More stories

    Google deprecates Web Store Payments API, effectively nuking Chrome paid extensions

    Google has announced on Monday plans to permanently shut down the Chrome Web Store “Payments API.”

    This is the system that Google was using to handle payments on the Web Store, such as one-time fees, monthly subscriptions, and free trials for commercial Chrome extensions.
    The move to shut down the Payments API — and effectively support for Chrome paid extensions — comes after reports of widespread fraud last winter.
    Google originally reacted by suspending the ability to publish and update Chrome paid extensions in January, and later temporarily disabled the entire Payments API in March.
    Initially, Google promised to crack down on the fraudulent actors, but on Monday, in a surprise announcement, the company did the opposite by shutting down the Web Store payments system instead.
    Google is now asking extension developers to migrate their extensions to use a third-party, non-Web Store payments processor.
    Since the Payments API has been down since March, Google said it is not planning to bring it back. Going forward, Google provided the following timeline:
    • Sept. 21, 2020: You can no longer create new paid extensions or in-app items. This change, in effect since March 2020, is now permanent.
    • Dec. 1, 2020: Free trials are disabled. The “Try Now” button in CWS will no longer be visible, and in-app free trial requests will result in an error.
    • Feb. 1, 2021: Your existing items and in-app purchases can no longer charge money with Chrome Web Store payments. You can still query license information for previously paid purchases and subscriptions. (The licensing API will accurately reflect the status of active subscriptions, but these subscriptions won’t auto-renew.)
    • At some future time: The licensing API will no longer allow you to determine license status for your users.
    Google’s move has sparked some outrage among the Chrome extensions developer community. Because Google doesn’t provide details on paying customers to extension owners, many developers are now facing a situation where they might not be able to migrate their entire userbases to their new payments processor of choice.

    If you have built a bootstrapped or a lifestyle business on the Chrome Extension store and have used their payments API, you now have to scramble to integrate an alternative provider and hope that you can find a way to reach your users so they can continue their subscription.
    — Arvid Kahl (@arvidkahl) September 22, 2020

    TikTok removed 104M videos for guideline violations, majority from India and US

    TikTok removed more than 104.54 million videos from its platform in the first half of this year for breaching its community guidelines or terms of service. The number accounts for less than 1% of all videos uploaded on the Chinese app maker’s platform, with the largest volumes removed from India and the US at 37.68 million and 9.82 million, respectively. 
    Some 96.4% of the videos were identified and removed before users reported them, while 90.3% were removed before they clocked any views, according to TikTok’s latest transparency report released Tuesday. The majority, at 30.9%, were removed for containing nudity and sexual activities, while 22.3% were taken down for violating minor safety rules and 19.6% were removed for containing illegal activities and regulated goods.


