The passwordless future just became closer to reality, as Microsoft, Apple, and Google pledge to make the standard possible across operating systems and browsers.

Apple, Google, and Microsoft will expand support for FIDO Alliance's passwordless standard to make logins easier across mobile devices and desktops.

By expanding support for the password-free sign-in standard from the FIDO Alliance and the World Wide Web (W3) Consortium, Google, Microsoft, and Apple will make it possible for anyone to use their mobile device to sign into an app or website on a nearby device. More importantly, users will be able to access passkeys – their FIDO sign-in credentials – across multiple devices without having to re-enroll every account on each device. This will be a key change from the current reality, where users have to sign into each website or app with each device before they can take advantage of the passwordless feature.

"We plan to implement passwordless support for FIDO Sign-in standards in Android & Chrome. Apple and Microsoft have also announced that they will offer support for their platforms," writes Sampath Srinivas, a product management director for secure authentication at Google and the president of the FIDO Alliance. "This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password. These capabilities will be available over the course of the coming year."

**Case for No More Passwords**  
Passwords do not provide sufficient security – they can be stolen or guessed if the password itself isn't very good. Weak passwords accounted for more than 80% of all data breaches, according to Verizon's annual Data Breach Investigations Report. Passwords are the single largest attack vector and the root cause of most attacks -- including account takeovers, advanced persistent threats, and ransomware, says Jasson Casey, CTO of Beyond Identity. Four out of five times adversaries rely on stolen credentials for initial access and lateral movement, he says.

"Password-based authentication has failed us. Full stop," Casey says.  

There are more than 921 password attacks every second, writes Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft. That represents more than double the figure over the past 12 months.

A new Google/Ipsos survey found that one in three Americans share passwords with someone else or have access to someone else's passwords, and 65% of respondents say they reuse passwords. One in five use common words or easy-to-guess terms for passwords, and 52% say they incorporate personal information such as name and birthday into the password.

"The alternatives \[to passwords\] often are unworkable, unwieldy, or just not likely to be adopted by consumers, especially the non-tech-savvy ones or those who are on the lower end of the socio-economic scale," says John Bambenek, principal threat hunter at Netenrich.  

Passwords are still ubiquitous despite the issues because they are relatively easy to implement and people know how to use them, which is why passwords still haven't gone away. Instead, security teams rely on technologies such as multifactor authentication and password managers to provide additional protection to strengthen the security around accounts, platforms, and data. 

However, these controls have made "marginal security gains," Casey says, mainly because they still rely on passwords and the second factors can be intercepted via social engineering methods (such as one-time passwords sent over SMS).

**Cross-Platform Passwordless**  
The good news is that technology is now in place to make passwordless authentication a reality, Casey says. Secure enclaves are prevalent (and resident in nearly every device), and almost all enterprise and consumer apps can leverage secure enclaves to easily delegate passwordless authentication.

The announcement from Google, Microsoft, and Apple indicates the expanded support will be implemented in macOS and Safari, Android and Chrome, and Windows and Edge. The actions used to unlock the mobile device — such as fingerprint, face scan, and device PIN — will give access to the passkey stored on the device. Signing in with the passkey is more secure because it's based on public key cryptography, Srinivas says. Even if the device is lost, the passkeys will sync back to the mobile device from cloud backup, he says.

All of this will be cross-platform. Ideally, a user would be able to sign into a website via Google Chrome on a Windows machine using a passkey on an Apple device.

"This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS," the FIDO Alliance said in a statement.  

Implementations that rely on secure enclaves, especially those already built into modern devices, such as the Trusted Platform Module on laptops and desktops, combined with the security posture of the device itself make passwordless authentication a reality, Casey says.

Jennifer Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), praises the announcement, calling it "the type of forward-leaning thinking that will ultimately keep the American people safer online."

Passwordless needs to be easy. "If you don’t consider usability, your users will create your next vulnerability," Casey warns.

