Microsoft: Bug in Janet Jackson’s “Rhythm Nation” could crash a laptop - The Record by Recorded Future

https://therecord.media/microsoft-bug-in-janet-jacksons-rhythm-nation-could-crash-a-laptop/

The vulnerability comes from a phenomenon discovered by Microsoft where playing “Rhythm Nation” would cause any laptop with a certain hard drive to crash.

In its CVE page, the MITRE organization said the 5400 RPM OEM hard drives were shipped primarily with many laptop PCs around 2005. If played near these laptops, the song causes “a denial of service (device malfunction and system crash) via a resonant-frequency attack.”

North Korea-backed hackers have a clever way to read your Gmail - Ars Technica

https://arstechnica.com/information-technology/2022/08/north-korea-backed-hackers-have-a-clever-way-to-read-your-gmail/

The malware, dubbed SHARPEXT by researchers from security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. The extension can’t be detected by the email services, and since the browser has already been authenticated using any multifactor authentication protections in place, this increasingly popular security measure plays no role in reining in the account compromise. The extension isn’t available in Google’s Chrome Web Store, Microsoft’s add-ons page, or any other known third-party source and doesn’t rely on flaws in Gmail or AOL Mail to get installed.

Volexity President Steven Adair said in an email that the extension gets installed “by way of spear phishing and social engineering where the victim is fooled into opening a malicious document.

Scammers Created an AI Hologram of Me to Scam Unsuspecting Projects - Binance Blog

https://www.binance.com/en/blog/community/scammers-created-an-ai-hologram-of-me-to-scam-unsuspecting-projects-6406050849026267209

Over the past month, I’ve received several online messages thanking me for taking the time to meet with project teams regarding potential opportunities to list their assets on Binance.com. This was odd because I don’t have any oversight of or insight into Binance listings, nor had I met with any of these people before.

It turns out that a sophisticated hacking team used previous news interviews and TV appearances over the years to create a “deep fake” of me. Other than the 15 pounds that I gained during COVID being noticeably absent, this deep fake was refined enough to fool several highly intelligent crypto community members. 

The Hacking of Starlink Terminals Has Begun - WIRED

https://www.wired.com/story/starlink-internet-dish-hack/

It cost a researcher only $25 worth of parts to create a tool that allows custom code to run on the satellite dishes.

Report: Mercenary spyware exploited Google Chrome zero-day to target journalists - The Record by Recorded Future

https://therecord.media/report-mercenary-spyware-exploited-google-chrome-zero-day-to-target-journalists/

A zero-day vulnerability in Google Chrome was discovered when attackers exploited it to target users in the Middle East, including journalists, cybersecurity firm Avast said Thursday. 

The company attributed the attacks to a secretive Israeli firm known as Candiru — named after a notorious parasitic fish — that sells spyware to governments. 

Hackers Say They Can Unlock and Start Honda Cars Remotely

https://www.vice.com/en/article/z34xnw/hackers-say-they-can-unlock-and-start-honda-cars-remotely

The Honda models that Kevin2600 and his colleagues tested the attack on use a so-called rolling code mechanism, which means that—in theory—every time the car owner uses the keyfob, it sends a different code to open it. This should make it impossible to capture the code and use it again. But the researchers found that there is a flaw that allows them to roll back the codes and reuse old codes to open the car, Kevin2600 said.

How mercenary hackers sway litigation battles

https://www.reuters.com/investigates/special-report/usa-hackers-litigation/

A trove of thousands of email records uncovered by Reuters reveals Indian cyber mercenaries hacking parties involved in lawsuits around the world – showing how hired spies have become the secret weapon of litigants seeking an edge.

Reuters identified 35 legal cases since 2013 in which Indian hackers attempted to obtain documents from one side or another of a courtroom battle by sending them password-stealing emails.

The messages were often camouflaged as innocuous communications from clients, colleagues, friends or family. They were aimed at giving the hackers access to targets’ inboxes and, ultimately, private or attorney-client privileged information.

Why Passkeys Will Be Simpler and More Secure Than Passwords - TidBITS

https://tidbits.com/2022/06/27/why-passkeys-will-be-simpler-and-more-secure-than-passwords/

Apple has unveiled its version of passkeys, an industry-standard replacement for passwords that offers more security and protection against hijacking while simultaneously being far simpler in nearly every respect.

Tesla cars, Bluetooth locks, vulnerable to hackers, researchers say - Reuters

https://www.reuters.com/technology/tesla-cars-bluetooth-locks-vulnerable-hackers-researchers-2022-05-17/

Millions of digital locks worldwide, including on Tesla cars, can be remotely unlocked by hackers exploiting a vulnerability in Bluetooth technology, a cybersecurity firm said on Tuesday.

In a video shared with Reuters, NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device attached to a laptop which bridged a large gap between the Tesla and the Tesla owner’s phone.

“This proves that any product relying on a trusted BLE connection is vulnerable to attacks even from the other side of the world,” the UK-based firm said in a statement, referring to the Bluetooth Low Energy (BLE) protocol – technology used in millions of cars and smart locks which automatically open when in close proximity to an authorised device.

NCC Group said such a vulnerability was not like a traditional bug which could be fixed with a software patch and added BLE-based authentication was not originally designed for use in locking mechanisms.

Warning of tailored fraud after data leak – NRK

https://www.nrk.no/norge/advarer-mot-skreddersydd-svindel-etter-datalekkasje-1.15963551

The personal information that has gone astray after the major data breach at Norkart could open the door to more sophisticated forms of fraud, an expert believes.

[…]

Over the coming months, he recommends being extra cautious about unusual letters, emails and phone calls.

“Use good judgment, and be skeptical, every single time you receive an inquiry where you cannot easily identify who is behind it,” Jøsang points out.