Search Results for “Dan Goodin”

April 9, 2020
Dan Goodin / Ars Technica

Dan Goodin / Ars Technica  
Newly Discovered IoT Botnet dark_nexus Is Purportedly One of the Most Advanced Ever Seen, Developed by Well-Known Botnet Author

A newly discovered IoT botnet dubbed dark_nexus that preys on home routers, video recorders, and other network-connected devices is one of the most advanced Internet-of-things platforms ever seen, researchers at Bitdefender report. Bitdefender says the botnet uses the name dark_nexus in one of its earliest versions, using the name in its user agent string when carrying out exploits over HTTP: dark_NeXus_Qbot/4.0, citing Qbot as its influence. Although dark_nexus uses some Qbot and Mirai code, its core modules are mostly original. The IoT botnet seems to have been developed by a known botnet author, @greek.helios, who has been selling DDoS services and botnet code for years, Bitdefender says.

Related: Gixtools, Security Affairs, ZDNet, The Hacker News, CSO Online, Security Brief, SecurityWeek,, Bitdefender

Dan Goodin / Ars Technica

Dan Goodin / Ars Technica  
Fingerprint Molds Were Able to Bypass Authentication Locks of Apple, Microsoft, Samsung, Huawei Around 80% of the Time

Over a test period that lasted several months, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time for fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers, researchers at Cisco Talos report. The researchers used more than 50 fingerprint molds, attempting 20 times for each model using the best fingerprint models of the lot, so this kind of fingerprint cloning would be challenging to replicate in the real world.  The AICase padlock and Huawei’s Honor 7x and Samsung’s Note 9 Android phones were the easiest to fool and were bypassed 100 percent of the time. Fingerprint authentication in the iPhone 8, MacBook Pro 2018, and the Samsung S10 came next, where the success rate was more than 90 percent. Five laptop models running Windows 10 and two USB drives—the Verbatim Fingerprint Secure and the Lexar Jumpdrive F35—performed the best, with researchers achieving a 0-percent success rate.

Related:, Dark Reading, TechTarget, Slashdot, ZDNet, SiliconANGLE, Talos Intel, Infosecurity Magazine, Talos Blog

May 3, 2020
Dan Goodin / Ars Technica

Dan Goodin / Ars Technica  
New Damaging Ransomware Strain Called LockBit Is Self-Replicating, Rapidly Spreading Malware That Aborts Itself on Machines in Russia, Commonwealth of Independent States

A new ransomware strain called LockBit, most prevalent in the US, the UK, France, Germany, Ukraine, China, India, and Indonesia, rampantly ran through a poorly secured network in a matter of hours leaving leaders with no choice but to pay the ransom, researchers at McAfee recently observed. After getting in, self-replicating LockBit used a dual method to map out and infect the victimized network, using ARP tables and server message blocks to allow infected nodes to connect to uninfected nodes.  Before the ransomware encrypted data, it connected to an attacker-controlled server and then used the machine’s IP address to determine where it was located. If the computer were in Russia or another country belonging to the Commonwealth of Independent States, it would abort the process. LockBit is sold in underground broker forums that often require sellers to put up a deposit that customers can recover in the event the wares don’t perform as advertised.

May 15, 2020
Dan Goodin / Ars Technica

Dan Goodin / Ars Technica  
Google Rolls Out New Feature in Chrome That Limits Machine Resources Used by Abusive Ads

Google developers are rolling out a feature that neuters abusive ads that covertly leach users’ CPU resources, bandwidth, and electricity, the Chrome team announced. Google says that while the percentage of abusive ads is meager, somewhere around 0.3 percent, they account for 28 percent of CPU usage and 27 percent of network data. Most of these ads mine cryptocurrency, are poorly programmed or are unoptimized for network usage. To address this problem, Chrome is limiting the resources a display ad can consume before a user interacts with it. If the limit is reached, the ad frame will navigate to an error page that informs the user the ad has consumed too many resources.

Related:, The Verge, WCCFtech, Android Police, Chromium Blog, Trusted Reviews, MacRumors, Slashdot, Venture Beat

May 21, 2020
Dan Goodin / Ars Technica

Dan Goodin / Ars Technica  
New PipeMon Backdoor Infected Several Multiplayer Games Developers to Push Malware-Tainted Apps That Steal In-Game Currencies

Researchers from ESET report that one of the world’s most prolific hacking groups, Winnti, recently infected several Massively Multiplayer Online game makers which made it possible for the attackers to push malware-tainted apps to one target’s users and to steal in-game currencies of a second victim’s players. These recent attacks used a never-before-seen backdoor that ESET has dubbed PipeMon, which used installers that bore the imprimatur of a legitimate Windows signing certificate stolen from Nfinity Games during a 2018 hack of that gaming developer. Pipemon used the location of Windows print processors so it could survive reboots. The infected companies were not identified, but ESET said they were several South Korean and Taiwan-based developers of MMO games that are available on popular gaming platforms and have thousands of simultaneous players.

