Tag: security

  • The Pig Butchering Invasion Has Begun

    “What we’ve seen is criminal groups who are invested in this region here, looking beyond this region for establishing similar operations,” Hofmann says of the international expansion.

    The wealthy, authoritarian city of Dubai, within the United Arab Emirates, has emerged since 2021 as the largest epicenter of pig butchering outside Southeast Asia. According to the UN, international migrants comprise more than 88 percent of the UAE’s population, making a uniquely diverse, and potentially vulnerable, workforce readily available.

    “Dubai is both a destination and also a transition country,” says Mina Chiang, the founder and director of Humanity Research Consultancy, a social enterprise focusing on human trafficking. “We can see lots of compounds that are actually operating in Dubai itself.”

    In July, Humanity Research Consultancy identified at least six alleged scam compounds believed to be operating around Dubai. The research—based on testimony from forced laborers, data leaked from a cyberattack, and social media posts—identified potential compounds around industrial and investment parks. These operations “to the best of our knowledge are managed by Chinese-speaking criminals,” the research says, adding that they operate in a similar way to compounds in Southeast Asia.

    “They call it a typing center. But a huge scam call center,” reads a one-star review left for a location in Dubai on Google Maps. Another says: “Mostly poor people from Africa working there and mostly jailed in Dubai. No matter how much they offer you everything is scammed. Highly suggest never ever go there.”

    Dubai’s police force did not respond to WIRED’s request for comment about potential scam centers located in the city.

    Pig butchering operations may have emerged in Dubai because of immigration and workforce dynamics, but in multiple African countries the activity has started to appear because of an existing culture of organized scamming.

    In Nigeria, where digital scamming has been a prominent illicit industry for years across numerous platforms, it was all but inevitable that attackers would adopt the conceits and tactics of pig butchering. The scheme is mature enough that there are now readily available prefab cryptocurrency investment platforms, templates, and scripts available for sale online to anyone who wants to get started. A gang that is already used to carrying out romance scams or business email compromise schemes could easily adapt to the premise and cadence of pig butchering.

    “If you look at West Africa’s history with social engineering stuff, it’s a potent mix,” says Sean Gallagher, senior threat researcher at Sophos. “You’ve got a lot of people who have seen this as a way to make a living, especially in Nigeria. And the technology is easily transferable. We’ve seen pig butchering packages for sale that include fake crypto sites and scripts that appear to be tailored to targeting African victims.”

    Nigerian law enforcement have been increasingly pursuing cases and even securing convictions related specifically to pig butchering. Gallagher and Intelligence for Good’s Tokazowski also say that in studying and interacting with scammers, they have seen technical indicators that pig butchering attacks may be coming out of Ghana as well. The US Embassy in Ghana has warned about the potential for financial scams originating in the country.

  • The US Could Finally Ban Inane Forced Password Changes

    Researchers found a vulnerability in a Kia web portal that allowed them to track millions of cars, unlock doors, honk horns, and even start engines in seconds, just by reading the car’s license plate. The findings are the latest in a string of web bugs that have impacted dozens of carmakers. Meanwhile, a handful of Tesla Cybertrucks have been outfitted for war and are literally being battle-tested by Chechen forces fighting in Ukraine as part of Russia’s ongoing invasion.

    As Israel escalates its attacks on Lebanon, civilians on both sides of the conflict have been receiving ominous text messages—and authorities in each country are accusing the other of psychological warfare. The US government has increasingly condemned Russia-backed media outlets like RT for working closely with Russian intelligence—and many digital platforms have removed or banned their content. But they’re still influential and trusted alternative sources of information in many parts of the world.

    And there’s more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    A new draft of the US National Institute of Standards and Technology’s “Digital Identity Guidelines” finally takes steps to eliminate reviled password management practices that have been shown to do more harm than good. The recommendations, which will be mandatory for US federal government entities and serve as guidelines for everyone else, ban the practice of requiring users to periodically change their account passwords, often every 90 days.

    The policy of regularly changing passwords evolved out of a desire to ensure that people weren’t choosing easily guessable or reused passwords; but in practice, it causes people to choose simple or formulaic passwords so they will be easier to keep track of. The new recommendations also ban “composition rules,” like requiring a certain number or mix of capital letters, numbers, and punctuation marks in each password. NIST writes in the draft that the goal of the Digital Identity Guidelines is to provide “foundational risk management processes and requirements that enable the implementation of secure, private, equitable, and accessible identity systems.”

