
Facebook-owned WhatsApp has published a new FAQ that aims to clear up misunderstandings over a planned update to its privacy policy, which some people thought would force them to permit WhatsApp to share profile data, phone numbers and diagnostic data with Facebook.
Chatter on social media about the policy change caused a mini exodus among WhatsApp’s two billion users to Signal – a messaging app that most security experts recommend. Signal also provides the end-to-end encryption protocol that WhatsApp uses.
WhatsApp’s wording in the notification about its privacy update said users must accept the policy update after February 8 and suggested an alternative was to delete the WhatsApp account. WhatsApp’s previous policy let users opt out of most sharing of user data with Facebook.
The surge in new Signal signups was probably helped by Elon Musk tweeting “Use Signal” following reports of WhatsApp’s upcoming privacy policy changes by Ars Technica and PCMag.
Telegram also claimed to have gained 25 million new users in the past three days, pushing its user numbers beyond 500 million.
Facebook has now explained that the policy changes, which take effect on February 8, are actually about WhatsApp users messaging a business on WhatsApp.
“We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way. Instead, this update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data,” WhatsApp says in the FAQ.
WhatsApp stressed that Facebook can’t see private WhatsApp messages and nor can WhatsApp because of end-to-end encryption. Additionally, neither WhatsApp nor Facebook can see users’ locations shared with each other. WhatsApp says it doesn’t share users’ contacts with Facebook or its other apps.
However, the FAQ also explains the three key scenarios where WhatsApp user data and communications can end up on Facebook’s servers, but these are limited to communications with businesses via WhatsApp. Those communications can be used to target ads to the user on Facebook.
WhatsApp explains it is “giving businesses the option to use secure hosting services from Facebook to manage WhatsApp chats with their customers, answer questions, and send helpful information like purchase receipts.”
“Whether you communicate with a business by phone, email, or WhatsApp, it can see what you’re saying and may use that information for its own marketing purposes, which may include advertising on Facebook. To make sure you’re informed, we clearly label conversations with businesses that are choosing to use hosting services from Facebook.”
Additionally, with Facebook commerce features like Shops, Facebook is allowing businesses to display their goods within WhatsApp. Facebook says that when WhatsApp users choose to use these features, it will inform users within the WhatsApp app how a person’s data is being shared with Facebook.
The third way is via ads on Facebook with a button to message a business using WhatsApp.
“If you have WhatsApp installed on your phone, you’ll have the option to message that business. Facebook may use the way you interact with these ads to personalize the ads you see on Facebook,” said WhatsApp.
The Commonwealth Ombudsman, Michael Manthorpe, has revealed that law enforcement agencies are being given the full URLs of web pages visited by people under investigation. Australia’s mandatory telecommunications data retention scheme was meant to deliver only so-called “metadata” to the cops and spooks. Under the scheme, a warrant is not required. But according to Manthorpe, […]

Security vulnerabilities in millions of Internet of Things (IoT) devices could allow cyber criminals to knock devices offline or take control of them remotely, in attacks that could be exploited to gain wider access to affected networks.
The nine vulnerabilities affecting four TCP/IP stacks – communications protocols commonly used in IoT devices – relate to Domain Name System (DNS) implementations, which can lead to Denial of Service (DoS) or Remote Code Execution (RCE) by attackers. Over 100 million consumer, enterprise and industrial IoT devices are potentially affected.
Uncovered and detailed by cybersecurity researchers at Forescout and JSOF, the vulnerabilities have been dubbed Name:Wreck after the way the parsing of domain names can break DNS implementations in TCP/IP stacks, leading to potential attacks.
The report follows Forescout’s previous research into vulnerabilities in Internet of Things devices and forms part of Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks and how to mitigate them. Vulnerabilities were uncovered on popular stacks including Nucleus NET, FreeBSD and NetX.
While security patches are now available to fix the vulnerabilities, applying security updates to IoT devices can be difficult – if it’s even possible at all – meaning that many could remain vulnerable, potentially providing a means for cyber attackers to compromise networks and services.
“This can be an entry point, a foothold into a network and from there you can decide, basically, what the attack is,” Daniel dos Santos, research manager at Forescout research labs, told ZDNet.
“One of the things that you can do is just basically take devices offline by sending malicious packets that crash the device. Another thing is when you’re able to actually execute code on the device, that opens up the possibility of persistence on the network or moving laterally in the network to other kinds of our targets,” he explained.
According to the report, organisations in healthcare could be among the most affected by the security flaws in the stacks, potentially enabling attackers to access medical devices and obtain private healthcare data, or even take devices offline to prevent patient care.
The vulnerabilities could also help cyber attackers gain access to enterprise networks and steal sensitive information, and may have the potential to impact industrial environments by enabling attackers to tamper with — or disable — operational technology. It’s therefore recommended that organisations apply the necessary security patches as soon as possible to help protect their networks.
“Complete protection against Name:Wreck requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up-to-date patches for any devices running across these affected IP Stacks,” said dos Santos.
In some cases, it might not even be possible to apply patches to IoT devices. In these instances, there are additional steps organisations can take to help protect networks against exploitation.
“Besides patching, which of course is the thing that everybody should try to do, there are other things that can be done, like segmentation and monitoring network traffic,” said dos Santos.
It’s hoped that developers of TCP/IP stacks take heed of all of the Project Memoria reports and build better security into devices, to prevent similar security vulnerabilities being uncovered in future.
“There is much work left to be done to understand the real dangers behind the foundations of IT/OT/IoT connectivity, and the more parties we can get involved in finding vulnerabilities, fixing them and providing higher-level solutions, the faster we can transition to a more secure world,” the research paper concludes.

