A collection point
...and some of my own.
OK, same old shoes, but we do have some new news for you"s".

Android 11 system update from Google adds privacy controls

By Leo Kelion: New privacy controls and a screen-recording tool are among the features being added to Android phones in the latest major update to Google's mobile operating system (OS). Android 11 also makes it easier to keep track of chat messages across multiple apps and to control smart home gadgets.

Google has made efforts to encourage third-party device manufacturers to roll out its system updates more quickly than they used to, but some brands lag behind others. The tech giant has said that, in addition to its own Pixel brand, the following firms would be the first to offer downloads of Android 11: OnePlus, Xiaomi, Oppo and RealMe. Nokia has also tended to be an early adopter, while Samsung, Huawei and LG typically take a little longer to adapt new features to their own user interfaces.

In any case, one expert said the fact that Google had detached app and security updates from its major system releases a while back meant delays were now less of an issue than they had once been. "There's a lot of features that drip into Android phones across the year via app updates, which happen independently of the manufacturers," explained Chris Hall from the tech review site Pocket-lint. "That contrasts with Apple's iOS, where iPhone users wait for a big dump of features to happen all at once."

[Image caption: Users can now control smart home gadgets from different brands via a single screen rather than multiple apps]

Even so, Mr Hall acknowledged that some of the privacy changes could prove timely. They include:
the ability to give apps single-use, rather than perpetual, access to a device's microphones, cameras and location;
a permissions auto-reset function that retracts apps' access to such functions if they have not been launched for a few months;
limiting apps to launching the phone's built-in camera app rather than a third-party alternative. This has been done to close a loophole that allowed some developers to harvest location data without the user's say-so.

"People often grant permissions without realizing what they are doing as they just click on an option to accept all features, allowing an app to go off and do what it wants," commented Mr Hall. "So building in one-time permissions is actually quite a big deal, especially after some high-profile cases of microphones and cameras being accessed without users realizing what was going on."

Connected cars

Many of Android 11's other changes are focused on trying to simplify use of a smartphone. A smart devices feature, for example, lets owners call up controls for all their connected devices in one place by holding down the power button.

Another tool is designed to help users manage multiple messaging apps, such as Facebook Messenger, Android Messages, Twitter, WhatsApp, Slack and Telegram. Posts received via all these platforms are now grouped together in a new "conversations" section of the notifications screen that appears when you swipe down from the top of the phone's display. This separates them out from other types of alerts, helping owners avoid missing an important message. Users can also give certain chats priority over others, so they appear at the top of the screen and can still pop up when the device is put in Do Not Disturb mode if desired.

In addition, new Chat Bubbles can be set to appear above other apps, allowing users to quickly respond to friends' queries via a floating panel. This avoids them having to switch out of the app they were using at the time in order to respond.

[Image caption: Chat Bubbles allow conversations to be carried out in floating panels that appear above apps updated to support the facility]

Devices also gain the ability to natively record the screen without having to install a dedicated app, mirroring a feature already available on iOS. This could be useful for capturing game footage or recording a video chat.

And the update should also allow all smartphones running it to connect via wi-fi to car entertainment systems powered by Android Auto. Until now only Pixel and Samsung phones could do this, meaning users of other brands had needed to resort to a USB cable if they wanted to stream music, have chat messages read aloud via the vehicle's speakers or get real-time alerts on their navigation display.

TikTok Rejects Microsoft Offer, Oracle Sole Remaining Bidder

The Wall Street Journal and The New York Times reported that Oracle had won the bidding war, citing people familiar with the deal, although the company did not immediately confirm that to AFP. But two Chinese state media outlets -- CGTN and China News Service -- said Monday that ByteDance will not sell TikTok to Oracle either, citing unnamed sources.

Microsoft had indicated at the beginning of August that it was interested in acquiring TikTok's US operations, but announced Sunday that its bid had been rejected. "ByteDance let us know today they would not be selling TikTok's US operations to Microsoft," it said in a statement. A deal with Microsoft could also have included Walmart, which joined forces with the tech giant during negotiations.

Ives said that even with Microsoft out of the picture, "while Oracle is technically the remaining bidder, without willing to sell its core algorithm we see no TikTok sale on the horizon." "Given the need now to get a green light from Beijing after its export rules were changed a few weeks ago, TikTok's days in the US likely are numbered with a shutdown now the next step."

Misconfigured Database Leaks 370 Million Dating Site Records

With dating site use skyrocketing during the pandemic, it was only to be expected that someone would leave a database open, expose it on a public-facing interface and walk away. So it was that vpnMentor stumbled across Mailfire's 882 GB Elasticsearch database, comprising data from over 70 dating websites.

Although the database held only four days of records, it exposed full names, ages and dates of birth, gender, email addresses, locations, IP addresses and profile pictures, as well as potentially embarrassing conversations between dating site users in 100 countries. Reading through some of the data, a large number of the dating websites appeared to themselves be scams, with false photos and misleading billing statements. Love is never easy.

US: As Election Day Nears, Kremlin Leans on Hackers-for-Hire

Jack Monahan: The "big four" (Russia, China, Iran, North Korea), and nations in the Middle East, Asia and South America, are showing evidence that hacker-for-hire groups are on the rise. With a little over fifty days until election day, the U.S. Department of Justice (DOJ) on Thursday charged Artem Mikhaylovich Lifshits, a Russian national, for his alleged role in a conspiracy to use the stolen identities of U.S. persons to open fraudulent accounts at banking and cryptocurrency exchanges.

