Red Hat Security Advisory 2024-4352-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Issues addressed include double free, memory leak, null pointer, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4352.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security and bug fix update  
Advisory ID:        RHSA-2024:4352-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4352  
Issue date:         2024-07-08  
Revision:           03  
CVE Names:          CVE-2020-26555  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[Updated 03 July 2024]

The text of this advisory has been updated with the correct product name (Red  
Hat Enterprise Linux 8) in the Topics section. In the Problem Description  
section, CVEs of the same sub-components have been grouped together. The  
packages included in this revised update have not been changed in any way from  
the packages included in the original advisory.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: tls (CVE-2024-26585,CVE-2024-26584, CVE-2024-26583

* kernel-rt: kernel: PCI interrupt mapping cause oops [rhel-8] (CVE-2021-46909)

* kernel: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry (CVE-2021-47069)

* kernel: hwrng: core - Fix page fault dead lock on mmap-ed hwrng (CVE-2023-52615)

* kernel-rt: kernel: drm/amdgpu: use-after-free vulnerability (CVE-2024-26656)

* kernel: Bluetooth: Avoid potential use-after-free in hci_error_reset CVE-2024-26801)

* kernel: Squashfs: check the inode number is not the invalid value of zero  (CVE-2024-26982)

* kernel: netfilter: nf_tables: use timestamp to check for set element timeout (CVE-2024-27397)

* kernel: wifi: mac80211: (CVE-2024-35789, CVE-2024-35838, CVE-2024-35845)

* kernel: wifi: nl80211: reject iftype change with mesh ID change (CVE-2024-27410)

* kernel: perf/core: Bail out early if the request AUX area is out of bound (CVE-2023-52835)

* kernel:TCP-spoofed ghost ACKs and leak initial sequence number (CVE-2023-52881)

* kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)

* kernel: ovl: fix leaked dentry (CVE-2021-46972)

* kernel: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios (CVE-2021-47073)

* kernel: mm/damon/vaddr-test: memory leak in damon_do_test_apply_three_regions() (CVE-2023-52560)

* kernel: ppp_async: limit MRU to 64K (CVE-2024-26675)

* kernel: mm/swap: fix race when skipping swapcache (CVE-2024-26759)

* kernel: RDMA/mlx5: Fix fortify source warning while accessing Eth segment (CVE-2024-26907)

* kernel: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (CVE-2024-26906)

* kernel: net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804)

* kernel: net/usb: kalmia: avoid printing uninitialized value on error path (CVE-2023-52703)

* kernel: KVM: SVM: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs (CVE-2023-5090)

* kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c (CVE-2023-52464)

* kernel: ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: net/bnx2x: Prevent access to a freed page in page_pool (CVE-2024-26859)

* kernel: crypto: (CVE-2024-26974, CVE-2023-52813)

* kernel: can: (CVE-2023-52878, CVE-2021-47456)

* kernel: usb: (CVE-2023-52781, CVE-2023-52877)

* kernel: net/mlx5e: fix a potential double-free in fs_any_create_groups (CVE-2023-52667)

* kernel: usbnet: sanity check for maxpacket (CVE-2021-47495)

* kernel: gro: fix ownership transfer (CVE-2024-35890)

* kernel: erspan: make sure erspan_base_hdr is present in skb->head (CVE-2024-35888)

* kernel: tipc: fix kernel warning when sending SYN message (CVE-2023-52700)

* kernel: net/mlx5/mlxsw: (CVE-2024-35960, CVE-2024-36007, CVE-2024-35855)

* kernel: net/mlx5e: (CVE-2024-35959, CVE-2023-52626, CVE-2024-35835)

* kernel: mlxsw: (CVE-2024-35854, CVE-2024-35853, CVE-2024-35852)

* kernel: net: (CVE-2024-35958, CVE-2021-47311, CVE-2021-47236, CVE-2021-47310)

* kernel: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004)

* kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)

* kernel: udf: Fix NULL pointer dereference in udf_symlink function (CVE-2021-47353)

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-8.10.z kernel (JIRA:RHEL-40882)

* [rhel8.9][cxgb4]BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/54735 (JIRA:RHEL-8779)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-26555