    The US Department of Justice unsealed charges on Friday against three Iranian men who allegedly compromised Donald Trump’s presidential campaign and leaked stolen data to media outlets. Microsoft and Google warned last month that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump presidential campaigns, and successfully breached the Trump campaign. The DOJ claims the hackers compromised a dozen people as part of its operation, including a journalist, a human rights advocate, and several former US officials. More broadly, the US government has said in recent weeks that Iran is attempting to interfere in the 2024 election.

    “The defendants’ own words made clear that they were attempting to undermine former President Trump’s campaign in advance of the 2024 U.S. presidential election,” Attorney General Merrick Garland said at a press conference on Friday. “We know that Iran is continuing with its brazen efforts to stoke discord, erode confidence in the US electoral process, and advance its malign activities.”

    The Irish Data Protection Commission fined Meta €91 million, or roughly $101 million, on Friday for a password storage lapse in 2019 that violated the European Union’s General Data Protection Regulation. Following a report by Krebs on Security, the company acknowledged in March 2019 that a bug in its password management systems had caused hundreds of millions of Facebook, Facebook Lite, and Instagram passwords to be stored without protection in plaintext in an internal platform. Ireland’s privacy watchdog launched its investigation into the incident in April 2019.

    “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Irish DPC deputy commissioner Graham Doyle said in a statement. “It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

    The digital anonymity nonprofit the Tor Project is merging with privacy- and anonymity-focused Linux-based operating system Tails. Pavel Zoneff, the Tor Project’s communications director, wrote in a blog post on Thursday that the move will facilitate collaboration and reduce costs, while expanding both groups’ reach. “Tor and Tails provide essential tools to help people around the world stay safe online,” he wrote. “By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.”

  • Forcing people to change their passwords is officially a bad idea

    Many organisations make staff regularly change their computer passwords for security reasons. Now the US government is saying those who make and run software and online tools should stop the practice. So, what should people really be doing?

    The latest advice from the US National Institute of Standards and Technology (NIST) isn’t coming out of the blue. It is based on decades of research showing forcing website and software users to periodically change their passwords actually harms security.

  • Amid Air Strikes and Rockets, an SMS From the Enemy

    At the start of September, Nour was having an ordinary evening at home in Beirut—eating pumpkin seeds and watching Netflix—when the SMS hit her device like the smartphone version of a brick through her window. The sender name appeared as eight question marks, “????? ???”, and in the message preview she could read, in clunky, hard-to-understand Arabic, a threat: “We have enough bullets for everyone who needs them.”

    To Nour, whose name has been changed to protect her anonymity, it was obvious who had sent this message. “Israel,” she says, “that’s their tone.” The Israeli military did not reply to WIRED’s question about whether they were the source of the message. But the text appeared at a time when Lebanon was on edge, days after Israel and the Lebanese-based group Hezbollah had exchanged air strikes and rockets. It’s unclear how many other people received the SMS threat, although Nour says she saw screenshots on social media of the same message. She was worried the text might contain a malicious link. “I didn’t dare open it,” Nour says.

    In Lebanon, the idea of receiving a message from Israel is not new. In the early 2000s, people in Lebanon received recorded phone calls, asking for information about missing Israeli airman Ron Arad, whose plane went down during a bombing mission in the ’80s and is now presumed dead. The last time Nour received a message from a sender she believed to be Israel, it was 2006 and she was a teenager living in the southern suburbs of Beirut. She remembers picking up the landline to hear a robotic voice announce a message that started with the words: “Dear Lebanese people.” That call followed a monthlong war, which killed more than 1,000 people and forced 900,000 to flee their homes.

    Violence accompanied last week’s text message too. Israel and Hezbollah have traded fire since the start of the war in Gaza, with a major escalation taking place this week. The latest Israeli airstrikes on Hezbollah targets in Lebanon have been the deadliest in decades, with 558 people killed on Monday alone, according to the country’s health minister.

