Russia tightens grip on its national net

BBC

Russia has formally adopted a law that gives its government more control over its domestic internet.

The law means the systems that exchange data between the networks forming the Russian internet must share more information with government regulators.

It also lets regulators exert direct control over what Russians can post, see and talk about online when national security is threatened.

Russian net firms have until 1 November to comply with the law.

Widespread protests were mounted in a bid to stop the law being passed.

Full article

A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree

WIRED

A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer’s network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain hacking spree—and becoming more advanced and stealthy as they go.

Over the past three years, supply chain attacks that exploited the software distribution channels of at least six different companies have now all been tied to a single group of likely Chinese-speaking hackers. They’re known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply chain attacks as their core tool. Their attacks all follow a similar pattern: Seed out infections to a massive collection of victims, then sort through them to find espionage targets.

Full article

Rape victims among those to be asked to hand phones to police

BBC

Victims of crimes, including those alleging rape, are to be asked to hand their phones over to police – or risk prosecutions not going ahead.

Consent forms asking for permission to access information including emails, messages and photographs have been rolled out in England and Wales.

It comes after a number of rape and serious sexual assault cases collapsed when crucial evidence emerged.

Victim Support said the move could stop victims coming forward.

Full article

Google’s Sensorvault Can Tell Police Where You’ve Been

EFF

Do you know where you were five years ago? Did you have an Android phone at the time? It turns out Google might know—and it might be telling law enforcement.

In a new article, the New York Times details a little-known technique increasingly used by law enforcement to figure out everyone who might have been within certain geographic areas during specific time periods in the past. The technique relies on detailed location data collected by Google from most Android devices as well as iPhones and iPads that have Google Maps and other apps installed. This data resides in a Google-maintained database called “Sensorvault,” and because Google stores this data indefinitely, Sensorvault “includes detailed location records involving at least hundreds of millions of devices worldwide and dating back nearly a decade.”

Full article

Nitrokey partners with Gentoo Foundation to equip developers with USB keys

The Gentoo Foundation has partnered with Nitrokey to equip all Gentoo developers with free Nitrokey Pro 2 devices. Gentoo developers will use the Nitrokey devices to store cryptographic keys for signing of git commits and software packages, GnuPG keys, and SSH accounts.

Thanks to the Gentoo Foundation and Nitrokey’s discount, each Gentoo developer is eligible to receive one free Nitrokey Pro 2. To receive their Nitrokey, developers will need to register with their @gentoo.org email address at the dedicated order form.

Full article

Mysterious Hackers Hid Their Swiss Army Spyware for 5 Years

WIRED

It’s not every day that security researchers discover a new state-sponsored hacking group. Even rarer is the emergence of one whose spyware has 80 distinct components, capable of strange and unique cyberespionage tricks—and who’s kept those tricks under wraps for more than five years.

In a talk at the Kaspersky Security Analyst Summit in Singapore Wednesday, Kaspersky security researcher Alexey Shulmin revealed the security firm’s discovery of a new spyware framework—an adaptable, modular piece of software with a range of plugins for distinct espionage tasks—that it’s calling TajMahal. The TajMahal framework’s 80 modules, Shulmin says, comprise not only the typical keylogging and screengrabbing features of spyware, but also never-before-seen and obscure tricks. It can intercept documents in a printer queue, and keep track of “files of interest,” automatically stealing them if a USB drive is inserted into the infected machine. And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state hacker group.

Full article

Do you dare to use Facebook?

According to an article at nikkasystems.com, Facebook has done it again!

The normal way to verify an e-mail address is to receive a mail in your inbox containing either a link or a code. By clicking the link in the mail, or by copying and pasting the code, you verify your e-mail address.

Facebook has had a page where it asked for the password to your e-mail account.

This is, as you might have guessed, a very big no-no!

Will you ever trust Facebook from now on?

New Apache Web Server Bug Threatens Security of Shared Web Hosts

The Hacker News

Mark J Cox, one of the founding members of the Apache Software Foundation and the OpenSSL project, today posted a tweet warning users about a recently discovered important flaw in Apache HTTP Server software.

The Apache web server is one of the most popular, widely used open-source web servers in the world that powers almost 40 percent of the whole Internet.

The vulnerability, identified as CVE-2019-0211, was discovered by Charles Fol, a security engineer at Ambionics Security firm, and patched by the Apache developers in the latest version 2.4.39 of its software released today.

The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.38 and could allow any less-privileged user to execute arbitrary code with root privileges on the targeted server.

Full article