    Apart from India and the US, the highest numbers of videos also were removed from Pakistan, Brazil, and the UK at 6.45 million, 5.53 million, and 2.95 million, respectively. 
    TikTok also complied with “valid” government and law enforcement requests across the globe for user information. Such requests would have to be submitted with the appropriate legal documents such as subpoena, court order, warrant, or emergency request. Amongst these, India submitted the most requests at 1,206, of which TikTok complied with 79%, followed by the US at 290, of which 85% were complied with. Israel made 41 requests, of which TikTok complied with 85%, while Germany submitted 37 requests, but just 16% were complied with.
    In limited emergency situations, TikTok said it would disclose user information without legal process. This typically occurred when it had reason to believe the disclosure of information was required to prevent the imminent risk of death or serious physical injury to any person. 
    China was notably missing from the list of government requests. 
    In addition, TikTok said it also received legal requests from governments and law enforcement agencies as well as IP (intellectual property) rights holders to restrict or remove certain content. These, the company said, would be honoured if made through “proper channels” or required by law.
    Amongst these, Russia submitted requests that identified the largest number of accounts at 259, of which 29% were complied with. India submitted requests that specified 244 accounts, of which 22% were complied with.
    Pointing to its efforts to “connect” its users, TikTok said it promoted content — amidst the global pandemic — through in-app info pages and hosted hashtag challenges with partners such as the World Health Organization, UNICEF India, and well-known individuals such as Bill Nye the Science Guy and the Prince’s Trust. It also developed dedicated pages within its app that enabled users to learn more about Black history, in support of the Black community.
    Proposal for global group to safeguard against harmful content 
    In a separate statement Tuesday, TikTok said its interim head Vanessa Pappas sent a letter to the heads of nine social and content platforms, proposing a Memorandum of Understanding aimed at encouraging companies to warn one another of violent, graphic content on their own platforms. 
    “Social and content platforms are continually challenged by the posting and cross-posting of harmful content, and this affects all of us [including] our users, our teams, and the broader community,” the company said. “As content moves from one app to another, platforms are sometimes left with a whack-a-mole approach when unsafe content first comes to them. Technology can help auto-detect and limit much, but not all of that, and human moderators and collaborative teams are often on the frontlines of these issues.”
    “Each individual effort by a platform to safeguard its users would be made more effective through a formal, collaborative approach to early identification and notification amongst companies,” TikTok said. “By working together and creating a hashbank for violent and graphic content, we could significantly reduce the chances of people encountering it and enduring the emotional harm that viewing such content can bring — no matter the app they use.”
    TikTok said it previously launched a fact-checking program across eight markets to help verify misleading content, such as misinformation about COVID-19, elections, and climate change. It also introduced in-app educational public service announcements on hashtags related to important topics in the public discourse, such as the elections, Black Lives Matter, and harmful conspiracies, including QAnon.

    UK firm to power face verification in Singapore's digital identity system

    Singapore has inked a deal with British vendor iProov to provide face verification technology used in the Asian country’s national digital identity system. Already launched as a pilot earlier this year, the feature allows SingPass users to access e-government services via a biometric, bypassing the need for passwords. 
    The agreement also sees Singapore-based digital government services specialist, Toppan, involved in the deployment of the facial verification technology. Both vendors were selected following an open tender issued by Government Technology Agency (GovTech) and months of user tests, the companies said in a joint statement Tuesday.
    iProov’s Genuine Presence Assurance technology is touted as being able to determine whether the face presented belongs to a live person rather than a photograph, mask or digital spoof, and to verify that it is not a deepfake or injected video. Its agreement with the Singapore government is also the first time the vendor’s cloud facial verification technology has been used to secure a country’s national digital identity.

