Reservation Management System version 1.0 suffers from a backup disclosure vulnerability.

**Reservation Management System 1.0 Backup Disclosure**

Posted Sep 24, 2024

Authored by indoushka

Reservation Management System version 1.0 suffers from a backup disclosure vulnerability.

tags | exploit, info disclosure

SHA-256 | 3fdb31b63dd3dffcc359c8fe22cdbfc2692c268e17a6a1cc41302fd995ff1353

Download | Favorite | View

**Reservation Management System 1.0 Backup Disclosure**

    =============================================================================================================================================| # Title     : Reservation Management System 1.0 Backup Disclosure Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Appears to leave backups in a world accessible directory under the document root.  [+] use Payload : /admin/backup/[+] http://127.0.0.1/reservation/admin/backup/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,935)
*   Arbitrary (17,095)
*   BBS (2,859)
*   Bypass (1,925)
*   CGI (1,047)
*   Code Execution (7,919)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,431)
*   DoS (25,287)
*   Encryption (2,395)
*   Exploit (54,293)
*   File Inclusion (4,275)
*   File Upload (1,018)
*   Firewall (822)
*   Info Disclosure (2,920)
*   Intrusion Detection (919)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,303)
*   Local (14,856)
*   Magazine (587)
*   Overflow (13,225)
*   Perl (1,435)
*   PHP (5,277)
*   Proof of Concept (2,412)
*   Protocol (3,749)
*   Python (1,661)
*   Remote (31,900)
*   Root (3,672)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,658)
*   Security Tool (8,050)
*   Shell (3,305)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,731)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,120)
*   Web (10,141)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,303)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,125)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,591)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,312)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,885)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,861)
*   UNIX (9,458)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Reservation Management System 1.0 Backup Disclosure

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean

Cybersecurity / Cyber Threat

Hold on tight, folks, because last week's cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let's dive into the details and see what lessons we can glean from the past week.

****⚡ Threat of the Week****

**Raptor Train Botnet Dismantled:** The U.S. government announced the takedown of the Raptor Train botnet controlled by a China-linked threat actor known as Flax Typhoon. The botnet consisted of over 260,000 devices in June 2024, with victims scattered across North America, Europe, Asia, Africa, and Oceania, and South America. It also attributed the Flax Typhoon threat actor to a publicly-traded, Beijing-based company known as Integrity Technology Group.

****🔔 Top News****

*   **Lazarus Group's New Malware:** The North Korea-linked cyber espionage group known as UNC2970 (aka TEMP.Hermit) has been observed utilizing job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity is also tracked as Operation Dream Job.
*   **iServer and Ghost Dismantled:** In yet another big win for law enforcement agencies, Europol announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones. The agency, in partnership with the Australian Federal Police (AFP), dismantled an encrypted communications network called Ghost that enabled serious and organized crime across the world.
*   **Iranian APT Acts as Initial Access Provider:** An Iranian threat actor tracked as UNC1860 is acting as an initial access facilitator that provides remote access to target networks by deploying various passive backdoors. This access is then leveraged by other Iranian hacking groups affiliated with the Ministry of Intelligence and Security (MOIS).
*   **Apple Drops Lawsuit against NSO Group:** Apple filed a motion to "voluntarily" dismiss the lawsuit it's pursuing against Israeli commercial spyware vendor NSO Group, citing a shifting risk landscape that could lead to exposure of critical "threat intelligence" information. The lawsuit was filed in November 2021.
*   **Phishing Attacks Exploit HTTP Headers:** A new wave of phishing attacks is abusing refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. Targets of the campaigns include entities in South Korea and the U.S.