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1918601  
https://bugzilla.redhat.com/show_bug.cgi?id=2248122  
https://bugzilla.redhat.com/show_bug.cgi?id=2258875  
https://bugzilla.redhat.com/show_bug.cgi?id=2265517  
https://bugzilla.redhat.com/show_bug.cgi?id=2265519  
https://bugzilla.redhat.com/show_bug.cgi?id=2265520  
https://bugzilla.redhat.com/show_bug.cgi?id=2265800  
https://bugzilla.redhat.com/show_bug.cgi?id=2266408  
https://bugzilla.redhat.com/show_bug.cgi?id=2266831  
https://bugzilla.redhat.com/show_bug.cgi?id=2267513  
https://bugzilla.redhat.com/show_bug.cgi?id=2267518  
https://bugzilla.redhat.com/show_bug.cgi?id=2267730  
https://bugzilla.redhat.com/show_bug.cgi?id=2270093  
https://bugzilla.redhat.com/show_bug.cgi?id=2271680  
https://bugzilla.redhat.com/show_bug.cgi?id=2272692  
https://bugzilla.redhat.com/show_bug.cgi?id=2272829  
https://bugzilla.redhat.com/show_bug.cgi?id=2273204  
https://bugzilla.redhat.com/show_bug.cgi?id=2273278  
https://bugzilla.redhat.com/show_bug.cgi?id=2273423  
https://bugzilla.redhat.com/show_bug.cgi?id=2273429  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2275633  
https://bugzilla.redhat.com/show_bug.cgi?id=2275635  
https://bugzilla.redhat.com/show_bug.cgi?id=2275733  
https://bugzilla.redhat.com/show_bug.cgi?id=2278337  
https://bugzilla.redhat.com/show_bug.cgi?id=2278354  
https://bugzilla.redhat.com/show_bug.cgi?id=2280434  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281113  
https://bugzilla.redhat.com/show_bug.cgi?id=2281157  
https://bugzilla.redhat.com/show_bug.cgi?id=2281165  
https://bugzilla.redhat.com/show_bug.cgi?id=2281251  
https://bugzilla.redhat.com/show_bug.cgi?id=2281253  
https://bugzilla.redhat.com/show_bug.cgi?id=2281255  
https://bugzilla.redhat.com/show_bug.cgi?id=2281257  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2281350  
https://bugzilla.redhat.com/show_bug.cgi?id=2281689  
https://bugzilla.redhat.com/show_bug.cgi?id=2281693  
https://bugzilla.redhat.com/show_bug.cgi?id=2281920  
https://bugzilla.redhat.com/show_bug.cgi?id=2281923  
https://bugzilla.redhat.com/show_bug.cgi?id=2281925  
https://bugzilla.redhat.com/show_bug.cgi?id=2281953  
https://bugzilla.redhat.com/show_bug.cgi?id=2281986  
https://bugzilla.redhat.com/show_bug.cgi?id=2282394  
https://bugzilla.redhat.com/show_bug.cgi?id=2282400  
https://bugzilla.redhat.com/show_bug.cgi?id=2282471  
https://bugzilla.redhat.com/show_bug.cgi?id=2282472  
https://bugzilla.redhat.com/show_bug.cgi?id=2282581  
https://bugzilla.redhat.com/show_bug.cgi?id=2282609  
https://bugzilla.redhat.com/show_bug.cgi?id=2282612  
https://bugzilla.redhat.com/show_bug.cgi?id=2282653  
https://bugzilla.redhat.com/show_bug.cgi?id=2282680  
https://bugzilla.redhat.com/show_bug.cgi?id=2282698  
https://bugzilla.redhat.com/show_bug.cgi?id=2282712  
https://bugzilla.redhat.com/show_bug.cgi?id=2282735  
https://bugzilla.redhat.com/show_bug.cgi?id=2282902  
https://bugzilla.redhat.com/show_bug.cgi?id=2282920

Red Hat Security Advisory 2024-4352-03

Red Hat Security Advisory 2024-4211-03 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include double free, memory leak, null pointer, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4211.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2024:4211-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4211  
Issue date:         2024-07-02  
Revision:           03  
CVE Names:          CVE-2020-26555  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)

* kernel:TCP-spoofed ghost ACKs and leak leak initial sequence number (CVE-2023-52881,RHV-2024-1001)

* kernel: ovl: fix leaked dentry (CVE-2021-46972)

* kernel: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios (CVE-2021-47073)

* kernel: mm/damon/vaddr-test: memory leak in damon_do_test_apply_three_regions() (CVE-2023-52560)

* kernel: ppp_async: limit MRU to 64K (CVE-2024-26675)

* kernel: mm/swap: fix race when skipping swapcache (CVE-2024-26759)

* kernel: net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804)

* kernel: RDMA/mlx5: Fix fortify source warning while accessing Eth segment (CVE-2024-26907)

* kernel: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (CVE-2024-26906)

* kernel: powerpc/powernv: Add a null pointer check in opal_event_init() (CVE-2023-52686)

* kernel: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() (CVE-2023-52675)

* kernel: KVM: SVM: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs (CVE-2023-5090)

* kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c (CVE-2023-52464)

* kernel: ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: net/bnx2x: Prevent access to a freed page in page_pool (CVE-2024-26859)

* kernel: crypto: qat - resolve race condition during AER recovery (CVE-2024-26974)

* kernel: net/mlx5e: fix a potential double-free in fs_any_create_groups (CVE-2023-52667)

* kernel: net/mlx5: Properly link new fs rules into the tree (CVE-2024-35960)

* kernel: net/mlx5e: Fix mlx5e_priv_init() cleanup flow (CVE-2024-35959)

* kernel: net: ena: Fix incorrect descriptor free behavior (CVE-2024-35958)

* kernel: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004)

* kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)

* kernel: udf: Fix NULL pointer dereference in udf_symlink function (CVE-2021-47353)

* kernel: net: ti: fix UAF in tlan_remove_one (CVE-2021-47310)

Bug Fix(es):

* Kernel panic - kernel BUG at mm/slub.c:376! (JIRA:RHEL-29783)

* Temporary values in FIPS integrity test should be zeroized [rhel-8.10.z] (JIRA:RHEL-35361)

* RHEL8.6 - kernel: s390/cpum_cf: make crypto counters upward compatible (JIRA:RHEL-36048)

* [RHEL8] blktests block/024 failed (JIRA:RHEL-8130)

* RHEL8.9: EEH injections results  Error:  Power fault on Port 0 and other call traces(Everest/1050/Shiner) (JIRA:RHEL-14195)

* Latency spikes with Matrox G200 graphic cards (JIRA:RHEL-36172)

For more details about the security issue(s), including the impact,   
            a CVSS score, acknowledgments, and other related information, refer to the CVE page(s)  
            listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-26555

