Google’s cookie replacement performs well in tests

In tests, the Federated Learning of Cohorts (FLoC) API, a proposed replacement for third-party cookies, showed that advertisers can expect at least 95% of the conversions per dollar spent on ads that they see with cookie-based advertising. FLoC is currently a Chrome browser extension that uses machine learning to group people into cohorts of thousands of similar users that advertisers can target, rather than targeting individuals. Google’s “Privacy Sandbox” effort has other third-party cookie alternatives in development, so this may not be its ultimate third-party cookie replacement.

(Axios)

Twitter Birdwatch pilot launches

Birdwatch was previously confirmed by Twitter last year, and is a system that lets users flag and discuss tweets believed to be misleading or false. Birdwatch is a standalone section of Twitter, initially rolling out to a small group of users with accounts tied to real phone numbers and email addresses. Tweets get flagged in Twitter’s main interface, then notes can be added to the Birdwatch section for context. Users can also rate others’ notes to prevent bad-faith usage. Twitter says eventually it wants notes to appear on Tweets themselves for its global audience with Birdwatchers acting as moderators. A sample UI and waitlist are available at birdwatch.twitter.com.

(TechCrunch)

WhatsApp wormable malware found on Android

Security researchers at ESET discovered the malware, which looks like an adware campaign sending links to download a fake Huawei Mobile app. The link takes users to a lookalike Google Play Store to spur a further software download. Once installed, the malware asks users for notification access, which allows it to spam a user’s WhatsApp contacts with similar links via the app’s quick reply feature, which allows replies directly from a notification. The ultimate aim is to have users fall for a subscription scam, but the researchers warn the app also asks for permission to draw over other apps and to run in the background, opening the door to other types of abuse down the line. While currently limited to WhatsApp messages, the researchers warn that updates could abuse quick reply access to spread through other apps as well.

(Hacker News)
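The worm described above only works once a user has granted it notification access, so one concrete check a device administrator can run is which apps currently hold that permission. The following Python script is an added example, not code from the article or from ESET. It assumes the administrator has read the `enabled_notification_listeners` secure setting from a device (for instance with `adb shell settings get secure enabled_notification_listeners`) and compares it against an allowlist; the setting value and every package name below are constructed for the example.

```python
"""Audit Android notification-listener grants against an allowlist.

Android stores the apps that hold notification access in the secure setting
`enabled_notification_listeners`: a colon-separated list of flattened
ComponentName strings (package/Service), or the literal string "null" when
nothing is granted. This script parses that value and reports packages the
administrator has not explicitly allowlisted.
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample of the setting value; all package names are made up,
# including the lookalike "huaweimobile" one that mimics the lure app.
SAMPLE_OUTPUT = (
    "com.example.watchcompanion/com.example.watchcompanion.NotifService:"
    "com.huaweimobile.update/com.example.dropper.ReplyListener"
)

# Hypothetical allowlist an administrator would maintain for their fleet.
ALLOWLIST = {"com.example.watchcompanion"}


def parse_listeners(raw: str) -> list[tuple[str, str]]:
    """Split the setting value into (package, service) pairs.

    Tolerates an empty value, the "null" placeholder, stray whitespace, and
    the short ".Service" form Android allows inside a flattened name.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs: list[tuple[str, str]] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, service = entry.partition("/")
        if not sep:
            # Not a valid flattened ComponentName; keep it visible rather
            # than silently dropping it from the audit.
            pairs.append((entry, ""))
            continue
        if service.startswith("."):
            service = package + service
        pairs.append((package, service))
    return pairs


def unexpected_listeners(raw: str, allowlist: Iterable[str]) -> list[str]:
    """Return packages holding notification access that are not allowlisted.

    Order of first appearance is preserved and duplicates are collapsed.
    """
    allowed = set(allowlist)
    flagged: list[str] = []
    for package, _service in parse_listeners(raw):
        if package not in allowed and package not in flagged:
            flagged.append(package)
    return flagged


if __name__ == "__main__":
    for pkg in unexpected_listeners(SAMPLE_OUTPUT, ALLOWLIST):
        print(f"notification access granted to non-allowlisted app: {pkg}")
```

A flagged package is a starting point for triage, not proof of infection: legitimate wearable companions and messaging apps also hold this permission, which is why the allowlist has to be maintained per fleet.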

Short sellers allege hacking after a subreddit squeezes a stock

Investors on the subreddit WallStreetBets had propped up the stock of GameStop from $20 on January 11 to $73 on the 15th. This came as more traditional investors, like Citron Research founder Andrew Left, established short positions, effectively betting that the stock would fall back below $20 in the near future, with Left planning to hold a Twitter livestream explaining why the stock would fall. Later in the week, Left established a second Twitter account, claiming people had tried to hack his primary account, and that the same group had harassed a minor, ordered pizzas to his home, and signed him up for Tinder in the past 48 hours. Moderators for the subreddit said they were not aware of these activities, “and if they did, it’s not something we condone or promoted.”

(Wired)

And now our sponsor Nucleus Security brings you “The Top 5 Antipatterns in Vulnerability Management”:

Antipattern #2: “CVSS prioritization”: CVSS scores are useful, but you need much more than scores to determine what to fix and when to fix it; business context and vulnerability intelligence are key to prioritizing vulnerabilities in large enterprises. Learn how Nucleus can help with intelligent vulnerability prioritization at nucleussec.com/demo

Scotland’s EPA won’t use public funds on ransomware

The Scottish Environment Protection Agency (SEPA) has been dealing with the fallout of a ransomware attack that began on December 24th, 2020. Since then, the agency has confirmed that about 1.2GB of data, roughly 4,000 files, was exfiltrated, including staff and business records. SEPA confirmed it will not engage with the attackers and will not pay a ransom with public funds. The investigation is still ongoing, so no details about which ransomware operator was behind the attack have been revealed.

(Security Magazine)

Australian Securities and Investments Commission reports unauthorized server access

The financial services regulator ASIC became aware of the access on January 15th, and said it was “related to Accellion software used by ASIC to transfer files and attachments.” The accessed server contained documents related to Australian credit applications, with the regulator warning that limited information may have been viewed by the threat actor, although there is no current evidence that any files were opened or downloaded. As a precaution, ASIC has disabled the server and is working on an alternative system for submitting credit application attachments. This is the second government file transfer server running Accellion software to be accessed this month, with the Reserve Bank of New Zealand reporting a breach of a third-party file sharing service on January 11th. Both incidents appear to be the result of an exploit in Accellion’s twenty-year-old File Transfer Appliance, for which Accellion has already issued a patch.

(The Register)

ADT tech hacked customer cameras

A former technician for the home security company ADT admitted to accessing customers’ home security cameras more than 9,600 times over four years, in particular spying on women. As part of a guilty plea on charges of computer fraud, the technician said he often added his personal email address to customers’ “ADT Pulse” accounts, which gave him real-time access to the video feeds from their homes. This was done either without the customer’s knowledge or disclosed to the customer as a temporary short-term test of the system. The FBI agents investigating the case recommend that anyone with connected devices regularly check who is listed as an authorized user on their accounts, and regularly change passwords.

(Security Magazine)

The case for standalone password managers

PCWorld Senior Editor Brad Chacos makes the case that while password managers integrated into modern browsers have come a long way, users would be better off, and more secure, using a discrete third-party solution. He notes that while additions like two-factor authentication and strong password generators have certainly made browser-based solutions better than no password manager at all, they also lock you into just one browser. This results in either fragmented password vaults across multiple ecosystems or cumbersome logins to different accounts to access passwords, which is especially kludgy on mobile. Third-party password managers usually have secure tools for sharing passwords, are built to work at the OS level rather than inside one particular app, and are now broadly supported on iOS and Android.

(PCWorld)