Subterms
Image: Getty/Bloom Productions Keeping on top of cybersecurity risks is a constant challenge. Threats including phishing, malware and ransomware are continually evolving and adapting, as cyber criminals regularly find new, innovative ways to conduct malicious hacking campaigns, break into computer systems and find a way to stay there. Special Feature This combination is proving difficult […] More
Google says it will automatically delete location logs when it detects visits to abortion clinics and domestic violence shelters. In a blog post, Jen Fitzpatrick, senior vice president of Google Core Systems & Experiences, said the changes would be rolling out in the coming weeks.Following the overturning of the landmark Roe v. Wade ruling, which enshrined the right to legal abortion in the United States, there are fears that data collected through search histories, medical tracking apps, and GPS location data, among other technologies, could be used in prosecutions. According to Fitzpatrick, while many privacy controls are on offer for users, the tech giant will also contribute by ensuring that some datasets are automatically wiped before such a future becomes a reality. “Given that these issues apply to healthcare providers, telecommunications companies, banks, tech platforms, and many more, we know privacy protections cannot be solely up to individual companies or states acting individually,” the executive says. Location history on your Google account is off by default, but some users may find it useful for personalized recommendations. However, if location history is enabled and a user visits a sensitive area, Google will now delete these logs automatically. Suppose the company’s systems detect a visit to places including medical facilities, counseling centers, domestic violence shelters, abortion and fertility clinics, or addiction treatment centers. In that case, Fitzpatrick says, “we will delete these entries from Location History soon after they visit.” Period tracking apps and software are also of concern. At the moment, the logs of menstruation trackers in Google Fit and Fitbit can be deleted one record at a time, but the company intends to expand this to allow multiple logs to be removed at once. Google has also reiterated its stance on law enforcement data demands. In some cases, the company is legally obligated to hand over user information. Still, users are informed when their data is shared unless Google is barred from doing so or a situation is considered an emergency. The company also publishes a regular transparency report that shares the number of law enforcement requests it receives and how many are successful. Google may push back against over-broad requests or object to providing records at all. “We remain committed to protecting our users against improper government demands for data, and we will continue to oppose demands that are overly broad or otherwise legally objectionable,” Fitzpatrick commented. “We also will continue to support bipartisan legislation, such as the NDO Fairness Act recently passed by the House of Representatives, to reduce secrecy and increase transparency around government data demands.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More
It’s not often that I say you absolutely need to buy something. But this is something you need to buy.Two-factor authentication — a combination of something you remember (such as a password) and something you have (a smartphone or a token) — offers far better security than relying on passwords alone. And while SMS-based authentication is better than nothing, what’s even better is hardware-based authentication.I’ve tested dozens of hardware-based security keys, and the one that I use to secure my online accounts is the Yubikey 5C NFC More
The Cybersecurity & Infrastructure Security Agency (CISA) is now advising federal agencies and others to patch a Windows flaw from Microsoft’s May Patch Tuesday. CISA has re-added the Windows flaw CVE-2022-26925 to its Known Exploited Vulnerabilities (KEV) Catalog and has told federal agencies to patch it by 22 July. The bug is in Windows Local Security Authority (LSA), which “contains a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM.”NTLM or NT Lan Manager (NTLM) is a legacy Microsoft authentication protocol for Active Directory that was implemented in Windows 2000. LSA allows applications to authenticate and log users on to a local system. CISA on May 15 temporarily removed CVE-2022-26925 from the KEV catalog because of login issues customers faced after applying the update on Windows Servers used as domain controllers, that is, Windows servers used for user authentication. Besides potentially breaking logins for users at many federal agencies, it’s also a complicated fix to roll out. CISA on July 1 noted in separate guidance for applying the patch for CVE-2022-26925 that it contains fixes for two related flaws addressed in the May Patch Tuesday update: CVE-2022-26923, an Active Directory domain services elevation of privilege flaw; and CVE-2022-26931, a Windows Kerberos elevation of privilege vulnerability. (Kerberos is the successor to NTLM for authentication in Active Directory). But as CISA explains, these updates caused logins failures at “many federal agencies” that use Personal Identity Verification (PIV)/Common Access Card (CAC) certificates for authentication. The breakage stems from Active Directory, after the May 2022 update, looks for “strong mapping between the certificate and account”. To avoid these login issues, CISA now recommends following its steps for setting two registry keys on domain controllers.The registry key settings allow admins to control whether the domain controller is in “Compatibility Mode” or “Full Enforcement Mode”. Microsoft explains the reason for tighter checks on certificates in Compatibility Mode is that prior to May 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name, allowing for spoofing attacks. Applying the May 2022 security update puts devices in Compatibility Mode. And next year, on May 9, 2023, Microsoft will update all devices to Full Enforcement Mode if they are not already in it. “Once you have installed the May 10, 2022 Windows updates, devices will be in Compatibility mode. If a certificate can be strongly mapped to a user, authentication will occur as expected. If a certificate can only be weakly mapped to a user, authentication will occur as expected,” Microsoft explains in an FAQ. “However, a warning message will be logged unless the certificate is older than the user. If the certificate is older than the user and Certificate Backdating registry key is not present or the range is outside the backdating compensation, authentication