Cyber security news January 2025

This posting is here to collect cyber security news in January 2025.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links in the comments.

154 Comments

  1. Tomi Engdahl says:

    What’s REALLY Behind the TP-Link Ban? What You’re NOT Being Told!
    https://m.youtube.com/watch?v=ArKU6WnnvnA

    Explore the fascinating story of TP-Link, a leading Chinese networking company that has become a global powerhouse in Wi-Fi routers. In this video we dive into its rise from humble beginnings, its innovative products, and the controversies surrounding the company—including the reasons it might face a ban in the USA.

  2. Tomi Engdahl says:

    Defence Committee demands action from the government to secure critical sites – "We have been naive"
    The Defence Committee expects the government to rein in the information shared about critical infrastructure. The committee will discuss the recent subsea cable damage tomorrow.
    https://yle.fi/a/74-20134158?origin=rss&fbclid=IwY2xjawHjxWNleHRuA2FlbQIxMQABHRZAYhJcwGSqd4TO6XN9VGn57zUv8D9NLrFHDUECOJZQmuTpuA0O334eEQ_aem_T8ZA5OHDTiOUBMnogOfxiA

  3. Tomi Engdahl says:

    Time to check if you ran any of these 33 malicious Chrome extensions
    Two separate campaigns have been stealing credentials and browsing history for months.
    https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/

  4. Tomi Engdahl says:

    https://www.achilleus.io/post/openssh-alert-unpacking-the-cve-2024-6387-vulnerability#:~:text=OpenSSH%20users%2C%20take%20note%3A%20a%20new%20vulnerability%20has,and%20potentially%20older%20versions%20depending%20on%20specific%20configurations.

    The Vulnerability

    Affected Versions: OpenSSH 9.0 to 9.3, and possibly older versions based on configuration.

    A Brief History of Discovery

    The vulnerability has a complex history, characterized by periods of vulnerability, safety, and then vulnerability again:

    OpenSSH < 4.4p1: These versions were susceptible to a signal handler race condition unless patched against CVE-2006-5051 or CVE-2008-4109.

    4.4p1 ≤ OpenSSH < 8.5p1: These versions were safe due to a modification in the sigdie() function introduced by the CVE-2006-5051 patch.

    8.5p1 ≤ OpenSSH < 9.8p1: Vulnerability re-emerged due to the accidental removal of a crucial #ifdef in the sigdie() function by commit 752250c. This regression was introduced in October 2020 with OpenSSH 8.5p1.

    The vulnerability allows remote exploitation on glibc-based Linux systems, where the syslog() function invokes async-signal-unsafe functions.

    Qualys' whitepaper states that exploiting this vulnerability is highly complex, typically requiring around 10,000 attempts to succeed under lab conditions. Given login timeouts and maximum concurrent connections, about 5 attempts can be made per minute, meaning it would take around 1.4 days for 10,000 attempts in an ideal lab setting. Real-world conditions, such as network lag and SSH scanner activity, could significantly increase this time.

    A proof-of-concept (PoC) exists for certain 32-bit versions of OpenSSH with a static glibc base address, which does not require ASLR bypass. However, newer 64-bit systems would take much longer to exploit due to needing to bypass ASLR. Therefore, widespread exploitation of this vulnerability is unlikely due to the complexity and time needed.

  5. Tomi Engdahl says:

    PoC Exploit Released For OpenSSH Arbitrary Code Execution Vulnerability
    https://cybersecuritynews.com/regresshion-code-execution-vulnerability/

    The Vulnerability: A Regression Of A 2006 Issue
    CVE-2024-6387 arises from a signal handler race condition in OpenSSH’s server (sshd). This issue occurs when an unauthenticated client fails to log in within the `LoginGraceTime` limit (120 seconds by default).

    The server’s SIGALRM handler, triggered in this scenario, calls non-async-signal-safe functions such as `syslog()`, creating a race condition that can be exploited to achieve remote code execution (RCE).

    This vulnerability is particularly critical because it reintroduces a flaw first patched in 2006 (CVE-2006-5051), making it a regression issue. The vulnerability was uncovered by Qualys Threat Research Unit.

    It impacts OpenSSH versions 8.5p1 through 9.8p1 on glibc-based Linux systems. OpenBSD systems remain unaffected due to their different signal-handling mechanisms.

    While the vulnerability is severe, exploiting it is not straightforward. Security researchers have described it as a “statistical exploit,” requiring numerous attempts to win the race condition.

    Mitigation Measures
    To address this critical vulnerability:

    Upgrade to OpenSSH 9.8 or Later: The latest version includes patches that resolve the race condition.
    Temporary Workaround: Set `LoginGraceTime` to `0` in the sshd configuration file. While this prevents exploitation of the vulnerability, it may expose systems to denial-of-service risks.
    Restrict Access: Use network-based controls to limit SSH access.
    Monitor for Indicators of Compromise (IoCs): Organizations should deploy intrusion detection systems and monitor logs for unusual activity.

    https://vulcan.io/blog/cve-2024-6387-how-to-fix-regresshion-vulnerability/

    In addition, Qualys’s recommendations for enterprises to safeguard against the threat:

    Restrict Access: Limit SSH access to trusted networks and users only. Implement network access controls to restrict who can connect to your SSH servers.
    Use Strong Authentication: Enhance security by using key-based authentication and disabling password-based logins where possible.
    Monitor and Audit: Regularly monitor SSH access logs for unusual activity and audit your SSH configuration to ensure it follows security best practices.
    Finally, if sshd cannot be updated or recompiled, this signal handler race condition can be fixed by simply setting LoginGraceTime to 0 in the configuration file.

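The version history in the previous comment and the LoginGraceTime workaround in this one, turned into a small triage checker. This is an added example, not code from Qualys or from the articles linked above: it parses an OpenSSH server banner, maps the version onto the three ranges Qualys describes, and reads the effective LoginGraceTime from an sshd_config (sshd honours the first occurrence of a keyword). The banner and config below are constructed samples, and the function names are this example's own. One caveat a practitioner needs: distributions backport the fix without changing the version string (RHEL and Ubuntu both did), so a banner-based result is a triage hint, not a verdict; confirm against the package changelog before declaring a host vulnerable.

```python
"""Triage helper for CVE-2024-6387 (regreSSHion): classify an OpenSSH
server banner against the affected-version ranges and check whether the
LoginGraceTime 0 workaround is in effect in sshd_config.

Added example; the version ranges come from the Qualys write-up quoted
above, everything else here is an assumption of this example.
"""
import re

# OpenSSH identification string, e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4".
# The "pN" suffix marks the portable (Linux/BSD) build; OpenBSD's native
# build has no suffix and is not affected by this bug.
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# sshd_config time values accept these suffixes; a bare number is seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

DEFAULT_LOGIN_GRACE_TIME = 120  # sshd default, in seconds


def parse_openssh_version(banner):
    """Return (major, minor, portable_release) or None if not an OpenSSH banner.
    portable_release is 0 when the banner carries no pN suffix."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))


def classify_regresshion(version):
    """Map a parsed version onto the ranges in the Qualys history:
    < 4.4p1 vulnerable (unless CVE-2006-5051 / CVE-2008-4109 were backported),
    4.4p1 <= v < 8.5p1 not affected, 8.5p1 <= v < 9.8p1 vulnerable, >= 9.8p1 fixed.
    Applies to glibc-based Linux builds; distro backports make this a hint only."""
    if version[2] == 0:
        return "not affected (non-portable OpenBSD build)"
    if version < (4, 4, 1):
        return "vulnerable (pre-4.4p1 unless CVE-2006-5051 fix backported)"
    if version < (8, 5, 1):
        return "not affected"
    if version < (9, 8, 1):
        return "vulnerable (8.5p1 regression)"
    return "fixed"


def _parse_time(value):
    """Parse an sshd_config time value such as '0', '120' or '2m' into seconds."""
    m = re.fullmatch(r"(\d+)([smhdwSMHDW]?)", value)
    if not m:
        raise ValueError("bad sshd_config time value: %r" % value)
    number, unit = m.groups()
    return int(number) * _UNITS.get(unit.lower(), 1)


def login_grace_time(sshd_config):
    """Return the effective LoginGraceTime in seconds.
    sshd honours the first occurrence of a keyword and ignores later ones,
    so duplicates further down (and commented-out lines) must not win.
    Keyword and value may be separated by whitespace or a single '='."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return _parse_time(parts[1].strip())
    return DEFAULT_LOGIN_GRACE_TIME


def assess(banner, sshd_config):
    """Combine the banner classification with the workaround check."""
    version = parse_openssh_version(banner)
    if version is None:
        return {"openssh": False, "status": "not OpenSSH",
                "login_grace_time": None, "workaround_applied": False}
    grace = login_grace_time(sshd_config)
    return {
        "openssh": True,
        "version": version,
        "status": classify_regresshion(version),
        "login_grace_time": grace,
        # LoginGraceTime 0 disables the timeout, so the SIGALRM handler the
        # race lives in never runs (at the cost of unbounded idle connections).
        "workaround_applied": grace == 0,
    }


# Constructed sample inputs, not captured from a real host.
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4"
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#LoginGraceTime 2m
PermitRootLogin prohibit-password
LoginGraceTime 0
PasswordAuthentication no
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

Feed it the banner from `nc host 22` (the first line the server sends) and the contents of `/etc/ssh/sshd_config`; the sample above classifies as vulnerable by version but with the workaround applied, which is exactly the state the comment describes for hosts that cannot yet be upgraded.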
  6. Tomi Engdahl says:

    CVE-2024-6387 – PoC
    https://github.com/l0n3m4n/CVE-2024-6387

    The flaw, discovered by researchers at Qualys in May 2024, and assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root.

    “If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd’s SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe,”

    “A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges.”

  7. Tomi Engdahl says:

    The regreSSHion Bug
    An Unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems.
    https://www.qualys.com/regresshion-cve-2024-6387/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387
    https://access.redhat.com/security/cve/cve-2024-6387

  9. Tomi Engdahl says:

    Do you hate ads? You may hate this one even more
    Microsoft has decided to show Windows 10 users a new advertisement. Unfortunately, for some users it crashes the computer.
    https://www.iltalehti.fi/digiuutiset/a/cff7096b-c2cd-4487-84e9-9ab3ead3c6a6

    The notice urges users to start drawing up an upgrade plan.

    What makes the situation embarrassing for Microsoft is that the notice causes some devices to react by freezing and crashing. The ad page turns gray and an error message appears on top of it saying that the application has stopped responding.

    Windows 10's support period ends next October, and Microsoft is in a hurry to move the masses over to the new Windows. The company has not made it particularly easy, however, since Windows 11 has strict hardware requirements that not all devices meet.

    Staying on Windows 10 after the October deadline is not recommended, because doing so exposes the user to malware and other unpleasant surprises from the internet.

    An ordinary consumer can buy extended support for Windows 10 from Microsoft for 30 dollars, or about 29 euros. Support can only be bought for one year, however.

  10. Tomi Engdahl says:

    As Windows 10 end of support looms, Windows 11 upgrade pop-up is crashing PCs for some
    Microsoft shows us how to make something even worse
    https://www.techspot.com/news/106221-microsoft-windows-11-upgrade-pop-up-crashing-users.html

    Facepalm: What’s worse than (another) full-screen pop-up from Microsoft warning Windows 10 users that they should be planning for Windows 11’s arrival? A pop-up that freezes and crashes as soon as it appears. It’s not a good look for Microsoft and does little to instill confidence in Windows 10 users who refuse to upgrade despite the OS’ impending end-of-support date.

    Most people still using Windows 10 have little intention of upgrading until they absolutely have to, which means intrusive, full-screen pop-ups aren’t something they want to see. Incredibly, Microsoft has managed to make its latest one even worse for some users.

    The Reusable UX Interaction Manager (RUXIM) is a component of Windows primarily associated with Windows Update. It assists in scheduling and delivering these updates and managing interaction campaigns, which includes full-screen notifications or messages related to system updates or promotions, such as the Windows 11 campaign.

    For the first time ever, Microsoft is allowing individual users, not just those in enterprise and education, to continue receiving Critical and Important security updates for Windows 10 after the October 14 end-of-support date. The caveats are that it will cost $30 for a year and new features, bug fixes, and technical support will not be included in the program.

    Despite Microsoft’s efforts, Windows 10’s global market share increased over the previous two months to 62.7% while Windows 11 fell to 34.1%, according to Statcounter. The Steam survey paints a different picture, though: Windows 11 is the most popular OS among participants. It holds a 55% share while Windows 10 has dropped to 42%.

  11. Tomi Engdahl says:

    CISA: No Federal Agency Beyond Treasury Impacted by BeyondTrust Incident

    CISA says no federal agencies other than Treasury were impacted by the recent compromise of a BeyondTrust cloud-based service.

    https://www.securityweek.com/cisa-no-federal-agency-beyond-treasury-impacted-by-beyondtrust-incident/

  12. Tomi Engdahl says:

    Critical Infrastructure Ransomware Attack Tracker Reaches 2,000 Incidents

    Temple University’s Critical Infrastructure Ransomware Attacks (CIRA) database now contains over 2,000 entries.

    https://www.securityweek.com/universitys-critical-infrastructure-ransomware-attack-tracker-reaches-2000-incidents/

    Roughly 2,000 ransomware attacks were launched over the past decade against critical infrastructure organizations in the United States and other countries, according to data collected as part of a project maintained at Temple University in Philadelphia.

    SecurityWeek first wrote about the project in 2020, when it covered more than 680 ransomware attacks targeting critical infrastructure. By February 2022, the number of entries exceeded 1,100, and it has now reached just over 2,000.

    The project is maintained by Aunshul Rege, professor in the Department of Criminal Justice at Temple University, and Rachel Bleiman, PhD candidate and graduate research assistant.

    The Critical Infrastructure Ransomware Attacks (CIRA) database currently covers more than 2,000 attacks documented since 2013, and includes nearly 300 entries for incidents that came to light in 2024.

  13. Tomi Engdahl says:

    Russian TV: "We cut the cables, take that"
    A Russian programme says the Baltic Sea has turned into a theatre of war.
    https://www.iltalehti.fi/ulkomaat/a/2758bd19-59c3-413d-8d3b-e8ec78b925b6

    The current affairs programme Mesto Vstretši on Russia's NTV television channel discussed the suspected cable sabotage cases in the Baltic Sea and the West's fight against Russia's shadow fleet.

    The programme was broadcast on 27 December, before the turn of the year.

    The programme went through the recent events in the Baltic Sea that led Finnish authorities to take the Eagle S vessel, suspected of cable sabotage, into their custody.

    Host Ivan Truskin ponders whether cable sabotage makes sense. NATO's presence in the Baltic Sea is expected to increase as a result of the incident.

    – I would understand it if Europe were left without electricity for three weeks. In this case only a few thousand people lost power for a moment.

    Later in the programme, various theories are heard about what was really behind the incident.

    Former Russian deputy foreign minister Andrei Fedorov does not believe the incident was an accident; rather, the purpose is "to cause problems".

    Take that

    Russian State Duma member Aleksander Kazakov goes even further and sees the matter as the Baltic Sea turning into a theatre of war.

    According to Kazakov, Russia is currently seeking to restore its dominance in the Black Sea, and the Baltic Sea is next in line.

    – The Baltic Sea has become a theatre of military events. What is happening now is escalation. Our people said: let's do damage to NATO. Let's cut their cables, for example.

    – Take that, we are cutting them.

    The host then asks Kazakov how the Baltic Sea is to be liberated.

    According to Kazakov, it can only be done overland.

    – We need the Baltic states' coastline, we need our own Suwałki corridor from Kaliningrad to Leningrad.

    The proposal is followed by a stunned silence. Then one of the programme's guests shouts that it would mean attacking Estonia.

    Kazakov replies that not only Estonia, but Latvia and Lithuania as well.

    To this the host comments that Kazakov will get to "the islands" by the end of the programme, possibly meaning Åland and Gotland, which have recently featured in Russian media.

    Next to speak is political scientist Viktor Olevitš, who says Russia should first assess its own strength and not underestimate its opponent.

    The host says the Western countries intend to demand insurance certificates from vessels belonging to the shadow fleet, and calls the move a military measure almost comparable to a naval blockade.

    According to the panellists, Russia should respond by assigning its own warships to escort merchant vessels. The inferiority of Russia's Baltic Fleet relative to the NATO countries is acknowledged. The conclusion is to organise traffic into large convoys.

    The risk of escalation is then believed to rise so high that the NATO countries would not dare to react.

  14. Tomi Engdahl says:

    Cinia: The cable is working
    The direct subsea cable link between Finland and Germany is now operational.
    https://www.iltalehti.fi/kotimaa/a/2797a011-dcc0-4eac-88e4-6e99d0489c5f

    Cinia reports that the break in the C-Lion-1 subsea cable has been repaired. The direct subsea cable connection between Finland and Germany has been restored to full working order.

    The fault was detected on Christmas Day, and the Eagle S tanker is suspected of causing it. The repair work was completed in the Gulf of Finland, southeast of the Porkkala peninsula, on Monday 6 January at 13:37. The repair ship was able to begin its return journey once the post-repair work on the cable had been completed.

    In the same statement, Cinia says it filed an application for the seizure of the Eagle S vessel with the Helsinki District Court on Tuesday 7 January. Cinia also filed a request for investigation with the National Bureau of Investigation already on 25 December. The authorities' investigation into the cable break continues.

  15. Tomi Engdahl says:

    Cinia's and Elisa's subsea cables repaired – the power cable repair will take longer.
    https://www.uusiteknologia.fi/2025/01/07/cinian-ja-elisan-merikaapelit-korjattu-sahkokaapelin-korjaus-kestaa-pitempaan/

    Elisa's and Cinia's telecommunications cables in the Gulf of Finland have been repaired. State-owned Cinia said the C-Lion1 subsea cable is back in operation, and Elisa's two telecommunications cables to Estonia are also operating. Repairing the broken subsea power link to Estonia, on the other hand, will take longer. The Eagle S vessel, part of Russia's shadow fleet and suspected of causing the breaks, has spent the past few days off Porvoo as the subject of investigations.

    Cinia filed a request for investigation of the cable fault with the National Bureau of Investigation on 25 December 2024, and the authorities are continuing the investigation into the cable break. C-Lion1 is a telecommunications subsea cable owned by Cinia that runs between Finland and Germany.

    The other broken subsea cables are Fingrid's EstLink 2 power transmission cable from Finland to Estonia and two Elisa connections running from Helsinki to Tallinn. Elisa said on Monday morning that its Estonian cables have now been repaired. Elisa's two subsea cables between Finland and Estonia were originally damaged on Wednesday evening, 25 December 2024. The repair of the EstLink 2 power link, by contrast, is still being planned and is expected to take months. The EstLink 1 link to Estonia is also available, but its capacity is smaller than that of EstLink 2.

  16. Tomi Engdahl says:

    Catarina Demony / Reuters:
    The UK plans to make it a crime to create and share sexually explicit deepfakes; the UK criminalized revenge porn in 2015, but that law doesn’t cover deepfakes

    Britain to make sexually explicit ‘deepfakes’ a crime
    https://www.reuters.com/world/uk/britain-make-sexually-explicit-deepfakes-crime-2025-01-07/

    LONDON, Jan 7 (Reuters) – Creating and sharing sexually explicit “deepfakes” will become a criminal offence in Britain, the government said on Tuesday, in a bid to tackle a surge in the proliferation of such images, mainly targeting women and girls.
    Deepfakes are videos, pictures or audio clips made with artificial intelligence to look real, and such technology can be used to digitally alter pornographic images into the likeness of someone else.

    Publishing intimate photos or videos without consent and with the intent to cause distress – so-called revenge porn – was criminalised in Britain in 2015, but that legislation does not cover the use of fake images.
    Data from UK-based Revenge Porn Helpline showed image-based abuse using deepfakes has increased more than 400% since 2017.

    “There is no excuse for creating a sexually explicit deepfake of someone without their consent,” the justice ministry said in a statement.

    Under its proposal, offenders would face fines and even jail time.

    The government said it would also create new offences for the taking of intimate images without consent and the installation of equipment with intent to commit these offences. Those found guilty could face up to two years behind bars.
    “This demeaning and disgusting form of chauvinism must not become normalised,” said Victims Minister Alex Davies-Jones.
    Technology minister Margaret Jones said tech platforms hosting abusive images would face tougher scrutiny and significant penalties.

    “Intimate-image abuse is a national emergency that is causing significant, long-lasting harm to women and girls who face a total loss of control over their digital footprint, at the hands of online misogyny,” said campaigner Jess Davies.

  17. Tomi Engdahl says:

    Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Product

    Ivanti confirms zero-day exploitation of a remotely exploitable code execution flaw in its Connect Security product line.

    https://www.securityweek.com/ivanti-warns-of-new-zero-day-attacks-hitting-connect-secure-product/

  18. Tomi Engdahl says:

    Telegram Shared Data of Thousands of Users After CEO’s Arrest

    After its CEO was arrested last summer, Telegram has been increasingly sharing user data at the request of authorities.

    https://www.securityweek.com/telegram-shared-data-of-thousands-of-users-after-ceos-arrest/

  19. Tomi Engdahl says:

    Japan Links Chinese Hacker MirrorFace to Dozens of Cyberattacks Targeting Security and Tech Data

    Japan says China-linked cyberattacks were systematic attacks with an aim of stealing data on Japanese national security and advanced technology.

    https://www.securityweek.com/japan-links-chinese-hacker-mirrorface-to-dozens-of-cyberattacks-targeting-security-and-tech-data/

  20. Tomi Engdahl says:

    Rationalizing the Stack: The Case for Security Vendor Consolidation

    Consolidating from an overly burdensome number of point solutions to an easier to manage platform-based approach brings with it a number of benefits.

    https://www.securityweek.com/rationalizing-the-stack-the-case-for-security-vendor-consolidation/

  21. Tomi Engdahl says:

    Trolley Problem, Safety Versus Security of Generative AI

    The only way to advance AI safety is to increase human interactions, human values and societal governance to promote a reinforced human feedback loop, much like we do with traditional AI training methods.

    https://www.securityweek.com/trolley-problem-safety-versus-security-of-generative-ai/

  22. Tomi Engdahl says:

    New Labels Will Help People Pick Devices Less at Risk of Hacking

    The US government is rolling out a consumer labeling system designed to help Americans pick smart devices that are less vulnerable to hacking.

    https://www.securityweek.com/new-labels-will-help-people-pick-devices-less-at-risk-of-hacking/

  23. Tomi Engdahl says:

    Chrome 131, Firefox 134 Updates Patch High-Severity Vulnerabilities

    Chrome and Firefox updates released this week resolve high-severity vulnerabilities in the two popular browsers.

    https://www.securityweek.com/chrome-131-firefox-134-updates-patch-high-severity-vulnerabilities/

  24. Tomi Engdahl says:

    First Android Update of 2025 Patches Critical Code Execution Vulnerabilities

    This year’s first batch of monthly security updates for Android resolves 36 vulnerabilities, including critical remote code execution flaws.

    https://www.securityweek.com/first-android-update-of-2025-patches-critical-code-execution-vulnerabilities/

  25. Tomi Engdahl says:

    Philip Blenkinsop / Reuters:
    EU rejects Zuckerberg’s claim that “Europe has an ever increasing number of laws institutionalizing censorship”, saying it only requires illegal content removal — The European Commission rejected on Wednesday Meta (META.O) chief Mark Zuckerberg’s assertion that European Union …

    https://www.reuters.com/technology/we-do-not-censor-social-media-eu-says-response-meta-2025-01-08/

    Sarah Perez / TechCrunch:
    Mastodon CEO Eugen Rochko says Meta’s moderation changes are “deeply troubling”, and Mastodon will take action on Threads accounts violating Mastodon’s policies — Mastodon CEO Eugen Rochko has spoken out about the significant moderation changes announced by Meta on Tuesday …
    https://techcrunch.com/2025/01/08/mastodon-ceo-calls-metas-moderation-changes-deeply-troubling-warns-users-cross-posting-from-threads/

  26. Tomi Engdahl says:

    Mari Yamaguchi / Associated Press:
    Japan says Chinese hacking group MirrorFace is linked to 200+ cyberattacks from 2019 to 2024 targeting the country’s national security and advanced tech data — Japan on Wednesday linked more than 200 cyberattacks over the past five years targeting the country’s national security …

    https://apnews.com/article/japan-police-cyberattack-china-government-68adcb293b2931da4c30ca0279720124

  27. Tomi Engdahl says:

    Julian Chokkattu / Wired:
    A look at AI-enabled wearables like Bee AI and Omi, with embedded always-on microphones to record conversations around users and provide actionable insights — The latest crop of AI-enabled wearables like Bee AI and Omi listen to your conversations to help organize your life.

    Your Next AI Wearable Will Listen to Everything All the Time
    The latest crop of AI-enabled wearables like Bee AI and Omi listen to your conversations to help organize your life. They are also normalizing embedded microphones that are always on.
    https://www.wired.com/story/bee-ai-omi-always-listening-ai-wearables/

  28. Tomi Engdahl says:

    Steven Scheer / Reuters:
    YL Ventures: Israeli cybersecurity firms raised $4B in 2024, up over 100% YoY, across 89 rounds, including 50 seed or early-stage rounds that raised $400M — Israeli cybersecurity firms raised $4 billion in 2024, more than double that of 2023, led by firms seeking to protect the cloud along …

    Israel cyber firms raise $4 bln in 2024 on surge of cloud, AI security needs
    https://www.reuters.com/technology/israel-cyber-firms-raise-4-bln-2024-surge-cloud-ai-security-needs-2025-01-07/

  29. Tomi Engdahl says:

    Reuters:
    In a first, an EU court fines the EC €400 for breaching its own data protection rules by transferring a citizen’s data to the US via “Sign in with Facebook”

    In a first, EU Court fines EU for breaching own data protection law
    https://www.reuters.com/world/europe/first-eu-court-fines-eu-breaching-own-data-protection-law-2025-01-08/

    BRUSSELS, Jan 8 (Reuters) – In a first, the EU General Court ruled on Wednesday that the European Commission must pay damages to a German citizen for failing to comply with its own data protection regulations.

  30. Tomi Engdahl says:

    Carly Page / TechCrunch:
    Ivanti warns that a zero-day in its widely-used Connect Secure VPN service has been exploited to compromise the networks of its corporate customers

    Hackers are exploiting a new Ivanti VPN security bug to hack into company networks
    https://techcrunch.com/2025/01/09/hackers-are-exploiting-a-new-ivanti-vpn-security-bug-to-hack-into-company-networks/

  31. Tomi Engdahl says:

    The ‘Worst in Show’ CES Products Put Your Data at Risk and Cause Waste, Privacy Advocates Say
    https://www.securityweek.com/the-worst-in-show-ces-products-put-your-data-at-risk-and-cause-waste-privacy-advocates-say/

    Some of the innovative products presented at CES can pose a serious risk to data and privacy.

    So much of the technology showcased at CES includes gadgets made to improve consumers’ lives — whether by leveraging AI to make devices that help people become more efficient, by creating companions to cure loneliness or by providing tools that help people with mental and physical health.

    But not all innovation is good, according to a panel of self-described dystopia experts that has judged some products as “Worst in Show.” The award that no company wants to win calls out the “least repairable, least private, and least sustainable products on display.”

    “We’re seeing more and more of these things that have basically surveillance technology built into them, and it enables some cool things,” Liz Chamberlain, director of sustainability at the e-commerce site iFixit told The Associated Press. “But it also means that now we’ve got microphones and cameras in our washing machines, refrigerators and that really is an industry-wide problem.”

    Vulnerable to hacking

    TP-Link’s Archer BE900 router won for “least secure” of CES. The company is a top-selling router brand in the U.S. But its products are vulnerable to hacking, said Paul Roberts, founder of The Security Ledger.

    “By Chinese law, TP-Link must report security flaws to the government before alerting the public, creating a significant national security risk,” he said. “Yet TP-Link showcased its Archer BE900 router at CES without addressing these vulnerabilities.”

    Who asked for this?

    The awards also feature a category called “who asked for this?” Top of that list was Samsung’s Bespoke AI Washing Machine, which Nathan Proctor, senior director of U.S. PIRG, a consumer advocacy group, said is filled “with features no one needs,” including the ability to make phone calls.

    The worst overall

    Gay Gordon-Byrne, executive director of The Repair Association called the LG “AI Home Inside 2.0 Refrigerator with ThinkQ” the worst product overall. The fridge adds “flashy features,” Gordon-Byrne said, including a screen and internet connection.

    “But these come at a cost,”

  32. Tomi Engdahl says:

    From Silos to Synergy: Transforming Threat Intelligence Sharing in 2025
    https://www.securityweek.com/from-silos-to-synergy-transforming-threat-intelligence-sharing-in-2025/

    In the face of ever-growing threats and adversaries, organizations must break down the silos between ALL teams involved in security.

  33. Tomi Engdahl says:

    Problems with card payments – the cause is now clear
    There appear to be problems with card payments on 10 January. According to the company providing the card services, the problems have been fixed, but problems are still being reported to the Downdetector service.
    https://www.iltalehti.fi/digiuutiset/a/989f9368-33a1-42ba-8a51-38122e1318f5

  34. Tomi Engdahl says:

    Joseph Cox / Wired:
    A hack of location data firm Gravy reveals Candy Crush, Tinder, and thousands of other apps are being used to steal user location data; apps may not even know

    Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location
    A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes.
    https://www.wired.com/story/gravy-location-data-app-leak-rtb/

    Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement.

    The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem—not code developed by the app creators themselves—this data collection is likely happening without users’ or even app developers’ knowledge.

  35. Tomi Engdahl says:

    Jonathan Stempel / Reuters:
    A US judge rules that Google must face a class action claiming Google collected users’ personal data from their phones after they turned off Web & App Activity — Google failed to persuade a federal judge to dismiss a privacy class action claiming it collected personal data …

    Google must face mobile phone privacy class action, possible trial
    https://www.reuters.com/legal/google-must-face-mobile-phone-privacy-class-action-possible-trial-2025-01-08/

  36. Tomi Engdahl says:

    Ivan Mehta / TechCrunch:
    X says it is rolling out labels for parody or satire accounts to differentiate them from others and boost transparency; accounts have to apply for the labels — X said today that it will now label parody or satire profiles to differentiate them from other accounts.
    https://techcrunch.com/2025/01/09/x-says-it-is-rolling-out-labels-for-parody-accounts/

  37. Tomi Engdahl says:

    Yimou Lee / Reuters:
    Taiwan’s National Security Bureau says daily average cyberattacks on government departments doubled YoY to 2.4M in 2024, and most were by Chinese cyber forces

    Chinese cyberattacks on Taiwan government averaged 2.4 mln a day in 2024, report says
    https://www.reuters.com/technology/cybersecurity/chinese-cyberattacks-taiwan-government-averaged-24-mln-day-2024-report-says-2025-01-06/

    Reply
  38. Tomi Engdahl says:

    Ransomware
    Critical Infrastructure Ransomware Attack Tracker Reaches 2,000 Incidents

    Temple University’s Critical Infrastructure Ransomware Attacks (CIRA) database now contains over 2,000 entries.

    https://www.securityweek.com/universitys-critical-infrastructure-ransomware-attack-tracker-reaches-2000-incidents/

    Roughly 2,000 ransomware attacks were launched over the past decade against critical infrastructure organizations in the United States and other countries, according to data collected as part of a project maintained at Temple University in Philadelphia.

    SecurityWeek first wrote about the project in 2020, when it covered more than 680 ransomware attacks targeting critical infrastructure. By February 2022, the number of entries exceeded 1,100, and it has now reached just over 2,000.

    The project is maintained by Aunshul Rege, professor in the Department of Criminal Justice at Temple University, and Rachel Bleiman, PhD candidate and graduate research assistant.

    The Critical Infrastructure Ransomware Attacks (CIRA) database currently covers more than 2,000 attacks documented since 2013, and includes nearly 300 entries for incidents that came to light in 2024.

    https://sites.temple.edu/care/cira/

    Reply
  39. Tomi Engdahl says:

    Financial Times:
    Sources: Elon Musk and his right-wing allies discussed how to destabilize the UK Labour government and remove PM Keir Starmer, beyond Musk’s aggressive X posts — Technology billionaire interested in building support for another political party, notably Reform UK
    https://www.ft.com/content/dd4b066c-30a1-4ce4-a95e-82c334a740cf

    Financial Times:
    Analysis: Elon Musk’s UK obsession is driven by a few X accounts; an ex-Twitter exec says Musk may be the first tech leader to be radicalized by his own product
    https://www.ft.com/content/8e915955-e9f6-49ec-bcce-e702e0842b97?sharetype=blocked

    Reply
  40. Tomi Engdahl says:

    Richard Lawler / The Verge:
    Apple says it “has never used Siri data to build marketing profiles” and never sold it for advertising or other purposes, after paying $95M to settle a lawsuit

    Apple says Siri isn’t sending your conversations to advertisers
    / A Siri lawsuit settlement over privacy issues has dredged up old rumors about iPhone ad targeting, but Apple says it ‘has never used Siri data to build marketing profiles.’
    https://www.theverge.com/2025/1/8/24337477/apple-responds-rumors-siri-advertising-privacy-lawsuit

    Reply
  41. Tomi Engdahl says:

    Jason Koebler / 404 Media:
    Sources: many of Meta’s employees are furious about its moderation changes allowing “allegations of mental illness” when based on “gender or sexual orientation” — Meta’s decision to specifically allow users to call LGBTQ+ people “mentally ill” has sparked widespread backlash at the company.

    ‘It’s Total Chaos Internally at Meta Right Now’: Employees Protest Zuckerberg’s Anti LGBTQ Changes
    https://www.404media.co/its-total-chaos-internally-at-meta-right-now-employees-protest-zuckerbergs-anti-lgbtq-changes/

    Reply
  42. Tomi Engdahl says:

    Microsoft DRM Hacking Raises Questions on Vulnerability Disclosures
    https://www.securityweek.com/microsoft-drm-hacking-raises-questions-on-vulnerability-disclosures/

    A research project into vulnerabilities affecting Microsoft’s PlayReady DRM raises some questions on responsible disclosure.

    A research project targeting vulnerabilities in widely used content access and protection technology from Microsoft raises some questions over certain aspects of responsible disclosure.

    For the past several years, Adam Gowdiak, founder and CEO of AG Security Research (formerly Security Explorations) has been looking into the security of digital content, specifically video streaming platforms. Gowdiak is best known for his Java and TV/streaming platform security research.

    The researcher recently demonstrated that an attacker could obtain content keys protected by Microsoft’s PlayReady media file copying prevention technology and use those keys for unauthorized movie downloads from popular streaming services such as Netflix, HBO’s Max, Amazon Prime Video and Sky Showtime.

    Microsoft says PlayReady is the most widely deployed content protection technology in the world.

    Gowdiak’s hacking method leverages vulnerabilities in Protected Media Path (PMP) technologies, which enforce content security in Windows environments, and Warbird compiler technology, which is designed to make reverse engineering Windows components more difficult.

    The researcher has been informing Microsoft about his findings since 2022, but he has been displeased with the tech giant. Microsoft initially said it was an implementation issue rather than a vulnerability in its technology.

    Gowdiak said Microsoft started showing more interest in the research findings in April 2024 and informed him that his work may be eligible for a reward through its bug bounty program.

    However, since they could not reach any agreement, Gowdiak decided in November 2024 to provide Microsoft — without expecting anything in return — with technical details that should make it easy for the company to confirm the impact of the research and address the vulnerabilities.

    The tech giant may be able to fix some of the issues fairly easily, but architectural/design issues may pose a bigger problem, the researcher said.

    Gowdiak also made public some technical information a few weeks after sharing his findings with Microsoft, but made sure it would not be easy for someone to abuse the publicly available details for piracy or other illegal activities.

    Gowdiak has been frustrated with Microsoft’s handling of his findings and the story raises some questions on whether companies should be more open to bug bounty program alternatives for certain types of research.

    “It’s hard to perceive Microsoft and its Rewards Program in other terms than a pawnshop,” Gowdiak said. “Researchers come to Microsoft and show the stuff they have. It is Microsoft that decides if something is valuable and how much is gonna be paid for it (remember, the price is non-negotiable, all IP gets transferred to Microsoft upon submission).”

    The researcher added, “The situation is even worse than at a real pawnshop as the disclosure of vulnerability information immediately puts the reporting party at the losing side (no way back, in a real pawn shop one can say no to the offered price and take their toys back home). Does it look like a fair process?”

    Regarding the Microsoft DRM hacking research, Ellis said, “While I sympathize with the circumstances around these findings and have seen similar situations many times before, I strongly discourage this approach. The idea of dangling incomplete research with the promise of the rest on payment pivots an otherwise good-faith conversation to one that begins to sound a lot like extortion.”

    Asked about his thoughts on using bug bounty programs for some types of vulnerabilities and offering alternative disclosure avenues for more extensive research, Ellis said he fully agrees with the approach, but only when the research has been self-commissioned.

    The expert concluded, “Security research isn’t one-size-fits-all. If a vulnerability exists on publicly accessible software and a researcher discovers it, what the researcher decides to do from that point forward is ultimately their decision. Companies can establish public bug bounty programs to incentivize the kinds of behavior they want, but it’s ultimately an exercise in soft power, not a guaranteed means of control. This is one of the reasons why reasonable disclosure terms and correctly set incentives are so important in public bounty and vulnerability disclosure programs.”

    Microsoft Warbird and PMP
    https://security-explorations.com/microsoft-warbird-pmp.html

    Reply
  43. Tomi Engdahl says:

    https://etn.fi/index.php/13-news/17010-uusi-haittaohjelma-kiertaeae-macos-koneiden-sisaeisen-suojauksen

    Check Point Research (CPR) has detected a new version of the Banshee malware, which targets MacOS users and steals browser logins, cryptocurrency wallets and other sensitive data. The Banshee malware remained undetected for over two months, which highlights its advanced capabilities for evading detection by security systems.

    The malware uses an encryption method copied from Apple's own XProtect system and spreads via phishing sites and fake GitHub repositories.

    Reply
  44. Tomi Engdahl says:

    https://www.securityweek.com/in-other-news-bank-of-america-warns-of-data-breach-trucking-cybersecurity-treasury-hack-linked-to-silk-typhoon/

    Moxa vulnerabilities

    Moxa recently informed customers about two potentially serious vulnerabilities affecting its routers and network security appliances. One of them, rated critical and tracked as CVE-2024-9140, can allow unauthenticated remote command execution, while the other, tracked as CVE-2024-9138 and rated high severity, allows privilege escalation. Lars Haulin, the researcher credited by Moxa for responsibly reporting the vulnerabilities, told SecurityWeek that there does appear to be a small number of impacted devices exposed to the internet, but noted that the flaws likely cannot be chained by a remote and unauthenticated attacker to fully compromise a device. The researcher also pointed out that impact is mitigated if proper segmentation is in place, as Moxa recommends.

    Reply
