🎓️ Vulnerable U | #065

Microsoft Recall feature is a privacy nightmare, Google's take on Phishing simulations, Scam Call Centers being scammed, Teslas can be stolen with cheap radio hack, Backdoored Courtroom AV App, Spyware on lots of US hotel check-in computers


Howdy friends!

Back on the West Coast for me this week, writing this from SF again. It felt like I showed back up at Moscone Center, and all my friends were just gone. I was going to try and sneak down to San Diego and LA since I’m a big Yankees fan, and they’re in SoCal this week, but no such luck due to some personal family commitments.

Summer is about to punch us in the face back in Texas, so we’re already getting all of our water plans in place because you can’t survive outside for the next few months without being underwater. Catch me at the pool or on a boat or not at all.

🤘 

ICYMI

🖊️ Something I wrote: My thread on the CISA official speaking out about telecom weaknesses being abused to track U.S. citizens

🎧️ Something I heard: You all love when I share songs I’m listening to - This one spoke to me on shuffle this week as almost all of my grandparents are from Brooklyn.

🎤 Something I said: My breakdown of the Telegram vs. Signal debate raging recently

🔖 Something I read: This thread on Reddit discussing whether it is outdated advice that public Wi-Fi is super scary and dangerous.


Vulnerable News

Alright, this one caused some controversy this week. I’m sensing a theme at this phase in the AI race where we’ll constantly be having the debate between “cool new tool that boosts productivity” and “AI privacy and security nightmare.”

Microsoft's fresh Copilot+ PCs feature, called Recall, is a carbon copy of an AI tool called rewind.ai (rebranded as limitless.ai). Basically, it keeps a constant log of your screen—every move you make, every word you type is recorded and made searchable. Handy for retracing steps, sure, but it also means if a hacker gets in, they've hit the jackpot. While the data stays on your device, and there are some built-in privacy guards, if malware gets through, it could swipe months of your digital life. Cool tech, but potentially a huge security headache. (read more)

I’ve been a longtime critic of phishing tests. Security has a street cred problem already at most orgs as the “department of no,” and making a staple of your relationship with your users trying to trick them with a lie isn’t winning any favors. There are better and worse ways to do this with opt-in, gamification, and not using hot buttons like messing with people’s emotions around their money, but overall this practice is just lying to your users.

Google's pushing a big rethink on how we handle phishing tests, sort of like how fire drills evolved from risky surprises to structured safety practices. Instead of springing fake phishing emails on folks to see if they bite, Google suggests a more upfront approach—kind of like a practice run. They want to train folks to spot and report dodgy emails effectively, without the gotcha moment. It's all about making the whole process less about catching people out and more about building real skills. They're big on using this to not only boost security smarts but also to cut down on the false alarms that bog down security teams. (read more)

What do you think?

I'm not sure there is a universal right answer here. Obviously you can tell my opinion, but I've seen others be staunch defenders of this.


A hacker infiltrated a scam call center, swiped their code, and shot a heads-up email to the folks who got duped, warning them they’d been scammed. This scoop comes from 404 Media, which reports that this call center, known as Waredot, was peddling bogus antivirus software at sky-high prices, mainly targeting those not too savvy with tech.

The scam was so blatant that a YouTuber even got footage of the scam in action from Waredot’s own CCTV. Despite an apparent raid on their office, the scammers were still at it, which got the hacker to expose their shady software and disrupt their operations further. Waredot hasn't responded to any of this buzz yet. (read more)

The whole “Flipper Zero will steal your car” stuff is generally overblown due to protections from those kinds of attacks on all modern cars. Welp, some researchers proved that might not be the case on Teslas.

This hack allows thieves to unlock and even start a Tesla, circumventing the car's security measures unless the owner activates the additional PIN-to-drive feature. The vulnerability exists because while Teslas use ultra-wideband tech, it’s not yet employed for securing against theft, highlighting a gap in expected vs. actual security efficacy. (read more)

Providers are urging the HHS to clarify if UnitedHealth can handle the breach notifications after Change Healthcare suffered a major cyberattack. They’re stressing this to prevent patients from getting multiple notifications about the same breach, which could confuse everyone involved. It's a big deal because Change, now under UnitedHealth, deals with a huge volume of claims and touches about a third of U.S. medical records.