    On Wednesday, Hezbollah launched a rocket at Tel Aviv, which was shot down. There were no reports of casualties. As Lebanese people check on the safety of their family and friends, “most people are now more attached to their phones than usual,” says Mohamad Najem, executive director of the Beirut-based digital rights group SMEX. These messages puncture the feelings of safety people often feel around their phones. “It is definitely creating [a feeling of] insecurity for people and fear.”

    Across the border, civilians in Israel have also been receiving threatening texts, with the eerie messages demonstrating the psychological role that personal smartphones are now playing in the conflict, on both sides of the border.

    The week after Nour got that text, others in Lebanon reportedly began receiving messages via automated calls on their landlines or via text. “If you are in a building with Hezbollah weapons, stay away from the village until further notice,” the message said, echoing similar calls received in Gaza before an airstrike. Between 8 am and 8:30 am on Monday, 80,000 people across Lebanon received these messages, according to a spokesperson for Lebanese telecoms network Ogero who declined to be named. One of those calls rang through to the office of Lebanon’s minister of communication, Ziad Makary, who attributed the message to psychological warfare by the Israelis.

  • Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug

    In January 2023, they published the initial results of their work, an enormous collection of web vulnerabilities affecting Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, and Ferrari—all of which they had reported to the automakers. For at least half a dozen of those companies, the web bugs the group found offered at least some level of control of cars’ connected features, they wrote, just as in their latest Kia hack. Others, they say, allowed unauthorized access to data or the companies’ internal applications. Still others targeted fleet management software for emergency vehicles and could have even prevented those vehicles from starting, they believe—though they didn’t have the means to safely test out that potentially dangerous trick.

    In June of this year, Curry says, he discovered that Toyota appeared to still have a similar flaw in its web portal that, in combination with a leaked dealer credential he found online, would have allowed remote control of Toyota and Lexus vehicles’ features like tracking, unlocking, honking, and ignition. He reported that vulnerability to Toyota and showed WIRED a confirmation email seeming to demonstrate that he’d been able to reassign himself control of a target Toyota’s connected features over the web. Curry didn’t film a video of that Toyota hacking technique before reporting it to Toyota, however, and the company quickly patched the bug he’d disclosed, even temporarily taking its web portal offline to prevent its exploitation.

    “As a result of this investigation, Toyota promptly disabled the compromised credentials and is accelerating security enhancements of the portal, as well as temporarily disabling the portal until enhancements are complete,” a Toyota spokesperson wrote to WIRED in June.

    More Smart Features, More Dumb Bugs

    The extraordinary number of vulnerabilities in carmakers’ websites that allow remote control of vehicles is a direct result of companies’ push to appeal to consumers—particularly young ones—with smartphone-enabled features, says Stefan Savage, a professor of computer science at UC San Diego whose research team was the first to hack a car’s steering and brakes over the internet in 2010. “Once you have these user features tied into the phone, this cloud-connected thing, you create all this attack surface you didn’t have to worry about before,” Savage says.

    Still, he says, even he is surprised at the insecurity of all the web-based code that manages those features. “It’s a little disappointing that it’s as easy to exploit as it has been,” he says.

    Rivera says he’s observed firsthand in his time working in automotive cybersecurity that car companies often put more focus on “embedded” devices—digital components in non-traditional computing environments like cars—rather than web security, in part because updating those embedded devices can be far more difficult and lead to recalls. “It was clear ever since I started that there was a glaring gap between embedded security and web security in the auto industry,” Rivera says. “These two things mix together very often, but people only have experience in one or the other.”

    UCSD’s Savage hopes that the Kia-hacking researchers’ work might help shift that focus. Many of the early, high-profile hacking experiments that affected cars’ embedded systems, like the 2015 Jeep takeover and the 2010 Impala hack pulled off by Savage’s team at UCSD, persuaded automakers that they needed to better prioritize embedded cybersecurity, he says. Now car companies need to focus on web security too—even, he says, if it means making sacrifices or changes to their process.

    “How do you decide, ‘We’re not going to ship the car for six months because we didn’t go through the web code?’ That’s a tough sell,” he says. “I would like to think this kind of event causes people to look at that decision more fully.”

