More stories

  • 'FLoC off!' Vivaldi declares as it says no to Google's tracking system

    The Chromium-based Vivaldi browser has removed FLoC, Google’s controversial alternative identifier to third-party cookies for tracking users across websites. FLoC, or Federated Learning of Cohorts, has just been released by Google for Chrome as its answer to improving privacy while still delivering targeted ads. But Vivaldi has called it a “dangerous step that harms user privacy”. “Google’s new data harvesting venture is nasty,” it declared in a blog post that begins with the header “FLoC off! Vivaldi does not support FLoC”. “At Vivaldi, we stand up for the privacy rights of our users. We do not approve tracking and profiling, in any disguise. We certainly would not allow our products to build up local tracking profiles.” “It presents FLoC as part of a set of so-called ‘privacy’ technologies, but let’s remove the pretence here; FLoC is a privacy-invasive tracking technology.” Vivaldi is based on Chromium. But while it relies on the Chromium engine to render pages correctly, it said this is where Vivaldi’s similarities with Chrome and other Chromium-based browsers end.

    It said the FLoC experiment does not work in Vivaldi, as it relies on some hidden settings that are not enabled in Vivaldi. The FLoC component in Chrome needs to call Google’s servers to check whether it can function, since Google is only enabling it in parts of the world that are not covered by Europe’s GDPR. As the blog explained, Vivaldi does not allow such a call to be made to Google. “We will not support the FLoC API and plan to disable it, no matter how it is implemented. It does not protect privacy and it certainly is not beneficial to users, to unwittingly give away their privacy for the financial gain of Google,” it said. FLoC has been widely criticised by privacy advocates, even though it is an improvement on third-party cookies. The Electronic Frontier Foundation (EFF) called it a “terrible idea” because now Chrome shares a summary of each user’s recent browsing activity with marketers. As Vivaldi explained, an ad company could previously only see the aspects of a user’s personality relating to the websites where its ads were used. An ad provider that was only used on 1,000 websites might only have seen each visitor on one or two of those sites, so it could not build up much tracking data about a user. “FLoC changes this completely. Its core design involves sharing new information with advertisers,” it continued. “Now every website will get to see an ID that was generated from your behaviour on every other website.” “You might visit a website that relates to a highly personal subject that may or may not use FLoC ads, and now every other site that you visit gets told your FLoC ID, which shows that you have visited that specific kind of site.” FLoC, Vivaldi said, has very serious implications for people who live in an environment where aspects of their personality are persecuted, such as their sexuality, political viewpoint, or religion. “All can become a part of your FLoC ID,” it said. “This is no longer about privacy but goes beyond. It crosses the line into personal safety.” “We reject FLoC. You should too.”

  • FBI blasts away web shells on US servers in wake of Exchange vulnerabilities

    It’s possible that if you were running an Exchange server in the United States, it could have been compromised, and somewhat mitigated by the FBI without your knowledge. The Department of Justice revealed on Tuesday that the FBI gained authorisation to remove web shells installed on compromised servers related to the Exchange vulnerabilities. “Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the department said. “This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to US networks.” Despite the operation, those that run Exchange servers are still recommended to follow Microsoft’s advice as well as ensure servers are properly patched. “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” it said. “This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”

    Because each shell had a unique file path and name, the department added that it may have been difficult for “individual server owners” to find and remove them. As of the end of March, the department was aware of “hundreds” of shells still working on US servers. Microsoft released its first alerts on the vulnerabilities at the start of March. The FBI is now attempting to alert the server owners from whose systems it removed shells. Affected users with publicly available contact information will receive an “e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search”, and failing that, ISPs will be contacted to provide notice. “Today’s court-authorized removal of the malicious web shells demonstrates the department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” Assistant Attorney General for National Security John C. Demers said. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the department is committed to playing its integral and necessary role in such efforts.” On March 24, Microsoft said 92% of vulnerable servers were patched or mitigated. In Australia, the government’s Australian Cyber Security Centre has been running scans to find vulnerable servers in the country.

  • Microsoft April patch download covers 114 CVEs including new Exchange Server bugs

    Microsoft is advising businesses to patch four new, previously undisclosed Exchange Server vulnerabilities just weeks after zero-day attacks that affected installations worldwide. In Microsoft’s Patch Tuesday roundup, the software giant and the US National Security Agency (NSA) urged fixes. Microsoft credited the NSA for finding two remote code execution flaws (CVE-2021-28480 and CVE-2021-28481) in Exchange Server. Both bugs found by the NSA carry a CVSS score of 9.8 because they can be exploited without any user interaction. Overall, Microsoft released patches for 114 CVEs covering everything from Windows to Edge (Chromium-based), Azure, Microsoft Office, SharePoint Server and Exchange Server, among others. According to TippingPoint’s ZDI, the patch bundle is the largest so far this year. Regarding the Exchange bugs, Microsoft said: “We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.”

    The attacks on Exchange have been a major headache for Microsoft and enterprises. Microsoft released emergency patches for Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 on March 2. At the time, the company said that four zero-day vulnerabilities which could lead to data theft and overall server hijacking were being actively exploited in “limited, targeted attacks.” However, it was not long before multiple advanced persistent threat (APT) groups began to join in Exchange Server-based campaigns, and it is estimated that thousands of systems belonging to organizations worldwide have been compromised. Alongside the emergency patches, Microsoft has also published a mitigation guide and created a one-click mitigation tool, including a URL rewrite for one of the vulnerabilities to stop an attack chain from forming.

  • Samsung's new Galaxy Quantum 2 uses quantum cryptography to secure apps

    Image caption: Developed together with SK Telecom, the Galaxy Quantum 2 is the second quantum-equipped smartphone released by Samsung. (Image: SK Telecom)
    Samsung is launching a new smartphone equipped with quantum cryptography technology, which promises to deliver a new level of security to consumer applications like mobile banking. Developed together with South Korean telecoms giant SK Telecom, the Galaxy Quantum 2 device will be — at least for the foreseeable future — only available to the South Korean public, and is the second quantum-equipped smartphone released by Samsung.  With a 6.7-inch display, a 64MP main camera, and a Qualcomm Snapdragon 855+ chipset, the Quantum 2’s feature set matches some of Samsung’s flagship smartphones, with the additional security of quantum cryptography for some of the device’s services. 

    The Quantum 2’s predecessor, called the Galaxy A Quantum, made its debut last year in South Korea as the world’s first 5G smartphone with integrated quantum cryptography technology. Like the new Quantum 2, the Galaxy A includes a quantum random number generator (QRNG) that’s designed to secure sensitive transactions against the most sophisticated attacks. Developed by ID Quantique, the QRNG comes in the form of a 2.5mm-by-2.5mm chipset that leverages the unpredictable properties of quantum particles to generate completely random numbers. This is key to making cryptographic keys more robust: the more random a security key, the harder it is to use logical mathematics to crack the code. Most classical systems rely on number generators that are deterministic, which means that it’s possible, with enough compute power, to figure out what makes up the cryptographic keys that protect sensitive data on a device. ID Quantique’s system, on the other hand, uses an LED light source that beams photons onto a CMOS sensor. According to the laws of physics, the behaviour of photons as they are picked up by the sensor is random, and can therefore be translated into a key that’s completely unpredictable.

    In the Galaxy A Quantum, those unhackable keys are used to protect various transactions, for example by generating stronger one-time passwords during two-factor authentication. QRNG also increases the security of storage for sensitive data such as biometrics, which is needed to authorise payments through SK Telecom’s Pay app, for example. SK Telecom also lets users create “quantum wallets” on their phones, where useful identity documents like licences, insurance claim documents or even graduation certificates can be encrypted with QRNG. The new Quantum 2 smartphone extends the number of services that can be secured with quantum encryption. SK Telecom’s services like T World, Pass and T Membership, as well as mobile banking services with Shinhan Bank and Standard Chartered Bank Korea, will be provided using QRNG. “The Galaxy Quantum 2 includes more quantum-secured applications than ever before, bringing applications and services to a new level of security in the mobile phone industry,” said Grégoire Ribordy, CEO and co-founder of ID Quantique. The ID Quantique chip’s capabilities will also work automatically with apps that use the Android Keystore APIs, which means that developers will have the opportunity to access the technology to develop more apps that support quantum cryptography. It’s hard to tell how much excitement the news of quantum-secure services on a smartphone will generate among consumers. The technology seems rather niche from a user’s perspective, and the Quantum 2’s predecessor has, so far, made little impact outside of South Korea. That said, according to SK Telecom’s latest statistics, the Galaxy A Quantum sold more than 300,000 units in the first six months following its release, figures the company described as among the highest sales volumes for Galaxy 5G smartphones released that year in South Korea — with numbers comparable, for example, to sales for the S20 and Note 20. It’s worth noting that the Galaxy S20 and the Note 20 recorded drastically lower sales than previous generations due to the impact of the COVID-19 crisis. SK Telecom nevertheless confirmed that discussions are ongoing to expand the lineup of quantum-equipped smartphones, with plans to open the technology to new applications, including services provided by Samsung Card. “With the Galaxy Quantum 2, we have successfully expanded the application of quantum security technologies to a wider variety of services including financial and security services,” said Han Myung-jin, Vice President and Head of Marketing Group of SK Telecom. “Our efforts will continue to keep expanding services that are safely and securely provided via the Galaxy Quantum 2.” Pre-orders for the Galaxy Quantum 2 will open in South Korea from April 13 to 19, and the device will officially launch in the country on April 23.

  • Cybersecurity: Victims are spotting cyber attacks much more quickly – but there's a catch

    The amount of time cyber criminals are spending inside compromised networks is dropping. But while that might sound like a positive development, one reason hackers are spending less time inside networks is the surge in ransomware attacks. Researchers at cybersecurity company FireEye Mandiant analysed hundreds of cyber incidents and found that the global median dwell time – the duration between the start of a security intrusion and when it’s identified – has dropped to below a month for the first time, standing at 24 days. According to the M-Trends 2021 annual threat report, that means incidents are being identified twice as quickly as they were last year, when the median dwell time was 56 days – and much more quickly than they were a decade ago, when it often took over a year for organisations to realise that cyber criminals had infiltrated the network. While some of this reduction in dwell time is thanks to better detection and response capabilities from organisations, the rise in ransomware has also played a role. Ransomware attacks have become an increasingly dangerous cybersecurity issue, with cyber criminals infiltrating networks, compromising all they can with file-encrypting malware and then demanding a ransom payment – most commonly in Bitcoin – in exchange for restoring the network. The attacks are highly lucrative for cyber criminals, but unlike most other forms of cyber attack, ransomware doesn’t remain under the radar – victims of ransomware attacks know they’ve become a victim when their network is suddenly encrypted and a ransom note is left by the attackers.

    One of the key advantages of ransomware attacks for cyber criminals is that they have the potential to make a lot of money in a relatively short space of time. Once they’ve compromised all the required assets on the network, there’s no point waiting around, so the criminals will execute the ransomware attack as quickly as possible. As long as ransomware attacks remain successful, there’s no reason to believe cyber criminals will stop launching them against organisations with vulnerable networks. “The ransomware expansion demonstrates it proves valuable to attackers. Put simply, attackers will operate in ways that produce impacts for their motivations,” Steven Stone, senior director of advanced practices at Mandiant, told ZDNet. “More and more attackers are using ransomware for a wider variety of motivations. We expect this diversity to continue over time and provide for more challenging intrusions in 2021.” Ransomware isn’t the only threat organisations face: cyber criminals will, for example, continue attempting to compromise networks in phishing and malware campaigns. While being able to quickly detect attacks inside the network is better than not detecting them at all, the best way to protect the organisation from cyber threats is to detect or prevent them before they’ve even had a chance to compromise the network. To help with this, the FireEye Mandiant report recommends security fundamentals including vulnerability and patch management, so that cyber attacks can’t take advantage of known vulnerabilities in the network.

  • Broadcom moves its Symantec, CA software portfolios to Google Cloud

    Broadcom will deliver its suite of Symantec and enterprise operations software, including CA, on Google Cloud. Under a strategic partnership, Broadcom said the arrangement with Google Cloud will strengthen its “cloud services integration” throughout its portfolio of security, operations and DevOps applications. Broadcom said that it has migrated its Symantec Web Security Service and Cloud Access Security Broker onto Google Cloud and will soon move its other cybersecurity applications. Broadcom said the move modernized its security stack and improved service delivery. According to Broadcom, Google Cloud’s infrastructure accelerates its development, cuts latency, scales more easily and enables it to diversify its public Internet options. For Google Cloud, landing a big SaaS player like Broadcom is a good win; Amazon Web Services frequently touts software vendors that ride on its infrastructure. Under the partnership, Broadcom will utilize Google Cloud’s analytics tools, including Dataproc, Cloud SQL and Bigtable. Although Broadcom’s move to Google Cloud started with its security software, the company’s business management, testing, DevOps, AIOps and agile management applications will also migrate.

  • Brave browser disables Google's FLoC tracking system

    Brave, a Chromium-based browser, has removed FLoC, Google’s controversial alternative identifier to third-party cookies for tracking users across websites. FLoC, or Federated Learning of Cohorts, has just been released by Google for Chrome as its answer to improving privacy while still delivering targeted ads. “The worst aspect of FLoC is that it materially harms user privacy, under the guise of being privacy-friendly,” says Brave in a blog post. FLoC has been widely criticised by privacy advocates, even though it is an improvement on third-party cookies. The Electronic Frontier Foundation (EFF) calls it a “terrible idea” because now Chrome shares a summary of each user’s recent browsing activity with marketers. “A browser with FLoC enabled would collect information about its user’s browsing habits, then use that information to assign its user to a ‘cohort’ or group,” writes Bennett Cyphers, an EFF technologist. “Users with similar browsing habits — for some definition of ‘similar’ — would be grouped into the same cohort. Each user’s browser will share a cohort ID, indicating which group they belong to, with websites and advertisers.” Brave, a privacy-focused browser headed up by Mozilla co-founder and key JavaScript designer Brendan Eich, says it has removed FLoC from the Nightly version of Brave for desktop and Android.

    Brave points to the California Consumer Privacy Act of 2018 (CCPA) and Europe’s General Data Protection Regulation (GDPR) as signs that consumers are demanding privacy on the web. “In the face of these trends, it is disappointing to see Google, instead of taking the present opportunity to help design and build a user-first, privacy-first Web, proposing and immediately shipping in Chrome a set of smaller, ad-tech-conserving changes, which explicitly prioritize maintaining the structure of the Web advertising ecosystem as Google sees it,” Brave says in a blog post. The search engine DuckDuckGo last week released a Chrome extension to block FLoC tracking, comparing it to “walking into a store where they already know all about you”. Brave argues that because the feature does impact user privacy, it should be something that users need to opt in to. “Given that FLoC can be harmful for site operators too, we recommend that all sites disable FLoC. In general, any new privacy-risking features on the web should be opt-in,” Brave says. “This is a common-sense principle to respect Web users by default. One might wonder why Google isn’t making FLoC opt-in. We suspect that Google has made FLoC opt-out (for sites and users) because Google knows that an opt-in, privacy harming system would likely never reach the scale needed to induce advertisers to use it.” Microsoft, which is also using Chromium as the basis for its new Edge browser, responded to ZDNet’s request for its position on FLoC as follows: “We believe in a future where the web can provide people with privacy, transparency and control while also supporting responsible business models to create a vibrant, open and diverse ecosystem. Like Google, we support solutions that give users clear consent, and do not bypass consumer choice. That’s also why we do not support solutions that leverage non-consented user identity signals, such as fingerprinting. The industry is on a journey and there will be browser-based proposals that do not need individual user ids and ID-based proposals that are based on consent and first party relationships. We will continue to explore these approaches with the community. Recently, for example, we were pleased to introduce one possible approach, as described in our PARAKEET proposal. This proposal is not the final iteration but is an evolving document.” According to the EFF, Google has rolled out FLoC to 0.5% of Chrome users in Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand, the Philippines, and the US. But the company hopes to roll it out to 5% of users. Updated with Microsoft response at 17:30 BST, 13 April 2021
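Brave’s recommendation that “all sites disable FLoC” raises the practical question of how a site operator can confirm that their pages actually carry the opt-out. The following Python check is an added example, not code from the article, Brave, Vivaldi or the EFF. It relies on one fact outside the page: during Chrome’s FLoC trial the documented server-side opt-out was the response header `Permissions-Policy: interest-cohort=()`. The parser handles the general Permissions-Policy syntax (`feature=(origin ...)`, `feature=self`, `feature=*`), so it also reports a page that lists `interest-cohort=(self)`, which still allows the feature, as not opted out. The sample responses are constructed for the demo.

```python
"""Check whether HTTP response headers opt a page out of FLoC cohort computation."""
from typing import Dict, List, Optional

# Header and directive names as documented for Chrome's FLoC trial
# (editor's knowledge, not taken from the stories above).
POLICY_HEADER = "permissions-policy"
FLOC_DIRECTIVE = "interest-cohort"


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse a Permissions-Policy value into {feature: allowlist}.

    An empty allowlist means the feature is disabled for every origin.
    Commas inside parentheses do not split directives.
    """
    parts: List[str] = []
    current: List[str] = []
    depth = 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    policy: Dict[str, List[str]] = {}
    for part in parts:
        part = part.strip()
        if not part or "=" not in part:
            continue  # ignore malformed fragments rather than failing the audit
        feature, _, allow = part.partition("=")
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            tokens = [t.strip('"') for t in allow[1:-1].split()]
        else:
            tokens = [allow.strip('"')]
        policy[feature.strip().lower()] = tokens
    return policy


def floc_opted_out(headers: Dict[str, str]) -> bool:
    """True only when interest-cohort is present with an empty allowlist."""
    for name, value in headers.items():
        if name.lower() == POLICY_HEADER:
            allowlist: Optional[List[str]] = parse_permissions_policy(value).get(FLOC_DIRECTIVE)
            return allowlist == []
    return False  # no policy header at all: the browser may compute a cohort


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no-policy": {"Content-Type": "text/html"},
    "opted-out": {"Permissions-Policy": "interest-cohort=()"},
    "mixed-policy": {
        "permissions-policy": 'geolocation=(self "https://maps.example"), interest-cohort=()'
    },
    "self-allowed": {"Permissions-Policy": "interest-cohort=(self)"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Map each sample name to whether its headers opt out of FLoC."""
    return {name: floc_opted_out(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_RESPONSES).items():
        print(f"{name:>13}: {'opted out' if ok else 'NOT opted out'}")
```

Run against a live site, the same function can be fed the headers from any HTTP client; the point of the parser is that a bare substring match for `interest-cohort` would wrongly pass the `self-allowed` case.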