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1918601  
https://bugzilla.redhat.com/show_bug.cgi?id=2248122  
https://bugzilla.redhat.com/show_bug.cgi?id=2258875  
https://bugzilla.redhat.com/show_bug.cgi?id=2265517  
https://bugzilla.redhat.com/show_bug.cgi?id=2265519  
https://bugzilla.redhat.com/show_bug.cgi?id=2265520  
https://bugzilla.redhat.com/show_bug.cgi?id=2265800  
https://bugzilla.redhat.com/show_bug.cgi?id=2266408  
https://bugzilla.redhat.com/show_bug.cgi?id=2266831  
https://bugzilla.redhat.com/show_bug.cgi?id=2267513  
https://bugzilla.redhat.com/show_bug.cgi?id=2267518  
https://bugzilla.redhat.com/show_bug.cgi?id=2267730  
https://bugzilla.redhat.com/show_bug.cgi?id=2270093  
https://bugzilla.redhat.com/show_bug.cgi?id=2271680  
https://bugzilla.redhat.com/show_bug.cgi?id=2272692  
https://bugzilla.redhat.com/show_bug.cgi?id=2272829  
https://bugzilla.redhat.com/show_bug.cgi?id=2273204  
https://bugzilla.redhat.com/show_bug.cgi?id=2273278  
https://bugzilla.redhat.com/show_bug.cgi?id=2273423  
https://bugzilla.redhat.com/show_bug.cgi?id=2273429  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2275633  
https://bugzilla.redhat.com/show_bug.cgi?id=2275635  
https://bugzilla.redhat.com/show_bug.cgi?id=2275733  
https://bugzilla.redhat.com/show_bug.cgi?id=2278337  
https://bugzilla.redhat.com/show_bug.cgi?id=2278354  
https://bugzilla.redhat.com/show_bug.cgi?id=2280434  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281113  
https://bugzilla.redhat.com/show_bug.cgi?id=2281157  
https://bugzilla.redhat.com/show_bug.cgi?id=2281165  
https://bugzilla.redhat.com/show_bug.cgi?id=2281251  
https://bugzilla.redhat.com/show_bug.cgi?id=2281253  
https://bugzilla.redhat.com/show_bug.cgi?id=2281255  
https://bugzilla.redhat.com/show_bug.cgi?id=2281257  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2281311  
https://bugzilla.redhat.com/show_bug.cgi?id=2281334  
https://bugzilla.redhat.com/show_bug.cgi?id=2281346  
https://bugzilla.redhat.com/show_bug.cgi?id=2281350  
https://bugzilla.redhat.com/show_bug.cgi?id=2281689  
https://bugzilla.redhat.com/show_bug.cgi?id=2281693  
https://bugzilla.redhat.com/show_bug.cgi?id=2281920  
https://bugzilla.redhat.com/show_bug.cgi?id=2281923  
https://bugzilla.redhat.com/show_bug.cgi?id=2281925  
https://bugzilla.redhat.com/show_bug.cgi?id=2281953  
https://bugzilla.redhat.com/show_bug.cgi?id=2281986  
https://bugzilla.redhat.com/show_bug.cgi?id=2282394  
https://bugzilla.redhat.com/show_bug.cgi?id=2282400  
https://bugzilla.redhat.com/show_bug.cgi?id=2282471  
https://bugzilla.redhat.com/show_bug.cgi?id=2282472  
https://bugzilla.redhat.com/show_bug.cgi?id=2282581  
https://bugzilla.redhat.com/show_bug.cgi?id=2282609  
https://bugzilla.redhat.com/show_bug.cgi?id=2282612  
https://bugzilla.redhat.com/show_bug.cgi?id=2282653  
https://bugzilla.redhat.com/show_bug.cgi?id=2282680  
https://bugzilla.redhat.com/show_bug.cgi?id=2282698  
https://bugzilla.redhat.com/show_bug.cgi?id=2282712  
https://bugzilla.redhat.com/show_bug.cgi?id=2282735  
https://bugzilla.redhat.com/show_bug.cgi?id=2282902  
https://bugzilla.redhat.com/show_bug.cgi?id=2282920

Red Hat Security Advisory 2024-4211-03

Democratic leader Hakeem Jeffries has joined US intelligence officials in ignoring repeated inquiries about Israel’s “malign” efforts to covertly influence US voters.

Federal lawmakers in the US have dodged repeated inquiries over the past week about a covert operation ordered by the Israeli government to artificially boost support among Americans for its war in Gaza. At the same time, senior White House officials charged with advising President Joe Biden on matters of national security are claiming to have no knowledge of the operation—first disclosed publicly more than four months ago.

The operation, formally tied to the Israeli government by a New York Times reporter last week, kicked off in October 2023 following the surprise attack by Hamas in southern Israel. Researchers internationally began work to expose the campaign in February, identifying a flood of “suspicious accounts” on US-based social networking apps, most masquerading as Americans avowing support for the Israeli military response.

In addition to eroding support for the United Nations Relief and Works Agency, which provides assistance to 5.6 million Palestinian refugees, a chief aim of the Israeli operation, researchers say, was to sway the opinions of Black Americans. Per the Times—which cited four current and former Israeli officials in confirming their government had commissioned the campaign—its primary targets included the account of US congressman Hakeem Jeffries, the leader of the Democrats in the House, among others who are “Black and Democratic.”

Accounts tied to the operation—many of which, at the time of writing, remain active on X, despite being suspended on other platforms—promoted a Black Lives Matter hashtag and shared images of Martin Luther King Jr. alongside fabricated quotes. A website created for the operation included articles with titles such as “The leaders of the Civil Rights Movement and Their Support of Jewish People and Israel.”

Several examples of accounts used in the operation, many of which were created weeks prior to the Hamas attack on October 7 that killed an estimated 1,200 people, advertised themselves as “Christian.” One of the stolen identities used in the operation, first identified by a researcher in Qatar, was that of Kyle Jean-Baptiste, an up-and-coming Broadway star who died in 2015 after falling from a fire escape.

**Got a Tip?**

_If you have information about the work of the intelligence community or its congressional overseers, contact Dell Cameron at dell\_cameron@wired.com or via Signal at dell.3030._

Multiple inquiries placed with senior members of Jeffries’ staff, including his communications director, Andy Eichar, have gone unacknowledged for nearly a week. WIRED has attempted to resolve whether Jeffries ever received notification of the operation from US intelligence while Congress was in the midst of debating $14 billion in funding to supplement Israel’s war effort.

Israeli forces have killed more than 36,000 Palestinians since Hamas’ October 7 attack, according to Gaza health officials’ estimates, including dozens last Thursday at a United Nations school compound, where the Israeli military is accused of making “improper use” of a US-made bomb.

