Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will—the latest in a plague of web bugs that’s affected a dozen carmakers.

When security researchers in the past found ways to hijack vehicles' internet-connected systems, their proof-of-concept demonstrations tended to show, thankfully, that hacking cars is hard. Exploits like the ones that hackers used to remotely take over a Chevrolet Impala in 2010 or a Jeep in 2015 took years of work to develop and required ingenious tricks: reverse engineering the obscure code in the cars’ telematics units, delivering malicious software to those systems via audio tones played over radio connections, or even putting a disc with a malware-laced music file into the car’s CD drive.

This summer, one small group of hackers demonstrated a technique to hack and track millions of vehicles that’s considerably easier—as easy as finding a simple bug in a website.

Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.

After the researchers alerted Kia to the problem in June, Kia appears to have fixed the vulnerability in its web portal, though it told WIRED at the time that it was still investigating the group’s findings and hasn’t responded to WIRED’s emails since then. But Kia’s patch is far from the end of the car industry’s web-based security problems, the researchers say. The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias' digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,” says Neiko “specters” Rivera, one of the researchers who both found the latest Kia vulnerability and worked with a larger group responsible for the previous collection of web-based car security issues revealed in January of last year.

“Over and over again, these one-off issues keep popping up,” says Sam Curry, another member of the car hacking group, who works as a security engineer for Web3 firm Yuga Labs but says he did this research independently. “It's been two years, there's been a lot of good work to fix this problem, but it still feels really broken.”

**Read a License Plate, Hack a Car**

Before they alerted Kia to its latest security vulnerability, the research group tested their web-based technique on a handful of Kias—rentals, friends’ cars, even cars on dealer lots—and found that it worked in every case. They also showed the technique to WIRED, demonstrating it on the 2020 Kia Soul of a security researcher introduced to them just minutes earlier in a parking lot in Denver, Colorado, as seen in the video above.

The group’s web-based Kia hacking technique doesn’t give a hacker access to driving systems like steering or brakes, nor does it overcome the so-called immobilizer that prevents a car from being driven away, even if its ignition is started. It could, however, have been combined with immobilizer-defeating techniques popular among car thieves or used to steal lower-end cars that don't have immobilizers—including some Kias.

Even in cases when it didn't allow outright theft of a car, the web flaw could have created significant opportunities for theft of a car's contents, harassment of drivers and passengers, and other privacy and safety concerns.

“If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car,” says Curry. “If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.” For Kias that come installed with a 360-degree camera, that camera, too, was accessible to hackers. Beyond allowing the hijacking of connected features in cars themselves, Curry says, the web portal flaw also allowed hackers to query a broad range of personal information about Kia customers—names, email addresses, phone numbers, home addresses, and even past driving routes in some cases—a potentially massive data leak.

The Kia hacking technique the group found works by exploiting a relatively simple flaw in the backend of Kia's web portal for customers and dealers, which is used to set up and manage access to its connected car features. When the researchers sent commands directly to the API of that website—the interface that allows users to interact with its underlying data—they say they found that there was nothing preventing them from accessing the privileges of a Kia dealer, such as assigning or reassigning control of the vehicles' features to any customer account they created. “It’s really simple. They weren't checking if a user is a dealer,” says Rivera. “And that's kind of a big issue.”

Kia's web portal allowed lookups of cars based on their vehicle identification number (VIN). But the hackers found they could quickly find a car's VIN after obtaining its license plate number using the website PlateToVin.com.

More broadly, Rivera adds, any dealer using the system seemed to have been trusted with a shocking amount of control over which vehicles' features were linked with any particular account. “Dealers have way too much power, even over vehicles that don’t touch their lot,” Rivera says.

**A Dozen Carmakers Websites, Millions of Hackable Cars**

Curry and Rivera, who worked with two other researchers to develop their hacking technique, reported their findings to Kia shortly after demonstrating them to WIRED in June, and the company responded to an inquiry from WIRED to note that it was investigating their findings. “We take this matter very seriously, and value our collaboration with security researchers,” a spokeperson wrote.

Shortly after the researchers reported the issue, Kia did make a change to its web portal API that appeared to block their technique, the researchers say. Then, in August, Kia told the researchers it had validated their findings but was still working on implementing a permanent fix for the problem. Kia hasn't updated the researchers since or responded to WIRED's questions. But after the standard 90-day window given to companies to fix security issues that researchers report, the hackers decided to go public with their findings—though they haven't released their Kia-hacking proof-of-concept application and don't plan to.

