  • Nextcloud incorporates Kaspersky antivirus security

    These days we almost all use personal Infrastructure-as-a-Service (IaaS) clouds at work, such as Dropbox, Google Drive, and Microsoft OneDrive. But, if privacy and security are at the top of your mind, these public clouds are, well, public. That’s where the open-source, private IaaS cloud software Nextcloud enters. You control your data. Now with Kaspersky Scan Engine added on, you make sure your files are free of malware before they’re loaded into the cloud.

    Like any of the personal IaaS clouds, with clients on mobile and desktop operating systems and files saved to your server, users can unknowingly upload and share infected files. The integrated antivirus Scan Engine intercepts and blocks such potentially dangerous files as they’re uploaded on the server-side. This makes sure malware isn’t spread to other users.
    The Kaspersky Scan Engine uses heuristic analysis and machine learning-based technologies to protect against a wide array of malware. It protects against Trojans, spyware, and adware. It also filters out malicious, phishing, and adware URLs. 
    Frank Karlitschek, Nextcloud’s CEO, explained Nextcloud “strives to provide the most secure online collaboration platform on the market. By integrating Kaspersky’s powerful protection capabilities, enterprises can rest assured malicious content can not easily spread through their document exchange technology.”
    This feature is often requested by security managers, but curiously you rarely find it. For example, of all the major personal cloud storage services only OneDrive, to my knowledge, includes antivirus detection as a default service.
    In Nextcloud, customers can install the antivirus application from the program’s app store. The free version comes with the open-source ClamAV virus scanning engine. Large business customers, though, have been asking for a bigger and better security engine. So, in partnership with Kaspersky, you can now buy an on-premises Kaspersky Scan Engine and a special version of the Nextcloud antivirus app, which works hand in glove with the Scan Engine.
    “The integration of Kaspersky anti-malware technology into Nextcloud,” said Alexander Karpitsky, Kaspersky’s head of Technology Alliances, “provides its customers with the certainty that files accessed through or downloaded from their content collaboration platform will be secure. It is extremely difficult for businesses to fight millions of web threats on their own — that’s why technology partners are needed. Together we can make our online world safer.”
    For support, and the required Kaspersky Scan Engine component, customers must contact Nextcloud. You can also try the Kaspersky Scan Engine with a free trial license.

  • Mozilla research: Browsing histories are unique enough to reliably identify users

    A recently published study conducted by three Mozilla employees has looked at the privacy provided by browsing histories.
    Their findings show that most users have unique web browsing habits that allow online advertisers to create accurate profiles.
    These profiles can then be used to track and re-identify users across different sets of user data that contain even small samples of a user’s browsing history.
    Effectively, the study dispels an online myth that browsing history, even when anonymized, isn’t useful for online advertisers. In reality, the study shows that even a small list of 50 to 150 of the user’s favorite and most accessed domains can let advertisers create a unique tracking profile.
    Confirming a similar 2012 study
    The Mozilla research paper is named “Replication: Why We Still Can’t Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories” [PDF].
    The paper was presented earlier this month at the USENIX security conference, and is a follow-up to another academic study published in 2012 [PDF].
    This first study was one of the biggest projects analyzing user privacy at the time, and a massive undertaking for the research team, which was involved in collecting browser history data from more than 380,000 internet users.
    Between January 2009 and May 2011, researchers asked users to access an online test site where they used some clever CSS code to determine which websites from a predefined list of 6,000 domains users had visited.
    The 2012 study found out that 97% of the users who accessed this test site had a unique list of sites in their browsing history, making browser history a solid user fingerprinting vector.
    Furthermore, when users were asked to access the test site again, researchers said they were able to re-identify users based on their browsing history profiles from the first visit.
    Accuracy rates were 38% when researchers looked at browsing history datasets of 50 of the user’s most popular domains, and 70% when they analyzed data sets with 500 domains.
    The Mozilla 2020 paper
    But last year, Mozilla researchers wanted to re-evaluate if browsing history was still a valid fingerprinting vector and if the 2012 study still holds true.
    The new experiment got underway between July 16 and August 13, 2019, when Mozilla prompted Firefox users to take part in this experiment.
    Mozilla researchers said that more than 52,000 users agreed to take part and agreed to provide anonymous browsing data.
    However, this time around, since the data was collected from Firefox itself and not through a web page performing a lengthy CSS test, the data was much more accurate and reliable. Furthermore, the data Mozilla researchers collected is about the same type of data that today’s online analytics companies collect about users — either through data partnerships, mobile apps, online ads, or other mechanisms.
    Just like before, the data collection took place across two stages, in two weeks, with users sharing browsing history in the first week, and then again in the second, so Mozilla researchers could see if they could re-identify users.
    In total, the Mozilla team said it collected data about 35 million website visits to 660,000 unique domains. And this access to better quality data was immediately reflected in the study’s findings.
    Mozilla said that 99% of the browsing profiles they collected for the study were unique to each user.
    This uniqueness allowed Mozilla researchers to easily re-identify users during the second week of the study.
    Accuracy was also superior to the 2012 study, with Mozilla claiming it had a nearly 50% reidentifiability rate for data sets containing 50 domains of a user’s browsing history. This reidentifiability rate grew to over 80% when Mozilla researchers expanded the browsing history data set to 150 domains.
    This latter finding suggests that analytics firms and online advertisers don’t need huge lists of browsing history data in order to track users, and that each user’s browsing quirks and their favorite sites eventually give them away, even when the data is anonymized, and URLs truncated to remove usernames and leave only core domains.
    A video of the Mozilla team’s presentation is available here.

