IT NEWS

Data Privacy Day: Know your rights, and the right tools to stay private

Not all data privacy rights are the same.

There’s the flimsy, the firm, the enforceable, and the antiquated, and, unfortunately, much of what determines the quality of your own data privacy rights is little more than your home address.  

Those in Chile, for example, enjoy a globally rare constitutional right to data protection, and if any Chilean feels their rights have been disturbed or threatened, they can file a “Constitutional Protection Action.” People in the European Union and the United Kingdom enjoy strong data protections because of the General Data Protection Regulation, the sweeping data privacy law which gave the public many new rights in 2018, including a “right to access”—which allows an individual to ask a company to hand over all the data it has collected on them—and a “right to erasure,” which allows a person to ask that company to delete that data. In Germany, already covered by GDPR, the newly-agreed-upon government is reportedly considering the addition of a “right to encryption,” which, depending on how it is defined, could be the first of its kind, and a much-needed defense against other international efforts, like in Australia, to weaken encryption through regulation. That anti-encryption thrust is not too different in America, where federal law enforcement officials have repeatedly blamed strong encryption as one of the largest reasons that they cannot stop crime before it happens.

Speaking of America, the variety in data privacy rights around the world applies just as well to the country itself: People who live mere miles apart enjoy wildly different data privacy protections because, in the absence of a comprehensive, federal data privacy law for all Americans, individual states have passed data privacy laws for their residents and their residents alone.

This segmented, legislative push has created a patchwork quilt of privacy in the country. In its most north-eastern reaches, those east of the Salmon Falls River—which serves as a dividing line between Vermont and Maine—are protected from having their Internet Service Provider (ISP) sell, share, or grant access to their data without their specific approval. Those west of the river, however, have no such protection. And Californians, separately, have the fortune of data privacy protections similar to those included in GDPR, but their neighbors in Arizona, Utah, and Oregon are without luck.

This is the frustrating state of data privacy rights today, but you have a role to play to make it better.

Thankfully, in many countries around the world, the public can still use online tools to protect their own data privacy. No legal regime to worry about, no case law to be cited. Just user choice.

So, want to hide your internet activity specifically from your ISP, or from eavesdroppers while you’re connected to a public, unprotected network? Use a VPN. Want to gain even more privacy and send your Internet traffic through a few layers of encryption? Use the TOR network and its related browser. Want to stop invasive ad tracking? Use a more private-forward browser or download a devoted browser extension. Want to hide your online searches? This one is easy—use a private search engine.

This Data Privacy Day—which we are celebrating for the whole week—don’t limit yourself to just the data privacy rights you’re given by your country or state. Instead, broaden and deepen your own data privacy by finding out which of the many data privacy tools is right for you.

The tangled web of US data privacy rights and laws

In the United States, there is no federal law protecting all types of data for all Americans.

Instead, the national data rights that every American enjoys are purely sectoral—isolated, industry-specific protections regarding, for example, healthcare information, credit reporting accuracy, children’s data, and, bizarrely enough, VHS rental records. (Since that law has not been found to apply to streaming services, it is presumably only of use to the residents of Bend, Oregon, home to the so-called “Last Blockbuster.”)

This piecemeal strategy is the consequence of occasional laser-focus from US Congress members on only the problems facing them at that very moment. That VHS rental history law? That was passed in 1988 after a newspaper published the video rental records of then-Supreme Court nominee Robert Bork. (The journalist who wrote the story succinctly proved a point—that, as Bork himself had argued, Americans had no real rights to privacy beyond those explicitly encoded in law.) A separate law protecting children’s privacy was signed in 1998 as the public feared wanton collection of kids’ data online.  

For about two years, though, that laser-focus found an ironic subject: Broader protections.

Starting in 2018, US Congress members homed in on crafting a comprehensive data privacy law that would restrict how companies and organizations collect, use, share, and sell Americans’ data. Roughly a dozen bills were introduced in the House of Representatives and the Senate, and substantive, new ideas on data privacy were considered.

There was also Senator Ron Wyden’s bill, which recommended jail time as a consequence for tech company executives who played a vital part in violating Americans’ data privacy rights. There was Senator Amy Klobuchar’s bill, which tried to standardize perplexing, yawn-inducing—and potentially unfair—“Terms of Service” agreements by requiring that those agreements be written in “language that is clear, concise, and well-organized.” There was Senator Marco Rubio’s bill and its light touch on regulation, which simply asked that the US Federal Trade Commission write its own rules on privacy that Congress later adopt. And there were other, novel proposals, like the ACCESS Act, which focused on data portability, and the Data Accountability and Transparency Act, which erred away from today’s singular focus on user “consent,” which, even under the best intentions, can often translate to a deluge of webpages all asking: “Do you agree to our use of cookies?”

Disappointingly, none of these bills moved forward, and following the US presidential election in 2020, new priorities were mapped out for Congress. Thankfully, in the United States, there are more legislative machines at work that can pass data privacy laws at home—the individual states themselves.

For years now, the majority of US states have at least attempted to lasso companies into better handling the consumer data that is collected whenever users interact with their websites, use their products, or respond to their social media posts. In fact, according to a recent analysis by The New York Times, only 15 states have essentially ignored consumer data privacy legislation; every other state has either introduced, passed, or signed a law, or replaced a comprehensive data privacy bill with a task force committed to researching the topic.

Within those 35 states, though, only three have found success—California, Colorado, and Virginia all passed consumer data privacy laws in the past few years. And not to immediately rob those successes of their merit, but each of those laws has its own problems, and the law in Virginia, especially, has drawn rebuke from Electronic Frontier Foundation (EFF) and American Civil Liberties Union (ACLU).

Kate Ruane, senior legislative counsel at ACLU, said in speaking with The New York Times that Virginia’s law, when it was still a bill, was “pretty weak.”

“It essentially allows big data-gathering companies to continue doing what they have been doing,” Ruane said.

At this point, it’s easy to think that US data privacy rights are following a sad trend of one step forward, two steps back. Just a few years ago, federal lawmakers were interested in data privacy. Then, they weren’t. Stateside, multiple states introduced broad data privacy laws for their residents. Then, only three such laws actually passed, and each law has its own problems.

The good news here is that you don’t have to—you shouldn’t have to—wait around for your government representatives to decide when you deserve data privacy rights. You deserve those rights today.

Here’s how you can take some first steps forward.

The right data privacy tools for you

In the US and in many countries abroad, one of the most powerful data privacy rights you have is the right to use a tool that can put data privacy into your own hands.

Data privacy tools are actually a lot like US data privacy rights, in that there are specific tools that protect specific types of data, or they protect your data in specific circumstances. While this variety is appreciated, it also means there is no one single solution to keep your information private online at all times.

To avoid any confusion about what tool can protect what data, here’s a quick run-down of what is available and how it can help you:

  • A privacy-forward web browser or a devoted web browser extension can block third-party ad tracking
  • A private search engine keeps your online searches private, protecting your interests from being sold to advertisers who want to serve you more ads
  • A VPN can obscure your Internet traffic from your Internet Service Provider and encrypt your data on public networks
  • The Tor Network and the Tor browser can route your Internet traffic through multiple “relays,” or servers, encrypting the data multiple times along the way

Knowing all that, let’s start with the simplest option that can also protect you from the most subversive and invisible form of data privacy invasion.

Privacy-forward web browsers and browser extensions

If you’re using a web browser that is made by a company that makes the majority of its money from online advertising (according to Wired, Google’s advertising revenue alone in one quarter of 2020 was $26 billion), your online browsing behavior is being stealthily watched across nearly every website you visit. As your browsing habits start to form a profile of who you are, where you live, what you like, and what you typically buy, you’ll start to see ads that follow you around constantly.

This is the work of third-party ad tracking. Due to the implementation of cookies in nearly every corner of the public-facing Internet, nearly all of our Internet behavior is tracked online. That information then gets packaged and sold to companies that want to deliver ads specifically to you and people like you.

To stop this type of invisible, online tracking, you should use a web browser that takes your privacy seriously. Options like Firefox, Safari, and Brave all block many types of ad tracking by default, which means that from the first time you launch these programs, you’ll start being protected, no user intervention needed.

If you’re too attached to your web browser to ditch it, you can also download a browser extension for this very same purpose. Several browser extensions that block ad trackers include Malwarebytes Browser Guard, EFF’s Privacy Badger, and the self-titled ad-and-tracker blocking extension made by Ghostery.

For those interested, Ghostery has also released a web browser that, with a monthly subscription fee, comes with a host of other privacy tools, including the company’s web analytics tool and a private search engine.

Speaking of which…

Private search engines

A private search engine, like the ones built by DuckDuckGo or, more recently, Brave, will keep your searches yours. Both companies promise that they do not collect or track your searches, and that they do not sell that search data to third parties.

Though Brave’s search engine is newer and still in beta, DuckDuckGo has been in business for years, and this month, it passed the 100 billion total search mark.

VPNs

Any discussion on data privacy wouldn’t be complete without talking about VPNs. VPNs, or virtual private networks, are tools that can help you hide your Internet traffic from your Internet Service Provider, which might appeal to you in the United States because your ISP could actually take what it knows about you and then sell that data to the highest bidder, who will then use your information to send you even more ads across the Internet.

VPNs can also provide vital protection to you whenever you connect to the Internet on a public network, like at a coffee shop, an airport, or hotel. If those networks are not password-protected, then it is easier for eavesdroppers to watch your Internet traffic on that network. With a VPN, your traffic is encrypted and illegible to outside parties.

Because there are so many options out there, you can read our guide about how to choose the best VPN for you.

The Tor network and browser

The Tor network, in a way, is the Internet run by people—not companies, not conglomerates, not revenue-chasing decision-makers. The way it works is that volunteers around the world set up individual servers for Tor users to connect to—and through—when browsing online. This means that whenever you browse the Internet through the Tor network, your Internet traffic actually moves through three separate servers, which Tor calls “relays.” The last relay that you connect to then connects you to your final destination online, like a website. Because your traffic has been sent through three relays and encrypted each time it goes through a relay, the website you eventually connect to does not actually know who you are. It cannot collect any meaningful data about your age, your gender, your location, your politics, or your interests.

With the Tor network, then, you can obscure what advertising companies the world over want to know about you and what they spend countless dollars to discover.

Years ago, utilizing the Tor network required quite a bit of technical work, but with the nonprofit’s release of the Tor browser, much of that work can be done by the browser itself.

If you’re interested in taking your privacy to the next level, consider downloading the Tor browser and connecting to the Internet through a Tor connection, which the browser can configure the first time you start it up.

It’s not just about tools. Adopt new rules

While all the tools we described above can better protect your online privacy, there’s one more thing you should consider this Data Privacy Week, and that’s how you treat other people’s privacy online, too.

The devices that we carry in our hands every single day are capable of recording so much of our daily lives, and that includes private moments of other people’s lives, too. The photos you take with family, the conversations you have with friends, the videos you record and share—all of these can and do include people other than yourself who have their own idea of privacy, both online and off. Think about how much you care about your own privacy, and then think about what you can do to protect the privacy of others around you.

Don’t share private conversations, don’t post embarrassing videos, and don’t send photos around unless you know that other people in the photos are okay with it.

For years, we’ve heard that cybersecurity is a team sport. It’s time to treat data privacy like one, too.

The post Data Privacy Day: Know your rights, and the right tools to stay private appeared first on Malwarebytes Labs.

CISA calls for urgent action against critical threats

In a CISA Insights bulletin the Cybersecurity & Infrastructure Security Agency (CISA) warns that every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety.

The warning specifically reminds readers of the recent developments in Ukraine, where public and private entities have suffered a series of malicious cyber incidents, and it especially highlights the use of destructive malware against critical infrastructure and the damage it can do. The website defacements and data-wiping malware attacks in Ukraine were originally thought to be different attacks, until it became clear that victims were hit by both, leading authorities to believe the attacks were coordinated.

CISA says it wants to ensure that senior leaders at every organization in the United States, regardless of sector or size, are aware of critical cyber-risks, and take urgent steps to reduce the likelihood and impact of a potentially damaging compromise.

In the document, CISA provides guidelines to make near-term progress toward improving cybersecurity and resilience.

Reducing the chance of an intrusion

To reduce the chance of an unwanted cyber-intrusion, CISA recommends that organizations:

For those unfamiliar with the CISA list of known, actively exploited vulnerabilities, this is tied to Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-parties on an agency’s behalf.

One of the most welcomed of the required actions set forth in the directive is that CISA will keep a catalog of vulnerabilities alongside timeframes in which they must be remediated. According to the plan, this catalog will list only the most important vulnerabilities that have proven to pose the biggest risks.

Although CISA can only require action from federal agencies, it’s clearly hoped that organizations outside its purview will see the benefit of using the catalog in the same way.

It is interesting to note that the latest list of vulnerabilities includes ProxyToken. ProxyToken is a vulnerability that was fixed in June of last year. It allows an unauthenticated attacker to perform configuration actions on mailboxes belonging to arbitrary users. For example, an attacker could use the vulnerability to forward your mail to their account, and read all of your email. All that organizations need to do to protect themselves from it is patch.
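Using the catalog “in the same way” means, in practice, cross-checking your own asset inventory against it and treating the catalog’s remediation deadlines as your own. The script below is an added example, not CISA’s code or part of the bulletin: it reads a catalog in a JSON layout modelled on the field names of CISA’s published feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction), which should be treated as an assumption and checked against the live feed. The catalog entries, the placeholder CVE ids and the host inventory are all constructed sample data so that it runs offline.

```python
"""Cross-check an asset inventory against a KEV-style catalog feed.

Added example (not CISA's code). The record fields mirror the layout of
CISA's public JSON feed as the author understands it (an assumption);
the catalog entries and the inventory below are CONSTRUCTED sample data
with placeholder CVE ids, not real vulnerabilities.
"""
import json
from datetime import date

# Constructed, placeholder catalog in the shape of the KEV JSON feed.
SAMPLE_CATALOG_JSON = json.dumps({
    "title": "Example Known Exploited Vulnerabilities Catalog (constructed)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleMail", "product": "Mail Server",
         "dateAdded": "2022-01-10", "dueDate": "2022-01-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleNet", "product": "VPN Gateway",
         "dateAdded": "2022-01-18", "dueDate": "2022-02-01",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Widget",
         "dateAdded": "2022-01-20", "dueDate": "2022-02-03",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: the CVEs each host still lacks a fix for.
# In real use this comes from a vulnerability scanner or CMDB export.
SAMPLE_INVENTORY = [
    {"host": "mail01.example.internal", "unpatched_cves": ["CVE-0000-0001"]},
    {"host": "vpn01.example.internal", "unpatched_cves": ["CVE-0000-0002", "CVE-0000-0001"]},
    {"host": "web01.example.internal", "unpatched_cves": []},
]


def load_catalog(catalog_json: str) -> dict:
    """Index catalog entries by CVE id so inventory lookups are O(1)."""
    data = json.loads(catalog_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def find_exposures(inventory, catalog, today: str):
    """Return one finding per (host, catalog CVE) pair, most overdue first.

    days_overdue is positive once the remediation deadline has passed and
    negative while time remains, so sorting on it puts urgent items first.
    `today` is an ISO date string so runs are reproducible.
    """
    today_d = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for cve in asset["unpatched_cves"]:
            entry = catalog.get(cve)
            if entry is None:
                continue  # not a catalog item: still track it, but outside this report
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_overdue": (today_d - due).days,
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: f["days_overdue"], reverse=True)  # stable: ties keep input order
    return findings


def report(findings) -> str:
    """Render findings as fixed-width lines for a ticket or daily e-mail."""
    lines = []
    for f in findings:
        status = "OVERDUE" if f["days_overdue"] > 0 else "due"
        lines.append(f'{f["host"]:28} {f["cve"]:14} {f["product"]:24} '
                     f'{status} {f["due"]} ({f["days_overdue"]:+d} days)')
    return "\n".join(lines)


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_CATALOG_JSON)
    print(report(find_exposures(SAMPLE_INVENTORY, catalog, today="2022-01-28")))
```

Run against the live feed, the only change is swapping the constructed JSON for the downloaded file and the sample inventory for your scanner’s export; the deadlines then give you the same remediation clock federal agencies are held to, which is the point of the bulletin’s recommendation.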

Detecting potential intrusions

The bulletin also offers some simple guidance on how to detect and deal with a potential intrusion:

  • Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior, and that they have the logging they need.
  • Confirm that your network is protected by anti-malware software, and that signatures in these tools are updated.
  • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.

This last point was likely added to the list since there are indications that the attacks in Ukraine were, at least partly, the result of supply-chain attacks. The Ukraine Cyber Police are investigating the use of Log4j vulnerabilities and stolen credentials as other means of access to the networks and servers.

If an intrusion is detected, CISA recommends that organizations should create a crisis team that already knows how it will respond. The team should have conducted tabletop exercises so that everyone understands their roles if an incident occurs.

Backups can be an important backstop during a cyber-incident such as a ransomware attack, and the bulletin reminds organizations that taking backups isn’t enough—they need to test their backup procedures too, so they know they can actually restore their critical data if they need to. Backups should, of course, be isolated and out of the reach of potential attackers.

Digging deeper

The Malwarebytes Lock and Code podcast has a wealth of information for people looking to dig deeper into the topics raised by the CISA bulletin. The most recent episode, embedded below, examines why arguably the most important security practice of all—patching—is so hard for organizations.

Previous episodes have included deep dives into why we fail at getting the cybersecurity basics right, why getting backups right is difficult, and what it’s like to be at the centre of a ransomware attack—from a sysadmin who has been there.

Stay safe, everyone!

The post CISA calls for urgent action against critical threats appeared first on Malwarebytes Labs.

Steer clear of gift card balance scams

Rogue ads are a problem-causing menace which can strike in many ways. Malvertising often uses a combination of exploits to drop malware. Phishing campaigns get the job done with social engineering and bogus websites. This particular incident is an example of the latter, and a good reminder to be cautious when clicking.

Shall we take a look?

Balancing your gift cards

A Reddit user reports seeing an advert related to gift card balance searches. You may have been given a gift card at some point, but what you may not realise is that you can check the balance of a card online. Some cards can be topped up, which might make it even harder to remember how much you have. Very handy if you’re out and about and the cash value isn’t written down somewhere!

“Please submit your details”

The ad, which claims to let visitors “check their gift card balance”, rang a few alarm bells for the Reddit user. For one thing, the website’s domain seemed to be related to van hire. This isn’t, typically, what you’d expect to find in a gift card search.

The page, sporting a Target logo and banner at the top, asks visitors to check their balance via an entry form. It says:

“Gently remove the metallic strip on the back of your gift card to reveal both the card and the access numbers”.

Some people who tried the site out reported that it redirected them to the real Target page after hitting the submit button.

The site in question now resolves to a 404 error. It’s likely the site was compromised, with the bogus card check page added in afterwards.

But there are still many other examples of these sites online.

Digging into a card submission

There are a few different examples of sites posted to the Reddit comment thread, all of which are now offline, likely due to multiple webhost reports. They use branding from multiple big name corporations, with incredibly long descriptions on how to check your balance. Much of it is clearly cut and pasted from somewhere else, to the extent that some also reference Amazon and McDonalds cards further down the page. This is designed to try and game SEO rankings on search engines, but all they really care about is having you click the redeem code button.

Clicking through on these kinds of sites takes visitors to replicas of the balance check function on the real Target website, like so:

[Image: replica of the Target gift card balance check form, with fields for the card number and access number]

Like the page hosted on the van hire portal, the forms take submitted gift card/access numbers, then redirect to the genuine Target page.

Tips to avoid losing your gift card balance

With Christmas and New Year fading into the distance, there’ll be a lot of people with gift card balances waiting to be spent. No doubt many will want to check their balances at short notice. All it’ll take to be potentially parted with their credit is a few hurried searches and a bogus website.

If this sounds familiar, you may wish to take some steps to mitigate the threat. Here are some general tips:

  • Don’t open emails from senders you are not familiar with.
  • Don’t click on a link inside an email unless you know exactly where it is going.
  • To layer that protection, if you get an email from a source you are unsure of, navigate to the provided link manually by entering the legitimate website address into your browser.
  • Just because a website uses HTTPS does not guarantee the site’s legitimacy. It’s easier than ever to set up a free HTTPS certificate, which is why manually navigating to websites is important.
  • As you’ll likely check balances at short notice on your mobile, it’s worth finding official card pages now. Save them as bookmarks in your browser.
  • There are many balance check sites out there and it’s not easy to figure out which ones are legit. Some deal with one card specifically, while others allow you to check multiple cards in one go. We’ve seen balance check sites which may well be genuine, but no link from the parent site seems to exist to it. So go to the official website of the service you’re using, and ask customer support where you can check balances.

All of these tips combined will help you avoid gift card scams. 

The post Steer clear of gift card balance scams appeared first on Malwarebytes Labs.

Open Subtitles breach: The dangers of password reuse

Popular website Open Subtitles has been breached. The impact so far: almost seven million accounts “breached and ransomed” back in August.

There’s a long and detailed post on Open Subtitles’ forum with regard to what’s happened. Notable points of interest:

The site received a message from someone with proof of having gained access to the data.

“He gained access to all users’ data – email, username, password…He promised the data would be erased and he would help us secure the site after the payment.

The site was created in 2006 with little knowledge of security, so passwords were stored in md5() hashes without salt”

Money troubles

One point of contention relates to paying off the ransom. Some coverage is claiming they paid up, but then the data eventually leaked anyway. The language in the post reads a little ambiguously:

He asked for a BTC ransom to not disclose this to public and promise to delete the data.

We hardly agreed, because it was not a low amount of money.

However you stack it up, and whether they paid the ransom or not, the data is now out there.

Dangers to your data

This one falls under the familiar banner of “password reuse is bad”. Lots of people do it, and almost everyone has likely reused login details on more than one site without realising it.

The uptake rate on two-factor authentication or similar methods of protection on accounts generally isn’t very good. I dread to think how many of the breached seven million have secondary measures applied to their various logins.

Unsalted password hashes are easy to crack. You should assume your password has been compromised and that criminals will try to use it to gain entry to all your online accounts. If you have used your Open Subtitles password on any other services, change your passwords on all of them, straight away.
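The forum post says passwords were stored as unsalted md5() hashes, which is exactly why the advice above is so blunt. The following is an added example, not Open Subtitles’ code: it reproduces that legacy scheme beside a salted, iterated replacement (PBKDF2-HMAC-SHA256 from Python’s standard library) and shows the property that makes unsalted storage dangerous, namely that every user who picked the same password gets the same stored value, so one recovered digest unlocks all of them, and the same digest reappears wherever the password was reused. The user records are constructed sample data.

```python
"""Why unsalted md5 is a liability, and what to store instead.

Added example, not Open Subtitles' code. The user records are constructed;
the 'legacy' scheme reproduces the unsalted md5() storage described in the
forum post, the 'hardened' scheme uses a per-user random salt with
PBKDF2-HMAC-SHA256 and a constant-time comparison on verification.
"""
import hashlib
import hmac
import os

# Work factor: a floor to raise as your hardware allows; each extra iteration
# costs a guesser as much as it costs you at login time.
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str) -> str:
    """The scheme from the breach: bare md5, no salt, instant to compute."""
    return hashlib.md5(password.encode()).hexdigest()


def hardened_hash(password: str, salt=None) -> str:
    """Salted, iterated hash, stored as 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_password_groups(records):
    """Group usernames whose stored values are identical.

    With unsalted hashes, equal stored values mean equal passwords: one
    recovered digest unlocks every account in the group, and the same digest
    turns up in any other breach where the password was reused. With per-user
    salts every group collapses to size 1 even when passwords match.
    """
    by_hash = {}
    for user, stored in records:
        by_hash.setdefault(stored, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Constructed sample: three users, two of whom chose the same password.
SAMPLE_USERS = [
    ("alice", "Winter2021!"),
    ("bob", "Winter2021!"),
    ("carol", "correct horse battery"),
]


def legacy_table():
    return [(u, legacy_hash(p)) for u, p in SAMPLE_USERS]


def hardened_table():
    return [(u, hardened_hash(p)) for u, p in SAMPLE_USERS]


if __name__ == "__main__":
    print("legacy duplicates:  ", shared_password_groups(legacy_table()))
    print("hardened duplicates:", shared_password_groups(hardened_table()))
    stored = hardened_table()[0][1]
    print("alice login ok:     ", verify_hardened("Winter2021!", stored))
```

The grouping function is also a cheap self-check for anyone who inherits a legacy user table: if it returns any groups at all, the hashes are unsalted and the whole table should be migrated (rehash at next successful login, then retire the md5 column).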

It’s very quick and easy to hijack several logins tied to one person. If an attacker manages to gain access to a primary email account used for password resets on lots of other accounts, then they really have hit the jackpot.

Those accounts can all be used for spamming, malware distribution, social engineering, phishing…the sky’s the limit.

If your data is in the breach, you absolutely must go and take stock of any accounts sharing login details as soon as you can. Get yourself a password manager, a temporary notepad file to jot down your possible duplicates, and kickstart the damage limitation process.

As for Open Subtitles, some folks still aren’t happy with the direction the fixer-upper has taken. Do your bit and address the lingering threat of password duplication. While it remains to be seen how the subtitle breach shakes out, there’s nothing wrong with ensuring the rest of your logins are in safe hands.

The post Open Subtitles breach: The dangers of password reuse appeared first on Malwarebytes Labs.

Combatting SMS and phone fraud: UK government issues guidance

The UK’s National Cyber Security Centre (NCSC) has published a guide to help make your organization’s SMS and telephone messages effective and trustworthy.

SMS and telephone calls represent an extremely effective means of mass communication. As such they are essential tools for most organizations, especially those that deal directly with the general public. Of course, they’re also great tools for cybercriminals.

Due to the many options that cybercriminals have for impersonating and spoofing, it is almost impossible to reliably tell the recipient whether the sender is who they claim to be. This means that cybercriminals are able to pose as legitimate organizations, and mimic the style of their communications.

And when email recipients receive a message that appears to be from a brand they know and trust, they might well be more tempted into clicking on a malicious link.

Important elements for communication

As a rule of thumb, the NCSC gives a few pointers to keep in mind when using SMS or phone calls.

  • Don’t ask for personal details
  • Don’t include weblinks, if possible
  • Where it is absolutely necessary to include weblinks, make sure they are human readable and easy to remember. Don’t use URL shorteners
  • Consistency is important across all channels
  • Avoid language that induces panic or implies urgency

These are exactly the points we have often given to our readers when explaining how they can recognize phishing messages. Phishers will often do the exact opposite. If you want your communication to have a positive impact on your customers or prospects, you do not want to come across as a scammer.
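Because the pointers above are the inverse of a phishing checklist, they can be turned into a pre-send lint for outbound SMS drafts. The script below is an added example and not NCSC’s code or checklist: the urgency phrases, shortener hosts and personal-detail patterns are the author’s constructed approximations of the rules, `brand_domain` is an assumed parameter naming the one domain your links are allowed to point at, and the three draft messages are constructed samples.

```python
"""Pre-send lint for outbound SMS drafts against NCSC-style rules.

Added example, not NCSC's code: the rule set, word lists and sample
messages are the author's own constructed approximations of the guidance
(no personal details, avoid links, never shorteners, no urgency language).
"""
import re

# Hosts of well-known link shorteners (constructed list; extend for your environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Phrases that pressure the reader; phishing relies on them, legitimate text should not.
URGENCY_PHRASES = [
    "immediately", "within 24 hours", "act now", "urgent",
    "your account will be suspended", "final notice", "last chance",
]

# Requests for data a legitimate sender should never solicit by text message.
PERSONAL_DETAIL_PATTERNS = [
    r"\b(?:reply|respond|send)\b[^.]*\b(?:password|pin|passcode|date of birth|card number|cvv)\b",
    r"\bconfirm your\b[^.]*\b(?:password|pin|card number|bank details)\b",
]

# Bare or schemed hostnames; group 1 is the host, used for the domain check.
URL_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


def lint_sms(text: str, brand_domain: str) -> list:
    """Return (severity, message) findings; an empty list means the draft passed.

    'fail' blocks sending, 'warn' needs a human decision, 'info' is advisory.
    """
    findings = []
    lower = text.lower()

    for phrase in URGENCY_PHRASES:
        if phrase in lower:
            findings.append(("warn", f"urgency language: '{phrase}'"))

    for pattern in PERSONAL_DETAIL_PATTERNS:
        if re.search(pattern, lower):
            findings.append(("fail", "asks the recipient to supply personal details"))
            break

    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if host in SHORTENER_HOSTS:
            findings.append(("fail", f"URL shortener in message: {host}"))
        elif host != brand_domain and not host.endswith("." + brand_domain):
            findings.append(("fail", f"link to a domain other than {brand_domain}: {host}"))
        else:
            findings.append(("info", f"link present ({host}); omit it if the message works without one"))

    return findings


def passes(text: str, brand_domain: str) -> bool:
    """True when no finding is severe enough to block sending."""
    return not any(sev == "fail" for sev, _ in lint_sms(text, brand_domain))


# Constructed drafts: (message, the sender's own domain).
SAMPLE_DRAFTS = [
    ("Your parcel is out for delivery today. Track it at parcels.example.com/track.", "example.com"),
    ("URGENT: your account will be suspended. Confirm your password at bit.ly/xyz within 24 hours.",
     "example.com"),
    ("Reminder: your appointment is on Tuesday at 10:00. Reply STOP to opt out.", "example.com"),
]


if __name__ == "__main__":
    for text, domain in SAMPLE_DRAFTS:
        print("PASS" if passes(text, domain) else "FAIL", "|", text)
        for sev, msg in lint_sms(text, domain):
            print("   ", sev.upper(), msg)
```

Wiring this into whatever approval step precedes a bulk campaign catches the common mistakes before they reach customers; the second draft, which reads like a textbook smishing message, fails on both the shortener and the password request and is flagged three times for urgency language.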

Speak with a single voice

As a general rule, you should make it easy for recipients to recognize the sender. Use only one or a few sender IDs, email addresses, and phone numbers, and ensure your messaging is consistent. It’s very important in larger organizations that all communications teams, including those involved in advertising, are aligned in their messaging.

Consistency has a number of benefits:

  • If your messages come from a single, well known source, it’s easier for recipients to distinguish between legitimate and fraudulent messages
  • Fewer communication channels can be better protected, making them harder for criminals to abuse
  • Official sources can list these contact details definitively, so that they become well known and searchable
  • Explaining the communications process to your customers. For example, detail the kind of information your organization would never ask for

Provide a way for your customers to independently check your communications and contact you independently, including guidance on how customers can report suspected scams impersonating your organization.

A specific tip for communications by telephone is that any service that only receives calls should be added to the Do Not Originate list. This helps prevent the number from being used to make outbound calls. In order to deal with the limitations of this protective measure, you should also make it clear that your customers will never receive a legitimate call from this number.

Planning ahead

The NCSC states that prior to starting SMS services, you should be able to answer these questions:

  • Do you plan to use SMS at all? If so, who is the supplier?
  • Does the service need two way communication?
  • What SenderID, if any, do you propose to use? (Note: a SenderID does not support two way SMS)
  • Are you planning to include weblinks?
  • Are you planning a bulk SMS campaign?
  • Is the message price lower than market rates or too low to be true? If it is, the supplier may be using ‘grey routes’ which can result in a customer data compromise.

Grey routes are basically fraudulent messaging. They’re A2P (application to person) messages, such as marketing or spam messages blasted to thousands of people, that are questionably riding on the dedicated P2P (person to person) connections of operators.

You should ensure your suppliers are signed up to the A2P Code of Conduct, take an active part in the MEF registry, and are transparent and willing to share all of their downstream providers. Unless suppliers provide data on the routing of the SMS, it is impossible to distinguish between legitimate and fraudulent SMS.

You should try to find a service provider who is as close to the operators as possible. The more suppliers between you and the operator, the more that can go wrong, including the loss or manipulation of customer data. And it also becomes harder to investigate any problems.

The post Combatting SMS and phone fraud: UK government issues guidance appeared first on Malwarebytes Labs.

Update now! Chrome patches critical RCE vulnerability in Safe Browsing

Google has issued an update for the Chrome browser which includes 26 security fixes. What stands out is that one of these fixes is rated as “critical”. The critical vulnerability is a use after free bug in the Safe Browsing feature.

The Stable channel has been updated to 97.0.4692.99 for Windows, Mac and Linux, and the Extended Stable channel to 96.0.4664.110 for Windows and Mac. Both will roll out over the coming days and weeks.

The vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in Safe Browsing that was rated critical has been assigned CVE-2022-0289. While Chrome vulnerabilities are rarely rated critical, this is already the second one this year. The previous one (CVE-2022-0096) was another use after free vulnerability that could lead to remote code execution (RCE). That one, however, affected all Chromium-based browsers.

The vulnerability in Safe Browsing was reported by Sergei Glazunov of Google Project Zero on 2022-01-05. Project Zero is a team of security researchers at Google who study zero-day vulnerabilities in widely used hardware and software systems. This team also found a use after free vulnerability in Site Isolation, which is another Chrome security feature that acts as a sandbox to offer additional protection against some types of security bugs. The Site Isolation vulnerability was rated as high and not critical, because the exploitability is limited to the browser.

The vulnerability in Safe Browsing does not require any user interaction after the user has visited a malicious website that exploits this vulnerability. Any RCE vulnerability has the potential to take over the affected browser, which in this case could potentially lead to a complete system take-over.

Safe Browsing

Google Safe Browsing is a service that shows warnings to users when they attempt to navigate to dangerous sites or download dangerous files. Safe Browsing also notifies webmasters in case their websites are compromised by malicious actors and helps them diagnose and resolve the problem. And Google’s Ads Security team uses Safe Browsing to make sure that Google ads do not promote dangerous pages.

Many browsers like Google Chrome, Safari, Firefox, Vivaldi, and Brave use the lists of URLs for web resources that are known to contain malware or phishing content. These lists are provided by the Safe Browsing service. Google also provides a public API for the Safe Browsing service.

Use after free

Use after free (UAF) is a vulnerability that results from the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.
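To make the definition above concrete, here is an added example (not code from the post, and unrelated to the Chrome bug itself) that puts the dangling-pointer pattern next to a hardened release routine. The `session` record and all function names are hypothetical. The vulnerable function is shown for contrast only and is never called; the hardened version frees the block and clears the owner's pointer in one step, so later accessors fail closed instead of reading freed memory, and a repeated release is a no-op rather than a double free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical record type, constructed for this example. */
struct session {
    char user[32];
    int  is_admin;
};

static struct session *session_new(const char *user, int is_admin)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    snprintf(s->user, sizeof s->user, "%s", user);
    s->is_admin = is_admin;
    return s;
}

/* Vulnerable pattern: the memory is freed, but the caller still holds a
 * pointer to it. Any later read through that pointer (for example
 * checking s->is_admin) is a use after free. Shown for contrast only;
 * deliberately not called anywhere below. */
void session_release_dangling(struct session *s)
{
    free(s);
    /* the caller's copy of s still points at the freed block */
}

/* Hardened pattern: take the address of the owner's pointer so the free
 * and the clearing of the pointer happen together. Releasing the same
 * owner twice is a harmless no-op instead of a double free. */
static void session_release(struct session **owner)
{
    if (owner == NULL || *owner == NULL)
        return;
    free(*owner);
    *owner = NULL;
}

/* Accessor that fails closed: a released session is NULL, so this
 * returns 0 instead of reading freed memory. */
static int session_is_admin(const struct session *s)
{
    if (s == NULL)
        return 0;
    return s->is_admin;
}

/* Walks the hardened lifecycle and returns 1 if every step behaved as
 * expected: admin before release, non-admin (NULL) after release, and a
 * repeated release that does nothing. Returns -1 on allocation failure. */
int demo_hardened_lifecycle(void)
{
    struct session *s = session_new("alice", 1);
    if (s == NULL)
        return -1;

    int before = session_is_admin(s);   /* 1 */
    session_release(&s);                 /* frees and sets s = NULL */
    int after = session_is_admin(s);     /* 0, no dangling read */
    session_release(&s);                 /* no-op, not a double free */

    return (before == 1 && after == 0 && s == NULL) ? 1 : 0;
}

int main(void)
{
    printf("hardened lifecycle ok: %d\n", demo_hardened_lifecycle());
    return 0;
}
```

The important design choice is that ownership is explicit: only the holder of the pointer releases it, and release leaves an unambiguous NULL behind. That does not remove every UAF (a second copy of the pointer elsewhere would still dangle), which is why browsers pair this discipline with sandboxing and allocator hardening.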

How to protect yourself

If you’re a Chrome user, you should update to version 97.0.4692.99 as soon as possible.

The easiest way to update Chrome is to allow Chrome to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Image (Chrome update ready): Relaunch the browser to apply the update.
Image (Chrome update applied): After the update the version should be 97.0.4692.99.

Stay safe, everyone!

The post Update now! Chrome patches critical RCE vulnerability in Safe Browsing appeared first on Malwarebytes Labs.

Red Cross begs attackers to “Do the right thing” after family reunion service compromised

Restoring Family Links is a program most commonly associated with The Red Cross. It’s been around since 1870, and aims to reunite lost family members, repatriate individuals, prevent folks from disappearing, and much more. You may have seen them in the news during times of disaster, war, and other situations necessitating some form of international aid.

Sadly, someone has compromised a large chunk of data related to the Restoring Family Links program and nobody knows what they intend to do with it.

Unauthorised access of data

In an attack billed as “sophisticated”, personal and confidential data related to no fewer than 515,000 people has been pilfered by unknown attackers. Those impacted may be victims of disaster, conflict, or detention.

According to the ICRC (International Committee of the Red Cross), the data originated from “at least 60 Red Cross and Red Crescent National Societies around the world”. The plundering itself took place from an “external company” located in Switzerland contracted to manage the data by the ICRC.

The impact of the attack is already being felt. Should you visit the Restoring Family Links page at this time, you’ll see it’s down for maintenance. The whole program’s systems have been shut down while they figure out what exactly has happened, and which bits of their network are still insecure.

As the ICRC notes, an average of 12 missing people a day are reunited with their families. Humanitarian work such as this can have potentially fatal consequences if interfered with so the stakes here are very high indeed.

Under attack (again)

The Red Cross/ICRC have had a number of run-ins with hacks and leaks in the past. For example, 555,000 people had their details leaked in 2016 when Red Cross Australia blood donor information was accessed by someone without permission. In 2019, it happened again in Singapore but on a much smaller scale.

The ICRC takes this subject very seriously, to the extent there’s a handbook on data protection in humanitarian action. We don’t know yet how this aligns with whatever has happened at the external data host, however.

From untargeted to very targeted…

During the Japan tsunami and earthquake of 2011, a huge volume of scam attacks sank their claws into the disaster. We saw fake missing relative notices, bogus Red Cross websites, fake charity donation sites, 419 scams, and even radiation health e-books.

They all tried to exploit a crisis, but it was primarily very general and untargeted.

This breach could have severe consequences for both people in the data and those related to them. The pilfered details could be used for all manner of scam attempts. Phishing, social engineering, blackmail, fraud: all of these things and more could be in the running. Highly targeted, with a potentially very good chance of succeeding. Sensitive information could make its way to Governments who don’t have the best interest of those named at heart.

The humanitarian world holds its breath

We don’t know what’s going to happen to the compromised data. There’s a real worry it could simply be tossed out into the ether. As the ICRC put it:

Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.

Will they do the right thing? Unfortunately, we could be in for a long wait to find out.

The post Red Cross begs attackers to “Do the right thing” after family reunion service compromised appeared first on Malwarebytes Labs.

Mac users, update now! “Powerdir” flaw could allow attackers to spy on you

If you have been forgoing updating your Mac, this article might make you think twice.

The Microsoft 365 Defender Research Team has discovered a vulnerability in macOS, which allows malicious apps to successfully bypass a user’s privacy preferences. This means attackers could access personal data that was once private, as well as install a malicious app—or hijack one that’s already installed—to access the microphone to record conversations or capture screenshots of the user’s screen without them knowing.

Dubbed “Powerdir,” it is the latest in a lengthening line of Transparency, Consent, and Control (TCC) security framework bypasses that have been hitting Apple these past few months. The Microsoft team is said to have reported Powerdir to Apple in mid-July 2021, and Apple patched it 6 months later. It is tracked as CVE-2021-30970.

Image: The Security & Privacy UI of a macOS device, which helps users configure the privacy settings of their apps. The TCC is the underlying technology that makes this happen. (Source: Microsoft)

The TCC is essentially the technology that keeps user data within a device private, so apps without full disk access rights cannot just access data without the user’s consent. It also houses a database of consent history for app requests.

While Apple has set up restrictions and blocking mechanisms against unauthorized code execution, the Microsoft team was able to successfully change a user’s home directory and plant a second TCC database (a specially crafted one, of course). In doing so, they were able to access protected user information.

Image: Screenshot of the first working Powerdir proof-of-concept (PoC). (Source: Microsoft)

A bypass similar to Powerdir was presented by Wojciech Reguła and Csaba Fitzl at Black Hat USA in August 2021, along with over 20 more TCC bypasses. This flaw was tracked as CVE-2020-27937. However, despite Apple patching this, the Microsoft team’s PoC still worked until Apple released macOS Monterey in October 2021.

The Microsoft team then modified their first Powerdir PoC to make it work in the new macOS. Here’s a link to the demo video of how it now works in Monterey. This, too, has been patched by Apple and included as part of CVE-2021-30970.

How to protect yourself from Powerdir

All Mac users have to do is download and apply the fixes. Easy!

Stay safe!

The post Mac users, update now! “Powerdir” flaw could allow attackers to spy on you appeared first on Malwarebytes Labs.

Browsers on iOS, iPadOS and Mac leak your browsing activity and personal identifiers

Researchers at FingerprintJS, a Chicago-based firm that specializes in online fraud prevention, have published details of a software bug introduced in Safari 15’s implementation of the IndexedDB API that lets any website track your internet activity and may even reveal your identity.

They found that in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy, a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins.

Safari

Safari is developed by Apple and designed to be the default browser for the Operating Systems macOS, iOS and iPadOS. As such, it has a market share of around 20%, which makes it the most used browser after Chrome, which has a market share of over 60%.

The researchers found that the current version of WebKit, the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS, can be tricked into skipping the same-origin check. To put it simply, the names of all IndexedDB databases are available to any site that you are visiting in the same session. Actual access to the content of each database is restricted however.

IndexedDB

IndexedDB is a browser API for client-side storage designed to hold significant amounts of data. It’s supported in all major browsers and is very commonly used. Normally, information stored in IndexedDB storage can only be accessed by a web page from the same domain that created it. If Google creates it, for example, the information cached there can only be accessed by another Google web page.

Google services store an IndexedDB instance for each of your logged in accounts, with the name of the database corresponding to your Google User ID. This ID can be retrieved using this leak as well.

The leak

The information that can be gathered by exploiting this bug may seem limited at first sight. But it can disclose information about your recent browsing history and even some info about the logged-in Google account. So, it lets arbitrary websites learn what other websites you visit(ed) in different tabs or windows.

Additionally, some websites use unique user-specific identifiers in database names, which means that authenticated users can be uniquely and precisely identified. This includes, for example, your Google profile picture, which can be looked up using an ID attached to certain sites’ IndexedDB caches.

Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user.

Exploitability

Note that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time. So, all the criminals have to do is get you to visit a site designed by them. In such a case of actively controlled exploitation, the attacker could tell websites to open any other website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.

Mitigation

Apple has acknowledged the bug and worked on a solution, marking the issue as resolved. This does not mean the fix will take effect immediately, however. Updates take time to roll out, and it could be a while before your devices receive the fix.

If you are worried about this leak, you can use private mode in Safari 15. But this only helps partially because private mode in Safari 15 is also affected by the leak. It only helps because private Safari windows are restricted to a single tab, which reduces the extent of information available via the leak. If you visit multiple different websites within the same tab, all databases these websites interact with are leaked to all subsequently visited websites.

Another way to limit the impact is to block all JavaScript by default and only allow it on sites that are trusted. But this makes web browsing very inconvenient and is likely not a good solution for everyone. Moreover, vulnerabilities like cross-site scripting make it possible to get targeted via trusted sites as well, although the risk is much smaller.

macOS users can switch to another browser but, unfortunately, this is not an option on iOS and iPadOS as all browsers are affected on these operating systems.

Demo

For those interested, the researchers have created a demo that demonstrates how a website can learn the Google account identity of any visitor. The demo is available at safarileaks.com.

If you open the page and start the demo in an affected browser, you will see how the current browsing context and your identity is leaked right away. Identity data will only be available if you are authenticated to your Google account in the same browsing session.

Stay safe, everyone!

The post Browsers on iOS, iPadOS and Mac leak your browsing activity and personal identifiers appeared first on Malwarebytes Labs.

Campaign launched to delay social media end-to-end encryption

The many issues surrounding end-to-end encryption (E2EE) are ever-present. They usually spring up when something that could potentially affect the safety of those who are vulnerable comes to light.

Back in November, Meta announced it had delayed plans to roll out E2EE on its Facebook and Instagram platforms until 2023, because the company needed more time to “get this right”. Not surprisingly, the UK government has been deeply concerned since it was first announced in 2019.

Child predators were busy in 2021

No Place To Hide, a UK-government backed child safety campaign, launched on Tuesday, aiming to “keep children safe online without compromising user privacy.”

An official campaign video for No Place To Hide

The campaign is supported by Barnardo’s, the UK’s largest national children’s charity; The Lucy Faithfull Foundation, a charity that focuses on abused children; The Marie Collins Foundation, a charity that focuses on children abused using technology and the internet; and SafeToNet, a “cyber-safety company” that develops apps to keep online threats, such as cyberbullying, sexting, and aggression, against children at bay.

Child predators could be anywhere, especially online. And in a recent revelation from the Internet Watch Foundation (IWF), 2021 is most noteworthy as “the worst year on record for child abuse online” due to pandemic lockdowns. The IWF dealt with 361,000 cases just last year, a staggering 25,442 more than the 335,558 cases the foundation assessed in total during its first 15 years of service.

Younger and younger children have been targeted as they spend more time online, leaving them ever more vulnerable to communities of criminals eager and willing to manipulate them into capturing sexual abuse imagery via their own webcams. These are deemed “self-generated material” and, more often than not, they are freely exchanged in the open web.

“Children are being targeted, approached, groomed, and abused by criminals on an industrial scale,” says Susie Hargreaves OBE, Chief Executive of the IWF, in a press release, “So often, this sexual abuse is happening in children’s bedrooms in family homes, with parents being wholly unaware of what is being done to their children by strangers with an internet connection.”

And one of the things that probably keeps child predators from getting caught is E2EE. Speaking to the BBC, a spokesperson from No Place To Hide has said that E2EE apps being rolled out would be “like turning the lights off on the ability to identify child sex abusers online.”

Although this may sound like the coalition is against E2EE, they’re not, “as long as it is implemented in a way that does not put children at risk.” They also said they are in full support of strong privacy and children’s online safety, and urge social media sites to protect both.

“We want social media companies to confirm they will not implement end-to-end encryption until they have the technology in place to ensure children will not be put at greater risk as a result,” No Place To Hide’s campaign website states. “They need to show that the changes will not make it easier for child sex abusers to groom children; make, share, or view sexual images of children; and avoid detection by law enforcement agencies.”

The upsides and downsides of using E2EE

There is no denying that end-to-end encryption has been essential—life-saving, even—in keeping the exchange of data and information private with only the sender and receiver able to read the messages between them. Not only has it made online banking possible, it protects people from scams, hacking attempts, fraud attempts, surveillance, and potential breaches.

Children, too, can benefit from using E2EE. Encryption protects them from tech and social media companies, for example, who are keen on gathering data, profiling their users, and targeting them for advertising purposes. Furthermore, E2EE gives children the safe space they need to just express themselves without fear of judgment.

On the flip side, law enforcement, governments, and service providers where E2EE is incorporated would not be able to access data that might be essential in their intelligence gathering efforts in the name of national security. This, along with child safety, is one of the two linchpin arguments that keeps the fight against E2EE alive, and many governments and international committees are backing it.

Parents and carers, take the lead

The distribution and promotion of child sexual abuse material (CSAM) online is a huge problem that every nation needs to address. But is it really at the cost of compromising end-to-end encryption—and to a larger degree, our privacy?

Everyone needs to be protected online, especially the most vulnerable members of our society. And everyone should be able to use E2EE and be given the option to stay anonymous. Unfortunately, the bad guys also benefit from good things created for everyone. And breaking the very technology that is designed to protect us from all sorts of threats online is no better than not having any form of protection at all.

We feel for the parents and carers who may find themselves in the middle of this now-political battle concerning everyone’s online privacy and the safety of their children. What are they to do?

If you think your child is old enough to be left alone, even for a little while, to use the Internet on their own, wouldn’t now be the perfect time to talk to them about the possible dangers they could meet online? Perhaps more than having E2EE, they need the proper guidance of their parents on how to navigate the web and how to interact with other people online. Not only that, young and pre-teen children need hands-on intervention, if certain situations call for it.

We encourage you to work together towards keeping your children secure wherever they are online.

The post Campaign launched to delay social media end-to-end encryption appeared first on Malwarebytes Labs.