  • Iranian Hackers Tried to Give Hacked Trump Campaign Emails to Dems

    The week was dominated by news that thousands of pagers, walkie-talkies and other devices were exploding across Lebanon on Tuesday and Wednesday in an attack targeting the militant group Hezbollah. At least 32 people were killed, including at least four children, and more than 3,200 people were injured. The covert campaign has widely been attributed to Israel, though none of the country’s government agencies have commented.

    In addition to the carnage, the attacks have—seemingly by design—had the effect of sowing paranoia and fear, not just among members of Hezbollah but also in the general Lebanese public. Hardware and warfare experts say that the incident is unlikely to establish a global precedent that people’s most trusted communication devices and electronics, like smartphones, are rigged with explosives left and right. But it does create the potential to inspire copycats and puts defenders on notice that such attacks are possible.

    Researchers say that China’s 2023 Zhujian Cup, a hacking competition with ties to the country’s military, took the unusual step of requiring participants to keep the content of the exercise secret—and they may have been targeting a real victim as part of the event. Apple’s new stand-alone app Passwords that launched with iOS 18 may help solve your login problems. And a now-deleted post from billionaire Elon Musk that questioned why no one has attempted to assassinate Joe Biden and Kamala Harris renewed concerns this week that Musk is willing to inspire extremist violence and is a national security threat in the United States.

    And there’s more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    Last month, media outlets, Microsoft, and Google warned that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump political campaigns, and that it had successfully stolen emails from the Trump campaign that were later shared with reporters. Now the FBI has chimed in with the added revelation that the same hackers also sent those stolen Trump communications to the Democrats, too—though for now there’s no sign that the Democrats solicited those emails from the Iranians or necessarily even received the Iranians’ message.

    Republicans were nonetheless quick to compare the news to accusations that the Trump campaign “colluded” with the Russian hackers, part of the Kremlin’s GRU military intelligence agency, who breached the Democratic National Committee and the Clinton Campaign in 2016 to carry out a hack-and-leak operation. In a statement, the Trump campaign demanded that the Democrats “must come clean on whether they used the hacked material.” The Harris campaign told CNN that it has cooperated with law enforcement and that it was “not aware of any material being sent directly to the campaign,” believing the emails to be spam or phishing attempts. “We condemn in the strongest terms any effort by foreign actors to interfere in US elections, including this unwelcome and unacceptable malicious activity,” Morgan Finkelstein, the national security spokesperson for the Harris campaign, told CNN.

    The FBI announced this week that it had taken down a network of hacked machines being secretly controlled by a Chinese state-sponsored hacking group known as Flax Typhoon. The botnet, made up of 260,000 routers and internet-of-things devices, was allegedly being run by a Chinese contractor known as the Beijing Integrity Technology Group, a rare instance of a known, publicly traded company operating essentially a massive collection of hacked devices on behalf of the Chinese state. The botnet, according to the FBI and security firm Black Lotus Labs, had been used to hack government agencies, defense contractors, telecoms, and other US and Taiwanese targets. At the time of its takedown, the botnet still encompassed 60,000 machines, making it the largest Chinese state-sponsored botnet ever, according to Black Lotus Labs.

    On Wednesday night, two young men were arrested after they allegedly stole hundreds of millions of dollars of cryptocurrency and spent the earnings on luxury cars, watches, jewelry, and designer handbags. In an unsealed indictment, the US Department of Justice charged Malone Lam, 20, known online as “Anne Hathaway” and Jeandiel Serrano, 21, aka “VersaceGod,” with stealing $243 million in cryptocurrency and laundering the proceeds through mixing services to conceal the origin.

    CoinDesk reported that the men allegedly tricked the heist’s victim, a creditor of the now-defunct trading firm Genesis, using a social engineering scam that led them to reset their Gemini two-factor authentication and transfer 4,100 bitcoin to a compromised wallet. An analysis of the transaction by blockchain investigator ZachXBT revealed that the $243 million was divided among multiple wallets and then distributed to over 15 exchanges.

    On Thursday, TechCrunch reported that Apple’s latest desktop operating system update, macOS 15 (Sequoia), breaks some functionality of major security tools made by CrowdStrike, SentinelOne, and Microsoft. It’s unclear what specifically in the update is causing the issues, but social media posts and internal Slack messages reviewed by the tech outlet show that the update has frustrated engineers working on macOS-focused security tools.