June 3, 2020
Dan Goodin / Ars Technica

Dan Goodin / Ars Technica  
Google Issues Patches for Dozens of Android Vulnerabilities Two of Which Allow Remote Code Execution With Extremely High System Rights

Google has pushed out patches for dozens of vulnerabilities in its Android mobile operating system, two of which could allow hackers to execute malicious code with extremely high system rights remotely. The two vulnerabilities ranked as critical in Google’s June security bulletin are indexed as CVE-2020-0117 and CVE-2020-8597. They’re among four System flaws located in the Android system (the other two are ranked with a severity of high). The critical vulnerabilities reside in Android versions 8 through the most recent release of 11.

March 27, 2020
Dan Goodin / Ars Technica

Dan Goodin / Ars Technica  
Google’s Threat Analysis Group Says Number of Warnings Sent to Users of Government-Backed Attacks Drop Nearly 25% in 2019 to 40,000

Google’s Threat Analysis Group (TAG) said that in 2019, it sent almost 40,000 warnings to users that it had detected government-backed phishing or malware attempts against them, a nearly 25 percent drop from 2018. One big reason for the decline, according to the company, is that new protections Google has implemented are working. Attackers’ efforts have been slowed down, and they’re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt, Google said. However, Google has seen a rising number of attackers, including those from Iran and North Korea, impersonating news outlets, or journalists. Google’s data also shows that geopolitical rivals, government officials, journalists, dissidents, and activists are still the main targets of government-backed attackers and that these government attackers go after their targets repeatedly. TAG also said it discovered many zero-day vulnerabilities affecting Android, Chrome, iOS, Internet Explorer and Windows throughout the year.

March 11, 2020
Dan Goodin / Ars Technica

Dan Goodin / Ars Technica  
Microsoft Leaks Word of New ‘Wormable’ Flaw in Windows That Could Unleash Self-Replicating Attacks

Microsoft leaked word of a new ‘wormable’ vulnerability in recent versions of Windows that has the potential to unleash the kind of self-replicating attacks that allowed the WannaCry and NotPetya worms to cripple business networks around the world. The vulnerability tracked as CVE-2020-0796 exists in version 3.1.1 of the Server Message Block 3.1.1 that’s used to share files, printers, and other resources on local networks and over the Internet. In a cryptic advisory, Microsoft said attackers who successfully exploit the flaw could execute code of their choice on both servers and end-user computers that use the vulnerable protocol. No patches are available for the vulnerability which affects Windows 10 and Windows Server 2019, which are relatively new releases that Microsoft has invested vast amounts of resources hardening against precisely these types of attacks. Microsoft said vulnerable servers could be protected by disabling compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.  Security firms Fortinet and Cisco Talos released but then pulled their advisories about the flaw for reasons unknown.

Related: CyberSecurity Help s.r.o., SecurityWeek, Sec.Today, WCCFtech, Reddit – cybersecurity, BetaNews, Tenable Blog, CERT Recently Published Vulnerability Notes, IT News,, Microsoft, ZDNet

Tweets:@campuscodi @zackwhittaker @campuscodi

CyberSecurity Help s.r.o.: Microsoft discloses a new wormable Win SMBv3 CVE-2020-0796 flaw
SecurityWeek: Microsoft Working on Patches for Wormable SMB Vulnerability
Sec.Today: CERT/CC Vulnerability Note VU#872016
WCCFtech: Microsoft Inadvertently Leaks Details of a New SMB Wormable Bug – Time to Block Ports & Disable SMBv3 Compression
Reddit – cybersecurity: CVE-2020-0976: Wormable Windows SMBv3 flaw
Beta News : Microsoft provides mitigation advice for critical vulnerability in SMBv3 protocol
Tenable Blog: CVE-2020-0796: “Wormable” Remote Code Execution Vulnerability in Microsoft Server Message Block SMBv3 (ADV200005)
CERT Recently Published Vulnerability Notes: VU#872016: Microsoft SMBv3 compression remote code execution vulnerability
IT News : Microsoft leaks critical, remotely exploitable Windows bug Windows Alert: Critical SMB_v3 Flaw Requires Workaround
Microsoft: ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression
ZDNet: Details about new SMB wormable bug leak in Microsoft Patch Tuesday snafu

@campuscodi: Details about new SMB wormable bug leak in Microsoft Patch Tuesday snafu - Bug is tracked as CVE-2020-0796 - Impacts SMBv3, and described as wormable - Was announced in some security feeds, but not actually included with the March 2020 Patch Tuesday
@zackwhittaker: A critical bug in Microsoft's SMBv3 implementation was published under mysterious circumstances.
@campuscodi: I have now seen/talked to 3 different people claiming they found the bug in less than 5 minutes. I won't be surprised if exploits pop up online by the end of the day.

