New Chrome, Firefox versions fix security bugs, bring productivity features

Chrome gets a new way of managing tabs while Firefox now features a new add-ons blocklist

Google and Mozilla have each released new stable versions of their web browsers for desktop platforms, with both Chrome and Firefox bringing a slew of new features and security fixes that are being rolled out to Windows, Mac and Linux.

What’s new in Chrome 85?

The new version of Google’s web browser includes 20 security fixes. While the company won’t disclose the details of all of them until the update has reached the majority of its user base, it did highlight the patches for 14 vulnerabilities that were reported by external researchers. Two flaws were classified as high-risk, seven were considered medium and the rest were designated low in severity.

Chrome has also introduced new features that include improved tab management and the option to fill out PDF forms directly in the browser. Tabs can now be added into groups and are visually distinguishable by tasks, topics, or even priority; the Chrome team has also ushered in performance improvements, including changes that allow pages to load up to 10% faster on Mac and Windows.

The enhancements are achieved by the introduction of Profile Guided Optimization (PGO) and tab throttling. The latter will be first released to the Beta Channel. “Chrome will give more resources to the tabs you’re using by taking them back from tabs that have been in the background for a long time. We see improvements not only in loading speed but also battery and memory savings,” said Chrome engineering director Max Christoff.

Chrome 85 will also natively support the AVIF image format, which will reduce bandwidth and data consumption and add HDR color support. It’s worth mentioning that Google has implemented this into its Chromium browser engine, which means that web browsers running on its code will probably support AVIF as well.

Firefox 80

Meanwhile, Firefox 80 includes fixes for 10 vulnerabilities, three of which were designated as high severity, four were classified moderate and the rest were considered low in severity. To boost its security, Firefox now also sports a new add-ons blocklist, which is supposed to improve performance and scalability. The browser already has add-on blocking processes that it deploys when its policies are violated; however, the previous version of the blocklist wasn’t meeting the demands of the ever-growing ecosystem.

“After investigating potential solutions, we decided the new add-ons blocklist would be powered by a data structure created from cascading bloom filters, which provides an efficient way to store millions of records using minimal space,” said Stuart Colville, the Engineering Manager for Firefox Add-ons.
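To make the quote concrete, here is an added example, written for this article and not Mozilla's own implementation, of a filter cascade built from Bloom filters: a first filter encodes the blocked add-on IDs, a second encodes the allowed IDs that the first filter wrongly matches, a third encodes the blocked IDs the second wrongly matches, and so on until no false positives remain, so every ID known at build time is classified exactly. The add-on IDs, the sizing parameters and the class names are constructed for the example.

```python
import hashlib
import math

# Added example (not Mozilla's code): a minimal filter cascade of the kind the
# quote above describes. A single Bloom filter over the blocked set would
# misclassify some allowed add-ons (false positives); the cascade stores those
# false positives in a second filter, that filter's false positives (drawn from
# the blocked set) in a third, and so on, until no false positives are left.
# Exact answers are guaranteed only for IDs that were in the blocked or allowed
# set when the cascade was built.


class BloomFilter:
    """Plain Bloom filter: a bit array with k SHA-256-derived hash positions."""

    def __init__(self, capacity: int, fp_rate: float) -> None:
        capacity = max(1, capacity)
        # Standard sizing: m bits and k hash functions for the target FP rate.
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # k independent positions: hash the item with a per-function prefix byte.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item.encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


class FilterCascade:
    """Cascade of Bloom filters whose levels alternate between blocked and allowed items."""

    MAX_LEVELS = 64  # guard against a build loop that fails to converge

    def __init__(self, blocked: set, allowed: set, fp_rate: float = 0.1) -> None:
        self.levels = []
        include, exclude = set(blocked), set(allowed) - set(blocked)
        while include:
            if len(self.levels) >= self.MAX_LEVELS:
                raise RuntimeError("filter cascade did not converge")
            level = BloomFilter(len(include), fp_rate)
            for item in include:
                level.add(item)
            self.levels.append(level)
            # The next level must encode the items this level wrongly matched,
            # and distinguish them from the set we have just encoded.
            include, exclude = {x for x in exclude if x in level}, include

    def is_blocked(self, item: str) -> bool:
        # Even-numbered levels encode blocked items, odd-numbered levels encode
        # allowed items that slipped through the level before. The first level
        # that rejects the item decides its class; if every level matches, the
        # class of the final level decides.
        for depth, level in enumerate(self.levels):
            if item not in level:
                return depth % 2 == 1
        return len(self.levels) % 2 == 1

    def size_bytes(self) -> int:
        return sum(len(level.bits) for level in self.levels)


# Constructed add-on IDs standing in for Mozilla's real blocklist data.
BLOCKED_IDS = {f"blocked-{i}@example.test" for i in range(50)}
ALLOWED_IDS = {f"addon-{i}@example.test" for i in range(500)}


def build_blocklist() -> FilterCascade:
    return FilterCascade(BLOCKED_IDS, ALLOWED_IDS)


def cascade_is_exact(cascade: FilterCascade) -> bool:
    """True if every known ID is classified correctly (which the build guarantees)."""
    return all(cascade.is_blocked(x) for x in BLOCKED_IDS) and not any(
        cascade.is_blocked(x) for x in ALLOWED_IDS
    )


def raw_blocklist_bytes() -> int:
    """Bytes needed to ship the blocked IDs as newline-separated strings, for comparison."""
    return sum(len(x.encode("utf-8")) + 1 for x in BLOCKED_IDS)


if __name__ == "__main__":
    cascade = build_blocklist()
    print("levels:", len(cascade.levels))
    print("exact:", cascade_is_exact(cascade))
    print("cascade bytes:", cascade.size_bytes(), "vs raw bytes:", raw_blocklist_bytes())
```

The space saving grows with the size of the allowed set relative to the blocked set, which is exactly the situation of a few thousand blocked add-ons against millions of known ones.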

Beyond the security fixes and updates, Firefox now also offers the option of setting it as your default PDF viewer.

You can download the latest releases of Chrome here and Firefox here. Chrome commands a 66% market share while Firefox is the third most popular browser with a 4% market share.

FBI, CISA warn of spike in vishing attacks

Cybercriminals take aim at teleworkers, setting up malicious duplicates of companies’ internal VPN login pages

The United States’ Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory to warn about a surge in voice phishing (vishing) attacks targeting staff at a number of companies.

The spike in phone-based phishing attacks can in part be attributed to the COVID-19 pandemic, which has forced companies to shift to telework and led to a boom in the use of virtual private networks (VPN) and the elimination of in-person verification.

According to the advisory, shared by security journalist Brian Krebs, since around mid-July cybercriminals have been able to steal login details into employee tools at a number of companies. “The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” noted the alert.

As part of the campaigns, the black hats created phishing websites that duplicated or resembled the internal VPN login pages of various companies, obtained Secure Socket Layer (SSL) certificates for their domains and registered domain names that combine the company’s name with a hyphen and words such as “support” or “employee”.


The threat actors also gathered information about their targets. “Actors then compiled dossiers on the employees at the specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research,” reads the advisory. The amassed information included the targets’ names, home addresses, personal cell/phone numbers, and their job roles.

The attackers then went on to contact their marks, first using Voice over Internet Protocol (VoIP) numbers and later using the spoofed numbers of employees and departments from the victim’s company. Using social engineering techniques, the fraudsters impersonated IT help desk workers and used the information from their dossiers to gain the victims’ trust.

From there, the attackers convinced the targets that they would receive a new VPN link that would require their login, including two-factor authentication (2FA) or a one-time password (OTP). In some cases, the 2FA or OTP prompts were approved by employees mistakenly believing access had been granted earlier to the IT desk impersonator, while in other cases attackers employed SIM swapping attacks to circumvent the security measures.

The agencies also shared advice on how companies could mitigate the risks of such attacks. This includes restricting VPN connections to managed devices, employing domain monitoring, and actively scanning and monitoring web applications for unauthorized access.
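One concrete form the recommended domain monitoring can take is a rule set run over newly observed domain names (from certificate transparency logs or new-registration feeds) that flags the naming pattern the advisory describes: the company name joined by a hyphen to a generic word. The code below is an added example, not part of the advisory; the company name, legitimate domains, observed feed and the terms beyond “support” and “employee” are constructed or assumed.

```python
from typing import Dict, List, Optional

# Added example (not from the FBI/CISA advisory): simple domain-monitoring
# rules for the lookalike pattern described above. All values are constructed.
COMPANY = "acme"
LEGIT_APEX = "acme.example"
# "support" and "employee" are quoted in the advisory; the rest are assumed
# extras a defender would typically also watch for.
SUSPICIOUS_TERMS = {"support", "employee", "vpn", "helpdesk", "portal", "login", "sso"}


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'acme-support' for 'www.acme-support.test'.

    Simplification: assumes single-label public suffixes (no 'co.uk' handling).
    """
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain: str) -> Optional[str]:
    """Return a finding label for a suspicious name, or None if it looks benign."""
    name = domain.lower().rstrip(".")
    # The company's own apex and anything beneath it are benign by definition.
    if name == LEGIT_APEX or name.endswith("." + LEGIT_APEX):
        return None
    label = registrable_label(name)
    if COMPANY not in label:
        # Brand used as a subdomain of somebody else's registrable domain.
        if any(COMPANY in part for part in name.split(".")[:-2]):
            return "brand-in-subdomain"
        return None
    parts = label.split("-")
    if COMPANY in parts and any(p in SUSPICIOUS_TERMS for p in parts):
        return "brand-hyphen-keyword"  # the exact pattern the advisory describes
    return "brand-embedded"  # brand inside a label we do not control


def triage_feed(observed: List[str]) -> Dict[str, str]:
    """Map each flagged name in a feed of newly observed domains to its finding."""
    findings: Dict[str, str] = {}
    for domain in observed:
        finding = classify_domain(domain)
        if finding:
            findings[domain] = finding
    return findings


# Constructed feed of newly observed names (reserved .test / .example TLDs).
OBSERVED = [
    "acme.example",
    "www.acme.example",
    "acme-support.test",
    "acme-employee-vpn.test",
    "acmesupport.test",
    "acme.example.vpn-login.test",
    "unrelated.test",
]

if __name__ == "__main__":
    for domain, finding in triage_feed(OBSERVED).items():
        print(f"{finding:22} {domain}")
```

Findings of the first kind are the ones to prioritise for takedown requests and for blocking at the proxy, since they match the pattern the agencies observed in the wild.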

Lest we forget: vishing was also at the root of last month’s breach at Twitter, where some 130 high-profile accounts were hijacked to peddle a Bitcoin scam.

Cyber attacks: Several Canadian government services disrupted

Several services, including the national revenue agency, had to be shut down following a series of credential-stuffing attacks

Cybercriminals set their sights on the Canadian government at the beginning of August, when several government services were disabled following a series of cyberattacks. On August 15, the Treasury Board Secretariat announced that approximately 11,000 online government services accounts, originating from the Government of Canada Key service (GCKey) and Canada Revenue Agency (CRA) accounts, had been victims of hacking attempts. The GCKey allows Canadians to access the online services of several Government of Canada programs and services, including Employment Insurance services, while the CRA manages Canadians’ tax services as well as Canada Emergency Benefit (ECP) payments, a support program for employees who have lost their jobs due to the pandemic.

On August 7, the CRA noticed the first signs of credential-stuffing attacks on its website. In credential stuffing, criminals take username/password pairs stolen from one service and try them against another account owned by the same victim. Unlike a brute-force attack, which guesses passwords, it relies on previously stolen user/password combinations to gain access to a third-party service.

Annette Butikofer, CRA’s Chief Information Officer, explains that the agency did not notify the RCMP until August 11, informing the general public and suspending access to its online services on August 15. She mentioned: “We were very confident that the monitoring was good, but after [the events involving] the KEICC, we noticed an attack on Saturday and decided to block and close our portal.” The agency’s online services were restored on August 19.

Figure 1. The federal government issued a warning via Twitter

The government estimates that approximately 11,200 accounts have been hacked. Of these, approximately 5,600 were CRA accounts and 9,000 were GCKey system accounts. Of the CRA accounts affected, more than half were hacked via GCKey access. The CRA states that it is sending a letter to all those whose accounts were hacked.

What can we do?

We don’t at this time have details as to the types of data that the bad actors have had access to, and whether all victims of these attacks have already been reached out to by the government so far.


However, since we are talking about credential-stuffing attacks, we can point out that people who use the same credentials for multiple sites and programs are at risk of being victims of this type of attack. Various resources are available to help you find out if one of your accounts has ever been the victim of a data breach. We recommend that you consult our recent article on this subject for more details.

Even if you might not have been a victim of cyber attackers this time around, adopt better security habits now to avoid being a victim of the next attack.

First and foremost, we can never say it too much: never recycle a password. This is an easy and essential step to ensure the security of you and your data. In this case, the bad actors used previously stolen login/password combinations for their attacks.

Use passwords – or better yet, passphrases – that are strong and unique for each of your accounts. You can use a reliable password manager to help you create and, above all, memorize strong and unique passwords. Enable multi-factor authentication, whenever it’s available, to add an extra layer of security to your accounts. Regularly check your personal records for anomalies, especially if you have been the victim of data theft.

Photo credit (caption): Kyle Pearce, Canada Flags in English Bay, Flickr.


How to secure your TikTok account

From keeping your account safe to curating who can view your liked content, we look at how you can increase your security and privacy on TikTok

TikTok, one of the most recent additions to the roster of major social media platforms, has been enjoying immense popularity since its debut three years ago. The app is available across more than 150 countries and has hundreds of millions of active users worldwide. Millions of people create, share, and watch videos, as well as engage with each other on a daily basis, with some doing it for fun, while others are trying to make a career out of it, hoping to be the next big influencer.

TikTok is also making headlines for other reasons, with India instituting a ban on the video app and the US government taking steps to ban all transactions with ByteDance, TikTok’s parent company. The video app has also been fined by the United States’ Federal Trade Commission for violating the Children’s Online Privacy Protection Act and by South Korean authorities for mishandling children’s data.

The app’s users face challenges similar to those on other social media platforms; these include scammers, spammers, and cyberbullies. In this article, we’ll guide you through the privacy and security options TikTok provides its users in order to secure and protect their accounts.

Securing your TikTok account

When you sign up, you have the option to do so using one of the popular single sign-on options as well as using your phone number or email. As far as managing your account goes, TikTok keeps it pretty much straightforward and the settings are all unsurprisingly housed under “Manage my account”.


The platform allows you to authenticate your account either by sending a verification text message to your phone number or authenticating it using your email. To be on the safe side, you can go for both options. If you want to add a password, you’ll again be authenticated using a text message; only then can you create one. It may look like a nifty option, but it is worth noting that besides these text messages there is no two-factor authentication option, something that most prominent social media platforms offer.

Besides the standard array of options we’ve already mentioned, you also have the Security option in the same menu. This has an overview of any security alerts that you should know about, such as any suspicious account activity. You can also monitor all the devices that you’re logged in on. It shows you the device, the means by which you logged into the account (e.g. Facebook account), and when. You can simply log out of the devices by tapping on them in the menu and then tapping Remove.

Privacy and safety options

This basically functions as your hub for managing all the permissions and access related to your account. When you create your account on TikTok, it’s public by default; you can toggle the option in the Discoverability section as well as whether the app should suggest your account to users who might be interested in it.


As for safety, you could say TikTok tries to take a comprehensive approach. One of the options it gives you is to decide whether other users can or can’t download your videos, though currently this is running only on a trial basis. Bear in mind that users can circumvent the download ban by screen-grabbing the video.


To exchange messages with anyone, you have to follow them, and they have to follow you back. The social media app considers these contacts your “friends”. So, spam or abusive messages from trolls that are abundant on other social media are limited by your contact list, which mitigates the risk since you handpick the people who can message you. On the other hand, you’re probably going to follow a lot of creators, so it doesn’t eliminate the risk of receiving dubious messages. However, what does eliminate the risk is disabling your direct messages completely. If you don’t want to go down that road you can also block users on a case-by-case basis; those will appear in your block list.

You can also decide whether users can duet with your videos, which means that they combine your videos with their own. You can choose between turning it off, allowing everyone to duet with you, or limiting it to just your friends.

As you browse TikTok, you will also see videos you might want to revisit later, so you like them. These will be collected in the liked videos section of your profile and you can allow everyone to see what you’ve liked or keep it private by toggling a switch in the privacy settings.

Moderating comments is also one of the options afforded to users. Again, you can turn it off completely, limit it to friends, or allow everyone to comment. The app also offers a filter, which will automatically filter spam and offensive comments when turned on, and you can fine-tune it further by adding specific keywords, which when mentioned, will automatically hide the comment.


Before and after uploading you can still edit some privacy options for individual videos such as allowing duets, comments, and making the video public or private.

In summary

This article should give you a pretty good idea of the privacy and security settings that TikTok offers. However, as with all social media, these settings tend to go through overhauls from time to time, especially since these platforms tend to be scrutinized about how they handle user privacy and data, so the best advice is to regularly audit your security and privacy settings. And while you’re at it, why not check up on your Facebook and Google accounts too?

If you are a parent, you might be interested in what kinds of parental control tools TikTok has to offer, which we will cover in an article next week.

Week in security with Tony Anscombe

This week, ESET researchers analyze fraud emails from the infamous Grandoreiro banking Trojan, impersonating the Agencia Tributaria, Spain’s tax agency. Our security expert Jake Moore demonstrates how easy it is to clone an Instagram account and lure people into giving money; learn how to protect yourself. Finally, have you thought about what will happen to your digital life after your death? We offer advice on preparing your digital legacy. All this – and more – on WeLiveSecurity.com.

How to prepare and protect your digital legacy

It’s never too soon to plan for what will happen to your digital presence after you pass away

Forgive me for writing about what may seem, at first glance, like a sensitive topic while many parts of the world continue to struggle with the COVID-19 pandemic.

I, like many people, use the internet as a daily part of life and in ways that cause my online and offline worlds to be entwined. Recent events have provoked me into thinking about creating guidance while preparing my own digital world so that, if something unexpected happens to me, those that I leave behind will be less stressed when dealing with my digital legacy.

The important elements of a digital footprint may include, but are not limited to, financial accounts, family photographs, music collections and playlists through to social media and email accounts. Some service providers may have a broad range of services: for example, Google could be providing email, photos and cloud storage, while Spotify may be storing your favorite playlists. Accessing the data or managing the online accounts could be important both in the short term, to inform people about a situation, and in the long term, to ensure no important data needed by those you leave behind is lost. If, as in my situation, you store important documents and family photographs in the cloud, when you pass others may need to access, and possibly to manage, this storage so matters can be dealt with and memories captured in photos are preserved.

I have never been an avid user of social media apps other than LinkedIn and Twitter, and then really only for business purposes, so my footprint may be much lighter than the typical user’s. However, I do have relatively unused accounts on Facebook and Instagram, so there are considerations to ensure they are taken care of in the right way. One of the key considerations is whether you want your social media profiles to be memorialized or deleted, or to leave this decision to others after your passing. The suggested actions below may not cover all services or accounts, but they should constitute a good starting point for making the preparations needed to ensure your data lives on, that loved ones can gain the access needed or that your right to be forgotten is observed.

Getting your digital affairs in order

Appoint a digital executor. It’s common practice to appoint an executor in a will, someone trusted who takes care of property, finances and assets and distributes them according to your wishes. Today’s world means you may also need a digital executor to take charge of and handle digital assets – deleting, converting, downloading and managing accounts and profiles. In the same way that you list important financial assets, you may wish to list digital assets and what your specific instructions are for each one, so that there is no confusion or disagreement among the people you leave behind. Currently, not all states or countries recognize the legal status of a digital executor, but it does demonstrate the precise wishes of the deceased and would hopefully be respected by companies where permitted by law.

Entrusting a person with the information needed to access a service or data may be imperative in some instances. For example: if you hold any cryptocurrency in a digital wallet, it would be challenging, or impossible, for the executor or a beneficiary of your estate to access this without knowing the personal private key. Coin Metrics estimates that at least 1.5 million bitcoins are lost for a variety of reasons, including death, which equates to over US$16 billion in just one cryptocurrency. It’s not recommended to store the details of the private key in a will, since this may become a public document after death. Whether you share the passwords and PIN with a loved one, write them down and keep them in a safe, or distribute different parts of the key to a group of friends, it is clear that you need to make advance preparations so that any assets held in cryptocurrency can be passed on.

Another option is to use a password manager to create a single repository where account credentials are stored. This option has the benefit of enabling extremely complex (and hence secure) passwords to be generated, since the need to remember them all is removed; all you need to remember is one single, very strong, password to unlock the password manager. It’s also a protection against keyloggers, as they cannot monitor something that is not being typed in. Some password managers include a variety of options including creating a family plan, a file vault providing each user a secure place to store important documents and information and a variety of options for password recovery should it be needed.

There is commonality among most service providers on the documentation they require to be submitted when notifying them that someone has passed; for the requester, these include a power of attorney, birth certificate, the will or an estate letter. Official documents validating the death, such as a death certificate or a link to an obituary, will also need to be submitted. Below are some examples of the information required and options offered by some of the most popular services, along with a few helpful links.

Facebook allows you to appoint a legacy contact; this gives the nominated person the ability to memorialize the account and post a final message. The legacy contact can also delete any unwanted tribute posts, remove tags, respond to friend requests, request account deletion and the like. Be cautious, though, for they can also see all posts you made even if marked as ‘Only Me’ in the privacy settings. The instructions to assign a legacy contact on Facebook can be found here. The other option is to request deletion of the account; note, though, that once deleted, access can never be regained. The details to make a deletion request can be found here. Curiously, Instagram, which is owned by Facebook,

Ritz London clients scammed after apparent data breach

Armed with personal data stolen from the hotel’s dining reservation system, fraudsters trick guests into handing over their credit card details

The Ritz London has launched an investigation into a potential data breach that affected its food and beverage reservation system. The information stolen in the breach seems to have been used by fraudsters to worm their way into the wallets of the hotel’s clients.

In a series of tweets shared over the weekend, the luxury hotel confirmed that it was made aware of the potential breach on August 12th, adding that the compromised data did not include any credit card or payment details. The hotel went on to notify all of its affected customers as well as the authorities about the breach while it investigates the incident further.

We can confirm that on 12th August 2020, we were aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data. This does not include any credit card details or payment information.

— The Ritz London (@theritzlondon) August 15, 2020

Even though no payment information was compromised according to the hotel, it seems that the cybercriminals behind the attack were after just that. According to the BBC, the miscreants leveraged the information obtained from the breach to pull off a very convincing social engineering attack. To make their ruse even more believable, they also spoofed the hotel’s official number.

Posing as hotel staff, the scammers contacted clients who had made restaurant reservations at the Ritz, asking them to “confirm” their bookings by disclosing their payment card details. One of the victims speaking to the BBC confirmed that she was contacted a day before her reservation.


The fraudsters claimed that her card was declined and requested that she provide an alternative bank card. Once they were able to obtain the information, the ne’er-do-wells went on to rack up charges of over £1,000 (some US$1,300) at Argos, a catalog retailer.

When the suspicious transactions were flagged by the victim’s bank, the cybercriminals contacted her again. This time, however, they pretended to be from her bank and tried to deceive her into disclosing the security code she’d received, stating they needed it to cancel the transaction, while the code would, in fact, have authorized it.

The Ritz is just the most recent addition to the list of hotels that have fallen victim to similar incidents. Last summer, MGM Resorts suffered a breach that affected 142 million of its former guests. Hotel giant Marriott, meanwhile, was hacked twice in a span of two years.

Attack of the Instagram clones

Could your social media account be spoofed, why would anybody do it, and what can you do to avoid having a doppelgänger?

Social media has some great advantages, such as keeping in touch with loved ones and sharing experiences with friends, but like almost anything on the internet, it can be easily abused. With some creative thinking and a little luck on the side, it is possible for it to be used as a vehicle to steal money from unwitting victims.

I had heard stories of account cloning, but I always assumed people would check with the account holder via another form of communication or at least think twice before sending money to an account they only recently connected with. Sadly, people are still being caught out with this scam and I want to help reach those who may be unaware of how the con works.

As with all my ways of getting a security message across, I needed to conduct a little experiment to test this scam in the real world and see first-hand the ease with which it can work. It’s easier to get a message across about the risks when people are shown a real example of the scam working; then they want to better protect their accounts and themselves. All I needed was a volunteer who would be willing to allow me to set up a cloned account and then attempt to dupe their friends. However, wow am I quickly running out of friends to con! I looked far and wide, but no one wanted to play ball on this one.

Therefore, having failed to find someone happy for me to clone their account for the test, I decided I would have to clone my own Instagram. I follow nearly 900 accounts on Instagram and I am usually posting the same old seascape photos or pictures of me prancing around at the beach to my 1,400 followers. I decided to make a new account on my spare phone and took four screenshot copies rather than uploading the originals, to make it as authentic as possible, just like someone else would have done it. It was easy to duplicate these images; the only potential difficulty was the profile picture, which would have needed to appear in the feed for a quality copy to be made.

Here is a screenshot of my real Instagram account, @jakemooreuk.

And here is my cloned Instagram account, @jakemoore_uk. Notice the change in bio to include “NEW ACCOUNT AFTER LOSING ACCESS TO ORIGINAL”.

I decided to follow 30 of my friends to see if they would follow me back and let the experiment begin. Ten were private accounts, therefore they required approval, and 20 were public accounts.

Within moments I had three private account owners accept my request and two followed me back. This was a good start. I was expecting someone to contact me via a different communication method and question this request, particularly due to my line of work and the embarrassment that I could have been subjected to, understanding that even I am susceptible to an account compromise!

But no one did. In fact, the numbers increased. Thirteen accounts followed me back on the same day and by the evening I decided to message these people and see what sort of responses I would receive.

Initially, I mentioned the account compromise and thanked them for accepting the new follow request and then went in with a request to catch up.

This received 8 replies from my 13 new followers. The goal of the test was to create a good enough back story to quickly request money without raising suspicion. Such a request would rarely succeed if the contact had been unsolicited, but when victims believe they know who they are talking to, they are far more likely to part with their cash.

One of my contacts replied with a hopeful message. She clearly felt bad for me and agreed how frustrating it would be.

Social engineering at its best requires believability, confidence and a little luck to make it all plausible and make sense. Simply asking people to wire money to a random bank account in the first message would have most likely raised the alarm bells, so I planned to divert the conversation to discuss my cashflow situation as soon as the thread allowed me.

Prior to the test, I created a new PayPal account in my name to make it seem more legitimate than a bank account number, which is similar to what a fraudster would do with a similar-sounding email address as my name in the PayPal account. I chose this as it was available – [email protected]

Here is how the conversation went:

What I found most disconcerting was how quickly it all escalated: I was able to trick the target into thinking it was genuine with no extra checks required. I was even able to make her the one to offer to help me, which was a nice little twist. This is a clever technique commonly used by professional social engineers, reversing the psychology so that they never have to ask for the money themselves.

NB: I was able to get in touch with my contact before she deposited any money into this new PayPal account, but it proved one simple thing – this scam is easy to carry out when such a mass of information is offered online. All that is really needed is an account to clone and a set of contacts.

So how can people keep their social media accounts safe?

It is vital to try to reduce the amount of personal information and photos of ourselves online where possible. Although this is a huge task, it is important to teach the next generation of social media users to try to limit the amount of information that is posted online before it is out in the open forever. This

Google will test new feature in Chrome to curb phishing

The web browser will only display domain names as a way to help people recognize impostor websites
