This Week In Security: Windows 10 Gets Another Year, SmartTV Botnets, Hiding Payloads, And LastPass Customer Leak

Unsurprisingly to many of us, app stores for smart televisions are also trash. Perhaps even more full of trash than other app stores due to the smaller ecosystem and fewer reviewers.

Spur analyzed the LG smart TV app store, and found that almost half of the apps available contain proxy software, turning your TV into a node in their proxy network. Are these apps malware? Many of the analyzed apps provided a thin veneer of user consent: they offer you the tradeoff of seeing an ad every 15 seconds, or allowing their “occasional web indexing” to run permanently in the background. Watch the fishtank app for five minutes, join their proxy network for life.

Spur notes that the proxy SDK in use appears to block connections to private network ranges (internal IP ranges like 192.168.x.x and 10.x.x.x), but that the SDK restricting access to those ranges is the only protection against accessing whatever network the TV is connected to.

Amazon and Roku ban proxy apps on their devices. Samsung and LG do not.

Win 10 Security Updates Extended

Microsoft has added another year of security updates to Windows 10. Despite trying to kill the platform, so many users remain on Windows 10 that Microsoft likely has no choice.

The extended support program was previously due to end in October 2026 but has now been pushed to October 2027. The security updates will be available for free in the UI, but users in other regions must activate OneDrive and sync system settings, or pay 1000 Microsoft credits (about $30).

The death of Windows 10 is near, but for those unwilling or unable to let go, it shuffles along.

Signal Phishing Attempts

Bleeping Computer has an article about increased phishing attempts from hacker groups in Russia targeting Signal users.

The phishing messages target politicians, government officials, military, and other high-profile intelligence targets, and claim that Signal is introducing mandatory two-factor authentication, before prompting the target to enable remote Signal backups. A second follow-up phishing attempt then prompts the user to copy the backup authentication tokens from Signal and provide them to the attacker.

Signal remote backups are a relatively recent addition to the messenger, making a backup on the Signal servers of a users messages and images, encrypted with a key known only to the user. While convenient, and likely fundamentally secure given the track record of the Signal team, this phishing campaign highlights a major weakness: once private content is accessible somewhere else, an attacker simply needs to obtain the keys to access it, which is significantly simpler than obtaining the message content directly from the victims phone.

Continue reading “This Week In Security: Windows 10 Gets Another Year, SmartTV Botnets, Hiding Payloads, And LastPass Customer Leak”

This Week In Security: Annoyed Researchers, Dangling DNS, And Hacks That Could Have Been Worse

The author of the BlueHammer exploit, which was released earlier this month and addressed in the last Patch Tuesday, continues to be annoyed with the responses from the Microsoft security research and vulnerability response team, and has released another Windows zero-day attack against Windows Defender.

The RedSun exploit targets a logic and timing error in Windows Defender, convincing it to install the target file in the system, instead of quarantining the file and protecting the system. Not, generally, what you would hope would happen.

Since the RedSun attack requires local access in the first place, it seems unlikely Microsoft will release an out-of-sequence patch for it, however with public code available, we can probably expect to see malware leveraging it to establish higher permissions on an infected system.

Releasing exploits out of spite feels like a return to the late 1990s, and I almost don’t hate it.

University Domains Hijacked

Reported in Bleeping Computer, a group tracked as “Hazy Hawk” has been hijacking unmaintained DNS records of universities and government institutions to serve ad click spam.

The attack seems simple and doesn’t even require compromising the actual institution, using dangling DNS “CNAME” records. A “CNAME” entry in DNS acts essentially as an alias, pointing one domain name at another, which can be used to provide content from an official domain that is hosted on a cloud service where the IP address of the service might change.

A DNS “A” (or “AAAA” if you speak IPv6) record points a hostname – like “foo.example.com” – to an IP address – like “1.1.1.1”. A “CNAME” record points a hostname to another hostname, like “foo.some_cloud_host.com”. Scanning “high value” domains (like Ivy League universities) for “CNAME” records which point to expired domains (or domains on cloud hosted providers which no longer exist) lets anyone able to register that domain (or create an account with the proper naming scheme on the cloud host) to post any content they wish, and still appear to be the original name.

At least 30 educational institutions have been impacted, along with several government agencies including the CDC.

Continue reading “This Week In Security: Annoyed Researchers, Dangling DNS, And Hacks That Could Have Been Worse”

This Week In Security: Signal DRM, Modern Phone Phreaking, And The Impossible SSH RCE

Digital Rights Management (DRM) has been the bane of users since it was first introduced. Who remembers the battle it was getting Netflix running on Linux machines, or the literal legal fight over the DVD DRM decryption key? So the news from Signal, that DRM is finally being put to use to protect users is ironic.

