Newsletters

Written content from the Risky Business Media team

Chinese Mobile App Encryption is Suspiciously Awful

Presented by Tom Uren, Policy & Intelligence

A new paper from researchers at Princeton and The Citizen Lab has found that apps from Xiaomi's Mi Store, which serves mainland China, are an encryption horror show. Compared to apps found in Google's Play Store, Mi Store apps send significantly more unencrypted traffic. And the encrypted traffic they do send is typically vulnerable to decryption by eavesdroppers.

The researchers examined the top 1,699 apps from the Google Play Store and the Mi Store (more than 800 from each store) and ran them through a measurement pipeline they called WireWatch. The researchers developed WireWatch to automatically identify non-standard encryption. 

It found that nearly half of the top Mi Store apps used proprietary encryption. Only 3.51% of the top Google Play Store apps do the same. The authors then reverse-engineered the nine most popular cryptosystems identified by WireWatch. They found that eight of them sent network traffic that was vulnerable to decryption by adversaries. 

Risky Bulletin: EU launches its own vulnerability database

Presented by Catalin Cimpanu, News Editor

The EU's cybersecurity agency ENISA has launched its own vulnerability database designed to aggregate information on software bugs across the European ecosystem.

Although some infosec researchers might think this is the EU's reaction to the recent MITRE funding issues in the US, the new EUVD database was coming anyway, regardless of what was happening to the CVE program.

The EU actually ordered ENISA to create the new database via the NIS2 directive that passed in December 2022—see paragraphs 62 and 63.

Risky Bulletin: Kaleidoscope ad fraud network infects 2.5mil new devices each month

Presented by Catalin Cimpanu, News Editor

Security researchers have discovered a new ad fraud operation named Kaleidoscope that uses the "evil twin app" technique to disguise the origin of its ad impressions.

The botnet consists of clean apps uploaded to the official Play Store and doppelgangers distributed through third-party stores.

These clones are the heart of the botnet and are the ones that use a malicious advertising SDK to bombard users with unwanted and unskippable ads.

Risky Bulletin: France says Russian influence operations are getting better, achieving results

Presented by Catalin Cimpanu, News Editor

VIGINUM, the French government's agency that hunts down and exposes foreign disinformation networks, says that Russian influence operations have now reached a mature level and are often achieving notable results.

The agency published a report this week on Storm-1516—what appears to be one of the Russian government's most sprawling and active disinformation clusters.

Unlike many previous disinformation reports that tend to play down the effectiveness of such operations, VIGINUM doesn't mince words and describes Storm-1516's efforts as successful and "a significant threat to French and European public debate."

It's Like Signal, but Dumb

Presented by Tom Uren, Policy & Intelligence

The use of encrypted messaging apps by senior Trump officials has become a rolling security disaster. We've now learned that rather than using actual Signal, they've been using a bastardised version that undermines the app's security guarantees.  

Last week, President Trump's then-national security advisor Mike Waltz was photographed surreptitiously checking his phone for messages during a cabinet meeting. It gave a decent view of exactly what was on Waltz's screen. Rather than the official Signal app, he appeared to be using something called TM SGNL to communicate with Secretary of State Marco Rubio, Vice President JD Vance, Director of National Intelligence Tulsi Gabbard and special envoy Mike Witkoff.

It turns out TM SGNL is a forked version of Signal maintained by a company called TeleMessage. The company makes clones of popular consumer messaging apps with the addition of archiving functions to store messages. 

Risky Bulletin: Microsoft joins industry crackdown on bulk email senders

Presented by Catalin Cimpanu, News Editor

Microsoft has joined rivals in the consumer email inbox market, such as Apple, Google, and Yahoo, and implemented stronger anti-spam features for its Outlook.com email platform.

The new rules entered into effect on Monday, May 5, and apply only to bulk senders, which are domains that send more than 5,000 emails per day to Outlook users.

Bulk senders must now authenticate their domains using modern email security standards such as DKIM, DMARC, and SPF.

Risky Bulletin: Six-year-old backdoor comes to life to hijack Magento stores

Presented by Catalin Cimpanu, News Editor

Hackers activated secret backdoors they planted six years ago inside Magento plugins to hijack almost 1,000 Magento online stores.

The initial compromises took place in 2019 when the attackers allegedly gained access to the servers of three Magento software developers—Magesolution, Meetanshi, and Tigren.

According to security firm Sansec, the hackers modified the source code of 21 plugins. The backdoor was hidden in the License.php file, which is typically included in most plugins to check if the user holds a valid license.

Risky Bulletin: New Microsoft accounts will be passwordless by default

Presented by Catalin Cimpanu, News Editor

Microsoft is making the passwordless login experience the default for all new user accounts, the company said in a blog post on World Password Day.

New users will have several passwordless options to choose from when creating their account, and they won't need to set up a password going forward.

Existing users also have a new option in their settings that will let them unlink and delete passwords from their accounts.

Security Vendors Are Constantly Being Attacked

Presented by Tom Uren, Policy & Intelligence

Security firm SentinelOne has published a new report that takes a deep dive into all the weird and wonderful ways threat actors are targeting it. Attacks against security vendors are nothing new, but they've scaled up and are now a constant threat. And as best we can remember, this is the first time a security company has publicly described the range of threats they're facing in detail. 

The report first looks at the North Korean (DPRK) IT worker threat, where North Koreans use fake identities to apply for legitimate remote jobs. SentinelOne says this threat is evolving and occurring at "staggering volume":

Instead of just deleting the applications and moving on, the company turned the tables on the North Korean applicants. In an effort to learn more about their fraudulent job application techniques, it strung them along in tailored recruitment processes. SentinelOne says it was able to make its detection processes more effective by bringing frontline teams such as recruiting and sales into the tent. By sharing potential threat information, recruiters were able to identify suspicious patterns. Those patterns were then used in automated systems to identify and even block dodgy applications. A kind of virtuous cross-team circle. 

Risky Bulletin: French government grows a spine and calls out Russia's hacks

Presented by Catalin Cimpanu, News Editor

After years and years of pretending like nothing serious happened, the French government has finally grown a spine and formally called out Russia for using military cyber units to meddle in its elections and to carry out destructive cyberattacks against French targets—a big no-no for countries not at war.

In a statement on Tuesday, the French Ministry of Foreign Affairs says that hackers linked to Russia's GRU military intelligence agency were behind some of the most notorious hacks in France's history, such as:

French officials blamed these attacks, and more, on a GRU hacking group known as APT28.