This Week In Security: Windows 10 Gets Another Year, SmartTV Botnets, Hiding Payloads, And LastPass Customer Leak

Unsurprisingly to many of us, app stores for smart televisions are also trash. Perhaps even more full of trash than other app stores due to the smaller ecosystem and fewer reviewers.

Spur analyzed the LG smart TV app store, and found that almost half of the apps available contain proxy software, turning your TV into a node in their proxy network. Are these apps malware? Many of the analyzed apps provided a thin veneer of user consent: they offer you the tradeoff of seeing an ad every 15 seconds, or allowing their “occasional web indexing” to run permanently in the background. Watch the fishtank app for five minutes, join their proxy network for life.

Spur notes that the proxy SDK in use appears to block connections to private network ranges (internal IP ranges like 192.168.x.x and 10.x.x.x), but that this SDK-level restriction is the only thing standing between the proxy network and whatever network the TV is connected to.

Amazon and Roku ban proxy apps on their devices. Samsung and LG do not.

Win 10 Security Updates Extended

Microsoft has added another year of security updates to Windows 10. Despite trying to kill the platform, so many users remain on Windows 10 that Microsoft likely has no choice.

The extended support program was previously due to end in October 2026 but has now been pushed to October 2027. The security updates will be available for free in the EU, but users in other regions must activate OneDrive and sync system settings, or pay 1000 Microsoft credits (about $30).

The death of Windows 10 is near, but for those unwilling or unable to let go, it shuffles along.

Signal Phishing Attempts

Bleeping Computer has an article about increased phishing attempts from hacker groups in Russia targeting Signal users.

The phishing messages target politicians, government officials, military, and other high-profile intelligence targets, and claim that Signal is introducing mandatory two-factor authentication, before prompting the target to enable remote Signal backups. A second follow-up phishing attempt then prompts the user to copy the backup authentication tokens from Signal and provide them to the attacker.

Signal remote backups are a relatively recent addition to the messenger, making a backup of a user's messages and images on the Signal servers, encrypted with a key known only to the user. While convenient, and likely fundamentally secure given the track record of the Signal team, this phishing campaign highlights a major weakness: once private content is accessible somewhere else, an attacker simply needs to obtain the keys to access it, which is significantly simpler than obtaining the message content directly from the victim's phone.


This Week In Security: AI Is Terrible, Ransomware Wrenches, And Airdrop

So first off, go take a look at this curl bug report. It's an 8.6 severity security problem, a buffer overflow in WebSockets. Potentially a really bad one. But, it's bogus. Yes, a strcpy call can be dangerous, if there aren't proper length checks. This code has pretty robust length checks. There just doesn't seem to be a vulnerability here.

OK, so let's jump to the punch line. This is a bug report that was generated with one of the Large Language Models (LLMs) like Google Bard or ChatGPT. And it shouldn't be a surprise. There are some big bug bounties that are paid out, so naturally people are trying to leverage AI to score those bounties. But as [Daniel Stenberg] points out, LLMs are not actually AI, and the I in LLM stands for intelligence.

There have always been vulnerability reports of dubious quality, sent by people who either don't understand how vulnerability research works, or are willing to waste maintainer time by sending in raw vulnerability scanner output without putting in any real effort. What LLMs do is provide an illusion of competence that takes longer for a maintainer to wade through before realizing that the claim is bogus. [Daniel] is more charitable than I might be, suggesting that LLMs may help with communicating real issues through language barriers. But still, this suggests that the long-term solution may be "simply" detecting LLM-generated reports and marking them as spam.

Airdropping Live Fish Is A Thing And It Looks Magnificent

Utah is a place that features a wonderful and varied wilderness. Its mountainous terrain is home to many valleys, ponds, and streams. They're a particular favorite of recreational anglers who visit the region for the great fishing. Oftentimes, however, these areas are fished out by visitors and need to be restocked. Other environmental factors also come into play in reducing populations.

A plane delivering live fish to the lakes of Utah via air drop. Source: Utah DWR

When this happens in some areas, it’s as simple as driving up a truck full of water and fish and dumping them into the lake. The problem is that many of these lakes and streams are difficult to access by foot or by road. Believe it or not, the most practical method found to deal with the problem thus far is dropping in live fish by air. Here’s how it all goes down.

Live Cargo

Typically, the fish dropped into these remote watercourses are quite young, and on the order of 1-3″ long. The fish are specifically raised to later be fished, and are also usually sterile, making it easier for Utah’s Division of Wildlife Resources to manage numbers. When it comes time to restock remote lakes, waterbombing planes are pumped full of water and loaded up with fish.