    It gives four million SingPass users the option to authenticate their identity with the biometric scan on their computers or at kiosks. Citizens use their SingPass account to log into and access 500 digital services provided by more than 180 government agencies as well as commercial entities, such as banks. 
    Local bank DBS in July collaborated with GovTech to pilot the use of the face verification technology as part of efforts to speed up digital banking registration. The service enabled customers to sign up for DBS’ digital banking services without having to use their ATM, credit, or debit card, and pin to complete the verification process to activate their accounts. 
    They would need to select SingPass Face Verification through the bank’s mobile app when signing up for a digital service before taking a photo of themselves. The user’s face would then be scanned and matched against the Singapore government’s national digital identity database, which also comprised biometric data. Once authenticated, DBS would send an SMS to the user’s registered mobile number for verification. The bank had said data submitted through the process would not be collected or retained.
    GovTech’s senior director of national digital identity Quek Sin Kwok said: “SingPass Face Verification, under our National Digital Identity (NDI) programme, will help partners enhance their customer service journeys. We will continue to extend useful and trusted NDI services to more private sector organisations to accelerate digitalisation and grow Singapore’s digital economy.”
    Toppan Ecquaria’s managing director Foong Wai Keong added: “Allowing businesses to tap into the government-built digital identity infrastructure significantly reduces time and costs. And doing so using facial verification and on the cloud — that is revolutionary. As the world increasingly transacts online, cloud-native solutions are becoming the norm even in the public sector.”
    According to DBS, the COVID-19 pandemic had pushed the adoption and use of digital banking services. The bank saw transactions on its retail digital platform climb 220% between January and May this year, compared to the same period in 2019. Transactions on its wealth digital platform iWealth also increased 198% year-on-year, DBS said in a statement Monday. 
    The bank added that the volume of cash it handled between 2017 and 2019 dropped an average of 5%, or a reduction of SG$5 billion a year. Between June and August 2020, cash volumes dropped a further 34% year-on-year, amounting to a drop of SG$7 billion over three months. 
    To tap growing adoption of mobile and online platforms, DBS said it had been introducing “intelligent banking” capabilities integrated with predictive analytics. Tapping data to provide more intuitive and personalised customer services, the bank said its Intelligent Banking engine generated up to 13 million insights a month across its digital banking services. These were used to help customers improve their financial planning and budgeting as well as make more timely investment decisions. 
    DBS said it would introduce more of such features by the first quarter of 2021, including suggestions on equity stocks customised to a wealth customer’s investment pattern and prompts to speed up daily banking functions and enable customers to carry out transactions, such as bill payments, with a single tap or swipe on their mobile phone.
    iProov’s partnership with GovTech also marks the UK firm’s foray into the Asia-Pacific region.
    The Singapore government in 2018 said it was testing various sensors that could be incorporated into smart lampposts, including cameras that could support facial recognition capabilities. These would be part of its Lamppost-as-a-Platform pilot, which could see all 110,000 lampposts across the island fitted with wireless sensors and cameras to “better support urban planning and operations”. The sensors, for example, could detect and monitor changes to environmental conditions such as humidity, rainfall, temperature, and air pollutants. Cameras would have analytic capabilities to count and analyse crowds as well as count, classify, and monitor the speed of Personal Mobility Devices to improve safety in public spaces, according to GovTech.

    CISA warns of notable increase in LokiBot malware

    The US government’s cyber-security agency has issued a security advisory today warning federal agencies and the private sector about “a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020.”
    The Cybersecurity and Infrastructure Security Agency (CISA) said that its in-house security platform (the EINSTEIN Intrusion Detection System) has detected persistent malicious activity traced back to LokiBot infections.
    The July spike in LokiBot activity seen by CISA was also confirmed by the Malwarebytes Threat Intelligence team, which told ZDNet in an interview today that they’ve also seen a similar spike in LokiBot infections over the past three months.

    This is cause for alarm, as LokiBot is one of today’s most dangerous and widespread malware strains. Also known as Loki or Loki PWS, the LokiBot trojan is a so-called “information stealer.”
    It works by infecting computers and then using its built-in capabilities to search for locally installed apps and extract credentials from their internal databases.
    By default, LokiBot can target browsers, email clients, FTP apps, and cryptocurrency wallets.
    However, the malware is far more than a mere infostealer. Over time, LokiBot has evolved and now also comes with a real-time key-logging component to capture keystrokes and steal passwords for accounts that aren’t always stored in a browser’s internal database, and a desktop screenshot utility to capture documents after they’ve been opened on the victim’s computer.
    Furthermore, LokiBot also functions as a backdoor, allowing hackers to run other pieces of malware on infected hosts, and potentially escalate attacks.
    The malware made its debut in the mid-2010s when it was first offered for sale on underground hacking forums. Since then, the LokiBot malware has been pirated and broadly distributed for free for years, becoming one of today’s most popular password stealers, primarily among groups of low- and medium-skilled threat actors.
    Multiple groups are currently distributing the malware via a wide variety of techniques, from email spam to cracked installers and booby-trapped torrent files.
    In terms of prevalence and numbers, Spamhaus ranked LokiBot as the malware strain with the most active command-and-control (C&C) servers in 2019. In the same ranking, LokiBot placed second for the first half of 2020 [PDF].
    LokiBot also ranks third on AnyRun’s all-time ranking of the most analyzed malware strains on its malware sandboxing service.
    Credentials stolen via LokiBot usually end up on underground marketplaces like Genesis, where KELA believes LokiBot is the second most popular type of malware that supplies the store.
    The CISA LokiBot advisory published today contains detection and mitigation advice on dealing with LokiBot attacks and infections. Additional resources for studying and learning about LokiBot are available on its Malpedia entry.
    LokiBot should not be confused with a similarly named, now-defunct Android trojan.

