Security

Here are 3 science-backed strategies to rein in election anxiety

In this scenario, I encourage my patients to move past that initial thought of how awful it will be and instead consider exactly how they will respond to the inauguration, the next day, week, month, and so on.

Cognitive flexibility allows you to explore how you will cope, even in the face of a negative outcome, helping you feel a bit less out of control. If you’re experiencing a lot of anxiety about the election, try thinking through what you’d do if the undesirable candidate takes office—thoughts like “I’ll donate to causes that are important to me” and “I’ll attend protests.”

Choose your actions with intention

Another tool for managing your anxiety is to consider whether your behaviors are affecting how you feel.

Remember, for instance, the goal of 24-hour news networks is to increase ratings. It’s in their interest to keep you riveted to your screens by making it seem like important announcements are imminent. As a result, it may feel difficult to disconnect and take part in your usual self-care behavior.

Try telling yourself, “If something happens, someone will text me,” and go for a walk or, better yet, to bed. Keeping up with healthy habits can help reduce your vulnerability to uncontrolled anxiety.

Post-Election Day, you may continue to feel drawn to the news and motivated to show up—whether that means donating, volunteering, or protesting—for a variety of causes you think will be affected by the election results. Many people describe feeling guilty if they say no or disengage, leading them to overcommit and wind up overwhelmed.

If this sounds like you, try reminding yourself that taking a break from politics to cook, engage with your family or friends, get some work done, or go to the gym does not mean you don’t care. In fact, keeping up with the activities that fuel you will give you the energy to contribute to important causes more meaningfully.

Shannon Sauer-Zavala, Associate Professor of Psychology & Licensed Clinical Psychologist, University of Kentucky. This article is republished from The Conversation under a Creative Commons license. Read the original article.

As North Korean troops march toward Ukraine, does a Russian quid pro quo reach space?

Earlier this week, North Korea apparently completed a successful test of its most powerful intercontinental ballistic missile, lofting it nearly 4,800 miles into space before the projectile fell back to Earth.

This solid-fueled, multi-stage missile, named the Hwasong-19, is a new tool in North Korea’s increasingly sophisticated arsenal of weapons. It has enough range—perhaps as much as 9,320 miles (15,000 kilometers), according to Japan’s government—to strike targets anywhere in the United States.

The test flight of the Hwasong-19 on Thursday was North Korea’s first test of a long-range missile in nearly a year, coming as North Korea deploys some 10,000 troops inside Russia just days before the US presidential election. US officials condemned the missile launch as a “provocative and destabilizing” action in violation of UN Security Council resolutions.

The budding partnership between Russia and North Korea has evolved for several years. Russian President Vladimir Putin has met with North Korean leader Kim Jong Un on multiple occasions, most recently in Pyongyang in June. Last September, the North Korean dictator visited Putin at the Vostochny Cosmodrome, Russia’s newest launch base, where the leaders inspected hardware for Russia’s Angara rocket.

In this photo distributed by North Korean state media, a Hwasong-19 missile fires out of a launch tube somewhere in North Korea on October 31, 2024. Credit: KCNA

The visit to Vostochny fueled speculation that Russia might provide missile and space technology to North Korea in exchange for Kim’s assistance in the fight against Ukraine. This week, South Korea’s defense minister said his government has identified several areas where North Korea likely seeks help from Russia.

“In exchange for their deployment, North Korea is very likely to ask for technology transfers in diverse areas, including the technologies relating to tactical nuclear weapons technologies related to their advancement of ICBMs, also those regarding reconnaissance satellites and those regarding SSBNs [ballistic missile submarines] as well,” said Kim Yong-hyun, South Korea’s top military official, on a visit to Washington.

Thousands of hacked TP-Link routers used in years-long account takeover attacks

Hackers working on behalf of the Chinese government are using a botnet of thousands of routers, cameras, and other Internet-connected devices to perform highly evasive password spray attacks against users of Microsoft’s Azure cloud service, the company warned Thursday.

The malicious network, made up almost entirely of TP-Link routers, was first documented in October 2023 by a researcher who named it Botnet-7777. The geographically dispersed collection of more than 16,000 compromised devices at its peak got its name because it exposes its malware on port 7777.

Account compromise at scale

In July and again in August of this year, security researchers from Serbia and Team Cymru reported the botnet was still operational. All three reports said that Botnet-7777 was being used to skillfully perform password spraying, a form of attack that sends large numbers of login attempts from many different IP addresses. Because each individual device limits its login attempts, the carefully coordinated account-takeover campaign is hard for the targeted service to detect.

On Thursday, Microsoft reported that CovertNetwork-1658—the name Microsoft uses to track the botnet—is being used by multiple Chinese threat actors in an attempt to compromise targeted Azure accounts. The company said the attacks are “highly evasive” because the botnet—now estimated at about 8,000 strong on average—takes pains to conceal the malicious activity.

“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” Microsoft officials wrote. “This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.”

Some of the characteristics that make detection difficult are:

  • The use of compromised SOHO IP addresses
  • The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
  • The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity.
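The third characteristic above is the one that defeats most sign-in alerting: thresholds keyed on a single IP or a single account never fire when every node makes one or two attempts. The detection logic below, an added example that is not part of Microsoft's report, aggregates failures per time window and alerts when they are spread over many accounts and many source IPs with few attempts per IP; the log lines are constructed and the thresholds (20 accounts, 10 IPs, at most 3 failures per IP per hour) are illustrative assumptions.

```python
"""Detect a distributed, low-volume password spray from sign-in logs.
Per-IP and per-account thresholds miss it; the signal is the aggregate
spread of failures over many accounts AND many IPs inside one window.
All log lines are constructed; thresholds are illustrative assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")

# Constructed sign-in log.  09:00-09:29 UTC: 30 accounts, one failure each,
# every failure from a different IP (the spray).  14:00: one account hit
# five times from one IP (classic brute force, NOT a spray).  Plus noise.
SPRAY_LINES = [
    f"2024-10-31T09:{i:02d}:00Z user=user{i:02d} ip=203.0.113.{i + 1} result=FAILURE"
    for i in range(30)
]
NOISE_LINES = [
    "2024-10-31T09:05:10Z user=alice ip=198.51.100.7 result=SUCCESS",
    "2024-10-31T09:06:00Z user=bob ip=198.51.100.8 result=FAILURE",
    "2024-10-31T09:06:20Z user=bob ip=198.51.100.8 result=SUCCESS",
]
BRUTE_LINES = [
    f"2024-10-31T14:00:{s:02d}Z user=carol ip=198.51.100.9 result=FAILURE"
    for s in range(0, 50, 10)
]
SAMPLE_LOG = SPRAY_LINES + NOISE_LINES + BRUTE_LINES


def parse_log(lines):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"], "result": m["result"]})
    return events


def per_ip_rule(events, threshold=5):
    """The classic rule: flag any IP with >= threshold failures.
    It catches the brute force but is blind to the spray."""
    fails = Counter(e["ip"] for e in events if e["result"] == "FAILURE")
    return {ip for ip, n in fails.items() if n >= threshold}


def detect_spray(events, window_minutes=60, min_accounts=20, min_ips=10, max_per_ip=3):
    """Bucket failures into fixed windows; alert on a window whose failures
    are spread over many accounts and many IPs with few attempts per IP."""
    size = window_minutes * 60
    buckets = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            buckets[int(e["ts"].timestamp()) // size].append(e)
    alerts = []
    for key in sorted(buckets):
        fails = buckets[key]
        per_ip = Counter(e["ip"] for e in fails)
        per_user = Counter(e["user"] for e in fails)
        if (len(per_user) >= min_accounts and len(per_ip) >= min_ips
                and max(per_ip.values()) <= max_per_ip):
            alerts.append({
                "window_start": datetime.fromtimestamp(key * size, tz=timezone.utc),
                "failures": len(fails),
                "distinct_accounts": len(per_user),
                "distinct_ips": len(per_ip),
                "max_failures_per_ip": max(per_ip.values()),
            })
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", per_ip_rule(evts))  # only the brute-force IP
    for a in detect_spray(evts):
        print("spray window:", a)                    # the 09:00 UTC window
```

Against the constructed log the per-IP rule flags only the 14:00 brute force, while the spray window is caught solely by the account/IP spread; in production the same aggregation should also compare each window against the tenant's baseline of distinct failing accounts.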

Android Trojan that intercepts voice calls to banks just got more stealthy

Much of the new obfuscation is the result of hiding malicious code in a dynamically decrypted and loaded .dex file of the apps. As a result, Zimperium initially believed the malicious apps they were analyzing were part of a previously unknown malware family. Then the researchers dumped the .dex file from an infected device’s memory and performed static analysis on it.

“As we delved deeper, a pattern emerged,” Ortega wrote. “The services, receivers, and activities closely resembled those from an older malware variant with the package name com.secure.assistant.” That package allowed the researchers to link it to the FakeCall Trojan.

Many of the new features don’t appear to be fully implemented yet. Besides the obfuscation, other new capabilities include:

Bluetooth Receiver

This receiver functions primarily as a listener, monitoring Bluetooth status and changes. Notably, there is no immediate evidence of malicious behavior in the source code, raising questions about whether it serves as a placeholder for future functionality.

Screen Receiver

Similar to the Bluetooth receiver, this component only monitors the screen’s state (on/off) without revealing any malicious activity in the source code.

Accessibility Service

The malware incorporates a new service inherited from the Android Accessibility Service, granting it significant control over the user interface and the ability to capture information displayed on the screen. The decompiled code shows methods such as onAccessibilityEvent() and onCreate() implemented in native code, obscuring their specific malicious intent.

While the provided code snippet focuses on the service’s lifecycle methods implemented in native code, earlier versions of the malware give us clues about possible functionality:

  • Monitoring Dialer Activity: The service appears to monitor events from the com.skt.prod.dialer package (the stock dialer app), potentially allowing it to detect when the user is attempting to make calls using apps other than the malware itself.
  • Automatic Permission Granting: The service seems capable of detecting permission prompts from the com.google.android.permissioncontroller (system permission manager) and com.android.systemui (system UI). Upon detecting specific events (e.g., TYPE_WINDOW_STATE_CHANGED), it can automatically grant permissions for the malware, bypassing user consent.
  • Remote Control: The malware enables remote attackers to take full control of the victim’s device UI, allowing them to simulate user interactions, such as clicks, gestures, and navigation across apps. This capability enables the attacker to manipulate the device with precision.

Phone Listener Service

This service acts as a conduit between the malware and its Command and Control (C2) server, allowing the attacker to issue commands and execute actions on the infected device. Like its predecessor, the new variant provides attackers with a comprehensive set of capabilities (see the table below). Some functionalities have been moved to native code, while others are new additions, further enhancing the malware’s ability to compromise devices.

The Kaspersky post from 2022 said that the only language supported by FakeCall was Korean and that the Trojan appeared to target several specific banks in South Korea. Last year, researchers from security firm ThreatFabric said the Trojan had begun supporting English, Japanese, and Chinese, although there were no indications people speaking those languages were actually targeted.

Phone tracking tool lets government agencies follow your every move

Both operating systems will display a list of apps and whether they are permitted access always, never, only while the app is in use, or to prompt for permission each time. Both also allow users to choose whether the app sees precise locations down to a few feet or only a coarse-grained location.

For most users, there’s usefulness in allowing an app for photos, transit or maps to access a user’s precise location. For other classes of apps—say those for Internet jukeboxes at bars and restaurants—it can be helpful for them to have an approximate location, but giving them precise, fine-grained access is likely overkill. And for other apps, there’s no reason for them ever to know the device’s location. With a few exceptions, there’s little reason for apps to always have location access.

Not surprisingly, Android users who want to block intrusive location gathering have more settings to change than iOS users. The first thing to do is access Settings > Security & Privacy > Ads and choose “Delete advertising ID.” Then, promptly ignore the long, scary warning Google provides and hit the button confirming the decision at the bottom. If you don’t see that setting, good for you. It means you already deleted it. Google provides documentation here.

iOS, by default, doesn’t give apps access to “Identifier for Advertisers,” Apple’s version of the unique tracking number assigned to iPhones, iPads, and AppleTVs. Apps, however, can display a window asking that the setting be turned on, so it’s useful to check. iPhone users can do this by accessing Settings > Privacy & Security > Tracking. Any apps with permission to access the unique ID will appear. While there, users should also turn off the “Allow Apps to Request to Track” button. While in iOS Privacy & Security, users should navigate to Apple Advertising and ensure Personalized Ads is turned off.

Additional coverage of Location X from Haaretz and NOTUS is here and here. The New York Times, the other publication given access to the data, hadn’t posted an article at the time this Ars post went live.

FortiGate admins report active exploitation 0-day. Vendor isn’t talking.

Citing the Reddit comment, Beaumont took to Mastodon to explain: “People are quite openly posting what is happening on Reddit now, threat actors are registering rogue FortiGates into FortiManager with hostnames like ‘localhost’ and using them to get RCE.”

Beaumont wasn’t immediately available to elaborate. In the same thread, another user said that based on the brief description, it appears attackers are somehow stealing digital certificates authenticating a device to a customer network, loading it onto a FortiGate device they own, and then registering the device into the customer network.

The person continued:

From there, they can configure their way into your network or possibly take other admin actions (e.g., possibly sync configs from trustworthy managed devices to their own?) It’s not super clear from these threads. The mitigation to prevent unknown serial numbers suggests that a speedbump to fast onboarding prevents even a cert-bearing(?) device from being included into the fortimanager.

Beaumont went on to say that based on evidence he’s seen, China-state hackers have “been hopping into internal networks using this one since earlier in the year, looks like.”

60,000 devices exposed

After this post went live on Ars, Beaumont published a post that said the vulnerability likely resides in the FortiGate to FortiManager protocol. FGFM is the language that allows FortiGate firewall devices to communicate with the manager over port 541. As Beaumont pointed out, the Shodan search engine shows more than 60,000 such connections exposed to the Internet.

Beaumont wrote:

There’s one requirement for an attacker: you need a valid certificate to connect. However, you can just take a certificate from a FortiGate box and reuse it. So, effectively, there’s no barrier to registering.

Once registered, there’s a vulnerability which allows remote code execution on the FortiManager itself via the rogue FortiGate connection.

From the FortiManager, you can then manage the legit downstream FortiGate firewalls, view config files, take credentials and alter configurations. Because MSPs — Managed Service Providers — often use FortiManager, you can use this to enter internal networks downstream.

Because of the way FGFM is designed — NAT traversal situations — it also means if you gain access to a managed FortiGate firewall you then can traverse up to the managing FortiManager device… and then back down to other firewalls and networks.

To make matters harder for FortiGate customers and defenders, the company’s support portal was returning connection errors that prevented people from accessing the site at the time this post went live on Ars.

Android 15’s security and privacy features are the update’s highlight

Android 15 started rolling out to Pixel devices Tuesday and will arrive, through various third-party efforts, on other Android devices at some point. There are always a bunch of little changes to discover in an Android release, whether by reading, poking around, or letting your phone show you 25 new things after it restarts.

In Android 15, some of the most notable involve making your device less appealing to snoops and thieves and more secure against the kids to whom you hand your phone to keep them quiet at dinner. There are also smart fixes for screen sharing, OTP codes, and cellular hacking prevention, but details about them are spread across Google’s own docs and blogs and various news sites’ reports.

Here’s what is notable and new in how Android 15 handles privacy and security.

Private Space for apps

In the Android 15 settings, you can find “Private Space,” where you can set up a separate PIN code, password, biometric check, and optional Google account for apps you don’t want to be available to anybody who happens to have your phone. This could add a layer of protection onto sensitive apps, like banking and shopping apps, or hide other apps for whatever reason.

In your list of apps, drag any app down to the lock space that now appears in the bottom right. It will only be shown as a lock until you unlock it; you will then see the apps available in your new Private Space. After that, you should probably delete it from the main app list. Dave Taylor has a rundown of the process and its quirks.

It’s obviously more involved than Apple’s “Hide and Require Face ID” tap option but with potentially more robust hiding of the app.

Hiding passwords and OTP codes

A second form of authentication is good security, but allowing apps to access the notification text with the code in it? Not so good. In Android 15, a new permission, likely to be given only to the most critical apps, prevents the leaking of one-time passcodes (OTPs) to other apps waiting for them. Sharing your screen will also hide OTP notifications, along with usernames, passwords, and credit card numbers.

Men accused of DDoSing some of the world’s biggest tech companies

Federal authorities have charged two Sudanese nationals with running an operation that performed tens of thousands of distributed denial of service (DDoS) attacks against some of the world’s biggest technology companies, as well as critical infrastructure and government agencies.

The service, branded as Anonymous Sudan, directed powerful and sustained DDoSes against Big Tech companies, including Microsoft, OpenAI, Riot Games, PayPal, Steam, Hulu, Netflix, Reddit, GitHub, and Cloudflare. Other targets included CNN.com, Cedars-Sinai Medical Center in Los Angeles, the US departments of Justice, Defense and State, the FBI, and government websites for the state of Alabama. Other attacks targeted sites or servers located in Europe.

Two brothers, Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, were both charged with one count of conspiracy to damage protected computers. Ahmed Salah was also charged with three counts of damaging protected computers. Among the allegations is that one of the brothers attempted to “knowingly and recklessly cause death.” If convicted on all charges, Ahmed Salah would face a maximum of life in federal prison, and Alaa Salah would face a maximum of five years in federal prison.

Havoc and destruction

“Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world by perpetrating tens of thousands of cyberattacks,” said US Attorney Martin Estrada. “This group’s attacks were callous and brazen—the defendants went so far as to attack hospitals providing emergency and urgent care to patients.”

The prosecutors said Anonymous Sudan operated a cloud-based DDoS tool to take down or seriously degrade the performance of online targets and often took to a Telegram channel afterward to boast of the exploits. The tool allegedly performed more than 35,000 attacks, 70 of which targeted computers in Los Angeles, where the indictment was filed. The operation allegedly ran from no later than January 2023 to March 2024.

DNA confirms these 19th century lions ate humans

For several months in 1898, a pair of male lions turned the Tsavo region of Kenya into their own human hunting grounds, killing many construction workers who were building the Kenya-Uganda railway. A team of scientists has now identified exactly what kinds of prey the so-called “Tsavo Man-Eaters” fed upon, based on DNA analysis of hairs collected from the lions’ teeth, according to a recent paper published in the journal Current Biology. They found evidence of various species the lions had consumed, including humans.

The British began construction of a railway bridge over the Tsavo River in March 1898, with Lieutenant-Colonel John Henry Patterson leading the project. But mere days after Patterson arrived on site, workers started disappearing or being killed. The culprits: two maneless male lions, so emboldened that they often dragged workers from their tents at night to eat them. At their peak, they were killing workers almost daily—including an attack on the district officer, who narrowly escaped with claw lacerations on his back. (His assistant, however, was killed.)

Patterson finally managed to shoot and kill one of the lions on December 9 and the second 20 days later. The lion pelts decorated Patterson’s home as rugs for 25 years before being sold to Chicago’s Field Museum of Natural History in 1924. The skins were restored and used to reconstruct the lions, which are now on permanent display at the museum, along with their skulls.

Tale of the teeth

The Tsavo Man-Eaters naturally fascinated scientists, although the exact number of people they killed and/or consumed remains a matter of debate. Estimates run anywhere from 28–31 victims to 100 or more, with a 2009 study that analyzed isotopic signatures of the lions’ bone collagen and hair keratin favoring the lower range.

Startup can identify deepfake video in real time

Real-time deepfakes are no longer limited to billionaires, public figures, or those who have extensive online presences. Mittal’s research at NYU, with professors Chinmay Hegde and Nasir Memon, proposes a potential challenge-based approach to blocking AI bots from video calls, where participants would have to pass a kind of video CAPTCHA test before joining.

As Reality Defender works to improve the detection accuracy of its models, Colman says that access to more data is a critical challenge to overcome—a common refrain from the current batch of AI-focused startups. He’s hopeful more partnerships will fill in these gaps, and without specifics, hints at multiple new deals likely coming next year. After ElevenLabs was tied to a deepfake voice call of US president Joe Biden, the AI-audio startup struck a deal with Reality Defender to mitigate potential misuse.

What can you do right now to protect yourself from video call scams? Just like WIRED’s core advice about avoiding fraud from AI voice calls, not getting cocky about whether you can spot video deepfakes is critical to avoid being scammed. The technology in this space continues to evolve rapidly, and any telltale signs you rely on now to spot AI deepfakes may not be as dependable with the next upgrades to underlying models.

“We don’t ask my 80-year-old mother to flag ransomware in an email,” says Colman. “Because she’s not a computer science expert.” In the future, it’s possible real-time video authentication, if AI detection continues to improve and shows to be reliably accurate, will be as taken for granted as that malware scanner quietly humming along in the background of your email inbox.

This story originally appeared on wired.com.

North Korean hackers use newly discovered Linux malware to raid ATMs

The malware resides in the userspace portion of the interbank switch connecting the issuing domain and the acquiring domain. When a compromised card is used to make a fraudulent transaction, FASTCash tampers with the messages the switch receives from issuers before relaying them back to the merchant bank. As a result, issuer messages denying the transaction are changed to approvals.

The following diagram illustrates how FASTCash works:

[Diagram: how FASTCash works. Credit: haxrob]

The switches chosen for targeting run misconfigured implementations of ISO 8583, a messaging standard for financial transactions. The misconfigurations prevent message authentication mechanisms, such as those used by field 64 as defined in the specification, from working. As a result, the tampered messages created by FASTCash aren’t detected as fraudulent.

“FASTCash malware targets systems that ISO8583 messages at a specific intermediate host where security mechanisms that ensure the integrity of the messages are missing, and hence can be tampered,” haxrob wrote. “If the messages were integrity protected, a field such as DE64 would likely include a MAC (message authentication code). As the standard does not define the algorithm, the MAC algorithm is implementation specific.”

The researcher went on to explain:

FASTCash malware modifies transaction messages in a point in the network where tampering will not cause upstream or downstream systems to reject the message. A feasible position of interception would be where the ATM/PoS messages are converted from one format to another (For example, the interface between a proprietary protocol and some other form of an ISO8583 message) or when some other modification to the message is done by a process running in the switch.
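The two passages above (the misconfigured DE64 check and the interception point) describe exactly what an integrity check on the response would have caught. The following added example, not taken from haxrob's report or from any real switch implementation, models a simplified ISO 8583 0210 authorization response as a dict of data-element number to value, has the issuer put a MAC in DE64, and shows the acquirer's decision for the same decline-to-approval change with and without verification. ISO 8583 leaves the MAC algorithm implementation-specific, so the HMAC-SHA256 truncated to 8 bytes used here, the shared key, and every field value are assumptions of this example.

```python
"""Why the DE64 integrity check matters against in-switch tampering.
Simplified ISO 8583 response: {data element number: value}; key 0 is the
MTI.  The MAC construction (HMAC-SHA256, first 8 bytes), the shared key
and all field values are constructed assumptions of this example."""
import hashlib
import hmac
from copy import deepcopy

ISSUER_KEY = b"constructed-issuer-acquirer-shared-key"

# Constructed issuer response: a declined cash withdrawal.
DECLINE_RESPONSE = {
    0: "0210",              # MTI: authorization response
    2: "4000001234567899",  # PAN (constructed test value)
    3: "010000",            # processing code: cash withdrawal
    4: "000000020000",      # amount: 200.00
    7: "1031093015",        # transmission date/time, MMDDhhmmss
    11: "000123",           # STAN
    39: "51",               # response code: insufficient funds (decline)
    41: "ATM00042",         # card acceptor terminal ID
}


def canonical_bytes(msg):
    """Serialize the MTI and DE2..DE63 in ascending order.  DE64 is excluded
    because it carries the MAC over exactly these elements."""
    return "|".join(f"{n:03d}={msg[n]}" for n in sorted(msg) if n <= 63).encode()


def compute_de64(msg, key):
    """8-byte MAC over the canonical form (DE64 is a 64-bit field); hex here."""
    return hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()[:16].upper()


def issuer_sign(msg, key):
    """Issuer side: attach DE64 before the response leaves the issuing domain."""
    signed = deepcopy(msg)
    signed[64] = compute_de64(msg, key)
    return signed


def verify_de64(msg, key):
    """Acquirer side: constant-time compare of DE64 with a recomputed MAC.
    A missing DE64 is a verification failure, not 'no check needed'."""
    mac = msg.get(64)
    return mac is not None and hmac.compare_digest(mac, compute_de64(msg, key))


def acquirer_decision(msg, key, check_integrity=True):
    """Decide the transaction as the acquirer would.  check_integrity=False
    models the misconfigured switches in the report, where DE64 is ignored."""
    if check_integrity and not verify_de64(msg, key):
        return "REJECTED_INTEGRITY"
    return "APPROVED" if msg[39] == "00" else "DECLINED"


def simulate_in_switch_tamper(msg):
    """Test harness only: the change the report describes, DE39 rewritten from
    a decline to '00' (approved) while the original DE64 is left in place."""
    tampered = deepcopy(msg)
    tampered[39] = "00"
    return tampered


if __name__ == "__main__":
    signed = issuer_sign(DECLINE_RESPONSE, ISSUER_KEY)
    tampered = simulate_in_switch_tamper(signed)
    print("genuine, checked:   ", acquirer_decision(signed, ISSUER_KEY))           # DECLINED
    print("tampered, checked:  ", acquirer_decision(tampered, ISSUER_KEY))         # REJECTED_INTEGRITY
    print("tampered, unchecked:", acquirer_decision(tampered, ISSUER_KEY, False))  # APPROVED
```

The third line of output is the report's scenario: with DE64 unverified, the rewritten DE39 is honoured and the withdrawal is approved, so the detection opportunity for a relaying switch is the DE64 mismatch, not the response code itself.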

CISA said that BeagleBoyz—one of the names the North Korean hackers are tracked under—is a subset of HiddenCobra, an umbrella group backed by the government of that country. Since 2015, BeagleBoyz has attempted to steal nearly $2 billion. The malicious group, CISA said, has also “manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions.”

The haxrob report provides cryptographic hashes for tracking the two samples of the newly discovered Linux version and hashes for several newly discovered samples of FASTCash for Windows.
