Proprietary Software and Security Leftovers
-
Stop using your phone number to log in
Countless apps and services rely on your phone number to identify you, and that number is not necessarily permanent. Phone numbers are also vulnerable to hackers. They were never meant to be permanent identifiers, so incidents like what happened to Ugo are widespread, ongoing problems that the industry has known about for years. There are at least two research papers about phone number recycling that lay out the potential risks, from targeted attacks by hackers or people who easily buy up recently discarded phone numbers to being cut off from your accounts entirely and a stranger getting access to your life.
Yet the burden is often on users to protect themselves from a security issue that was created for them by some of their favorite apps. Even things that those services might recommend as an added security measure — like text, SMS, or multi-factor authentication — can actually introduce more vulnerabilities.
-
[Attackers] use phishing, malware to target job seekers amid layoffs
The current economic climate globally is grim due to the ongoing recession, and taking advantage of this environment, cybercriminals are using phishing and malware campaigns to target job seekers in a bid to steal sensitive information, a new report said on Thursday.
-
Bug Bounty Radar // The latest bug bounty programs for March 2023
New web targets for the discerning hacker
-
We’re going teetotal: It’s goodbye to The Daily Swig
PortSwigger today announces that The Daily Swig is closing down
-
OAuth vulnerabilities on Booking.com could have resulted in account takeovers
Security researchers at Salt Security Inc. today released new threat research that highlights critical security flaws found on the website of popular hotel booking service Booking Holdings Inc.
-
Decentralized Twitter alternative Bluesky launches on App Store in beta
Decentralized social network Bluesky, a project started by former Twitter Inc. Chief Executive Jack Dorsey, launched today in beta test mode.
-
As Twitter Goes Down Yet Again, Report Highlights How Fragile Its Infrastructure Has Become
On Wednesday there was yet another major global outage at Twitter, something that feels like it’s becoming a recurring issue and bringing us back to the days when Twitter regularly crashed and had to put up a “Fail Whale” graphic.
-
At Citrix, 'perpetual licenses' means 'we'd rather move you to a subscription'
Citrix has announced a licensing scheme that's bad news for holders of so-called perpetual licenses because the vendor will stop maintaining products sold to "larger customers" under that scheme.
The vendor stopped selling new perpetual licenses in 2019, so license-holders are sitting on old code that has almost certainly been updated over the years with new features or security fixes – and will need more.
Citrix has not previously set the expectation that such customers could be denied maintenance. Indeed the very word "perpetual" more or less implies the opposite.
-
India ranks 2nd in total number of breaches exposed in 2022 [iophk: Windows TCO]
Further, the report said that about 33 percent of the attacks were a result of ransomware, while 17 percent of cyberattacks were due to unsecured databases in India.
-
A gotcha with Systemd's DynamicUser, supplementary groups, and NFS (v3)
So the end moral is supplemental groups don't work over NFSv3 with systemd dynamic users. More generally, supplemental groups with anonymous UIDs don't work over NFS; systemd dynamic users are merely one way to get anonymous UIDs. For our uses this isn't a fatal problem, but I'll want to remember it for the future.
-
Indigo won't pay ransom for stolen employee data [iophk: Windows TCO]
In a statement to CBC News, the company said while it has been informed that "some or all of the data" could become available, it does not believe it's appropriate to pay the ransom because it cannot guarantee the money would not "end up in the hands of terrorists."
-
It's official: BlackLotus malware can bypass Secure Boot on Windows machines
BlackLotus, a UEFI bootkit that's sold on hacking forums for about $5,000, can now bypass Secure Boot, making it the first known malware to run on Windows systems even with the firmware security feature enabled.
Secure Boot is supposed to prevent devices from running unauthorized software on Microsoft machines. But by targeting UEFI the BlackLotus malware loads before anything else in the booting process, including the operating system and any security tools that could stop it.
-
Microsoft Has No Idea How Stupid to Make Its AI
It's only been a few days since Microsoft announced that it was majorly restricting its unhinged Bing artificial intelligence chatbot — but apparently, the tech giant is already having major second thoughts about its decision.
In a statement issued yesterday, Microsoft seemed to reverse course on its previous announcement that it was seriously restricting the AI's abilities by putting caps on the number and length of responses, noting that many users seemed to want the "long and intricate chat sessions" with the bot codenamed "Sydney" back.
-
Microsoft's new AI chatbot has been saying some 'crazy and unhinged things'
As a tech reporter, O'Brien knows the Bing chatbot does not have the ability to think or feel. Still, he was floored by the extreme hostility.
"You could sort of intellectualize the basics of how it works, but it doesn't mean you don't become deeply unsettled by some of the crazy and unhinged things it was saying," O'Brien said in an interview.