    Healthcare lags behind in critical vulnerability management, banks hold their ground

    Vulnerability management is a key component of modern strategies to combat cyberattackers, but which industries perform well in this area?

    The general public faces phishing attempts, spam, malvertising, and more in their daily lives. However, in the business realm, successfully targeting major companies — including banks, industrial giants, and medical facilities — can be far more lucrative for cybercriminals.
    Stolen bank account data can be used to conduct fraudulent payments; information can be taken for the purposes of cyberespionage, and in the industrial sector, disrupting core operations can impact everything from energy supplies to water availability for customers. 
    One of the common avenues for attacks against the enterprise is the exploitation of unpatched vulnerabilities, and so it is crucial for organizations to maintain frequent patch cycles that tackle the most high-risk security issues for their networks promptly. 
    However, not every business — and not every industry — performs patch management equally well. According to new research from Kenna Security and the Cyentia Institute, there are significant gaps in how different markets deal with vulnerabilities, including high-risk security flaws.
    “Finance companies have a big target on their backs,” the company says. “Tech companies have the skills to get the job done. Manufacturing firms are insulated from danger with lots of custom and rare applications that few hackers would bother to develop exploits for. And the healthcare industry? Well, the conventional wisdom says that it’s crammed full of tech, but hacks aren’t easy to monetize.”
    On Tuesday, the cybersecurity firm released a report into vulnerability management conducted by the financial, manufacturing, medical, and technological industries.
    Manufacturing: Kenna Security says that industrial companies tend to take “twice as long” to fix bugs in comparison to other sectors, and also have double the number of vulnerabilities per asset — such as printers, IoT devices, and PCs in use.
    However, only 5% of bugs are deemed high-risk, and the industry may be further protected as few threat actors have developed exploit kits focused on this area. In total, 44% of manufacturing companies reduce their exposure to bugs that can be weaponized every month, but 39% “end each month with more high-risk vulnerabilities than they started with.” In total, 17% are reported as “breaking even.”
    Technology: Given their nature, tech companies tend to have fewer vulnerabilities per asset than other industries, and patch management is generally conducted more quickly. 
    According to the research, a typical company will close approximately 25% of newly-disclosed vulnerabilities within 19 days. In comparison, a technology firm will close 25% in seven days; 50% in 17 days; and 75% in 67 days. 

    High-risk vulnerabilities, too, are tackled rapidly. In total, tech firms will close roughly 90% of them per month, whilst 80% of organizations will either hold their ground or reduce their security ‘debt’ each month. 
    Healthcare: When cyberattacks disrupt healthcare providers, the consequences can be fatal — as we saw in the recent death of a patient at a German hospital. As a result, the medical industry is often subject to attacks including ransomware as threat actors bet they will pay up rather than put lives at risk. 
    To deploy such malware, phishing or the weaponization of vulnerabilities are common attack vectors. 
    The report says that a typical healthcare organization has roughly 34 bugs per asset and 50% of common bugs take 50 days to patch, causing a “lag” in comparison to other sectors. 

    However, many healthcare providers do gain ground when it comes to critical issues, with 67% of overall companies reducing their high-risk exposure every month. In total, 25% fall behind. 
    Finance: There will always be cybercriminals that target financial companies as many are motivated by money, and if they can obtain access to corporate networks or customer data, they may be able to earn themselves an illicit fortune. 
    It should not be a surprise, then, that financial companies tend to deal with half of newly-disclosed vulnerabilities within 44 days — in comparison to an average of 34 days across other industries — an achievement when you consider they often have four times as many vulnerabilities as others when it comes to assets.

