By Waqas
This comprehensive Web3 guide explores its core principles, and real-world applications, and addresses the challenges and opportunities that…
This is a post from HackRead.com Read the original post: The Idea of Web3 and 7 Global Web3 Agencies

This comprehensive Web3 guide explores its core principles, and real-world applications, and addresses the challenges and opportunities that lie ahead. Learn how Web3 empowers users, fosters community ownership, and paves the way for a new era of a more open and equitable web.

The concept of Web3 has been building momentum and inspiring innovation worldwide. It promises a revolutionary change in the way we interact with the internet, offering a decentralized, community-driven alternative to the centralized platforms that dominate today’s web.

But what exactly is Web3, and why has it become such a buzzword? In this feature article, we delve into the origins of Web3, unpack its key principles, and explore the potential impact it could have on our digital lives.

Web3, also known as Web 3.0, is a vision for the third generation of internet development and usage. It builds upon the foundations of the current web (Web 2.0) but aims to address some of its inherent issues, such as centralized control, privacy concerns, and the platform-centric nature that often disadvantages users.

Fundamentally, Web3 is about decentralizing the internet, giving users greater control over their data, identity, and online interactions. It leverages blockchain technology, distributed systems, and cryptographic security to create a more open, transparent, and user-centric web.

**The Key Principles:**

*   **Decentralization (a)** **–** Web3 advocates for a distributed web where users can connect directly with each other without relying on centralized intermediaries. This is achieved through peer-to-peer networks and blockchain technology, which enables trustless interactions and shared control.
*   **Decentralization (b) –** Unlike Facebook or Google, which control vast amounts of user data, Web3 applications are built on decentralized networks like blockchain. This means data is distributed across multiple nodes, making it resistant to censorship and single points of failure.
*   **User Control and Ownership** **–** In Web3, users are meant to have sovereign control over their data, content, and digital assets. This means personal information is not siloed by large corporations, and users can choose how and when to share their data. Digital ownership is also enhanced through non-fungible tokens (NFTs) and blockchain-based assets, which are uniquely identifiable and transferable.
*   **Community Governance –** A key aspect of Web3 is the idea of community-driven governance. Many Web3 platforms are designed as decentralized autonomous organizations (DAOs), where decisions are made through consensus mechanisms and token-based voting. This shifts power from centralized entities to the community of users and creators.
*   **Interoperability and Open Standards** **–** Web3 promotes interoperability between different platforms, services, and blockchains. Using open standards and APIs, enables seamless interaction and data portability across the web, reducing platform lock-in.
*   **Incentivized Participation** **–** Web3 introduces new economic models where users are incentivized to contribute and engage. Through token rewards, users can earn value for their participation, content creation, or provision of resources. This aligns the interests of users and platforms more closely.

**Practical Examples:**

*   **Social Media and Content Platforms:** In Web3, social media platforms could be decentralized, with users owning their content and having a stake in the platform’s success. Platforms like Hive, Steemit, and Lens offer user-controlled content creation and reward systems, challenging the centralized models of Facebook or Twitter.
*   **NFTs and Digital Art:** Non-fungible tokens (NFTs) have become a prominent feature of Web3, allowing artists and creators to mint unique digital assets that can be traded or sold. Platforms like OpenSea and Rarible enable a new economy for digital art, collectibles, and even utility tokens with real-world benefits.
*   **Decentralized Finance (DeFi):** DeFi applications leverage blockchain technology to offer financial services without traditional intermediaries like banks. Users can borrow, lend, earn interest, and trade digital assets directly with each other. Platforms like MakerDAO and Compound are pioneering this space, offering decentralized alternatives to traditional finance.
*   **Metaverse and Virtual Worlds:** The metaverse, a persistent online virtual world, is closely tied to the Web3 vision. Decentraland and The Sandbox, for example, offer users the ability to own virtual land, create experiences, and interact with others in a decentralized, blockchain-based metaverse.

****Challenges and Criticisms:****

Web3 is not without its challenges and criticisms. Some question the scalability and user experience of decentralized platforms, while others raise concerns about regulatory complexities and potential misuse of blockchain-based systems. The environmental impact of certain blockchain consensus mechanisms has also been a point of contention, although many projects are now exploring more energy-efficient alternatives.

****7 Best Global Web3 Agencies****

Now that Web3 has become a global phenomenon, it also requires management. That’s where Web3 agencies come in. They provide expertise in blockchain, cryptocurrency, and decentralized applications, guiding companies into the future of the Internet. Therefore, here are 7 global Web3 agencies

**Coinband**

Coinband.io is a full-service web3 marketing agency with first-class customer experience and advanced growth marketing tools. With head offices in Dubai and Warsaw, the agency is at the forefront of Web3 marketing, specializing in token sales for projects and post-listing stage development.

Coinband offers a range of services including social media marketing (SMM), community management, public relations (PR), influencer marketing, paid advertising (PPC), SEO promotion, and website development. Among Coinband’s esteemed clientele are industry giants such as ByBit, OKX, ChainGPT, DAO Maker, Poolz, Uniswap, and NEAR.

****MarketAcross****

MarketAcross is a leading Web3, blockchain, and cryptocurrency PR and marketing agency. Established in 2015, it provides a comprehensive range of services tailored to the needs of startups and established blockchain companies.

