Month: August 2024

This new Android malware can steal your card details via the NFC chip

Security researchers spot a sophisticated attack that steals people’s NFC data and can be used to steal money, and more.

Cybercriminals have reportedly found a way to steal from smartphone users by exfiltrating the data read by their device’s near-field communications (NFC) chip.

The scam was revealed by cybersecurity researchers at ESET, who said it includes progressive web apps (PWA), advanced WebAPKs, and significant social engineering in a multi-step approach that requires a bit of naivety from the victim.

But it’s not just about stealing money, as many different services use NFC technology – including access cards, transportation tickets, and more, opening victims up to a potential world of hurt.

Enter NGate

It all starts with an SMS message, or an automated call to the victim, in which the crooks impersonate the victim’s bank and urge them to install a malicious PWA or a WebAPK, claiming they were important updates. Since these apps don’t work in the same manner as classic apps, they don’t require the same permissions. Instead, they get the necessary access by abusing the browser’s API.

Once that part is out of the way, the fraudsters call up the victim, impersonating a bank employee, and warn them of a security incident. The only way to secure their funds, the scammers explain, is to download an app that verifies the payment card, and more importantly – the PIN number.

The app is NGate, the malware that can capture NFC data from payment cards close to the infected device, and then send it to the attackers, either directly, or via a proxy. It does so through an open-source component called NFCGate, a research project that allows on-device capturing, relaying, replaying, and cloning features.

Obviously, once the victim shares their PIN number, it’s mostly game over. The crooks would use the data to clone the card on their smartphones, and either make cash withdrawals from ATM machines, or make purchases on POS endpoints.

Commenting on the findings, Google told the publication that Google Play Protect, Android’s default security tool, detects this malware.

“Based on our current detections, no apps containing this malware are found on Google Play.”

Generally, Google is doing a solid job at keeping its mobile app repository clean, and the majority of fake and malicious apps are usually hosted elsewhere around the internet. Therefore, the best way to remain secure is to only download Android apps from reputable sources.

Via BleepingComputer


As EV sales slump, Volkswagen scales back battery factories buildout

VW might only need 170 GWh of cells in 2030 if demand stays depressed.

Image: A VW worker on the assembly line at Emden in Germany. (credit: Volkswagen)

Volkswagen will wait to see what electric car demand is like before building out all six of its previously planned battery factories. Thomas Schmall, VW’s board member in charge of technology, told a German newspaper that “building battery cell factories is not an end to itself” and that a goal of 200 GWh of lithium-ion cells by 2030 was not set in stone.

It’s a bit too simplistic to say that all new technologies conform to the now-infamous Gartner hype cycle, but it’s hard not to think of that squiggly line when discussing EVs. After years of hearing lofty goals of all-electric lineups and an end to internal combustion engines from OEMs, Tesla’s skyrocketing valuation got investors interested in electrification, and for a while, things just went mad.

But the promised fall in battery costs never really materialized, and in the US, EVs still command a price premium, at least for the first owner. The initial hype, coupled with the limited availability of new models, saw dealers load the cars and trucks they could get with hefty markups, further alienating potential customers. And now, when those markups and inventory shortages are mostly a thing of the past, interest rates have soared.


Best 6-Month CD Rates for August 2024

You can secure an APY up to three times the national average with one of the best six-month CD rates.


Microsoft to host CrowdStrike and others to discuss Windows security changes

Microsoft is hosting an important summit on Windows security at its Redmond, Washington, headquarters next month. The Windows Endpoint Security Ecosystem Summit on September 10th will bring together Microsoft engineers and vendors like CrowdStrike to discuss improvements to Windows security and third-party best practices to try and prevent another CrowdStrike incident.
“Microsoft, CrowdStrike and key partners who deliver endpoint security technologies will come together for discussions about improving resiliency and protecting mutual customers’ critical infrastructure,” says Aidan Marcuss, corporate vice president of Microsoft Windows and devices. “Our objective is to discuss concrete steps we will all take to improve security and resiliency for our joint customers.”
The buggy CrowdStrike update that forced 8.5 million Windows devices offline last month has triggered broader discussions about how such an incident can be avoided in the future. Microsoft has already called for changes to Windows to improve resiliency and has dropped some subtle hints about moving security vendors out of the Windows kernel.
CrowdStrike’s software runs at the kernel level — the core part of an operating system that has unrestricted access to system memory and hardware. That enabled the faulty update to cause a Blue Screen of Death at startup on affected machines last month, thanks to CrowdStrike’s special driver that allows it to run at a lower level than most apps so it can detect threats across a Windows system.