Providers are stuck waiting for guidance on how to handle notifications without stepping on toes or duplicating efforts. They're really hoping for a clear directive from the authorities to streamline the process and ensure consistent communication to those affected. (read more)

Bitdefender Labs recently uncovered a stealthy cyber threat group dubbed "Unfading Sea Haze," targeting strategic entities in the South China Sea region. The focus is on military and governmental targets, suggesting motives aligned with Chinese interests. This group isn't new to the game; their digital footprint goes back to 2018, using complex tools and tactics like advanced versions of Gh0st RAT and various .NET payloads for deep surveillance and data extraction. Their method involves spear-phishing to gain initial access, followed by exploiting weak credential hygiene and patch management to maintain presence and control over compromised systems. Their toolkit has evolved over the years, incorporating more modular and stealthy components to avoid detection. (read more)

The UK is rolling out a plan to make it mandatory for companies to report ransomware attacks. Plus, they're thinking about setting up a licensing system for ransom payments, especially to clamp down on paying off attackers in critical sectors. This move aims to cut down the incentives for hitting these crucial services and shed some light on how widespread these ransomware troubles are.

There's a public consultation coming to flesh out these ideas. If it all goes through, we might not see these changes set in law until after the next general election. (read more)

Great writeup on a trojan that hit software that is used to record courtroom proceedings. Talk about a sensitive attack surface.

Justice AV Solutions (JAVS), known for its courtroom AV tech, got hit with a backdoor hack in their Viewer software, version 8.3.7. This sketchy version packed a secret file, fffmpeg.exe, that let hackers remotely control the system. Caught by Rapid7, this backdoor turned out to be part of the nasty GateDoor/Rustdoor malware family, which is no stranger to wreaking havoc. If you've got this version, you gotta wipe your system clean and reset all your passwords before jumping to the latest software version. (read more)

When political hot-button firms get compromised, you have to wonder about the motive of the threat actor. Was this one to disrupt this, admittedly tiny, cell carrier? Or were they trying to get info on a particular voter group to use for other purposes?

Patriot Mobile, a conservative U.S. cell carrier, recently suffered a data breach exposing customer details like names, emails, ZIP codes, and account PINs. This MVNO uses AT&T and T-Mobile's networks and is known for supporting conservative and Christian causes. TechCrunch confirmed the breach through a data sample provided by the hacker, finding overlaps with exposed data on Patriot Mobile’s own website. (read more)

GitHub just fixed a major vulnerability in their Enterprise Server, CVE-2024-4985, a full 10.0 on the CVSS scale. This bug, specifically in setups using SAML SSO with encrypted assertions, allowed bad actors to fake a SAML response to gain admin access without needing a password. Basically, anyone could waltz in and take control. The patches rolled out across several versions, so if you're on this setup, updating should be your next move. (read more)

Here’s a fun one. Some hotel check-in systems, specifically at some Wyndham hotels, got hit by a nasty piece of spyware. This app, pcTattletale, was sneakily snapping screenshots of guest details and leaking them online due to a flaw. The spyware's leak lets anyone grab these screenshots directly from its servers. The real kicker? No one knows who installed the spyware or why. TechCrunch reached out but got radio silence from the hotels and the spyware company. (read more)

VBScript is dead. Long live VBScript.

That’s right, Microsoft's finally phasing out VBScript. It'll be a gradual goodbye, starting with turning it into an optional add-on in the second half of 2024. They're moving towards more robust languages like JavaScript and PowerShell, which are just better suited for today's web and automation needs. This change means tighter security and less clutter from outdated tech. If you're still hanging onto VBScript for old times' sake, you'll have to manually add it back in future updates. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay