Getty Images/iStockphoto Microsoft has detailed a workaround for admins to protect their networks from a zero-day flaw in a Windows tool that hackers have been exploiting via malicious Word documents.  Over the weekend, security researchers discovered a malicious Word document that was uploaded to Google-owned VirusTotal on 25 May from an IP address in Belarus.  […] More

TCL 60 XE Nxtpaper 5G <!–> ZDNET’s key takeaways This budget Android phone features a large, paper-like display, 128GB of storage, and more. It has a feature set that promotes minimalism and digital wellbeing. I just wish the camera system and general performance were better. –> Looking at smartphones all day can be exhausting on […] More

The founder of a Turkish cryptocurrency exchange has reportedly fled the country with billions of dollars in user assets. 

According to local media reports, Turkey has issued an international arrest warrant for Faruk Fatih Özer, who has allegedly been spotted leaving Turkey via Istanbul airport in order to enter Albania. Özer, the CEO and founder of the Thodex cryptocurrency exchange platform, has allegedly taken approximately $2 billion in funds with him which belongs to 391,000 investors.  On Thursday, Istanbul-based Thodex posted a notice on its website informing users that the exchange would be closed for several days in order to handle a “sales” process.  However, suddenly unable to access their cryptocurrency accounts or withdraw funds, users began to voice concerns that they had been scammed.  Thousands of Turkish citizens have now filed criminal complaints against the company, alleging that they have been victims of an exit scheme. A lawyer acting for the complainants said the allegedly stolen funds were “irretrievable.” Bloomberg reports that the Justice Ministry has issued a red notice for the former CEO, which are used by Interpol to warn “police in all our member countries about internationally wanted fugitives,” although it is up to each country whether or not to act on them and potentially launch extradition proceedings. 

Last week, law enforcement issued arrest warrants for 80 individuals suspected of being linked to the platform and 68 suspects have, so far, been apprehended, according to the Anadolu Agency (AA).  The local media outlet says Özer is being sought for alleged fraud and “founding a criminal organization.” However, in a statement on its website (translated), Thodex called the claims “baseless” and a “smear campaign.” The organization claims that an “abnormality” was found in company accounts and Thodex temporarily closed to get to the bottom of the matter — and at the same time, Özer left Turkey to meet with “foreign investors.”  Thodex added that a previously undisclosed “cyberattack” impacted roughly 30,000 users causing a “suspicious situation.” According to the statement, Özer will be returning to Turkey in order to cooperate with local authorities. “As a result of the perception of victimization created in the public [space], our company is prevented from continuing its commercial life,” the statement reads. Özer’s original Twitter profile has since been closed down. A new profile, apparently belonging to the executive, shared the latest Thodex statement on April 22 and has since claimed the company is creating an “interface” to allow users to request their funds. Furthermore, Thodex says that no user will be “victimized.”  Turkey intends to impose a ban on the use of cryptocurrency to purchase goods and to make payments by the end of April. While this does not mean there is an outright ban on holding cryptocurrency as an asset, Turkey’s central bank says the payment restrictions are necessary due to a lack of a regulatory, “central” authority.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

GitHub has announced support for security keys to prevent account compromise in SSH Git operations.

When you add a security key to SSH operations, you can use these devices to protect you and your account from accidental exposure, account hijacking, or malware, GitHub security engineer Kevin Jones said in a blog post on May 10.  Security keys, including the YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys, are physical, portable dongles that implement an additional layer of security to your online services and accounts.  Strong passwords are still important but due to the prevalence of data leaks and cyberattacks, they are becoming less effective as a single security measure — leading to the creation of password managers that also monitor for credential exposure online, biometrics, and security keys.   GitHub, too, wants to move away from typical passwords and to more secure authentication standards. At present, users can now use a password, personal access token (PAT), or an SSH key to access Git — but the company intends to remove support for passwords later this year.  “We recognize that passwords are convenient, but they are a consistent source of account security challenges,” Jones commented. “We believe passwords represent the present and past, but not the future. […] By removing password support for Git, as we already successfully did for our API, we will raise the baseline security hygiene for every user and organization, and for the resulting software supply chain.” In order to make the transition, users need to log in and follow GitHub’s documentation on how to create a new key and add it to their account, and users will find the process somewhat similar to how you would add an SSH key to an account in the past. The same security key can be used for both web and SSH authentication. 

Remote Git operations — including push, fetch, and pull — will require an additional key tap in an attempt to prevent malware from initiating requests on your behalf. However, if you are already locally authenticated, you can still perform operations such as branch and merge without the need to go through this step again.  GitHub will also remove unused, inactive keys over time.  The organization was one of the first to support FIDO Universal 2nd Factor (U2F) authentication.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Michael Burrell/Getty NordPass users looking for a quick and easy way to access vital documents can now store them online. In a Tuesday blog post, NordPass introduced Documents, a new storage option that uses an encrypted vault to house digital copies of physical documents in the cloud. In its post, NordPass cited passports, IDs, and […] More