Daycare apps found insecure
The Electronic Frontier Foundation looked into the security of daycare apps, which parents are often required to use when enrolling children. It found that almost all of the apps lack any kind of 2FA, with one of the more popular ones, Brightwheel, claiming it was the “1st partner to offer this level of security.” It also found that many apps had weak password policies, used undisclosed Facebook trackers, and had cleartext traffic enabled. The EFF wasn’t the first to highlight these issues, but it found that many app makers lacked even a basic email address for reporting security issues, and were often unresponsive. A previous Australian study found that just 14% of daycare app vendors responded to reported security issues. The EFF also points out that regulations like COPPA don’t apply to these applications.
(EFF)
Encryption flaws found in Mega
The cloud storage and file sharing service Mega has made a name for itself with its strong stance on encryption, saying its end-to-end encryption means even it can’t decrypt content on its service, even if its infrastructure were seized by a third party. However, a new paper from researchers at ETH Zurich found that Mega’s system does “not protect its users against a malicious server,” and that it would be trivial for anyone with control of the platform to perform a full key recovery attack on any user. They also built a proof-of-concept showing how attackers could insert malicious files that would pass client authenticity checks. The researchers alerted Mega to these findings in March, and on June 21st it began rolling out an update. However, the researchers described the patch as ad hoc, saying it does not fix key reuse issues, the lack of integrity checks, and other system-wide problems. Mega said it’s unaware of any user accounts compromised by exploiting these flaws.
Microsoft retires cloud facial recognition
The company is pulling public access to several of its Azure Face facial analysis tools, including one that attempts to read emotions. Since the feature’s release, experts have been critical that it is unscientific to directly associate external facial expressions with internal emotional states. This comes as part of a larger review of Microsoft’s AI ethics policies. Microsoft will also retire Azure Face’s attempts to identify “attributes such as gender, age, smile, facial hair, hair, and makeup.” New customers lose access now, and existing customers will lose access June 30th. Microsoft will continue to use the technologies in its own Seeing AI machine vision aid.
Splunk server vulnerability discovered
Splunk disclosed a vulnerability in its Enterprise Deployment Servers that could open the door to arbitrary code execution. The vulnerability ties back to Splunk Universal Forwarders, which send data from a machine to a data receiver. If compromised, a Forwarder could be used to execute code on other Forwarder endpoints subscribed to the same deployment server. There are currently no reports of this being exploited in the wild, and Splunk has released a patch.
(CIS)
Thanks to today’s episode sponsor, Optiv

• Increasing security
• Decreasing risk
• Lowering cost
Learn more at www.optiv.com/IAM-Microsoft.
NSO dishes on European usage
The spyware firm’s General Counsel Chaim Gelfand told a European Parliament committee that at least five EU countries have used its software, with NSO terminating one country’s usage following an abuse of its Pegasus software. Gelfand maintained that NSO “made mistakes” but also passed up large amounts of potential revenue by canceling contracts over misuse. He maintained that NSO does “due diligence on in advance in order to assess the rule of law in that country.” Gelfand also said the company was in favor of creating an international body to regulate spyware, akin to a “non-proliferation agreement.”
(Politico)
DARPA finds blockchains aren’t all that decentralized
A new report from the Defense Advanced Research Projects Agency looking into whether blockchains are decentralized found some “unintended centralities,” leading the authors to believe that many blockchains could eventually have power concentrated in a few select individuals or groups. The paper found the cryptographic underpinnings of blockchain “quite robust.” But it points out that three ISPs saw 60% of all Bitcoin traffic, opening the door to these providers restricting certain transactions and becoming a majority voice in the consensus over what actually gets written to the blockchain. The report also points out that 21% of Bitcoin nodes run older versions of the Bitcoin client that are vulnerable to attacks.
(Gizmodo)
Brave Search growing quickly, adding customization
Brave Software announced that its privacy-focused Brave Search engine has come out of beta. Over the last year it saw search queries grow almost 5,000% to 2.5 billion, with query volume growing four times faster than rival DuckDuckGo, although that rival currently sees about 7x more queries overall. Brave also announced that a new Goggles feature is coming to Brave Search, letting users customize how search results are ranked. A white paper shows this letting users exclude the top 1,000 most popular domains from a search, or exclude product reviews with commercial backing.
European police disrupt major phishing operation
Police across Belgium and the Netherlands arrested nine individuals and conducted 24 house searches as part of a coordinated effort to dismantle the organization. The phishing group sent unsolicited emails, texts, and DMs to victims with links to phishing sites posing as banks, where victims entered their banking credentials. While not the most innovative phishing scheme, the group stole several million euros from victims, and had ties to drug trafficking operations. This comes as the Anti-Phishing Working Group reports an all-time high of reported phishing attacks in Q1 2022, surpassing one million for the first time.