American university researchers have developed a novel attack called “Near-Ultrasound Inaudible Trojan” (NUIT) that can launch silent attacks against devices powered by voice assistants, like smartphones, smart speakers, and other IoTs.

The team of researchers consists of professor Guenevere Chen of the University of Texas in San Antonio (UTSA), her doctoral student Qi Xia, and professor Shouhuai Xu of the University of Colorado (UCCS).

The team demonstrated NUIT attacks against modern voice assistants found inside millions of devices, including Apple’s Siri, Google’s Assistant, Microsoft’s Cortana, and Amazon’s Alexa, showing the ability to send malicious commands to those devices.

Inaudible attacks

The main principle that makes NUIT effective and dangerous is that microphones in smart devices can respond to near-ultrasound waves that the human ear cannot, thus performing the attack with minimal risk of exposure while still using conventional speaker technology.

In a post on USTA’s site, Chen explained that NUIT could be incorporated into websites that play media or YouTube videos, so tricking targets into visiting these sites or playing malicious media on trustworthy sites is a relatively simple case of social engineering.

The researchers say the NUIT attacks can be conducted using two different methods.

The first method, NUIT-1, is when a device is both the source and target of the attack. For example, an attack can be launched on a smartphone by playing an audio file that causes the device to perform an action, such as opening a garage door or sending a text message.

The other method, NUIT-2, is when the attack is launched by a device with a speaker to another device with a microphone, such as a website to a smart speaker.

Source: Inaudible ultrasound attack can stealthily control your phone, smart speaker

This is like smart units like Amazon Echo / Alexa being controlled by TV commercials

Health data and other personal information of members of Congress and staff were stolen during a breach of servers run by DC Health Care Link and are now up for sale on the dark web.

The FBI is investigating the intrusion, which came to light Wednesday after Catherine Szpindor, the House of Representatives’ chief administrative officer, sent a letter to House members telling them of the incident. Szpindor wrote that she was alerted to the hack by the FBI and US Capitol Police.

DC Health Link is the online marketplace for the Affordable Care Act that administers the healthcare plans for members of Congress as well as their family and staff.

Szpindor called the incident “a significant data breach” that exposed the personal identifiable information (PII) of thousands of DC Health Link employees and warned the Representatives that their data may have been compromised.

“Currently, I do not know the size and scope of the breach,” she wrote, adding the FBI informed her that account information and PII of “hundreds” of House and staff members were stolen. Once Szpindor has a list of the data taken, she will directly contact those people affected.

[…]

Thousands of House Members and employees from across the United States have enrolled in health insurance through DC Health Link for themselves and their families since 2014,” McCarthy and Jeffries wrote. “The size and scope of impacted House customers could be extraordinary.”

Szpindor in her letter recommended House members consider freezing their credit at Equifax, Experian, and TransUnion until the breadth of the breach is known, particularly which representatives and staff members had their data compromised.

According to CNBC, the Senate may also have been impacted by the breach, with an email sent to offices in that side of Congress saying the Senate at Arms was told of the breach from law enforcement and the “data included the full names, date of enrollment, relationship (self, spouse, child), and email address, but no other Personally Identifiable Information (PII).”

The FBI in a terse statement to the media said it was “aware of this incident and is assisting. This is an ongoing investigation.” Capitol Police said they were working with the FBI.

[…]

At least some of the PII taken during the breach found its way onto a dark web marketplace. In their letter, McCarthy and Jeffries noted the FBI was able to buy the PII and other enrollee information that was breached. The information included names of spouses and dependent children, Social Security numbers, and home addresses.

CNBC said a post on a dark web site put up for sale the data of 170,000 Health Link members and posted data from 11 users as a sample.

[…]

Organizations in the healthcare field have come under increasing attacks in recent years, which is unsurprising given the vast amounts of PII and health data – from medical records to Social Security numbers – they hold on doctors, staff, and patients.

Cybersecurity firm Check Point in a report said the number of cyberattacks around the world jumped 38 percent year-over-year in 2022 and that healthcare, education and research, and government were the top three targeted sectors

Source: US House reps, staff health data stolen in cyberattack • The Register

BlackLotus, a UEFI bootkit that’s sold on hacking forums for about $5,000, can now bypass Secure Boot, making it the first known malware to run on Windows systems even with the firmware security feature enabled.

Secure Boot is supposed to prevent devices from running unauthorized software on Microsoft machines. But by targeting UEFI the BlackLotus malware loads before anything else in the booting process, including the operating system and any security tools that could stop it.

Kaspersky’s lead security researcher Sergey Lozhkin first saw BlackLotus being sold on cybercrime marketplaces back in October 2022 and security specialists have been taking apart piece by piece ever since.

[…]

BlackLotus exploits a more than one-year-old vulnerability, CVE-2022-21894, to bypass the secure boot process and establish persistence. Microsoft fixed this CVE in January 2022, but miscreants can still exploit it because the affected signed binaries have not been added to the UEFI revocation list, Smolár noted.

“BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability,” he wrote.

Plus, a proof-of-concept exploit for this vulnerability has been publicly available since August 2022, so expect to see more cybercriminals using this issue for illicit purposes soon.

Making it even more difficult to detect: BlackLotus can disable several OS security tools including BitLocker, Hypervisor-protected Code Integrity (HVCI) and Windows Defender, and bypass User Account Control (UAC), according to the security shop.

