Cardi B Pleads Guilty To Strip Club Fights And Gets Light Sentence

“Part of growing up and maturing is being accountable for your actions,” the rapper said.

Microsoft Teams has been storing authentication tokens in plaintext

Microsoft Teams stores authentication tokens in unencrypted plaintext, allowing attackers to potentially control communications within an organization, according to the security firm Vectra. The flaw affects the desktop app for Windows, Mac and Linux built using Microsoft’s Electron framework. Microsoft is aware of the issue but said it has no plans for a fix anytime soon, since an exploit would also require network access.

According to Vectra, a hacker with local or remote system access could steal the credentials for any Teams user currently online, then impersonate them even when they’re offline. They could also pretend to be the user through apps associated with Teams, like Skype or Outlook, while bypassing the multifactor authentication (MFA) usually required. 

“This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files,” Vectra security architect Connor Peoples wrote. “Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks.”

Vectra created a proof-of-concept exploit that allowed them to send a message to the account of the credential holder via an access token. “Assuming full control of critical seats–like a company’s Head of Engineering, CEO, or CFO — attackers can convince users to perform tasks damaging to the organization.”  

The problem is mainly limited to the desktop app, because the Electron framework (that essentially creates a web app port) has “no additional security controls to protect cookie data,” unlike modern web browsers. As such, Vectra recommends not using the desktop app until a patch is created, and using the web application instead.

When informed by cybersecurity news site Dark Reading of the vulnerability, Microsoft said it “does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network,” adding that it would consider addressing it in a future product release. 

However, threat hunter John Bambenek told Dark Reading it could provide a secondary means for “lateral movement” in the event of a network breach. He also noted that Microsoft is moving toward Progressive Web Apps that “would mitigate many of the concerns currently brought by Electron.”

Uber Investigating Massive Security Breach by Alleged Teen Hacker

Uber is investigating a breach of the company’s most sensitive data—including financial documents, internal messages, and who knows what else—by someone who told the New York Times they’re just 18 years old. The hacker posted screenshots of their alleged exploits on Telegram on Thursday and even announced the hack in…

Apple's MacBook Air M2 is $100 off right now

Apple’s MacBook Air M2 blends performance, battery life and a tiny size perhaps better than any previous model, but it’s also more expensive. If you’ve been waiting for a deal, now is a good time to act: The silver 256GB model is on sale at Amazon for $1,099, or $100 off the regular price — matching a deal we saw last month. 

The MacBook Air hit one of the best Engadget review scores ever for good reason. Apple went to a uniformly thin design with the MacBook Air M2, finally shedding the wedge shape that’s existed since Steve Jobs pulled one out of an envelope back in 2008. That makes it more balanced, but also thinner and lighter than ever at 11.3 millimeters and 2.7 pounds — less than an iPad Pro with its Smart Keyboard. 

Apple also managed to slightly increase the size of the 2,560 x 1,664 Liquid Retina screen to 13.6 inches by shrinking the size of the bezels, while nestling the webcam in a (slightly controversial) screen notch up top. It comes with improved speakers and a MagSafe power adapter, along with a pair of USB-C/Thunderbolt 3 ports with support for charging, displays, and data transfers up to 40Gb/s.

The M2 processor significantly boosts performance over the Air M1, running nearly as quickly as the 13-inch MacBook Pro M2. It starts rapidly, loads apps quickly and offers snappy performance across the board. And you won’t need to sweat if you’re far from a power outlet, as it lasted up to 16.5 hours in our testing — enough for a plane trip from LA to Sydney.

‘Stranger Things’ Star Maya Hawke Reveals Why She Would Love For Robin To Die

…And she’s not the only cast member with a death wish for their characters.

US border forces are seizing Americans' phone data and storing it for 15 years

If a traveler’s phone, tablet or computer ever gets searched at an airport, American border authorities could add data from their device to a massive database that can be accessed by thousands of government officials. US Customs and Border Protection (CBP) leaders have admitted to lawmakers in a briefing that its officials are adding information to a database from as many as 10,000 devices every year, The Washington Post reports. 

Further, 2,700 CBP officers can access the database without a warrant and without having to record the purpose of their search. These details were revealed in a letter Senator Ron Wyden wrote to CBP Commissioner Chris Magnus, where the lawmaker also said that CBP keeps any information it takes from people’s devices for 15 years. 

In the letter, Wyden urged the commissioner to update CBP’s practices so that device searches at borders are focused on suspected criminals and security threats instead of allowing “indiscriminate rifling through Americans’ private records without suspicion of a crime.” Wyden said CBP takes sensitive information from people’s devices, including text messages, call logs, contact lists and even photos and other private information in some cases. 

While law enforcement agencies are typically required to secure a warrant if they want to access the contents of a phone or any other electronic device, border authorities are exempted from having to do the same. Wyden also pointed out that travelers searched at airports, seaports and border crossings aren’t informed of their rights before their devices are searched. And if they refuse to unlock their electronics, authorities could confiscate and keep them for five days.

As The Post notes, a CBP official previously went on record to say that the agency’s directive gives its officers the authority to scroll through any traveler’s device in a “basic search.” If they find any “reasonable suspicion” that a traveler is breaking the law or doing something that poses a threat to national security, they can run a more advanced search. That’s when they can plug in the traveler’s phone, tablet or PC to a device that copies their information, which is then stored in the Automated Targeting System database.

CBP director of office of field operations Aaron Bowker told the publication that the agency only copies people’s data when “absolutely necessary.” Bowker didn’t deny that the agency’s officers can access the database, though — he even said that the number was bigger than what CBP officials told Wyden. Five percent of CBP’s 60,000 personnel have access to the database, he said, which translates to 3,000 officers and not 2,700.

Wyden wrote in his letter:

“Innocent Americans should not be tricked into unlocking their phones and laptops. CBP should not dump data obtained through thousands of warrantless phone searches into a central database, retain the data for fifteen years, and allow thousands of DHS employees to search through Americans’ personal data whenever they want.”

Two years ago, the Senator also called for an investigation into the CBP’s use of commercially available location data to track people’s phones without a warrant. CBP had admitted back then that it spent $500,000 to access a commercial database containing “location data mined from applications on millions of Americans’ mobile phones.”

Chess Player Insists He Didn’t Use Sex Toy To Defeat World Champion

“If they want me to strip fully naked, I will do it,” chess grandmaster Hans Niemann said about the outcry over his controversial win.

Jimmy Kimmel Pokes Trump’s Sore Spot With An Insult He Really Hates

The late-night host says a new book confirms this notion about the former guy.

Seth Meyers Suspects Mike Lindell’s FBI Order Isn’t All It’s Cracked Up To Be

The MyPillow guy claimed he defied orders not to talk about the FBI seizing his phone in Minnesota.