    A CrowdStrike sales engineer informed colleagues via Slack, as seen by TechCrunch, that the company would not be able to support Sequoia on day one, despite its usual practice of quickly supporting new OS releases. While they hope for a quick patch, they will likely need to scramble to resolve the issue with an update in their own code, assuming no immediate fix is available from Apple, which has not yet commented on the issue.

    Cryptocurrency theft has become practically a common-garden form of cybercrime. But one brutal gang took that form of thievery to a new level of cruelty and violence, breaking into a series of victims’ homes to threaten and extort them into handing over their crypto holdings, sometimes even resorting to kidnapping and torture. This week, that disturbing story came to a close with the sentencing of the group’s ring leader, a Florida man named Remy St. Felix, to 47 years in prison. St. Felix is one of 12 members of the gang to have now been charged, convicted, and sentenced. Prior to the home invasions that St. Felix led, another member of the group named Jarod Seemungal allegedly stole millions with more traditional crypto hacking techniques. But St. Felix’s more violent, offline extortion attempts netted his gang only around $150,000 in cryptocurrency before they were caught and sentenced to years behind bars. The lesson: Crime doesn’t pay—or at least, not the physical kind.

  • First Israel’s Exploding Pagers Maimed and Killed. Now Comes the Paranoia

    “They don’t trust their smartphones, so they reach back to these more archaic devices, and those blow up. What’s next?” says Schneier. “Everything becomes less efficient, because they can’t communicate well.”

    Schneier describes the paranoia-inducing effect of the operation as a kind of ongoing “tax” on Hezbollah as an organization. “There are a lot of things you can’t do if you can’t trust your comms,” he says. Schneier compares the end result to the nearly incommunicado state of a hunted figure like Osama bin Laden, who in his final years was reduced to sending messages only via the human couriers who visited his secret compound in Pakistan.

    That paranoia, in fact, has been seeded among Lebanon’s population for years. Israel’s pager- and walkie-talkie-based attacks follow repeated public warnings from Hezbollah leader Hassan Nasrallah about the surveillance dangers of smartphones, given Israeli intelligence’s well-known hacking prowess. “Please break it, bury it, lock it up in a metal box,” Nasrallah said in one speech. In another, he appeared on Lebanese television next to an image of an iPhone circled in red with a slash across it. “These are deadly spies,” he warned. Cell phones were reportedly banned from Hezbollah meetings in favor of pagers.

    Now the older, alternative devices Hezbollah has fallen back to carry even greater fears of injury or death. And that fear has come to encompass communications electronics more broadly: At Wednesday’s funeral for victims of Tuesday’s attack, for instance—an event that was itself the target of another attack—attendees were asked to remove the batteries from their phones.

    Creating distrust of communication devices within Hezbollah may well be Israel’s purposeful tactic of “preparing the battle space” ahead of impending Israeli military operations against Lebanon, says Thomas Rid, a professor of strategic studies at Johns Hopkins University and author of Active Measures, who specializes in disinformation and influence operations. He compares the operation to cyberattacks or physical attacks on “command-and-control” infrastructure at the beginning of a conflict, such as the United States’ efforts, documented in former NSA chief Michael Hayden’s book Playing to the Edge, to destroy the Iraqi military’s fiber-optics-based communications in 2003 in order to “herd” the enemy’s military toward more easily intercepted radio-based communications.

    “This is taking attacks on command-and-control to a whole new level,” Rid says. “They sent the message: ‘No, we’re not just penetrating these devices and bugging them, we’re literally blowing them up, taking away the confidence you might have had in your command-and-control and also in any future devices that you might procure.’”

    For Israeli intelligence, Rid notes, the attack also represents a stunning reassertion of its power and public image following its disastrous failure to prevent Hamas’ attacks of October 7. “This operation goes a long way in terms of demonstrating that they are, perhaps, the most creative and the most ruthless intelligence establishment on the planet right now,” he says.

