Categories
Security

The Zoom installer let a researcher hack his way to root access on macOS

A security researcher has found a way that an attacker could leverage the macOS version of Zoom to gain access over the entire operating system.

Details of the exploit were released in a presentation given by Mac security specialist Patrick Wardle at the Def Con hacking conference in Las Vegas on Friday. Some of the bugs involved have already been fixed by Zoom, but the researcher also presented one unpatched vulnerability that still affects systems now.

The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test — so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.

The result is a privilege escalation attack, which assumes an attacker has already gained initial access to the target system and then employs an exploit to gain a higher level of access. In this case, the attacker begins with a restricted user account but escalates into the most powerful user type — known as a “superuser” or “root” — allowing them to add, remove, or modify any files on the machine.

Wardle is the founder of the Objective-See Foundation, a nonprofit that creates open-source security tools for macOS. Previously, at the Black Hat cybersecurity conference held in the same week as Def Con, Wardle detailed the unauthorized use of algorithms lifted from his open-source security software by for-profit companies.

Following responsible disclosure protocols, Wardle informed Zoom about the vulnerability in December of last year. To his frustration, he says an initial fix from Zoom contained another bug that meant the vulnerability was still exploitable in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing the research.

“To me that was kind of problematic because not only did I report the bugs to Zoom, I also reported mistakes and how to fix the code,” Wardle told The Verge in a call before the talk. “So it was really frustrating to wait, what, six, seven, eight months, knowing that all Mac versions of Zoom were sitting on users’ computers vulnerable.”

A few weeks before the Def Con event, Wardle says Zoom issued a patch that fixed the bugs that he had initially discovered. But on closer analysis, another small error meant the bug was still exploitable.

In the new version of the update installer, a package to be installed is first moved to a directory owned by the “root” user. Generally this means that no user that does not have root permission is able to add, remove, or modify files in this directory. But because of a subtlety of Unix systems (of which macOS is one), when an existing file is moved from another location to the root directory, it retains the same read-write permissions it previously had. So, in this case, it can still be modified by a regular user. And because it can be modified, a malicious user can still swap the contents of that file with a file of their own choosing and use it to become root.

While this bug is currently live in Zoom, Wardle says it’s very easy to fix and that he hopes that talking about it publicly will “grease the wheels” to have the company take care of it sooner rather than later.

In a statement to The Verge, Matt Nagel, Zoom’s security and privacy PR lead, said: “We are aware of the newly reported vulnerability in the Zoom auto updater for macOS and are working diligently to address it.”

Update August 12th, 11:09 PM ET: Article updated with response from Zoom.

Repost: Original Source and Author Link

Categories
Security

Nomad crypto bridge loses $200 million in ‘chaotic’ hack

After a few quiet months, it’s happened again: another blockchain bridge hack with losses in the hundreds of millions of dollars.

Nomad, a cryptocurrency bridge that lets users swap tokens between blockchains, is the latest to be hit after a frenzied attack on Monday, which left almost $200 million of its funds drained.

The hack was acknowledged by the Nomad project’s official Twitter account on Monday, August 1st, initially as an “incident” that was being investigated. In a further statement released early Tuesday morning, Nomad said that the team was “working around the clock to address the situation” and had also notified law enforcement.

In another Twitter thread, samczsun — a researcher at the crypto and Web3 investment firm Paradigm — explained that the exploit was made possible by a misconfiguration of the project’s main smart contract that allowed anyone with a basic understanding of the code to authorize withdrawals to themselves.

“This is why the hack was so chaotic,” samczsun wrote. “[Y]ou didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”

A further post-mortem from blockchain security auditing firm CertiK noted that this dynamic created its own momentum, where people who saw funds being stolen using the above method were able to substitute their own addresses to replicate the attack. This led to what one Twitter user described as “the first decentralized crowd-looting of a 9-figure bridge in history.”

In a more optimistic take, Nassim Eddequiouaq, crypto CISO at Andreessen Horowitz, suggested the funds could be reclaimed from the “whitehats that drained preventively,” though the identities of those that obtained the funds from Nomad appear to be largely unknown.

