Published September 5, 2019
Google and its industry allies are making a late bid to water down the first major data-privacy law in the U.S., seeking to carve out exemptions for digital advertising, according to documents obtained by Bloomberg and people familiar with the negotiations. Bloomberg reports: A lobbyist for Google recently distributed new language to members of California’s state legislature that would amend the California Consumer Privacy Act. As currently drafted, the law limits how Google and other companies collect and make money from user data online, threatening a business model that generates billions of dollars in ad revenue. It’s due to kick in next year and there are only a few more days to amend the law. The lobbying push seeks legislative approval to continue collecting user data for targeted advertising, and in some cases, the right to do so even if users opt out, according to the documents and the people familiar with the negotiations. It’s unclear if the language circulating in the state capitol’s corridors was drafted by Google, and other lobbyists are likely asking for similar changes. Industry groups, such as the California Chamber of Commerce and the Internet Association, often help write legislation and have been the face of industry during two years of debate over the CCPA. It’s also common for interested parties to suggest late changes to bills. The Google representative, who distributed the revised language in recent weeks, has yet to find a lawmaker to sponsor the amendments, according to people familiar with negotiations. The proposal must be in a bill by Sept. 10 to be eligible for lawmakers to vote on it before they adjourn for the year on Sept. 13. One of the proposals would let Google and others use data collected from websites for their own analysis, and then share it with other companies that may find it useful. Currently, the CCPA prohibits the sale or distribution of user data if the user has opted out, with limited exceptions. 
Another proposal would loosen the definition of “business purpose” when it comes to selling or distributing user data. The law currently defines this narrowly and has a list of specific activities, such as auditing and security, that will be allowed. Google’s lobbyist shared new language that significantly broadens the rule by replacing the phrase “Business purposes are” with “Business purposes include,” before the list of approved activities.
Published August 16, 2019
A new Google study this week confirmed the obvious: internet users need to stop using the same password for multiple websites unless they’re keen on having their data hijacked, their identity stolen, or worse. From a report: It seems like not a day goes by without a major company being hacked or leaving user email addresses and passwords exposed to the public internet. These login credentials are then routinely used by hackers to hijack your accounts, a threat that’s largely mitigated by using a password manager and unique password for each site you visit. Sites like “have I been pwned?” can help users track if their data has been exposed, and whether they need to worry about their credentials bouncing around the dark web. But it’s still a confusing process for many users unsure of which passwords need updating. To that end, last February Google unveiled a new experimental Password Checkup extension for Chrome. The extension warns you any time you log into a website using one of over 4 billion publicly-accessible usernames and passwords that have been previously exposed by a major hack or breach, and prompts you to change your password when necessary. The extension was built in concert with cryptography experts at Stanford University to ensure that Google never learns your usernames or passwords, the company says in an explainer. Anonymous telemetry data culled from the extension has provided Google with some interesting information on how widespread the practice of account hijacking and non-unique passwords really is.
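The privacy property the report gestures at (a breach-lookup service that can tell you a credential is exposed without ever receiving it) can be shown with a hash-prefix range query. This is an added example and not code from Google's extension, whose protocol the article does not describe; it follows the k-anonymity scheme used by the Pwned Passwords API instead: the client hashes locally, sends only the first five hex characters of the SHA-1, receives every suffix in that bucket, and matches locally. The `RangeServer` class, the five-entry breach corpus and the counts are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus for this example: plaintext passwords "recovered
# from a dump" and how often each appeared. The entries and counts are made up.
LEAKED_PASSWORDS = {
    "password": 3_861_493,
    "123456": 23_597_311,
    "qwerty": 3_946_737,
    "letmein": 236_000,
    "iloveyou": 1_600_000,
}

PREFIX_LEN = 5  # client discloses 5 hex chars (20 bits) of the 160-bit SHA-1


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password; used only as a lookup key, never for storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Hypothetical breach-lookup service: keeps hash suffixes bucketed by prefix."""

    def __init__(self, corpus):
        self.buckets = defaultdict(dict)
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self.buckets[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = count
        self.queries_seen = []  # everything the server ever learns about a client

    def range_query(self, prefix: str) -> dict:
        """Return every (suffix -> count) in the bucket. The server cannot tell
        which suffix, if any, the client was actually interested in."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d upper-case hex characters" % PREFIX_LEN)
        self.queries_seen.append(prefix)
        return dict(self.buckets.get(prefix, {}))


def check_password(server: RangeServer, password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password appeared in the corpus (0 = not seen)."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = server.range_query(prefix)
    return candidates.get(suffix, 0)


def anonymity_set_size(server: RangeServer, password: str) -> int:
    """Diagnostic over the server's index: how many corpus entries share this
    password's prefix, i.e. the 'k' in k-anonymity. A real corpus of hundreds of
    millions of hashes puts hundreds of suffixes behind every 20-bit prefix;
    with this five-entry corpus k is 1 or 0."""
    return len(server.buckets.get(sha1_hex(password)[:PREFIX_LEN], {}))


if __name__ == "__main__":
    srv = RangeServer(LEAKED_PASSWORDS)
    for pw in ("password", "correct horse battery staple"):
        n = check_password(srv, pw)
        print("%-30s seen %d times, k=%d" % (pw, n, anonymity_set_size(srv, pw)))
    print("server saw only:", srv.queries_seen)
```

The check that matters for privacy is the last line of the demo: the server's log holds nothing but five-character prefixes, so even a compromised lookup service learns at most 20 bits about any password, and with a realistic corpus that prefix is shared by hundreds of unrelated hashes.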
Published August 13, 2019
CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease. From a report: According to Tavis Ormandy, a security researcher with Google’s Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user’s computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole. Currently, there are no patches for these bugs, and a quick fix isn’t expected, as the vulnerabilities are deeply ingrained in the protocol and its design. What CTF stands for is currently unknown. Even Ormandy, a well-known security researcher, wasn’t able to find what it means in all of Microsoft’s documentation. What Ormandy found out was that CTF is part of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications. When users start an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods. It is unclear how Microsoft will patch the CTF problem.
Published August 11, 2019
Artem S. Tashkinov writes: Researchers from security company Eclypsium have discovered that more than forty drivers from at least twenty different vendors — including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei — include critical vulnerabilities allowing an escalation of privileges to full system level access. Considering how widespread these drivers are, and the fact that they are digitally signed by Microsoft, they allow an attacker to more successfully penetrate target systems and networks, as well as remain hidden. Also while some of these drivers “are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes” which means the attacker can gain a permanent foothold. Eclypsium has already notified Microsoft about the issues and at least NVIDIA has already released fixed drivers.
Published August 10, 2019
itwbennett writes: Researchers from security firm Bitdefender discovered and reported a year ago a new CPU vulnerability that “abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre,” writes Lucian Constantin for CSO. There are three attack scenarios involving SWAPGS, the most serious of which “can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability.” Microsoft released mitigations for the vulnerability in July’s Patch Tuesday, although details were withheld until August 6 when Bitdefender released its whitepaper and Microsoft published a security advisory.
Published August 7, 2019
An anonymous reader quotes a report from PC Magazine: As Softpedia reports, the independent IT security institute AV-TEST spent May and June continuously evaluating 20 home user security products using their default settings to see which offered the best protection. Only four of those products achieved a top score, and one of them was Windows Defender. The other three are F-Secure SAFE 17, Kaspersky Internet Security 19.0, and Norton Security 22.17. The big difference between these and Windows Defender is the fact Microsoft includes Windows Defender for free with Windows 10, whereas the others require a paid subscription to continue being fully functional. “Of the other products evaluated, Webroot SecureAnywhere 9.0 came last,” adds PC Magazine. “Those just missing out on the top score while still earning an AV-TEST “Top Product” award include Avast Free AntiVirus 19.5, AVG Internet Security 19.5, Bitdefender Internet Security 23.0, Trend Micro Internet Security 15.0, and VIPRE AdvancedSecurity 11.0.”
Published July 29, 2019
An anonymous reader quotes ZDNet: On the three-year anniversary of the No More Ransom project, Europol announced today that users who downloaded and decrypted files using free tools made available through the No More Ransom portal have prevented ransomware gangs from making profits estimated at at least $108 million… However, an Emsisoft spokesperson told ZDNet that the $108 million estimate that Europol shared today is “actually a huge underestimate. They’re based on the number of successful decryptions confirmed by telemetry — in other words, when the tools phone home to confirm they’ve done their job,” Emsisoft told ZDNet… Just the free decryption tools for the GandCrab ransomware alone offered on the No More Ransom website have prevented ransom payments of nearly $50 million alone, Europol said. The project, which launched in July 2016, now hosts 82 tools that can be used to decrypt 109 different types of ransomware. Most of these have been created and shared by antivirus makers like Emsisoft, Avast, and Bitdefender, and others; national police agencies; CERTs; or online communities like Bleeping Computer. By far the most proficient member has been antivirus maker Emsisoft, which released 32 decryption tools for 32 different ransomware strains… All in all, Europol said that more than three million users visited the site and more than 200,000 users downloaded tools from the No More Ransom portal since its launch. One Emsisoft researcher said they were “pretty proud” of their decryptor for MegaLocker, “as not only did it help thousands of victims, but it really riled up the malware author.”
Published July 11, 2019
An anonymous reader quotes a report from Phys.Org: Malicious apps from a campaign called “Agent Smith” have been downloaded to 25 million Android devices, according to new research by cyber-security firm Check Point. The apps, most of them games, were distributed through third-party app stores by a Chinese group with a legitimate business helping Chinese developers promote their apps on outside platforms. Check Point is not identifying the company, because they are working with local law enforcement. About 300,000 devices were infected in the U.S. The malware was able to copy popular apps on the phone, including WhatsApp and the web browser Opera, inject its own malicious code and replace the original app with the weaponized version, using a vulnerability in the way Google apps are updated. The hijacked apps would still work just fine, which hid the malware from users. Armed with all the permissions users had granted to the real apps, “Agent Smith” was able to hijack other apps on the phone to display unwanted ads to users. That might not seem like a significant problem, but the same security flaws could be used to hijack banking, shopping and other sensitive apps, according to Aviran Hazum, head of Check Point’s analysis and response team for mobile devices. There was also a “dormant” version of “Agent Smith” in 11 apps on the Play Store, which could have been triggered into action by a banner ad containing the keyword “infect.” The apps have since been removed from the Play Store, but had over 10 million downloads.
Published May 31, 2019
Earlier this month, Microsoft revealed a major Windows security vulnerability that could see a widespread “wormable” attack that spreads from one vulnerable computer to the next. “While Microsoft has released patches for Windows systems, even for older server and Windows XP machines, recent reports have revealed there are at least 1 million systems connected to the internet that can be attacked,” reports The Verge. “Microsoft is confident that an exploit exists for this vulnerability,” warns Simon Pope, director of incident response at Microsoft’s Security Response Center (MSRC). “It’s been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods.” From the report: Pope notes that it was nearly two months after the release of patches for the previous EternalBlue exploit when WannaCry attacks began, and despite having 60 days to patch systems, a lot of machines were still infected. The EternalBlue exploit was leaked publicly, allowing hackers to create malware freely. This new BlueKeep flaw hasn’t yet been publicly disclosed, but that doesn’t mean there won’t be malware. “It is possible that we won’t see this vulnerability incorporated into malware,” says Pope. “But that’s not the way to bet.”
Published May 7, 2019
The WordPress content management system (CMS) is set to receive an assortment of new security features today that will finally add the protection level that many of its users have desired for years. From a report: These features are expected to land with the official release of WordPress 5.2, expected for later today. Included are support for cryptographically-signed updates, support for a modern cryptography library, a Site Health section in the admin panel backend, and a feature that will act as a White-Screen-of-Death (WSOD) protection — letting site admins access their backend in the case of catastrophic PHP errors. With WordPress being installed on around 33.8 percent of all internet sites, these features are set to put some fears at ease in regards to some attack vectors. Probably the biggest and the most important of today’s new security features is WordPress’ offline digital signatures system. Starting with WordPress 5.2, the WordPress team will digitally sign its update packages with the Ed25519 public-key signature system so that a local installation will be able to verify the update package’s authenticity before applying it to a local site.
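The verify-before-apply step described above, as an added example that is neither WordPress's own code nor a statement about its exact file format: a pure-Python Ed25519 that follows the RFC 8032 reference implementation (slow and not constant-time; production code would call libsodium), under a hypothetical `verify_package` that hashes the package with SHA-384 and checks the detached signature against a list of pinned trusted keys before anything is unpacked. The SHA-384 pre-hash, the key list, the `sign_package`/`verify_package` names and the package bytes are assumptions made for the example.

```python
import hashlib

# Minimal Ed25519 after the RFC 8032 / ed25519.cr.yp.to reference implementation.
# Pure Python, slow and not constant-time: illustration only, use libsodium for real.
Q = 2**255 - 19                                          # field prime
L = 2**252 + 27742317777372353535851937790883648493      # order of the base point

def inv(x):
    return pow(x, Q - 2, Q)

D = (-121665 * inv(121666)) % Q                          # curve constant d
I = pow(2, (Q - 1) // 4, Q)                              # sqrt(-1) mod Q

def xrecover(y):                                         # even x with -x^2+y^2 = 1+D x^2 y^2
    xx = (y * y - 1) * inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q != 0:
        x = (x * I) % Q
    return Q - x if x & 1 else x

BY = (4 * inv(5)) % Q
B = (xrecover(BY), BY)                                   # base point

def edwards_add(P, R):                                   # complete affine addition law
    x1, y1 = P
    x2, y2 = R
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % Q, (y1 * y2 + x1 * x2) * inv(1 - t) % Q)

def scalar_mult(P, e):                                   # right-to-left double-and-add
    R = (0, 1)                                           # identity element
    while e:
        if e & 1:
            R = edwards_add(R, P)
        P = edwards_add(P, P)
        e >>= 1
    return R

def encode_point(P):                                     # y little-endian, x parity in bit 255
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decode_point(s):
    v = int.from_bytes(s, "little")
    y = v & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (v >> 255):
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q != 0:
        raise ValueError("point is not on the curve")
    return (x, y)

def clamp(h32):                                          # scalar from first half of SHA-512(seed)
    a = int.from_bytes(h32, "little")
    return (a & ((1 << 254) - 8)) | (1 << 254)

def public_key(seed):
    return encode_point(scalar_mult(B, clamp(hashlib.sha512(seed).digest()[:32])))

def sign(seed, msg):                                     # deterministic: nonce derived from seed+msg
    h = hashlib.sha512(seed).digest()
    a = clamp(h[:32])
    pk = encode_point(scalar_mult(B, a))
    r = int.from_bytes(hashlib.sha512(h[32:] + msg).digest(), "little") % L
    R = encode_point(scalar_mult(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little") % L
    return R + ((r + k * a) % L).to_bytes(32, "little")

def verify(pk, msg, sig):                                # S*B == R + k*A, else reject
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = decode_point(sig[:32]), decode_point(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= L:                                           # reject non-canonical S
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % L
    return scalar_mult(B, S) == edwards_add(R, scalar_mult(A, k))

# Hypothetical update-package layer (not WordPress's code): both sides hash the
# package with SHA-384 and sign/verify the digest. The pre-hash is an assumption.
def sign_package(seed, package):
    return sign(seed, hashlib.sha384(package).digest())

def verify_package(trusted_keys, package, sig):
    """True only if a pinned trusted key verifies the detached signature. Every key
    is tried so a rotation can ship the new key alongside the old for a while."""
    digest = hashlib.sha384(package).digest()
    return any(verify(pk, digest, sig) for pk in trusted_keys)

if __name__ == "__main__":
    seed = bytes(range(32))                              # constructed signing seed
    pkg, keys = b"PK\x03\x04 constructed fake update package", [public_key(seed)]
    sig = sign_package(seed, pkg)
    print("genuine verifies:", verify_package(keys, pkg, sig))
    print("tampered verifies:", verify_package(keys, pkg + b"!", sig))
```

Two caveats an installer built on this must respect: the trusted keys are pinned in the code base, never fetched from the same server that serves the update, since otherwise a compromised mirror would just ship a matching key; and a package that arrives with no signature at all has to be treated exactly like one whose signature fails, not waved through for compatibility.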