Thursday, September 15, 2022

Latest Tech News

There is a security flaw in Microsoft Teams that allows threat actors to log into other people’s accounts, even if those accounts are protected with multi-factor authentication, researchers have claimed.

Cybersecurity analysts from Vectra say the Teams desktop application for Windows, Linux, and Mac stores user authentication tokens in cleartext, with nothing guarding access to them. Anyone with local access to a system with Teams installed can steal these tokens and use them to log into the accounts.

"This attack does not require special permissions or advanced malware to get away with major internal damage," Vectra’s Connor Peoples said. Microsoft, on the other hand, says the whole deal is blown out of proportion and it is not interested in addressing the issue at this time.

Active tokens

The problem lies in the fact that Microsoft Teams is an Electron app, running in a browser window. As Electron does not come with support for encryption or protected file locations by default, it is somewhat easier to use, but also riskier on the data protection side of things. Deeper analysis uncovered that the tokens were not stored in error, or as part of a previous data dump.

“Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs,” Vectra explained. What’s more, the “cookies” folder also held tokens, account information, session data, and other valuable information.

But Microsoft played the whole thing down, saying it isn’t that severe and that it doesn’t meet the criteria for patching.

In a statement sent to BleepingComputer, Microsoft said “The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network. We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release.”

Vectra, on the other hand, disagrees, and to prove its point, it developed an exploit that abuses an API call, allowing a user to send messages to themselves. By reading the cookies database through the SQLite engine, the exploit was able to receive the authentication tokens in a message.

If you’re worried about your business having its tokens snatched, you should switch to the browser version of the Teams client, Vectra suggests. Linux users should migrate to a different collaboration platform, as well. 


Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/ELhyK7Q

Wednesday, September 14, 2022

Best Game Pass and Xbox Live Deals - CNET

The best places to get an Xbox gaming subscription at a bargain.

from CNET https://ift.tt/cQPrOqe

Best TV Streaming Service Deals - CNET

Take advantage of savings from HBO Max, Hulu, Paramount Plus and more with these streaming service discounts.

from CNET https://ift.tt/6tuwY0l

2022 Emmy Awards: The Complete List of Winners - CNET

Succession, Ted Lasso and The White Lotus picked up major awards on Monday night. Here's the full list of 74th Emmy Award winners.

from CNET https://ift.tt/gTeWj2H

Latest Tech News

A zero-day vulnerability found in a premium WordPress plugin is being actively exploited in the wild, researchers are saying, urging users to remove it from their websites until a patch is released.

WordPress security plugin maker Wordfence uncovered a flaw in WPGateway, a premium plugin helping admins manage other WordPress plugins and themes from a single dashboard.

According to the researchers, the flaw is tracked as CVE-2022-3180, and carries a severity score of 9.8. It allows threat actors to create an admin user on the platform, meaning they’d have the ability to take over the entire website if they so pleased. 

Millions of attacks

"Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator," said Ram Gall, Wordfence researcher.

Wordfence added that it successfully blocked more than 4.6 million attacks, against more than 280,000 sites, in the last month alone. That also means that the number of attacked (and possibly compromised) websites is probably much, much larger.

A patch for the flaw is not yet available, the researchers said, and there is no workaround. The only way to stay safe, for the time being, is to remove the plugin from the website altogether, and wait for the patch to arrive, researchers stressed. 

Webmasters looking for indicators of compromise should check their sites for admin accounts named “rangex”. Furthermore, they should look for requests to "//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1" in the access logs, as that is a sign of an attempted breach. This sign, however, doesn’t necessarily mean it was successful.
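One way to run the access-log check described above, as an added example that is not code from Wordfence or the original article. It assumes the Apache/nginx "combined" log format; the function names and the sample log lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Indicator quoted in the article above.
IOC_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
IOC_PARAM, IOC_VALUE = "wp_new_credentials", "1"

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_ioc_request(target):
    """True if a request target matches the WPGateway indicator."""
    # Split by hand: urlsplit() would read the leading "//" as a hostname.
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(path))  # decode %xx, collapse "//"
    params = parse_qs(query, keep_blank_values=True)
    # endswith() also covers WordPress installed in a subdirectory.
    return path.endswith(IOC_PATH) and IOC_VALUE in params.get(IOC_PARAM, [])

def scan(lines):
    """Return {client_ip: [(timestamp, method, status), ...]} for matches."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ioc_request(m["target"]):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
_URL = "wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Sep/2022:04:11:52 +0000] "GET //{_URL}?wp_new_credentials=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [10/Sep/2022:04:12:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "-"',
    f'203.0.113.7 - - [10/Sep/2022:04:12:40 +0000] "POST /{_URL}?foo=bar&wp_new_credentials=1 HTTP/1.1" 404 196 "-" "-"',
    f'192.0.2.44 - - [10/Sep/2022:05:01:13 +0000] "GET /{_URL} HTTP/1.1" 200 0 "-" "-"',
    f'192.0.2.90 - - [10/Sep/2022:06:30:02 +0000] "GET /blog/{_URL}?wp%5Fnew%5Fcredentials=1 HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        for ts, method, status in events:
            print(f"{ip} {ts} {method} status={status}")
```

A match records an attempt only; as the article notes, confirming compromise means checking the site's user list for the “rangex” administrator account.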

Other details are scarce for the moment, given the fact that the flaw is being actively exploited, and that the fix is not yet available. 

WordPress is the world’s most popular website builder, and as such, is under constant attack by cybercriminals. While the platform itself is generally considered safe, its plugins, of which there are hundreds of thousands, are often the weak link that leads to compromise.

Via: The Hacker News



from TechRadar - All the latest technology news https://ift.tt/knNzjPS

Nintendo Switch Sports' Free Golf Update Now Coming This Holiday - CNET

The game's next free update has been delayed slightly.

from CNET https://ift.tt/FOnYeTH

Latest Tech News

The Linux Foundation has announced plans to form a new entity, the OpenWallet Foundation (OWF), which will provide the basis for companies to create digital wallets on an open source platform.

“The mission of the OWF is to develop a secure, multi-purpose open source engine anyone can use to build interoperable wallets,” the organization explained.

“The OWF aims to set best practices for digital wallet technology through collaboration on open source code for use as a starting point for anyone who strives to build interoperable, secure, and privacy-protecting wallets.”

Linux OpenWallet Foundation

The idea behind the OWF is not to create a wallet to rival the likes of Apple Wallet and Google Wallet, but rather to create a “multi-purpose open source engine anyone can use to build interoperable wallets”, which the foundation sees being utilized for things like secure payments and digital keys.

Companies will then be able to leverage the work of the OWF and develop their own digital wallets, which the Linux body says will enhance interoperability, security, and privacy.

Linux Foundation Executive Director Jim Zemlin said in a statement that “digital wallets will play a critical role for digital societies”, thus the work of the OWF could prove valuable to ensuring a more level playing field in years to come.

Moving forward, Global Metaverse Continuum Business Group & Blockchain Lead at Accenture, David Treat, believes that “universal digital wallet infrastructure will create the ability to carry tokenized identity, money, and objects from place to place in the digital world.”

Meanwhile, Pramod Varma, Chief Architect at Aadhaar & India Stack, sees “verifiable credentials… becoming an essential digital empowerment tool for billions of people and small entities”, which emphasizes the standardization work that the OWF hopes to carry out.

The body’s goal is to launch the new entity later in 2022, and interest to collaborate can be expressed on the OpenWallet Foundation website.



from TechRadar - All the latest technology news https://ift.tt/x7EkNj9

Tuesday, September 13, 2022

Latest Tech News

Steam users are being targeted by cybercriminals looking to steal accounts, a new report from Group-IB has claimed.

The experts uncovered a group of hackers using an elusive phishing kit to try and lure gamers into giving away their Steam login credentials, and once they do, the crooks will try to sell their accounts on the black market.

The thefts can allegedly be rather lucrative, with some of the more high-profile accounts reportedly selling for as much as $100,000 to $300,000 apiece.

Fake popups 

The group gathers either on Discord or Telegram and uses a phishing kit capable of “browser-in-browser” attacks, something not as widely distributed among the cybercrime community as some other tools. 

What they’ll do is try and reach out to pro gamers on Steam and invite them to a tournament for one of the more popular titles, such as League of Legends, Counter-Strike, Dota 2, or PUBG. The invitation will carry a link, which will bring the victim to a website that looks like it belongs to an organization sponsoring and hosting esports tournaments. 

To sign up for the tournament, the victims will be asked to log into their Steam accounts, which will look like a regular login pop-up page. However, that login page isn’t a browser popup, but rather an entire fake window, created within the current page. That makes it extremely difficult for the victim to spot they’re being attacked, especially because the link in the search bar will look legitimate.

After typing in their credentials, the targets will also be asked for their 2FA code, and if they fail to provide the right one, the website will display an error message. If they provide the right code, however, they’ll be redirected to a legitimate URL, further hiding the theft.

Generally speaking, the best way to defend from these types of attacks is to block JavaScript, but given that such an aggressive measure would break many popular websites, it can’t be recommended. Instead, gamers are urged to be extra vigilant when receiving any links anywhere, Discord and Telegram included.

Via: BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/PO6gIF3

Disney World Hints at Encanto, Coco and Villains Expansions in Magic Kingdom - CNET

Animal Kingdom and Magic Kingdom will be getting all new areas.

from CNET https://ift.tt/QqtV2a8

Latest Tech News

New findings from cloud storage and backup company Backblaze have shed light on the long-term reliability of SSDs versus HDDs, when deployed as boot drives.

The second edition of the Backblaze drive statistics report, based on the storage hardware deployed across the company’s data centers, shows the annualized failure rate (AFR) of HDD boot drives is roughly twice that of SSD equivalents.

The longevity of SSDs is accentuated particularly beyond the fifth year of usage, at which point 3.55% of hard drives suffer a failure, compared with only 0.92% of SSDs.

SSD vs HDD

Although the data collected by Backblaze is representative of performance in only one environment, and cannot be used as a marker for the reliability of SSDs and hard drives outside of a boot drive context, the company believes it is sufficient to draw clear conclusions about the longevity of both types of storage device.

“At this point, we can reasonably claim that SSDs are more reliable than HDDs, at least when used as boot drives in our environment. This supports the anecdotal stories and educated guesses made by our readers in the past year or so,” wrote Backblaze.

However, the company also concedes the SSD failure rate is likely to rise dramatically after the fifth year of use, following a similar pattern to hard drives. For context, by the eighth year, HDD boot drives record an AFR of 6.41%.

“It is highly certain that the failure rate of SSDs will eventually start to rise,” said the firm. “It is also possible that at some point the SSDs could hit the wall, perhaps when they start to reach their media wearout limits.”

With this in mind, the company, which deployed SSD boot drives at scale for the first time in 2018, will monitor closely for signs of a dip in AFR, which will presumably be reflected in next year’s report.

The falling cost per capacity of SSDs, coupled with the performance advantage from a speed and reliability perspective, means there are few remaining reasons to opt for a hard disk drive - especially for use as a boot drive.

For organizations considering making the shift themselves, the new figures from Backblaze might just be enough to tip the scales.



from TechRadar - All the latest technology news https://ift.tt/9Bd5ADp

Latest Gadgets News

Twitter shareholders have voted to approve Elon Musk's Twitter takeover deal on Tuesday. Musk's agreement to buy Twitter for $44 billion (roughly Rs. 3,49,800 crore) was approved by a majority of shareholders, a month ahead of the upcoming legal battle between the microblogging platform and the Tesla CEO, who has repeatedly attempted to walk away from the deal.

from Gadgets 360 https://ift.tt/igfzO1j

Xenoblade Chronicles 3 DLC Guide: Expansion Pass Price, Wave 2 Content and More - CNET

Here's everything you need to know about Xenoblade Chronicles 3's DLC pass.

from CNET https://ift.tt/H5v9FLC

Apple's New iOS 16 Is Here Now. Can Your iPhone Get It? - CNET

Not all iPhones are compatible with Apple's latest software update.

from CNET https://ift.tt/z5Kbv9t

Monday, September 12, 2022

How to Watch Firefly Rocket Try to Reach Space After Fiery First Attempt - CNET

The private space company is hoping its second attempt Monday doesn't have the same ending as its first.

from CNET https://ift.tt/h4xEBoe

Latest Tech News

With Apple set to launch its new iOS 16 operating system imminently, some security experts have warned that the software's headline privacy feature might not be all that it's cracked up to be.

The company announced that Lockdown Mode would be available as part of iOS 16, designed for the new iPhone 14 models and more, in a bid to offer users a stronger level of cybersecurity protection than ever before.

But exactly how useful the feature will be to the millions of everyday iPhone users has been called into question, with one leading VPN company calling out Apple just in time for the launch.

iOS 16 Lockdown Mode

"Using Lockdown Mode comes at a cost," explained Marijus Briedis, Chief Technology Officer at NordVPN. "Get behind the wheel of a tank and you’re unlikely to be setting any speed records and, in the same way, employing this security measure will limit your iPhone’s performance and what you can do with it."

“Most message attachments and links will be blocked, shared photo albums will be unavailable and anonymous FaceTime calls will be a thing of the past. Added to this, the mode is not something you can simply toggle on and off without a full system reset.”

NordVPN's comments appear to make sense when considering some of the new features of Lockdown Mode, which include blocking most message attachment types other than images, disabling link previews and blocking wired connections with a computer or accessory when an iPhone is locked.

The tool will also disable or block some Apple services, such as requests for incoming FaceTime calls from unknown callers (ones where you haven't previously initiated a FaceTime call), and in the company's Safari web browser, some web technologies, including just-in-time (JIT) JavaScript compilation, are disabled, although trusted sites can be excluded from Lockdown Mode.

The launch looks to address possible security flaws exploited by a suspected state-sponsored attack against thousands of iPhone users, including government officials, back in 2021. Following this attack, Apple sued NSO, the company it believes was responsible for creating the surveillance software, a charge NSO has denied.

We raised our own concerns about the usefulness of iOS 16 Lockdown Mode after its reveal, with TechRadar US Editor in Chief Lance Ulanoff noting the tool "is not for everyone...In fact, you might argue it's for a select few: those who believe they could be targeted by state-sponsored cybersecurity attacks. In other words, this is software for the President of the United States."

Briedis and NordVPN seem inclined to agree, noting Lockdown Mode is, “the sort of feature that is probably standard issue among intelligence agents, now rolled out to a far wider audience.”

“With just a few swipes users can set up the equivalent of Fort Knox on their iPhone, protecting data on their handset from the attention of would-be hackers.”

“Unless you are a high-ranking government minister or privy to priceless state or commercial secrets, engaging Lockdown Mode to safeguard your phone is like using a sledgehammer to crack a nut. And if bad actors genuinely have your device in their sights, running the feature could convince anyone tracking your phone that you have something worth stealing.”



from TechRadar - All the latest technology news https://ift.tt/yDYBton

Heat Domes and Surging Grid Demand Threaten US Power Grids with Blackouts

A new report shows a sharp increase in peak electricity demand, leading to blackout concerns in multiple states. Here's how experts say ...