Episode 349 of the Transatlantic Cable podcast kicks off with a discussion on Microsoft’s newly announced Copilot+ feature for personal computers. This feature, touted to give PCs a “photographic memory,” raises significant privacy concerns as it can log everything a user does by taking screenshots every few seconds. Privacy advocates fear the potential for exploitation by hackers and the implications of such extensive data collection.

Next, the podcast discusses the recent floods in Rio Grande do Sul, Brazil, and the rise of AI-generated misinformation during the disaster. The team highlights how false images and videos have been spreading on social media, complicating rescue efforts and public awareness.

The episode then delves into the vulnerabilities of high-end car keyless entry systems. Despite advancements like ultra-wideband communications, a recent demonstration by Chinese researchers showed that the latest Tesla Model 3 is still susceptible to relay attacks, allowing thieves to unlock and steal the vehicle with minimal equipment.

To wrap up, the team discusses the arrest of Lin Rui-siang, who was living a double life as an IT specialist and a dark web drug market operator. Lin, under the alias “Pharoah,” ran the Incognito Market, which facilitated over $100 million in narcotics sales before executing an exit scam and attempting to extort users. His arrest at JFK airport by the FBI brought an end to his criminal activities.

If you liked what you heard, please consider subscribing.

Microsoft’s AI screenshot function is being called a privacy nightmare.

Brazil’s flood disaster set off a torrent of AI misinformation.

Teslas can still be stolen with a cheap radio hack despite new keyless tech.

He Trained Cops to Fight Crypto Crime—and Allegedly Ran a $100M Dark-Web Drug Market.

Kaspersky official blog – ​Read More

At the recent I/O 2024 developer conference in California, Google presented the second beta version of its Android 15 operating system — codenamed Vanilla Ice Cream. The company also gave us a closer look at the new security and privacy features coming with the update.

While the final release of Android 15 is still a few months away — slated for the third quarter of 2024 — we can already explore the new security features this operating system has in store for Android users.

AI-powered smartphone theft protection

The most significant security upgrade (but by no means the only one) is a suite of new features designed to protect against theft of the smartphone and the user data contained within. Google plans to make some of these features available not only in Android 15 but also for older versions of the operating system (starting with Android 10) through service updates.

First up is factory reset protection. To prevent thieves from wiping a stolen phone and quickly selling it, Android 15 will let you set up a lock that prevents resetting the device without the owner’s password.

Android 15 will also introduce a so-called “private space” for apps. Some apps like banking ones or instant messengers can be hidden and protected with an additional PIN code — preventing thieves from accessing sensitive data.

Furthermore, Google plans to add protection for the most critical settings in case a thief manages to get  hold of an unlocked smartphone. Disabling Find My Device or changing the screen lock timeout will require authentication using a PIN, password, or biometrics.

But that’s not all: there’ll also be protection against thieves who’ve snooped on or otherwise obtained the PIN code. Accessing critical settings like changing the PIN, disabling anti-theft, or using passkeys will require biometric authentication. According to Google, this settings protection will be available on some devices “later this year”.

Now let’s talk about the new features that will be available not only in Android 15 but also in versions 10 and above. First, there’s AI-powered, accelerometer-based automatic screen locking. The screen will automatically lock if the system detects movements characteristic of someone snatching the phone and quickly running or driving away.

Additionally, the smartphone will automatically lock if a thief tries to keep it disconnected it from the internet for a long time. Automatic locking can also be set for other situations — for example, after a significant number of unsuccessful authentication attempts. Finally, Android will feature remote locking — allowing you to lock the phone’s screen from a different device.

Protection of personal data when screen sharing and recording

Android 15 also focuses on protecting user data from scams such as fake tech-support. Attackers might ask the user to share their screen (or record their actions and send a video) and instruct them to perform dangerous actions (such as logging in to an account). This way, scammers can obtain valuable information like login credentials, financial data, and so on.

First, screen sharing in Android 15 will (by default) only share the specific app the user is interacting with, and not the system interface (such as the status bar and notifications, which might contain personal information). But switching to full-screen sharing will still be possible if needed.