Blockchain bridges are now routinely the targets of the most high-profile hacks in the cryptocurrency industry due to the large value of assets they often hold and the complexity (and thus potential vulnerability) of the smart contract code they run on. This year, just two hacks alone have accounted for almost a billion dollars of stolen funds: in February, the Wormhole bridge platform was hacked for $325 million after a hacker spotted an error in open-source code uploaded to GitHub and exploited it. Then, in March, a hacker stole around $625 million from the Ronin blockchain, which underlies the Axie Infinity crypto game.

“Protecting cross-chain bridges from lucrative attacks such as this are one of the most urgent problems facing the Web3 community,” said Professor Ronghuio Gu, CEO and co-founder of CertiK. “Their security posture needs to be iron clad and is where many of the new developments in Web3 security will be most needed.”



Repost: Original Source and Author Link

Categories
Computing

Nvidia DLSS isn’t magic, and this FSR hack proves it

Nvidia’s Deep Learning Super Sampling (DLSS) has been an undeniable selling point for RTX GPUs since its launch, and AMD’s attempts to fight back haven’t exactly been home runs.

But what if FidelityFX Super Resolution (FSR) could grant the huge performance gains of DLSS without all the restrictions imposed by Nvidia? If that sounds too good to be true, I wouldn’t blame you. After all, Nvidia’s special sauce of machine learning wasn’t supposed to be easily replicated.

Well, hold on to your hat because a modder recently discovered how easily FSR could ape off DLSS. And after trying out the solution myself, it’s made me more excited about the potential for FSR than ever.

What we have now

Before we get to the mod itself, it’s worth setting the stage for how we got here. FSR was AMD’s first attempt at a DLSS killer, and unfortunately, it left a bad taste in our mouths. Despite the rapid adoption in the first generation of FSR 1.0, the performance and image quality just didn’t cut it.

All that changed with the release of the technology’s second generation. I’ve tested FSR 2.0 in its launch title, Deathloopand the results are clear: DLSS provides a slightly higher performance boost, but FSR 2.0 is almost identical in terms of image quality. Based on Deathloop, you should use DLSS if you can, but FSR 2.0 is a very close second if you don’t have a supported GPU.

My expectations were surpassed further when I tested God of War, seeing the margin with DLSS shrink even more. In fact, FSR 2.0 was actually around 4% faster than DLSS with the Ultra Performance preset. You’re not trading much of anything with image quality, either. Even at the intense Ultra Performance preset, it’s nearly impossible to spot any differences between FSR 2.0 and DLSS while playing.

FSR and DLSS performance in God of War.

This is the real deal. The only problem? FSR 2.0 is available technically, but it’s not seeing the rapid adoption that the first version did. It’s available in only four games now: Deathloop, Farming Simulator 22, God of War, and Tiny Tina’s Wonderlands. The upcoming list isn’t all that exciting, either, headlined by Hitman 3, Eve Online, and the recently delayed Forspoken. 

Hence, the need for a seemingly impossible solution that takes the goodness of FSR 2.0 and widely expands its effect to as many titles as possible. And that’s where the fun begins.

A look into the future

An enemy swings a sword at the main character of Cyberpunk 2077.

About a month ago, modder PotatoOfDoom released an FSR 2.0 “hack” for Cyberpunk 2077. What the modder realized was that DLSS and FSR 2.0 require basically the same information — motion vectors, color values, and the depth buffer. That allowed PotatoOfDoom to create a simple instruction translation, using the DLSS backbone to send FSR 2.0 instructions. It’s like how Wine works for Windows games on Linux, according to the modder.

I’ll circle back to what these similarities between DLSS and FSR 2.0 mean, but let’s get games out of the way first. I followed the instructions and was able to implement the mod in Cyberpunk 2077, Dying Light 2, and Doom Eternal — all games that don’t currently support FSR 2.0. Doom Eternal was the only game that struggled with the mod, blocking out the DLSS option in the settings menu entirely. That was a no-go.

But Cyberpunk 2077 and Dying Light 2 were an absolute treat. The mod isn’t quite as powerful as a native implementation, but it’s still very close. The difference is less than 10% at most, even with all of the settings cranked up at 4K (including the highest ray tracing options).

DLSS and FSR performance in Cyberpunk 2077 and Dying Light 2.