Microsoft, Apple, and Google Promise to Expand Passwordless Features

Reproductive rights are still largely guaranteed in the United States. Here are some key privacy concepts to adopt in the event that they're not.

While it may be increasingly important for people in the US to consciously consider what they're posting when it comes to their own abortions or those of loved ones, Hayley McMahon, an independent public health researcher who studies abortion access, notes that the goal of this advice is not to chill speech, but to keep people safe.

“I don’t ever want to tell someone they shouldn’t talk about their experience or they can’t talk about their experience, because there’s tons of power in abortion storytelling,” McMahon says. “But I think people need to have all of the information and an understanding of the risks, and then they can make choices about what to say where.”

Know Your Rights

Researchers emphasize, too, that people in the US should know and feel secure in their rights when it comes to dealing with law enforcement. If you are being questioned by police, you can simply say, “I am exercising my right to remain silent and I want to speak with an attorney.” Resources like the Repro Legal Helpline can help connect you with specific legal advice. Additionally, lock your devices with a strong, unique PIN number, keep them locked, and simply ask for an attorney if a cop attempts to compel you to unlock your device. 

McMahon also adds that in the very rare case of a complication with a medication abortion, people should not feel pressure to disclose the treatment to clinicians in the emergency room or other health care settings. Simply saying, “I think I'm having a miscarriage” will suffice.

“People need to understand that it's impossible to tell the difference between spontaneous miscarriage and medication abortion,” McMahon says. “Medication abortion simply induces a miscarriage. And of course, we typically want everyone to disclose their health history to their clinician, but in this case, the treatment is the same, so nothing is lost by not disclosing that information.”

Deluge of Data

Using apps, browsing the web, and using search engines are all activities that can expose personal details, creating a major challenge in controlling the flow of personal information as people research or seek abortions. And often by the time someone is seeking an abortion, they have already generated data that could reveal their health status. Period-tracking apps, for example, gather data that may seem benign but is clearly sensitive in the context of potential abortion criminalization. In one recent case, the Federal Trade Commission investigated and sanctioned the fertility-tracking app Flo Health for sharing user health data with marketing and analytics firms, including Facebook and Google. And researchers have also found numerous examples of health websites sharing personal data with third parties or conducting targeted ad-tracking without adequately informing users and in violation of their privacy policies.

Using a search engine that doesn't track potentially sensitive user data, like DuckDuckGo, and browser extensions that block web trackers, like EFF's Privacy Badger, are all steps you can take to significantly cut down on how much of your browsing data ends up in tech companies' hands. And consider analog options, if possible, for recording and storing reproductive information, like a notebook or paper calendar where you log details of your menstrual cycle.

One of the most pernicious and complicated aspects of attempting to rein in your personal data as you research or seek an abortion is the question of how to mitigate the collection of your location data. Always turn off location services for as many apps as possible—iOS and Android both make this relatively easy now. And if you're traveling to receive an abortion, you might consider leaving your phone at home or keeping it in a faraday bag for as much of the trip as possible.

“A lot of those data-generating activities that you’ve already engaged in in the past are already out there,” says Andrea Downing, founder of the nonprofit Light Collective and a security and privacy researcher focused on patient populations and social media. “You can delete apps from here forward, turn off location services, stop using a fertility app, and those are all great steps. But it's also reasonable if people can't remember everything all the time. Patient populations are susceptible and vulnerable online, and we need to focus on protecting them.”

McMahon, the independent public health researcher, echoes this sentiment, noting that any small steps a person can take to defend their data are positive and should be celebrated.

“I want to emphasize, it is definitely not someone's fault if they forget to do any of these things and then get criminalized,” she says. “People may feel like they made a mistake if they reach out to others for help, but no! You did a normal human thing and the system is criminalizing you.”

While issues of digital privacy are extremely salient to people seeking abortions, they impact every marginalized and disenfranchised group. And as the Light Collective's Downing points out, they ultimately affect everyone.

_“Roe v. Wade_ is about privacy, it was always the core thing underlying that case,” she says. “So even if you are not a person seeking an abortion, you need to be thinking in terms of how your rights may be next.”

