A threat actor can use DNS poisoning or DNS spoofing to redirect the victim to a malicious website hosted at an IP address on a server controlled by the attacker instead of the legitimate location.

The library uClibc and its fork from the OpenWRT team, uClibc-ng. Both variants are widely used by major vendors like Netgear, Axis, and Linksys, as well as Linux distributions suitable for embedded applications.

According to researchers at Nozomi Networks, a fix is not currently available from the developer of the developer of uClibc, leaving products of up to 200 vendors at risk.

Vulnerability details

The uClibc library is a C standard library for embedded systems that offers various resources needed by functions and configuration modes on these devices.

The DNS implementation in that library provides a mechanism for performing DNS-related requests like lookups, translating domain names to IP addresses, etc.

Nozomi reviewed the trace of DNS requests performed by a connected device using the uClibc library and found some peculiarities caused by an internal lookup function.

After investigating further, the analysts discovered that the DNS lookup request's transaction ID was predictable. Because of this, DNS poisoning might be possible under certain circumstances.

Flaw implications

If the operating system doesn't use source port randomization, or if it does but the attacker is still capable of brute-forcing the 16-bit source port value, a specially-crafted DNS response sent to devices using uClibc could trigger a DNS poisoning attack.

DNS poisoning is practically tricking the target device into pointing to an arbitrarily defined endpoint and engaging in network communications with it.

By doing that, the attacker would be able to reroute the traffic to a server under their direct control.

Mitigation and fixing

Nozomi discovered the flaw in September 2021 and informed CISA about it. Then, in December, it reported to the CERT Coordination Center, and finally, in January 2022, it disclosed the vulnerability to over 200 potentially impacted vendors.

As mentioned above, there's currently no fix available for the flaw, which is now tracked under ICS-VU-638779 and VU#473698 (no CVE yet).

Currently, all stakeholders are coordinating to develop a viable patch and the community is expected to play a pivotal role in this, as this was precisely the purpose of the disclosure.

As the affected vendors will have to apply the patch by implementing the new uClibc version on firmware updates, it will take a while for the fixes to reach end consumers.

Even then, end-users will have to apply the firmware updates on their devices, which is another choke point that causes delays in fixing critical security flaws.

"Because this vulnerability remains unpatched, for the safety of the community, we cannot disclose the specific devices we tested on," says Nozomi

"We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure."

Users of IoT and router devices should keep an eye on new firmware releases from vendors and apply the latest updates as soon as they become available.

Unpatched DNS bug affects millions of routers and IoT devices

Botnet that hid for 18 months boasted some of the coolest tradecraft ever

Not only couldn't he access the journal article he sought, but he couldn't even get to the issue's table of contents. "I was shocked," he says. "I still have a lot of idealism around academia, and that felt antithetical to the mission of these journals, which is to share knowledge."

At that point, Friedman couldn't do much more than accept cookies when he needed to view something that required them. But the experience stuck with him, to the point that he incorporated the subject into his research agenda, which otherwise centers around gerontology and geriatric emergency medicine.

Out of that grew the Penn-CMU Digital Health Privacy Initiative, which Friedman now runs with Penn Medicine's Matthew McCoy and Lujo Bauer, a computer scientist at Carnegie Mellon University. Funded by the Public Interest Technology University Network (PIT-UN), facilitated at Penn by the SNF Paideia Program, the initiative aims to pinpoint precisely how the routine collection of non-health data might inadvertently reveal a person's health profile and what implications this has for a range of areas, from insurance coverage to credit scores.

During its first year, the group has worked toward comprehensively mapping third-party tracking across the online health ecosystem, including on websites for medical journals and hospitals. The next step, according to McCoy and Friedman, is to assess how this tracking might lead to inferences about a person, targeted ads, and more.

"In a lot of different corners of the web, you can't access health information without being tracked," says McCoy, an assistant professor of medical ethics and health policy. "Most people probably know about cookies, but they likely don't think about their implications, about what it means to have an entity know all the pages you look at. We want to help people understand why this matters."

Online browsing during a pandemic

When Friedman joined the faculty at Penn's Perelman School of Medicine in 2019, he began thinking about the trajectory of his research agenda.

During one early conversation with Penn medical ethicist Atheendar Venkataramani, Friedman described the wall he'd hit turning off cookies for a medical journal website. Venkataramani suggested he talk to McCoy, and soon the two began collaborating, partnering with Timothy Libert, a Penn alum then at CMU, who has since left for a job in the private sector.

Then the pandemic hit. "It's almost hard to put yourself back in this head space, but one thing people really worried about early on were the privacy implications of these contact-tracing and proximity-detection apps," McCoy says. Conversely, people weren't concerned about the dozens of entities pinged each time someone visited a website related to COVID-19.

The researchers decided to analyze 500 or so of the most highly trafficked COVID-related websites, places people were turning to learn about symptoms of the new virus, for example, or find a testing location. "We wanted to figure out, if you visited one of these sites, how many parties would be able to tell that you did?" McCoy says. "Even on academic and government sites where people aren't expecting to be tracked, this kind of third-party tracking was prevalent."

Specifically, the researchers found that 99% of these webpages included a third-party data request, and 89% included a third-party cookie, results they shared in the Journal of the American Medical Association in October 2020.

Around the same time, Friedman and McCoy learned about PIT-UN, a partnership of colleges and universities that Penn joined in 2020. For several years, PIT-UN has given millions of dollars in seed funding for projects aimed at "promoting public interest in technology at the university level."

Through the 2021 PIT-UN Challenge and backed by support from the SNF Paideia Program, the researchers secured funding to officially launch the Penn-CMU Digital Health Privacy Initiative.

Implications and long-term solutions

Since their initial paper on COVID-19 websites, they've put out findings about medical journal websites, including one in JAMA Network Open on the denial of access for users who block cookies (work inspired by the original experience that led to the initiative), and another in JAMA Health Forum on the prevalence of third-party tracking on such sites. In mid-April, they published their latest results, in the journal Gerontology and Geriatric Medicine, about online health privacy risks for older adults.

"Right now, we're really in the first quarter of year two, taking the next steps to understand how the companies that are doing this tracking then use it to make inferences about your health and to target different ads to you," McCoy says. "For example, does somebody whose browsing history suggests a diagnosis of diabetes get different ads than someone whose doesn't?"

"We've documented over and over again that most health-related webpages have some tracking," says Friedman. "What are the implications of that?"

Though he and McCoy don't yet know the answer, they have some guesses. These range from relatively innocuous ad targeting to much more damaging privacy loss and the domino effect that could have on credit scores, insurance coverage, and many as-yet-undiscovered facets of someone's life. For that reason, they say they hope this research also makes consumers more aware of the potential reverberations of their browsing history.

Most people simply click "yes" on the pop-up asking about cookie use, without much thought behind what they're agreeing to, McCoy says. "The way the web is set up, right now, you don't often have an alternative to protect yourself from tracking besides unilaterally opting out of online life." The Digital Health Privacy Initiative team knows that's not realistic in most cases. Rather, they say the solutions need to come at the policy level and should address data privacy and transparency.

