Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs many interesting services and supports enthusiasts in interesting projects.

Categories

New Case Study: Unmanaged GTM Tags Become a Security Nightmare

The Hacker News - 2 hours 2 min ago
Are your tags really safe with Google Tag Manager? If you've been thinking that using GTM means that your tracking tags and pixels are safely managed, then it might be time to think again. In this article we look at how a big-ticket seller that does business on every continent came unstuck when it forgot that you can't afford to allow tags to go unmanaged or become misconfigured.
Category: Hacking & Security

New Threat Actor 'Void Arachne' Targets Chinese Users with Malicious VPN Installers

The Hacker News - 2 hours 42 min ago
Chinese-speaking users are the target of a never-before-seen threat activity cluster codenamed Void Arachne that employs malicious Windows Installer (MSI) files for virtual private networks (VPNs) to deliver a command-and-control (C&C) framework called Winos 4.0. "The campaign also promotes compromised MSI files embedded with nudifiers and deepfake pornography-generating software, as well as
Category: Hacking & Security

Warning: Markopolo's Scam Targeting Crypto Users via Fake Meeting Software

The Hacker News - 2 hours 57 min ago
A threat actor who goes by the alias markopolo has been identified as being behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft. The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC,
Category: Hacking & Security

Top 10 Windows productivity tips

Computerworld.com [Hacking News] - 3 hours 5 min ago

Each week, I ask Windows Intelligence readers to share their favorite Windows PC tips with me. There are some I see submitted over and over — the top productivity tips many of my most enthusiastic readers think everyone should know.

Now, I want to share them with you, bringing them into one place for an easily skimmable guide filled with tweaks and upgrades you can put straight to work.

There are more PC tips where these came from! Sign up for my free Windows Intelligence newsletter to get free Windows Field Guides and three new things to try every Friday.

Windows productivity tip #1: Clipboard history

Windows has a built-in clipboard history. Just press Windows+V to find it. If you haven’t activated it, you can turn it on in one click from there.

You can copy multiple things and access both text and images you’ve recently copied within it. Or, if you find yourself pasting the same things again and again, you can “pin” items to your clipboard history for easy future access.

The clipboard history tool can help you perform other advanced tasks, too: You can sync your clipboard between PCs with your Microsoft account, for example, or paste items as plain text.

To configure the clipboard history, head to Settings > System > Clipboard. It’s available on both Windows 10 and Windows 11.

The clipboard history is stored entirely on your PC — unless you choose to sync it in Settings.

Chris Hoffman, IDG

Windows productivity tip #2: The power user menu

The “power user menu” was added during the Windows 8 days, when Microsoft removed the Start menu. It’s still useful today, offering a quick way to access a variety of useful system options and administrative tools. Whether you want to shut down your PC, launch File Explorer, or open a Terminal window, you can do it from the power user menu.

To open it, right-click your Start button on the taskbar or press Windows+X on your keyboard. You can then select an item in the menu with one more click.

Windows productivity tip #3: Plain-text pasting

Copy-pasting text on a PC can be a pain. You often end up copying formatting — fonts, colors, links, and other junk — when you just want plain old text.

You can paste just the plain text in nearly any application — if you use the right shortcut. Just press Ctrl+Shift+V instead of Ctrl+V to paste. This works in most applications, including web browsers like Google Chrome. (It now even works in Microsoft Word by default, too.)

Windows productivity tip #4: A website as an app

If you frequently use web apps, you might want to install them as applications, giving them their own separate windows, shortcuts, and taskbar icons for convenient access.

To do this in Google Chrome, visit the website you want to turn into an “app” — like Gmail, for example. Then, click the menu button on Chrome’s toolbar and select Save and Share > Create shortcut. Name it whatever you like, check “Open as window,” and you’re done.

If the website offers a Progressive Web App (PWA), you will see an “Install” button in the menu. You can use that instead.

This works in Google Chrome, Microsoft Edge, and other Chromium-based browsers. (Firefox, unfortunately, doesn’t support the option.)

This is the closest thing you can get to a Windows desktop app for Gmail.


Windows productivity tip #5: Ctrl key shortcuts

There’s a good chance you already know some basic text-editing keyboard shortcuts. For example, you can hold Shift and use the left and right arrow keys to select text. But the Ctrl key makes all those keyboard shortcuts work with entire words and not individual characters.

Here’s how the Ctrl key upgrades other keyboard shortcuts while working with text in nearly any application, from your web browser and email client to Microsoft Word:

  • Ctrl+Backspace: Backspace entire words to the left of the cursor at once — not just individual letters.
  • Ctrl+Delete: Delete entire words to the right of the cursor at once — not just individual letters.
  • Ctrl+Left arrow or Ctrl+Right arrow: Move the cursor to the previous word or the next word.
  • Ctrl+Shift+Left arrow or Ctrl+Shift+Right arrow: Select entire words at once.

Windows productivity tip #6: Window snapping

The Snap feature is an incredibly useful way to quickly arrange multiple windows on your screen. In addition to clicking a window title bar and dragging it to the left or right edge of your screen, you can also use shortcuts such as Windows+Left arrow and Windows+Right arrow to snap windows to one side of your screen or the other.

On Windows 11, you have access to Snap Layouts for even more options — press Windows+Z to open Snap Layouts. (Here’s my ultimate guide to the Windows Snap feature to learn all the tricks you need.)

Snap is an absolutely useful tool for multitasking on Windows.


Windows productivity tip #7: A Task Manager time-saver

The Windows Task Manager is a critical tool for all PC users. You might want to open it to see what applications are using resources, close an application that’s frozen, or just manage the startup applications that launch when you sign into your PC.

There’s no need to press Ctrl+Alt+Delete and click “Task Manager” to open it. Just press Ctrl+Shift+Esc, and the Task Manager will appear immediately. You can also right-click an empty spot on your taskbar and select “Task Manager” to launch it on either Windows 11 or Windows 10.

Windows productivity tip #8: Easy emoji insertions

Like it or not, emoji are part of modern communication. You can insert them anywhere on your PC — type them in emails, place them in Word documents, or even use them in file names.

To open the emoji picker on Windows, press Windows+. or Windows+; (that’s the Windows key along with a period or a semicolon).

You can then start typing to search for an emoji or browse through them. This works on Windows 10 and 11. You’ll also find other things you can insert in this pane — like special characters, for example.

With this shortcut, inserting emoji is just as easy on Windows as it is on your phone.


Windows productivity tip #9: Pinned app shortcuts

The Windows key opens the Start menu, Windows+Tab launches Task View, and Windows+C opens Copilot. But you can activate the favorite apps you have pinned to your taskbar using the keyboard, too.

Just press Windows+1, Windows+2, or the Windows key along with any other number — 1 through 0. For example, if you press Windows+1, Windows will activate the first application shortcut from the left on your PC’s taskbar.

(Since 0 appears to the right of 9 on the number row on your keyboard, the 0 key will activate the 10th shortcut from the left.)

Windows productivity tip #10: Instant key transformation

Want to put your keyboard to better use? You can turn a key into any other key. For example, many people transform their Caps Lock key into something else. Here’s one idea: If your keyboard doesn’t have a convenient Play/Pause key, you could “remap” the Caps Lock key into a Play/Pause key.

There are a variety of ways to remap a key; my favorite is the Keyboard Manager included with Microsoft’s free PowerToys package.

To use it, install Microsoft PowerToys on your PC. Launch PowerToys from your Start menu or system tray, select “Keyboard Manager,” and use the “Remap a key” tool here to make a key function as another key. Microsoft has even more in-depth documentation on using the Keyboard Manager tool.

With a few clicks, you can transform a key on your keyboard into another key.


Microsoft’s PowerToys package is packed with useful tools, too — Keyboard Manager is just scratching the surface of what you can do with it. For example, it has a convenient Always on Top tool for making any window “always on top” of all other windows. That can be a big productivity boost in the right situation.

Want more PC tips like these? Sign up for my Windows Intelligence newsletter today — you’ll get three things to try in your inbox each Friday. Plus, get free copies of Paul Thurrott’s Windows 11 and Windows 10 Field Guides as a special welcome bonus.

Category: Hacking & Security

An important choice in inconspicuous paragraphs. The EU is deciding how much privacy we sacrifice to the fight against crime

Zive.cz - security - 4 hours 20 min ago
The just-concluded elections to the European Parliament are often pejoratively labelled "second-category elections", but in reality MEPs and representatives of the governments of the individual member states decide on legislation that affects our lives more than most of our own Czech laws. Or into them ...
Category: Hacking & Security

Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

The Hacker News - 5 hours 29 min ago
Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances. Both shortcomings impact all versions of the software prior to version 2024-04, which was released on April 4, 2024. The issues were responsibly disclosed by SonarSource on March 22, 2024. The flaws
Category: Hacking & Security

AR/VR headset sales decline is temporary: IDC

Computerworld.com [Hacking News] - 18 June 2024 - 23:18

Shipments of augmented reality and virtual reality (AR/VR) headsets dropped 67.4% year over year in the first quarter of 2024 as a result of an evolution in the market, new data from International Data Corp. (IDC) reveals.

“The decline in shipments was expected as the market transitions to include new categories such as Mixed Reality (MR) and Extended Reality (ER),” IDC noted Tuesday. “Despite the decline, the average selling price (ASP) rose to over $1,000 as Apple entered the market and incumbents such as Meta focused on premium headsets such as the Quest 3.”

The future of such products in the enterprise is in flux, with Microsoft pulling back and laying off workers from its HoloLens division last year, while Apple is clearly targeting the enterprise market with its Apple Vision Pro.

However, IDC’s projections for shipments and selling prices may be thrown off by news that broke later the same day: Apple is reportedly abandoning plans to build a Vision Pro 2, concentrating instead on developing a lower-specced, lower-cost model for release in late 2025.

The research firm said that it recently revised its taxonomy of headsets to incorporate two new categories: "Mixed Reality, which occludes the user's vision but provides a view of the real world with outward-facing cameras, and Extended Reality, which employs a see-through display but mirrors content from another device or offers a simplistic heads-up display."

Headset market in flux

Meta again led the market in the first quarter in terms of share, while Apple’s recent entry into the market enabled it to capture the second position. ByteDance, Xreal, and HTC rounded out the top five, IDC said.

When online pre-sales of Apple's Vision Pro AR/VR headsets began on Jan. 19 they sold out quickly, but as Computerworld noted soon after, stable delivery dates could indicate limited demand for the $3,500 device.

Fast forward to April, and Apple said that it had cut Vision Pro production due to low demand, according to Ming-Chi Kuo, an Apple analyst at TF International Securities.

Jitesh Ubrani, research manager for worldwide mobile device trackers at IDC, said that with mixed reality on the rise, “expect strictly virtual reality headsets to fade in the coming years as brands and developers devise new hardware and experiences to help users eventually transition to augmented reality further down the line. Meanwhile, extended reality displays are set to garner consumer attention as they offer a big screen experience today while incorporating AI and heads-up displays in the near future.”

Meanwhile, Ramon T. Llamas, research director with IDC’s augmented and virtual reality team, said that although ASPs for the overall market crested above the $1,000 mark, this is not representative of all products.

“ASPs for augmented reality (AR) headsets have almost always been above this price point, but ASPs for VR, MR, and ER headsets have typically been lower,” he said. “Apple’s Vision Pro drove ASPs higher for MR headsets, but the addition of lower-cost devices from Meta and HTC have kept those ASPs from going much higher. Meanwhile, there were many devices for VR and ER priced below $500.”

Return to growth

Looking ahead, Llamas said that IDC is anticipating ASP erosion across all products: “Because the overall market is still in its early stages with more expensive first- and second-generation devices, prices will be high even as early adopters buy them. In order to reach scale in the mass market, vendors will need to reduce prices on later and upcoming devices.”

IDC is forecasting that “headset shipments will return to growth later this year with volume growing 7.5% over 2023. Newer headsets and lower price points will help with the turnaround expected later this year. Beyond that, headset shipment volume is expected to see a compound annual growth rate (CAGR) of 43.9% from 2024–2028.”

Updated on June 19, 2024, to add report that Apple is abandoning development of the Vision Pro 2.

Category: Hacking & Security

Embracing Anonymity and Privacy: Tails 6.4 Release Insights

LinuxSecurity.com - 18 June 2024 - 22:59

As digital privacy and security evolve, anonymity cannot be overemphasized. Tails is a live operating system designed with privacy and anonymity as its focus. You can boot it on almost any computer from a USB stick or DVD and use state-of-the-art cryptographic tools to protect files, emails, and instant messaging conversations without leaving a trace behind on your machine. TAILS (an acronym for The Amnesic Incognito Live System) leverages the Tor network to protect online privacy and evade censorship. Each Tails session starts from a clean slate; no data remains from session to session unless it is saved into an encrypted Persistent Storage space.

New Features in Tails 6.4

Tails version 6.4 brings many notable updates that will appeal to Linux administrators and privacy-minded users alike.

Cryptography Strength Reinforced with Random Seed

One of the key enhancements in Tails 6.4 is the inclusion of a random seed on USB flash drives. This seed strengthens the cryptography used across the system, such as Tor, HTTPS connections, and the Persistent Storage feature. Because the seed is kept outside Persistent Storage itself, all users benefit from the increased cryptographic protection regardless of how they have configured Tails.

Tails 6.4 Switches from Onion Services to HTTPS for APT Repositories

In a departure from past versions, Tails 6.4 has moved away from using onion services for the Debian and Tails APT repositories in favor of HTTPS addresses, to improve the reliability of the Additional Software feature and streamline software management for users.

Software Updates and Bug Fixes

One compelling reason to adopt Tails 6.4 is its current software stack and the array of problems it fixes. Tails 6.4 ships an updated Tor Browser (13.0.16) and Tor client (0.4.8.12) to give users access to the latest developments in secure browsing; email communication has also been improved thanks to an upgraded Thunderbird (115.12.0).

Numerous bugs have been addressed to significantly enhance the user experience. Fixes include problems unlocking Persistent Storage, connecting to mobile broadband networks on particular hardware, and re-enabling Thunderbird's PDF reader, which had previously been disabled for security reasons. Furthermore, refinements such as more informative error messages in Tails Cloner and smoother interaction with the Unlock VeraCrypt Volumes utility demonstrate the developers' attentiveness to user feedback.

Upgrading and New Installations

For existing users, upgrading to Tails 6.4 should be straightforward: automatic upgrades are available from version 6.0 onward. Newcomers, or those who prefer a manual upgrade, can follow the detailed installation instructions provided by the Tails project for the various platforms.

Why Linux Administrators Should Take Note

Linux administrators who prioritize security and seek to safeguard their systems against surveillance and censorship will find Tails 6.4 indispensable. With its enhanced cryptographic measures, its commitment to updating core components like the Tor Browser and client, and its quick bug resolution, Tails provides an environment designed specifically for security.

Administrators will appreciate Tor's operational transparency: all network traffic is automatically routed through it, eliminating risks related to network surveillance. Furthermore, the Persistent Storage feature enables essential files, configurations and software to be kept safely across sessions without jeopardizing the system's security posture.

Alternatives to Tails for Privacy and Security

Tails stands out for its anonymity and security features, but it isn't alone in this respect. Linux distributions such as Whonix and Qubes OS also provide similar functionality. Whonix works by isolating the user's internet connection within a separate virtual machine that routes all traffic via Tor. Qubes takes an alternative approach, compartmentalizing the various parts of the OS into isolated VMs to prevent malware from crossing boundaries. Open Source choices ftw!

Learn More about Tails and Privacy

Tails 6.4 is evidence of the project's ongoing dedication to privacy, security, and user experience. With every update, Tails equips the global community with toolsets designed to increase online anonymity while guarding against surveillance intrusions. Linux administrators who place great value on security measures will find this release compelling enough to upgrade existing systems or to bring this OS into their operations in an increasingly monitored digital world.
Category: Hacking & Security

Apple’s cautious AI strategy is absolutely right

Computerworld.com [Hacking News] - 18 June 2024 - 20:45

(Editor’s note: This column originally appeared on Computerworld Sweden on June 14, 2024.)

Just as everyone expected, and almost demanded, Apple finally started talking about artificial intelligence — in its own way, of course. The big keynote at WWDC on Monday might not have been the AI event many had thought was coming. For example, the deal with OpenAI, where ChatGPT will be used as an extension of Apple devices' own AI capabilities, was dealt with in a matter of minutes.

Apple appears to be approaching AI with caution. Cautious, you might call it, but I actually think this strategy is the right one, and it aligns with what I called for earlier: AI that integrates seamlessly and easily into solutions we already know and use.

Apple Intelligence (of course Apple’s AI has been trademarked) is not a special app, or a special assistant or a “Copilot.” These are small, clever features, built on small, specialized models, sprinkled throughout the software. In Siri, in the photo app, as a writing aid, and so on, all in a seemingly non-intrusive way — an extra function, or help, that is there, if you want it.

The latter is important because it bothers me enormously when AI is shoved down one's throat. Just because an AI feature exists, maybe I don't want to use it? No one but I knows what tasks I'm better at than AI, and it obviously varies from person to person.

For example, I am very good at writing and processing text. I definitely don’t want any AI getting in there (I even turn off the spell check in Word). On the other hand, sitting with transcriptions and translations is boring as hell, so I’m happy to take help there.

I’m a decent hobby photographer and don’t need an AI to make my photos “better” unsolicited. However, it can be fun or effective to take AI help to remove some ugly detail, play with the depth of field, or expose subjects.

I’m also a frequent user of chat, both privately and at work, but I think it feels a bit dirty to click on the suggested answers in Microsoft Teams chat (“Great”, “That sounds good.”) because it feels quite disrespectful to the person I’m communicating with.

Above all, I am seriously uninterested in Google's new "AI Overviews," which have now been rolled out, starting in the US. The AI function in Google's search engine takes the liberty of using AI to try to guess what you are looking for — and answer it.

I’m extremely good at Googling; it’s a skill I’ve developed over many years. And when I do research with the help of Google, it’s not one answer I’m looking for, but a balanced assessment that I make based on the information I google, thank you very much. Even if Google’s AI in the future gives “correct” answers instead of suggesting to glue the cheese on pizza, that’s just not what I want to use a search engine for.

So that's why I think Apple is right here. It is through these kinds of simple, friendly and optional functions that do not require advanced "prompt engineering" that the masses will be introduced to and actually use AI tools. Because even though it might sound like it sometimes, most people don't use ChatGPT at all.

Now Apple has the luxury, if you call it that, of not having to position itself as an “AI company” as a number of other tech giants want to do, although there has been pressure from investors to start delivering in this area. Apple sells mobile phones (and other hardware, but mainly phones). Therefore, it can be worthwhile to focus more on data protection and privacy, and on introducing features at a pace and in a way that makes mobile phone buyers see value in their presence.

Moreover, Apple isn’t charging extra for it, as most others do. Of course, Apple Intelligence is so far only available on the iPhone 15 Pro and Pro Max (and Mac computers with M-chip). And, presumably, that sprinkling of AI isn’t so sparkling yet as to warrant an immediate upgrade for most people.

But even if this particular iteration of Apple Intelligence will not become everyone's everyday AI — any more than the first iPhone became everyone's smartphone — I believe this is the way development will go. AI is fundamentally a commodity, a general-purpose technology.

It’s a feature, not a product.

This column is taken from CS Veckobrev, a personal newsletter with reading tips, link tips and analysis sent directly from Computerworld Sweden's editor-in-chief, Marcus Jerräng. Do you also want the newsletter on Fridays? Sign up for a free subscription here.

Category: Hacking & Security

Signal Foundation Warns Against EU's Plan to Scan Private Messages for CSAM

The Hacker News - 18 June 2024 - 18:22
A controversial proposal put forth by the European Union to scan users' private messages to detect child sexual abuse material (CSAM) poses severe risks to end-to-end encryption (E2EE), warned Meredith Whittaker, president of the Signal Foundation, which maintains the privacy-focused messaging service of the same name. "Mandating mass scanning of private communications fundamentally
Category: Hacking & Security

Varjo wants you to create photorealistic VR ‘scenes’ with your phone

Computerworld.com [Hacking News] - 18 June 2024 - 17:25

Varjo has unveiled an app that lets users scan physical spaces with their smartphone to create photorealistic 3D “scenes” for virtual reality (VR) devices. 

The VR headset maker on Tuesday announced the preview of its Teleport app, which it said will lower the barrier for 3D content creation — a time-consuming and costly process that typically involves high-end equipment and know-how. "One thing holding back VR and 3D applications is just how hard it is to create content," said Patrick Wyatt, chief product officer at Varjo.

He described the Teleport app as “a self-serve way that anyone with a smartphone can start creating their own 3D scenes,” allowing them to share their surroundings with others. 

To create a 3D scene, users scan a physical space with their smartphone camera (an iPhone 12 Pro is the minimum requirement for Teleport) — a process that takes several minutes. It's possible to film indoor or outdoor scenes (anything up to the size of a small town square will work), though more dynamic environments with crowds of people or lots of cars could result in blurred footage.

The footage is uploaded to Varjo's cloud servers to build a high-resolution 3D scene. When accessed via a VR headset, users can then move around the virtual space and view a reproduction of the environment that was recorded.

Given Varjo’s focus on enterprise mixed reality and VR, Wyatt said Teleport can be used for training, planning, and remote assistance. But he sees Teleport as “foundational tech” that could have broad applications. “We’re not too prescriptive on use cases,” he said. “We want to see all the cool things people will do with it.”

While VR environments are often created with computer graphics, photorealism is preferred for certain enterprise purposes. “Much of what businesses want and need has to be as close to the real thing as possible to use those assets for engineering, sales and marketing purposes,” said Anshel Sag, principal analyst at Moor Insights and Strategy. “Without photorealism, it becomes a lot less valuable and powerful.”

Until recently, photorealistic 3D content has been produced either with expensive Lidar scanners that can cost several thousand dollars, or photogrammetry techniques that are more accessible, but still require specialist skills. In both cases, there are limitations on quality, too, said Wyatt.

A key advantage of Teleport is the use of a machine learning technique called Gaussian splatting. This enables full 3D scenes to be produced from a set of photos, with more realistic lighting, textures, and reflections – ideal for immersive applications such as Teleport, said Wyatt.

Gaussian splatting simplifies the creation of photorealistic 3D environments, though the technology has its own limitations, said Sag. “The biggest challenge for creating 3D content has primarily been the cost and time it takes to generate the assets,” said Sag. “Gaussian splatting is a way to take some shortcuts in the creation of content to make it cheaper and faster with minimal tradeoffs in terms of quality.

“That said, it isn’t without its problems, as the Gaussian splats don’t always come out right or need very specific capture techniques to work right.”

Varjo isn't the only company to use Gaussian splatting for 3D content creation. Others include Luma and Polycam. Wyatt said Teleport differs in its focus on the creation of 3D environments rather than smaller objects, as well as in its need for a higher image resolution so that content can be viewed effectively on a VR headset.

Varjo plans to make Teleport commercially available towards the end of 2024. A waitlist for early access is available here.

Category: Hacking & Security

When it comes to AI, Apple is opening up for intelligence

Computerworld.com [Hacking News] - 18 June 2024 - 17:10

Apple’s artificial/machine/generative AI research team seems to be opening up as it explores new frontiers in this research, publishing more than 20 new Core ML models for on-device AI through the popular AI community site Hugging Face.

It's a real change from the company's customary reticence about what it's doing, and it seems likely the move comes in response to demands from its research teams to be a bit more transparent.

Cutting-edge AI capabilities

As first reported by VentureBeat, Apple has released dozens of Core ML models, complementing them with extensive datasets. The company seems to be posting new collections at a rapid clip — the latest item appeared in the collection within the last 24 hours. The collection is extensive and highlights two of the main aims of Apple’s teams: to build models that will eventually run on the device, and to ensure these also preserve user privacy.

Some of the AI functions promised by all this code include tools for image classification, depth segmentation, text analysis, translation, and more.

What, who, why?

They cover a wide range of applications, including FastViT for image classification, DepthAnything for monocular depth estimation, and DETR for semantic segmentation. 

The models are not intended for mass market use and are aimed at developers, who can download them, convert them to CoreML format, and then deploy them in their own code. The process for this was explained at WWDC 2024 in a presentation that details how the models can be deployed once converted. It is also worth noting CoreML is much, much faster in iOS 18, as Apple said.

The models available on Hugging Face are also ready to run at the edge. In addition to better privacy and security, on-device LLM models should also run far more swiftly than cloud-based code.

Apple is also working with Hugging Face on other AI-related tasks, including via the MLX Community. All in all, the company seems to have become more visibly open to open-source contributions as it seeks to build Apple Intelligence.

Not the first time Apple’s been open

Except, that’s not exactly the case. Apple is an active player in open-source development, and while this isn’t always fully understood, a cursory glance through company history shows support for the FreeBSD project, a GitHub repository that offers up source code for operating systems, developer tools and more. It also plays an active part across multiple standards bodies, such as Bluetooth SIG.

In other words, some degree of openness already does exist, though it seems to have opened up more for AI.

There’s a reason for this, of course. AI researchers like to collaborate as they explore these new frontiers, and it’s thought Apple’s customary corporate secrecy might have frustrated attempts to put its own work in artificial intelligence on the fast track. This certainly seems to have changed in the last year, as multiple research notes and AI tools have emerged from the company. This latest batch, then, is completely in keeping with Apple’s new approach, or at least its new tactics in this part of the industry.

Apple is, therefore, learning from the wider industry. 

And the industry is learning from it

Apple’s stance on privacy leads the industry, and as the potential pitfalls of AI systems become more widely understood it seems probable that more companies will follow its lead. 

That means an eventual multitude of small models capable of being run on edge devices to perform a variety of tasks. While the capabilities of such models will be limited by a ceiling comprised of processor speed, computational power, and on-device memory bandwidth, Apple’s approach also includes strategic use of highly secured private cloud services, itself a signal to others in the space to follow its example – particularly as increasingly authoritarian and ill-conceived legislation threatens to undermine the security of networked intelligence itself.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Category: Hacking & Security

Cybercriminals Exploit Free Software Lures to Deploy Hijack Loader and Vidar Stealer

The Hacker News - 18 June 2024 - 15:30
Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malware loader called Hijack Loader, which then deploys an information stealer known as Vidar Stealer. "Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe)," Trellix security
Category: Hacking & Security

Analysis of user password strength

Kaspersky Securelist - 18 June 2024 - 13:30

The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of guessing an eight-character password consisting of same-case English letters and digits, or 36 combinable characters, within just 17 seconds.

Our study of resistance to brute-force attacks found that a large percentage of passwords (59%) can be cracked in under one hour.

How passwords are typically stored

To be able to authenticate users, websites need a way to store login-password pairs and use these to verify data entered by the user. In most cases, passwords are stored as hashes, rather than plaintext, so that attackers cannot use them in the event of a leak. To prevent the password from being guessed with the help of rainbow tables, a salt is added before hashing.

Although hashes are inherently irreversible, an attacker with access to a leaked database can try to guess the passwords. They would have an unlimited number of attempts, as the database itself has no protection against brute-forcing whatsoever. Ready-made password-guessing tools, such as hashcat, can be found online.

Methodology

Our study looked at 193 million passwords found freely accessible on various dark web sites. Kaspersky does not collect or store user passwords. More details are available here and here.

We estimated the time it takes to guess a password from a hash using brute force and various advanced algorithms, such as dictionary attacks and/or enumeration of common character combinations. By a dictionary we mean here a list of character combinations frequently used in passwords; these include, but are not limited to, real English words.

Brute force attacks

The brute-force method is still one of the simplest and most straightforward: the computer tries every possible password option until one works. This is not a one-size-fits-all approach: enumeration ignores dictionary passwords, and it is noticeably worse at guessing longer passwords than shorter ones.

We analyzed the brute-forcing speed as applied to the database under review. For clarity, we have divided the passwords in the sample into patterns according to the types of characters they contain.

  • a: the password contains only lowercase or only uppercase letters.
  • aA: the password contains both lowercase and uppercase letters.
  • 0: the password contains digits.
  • !: the password contains special characters.

The time it takes to crack a password using the brute-force method depends on the length and the number of character types. The results in the table are calculated for the RTX 4090 GPU and the MD5 hashing algorithm with a salt. The speed of enumeration in this configuration is 164 billion hashes per second. The percentages in the table are rounded.

Columns 3 to 8 give the share of brute-forceable passwords of this pattern (%) by crack time; columns 9 to 11 give the maximum password length in characters by crack time.

Pattern | Share of dataset, % | < 60 s | 60 s to 60 min | 60 min to 24 h | 24 h to 30 d | 30 d to 365 d | > 365 d | 24 h to 30 d | 30 d to 365 d | > 365 d
aA0!    | 28    | 0.2 | 0.4 | 5  | 0  | 9  | 85 | —  | 9  | 10
a0      | 26    | 28  | 13  | 15 | 11 | 10 | 24 | 11 | 12 | 13
aA0     | 24    | 3   | 16  | 11 | 0  | 15 | 55 | —  | 10 | 11
a0!     | 7     | 2   | 9   | 0  | 14 | 15 | 59 | 9  | 10 | 11
0       | 6     | 94  | 4   | 2  | 0  | 0  | 0  | —  | —  | —
a       | 6     | 45  | 13  | 10 | 9  | 6  | 17 | 12 | 13 | 14
aA      | 2     | 15  | 22  | 11 | 14 | 0  | 38 | 10 | —  | 11
a!      | 1     | 6   | 9   | 11 | 0  | 11 | 62 | —  | 10 | 11
aA!     | 0.7   | 3   | 2   | 12 | 10 | 0  | 73 | 9  | —  | 10
0!      | 0.5   | 10  | 27  | 0  | 18 | 13 | 32 | 10 | 11 | 12
!       | 0.006 | 50  | 9   | 10 | 5  | 6  | 19 | 11 | 12 | 13

The most popular type of password (28%) includes lowercase and uppercase letters, special characters and digits. Most of these passwords in the sample under review are difficult to brute-force. About 5% can be guessed within a day, but 85% of passwords of this type take more than a year to work out. The crack time depends on the length: a password of nine characters can be guessed within a year, but one that contains 10 characters takes more than a year.

Passwords that are least resistant to brute-force attacks are the ones that consist of only letters, only digits or only special characters. The sample contained 14% of these. Most of them can be cracked within less than a day. Strong letter-only passwords start at 11 characters. There were no strong digit-only passwords in the sample.
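As an added example (not code from the Kaspersky study), the following Python reproduces the brute-force table above from first principles: it classifies a password into the study's patterns, sizes the alphabet, divides the keyspace by the stated 164 billion hashes per second, and reports the shortest length that lands in each crack-time band, which matches the table's last three columns for every letter- or special-character pattern. It assumes that the "!" class is Python's string.punctuation (32 characters) and that the whole keyspace is searched; the digit-only row, whose length cells are blank, is not reproduced, and bruteforce_corr_time applies the time-share rule described under the smart brute-force attacks below.

```python
import string

HASHES_PER_SECOND = 164e9           # study's figure: salted MD5 on an RTX 4090

# Character classes behind the pattern labels a / aA / 0 / !
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SPECIALS = set(string.punctuation)  # assumption: 32 printable ASCII punctuation characters

# Crack-time bands used in the study's tables: (label, exclusive upper bound in seconds)
BANDS = [
    ("< 60 s", 60),
    ("60 s to 60 min", 60 * 60),
    ("60 min to 24 h", 24 * 60 * 60),
    ("24 h to 30 d", 30 * 24 * 60 * 60),
    ("30 d to 365 d", 365 * 24 * 60 * 60),
    ("> 365 d", float("inf")),
]


def pattern_of(password: str) -> str:
    """Map a password to the study's pattern label ('a', 'aA0!', '0!', ...)."""
    chars = set(password)
    if not chars or chars - LOWER - UPPER - DIGITS - SPECIALS:
        raise ValueError("password contains characters outside the modelled classes")
    has_lower, has_upper = bool(chars & LOWER), bool(chars & UPPER)
    label = ""
    if has_lower and has_upper:
        label += "aA"
    elif has_lower or has_upper:
        label += "a"                # only lowercase or only uppercase letters
    if chars & DIGITS:
        label += "0"
    if chars & SPECIALS:
        label += "!"
    return label


def alphabet_size(pattern: str) -> int:
    """Number of symbols an attacker must try per position for a pattern."""
    size = 0
    if pattern.startswith("aA"):
        size += len(LOWER) + len(UPPER)
    elif pattern.startswith("a"):
        size += len(LOWER)          # one case at a time: 26 symbols, not 52
    if "0" in pattern:
        size += len(DIGITS)
    if "!" in pattern:
        size += len(SPECIALS)
    return size


def crack_time_seconds(pattern: str, length: int) -> float:
    """Time to exhaust every string of this pattern and length at the study's rate."""
    return alphabet_size(pattern) ** length / HASHES_PER_SECOND


def bruteforce_corr_time(pattern: str, length: int, share: float) -> float:
    """bruteforce_corr: the GPU gives each pattern a slice of time equal to its share
    of the dataset, so exhausting one pattern takes 1/share times as long."""
    return crack_time_seconds(pattern, length) / share


def band_of(seconds: float) -> str:
    """Name of the table column a crack time falls into."""
    for label, upper in BANDS:
        if seconds < upper:
            return label
    return BANDS[-1][0]


def first_length_by_band(pattern: str, max_len: int = 40) -> dict:
    """Shortest password length whose crack time lands in each band; a band that no
    length lands in is reported as '—', as in the table's last three columns."""
    result = {label: "—" for label, _ in BANDS}
    for n in range(1, max_len + 1):
        band = band_of(crack_time_seconds(pattern, n))
        if result[band] == "—":
            result[band] = n
    return result


if __name__ == "__main__":
    # The study's headline figure: 8 same-case letters and digits (36 symbols) in ~17 s
    print(f"a0 x8: {crack_time_seconds('a0', 8):.1f} s")
    for p in ("aA0!", "a0", "aA0", "a0!", "a", "aA", "a!", "aA!", "0!", "!"):
        r = first_length_by_band(p)
        print(f"{p:5} {r['24 h to 30 d']!s:>3} {r['30 d to 365 d']!s:>3} {r['> 365 d']!s:>3}")
```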

Smart brute-force attacks

As mentioned above, brute force is a suboptimal password-guessing algorithm. Passwords often consist of certain character combinations: words, names, dates, sequences (“12345” or “qwerty”). If you make your brute-force algorithm consider this, you can speed up the process:

  • bruteforce_corr is an optimized version of the brute-force method. You can use a large sample to measure the frequency of a certain password pattern. Next, you can allocate to each variety a percentage of computational time that corresponds to its real-life frequency. Thus, if there are three patterns, and the first one is used in 50% of cases, and the second and third in 25%, then per minute our computer will spend 30 seconds enumerating pattern one, and 15 seconds enumerating patterns two and three each.
  • zxcvbn is an advanced algorithm for gauging password strength. The algorithm identifies the pattern the password belongs to, such as “word, three digits” or “special character, dictionary word, digit sequence”. Next, it calculates the number of iterations required for enumerating each element in the pattern. So, if the password contains a dictionary word, finding it will take a number of iterations equal to the size of the dictionary. If a part of the pattern is random, it will have to be brute-forced. You can calculate the total complexity of cracking the password if you know the time it takes to guess each component of the pattern. This method has a limitation: successful enumeration requires specifying a password or assuming a pattern. However, you can find the popularity of patterns by using stolen samples. Then, as with the brute-force option, allocate to the pattern an amount of computational time proportional to its occurrence. We designate this algorithm as “zxcvbn_corr”.
  • unogram is the simplest language algorithm. Rather than requiring a password pattern, it relies on the frequency of each character, calculated from a sample of passwords. The algorithm prioritizes the most popular characters when enumerating. So, to estimate the crack time, it is enough to calculate the probability of the characters appearing in the password.
  • 3gram_seq, ngram_seq are algorithms that calculate the probability of the next character depending on n-1 previous ones. The proposed algorithm starts enumerating one character, and then sequentially adds the next one, while starting with the longest and most frequently occurring n-grams. In the study, we used n-grams ranging from 1 to 10 characters that appear more than 50 times in the password database. The 3gram_seq algorithm is limited to n-grams up to and including three characters long.
  • 3gram_opt_corr, ngram_opt_corr is an optimized version of n-grams. The previous algorithm generated the password from the beginning by adding one character at a time. However, in some cases, enumeration goes faster if you start from the end, from the middle or from several positions simultaneously. *_opt_* algorithms check the varieties described above for a specific password and select the best one. However, in this case, we need a password pattern that allows us to determine where to start generating from. When adjusted for different patterns, these algorithms are generally slower. Still, they can provide a significant advantage for specific passwords.

Also, for each password, we calculated a best value: the best crack time among all the algorithms used. This is a hypothetical ideal case. To implement it, you will need to “guess” an appropriate algorithm or simultaneously run each of the aforementioned algorithms on a GPU of its own.

Below are the results of gauging password strength by running the algorithms on an RTX 4090 GPU for MD5 with a salt.

Percentage of brute-forceable passwords by algorithm and crack time:

Crack time     | ngram_seq | 3gram_seq | unogram | ngram_opt_corr | 3gram_opt_corr | zxcvbn_corr | bruteforce_corr | Best
< 60 s         | 41% | 29% | 12% | 23% | 10% | 27% | 10% | 45%
60 s to 60 min | 14% | 16% | 12% | 15% | 12% | 15% | 10% | 14%
60 min to 24 h | 9%  | 11% | 12% | 11% | 12% | 9%  | 6%  | 8%
24 h to 30 d   | 7%  | 9%  | 11% | 10% | 11% | 9%  | 9%  | 6%
30 d to 365 d  | 4%  | 5%  | 7%  | 6%  | 8%  | 6%  | 10% | 4%
> 365 d        | 25% | 30% | 47% | 35% | 47% | 35% | 54% | 23%

The bottom line is, when using the most efficient algorithm, 45% of passwords in the sample under review can be guessed within one minute, 59% within one hour, and 73% within a month. Only 23% of passwords take more than one year to crack.

Importantly, guessing all the passwords in the database will take almost as much time as guessing one of them. During the attack, the hacker checks the database for the hash obtained in the current iteration. If the hash is in the database, the password is marked as cracked, and the algorithm moves on to working on the others.

The use of dictionary words reduces password strength

To find which password patterns are most resistant to hacking, we calculated the best value for an expanded set of criteria. For this purpose, we created a dictionary of frequently used combinations of four or more characters, and added these to the password pattern list.

  • dict: the password contains one or more dictionary words.
  • dict_only: the password contains only dictionary words.

Columns 3 to 8 give the share of passwords of this pattern that can be cracked with a dictionary attack (%) by crack time; columns 9 to 11 give the maximum password length in characters by crack time.

Pattern   | Share of passwords, % | < 60 s | 60 s to 60 min | 60 min to 24 h | 24 h to 30 d | 30 d to 365 d | > 365 d | 24 h to 30 d | 30 d to 365 d | > 365 d
dict_a0   | 17    | 63    | 15   | 8      | 5      | 3   | 7  | 10 | 11 | 12
aA0!      | 14    | 5     | 6    | 5      | 5      | 3   | 76 | 6  | 7  | 8
dict_aA0  | 14    | 51    | 17   | 10     | 7      | 4   | 11 | 9  | 10 | 11
dict_aA0! | 14    | 34    | 18   | 12     | 10     | 6   | 20 | 7  | 8  | 8
a0        | 10    | 59    | 22   | 6      | 6      | 1.8 | 6  | 10 | 11 | 12
aA0       | 10    | 19    | 13   | 13     | 6      | 7   | 42 | 9  | 10 | 11
0         | 6     | 92    | 5    | 1.5    | 1.3    | 0   | 0  | 15 | —  | —
dict_a0!  | 5     | 44    | 16   | 10     | 8      | 5   | 17 | 9  | 9  | 10
dict_a    | 4     | 69    | 12   | 6      | 4      | 2   | 6  | 11 | 12 | 13
a0!       | 2     | 31    | 19   | 13     | 9      | 5   | 23 | 9  | 9  | 10
a         | 1.2   | 76    | 7    | 6      | 3      | 3   | 6  | 11 | 12 | 13
dict_aA   | 1.2   | 56    | 15   | 8      | 6      | 3   | 11 | 9  | 10 | 10
dict_a!   | 0.8   | 38    | 16   | 10     | 8      | 5   | 23 | 8  | 9  | 10
aA        | 0.7   | 26    | 10   | 28     | 7      | 2   | 27 | 9  | 10 | 10
dict_aA!  | 0.5   | 31    | 17   | 11     | 10     | 6   | 26 | 8  | 9  | 9
0!        | 0.4   | 53    | 15   | 8      | 7      | 5   | 13 | 9  | 10 | 11
dict_only | 0.2   | 99.99 | 0.01 | 0.0002 | 0.0002 | 0   | 0  | 18 | —  | —
dict_0    | 0.2   | 89    | 6    | 2      | 2      | 0   | 0  | 15 | —  | —
aA!       | 0.2   | 11    | 8    | 10     | 16     | 3   | 52 | 8  | 9  | 9
a!        | 0.1   | 35    | 16   | 10     | 9      | 5   | 25 | 8  | 9  | 10
dict_0!   | 0.06  | 52    | 13   | 7      | 6      | 4   | 17 | 9  | 10 | 11
!         | 0.006 | 50    | 10   | 6      | 8      | 4   | 20 | 8  | 9  | 10

The majority (57%) of the passwords reviewed contained a dictionary word, which significantly reduced their strength. Half of these can be cracked in less than a minute, and 67% within one hour. Only 12% of dictionary passwords are strong enough and take more than a year to guess. Even when using all recommended character types (uppercase and lowercase letters, digits and special characters), only 20% of these passwords proved resistant to brute-forcing.

It is possible to distinguish several groups among the most popular dictionary sequences found in passwords.

  • Names: “ahmed”, “nguyen”, “kumar”, “kevin”, “daniel”;
  • Popular words: “forever”, “love”, “google”, “hacker”, “gamer”;
  • Standard passwords: “password”, “qwerty12345”, “admin”, “12345”, “team”.

Non-dictionary passwords comprised 43% of the sample. Some were weak, such as those consisting of same-case letters and digits (10%) or digits only (6%). However, adding all recommended character types (the aA0! pattern) makes 76% of these passwords strong enough.

Takeaways

Modern GPUs are capable of cracking user passwords at a tremendous speed. The simplest brute-force algorithm can crack any password up to eight characters long within less than a day. Smart hacking algorithms can quickly guess even long passwords. These use dictionaries, consider character substitution (“e” to “3”, “1” to “!” or “a” to “@”) and popular combinations (“qwerty”, “12345”, “asdfg”).

This study lets us draw the following conclusions about password strength:

  • Many user passwords are not strong enough: 59% can be guessed within one hour.
  • Using meaningful words, names and standard character combinations significantly reduces the time it takes to guess the password.
  • The least secure password is one that consists entirely of digits or words.

To protect your accounts from hacking:

  • Remember that the best password is a random, computer-generated one. Many password managers are capable of generating passwords.
  • Use mnemonic, rather than meaningful, phrases.
  • Check your password for resistance to hacking. You can do this with the help of Password Checker, Kaspersky Password Manager or the zxcvbn
  • Make sure your passwords are not contained in any leaked databases by going to haveibeenpwned. Use security solutions that alert users about password leaks.
  • Avoid using the same password for multiple websites. If your passwords are unique, cracking one of them would cause less damage.

The Annual SaaS Security Report: 2025 CISO Plans and Priorities

The Hacker News - 18 June 2024 - 13:23
Seventy percent of enterprises are prioritizing investment in SaaS security by establishing dedicated teams to secure SaaS applications, as part of a growing trend of maturity in this field of cybersecurity, according to a new survey released this month by the Cloud Security Alliance (CSA). Despite economic instability and major job cuts in 2023, organizations drastically increased investment in
Category: Hacking & Security

The rise of AI-powered killer robot drones

Computerworld.com [Hacking News] - 18 June 2024 - 12:00

Remember former Google CEO Eric Schmidt? He now makes flying AI robots that target and kill autonomously. (Really!)

His robots are in high demand for one simple reason: GPS jamming.

I’ll explain more about Schmidt’s robots below. But first, it’s time to catch up on the rising trend of GPS, cell phone and other signal jamming, which is triggering a global arms race between jamming and anti-jamming technologies.

The FCC crackdown of 2012

All jamming devices in the United States were banned 90 years ago — long before jamming devices even existed. The Communications Act of 1934 explicitly prohibited deliberate interference with radio communications.

Both cell phone and GPS jamming work by “flooding the zone” with white noise on the same frequencies used by phone and GPS receivers, basically a denial-of-service attack on the associated range of radio frequencies. But it was the rise in e-commerce that fueled an industry of online jammer sales. In 2012, a bus passenger in Philadelphia wanted some peace and quiet, so he used a cell phone jammer to jam all the phones on the bus. Later that year, the FCC took legal action against 20 online retailers in 12 states for illegally selling jamming devices. 

Despite the crackdown, the illegal use of jammers continued. In 2013, RNM Manufacturing in Houston, TX used a jammer to block employees from using their phones at work and was fined $29,250. Not to be outdone by Houston, a Dallas company called Ravi’s Import Warehouse also tried to jam employee calls in 2022 and was also fined by the FCC, this time for $22,000.

Jammers are still available on the black market, which has led to calls for global enforcement of jamming bans. Signal jamming of every kind is illegal in the United States, which is why it might seem surprising to Americans to learn that thousands of commercial aircraft in Europe are put at risk every day by GPS jammers. 

The European jamming crisis

The current dramatic rise in GPS jamming is almost certainly done by the Russian military to protect its bases and assets from Ukrainian drone attacks. More than 46,000 aircraft GPS jamming incidents have been reported over the Baltic Sea, Kaliningrad, the Black Sea, the Caspian Sea and the Eastern Mediterranean since August 2021. New incidents are reported every day. 

(The website GPSJAM tracks and displays GPS interference in Europe and the Middle East.)

Major airlines like Ryanair (more than 2,300 flights), Wizz Air (nearly 1,400 flights), British Airways (82 flights) and easyJet (4 flights) have been affected by jamming. The GPS jamming has forced some flight cancellations or diversions. Finnair had to temporarily suspend flights to Tartu, Estonia. And a British Royal Air Force plane carrying the UK defense secretary experienced GPS jamming near Kaliningrad in March 2023.

The Ukraine/Russia conflict is a proving ground and laboratory for all kinds of both military and malicious cyberattack technologies. 

Specifically, the conflict is the world’s first large-scale drone war. The Ukraine side alone reportedly loses more than 10,000 drones a month, and the country itself has produced more than 1 million drones since the start of the war; it’s also received an unknown number from abroad, including familiar consumer and business drones like the DJI Mavic 2 Zoom, DJI Mavic 2 Enterprise, Autel EVO II Pro, the Bayraktar TB2 and others. 

Both sides are using huge numbers of drones for surveillance, reconnaissance, espionage, explosives delivery, hacking, malware delivery, counter-hacking and signal jamming. And while the Ukraine side leads in the creative use of drones, the Russian side is more advanced in drone GPS and signal jamming innovations.

Nearly every effective drone and counter-drone action pioneered and tested in the Ukraine-Russia conflict will almost certainly be used against business and other targets in the years to come. Based on what’s happening in the war, cybersecurity professionals should be aware of the three main areas drones will be increasingly used by malicious actors: 

1. Bypassing physical security: Drones can fly over fences, down air ducts and land on roofs to observe security protocols and plan physical attacks using high-quality cameras.

2. Network sniffing and spoofing: Drones equipped with modifiable computers can mimic Wi-Fi networks to steal sensitive information.

3. Denial-of-Service attacks: Drones can perform de-authentication attacks and jam communications.

Another easy prediction is that businesses will be challenged by malicious drone use, given the illegality of jamming in the US.

The military industrial complex gets to work

As Western GPS-guided munitions are increasingly defeated by Russian jamming, the Pentagon is scrambling to innovate in countering the jamming threat. (This is somewhat ironic, given that the GPS system, the mobile cellular system and, in fact, the internet itself were all created by or founded upon Pentagon research programs.) 

One approach is to blow up the jammers. The US Air Force awarded a contract valued at around $23.5 million to Scientific Applications and Research Associates to enable guided bombs to home in on — and destroy — jamming equipment. 

The Air Force Research Lab is conducting research on using regular smartphones for real-time detection of jamming and spoofing. And while blowing up jamming devices is a short-term, immediate solution, the longer-term solution is to enable drones to work autonomously, without needing to phone home or be controlled remotely.

One fascinating project is the Pentagon’s Rapid Experimental Missionized Autonomy (REMA) program. The project is developing plug-ins or adaptors that can be fitted to ordinary commercial drones that would enable them to carry out their missions autonomously after being jammed. Contracts for the drone-autonomy adapter interface have been already awarded to companies like Anduril and RTX for the hardware and Leidos, Northrop Grumman and SoarTech for the software. 

Eric Schmidt’s flying killer robots

White Stork is a secretive startup founded by former Google CEO Eric Schmidt. The company is building small, low-cost ($400) drones that use AI to target and fly into those targets, thus blowing them up with attached bombs. The drones don’t rely on remote control or GPS navigation, but instead use cameras and AI for navigation and targeting. And because they’re low cost, they can be manufactured and deployed on a massive scale. 

Schmidt has been actively involved in supporting Ukraine’s war efforts, and travels to Ukraine frequently to meet with Ukrainian generals about using drones in combat. White Stork drones will soon enter the conflict, if they haven’t already. 

The future of jamming and counter-jamming

The future of warfare, as well as industrial espionage, terrorism and cyberattacks in general will involve drones in increasing numbers. History tells us that everything the Pentagon builds and buys for the good guys eventually ends up in the hands of the bad guys. That means we’ll likely need not only jamming, but also defensive technologies to counter weaponized drones that don’t rely on radio signals, but instead use AI for autonomous targeting and attacking. Drones are cheap. AI is free. The autonomous drones are coming. We need defenses that are legal to use.

The Olympics this summer will be our first test run. The terrorist group ISIS has circulated detailed manuals on adapting commercially available drones to carry explosives. The idea is to get the how-to information into the hands of “lone wolf” terrorists operating autonomously. The group has also explicitly called on its followers in Europe to launch drone attacks on Paris landmarks like the Eiffel Tower during this year’s summer Olympics. 

France has established an anti-drone coordination center at a military base near Paris in light of the threat. And it’s planning to use antiquated technologies like special guns called SkyWall Patrol that shoot nets designed to capture drones mid-flight, and even laser beam devices. That might be sufficient for the low-tech drones they face today, but the AI drones of tomorrow will require more advanced defenses. 

While American businesses, enterprises, and law enforcement remain mostly oblivious to the coming threat from drone-based attacks, Europe is proving to be a laboratory for what’s possible there now, and what’s coming to the United States in the future.

Category: Hacking & Security

New Malware Targets Exposed Docker APIs for Cryptocurrency Mining

The Hacker News - 18 June 2024 - 11:41
Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads. Included among the tools deployed is a remote access tool that's capable of downloading and executing more malicious programs as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog
Category: Hacking & Security

VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi

The Hacker News - 18 June 2024 - 10:24
VMware has released updates to address critical flaws impacting Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited to achieve privilege escalation and remote code execution. The list of vulnerabilities is as follows - CVE-2024-37079 & CVE-2024-37080 (CVSS scores: 9.8) - Multiple heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol that could
Category: Hacking & Security

Singapore Police Extradites Malaysians Linked to Android Malware Fraud

The Hacker News - 18 June 2024 - 09:38
The Singapore Police Force (SPF) has announced the extradition of two men from Malaysia for their alleged involvement in a mobile malware campaign targeting citizens in the country since June 2023. The unnamed individuals, aged 26 and 47, engaged in scams that tricked unsuspecting users into downloading malicious apps onto their Android devices via phishing campaigns with the aim of stealing
Category: Hacking & Security

Rethinking WiFi and Router Security: A Deep Dive into the Recent ASUS Flaw and Secure Alternatives

LinuxSecurity.com - 18 Červen, 2024 - 02:42
At a time of rapid technological progress, the security of our digital tools - particularly WiFi routers - has become critical. Recent news from ASUS sent shockwaves through the cybersecurity community when multiple models of their routers were found with critical flaws that exposed an ongoing challenge of protecting networks against intrusions.Unpacking the Critical Flaw in ASUS RoutersAccording to an extensive report by RedPacket Security, ASUS recently resolved an authentication bypass vulnerability known as CVE-2024-3080, which scored 9.8 on the Common Vulnerability Scoring System scale, indicating its severity. This security hole allowed unauthenticated, remote attackers to access devices for unauthorized gains without authentication, granting them any legitimate privileges whatsoever.Another high-severity buffer overflow flaw, CVE-2024-3079, compounded this security hole by enabling remote attackers with administrative privileges to execute arbitrary commands remotely on devices with administrative rights. These vulnerabilities could constitute an exploit chain compromising all security protection on affected routers.ASUS routers such as the ZenWiFi XT8, RT-AX88U, RT-AX58U, and others were affected. ASUS quickly responded with software updates to address these vulnerabilities.This incident raises a fundamental issue regarding routers' reliance on proprietary software. While manufacturers frequently push out security patches, proprietary programs' closed nature means vulnerabilities remain unseen until a breach occurs, leaving users vulnerable.Embracing Open Source: A Route to Enhanced SecurityOpen-source firmware and operating systems offer an alternative to proprietary router software. Their publicly collaborative development processes make security flaws less likely to go undetected.OpenWRT OpenWrt is one of the most widely used open-source router operating systems available. 
It provides highly configurable control over performance and security settings, surpassing what most stock router firmware allows. OpenWrt also features an innovative package management system that enables users to add or remove features as desired, making the operating system leaner and more cost-effective than others.Here are five of the best features of OpenWrt:Extensive Hardware Support: OpenWrt supports a wide range of devices, from home routers to professional-grade equipment, making it adaptable to various networking situations.Fully Writeable Filesystem: With its roots in Linux, OpenWrt provides a fully writeable filesystem. Users can modify, add, or delete any file, similar to a traditional Linux distribution, offering unparalleled flexibility.Customizable Packages: OpenWrt allows users to install and remove packages to customize the router for specific needs without bloating the system with unnecessary features.Advanced Network Capabilities: OpenWrt contains many out-of-the-box network features, including IPv6 support, VLANs, traffic shaping, VPN, and firewall configurations, allowing for detailed network management.\Active Community and Development: The vibrant OpenWrt community and ongoing development mean the firmware is constantly updated. New features are regularly added, and security vulnerabilities are promptly addressed, enhancing your network's functionality and security.These features underscore OpenWrt's flexibility and capabilities, making it a powerful choice for users looking to maximize their router's potential. DD-WRTLike OpenWrt, DD-WRT is another Linux-based firmware that enhances routers by improving network stability, range expansion, and security features such as VPN integration and VLAN support. Furthermore, its community is quite active, providing resources and forums for help and advice regarding its usage. 
The five best features of DD-WRT include:

Advanced Quality of Service (QoS): Enables fine-grained control over bandwidth allocation to prioritize traffic or devices for improved network performance.
VPN Integration: Runs a Virtual Private Network client directly on the router, securing all connected devices without configuring each one individually.
Wireless Bridge and Repeater Modes: Allows routers to function as wireless repeaters or bridges, extending the wireless network's coverage or connecting wired devices to a wireless network.
VLAN Support: Supports Virtual LANs for better network segmentation, enhancing security and management; especially useful for guest or separate IoT networks.
DNS Caching: Stores DNS query results locally to speed up webpage loading, resulting in a faster internet experience for all network users.

Tomato

Tomato firmware is known for its user-friendly interface and emphasis on real-time network monitoring. It supports many of the same models as DD-WRT while offering stronger security features than the stock firmware it replaces.

Here are five of the best features of Tomato firmware for routers:

Bandwidth Monitoring: Lets users monitor network traffic and bandwidth usage, making it easier to manage network resources effectively.
Advanced Quality of Service (QoS): Provides detailed settings to prioritize network traffic, which helps optimize performance for critical applications.
Access Control: Offers robust options to manage and control access to the network, enhancing security by restricting unauthorized usage.
Built-in OpenVPN Server/Client: Integrates support for OpenVPN, enabling secure VPN connectivity for enhanced privacy and secure remote access.
IP/MAC Bandwidth Limiter: Sets bandwidth limits for specific IP addresses or MAC addresses, useful for managing bandwidth consumption per device.

These features enhance network management, security, and performance, making Tomato firmware a valuable choice for users with compatible Broadcom-based routers.

pfSense

While not specifically for routers, pfSense can transform an old computer into a powerful firewall and router. Based on FreeBSD and widely regarded as one of the safest and most flexible network administration solutions available today, pfSense handles everything from routing and firewalling to VPN provisioning with ease.

Here are the five best features of pfSense:

Comprehensive Firewall Security: pfSense provides an advanced firewall with stateful packet inspection, anti-spoofing, and more, for robust network protection.
Versatile VPN Support: It supports multiple VPN protocols, including IPsec, OpenVPN, and WireGuard, enabling secure and flexible remote access configurations.
High Availability and Redundancy: It offers features like CARP (Common Address Redundancy Protocol) and pfsync to ensure network uptime and reliability through failover and redundancy setups.
Traffic Shaping and QoS: Allows detailed control over network traffic, enabling the prioritization of critical services to maintain optimal performance and reduce congestion.
Extensibility with Packages: pfSense can be extended with a wide range of packages for additional features, such as Snort for intrusion detection and Squid for web caching, tailoring the system to specific needs.

AsusWRT-Merlin: Custom Firmware Powering ASUS Routers

AsusWRT-Merlin is a third-party firmware developed for select ASUS routers by Eric Sauvageau to improve upon the original AsusWRT firmware without drastically altering its user experience or user interface. It retains all original features while adding improvements, bug fixes, and occasional new ones. Eric Sauvageau leads the development of AsusWRT-Merlin with support from The Merlin Group, users, and developers who contribute to its ongoing maintenance and enhancement.
Their efforts focus on stability, improved performance, and better customization possibilities across the ASUS router models supported by this open-source firmware project.

Using AsusWRT-Merlin can bring many advantages for users who appreciate the open-source philosophy and its associated benefits:

Improved Security: Regular updates from the Merlin Group may include security patches that make your router less susceptible to vulnerabilities discovered over time.
Enhanced Features: AsusWRT-Merlin includes additional features not found in its predecessor AsusWRT, such as DNS over HTTPS (DoH) support, enhanced Quality of Service (QoS) capabilities, and real-time bandwidth monitoring.
Customizability Freedom: Users looking to tailor their network to specific needs will appreciate the various settings and tweaks available.
Active Community Support: A vibrant community works tirelessly on improvements and shares knowledge for troubleshooting and advanced configurations.

AsusWRT-Merlin also keeps users familiar with AsusWRT at ease, since its GUI and overall design philosophy are the same as before, easing the learning curve.

Open Source Firmware Limitations
Open-source firmware such as this also comes with some restrictions users should be aware of:

Warranty Concerns: Installing third-party firmware could void your device's manufacturer warranty; users should check their warranty terms before proceeding.
Limited Support: While community support exists for third-party firmware such as AsusWRT-Merlin, users will not receive official assistance from ASUS for issues caused by such third-party solutions.
Compatibility and Stability: Not all routers support third-party firmware, and while open-source firmware tends to be stable, poorly executed updates or incompatible configurations could create stability issues.
Learning Curve: For less tech-savvy users, understanding all the additional features and configuration options may take more effort than familiarising themselves with stock firmware's user-friendly setup.
No Guarantee of Features: Merlin may not support all the proprietary features found in AsusWRT, and features that are present may sometimes be removed if they pose significant bugs or security risks.

Although open-source firmware such as AsusWRT-Merlin has disadvantages, many advanced users find the advantages far outweigh them, particularly its enhanced control and security features. Users looking to maximize the potential of their router will find that it provides a robust upgrade from the original AsusWRT, offering both the familiarity of stock firmware and access to the more sophisticated capabilities of fully open-source solutions.

Making the Switch to Open-Source Firmware for Enhanced Network Security

Transitioning to open-source firmware like AsusWRT-Merlin can be an important strategic move for users who prioritize network security. However, the change must be carefully prepared to ensure a successful transition. Before making it, you must verify that the open-source firmware you've selected is compatible with your router model.
Not all routers support all firmware installations; installing an incompatible image could result in severe functional issues or even brick your device. Once compatibility has been confirmed, back up the existing router settings as a precaution: this prevents data loss and helps ensure a smooth transition.

Because installation processes differ between router models, refer to a guide tailored to your specific model for post-installation instructions and the potential obstacles of the upgrade process. Such guides usually offer step-by-step guidance and help address common obstacles encountered along the way.

The Bigger Picture

The ASUS incident highlights the need for more proactive security measures in network hardware. By turning to open-source solutions, users can take advantage of a collective approach to security, where vulnerabilities can be quickly identified and patched by an international community of developers.

Transitioning to open-source software might initially appear daunting; however, spending the time and energy to learn these powerful tools can significantly boost both the security and efficiency of home or office networks.

Open-source network management represents more than a software change; it reflects a wider trend toward transparency and community in cybersecurity, an essential aspect of today's increasingly interconnected society.
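The compatibility check that the Making the Switch section calls for, as an added shell example that is not code from the article or from any firmware project: before flashing, it verifies a downloaded image's SHA-256 against a published sums file (if the project provides one) and confirms the image file name carries the expected model/target string. The file names, target string, image contents and directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the article or any firmware project):
# two checks to run before flashing a third-party image. All file names,
# model/target strings and image contents below are constructed samples.

# Return 0 when the image's SHA-256 matches the entry for that file name
# in a published sums file (sha256sum format: "<hash>  <filename>").
verify_image_checksum() {
  image="$1"; sums="$2"; name=$(basename "$image")
  expected=$(grep " $name\$" "$sums" | awk '{print $1}')
  [ -n "$expected" ] || { echo "no checksum entry for $name"; return 1; }
  actual=$(sha256sum "$image" | awk '{print $1}')
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name"; return 1; }
}

# Return 0 when the image file name carries the expected model/target string,
# a cheap guard against flashing an image built for a different device.
verify_image_target() {
  image="$1"; target="$2"
  case "$(basename "$image")" in
    *"$target"*) return 0 ;;
    *) echo "image name does not contain target '$target'"; return 1 ;;
  esac
}

# Combined pre-flash gate: both checks must pass.
preflash_check() {
  verify_image_checksum "$1" "$2" && verify_image_target "$1" "$3"
}

# Constructed sample data: a good image with a matching sums file, a
# corrupted copy with the same name, and an image named for another model.
demo_dir=$(mktemp -d)
good_image="$demo_dir/openwrt-example-model-sysupgrade.bin"
sums_file="$demo_dir/sha256sums"
echo "constructed firmware bytes" > "$good_image"
( cd "$demo_dir" && sha256sum "$(basename "$good_image")" > sha256sums )
mkdir "$demo_dir/corrupt"
corrupt_image="$demo_dir/corrupt/openwrt-example-model-sysupgrade.bin"
echo "constructed corrupted bytes" > "$corrupt_image"
other_image="$demo_dir/openwrt-other-model-sysupgrade.bin"
cp "$good_image" "$other_image"

if preflash_check "$good_image" "$sums_file" "example-model"; then
  echo "OK: image verified, safe to proceed with the flash"
fi
```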
Category: Hacking & Security