Their offerings include public relations, content marketing, brand reputation management, social media promotions, influencer outreach, SEO, and community growth. The firm works with brands like Crypto.com, Binance, Avalanche, and Polkadot.

****Chainwire****

Chainwire is a specialized newswire syndication service tailored for the Web3, cryptocurrency, and blockchain sectors. It automates the distribution of press releases to a network of over 300 crypto-focused media outlets and mainstream news platforms such as Bloomberg, Yahoo Finance, MarketWatch, Benzinga, and NASDAQ.

This ensures that news and announcements from blockchain companies, cryptocurrency projects, and exchanges reach a wide and relevant audience. Chainwire has over 1,000 active clients and works with leading brands like Binance, BitGet, SUI, OKX, ByBit, and many more.

****Coinbound****

Coinbound is a leading digital marketing agency specializing in the cryptocurrency, blockchain, NFT, and Web3 sectors. Established in 2018, Coinbound offers a comprehensive suite of services designed to help Web3 companies grow and achieve their business goals.

Coinbound provides a wide range of services such as Influencer Marketing, Public Relations, PPC & Paid Ads, SEO, Lead Generation, Design & Development, and Fractional CMO Services. The agency has collaborated with prominent clients like MetaMask, Cosmos, Litecoin, and Immutable, solidifying its reputation as a leading agency in the Web3 marketing industry.

****NeoReach****

NeoReach is a California, United States-based crypto, blockchain, NFT and Web3 marketing agency focused on influencer marketing, assisting brands and agencies in connecting with influencers to develop and manage marketing campaigns. It offers tools for finding influencers, managing relationships, and evaluating campaign performance.

By utilizing data and analytics, NeoReach identifies the most suitable influencers for each brand, ensuring precise and effective marketing strategies. Companies use NeoReach to boost their social media reach and engagement by partnering with influencers across different sectors.

****Blockwiz****

Blockwiz is a Toronto, Canada-based full-service marketing agency dedicated to the cryptocurrency, Web3, and blockchain sectors. It provides services such as influencer marketing, content marketing, social media management, community management, and performance marketing.

Blockwiz supports blockchain projects and cryptocurrency businesses in increasing their visibility, engagement, and growth through customized marketing strategies.

****Lemonade****

Lemonade is a California, United States-based Web3 marketing agency that provides a comprehensive suite of services to help crypto and blockchain startups achieve their marketing goals. Their services include social media marketing, content marketing, influencer marketing, community management, and public relations.

**Conclusion:**

Web3 represents a bold vision for the future of the internet, offering a decentralized, user-controlled alternative to the centralized platforms of today. While it is still in its early stages, Web3 has the potential to reshape how we interact with the digital world, empowering users and fostering more open and equitable online communities.

As with any new model, there are challenges to overcome, but the principles of Web3 provide a compelling direction for the evolution of the web.

1.  Best Paid and Free OSINT Tools for 2024
2.  6 of the Best Crypto Bug Bounty Programs
3.  20 Best Amazon PPC Management Agencies
4.  The 10 Best Cybersecurity Companies in the UK
5.  10 Top DDoS Attack Protection and Mitigation Companies
6.  15 Best SaaS SEO Experts That Will Help You Dominate Online

The Idea of Web3 and 7 Global Web3 Agencies

Stalkerware app pcTattleWare had its websites defaced and databases leaked after researchers found several security flaws.

The idea behind the software is simple. When the spying party installs the stalkerware, they grant permission to record what happens on the targeted Android or Windows device. The observer can then log in on an online portal and activate recording, at which point a screen capture is taken on the target’s device.

What goes around comes around, you might say. As you may have read many times before on our blog, some spyware companies have a surprisingly low standard of security .

In 2021, we reported that “employee and child-monitoring” software vendor pcTattleTale hadn’t been very careful about securing the screenshots it sneakily took from its victims’ phones. A security researcher found an issue while using a trial version of pcTattleTale, noticing that the company uploaded the screenshots to an unsecured online database (meaning anyone could view the screenshots as they weren’t protected by any form of authentication—such as a user name and password).

Last week another security researcher, Eric Daigle, found the company appears to have learned nothing from its previous security issue. Daigle found that pcTattleTale’s Application Programming Interface (API) allows any attacker to access the most recent screen capture recorded from any device on which the spyware is installed. Despite repeated warnings from Daigle and others, no improvements were made.

Then, yet another researcher found yet another bug in pcTattletale which allowed them to gain full access to the backend infrastructure. This allowed them to deface the website and steal the AWS credentials which turned out to be the same for all devices. Amazon has now locked pcTattletale’s entire AWS infrastructure.

After a quick sweep, stalkerware researcher, Maia Crimew stated:

> “pcTattletale currently holds over 17 terabytes of victim device screenshots (upwards of 300 million of them from over 10 thousand devices), with some of them dating back to 2018.”

According to 2023 research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

Given the low security of the apps available to home users, this is extremely concerning. Installing monitoring software is not just a huge invasion of privacy, there is a big chance that it will backfire.

**Removing stalkerware**

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware-type apps from your device. It is good to keep in mind however that by removing the stalkerware-type app you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes can help you.