With the exception of the White House’s National Security Council, which on Thursday claimed to have no knowledge of the operation, and Senate Intelligence Committee chair Mark Warner, whose office told WIRED it planned to request a briefing on the matter, press inquiries concerning Israel’s attempts to secretly influence US opinion on the war have been met with a stonewall.

It is unclear whether Biden may have received a briefing on the operation that included information not shared with his own national security advisers. Said a spokesperson for the National Security Council: “We take all allegations of foreign malign influence seriously.”

The Office of the Director of National Intelligence, led by Avril Haines—formerly No. 2 at the CIA—declined to say whether US intelligence had any knowledge of the operation prior to the June 5 New York Times’ story. It would not reveal whether it issued any notifications to Jeffries or any other US officials targeted by Israel.

The ODNI maintains what it calls a “disclosure framework” for notifying victims of influence operations connected with US elections. It is unclear, however, whether the ODNI considers the operation election-related, despite national elections approaching and the deep political divide among US voters over Congress’ support for the Israeli war effort.

Haines has previously spoken publicly on how US intelligence responds to this scenario: “When relevant intelligence is collected concerning a foreign influence operation aimed at our election,” she said, a “notification framework” exists to ensure “appropriate notice is given to those who are being targeted so that they can take action.”

Multiple attempts to solicit comment over the past week from the House Intelligence Committee have likewise gone unacknowledged by representatives Mike Turner and Jim Himes, the committee’s chair and ranking member, respectively. It is unclear whether they are taking steps similar to their Senate counterparts to investigate the matter.

Many of the Israeli operation’s fake posts were found to have been generated using ChatGPT, the digital assistant software developed by OpenAI, which is being integrated into everything from Apple’s new iPhones to the next Microsoft Windows operating system. Notably, OpenAI’s CEO, Sam Altman, was recently appointed an adviser to the Homeland Security Department. According to the agency, his role is to advise the US government on how to “prevent and prepare for AI-related disruptions.”

Both OpenAI and social media giant Meta have publicly confirmed that the operation was launched by a Tel Aviv–based company called Stoic. Neither US company, however, has disclosed having any knowledge of Stoic being commissioned by the Israeli government.

Oft described as an Israeli “campaign marketing firm,” Stoic is reminiscent of Russia’s Internet Research Agency, which similarly used fake accounts registered on social media to promote the Kremlin’s interests, namely by working to influence the outcome of the 2016 US presidential election. OpenAI disclosed earlier this month that Stoic had similarly been tracked using fraudulent accounts in an effort to influence the outcome of India’s recent elections.

Meta and OpenAI have not responded to requests for comment.

A US intelligence assessment published in February that identified threats from foreign countries accused of launching malign influence operations against the US references Israel dozens of times; however, it strictly portrays the Middle East ally as the victim of such campaigns.

The annual assessment, published by the ODNI three days after Israel’s “multi-platform deception operation” was first revealed publicly by Marc Owen Jones—an assistant professor of Qatar University specializing in disinformation—speaks only broadly of the influence efforts of US rivals and contains few if any details about any specific operations. The report mentions, for instance, that the Chinese government “reportedly targeted” US politicians on TikTok using accounts run by a propaganda office ahead of the 2022 midterm elections.

The revelation of Israel’s involvement follows months of hearings in Washington concerning the impact of what US intelligence calls “malign foreign influence campaigns.” Much of the focus by lawmakers centered on allegations that China might potentially manipulate TikTok to sway public opinion in the US.

Jeffries, who is rumored to be the Democratic party’s next choice to become Speaker of the House, was among the 360 US representatives to support taking drastic steps in April that may soon lead to a ban on TikTok in US app stores.

Jeffries has joined other US leaders in extending an invitation to Israeli prime minister Benjamin Netanyahu to address Congress next month. A letter from Jeffries and Senate minority leader Mitch McConnell to the prime minister last week read: “To build on our enduring relationship and to highlight America's solidarity with Israel, we invite you to share the Israeli government's vision for defending democracy, combatting terror, and establishing a just and lasting peace in the region.”

_Update 1 pm ET, June 11, 2024: Added additional details about the Israeli influence campaign._

US Leaders Dodge Questions About Israel’s Influence Campaign

In response to recent public outcry, Recall is getting new security accouterments. Will that be enough to quell concerns?

Source: Photo 12 via Alamy Stock Photo

Microsoft is adding new security measures to assuage widely publicized concerns over its new "Recall" AI feature. Some, though, still aren't convinced the company went far enough.

It's now just eight days until Microsoft releases Recall, a new artificial intelligence (AI)-driven program that will periodically take, store, and analyze screenshots of Copilot+ PCs as they're being used day-to-day. Recall is supposed to act like a kind of memory bank, allowing users to instantly find and reference things they've come across recently: apps, websites, images, and documents.

From the outset, Recall has been criticized as a potential goldmine for personal data theft. The noise got loud enough that, on Friday, Microsoft announced three new security-oriented updates for it:

*   In a reversal of its initial stance, Microsoft will now ship Recall turned off by default.
    
*   Users will need to enroll in Windows Hello in order to enable it, and so-called "proof of presence" will be required to use its primary features.
    
*   Recall data will be encrypted, and only decrypted and accessible once a user authenticates via Windows Hello.
    

Though they may represent a step in the right direction, experts remain skeptical that these changes will be enough to protect users' most sensitive passwords, photos, personally identifying information (PII), and financial information from hackers.

**Risks in Recall: A Case Study**

Many security experts cringed when Recall was announced, but few more than Marc-André Moreau, CTO of Devolutions. He worried that Windows' newest toy would inevitably capture and store visible passwords from his company's software for managing remote connections. With such passwords in hand, hackers would be able to easily connect to and manipulate any victim PC.

"Looking at documentation for how Recall works," he recalls, "it literally said that it wouldn't make an effort of removing sensitive information, credentials, or PII — anything which you would want scraped out, it would just keep in local files."