[…]

Once BlackLotus exploits CVE-2022-21894 and turns off the system’s security tools, it deploys a kernel driver and an HTTP downloader. The kernel driver, among other things, protects the bootkit files from removal, while the HTTP downloader communicates with the command-and-control server and executes payloads.

The bootkit research follows UEFI vulnerabilities in Lenovo laptops that ESET discovered last spring, which, among other things, allow attackers to disable secure boot.

[…]

Source: It’s official: BlackLotus malware can bypass secure boot • The Register

On Wednesday, I phoned my bank’s automated service line. To start, the bank asked me to say in my own words why I was calling. Rather than speak out loud, I clicked a file on my nearby laptop to play a sound clip: “check my balance,” my voice said. But this wasn’t actually my voice. It was a synthetic clone I had made using readily available artificial intelligence technology.

Ad Block Choices

“Okay,” the bank replied. It then asked me to enter or say my date of birth as the first piece of authentication. After typing that in, the bank said “please say, ‘my voice is my password.’”

Again, I played a sound file from my computer. “My voice is my password,” the voice said. The bank’s security system spent a few seconds authenticating the voice.

“Thank you,” the bank said. I was in.

I couldn’t believe it—it had worked. I had used an AI-powered replica of a voice to break into a bank account. After that, I had access to the account information, including balances and a list of recent transactions and transfers.

Banks across the U.S. and Europe use this sort of voice verification to let customers log into their account over the phone. Some banks tout voice identification as equivalent to a fingerprint, a secure and convenient way for users to interact with their bank. But this experiment shatters the idea that voice-based biometric security provides foolproof protection in a world where anyone can now generate synthetic voices for cheap or sometimes at no cost. I used a free voice creation service from ElevenLabs, an AI-voice company.

Now, abuse of AI-voices can extend to fraud and hacking. Some experts I spoke to after doing this experiment are now calling for banks to ditch voice authentication altogether, although real-world abuse at this time could be rare.

[…]

Source: How I Broke Into a Bank Account With an AI-Generated Voice

Microsoft Edge has been spotted inserting a banner into the Chrome download page on Google.com begging people to stick with the Windows giant’s browser.

As noted this week by Neowin, an attempt to download and install Chrome Canary using Edge Canary – both experimental browser builds – led to the presentation in the Edge browser window of a banner graphic celebrating the merits of Edge.

Screenshot of Edge injecting an anti-Chrome banner ad into Google.com’s Chrome download page … Source: Chris Frantz

“Microsoft Edge runs on the same technology as Chrome, with the added trust of Microsoft,” the banner proclaims atop a button labeled “Browse securely now.”

This was on a Google web page, google.com/chrome/canary/thank-you.html, and it’s not clear how this ad surfaced. Edge appears to display the banner by itself when the user surfs to the Chrome download page on Google.com, which is just a little bit aggressive.

Microsoft did not immediately respond to a request to explain the promotion and the mechanics behind it.

The ad does not appear to have been delivered through normal ad servers based on its page placement. There’s debate among those discussing the banner online whether the ad consists of code injected by Edge into Google’s webpage, which would make it detectable and removable as part of the Document Object Model.

It has also been suggested that the ad may come from Edge as an interface element that’s stacked atop the rendered web page. We believe this is the case.

An individual familiar with browser development confirmed to The Register that he could reproduce the ad, which was said to be written in HTML but wasn’t placed “in” the page. He described the ad as its own browser window that, surprisingly, was viewable with Edge’s “Inspect” option for viewing source code.

Our source speculated the ad was implemented in a way that pushes down the “Content area” – the space where loaded web pages get rendered – to make space for a second rendering area that holds the ad.

The main content area and the ad content area do not interact with each other – they exist in separate worlds, so to speak. But the presence of the ad content area can be inferred by checking the main window’s innerHeight and outerHeight parameters.

Given two browser windows, one with the ad and one without, the main window with the ad will have an innerHeight value that’s less than a similarly sized window without the ad. The difference in the two measurements should correspond to the height of the ad content area.

Similar behavior can be found when visiting the Chrome Web Store using Microsoft Edge on macOS: the Chrome Web Store page is topped by an Edge banner that states, “Now you can add extensions from the Chrome Web Store to Microsoft Edge,” followed by a boxed button that says, “Allow extensions from other stores.”

[…]

Source: Microsoft begs people to stick to Edge after Chrome download • The Register

Wait, what the fuck is MS doing a) monitoring where I am browsing and b) changing what it looks like when I get there?!

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script to help companies whose servers were scrambled in the recent ESXiArgs ransomware outbreak.

The malware attack hit thousands of servers over the globe but there’s no need to enrich criminals any more. In addition to the script, CISA and the FBI today published ESXiArgs ransomware virtual machine recovery guidance on how to recover systems as soon as possible.

The software nasty is estimated to be on more than 3,800 servers globally, according to the Feds. However, “the victim count is likely higher due to Internet search engines being a point-in-time scan and devices being taken offline for remediation before a second scan,” Arctic Wolf Labs’ security researchers noted.

Uncle Sam urged all organizations managing VMware ESXi servers to update to the latest version of the software, harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and make sure that ESXi isn’t exposed to the public internet.

VMware has its own guidance here for administrators.