1.  Open your Malwarebytes dashboard
2.  Tap **Scan** **now**
3.  It may take a few minutes to scan your device.

 If malware is detected you can act on it in the following ways:

*   **Uninstall**. The threat will be deleted from your device.
*   **Ignore Always**. The file detection will be added to the Allow List, and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
*   **Ignore Once**: A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete. This option will ignore the detection this time only. It will be detected as malware on your next scan.

On Windows machines Malwarebytes detects pcTattleTale as PUP.Optional.PCTattletale.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 pcTattleTale spyware leaks database containing victim screenshots, gets website defaced 

By Cyber Newswire
Cary, United States, 28th May 2024, CyberNewsWire
This is a post from HackRead.com Read the original post: INE Security Enables CISOs to Secure Board Support for Cybersecurity Training

If there is a single theme circulating among Chief Information Security Officers (CISOs) right now, it is the question of how to get stakeholders on board with more robust cybersecurity training protocols.

There are key points debated about why you should provide cybersecurity training to your IT professionals, like the alarming increase in cyberattacks (an increase of 72% over the all-time high in 2021, according to the Identity Theft Research Center’s 2023 Data Breach Report), or the rapid evolution in technology, creating a constant game of catch-up.

But it isn’t a question of ”if” an organization will be targeted, but “when.” CISOs are increasingly anxious because while they realize the axe will fall on them when the inevitable breach occurs, securing boardroom support for heavy investment in preventative measures, like training, is challenging in a world where revenue is demanded each dollar spent.

“The path to securing the boardroom’s buy-in is more complex than simply having the right statistics and studies on paper,” says Dara Warn, the CEO of INE Security, a global cybersecurity training and certification provider. “To bridge the gap between CISOs and stakeholders, CISOs must adopt a strategic approach that combines financial impact data, relevant case studies, and compelling narratives. Framing cybersecurity training as an essential investment rather than an optional expense is critical.”

****The Human Factor in Cybersecurity****

Cybersecurity is not just about technology; it’s about people. Human error remains one of the leading causes of security breaches. A study by Verizon in their 2023 Data Breach Investigations Report found that 68% of breaches involved a human element, such as social engineering, misuse of privileges, or simple mistakes. This highlights the importance of equipping employees with the knowledge and skills to recognize and respond to potential threats.

****Case Study: Capital One Data Breach****

In 2019, Capital One experienced a data breach that exposed the personal information of over 100 million customers. The breach was caused by a misconfigured web application firewall, which allowed an attacker to access sensitive data stored on Amazon Web Services (AWS). This incident underscores the importance of training employees on cloud security practices and the proper configuration of security tools. In response, Capital One enhanced its cybersecurity training programs to include cloud security, emphasizing the need for regular audits and configuration checks. This case illustrates how specialized training can prevent costly breaches and protect sensitive data.

****The ROI of Cybersecurity Training****

Investing in cybersecurity training is not just a defensive measure; it’s a strategic investment that can yield significant returns. A well-trained workforce, not just security awareness but the SOC and networking teams, can serve as the first line of defense against cyber threats, reducing the likelihood of breaches and minimizing potential damages. According to the Ponemon Institute’s 2023 Cost of Data Breach Report, organizations with extensive incident response planning and testing programs saved $1.49 million compared to those with lower levels.

****Case Study: Maersk NotPetya Attack****

In 2017, shipping giant Maersk was hit by the NotPetya malware, which spread rapidly through its global network, causing a complete shutdown of its IT systems. The attack was initiated by a compromised software update, exploiting poor cybersecurity hygiene and a lack of employee training on identifying malicious software. The incident cost Maersk over $300 million in losses.

In response, Maersk implemented a comprehensive cybersecurity training program focusing on recognizing malicious software, securing software updates, and responding to cyber incidents. This case highlights the necessity of training employees on the latest cyber threats and best practices.

****Crafting a Compelling Narrative for the Boardroom****

The company’s financial data and case studies are important to secure, but communicating that to the boardroom remains a challenge for CISOs. To get the message across, CISOs must also craft a compelling narrative that resonates with the board members. Here are some key strategies:

****1\. Speak the Board’s Language****

Board members are often more attuned to financial metrics and business outcomes than technical jargon. CISOs should frame cybersecurity training as a business enabler that protects the organization’s bottom line. Highlighting the potential financial losses from breaches and the ROI of training programs can make a compelling case.

****2\. Use Real-World Examples****

Real-world case studies, like the attacks on Maersk NotPetya and Capital One, can illustrate the tangible impact of cybersecurity training. These examples provide relatable scenarios that underscore the importance of investing in employee education.

****3\. Leverage Data and Statistics****

Presenting data from reputable sources can lend credibility to the argument. Statistics that demonstrate the prevalence of human error in breaches and the financial benefits of training can be powerful tools in persuading the board.

****4\. Emphasize Regulatory Compliance****

Regulatory requirements, such as GDPR and CCPA, mandate stringent data protection measures. Failure to comply can result in hefty fines and reputational damage. Emphasizing how cybersecurity training can help meet these regulatory requirements can be an effective angle to secure board buy-in.

****5\. Highlight Competitive Advantage****

In an increasingly competitive market, robust cybersecurity measures can be a differentiator. Companies known for their strong security posture are more likely to attract and retain customers. CISOs can highlight how a comprehensive training program can enhance the organization’s reputation and competitive edge.

****Overcoming Common Objections****

Board members may raise objections regarding the cost and time required for cybersecurity training. CISOs should be prepared to address these concerns with data-driven arguments and strategic insights.