Microsoft's logic, it seemed, was that because Recall screenshots were stored only on the user's machine, they would remain safe from remote access. "Microsoft has this new chip which makes it possible to do the processing locally, and they thought that everybody would be fine since the data isn't uploaded to the cloud," Moreau explains. "But you wouldn't install a keylogger on your machine just because the files are stored locally. Files can be grabbed by malware. So why would you enable Recall?"

To demonstrate the point, he performed a simple red team exercise. In his telling, "I didn't have to do much. I just set up an environment, used some tool that somebody made online to force-install it, and then I installed \[Devolutions'\] Remote Desktop Manager. I clicked 'view password,' then 'record,' and then I found the database. I opened it, and I could see the extracted password alongside the screenshot that includes the password."

> Here's Recall capturing temporarily visible passwords from Remote Desktop Manager in a test Azure VM. It's less effective that I would have thought, the search results are screenshots, and it's unclear how one can obtain the full OCR text it used for the match pic.twitter.com/RUiLs57bKz  
> — Marc-André Moreau (@awakecoding) June 3, 2024

Other researchers have also found simple ways of accessing sensitive data in Recall screenshots. One has already developed and released an open source tool to help speed up the job.

To try to protect his customers, Moreau next looked for a way to exclude his company's software from Recall by default. He came up short.

**Are Microsoft's New Updates Enough?**

Users will have more control over their data privacy now, thanks to Microsoft's turning off Recall by default.

Moreau is skeptical, though, that Windows Hello can be fully and properly integrated into Recall without delaying its preview release, which is mere days away. "I'm in software, things don't happen that fast," he says.

Dark Reading reached out to Microsoft for comment on how it will be able to marry Windows Hello and Recall in time for June 18. In response, Microsoft said in a statement: "As we shared in our May 3 blog, security is our top priority at Microsoft, in line with our ⁠Secure Future Initiative (SFI), and we are evaluating Recall through that lens. As we implement SFI across Microsoft, we may shift some feature release dates and will update our public roadmaps as this happens."

In the barely a month since that blog post, and Satya Nadella's letter "prioritizing security above all else," for some critics, Recall recalls other AI products that are getting rushed to market.

Ironically, AI could well solve these programs' most pressing security flaws. "I could upload a Recall screenshot to ChatGPT today and tell it to identify the data which looks sensitive, and it will be able to," Moreau notes. "They could have used their AI chip to help solve this \[data leakage\] but they didn't even try. They were too eager to ship."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Modifies 'Recall' AI Feature Amid Privacy, Security Failings

After weeks of withering criticism and exposed security flaws, Microsoft has vastly scaled back its ambitions for Recall, its AI-enabled silent recording feature, and added new privacy features.

When Microsoft named its new Windows feature Recall, the company intended the word to refer to a kind of perfect, AI-enabled memory for your device. Today, the other, unintended definition of “recall”—a company's admission that a product is too dangerous or defective to be left on the market in its current form—seems more appropriate.

On Friday, Microsoft announced that it would be making multiple dramatic changes to its rollout of its Recall feature, making it an opt-in feature in the Copilot+ compatible versions of Windows where it had previously been turned on by default, and introducing new security measures designed to better keep data encrypted and require authentication to access Recall's stored data.

“We are updating the set-up experience of Copilot+ PCs to give people a clearer choice to opt-in to saving snapshots using Recall,” reads a blog post from Pavan Davuluri, Microsoft's corporate vice president for Windows and devices. “If you don’t proactively choose to turn it on, it will be off by default.”

The changes come amid a mounting barrage of criticism from the security and privacy community, which has described Recall—which silently stores a screenshot of the user's activity every five seconds as fodder for AI analysis—as a gift to hackers: essentially unrequested, preinstalled spyware built into new Windows computers.

In the preview versions of Recall, that screenshot data, complete with the user's every bank login, password, and porn site visit would have been indefinitely collected on the user's machine by default. And though that highly sensitive data is stored locally on the user's machine and not uploaded to the cloud, cybersecurity experts have warned that it all remains accessible to any hacker who so much as gains a temporary foothold on a user's Recall-enabled device, giving them a long-term panopticon view of the victim's digital life.

"It makes your security very fragile,” as Dave Aitel, a former NSA hacker and founder of security firm Immunity, described it—more charitably than some others—to WIRED earlier this week. “Anyone who penetrates your computer for even a second can get your whole history. Which is not something people want.”

In addition to making Recall an opt-in feature, Microsoft’s Davuluri also writes that the company will make changes to better safeguard the data Recall collects and more closely police who can turn it on, requiring that users prove their identity via its Microsoft Hello authentication function any time they either enable Recall or access its data, which can require a PIN or biometric check of the user’s face or thumbprint. Davuluri says Recall’s data will remain encrypted in storage until the user authenticates.

All of that is a “great improvement,” says Jake Williams, another former NSA hacker who now serves as VP of R&D at the cybersecurity consultancy Hunter Strategy, where he says he's been asked by some of the firm's clients to test Recall's security before they add Microsoft devices that use it to their networks. But Williams still sees serious risks in Recall, even in its latest form.

Many users will turn on Recall, he points out, partly due to Microsoft’s high-profile marketing of the feature. And when they do, they’ll still face plenty of unresolved privacy problems, from domestic abusers that often demand partners give up their PINs to subpoenas or lawsuits that compel them to turn over their historical data. “Satya Nadella has been out there talking about how this is a game changer and the solution to all problems,” Williams says, referring to Microsoft's CEO. “If customers turn it on, there’s still a huge threat of legal discovery. I can’t imagine a corporate legal team that’s ready to accept the risk of all of a user’s actions being turned over in discovery.”

For Microsoft, the Recall rollback comes in the midst of an embarrassing string of cybersecurity incidents and breaches—including a leak of terabytes of its customers' data and a shocking penetration of government email accounts enabled by a cascading series of Microsoft security slipups—that have grown so problematic as to become a sticking point given its uniquely close relationship with the US government.

