Firefox 88 was released on Monday, and among the changes is a shift in how the browser will handle the window.name property.
Previously, this property persisted across the life of a tab, meaning that as a user shifted from one site to another, the value in the property remained, and data from one site could be read by another.
“Tracking companies have been abusing this property to leak information, and have effectively turned it into a communication channel for transporting data between websites,” Firefox Privacy engineer Tim Huang said in a blog post.
“Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website.”
Going forward, Firefox will now clear the property when shifting between sites, and if a user goes back to a site, that site’s window.name value will be restored.
“Together, these dual rules for clearing and restoring window.name data effectively confine that data to the website where it was originally created, similar to how Firefox’s Total Cookie Protection confines cookies to the website where they were created,” Huang said.
“This confinement is essential for preventing malicious sites from abusing window.name to gather users’ personal data.”
With the release of Firefox 88, the usage of FTP in the browser is now disabled, with the code implementing the protocol to be ripped out in Firefox 90.
Clicking on an FTP link will now see Firefox attempt to pass it off to an external application.
“FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources,” Mozilla software engineer Michal Novotny said last year.
“Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.”
The screenshot button was also removed from the URL bar, and developers gained a toggle to switch between raw and formatted JSON responses.
328 weaknesses found by WA Auditor-General in 50 local government systems
The Auditor-General of Western Australia on Wednesday tabled a report into the computer systems used at 50 local government entities, revealing 328 control weakness across the group.
It was Auditor-General Caroline Spencer’s intention to list the entities, but given the nature of her findings, all case studies included in Local Government General Computer Controls [PDF] omit entity, and system, names.
“Included in the case studies are real life examples of how extremely poor general computer controls can result in system breaches, loss of sensitive and confidential information and financial loss,” Spencer said. “They serve as important reminders of the need to remain ever vigilant against constant cyber threats.”
The report states that none of the 11 entities that the Auditor-General performed capability maturity assessments on met minimum targets. For the remaining 39, general computer controls audits were conducted.
The audit probed information security, business continuity, management of IT risks, IT operations, change control, and physical security.
Of the 328 control weaknesses, 33 rated as significant and 236 as moderate. Like last year, nearly half of all issues were about information security.
The capability assessment results, meanwhile, showed that none of the 11 audited entities met the auditor’s expectations across the six control categories, with 79% of the audit results below the minimum benchmark.
“Poor controls in these areas left systems and information vulnerable to misuse and could impact critical services provided to the public,” the report added.
“Five of the entities were also included in last year’s in-depth assessment and could have improved their capability by promptly addressing the previous year’s audit findings but, overall, did not discernibly do so.”
Among the findings were entities having a poor awareness of cyber threats, with one case study revealing a user’s account details were stolen because of a phishing attack that was not detected or prevented by the entity’s security controls.
“The attack resulted in a fraudulent credit card transaction on the user’s corporate credit card, which was immediately cancelled,” the report said. “Further investigation by the entity revealed the attacker downloaded 10GB of entity information in the form of sensitive emails.”
Another common weakness was that entities did not have policies, procedures, and processes to effectively manage technical vulnerabilities. At one entity, public facing and internal systems sat in the same network; the same entity also did not monitor devices on its network.
Many entities were also not managing privileged access to their networks and systems.
One entity was found to not have changed the password for the default network administrator account since 2002, even though various staff who knew the password had since left.
“We found instances where this account was used out of office hours and the entity was unable to explain this use,” the report said.
Probing the management of IT risks, weaknesses found included no policies and procedures to document, assess, review, and report IT risks; key risks were not documented, meaning entities were left unaware if appropriate controls were in place to protect their information; and entities had not reviewed their risk registers within a reasonable time.
IT operations, meanwhile, also revealed many weaknesses, including a lack of user access reviews, no logging of user access and activity, a lack of incident management procedures, and no requirement for IT staff privy to certain sensitive information being required to complete a background check.
“At one entity, staff could redirect payments for council rates, infringements, licence and application fees to another bank account by changing a file hosted on a shared server,” the report details. “Access to the server was not appropriately controlled because staff used a shared generic account to access and manage the server.”
Physical security was also flagged as weak, with one example showing an entity had no monitoring process regarding its server room, meaning anyone could access it.
Further weaknesses under the physical security banner included no backups and no appropriate environmental controls to protect IT infrastructure.
The report provided six recommendations, one for each of the security types audited.
These included implementing appropriate frameworks and management structures, identifying IT risks, and patching.
MORE FROM THE OAG
Time to patch against FragAttacks but good luck with home routers and IoT devices
Security researcher Mathy Vanhoef, who loves to poke holes in Wi-Fi security, is at it again, this time finding a dozen flaws that stretch back to cover WEP and seemingly impact every device that makes use of Wi-Fi.
Thankfully, as Vanhoef explained, many of the attacks are hard to abuse and require user interaction, while others remain trivial.
Another positive is Microsoft shipped its patches on March 9, while a patch to the Linux kernel is working its way through the release system. The details of FragAttacks follow a nine-month embargo to give vendors time to create patches.