"The next generation of cookies isn't going to look like cookies," Friedman says. "Eventually, we hope to address just how much tracking you need to figure out someone's health status." They'll keep peeling back the layers of this opaque system—this "black box," as Friedman describes it—until they can fully follow the path these data travel across the web.

Source

In October, the REvil ransomware gang shut down after a law enforcement operation hijacked their Tor servers, followed by arrests of members by Russian law enforcement.

However, after the invasion of Ukraine, Russia stated that the US had withdrawn from the negotiation process regarding the REvil gang and closed communications channels.

REvil's Tor sites come back to life

Soon after, the old REvil Tor infrastructure began operating again, but instead of showing the old websites, they redirected visitors to URLs for a new unnamed ransomware operation.

While these sites looked nothing like REvil's previous websites, the fact that the old infrastructure was redirecting to the new sites indicated that REvil was likely operating again. Furthermore, these new sites contained a mix of new victims and data stolen during previous REvil attacks.

While these events strongly indicated that REvil rebranded as the new unnamed operation, the Tor sites had also previously displayed a message in November stating that "REvil is bad." 

This access to the Tor sites meant that other threat actors or law enforcement had access to REvil's TOR sites, so the websites themselves were not strong enough proof of the gang's return.

The only way to know for sure whether REvil was back was to find a sample of the ransomware encryptor and analyze it to determine if it was patched or compiled from source code.

A sample of the new ransomware operation's encryptor was finally discovered this week by AVAST research Jakub Kroustek and has confirmed the new operation's ties to REvil.

Ransomware sample confirms return

While a few ransomware operations are using REvil's encryptor, they all use patched executables rather than having direct access to the gang's source code.

However, BleepingComputer has been told by multiple security researchers and malware analysts that the discovered REvil sample used by the new operation is compiled from source code and includes new changes.

Security researcher R3MRUM has tweeted that the REvil sample has had its version number changed to 1.0 but is a continuation of the last version, 2.08, released by REvil before they shut down.

In discussion with BleepingComputer, the researcher said he could not explain why the encryptor doesn't encrypt files but believes it was compiled from source code.

"Yes, my assessment is that the threat actor has the source code. Not patched like "LV Ransomware" did," R3MRUM told BleepingComputer.

Advanced Intel CEO Vitali Kremez also reverse-engineered the REvil sample this weekend and has confirmed to BleepingComputer that it was compiled from source code on April 26th and was not patched.

Kremez told BleepingComputer that the new REvil sample includes a new configuration field, 'accs,' which contains credentials for the specific victim that the attack is targeting.

Kremez believes that the 'accs' configuration option is used to prevent encryption on other devices that do not contain the specified accounts and Windows domains, allowing for highly targeted attacks.

In addition to the 'accs' option, the new REvil sample's configuration has modified SUB and PID options, used as campaign and affiliate identifiers, to use longer GUID-type values, such as '3c852cc8-b7f1-436e-ba3b-c53b7fc6c0e4.'

BleepingComputer also tested the ransomware sample, and while it did not encrypt, it did create the ransom note, which is identical to REvil's old ransom notes.

Furthermore, while there are some differences between the old REvil sites and the rebranded operation, once a victim logs into the site, it is almost identical to the originals, and the threat actors claim to be 'Sodinokibi,' as shown below.

While the original public-facing REvil representative known as 'Unknown' is still missing, threat intelligence researcher FellowSecurity told BleepingComputer that one of REvil's original core developers, who was part of the old team, relaunched the ransomware operation.

As this was a core developer, it would make sense that they also had access to the complete REvil source code and potentially the Tor private keys for the old sites.

It's not surprising that REvil has rebranded under the new operation, especially with the declining relations between USA and Russia.

However, when ransomware operations rebrand, they typically do it to evade law enforcement or sanctions preventing the payment of ransoms.

Therefore, it is unusual for REvil to be so public about their return, rather than trying to evade detection like we have seen in so many other ransomware rebrands.

REvil ransomware returns: New malware sample confirms gang is back

In a pilot run that lasted less than a month, the open source project released on GitHub, was able to identify over 200 malicious npm and PyPI packages.

Project aims to combat malware in open source registries

This week, OpenSSF released its initial prototype version of the 'Package Analysis' project on GitHub.

The project repository contains tools that analyze open source packages, particularly, to hunt for malicious npm and PyPI packages.

"The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they run?" explain Caleb Brown and David A. Wheeler, who are involved in  OpenSSF's Securing Critical Projects working group.

"The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously." 

In its test run that lasted under a month, Package Analysis was able to identify more than 200 malicious PyPI and npm components, according to OpenSSF.

The vast majority of these malicious packages, says OpenSSF, are dependency confusion and typosquatting attacks.

Among all malicious packages identified by Package Analysis, one of them is 'colorsss' that has been previously deemed malicious:

The 'colorsss' package is a typosquat of the popular colors npm library, select versions of which had been sabotaged by its developer this January, as first reported by BleepingComputer.

In addition to containing some legitimate files from the colors library, malicious 'colorsss' packs obfuscated malware, according to an archived copy of the package obtained by BleepingComputer from open source security firm Sonatype:

The obfuscated code in 'colorsss' contains Discord token stealers, a recurring theme among malicious npm packages.

"Though the project has been in development for a while, it has only recently become useful following extensive modifications based on initial experiences," states OpenSSF in a blog post released this week.

"There are lots of opportunities for involvement with this project, and we welcome anyone interested in contributing to the future goals of... detecting differences in package behavior over time; automating the processing of the Package Analysis results; storing the packages themselves as they are processed for long-term analysis; and improving the reliability of the pipeline."

Full disclosure: I regularly attend OpenSSF group meetings as a member. The malicious typosquat, 'colorsss' mentioned in the piece had previously been analyzed by the Sonatype security research team, which includes me.

Open source 'Package Analysis' tool finds malicious npm, PyPI packages

Threat Protection is a beta feature right now. The client may notify customers of the feature, but it is turned off by default. A click on the Shield icon in the Nord VPN client displays the available options.

Threat Protection blocks "ads, trackers, malicious websites and files" according to NordVPN; this is a core difference to the previously supported CyberSec feature of the NordVPN client, which blocked ads and malicious websites only using DNS filtering.

The CyberSec preference is no longer available under General in the Settings, and some customers may wonder whether it has been removed completely in favor of Threat Protection.

It appears, that NordVPN moved the feature to the Threat Protection preferences page. There, users find two options that they may enable. The full Threat Protection feature, or a Lite version; the description of the Lite version sounds similar to what CyberSec offered.

The full Threat Protection feature goes beyond the blocking of resources on the DNS level. It blocks ads and tracking on the web, but also malicious websites and files:

Block malware-ridden websites -- browse without a fear of accidentally catching malware.