Also: the government agencies really don’t encourage paying the ransom, except when they do.

Bad news, good news

Last Friday, France and Italy’s cybersecurity agencies sounded the alarm on the ransomware campaign that exploits CVE-2021-21974 – a 9.1/10 rated bug disclosed and patched two years ago.

The bad news: the ransomware infects ESXi, VMware’s bare metal hypervisor, which is a potential goldmine for attackers. Once they’ve compromised ESXi, they could move onto guest machines that run critical apps and data.

The good news is that it’s not a very sophisticated piece of malware. Sometimes the encryption and data exfiltration doesn’t work, and shortly after government agencies sounded the alarm, security researchers released their own decryption tool. Now CISA’s added its recovery tool to the pool of fixes.

Organizations can access the recovery script on GitHub.

The US agency compiled the tool using publicly available resources, including the decryptor and tutorial by Enes Sonmez and Ahmet Aykac. “This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware,” according to CISA.

Source: Among ESXiArgs’ ransomware victims? FBI, CISA here to help • The Register

[…]

Kaspersky discovered two new Prilex variants in early 2022 and found a third in November that can target NFC-enabled credit cards and block contactless transactions, forcing payers over to the less-secure PIN machines.

“The goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction,” the researchers write in a report published this week.

The malware’s new capabilities build on those that already make Prelix the most advanced POS threat, they add. It has a unique cryptographic scheme and can patch target software in real time, force protocol downgrades, run GHOST transactions, and run credit card fraud, including on the most sophisticated CHIP and PIN technologies.

Once the buyer puts the credit card into the PIN machine, all those techniques can go into action.

[…]

The tap-to-pay system activates the card’s RFID chip, which sends a unique ID number and transaction to the terminal, neither of which can be used again. There is nothing for a cybercriminal to steal.

[…]

When Prilex detects and blocks a contactless transaction, the EFT software will have the PIN system show an error message that reads “Contactless error, insert your card.”

It also can filter credit cards by segment and create different rules for each segment.

“For example, these rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit,” the researchers wrote.

[…]

Source: Fast-evolving POS malware can block contactless payments • The Register

A Dutch hacker arrested in November obtained and offered for sale the full name, address and date of birth of virtually everyone in Austria, the Alpine nation’s police said on Wednesday.

A user believed to be the hacker offered the data for sale in an online forum in May 2020, presenting it as “the full name, gender, complete address and date of birth of presumably every citizen” in Austria, police said in a statement, adding that investigators had confirmed its authenticity.

The trove comprised close to nine million sets of data, police said. Austria’s population is roughly 9.1 million. The hacker had also put “similar data sets” from Italy, the Netherlands and Colombia up for sale, Austrian police said, adding that they did not have further details.

[…]

The police did not elaborate on the consequences for Austrians’ data security.

Source: Dutch hacker obtained virtually all Austrians’ personal data, police say | Reuters

Thousands of people who use Norton password manager began receiving emailed notices this month alerting them that an unauthorized party may have gained access to their personal information along with the passwords they have stored in their vaults.

Gen Digital, Norton’s parent company, said the security incident was the result of a credential-stuffing attack rather than an actual breach of the company’s internal systems. Gen’s portfolio of cybersecurity services has a combined user base of 500 million users — of which about 925,000 active and inactive users, including approximately 8,000 password manager users may have been targeted in the attack, a Gen spokesperson told CNET via email.

[…]

Norton’s intrusion detection systems detected an unusual number of failed login attempts on Dec. 12, the company said in its notice. On further investigation, around Dec. 22, Norton was able to determine that the attack began around Dec. 1.

“Norton promptly notified both regulators and customers as soon as the team was able to confirm that data was accessed in the attack,” Gen’s spokesperson said.

Personal data that may have been compromised includes Norton users’ full names, phone numbers and mailing addresses. Norton also said it “cannot rule out” that password manager vault data including users’ usernames and passwords were compromised in the attack.

“Systems have not been compromised, and they are safe and operational, but as is all too commonplace in today’s world, bad actors may take credentials found elsewhere, like the Dark Web, and create automated attacks to gain access to other unrelated accounts,”

[…]

Source: Norton LifeLock Accounts Targeted: What to Know and How to Protect Your Passwords – CNET

how to completely own an airline in 3 easy steps

and grab the TSA nofly list along the way

note: this is a slightly more technical* and comedic write up of the story covered by my friends over at dailydot, which you can read here

*i say slightly since there isnt a whole lot of complicated technical stuff going on here in the first place

step 1: boredom

like so many other of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, chinese shodan), looking for exposed jenkins servers that may contain some interesting goods. at this point i’ve probably clicked through about 20 boring exposed servers with very little of any interest, when i suddenly start seeing some familar words. “ACARS“, lots of mentions of “crew” and so on. lots of words i’ve heard before, most likely while binge watching Mentour Pilot YouTube videos. jackpot. an exposed jenkins server belonging to CommuteAir.

step 2: how much access do we have really?

ok but let’s not get too excited too quickly. just because we have found a funky jenkins server doesn’t mean we’ll have access to much more than build logs. it quickly turns out that while we don’t have anonymous admin access (yes that’s quite frequently the case [god i love jenkins]), we do have access to build workspaces. this means we get to see the repositories that were built for each one of the ~70 build jobs.

