WebProNews

Category: CybersecurityUpdate

  • 100,000 WordPress Sites Vulnerable To Being Wiped

    A security issue in a popular WordPress plugin has left some 100,000 websites vulnerable to being completely wiped.

    Security firm WebARX discovered a flaw in the ThemeGrill Demo Importer plugin. The plugin imports other plugins developed by ThemeGrill. When WebARX first discovered the flaw, some 200,000 websites had the plugin installed, although that number has now dropped to 100,000. This is likely due to companies uninstalling the plugin to mitigate the risk.

    To make matters worse, this vulnerability is being actively exploited. WebARX has already stopped over 16,000 attacks attempting to exploit the plugin.

    “This is a serious vulnerability and can cause a significant amount of damage,” writes WebARX. “Since it requires no suspicious-looking payload just like our previous finding in InfiniteWP, it is not expected for any firewall to block this by default and a special rule needs to be created to block this vulnerability.”

    ThemeGrill has updated the plugin to fix the vulnerability. All impacted sites should install the new version immediately.

  • Symphony Technology Group Buys RSA From Dell Technologies

    Dell Technologies has agreed to sell RSA to Symphony Technology Group, in an effort to streamline its business portfolio and strategy.

    The Symphony Technology Group consortium, which includes the Ontario Teachers’ Pension Plan Board (Ontario Teachers’) and AlpInvest Partners (AlpInvest), agreed to an all-cash deal of $2.075 billion. The deal includes RSA Archer, RSA NetWitness Platform, RSA SecurID, RSA Fraud and Risk Intelligence and RSA Conference, and should be completed in the next six to nine months.

    RSA currently has 12,500 customers and provides “risk, security and fraud teams with the ability to holistically manage digital risk, including threat detection and response, identity and access management, integrated risk management and omnichannel fraud prevention.”

    Dell is looking at the deal as a way of focusing its business and better aligning its portfolio with its long-term strategy.

    “This is the right long-term strategy for Dell, RSA and our collective customers and partners,” said Jeff Clarke, Chief Operating Officer and Vice Chairman, Dell Technologies. “The transaction will further simplify our business and product portfolio. It also allows Dell Technologies to focus on our strategy to build automated and intelligent security into infrastructure, platforms and devices to keep data safe, protected and resilient.”

  • Ring Making Major Changes To Improve Privacy

    After ongoing issues, Ring has informed users it is implementing a number of changes to improve privacy and security.

    Ring’s blog post comes as the company is trying to do damage control over a number of mishandled privacy issues. First there were multiple reports of the company’s cameras being hacked, followed by VICE investigating the service’s security and finding it wanting, to say the least. The worst revelation came when the Electronic Frontier Foundation (EFF) found that Ring was sharing personally identifiable data with a number of companies without properly disclosing it to consumers. Ring’s response did nothing to help the situation: it admitted it was sharing data with more companies than it had said, but insisted customers should trust it to do so responsibly.

    In the company’s blog post, Ring tries to address multiple concerns, beginning with two-factor authentication.

    “While we already offered two-factor authentication to customers, starting today we’re making a second layer of verification mandatory for all users when they log into their Ring accounts,” reads the blog post. “This added authentication helps prevent unauthorized users from gaining access to your Ring account, even if they have your username and password.”

    The company also addressed its data sharing policies.

    “Ring does not sell your personal information to anyone. We occasionally collaborate with third-party service providers that specialize in delivering different benefits, such as identifying and solving your problems faster when you contact Ring Community Support, providing you with personalized Ring offers and discounts, and communicating important alerts about your devices, like when your battery is low. Collaborating with these third-party service providers allows us to deliver the best possible Ring experience to you.”

    Ring says it is implementing a number of changes. First, it is temporarily pausing most third-party analytics data sharing. Second, the company is providing customers a way of opting out of third-party data sharing for personalized ads.

    Overall, this is a good first step for the company. If Ring had built its service with these steps already in place, they would not have spent the last couple of months losing customer trust and doing damage control.

  • Elon Musk Believes AI Development Should Be Regulated, Even Tesla’s

    Elon Musk, a long-time critic of AI, has come out in favor of government regulation of AI development, including at his own company.

    While many working on AI believe it is the key to solving countless world problems, there are just as many who are convinced the technology will create far more problems than it solves, perhaps even bringing about the downfall of humanity. Musk has tended to be in the latter camp, even being quoted as saying “I have exposure to the most cutting-edge AI and I think people should be really concerned about it. I keep sounding the alarm bell but until people see robots going down the street killing people, they don’t know how to react because it seems so ethereal.”

    That concern didn’t stop Musk from co-founding OpenAI, dedicated to the ongoing development of the technology, however. In fact, Musk’s concerns were one of the driving motivations, as he believed the technology needed responsible development, as opposed to being left in the hands of just a few companies—such as Google and Facebook—who have poor track records protecting user privacy.

    Now, in response to a piece by Karen Hao in the MIT Technology Review that covers “OpenAI’s bid to save the world,” Elon Musk has tweeted his support of AI regulation.

    All orgs developing advanced AI should be regulated, including Tesla

    — Elon Musk (@elonmusk) February 17, 2020

    When a user asked whether that regulation should be enacted by local governments or on a global scale, Musk replied “both.”

  • Google Accuses Samsung of Making Android Less Secure

    Samsung may be one of the most popular Android device makers, but that hasn’t stopped Google from taking it to task for making Android more vulnerable.

    Jann Horn, Google Project Zero researcher, outlined how Samsung’s efforts to customize the Android kernel—or core of the operating system (OS)—for specific devices was not only unnecessary, but introduced security vulnerabilities. Horn was researching the kernel of the Galaxy A50 specifically, and had not yet tested his findings on other Samsung device kernels.

    “On Android, it is normal for vendors to add device-specific code to the kernel,” writes Horn. “This code is a frequent source of security vulnerabilities. Android has been reducing the security impact of such code by locking down which processes have access to device drivers, which are often vendor-specific. Modern Android phones access hardware devices through dedicated helper processes, which form the Hardware Abstraction Layer (HAL).”

    In the case of the A50, Horn wrote an exploit for a memory corruption issue in Samsung’s kernel that was aided by yet another kernel vulnerability. That second kernel issue had long since been fixed in the Android common kernel, but Samsung had yet to address it in their customized version.

    The entire blog post is a long, extremely detailed breakdown of the technical issues at play. Google has been working hard to address security issues with Android, but those improvements are only as good as the vendors that implement them. Horn makes a compelling case that vendors who customize the Android kernel are putting their users at serious risk for questionable benefits.

    “In my opinion, some of the custom features that Samsung added are unnecessary, and can be removed without any loss of value,” adds Horn.

    “I believe that device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers, where they can be implemented in safer programming languages and/or sandboxed, and at the same time won’t complicate updates to newer kernel releases.”

    One thing is clear: Android vendors need to take security as seriously as Google does.

  • Microsoft Removes Windows Security Update, Warns Users

    Microsoft has had a rough go of its Windows updates, with the company pulling one of its latest ones and warning users about it.

    Windows 10 update KB4524244 was pulled by Microsoft after four days following reports it was causing crashes and freezes on every available version of Windows 10. On a support page, the company made the following statement:

    “To help a sub-set of affected devices, this standalone security update has been removed and will not be re-offered from Windows Update, Windows Server Update Services (WSUS) or Microsoft Update Catalog.”

    Although Microsoft has pulled KB4524244, Windows Latest is reporting that update KB4532693 may be just as bad, or worse.

    “For some folks, the update is reportedly deleting files, while others report that Microsoft has moved all their desktop data to a temporary folder,” writes Windows Latest.

    “Microsoft’s latest update has now run into more trouble, as users are reporting serious issues after applying Build 18363.657 or 18362.657. The update, which had previously been deleting files and failing to install for some users, is now causing boot failures.”

    Microsoft has had a troubled history with Windows 10 updates, and these latest missteps only reinforce that perception. What’s worse, these issues are impacting security updates, increasing the likelihood users will avoid critical updates altogether, leaving them vulnerable.

  • Android Malware Keeps Reinstalling Itself

    An Android malware application has been discovered reinstalling itself even after a factory reset.

    Malwarebytes is a cybersecurity firm that was contacted by an Android user who was having trouble removing a particularly nasty and persistent malware, xHelper. No matter what the user did, the malware kept reinstalling itself, even after a factory reset.

    Malwarebytes’ researchers initially thought it might be a preinstalled malware, since the device was not from a mainstream manufacturer. Lesser-known manufacturers have been known to have malware preinstalled on their devices. Even taking that into consideration, however, the malware continued reinstalling.

    Ultimately, the researchers realized the reinfections were being triggered by Google Play, even though the malware is not on Google Play. Even when an Android device is factory reset, some files and directories remain, unlike applications. In one of those directories, the researchers found an Android application package (APK) that seemed to be triggered by Google Play. Once triggered, it would install, run and then uninstall itself to minimize the chance of being detected. In the few seconds it was installed, however, it would reinfect the phone with the xHelper malware, which would then install even more malware.

    Malwarebytes’ entire report is well worth a read—especially the instructions on how to remove the malware. It remains to be seen, however, exactly how the malware is using Google Play as a trigger.

  • Ring Is a Case Study In Bad Privacy Policy

    Ring has been in the news for its ongoing struggles with privacy issues. Its latest response, not to mention its approach in general, could serve as a case study of what not to do.

    Ring was first in the news over a number of incidents where individuals were able to hack the cameras, spy on the owners and interact with them. Following that, VICE tested Ring’s security and found it was abysmal. The nail in the coffin was the Electronic Frontier Foundation’s (EFF) investigation that showed Ring was sharing a load of identifiable information with third parties. The worst part is that users were not notified of what data was being collected and shared, let alone given a way to control or opt out of the collection.

    Now CBS News is reporting that “although it confirmed that it shares more data with third parties than it previously told users, the company said in a statement that it contractually limits its partners to use the data only for ‘appropriate purposes,’ including helping Ring improve its app and user experience.”

    Essentially, the company is saying “yes, we got caught doing something we shouldn’t have been doing, but you should totally trust us that we’re doing it responsibly.”

    Ring’s troubles and their response should be a lesson to every company that deals with customers’ private data: A strong commitment to privacy should NEVER be an afterthought, add-on or damage control. In an era when hackers are eager to take advantage of weak data policies, when companies look to profit from their customers’ data and when an interconnected world means that a single breach can have far-reaching consequences—privacy must be built-in from the ground up.

    The fact that it should especially be built-in from the ground up in a service that is designed specifically to protect user privacy and security should go without saying. However, since Ring obviously needed someone to say it, the company should stand as an example of what not to do when it comes to protecting customer privacy.

  • Senator Kirsten Gillibrand: ‘The U.S. Needs a Data Protection Agency’

    Senator Kirsten Gillibrand is introducing new legislation to create a Data Protection Agency.

    Senator Gillibrand makes the case that people have untold amounts of data about them scattered across the internet. Even worse, much of that data was collected without consent or, at the very least, without users knowingly agreeing to it being collected. In the digital age, that data represents a gold mine for countless companies who profit from it.

    “I believe that this needs to be fixed, and that you deserve to be in control of your own data,” writes Gillibrand. “You have the right to know if companies are using your information for profit. You need a way to protect yourself, and you deserve a place that will look out for you.”

    Specifically, the legislation Gillibrand is introducing, The Data Protection Act, would “establish an independent federal agency, the Data Protection Agency, that would serve as a ‘referee’ to define, arbitrate, and enforce rules to defend the protection of our personal data.”

    The agency would focus on returning control of their data to Americans, supporting innovation while ensuring fair competition, and advising Congress of digital threats as they emerge, making sure the government is educated and prepared to meet those threats.

    Gillibrand’s announcement comes amid a growing focus on privacy. Salesforce co-CEO Keith Block recently said the U.S. needed a national privacy law; the California Consumer Privacy Act (CCPA) became law January 1; and Clearview AI has gained infamy as the company “that can end privacy.”

    It remains to be seen if Gillibrand will have the necessary support to pass The Data Protection Act, but it definitely will be welcomed in many circles as a step in the right direction.

  • Senators Introduce Bill to Temporarily Ban Law Enforcement Facial Recognition

    Two senators have introduced a bill to temporarily ban facial recognition technology for government use.

    The proposed bill (PDF) comes in the wake of revelations that law enforcement agencies across the country have been using Clearview AI’s software. The company claims to have a database of billions of photos it has scraped from millions of websites, including the most popular social media platforms, such as Facebook, Twitter and YouTube. Those companies, along with Google, have sent cease-and-desist letters to the facial recognition firm, demanding it stop scraping their sites and delete any photos it has already acquired. The New Jersey Attorney General even got in on the action, ordering police in the state to stop using the software when he was made aware of it.

    Now Senators Jeff Merkley (Oregon) and Cory Booker (New Jersey) are calling for a “moratorium on the government use of facial recognition technology until a Commission recommends the appropriate guidelines and limitation for use of facial recognition technology.”

    The bill goes on to acknowledge the technology is being marketed to law enforcement agencies, but often disproportionately impacts “communities of color, activists, immigrants, and other groups that are often already unjustly targeted.”

    The bill also makes the point that the congressional Commission would need to create guidelines and limitations that would ensure there is not a constant state of surveillance of individuals that destroys a reasonable level of anonymity.

    Given the backlash and outcry against the Clearview AI revelations, it’s a safe bet the bill will pass.

  • 500 Chrome Extensions Caught Uploading Private Data

    Independent researcher Jamila Kaya, in cooperation with Cisco-owned Duo Security, helped uncover approximately 500 Chrome extensions that were uploading private data from millions of users.

    Kaya used Duo Security’s CRXcavator—an automated tool designed specifically to help assess Chrome extensions—to “uncover a large scale campaign of copycat Chrome extensions that infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store.” Initially, Kaya discovered 70 malicious extensions being used by 1.7 million users. Kaya and Duo Security notified Google, who went on to find an additional 430 similar extensions.

    “In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users,” wrote Kaya and Duo Security’s Jacob Rickerd. “This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”

    Google quickly removed all 500 extensions, and implemented new policies to make it harder for these types of extensions to reappear. As Duo Security recommends, individuals should periodically review the extensions they’re using and delete any they don’t recognize or no longer use.

  • Huawei Takes the Gloves Off, Highlights US History of Spying

    Following the U.S. disclosure of evidence supporting its claims that Huawei represents a security risk, the Chinese firm is hitting back by highlighting the United States’ own history of spying.

    All telecom manufacturers are required to create lawful interception interfaces that network operators can use to grant law enforcement access when needed. According to the U.S., however, Huawei covertly maintains access to those interfaces, giving it the ability to spy on networks using its equipment.

    In a statement to the media, the company refutes the claim, saying “Huawei has never and will never covertly access telecom networks, nor do we have the capability to do so.” The company touts the fact that it adheres to all industry standards regarding its network equipment, including how intercept interfaces are installed. The company insists it has no involvement with intercept backdoors beyond this.

    “Huawei is only an equipment supplier. In this role, accessing customer networks without their authorization and visibility would be impossible. We do not have the ability to bypass carriers, access control, and take data from their networks without being detected by all normal firewalls or security systems.”

    Not content to merely defend itself, Huawei takes a shot at the U.S., pointing out its own history of spying on telecom networks both domestically and internationally.

    “As evidenced by the Snowden leaks, the United States has been covertly accessing telecom networks worldwide, spying on other countries for quite some time.”

    This is merely the latest chapter in the ongoing saga between the U.S. and Huawei, as both battle for the support of governments and network operators around the world.

  • WhatsApp Now Has Two Billion Users

    Facebook-owned WhatsApp achieved a significant milestone, officially crossing the two billion user threshold.

    WhatsApp is the most popular messaging app on the planet and is a primary means of electronic communication in many countries. In addition to being cross-platform, the app supports audio and video calls, text and voice messages, file sharing and more. Significantly, the app supports end-to-end encryption, making it a vital element for many journalists and individuals who live under oppressive regimes.

    Not surprisingly, Facebook’s announcement regarding its user base focused heavily on the privacy aspects of the app. After acknowledging that the more people use the app, the more important it is to keep it secure, Facebook touted its commitment to continuing its strong stance on security and encryption.

    “That is why every private message sent using WhatsApp is secured with end-to-end encryption by default. Strong encryption acts like an unbreakable digital lock that keeps the information you send over WhatsApp secure, helping protect you from hackers and criminals. Messages are only kept on your phone, and no one in between can read your messages or listen to your calls, not even us. Your private conversations stay between you.

    “Strong encryption is a necessity in modern life. We will not compromise on security because that would make people less safe. For even more protection, we work with top security experts, employ industry leading technology to stop misuse as well as provide controls and ways to report issues — without sacrificing privacy.”

    As the war on privacy continues, it’s reassuring that one of the most widely used services remains more committed than ever to supporting strong encryption in an effort to protect its users.

  • Bad News For Uber: L.A. Wins Data-Sharing Appeal

    Uber and Los Angeles have been fighting over a rule ordering scooter rental companies to share ride data with the city—a rule that was just upheld on appeal, according to the Los Angeles Times.

    The Los Angeles Department of Transportation (LADOT) passed a rule requiring scooter and electric bike sharing services to provide real-time data on riders’ trips, including start and end points, as well as the full route traveled.

    Uber has argued that providing that degree of data would unnecessarily risk riders’ privacy, make it all too easy to personally identify individual riders, and “reveal personal information about riders, including where they live, work, socialize or worship,” according to the LA Times. After six months of arguing, the city suspended Uber’s operating license.

    Uber filed an appeal, which was heard “by David B. Shapiro, a lawyer who has handled appeals for multiple city departments, including the Los Angeles Fire Department and the Department of Cannabis Regulation.”

    Although Shapiro sided with the city in saying it was within its rights to terminate Uber’s operating permit, he said both sides had made weak arguments. Uber failed to provide examples of data being used improperly, while Shapiro did acknowledge Uber’s concerns. At the same time, LADOT failed to make a compelling case as to how it could use real-time data to solve the problems it says are the reason for the rule. Uber has already said it is willing to provide near-real-time, aggregated data that would protect privacy.

    Shapiro’s decision is a loss for privacy advocates and concerned citizens, but Uber has already promised to appeal.

  • U.S. Reveals Evidence on Huawei’s Spying Risk

    According to The Wall Street Journal (WSJ), U.S. officials are finally disclosing the basis of their claims that Huawei poses a significant security risk.

    U.S. officials have been claiming for some time that Huawei represents a fundamental security risk for network operators and their countries, opening them up to spying by Beijing. The U.S. has engaged in an aggressive campaign to pressure its allies to ban Huawei from their networks. In spite of this, the U.S. had never officially said what it based the accusations on—until now.

    According to the report, U.S. officials say that Huawei is exploiting a legitimate backdoor that is reserved for law enforcement. Network equipment manufacturers are supposed to build backdoors in their equipment that carriers can use to grant access to law enforcement when required. Manufacturers, however, are supposed to build the backdoors in such a way that they are not able to access them, leaving only the carrier and law enforcement with access.

    In Huawei’s case, however, U.S. officials claim the company has built the backdoors in its equipment in such a way that it maintains access, without the carriers being able to detect it.

    “We have evidence that Huawei has the capability secretly to access sensitive and personal information in systems it maintains and sells around the world,” said Robert O’Brien, national security adviser.

    The U.S. has known of this capability for at least a decade, but has kept the information strictly classified until late last year, when the information was shared with Germany and the U.K. With these new revelations, it remains to be seen if countries will start taking a stronger stance against the Chinese firm, as the U.S. has been campaigning for.

  • U.S. Indicts 4 China Military Personnel for Equifax Breach

    TheStreet.com is reporting the U.S. has handed down a nine-count indictment against four Chinese military personnel, claiming they hacked into Equifax.

    “This was a deliberate and sweeping intrusion into the private information of the American people,” Attorney General William Barr said in a statement.

    “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.”

    The indictment accuses the hackers of stealing Americans’ personal data, as well as trade secrets from Equifax. The hackers evidently used a Tor router to route their connection through nearly 20 countries and 34 different servers in an attempt to cover their tracks.

    While there’s virtually no chance the indictments will result in anyone being brought to justice—since they are active Chinese military personnel—it will likely be a source of embarrassment to Chinese officials, especially as the country is trying to end the trade war with the U.S.

  • Google Chrome Will Start Blocking Insecure Downloads

    Google announced in a blog post today that it is taking the next step toward protecting users from insecure downloads.

    Over the last couple of years, more and more websites have moved to HTTPS to secure their traffic. One remaining attack vector is downloadable files that are served insecurely from otherwise secure websites.

    “For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements,” the post reads.

    As a result, Google is planning to gradually start blocking “mixed content downloads,” or insecure downloads from secure pages.

    “As a first step, we are focusing on insecure downloads started on secure pages,” the post continues. “These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.

    “Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.”

    Starting with Chrome 82 (released April 2020), the desktop version will warn when it encounters executable mixed content downloads, escalating from warnings to outright blocking with each subsequent release. By Chrome 86 (released October 2020) all mixed content downloads will be blocked. Because mobile platforms inherently provide a greater degree of security, Google plans to wait until Chrome 83 to implement warnings on iOS and Android.
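    The following Node.js script, an added example that is not code from Google or from the original post, audits a page's links the way the rollout above describes: http:// downloads linked from an https:// page are flagged, executables first. The set of extensions treated as executables and the rule that extension-less URLs are navigations rather than downloads are assumptions of the example, not Chrome's actual policy.

```javascript
// Added example, not from the original post or from Google: audit the links on an
// https:// page for "mixed content downloads", i.e. http:// file downloads that
// Chrome 82+ begins warning on and later blocks. Runs in Node.js with no dependencies.

// Illustrative set of extensions treated as "executables" here. This is an assumption
// for the example, not Chrome's actual list of high-risk file types.
const EXECUTABLE_EXTENSIONS = new Set(['exe', 'msi', 'dmg', 'pkg', 'apk', 'bat', 'sh', 'jar']);

// Return the lower-cased extension of the last path segment, or '' if there is none
// (dotfiles such as ".htaccess" and trailing slashes yield '').
function fileExtension(pathname) {
  const last = pathname.split('/').pop() || '';
  const dot = last.lastIndexOf('.');
  return dot > 0 ? last.slice(dot + 1).toLowerCase() : '';
}

// Given the page URL and the raw href values found on it, return the links that
// resolve to http:// downloads, executables first (mirroring the staged rollout).
function findMixedContentDownloads(pageUrl, hrefs) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // only secure pages are in scope

  const findings = [];
  for (const href of hrefs) {
    let target;
    try {
      target = new URL(href, page); // resolves relative and protocol-relative hrefs
    } catch {
      continue; // malformed href, nothing to fetch
    }
    if (target.protocol !== 'http:') continue; // https:, mailto:, data: are not mixed content
    const ext = fileExtension(target.pathname);
    if (!ext) continue; // assumption: extension-less URLs are navigations, not downloads
    findings.push({
      href,
      resolved: target.href,
      ext,
      executable: EXECUTABLE_EXTENSIONS.has(ext),
    });
  }
  // Executables sort first: they are the file types Chrome blocks in the first phase.
  findings.sort((a, b) => Number(b.executable) - Number(a.executable));
  return findings;
}

// Constructed sample input: hrefs as they might appear in <a> tags on a download page.
const SAMPLE_PAGE = 'https://example.com/downloads/';
const SAMPLE_HREFS = [
  'http://cdn.example.com/installer.exe',   // insecure executable: highest risk
  'http://cdn.example.com/statement.pdf',   // insecure document: readable by eavesdroppers
  '//cdn.example.com/report.pdf',           // protocol-relative: inherits https, fine
  'https://cdn.example.com/tool.dmg',       // already secure
  '/docs/manual.html',                      // relative: inherits https, fine
  'mailto:security@example.com',            // not a download
  'http://cdn.example.com/about',           // no extension: treated as a navigation
];

for (const f of findMixedContentDownloads(SAMPLE_PAGE, SAMPLE_HREFS)) {
  console.log(`${f.executable ? 'BLOCK-FIRST' : 'WARN'} ${f.resolved}`);
}
```

    In a real audit the href list would come from the rendered DOM (for example `document.querySelectorAll('a[href]')`), since injected or relative links are what this check is meant to catch.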

    This is another good step by the world’s biggest browser maker to help keep users safe and secure.

  • EU Ramps Up Facebook Antitrust Inquiry

    European Union (EU) investigators are ramping up their antitrust inquiry into Facebook’s data practices, according to The Wall Street Journal.

    The EU’s investigators have been requesting “documents related to allegations by rival companies and politicians that Facebook leveraged access to its users’ data to stifle competition, rewarding partners and cutting off rivals, those people said.”

    One such example stems from how Facebook used VPN provider Onavo, which the company purchased in 2013. The WSJ reported in 2018 that Onavo was passing information about its users’ habits to Facebook, essentially serving as an early warning system for the social media giant. By providing information on what rival apps Onavo customers were using, Facebook could take action before those apps became a threat to Facebook’s business.

    According to the WSJ, the EU used a “law that allows for daily fines to punish noncompliance,” when requesting documents about how Facebook manages access to its user data. By using that law, the EU is tipping its hand that it doesn’t trust Facebook to comply with its requests unless it’s forced to do so. At the same time, by focusing on how Facebook manages data access, the EU’s investigation seems to be centering around these allegations of anticompetitive behavior.

    We will continue to provide updates as the story develops.

  • WhatsApp Bug Let Hackers Access Computers Via a Text Message

    WhatsApp Bug Let Hackers Access Computers Via a Text Message

    Facebook has just patched a vulnerability in WhatsApp that could allow a hacker to take control of a target’s computer via a single text message.

    Security researcher Gal Weizman, with PerimeterX, discovered the flaw and worked with Facebook to fix it. The flaw does not impact all users, only those using the iOS version paired with a desktop version, either macOS or Windows.

    According to Facebook’s security advisory, “a vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”

    As Weizman points out, much of this is because Facebook has not properly updated the underlying framework on which the desktop version of WhatsApp is built. That framework is Electron, a platform that allows developers to use web technologies to create “native” apps. Electron, in turn, is based on Chromium, the open-source foundation of Google Chrome. In an era where cloud computing and web applications have become dominant, Electron gives companies the ability to maximize their developer talent by focusing on web languages, frameworks and technologies.

    Unfortunately, in this instance, WhatsApp was based on Electron 4.1.4, instead of the current 7.x.x. In version 4.1.4, the included version of Chromium was Chrome/69, instead of the current Chrome/78. If Facebook had updated to the latest version of Electron, and therefore the underlying Chromium, this bug would not have been possible, as it had been patched in Chromium and Electron some time ago.

    “It is 2020, no product should be allowing a full read from the file system and potentially a RCE from a single message,” Weizman writes.

    He’s absolutely right. At a time when hackers are developing more powerful tools and methods to compromise systems, there is no excuse for development this lazy and irresponsible.

  • CIA Opens Door For Amazon Rivals to Bid On Cloud Contracts

    CIA Opens Door For Amazon Rivals to Bid On Cloud Contracts

    Bloomberg is reporting that the CIA is “planning to hire multiple companies for lucrative cloud computing deals,” a move that will likely hurt Amazon.

    Amazon was the first company to gain the coveted Impact Level 6 security certification, allowing it to store classified data in the cloud. This gave the company a huge advantage when bidding on government contracts involving sensitive data. However, Microsoft ultimately beat out Amazon for the Pentagon’s JEDI contract, worth some $10 billion. In December 2019, Microsoft also became the second company to gain the Impact Level 6 certification, opening the door to more competition for Amazon.

    With the CIA’s latest move, however, that door has been flung wide open, giving multiple companies the chance to compete with the leading cloud provider for lucrative and prestigious contracts.

    According to Bloomberg, “the government said the contracts could last up to 15 years with a five-year base period and two five-year renewals. The estimated award date is September 2020.

    “The CIA has previously indicated that it intended to spend ‘tens of billions’ of dollars on cloud computing, Bloomberg has reported. It’s unclear whether the agency has finalized an amount it plans to spend.”

    With analysts already predicting Microsoft could unseat Amazon as the reigning cloud leader, this latest report is not good news for Amazon. With Microsoft expecting a “halo effect” from the JEDI contract, Amazon may well find itself losing a considerable amount of government work.

  • Huawei Takes Legal Action Against Verizon Alleging Patent Infringement

    Huawei Takes Legal Action Against Verizon Alleging Patent Infringement

    Huawei has announced it is taking legal action against Verizon, alleging patent infringement by the wireless carrier, according to a company press release.

    The lawsuit was filed in the United States District Courts for the Eastern and Western Districts of Texas and seeks compensation for Verizon’s alleged use of 12 patents.

    “Verizon’s products and services have benefited from patented technology that Huawei developed over many years of research and development,” said Dr. Song Liuping, Huawei’s Chief Legal Officer.

    Huawei claims it tried negotiating with Verizon “for a significant period of time” prior to filing the lawsuits, but that the two companies were unable to reach an agreement on license terms.

    In the midst of the other legal challenges Huawei is facing, it will be interesting to see if its claims against Verizon hold up in court.