Avoid malicious ads -- elevated your browsing experience and enjoy a cleaner web.

Stop web tracking -- experience a whole next level of privacy.

Protect your device from infected files -- get rid of malicious files before they do damage.

According to NordVPN's description on its website, Threat Protection protects a user's browsers even without active VPN connections. NordVPN achieves this by installing certificates in the browsers. The current version supports Chrome, Safari, Edge and Firefox. For Firefox, it is necessary to restart the browser before it can be used after the certificate has been installed.

The installation of certificates gives NordVPN a high level of control of the supported browsers and activity.

Threat Protection will scan executable files that do get downloaded automatically. These may be uploaded to the cloud for checking, but only if they have a size of 20 Megabytes or less.

Closing Words

Threat Protection is a beta feature at the time of writing. NordVPN needs to provide additional information on the inner workings of the feature, as the two setup pages in the client and the informational page on the NordVPN website lack details, for instance, whether it is using its own scanning capabilities for uploaded files or using third-party services.

The client does not explain how Threat Protection is installed, only what it does once it is enabled. Installing certificates in browsers gives NordVPN a lot of control over data in the browser, and users should at least be aware of this before they hit the turn on button in the interface.

Most NordVPN customers may want to stick with the lite mode feature, or keep everything disabled in the client and use other solutions, e.g., content blockers such as uBlock Origin and antivirus solutions, to keep their devices secure.

Now You: Would you use Threat Protection on your devices?

First look at NordVPN's Threat Protection feature

This new report comes via BleepingComputer which noticed a lot of user reports regarding this new infection that seems to be affecting people worldwide. The malicious updates pretend to be real and some of them even have fake knowledge base (KB) IDs attached with them. Here are some of these fake malicious updates:

• Win10.0_System_Upgrade_Software.msi
• Security_Upgrade_Software_Win10.0.msi

• System.Upgrade.Win10.0-KB47287134.msi

• System.Upgrade.Win10.0-KB82260712.msi

• System.Upgrade.Win10.0-KB18062410.msi

• System.Upgrade.Win10.0-KB66846525.msi

   

These malicious updates are being spread via warez and piracy websites. Here is one such example:

Once the malicious files are installed, they go on to delete the backup volume shadow copy of the encrypted drives and creates a "README" HTML file that contains the ransom notes (shown in image on the bottom):

On the ransomware payment site, the threat actors ask the victims to pay up around $2,600 or 0.068 bitcoins (BTC), and the ransom is set to double if five days go without payment.

To protect yourself from such a campaign, it is best to avoid such unofficial sources of downloading Windows updates and directly download them via your settings. You can also look for standalone updates on the Microsoft Update Catalog website.

Source and images: BleepingComputer

Beware: Magniber ransomware now spreading via fake malicious Windows updates

Desktop users may select Menu > Help and Feedback > About Microsoft Edge, or load edge://settings/help directly in the browser's address bar, to display the current version of the browser. Edge runs a check for updates when the page is opened, and the new update should be downloaded and installed at this point.

Microsoft Edge 101

Microsoft Edge 101.0.1210.32 patches 25 different security issues in the browser. The majority address issues in Chromium, the core that Microsoft's browser shares with browsers such as Google Chrome, Brave, Vivaldi or Opera.

Two vulnerabilities, CVE-2022-29146 and CVE-2022-29147, are Edge-specific. The first has a severity rating of moderate and successful exploitation could lead to a browser sandbox escape. The second has a severity rating of low, and it could lead to a spoofing attack. Both vulnerabilities require "user interaction or preconditions", and that is the reason why Microsoft reduced the exploitation rating.

The official release notes highlight non-security changes and improvements in Edge 101. Here is a quick overview of important changes. Please note that not all of them may be available yet on all systems:

• An Apps icon can be added to the favorites bar to launch Progressive Web Apps directly from the toolbar.
• An option to clear remembered certificates to get the certificate picker to reappear for a site is now supported.
• The ability to configure shared cookies between Microsoft Edge and Internet Explorer is now available in the Enterprise site list.
• The ControlDefaultStateOfAllowExtensionFromOtherStoresSettingEnabled policy supports setting a default state for the "allow extensions from other stores" preference.
• The EdgeDefaultProfileEnabled policy supports setting a specific profile as the default profile when the browser is opened.

Several policies have been added in Edge 101:

• ConfigureKeyboardShortcuts - Configure the list of commands for which to disable keyboard shortcuts
• ControlDefaultStateOfAllowExtensionFromOtherStoresSettingEnabled - Configure default state of Allow extensions from other stores setting
• EdgeAssetDeliveryServiceEnabled - Allow features to download assets from the Asset Delivery Service
• EdgeDefaultProfileEnabled - Default Profile Setting Enabled
• InternetExplorerModeEnableSavePageAs - Allow Save page as in Internet Explorer mode
• KioskSwipeGesturesEnabled - Swipe gestures in Microsoft Edge kiosk mode enabled
• MicrosoftOfficeMenuEnabled - Allow users to access the Microsoft Office menu
• SiteSafetyServicesEnabled - Allow users to configure Site safety services

Closing words

Microsoft Edge 101 is a security update first and foremost that addresses 25 different security issues in the browser. The update will roll out to most systems automatically in the coming days and weeks, but administrators may speed up the process using the method described above.

Now You: do you use Microsoft Edge?

Microsoft Edge 101 patches 25 security issues

Google has for years accepted requests to remove certain sensitive data such as bank account or credit card numbers from search results. In a blog post on Wednesday, Google’s Michelle Chang wrote that the company’s expanded policy now allows for the removal of additional information that may pose a risk for identity theft, such as confidential log-in credentials, email addresses and phone numbers when it appears in Search results.

“When we receive removal requests, we will evaluate all content on the web page to ensure that we’re not limiting the availability of other information that is broadly useful, for instance in news articles,” Chang wrote. “We’ll also evaluate if the content appears as part of the public record on the sites of government or official sources. In such cases, we won’t make removals.”

Google says a removal request will be considered if the search result in question includes the presence of “explicit or implicit threats” or “explicit or implicit calls to action for others to harm or harass.” The company says if it approves your request, it may respond by removing the provided URL(s) for all queries, or for only queries including your name.

While Google’s removal of a search result from its index will do nothing to remove the offending content from the site that is hosting it, getting a link decoupled from Google search results is going to make the content at that link far less visible. According to recent estimates, Google enjoys somewhere near 90 percent market share in search engine usage.

KrebsOnSecurity decided to test this expanded policy with what would appear to be a no-brainer request: I asked Google to remove search result for BriansClub, one of the largest (if not THE largest) cybercrime stores for selling stolen payment card data.

BriansClub has long abused my name and likeness to pimp its wares on the hacking forums. Its homepage includes a copy of my credit report, Social Security card, phone bill, and a fake but otherwise official looking government ID card.

The login page for perhaps the most bustling cybercrime store for stolen payment card data.

