More stories

  • Nextcloud incorporates Kaspersky antivirus security

    These days we almost all use personal Infrastructure-as-a-Service (IaaS) clouds at work, such as Dropbox, Google Drive, and Microsoft OneDrive. But, if privacy and security are at the top of your mind, these public clouds are, well, public. That’s where the open-source, private IaaS cloud software Nextcloud enters. You control your data. Now with Kaspersky Scan Engine added on, you make sure your files are free of malware before they’re loaded into the cloud.

    Like any of the personal IaaS clouds, with clients on mobile and desktop operating systems and files saved to your server, users can unknowingly upload and share infected files. The integrated antivirus Scan Engine intercepts and blocks such potentially dangerous files as they’re uploaded on the server-side. This makes sure malware isn’t spread to other users.
    The Kaspersky Scan Engine uses heuristic analysis and machine learning-based technologies to protect against a wide array of malware. It protects against Trojans, spyware, and adware. It also filters out malicious, phishing, and adware URLs. 
    Frank Karlitschek, Nextcloud’s CEO, explained Nextcloud “strives to provide the most secure online collaboration platform on the market. By integrating Kaspersky’s powerful protection capabilities, enterprises can rest assured malicious content can not easily spread through their document exchange technology.”
    This feature is often requested by security managers, but curiously you rarely find it. For example, of all the major personal cloud storage services only OneDrive, to my knowledge, includes antivirus detection as a default service.
    In Nextcloud, customers can install the antivirus application from the program’s app store. The free version comes with the open-source ClamAV virus scanning engine. Large business customers, though, have been asking for a bigger and better security engine. So, in partnership with Kaspersky, you can now buy an on-premises Kaspersky Scan Engine and a special version of the Nextcloud antivirus app, which works hand in glove with the Scan Engine.
    “The integration of Kaspersky anti-malware technology into Nextcloud,” said  Alexander Karpitsky, Kaspersky’s head of Technology Alliances, “provides its customers with the certainty that files accessed through or downloaded from their content collaboration platform will be secure. It is extremely difficult for businesses to fight millions of web threats on their own — that’s why technology partners are needed. Together we can make our online world safer.”
    For support, and the required Kaspersky Scan Engine component, customers must contact Nextcloud. You can also try the Kaspersky Scan Engine with a free trial license.

  • Mozilla research: Browsing histories are unique enough to reliably identify users


    A recently published study conducted by three Mozilla employees has looked at the privacy provided by browsing histories.
    Their findings show that most users have unique web browsing habits that allow online advertisers to create accurate profiles.
    These profiles can then be used to track and re-identify users across different sets of user data that contain even small samples of a user’s browsing history.
    In effect, the study dispels an online myth that browsing history, even when anonymized, isn’t useful for online advertisers. In reality, the study shows that even a small list of 50 to 150 of the user’s favorite and most accessed domains can let advertisers create a unique tracking profile.
    Confirming a similar 2012 study
    The Mozilla research paper is named “Replication: Why We Still Can’t Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories” [PDF].
    The paper was presented earlier this month at the USENIX security conference, and is a follow-up to another academic study published in 2012 [PDF].
    This first study was one of the biggest projects analyzing user privacy at the time, and a massive undertaking for the research team, which was involved in collecting browser history data from more than 380,000 internet users.
    Between January 2009 and May 2011, researchers asked users to access an online test site where they used some clever CSS code to determine which websites from a predefined list of 6,000 domains users had visited.
    The 2012 study found that 97% of the users who accessed this test site had a unique list of sites in their browsing history, making browser history a solid user fingerprinting vector.
    Furthermore, when users were asked to access the test site again, researchers said they were able to re-identify users based on their browsing history profiles from the first visit.
    Accuracy rates were 38% when researchers looked at browsing history datasets of 50 of the user’s most popular domains, and 70% when they analyzed data sets with 500 domains.
    The Mozilla 2020 paper
    But last year, Mozilla researchers wanted to re-evaluate if browsing history was still a valid fingerprinting vector and if the 2012 study still holds true.
    The new experiment ran between July 16 and August 13, 2019, when Mozilla prompted Firefox users to take part.
    Mozilla researchers said that more than 52,000 users agreed to take part and agreed to provide anonymous browsing data.
    However, this time around, since the data was collected from Firefox itself and not through a web page performing a time-consuming CSS test, the data was much more accurate and reliable. Furthermore, the data Mozilla researchers collected is about the same type of data that today’s online analytics companies collect about users, whether through data partnerships, mobile apps, online ads, or other mechanisms.
    Just like before, the data collection took place across two stages, in two weeks, with users sharing browsing history in the first week, and then again in the second, so Mozilla researchers could see if they could re-identify users.
    In total, the Mozilla team said it collected data about 35 million website visits to 660,000 unique domains. And this access to better quality data was immediately reflected in the study’s findings.
    Mozilla said that 99% of the browsing profiles they collected for the study were unique to each user.
    This uniqueness allowed Mozilla researchers to easily re-identify users during the second week of the study.
    Accuracy was also superior to the 2012 study, with Mozilla claiming it had a nearly 50% reidentifiability rate for data sets containing 50 domains of a user’s browsing history. This reidentifiability rate grew to over 80% when Mozilla researchers expanded the browsing history data set to 150 domains.
    This latter finding suggests that analytics firms and online advertisers don’t need huge lists of browsing history data in order to track users, and that each user’s browsing quirks and their favorite sites eventually give them away, even when the data is anonymized, and URLs truncated to remove usernames and leave only core domains.
    A video of the Mozilla team’s presentation is available here.