****📰 Around the Cyber World****

*   **Sandvine Leaves 56 "Non-democratic" Countries:** Sandvine, the company behind middleboxes that have facilitated the delivery of commercial spyware as part of highly-targeted attacks, said it has exited 32 countries and is in process of ceasing operations in another 24 countries, citing elevated threats to digital rights. Earlier this February, the company was added to the U.S. Entity List. "The misuse of deep packet inspection technology is an international problem that threatens free and fair elections, basic human rights, and other digital freedoms we believe are inalienable," it said. It did not disclose the list of countries it's exiting as part of the overhaul.
*   **.mobi Domain Acquired for $20:** Researchers from watchTowr Labs spent a mere $20 to acquire a legacy WHOIS server domain associated with the .mobi top-level domain (TLD) and set up a WHOIS server on that domain. This led to the discovery that over 135,000 unique systems still queried the old WHOIS server over a five day period ending on September 4, 2024, including cybersecurity tools and mail servers for government, military and university entities. The research also showed that the TLS/SSL process for the entire .mobi TLD had been undermined as numerous Certificate Authorities (CAs) were found to be still using the "rogue" WHOIS server to "determine the owners of a domain and where verification details should be sent." Google has since called for stopping the use of WHOIS data for TLS domain verifications.
*   **ServiceNow Misconfigurations Leak Sensitive Data:** Thousands of companies are inadvertently exposing secrets from their internal knowledge base (KB) articles via ServiceNow misconfigurations. AppOmni attributed the issue to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning." ServiceNow has published guidance on how to configure their instances to prevent unauthenticated access to KB articles.
*   **Google Cloud Document AI Flaw Fixed:** Speaking of misconfigurations, researchers have found that overly permissive settings in Google Cloud's Document AI service could be leveraged by threat actors to hack into Cloud Storage buckets and steal sensitive information. Vectra AI described the vulnerability as an instance of transitive access abuse.
*   **Microsoft Plans End of Kernel Access for EDR Software:** Following the massive fallout from the CrowdStrike update mishap in July 2024, Microsoft has highlighted Windows 11's "improved security posture and security defaults" that allow for more security capabilities to security software makers outside of kernel mode access. It also said it will collaborate with ecosystem partners to achieve "enhanced reliability without sacrificing security."

**🔥 **Cybersecurity Resources & Insights******— **Upcoming Webinars****

*   **Zero Trust: Anti-Ransomware Armor**: Join our next webinar with Zscaler's Emily Laufer for a deep dive into the 2024 Ransomware Report, uncovering the latest trends, emerging threats, and the zero-trust strategies that can safeguard your organization. Don't become another statistic – Register now and fight back!
*   **SIEM Reboot: From Overload to Oversight:** Drowning in data? Your SIEM should be a lifesaver, not another headache. Join us to uncover how legacy SIEM went wrong, and how a modern approach can simplify security without sacrificing performance. We'll dive into the origins of SIEM, its current challenges, and our community-driven solutions to cut through the noise and empower your security. Register now for a fresh take on SIEM!

**— **Ask the Expert****

*   **Q:** How does Zero Trust differ fundamentally from traditional Perimeter Defense, and what are the key challenges and advantages when transitioning an organization from a Perimeter Defense model to a Zero Trust architecture?

*   **A:** Zero Trust and perimeter defense are two ways to protect computer systems. Zero Trust is like having multiple locks on your doors AND checking IDs at every room, meaning it trusts no one and constantly verifies everyone and everything trying to access anything. It's great for stopping hackers, even if they manage to sneak in, and works well when people work from different places or use cloud services. Perimeter defense is like having a strong wall around your castle, focusing on keeping the bad guys out. But, if someone breaks through, they have easy access to everything inside. This older approach struggles with today's threats and remote work situations. Switching to Zero Trust is like upgrading your security system, but it takes time and money. It's worth it because it provides much better protection. Remember, it's not just one thing, but a whole new way of thinking about security, and you can start small and build up over time. Also, don't ditch the wall completely, it's still useful for basic protection.

**— **Cybersecurity Jargon Buster****

*   **Polymorphic Malware:** Imagine a sneaky virus that keeps changing its disguise (signature) to trick your antivirus. It's like a chameleon, making it tough to catch.
*   **Metamorphic Malware:** This one's even trickier! It's like a shapeshifter, not just changing clothes, but completely transforming its body. It rewrites its own code each time it infects, making it nearly impossible for antivirus to recognize.

**— **Tip of the Week****

**"Think Before You Click" Maze:** Navigate a series of decision points based on real-world scenarios, choosing the safest option to avoid phishing traps and other online threats.

****Conclusion****

"To err is human; to forgive, divine." - Alexander Pope. But in the realm of cybersecurity, forgiveness can be costly. Let's learn from these mistakes, strengthen our defenses, and keep the digital world a safer place for all.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Last Week's Top Threats and Trends (September 16-22)

Popular social messaging platform Discord has announced that it's rolling out a new custom end-to-end encrypted (E2EE) protocol to secure audio and video calls.
The protocol has been dubbed DAVE, short for Discord's audio and video end-to-end encryption ("E2EE A/V").
As part of the change introduced last week, voice and video in DMs, Group DMs, voice channels, and Go Live streams are expected to

Encryption / Data Protection

Popular social messaging platform Discord has announced that it's rolling out a new custom end-to-end encrypted (E2EE) protocol to secure audio and video calls.

