Version 88 of Microsoft Edge adds a new security feature for users. A built-in password manager makes it easy to keep your logins safe. It also scans for breached passwords on the dark web and notifies you if it finds a match.
Password Monitor will begin rolling out today with Microsoft Edge 88, but it may take a couple weeks for you to see it in your browser. For more information on how Password Monitor works, take a look at the latest blog from Microsoft Research.
Malwarebytes co-founder and current CEO Marcin Kleczynski reveals the company was hacked. He believes it was the same nation state actor behind the SolarWinds attack. The state is believed to be Russia.
After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.
Crazy stuff, and we’ll probably hear of the fallout for a long time.
Google’s Project Zero security team found a bug that lets audio and video be transmitted without user interaction in five messaging apps. These are Signal, JioChat, Mocha, Google Duo, and Facebook Messenger. All bugs have been fixed.
I investigated the signalling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data. All these vulnerabilities have since been fixed. It is not clear why this is such a common problem, but a lack of awareness of these types of bugs as well as unnecessary complexity in signalling state machines is likely a factor.
Origin Wireless announced Hex Home, a wave-based home security system at Pepcom’s Digital Experience! at CES 2021.
Security researchers at John Hopkins University studied the security measures of Android and iOS, specifically encryption.
In macOS Big Sur, Apple deprecated third-party kernel extensions including Network Kernel Extensions (NKEs). NKEs are used by apps like firewalls to monitor network traffic. Apple’s new user-mode Network Extension Framework had a side-effect: Apple’s own apps wouldn’t be routed through it and thus could bypass third-party firewalls. But now that has changed.
I of course also wondered if malware could abuse these “excluded” items to generate network traffic that could surreptitiously bypass any socket filter firewall. Unfortunately the answer was yes! It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic.
After rolling out on platforms like Windows, Android, and iOS, the Mozilla VPN arrives on macOS and Linux for US$5/month.
The Mozilla VPN isn’t the cheapest option on the market. However, Mozilla has said that, because it uses fewer lines of code than other VPNs, the service is faster than many rival ones. You can connect to more than 280 servers in more than 30 countries via the VPN without any bandwidth restrictions.
I think US$5/mo is definitely one of the cheapest VPNs on the market.
Secretary of State Mike Pompeo announced the creation of a new bureau within the state department for cybersecurity.
Andrew Orr joins host Kelly Guimont to discuss Security Friday news, including what’s up with WhatsApp (sorry) and some things to know about encryption.
We’re barely a week into 2021 and a piece of Mac malware has already been spotted. Dubbed “ElectroRAT” its primary goal is to steal personal information from cryptocurrency users.
These [malicous] applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were actually installing malware.
Juspay, a payment processor for Amazon and others has reported a data breach that leaked the data of over 100 million credit and debit cardholders.
The latest T-Mobile data breach (this is the third time and the second breach in 2020) has affected an estimated 200,000 people.
The data accessed did NOT include any names associated with the account, financial data, credit card information, social security numbers, passwords, PINs or physical or email addresses. The information that was accessed may have included phone numbers, number of lines subscribed to and in a small number of cases some call-related information collected as part of normal operation and service.
In the wake of the SolarWinds cyber attack on the U.S. government, CISA urges agencies to update their software by the end of the year.
Apple has lost a copyright battle against security company Corellium, a company that virtualizes iOS for security research.
GetSchooled, a charity run by the Bill & Melinda Gates Foundation, has leaked the details of over 900,000 children in a data breach.
The breached information contains extensive personal details of children, teenagers and young adults including: full addresses, schools, full student PII including student phone numbers and emails, graduation details, ages, genders and more…
Full everything. What could be “and more”, medical records? GetSchooled got schooled.
An e-commerce app called 21 Buttons has exposed the private data of hundreds of people across Europe.
Among the millions of photos and videos, we also viewed hundreds of invoices detailing payments to users in the 21 Buttons Rewards program, covering the last few months. Some of these invoices appear to be test data, but many of them were definitely legitimate invoices detailing real records of payments made.
On Tuesday, security company Cellebrite claimed to have broken the encryption that Signal uses to keep user communication safe. The blog post has since been removed, but the BBC has an archived version here. But Signal says that claim isn’t true.
It is important to understand that any story about Cellebrite Physical Analyzer starts with someone other than you physically holding your device, with the screen unlocked, in their hands. Cellebrite does not even try to intercept messages, voice/video, or live communication, much less “break the encryption” of that communication. They don’t do live surveillance of any kind.
The SolarWinds cyber attack didn’t just affect government agencies; big tech companies were affected too. Intel, Nvidia, Cisco, Belkin, and VMware were also infected. The Wall Street Journal reports. If the link below is paywalled, try this article from The Verge.
Intel downloaded and ran the malicious software, the Journal’s analysis found. The company is investigating the incident and has found no evidence the hackers used the backdoor to access the company’s network, a spokesman said.
Apple, Google, Microsoft, and Mozilla are teaming up to ban a root certificate used by the Kazakhstan government to decrypt HTTPS traffic for residents in the country’s capital, the city of Nur-Sultan.
Kazakh officials justified their actions claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies.
The government’s explanation did, however, make zero technical sense, as certificates can’t prevent mass cyber-attacks and are usually used only for encrypting and safeguarding traffic from third-party observers.
Apple has a new 20-page guide available called Device and Data Access when Personal Safety is at Risk.
Good news for users of Signal. The app now supports group video calls, and they are end-to-end encrypted like the rest of the app’s communications.
Now when you open a group chat in Signal, you’ll see a video call button at the top. When you start a call, the group will receive a notification letting them know a call has started.
When you start or join a group call, Signal will display the participants in a grid view. You can also swipe up to switch to a view that automatically focuses the screen on who is speaking, and it will update in real time as the active speaker changes.
In November, security researchers found a Walmart-branded router called Jetstream contained a way for a third party to remotely control the router and devices connected to it. Walmart responded and said it stopped selling these routers. The manufacturer, Wavlink, also responded. A firmware update includes the following:
Removed unnecessary diagnostic pages; Deleted tcpdump tool; Added codes to block CSRF attack; Improved Web authentication routine.
The researchers haven’t yet tested the update to see if it has been effective.
A group of Russian hackers known as Cozy Bear has hacked several U.S. government agencies like the Treasury and Commerce departments.
On Sunday night, FireEye said the attackers were infecting targets using Orion, a widely used business software app from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.
Andrew Orr joins host Kelly Guimont to discuss Security Friday news and updates, and offer some tips on how to avoid credit card shenanigans.
