Our episode today discusses the latest on the Apex Legends Global Series hacking fiasco, Microsoft’s Bing popup controversy, critical WordPress plugin vulnerabilities, innovative acoustic side-channel attacks, and the cunning world of HTML smuggling. Explore the evolving challenges and ingenious exploits shaking up the cybersecurity realm. Uncover what these developments mean for your digital safety and privacy.
Article URLs:
- Apex Legends Tournament Hacking: https://www.bleepingcomputer.com/news/security/apex-legends-players-worried-about-rce-flaw-after-algs-hacks/
- Microsoft’s Bing Popup Ads: https://www.bleepingcomputer.com/news/microsoft/microsoft-again-bothers-chrome-users-with-bing-popup-ads-in-windows/
- WordPress Plugin Vulnerability: https://thehackernews.com/2024/03/wordpress-admins-urged-to-remove.html
- Acoustic Side-channel Attack: https://www.bleepingcomputer.com/news/security/new-acoustic-attack-determines-keystrokes-from-typing-patterns/
- HTML Smuggling in Cyberattacks: https://thehackernews.com/2024/03/hackers-using-sneaky-html-smuggling-to.html
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/
Tags: cybersecurity, Apex Legends, Microsoft Bing, WordPress vulnerabilities, acoustic side-channel attack, HTML smuggling, digital privacy, hacking incidents, software vulnerabilities, web security
Search Phrases:
- Apex Legends tournament hack
- Microsoft Bing popup ads controversy
- How to protect against WordPress plugin vulnerabilities
- What is an acoustic side-channel attack
- Understanding HTML smuggling in cyberattacks
- Latest cybersecurity threats and protections
- Hacking incidents in esports
- Preventing digital privacy breaches
- Addressing software vulnerabilities
- Enhancements in web security
Transcript:
Mar 19
[00:00:00]
[00:00:02] offsetkeyz: Alright, welcome back to the Daily Decrypt.
Researchers have developed a new method to deduce keystrokes, or manually entered passwords, from the sounds your keyboard makes,
revealing a new attack
that poses challenges to users even in noisy environments. How can you stay safe from this type of attack?
Hackers have disrupted the Apex Legends Global Tournament
using a remote code execution flaw. Imagine if these gamers spent that much time learning cyber security. We might have these world problems solved. And Google Chrome users on Windows are getting unsolicited ads from Microsoft trying to get them to set their default search engine to Bing.
If I’m already using Google Chrome, I know what I want to be doing, so thanks Microsoft.
And for our nerdier listeners, cybercriminals are exploiting HTML smuggling
[00:00:56] offsetkeyz: to deliver malware through fake Google documents [00:01:00] which circumvents traditional security defenses by embedding malicious payloads in normal appearing web content,
okay, so since yesterday’s episode was focused on a discussion and didn’t really bring the news, I’m going to deliver three pieces of news really quick. In a lightning round style. So up first,
The North American finals of the Apex Legends Global Series were postponed after a shocking security breach. Hackers using a remote code execution flaw managed to infiltrate the game mid match, compromising the integrity of the whole competition.
One player reported seeing a cheat tool. I mean, I’d report that too if I was cheating.
While another was given an aimbot, which is another form of cheating, enhancing the user’s aiming abilities, which led to the suspension of the tournament.
And this incident has raised [00:02:00] concerns about the security of gaming environments, and the potential vulnerabilities within Apex Legends client or the associated anti cheat software.
Meanwhile, Microsoft has stirred up frustration among Windows users by pushing unsolicited Bing pop up ads to Google Chrome users,
suggesting a switch to Bing as the default search engine.
This marketing strategy, which included pixelated that led some to suspect malware, has been met with criticism for its intrusive nature.
Microsoft claims this is a one time notification, but I personally have gotten this notification multiple times and dismissed it multiple times.
And like I said during the intro, I downloaded Google Chrome and I set my default search to DuckDuckGo or Google. I don’t want to switch it to Bing, and if I did, I would. So sending me a popup If you’ve listened to any of my previous episodes and how much I hate pop ups, is going to do the opposite thing, [00:03:00] Microsoft.
And especially a pixelated pop up that looks like malware? Figure it out!
And finally, in more cyber security related news, there’s a WordPress plugin series called Mini Orange that, according to the developer, has been deprecated for a couple weeks now, and There’s now a vulnerability with I believe a CVE rating of 9. 8 out of 10 for these plugins So WordPress is recommending just removing these plugins.
These plugins are security features like firewalls and anti malware So go out there, try to find a new plugin that does your security for you. This one is going to do the opposite of what you want it to do.
And just to clarify, that is Mini Orange, specifically their malware scanner and their web application firewall.
[00:03:47] transition: uh, uh, uh,
[00:03:53] offsetkeyz: Okay. So there’s a new acoustic side channel attack that could potentially. allow attackers to [00:04:00] determine your keystrokes, or manually entered passwords, based on the sound that your typing makes.