Image quality was just as good, even on this self-described hack. In a still image, Dying Light 2 actually looked slightly better with FSR 2.0, and it was nearly identical in Cyberpunk 2077. The main difference, as was the case in God of War and Deathloop, is that FSR 2.0 doesn’t handle distant fine detail as well. You can see that on the phone lines in Cyberpunk 2077 below. It’s damn close, though.

DLSS and FSR aliasing in Cyberpunk 2077.

DLSS and FSR 2.0 look largely the same with a still image, but it’s the motion that matters. I saw heavy ghosting in Dying Light 2 that wasn’t present with DLSS or FSR 1.0, and flat textures cause some issues with masking.

Certain elements, like the smog from the sewer in the Cyberpunk 2077 screenshot below, don’t include motion vectors. FSR 2.0 and DLSS get around the issue with masking the element (like in Photoshop) so it’s not included in the supersampling. Unfortunately, they go about the masking in different ways, leading to the nasty pixelation with the FSR 2.0 hack that you can see below.

Sewer texture in Cyberpunk 2077.

Even with those issues, it’s remarkable how close DLSS and FSR 2.0 are, both on a gameplay and a technical level. PotatoOfDoom summed up how much they share in an interview with Eurogamer: “I expected to work on [adding FSR 2.0] for several days, but was pleasantly surprised that it only took me a few hours to integrate.”

The point isn’t that you should necessarily go out and use this mod to add FSR 2.0 to every game. Rather, this mod reveals the deep similarities between DLSS and FSR 2.0 — something Nvidia might not want to readily admit.

Taking deep learning out of supersampling

DLSS is all about machine learning; it’s right there in the name. And to this point, Nvidia has insisted for years that DLSS only works on its most recent graphics cards because they provide the AI cores necessary to perform the supersampling. That’s true, but FSR 2.0 is proof that the advantage provided by AI is small and, for the most part, unnecessary.

A big reason why Nvidia’s GPUs sell above list price is DLSS, even if it doesn’t need to be.

There are a lot of similarities between DLSS and FSR 2.0, even concerning Nvidia’s machine learning bit. DLSS is using a neural network and FSR 2.0 is using an algorithm, but both are fed with the same inputs and use the same overall system to render the final output. The fact that PotatoOfDoom was able to develop one mod that works across several DLSS titles in a few hours is a testament to that.

The main issue now isn’t that DLSS is bad — it’s excellent, and you should use it if you can — but that the feature is exclusive to only a few expensive graphics cards. Even when GPU prices are falling, Nvidia’s low-end and midrange models continue to sell for above list price. And a big reason why is DLSS, even if it doesn’t need to be.

Akito attacks enemies with magic in Ghostwire: Tokyo.
Ghostwire: Tokyo is an early show of Unreal Engine’s TSR, which is very similar to FSR 2.0.

General-purpose solutions like FSR 2.0 and Unreal Engine’s TSR (temporal super resolution) are the way of the future. They work with basically all modern hardware, and developers consistently insist that they only take a few hours to get working.

DLSS doesn’t need to go away, but it would be nice to see Nvidia leverage its relationships with developers to get a general-purpose supersampling feature into games that support DLSS already. And no, Nvidia Image Sharping, which is basically FSR 1.0, doesn’t count.

Catching up

The list of available DLSS supporting games.
In the chicken and egg game of supporting games and supportive gamers, DLSS has one major advantage over FSR. Nvidia

FSR 2.0 is genuinely impressive, but game support is holding it back. Far more games support DLSS than even FSR 1.0, and the official list of four FSR 2.0 is embarrassing. I’m not excited for too many of the upcoming FSR 2.0 titles, either, with the list mostly comprised of older or smaller games.

PotatoOfDoom’s mod is a hopeful sign, but we need more FSR 2.0 games for it to even stand a chance against DLSS. It might be tempting to root for AMD here, but it’s important to remember that DLSS still has a minor lead and is supported in far more games. AMD has a lot of ground to cover, and FSR 2.0 isn’t being added into games at nearly the rate that FSR 1.0 was.