The protocol has been dubbed **DAVE**, short for Discord's audio and video end-to-end encryption ("E2EE A/V").

As part of the change introduced last week, voice and video in DMs, Group DMs, voice channels, and Go Live streams are expected to be migrated to use DAVE.

That said, it's worth noting that messages on Discord will remain unencrypted and are subject to its content moderation approach.

"When we consider adding new privacy features like E2EE A/V, we do not do so in isolation from safety," Discord said. "That is why safety is integrated across our product and policies, and why messages on Discord are unencrypted."

"Messages will still be subject to our content moderation approach, allowing us to continue offering additional safety protections."

DAVE is publicly auditable and has been reviewed by Trail of Bits, with the protocol leveraging WebRTC encoded transforms and Message Layer Security (MLS) for encryption and group key exchange (GKE), respectively.

This allows for media frames, outside of the codec metadata, to be encrypted after they are encoded and decrypted before being decoded on the receiver side.

"Each frame is encrypted or decrypted with a per-sender symmetric key," Discord said. "This key is known to all participants of the audio and video session but crucially is unknown to any outsider who is not a member of the call, including Discord."

The use of MLS, on the other hand, makes it possible for users to join or leave a voice or video session on Discord in such a manner that neither new participants can decrypt media sent before they joined nor leaving members can decrypt any media sent in the future.

"Discord's existing transport encryption for audio and video between the client and our selective forwarding unit (SFU) is retained, ensuring only audio and video from authenticated call participants is forwarded," it noted.

"While the SFU still processes all packets for the call, audio or video data inside each packet is end-to-end encrypted and undecryptable by the SFU."

The development comes days after the GSM Association (GSMA), the governing body that oversees the development of the Rich Communications Services (RCS) protocol, said it's working towards implementing E2EE to secure messages sent between the Android and iOS ecosystems.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Discord Introduces DAVE Protocol for End-to-End Encryption in Audio and Video Calls

A list of topics we covered in the week of September 16 to September 22 of 2024

September 20, 2024 - The FTC published a report about the ways social media and video streaming services collect and use our data

September 19, 2024 - German law enforcement agencies have managed to de-anonymize Tor users after putting surveillance on Tor servers for months.

September 18, 2024 - Scammers are creating fake Walmart virtual shopping lists that look like a contact page for customer service.

September 18, 2024 - Snapchat reserves the right to use your selfies to add a personal touch, as in your face, to its advertisements.

September 17, 2024 - Apple has released iOS 18. We discuss the new privacy and security related features like the very handy Passwords app.

 A week in security (September 16 &#8211; September 22) 

Plus: The FBI dismantles the largest-ever China-backed botnet, the DOJ charges two men with a $243 million crypto theft, Apple’s MacOS Sequoia breaks cybersecurity tools, and more.

The week was dominated by news that thousands of pagers, walkie-talkies and other devices were exploding across Lebanon on Tuesday and Wednesday in an attack targeting the militant group Hezbollah. At least 32 people were killed, including at least four children, and more than 3,200 people were injured. The covert campaign has widely been attributed to Israel, though none of the country's government agencies have commented.

In addition to the carnage, the attacks have—seemingly by design—had the effect of sowing paranoia and fear, not just among members of Hezbollah but also in the general Lebanese public. Hardware and warfare experts say that the incident is unlikely to establish a global precedent that people's most trusted communication devices and electronics, like smartphones, are rigged with explosives left and right. But it does create the potential to inspire copycats and puts defenders on notice that such attacks are possible.

Researchers say that China’s 2023 Zhujian Cup, a hacking competition with ties to the country's military, took the unusual step of requiring participants to keep the content of the exercise secret—and they may have been targeting a real victim as part of the event. Apple’s new stand-alone app Passwords that launched with iOS 18 may help solve your login problems. And a now-deleted post from billionaire Elon Musk that questioned why no one has attempted to assassinate Joe Biden and Kamala Harris renewed concerns this week that Musk is willing to inspire extremist violence and is a national security threat in the United States.

And there's more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Last month, media outlets, Microsoft, and Google warned that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump political campaigns, and that it had successfully stolen emails from the Trump campaign that were later shared with reporters. Now the FBI has chimed in with the added revelation that the same hackers also sent those stolen Trump communications to the Democrats, too—though for now there's no sign that the Democrats solicited those emails from the Iranians or necessarily even received the Iranians' message.

