STE WILLIAMS

Stung by criticism over its creepy cookie hoarding and automatic sign-in in Chrome, Google has pulled a swift U-turn. Kind of.

That syncing feeling when you realise you may be telling Google more than you thought

READ MORE

Chrome 70, due in October, walks back controversial changes in the browser that had the privacy world all aflutter as Google said it heard and “appreciates” the feedback it got from users.

Doubtless still hiding behind the sofa in Google HQ, Chrome product manager Zach Koch trotted out the earlier excuse that automatically signing a user into Chrome when logging into a Google property was absolutely fine. He went further, showing a blown-up image of the browser to, er, demonstrate how clear the signed-in indicator was.

While still insisting that everything was peachy because this didn’t also auto-enable a Sync slurp of the browser history, Koch proffered a compromise. An option to prevent the sign-in will be tucked away in the Privacy and Security settings, and if turned off, Chrome would behave as it always has.

The Register has contacted Google to check what the default behaviour of this switch is going to be. After all, if it silently defaults to On and the user has to hunt through the UI to turn the thing off, this is little more than a gesture.

Koch also highlighted tweaks to the Chrome UI to make it clearer if Sync is running or not. In our testing, the option “everything” was the default for Sync, requiring a user to opt out of a full slurp rather than opt in.

Finally, Koch assured users that Chrome’s greedy hoarding of Google cookies will stop. Deleting all cookies will mean all cookies are deleted, you lucky, lucky people.

Independent cybersecurity and privacy researcher Dr Lukasz Olejnik reckoned that the changes, introduced silently in Chrome 69, were significant enough to merit a data protection impact assessment (DPIA) under GDPR.

Olejnik went on to say that the tweaks appearing in Chrome 70 further enriched the case. “In effect, Chrome 70 is shipping changes, addressing the issue in a reactive fashion. It is interesting to see Privacy by Design (not) at work.”

For many, it is too little and too late.

Anyway, a big shoutout to the Chrome team for listening and doing damage control. I realize that this is about as good as it’s going to get, so I promise not to complain much about it anymore. I am, however, going to use this as my impetus to start separating from Google.

— Matthew Green (@matthew_d_green) September 26, 2018

The final word goes to Olejnik, who observed: “Would that [have] happened had nobody noticed? What if no privacy/trust-fluent folks had uninstalled Chrome? Who would watch then?”

Who indeed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/26/google_backtrack_chrome/

UK-based insurance services firm Premium Credit has hauled itself back online following a malware-based attack that struck the business more than a week ago.

Premium Credit underwrites insurance premiums for a network of brokers, business and personal customers and has 400 staffers across the UK and Ireland.

In a statement on its website yesterday that accompanied its return after nine days offline, the UK and Ireland firm played down the episode, adding it had found “no evidence of data loss” following an unspecified “cyber incident”.

External experts continue to investigate. “We have now restored many key systems, and are working around the clock to complete our full restoration,” the statement concluded.

So what happened? The insurance premiums financer told El Reg that it had suffered from an unspecified malware outbreak, adding that it had taken its systems offline as a “precaution“. In a follow-up statement, received via email, Adam Morghem, strategy and marketing director at Premium Credit, provided a fuller rundown of events.

On Sunday 16th September, our virus monitoring alerted us to a cyber incident. We followed our extensive security protocols designed to protect our systems and isolate our partners from harm. We then began the investigation into the incident with external 3rd party experts.

Since then, we have been working around the clock to restore our services for our brokers. Our trading systems are live with our brokers.

Our call centres have been open since Monday 17th to support customers and producers during the outage.

He told us the internal and external probes by infosec specialists had not turned up any evidence of data loss. He said it has told customers that any payment that was delayed due to the outage will not be treated as a deafult so no default charge will be levied.

“We can only apologise for the disruption this has caused our partners and their customers,” said Morghem.

El Reg checked in with Troy Hunt, the security researcher behind the Have I been Pwned breach notification service and normally among the first people to hear about any customer data leak. He said he hadn’t heard anything yet, a good sign, though hardly definitive. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/26/premium_credit_outage/

Broadcast On 26 September 2018 at 10am PDT, 11am MT, 6pm UK, we’ll have a studio full of experts lined up to talk about insider threats and how even the best organisations can suffer from occasional bouts of “bad employee syndrome”.

It’s clearly a challenge that’s not going to go away as more companies develop mobile workforces and the ability to spot bad practices and actors has become more difficult than ever.

During the hour long broadcast, we’ll be exploring:

• What is the new face of the insider threat – how do bad apples manifest themselves in today’s organisations?
• What are the costs of doing nothing – how much damage is being done, day on day, and why is nothing being done?
• What does a solution look like – how do best practices, tools and roles combine to mitigate the insider threat?
• Where to start – what is the best approach to take an organisation from a denial state to a clear view?

The gig is hosted by our own Jon Collins and includes experts from LogRhythm and analysts from Freeform Dynamics. They’re all geared up to answer your questions so come along, come prepared and learn a lot. You can register here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/25/the_evolution_of_the_insider_threat/

Mozilla on Tuesday debuted a service called Firefox Monitor that it has been testing to help people see whether their email addresses have been compromised.

“We’ll let you know if your email address and/or personal info was involved in a publicly known past data breach,” said Nick Nguyen, Mozilla’s VP of Firefox Product, in a blog post. “Once you know where your email address was compromised you should change your password and any other place where you’ve used that password.”

Firefox Monitor is basically a wrapper for Have I Been Pwned (HIBP), a sprawling database of several billion email addresses (and, separately, passwords) that have shown up in spilled data. Monitor consists of an input form – with Firefox download links – submits hashed email addresses to HIBP and performs a bit of processing on the returned data.

