A security researcher has discovered a critical vulnerability in some of the world’s most popular and widely used email encryption clients that use the OpenPGP standard and rely on GnuPG for encrypting and digitally signing messages.
The disclosure comes almost a month after researchers revealed a series of flaws, dubbed eFail, in PGP and S/MIME encryption tools that could allow attackers to reveal encrypted emails in plaintext, affecting a variety of email programs, including Thunderbird, Apple Mail, and Outlook.
Software developer Marcus Brinkmann discovered that an input sanitization vulnerability, which he dubbed SigSpoof, makes it possible for attackers to fake digital signatures with someone’s public key or key ID, without requiring any of the private or public keys involved.
The vulnerability, tracked as CVE-2018-12020, affects popular email applications including GnuPG, Enigmail, GPGTools and python-gnupg, and has now been patched in their latest available software updates.
As explained by the researcher, the OpenPGP protocol allows the “filename” parameter of the original input file to be included in signed or encrypted messages, combining it with the GnuPG status messages (including signature information) in a single data pipe (literal data packets) by adding a predefined keyword to separate them.
“These status messages are parsed by programs to get information from gpg about the validity of a signature and other parameters,” GnuPG maintainer Werner Koch said in an advisory published today.
During decryption of the message at the recipient’s end, the client application splits up the information using that keyword and displays the message with a valid signature, if the user has the verbose option enabled in their gpg.conf file.
However, the researcher finds that the included file name, which can be up to 255 characters, does not properly get sanitized by the affected tools, potentially allowing an attacker to “include line feeds or other control characters in it.”
Brinkmann demonstrates how this loophole can be used to inject arbitrary (fake) GnuPG status messages into the application parser in an attempt to spoof signature verification and message decryption results.
“The attack is very powerful, and the message does not even need to be encrypted at all. A single literal data (aka ‘plaintext’) packet is a perfectly valid OpenPGP message, and already contains the ‘name of the encrypted file’ used in the attack, even though there is no encryption,” Brinkmann says.
The researcher also believes that the flaw has the potential to affect “a large part of our core infrastructure” that goes well beyond encrypted email, since “GnuPG is not only used for email security but also to secure backups, software updates in distributions, and source code in version control systems like Git.”
Brinkmann also shared three proofs-of-concept showing how signatures can be spoofed in Enigmail and GPGTools, how the signature and encryption can be spoofed in Enigmail, as well as how a signature can be spoofed on the command line.
Since maintainers of three popular email clients have patched the issue, users are advised to upgrade their software to the latest versions.
If you are a developer, you are advised to add --no-verbose to all invocations of GPG and to upgrade to python-gnupg 0.4.3.
Applications using GPGME as the crypto engine are safe. Also, GnuPG with the --status-fd compilation flag set and the --verbose flag not set is safe.
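The parsing weakness described above, next to a stricter consumer of GnuPG status output. This is an added example, not code from GnuPG, Enigmail, GPGTools or python-gnupg; the sample streams, the signer identity and the pinned fingerprint are constructed, and the function names are hypothetical.

```python
STATUS_PREFIX = "[GNUPG:] "
TRUSTED_FPR = "A" * 40  # constructed fingerprint of the one signer this caller accepts


def gpg_verify_argv(status_fd, sig_path, data_path):
    """Build a verify command that keeps status lines on a dedicated descriptor."""
    if status_fd <= 2:
        # fd 2 also carries log text, which is where the embedded file name ends up
        raise ValueError("status output must not share stdin/stdout/stderr")
    return ["gpg", "--batch", "--no-verbose", "--status-fd", str(status_fd),
            "--verify", sig_path, data_path]


def naive_signature_ok(merged_output):
    """Vulnerable pattern: accept any GOODSIG line in a stream that mixes log and status."""
    return any(line.startswith(STATUS_PREFIX + "GOODSIG ")
               for line in merged_output.split("\n"))


def hardened_signature_ok(status_text, trusted_fpr=TRUSTED_FPR):
    """Accept only a clean status channel with exactly one VALIDSIG from the pinned key."""
    lines = [line for line in status_text.split("\n") if line]
    # A line without the status prefix means log text leaked into the channel.
    if not lines or any(not line.startswith(STATUS_PREFIX) for line in lines):
        return False
    valid = [line.split() for line in lines
             if line.startswith(STATUS_PREFIX + "VALIDSIG ")]
    return len(valid) == 1 and len(valid[0]) >= 3 and valid[0][2] == trusted_fpr


def injected_status_lines(log_text):
    """Detection signal: status-looking lines must never appear in the log stream."""
    return [line for line in log_text.split("\n") if line.startswith(STATUS_PREFIX)]


# Constructed log output: verbose mode echoing an embedded file name that contains line feeds.
LOG_STREAM = (
    "gpg: original file name='notes.txt\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.org>\n"
    "'\n"
)
# Constructed genuine status output for the same message, which carries no signature.
STATUS_UNSIGNED = "[GNUPG:] PLAINTEXT 62 1528848000 \n[GNUPG:] PLAINTEXT_LENGTH 12\n"
# Constructed genuine status output for a message really signed by the pinned key.
STATUS_SIGNED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG " + TRUSTED_FPR + " 2018-06-13 1528848000\n"
)
MERGED = LOG_STREAM + STATUS_UNSIGNED  # what a parser sees when both share one pipe

if __name__ == "__main__":
    print("naive parser on merged stream:   ", naive_signature_ok(MERGED))
    print("hardened parser on status only:  ", hardened_signature_ok(STATUS_UNSIGNED))
    print("hardened parser on merged stream:", hardened_signature_ok(MERGED))
    print("hardened parser on real signature:", hardened_signature_ok(STATUS_SIGNED))
    print("status lines found in log stream:", injected_status_lines(LOG_STREAM))
```

The descriptor passed to gpg_verify_argv has to be a pipe the caller opened for the child process and reads separately from stderr.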
Another security vulnerability has been discovered in Intel chips that affects the processor’s speculative execution technology, like Spectre and Meltdown, and could potentially be exploited to access sensitive information, including encryption-related data.
Dubbed Lazy FP State Restore, the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed by Intel, and vendors are now rushing to roll out security updates in order to fix the flaw and keep their customers protected.
The company has not yet released technical details about the vulnerability, but since the vulnerability resides in the CPU, the flaw affects all devices running Intel Core-based microprocessors regardless of the installed operating systems, except some modern versions of Windows and Linux distributions.
As the name suggests, the flaw leverages a system performance optimization feature, called Lazy FP state restore, embedded in modern processors, which is responsible for saving or restoring the FPU state of each running application ‘lazily’ when switching from one application to another, instead of doing it ‘eagerly.’
“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch,” Intel says while describing the flaw.
“Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value.”
According to the Red Hat advisory, the numbers held in FPU registers could potentially be used to access sensitive information about the activity of other applications, including parts of cryptographic keys being used to secure data in the system.
All microprocessors starting with Sandy Bridge are affected by this design blunder, which means many people should again gear up to fix this vulnerability as soon as the patches are rolled out.
However, it should be noted that, unlike Spectre and Meltdown, the latest vulnerability does not reside in the hardware. So, the flaw can be fixed by pushing patches for various operating systems without requiring new CPU microcode from Intel.
According to Intel, since the flaw is similar to Spectre Variant 3A (Rogue System Register Read), many operating systems and hypervisor software have already addressed it.
Red Hat is already working with its industry partners on a patch, which will be rolled out via its standard software release mechanism.
AMD processors are not affected by this issue.
Also, modern versions of Linux, from kernel version 4.9 (released in 2016) onward, are not affected by this flaw. You are vulnerable only if you are using an older kernel.
Microsoft has also published a security advisory, offering guidance for the Lazy FP State Restore vulnerability and explaining that the company is already working on security updates, but they will not be released until the next Patch Tuesday in July.
Microsoft says that Lazy restore is enabled by default in Windows and cannot be disabled, adding that virtual machines, kernel, and processes are affected by this vulnerability. However, customers running virtual machines in Azure are not at risk.
What if I say that your cute, smart robotic vacuum cleaner is collecting more than just dirt?
During an interview with Reuters, the CEO of iRobot, the company that manufactures the Roomba, revealed that the robotic vacuum cleaner also builds a map of your home while cleaning, and that the company is now planning to sell this data to third-party companies.
I know it sounds really creepy, but this is what the iRobot company has planned with the home mapping data its Roomba robots collect on its users.
Manufactured by Massachusetts-based firm iRobot, Roomba is a cute little robotic vacuum cleaner — which ranges in price from $375 to $899 — that has been vacuuming up household dirt since 2002.
Early versions of Roomba used IR or laser sensors to avoid obstacles in their way, but the company began distributing high-end Wi-Fi-connected Roomba models from 2015, such as the Roomba 980, which includes a camera and Simultaneous Localisation And Mapping (SLAM) technology that can not only avoid obstacles but also build a map of your home.
And this has opened up new possibilities for the company.
Roomba robots gather all kinds of data—from room dimensions and furniture position to distances between different objects placed in your room—that could help next-generation IoT devices to build a true smart home.
Angle believes mapping data could be used by other smart home devices—such as thermostats, lighting, air conditioner, personal assistant, and security cameras—to become smarter.
According to iRobot CEO Colin Angle, “there’s an entire ecosystem of things and services that the smart home can deliver once you have a rich map of the home that the user has allowed to be shared.”
Angle also told the publication that he is planning to push the company toward a broader vision of the smart home, and that in the near future iRobot could sell your floor data to businesses like Apple, Amazon, Microsoft and Google, but not without its users’ consent.
Until now, your home data is private and is not being shared with any third-party company.
By now, you must be thinking how your floor plans would be beneficial to companies like Apple, Amazon, Google or Microsoft?
The move has some obvious privacy concerns, but surprisingly, this could help other smart devices at your home to work more efficiently—for example:
Moreover, Microsoft, Apple, Amazon and Google are already chasing this kind of data to lead in the smart industry.
Since 2015, when iRobot introduced the mapping technology in Roomba, the vacuum cleaner has not just been picking up dirt and dust; it has also been mapping the layout of your home, which could be a privacy concern for many of its users.
According to its terms of service, the users already give the company permission to share their data with third party vendors and subsidiaries, and on government requests.
Given these terms, it is possible for the company to sell its customers’ information in bulk to companies without notifying its users. And it is obvious that the smarter you want your technology to be, the more private data you are offering to companies.
Roomba is already compatible with Amazon’s Alexa and Google’s Home — Apple’s HomePod speaker will soon join them — therefore, its CEO is planning to sell its maps to one or more of these ‘Big Three’ in the next couple of years.
You probably have come across many websites that let you install browser extensions without ever going to the official Chrome web store.
It’s a great way for users to install an extension, but now Google has decided to remove the ability for websites to offer “inline installation” of Chrome extensions on all platforms.
Google announced today in its Chromium blog that by the end of this year, its Chrome browser will no longer support the installation of extensions from outside the Web Store in an effort to protect its users from shady browser extensions.
“We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly — and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites,” says James Wagner, Google’s extensions platform product manager.
Google’s browser extensions crackdown will take place in three phases:
Starting today, the inline installation will no longer work for newly published extensions.
Starting September 12th, the company will disable the inline installation feature for all existing extensions and automatically redirect users to the Chrome Web Store to complete the installation.
By December 2018, Google will also completely remove the inline install API method from Chrome 71. Developers using one-click install buttons on their websites are advised to update their links to point to the Web Store.
Since users’ comments, reviews, and ratings for a specific extension on the official app store play an essential role in giving other users an actual overview about its functionalities and issues, forcing users to land on the app store would definitely improve the Chrome experience for all.
“The information displayed alongside extensions in the Chrome Web Store plays a critical role in ensuring that users can make informed decisions about whether to install an extension,” Wagner explains.
“When installed through the Chrome Web Store, extensions are significantly less likely to be uninstalled or cause user complaints, compared to extensions installed through inline installation.”
It should be noted that you will still be able to run the extensions you use today, whether downloaded from a third party or the official web store.
It’s time to gear up for the latest June 2018 Microsoft security patch updates.
Microsoft today released security patch updates for more than 50 vulnerabilities, affecting Windows, Internet Explorer, Edge, MS Office, MS Office Exchange Server, ChakraCore, and Adobe Flash Player—11 of which are rated critical and 39 as important in severity.
Only one of these vulnerabilities, a remote code execution flaw (CVE-2018-8267) in the scripting engine, is listed as being publicly known at the time of release. However, none of the flaws are listed as under active attack.
Discovered by security researcher Dmitri Kaslov, the publicly known vulnerability is a remote memory-corruption issue affecting Microsoft Internet Explorer.
The flaw exists within the IE rendering engine and triggers when it fails to properly handle the error objects, allowing an attacker to execute arbitrary code in the context of the currently logged-in user.
The most critical bug Microsoft patched this month is a remote code execution vulnerability (CVE-2018-8225) that exists in Windows Domain Name System (DNS) DNSAPI.dll, affecting all versions of Windows from 7 to 10, as well as Windows Server editions.
The vulnerability resides in the way Windows parses DNS responses, which could be exploited by sending corrupted DNS responses to a targeted system from an attacker-controlled malicious DNS server.
Successful exploitation of this vulnerability could allow an attacker to run arbitrary code in the context of the Local System Account.
Another critical bug is a remote code execution flaw (CVE-2018-8231) in the HTTP protocol stack (HTTP.sys) of Windows 10 and Windows Server 2016, which could allow remote attackers to execute arbitrary code and take control of the affected systems.
This vulnerability originates when HTTP.sys improperly handles objects in memory, allowing attackers to send a specially crafted packet to an affected Windows system to trigger arbitrary code execution.
The next critical remote code execution vulnerability (CVE-2018-8213), affecting Windows 10 and Windows Server, exists in the way the operating system handles objects in memory. Successful exploitation could allow an attacker to take control of an affected Windows PC.
“To exploit the vulnerabilities, an attacker would first have to log on to the target system and then run a specially crafted application,” Microsoft explains in its advisory.
Microsoft has also addressed seven critical memory corruption bugs (one in the Chakra scripting engine, three in the Edge browser, one in the ChakraCore scripting engine, and one in Windows Media Foundation), all of which lead to remote code execution.
The rest of the CVE-listed flaws have been addressed in Windows, Microsoft Office, Internet Explorer, Microsoft Edge, and ChakraCore, along with a zero-day bug in Flash Player that Adobe patched last week.
Users are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.
For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.
A years-old vulnerability has been discovered in the way several security products for Mac implement Apple’s code-signing API that could make it easier for malicious programs to bypass the security check, potentially leaving millions of Apple users vulnerable to hackers.
Josh Pitts, a researcher from security firm Okta, discovered that several third-party security products for Mac—including Little Snitch, F-Secure xFence, VirusTotal, Google Santa, and Facebook OSQuery—could be tricked into believing that an unsigned malicious code is signed by Apple.
The code-signing mechanism is a vital weapon in the fight against malware, which helps users identify who has signed the app and also provides reasonable proof that it has not been altered.
However, Pitts found that the mechanism used by most products to check digital signatures is trivial to bypass, allowing malicious files bundled with legitimate Apple-signed code to effectively make the malware look like it has been signed by Apple.
It should be noted that this issue is not a vulnerability in macOS itself but a flaw in how third-party security tools implemented Apple’s code-signing APIs when dealing with Mac’s executable files called Universal/Fat files.
The exploitation of the vulnerability requires an attacker to use Universal or Fat binary format, which contains several Mach-O files (executable, dyld, or bundle) written for different CPU architectures (i386, x86_64, or PPC).
“This vulnerability exists in the difference between how the Mach-O loader loads signed code vs. how improperly used Code Signing APIs check signed code and is exploited via a malformed Universal/Fat Binary,” Pitts explained.
Pitts also created several malformed PoC Fat/Universal files for developers to use in order to test their products against this vulnerability.
Successful attacks exploiting this technique could allow attackers to gain access to personal data, financial details and even sensitive insider information, in some cases, claimed researchers.
Here’s the list of affected vendors, alongside associated security products and CVEs:
The researcher first notified Apple of the vulnerability in March, but Apple stated that it did not see it as a security issue that it should directly address.
“Apple stated that documentation could be updated and new features could be pushed out, but ‘third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result’,” Pitts said.
So, after hearing from Apple, Okta contacted CERT/CC and then notified all known affected third-party developers, who are working on security patches that will likely be released soon.
If you are using one of the above-listed tools, you are advised to check for updates in the coming days and upgrade your software as soon as they are released to guard against attacks exploiting the vulnerability.
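What examining every slice of a Universal/Fat file looks like at the format level. This is an added example, not code from Okta, Apple or any of the affected products; it only reports whether each slice carries a code-signature load command, and validating each slice's signature and identity is left to the platform API. The sample files are constructed in memory and the function names are hypothetical.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                      # fat header fields are always big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_CODE_SIGNATURE = 0x1D
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc"}
MAX_SLICES = 32                             # sanity bound chosen for this example


def slice_has_signature(macho):
    """True if a thin Mach-O image contains an LC_CODE_SIGNATURE load command."""
    for endian in ("<", ">"):
        magic = struct.unpack_from(endian + "I", macho, 0)[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("slice is not a Mach-O image")
    offset = 32 if magic == MH_MAGIC_64 else 28   # size of the Mach-O header
    ncmds = struct.unpack_from(endian + "I", macho, 16)[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "II", macho, offset)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            return True
        offset += cmdsize
    return False


def audit_fat(data):
    """Return [(arch, signed)] for every slice; signed is None if a slice cannot be parsed."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC or nfat == 0 or nfat > MAX_SLICES:
        raise ValueError("not a Universal/Fat binary")
    report = []
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("slice %d runs past the end of the file" % i)
        try:
            signed = slice_has_signature(data[offset:offset + size])
        except (ValueError, struct.error):
            signed = None
        report.append((CPU_NAMES.get(cputype, hex(cputype)), signed))
    return report


def has_unsigned_slice(report):
    """A result for one slice says nothing about the others, so any gap is a finding."""
    return any(signed is not True for _arch, signed in report)


def thin_macho(cputype, is64, signed):
    """Constructed test fixture: a header-only Mach-O image with an optional signature command."""
    cmds = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0) if signed else b""
    header = struct.pack("<IIIIIII", MH_MAGIC_64 if is64 else MH_MAGIC, cputype,
                         3, 2, 1 if signed else 0, len(cmds), 0)
    return header + (b"\0" * 4 if is64 else b"") + cmds


def build_fat(slices):
    """Constructed test fixture: wrap (cputype, image) pairs in a fat header."""
    table, body, offset = b"", b"", 8 + 20 * len(slices)
    for cputype, blob in slices:
        table += struct.pack(">IIIII", cputype, 3, offset, len(blob), 0)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + table + body


MIXED = build_fat([(0x01000007, thin_macho(0x01000007, True, True)),
                   (7, thin_macho(7, False, False))])
UNIFORM = build_fat([(0x01000007, thin_macho(0x01000007, True, True)),
                     (7, thin_macho(7, False, True))])

if __name__ == "__main__":
    for name, blob in (("MIXED", MIXED), ("UNIFORM", UNIFORM)):
        report = audit_fat(blob)
        print(name, report, "unsigned slice present:", has_unsigned_slice(report))
```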
Security researchers have been warning about cybercriminals who have made over 20 million dollars in just the past few months by hijacking insecurely configured Ethereum nodes exposed on the Internet.
Qihoo 360 Netlab in March tweeted about a group of cybercriminals who were scanning the Internet for port 8545 to find insecure geth clients running Ethereum nodes and, at that time, stole 3.96234 units of Ethereum cryptocurrency (Ether).
However, researchers have now noticed that another cybercriminal group has managed to steal a total of 38,642 Ether, worth more than $20,500,000 at the time of writing, in the past few months by hijacking Ethereum wallets of users who had opened their JSON-RPC port 8545 to the outside world.
Geth is one of the most popular clients for running an Ethereum node, and enabling the JSON-RPC interface on it allows users to remotely access the Ethereum blockchain and node functionalities, including the ability to send transactions from any account that has been unlocked beforehand; such an account stays unlocked for the entire session.
Here’s the attackers’ Ethereum account address, where all the stolen funds have been collected:
By simply searching for this address on the Internet, we found dozens of forums and websites where users have posted details of similar incidents that happened to them, describing the same account address that hackers used to steal their funds from insecurely configured Ethereum nodes.
According to an advisory issued by Ethereum Project three years ago, leaving the JSON-RPC interface on an internet-accessible machine without a firewall policy opens up your cryptocurrency wallet to theft “by anybody who knows your [wallet] address in combination with your IP.”
NetLab researchers warned that not only the above-mentioned cybercriminal group but other attackers are also actively scanning the Internet for insecure JSON-RPC interface to steal funds from cryptocurrency wallets.
“If you have honeypot running on port 8545, you should be able to see the requests in the payload. Which has the wallet addresses. And there are quite a few ips scanning heavily on this port now,” 360 Netlab tweeted.
Users who have implemented Ethereum nodes are advised only to allow connections to the geth client originating from the local computer, or to implement user-authorization if remote RPC connections need to be enabled.
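One way to triage the port 8545 honeypot traffic mentioned above, as an added example that is not code from 360 Netlab or the Ethereum project. The log layout (timestamp, source IP, JSON-RPC request body), the addresses and the severity labels are constructed for the illustration.

```python
import ipaddress
import json
from collections import defaultdict

# JSON-RPC methods that move funds or unlock an account, and ones used to look for targets.
FUND_MOVING = {"eth_sendTransaction", "personal_sendTransaction", "personal_unlockAccount"}
RECON = {"eth_accounts", "eth_coinbase", "eth_getBalance"}


def parse_line(line):
    """Split 'timestamp source_ip json_body' and normalise batch requests to a list."""
    timestamp, source, body = line.split(" ", 2)
    request = json.loads(body)
    calls = request if isinstance(request, list) else [request]
    return timestamp, ipaddress.ip_address(source), [c for c in calls if isinstance(c, dict)]


def triage(lines):
    """Return [(source_ip, severity, destination_addresses)] for non-local callers."""
    per_source = defaultdict(lambda: {"recon": 0, "fund_moving": 0, "destinations": set()})
    for line in lines:
        try:
            _timestamp, source, calls = parse_line(line)
        except ValueError:              # malformed line, bad IP or invalid JSON
            continue
        if source.is_loopback:          # the only origin a locked-down node should serve
            continue
        entry = per_source[str(source)]
        for call in calls:
            method = call.get("method")
            params = call.get("params")
            if not isinstance(params, list):
                params = []
            if method in RECON:
                entry["recon"] += 1
            elif method in FUND_MOVING:
                entry["fund_moving"] += 1
                # The payload names the wallet the funds would be sent to.
                for param in params:
                    if isinstance(param, dict) and isinstance(param.get("to"), str):
                        entry["destinations"].add(param["to"].lower())
    alerts = []
    for source, entry in sorted(per_source.items()):
        if entry["fund_moving"]:
            alerts.append((source, "high", sorted(entry["destinations"])))
        elif entry["recon"]:
            alerts.append((source, "medium", []))
    return alerts


# Constructed honeypot log lines; IPs are documentation ranges, addresses are placeholders.
VICTIM = "0x" + "11" * 20
COLLECTOR = "0x" + "AB" * 20
SAMPLE_LOG = [
    '2018-06-12T10:00:01Z 203.0.113.7 {"jsonrpc":"2.0","id":1,"method":"eth_accounts","params":[]}',
    '2018-06-12T10:00:02Z 203.0.113.7 {"jsonrpc":"2.0","id":2,"method":"eth_sendTransaction",'
    '"params":[{"from":"%s","to":"%s","value":"0x1"}]}' % (VICTIM, COLLECTOR),
    '2018-06-12T10:00:05Z 198.51.100.9 {"jsonrpc":"2.0","id":1,"method":"eth_getBalance",'
    '"params":["%s","latest"]}' % VICTIM,
    '2018-06-12T10:00:06Z 127.0.0.1 {"jsonrpc":"2.0","id":9,"method":"eth_accounts","params":[]}',
    '2018-06-12T10:00:07Z 198.51.100.20 not-json',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```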
Organizations face many threats to their information systems and data. Understanding all the basic elements to cyber security is the first step to meeting those threats.
Cyber security is the practice of ensuring the integrity, confidentiality and availability (ICA) of information. It represents the ability to defend against and recover from accidents like hard drive failures or power outages, and from attacks by adversaries. The latter includes everyone from script kiddies to hackers and criminal groups capable of executing advanced persistent threats (APTs), and they pose serious threats to the enterprise. Business continuity and disaster recovery planning are every bit as critical to cyber security as application and network security.
Security should be top of mind across the enterprise, and come with a mandate from senior management. The fragility of the information world we now live in also demands strong cyber security controls. Management should see that all systems are built to certain security standards and that employees are properly trained. All code, for example, has bugs, and some of those bugs are security flaws. Developers are only human, after all.
The human is always the weakest element in any cyber security program. Training developers to code securely, training operations staff to prioritize a strong security posture, training end users to spot phishing emails and social engineering attacks — cyber security begins with awareness.
All companies will experience some kind of cyber attack, even if strong controls are in place. An attacker will always exploit the weakest link, and many attacks are easily preventable by performing basic security tasks, sometimes referred to as “cyber hygiene.” A surgeon would never enter an operating room without washing their hands first. Likewise, an enterprise has a duty to perform the basic elements of cyber security care such as maintaining strong authentication practices and not storing sensitive data where it is openly accessible.
A good cyber security strategy needs to go beyond these basics, though. Sophisticated hackers can circumvent most defenses, and the attack surface — the number of ways or “vectors” an attacker can gain entry to a system — is expanding for most companies. For example, the information and the physical world are merging, and criminals and nation-state spies now threaten the ICA of cyber-physical systems such as cars, power plants, medical devices, even your IoT fridge. Similarly, the trends toward cloud computing, bring your own device (BYOD) policies in the workplace, and the burgeoning internet of things (IoT) create new challenges. Defending these systems has never been more important.
Further complicating cyber security is the regulatory climate around consumer privacy. Compliance with stringent regulatory frameworks like the European Union’s General Data Protection Regulation (GDPR) also demands new kinds of roles to ensure that organizations meet the privacy and security mandates of the GDPR and other regulations.
As a result, growing demand for cyber security professionals has hiring managers struggling to fill positions with qualified candidates. That struggle requires organizations to have a sharp focus on areas of greatest risk.
The scope of cyber security is broad. The core areas are described below, and any good cyber security strategy should take them all into account.
Critical infrastructure includes the cyber-physical systems that society relies on, including the electricity grid, water purification, traffic lights and hospitals. Plugging a power plant into the internet, for example, makes it vulnerable to cyber attacks. The solution for organizations responsible for critical infrastructure is to perform due diligence to understand the vulnerabilities and protect against them. Everyone else should evaluate how an attack on critical infrastructure they depend on might affect them and then develop a contingency plan.
Network security guards against unauthorized intrusion as well as malicious insiders. Ensuring network security often requires trade-offs. For example, access controls such as extra logins might be necessary, but slow down productivity.
Tools used to monitor network security generate a lot of data — so much that valid alerts are often missed. To help better manage network security monitoring, security teams are increasingly using machine learning to flag abnormal traffic and alert to threats in real time.
The enterprise’s move into the cloud creates new security challenges. For example, 2017 has seen almost weekly data breaches from poorly configured cloud instances. Cloud providers are creating new security tools to help enterprise users better secure their data, but the bottom line remains: Moving to the cloud is not a panacea for performing due diligence when it comes to cyber security.
Application security (AppSec), especially web application security, has become the weakest technical point of attack, but few organizations adequately mitigate all the OWASP Top Ten web vulnerabilities. AppSec begins with secure coding practices, and should be augmented by fuzzing and penetration testing.
Rapid application development and deployment to the cloud has seen the advent of DevOps as a new discipline. DevOps teams typically prioritize business needs over security, a focus that will likely change given the proliferation of threats.
Internet of things (IoT) Security
IoT refers to a wide variety of critical and non-critical cyber physical systems, like appliances, sensors, printers and security cameras. IoT devices frequently ship in an insecure state and offer little to no security patching, posing threats to not only their users, but also to others on the internet, as these devices often find themselves part of a botnet. This poses unique security challenges for both home users and society.
Common cyber threats fall under three general categories:
Attacks on confidentiality: Stealing, or rather copying, a target’s personal information is how many cyber attacks begin, including garden-variety criminal attacks like credit card fraud, identity theft, or stealing bitcoin wallets. Nation-state spies make confidentiality attacks a major portion of their work, seeking to acquire confidential information for political, military, or economic gain.
Attacks on integrity: Also known by its common name, sabotage, integrity attacks seek to corrupt, damage, or destroy information or systems, and the people who rely on them. Integrity attacks can be subtle — a typo here, a bit fiddled there — or a slash and burn campaign of sabotage against a target. Perpetrators can range from script kiddies to nation-state attackers.
Attacks on availability: Preventing a target from accessing their data is most frequently seen today in the form of ransomware and denial-of-service attacks. Ransomware encrypts a target’s data and demands a ransom to decrypt it. A denial-of-service attack, typically in the form of a distributed denial-of-service (DDoS) attack, floods a network resource with requests, making it unavailable.
The following describes the means by which these attacks are carried out.
Attackers aren’t going to hack a computer if they can hack a human instead. Socially engineered malware, often used to deliver ransomware, is the No. 1 method of attack (not a buffer overflow, misconfiguration, or advanced exploit). An end-user is tricked into running a Trojan horse program, often from a website they trust and visit often. Ongoing user education is the best countermeasure against this attack.
Sometimes the best way to steal someone’s password is to trick them into revealing it. This accounts for the spectacular success of phishing. Even smart users, well-trained in security, can fall for a phishing attack. That’s why the best defense is two-factor authentication (2FA): a stolen password is worthless to an attacker without a second factor, such as a hardware security token or a soft token authenticator app on the user’s phone.
It’s hard to blame your enterprise if an attacker deploys a zero-day exploit against you, but failure to patch looks a lot like failure to perform due diligence. If months and years pass after disclosure of a vulnerability, and your enterprise has not applied that security patch, you open yourself to accusations of negligence. Patch, patch, patch.
Social Media Threats
Catfishing isn’t just for the dating scene. Believable sock puppet accounts can worm their way through your LinkedIn network. If someone who knows 100 of your professional contacts strikes up a conversation about your work, are you going to think it strange? Loose lips sink ships. Expect social media espionage, of both the industrial and nation-state variety.
Advanced Persistent Threats
Speaking of nation-state adversaries, your enterprise has them. Don’t be surprised if multiple APTs are playing hide-and-go-seek on your corporate network. If you’re doing anything remotely interesting to someone, anywhere, you need to consider your security posture against sophisticated APTs. Nowhere is this more true than in the technology space, an industry rich with valuable intellectual property many criminals and nations will not scruple to steal.
Executing a strong cyber security strategy requires you have the right people in place. The demand for professional cyber security folk has never been higher, from the C-suite down to the security engineers working on the front lines. Security leaders have elbowed their way into the C-suite and boardrooms, as protecting company data becomes mission critical for organizations. A chief security officer (CSO) or chief information security officer (CISO) is now a core management position that any serious organization must have.
Roles have also grown more specialized. The days of the generalist security analyst are fading fast. Today a penetration tester might focus on application security, or network security, or phishing users to test security awareness. Incident response may see you on call 24/7. The following roles are the foundation of any security team.
The CISO is a C-level management executive who oversees the operations of an organization’s IT security department and related staff. The CISO directs and manages strategy, operations, and the budget to protect an organization’s information assets.
Also referred to as cyber security analyst, data security analyst, information systems security analyst, or IT security analyst, this role typically has these responsibilities:
A good information security architect straddles the business and technical worlds. While the role can vary in the details by industry, it is that of a senior-level employee responsible for planning, analyzing, designing, configuring, testing, implementing, maintaining, and supporting an organization’s computer and network security infrastructure. This requires knowing the business with a comprehensive awareness of its technology and information needs.
The security engineer is on the front line of protecting a company’s assets from threats. The job requires strong technical, organizational and communication skills. IT security engineer is a relatively new job title. Its focus is on quality control within the IT infrastructure. This includes designing, building, and defending scalable, secure, and robust systems; working on operational data center systems and networks; helping the organization understand advanced cyber threats; and helping to create strategies to protect those networks.
At the Worldwide Developer Conference 2018 on Monday, Apple announced the next version of its macOS operating system, and it’s called Mojave.
Besides introducing new features and improvements of macOS 10.14 Mojave—like Dark Mode, Group FaceTime, Dynamic Desktop, and Finder—at WWDC, Apple also revealed a bunch of new security and privacy features coming with the next major macOS update.
Apple CEO Tim Cook said the new features included in Mojave are “inspired by pro users, but designed for everyone,” helping protect you from various security threats.
Here’s a list of all macOS Mojave security and privacy features:
Safari’s Enhanced “Intelligent Tracking Prevention”
It’s no longer shocking that your online privacy is being invaded, and everything you search online is being tracked—thanks to third-party trackers present on the Internet in the form of social media like and sharing buttons that marketers and data brokers use to monitor web users as they browse.
But not anymore. With macOS Mojave, Safari has updated its “Intelligent Tracking Prevention”—a feature that limits the tracking ability of websites using various ad-tracking and device fingerprinting techniques.
The all-new enhanced Intelligent Tracking Prevention will now automatically block all third-party trackers, including social media “Like” or “Share” buttons, as well as comment widgets from tracking users without their permission.
Safari will also help in defeating the “device fingerprinting” approach by exposing only generic configuration information about users’ devices and default fonts.
End-to-End Encrypted Group FaceTime (Up to 32 People)
That’s a huge security improvement: at WWDC 2018, Apple introduced a Group FaceTime feature that lets groups of 32 or fewer people make video calls at the same time, with end-to-end encryption just like the already existing one-to-one audio and video calls and group audio calls.
End-to-end encryption for group calls with the FaceTime app means that there’s no way for Apple or anyone to decrypt the data when it’s in transit between devices.
macOS Mojave Will Alert When Your Camera & Mic Are Accessed
As we have reported several times in the past few years, cybercriminals have been spreading new malware for macOS that targets the built-in webcam and microphone to spy on users without detection.
To address this threat, macOS Mojave adds a new feature that monitors access to your macOS webcam/microphone and alerts you with new permission dialogues whenever an app tries to access the camera or microphone.
This new protection has primarily been designed to prevent malicious software from silently turning on these device features in order to spy on its users.
Excessive Data Access Request User Permissions
macOS Mojave also adds similar permission requirements for apps to access personal data like mail database, message history, file system and backups.
By default, macOS Mojave will also protect your location information, contacts, photos, Safari data, mail database, message history, iTunes device backups, calendar, reminders, Time Machine backups, cookies, and more.
Secure (and Convenient) Password Management
We have long warned users to adopt good password practices by keeping their passwords strong and unique for every website or service. Now, Apple has made it easier in macOS 10.14 Mojave and iOS 12.
While Safari in macOS has provided password suggestions for years when users are asked to create a login at a site, Apple has improved this feature in a way that Safari now automatically generates strong passwords, enters them into the web browser, and stores them in the iCloud keychain when users create new online accounts.
Previously, third-party password manager apps handled most of these tasks, and now Apple is integrating such functionality directly into the next major versions of both macOS and iOS.
The company also announced a new feature that even flags reused passwords so that users can change them, a new interface that autofills one-time passwords provided by authentication apps, and a mechanism that shares passwords across all of a user’s nearby devices, including iOS devices, Macs, and Apple TVs.
macOS Mojave Moves Software Updates from App Store to System Preferences
With the new macOS Mojave, Apple has also redesigned its Mac App Store a little bit and moved the system update mechanism from the Mac App Store to System Preferences.
Apple has reintroduced the “Software Update” option in the System Preferences window, allowing users to update their operating system and native software without opening the App Store.
Moreover, Apple has also confirmed that Mojave will be its last version of macOS to support legacy 32-bit apps.
Similar to High Sierra, users will be shown a dialog box when opening 32-bit apps in macOS 10.14 Mojave (beta 1) with a message telling them that “This app will not work with future versions of macOS.”
We are strongly advising an immediate update to your Google Chrome installation.
Security researcher Michał Bentkowski discovered and reported a high severity vulnerability in Google Chrome in late May, affecting the web browsing software for all major operating systems including Windows, Mac, and Linux.
Without revealing any technical detail about the vulnerability, the Chrome security team described the issue as incorrect handling of CSP header (CVE-2018-6148) in a blog post published today.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” the Chrome security team notes.
The Content Security Policy (CSP) header allows website administrators to add an extra layer of security on a given web page by letting them control which resources the browser is allowed to load.
Mishandling of CSP headers by your web browser could re-enable attackers to perform cross-site scripting, clickjacking and other types of code injection attacks on any targeted web pages.
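To make concrete which parts of a CSP header carry the XSS and clickjacking protections mentioned above, here is an added example (not from Google's advisory or the original article) that parses a policy and flags directives that leave those protections open. The function names, finding labels and sample policies are assumptions constructed for illustration.

```javascript
// Added example: parse a Content-Security-Policy header value and flag gaps.
// The sample policies at the bottom are constructed, not taken from any real site.

function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function auditCsp(headerValue) {
  const policy = parseCsp(headerValue);
  const findings = [];
  // script-src falls back to default-src when absent.
  const scripts = policy.get('script-src') ?? policy.get('default-src');
  if (!scripts) {
    findings.push('no-script-restriction');
  } else {
    const lower = scripts.map((s) => s.toLowerCase());
    const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push('inline-script-allowed');
    if (lower.some((s) => ['*', 'data:', 'http:', 'https:'].includes(s))) findings.push('script-source-too-broad');
  }
  // frame-ancestors (the clickjacking control) does not fall back to default-src.
  const ancestors = policy.get('frame-ancestors');
  if (!ancestors) findings.push('framing-unrestricted');
  else if (ancestors.includes('*')) findings.push('framing-allowed-from-any-origin');
  return findings;
}

const weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const strict = "default-src 'none'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; frame-ancestors 'none'";
console.log(auditCsp(weak));
console.log(auditCsp(strict));
```

A policy that passes this check still depends on the browser enforcing it correctly, which is why a CSP handling bug in the browser itself calls for a browser update rather than a policy change.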
The patch for the vulnerability has already been rolled out in the stable Chrome update 67.0.3396.79 for Windows, Mac, and Linux operating systems, which users may have already received or will receive over the coming days/weeks.
So, make sure your system is running the updated version of the Chrome web browser. We’ll update the article as soon as Google releases a further update.
Firefox has also released its new version of the Firefox web browser, version 60.0.2, which includes security and bug fixes. So, users of the stable version of Firefox are also recommended to update their browser.