step 3: let’s dig in

most of the projects here seem to be fairly small spring boot projects. the standardized project layout and extensive use of the resources directory for configuration files will be very useful in this whole endeavour.

the very first project i decide to look at in more detail is something about “ACARS incoming”, since ive heard the term acars before, and it sounds spicy. a quick look at the resource directory reveals a file called application-prod.properties (same also for -dev and -uat). it couldn’t just be that easy now, could it?

well, it sure is! two minutes after finding said file im staring at filezilla connected to a navtech sftp server filled with incoming and outgoing ACARS messages. this aviation shit really do get serious.

here is a sample of a departure ACARS message:

from here on i started trying to find journalists interested in a probably pretty broad breach of US aviation. which unfortunately got peoples hopes up in thinking i was behind the TSA problems and groundings a day earlier, but unfortunately im not quite that cool. so while i was waiting for someone to respond to my call for journalists i just kept digging, and oh the things i found.

as i kept looking at more and more config files in more and more of the projects, it dawned on me just how heavily i had already owned them within just half an hour or so. hardcoded credentials there would allow me access to navblue apis for refueling, cancelling and updating flights, swapping out crew members and so on (assuming i was willing to ever interact with a SOAP api in my life which i sure as hell am not).

i however kept looking back at the two projects named noflycomparison and noflycomparisonv2, which seemingly take the TSA nofly list and check if any of commuteair’s crew members have ended up there. there are hardcoded credentials and s3 bucket names, however i just cant find the actual list itself anywhere. probably partially because it seemingly always gets deleted immediately after processing it, most likely specifically because of nosy kittens like me.

fast forward a few hours and im now talking to Mikael Thalen, a staff writer at dailydot. i give him a quick rundown of what i have found so far and how in the meantime, just half an hour before we started talking, i have ended up finding AWS credentials. i now seemingly have access to pretty much their entire aws infrastructure via aws-cli. numerous s3 buckets, dozens of dynamodb tables, as well as various servers and much more. commute really loves aws.

i also share with him how close we seemingly are to actually finding the TSA nofly list, which would obviously immediately make this an even bigger story than if it were “only” a super trivially ownable airline. i had even peeked at the nofly s3 bucket at this point which was seemingly empty. so we took one last look at the noflycomparison repositories to see if there is anything in there, and for the first time actually take a peek at the test data in the repository. and there it is. three csv files, employee_information.csv, NOFLY.CSV and SELECTEE.CSV. all commited to the repository in july 2022. the nofly csv is almost 80mb in size and contains over 1.56 million rows of data. this HAS to be the real deal (we later get confirmation that it is indeed a copy of the nofly list from 2019).

holy shit, we actually have the nofly list. holy fucking bingle. what?! :3

with the jackpot found and being looked into by my journalism friends i decided to dig a little further into aws. grabbing sample documents from various s3 buckets, going through flight plans and dumping some dynamodb tables. at this point i had found pretty much all PII imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot’s license numbers, when their next linecheck is due and much more. i had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it.

i had owned them completely in less than a day, with pretty much no skill required besides the patience to sift through hundreds of shodan/zoomeye results.

so what happens next with the nofly data

while the nature of this information is sensitive, i believe it is in the public interest for this list to be made available to journalists and human rights organizations. if you are a journalist, researcher, or other party with legitimate interest, please reach out at nofly@crimew.gay. i will only give this data to parties that i believe will do the right thing with it.

note: if you email me there and i do not reply within a regular timeframe it is very likely my reply ended up in your spam folder or got lost. using email not hosted by google or msft is hell. feel free to dm me on twitter in that case.

support me

if you liked this or any of my other security research feel free to support me on my ko-fi. i am unemployed and in a rather precarious financial situation and do this research for free and for the fun of it, so anything goes a long way.

Source: how to completely own an airline in 3 easy steps

[…]

The short version of the latest drama is this: data stolen from Twitter more than a year ago found its way onto a major dark web marketplace this week. The asking price? The crypto equivalent of $2. In other words, it’s basically being given away for free. The hacker who posted the data haul, a user who goes by the moniker “StayMad,” shared the data on the market “Breached,” where anyone can now purchase and peruse it. The cache is estimated to cover at least 235 million people’s information.

[…]

According to multiple reports, the breach material includes the email addresses and/or phone numbers of some 235 million people, the credentials that users used to set up their accounts. This information has been paired with details publicly scraped from users’ profiles, thus allowing the cybercriminals to create more complete data dossiers on potential victims. Bleeping Computer reports that the information for each user includes not only email addresses and phone numbers but also names, screen names/user handles, follower count, and account creation date.

[…]

The data that appeared on “Breached” this week was actually stolen during 2021. Per the Washington Post, cybercriminals exploited an API vulnerability in Twitter’s platform to call up user information connected to hundreds of millions of user accounts. This bug created a bizarre “lookup” function, allowing any person to plug in a phone number or email to Twitter’s systems, which would then verify whether the credential was connected to an active account. The bug would also reveal which specific account was tied to the credential in question.

The vulnerability was originally discovered by Twitter’s bug bounty program in January of 2022 and was first publicly acknowledged last August.

[…]

 

Source: 200 Million Twitter Users’ Data for Sale on the Dark Web for $2

Last week, just before Christmas, LastPass dropped a bombshell announcement: as the result of a breach in August, which led to another breach in November, hackers had gotten their hands on users’ password vaults. While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager.