December 21, 2017
Zack Whittaker / ZDNet

Zack Whittaker / ZDNet  
Password Software Company Keeper Sues Ars Technica, Journalist for Reporting Security Flaw

Password manager software maker Keeper has sued the online tech publication Ars Technica and its veteran security editor, Dan Goodin, in the U.S. District Court for the Northern District of Illinois for defamation in an article that reported a security flaw in Keeper’s software. Goodin’s story cited Google Project Zero security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted that a security flaw in Keeper allowed “any website to steal any password” through the password manager’s browser extension. The bug was fixed by Keeper, which triggered Goodin’s story. Although details in the article were modified twice after Keeper complained, the suit also calls for the retraction and removal of the article. This isn’t the first time Keeper has objected to reports of flaws in its software. In 2013, Keeper threatened to sue security firm Fox-IT for discovering unencrypted storage of confidential information in Keeper’s Password & Data Vault v5.3 for iOS.

Related: IT Wire

Ars Technica’s Goodin sued by security firm

July 18, 2019
Dan Goodin / Ars Technica

Dan Goodin / Ars Technica  
Thousands of Browser Extensions May Be Sharing Users’ Personally Identifiable Web Browsing Data With Murky Data Brokers, Chrome and Firefox Remove Six Such Extensions Installed by More Than Four Million Users

Thousands of extensions that gather browsing data are available in the online stores of Google and Mozilla, sending the data from users’ computers to be harvested for marketers, data brokers or hackers thanks to a new documented privacy issued called DataSpii. Sam Jadali who runs a hosting business discovered some of his clients’ data for sale online on a marketing intelligence firm called Nacho Analytics which sells users’ data that the firm says users have agreed to share.  Despite Nacho saying it scrubs personal information, Jadali found usernames, passwords and GPS coordinates in the data the company was selling. In addition to the personal data, Nacho exposed details of projects that corporate employees were working on, including top-secret material, and even information about internal corporate networks and firewall codes. Jadali’s research identified six suspect Chrome and Firefox extensions with more than a few users including Hover Zoom, SpeakIt!, SuperZoom, Helper, FairShare Unlock and PanelMeasurement, although there are likely at least 3,800 other extensions that leak users data, according to researchers at North Carolina State University. After being informed of the problem, Google and Mozilla removed the six extensions, which collectively had more than four million users. After the extensions were removed, Nacho posted a notice on its website that it had suffered a “permanent” data outage and would no longer take on new clients, or provide new data for existing ones.

Related: Security With Sam, Washington Post, GBHackers On Security,,,,

Tweets:@dangoodin001 @dangoodin001 @dangoodin001 @thepacketrat @hacks4pancakes @campuscodi @zackwhittaker @chronic @tonyromm @geoffreyfowler

Security With Sam: DataSpii: The catastrophic data leak via browser extensions (SUMMARY)
Washington Post: I found your data. It’s for sale.
GBHackers On Security: Chrome and Firefox Browser Extensions Steals Browsing Web Histories From Over 4M Users Chrome, Firefox browser extensions leaked millions of users’ data Chrome, Firefox browser extensions leaked millions of users’ data Browser Extensions Siphon Private Data From 4M Users, Then Leak It Popular Browser Extensions For Google Chrome and Mozilla Firefox Collecting And Possibly Profiting From User Data?

@dangoodin001: Several publications are crediting the Washington Post with breaking the story about browser extensions that collected browsing histories of 4.1 million users and publishing them in near-real time on a fee-based analytics site. In fact, Ars was first. 1/13
@dangoodin001: The independent researcher spent 7 months and $30,000 of his own money unraveling this massive leak. He has the receipts to prove it.
@dangoodin001: I'll be quiet about this soon, I promise. But here's an example of people thinking the writer did more than simply spend a few weeks reporting a researchers findings.
@thepacketrat: This is some awesome work by my colleague and friend Dan Goodin. Please read and disseminate. Delete those creepy browser extensions.
@hacks4pancakes: Hey you all, Dan wrote this outstanding and very important article today. Then it got sniped. Give it a read, a share, and show him some love.
@campuscodi: Things that have been ailing me for a while as well. NYT does it as well. Passes blog spam or re-reports as their own investigations.
@zackwhittaker: Wow. @dangoodin001 did months of hard work on the browser extension data leak story and it seems like the WaPo totally misrepresented its version of events after parachuting in at the last minute. …
@chronic: amazing read. scary peek into where your data may end up when siphoned off by sketchy software.
@tonyromm: Huge new investigation from @geoffreyfowler exposes how innocent sounding browser extensions left personal data for maybe 4 million up for sale. Will the government ever do anything about it?
@geoffreyfowler: FaceApp: We collect your data. Your Web browser: Hold my beer. My latest @washingtonpost privacy experiment found 4 million people leaking secrets through innocent-looking browser extensions. Here’s the privacy concern we’re not talking enough about