    “Financial firms traditionally have a large digital footprint incorporating numerous software and services and that translates to more vulnerabilities,” Kenna Security notes. “More assets inherently means more strife for vulnerability management programs.”
    Perhaps more importantly, financial organizations hold their own when it comes to critical bugs. Every month, 85% of the most dangerous vulnerabilities are closed, and 70% either break even or resolve additional security flaws. 


    This is how much top hackers are earning from bug bounties

    Can you get rich from reporting software bugs? For some, hunting down vulnerabilities in websites and apps is a challenge a bit like doing a crossword; for others it’s a major source of income.
    Paying hackers to search for flaws in software or services is becoming increasingly common; these ‘bug bounty’ programmes allow hackers to get paid for spotting problems, while organisations benefit from the ability to tighten their security by paying a few thousand dollars per bug.
    HackerOne, which runs bug bounty programmes for organisations including the US Department of Defense and Google, has published new data about the number of vulnerabilities found by hackers signed up to its projects — and how much they have been paid. To date, over 181,000 vulnerabilities have been reported, and over $100 million paid out to the hackers who have signed up to its service.
    The company said that more than $44.75 million in bounties was awarded to hackers around the world over the past year — an 86 percent year-on-year increase. The vast majority of that is awarded by organisations in the US.
    Some bugs can bring in a decent reward: HackerOne said the average bounty paid for critical vulnerabilities increased to $3,650, up eight percent year-over-year, while the average amount paid per vulnerability is $979. Critical vulnerabilities make up around 8% of all reports, while high-severity reports account for 21%.
    HackerOne said that “hacking has remained a consistent and stable source of income” for some signed-up hackers. Nearly nine out of ten are under 35, and one in five said that hacking is their only source of income.
    Bug bounty millionaires
    Nine individual hackers have now amassed $1 million in total bounty earnings via HackerOne in less than a decade, showing that bug bounty hunting can pay well for the elite. And over 200 hackers have earned more than $100,000, and 9,000 hackers have earned ‘at least something’. Of the hackers who have found at least one vulnerability, half have earned $1,000 or more.
    But even if many aren’t making much money from bug hunting, the skills they are learning could be indirectly good for their careers; four out of five said they will use the skills and experience learned while hacking to help land a job.
    The global coronavirus outbreak seems to have led to a surge in malicious attacks on organisations, but it has also prompted an increase in the number of hackers looking to help find and fix security flaws. HackerOne said that new hacker signups increased by 59% in the months following the start of the pandemic, while bug reports increased by 28% — perhaps because many people were forced to stay at home, giving them more time for bug hunting.
    But bug hunting for money might be getting harder. As organisations fix more vulnerabilities, average bounty values are increasing, which is a good thing for hunters. However, remaining vulnerabilities also become more difficult to identify, requiring more skill and effort to discover.

    Most tech pros believe Facebook should do more to stop election misinformation

    As bot-driven misinformation campaigns flood our social feeds, aiming to guide voter choice, and fake accounts intended to undermine elections proliferate, users need to feel reassured that the information they see is authentic.

    In 2020, the responsibility for electoral integrity is falling on US tech companies nearly as much as on the government. Social media platforms are so prevalent that any misinformation, if left unchecked on social media, could cause a massive swing of sentiment amongst voters.
    As the US presidential election draws closer, questions are still asked about whether bots influenced the 2016 election in a significant way. Facebook noticed that in 2016 there were “coordinated online efforts by foreign governments and individuals to interfere in our elections.”
    It also recently “took down a network of 13 accounts and 2 pages that were trying to mislead Americans and amplify division.” But what do users across the tech industry think?
    San Francisco-based anonymous professional network Blind surveyed 1,332 users, asking all of them the same two questions. It wanted to gauge whether tech employees in general felt Facebook was accountable for election misinformation, and how that compared with the views of Facebook’s own employees.
    It asked “Do you believe it is the responsibility of Facebook to prevent misinformation about the election?” and “Are you surprised by Zuckerberg’s stance given his previous ‘free speech’ stance?”
    In October 2019, Zuckerberg spoke at Georgetown University about the importance of protecting free expression and promised to:

    “1. Write policy that helps the values of voice and expression triumph around the world; 2. Fend off the urge to define speech we don’t like as dangerous; and 3. build new institutions so companies like Facebook aren’t making so many important decisions about speech on our own.”