LastPass’ December 22nd statement was “full of omissions, half-truths and outright lies,” reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it’s being; he accuses the company of trying to portray the August incident where LastPass says “some source code and technical information were stolen” as a separate breach when he says that in reality the company “failed to contain” the breach.

He also highlights LastPass’ admission that the leaked data included “the IP addresses from which customers were accessing the LastPass service,” saying that could let the threat actor “create a complete movement profile” of customers if LastPass was logging every IP address you used with its service.

Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. “LastPass’s claim of ‘zero knowledge’ is a bald-faced lie,” he says, alleging that the company has “about as much knowledge as a password manager can possibly get away with.”

LastPass claims its “zero knowledge” architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn’t dispute that particular point, he does say that the phrase is misleading. “I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no — with LastPass, your vault is a plaintext file and only a few select fields are encrypted.”

Palant also notes that the encryption only does you any good if the hackers can’t crack your master password, which is LastPass’ main defense in its post: if you use its defaults for password length and strengthening and haven’t reused it on another site, “it would take millions of years to guess your master password using generally-available password-cracking technology” wrote Karim Toubba, the company’s CEO.

“This prepares the ground for blaming the customers,” writes Palant, saying that “LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn’t follow their best practices.” However, he also points out that LastPass hasn’t necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, “I can log in with my eight-character password without any warnings or prompts to change it.”

LastPass’ post has even elicited a response from a competitor, 1Password — on Wednesday, the company’s principal security architect Jeffrey Goldberg wrote a post for its site titled “Not in a million years: It can take far less to crack a LastPass password.” In it, Goldberg calls LastPass’ claim of it taking a million years to crack a master password “highly misleading,” saying that the statistic appears to assume a 12 character, randomly generated password. “Passwords created by humans come nowhere near meeting that requirement,” he writes, saying that threat actors would be able to prioritize certain guesses based on how people construct passwords they can actually remember.

Of course, a competitor’s word should probably be taken with a grain of salt, though Palant echos a similar idea in his post — he claims the viral XKCD method of creating passwords would take around 3 years to guess with a single GPU, while some 11-character passwords (that many people may consider to be good) would only take around 25 minutes to crack with the same hardware. It goes without saying that a motivated actor trying to crack into a specific target’s vault could probably throw more than one GPU at the problem, potentially cutting that time down by orders of magnitude.

Both Gosney and Palant take issue with LastPass’ actual cryptography too, though for different reasons. Gosney accuses the company of basically committing “every ‘crypto 101’ sin” with how its encryption is implemented and how it manages data once it’s been loaded into your device’s memory.

Meanwhile, Palant criticizes the company’s post for painting its password-strengthening algorithm, known as PBKDF2, as “stronger-than-typical.” The idea behind the standard is that it makes it harder to brute-force guess your passwords, as you’d have to perform a certain number of calculations on each guess. “I seriously wonder what LastPass considers typical,” writes Palant, “given that 100,000 PBKDF2 iterations are the lowest number I’ve seen in any current password manager.”

[…]

Source: The LastPass disclosure of leaked password vaults is being torn apart by security experts – The Verge

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States.

The attack method, named EarSpy, is described in a paper published just before Christmas by researchers from Texas A&M University, Temple University, New Jersey Institute of Technology, Rutgers University, and the University of Dayton.

EarSpy relies on the phone’s ear speaker — the speaker at the top of the device that is used when the phone is held to the ear — and the device’s built-in accelerometer for capturing the tiny vibrations generated by the speaker.

[…]

Android security has improved significantly and it has become increasingly difficult for malware to obtain the required permissions.

On the other hand, accessing raw data from the motion sensors in a smartphone does not require any special permissions. Android developers have started placing some restrictions on sensor data collection, but the EarSpy attack is still possible, the researchers said.

A piece of malware planted on a device could use the EarSpy attack to capture potentially sensitive information and send it back to the attacker.

[…]

The researchers discovered that attacks such as EarSpy are becoming increasingly feasible due to the improvements made by smartphone manufacturers to ear speakers. They conducted tests on the OnePlus 7T and the OnePlus 9 smartphones — both running Android — and found that significantly more data can be captured by the accelerometer from the ear speaker due to the stereo speakers present in these newer models compared to the older model OnePlus phones, which did not have stereo speakers.

The experiments conducted by the academic researchers analyzed the reverberation effect of ear speakers on the accelerometer by extracting time-frequency domain features and spectrograms. The analysis focused on gender recognition, speaker recognition, and speech recognition.

In the gender recognition test, whose goal is to determine whether the target is male or female, the EarSpy attack had a 98% accuracy. The accuracy was nearly as high, at 92%, for detecting the speaker’s identity.

When it comes to actual speech, the accuracy was up to 56% for capturing digits spoken in a phone call.

Source: EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer

In a reminder of smart home security’s dark side, two people hacked Ring security cameras to livestream swattings, according to a Los Angeles grand jury indictment (according to a report from Bloomberg). The pair called in hoax emergencies to authorities and livestreamed the police response on social media in late 2020.

