Starting with iOS 16, people who are at risk of being targeted with spyware will have some much-needed help.

The surveillance-for-hire Industry has emerged in recent years as a very real threat to activists, dissidents, journalists, and human rights defenders around the world, as vendors offer increasingly invasive and effective spyware to governments. The most sophisticated of these tools, like NSO Group's notorious Pegasus spyware, target victims' smartphones using rare and sophisticated exploits to compromise Apple's iOS and Google's Android mobile operating systems. As the situation has deteriorated for victims, activists and security experts have increasingly called for more drastic measures to protect vulnerable individuals. Now Apple has an option.

Today, Apple is announcing a new feature for its upcoming iOS 16 release called Lockdown Mode. Apple emphasizes that the feature was created for a small subset of users who are at high risk of government targeting, and it doesn't expect the feature to be widely adopted. But for those who want to use it, the feature is an alternate mode of iOS that heavily restricts the tools and services that spyware actors target to take control of victims' devices.

“This is an unprecedented step for user security for high-risk users,” Ron Deibert, director of the University of Toronto's Citizen Lab said on a call with reporters ahead of the announcement. “I believe that this will throw a wrench into their modus operandi. I expect \[spyware vendors\] to try to evolve, but hopefully, this feature will prevent some of those harms from happening down the road.”

Lockdown Mode is a separate operating system mode. To turn it on, users enable the feature in the Settings menu and then are prompted to restart their device for all of the protections and digital defenses to fully take effect. The feature imposes limitations on the leakiest parts of the operating system sieve. Lockdown Mode attempts to comprehensively address threats from web browsing, for example, by blocking many speed and efficiency features that Safari (and WebKit) use to render webpages. Users can specifically mark a certain webpage as trusted so it loads normally, but by default, Lockdown Mode imposes a host of restrictions that extend anywhere WebKit is working behind the scenes. In other words, when you load web content in a third-party app or an iOS app like Mail, the same Lockdown Mode protections will apply. 

Lockdown Mode also limits all sorts of incoming invitations and requests, unless the device has previously initiated a request. That means your friend won't be able to call you on FaceTime, for example, if you've never called them. And to take it one step further, even when you initiate an interaction with another device, Lockdown Mode only honors that connection for 30 days. If you don't talk to a particular friend for weeks after that, you'll need to reestablish contact before they can reach out to you again. In Messages—a frequent target of spyware exploitation—Lockdown Mode won't show link previews and will block all attachments with the exception of a few trusted image formats.

Lockdown Mode also strengthens other protections. For example, when a device is locked, it won't receive connections from anything physically plugged into it. And, crucially, a device that isn't already registered with one of Apple's enterprise mobile device management (MDM) programs can't be added to one of these schemes once Lockdown Mode is turned on. This means that if your company gives you a phone enrolled in the corporate MDM, it will remain active if you then enable Lockdown Mode. And the manager of your MDM can't remotely turn off Lockdown Mode on your device. But if your phone is just a regular consumer device and you put it in Lockdown mode, you won't be able to activate MDM. This is important because attackers will trick victims into enabling MDM as a way of gaining the ability to install malicious apps on their devices.

Apple says the idea of Lockdown Mode feels foreign because iOS has always been developed to offer all security protections to every user. But the company saw the necessity to take drastic action as more and more spyware victims emerged worldwide. The company says it plans to continue refining Lockdown Mode and expanding it as needed. It also added a new category to its bug bounty program to reward researchers up to $2 million for finding flaws in Lockdown Mode or total bypasses. 

The company also pledged in November to donate $10 million to research and defense related to targeted spyware. On Wednesday, Apple is announcing that this money will become a grant to the Ford Foundation's Dignity and Justice Fund. At launch, advisers for the fund will come from Access Now, Citizen Lab, the Engine Room, Amnesty International, and Apple.

“The mercenary spyware industry is facilitating the spread of authoritarian practices,” Citizen Lab's Deibert emphasizes. “I applaud Apple for developing Lockdown Mode. It will be a major blow to mercenary spyware companies.”

Targeted spyware has proved a complicated threat to counter, and the industry is only growing. But a radical new defense can only help potential targets around the world who are exposed and in dire need of resources.

Apple’s Lockdown Mode Aims to Counter Spyware Threats

The unsecured server exposed more than 1.5 million files, including airport worker ID photos and other PII, highlighting the ongoing cloud-security challenges worldwide.

A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector.

The exposed information, uncovered by Skyhigh Security, includes employee personal identification information (PII) and other sensitive company data affecting at least four airports in Colombia and Peru.

The PII ranged from photos of airline employees and national ID cards — which could present a serious threat if leveraged by terrorist groups or criminal organizations — to information about planes, fuel lines, and GPS map coordinates.

