The post The Fall of Versus: Dark Web Mastermind Extradited to the US to Face Life Behind Bars appeared first on Daily CyberSecurity.

Earlier this year, YouTube began rolling out a row of algorithmically recommended videos at the top of the Subscriptions page. The section, labeled "most relevant," surfaces content the algorithm predicts the user will engage with, pulled from channels the user already follows. The subscription feed still exists below it. But the default view, the first thing a user sees when navigating to a page they built through deliberate choices, now leads with what YouTube's algorithm thinks they should watch.

The post The Engagement Ratchet: How YouTube, Instagram, and Amazon Trained Users to Accept Less Control appeared first on Security Boulevard.

When Microsoft reintroduced its redesigned Recall feature, security took center stage. The architecture was built around hardened components, including Virtualization-Based Security (VBS) enclaves, AES-256-GCM encryption, Windows Hello authentication, and a Protected Process Light (PPL) host.  On paper, this layered approach suggested a tightly sealed system where sensitive data, screenshots, OCR text, and metadata would remain protected at every stage. However, findings from TotalRecall Reloaded reveal that, while the vault itself is secure, the path data that results from decryption raises serious concerns. 

A Strong Core with a Fragile Edge 

Recall’s encryption model is technically sound. Data resides inside a secure enclave, with cryptographic keys never leaving its boundary. The use of AES-256-GCM encryption ensures both confidentiality and integrity. But the weakness does not lie in storage; it lies in how decrypted data is handled once it exits the enclave.  The process responsible for rendering Recall’s timeline, AIXHost.exe, lacks the protections applied elsewhere. Unlike aihost.exe, which runs under PPL, AIXHost.exe operates without PPL enforcement, AppContainer isolation, or strict code integrity checks. This creates a critical gap where other processes running under the same user account can interact with it. Once a user authenticates through Windows Hello, decrypted Recall data begins flowing through AIXHost.exe. At that moment, the system implicitly trusts everything inside that process, whether legitimate or malicious. 

How TotalRecall Exploits the Gap 

TotalRecall Reloaded takes advantage of this trust boundary issue. It uses a classic DLL injection technique to embed itself into AIXHost.exe. The tool consists of two parts: an injector (totalrecall.exe) and a payload DLL (totalrecall_payload.dll).   Using standard Windows APIs like CreateToolhelp32Snapshot, VirtualAllocEx, WriteProcessMemory, and LoadLibraryW, injects code into the target process. No administrative privileges or kernel exploits are required. The attack relies entirely on user-level permissions and legitimate system functionality.   This is important because Windows allows processes under the same user to interact freely by default. 

Authentication: Timing Instead of Bypassing 

Importantly, TotalRecall Reloaded does not bypass Windows Hello. Instead, it waits for authentication to occur naturally or triggers it indirectly.  In “launch” mode, it simulates the Win+J shortcut, prompting the user to authenticate. Once authenticated, decrypted data becomes accessible. In “stealth” mode, the tool modifies the DiscardDataAccess function so that access is never revoked after Recall closes. It then waits for normal user activity and begins extraction silently, without triggering another authentication prompt.  A third mode, “wait,” simply monitors for Recall activity and acts once authentication occurs. 

What Data Gets Extracted 

Once embedded, the payload uses Recall’s own internal COM interfaces to extract data. This includes: 

• Full-resolution screenshots (PNG format)  
• OCR text, including lines and individual words with pixel-level bounding boxes  
• Metadata such as application names, URLs, timestamps, and window dimensions  
• Named entities like people, locations, and email addresses  
• AI-generated activity descriptions  

Recall captures data every few seconds, building a detailed behavioral profile. It stores this in an encrypted SQLite database (ukg.db) protected by AES-256-GCM encryption. Default retention is 90 days with a 75 GB storage limit.  The dataset includes everything from browser activity and document edits to terminal commands and messaging conversations, fully indexed and searchable. 

