A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election.
Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system’s private keys based on its public keys. This private keys are used together with the public keys to encrypt user votes cast in the election.
Facebook said it filed a lawsuit today against two Android app developers from Asia for orchestrating a “click injection fraud” scheme against Facebook ads.
The two app developers are LionMobi, based in Hong Kong, and JediMobi, based in Singapore. Facebook said the two companies created apps with malware-like features and made them available via the official Google Play Store.
Both LionMobi and JediMobi apps were using Facebook ads to monetize their apps. Once real users installed the apps on their phones, malicious code hidden inside the apps would generate fake user clicks on Facebook ads.
These fake clicks would give the Facebook advertising platform the false impression that real users had clicked on the ads.
The Senate Committee on Intelligence has released the first volume of its investigative report on Russian manipulation and interference of the 2016 US Election, revealing that all 50 states were probably targeted for attempted vote manipulation.
According to the heavily redacted, 67-page report [PDF], the Russian government conducted various intelligence-related activities against US election infrastructure at both state and local level, which began as early as 2014 and continued until at least 2017.
After the UK’s leading industry group of internet service providers named Mozilla an “Internet Villain” because of its intentions to support a new DNS security protocol named DNS-over-HTTPS (DoH) inside Firefox, the browser maker told ZDNet that such plans don’t currently exist.
“We have no current plans to enable DoH by default in the UK,” a spokesperson ZDNet last night.
It has been reported that China’s border guards are installing surveillance apps on the phones of some visitors as part of the government’s ever-increasing mass surveillance regime in the Xinjiang province.
According to an investigation by the Guardian, The New York Times, and Germany’s Süddeutsche Zeitung, the “secret” app allows for personal information to be downloaded. The app was discovered to be installed on the phones of visitors entering the country from Kyrgyzstan.
The report says people using the remote Irkeshtam border crossing into the country have routinely had their phones screened by guards. The Irkeshtam crossing is China’s most westerly border and is used by traders and tourists, some following the historic Silk Road.
The publication said specifically that the app extracts emails, text messages, contact information, as well as handset information. Visitors have not been informed this is happening.
Germany’s cyber-security agency is working on a set of minimum rules
that modern web browsers must comply with in order to be considered
The new guidelines are currently being drafted by the German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik — BSI), and they’ll be used to advise government agencies and companies from the private sector on what browsers are safe to use.
A first version of this guideline was published in 2017, but a new standard is being put together to account for improved security measures added to modern browsers, such as HSTS, SRI, CSP 2.0, telemetry handling, and improved certificate handling mechanisms — all mentioned in a new draft released for public debate last week.
Web-based DNA sequencer applications are under attack from a
mysterious hacker group using a still-unpatched zero-day to take control
of targeted devices.
The attacks have started two days ago, on June 12, and are still going on, according to Ankit Anubhav, a security researcher with NewSky Security, who shared his findings with ZDNet.
Anubhav says the group, which operates from an Iran-based IP address, has been scanning the internet for dnaLIMS, a web-based application installed by companies and research institutes to handle DNA sequencing operations.
The researcher told ZDNet the hacker is exploiting CVE-2017-6526, a vulnerability in dnaLIMS that has not been patched to this day after the vendor was notified back in 2017.
A young Czech bug hunter has found a security flaw in one of Google’s backend apps. If exploited by a malicious threat actor, the bug could have allowed hackers a way to steal Google employee cookies for internal apps and hijack accounts, launch extremely convincing spear-phishing attempts, and potentially gain access to other parts of Google’s internal network.
This attack vector was discovered by security researcher Thomas Orlita in February, this year, and has been patched in mid-April, but only now made public.