****Cost Concerns****

While the initial investment in training programs may seem significant, CISOs can emphasize the long-term cost savings from preventing breaches. According to the Ponemon Institute, the average cost of a data breach in 2023 was $4.45 million. Investing in training can mitigate these costs by reducing the likelihood and severity of breaches.

****Time Constraints****

Board members may worry about the time employees will spend on training. CISOs can advocate for flexible, modular training programs that allow employees to learn at their own pace without disrupting productivity. Additionally, emphasizing the efficiency of targeted training programs can alleviate concerns about time investment.

CISOs are key players in protecting their organizations from cyber threats. Getting the boardroom to buy into an investment in cybersecurity training is no easy task, but utilizing some of these strategies can make it more successful. Including these steps in the process of communicating your needs to stakeholders will help secure the support and resources needed to roll out effective training programs and ultimately better safeguard the organization’s digital and physical assets. The stakes are high, and having all stakeholders on the same team is critical to the long-term success and security of an organization.

****About INE Security****

INE Security is the premier provider of online technical training and cybersecurity certifications. Harnessing the world’s most powerful hands-on lab platform, cutting-edge technology, global video distribution network, and world-class instructors, INE is the top training choice for Fortune 500 companies worldwide, and for IT professionals looking to advance their careers. INE’s suite of learning paths offers an incomparable depth of expertise across cybersecurity, cloud, networking, and data science. INE is committed to delivering advanced technical training, while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Press Team**  
**INE**  
**\[email protected\]**

INE Security Enables CISOs to Secure Board Support for Cybersecurity Training

By Deeba Ahmed
Fake Cloud, Real Theft!
This is a post from HackRead.com Read the original post: Top Cloud Services Used for Malicious Website Redirects in SMS Scams

SMS scammers are using cloud storage from Google, Amazon, and IBM to trick you! Learn how they’re doing it and how to protect yourself from these sneaky cloud phishing scams.

The threat intelligence unit at Enea, a software security firm based in Stockholm, Sweden, has uncovered a concerning trend: cybercriminals are exploiting cloud systems to perpetrate SMS scams including Smishing or SMS phishing.

According to the investigation by the company’s threat intelligence team, cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage are being exploited to redirect users to malicious websites, stealing their information through SMS.

(Screenshot: Enea)

****How Cloud Storage is Exploited?****

Cloud storage allows organizations and individuals to store, access, and manage files, including static websites. However, cybercriminals have exploited this facility to host static websites with embedded spam URLs in their source code.

These URLs are distributed via authentic text messages, bypassing firewall restrictions. Mobile users click on links containing cloud platform domains, which direct them to the static website stored in the storage bucket, automatically forwarding or redirecting them without user awareness.

****The Scam: From SMS to Fake Websites****

According to Enea’s blog post that the company shared with Hackread.com ahead of publication on Thursday 23rd, 2024, the attackers prioritize two main objectives: delivering scam messages without network firewall detection and convincing end users to perceive the messages or links as trustworthy. 

The scam starts with a seemingly harmless text message (SMS). These messages often contain enticing offers or create a sense of urgency, tricking recipients into clicking a link. This link redirects them to a malicious website cleverly disguised as a legitimate one.

As per the research, Google Cloud Storage’s domain, “storage.googleapis.com,” is used by attackers to link to a static webpage hosted in a bucket on the platform. The spam website is loaded from that webpage using the “HTML meta refresh” method, a technique used in web development to automatically refresh or redirect a web page after a certain time period.

These fake websites, typically hosted on cloud storage buckets with names like “dfa-b.html” on Google Cloud Storage, aim to steal personal and financial information once users enter it. Users are directed to fraudulent websites offering gift cards to trick users into revealing personal and financial information. 

These SMS scammers have also been observed using links to static websites hosted on Amazon Web Services (AWS), IBM Cloud, and Blackblaze B2 Cloud.

Malicious text messages sent through popular cloud storage services (Screenshot: Enea)

****Mitigation Strategies****

Detecting and blocking URLs containing genuine Google Cloud Storage domains is challenging due to their association with legitimate domains from reputable companies. To protect yourself from cloud phishing scams, be cautious with suspicious SMS links, check website legitimacy before entering personal information, and enable multi-factor authentication (MFA) to add an extra layer of security.

1.  The Top 5 Cloud Vulnerabilities You Should Know Of
2.  Cloud security – An ongoing struggle to keep sensitive data safe
3.  New Vulnerability LeakyCLI Leaks AWS, Google Cloud Credentials
4.  Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets
5.  Dropbox Abused in New Phishing, Malspam Scam to Steal SaaS Logins

Top Cloud Services Used for Malicious Website Redirects in SMS Scams

By Uzair Amir
Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope…
This is a post from HackRead.com Read the original post: How FHE Technology Is Making End-to-End Encryption a Reality

Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope for truly secure messaging, cloud storage, and data analysis.

Encryption is like waterproofing: it needs to be all or not at all. Just as it makes no sense to waterproof a left shoe and leave the right unprotected, encrypting the consumer component of a messaging app is pointless if content can later be decrypted on cloud servers.

It’s called end-to-end encryption (E2EE) for a reason, but up until now many services claiming to utilize this technology have fallen woefully short. From an architectural perspective, E2EE is difficult to implement, particularly in applications that serve millions of users.

