What you missed in cybersecurity this week – gpgmail


There’s not a week that goes by where cybersecurity doesn’t dominate the headlines. This week was no different. Struggling to keep up? We’ve collected some of the biggest cybersecurity stories from the week to keep you in the know and up to speed.

gpgmail: This was the biggest iPhone security story of the year. Google researchers found a number of websites that had been stealthily hacking thousands of iPhones every week. The operation was carried out by China to target Uyghur Muslims, according to sources, and also targeted Android and Windows users. Google said the sites attacked visitors indiscriminately, chaining previously undisclosed (“zero-day”) vulnerabilities so that simply loading one of the pages was enough to compromise a phone.

Hackers could steal a Tesla Model S by cloning its key fob — again

Wired: For the second time in two years, researchers have cracked the encryption in the key fobs used to unlock Tesla’s Model S. After the first break, the fob’s encryption key was doubled in length, but the researchers needed only about twice the resources to crack it again. Doubling a key length should make brute force exponentially harder, so a merely linear increase in attacker effort suggests the weakness lay in the cipher’s construction rather than the key size. The good news is that a software update can fix the issue.

Microsoft’s lead EU data watchdog is looking into fresh Windows 10 privacy concerns

gpgmail: Microsoft could be back in hot water with the Europeans after the Dutch data protection authority asked its Irish counterpart, which oversees the software giant, to investigate Windows 10 for allegedly breaking EU data protection rules. A chief complaint is that Windows 10 collects too much telemetry from its users. Microsoft made some changes after the issue was first raised in 2017, but the Irish regulator is looking at whether those changes go far enough, and whether users are adequately informed. Microsoft could be fined up to 4% of its global annual revenue if found to have flouted the law. Based on 2018’s figures, that could mean fines as high as $4.4 billion.

U.S. cyberattack hurt Iran’s ability to target oil tankers, officials say

The New York Times: A secret cyberattack against Iran, carried out in June but only reported this week, significantly degraded Tehran’s ability to track and target oil tankers in the region. It’s one of several offensive operations the U.S. government has mounted against foreign targets in recent months. Iran’s military seized a British tanker in July in retaliation over a U.S. operation that downed an Iranian drone. According to a senior official, the strike “diminished Iran’s ability to conduct covert attacks” against tankers, but it also sparked concern that Iran may quickly get back on its feet by fixing the vulnerability the Americans used to shut down its operation in the first place.

Apple is turning Siri audio clip review off by default and bringing it in house

gpgmail: After Apple was caught paying contractors to review Siri queries without user permission, the technology giant said this week it will turn off human review of Siri audio by default and bring any opt-in review in-house. That means users will actively have to allow Apple staff to “grade” audio snippets captured through Siri. Apple began audio grading to improve the Siri voice assistant. Amazon, Facebook, Google, and Microsoft have all been caught out using contractors to review user-generated audio.

Hackers are actively trying to steal passwords from two widely used VPNs

Ars Technica: Hackers are targeting and exploiting vulnerabilities in two popular corporate virtual private network (VPN) products. Fortinet’s FortiGate and Pulse Secure appliances let remote employees tunnel into their corporate networks from outside the firewall. But both contain flaws which, if exploited, let an attacker into the corporate network without needing an employee’s username or password. From there they can reach the internal resources on that network, potentially leading to a major data breach. News of the attacks came a month after the vulnerabilities were first publicly disclosed, and months after the vendors shipped fixes, yet thousands of unpatched endpoints remain exposed on the internet.

Grand jury indicts alleged Capital One hacker over cryptojacking claims

gpgmail: And finally, just when you thought the Capital One breach couldn’t get any worse, it does. A federal grand jury returned a new indictment against the accused hacker, Paige Thompson, adding fresh charges. Thompson is alleged to have built a tool to find cloud instances hosted on Amazon Web Services that sat behind misconfigured web application firewalls. Using that tool, she is accused of breaking into those instances and installing cryptocurrency mining software. This is known as “cryptojacking”: hijacking someone else’s computing resources to mine cryptocurrency for the attacker’s benefit.



Parallels’ KeyGenie lets you play for a free product key — but you can’t ever win – gpgmail


When is a game not a game? When you never win.

For years, virtualization software maker Parallels offered the chance to win a free product key if you could “stump the KeyGenie,” a virtual robot that users play against. Normally, users must buy a product key to run the software beyond its two-week free trial. But if you can make it through five questions without the robot guessing what you’re thinking, the robot says a key “may be yours.”

But it turns out it’s an impossibility.

Security researcher John Wethington alerted gpgmail to the KeyGenie game, more than a year after he told Parallels that the game was impossible to win. He examined the source code of the webpage to see how it worked. He quickly found that no matter what a user does, the code never allows a user to win a free product key.

“It’s to get people to sign up for a trial by pretending to give them a chance at a free license,” he said. “But the source code proves it never will.”

We asked three security researchers to independently verify our findings. Spoiler alert: they did.

Yonathan Klijnsma, a threat researcher at cyberthreat intelligence firm RiskIQ, looked at the code and found that the robot’s responses were hardcoded.

“There’s never any product key,” he told gpgmail. “You have that winning screen but there’s never a product key on the page,” he said. “You can trigger the case for getting a key but there is no way to get to it.”

Though it’s possible to trick the game into thinking you’ve won, nothing happens — and no key is ever awarded.

A screencap of the KeyGenie game. No product key is ever produced. (Image: gpgmail)

“It’s a bunch of hardcoded if-else statements that just take you to the same widget in the end,” said Edwin Foudil, a security researcher who also performed a cursory review of the site. And Baptiste Robert, who’s known for finding security vulnerabilities in apps and websites, said his own checks show nothing is ever pulled from the server after the user wins, suggesting the winner is never served a product key.

“It seems to be a fake game,” said Robert.

We contacted Parallels prior to publication but spokesperson John Uppendahl did not comment. If that changes, we’ll update.

The KeyGenie site was born more than five years ago after Parallels found its popular desktop virtualization software was regularly falling victim to software piracy. Crackers would reverse-engineer the software’s product key algorithm, then build and share product key generators, known as keygens, on file-sharing sites. Quickly, these keygens floated to the top of search engines, making piracy even easier for users.

Parallels built the aptly named “KeyGenie” game so it would rise to the top of search results and displace the keygen listings.

One of Parallels’ marketing agencies at the time published a blog post claiming that KeyGenie “will actually hand out keys,” and that the game was “programmed randomly.” The post, published seven months after the game launched, said it had “generated dozens of trials” and “four-figures in revenue.”

The Federal Trade Commission, which regulates potentially deceptive advertising and marketing, did not comment outside business hours.


Google, Mozilla team up to block Kazakhstan’s browser spying tactics – gpgmail


Google and Mozilla have taken the rare step of blocking a root certificate issued by the Kazakhstan government, which critics say the government forced its citizens to install as part of an effort to monitor their internet traffic.

The two browser makers said in statements on Wednesday that they had deployed “technical solutions” to block the government-issued certificate.

Citizens had been told to install the government-issued root certificate on their computers and devices as part of a domestic surveillance program. A trusted root certificate can vouch for a certificate for any website, so once it was installed the government’s interception equipment could present its own certificates for popular sites and decrypt citizens’ HTTPS traffic, with no warning from the browser.

Researchers found that only a few sites were being monitored, like Facebook, Twitter, and Google.

Although the Kazakh government is said to have stopped what it called “system testing” and allowed citizens to delete the certificate, both Google and Mozilla said their measures would stop the data-intercepting certificate from working, even if it’s still installed.
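The two paragraphs above describe the mechanism on both sides: a user-installed root that the operating system trusts, and a browser-shipped distrust entry that overrides that trust. The Go program below is an added example and is not Google’s, Mozilla’s or the Kazakh system’s code. It builds a constructed public CA and a constructed interception CA, puts both into a trust store, issues a certificate for www.example.com from each, and then verifies the chains with and without a distrust list keyed on the SHA-256 of the root’s SubjectPublicKeyInfo. The certificate names, the hostname and the keyed-by-SPKI distrust list are assumptions for the demonstration; Chrome’s CRLSet and Firefox’s OneCRL are the real mechanisms, and their formats differ from this map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign signs tmpl with parent/signer and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newRoot makes a self-signed CA; on the wire an interception CA looks exactly like a real one.
func newRoot(cn string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// issueLeaf mints a server certificate for host under ca, as a real CA or an interception proxy would.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &newKey().PublicKey, caKey)
}

// SPKIHash is SHA-256 over the SubjectPublicKeyInfo; distrusting the key, not one certificate, defeats re-issuance.
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyWithDistrust does ordinary path building against the local trust store, then drops every
// chain that passes through a distrusted key, so a root the user was made to install is still useless.
func VerifyWithDistrust(leaf *x509.Certificate, roots *x509.CertPool, host string, distrusted map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
next:
	for _, chain := range chains {
		for _, c := range chain {
			if distrusted[SPKIHash(c)] {
				continue next
			}
		}
		return nil // at least one chain avoids every distrusted key
	}
	return fmt.Errorf("every chain for %s passes through a distrusted key", host)
}

// Scenario puts a public CA and a government interception CA (both constructed) in the user's trust
// store and reports whether the intercepted chain is accepted with the bare store, whether it is
// blocked once the interception key is distrusted, and whether the genuine chain still verifies.
func Scenario() (interceptAccepted, interceptBlocked, genuineOK bool) {
	realKey, govKey := newKey(), newKey()
	realRoot := newRoot("Public CA (constructed)", realKey)
	govRoot := newRoot("Government Interception Root (constructed)", govKey)
	roots := x509.NewCertPool() // the trust store after the mandated install
	roots.AddCert(realRoot)
	roots.AddCert(govRoot)
	host := "www.example.com"
	genuine := issueLeaf(realRoot, realKey, host)
	intercepted := issueLeaf(govRoot, govKey, host)      // what the interception proxy presents
	distrust := map[string]bool{SPKIHash(govRoot): true} // the list the browser vendor ships
	interceptAccepted = VerifyWithDistrust(intercepted, roots, host, nil) == nil
	interceptBlocked = VerifyWithDistrust(intercepted, roots, host, distrust) != nil
	genuineOK = VerifyWithDistrust(genuine, roots, host, distrust) == nil
	return
}
```

Scenario() returns true, true, true: the operating-system trust store alone accepts the interception proxy’s certificate for www.example.com, the distrust entry rejects it even though the root is still installed, and the legitimately issued certificate is unaffected. The important design point is that the distrust list is checked after path building and identifies the key rather than a single certificate, so re-signing the same key under a new root certificate would not evade it.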

“We don’t take actions like this lightly,” said Marshall Erwin, Mozilla’s senior director of trust and security. And Google browser chief Parisa Tabriz said the company would “never tolerate any attempt, by any organization — government or otherwise — to compromise Chrome users’ data.”

The block went into effect invisibly and no action is needed by users. It applies only inside Chrome and Firefox, however; other applications on a device that rely on the operating system’s trust store will keep accepting the certificate until it is removed.

Kazakhstan has a population of 18 million. Researchers said that the Kazakh government’s efforts to intercept the country’s internet traffic only hit a “fraction” of the connections passing through the country’s largest internet provider.

The Central Asian country currently ranks as one of the least free countries on the internet freedom score, based on data collected by watchdog Freedom House, trailing just behind Russia and Iran.

A spokesperson for the Kazakhstan consulate in New York did not respond to a request for comment.



Yubico launches its dual USB-C and Lightning two-factor security key – gpgmail


Almost two months after it was first announced, Yubico has launched the YubiKey 5Ci, a security key with two connectors: Lightning for iPhones and iPads, and USB-C for Macs and other USB-C compatible devices.

The 5Ci is the latest iteration of Yubico’s security key, built to support a newer range of devices, including Apple’s iPhone, iPad, and MacBooks, with a single device. Announced in June, the company said the key would cater to cross-platform users, particularly Apple device owners.

These security keys may be small enough to sit on a keyring, but they hold the keys to your online life. Your Gmail, Twitter, and Facebook accounts all support these plug-in devices as a second factor of authentication after your username and password, a far stronger mechanism than the simple code sent to your phone.

Security keys are among the strongest second factors available and protect against a variety of threats, including phishing campaigns run by nation-state attackers.

Jerrod Chong, Yubico’s chief solutions officer, said the new key would fill a “critical gap in the mobile authentication ecosystem,” particularly given how users are increasingly spending their time across a multitude of mobile devices.

The new key works with a range of apps, including password managers like 1Password and LastPass, and web browsers like Brave, which support security key authentication.



Google’s Titan security keys come to Japan, Canada, France and the UK – gpgmail


Google today announced that its Titan Security Key kits are now available in Canada, France, Japan and the UK. Until now, these keys, which come in a kit with a Bluetooth key and a standard USB-A dongle, were only available in the U.S.

The keys provide an extra layer of security on top of your regular login credentials. They act as a second authentication factor and replace lower-tech options like authenticator apps or SMS messages. With those methods you still have to type a code into a form, and that works fine until you land on a well-designed phishing page, where somebody can intercept your code and quickly reuse it to breach your account. Receiving a second factor over SMS isn’t a great idea to begin with, but that’s a different story.

Security keys avoid that problem by never producing a code that can be typed or relayed. The key signs a challenge from the site together with the web origin the browser is actually showing, so a response generated on a look-alike phishing domain is rejected by the real site. All of this, of course, only works on sites that support hardware security keys, though that number continues to grow.
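The origin binding described here, and the contrast with a typed code drawn in the YubiKey 5Ci story above, can be shown end to end. The Go program below is an added example, not Yubico’s, Google’s or any FIDO library’s code. It models the three parties in a WebAuthn assertion: the authenticator signs over the RP ID hash and the hash of the browser-supplied client data, the browser writes the page’s own origin into that client data and refuses to scope a request to an RP ID that is not the page’s host or a parent domain, and the relying party checks challenge, origin and RP ID hash before the signature. The RP name accounts.example, the phishing origin accounts.example.evil.test and the fixed zero signature counter are assumptions; real authenticator data also carries attested credential data, and real relying parties also track the counter and credential ID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// ClientData is the part of WebAuthn's CollectedClientData used here; the browser, not the page, fills in Origin.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the RP's random challenge
	Origin    string `json:"origin"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signedMessage is the digest a FIDO authenticator signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// Authenticator models a security key: one key pair per RP ID. A real key refuses an RP ID it has no credential for.
type Authenticator map[string]*ecdsa.PrivateKey

// Assert returns authenticatorData = SHA-256(rpID) || flags || counter and the signature over it plus the client data hash.
func (a Authenticator) Assert(rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x01, 0, 0, 0, 0) // flags = UP (user present); counter left at 0 for brevity
	sig, err = ecdsa.SignASN1(rand.Reader, a[rpID], signedMessage(authData, clientDataJSON))
	return authData, sig, err
}

// BrowserGet is what navigator.credentials.get() does for a page: it records the page's own origin in the client
// data and refuses an rpID that is not the page's host or a parent domain. Origins here are "https://host", no port.
func BrowserGet(pageOrigin, rpID string, challenge []byte, auth Authenticator) (cdj, authData, sig []byte, err error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, nil, nil, fmt.Errorf("rpID %q is not a registrable suffix of %q", rpID, host)
	}
	cdj, _ = json.Marshal(ClientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: pageOrigin})
	authData, sig, err = auth.Assert(rpID, cdj)
	return cdj, authData, sig, err
}

// RelyingParty is the server side: it checks ceremony type, challenge, origin and rpIdHash before the signature.
type RelyingParty struct {
	ID, Origin string
	PubKey     *ecdsa.PublicKey
}

func (rp *RelyingParty) Verify(challenge, clientDataJSON, authData, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != b64(challenge):
		return fmt.Errorf("challenge mismatch: replayed or from another session")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rp.Origin)
	case len(authData) < 37 || string(authData[:32]) != string(want[:]) || authData[32]&0x01 == 0:
		return fmt.Errorf("rpIdHash mismatch or user presence flag not set")
	case !ecdsa.VerifyASN1(rp.PubKey, signedMessage(authData, clientDataJSON), sig):
		return fmt.Errorf("signature invalid: client data was changed after signing")
	}
	return nil
}

// Scenario runs one genuine login and two phishing attempts against a constructed RP; nil means the RP accepted.
func Scenario() (legit, phishBrowser, phishOrigin error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: key pair scoped to the RP ID
	auth := Authenticator{"accounts.example": key}
	rp := &RelyingParty{ID: "accounts.example", Origin: "https://accounts.example", PubKey: &key.PublicKey}
	phish := "https://accounts.example.evil.test" // constructed phishing origin
	ch := make([]byte, 32)
	rand.Read(ch)
	// Genuine page: origin and rpID line up, so the RP accepts (a BrowserGet failure would surface in Verify).
	cdj, ad, sig, _ := BrowserGet(rp.Origin, rp.ID, ch, auth)
	legit = rp.Verify(ch, cdj, ad, sig)
	// Phishing page relays the real challenge; the browser will not scope the request to accounts.example.
	_, _, _, phishBrowser = BrowserGet(phish, rp.ID, ch, auth)
	// An attacker-controlled client skips that check; the signed client data still names the phishing origin.
	cdj, _ = json.Marshal(ClientData{Type: "webauthn.get", Challenge: b64(ch), Origin: phish})
	ad, sig, _ = auth.Assert(rp.ID, cdj)
	phishOrigin = rp.Verify(ch, cdj, ad, sig)
	return
}
```

Scenario() returns nil for the genuine login and a non-nil error for both phishing attempts. The second attempt is the instructive one: even with the browser’s RP ID rule bypassed, the origin travels inside the signed client data, so the attacker can neither present the assertion as coming from accounts.example nor edit the origin afterwards without breaking the signature. A one-time code has no such binding, which is why a relayed SMS or app code works for the phisher and a relayed security-key assertion does not.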

The launch of Google’s Titan keys came as a bit of a surprise, given that Google had long had a good relationship with Yubico and previously provided all of its employees with that company’s keys. The original batch of keys also shipped with a flaw in the Bluetooth key’s pairing. That bug was hard to exploit, but nonetheless Google offered free replacements to all Titan Key owners.

In the U.S., the Titan Key kit sells for $50. In Canada, it’ll go for $65 CAD. In France, it’ll be €55, while in the UK it’ll retail for £50 and in Japan for ¥6,000. Free delivery is included.