James Thomas Andrew McCarty, 20, of Charlotte, North Carolina, and Kya Christian Nelson, 21, of Racine, Wisconsin, hacked into Yahoo email accounts to gain access to 12 Ring cameras across nine states in November 2020 (disclaimer: Yahoo is Engadget’s parent company). In one of the incidents, Nelson claimed to be a minor reporting their parents for firing guns while drinking alcohol. When police arrived, the pair used the Ring cameras to taunt the victims and officers while livestreaming — a pattern appearing in several incidents, according to prosecutors.

[…]

Although the smart devices can deter things like robberies and “porch pirates,” Amazon admits to providing footage to police without user consent or a court order when it believes someone is in danger. Inexplicably, the tech giant made a zany reality series using Ring footage, which didn’t exactly quell concerns about the tech’s Orwellian side.

Source: Two people charged with hacking Ring security cameras to livestream swattings | Engadget

Amazing that people don’t realise that Amazon is creating a total and constant surveillance system with hardware that you paid for.

Password locker LastPass has warned customers that the August 2022 attack on its systems saw unknown parties copy encrypted files that contains the passwords to their accounts.

In a December 22nd update to its advice about the incident, LastPass brings customers up to date by explaining that the August 2022 attack saw “some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”

Those creds allowed the attacker to copy information “that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

The update reveals that the attacker also copied “customer vault” data – the file LastPass uses to let customers record their passwords.

That file “is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

Which means the attackers have users’ passwords. But thankfully those passwords are encrypted with “256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password”.

LastPass’ advice is that even though attackers have that file, customers who use its default settings have nothing to do as a result of this update as “it would take millions of years to guess your master password using generally-available password-cracking technology.”

One of those default settings is not to re-use the master password that is required to log into LastPass. The outfit suggests you make it a complex credential and use that password for just one thing: accessing LastPass.

Yet we know that users are often dumfoundingly lax at choosing good passwords, while two thirds re-use passwords even though they should know better.

[…]

LastPass therefore offered the following advice to individual and business users:

If your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.

Enjoy changing all those passwords, dear reader.

LastPass’s update concludes with news it decommissioned the systems breached in August 2022 and has built new infrastructure that adds extra protections.

Source: LastPass admits attackers copied password vaults

[…]

this modchip-based hack of a Starlink terminal brings us.

[Lennert Wouters]’ team has been poking and prodding at the Starlink User Terminal, trying to get root access, and needed to bypass the ARM Trusted Firmware boot-time integrity checks. The terminal’s PCB is satellite-dish-sized, so things like laser fault injection are hard to set up – hence, they went the voltage injection route. Much poking and prodding later, they developed a way to reliably glitch the CPU into verifying a faulty firmware, and got to a root shell – the journey described in a BlackHat talk embedded below.

To make the hack more compact, repeatable and cheap, they decided to move it from a mess of wires and boards into slim form-factor, and that’s where the modchip design was made. For that, they put the terminal PCB into a scanner, traced a board outline out, loaded it into KiCad, and put all the necessary voltage glitching and monitoring parts on a single board, driven by the venerable RP2040 – this board has everything you’d need if you wanted to get root on the Starlink User Terminal. Thanks to the modchip design’s flexibility, when Starlink released a firmware update disabling the UART output used for monitoring, they could easily re-route the signal to an eMMC data line instead. Currently, the KiCad source files aren’t available, but there’s Gerber and BOM files on GitHub in case we want to make our own!

Hacks like these, undoubtedly, set a new bar for what we can achieve while bypassing security protections. Hackers have been designing all kinds of modchips, for both proprietary and open tech – we’ve seen one that lets you use third-party filters in your “smart” air purifier, another that lets you use your own filament with certain 3D printers, but there’s also one that lets you add a ton of games to an ArduBoy. With RP2040 in particular, just this year we’ve seen used to build a Nintendo 64 flash cart, a PlayStation 1 memory card, and a mod that adds homebrew support to a GameCube. If you were looking to build hardware addons that improve upon tech you use, whether by removing protections or adding features, there’s no better time than nowadays!

Source: A Modchip To Root Starlink User Terminals Through Voltage Glitching | Hackaday

Thousands of smartphone applications in Apple (AAPL.O) and Google’s (GOOGL.O) online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

[…]

The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country’s main combat training bases.

[…]

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.

Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.

Pushwoosh’s founder, Max Konev, told Reuters in a September email that the company had not tried to mask its Russian origins. “I am proud to be Russian and I would never hide this.”

He said the company “has no connection with the Russian government of any kind” and stores its data in the United States and Germany.

Cybersecurity experts said storing data overseas would not prevent Russian intelligence agencies from compelling a Russian firm to cede access to that data, however.

[…]

Pushwoosh code was installed in the apps of a wide array of international companies, influential non-profits and government agencies from global consumer goods company Unilever Plc (ULVR.L) and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA), and Britain’s Labour Party.

[…]

Pushwoosh code has been embedded into almost 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh’s website says it has more than 2.3 billion devices listed in its database.

“Pushwoosh collects user data including precise geolocation, on sensitive and governmental apps, which could allow for invasive tracking at scale,” said Jerome Dangu, co-founder of Confiant, a firm that tracks misuse of data collected in online advertising supply chains.

[…]

Pushwoosh never mentioned it was Russian-based in eight annual filings in the U.S. state of Delaware, where it is registered, an omission which could violate state law.

Instead, Pushwoosh listed an address in Union City, California as its principal place of business from 2014 to 2016. That address does not exist, according to Union City officials.