Those scandals have escalated to the degree that Microsoft's Nadella issued a memo just last month declaring that Microsoft would make security its first priority in any business decision. “If you’re faced with the trade-off between security and another priority, your answer is clear: **Do security**,” Nadella's memo read (emphasis his). “In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”

By all appearances, Microsoft's rollout of Recall—even after today's announcement—displays the opposite approach, and one that seems more in line with business as usual in Redmond: Announce a feature, get pummeled for its glaring security failures, then belatedly scramble to control the damage.

Microsoft Will Switch Off Recall by Default After Security Backlash

A security vulnerability in Ariane Allegro Hotel Check-In Kiosks exposed guest data and potentially compromised room access. However,…

A security vulnerability in Ariane Allegro Hotel Check-In Kiosks exposed guest data and potentially compromised room access. However, a patch has been developed and is now available to address this issue, enhancing the security of the system

Pentagrid, a Swiss cybersecurity firm, recently uncovered a vulnerability in Ariane Allegro Scenario Player, a widely used software program in hotel check-in kiosks. The vulnerability could allow someone to exit the kiosk’s intended use (kiosk mode) and access the underlying Windows Desktop OS. 

The software vendor, Ariane Systems, is a world leader in self-check-in and out solutions, serving 3,000 hotels and 500,000 rooms in over 25 countries. 

During a threat modelling workshop at a hospitality brand in Liechtenstein and Switzerland, Pentagrid’s Martin Schobert revealed that the app crashed in Kiosk mode after entering a single quote character into the guest search. 

The hotel brand uses this check-in terminal, likely a type Ariane Duo 6000 series, for smaller locations to facilitate room booking/check-in, initiate payment via a POS terminal, provision RFID transponders to open the booked hotel room, and print invoices.

Schobert found that guests/users have to search for room reservations by entering booking code or surname. If the name contains a single-quote, such as “O’YOLO,” the application hangs, the Windows OS prompts the user to wait or stop the task, and selecting stop terminates the kiosk mode application.

Screenshot: Pentagrid

When stopped, the Windows OS becomes accessible, which may have adverse consequences. such as allowing hotel network attacks, access to data stored on the terminal, including PII, reservations, and invoices, and RFID transponder allowing room keys to be created for other rooms. However, to exploit the flaw, the user must have physical access to the system, and the terminal must be in a self-service state, which hotels typically enable during specific times.

A CVE for the vulnerability is yet to be assigned whereas Kiosk Mode Bypass severity has been given as 6.3 (Medium). The vulnerability, discovered in March 2024, was promptly communicated to the vendor.

Ariane Systems clarified that these are “legacy systems,” in which the USB ports are disabled and “no PII or exploitable data can be retrieved from the kiosk.” Moreover, it believed the hotel must be using an outdated version of the software. However, Pentagrid asserted that the system’s design lets “the kiosk produces and keeps accessible invoice files.”  

Nevertheless, Ariane Systems confirmed the issue has been fixed. However, the exact version fixing the issue isn’t publicly known. Hackread suggests contacting the vendor directly for clarification and installing the latest version immediately to stay protected. 

John Bambenek, President of Cybersecurity and Threat Intelligence Consulting firm Bambenek Consulting commented on the issue emphasising the dangers of the potential access to victims’ rooms in domestic violence cases, theft of credit card data due to terminals doubling as POS devices.

_“_The biggest risk involves various domestic violence and stalking scenarios where unwanted guests could get keys to open a victim’s room. As these devices are also used as POS terminals to facilitate payments of hotel rooms, presumably the biggest risk there is stolen credit card information._“_

_“_The underlying issue seems to be that the specific terminals at this specific location had the vulnerability (albeit, a very simple one to find) and later versions did not. Kiosks tend to be “set and forget” devices which means operators may not know they need to be updated on a routine basis…or if they are updated at all,_“_ he added.

_“_These devices probably cannot be completely isolated from the main hotel network as part of the point is to issue keys and handle room management, however, the devices should be limited to sending only required machines and ports with everything else filtered,_“_ Bambenek advised.

1.  Vietnamese Group Hacks and Sells Bedroom Camera Footage
2.  Hotel reservation platform leaked data from online booking sites
3.  Vulnerability Exposed Ibis Budget Guest Room Codes to Hackers

Hotel Kiosks Vulnerability Exposed Guest Data, Room Access

A new discovery that the AI-enabled feature’s historical data can be accessed even by hackers without administrator privileges only contributes to the growing sense that the feature is a “dumpster fire.”

Microsoft's CEO Satya Nadella has hailed the company's new Recall feature, which stores a history of your computer desktop and makes it available to AI for analysis, as “photographic memory” for your PC. Within the cybersecurity community, meanwhile, the notion of a tool that silently takes a screenshot of your desktop every five seconds has been hailed as a hacker's dream come true and the worst product idea in recent memory.

Now, security researchers have pointed out that even the one remaining security safeguard meant to protect that feature from exploitation can be trivially defeated.

Since Recall was first announced last month, the cybersecurity world has pointed out that if a hacker can install malicious software to gain a foothold on a target machine with the feature enabled, they can quickly gain access to the user's entire history stored by the function. The only barrier, it seemed, to that high-resolution view of a victim's entire life at the keyboard was that accessing Recall's data required administrator privileges on a user's machine. That meant malware without that higher-level privilege would trigger a permission pop-up, allowing users to prevent access, and that malware would also likely be blocked by default from accessing the data on most corporate machines.

Then on Wednesday, James Forshaw, a researcher with Google's Project Zero vulnerability research team, published an update to a blog post pointing out that he had found methods for accessing Recall data _without_ administrator privileges—essentially stripping away even that last fig leaf of protection. “No admin required ;-)” the post concluded.

“Damn,” Forshaw added on Mastodon. “I really thought the Recall database security would at least be, you know, secure.”

