Microsoft Edge Update Adds Built-in Password Manager

Version 88 of Microsoft Edge adds a new security feature for users. A built-in password manager makes it easy to keep your logins safe. It also scans for breached passwords on the dark web and notifies you if it finds a match.

Password Monitor will begin rolling out today with Microsoft Edge 88, but it may take a couple of weeks for you to see it in your browser. For more information on how Password Monitor works, take a look at the latest blog from Microsoft Research.

Malwarebytes Reveals it Was Hacked by Nation State Behind ‘SolarWinds’

Malwarebytes co-founder and current CEO Marcin Kleczynski reveals the company was hacked. He believes it was the same nation state actor behind the SolarWinds attack. The state is believed to be Russia.

After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

Crazy stuff, and we’ll probably hear of the fallout for a long time.

Bug Lets Audio, Video be Transmitted Without Consent in Apps Like Signal

Google’s Project Zero security team found bugs that let audio and video be transmitted without user interaction in five messaging apps. These are Signal, JioChat, Mocha, Google Duo, and Facebook Messenger. All bugs have been fixed.

I investigated the signalling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data. All these vulnerabilities have since been fixed. It is not clear why this is such a common problem, but a lack of awareness of these types of bugs as well as unnecessary complexity in signalling state machines is likely a factor.

Apple Apps No Longer Bypass macOS Big Sur Firewalls

In macOS Big Sur, Apple deprecated third-party kernel extensions including Network Kernel Extensions (NKEs). NKEs are used by apps like firewalls to monitor network traffic. Apple’s new user-mode Network Extension Framework had a side-effect: Apple’s own apps wouldn’t be routed through it and thus could bypass third-party firewalls. But now that has changed.

I of course also wondered if malware could abuse these “excluded” items to generate network traffic that could surreptitiously bypass any socket filter firewall. Unfortunately the answer was yes! It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic.

Mozilla VPN Arrives on macOS and Linux

After rolling out on platforms like Windows, Android, and iOS, the Mozilla VPN arrives on macOS and Linux for US$5/month.

The Mozilla VPN isn’t the cheapest option on the market. However, Mozilla has said that, because it uses fewer lines of code than other VPNs, the service is faster than many rival ones. You can connect to more than 280 servers in more than 30 countries via the VPN without any bandwidth restrictions.

I think US$5/mo is definitely one of the cheapest VPNs on the market.

‘ElectroRAT’ is the First Mac Malware Spotted in 2021

We’re barely a week into 2021 and a piece of Mac malware has already been spotted. Dubbed “ElectroRAT,” its primary goal is to steal personal information from cryptocurrency users.

These [malicious] applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were actually installing malware.

Latest T-Mobile Data Breach Exposes Customer Data

The latest T-Mobile data breach (this is the third time and the second breach in 2020) has affected an estimated 200,000 people.

The data accessed did NOT include any names associated with the account, financial data, credit card information, social security numbers, passwords, PINs or physical or email addresses. The information that was accessed may have included phone numbers, number of lines subscribed to and in a small number of cases some call-related information collected as part of normal operation and service.

‘GetSchooled’ Charity Data Breach Exposes Data of 900,000 Kids

GetSchooled, a charity run by the Bill & Melinda Gates Foundation, has leaked the details of over 900,000 children in a data breach.

The breached information contains extensive personal details of children, teenagers and young adults including: full addresses, schools, full student PII including student phone numbers and emails, graduation details, ages, genders and more…

Full everything. What could be “and more”, medical records? GetSchooled got schooled.

Fashion App ‘21 Buttons’ Exposes Data of European Influencers

An e-commerce app called 21 Buttons has exposed the private data of hundreds of people across Europe.

Among the millions of photos and videos, we also viewed hundreds of invoices detailing payments to users in the 21 Buttons Rewards program, covering the last few months. Some of these invoices appear to be test data, but many of them were definitely legitimate invoices detailing real records of payments made.

Cellebrite Has Not Broken Signal’s Encryption

On Tuesday, security company Cellebrite claimed to have broken the encryption that Signal uses to keep user communication safe. The blog post has since been removed, but the BBC has an archived version here. But Signal says that claim isn’t true.

It is important to understand that any story about Cellebrite Physical Analyzer starts with someone other than you physically holding your device, with the screen unlocked, in their hands. Cellebrite does not even try to intercept messages, voice/video, or live communication, much less “break the encryption” of that communication. They don’t do live surveillance of any kind.

SolarWinds Hack Affected Tech Companies Like Intel, Cisco, VMware

The SolarWinds cyber attack didn’t just affect government agencies; big tech companies were affected too. Intel, Nvidia, Cisco, Belkin, and VMware were also infected. The Wall Street Journal reports. If the link below is paywalled, try this article from The Verge.

Intel downloaded and ran the malicious software, the Journal’s analysis found. The company is investigating the incident and has found no evidence the hackers used the backdoor to access the company’s network, a spokesman said.

Apple, Google, Microsoft, Mozilla Take on Kazakhstan Government

Apple, Google, Microsoft, and Mozilla are teaming up to ban a root certificate used by the Kazakhstan government to decrypt HTTPS traffic for residents in the country’s capital, the city of Nur-Sultan.

Kazakh officials justified their actions claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies.

The government’s explanation did, however, make zero technical sense, as certificates can’t prevent mass cyber-attacks and are usually used only for encrypting and safeguarding traffic from third-party observers.

Private Messenger ‘Signal’ Adds Encrypted Group Video Calls

Good news for users of Signal. The app now supports group video calls, and they are end-to-end encrypted like the rest of the app’s communications.

Now when you open a group chat in Signal, you’ll see a video call button at the top. When you start a call, the group will receive a notification letting them know a call has started.

When you start or join a group call, Signal will display the participants in a grid view. You can also swipe up to switch to a view that automatically focuses the screen on who is speaking, and it will update in real time as the active speaker changes.

Jetstream Routers Get Firmware Update to Fix Backdoor

In November, security researchers found a Walmart-branded router called Jetstream contained a way for a third party to remotely control the router and devices connected to it. Walmart responded and said it stopped selling these routers. The manufacturer, Wavlink, also responded. A firmware update includes the following:

Removed unnecessary diagnostic pages; Deleted tcpdump tool; Added codes to block CSRF attack; Improved Web authentication routine.

The researchers haven’t yet tested the update to see if it has been effective.

Russian ‘Cozy Bear’ Hacking Team Hits US Government Networks

A group of Russian hackers known as Cozy Bear has hacked several U.S. government agencies like the Treasury and Commerce departments.

On Sunday night, FireEye said the attackers were infecting targets using Orion, a widely used business software app from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.