STE WILLIAMS

Pervasive digital surveillance of citizens deployed in COVID-19 fight, with rules that send genie back to bottle

Pervasive surveillance through digital technologies is the business model of Facebook and Google. And now governments are considering the web giants’ tools to track COVID-19 carriers for the public good.

Among democracies, Israel appears to have gone first: prime minister Benjamin Netanyahu has announced “emergency regulations that will enable the use of digital means in the war on Corona. These means will greatly assist us in locating patients and thereby stop the spread of the virus.”

Speaking elsewhere, Netanyahu said the digital tools are those used by Israeli security agency Shin Bet to observe terrorists. Netanyahu said the tools mean the government “will be able to see who they [people infected with the virus] were with, what happened before and after [they became infected].”

Strict oversight and a thirty-day limit on the use of the tools is promised. But the tools’ use was announced as a fait accompli before Israel’s Parliament or the relevant committee could properly authorise their use. And that during a time of caretaker government!

The idea of using tech to spy on COVID-carriers may now be catching.

The Washington Post has reported that the White House has held talks with Google and Facebook about how the data they hold could contribute to analysis of the virus’ spread. Both companies already share some anonymised location data with researchers. The Post suggested anonymised location data be used by government agencies to understand how people are behaving.

Thailand recently added a COVID-19-screening form to the Airports of Thailand app. While the feature is a digital replica of a paper registration form offered to incoming travellers, the app asks for location permission and tries to turn on Bluetooth every time it is activated. The Register has asked the app’s developers to explain the permissions it seeks, but has not received a reply in 48 hours.

Nariman Gharib, chief incident response officer at the Computer Emergency Response Team in Farsi, has claimed that the Iranian government’s COVID-diagnosis app tracks its users.

China has admitted it’s using whatever it wants to track its people – the genie has been out of the bottle there for years.

If other nations follow suit, will it be possible to put the genie back in?

Probably not: plenty of us give away our location data to exercise-tracking apps for the sheer fun of it and government agencies gleefully hoover up what they call “open source intelligence”. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/18/digital_surveillance_covid_19_coronavirus/

Remember cryptojacking from way, way back (2019)? Site infections are down 99% – thanks to death of Coinhive

Cryptojacking, the theft of computing power to mine digital currency, has been around at least since 2013 – and has shrunk in use dramatically with the death of Monero-mining service Coinhive.

Since Coinhive’s closure last year, cryptojacking has been almost eliminated, according to a group of researchers from the University of Cincinnati in America and Lakehead University in Canada, mainly because online ads generate more revenue.

Coinhive provided JavaScript code that websites could incorporate to make visitors’ computers mine Monero, a cryptocurrency that happens to appeal to cybercriminals because it’s difficult to trace. Though Coinhive’s code was marketed as a monetization alternative to advertising, it was quickly abused – a mining script can also be injected into a website by hackers without the site owner’s knowledge.


When the service launched in September 2017, Monero could be exchanged for about $100 apiece. By early January, 2018, its price peaked at almost $500.

On March 8, 2019, Coinhive shut down because, the company said, the project was no longer economically viable. The price of Monero then was about $50 and today it’s trading at around $35.

In a paper [PDF] distributed through ArXiv, “Is Cryptojacking Dead after Coinhive Shutdown?”, presented earlier this month at the third International Conference on Information and Computer Technologies in Santa Clara, Calif., boffins Said Varlioglu, Murat Ozer, and Bilal Gonen (U. Cincinnati), and Mehmet F. Bastug (Lakehead U.) found that cryptojacking mostly vanished with the departure of Coinhive.

The researchers used a cryptojacking detector known as CMTracker to look for cryptojacking code. They evaluated 2,770 websites, manually and automatically, that had been flagged by CMTracker before the Coinhive shutdown. And 99 per cent of them no longer run cryptojacking code. The remaining 1 per cent still do, using eight distinct mining scripts.

  • minero.cc/lib/minero.min.js
  • webminepool.com/lib/base.js
  • hashing.win/46B8.js
  • */perfekt/perfekt.js
  • */tkefrep/tkefrep.js
  • enaure.co/javas.js
  • lasimakiz.xyz/sadig6.js
  • uvuvwe.bid/jo/jo/miner_compressed/webmr.js

These scripts were subsequently spotted on 632 websites in the wild. That’s a significant decrease from 2017 when Coinhive code alone could be found on more than 30,000 websites.

The researchers point to a 2019 research paper [PDF], “Truth in Web Mining: Measuring the Profitability and the Imposed Overheads of Cryptojacking,” that found ads are 5.5x more profitable than web-based cryptocurrency mining and that mining-focused websites need to keep a visitor’s mining tab open for at least 5.53 minutes to generate more revenue than online ads.

That’s based on a website with three ad slots priced at $1 per thousand impressions that receives 100,000 visitors a month.

That same paper also noted the consequences of cryptojacking to victims: increasing device temperature by up to 52.8 per cent, decreasing performance by up to 57 per cent, and multiplying CPU usage up to 1.7x, all of which show up in the victim’s electricity bill.

Among those still carrying out cryptojacking operations, modern web technologies like WebSockets, WebWorkers and WebAssembly commonly play a role. The researchers from U. Cincinnati and Lakehead U. observe that miscreants tend to place their code on free movie websites because victims will remain there on the same page for a long time.
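The eight script paths listed above, together with the observation that the remaining miners lean on WebSockets, WebWorkers and WebAssembly, are enough to build a simple page scanner. The following is an added example written for this digest; it is not CMTracker or any code from the paper. The sample HTML is constructed, the hostnames in it are documentation placeholders, and the WebAssembly/Worker heuristic is an assumption of this example rather than anything the researchers published.

```python
"""Scan fetched HTML for the eight mining-script indicators named in the
Varlioglu et al. paper, plus a weak heuristic for inline loaders that combine
WebAssembly with a Worker or WebSocket. Example code for this digest, not the
paper's CMTracker tool."""
from fnmatch import fnmatchcase
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators exactly as listed in the article; "*" is a glob wildcard.
MINING_SCRIPT_INDICATORS = [
    "minero.cc/lib/minero.min.js",
    "webminepool.com/lib/base.js",
    "hashing.win/46B8.js",
    "*/perfekt/perfekt.js",
    "*/tkefrep/tkefrep.js",
    "enaure.co/javas.js",
    "lasimakiz.xyz/sadig6.js",
    "uvuvwe.bid/jo/jo/miner_compressed/webmr.js",
]


def normalise_src(src: str) -> str:
    """Reduce a script URL to host + path so scheme and query string don't matter."""
    parts = urlsplit(src.strip())
    return (parts.netloc + parts.path).lstrip("/")


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a document."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False


def scan_page(html: str) -> dict:
    """Return known indicator hits and a count of suspicious inline loaders."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    matches = []
    for src in parser.external:
        key = normalise_src(src)
        for pattern in MINING_SCRIPT_INDICATORS:
            if fnmatchcase(key, pattern):
                matches.append((src, pattern))
                break
    # Heuristic only (assumption of this example): an inline script that names
    # WebAssembly together with a Worker or WebSocket deserves a closer look.
    hints = sum(
        1 for body in parser.inline
        if "WebAssembly" in body and ("Worker(" in body or "WebSocket(" in body)
    )
    return {"known_scripts": matches, "wasm_worker_hints": hints}


# Constructed sample page: one benign script, two indicator hits, one inline loader.
SAMPLE_HTML = """<html><head>
<script src="/static/jquery.min.js"></script>
<script src="https://cdn.example.net/perfekt/perfekt.js?v=3"></script>
<script src="//minero.cc/lib/minero.min.js"></script>
</head><body>
<script>
// constructed: a loader wiring a Worker, a WebSocket and a WebAssembly module
var w = new Worker("w.js"); var ws = new WebSocket("wss://pool.invalid");
WebAssembly.instantiate(buf).then(function (m) { w.postMessage(m); });
</script>
</body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_HTML))
```

A hit on the indicator list is a strong signal because the paths are specific, but the list will age as miners move hosts; the inline heuristic is deliberately weak, since legitimate sites also ship WebAssembly and workers, so treat it as a triage hint rather than a verdict.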

“It is still alive but not as appealing as it was before,” the researchers explain in their paper. “It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most of the websites, ads are still more profitable than mining.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/17/cryptojacking_coinhive/

Attorney General Directs DoJ to Prioritize Coronavirus Crime

Criminal activity related to the pandemic cannot be tolerated, William Barr states in memo.

US Attorney General William Barr has urged attorneys in the Department of Justice to focus attention on cybercriminals seeking to take advantage of coronavirus fears to spread malware and commit fraud.

In a memo first reported by the AP, Barr reminds US attorneys that “it is essential that the Department of Justice remain vigilant in detecting, investigating, and prosecuting wrongdoing related to the crisis.” He goes on to specifically call out those selling fake cures for COVID-19, and criminals using the crisis to entice victims into downloading malware.

Barr goes on to write, “The pandemic is dangerous enough without wrongdoers seeking to profit from public panic and this sort of conduct cannot be tolerated. Every U.S. Attorney’s Office is thus hereby directed to prioritize the detection, investigation, and prosecution of all criminal conduct related to the current pandemic.”

For more, read here and here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s featured story: “Beyond Burnout: What Is Cybersecurity Doing to Us?”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/attorney-general-directs-doj-to-prioritize-coronavirus-crime/d/d-id/1337336?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Remote Workforce Jumps 15% In Two Weeks

Netskope reports the total number of remote employees is the highest it has ever observed.

The number of people working remotely has jumped 15% in the past two weeks as businesses and governments encourage employees to work from home to prevent the spread of COVID-19. 

Researchers at Netskope estimate the number of remote workers with “user dispersion,” which refers to the ratio of the number of distinct globally routable IP addresses from which people are working to the total number of workers. If everyone is on the same network, as they would be in an office or on the same VPN, the ratio approaches zero. If people are working remotely from several locations and don’t use a VPN, the ratio approaches one.

Using this method, they learned 27% of users worked remotely on an average weekday prior to COVID-19. The numbers have gradually increased for the first eight weeks of 2020 and spiked over the past two weeks as more companies enforced work-from-home policies. For the week ending on March 6, the average percentage of remote workers reached 30% and peaked at 32% on Friday. For the week ending March 13, the average grew to 35% and with a Friday peak of 42%.

For comparison, 42% is only slightly less than the average number of people who work remotely on weekends (43%), and it’s higher than any holiday in the past six months. Netskope reports the total number of remote employees is the highest it has ever observed.
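The “user dispersion” ratio described above is straightforward to compute from any access log that records a user and a source address. The following is an added example written for this digest, not Netskope’s code; the page does not say how Netskope decides which addresses count as globally routable, so the exclusion list below (RFC 1918 private space, shared/CGNAT space, loopback and link-local) is an assumption, and the log records are constructed using documentation addresses.

```python
"""Compute a Netskope-style "user dispersion" ratio: distinct globally routable
source IPs divided by distinct workers. Added example for this digest; the
address filtering is an assumption, not Netskope's published method."""
import ipaddress

NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # shared address space (CGNAT)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def is_routable(ip: str) -> bool:
    """True if the address falls outside the non-routable ranges above.
    ipaddress.is_global is deliberately not used: it also rejects the RFC 5737
    documentation addresses that the constructed sample relies on."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def user_dispersion(records):
    """records: iterable of (user, source_ip) pairs from an access log.
    Returns (ratio, distinct_routable_ips, distinct_users). A ratio near 0 means
    everyone egresses through one office or VPN address; near 1 means everyone
    is working from a different connection without a VPN."""
    users, ips = set(), set()
    for user, ip in records:
        users.add(user)
        if is_routable(ip):
            ips.add(ipaddress.ip_address(ip).exploded)
    if not users:
        return 0.0, 0, 0
    return len(ips) / len(users), len(ips), len(users)


# Constructed sample: five staff behind the office egress address, three at home on
# separate connections, one seen only with a private LAN address (adds no routable IP).
SAMPLE_LOG = [
    ("alice", "203.0.113.10"), ("bob", "203.0.113.10"), ("carol", "203.0.113.10"),
    ("dave", "203.0.113.10"), ("erin", "203.0.113.10"),
    ("frank", "198.51.100.5"), ("grace", "192.0.2.77"), ("heidi", "198.51.100.91"),
    ("ivan", "10.20.30.40"),
]

if __name__ == "__main__":
    ratio, n_ips, n_users = user_dispersion(SAMPLE_LOG)
    print(f"dispersion={ratio:.2f} ({n_ips} routable IPs / {n_users} users)")
```

Two caveats a practitioner should keep in mind when reading the metric: several home users behind one carrier-grade NAT egress collapse into a single IP and pull the ratio down, and a user who moves between home and a coffee shop in one day counts twice, pushing it up. For a trend over weeks, as in the Netskope figures, those effects largely cancel, but the absolute value should not be over-interpreted.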

Read more details here



Article source: https://www.darkreading.com/cloud/remote-workforce-jumps-15--in-two-weeks/d/d-id/1337331?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

This Tax Season, Save the Scorn and Protect Customers from Phishing Scams

As security professionals, it’s easy to get cynical about the continued proliferation of tax ID theft and blame the consumers themselves. But that doesn’t help anyone.

We hear about it every year at this time: consumer-targeted phishing scams in which hackers are after tax returns. We’re all well aware of the motivations behind these schemes. It has now reached the point that the IRS issues a warning about phishing scams every January, urging consumers to file as early as possible to avoid being victims.

The biggest challenge with tax ID theft through phishing is that the victims aren’t aware they’ve been targeted until it’s too late. As security professionals, it’s easy to get cynical about the continued proliferation of these scams and blame the consumers themselves. I’ve been seeing articles by members of the security community that take a tone of condescension and snark. You can almost hear the authors sighing deeply and picture the exasperated eye rolls.

I’m appealing to my fellow security professionals: This tax season, let’s drop the scorn toward victims of phishing scams. Underestimating the effectiveness of phishing and blaming its victims doesn’t help anyone. For example, in February, cybercriminals intentionally preyed on the public’s fears and concerns about the coronavirus by sending out malicious links masquerading as information consumers can use to protect themselves from the virus. With the coronavirus all over the media, can you blame consumers for clicking on a URL that promises safety and information?

A tone of condescension also ignores the real and increasing damage phishing does to the trust relationship between consumers and brands, tech firms, and government agencies. In addition, it’s worth noting that the tips we often give to consumers aren’t foolproof. Almost half of all spoofed sites are now SSL-registered, exploiting the trust consumers have placed in visiting what they believe are secure “https” URLs with the familiar padlock icon. And phishing domains and emails sent to customers are both more sophisticated than ever. In fact, 97% of people around the world are unable to identify a sophisticated phishing email.

Focus on What Matters
I ask that we focus on better ways to shut down these insidious attacks before they can take hold. The good news is, the security community has already created the tools and technology it takes to solve this problem. We just need to refine them and point them in the right direction.

Right now, defenders are placing much emphasis on email filtering and domain monitoring. Both of these tools are valuable, but they’re only pieces to a larger, more complex puzzle. For example, it’s smart to use anti-phishing email filtering to make sure fake email messages don’t get through to your company’s employees, but a growing number of phishing scams employ social engineering techniques to trick people into giving up sensitive information, particularly over text. 

Additionally, email filtering helps to keep your employees safe, but what about the email accounts of your customers? And, yes, it is your problem if customers are duped. Don’t forget that under consumer privacy laws such as GDPR and the newly enacted CCPA, your company is legally responsible for customer data loss caused by phishing, even if you never knew your brand was being targeted by a campaign.

As for domain monitoring software solutions, they are designed to alert businesses when certain domains have had a status change or need to be renewed. But they don’t alert security teams when a new spoof URL has been published or spot all of the fakes. According to Dell Technologies, an estimated 30,000 spoof URLs are launched every day. These URLs typically cycle back and forth between malicious and legitimate, as reported in a recent Anti-Phishing Working Group report. The sheer volume and constant state of flux make it difficult for any domain monitoring solution to monitor and identify them all.

Defenders should consider scalable, real-time strategies that improve detection from the moment a spoof site or page has launched. [Editor’s note: The author’s company offers a related solution.] The problem with the current approach to phishing detection is that by the time the victim clicks on the link and visits the spoof site, it’s too late. The consumer who tries to file a real tax return only to learn that someone else already filed one in their name is a perfect example.

End the Victim Blaming
It’s easy to heap blame on customers, telling ourselves that they “should know better” than to click on a URL in an email from someone they don’t know. But as the saying goes, “You don’t know what you don’t know.” Customers believe that the emails and texts containing spoof URLs are coming from a brand they know and trust. And it could very well be your brand. That’s the most insidious part of a phishing attack. It’s up to us, the defenders, to innovate new ways to solve this vexing problem.



Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has …

Article source: https://www.darkreading.com/vulnerabilities---threats/this-tax-season-save-the-scorn-and-protect-customers-from-phishing-scams/a/d-id/1337279?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security Lessons We’ve Learned (So Far) from COVID-19

Takeaways about fighting new fires, securely enabling remote workforces, and human nature during difficult times.


As the crisis surrounding the novel coronavirus COVID 19 continues to spread around the globe, businesses everywhere have little choice but to make changes and put business continuity plans into action (assuming they have one). These pivots are stressing out just about everyone, from frontline workers to internal departments. Of course, this stress is acutely felt by security leaders who are being asked to deploy accommodations both quickly and securely.

On their plates? Defending against cybercriminals who we’ve already seen in the past few weeks taking advantage of the panic to craft new phishing and malware campaigns. Security leaders are also scrambling to both enable larger-scale work at home arrangements and educate users about the new risks of remote work.

That’s just scratching the surface of all that must be done in the security department during this trying time.

The Edge asked security leaders what they have so far learned about securing business in a pandemic.


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Article source: https://www.darkreading.com/edge/theedge/security-lessons-weve-learned-(so-far)-from-covid-19/b/d-id/1337332?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Startup Offering Secure Access to Corporate Apps Emerges from Stealth

Axis Security has raised $17 million in VC funding.

A new security-as-a-service (SaaS) startup officially launched today that provides end users with access to an organization’s private applications while keeping them off the corporate network and application server as a way to help prevent endpoint-borne threats.

Axis Security, which had been operating in stealth mode, uses a cloud-based platform that doesn’t use endpoint agents. It’s currently geared for organizations integrating users in the wake of a merger and acquisition (M&A) or for third-party suppliers, such as consultants or other contractors, who need access to corporate apps, such as travel and logistics, for example.

Axis Security’s emergence from stealth also comes amid a massive, global work-from-home movement underway by businesses and organizations in an effort to quell the spread of Coronavirus-19 (COVID-19). Company executives say the initial use of Axis’s technology has been companies providing new users access to their internal apps in the wake of M&As, as well as for third-party suppliers and contractors, but the SaaS offering also applies to any work-from-home setup.

“We’re not launching as a solution for that scenario,” meaning as a COVID-19 work-from-home technology, says Tamir Hardof, chief marketing officer at Axis Security. But he admits that is likely to become an attractive option for its SaaS offering in the coming months as offices remain closed during the pandemic.

“Making it easier for enterprises to enable all users — employees and non-employees — in a highly managed and secure way is a very increasingly relevant story and solution today,” he says.

The typical scenario for getting employees and contractors access to internal apps after an M&A can be manually configuring laptops and shipping them to users, he notes, and that is labor-intensive and time-consuming.

Axis Security’s early customers who adopted the technology for getting their new M&A and third-party users access to private apps are now also facing the work-from-home shift in the current COVID-19 pandemic, he explains. “They are now asking us how we can help if they are closing offices” and using work-from-home for users, he says.

Axis Security, which was founded by Dor Knafo and Gil Azrielant, former members of the Israeli Defense Forces Unit 8200, has raised some $17 million in funding. Its investors are venture capital firm Cyberstarts, which includes backing from founders and entrepreneurs from Sequoia Capital, Palo Alto Networks, Check Point, and Imperva; Ten Eleven Ventures’ Alex Doll; and individual investors Dan Amiga, founder of Fireglass, and Michael Fey, former president of Symantec and Blue Coat.

Axis Security’s approach falls into the zero-trust realm. But unlike network-access, cloud-based security services like Zscaler Private Access, which sends traffic via Zscaler’s network, Axis Security’s Application Access Cloud is all about the application layer. “Zscaler utilizes an agent, whereas Axis does not. Zscaler offers a broader Web security portfolio … whereas Axis is focused solely on secure application access,” explains John Grady, cybersecurity analyst at Enterprise Strategy Group, who adds that many other vendors in this space have varying approaches that include using VPNs.

“Axis is starting with very specific use cases, which is still the predominant approach we see in this market: One of their customers has a massive network of third-party vendors and partners that require access to their systems and are utilizing Axis for that purpose. Another is using Axis to accelerate an acquired company’s access to the acquirer’s applications,” he says. “I think a solution like Axis Security’s can replace much of the functionality of a VPN solution down the line, but many organizations are starting smaller before advancing down that path.”

Corporate VPNs have increasingly come under scrutiny for their potential for abuse and for inadvertently giving users too much access to corporate resources.

“The user is never part of the network and stays isolated from the network,” explains Knafo, co-founder and CEO of Axis Security. For now, it’s focused on providing access to internal applications, he says, but the company is working on adding access to other applications, including Google Hangouts, for example.

The end user accesses internal apps from any of their devices, and there’s a management console for the IT and security teams to monitor and oversee user activity. “We actually operate at the application layer,” explains Azrielant, co-founder and CTO of Axis Security. Users have a URL interface to the applications, he says, and software-based components from the corporate network communicate with Axis Security’s cloud service and check user authenticity and policies.

Secure remote access is as crucial as ever, according to security experts. “Improving secure remote access has been top-of-mind for the last year or so I’d say, but I think that is going to accelerate with the current circumstances we’re facing. So this was a market poised for growth a month ago, but it’s even more important in today’s environment,” ESG’s Grady says.



Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/application-security/startup-offering-secure-access-to-corporate-apps-emerges-from-stealth/d/d-id/1337334?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Europol busts up two SIM-swapping hacking rings

After months-long, cross-border investigations, Europol announced on Friday that it’s arrested more than two dozen people suspected of draining bank accounts by hijacking victims’ phone numbers via SIM-swap fraud.

Following a ramp-up in SIM-jacking over recent months, police across Europe have been gearing up to dismantle criminal networks that organize these attacks, Europol says.

That growth mirrors what’s happening in the US: In October, the FBI warned that bad guys were getting around some types of two-factor authentication (2FA). The easiest – and, therefore, the most common – way to sneak past 2FA is SIM-swap fraud, where an attacker convinces a mobile network (or bribes an employee) to port a target’s mobile number or plants malware on a victim’s phone, thereby allowing them to intercept 2FA security codes sent via SMS text.

How the crooks swing a SIM swap

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.

Europol’s announcement came after the fruition of two operations targeting SIM hijackers: Operation Smart Cash, and Operation Quinientos Dusim.

Operation Quinientos Dusim

In January, Europol investigators teamed up with Spanish police to target suspects across the country whom they suspected were part of a hacking ring that stole over €3 million (USD $3.35m, £2.74m) in a series of SIM-swapping attacks. They arrested a dozen people: five in Benidorm, six in Granada and one in Valladolid.

The suspected SIM-jackers were between the ages of 22 and 52 and hailed from Italy, Romania, Colombia and Spain. Europol says the gang hit over 100 times, stealing between €6,000 (£5,480, USD $6,700) and €137,000 (USD $152,880, £125,210) per attack from bank accounts of unsuspecting victims.

Europol says the suspects’ modus operandi was simple: they allegedly got their victims’ online banking credentials by a variety of malware, including banking Trojans. Once they had the credentials, the suspects allegedly applied for a duplicate of the victims’ SIM cards by showing fake documents to the mobile service providers. After they got the duplicate SIM cards, they could transfer funds out of their victims’ accounts by intercepting the 2FA codes sent via SMS to the rightful account owners’ phone numbers on file.

Whoosh! went the bank accounts’ balances, transferred over to bank accounts controlled by the SIM-jackers’ money mules in the blink of an eye. Europol said the whole thing took between one and two hours: just about as much time as it would take for a victim to realize that their phone number wasn’t working any more.

Operation Smart Cash

The second operation, Operation Smart Cash, was an eight-month, joint project between police from Romania and Austria, with support from Europol. The ultimate results: the arrest of 14 people who were allegedly part of another SIM-swap attack gang.

Earlier in February, investigators arrested the suspects in simultaneous raids throughout Romania.

Europol says that this gang’s thefts targeted dozens of victims in Austria. The alleged crooks carried out the thefts through a series of SIM-swapping attacks in the spring of 2019.

After they got their clutches on a victim’s phone number, the alleged SIM-jackers would then use stolen banking credentials to log onto a mobile banking app to generate a transfer, which they then validated with a one-time password sent by the bank via SMS. Next, this gang allegedly had its members withdraw the money at cardless ATMs.

The gang managed to steal over half a million euros, Europol says (£456,975, USD $558,350).

What to do?

Whether they’re breaking into regular old bank accounts or Bitcoin accounts, the crime is obviously extremely costly for the victims who watch helplessly as their accounts drain.

So, here are our tips:

  • Watch out for phishing emails or fake websites that crooks use to acquire your usernames and passwords in the first place. Generally speaking, SIM swap crooks need access to your text messages as a last step, meaning that they’ve already figured out your account number, username, password and so on.
  • Avoid obvious answers to account security questions. Consider using a password manager to generate absurd and unguessable answers to the sort of questions that crooks might otherwise work out from your social media accounts. The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was an 87X4TNETENNBA.
  • Use an on-access (real-time) anti-virus and keep it up-to-date. One common way for crooks to figure out usernames and passwords is by means of keylogger malware, which lies low until you visit specific web pages such as your bank’s login page, then springs into action to record what you type while you’re logging on. A good real-time anti-virus will help you to block dangerous web links, infected email attachments and malicious downloads.
  • Be suspicious if your phone drops back to “emergency calls only” unexpectedly. Check with friends or colleagues on the same network to see if they’re also having problems. If you need to, borrow a friend’s phone to contact your mobile provider to ask for help. Be prepared to attend a shop or service center in person if you can, and take ID and other evidence with you to back yourself up.
  • Consider switching from SMS-based 2FA codes to codes generated by an authenticator app. This means the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of login codes.

Having said that, Naked Security’s Paul Ducklin advises that we shouldn’t think of switching from SMS to app-based authentication as a panacea:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realizing it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ORrtEW70IY8/

WordPress to get automatic updates for plugins and themes

If WordPress had a list of the most requested features, the ability to automatically update plugins and themes would surely be near the top.

Some good news: according to a recent development update, the ability to do this is now being beta-tested in the form of a new plugin for WordPress 5.5, due in August.

WordPress itself, the Content Management System Core, has had auto-updating since version 3.7 in 2013, which meant that security updates could be applied automatically.

Given the number of attacks exploiting WordPress vulnerabilities in the years leading up to that change, it was a big moment.

Unfortunately, the same wasn’t true of that other area of WordPress exposure, namely plugins and themes.

Whereas many years ago such add-ons were viewed as optional for most sites, these days many have become essential additions that add important capabilities to WordPress sites.

Vulnerabilities in these now generate a steady stream of stories:

We didn’t cherrypick these – all of these were from 2020.

Admins can either script the updating themselves, or roll up their sleeves and do it manually. The latter option has the obvious weakness that admins fall behind in updating, or simply ignore the problem entirely.

But how would admins know to update at all? Only if they receive security notices and pay attention to them, a haphazard process at best.

Once auto-updating appears in WordPress Core, admins will be able to opt in via the WP-admin screen. The design will still allow admins to opt out on a plugin-by-plugin or theme-by-theme basis.

This is important because updates can sometimes cause problems. For many sites, the risk of not updating will be outweighed by the risk of this happening automatically.
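As an added example (not part of the article and not WordPress's own code), here is a must-use plugin that applies the opt-in-by-default, opt-out-per-add-on model described above using WordPress's existing `auto_update_plugin` and `auto_update_theme` filters; the held-back plugin basenames and theme slug are constructed placeholders.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not WordPress core code)
 * Description: Opt every plugin and theme into automatic updates except a
 *              deny-list of add-ons the admin wants to vet by hand first.
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before regular
 * plugins. The deny-lists below are constructed for illustration; replace
 * them with the basenames and slugs of the add-ons you want to hold back.
 */

// Hypothetical plugins that have broken this site on update in the past.
const EXAMPLE_HELD_BACK_PLUGINS = [
    'example-page-builder/example-page-builder.php',
    'example-ecommerce/example-ecommerce.php',
];

// Hypothetical theme slug (its directory name) to hold back.
const EXAMPLE_HELD_BACK_THEMES = [
    'example-child-theme',
];

/**
 * Decide whether one plugin may update on its own.
 *
 * WordPress passes the current decision ($update) and an object describing
 * the pending update; $item->plugin is the plugin basename.
 */
function example_auto_update_plugin_policy( $update, $item ) {
    $basename = isset( $item->plugin ) ? $item->plugin : '';
    if ( in_array( $basename, EXAMPLE_HELD_BACK_PLUGINS, true ) ) {
        error_log( "auto-update held back for plugin {$basename}; review manually" );
        return false; // admin opts this one out, as the design allows
    }
    return true; // everything else is opted in and updates automatically
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin_policy', 10, 2 );

/** Same policy for themes; $item->theme is the theme slug. */
function example_auto_update_theme_policy( $update, $item ) {
    $slug = isset( $item->theme ) ? $item->theme : '';
    if ( in_array( $slug, EXAMPLE_HELD_BACK_THEMES, true ) ) {
        error_log( "auto-update held back for theme {$slug}; review manually" );
        return false;
    }
    return true;
}
add_filter( 'auto_update_theme', 'example_auto_update_theme_policy', 10, 2 );
```

Because the filters run on every scheduled update check, the held-back add-ons still show as "update available" in wp-admin and the `error_log` lines give you an audit trail of what was deliberately skipped.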

If admins opt in, they will also get summaries notifying them of changes, an important feature given that updates now appear regularly. The WordPress team wrote:

Now, your help is needed to test, validate, and improve the current feature to ensure that it meets the needs of the WordPress community.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/25i98IfHHJE/

Tor browser fixes bug that allows JavaScript to run when disabled

The Tor browser has fixed a bug that could have allowed JavaScript to execute on websites even when users think they’ve disabled it for maximum anonymity.

The Tor Project revealed the issue in the release notes for version 9.0.6, initially suggesting users manually disable JavaScript for the time being if the issue bothered them.

That was subsequently revised after the NoScript extension – used by Tor to control the execution of JavaScript, Java, Flash and other plugins – was updated to version 11.0.17.

Whether the issue matters depends on how users have configured Tor to treat JavaScript.

Tor’s ‘standard’ setting enables JavaScript by default, which users can upgrade to either ‘safer’, which disables JavaScript on non-HTTPS sites, or ‘safest’, which disables JavaScript completely.

Each setting has its pros and cons. Leaving JavaScript enabled opens users to the hypothetical risk that their anonymity might be compromised, for example using a vulnerability in the underlying Firefox browser.

There have been a small number of reports of this happening, for example in 2013, and again in 2016 when Mozilla issued a patch to fix a real-world JavaScript attack aimed at Tor by a government. On the other hand, many websites rely on JavaScript and disabling it can cause them to break, or at least work less well.

The new upgrade alert is urgent for anyone using Tor in the ‘safest’ setting. In short, the bug might in some circumstances allow JavaScript to continue to function even though this setting disallows that. Tor release notes advise that the extension will normally update automatically:

Noscript 11.0.17 should solve this issue. Automatic updates of Noscript are enabled by default, so you should get this fix automatically.

Why not just use NoScript to whitelist JavaScript on trusted sites, as is the case when used with non-Tor browsers?

Users can’t do this in Tor because doing so might make things even less secure – the act of enabling JavaScript only on some websites could itself become an inadvertent cookie used to fingerprint users as they pop up around the web.

That means that for everyone using Tor, JavaScript is either on or off with no ambiguous ‘on sometimes’ halfway house.

Things could be worse. Last year, a problem with digital signatures caused Firefox and Tor to temporarily stop trusting lots of add-ons, including NoScript. Unsure of what was going on, cautious users who understood NoScript’s importance had stopped using Tor until the problem was fixed.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/es39u8LUhmk/