Fresh Technology Insights

Category: Cybersecurity (Page 1 of 12)

Microsoft coordinated worldwide effort across 35 countries to take down the Necurs botnet, one of the largest known to date, which had infecting 9 million computers

Catalin Cimpanu, ZDNet »

After Microsoft has taken control of existing Necurs infrastructure, the company and its industry partners have been able to sinkhole the botnet and receive information about all the bots located across the world.

As a final step part of this effort, Microsoft says it’s now working with ISPs and CERT teams to notify users who have been infected so that they can remove the malware from their computers.

More » Microsoft, The Hacker News, SecurityWeek

Australia sues Facebook for breaching the privacy of over 300K Australians in the Cambridge Analytica scandal

Facebook could face millions of dollars in fines over allegedly breaching the privacy of over 300,000 Australian citizens caught up in the Cambridge Analytica scandal.

Josh Taylor, The Guardian »

The Australian information commissioner Angelene Falk has alleged Facebook committed serious and repeated interferences with privacy in contravention of Australian privacy law because data collected by Facebook was passed onto the This is Your Digital Life app by Cambridge Analytica for political profiling, which was not what it was collected for.

Data included people’s names, dates of birth, email addresses, city location, friends list, page likes and Facebook messages for those who had granted the app access to the messages.
Guardian Today: the headlines, the analysis, the debate – sent direct to you
Read more

“We consider the design of the Facebook platform meant that users were unable to exercise reasonable choice and control about how their personal information was disclosed,” Falk said.

“Facebook’s default settings facilitated the disclosure of personal information, including sensitive information, at the expense of privacy.”

More » Office of the Australian Information Commissioner, Reuters, News.com.au, Seeking Alpha

Intel CPUs and chipsets have a serious hardware flaw that’s not fixable

Dan Goodin, Ars Technica »

Virtually all Intel chips released in the past five years contain an unfixable flaw that may allow sophisticated attackers to defeat a host of security measures built into the silicon. While Intel has issued patches to lessen the damage of exploits and make them harder, security firm Positive Technologies said the mitigations may not be enough to fully protect systems.

The flaw resides in the Converged Security and Management Engine, a subsystem inside Intel CPUs and chipsets that’s roughly analogous to AMD’s Platform Security Processor. Often abbreviated as CSME, this feature implements the firmware-based Trusted Platform Module used for silicon-based encryption, authentication of UEFI BIOS firmware, Microsoft System Guard and BitLocker, and other security features. The bug stems from the failure of the input-output memory management unit—which provides protection preventing the malicious modification of static random-access memory—to implement early enough in the firmware boot process. That failure creates a window of opportunity for other chip components, such as the Integrated Sensor Hub, to execute malicious code that runs very early in the boot process with the highest of system privileges.

More » Positive Technologies, The Register, ZDNet, Thurrott

UK government’s MI5 spies want “exceptional access” to your encrypted communications

Dan Sabbagh, The Guardian »

MI5’s director general has called on technology companies to find a way to allow spy agencies “exceptional access” to encrypted messages, amid fears they cannot otherwise access such communications.

Sir Andrew Parker is understood to be particularly concerned about Facebook, which announced plans to introduce powerful end-to-end encryption last March across all the social media firm’s services.

In an ITV interview to be broadcast on Thursday, Sir Andrew Parker says he has found it “increasingly mystifying” that intelligence agencies like his are not able to easily read secret messages of terror suspects they are monitoring.

Firefox begins the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users

If you prefer, you can switch to NextDNS or disable it entirely in Network Settings.

More » Mozilla Blog

 

Updated » 01 March 2020

Dan Maloney, Hackaday »

Mozilla announced this week that Firefox would turn on DNS over HTTPS (DoH) by default in the United States. DoH encrypts the DNS requests that are needed to translate a domain name to an IP address, which normally travel in clear text and are therefore easily observed. Easily readable DNS transactions are also key to content blockers, which has raised the hackles of regulators and legislators over the plan, who are singing the usual “think of the children” song. That DoH would make user data collection and ad-tracking harder probably has nothing to do with their protests.

Apple and TikTok have each decline to testify – for a second time – at congressional hearings probing technology industry ties to the Chinese central government

Simple question » What are they trying to hide?

Tony Romm, Washington Post »

Republican Sen. Josh Hawley (Mo.), one of TikTok’s leading critics, had invited the two tech firms to appear at a March 4 session, his office confirmed Monday. Both previously had declined to testify at a hearing last year on the same issue.

TikTok confirmed Monday that it told Hawley it would dispatch a top aide to appear at an unspecified later date, just not next week, citing a recent raft of new hires at senior ranks of the company. Apple did not respond to a request for comment about its expected absence.

[…]

With TikTok, meanwhile, Hawley and other lawmakers have been sharply critical of its Chinese-based parent company, ByteDance. Despite its repeated assurances, TikTok has struggled to convince lawmakers that the app is operating independently from Beijing, which heavily censors online content.

Chinese companies are legally not allowed to be independent of their government. So it’s not unreasonable to be concerned. And both Apple and TikTok should be forthcoming and honest.

Researchers at Mysk show how any and all apps on your iOS devices have free and unrestricted access to everything that goes onto the clipboard

Developers at Mysk created a simple app with the sole purpose of displaying information gleaned from the clipboard, without user knowledge or consent.

When users copy images onto their clipboard, for example, the app can immediately read the content, including metadata that often includes the location of where the photo was taken.

The video demo below goes onto show that even the installed widgets can silently collect all data copied to the clipboard, without user knowledge.

Here’s a detailed explanation.

EU Commission recommends staff use the Signal messaging app

The EU and other world governments have suffered high profile data breaches, often because they were using insecure commercial apps, or apps that were handling data in ways that were not obvious or stated.

Signal is a true end-to-end messaging app that has been verified by security experts around the world. Journalist and activists dealing in sensitive areas where their lives are often at stake, depend on Signal.

Laurens Cerulus, Pro Publica »

The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications.

The instruction appeared on internal messaging boards in early February, notifying employees that “Signal has been selected as the recommended application for public instant messaging.”

[…]

Privacy experts consider that Signal’s security is superior to other apps’. “We can’t read your messages or see your calls,” its website reads, “and no one else can either.”

The Signal App is available free on several platforms (iOS, Android, etc) through the official web site.

« Older posts

© 2020 Tech Letter

Theme by Anders NorenUp ↑