How to Protect Your Digital Privacy if Roe v. Wade Falls

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Emotet made headlines last week for being “back” after a major international law enforcement takedown last year. But I’m here to argue that Emotet never left, and honestly, I’m not sure it ever...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

As Nick Biasini and I covered in a December episode of Talos Takes, these takedowns are always incredibly helpful and a show of strength among the international community. But it doesn’t mean they’re a final nail in the coffin.  

Nick pointed out to me in that Talos Takes that there weren’t any arrests associated with the takedown, so the operators were always still out there ready to come back. And we started seeing Emotet send spam again as soon as nine-ish months after the takedown announcement.  

“In this particular case, we saw a botnet disruption, more than anything else,” Nick said. 

So it really shouldn’t be a surprise to anyone that Emotet is re-loading again. It’s known to go on months-long breaks, usually picking up around major holidays or international events like Black Friday and Cyber Monday. 

I admittedly don’t know enough about the ins and outs of taking down a botnet to say if something like this could ever be permanent or if there ever really is a way to truly end it for good. But if Emotet goes quiet for another few months and then magically pops up again in September, no one should be surprised. 

Take Silk Road, an infamous dark website for drug trade, needed three international takedown efforts over two years to truly shut down the site and stop any predecessors from popping up, even after its initial founder was arrested. 

As all these threats have shown us, as defenders, we can never let our guard down that a threat is ever truly gone no matter how impressive a press release sounds.  

**The one big thing **

Our researchers recently studied a trove of leaked chat logs between the Conti and Hive ransomware operators and their victims. From them, we learned more about how the groups choose their victims, how a triple-extortion attempt usually goes down and more about the inner workings of these actors. In our latest research paper, we run through these findings and provide a look into these chats so other security researchers and potential targets can be more prepared to fight these groups and spot their weaknesses.  

> **Why do I care? **
> 
> The chats we studied are completely new from the Conti leaks from earlier this year, so we continue to learn more about this group as time goes on. For starters, victims should take away from this research that if the plan is to pay the ransom, never take the actor’s first offer, they almost always reduce their asking price over time. We now know more about these groups’ negotiating tactics, which can be helpful for anyone who may be a future target or victim of these groups.  
> 
> **So now what? **Pretty much the same as always if the goal is to never be hit with one of these ransomware attacks. This is a reminder to all organizations to implement a strong patch management system and keep all systems up to date. Organizations should also perform general system hardening that includes removing services or protocols running on endpoints where they are unnecessary. 

**Other newsy nuggets **

For many years, Russia was viewed as off-limits for cyber attacks over the risk of potential retaliation. But after the country’s invasion of Russia, the floodgates have opened to hactivists and volunteers who are hitting the country’s networks at an unprecedented rate. Even some ransomware groups have gotten in on the action. Even early in the invasion, Russia suffered a major setback because actors in Belarus disrupted the country’s railway system that was still relying on Windows XP, slowing down Russia’s supply lines and potentially staving off an invasion of Kyiv, the country’s capital. (Washington Post, Wired, ComputerWorld) 

Users can now opt-out of having their personal information appear in Google search results. The search engine recently loosened its policies on this opt-out. Previously, users had to show a threat of doxxing or other harm that could come to them should something like their phone number, address or email show up when you searched their name. Now, the company says people can ask for their information to be removed even if there is no clear risk. This is not a catch-all step to protecting your identity online, but it’s a solid start for anyone looking to be more privacy-conscious. (NPR, CNET) 

A Chinese state-sponsored actor has been snooping on more than 30 major companies’ networks for more than two years to steal intellectual property. Security researchers say the APT41 threat actor used what they dubbed "Operation Cuckoo Bees” to steal trillions of dollars' worth of everything from engineering blueprints to experimental diabetes treatments and solar panel designs. As of this week, the campaign is still ongoing. (SC Magazine, CBS News) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #94: Everything you need to know about the BlackCat ransomware group
*   Vulnerability Spotlight: Two vulnerabilities in Accusoft ImageGear could lead to DoS, arbitrary free
*   Threat Roundup for April 22 - April 29