will fail, and an error message will be logged. If the Certificate Backdating registry key is configured, it will log a warning message in the event log if the dates falls within the backdating compensation.”After you install the May 10, 2022 Windows updates, watch for any warning message that might appear after a month or more. If there are no warning messages, we strongly recommend that you enable Full Enforcement mode on all domain controllers using certificate-based authentication. You can use the KDC registry key to enable Full Enforcement mode.” But CISA says agencies should not migrate to strong certificate-user mapping yet, partly because it could conflict with some valid use cases in the Federal PKI ecosystem. CISA says it is in discussions with Microsoft to find a less disruptive solution. CISA says that Microsoft pushing Windows Server devices to ‘Full Enforcement’ mode in May 2023 “will break authentication if agencies have not created a strong mapping or added SIDs to certificates.””CISA and the interagency working group are in active discussions with Microsoft for an improved path forward. At this time, CISA does not recommend agencies pursue migration to a strong mapping,” CISA says. More
Businesses in China should brace themselves for a potential spike in smishing attacks and identity theft, following reports that the personal data of 1 billion residents in the country has been put up for sale online. If legitimate, the massive data breach can result in phone swapping or other identity fraud activities, which can impact a Chinese user’s social credit scoring.Hackers claiming to have access to databases containing the data had offered the information for sale on an online forum, which specialised in the trading of stolen databases. Priced at 10 Bitcoins ($197,376) for 24TB worth of data, the personal details included date and place of birth, national identification number, residential address, and mobile number. The hackers claimed the data came from the Shanghai National Police and offered a sample dump. A report from Wall Street Journal said the details of at least nine residents from this sample were confirmed to be legitimate. According to data security vendor Acronis, the data sample contained three categories of information comprising the resident’s personal data file, phone location data or address and phone number, and police incident or criminal case registry. For the latter, information such as location of the crime and brief incident description appeared to be leaked, Acronis’ co-founder and technology president Stas Protassov told ZDNet. Most of the criminal case information involved minor incidents and descriptions of the scene, including “a fight” at a specific location in Zhujing Town and minor road incidents.Protassov noted that these police records referred to people involved in the incidents, which could be damaging to them. He added that the compromised data could be used to personalise future attacks, such as spear phishing, or to commit fraud using the identity of the victims. He urged organisations and individuals to be on the lookout for fraudulent activities and malicious email or text messages.Asked if the data breach could have greater impact in China, where the use of some services required registration based on personal information, Protassov said it was unlikely the compromised data on its own could result in hackers taking over such services. However, he warned that it could lead to phone swapping or other identity theft activities that could negatively impact a Chinese user’s scoring on social media platforms. Operators of apps that provide news, instant messaging, and other related services in China must require their users to register based on their mobile and identification card numbers. Users who refuse to do so or who use fraudulent identification data cannot be permitted to use the app. China operates a social credit system that aims to track and assess the trustworthiness of a person, company, and government agency. Each is tagged with a social credit score that is evaluated against various data sources, such as financial, government, and criminal records. The system is undergoing further refinement by the government. Protassov said while news of data leaks were common, this breach was unique due to its volume. According to Check Point Software Technologies’ threat intelligence group manager Sergey Shykevich, the significant size of the compromised data indicated a high likelihood cybercriminals might use the information to launch phishing and spear-phishing attacks. With the leaked data encompassing mobile numbers, Shykevich said businesses in China should be prepared for a potential wave of smishing or SMS phishing attacks. He added that the online forum touting the sale of the data also peddled other databases from China, including a courier database with 66 million user records that were allegedly stolen from ShunFeng Express in 2020, and data from driving schools in the country.A tweet from Binance CEO Changpeng Zhao suggested the latest data breach was the result of a government employee posting a tech blog on Chinese Software Developer Network that accidentally included user credentials. Without access to the log files, Protassov said it was impossible to confirm the attack vector. Based on the ID format, he surmised it was likely an Elasticsearch dump, but it was unclear whether the breach was due to leaked credentials or poorly configured systems. “Such data leaks most commonly happen when someone leaves unauthenticated Elastic instance available on the internet,” he added.RELATED COVERAGE More
Image: Shutterstock/GaudiLab A new phishing campaign on WhatsApp is scamming individuals who want to work in the United Kingdom. As documented by Malwarebytes, the scheme’s operators are sending out messages claiming to be from the UK government, offering a free visa and other benefits to individuals willing to move to the country. SEE: Google: Half […] More
Image: Getty Images Ukrainian police said they have arrested suspected members of a cyber-criminal gang conducting an EU payments phishing scheme. In a statement, Ukraine’s Cyber Police Department and the Kyiv-based Pechersk Police Department said the criminal group created and promoted roughly 400 phishing links to send to the county’s citizens. The links sent victims […] More
Image: 10’000 Hours/GETTY Google has released an update to Chrome 103 for Windows desktops that fixes a flaw in its implementation of WebRTC, which it warns is already under attack. The issue that Chrome update 103.0.5060.114 for Windows addresses is a “heap buffer overflow in WebRTC”, referring to when the buffer allocated in the heap […] More