Pre-Authentication Concerns 

Some functions exposed by Recall do not require Windows Hello authentication at all. For example, GetRecentCaptureThumbnail can return a full-resolution screenshot simply by requesting a large size. Similarly, IDataStoreManager::DeleteEvents allows complete deletion of the recall history without authorization checks.  Additional metadata, such as storage paths, database size, and capture counts, can also be accessed without authentication. Microsoft’s design assumes that data remains safe within the enclave and PPL-protected processes. However, once decrypted data reaches AIXHost.exe, that assumption no longer holds.  There is no verification of which code is making requests inside AIXHost.exe. Whether it’s legitimate UI logic or injected malware, the system treats all requests equally. This effectively ends the trust boundary too early, leaving decrypted data exposed. 

Inconsistent Access Controls 

Further issues arise from inconsistent COM interface protections. Some methods enforce access restrictions properly, returning errors when accessed without authorization. Others, such as alternate interface versions, allow access to the same data without checks. This inconsistency enables attackers to bypass intended safeguards by simply calling different interfaces.  Once Windows Hello authentication is completed, the authenticated state is cached in the PPL-protected aihost.exe for the entire Windows session. Restarting AIXHost.exe does not reset this state.  By patching the DiscardDataAccess function, TotalRecall Reloaded ensures that access persists indefinitely. Even after Recall is closed, the tool can reinject itself and continue extracting data without further prompts or user awareness. 

The Bigger Picture 

Recall’s underlying technologies—VBS enclaves, AES-256-GCM encryption, TPM-backed keys, and Windows Hello- are implemented correctly. The issue is not cryptographic weakness or flawed authentication. It is the decision to pass decrypted data into a process that lacks equivalent protections.  In simple terms, the vault is secure, but once opened, its contents are left unguarded.   This research was submitted to the Microsoft Security Response Center (MSRC) on March 6, 2026. After review, the case (109586) was closed on April 3, 2026, as “Not a Vulnerability.” Microsoft stated that the observed behavior aligns with the system’s documented security design. 

Tested Environment 

• OS: Windows 11 25H2 (Build 26300.8155)  
• Architecture: ARM64  
• AIXHost.exe version: 2126.7602.0.0  
• Privilege level: Standard user (medium integrity, no elevation) 

The Federal Communications Commission (FCC) is proposing stricter Know-Your-Customer (KYC) rules for robocalls as part of a broader effort to curb illegal calls and protect consumers. In a newly released Further Notice of Proposed Rulemaking, the agency outlined plans to tighten requirements for originating voice service providers, which are considered the first line of defense against unlawful robocalls. The proposal reflects growing concern that existing KYC rules for robocalls are not being consistently enforced, allowing bad actors to exploit gaps in the system. The FCC emphasized that stopping illegal calls before they enter the network remains the most effective way to reduce fraud and abuse.

Why the FCC Is Expanding KYC Rules for Robocalls

Under current FCC robocall regulations, voice service providers are required to take “affirmative, effective” steps to know their customers. However, regulators say some providers are failing to carry out adequate checks, resulting in a surge of illegal robocalls that defraud consumers and expose telecom networks to misuse. “Combatting illegal calls is our top consumer protection priority, and we are taking a holistic approach by attacking them at every point in their lifecycle.” The FCC noted that weak KYC rules for robocalls not only enable scams but also make it harder for law enforcement to track criminal activities, including drug trafficking and human exploitation that rely on anonymous communication channels.

Proposed Changes to KYC Rules for Robocalls

The FCC is seeking public comment on several measures aimed at strengthening KYC rules for robocalls and improving telecom KYC compliance. One key proposal is to require providers to collect more detailed customer information before granting access to calling services. This includes name, physical address, government-issued identification number, and an alternate contact number for all new and renewing customers. For high-volume callers, such as businesses or bulk calling services, the FCC is considering additional requirements. These may include collecting information on how the service will be used—such as marketing or political campaigns—as well as technical data like IP addresses used to place calls. The Commission believes these enhanced Know-Your-Customer rules for robocalls could deter fraudsters from entering the network and make it easier to identify them if illegal activity occurs.