**Upcoming events where you can find Talos ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa **MD5:** df11b3105df8d7c70e7b501e210e3cc3 **Typical Filename:** DOC001.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1    **MD5:** 3e10a74a7613d1cae4b9749d7ec93515**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A    **Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426    
**MD5:** a841c3d335907ba5ec4c2e070be1df53  **Typical Filename:** chip 1-click installer.exe    
**Claimed Product:** chip 1-click installer     
**Detection Name:** Win.Trojan.Generic::ptp.cam  

**SHA 256:** 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97   **MD5:** 258e7698054fc8eaf934c7e03fc96e9e   **Typical Filename:** samsungfrp2021.exe     
**Claimed Product:** N/A   **Detection Name:** W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34

Threat Source newsletter (May 5, 2022) — Emotet is using up all of its nine lives

With 80% of companies using cloud collaboration tools, cybercriminals are using multichannel phishing attacks to exploit security gaps in the hybrid work model.

The modern workforce is hybrid, and remote work is here to stay. With 80% of companies using cloud or hybrid cloud collaboration tools, it's fertile ground for a cybercriminal to expand the threat surface. Multichannel phishing is becoming the preferred way to deliver these attacks as threat actors exploit security gaps in the hybrid work model. While organizations focus on protecting email from phishing and malware, there are gaps in defenses for other channels. In a recent report on how to respond to the cyberthreat landscape, Gartner warns of the use of multichannel phishing approaches that combine social engineering, vishing, smishing, email, and Web phishing attacks in a single campaign.

Today, 91% of all cyber breaches include a phishing attack because these types of attacks often succeed. Cybercriminals are so successful because these attacks are increasingly sophisticated, zero-hour spear-phishing threats designed specifically to slip past traditional security controls Threats to the mobile channel continue to grow with malicious apps, as well as malicious SMS messages with and without malicious links, spear-phishing, and malicious Web content. Mobile devices are an excellent opportunity because they are less protected, URL inspection is harder on mobile devices, phones have smaller screens than computers, and content is often truncated. Cybercriminals take advantage of distracted users who conduct quick work tasks and transactions, which offers the perfect environment for launching multichannel attacks.

Cybercriminals are capitalizing on digital channels that aid the productivity of remote workers like SMS/text, Slack, LinkedIn, Zoom, Microsoft Teams, Google Meet, and WhatsApp. These channels are less protected and provide an easy way to trick users, steal credentials, and ultimately exfiltrate data from an organization. A growing trend for cybercriminals is to use WhatsApp and SMS to send malicious URLs that appear identical to a Microsoft Teams meeting invite, which they use to harvest Microsoft 365 credentials. This benign invite contains a malicious URL that takes the user to a landing page asking them to enter their Microsoft 365 credentials, and, just like that, a user has given up their login credentials. These credentials now enable the cybercriminal to take over an account and continue to deliver phishing attacks from legitimate services like AWS, Azure, Outlook, and SharePoint.

In most cases, these attacks will bypass most phishing detection tools. SlashNext Threat Labs saw a 57% increase in phishing attacks from trusted services from the fourth quarter of 2021 to the first months of 2022. The trusted reputation of these domains enables cybercriminals to easily evade current detection technologies using domain reputation and blocklists like SEG, proxy, SASE, and endpoint security tools. Attackers use shared services to get around domain reputation technologies with increased frequency. Using mainstream, legitimate commercial infrastructure sites to avoid detection has been a successful tactic, and the growth in these threats continues in 2022.