  • It's been a year since I defriended Facebook

    Last August, I deactivated my Facebook account, that is, indefinitely disabled it as opposed to permanently deleting it. It wasn’t done in protest or out of principle or as a savvy step to protect my privacy. Indeed, the departure was marked more by apathy than passion. The corporate entity is still wise to my activity, as I’ve kept using Messenger (albeit much less) and stayed on Instagram, where I have far fewer connections than I did on Facebook’s eponymous service. And I maintain an active social presence on Twitter and LinkedIn.

    The whole idea of Facebook puzzled me, as it emerged from college campuses to national prominence. I understood the value of LinkedIn, which allowed one to make and maintain business connections. But Facebook? Why did I need a service to stay in digital touch with people I already knew? Isn’t that what email and instant messaging were for? I’d come to learn that Facebook’s value lay not in its functionality but its membership; it is the closest thing we have to a global directory. The best gift the service gave me was helping me to reconnect with two old friends who were barely sufficiently active on the service to reconnect. Soon after reconnecting though, our future exchanges all occurred off the platform.
    Monotony and a desire to minimize distractions led to my drift from the social network. It was service clutter. First, I began posting less and feeling less inclined to robotically click Like in response to posts. If a friend posted something significant about their lives, I would comment. Then, I deleted the app from my phone. After posting that I needed a break, I effectively left digital society. Or at least tried to. Over the years and despite my avoiding using Facebook to log in to various sites and services, a few had slipped through and I would unwittingly reactivate. After a few weeks, though, I’d finally disentangled myself.
    Likely because of my gradual scaling back, I didn’t encounter much withdrawal. In the months since leaving and even in this extraordinary time that has impeded in-person connections, I have loved catching up with old friends through emails, direct messages, and phone calls. I’ve found these communications to strengthen real relationships as opposed to wading through the flotsam and forwarding that would fill the timeline. Leaving Facebook confirmed my sense that many of the “friendships” on Facebook are the relationship equivalent of junk food. They’re easy to obtain and quickly digested, but they’re not very nourishing.
    For me, Facebook offered too low a signal-to-noise ratio, but there are occasionally some important signals. For that, I recommend having a Facebook-friendly friend or family member who is connected to many of the same folks you would be (or would want to be). Indeed, my deactivation was in part inspired by two college friends who never had Facebook accounts, but whose wives acted as conduits. Now, my wife, who enjoys being on Facebook more than I did, has graciously become my Facebook ambassador. When I organized a small group late last year, I turned to Band, which offers a Facebook Groups-like interface that people have found less imposing than Slack or Microsoft Teams.
    One topic I’ve long considered is the chasm in public perception between Facebook and Google. The two internet giants have similar business models, but Google is largely beloved while Facebook is widely reviled. Much of this is due to the many political and privacy-related scandals that Facebook has suffered and is primed to endure. But, fundamentally, Google simply offers not only greater utility to most people than Facebook, but wisely associates itself with positive emotional connections. My favorite example of this is Google Maps, which has guided — and now welcomes — millions of people home every day. In contrast, when a photo shared on Facebook touches our hearts, we ascribe that positive emotion to the person sharing the photo. But when we read a political post that infuriates us, we grow angry at Facebook for showing it to us.
    While I kept a door open to returning to Facebook, I’ve had little temptation to step back through it. So, how then should I mark the anniversary of Facebook forfeiture? A celebration of friendships seems fitting — one that includes writing and calling and lots of liking, but no emotion-swallowing buttons.