The bucket (now secured) contained information dating back to 2018, the report says, noting Android mobile apps also were contained within buckets, which security personnel tap to help with incident reporting and data handling.

"Airport security protects the lives of travelers and airport staff," the report explains. "As such, this breach is extremely dangerous with potentially devastating consequences should the bucket’s content end up in the wrong hands."  

As travel picks up dramatically following restrictions during the pandemic, Fortune Business Insights found that the global smart airport market size is set to be driven by the rising preference of the masses for air travel. The report also says that the expansion of commercial aviation is set to affect the market positively in the coming years, as airports increasingly turn to cloud service providers to house and process massive amounts of passenger and operational data.

Perhaps it's no wonder that travel-related organizations have been increasingly targeted of late. For instance, airlines have been the target of ransomware this year, including India's low-cost carrier SpiceJet, which weathered an attack in May that caused widespread flight delays. 

At the same time, multiple cybercrime groups have been spotted selling stolen credentials and other sensitive PII pilfered from travel-related websites and cloud databases, according to security firm Intel 471's tracking.

**Cloud Security Still Porous**

Back in 2019, Gartner stated that "90% of organizations that fail to control public cloud use will inappropriately share sensitive data." And that worry continues today: A recent IDC survey of CISOs in the US found that 80% of respondents are not able to identify excessive access to sensitive data in cloud production environments.

"Unfortunately, news headlines like these highlight examples of a data breach due to a simple, but harmful misconfiguration: an unsecured, exposed cloud storage service," according to Skyhigh's analysis. "Complexities around identity management, access permissions, secure configurations, data protection, and so much more, continuously result in poor cloud security hygiene and ultimately, data exposures."

And indeed, there has been no shortage of cloud security incidents recently — with misconfigurations leading the way. Cybercrime goals in subverting open databases can go beyond data pilfering, it should be noted, as shown by the recent discovery of Denonia, a Go-language-based cryptominer malware. It's designed to exploit AWS Lambda, the serverless function execution service.

Also, vulnerabilities in cloud products and services have become a growing concern for organizations, with a Linux container-escape flaw in Microsoft's Azure Service Fabric among the latest vulnerabilities disclosed.

The good news? One potential cloud security resource was recently established by security researchers at Wiz in the form of a community-based database — cloudvulndb.org — which currently lists some 70 cloud security issues and vulnerabilities.

**How to Protect Against Cloud Threats**

A recent survey of 500 security practitioners and 200 executives, conducted by cloud automation firm Lacework, indicated organizations must change the way they're securing cloud infrastructure and services.

Skyhigh’s report notes increasing read/write privileges are often the go-to for further strengthening cloud security. However, "in reality it will take far more than that; thanks to the extensive manners by which cloud storages can be accessed and misused," the report states.

So, other measures that the firm said should be implemented include: 

*   Enable automatic scanning for vulnerable storage across AWS S3 buckets and Azure Blobs.
*   Use continuous configuration audits for IaaS accounts and services to enforce consistent protection.
*   Enforce compliance checks against industry best practices to maintain secure postures.
*   Run data loss prevention and malware scans to detect violations in cloud-storage services and protect sensitive data from being exfiltrated.
*   Put measures in place to detect insider threats as well as threats from compromised accounts and privileged-access misuse.
*   And apply automatic remediation to take appropriate action against misconfigurations, vulnerabilities, and exposures.

Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: 'Lives at Stake'

In audio DSP, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06558844; Issue ID: ALPS06558844.

CVE-2022-21787: July 2022

The iTopVPNmini.exe component of iTop VPN 3.2 will try to connect to datastate_iTopVPN_Pipe_Server on a loop. An attacker that opened a named pipe with the same name can use it to gain the token of another user by listening for connections and abusing ImpersonateNamedPipeClient().

**Next Possible Facebook Development Focus- Voice-Based Browsing**

Facebook is still the leading social network on the planet. It is not resting on its laurels and be overtaken by the competition. It is actively seeking different ways to develop and improve its main product to continue leading the pack. One possible focus of development may possibly be voice-based browsing. If Facebook’s current actions \[…\]

Continue Reading...

**Yahoo Takes Top Spot Overtakes Google In US Traffic**

Struggling Web media company Yahoo has gone through many ups and downs during the previous years. One of the original brands still surviving since the early days of the World Wide Web, Yahoo has since fallen considerably from its top perch as one of the more popular websites that helped in making the Web what \[…\]

Continue Reading...

**Tablet Shipments Predicted To Outpace PCs by 2015**

Many experts have long predicted the gradual decline of desktop personal computers in terms of demand. The advances in mobile computing have greatly affected the market as an increasing number of people prefer using laptops, smartphones and tablets. As more and more choices for mobile devices become available, things are not boding well for the \[…\]

Continue Reading...