While Microsoft doesn’t directly mention Windows kernel access in its blog post announcing its Windows security summit, it’s bound to be a big part of the discussions next month. “The CrowdStrike outage in July 2024 presents important lessons for us to apply as an ecosystem,” says Marcuss. “Our discussions will focus on improving security and safe deployment practices, designing systems for resiliency and working together as a thriving community of partners to best serve customers now, and in the future.”
Microsoft tried to close off access to the Windows kernel in Windows Vista in 2006, but it was met with pushback from cybersecurity vendors and regulators. This time, Microsoft is inviting government representatives to its security summit “to ensure the highest level of transparency to the community’s collaboration to deliver more secure and reliable technology for all.”
Microsoft’s security summit won’t only focus on the Windows kernel access question, simply because improving resiliency and security for Windows goes far beyond just a single issue. The summit will include technical sessions to discuss safe deployment practices, improvements to the Windows platform and API sets, and using more memory-safe programming languages like Rust.
The summit comes right in the middle of Microsoft’s broader security overhaul of its own, following years of security issues and criticisms. Microsoft employees are now being judged directly on their security work, so engineers are understandably keen to engage more closely with vendors like CrowdStrike.
There is bound to be pushback from security vendors at the prospect of being kicked out of the Windows kernel, though. On one side, third-party developers want to develop innovative security solutions for Windows that require deep access, and on the flip side, Microsoft doesn’t want its entire operating system being brought down by a faulty update it has no control over.
Security vendors also often fear that any changes Microsoft makes to Windows will benefit or prioritize its own Defender security products that it sells to businesses. Microsoft has a complicated and unique relationship with security vendors because it builds the Windows platform for them and then competes for paid security customers.
By calling for a summit, Microsoft is clearly hoping to ease some of those tensions and generate short- and long-term actions for everyone involved in improving security and resiliency for Windows. The software giant is planning to share updates on the conversations after the event, and hopefully, there’s a strong consensus on what steps to take to avoid this type of devastating outage again.


Last day for massive ticket savings to TechCrunch Disrupt 2024

Time is running out! These are the last hours to save up to $600 on TechCrunch Disrupt 2024 tickets — offer ends tonight at 11:59 p.m. PT. Join 10,000+ startup and VC leaders from October 28-30 at Moscone West in San Francisco. Be part of one of the year’s most anticipated tech events. Reserve your

Apple’s Rough iPhone Launch 10 Years Ago Compared to Now

Commentary: In 2014, Apple annoyed millions of users by putting U2 on every iTunes account — and that wasn’t the only drama that came from one iPhone event.


SolarWinds left some serious security flaws in its Web Help Desk platform, and now it’s under attack

Hardcoded credentials grant crooks easy access, and they pop up more often than one would think.

Security researchers have uncovered a critical-severity vulnerability in one of SolarWinds’ most popular software products.

SolarWinds’ Web Help Desk is a web-based IT service management software that streamlines and automates help desk ticketing, asset management, and IT service management processes. It offers features like ticketing, incident and problem management, and a self-service portal, designed to improve the efficiency and responsiveness of IT support teams.

The bug, discovered by cybersecurity researcher Zach Hanley, from Horizon3.ai, is a simple (but too-often-seen) oversight – hardcoded admin credentials were left in the product. The vulnerability is tracked as CVE-2024-28987, and carries a severity score of 9.1/10. It affects Web Help Desk 12.8.3 HF1 and all previous versions.

The earliest clean version is 12.8.3 HF2.

Hardcoded credentials everywhere

A patch is already available, but it needs to be manually installed. Since the flaw allows unauthenticated threat actors to log into vulnerable endpoints, and fiddle with the data found there, users are urged to install the fix immediately.

One would think that for a product used by government, education, healthcare, and telecommunications companies (to name a few), such a simple error would not happen. However, hardcoded credentials are a frequent occurrence.

In October 2023, Cisco Emergency Responder (CER), the company’s emergency communication system used to respond to crises in a timely manner, had hardcoded credentials. In March 2024, researchers found that millions of GitHub projects had the same problem.

During the development stage, many IT pros would hardcode different authentication secrets in order to make their lives easier. However, they often forget to remove the secrets before publishing the code. Thus, should any malicious actors discover these secrets, they would get easy access to private resources and services, which can result in data breaches and similar incidents.

Via The Register


This autonomous yacht is a mobile green hydrogen factory

In recent years, there have been several attempts at building a hydrogen boat. But UK startup Drift is navigating new territory with a vessel that isn’t hydrogen-powered, but hydrogen-producing.

Drift is developing an autonomous yacht capable of making green hydrogen at sea. It could offer a quicker, more efficient way to produce and transport the fuel, especially in remote regions.

“One of our main advantages is that we can service the hard-to-reach places,” Drift’s founder and CEO, Ben Medland, told TNW. “This is a huge benefit when compared to having a fixed installation.”

Wind pushes the sailboat, spinning a turbine…

This story continues at The Next Web


Premier League Soccer: Livestream Tottenham vs. Everton From Anywhere

Spurs go in search of their first win of the season as they host the injury-hit Toffees.