Republicans were nonetheless quick to compare the news to accusations that the Trump campaign “colluded” with the Russian hackers, part of the Kremlin's GRU military intelligence agency, who breached the Democratic National Committee and the Clinton Campaign in 2016 to carry out a hack-and-leak operation. In a statement, the Trump campaign demanded that the Democrats “must come clean on whether they used the hacked material.” The Harris campaign told CNN that it has cooperated with law enforcement and that it was “not aware of any material being sent directly to the campaign,” believing the emails to be spam or phishing attempts. “We condemn in the strongest terms any effort by foreign actors to interfere in US elections, including this unwelcome and unacceptable malicious activity,” Morgan Finkelstein, the national security spokesperson for the Harris campaign, told CNN.

**FBI Dismantles the Largest-Ever Chinese State-Sponsored Botnet**

The FBI announced this week that it had taken down a network of hacked machines being secretly controlled by a Chinese state-sponsored hacking group known as Flax Typhoon. The botnet, made up of 260,000 routers and internet-of-things devices, was allegedly being run by a Chinese contractor known as the Beijing Integrity Technology Group, a rare instance of a known, publicly traded company operating essentially a massive collection of hacked devices on behalf of the Chinese state. The botnet, according to the FBI and security firm Black Lotus Labs, had been used to hack government agencies, defense contractors, telecoms, and other US and Taiwanese targets. At the time of its takedown, the botnet still encompassed 60,000 machines, making it the largest Chinese state-sponsored botnet ever, according to Black Lotus Labs.

**Two Men Charged With Stealing $243M in Cryptocurrency Using Social Engineering Scam**

On Wednesday night, two young men were arrested after they allegedly stole hundreds of millions of dollars of cryptocurrency and spent the earnings on luxury cars, watches, jewelry, and designer handbags. In an unsealed indictment, the US Department of Justice charged Malone Lam, 20, known online as “Anne Hathaway” and Jeandiel Serrano, 21, aka “VersaceGod,” with stealing $243 million in cryptocurrency and laundering the proceeds through mixing services to conceal the origin.

CoinDesk reported that the men allegedly tricked the heist’s victim, a creditor of the now-defunct trading firm Genesis, using a social engineering scam that led them to reset their Gemini two-factor authentication and transfer 4,100 bitcoin to a compromised wallet. An analysis of the transaction by blockchain investigator ZachXBT revealed that the $243 million was divided among multiple wallets and then distributed to over 15 exchanges.

**Apple MacOS Update Breaks Some Cybersecurity Tools**

On Thursday, TechCrunch reported that Apple's latest desktop operating system update, macOS 15 (Sequoia), breaks some functionality of major security tools made by CrowdStrike, SentinelOne, and Microsoft. It’s unclear what specifically in the update is causing the issues, but social media posts and internal Slack messages reviewed by the tech outlet show that the update has frustrated engineers working on macOS-focused security tools.

A CrowdStrike sales engineer informed colleagues via Slack, as seen by TechCrunch, that the company would not be able to support Sequoia on day one, despite its usual practice of quickly supporting new OS releases. While they hope for a quick patch, they will likely need to scramble to resolve the issue with an update in their own code, assuming no immediate fix is available from Apple, which has not yet commented on the issue.

**Leader of Crypto Extortion Gang Sentenced to 47 Years**

Cryptocurrency theft has become practically a common-garden form of cybercrime. But one brutal gang took that form of thievery to a new level of cruelty and violence, breaking into a series of victims' homes to threaten and extort them into handing over their crypto holdings, sometimes even resorting to kidnapping and torture. This week, that disturbing story came to a close with the sentencing of the group's ring leader, a Florida man named Remy St. Felix, to 47 years in prison. St. Felix is one of 12 members of the gang to have now been charged, convicted, and sentenced. Prior to the home invasions that St. Felix led, another member of the group named Jarod Seemungal allegedly stole millions with more traditional crypto hacking techniques. But St. Felix's more violent, offline extortion attempts netted his gang only around $150,000 in cryptocurrency before they were caught and sentenced to years behind bars. The lesson: Crime doesn't pay—or at least, not the physical kind.

Iranian Hackers Tried to Give Hacked Trump Campaign Emails to Dems

Taskhub version 3.0.3 suffers from an ignored default credential vulnerability.