Briansclub updated its homepage with this information in 2019, after it got massively hacked and a copy of its customer database was shared with this author. The leaked data — which included 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers — was ultimately shared with dozens of financial institutions.

TechCrunch writes that the policy expansion comes six months after Google started allowing people under 18 or their parents request to delete their photos from search results. To do so, users need to specify that they want Google to remove “Imagery of an individual currently under the age of 18” and provide some personal information, the image URLs and search queries that would surface the results. Google also lets you submit requests to remove non-consensual explicit or intimate personal images from Google, along with involuntary fake pornography, TechCrunch notes.

This post will be updated in the event Google responds one way or the other, but that may take a while: Google’s automated response said: “Due to the preventative measures being taken for our support specialists in light of COVID-19, it may take longer than usual to respond to your support request. We apologize for any inconvenience this may cause, and we’ll send you a reply as soon as we can.”

You Can Now Ask Google to Remove Your Phone Number, Email or Address from Search Results

This requirement was promoted by India's Computer Emergency Response Team (CERT-In), who states it has identified specific gaps causing difficulties in security incident analysis and response, and to address them, it needs to impose more aggressive measures.

These measures and various other provisions were published via a notice yesterday and were integrated into section 70B of the Information Technology (IT) Act, 2000, so they are part of the Indian law, entering into force in 60 days.

Instant notice about incidents

The most notable new requirement is that any internet service provider, intermediary, data center, or government organization, shall report these incidents to CERT-In within six hours of noticing them.

The same applies to incidents reported to these entities by third parties, so these service providers must ensure that incoming tips aren’t lost or ignored but timely processed and evaluated.

The types of cybersecurity incidents that will have to be reported to CERT-In are the following:

• Targeted scanning/probing of critical networks/systems
• Compromise of critical systems/information
• Unauthorized access to IT systems/data
• Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code links to external websites, etc.
• Malicious code attacks such as the spreading of viruses/worm/trojan/bots/ spyware/ransomware/cryptominers
• Attack on servers such as database, mail, and DNS and network devices such as Routers
• Identity Theft, spoofing, and phishing attacks
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
• Attacks on Critical infrastructure, SCADA and operational technology systems, and Wireless networks
• Attacks on applications such as E-Governance, E-Commerce, etc.
• Data Breach
• Data Leak
• Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
• Attacks or incidents affecting Digital Payment systems
• Attacks through Malicious mobile Apps
• Fake mobile Apps
• Unauthorized access to social media accounts
• Attacks or malicious/ suspicious activities affecting cloud computing systems/servers/software/applications
• Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D Printing, additive manufacturing, and drones

For proper coordination, all of the entities mentioned above will be required to connect to the NTP server of the National Informatics Center (NIC) or that of the National Physical Laboratory (NPL) and synchronize their system clocks with them.

Finally, all system logs of the aforementioned service providers must be maintained securely within Indian jurisdiction for a rolling period of 180 days and shall be provided to CERT-In along with any security incident reports or when requested by the agency.

Retaining user data

The new guidelines also include a section on VPS (virtual private server) and VPN (virtual private network) service providers, who will now be obliged to maintain a record of their users.

The data acquisition period stretches for five years after the cancellation or withdrawal of the user registration, or even longer if future regulations mandate so.

The data that will be maintained includes the following:

• Validated names of subscribers/customers hiring the services
• Period of hire, including dates
• IPs allotted to / being used by the members
• Email address and IP address, and time stamp used at the time of registration / on-boarding
• The purpose for engaging the services
• Validated address and contact numbers
• Ownership pattern of the subscribers/customers leasing services 

The same will apply to virtual asset (cryptocurrency) service providers, including exchanges and wallet management services, who will now retain customer details for at least five years.

Bleeping Computer discussed the potential impact of these new requirements with Beenu Arora, the founder of Cyble, a cyber-intelligence firm with a strong presence in India, and he expects a challenging implementation.

While the government's intent is noteworthy, complying with this directive will not be an easy task as it will require organizations to appoint additional staff and devote significant management time to meet the reporting requirements.

The industry is already grappling with a massive shortage of skilled cyber security professionals, and considering that a typical organization experiences several cyber-attacks daily, reporting each of these attacks to CERT-IN in a prescribed format could pose an operational challenge.

An automated incident reporting platform that allows individual organizations to submit their incident reports seamlessly to CERT-IN could help in ensuring more effective implementation. - Beenu Arora

India to require cybersecurity incident reporting within six hours

Edge's Secure Network is powered by Cloudflare - one of the most trusted DNS hosts in the industry - and it aims to protect your device and sensitive data as you browse. The feature is in the early stage of development available to select users in Edge Canary and it's not a full-fledged VPN service offered in rival browsers like Opera.

So how does Microsoft Edge's Secure Network actually work? As per the support document and our tests, Edge uses Cloudflare's routing to encrypt your internet connection and protect your data from online threats like hackers.

Microsoft says Edge Secure network feature sends your traffic through an encrypted tunnel to create a secure connection, which means even HTTP URLs are accessed securely in a bid to make it harder for attackers to obtain your browsing data and it also eliminates any possibilities of online tracking.

Since your traffic is routed through Cloudflare, your location is apparently private and your actual IP address is hidden behind Cloudflare's network. It replaces your geolocation with a similar regional address (closest Cloudflare server) to make it more difficult for online trackers to follow you on the internet.

Edge Secure Network is not a replacement for your VPN

While Edge Secure Networks sounds like an appealing solution, it isn't like a regular VPN.

In fact, it's possible that the feature uses Cloudflare's Warp - a free service that ensures all your traffic is kept private between your device and the origin server.

In our tests, we observed that Edge's VPN doesn't let you choose your location. It only protects your traffic with encryption and uses 1.1.1.1 to optimize your DNS for a faster connection.

The good news is that we can still use Edge's Secure Network (powered by Cloudflare) to pass through the local restrictions placed by the ISP or government.

In the above example, we were able to use Edge Secure Network to access a Torrent site blocked by the ISP.

However, the Cloudflare-based Edge Secure Network isn't good for streaming. Since it doesn’t let you choose your location, it is not possible to stream geo-restricted content on platforms like Netflix and Amazon Prime.

Another problem with Edge Secure Network is its 1GB limitation. According to the support document, only 1 gigabyte of free data will be offered every month when you sign into Microsoft Edge with your Microsoft Account.

Edge's Secure Network is safe, reliable, and useful, but it is currently not a good alternative to the more traditional VPNs out there or the built-in VPN offered in Opera.

Hands on with Microsoft Edge's new built-in VPN feature

The Japan CERT has released a new version of their EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month.

Emotet is one of the most actively distributed malware spread through emails using phishing emails with malicious attachments, including Word/Excel documents, Windows shortcuts, ISO files, and password-protected zip files.

The phishing emails use creative lures to trick users into opening the attachments, including reply-chain emails, shipping notices, tax documents, accounting reports, or even holiday party invites.

Once a device is infected, Emotet will steal users' emails to be used in future reply-chain phishing attacks and download further malware payloads on the computer.