However, the emergence of a relatively new encryption technology is raising hope that E2EE may become a reality rather than an aspiration. Its name is Fully Homomorphic Encryption (FHE) and its unique design makes it ideally suited to services that are reliant on true end-to-end encryption.

**How End-to-End Encryption Works**

End-to-end encryption is a technology that’s meant to ensure that only users communicating with one another can read the messages. This could be two individuals chatting via a messaging application or it could be a business exchanging payment data with another entity such as a bank. Data is encrypted on the sender’s device and decrypted on the recipient’s device, preventing intermediaries, including service providers, from accessing the content.

This is achieved by using cryptographic keys that encode the message before transmitting it in encrypted form. The counterparty then decodes the message using its own cryptographic key in order to read its content. In addition to messaging apps such as Signal and Telegram, the technology is used by email providers, cloud storage services, and file-sharing platforms. It’s no exaggeration to say that E2EE is the backbone of the internet.

While E2EE can prove very effective at preventing third parties from intercepting messages, it is by no means bulletproof. Concerted attempts by adversaries, ranging from governments to state-sponsored hackers, to weaken encryption and introduce backdoors have resulted in many services that purport to use E2EE being vulnerable.

Critically, from the user’s perspective, there is no easy means of verifying whether encryption has been maintained throughout. As a result, individuals are compelled to take service providers at their word when they promise that messages are fully encrypted.

**How Encrypted Is Fully Encrypted?**

When a service claims to be end-to-end encrypted, it should be just that. In reality, implementations can differ wildly in terms of encryption strength. While it’s theoretically possible for users to check that the service they’re using is implementing robust encryption, it’s technically complex to do so, placing this ability beyond the reach of most users.

Telegram, for instance, allows users to verify that its open-source code is the same as that being used within its mobile applications and on desktop. However, this requires running a series of Terminal commands.

Telegram founder Pavel Durov has previously taken aim at other messaging applications, questioning the integrity of their E2EE. In his personal Telegram channel, he’s claimed: “An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick.”

He then elaborates on the inability for users to verify that Signal’s Github code is the same as that running in the app. It should be noted that despite its claims to offer superior encryption, Telegram has also fielded accusations of weaknesses in its own E2EE implementation.

One of the challenges is that even when a service provider has implemented robust encryption, there is still the potential for messages to be deciphered. From weak key management to compromised devices due to malware, there’s a multitude of ways in which content can be accessed by adversaries. And when a key is compromised, unless the provider generates new keys for every session, it’s possible to decrypt the entire messaging history.

Finally, even when E2EE is working optimally, its implementation places additional computational demands on networks, resulting in increased latency and reduced performance, especially on devices with limited processing power or on blockchains where resources are capped. For this reason, E2EE is by no means impregnable. Can FHE solve some of these challenges, or will it run into the same problems that have weakened existing encryption protocols?

****FHE Meets E2EE****

One of the weak points with traditional E2EE is when it comes to decrypting the data: it’s here that there’s potential for a third party to gain access to it. FHE, in comparison, allows computation to be performed directly on encrypted data without decryption, ensuring that data remains protected throughout the entire process. This is its greatest attribute and the one that differentiates it from other encryption technologies.

It may be hard to visualize the benefit FHE brings to bear in this respect when considering a messaging application, in which the data must be decrypted before it can be read by the recipient. But consider another instance in which FHE proves superior at safeguarding data within E2EE systems: email. Here, FHE makes it possible for an email provider or cloud service to return results from an encrypted database without actually seeing the data.

This capability can also be extended to numerous other use cases in which data can be analyzed without disclosing its contents: analysts can run algorithms on encrypted datasets, with the results only decryptable by the intended recipient. Or machine learning models can be trained using encrypted data. This allows organizations to leverage powerful AI tools without compromising the privacy of the underlying data.

Within a blockchain context, fully homomorphic encryption also has significant potential, particularly in the construction of end-to-end encrypted applications for messaging or transmitting financial data. Fhenix, for example, is powered by fhEVM, a variation of the Ethereum Virtual Machine, that supports confidential smart contracts. As a result, confidential data can be analyzed and transmitted without its contents being disclosed.

Given that data remains encrypted at all stages with FHE – in transit, at rest, and during processing – it’s easy to see why developers are so excited about its potential for strengthening E2EE systems.

FHE can reduce the attack surface and ensure that sensitive data is never exposed to unauthorized parties, even during processing. This eliminates the need to trust service providers since they only handle encrypted data and mitigates the risks associated with data breaches. 

If FHE can achieve wider adoption, both in blockchain and traditional systems, end-to-end encryption may soon live up to its name, providing truly unbreakable data protection.