**Taskhub 3.0.3 Insecure Settings**

Posted Sep 20, 2024

Authored by indoushka

Taskhub version 3.0.3 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 7505071b9896db1b7f4f5cd911d9d07b06247bd94dbf46777a4481d4b83f1ddd

Download | Favorite | View

**Taskhub 3.0.3 Insecure Settings**

    =============================================================================================================================================| # Title     : Taskhub v3.0.3 Insecure Settings Vulnerability                                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 12345678[+] https://www/127.0.0.1/tasks.octalfoxcom/auth/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,862)
*   Arbitrary (17,077)
*   BBS (2,859)
*   Bypass (1,923)
*   CGI (1,047)
*   Code Execution (7,902)
*   Conference (692)
*   Cracker (845)
*   CSRF (3,427)
*   DoS (25,263)
*   Encryption (2,395)
*   Exploit (54,266)
*   File Inclusion (4,274)
*   File Upload (1,017)
*   Firewall (822)
*   Info Disclosure (2,916)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,281)
*   Local (14,850)
*   Magazine (587)
*   Overflow (13,223)
*   Perl (1,435)
*   PHP (5,271)
*   Proof of Concept (2,411)
*   Protocol (3,749)
*   Python (1,660)
*   Remote (31,888)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (642)
*   Scanner (1,658)
*   Security Tool (8,048)
*   Shell (3,305)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,725)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,092)
*   Web (10,138)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,301)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,114)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,124)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (389)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,237)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,845)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,852)
*   UNIX (9,456)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Taskhub 3.0.3 Insecure Settings

Google on Thursday unveiled a Password Manager PIN to let Chrome web users sync their passkeys across Windows, macOS, Linux, ChromeOS, and Android devices.
"This PIN adds an additional layer of security to ensure your passkeys are end-to-end encrypted and can't be accessed by anyone, not even Google," Chrome product manager Chirag Desai said.
The PIN is a six-digit code by default, although it's

Encryption / Digital Security

Google on Thursday unveiled a Password Manager PIN to let Chrome web users sync their passkeys across Windows, macOS, Linux, ChromeOS, and Android devices.

"This PIN adds an additional layer of security to ensure your passkeys are end-to-end encrypted and can't be accessed by anyone, not even Google," Chrome product manager Chirag Desai said.

The PIN is a six-digit code by default, although it's also possible to create a longer alpha-numeric PIN by selecting "PIN options."

This marks a change from the previous status quo where users could only save passkeys to save passkeys to Google Password Manager on Android.

While the passkeys could be used on other platforms, it was necessary to scan a QR code using the device where they were generated.

The latest change removes that step, making it a lot easier for users to sign in to online services using passkeys by simply scanning their biometrics. Google noted that support for iOS is expected to arrive soon.

This, however, requires the users to know either the Password Manager PIN or the screen lock for their Android devices before using passkeys on a new device.

"These recovery factors will allow you to securely access your saved passkeys and sync new ones across your computers and Android devices," Desai said.

The development comes as the tech giant said passkeys are being used by more than 400 million Google accounts as of May 2024. Two months later, the phishing-resistant alternative was made available to high-risk users via its Advanced Protection Program (APP).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chrome Users Can Now Sync Passkeys Across Devices with New Google PIN Feature

By enhancing threat detection, enabling real-time risk assessment, and providing predictive insights, AI is empowering organizations to build more robust defenses against cyber threats.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

Traditional cybersecurity measures are increasingly inadequate against sophisticated threats in the rapidly evolving digital security landscape. Artificial intelligence (AI) has emerged as a transformative force to revolutionize risk assessment and management in the cybersecurity domain. As organizations grapple with an increasing array of cyber threats, AI-driven approaches to risk scoring are becoming more important and essential tools in the modern security arsenal.

At the forefront of this technological revolution is the development of AI-driven risk assessment models tailored specifically to cybersecurity threats. These systems are designed to identify vulnerabilities that often elude traditional methods by offering a more comprehensive and nuanced approach to risk scoring. Leveraging machine learning algorithms and deep neural networks, these AI models can analyze vast amounts of unstructured data, uncovering complex patterns and insights that might otherwise remain hidden from human analysts. These threats can range from univariate anomalies, like a user logging in from a different IP address, to more complex multivariate risks that involve deviations in user behavior patterns and anomalies in their typical sign-on activities.