As further malware commonly leads to data theft and ransomware attacks, it is crucial to detect Emotet malware infections quickly before further damage is done.

EmoCheck udpated for 64-bit versions

In 2020, the Japan CERT (computer emergency response team) released a free tool called EmoCheck to scan a computer for Emotet infections.

If one is detected, it will display the full path to the malware infection so that it can be deleted.

However, earlier this month, the Emotet gang switched to 64-bit versions of their loader and stealers, making existing detections less useful. Furthermore, with this switch, the EmoCheck tool could no longer detect the new 64-bit Emotet versions.

This week, JPCERT released EmoCheck 2.2 to support the new 64-bit versions and can now detect them, as shown below.

To check if you are infected with Emotet, you can download the EmoCheck utility from Japan CERT's GitHub repository.

Once downloaded, double-click on the emocheck_x64.exe (64-bit version) or emocheck_x86.exe (32-bit version), depending on what you downloaded.

EmoCheck will scan for the Emotet Trojan, and if the malware is detected, display the process ID it is running under and the location of the malware DLL.

Emotet is currently being installed in a random folder under C:\Users\[username]\AppData\Local. While the Emotet malware is a DLL, it will not have the DLL extension but rather a random three-letter extension, like .bbo or .qvp.

An example of an installed Emotet malware infection can be seen below.

EmoCheck will also create a log in the same folder as the program that contains the detected information, allowing you to reference it as needed.

If you run EmoCheck and discover that you are infected, you should immediately open Task Manager and terminate the listed process, usually regsvr32.exe.

You should then scan your computer with trusted antivirus software to ensure other malware has not already been installed on your device.

This tool can be handy for Windows admins, who can execute it on login to detect Emotet infections on their network.

EmoCheck now detects new 64-bit versions of Emotet malware

This includes the financial burden imposed by the incident response effort, system restoration, legal fees, monitoring costs, and the overall impact of business disruption.

Ransomware attacks typically involve stealing data from the company and encrypting systems to pressure the victim into paying to decrypt files and to avoid a data leak.

Researchers at Check Point compiled ransomware statistics by analyzing data from public sources and several thousand cyber attacks in the Kovrr database, a cyber-risk and cyber-insurance expert.

Setting the ransom demand

Starting with the amount of the ransom, the threat actors appear to follow a specific pattern based on the victim's financial records to establish how much to ask.

According to Check Point's analysis, the ransom demand is typically between 0.7% and 5% of the victim's annual revenue, with the average percentage being 2.82%.

Many ransomware gangs offer discounts for fast payments, ranging between 20% and 25% if the ransom is paid within a few days.

Estimating the impact

The overall impact of a ransomware attack on an organization's financials is directly linked to the duration of the incident, from encryption to full system restoration.

In 2021, organizations demonstrated a better ability to handle the double-extortion tactics, which reduced the attack duration significantly.

However, this double-extortion tactic introduces additional cost for the victimized organization, which now has to deal with their customers losing trust and long-term reputational damage.

When hit by ransomware, the victimized entity has to cover the cost of lost income from business disruption, legal procedures, incident response and remediation, malware discovery and deletion, restoring data from backups, contracting third-party experts, and more.

Even if the organization pays the ransom, there's no way to avoid further financial losses, and restoring systems using the decryption keys from the attackers is often slower than using backups.

Preventing the incidents from happening in the first place is the most crucial element, far more critical even than relying on the most advanced incident response system.

From the actor's perspective

Ransomware gangs and operators of large ransomware-as-a-service (RaaS) programs understand the delicate economic balance that comes into play and take measures to keep payment the most practical option.

What they do is link the ransom payment to the collateral damage costs when negotiating with the victim, presenting the payment option as a more financially beneficial option.

In fact, ransomware actors often bring up the collateral damage costs in negotiations, like, for example, using GDPR violation fines (due to customer data leak) as an extortion argument.

Despite all the law enforcement action against these threat groups, and the evolution of defense tactics, ransomware continues to proliferate and break new records.

Both attackers and defenders are adjusting to new realities imposed by an ever-evolving landscape, and neither can afford to fall behind in this race.

Ransom payment is roughly 15% of the total cost of ransomware attacks

Google has highlighted that it banned 190,000 malicious and spammy developer accounts in 2021 alone. For context, this number was at 119,000 in 2020. In the same vein, 1.2 million apps which violated Google Play policies were removed, and the company says that this means that it prevented billions of potential harmful installs. Over 500,000 inactive and abandoned developer accounts were closed as well.

Google also gave a recap of its recent efforts in making Play Store a safer space for consumers. It referenced the launch of the data safety section, a central app policy management interface for developers, and efforts to make SDKs safer for the billions of consumers who use apps built using these SDKs.

The firm noted that 98% of apps which migrated to Android 11 reduced their access to sensitive APIs. This includes the Accessibility API, which is now only allowed for its intended use-cases rather than call recording. Google also mentioned that:

We also continued in our commitment to make Android a great place for families. Last year we disallowed the collection of Advertising ID (AAID) and other device identifiers from all users in apps solely targeting children, and gave all users the ability to delete their Advertising ID entirely, regardless of the app.

Finally, on the Pixel front, there is a Security hub that gives you a holistic view and recommendations about your device's security status. Google's smartphone hardware also utilizes newer machine learning models that leverage federated analytics to detect malicious apps.

Google banned 190,000 malicious developers from the Play Store last year

Last week, security researcher MalwareHunterTeam discovered that a new ransomware operation had launched called Onyx.

Like most of today's ransomware operations, Onyx threat actors steal data from a network before encrypting devices. This data is then used in double-extortion schemes where they threaten to publicly release the data if a ransom is not paid.

The ransomware gang has been reasonably successful so far, with six victims listed on their data leak page.

Onyx ransomware destroys most data

The technical functionality of the Onyx ransomware was not known until today, when MalwareHunterTeam found a sample of the encryptor.

What was found is concerning, as the ransomware will overwrite many files with random junk data rather than encrypting them.

As you can see from the source code below, Onyx encrypts files smaller than 2MB in size. However, according to MalwareHunterteam, Onyx will overwrite any files larger than 2MB with junk data.

As this is just randomly created data and not encrypted, there is no way to decrypt files larger than 2MB in size.

Even if a victim pays, the decryptor can recover only the smaller encrypted files.

According to Jiří Vinopal, a forensic analyst at the Czech Republic CERT, this ransomware is the based on Chaos ransomware, which includes the same damaging encryption routine.

As the destructive nature of the encryption routine is intentional rather than a bug, it is strongly advised that victims do not pay the ransom.

4/28/22: Corrected that it's files greater than 2MB that are destroyed and that this is a variant of the Chaos ransomware.

Beware: Onyx ransomware destroys files instead of encrypting them

Microsoft seems ready to deploy the Microsoft Edge Secure Network service. The VPN service will be powered by Cloudflare. The company assures it permanently deletes the diagnostic and support data collected, every 25 hours.

