Read Time:5 Second
The E2EE feature was first spotted by mobile researcher Jane Manchun Wong earlier this month
Daily Archives: November 28, 2022
AWS releases Wickr, its encrypted messaging service for enterprises
Read Time:9 Second
The release of the enterprise version of the encrypted messaging service, announced at AWS re:Invent, is designed to allow secure collaboration across messaging, voice, video and file sharing.
Phishing Campaign Impersonating UAE Ministry of Human Resources Grows
Read Time:3 Second
New cluster of phishing domains registered using similar naming schemes discovered
USN-5689-2: Perl vulnerability
Read Time:13 Second
USN-5689-1 fixed a vulnerability in Perl.
This update provides the corresponding update for Ubuntu 22.10.
Original advisory details:
It was discovered that Perl incorrectly handled certain signature verification.
An remote attacker could possibly use this issue to bypass signature verification.
CVE-2021-45036
Read Time:9 Second
Velneo vClient on its 28.1.3 version, could allow an attacker with knowledge of the victims’s username and hashed password to spoof the victim’s id against the server.
Website offering spoofing services taken offline after joint operation
Read Time:45 Second
Judicial and law enforcement authorities in Europe, Australia, the US, Ukraine, and Canada took down a so-called spoofing website that allowed fraudsters to impersonate trusted corporations or contacts in order to steal more than $120 million from victims.
In a coordinated action led by the UK and supported by Europol and EU judicial cooperation agency Eurojust, a total of 142 suspects were arrested, including the main administrator of the website, according to a statement posted by Europol on November 24.
The website provided a paid-for service that provided those who signed up with the ability to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords. During the 16 months the website was live, Europol reported that the site took $3.8 million in fees, while enabling its customers to generate $120 million from illegal ‘spoofing’ campaigns.
Millions of Twitter Accounts Potentially Compromised
Read Time:5 Second
The breach affected any account with the “Let others find you by your phone” option enabled
Computer Repair Technicians Are Stealing Your Data
Read Time:1 Minute, 49 Second
Laptop technicians routinely violate the privacy of the people whose computers they repair:
Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.
[…]
In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks. As noted earlier, two of the visits resulted in the logs the researchers relied on being unrecoverable. In one, the researcher explained they had installed antivirus software and performed a disk cleanup to “remove multiple viruses on the device.” The researchers received no explanation in the other case.
[…]
The laptops were freshly imaged Windows 10 laptops. All were free of malware and other defects and in perfect working condition with one exception: the audio driver was disabled. The researchers chose that glitch because it required only a simple and inexpensive repair, was easy to create, and didn’t require access to users’ personal files.
Half of the laptops were configured to appear as if they belonged to a male and the other half to a female. All of the laptops were set up with email and gaming accounts and populated with browser history across several weeks. The researchers added documents, both sexually revealing and non-sexual pictures, and a cryptocurrency wallet with credentials.
A few notes. One: this is a very small study—only twelve laptop repairs. Two, some of the results were inconclusive, which indicated—but did not prove—log tampering by the technicians. Three, this study was done in Canada. There would probably be more snooping by American repair technicians.
The moral isn’t a good one: if you bring your laptop in to be repaired, you should expect the technician to snoop through your hard drive, taking what they want.
EU Council adopts NIS2 directive to harmonize cybersecurity across member states
Read Time:36 Second
The Council of the European Union (EU) has adopted a new cybersecurity directive designed to improve resilience and incident response capacities across the EU, replacing NIS, the current directive on the security of network and information systems.
The new directive, NIS2, will set the baseline for cybersecurity risk management measures and reporting obligations across sectors and aims to harmonize cybersecurity requirements and implementation of measures in different member states.
NIS2 enhances EU incident management cooperation
“NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure,” read an EU Council press release.
USN-5745-1: shadow vulnerability
Read Time:12 Second
Florian Weimer discovered that shadow was not properly copying and removing
user directory trees, which could lead to a race condition. A local attacker
could possibly use this issue to setup a symlink attack and alter or remove
directories without authorization.