Chances of destructive BlueKeep exploit rise with new explainer posted online

Chances of destructive BlueKeep exploit rise with new explainer posted online

Enlarge (credit: One of the slides posted to Github)

A security researcher has published a detailed guide that shows how to execute malicious code on Windows computers still vulnerable to the critical BlueKeep vulnerability. The move significantly lowers the bar for writing exploits that wreak the kinds of destructive attacks not seen since the WannaCry and NotPetya attacks of 2017, researchers said.

As of three weeks ago, more than 800,000 computers exposed to the Internet were vulnerable to the exploit, researchers from security firm BitSight said last week. Microsoft and a chorus of security professionals have warned of the potential for exploits to sow worldwide disruptions. The risk of the bug, found in Microsoft’s implementation of the remote desktop protocol, stems from the ability for attacks to spread from one vulnerable computer to another with no interaction required of end users.

“A pretty big deal”

One of

Read the rest
Verizon wants you to pay $650 plus $85 a month for a 5G hotspot

Verizon wants you to pay $650 plus $85 a month for a 5G hotspot

Enlarge / A Verizon booth at Mobile World Congress Americas in Los Angeles in September 2018. (credit: Verizon)

Verizon’s 5G mobile service is available in just a handful of cities, but the carrier is charging premium prices to the few people who live in range of the network.

Verizon yesterday announced its first 5G hotspot, namely the Inseego MiFi M1000 that Verizon is selling for $650. On top of the device cost, the monthly fees for 5G service will be higher than 4G even though Verizon’s 5G network barely exists.

Verizon said hotspot-only plans “start at $85 a month (plus taxes and fees).” Verizon describes the $85-per-month hotspot plan as “unlimited” when you go through the online checkout process. But the fine print states that customers get 50GB of high-speed 5G data, and 5G speeds are reduced to 3Mbps after that. The plan treats 5G and 4G data separately;

Read the rest
Chrome 76 prevents NYT and other news sites from detecting Incognito Mode

Chrome 76 prevents NYT and other news sites from detecting Incognito Mode

Enlarge / The Boston Globe and some other news sites prevent non-subscribers from viewing articles in a browser’s private mode. (credit: Boston Globe)

Google Chrome 76 will close a loophole that websites use to detect when people use the browser’s Incognito Mode.

Over the past couple of years, you may have noticed some websites preventing you from reading articles while using a browser’s private mode. The Boston Globe began doing this in 2017, requiring people to log in to paid subscriber accounts in order to read in private mode. The New York Times, Los Angeles Times, and other newspapers impose identical restrictions.

Chrome 76—which is in beta now and is scheduled to hit the stable channel on July 30—prevents these websites from discovering that you’re in private mode. Google explained the change yesterday in a blog post titled, “Protecting private browsing in Chrome.”

Read 9 remaining Read the rest

As Russian “FaceApp” gobbles up user photos, Schumer asks FBI to investigate

As Russian “FaceApp” gobbles up user photos, Schumer asks FBI to investigate

Enlarge / The FaceApp application displayed on Apple’s App Store. (credit: Getty Images | NurPhoto)

Senate Minority Leader Chuck Schumer (D-N.Y.) has called for a federal investigation into FaceApp, saying the Russian-operated mobile application “could pose national security and privacy risks for millions of US citizens.”

FaceApp for iOS and Android has been around since 2017 but just recently went viral as celebrities and many other people used it to alter photographs to make themselves look 20 years older. This has raised privacy concerns, as Americans are uploading photographs and device-related data to a service operated by a company based in Russia. The image alterations performed by FaceApp—which calls itself an “AI Face Editor”—are done on the company’s servers instead of on user devices.

The app now warns users that “Each photo you select for editing will be uploaded to our servers for image processing and face transformation.”

Read Read the rest

Nigerian scammers slide into DMs, so Ars trolls them

Nigerian scammers slide into DMs, so Ars trolls them

Enlarge / The heartbreak of being blocked by a romance scammer. The joy of burning an account used in a criminal operation.

I’ve got a history with Internet scammers. I’ve spent hours on the phone with tech support scammers, and I’ve hunted down bot networks spreading fake news. But for some reason, I’ve lately become a magnet for an entirely different sort of scammer—a kind that uses social media platforms to run large-scale wire-fraud scams and other confidence games. Based on anecdotal evidence, Twitter has become their favorite platform for luring in suckers.