Some of the salient features of Microsoft Edge Secure Network Service:

• Encrypts connection: Encrypts internet connection to help protect user data from online threats like hackers.
  When using Microsoft Edge Secure network, user data is routed from Edge through an encrypted tunnel to create a secure connection, even when using a non-secure URL that starts with HTTP. This makes it harder for hackers to access browsing data on a shared public Wi-Fi network.
• Helps prevent online tracking: By encrypting web traffic directly from Microsoft Edge, Microsoft helps prevent users’ internet service provider from collecting browsing data like details about the websites users visit.
• Keeps user location private: Online entities can use user location and IP address for profiling and serving targeted ads. Microsoft Edge Secure Network lets users browse with a virtual IP address that masks users’ IP and replaces their geolocation with a similar regional address to make it more difficult for online trackers to follow users as they browse.
• Is free to use: Microsoft offers 1 gigabyte of free data every month when users sign into Microsoft Edge with their Microsoft Account.

Microsoft Edge Secure Network Service isn’t available to all users yet. The Microsoft VPN service should be available in an upcoming version of the Edge browser. Once Microsoft rolls it out, a new menu entry will be available in the Hamburger menu located in the upper right-hand corner of the browser.

It is important to note that users will need to sign in to their Microsoft account to use the VPN service. The feature will turn off automatically when the user closes the Edge window. Users will need to turn on Microsoft Edge Secure Network again for their next browsing session if they wish to use it. A shield icon will indicate if the service is active.

As mentioned above, Microsoft is limiting the VPN service to 1GB data. The company hasn't mentioned any subscription model that could allow users to extend the service beyond the free data cap.

Microsoft testing integrated VPN ‘Secure Network' in Edge powered by Cloudflare

Cloudflare has revealed that it stopped dead in its tracks one of the largest HTTPS DDoS attacks on record originating from multiple countries. The firm said that the botnet was making 15.3 million requests-per-second (rps), making it the largest HTTPS DDoS attack it has witnessed against one of its customers.

Cloudflare said that the target of the attack was a crypto launchpad company which aims to connect crypto projects with investors. The customer is on Cloudflare’s Professional plan and was defended by Cloudflare for the less than 15 seconds that the attack was going on. Other Cloudflare customers are automatically protected from this botnet too and no action needs to be taken.

The largest attack that Cloudflare has ever run into was reported last August when a botnet performed a 17.2 million rps DDoS attack but this was carried out with HTTP traffic rather than HTTPS traffic which was used in the latest attack. Cloudflare said the use of HTTPS makes the attack more expensive for the attacker and the victim attempting to mitigate it.

Cloudflare noted that this attack mostly came from data centres and that it’s noticing more attacks coming from cloud compute ISPs overall rather than residential network ISPs. This botnet involved 6,000 unique bots and originated from 112 countries around the world. The countries which hosted the most bots included Indonesia, Russia, Brazil, India, Colombia, and the United States. The attack came from over 1,300 networks with top ones including Hetzner Online GmbH, Azteca Comunicaciones Colombia, and OVH.

Cloudflare reports that it has blocked one of the largest HTTPS DDoS attacks ever seen

According to a report published by Bloomberg, Google has begun testing advertisements on Shorts. According to Philipp Schindler, Google's chief business officer, the company is currently experimenting with app-install ads and other promotions. "While it's still early days, we're encouraged by initial advertiser feedback and results," Schindler said on an investor call.

Google's decision to run commercials on Shorts comes at a time when YouTube has posted ad-revenue growth of 14%, which is less than analysts' expectations. According to the company, the reason why it fell a bit short of targets is due to a drop in direct response ads, like app-install campaigns.

YouTube Shorts launched in India first back in 2020, and it's expanded to other markets like the USA a year a later. Ever since the launch of Shorts, Google has introduced many changes to its short-form video platform to better the user experience. And now, the company will focus on monetization.

"As we've always done with products, we focus on building a great user experience first, and we'll work to build monetization over time," said Alphabet and Google CEO Sundar Pichai.

Source: Bloomberg; via Engadget

YouTube Shorts will soon run ads

The cybersecurity authorities urged organizations in a joint advisory to promptly patch these security flaws and implement patch management systems to reduce their attack surface.

Globally, malicious actors have been observed focusing their attacks on internet-facing systems, including email and virtual private network (VPN) servers, using exploits targeting newly disclosed vulnerabilities.

"U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide," the advisory reads.

This might be due to malicious actors and security researchers releasing proof of concept (POC) exploits within two weeks since the initial disclosure for most of the top exploited bugs throughout 2021.

However, attackers focused some of their attacks on older vulnerabilities patched years before, which shows that some organizations fail to update their systems even when a patch is available.

The list of the top 15 most exploited security flaws is available below, with links to National Vulnerability Database entries and associated malware.

Mitigation and additional exploitation info

The US, Australian, Canadian, New Zealand, and UK cybersecurity agencies have also identified and revealed 21 additional security vulnerabilities commonly exploited by bad cyber actors during 2021, including ones impacting Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure.

The joint advisory includes mitigation measures that should help decrease the risk associated with the topmost abused flaws detailed above.

CISA and the FBI also published a list of the top 10 most exploited security flaws between 2016 and 2019 and a top of routinely exploited bugs in 2020 in collaboration with the Australian Cyber Security Centre (ACSC) and the United Kingdom's National Cyber Security Centre (NCSC).

In November 2021, MITRE also shared a list of the topmost dangerous programming, design, and architecture security flaws plaguing hardware in 2021 and the top 25 most common and dangerous weaknesses plaguing software throughout the previous two years.

"We know that malicious cyber actors go back to what works, which means they target these same critical software vulnerabilities and will continue to do so until companies and organizations address them," said CISA Director Jen Easterly.

"CISA and our partners are releasing this advisory to highlight the risk that the most commonly exploited vulnerabilities pose to both public and private sector networks.

"We urge all organizations to assess their vulnerability management practices and take action to mitigate risk to the known exploited vulnerabilities."

Cybersecurity agencies reveal top exploited vulnerabilities of 2021

Security researchers at Microsoft disclosed the issues in a report today noting that they can be chained together to achieve root privileges on a vulnerable system.

Tracked as CVE-2022-29799 and CVE-2022-29800, the Nimbuspwn security issues were discovered in networkd-dispatcher, a component that sends connection status changes on Linux machines.

Discovering the vulnerabilities started with “listening to messages on the System Bus,” which prompted the researchers to review the code flow for networkd-dispatcher.

The Nimbuspwn security flaws refer to directory traversal, symlink race, and time-of-check-time-of-use (TOCTOU) race condition issues, explains Microsoft researcher Jonathan Bar Or says in the report.

One observation that piqued interest was that the networkd-dispatcher daemon was running at boot time with root privileges on the system.

The researcher noticed that the daemon used a method called “_run_hooks_for_state” to discover and run scripts depending on the detected network state.

