More stories


    Apple looking to close the gap between web and app privacy

    Image: Omar Al-Ghossen
    On the web, users can opt out of much of the tracking aimed at them, thanks to a combination of GDPR-driven consent prompts, ad and tracker blockers, and private browsing modes. Mobile apps offer far fewer such controls. Apple argues that a user-controllable device identifier, paired with attribution APIs that do not identify individuals, can close that gap while still letting advertisers measure their campaigns.

    “Identifiers such as the Identifier For Advertisers (IDFA) and email address help identify a specific device across a network. They also allow advertisers to create a detailed profile of your activity across different apps or websites when they see your device identifier and associate your activity with it,” Apple says in an updated version of its A Day in the Life of your Data document. “The Identifier For Advertisers (IDFA) is a user-controllable identifier assigned by iOS to each device. As a software-based identifier rather than one that is tied to the hardware itself, the IDFA can be blocked for a particular app by the user via the App Tracking Transparency prompt. This gives the user control over IDFA-based tracking.”

    The updated document adds a pair of pages on advertising auctions and ad attribution, in which Apple states that advertisers can measure ad performance without tracking users. The mechanisms it points to are the SKAdNetwork API, which reports app-install conversions to ad networks without revealing which user converted, and Private Click Measurement, which does the same for ad clicks on the web. Pointing to the way web browsers have clamped down on trackers, Apple dismisses concerns that doing the same in apps will make app development less profitable: advertisers will have to offer users a higher level of privacy, and app makers will still be able to monetise their apps.

    Apple also said it would remove apps from the App Store if they turned to new fingerprinting techniques to identify devices once the IDFA is withheld.

    Last month, Apple claimed in Australia that its store was not the most dominant app marketplace because the internet offers an alternative. “Apple perceives and treats other distributors of apps, for platforms other than iOS, as significant competitors whose pricing and policies constrain Apple’s ability to exercise power over developers,” the iPhone maker said in a submission to the Australian Competition and Consumer Commission (ACCC). “Apple is not in a position to disregard the environment in which its app marketplace operates and does not accept the Commission’s characterisation of the Apple App Store as ‘the most dominant app marketplace by a large margin’.”

    Apple said it does not consider that it has a substantial degree of power in any market relevant to the issues under the ACCC’s current inquiry, nor does it agree that there is a market failure requiring regulatory intervention or legal action. “Apple faces competitive constraints from distribution alternatives within the iOS ecosystem (including developer websites and other outlets through which consumers may obtain third party apps and use them on their iOS devices) and outside iOS,” it said. “Even if a user only owns iOS-based devices, distribution is far from limited to the Apple App Store because developers have multiple alternative channels to reach that user. The whole web is available to them, and iOS devices have unrestricted and uncontrolled access to it. One common approach is for users to purchase and consume digital content or services on a website.”

    Days earlier, Apple said it was surprised to hear that developers have legitimate concerns about their ability to engage with Apple in the app review process.

    Related Coverage


    Man jailed for trying to buy chemical weapon online able to kill ‘hundreds’ of people

    A man has been jailed for trying to buy a chemical weapon online capable of killing “hundreds” of people. 

    On Tuesday, the US Department of Justice (DoJ) announced that Jason William Siesser, a 46-year-old Missouri resident, will spend 12 years in federal prison without the possibility of parole. Between June 14 and August 23, 2018, Siesser placed two orders for a “highly toxic chemical” through the dark web, first for two 10 ml vials and then for three. According to US prosecutors, three 10 ml units of the chemical would have been enough to kill roughly 300 people.

    The orders were placed in the name of a minor and paid for with the equivalent of $150 in Bitcoin (BTC). While in contact with the seller, Siesser said he planned “to use it soon” after receipt. The first delivery never arrived. The second, which Siesser believed to be the chemical, was in fact a controlled delivery staged by US law enforcement. After he signed for the package, officers executed a search warrant on his home and found 10 grams of cadmium arsenide, a toxic and potentially deadly compound, along with 100 grams of cadmium and 500 ml of hydrochloric acid, all ordered by the suspect the same year.

    On intent, the DoJ says that “writings located within the home articulated Siesser’s heartache, anger and resentment over a breakup, and a desire for the person who caused the heartache to die.”

    In August 2020, Siesser pleaded guilty to one count of attempting to acquire a chemical weapon and one count of aggravated identity theft.

    The dark web is a layer beyond the ‘clear’ web that is not indexed by standard search engines. Some of the sites in this space are dedicated to illegal purposes, such as marketplaces for weapons, drugs, data dumps, and counterfeit documents. The DeepDotWeb (DDW) portal, now defunct, used to provide links to dark web resources including marketplaces. Last week, the DoJ said a former administrator of the portal had pleaded guilty to providing links to illegal trading posts and receiving millions of dollars in kickbacks via commission links.

    Previous and related coverage

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    New wormable Android malware poses as Netflix to hijack WhatsApp sessions

    A new strain of Android malware that lures users with the promise of free Netflix subscriptions has been found in an app on Google Play. On Wednesday, Check Point Research (CPR) said the “wormable” malware, dubbed “FlixOnline,” was distributed through the Google Play Store, the official repository for Android apps. It poses as a legitimate Netflix application and targets the WhatsApp messaging application.

    The COVID-19 pandemic has kept many people at home for long periods; with shops and bars closed and trips outside limited, streaming services have filled the time. By the end of 2020, paid Netflix subscriptions had passed 200 million, a rise likely spurred by the pandemic, and malware operators have jumped on the trend. The fraudulent app promised global “unlimited entertainment” and two months of a premium Netflix subscription free of charge because of the pandemic.

    Once installed, however, the app asks for three permissions that together let it read and answer WhatsApp messages on the victim’s behalf. It requests overlay permission, which lets an app draw over other apps and is commonly abused to place fake login screens over legitimate ones; the Battery Optimization Ignore permission, which stops Android from suspending the app to save power, so it keeps running in the background; and notification access, which gives the malware every notification WhatsApp raises, along with the ability to ‘dismiss’ a notification or ‘reply’ to the message through the notification’s reply action. Rather than breaking into WhatsApp itself, the malware reads incoming messages from their notifications and answers them through the same channel, sending the following auto-reply to the victim’s contacts:

    “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https:// bit[.]ly/3bDmzUw.”

    According to the researchers, the malware can propagate through the links in these auto-replies, steal WhatsApp conversation data, and push false information or harmful content through the messaging service once installed on an Android device. The link used in this campaign sends victims to a fake Netflix website that attempts to capture credit card details and credentials. Because the reply text is fetched from a command-and-control (C2) server, however, other campaigns could swap in different phishing sites or malware payloads.

    FlixOnline claimed approximately 500 victims over roughly two months before detection, and the researchers expect the malware to resurface. CPR informed Google of its findings and the app has been removed from the Play Store. WhatsApp was also told of the campaign as a courtesy, but as the malware exploits no vulnerability in the messaging app and spreads only by persuading recipients to install it, no action on WhatsApp’s part was required. Android lists the apps granted notification access under its special app access settings; a streaming app holding that permission, alongside overlay and battery-optimisation exemptions, is a strong signal that it is doing something other than playing video.


    Data of 553m Facebook users dumped online: how to see if you are impacted

    Information belonging to 553 million Facebook users has been posted online in an incident the company says was due to scraping and not a cyberattack. 

    Facebook IDs, names, dates of birth, gender, location and relationship status, among other data points, were included in the dump, which has been broken up by country and made freely available online. The data was collected in 2019.

    In a blog post on Tuesday, the social media giant blamed scraping, in which automated software lifts publicly available data from internet resources. In this case, a flaw in Facebook’s contact importer, which existed until September 2019, allowed individuals to “imitate our app and upload a large set of phone numbers to see which ones matched Facebook users, [allowing them to] query a set of user profiles and obtain a limited set of information about those users included in their public profiles,” according to the company. No credentials were exposed, but the feature acted as a bulk oracle: anyone able to generate candidate phone numbers could learn which of them belonged to a Facebook account and pull the public profile attached to each, which is how phone numbers came to be linked to the records. Facebook has since changed the contact importer to hinder further scraping, but the data already gathered remains in circulation.

    Two years is not long in data terms, and this information is valuable not only to threat actors, who can use contact details and phone numbers for phishing and social engineering, but also to unscrupulous marketers building profiles for targeted ads, spam, or robocalls.

    To see whether you are included in this dataset, go to Have I Been Pwned, the breach search service run by security expert Troy Hunt. As leaks occur, their data dumps are added to the engine so that anyone can enter an email address or a phone number and see whether it appears in published breach data. The Facebook dump is the latest addition. Check both your email address and your phone number: only 2.5 million of the records contain an email address, so a search on email alone may miss you even though your phone number is in the set. Phone numbers must be entered in international format, with the country code in front of the number and no spaces.

    There is little to be done once your data is exposed, but if you are in the leak, be wary of phishing messages and unexpected calls that quote personal details to appear legitimate. A regular privacy review of your social media profiles is always worthwhile; on Facebook that includes whether you allow others to look you up by email address or phone number, the kind of matching the scrapers abused.

    “We are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists,” Facebook says. “We’re focused on protecting people’s data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible.”

    The Irish Data Protection Commission is attempting to “establish the full facts” surrounding the leak and noted that the watchdog has “received no proactive communication from Facebook.”

    “As the price of personal data climbs, breaches of any size — let alone half a billion users — should no longer be tolerated,” commented Adam Enterkin, Global SVP of Sales at BlackBerry. “Organizations have full responsibility for the data stolen; even seemingly low-stakes data can be used to exploit customers. If you collect it, protect it.”


    Rust support moves into Android underpinnings

    In an effort to reduce memory safety bugs, Google has announced that the Android Open Source Project will support writing parts of the operating system in Rust. Apps on Android can be written in managed languages such as Java and Kotlin, but those languages lack the “control and predictability” of the lower-level C and C++ used to build the operating system itself. “They are light on resources and have more predictable performance characteristics. For C and C++, the developer is responsible for managing memory lifetime. Unfortunately, it’s easy to make mistakes when doing this, especially in complex and multithreaded codebases,” the Android team wrote in a blog post. “Rust provides memory safety guarantees by using a combination of compile-time checks to enforce object lifetime/ownership and runtime checks to ensure that memory accesses are valid. This safety is achieved while providing equivalent performance to C and C++.”

    Today, when a C/C++ process in Android handles untrusted input, it runs in a sandbox. Google says sandboxing is expensive and still leaves attackers able to chain vulnerabilities together to escape it. Google also found that roughly half of its memory safety bugs were in code less than a year old, so it makes sense to target Rust at new code rather than rewriting the existing OS. “Even if we redirected the efforts of every software engineer on the Android team, rewriting tens of millions of lines of code is simply not feasible,” the team said.

    “The comparative rarity of older memory bugs may come as a surprise to some, but we’ve found that old code is not where we most urgently need improvement. Software bugs are found and fixed over time, so we would expect the number of bugs in code that is being maintained but not actively developed to go down over time.”

    One of the first systems to get the Rust treatment is Gabeldorsche, Android’s new Bluetooth stack. The Android team also touched on how hard memory bugs are to find, reproduce and fix. “For complex C/C++ code bases, often there are only a handful of people capable of developing and reviewing the fix, and even with a high amount of effort spent on fixing bugs, sometimes the fixes are incorrect,” they wrote. “Bug detection is most effective when bugs are relatively rare and dangerous bugs can be given the urgency and priority that they merit. Our ability to reap the benefits of improvements in bug detection require that we prioritize preventing the introduction of new bugs.”

    Beyond ownership and bounds checking, Rust imposes constraints that close off whole bug classes at compile time, such as refusing to compile code that reads a variable before it has been initialised; Google estimates that this alone removes the root cause of up to 5% of Android’s security vulnerabilities. “Adding a new language to the Android platform is a large undertaking. There are toolchains and dependencies that need to be maintained, test infrastructure and tooling that must be updated, and developers that need to be trained,” the team said. “For the past 18 months we have been adding Rust support to the Android Open Source Project, and we have a few early adopter projects that we will be sharing in the coming months.”

    Earlier this year, Rust moved out of Mozilla and into its own foundation. Mozilla has used Rust to build its Servo browser engine and to replace 160,000 lines of C++ with 85,000 lines of Rust. Mozilla recently ran ThreadSanitizer across Firefox to flush out data races in the C/C++ that remains in the browser’s codebase. With a mixed codebase, Mozilla was concerned that races might be masked when execution passed through Rust code, but the run nevertheless turned up a pair of pure-Rust races. “Overall Rust appears to be fulfilling one of its original design goals: Allowing us to write more concurrent code safely,” it said. “Both WebRender and Stylo are very large and pervasively multi-threaded, but have had minimal threading issues. What issues we did find were mistakes in the implementations of low-level and explicitly unsafe multithreading abstractions — and those mistakes were simple to fix. This is in contrast to many of our C++ races, which often involved things being randomly accessed on different threads with unclear semantics, necessitating non-trivial refactorings of the code.” Unsurprisingly, Mozilla recommended that any new projects be built in Rust rather than C or C++.
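    As an added illustration of the runtime checks the Android team describes above (this is example code written for this page, not Android or Google code), the function below parses a constructed, hypothetical type-length-value record format of the kind found in Bluetooth and other wire protocols. Every access into the untrusted buffer goes through `get`, which returns `None` rather than reading past the end, so a record header that claims more bytes than the buffer holds is reported as an error instead of becoming an out-of-bounds read. The record layout, the `Record` and `ParseError` names and the sample bytes are all assumptions made for the example.

```rust
// Added example for this page (not Android or Google code): parsing an
// untrusted, hypothetical type-length-value buffer with bounds-checked access.
// Layout assumed for the example: [kind: u8][len: u8][value: len bytes] ...

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub kind: u8,
    pub value: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// A header or value claims more bytes than the buffer holds; `offset`
    /// is where the offending record starts.
    Truncated { offset: usize },
}

/// Parse every record in `buf`, or report the first record that does not fit.
pub fn parse_records(buf: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut records = Vec::new();
    let mut offset = 0usize;
    while offset < buf.len() {
        // `get` returns None instead of reading past the end of the slice,
        // so a short header becomes an Err rather than an out-of-bounds read.
        let kind = *buf.get(offset).ok_or(ParseError::Truncated { offset })?;
        let len = usize::from(*buf.get(offset + 1).ok_or(ParseError::Truncated { offset })?);
        let start = offset + 2;
        // checked_add matters once length fields are wider than a byte: an
        // attacker-chosen length must not wrap the end offset around to a
        // small value that would pass the bounds check below.
        let end = start.checked_add(len).ok_or(ParseError::Truncated { offset })?;
        // A value that claims bytes beyond the buffer is rejected here; the
        // equivalent C memcpy would copy whatever memory follows the buffer.
        let value = buf.get(start..end).ok_or(ParseError::Truncated { offset })?;
        records.push(Record { kind, value });
        offset = end;
    }
    Ok(records)
}

fn main() {
    // Constructed input: kind 1 carrying two bytes, then kind 2 carrying none.
    let well_formed = [0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00];
    println!("{:?}", parse_records(&well_formed));
    // Constructed input whose header promises five bytes but delivers one.
    let short = [0x01, 0x05, 0xAA];
    println!("{:?}", parse_records(&short));
}
```

    Indexing with `buf[i]` would also stop the out-of-bounds read, but by panicking, which in a long-running daemon is a denial of service; returning `Result` keeps the decision about malformed input with the caller, which is what a Bluetooth stack handling peer-supplied packets needs.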


    Okta releases new starter plan for developers with free support for up to 15k monthly users

    Authentication and identity platform Okta is releasing a revamped developer experience that features improved documentation, new integrations and support for up to 15,000 monthly active users on a free plan. For context, Okta’s existing free plan caps monthly active users at 1,000, making this new release significantly more useful for small business applications. 

    Okta, which is holding its Oktane21 virtual developer conference this week, is pitching the new developer experience as a toolkit that makes it easier for developers to embed the company’s authentication, access management and customer identity products across software supply chains in hybrid, cloud-native, or multi-cloud environments. The Okta Starter Developer Edition includes a redesigned console that the company says delivers full application development lifecycle support, as well as new integrations with DevOps, SecOps, and API security tooling. New integrations include Heroku, to automate identity across CI/CD pipelines; Kong, to protect APIs; and an updated Okta Terraform provider to replicate Okta configuration across environments.

    “Okta’s vision is to enable everyone to safely use any technology,” said Diya Jolly, Okta’s chief product officer. “Developers are foundational to bringing that vision to life, and it’s our goal to make every piece of the development process easier with Okta. Developers can ramp up at no cost with the Starter Developer Edition, and our reimagined developer experience delivers tools that seamlessly work with developers’ toolchains across whatever hybrid, cloud, or multi-cloud environment they’re building on.”

    Last month, Okta announced plans to acquire customer identity and access vendor Auth0 for $6.5 billion. In addition to expanding Okta’s total addressable market with Auth0’s identity and access management portfolio, the deal gives Okta a way to reach developers and extend its platform. Auth0 has a free plan and then developer versions for the B2C and B2B markets. The new Okta Starter Developer Edition and integrations are generally available starting today.


    Best bitcoin hardware wallet in 2021

    If you dabble in bitcoin or other cryptocurrencies, then you may be able to get away with storing your private keys in a software wallet. But if you are serious about crypto, are mining your own bitcoins, or have serious cash invested in crypto, then a hardware wallet is something that you need to seriously consider.

    A cutting-edge hardware wallet

    Here we have a compact hardware wallet that not only holds your cryptocurrency private keys but can also store passwords and act as a U2F hardware token. The Trezor Model T is easy to use thanks to its touchscreen display, and quick to set up: you can be up and running after three simple steps.

    $179 at Amazon

    Everything is protected by a PIN code

    This hardware bitcoin wallet looks like a USB flash drive. The Ledger Nano S supports more than 30 cryptocurrencies (including Bitcoin, Ethereum, XRP, Bitcoin Cash, EOS, Stellar and Dogecoin) plus all ERC20 tokens, and access to the device is protected by a PIN code of up to eight digits.

    $51 at Amazon

    For those who want high security

    This is the hardware wallet for the ultra-paranoid and for anyone who wants the highest level of security. The ColdCard Mk3 is built around a dedicated secure element and open-source firmware, and features a bright OLED display and a full-sized numeric keypad. A range of accessories extends it, including an adapter that powers the ColdCard from a 9V PP3 battery so that it can run without a USB connection, removing the attack surface presented by a compromised USB charger or host.

    $120 at Coinkite

    Fireproof, waterproof, shockproof, and hacker-proof

    Made from 316 marine-grade stainless steel, this cold storage backup is designed and built to be fireproof, waterproof, shockproof and hacker-proof, the last simply because it contains no electronics to attack. It is the right tool for securing your seed phrase, the words from which your private keys can be regenerated should your electronic hardware wallet be lost or broken.

    $106 at Amazon

    What is a bitcoin wallet?

    A bitcoin wallet is a device or program that stores and manages the private keys controlling your cryptocurrency; the coins themselves are recorded on the blockchain, and whoever holds the keys can spend them. It plays the role of the wallet or purse you keep cash in, or the card that carries your bank details.

    What are the different kinds of cryptocurrency wallets?

    There are two kinds of wallets: hardware and software. A software wallet is an app that lives on your computer or smartphone, or even on the web, while a hardware wallet is a separate physical device (much like a wallet or purse) that connects to a PC or mobile device to carry out transactions. Software wallets range in price from free to, well, not free, so they are great for those starting out. Hardware wallets always cost money, so there is a financial investment to make right from the beginning.

    Why do you need a hardware wallet?

    It’s important to note that you don’t need a hardware wallet to buy, hold, or send bitcoin or any other cryptocurrency; some people hold many thousands of dollars in crypto without one. Where hardware wallets shine is the separation they provide. The private keys are generated and stored on the device and never leave it: transactions are signed on the device after you confirm the details on its own screen, so malware on your phone or computer can see the transaction but cannot read the keys. An app that keeps its keys in the memory of a general-purpose device, or in the cloud, offers no such boundary. Hardware bitcoin wallets put you in complete and total control over your private keys.

    What are the pros and cons of hardware crypto wallets?

    Pros:
    - Improved security: your private keys are isolated on a dedicated device, away from everything else.
    - Better control: you hold your keys and can keep them separate from all your other devices.
    - Easy transportation: bitcoin hardware wallets are small and easily carried, and can just as well be locked away in a safe or safety deposit box.
    - No reliance on a third-party app or web service: apps and services come and go.

    Cons:
    - Cost: hardware bitcoin wallets aren’t free.
    - Extra complexity: there is always a learning curve with hardware, and some wallets have advanced features that will have you reaching for the manual.
    - Loss, destruction, theft: hardware can break, be lost, be stolen, become obsolete, or succumb to all sorts of mishaps, which is why the recovery seed phrase matters.
    - Another thing to carry: if you need to make a transaction, you’ll need your wallet with you.

    What should you consider when buying a cryptocurrency hardware wallet?

    Yes, a hardware bitcoin wallet offers greater security, but you still need to make sure you are buying a genuine device from a reputable source. Buy from the manufacturer or an authorised reseller, inspect the packaging for tampering, and treat any device that arrives already initialised, or with a recovery phrase printed out for you, as compromised: the seed must be generated on the device, by you, or someone else holds your keys. You also need to decide how much security you need. For some, a separate signing device is good enough, while others will want higher assurance, such as a secure element, a PIN that locks the device after repeated wrong guesses, or the ability to operate without ever connecting to a USB port. You also need a backup, just in case. That might be a second hardware wallet, or a “cold storage” copy of your recovery seed written on paper or engraved, stamped, or etched into metal; keep it somewhere a thief or a house fire cannot reach, and never type it into a computer or phone. Another consideration is price. Unless you plan to hold a large cryptocurrency investment, spending over $100 on a wallet might sting a bit.

    How did we choose these cryptocurrency hardware wallets?

    There are a number of factors to consider here.
    - Price: not everyone wants to spend $200 on a wallet.
    - Durability: a broken hardware wallet can leave you hating life (not to mention down the cost of the hardware), so choosing something that will last is a good investment.
    - Reputable manufacturer: you could be trusting thousands of dollars of cryptocurrency to a hardware wallet, so you want to know that it was made by a company with a track record of delivering secure and reliable products.
    - Ease of use: setting up a hardware wallet can be daunting enough, and it is made all the more difficult if the documentation is poor (or non-existent) or the device itself is quirky and unpredictable.



    SAP issues advisory on the exploit of old vulnerabilities to target enterprise applications

    Researchers have warned that critical vulnerabilities in unpatched SAP applications are being widely exploited by cyberattackers worldwide. 

    On Tuesday, SAP and Onapsis jointly released a report on the activity, in which flaws with CVSS scores as high as 10, the maximum, are being weaponized. SAP applications are used by an estimated 400,000 organizations worldwide. SAP is not aware of any direct customer breaches resulting from the activity, but the vendor and Onapsis say they tracked at least 1,500 attack attempts against SAP applications between June 2020 and March 2021, at least 300 of which succeeded. Enterprise resource planning, customer relationship management and supply chain systems, among others, are being targeted.

    SAP ships security fixes monthly, on the same Patch Tuesday cadence as Microsoft and Adobe. The problem, the companies say, is that customers are not applying the critical ones: in some cases, internet-facing SAP applications have gone unpatched for months or even years. Six vulnerabilities in particular are noted in the report as being actively exploited:

    CVE-2020-6287 (CVSS 10): Also known as RECON, this remotely exploitable bug in SAP NetWeaver AS Java stems from a missing authentication check. No privileges are required, and successful exploitation lets an attacker create administrative accounts and take over the system. A patch was issued on July 14, 2020, but Onapsis says attacks using this bug continue today.

    CVE-2020-6207 (CVSS 10): Affecting SAP Solution Manager (SolMan) 7.2, this critical flaw gives attackers full administrative control over the hub of an organization’s SAP landscape. SAP patched it on March 10, 2020; proof-of-concept (PoC) exploit code was later published, and exploit attempts have “increased significantly” since its release.

    CVE-2018-2380 (CVSS 6.6): This older vulnerability affects SAP’s NetWeaver-based CRM solution and can be used for privilege escalation and command execution, allowing lateral movement through a corporate network. A patch was released on March 1, 2018.

    CVE-2016-9563 (CVSS 6.4): Patched in August 2016, this vulnerability affects a component in SAP NetWeaver AS Java 7.5 and is exploitable remotely by an authenticated but low-privileged attacker.

    CVE-2016-3976 (CVSS 7.5): Also in SAP NetWeaver AS Java and patched in March 2016, this flaw lets remote attackers read arbitrary files via directory traversal sequences in a request, leading to information disclosure and, if the right files are reachable, privilege escalation.

    CVE-2010-5326 (CVSS 10): A critical authentication bypass in the Invoker Servlet of SAP NetWeaver Application Server Java that lets attackers take full control of SAP business processes. The US Department of Homeland Security (DHS) issued an alert on active exploitation of this bug in 2016, and it continues to this day.

    The report also says that the patching window is “significantly smaller than previously thought,” with some SAP vulnerabilities weaponized less than 72 hours after public disclosure. “Observed exploitation could lead in many cases to full control of the unsecured SAP application, bypassing common security and compliance controls, and enabling attackers to steal sensitive information, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations,” the companies say. “These threats may also have regulatory compliance implications for organizations that have not properly secured their SAP applications processing regulated data.” CISA has also issued an alert on the activity.
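    CVE-2016-3976 is exploited by placing directory-traversal sequences in a request. Below is an added detection example, not from SAP, Onapsis or the report, that scans web-server access-log lines for `..` path segments after percent-decoding the request path up to twice, so that the encoded (`%2e%2e%2f`) and double-encoded (`%252e%252e%252f`) forms are caught along with the literal one and with backslash variants. The log lines are constructed for the example and the hosts and paths in them are hypothetical; nothing here depends on SAP’s URL layout, so the same check applies to any HTTP front end.

```rust
// Added detection example for this page (not from SAP, Onapsis or the report):
// flag access-log requests whose path contains directory-traversal sequences,
// in literal, percent-encoded or double-percent-encoded form.

/// Constructed sample log lines in combined log format; hosts and paths are
/// hypothetical and not SAP-specific.
pub const SAMPLE_LOG: &[&str] = &[
    "10.0.0.5 - - [06/Apr/2021:10:01:02 +0000] \"GET /app/index HTTP/1.1\" 200 5120",
    "10.0.0.9 - - [06/Apr/2021:10:01:07 +0000] \"GET /app/../../../../etc/passwd HTTP/1.1\" 404 210",
    "10.0.0.9 - - [06/Apr/2021:10:01:09 +0000] \"GET /app/%2e%2e/%2e%2e/config.xml HTTP/1.1\" 404 210",
    "10.0.0.9 - - [06/Apr/2021:10:01:11 +0000] \"GET /app/..%255c..%255cwin.ini HTTP/1.1\" 404 210",
    "10.0.0.7 - - [06/Apr/2021:10:01:15 +0000] \"GET /docs/release..notes.txt HTTP/1.1\" 200 900",
];

fn hex_val(c: u8) -> u8 {
    (c as char).to_digit(16).unwrap_or(0) as u8
}

/// Decode %XX escapes one time; anything that is not a valid escape is kept.
fn percent_decode_once(s: &str) -> String {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' && i + 2 < b.len() && b[i + 1].is_ascii_hexdigit() && b[i + 2].is_ascii_hexdigit() {
            out.push((hex_val(b[i + 1]) << 4) | hex_val(b[i + 2]));
            i += 3;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Decode up to twice (to unwrap double encoding such as %252e) and fold
/// backslashes into forward slashes so "..\" is treated like "../".
fn normalize_path(raw: &str) -> String {
    let mut path = raw.to_string();
    for _ in 0..2 {
        let decoded = percent_decode_once(&path);
        if decoded == path {
            break;
        }
        path = decoded;
    }
    path.replace('\\', "/")
}

/// True when any segment of the normalized path is exactly "..".
/// Segments such as "release..notes.txt" are not traversal and are ignored.
pub fn has_traversal(raw_path: &str) -> bool {
    normalize_path(raw_path).split('/').any(|seg| seg == "..")
}

/// Pull the request target out of the quoted "METHOD PATH PROTOCOL" field.
fn request_path(line: &str) -> Option<&str> {
    let start = line.find('"')? + 1;
    let end = start + line[start..].find('"')?;
    line[start..end].split_whitespace().nth(1)
}

/// Return (1-based line number, request path) for every line with traversal.
pub fn flag_traversal(lines: &[&str]) -> Vec<(usize, String)> {
    lines
        .iter()
        .enumerate()
        .filter_map(|(i, line)| {
            let path = request_path(line)?;
            if has_traversal(path) { Some((i + 1, path.to_string())) } else { None }
        })
        .collect()
}

fn main() {
    for (line_no, path) in flag_traversal(SAMPLE_LOG) {
        println!("line {}: traversal in request path {}", line_no, path);
    }
}
```

    Decoding a fixed two rounds rather than looping until the string stops changing is deliberate: an unbounded loop lets an attacker burn CPU with deeply nested encodings, while two rounds cover the double-encoding trick that filter bypasses rely on. Running this over the access logs of an internet-facing application, filtered to the months it sat unpatched, is the quickest way to answer the question the report raises: whether the 2016 bug was merely present or actually probed.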