WebProNews

Category: CybersecurityUpdate


  • Dutch Athletes Warned Not to Bring Electronics to Beijing Olympics

    Dutch athletes are being warned not to bring their phones and laptops to China for the Beijing Winter Olympics over espionage fears.

    China has one of the worst reputations in the world for surveillance and espionage, regularly monitoring its own citizens and censoring internet traffic. The country has also been behind numerous hacks and hacking groups.

    It seems the Dutch Olympic Committee (NOCNSF) is taking the threat seriously, warning athletes and staff not to bring their personal electronics into the country, according to Reuters. Instead, personnel will be provided with a clean device, devoid of their personal data.

    “The importance of cybersecurity of course has grown over the years”, NOCNSF spokesman Geert Slot said. “But China has completely closed off its internet, which makes it a specific case.”

  • US Carriers Deny Blocking iCloud Private Relay — Mostly

    Following reports that T-Mobile was blocking Apple’s iCloud Private Relay, all three major US carriers have denied actively blocking it — for the most part.

    iCloud Private Relay is a feature introduced as a beta in iOS 15 and macOS Monterey. The feature is similar to a VPN, and hides a person’s internet traffic. Some users reported that T-Mobile was starting to block the feature, something that 9to5Mac confirmed.

    According to The Verge, all three carriers are trying to reassure users they are not intentionally or actively blocking Private Relay. Verizon and AT&T, in particular, said they are not blocking the feature in any way.

    Things are a bit more complicated with T-Mobile. The vast majority of customers will not experience any issues, but accounts that are using T-Mobile’s Family Controls won’t be able to use Private Relay.

    “Customers who chose plans and features with content filtering (e.g. parent controls) do not have access to the iCloud Private Relay to allow these services to work as designed. All other customers have no restrictions,” T-Mobile’s spokesperson told The Verge.

    That explanation is in line with Apple’s own description of Private Relay:

    Networks that require the ability to audit traffic or perform network-based filtering will block access to Private Relay.

    T-Mobile also told The Verge that it discovered an issue with Private Relay that could cause it to not work, and informed Apple so they could fix it.

    “Overnight our team identified that in the 15.2 iOS release, some device settings default to the feature being toggled off. We have shared this with Apple. This is not specific to T-Mobile.”

    A Potential Future Showdown

    Hopefully all three carriers maintain their current stance. As The Verge points out, European carriers — including T-Mobile — have been campaigning against Private Relay, even asking the EU Commission to block the feature. The carriers claim it is “cutting off other networks and servers from accessing vital network data and metadata, including those operators in charge of the connectivity.”

    There are two issues with the carriers’ actions:

    First, should the carriers succeed in convincing the EU Commission to block the feature, it is reasonable to assume that VPNs will be next on the chopping block, given that Private Relay offers many of the same benefits.

    Successfully blocking Private Relay — let alone if the carriers target VPNs next — will significantly undermine many users’ privacy and security online.

    Second, if the EU Commission gives in and blocks Private Relay, it will essentially confirm the right of companies to mine at least some data from paying customers, regardless of whether the customer agrees to it.

    As we have written about before, it’s one thing for the provider of a free service to mine data from their customers. Since they’re providing a service for free, profiting from the customer’s data is often the accepted trade-off.

    On the other hand, when a customer is paying for a service, there should be an expectation that’s where the transaction ends — the company provides a service in exchange for a fair amount of money, end of story.

    If the carriers are successful in their goals, it will set a dangerous precedent that will erode privacy for everyone.

  • Microsoft’s Security Update Fixes 96 Flaws, Including 6 Zero-Day

    Microsoft’s latest Patch Tuesday includes fixes for 96 security vulnerabilities, including six that are zero-day.

    The latest patch covers a slew of Microsoft products, including the .Net Framework, Microsoft Dynamics, Microsoft Exchange, Office, Windows Defender, Remote Desktop, and more.

    The zero-day vulnerabilities include the following:

    • CVE-2021-22947: Open Source Curl Remote Code Execution Vulnerability
    • CVE-2021-36976: Libarchive Remote Code Execution Vulnerability
    • CVE-2022-21874: Windows Security Center API Remote Code Execution Vulnerability
    • CVE-2022-21919: Windows User Profile Service Elevation of Privilege Vulnerability
    • CVE-2022-21839: Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
    • CVE-2022-21836: Windows Certificate Spoofing Vulnerability

    Fortunately, Microsoft has no indication the above vulnerabilities are currently being exploited.

  • Norton 360 Upsets Customers By Installing a Cryptominer

    Norton 360 isn’t winning any popularity contests with its latest move, as the software is installing a cryptomining program on customers’ computers.

    Hackers often try to compromise computers in an effort to install crypto mining software and use networks of such devices for their own profit. In view of that, it’s surprising that one of the most popular security and antivirus packages is now installing crypto mining software of its own.

    First noticed by KrebsOnSecurity, Norton Crypto will mine Ethereum when the computer is idle, splitting profit between the user and Norton. The user will make 85%, while Norton keeps 15%.

    According to the company, the feature is opt-in, and users can turn it off if they change their mind. Unfortunately, some users are finding that opting out and removing Norton Crypto is easier said than done.

    Needless to say, borrowing a page from hackers’ playbooks and installing a cryptominer without making its intentions clear is not going over well with customers, and could lead to more than a few defections to other security suites.

  • When Big Websites Crash: The Importance of a Reliable CDN

    Remember when the New York Times and BBC websites went down in June this year? They were not the only major websites that suffered unexpected downtime on the same day. Many others including the Financial Times, The Guardian, and Le Monde went offline. So did the popular Reddit platform.

    Many initially thought that there was a concerted attack against these multiple Western sites. The suspects ranged from state-sponsored hackers to hacktivists that supposedly sought to “punish” the mainstream media. The real story, however, is not as nefarious as many thought.

    When Big Websites Crash

    The reason for the June 2021 downtime of several major websites was determined to be a technical problem in their content delivery network (CDN) provider. The CDN provider admitted the mistake through a tweet: “We identified a service configuration that triggered disruptions across our POP’s globally and have disabled that configuration”

    What is a content delivery network? It is basically a geographically distributed network of servers deployed to ensure the efficient delivery of online content. Pages and content load faster when they are provided by a server that is geographically closer to the user requesting the page or content. With multiple servers located across different parts of the world, CDNs help ensure the fast and efficient delivery of content to users regardless of their location.

    This reliance on content delivery networks, however, has a crucial downside. When the CDN provider goes down, everybody who relies on it also goes down. This is what happened with the crashing of major websites in June. A configuration problem on the CDN provider’s side was enough to trigger a worrisome event that generated a variety of speculation. The downtime was not that long, but imagine if the crash had been caused by something more serious, like a state-sponsored hack attack. Recovery would have taken far longer.

    It is for this reason that organizations are advised to use only dependable content delivery networks and to ascertain that the providers they choose have adequate content delivery (CD) security. A good CDN should not only optimize site performance, but should also provide adequate protection for active and legacy applications, third-party apps, APIs, microservices, virtual machines, and more.

    Several other major sites share the same CDN provider, and it is incumbent upon their provider to ascertain the reliability and security of their network. If a persistent cyberattack manages to pull the plug on Medium.com’s CDN, for example, numerous other websites will also go down including ResearchGate, Yelp, Shopify, the World Health Organization, Digg, ScienceDirect, Patreon, and Discord.

    CDNs: Added Defense or an Additional Threat?

    Many view content delivery networks as a solution to the possibility of getting attacked by cybercriminals. For example, with DDoS attacks, which have increased by 341 percent during the pandemic, CDNs are viewed as a protective setup as they have vast resources to absorb massive DDoS attacks. They also have the expertise to better deal with various other threats that are designed to

    However, there is also the alternative view that sees CDNs as leverage to amplify attacks. A study by researchers from multiple universities explored this idea. “This paper uncovers a vulnerability which not only allows an attacker to penetrate CDN’s protection but to actually use a content delivery network to amplify the attack against a customer website,” reads the study’s abstract.

    The study demonstrates how a CDN can be “recruited” to amplify an attack on multiple websites. It found vulnerabilities in two leading commercial CDNs, Akamai and Limelight, that help enable attacks. In particular, both of these content delivery networks allowed attackers to send a request to an arbitrary edge server within the CDN platforms, overriding the CDNs’ server selection mechanisms. Such a request could also penetrate CDN caching to reach the origin site and use an edge server to exhaust bandwidth by processing the request from the origin site.

    These weaknesses may have already been addressed by more established content delivery networks at present. However, the same weaknesses or their variations/evolution may be present in newer CDNs that have yet to establish their expertise in handling more aggressive and sophisticated attacks.

    There is no question that CDNs can be a form of defense for websites. However, the wrong choices can easily turn them into a burden. Using a poorly secured CDN, including those that take time to respond to newly discovered threats, is more of a threat than a veil of protection.

    The Need for a Better CDN

    The CDN market is growing rapidly. According to BCC Research, it is set to be worth $34.3 billion in 2024, more than triple its value of $11.5 billion in 2019 or a CAGR of 24.5 percent for the 2019-2024 period. More and more websites are relying on CDNs for their efficient content delivery and supposed protection from the usual attacks, especially DDoS.

    This staggering growth only shows how important it is for content delivery network providers to secure their systems. At the same time, it shows how wary CDN users should be of the providers they choose. With numerous new CDNs sprouting, customers benefit from a broader range of options and lower prices because of the growing competition. However, this also means a higher possibility of encountering unscrupulous or run-of-the-mill providers that endanger a company’s website more than they create advantages.

    It is advisable to select a CDN provider that can guarantee a 99.999 percent uptime while ensuring low latency (50ms minimum) for the vast majority of its global network. Also, it is recommended to pick a content delivery network that can provide an efficient issue resolution through a service-level agreement (SLA).

    The unsightly and highly inconvenient spectacle of big websites going down together is going to become a common occurrence because of the growing reliance on CDNs and the inability of CDN providers to implement improved security measures. Content delivery networks are now becoming the new targets for concerted cyberattacks, especially state-sponsored ones, because of the kind of impact that results from their downtime.

    It is reassuring to know that CDN companies, at least the leading ones and those associated with established cybersecurity firms, are constantly updating their security and technologies to keep up not only with the growing demand for their services but also to anticipate cyberattacks that target them.

  • Google Cloud Acquires Security Firm Siemplify

    Google is making security a priority, acquiring Siemplify, one of the top security orchestration, automation and response (SOAR) providers.

    With rising ransomware attacks and security threats, cybersecurity has become one of the biggest issues facing businesses and government agencies alike. As the third-largest cloud provider, Google is working to ensure the security of its clients, and Siemplify is poised to play a large role in that.

    “Providing a proven SOAR capability unified with Chronicle’s innovative approach to security analytics is an important step forward in our vision,” writes Sunil Potti, VP/GM, Google Cloud Security. “Building an intuitive, efficient security operations workflow around planet-scale security telemetry will further realize Google Cloud’s vision of a modern threat management stack that empowers customers to go beyond typical security event and information management (SIEM) and extended detection and response (XDR) tooling, enabling better detection and response at the speed and scale of modern environments.”

    Siemplify’s CEO Amos Stern said the acquisition will help his company further its mission of providing security options to customers.

    “Beyond Google’s resources, expertise and overall commitment to cybersecurity (including a recent pledge to invest $10 billion in cybersecurity over the next five years), we have found a remarkable partner in Google Cloud,” writes Stern. “A partner that truly shares our mission, vision, values and culture. We could not be more excited to join forces with Google Cloud to drive innovation and help many more security teams take their operations to a whole new level.”

  • LastPass: Master Passwords Not Compromised

    Popular password manager LastPass says master passwords are safe, despite many users believing otherwise.

    Password managers are important elements in cybersecurity. A good password manager saves the many different passwords users collect, notifies them when one is too easy or has been compromised, and suggests strong passwords. A good password manager secures its database of passwords with a master password that must be entered to access the saved ones.

    LastPass is one of the most popular of these programs. Early Tuesday, users began noticing suspicious activity, with login attempts from different locations using their master passwords.

    According to AppleInsider, many of the cases involve accounts that haven’t been used in a while, accounts using old master passwords. While this would seem to indicate a hack involving the list of master passwords, specifically a hack involving an old list, some users report continued login attempts even after changing their password.

    Despite the anecdotal evidence to suggest the list of master passwords was compromised, LastPass says its service was not breached or compromised.

    Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.

    It remains to be seen if LastPass is correct, or if further investigation will reveal additional details. Either way, it is a disconcerting turn of events for a service that many people rely on to keep their online activity safe.
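An added example, not LastPass’s own tooling, showing how a defender can tell credential stuffing (the pattern LastPass describes: leaked email/password pairs tried once each across many accounts) apart from brute force against a single account, and how to surface the “attempts from different locations” symptom users noticed. The log format and all values are constructed for the illustration.

```python
"""Credential-stuffing triage over constructed authentication log lines.

Assumed record format (not any real product's log): one line per attempt,
    <ISO8601 UTC timestamp> user=<email> ip=<addr> cc=<country> result=OK|FAIL
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) cc=(?P<cc>[A-Z]{2}) "
    r"result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    user: str
    ip: str
    cc: str
    ok: bool


def parse_line(line: str) -> Attempt:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Attempt(ts, m["user"].lower(), m["ip"], m["cc"], m["result"] == "OK")


def parse_log(text: str) -> List[Attempt]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def spraying_sources(attempts, min_accounts=5, max_per_account=2) -> List[str]:
    """Source IPs that touch many distinct accounts only once or twice each.
    That is the shape of credential stuffing: one leaked pair per account,
    rather than many guesses against one account."""
    per_ip: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for a in attempts:
        per_ip[a.ip][a.user] += 1
    return sorted(
        ip for ip, users in per_ip.items()
        if len(users) >= min_accounts and max(users.values()) <= max_per_account
    )


def bruteforce_targets(attempts, min_attempts=6) -> List[str]:
    """Accounts receiving many failures from a single source: classic brute force."""
    per_pair: Dict[tuple, int] = defaultdict(int)
    for a in attempts:
        if not a.ok:
            per_pair[(a.ip, a.user)] += 1
    return sorted({user for (_, user), n in per_pair.items() if n >= min_attempts})


def multi_country_failures(attempts, min_countries=2) -> List[str]:
    """Accounts with failed logins from several countries: the alert that
    LastPass users saw, which stuffing from scattered sources produces even
    after a victim has rotated the password (the stale pair keeps failing)."""
    per_user: Dict[str, set] = defaultdict(set)
    for a in attempts:
        if not a.ok:
            per_user[a.user].add(a.cc)
    return sorted(u for u, ccs in per_user.items() if len(ccs) >= min_countries)


def successes_from_spraying_ips(attempts) -> List[str]:
    """Accounts where a spraying source actually got in: the reused-password
    victims that need forced rotation and session revocation first."""
    bad = set(spraying_sources(attempts))
    return sorted({a.user for a in attempts if a.ok and a.ip in bad})


# Constructed sample: two spraying sources (BR, RU), one brute-force source (DE)
# hammering bob, one legitimate login by alice, and dave's reused password working.
SAMPLE_LOG = """\
2021-12-28T03:10:11Z user=alice@example.com ip=203.0.113.9 cc=BR result=FAIL
2021-12-28T03:10:12Z user=bob@example.com ip=203.0.113.9 cc=BR result=FAIL
2021-12-28T03:10:13Z user=carol@example.com ip=203.0.113.9 cc=BR result=FAIL
2021-12-28T03:10:14Z user=dave@example.com ip=203.0.113.9 cc=BR result=OK
2021-12-28T03:10:15Z user=erin@example.com ip=203.0.113.9 cc=BR result=FAIL
2021-12-28T03:10:16Z user=frank@example.com ip=203.0.113.9 cc=BR result=FAIL
2021-12-28T03:41:02Z user=alice@example.com ip=198.51.100.7 cc=RU result=FAIL
2021-12-28T03:41:03Z user=bob@example.com ip=198.51.100.7 cc=RU result=FAIL
2021-12-28T03:41:04Z user=carol@example.com ip=198.51.100.7 cc=RU result=FAIL
2021-12-28T03:41:05Z user=erin@example.com ip=198.51.100.7 cc=RU result=FAIL
2021-12-28T03:41:06Z user=frank@example.com ip=198.51.100.7 cc=RU result=FAIL
2021-12-28T04:02:00Z user=bob@example.com ip=192.0.2.44 cc=DE result=FAIL
2021-12-28T04:02:01Z user=bob@example.com ip=192.0.2.44 cc=DE result=FAIL
2021-12-28T04:02:02Z user=bob@example.com ip=192.0.2.44 cc=DE result=FAIL
2021-12-28T04:02:03Z user=bob@example.com ip=192.0.2.44 cc=DE result=FAIL
2021-12-28T04:02:04Z user=bob@example.com ip=192.0.2.44 cc=DE result=FAIL
2021-12-28T04:02:05Z user=bob@example.com ip=192.0.2.44 cc=DE result=FAIL
2021-12-28T08:15:30Z user=alice@example.com ip=192.0.2.10 cc=US result=OK
"""

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("spraying sources:", spraying_sources(log))
    print("brute-force targets:", bruteforce_targets(log))
    print("multi-country failures:", multi_country_failures(log))
    print("compromised via stuffing:", successes_from_spraying_ips(log))
```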

  • End-to-End Encryption Comes to Microsoft Teams One-to-One Calls

    Microsoft has rolled out end-to-end encryption (E2EE) to one-to-one calls in Microsoft Teams.

    E2EE is considered the gold standard for messaging and communication, as it encrypts the messages so that only the sender and recipient can view them. Not even the service provider can access the information.

    Microsoft announced the rollout in a blog post, significantly improving the privacy and security of one-to-one calls.

    In October, we announced the public preview of end-to-end encryption (E2EE) support for Microsoft Teams calls. Today, we are happy to announce that E2EE for Teams calls is now generally available. IT admins will have the option to enable and control the feature for their organization once the update has been received.

  • iOS/iPadOS 15.2 Released With Major Privacy and Security Fixes

    Apple has just dropped iOS and iPadOS 15.2, which includes 38 privacy and security improvements and should be a top priority for all users.

    iOS/iPadOS 15.2 includes privacy and security fixes for several sections of the mobile operating system (OS), including the kernel, audio frameworks, FaceTime, I/O frameworks, Notes, Preferences, sandboxing and the WebKit engine that powers Safari.

    All users should download and install 15.2 immediately. To update, open Settings > General > Software Update.

  • Companies Race to Fix Critical Zero-Day Vulnerability

    Companies around the world are racing to patch a critical zero-day vulnerability that is among the worst ever found.

    Cyber security experts and government officials began warning Friday of a critical bug in “Log4j,” a Java-based logging framework used in Apache. As news of the vulnerability became known, the list of impacted companies grew to include some of the biggest in the world.

    Palo Alto Networks reported that iCloud, Twitter, Amazon, Baidu and Minecraft were impacted, to name just a few. Even worse, the vulnerability is actively being exploited and attacked, putting many companies at risk.

    The director of the Cybersecurity & Infrastructure Security Agency (CISA) issued a statement outlining the seriousness of the vulnerability.

    “We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity. We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability. We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability.

    To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”

    Cybersecurity experts are echoing CISA’s assessment of the danger, calling the vulnerability a major issue for the tech and cybersecurity community.

    Dr. Richard Ford, CTO of cybersecurity research firm Praetorian, told WebProNews that Log4j is even worse than other, widely reported vulnerabilities.

    “Praetorian researchers weaponized the vulnerability within hours and have a fully working exploit that we can use in the field,” said Dr. Richard Ford. “As background, Praetorian is an Austin-based cybersecurity solutions company that helps solve complex cybersecurity problems across critical enterprise assets and product portfolios. Their combination of software and security expertise puts them at the forefront of vulnerabilities such as this. Earlier this year, Praetorian was at the forefront of another critical vulnerability, proxylogon. The company says, as critical as proxylogon was to resolve, it had a much smaller potential impact than Log4j.

    “The company’s engineers and researchers have been working since last night in a war room to scan its customers and are finding vulnerabilities in the field. Worse yet, we’re also inadvertently discovering the vulnerability in 3rd parties who are on adjacent or integrated systems. Naturally, we are following responsible disclosure policies so cannot call out these systems by name, but it is one of the largest exposures we have seen at Internet scale. All vulnerabilities are typically scored by how dangerous they are: this vulnerability has practically the highest score possible, and it seems likely that even some professionals are unaware of its potential impact. The situation is rapidly evolving, and we are learning a great deal about the scope and impact of this vulnerability as we quickly work with customers to help mitigate the risk in the short term while they work on a long term solution, which will require patching all instances of the vulnerable code – a process which could take months.”

    Due to Log4J’s widespread use, experts believe companies will continue to come under attack in the coming days as mitigation efforts are being taken.

    “This vulnerability feels similar to ShellShock, first identified in 2014, and still observed by GreyNoise,” Andrew Morris, Founder and CEO of cybersecurity firm GreyNoise, told WebProNews. “Due to ease of exploitation and prevalence of Log4J, GreyNoise researchers believe that this activity will continue to increase over the next few days.”

  • Cox Suffered Data Breach by Hacker Impersonating Support Staff

    Cox Communications has notified customers of a data breach, a breach it suffered at the hands of a hacker posing as a support agent.

    Social engineering remains one of the most successful attack vectors for hackers to exploit. Regardless of how hardened an organization’s security is, the human element is often the weakest.

    It appears Cox has learned this the hard way, with a hacker successfully posing as a support agent to gain access to customer information, including highly sensitive information, according to BleepingComputer.

    “On October 11, 2021, Cox learned that an unknown person(s) had impersonated a Cox agent and gained access to a small number of customer accounts. We immediately launched an internal investigation, took steps to secure the affected customer accounts, and notified law enforcement of the incident,” reads the notification, which was signed by Amber Hall, Chief Compliance and Privacy Officer, and obtained by BleepingComputer.

    “After further investigation, we discovered that the unknown person(s) may have viewed certain types of information that are maintained in your Cox customer account, including your name, address, telephone number, Cox account number, Cox.net email address, username, PIN code, account security question and answer, and/or the types of services that you receive from Cox.”

    Cox doesn’t specifically say financial information was accessed, but the company is advising impacted customers to monitor their financial accounts, and is even offering them one year of free Experian IdentityWorks credit monitoring.

    The company has also not disclosed the number of users impacted, but said the breach “impacted a small number of customer accounts.” Cox is working with law enforcement to assist in their investigation.

  • EFF: Google Chrome’s ‘Manifest V3 is Deceitful and Threatening’

    The Electronic Frontier Foundation (EFF) is calling out Google’s Manifest V3 (MV3) browser extension plans, calling them “deceitful and threatening.”

    MV3 represents a significant change to how Chrome browser extensions are implemented. In an effort to increase compatibility, Mozilla has already announced that Firefox will adopt MV3 too.

    According to the EFF, however, MV3 represents a major threat to privacy and security, thanks to the limits it places on how extensions work.

    Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions—especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these– like some privacy-protective tracker blockers– will have greatly reduced capabilities. Google’s efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites.

    The EFF isn’t the only one warning about MV3.

    “A web browser is supposed to act on behalf of the user and respect the user’s interests,” says Jonathan Mayer, Princeton University. “Unfortunately, Chrome now has a track record as a Google agent, not a user agent. It is the only major web browser that lacks meaningful privacy protections by default, shoves users toward linking activity with a Google Account, and implements invasive new advertising capabilities. Google’s latest changes will break Chrome privacy extensions, despite academic research demonstrating that no change is necessary. These user-hostile decisions are all directly attributable to Google’s surveillance business model and enabled by its dominance of the desktop browser market.”

    “Nearly all browser extensions as you know them today will be affected in some way: the more lucky ones will ‘only’ experience problems, some will get crippled, and some will literally cease to exist,” writes AdGuard’s Andrey Meshkov.

    It’s unlikely Google will back down from its MV3 plans, given how much it relies on the very kinds of trackers many privacy extensions are designed to combat. Hopefully, however, Mozilla will rethink its adoption of MV3, given the company’s commitment to privacy and security.

  • Google’s Mail-In Pixel Repair Service Accused of Hacking Accounts

    A best-selling author has accused Google’s mail-in Pixel repair service of hacking her accounts and trying to find sensitive photos.

    Jane McGonigal is a New York Times bestselling author who sent her Pixel 5a to Google for repair. Although she couldn’t factory reset the phone, due to it not turning on, McGonigal took every other step she could to protect her data, including using Google’s Lock my Phone and Erase my Phone services.

    The problem started when Google said her phone was not received at the repair facility — despite FedEx tracking showing it was delivered — and proceeded to charge her for a replacement. Days later, someone used the phone to log into her accounts, even creating a Gmail filter to flag security alert emails as spam in an effort to prevent McGonigal from realizing anything was wrong.

    The perpetrator looked through McGonigal’s photos, looking for anything that included skin, cleavage or anything the person thought could be a nude or scandalous photo.

    https://twitter.com/avantgame/status/1467192779973398531?s=20

    This is not the first time Google has faced these accusations. The company had better take significant measures to improve security if it hopes to prevent a class action lawsuit — if it’s not too late already.

  • Verizon Violates User Privacy in the Name of ‘Personalization’

    Verizon’s latest feature is little more than a massive, privacy-killing data grab, sold under the banner of ‘personalization.’

    Verizon is the latest company that no longer seems content with charging a premium for a service, and instead wants to grab as much data from its users as possible in order to profit from that as well. In a recent email to customers, first noticed by Input, the company announced its “Verizon Custom Experience” program.

    The company says the program is designed to “personalize our communications with you, give you more relevant product and service recommendations, and develop plans, services and offers that are more appealing to you.”

    There’s only one problem: In order to “personalize” customer experiences, Verizon wants access to customers’ browsing history, app usage, location, and everyone a customer texts or calls. While it could be argued that, as a wireless provider, Verizon already has access to text and calling contacts, as well as location, there’s absolutely no reason the company should be accessing customers’ web browsing history or app usage.

    To make matters even worse, Verizon automatically enrolls customers in its new program, meaning they have to manually opt out in order to protect their privacy. To do so, customers open the My Verizon app and disable “Custom Experience” and “Custom Experience Plus” under “Privacy Settings.”

    Verizon should be ashamed for such a thinly veiled attempt to monetize its customers in such a manner. The company has a long-standing reputation of being among the most expensive US wireless carriers, specifically because it supposedly offers a premium experience for its customers.

    One would think that respecting and protecting its customers’ privacy would be part of that premium service, instead of greedily trying to mine and profit from their data.

  • US Diplomats Among Those Hacked by Pegasus Spyware

    Apple has alerted 11 US diplomats that they are among those hacked by the NSO Group’s Pegasus spyware.

    The Washington Post broke a story in July that NSO Group’s Pegasus software was being used to hack iPhones and spy on journalists, diplomats and human rights activists around the world. The reaction was swift and severe, with AWS banning the NSO Group, US lawmakers blacklisting the company and Apple suing it.

    According to The Washington Post, Apple has now informed 11 US diplomats that their phones were among those hacked. The NSO Group says it sells its software to government and law enforcement agencies for the purpose of fighting terrorism, but the revelations put the company’s actions in an entirely different light.

    NSO Group says it has suspended the accounts of clients who used Pegasus to access US diplomats’ phones, although the company declined to name which clients were responsible.

  • AT&T Enterprise Customers Hit by Data-Stealing Malware

    AT&T Enterprise Customers Hit by Data-Stealing Malware

    AT&T customers are being hit with a malware attack that uses a network edge device to steal data.

    According to Ars Technica, researchers at Qihoo 360 discovered a new botnet that is targeting the EdgeMarc Enterprise Session Border Controller. The device is commonly used by small to medium-sized enterprises on AT&T’s network.

    “However, during this brief observation, we confirmed that the attacked devices were EdgeMarc Enterprise Session Border Controller, belonging to the telecom company AT&T, and that all 5.7k active victims that we saw during the short time window were all geographically located in the US,” wrote Qihoo 360’s Alex Turing and Hui Wang.

    The vulnerability traces back to 2017 when a researcher discovered a way to attack the devices using an on-device account that used “root” and “default” as the username and password. Despite being discovered years ago, Ars says it’s unclear if AT&T ever notified customers of the vulnerability.

    A patch was released 19 months later, in December 2018. Because the patch required manual installation, however, it’s a safe bet many companies never installed the fix.

    Qihoo 360’s researchers have already found more than 100,000 devices using the same TLS certificate as infected devices. This may indicate the vulnerability is far more widespread than just the confirmed victims.

    “We are not sure how many devices corresponding to these IPs could be infected, but we can speculate that as they belong to the same class of devices the possible impact is real,” the researchers added.

  • Crypto Miners Compromising Google Cloud Accounts for Mining

    Crypto Miners Compromising Google Cloud Accounts for Mining

    Google is warning that crypto miners are compromising Google Cloud accounts for mining operations.

    Crypto mining is a profitable endeavor that relies on significant computing resources. According to Google, malicious actors have been compromising Google Cloud instances and using them for mining.

    Google outlined the extent of the threat in an executive summary of their Threat Horizons cybersecurity report.

    Malicious actors were observed performing cryptocurrency mining within compromised Cloud instances. Of 50 recently compromised GCP instances, 86% of the compromised Cloud instances were used to perform cryptocurrency mining, a Cloud resource-intensive, for-profit activity. Additionally, 10% of compromised Cloud instances were used to conduct scans of other publicly available resources on the Internet to identify vulnerable systems, and 8% of instances were used to attack other targets. While data theft did not appear to be the objective of these compromises, it remains a risk associated with the cloud asset compromises as bad actors start performing multiple forms of abuse.

    Google recommends conducting regular audits to ensure credentials are not exposed, hashing downloaded code and using a multi-layered defense strategy.

  • Mozilla Pulling the Plug on Firefox Lockwise

    Mozilla Pulling the Plug on Firefox Lockwise

    Mozilla is killing off its Firefox Lockwise password manager, with the end-of-life (EOL) date set for December 13, 2021.

    Password managers are a popular, and important, cybersecurity option. Password managers help users keep track of the myriad of passwords they use for various websites and services, even generating stronger passwords that would otherwise be difficult to remember. Security experts recommend consumers make use of such apps, given the protection they offer.

    Firefox Lockwise is Mozilla’s password manager, but its functions are already present in the Firefox web browser, across the various platforms it supports. As a result, Mozilla is killing off Firefox Lockwise.

    Mozilla will end support for the Firefox Lockwise app on Android and iOS, effective December 13, 2021. You will no longer be able to install or reinstall Firefox Lockwise from the App Store or Google Play Store. iOS version 1.8.1 and Android version 4.0.3 will be the last releases for Firefox Lockwise. The application may continue to work on your device, but it will no longer receive support or security updates.

    After December 13, 2021, you can continue to access your saved passwords and your password management in the Firefox desktop and mobile browsers.

  • Apple Sues NSO Group Over Pegasus Spyware

    Apple Sues NSO Group Over Pegasus Spyware

    Apple has sued NSO Group, as well as its parent company, in an attempt to hold it responsible for the Pegasus spyware incident.

    NSO Group made headlines when The Washington Post exposed the fact its Pegasus software was being used by regimes to target journalists and human rights activists. The company claims it only sells its software for legitimate law enforcement and anti-terrorism uses, but the Post’s exposé showed there was far more to it.

    In response, AWS banned the company from its services and the US Commerce Department’s Bureau of Industry and Security (BIS) added the company to its Entity List, banning it.

    Apple is now adding to NSO Group’s woes, suing the company for endangering iPhone users.

    “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous. While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we’re constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.”

    Apple is also donating $10 million, along with any damages from the lawsuit, to further cybersecurity research, a move applauded by privacy proponents.

    “Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression, while enriching themselves and their investors,” said Ron Deibert, director of the Citizen Lab at the University of Toronto. “I applaud Apple for holding them accountable for their abuses, and hope in doing so Apple will help to bring justice to all who have been victimized by NSO Group’s reckless behavior.”

  • US Government Blacklists NSO Group Behind Pegasus Spyware

    US Government Blacklists NSO Group Behind Pegasus Spyware

    The US Commerce Department’s Bureau of Industry and Security (BIS) has added NSO Group to the Entity List, effectively blacklisting it.

    The NSO Group made headlines when The Washington Post reported that its Pegasus spyware was being used to target the smartphones — including the Apple iPhone — of journalists, political dissidents, and human rights activists around the world. The software is commonly used by law enforcement to target criminals, but the Post’s reporting revealed that NSO Group was also selling the software to regimes with a history of oppressive behavior.

    The reaction to the Post’s exposé has been swift, with companies severing ties to the group and regulators calling for investigations and action.

    The US Commerce Department has now added NSO Group to its Entity List, which prevents US companies from selling their technology to the company.

    “The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” US Secretary of Commerce Gina M. Raimondo said in a statement.

  • Google Triples Linux Bug Bounties for the Next Three Months

    Google Triples Linux Bug Bounties for the Next Three Months

    Google has announced it is tripling its usual bug bounties for the Linux kernel for at least the next three months.

    Bug bounties are an important part of many companies’ efforts to improve and secure their products. Researchers and white hat hackers are paid bounties for bugs they find, in exchange for giving the companies time to fix them before the bug is disclosed.

    Although Google doesn’t own Linux, the operating system (OS) forms the backbone of much of the internet and cloud services, and serves as the basis for Google’s Android OS. As a result, Google has a vested interest in the core of Linux, the kernel, being as secure and bug-free as possible.

    The company made the announcement in a blog post on Monday:

    Starting today and for the next 3 months (until January 31 2022), we will pay 31,337 USD to security researchers that exploit privilege escalation in our lab environment with a patched vulnerability, and 50,337 USD to those that use a previously unpatched vulnerability, or a new exploit technique.