The Kia-hacking research group first began to assemble around the idea of probing carmakers' websites and APIs for vulnerabilities in late 2022. A few of them were staying with a friend on a college campus and messing around with the app for a mobile scooter company when they accidentally triggered all the company's scooters across the campus to honk and flash their lights for 15 minutes. At that point, the group “became super interested in trying more ways to make more things honk,” as Curry would write—including vehicles more significant than scooters. Soon after, Curry discovered that Rivera, who'd long been focused on car hacking and had previously worked at the carmaker Rivian, was already looking at web vulnerabilities in vehicle telematics.

In January 2023, they published the initial results of their work, an enormous collection of web vulnerabilities affecting Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, and Ferrari—all of which they had reported to the automakers. For at least half a dozen of those companies, the web bugs the group found offered at least some level of control of cars' connected features, they wrote, just as in their latest Kia hack. Others, they say, allowed unauthorized access to data or the companies' internal applications. Still others targeted fleet management software for emergency vehicles and could have even prevented those vehicles from starting, they believe—though they didn't have the means to safely test out that potentially dangerous trick.

In June of this year, Curry says, he discovered that Toyota appeared to still have a similar flaw in its web portal that, in combination with a leaked dealer credential he found online, would have allowed remote control of Toyota and Lexus vehicles' features like tracking, unlocking, honking, and ignition. He reported that vulnerability to Toyota and showed WIRED a confirmation email seeming to demonstrate that he'd been able to reassign himself control of a target Toyota's connected features over the web. Curry didn't film a video of that Toyota hacking technique before reporting it to Toyota, however, and the company quickly patched the bug he'd disclosed, even temporarily taking its web portal offline to prevent its exploitation.

“As a result of this investigation, Toyota promptly disabled the compromised credentials and is accelerating security enhancements of the portal, as well as temporarily disabling the portal until enhancements are complete,” a Toyota spokesperson wrote to WIRED in June.

**More Smart Features, More Dumb Bugs**

The extraordinary number of vulnerabilities in carmakers' websites that allow remote control of vehicles is a direct result of companies' push to appeal to consumers—particularly young ones—with smartphone-enabled features, says Stefan Savage, a professor of computer science at UC San Diego whose research team was the first to hack a car's steering and brakes over the internet in 2010. “Once you have these user features tied into the phone, this cloud-connected thing, you create all this attack surface you didn’t have to worry about before,” Savage says.

Still, he says, even he is surprised at the insecurity of all the web-based code that manages those features. “It’s a little disappointing that it’s as easy to exploit as it has been,” he says.

Rivera says he's observed firsthand in his time working in automotive cybersecurity that car companies often put more focus on “embedded” devices—digital components in non-traditional computing environments like cars—rather than web security, in part because updating those embedded devices can be far more difficult and lead to recalls. “It was clear ever since I started that there was a glaring gap between embedded security and web security in the auto industry,” Rivera says. “These two things mix together very often, but people only have experience in one or the other.”

UCSD's Savage hopes that the Kia-hacking researchers' work might help shift that focus. Many of the early, high-profile hacking experiments that affected cars' embedded systems, like the 2015 Jeep takeover and the 2010 Impala hack pulled off by Savage's team at UCSD, persuaded automakers that they needed to better prioritize embedded cybersecurity, he says. Now car companies need to focus on web security too—even, he says, if it means making sacrifices or changes to their process.

“How do you decide, ‘We’re not going to ship the car for six months because we didn’t go through the web code?’ That’s a a tough sell,” he says. “I would like to think this kind of event causes people to look at that decision more fully.”

Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug

Red Hat Security Advisory 2024-7103-03 - An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7103.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana-pcp security updateAdvisory ID:        RHSA-2024:7103-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7103Issue date:         2024-09-25Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards.Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7103-03

Red Hat Security Advisory 2024-7102-03 - An update for grafana is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7102.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: grafana security updateAdvisory ID:        RHSA-2024:7102-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7102Issue date:         2024-09-25Revision:           03CVE Names:          CVE-2024-34156====================================================================Summary: An update for grafana is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fix(es):* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-34156References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2310528

Red Hat Security Advisory 2024-7102-03

Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro.
Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include -

Wuta Camera - Nice Shot Always (com.benqu.wuta) - 10+ million

Mobile Security / Malware

Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro.

Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include -

*   Wuta Camera - Nice Shot Always (com.benqu.wuta) - 10+ million downloads
*   Max Browser-Private & Security (com.max.browser) - 1+ million downloads

As of writing, Max Browser is no longer available for download from the Play Store. Wuta Camera, on the other hand, has been updated (version 6.3.7.138) to remove the malware. The latest version of the app, 6.3.8.148, was released on September 8, 2024.

