Twitter clarifies its election results policy

The company had previously said it will label misleading tweets claiming premature victory in the US presidential election. Now the company says it will begin labeling on the night of November 3rd, and will consider US election results official when they are confirmed by state election authorities or by two of the following outlets: ABC News, Associated Press, CBS News, CNN, Decision Desk HQ, Fox News, and NBC News.


Google discloses Windows zero-day 

Google believes the flaw is being actively exploited. According to Google’s Project Zero lead Ben Hawkes, the company expects the flaw to be patched on November 10th, Microsoft’s next Patch Tuesday. The exploit is a two-stage attack, beginning with a zero-day Chrome vulnerability disclosed last week that lets attackers run malicious code in Chrome. The Windows side allows the attackers to escape Chrome’s sandbox and run the code at the OS level. The flaw impacts all Windows kernels from Windows 7 through the most current stable Windows 10 release.


Maze ransomware operators call it quits

The ransomware group issued a press release titled “The Project is closed,” clarifying that any future use of its name or brand should be considered a scam. The Maze operators deny having formed a cartel with other ransomware groups. BleepingComputer’s sources say some Maze affiliates have moved on to a new ransomware operator called Egregor. Maze had been tied to ransomware attacks against Southwire, the City of Pensacola, Canon, LG Electronics, and Xerox. Maze has not responded to questions about whether they will release their master decryption keys.

(Bleeping Computer)

Devices still vulnerable to SMBGhost

A patch for the Windows SMB vulnerability was issued over six months ago, but security researcher Jan Kopriva reports that a search of Shodan found over 100,000 unpatched machines still vulnerable to the exploit. Taiwan appears to have the most vulnerable machines, followed by Japan, Russia, and the US. Shodan shows that after an initial rush to apply the patch, the number of vulnerable machines has remained flat for months. 

(Security Week)


Google’s reCAPTCHA may have privacy problems

According to research by Victory Medium’s Zach Edwards, the JavaScript for Google’s reCAPTCHA service, meant to filter out bots and automated web browsing, may allow for “triangle syncing,” which lets two web domains associate cookies for an individual user and track them across an advertising domain, a practice common in the advertising world. reCAPTCHA uses the domain which Edwards claims is doing a triangle sync to Google says gstatic is cookieless, but references in its JavaScript mention cookies, and reCAPTCHA-embedded pages also set a “NID” preference cookie. Google maintains that any data collected from reCAPTCHA isn’t used for personalized advertising and is used only to improve the product.

(The Register)

How effective is Facebook fact-checking?

New research from Columbia’s Tow Center reviewed fact-check labels assigned to stories on Facebook from October 1st to 5th. Facebook’s ten US fact-checking partners debunked over seventy claims, many related to President Trump’s COVID-19 diagnosis and treatment. The researchers identified 1,100 posts across Facebook and Instagram and found that fewer than 50% carried any fact-checking labels. The researchers also found that Facebook’s automated AI review of content was often fooled by minor variations of memes.


A look at the cyberthreats faced by the BBC

A recent Freedom of Information request in the UK revealed that the British Broadcasting Corporation blocked an average of 283,597 malicious emails per day during the first eight months of 2020. In that period the broadcaster blocked 51.9 million infected emails, with an average of 18,600 each month actively containing malware. Research by Barracuda Networks early in the COVID-19 pandemic found that phishing emails were up by 667%. 

(InfoSecurity Magazine)

Bridgefy gets end-to-end encryption

The offline messaging app Bridgefy has recently been used by protest groups, as its combination of Bluetooth and Wi-Fi allows messages to be sent when the internet is blocked. Earlier this year, security researchers at Royal Holloway, University of London published a paper outlining a myriad of security vulnerabilities in the app: messages were not encrypted and lacked basic sender verification, allowing spoofing by third parties. A new update to the app now adds end-to-end encryption. The update also prevents man-in-the-middle attacks, and one-to-one messages will no longer send user IDs in plain text.