More stories

  • WordPress could treat Google FLoC as a security issue

    The backlash against Google’s Federated Learning of Cohorts (FLoC) has continued, with a proposal raised in WordPress Core to block the controversial alternative identifier to third-party cookies by default. The WordPress proposal would see the blogging system use its weight to thwart FLoC. “WordPress powers approximately 41% of the web — and this community can help combat racism, sexism, anti-LGBTQ+ discrimination, and discrimination against those with mental illness with four lines of code,” it states. For users who want FLoC, the proposal says they would likely be able to enable it themselves, and a little more code would allow FLoC to be toggled on and off in blog settings. “When balancing the stakeholder interests, the needs of website administrators who are not even aware that this is something that they need to mitigate — and the interests of the users and visitors to those sites, is simply more compelling,” the proposal states. In order to get the block out to current users, WordPress has floated that FLoC be treated as a security problem and backported, rather than waiting until the next major release in July. “Currently, 5.8. is only scheduled for July 2021. FLoC will likely be rolling out this month,” it states.

    “Furthermore, a significant number of WordPress sites only update to minor versions. By back-porting, we can protect more sites and more visitors to those sites — and amplify the impact.” FLoC has received some stinging criticism, mostly based on how it would share a summary of recent browser history with marketers, something third-party cookies could attempt but were never guaranteed to achieve. “Its core design involves sharing new information with advertisers,” Chromium-based browser maker Vivaldi said last week. “You might visit a website that relates to a highly personal subject that may or may not use FLoC ads, and now every other site that you visit gets told your FLoC ID, which shows that you have visited that specific kind of site.” Vivaldi said FLoC has very serious implications for people who live in an environment where aspects of their personality are persecuted, such as their sexuality, political viewpoint, or religion. “All can become a part of your FLoC ID,” it said. “This is no longer about privacy but goes beyond. It crosses the line into personal safety.” The Electronic Frontier Foundation said the era of third-party cookies was over, and the decision was now whether to allow users to decide what information to share, or have a behavioural label attached to users that is “rich with meaning to those in the know”. “Their recent history, distilled into a few bits, is ‘democratized’ and shared with dozens of nameless actors that take part in the service of each web page,” it said. “Users begin every interaction with a confession: Here’s what I’ve been up to this week, please treat me accordingly.”
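    The proposal’s “four lines of code” are a PHP filter on the headers WordPress emits. The following is an added example, not the proposal’s code or anything from WordPress: the same opt-out applied and audited in Python. It assumes the mechanism the proposal relied on, namely that FLoC honours a Permissions-Policy response header whose interest-cohort directive carries an empty allowlist; the function and middleware names, and the sample headers, are constructed for the example.

```python
"""Opting a site out of FLoC at the HTTP layer (added example, not the WordPress
proposal's own PHP code). Assumption: FLoC honoured the Permissions-Policy
response header, and an empty allowlist for the interest-cohort feature,
"interest-cohort=()", opted the page out. Function and middleware names are mine.
"""
from typing import Dict, List, Optional, Tuple

FLOC_OPT_OUT = "interest-cohort=()"


def split_directives(value: str) -> List[str]:
    """Split a Permissions-Policy value on the commas that separate directives.

    Commas inside an allowlist's parentheses belong to that directive, so the
    split tracks nesting depth instead of using str.split(",").
    """
    directives: List[str] = []
    depth = 0
    current: List[str] = []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            directives.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    directives.append("".join(current).strip())
    return [d for d in directives if d]


def feature_name(directive: str) -> str:
    """The feature a directive controls, e.g. "geolocation" for "geolocation=(self)"."""
    return directive.split("=", 1)[0].strip().lower()


def add_floc_opt_out(existing: Optional[str]) -> str:
    """Return a Permissions-Policy value with FLoC disabled.

    Directives already present are preserved. An existing interest-cohort
    directive, even one that allows some origins, is replaced by the empty
    allowlist, so an earlier, weaker setting cannot undo the opt-out.
    """
    kept = [d for d in split_directives(existing or "") if feature_name(d) != "interest-cohort"]
    return ", ".join(kept + [FLOC_OPT_OUT])


def floc_disabled(headers: Dict[str, str]) -> bool:
    """Audit check: does this response carry interest-cohort with an empty allowlist?

    Header names are matched case-insensitively. A missing header, or an
    interest-cohort directive that still names origins, counts as not opted out.
    """
    for name, value in headers.items():
        if name.lower() != "permissions-policy":
            continue
        for directive in split_directives(value):
            _, _, allowlist = directive.partition("=")
            if feature_name(directive) == "interest-cohort":
                return allowlist.replace(" ", "") == "()"
    return False


def floc_opt_out_middleware(app):
    """WSGI middleware that adds the opt-out to every response the app sends.

    All Permissions-Policy headers the app set are merged into one, and the
    interest-cohort directive is forced to the empty allowlist.
    """
    def wrapped(environ, start_response):
        def _start_response(status, headers, exc_info=None):
            existing: List[str] = []
            others: List[Tuple[str, str]] = []
            for name, value in headers:
                if name.lower() == "permissions-policy":
                    existing.append(value)
                else:
                    others.append((name, value))
            merged = add_floc_opt_out(", ".join(existing) if existing else None)
            others.append(("Permissions-Policy", merged))
            return start_response(status, others, exc_info)
        return app(environ, _start_response)
    return wrapped


def demo() -> Dict[str, str]:
    """Run the middleware over a constructed toy app and return the response headers."""
    def app(environ, start_response):
        # Constructed sample: the app already sends a policy that allows FLoC for self.
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Permissions-Policy", "camera=(), interest-cohort=(self)")])
        return [b"<html></html>"]

    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(floc_opt_out_middleware(app)({}, start_response))
    return captured


if __name__ == "__main__":
    hdrs = demo()
    print(hdrs["Permissions-Policy"], "->", "FLoC disabled" if floc_disabled(hdrs) else "FLoC allowed")
```

    The audit function is the part worth keeping around after the header is deployed: a site that already sets Permissions-Policy for other features can silently drop the directive in a later template change, and checking the response rather than the source catches that.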

  • Google backs new security standard for smartphone VPN apps

    The Internet of Secure Things Alliance, an IoT security certification body (a.k.a. ioXt), has launched a new security certification for mobile apps and VPNs. The new ioXt compliance program includes a ‘mobile application profile’ – a set of security-related criteria against which apps can be certified. The profile, or mobile app assessment, includes additional requirements for virtual private network (VPN) applications.

    Google and Amazon had a hand in shaping the criteria, along with a number of certified labs such as NCC Group and Dekra, and mobile app security testing vendors such as NowSecure. Google’s VPN within the Google One service is one of the first to be certified against the criteria. Mobile app makers can get their apps certified against a set of security and privacy requirements. The ioXt Alliance has a broad cross-section of members from the tech industry, with its board comprising execs from Amazon, Comcast, Facebook, Google, Legrand, Resideo, Schneider Electric, T-Mobile, the Zigbee Alliance, and the Z-Wave Alliance. About 20 industry figures helped write the requirements for the mobile app profile, including Amit Agrawal, a principal security architect at Amazon, and Brooke Davis from the Strategic Partnerships team at Google Play. Both are vice-chairs of the mobile app profile group.

    The mobile app profile certification includes checks for insecure interfaces, automatic updates, secure password management, security by default, as well as an assessment of whether the software has been verified. It also considers vulnerability reporting programs and end-of-life policies. According to Davis, since the ioXt Alliance already does security checks for IoT devices, it was decided to expand coverage to the apps that manage those devices. “We’ve seen early interest from Internet of Things and virtual private network developers, however the standard is appropriate for any cloud-connected service such as social, messaging, fitness, or productivity apps,” said Davis. Consumer VPNs that have been certified include Google One (which has a built-in VPN service), ExpressVPN, NordVPN, McAfee Innovations, OpenVPN for Android, Private Internet Access VPN, and VPN Private. The accreditation for VPN apps could be handy for Android owners, given that every now and then Google needs to pull malicious VPNs from the Google Play Store.


  • Cyberattack on UK university knocks out online learning, Teams and Zoom

    The University of Hertfordshire has suffered a devastating cyberattack that knocked out all of its IT systems, including Office 365, Teams and Zoom, local networks, Wi-Fi, email, data storage and VPN. The university reported the hit by attackers on Wednesday, resulting in the cancellation of all online classes on Thursday and Friday.

    “Shortly before 22:00 on Wednesday 14 April, the University experienced a cyber-attack which has impacted all of our systems, including those in the Cloud such as Canvas, MS Teams and Zoom,” it said in an update on its website. Due to pandemic restrictions on in-person classes, the university and most students still depend on online learning and video-conferencing apps like Zoom. The UK government has allowed some students to return to in-person teaching if they require specialist equipment, but has banned a full return until at least May 17. The university noted that the outage may impact students submitting assignments, but assured them that no student would be disadvantaged as a result. Students were allowed to attend the university so long as computer access wasn’t necessary.

    “You will not be able to access computer facilities in the LRCs, Labs or the University Wi-Fi. Remote access to specialist software and PCs is currently unavailable,” the university said. Hertfordshire’s system status page, last updated 17 hours ago, shows the extent of the disruption. It’s not clear what kind of cyberattack the university experienced, but the National Cyber Security Centre (NCSC) last month warned of a surge in ransomware attacks on schools, colleges and universities. “In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing,” the agency said.

  • Mozilla to start disabling FTP next week with removal set for Firefox 90

    Clicking an FTP link in Firefox will soon be handed off to other applications, as Mozilla rips out Firefox’s FTP implementation. A year ago Mozilla announced its intention to disable support for FTP shortly, but it also said it would delay the move depending on how the pandemic turned out. By February, FTP was disabled in Firefox’s Nightly channel, and it is currently also disabled in the Beta channel. For general release, FTP will be disabled in Firefox 88, released on April 19. From that point, when Firefox encounters an FTP link, it will attempt to pass it off to an external application. “Most places where an extension may pass ‘ftp’ such as filters for proxy or webRequest should not result in an error, but the APIs will no longer handle requests of those types,” Mozilla add-ons community manager Caitlin Neiman wrote in a blog post. “To help offset this removal, ftp has been added to the list of supported protocol_handlers for browser extensions. This means that extensions will be able to prompt users to launch an FTP application to handle certain links.” Two release cycles later, in late June, Firefox 90 will have the FTP implementation removed altogether. This will also affect Firefox on Android.

    “FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources,” Mozilla software engineer Michal Novotny said last year. “Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.”

  • Swinburne University confirms over 5,000 individuals affected in data breach

    Swinburne University of Technology has confirmed personal information on staff, students, and external parties had inadvertently made its way into the wild. It said it was advised last month that information on around 5,200 Swinburne staff and 100 Swinburne students was available on the internet. This data, Swinburne said, was event registration information from multiple events from 2013 onwards. The event registration webpage is no longer available. The information made available was name, email address, and, in some cases, a contact phone number. “We took immediate action to investigate and respond to this data breach, including removing the information and conducting an audit across other similar sites,” the university said in a statement on Friday. “We sincerely apologise to all those impacted by this data breach and for any concerns this has caused.” Swinburne said it is currently in the process of contacting all individuals whose information was made available to apologise to them and offer appropriate support.

    “We are also contacting around 200 other individuals not connected to Swinburne who had registered for the event and whose information was also made available,” it said. The breach has been reported to the Office of the Australian Information Commissioner (OAIC), the Office of the Victorian Information Commissioner (OVIC), the Tertiary Education Quality and Standards Agency (TEQSA), and the Victorian Education Department. The higher education sector in Australia could soon find itself considered as systems of national significance, with the government ready to enforce an “enhanced framework to uplift security and resilience” upon universities via the Security Legislation Amendment (Critical Infrastructure) Bill 2020. The Group of Eight (Go8) — comprising eight Australian universities — believes the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector and, therefore, does not feel higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications. “The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector,” it said in February. The Go8 comprises the University of Adelaide, the Australian National University, the University of Melbourne, Monash University, UNSW Sydney, the University of Queensland, the University of Sydney, and the University of Western Australia.

    Swinburne made its own views available to the committee probing the Bill, saying in February that the cost of positive security obligations and enhanced cybersecurity measures for assets deemed to be systems of national significance would be difficult for universities to absorb, given the current funding situation and the decrease in income from international student enrolments. “Therefore, the Commonwealth must ensure that universities are adequately funded to meet their responsibility of providing quality education and respond to these new security requirements,” it wrote [PDF]. “While security from foreign interference is of paramount importance, equally important is the economic security provided by having a robust tertiary sector. We recommend that the government work closely with the sector to ensure that the legislation has minimal impact on essential university operations.” The Australian National University (ANU) in late 2018 suffered a massive data breach that was discovered in May 2019, and revealed two weeks later in June. The hackers gained access to up to 19 years’ worth of data in the system that houses the university’s human resources, financial management, student administration, and “enterprise e-forms systems”. Then there was Melbourne’s RMIT University, which in February responded to reports it fell victim to a phishing attack, saying progress was slowly being made in restoring its systems. At a recent Parliamentary Joint Committee on Intelligence and Security (PJCIS) hearing on the national security risks affecting the Australian higher education and research sector, discussions around the two security incidents were used by Home Affairs representatives to justify the inclusion of higher education and research in the Critical Infrastructure Bill.

    AUSTRALIA ALSO BLAMES RUSSIA FOR SOLARWINDS HACK

    Elsewhere, the Australian government has joined international partners in holding Russia to account for its cyber campaign against US software firm SolarWinds. Hackers working for the Russian foreign intelligence service are behind the SolarWinds attack, cyber espionage campaigns targeting COVID-19 research facilities, and more, according to the United States and the United Kingdom. The US accusation comes in a joint advisory by the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation, which also describes ongoing Russian Foreign Intelligence Service exploitation of five publicly known vulnerabilities in VPN services. The UK has also attributed the attacks to the Russian intelligence service. “In consultation with our partners, the Australian government has determined that Russian state actors are actively exploiting SolarWinds and its supply chains,” a statement from Minister for Foreign Affairs Marise Payne, Minister for Defence Peter Dutton, and Minister for Home Affairs Karen Andrews said. “Over the past 12 months, Australia has witnessed Russia use malicious activity to undermine international stability, security, and public safety. Australia condemns such behaviour.” The supply chain attacks targeting IT management software company SolarWinds represented one of the biggest cybersecurity incidents in recent years, with hackers gaining access to the networks of tens of thousands of organisations around the world, including several US government agencies, as well as cybersecurity companies. “Russia’s campaign has affected thousands of computer systems worldwide. Australia acknowledges the high costs borne by the US private sector,” Australia’s statement continued.

    Updated 16 April 2021 at 3:20pm AEST: Added Australian attribution of SolarWinds breach to Russia.

  • Google Project Zero testing 30-day grace period on bug details to boost user patching

    Google Project Zero will be shifting from a fairly hard 90-day deadline to a new model that adds a 30-day grace period to give users time to install patches before technical details are revealed. The project is keeping its famous 90-day disclosure period intact for vulnerabilities that remain unpatched; however, if a patch appears within the disclosure period, the technical details will appear 30 days after the patch is released. For in-the-wild exploits, disclosure will occur a week after notification, along with technical details if unfixed. If a patch is released in the 7-day notification window, the technical details will appear 30 days later. In rare instances where Project Zero has granted vendors a fortnight’s grace on disclosure, or a new 3-day period for in-the-wild exploits, that period will use up part of the 30-day grace on technical details. Last year, Project Zero introduced a policy where it gave vendors a complete 90-day window before it disclosed exploits. That shift was also made in an effort to boost user patching, but it was far from successful. “The idea was if a vendor wanted more time for users to install a patch, they would prioritise shipping the fix earlier in the 90-day cycle rather than later,” Project Zero manager Tim Willis wrote.

    “In practice, however, we didn’t observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch. In other words, the implied timeline for patch adoption wasn’t clearly understood.” Willis said the new 90+30-day system will start to be dialled down in the future, but the policy would need to start with deadlines that can be met by vendors. “Based on our current data tracking vulnerability patch times, it’s likely that we can move to an ‘84+28’ model for 2022 (having deadlines evenly divisible by seven significantly reduces the chance our deadlines fall on a weekend),” he said. “Moving to a ‘90+30’ model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks. “Disclosure policy is a complex topic with many trade-offs to be made, and this wasn’t an easy decision to make.”
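    The interplay of the 90-day deadline, the 30-day detail window, the 7-day in-the-wild rule and the grace periods is easier to see as date arithmetic. The following is an added example, written for this page and not Project Zero’s own tooling; it encodes the rules as described above and states its two modelling assumptions in the code: a grace period is agreed before the deadline and extends it, and “uses up part of the 30-day grace” is taken to mean the detail window never runs past the base deadline plus 30 days. The report date is a constructed sample.

```python
"""Project Zero's 90+30 disclosure model as date arithmetic (added example; not
Project Zero's own tooling). Rules follow the policy description above.
Assumptions: a grace period is agreed before the deadline and extends it; the
30-day wait for technical details never runs past base deadline + 30 days, which
is how "uses up part of the 30-day grace" is modelled here; an unpatched bug is
published together with its technical details on the deadline day.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

STANDARD_DEADLINE_DAYS = 90     # ordinary reports
IN_THE_WILD_DEADLINE_DAYS = 7   # bugs already being exploited
DETAILS_DAYS_AFTER_PATCH = 30   # patch-adoption window before details go public
MAX_GRACE_DAYS = {False: 14, True: 3}  # keyed by in_the_wild

REPORT_DATE = date(2021, 4, 15)  # constructed sample report date for the scenarios


@dataclass(frozen=True)
class Timeline:
    deadline: date         # the bug is published on this day if still unpatched
    details: date          # technical details are published on this day
    patched_in_time: bool  # did the vendor ship a fix on or before the deadline?


def disclosure_timeline(reported: date, patched: Optional[date], *,
                        in_the_wild: bool = False, grace_days: int = 0) -> Timeline:
    """Compute when the bug and its technical details become public."""
    if not 0 <= grace_days <= MAX_GRACE_DAYS[in_the_wild]:
        raise ValueError(f"grace period must be 0..{MAX_GRACE_DAYS[in_the_wild]} days")
    base_days = IN_THE_WILD_DEADLINE_DAYS if in_the_wild else STANDARD_DEADLINE_DAYS
    base_deadline = reported + timedelta(days=base_days)
    deadline = base_deadline + timedelta(days=grace_days)

    if patched is None or patched > deadline:
        # Missed deadline: the report and its technical details go out together.
        return Timeline(deadline, deadline, False)

    # Fixed in time: details wait for patch adoption, but any grace period spends
    # part of that window, so the latest possible date is base deadline + 30.
    details = min(patched + timedelta(days=DETAILS_DAYS_AFTER_PATCH),
                  base_deadline + timedelta(days=DETAILS_DAYS_AFTER_PATCH))
    return Timeline(deadline, details, True)


def days_after_report(reported: date, timeline: Timeline) -> Tuple[int, int]:
    """(deadline, details) as day offsets from the report, for comparing scenarios."""
    return (timeline.deadline - reported).days, (timeline.details - reported).days


def scenario(patched_day: Optional[int], in_the_wild: bool = False,
             grace_days: int = 0) -> Tuple[int, int]:
    """Offsets for a patch landing `patched_day` days after REPORT_DATE (None = never)."""
    patched = None if patched_day is None else REPORT_DATE + timedelta(days=patched_day)
    timeline = disclosure_timeline(REPORT_DATE, patched,
                                   in_the_wild=in_the_wild, grace_days=grace_days)
    return days_after_report(REPORT_DATE, timeline)


if __name__ == "__main__":
    cases = [
        ("patched on day 30", dict(patched_day=30)),
        ("patched on day 100 with 14-day grace", dict(patched_day=100, grace_days=14)),
        ("never patched", dict(patched_day=None)),
        ("in the wild, patched on day 3", dict(patched_day=3, in_the_wild=True)),
        ("in the wild, patched on day 9 with 3-day grace",
         dict(patched_day=9, in_the_wild=True, grace_days=3)),
    ]
    for label, kwargs in cases:
        deadline, details = scenario(**kwargs)
        print(f"{label}: deadline day {deadline}, technical details day {details}")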

  • OWC partners with Acronis to protect your backups from ransomware attacks

    If you’re a pro Mac user, you’ll likely know the OWC name. OWC has been the go-to place for RAM and storage upgrades, or for docks and external storage devices. Today, OWC announced that it would make Acronis True Image OEM software available on OWC storage solutions that include SoftRAID.
    The addition of Acronis True Image OEM will make sure that when users make a backup of their system onto an OWC external storage system, a reliable copy of data is made ready in case it is needed for a speedy recovery. But making and maintaining a backup means making sure that malware doesn’t make it onto the system. “OWC has partnered with Acronis to bring the number one personal backup software to your workflow along with industry-leading antimalware protection,” said Larry O’Connor, CEO and Founder of OWC. “Adding Acronis True Image Technology to our OWC storage solutions is truly amazing. This partnership will tremendously add to our customers feeling their data is safe and protected for years to come.” You also want to make sure that your backup doesn’t fall victim to ransomware and cryptojacking. To combat this, Acronis True Image OEM features AI-enhanced anti-ransomware technology, called Acronis Active Protection, which uses behavioral heuristics to be on the lookout for ransomware and cryptojacking attacks in real time.

    The solution is battle-tested, stopping more than 600,000 ransomware attacks last year alone. Acronis True Image OEM will be shipped with OWC storage solutions on MacSales.com.


  • Microsoft rolls out Edge 90, with new history search, Kids Mode, to mainstream users

    Microsoft is rolling out the latest version of its Edge browser to mainstream users today, April 15 — the same day Google is rolling out Chrome 90. Microsoft’s Edge 90 includes a number of new features, including new history-search options and Kids Mode, which have been in testing for the last few months. Password Monitor, which is meant to protect users’ passwords by notifying them if their credentials have been compromised, is also considered part of the Edge 90 rollout. Microsoft began rolling out Password Monitor in January 2021 as part of Edge 88, but as of Edge 90 it is available to all users. Other new features that are part of Edge 90, according to Microsoft’s Edge “What’s Next” page, include support for TLS token binding for policy-configured sites; a “current page” option for printing PDF documents; the ability to bulk-delete passwords; improvements to font rendering; and synced browser-history support for history search. As of version 90, Edge also supports easier search terms so customers can search their browsing history in their own words with terms like “news articles from last week,” officials said. Kids Mode is a browsing mode designed specifically for kids ages five to eight and nine to 12. This new mode includes “guardrails” meant to steer kids away from inappropriate content via a built-in allow list, Bing SafeSearch, and tracking prevention automatically set to Strict. Parents can review and make changes to the allowed content from their Edge Settings.