It's currently not clear how both the apps were compromised with the malware in the first place, although it's believed that a rogue software developer kit (SDK) for integrating advertising capabilities is the culprit.

Necro (not to be confused with a botnet of the same name) was first discovered by the Russian cybersecurity company in 2019 when it was hidden within a popular document scanning app called CamScanner.

CamScanner later blamed the issue on an advertisement SDK provided by a third-party named AdHub that it said contained a malicious module to retrieve next-stage malware from a remote server, essentially acting as a loader for all kinds of malware onto victim devices.

The new version of the malware is no different, although it packs in obfuscation techniques to evade detection, particularly leveraging steganography to hide payloads.

"The downloaded payloads, among other things, could display ads in invisible windows and interact with them, download and execute arbitrary DEX files, install applications it downloaded," Kaspersky researcher Dmitry Kalinin said.

It can also "open arbitrary links in invisible WebView windows and execute any JavaScript code in those, run a tunnel through the victim's device, and potentially subscribe to paid services."

One of the prominent delivery vehicles for Necro is modded versions of popular apps and games that are hosted on unofficial sites and app stores. Once downloaded, the apps initialize a module named Coral SDK, which, in turn, sends an HTTP POST request to a remote server.

The server subsequently responds with a link to a purported PNG image file hosted on adoss.spinsok\[.\]com, following which the SDK proceeds to extract the main payload – a Base64-encoded Java archive (JAR) file – from it.

Necro's malicious functions are realized through a set of additional modules (aka plugins) that are downloaded from the command-and-control (C2) server, allowing it to perform a wide range of actions on the infected Android device -

*   NProxy - Create a tunnel through the victim's device
*   island - Generate a pseudo-random number that's used as a time interval (in milliseconds) between displays of intrusive ads
*   web - Periodically contact a C2 server and execute arbitrary code with elevated permissions when loading specific links
*   Cube SDK - A helper module that loads other plugins to handle ads in the background
*   Tap - Download arbitrary JavaScript code and a WebView interface from the C2 server that are responsible for covertly loading and viewing ads
*   Happy SDK/Jar SDK - A module that combines NProxy and web modules with some minor differences

The discovery of Happy SDK has raised the possibility that the threat actors behind the campaign are experimenting with a non-modular version as well.

"This suggests that Necro is highly adaptable and can download different iterations of itself, perhaps to introduce new features," Kalinin said.

Telemetry data gathered by Kaspersky shows that it blocked over ten thousand Necro attacks worldwide between August 26 and September 15, 2024, with Russia, Brazil, Vietnam, Ecuador, Mexico, Taiwan, Spain, Malaysia, Italy, and Turkey accounting for the most number of attacks.

"This new version is a multi-stage loader that used steganography to hide the second-stage payload, a very rare technique for mobile malware, as well as obfuscation to evade detection," Kalinin said.

"The modular architecture gives the Trojan's creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Necro Android Malware Found in Popular Camera and Browser Apps on Play Store

Red Hat Security Advisory 2024-7003-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include code execution and use-after-free vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7003.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel-rt security updateAdvisory ID:        RHSA-2024:7003-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7003Issue date:         2024-09-24Revision:           03CVE Names:          CVE-2024-26993====================================================================Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Security Fix(es):* kernel: TIPC message reassembly use-after-free remote code execution vulnerability (CVE-2024-36886)* kernel: fs: sysfs: Fix reference leak in sysfs_break_active_protection() (CVE-2024-26993)* kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing (CVE-2024-41071)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-26993References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2277238https://bugzilla.redhat.com/show_bug.cgi?id=2278314https://bugzilla.redhat.com/show_bug.cgi?id=2300448

Red Hat Security Advisory 2024-7003-03

Red Hat Security Advisory 2024-7002-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include code execution, null pointer, and use-after-free vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7002.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel security updateAdvisory ID:        RHSA-2024:7002-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7002Issue date:         2024-09-24Revision:           03CVE Names:          CVE-2024-26908====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: x86/xen: Add some null pointer checking to smp.c (CVE-2024-26908)* kernel: TIPC message reassembly use-after-free remote code execution vulnerability (CVE-2024-36886)* kernel: fs: sysfs: Fix reference leak in sysfs_break_active_protection() (CVE-2024-26993)* kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing (CVE-2024-41071)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-26908References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2275744https://bugzilla.redhat.com/show_bug.cgi?id=2277238https://bugzilla.redhat.com/show_bug.cgi?id=2278314https://bugzilla.redhat.com/show_bug.cgi?id=2300448

Red Hat Security Advisory 2024-7002-03

Apple’s macOS Sequoia update is causing major compatibility issues with popular security tools. Reportedly, users are facing disruptions…

Apple’s macOS Sequoia update is causing major compatibility issues with popular security tools. Reportedly, users are facing disruptions and frustration as vendors scramble to find solutions. Learn about the affected software, potential workarounds, and the latest updates on this ongoing issue.

