STE WILLIAMS

New SOAP Attack Hits South African Home Routers

A huge wave of attacks is targeting home routers in South Africa for recruitment into a Hakai-based botnet.

A new malware campaign is attempting to build a bigger botnet, and it’s raising warning flags for its attack vector — and the location of the victims.

According to NetScout, IoT honeypots run by its ATLAS Security Engineering Response Team (ASERT) saw, from April 22 to May 10, a 5,043% increase in exploit attempts that originated in Egypt and targeted consumer routers in South Africa. The attacks, whose payload attempted to recruit the routers into a botnet using a Hakai DDoS bot variant, exploit CVE-2014-8361, a remote command execution vulnerability in the SOAP service managed by the Realtek SDK.

According to Rich Hummel, threat research manager for NetScout ASERT, these consumer routers are almost never patched or updated, with many consumers having no idea that a management interface exists, or how to use it. And unfortunately, “There are a lot of different factors here, and there are different layers, but it’s really on the consumer or owner of the devices to protect themselves against the threats,” Hummel says.

Asked about a possible motivation for this attack, Hummel says that, at this time, ASERT can only speculate about any “deep” motivation. The most logical answer, though, is that someone simply decided to spin up a new botnet.

“This is a target of opportunity,” Hummel says. “These attacks are automated, so it could be that something was seen and an automated attack was launched.” As for what was seen, Hummel says that it could have been something as simple as a Shodan script looking for exposed devices with an automated attack script aimed at the results file.

Attack automation and malware as a service make botnet creation something that’s available to just about anyone, Hummel says. “It can be done on a Raspberry Pi.”

For more, read here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/new-soap-attack-hits-south-african-home-routers/d/d-id/1334855?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facial recognition used to strip adult industry workers of anonymity

As if we don’t already have enough facial-recognition dystopia, someone’s claiming to have used the technology to match the faces of porn actresses to social media profiles in order to “help others check whether their girlfriends ever acted in those films.”

… because what more noble thing could possibly be done with powerful FR technology, programming skills, an abundance of spare time, access to the internet and a lot of computing power?

He could, for example, use the technology to actually help people instead of shaming them and exposing them to creeps and stalkers – say, by identifying and (privately) notifying women who’ve been victimized by sextortionists, revenge porn antagonists, the operators of hidden webcams, or partners who post intimate videos or images without their knowledge or permission, or women who’ve never appeared in intimate photos or videos at all but have still been convincingly depicted in DeepFakes…?

Facial recognition could be used to inform such victims, so they could act to stop the privacy invasion and/or stalking or whatever harm it’s caused. But that’s not what this guy had in mind.

“More than 100,000 young ladies”

The programmer in question claims to have “successfully identified more than 100,000 young ladies” in the adult industry “on a global scale.” He’s a user of the Chinese social media app Weibo and claims to be based in Germany. He said that this is all legally kosher, given that sex work is legal in Germany and that he’s been keeping the data safely tucked away.

Commenters noted that while sex work is indeed legal in Germany, there are strict laws about privacy that make what he claims to be doing – and, mind you, these are just claims, as there’s no proof he’s done it at all – emphatically illegal.

Motherboard independently verified the translations of the Weibo user’s posts that were posted to Twitter by Yiqin Fu, a Stanford political science PhD candidate.

The posts have gone viral in both China on Weibo and in the US on Twitter and have given rise to heated discussion about the implications with regard to privacy, technology and misogyny.

Says you

As Motherboard points out, the OP hasn’t provided proof for his claims. He’s published neither code nor databases. The only thing he’s posted to prove his claims is a GitLab page… one that’s empty, mind you. When Motherboard contacted the user over Weibo chat, he told the publication that he’ll release “database schema” and “technical details” next week – no further comments.

Unfortunately, it’s all too easy to believe him. After all, the technology is accessible. Besides, if he did what he says he did, he’s not the first.

Three years ago, porn actresses and sex workers were being outed to friends and family by people using a Russian facial recognition service to strip them of anonymity. Users of an imageboard called Dvach in early April 2016 began to use the “FindFace” service to match explicit photos with images posted to the Russian version of Facebook: the social network VK (formerly known as Vkontakte).

The imageboard Dvach – Russian for 2chan – is called the Russian version of 4chan. Its popularity exploded after photographer Egor Tsvetkov showed how easy it was to deanonymize people by taking photos of riders on the metro and matching the images with their VK social network profiles.

His project was called “Your Face Is Big Data.”

Seeking to illustrate how invasive facial recognition can be, Tsvetkov photographed people sitting in front of him on the subway, then used FindFace to look for them in social networks.

Users could feed FindFace an image, whether taken on the metro or in whatever stalking situation presented itself, and the service matched it to public domain images and profile details in VK. Within three days of media coverage of Tsvetkov’s art project, Dvach users ran with it, launching the campaign to deanonymize actresses who appear in pornography.

For a short time, the doxing campaign included a community on VK that was created by Dvach users to upload links to files containing copies of women’s social media pages. It was intended to preserve information in the case of women deleting accounts or altering their privacy settings. The social network quickly banned the Dvach group following a complaint.

The “if they didn’t want it to be public…” line of thinking

Twitter is rife with commenters rolling out the oft-heard refrain: “if they didn’t want this to be public, why did they [fill in the blank]?”

You would think that the growth of DeepFakes and surreptitiously taken images would silence the “why’d you take that photo/video in the first place” crowd, but there is a point to be made when it comes to publicly posted porn videos.

Perhaps it’s legal if the content is publicly posted. But that doesn’t make it ethical to use FR and/or AI to stitch together what has until recently been the separate public and private personas maintained by many porn stars in order to shield their privacy.

As the lawyer Jonathan Turley once said, it isn’t Big Brother knowing our every move that we need to worry about. It’s Little Brother. As in, what we really need to worry about are the consequences of countless millions of cameras in the hands of private individuals. Turley:

We’ve got a Constitution to protect us against Big Brother. The problem is Little Brother. And there is not anything in the Constitution to protect us against them.

No, there’s not. But at the very least, we have the ability to set our Facebook photos and posts to private.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4hig_ZkGZDY/

Foreign spies may be hiding in your VPN, warns DHS

Before we get into the latest scary-virtual private network (VPN) news, let’s do as Naked Security’s Paul Ducklin advises and repeat after him:

A VPN doesn’t magically improve security. All it really does is to make your VPN provider into your new ISP – your “first hop” on the internet. That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not. You need to trust your VPN provider. A lot.

Many people do trust their VPN provider. A lot. Unfortunately, some of them shouldn’t, going by what a Department of Homeland Security (DHS) higher-up recently said.

In a letter sent to Senators Ron Wyden and Marco Rubio on 22 May 2019, Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), wrote that foreign adversaries are interested in exploiting VPN services. From the letter:

Open-source reporting indicates nation-state actors have demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes.

Krebs was writing in response to a 7 February 2019 letter sent to him by the senators, who are concerned about threats posed by apps created in countries of national security concern to the US.

The senators noted that mobile browsers such as Yandex, Dolphin and Opera use their own servers as an intermediary for user traffic, compressing the pages before delivering them to users in order to save data. Similarly, VPN providers route traffic through their own servers in order to mitigate privacy concerns – nominally, at least, the senators said.

Potential security risks are of particular concern when it comes to government employees using VPNs, mobile data proxies, or other apps that might be vulnerable to foreign government surveillance, the senators said. They noted that the US government has already recognized the national security risks posed by Chinese telecom equipment, for one: a year ago, the Pentagon banned Chinese smartphones from military exchanges.

Six years prior, the US House of Representatives issued a report recommending that Huawei and ZTE be banned because of concerns over spying. A year-long investigation had shown that the companies had maintained close ties to the Chinese Communist Party and People’s Liberation Army back home while trying to expand their US businesses.

No overarching policy to stop it

In Krebs’ reply to the senators, he said that there’s no overarching US policy preventing government mobile device users from downloading foreign VPN apps. He also referenced the National Institute of Standards and Technology (NIST), which has published Guidelines for Managing the Security of Mobile Devices in the Enterprise. From those guidelines:

Mobile devices are manufactured to easily find, acquire, install, and use third-party applications from mobile device application stores. This poses obvious security risks, especially for mobile device platforms and application stores that do not place security restrictions or other limitations on third-party application publishing.

Recent problems with third-party apps published to app stores have included government spyware hiding in plain sight in Google Play, for example.

Krebs said that according to “open-source reporting”, the Russian government in November 2017 enacted laws that force domestic and foreign VPN providers to participate in Russia’s blacklist enforcement system: a system that allows the government to “access and influence Russia-based VPN providers,” such as Yandex. Also, in December 2017, the Indian government issued an advisory to employees that the Chinese government had used popular mobile apps – including WeChat, Truecaller, Weibo, UC Browser, and UC News – to collect information on sensitive Indian security installations.

CISA believes the apps pose a “low to moderate” risk of affecting government operations, though Krebs notes that the agency has limited visibility into what government employees install on their federally contracted mobile devices.

VPNs don’t improve spotty security

For many, VPNs are synonymous with security, and it’s not difficult to imagine a person of interest to foreign adversaries downloading one to a private phone in a misguided attempt to avoid becoming the next John Podesta. (Podesta’s Twitter account was hijacked and his Gmail famously compromised during the 2016 US presidential election.)

As Naked Security has pointed out many times over, your VPN is a bottleneck through which all your traffic flows. It works by encrypting your network traffic and transporting it to a server somewhere else on the internet. That server then strips off the encryption and sends your data on its way, as if it had originated from the VPN operator’s network, not from your phone or your laptop.

The encryption shields your traffic from all prying eyes other than the VPN itself, which becomes a box seat for reading your communications.

So when is a VPN useful? Paul describes it this way:

A VPN that you run at home or at work and use while you are on the road is great for what you might call ‘security predictability’: it helps you keep your security posture as good or as bad as it would be back at base. When you’re a stranger in a strange land, it can be a comfort to know your network data is nevertheless being handled as it would be at home.

But a VPN that someone else runs for you, in some other country, under someone else’s laws – well, *you* might well be at home, but now it’s your data that’s a stranger in a strange land, so your security might improve, or it might get worse. For all you know – and, of course, you *don’t* know – it might get a lot worse.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tuwCmHv5eyY/

Flipboard data breach – what users should do now

Popular news aggregation site Flipboard – one billion app downloads from Google Play and counting – has become the latest internet company to admit it has suffered a breach.

We’ve covered a lot of data breaches in recent years but this one has one or two wrinkles that are worth highlighting.

According to Flipboard, hackers gained access to data between 2 June 2018 and 23 March 2019, plus a short window between 21 and 22 April 2019.

It’s not clear how many Flipboard users had their data compromised. Data stolen included names, Flipboard user names, email addresses and hashed passwords.

The good news is that passwords on accounts created since 2012 were salted and hashed using Bcrypt, which should make life very hard for anyone trying to guess secure passwords on any scale. However, accounts created before 14 March 2012 (and not changed since) used the less secure SHA-1.

Password reset

The first question, then, is “Should I change my password?” Flipboard’s advisory says:

As a precaution, we have reset all users’ passwords, even though the passwords were cryptographically protected and not all users’ account information was involved.

However, anyone who remains logged in (from their smartphone, say) won’t receive notice of the need to reset their password unless they either log out or attempt to access Flipboard from a new device.

Our advice is to ignore the uncertainty over how many users are affected and manually change the password to something secure as soon as possible. If you’ve not changed your password since March 2012, that becomes an absolute must (Flipboard’s userbase was approaching 20 million at that time.)

And, if there’s a chance you reused your Flipboard password on another site then that will need to be changed too.

Third-party login

A Flipboard feature available since around 2015 is the ability to register a new account quickly via Google, Facebook and Twitter using Single Sign On (SSO). That is a concern, admitted Flipboard’s advisory:

The [breached] databases may have contained digital tokens used to connect your Flipboard account to that third-party account. As a precaution, we have replaced or deleted all digital tokens to eliminate any possibility of misuse.

Before they were changed, hackers could have used these tokens to:

Read or make posts and messages on the account and access some user account information, such as user name, profile information, posts to the site, and connections. In some cases, this access also allowed changes to this information, such as inviting new people to connect.

The company said it hadn’t detected abuse of these accounts but the fact the tokens have been refreshed means that anyone using SSO will need to re-authorise access via the account (the process for which varies depending on whether Android or iOS is being used).

What’s stopping the hackers from coming back?

After almost every data breach, companies promise to tighten up security, without explaining what this means. It’s no surprise to learn that Flipboard is doing the same:

To help prevent something like this from happening in the future, we implemented enhanced security measures and continue to look for additional ways to strengthen the security of our systems. For security reasons we are not sharing specific details.

What’s concerning in this breach is perhaps less that it happened but that it then went undetected for nearly 10 months, by Flipboard’s reckoning. That’s more than enough time for hackers to exploit stolen data.

For more information and advice from Flipboard, refer to their article.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/eNPSZEVYlM0/

Unpatched Docker bug allows read-write access to host OS

There are lots of books on tools and techniques to secure software containers, but what happens when someone discovers a basic architectural flaw? And what do you do when there’s no working patch for it?

That’s the situation in the Docker universe this week after Suse developer Aleksa Sarai uncovered a bug in the way that the container framework handles path names.

The bug lies in FollowSymlinkInScope, which resolves file paths given to the Docker container system. Because the function doesn’t immediately use the file path after resolving it, it creates a race condition. An attacker who can interfere with the resolved file path could change it, potentially giving them read-write access to the host OS as a root user.

Containers are software packages that contain an application and its dependencies. They’re designed to run in exactly the same way regardless of infrastructure, and work by virtualizing an operating system (unlike Virtual Machines, which virtualize hardware). Like Virtual Machines, containers are not supposed to be able to influence their host.

This all sounds very serious, and the National Vulnerability Database (NVD) ranks the bug severity as high. Nevertheless, Docker security engineer Justin Cormack had his own context for the flaw, in a statement mailed to Naked Security:

The vulnerability is a rare/unlikely scenario that would require an already compromised container, a copy being made without pausing the container, and a bad actor that knows when that copy is being made.

Someone would have to be using docker cp, a docker command used to copy files between the host OS and the container. The attacker would have to modify the files at the same time the copy was being made. That window is just a few milliseconds long, the company pointed out in its mail.

There’s no working software fix for this problem at the time of writing, according to Sarai, although he has submitted an upstream patch which is now under evaluation. This will automatically pause Docker during usage of the file system.

This sounds like the patch that Docker will use to fix the problem when it issues its next monthly release by automatically inserting a docker pause command. This will freeze the container when a copy is made, meaning that it can’t modify the data.

In the meantime, users can address the issue manually by running the docker pause command before using docker cp to copy files, the company added. They can then run docker unpause after making the copy. They could also disable docker cp, said Sarai, although he suspects there may be other avenues to exploit FollowSymlinkInScope.
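As an added example (not code from the article, from Docker or from Sarai), a small POSIX shell wrapper that applies the interim mitigation just described: pause the container, run docker cp, and always unpause afterwards, even when the copy fails. The DOCKER variable is an assumed override hook so the wrapper can be dry-run against a stub without a Docker daemon.

```shell
#!/bin/sh
# Wrapper for the interim pause/cp/unpause mitigation described above.
# Pausing the container first means it cannot modify the resolved path
# while docker cp is running; unpausing is guaranteed even if the copy fails.
# DOCKER is an assumed override (for tests or a wrapper binary); it defaults
# to the real docker CLI.
DOCKER="${DOCKER:-docker}"

# usage: paused_docker_cp CONTAINER SRC DST
# SRC or DST may use docker's CONTAINER:PATH form. The container named in the
# first argument is the one paused around the copy.
paused_docker_cp() {
    container="$1"; src="$2"; dst="$3"
    if [ -z "$container" ] || [ -z "$src" ] || [ -z "$dst" ]; then
        echo "usage: paused_docker_cp CONTAINER SRC DST" >&2
        return 2
    fi

    # Pause first. If pausing fails, refuse to copy: running docker cp against
    # a live container would silently discard the mitigation.
    "$DOCKER" pause "$container" >/dev/null || {
        echo "paused_docker_cp: could not pause $container; refusing to copy" >&2
        return 1
    }

    # Run the copy while the container is frozen and remember its status.
    "$DOCKER" cp "$src" "$dst"
    rc=$?

    # Always unpause. Preserve the copy's exit status unless unpausing itself
    # fails, in which case report failure so nobody leaves the container frozen.
    if ! "$DOCKER" unpause "$container" >/dev/null; then
        echo "paused_docker_cp: WARNING: $container is still paused" >&2
        [ "$rc" -eq 0 ] && rc=1
    fi
    return "$rc"
}

# When invoked directly with three arguments, act as a drop-in for docker cp.
if [ "$#" -eq 3 ]; then
    paused_docker_cp "$@"
fi
```

The wrapper only covers copies issued through it; anything else that still calls docker cp directly is unaffected.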

In an email to Naked Security, Sarai suggested another mitigation technique, along with a possible way forward for Docker:

It would be a good idea to run Docker underneath a restrictive AppArmor profile or with the correct SELinux configuration (which will restrict the scope of bad things that dockerd can do). The next release of Docker has experimental rootless containers support, and I hope in the medium-term people will start using that more often for deployments.

AppArmor is a Linux kernel security module that lets administrators limit what programs can do. SELinux is a set of secure kernel modifications for measures like mandatory access controls.

Sarai reported this privately to Docker a year ago, and the company agreed to the release of the bug information before a patch was available. Sarai told us:

We agreed going through the embargo process would be overkill for a somewhat unlikely attack scenario, not to mention that there was a suspicion this vulnerability existed for quite a few years.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8VNtgDOnMqY/

Own goal for Leicester City FC after fan credit card details snatched in merch store breach

Leicester City Football Club has quietly told people who bought stuff from its website that their financial details have been stolen by hackers – and those details include credit card numbers and CVVs.

Reg reader Yazza, a Foxes follower, received an email from the club ‘fessing up to the data breach, which affected its merchandise site, shop.lcfc.com.

The breach itself took place on 6 May, with a follow-up email being sent earlier this week. That email read, in part:

Technical investigations are still ongoing, but we can confirm that as a result of the incident your payment card information was compromised. This includes your card number, name of card holder, expiry date and CVV. We can confirm that your SecureCode was not compromised. That information is needed to attempt to conduct transactions using your account.

The PCI-DSS standards explicitly state that if your business is storing card details, they must be encrypted – ideally, salted and hashed. It’s also a ridiculously bad idea to capture and store CVVs alongside card numbers and expiry dates.

SecureCode is an optional Mastercard thing that adds an extra layer of authentication to online card transactions.

Yazza suspected that LCFC’s site is running the Magento ecommerce platform and suggested to The Register that one potential attack vector could have been the Magecart malware. We have no information to support this theory, though a recent Magecart infection on a third-party site wound up infecting rent-a-blogger serious business news website Forbes. It is possible that an infection of a third-party site whose elements are used by LCFC’s online shop could have spread to the football club.

LCFC itself didn’t respond to our questions, though we suspect asking them about something other than pink away shirts or their ninth-place finish in the Premier League probably needs a bit more explanation.

Nonetheless, the footie club wasted an opportunity to tell us they are desperately sorry for leaking data and that they take the security of customers’ data very seriously.

It is not clear how many fans were caught up in this breach.

An LCFC fan forum features posts where some appear to suggest that fraudulent transactions have been made on their credit cards following the breach. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/31/leicester_city_fc_hacked_credit_card_data/

You go that way, we’ll go Huawei: China Computer Federation kicks back at IEEE in tit-for-tat spat

Following disquiet over the IEEE’s decision to block Huawei-linked researchers from doing various academic tasks, a Chinese computer research body has reportedly severed ties with the IEEE in retaliation.

The China Computer Federation (CCF) declared that it is suspending communications with the US-based Institute of Electrical and Electronics Engineers’ Computer Society (IEEE CS), according to Reuters.

This comes hot on the heels of an academic backlash against the IEEE for what amounts to blacklisting of researchers with links to Huawei. The IEEE insisted that as a US-based corporation it is subject to US law and thus has no real choice in the matter, though others disagree with its interpretation of the US sanctions on Huawei.

In a post on China’s WeChat platform, the CCF said the IEEE CS “was once considered an open international academic organization” before describing the Huawei ban as something which “seriously violates the open, equal and non-politicized nature of being an international academic organization”.

A subset of the IEEE, the IEEE CS concentrates, as its name suggests, on computer technology. The wider institute covers a number of additional fields as well as computer tech. The effect of the CCF ban will be that its members stop contributing to IEEE CS events as well as reviewing its papers or submitting their own.

The current Huawei hullaballoo isn’t the first time the IEEE itself has gotten caught up in US politics. Back in 2003, the organisation was criticised for a similar move targeted against Iranian members’ benefits. ®

Bootnote

Do you know more about the likely impact of Huawei-linked researchers being shut out of non-public IEEE events and processes? Click the author’s name at the top of this article to send him a message in confidence, or use Signal on +44 7714 750 783.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/31/china_ccf_hits_back_at_ieee_cs/

Black Hat Q&A: Building Infosec Communities for Women

Three security experts offer a sneak peek into their upcoming Black Hat USA talk on organizing female infosec communities in Korea, Japan and Taiwan.

We recently spoke (via email) with Asuka Nakajima, Suhee Kang, and Hazel Yen, who will be sharing their success stories about building a thriving network of cybersecurity communities for women at Black Hat USA in Las Vegas this August.

Hey there! Please tell us a bit about yourselves.

Suhee Kang: I work at POC Security in South Korea as a researcher. I am also the organizer of POC, Zer0Con and MOSEC international hacking conferences. In addition, I founded a hacking contest called Power of XX CTF to cultivate female hackers. All these things start from POC and my university’s cybersecurity club, SISS (Sookmyung Information Security Study).

Asuka Nakajima: I am a founder and leader of CTF for GIRLS, which is the first female infosec community for women in Japan. Currently, I work for NTT Secure Platform Laboratories as a security researcher. My research interests include reverse engineering, vulnerability discovery, and IoT security. I also serve as a Regional Review Board member of Black Hat Asia.

Hazel Yen: I am a co-founder and coordinator of HITCON GIRLS which is the first security GIRLS. During this time, I used to be the leader of the malware analysis group. Now I work for DEVCORE, focusing on web application security. Last year, I was the coordinator of the Hack in Taiwan Conference (HITCON CMT 2018).

What are you going to be speaking about at Black Hat?

We will share three things as follows: The history and current status/activities of three representative Asian female communities, Power of XX, CTF for GIRLS, and HITCON GIRLS, which are established in Korea, Japan, and Taiwan (respectively). Also, how we build and maintain our communities and how we tackle the various challenges, such as having a sustainable community.

We revealed the crucial factors in starting and continuing a female community by contrasting the three communities. One of the examples is that every community had been started by a few tech-savvy women with the support of an existing local community.

For Power of XX, we’ll talk about the beginnings of the group, what we do to cultivate female hackers in Korea, what difficulties occur, and our efforts to overcome those difficulties.

For CTF for GIRLS, we’ll explain how the group works, how we visualized and established the CTF for GIRLS community, and what we do to build it in a sustainable way.

Finally, we’ll discuss the purpose, origins, and current status of HITCON GIRLS. We believe the field of cybersecurity should be as accessible to girls as it is to boys, and we will show you what events, programs, and techniques we use to make that possible.

Why is this important right now?

Since the importance of getting more women into the infosec field is increasing, and the number of female communities has gradually increased these past few years (e.g., WiCyS, Black Hoodies, etc.), we think that this is the right time to discuss this topic publicly.

Some of our communities have been active since 2011. Over these eight years, we have faced and solved many challenges and obstacles to building the community. Moreover, a comparison of these three communities reveals some of the crucial factors (necessary) to start and continue a female community. We believe that this talk could help start a new female community and encourages other existing female communities.

Power of XX (Korea), CTF for GIRLS (Japan), and HITCON GIRLS (Taiwan) are all well-known communities in the Asian region. However, since there is a huge language barrier between Asian and Western countries, the information is still not widespread to the Western communities. Thus, we believe that this talk could help to understand the history and current status of the Asian female communities.

Suhee: Throughout the talk, we hope attendees understand the true nature of our communities from the top to bottom. We also hope they can understand that our power is not trivial and the scale of ‘women in security’ is getting vast. Besides that, there are parts (where) we want to support. We want to (create) an opportunity to cooperate with Western countries’ women InfoSec community so that we can increase the size of the society. We believe this will be a great start for both Asian and Western communities.

Hazel: For myself, I wish our speech can help more women have a connection with each other. And spread propaganda: we may be a minority in InfoSec field, but not weak.

Where do you see the most need for such communities, and why?

Suhee: When I was in the university infosec club SISS six years ago, it was a total disaster and few women were learning to hack. At the time, it was really hard for women to survive for several reasons (a small number of people, lack of community, difficulty in learning, etc.), so a lot of female students either gave up on their degree or changed courses in the middle.

That’s why we made our community: to cultivate women researchers and hackers.

Asuka: Based on my personal experience and the opinions of my female friends, women who are interested in the infosec field sometimes feel as follows:

“To me, it is difficult to fit into a workshop (community) because most of the participants are men…”

“Because most of the security engineers are men, maybe infosec is not for women..”

“I really want to start learning infosec but I don’t know where to start, and I don’t have friends to ask about that kind of thing…”

Thus I thought, the first step to break the barriers is to make a female community and hold workshops for women.

Hazel: When it comes to talking about the most need for communities, my opinion is that we need to be telling girls that we are here at the early stage. According to our experience, we know there aren’t many women in the infosec field. For the above reasons, if there is a female community they can join, we believe that might change, because women with these interests would not feel left out anymore.

Whenever I start a community, I always tell my members that we are not behind the rest of the infosec field; everyone is good at something. I think what we need to remember most is, “self-trust is the first secret of success”.

Article source: https://www.darkreading.com/black-hat/black-hat-qanda-building-infosec-communities-for-women-/d/d-id/1334841?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mozilla returns crypto-signed website packaging spec to sender – yes, it’s Google

Mozilla has published a series of objections to web packaging, a content distribution scheme proposed by engineers at Google that the Firefox maker considers harmful to the web in its current form.

At its developer conference earlier this month, Google engineers talked up the tech, which consists of several related projects – Signed Exchanges, the web packaging format and changes to the fetch specification – that allow website resources to be packaged and cryptographically signed for redistribution by third parties. Making websites portable, Google contends, facilitates more efficient delivery, easier sharing and offline access.

“With [web] packaging, the model for loading web pages changes from today’s model, which we all understand, where the browser requests a page from an origin server, to a new model where developers create a signed package that contains the page,” explained Ben Galbraith, senior product director at Google, during Google I/O.

“And the browser can load it from anywhere, even potentially other peer devices. And this can enable privacy-safe preloaded models because the data to fetch the package doesn’t go back to the origin server. And it gives the browser tremendous flexibility to preload pages more of the time.”

Mozilla developers have fretted about the potential security consequences for several years because the scheme complicates the same-origin policy, which limits how resources (e.g. scripts) loaded from one origin (domain) can interact with resources associated with a different origin.

‘Constrained’

“At its core, origin substitution enables a fundamental change to the way the web works,” Mozilla says in its position paper. “Content is no longer constrained to follow connections to origins, where that content is produced and where it is obtained can become completely decoupled.”

The Firefox maker worries that allowing aggregators to host content for others opens new security risks, for example a scenario in which an attacker compromises a server key or obtains a certificate through fraud, for the purpose of creating unauthorized or malicious content for the targeted origin.

Given that said content may be cached or stored in multiple places, there would be a time lag of several days between certificate revocation and the invalidation of malicious distributed web packages.
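The loading model and the key-compromise concern described above, as an added example that is not from the article or from either browser maker: a constructed Go model of a signed exchange with the checks a verifier applies before trusting a package served by a third party. The 7-day lifetime cap is the one in the Signed HTTP Exchanges draft; the names Exchange, OriginKey, Sign and Verify are assumed here, and a JSON encoding stands in for the draft's binary format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Exchange is a constructed, simplified model of a signed web package.
type Exchange struct {
	Origin  string
	Date    int64 // unix seconds when the publisher signed it
	Expires int64 // unix seconds; must not exceed Date + MaxLifetime
	Body    []byte
}

// OriginKey records which key speaks for an origin and whether it was revoked.
type OriginKey struct {
	Pub     ed25519.PublicKey
	Revoked bool
}

const MaxLifetime = 7 * 24 * time.Hour // cap from the Signed HTTP Exchanges draft
func (e Exchange) signedBytes() []byte {
	b, _ := json.Marshal(e) // struct fields marshal in a fixed order
	return b
}

func Sign(e Exchange, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, e.signedBytes())
}

// Verify models the browser's load-time checks. A package signed before a key
// revocation still has a valid signature; only the revocation check rejects it.
func Verify(e Exchange, sig []byte, keys map[string]OriginKey, now time.Time) error {
	k, ok := keys[e.Origin]
	switch {
	case !ok || k.Revoked:
		return errors.New("no trusted, unrevoked key for claimed origin")
	case e.Expires-e.Date > int64(MaxLifetime/time.Second):
		return errors.New("validity window exceeds the lifetime cap")
	case now.Unix() < e.Date || now.Unix() > e.Expires:
		return errors.New("package outside its validity window")
	case !ed25519.Verify(k.Pub, e.signedBytes(), sig):
		return errors.New("signature does not match package contents")
	}
	return nil
}
```

A package signed shortly before a compromise is discovered verifies cleanly until the verifier learns of the revocation or the window closes, which is the lag the article describes; the lifetime cap is what bounds that exposure.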

Mozilla nonetheless appears to be optimistic that more robust security measures can be put in place. The company also voices several other concerns about the risk of reduced personalization arising from the pressure to keep package sizes small, the security cost of added complexity, the performance cost imposed by signed exchanges and the storage overhead for publishers and aggregators.

While further refinements may be able to overcome the cited technical concerns, Mozilla remains unconvinced web packaging is good for the web.

“The question remains about whether this fundamental change to the way that content is delivered on the web represents a problematic shift in the power balance between actors,” the browser maker muses. “We have to consider whether aggregators could use this technology to impose their will on publishers.”

This is Mozilla wondering whether web packaging will just make Facebook and Google more powerful as content distributors and kingmakers.

Given the way other technologies and market choices have affected the balance of power online – Google’s Accelerated Mobile Pages, Facebook Login, Google Search ranking changes, browser market share, and the like – Mozilla wants the implications of web packaging explored further before it signs on.

“The increased exposure to security problems and the unknown effects of this on power dynamics is significant enough that we have to regard this as harmful until more information is available,” the company concludes.

The Register asked Mozilla to elaborate on its position but the company declined. Google did not respond to a request for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/30/mozilla_web_packaging/

Insight Partners Acquires Recorded Future

The threat intelligence company went for $780 million in a cash deal.

In a transaction described by the companies as the largest-ever threat intelligence acquisition, Recorded Future has announced that Insight Partners will acquire a controlling interest in the threat intelligence firm. The new interest will be in addition to the minority stake in Recorded Future already owned by Insight Partners.

While not all details of the deal have been announced, the all-cash deal values Recorded Future at more than $780 million.

As part of the agreement, Insight Partners’ Mike Triplett and Thomas Krane will join Recorded Future’s board of directors.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/insight-partners-acquires-recorded-future/d/d-id/1334842?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple