Researchers from security firm ICEBRG found malicious extensions in the Google Chrome Web Store with more than 500,000 overall downloads. They first discovered that the “HTTP Request Header” extension was being used for a click-fraud scam when they noticed an unusual spike in outgoing network traffic. The extension visited advertising-related links on the Web from the infected machines to generate revenue from per-click rewards. They later investigated three more Chrome extensions that did the same: Nyoogle, Stickies, and Lite Bookmarks.
Earlier this week, research published by the Project Zero security team at Google brought to public attention a group of security vulnerabilities affecting many modern processors. The vulnerabilities have been given the names Meltdown and Spectre, and could allow an attacker to read arbitrary locations in virtual memory (e.g. read data stored in memory belonging to other user or kernel processes).
The site Freedom to Tinker, which is hosted by Princeton’s Center for Information Technology Policy, has started publishing an ongoing series called “No Boundaries” on how third-party scripts on sites can exploit browsers to collect and extract user data in a growing number of ways.
Their second installment focuses on how the well-known vulnerabilities of browser login managers can provide trackers with user information – not for the purpose of stealing passwords, which has been examined many times, but for the purpose of web tracking, which can then be monetized by selling it to other companies.
In an age where the next major data security breach seems to be lurking just around the corner, or perhaps has already happened and we just don’t know about it yet, it’s refreshing to hear talk of sunsetting the archaic Social Security number as a universal identifier for US citizens. While it should come as no surprise, with cybersecurity at the forefront of international headlines and regular password-update requirements all but ubiquitous for online accounts, the onus has largely been on the individual to vigilantly guard their own digital information. At the heart of this information lies a single, 9-digit identifier meant to last a lifetime – big red flag.
The origin of this practice can be traced back to a password primer written by a man named Bill Burr in 2003 when he was a manager at the National Institute of Standards and Technology (NIST). He’s the reason I’ve sometimes had passwords based on whatever was in my line of sight at the time of the change (like Stapl3r2015!) and sometimes had password themes like colors+date (like Red!20160310, Blue!20160608, Yellow!20160906).
Generally finding bugs is a problem, unless you can get paid for doing it! This week, The Tor Project announced a new bounty program for folks who can find bugs in Tor and Tor Browser. Earn up to $4,000 per bug depending on the severity.
Details are available at HackerOne, so sign up for an account and start trying to break stuff!
Although WannaCry, the massive worldwide ransomware attack, is the biggest story these days when it comes to cyber crime, it’s definitely not the only issue causing problems for sites right now.
Last week, website security leader Sucuri identified code that appears to be WordPress API related but is actually sending active cookie data to attackers. This is most problematic when the active user is a site admin, because it gives the attacker the opportunity to create a new admin user, which can then be used to do considerable damage to a site and/or gain access to user data.
It’s no surprise that we’re very interested in how the current administration is affecting topics like Net Neutrality and Internet privacy. When Ajit Pai was appointed FCC chairman a couple of months ago, we encouraged everyone to stay informed and keep an eye out for new issues. Well, this week the House voted to undo rules which prevented Internet Service Providers (ISPs) from selling user data to the highest bidder, just the latest rollback of protections that had been put in place under former President Obama. Although President Trump has not yet signed the rollback into effect, the White House has suggested that he will, and the implications for Internet privacy are pretty significant. (Update – As expected, President Trump did sign the bill in question on April 3rd, 2017, repealing the online privacy protections established under the previous administration.)
Delivering secure and reliable services has been a top priority for developers since day one. Applying the best, most reliable technologies has always been the key to securing a client’s data and traffic. But, due to multiple vulnerabilities found in some core products used to encrypt data and traffic, security practices need to be revisited.