1.  WhatsApp Engineers Fear Encryption Flaw Exposes User Data
2.  8 tips to protect company data sent via home internet connections
3.  Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps

How FHE Technology Is Making End-to-End Encryption a Reality

4BRO versions prior to 2024-04-17 suffer from insecure direct object reference and API information disclosure vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20240522-0 >=======================================================================               title: Broken access control & API Information Exposure             product: 4BRO App  vulnerable version: before 2024-04-17       fixed version: 2024-04-17          CVE number: -              impact: Critical            homepage: https://www.4bro.de               found: 2023-05-07                  by: Max Rull (Office Bochum)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Eviden business                      Europe | Asia                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"4BRO is a German company known for producing iced tea beverages. The brand offersa variety of flavors, including unique combinations such as peach, bubblegum,and watermelon mint. 4BRO emphasizes modern and appealing packaging, targetinga younger demographic. The company promotes its products through various platformsand incentivizes customer loyalty with their app, which allows users to collectpoints for rewards. The company's headquarters is located in Germany, and theirproducts are widely available both online and in retail stores."Source: https://www.4bro.deBusiness recommendation:------------------------The vendor has fixed the security issues in the API server as of 2024-04-17.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Broken access control via IDOR in 4BRO app APIAn IDOR vulnerability (Insecure Direct Object Reference) allows an attackerto change the username in the Bearer token used for authentication in the 4BRO app.This leads to account takeover as a result of broken access control (poor Bearertoken verification). Attackers are able to access all data or Bro points ("broins")from other users.2) API Information ExposureWhen opening the app as an unauthenticated user, the 4BRO app loads JSON datafrom a publicly available API endpoint containing sensitive data like e-mailaddresses of employees, internal invoices, a CV including personal information,a gift card etc.Proof of concept:-----------------1) Broken access control via IDOR in 4BRO app APIWhen logging in into the 4BRO app, the server returns a JWT (JSON Web Token).The "login" HTTP request looks like this:--------------------------------------------------------------------------------POST /api/user/signin HTTP/2Host: adminpanel.4bro.deContent-Type: application/json[...]{"email":"<login email>","password":"<login password>"}--------------------------------------------------------------------------------The server responds with a JWT used for authentication and additionalaccount-related data:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8[...]{     "token": "<JWT here>",     "userData": {         "isBlocked": false,         "_id": "[...]",         "userType": "USER",         "email": "<login email>",         "broins": 0,         "deviceId": null,         "userCreationDate": "2023-XX-XXTXX:XX:XX.XXXZ",         "address": [{                 "_id": "[...]",                 "streetName": "[...]",                 "streetNumber": "[...]",                 "postalcode": "[...]",                 "city": "[...]",                 "firstName": "[...]",                 "lastName": "[...]",                 "country": "at"             }         ],         "ratings": [],         "__v": 0,         "pushToken": "[...]",         "telekomUUID": "[...]"     }}--------------------------------------------------------------------------------Because the JWT is only base64-encoded, it is easy to decode the JWT'sheader and payload as clear text using JWT decoders like https://token.dev/:--------------------------------------------------------------------------------Header:{   "kid": "[...]",   "alg": "RS256"}--------------------------------------------------------------------------------Payload:{   "sub": "[...]",   "event_id": "[...]",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 1683565567,   "iss": "https://cognito-idp.eu-central-1.amazonaws.com/[...]",   "exp": 1683569167,   "iat": 1683565567,   "jti": "[...]",   "client_id": "[...]",   "username": "<login email>"}--------------------------------------------------------------------------------The payload of the JWT contains multiple values indicating that AWS Cognito is in use.By changing the "username" value of the JWT payload to a victim email, it is possibleto use the modified JWT for authenticating as the victim. The victim should alreadyhave a normally registered account in the 4BRO app. By trial and error, it turns outthat even the following modified JWT payload gets accepted by the server:--------------------------------------------------------------------------------{   "sub": "0",   "event_id": "0",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 0,   "iss": "",   "exp": 0,   "iat": 0,   "jti": "0",   "client_id": "0",   "username": "<login email>"}--------------------------------------------------------------------------------Meanwhile, the "kid" property in the JWT header must be a valid value, but can belongto any other already existing 4BRO app account. The JWT signature can be the sameand does not get verified at all.Using the modified JWT, all API methods supported by the 4BRO app can be executed.Because the server only checks the "username" property in the JWT payload and doesslim to none JWT verification, the server thinks that the request came from theaccount associated with the login email contained in the "username" property.This way, sensitive data such as the current "broin" balance, full user data as seenin the login response, previous transactions, redeemed vouchers and goodies etc.can be accessed without restrictions, using the 4BRO API. Also, the "sending broins"action can be performed so that earned "broins" could be transferred to an attacker'saccount balance.2) API Information ExposureBy monitoring the 4BRO app's requests over a proxy, it can be observed thatthe following HTTP request is made when opening the "Goodies" section of the app:--------------------------------------------------------------------------------GET /api/goodies?pageSize=1000 HTTP/2Host: adminpanel.4bro.de[...]--------------------------------------------------------------------------------The response is a JSON object containing all goodies that are or were at some pointavailable in the 4BRO app:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8Content-Length: 327138[...]{     "goodiesList": [{             "_id": "61950603005c650530b63aac",             "name": "1x 4BRO Getränk Imbiss",             "longDescription": "[...]",             "shortDescription": "Auf unseren Nacken!",             "imagePath":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/goodies/app_kachel_food_256x256.jpg",             "category": "Food",             "quantity": 999999999999808,             "costOfGoodie": 250,             "supplier": "<email removed>",             "totalGoodies": 999999999999861,             "goodieAvailableTime": "Unlimited",             "deliveryMethod": "partnerCoupon",             "isNewGoodie": false,             "inhouseAppVoucherUrl":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/inhouseAppVouchers/undefined",             "__v": 1,             "rating": {                 "value": 3.991869918699184,                 "total": 123             },             "forceGoodie": "true",             "goodieAvailableEndTime": null,             "goodieAvailableStartTime": null,             "restriction": [],             "hidden": false,             "slashedCostOfGoodie": null         },{    [...]    },    [...]    }     ],     "goodieCount": 371}--------------------------------------------------------------------------------This JSON object contains already sensitive data such as the goodie supplier's emailaddresses. Out of the 371 goodies, 36 of those have a URL to a PDF file containedwithin the "inhouseAppVoucherUrl" property. Because these files are hosted on anAWS S3 bucket, everyone can access these documents without authentication.These documents seem to contain various sensitive company internal and personalinformation.While discovering vulnerability 1), we found that old gift codes were also stored asPDF files on the AWS S3 bucket. The names of the gift code PDF files indicate thatthere may be more similarly named documents (IDOR) which could be detected in anautomated way. This could be leveraged to find additional gift code PDF files storedon the AWS S3 bucket.Vulnerable / tested versions:-----------------------------The following app version has been tested and downloaded through Google Play store,which was the most recent version available at the time of the test:* 3.14.7Because the vulnerability is actually server-side within the API, the iOS app wasalso affected at the time the vulnerabilities were discovered.Vendor contact timeline:------------------------2023-06-12: Contacting vendor through broservice@4bro.de (owner) and info@dev5310.com             (developers according to Google Play store)2023-06-15: Vendor asks about the risks of the identified vulnerabilities and which             parts of the application are affected and whether any costs would arise             before they provide us with a security contact.2023-06-16: Detailed answer regarding risk estimation, responsible disclosure and             that no costs are involved.2023-06-19: Vendor requests a phone conference, scheduled for 21st June.2023-06-21: Clarifying responsible disclosure, explaining vulnerabilities and next             steps in phone call. Providing security advisory to vendor.2023-06-29: Vendor has sent the advisory to the developer team for evaluation             and will notify SEC Consult about the release of the security patch.2023-08-18: Asking for a status update.2023-08-31: It is planned to release an Android/iOS app update end of September2023-09-18: Vendor needs to postpone update, no new date available.2023-11-08: Asking for a status update; no response.2023-11-21: Asking for a status update.2023-12-11: Vendor response, fix is available in test environment, production             will be fixed by end of this year.2024-01-24: Asking for a status update; no response.2024-02-12: Asking for a status update.2024-02-12: Vendor is still waiting for a response from their IT.2024-04-17: Asking for a status update.2024-04-17: Vendor states that the vulnerabilities have been fixed.2024-04-17: Asking for the fix date, whether an app update was needed for applying             the fix, and the fixed app version. No response.2024-05-13: Asking vendor again about fixed version, etc., setting preliminary release             date to 2024-05-21. No response.2024-05-22: Release of security advisorySolution:---------The vendor implemented a fix in the affected API server as of 2024-04-17.An app update on Android or iOS is not required to apply the fix.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF M. Rull / @2024