Second, regardless of the screen sharing mode, the system will only display notification content if the app developer has provided a special “public version” for it. Otherwise the content will be hidden.

Third, Android 15 will automatically detect and hide windows that contain one-time passwords. If a user opens an app window with a one-time password (for example, Messages) while sharing or recording their screen, the window contents won’t be displayed. Additionally, Android 15 will automatically hide login, password, and card data entered during screen sharing.

These measures protect not only against attackers specifically targeting user data, but also against accidental disclosure of personal information during screen sharing or recording.

Enhanced Restricted Settings

We’ve already discussed the so-called Restricted Settings that Android features from version 13 onward. This is additional protection against the misuse of two potentially dangerous features — access to notifications and Accessibility services.

You can read about the risks associated with these features at the link above. Here, let’s briefly recall the main idea of this protection: Restricted Settings prevent users from granting permission to these features for apps not downloaded from the app store.

Unfortunately, in both Android 13 and 14, this protective mechanism is very easy to bypass. The problem is that the system determines whether an app was downloaded from the store or not by the method used to install it. This allows a malicious app downloaded from any source using an “incorrect” method to subsequently install another malicious app using the “correct” method.

As a result of this two-step process, the second app is no longer considered dangerous, isn’t subject to restrictions, and can both request and gain access to notifications and Accessibility services.

In Android 15, Google plans to use a slightly different mechanism called Enhanced Confirmation Mode. From the user’s perspective, nothing will change — the interface will function as before. However, “under the hood”, instead of checking the app installation method, this mechanism will refer to an XML file built into the operating system containing a list of trusted installers.

Simply put, Google is going to hardcode a list of safe sources for downloading apps. Apps downloaded from elsewhere will be automatically blocked from accessing notifications and Accessibility services. Whether this will close the loophole, we’ll find out after the official release of Android 15.

Protecting one-time codes in notifications

In addition to the improved Restricted Settings, Android 15 will feature additional protection against apps intercepting one-time passwords when accessing notifications from other apps.

Here’s how it works: when an app requests access to a notification, the operating system analyzes the notification and removes the one-time password from its contents before passing it to the app.

However, some app categories — for example, apps of wearables connected through the Companion Device Manager — will still have access to the full content of notifications. Therefore, malware creators may be able to exploit this loophole to continue intercepting one-time passwords.

Warnings about insecure cellular networks

Android 15 will also introduce new features to protect against attackers using malicious cellular base stations to intercept data or spy on smartphone owners.

Firstly, the operating system will warn users if their cellular connection is unencrypted — meaning their calls and text messages could be intercepted in plain text.

Secondly, Android 15 will notify users if a malicious base station or specialized tracking device is recording their location using their device ID (IMSI or IMEI). To do this, the operating system will monitor requests from the cellular network to these identifiers.

It should be noted that both these functions must be supported by the smartphone’s hardware. Therefore, they’re unlikely to appear on older devices upgraded to Android 15. Even among new models initially shipping with Vanilla Ice Cream, probably not all will support these features — it’ll be up to the smartphone manufacturers whether to implement these functions or not.

New app protection features

Next up in the Android 15 security enhancements are improvements to the Play Integrity API. This service allows Android app developers to identify fraudulent activity within their apps, as well as instances where the user is at risk, and use various additional security measures in such cases.

In particular, in Android 15, app developers will be able to check if another app is running simultaneously with their app and recording the screen, displaying its windows on top of their app’s interface, or controlling the device on behalf of the user. If such threats are detected, developers can, for example, hide certain information or warn the user about the threat.

Developers will also be able to check if Google Play Protect is running on the device and if any known malware has been detected in the system. Again, if a threat is detected, the app can restrict certain actions, request additional confirmation from the user, and so on.

On-device Google Play Protect

Finally, another security innovation in Android 15 is that Google Play Protect will now operate not only within the official Google Play app store but also directly on user devices. Google calls this “live threat detection”.