The logic implemented by “_run_hooks_for_state” includes returning executable script files owned by the root user and the root group that are in the “/etc/networkd-dispatcher/.d” directory.

It runs each script in the above location using the process called subprocess.Popen while supplying custom environment variables.

Microsoft’s report explains that “_run_hooks_for_state” has multiple security issues:

1. Directory traversal (CVE-2022-29799😞 none of the functions in the flow sanitize the OperationalState or the AdministrativeState. The states are used to build the script path, so a state could contain directory traversal patterns (e.g. “../../”) to escape from the “/etc/networkd-dispatcher” base directory.
2. Symlink race: both the script discovery and subprocess.Popen follow symbolic links.
3. Time-of-check-time-of-use (TOCTOU) race condition (CVE-2022-29800😞 there is a certain time between the scripts being discovered and them being run. An attacker can abuse this vulnerability to replace scripts that networkd-dispatcher believes to be owned by root to ones that are not.

An attacker with low privileges on the system could chain together the above vulnerabilities to escalate to root-level permissions by sending an arbitrary signal.

An overview of the steps for successful exploitation is captured in the image below, which covers three stages of the attack:

Bar Or notes that winning the TOCTOU race condition requires planting multiple files. In his experiment to implement a custom exploit, success was recorded after three attempts.

Leveraging Nimbuspwn successfully is possible when the exploit code can own a bus name under a privileged service or process.

The researcher says that there are many environments where this is possible, including Linux Mint where “the service systemd-networkd that normally owns the “org.freedesktop.Network1” [used in the research] bus name does not start at boot by default.”

Additionally, the Bar Or found additional “processes running as the systemd-network user” that executed arbitrary code from world-writable locations: e.g. several gpgv plugins (launched when apt-get installs or upgrades), the Erlang Port Mapper Daemon (epmd) that allows running arbitrary code under some scenarios.

Clayton Craft, the maintainer of networkd-dispatcher has deployed the necessary updates that address the Nimbuspwn vulnerabilities.

Linux users are recommended to patch their systems as soon as the fixes become available for their operating system.

New Nimbuspwn Linux vulnerability gives hackers root privileges

The document was written by Facebook privacy engineers that were on the Ad and Business Product team. The mission of this team is to “to make meaningful connections between people and businesses."

The team is responsible for building and maintaining Facebook's massive ads system - the core of its business. The document reveals a rather alarming tone from the engineers who are making a call for change with respect to how Facebook deals with user data. It is very common for Facebook to run into regulatory and compliance issues regarding privacy of its users. The US, India, Europe and other countries are becoming more stringent about regulations which is putting a lot of social media companies including Facebook in trouble recently.

“We can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do”

Last year, previously leaked documents had revealed Facebook's failure in handling misinformation, believing that the leadership made decisions to avoid angering the Indian government. A researcher who set up an account as a user in India in 2019 found that by following Facebook's algorithm recommendations, they saw “more images of dead people in the past three weeks than I’ve seen in my entire life total,” according to The New York Times.

Facebook's own engineers are admitting that they are struggling to keep track of where user data goes once it's inside their systems. However, regulations like the EU's GDPR limits platforms like Facebook about how they can use their users' data. In its article 5, the GDPR law mandates that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

This essentially means that every bit of data Facebook collects, can only be collected and used for a specific purpose and cannot be reused for another purpose. Facebook had been under the fire for using its users' phone numbers for its "people you may know" feature. After getting caught, the company had to eventually stop the practice.

The engineers tried to explain what's wrong with Facebook using an analogy inside the document:

Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere,” the document read. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”

For reference, 3PD means third-party data; 1PD means first-party data; SCD means sensitive categories data.

The leaked document throws light on the fact that how data can become a mess in the absence of any efforts for data regulation from the beginning. Facebook says that even though it does not have any technical control over every piece of data, it is investing in tools to build the infrastructure needed to meet the requirements it may face.

Source: Vice

Leaked document reveals Facebook has no control over user data and where it's going

The use of .LNK files is not new, as the Emotet gang previously used them in a combination with Visual Basic Script (VBS) code to build a command that downloads the payload. However, this is the first time that they utilized Windows shortcuts to directly execute PowerShell commands.

New technique after botched campaign

Last Friday, Emotet operators pulled the plug on a phishing campaign because they botched their installer after using a static file name to reference the malicious .LNK shortcut.

Launching the shortcut would trigger a command that extracted a string of VBS code and added it to a VBS file to execute.

However, as the distributed shortcut files had a different name than the static one they were looking for, it would fail to create the VBS file correctly. The gang fixed the problem yesterday.

Today, security researchers noticed that Emotet switched to a new technique that uses PowerShell commands attached to the LNK file to download and execute a script on the infected computer.

The malicious string appended to the .LNK file is obfuscated and padded with nulls (blank space) so that it does not show in the target field (the file the shortcut points to) of the file’s properties dialog box.

Emotet’s malicious .LNK file includes URLs for several compromised websites used for storing the PowerShell script payload. If the script is present at one of the defined locations, it is downloaded to the system’s temporary folder as a PowerShell script with a random name.

Below is the deobfuscated version of the malicious string Emotet attached to the .LNK payload:

This script generates and launches another PowerShell script that downloads the Emotet malware from a list of compromised sites and save it to the %Temp% folder. The downloaded DLL is then executed using the regsvr32.exe command.

Executing the PowerShell script is done using the Regsvr32.exe command-line utility and ends with downloading and launching Emotet malware.

Security researcher Max Malyutin says that along with using PowerShell in LNK files, this execution flow is new to Emotet malware deployment.

New technique on the rise

The Cryptolaemus researcher group, which is closely monitoring Emotet activity, notes that the new technique is a clear attempt from the threat actor to bypass defenses and automated detection.

Security researchers at cybersecurity company ESET also noticed that the use of the new Emotet technique has increased in the past 24 hours.

source: ESET

 

ESET’s telemetry data shows that the countries most affected by Emotet via the new technique are Mexico, Italy, Japan, Turkey, and Canada.

Apart from switching to PowerShell in .LNK files, the Emotet botnet operators have made a few other changes since they resumed activity to steadier levels in November, such as moving to 64-bit modules.

The malware is typically used as a gateway for other malware, particularly ransomware threats like Conti.

Emotet malware now installs via PowerShell in Windows shortcut files

Google is trialing two privacy-preserving ad profiling mechanisms in Chrome 101. These are the Topics API and First Locally-Executed Decision over Groups Experiment (FLEDGE), both included in Google's Privacy Sandbox initiative.

For those who don't remember, Google killed off its Federated Learning of Cohorts (FLoC) experiment at the start of this year and pivoted to the Topics API for ad personalization in a privacy-preserving manner. Through Topics, your web browser will determine your top interests for the week based on your browsing activity. These interests will be stored locally on your device for a period of three weeks - after which they will be deleted - and will not be sent to any external server, even those belonging to Google. When you visit a website, only three topics belonging to you will be shared with the website and its ad partners. This will comprise of one topic from each week and no more. It's a tricky proposition that's under scrutiny from pretty much everyone.

