Linux Mint fixes screensaver bypass discovered by two kids

ZDNet

The Linux Mint project patched a security flaw this week that could have allowed a threat actor to bypass the OS screensaver and its password and access locked desktops.

This particularly nasty security flaw was discovered by two kids playing on their dad’s computer, according to a bug report on GitHub.

“A few weeks ago, my kids wanted to hack my Linux desktop, so they typed and clicked everywhere while I was standing behind them looking at them play,” wrote a user identifying themselves as robo2bobo.

According to the bug report, the two kids pressed random keys on both the physical and on-screen keyboards, which eventually led to a crash of the Linux Mint screensaver, allowing the two access to the desktop.

“I thought it was a unique incident, but they managed to do it a second time,” the user added.

Full article

Signal down after getting flooded with new users

Bleeping Computer

Signal users are currently experiencing issues around the world, with users unable to send and receive messages. When attempting to send messages via Signal, users are seeing a loading screen and the error message “502”.

According to DownDetector and user reports, Signal is currently experiencing an outage in the U.S., Europe, and other parts of the world. The problem was first reported at 10:09 AM EST.

For now, Signal users will have to wait until the company has resolved the issue.

Full article

Hackers leaked altered Pfizer data to sabotage trust in vaccines

Bleeping Computer

The European Medicines Agency (EMA) today revealed that some of the stolen Pfizer/BioNTech vaccine candidate data was doctored by threat actors before being leaked online with the end goal of undermining the public’s trust in COVID-19 vaccines.

EMA is the decentralized agency that reviews and approves COVID-19 vaccines in the European Union, and the agency that evaluates, monitors, and supervises any new medicines introduced to the EU.

“The ongoing investigation of the cyberattack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines have been leaked on the internet,” the agency disclosed today.

This included internal/confidential email correspondence dating from November, relating to evaluation processes for COVID-19 vaccines.

Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.

In a previous update, on Tuesday, EMA revealed that the COVID-19 vaccine data stolen in December was leaked online.

Full article

How law enforcement gets around your smartphone’s encryption

Ars Technica

Lawmakers and law enforcement agencies around the world, including in the United States, have increasingly called for backdoors in the encryption schemes that protect your data, arguing that national security is at stake. But new research indicates governments already have methods and tools that, for better or worse, let them access locked smartphones thanks to weaknesses in the security schemes of Android and iOS.

Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google as well as their own analysis to assess the robustness of Android and iOS encryption. They also studied more than a decade’s worth of reports about which of these mobile security features law enforcement and criminals have previously bypassed, or can currently, using special hacking tools. The researchers have dug into the current mobile privacy state of affairs and provided technical recommendations for how the two major mobile operating systems can continue to improve their protections.

Full article

Three signals of a more privacy-friendly messaging app

Mullvad

Does your messaging app truly respect your privacy? Here are a few simple questions to ask to get a helpful answer. Plus, we tell you which messaging tool sends us all the right signals.

When a friend visits your home, you probably take for granted that your conversations are private. And the idea of someone keeping track of when you come and go, who visits, and how long they stay is something only found in a gripping thriller, right?

Now that most of our interactions have gone online, how do you know that your digital communications and encompassing habits are also private? Here are a few ways to tell if a messaging app is privacy-friendly.

Full article

NSA warns against using DoH inside enterprise networks

ZDNet

The US National Security Agency published a guide today on the benefits and risks of encrypted DNS protocols, such as DNS-over-HTTPS (DoH), which have become widely used over the past two years.

The US cybersecurity agency warns that while technologies like DoH can encrypt and hide user DNS queries from network observers, they also have downsides when used inside corporate networks.

DoH is not a panacea, the NSA said in a security advisory published today, claiming that the use of the protocol gives companies a false sense of security, echoing many of the arguments presented in a ZDNet feature on DoH in October 2019.

The NSA said that DoH does not fully prevent threat actors from seeing a user’s traffic and that when deployed inside networks, it can be used to bypass many security tools that rely on sniffing classic (plaintext) DNS traffic to detect threats.

Full article

Verified Twitter accounts hacked in $580k ‘Elon Musk’ crypto scam

Bleeping Computer

Threat actors are hacking verified Twitter accounts in an Elon Musk cryptocurrency giveaway scam that has recently become widely active.

There is nothing new about cryptocurrency scams on Twitter, especially ones pretending to be giveaways from Elon Musk. In 2018, scammers raked in $180,000 using a successful Elon Musk giveaway scam promoted on Twitter.

Over the past week, security researcher MalwareHunterTeam has seen an uptick in verified Twitter accounts hacked in a scam promoting another fake Elon Musk cryptocurrency giveaway.

Full article

Europol announces bust of “world’s biggest” dark web marketplace

Naked Security

You probably don’t need to be told what sort of products were on offer at an online retail site called DarkMarket.

As you can imagine, it operated on the so-called dark web, and you’d have needed the Tor browser to access it, using a special web address ending in .onion.

Onion addresses can only be reached via Tor – you don’t, and indeed can’t, look up the IP number where they can be reached on the internet, as you can with regular sites like nakedsecurity.sophos.com (192.0.66.200 at the time of writing, if you were wondering).

Instead, you need to connect to the Tor network and ask it to locate and connect to onion sites for you, assuming you know what onion address to use in the first place.

Using a special anonymising protocol, Tor arranges for the “other end” of your anonymised connection into Tor to be paired up with the “other end” of the relevant onion site’s connection into Tor, after which you can talk to each other.

Your traffic gets all the way to the onion site, but you have no idea where that site is because you can only trace your packets until they first enter the Tor network.

Similarly, the server’s replies get back to you, but the server has no idea where you are, for the same reason in reverse.

Full article