Its main virtue is the hashing, a mathematical mechanism for encoding data. The service creates an SHA-1 hash of the submitted email address and takes the first six characters – [email protected], for example, becomes 567159, from 567159D622FFBB50B11B0EFD307BE358624A26EE – and submits them to HIBP’s hash range query API. HIBP then returns a range of possible matches, if any, to the six character string, without ever handling the full email address.

Mozilla changes Firefox policy from ‘do not track’ to ‘will not track’

READ MORE

Firefox Monitor then iterates through the supplied list, searching for a match of the full email address hash. If found, it tells the user that the email address at issue has been spotted in a data dump, which means the account owner should change the password to avoid being hacked.

HIBP works fine without Firefox Monitor – and has been integrated into other products like 1Password – but other systems involve submitting an email address directly to the site without hashing. This may seem like a quaint concern when looking into whether one’s email address and password have already been exposed online. But it may matter to some.

In an email to The Register, a Mozilla spokesperson explained that Firefox partnered with Troy Hunt, who runs HIBP, to make it easier for internet users to access the service.

“Our first step is to bring the data in HIBP and surface it to users through our website and in-product notifications for Firefox users,” Mozilla’s spokesperson said.

“One difference for now is that sensitive sites will only be sent to you after you’ve verified your email to help keep you safe. There are future plans to integrate it more deeply into the Firefox and future products that are underway.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/25/mozilla_firefox_monitor/

The United Nations has been hit with two damning data leak allegations in as many days.

The global organization has seen researchers uncover a pair of flaws that had left a number of its records, and those of its employees, accessible to hackers online.

Word of the first issue came out yesterday when security researcher Kushagra Pathak found that the UN had left an unsecured set of Trello, Jira and Google Docs projects exposed to the internet.

Pathak, who has specialized in uncovering vulnerable Trello boards and web apps, said the exposed information included account credentials and internal communications and documents used by UN staff to plan projects.

After stumbling onto the vulnerable Trello board, he was able to then get access to the Jira and Google Docs deployments where he harvested other sensitive data. Pathak privately reported the issue to UN, who has since locked down the vulnerable web app instances.

The second exposure was uncovered by researcher Mohamed Baset of Seekurity and resulted in the exposure of “thousands” of résumés submitted by job applicants.

Baset reports that the UN failed to patch vulnerabilities in one of the WordPress CMS systems it uses to handle job applications. This would potentially allow anyone who chose to exploit the local path disclosure the ability to access the thousands of CVs people had submitted when they applied for a job with a UN agency.

The vulnerability was reported to the UN in August, but after getting the full bureaucratic runaround, Baset decided to go public with the flaw this week, and share a proof of concept video:

Youtube Video

It wasn’t all long faces at the UN this week, however.

Members of the org had a moment of levity this morning when US President Donald Trump addressed the General Assembly. The Commander-in-Chief’s boasts of historic accomplishments at the helm of America sparked chuckling and guffawing by foreign diplomats witnessing his speech…

WATCH: Laughter in UN General Assembly as President Trump touts his administration’s progress in past 2 years: “Didn’t expect that reaction, but that’s OK.” pic.twitter.com/V7GViB5g4B

— NBC News (@NBCNews) September 25, 2018

A nice chuckle was had by most. Meanwhile, at last estimate, Trump was custodian to some 4,000 nuclear warheads. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/25/un_trello_jira_wordpress_vulnerability/

The now-former NSA employee at the heart of the Kaspersky Lab exploit siphoning scandal has been thrown behind bars for five and a half years.

Nghia Hoang Pho, 68, was sent down on Tuesday in the same Baltimore US district court where last year he plead guilty to one felony count of willful retention of national defense information.

Back in 2015, Pho was working for the NSA as a programmer on its highly secretive Tailored Access Operations (TAO) hacking team, when he took top-secret exploit code from America’s surveillance nerve-center home with him to Ellicott City, Maryland, to study.

When Pho loaded the classified security vulnerability exploits up on his home Windows PC, they were scanned by his Kaspersky Lab antivirus software, detected as particularly interesting by the toolset, and subsequently uploaded to the Russian biz’s backend for analysis. From there, the exploit code supposedly fell into the hands of Kremlin agents.

It would later surface that Pho had been taking his highly classified work home with him for roughly five years prior to the incident, and had amassed what US prosecutors called “massive troves” of classified information.

Winner, Winner, prison dinner: Five years in the clink for NSA leaker

READ MORE

Though Kaspersky would deny that it knowingly handed any of the exploit code over the Russian government, the fallout from the brouhaha resulted in the security biz being slapped with a ban on doing business with Uncle Sam’s Homeland Security and the rest of the federal government.

Kaspersky was accused of handing, directly or indirectly, the slurped NSA cyber-weapons to Russian government spies to study and use, but the antivirus maker denied any direct link: the biz claimed it deleted the uploaded files as soon as it realized they were leaked NSA tools.

Pho, meanwhile, took a plea deal, and faced the unenviable position of being made an example US prosecutors set for other intelligence workers who may be tempted to compromise their own classified work by taking it off government premises.

“Pho’s intentional, reckless, and illegal retention of highly classified information over the course of almost five years placed at risk our intelligence community’s capabilities and methods, rendering some of them unusable,” said Assistant US Attorney General John Demers.

“Today’s sentence reaffirms the expectations that the government places on those who have sworn to safeguard our nation’s secrets.”

Well, kind of. Remember David Petraeus, the US general who shared classified military secrets with his mistress? He got probation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/26/nsa_worker_jailed/