Forshaw's blog post described two different techniques to bypass the administrator privilege requirement, both of which exploit ways of defeating a basic security function in Windows known as access control lists that determine which elements on a computer require which privileges to read and alter. One of Forshaw's methods exploits an exception to those control lists, temporarily impersonating a program on Windows machines called AIXHost.exe that can access even restricted databases. Another is even simpler: Forshaw points out that because the Recall data stored on a machine is considered to belong to the user, a hacker with the same privileges as the user could simply rewrite the access control lists on a target machine to grant themselves access to the full database.

That second, simpler bypass technique “is just mindblowing, to be honest,” says Alex Hagenah, a cybersecurity strategist and ethical hacker. Hagenah recently built a proof-of-concept hacker tool called TotalRecall designed to show that someone who gained access to a victim's machine with Recall could immediately siphon out all the user's history recorded by the feature. Hagenah's tool, however, still required that hackers find another way to gain administrator privileges through a so-called “privilege escalation” technique before his tool would work.

With Forshaw's technique, “you don’t need any privilege escalation, no pop-up, nothing,” says Hagenah. “This would make sense to implement in the tool for a bad guy.”

In fact, just an hour after speaking to WIRED about Forshaw's finding, Hagenah added the simpler of Forshaw's two techniques to his TotalRecall tool, then confirmed that the trick worked by accessing all the Recall history data stored on another user's machine for which he didn't have administrator access. “So simple and genius,” he wrote in a text to WIRED after testing the technique.

That confirmation removes one of the last arguments Recall's defenders have had against criticisms that the feature acts as, essentially, a piece of pre-installed spyware on a user's machine, ready to be exploited by any hacker who can gain a foothold on the device. “It makes your security very fragile, in the sense that anyone who penetrates your computer for even a second can get your whole history,” says Dave Aitel, the founder of the cybersecurity firm Immunity and a former NSA hacker. “Which is not something people want.”

For now, security researchers have been testing Recall in preview versions of the tool ahead of its expected launch later this month. Microsoft said it plans to integrate Recall on compatible Copilot+ PCs with the feature turned on by default. WIRED reached out to the company for comment on Forshaw's findings about Recall's security issues, but the company has yet to respond.

The revelation that hackers can exploit Recall without even using a separate privilege escalation technique only contributes further to the sense that the feature was rushed to market without a proper review from the company's cybersecurity team—despite the company's CEO Nadella proclaiming just last month that Microsoft would make security its first priority in every decision going forward. “You cannot convince me that Microsoft's security teams looked at this and said ‘that looks secure,’” says Jake Williams, a former NSA hacker and now the VP of R&D at the cybersecurity consultancy Hunter Strategy, where he says he's been asked by some of the firm's clients to test Recall's security before they add Microsoft devices that use it to their networks.

“As it stands now, it’s a security dumpster fire,” Williams says. “This is one of the scariest things I’ve ever seen from an enterprise security standpoint.”

Microsoft’s Recall Feature Is Even More Hackable Than You Thought

A data breach at Tech in Asia has exposed the personal information of 221,470 users. Learn more about…

A data breach at Tech in Asia has exposed the personal information of 221,470 users. Learn more about the hack attributed to IntelBroker and the ongoing response to secure user data.

A database owned by Tech in Asia, a prominent technology news outlet focusing on startups and technological innovations across Asia, has been compromised. The breach was announced by a hacker known by the pseudonym “Sanggiero,” linked to the infamous hacking collective, IntelBroker.

Screenshot from the hacker’s post on Breach Forums (Credit: Hackread.com)

Tech in Asia, which has received backing from Eduardo Saverin, the co-founder of Facebook, operates from bases in Singapore and Jakarta. The platform is a critical resource for news on technological advancements and entrepreneurial ventures in the region.

Details of the breach were disclosed late last night on several dark web forums, including the infamous cybercrime and data leak forum Breach Forums. Sanggiero claimed responsibility for the hack, stating that it occurred in June 2024 and impacted over 221,470 individuals.

As seen by Hackread.com, the leaked information includes user data such as the following:

*   **Roles**
*   **Full names**
*   **Display names**
*   **Email addresses**
*   **Date of registration.**

Hackread.com analysed the leaked data

As confirmed by Tech in Asia to Hackread.com in an exclusive statement, these records belong to its users. However, the good news is that no passwords were leaked. According to Sanggiero, the data was accessed by exploiting several critical vulnerabilities in Tech in Asia’s API and other bugs that allowed access to the internal services of the website.

> _“We confirm that the Tech in Asia Indonesia site was compromised, but the main Tech in Asia site remains secure. The situation has been contained. We apologise to users affected by this incident and will contact them with safety measures. Only email addresses and names were leaked; account passwords remain secure. We are taking further measures to ensure that our users’ data remains safe.”_
> 
> Tech in Asia

The motives behind the breach are obvious. Additionally, IntelBrokers has been known for targeting high-profile companies and top security agencies. Some of the group’s previous hacks include Europol, Home Depot, ICE, USCIS, HSBC and Barclays Bank.

This incident leaves a critical lesson for all companies: Cybersecurity isn’t a one-time setup but a continual process. As cyber threats become more complex and frequent, it’s vital that businesses consistently enhance security. Doing so not only protects sensitive data but also builds and maintains the trust of its users.

_Follow our dedicated cybersecurity news coverage for updates on this story and more._

1.  AT&T Confirms Data Breach Affecting 73 Million Users
2.  Massive Data Breach Exposes Info of 43 Million French Workers
3.  API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names
4.  American Express Cardholders Impacted by 3ed-Party Data Breach
5.  Dell Discloses Data Breach As Hacker Sells 49 Million Customer Data
6.  Ticketmaster Suffers Data Breach: 560M Users’ Info for Sale at $500K

Hackers Leak 221,470 Users’ Data in “Tech in Asia” News Outlet Breach

Windows Recall takes a screenshot every five seconds. Cybersecurity researchers say the system is simple to abuse—and one ethical hacker has already built a tool to show how easy it really is.