Pushwoosh used LinkedIn accounts purportedly belonging to two Washington, D.C.-based executives named Mary Brown and Noah O’Shea to solicit sales. But neither Brown nor O’Shea are real people, Reuters found.

[…]

Source: Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps | Reuters

Hackers who stole customer data from Australia’s largest health insurer Medibank have released a file of pregnancy terminations.

It follows Medibank’s refusal to pay a ransom for the data, supported by the Australian government.

Medibank urged the public to not seek out the files, which contain the names of policy holders rather than patients.

CEO David Koczkaro warned that the data release could stop people from seeking medical attention.

Terminations can occur for a range of reasons including non-viable pregnancy, miscarriages and complications.

“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care,” he said.

The data of 9.7 million Medibank customers was stolen last month – the latest in a string of major data breaches in Australian companies in recent months.

The hackers this week published their first tranche of information after Medibank refused to pay a $10m (£8.7m; A$15.6m) ransom – about $1 for every customer.

Some Australians say they have been targeted by scammers after their medical details were posted online.

Former tennis champion Todd Woodbridge – who is recovering from a heart attack – said he had been pestered by calls from scammers who had known which hospital he had been in.

[…]

The files included people’s health claims data – including medical procedure history – as well as names, addresses, birthdates and government ID numbers.

[…]

Source: Medibank: Hackers release abortion data after stealing Australian medical records – BBC News

Doxxing abortion patients – that’s pretty damn low. Go take out big evil businesses.

Spy chiefs have ordered ministers to stop using their personal phones to conduct government business following a suspected Kremlin hack on Liz Truss’s mobile.

A Whitehall source said all ministers involved in national security would be expected to attend fresh training with the security services this week ‘to ensure everyone is aware how this material should be handled’.

Ministers will be warned they should never use their personal mobile phones to conduct Government business as they are likely to be the target of hostile states such as Russia, China, North Korea and Iran.

Pauline Neville-Jones, former chairman of Britain’s joint intelligence committee, yesterday said she was ‘not at all tolerant of the notion that it’s OK for ministers to use private mobile phones’.

The warnings follow astonishing revelations in yesterday’s Mail on Sunday that Miss Truss’s personal mobile was spied on by hackers thought to be working for Moscow while she was foreign secretary.

Spy chiefs have ordered ministers to stop using their personal phones to conduct government business following a suspected Kremlin hack on Liz Truss’s mobile

The hack was discovered during the Tory leadership contest in the summer, but a news blackout was ordered by Boris Johnson and Cabinet Secretary Simon Case. Even MPs and officials with top level security clearance were kept in the dark.

Miss Truss is said to have been so worried about the potential damage to her leadership bid that she ‘had trouble sleeping’ until the news was suppressed.

Messages dating back up to a year are thought to have been downloaded, including highly sensitive discussions with fellow foreign ministers about issues such as arms shipments to Ukraine.

Hacked messages are said to have included private criticisms of Mr Johnson by Miss Truss and Kwasi Kwarteng, potentially opening them up to blackmail attempts at a time when they were both senior ministers in his government.

Parliamentary sources yesterday said the shocking incident was now likely to be investigated by the Intelligence and Security Committee, which oversees the work of the security services.

[…]

Source: Suspected Kremlin hack on Liz Truss’s mobile sparks security clampdown  | Daily Mail Online

Medibank Private Ltd (MPL.AX), Australia’s biggest health insurer, said on Wednesday a cyber hack had compromised data of all of its of its nearly 4 million customers, as it warned of a A$25 million to A$35 million ($16 million to $22.3 million) hit to first-half earnings.

It said on Wednesday that all personal and significant amounts of health claims data of all its customers were compromised in the breach reported this month, a day after it warned the number of customers affected would grow. read more

Shares in the company fell more than 14%, its biggest one-day slide since listing in 2014.

Medibank, which covers one-sixth of Australians, said the estimated cost did not include further potential remediation or regulatory expenses.

“Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data,” chief executive David Koczkar said in a statement. “I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”

The company reiterated that its IT systems had not been encrypted by ransomware to date and that it would continue to monitor for any further suspicious activity.

“Everywhere we have identified a breach, it is now closed,” John Goodall, Medibank’s top technology executive, told an analyst call on Wednesday.

[…]

Source: Australia’s Medibank says data of 4 mln customers accessed by hacker | Reuters

Cybercriminals have used two strains of point-of-sale (POS) malware to steal the details of more than 167,000 credit cards from payment terminals.

The backend command-and-control (C2) server that operates the MajikPOS and Treasure Hunter malware remains active, according to Group-IB’s Nikolay Shelekhov and Said Khamchiev, and “the number of victims keeps growing,” they said this week.

[…]

The MajikPOS and Treasure Hunter malware infect Windows POS terminals and scan the devices to exploit the moments when card data is read and stored in plain text in memory. Treasure Hunter in particular performs this so-called RAM scraping: it pores over the memory of processes running on the register for magnetic-stripe data freshly swiped from a shopper’s bank card during payment. MajikPOS also scans infected PCs for card data. This info is then beamed back to the malware operators’ C2 server.

MajikPOS and Treasure Hunter

Of the two POS malware strains used in this campaign, MajikPOS is the newest, first seen targeting POS devices in 2017. The malware operators likely started with Treasure Hunter, and then paired it with the newer MajikPOS due to the latter’s more advanced features.

