Read Time: 7 minutes

Howdy friends!

Back on the West Coast for me this week, writing this from SF again. It felt like I showed back up at Moscone Center, and all my friends were just gone. I was going to try and sneak down to San Diego and LA since I’m a big Yankees fan, and they’re in SoCal this week, but no such luck due to some personal family commitments.

Summer is about to punch us in the face back in Texas, so we’re already getting all of our water plans in place because you can’t survive outside for the next few months without being underwater. Catch me at the pool or on a boat or not at all.

ICYMI

🖊️ Something I wrote: My thread on the CISA official speaking out about telecom weaknesses being abused to track U.S. citizens

🎧️ Something I heard: You all love when I share songs I’m listening to - This one spoke to me on shuffle this week as almost all of my grandparents are from Brooklyn.

🎤 Something I said: My breakdown of the Telegram vs. Signal debate raging recently

🔖 Something I read: This thread on Reddit talking about if it is outdated advice that public wifi is super scary and dangerous.

Vulnerable News

How the new Microsoft Recall feature fundamentally undermines Windows security

Alright, this one caused some controversy this week. I’m sensing a theme at this phase in the AI race where we’ll constantly be having the debate between cool new tool that boosts productivity and AI privacy and security nightmare.

Microsoft's fresh Copilot+ PCs feature, called Recall, which is a carbon copy of an AI tool called rewind.ai (rebranded as limitless.ai). Basically, it keeps a constant log of your screen—every move you make, every word you type is recorded and made searchable. Handy for retracing steps, sure, but it also means if a hacker gets in, they've hit the jackpot. While the data stays on your device, and there are some built-in privacy guards, if malware gets through, it could swipe months of your digital life. Cool tech, but potentially a huge security headache. (read more)

On Fire Drills and Phishing Tests

I’ve been a long time critic of phishing tests. Security has a street cred problem already at most orgs as the “department of no” and making a staple of your relationship with your users trying to trick them with a lie isn’t winning any favors. There are better and worse ways to do this with opt-in, gamification, and not using hot buttons like messing with people’s emotions around their money, but overall this practice is just lying to your users.

Google's pushing a big rethink on how we handle phishing tests, sort of like how fire drills evolved from risky surprises to structured safety practices. Instead of springing fake phishing emails on folks to see if they bite, Google suggests a more upfront approach—kind of like a practice run. They want to train folks to spot and report dodgy emails effectively, without the gotcha moment. It's all about making the whole process less about catching people out and more about building real skills. They're big on using this to not only boost security smarts but also to cut down on the false alarms that bog down security teams. (read more)

Hacker Breaches Scam Call Center, Warns Victims They've Been Scammed

A hacker infiltrated a scam call center, swiped their code, and shot a heads-up email to the folks who got duped, warning them they’d been scammed. This scoop comes from 404 Media, which reports that this call center, known as Waredot, was peddling bogus antivirus software at sky-high prices, mainly targeting those not too savvy with tech.

The scam was so blatant that a YouTuber even got footage of the scam in action from Waredot’s own CCTV. Despite an apparent raid on their office, the scammers were still at it, which got the hacker to expose their shady software and disrupt their operations further. Waredot hasn't responded to any of this buzz yet. (read more)

Teslas Can Still Be Stolen With a Cheap Radio Hack—Despite New Keyless Tech

The whole “Flipper Zero will steal your car” stuff is generally overblown due to protections from those kinds of attacks on all modern cars. Whelp, some researchers proved that might not be the case on Teslas.

This hack allows thieves to unlock and even start a Tesla, circumventing the car's security measures unless the owner activates the additional PIN-to-drive feature. The vulnerability exists because while Teslas use ultra-wideband tech, it’s not yet employed for securing against theft, highlighting a gap in expected vs. actual security efficacy. (read more)

Providers urge HHS to clarify Change data breach reporting requirements

Providers are urging the HHS to clarify if UnitedHealth can handle the breach notifications after Change Healthcare suffered a major cyberattack. They’re stressing this to prevent patients from getting multiple notifications about the same breach, which could confuse everyone involved. It's a big deal because Change, now under UnitedHealth, deals with a huge volume of claims and touches about a third of U.S. medical records.