4BRO Insecure Direct Object Reference / API Information Exposure

Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

Stark Industries Solutions: An Iron Hammer in the Cloud

Plus, SS7 vulnerabilities are being exploited and BreachForums is taken down again.

Thursday, May 23, 2024 14:00

Since the advent of products like the Tile and Apple AirTag, both used to keep track of easily lost items like wallets, keys and purses, bad actors and criminals have found ways to abuse them. 

These adversaries can range from criminals just looking to do something illegal for a range of reasons, but maybe just looking to steal a physical object, to just a jealous or suspicious spouse or partner who wants to keep tags on their significant other. 

Apple and other manufacturers who make these devices have since taken several steps to curb the abuse of these devices and make them more secure. Most recently, Google and Apple announced new alerts that would hit Android and iOS devices and alert users that their devices’ location is being connected to any location-tracking device.  

“With this new capability, users will now get an ‘\[Item\] Found Moving With You’ alert on their device if an unknown Bluetooth tracking device is seen moving with them over time, regardless of the platform the device is paired with,” Apple stated in its announcement. 

Companies Motorola, Jio and Eufy also announced that they would be adhering to these new standards and should release compliant products soon.  

Certainly, products like the AirTag and Samsung trackers that these companies have direct control over will now be more secure, and hopefully less ripe for abuse by a bad actor, but it’s far from a total solution to the problem that these types of products pose. 

As I’ve pointed out in the past with security cameras and any other range of internet-connected devices, online stores are filled with these types of products, promising to track users’ personal items with an app so they don’t lose common household items like their phones, wallets and keys.  

Amazon has countless listings under “location tag” for a range of AirTag-like products made by unknown manufacturers. Some of these products are slim enough to fit right into the credit card pocket of a wallet or purse,  and others are smaller than the average AirTag and even advertise that they can remain hidden inside a car.  

I admittedly haven’t been able to dive into these individual devices, but some of them come with their own third-party apps, which come with their own set of security caveats and completely take it out of platform developers’ hands.  

There are also other “find my device”-type services that pose additional security concerns outside of just buying a small tag. Android’s new, enhanced “Find My Device” network is a crowdsourced solution to help users potentially find their lost devices, similar to iOS’ Find My network.  

The Find My Device network works by using other Android devices to silently relay the registered device’s approximate location, even if the device being searched for is offline or turned off. In the wrong hands, there are a range of ways that can be abused on its own.  

