Twitter

Twitter Discloses Firefox Bug That Cached Private Files Sent or Received via DMs (zdnet.com) 42

Social networking giant Twitter today disclosed a bug on its platform that impacted users who accessed the platform using Firefox browsers. From a report: According to Twitter, its platform stored private files inside the Firefox browser's cache -- a folder where websites store information and files temporarily. Twitter said that once users left their platform or logged off, the files would remain in the browser cache, allowing anyone to retrieve them. The company is now warning users who share workstations or used a public computer that some of their private files may still be present in the Firefox cache. Malware present on a system could also scrape and steal this data, if ever configured to do so.
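The practical point behind this item is that a browser will write a response body to its on-disk cache unless the server tells it not to, and the directive that does so is `Cache-Control: no-store`; `private` only keeps shared caches (proxies, CDNs) out, and `no-cache` only forces revalidation before reuse, so both still let the user's own browser keep a copy on disk. The following is an added example, not Twitter's code: an audit that parses a response's Cache-Control header and reports whether the browser may store it, next to the header set a server should send with a private attachment. The sample responses are constructed for the example.

```python
"""Audit HTTP response headers for private downloads a browser must not persist.

Added example for this item; it is not Twitter's code. The header names and
directives are the standard HTTP ones; the sample responses below are
constructed for illustration."""


def parse_cache_control(value: str) -> dict:
    """Parse a Cache-Control header into {directive: value_or_None}.
    Directive names are case-insensitive."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def may_be_stored(headers: dict) -> bool:
    """Return True if a browser cache is allowed to write this response to disk.

    Only `no-store` forbids storage outright. `private` merely excludes shared
    caches; the user's own browser may still store the body, which is the
    exposure described above. `no-cache` permits storage but forces
    revalidation before reuse."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in cc


def private_download_headers(content_type: str, filename: str) -> dict:
    """Headers a server should send with a private attachment."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Cache-Control": "no-store",  # do not persist in any cache
        "Pragma": "no-cache",         # legacy HTTP/1.0 caches
        "Expires": "0",
    }


# Constructed sample responses (not captured from any real service)
SAMPLES = {
    "weak_private": {"Content-Type": "image/jpeg",
                     "Cache-Control": "private, max-age=0"},
    "weak_no_cache": {"Content-Type": "image/jpeg",
                      "Cache-Control": "no-cache"},
    "hardened": private_download_headers("image/jpeg", "dm-photo.jpg"),
}


def audit(samples: dict) -> list:
    """Return the names of sample responses a browser is allowed to store."""
    return [name for name, hdrs in samples.items() if may_be_stored(hdrs)]


if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: browser may write this body to its disk cache")
```

Run it against captured headers from your own download endpoints; any response that carries `private` or `no-cache` but not `no-store` is one a shared workstation will keep after logout.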
Security

Ex-NSA Hacker Drops New Zero-Day Doom for Zoom (techcrunch.com) 22

Zoom's troubled year just got worse. From a report: Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom's popularity has rocketed, but also has led to an increased focus on the company's security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user's Mac, including tapping into the webcam and microphone. Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch. The two bugs, Wardle said, can be launched by a local attacker -- that's where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim's computer, allowing them to install malware or spyware.
Security

OpenWRT Code-Execution Bug Puts Millions of Devices At Risk (arstechnica.com) 60

Dan Goodin writes via Ars Technica: For almost three years, OpenWRT -- the open source operating system that powers home routers and other types of embedded systems -- has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said. Security researcher Guido Vranken, however, recently found that updates and installation files were delivered over unencrypted HTTP connections, which are open to attacks that allow adversaries to completely replace legitimate updates with malicious ones. The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWRT maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.
[...]
The researcher said that OpenWRT maintainers have released a stopgap solution that partially mitigates the risk the bug poses. The mitigation requires new installations to be "set out from a well-formed list that would not sidestep the hash verification. However, this is not an adequate long-term solution because an attacker can simply provide an older package list that was signed by the OpenWRT maintainers." From there, attackers can use the same exploits they would use on devices that haven't received the mitigation. OpenWRT maintainers didn't immediately respond to questions asking why installation and update files are delivered over HTTP and when a longer-term fix might be available. In the meantime, OpenWRT users should install either version 18.06.7 or 19.07.1, both of which were released in February. These updates provide the stopgap mitigation.
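Two things in the report above are worth seeing in code: the package list must be authenticated and the downloaded package's hash checked against it, and, as the researcher points out about the stopgap, a correctly signed list is not enough if an attacker who controls the plaintext download can replay an older list the maintainers once signed. The following is an added example, not OpenWRT's opkg or usign code, of a list verifier that also enforces monotonic freshness with a serial number. The list format (`Serial:`, `Filename:`, `SHA256sum:` lines), the serial field itself, and the fixtures are invented for the example, and the public-key signature is stubbed with HMAC-SHA256 under a shared key so the block runs offline; transport encryption (fetching over HTTPS) is the other half of the fix and is out of scope here.

```python
"""Verify a downloaded package against a signed package list, and refuse
package lists older than the last one accepted.

Added example; not OpenWRT's code. Signature verification is stubbed with
HMAC-SHA256 under a shared key so the example runs offline; a real updater
verifies a public-key signature over the list. The list format and the
`Serial:` freshness field are invented for this example."""

import hashlib
import hmac

KEY = b"example-shared-key"  # stands in for the maintainers' signing key


def sign(blob: bytes) -> bytes:
    return hmac.new(KEY, blob, hashlib.sha256).digest()


def verify_sig(blob: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(blob), sig)


def parse_list(blob: bytes) -> tuple:
    """Return (serial, {filename: sha256hex}) from a package list."""
    serial, hashes, current = None, {}, None
    for line in blob.decode().splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Serial":
            serial = int(val)
        elif key == "Filename":
            current = val
        elif key == "SHA256sum" and current:
            hashes[current] = val.lower()
            current = None
    if serial is None:
        raise ValueError("package list has no Serial line")
    return serial, hashes


def accept_list(blob: bytes, sig: bytes, last_serial: int) -> dict:
    """Authenticate the list and enforce monotonic freshness.

    A correctly signed but *older* list is rejected: that is the gap the
    stopgap mitigation leaves open, since an attacker in the download path
    can replay any list the maintainers ever signed."""
    if not verify_sig(blob, sig):
        raise ValueError("package list signature invalid")
    serial, hashes = parse_list(blob)
    if serial < last_serial:
        raise ValueError(f"rollback: list serial {serial} < {last_serial}")
    return hashes


def try_accept(blob: bytes, sig: bytes, last_serial: int) -> str:
    """Return 'accepted' or the rejection reason, for scripting."""
    try:
        accept_list(blob, sig, last_serial)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def verify_package(hashes: dict, filename: str, data: bytes) -> bool:
    """Only install bytes whose SHA-256 matches the authenticated list."""
    expected = hashes.get(filename)
    if expected is None:
        return False  # not in the list: never install unknown packages
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


# Constructed fixtures (not real OpenWRT artifacts)
PKG = b"\x7fELF...fake package bytes..."
GOOD_LIST = (b"Serial: 20\nFilename: foo_1.0.ipk\nSHA256sum: "
             + hashlib.sha256(PKG).hexdigest().encode() + b"\n")
OLD_LIST = (b"Serial: 7\nFilename: foo_1.0.ipk\nSHA256sum: "
            + hashlib.sha256(b"old build").hexdigest().encode() + b"\n")

if __name__ == "__main__":
    print(try_accept(GOOD_LIST, sign(GOOD_LIST), last_serial=10))
    print(try_accept(OLD_LIST, sign(OLD_LIST), last_serial=10))
```

The device must persist `last_serial` after every accepted list; without that state, signature checking alone still lets an attacker serve a stale list whose hashes match an old, vulnerable build.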

Biotech

Some Researchers are Trying Mass Testing for Covid-19 Antibodies (wired.com) 43

An anonymous reader quotes Wired: Next week, blood banks across the Netherlands are set to begin a nationwide experiment. As donations arrive — about 7,000 of them per week is the norm — they'll be screened with the usual battery of tests that keep the blood supply safe, plus one more: a test for antibodies to SARS-CoV-2, the virus that causes Covid-19. Then, in a few weeks, another batch of samples will get the same test. And after that, depending on the numbers, there could be further rounds. The blood donors should be fairly representative of Dutch adults ages 18 to 75, and most importantly, they'll all be healthy enough for blood donation — or at least outwardly so...

Identifying what proportion of the population has already been infected is key to making the right decisions about containment... [B]ecause no Covid-19-specific serological [antibody] tests have been fully vetted yet, the FDA's latest guidance is that they shouldn't be relied upon for diagnoses. But in epidemiology circles, those tests are a sought-after tool for understanding the scope of the disease. Since February — which was either three weeks or a lifetime ago — epidemiologists have been trying to get the full scope of the number of infections here in the U.S... [A]s the disease has continued to spread and a patchwork of local "stay at home" rules begins to bend the course of the disease, projecting who has the disease and where the hot spots are has become more difficult for models to capture.

Instead, you need boots-on-the-ground surveillance. In other words, to fill the gap created by a lack of diagnostic tests, you need more testing — but of a different sort. This time you have to know how many total people have already fought the bug, and how recently they've fought it. "Of all the data out there, if there was a good serological assay that was very specific about individuating recent cases, that would be the best data we could have," says Alex Perkins, an epidemiologist at the University of Notre Dame. The key, he says, is drawing blood from a representative sample that would show the true scope of unobserved infections... Another motivation to develop better blood tests is the potential to develop therapeutics from antibody-rich blood serum.

Wired is currently providing free access to stories about the coronavirus.
Education

School Quits Video Calls After Naked Man 'Guessed' the Meeting Link (techcrunch.com) 143

An anonymous reader quotes a report from TechCrunch: A school in Norway has stopped using popular video conferencing service Whereby after a naked man apparently "guessed" the link to a video lesson. According to Norwegian state broadcaster NRK, the man exposed himself in front of several young children over the video call. The theory, according to the report, is that the man guessed the meeting ID and joined the video call. One expert quoted in the story said some are "looking" for links. Last year security researchers told TechCrunch that malicious users could access and listen in to Zoom and Webex video meetings by cycling through different permutations of meeting IDs in bulk. The researchers said the flaw worked because many meetings were not protected by a passcode.
Bug

Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic (bleepingcomputer.com) 19

An anonymous reader quotes a report from Bleeping Computer: A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users' data or leak their IP addresses. While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel as ProtonVPN disclosed.

The bug is due to Apple's iOS not terminating all existing Internet connections when the user connects to a VPN and having them automatically reconnect to the destination servers after the VPN tunnel is established. "Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own," ProtonVPN explains. "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel." During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences. For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks.
Until Apple provides a fix, the company recommends using Always-on VPN to mitigate this problem. "However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN," the report adds.
Data Storage

HPE Says Firmware Bug Will Brick Some SSDs Starting in October this Year (zdnet.com) 97

An anonymous reader writes: Hewlett Packard Enterprise (HPE) issued a security advisory last week warning customers about a bug in the firmware of some SAS SSDs (Serial-Attached SCSI solid-state drives) that will fail after reaching 40,000 hours of operation -- which is 4 years, 206 days, and 16 hours after the SSD has been put into operation. HPE says that based on when affected SSDs have been manufactured and sold, the earliest failures are expected to occur starting with October this year. The company released firmware updates last week to address the issue. HPE warns that if companies fail to install the update, they risk losing both the SSD and the data. "After the SSD failure occurs, neither the SSD nor the data can be recovered," the company explained.
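A fleet operator reading this wants one number per drive: how many power-on hours remain before the threshold, and the earliest date it can be hit. The block below is an added example, not HPE's tooling, that pulls power-on hours out of smartctl text in either the ATA attribute-table style or the SCSI/SAS summary-line style and turns it into a replacement schedule. The smartctl excerpts are constructed, and since their exact wording varies by drive family and smartmontools version, the two regular expressions are an assumption to check against your own output.

```python
"""Estimate how close a drive is to a power-on-hours limit from smartctl output.

Added example for this item, not HPE's tooling. The 40,000-hour figure is the
one in HPE's advisory; the smartctl excerpts below are constructed, and their
exact wording varies by drive family and smartmontools version, so the two
regular expressions are an assumption to validate against your own fleet."""

import re
from datetime import datetime, timedelta

LIMIT_HOURS = 40_000

# ATA-style attribute table: "  9 Power_On_Hours ... RAW_VALUE" at line end.
_ATA = re.compile(r"^\s*9\s+Power_On_Hours\b.*?(\d+)\s*$", re.MULTILINE)
# SCSI/SAS-style summary: "Accumulated power on time, hours:minutes 39500:12"
_SAS = re.compile(r"Accumulated power on time, hours:minutes\s+(\d+):\d+")


def power_on_hours(smartctl_output: str) -> int:
    """Extract power-on hours from either output style; raise if neither is present."""
    for pattern in (_ATA, _SAS):
        match = pattern.search(smartctl_output)
        if match:
            return int(match.group(1))
    raise ValueError("no power-on-hours field found in smartctl output")


def hours_remaining(hours: int, limit: int = LIMIT_HOURS) -> int:
    return limit - hours


def projected_limit_date(hours: int, now: datetime, limit: int = LIMIT_HOURS) -> datetime:
    """When the drive reaches `limit` if it stays powered on continuously.
    Drives that are off part of the day reach it later; this is the earliest
    plausible date, which is what a replacement schedule should plan around."""
    return now + timedelta(hours=hours_remaining(hours, limit))


def triage(drives: dict, now: datetime, horizon_days: int = 90) -> dict:
    """Map drive name -> (hours, remaining, projected_date, urgent) for a fleet
    of smartctl outputs; `urgent` marks drives that hit the limit inside the horizon."""
    report = {}
    for name, output in drives.items():
        hours = power_on_hours(output)
        remaining = hours_remaining(hours)
        report[name] = (hours, remaining, projected_limit_date(hours, now),
                        remaining <= horizon_days * 24)
    return report


# Constructed smartctl excerpts (not captured from real hardware)
SAMPLE_SAS = "Vendor:  EXAMPLE\nAccumulated power on time, hours:minutes 39500:12\n"
SAMPLE_ATA = (
    "ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE\n"
    "  9 Power_On_Hours          0x0032   093   093   000    Old_age   Always       -       12345\n"
)
NOW = datetime(2020, 3, 29, 0, 0)

if __name__ == "__main__":
    for name, (hours, remaining, date, urgent) in triage(
            {"sas0": SAMPLE_SAS, "ata0": SAMPLE_ATA}, NOW).items():
        flag = "UPDATE FIRMWARE NOW" if urgent else "schedule"
        print(f"{name}: {hours}h on, {remaining}h left, limit ~{date:%Y-%m-%d} ({flag})")
```

Feed it the output of `smartctl -a` per device (through the RAID controller passthrough where needed); the urgent set is the order in which to apply the firmware update, and a drive whose hours cannot be read should be treated as urgent rather than skipped.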
Robotics

If Robots Steal So Many Jobs, Why Aren't They Saving Us Now? (wired.com) 131

An anonymous reader quotes a report from Wired: Modern capitalism has never seen anything quite like the novel coronavirus SARS-CoV-2. In a matter of months, the deadly contagious bug has spread around the world, hobbling any economy in its path. [...] This economic catastrophe is blowing up the myth of the worker robot and AI takeover. We've been led to believe that a new wave of automation is here, made possible by smarter AI and more sophisticated robots. San Francisco has even considered a tax on robots -- replace a human with a machine, and pay a price. The problem will get so bad, argue folks like former presidential candidate Andrew Yang, we'll need a universal basic income to support our displaced human workers.

Yet our economy still craters without human workers, because the machines are far, far away from matching our intelligence and dexterity. You're more likely to have a machine automate part of your job, not destroy your job entirely. Moving from typewriters to word processors made workers more efficient. Increasingly sophisticated and sensitive robotic arms can now work side-by-side on assembly lines with people without flinging our puny bodies across the room, doing the heavy lifting and leaving the fine manipulation of parts to us. The machines have their strengths -- literally in this case -- and the humans have theirs.
While robots can do the labor we don't want to do or can't do, such as lifting car doors on an assembly line, they're not very good at problem-solving. "Think about how you would pick up a piece of paper that's lying flat on a table. You can't grip it like you would an apple -- you have to either pinch it to get it to lift off the surface, or drag it to hang over the edge of the table," writes Matt Simon via Wired. "As a kid, you learn to do that through trial and error, whereas you'd have to program a robot with explicit instructions to do the same."

In closing, Simon writes: "Overestimating robots and AI underestimates the very people who can save us from this pandemic: Doctors, nurses, and other health workers, who will likely never be replaced by machines outright. They're just too beautifully human for that."
Microsoft

Microsoft Says Hackers Are Attacking Windows Users With a New Unpatched Bug (techcrunch.com) 69

Microsoft says attackers are exploiting a previously undisclosed security vulnerability found in all supported versions of Windows, including Windows 10. From a report: But the software giant said there is currently no patch for the vulnerability. The security flaw, which Microsoft deems "critical" -- its highest severity rating -- is found in how Windows handles and renders fonts, according to the advisory posted Monday. The bug can be exploited by tricking a victim into opening a malicious document. Once the document is opened -- or viewed in Windows Preview -- an attacker can remotely run malware, such as ransomware, on a vulnerable device. The advisory said that Microsoft was aware of hackers launching "limited, targeted attacks," but did not say who was launching the attacks or at what scale.
Facebook

Facebook Bug Caused Legitimate News Articles About the Coronavirus To Be Marked As Spam 31

McGruber shares a report from Business Insider: Facebook is blocking users from posting some legitimate news articles about the coronavirus in what appears to be a bug in its spam filters. On Tuesday, multiple Facebook users reported on Twitter that they found themselves unable to post articles from certain news outlets including Business Insider, BuzzFeed, The Atlantic, and the Times of Israel. It's not clear exactly what has gone wrong, and Facebook did not respond to a request for comment.

Alex Stamos, an outspoken former Facebook security exec, speculated that it might be caused by Facebook's shift to automated software after it sent its human content moderators home. "It looks like an anti-spam rule at FB is going haywire," he wrote on Twitter. "Facebook sent home content moderators yesterday, who generally can't [work from home] due to privacy commitments the company has made. We might be seeing the start of the machine learning going nuts with less human oversight."
In a tweet, VP of Integrity Guy Rosen said: "We're on this -- this is a bug in an anti-spam system, unrelated to any changes in our content moderator workforce. We're in the process of fixing and bringing all these posts back."
AI

Surveillance Company Says It's Deploying 'Coronavirus-Detecting' Cameras In US (vice.com) 87

An Austin, Texas based technology company is launching "artificially intelligent thermal cameras" that it claims will be able to detect fevers in people, and in turn send an alert that they may be carrying the coronavirus. Motherboard reports: Athena Security is pitching the product to be used in grocery stores, hospitals, and voting locations. It claims to be deploying the product at several customer locations over the coming weeks, including government agencies, airports, and large Fortune 500 companies. "Our Fever Detection COVID19 Screening System is now a part of our platform along with our gun detection system which connects directly to your current security camera system to deliver fast, accurate threat detection," Athena's website reads. Athena previously sold software that it claims can detect guns and knives in video feeds and then send alerts to an app or security system.

"The AI detects it, and it says I have a 99.5 degrees temperature. It notices that I have a fever, and that I am infected," an Athena employee says during a video demonstration of the product. "Since higher temperature is one of the first symptoms, these cameras can be life-saving, warning the person that they could have the virus and encouraging that person to take serious steps to self-quarantine," the representative added in an email, suggesting that the company could deploy them at polling locations. "Although many voters today are bound to get it, steps in the coming weeks could prevent them from spreading the bug to loved ones and strangers alike." The representative claimed that the software is accurate within half a degree and that it detects a dozen different parts on the body. They added the system has "no facial recognition, no personal tracking."

Transportation

New Supercar Technology Does Away With Windshields (livemint.com) 114

The Wall Street Journal reports on a new technology being developed by McLaren Technology Centre for its "Elva," a multi-million dollar, 804-horsepower two-seat roadster.

It doesn't have a windshield... In place of a windscreen, Elva will debut a technology called Active Air Management System (AAMS). When engaged, it generates two air flows streaming over the cockpit: One glances off the low, curvaceous wind deflector rising out of the front bodywork, with an energy proportional to vehicle speed. The other airflow is scooped up in a low-mounted grille intake and turned 135 degrees. Now ducted up and slightly forward, this high pressure flow intercepts the deflected airflow, bending the combined flows over the cockpit. Meanwhile, streaming air clinging to the hood wants to be drawn down, below face level, following the Elva's curving scuttle and dash.

And so the Elva's historically unique, eye-of-the-hurricane gestalt: Driver and passenger motoring at highway speeds, talking at normal volume, as warm or as cool as desired and, looking out, seeing nothing... but scenery. No helmet limiting their peripheral vision as if looking through a well-padded porthole, stifling breath and sense of smell. And no heavy, roof-supporting "A" pillars either, which clumsily bracket existence in almost all modern cars. The Elva is the motoring equivalent of a horizonless pool.

Under the right conditions the Elva's system can billow precipitation out of the way, over the car, so the occupants stay dry. Heading up the mountain to Gstaad? With the AAMS active, falling snow will swirl past but never settle... What about bugs? I asked. Will they be deflected too? "It depends on the mass of the bug," said Andrew Kay, Elva project chief engineer, being completely serious. What about stones thrown up by trucks? Overtalk...inaudible... In any event, McLaren expects all occupants will be wearing helmets on piste and will only engage the AAMS bareheaded at moderate speeds...

At 60 mph, the wind was so still I could have lit a cigarette.

Microsoft

Microsoft Patches SMBv3 Wormable Bug That Leaked Earlier this Week (zdnet.com) 12

Microsoft today released a patch for a vulnerability in the SMBv3 protocol that accidentally leaked online earlier this week during the March 2020 Patch Tuesday preamble. From a report: The fix is available as KB4551762, an update for Windows 10, versions 1903 and 1909, and Windows Server 2019, versions 1903 and 1909. The update fixes CVE-2020-0796, a vulnerability in Server Message Block, a protocol for sharing files, printers, and other resources on local networks and the Internet. The bug allows attackers to connect to remote systems where the SMB service is enabled and run malicious code with SYSTEM privileges, allowing for remote takeovers of vulnerable systems. Earlier this week, due to what looks like a miscommunication between Microsoft and some antivirus vendors, details about this bug leaked online.
Open Source

FSF Plans to Launch 'Forge', a Code-Hosting/Collaboration Platform (fsf.org) 40

An anonymous reader quotes SD Times: The Free Software Foundation (FSF) announced plans to launch a public code hosting and collaboration platform ("forge") this year. Members of the FSF tech team are currently reviewing ethical web-based software that will help teams work on their projects, with features like merge requests, bug tracking, and other common tools.

"Infrastructure is very important for free software, and it's unfortunate that so much free software development currently relies on sites that don't publish their source code, and require or encourage the use of proprietary software," FSF wrote in a blog post. "Our GNU ethical repository criteria aim to set a high standard for free software code hosting, and we hope to meet that with our new forge."

As of now, the team said it has been researching a list of candidate programs and analyzing them in terms of ethical and practical criteria.

The FSF blog post adds that "We plan on contributing improvements upstream for the new forge software we choose, to boost its score on those criteria...

"We'll communicate with the upstream developers to request improvements and help clarify any questions related to the ethical repository criteria."
Intel

Intel CSME Bug Worse Than Previously Thought (zdnet.com) 68

Security researchers say that a bug in one of Intel's CPU technologies that was patched last year is actually much worse than previously thought. From a report: "Most Intel chipsets released in the last five years contain the vulnerability in question," said Positive Technologies in a report published today. Attacks are impossible to detect, and a firmware patch only partially fixes the problem. To protect devices that handle sensitive operations, researchers recommend replacing CPUs with versions that are not impacted by this bug. Only the latest Intel 10th generation chips are not vulnerable, researchers said. The actual vulnerability is tracked as CVE-2019-0090, and it impacts the Intel Converged Security and Management Engine (CSME), formerly called the Intel Management Engine BIOS Extension (Intel MEBx).
Security

Let's Encrypt Discovers CAA Bug, Must Revoke Customer Certificates (arstechnica.com) 66

rufey writes: The free SSL certificate provider Let's Encrypt is going to revoke 2.6% of the SSL certs issued by them that are currently active, due to a bug in Boulder, the Certificate Authority Authorization (CAA) software Let's Encrypt uses. Ars Technica reports: "Let's Encrypt uses Certificate Authority software called Boulder. Typically, a Web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain. The bug LE discovered is that, rather than checking each domain name separately for valid CAA records authorizing that domain to be renewed by that server, Boulder would check a single one of the domains on that server n times (where n is the number of LE-serviced domains on that server). Let's Encrypt typically considers domain validation results good for 30 days from the time of validation -- but CAA records specifically must be checked no more than eight hours prior to certificate issuance. The upshot is that a 30-day window is presented in which certificates might be issued to a particular Web server by Let's Encrypt despite the presence of CAA records in DNS that would prohibit that issuance.

Since Let's Encrypt finds itself in the unenviable position of possibly having issued certificates that it should not have, it is revoking all current certificates that might not have had proper CAA record checking on Wednesday, March 4. Users whose certificates are scheduled to be revoked will need to manually force renewal before then. If an admin does not perform this manual renewal step, browsers reaching their websites will show TLS security warnings due to the revoked certificates. Let's Encrypt certificates are issued for 90-day intervals, and Certbot automatically renews them only when 30 days or less are left on the cert -- so this could mean roughly two months of browser errors if the manual forced renewal isn't performed."

The CAB Forum, which oversees the public CAA space, has a ticket for this specific issue.
According to a community post on Let's Encrypt's website, 3,048,289 of the ~116 million overall active Let's Encrypt certificates are affected.
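The two rules the report describes, that every name on a certificate needs its own CAA check and that a CAA result is only good for eight hours before issuance, are easy to state and easy to get wrong in a loop. The block below is an added example, not Boulder's code, of a per-name CAA authorization with a freshness cache, next to the loop shape the report describes (the first name checked n times, its verdict applied to all). The `issue`/`issuewild` semantics and the climb to the closest ancestor with CAA records follow RFC 8659; DNS lookups are replaced by a constructed zone table so the example runs offline, and `letsencrypt.org` is used as the issuer value because that is the value Let's Encrypt publishes for CAA.

```python
"""Per-name CAA authorization with the eight-hour freshness rule, beside the
loop shape that checks one name n times.

Added example, not Boulder's code. DNS is replaced by a constructed zone
table; `issue`/`issuewild` handling follows RFC 8659."""

from datetime import datetime, timedelta

CAA_MAX_AGE = timedelta(hours=8)
ISSUER = "letsencrypt.org"

# Constructed zone data: name -> list of (flags, tag, value). Names absent
# from the table have no CAA records of their own.
ZONE = {
    "example.com":        [(0, "issue", "letsencrypt.org")],
    "locked.example.com": [(0, "issue", "other-ca.example")],
    "nocas.example.net":  [(0, "issue", ";")],  # ";" means no CA may issue
}


def relevant_caa(name: str) -> list:
    """RFC 8659: use the CAA set of the closest name on the path to the root."""
    labels = name.rstrip(".").split(".")
    while labels:
        recs = ZONE.get(".".join(labels))
        if recs:
            return recs
        labels.pop(0)
    return []


def caa_permits(name: str, issuer: str, wildcard: bool = False) -> bool:
    """Decide whether `issuer` may issue for `name` (a wildcard if flagged)."""
    recs = relevant_caa(name)
    if not recs:
        return True  # no CAA set anywhere up the tree: any CA may issue
    if wildcard and any(tag == "issuewild" for _, tag, _ in recs):
        relevant = [v for _, tag, v in recs if tag == "issuewild"]
    else:
        relevant = [v for _, tag, v in recs if tag == "issue"]
    if not relevant:
        return True  # only iodef or other non-restricting tags present
    issuers = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return issuer.lower() in issuers


def names_needing_lookup(names: list, cache: dict, now: datetime) -> list:
    """Names whose cached (verdict, checked_at) is missing or older than 8 hours.
    A 30-day validation cache is not a substitute: CAA has its own window."""
    return [n for n in names
            if n not in cache or now - cache[n][1] > CAA_MAX_AGE]


def authorize_names(names: list, issuer: str, now: datetime, cache: dict) -> dict:
    """Correct shape: every name is checked, stale cache entries are refreshed."""
    for name in names_needing_lookup(names, cache, now):
        wildcard = name.startswith("*.")
        bare = name[2:] if wildcard else name
        cache[name] = (caa_permits(bare, issuer, wildcard), now)
    return {name: cache[name][0] for name in names}


def authorize_names_buggy(names: list, issuer: str, now: datetime, cache: dict) -> dict:
    """The loop shape described above: names[0] is checked len(names) times and
    that single verdict is applied to every name, so CAA records on the other
    names are never consulted."""
    verdicts = authorize_names([names[0]] * len(names), issuer, now, cache)
    return {name: verdicts[names[0]] for name in names}


def should_issue(verdicts: dict) -> bool:
    return all(verdicts.values())


# Constructed issuance request and clock
NAMES = ["a.example.com", "locked.example.com", "*.example.com"]
NOW = datetime(2020, 3, 3, 12, 0)


def hours_ago(hours: int) -> datetime:
    return NOW - timedelta(hours=hours)


if __name__ == "__main__":
    print("fixed:", authorize_names(NAMES, ISSUER, NOW, {}))
    print("buggy:", authorize_names_buggy(NAMES, ISSUER, NOW, {}))
```

In the fixed path `locked.example.com` is refused because its own CAA record names a different CA; in the buggy path the verdict for `a.example.com` is copied onto it and the certificate would be issued, which is exactly the mis-issuance the revocation corrects.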
The Almighty Buck

Robinhood Glitch Steals From the Poor, Gives To the Rich (yahoo.com) 71

theodp writes: On its Careers page, zero-commission online broker Robinhood explains its founders "decided it was more important to build products that would provide everyone with access to the financial markets, not just the wealthy. Two years after heading to New York, they moved back to California and built Robinhood -- a company that leverages technology to encourage everyone to participate in our financial system." But on Monday, at least, the advantage went to the wealthy. Bloomberg reports that Robinhood suffered an outage that lasted the entire U.S. trading day and prevented customers from making trades as stocks surged after last week's rout (status). Just another reminder that we're all just one technology fail away from chaos.
Intel

Chasing AMD, Intel Promises Full Memory Encryption in Upcoming CPUs (arstechnica.com) 53

"Intel's security plans sound a lot like 'we're going to catch up to AMD,'" argues FOSS advocate and "mercenary sysadmin" Jim Salter at Ars Technica, citing a "present-and-future" presentation by Anil Rao and Scott Woodgate at Intel's Security Day that promised a future with Full Memory Encryption but began with Intel SGX (launched with the Skylake microarchitecture in 2015).

Salter describes SGX as "one of the first hardware encryption technologies designed to protect areas of memory from unauthorized users, up to and including the system administrators themselves." SGX is a set of x86_64 CPU instructions which allows a process to create an "enclave" within memory which is hardware encrypted. Data stored in the encrypted enclave is only decrypted within the CPU -- and even then, it is only decrypted at the request of instructions executed from within the enclave itself. As a result, even someone with root (system administrator) access to the running system can't usefully read or alter SGX-protected enclaves. This is intended to allow confidential, high-stakes data processing to be safely possible on shared systems -- such as cloud VM hosts. Enabling this kind of workload to move out of locally owned-and-operated data centers and into massive-scale public clouds allows for less expensive operation as well as potentially better uptime, scalability, and even lower power consumption.

Intel's SGX has several problems. The first and most obvious is that it is proprietary and vendor-specific -- if you design an application to utilize SGX to protect its memory, that application will only run on Intel processors... Finally, there are potentially severe performance impacts to utilization of SGX. IBM's Danny Harnik tested SGX performance fairly extensively in 2017, and he found that many common workloads could easily see a throughput decrease of 20 to 50 percent when executed inside SGX enclaves. Harnik's testing wasn't 100 percent perfect, as he himself made clear -- in particular, in some cases his compiler seemed to produce less-optimized code with SGX than it had without. Even if one decides to handwave those cases as "probably fixable," they serve to highlight an earlier complaint -- the need to carefully develop applications specifically for SGX use cases, not merely flip a hypothetical "yes, encrypt this please" switch....

After discussing real-world use of SGX, Rao moved on to future Intel technologies -- specifically, full-memory encryption. Intel refers to its version of full-memory encryption as TME (Total Memory Encryption) or MKTME (Multi-Key Total Memory Encryption). Unfortunately, those features are vaporware for the moment. Although Intel submitted an enormous Linux kernel patchset last May for enabling those features, there are still no real-world processors that offer them... This is probably a difficult time to give exciting presentations on Intel's security roadmap. Speculative prediction vulnerabilities have hurt Intel's processors considerably more than their competitors', and the company has been beaten significantly to market by faster, easier-to-use hardware memory encryption technologies as well. Rao and Woodgate put a brave face on things by talking up how SGX has been and is being used in Azure. But it seems apparent that the systemwide approach to memory encryption already implemented in AMD's Epyc CPUs -- and even in some of their desktop line -- will have a far greater lasting impact.

Intel's slides about their own upcoming full memory encryption are labeled "innovations," but they look a lot more like catching up to their already-established competition.

Security

Ghostcat Bug Impacts All Apache Tomcat Versions Released in the Last 13 Years (zdnet.com) 45

Apache Tomcat servers released in the last 13 years are vulnerable to a bug named Ghostcat that can allow hackers to take over unpatched systems. From a report: Discovered by Chinese cybersecurity firm Chaitin Tech, Ghostcat is a flaw in the Tomcat AJP protocol. AJP stands for Apache JServ Protocol and is a performance-optimized version of the HTTP protocol in binary format. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances. Tomcat's AJP connector is enabled by default on all Tomcat servers and listens on the server's port 8009. Chaitin researchers say they discovered a bug in AJP that can be exploited to either read or write files to a Tomcat server.
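Since the report says the AJP connector is on by default and listens on 8009, the first thing to check on any Tomcat host is whether that connector is reachable from anything other than the local httpd it is meant to serve, and whether it requires a shared secret. The block below is an added example, not Chaitin's or the Tomcat project's code: it parses a `server.xml`, finds AJP connectors, and flags those bound to all interfaces or configured without a secret. The `address`, `secretRequired` and `secret` attributes are the ones Tomcat documents for the AJP connector in the releases that hardened it; the `server.xml` fragments are constructed for the example, and the secret value in the hardened one is a placeholder.

```python
"""Flag AJP connectors in a Tomcat server.xml that are reachable beyond the
local host or accept connections without a shared secret.

Added example; not Chaitin's or the Tomcat project's code. The connector
attributes checked are the ones Tomcat documents for its AJP connector; the
server.xml fragments below are constructed for this example."""

import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list:
    """Return one finding per AJP connector that needs attention.

    Connectors inside XML comments are not parsed, so a commented-out AJP
    connector correctly yields no findings."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue  # HTTP connectors are not what this audit is about
        port = conn.get("port", "?")
        addr = conn.get("address")  # absent means all interfaces
        if addr not in LOOPBACK:
            findings.append(
                f"port {port}: AJP bound to {addr or 'all interfaces'}; bind to "
                "127.0.0.1 or remove the connector if httpd does not front Tomcat")
        if not conn.get("secret"):
            findings.append(
                f"port {port}: AJP connector has no secret; any client that can "
                "reach the port can send it requests; set secretRequired=\"true\" "
                "and a long random secret shared with httpd")
    return findings


# Constructed server.xml fragments (not shipped Tomcat defaults)
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443"/>
  </Service>
</Server>"""

COMMENTED_OUT_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp(xml) or ["no findings"])
```

A clean audit of `server.xml` is necessary but not sufficient: confirm with `ss -ltnp` or equivalent that nothing else is listening on 8009, and remember that the secret only helps once httpd is configured to send the same value.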
Businesses

Facebook Sues SDK Maker OneAudience For Secretly Harvesting User Data (zdnet.com) 14

Facebook today filed a federal lawsuit in a California court against OneAudience, a New Jersey-based data analytics firm. From a report: The social networking giant claims that OneAudience paid app developers to install its Software Development Kit (SDK) in their apps, and later used the control it had over the SDK's code to harvest data on Facebook users. According to court documents obtained by ZDNet, the SDK was embedded in shopping, gaming, and utility-type apps, some of which were made available through the official Google Play Store. "After a user installed one of these apps on their device, the malicious SDK enabled OneAudience to collect information about the user from their device and their Facebook, Google, or Twitter accounts, in instances where the user logged into the app using those accounts," the complaint reads. "With respect to Facebook, OneAudience used the malicious SDK -- without authorization from Facebook -- to access and obtain a user's name, email address, locale (i.e. the country that the user logged in from), time zone, Facebook ID, and, in limited instances, gender," Facebook said. Twitter was the first to expose OneAudience's secret data harvesting practices on November 26, last year.