Why online voting is harder than online banking

Tim Lee: Every electronic transaction in the conventional banking system is tied to a specific sender and recipient who can confirm that a transaction is valid or raise the alarm if it isn't. Banks count on customers to periodically review their transactions—either online or in paper statements—and notify the bank if fraudulent transactions occur. By contrast, elections are supposed to be secret. In-person elections don't just allow voters to cast a secret ballot, they typically require them to do so. Mandatory secrecy insulates voters from coercion.

Banks' security efforts are also aided by the fact that people hacking financial networks are typically trying to divert stolen funds to themselves. Often banks can "follow the money" to figure out who was responsible for a particular hack, recovering the stolen funds and deterring others from trying a similar attack. Bank hacking is also of little interest to foreign governments, most of which have plenty of money.

Election hacking is different. We talk metaphorically about people "stealing" votes, but someone hacking an election isn't trying to directly profit from their hack. This means that the authorities can't follow the money to identify suspects.

When fraudulent transactions are flagged after the fact, banks automatically credit lost funds back to customers. They try to identify the culprits and make them pay, but if that's not possible, banks absorb the losses themselves. This approach is totally unworkable for voting. Voting officials can't issue voters after-the-fact credits for their stolen votes the way banks do for stolen funds. An election needs to produce a definitive result that is quickly and widely accepted as legitimate. Even a small number of fraudulent votes could flip the results of an election and destroy public confidence in the voting process. Major elections, including the US presidency, have been decided by a few hundred votes out of millions cast. So a voting infrastructure needs to be a lot more secure than our online banking infrastructure.

Researcher kept a major Bitcoin bug secret for two years to prevent attacks

Catalin Cimpanu for Zero Day: In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep details private in order to avoid hackers exploiting the issue. INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of the server's memory resources, which would eventually crash impacted systems.

"At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges," Fuller said in a paper [PDF] published on Wednesday.

Furthermore, INVDoS impacted more than the Bitcoin nodes (servers) running the Bitcoin Core software. Bitcoin nodes running Bcoin and Btcd were affected by the same bug, as were other cryptocurrencies built on the original Bitcoin protocol, such as Litecoin and Namecoin. The INVDoS bug was reported to all the responsible parties and patched, at the time, under the generic identifier CVE-2018-17145, which didn't include many details, so as not to tip off attackers. Full details of the INVDoS vulnerability were published last week, so other cryptocurrencies that forked older versions of the Bitcoin protocol could check whether they were impacted as well. "There has not been a known exploitation of this vulnerability in the wild." Well, not as far as we know.

2020-09-09: HOT WALLETS COMPROMISED – OFFICIAL ANNOUNCEMENT

Eterbase admits its systems were compromised, with funds said to be worth $5.4m taken by hackers. "We want to inform our users that we have enough capital to meet all our obligations. At the same time, we want to reassure everyone that this event won't stop our journey. After the security audit of renowned global companies, our operations will continue. We will announce the date of the re-opening of the ETERBASE Exchange platform as soon as possible. Best regards, ETERBASE Team"

Development Bank of Seychelles Hit by Ransomware

Established in 1977, Development Bank of Seychelles is majority-owned by the government of Seychelles, but it is not budget-dependent and operates on a commercial basis. "Since September 9 2020, Central Bank of Seychelles has been engaging with Development Bank of Seychelles to establish the exact nature and circumstances of the Ransomware incident and closely monitor the developments, including the possible impact on the Development Bank of Seychelles' operations," the bank said in a Friday announcement. The bank has yet to reveal whether customer data was compromised in the incident. Many of the ransomware attacks over the past couple of years, however, did result in sensitive data being stolen to pressure victim companies into paying the ransom.

School's out for ransomware

Iain Thomson for The Register: Students in Hartford, Connecticut, got an extra day of holiday after the school system was taken down by ransomware. The malware borked key logistics systems on Tuesday in the US city. Hartford Mayor Luke Bronin said the infection was "significantly limited" due to computer security systems installed last year. Schools were back up and running the following day, though we're sure students appreciated their digital snow day.

UK: Travel Sites Riddled with Hundreds of Vulnerabilities

Phil Muncaster: UK-based consumer rights group Which? and tech consultancy 6point6 studied 98 travel sector companies, probing websites, subdomains, employee portals and other web properties with lawful online tools. They found Marriott-owned websites were riddled with 497 bugs, including over 100 assessed to be "high" (96) or "critical" (18). Some of these could have allowed an attacker to target users and their data, Which? said. "We reported our findings directly to Marriott (as we did with all the five providers in our snapshot test) and it said that it had 'no reason to believe' that its customer systems or data had been compromised," Which? explained. Marriott is facing a large fine from the regulator, the Information Commissioner's Office (ICO), after last year revealing a historic breach of 339 million customers' data.

Airline easyJet, which this year revealed a breach affecting nine million customers, was found to have 222 vulnerabilities across nine web domains, including one critical bug that could allow an attacker to hijack users' browsing sessions. The firm apparently took three domains offline and remediated the disclosed vulnerabilities on the other six sites.

British Airways was found to have 115 vulnerabilities on its websites, including 12 judged to be critical. Although most of the issues identified were thought to be related to running old versions of software, the carrier gave no indication in its response to Which? that they would be updated. BA famously exposed the details of around 500,000 customers to Magecart attackers last year, in an incident which could also land it a major fine from the ICO.

Elsewhere there were 291 potential vulnerabilities found at American Airlines, and a critical vulnerability at Lastminute.com which could allow attackers to create fake log-in accounts. "Our research suggests that Marriott, British Airways and easyJet have failed to learn lessons from previous data breaches and are leaving their customers exposed to opportunistic cyber-criminals," argued Which? Travel editor Rory Boland.