When Microsoft CEO Satya Nadella revealed the new Windows AI tool that can answer questions about your web browsing and laptop use, he said one of the “magical” things about it was that the data doesn’t leave your laptop; the Windows Recall system takes screenshots of your activity every five seconds and saves them on the device. But security experts say that data may not stay there for long.

Two weeks ahead of Recall’s launch on new Copilot+ PCs on June 18, security researchers have demonstrated how preview versions of the tool store the screenshots in an unencrypted database. The researchers say the data could easily be hoovered up by an attacker. And now, in a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity strategist and ethical hacker, has released a demo tool that can automatically extract and display everything Recall records on a laptop.

Dubbed TotalRecall—yes, after the 1990 sci-fi film—the tool can pull all the information that Recall saves into its main database on a Windows laptop. “The database is unencrypted. It’s all plain text,” Hagenah says.⁩ Since Microsoft revealed Recall in mid-May, security researchers have repeatedly compared it to spyware or stalkerware that can track everything you do on your device. “It’s a Trojan 2.0 really, built in,” Hagenah says, adding that he built TotalRecall—which he’s releasing on GitHub—in order to show what is possible and to encourage Microsoft to make changes before Recall fully launches.

The company unveiled Recall as part of a Surface laptop event last month. The tool continuously takes screenshots of whatever’s happening on your PC. Recall is intended to allow people to “retrieve” things you’ve done on your machine—whether it’s web pages you’ve visited or messages you’ve been sent—using natural language search queries. Microsoft’s description of the tool says Recall could be used to search for recipes you’ve looked at online but whose websites you’ve forgotten.

TotalRecall, Hagenah says, can automatically work out where the Recall database is on a laptop and then make a copy of the file, parsing all the data as it does so. While Microsoft’s new Copilot+ PCs aren’t out yet, it’s possible to use Recall by emulating a version of the devices. “It does everything automatically,” he says. The system can set a date range for extracting the data—for instance, pulling information from only one specific week or day. Pulling one day of screenshots from Recall, which stores its information in an SQLite database, took two seconds at most, Hagenah⁩ says.

Included in what the database captures are screenshots of whatever is on your desktop—a potential gold mine for criminal hackers or domestic abusers who may physically access their victim’s device. Images include captures of messages sent on encrypted messaging apps Signal and WhatsApp, and remain in the captures regardless of whether disappearing messages are turned on in the apps. There are records of websites visited and every bit of text displayed on the PC. Once TotalRecall has been deployed, it will generate a summary about the data; it is also possible to search for specific terms in the database.

Hagenah⁩ says an attacker could get a huge amount of information about their target, including insights into their emails, personal conversations, and any sensitive information that’s captured by Recall.

Hagenah’s work builds on findings from cybersecurity researcher Kevin Beaumont, who has detailed how much information Recall captures and how easy it can be to extract it. Beaumont also says he has built a website where a Recall database can be uploaded and instantly searched. He says he hasn’t released the site yet, to allow Microsoft time to potentially change the system. “InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade—now these can just be easily modified to support Recall,” Beaumont writes.

The criticisms come as hacks of Microsoft systems have led to various US government data breaches; Nadella has said security should be Microsoft’s “top priority.” Microsoft did not respond to WIRED’s request for comment about the security features of Recall by the time of publication.

Recall’s privacy pages say it is possible to disable saving screenshots (effectively turning Recall off), pause the system temporarily, filter applications where screenshots are taken, and delete what is gathered at any time. Recall runs on the laptop itself, storing data it captures on the device and not sending this information to Microsoft’s servers. Hagenah⁩ says this claim appears to be true, with no signs that data is sent to Microsoft.

Microsoft is, at least, aware of some of the possible privacy and security-related issues with Recall: Its help pages say the system does not perform any content moderation on what is contained in the images it saves. This means, Microsoft says in the guide, that it won’t “hide information such as passwords or financial account numbers.” Security researchers have already been able to extract passwords from Recall.

Recall’s main database is stored on the laptop’s system directory, and while it needs administrator rights to access, privilege escalation attacks have been around for years, making it theoretically possible for an attacker to gain initial access to a device remotely.

Hagenah⁩ says that in cases of employers with “bring your own devices” policies, there’s a risk of someone leaving with huge volumes of company data saved on their laptops. That’s a particular risk if they’re disgruntled or leave on bad terms, he says. The UK’s data protection regulator, the Information Commissioner’s Office, has asked Microsoft to provide more details about Recall and its privacy.

While Recall remains as a “preview” feature and, according to Microsoft’s small print, could change before it launches, Beaumont writes in his research that the company “should recall Recall and rework it to be the feature it deserves to be, delivered at a later date.” He adds: “They also need to review the internal decisionmaking that led to this situation, as this kind of thing should not happen.”

This Hacker Tool Extracts All the Data Collected by Windows’ New Recall AI

Data breach marketplace BreachForums has been seized by law enforcement agencies.

BreachForums—probably the largest dark web marketplace for stolen data to be leaked and sold—has been seized by law enforcement.

Now, both the regular and the TOR domain of BreachForums are plastered with a message telling visitors the site is now under control of the FBI.

The FBI said BreachForums and its predecessor Raidforums was:

> “…operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services.”

Raidforums ran from early 2015 until February 2022. The first iteration of BreachForums was then set up in March 2022 and ran until March 2023, when US law enforcement arrested the alleged operator, “Pompompurin”, in New York.

A new administrator then rose to the occasion and said they were working on a plan to get the forum through the problems caused by that arrest. But on March 21, 2023, the new administrator announced the decision to shut BreachForums down.

Another forum administrator going by the account name “Baphomet” then took over.

According to BleepingComputer, the FBI has also seized the site’s Telegram channel, with law enforcement sending messages to the channel on behalf of the forum’s operator “Baphomet”.

BreachForums was in use just last week for a big name breach when a cybercriminal put up for sale breached customer data taken from Dell between 2017-2024.

We’ll keep you posted on any new developments.

**Has your data been exposed?**

If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Tag

#dell