Two years after promising to report all HTTP-based web pages as insecure, Mozilla is about to deliver. Soon, whenever you visit one of the shrinking number of sites that doesn’t use a security certificate, the Firefox browser will warn you. Firefox developer Johann Hofmann announced the news this week: In desktop Firefox 70, we intend to show an icon in the “identity block” (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure. Firefox 70 will ship in October. The change is an attempt to crack down on sites that don’t secure their communications.
U.S. Senate minority leader Chuck Schumer called on the FBI and the Federal Trade Commission to conduct a national security and privacy investigation into FaceApp, a face-editing photo app developed in Russia, in a letter sent on Wednesday. The viral smartphone application, which has seen a new surge of popularity due to a filter that ages photos of users’ faces, requires “full and irrevocable access to their personal photos and data,” which could pose “national security and privacy risks for millions of U.S. citizens,” Schumer said in his letter to FBI Director Christopher Wray and FTC Chairman Joe Simons.
In a move that is bound to piss off more than a couple of publishers, Google is readying to fix the “loophole” that allowed sites to see when you’re browsing in Incognito Mode. Google announced in a blog post on Thursday that the update will arrive with the release of Chrome 76 later this month. The tip-off to sites that you’re browsing in private mode is an unintended result of Chrome’s FileSystem API, which is disabled in Incognito. If a site searches for the FileSystem API and gets an error message, it can, as Google puts it, “give the user a different experience.” “With the release of Chrome 76 scheduled for July 30, the behavior of the FileSystem API will be modified to remedy this method of Incognito Mode detection,” the company said.
Microsoft has demonstrated its ElectionGuard electronic vote system at the Aspen Security Forum under way in Colorado and warned that nearly 10,000 of its customers have been targeted by nation-state attacks. ElectionGuard aims to enable end-to-end verification of voting. Voters receive a tracking code and can check via a web portal that their vote has been counted, and, crucially, not altered. The portal does not show the content of the vote, protecting voter confidentiality. "It will not be possible to 'hack' the vote without detection," said Microsoft's Tom Burt, CVP of Customer Security and Trust, in a post about the company's latest efforts to counter threats against democracy. The system uses homomorphic encryption to allow data to be used in computation while still encrypted.
At least 62 US universities have been targeted by hackers who stole student data and used it to create thousands of fake accounts, according to a security alert the Department of Education's Federal Student Aid page released this week. The attackers reportedly exploited a weakness in a popular banner system made by the company Ellucian. According to the alert, hackers were able to use this vulnerability to access data from the admissions and enrollment sections of schools and then use that to create thousands of fake accounts in order to conduct cybercrime. Six hundred fake accounts appeared in just 24 hours before the alert went live on Monday. The Ellucian banner software at the center of all this works as a drop down menu meant to simplify admissions and enrollments at schools.
Israeli spyware company NSO Group’s powerful Pegasus malware—the same spyware implicated in a breach of WhatsApp earlier this year—is capable of scraping a target’s data from the servers of Apple, Google, Amazon, Facebook, and Microsoft, according to a report in the Financial Times on Friday. According to the Times, “people familiar with its sales pitch” as well as leaked sales documents show that NSO Group’s parent company Q-Cyber is advertising Pegasus as having the capability to copy authentication keys to services including Google Drive, Facebook Messenger, and iCloud from an infected phone to a web server that is then capable of independently downloading the target’s entire online history.
A former National Security Agency contractor who stored two decades’ worth of classified documents at his Maryland home was sentenced Friday to nine years in prison. Harold Martin, 54, apologized to the federal judge who sentenced him for a theft that prosecutors have called “breathtaking” in scope. “My methods were wrong, illegal and highly questionable,” Martin told U.S. District Judge Richard Bennett. The punishment was in line with the nine-year sentence called for under his plea agreement, in which he admitted guilt to a single count of willful retention of national defense information. The charge carries a maximum sentence of 10 years in prison. Martin gets credit for the nearly three years he has spent behind bars since his arrest.
Red faces in Moscow this weekend, with the news that hackers have successfully targeted FSB—Russia's Federal Security Service. The hackers managed to steal 7.5 terabytes of data from a major contractor, exposing secret FSB projects to de-anonymize Tor browsing, scrape social media, and help the state split its internet off from the rest of the world. The data was passed to mainstream media outlets for publishing. FSB is Russia's primary security agency with parallels with the FBI and MI5, but its remit stretches beyond domestic intelligence to include electronic surveillance overseas and significant intelligence-gathering oversight. It is the primary successor agency to the infamous KGB, reporting directly to Russia's president.
The Internal Revenue Services' internal financial reporting systems and IT infrastructure have 14 new security vulnerabilities, along with a long list of previously unresolved deficiencies, according to the U.S. Government Accountability Office. The findings were part of an annual audit of the IRS's financial security control systems, the government watchdog noted in a report released Thursday. The GAO report also includes 20 recommendations for improving security and mitigating flaws and misconfigurations within IRS IT systems. The security recommendations are aimed at safeguarding the IRS' infrastructure and databases, which contains financial data and other personal information on millions of U.S. taxpayers.