A simple one-dimensional risk assessment approach is insufficient in real-life scenarios; instead, a weighted average risk system capable of detecting and evaluating these multivariate risks is essential. Each of these threat detection methodologies can and very well be independent of each other, assessing risks on different (combinations) of variables in play.

**An AI Advantage**

An important advantage of AI in cybersecurity is its ability to process and analyze data at a scale and speed far beyond human capabilities. These advantages enable real-time threat detection and dynamic risk scoring, which allows security teams to prioritize and respond to threats incredibly efficiently. By continuously analyzing network traffic, user behavior, and external threat intelligence, AI-driven systems can update risk scores in real time, providing a constantly evolving picture of an organization's security posture.

The integration of AI into risk-scoring systems also enhances the overall security strategy of an organization. These systems are not static, but rather learn and adapt over time, becoming increasingly effective as they encounter new threat patterns and scenarios. This adaptive capability is crucial in the face of rapidly evolving cyber threats, allowing organizations to stay one step ahead of potential attackers. An example of this in action is detecting anomalies during user sign-on by analyzing physical attributes and comparing them to typical behavior patterns. This approach helps prevent unauthorized access by identifying and blocking suspicious sign-ins before the user can enter the system.

**AI Is Not a Cure-All**

It's important, however, to realize that AI is not a cure-all for every cybersecurity challenge. The most impactful strategies combine the analytical power of AI with human expertise. While AI excels at processing vast amounts of data and identifying patterns, human analysts provide critical contextual understanding and decision-making capabilities. It's crucial for AI systems to continuously learn from the input of small and medium-sized enterprises (SMEs) through a feedback loop to refine their accuracy and minimize alert fatigue; this collaboration between human and artificial intelligence creates a robust defense against a wide range of cyber threats.

The application of AI in cybersecurity extends beyond threat detection. Advanced AI models are also being used to simulate potential attack scenarios, allowing organizations to proactively identify and address vulnerabilities before they can be exploited. This predictive capability represents a significant shift from reactive to proactive security measures, potentially saving organizations millions in breach-related costs.

AI's role in cybersecurity is expected to grow exponentially as AI technology continues to advance. Future developments may include more sophisticated predictive models, enhanced automation of threat response, and even AI systems capable of autonomously patching vulnerabilities. These advancements promise to create more resilient and adaptive security infrastructures, better equipped to handle the challenges of an increasingly digital world.

The integration of AI into cybersecurity risk-scoring systems represents a significant leap forward in the field of digital security. By enhancing threat detection, enabling real-time risk assessment, and providing predictive insights, AI is empowering organizations to build more robust defenses against cyber threats. As the digital landscape continues to evolve, embracing AI-driven approaches to cybersecurity will be crucial for organizations seeking to protect their assets and maintain their competitive edge in an increasingly interconnected world.

**About the Author**

AI and Data Science Leader, Cybersecurity Expert

Venkat Gopalakrishnan is an accomplished AI and data science leader with extensive experience driving AI initiatives in high-impact industries. The holder of two patents in AI and cybersecurity, Venkat has expertise in integrating traditional AI and generative AI into complex systems, having successfully led global teams and delivered innovative AI solutions across various domains, including cybersecurity, finance, and sales.

An AI-Driven Approach to Risk-Scoring Systems in Cybersecurity

Thousands of beepers and two-way radios exploded in attacks against Hezbollah, but mainstream consumer devices like smartphones aren’t likely to be weaponized the same way.

For two days this week, Hezbollah has been rocked by a series of small explosions across Lebanon, injuring thousands and killing at least 25. But these attacks haven’t come from rockets or drones. Instead, they’ve resulted from boobytrapped electronics—including pagers, walkie-talkies, and even, reportedly, solar equipment—detonating in coordinated waves. As details come into view of the elaborate supply chain attack that compromised these devices, citizens on the ground in Lebanon and people around the world are questioning whether such attacks could target any device in your pocket.

The campaign to compromise key Hezbollah communication infrastructure with explosives was clearly elaborate and involved. The operation, which is widely believed to have been perpetrated by Israel, goes far beyond past examples of hardware supply chain attacks and may be a source of inspiration for future spycraft around the world. But sources tell WIRED that the specific scale and scope of the effort would not be easily replicated in other contexts. And, more broadly, the resources and precision involved in carrying out such an attack would be prohibitively difficult to maintain over time for key consumer devices like smartphones—which are used so widely and regularly scrutinized by researchers, product testers, and repair technicians.