Still, it will be interesting to see how the dynamic between DLSS and FSR 2.0 adjusts over the rest of the year. AMD just released the FSR 2.0 source code in June, after all. For now, DLSS is still the way to go for its game support and slightly better image quality, but it’s not a selling point on an Nvidia GPU like it once was.

This article is part of ReSpec – an ongoing biweekly column that includes discussions, advice, and in-depth reporting on the tech behind PC gaming.

Editors’ Choice




Repost: Original Source and Author Link

Categories
Game

‘Axie Infinity’ CEO moved $3 million in crypto tokens before disclosing massive hack

On March 23rd, hackers broke into Axie Infinity’s Ronin network to steal Ethereum and USDC stablecoins that were then worth over $600 million. In response to the massive theft, Axie developer Sky Mavis disabled token withdrawal — but apparently not before its CEO moved $3 million worth of Axie’s main token, AXS, into Binance. According to Bloomberg, company CEO and co-founder Trung Nguyen made the large transfer mere hours before Sky Mavis disclosed on March 29th that the “play to earn” game was hacked. 

It was YouTube user Asobs who first identified the transaction and who shared his documentation with Bloomberg. The news organization then worked with associate professors of mathematics at Winthrop University to confirm his findings. Asobs analyzed the transaction details and connected it to a wallet controlled by Nguyen based on previous transactions, such as the initial distribution of tokens for the game during its early years. 

When asked, company spokesperson Kalie Moore has confirmed the transaction to Bloomberg. Moore said Nguyen made the transfer to shore up the company’s finances and ensure it could provide liquidity to its users. Nguyen apparently had to do so on the down-low so that people tracking official Axie wallets wouldn’t be able to front-run the news and cash out before the rest of the players even find out what’s going on.

Moore said:

“At the time, we (Sky Mavis) understood that our position and options would be better the more AXS we had on Binance. This would give us the flexibility to pursue different options for securing the loans/capital require. The Founding Team chose to transfer it from this wallet to ensure that short-sellers, who track official Axie wallets, would not be able to front-run the news.”

Nguyen posted a Twitter thread after Bloomberg’s report went up and said that his team had been in contact with Binance after the hack was discovered to “ensure user funds would be restored as soon as possible.” The executive added: “This discussion included the fact that Sky Mavis would provide liquidity while we worked on a full backing of the bridge.” He also called speculations of insider trading as “baseless and false.”

In Axie Infinity, people can earn cryptocurrency by playing the game and completing tasks, such as winning Arena battles and breeding Axie monsters, which are non-fungible tokens. The attack on its Ronin network is now known as one of the biggest in crypto history. According to previous reporting by The Block, bad actors gained entry into its system by sending a spyware-filled PDF to one employee who thought he was getting a job offer with higher pay from another firm. Turns out the company didn’t exist, and the offer, according to the US government, came from North Korean hacker group Lazarus.

Sky Mavis has secured $150 million in funding to help reimburse users since then, and Nguyen said all players’ funds are now backed 1:1. The value of Ethereum dropped considerably since March, however, so players will not get the money they could’ve gotten if they had cashed out months ago. As for the game itself, it opened back up in late June with a new system to flag “large, suspicious withdrawals” and a new land-staking feature that enables players to earn passive income.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.



Repost: Original Source and Author Link

Categories
Security

Latest LAPSUS$ victims include Facebook, DHL in massive hack

Hacking group LAPSUS$ has revealed its latest target: Globant, an IT and software development company whose clientele includes the likes of technology giant Facebook.

In a Telegram update where the hackers affirmed they’re “back from a vacation,” — potentially referring to alleged members of the group getting arrested in London — LAPSUS$ stated that they’ve acquired 70GB of data from the cyber security breach.

Justin Sullivan/Getty Images

Not only have they seemingly obtained sensitive information belonging to several large organizations, the group decided to release the entire 70GB via a torrent link.

As reported by Computing, the group shared evidence of the hack via an image displaying folders that are named after Facebook, DHL, Stifel, and C-Span, to name but a few.

Although there is a folder titled “apple-health-app,” it is not directly related to the iPhone maker.

Instead, The Verge highlights how the data it contains is actually associated with Globant’s BeHealthy app, which was developed in partnership with Apple due to its use of the Apple Watch.

