Google Chrome’s seamless updates have long been a big part of its appeal. But perhaps not anymore. With the latest version of Chrome already installed on hundreds of millions of computers and smartphones around the world, a significant warning has been issued that you might not like what it has running inside.
As reported by The Register, Chrome 80 (check your version under Settings > About Chrome) ships a new browser capability called ScrollToTextFragment. It is deep-linking technology that targets text on a web page, but several researchers have warned that it can be turned into a privacy leak.
To understand why requires a brief guide to how ScrollToTextFragment works. The simple version: a link can now point not just at a page, or at an anchor the page author defined, but at a specific run of text on that page, and Chrome will scroll to it and highlight it. It does this with a text directive placed after the ordinary fragment (using the format: #:~:text=[prefix-,]textStart[,textEnd][,-suffix]), and it doesn’t require the permission of the web page author to do so. Google gives the harmless example:
“[https://en.wikipedia.org/wiki/Cat#:~:text=On islands, birds can contribute as much as 60% of a cat’s diet] This loads the page for Cat, highlights the specified text, and scrolls directly to it.”
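The directive syntax above, worked through as an added example (this is not code from the article, from Google or from Chromium): a small parser for text directives and a helper that strips them from a link, as a mail gateway or link-sharing tool might do before forwarding a URL. All sample links in it are constructed. One detail worth seeing in code: an unencoded comma is the delimiter between textStart and textEnd, so a literal comma inside the text must arrive as %2C, and read literally the comma in Google’s Wikipedia example makes it a start/end range.

```python
"""Parse and strip Chrome text directives (ScrollToTextFragment).

Added example; not code from the article, Google or Chromium.
Syntax, as quoted on the page:  #:~:text=[prefix-,]textStart[,textEnd][,-suffix]
Several directives may follow one another, separated by '&'.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit, urlunsplit

FRAGMENT_DIRECTIVE_DELIM = ":~:"   # separates the ordinary fragment from directives


@dataclass
class TextFragment:
    text_start: str
    text_end: Optional[str] = None   # present when the directive names a range
    prefix: Optional[str] = None     # context required just before text_start
    suffix: Optional[str] = None     # context required just after the match


def parse_text_fragments(url: str) -> List[TextFragment]:
    """Return every well-formed text= directive carried by the URL's fragment."""
    fragment = urlsplit(url).fragment
    if FRAGMENT_DIRECTIVE_DELIM not in fragment:
        return []
    _, directives = fragment.split(FRAGMENT_DIRECTIVE_DELIM, 1)
    found: List[TextFragment] = []
    for directive in directives.split("&"):
        if not directive.startswith("text="):
            continue  # some other directive type; ignore it
        # An unencoded comma is the delimiter, so literal commas in the text
        # must be sent as %2C; percent-decoding happens only after the split.
        parts = directive[len("text="):].split(",")
        prefix = suffix = text_end = None
        if len(parts) > 1 and parts[0].endswith("-"):
            prefix = unquote(parts.pop(0)[:-1])
        if len(parts) > 1 and parts[-1].startswith("-"):
            suffix = unquote(parts.pop()[1:])
        if not 1 <= len(parts) <= 2 or not parts[0]:
            continue  # malformed: textStart is mandatory, at most one textEnd
        text_start = unquote(parts[0])
        if len(parts) == 2:
            text_end = unquote(parts[1])
        found.append(TextFragment(text_start, text_end, prefix, suffix))
    return found


def strip_text_fragments(url: str) -> str:
    """Remove the directive part of the fragment, keeping any ordinary anchor."""
    parts = urlsplit(url)
    if FRAGMENT_DIRECTIVE_DELIM not in parts.fragment:
        return url
    anchor = parts.fragment.split(FRAGMENT_DIRECTIVE_DELIM, 1)[0]
    return urlunsplit(parts._replace(fragment=anchor))


if __name__ == "__main__":
    # Constructed probe link: an internal portal plus a directive naming a
    # medical condition.  The host is not a real site.
    probe = "https://health.portal.example/benefits#:~:text=cancer"
    print(parse_text_fragments(probe))
    print(strip_text_fragments(probe))
```

Stripping the directive at a gateway only helps for links that pass through that gateway; the fragment never reaches the destination server, so the site being linked to cannot see or filter it.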
The deep-linking freedom of ScrollToTextFragment is genuinely useful for sharing a link to a precise part of a web page. The problem is that it can also be abused. Warning about the development of ScrollToTextFragment in December, Peter Snyder, a privacy researcher at Brave, explained:
“Consider a situation where I can view DNS traffic (e.g. company network), and I send a link to the company health portal, with [the anchor] #:~:text=cancer. On certain page layouts, I might be able [to] tell if the employee has cancer by looking for lower-on-the-page resources being requested.”
The leak needs nothing from the recipient beyond opening the link: if the text is present, Chrome scrolls to it, and any images or scripts that the page loads only once they come into view are then fetched, which someone watching the network’s DNS traffic can see. And it was Snyder who spotted that ScrollToTextFragment is now active inside Chrome 80, stating that “Imposing privacy and security leaks to existing sites (many of which will never be updated) REALLY should be a ‘don’t break the web’, never-cross, redline. This spec does that.”
David Baron, a principal engineer at Mozilla, maker of Firefox, also warned against the development of ScrollToTextFragment, saying: “My high-level opinion here is that this is a really valuable feature, but it might also be one where all of the possible solutions have major issues/problems.”
Defending the decision, Google’s engineers have issued a document outlining the pros/cons of the deep linking technology in ScrollToTextFragment and Chromium engineer David Bokan wrote this week that “We discussed this and other issues with our security team and, to summarize, we understand the issue but disagree on the severity so we’re proceeding with allowing this without requiring opt-in.”
Bokan says the company will work on an opt-out option, but how many will even know ScrollToTextFragment exists? And here lies the nub of it: Google has such power it can be judge and jury to decide what is or isn’t acceptable. So ScrollToTextFragment, with its unresolved privacy concerns and lack of support from other browser makers, is now out there, running in the background of hundreds of millions of Chrome installations.
Whether you want to be part of that is up to you.
The post “Google Just Gave Millions Of Users A Reason To Quit Chrome” appeared first on National Cyber Security.
Source: National Cyber Security – Produced By Gregory Evans
If you receive a phone call from anyone claiming to be an employee of an online shopping site or ‘buy first – pay later’ business advising you there are issues associated with your account – just hang up and contact the company using an independently verified […]
When Clop was discovered by Jakub Kroustek in February 2019, all indicators showed that it was a new CryptoMix variant, with the .CLOP (or, in some cases, .CIOP) extension appended to encrypted files. Since this discovery, the ransomware operators behind Clop have steadily been developing it to […]
#cybersecurity | #infosec | Man who hacked National Lottery for just £5 is jailed for nine months – HOTforSecurity
A 29-year-old British man has been jailed for nine months after admitting using hacking tools to break into UK National Lottery gambling accounts.
Anwar Batson, of Notting Hill, West London, downloaded the readily-available Sentry MBA hacking tool to launch a credential stuffing attack against the National Lottery website.
Credential stuffing takes lists of usernames and passwords exposed in data breaches and replays the same credentials against other sites to see which of them unlock an account there. Because so many users reuse passwords across websites, credential stuffing is a technique commonly used by attackers, and tools such as Sentry MBA automate the process for them.
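One way to spot this in an authentication log, as an added example that is not code from the article, from HOTforSecurity or from Camelot: the signal for credential stuffing is one source address trying many different usernames, each once, with a high failure ratio and the occasional success where a password was reused, which is a different shape from a brute-force attack that hammers a single account. The log format, addresses and usernames below are constructed, and the thresholds are starting points rather than tuned values.

```python
"""Flag credential stuffing in an authentication log.

Added example; not code from the article, HOTforSecurity or Camelot.
The log format and every entry in SAMPLE_LOG are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source (203.0.113.7) cycling through a breach list
# at one attempt per second; two ordinary users on their own addresses.
SAMPLE_LOG = """\
2016-11-28T22:14:03Z ip=198.51.100.23 user=alice result=FAIL
2016-11-28T22:14:09Z ip=198.51.100.23 user=alice result=FAIL
2016-11-28T22:14:15Z ip=198.51.100.23 user=alice result=OK
2016-11-28T22:14:20Z ip=203.0.113.7 user=u01 result=FAIL
2016-11-28T22:14:21Z ip=203.0.113.7 user=u02 result=FAIL
2016-11-28T22:14:22Z ip=203.0.113.7 user=u03 result=FAIL
2016-11-28T22:14:23Z ip=203.0.113.7 user=u04 result=FAIL
2016-11-28T22:14:24Z ip=203.0.113.7 user=u05 result=FAIL
2016-11-28T22:14:25Z ip=203.0.113.7 user=u06 result=OK
2016-11-28T22:14:26Z ip=203.0.113.7 user=u07 result=FAIL
2016-11-28T22:14:27Z ip=203.0.113.7 user=u08 result=FAIL
2016-11-28T22:14:28Z ip=203.0.113.7 user=u09 result=FAIL
2016-11-28T22:14:29Z ip=203.0.113.7 user=u10 result=FAIL
2016-11-28T22:15:02Z ip=198.51.100.50 user=bob result=OK
"""


def parse_line(line: str) -> dict:
    """Parse one log line into a dict; return {} for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_credential_stuffing(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=10),
    min_distinct_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> Dict[str, dict]:
    """Return {ip: summary} for every source that, inside some sliding window,
    tried at least `min_distinct_users` different accounts with a failure
    ratio of at least `min_fail_ratio`."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    alerts: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide `start` forward until events[start..end] fit in `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "FAIL")
            if len(users) < min_distinct_users or fails / len(win) < min_fail_ratio:
                continue
            summary = alerts.setdefault(ip, {"attempts": 0, "distinct_users": 0,
                                             "fail_ratio": 0.0, "compromised": set()})
            if len(win) > summary["attempts"]:   # keep the widest flagged window
                summary.update(attempts=len(win), distinct_users=len(users),
                               fail_ratio=fails / len(win))
            # A success inside a flagged window is a reused password that hit.
            summary["compromised"].update(e["user"] for e in win if e["result"] == "OK")
    for summary in alerts.values():
        summary["compromised"] = sorted(summary["compromised"])
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The accounts listed under `compromised` are the ones to force a password reset on first; the distinct-user count is what separates this from alice's two typos, which never trip the rule however many times she retries.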
Prosecutors told Southwark Crown Court that after Batson downloaded Sentry MBA he joined a WhatsApp group devoted to hacking under the alias of “Rosegold,” and provided to accomplices a configuration file specifically designed to launch Sentry MBA against the National Lottery website.
The attack, in late 2016, caused National Lottery operators Camelot to issue a warning to thousands of gamblers that their accounts may have been accessed, and forced a password reset on affected accounts.
Batson’s accomplices, Daniel Thompson and Idris Akinwunmi, were jailed in 2018 after admitting their involvement in the attack.
Batson was arrested in May 2017 by the National Crime Agency (NCA), and initially denied that he was involved in the attack – claiming that his devices had been cloned or hacked by online trolls.
But when NCA officers examined his devices they uncovered the conversations between Rosegold and others on WhatsApp where they discussed hacking, the buying and selling of lists of usernames and passwords, and more.
In addition, officers found at Batson’s flat clothes which had been addressed to someone calling themselves “Rosegold”.
Time and time again, people roll out the adage that “crime doesn’t pay.”
Well, it certainly doesn’t pay in the case of Batson.
As the NCA reports, Batson gave the username and password of one National Lottery player to Akinwunmi, who stole the entire contents of the account – a grand total of £13. Batson’s split of the ill-gotten gains? A mere £5.
Lottery operator Camelot says that responding to the attack cost it £230,000, and that 250 players had closed their accounts due to the negative publicity.
#cybersecurity | #hackerspace | Just 12% of ICS Security Pros Very Sure of Orgs’ Ability to Respond to Digital Attacks
Malicious actors are increasingly launching digital attacks against industrial organizations. Many of these campaigns have been successful, particularly those that have targeted energy utilities and manufacturing plants. In late spring 2019, for instance, aircraft parts manufacturer ASCO temporarily suspended operations worldwide after falling victim to a ransomware attack. It was about a month later when […]
The post Just 12% of ICS Security Pros Very Sure of Orgs’ Ability to Respond to Digital Attacks appeared first on The State of Security.
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/ics-security/ics-security-respond-digital-attacks/
October was National Cybersecurity Awareness Month, and as it wrapped up for the 16th year, it’s never been more important. Cybercrime has reached epidemic levels: the University of Maryland found that an attack occurs every 39 seconds on average, affecting one in three Americans every year, and […]
A parody movie review show has, surprisingly enough, spawned an elaborate fictional universe spanning almost a decade. Now it’s making the jump to feature film, and there’s no sign of it losing steam.
The story of Mister America, the new mockumentary about a long-shot campaign for local office out on video on demand Friday, is a complicated one. It begins in 2011 when comedians Tim Heidecker and Gregg Turkington launched the spoof podcast On Cinema, episodes of which center around discussions of classic movies. But the amateur critics, fictional characters who share Heidecker and Turkington’s real names, supply the opposite of insightful commentary, generically declaring “it’s a classic!” before quickly wrapping up.
The gag continued as the podcast became a web series called On Cinema at the Cinema, a shabby Siskel and Ebert-type show with Tim and Gregg reviewing new releases. Once again, there’s no expertise to be found. Observations from the fumbling hosts are always either uproariously wrong or worthlessly broad, and nearly every film gets a glowing review. Both projects hilariously poke at the fact that the internet has fostered a culture of amateur creators oblivious to the uselessness of their creation and amateur commentators clueless about the very topics they’re commenting on.
But beyond being a spoof of pointless online content, On Cinema is also an examination of two pathetic, borderline psychopathic characters. Tim, an egotistical blowhard, and Gregg, a pretentious film “expert” who knows little about film, make each other miserable yet have nothing in their lives but this lousy show, meaning their constant on-screen fights and meltdowns always resolve with a return to set the following episode. The longer they continue coming back and failing to improve themselves or On Cinema, the bleaker, and funnier, it gets.
As On Cinema progresses, references to both characters’ dreary off-screen lives develop a deep mythology, and running jokes build a language for fans to use online while maintaining the charade that the show isn’t fiction. Heidecker and Turkington also further storylines with in-character tweets, essentially creating a year-round alternate reality game. Getting into the series requires patience, seeing as episodes don’t have obvious setups and punchlines. But once you start appreciating the dry humor of the hosts’ passive aggression and believably dumb remarks, there’s nothing quite like it.
Over the years, On Cinema has only grown more ambitious with numerous spin-offs, including Decker, a spy series Tim ineptly directs and stars in that subtly advances the larger story in a way that’s legitimately inventive. One edition of On Cinema, for instance, features Tim interviewing Gregg in front of a green screen for reasons that aren’t clear until Tim later that month uses the footage to insert Gregg into an episode of Decker without his permission, prompting yet another gut-busting squabble in a gag that takes weeks to show its true form. The wildest spin-off of all, though, came in 2017 when Tim faced murder charges in On Cinema’s ninth season, the latest in a nutty sequence of soap opera level plot turns, and Adult Swim actually streamed a five-hour, surprisingly realistic trial.
This helped launch Mister America, the new mockumentary which follows Tim as he runs for district attorney to exact vengeance upon the prosecutor who charged him. Shot in a mind-boggling three days, it’s quite small in scale, and like On Cinema itself, it’s not so much about traditional setups and punchlines as it is about stewing in delusion and subtle stupidity; scenes often consist of little more than Tim dictating a nonsensical press release between burps or bloviating about Martin Luther King Jr. While unlikely to have much wide appeal, for On Cinema devotees, it’s a riot.
In a testament to how sprawling On Cinema has become, Mister America pulls from jokes that originated not only in the web series but on Decker, the murder trial, and even the comedians’ social media, where the election storyline unfolded last year. Naturally, it’s hard to imagine key scenes registering with newcomers. But when, for instance, Gregg speaks about Sully in an interview, it gets a huge laugh from those who realize the subtext: he’s only doing so to get in a petty dig at Tim as part of an argument they’ve had, primarily on Twitter, dating back years. When Tim watches Mister America and hears everything Gregg said, not to mention sees everything else he instructed the fictional director not to include, he’ll surely freak out on On Cinema, which is currently in the middle of a new season. This kind of slow burn multimedia storytelling is the series at its very best.
Mister America isn’t any sort of a masterpiece, to be sure; it’s limited by its tiny budget and isn’t as effective a political satire as it could have been, especially seeing as a final monologue attempting to make a broader point feels at odds with the way the story actually played out. But it’s still consistently funny, and as a small piece of the larger project, it delivers.
This is in contrast to Between Two Ferns: The Movie, another spin-off of a web series about a terrible talk show. With that film, it was clear there had been little thought previously paid to the world the sketch occupies or who its central character is outside of the show, and so the struggle to turn it into a 90-minute feature was palpable. That Mister America, in contrast, feels like a natural evolution of everything that’s been cooking since 2011 is a testament to Heidecker and Turkington’s brilliant creation. It sounds strange to say about a silly spoof, but On Cinema has become a genuinely rich comedic world, and even after all this time, its creators are still finding new ways to expand it.
The post “A fake movie review show just spawned one of the year’s best comedies” appeared first on National Cyber Security.
Source: National Cyber Security News
After it was reported last month that online dating app Tinder had a security flaw that allowed strangers to see users’ photos and matches, security firm Appsecure has now uncovered a new flaw that is potentially more damaging.
Attackers who exploited the vulnerability could take over a user’s account knowing only the phone number that user logs in with. The issue has since been fixed, after Appsecure alerted Tinder.
Appsecure says the attackers could have chained two vulnerabilities to hijack accounts: one in Tinder’s own API and one in Facebook’s Account Kit system, which Tinder uses to manage logins.
In a statement sent to The Verge, a Tinder spokesperson said, “Security is a top priority at Tinder. However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers.”
The vulnerability exposed users’ access tokens. Anyone who obtains a user’s valid access token can take over that account, since the token is what the service accepts as proof of who is logged in.
“We quickly addressed this issue and we’re grateful to the researcher who brought it to our attention,” The Verge quoted a Facebook representative as saying.
At this time of unparalleled cyber danger, it has been found that only half of companies in the UK believe they are equipped with adequate cybersecurity skills. The root of this shocking lack of confidence may be in another finding that just 51 per cent of IT workers in the UK said that cybersecurity has […]