
Tech News - Cybersecurity

373 Articles
Google’s Senate testimony, “Combating disinformation campaigns requires efforts from across the industry.”

Fatema Patrawala
05 Sep 2018
5 min read

Ahead of today’s congressional hearing on social media companies’ efforts to thwart election meddling in advance of November’s midterm races, Alphabet Inc.’s Google posted a “testimony”. The Senate had invited Alphabet Inc. CEO Larry Page and had also extended the invitation to Google CEO Sundar Pichai to testify at the hearing. However, neither official is attending, and Google planned to send its Chief Legal Officer, Kent Walker, to testify before the panel instead. The Senate Intelligence Committee rejected Walker as a witness, finding that he is not placed at a high enough level in the company to testify at Wednesday’s hearing. The panel also expects to hear testimony from Twitter Inc. Chief Executive Jack Dorsey and Facebook Inc. Chief Operating Officer Sheryl Sandberg on Wednesday.

Kent Walker says in his blog post, “I will be in Washington briefing Members of Congress on our work on this and other issues and answering any questions they have, and will be submitting this testimony.”

Here are the key highlights of the testimony:

Verification program: A verification program has been rolled out for anyone who wants to purchase a federal election ad on Google in the U.S. Google will require advertisers to provide government-issued identification and other key information to confirm that they are a U.S. citizen, a lawful permanent resident, or a U.S.-based organization, as the law requires.

In-ad disclosures: To help people better understand who is paying for an election ad, Google has incorporated in-ad disclosures. This means Google will identify by name the advertisers running election-related campaigns on Search, YouTube, Display and Video 360, and the Google Display Network.

Transparency report: Google launched a “Political advertising on Google” Transparency Report for election ads, which provides data about the entities buying election-related ads on its platforms, how much money is spent on such ads across states and congressional districts, and who the top advertisers are overall. The report also shows the keywords on which advertisers have spent the most money for ads of political importance during the current U.S. election cycle, from May 31st, 2018 onwards.

Searchable election Ad Library: Finally, Google will offer a searchable election Ad Library within its public Transparency Report, which will show which ads had the highest views, the latest election ads running on the platform, and deep dives into specific advertisers’ campaigns. The data shows the overall amount spent and the number of ads run by each election advertiser, and whether the advertiser targeted its ad campaigns geographically or by age or gender. It will also show the approximate amount spent on each individual ad, the approximate impressions generated by each ad, and the dates each ad ran on the platform.

In addition to the transparency efforts, Google has implemented a number of initiatives to improve the cybersecurity posture of candidates, campaigns, and the election infrastructure. In October 2017, it unveiled the Advanced Protection Program, which it claims provides the strongest account protection that Google offers. Second, in May 2018, Google’s Jigsaw project, dedicated to building technology to address significant security challenges, announced the availability of Project Shield to U.S. political organizations (e.g., candidates, campaigns, political action committees) registered with the appropriate electoral authorities. Project Shield is a free service that uses Google technology to prevent distributed denial of service (DDoS) attacks that block access to content.

Lastly, Google continues to issue warnings to users when it suspects a risk of state-sponsored efforts to hijack their accounts. But it also acknowledges that combating disinformation campaigns is next to impossible for any single company to shoulder:

“We have deployed our most advanced technologies to increase security and fight manipulation, but we realize that no system is going to be 100% perfect. Our algorithms are designed to identify content that many people find relevant and useful. We are constantly looking to find signals that help us identify deceptive content, while promoting content that is authoritative, relevant, and current. We have made substantial progress in preventing and detecting abuse, and are seeing continued success in stopping bad actors attempting to game our systems. And as threats evolve, we will continue to adapt in order to understand and prevent new attempts to misuse our platforms. We certainly can’t do this important work alone. Combating disinformation campaigns requires efforts from across the industry. We’ll continue to work with other companies to better protect the collective digital ecosystem, and, even as we take our own steps, we are open to working with governments on legislation that promotes electoral transparency.”

Walker concluded: “While the nature of our services and the way we run our advertising operations appears to have limited the amount of state-sponsored interference on our platforms, no system is perfect—and we are committed to taking continuing action to address the issue. Over the course of the last 18 months.”

Facebook, Twitter open up at Senate Intelligence hearing, committee does ‘homework’ this time

Fatema Patrawala
06 Sep 2018
14 min read

Five months after Facebook founder Mark Zuckerberg appeared before Congress, the US government once again invited top tech executives from Facebook, Twitter, and Google, this time to the fourth and final installment of a series of high-profile hearings on social media’s role in US democratic proceedings. Facebook COO Sheryl Sandberg and Twitter CEO Jack Dorsey faced the Senate Select Intelligence Committee to discuss national security issues and foreign interference in US elections through social media platforms. Google was notably absent from the proceedings, after the firm failed to send a senior executive ‘at the right level’ to Washington. Google submitted a written testimony ahead of the hearing, which the Senate discarded. In place of a Google representative, the Senate committee left an empty chair.

Opening remarks from Chairman Richard Burr and Vice Chairman Mark Warner

Senate Chairman Richard Burr made his opening remarks welcoming Jack Dorsey, CEO of Twitter, and Sheryl Sandberg, COO of Facebook. He started with some words on the recently passed John McCain, whose place at the hearing was marked with a single white rose on a black cloth. "He will be dearly missed," Chairman Burr said. He opened his speech by discussing social media over the last 18 months. He acknowledged its immense potential for good but highlighted how the recent past has shown how vulnerable social media can be to corruption and misuse. He said the committee takes this issue very seriously and appreciates that Facebook and Twitter have taken responsibility with an equivalent and appropriate measure of seriousness and, unlike their peer Google, have shown up for the hearing with the ‘appropriate level of corporate representation’. He added that the purpose of the hearing was to discuss the role social media plays in the execution of foreign influence operations.

The Chairman made the point that it is important to be candid with language, because that is what the significance of this threat demands. He said, “We need to be precise about the foreign actors we’re talking about. We need to be precise about the consequences of not acting and we need to be candid about being responsible for solving this problem and where it lies.” Chairman Burr said that "business as usual" for these tech firms is not good enough. "We've identified the problem, now we've got to find a solution," he added. He also took a jibe at Google for failing to send the "right senior executive".

His sentiments were echoed by Vice Chairman Mark Warner, who took over from Burr. He was "deeply disappointed" in Google for not taking the issues discussed yesterday seriously enough. Vice Chairman Warner also put forward some thoughts and open questions to Twitter and Facebook on improving their policies and systems:

- Users should have the right to know when they are interacting with bots or humans on the platform.
- Isn't there a public interest in ensuring there is more anonymised data to help researchers and academics identify potential problems and misuse?
- Why are your terms of service so difficult to find and nearly impossible to read and understand?
- Ideas like data portability, data minimization or first-party consent should be adopted.
- After encountering numerous situations of misuse, what kind of accountability should be implemented for the flawed advertising model?

Sheryl Sandberg’s defending comments

Facebook COO Sheryl Sandberg smoothly projected the impression that the company is always doing something, whether on combating hate speech, hoaxes and “inauthentic” content, or on identifying and blocking state-level disinformation campaigns, thereby shifting attention off the deeper question of whether Facebook is doing enough. Many of her answers courteously informed senators that Facebook would ‘follow up’ with answers and/or with some hazily non-specific ‘collaborative work’ at some undated future time, which is the most professional way to deflect awkward questions.

Sandberg started her opening remarks by thanking the committee for the opportunity to speak at the hearing. She referred to her written testimony, which goes into more detail; these are the points she reiterated in the session:

- Russia used Facebook’s platform to interfere in the US elections, and Facebook was too slow to spot this and too slow to act, and that is on Facebook, she said.
- She mentioned collaborative efforts with government and law enforcement committees.
- Facebook is investing in long-term security and has doubled the number of people working in safety and security. They are able to review security reports in 50 languages, 24 hours a day.
- They use better ML and AI techniques to be more proactive in finding abuse.
- Their first line of defense is finding and taking down fake accounts and pages, blocking millions of attempts to create fake accounts.
- They are making progress on fake news and limiting its distribution. Articles are marked by third-party fact checkers, and people who shared them or are about to share them are warned. They are shown related articles with more facts for a more well-rounded view.
- Strong steps have been taken to prevent abuse and increase transparency on the advertising platform. For political issue ads you can now see who paid for the ads, how much they paid, and the demographics of the advertisers. Advertisers are also required to go through a lengthy authorization process to confirm their identity.

Sandberg concluded by saying that these steps won’t stop people who are trying to game the system, but will make it a lot harder. She emphasized working more collaboratively with the government and law enforcement agencies, and continued that Facebook is more determined than its opponents and that they are in a grey area, working together to meet this challenge.

Jack Dorsey’s defence

“We weren’t expecting any of this when we created Twitter over 12 years ago. We acknowledge the real-world negative consequences of what happened, and we take full responsibility to fix it.”

Here’s the opening to Jack Dorsey’s prepared statement:

“Thank you for the opportunity to appear before the Committee today so I may speak to you and the American people. Twitter’s purpose is to serve the public conversation. We are an American company that serves our global audience by focusing on the people who use our service, and we put them first in every step we take. Twitter is used as a global town square, where people from around the world come together in an open and free exchange of ideas. We must be a trusted and healthy place that supports free and open discussion. Twitter has publicly committed to improving the collective health, openness, and civility of public conversation on our platform. Twitter’s health is measured by how we help encourage more healthy debate, conversations, and critical thinking. Conversely, abuse, malicious automation, and manipulation detract from the health of our platform. We are committed to holding ourselves publicly accountable towards progress of our health initiative. Today, I hope my testimony before the Committee will demonstrate the challenges that we are tackling as a global platform. Twitter is approaching these challenges with a simple question: How do we earn more trust from the people using our service? We know the way we earn more trust is by making our decisions on our platform as transparent as possible. We want to communicate how our platform works in a clear and straightforward way.”

Dorsey continued, “Abuse, harassment, troll armies, propaganda through bots and human coordination, misinformation campaigns, and divisive filter bubbles…that’s not a healthy public square. Worse, a relatively small number of bad-faith actors were able to game Twitter to have an outsized impact. We weren’t expecting any of this when we created Twitter over 12 years ago. We acknowledge the real-world negative consequences of what happened, and we take full responsibility to fix it. We’ve seen positive results from our work. We’re now removing over 200% more accounts for violating our policies. We’re identifying and challenging 8-10 million suspicious accounts every week. And we’re thwarting over a half million accounts from logging in to Twitter every day. Today we’re committing to the people, and this committee, to do that work, and do it openly. We’re here to contribute to a healthy public square, not compete to have the only one.”

A few questions to the witnesses from the Senators on the committee

Senator James E. Risch on hate speech

“Who sets the security standards or the descriptions of authority of manipulative content, and is there any kind of unanimity amongst them, or are there any debates or hate speeches in the team?”

Sandberg said that language that leads to violence is not permitted on Facebook’s platform, and Twitter CEO Dorsey shared the same view. Risch asked whether there was any way for Facebook to distinguish between US citizens and people from other countries. Sandberg responded that Facebook asks people to declare where they are from. People are allowed to talk about any country, but are not allowed to engage in hate speech, and they are not allowed to interfere in or influence elections. Facebook is also looking to go further into transparency reporting. Twitter, for its part, focuses on behavioural patterns: it tracks common patterns of behaviour and uses that information to identify inauthentic content. Twitter has built deep learning and machine learning technologies to recognize these patterns quickly and shut them down before they spread to other areas.

Senator Martin Heinrich on threats to elections

“What is it that you have learned from the past elections since 2016 as the platforms have been used throughout the course of a number of elections around the world? And how have you informed your current posture in terms of how you are gaining transparency in this activity?”

Sandberg said that Facebook is getting smarter at detecting and preventing threats to elections, but warned that its opponents are getting smarter as well. Dorsey followed by mentioning how Twitter is working with AI tools to recognise patterns of behaviour that allow people to artificially amplify information.

Senator Susan Collins on why Twitter doesn’t notify individuals

“Once you’ve taken down accounts that are linked to Russia, these imposter accounts, what do you do to notify the followers of those accounts that they have been following or engaged in accounts that originated in Russia and are not what they appear to be?”

“We simply haven’t done enough… we do believe transparency is a big part of where we need improvement... We need to meet people where they are... We are going to do our best to make sure that we catch everything via external partnership and other channels. We recognise we need to communicate more directly,” said Jack Dorsey. He also added, “We are looking to incentivise people not only based on the number of followers they have but also the way they share content online, by what kind of content they share. We are also looking to expand our transparency report and extend the same to the public.”

How can Facebook and Twitter clean their systems?

“We have been investing heavily in identifying bad actors in the system. Most of our takedowns have been on our own, but we have coordinated with external parties to make this successful,” said Sandberg. Dorsey had his own response: “There are a number of short-term risks involved, but the only way we’ll grow is by building the platform’s health, and we have strengthened our partnership with government agencies and law enforcement partners.”

The stock prices of Twitter and Facebook don’t seem to be holding up to the questioning and have been dropping since the hearing began.

Sandberg added, “the most important determinant is what people choose to follow. If you don’t want to follow someone we encourage that. We are going to make a contribution to investing in technology to figure out a solution to battle deep fake news.”

“I encourage both of you to work closely with academia… I hope that you will commit to providing data that goes beyond a 3 year window to researchers who are looking into Russian influence on your platforms,” concluded Senator Collins.

Senator Harris on business incentive alignment and policy inconsistencies at Facebook

“What metric are you using to calculate the revenue generated associated with those [inorganic] ads? And what is the dollar amount that is associated with that revenue?... What percentage of content on Facebook is inorganic?.. You must know.”

Sandberg answered, “Ads don’t run with inorganic content on our service. So there is no way to firmly ascertain how much ads are attached to how much organic content, and that’s not how we work.” Harris further asked, “How can you reconcile an incentive to create and increase your user engagement when the content that generates a lot of engagement is often inflammatory in nature?” Sandberg gave a specific example of Facebook’s hate speech moderation failure, a financially incentivized policy and moral failure. She referenced a ProPublica report from June 2017, which revealed the company had told moderators to delete hate speech targeting white men but not black children, as they were a protected class. She continued that it was a bad policy and they had fixed it. Harris questioned whether the policy was changed after the report, to which Sandberg uncomfortably responded that she would get back to the committee on the specifics of when and what had happened.

Senator Blunt on liability implications and lessons from this year’s attempts at improving the platforms

“In the interest of transparency and public education…, are you willing to archive suspended accounts...?”

Dorsey opened by saying, “As we think about our singular priority of improving the health of public conversations, we are not going to be able to do long-term work unless we look at the incentives that our product is asking people to act on every day.” Dorsey agreed that archiving historical data is a great idea, but that further understanding of the legal implications of such an action is needed. “The business implications, the liability implications of what we’re asking you to do are pretty grey,... what’s the challenge here?” asked Blunt. Tighter co-ordination helps, Sandberg responded. “We’d like a regular cadence of meetings with our law enforcement partners; we’d love to understand the secular trends that they are aware of in our peer companies, other mediums or more broadly, that would inform us on how to act faster. We’d appreciate consolidating to a single point of contact instead of bouncing between multiple agencies to do our work,” added Dorsey.

Senator Lankford on data from suspended accounts

Both Twitter and Facebook keep records of suspended accounts for later analysis and for referrals by law enforcement bodies. Sandberg was also questioned on the number of fake accounts on Facebook.

Senator Manchin on why Facebook and Twitter don’t operate in China

Both Facebook and Twitter do not operate in China because the Chinese government has not allowed either platform in the country, Sandberg and Dorsey unanimously replied to the senator.

Senator Cotton on why WikiLeaks is active on Facebook and Twitter

WikiLeaks and Julian Assange remain active on Facebook and Twitter. Sandberg said that these accounts don’t violate any of Facebook’s terms. Dorsey supported the viewpoint and clarified that Twitter is open to inviting law enforcement to investigate if needed.

Vice Chairman Mark Warner wraps it up

Warner thanked both Dorsey and Sandberg for their presence and urged both to make their platforms safer for users across the US. He also thanked them for taking down bad actors online and for helping fight fake news. Chairman Richard Burr also thanked both for being present and addressing the senators’ questions.

To watch the full coverage of the hearing, visit the US Senate Select Committee on Intelligence’s official page.

Security Vulnerabilities identified in Washington, Georgia, and North Carolina’s voting systems

Savia Lobo
13 Nov 2018
4 min read

Security gaps have been identified in both Washington State’s and North Carolina’s voter registration systems. Spotted by cybersecurity experts, these vulnerabilities could potentially have been exploited to interfere with citizens’ eligibility to cast ballots in last week’s elections. Fortunately, it seems that hasn’t happened. Officials in both Washington and North Carolina expressed confidence that they would spot any widespread tampering with voter registration records.

According to The Seattle Times, “cyber experts said Washington appears to have failed to plug all the holes after the U.S. Department of Homeland Security warned last year that Russian cyber operatives had downloaded voter records from Illinois’ database in advance of the 2016 presidential election and attempted to do so in 20 other states.”

Washington Secretary of State Kim Wyman assures voters systems are secure

Washington Secretary of State Kim Wyman was keen to stress that Washington’s electoral infrastructure is secure. In a statement on her website, she said “voters can rest assured that Washington’s election system is secure.”

It was only in May that the Senate Intelligence Committee alleged that in “a small number of states,” cyberattackers affiliated with the Russian government “were in a position to” alter or delete voter registration information during the 2016 election. As part of that report, the Committee urged “federal grant funds to improve cybersecurity by hiring additional Information Technology staff, updating software, and contracting vendors to provide cybersecurity services.”

However, cybersecurity experts have been quick to pick up on vulnerabilities that still haven’t been tackled. Susan Greenhalgh, policy director for the National Election Defense Coalition, said “the gaping vulnerability found in Georgia should be sending shock waves, not just in the Georgia Secretary of State’s office, but in all the other states that are using the same technology. The vendor left a door wide open that allows an attacker, anywhere in the world, to execute a voter suppression operation using election technology.”

The vendor that installed Georgia’s computer programming has been identified as PCC Technologies, at the time a Connecticut-based firm. Cyber experts examined four states’ registration sites for McClatchy, including North Carolina’s and Washington’s, because PCC had listed them alongside 15 other states for which it had performed work. Officials in both Washington and North Carolina said PCC did not program their voter registration databases, but the cyber experts said they could still see vulnerabilities. According to The Seattle Times, “[cybersecurity experts] said hackers could get around authentication requirements in the voter registration system for Washington’s statewide vote-by-mail operation.” This would mean that “if data were deleted, the affected voters would not be mailed ballots, creating significant challenges, especially if the voter failed to act before Election Day.”

Georgia’s online registration system is out of date, cybersecurity expert claims

Harri Hursti, a New York-based cybersecurity expert who monitored Georgia’s election on Tuesday, said the design of its online registration system would have been acceptable 15 years ago. But today, he said, it would violate “every single manual” because it exposes “critical information” to any viewer. Erich Ebel, a spokesperson for Kim Wyman, said “the state has a very robust election security protocol, both physical and electronic. Our firewalls are state-of-the-art, and we have a number of other measures in place to identify, block and report suspicious activity”. “Bernhard and a prominent cyber expert who evaluated Washington’s security on condition of anonymity said there’s still a way for a bad actor to manipulate the system,” according to The Seattle Times.

A group of programmers created a website named Highprogrammer.com, which can easily obtain driver’s licenses for residents of Washington and a number of other states, to show how easily the systems can be breached. Patrick Gannon, a spokesman for North Carolina’s elections board, also acknowledged that a North Carolina law makes the state’s voter registration data widely available. This includes personal information such as ages and addresses, and could allow anyone to pluck names off the list, fill out a form and mail fake address changes to state or county officials.

Facebook open sources Fizz, the new generation TLS 1.3 Library

Melisha Dsouza
08 Aug 2018
3 min read

Facebook has open-sourced Fizz, a new TLS 1.3 library, for securing websites against cyberattacks and improving its focus on safe data transit across the internet. TLS 1.3 is now taking good shape: Facebook claims that more than 50% of its web traffic is secured and served via TLS 1.3 and Fizz. Since Facebook’s infrastructure is so widespread, a protocol like TLS is of great importance. Addressing SSL’s issues of both latency and data exposure, TLS 1.3 also uses stronger encryption for handshake messages to keep certificates private, redesigns the way secret keys are derived, and uses a zero round-trip connection setup to accelerate requests. Thus, TLS overcomes the shortcomings of the previously used SSL protocol.

What problem does Fizz solve for Facebook?

Assisting the Internet Engineering Task Force’s efforts to improve the TLS protocol, Fizz will now play its own part. One of the major issues faced by the engineers at Facebook was writing data into huge contiguous chunks of memory. This led to increased resource overhead and reduced server speed. To combat this issue, Fizz divides the data into smaller chunks and encrypts it in place as it moves it into memory. This simple technique, called “scatter/gather I/O”, processes data much more efficiently.

[Figure: Scatter/Gather I/O. Source: code.fb.com]

The next big thing Fizz does is replace the previously deployed Zero protocol with TLS 1.3. The Zero protocol enabled Facebook to experiment with 0-RTT secure connections. 0-RTT reduced request latency and the overhead needed to deploy TLS. Fizz has now taken over from the Zero protocol, providing zero-copy encryption and decryption and tight integration with other parts of the infrastructure while reducing memory and CPU usage. This improves user experience, particularly on app startup when there are no existing connections to reuse. All this is done at the same speed as the Zero protocol, but with 10 percent higher throughput.

In today’s world, servers are scattered everywhere. Keeping in mind that these servers usually want to be able to make calls to services in other locations in the middle of a handshake, asynchronous I/O becomes very important. Fizz therefore provides a simple async application programming interface (API). Any callback from Fizz can return an asynchronous response without blocking the service from processing other handshakes. It is also very easy to add new asynchronous callbacks to Fizz for other use cases.

Fizz also provides developers with easy-to-use APIs to send “early data” immediately after the TCP connection is established. Early data reduces the latency of requests.

Fizz is built from secure abstractions. This helps catch bugs at compile time rather than at runtime, thereby preventing mistakes.

This open-source release from Facebook aims to be better than its SSL predecessor at preventing attacks. It will be interesting to see how the community takes advantage of the library. Head over to the official Facebook documentation to learn more about this robust library.

Barracuda announces Cloud-Delivered Web Application Firewall service

Savia Lobo
17 May 2018
2 min read

Barracuda Networks recently announced its new Cloud-Delivered Web Application Firewall service. The service offers organizations new ways to manage, deploy and integrate application security into an application delivery stack.

A WAF is a type of firewall purpose-built to help defend against application-layer threats and attacks. WAFs can be used to protect against known vulnerabilities in applications, such as input-validation flaws and SQL injection. Barracuda’s WAF-as-a-Service application security is offered through a cloud service and aims to simplify overall management and speed up deployments for customers. Barracuda also enables developers to use its WAF-as-a-Service for DevOps via an API; the WAF API allows developers to modify the behavior of application traffic.

Some features of the Cloud-Delivered Web Application Firewall service are:

Secure web applications: It delivers a high level of protection via its synchronous integration with Barracuda’s real-time threat intelligence network. The service defends against the OWASP Top 10, bots, DDoS, and other sophisticated attacks, for example attacks that use XML or JSON, and even the most advanced zero-day threats.

Automated vulnerability remediation and granular policy configuration: No extensive security expertise is required, because the firewall service offers a simple 5-step setup wizard that starts protecting web applications in minutes. One can take full control and fine-tune security policies for every application. One can even build baseline application security policies automatically with out-of-the-box automated vulnerability remediation and pre-built templates for common applications such as WordPress and SharePoint, and then take control and fine-tune as needed.

Simplified cloud-delivered service: The new service is fast, with an intuitive UI. Since there is no device to deploy or manage, it removes the complexity of WAF deployment. One can integrate security directly into the application development lifecycle, as the solution is always available, and it can reduce or eliminate the need to manually test code.

To know more about this new Cloud-Delivered Web Application Firewall service, visit Barracuda’s official blog post.
Savia Lobo
22 Jul 2019
6 min read
Kazakhstan government intercepts nationwide HTTPS traffic to re-encrypt with a govt-issued root certificate - Cyber-security or Cyber-surveillance?

Update: On August 6, 2019, TSARKA, a cyberattack prevention body in Kazakhstan, announced that those who have installed the National Certificate may delete it, since it will no longer be needed. "Officials explained that it was happening because of the new security system's testing," TSARKA said. TSARKA was officially informed that the tests were completed and that all the tasks set during the pilot were successfully solved. However, it further said, "the need for its installation may arise in cases of strengthening the digital border of Kazakhstan within the framework of special regulations."

On Wednesday, July 17, 2019, the Kazakhstan government started intercepting internet traffic within its borders. The government instructed all ISPs to force their users to install a government-issued root certificate from Qaznet Trust Network on all devices and in every browser. With this root certificate installed, local government agencies are able to decrypt users' HTTPS traffic, inspect its content, re-encrypt it with the government's own certificate and then forward it to its destination; in other words, it enables a nation-wide man-in-the-middle (MITM) attack. Since Wednesday, all internet users in Kazakhstan have been redirected to a page instructing them to download and install the new certificate, whether on their desktops or on their mobile devices.

Why is the Kazakhstan government forcing citizens to install the root certificate?

Local media outlet Tengrinews.kz reported that the Kazakh Ministry of Digital Development, Innovation and Aerospace said only internet users in Kazakhstan's capital, Nur-Sultan, would have to install the certificate; however, users from all across the country reported being blocked from accessing the internet until they installed it.

Olzhas Bibanov, head of the public relations service at Tele2 Kazakhstan, said, "We were asked by authorized bodies to notify Nur-Sultan's subscribers about the need to establish a security certificate". In an announcement sent to local ISPs, the government said the introduction of the root certificate was due to "the frequent cases of theft of personal and credentials, as well as money from bank accounts of Kazakhstan". The announcement continued, "The introduction of a security certificate will help in the protection of information systems and data, as well as in identifying hacker cyber attacks of Internet fraudsters on the country's information space systems, private, including the banking sector, before they can cause damage. (...) In the absence of a security certificate on subscriber devices, technical limitations may arise with access to individual Internet resources". The government further assured that the certificate "will become an effective tool to protect the country's information space from hackers, Internet fraudsters and other types of cyber threats."

The Kazakh government has tried unsuccessfully before to get its root certificate implemented

The government's first attempt, in December 2015, was similar to the current situation: it tried to force Kazakh users to install the root certificate and sent all users a notice warning them to install it by January 1, 2016. "The decision was never implemented because the local government was sued by several organizations, including ISPs, banks, and foreign governments, who feared this would weaken the security of all internet traffic (and adjacent business) originating from the country", ZDNet reports. The Kazakh government also approached Mozilla to include its root certificate in Firefox by default; Mozilla declined.

How can users ensure their safety from their own government?

Users who do not wish to install a certificate that puts their personal data at risk can try encrypting their internet traffic themselves, or avoid installing the certificate altogether. One way is to switch to Linux, since according to the announcement Linux users are exempt from downloading the certificate: "[…] the installation of a security certificate must be performed from each device that will be used to access the Internet (mobile phones and tablets based on iOS / Android, personal computers and laptops based on Windows / MacOS)."

Eugene Ivanov, a member of the Mozilla team, says, "I think both Mozilla and Google should intervene into this situation because it can create a dangerous precedent, nullifying all the efforts of enforcing HTTPS. If Kazakhstan will succeed, more and more governments (eg. Russian Federation, Iran, etc.) will start global MITM attacks on their citizens and this is not good. I think all CAs used for MITM attacks should be explicitly blacklisted both by Mozilla and Google to exclude even [the] possibility of such attacks."

The government claims that installing the certificate is entirely voluntary. However, a user on Hacker News responds to this claim, saying, "Technically yes, installing the certificate is voluntary; it's just that if you don't install it you won't be able to access the internet anymore when the government starts MITMing your connections". This is possible: the government can take strict measures that may not be in the public's favour and in turn force people to hand over their personal data indirectly and involuntarily. In such cases people are highly dependent on browser makers such as Firefox and Google to fight for their rights. A Kazakhstan user writes on Hacker News, "Banning this certificate or at least warning the users against using it WILL help a lot. Each authoritarian regime is authoritarian in its own way. Kazakhstan doesn't have a very strong regime, especially since the first president resigned earlier this year. When people protest strongly against something, the government usually backs down. For example, a couple of years ago the government withdrew their plans of lending lands to foreign governments after backlash from ordinary people. If Kazakhs knew about the implications of installing this certificate, they would have been on the streets already." The user further adds, "If Firefox, Chrome and/or Safari block this certificate, the people will show their dissatisfaction and the law will be revoked. Sometimes the people in authoritarian countries need a little bit of support from organizations to fight for their rights. I really hope the browser organizations would help us here."

Browser organizations are discussing a plan of action for dealing with sites that have been (re-)encrypted with the Kazakh government's root certificate; however, nothing has been officially disclosed yet. We will update this page as the news develops. Read Google's discussion group to know more about this news in detail.

Related articles:
An attack on SKS Keyserver Network, a write-only program, poisons two high-profile OpenPGP certificates
Firefox releases v66.0.4 and 60.6.2 to fix the expired certificate problem that ended up disabling add-ons
Apple revoked Facebook developer certificates due to misuse of Apple's Enterprise Developer Program; Google also disabled its iOS research app
Bhagyashree R
14 May 2019
4 min read
A WhatsApp vulnerability enabled attackers to inject Israeli spyware on users' phones

Earlier this month, a major vulnerability was discovered in WhatsApp by its security team that allowed attackers to remotely install surveillance software on iOS and Android smartphones. The malicious software was injected into users' phones by placing WhatsApp voice calls, regardless of whether the user answered the call. In some cases, these calls vanished from the call logs, leaving the targeted users unaware of the attack. There is a possibility that this spyware could have allowed an attacker to read messages from the affected device.

Facebook, which owns WhatsApp, published an advisory to security specialists yesterday, describing the attack as, "A buffer overflow vulnerability in WhatsApp VOIP stack that allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number."

What steps have been taken by WhatsApp?

WhatsApp engineers worked through Sunday before deploying a patch for its 1.5 billion customers yesterday and urging them to update their app as an added precaution. The Financial Times reported, "WhatsApp said that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. It began rolling out a fix to its servers on Friday last week, WhatsApp said, and issued a patch for customers on Monday."

Not much detail about the vulnerability or the impact of the attack has been revealed yet, as WhatsApp is still in the early stages of its investigation. Reportedly, the company disclosed the attack to the United States Department of Justice last week. WhatsApp, in a statement shared on Monday, said, "This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society."

Who was behind this attack?

According to the Financial Times, the malicious software was developed by NSO Group, which is headquartered in the Israeli city of Herzliya. While the company tries to keep its work under wraps, it has been accused of selling its flagship software, Pegasus, to Saudi Arabia and the UAE. It also licenses Pegasus to intelligence and law enforcement agencies worldwide. The NSO Group, in its defense, shared a statement: "NSO's technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. "Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organization."

Human rights advocates against NSO Group

NSO Group does not have a good reputation with human rights organizations and groups. Its software has been linked to human rights abuses, unethical surveillance and the gruesome murder of the Saudi Arabian critic Jamal Khashoggi. Back in 2016, Citizen Lab and Lookout Mobile Security revealed that the company had exploited three unpatched iOS vulnerabilities, also known as zero-days, to jailbreak users' phones. This allowed the installation of Pegasus, which is capable of reading texts, tracking calls, collecting passwords, tracking location and gathering information from apps.

Yesterday, human rights advocates, along with Amnesty International, shared their plans to file a petition against NSO Group. They are taking the Israeli Ministry of Defence (MoD) to court, demanding the revocation of the mobile spyware vendor's export license. This comes after an Amnesty International researcher was targeted by the company's Pegasus surveillance software. Amnesty International wrote in a post, "In a petition to be filed tomorrow at the District Court of Tel Aviv, approximately 30 members and supporters of Amnesty International Israel and others from the human rights community set out how the MoD has put human rights at risk by allowing NSO to continue exporting its products."

To know more in detail, check out the report by the Financial Times.

Related articles:
DARPA plans to develop a communication platform similar to WhatsApp
The Indian government proposes to censor social media content and monitor WhatsApp messages
Facebook hires top EFF lawyer and Facebook critic as WhatsApp privacy policy manager
Savia Lobo
18 Oct 2018
3 min read
Apple now allows U.S. users to download their personal data via its online privacy data portal

Yesterday, Apple started allowing U.S. users to download a copy of all the data the company stores about them, as part of an expansion of its privacy data portal. The company had announced this expansion earlier this year. Per Bloomberg, prior to making the functionality available to U.S. users, Apple rolled it out in Europe earlier this year under the European Union's General Data Protection Regulation (GDPR) rules.

With this, U.S. users can download data such as all of their address book contacts, calendar appointments, music streaming preferences and details about past Apple product repairs. Previously, customers could not get their data without contacting Apple directly. Apple launched its online privacy portal in May, at which point U.S. users could only correct their data or delete their Apple accounts.

Apple has also added messages across its apps that tell users how their data is being handled. The company is also rolling out an updated privacy page on its website today detailing what data it does and does not store. Apple says it does not store much user data, which Zack Whittaker, a security editor at TechCrunch, confirmed when he asked Apple for his own data: the company turned over only a few megabytes of spreadsheets, including his order and purchase histories and marketing information. In his article on ZDNet, Zack says, "The zip file contained mostly Excel spreadsheets, packed with information that Apple stores about me. None of the files contained content information -- like text messages and photos -- but they do contain metadata, like when and who I messaged or called on FaceTime." He further added, "Any other data that Apple stores is either encrypted — so it can't turn over — or was only held for a short amount of time and was deleted."

Apple refreshes its privacy pages once a year, a month after its product launches. It first launched its dedicated privacy pages in 2014. A year later, in 2015, the company scrapped the traditional privacy policy in favour of fuller disclosure. Zack says that since then Apple's pages have expanded and continued to be transparent about how the company encrypts user data on its devices. To know more about how Apple encrypts user data, visit Zack's post on ZDNet.

Related articles:
Apple bans Facebook's VPN app from the App Store for violating its data collection rules
Apple has introduced Shortcuts for iOS 12 to automate your everyday tasks
Apple buys Shazam, and will soon make the app ad-free
Savia Lobo
22 Feb 2019
4 min read
Switzerland’s e-voting system source code leaked ahead of its bug bounty program; slammed for being ‘poorly constructed’

Last week, the source code of Swiss Post's recently launched online voting system was leaked. Experts who examined the code reported that the system is poorly designed, making it difficult to audit the code for security and to configure it to operate securely. Swiss Post, Switzerland's national postal service, also launched a fully verifiable system and a bug bounty program this month to test the system's resilience to attacks. According to a Motherboard report, "critics are already expressing concern about the system's design and about the transparency around the public test."

Nathalie Dérobert, a spokeswoman for Swiss Post, said the public intrusion test is not meant to be an audit of the code "or to prove the security of the Swiss Post online voting system." Instead, it is meant to inform the developers about improvements they need to make. In an email, Dérobert wrote, "Security is a process and even if the source code passed numerous previous security audits, we expected criticism and even outright negative comments. After all, that is the whole point of publishing the source code: we want a frank response and an honest discussion about the merits and shortcomings of our work… [W]e are determined to take up the negative comments, discuss them with our developing partner Scytl and to get in touch with the people where we see a benefit."

As for the public test of the new online system, more than 2,000 people have registered. The test will take place from February 25 to March 24. Under the rules, the bug bounty program will pay 20,000 Swiss francs to anyone who can manipulate votes in the mock election, or 30,000 to 50,000 francs if they manage to manipulate votes without being detected. Swiss Post is making the source code available to participants; however, the code was not supposed to be open for just anyone to examine.

Swiss Post responded to the publication of the code, saying the source code was not leaked, as it was already available to anyone who wanted to see it, as long as they registered with Swiss Post. Swiss Post also wrote that there is no NDA or confidentiality agreement around publishing information about the source code or citing parts of it, but the statement said nothing about the Scytl technical documents themselves or the architecture and protocol information they contain.

Cryptography experts who examined the allegedly leaked code said "the system is a poorly constructed and convoluted maze that makes it difficult to follow what's going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly." Sarah Jamie Lewis, a former security engineer for Amazon and a former computer scientist for England's GCHQ intelligence agency, said, "Most of the system is split across hundreds of different files, each configured at various levels. I'm used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding." Lewis said that the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. "Someone could wire the thing in the wrong place and suddenly the system is compromised. And when you're talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make", Lewis added.

The voting system was developed by Swiss Post and the Barcelona-based company Scytl, which was formed by a group of academics who spun it off from their research work at the Universidad Autónoma de Barcelona (Autonomous University of Barcelona) in 2001. "Local cantons, or states, in Switzerland are the ones who administer elections and would be responsible for the configuration. Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt. But there are reasons to be concerned about such claims", Motherboard reports. Matthew Green, a noted cryptographer who teaches cryptography at Johns Hopkins University, said that the system is highly complex and "at this point, I think the only appropriate way to evaluate it is through a professional evaluation by someone trained in this sort of advanced cryptography. And even then I'd be concerned, given the stakes."

To know more about this news, head over to Motherboard's complete coverage.

Related articles:
Drupal releases security advisory for 'serious' Remote Code Execution Vulnerability
Google's home security system, Nest Secure, had a hidden microphone; Google says it was an "error"
Firedome's 'Endpoint Protection' solution for improved IoT security
Natasha Mathur
25 Oct 2018
2 min read
Cathay Pacific, a major Hong Kong based airline, suffers data breach affecting 9.4 million passengers

A major Hong Kong based international airline, Cathay Pacific Airways Limited, revealed yesterday that it has discovered unauthorized access to data belonging to as many as 9.4 million Cathay passengers. The data includes passenger names, nationality, date of birth, phone number, email address, passport number, identity card number, customer service remarks and historical travel information. In addition, 403 expired credit card numbers and 27 credit card numbers with no CVV were accessed.

Cathay Pacific has its head office and main hub at Hong Kong International Airport and flies to North America, Europe, China, Taiwan, Japan, Southeast Asia and the Middle East. The company has taken immediate measures to investigate the breach further. So far, Cathay has found no evidence of misuse of personal information. The airline also said that although part of its IT security processes was affected by the breach, its flight operations systems, which are insulated from the IT security systems, remain uncompromised.

Cathay Pacific posted about the data breach on Twitter:
https://twitter.com/cathaypacific/status/1055117720444854273

"We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures", said Rupert Hogg, CEO, Cathay Pacific. Cathay is currently contacting the affected passengers through multiple communication channels and is providing them with information on steps they can take to protect themselves. "We have no evidence that any personal data has been misused. No-one's travel or loyalty profile was accessed in full, and no passwords were compromised. Cathay Pacific has notified the Hong Kong Police and is notifying the relevant authorities. We want to reassure our passengers that we took and continue to take measures to enhance our IT security. The safety and security of our passengers remain our top priority", said Hogg.

Related articles:
Timehop suffers data breach; 21 million users' data compromised
Facebook's largest security breach in its history leaves 50M user accounts compromised
Facebook says only 29 million and not 50 million users were affected by last month's security breach
Prasad Ramesh
26 Oct 2018
3 min read
Gaël Duval, creator of the ethical mobile OS, /e/, calls out Tim Cook for being an ‘opportunist’ in the ongoing digital privacy debate

Software engineer Gaël Duval, who is working to create an 'ethical operating system' called /e/, wrote an open letter to Apple CEO Tim Cook today in response to Cook's talk about privacy at ICDPPC on Oct 24. Duval argued that Cook's pro-privacy comments and actions are brilliant PR moves that work in Apple's favour. His open letter to Tim Cook reads, "your strategists know that Google, that owns 80% of the smartphone market worldwide, is in a difficult position on this topic because their business model essentially relies on collecting personal data and profiting from it through advertising. That's a great opportunity for Apple to communicate, because Apple's business model is selling devices, not advertising."

Why Duval finds Apple's privacy claims disingenuous

Duval went on to explain why he is skeptical of Apple's concern for user privacy on its products.

Apple's privacy claims can't be verified because it is a closed ecosystem

iOS and macOS are mostly proprietary, closed operating systems. Users can only trust Apple's claims that the OS is secure. With no source code in the open, there is no guarantee that the security measures put in place are enough to protect users against all privacy threats. He pointed out that if the source code were open, the community and experts could verify the security and privacy measures themselves.

Personal information for profit

According to Apple's privacy policy: "Personal information will only be shared by Apple to provide or improve our products, services and advertising; it will not be shared with third parties for their marketing purposes." Duval says that Apple has explicitly accepted using personal information for its own profit.

Apple allows Google to collect user data on iPhone for the right price

The price was $9B this year. It was $1B in 2014, speculated to be $3B in 2017 and expected to be $13B in 2019. This hefty fee allows Google to collect a lot of data from iOS users. Apple hasn't been in the news for privacy issues, mostly because it doesn't collect that much personal data, or so Apple users should hope. Will Apple open-source its OSes? I don't think so. Apple's OSes are also less susceptible to attacks because they are closed systems.

Apple, /e/, and privacy

What about Apple user data collected by Google as the default search engine? You may argue that it is just the default engine and can be changed. Yes, but how many regular consumers do you picture doing that? Most people just pull out their phone, go to the browser and start typing in the search bar.

While all of the above points are valid and call out Apple on its practices, the open letter ends up doing what Duval accused Cook of doing in the first place: seizing the opportunity to promote his product. The letter serves as a promotional medium for Duval's new mobile OS project /e/, which follows a privacy-by-design ethos. We aren't complaining, though; more competition and diverse business models in the mobile OS space can only be a good thing in the age of data harvesting and security breaches. To read the letter, visit Duval's Medium post.

Related articles:
Tim Cook talks about privacy, supports GDPR for USA at ICDPPC, ex-FB security chief calls him out
'Ethical mobile operating system' /e/, an alternative for Android and iOS, is in beta
Apple now allows U.S. users to download their personal data via its online privacy data portal
Savia Lobo
11 Jan 2019
3 min read
FireEye’s Global DNS Hijacking Campaign suspects Iranian-based group as the prime source

FireEye, a US cybersecurity firm, has disclosed details of a global DNS hijacking campaign. In its recent report, the company says it has identified large-scale DNS hijacking affecting multiple domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. FireEye analysts believe an Iranian-based group is behind these attacks, although they do not have definitive proof. The analysts also said that "they have been tracking this activity for several months, mapping and understanding the innovative tactics, techniques and procedures (TTPs) deployed by the attacker".

The FireEye Intelligence team has also identified access from Iranian IP addresses to machines used to intercept, record and forward network traffic. The team notes that these IP addresses were previously observed during the response to an intrusion attributed to Iranian cyber espionage actors.

The FireEye report highlights three different techniques used to conduct these attacks.

Techniques to manipulate DNS records and enable victim compromises

1. Altering DNS A records

[Figure: Altering DNS A records. Source: FireEye]

Here the attackers first log into a proxy box used to conduct non-attributed browsing and as a jumpbox to other infrastructure. The attacker then logs into the DNS provider's administration panel using previously compromised credentials and changes the DNS records for the victim's mail server so that it points to the attacker's own mail server. The attackers used Let's Encrypt certificates to support HTTPS traffic, and a load balancer to redirect victims back to the real email server after login credentials have been collected on the attacker's shadow server. The harvested username, password and domain credentials are stored.

2. Altering DNS NS records

[Figure: Altering DNS NS records. Source: FireEye]

This technique is the same as the previous one, except that the attacker exploits a previously compromised registrar or ccTLD.

3. A DNS redirector

[Figure: A DNS redirector. Source: FireEye]

This technique combines the previous two. The DNS redirector is an attacker operations box that responds to DNS requests. If the requested domain belongs to the targeted company, OP2 responds with an attacker-controlled IP address and the user is redirected to attacker-controlled infrastructure.

Analysts said that a large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates, including telecoms and ISPs, internet infrastructure providers, government and sensitive commercial entities. According to the FireEye report, "While the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim's domain registrar account." To know more about this news in detail, read the FireEye report.

Related articles:
FireEye reports North Korean state sponsored hacking group, APT38 is targeting financial institutions
Reddit posts an update to the FireEye's report on suspected Iranian influence operation
Justice Department's indictment report claims Chinese hackers breached business and government network
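As an added, defender-side illustration (this is not FireEye's code and is not part of the article above), the Python script below applies the obvious control for the first two techniques and for the fraudulent certificates the report mentions: it diffs a zone's expected A and NS records against what is currently observed, and flags any certificate logged for the zone's names by an issuer the organization does not use. All domain names, IP addresses, name servers and certificate entries are constructed sample data; `example.test`, `attacker-dns.test` and the issuer strings are placeholders.

```python
# Added example, not part of the FireEye report or the article above.
# Baseline-versus-observed check for the DNS record manipulation described
# in the report. Every record and certificate entry below is constructed
# sample data; the domain names and issuer strings are placeholders.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    kind: str    # "A", "NS" or "CERT"
    name: str    # record owner name, or certificate subject name
    detail: str


# Constructed baseline: the records the zone owner expects to be published.
BASELINE_A: Dict[str, Set[str]] = {
    "mail.example.test": {"192.0.2.10"},
    "www.example.test": {"192.0.2.20"},
}
BASELINE_NS: Dict[str, Set[str]] = {
    "example.test": {"ns1.example.test", "ns2.example.test"},
}

# Constructed observation, modelled on techniques 1 and 2: the mail host now
# resolves to an unknown address and the zone's NS set has been replaced.
OBSERVED_A: Dict[str, Set[str]] = {
    "mail.example.test": {"198.51.100.77"},
    "www.example.test": {"192.0.2.20"},
}
OBSERVED_NS: Dict[str, Set[str]] = {
    "example.test": {"ns1.attacker-dns.test", "ns2.attacker-dns.test"},
}

# Constructed certificate-transparency style entries as (issuer, subject).
# The organization only expects certificates from its own CA.
CT_ENTRIES: List[Tuple[str, str]] = [
    ("Corp Internal CA", "www.example.test"),
    ("Let's Encrypt Authority X3", "mail.example.test"),
]
ALLOWED_ISSUERS: Set[str] = {"Corp Internal CA"}


def diff_records(kind: str, baseline: Dict[str, Set[str]],
                 observed: Dict[str, Set[str]]) -> List[Finding]:
    """Report every owner name whose published record set differs from
    the baseline, and every owner name that is published but unknown."""
    findings: List[Finding] = []
    for name, expected in sorted(baseline.items()):
        seen = observed.get(name, set())
        if seen != expected:
            findings.append(Finding(
                kind, name,
                f"expected {sorted(expected)}, observed {sorted(seen)}"))
    for name in sorted(observed.keys() - baseline.keys()):
        findings.append(Finding(
            kind, name, f"unexpected record set {sorted(observed[name])}"))
    return findings


def unexpected_certificates(entries: Iterable[Tuple[str, str]],
                            allowed_issuers: Set[str]) -> List[Finding]:
    """Flag certificates for the zone's names issued by a CA the organization
    does not use (the report notes Let's Encrypt certificates on the
    attacker-controlled hosts)."""
    return [Finding("CERT", subject, f"issued by {issuer!r}")
            for issuer, subject in entries if issuer not in allowed_issuers]


def detect_hijack(baseline_a, baseline_ns, observed_a, observed_ns,
                  ct_entries, allowed_issuers) -> List[Finding]:
    """Combine the A-record, NS-record and certificate checks."""
    return (diff_records("A", baseline_a, observed_a)
            + diff_records("NS", baseline_ns, observed_ns)
            + unexpected_certificates(ct_entries, allowed_issuers))


def run_sample() -> List[Finding]:
    """Run the checks over the constructed sample data."""
    return detect_hijack(BASELINE_A, BASELINE_NS, OBSERVED_A, OBSERVED_NS,
                         CT_ENTRIES, ALLOWED_ISSUERS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.kind}] {f.name}: {f.detail}")
```

In practice the observed records would come from periodic queries against several public resolvers and from the registrar's API, and the certificate entries from a CT log monitor. The baseline must be stored outside the DNS provider and registrar accounts, since in the campaign described the attacker already held those credentials; a baseline kept in the same account would be changed along with the records.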
Sugandha Lahoti
25 Oct 2018
2 min read
Data Theorem launches two automated API security analysis solutions - API Discover and API Inspect

Data Theorem, a company that delivers mobile app security to developers, has launched an automated API discovery and security analysis solution. The solution addresses API security threats prevalent in enterprise serverless and microservices applications, and lets developers integrate API discovery and security assessment into their DevOps practices and CI/CD processes to protect any modern application.

Data Theorem has released two new products: API Discover and API Inspect. These tools address security concerns such as shadow APIs, serverless applications and API Gateway cross-check validation by conducting continuous security assessments of API authentication, encryption, source code and logging. The new API security solutions support Amazon's Lambda and API Gateway tools to discover modern APIs and to compute their specification using standards such as Swagger and OpenAPI 3.0. The solutions alert users to important and critical vulnerabilities caused by insufficient security protection. They also alert users to newly created APIs built on serverless frameworks and deliver continuous, automated security analysis of those APIs.

"Data Theorem uniquely addresses threat models related to modern apps, helping us identify issues related to privacy and application-layer attacks and the potential loss of sensitive data," said Rich Tener, Director of Security for Evernote, a note-taking app. He further adds, "With Data Theorem, we have continuous security testing in place for all of our apps in the app stores. Traditional API security checks are not enough in our environment. The new API discovery and analysis products Data Theorem has delivered are truly differentiated – I haven't seen anyone else in the industry building automated API security services like this."

Data Theorem's new API Discover and API Inspect security tools are available from the Data Theorem website. Annual pricing starts at $300 per API operation.

Related articles:
How the Titan M chip will improve Android security
How to stop hackers from messing with your home network (IoT)
IBM launches Industry's first 'Cybersecurity Operations Center on Wheels' for on-demand cybersecurity support
Lerna development team quickly reverses decision to block ICE Contractors from using its Software
Natasha Mathur
31 Aug 2018
2 min read
It was only two days ago that Jamie Kyle, a Lerna developer, modified Lerna's license to ban companies that are U.S. Immigration and Customs Enforcement (ICE) contractors from using the software. That decision has now been reverted by the Lerna core team, and Kyle has been removed from the development project. Any organization that wishes to use the Lerna software is now free to do so.

Kyle stated on Wednesday, on GitHub, that he has been deeply disturbed by ICE's behavior towards immigrants in America, and that companies who have collaborated with ICE "don't have any licensing rights" and "any use of Lerna will be considered theft".

Daniel Stockman, a core Lerna contributor, removed Kyle from the project yesterday morning and pointed out that the license change was a "rash decision" that was "unenforceable". He also added that there had been "several past violations of [Lerna's] code of conduct", citing instances when Kyle's behavior was rude and impolite.

As reported to Motherboard, Kyle believes his removal from the team is a result of Stockman's discussion of the issue with Microsoft employees. Stockman denied that characterization to Motherboard. "I think developers can be activists if they so choose, and I support tools and licenses designed to make this easier," said Stockman. He also added that his willingness to revoke the relicensing does not mean he is an ICE supporter, and described ICE as "monstrous" and something that "must be abolished".

Public opinion about Lerna's decision is varied:
https://twitter.com/alicegoldfuss/status/1035214998375559173
https://twitter.com/xander76/status/1034842377775529984
https://twitter.com/chriseppstein/status/1034863523493339136
https://twitter.com/benwiley4000/status/1035031630333796352
https://twitter.com/siziyman/status/1035051041111326720

"Open source, even in a project where there is only one active contributor, is never just about one individual. Even acquiescence from multiple core contributors is not sufficient to justify a change like this," says Stockman.

For more coverage on the news, check out the post by Motherboard.

Skepticism welcomes Germany's DARPA-like cybersecurity agency – The federal agency tasked with creating cutting-edge defense technology
Amazon calls Senator Sanders' claims about 'poor working conditions' as "inaccurate and misleading"
Google slams Trump's accusations, asserts its search engine algorithms do not favor any political ideology
Mozilla puts "people's privacy first" in its browser with updates to Enhanced Tracking Protection, Firefox Lockwise and Firefox Monitor
Sugandha Lahoti
06 Jun 2019
4 min read
On Tuesday, Firefox released a number of updates to its browser with the intention of putting "people's privacy first". The new features were detailed by Dave Camp, Senior Vice President of Firefox, in a blog post. Firefox will roll out Enhanced Tracking Protection to all new users, on by default. Additionally, it has upgraded the Facebook Container extension, released Firefox Lockwise as a desktop extension, and given Firefox Monitor a new dashboard to manage multiple email addresses.

Enhanced Tracking Protection blocks third party cookies by default

Firefox's Enhanced Tracking Protection lets users block third party cookies at their own level of comfort with three settings: Standard, Strict, and Custom. Per the new update, for all new users who download and install Firefox for the first time, Enhanced Tracking Protection will automatically be set on by default as part of the 'Standard' setting. The Standard setting blocks known trackers and their cookies. Strict blocks known trackers in all Firefox windows, including third party trackers and tracking cookies. The Custom setting lets users select which trackers and cookies they want to block.

https://twitter.com/jensimmons/status/1134549448120578048

This feature appears as a shield icon in the address bar next to the URL. Users can see which companies are blocked by clicking on the shield icon. For existing users, Enhanced Tracking Protection will be rolled out by default in the coming months; users can turn it on manually by clicking the menu icon (three horizontal lines at the top right of the browser) and then Content Blocking.

Firefox Monitor: see if you've been part of an online data breach

Firefox Monitor has a new breach dashboard that presents a quick summary of updates for all registered email accounts. Firefox Monitor was launched in September last year as a free service that notifies people if they've been part of a data breach. The new breach dashboard helps users track and manage multiple email addresses, including both personal and professional accounts. Users can easily identify which emails are being monitored, how many known data breaches may have exposed their information, and specifically whether any passwords have been leaked in those breaches.

Safe password management with Firefox Lockwise

Firefox has rolled out a new desktop extension, Firefox Lockwise, that offers safe password management features. It provides an additional touchpoint to store, edit and access passwords. Firefox Lockwise is already available for iOS, Android and iPad. The new desktop extension includes a dashboard interface to manage the list of saved passwords: for frequently visited sites, users can quickly reference and edit what is being stored, and for sites with few or no visits, users can easily delete a saved password. The mobile app and desktop extension help users quickly retrieve a password to access a site account.

Facebook Container now blocks tracking from other sites

Firefox has updated its Facebook Container extension to prevent Facebook from tracking users on other sites that embed Facebook capabilities such as the Share and Like buttons. Facebook Container is an add-on/web extension that helps users take control of and isolate their web activity from Facebook. This blocking reduces Facebook's ability to build shadow profiles of non-Facebook users. Users will know the blocking is in effect when they see the Facebook Container purple fence badge.

It is interesting that Mozilla released a slew of updates following Apple's privacy-focused features announced at WWDC 2019. It almost feels like Mozilla is acting as a counterbalance to Google and Facebook, who have been under scrutiny for misinformation and privacy scandals. Google Chrome has also banned ad blockers for all users by deprecating the blocking capabilities of the webRequest API in Manifest V3; Chrome's capability to block unwanted content will be restricted to paid, enterprise users of Chrome.

https://twitter.com/dhh/status/1136058254608355328
https://twitter.com/queercommunist/status/1135906369599549440
https://twitter.com/johnwilander/status/1135911532779335680

Learn more about these privacy features on the Mozilla Blog.

Firefox 67 enables AV1 video decoder 'dav1d', by default on all desktop platforms
Mozilla makes Firefox 67 "faster than ever" by deprioritizing least commonly used features
Firefox 67 will come with faster and reliable JavaScript debugging tools