  • It's been a year since I defriended Facebook

    Last August, I deactivated my Facebook account, that is, indefinitely disabled it as opposed to permanently deleting it. It wasn’t done in protest or out of principle or as a savvy step to protect my privacy. Indeed, the departure was marked more by apathy than passion. The corporate entity is still wise to my activity, as I’ve kept using Messenger (albeit much less) and stayed on Instagram, where I have far fewer connections than I did on Facebook’s eponymous service. And I maintain an active social presence on Twitter and LinkedIn.

    The whole idea of Facebook puzzled me, as it emerged from college campuses to national prominence. I understood the value of LinkedIn, which allowed one to make and maintain business connections. But Facebook? Why did I need a service to stay in digital touch with people I already knew? Isn’t that what email and instant messaging were for? I’d come to learn that Facebook’s value lay not in its functionality but its membership; it is the closest thing we have to a global directory. The best gift the service gave me was helping me to reconnect with two old friends who were barely sufficiently active on the service to reconnect. Soon after reconnecting though, our future exchanges all occurred off the platform.
    Monotony and a desire to minimize distractions led to my drift from the social network. It was service clutter. First, I began posting less and feeling less inclined to robotically click Like in response to posts. If a friend posted something significant about their lives, I would comment. Then, I deleted the app from my phone. After posting that I needed a break, I effectively left digital society. Or at least tried to. Over the years and despite my avoiding using Facebook to log in to various sites and services, a few had slipped through and I would unwittingly reactivate. After a few weeks, though, I’d finally disentangled myself.
    Likely because of my gradual scaling back, I didn’t encounter much withdrawal. In the months since leaving and even in this extraordinary time that has impeded in-person connections, I have loved catching up with old friends through emails, direct messages, and phone calls. I’ve found these communications to strengthen real relationships as opposed to wading through the flotsam and forwarding that would fill the timeline. Leaving Facebook confirmed my sense that many of the “friendships” on Facebook are the relationship equivalent of junk food. They’re easy to obtain and quickly digested, but they’re not very nourishing.
    For me, Facebook offered too low a signal-to-noise ratio, but there are occasionally some important signals. For that, I recommend having a Facebook-friendly friend or family member who is connected to many of the same folks you would be (or would want to be). Indeed, my deactivation was in part inspired by two college friends who never had Facebook accounts, but whose wives acted as conduits. Now, my wife, who enjoys being on Facebook more than I did, has graciously become my Facebook ambassador. When I organized a small group late last year, I turned to Band, which offers a Facebook Groups-like interface that people have found less imposing than Slack or Microsoft Teams.
    One topic I’ve long considered is the chasm in public perception between Facebook and Google. The two internet giants have similar business models, but Google is largely beloved while Facebook is widely reviled. Much of this is due to the many political and privacy-related scandals that Facebook has suffered and is primed to endure. But, fundamentally, Google simply offers not only greater utility to most people than Facebook, but wisely associates itself with positive emotional connections. My favorite example of this is Google Maps, which has guided — and now welcomes — millions of people home every day. In contrast, when a photo shared on Facebook touches our hearts, we ascribe that positive emotion to the person sharing the photo. But when we read a political post that infuriates us, we grow angry at Facebook for showing it to us.
    While I kept a door open to returning to Facebook, I’ve had little temptation to step back through it. So, how then should I mark the anniversary of Facebook forfeiture? A celebration of friendships seems fitting — one that includes writing and calling and lots of liking, but no emotion-swallowing buttons.

  • Setting up a locked room at home for confidential work projects

    It’s like the classic locked-room mystery with a twist. Instead of a crime with no way out, we’re looking at making sure there’s no way in. Deep within the corporate world of nondisclosure agreements and hush-hush secret projects, there’s the clause known as the locked room.