Meanwhile, LAPSUS$ posted an additional message on its Telegram group listing all of the passwords of Globant’s system admins and the company’s DevOps platforms. Vx-underground, which has conveniently documented all of the group’s recent hacks, confirmed the passwords are extremely weak.

LAPSUS$ also threw their System Admins under the bus exposing their passwords to confluence (among other things). We have censored the passwords they displayed. However, it should be noted these passwords are very easily guessable and used multiple times… pic.twitter.com/gT7skg9mDw

— vx-underground (@vxunderground) March 30, 2022

Notably, login credentials for one of those platforms seemingly offered access to “3,000 spaces of customer documents.”

Following the Telegram message and subsequent leak on March 30, Globant itself confirmed it was compromised in a press release.

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access. We have activated our security protocols and are conducting an exhaustive investigation.

According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected.

We are taking strict measures to prevent further incidents.”

Earlier in March, seven alleged members of the group, reportedly aged 16 to 21, were arrested in London, before being released pending further investigations. According to reports, the alleged ringleader of the group, a 16-year-old from Oxford, U.K., has also apparently been outed by rival hackers and researchers. “Our inquiries remain ongoing,” City of London police stated.

Security researchers have suggested other members of LAPSUS$ could be based out of South America.

Hacking scene’s newcomer causing a lot of noise

LAPSUS$ has gained a reputation by injecting activity into the hacking scene in an extremely short span of time.

Amazingly, the majority of its hacks seem to come to fruition by simply targeting engineers of large companies and their access points via weak passwords. The group even stresses this fact repeatedly in its Telegram updates.

It’s understandable when an average user from home is subjected to a hack due to weak passwords, but we’re not talking about individuals here. LAPSUS$ has successfully infiltrated some of the largest corporations in history without the apparent need to resort to complicated and sophisticated hacking methods.

Moreover, hackers are now even exploiting weak passwords that make your PC’s own power supply vulnerable to a potential attack, which could lead to threat actors causing it to burn up and start a fire. With this in mind, be sure to strengthen your passwords.

LAPSUS$ has already leaked the source codes for Microsoft’s Cortana and Bing search engine. That incident was preceded by a massive 1TB Nvidia hack. Other victims include Ubisoft, as well as the more recent cyber security breach of Okta, which prompted the latter to issue a statement acknowledging a mistake in how it reported the situation.

Editors’ Choice




Repost: Original Source and Author Link

Categories
Security

World’s most sensitive data could be vulnerable to a new hack

A possible security attack has just been revealed by researchers, and while difficult to carry out, it could potentially endanger some of the most sensitive data in the world.

Dubbed “SATAn,” the hack turns a typical SATA cable into a radio transmitter. This permits the transfer of data even from devices that would otherwise not allow it at all.

As data protection measures grow more advanced and cyberattacks become more frequent, researchers and vicious attackers alike reach new heights of creativity in finding possible flaws in software and hardware. Dr. Mordechai Guri from the Ben-Gurion University of the Negev in Israel just published new findings that, once again, show us that even air-gapped systems aren’t completely secure.

An air-gapped system or network is completely isolated from any and all connections to the rest of the world. This means no networks, no internet connections, no Bluetooth — zero connectivity. The systems are purposely built without any hardware that can communicate wirelessly, all in an effort to keep them secure from various cyberattacks. All of these security measures are in place for one reason: To protect the most vulnerable and sensitive data in the world.

Hacking into these air-gapped systems is exceedingly difficult and often requires direct access in order to plant malware. Removable media, such as USB stealers, can also be used. Dr. Guri has now found yet another way to breach the security of an air-gapped system. SATAn relies on the use of a SATA connection, widely used in countless devices all over the globe, in order to infiltrate the targetted system and steal its data.

Through this technique, Dr. Guri was able to turn a SATA cable into a radio transmitter and send it over to a personal laptop located less than 1 meter away. This can be done without making any physical modifications to the cable itself or the rest of the targeted hardware. Feel free to dive into the paper penned by Dr. Guri (first spotted by Tom’s Hardware) if you want to learn the ins and outs of this tech.

