The Government Accountability Office (GAO) has published a report detailing how the Equifax breach unfolded and how the credit reporting company responded during and after the incident. The report comes a day before the one-year anniversary of the public announcement of the Equifax breach, which exposed the personal details of 145.5 million Americans as well as millions of British and Canadian citizens. Some of the details in the report were already known and previously reported, but it also contains new information.
With the release of Chrome 69, Google has decided to strip the “www” and “m” subdomains from the URL displayed in Chrome’s address bar. For example, when a user visits www.bleepingcomputer.com, the “www” is stripped and the address bar shows bleepingcomputer.com. When this was discovered, users and security experts raised the concern that the new behavior will confuse users, who may think they are on one site when they are actually on a completely different one: www.example.com and example.com are distinct hostnames in DNS and distinct origins for the browser’s same-origin policy, so hiding the label removes the one piece of information a user can use to tell them apart. Furthermore, bugs in the implementation meant the “www” string could be stripped incorrectly, displaying a URL that does not correspond to the page actually loaded. As a Chromium developer stated in the bug report for this behavior, Google classifies the “www” and “m” (for mobile) subdomains as “trivial” subdomains because it believes most people do not need to be concerned with the information they represent.
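The following is an added example, not Chromium’s code, that models the elision rule as the paragraph describes it (one leading “www.” or “m.” label is hidden) and shows why it loses security-relevant information: distinct hostnames, which the browser itself treats as different origins, collapse to the same displayed string. The guard that keeps at least two labels after stripping and the sample hostnames are assumptions for illustration.

```javascript
// Added example (not Chrome's own code): model the Chrome 69 address-bar
// elision described above and measure what it hides from the user.
const TRIVIAL_LABELS = new Set(["www", "m"]); // per the page: "trivial" subdomains

// Approximation of the display transform: hide one leading trivial label.
// Assumption: never strip down to a bare registrable name of fewer than
// two labels (so "www.com" stays as it is).
function displayHost(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length > 2 && TRIVIAL_LABELS.has(labels[0])) {
    return labels.slice(1).join(".");
  }
  return labels.join(".");
}

// The browser's own notion of identity: two URLs are the same origin only
// if scheme, host and port all match. "www.example.com" and "example.com"
// are different origins even though the address bar would show them alike.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Group hostnames by what the user would see. Every group with more than
// one member is a set of distinct hosts the address bar can no longer
// distinguish.
function collisions(hostnames) {
  const byShown = new Map();
  for (const host of hostnames) {
    const shown = displayHost(host);
    if (!byShown.has(shown)) byShown.set(shown, []);
    byShown.get(shown).push(host);
  }
  return [...byShown.entries()]
    .filter(([, members]) => members.length > 1)
    .map(([shown, members]) => ({ shown, members }));
}

// Constructed sample (not real measurements): names that are separate in
// DNS and, for the browser, separate origins.
const SAMPLE_HOSTS = [
  "www.example.com",
  "example.com",
  "m.example.com",
  "mail.example.com",
  "www.pool.example.org",
  "pool.example.org",
];

// Usage: print each displayed string together with the hosts hidden behind it.
for (const { shown, members } of collisions(SAMPLE_HOSTS)) {
  console.log(`${shown} <- ${members.join(", ")}`);
}
```

Run under Node; `URL` is available globally. The point of `collisions` is that the mapping from real hostname to displayed hostname is not one-to-one, while `sameOrigin` shows that the browser’s security boundary still distinguishes those hosts, so the user and the browser are working from different views of which site is loaded.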
Microsoft has always described Windows 10 “as a service”, and leaks had already revealed that new monthly charges were coming. Windows 7 owners, of course, never expected to pay anything of the kind. But times change. In a new blog post entitled “Helping customers shift to a modern desktop”, Microsoft has announced that it will indeed start charging Windows 7 customers a per-device fee for Extended Security Updates from January 14th 2020 if they want to keep their computers patched. If that date rings a bell, it is because it is the day Microsoft ends Extended Support for Windows 7 according to the company’s Lifecycle page. After that there are no more patches or security updates unless, as we now learn, you pay. Furthermore, Microsoft says the price will increase every year.
Long recognized as the digital gateway to Europe, the Netherlands has emerged as a hotbed for cybersecurity. There are now more than 400 cybersecurity companies in The Hague alone, the location of the third annual Cyber Security Week. The conference, taking place Oct. 2-5, will bring together industry leaders from 70 countries to discuss emerging trends and innovations in cybersecurity. The Hague’s dense cybersecurity sector makes it a natural location for Cyber Security Week. It is home to The Hague Security Delta, a security cluster that fosters collaboration between businesses, governments and knowledge institutions. As further testament to the region’s cybersecurity expertise, Europol’s European Cybercrime Centre (EC3), the European Network for Cyber Security, the NATO Cyber Security Agency, and the Cyber Security Academy are all located there.
The Canadian government has publicly acknowledged that it has been conducting security tests since 2013 on telecommunications equipment sold in Canada by Chinese giant Huawei, a company the United States and Australia regard as a potential tool for state-sponsored cyberespionage. The United States has been pressing Ottawa to ban Huawei (a major sponsor of Hockey Central on Rogers Sportsnet) from supplying equipment for the new 5G wireless networks; Ottawa has responded that safeguards are in place to prevent security breaches by the Chinese telecom firm. Until now, the government had refused to say how it is protecting Canadians in light of China’s 2017 National Intelligence Law, which requires Chinese companies to “support, co-operate with and collaborate in national intelligence work” when requested by the Beijing government.
Multiple apps developed by Trend Micro are no longer available in the Mac App Store after researchers showed they were collecting browser history and information about users’ computers. On Friday, Apple removed Adware Doctor, a top-ranked security app, from its store on exactly the same grounds. The Trend Micro apps are Dr. Antivirus, Dr. Cleaner, and Dr. Unarchiver, all published under the developer account Trend Micro, Incorporated. Until their removal, all three were top sellers with thousands of positive reviews and average ratings between 4.6 and 4.9. Trend Micro has since released a statement denying that its apps were stealing user data. The company says an initial investigation confirms that Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder collected a snapshot of browser history, but that the behavior was disclosed in the EULA of each product.
Tech support scammers have created over 3,000 pages on the Microsoft TechNet portal to promote various shady services. The reason for invading Microsoft’s portal was to gain a reputational boost from the microsoft.com domain, allowing their ads to rank higher in search results than they would on self-hosted websites. All of the scam pages were created on Microsoft TechNet, a portal that hosts documentation for Microsoft products, discussion forums, and a downloads center for Microsoft-related software and trialware. The vast majority of the tech support scam pages were set up on gallery.technet.microsoft.com, the subdomain for TechNet’s free downloads library.
A security researcher has disclosed a flaw that could be used to spoof website addresses in either Edge or Safari. Rafay Baloch told The Register that while Microsoft has since patched the flaw in its browser (CVE-2018-8383), Apple has been dragging its feet on a fix for Safari for weeks, and that browser remains vulnerable. The vulnerability stems from what Baloch describes as a race condition that would allow an attacker to load a legitimate page and then rewrite the content of its body while the address bar continues to display the original URL. Address-bar spoofs are particularly damaging because the URL in the address bar is the one indicator users are told to check before entering credentials; until a fix ships, nothing visible to the user reveals the substitution.
A credit freeze, also known as a “security freeze”, restricts access to your credit file, making it far more difficult for identity thieves to open new accounts in your name. Currently, many states allow the big three bureaus (Equifax, Experian and TransUnion) to charge a fee for placing or lifting a security freeze. But thanks to a federal law enacted earlier this year, from Sept. 21, 2018 it will be free to freeze and unfreeze your credit file, and those of your children or dependents, throughout the United States. KrebsOnSecurity has for many years urged readers to freeze their files with the big three bureaus, as well as with a distant fourth, Innovis, and the NCTUE, an Equifax-operated credit checking clearinghouse relied upon by most of the major mobile phone providers.
The upcoming 2020 US presidential election should be conducted on paper, since there is currently no way to make electronic and internet voting secure. That is the conclusion of a report from the National Academies of Sciences, Engineering, and Medicine, which examined the fallout of alleged Russian meddling in America’s 2016 elections and found that voting systems connected to the internet or to a computer network are too vulnerable to be relied on to collect and tabulate votes. “Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner),” the US-based academics recommended in their report this week.