“I do think there is absolutely potential to see more of this in the longer term, not targeting civilians, but generally targeting other military actors,” says Zachary Kallenborn, an adjunct nonresident fellow with the Center for Strategic and International Studies. Kallenborn says militaries are increasingly relying on commercial technology—from drones to communications devices—all of which could be compromised if supply chains can be exploited by adversaries. “These systems are being sourced from all over the globe,” he says. “What that means, then, is that you also have these global supply chains supporting them.”

While full details of the attacks are still coming to light, the devices that detonated were seemingly compromised with explosives before they arrived in Hezbollah members’ hands. Alan Woodward, a cybersecurity professor at the University of Surrey, says he suspects that an attacker would plant explosives in a device during the manufacturing process, rather than intercepting gadgets after they are finished and then taking them apart to plant explosives. Reporting by the New York Times on Wednesday evening seemed to confirm this theory, indicating that Israel directly manufactured the compromised devices via shell companies. Israel has not commented on any of the attacks.

Early theories that cyberattacks caused device batteries to overheat and explode have been ruled out by cybersecurity experts. The force of the blasts seen in on-the-ground footage would not be consistent with battery fires or explosions, especially given the small size of pager and walkie-talkie batteries.

Lebanon’s political landscape and ongoing economic crisis, coupled with regional fighting between Hezbollah and Israel, created specific opportunities for sabotage. Hezbollah is isolated globally, with countries like the United States and United Kingdom classifying it as a terrorist organization while other countries, such as Russia and China, maintain relations. This impacts Hezbollah’s avenues for importing equipment and vetting suppliers.

Amid ongoing violent conflict with Israel, Hezbollah’s digital communications and activities are also under constant barrage from Israeli hackers. In fact, this constant digital assault reportedly played a role in pushing Hezbollah away from smartphone communication and toward pagers and walkie-talkies in the first place. “Your phone is their agent,” Hezbollah leader Hassan Nasrallah said in February, referring to Israel.

The commercial spyware industry has shown it is possible to fully compromise target smartphones by exploiting chains of vulnerabilities in their mobile operating systems. Developing spyware and repeatedly finding new operating system vulnerabilities as older ones are patched is a resource-intensive process, but it is still less complicated and risky than conducting a hardware supply chain attack to physically compromise devices during or shortly after manufacturing. And for an attacker, monitoring a target’s entire digital life on a smartphone or laptop is likely more valuable than the device’s potential as a bomb.

“I’d hazard a guess that the only reason we aren’t hearing about exploding laptops is that they’re collecting too much intelligence from those,” says Jake Williams, vice president of research and development at Hunter Strategy, who formerly worked for the US National Security Agency. “I think there’s also potentially an element of targeting, too. The pagers and personal radios could pretty reliably be expected to stay in the hands of Hezbollah operatives, but more general purpose electronics like laptops could not.”

There are other more practical reasons, too, that the attacks in Lebanon are unlikely to portend a global wave of exploding consumer electronics anytime soon. Unlike portable devices that were originally designed in the 20th century, the current generation of laptops and particularly smartphones are densely packed with hardware components to offer the most features and the longest battery life in the most efficient package possible.

University of Surrey’s Woodward, who regularly takes apart consumer devices, points out that within modern smartphones there is very limited space to insert anything extra, and the manufacturing process can involve robots precisely placing components on top of each other. X-rays show how tightly packed modern phones are.

“When you open up a smartphone, I think the only way to get any sort of meaningful amount of high explosive in there would be to do something like replace one of the components,” he says, such as modifying a battery to be half battery, half explosives. But “replacing a component in a smartphone would compromise its functionality,” he says, which could lead a user to investigate the malfunction.

In contrast, the model of pager linked to the explosions—a “rugged” device with 85 days of battery life—included multiple replaceable parts. Ang Cui, founder of the embedded device security firm Red Balloon Security, examined the schematics of the pager model apparently used in the attacks and told WIRED that there would be free space inside to plant explosives. The walkie-talkies that exploded, according to the manufacturer, were discontinued a decade ago. Woodward says that when opening up redesigned, current versions of older technologies, such as pagers, many internal electronic components have been “compressed” down as manufacturing methods and processor efficiency have improved.

