InfoSec News Nuggets – September 11, 2018

Home / InfoSec News Nuggets / InfoSec News Nuggets – September 11, 2018

US government releases post-mortem report on Equifax hack

The Government Accountability Office (GAO) has published a report to detail how the Equifax hack went down and how the credit reporting company answered during and after the incident. The report comes a day before the one-year anniversary of the public announcement of the Equifax breach that exposed the personal details of 145.5 million Americans, but also of millions of British and Canadian citizens. Some of the details included in the report were already known and previously reported, but there was also some new information.

Chrome 69 Removing WWW and M subdomains From the Browser’s Address Bar

With the release of Chrome 69, Google has decided to strip the “www” and “m” subdomains from the URL displayed in Chrome’s address bar. For example, when a user visits www.bleepingcomputer.com, the www would be stripped and displayed as bleepingcomputer.com in the address bar. When this was discovered, users and security experts expressed concerns that this new behavior will cause confusion for users who may think that they are going to a particular site, but may actually be going to a completely different one. Furthermore, due to bugs in this implementation, the “www” string could be stripped incorrectly and thus display an incorrect URL in the address bar. As stated by a Chromium developer in the behavior’s bug report, the www and m (for mobile) subdomains are being classified by Google as “trivial” subdomains because they feel most people do not need to be concerned with the information they represent.

ARE NEW YORK’S FREE LINKNYC INTERNET KIOSKS TRACKING YOUR MOVEMENTS?

According to Meyers, the “LinkNYC Mobile Observation” code collects the user’s longitude and latitude, as well as the user’s browser type, operating system, device type, device identifiers, and full URL clickstreams (including date and time) and aggregates this information into a database. In Meyers’s view, this code — along with the functions of the “RxLocation” codebase — suggests that the company is interested in tracking the locations of Wi-Fi users in real time. If such code were run on a mobile app or kiosk, he said, the company would be able to make advertisements available in real time based on where and who someone was, and that this would constitute a potential violation of the company’s privacy policy. In 2016, LinkNYC’s privacy policy made it clear that it did not collect information about users’ precise locations. “However,” it states, “we know where we provide WiFi services, so when you use the services we can determine your general location.”

Microsoft ‘Confirms’ Windows 7 New Monthly Charge

Microsoft MSFT -0.45% has always described Windows 10 “as a service” and leaks have already revealed new monthly charges are coming. Of course, for Windows 7 owners this was never something they expected to pay. But times change. In a new blog post entitled “Helping customers shift to a modern desktop”, Microsoft has announced that it will indeed start charging Windows 7 customers a monthly fee from January 14th 2020, if they want to keep their computers safe. If this date rings a bell, that’s because it is the day Microsoft will end ‘Extended Support’ for Windows 7 according to the company’s Lifecycle page. This means no more patches or security updates unless, as we now learn, you pay. Furthermore, Microsoft says it will increase the cost of this every year.

The Netherlands Emerges as a Global Leader in Cybersecurity

Long recognized as the digital gateway to Europe, The Netherlands has emerged as a hotbed for cybersecurity. There are now more than 400 cybersecurity companies in The Hague, the Netherlands, alone – the location of the third-annual Cyber Security Week. The conference, taking place Oct. 2-5, will bring together industry leaders from 70 countries to discuss emerging trends and innovations in cybersecurity. The Hague’s dense cybersecurity sector makes it the ideal location for Cyber Security Week. It is home to The Hague Security Delta, the world’s leading security cluster, which fosters collaboration between businesses, governments and knowledge institutions. As further testament to The Hague’s cybersecurity expertise, the EU European Cybercrime Centre, the European Network for Cyber Security, the NATO Cyber Security Agency, and the Cyber Security Academy are all located in the region.