    The survey results showed that almost seven in 10 (68%) of surveyed tech professionals believe it is the responsibility of Facebook to prevent misinformation about the election.
    This percentage contrasted markedly with Facebook employees, of whom only 47% believed Facebook should be responsible for preventing misinformation.
    One in three (33%) of surveyed tech professionals are surprised by Zuckerberg’s stance given his previous “free speech” stance, contrasted by only 27% of Facebook employees.
    Considering Facebook’s adherence to its “free speech” policy, any deviation from its political ad policies is worth looking at.
    Last week, Zuckerberg said in a Facebook post that the platform will block new political and issue ads in the week leading up to the election, to prevent last-minute misinformation.
    It will also expand its voter suppression policies and will remove posts with claims that people will get COVID-19 if they take part in voting.
    These survey results suggest that Facebook’s employees disagree with other tech professionals about their hand in misinformation accountability.
    Is it Facebook’s job to sway voters one direction or the other in November? Should people across Facebook be allowed to speak their minds, share their opinions, and come to their own conclusions based on the information they see?
    If President Donald Trump is swaying public opinion via social media, then should former Vice President Joe Biden use social media to sway voters in the other direction?
    Is it up to Facebook to decide who will win this election — or is it up to the voters getting the information they need across social platforms to make the right choice?

    Microsoft renames and unifies more products under Microsoft Defender brand

    After rebranding Windows Defender as Microsoft Defender in early 2019, Microsoft is renaming and bringing more products under the Defender brand, the company announced today at its yearly Ignite developer conference.
    Starting Sept. 22, the Microsoft Defender product line will be expanded and split across two branches as Microsoft 365 Defender for end-user environments and Azure Defender for cloud and hybrid infrastructure, respectively.
    The Microsoft 365 Defender line will include:
    • Microsoft 365 Defender (previously Microsoft Threat Protection)
    • Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection)
    • Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection)
    • Microsoft Defender for Identity (previously Azure Advanced Threat Protection)
    Similarly, the Azure Defender line will include:
    • Azure Defender for Servers (previously Azure Security Center Standard Edition)
    • Azure Defender for IoT (previously Azure Security Center for IoT)
    • Azure Defender for SQL (previously Advanced Threat Protection for SQL)
    Microsoft’s long-term plan is to unify all its cyber-security offerings under a simpler naming scheme that makes it easier to get a grasp on the company’s full security capabilities.
    Although Microsoft is considered to have some of the best security products in the business, thanks to its deep knowledge of its own products, until now the company’s differing product naming schemes have made it hard for companies, executives, and IT staff to find their way around Microsoft’s product portfolio.
    However, Microsoft plans to make things simpler than before.
    Going forward, there will be Microsoft Defender and Azure Sentinel.
    Microsoft Defender will be Microsoft’s XDR product, while Azure Sentinel will be the company’s SIEM line.
    XDR stands for eXtended Detection and Response and is a cyber-security term that refers to products that detect and respond to active threats on endpoints (be they workstations, servers, email accounts, or IoT devices).
    SIEM stands for Security Information and Event Management and is a cyber-security term that refers to web applications that aggregate logs from all of a company’s sources (OS, application, antivirus, database, or server logs) in order to analyze large quantities of data from a single vantage point and search for anomalies and signs of a security breach.
    “Azure Sentinel is deeply integrated with Microsoft Defender so you can integrate your XDR data in only a few clicks and combine it with all your security data from across your entire enterprise,” said Rob Lefferts, M365 Security CVP.
    “Some vendors deliver XDR, some deliver SIEM. Microsoft believes that defenders can benefit from using deeply integrated SIEM and XDR for end-to-end visibility and prioritized actionable insights across all your enterprise assets.”