Smartphone production lines also operate under stricter security measures, especially for high-cost devices like Apple’s iPhones and Google’s flagship Pixel phones. This is partly to guarantee production quality, but also to ensure that employees don’t leak trade secrets or prototypes. Not all low-end Android phones are manufactured with such intense oversight, but it would be more difficult to secretly take over manufacturing of a smartphone than a forgotten pager model. In countries like China, where many devices are manufactured, there is always the possibility of a domestic operation to plant backdoors, but such a scheme would need to be elaborate to skirt international scrutiny of the devices

To find exploding cell phones, you have to go back to 20th century tech. In 1996, Palestinian bombmaker Yahya Ayyash was killed when his mobile phone exploded as he answered a call. His old-style phone—which the New York Times said was ”reportedly a small, slim model that fits in a pocket”—had 50 grams of explosives planted inside it, likely by Israel’s security services. The explosion was reportedly triggered by a radio signal emitted from a plane flying above. And unlike the pager and walkie-talkie attacks this week, Ayyash’s phone was part of a highly targeted attack on him alone.

Even if this week’s exploding device campaign doesn’t have immediate implications for every smartphone in every pocket, though, it expands enormously the specter of hardware supply chain attacks.

“I think that every shady organization worldwide will now be checking their new devices—especially those ordered in bulk from the manufacturer—for explosives,” says a longtime hardware hacker and tech procurement specialist who asked to be identified as Null Pointer. “This hit so hard because it was novel and no one in that community knew to look for it. It's ingenious.”

Your Phone Won’t Be the Next Exploding Pager

The U.S. Treasury sanctions the Intellexa Consortium and key figures for distributing Predator spyware, a serious national security…

The U.S. Treasury sanctions the Intellexa Consortium and key figures for distributing Predator spyware, a serious national security threat. Intellexa, a rival to NSO Group, offers invasive Android and iOS hacking services globally.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on five individuals and one entity associated with the Intellexa Consortium. According to authorities, this group has been linked to developing and distributing spyware technology, posing substantial risks to U.S. national security.

The Intellexa Consortium, an international network of companies based in Europe, has emerged as a prominent organisation in the commercial spyware industry. Known primarily for its invasive “Predator” spyware, Intellexa Consortium has positioned itself as a rival to the NSO Group, the creators of the infamous Pegasus spyware.

As previously reported by Hackread.com, Intellexa offers hacking services targeting both Android and iOS devices, with contracts reportedly valued at up to $8 million.

“The United States will not tolerate the reckless propagation of disruptive technologies that threaten our national security and undermine the privacy and civil liberties of our citizens,” said Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence in a press release. He emphasized that the government will hold accountable those responsible for the spread of exploitative technologies.

The sanctions reflect an ongoing effort to address the misuse of spyware by both state and non-state actors. Previous U.S. government measures have included sanctions, export controls, and visa bans targeting those involved in the commercial spyware market.

**Intellexa’s Global Reach**

Founded by Tal Jonathan Dilian, the Intellexa Consortium has a wide international footprint, with offices and research facilities spread across the European Union. The company’s flagship product, Predator spyware, can infiltrate devices through one-click and zero-click attacks, giving its operators access to sensitive data such as photos, geolocation, personal messages, and even microphone recordings.

Additionally, the spyware has been used by various state-sponsored actors to target government officials, journalists, political opponents, and policy experts.

The latest sanctions target key figures within the Intellexa network, including Felix Bitzios, Andrea Nicola Constantino Hermes Gambazzi, Merom Harpaz, Panagiota Karaoli, and Artemis Artemiou, along with the Aliada Group, a company based in the British Virgin Islands.

These individuals and entities have been accused of facilitating the development and distribution of Predator spyware, with several directly involved in supplying it to foreign governments.

**Sanctions and Legal Ramifications**

As a result of the sanctions, all U.S. assets and interests connected to the designated individuals and entities have been blocked. OFAC has prohibited U.S. persons from engaging in transactions involving the sanctioned parties.

Additionally, non-U.S. persons could face penalties for helping others evade these sanctions or otherwise violate U.S. regulations. Financial institutions and businesses engaging with the designated entities risk exposure to sanctions or enforcement actions themselves.

While initially marketed as tools for legitimate law enforcement purposes, these technologies have increasingly been misused to invade privacy and infringe upon civil liberties.

Nevertheless, with the rise of companies like Intellexa, which challenge known players such as the NSO Group, the stakes for regulating and controlling the spread of spyware are higher than ever.

1.  **Police confiscate surveillance van loaded with hacking tools**
2.  **QuaDream, Israeli iPhone hacking spyware firm, to shut down**
3.  **Amnesty Intl. accuses Indian cyber security firm of spyware attacks**

Tag

#ios