Ottawa probes Huawei equipment for security threats

The Canadian government has publicly acknowledged it has been conducting security tests since 2013 on telecommunication equipment sold in Canada by Chinese giant Huawei, a company the United States and Australia regard as a potential tool for state-sponsored cyberspying. Under pressure from the United States to ban Huawei, which is a major sponsor of Hockey Central on Rogers Sportsnet, from supplying equipment in Canada for new wireless cellular networks known as 5G, Ottawa has said safeguards are in place to prevent security breaches by the Chinese telecom firm. Until now, the government had refused to say how it is protecting Canadians in light of a law that requires China’s companies to “support, co-operate with and collaborate in national intelligence work” when requested by the Beijing government.

Trend Micro Apps Leak User Data, Removed from Mac App Store

Multiple apps developed by Trend Micro are no longer available in the Mac App Store after researchers showed they were collecting browser history and information about users’ computers. On Friday, Apple removed Adware Doctor, a top security app, from its store, on the exact same grounds. The apps are Dr. Antivirus, Dr. Cleaner, and Dr. Unarchiver, all under the developer account Trend Micro, Incorporated. Until removal, all products were top-sellers, with thousands of positive reviews that averaged their ratings between 4.6 and 4.9. Trend Micro released less than an hour ago a statement denying that its apps were stealing user data. The company says that an initial investigation confirms that Dr Cleaner, Dr Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder collected browser snapshots, but the behavior was disclosed in the EULAs of each product.

Exploit vendor drops Tor Browser zero-day on Twitter

Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network. In a tweet, Zerodium said the vulnerability is a full bypass of the “Safest” security level of the NoScript extension that’s included by default with all Tor Browser distributions. NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content. It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users.

Tech support scammers find a home on Microsoft TechNet pages

Tech support scammers have created over 3,000 pages on the Microsoft TechNet portal to promote various shady services. The reason for invading Microsoft’s portal was to gain a reputational boost from the microsoft.com domain, allowing their shady ads to appear higher in search results than if they would have if they used self-hosted websites. All scammy pages were created on Microsoft TechNet, a portal that contains documentation for Microsoft products, discussion forums, and a downloads center for various Microsoft-related software and trialware. The vast majority of tech support scams were set up on the gallery.technet.microsoft.com, the subdomain for the TechNet free downloads library.

Safari, Edge fans: Is that really the website you think you’re visiting?

A security researcher has disclosed a flaw that could be used to spoof website addresses in either Edge or Safari. Rafay Baloch told The Register that while Microsoft has since patched the flaw (CVE-2018-8383) in its browser, Apple has been dragging its feet on a fix for Safari for weeks, and the browser remains vulnerable. The vulnerability is the result of what Baloch describes as a race condition that would potentially allow the attacker to load a page and then re-write code in the body without changing the URL displayed in the address bar.

In a Few Days, Credit Freezes Will Be Fee-Free

A credit freeze — also known as a “security freeze” — restricts access to your credit file, making it far more difficult for identity thieves to open new accounts in your name. Currently, many states allow the big three bureaus — Equifax, Experian and TransUnion — to charge a fee for placing or lifting a security freeze. But thanks to a federal law enacted earlier this year, after Sept. 21, 2018 it will be free to freeze and unfreeze your credit file and those of your children or dependents throughout the United States. KrebsOnSecurity has for many years urged readers to freeze their files with the big three bureaus, as well as with a distant fourth — Innovis — and the NCTUE, an Equifax-operated credit checking clearinghouse relied upon by most of the major mobile phone providers.

Dear America: Want secure elections? Stick to pen and paper for ballots, experts urge

The upcoming 2020 US presidential election should be conducted on paper, since there is no way currently to make electronic and internet voting secure. That’s according to a dossier from the National Academies of Sciences, Engineering, and Medicine, which probed the fallout of alleged Russian meddling with America’s 2016 elections, and concluded that voting systems anywhere near the internet or a computer network were too vulnerable to be relied on to collect and tabulate vote counts. “Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner),” the US-based academics recommended in their report this week.