Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world's largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher. The vulnerability is in Microsoft Azure's flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer at Microsoft's Cloud Security Group. Because Microsoft cannot change those keys by itself, it emailed the customers Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz. "We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure," Microsoft told Reuters. Microsoft's email to customers said there was no evidence the flaw had been exploited. "We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key," the email said. “This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Luttwak told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.” Luttwak's team found the problem, dubbed ChaosDB, on Aug. 9 and notified Microsoft on Aug. 12, Luttwak said. The flaw was in a visualization tool called Jupyter Notebook, which has been available for years but was enabled by default in Cosmos beginning in February. After Reuters reported on the flaw, Wiz detailed the issue in a blog post. Luttwak said even customers who have not been notified by Microsoft could have had their keys swiped by attackers, giving them access until those keys are changed. 
Microsoft only told customers whose keys were visible this month, when Wiz was working on the issue. Microsoft told Reuters that "customers who may have been impacted received a notification from us," without elaborating. The disclosure comes after months of bad security news for Microsoft. The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds, who stole Microsoft source code. Then a large number of hackers broke into Exchange email servers while a patch was being developed. A recent fix for a printer flaw that allowed computer takeovers had to be redone repeatedly. Another Exchange flaw last week prompted an urgent U.S. government warning that customers need to install patches issued months ago because ransomware gangs are now exploiting it. Problems with Azure are especially troubling because Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for more security. But though cloud attacks are rarer, they can be more devastating when they occur. What's more, some are never publicized.
If you're having network and internet connection problems on your Windows 10 or Windows 11 PC, such as an Unidentified network appearing, a limited Wi-Fi connection, low Wi-Fi signal strength or a Wi-Fi adapter that is not working at all, this post is intended to help you with solutions to the issue.
Install a VPN and you might think your internet activities are fully protected from snoopers. With every site you access, all the data you transfer is sent through the VPN's secure encrypted tunnel, keeping it safe from prying eyes. Unfortunately, if the VPN connection fails (e.g. server problem, weak Wi-Fi signal, overloaded network, etc.) then your device may switch to your regular unprotected connection. Sites then get your real IP address, Wi-Fi hotspots might see the websites you're accessing, and the VPN won’t be encrypting any of your data. Most VPN providers handle this situation by offering a kill switch, although some give it a different name, like ExpressVPN's Network Lock or Windscribe's Firewall. But is this an effective solution? In this article we'll explain what a kill switch does, the different types of kill switches available, and how you can make sure your VPN kill switch is set up correctly. The idea behind a kill switch is simple. Essentially, if the VPN connection drops, the kill switch activates and blocks your device's internet access. This prevents you from accidentally sending data outside of the secure VPN tunnel, because if the tunnel fails then you won't be able to send any data at all. Every platform has its own tools for making this happen. An Android VPN app might use Android's built-in 'Always-on VPN' setting, for instance (Settings, Connections, More Connection Settings, VPN). But Windows VPNs often use the Windows Filtering Platform (the technology behind Windows Firewall), and Mac and iPhone VPN apps have further techniques of their own. If the VPN drops, then however the kill switch kicks in, your VPN app usually tries to reconnect. Once the tunnel is up again, your internet access is automatically restored. As an aside, all this cross-platform complexity makes it challenging for VPN providers to offer a kill switch on every device type.
Keep that in mind if you visit a provider's website and it boasts about having a great kill switch but doesn't list the supported platforms. Check the rest of the site, maybe in the Support pages, to find out if there's a kill switch on all apps. Although the concept of a kill switch is simple, the reality is more complicated, because every provider and app has its own way of working. There are two common approaches. The most popular type, such as ExpressVPN's Network Lock on Windows, only blocks your internet access if the VPN drops unexpectedly. If you manually disconnect or close the VPN app, the kill switch is disabled and you're free to browse as usual. But others (including NordVPN's Windows app) don't allow any internet access at all unless you're connected to the VPN. If you manually disconnect or close the app, you won't be able to get online until the VPN connection is re-established. An application-level kill switch works differently: it monitors your system, and if it detects a dropped connection, closes the apps you specify. You might tell the VPN app to shut down your browser and torrent client, for instance, ensuring they won't use an unprotected connection. Application-level kill switches don't offer much security. But they're also less likely to get in your way than the usual type, as they only affect the apps you specify and won't block anything else. If you only need the most basic protection for one or two apps, an application-level kill switch might be useful. But if you're looking for something more comprehensive, we'd stick with a system-wide kill switch.
