6 weeks?, Yeah!. Let the streak continue!
Introduction
Hello, and welcome to this week's security review. I am your host Habdul Hazeez.
In this week's review, we'll look at some really scary news, like seriously scary, from printers going AWOL to Artificial Intelligence systems being fooled into identifying someone else as Elon Musk and ATM being hacked by .... wait for it....waving a phone š¤¤.
I told you it was scary šØ.
Let's begin.
NFC flaws let researchers hack an ATM by waving a phone
NFC is short for Near Field Communications, and like all tech developed by man, it can be manipulated and abused.
In this scenario, security researchers used it to hack an Automated Teller Machine popularly known as an ATM.
Excerpt:
One researcher has found a collection of bugs that allow him to hack ATMsāalong with a wide variety of point-of-sale terminalsāin a new way: with a wave of his phone over a contactless credit card reader.
The researcher built an Android app that made the following possible:
With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message.Ā
A well-meaning feature leaves millions of Dell PCs vulnerable
Not so innocent š.
The excerpt says it all:
Now a well-intentioned mechanism to easily update the firmware of Dell computers is itself vulnerable as the result of four rudimentary bugs. AndĀ these vulnerabilitiesĀ could be exploited to gain full access to target devices.
"These vulnerabilities are on easy mode to exploit. It's essentially like traveling back in timeāit's almost like the '90s again," says Jesse Michael, principal analyst at Eclypsium."
The industry has achieved all this maturity of security features in the application and operating system-level code, but they're not following best practices in new firmware security features."
Microsoft Edge Bug Could've Let Hackers Steal Your Secrets for Any Site
Bugs, bugs, Oh No! Bugs!
Excerpt from the article:
Tracked as CVE-2021-34506 (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) issue that's triggered when automatically translating web pages using the browser's built-in feature via Microsoft Translator.
Microsoft digitally signs malicious rootkit driver
You just read that correctly.
Excerpt from the article:
Microsoft gave its digital imprimatur to a rootkit that decrypted encrypted communications and sent them to attacker-controlled servers, the company and outside researchers said.
The blunder allowed the malware to be installed on Windows machines without users receiving a security warning or needing to take additional steps.
Global police shut down VPN service favored by cybercriminals
The VPN in question is DoubleVPN.
Excerpt from the article:
Servers were seized across the world where DoubleVPN had hosted content, and the web domains were replaced with a law enforcement splash page. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT)
Microsoft Warns of Critical "PrintNightmare" Flaw Being Exploited in the Wild
Printers? š
Excerpt from the article:
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.
An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.
Becoming Elon Musk ā the Danger of Artificial Intelligence
Here we have it, I saved the scariest of stories for the last.
Quick summary: It's an attack developed by Adversa.ai that fooled PimEyes, a database of over 900 million images into believing that Alex Polyakov (CEO and Cofounder of Adversa.ai) is Elon Musk.
The reality is, it could have been anyone else.
Now, think about this scenario: A global hunt for an alleged criminal who happens to use this attack method to divert the authorities to another person in another country.
Yeah, let that sink in for a while.
Where is the excerpt? An excerpt won't do justice to what is contained in the article. I'll implore you to read the whole article, but, if you don't have that time, the quick summary above is enough to send shivers down your spine.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, I'll see you next Friday.