WebProNews

Category: CybersecurityUpdate

  • TrafficGuard Launches Free PPC Fraud Protection

    Advertising fraud protection firm TrafficGuard has announced the launch of free PPC fraud protection, as well as a pay-as-you-go Pro option.

    According to founder and COO Luke Taylor, the company sees “ad fraud draining almost 30% of every new client’s advertising spend.” Unfortunately, in times past, advertising fraud protection was outside the means of many small startups. TrafficGuard is working to change that.

    “Our mission is to drive trust and transparency in the digital advertising ecosystem,” continues Taylor. “A reflection of this mission is our effort to democratise transparency. With our free PPC protection, transparency isn’t just the purview of big brand advertisers and agencies – businesses of all sizes can get the visibility they need to fight ad fraud.

    “We believe that if every business takes steps to protect their own ad spend from fraud, the cumulative effect is a strengthened industry and less funds flowing through to the perpetrators of ad fraud. Most fraud prevention tools are aimed at the big advertisers. By offering a free version of TrafficGuard, small and medium businesses also have the tools they need to protect their own spend.”

    TrafficGuard’s announcement is good news for companies looking to maximize their advertising budget.

  • DOJ Inspector General Lends Support to Microsoft’s JEDI Win Over Amazon

    The Department of Justice (DOJ) Inspector General (IG) has reviewed Microsoft’s JEDI win and found no interference by the Trump administration.

    Microsoft stunned the industry when it won the Pentagon’s Joint Enterprise Defense Infrastructure (JEDI) contract, worth some $10 billion. Amazon had widely been considered the likely candidate to win the contract, especially given the company’s history of working on sensitive government contracts in the past. In short order, Amazon launched legal challenges to try to have the Pentagon’s decision overturned. One of the alleged discrepancies was disparaging comments President Trump made that Amazon believed may have played a part in Microsoft winning.

    With the DOJ watchdog’s report, however, those concerns seem to have been put to rest—albeit with a bit of a caveat. While acknowledging investigators did encounter some interference from the White House, they said: “However, we believe the evidence we received showed that the DoD personnel who evaluated the contract proposals and awarded Microsoft the JEDI Cloud contract were not pressured regarding their decision on the award of the contract by any DoD leaders more senior to them, who may have communicated with the White House.”

    At the same time, Microsoft has used the DOJ’s report to accuse Amazon of unfairly trying to gain an advantage in the bidding process. In a blog post following the DOJ’s report, Microsoft said the following:

    “That brings us to where we are today. The DoD is seeking to be responsive to the issue the Court raised in issuing the preliminary injunction. But that’s not good enough for Amazon. Amazon doesn’t want a solution that addresses the Court’s concerns and sticks to the original pricing in the competitors’ bids. According to its brief, it wants no ‘constraint on the offerors’ ability to revise their pricing.’

    “This, according to the government, is ‘a transparent effort to undercut Microsoft on price, now that [Amazon] has a target at which to aim.’ Amazon dresses its argument in the language of fairness and level playing fields, but the government’s brief looks right through it: ‘That AWS now regrets its pricing strategy is no reason to allow AWS a do-over, after it gained significant information about its competitor’s pricing, enabling it to use the currently prevailing information asymmetry to underbid its competitor in an effort to secure the contract.’”

    While not clearing Microsoft to move forward with the contract, the IG’s findings certainly lend weight to Microsoft’s win and undermine Amazon’s complaints.

  • TikTok Adds Family Pairing to Help Protect Children

    TikTok has launched Family Pairing, a new feature designed to give parents more control over their children’s accounts.

    TikTok has quickly risen to become one of the most widely downloaded apps on either the Apple App Store or Google Play Store. The company’s meteoric rise has not been without controversy. The company has been accused of uploading data to Chinese servers without user consent, and has been banned by numerous government agencies over security concerns.

    The company has promised to increase transparency and security measures in an effort to alleviate concerns. In its latest move, TikTok is working to help protect children and young people, by allowing parents to link their accounts to their children’s and have control over their settings.

    “Today, we are advancing our commitment to building for the safety of our users by introducing Family Pairing, which allows parents and teens to customize their safety settings based on individual needs,” reads the statement. “Family Pairing enhances our suite of safety tools and complements our work to provide greater access to product features as users reach key milestones for digital literacy. It is part of our continued work toward providing parents better ability to guide their teen’s online experience while allowing time to educate about online safety and digital citizenship.”

    Given its popularity, it’s good to see TikTok working to improve security and safety for children.

  • Zoom to Allow Paid Customers to Route Their Data

    Beginning April 18, Zoom will allow paid subscribers to choose which region their data is routed through.

    Zoom has experienced unprecedented growth, quickly becoming the option of choice for videoconferencing as millions of people work from home. Despite its popularity, and in part because of it, the company has faced withering criticism for lapses in its security and privacy measures, prompting it to put a 90-day moratorium on new features in an effort to focus on privacy and security improvements. One such criticism is that some calls, as well as the encryption keys used to protect them, were routed through China—despite originating in North America.

    True to its promise to focus on beefing up security, Zoom has announced that paying customers will be able to choose where their calls and data are routed. The company began sending out emails to paid subscribers, notifying them of the change, on Monday.

    In a blog post, Zoom CTO Brendan Ittelson explained further:

    Beginning April 18, every paid Zoom customer can opt in or out of a specific data center region. This will determine the meeting servers and Zoom connectors that can be used to connect to Zoom meetings or webinars you are hosting and ensure the best-quality service.

    1. Starting April 18, with respect to data in transit, Zoom admins and account owners of paid accounts can, at the account, group, or user level:
    • Opt out of specific data center regions
    • Opt in to specific data center regions

    You will not be able to change or opt out of your default region, which will be locked. The default region is the region where a customer’s account is provisioned. For the majority of our customers, this is the United States.

    This feature gives our customers more control over their data and their interaction with our global network when using Zoom’s industry-leading video communication services.

    This is good news for paid subscribers, and further demonstrates the lengths to which Zoom is going to regain the trust they lost.

  • Apple and Google Working Together on Contact Tracing Tech

    Apple has announced it is working with Google on contact tracing technology in an effort to stop the spread of the pandemic.

    Contact tracing involves tracing the contacts of an infected person, checking for further infections and tracing the ongoing and spreading network of contacts. In a press release, Apple described the initiative as “a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.”

    The two companies will launch an API and “operating system-level technology” that will play a role in the contact tracing. Both companies are committed to trying to protect user privacy. To aid in that goal, the project will be rolled out in two phases.

    “First, in May, both companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities,” the release continues. “These official apps will be available for users to download via their respective app stores.

    “Second, in the coming months, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms. This is a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities. Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders. We will openly publish information about our work for others to analyze.”

    According to information on Google’s blog, the apps will not collect personally identifiable information, and the list of people a user has been in contact with will not leave their phone. The apps will also not track location. Instead, each phone, using anonymous Bluetooth keys, will keep track of the phones it has been in close proximity with. If someone tests positive, and updates the app accordingly, anyone who has been in close proximity will be notified that they have been exposed and need to take the necessary measures.

    There are still many details left to be fleshed out, but hopefully the two companies will live up to their promise of protecting user privacy. While Google does not have the best track record in this regard, Apple is one of the foremost privacy proponents. Hopefully Apple’s involvement will help ensure user privacy is truly respected.

    Image Credit: Apple

  • Coming or Going? In the Encryption Debate, U.S. Government Doesn’t Know

    Senator Blumenthal has issued a call for the FTC to investigate Zoom’s security, illustrating a schism within the government over the issue of encryption.

    Few issues have polarized politicians, scientists, researchers and citizens as much as end-to-end encryption. Many officials, including multiple FBI directors, have warned that strong encryption makes it nearly impossible to properly investigate cases and contributes to criminals “going dark.” Others, such as Senators Ron Wyden and Rand Paul, have been staunch proponents of strong encryption. Similarly, mathematicians and security experts have repeatedly made the case that strong encryption cannot have backdoors or built-in weaknesses and still offer the necessary protection.

    Currently, the biggest threat to encryption in the U.S. is the upcoming EARN IT Act. The bill is designed to combat online sexual exploitation of children. While absolutely a worthwhile goal that should be a priority for companies, governments and individuals alike, the bill is a Pandora’s box of uncertainty when it comes to encryption. The bill addresses protection under Section 230 of the Communications Decency Act, wherein companies are not held liable for things people say or do on their communications platforms.

    Under the proposed EARN IT Act, in order to maintain their protected status under Section 230, companies would need to comply with vague “best practices” established by a committee. This committee, and the U.S. Attorney General, would have wide discretion to determine what those “best practices” are. So what happens if the Attorney General is William Barr, an individual who has voiced staunch opposition to end-to-end encryption? Might “best practices” include the requirement that companies build in backdoors? Very likely.

    Backers of the bill have said the bill is not an attack on encryption and that necessary safeguards are in place. However, nearly every expert who has reviewed the bill has arrived at a completely different conclusion, and believes the bill will absolutely lead to an all-out attack on encryption.

    Should that happen, many companies will have to choose between weakening their encryption, and thereby endangering their users, or moving their businesses outside the U.S. One example is the encrypted messaging app Signal, used by the U.S. military, as well as senators and their staff. Signal developer Joshua Lund made it clear (an excellent read) the app will likely no longer be available in the U.S. if EARN IT passes.

    What makes this story all the more interesting is a recent tweet by Senator Richard Blumenthal, one of the sponsors of the EARN IT Act:

    I am calling on FTC to investigate @zoomus. Zoom’s pattern of security failures & privacy infringements should have drawn the FTC’s attention & scrutiny long ago. Advertising privacy features that do not exist is clearly a deceptive act.

    The facts & practices unearthed by researchers in recent weeks are alarming—we should be concerned about what remains hidden. As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy & security.

    Richard Blumenthal (@SenBlumenthal) April 7, 2020

    One of the biggest privacy and security issues with Zoom is the fact that it advertised end-to-end encryption, but failed to deliver. Based on Senator Blumenthal’s tweet, the message is clear: end-to-end encryption is a wonderful thing for government officials, so long as said government officials can still spy on the average citizen.

    In other words, the U.S. government is stuck in a strange dichotomy where it wants to punish companies for not supporting end-to-end encryption, while at the same time undermining and legislating backdoors in that very encryption.

  • DHS: Zoom Responding to Security Concerns

    The Department of Homeland Security (DHS) has issued a memo in support of Zoom and the company’s efforts to improve its security.

    According to Reuters, who gained access to the memo, DHS was addressing the recent issues Zoom has been facing regarding its security and privacy. The memo was “drafted by DHS’s Cybersecurity and Infrastructure Security Agency and the Federal Risk and Authorization Management Program, which screens software used by government bodies,” and circulated among the government’s top cybersecurity officials.

    Rather than calling for a moratorium on Zoom’s use, as some companies and governments have done, the DHS memo sought to put officials’ minds at ease by emphasizing that Zoom understood the seriousness of the concerns and was working hard to address them. The support is good news for Zoom and an indication its recent efforts to beef up privacy and security are beginning to yield much-needed fruit.

  • WhatsApp Limiting Message Forwarding to Combat Misinformation

    As tech companies continue to battle misinformation during the global crisis, WhatsApp has begun limiting message forwarding.

    In a blog post on the site, the company has announced it is limiting how far frequently forwarded messages—indicated by double arrows—can be spread, “introducing a limit so that these messages can only be forwarded to one chat at a time.”

    It is clear the company is endeavoring to balance the usefulness of forwarding messages with efforts to cut down on wide-scale forwarding from unreliable or unconfirmed sources.

    “As a private messaging service, we’ve taken several steps over the years to help keep conversations intimate,” reads the post. “For example, we previously set limits on forwarded messages to constrain virality. At the time, we saw a 25% decrease in total message forwards globally.

    “Is all forwarding bad? Certainly not. We know many users forward helpful information, as well as funny videos, memes, and reflections or prayers they find meaningful. In recent weeks, people have also used WhatsApp to organize public moments of support for frontline health workers. However, we’ve seen a significant increase in the amount of forwarding which users have told us can feel overwhelming and can contribute to the spread of misinformation. We believe it’s important to slow the spread of these messages down to keep WhatsApp a place for personal conversation.”

    This is a sensible step WhatsApp is taking, as it continues to walk a tightrope between protecting private conversation and limiting the spread of misinformation.

  • Zoom Pivots to Security Amid Ongoing Criticism

    Zoom is taking drastic measures to improve its security and privacy amid criticism and scrutiny as it serves hundreds of millions of users.

    As the pandemic sweeps the globe, individuals, corporations and organizations of all types are making drastic changes to their daily workflows and routines. Zoom has become an integral part of those routines, and hundreds of millions of users have begun to rely on the platform for school, work and socializing.

    Unfortunately for the company, the increased usage has also brought increased scrutiny, especially in the realm of privacy and security. The company has been called to task for not using end-to-end encryption, as its marketing claims; for leaking email addresses; for sending data to Facebook without informing users, before finally removing the offending SDK; and for a rash of Zoom-bombing incidents where outside individuals gain access to a Zoom meeting and make a nuisance of themselves.

    In view of these challenges, Zoom is taking drastic action to beef up its security and privacy. In a blog post on the company’s site, founder and CEO Eric Yuan said the company is enacting a freeze for 90 days in order to shift all “engineering resources to focus on our biggest trust, safety, and privacy issues.”

    The company also plans to conduct a comprehensive review with third-party experts and release a transparency report. It will also enhance its bug bounty program, and engage in a number of white box penetration tests. Zoom has also improved its privacy policy, apologized for not handling its encryption issues clearly and tried to help individuals address Zoom-bombing.

    In short, the company is pulling out all the stops in an effort to improve its privacy and security, no small task given how quickly the platform has grown.

    “To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million,” writes Yuan. “In March this year, we reached more than 200 million daily meeting participants, both free and paid.”

    As we said in a previous article, “the increased scrutiny of Zoom is a good reminder to companies that privacy and security should never be an afterthought. Instead, they should be a core feature, built in to an app or service from day one.”

    That statement remains true—security and privacy should never be an afterthought. At the same time, it’s time to give credit where credit is due: Zoom is stepping up to the plate and doing everything possible to provide its users with the privacy and security they expect and deserve.

  • Amazon Detective is The Investigator You Need For AWS

    Amazon has announced the release of Amazon Detective, a tool to automate the process of investigating cloud security issues.

    Dealing with cloud security issues can tax even the largest companies. As organizations move to the cloud, it can open a whole new world of threats, requiring a completely different approach to security. Unfortunately, while cloud services often provide ample data to investigate any issues that arise, the sheer amount of data can be overwhelming.

    That’s where Amazon Detective comes into play. “Amazon Detective is a fully managed service that empowers users to automate the heavy lifting involved in processing large quantities of AWS log data to determine the cause and impact of a security issue,” writes Sébastien Stormacq. “Once enabled, Detective automatically begins distilling and organizing data from AWS Guard Duty, AWS CloudTrail, and Amazon Virtual Private Cloud Flow Logs into a graph model that summarizes the resource behaviors and interactions observed across your entire AWS environment.”

    Amazon Detective was originally previewed at re:invent 2019, but is now available to all AWS customers as of March 31.

  • SpaceX Employees Won’t Be Zooming Anywhere

    SpaceX has banned its employees from using Zoom for communication, in the latest challenge the popular videoconferencing app is facing.

    In a memo seen by Reuters, SpaceX cites “significant privacy and security concerns” as the reason behind the ban. The memo goes on to say: “We understand that many of us were using this tool for conferences and meeting support. Please use email, text or phone as alternate means of communication.”

    Zoom has been facing increasing scrutiny for its security and privacy, just as the app has become one of the most popular options for individuals sheltering in place and working from home. In short order, the app has been accused of not using end-to-end encryption, despite its marketing claims, as well as exposing users’ email addresses and phone numbers. Researchers have also discovered a serious security flaw in the Windows version of the app. New York Attorney General Letitia James is even looking into the company’s privacy practices.

    The increased scrutiny of Zoom is a good reminder to companies that privacy and security should never be an afterthought. Instead, they should be a core feature, built in to an app or service from day one.

  • FCC Sets Deadline For Carriers to Fight Robocallers

    The FCC has set a deadline for phone carriers to support the STIR/SHAKEN protocol, in an effort to fight robocalls.

    The STIR/SHAKEN protocol helps combat number spoofing, a favorite tactic of robocallers, whereby they make their number appear as though it is in the same exchange or area code as the recipient. When a call is placed, the carrier uses the protocol to confirm the authenticity of the call. If the call is placed to a number on another network, the carrier passes that verification on to the next carrier, who performs their own verification. Ultimately, when the receiving phone receives the call, if the number is verified, it will display that in the caller ID.

    The FCC had previously asked carriers to implement the protocol, but Chairman Ajit Pai was not happy with the level of adoption. As a result, the FCC has adopted new rules requiring carriers to implement the protocol no later than June 30, 2021.

    “The FCC estimates that the benefits of eliminating the wasted time and nuisance caused by illegal scam robocalls will exceed $3 billion annually, and STIR/SHAKEN is an important part of realizing those cost savings,” reads the press release. “Additionally, when paired with call analytics, STIR/SHAKEN will help protect American consumers from fraudulent robocall schemes that cost Americans approximately $10 billion annually. Improved caller ID authentication will also benefit public safety by reducing spoofed robocalls that disrupt healthcare and emergency communications systems. Further, implementation of STIR/SHAKEN will restore consumer trust in caller ID information and encourage consumers to answer the phone, to the benefit of consumers, businesses, healthcare providers, and non-profit organizations.”

    This is good news for everyone sick of being on the receiving end of robocalls and scam attempts.

  • FBI Warns of ‘Zoom-Bombing’ As Videoconferencing Soars

    The FBI is warning of ‘Zoom-bombing,’ where videoconferencing meetings are being hijacked by unwelcome participants.

    Zoom has quickly become one of the most popular videoconferencing platforms as millions of individuals self-isolate and work from home. The software is being used by companies, schools and individuals looking to continue some semblance of normalcy.

    Unfortunately, bad actors have been taking advantage of the platform and hijacking meetings. These disruptions have ranged from shouting profanities at the participants, to screen sharing pornography to the group. As a result, the FBI is recommending that Zoom users enable a number of settings to limit the risk, including:

    • Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
    • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
    • Manage screensharing options. In Zoom, change screensharing to “Host Only.”
    • Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
    • Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

    These are excellent suggestions that everyone using Zoom should put into practice immediately.

  • Huawei Warns of Fallout If U.S. Cuts Off Chip Supplies

    Huawei is warning that Pandora’s box would be opened if the U.S. proceeds with its plans to cut the company off from its chip supplies.

    U.S. officials decided last week to move forward with alterations to the Foreign Direct Product Rule in an effort to keep Huawei from purchasing chips from companies such as Taiwanese firm TSMC. Under the rule, some foreign goods that are based, at least in part, on U.S. technology can be subjected to U.S. regulations and export rules. Officials hope to use the rule to enforce a stranglehold on Huawei.

    Huawei, however, is warning that such a move would have disastrous and far-reaching consequences. According to Bloomberg, Chairman Eric Xu told reporters:

    “If the Pandora’s box were to be opened, we’ll probably see catastrophic damage to the global supply chain — and it won’t just be one company, Huawei, destroyed. I don’t think the Chinese government will just watch and let Huawei be slaughtered on a chopping board. I believe the Chinese government will also take some countermeasures.”

    Given the number of companies that rely on China as a source of manufacturing, as well as their largest growing market, such a retaliation could have devastating consequences for many American firms.

  • Zoom Removes Facebook SDK From iOS Client

    The latest Zoom update removes the Facebook SDK responsible for the app sharing data with Facebook, even if a user did not have a Facebook account.

    The data sharing was originally discovered by Motherboard, and involved the Zoom app sharing a disturbing amount of data with Facebook, regardless of whether a user had a Facebook account or not. This didn’t sit well with many users, especially as the app has achieved near-default status as the videoconferencing tool of choice as millions of individuals work from home.

    Zoom has since released an update removing the offending SDK, as well as offering an explanation of what happened:

    “We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK for iOS (Software Development Kit) in order to provide our users with another convenient way to access our platform. However, we were made aware on Wednesday, March 25, 2020, that the Facebook SDK was collecting device information unnecessary for us to provide our services. The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc., but rather included information about devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.

    “Our customers’ privacy is incredibly important to us, and therefore we decided to remove the Facebook SDK in our iOS client and have reconfigured the feature so that users will still be able to log in with Facebook via their browser. Users will need to update to the latest version of our application that’s already available at 2:30 p.m. Pacific time on Friday, March 27, 2020, in order for these changes to take hold, and we strongly encourage them to do so.”

    This change is good news for everyone concerned with privacy. Given Facebook’s abysmal track record, there’s simply no reason to be sending the company data unless absolutely necessary—which in this case it was not.

  • Microsoft Parts Ways With AnyVision Following Investigation

    Microsoft is selling its shares in facial recognition firm AnyVision, following allegations the company’s software was being used for West Bank mass surveillance.

    Microsoft previously invested $74 million in AnyVision, a facial recognition company that provides software for the Israeli military to use at border crossings. However, there were reports the software was secretly being used in a wide scale effort to monitor and surveil Palestinians throughout the West Bank. Given that compliance with Microsoft’s facial recognition principles was part of the investment, Microsoft exercised its right to audit AnyVision and hired Attorney General Eric Holder to perform it.

    In a joint statement by AnyVision and Microsoft, the results of the audit by Holder and his law firm, Covington & Burling, were revealed. The audit determined that “the available evidence demonstrated that AnyVision’s technology has not previously and does not currently power a mass surveillance program in the West Bank that has been alleged in media reports. As such, Covington could not substantiate a breach of the Microsoft Global Finance Portfolio Company Pledge on Facial Recognition.”

    In spite of the findings, Microsoft and AnyVision have decided to part ways, with Microsoft selling its shares in the company. According to the statement, “for Microsoft, the audit process reinforced the challenges of being a minority investor in a company that sells sensitive technology, since such investments do not generally allow for the level of oversight or control that Microsoft exercises over the use of its own technology. By making a global change to its investment policies to end minority investments in companies that sell facial recognition technology, Microsoft’s focus has shifted to commercial relationships that afford Microsoft greater oversight and control over the use of sensitive technologies.”

  • Adobe Urging Users to Upgrade to Address Critical Vulnerability

    Adobe is urging Creative Cloud Desktop Application customers running Windows to upgrade immediately to prevent hackers from deleting their files.

    According to a blog post, “Adobe has released security updates for Creative Cloud Desktop Application (APSB20-11) for Windows. This update addresses a critical vulnerability. Successful exploitation could lead to arbitrary File Deletion in the context of the current user. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.”

    The vulnerability was discovered by “Jiadong Lu of South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security.” According to Adobe’s bulletin, the vulnerability is a Time Of Check To Time Of Use (TOCTTOU) race condition.

    According to CWE, with a TOCTTOU vulnerability, “the software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

    “This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs.”
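    The check-then-use pattern CWE describes, and the fix that closes it, as an added example (not from Adobe or CWE). A cleanup routine verifies a directory is not a symlink and then deletes a file inside it by path name; a `between` hook stands in for the race window and, in the demo, swaps the checked directory for a symlink to another directory. The vulnerable version re-resolves the path at the use step and deletes the other directory's file; the hardened version binds both check and use to one open directory descriptor. The sandbox layout, file names and the swap step are all constructed for the demo; the descriptor-relative calls (`O_DIRECTORY`, `O_NOFOLLOW`, `dir_fd`) are POSIX-only and are assumed available, so this runs on Linux rather than the Windows build the bulletin concerns.

```python
import os
import shutil
import stat
import tempfile


def swap_dir_for_symlink(dir_path, target_dir):
    """Constructed state change for the demo: inside the race window the
    checked directory is moved aside and replaced by a symlink to another
    directory. This models a resource whose state changes between the
    check and the use, in a throwaway sandbox."""
    os.rename(dir_path, dir_path + ".moved")
    os.symlink(target_dir, dir_path)


def cleanup_vulnerable(dir_path, name, between=lambda: None):
    """CWE-367 pattern: check on the path name, then act on the path name.
    The second resolution of dir_path is independent of the first."""
    if stat.S_ISLNK(os.lstat(dir_path).st_mode):      # check
        raise PermissionError("refusing to clean a symlinked directory")
    between()                                          # race window
    os.remove(os.path.join(dir_path, name))            # use: re-resolves the path


def cleanup_hardened(dir_path, name, between=lambda: None):
    """Check and use are bound to one open directory descriptor. The path is
    resolved exactly once; later changes to the name do not move the fd.
    POSIX-only: O_DIRECTORY, O_NOFOLLOW and dir_fd do not exist on Windows."""
    dfd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISDIR(os.fstat(dfd).st_mode):    # check, on the fd
            raise PermissionError("not a directory")
        between()                                      # same window, now harmless
        os.unlink(name, dir_fd=dfd)                    # use, relative to the fd
    finally:
        os.close(dfd)


def run_demo(hardened):
    """Build sandbox/ and victim/ (constructed), each holding data.txt, run a
    cleanup of sandbox/data.txt with the swap injected into the race window,
    and report (sandbox file still present, victim file still present)."""
    root = tempfile.mkdtemp()
    try:
        sandbox = os.path.join(root, "sandbox")
        victim = os.path.join(root, "victim")
        for d in (sandbox, victim):
            os.mkdir(d)
            with open(os.path.join(d, "data.txt"), "w") as f:
                f.write("constructed sample content\n")
        cleanup = cleanup_hardened if hardened else cleanup_vulnerable
        cleanup(sandbox, "data.txt",
                between=lambda: swap_dir_for_symlink(sandbox, victim))
        return (os.path.exists(os.path.join(sandbox + ".moved", "data.txt")),
                os.path.exists(os.path.join(victim, "data.txt")))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("vulnerable:", run_demo(hardened=False))  # (True, False): victim's file deleted
    print("hardened:  ", run_demo(hardened=True))   # (False, True): only the sandbox file deleted
```

The point of the hardened version is not a narrower window but no window: the only thing the attacker can change is the name, and after `os.open` the name is never consulted again. The same idea applies to any check-then-use on a path (`access` then `open`, `stat` then `chmod`): do the check on the descriptor you will act on, or do not do it at all.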

    This is a major vulnerability and all impacted users should update immediately to ensure the security of their files.

  • U.S. Taking Measures to Limit Huawei’s Chip Supplies

    U.S. officials are moving forward with plans to cut off Huawei’s chip supplies in an effort to blunt the company’s 5G dominance.

    The U.S. has banned Huawei and is pressuring allies to do the same. Officials claim the company serves as an arm of the Chinese government’s spying operations and opens countries that use the company’s equipment to spying by Beijing. Huawei has vehemently denied the claims, but that hasn’t stopped U.S. officials from taking almost every opportunity to target the company.

    Several weeks ago, officials began considering altering the Foreign Direct Product Rule to make it difficult for the Chinese firm to access the chips it needs. Now, according to Reuters, the U.S. is moving forward with those plans.

    “The decision came when U.S. officials from various agencies met and agreed on Wednesday to alter the Foreign Direct Product Rule, which subjects some foreign-made goods based on U.S. technology or software to U.S. regulations,” Reuters’ sources said.

    Only time will tell how much of an impact the change will have, but U.S. officials will likely consider any impact a win.

  • U.S. Space Force Launches Military Satellite

    The newest branch of the U.S. military carried out its first national security launch, sending a military communications satellite into orbit.

    According to CBS News, the $1.2 billion satellite is “the sixth and final relay station in a jam-resistant, blast-hardened constellation valued at more than $11 billion.” The goal of the Advanced Extremely High Frequency (AEHF) satellite network is to provide encrypted communications around the globe, while being jam-proof. The network will be used by the U.S., UK, Canada and the Netherlands for strategic command and control communications, as well as conducting tactical missions. The AEHF satellites can also handle 10 times as much data as the relay stations they replace.

    “This is the nation’s only strategic and tactical protected comm satellite network,” said Mike Cacheiro, Lockheed Martin AEHF program manager. “It’s also the only system that survives through a near nuclear burst and can provide communications through environments that other comm systems could not.

    “So on a really bad day, you really want to have this system in place,” he continued.

  • President Trump Signs Laws to Improve Broadband Availability and 5G Security

    President Trump signed two bills into law Monday, aimed at improving both 5G security and broadband availability.

    According to a statement by the White House, the Secure 5G and Beyond Act of 2020 calls on the “President to develop a strategy to: (1) ensure the security of next generation mobile telecommunications systems and infrastructure in the United States; and (2) assist allies and strategic partners in maximizing the security of next generation mobile telecommunications systems and infrastructure.”

    This has been an ongoing concern for U.S. officials, as Huawei is one of the top three network equipment providers and is widely believed to be the leader in scale and technology. The U.S. has banned the firm from participating in its own networks, and engaged in a campaign to pressure allies to do the same over concerns the company is a conduit for Beijing to spy on governments and countries throughout the world. Throughout the process, the U.S. has framed the debate about network security as a national security issue. As a result, it’s not surprising Trump signed the bill into law.

    The second bill, the “Broadband Deployment Accuracy and Technological Availability Act or the Broadband DATA Act” is aimed at improving the accuracy of information about availability of broadband services. To do that, it “requires the Federal Communications Commission to issue rules relating to the collection of data with respect to the availability of broadband services.”

    The signing of the bills was met with bipartisan praise. The House Committee on Energy and Commerce issued the following statement:

    “The bills signed into law today by the President are critical to ensuring that all Americans can access broadband and that our networks are secure and trusted.”

  • Apple Safari Now Blocking All Third-Party Cookies

    Apple’s Safari web browser joins the Tor browser as one of only two that fully block all third-party cookies.

    The move has been a long time coming, and Safari has been gradually adding more features that limit the overall effectiveness of third-party cookies for tracking. As a result, in a WebKit blog post, the developers downplay the change as not a big deal, although they do highlight some of the significant benefits the move brings.

    One of the biggest advantages is disabling login fingerprinting. Login fingerprinting is a technique that “allows a website to invisibly detect where you are logged in and is viable in any browser without full third-party cookie blocking.”

    Similarly, the move “disables cross-site request forgery attacks against websites through third-party requests,” and “removes the ability to use an auxiliary third-party domain to identify users. Such a setup could otherwise persist IDs even when users delete website data for the first party.”
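    Why full third-party cookie blocking removes both the login-detection signal and cookie-carried CSRF, as an added example that is not from the WebKit post or Apple. It models a browser cookie jar that either attaches a site's cookies to every request or withholds them when the request's site differs from the top-level site, and a stand-in for a first-party server that reveals login state and performs a state-changing action based only on the session cookie. The hosts `bank.example` and `evil.example`, the session id, the endpoints and the two-label site rule (a real browser uses the public suffix list) are constructed assumptions for the demo.

```python
from urllib.parse import urlsplit


def site_of(url):
    """Registrable site of a URL, simplified to the last two host labels.
    A real browser consults the public suffix list; this shortcut is an
    assumption made for the demo and is fine for bank.example / evil.example."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


class CookieJar:
    """Browser-side cookie store with an optional full third-party block."""

    def __init__(self, block_third_party):
        self.block_third_party = block_third_party
        self._store = {}  # site -> {cookie name: value}

    def set_cookie(self, response_url, name, value):
        self._store.setdefault(site_of(response_url), {})[name] = value

    def cookies_for(self, request_url, top_level_url):
        """Cookies attached to a request issued while the user is viewing
        top_level_url. A request whose site differs from the top-level site is
        third-party; with blocking on, it carries no cookies at all."""
        site = site_of(request_url)
        if self.block_third_party and site != site_of(top_level_url):
            return {}
        return dict(self._store.get(site, {}))


# Constructed stand-in for the first-party site's server (https://bank.example).
SESSIONS = {"sess-123": "alice"}


def server_handle(path, cookies):
    """/whoami exposes login state (the signal login fingerprinting relies on);
    /transfer is a state-changing action gated only by the session cookie,
    which is exactly the condition under which a forged cross-site request works."""
    user = SESSIONS.get(cookies.get("session"))
    if path == "/whoami":
        return {"logged_in": user is not None}
    if path == "/transfer":
        return {"status": 200, "by": user} if user else {"status": 401}
    return {"status": 404}


def simulate(block_third_party):
    """The user logs into bank.example, then browses evil.example, whose page
    issues requests to the bank. Returns what the bank sees for the cross-site
    login probe, the cross-site transfer, and a normal first-party transfer."""
    jar = CookieJar(block_third_party)
    jar.set_cookie("https://bank.example/login", "session", "sess-123")

    on_evil = "https://evil.example/page"
    on_bank = "https://bank.example/account"
    probe = server_handle("/whoami",
                          jar.cookies_for("https://bank.example/whoami", on_evil))
    forged = server_handle("/transfer",
                           jar.cookies_for("https://bank.example/transfer", on_evil))
    legit = server_handle("/transfer",
                          jar.cookies_for("https://bank.example/transfer", on_bank))
    return {
        "login_detected": probe["logged_in"],
        "cross_site_transfer": forged["status"],
        "first_party_transfer": legit["status"],
    }


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(block_third_party=False))
    print("third-party cookies blocked:", simulate(block_third_party=True))
```

With blocking off the bank cannot tell the forged request from the user's own, and the probe leaks that the user is logged in; with blocking on both cross-site requests arrive without a session while the first-party transfer still works. Sites that cannot rely on the browser's policy get the same effect on their own cookies with the `SameSite` attribute, and a state-changing endpoint should still carry its own anti-CSRF token rather than trust the session cookie alone.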

    There are a number of additional benefits, including paving the way for other browsers to adopt a similar approach, and simplifying things for developers. Overall, this is a good move for customers, helping protect their privacy. It will hopefully motivate site admins to adopt other ways of monetizing their content, such as the Firefox Better Web initiative.