Verification, Monitoring, and Data Retention

Beyond data collection, the FCC is also proposing stricter verification and monitoring under its updated KYC rules for robocalls. Providers may be required to verify customer identities using supporting documents such as government-issued IDs or business registration records. The agency is also exploring whether companies should retain KYC records for up to four years after a customer relationship ends, allowing time for investigations into illegal robocalls. Another key focus is ongoing monitoring. The FCC is considering whether providers should re-verify customer information when unusual activity is detected, such as sudden spikes in call volume or changes in traffic patterns. These measures aim to ensure that telecom networks are not continuously exploited by bad actors using false or stolen identities.

Tougher Penalties to Enforce Compliance

To strengthen enforcement, the FCC has proposed financial penalties tied directly to violations of KYC rules for robocalls. The agency is considering a base fine of $2,500 per illegal call, aligning penalties with the scale of harm caused. This per-call penalty structure is designed to discourage large-scale robocall operations, where millions of fraudulent calls can generate significant profits. The FCC believes that stronger enforcement will push providers to take telecom KYC compliance more seriously and close existing loopholes.

Recent Enforcement Highlights Gaps

The push for stronger KYC rules for robocalls comes amid ongoing enforcement challenges. In a recent case, the FCC proposed a $4.5 million fine against Voxbeam Telecommunications for allegedly routing illegal robocalls into U.S. networks. The investigation found that Voxbeam accepted traffic from Axfone, a Czech-based provider not listed in the FCC’s Robocall Mitigation Database. Under existing rules, such traffic should have been blocked, raising concerns about gaps in compliance and oversight. If adopted, the new rules could significantly reshape how voice service providers onboard and monitor customers, bringing telecom practices closer to the stricter identity verification standards already seen in the financial sector.

Master granular policy enforcement for hybrid classical-quantum AI workflows. Secure your MCP servers with post-quantum encryption and advanced threat detection.

The post Granular Policy Enforcement for Hybrid Classical-Quantum AI Workflows appeared first on Security Boulevard.

AI-driven and “legitimate” bots now make up a growing share of web traffic, blurring the line between value and risk. Security teams must treat bot traffic as a governance, cost, and cyber supply chain issue, guided by long-term visibility and analytics.

The post Monitoring Legitimate Bot Traffic is Now a Cybersecurity Requirement  appeared first on Security Boulevard.

A Florida software distributor has been sentenced to federal prison after being convicted of Microsoft certificate of authenticity trafficking, a scheme that involved selling genuine software authentication labels separately from the software they were meant to accompany. Heidi Richards, 52, of Brandon, was sentenced to 22 months in prison and ordered to pay a $50,000 fine after a jury found her guilty of conspiring to traffic in illicit Microsoft Certificate of Authenticity (COA) labels. The sentencing was announced by U.S. Attorney Gregory W. Kehoe. The case sheds light on a lesser-known corner of software-related cybercrime where legitimate authentication components are diverted into illegal distribution channels. Investigators say the Microsoft certificate of authenticity trafficking operation allowed product activation codes to be resold and potentially used to enable unauthorized software installations.

How the Microsoft Certificate of Authenticity Trafficking Scheme Worked

According to court documents and evidence presented at trial, Richards operated a company called Trinity Software Distribution. Through the business, she purchased thousands of genuine standalone Microsoft COA labels from co-conspirators. Prosecutors said Richards paid millions of dollars for the labels, often at prices significantly below the retail value of the software products they were originally linked to. Instead of selling them alongside licensed software, Richards and her employees allegedly extracted the product key codes printed on the labels. Those activation keys were then sold in bulk to customers. Federal law prohibits the sale or trafficking of COA labels separately from the software programs and hardware they were designed to accompany. In other words, the labels themselves cannot be treated as standalone products in the marketplace. The Microsoft certificate of authenticity trafficking case demonstrates how genuine licensing components can still be misused to bypass legitimate software distribution channels.