In a quick summary of how SATAn is able to extract data from seemingly ultra-secure systems, it all comes down to manipulating the electromagnetic interference generated by the SATA bus. Through that, data can be transmitted elsewhere. The researcher manipulated this and used the SATA cable as a makeshift wireless antenna operating on the 6GHz frequency band. In the video shown above, Dr. Guri was able to steal a message from the target computer and then display it on his laptop.

“The receiver monitors the 6GHz spectrum for a potential transmission, demodulates the data, decodes it, and sends it to the attacker,” said the researcher in his paper.

Dr. Mordechai Guri

The attack can only be carried out if the target device has malicious software installed on it beforehand. This, of course, takes the danger levels down a notch — but not all too much, seeing as USB devices can be used for this. Without that, the attacker would need to obtain physical access to the system to implant the malware before attempting to steal data through SATAn.

Rounding up the paper, Dr. Guri detailed some ways in which this type of attack can be mitigated, such as the implementation of internal policies that strengthen defenses and prevent the initial penetration of the air-gapped system. Making radio receivers forbidden inside facilities where such top-secret data is stored seems like a sensible move right now. Adding electromagnetic shielding to the case of the machine, or even just to the SATA cable itself, is also recommended.

This attack is certainly scary, but we regular folk most likely don’t need to worry. Given the complexity of the attack, it’s only worthy of a high-stakes game with nationwide secrets being the target. On the other hand, for those facilities and their air-gapped systems, alarm bells should be ringing — it’s time to tighten up the security.

Editors’ Choice




Repost: Original Source and Author Link

Categories
Security

Hunter Biden phone hack claims test platforms’ misinformation policies

Once again, search and social media platforms are facing moderation challenges tied to data allegedly leaked from the president’s son’s devices.

Over the weekend, users of 4Chan’s /pol/ messageboard were whipped into a frenzy of excitement by one poster claiming to have hacked into Hunter Biden’s phone. Exact details are hard to confirm, but the original poster suggests they have used a tool called iPhone Backup Extractor to recover backup copies of the contents of an iPhone and iPad belonging to Hunter Biden — possibly by compromising his iCloud account and downloading the data from the cloud.

The 4Chan poster shared further instructions about how to decrypt the backup files, and other users began to share images, video, and messages allegedly taken from the phone. No news outlet has confirmed that the content is genuine, but Motherboard reports that at least some of the images shared on 4Chan haven’t previously appeared anywhere else online. Meanwhile, the Secret Service said on Monday evening that it was aware of the alleged hack but was “not in a position to make public comments on potential investigative actions.”

Some videos appear to show Hunter Biden smoking crack cocaine or in sexual encounters with women believed to be escorts. It’s great fodder for conservative pundits, but there’s no real argument that publishing these clips is in the public interest — especially since so much similar material emerged when the contents of Hunter Biden’s laptop hard drive were shared with the New York Post in 2020. (Many of the details about his hard partying lifestyle were released by Hunter Biden himself in his 2021 memoir, Beautiful Things.)

There have been legitimate corruption concerns around Hunter Biden’s business links to China and Ukraine, but so far, no evidence of wrongdoing has been produced — and nothing from the latest leak gives any insight into those concerns. As a result, the story has been a difficult one for mainstream news outlets, with most outlets holding off on early coverage of the leak.

Twitter did not make any public statements about restricting links to the 4Chan posts and / or other references to the iCloud hack, though it is unclear what decisions may have been made behind the scenes. Twitter has a policy that prohibits the sharing of materials obtained by hacking, and while the hashtag #HunterBiden was listed as trending at the start of the week, it no longer seemed to be a visible trending topic on Tuesday afternoon. Twitter had not responded to questions about moderation sent by The Verge at time of publication.

Meta spokesperson Dave Arnold told The Verge that the content was permitted on Facebook, as references to the story were considered news.

“Despite these posts appearing to have come from hacked sources, they are still allowed as newsworthy content under our community standards,” Arnold said.

Google took more identifiable action, showing users a notification box for certain search terms related to the allegedly hacked material. In response to queries such as “hunter biden crack,” users were shown a message telling them that results were changing quickly, with a prompt to return later for more reliable information. Results then appeared below the message box.

Search terms related to the leaked data returned a notice from Google about quickly changing results.

Google spokesperson Ned Adriance told The Verge that the notices were first rolled out in June 2021 as part of the company’s attempt to boost information literacy by giving additional context around search results.