A year and a half after Microsoft disclosed the BlueKeep vulnerability impacting the Windows RDP service, more than 245,000 Windows systems still remain unpatched and vulnerable to attacks.
The number represents around 25% of the 950,000 systems that were initially discovered to be vulnerable to BlueKeep attacks during a first scan in May 2019.
Similarly, more than 103,000 Windows systems also remain vulnerable to SMBGhost, a vulnerability in the Server Message Block v3 (SMB) protocol that ships with recent versions of Windows, disclosed in March 2020.
Both vulnerabilities allow attackers to take over Windows systems remotely and are considered some of the most severe bugs disclosed in Windows over the past few years.
However, despite their severity, many systems have remained unpatched, according to research compiled over the past few weeks by SANS ISC handler Jan Kopriva [1, 2].
Kopriva says that BlueKeep and SMBGhost aren’t the only major remotely-exploitable vulnerabilities that still have a strong presence online these days, exposing systems to attacks.
According to the Czech security researcher, there are still millions of internet-accessible systems that administrators have failed to patch and are vulnerable to remote takeovers. These include systems like IIS servers, Exim email agents, OpenSSL clients, and WordPress sites.
| CVE | Product | Unpatched systems | CVSSv3 |
|---|---|---|---|
| CVE-2019-0211 | Apache web server | 3,357,835 | 7.8 |
| CVE-2019-12525 | Squid | 1,219,716 | 9.8 |
| CVE-2015-1635 | Microsoft IIS | 374,113 | 10 |
| CVE-2019-13917 | Exim | 268,409 | 9.8 |
| CVE-2019-10149 (Return of the WIZard) | Exim | 264,655 | 9.8 |
| CVE-2019-0708 (BlueKeep) | Windows RDP | 246,869 | 9.8 |
| CVE-2014-0160 (Heartbleed) | OpenSSL | 204,878 | 7.5 |
| CVE-2020-0796 (SMBGhost) | Windows SMB | 103,000 | 10 |
| CVE-2019-9787 | WordPress | 83,951 | 8.8 |
| CVE-2019-12815 | ProFTPD | 80,434 | 9.8 |
| CVE-2018-6789 | Exim | 76,344 | 9.8 |

The reasons these systems have been left unpatched remain unknown, but even recent warnings from US government cyber-security agencies have not helped.
This includes two warnings from the US National Security Agency (NSA), one issued in May (for the Exim bug CVE-2019-10149 that was exploited by Russian state hackers), and a second in October (for the BlueKeep bug that was exploited by Chinese state hackers).
Yet, despite these warnings, there are still more than 268,000 Exim servers unpatched for the Exim bug and more than 245,000 unpatched for BlueKeep.
Kopriva says the numbers show that “even very well-known vulnerabilities are sometimes left unpatched for years on end.”
“Given how dangerous and well known BlueKeep is, it rather begs the question of how many other, less well-known critical vulnerabilities are still left unpatched on a similar number of systems,” Kopriva also adds.
A ransomware attack delivered by fake Windows 10 and antivirus software updates is targeting home users, using sneaky techniques to stay undetected before encrypting files and demanding a ransom payment of thousands of dollars. The Magniber campaign, detailed by HP Wolf Security, is unusual for 2022 in the way it focuses […]