So this was developed by security researchers, and as far as we know is not being exploited in the wild, though, if it is possible, it probably is being exploited in the wild. We can’t ask a breached account how to do that. The attacker breached it, and attackers aren’t really giving up that information, so we can assume that it’s being used in the wild, though there’s no direct evidence at this time.
This article comes from Bleeping Computer, but the research was completed at Augusta University,
and the researchers claim that you don’t need a quiet environment to perform this attack,
or even the consistency of a mechanical keyboard, per se. Like the keyboard on my Macbook uses what’s butterfly keys that are really light and to us they sound entirely the same.
But yes, this attack can be performed on any type of [00:05:00] keyboard.
Currently the attack only has an average success rate of 43%, but that success rate is much higher than other attacks like credential stuffing,
which is where attackers find your credentials on the dark web and then put them into A myriad of websites that accept usernames and passwords.
For more information on this attack, you can check out the article by bleeping computer in the show notes. But you might be wondering how can you protect yourself from this type of attack? Well, first of all, if you’re still manually entering passwords, you cannot protect yourself from this type of attack.
You can get little rubber keyboard covers, you can do whatever, but this attack can be used when you’re manually entering your passwords. So there’s no way to get around manually entering some passwords. So what I’m trying to get at here is You should be using a password manager, which only requires you to copy and paste your [00:06:00] passwords, which makes no sound.
You will have to occasionally enter in your master password for the password manager, and I would recommend doing that at home, And try to avoid doing it while you’re making Instagram videos, or live streaming, or something like that.
But the ultimate way to protect yourself from this is to start using a password manager. It’s amazing how many of these hacks using a password manager can prevent. If you have any questions about using a password manager, switching over your routine, I’ve developed a four day plan. with about 10 to 30 minutes per day to ease yourself into this new lifestyle. Reach out to us in the comments or in a direct message on any of our social media platforms, and I’ll be happy to get you that four day plan.
[00:06:56] offsetkeyz: Alrighty, and our final piece of news for the day comes from [00:07:00] thehackernews. com,
and it involves an attack called HTML smuggling, which has been
developed only recently thanks to the innovations in new versions of HTML. And if you’re not familiar, HTML is essentially the backbone of all websites. It’s the coding language used, hypertext markup language,
to develop websites. That HTML might integrate with JavaScript or CSS or a myriad of other languages. HTML tends to be the backbone of all websites. So HTML5 introduces new interactive features that kind of blur the lines between software, computer apps, and web based. applications or websites,
and allows for more sophisticated interaction with the user’s browser and system.
So, to back up a little bit, cybercriminals are creating counterfeit pages that mimic Google Docs. When someone visits these pages, they unknowingly trigger the download of malware onto their [00:08:00] devices. And this malware is not to be underestimated. It can steal a wide range of personal information, including credentials from web browsers, documents, and even data from cryptocurrency wallets.
So as I said before, this attack is thanks to the innovations and advancements brought about through HTML 5
specifically including the support for blobs or binary large objects blobs allow for the manipulation and direct handling of binary data such as executable files or images from within the browser
So this feature enables web applications to create, read, and manipulate binary data client side, which is crucial for modern web applications that handle rich media and documents without relying on additional plugins or server side processing. So the further we advance in technology, the more processing we’re going to be able to do on our independent machines, as opposed to relying on [00:09:00] processing in the cloud and then transitioning that data back to our machines.
It allows for much faster loading times and such when you’re interacting with a web application.
So essentially attackers are creating fake websites that utilize these blobs by writing JavaScript code that essentially creates malware in the browser. So the malware isn’t embedded per se, the code that’s being executed in the browser creates the malware, usually in the form of a PDF, and then downloads it to your computer.
And mind you, downloading files from a web application is a relatively normal process.
It takes place all the time, you might not even know it. But this one is usually downloaded in the form of a PDF, and once that PDF is opened, the malware is created and run. And it uses some pretty cool techniques. If you’re interested in that type of thing, they’re outlined in the articles linked in the show notes.
But the key [00:10:00] takeaways from this are that attackers are innovating, and they’re using these new advancements in technology against us. So we just have to be extra vigilant and careful as we navigate throughout the web, clicking on links, and when you’re searching for something specific on Google, Make sure not to click Google Ads, as attackers can buy these. And this is probably how it’s mostly getting disseminated, is fake websites that look like the real websites, and as you interact with it, it’s downloading things to your computer.
So try to avoid clicking on Google Ads as much as possible.
All right, that’s all I’ve got for you today. I’ll see you If you haven’t had a chance yet, check out the episode we released yesterday about Texas and the age verification. It’s an open ended discussion and we’d love to hear your thoughts on it. We’ve thrown out some kind of radical ideas in there about what’s happening in Texas and what’s happening with these age verification methods.
So take a listen, let us know what you think,
and we will talk to you some more tomorrow. [00:11:00]
Leave a Reply