“These notices automatically appear when our systems detect that a topic is rapidly evolving, like in a breaking news situation, and a range of sources have not yet weighed in,” Adriance said. “There is no manual triggering involved … Our automated search systems don’t understand the political ideology of content, and it’s not a ranking factor for search results.”

Nonetheless, some conservative sources accused Google of censoring the search results, despite the fact that search hits did appear directly below the notice. It’s a sensitive topic, especially in connection with Hunter Biden, because of the aggressive moderation of the New York Post’s original story about the laptop. When the story was first released in 2020 — just a month before the presidential election — Facebook and Twitter both restricted sharing of the URL on the platforms, citing the need to limit the spread of potentially false information.

Google’s strategy seems designed to prevent the exploitation of “data voids”: search queries that turn up low-quality information in the time before well-researched material has been published to fill the gap. Emily Dreyfuss, a senior fellow on the Technology and Social Change team at Harvard’s Shorenstein Center for Media, Politics, and Public Policy, says that Google is making the right call in this case by giving context without blocking results from being seen.

“As the most powerful arbiter of information online in the US, Google has a responsibility to prioritize high-quality information,” Dreyfuss said. “Here Google is informing the searcher that what they are looking for is contested in some way—it’s breaking news or the story is in flux—and therefore the results are not necessarily reliable, but importantly it is not censoring those results.”

The Google notification was similar to labels introduced by Twitter to deal with election misinformation in 2020, Dreyfuss said.

Update July 12th, 3:39PM ET: Story updated to include comment from Meta.



Repost: Original Source and Author Link

Categories
Game

‘Axie Infinity’ is back open for business following $625 million hack

After a massive $625 million hack, the cryptocurrency pay-to-earn game Axie Infinity is once again open for business. The hack took advantage of flaws in the Ronin network, an Ethereum sidechain the game’s owner, Sky Mavis, propped up to facilitate faster transactions. Surprisingly, the news today is that Axie Infinity will… continue to use Ronin, which has been revived after a few audits. In a blog post, the company described a new “circuit-breaker” system designed to flag “large, suspicious withdrawals,” withdrawal limits and human reviewers. It also promised players that a new land staking feature — which claims to allow the game’s owners of digital land to earn passive income — will be released later this week.

In March, a group of hackers pilfered nearly 173,600 Ethereum and nearly 26 million USDC (worth roughly $26 million) from the game’s network. US officials have since linked the North Korean-backed hacking group Lazarus to the heist. Last week Sky Mavis said it would begin reimbursing the victims of the hack — but didn’t account for Ethereum’s drop in value over the past three months, which means that users would only recover about a third of their losses. In all, Sky Mavis is returning $216.5 million in funds to its users.

Moving forward, Axie Infinity players are warned not to send funds directly to Ronin Bridge’s smart contract address. “The Ronin Bridge should only be accessed and used for deposits/withdrawals through the Ronin Bridge UI. Any funds sent directly to the Ronin Bridge’s contract addresses will be permanently lost,” wrote the company in its post.

Esports.net recently pointed out a flaw in Axie Infinity’s design — a drop in the number of players causes the value of its in-game currency to plummet. Bloomberg noted earlier this month that the game’s user base has declined by 40 percent since the hack. As of this writing, the value of AXS is at $15.30 (a drop from its high of $160.36 in July 2021) and the value of SLP is at 0.0039 (down from an all-time high of 0.364).

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.

Repost: Original Source and Author Link

Categories
Game

‘Axie Infinity’ hack victims will only get back around a third of what they lost

Sky Mavis, the developer of blockchain game Axie Infinity, says it will start reimbursing the victims of a $617 million hack that took place earlier this year. The attackers took $25.5 million in USDC (a stablecoin that’s pegged to the value of the US dollar) and 173,600 ether, which was worth around $591.2 million at the time. The FBI claimed North Korean state-backed hacker groups were behind the attack.

Impacted Axie Infinity players will be able to withdraw one ether token for each one they lost in the hack, Sky Mavis told Bloomberg (the company didn’t mention a USDC reimbursement). However, as with other cryptocurrencies, the value of Ethereum has plummeted since the attack in March. 

Because of that, Sky Mavis will return around $216.5 million to users. It’s possible that the price of Ethereum will rise again, but as things stand, affected users will get back around a third of what they lost.

In April, Sky Mavis raised $150 million in funding to help it pay back the victims. The developer plans to reimburse affected users on June 28th, when it restarts the Ronin software bridge that the hackers targeted. 

Axie Infinity is widely considered the most popular play-to-earn game. Players collect and mint NFTs representing creatures that battle each other, Pokémon-style. These NFTs can be sold to other players, with Sky Mavis charging a transaction fee. By February, Axie Infinity had facilitated $4 billion in NFT sales.

However, the NFT market has all but bottomed out, which has had a significant impact on Axie Infinity. For one thing, according to Bloomberg, the daily active user count dropped from 2.7 million in November to a quarter of that by the end of May.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.

Repost: Original Source and Author Link

Categories
Security

Thief steals $1 million of Bored Ape Yacht Club NFTs with Instagram hack

A hacker has stolen NFTs worth millions of dollars after compromising the official Instagram account for Bored Ape Yacht Club (BAYC) and using it to post a phishing link that transferred tokens out of users’ crypto wallets.

The hack was disclosed on Twitter by BAYC just before 10AM ET on Monday morning. “There is no mint going on today,” the Tweet read. “It looks like BAYC Instagram was hacked.”

Another tweet from a user unaffiliated with the project claimed to show the image that had been posted from the BAYC account, promoting an “airdrop” — essentially a free token giveaway — for any users who connected their MetaMask wallets.

Unfortunately, BAYC’s warning came too late for a number of holders of the extremely expensive Bored Ape NFTs, along with many other valuable NFTs stolen in the hack. A screenshot posted by one Twitter user showed an OpenSea page for the hacker’s account receiving more than a dozen NFTs from the Bored Ape, Mutant Ape, and Bored Ape Kennel Club projects — all presumably taken from users who connected their wallets after clicking on the phishing link.

The profile page tied to the hacker’s wallet address was no longer visible on OpenSea at time of publication. OpenSea head of communications Allie Mack confirmed to The Verge that the hacker’s account had been banned on the platform, as OpenSea’s terms of service prohibited fraudulently obtaining items or otherwise taking them without authorization.

But given the decentralized nature of NFT, the contents of the hacker’s wallet can still be viewed on other platforms. Seen through NFT platform Rarible, the wallet contained 134 NFTs, among them four Bored Apes and many others items from projects made by Yuga Labs — the creators of BAYC — such as Mutant Apes and Bored Ape Kennel Club.

Independently, each of the stolen Apes is worth well into six figures based on the most recent sale price. The lowest priced Ape, #7203, last sold four months ago for 47.9 ETH — equivalent to $138,000 at current exchange price. Ape #6778 was last sold for 88.88 ETH ($256,200), while Ape #6178 sold for 90 ETH or $259,400. And Bored Ape #6623 was the most valuable of all, sold three months ago for 123 ETH ($354,500) — meaning that collectively the total value of the four stolen Apes is just over $1 million.

It is not known yet how the hacker was able to compromise the project’s Instagram account. In a statement sent to The Verge by email and also posted on Twitter, Yuga Labs said that two-factor authentication was enabled at the time of the attack and that the security of the Instagram account followed best practices. Yuga Labs also said that the team was actively working to establish contact with affected users.

Though NFTs can be bought and sold for huge sums of money, they are often held in smartphone wallets rather than more secure environments because the popular decentralized crypto wallet application MetaMask only supports NFT display on mobile. It also encourages users to manage NFTs through the smartphone app rather than the browser-based extension. This means that the use of Instagram to deliver a phishing link is an effective way to steal NFTs, as the phishing link is more likely to be interacted with from a mobile wallet.

While security advice in the crypto space suggests NFT holders never connect their wallet to an unknown or untrusted third party, the fact that the phishing link was sent through the official BAYC social media account likely convinced the victims that it was legitimate, raising difficult questions about where exactly the fault lies.

Yuga Labs did not respond to an email from The Verge asking whether victims of the hack would be compensated by the project for their losses.



Repost: Original Source and Author Link