Security researchers discovered new vulnerabilities in the WPA3-Personal protocol which allow potential attackers to crack Wi-Fi network passwords and get access to the encrypted network traffic exchanged between the connected devices. According to a press release from the Wi-Fi Alliance, the devices impacted by these security vulnerabilities in the WPA3 Wi-Fi standard "allow the collection of side-channel information on a device running an attacker’s software, do not properly implement certain cryptographic operations, or use unsuitable cryptographic elements." WPA3 uses Wi-Fi Device Provisioning Protocol (DPP) instead of shared passwords to sign up new devices to the network, a protocol that allows users to scan QR codes or NFC tags to log devices onto the wireless network. Additionally, unlike WPA2, all network traffic will be encrypted after connecting to a network that uses WPA3 WiFi Security. The WPA3-Personal protocol replaces the Pre-shared Key (PSK) in WPA2-Personal with Simultaneous Authentication of Equals (SAE) to provide more robust password-based authentication. While the WPA3-Personal was designed to substitute the less secure 14-year-old WPA2, the newer protocol's Simultaneous Authentication of Equals (SAE) handshake—also known as Dragonfly—seems to be plagued by a number of underlying design flaws which expose users to password partitioning attacks as discovered by researchers. "These attacks resemble dictionary attacks and allow an adversary to recover the password by abusing timing or cache-based side-channel leaks. Our side-channel attacks target the protocol’s password encoding method" said Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven) in their research paper. The researchers also mention on the website dedicated to the analysis of the attacks against WPA3's Dragonfly handshake that "This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on." 
As explained in the abstract of the research paper, "The resulting attacks are efficient and low cost: brute-forcing all 8-character lowercase passwords requires less than 125$ in Amazon EC2 instances." Since the Dragonfly handshake is used by Wi-Fi networks that require usernames and passwords for access control, it is also used by the EAP-pwd protocol which makes all the Dragonblood attacks found to impact WPA3-Personal ready to be used against EAP-pwd. "Moreover, we also discovered serious bugs in most products that implement EAP-pwd. These allow an adversary to impersonate any user, and thereby access the Wi-Fi network, without knowing the user's password," state the two researchers. "Although we believe that EAP-pwd is used fairly infrequently, this still poses serious risks for many users, and illustrates the risks of incorrectly implementing Dragonfly." The flaws found within WPA3-Personal are of two types, side-channel leaks and downgrade attacks, and both can be used by potential attackers to find the Wi-Fi network's password.
Time crystals sound like majestic objects from science fiction movies that unlock passageways to alternative universes. In the Marvel universe, the “time stone” gives wielders control over the past, present, and future. While that remains a fantasy, scientists have successfully created micro-scale time crystals for years — not for powering intergalactic spaceships but for energizing ultrapowerful computers. “Time crystals are like a rest stop on the road to building a quantum computer,” said Norman Yao, a molecular physicist at the University of California at Berkeley. It’s an area of interest for Google, which, along with physicists at Stanford and Princeton universities, claim to have developed a “scalable approach” to time crystal creation using the company’s Sycamore quantum computer. In a paper published last month on the research-sharing platform Arxiv.org, a team of over 100 scientists describes how they set up an array of 20 quantum particles, or qubits, to serve as a time crystal. During experiments, they applied algorithms that spun the qubits upward and downward, generating a controllable reaction that could be sustained “for infinitely long times,” according to the paper. Time crystals are scientific oddities made of atoms arranged in a repeating pattern in space. This design enables them to shift shape over time without losing energy or overheating. Since time crystals continuously evolve and don’t seem to require much energy input, they may be useful for quantum computers, which rely on extremely fragile qubits that are prone to decay. Quantum computing is weighed down by hard-to-control qubits, which are error-prone and often die. Time crystals might introduce a better method for sustaining quantum computing, according to Yao, who published a blueprint for making time crystals in 2017. “Time crystals are a weighted benchmark, showing that your system has the requisite level of control,” Yao said. 
The scientists involved in Google’s research say they can’t discuss their findings as they undergo peer review. However, the work tackles an area where physicists have long hoped for a breakthrough. “The consequence is amazing: You evade the second law of thermodynamics,” Roderich Moessner, a co-author of the Google paper, told Quanta Magazine. The time crystal concept was first proposed in 2012 by Nobel Prize-winning physicist Frank Wilczek, who wondered whether atoms could be arranged in time similar to their arrangement in ordinary crystals. Essentially, he wondered whether a closed system could spin, oscillate or move in a repetitious manner. What followed was a healthy dose of scrutiny from the broader physics community, years of university experiments with and without Wilczek, and testing to see whether his vision was possible. The definition expanded to include objects that would be activated by an external influence such as a shake, stir, or laser strike. “The definition is somewhat fluid. But if you want to call it a new state of matter, you want it to be autonomous and not have stirred,” Wilczek said. Early experiments pumped ions with lasers so they would artificially pulsate. It was useful but difficult to scale, Wilczek added. By 2017, scientists from Harvard University and the University of Maryland revealed they created micro-scale time crystals at frigid temperatures in a lab. Both passed peer review. More recently, a team from the Delft University of Technology in the Netherlands published findings in July on its approach to building a time crystal inside a diamond. (Those findings haven’t undergone peer review.) Time crystals are a tough concept to grasp, but scientists say you can think of them as a perpetual motion machine, adding a caveat to the second law of thermodynamics, which states that any isolated system will degenerate into a more disordered state or entropy. 
Their existence also undermines Newton’s first law of motion, detailing how an object must react to motion.