The second ad profiling mechanism is FLEDGE, here's how Google describes its flow:

1. A user visits an advertiser site

2. The user's browser is asked to add an interest group

3. The user visits a site that sells ad space

4. An ad auction is run in the browser

5. The seller and participating buyers receive realtime data from trusted servers

6. The winning ad is displayed

7. The auction result is reported

8. An ad click is reported

    

Both of these implementations are currently available as Origin trials up until version 104 of Chrome, which means that developers can build and test upon them until then.

Meanwhile, the features enabled by default in this release include a new sRGB color specification called Hue-Whiteness-Blackness (HWB), changes to the windowFeatures argument for ease of development, priority hints for resources relative to the browser, and alignment of specifications for dedicated workers between the Blink rendering engine used by Chromium and Gecko used by Firefox.

Moreover, the WebSQL database standard has been deprecated and removed. Mozilla never implemented it in Firefox and Apple's WebKit deprecated it back in 2019 too. With Chrome dropping support as well, developers have been encouraged to use Web Storage or Indexed Database instead. Similarly, a method is being introduced for developers to forget connected USB devices and other technical changes have been made to USB objects too.

The ability to increase the nesting level threshold for the setTimeout function to optimize page loads is now behind a developer trial, which means that it can be toggled with a flag. In the same vein, the clamping function for this can be removed through an Origin trial too.

Yet another capability in Origin trials in Chrome 101 is the Attribution Reporting API. Google describes it as follows:

This API measures ad conversions (e.g. purchases) and attributes them to ad interactions without using cross-site persistent identifiers like third-party cookies. The API allows measurement through both event-level reports sent directly from the browser, and aggregatable reports which can be processed through a trusted service to create summary reports of attribution data.

[...] Currently, the web ad industry measures conversions via identifiers they can associate across sites. These identifiers tie information about which ads were clicked to information about activity on the advertiser's site (the conversion). This allows advertisers to measure ROI, and for the entire ads ecosystem to understand how well ads perform. Since the ads industry today uses common identifiers across advertiser and publisher sites to track conversions, these common identifiers can be used to enable other forms of cross-site tracking. This doesn’t have to be the case, though, especially in cases where identifiers like third party cookies are either unavailable or undesirable. A new API surface can be added to the web platform to satisfy this use-case without them, in a way that provides better privacy to users.

Chrome 101 will start rolling out in the later hours of today. If it does not update to version 101 automatically for you throughout the course of the day, head over to Help > About Google Chrome to trigger the update once it becomes available. Next up is Chrome 102 which will hit the Beta channel on April 28, and will land on Stable on May 24.

Chrome 101 has the first version of privacy-preserving ad profiling, landing today

Although both the firms haven't gone into the technical details of the implementation due to its (likely) proprietary nature, they have stated that it is an enhancement to the existing Digital Transactions Insights solution.

Improvements include real-time decision-making capabilities and next-gen authentication mechanisms. Essentially, Mastercard's network insights data is used in tandem with the data of a merchant in order to verify the identity of a customer. Mastercard's President of Cyber and Intelligence division had the following to say about the implementation:

Shopping online should be simple, quick and secure. But that isn’t always the case. We’re committed to developing advanced identity and fraud technology to help enhance the real-time intelligence we provide to financial institutions around the globe. This builds on our longstanding commitment of working across the industry to provide advanced technologies that enable trust, and help build a safe and thriving digital ecosystem for all.

Microsoft says that real-time decision-making capabilities in Digital Transactions Insights is due to integration with AI-powered Dynamics 365 Fraud Protection services. Companies can also make use of other insights provided in the solution to ensure a profitable balance between revenue opportunities and losses due to fraud and difficulties in checkout.

Microsoft's corporate vice president of Business Applications and Platforms Charles Lamanna noted that:

We are excited to partner with Mastercard to leverage our cloud-native, cutting-edge fraud assessment tools to empower issuers and merchants to prevent more fraud and approve more genuine users. This partnership lays the foundation for the future of global fraud prevention where data silos are no longer a barrier to security.

Mastercard's Digital Transactions Insights is powered by its global authentication solution Mastercard Identity Check and secured with EMV 3-D Secure protocol. Both of these implementations are GDPR-compliant, which means that global companies should be able to leverage them without regulatory hurdles.

Microsoft and Mastercard partner to announce "next-gen" identity solution

It is intriguing to say the least, and was a highly requested feature by the community. Having unique usernames can protect your privacy, and minimize the impact of identity theft. The feature was released for the web vault a few days ago, before it was added to the browser extension, and the desktop programs.

Note: The Bitwarden extension has not been updated to 1.58.0 on Mozilla Firefox's AMO, Google's Chrome Web store, Edge Add-ons, etc, at the time of writing this article. It is expected to be available shortly. The new version of the extension, v1.58.0, also fixes an issue related to importing notes and URLs in macOS and Safari.

I tried the web version and downloaded the desktop version to try the username generator.

How to generate unique usernames in Bitwarden

1. Open Bitwarden app on your compute, and go to the add new login page.

Ctrl + N on desktop (or) File > Add New Item.

2. Click the refresh icon in the username field.

3. It opens a new window, that has three options to derive the username from.

• Plus Addressed Email
• Catch-All Email
• Random Word

The first option, Plus Addressed Email, uses your email provider's alias service. E.g. If you used example@gmail.com, it can be used to generate a sub-address like example+5jh56y8t@gmail.com. The generated password is displayed at the top of the window, you can copy it to the clipboard using the icon next to it. Don't like the created username? Hit the refresh icon to generate a new one. Click the tick icon to accept the generated username.

Catch-All Email uses your domain to create a unique username. The Random Word option can be set to capitalize the first letter and include numbers in the username.

Download Bitwarden Password Manager 1.33.0 for Windows, macOS, and Linux from the official website, or the GitHub Page.

Web vault version

Oddly, the new feature is not available in the "add new login"popup in the web vault. Here's how you do it instead. Open the Tools page in the Bitwarden web vault, select the Username option (under Generator), and follow the above instructions given in step 3.

Bitwarden suffered an outage a few days ago, and since its servers were inaccessible, so were the passwords. A statement from the company said that users could access their vaults if they had already logged in, but many users were unable locked of their accounts during the downtime. I can confirm that the browser plugin logged me out as well, I only noticed this when it couldn't save the credentials that I typed on a login page.

I can't verify this claim as I don't use the desktop app, but a couple of users have reported that the Bitwarden app logged them out, and uninstalled itself. When users asked the company for an explanation about the outage, Bitwarden declined to reveal the details.

Tip: Having a backup option that you can use offline may help you during such outages. You can export your Bitwarden vault to a JSON or CSV file, and import them to a local password manager like KeePass.

Bitwarden Password Manager can now generate unique usernames

Frontpaged:   Bitwarden 1.33.0