Providers are stuck waiting for guidance on how to handle notifications without stepping on toes or duplicating efforts. They're really hoping for a clear directive from the authorities to streamline the process and ensure consistent communication to those affected. (read more)

Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea

Bitdefender Labs recently uncovered a stealthy cyber threat group dubbed, "Unfading Sea Haze," targeting strategic entities in the South China Sea region. The focus is on military and governmental targets, suggesting motives aligned with Chinese interests. This group isn't new to the game; their digital footprint goes back to 2018, using complex tools and tactics like advanced versions of Gh0st RAT and various .NET payloads for deep surveillance and data extraction. Their method involves spear-phishing to gain initial access, followed by exploiting weak credential hygiene and patch management to maintain presence and control over compromised systems. Their toolkit has evolved over the years, incorporating more modular and stealthy components to avoid detection. (read more)

UK to propose mandatory reporting for ransomware attacks and licensing regime for all payments

The UK is rolling out a plan to make it mandatory for companies to report ransomware attacks. Plus, they're thinking about setting up a licensing system for ransom payments, especially to clamp down on paying off attackers in critical sectors. This move aims to cut down the incentives for hitting these crucial services and shed some light on how widespread these ransomware troubles are.

There's a public consultation coming to flesh out these ideas. If it all goes through, we might not see these changes set in law until after the next general election. (read more)

CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack

Great writeup on a trojan that hit software that is used to record courtroom proceedings. Talk about a sensitive attack surface.

Justice AV Solutions (JAVS), known for its courtroom AV tech, got hit with a backdoor hack in their Viewer software, version 8.3.7. This sketchy version packed a secret file, fffmpeg.exe, that let hackers remotely control the system. Caught by Rapid7, this backdoor turned out to be part of the nasty GateDoor/Rustdoor malware family, which is no stranger to wreaking havoc. If you've got this version, you gotta wipe your system clean and reset all your passwords before jumping to the latest software version. (read more)

Conservative cell carrier Patriot Mobile hit by data breach

When political hot button firms get compromised, you have to wonder the motive of the threat actor. Was this one to disrupt this, admittedly tiny, cell carrier? Or were they trying to get info on a particular voter group to use for other purposes?

Patriot Mobile, a conservative U.S. cell carrier, recently suffered a data breach exposing customer details like names, emails, ZIP codes, and account PINs. This MVNO uses AT&T and T-Mobile's networks and is known for supporting conservative and Christian causes. TechCrunch confirmed the breach through a data sample provided by the hacker, finding overlaps with exposed data on Patriot Mobile’s own website. (read more)

GitHub warns of SAML auth bypass flaw in Enterprise Server

GitHub just fixed a major vulnerability in their Enterprise Server, CVE-2024-4985, a full 10.0 on the CVSS scale. This bug, specifically in setups using SAML SSO with encrypted assertions, allowed bad actors to fake a SAML response to gain admin access without needing a password. Basically, anyone could waltz in and take control. The patches rolled out across several versions, so if you're on this setup, updating should be your next move. (read more)

Spyware found on US hotel check-in computers

Here’s a fun one. Some hotel check-in systems, specifically at some Wyndham hotels, got hit by a nasty piece of spyware. This app, pcTattletale, was sneakily snapping screenshots of guest details and leaking them online due to a flaw. The spyware's leak lets anyone grab these screenshots directly from its servers. The real kicker? No one knows who installed the spyware or why. TechCrunch reached out but got radio silence from the hotels and the spyware company. (read more)

Microsoft to start killing off VBScript in second half of 2024

VBScript is dead. Long live VBScript.

That’s right, Microsoft's finally phasing out VBScript. It'll be a gradual goodbye, starting with turning it into an optional add-on in the second half of 2024. They're moving towards more robust languages like JavaScript and PowerShell, which are just better suited for today's web and automation needs. This change means tighter security and less clutter from outdated tech. If you're still hanging onto VBScript for old times' sake, you'll have to manually add it back in future updates. (read more)

Miscellaneous mattjay

mattjayy

View more on Instagram

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay