Microsoft has patched a Windows vulnerability that hackers are actively exploiting. If you own a system that uses Windows 7 and up, you’ll want to update your computer as soon as possible (via Bleeping Computer).
The security flaw, called Follina (CVE-2022-30190) by researchers, lets bad actors hijack users’ computers through programs like Microsoft Word. Security researchers have been aware of the threat since late May, but Microsoft reportedly dismissed their initial findings.
In an attack documented by security company Proofpoint, hackers associated with the Chinese government sent malicious Word documents to Tibetan recipients. When opened, these documents use the Follina exploit to take control of the Microsoft Support Diagnostic Tool (MSDT) to execute commands that could be used to install programs, create new user accounts, and access, delete, or change data stored on a computer. The exploit has also been used in phishing campaigns targeting American and European government agencies.
Microsoft’s original warning about the threat offered workarounds, but this update (KB5014699 for Windows 10 and KB5014697 for Windows 11) should eliminate the need for them. “Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability,” Microsoft says. “Customers whose systems are configured to receive automatic updates do not need to take any further action.”
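The attack chain above (a Word document that reaches MSDT) leaves traces inside the document package itself, which is a plain zip of XML parts. The following scanner is an added example, not code from Microsoft, Proofpoint or the article; it flags two Follina-style indicators: an OOXML relationship of type oleObject whose target is external to the package, and any part that mentions the `ms-msdt:` URI scheme. The relationship-part layout and the scheme name are assumptions drawn from general OOXML and Windows knowledge, and the sample documents are constructed inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Hypothetical detection helper (added example, not the vendor's code).
# Assumption: OOXML relationship parts live under *.rels and use this namespace.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Assumption: the MSDT protocol handler is addressed with the "ms-msdt:" scheme.
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> List[str]:
    """Return human-readable findings for a .docx given as bytes; [] means clean."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)
            # Indicator 1: any part that embeds the MSDT protocol handler scheme.
            if MSDT_RE.search(blob):
                findings.append(f"{name}: contains ms-msdt: URI")
            # Indicator 2: relationship parts that point outside the package.
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(blob)
            except ET.ParseError:
                findings.append(f"{name}: unparseable relationships part")
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                # An OLE object fetched from an external URL is the Follina hallmark;
                # ordinary documents embed OLE objects inside the package.
                if rel.get("TargetMode") == "External" and rtype == "oleObject":
                    findings.append(f"{name}: External oleObject relationship -> {target}")
    return findings


def build_docx(rels_xml: bytes, extra: Optional[Dict[str, bytes]] = None) -> bytes:
    """Construct a minimal .docx-like package for testing (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", b"<Types/>")
        pkg.writestr("word/document.xml", b"<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
        for part, blob in (extra or {}).items():
            pkg.writestr(part, blob)
    return buf.getvalue()


# Constructed relationship parts: a normal styles link, and an external OLE object.
BENIGN_RELS = (
    b'<Relationships xmlns="' + RELS_NS.encode() + b'">'
    b'<Relationship Id="rId1" Target="styles.xml" '
    b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>'
    b"</Relationships>"
)
SUSPICIOUS_RELS = (
    b'<Relationships xmlns="' + RELS_NS.encode() + b'">'
    b'<Relationship Id="rId5" TargetMode="External" Target="http://example.invalid/page.html" '
    b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"/>'
    b"</Relationships>"
)

if __name__ == "__main__":
    for label, doc in (("benign", build_docx(BENIGN_RELS)),
                       ("external-ole", build_docx(SUSPICIOUS_RELS))):
        print(label, scan_docx(doc) or "clean")
```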
As part of today’s announcements at WWDC 2022, Apple briefly mentioned a new addition to its security tools that will apply to iPhone, iPad, and Mac platforms called Rapid Security Response. It didn’t go into a lot of detail about what Rapid Security Response is, but Apple is promising to have important security updates that get to your devices even faster. Currently, iOS and macOS users get their security updates rolled in with full system patches, usually with .1 or .0.1 version numbers, which can take quite some time for users to download and install.
Now, Apple says its Rapid Security Response updates include important security improvements that “can be applied automatically between standard software updates.” MacRumors reports that for users who’ve installed the iOS 16 developer beta, there’s a new toggle under the Automatic Updates section of settings for “Install System and Data Files” to apply new security configuration and system data files. It says that “some updates may only take effect once you restart your iPhone,” which suggests that some won’t require a reboot.
That’s the case on macOS Ventura, where Apple’s breakdown of the new features coming in version 13.0 includes Rapid Security Response; on this platform, Apple says, “This isn’t a standard software update. These improvements can be applied automatically between normal updates — without a restart.” The Verge has contacted Apple for more information about the new updates, and with beta testers already running the new software, we should know more about how they work soon.
The FBI, Department of Justice (DoJ), and Internal Revenue Service (IRS) have worked together to shut down the SSNDOB Marketplace, a collection of darknet sites that listed the personal information of around 24 million U.S. citizens, and which generated more than $19 million in sales revenue.
For the uninitiated, the darknet, also known as the dark web, is an encrypted part of the online world that isn’t indexed by search engines and can only be accessed using specialized browsers. While the darknet is popular with cybercriminals selling illegal products and services online, others such as political activists or whistleblowers might also use the network to share highly sensitive information.
The DoJ said this week that the SSNDOB Marketplace, which had been operating for a number of years, sold personal information such as names, dates of birth, and Social Security numbers belonging to individuals in the U.S.
Efforts to dismantle the service involved working with law enforcement in Cyprus and Latvia, and earlier this week seizure orders were enacted against the domain names used by the SSNDOB Marketplace, leading to its shutdown.
The SSNDOB Marketplace appeared to be an efficiently run business operated by administrators who placed ads on darknet criminal forums for the SSNDOB’s services while also offering customer support, the DoJ said.
It added that the administrators “employed various techniques to protect their anonymity and to thwart detection of their activities, including using online monikers that were distinct from their true identities, strategically maintaining servers in various countries, and requiring buyers to use digital payment methods, such as bitcoin.”
Commenting on the case, Special Agent in Charge Darrell Waldon of the IRS-CI Washington, D.C. Field Office, said: “Identity theft can have a devastating impact on a victim’s long-term emotional and financial health. Taking down the SSNDOB website disrupted ID theft criminals and helped millions of Americans whose personal information was compromised.”
Waldon added that the U.S. and international law enforcement community will continue to work to end what he called “these complex scams.”
With apparently no arrests made in connection with the case, the perpetrators behind SSNDOB remain free to set up a new operation, while other cybercriminals could also come in to try to fill the hole left by the shutdown. In that sense, it’s a game of whack-a-mole for the FBI, though its efforts will stall and disrupt the perpetrators while also sending out a message that it’s on their case.
In another recent win for investigators targeting nefarious online outfits, the “biggest dark web marketplace in the world” was knocked offline in April. The platform, Hydra Market, made its money through sales of drugs and money-laundering services.
The US Department of Justice says it won’t subject “good-faith security research” to charges under anti-hacking laws, acknowledging long-standing concerns around the Computer Fraud and Abuse Act (CFAA). Prosecutors must also avoid charging people for simply violating a website’s terms of service — including minor rule-breaking like embellishing a dating profile — or using a work-related computer for personal tasks.
The new DOJ policy attempts to allay fears about the CFAA’s broad and ambiguous scope following a 2021 Supreme Court ruling that encouraged reading the law more narrowly. The ruling warned that government prosecutors’ earlier interpretation risked criminalizing a “breathtaking amount of commonplace computer activity,” laying out several hypothetical examples that the DOJ now promises it won’t prosecute. That change is paired with a safe harbor for researchers carrying out “good-faith testing, investigation, and/or correction of a security flaw or vulnerability.” The new rules take effect immediately, replacing old guidelines issued in 2014.
“The policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged,” says a DOJ press release. “Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.”
These guidelines reflect a newly limited interpretation of “exceeding authorized access” to a computer, a practice criminalized by the CFAA in 1986. As writer and law professor Orin Kerr explained in 2021, there’s been a decades-long conflict over whether people “exceed” their access by violating any rule laid down by a network or computer owner — or if they have to access explicitly off-limits systems and information. The former interpretation has led to cases like US v. Drew, where prosecutors charged a woman for creating a fake profile on Myspace. The Supreme Court leaned toward the latter version, and now, the DOJ theoretically does, too.
The policy doesn’t settle all criticisms of the CFAA, like its potential for disproportionately long prison sentences. It doesn’t make the underlying law any less vague since it only affects how prosecutors interpret it. The DOJ also warns that the security research exception isn’t a “free pass” for probing networks. Someone who found a bug and extorted the system’s owner using that knowledge, for instance, could be charged for performing that research in bad faith. Even with these limits, though, the rulemaking is a pledge to avoid slapping punitive anti-hacking charges on anyone who uses a computer system in a way its owner doesn’t like.
After the disclosure of a hack affecting its authentication platform, Okta has maintained that the effects of the breach were mostly contained by security protocols and reiterated that users of the service do not need to take corrective action as a result.
The statements were made by David Bradbury, chief security officer at Okta, in a video call with customers and press Wednesday morning.
On Monday, hacking group Lapsus$ released images demonstrating that the group had compromised Okta’s internal systems, putting thousands of businesses that rely on the authentication tool on high alert.
“The sharing of these screenshots is an embarrassment for myself and the entire Okta team,” Bradbury said at the start of the call. “Today I want to provide my perspective on what has transpired, and where we are with this investigation.”
In the course of a ten-minute briefing, Bradbury said that the hackers had compromised Okta’s systems by gaining remote access to a machine belonging to an employee of Sitel — a company subcontracted to provide customer service functions for Okta. Using a remote desktop protocol, the hackers were able to input commands into the compromised machine and view the monitor output, enabling them to take screenshots, Bradbury said.
None of Okta’s systems were directly breached, the CSO said, but the Sitel support engineer’s machine was logged into Okta when it was compromised and remained so from the date of compromise on January 16th until the Okta security team became aware and suspended the account on January 21st.
However, due to the use of least privilege access protocols — in which a network user is only allowed to perform the minimum set of actions necessary for their job — the hackers were limited in what they could access through a support engineer’s account, leading Okta to state that no corrective action was needed from users of the service.
Details of the breach were compiled by a forensic investigation firm that had been engaged shortly after the unauthorized access was discovered, but the full report had not been provided to Okta until recently, according to Bradbury.
“I am greatly disappointed by the long period of time that transpired between our initial notification to Sitel in January, and the issuance of the complete investigation report just hours ago,” Bradbury said.
While impacts of the breach appear to be less severe than first feared, the Lapsus$ hacker group is emerging as a prolific and persistent threat, having mounted confirmed hacks against a number of large tech companies, and claimed responsibility for other incidents that have not yet been concretely attributed to the group.
On Tuesday – the same day that the Okta hack was confirmed – Lapsus$ also posted source code stolen from Microsoft’s Bing and Cortana products, obtained through compromise of an employee account.
Graphics card manufacturer Nvidia was also hacked by the group in late February, and had employee credentials leaked online. In a similar time frame, Lapsus$ claimed responsibility for a breach of South Korean tech giant Samsung in which source code for Galaxy devices was obtained, and also implied that the group was responsible for a “cyber security incident” affecting games developer Ubisoft.
Security professionals see the group as a sophisticated and versatile threat actor and are advising potential targets to proactively guard against methods of compromise.
“This group’s ‘all in’ approach to target its victims with ransom, SIM swapping, exploits, dark web reconnaissance, and reliable phishing tactics shows the focus and open toolbox used to accomplish its goals,” said Mark Ostrowski, head of engineering at Check Point Software. “Companies and organizations across the globe should focus on education of these tactics to their users, deploy prevention strategies in all aspects of their cyber security programs, and inventory all points of access looking for potential weaknesses.”
The US Federal Communications Commission has added Russian cybersecurity company Kaspersky Lab to its list of entities that pose an “unacceptable risk to US national security,” according to a report from Bloomberg. This is the first time a Russian company has been added to the list, which is otherwise made up of Chinese companies, like Huawei and ZTE.
Businesses in the US are barred from using federal subsidies provided through the FCC’s Universal Service Fund to purchase any products or services from the companies on the list. In addition to Kaspersky, the FCC also added China Telecom and China Mobile International USA to its list on Friday.
“I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list,” said FCC Chairwoman Jessica Rosenworcel in a press release (PDF). “Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America’s interests.”
Kaspersky responded to the FCC’s move in a press release on its site, saying the agency’s decision was “made on political grounds” in light of Russia’s invasion of Ukraine, and that the company “remains ready to cooperate with US government agencies to address the FCC’s and any other regulatory agency’s concerns.”
In 2017, Russian intelligence allegedly used Kaspersky’s antivirus software to steal classified documents from the National Security Agency — a claim denied by the Moscow-based company. Later that year, former President Donald Trump signed a bill banning the use of Kaspersky products by federal agencies after accusing the company of having ties to the Kremlin.
On March 24th, EU governing bodies announced that they had reached a deal on the most sweeping legislation to target Big Tech in Europe, known as the Digital Markets Act (DMA). Seen as an ambitious law with far-reaching implications, the most eye-catching measure in the bill would require that every large tech company — defined as having a market capitalization of more than €75 billion and a user base of more than 45 million people in the EU — create products that are interoperable with smaller platforms. For messaging apps, that would mean letting end-to-end encrypted services like WhatsApp mingle with less secure protocols like SMS — which security experts worry will undermine hard-won gains in the field of message encryption.
The main focus of the DMA is a class of large tech companies termed “gatekeepers,” defined by the size of their audience or revenue and, by extension, the structural power they are able to wield against smaller competitors. Through the new regulations, the government is hoping to “break open” some of the services provided by such companies to allow smaller businesses to compete. That could mean letting users install third-party apps outside of the App Store, letting outside sellers rank higher in Amazon searches, or requiring messaging apps to send texts across multiple protocols.
But this could pose a real problem for services promising end-to-end encryption: the consensus among cryptographers is that it will be difficult, if not impossible, to maintain encryption between apps, with potentially enormous implications for users. Signal is small enough that it wouldn’t be affected by the DMA provisions, but WhatsApp — which uses the Signal protocol and is owned by Meta — certainly would be. The result could be that some, if not all, of WhatsApp’s end-to-end messaging encryption is weakened or removed, robbing a billion users of the protections of private messaging.
Given the need for precise implementation of cryptographic standards, experts say that there’s no simple fix that can reconcile security and interoperability for encrypted messaging services. Effectively, there would be no way to fuse together different forms of encryption across apps with different design features, said Steven Bellovin, an acclaimed internet security researcher and professor of computer science at Columbia University.
“Trying to reconcile two different cryptographic architectures simply can’t be done; one side or the other will have to make major changes,” Bellovin said. “A design that works only when both parties are online will look very different than one that works with stored messages …. How do you make those two systems interoperate?”
Making different messaging services compatible can lead to a lowest common denominator approach to design, Bellovin says, in which the unique features that made certain apps valuable to users are stripped back until a shared level of compatibility is reached. For example, if one app supports encrypted multi-party communication and another does not, maintaining communications between them would usually require that the encryption be dropped.
Alternatively, the DMA suggests another approach — equally unsatisfactory to privacy advocates — in which messages sent between two platforms with incompatible encryption schemes are decrypted and re-encrypted when passed between them, breaking the chain of “end-to-end” encryption and creating a point of vulnerability for interception by a bad actor.
Alec Muffett, an internet security expert and former Facebook engineer who recently helped Twitter launch an encrypted Tor service, told The Verge that it would be a mistake to think that Apple, Google, Facebook, and other tech companies were making identical and interchangeable products that could easily be combined.
“If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you,” Muffett said. “What happens when the requested sushi arrives by courier at McDonald’s from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?”
Currently, every messaging service takes responsibility for its own security — and Muffett and others have argued that by demanding interoperability, users of one service are exposed to vulnerabilities that may have been introduced by another. In the end, overall security is only as strong as the weakest link.
Another point of concern raised by security experts is the problem of maintaining a coherent “namespace,” the set of identifiers that are used to designate different devices in any networked system. A basic principle of encryption is that messages are encoded in a way that is unique to a known cryptographic identity, so doing a good job of identity management is fundamental to maintaining security.
“How do you tell your phone who you want to talk to, and how does the phone find that person?” said Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook. “There is no way to allow for end-to-end encryption without trusting every provider to handle the identity management… If the goal is for all of the messaging systems to treat each other’s users exactly the same, then this is a privacy and security nightmare.”
Not all security experts have responded so negatively to the DMA. Some of the objections shared previously by Muffett and Stamos have been addressed in a blog post from Matrix, a project geared around the development of an open-source, secure communications standard.
The post, written by Matrix co-founder Matthew Hodgson, acknowledges the challenges that come with mandated interoperability but argues that they are outweighed by benefits that will come from challenging the tech giants’ insistence on closed messaging ecosystems.
“In the past, gatekeepers dismissed the effort of [interoperability] as not being worthwhile,” Hodgson told The Verge. “After all, the default course of action is to build a walled garden, and having built one, the temptation is to try to trap as many users as possible.”
But with users generally happy to centralize trust and a social graph in one app, it’s unclear whether the top-down imposition of cross-platform messaging is mirrored by demand from below.
“iMessage already has interop: it’s called SMS, and users really dislike it,” said Alex Stamos. “And it has really bad security properties that aren’t explained by green bubbles.”
If you want to verify your Google login and make it harder to access by anyone but yourself (always a good idea), one way is to use your iPhone or Android smartphone as a physical security key. While you can set up a third-party 2FA app such as Authy or even use Google’s own Authenticator, these require that you enter both your password and a code generated by the app. Google’s built-in security allows you to access your account by just hitting “Yes” or pressing your volume button after a pop-up appears on your phone. You can also use your phone as a secondary security key.
Use your phone to sign in
To set this up, your computer should be running a current version of Windows 10, iOS, macOS, or Chrome OS. Before you start, make sure that your phone is running Android 7 or later and that it has Bluetooth turned on.
While it’s unlikely you have an Android phone that doesn’t have a Google account associated with it, if you’re one of the few, you need to add a Google account to your phone by heading into Settings > Passwords & accounts, scrolling down to and selecting Add account > Google.
Once that’s done, open a Google Chrome browser on your computer.
Enter your account password. You’ll be asked to satisfy three steps: choose a phone (if you have more than one), make sure you have either Touch ID (for an iPhone) or a screen lock (for an Android), and add a recovery phone number.
You’ll then be run through a test of the system and invited to turn it on permanently.
Use your phone as a secondary security key
You can also use your phone as a secondary security key to ensure that it is indeed you who are signing into your account. In other words, to get into the account, it will be necessary to be carrying the correct phone with a Bluetooth connection.
If you don’t have two-step verification set up yet, go back to your account security page, click on 2-Step Verification and follow the instructions. The TL;DR is that you’ll need to log in, enter a phone number, and select what secondary methods of verification you’d like.
Scroll down the list of secondary methods and select Add security key.
And again, select Add security key.
You’ll be given the choice of adding your phone (or one of your phones, if you have more than one) or a physical USB or NFC key. Select your phone.
You’ll get a warning that you need to keep Bluetooth on and that you can only sign in using a supported browser (Google Chrome or Microsoft Edge).
That’s it! You’ve set up your phone as a security key and can now log in to Gmail, Google Cloud, and other Google services and use your phone as the primary or secondary method of verification.
Just make sure your phone is in close proximity to your computer whenever you’re trying to log in. Your computer will then tell you that your phone is displaying a prompt. Follow the directions to verify your login, and you’re all set!
Update March 29th, 2021, 11:20AM ET: This article was originally published on April 12th, 2019, and has been updated to account for changes in the Google interface.
Firefox 95, the latest version of Mozilla’s browser that’s rolling out starting today, introduces a new security feature that’s designed to limit the damage that bugs and security vulnerabilities in its code can cause, Mozilla announced today. The feature, called RLBox, was developed with help from researchers at the University of California San Diego and the University of Texas, and it was originally released as a prototype last year. It’s coming to both the desktop and mobile versions of Firefox.
At its core, RLBox is a sandboxing technology, which means that it’s effectively able to isolate code so that any security vulnerabilities it might contain can’t harm the overall system. Sandboxing is a widely used security method across the industry, and browsers already run web content in sandboxed processes to try to stop malicious or buggy sites from compromising the overall browser.
RLBox differs from this traditional approach, however, and doesn’t have the same costs to performance and memory usage. This makes it possible to sandbox critical browser subcomponents like its spell checker, effectively allowing it to treat them as untrusted code while still running in the same process. This places limits on how code can run or which memory it can access.
As of today’s release, Firefox is isolating five modules: its Graphite font rendering engine, Hunspell spell checker, Ogg multimedia container format, Expat XML parser, and Woff2 web font compression format. Mozilla says this means if bugs or vulnerabilities are discovered in one of these subcomponents, the Firefox team won’t need to scramble to stop them from compromising the entire browser. “Even a zero-day vulnerability in any of them should pose no threat to Firefox,” Mozilla says.
Mozilla admits that it’s not a catch-all solution and that the approach won’t work everywhere, such as particularly performance-sensitive browser components. But the developer says it hopes to see other browsers and software projects implement the technology and that it intends to use it with more of Firefox’s components in the future. Mozilla has also updated its bug bounty program and will now pay researchers if they’re able to bypass the new sandboxes.
There’s a new zero-day issue in Windows, and this time the bug has been disclosed to the public by an angry security researcher. The vulnerability relates to users leveraging the command prompt with unauthorized system privileges to share dangerous content through the network.
According to a report from Bleeping Computer, Abdelhamid Naceri, the security researcher who disclosed this bug, is frustrated with Microsoft over payouts from the bug bounty program. Bounties have apparently been downgraded significantly over the past two years. Naceri isn’t alone, either. One Twitter user reported in 2020 that zero-day vulnerabilities no longer pay $10,000 and are now valued at $1,000. Earlier this month, another Twitter user reported that bounties can be reduced at any time.
Microsoft apparently fixed a zero-day issue with the latest round of “Patch Tuesday” updates, but left another unpatched and incorrectly fixed. Naceri bypassed the patch and found a more powerful variant. The zero-day vulnerability impacts all supported versions of Windows, including Windows 8.1, Windows 10, and Windows 11.
“This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one,” explained Naceri in a GitHub post.
His proof of concept is on GitHub, and Bleeping Computer tested the exploit and ran it. It is also being exploited in the wild with malware, according to the publication.
In a statement, a Microsoft spokesperson said that it will do what is necessary to keep its customers safe and protected. The company also mentioned it is aware of the disclosure of the latest zero-day vulnerability. It mentioned that attackers must already have access and the ability to run code on a target victim’s machine for it to work.
With the Thanksgiving holiday in the U.S., and the fact that a hacker would need physical access to a PC, it could be a while until a patch is released. Microsoft usually issues fixes on the second Tuesday of each month, known as “Patch Tuesday.” It also tests bug fixes with Windows Insiders first. A fix could come as soon as December 14.