It's long been known that phishing attacks are getting through gaps in current defenses like secure email gateways, advanced threat protection, and identity graph technology. In addition, some users are accessing corporate tools outside of all security defenses. It should be on every cybersecurity leader's list to address multichannel phishing in 2022. So, how do you know if multichannel phishing is a problem in your organization? Start by assessing the phishing attack surface in your organization. Here are a few questions to get started: Where are your employees protected from phishing? Are they protected when accessing URLs on their browser or their mobile device? Are your users protected from zero-hour threats in real time? Answering no to these questions can indicate that your users and the organization are at risk.

A cyber readiness plan to protect against multichannel phishing should include people, processes, and tools. Ensure the plan includes educating users about the risk of multichannel phishing. Communicate about preventative strategies for how to identify social engineering tactics and suspected compromises. Implement an abuse inbox, and enable alerts for suspicious activity, such as foreign logins. Install security tools that leverage AI and computer vision to detect and block malicious zero-hour threats across email, Web, and mobile.

**About the Author**

    

Patrick Harr is CEO of SlashNext, the authority in multichannel phishing and human hacking protection across email, Web, and mobile.

Multichannel Phishing Concerns Cybersecurity Leaders in 2022

Google has released updates for Android and its Pixel phone. We discuss the three vulnerabilities that were classified as critical.
The post Google fixes two critical Pixel vulnerabilities: Get your updates when you can! appeared first on Malwarebytes Labs.

Google has made updates available for Android 10, 11, 12 and 12L. The May Android Security Bulletin contains details of security vulnerabilities affecting Android devices.

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices. Pixel phones are Google’s “pure Android” phones.

In total, these two bulletins mention three vulnerabilities rated as critical. Two of those vulnerabilities only concern Pixel users.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below we will discuss the CVEs that were rated as critical.

**Bootloader**

CVE-2022-20120: A remote code execution (RCE) vulnerability in the bootloader. On Android, the bootloader is a piece of software that loads the OS every time you boot your phone. By default, it will only load software that was signed by Google. But if you unlock the bootloader, it will load whatever software you tell it to. The exact issue has (not yet) been disclosed, but depending on the level of access needed to exploit this vulnerability, this could be very serious.

**Titan-M**

CVE-2022-20117: An information disclosure (ID) vulnerability in Titan M. Titan M is an enterprise-grade security chip custom built for Pixel phones to secure the most sensitive on-device data and operating system. Titan M helps the bootloader make sure that you’re running the right version of Android. Again, details about the issue have (not yet) been disclosed. But being able to steal information from the part that is supposed to secure the most sensitive data doesn’t bode too well.

**Qualcomm**

Qualcomm’s chipsets are the most common ones in the Android smartphone space. The severity assessment of their issues is provided directly by Qualcomm.

CVE-2021-35090: CVSS 9.3 out of 10. Listed by Qualcomm as a Time-of-check Time-of-use (TOC TOU)  Race Condition in Kernel. And specified as a possible hypervisor memory corruption due to TOC TOU race condition when updating address mappings. In general a TOC TOU occurs when a resource is checked for a particular value, such as whether a file exists or not, and that value then changes before the resource is used, invalidating the results of the check. A race condition occurs when two or more threads can access shared data and they try to change it at the same time.

**Mitigation**

None of the vulnerabilities have been flagged as being used in the wild. Google discloses that the most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege (EoP) with user execution privileges needed, but does not tell us which of the four candidates that is.

For Google and other Android devices, security patch levels of 2022-05-05 or later address all issues in these bulletins. To learn how to check a device’s security patch level, see Check and update your Android version. We encourage all users to update to the latest version of Android where possible.

The Pixel 3a and Pixel 3a XL series will receive security updates for the last time this month. Then they reach the End-of-Life (EOL) stage when it comes to support. For the Pixel 4 and Pixel 4 XL, this will be the case in October 2022.

Stay safe, everyone!

Google fixes two critical Pixel vulnerabilities: Get your updates when you can!

Google today announced plans to implement support for passwordless logins in Android and the Chrome web browser to allow users to sign in across different devices and websites irrespective of the platform.
"This will simplify sign-ins across devices, websites, and applications no matter the platform - without the need for a single password," Google said.