Why COA Labels Attract Criminal Interest

Certificate of Authenticity labels play an important role in verifying legitimate Microsoft software. Each label contains security features and a unique product key that allows users to activate the software legally. These labels are typically attached to licensed devices or distributed with official software packages to confirm authenticity. However, the presence of valid activation codes has created an underground market where COA labels are bought and sold illegally. Criminal resellers can extract the codes and use them to activate unauthorized installations of software. This demand has contributed to cases like the Microsoft certificate of authenticity trafficking scheme uncovered in Florida, where authentic labels became the core commodity in an illicit resale operation. Authorities say the labels “are not to be sold separately from the license and hardware that they are intended to accompany, and they hold no independent commercial value.” Yet because the labels contain product keys that unlock software, they continue to attract interest in grey and illegal markets.

Part of a Larger Cybercrime Enforcement Effort

The case was supported by the Computer Crime and Intellectual Property Section, which focuses on investigating and prosecuting cybercrime and intellectual property offenses. The unit works with domestic and international law enforcement agencies and often collaborates with private-sector partners to track technology-related crimes. Since 2020, the section has secured more than 180 cybercriminal convictions and obtained court orders returning over $350 million in funds to victims. While the Microsoft certificate of authenticity trafficking case may appear narrower than typical cybercrime prosecutions, it reflects a broader challenge facing the software industry: protecting the integrity of licensing systems.

Learn how to secure Model Context Protocol (MCP) deployments with granular policy enforcement and post-quantum cryptography for prompt engineering.

The post Granular Policy Enforcement for Quantum-Secure Prompt Engineering appeared first on Security Boulevard.

A new diplomatic offensive against foreign privacy laws collides with fresh research showing that weakening data sovereignty protections is the last thing organizations need right now.

The post The Global Fight Over Who Controls Your Data Just Escalated — Here’s What the Numbers Say appeared first on TechRepublic.

AI agents have moved from novelty to operational reality, acting autonomously across business systems in ways traditional AI security posture management (AISPM) and IAM can’t fully govern. Learn why risk now emerges at runtime, where existing posture tools fall short, and how Agentic SPM enables continuous discovery, runtime decision control, and auditability for autonomous agents.

The post Why AISPM Isn’t Enough for the Agentic Era  appeared first on Security Boulevard.

It’s a demonstration of how toxic the surveillance-tech company Flock has become when Amazon’s Ring cancels the partnership between the two companies.

As Hamilton Nolan advises, remove your Ring doorbell.

Microsoft confirmed it can hand over BitLocker recovery keys stored in the cloud under warrant, reviving debate over who controls encrypted data.

The post Microsoft Shared BitLocker Keys With FBI, Raising Privacy Fears appeared first on TechRepublic.

A teacher in high school once quoted an old proverb to me: "Do something you love, and you'll never work a day in your life!"

Perhaps 18-year-old Alan Filion encountered a similar teacher during his school years in California, because once Filion learned that he truly loved making fake "swatting" calls to law enforcement—well, he turned the crime into a job, using handles like "Nazgul Swattings" and "Third Reich of Kiwiswats." Originally it was all about the "power trip," but it soon became about "money and the power trip."

"Prices: $40-Gas leak/Fire for EMS/Fire/Gas Leak [$35 for returning customers]," Filion wrote in a 2023 advertisement that ran on various social media channels. "$50 for a major police response to the house [$40 for returning customers]; $75 for a bomb threat/mass shooting threat (they will shut down the school or public location for a day) [$60 for returning customers]. All swats will be done ASAP or present time."

Read full article

Comments