macOS Leaks Application Usage, Forces Apple to Make Hard Decisions

Electronic Frontier Foundation

Last week, users of macOS noticed that attempting to open non-Apple applications while connected to the Internet resulted in long delays, if the applications opened at all. The interruptions were caused by a macOS security service attempting to reach Apple’s Online Certificate Status Protocol (OCSP) server, which had become unreachable due to internal errors. When security researchers looked into the contents of the OCSP requests, they found that these requests contained a hash of the developer’s certificate for the application that was being run, which was used by Apple in security checks.[1] The developer certificate contains a description of the individual, company, or organization which coded the application (e.g. Adobe or Tor Project), and thus leaks to Apple that an application by this developer was opened.

Full article

Hackers are actively probing millions of WordPress sites

Bleeping Computer

Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150,000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers.

“So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses,” Wordfence QA engineer and threat analyst Ram Gall said.

Scanning for vulnerable sites

The ongoing large-scale wave of attacks against potentially vulnerable WordPress websites is targeting recently patched vulnerabilities.

While the security flaws found during the last few months in themes using the Epsilon Framework could allow for site takeover through an exploit chain ending in remote code execution (RCE), most of these ongoing attacks are designed to only probe for vulnerabilities.

“We are not providing additional detail on the attacks at this time, as the exploit does not yet appear to be in a mature state and a large number of IP addresses are in use,” Gall added.

These attacks use POST requests to admin-ajax.php and as such do not leave distinct log entries, though they will be visible in Wordfence Live Traffic.

Full article

Apple lets some Big Sur network traffic bypass firewalls

Ars Technica

Patrick Wardle

Firewalls aren’t just for corporate networks. Large numbers of security- or privacy-conscious people also use them to filter or redirect traffic flowing in and out of their computers. Apple recently made a major change to macOS that frustrates these efforts.

Beginning with Big Sur, released last week, some 50 Apple-specific apps and processes are no longer routed through firewalls like Little Snitch and LuLu. The undocumented exemption came to light only after Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, disclosed the change over the weekend.

Full article

Mozilla Firefox 83 Is Now Available for Download with HTTPS-Only Mode, Improvements

The Mozilla Firefox 83 web browser is now available for download on Linux, macOS, and Windows systems ahead of its official launch tomorrow, November 17th, 2020.

The biggest new change in the Mozilla Firefox 83 release appears to be a new security feature called HTTPS-Only Mode, which is configured in Preferences, under the Privacy & Security section. It provides a secure and encrypted connection between your web browser and the websites you visit, even if they don’t use HTTPS.

By default it’s disabled, but when enabled, HTTPS-Only Mode will upgrade all your website connections to use Secure HTTP (HTTPS). The good news is that it can be used in all windows or only in private windows.

Full article

Big no on Big Sur: Mullvad disallows Apple apps to bypass firewall

Despite Apple’s changes to macOS with the release of Big Sur, we can confirm that the Mullvad app still performs as intended by not allowing Apple’s own apps to bypass our VPN firewall.

Starting in Big Sur, the latest version of macOS released 12 November 2020, Apple excludes its own apps from the content filter provider APIs. As a result, any network monitoring and security software using these APIs is unable to detect and block traffic from Apple apps.

Mullvad does not use content filter provider APIs to secure the device. Instead, we use the Packet Filter (PF) firewall which is built into macOS. This is a packet firewall, not an application firewall, which means that it does not exclude packets from any apps, including Apple’s own apps.

In other words, our usage of the PF firewall does not allow Apple apps to leak traffic when Mullvad VPN is blocking the Internet. We have verified this by observing the network traffic from outside of the Apple machine.

Full article

Security News This Week: A Ransomware Gang Bought Facebook Ads to Troll Its Victim

Photograph: Eric Lindgren/Getty Images

This week, President Donald Trump continued to contest the results of the United States presidential election, which he lost handily to Joe Biden. But along the way, the Trump campaign’s lawsuits and other offensives have inadvertently demonstrated just how free of fraud the election was.

We also took a deep dive into the world of Covid-19 apps, which represent a privacy minefield, especially when developers don’t use Apple and Google’s Bluetooth-based protocol. And a former Microsoft engineer was sentenced to nine years in prison for stealing $10 million in store credit from the company.

Elsewhere, we showed you how to stop WhatsApp from hogging so much of your phone’s storage, and how to set up parental controls on all of your accounts. And lastly, if you have some time to set aside this weekend, check out this feature from our December/January issue about the lengths to which hackers went to expose rampant corruption in Brazil.

And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

Full article

7 Simple Tech Tips to Keep Your Family Safe This Holiday

Photograph: 10’000 Hours/Getty Images

With Thanksgiving and the holidays looming, you might well find yourself called upon to provide some free tech support to your family. Maybe it’s a tradition, or maybe it’ll be the first time. After all, these are usually the occasions where 12 months’ worth of tech problems and concerns get aired. At this point, since you probably shouldn’t travel if you can avoid it, here are some tips you can offer family in your stead – or at least help them out with from afar.

These tips represent simple and straightforward security advice that you can pass on to your loved ones, even if it has to be over Zoom. What’s more, following these guidelines should keep your family members safe for the year ahead as well, with minimal involvement from you.

Keep Everything Up to Date

You might be surprised at just how many security threats get stopped simply by having up-to-date software on your laptop or phone. While they’re not immune to vulnerabilities or attacks, most modern-day operating systems, web browsers, and other apps are very good at keeping a lot of malicious activity at bay.

These days it’s actually pretty hard not to keep operating systems, programs, and other devices up to date. Most of them have auto-updates turned on by default, but it’s worth double-checking with family members to make sure they’re not putting off an update for whatever reason (a lack of free storage space might be a problem on older devices, or one stalled or failed update may mean no updates since the failed one).

Full article

Ubuntu 20.10 Gets Its First Linux Kernel Security Patch, Update Now

Canonical today published the first Linux kernel security patch for the latest Ubuntu 20.10 (Groovy Gorilla) operating system, addressing two security vulnerabilities.

Released about three weeks ago, Ubuntu 20.10 is the latest version of the popular Linux-based operating system. It ships with the Linux 5.8 kernel series by default, which has now been patched against two recently discovered security vulnerabilities.

The first security vulnerability addressed in this update is CVE-2020-27194, discovered by Simon Scannell in the Linux kernel’s BPF verifier, which could allow a local attacker to expose sensitive information (kernel memory) or gain administrative privileges.

The second security flaw is CVE-2020-8694, discovered by Andreas Kogler, Catherine Easdon, Claudio Canella, Daniel Gruss, David Oswald, Michael Schwarz, and Moritz Lipp in the Linux kernel’s Intel Running Average Power Limit (RAPL) driver. It could allow a local attacker to expose sensitive information.

Full article

Your privacy is your privacy – updated policy

Our long-term goal is to not store any PII (Personally Identifiable Information). To that end, we recently made two changes to our Privacy Policy and our No-logging of user activity Policy.

Decisions are hard to make. They always involve trade-offs. In our quest to distinguish ourselves as the most privacy-focused VPN, we often weigh “privacy + ease-of-use” against “privacy + cool features”.

Full article