, which is one of the main services in the company&amp;#39;s productivity platform (Workspace). In a few days, users will be required to pass an extra security check-up to confirm their identity while trying to modify certain options in their webmail.&lt;br /&gt;&lt;br /&gt;A year after introducing an additional ID check for Workspace accounts, Google is now extending the extra protection layer to Gmail as well. The most popular webmail in the world is also one of the central pillars for the Workspace productivity and collaboration platform, so Google is clearly trying to cut account takeover risks by following a two-step verification approach.&lt;br /&gt;&lt;br /&gt;The Mountain View corporation says that the extra verification step will be extended to some &amp;quot;sensitive actions&amp;quot; taken in Gmail options. Users will need to verify their identity (again) when they try to tinker with filters, add a new forwarding email address in the Forwarding and POP/IMAP settings, and enable IMAP access.&lt;br /&gt;&lt;br /&gt;When the user engages in one of these actions, Google says, Gmail will evaluate the session where the attempt is occurring. If the attempt is deemed &amp;quot;risky,&amp;quot; Google will challenge the user with a &amp;quot;Verify it&amp;#39;s you&amp;quot; prompt on a trusted device. A 2-step verification code will then be provided to confirm the action in Gmail settings.&lt;br /&gt;&lt;br /&gt;If the ID check-up fails or is not completed, Google will show a &amp;quot;critical security alert&amp;quot; notification on the aforementioned trusted device. 
The alert should also work as a scare tactic to discourage account takeover by a thief who stole the user&amp;#39;s laptop, or for malicious remote desktop apps trying to do the same. In this case, already being logged in with Gmail won&amp;#39;t be enough to compromise a user&amp;#39;s Google account.&lt;br /&gt;&lt;br /&gt;Google also notes that the new, improved security feature only supports users trusting the company as their &amp;quot;identity provider.&amp;quot; SAML users are not supported yet. The feature&amp;#39;s gradual rollout on &amp;quot;rapid release&amp;quot; domains began on August 23, 2023, with up to 15 days for &amp;quot;feature visibility.&amp;quot; Scheduled rollout should start on September 6, 2023.&lt;br /&gt;&lt;br /&gt;All Workspace customers and users with personal Google Accounts should have access to the new security feature, Mountain View says. The company also provided some additional resources for system admins to learn how to set the feature up. End users will have no settings to choose from, as they will be automatically served with a &amp;quot;Verify it&amp;#39;s you&amp;quot; challenge if an action on their account is deemed risky.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.techspot.com/news/99921-google-improving-security-gmail-most-sensitive-settings.html' target='_blank'&gt;https://www.techspot.com/news/99921-google-...e-settings.html&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Fri, 25 Aug 2023 23:44:29 +0800</pubDate>
        </item>
        <item>
            <title>TP-Link Tapo smart bulb vulnerabilities could</title>
            <link>http://forum.lowyat.net/topic/5402989</link>
            <description>Fixes will be released &amp;quot;in due course&amp;quot;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Why it matters: You&amp;#39;re probably familiar with TP-Link&amp;#39;s Tapo smart bulbs. They&amp;#39;re incredibly popular, especially on Amazon, and the companion app has over 10 million downloads on Google Play. But researchers have discovered four vulnerabilities in a specific model of bulb and the Tapo app that could allow attackers to steal Wi-Fi passwords, among other things.&lt;br /&gt;&lt;br /&gt;As reported by Bleeping Computer, researchers from Universita di Catania and the University of London wrote in a paper that IoT products are becoming increasingly pervasive. As such, they wanted to conduct a vulnerability assessment and penetration testing session on the Tapo L530E, currently the best-selling smart bulb on Amazon Italy.&lt;br /&gt;&lt;br /&gt;The results were not good for TP-Link. Researchers found four vulnerabilities, the first of which was calculated as having the highest CVSS v3.1 vulnerability score: 8.8, making it high severity. It&amp;#39;s due to a lack of smart bulb authentication with the Tapo app, allowing attackers to impersonate the bulb during the session key exchange step.&lt;br /&gt;&lt;br /&gt;The vulnerability, present in all Tapo smart devices that use the TSKEP protocol, allows hackers to retrieve Tapo user passwords and manipulate Tapo devices.&lt;br /&gt;&lt;br /&gt;The second flaw is also classed as high severity (7.6 score) and stems from a hard-coded short checksum shared secret. 
This lets an adjacent attacker obtain the secret used for authentication during the Bulb Discovery phase via a brute-force attack or by decompiling the Tapo app.&lt;br /&gt;&lt;br /&gt;The third security issue (4.6 score) is a lack of randomness during symmetric encryption that enables an attacker to make the cryptographic scheme predictable.&lt;br /&gt;&lt;br /&gt;The final vulnerability (5.7 score) relates to insufficient message freshness, which keeps session keys valid for 24 hours and allows attackers to replay messages during that period.&lt;br /&gt;&lt;br /&gt;There are several scenarios in which someone could exploit the vulnerabilities, the most serious being bulb impersonation and retrieval of Tapo user account details. This could allow an attacker access to the Tapo app and, among other things, steal a user&amp;#39;s Wi-Fi password. While the device needs to be in setup mode for the attack to work, the attacker can repeatedly deauthenticate a bulb, forcing a user to run the setup again.&lt;br /&gt;&lt;br /&gt;The researchers also warned of Man-In-The-Middle attacks with a configured and unconfigured Tapo L530E device, letting attackers intercept communications and retrieve Tapo passwords, SSIDs, and Wi-Fi passwords.&lt;br /&gt;&lt;br /&gt;The good news is that the vulnerabilities have been reported to TP-Link via its Vulnerability Research Program (VRP). The company acknowledged all of them and said it has started working on fixes both at the app and at the bulb firmware levels. No word on when they will get here beyond their release &amp;quot;in due course.&amp;quot;&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.techspot.com/news/99869-tp-link-tapo-smart-bulbs-vulnerability-could-expose.html' target='_blank'&gt;https://www.techspot.com/news/99869-tp-link...uld-expose.html&lt;/a&gt;&lt;br /&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Fri, 25 Aug 2023 10:02:16 +0800</pubDate>
        </item>
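The second, third and fourth findings above are generic protocol mistakes (a short hard-coded secret, encryption without randomness, and no message freshness), and they are easiest to understand by watching each one fail. The block below is an added example written for this page; it is not TP-Link, Tapo or the researchers' code. The message formats, the 16-bit discovery secret, the HMAC-based command tags and the SHA-256 keystream cipher are assumptions chosen to make each weakness observable, not the real TSKEP protocol. The first finding (no authentication of the bulb during key exchange) is not modelled.

```python
"""Toy device protocol reproducing three of the weakness classes above.

Added example, not TP-Link/Tapo code. Everything here (formats, secret size,
toy cipher) is an assumption made for the demo, not the real TSKEP protocol.
"""
import hashlib
import hmac
import os
import struct

SECRET_BITS = 16  # assumption: a short, hard-coded discovery secret


def discovery_tag(secret: int, payload: bytes) -> bytes:
    """MAC a discovery payload with a 16-bit secret (toy stand-in)."""
    return hmac.new(struct.pack(">H", secret), payload, hashlib.sha256).digest()[:8]


def brute_force_secret(payload: bytes, tag: bytes) -> int:
    """Recover the 16-bit secret from a single observed (payload, tag) pair."""
    for guess in range(2 ** SECRET_BITS):
        if hmac.compare_digest(discovery_tag(guess, payload), tag):
            return guess
    return -1


def keystream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher: keystream block = SHA-256(key || nonce || index).

    With an empty, fixed nonce the same plaintext always gives the same
    ciphertext; that is the predictability the article describes. XOR makes
    the function its own inverse, so it also decrypts.
    """
    out = bytearray()
    for block in range(0, len(plaintext), 32):
        ks = hashlib.sha256(key + nonce + struct.pack(">I", block)).digest()
        chunk = plaintext[block:block + 32]
        out += bytes(p ^ k for p, k in zip(chunk, ks))
    return bytes(out)


class NaiveDevice:
    """Verifies the command MAC but has no freshness: captured commands replay."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.applied = []

    def handle(self, command: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.key, command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.applied.append(command)
        return True


class FreshDevice:
    """Binds a strictly increasing counter into the MAC and rejects reuse."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.last_counter = -1
        self.applied = []

    def handle(self, counter: int, command: bytes, tag: bytes) -> bool:
        msg = struct.pack(">Q", counter) + command
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        if counter > self.last_counter:
            self.last_counter = counter
            self.applied.append(command)
            return True
        return False  # replayed or out-of-order counter


def sign_naive(key: bytes, command: bytes) -> bytes:
    return hmac.new(key, command, hashlib.sha256).digest()


def sign_fresh(key: bytes, counter: int, command: bytes) -> bytes:
    return hmac.new(key, struct.pack(">Q", counter) + command, hashlib.sha256).digest()


def run_demo() -> dict:
    """Exercise the three weaknesses and report what the attacker achieved."""
    results = {}
    # 1. Short hard-coded secret: recovered from one sniffed discovery message.
    payload = b"DISCOVER bulb-0001"  # constructed sample message
    tag = discovery_tag(0x2A5F, payload)
    results["secret_recovered"] = brute_force_secret(payload, tag) == 0x2A5F
    # 2. Encryption without randomness: equal commands give equal ciphertext.
    key = hashlib.sha256(b"toy session key").digest()  # constructed key
    c1 = keystream_encrypt(key, b"", b"set_brightness 100")
    c2 = keystream_encrypt(key, b"", b"set_brightness 100")
    c3 = keystream_encrypt(key, os.urandom(12), b"set_brightness 100")
    results["ciphertext_repeats_without_nonce"] = c1 == c2
    results["ciphertext_repeats_with_nonce"] = c1 == c3
    # 3. No freshness: the naive device accepts a captured command twice.
    cmd = b"power off"
    naive = NaiveDevice(key)
    tag = sign_naive(key, cmd)
    naive.handle(cmd, tag)  # legitimate send
    results["naive_replay_accepted"] = naive.handle(cmd, tag)  # attacker replay
    fresh = FreshDevice(key)
    tag = sign_fresh(key, 1, cmd)
    fresh.handle(1, cmd, tag)
    results["fresh_replay_accepted"] = fresh.handle(1, cmd, tag)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the five results. The fix for the replay case is the FreshDevice pattern: bind a strictly increasing counter (or a tight timestamp window) into the authenticated message and refuse anything not newer than the last accepted value; a 24-hour session-key lifetime on its own gives no freshness at all. The XOR keystream is only there to show why a missing nonce makes ciphertext predictable; a real device should use an AEAD mode with a nonce that is unique per message, and a discovery secret short enough to enumerate should not exist in the first place.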
        <item>
            <title>Scraped data of 2.6 million Duolingo users</title>
            <link>http://forum.lowyat.net/topic/5402752</link>
            <description>&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information.&lt;br /&gt;&lt;br /&gt;Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide.&lt;br /&gt;&lt;br /&gt;In January 2023, someone was selling the scraped data of 2.6 million DuoLingo users on the now-shutdown Breached hacking forum for &amp;#036;1,500.&lt;br /&gt;&lt;br /&gt;This data includes a mixture of public login and real names, and non-public information, including email addresses and internal information related to the DuoLingo service.&lt;br /&gt;&lt;br /&gt;While the real name and login name are publicly available as part of a user&amp;#39;s Duolingo profile, the email addresses are more concerning as they allow this public data to be used in attacks.&lt;br /&gt;&lt;br /&gt;When the data was for sale, DuoLingo confirmed to TheRecord that it was scraped from public profile information and that they were investigating whether further precautions should be taken.&lt;br /&gt;&lt;br /&gt;However, Duolingo did not address the fact that email addresses were also listed in the data, which is not public information.&lt;br /&gt;&lt;br /&gt;As first spotted by VX-Underground, the scraped 2.6 million user dataset was released yesterday on a new version of the Breached hacking forum for 8 site credits, worth only &amp;#036;2.13.&lt;br /&gt;&lt;br /&gt;&amp;quot;Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy&amp;#33;,&amp;quot; reads a post on the hacking forum.&lt;br /&gt;&lt;br /&gt;This data was scraped using an exposed application programming interface (API) that has been shared openly since at least March 2023, with researchers tweeting and publicly 
documenting how to use the API.&lt;br /&gt;&lt;br /&gt;The API allows anyone to submit a username and retrieve JSON output containing the user&amp;#39;s public profile information. However, it is also possible to feed an email address into the API and confirm if it is associated with a valid DuoLingo account.&lt;br /&gt;&lt;br /&gt;BleepingComputer has confirmed that this API is still openly available to anyone on the web, even after its abuse was reported to DuoLingo in January.&lt;br /&gt;&lt;br /&gt;This API allowed the scraper to feed millions of email addresses, likely exposed in previous data breaches, into the API and confirm if they belonged to DuoLingo accounts. These email addresses were then used to create the dataset containing public and non-public information.&lt;br /&gt;&lt;br /&gt;Another threat actor shared their own API scrape, pointing out that threat actors wishing to use the data in phishing attacks should pay attention to specific fields that indicate a DuoLingo user has more permission than a regular user and are thus more valuable targets.&lt;br /&gt;&lt;br /&gt;BleepingComputer has contacted DuoLingo with questions on why the API is still publicly available but did not receive a reply at the time of this publication.&lt;br /&gt;&lt;br /&gt;Scraped data regularly dismissed&lt;br /&gt;Companies tend to dismiss scraped data as not an issue as most of the data is already public, even if it is not necessarily easy to compile.&lt;br /&gt;&lt;br /&gt;However, when public data is mixed with private data, such as phone numbers and email addresses, it tends to make the exposed information more risky and potentially violate data protection laws.&lt;br /&gt;&lt;br /&gt;For example, in 2021, Facebook suffered a massive leak after an &amp;quot;Add Friend&amp;quot; API bug was abused to link phone numbers to Facebook accounts for 533 million users. 
The Irish data protection commission (DPC) later fined Facebook €265 million (&amp;#036;275.5 million) for this leak of scraped data.&lt;br /&gt;&lt;br /&gt;More recently, a Twitter API bug was used to scrape the public data and email addresses of millions of users, leading to an investigation by the DPC.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.bleepingcomputer.com/news/security/scraped-data-of-26-million-duolingo-users-released-on-hacking-forum/' target='_blank'&gt;https://www.bleepingcomputer.com/news/secur...-hacking-forum/&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Wed, 23 Aug 2023 23:33:50 +0800</pubDate>
        </item>
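The enumeration path the article describes (an endpoint that confirms whether an email address maps to an account, swept with a list of addresses from earlier breaches) is easy to see in code. What follows is an added example written for this page, not Duolingo's API or BleepingComputer's material: a toy profile lookup in its leaky and hardened forms, plus a detector that runs over constructed access-log lines. The endpoint path /api/profile, the log format, the account store and the client addresses are all assumptions made up for the demo.

```python
"""Email enumeration: leaky vs hardened lookup, and a log-based detector.

Added example, not Duolingo's code. Endpoint path, log format, accounts and
client addresses are constructed for the demo.
"""
import re
from collections import defaultdict

# Constructed account store standing in for the real service.
ACCOUNTS = {
    "alice": {"username": "alice", "email": "alice@example.org", "streak": 42},
    "bob": {"username": "bob", "email": "bob@example.org", "streak": 7},
}
EMAIL_INDEX = {a["email"]: a for a in ACCOUNTS.values()}


def naive_lookup(query: str) -> dict:
    """Resolves a username OR an email, so the response reveals which
    addresses have accounts and returns the (non-public) email field."""
    acct = ACCOUNTS.get(query) or EMAIL_INDEX.get(query)
    if acct is None:
        return {"error": "not found"}
    return {"username": acct["username"], "email": acct["email"], "streak": acct["streak"]}


def hardened_lookup(query: str) -> dict:
    """Public profile by username only: email is neither a lookup key nor a
    returned field, so a registered and an unregistered address look alike."""
    if "@" in query:
        return {"error": "not found"}
    acct = ACCOUNTS.get(query)
    if acct is None:
        return {"error": "not found"}
    return {"username": acct["username"], "streak": acct["streak"]}


# Assumed log format: "<epoch> <client-ip> GET /api/profile?q=<query> <status>"
LOG_LINE = re.compile(r"^(\d+) (\S+) GET /api/profile\?q=(\S+) (\d{3})$")


def is_email_query(q: str) -> bool:
    return "%40" in q or "@" in q


def detect_enumeration(log_text: str, window_s: int = 60, threshold: int = 20) -> dict:
    """Return {ip: peak distinct email lookups inside any window_s-second
    window} for every client whose peak exceeds threshold."""
    per_ip = defaultdict(list)  # ip -> [(ts, query)]
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue
        ts, ip, q = int(m.group(1)), m.group(2), m.group(3)
        if is_email_query(q):
            per_ip[ip].append((ts, q))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            seen = {q for t, q in events[i:] if window_s > t - t0}
            peak = max(peak, len(seen))
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log() -> str:
    """Constructed access log: one ordinary client, one scraper sweeping
    addresses from a breach list against the endpoint."""
    lines = [
        "1000 198.51.100.7 GET /api/profile?q=alice 200",
        "1030 198.51.100.7 GET /api/profile?q=bob 200",
        "1100 198.51.100.7 GET /api/profile?q=carol%40example.org 404",
    ]
    for i in range(30):
        lines.append(f"{2000 + i} 203.0.113.9 GET /api/profile?q=user{i}%40example.net 404")
    return "\n".join(lines)


if __name__ == "__main__":
    print(naive_lookup("alice@example.org"))      # leaks username for an email
    print(hardened_lookup("alice@example.org"))   # indistinguishable from unknown
    print(detect_enumeration(build_sample_log()))  # {'203.0.113.9': 30}
```

The hardened form removes the oracle rather than hiding it: once the response for a known and an unknown address is byte-identical (and takes the same time), the sweep yields nothing even without rate limiting. The detector is the operational backstop for the API as it actually shipped: distinct email-shaped queries per client in a sliding window, which separates a scraper from a user who mistyped an address once. In production the same counter would feed a rate limiter keyed on client, not only an alert.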
        <item>
            <title>Ford owners using Sync 3 infotainment</title>
            <link>http://forum.lowyat.net/topic/5402260</link>
            <description>Wi-Fi driver vulnerability allows remote code execution&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;PSA: Owners of Ford vehicles made after 2015 should check if their infotainment systems use the company&amp;#39;s Sync 3 software and, if so, deactivate Wi-Fi. The company recently disclosed a severe vulnerability in the firmware&amp;#39;s Wi-Fi drivers enabling remote code execution. A patch is currently in development.&lt;br /&gt;&lt;br /&gt;Texas Instruments recently alerted Ford to a Wi-Fi driver flaw that makes the software it supplies for the automaker&amp;#39;s Sync 3 infotainment system susceptible to hijacking. The core problem is that the TI WiLink WL18xx MCP driver allows unlimited information elements (IEs) to be parsed in a management frame. Drivers can check their system&amp;#39;s version number under Settings &amp;gt; General &amp;gt; About SYNC.&lt;br /&gt;&lt;br /&gt;This flaw potentially enables an attacker to trigger a buffer overflow, overwrite the host processor&amp;#39;s memory, and execute remote code. The exploit carries a CVSS severity ranging between 8.8 and 9.6 out of 10. It isn&amp;#39;t clear what other devices or operating systems use the affected driver, but any that do would presumably be vulnerable.&lt;br /&gt;&lt;br /&gt;Ford stresses that the infotainment system is firewalled from critical functions like steering, throttling, and braking, meaning anyone who hacks it can&amp;#39;t endanger a vehicle&amp;#39;s occupants. Furthermore, an attacker must be within Wi-Fi range with the ignition engaged to exploit the vulnerability. So far, there&amp;#39;s no evidence of this occurring, but users should deactivate Wi-Fi in Settings &amp;gt; Wi-Fi &amp;gt; Vehicle connectivity to be safe. The automaker plans to issue a security update soon.&lt;br /&gt;&lt;br /&gt;Usually, Ford vehicles update their infotainment systems over Wi-Fi. 
However, since the problem is the Wi-Fi, the company advises users to download the patch onto a USB drive using a PC. Those affected should regularly check Ford&amp;#39;s support website for updates.&lt;br /&gt;&lt;br /&gt;Sync 3 is either pre-installed or available in Ford models from 2015 onward. The company&amp;#39;s newest infotainment system is Sync 4 – available in vehicles from 2021 and later. Ford hasn&amp;#39;t disclosed any vulnerabilities in the newer version.&lt;br /&gt;&lt;br /&gt;The Wi-Fi exploit impacts one of the primary pillars of Ford&amp;#39;s recent push into high-tech cars – over-the-air updates that effectively turn the company&amp;#39;s vehicles into connected computers. Last year, the company emphasized the need for tight cybersecurity that its new products require, with the unfortunate side effect of blocking access to third-party tuners. Critical security incidents like this wireless vulnerability will probably become more common.&lt;br /&gt;&lt;br /&gt;Story correction (Aug. 18): A Ford representative reached out to us for a correction. We had stated earlier that some owners using Sync 3 could upgrade to Sync 4, but that is not accurate. Sync 3 and Sync 4 are completely different systems and use different hardware, so there&amp;#39;s no upgrade path from one software system to the other.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.techspot.com/news/99816-ford-owners-using-sync-3-infotainment-turn-off.html' target='_blank'&gt;https://www.techspot.com/news/99816-ford-ow...t-turn-off.html&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Mon, 21 Aug 2023 21:36:45 +0800</pubDate>
        </item>
        <item>
            <title>Match Group pauses background checks on</title>
            <link>http://forum.lowyat.net/topic/5401688</link>
            <description>Garbo, a nonprofit organization that offered background checks with just a last name and phone number, is ending its partnership with Match.&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Garbo, a nonprofit organization that provided background checks to users of some of Match Group’s apps, is ending its partnership with the company, as reported earlier by The Wall Street Journal. As a result, Garbo will be shutting down its consumer-facing business and Match will be pausing its background checks in the affected apps.&lt;br /&gt;&lt;br /&gt;Match Group first started offering background checks on Tinder in 2021 before rolling it out to its other dating apps, including Match and Stir, last year. The integration let users run a limited number of free background checks on a potential date using just their last name and phone number, allowing users to see public reports about violence, past arrests, convictions, and restraining orders.&lt;br /&gt;&lt;br /&gt;While it’s not clear what went wrong between the two companies, Garbo appears to place the blame on Match Group. In a post on Garbo’s blog, founder Kathryn Kosmides says she made the decision to shut down the service after facing “a lack of support and real initiative from online platforms” as well as “continuous harassment and threats by bad actors on these platforms.”&lt;br /&gt;&lt;br /&gt;According to the Journal, there were also some internal conflicts about how the background checks should work. 
While Match Group reportedly wanted to display a badge on people’s Tinder profiles to signal they had clean criminal histories, Kosmides disagreed, telling the Journal, “You can’t white-list someone or give them a ‘good guy, bad guy’ identity verification.” The Journal also points out that Tinder never really advertised the background checks to its users and that it was never made available within the Tinder app on iOS.&lt;br /&gt;&lt;br /&gt;“It’s become clear that most online platforms aren’t legitimately committed to trust and safety for their users,” Kosmides says. “There are some great companies that do take our mission to heart, but the sad reality is that most social networks, dating apps and online platforms care more about the bottom-line than they care about you.”&lt;br /&gt;&lt;br /&gt;The partnership’s discontinuation comes almost one year after Tracey Breeden, Match Group’s first head of safety and social advocacy who also spearheaded the partnership with Garbo, left the company. Match Group says it has plans to find a new background check provider. Meanwhile, Garbo will remain a 501c3 nonprofit organization and is shifting its focus toward creating tools to help protect users “from gender-based violence and other interpersonal harms in the digital age.”&lt;br /&gt;&lt;br /&gt;“While we are disappointed that we were unable to come to an agreement, we are in advanced conversations with alternate providers and will announce a new partnership soon,” Match group spokesperson Kayla Whaling tells The Verge. 
“We are committed to continuously investing and building industry-leading features that give users more information and control over who they choose to connect with on our platforms.”&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.theverge.com/2023/8/17/23836215/match-group-tinder-background-checks-garbo-partnership-end' target='_blank'&gt;https://www.theverge.com/2023/8/17/23836215...partnership-end&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Cupid&amp;#39;s Corner</category>
            <pubDate>Fri, 18 Aug 2023 23:03:10 +0800</pubDate>
        </item>
        <item>
            <title>China-Linked Bronze Starlight Group Targeting</title>
            <link>http://forum.lowyat.net/topic/5401480</link>
            <description>&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;An ongoing cyber attack campaign originating from China is targeting the Southeast Asian gambling sector to deploy Cobalt Strike beacons on compromised systems.&lt;br /&gt;&lt;br /&gt;Cybersecurity firm SentinelOne said the tactics, techniques, and procedures point to the involvement of a threat actor tracked as Bronze Starlight (aka Emperor Dragonfly or Storm-0401), which has been linked to the use of short-lived ransomware families as a smokescreen to conceal its espionage motives.&lt;br /&gt;&lt;br /&gt;&amp;quot;The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons,&amp;quot; security researchers Aleksandar Milenkoski and Tom Hegel said in an analysis published today.&lt;br /&gt;&lt;br /&gt;It also bears noting that the campaign exhibits overlaps with an intrusion set monitored by ESET under the name Operation ChattyGoblin. 
 This activity, in turn, shares commonalities with a supply chain attack that came to light last year leveraging a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor.&lt;br /&gt;&lt;br /&gt;Attribution to an exact group remains a challenge due to the interconnected relationships and the extensive infrastructure and malware sharing prevalent among various Chinese nation-state actors.&lt;br /&gt;&lt;br /&gt;The attacks are known to employ modified installers for chat applications to download a .NET malware loader that&amp;#39;s configured to retrieve a second-stage ZIP archive from Alibaba buckets.&lt;br /&gt;&lt;br /&gt;The ZIP file consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets side-loaded by the executable when started, and an encrypted data file named agent.data.&lt;br /&gt;&lt;br /&gt;Specifically, this entails the use of Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables that are susceptible to DLL hijacking to decrypt and execute code embedded in the data file, which implements a Cobalt Strike beacon.&lt;br /&gt;&lt;br /&gt;&amp;quot;The loader is executed through side-loading by legitimate executables vulnerable to DLL hijacking and stages a payload stored in an encrypted file,&amp;quot; the researchers pointed out.&lt;br /&gt;&lt;br /&gt;SentinelOne said one of the .NET malware loaders (&amp;quot;AdventureQuest.exe&amp;quot;) is signed using a certificate issued to a Singapore-based VPN provider called Ivacy VPN, indicating the theft of the signing key at some point. DigiCert has since revoked the certificate as of June 2023.&lt;br /&gt;&lt;br /&gt;The side-loaded DLL files are HUI Loader variants, a custom malware loader that has been widely used by China-based groups such as APT10, Bronze Starlight, and TA410. 
APT10 and TA410 are said to share behavioral and tooling overlaps with each other, with the former also related to another cluster referred to as Earth Tengshe.&lt;br /&gt;&lt;br /&gt;&amp;quot;China-nexus threat actors have consistently shared malware, infrastructure, and operational tactics in the past, and continue to do so,&amp;quot; the researchers said, adding the activities &amp;quot;illustrate the intricate nature of the Chinese threat landscape.&amp;quot;&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://thehackernews.com/2023/08/china-linked-bronze-starlight-group.html' target='_blank'&gt;https://thehackernews.com/2023/08/china-lin...ight-group.html&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Kopitiam</category>
            <pubDate>Thu, 17 Aug 2023 23:49:13 +0800</pubDate>
        </item>
        <item>
            <title>Marketing scam targets kids</title>
            <link>http://forum.lowyat.net/topic/5400948</link>
            <description>Scam links on .gov and .org domains lead to offers for free skins and in-game currency&lt;br /&gt;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;A hot potato: Being among the most played games on the market has made Roblox and Fortnite prime targets for scams and cyberattacks. However, their popularity among kids has made them especially desirable for cybercriminals. A recent report found fraudulent links targeting Roblox and Fortnite players hiding on dozens of .gov and .org domains promising free in-game content in exchange for personal information.&lt;br /&gt;&lt;br /&gt;Security researchers at multiple organizations have revealed a wide-reaching cyber scam campaign hiding malicious links in search results and websites that should be trustworthy. Wired notes that the schemes include fraudulent offers related to many popular services. The most alarming are advertisements for free Roblox and Fortnite rewards targeting the youngest players.&lt;br /&gt;&lt;br /&gt;The scams are designed to appear as highly-ranked search results when users search for things like free skins and currency for Fortnite, Roblox, and other online games. The bogus results lead to PDFs containing links that lead through a labyrinth of pages asking for your username and operating system in exchange for &amp;quot;generators&amp;quot; granting free rewards. They also often ask users to complete surveys, enter personal information, or download apps.&lt;br /&gt;&lt;br /&gt;Some appear to be fishing for account information or juicing advertising numbers, while others lead to malware, with most written to target kids. Researchers at Human Security found that the PDFs had infected dozens of .gov and .org domains. 
At least one, for instance, belonged to the New York State Department of Financial Services.&lt;br /&gt;&lt;br /&gt;Online games with microtransactions and extremely young userbases have long been targets for abuse. Last year, cybersecurity company Kaspersky found that Minecraft, Roblox, and FIFA suffered more cyberattacks than any other games. Over 200,000 users downloaded and installed a Google Chrome extension advertising itself as a Roblox utility, but it was just a cleverly disguised backdoor used to steal user credentials.&lt;br /&gt;&lt;br /&gt;Researchers linked the malicious PDF scam to servers owned by a US-registered advertising company called CPABuild. Searching the firm&amp;#39;s name brings up YouTube guides for how to make fast profits by building pages with CPABuild&amp;#39;s tools, many offering free in-game content or currency.&lt;br /&gt;&lt;br /&gt;Epic Games stresses that there is no legitimate way for players to sell, trade, gift, or trade V-Bucks – Fortnite&amp;#39;s in-game currency. Roblox developers also advise users that it doesn&amp;#39;t allow the exchange of its Robux currency through third-party channels and that any pages offering them for free are likely scams. Parents with children who play Roblox, Fortnite, or other popular games with microtransactions should warn them to be careful where they enter their credentials.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.techspot.com/news/99782-marketing-scam-targets-kids-fortnite-roblox-offers.html' target='_blank'&gt;https://www.techspot.com/news/99782-marketi...lox-offers.html&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Wed, 16 Aug 2023 01:27:04 +0800</pubDate>
        </item>
        <item>
            <title>iPhone 14, 14 Pro owners complain about battery</title>
            <link>http://forum.lowyat.net/topic/5400701</link>
            <description>iPhones that have been in use for less than a year are already down to 90 percent of their original capacity. If you have an iPhone 14, how is your battery health so far?&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Some iPhone 14 and iPhone 14 Pro owners have complaints reminiscent of the bad old days of “batterygate,” reporting that with less than a year of service on the clock, their phones are already reporting more battery degradation than expected. Sam Kohl of AppleTrack tweeted in July that his iPhone 14 Pro had already dropped to a maximum capacity of 90 percent, a much faster dropoff than previous iPhones he’d owned, and the thread shows many other people with the same experience.&lt;br /&gt;&lt;br /&gt;Kohl followed up with a video posted yesterday about the issue, saying it makes it hard for him to recommend the phone, especially considering how much it costs with a price of &amp;#036;999.&lt;br /&gt;&lt;br /&gt;Officially, Apple says iPhone batteries should “retain up to 80 percent of its original capacity at 500 complete charge cycles.” The iPhone 15 series is expected to launch soon, and recent rumors have claimed those devices will see a battery size increase of 10 - 18 percent compared to current devices.&lt;br /&gt;&lt;br /&gt;He’s not the only one seeing these kinds of numbers. Verge alum and Wall Street Journal senior tech columnist Joanna Stern wrote in her newsletter just this week that her iPhone 14 Pro is showing 88 percent battery capacity. Around The Verge, reports are mixed, with two 14 Pros down to 93 and 91 percent and another at 97 percent. 
In previous years, most haven’t seen a drop in reported capacity until two years of use, at least.&lt;br /&gt;&lt;br /&gt;And that’s even before we account for the fact that it’s more expensive to replace the battery on an iPhone 14 or iPhone 14 Pro once it’s out of its one-year warranty (assuming you don’t have AppleCare or some other extended service plan). Last year the price went up by &amp;#036;30, from &amp;#036;69 on earlier devices to &amp;#036;99, although at least these days, you can always go the DIY route if you just don’t want to visit an Apple Store or third-party repair shop.&lt;br /&gt;&lt;br /&gt;The battery health monitor for iPhones was added in the same iOS 11.3 update that allowed users to toggle the troublesome performance throttling that was the hallmark of batterygate, which Apple said was a measure to protect iPhones from aging batteries, and eventually led to some large settlements.&lt;br /&gt;&lt;br /&gt;We’ve contacted Apple about these reports and will update if we receive any additional information.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.theverge.com/2023/8/12/23829897/apple-iphone-14-pro-battery-health-capacity' target='_blank'&gt;https://www.theverge.com/2023/8/12/23829897...health-capacity&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Apple Byte</category>
            <pubDate>Tue, 15 Aug 2023 03:50:08 +0800</pubDate>
        </item>
        <item>
            <title>DARPA is hosting a Black Hat contest</title>
            <link>http://forum.lowyat.net/topic/5399617</link>
            <description>A call to action for machine learning experts to secure code with AI&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;Forward-looking: The Black Hat Def Con conference portrays itself as an internationally recognized cybersecurity event showcasing the most &amp;quot;technical and relevant&amp;quot; information security research in the business. For the next two years, the event will host a DARPA-funded contest to put AI algorithms to work on the increasingly pressing software security problem.&lt;br /&gt;&lt;br /&gt;DARPA&amp;#39;s Artificial Intelligence Cyber Challenge (AIxCC) is a two-year competition for the &amp;quot;best and brightest&amp;quot; minds in the AI field, the contest&amp;#39;s official site explains. The Pentagon&amp;#39;s research agency wants companies and experts to create novel AI systems; machine learning models designed to secure the critical software code that runs beneath financial systems, public utilities and other digital infrastructures enabling modern life.&lt;br /&gt;&lt;br /&gt;Software runs everything these days, DARPA states, which unfortunately provides an &amp;quot;expanding&amp;quot; attack surface for cyber-criminals and other malicious actors. The new AI capabilities developed during the past decade have shown &amp;quot;significant potential&amp;quot; to help address key societal challenges like cybersecurity, the US agency says. AIxCC will reward people and organizations that can actualize this theoretical potential.&lt;br /&gt;&lt;br /&gt;DARPA says it will award a cumulative &amp;#036;18.5 million in prizes to the teams with the best AI systems. An additional &amp;#036;7 million will be awarded to small business ventures taking part in the contest. 
With AIxCC, the US military is seeking the development of ML models capable of identifying, and maybe fixing, dangerous security flaws within critical software projects.&lt;br /&gt;&lt;br /&gt;DARPA will work with &amp;quot;leading&amp;quot; AI companies Anthropic, Google, Microsoft, and OpenAI to give AIxCC competitors access to the most advanced technology and expertise. With their help, contestants will likely increase their chances of developing a true &amp;quot;state-of-the-art&amp;quot; cybersecurity system infused with AI algorithms. The Open Source Foundation will contribute as well, as most modern software needing protection is based on open-source code projects.&lt;br /&gt;&lt;br /&gt;The AIxCC challenge has already started during this year&amp;#39;s Def Con conference held in Las Vegas. AI teams will compete in a series of preliminary trials during 2024, with the semifinal competition scheduled for next year&amp;#39;s Def Con briefings. Finally, Def Con 2025 will host the finals, with five teams competing for a top prize of &amp;#036;4 million, a second prize of &amp;#036;3 million, and a third prize of &amp;#036;1.5 million.&lt;br /&gt;&lt;br /&gt;Machine learning algorithms are mostly based on a &amp;quot;black box&amp;quot; principle, which doesn&amp;#39;t get on very well with proper computer security. Recent studies have also highlighted how commercial LLM systems like ChatGPT provide the wrong answer to programming questions half the time. Therefore, the AIxCC contest will be pretty interesting to watch.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.techspot.com/news/99736-darpa-hosting-black-hat-contest-create-cyber-security.html' target='_blank'&gt;https://www.techspot.com/news/99736-darpa-h...r-security.html&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Thu, 10 Aug 2023 22:54:01 +0800</pubDate>
        </item>
        <item>
            <title>Researchers develop AI that can log keystrokes</title>
            <link>http://forum.lowyat.net/topic/5399463</link>
            <description>Even works remarkably well over Zoom and Skype&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;In a nutshell: Artificial intelligence researchers have devised a method of hacking passwords by listening to users type on a keyboard. They showed their AI algorithm can learn to recognize typed letters by their sounds when struck on a keyboard. Testing using multiple recording sources revealed the technique is highly accurate.&lt;br /&gt;&lt;br /&gt;Durham University researchers in the UK have developed (PDF) a deep-learning model that malicious actors could use to steal passwords remotely. The researchers trained the AI on the sounds of characters typed on keyboards from various distances and angles to create sound profiles for each key. They tested the model using multiple methods, all producing accuracy results above 90 percent.&lt;br /&gt;&lt;br /&gt;The most precise technique was using a smartphone&amp;#39;s microphone to &amp;quot;listen&amp;quot; to someone tapping away on a MacBook Pro. In addition to this method being the most accurate (95 percent), it is the easiest way for a hacker to log the keystrokes of a target. Imagine it being used in a coffee shop setting, for example.&lt;br /&gt;&lt;br /&gt;&amp;quot;When trained on keystrokes recorded by a nearby phone, the classifier achieved an accuracy of 95 percent, the highest accuracy seen without the use of a language model,&amp;quot; the study reads.&lt;br /&gt;&lt;br /&gt;The team also tested it using telecommuting apps Zoom and Skype since their use has risen dramatically in hybrid work scenarios. The AI was 93 percent accurate when monitoring Zoom calls and 92 percent with Skype.&lt;br /&gt;&lt;br /&gt;The model records the patterns and differences of each keypress on a keyboard. 
For example, the lowercase &amp;#39;k&amp;#39; keystroke sounds slightly different than the capital &amp;#39;K&amp;#39; (shift+K). These subtle pattern differences, coupled with timing and proximity (the stroke volume), allow the AI to make educated guesses at the typed keys.&lt;br /&gt;&lt;br /&gt;The student researchers attribute the AI&amp;#39;s ability and precision to advancements in the quality of recording equipment over the last decade and a growth in the number of microphones within the auditory range of computing devices in contemporary settings.&lt;br /&gt;&lt;br /&gt;The one caveat is that its accuracy falls off dramatically when analyzing keystrokes on a keyboard that was not part of its training, which makes complete sense. Not all keyboards are made equally, and each has a unique profile of sounds it can make. Of course, more training with a wide variety of keyboards and laptops can vastly increase the model&amp;#39;s accuracy over time.&lt;br /&gt;&lt;br /&gt;Mitigation for these types of attacks is limited. Mainly the researchers suggest varying your typing style. They noted that touch typing reduced the model&amp;#39;s precision by 40 to 64 percent. Having more complicated passwords helps too. The team suggests passwords that use several case switches (upper and lower) also tend to foul up the AI&amp;#39;s guesswork.&lt;br /&gt;&lt;br /&gt;The study has not been peer-reviewed yet, but a pre-print version titled &amp;quot;A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards&amp;quot; is up on Cornell University&amp;#39;s arXiv for those interested in the full details.&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;a href='https://www.techspot.com/news/99709-researchers-develop-ai-can-log-keystrokes-acoustically-92.html' target='_blank'&gt;https://www.techspot.com/news/99709-researc...tically-92.html&lt;/a&gt;</description>
            <author>daisiesdontdoit92</author>
            <category>Software</category>
            <pubDate>Thu, 10 Aug 2023 11:07:44 +0800</pubDate>
        </item>
    </channel>
</rss>