“An adversary that is within radio range of a victim can abuse these vulnerabilities to steal user information or attack devices,” Vanhoef said in a blog post.
“Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.”
Several of the identified flaws relate to the ability to inject plaintext frames, as well as certain devices accepting any unencrypted frame or accept plaintext aggregated frames that look like handshake messages.
Vanhoef demonstrated how this could be used to punch a hole in a firewall and thereby take over a vulnerable Windows 7 machine.
“The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone’s home network,” the security researcher wrote.
“For instance, many smart home and internet-of-things devices are rarely updated, and Wi-Fi security is the last line of defense that prevents someone from attacking these devices. Unfortunately … this last line of defense can now be bypassed.”
Other vulnerabilities relate to how Wi-Fi frames are fragmented and how receivers reassemble them, allowing an attacker to exfiltrate data. Even devices that do not support fragmentation were at risk.
“Some devices don’t support fragmentation or aggregation, but are still vulnerable to attacks because they process fragmented frames as full frames,” Vanhoef wrote. “Under the right circumstances this can be abused to inject packets.”
Some networking vendors such as Cisco and Juniper are starting to push patches for some of their impacted products, while Sierra has planned some of its products to be updated over the next year, and others will not be fixed.
The CVEs registered to due FragAttacks have been given a medium severity rating and have CVSS scores sitting between 4.8 to 6.5.
“There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices,” the Wi-Fi Alliance wrote.
Vanhoef said anyone with unpatched devices can protect against data exfiltration by using HTTPS connections.
“To mitigate attacks where your router’s NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices are updated. Unfortunately, not all products regularly receive updates, in particular smart or internet-of-things devices, in which case it is difficult (if not impossible) to properly secure them,” the researcher wrote.
“More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.”
Trade with the Official CFD Partners of AC Milan
Apple prevented 1 million risky or vulnerable apps from entering App Store in 2020
Apple stopped nearly 1 million risky or vulnerable apps from being included in the App Store in 2020 as part of efforts to protect users from being manipulated.
Of those rejections, 48,000 were executed due to the apps containing hidden or undocumented features, while more than 150,000 apps were rejected because they were found to be spam, copycats, or misleading to users in ways such as manipulating them into making a purchase, Apple said in a blog post.
In 2020, Apple’s app review team also rejected over 215,000 apps due to developers either seeking more user data than they needed or mishandling user data.
Apple added that it terminated 470,000 developer accounts in 2020 and rejected an additional 205,000 developer enrolments over fraud concerns.
It claimed that its monitoring practices resulted in these fraudulent developer accounts, on average, being terminated less than a month after they were created.
“Unfortunately, sometimes developer accounts are created entirely for fraudulent purposes. If a developer violation is egregious or repeated, the offender is expelled from the Apple Developer Program and their account terminated,” Apple said.
By performing these monitor protocols, in addition to preventing more than 3 million stolen credit cards from being used, Apple claimed it prevented more than $1.5 billion in potentially fraudulent App Store transactions.
Apple’s App Store update comes shortly after documents were submitted into court that reportedly scrutinised its security capability.
In a 2015 email entered into court last week, Apple managers said they uncovered 2,500 malicious apps that were downloaded 203 million times by 128 million users.
Despite other emails indicating that Apple was considering whether to notify affected users of the malicious apps, Apple’s legal representatives did not provide evidence that they let users know they had installed malware, according to an ArsTechnica report.
The emails were submitted as part of an ongoing three-week trial for a legal stoush between Apple and Epic Games.
Epic Games raised the lawsuit against Apple in August last year, accusing the iPhone maker of misusing its market power to substantially lessen competition in-app distribution and payment processes.
Researchers found three flaws in ACT e-voting system that could affect election outcomes
The Australian Capital Territory Standing Committee on Justice and Community Safety has been looking into the 2020 ACT Election and the Electoral Act, covering among other things, systems for electronic voting.
The COVID-19 Emergency Response Legislation Amendment Act 2020 introduced temporary amendments to the Electoral Act for the October 2020 election. These included the deployment of an overseas electronic voting solution for eligible ACT electors who were abroad. The amendments expired in April.
The 2020 election also used the territory’s Electronic voting and counting (EVACS) system, which was previously used in the 2004, 2008, 2012, and 2016 elections.
EVACS uses a PC to register an individual’s vote. These e-voting stations were also made available at pre-polling stations.
Providing a submission [PDF] to the committee was a group of four security researchers — with vast experience in finding holes in electoral systems — who addressed the implementation, security, and transparency of electronic voting.
They declared they have identified “serious problems” in the accuracy and integrity of ACT elections, the privacy of votes in ACT elections, and the transparent demonstration of accuracy, integrity, and vote privacy in ACT elections.
“Secretive, unverifiable systems like the ones used in the ACT 2020 election, make it relatively easy to change the recorded list of votes cast, in a way that observers cannot notice,” they said. “It also makes accidental errors more likely to remain undetected.
“We are not claiming that corruption occurred, nor that the system was designed with that goal in mind. There certainly were errors undetected by Elections ACT, however.”
Dr Andrew Conway, Dr Thomas Haines, ANU acting professor Vanessa Teague, and T Wilson-Brown reported finding three errors with EVACS that could potentially change the results of an election.
