Tag: security
A Single Flaw Broke Every Layer of Security in MacOS
Security researcher reveals Zoom flaws that could’ve allowed attackers to take over your Mac
Zoom’s automatic update option can help users ensure that they have the latest, safest version of the video conferencing software, which has had multiple privacy and security issues over the years. At this year’s DefCon, however, a Mac security researcher reported vulnerabilities he found in the tool that attackers could have exploited to gain full control of a victim’s computer. According to Wired, Patrick Wardle presented two vulnerabilities during the conference. He found the first one in the app’s signature check, which certifies the integrity of the update being installed and examines it to make sure that it’s a new version of Zoom. In other words, it’s in charge of blocking attackers from tricking the automatic update installer into downloading an older and more vulnerable version of the app.
Wardle discovered that attackers could bypass the signature check by naming their malware file a certain way. And once they’re in, they could get root access and control the victim’s Mac. The Verge says Wardle disclosed the bug to Zoom back in December 2021, but the fix it rolled out contained another bug. This second vulnerability could have given attackers a way to circumvent the safeguard Zoom set in place to make sure an update delivers the latest version of the app. Wardle reportedly found that it’s possible to trick a tool that facilitates Zoom’s update distribution into accepting an older version of the video conferencing software.
Zoom already fixed that flaw as well, but Wardle found yet another vulnerability, which he also presented at the conference. He discovered that there’s a point in time between the auto-installer’s verification of a software package and the actual installation process that allows an attacker to inject malicious code into the update. A downloaded package meant for installation can apparently retain its original read-write permissions, allowing any user to modify it. That means even users without root access could swap its contents with malicious code and gain control of the target computer.
The company told The Verge that it’s now working on a patch for the new vulnerability Wardle has disclosed. As Wired notes, though, attackers need to have existing access to a user’s device to be able to exploit these flaws. Even if there’s no immediate danger for most people, Zoom advises users to “keep up to date with the latest version” of the app whenever one comes out.
Solana Wallet Slope Says no Evidence Linking Security Flaw to $4 Million Hack
FTC kicks off efforts to regulate data security and surveillance tech
The Federal Trade Commission is officially starting its efforts to broadly regulate data security. The agency has published an early notice of proposed rulemaking that asks the public to comment on commercial surveillance and data gathering practices, such as camera monitoring or protections for sensitive info. Officials not only want to understand the harms and benefits of technologies, but gauge interest in rules that could require stricter safeguards (such as tougher encryption) and bans on deceptive security claims.
The FTC’s request for input also touches on specific issues, such as biased surveillance systems and algorithmic errors. Similarly, regulators are interested in whether or not existing data security practices hurt children.
In explaining the proposal, the FTC was concerned that enforcement by itself wasn’t enough to protect consumers. The Commission can’t seek civil penalties for first-time violators, for instance. In theory, new rules would encourage stronger security policies, provide more relief to hack victims and ensure a more consistent approach to cases.
On top of the comments, you’ll have a chance for more direct feedback. The FTC is hosting a virtual public forum on September 8th that will give people two minutes each to share their views. The session will also include a panel discussion.
The FTC is still far from outlining rules, let alone putting them into effect. Even so, there’s plenty of pressure to act. Governments at multiple levels in the US are increasingly banning or withdrawing at least some uses of surveillance tech, and there’s a growing backlash against companies that either misuse personal data or are prone to data breaches. New regulations could reduce violations and otherwise ensure that data holders show more respect for your privacy.
Critical Infrastructure Attacks Remain a Major Threat, Top Security Writer Warns – CNET
Prince Andrew ‘to keep’ taxpayer-funded police bodyguards after security review
Shamed Prince Andrew will KEEP police bodyguards after review of security detail in wake of Jeffrey Epstein scandal
PRINCE Andrew will continue to have round-the-clock police protection, funded by the taxpayer, despite no longer undertaking royal duties.
The decision follows a complete review of his security by the Metropolitan Police and Home Office in the wake of the Jeffrey Epstein sex abuse scandal.
The Duke of York, 62, was effectively exiled as a working royal earlier this year when the Queen prevented him from using his HRH title and stripped him of his military and charitable associations.
The Executive Committee for the Protection of Royalty and Public Figures (known as Ravec) assessed the security threat but decided that he was still entitled to police bodyguards, The Daily Telegraph reports.
Its decision is likely to be seen as controversial in the wake of Prince Harry’s claim in the High Court against the committee’s decision to deny him and his family automatic security when he is in the UK.
Prince Andrew, who is ninth in line to the throne, agreed a significant financial settlement with Virginia Giuffre, who had brought a legal case against him in the US, claiming he had sexually abused her three times in 2001 when she was 17 after she had been trafficked by the disgraced paedophile financier Jeffrey Epstein.
The Duke has always denied any wrongdoing.
Initially, it was suggested the settlement cost £12million but reports which emerged last weekend claimed lawyers for the Prince negotiated a deal between £3-5m.
The decision by the committee will mean Andrew will continue to have a personal protection officer whenever he leaves his home.
His property on the Windsor estate has permanent security arrangements.
The cost of his personal protection is unknown but it has been estimated to be between £500,000 and £3m every year.
Andrew’s daughters, Princesses Beatrice and Eugenie, had their royal security removed a number of years ago.
Other non-working royals, such as Peter Phillips and Zara Tindall, do not receive protection as adults.
Prince Andrew was targeted by a number of intruders last year who tried to gain access to the Grade II-listed Windsor home he shares with his former wife the Duchess of York.
In April, a 43-year-old Spaniard, who claimed to be “Irene Windsor”, was waved into the property after telling security she had a lunch date with the Duke.
She was arrested on suspicion of burglary and later sectioned under the Mental Health Act.
A few days later a 31-year-old man and 29-year-old woman were arrested after being found trespassing on the grounds.
California’s Officials Order Celsius to Halt Security Sales
Celsius continues to face regulations from various states and countries after declaring bankruptcy.
Home Security System Films Ghost Cat? – Coast to Coast