So, rather than relying on developers and manufacturers to make these services more secure, I have a few tips for how to use AirTag-like devices safely, if you really can’t come up with a better solution for not losing your keys. 

*   Check for suspicious tracking devices. On iOS, this means opening the “Find My” app and navigating to Items > Items Detected Near You. Any unfamiliar AirTags will be listed here. On Android, you can do the same thing by going to Settings > Safety & Emergency > Unknown Tracker Alerts > Scan Now. 
*   Remove yourself from any “Sharing Groups” unless it’s a trusted contact in your phone using the Find My app on iOS. 
*   If location tracking is your primary concern (especially for parents and their children) using the Find My app on iOS and Android is generally a more secure option than trusting a third-party app downloaded from the app store or relying on a Bluetooth connection.  
*   Manage individual apps’ settings to ensure only the services that \*really\* need to track your device’s physical location are using it. (Ex., you probably don’t need Facebook tracking that information.) 
*   Since AirTags are connected to your Apple ID, ensure that login is secured with multi-factor authentication (MFA) or using a passkey.  

**The one big thing **

Cisco recently developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation. Threat actors employ a variety of techniques to embed brand logos within emails. One simple method involves inserting words associated with the brand into the HTML source of the email. New data from Talos found that popular brands like PayPal, Microsoft, NortonLifeLock and McAfee are among some of the most-impersonated brands in these types of phishing emails.  

**Why do I care? **

Brand impersonation could happen on many online platforms, including social media, websites, emails and mobile applications. This type of threat exploits the familiarity and legitimacy of popular brand logos to solicit sensitive information from victims. In the context of email security, brand impersonation is commonly observed in phishing emails. Threat actors want to deceive their victims into giving up their credentials or other sensitive information by abusing the popularity of well-known brands. 

**So now what? **

Well-known brands can protect themselves from this type of threat through asset protection as well. Domain names can be registered with various extensions to thwart threat actors attempting to use similar domains for malicious purposes. The other crucial step brands can take is to conceal their information from WHOIS records via privacy protection. And users who want to learn more about Cisco Secure Email Threat Defense's new brand impersonation detection tools can visit this site. 

**Top security headlines of the week **

**Adversaries have been quietly exploiting the backbone of cellular communications to track Americans’ location for years,** according to a U.S. Cybersecurity and Infrastructure Security Agency (CISA). The official broke ranks with their agency and reportedly shared this information with the Federal Communications Commission (FCC). The official said that attackers have used vulnerabilities in the SS7 protocol to steal location data, monitor voice and text messages, and deliver spyware. Other targets have received text messages containing fake news or disinformation. SS7 is the protocol used across the globe that routes text messages and calls to different devices but has often been a target for attackers. In the past, other vulnerabilities in SS7 have been used to gain access to telecommunications providers’ networks. In their written comments to the FCC, the official said that these vulnerabilities are the “tip of the proverbial iceberg” of SS7-related exploits used against U.S. citizens. (404 Media, The Economist) 

**The FBI once again seized the main site belonging to BreachForums,** a popular platform for buying and selling stolen personal information. Last year, international law enforcement agencies took down a previous version of the cybercrime site and arrested its administrator, but the new pages quickly emerged, using three different domains since the last disruption. American law enforcement agencies also took control of the forum’s official Telegram account, and a channel belonging to the newest BreachForums administrator, “Baphomet.” However, the FBI has yet to publicly state anything about the takedown or any potential arrests. BreachForums isn’t expected to be gone for long, as another admin named “ShinyHunters” claims the site will be back with a new Onion domain soon. ShinyHunters claims they’ve retried access to the seized clearnet domain for BreachForums, though they did not provide specific methods. BreachForums is infamous for being a site where attackers can buy and sell stolen data, offer their hacking services or share recent TTPs. (TechCruch, HackRead) 

**The U.S. Department of Justice charged three North Koreans with crimes related to impersonating others to obtain remote employment in the U.S., which in turn generated funding for North Korea’s military.** The three men, and another U.S. citizen, were charged with what the DOJ called “staggering fraud” in which they secured illicit work with several U.S. companies and government agencies using fraudulent identities from 60 real Americans. The U.S. citizen was allegedly placed laptops belonging to U.S. companies at various residences so the North Koreans could hide their true location. North Korean state-sponsored actors have used these types of tactics for years, often relying on social media networks like LinkedIn to fake their personal information and obtain jobs or steal sensitive information from companies. More than 300 companies may have been affected, with the perpetrators earning more than $6.8 million, most of which was used to “raise revenue for the North Korean government and its illicit nuclear program,” according to the DOJ. (ABC News, Bloomberg) 

**Can’t get enough Talos? **

*   Proactive Threat Hunting in Duo Data 
*   Talos Takes Ep. #184: Recapping RSA  
*   You have to look out for these hacks in 2024! 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_ 

> _B_ill Largent from Talos' Strategic Communications team will be giving our annual "State of Cybersecurity" talk at Cisco Live on Tuesday, June 4 at 11 a.m. Pacific time. Jaeson Schultz from Talos Outreach will have a talk of his own on Thursday, June 6 at 8:30 a.m. Pacific, and there will be several Talos IR-specific lightning talks at the Cisco Secure booth throughout the conference.

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent

Tag

#amazon