The first is that EVACS incorrectly groups votes by transfer value, failing to recognise when votes deserve to be grouped because they acquired the same transfer value in different ways.
“In 2020 this caused some tallies to be wrong by more than 20 votes; in general, it could cause much larger divergences,” they added.
Another flaw was incorrect rounding. The ACT Electoral Act explicitly requires rounding down to six decimal places, but EVACS rounds to the nearest six decimal places.
Thirdly, the group said EVACS has some other inaccuracies that are consistent with rounding transfer values, despite this not being specified in the legislation.
“This is important because a transfer value’s effect may be multiplied by thousands of votes,” they wrote. “This causes errors on the order of thousandths of votes and could possibly make a difference in a very close race.”
Fortunately, they said, these flaws did not change the result of the 2020 election.
ACT uses four systems for processing votes: The EVACS Electronic Voting module that runs on computers in polling places; EVACS Paper Ballot Scanning module that scans and interprets paper ballots, recording the results electronically; the ACT Internet voting system (OSEV) that receives votes from the internet; and the EVACS Counting module tallies the votes and outputs a set of winning candidates.
“The only system we have been able to examine is the counting module, and only because we can compare its inputs with its outputs and find errors without seeing the code,” they said.
“We believe that the Internet voting system is new, and that the voting, paper ballot scanning, and counting modules have been completely rewritten since 2016. But we cannot be certain, because we have not seen any of the 2020 source code.”
The group has asked that electronic voting code and system documentation be opened six months in advance to the research sector so serious errors and vulnerabilities could be found and rectified.
They have also asked that the on-site e-voting system have a voter-verifiable paper record, so that an immutable record of the vote can be verified by the voter independently of the software; and that internet voting be discontinued, due to the high levels of risk involved in current internet voting technology.
The Australian Electoral Commissioner said on Tuesday night that it is ‘very, very, very confident’ its systems are ‘incredibly robust’.
Researchers find myGovID is subject to an easily-implemented code proxying attack, while the digital identity solution from Australia Post does not possess a fundamental requirement for accreditation.
Analysis of source code published at the request of the NSW Electoral Commission shows that the state’s election system software was still vulnerable to attack.
Polystyrene Foam Market worth $32.2 billion by 2026 – Exclusive Report by MarketsandMarkets™
What Happened To Lufthansa’s Boeing 707 Aircraft?
How to Become a Cryptographer: A Complete Career Guide
Launch of Crypto Trading Team by Goldman Sachs
JetBlue Hits Back At Eastern Airlines On Ecuador Flights
Cybersecurity Degrees in Massachusetts — Your Guide to Choosing a School
How To Unblock Gambling Websites?
United Airlines Uses The Crisis To Diversify Latin American Network
Miten tekoälyä käytetään videopeleissä ja mitä tulevaisuudessa on odotettavissa
DOGE Co-founder Reveals the Reasons Behind its Price Rise
U.S. and the U.K. Published Attack on IT Management Company SolarWinds
“Privacy is a ‘Privilege’ that Users Ought to Cherish”: Elena Nadoliksi
SEC Chairman Says Crypto Markets Need Regulations to Prevent Fraud
This Dream Job Will Pay You to Gamble in Las Vegas on the Company’s Dime
The Spanish fintech Pecunpay strengthens its position as a leader in the issuance of corporate programs
Digital Currencies to Be Part of the Future, Says CEO of Rockefeller Capital Management
Nasdaq-Listed Metromile Backs Bitcoin for its Insurance Products
How to Become a Chief Information Security Officer: A Complete Career Guide
Chips Shortage May Be Exacerbated by Mining Giant Bitmain Order
Privacy Protection: How Secure is Telegram Messenger?
PR Newswire5 days ago
Polystyrene Foam Market worth $32.2 billion by 2026 – Exclusive Report by MarketsandMarkets™
Blockchain1 week ago
Munger ‘Anti-Bitcoin’ and Buffett ‘Annoyance’ Towards Crypto Industry
Blockchain1 week ago
Ethereum hits $3,000 for the first time, now larger than Bank of America
Blockchain1 week ago
The Reason for Ethereum’s Recent Rally to ATH According to Changpeng Zhao
Aviation1 week ago
American Airlines Passenger Arrested After Alleged Crew Attack
SPACS1 week ago
Deutsche Boerse expects 12 SPACs in Frankfurt in 2021
Nano Technology1 week ago
Less innocent than it looks: Hydrogen in hybrid perovskites: Researchers identify the defect that limits solar-cell performance
Blockchain6 days ago
Chiliz Price Prediction 2021-2025: $1.76 By the End of 2025
Business Insider1 week ago
SHAREHOLDER ALERT: Pomerantz Law Firm Investigates Claims On Behalf of Investors of BELLUS Health Inc. – BLU
Blockchain1 week ago
Mining Bitcoin: How to Mine Bitcoin
Blockchain1 week ago
Ethereum Market Capital Overtakes Bank of America
Blockchain1 week ago
Bitcoin Gains Bullish Momentum, Signals Another Major Rally