Wednesday 5 September 2018

Google Chrome Will No Longer Show 'Protected' At HTTPS Sites



To celebrate the tenth anniversary of Google Chrome, a new version of the browser has appeared that does not show the word 'secured' at https sites, makes using Flash Player more difficult, introduces an improved password manager and fixes 40 security vulnerabilities.

On 2 September 2008, Google launched its own browser, which has since become the dominant browser. According to StatCounter, Chrome has a market share of almost 68 percent on the desktop. In the Netherlands, around 54 percent of desktop users reportedly browse with Chrome. Yesterday evening the 69th version of Chrome appeared, containing all kinds of new features and improvements.

For example, Chrome 69 can fill in passwords, address details and credit card numbers more accurately. This data is stored in the user's Google account and is accessible directly from the Chrome toolbar. The browser also has an improved password manager that can generate unique passwords for websites and accounts. Saved passwords are then available to users with a Google account on both the computer and mobile devices.

Furthermore, Chrome 69 does not show the word "secured" on websites with a secure connection. Only the lock icon indicates that a secure connection is being used. Eventually the lock icon will also disappear. Google decided in July to display the message "Unprotected" on all HTTP sites. The internet giant wants HTTPS sites to be the norm, so that users only see a notification on HTTP sites.

The browser also includes measures that make the use of Adobe Flash Player more difficult. Previously, users could whitelist websites that wanted to access the built-in Flash Player. That has now changed. Users must allow this separately each time a website wants to enable Flash content, regardless of whether they have done so in previous sessions.

In addition, Google has fixed 40 vulnerabilities in the browser that, in the worst case, could have allowed an attacker to steal or modify data from other websites. Updating to Chrome 69.0.3497.81 will happen automatically on most systems. For Android users, Chrome 69.0.3497.76 has been made available.

MEGA Warns Against An Infected Chrome Extension That Steals Data



The popular cloud storage service MEGA has warned users of an infected version of its own Chrome extension that was distributed through the official download channel and tried to steal all kinds of user data. According to MEGA, the cloud storage service of internet entrepreneur Kim Dotcom, an attacker has gained access to the official Chrome Web Store account of the company.

Then an infected version of the MEGA Chrome extension was placed in the Web Store and automatically offered to existing users. This version required permission to read data on all websites. As soon as users granted this permission, the extension tried to steal private keys for cryptocurrency wallets and user names and passwords for Amazon, GitHub, Google and Microsoft accounts.
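One defensive check for the kind of update described above, as an added example that is not from MEGA, Google or the original article: compare the manifest of an extension update with the previous version and flag newly requested access to all sites. Both manifests are constructed samples, and `host_grants`, `api_grants` and `review_update` are hypothetical helper names.

```python
import json

# Chrome match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _is_host(p):
    return isinstance(p, str) and ("://" in p or p == "<all_urls>")

def host_grants(manifest):
    """Every host pattern the extension may read or run scripts on."""
    grants = set()
    # Manifest V2 lists hosts in "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        grants.update(p for p in manifest.get(key, []) if _is_host(p))
    for script in manifest.get("content_scripts", []):
        grants.update(script.get("matches", []))
    return grants

def api_grants(manifest):
    """Named API permissions such as "storage" or "webRequest"."""
    return {p for p in manifest.get("permissions", [])
            if isinstance(p, str) and not _is_host(p)}

def review_update(old, new):
    """Diff two manifest versions and report newly requested access."""
    new_hosts = host_grants(new) - host_grants(old)
    return {
        "new_hosts": sorted(new_hosts),
        "new_api_permissions": sorted(api_grants(new) - api_grants(old)),
        "escalates_to_all_sites": bool(new_hosts & BROAD_HOSTS),
    }

# Constructed sample manifests, not the real MEGA extension manifests.
OLD = json.loads("""{"manifest_version": 2, "version": "1.0.0",
  "permissions": ["storage", "https://cloud.example/*"],
  "content_scripts": [{"matches": ["https://cloud.example/*"], "js": ["a.js"]}]}""")
NEW = json.loads("""{"manifest_version": 2, "version": "1.0.1",
  "permissions": ["storage", "webRequest", "<all_urls>"],
  "content_scripts": [{"matches": ["https://cloud.example/*"], "js": ["a.js"]}]}""")

if __name__ == "__main__":
    print(json.dumps(review_update(OLD, NEW), indent=2))
```

An update that sets `escalates_to_all_sites` is the case where Chrome asks existing users to approve new permissions, so it is worth holding such a version for manual review before it is rolled out in a managed environment.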

After five hours, the infected Chrome extension was removed from the Chrome Web Store by Google. MEGA states that it has initiated an investigation to find out how the Web Store account could be taken over. The cloud storage service also criticizes Google because it does not allow developers to sign their Chrome extensions. The extensions are now automatically signed after being uploaded to the Chrome Web Store. According to MEGA, this removes an important measure meant to protect against attackers.

Before MEGA gave the warning, Jeremy Nation of MetaCert had already published an analysis of the infected extension. It is not the first time that attackers have gained access to the Web Store account of an extension developer and then distributed an infected update or version. At the end of last year, eight Chrome extensions were discovered that had been hacked and installed adware for their 4.6 million users. The attackers had been able to obtain the login data for the Web Store through phishing attacks.

Tuesday 4 September 2018

Google Employee Hacks RFID Access System Of Own Office



A Google employee hacked the RFID access system of Google's own office in Sunnyvale, allowing him to open doors without an access pass and prevent other employees from gaining access. Google uses the iStar Ultra and IP-ACM systems from supplier Software House. The access system works via an RFID access pass.

Google employee David Tomaschik monitored the encrypted network traffic of the iStar Ultra and IP-ACM systems. The encrypted traffic turned out not to be random, whereas it should have been. Further research by Tomaschik revealed that all Software House devices used a hard-coded encryption key. This made it possible to forge commands, such as the command to open a door. He was also able to replay captured network traffic and thus open or block a door.

Furthermore, it was possible to perform these actions without creating a log. Software House has developed a solution, but organizations where the vulnerable systems are in use are still at risk, according to business magazine Forbes. Google also mentions that it has segmented its own network to provide protection against vulnerable systems.

British Man Gets 14 Months In Prison For Not Giving Up Facebook Password



A 24-year-old British man has been sentenced to 14 months in prison for not giving up his Facebook password. The man is suspected of the murder of a 13-year-old girl. The police had twice asked for his credentials for the social network site, but the Brit refused to provide them.

Under the British Regulation of Investigatory Powers Act (Ripa), the man was subsequently charged with not providing 'access codes to an electronic device'. The Ripa legislation gives UK investigative authorities the power to force people to give their password, encryption key or other log-in details to investigate an electronic device such as a telephone or computer, according to The Independent. The Ripa legislation was originally intended as an anti-terrorist measure, but the police can use it much more broadly, according to a British law firm. Not giving up a password carries a maximum term of imprisonment of 5 years.

The Briton told the judge that relinquishing his password would reveal information about cannabis. The judge called the defense "entirely inadequate" and stated that the man had thwarted the police investigation into the murder through his actions. The British police are trying to get access to the man's Facebook account through the US Department of Justice, the Daily Mail and The Sun report. In the past, people in the United Kingdom have been sentenced to prison terms on several occasions for not relinquishing their login details.

Mozilla's New VP Will Focus On Privacy & Security



Mozilla has a new security chief who will focus on privacy and security. Alan Davidson is the new vice president for "Policy, Trust and Security" at the open source developer. He will be responsible for promoting an open internet and a 'healthy web'.

He will also lead a 'trust and security' team that will focus on promoting innovative privacy and security features in Mozilla products. Previously, Davidson worked at the US Department of Commerce and in 2011 he was the policy leader at Google. "I am very happy to work for an organization that is so dedicated to putting the user first", Davidson said.