Apple’s latest macOS update, macOS Sequoia (version 15), is reportedly causing issues with security tools from major providers like CrowdStrike, SentinelOne, ESET, and Microsoft. The update appears incompatible with several popular security tools, rendering them inoperable. The issue, which affects macOS users and enterprises, has caused frustration among those working with macOS-focused security tools. 

For your information, Apple officially launched its AI-focused macOS Sequoia on Monday. It is a new operating system, first revealed at WWDC 2024, offering exclusive features like Apple Intelligence, which uses Apple silicon to create language, images, and actions across apps, leveraging users’ personal context. 

However, the update has raised concerns for certain security-related products and applications as several security researchers and users on social media, Reddit, and a Mac-focused Slack channel reported issues with these security tools after installing Sequoia.

On Mastodon, security researcher Will Dormann reported firewall-related and DNS issues in macOS Sequoia, noting that blocking incoming connections within the macOS Sequoia firewall can also block replies to DNS requests, causing problems.

Dormann also noted a related issue affecting Chrome and Chromium-based browsers on macOS Sequoia, where blocking incoming connections for Google Chrome in the macOS firewall causes large downloads to stall.

Meanwhile, Apple has not yet addressed the concerns regarding Sequoia’s compatibility with security software such as ESET Endpoint Security and CrodStrike Falcon, and the full scope of the compatibility issues with Sequoia remains unclear.  

Most companies have advised users not to update the OS until the issue is resolved, as they are unable to support macOS Sequoia. CrowdStrike confirmed the issue and announced a delay in supporting Sequoia.

The company is waiting for Apple to release a fix before updating their software.  Similarly, ESET acknowledged network connection problems after the update but later clarified that their products are compatible with Sequoia. 

While SentinelOne initially advised users against upgrading to Sequoia, they later clarified that full support was available. However, some users still reported problems with other functionalities like firewalls and DNS configurations. 

A potential workaround shared by security researcher Wacław Jacek on his blog involves using command-line tools to adjust firewall settings for specific applications. According to Jacek, to modify firewall settings, use the CLI tool /usr/libexec/ApplicationFirewall/socketfilterfw.

This will allow your browser to access the internet again, but other software may still not function. To disable the entire firewall, open the terminal app, find the path to your web browser, run ls -l, and add your browser to the firewall using /usr/libexec/ApplicationFirewall/socketfilterfw.

Until the situation is resolved, please proceed with caution when considering the Sequoia update, especially if you rely heavily on third-party security software.

Mr. Mayuresh Dani, Manager, Security Research, at Qualys Threat Research Unit, shared his concern over the situation with Hackread.com stating, “With the release of new operating systems, all security vendors must test and qualify their releases. It is a good thing that security vendors have been proactive in this situation and have already sent out steps to take in case their systems are facing issues with the latest Mac update.”

Mayuresh highlighted that “From the looks of it, the networking stack – or the macOS Sequoia firewall to be specific – has changed because the security tools that use it to provide security are not able to do so. Not just security tools, VPNs are also having a difficult time getting a DNS resolution.”

He also suggested the following to the security teams responsible for securing Macs:

1.  Avoid updating to macOS Sequoia unless their security vendor has officially certified it for use.
2.  Turn off auto-updates to major OS releases before internal certification.
3.  Internally certify new operating system releases by installing Dev, and Beta builds of operating systems with certified software before organization-wide deployments.

Nevertheless, the importance of comprehensive testing before deploying major updates in production environments should not be ignored. It also highlights the need for organizations to have proper backup plans and alternative security measures in place. Developing a multi-layered security approach that doesn’t rely solely on a single tool or vendor can enhance overall stability.

1.  **CrowdStrike Update Causes Havoc By Disrupting Businesses**
2.  **Webroot Marked Facebook as Phishing Site, Windows as Malware**
3.  **Apple mistakenly approved malware hidden as Adobe Flash Player**
4.  **Microsoft Releases Tool to Fix CrowdStrike-Caused Windows Chaos**
5.  **Microsoft Defender Flags Tor Browser as Win32/Malgent!MTB Malware**

Apple’s macOS Sequoia Update Breaks Security Tools

The FTC published a report about the ways social media and video streaming services collect and use our data

The US Federal Trade Commission (FTC) released a report that examines the data collection and use practices of major social media and video streaming services, finding that—and this will not come as a surprise to our regular readers—the companies engaged in vast surveillance of consumers in order to monetize their personal information while failing to adequately protect users online, especially children and teens.

