Popular open source libraries leaked keys for “research”
Several developers reported that two popular open source libraries, Python’s “ctx” and PHP’s “PHPass”, had been altered to steal AWS credentials and keys. Combined, these libraries have been downloaded over 3 million times. The actor behind the change came forward to Bleeping Computer as security researcher Yunus Aydın, who goes by SockPuppets online. He said he made the alteration to show the “maximum impact” of such an attack, claiming it was ethical research. Aydın claims all data received has been deleted and not used. He was able to take over the libraries by using a bot to crawl open source registries looking for maintainers whose custom domain names had expired, letting him buy the domain and reset the password.
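The practical defense against an altered release like the ones above is to install only artifacts whose hashes you recorded in advance, which is what pip's --require-hashes mode enforces. The following is an added example, not code from the story or from either project, showing the core of that check: a parser for hash-pinned requirements that refuses any entry without a digest, and a verifier that rejects an artifact whose name, version or sha256 does not match. The package name, version and artifact bytes are constructed for the demonstration.

```python
import hashlib
import re

# Matches each "--hash=sha256:<64 hex chars>" option on a requirement line.
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
# Matches an exactly pinned requirement "name==version" at the start of a line.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s\\]+)")


def parse_pinned_requirements(text):
    """Return {name: (version, {sha256 digests})} from a hash-pinned requirements file.

    Backslash continuation lines are joined as pip does. Any requirement that is
    not exactly pinned or carries no --hash raises, so an unpinned line cannot
    silently pull whatever the registry serves next.
    """
    pins = {}
    logical = text.replace("\\\n", " ")
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version = m.group(1).lower(), m.group(2)
        digests = set(HASH_RE.findall(line))
        if not digests:
            raise ValueError(f"{name}=={version} has no --hash; refusing to trust it")
        pins[name] = (version, digests)
    return pins


def verify_artifact(name, version, artifact_bytes, pins):
    """True only if the artifact's sha256 matches a digest pinned for that exact name and version."""
    entry = pins.get(name.lower())
    if entry is None:
        return False
    pinned_version, digests = entry
    if pinned_version != version:
        return False
    return hashlib.sha256(artifact_bytes).hexdigest() in digests


# Constructed sample data: a stand-in for a wheel file and a lockfile pinning its digest.
GOOD_ARTIFACT = b"constructed stand-in for a wheel file, not a real package"
GOOD_DIGEST = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
SAMPLE_REQUIREMENTS = f"""# constructed example lockfile
example-lib==1.0.0 \\
    --hash=sha256:{GOOD_DIGEST}
"""


def demo():
    """Run the check against the constructed lockfile; returns (genuine_ok, tampered_ok)."""
    pins = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    genuine_ok = verify_artifact("example-lib", "1.0.0", GOOD_ARTIFACT, pins)
    # A release republished with one extra byte (as a tampered package would be) must fail.
    tampered_ok = verify_artifact("example-lib", "1.0.0", GOOD_ARTIFACT + b"!", pins)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check only helps if the lockfile was generated from a release you had reason to trust and is itself under review, since a compromised maintainer account can publish a new version with a perfectly valid hash; pinning stops that version from arriving unnoticed rather than proving it benign.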
DuckDuckGo gives Microsoft a pass on trackers
After security researchers discovered the behavior, DuckDuckGo CEO Gabriel Weinberg confirmed that its privacy-focused mobile browser allows Microsoft trackers on third-party sites due to the terms of a search agreement with the company. Weinberg said DuckDuckGo is working with Microsoft to try to remove this restriction and that Microsoft does not associate ad-click behavior with a user profile. This agreement does not impact the DuckDuckGo search engine. In a statement to Bleeping Computer, DuckDuckGo claimed its browser still offers better tracking protection than other browsers, as it blocks tracking scripts prior to loading.
Microsoft weathers the vulnerability storm
An analysis of NIST’s National Vulnerability Database by the pentesting firm Redscan found that 2021 broke all records for reported vulnerabilities with 18,439 recorded, or about 50 flaws per day. Of these, Microsoft saw 1,212 vulnerabilities reported, down 5% on the year, the first time Microsoft’s reported vulnerabilities have decreased. More significantly, critical vulnerabilities decreased 47% on the year, and Windows Server vulnerabilities were down 50%. This was somewhat balanced by a 280% increase in Microsoft browser vulnerabilities across Internet Explorer and Edge. Remote Code Execution and Privilege Elevation vulnerabilities accounted for 75% of those reported.
Researchers find way to search for hidden cameras
A new paper by researchers at Carnegie Mellon University outlines a system called Lumos that could use a phone or laptop to visualize hidden cameras in an AR interface. Lumos collects encrypted wireless packets over the air to detect concealed devices, estimating location by combining signal strength with relative user position. Changes in signal strength are monitored as a user moves, increasing the accuracy of the prediction. It can also identify devices based on MAC addresses. In a 1000 square foot apartment, the researchers claim to be able to identify hidden devices with 95% accuracy with a median error of 1.5 meters within 30 minutes.
Thanks to today’s episode sponsor, Optiv
Senate panel votes to advance intelligence sharing bill
The Senate Homeland Security Committee voted to advance the Intragovernmental Cybersecurity Information Sharing Act, which now heads to the Senate floor for a vote. This bill would require that officials in both chambers of Congress receive “direct and timely” information about digital threats and network vulnerabilities from the executive branch. This would likely require formal data sharing agreements between the Department of Homeland Security and both the House and Senate.
Legal sector fighting the impacts of insider threats
According to official figures from the UK’s Information Commissioner’s Office, 68% of data breaches at UK law firms were the result of insiders in Q3 2021, with the rest coming from outside threats. The analysts at NetDocuments estimate this number to be inflated as a result of the so-called “Great Resignation” with workers changing jobs at increased rates since the start of the COVID-19 pandemic. 54% of these insider threat data breaches were caused by human error, like forwarding information to the wrong parties. 10% of breaches were due to data loss, while 25% were the result of phishing attacks, which really feels like a more specialized instance of human error.
ProtonMail unifies its products
The privacy-focused email and VPN provider rebranded as Proton, updating its tiers to combine encrypted mail, calendar, and VPN access. A free tier now offers 1GB of storage and access to one calendar; a Mail Plus tier costs €5 a month with 15GB of storage and support for 20 calendars. The Unlimited tier costs €12 a month, offers 500GB of storage and three custom domains, and includes full access to Proton VPN’s network with Tor over VPN features. Proton VPN will continue to be offered as a standalone product as well.
(Engadget)
Terra blockchain restart approved
The proposal from Terraform Labs CEO Do Kwon to relaunch the embattled blockchain received approval from 65.5% of governance votes, with 13.2% voting no and the rest abstaining. This new blockchain will airdrop tokens proportionately to those impacted by the sudden collapse of the TerraUST algorithmic stablecoin, with many of these initial drops subject to vesting periods. Based on the proposal, this Terra 2.0 blockchain will hit the mainnet by the end of the week. This rebooted blockchain will exist without the UST token, which was the primary purpose of the original.