The operating system (with the help of AI) will analyze app behavior — in particular, the use of dangerous permissions and interaction with other apps and services. If potentially dangerous behavior is detected, the app will be sent to Google Cloud for review.

Does this mean you can now ditch your third-party antivirus for Android? Not so fast, tiger. Ultimately, the effectiveness of anti-malware protection depends on how thoroughly a vendor can search for and study new threats.

Automation is certainly important here — that’s why we started using machine learning for threat research many years ago, long before it became trendy. But the work of human experts is equally crucial. And on this score, as numerous cases of malware infiltrating Google Play demonstrate, Google is still not doing so well — often lacking the resources to solve this problem.

Therefore, we recommend usinga comprehensive security solution on all your Android devices — including those running Android 15. It’ll complement perfectly the new privacy and security features. Moreover, much of what will only be introduced in the upcoming update — for example the functions for theft protection, finding your device, or protecting individual apps with a PIN — we implemented a long time ago and support even on older versions of Android. Check out this detailed review of the most interesting features in Kaspersky: Antivirus & VPN.

Kaspersky official blog – ​Read More

Episode 348 of the Transatlantic Cable podcast kicks off with news that Google plan to introduce a new AI tool to help detect if you’re being scammed in a phone call – a boon for those who fall prey to scams.  From there the team discuss news that Scarlett Johansson isn’t best pleased about the likeness of ChatGPT’s new voice, which sounds eerily familiar to her own.

To wrap up the team discuss two stories, firstly around how an ‘AI porn-maker’ (yes people, that’s now a job) accidentally leaked his own customer data. The second story centres around BT’s decision to move away from copper-cable landlines in the UK to an all-digital future – and it’s got several people annoyed.

If you liked what you heard, please consider subscribing.

Android is getting an AI-powered scam call detection feature
ChatGPT suspends Scarlett Johansson-like voice as actor speaks out against OpenAI
Nonconsensual AI Porn Maker Accidentally Leaks His Customers’ Emails
BT scraps digital landline switch deadline

Kaspersky official blog – ​Read More

For many InfoSec teams, security information and event management (SIEM) is at the heart of what they do. A company’s security depends to a large extent on how well its SIEM system allows experts to focus directly on combating threats and avoid routine tasks. That’s why almost every update of our Kaspersky Unified Monitoring and Analysis Platform is aimed at improving the user interface, automating routine processes and adding features to make the work of security teams easier. Many of the improvements are based on feedback from our customers’ InfoSec experts. In particular, the latest version of the platform (3.0.3) introduces the following features and improvements.

Writing filter conditions and correlation rules as code

Previously, analysts had to set filters and write correlation rules by clicking the conditions they needed. In this update, the redesigned interface now allows advanced users to write rules and conditions as code. Builder mode remains: filter and selector conditions are automatically translated between builder and code modes.

What’s more, builder mode also lets you write conditions using the keyboard. As soon as you start entering a filter condition, Kaspersky Unified Monitoring and Analysis Platform will suggest suitable options from event fields, dictionaries, active sheets, etc. To narrow down the range of options, simply enter the appropriate prefix. For your convenience, condition types are highlighted in different colors.

Code mode lets you quickly edit correlation rule conditions, as well as select and copy conditions as code and easily transfer them between different rules or different selectors within a rule. The same code blocks can also be moved to filters (a separate system resource), which greatly simplifies their creation.

Extended event schema

Kaspersky Unified Monitoring and Analysis Platform retains Common Event Format (CEF) as the basis for the event schema, but we have added the ability to create custom fields, which means you can now implement any taxonomy. No more being limited to vendor-defined fields, you can name event fields anything you want to make it easier to write search queries. Custom fields are typed and must begin with a prefix that determines both its type and the array type. Fields with arrays can only be used in JSON and KV normalizers.