    Thanks to the collateral damage of Israel’s brazen offensive, however, its effects—both physical and psychological—have by no means been limited to Hezbollah operatives. The French-Lebanese security researcher Kobeissi, who now works as the founder and CEO of Paris-based tech firm Symbolic Software, says he’s already seen false rumors and misleading videos spread among Lebanese people, suggesting for instance that iPhones, too, are exploding. “People are losing their minds, because it’s scary as shit, and that’s the point,” he says. “It’s impossible to think about this as limiting Hezbollah’s communications and capabilities without realizing it’s also going to have a terrorizing effect on the adjacent population.”

    Kobeissi argues that the attack’s collateral damage will shape how a generation of people think about Western technology in Lebanon and beyond. “The average Lebanese person doesn’t have a specific understanding of what it means to conduct a supply chain attack,” he says. “What they see is that a device made by an American ally, a device they rely on, may blow up. And it’s unfortunate that the Israeli intelligence community didn’t consider the knock-on effects that this could have globally.”

    Aside from that issue of trust, Israel’s attack also represents an escalation, says Harvard’s Bruce Schneier—a new kind of attack that, now that it’s been demonstrated, is sure to be seen again in some form, perhaps even in an act of retaliation against Israel itself.

    “It’s not just Hezbollah that should worry. If I were Ukraine, I’d be worried. If I were Russia, I’d worry. If I were Israel, I’d worry. This doesn’t just go one way,” he says. “Now we all live in a world of connected devices that can be weaponized in unexpected ways. What does that world look like?”

  • Do You Need an Antivirus Program on Windows?

    Don’t underestimate the value of updates for your browser and for Windows itself either. A significant number of malware packages exploit older software, which is why Microsoft and the browser makers are continually issuing updates to plug holes and patch up vulnerabilities. If you’re running the latest version of Windows and the latest version of your browser, that’s another line of defense.

    Antivirus software typically adds several elements to the mix, though it varies between packages: You might get a VPN included, for example, as well as parental controls, a password manager, and some secure cloud storage for your files. There are also often monitoring tools to look out for data hacks and leaks that might include your personal information (from credit card numbers to login details).

    Dedicated antivirus programs will often be more proactive than Windows’ own solution, scanning incoming data as it arrives on the network and looking out for connected devices—like smart home gadgets—that may not have comprehensive privacy and security protections of their own. As the built-in Windows antivirus tool has improved, these third-party options have evolved to offer more and more functionality.

    Do You Need an Antivirus Program?

    There’s no simple yes or no answer as to whether you need an antivirus program on Windows. It’s your choice, and if you want to go without one, then you do so at your own risk. The products offered by the big names in the business like Bitdefender and Norton are certainly effective and reliable when it comes to keeping malicious code away from your Windows system.

    At the same time, an up-to-date version of Windows, plus Windows Security, plus a current web browser, is a pretty robust setup for most users—and one that a lot of viruses and other malware are going to struggle to get through. Your online activities affect your level of safety too: Spend a lot of time watching and downloading pirated content, for example, and your risk level goes up.

    It’s a bit like driving in some ways. Observe the speed limits, keep your eyes on the road, follow the signs, stick to the parts of town you’re most familiar with, and you’re going to stay out of trouble most of the time—but you’re going to be even safer in an armored car and with a police escort.

    It’s worth noting that neither setup is 100 percent guaranteed to keep you safe all of the time. Also, it’s ironic, but sometimes installing an antivirus program comes with its own security risks.

    What’s certainly true is that an antivirus program is no longer a must-have on a modern Windows system. It’s also no longer the first app you have to install. These antivirus packages are now optional extras, giving you some extra peace of mind and additional features that you might consider valuable for your setup.

  • Did a Chinese University Hacking Competition Target a Real Victim?

    Capture the flag hacking contests at security conferences generally serve two purposes: to help participants develop and demonstrate computer hacking and security skills, and to assist employers and government agencies with discovering and recruiting new talent.

    But one security conference in China may have taken its contest a step further—potentially using it as a secret espionage operation to get participants to collect intelligence from an unknown target.

    According to two Western researchers who translated documentation for China’s Zhujian Cup, also known as the National Collegiate Cybersecurity Attack and Defense Competition, one part of the three-part competition, held last year for the first time, had a number of unusual characteristics that suggest its potentially secretive and unorthodox purpose.