  • Setting up a locked room at home for confidential work projects

    It’s like the classic locked-room mystery with a twist. Instead of a crime with no way out, we’re looking at making sure there’s no way in. Deep within the corporate world of nondisclosure agreements and hush-hush secret projects, there’s the clause known as the locked room.

    Typically, such a private space is designed into a working office, but in our work-at-home pandemic world of COVID-19, some office exiles need to implement a locked room protocol at home. That’s what we’re going to discuss in this article and show in the accompanying video.
    Those of you who haven’t spent a lot of time in and around the corporate or federal world may not be familiar with the whole locked room clause, but the basic idea is that confidential materials, information, documents, and hardware often need to be brought in and kept secure. In many companies, there are rooms or a room that is designated as a locked room and they can often be inspected by the party who is the other half of that nondisclosure agreement or confidentiality clause.
    We’re now working from home a lot more, and so we need to implement that kind of function here at home. For some of us, that’s not as big a problem because we’re not dealing with kids, teenagers, guests, and that sort of stuff. But for some families, the room with all the goodies is irresistible to the teenagers and that room has to be locked, both because of the job and the contractual requirements, and because there might be things in there that are dangerous or delicate that you would normally have at work and are now working with at home.
    The accompanying video shows two things: I’m going to replace the original room doorknob with a Yale Smart Lock and then show a safe that we can use to store some of the most confidential items.
    The existing doorknob
    The first step is taking out the existing doorknob and replacing it with the Yale Smart Lock. In the accompanying video, you’ll see that the doorknob being removed does not have a deadbolt. It’s an interior door only, and interior doors tend not to have deadbolts.
    However, many smart locks do. If you’re putting a smart lock inside your home, look for a smart lock that has an interior lock without a deadbolt. The Yale YRL256 Assure Lever lock that I installed in the video is one such smart lock.
    Installing this is not terribly hard. I needed to remove the old lock first. That can be easy or difficult depending on the door in question and how the original doorknob was installed. In this case, it was just taking a couple of screws out for the latch and then removing the doorknobs themselves.
    Once I had the knob out, I put the new latch in backward. It’s always a good idea to read the directions (can you say RTFM? Sure, I knew you could).

    Installing the smart lock
    Once I installed the latch, it was important to test, and I tested from outside the room because there’s no exit in the room. If I couldn’t get the latch open, I wanted to make sure I was outside. I did make it work.
    The next thing was to install the electronics. There are three basic parts. The keypad goes outside the room. There is a non-electronic part that basically provides the physical connection and holds the outside lock on the door. You just run the cable that passed through the hole in the door to the other side, which is where the batteries are and where you set your lock code.
    I put on the handles, and I was very gratified to find out that they actually, in fact, worked.
    Next, I put in the batteries. You get a great little welcome when you get the fourth battery in, which is kind of cute. You’ll have to watch the video to see and hear what that is.
    At this point, your lock is a smart lock, but it’s not connected to your phone, watch, or Wi-Fi. In the case of the Yale lock, I needed to add a small module from August, a company that specializes in smart locks. The lock also supports Alexa, Home Kit, and Google Home, but I was uncomfortable allowing anyone who could say “open my door” to have access.
    The second physical factor: the safe
    Now that we have the door lock working, let’s take a look at the second part of our system, which is the safe. Most of the newly locked room satisfies the locked room clause. Most items will just be locked in the room, but some things, either of high value or high confidentiality, will need to be locked in the safe.
    Yale provided me with a medium-size Alarm Value Safe, which is perfect for this sort of application. There are screw holes in the back and screw holes in the bottom, so the safe can be secured to a floor or a wall stud.
    This safe is great for hard drives, thumb drives, SSDs, documents, any of those sorts of things or small components that you need to store more securely inside the locked room. The two-layer multi-factor locking is key to making sure that you have the necessary security to meet the standards you are expected to have at the office, now in your home.
    Working at home in the “new normal”
    There you go. You’ve seen how to install a smart lock on the door so you can come and go from the room as you need to — all while keeping others out.
    Keep secure items, confidential items, and potentially dangerous items away from the rest of the family while at the same time abiding by the locked room clause and the various agreements you or your company or organization might have imposed.
    That’s what we’re dealing with when we’re working at home. We’re reinventing our entire work environment to be able to do all that we were doing, or at least most of what we used to do in the office, now at home. It’s all part of keeping everybody safe, and hopefully staying productive and on track with all of our projects and our responsibilities.
    Let us know whether you have a locked room requirement in the comments below. If you have any other unusual work requirements you have to translate to a home environment, let us know as well. And stay safe out there.

