Plus, Avast detects malware in Mongolia, and Trump’s new site gets hacked on day one
Twitter People Experience Designer Lena Emara tweeted 4 new Twitter security feature concepts, asking users for feedback on whether or not they should move into development. “Privacy is one of those things everyone wants, but it’s not a one-size-fits-all,” Emara tweeted, before going into detail on each idea. The first idea, “Replies,” gives users an easy way to make their tweets public if they’d like to make a response to a non-follower viewable. The second idea, “Account Breadcrumbs,” provides easy and quick switching between multiple profiles. “Privacy Sets,” allows users to pick from various security presets, depending on their needs. The final idea, “Discover Me (Or Not),” alerts users when someone searches their username. It also lets users choose whether or not they’d like to be found that way. “These are just ideas and not being built (yet), so your feedback is helpful!” Emara wrote.
Avast Security Evangelist Luis Corrons reminds users they should keep their expectations in check. “As a user, having more options to control your privacy is desirable and a good move,” he said. “But in this case it seems that they are thinking about making it easy to switch off or pause your privacy settings when, for example, replying to non-followers. Let’s be honest, a social network is the opposite of privacy, so we had better be extremely cautious whenever we use them.”
Researchers at Avast found that a public web server hosted by MonPass, a certification authority in Mongolia, had been compromised to secretly spread malware to unsuspecting users through a malicious installer. The malicious installer wrapped the legitimate one, so that everything looked normal to the user, but bundled an unsigned PE file that then retrieved Cobalt Strike binaries from the web; unsigned code shipping from a certificate authority is itself a red flag worth checking for. Cobalt Strike is a commercial security testing tool, but bad actors routinely abuse it to deploy malware or exfiltrate data. Avast published its analysis once MonPass confirmed it had taken steps to address the issue. For more on this story, see ZDNet.
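A quick triage check for the pattern described above, added here as an example and not part of Avast's analysis or of any MonPass code: it parses a PE file's data directories and reports whether a certificate table (where an Authenticode signature lives) is present at all. It runs on constructed, header-only fixtures built in the same block; the dummy certificate bytes and the fixture layout are assumptions for the demo, not real signed binaries.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field accessors; PE headers are LE regardless of host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns the WIN_CERTIFICATE type (2 = PKCS#7 SignedData, what Authenticode
 * uses) when the PE carries a certificate table, 0 when it is unsigned, and
 * -1 when the bytes are not a PE or the table points outside the file.
 * Presence is not validity: a non-zero result still needs real verification
 * (signtool, osslsigncode, Get-AuthenticodeSignature). An unsigned result,
 * however, is the definite red flag. */
static int pe_authenticode_status(const uint8_t *d, size_t n)
{
    if (n < 0x40 || d[0] != 'M' || d[1] != 'Z') return -1;
    size_t pe = rd32(d + 0x3C);                  /* e_lfanew */
    if (pe > n - 4 || memcmp(d + pe, "PE\0\0", 4) != 0) return -1;
    size_t opt = pe + 4 + 20;                    /* optional header follows the 20-byte COFF header */
    if (opt + 2 > n) return -1;
    uint16_t magic = rd16(d + opt);
    size_t dirs;
    if (magic == 0x10B) dirs = opt + 96;         /* PE32: data directories at +96 */
    else if (magic == 0x20B) dirs = opt + 112;   /* PE32+: data directories at +112 */
    else return -1;
    if (dirs + 5 * 8 > n) return -1;             /* need entries 0..4 to be in the file */
    if (rd32(d + dirs - 4) <= 4) return 0;       /* NumberOfRvaAndSizes has no security entry */
    size_t off = rd32(d + dirs + 4 * 8);         /* IMAGE_DIRECTORY_ENTRY_SECURITY: raw file offset */
    size_t sz  = rd32(d + dirs + 4 * 8 + 4);
    if (sz == 0) return 0;                       /* empty table: unsigned */
    if (sz < 8 || off > n || sz > n - off) return -1;  /* hostile or truncated table */
    int type = rd16(d + off + 6);                /* WIN_CERTIFICATE.wCertificateType */
    return type > 0 ? type : -1;
}

/* Constructed test fixture (not a real binary): a header-only PE whose
 * certificate table is either empty or points at a dummy WIN_CERTIFICATE. */
static size_t build_minimal_pe(uint8_t *out, size_t cap, int pe32plus, int is_signed)
{
    static const uint8_t dummy_der[7] = { 0x30, 0x82, 0x00, 0x04, 0x06, 0x09, 0x2a }; /* stand-in, not PKCS#7 */
    size_t dir_base = pe32plus ? 112 : 96, opt_len = dir_base + 16 * 8;
    size_t hdr_len = 0x40 + 4 + 20 + opt_len;
    size_t cert_len = is_signed ? 8 + sizeof dummy_der : 0;
    if (cap < hdr_len + cert_len) return 0;
    memset(out, 0, hdr_len + cert_len);
    out[0] = 'M'; out[1] = 'Z'; wr32(out + 0x3C, 0x40);   /* DOS header, e_lfanew */
    memcpy(out + 0x40, "PE\0\0", 4);
    uint8_t *coff = out + 0x44, *opt = coff + 20;
    wr16(coff, pe32plus ? 0x8664 : 0x14C);       /* Machine */
    wr16(coff + 16, (uint16_t)opt_len);          /* SizeOfOptionalHeader */
    wr16(coff + 18, 0x0002);                     /* Characteristics: executable image */
    wr16(opt, pe32plus ? 0x20B : 0x10B);         /* Magic */
    wr32(opt + dir_base - 4, 16);                /* NumberOfRvaAndSizes */
    if (is_signed) {
        uint8_t *cert = out + hdr_len;
        wr32(opt + dir_base + 4 * 8, (uint32_t)hdr_len);      /* security directory: offset */
        wr32(opt + dir_base + 4 * 8 + 4, (uint32_t)cert_len); /* security directory: size   */
        wr32(cert, (uint32_t)cert_len);          /* dwLength */
        wr16(cert + 4, 0x0200);                  /* wRevision */
        wr16(cert + 6, 0x0002);                  /* wCertificateType: PKCS_SIGNED_DATA */
        memcpy(cert + 8, dummy_der, sizeof dummy_der);
    }
    return hdr_len + cert_len;
}

/* Builds a fixture, optionally chops bytes off its end, and classifies it. */
static int fixture_status(int pe32plus, int is_signed, size_t truncate_by)
{
    uint8_t buf[512];
    size_t n = build_minimal_pe(buf, sizeof buf, pe32plus, is_signed);
    if (n == 0 || truncate_by > n) return -2;
    return pe_authenticode_status(buf, n - truncate_by);
}

int main(void)
{
    printf("unsigned PE32   : %d\n", fixture_status(0, 0, 0));
    printf("signed PE32+    : %d\n", fixture_status(1, 1, 0));
    printf("truncated table : %d\n", fixture_status(1, 1, 5));
    return 0;
}
```

To run it on a real installer, read the file into a buffer and call `pe_authenticode_status` on it; a 0 means the package was shipped unsigned, while any positive value only says a signature blob is attached and must still be verified against the expected publisher.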
Over the weekend, a couple of tech news websites warned users about popular open source audio editor Audacity, claiming the app’s new policy of collecting telemetry is “overarching and vague” and likening it to spyware. According to Ars Technica, “the negativity seems to be both massively overblown and quite late.” New Audacity owner Muse Group alerted users to the new policy of collecting telemetry on May 4. At that time, the data collection was presented as activated by default with an opt-out feature. Immediate pushback from the Audacity community convinced Muse Group to amend the policy 3 days later, saying that it would instead be deactivated by default with an opt-in feature. Also, Ars Technica adds, the data being collected is hardly different from that collected by other standard apps.
On July 4th, the official launch day of former President Donald Trump’s Twitter look-alike app Gettr, the platform was hacked. The accounts of Mike Pompeo, Steve Bannon, Marjorie Taylor Greene, and Gettr CEO Jason Miller were among those taken over and filled with pro-Palestinian messages. The hack lasted less than 90 minutes, and the hacker told Business Insider that he did it simply because it was easy, taking only about 20 minutes of work. He said that while Gettr had fixed the bug he had used to get into the platform, it was still easy for anyone to scrape personal data from the site. “They should not publish the website before making sure that everything, or at least almost everything, is secure,” he said.
Security researcher Carl Schou discovered that joining certain Wi-Fi networks whose names contain a percent symbol (%) can disable Wi-Fi on iOS devices. Even after resetting network settings, Schou found, the bug can continue to render Wi-Fi unusable. 9to5mac suggested the cause is a format-string bug: in C-style formatting, a percent sign introduces a specifier that formats a variable into an output string, so if the Wi-Fi subsystem passes the network name to an internal formatting routine as the format string rather than as plain data, the specifiers in the name are interpreted as instructions to read and write memory, corrupting it and crashing the process. Apple has not commented on the bug yet. For more on this, see The Verge.
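The mechanism 9to5mac is describing is a classic C format-string bug. What follows is an added example, not Apple's code and not the researcher's: a vulnerable logging call beside its hardened form, a validator that flags network names containing conversion specifiers, and an escaping helper for defense in depth. The SSIDs in it are constructed samples; the page does not quote the actual network name, and the logging helper is a hypothetical stand-in for whatever the real subsystem calls.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper that forwards a printf-style format to
 * vsnprintf. It deliberately carries no format attribute, so the vulnerable
 * call below compiles silently, as such code typically does in the wild. */
static int append_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE: the attacker-controlled SSID becomes the format string.
 * A name such as "%p%s%s%s%s%n" makes vsnprintf read values that were never
 * passed (%p, %s) and write an integer through a pointer it invented (%n);
 * the result is memory corruption or a crash. Only ever reached below with
 * a name the validator has already cleared. */
static int log_ssid_vulnerable(char *out, size_t n, const char *ssid)
{
    return append_log(out, n, ssid);
}

/* HARDENED: the SSID is always an argument to a literal format string. */
static int log_ssid_safe(char *out, size_t n, const char *ssid)
{
    return append_log(out, n, "joined SSID: %s", ssid);
}

/* Counts conversion specifiers in a name: every '%' that is not part of a
 * literal "%%" pair. Anything above zero means the name would be dangerous
 * if it ever reached a format-string position. */
static int ssid_format_specifiers(const char *ssid)
{
    int count = 0;
    for (const char *p = ssid; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }     /* "%%" prints a literal percent */
        count++;
    }
    return count;
}

/* Doubles every '%' so the string stays inert even if a downstream component
 * mistakenly uses it as a format string. Returns 0 on success, -1 if the
 * escaped form (plus terminator) does not fit in n bytes. */
static int ssid_escape_percent(const char *ssid, char *out, size_t n)
{
    size_t j = 0;
    for (const char *p = ssid; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (j + need >= n) return -1;
        out[j++] = *p;
        if (*p == '%') out[j++] = '%';
    }
    out[j] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample names; the page does not quote the real SSID. */
    const char *names[] = { "Home", "Cafe 100%% free", "%p%s%s%s%s%n" };
    char buf[128], esc[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int specs = ssid_format_specifiers(names[i]);
        log_ssid_safe(buf, sizeof buf, names[i]);
        printf("%-16s specifiers=%d  safe log: %s\n", names[i], specs, buf);
        if (specs == 0) {      /* validation gate: only clean names reach the legacy path */
            log_ssid_vulnerable(buf, sizeof buf, names[i]);
            printf("%-16s legacy log: %s\n", "", buf);
        }
        if (ssid_escape_percent(names[i], esc, sizeof esc) == 0)
            printf("%-16s escaped: %s\n", "", esc);
    }
    return 0;
}
```

The fix that matters is the one in `log_ssid_safe`: never let untrusted text occupy the format argument. The validator and the escaper are belt-and-braces for code paths you do not control; the escaped form also shows why a name like "Cafe 100%% free" is harmless, since "%%" is the one percent sequence a formatter treats as data.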
Recently, Avast Writer David Strom tried to remove his data from being collected by data brokers and found it to be a very frustrating online rabbit hole. The experience highlighted the fact that we don’t have full control over our personal information and data — read up to find out more.
This week, Instagram rolled out Sensitive Content Control, a filter that can limit the amount of potentially upsetting content the platform suggests to users in the Explore tab.
Explaining the inner workings, targets, and risks associated with the NSO Group’s Pegasus, a spyware tool that can be deployed on Android and Apple smartphones with a great deal of stealth.