    Capture the flag (CTF) and other types of hacking competitions are generally hosted on closed networks or “cyber ranges”—dedicated infrastructure set up for the contest so that participants don’t risk disrupting real networks. These ranges provide a simulated environment that mimics real-world configurations, and participants are tasked with finding vulnerabilities in the systems, obtaining access to specific parts of the network, or capturing data.

    There are two major companies in China that set up cyber ranges for competitions. The majority of the competitions give a shout out to the company that designed their range. Notably, Zhujian Cup didn’t mention any cyber range or cyber range provider in its documentation, leaving the researchers to wonder if this is because the contest was held in a real environment rather than a simulated one.

    The competition also required students to sign a document agreeing to several unusual terms. They were prohibited from discussing the nature of the tasks they were asked to do in the competition with anyone; they had to agree not to destroy or disrupt the targeted system; and at the end of the competition, they had to delete any backdoors they planted on the system and any data they acquired from it. And unlike other competitions in China the researchers examined, participants in this portion of the Zhujian Cup were prohibited from publishing social media posts revealing the nature of the competition or the tasks they performed as part of it.

    Participants also were prohibited from copying any data, documents, or printed materials that were part of the competition; disclosing information about vulnerabilities they found; or exploiting those vulnerabilities for personal purposes. If a leak of any of this data or material occurred and caused harm to the contest organizers or to China, according to the pledge that participants signed, they could be held legally responsible.

    “I promise that if any information disclosure incident (or case) occurs due to personal reasons, causing loss or harm to the organizer and the country, I, as an individual, will bear legal responsibility in accordance with the relevant laws and regulations,” the pledge states.

    The contest was hosted last December by Northwestern Polytechnical University, a science and engineering university in Xi’an, Shaanxi, that is affiliated with China’s Ministry of Industry and Information Technology and also holds a top-secret clearance to conduct work for the Chinese government and military. The university is overseen by China’s People’s Liberation Army.

  • Apple’s New Passwords App May Solve Your Login Nightmares

    Apple’s latest iPhone software update, iOS 18, arrives today and includes a new app: Passwords. For the first time, Apple is taking your phone’s ability to save login details and putting them in a standalone app. It could help improve millions of people’s terrible passwords.

    After years of being told you should create unique, strong passwords for every website and app you use, you probably fall into one of two camps: people that are fully signed up to the password manager life, or those still using “123456” for every other website.

    Apple’s new encrypted Passwords app is automatically included with iOS 18, and is a public-facing evolution of its Keychain and password-saving capabilities. The Keychain, which has existed for more than a decade, no longer has as prominent a home in the iPhone’s settings, and details previously saved there are being moved to the new app.

    The launch of the password manager app, which will also be available on macOS Sequoia and iPadOS 18, may help improve people’s relationships with their passwords but also could, to varying degrees, challenge existing password managers.

    “This move makes the app more visible to lay users and informs them about this secure method to store and manage passwords,” say Talal Haj Bakry and Tommy Mysk from security company Mysk. “You have a default password manager preinstalled on your device [that] provides end-to-end encryption when syncing data across devices.”

    New Passwords

    The Passwords app has a pretty barebones design. Six different tiles are presented when you open the app on an iPhone: All, Passkeys, Codes, Wi-Fi, Security, and Deleted. These are essentially the main functions of the app, allowing you to save each type of data within their relevant sections. The security section includes check-ups allowing weak and exposed passwords to be identified.

    “This will definitely boost the adoption of this preinstalled app and bolster user security,” Bakry and Mysk say. They add that it presents the saved data “in a more organized way than the Settings app.”

    Apple says the Passwords app uses end-to-end encryption to save your details, meaning nobody, not even Apple, knows what you have saved. Within the app, you can search for login details to your entries and set up groups to share passwords with other people.

    Your saved login details are synced across Apple devices using iCloud, meaning the encrypted data is shared with Apple’s cloud servers and available on all of your Apple devices. Within Apple’s settings, you can turn off syncing passwords on a specific device. The app is locked using Face ID.

    When using the Passwords app, any details you have previously saved in Keychain or AutoFill will be moved to the new location. This includes if you have used the Sign in with Apple login system on any websites or apps. It is unclear why Apple has decided to spin its Keychain system into a fully fledged password manager now, although the company has been building out the individual features over a number of years. (Apple has not responded to WIRED’s request for comment at the time of writing.)