  • Cisco warns of actively exploited IOS XR zero-day

    Cisco warned on Saturday about a new zero-day vulnerability impacting the Internetwork Operating System (IOS) that ships with its networking equipment.

    The vulnerability, tracked as CVE-2020-3566, impacts the Distance Vector Multicast Routing Protocol (DVMRP) feature that ships with the IOS XR version of the operating system.
    This version of the OS is usually installed on carrier-grade and data center routers, according to the company’s website.
    Cisco says the DVMRP feature contains a bug that allows an unauthenticated, remote attacker to exhaust process memory and crash other processes running on the device. Cisco explains:

    “The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.”

    Exploitation attempts discovered last week
    Cisco says it discovered attackers exploiting this bug last week. The attacks were detected during a support case the company’s support team was called in to investigate.
    “On Aug. 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of an attempted exploitation of this vulnerability in the wild,” Cisco said.
    The company said it’s currently working on developing software updates for IOS XR.
    The patches are still a few days away. In the meantime, Cisco has provided several workarounds and mitigations for its customers so that any exploitation attempts fail if they occur.
    The Cisco security advisory also includes additional incident response instructions for companies to investigate their logs and see if they’ve been attacked using this IOS zero-day.
    It is unclear how attackers are using this bug in the grand scheme of things. They may be using it to crash other processes on the router, such as security mechanisms, and gain access to the device. However, this is only a theory, and companies will need to thoroughly comb their logs after they spot any signs of CVE-2020-3566 exploitation.

  • TikTok's potential sale could be impacted by China's updated export rules: Report

    China has updated its export control rules to require certain technology companies to gain licensing approval if they wish to sell technology to an American buyer, adding yet another wrinkle to the potential sale of TikTok’s US operations.
    According to a New York Times report, the country’s official Xinhua news agency also published commentary which said TikTok’s parent company, ByteDance, could be required to gain a licence if it is to sell the technology to a US company. 
    The updated export rules reportedly add 23 items, including technologies such as personal information push services and artificial intelligence interactive interface technology, to the list of technologies that require licensing approval.
    The changes to China’s export rules come less than a week after Kevin Mayer, TikTok’s former CEO, said in his resignation letter to staff that the company was expecting “to reach a resolution very soon”.
    “In recent weeks, as the political environment has sharply changed, I have done significant reflection on what the corporate structural changes will require, and what it means for the global role I signed up for,” Mayer wrote.
    “Against this backdrop, and as we expect to reach a resolution very soon, it is with a heavy heart that I wanted to let you all know that I have decided to leave the company.”
    There are currently two main suitors for the 15-second video platform, Microsoft and Oracle. 
    Last week, there were reports Microsoft had teamed up with Walmart to be a potential suitor for TikTok’s US, Canadian, Australian, and New Zealand operations. Meanwhile, Oracle has reportedly been in preliminary talks about acquiring TikTok since mid-August.
    All three companies are based in the United States.
    The updated export rules, against the backdrop of US President Donald Trump’s executive orders that will ban TikTok in mid-September, put both TikTok and its suitors in a pinch, as Beijing may have the power to block the sale if a licence is not given.
    United States President Donald Trump signed the executive orders at the start of the month, addressing what he has labelled as the threat posed by apps such as TikTok and WeChat.
    The president called the pair of Chinese apps a “national emergency” with respect to the information and communications technology and services supply chain. 
    “TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories,” the first order said.
    “This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of federal employees and contractors, build dossiers of personal information for blackmail, and conduct espionage.”
    TikTok has clocked over 175 million downloads in the US, and around 800 million globally.