Apple and Microsoft are

Google today announced plans to implement support for passwordless logins in Android and the Chrome web browser to allow users to sign in across different devices and websites irrespective of the platform.

"This will simplify sign-ins across devices, websites, and applications no matter the platform - without the need for a single password," Google said.

Apple and Microsoft are also expected to extend the support to iOS, macOS, and Windows operating systems as well as Safari and Edge browsers.

The new Fast IDentity Online (FIDO) sign-in system does away with passwords entirely in favor of displaying a prompt asking a user to unlock the phone when signing into a website or an application.

This is made possible by storing a cryptographically secured FIDO credential called a passkey on the phone that's used to log in to the online account after unlocking the device.

"Once you've done this, you won't need your phone again and you can sign-in by just unlocking your computer," Google said.

"Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off."

In a way, the method can be viewed as an extension of its own Google prompts for logging into accounts secured with two-factor authentication (aka 2-Step Verification).

The development comes as code hosting platform GitHub announced that it will "require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023" to prevent account takeover attacks.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google to Add Passwordless Authentication Support to Android and Chrome

The 96 internet service providers were told to enforce the orders “by any technological means available.”

A federal judge has ordered all internet service providers in the United States to block three pirate streaming services operated by Doe defendants who never showed up to court and hid behind false identities.

The blocking orders affect Israel.tv, Israeli-tv.com, and Sdarot.tv, as well as related domains listed in the rulings and any other domains where the copyright-infringing websites may resurface in the future. The orders came in three essentially identical rulings (see here, here, and here) issued on April 26 in the US District Court for the Southern District of New York.

Each ruling provides a list of 96 ISPs that are expected to block the websites, including Comcast, Charter, AT&T, Verizon, and T-Mobile. But the rulings say that all ISPs must comply even if they aren't on the list:

_It is further ordered that all ISPs (including without limitation those set forth in Exhibit B hereto) and any other ISPs providing services in the United States shall block access to the Website at any domain address known today (including but not limited to those set forth in Exhibit A hereto) or to be used in the future by the Defendants (“Newly Detected Websites”) by any technological means available on the ISPs' systems. The domain addresses and any Newly Detected Websites shall be channeled in such a way that users will be unable to connect and/or use the Website, and will be diverted by the ISPs' DNS servers to a landing page operated and controlled by Plaintiffs (the “Landing Page”)._

That landing page is available here and cites US District Judge Katherine Polk Failla's “order to block all access to this website/service due to copyright infringement.”

"If you were harmed in any way by the Court's decision you may file a motion to the Federal Court in the Southern District of New York in the above case," the landing page also says.

“Gone to Great Lengths to Conceal Themselves”

The three lawsuits were filed by Israeli TV and movie producers and providers against Doe defendants who operate the websites. Each of the three rulings awarded damages of $7.65 million. TorrentFreak pointed out the rulings in an article Monday.

The orders also contain permanent injunctions against the defendants themselves and other types of companies that provided services to the defendants or could do so in the future. That includes companies like Cloudflare, GoDaddy, Google, and Namecheap.

In all three cases, none of the defendants responded to the complaints or appeared in court, the judge's rulings said. “Defendants have gone to great lengths to conceal themselves and their ill-gotten proceeds from Plaintiffs' and this Court's detection, including by using multiple false identities and addresses associated with their operations and purposely deceptive contact information for the infringing Website,” the rulings say.

The defendants are liable for copyright infringement and violated the anti-circumvention provision of the Digital Millennium Copyright Act (DMCA), the judge wrote, describing the infringement as follows:

_Through the Website, Defendants have been re-broadcasting and streaming Plaintiffs' original content, broadcasting channels and TV services which are only authorized for broadcasting and/or viewing in the territory of the State of Israel and under a license. The Infringing Broadcasting includes original content produced and owned by Plaintiffs, mostly in Hebrew, and also from major studios in the United States and elsewhere, licensed to Plaintiffs for broadcasting exclusively in Israel (except as expressly licensed for broadcast in the United States)._

Rulings Further Target Web Hosts and Banks

The plaintiffs are United King Film Distribution, D.B.S. Satellite Services (1998), HOT Communication Systems, Reshet Media, and Keshet Broadcasting. While the plaintiffs “transmit their programming in an encrypted form,” the defendants' “various services and hardware permit end-user consumers to bypass the Plaintiffs' encryption to view Plaintiffs' content,” the rulings said.