Recently, Twitter’s security team has been tracking a large amount of fraudulent activity coming out of Africa, including “romance schemes”—wherein the fraudster uses an emotional appeal of friendship or promised romance to lure a victim into a scam. Thousands of accounts involved in the ongoing campaign have been suspended. But that has hardly put a dent

Read the rest
More on DataSpii: How extensions hide their data grabs—and how they’re discovered

More on DataSpii: How extensions hide their data grabs—and how they’re discovered

Enlarge / You can trust us! (credit: Irakli Kalandarishvili / EyeEm / Getty)

In our 5,000 word piece on “DataSpii,” we explained how researcher Sam Jadali spent tens of thousands of dollars investigating the murky Internet ecosystem of browser extensions that collect and share your Web history. Those histories could end up at sites like Nacho Analytics, where they can reveal personal or corporate data.

Here, we want to offer more detail for the technically curious reader on exactly how these browser extensions work—and how they were discovered.

Obscurity

Discovering which browser extensions were responsible for siphoning up this data was a months-long task. Why was it so difficult? In part because the browser extensions appeared to obscure exactly what they were doing. Both Hover Zoom and SpeakIt!, for instance, waited more than three weeks after installation on Jadali’s computers to begin collection. Then, once collection started, it was carried

Read the rest
My browser, the spy: How extensions slurped up browsing histories from 4M users

My browser, the spy: How extensions slurped up browsing histories from 4M users

Enlarge (credit: Aurich Lawson / Getty)

When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.

DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google’s account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visits. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line

Read the rest
Microsoft warns 10,000 customers they’re targeted by nation-sponsored hackers

Microsoft warns 10,000 customers they’re targeted by nation-sponsored hackers

Enlarge / United Nations HQ in New York. (credit: Javier Carbajal)

Microsoft said on Wednesday that it has notified almost 10,000 customers in the past year that they’re being targeted by nation-sponsored hackers.

According to a post from Microsoft Corporate Vice President of Customer Security & Trust Tom Burt, about 84% of the attacks targeted customers that were large, “enterprise” organizations such as corporations. The remaining 16% of attacks targeted consumer email accounts. Burt said some of the 10,000 customers were successfully compromised while others were only targeted, but he didn’t provide figures.

“This data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics, or achieve other objectives,” Burt wrote. Microsoft presented the figures Wednesday at the Aspen Security Forum.

Read 5 remaining paragraphs | Comments

Source link Read the rest

Turkey crosses “red line,” gets booted from F-35 partnership

Turkey crosses “red line,” gets booted from F-35 partnership

Enlarge / Turkey’s planned purchase of F-35A Joint Strike Fighters has been vetoed in the wake of the Turkish purchase of Russian anti-air defenses. (credit: US Air Force)

Today, the White House officially announced that Turkey would not be allowed to purchase the F-35 Joint Strike Fighter. The US government had warned Turkish President Recep Tayyip Erdoğan that his government’s purchase of S-400 surface-to-air missile systems from Russia would be incompatible with NATO systems and would trigger an exclusion of Turkey from the F-35 program. Turkey was a financial contributor to the F-35 development program and already had pilots in the US in training to fly the aircraft; those pilots were kicked off US training bases in June.

US and NATO partners are concerned that the S-400 systems, supported by Russian technicians, will essentially amount to an intelligence collection system for Russia on NATO aircraft and military operations. But

Read the rest
OneWeb’s low-Earth satellites hit 400Mbps and 32ms latency in new test

OneWeb’s low-Earth satellites hit 400Mbps and 32ms latency in new test

Enlarge / Illustration of a OneWeb satellite. (credit: OneWeb)

OneWeb says a test of its low-Earth orbit satellites has delivered broadband speeds of more than 400Mbps with average latency of 32ms.

“The tests, which took place in Seoul, South Korea, represent the most significant demonstration of the OneWeb constellation to date, proving its ability to provide superior broadband connectivity anywhere on the planet,” OneWeb said in an announcement yesterday.

The company said it’s on track toward creating “a fully functioning global constellation in 2021 and delivering partial service beginning as early as 2020.” The test described yesterday involved six OneWeb satellites that were launched in February. OneWeb says its commercial network “will start with an initial 650 satellites and grow up to 1,980 satellites.”

Read 6 remaining paragraphs | Comments

Source link Read the rest