Automatic identification of event source

Kaspersky Unified Monitoring and Analysis Platform administrators no longer need to set up a separate collector for each event type or open ports for each collector on the firewall – in the new version we have implemented the ability to collect events of different formats with a single collector. The collector selects the correct normalizer based on the source IP address. Using a chain of normalizers is permitted. For example, the [OOTB] Syslog header normalizer accepts events from multiple servers and allows you to define a DeviceProcessName and direct bind events to the [OOTB] BIND Syslog normalizer and squid events to the [OOTB] Squid access Syslog normalizer.

The following event normalization options are now available:

1 collector – 1 normalizer. We recommend using this method if you have many events of the same type or many IP addresses from which events of the same type may originate. In terms of SIEM performance, configuring a collector with only one normalizer would be optimal.

1 collector – multiple normalizers, based on IP addresses. This method is available for collectors with a UDP, TCP or HTTP connector. If a UDP, TCP or HTTP connector is specified in the collector at the Transport step, then at the Event Parsing step, on the Parsing settings tab, you can specify multiple IP addresses and select which normalizer to use for events arriving from those addresses. The following types of normalizers are available: JSON, CEF, regexp, Syslog, CSV, KV, XML. For Syslog or regexp normalizers, you can specify additional normalization conditions depending on the value of the DeviceProcessName field.

These are by no means the only updates to Kaspersky Unified Monitoring and Analysis Platform. There are also changes related to context tables, simplified binding of rules to correlators and other improvements. All of them are designed to improve the user experience for InfoSec professionals – see the full list here. To learn more about our SIEM system, Kaspersky Unified Monitoring and Analysis Platform, please visit the official product page.

Kaspersky official blog – ​Read More

Phishers are increasingly using sophisticated targeted attacks. In addition to leveraging a variety of legitimate online services, they employ social engineering to trick the victim into following a link. We recently uncovered another in a series of unconventional multi-stage phishing schemes that merits at least a warning to employees who handle financial documents.

The first email

The attack begins with an email to the victim that appears to be from a real auditing firm. In it, the sender says that they tried to send an audited financial statement, but it was too large to email, so it had to be uploaded to Dropbox. Note that the email is sent from a real address on the company’s mail server (the attackers most likely hijacked the mailbox).

From the perspective of any mail security system, this email is perfectly legitimate – indistinguishable from normal business correspondence. It contains no links, comes from a legitimate company address, and merely informs the recipient of a failed attempt to send an audit via email. This message is bound to get the attention of the accountant reading it. It contains a disclaimer that the content is confidential and intended solely for the recipient, and the company in whose name it was sent has a large online presence. All in all, it looks pretty convincing.

The only small red flag is the information that the report had to be resent using Dropbox Application Secured Upload. There is no such thing. A file uploaded to Dropbox can be password-protected, but nothing more. The real purpose of this phrase is presumably to prepare the recipient for the fact that some form of authentication will be required to download the report.

The second email

Next comes a notification directly from Dropbox itself. It states that the auditor from the previous email has shared a file called “audited financial statements” and asked that it be reviewed, signed, and returned for processing.

There is nothing suspicious about this email either. It contains a link to a perfectly legitimate online data storage service (which is why they use Dropbox). If the notification had arrived without any accompanying message, it would most likely have been ignored. However, the recipient has been primed, so they are more likely to go to the Dropbox website and try to view the document.

Dropbox file

When the victim clicks the link, they see a blurred document and a window opens on top of it requesting authentication using office credentials. Here, however, seeing is not believing, for both the blurred background and the window with a button are in fact parts of a single image inserted into a PDF file.

The victim doesn’t even need to click the VIEW DOCUMENT button – the entire surface of the image is essentially one big button. The link underneath it leads (via an intermediate site with a redirect) to a script that launches a form to enter login credentials – just what the attackers want.

All company employees need to be aware that work passwords should only be entered on sites that clearly belong to their company. Neither Dropbox nor external auditors should know your work password and therefore cannot verify its authenticity.

How to stay safe

As attackers come up with ever more sophisticated schemes to steal corporate credentials, we recommend implementing solutions that provide information security on multiple levels. First, use corporate mail server protection, and second, install a security solution with reliable anti-phishing technologies on all internet-facing work devices.

Kaspersky official blog – ​Read More