The judge ordered domain registrars and registries to transfer the domain names to the plaintiffs. The rulings include injunctions against “third parties providing services used in connection with Defendants' operations,” including web hosts, content delivery networks, DNS providers, VPN providers, web designers, search-based online advertising services, and others.

Financial institutions face similar bans on doing business with the blocked websites. The rulings directly target the defendants' monetary accounts, saying that plaintiffs “shall have the ongoing authority to serve this Order on any party controlling or otherwise holding such accounts” until they have “recovered the full payment of monies owed to them by any Defendant under this Order.” This applies to PayPal, banks, and payment providers in general.

_This story originally appeared on_ _Ars Technica__._

Every ISP in the US Must Block These 3 Pirate Streaming Services

The vulnerability is 'critical' with a CVSS severity rating of 9.8 out of 10.

The vulnerability is ‘critical’ with a CVSS severity rating of 9.8 out of 10.

Application service provider F5 is warning a critical vulnerability allows unauthenticated hackers with network access to execute arbitrary commands on its BIG-IP systems.

The F5 BIG-IP is a combination of software and hardware that is designed around access control, application availability and security solutions.

The vulnerability is tracked as CVE-2022-1388  with a severity rating of 9.8 out of 10 by the Common Vulnerabilities Scoring System (CVSS) version 3.90.  

According to F5, the flaw resides in the representational state transfer (REST) interface for the iControl framework which is used to communicate between the F5 devices and users.

Threat actors can send undisclosed requests and leverage the flaw to bypass the iControl REST authentication and access the F5 BIG-IP systems, an attacker can execute arbitrary commands, create or delete files or disable servers.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” said F5 in an advisory. “There is no data plane exposure; this is a control plane issue only,” they added.

A self-IP address is an IP address on a BIG-IP system, that a customer uses to associate with VLAN.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert and advised users to apply the required updates.

****Affected Versions****

The security vulnerability that affects the BIG-IP product version are:

*   1.0 to 16.1.2
*   1.0 to 15.1.5
*   1.0 to 14.1.4
*   1.0 to 13.1.4
*   1.0 to 12.1.6
*   6.1 to 11.6.5

The F5 will not introduce fixes for versions 11.x (11.6.1 – 11.6.5) and 12.x (12.1.0 – 12.1.6).

The patches for versions v17.0.0, v16.1.2.2, v15.1.5.1, v14.1.4.6, and v13.1.5 were introduced by F5.

The advisory by F5 clarifies that the CVE-2022-1388 has no effect on other F5 products – BIG-IQ Centralized Management, F5OS-A, F5OS-C, or Traffic SDC.

F5 affected products and fixed versions (Source: F5)

The BIG-IP devices are commonly integrated into the enterprises there is a significant threat of widespread attack.

Security researcher Nate Warfield reported in a tweet that nearly 16,000 BIG-IP devices are exposed to the internet. A query shared by Warfield shows the exposed devices on Shodan.

Most of the exposed BIG-IP devices are located in the USA, China, India, and Australia. These systems are allocated to Microsoft corporation, Google LLC, DigitalOcean, and Linode.

****Mitigations****

Three “temporary mitigation” methods were advised by F5, for those who can’t deploy security patches immediately.

According to F5 “You can block all access to the iControl REST interface of your BIG-IP system through self IP addresses”. This can be done by changing the Port Lockdown settings to Allow None for each self-IP address in the system.

Another mitigation method is to restrict iControl REST access through the management interface or modify the BIG-IP httpd configuration.