This includes “a more visually appealing control panel, an encrypted communication channel with C2, [and] more structured logs,” compared to Treasure Hunter, according to Group-IB. “MajikPOS database tables contain information about the infected device’s geolocation, operation system name, and hardware identification number.”

[…]

Treasure Hunter first appeared in 2014 before the source code was leaked on a Russian-speaking forum. Its primary use is RAM scraping, and is likely installed the same way as MajikPOS.

Today both MajikPOS and Treasure Hunter can be bought and sold on nefarious marketplaces.

In a months-long investigation, Group-IB analyzed about 77,400 card dumps from the MajikPOS panel and another 90,000 from the Treasure Hunter panel, the researchers wrote. Almost all — 97 percent or 75,455 — of the cards compromised by MajikPOS were issued by US banks with the remaining 3 percent distributed around the world.

The Treasure Hunter panel told a similar story with 96 percent (86,411) issued in the US.

[…]

Source: Crooks use POS malware to steal 167,000 credit card numbers • The Register

A dark web carding market named ‘BidenCash’ has released a massive dump of 1,221,551 credit cards to promote their marketplace, allowing anyone to download them for free to conduct financial fraud.

Carding is the trafficking and use of credit cards stolen through point-of-sale malware, magecart attacks on websites, or information-stealing malware.

BidenCash is a stolen cards marketplace launched in June 2022, leaking a few thousand cards as a promotional move.

Now, the market’s operators decided to promote the site with a much more massive dump in the same fashion that the similar platform ‘All World Cards’ did in August 2021.

[…]

The freely circulating file contains a mix of “fresh” cards expiring between 2023 and 2026 from around the world, but most entries appear to be from the United States.

The dump of 1.2 million credit cards includes the following credit card and associated personal information:

• Card number
• Expiration date
• CVV number
• Holder’s name
• Bank name
• Card type, status, and class
• Holder’s address, state, and ZIP
• Email address
• SSN
• Phone number

Not all the above details are available for all 1.2 million records, but most entries seen by BleepingComputer contain over 70% of the data types.

The “special event” offer was first spotted Friday by Italian security researchers at D3Lab, who monitors carding sites on the dark web.

The analysts claim these cards mainly come from web skimmers, which are malicious scripts injected into checkout pages of hacked e-commerce sites that steal submitted credit card and customer information.

[…]

BleepingComputer has discussed the authenticity with analysts at D3Lab, who confirmed that the data is real with several Italian banks, so the leaked entries correspond to real cards and cardholders.

However, many of the entries were recycled from previous collections, like the one  ‘All World Cards’ gave away for free last year.

From the data D3Labs has examined so far, about 30% appear to be fresh, so if this applies roughly to the entire dump, at least 350,000 cards would still be valid.

Of the Italian cards, roughly 50% have already been blocked due to the issuing banks having detected fraudulent activity, which means that the actually usable entries in the leaked collection may be as low as 10%.

[…]

Source: Darkweb market BidenCash gives away 1.2 million credit cards for free – Bleeping Computer

Researchers at the Synopsys Cybersecurity Research Center (CyRC) have discovered an availability vulnerability in the IKEA TRÅDFRI smart lighting system. An attacker sending a single malformed IEEE 802.15.4 (Zigbee) frame makes the TRÅDFRI bulb blink, and if they replay (i.e. resend) the same frame multiple times, the bulb performs a factory reset. This causes the bulb to lose configuration information about the Zigbee network and current brightness level. After this attack, all lights are on with full brightness, and a user cannot control the bulbs with either the IKEA Home Smart app or the TRÅDFRI remote control.

The malformed Zigbee frame is an unauthenticated broadcast message, which means all vulnerable devices within radio range are affected.

To recover from this attack, a user could add each bulb manually back to the network. However, an attacker could reproduce the attack at any time.

CVE-2022-39064 is related to another vulnerability, CVE-2022-39065, which also affects availability in the IKEA TRÅDFRI smart lighting system. Read our latest blog post to learn more.

Source: CyRC Vulnerability Advisory: CVE-2022-39064 IKEA TRÅDFRI smart lighting | Synopsys

Iran state TV was apparently hacked Saturday, with its usual broadcast footage of muttering geriatric clerics replaced by a masked face followed by a picture of Supreme Leader Ali Khamenei with a target over his head, the sound of a gunshot, and chants of “Women, Life, Freedom!”

BBC News identifies the pirate broadcaster as Adalat Ali”, or Ali’s Justice, from social media links in the footage, which also included photographs of women killed in recent protests across the country.

Saturday’s TV news bulletin was interrupted at about 18:00 local time with images which included Iran’s supreme leader with a target on his head, photos of Ms Amini and three other women killed in recent protests. One of the captions read “join us and rise up”, whilst another said “our youths’ blood is dripping off your paws”. The interruption lasted only a few seconds before being cut off.

BREAKING: Islamic Republic’s state-owned TV network hacked during a Khamenei address and the message: “The blood of our youth is dripping from your fingers.” Another message displayed: Rise up and Join Us.#مهسا_امینی#MahsaAmini pic.twitter.com/GliPMHUgJo

— Masih Alinejad (@AlinejadMasih) October 8, 2022

Source: Protestors hack Iran state TV live on air | Boing Boing