  • Chinese researcher charged with destroying evidence relating to illegal transfer of US tech

    The US Department of Justice (DoJ) has charged a Chinese researcher at the University of California, Los Angeles for allegedly destroying evidence relating to a federal investigation into the possible illegal transfer of US technology to China.
    The charged individual, Guan Lei, allegedly threw a hard drive into a dumpster near his US residence prior to attempting to board a flight to China.
    The hard drive was recovered by the Federal Bureau of Investigation (FBI) after Guan refused a request from the intelligence agency to examine his computer when he attempted to board a flight to China.
    Following his refusal of the request, Guan was not allowed to board the flight. 
    According to an affidavit filed by the FBI in support of the charge, the hard drive was “irreparably damaged and that all previous data associated with the hard drive appears to have been removed deliberately and by force”.
    The FBI has since commenced an investigation into whether Guan possibly transferred sensitive US software or technical data to China’s National University of Defense Technology (NUDT) or falsely denied his association with the Chinese military when he applied for a visa in 2018, the DoJ said.
    As part of the investigation, Guan admitted that he participated in military training and occasionally wore a military uniform when he previously studied at NUDT but claimed he was a normal student.  
    In addition to allegedly destroying evidence, Guan has also been accused of concealing digital storage devices from investigators and lying about making any contact with the Chinese consulate during his time in the US.
    If charged, Guan could face a maximum sentence of 20 years in federal prison.
    Guan is the latest Chinese national to be put under investigation for possibly transferring US technology illegally to China, with another being sentenced to two years in prison earlier this year for stealing next-generation battery technology from a US petroleum company.
    At the same time, Huawei is currently facing charges for allegedly stealing information on a T-Mobile phone-testing robot called Tappy in order to build its own version.
    There has been a surge of these investigations since 2018, according to FBI Director Christopher Wray, when the DoJ launched the China Initiative campaign to counter and investigate Beijing’s economic espionage. 
    “The FBI has about a thousand investigations involving China’s attempted theft of US-based technology in all 56 of our field offices and spanning just about every industry and sector,” Wray said earlier this year.

  • Google Play apps promised free shoes, but users got ad fraud malware instead

    Google has removed an undisclosed number of Android applications from the official Google Play Store that the company says were part of an ad fraud botnet.
    Named Terracotta, this botnet was discovered by the Satori mobile security team at White Ops, a security firm specializing in identifying bot behavior.
    White Ops researchers said they’ve been tracking Terracotta since late 2019 when the botnet seems to have become active.
    Install a malicious app for a free product
    Per the researchers, Terracotta operated by uploading apps on the Google Play Store that promised users free perks if they installed the applications on their devices.
    The apps usually offered free shoes, sneakers, boots, and sometimes tickets, coupons, and expensive dental treatments. Users were told to install the app and then wait two weeks to receive the free products, during which time they had to leave the app installed on their smartphone.
    However, the apps downloaded and ran a modified version of WebView, a slimmed-down version of Google Chrome. The Terracotta gang launched the modified WebView browser, hidden from the user’s view, and performed ad fraud by loading ads and gaining revenue from fake ad impressions.
    The White Ops team described Terracotta as both complex and massive. It was complex because it used advanced techniques to avoid detection from the defrauded ad networks, and was massive because of the scale at which it operated.
    For example, White Ops said that in the final week of June alone, the Terracotta botnet silently loaded more than two billion ads inside 65,000 infected smartphones.
    Some Terracotta apps have been removed from Google Play
    Currently, after Google’s intervention, the botnet’s presence on the Play Store has been reduced, but not removed altogether, with some devices still appearing to be infected.

    [Figure: Bid request volumes as a result of Play Store enforcement. Image: White Ops]
    Some users might think that because the malicious Terracotta apps were defrauding ad networks and not the users directly, this botnet might not be a problem for them. On infected devices, however, the malicious apps would often wear out batteries and consume mobile bandwidth because they run around the clock.
    Unfortunately, White Ops has not released a list of Terracotta-infected apps. However, the good news is that when Google removes malicious apps from the Play Store, the company also disables the malicious apps on all users’ devices, stopping their malicious behavior.
    “Due to our collaboration with White Ops investigating the TERRACOTTA ad fraud operation, their critical findings helped us connect the case to a previously-found set of mobile apps and to identify additional bad apps. This allowed us to move quickly to protect users, advertisers and the broader ecosystem – when we determine policy violations, we take action,” a Google spokesperson said.
    For security researchers, Android app developers, and software engineers, White Ops has published an in-depth technical report detailing Terracotta’s inner workings.