Additionally, F5 has also released a more generic advisory to tackle another set of 17 high severity vulnerabilities discovered and fixed in BIG-IP.

In July 2020, a critical RCE bug left thousands of F5 BIG-IP users’ accounts vulnerable to an attacker.

F5 Warns of Critical Bug Allowing Remote Code Execution in BIG-IP Systems

Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.

@@ -1,18 +1,6 @@ /\*\* \* Copyright (c) 2006-2012, JGraph Ltd \*/ // Workaround for allowing target="\_blank" in HTML sanitizer // see https://code.google.com/p/google-caja/issues/detail?can=2&q=&colspec=ID%20Type%20Status%20Priority%20Owner%20Summary&groupby=&sort=&id=1296 if (typeof html4 !== 'undefined') { html4.ATTRIBS\['a::target'\] \= 0; html4.ATTRIBS\['source::src'\] \= 0; html4.ATTRIBS\['video::src'\] \= 0; // Would be nice for tooltips but probably a security risk... //html4.ATTRIBS\['video::autoplay'\] = 0; //html4.ATTRIBS\['video::autobuffer'\] = 0; }  
// Workaround for handling named HTML entities in mxUtils.parseXml // LATER: How to configure DOMParser to just ignore all entities? (function() @@ -1670,62 +1658,21 @@ Graph.removePasteFormatting = function(elt) };  
/\*\* \* Sanitizes the given HTML markup. \* Sanitizes the given HTML markup, allowing target attributes and \* data: protocol links to pages and custom actions. \*/ Graph.sanitizeHtml \= function(value, editing) { // Uses https://code.google.com/p/google-caja/wiki/JsHtmlSanitizer // NOTE: Original minimized sanitizer was modified to support // data URIs for images, mailto and special data:-links. // LATER: Add MathML to whitelisted tags function urlX(link) { if (link != null && link.toString().toLowerCase().substring(0, 11) !== 'javascript:') { return link; }  
return null; }; function idX(id) { return id };  
return html\_sanitize(value, urlX, idX); return DOMPurify.sanitize(value, {ADD\_ATTR: \['target'\], ALLOWED\_URI\_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|data):|\[^a-z\]|\[a-z+.\\-\]+(?:\[^a-z+.\\-:\]|$))/i}); };  
/\*\* \* Removes all script tags and attributes starting with on. \* Sanitizes the SVG in the given DOM node in-place. \*/ Graph.sanitizeSvg \= function(div) { // Removes all attributes starting with on var all \= div.getElementsByTagName('\*');  
for (var i \= 0; i < all.length; i++) { for (var j \= 0; j < all\[i\].attributes.length; j++) { var attr \= all\[i\].attributes\[j\];  
if (attr.name.length \> 2 && attr.name.toLowerCase().substring(0, 2) \== 'on') { all\[i\].removeAttribute(attr.name); } } }  
function removeAllTags(tagName) { var nodes \= div.getElementsByTagName(tagName);  
while (nodes.length \> 0) { nodes\[0\].parentNode.removeChild(nodes\[0\]); } };  
removeAllTags('meta'); removeAllTags('script'); removeAllTags('metadata'); return DOMPurify.sanitize(div, {IN\_PLACE: true}); };  
/\*\* @@ -13734,12 +13681,12 @@ if (typeof mxVertexHandler !== 'undefined') mxEvent.consume(evt); }));  
this.linkHint.appendChildGraph.createRemoveIcon(mxResources.get('removeIt', this.linkHint.appendChild(Graph.createRemoveIcon(mxResources.get('removeIt', \[mxResources.get('link')\]), mxUtils.bind(this, function(evt) { this.graph.setLinkForCell(this.state.cell, null); mxEvent.consume(evt); })); }))); } }

CVE-2022-1575: 18.0.0 release · jgraph/drawio@f768ed7

By Jung soo An, Asheer Malhotra and Justin Thattil, with contributions from Aliza Berk and Kendall McKay.

In February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Tag

#google