Security

Eight-Year Study Finds 24,931 WordPress Sites Using Malicious Plugins (gatech.edu) 25

"Since 2012 researchers in the Georgia Tech Cyber Forensics Innovation Laboratory have uncovered 47,337 malicious plugins across 24,931 unique WordPress websites through a web development tool they named YODA," warns an announcement released Friday. According to a newly released paper about the eight-year study, the researchers found that every compromised website in their dataset had two or more infected plugins.

The findings also indicated that 94% of those plugins are still actively infected.

"This is an under-explored space," said Ph.D. student Ranjita Pai Kasturi who was the lead researcher on the project. "Attackers do not try very hard to hide their tracks and often rightly assume that website owners will not find them."

YODA is not only able to detect active malware in plugins, but it can also trace the malicious software back to its source. This allowed the researchers to determine that these malicious plugins were either sold on the open market or distributed from pirating sites, injected into the website by exploiting a vulnerability, or in most cases, infected after the plugin was added to a website. According to the paper written by Kasturi and her colleagues, over 40,000 plugins in their dataset were shown to have been infected after they were deployed. The team found that the malware would attack other plugins on the site to spread the infection.

"These infections were a result of two scenarios. The first is cross-plugin infection, in which case a particular plugin developer cannot do much," said Kasturi. "Or it was infected by exploiting existing plugin vulnerabilities. To fix this, plugin developers can scan for vulnerabilities before releasing their plugins for public use."

Although these malicious plugins can be damaging, Kasturi adds that it's not too late to save a website that has a compromised plugin. Website owners can purge malicious plugins entirely from their websites and reinstall a malware free version that has been scanned for vulnerabilities. To give web developers an edge over this problem, the Cyber Forensics Innovation Laboratory has made the YODA code available to the public on GitHub.

Crime

Criminals Posting Counterfeit Microsoft Products To Get Access To Victims' Computers (sky.com) 23

Microsoft has confirmed to Sky News that criminals are posting counterfeit packages designed to appear like Office products in order to defraud people. From the report: One such package seen by Sky News is manufactured to a convincing standard and contains an engraved USB drive, alongside a product key. But the USB does not install Microsoft Office when plugged into a computer. Instead, it contains malicious software which encourages the victim to call a fake support line and hand over access to their PC to a remote attacker.

Microsoft launched an internal investigation into the suspect package after being contacted by Sky News. The company spokesperson confirmed that the USB and the packaging were counterfeit and that they had seen a pattern of such products being used to scam victims before. They added that while Microsoft had seen this type of fraud, it is very infrequent. More often when fraudulent products are sold they tend to be product keys sent to customers via email, with a link to a site for downloading the malicious software.

Security

Twilio Hackers Breached Over 130 Organizations During Months-Long Hacking Spree (techcrunch.com) 9

The hackers that breached Twilio earlier this month also compromised more than 130 other organizations during their hacking spree that netted the credentials of close to 10,000 employees. TechCrunch: Twilio's recent network intrusion allowed the hackers to access the data of 125 Twilio customers and companies -- including end-to-end encrypted messaging app Signal -- after tricking employees into handing over their corporate login credentials and two-factor codes from SMS phishing messages that purported to come from Twilio's IT department. At the time, TechCrunch learned of phishing pages impersonating other companies, including a U.S. internet company, an IT outsourcing company and a customer service provider, but the scale of the campaign remained unclear.

Now, cybersecurity company Group-IB says the attack on Twilio was part of a wider campaign by the hacking group it's calling "0ktapus," a reference to how the hackers predominantly target organizations that use Okta as a single sign-on provider. Group-IB, which launched an investigation after one of its customers was targeted by a linked phishing attack, said in findings shared with TechCrunch that the vast majority of the targeted companies are headquartered in the U.S. or have U.S.-based staff. The attackers have stolen at least 9,931 user credentials since March, according to Group-IB's findings, with more than half containing captured multi-factor authentication codes used to access a company's network.

Security

LastPass Hackers Stole Source Code (infosecurity-magazine.com) 46

New submitter alfabravoteam writes: Password management company LastPass has published information about a security incident. "We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information," reads the official message published.

They also clarify that no user data was lost. "We never store or have knowledge of your Master Password," the firm said in an FAQ. "We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers' Master Password," they inform. Hence, no action is required of users.

Programming

Heroku Announces Plans To Eliminate Free Plans, Blaming 'Fraud and Abuse' (techcrunch.com) 9

After offering them for over a decade, Heroku announced this week that it will eliminate all of its free services -- pushing users to paid plans. From a report: Starting November 28, the Salesforce-owned cloud platform as a service will stop providing free product plans and shut down free data services, and soon (on October 26) it will begin deleting inactive accounts and associated storage for accounts that have been inactive for over a year. In a blog post, Bob Wise, Heroku general manager and Salesforce EVP, blamed the demise of the free services on "abuse"; the affected services span the free plans for Heroku Dynos and Heroku Postgres as well as the free plan for Heroku Data for Redis.

[...] Wise went on to note that Heroku will be announcing a student program at Salesforce's upcoming Dreamforce conference in September, but the details remain a mystery at this point. For the uninitiated, Heroku allows programmers to build, run and scale apps across programming languages including Java, PHP, Scala and Go. Salesforce acquired the company for $212 million in 2010 and subsequently introduced support for Node.js and Clojure and Heroku for Facebook, a package to simplify the process of deploying Facebook apps on Heroku infrastructure. Heroku claims on its website that it's been used to develop 13 million apps to date.

Privacy

DuckDuckGo Opens Up Its Free Email Privacy Service To Everyone (engadget.com) 41

Last year, DuckDuckGo announced a free service designed to fend off email trackers and help people protect their privacy. The Email Protection beta was initially available through a waitlist. Now it's in open beta, meaning everyone can try it without having to wait for access. From a report: Email Protection is a forwarding service that removes trackers from messages. DuckDuckGo will tell you which trackers it scrubs as well. During the waitlist beta, DuckDuckGo says it found trackers in 85 percent of testers' emails. Anyone can now sign up for an @duck.com email address, which will work across desktop, iOS and Android. DuckDuckGo says you can create unlimited private email addresses, including a throwaway one for every website, if you prefer. You can also deactivate an address at any time.

Operating Systems

Google's Fuchsia OS is Taking Over Smart Displays, Now on Its Second Device (arstechnica.com) 23

The kingdom of Google's third major operating system, Fuchsia, is growing a little wider today. ArsTechnica: 9to5Google reports Google completed the rollout of Fuchsia to the Google Nest Hub Max. Along with the original Nest Hub/Google Home Hub, that puts two of Google's three smart displays on the new OS, with the one holdout being the 2nd Gen Nest Hub. The Nest Hub Max is the first device running Fuchsia that Google is currently selling -- the Home Hub only got Fuchsia after it had been discontinued. The Google smart display user interface is written in Flutter, a Google programming language designed for portability, which runs on Android, iOS, Fuchsia, and the weird cast platform Nest Hubs typically use. So it's not right to describe the user interface as "similar" after the OS swap -- it's the exact same code because Flutter runs on nearly everything.

You are getting a slightly newer code version, though, and it comes with a Bluetooth menu. If you dive into the settings and hit "about device," you'll see a "Fuchsia Version" field that will say something like "6.20211109.1.3166243." It's a bit weird to do an entire OS switch to the futuristic, secretive Fuchsia project and then have basically nothing to show (or say) for it in terms of obvious improvements in performance or security. You can dive into the minutia of the Fuchsia source code, but it continues to be a mystery in terms of what practical benefits it offers consumers. Google never talks about Fuchsia, so not much is known about what, exactly, Google is accomplishing here.

Operating Systems

Linux 6.1 Will Make It A Bit Easier To Help Spot Faulty CPUs (phoronix.com) 16

An anonymous reader shares a report: While mostly of benefit to server administrators with large fleets of hardware, Linux 6.1 aims to make it easier to spot problematic CPUs/cores by reporting the likely socket and core when a segmentation fault occurs, which can help in spotting trends if the same CPU/core is routinely found to be causing problems. Queued up now in TIP's x86/cpu branch for the Linux 6.1 merge window in October is a patch to print the likely CPU at segmentation fault time. Printing the likely CPU core and socket when a seg fault occurs can be beneficial if seg faults are routinely found to happen on the same CPU package or particular core.

Security

Websites Can Identify If You're Using iPhone's New 'Lockdown' Mode (vice.com) 55

Lockdown Mode disables a series of features that can be used to hack iPhone users. But the lack of these features also makes it easier to figure out who is using Lockdown Mode. From a report: Once Apple launches the new iPhone and iPad operating system early next month, users will be able to turn on a new privacy mode that the company calls "extreme." It's made for journalists, activists, politicians, human rights defenders, and anyone else who may be worried about getting targeted by sophisticated hackers, perhaps working for governments armed with spyware made by companies such as NSO Group. Apple calls it "Lockdown Mode" and it works by disabling some regular iPhone features that have been exploited to hack users in the past. But if users turn on Lockdown Mode, they will be easy to fingerprint and identify, according to a developer who created a proof of concept website that detects whether you have Lockdown Mode enabled or not.

John Ozbay, the CEO of privacy-focused company Cryptee, and a privacy activist, told Motherboard that any website or online ad can detect whether some regular features are missing, such as loading custom fonts, one of the features that Lockdown Mode disables. "Let's say you're in China, and you're using Lockdown Mode. Now, any website that you visit could effectively detect you are using Lockdown Mode, they have your IP address as well. So they will actually be able to identify that the user with this IP address is using Lockdown Mode," Ozbay said in a call. "It's a tradeoff between security and privacy. [Apple] chose security."

The Almighty Buck

Hackers Are Breaking Into and Emptying Cash App Accounts (vice.com) 39

An anonymous reader quotes a report from Motherboard: Hackers are breaking into unsuspecting victims' accounts on Cash App, a massively popular payment app, and stealing hundreds of dollars, according to victims Motherboard spoke to. In one person's case, they said, Cash App has not reimbursed them for the stolen funds. "It's scary!" Liz Shelby, who said their son was a victim of the hacking, told Motherboard in an online chat. "My son saved up some cash for a small vacation with his grandma. We put it in his Cash App before he left. He called me on Aug. 9, and told me that his money was gone." Shelby said that after she looked at the account she found that someone else had logged into it and sent themselves the money. Shelby said she's been emailing Cash App support, without success. Marvis Herring, another target, told Motherboard that hackers attempted to steal $1,400, in the form of two installments of $700. In those cases, Herring believes his bank blocked the fraudulent transactions.

Motherboard saw many other people reporting on social media that their Cash App accounts had been compromised in some way. "The main thing I thought was weird is that I went to change my account password and there really isn't a password for Cash App accounts," Herring added. When users sign up to Cash App, they can use either an email address or a phone number to open an account. After doing so, they receive a login code sent to either of those. On fraud websites, dark web marketplaces, and social media, multiple people appear to be selling login details associated with Cash App accounts. Some of these people's listings specify that the logs contain the email address and password for a linked email account. Some of the listings may be scams, but those on the dark web marketplaces come from fraudsters who have received positive feedback from alleged customers, according to the review system that is common on such sites. One listing for hacked Cash App accounts said the vendor has sold that specific item multiple times.

Fraudsters also appear to be offering Cash App accounts for another purpose: laundering money. Motherboard found multiple listings on a dark web marketplace offering these newly created and verified accounts. Cash App requires users to verify their identity to use some features, and this can require them to provide their Social Security Number to the platform. These already verified accounts will allow fraudsters to buy Bitcoin through the Cash App without having to verify their identity, the listing suggests. [...] On its website, Cash App encourages users to make sure their linked email address has two-factor authentication enabled. The app also has an extra feature called Security Lock, which means that each transfer requires the user to enter a PIN.

"Preventing fraud is critically important to Cash App. We continue to invest in and bolster fraud-fighting resources by both increasing staffing and adopting new technology. We are constantly improving systems and controls to help prevent, detect, and report bad activity on the platform," a Cash App spokesperson told Motherboard in a statement. "For those who believe they have fallen victim to an identity-theft or account take-over scams, we encourage them to reach out to Cash App Support where we will review the account in question. If deemed fraudulent, we will take the necessary action starting with account closure and disablement of all applicable products."

Security

Experts Warn of Widespread Exploitation Involving Hikvision Cameras (therecord.media) 12

Both government and criminal hacking groups are still targeting Hikvision cameras with a vulnerability from 2021, according to reports from several security researchers. From a report: Cybersecurity firm CYFIRMA released a report this week saying Russian cybercriminal forums are awash with hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability CVE-2021-36260. "Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale," the company's researchers said. "These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization's environment." CYFIRMA reported it found that more than 80,000 Hikvision cameras are still vulnerable to the critical command injection flaw, which carries a CVSS score of 9.8 out of 10. Those more than 80,000 vulnerable cameras are spread across more than 100 nations and 2,300 organizations.

Businesses

Bay Area Startup Wants To Make Call Center Workers Sound 'White and American' (sfgate.com) 174

An anonymous reader shares a report: Silicon Valley startup Sanas has a lofty goal: to make call center workers sound white and American, no matter the country they're from. And that's just the beginning of their grand plan. The voice tech company's website features a photo of a smiling man, cropped so you only see a disembodied, toothy grin. Underneath the anonymous mouth, a demo invites you to "Hear the Magic" of Sanas. As you press play, you hear one side of a simulated conversation; a man with an Indian accent reads a familiarly tortured call center script about a missing package. Click the "With Sanas" slider, and the voice transforms instantly into something slightly robotic, a tad uncanny and unmistakably white. Since its August 2021 launch, Sanas has been showered with funding by investors. Amid a trying time for the tech industry, the "accent translation" company -- founded by three former Stanford students, Maxim Serebryakov, Shawn Zhang and Andres Perez Soderi -- snagged a $32 million Series A funding round in June 2022, which they claim is the largest ever for a speech technology service. One press release boasts that investors who tried the service called it "magical."

Eventually, the company wants to expand beyond call centers by changing accents on consumer video and audio calls; Sanas has even mentioned an interest in film and TV. New voices are in the works, too: Someday, workers' accents may be "translated" into a Southern drawl for a caller in Louisville, or a Midwestern lilt for someone in Cleveland, instead of the more generic Standard American English, colloquially known as white person voice. "We don't want to say that accents are a problem because you have one," Sanas president Marty Sarim told SFGATE. "They're only a problem because they cause bias and they cause misunderstandings." The tacit promise of Sanas seems to be that callers will be more polite -- and more amenable to being helped -- if they think the person on the other end is more like them.

Apple

Apple's Repair Program Creates 'Excruciating Gauntlet of Hurdles', iFixit Says (theverge.com) 63

On Monday, Apple expanded its DIY repair program to include MacBook Air and MacBook Pro laptops equipped with M1 chips (including the Pro and Max). At least, in theory. The repairability experts at iFixit, who regularly dissect Apple's gadgets, have taken a look at the new program, and their outlook is...mixed. iFixit's Sam Goldheart writes that the new MacBook Pro guides "threw us for a loop." The issue: the documentation "makes MacBook Pros seem less repairable" than they have been in the past. From a report: The repair manual for replacing the 14-inch MacBook Pro's battery, for example, is a whole 162 pages long. (One of the first steps, of course, is "Read the entire manual first.") The reason the guide is so long, it turns out, is that replacing these batteries isn't just a matter of popping the battery out. A user needs to replace the entire top case and keyboard in order to replace the battery. Needless to say, it is unusual for a laptop battery replacement to require a full-computer teardown.

And then, as Goldheart points out, there's the matter of the money. The "top case with battery" part that you'll need to purchase for the 2020 and 2021 MacBook Pro models is not cheap -- after rooting around Apple's store, Verge editor Sean Hollister found that you can expect to pay well upwards of $400 for the top case with battery after the repair credit. "Apple is presenting DIY repairers with an excruciating gauntlet of hurdles: read 162 pages of documentation without getting intimidated and decide to do the repair anyway, pay an exorbitant amount of money for an overkill replacement part, decide whether you want to drop another 50 bucks on the tools they recommend, and do the repair yourself within 14 days, including completing the System Configuration to pair your part with your device," Goldheart writes in summary. "Which makes us wonder, does Apple even want better repairability?"

IT

Ethereum Foundation Confirms September Dates for the Merge (theblock.co) 33

Ethereum's developers have officially confirmed September 6 as the date for Ethereum's long-anticipated transition from proof of work to proof of stake, known as The Merge. From a report: "Following years of hard work, Ethereum's proof-of-stake upgrade is finally here!" the Ethereum Foundation wrote in a blog post on Wednesday. "The successful upgrade of all public testnets is now complete, and The Merge has been scheduled for the Ethereum mainnet." The Merge will be split into two upgrades, called Bellatrix and Paris. Bellatrix is timed to occur at 11:34 AM UTC on September 6 and Paris will be triggered sometime between September 10 and September 20, according to the blog post. Proof of stake relies on validators instead of miners. Instead of expending lots of computing power, like proof-of-work miners do, proof-of-stake validators lock up sums of money to prove their trustworthiness to the network. The switch has been a long-held goal for Ethereum's developers. In the final testing step, the Goerli testnet successfully merged on August 10.

Privacy

Plex Breach Exposes Usernames, Emails and Encrypted Passwords (theverge.com) 43

Streaming media platform Plex sent out an email to its customers earlier today notifying them of a security breach that may have compromised account information, including usernames, email addresses, and passwords. Although there is no sign that the encrypted passwords were exposed, Plex nevertheless is advising all users to change their passwords immediately. From a report: Plex is one of the largest media server apps available, used by around 20 million people to stream video, audio, and photos they upload themselves in addition to an increasing variety of content the service provides to paid subscribers. The email states, "yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords." There is no confirmation that other personal account information has been compromised, and there's no mention of private media libraries (which may or may not include pirated content, private nudes, and other sensitive content) having been accessed in the breach.

Privacy

Streaming Service Crunchyroll Blocks Privacy-Focused Email Tutanota Because 'Hackers Use It' (itsfoss.com) 43

The end-to-end encrypted email service Tutanota says it is receiving reports that Crunchyroll is not allowing the use of its email addresses when signing up for the service. After contacting the Crunchyroll team to request that its domains be unblocked, Tutanota received the following response: "The ban of your domains is because we encountered a lot of hackers that used your domains emails to hack our accounts." From a report: In other words, Crunchyroll believes that many hackers used Tutanota domain emails to hack their accounts, which is why they banned Tutanota from their list. Moreover, they recommend that users use email accounts powered by "Big Tech" companies for hassle-free sign up to their services. This is not entirely a new phenomenon, notes It's FOSS. "DeviantArt actively blocked Proton Mail in the past because spammers used the platform to create accounts. Now, they have unblocked them."

Tutanota recently called out Microsoft for blocking Tutanota users from registering an account with its cloud-based collaboration platform, Teams.

Microsoft

Microsoft Might Finally Simplify Its Windows 11 Update Names (theverge.com) 21

Microsoft could be preparing to name its next big OS update the "Windows 11 2022 Update." A report adds: References to this naming have appeared in near-final versions of the next big Windows 11 release, currently named 22H2. Twitter user XenoPanther spotted the Windows 11 2022 Update naming in the Get Started app that appears when you set up a new PC. The naming could simply be a placeholder, or it could indicate Microsoft is finally simplifying its often confusing update names for Windows. We've seen a variety of names over the years, including the Creators Update naming for a big Windows 10 update, more mundane naming like the Windows 10 May 2021 Update, and more recently, the Windows 10 21H2 moniker. Microsoft had considered naming its updates after animals or people but transitioned to the safer monthly naming instead of point releases like Apple does with iOS, iPadOS, watchOS, and many other software updates. A move to just the yearly naming for Windows 11 updates would make sense if Microsoft is planning fewer big drops of features.

Security

Microsoft Finds Critical Hole In ChromeOS (theregister.com) 31

joshuark writes: Microsoft has found a bug in ChromeOS and given it a high vulnerability score of 9.8 out of 10. The bug was promptly fixed and, about a month later, merged in ChromeOS code then released on June 15, 2022. This is a reversal in that Google usually finds security bugs in software from Microsoft and other vendors after typically 90 days -- even if a patch had not been released -- in the interest of forcing companies to respond to security flaws more quickly. [...] The ChromeOS memory corruption vulnerability -- CVE-2022-2587 -- was particularly severe. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explains in his post, the problem follows from the use of D-Bus, an Inter-Process-Communication (IPC) mechanism used in Linux. A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides a way to route audio to newly added peripherals like USB speakers and Bluetooth headsets. The service includes a function called SetPlayerIdentity, which accepts a string argument called identity as its input. And the function's C code calls out to strcpy in the standard library. Yes, strcpy, which is a dangerous function.
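The strcpy pattern described above, beside a bounded replacement, as an added illustration that is not the ChromiumOS audio server's own code: the struct layout, buffer size and function names are assumptions chosen to show why an unbounded copy of an IPC-supplied string is dangerous and what the checked form must do instead.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

#define IDENTITY_MAX 32   /* hypothetical fixed-size field; not the real cras value */

/* Simplified stand-in for per-player state. The 'playing' flag sits right
 * after the buffer, so an overrun of identity[] would clobber it. */
struct player_state {
    char identity[IDENTITY_MAX];
    int  playing;
};

/* Vulnerable pattern the article describes: an IPC-supplied string is copied
 * with strcpy, which stops only at the NUL byte, so a caller-chosen length
 * writes past the end of identity[]. */
void set_player_identity_unchecked(struct player_state *st, const char *identity)
{
    strcpy(st->identity, identity);
}

/* Hardened form: measure with strnlen (bounded), refuse anything that would
 * not fit together with its terminator, then copy a known byte count.
 * Returns 0 on success and -1 when the argument is rejected; on rejection
 * the stored identity is left untouched rather than silently truncated. */
int set_player_identity_checked(struct player_state *st, const char *identity)
{
    if (st == NULL || identity == NULL)
        return -1;
    size_t len = strnlen(identity, IDENTITY_MAX);
    if (len >= IDENTITY_MAX)
        return -1;
    memcpy(st->identity, identity, len);
    st->identity[len] = '\0';
    return 0;
}

/* Feed the checked setter a constructed identity of n 'A' bytes (capped at
 * 127), report the setter's result and the neighbouring field afterwards. */
static int run_checked(size_t n, int *playing_after)
{
    char buf[128];
    struct player_state st = { {0}, 1 };
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int rc = set_player_identity_checked(&st, buf);
    if (playing_after != NULL)
        *playing_after = st.playing;
    return rc;
}

/* 0 for n < IDENTITY_MAX, otherwise -1. */
int checked_result_for_length(size_t n)
{
    return run_checked(n, NULL);
}

/* Value of 'playing' after the checked call: starts as 1 and must stay 1. */
int playing_after_checked(size_t n)
{
    int playing = 0;
    (void)run_checked(n, &playing);
    return playing;
}

int main(void)
{
    printf("13-byte identity:  rc=%d\n", checked_result_for_length(13));
    printf("31-byte identity:  rc=%d\n", checked_result_for_length(31));
    printf("32-byte identity:  rc=%d, playing=%d\n",
           checked_result_for_length(32), playing_after_checked(32));
    printf("100-byte identity: rc=%d, playing=%d\n",
           checked_result_for_length(100), playing_after_checked(100));
    /* The unchecked variant is only given a short string here: with the
     * 100-byte input above it would overrun identity[] (undefined behaviour). */
    struct player_state st = { {0}, 1 };
    set_player_identity_unchecked(&st, "short-name");
    printf("unchecked copy of a short name: %s\n", st.identity);
    return 0;
}
```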

Security

Hackers Used Deepfake of Binance CCO To Perform Exchange Listing Scams (bitcoin.com) 12

A group of hackers managed to impersonate Binance chief communications officer (CCO) Patrick Hillmann in a series of video calls with several representatives of cryptocurrency projects. The attackers used what Hillmann described as an AI hologram, a deepfake of his image, for this objective, and managed to fool some representatives of these projects, making them think Hillmann was helping them get listed on the exchange. From a report: Hackers and scammers are refining their methods by including more technological tools in their schemes. Binance chief communications officer (CCO), Patrick Hillmann, reported last week about a new and sophisticated way in which attackers have used his image to perform a listing scam operation. Hillmann stated that hackers managed to program an AI (artificial intelligence) hologram of him, a kind of deepfake that was used to scam representatives of several cryptocurrency projects in Zoom calls. The hologram was able to fool these projects into believing that they were being considered for listing on Binance and that Hillmann was part of this operation. The listing scheme was discovered when these members contacted Hillmann to thank him for his help in the alleged listing opportunities. However, he had no knowledge of these meetings because he is not part of the listing process at Binance.

Encryption

Hyundai Uses Example Keys For Encryption System (schneier.com) 107

"Hyundai predictably fails in attempting to secure their car infotainment system with a default key lifted from programming examples," writes Slashdot reader sinij. "This level of security is unfortunately expected from auto manufacturers, who also would like to sell you always-connected Car2Car self-driving automobiles." Cryptographer and security expert Bruce Schneier writes: "Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF]," writes an unidentified developer under the name "greenluigi1." Luck held out, in a way. "Greenluigi1" found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like "RSA Encryption & Decryption Example with OpenSSL in C." Two questions remain:
1) How did the test key get left behind?
2) Was it by accident or design?