The report, called A Look Behind the Scenes: Examining the Data Practices of Social Media and Video Streaming Services, is based on responses from nine companies to questions about how the companies collect, track, and use personal and demographic information, how they determine which ads and other content are shown to consumers, whether and how they apply algorithms or data analytics to personal and demographic information, and how their practices impact children and teens.

The companies that were ordered to respond own some of the household social media and streaming service names. They are Amazon (Twitch), Meta (Facebook and Instagram), YouTube, X (Twitter), Snap (Snapchat), ByteDance (TikTok), Discord, Reddit, and WhatsApp.

Some of the specific information that the FTC was looking for included:

*   How social media and video streaming services collect, use, track, estimate, or derive personal and demographic information.
*   How they determine which ads and other content are shown to consumers.
*   Whether they apply algorithms or data analytics to personal information.
*   How they measure, promote, and research user engagement.
*   How their practices affect children and teens.

The conclusions seemed to upset the FTC, but we weren’t even mildly surprised:

> “The amount of data collected by large tech companies is simply staggering. They track what we read, what websites we visit, whether we are married and have children, our educational level and income bracket, our location, our purchasing habits, our personal interests, and in some cases even our health conditions and religious faith. They track what we do on and off their platforms, often combining their own information with enormous data sets purchased through the largely unregulated consumer data market.”

The FTC also mentions that some of these companies increasingly rely on hidden pixels and other means of tracking visitors, not only on their own, but also on other websites, to track our behavior down to every click.

Some of the responders were even unable to identify all the data points they collected or all of the third parties they shared that data with.

The report comes to the conclusion that self-regulation is not the answer to these problems. We can see all around the news that with the rise of the artificial platforms that many of these companies are developing, the incentive to use our data for their own purposes is only growing.

> “Predicting, shaping, and monetizing human behavior through commercial surveillance is extremely profitable.”
> 
> US Federal Trade Commission, “A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services”

This has created a number of companies that have a huge influence on our economy, our democracy, and our society as a whole. Companies that, it appears, believe they can dodge the obligation to provide the Commission with complete answers while hiding their collection practices with limited, incomplete, or unhelpful responses that appear to have been carefully crafted to be self-serving, and to avoid revealing key pieces of information.

While their services provide us with the option to connect with the world from the palm of your hand, many of them have been at the forefront of building the infrastructure for mass commercial surveillance. They have access to information about every aspect of our lives and our behavior.

This comes not only with costs to our privacy, it harms our competitive landscape and affects the way we communicate and our well-being, especially the well-being of children and teens.

Some of the key findings of the report are:

*   Many of the companies collected and could indefinitely retain troves of data from and about users and non-users, and they did so in ways consumers might not expect.
*   Many of the responding companies relied on selling advertising services to other businesses based largely on using the personal information of their users. The technology powering this ecosystem took place behind the scenes and out of view to consumers, posing significant privacy risks.
*   Algorithms, data analytics, and/or AI were applied to users’ and non-users’ personal information. These technologies controlled everything from content recommendation to search, advertising, and inferring personal details about users, while the users lacked any meaningful control over how personal information was used for AI-fueled systems.
*   The trend among the responding companies was that they failed to adequately protect children, but especially teens, who are not covered by the Children’s Online Privacy Protection Rule (COPPA).

The recommendations of the FTC focus on legislation about the transparency of the data-usage, disclosure of sensitive personal data for advertising purposes, and the need to protect young users from the information-absorbing tech giants.

For more details and specific answers from each of the companies, you can check the 129 page report.

I want to close this off with a quote from the report that we whole-heartedly agree with:

> “Our privacy cannot be the price we pay to accomplish ordinary basic daily activities”

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

 &#8220;Simply staggering&#8221; surveillance conducted by social media and streaming services, FTC finds 

Red Hat Security Advisory 2024-6892-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6892.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox  updateAdvisory ID:        RHSA-2024:6892-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6892Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2024-7652====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-7652References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-6892-03

Red Hat Security Advisory 2024-6891-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6891.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox  updateAdvisory ID:        RHSA-2024:6891-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6891Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2024-7652====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-7652References:https://access.redhat.com/security/updates/classification/#important

Tag

#sap