China issues new zero-day rules
New rules issued by the Cyberspace Administration of China state that no one in the country “may ‘collect, sell or publish information on network product security vulnerabilities.” China’s 2017 national intelligence law already requires all Chinese nationals to support, assist and cooperate with national intelligence efforts. But industry analysts expect this law to further funnel zero-day exploits directly to Chinese APTs, rather than making them available for sale to third-parties, tightening already limited flexibility by security researchers in China. The law does allow for disclosing zero-days to foreign product manufacturers, but it’s unclear if bug-bounty programs or contents like Pwn2Own would qualify as “publishing” under the law.
Google discloses four zero-days tied to Russian APT
Google’s Threat Analysis Group published the details of the exploits, found in Google Chrome, Internet Explorer, and WebKit. The researchers tied the exploits back to a commercial surveillance vendor seemingly providing support to government-backed attackers, and another directly to a Russian APT. Google didn’t name the actor but Microsoft claims there are ties to the Nobelium group. While three of the flaws were not used in any known high-profile campaigns, the WebKit flaw was used to send malicious links in LinkedIn Messaging to government officials from western Europe. According to Google there have been 33 zero-days used in publicly disclosed attacks this year, already up 50% from all the zero-days used in 2020.
Microsoft announces Windows 365 at Inspire 2021
This is a new virtualized desktop service running on top of Azure Virtual Desktop that lets businesses easily deploy and stream Cloud-based PCs. The service will be available on August 2nd, initially streaming Windows 10 and later Windows 11 once the new OS becomes available. Microsoft claims Windows 365 is ideal for hybrid work environments, and lets admins manage security configuration with direct integration to Microsoft Endpoint Manager. The service can run within an HTML5 browser or the Remote Desktop app, comes in 1-8 vCPUs as a per-user, per-month subscription.
Campaign looks to end use of facial recognition in retail
A group of 35 organizations, led by the privacy non-profit Fight for the Future, have created the Ban Facial Recognition in Stores campaign to highlight the use of the technology in retail environments and, as the name suggests, put pressure on them to stop. The group notes that Apple, Lowe’s, Albertsons, Macy’s, and Ace Hardware use facial recognition, while some large retailers like Walmart, Home Depot, and Target have committed to not using it. While some states and cities have bans on government use of facial recognition, only Portland, Oregon has included private businesses in legislative bans.
Thanks to our episode sponsor,
MasterCard the latest payment network barred in India
Starting July 22nd, the Reserve Bank of India will indefinitely bar MasterCard from issuing new debit, credit, or prepaid cards to customers in the country, citing failure to comply with local data storage laws. Since 2018, India has required all Indian transaction data stored within domestic servers. The order will not impact existing customers. American Express and Diners Club faced similar restrictions earlier this year for the same reasons. Several payment networks and the US government have urged India to reconsider these regulations as causing potential overreach by regulatory authorities.
SonicWall warns of critical ransomware risk to VPN appliances
The company issued an urgent security notice that ransomware attacks are targeting unpatched Secure Mobile Access (SMA) 100 series and Secure Remote Access devices running end-of-life firmware. Attackers are using stolen credentials to exploit 8.0 firmware on the devices. SonicWall notes that newer firmware versions fix the issue, and that it doesn’t impact SMA 1000 series devices. The company recommends updating to newer firmware or disconnecting the devices as soon as possible, characterizing the risk of ransomware attack as “imminent.”
Firefox keeps third-party logins in Private Browsing
Mozilla released a privacy-focused update in Firefox 90 that lets you use Facebook to login to websites in Private Browsing or Strict Mode. Firefox uses Smartblock 2.0, the new version of the third-party tracking blocker introduced in Firefox 87, which cleans up web pages that are broken by Firefox’s content protections, and replaces tracking scripts with “stand-ins” so sites can render normally.
Chrome getting HTTPS-only mode
We previously reported that Chromium code pointed to Google planning to offer an HTTPS-First mode in Chrome. Google has now officially announced the feature, coming first to Chrome 94, which is slated for a September 21st release. This will be an optional setting that will default to HTTPS even when clicking links using HTTP or if HTTP is typed into the URL bar. Sites not supporting HTTPS will show a full page warning before loading. The company said it’s also “re-examining” the use of the lock icon when browsing HTTPS sites, with plans to experiment with alternate looks. Google said the vast majority of users assume the lock means that the site is secure, not the connection.