The reason for this is Microsoft Recall — the AI powered feature that takes a snapshot of everything on the user’s desktop every few seconds. For whatever reason, you might want to exempt some windows from Recall’s memory window. It doesn’t speak well for Microsoft’s implementation that the easiest way for an application to opt out of the feature is to mark its window as containing DRM content. Signal, the private communications platform, is using this to hide from Recall and other screenshotting applications.

The Signal blogs warns that this may be just the start of agentic AI being rolled out with insufficient controls and permissions. The issue here isn’t the singularity or AI reaching sentience, it’s the same old security and privacy problems we’ve always had: Too much information being collected, data being shared without permission, and an untrusted actor having access to way more than it should. Continue reading “This Week In Security: Signal DRM, Modern Phone Phreaking, And The Impossible SSH RCE”

Dwingeloo telescope with sun shining through

Dwingeloo To Venus: Report Of A Successful Bounce

Radio waves travel fast, and they can bounce, too. If you are able to operate a 25-meter dish, a transmitter, a solid software-defined radio, and an atomic clock, the answer is: yes, they can go all the way to Venus and back. On March 22, 2025, the Dwingeloo telescope in the Netherlands successfully pulled off an Earth-Venus-Earth (EVE) bounce, making them the second group of amateurs ever to do so. The full breakdown of this feat is available in their write-up here.

Bouncing signals off planets isn’t new. NASA has been at it since the 1960s – but amateur radio astronomers have far fewer toys to play with. Before Dwingeloo’s success, AMSAT-DL achieved the only known amateur EVE bounce back in 2009. This time, the Dwingeloo team transmitted a 278-second tone at 1299.5 MHz, with the round trip to Venus taking about 280 seconds. Stockert’s radio telescope in Germany also picked up the returning echo, stronger than Dwingeloo’s own, due to its more sensitive receiving setup.

Post-processing wasn’t easy either. Doppler shift corrections had to be applied, and the received signal was split into 1 Hz frequency bins. The resulting detections clocked in at 5.4 sigma for Dwingeloo alone, 8.5 sigma for Stockert’s recording, and 9.2 sigma when combining both datasets. A clear signal, loud and proud, straight from Venus’ surface.

The experiment was cut short when Dwingeloo’s transmitter started failing after four successful bounces. More complex signal modulations will have to wait for the next Venus conjunction in October 2026. Until then, you can read our previously published article on achievements of the Dwingeloo telescope.

A Hacker’s Approach To All Things Antenna

When your homebrew Yagi antenna only sort-of works, or when your WiFi cantenna seems moody on rainy days, we can assure you: it is not only you. You can stop doubting yourself once and for all after you’ve watched the Tech 101: Antennas webinar by [Dr. Jonathan Chisum].

[Jonathan] breaks it all down in a way that makes you want to rip out your old antenna and start fresh. It goes further than textbook theory; it’s the kind of knowledge defense techs use for real electronic warfare. And since it’s out there in bite-sized chunks, we hackers can easily put it to good use.

The key takeaway is that antenna size matters. Basically, it’s all about wavelength, and [Jonathan] hammers home how tuning antenna dimensions to your target frequency makes or breaks your signal. Whether you’re into omnis (for example, for 360-degree drone control) or laser-focused directional antennas for secret backyard links, this is juicy stuff.

If you’re serious about getting into RF hacking, watch this webinar. Then dig up that Yagi build, and be sure to send us your best antenna hacks.

Continue reading “A Hacker’s Approach To All Things Antenna”

Bokeh photo of red light particles in the dark

Beam Me Up: Simple Free-Space Optical Communication

Let’s think of the last time you sent data without wires. We’re not talking WiFi here, but plain optical signals. Free-space optical communication, or FSO, is an interesting and easy way to transmit signals through light beams. Forget expensive lasers or commercial-grade equipment; this video by [W1VLF] offers a simple and cheap entry point for anyone with a curiosity for DIY tech. Inspired by a video on weak signal sources for optical experiments, this project uses everyday components like a TV remote-control infrared LED and a photo diode. The goal is simply to establish optical communication across distances for under $10. Continue reading “Beam Me Up: Simple Free-Space Optical Communication”

Visual of sound against a dark red sky

The 1924 Martian Signal: A Cosmic Curiosity

In an age where our gadgets allow us to explore the cosmos, we stumbled upon sounds from a future past: an article on historical signals from Mars. The piece, written by [Paul Gilster] of Centauri Dreams, cites a Times essay published by [Becky Ferreira] of August 20. [Ferreira]’s essay sheds light on a fascinating, if peculiar, chapter in the history of the search for extraterrestrial life.

She recounts an event from August 1924 when the U.S. Navy imposed a nationwide radio silence for five minutes each hour to allow observatories to listen for signals from Mars. This initiative aimed to capitalize on the planet’s close alignment with Earth, sparking intrigue and excitement among astronomers and enthusiasts alike.

Continue reading “The 1924 Martian Signal: A Cosmic Curiosity”