Info-Direkt

TechRadar - All the latest technology news

This nasty Amazon Ring vulnerability could have exposed all your recordings

The Android app of Ring, the Amazon-owned firm that offers doorbells and indoor and outdoor surveillance cameras, had a vulnerability that could have allowed threat actors to steal identity data including geolocation and camera recordings. 

Cybersecurity researchers from Checkmarx found the vulnerability in the com.ringapp/com.ring.nh.deeplink.DeepLinkActivity activity, noting that this was "implicitly exported in the Android Manifest and, as such, was accessible to other applications on the same device.

"These other applications could be malicious applications that users could be convinced to install. This activity would accept, load, and execute web content from any server, as long as the Intent’s destination URI contained the string “/better-neighborhoods/”."

Stealing sensitive data

In other words, a malicious app installed on an Android device could access sensitive data generated by the Ring app, not only geolocation and camera recordings, but also full names, emails, phone numbers, and postal addresses. 
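The substring test described above, next to a parsed allowlist check, as an added example (not Ring's or Checkmarx's code). It uses java.net.URI so it runs off-device; the host app.example.com, the class and method names, and the sample URIs are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class DeepLinkCheck {
    // Assumption: the only host this app may load in its WebView (placeholder).
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");
    private static final String REQUIRED_PREFIX = "/better-neighborhoods/";

    // The check as the article describes it: the marker may appear anywhere
    // in the URI, so the host is never constrained.
    static boolean weakCheck(String uri) {
        return uri != null && uri.contains(REQUIRED_PREFIX);
    }

    // Hardened check: parse first, then validate each component separately.
    static boolean strictCheck(String uri) {
        if (uri == null) return false;
        final URI parsed;
        try {
            parsed = new URI(uri).normalize();   // collapses "." and ".." segments
        } catch (URISyntaxException e) {
            return false;                        // unparseable input is rejected
        }
        if (!"https".equalsIgnoreCase(parsed.getScheme())) return false;
        if (parsed.getRawUserInfo() != null) return false;   // no user@host forms
        if (parsed.getPort() != -1) return false;             // default port only
        String host = parsed.getHost();
        if (host == null
                || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return false;
        }
        String path = parsed.getPath();          // percent-decoded path
        if (path == null || path.contains("/../") || path.endsWith("/..")) {
            return false;                        // encoded traversal left after decoding
        }
        return path.startsWith(REQUIRED_PREFIX);
    }

    public static void main(String[] args) {
        // Constructed sample URIs, not taken from the research.
        String[] samples = {
            "https://app.example.com/better-neighborhoods/feed",
            "https://untrusted.example/better-neighborhoods/",
            "https://untrusted.example/?next=/better-neighborhoods/",
            "https://app.example.com@untrusted.example/better-neighborhoods/",
            "http://app.example.com/better-neighborhoods/feed",
            "https://app.example.com/better-neighborhoods/../account",
        };
        for (String s : samples) {
            System.out.printf("weak=%-5b strict=%-5b %s%n",
                    weakCheck(s), strictCheck(s), s);
        }
    }
}
```

Only the first sample passes both checks; the rest pass the substring test and are rejected by the parsed one. Independently of URI validation, an activity that other apps have no reason to start can be declared with `android:exported="false"` in the manifest.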

The Android Ring app has more than 10 million downloads so far.

Checkmarx even took it a step further, using Rekognition (machine learning image and video analysis tool) to automate the analysis of the stolen video content and extract additional useful information, such as faces, text, public figures, information from computer screens, intel on people’s movements, etc.

Checkmarx notified Amazon of the vulnerability on May 1, this year, and less than a month later, on May 27, the company pushed a fix. Therefore, from version .51 (3.51.0 for Android and 5.51.0 for iOS), the vulnerability has been mitigated. 

Amazon has seen it as a high-severity issue and moved fast to issue a patch.

“We issued a fix for supported Android customers on May 27, 2022, soon after the researchers’ submission was processed. Based on our review, no customer information was exposed. This issue would be extremely difficult for anyone to exploit, because it requires an unlikely and complex set of circumstances to execute,” the company concluded.


There's a major new security update for iOS and macOS, so update now

Apple has released macOS Monterey 12.5.1, iOS 15.6.1, and iPadOS 15.6.1 which addresses two zero-day vulnerabilities being actively exploited in the wild. 

One of the flaws, affecting all three forms of the software, is an out-of-bounds write vulnerability in the OS Kernel which can be abused to grant malicious applications highest privileges - in other words, an attacker could use it to fully take over a vulnerable endpoint.

The second vulnerability, tracked as CVE-2022-32893, is an out-of-bounds write flaw in WebKit, Safari’s engine used by other apps with web access. This can also be used to take over a vulnerable device, as it allows threat actors to perform arbitrary code execution.

Keep your devices safe

The company said it had been tipped off to the flaws by an anonymous user, adding that it had improved bounds checking for both bugs.

If your organization runs either Macs with macOS Monterey, iPhone 6s or later devices, all iPad Pros, iPad Air 2 and newer devices, iPads 5th gen and beyond, iPad mini 4 and newer, or iPod touch 7th generation devices, you should patch immediately, especially because the flaws are being actively exploited.

Apple’s been quite busy fixing zero-day vulnerabilities in recent months. In January 2022, it fixed two such flaws, namely CVE-2022-22578 and CVE-2022-22594, which allowed arbitrary code execution with kernel privileges. A month later, it fixed another zero-day, affecting iPhones, iPads, and Macs, and allowing threat actors to crash the OS and perform remote code execution.

In March, it patched CVE-2022-22674 and CVE-2022-22675, both zero-days abused to execute code with kernel privileges.

Via: BleepingComputer


Turns out Janet Jackson is the cybersecurity risk we never saw coming

If your computer crashes every time it hears Janet Jackson’s 1989 song Rhythm Nation, it’s not because it shares the same musical tastes as you. Instead, it is happening because you’re running an old, 5400 RPM hard drive that simply can’t handle a specific frequency present in the video's audio.

Not only would playing the video crash such a device - it would also crash a nearby device that isn’t even playing the video. All it takes is for the frequency to physically reach the affected endpoint to have it crash.

It sounds too odd to be true, but according to a blog from Microsoft’s Raymond Chen, “a colleague of mine shared a story from Windows XP product support. A major computer manufacturer discovered that playing the music video for Janet Jackson’s ‘Rhythm Nation’ would crash certain models of laptops.”

Unique frequencies

“It turns out that the song contained one of the natural resonant frequencies for the model of 5400 rpm laptop hard drives that they and other manufacturers used," Chen noted. 

"The manufacturer worked around the problem by adding a custom filter in the audio pipeline that detected and removed the offending frequencies during audio playback.”

Even though the flaw might sound trivial, researchers found it relevant enough to list it on the register of Common Vulnerabilities and Exposures (CVEs). 

It's listed as CVE-2022-38392 and, according to The Register, has already been acknowledged by security vendor Tenable.

So in the highly unlikely case that you’re running a computer with an old, sluggish 5400-RPM hard disk drive, make sure to keep it away from anyone who might still enjoy Janet Jackson's music.

Via: The Register


This is the lamest Microsoft Office security threat we've ever seen - but people will still fall for it

Many cybersecurity attacks are highly developed, well-thought-out schemes that look to get the better of victims through skilled programming and malware deployment - but sometimes attackers just go the simple route.

A new scam has been uncovered that uses the incredibly low-tech technique of sending a USB flash drive through the post in the hope that unsuspecting victims will plug it in.

The USB drive claims to be carrying a version of Microsoft Office Professional Plus, but in fact carries scamming software, which once installed on a victim's PC, tricks them into calling a fake support line and handing over bank details.

Microsoft Office USB

The packages, which featured legitimate-looking Microsoft Office branding including an engraved USB drive and product key, were reported by Martin Pitman, a cybersecurity consultant for security firm Atheniem. 

He told Sky News that his mother had alerted him to the delivery arriving at the home of a retired friend. This man was in the middle of trying to "install" whatever was on the USB drive, which had prompted him to call a support line which was asking for his personal details.


In this case, after plugging in the USB drive, a warning appeared saying that a virus had been detected, and to call a toll-free number to get this removed. However, doing so passed the victim through to the scammers, who pretended to remove the "virus" before looking to complete the subscription process by taking the victim's payment details.

Microsoft has confirmed that the packages are not genuine, telling Sky News that the scam is becoming sadly common as criminals look for new ways to defraud victims.

"Microsoft is committed to helping protect our customers. We take appropriate action to remove any suspected unlicensed or counterfeit products from the market and to hold those targeting our customers accountable," a company spokesperson said.

"We'd like to reassure all users of our software and products that Microsoft will never send you unsolicited packages and will never contact you out of the blue for any reason."


Dozens more shape-shifting malicious Android apps discovered

Three dozen malicious Android apps have been discovered on the Google Play Store, showing once again that downloading from a proven source is not a sufficient security practice. 

Cybersecurity researchers from Bitdefender discovered a total of 35 Android apps on the Google Play Store that serve dangerous ads to their victims, and try their hardest to hide and prevent the users from removing them. 

The malicious apps, ranging from GPS apps, to photo editors, to charging screensavers, have been downloaded more than two million times, the researchers said, “if we consider the available public data”. That means the total number is probably even greater.

Hiding from the users

Simply serving ads to the endpoints isn’t malicious in itself, the researchers explained, but the problem lies in the fact that these apps do it through their own framework, meaning nothing’s stopping them from serving more dangerous malware, too, or even ransomware. What’s more, if the ads are served aggressively (which they are), they hurt the user experience, as well.

Another aspect that makes these apps malicious is that they hide from the victims in order to avoid being deleted. 

As soon as the victim downloads one of the malicious apps, it will change its entire appearance (both icon and name) into something else, often into apps users would be afraid to delete (System Settings, or something along those lines). 

Even though Google has improved its Play Store vetting system throughout the years, malicious developers still manage to squeeze quite a few apps past the bouncers, and into one of the world’s greatest app repositories. 

That’s why the researchers are suggesting that even when users want to download an app from the official play store, they should double-check that it has enough downloads, and enough positive reviews and comments. Threat actors can use bots to fake reviews and ratings, but they can’t do it en masse. Furthermore, having a mobile antivirus wouldn't hurt.


Vecteezy Vs Inkscape: which is the best free Adobe Illustrator vector alternative?

The programs that are available for making vector graphics are numerous. Out of those, Adobe Illustrator is the most popular which has also led to it becoming the industry standard. 

However, it comes with a fee and, apart from using the free trial version of it, you’d have to pay some bucks to be able to make use of its features. Fortunately, there are some great free options available, out of which, Vecteezy and Inkscape are often considered as two of the best free Adobe Illustrator vector alternatives around. 

Founded in 2007, Vecteezy is an online platform for creating and editing royalty-free vector graphics and stock footage. Inkscape, founded in 2003, is primarily a vector art editor in the SVG (Scalable Vector Graphics) format but offers other formats as well, but as a downloadable program to run locally on your PC. 

So how else do the two vector art programs stack up? Let's dig in and see.

Vecteezy vs Inkscape: Platforms and support

The difference between Vecteezy and Inkscape in terms of deployment type is significant. Inkscape features on-premise deployment while Vecteezy is a web-based application. To put it more simply, Inkscape is locally installed while Vecteezy is hosted by its own server and accessed via a web browser.

Both programs are currently available for desktop use and have not been designed for other devices as of yet. Inkscape is an open-source application which means it has multiple advantages for users but comes with its fair share of cons as well. 

Being open-source means it has greater chances of being affected by bugs, hence its users are advised to keep saving their work to avoid any kinds of unexpected losses. Vecteezy, on the other hand, isn’t open-source and doesn’t offer a public API, and so is a bit more stable in its application. 

Inkscape is regularly updated, offering up to three to four updates in some years with a total of 17 updates since its launch. Vecteezy releases updates quite often as well.

Vecteezy vs Inkscape: Features


Vecteezy assists businesses with vector graphics by providing a library of shapes, templates, and tools. It supports multiple file formats including but not limited to PNG, SPG, and JPEG. Vecteezy’s top-line features include customizable templates, image-editing, an extensive image library, image tracing, multiple format support, and allowing data import/export. 

Out of the various tools that the program features, the Selection Tool, Type Tool, Illustrations Tool, and Pen Tool are the most common. The Selection Tool allows users to select items and perform actions on them. These actions include deleting, resizing, modifying, and moving. 

The Type Tool is used for changing the color, size, transparency, etc. of the font. To look up and add illustrations to the design, the Illustrations Tool is used. Lastly, the Pen Tool enables users to draw lines, curves, and shapes.

Inkscape also allows users to create objects by providing various tools. The program allows editing simple shapes such as rectangles and circles, creating objects such as grids and curves, and enhancing objects with color and patterns. 

It also enables users to manipulate objects, including moving, rotating, resizing, and skewing objects and paths. Users can also make changes to text by tweaking text color, style, spacing, and so on. The layers feature enables users to stack various objects on a canvas and make certain objects visible/invisible.

Vecteezy vs Inkscape: Professional use

We have already seen how Inkscape is useful for a variety of tasks and offers excellent platform support. Considering you don’t have to pay for its service, it sounds like the ideal software to work with. However, it features one major drawback. It does not support CMYK as a color mode. Since SVG is its default file format, it only works with RGB. 

The disadvantage of this feature is that it no longer renders Inkscape to be suitable for print. This includes all your brochures, business cards, flyers, and so on. The software is only recommendable if it’s used for online graphics. Hence, if you’re looking to print professional marketing material, Inkscape would not be a wise choice.

Apart from this certain shortcoming, Inkscape is generally a decent option for professionals. However, given its no-cost nature and the advanced features of other similar vector programs such as Adobe Illustrator, it usually takes a back seat when being considered for professional use. It stands out more to hobbyists or to someone requiring software for very basic vector graphics. 

Vecteezy can be considered a little more professional than Inkscape. Offering a wider range of services and even more with the paid version, Vecteezy is often used professionally. It also doesn’t feature the CMYK drawback that Inkscape does, making it even more well-suited for professional use.

Vecteezy vs Inkscape: How to download

It’s fairly easy to download both programs. For Inkscape, all you have to do is visit its Inkscape download link and follow the necessary steps required to install the program on your desktop. 

You can do this by clicking on the tab that says ‘Download’ and then choosing ‘Current Version’ from the drop-down list that appears. Next, select which system (Windows, Linux, etc.) you’re downloading for, and then follow the necessary steps for the download to start on your device. Similar to how we see with most programs, you can choose between downloading either a 64-bit or a 32-bit version of this software.

Vecteezy is a web-based program and you’re required to sign up on the website in order to avail its services, but signing up will grant you access to millions of free resources that you can make use of for vector art. However, if you wish to take things a step ahead and gain extra rights on the platform, you must sign up for a Pro account. 

While this option requires you to spend money, it will grant access to unlimited downloads, priority support, an ad-free experience, and exclusive access to bundles among a couple of other perks. Simply visit their signup link for a Pro account and choose whichever Pro option best suits your needs. 


Hackers are stealing browser cookies to glide past MFA

Multi-factor authentication is a great way to keep cybercriminals at bay, but some are apparently getting pretty good at bypassing this type of protection by stealing application and browser session cookies. 

Cybersecurity researchers from Sophos say they're observing an increasing appetite for cookies among malware of all sophistication levels. From infostealers such as Raccoon Stealer or RedLine Stealer, to destructive trojans such as Emotet, an increasing number of viruses and malware are getting cookie-stealing functionalities. 

By stealing session cookies, threat actors are able to bypass multi-factor authentication because, with the cookies, the service already deems the user authenticated and just grants access immediately. That also makes them a high-value asset on the black market, with Sophos seeing cookies being sold on Genesis, where members of the Lapsus$ extortion group bought one that resulted in a major data theft from video games giant EA.

Buying cookies 

After purchasing a Slack session cookie from Genesis, the threat actor managed to spoof an existing login of an EA employee and trick the company’s IT team into providing network access. This allowed them to steal 780 GB of data, including game and graphics engine source code, which was later used in an extortion attempt.

The biggest problem with cookies is that they last relatively long, especially for applications such as Slack. A longer-lasting cookie means threat actors have more time to react and compromise an endpoint. IT teams can program their browsers and apps to shorten the allowable timeframe that cookies remain valid, but it comes with a caveat - that means users would need to re-authenticate more often which, in turn, means IT teams need to strike the perfect balance between security and convenience.

Cookie abuse can also be prevented through behavioral rules, Sophos hints, saying that it’s able to stop scripts and untrusted programs “with a number of memory and behavior detections”.


Qualcomm could be returning to the server market

The server market may be about to see a major shake-up following reports that Qualcomm is considering a return to the fold after several years away.

Sources have told Bloomberg that the San Diego-based firm, best known for its Snapdragon smartphone processors, is set to take on the likes of Intel and AMD for a slice of the billion-dollar market.

Qualcomm has reportedly already signed up Amazon Web Services (AWS) as a potential customer, the sources said, in what would be a huge coup for the company.

Qualcomm servers

Qualcomm has so far refused to comment on Bloomberg’s story, but the move had been rumored for some time following its $1.4 billion purchase of chip startup Nuvia back in January 2021. 

Nuvia, which was founded by two former senior Apple engineers who were part of the team that had worked on the custom ARM CPU development for the latest MacBooks and iPhones, specializes in building high performance, low-power processors - ideal for servers.

Qualcomm quit the server business in 2018 following a tumultuous period for the company. 

It had begun selling the Centriq 2400, an Arm-based server chip in November 2017, but despite gaining interest from several big-name customers, was forced to halt sales following the departure of a key executive, as well as looking to focus on its smartphone business.

Qualcomm's possible entry into the lucrative server market comes at an intriguing time, as traditional industry heavyweights battle with ambitious start-ups and smaller players.

Although Intel has led the way for some time, recent figures suggest AMD is making strong ground in the market, with the company marking a 13th consecutive period of growth. 

Intel's next-generation processors, codenamed Sapphire Rapids, have suffered multiple delays - originally scheduled to launch in 2021, the new server chips are now expected to come to market some time in Q1 2023.

Nvidia is also reportedly set to make a big push into the server market, with Arm's new Neoverse platform causing waves throughout the industry in a challenge to Intel's x86 architecture.


That Coinbase job offer could actually be North Korean hackers

Experts have warned that the dangerous Lazarus group is now targeting Web3 developers on Mac devices. 

The North Korean state-sponsored threat actor recently went after blockchain developers with fake lucrative job offers that turned out to be nothing more than infostealers and malware.

While these attacks were limited to Windows users at first, cybersecurity researchers from ESET have now discovered they are expanding into Apple territory, too. 

Intel and Apple chips attacked

The campaign is pretty much the same for both platforms. The group would impersonate Coinbase, one of the largest and most popular cryptocurrency exchanges in the world, and reach out to blockchain developers via LinkedIn and other platforms with a job offer. After a little back-and-forth, and a few rounds of “interviews”, the attacker would serve the victim what seems to be a .pdf file with the job position’s details.

The file’s name is Coinbase_online_careers_2022_07, and while it looks like a .pdf (icon and all), it is actually a malicious DLL that allows Lazarus to send commands to the infected endpoint. The file is compiled for Macs with both Intel and Apple processors, the researchers further discovered, suggesting that the group is after both older, and newer device models. 

Detailing the attack via Twitter, the researchers said the malware drops three files: the bundle FinderFontsUpdater.app, the downloader safarifontagent, and a decoy PDF called “Coinbase_online_careers_2022_07.pdf”. 

Lazarus Group is no stranger to fake job offer attacks, and it’s conducted these attacks in the past with much success. In fact, one of the largest cryptocurrency heists in history, the $600+ million-heavy attack on the Ronin bridge, was done in that exact manner. 

After reaching out to a software engineer and luring him into downloading the fake .pdf file, the attackers from Lazarus found their way into the system, obtained the necessary credentials, and siphoned out millions in cryptocurrency tokens.

In this case, however, the malware was signed on July 21, with a certificate issued to a developer going by the name Shankey Nohria. The team identifier was 264HFWQH63. While the certificate had not been revoked on August 12 when it was checked, BleepingComputer reports, the researchers did find that Apple didn’t scan it for malicious components. 

Via: BleepingComputer
