The fastest, most secure browser? Microsoft Edge apparently

Microsoft may have taken the decision to ditch Edge's browser engine for Google's Chromium too soon.

According to the Security Council of Certificate Authorities (CASC), the current Edge browser is in fact the fastest and most secure browser on the market when it comes to identifying and blocking dodgy websites.

The CASC has put out a set of predictions for 2019 – including the claim that more than 90 per cent of the world's http traffic will be secured over SSL/TLS in 12 months' time – but also reviewed where we are in terms of security now.

And, remarkably, it is Edge, rather than Chrome or Firefox that has the, um, edge when it comes to phishing websites.

The industry group gave Edge a "protection score" of 93.6 per cent, compared with just 87.9 per cent for Chrome and 87.0 per cent for Firefox. The score was created by identifying what percentage of phishing sites each browser identified and blocked over time.

Edge succeeded in identifying 98 per cent of phishing sites and the other two just 96 per cent, but the key metric was how fast they did so – because phishers now understand that their sites will be blocked within days and so focus all their efforts on having a big impact as fast as possible.

Edge outperformed Chrome and Firefox when it came to quickly spotting and blocking: it immediately stops 89 per cent of phishing sites in their tracks, some 10 per cent more than Chrome and 12 per cent more than Firefox.

In two days, Edge had closed off 97 per cent of dodgy sites, with Chrome and Firefox trailing with 95 per cent. Even this improved performance isn't good enough though, complains CASC.

"While browser filters such as Microsoft Smart Screen and Google Safe Browsing do a good job at detecting many phishing sites… most phishing sites are set up and taken down in a matter of hours, not days, this means many thousands of users are not meaningfully protected by browser filters," it said.

Here phishy phishy

Why does this matter? Because, the CASC warns, while some aspects of browser security are getting better, it expects the number of phishing sites to rocket next year. "We predict the problem of encrypted phishing sites that imitate real websites will get significantly worse in 2019," it states.

And it has produced an interesting graph showing the number of malware versus phishing sites from 2012 through to this year. The trends are stark: while malware sites peaked at around 600,000 in 2017, the introduction of new security measures has had a significant impact over 2018, pulling them down to around 100,000. By contrast, phishing has taken off: in one year the number of phishing sites has doubled from 500,000 to over one million.


"It's not too dramatic to say there has been an explosion of phishing sites using encryption to trick users," the CASC notes, flagging recent findings from another study that show phishing sites are using anonymous and free TLS certificates to circumvent security checks – at least for a time.

"This growth in encrypted phishing has primarily occurred via Domain Validated certificates," the CASC notes. "These certificates can be acquired via automation [and] are anonymous [with] no identity information required."

It's not hard to see an incentive for the CASC in pointing out the phishing problem: if browsers gave its members' certificates a higher level of credibility and/or downgraded free alternatives, they would benefit immediately and companies offering free certificates would face a tougher market.

But the point is still valid: we are getting a more secure internet thanks to secure certificates and browsers put up warnings if websites don't have one, but companies offering free certificates risk undermining that improvement because they have become the focus of online criminals.

Logging

One interesting point in the report: the CASC predicts that in 2019 there will be "a major state-sponsored attack on Certificate Transparency (CT) logs causing Internet outages."


That's referencing Chrome and Safari's requirement that certificates be logged before they are trusted by the browsers. Firefox has said it will join the initiative soon. In order to smooth things, certificate authorities will "pre-log" their certificates before they officially issue them so a website is trusted from day one. But, the CASC warns, that makes the log a tempting target.

CT logging represents a "single point-of-failure for websites worldwide," the CASC warns, "after all, if a website can’t obtain or renew a certificate recognized as logged and therefore 'trusted' by the browsers, that website will essentially be brought down and can no longer communicate with users."

As such, a denial of service attack on the key CT logs is likely to attract "the kind of attack that a state-sponsor could launch for the purpose of shutting down major websites around the world."

CASC points out that one suspected attack happened just last month, when Google's CT logs were hit hard for over an hour. Google published its post-mortem on the incident this week and noted that the attack was actually the result of additional traffic generated by it migrating the logs from C++ to Trillian: something that its automated system interpreted as an attack.

Regardless, the point remains the same: CT logs could be a very effective way of disrupting the global internet. The CASC didn't offer a solution in its post. 


Windows 10 can carry on slurping even when you're sure you yelled STOP!

Updated: A feature introduced in the April 2018 Update of Windows 10 may have set off a privacy landmine within the bowels of Redmond as users have discovered that their data was still flowing into the intestines of the Windows giant, even with the thing apparently turned off.

In what is likely to be more cock-up than conspiracy, it appears that Microsoft is continuing to collect data on recent user activities even when the user has explicitly said NO, DAMMIT!

First noted in an increasingly shouty thread over on Reddit, the issue is related to Activity History, which is needed to make the much-vaunted and little-used Timeline feature work in Windows 10.

Introduced in what had previously been regarded as one of Microsoft's flakiest updates – prior to the glory of the October 2018 Update, of course – Timeline allows users to go back through apps as well as websites to get back to what they were doing at a given point.

Use a Microsoft account, and a user can view this over multiple PCs and mobile devices (as long as you are signed in with that same Microsoft account). The key setting is the "Send my activity history to Microsoft" check box. Uncheck it and you'd be forgiven for thinking your activity would not be sent Redmondwards. Right?


Except, er, the slurping appears to be carrying on unabated.

The Redditors reported that if one takes a look at the Activity History in the Privacy Dashboard lurking within their account, apps and sites are still showing up.

The fellows over at How To Geek have speculated the issue may be something to do with Windows' default diagnostic setting, which is set to Full and will send back app and history information unless changed to Basic. Of course, Windows Insiders have no option but to accept Full, although a bit of slurping is likely to be the least of their problems.

A thread at TenForums has also provided a guide to turning the thing off, ranging from tinkering with Group Policies through to diving headlong into the Registry. Neither option is likely to appeal to users who would expect that clearing the "Send data" box would stop data being sent.

Deliberate slurpage, or a case of poor QA and one team not talking to the other aside, it isn't a great look for Microsoft and users are muttering about potential legal action. Privacy lawyers will certainly be taking a close look – after all, the gang at Redmond are already under scrutiny for harvesting data and telemetry from lucky users of Windows 10.

Google has been on the receiving end of a sueball for slurping location data from users' phones and providing an over-complicated way to turn off the "feature".

It is all a bit of a mess and has left users unsure of what is being collected and when. We have contacted Microsoft to find out how it plans to deal with the situation (ideally before 2018's privacy bogeyman, GDPR, makes an appearance) and will update if a response is forthcoming. ®

Update 13 December 16.45UTC

Microsoft got in touch to insist it is committed to privacy and transparency, but admitted there is indeed a bit of a naming problem, with "Activity History" cropping up in both Windows 10 and the Microsoft Privacy dashboard.

Marisa Rogers, Privacy Officer at the software giant, told us: "We are working to address this naming issue in a future update."

The slurpage collection is of course for your benefit and Rogers added that users have "controls to manage your data."

As for turning the thing off, Microsoft confirmed that, yes, you have to go to two places to actually stop your Activity History being shared with Redmond:

1. Under Settings->Privacy->Activity history: ensure the setting "Let Windows sync my activities from this PC to the cloud" is not checked

2. Under Settings->Privacy->Diagnostics & feedback: ensure Diagnostic data is set to Basic



Computer genius built a fraud machine to con savings from hundreds of bank customers

A conman built a fraud machine which he used to dupe £500,000 from bank customers.

Metropolitan Police officers discovered the bizarre device when they raided the home of Tony Muldowney-Colston, a computer genius who had a history of carrying out sophisticated frauds.

The machine, known as a Semi-automatic Social Engineering Bank Telephone Machine, allowed Muldowney-Colston to alter his voice to pretend to be someone of any age or gender.

This allowed the 53-year-old to impersonate genuine customers when he spoke to banks. The machine also played pre-recorded bank messages in a bid to trick unsuspecting victims.

The Met Police said the machine was used in a scam that conned hundreds of people out of money.

During the raid officers also seized a hard drive containing details of passports and identity cards, 32 credit cards, and a spreadsheet containing names, addresses, email addresses and phone numbers.

The fraud machine built by Tony Muldowney–Colston CREDIT: METROPOLITAN POLICE

Muldowney-Colston built his device while on licence for masterminding a £1.25million cyber bank heist which targeted scores of individuals, including comedian Stephen Merchant.

He had been jailed for five and a half years in 2014 for leading a gang that planted a hi-tech computer hacking device in a bank to empty high-value accounts.

Six high-worth accounts were emptied, with the University of Portsmouth and the London Metropolitan University among the victims.


Prior to his criminal career Muldowney-Colston had been a successful professional gambler, who had astounded teachers as a teenager by passing a special O-level in fruit machine technology aged just 16.

At the height of his gambling career he raked in £23,000 a day before he was barred from every casino in Britain.

He rose to notoriety in the 1980s when he became known as the "King of Acid House" for organising some of Britain's most notorious raves, one of which was banned by then home secretary Douglas Hurd.

Then in 2003, Muldowney-Colston travelled to Hong Kong where he set up an engineering company which produced a component for a Formula One car.

But it was when he moved back to Britain to marry and start a family that police believe he became an accomplished fraudster.

Jailing Muldowney-Colston for 20 months at Southwark Crown Court on Tuesday, Judge Jeffrey Pegden, QC, said: “In July 2016 you then had a significant period where you complied with your licence but you then returned to fraudulent behavior.

“Over a period of months and with a very significant degree of planning you made a whole variety of items for use in fraud.”

Muldowney-Colston, of Clifton Street, Brighton, admitted nine counts of possession of an article for use in fraud and two counts of making or supplying an article for use in fraud and was jailed for 20 months.


Following the sentencing Det Insp Philip McInerney from the Met Police's Cyber Crime Unit said: “The scam carried out by Muldowney-Colston affected hundreds of people across the UK, and had the potential to affect many more.

“He is an audacious criminal who only recently was released from prison for carrying out very similar offences.

“He shows no concern for the welfare of any individual or organisation, and has made it clear he will use a range of methods to achieve significant financial gain for himself.”

How safe is hotel WiFi?

Public WiFi isn't safe and, without the right protection, your personal information could become public. Unfortunately, hotel WiFi networks are no safer than other public WiFi and should be treated with the same caution. More alarmingly, recent reports have revealed that hotel WiFi networks are being targeted because of the high-value information accessible on the laptops of people travelling for work.

What is alarming about last week's massive hack of the Marriott International hotel group is that investigators suspect multiple hacking groups may have been inside Marriott's computer networks since 2014, Reuters quoted one of its sources as saying. This follows a recent report explaining that communal WiFi used by hotel chains is particularly vulnerable to hackers.

Public WiFi is unsecured; this means data you transmit or receive is unprotected. Anybody on the same network could spy on your information if they have the know-how.

If you do decide to use public WiFi, be careful about the types of sites you visit.

It's safest not to log in to any sites that require a password, because hackers could be using software kits to capture yours. Avoid any websites that hold any of your sensitive information, like banking sites or transactional sites on which you store credit card information.

If you must use the WiFi at your hotel, you can protect yourself by using virtual private network (VPN) software. Even if the network you're connecting to has been compromised by malware, sniffers, or some other tactic, if you use a VPN, all the attackers can see is encoded and encrypted versions of what you're doing. They can't intercept it, can't read it, and can't capture the private information you transmit.

As an alternative, when you need to bank, buy or browse securely, use a cellular connection instead. Using a local or travel SIM in your phone (as a hotspot), or a separate mobile WiFi router, is much more secure. It also provides mobility, allowing you to connect on the go for essential travel services such as Google Maps, Uber, etc.

Sunscreen, caution and maybe a travel SIM or PocketWiFi = happy holidays


Satan Ransomware Variant Exploits 10 Server-Side Flaws

Windows, Linux systems vulnerable to self-propagating 'Lucky' malware, security researchers say.

A new version of ransomware that first surfaced about two years ago is garnering attention for its ability to spread via as many as ten different vulnerabilities in Windows and Linux server platforms.

"Lucky," as the new malware is called, is a variant of Satan, a data encryption tool that first became available via a ransomware-as-a-service offering in January 2017. Like Satan, Lucky also is worm-like in behavior and capable of spreading on its own with no human interaction at all.

Security vendor NSFocus spotted the variant on systems belonging to some of its financial services customers in late November, and described it as likely to cause extensive infections worldwide. The malware is capable of exploiting previously known vulnerabilities in Windows SMB, JBoss, WebLogic, Tomcat, Apache Struts 2, and Spring Data Commons.

Sangfor Tech, another security vendor, also heard from a customer in the financial sector about Lucky infecting some of their Linux production servers. In a blog post, Sangfor said its researchers found the ransomware to encrypt files and append the name '.lucky' to the encrypted files.

NSFocus identified the ten vulnerabilities that Lucky uses to propagate itself: JBoss default configuration vulnerability (CVE-2010-0738); Tomcat arbitrary file upload vulnerability (CVE-2017-12615); WebLogic arbitrary file upload vulnerability (CVE-2018-2894); WebLogic WLS component vulnerability (CVE-2017-10271); Windows SMB remote code execution vulnerability (MS17-010); Spring Data Commons remote code execution vulnerability (CVE-2018-1273); Apache Struts 2 remote code execution vulnerability (S2-045); Apache Struts 2 remote code execution vulnerability (S2-057); and Tomcat Web admin console backstage weak password brute-force flaw.

"There is a risk of extensive infections because [of the] big arsenal of vulnerabilities that [the malware] attempts to exploit," says Apostolos Giannakidis, security architect at Waratek, which also posted a blog on the threat.

All of the vulnerabilities are easy to exploit, and actual exploits are publicly available for many of them that allow attackers to compromise vulnerable systems with little to no customization required, he says. Several of the vulnerabilities used by Lucky were disclosed just a few months ago, which means that the risk of infection is big for organizations that have not yet patched their systems, Giannakidis says.

All but one of the server-side vulnerabilities that Lucky uses affect Java server apps. "The vulnerabilities that affect JBoss, Tomcat, WebLogic, Apache Struts 2, and Spring Data Commons are all remote code execution vulnerabilities that allow attackers to easily execute OS commands on any platform," he notes.

Ransomware attacks have not been quite as high-profile this year as they were in 2017, with the WannaCry and NotPetya outbreaks. But as the new Lucky variant shows, ransomware still remains a popular tool in the attacker's arsenal.

SecureWorks recently analyzed threat data from over 4,000 companies and found that low and mid-level criminals especially are maintaining a steady level of malicious activity against enterprises using ransomware and cryptomining tools. The firm found no discernible difference in ransomware activity between this year and 2017.

Ransomware Pivots to Servers

Like other self-propagating malware, Lucky attempts to spread right after it completes encrypting files on the victim system. The malware scans for specific IPs and ports on the local network and then sends its malicious payload to any systems that are discovered to be vulnerable.

Lucky is an example of how attackers have evolved ransomware tools over the past two to three years. Instead of targeting OS vulnerabilities—such as the Windows SMB protocol—on desktop and other end-user systems, attackers have pivoted to attacking servers instead, Giannakidis notes.

"Instead of targeting OS vulnerabilities their focus is now applications and services on servers," Giannakidis says. "This is also evident by the fact that the ransomware targets Linux systems, which are primarily used for servers."

One reason for the shift in attacks could be that patching server-side applications is a considerably more difficult task than patching desktops. Servers with vulnerabilities in them are likely to remain unpatched—and therefore exposed to attack—for longer periods than vulnerable end-user systems, Giannakidis notes. "According to recent studies, organizations need on average at least three to four months to patch known vulnerabilities with windows of exposure of more than one year to be very common in the enterprise world."

What to Do

NSFocus recommends using an egress firewall or similar functionality to check for suspicious port scanning activity as well as for vulnerabilities being exploited. Security admins should also check for requests to a list of four specific IP addresses and domains; NSFocus has provided steps that organizations can follow to remove the malware from infected systems.

And upgrade to the latest versions of affected software, NSFocus says, and install patches where available.
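The propagation behaviour described above (a freshly infected host sweeping neighbouring IPs on the ports of the services it can exploit) and NSFocus's advice to watch firewall logs for port scanning both come down to the same detection question: which internal host is touching an unusual number of distinct service endpoints in a short time? The script below is an added example, not NSFocus's or Sangfor's tooling. It parses constructed firewall log lines, keeps a sliding time window per source host, and flags any source that reaches at least `min_targets` distinct (destination, port) pairs on a watch-list of service ports within that window. The log format, the port list (default ports for SMB, JBoss/Tomcat/Struts and WebLogic) and the thresholds are assumptions chosen for the example.

```python
"""Sliding-window detector for lateral service-port scanning (added example).

A worm that spreads the way the Lucky write-up describes contacts many
neighbouring hosts on a handful of service ports within seconds.  A benign
client talks to the same few servers repeatedly.  Counting *distinct*
(dst, dport) targets per source inside a short time window separates the two.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed default ports of the services named in the article:
# SMB 445, JBoss/Tomcat/Struts 8080, WebLogic 7001.
SERVICE_PORTS = frozenset({445, 8080, 7001})

# Assumed key=value firewall log format; all lines below are constructed sample data.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)

SAMPLE_LOG = """\
2018-12-03T10:00:00Z src=10.0.1.15 dst=10.0.1.20 dport=445 action=DENY
2018-12-03T10:00:01Z src=10.0.1.15 dst=10.0.1.21 dport=445 action=DENY
2018-12-03T10:00:02Z src=10.0.1.15 dst=10.0.1.22 dport=445 action=ALLOW
2018-12-03T10:00:03Z src=10.0.1.15 dst=10.0.1.23 dport=445 action=DENY
2018-12-03T10:00:04Z src=10.0.1.15 dst=10.0.1.23 dport=22 action=DENY
2018-12-03T10:00:05Z src=10.0.1.15 dst=10.0.1.20 dport=8080 action=DENY
2018-12-03T10:00:06Z src=10.0.1.15 dst=10.0.1.21 dport=8080 action=ALLOW
2018-12-03T10:00:07Z src=10.0.1.15 dst=10.0.1.22 dport=7001 action=DENY
2018-12-03T10:00:08Z src=10.0.1.15 dst=10.0.1.24 dport=445 action=DENY
2018-12-03T10:00:10Z src=10.0.1.40 dst=10.0.1.50 dport=8080 action=ALLOW
2018-12-03T10:00:18Z src=10.0.1.40 dst=10.0.1.50 dport=8080 action=ALLOW
2018-12-03T10:00:26Z src=10.0.1.40 dst=10.0.1.50 dport=8080 action=ALLOW
2018-12-03T10:00:34Z src=10.0.1.40 dst=10.0.1.50 dport=8080 action=ALLOW
2018-12-03T10:00:42Z src=10.0.1.40 dst=10.0.1.50 dport=8080 action=ALLOW
2018-12-03T10:00:50Z src=10.0.1.40 dst=10.0.1.50 dport=8080 action=ALLOW
2018-12-03T10:00:00Z src=10.0.1.42 dst=10.0.1.60 dport=445 action=ALLOW
2018-12-03T10:02:00Z src=10.0.1.42 dst=10.0.1.61 dport=445 action=ALLOW
2018-12-03T10:04:00Z src=10.0.1.42 dst=10.0.1.62 dport=445 action=ALLOW
2018-12-03T10:06:00Z src=10.0.1.42 dst=10.0.1.63 dport=445 action=ALLOW
2018-12-03T10:08:00Z src=10.0.1.42 dst=10.0.1.64 dport=445 action=ALLOW
2018-12-03T10:10:00Z src=10.0.1.42 dst=10.0.1.65 dport=445 action=ALLOW
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"]}


def detect_scanners(lines, window=timedelta(seconds=60), min_targets=5, ports=SERVICE_PORTS):
    """Return {src: peak_distinct_targets} for sources that reached at least
    `min_targets` distinct (dst, dport) pairs on `ports` within any `window`.
    Denied and allowed attempts both count: a blocked probe is still a probe."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in ports:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # distinct (dst, dport) targets currently inside the window
        start = 0
        peak = 0
        for ev in evs:
            in_window[(ev["dst"], ev["dport"])] += 1
            # Slide the window start forward past events older than `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                old = (evs[start]["dst"], evs[start]["dport"])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible lateral scan from {src}: {n} distinct service targets in 60s")
```

With the sample data only 10.0.1.15 is flagged: 10.0.1.40 hammers a single server, and 10.0.1.42 touches six hosts but spread two minutes apart, so no 60-second window holds more than one target. Widening the window to 15 minutes catches that slow sweep too, which is the trade-off to tune against the noise of legitimate management hosts on a real network.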