    Typically, such a private space is designed into a working office, but in our work-at-home pandemic world of COVID-19, some office exiles need to implement a locked room protocol at home. That’s what we’re going to discuss in this article and show in the accompanying video.
    Those of you who haven’t spent a lot of time in and around the corporate or federal world may not be familiar with the whole locked room clause, but the basic idea is that confidential materials, information, documents, and hardware often need to be brought in and kept secure. In many companies, there are rooms or a room that is designated as a locked room and they can often be inspected by the party who is the other half of that nondisclosure agreement or confidentiality clause.
    We’re now working from home a lot more, and so we need to implement that kind of function here at home. For some of us, that’s not as big a problem because we’re not dealing with kids, teenagers, guests, and that sort of stuff. But for some families, the room with all the goodies is irresistible to the teenagers and that room has to be locked, both because of the job and the contractual requirements, and because there might be things in there that are dangerous or delicate that you would normally have at work and are now working with at home.
    The accompanying video shows two things: I’m going to replace the original room doorknob with a Yale Smart Lock and then show a safe that we can use to store some of the most confidential items.
    The existing doorknob
    The first step is taking out the existing doorknob and replacing it with the Yale Smart Lock. In the accompanying video, you’ll see that the doorknob being removed does not have a deadbolt. It’s an interior door only, and interior doors tend not to have deadbolts.
    However, many smart locks do. If you’re putting a smart lock inside your home, look for a smart lock that has an interior lock without a deadbolt. The Yale YRL256 Assure Lever lock that I installed in the video is one such smart lock.
    Installing this is not terribly hard. I needed to remove the old lock first. That can be easy or difficult depending on the door in question and how the original doorknob was installed. In this case, it was just taking a couple of screws out for the latch and then removing the doorknobs themselves.
    Once I had the knob out, I put the new latch in backward. It’s always a good idea to read the directions (can you say RTFM? Sure, I knew you could).

    Installing the smart lock
    Once I installed the latch, it was important to test, and I tested from outside the room because there’s no exit in the room. If I couldn’t get the latch open, I wanted to make sure I was outside. I did make it work.
    The next thing was to install the electronics. There are three basic parts. The keypad goes outside the room. There is a non-electronic part that basically provides the physical connection and holds the outside lock on the door. You just run the cable that passed through the hole in the door to the other side, which is where the batteries are and where you set your lock code.
    I put on the handles, and I was very gratified to find out that they actually, in fact, worked.
    Next, I put in the batteries. You get a great little welcome when you get the fourth battery in, which is kind of cute. You’ll have to watch the video to see and hear what that is.
    At this point, your lock is a smart lock, but it’s not connected to your phone, watch, or Wi-Fi. In the case of the Yale lock, I needed to add a small module from August, a company that specializes in smart locks. The lock also supports Alexa, HomeKit, and Google Home, but I was uncomfortable allowing anyone who could say “open my door” to have access.
    The second physical factor: the safe
    Now that we have the door lock working, let’s take a look at the second part of our system, which is the safe. Most of the newly locked room satisfies the locked room clause. Most items will just be locked in the room, but some things, either of high value or high confidentiality, will need to be locked in the safe.
    Yale provided me with a medium-size Alarm Value Safe, which is perfect for this sort of application. There are screw holes in the back and screw holes in the bottom, so the safe can be secured to a floor or a wall stud.
    This safe is great for hard drives, thumb drives, SSDs, documents, any of those sorts of things or small components that you need to store more securely inside the locked room. The two-layer multi-factor locking is key to making sure that you have the necessary security to meet the standards you are expected to have at the office, now in your home.
    Working at home in the “new normal”
    There you go. You’ve seen how to install a smart lock on the door so you can come and go from the room as you need to — all while keeping others out.
    Keep secure items, confidential items, and potentially dangerous items away from the rest of the family while at the same time abiding by the locked room clause and the various agreements you or your company or organization might have imposed.
    That’s what we’re dealing with when we’re working at home. We’re reinventing our entire work environment to be able to do all that we were doing, or at least most of what we used to do in the office, now at home. It’s all part of keeping everybody safe, and hopefully staying productive and on track with all of our projects and our responsibilities.
    Let us know whether you have a locked room requirement in the comments below. If you have any other unusual work requirements you have to translate to a home environment, let us know as well. And stay safe out there.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

  • Cisco warns of actively exploited IOS XR zero-day

    Cisco warned on Saturday about a new zero-day vulnerability impacting the Internetwork Operating System (IOS) that ships with its networking equipment.

    The vulnerability, tracked as CVE-2020-3566, impacts the Distance Vector Multicast Routing Protocol (DVMRP) feature that ships with the IOS XR version of the operating system.
    This version of the OS is usually installed on carrier-grade and data center routers, according to the company’s website.
    Cisco says the DVMRP feature contains a bug that allows an unauthenticated, remote attacker to exhaust process memory and crash other processes running on the device. Cisco explains:

    “The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes. These processes may include, but are not limited to, interior and exterior routing protocols.”

    Exploitation attempts discovered last week
    Cisco says that it discovered attackers exploiting this bug last week. The attacks were detected during a support case the company’s support team was called in to investigate.
    “On Aug. 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of an attempted exploitation of this vulnerability in the wild,” Cisco said.
    The company said it’s currently working on developing software updates for IOS XR.
    The patches are still a few days away. In the meantime, Cisco has provided several workarounds and mitigations for its customers so that any exploitation attempts fail, if they occur.
    The Cisco security advisory also includes additional incident response instructions for companies to investigate their logs and see if they’ve been attacked using this IOS zero-day.
    It is unclear how attackers are using this bug in the grand scheme of things. They may be using it to crash other processes on the router, such as security mechanisms, and gain access to the device. However, this is only a theory, and companies will need to thoroughly comb their logs after they spot any signs of CVE-2020-3566 exploitation.