It’s been a busy week in the area of Cybersecurity. The last few days have been marked by the discovery of vulnerabilities, an unusual case involving a US company, and research into Black Friday scams.
See the top 6 cybersecurity news of the week
1. Researchers find flaws in Windows Hello fingerprint authentication
Cybersecurity group Blackwing Intelligence circumvented Windows Hello biometric authentication. In tests, the team accessed computers from the brand’s Dell, Lenovo, and the Microsoft Surface line. The login was carried out due to a failure in the sensors that read the user’s fingerprint. To achieve this, the team performed reverse engineering on the software and hardware, detecting flaws in data encryption and Microsoft’s Secure Device Connection Protocol (SDCP) mechanism.
The process is not easy to replicate, but the risk is considered high. As the research was sponsored by Microsoft, it is aware of the case and should work with sensor manufacturers to fix the breach.
2. The new Microsoft Defender bounty program pays up to $20,000
Still the owner of Windows, Microsoft announced a new rewards program for the Microsoft Defender platform. Researchers or enthusiasts in the field will be able to submit reports of undiscovered vulnerabilities that affect security service APIs.
Participants can point out remote code execution loopholes, account privilege changes, data leaks, or openness to denial of service attacks, for example. Rewards range from US$500 to US$20,000 if the identified flaw is considered critical.
3. Research reveals passwords most used by Brazilians in 2023
Password manager NordPass revealed data showing the passwords most used by Brazilians in 2023. The result, once again, is worrying due to the low level of most access codes. According to the survey, the password “admin” is the most used password in the country. It is followed by “12345” and variants — such as the larger numerical sequence or the provisional “123mudar”, which ends up becoming definitive. Research claims that logins with this type of weak password can be hacked in less than 1 second.
The codes “password”, “UNKNOWN” (“unknown” in English), and “gvt12345”, referring to the internet operator that has not existed for years, were also commonly found.
4. Old cryptocurrency wallets like Bitcoin are targeted by criminals
Unciphered researchers discovered a new attack modality against old digital cryptocurrency wallets. The group found a vulnerability in the Bitcoin protocol that allows malicious actors to steal private keys and embezzle funds. In addition to Bitcoin itself, accounts with Dogecoin, Litecoin, and Zcash may be affected.
the breach affected digital wallets generated via browsers between 2011 and 2015. Up to US$2.1 billion in investments are at risk, but no scam using this vulnerability has yet been detected. If you own one of these old wallets, we recommend transferring your balance to newer, more secure versions.
5. Cybersecurity executive pleads guilty to hacking hospitals
Do you remember the series Mr. Robot, which featured an employee at a security company who was a hacker? A similar situation that mixes fiction with reality was revealed in the United States.
The case happened in June 2021, when the chief of operations (COO) of the network security company Securolytics was accused of breaking into systems and stealing data from hospitals in the US state of Georgia. The reason for the attack? Offer the company’s digital protection services, which have healthcare institutions as their main customers.
The accused executive is called Vikas Singla and he pleaded guilty in court in November 2023. The sentence has not yet been confirmed, but he will possibly have to pay US$817,000 in fines and serve 57 months of probation or house arrest.
6. Survey shows the biggest cybersecurity threats on Black Friday in 2023
A TechCrumz survey found that phishing remains the most used scam on Black Friday this year, with 43.5% of fraudulent links trying to lure victims to fake e-commerce pages that simulate the look of Amazon, AliExpress, and Mercado Livre, for example.
Additionally, from January to October 2023, TechCrumz identified and blocked 2.8 million attempts to access websites that imitate catalogs from companies like Apple, as well as pages that offer fake gift cards for lower-than-normal prices. Bank login screens account for 35.2% of scams, while the remaining percentage are clones of payment services such as PayPal.
Stay up to date on cybersecurity here at TechCrumz.