**Gartner Reports 102 Billion App Store Downloads for 2013**

The app market has become a very lucrative market now that smartphones have taken over. People now use their mobile phones for doing many things other than making phone calls. Thanks to apps, the smartphone has become a versatile product that further makes them more appealing. And because of this, app downloads have seen a \[…\]

Continue Reading...

**Toyota Announces Cars On Auto-Pilot In Five Years**

When you take out the new flashy designs and features of cars today, you will notice that nothing revolutionary have been introduced. What may be seen as innovative lately are the use of hybrid engines that combine gas and electric power to run cars and save up on fossil fuel. You can also add GPS \[…\]

Continue Reading...

**Intel Reports Solid 3rd Quarter Earnings But With Cautious 4th Quarter Outlook**

Computer chip maker Intel recently reported a solid third quarter with better than expected earnings. But outlook for the fourth quarter remains cautious as not all business groups within the company enjoyed earnings improvements. The company reported third quarter earnings of $ 3 billion from a revenue of $ 13.5 billion, just similar to the \[…\]

Continue Reading...

**BlackBerrys BBM App Gets 10 Million Downloads In A Day**

Beleaguered BlackBerrysmartphone maker Research In Motion may have found a way to stay afloat. The company has struggled in recent years due to tight competition from iOS and Android smartphones. Its latest BlackBerry Z10 smartphone had a lukewarm reception from consumers. Although the exact sales figures are not yet known, since the company has not \[…\]

Continue Reading...

**Smartphones Now Take Up 70 Percent Of Teen Market 79 Percent For Young Adults**

It seems that feature phones are now going the way of the pager, if it has not already yet. More and more people now think of mobile phones as more than just a device to use for calling or texting. The market is becoming saturated with smartphones that allow users to do more than just \[…\]

Continue Reading...

**Twitter Goes Public Now What**

The Twitter IPO has finally pushed through after months and months of speculation. The way it is going, analysts are saying that it is faring better than when social network Facebook’s IPO of last year. The social network experienced a sudden decline in its share price in the weeks following the IPO. It took about \[…\]

Continue Reading...

**Bitcoin Popularity A Currency Revolution**

Just a couple of years ago, most people in the financial sector may not have heard of Bitcoin, the digital currency that is currently becoming a rage. In a matter of months, this fledgling digital currency has received quite an amount of publicity that has driven its name at the forefront. Suddenly, this little-known digital \[…\]

Continue Reading...

**Recent Posts**

CVE-2022-24141: iTop- Technology News

By Deeba Ahmed
Those still using older versions of the Android operating system are at risk. Microsoft’s 365 Defender team has detected a…
This is a post from HackRead.com Read the original post: Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets

****Those still using older versions of the Android operating system are at risk.****

Microsoft’s 365 Defender team has detected a new and evolving Android malware that targets users’ crypto wallets to steal funds without raising suspicion. According to researchers; the malware hunts for devices still using older versions of Android OS.

Toll fraud falls into a billing fraud subcategory that automatically signs the user for a premium service without asking for user content. Since it is continuously evolving, researchers regard it as dangerous Android malware.

**A Novel Fraud**

The malware has a unique attack approach compared to other billing frauds such as call or SMS fraud. Where other types of scams utilize standard attack flow involving making calls or sending messages to premium numbers, toll fraud uses a complicated multi-step attack flow, which the malware developers are continually improving.

Furthermore, Microsoft explained that the malware targets “specific network operators” and performs its routines only if the device is subscribed to one of its approved network operators. And it uses cellular data for its malicious operations by default. In fact, it forces devices to connect to a mobile network even when a Wi-Fi connection is available.

**Attack Scenario**

According to the findings shared by Microsoft’s researchers, the evolving toll fraud scheme exploits the Wireless Application Protocol (WAP) billing mechanism to target Android users. For your information, applications use WAP to charge users for paid content via their mobile phone bills. But, the malware can easily enroll the user in premium services since it utilizes cellular networks to function.

The attack chain commences when the user disconnects from a Wi-Fi network and connects to a mobile network. The Android malware quickly launched the subscription page and automatically subscribed the user to the service.

Once this is done, the malware reads a one-time password (OTP), if any, and fills the required fields to finish the subscription process. The attackers then disguise this activity by disabling SMS notifications.

**Possible Dangers**

According to Microsoft’s blog post, Toll fraud poses numerous risks, including the unwanted increase in your monthly phone bill. Since the malware hides behind legitimate apps requiring a wide range of permissions, it becomes impossible to detect it. It hides behind apps requesting SMS permissions, personalization, editing access, and communication-related privileges. Such as wallpaper or lock screen apps, chat/messaging apps, fake antivirus, and cleaner and camera apps.

It must be noted that the malware targets phones running Android 9 or older versions. This means mobile phones using Android version 10 or higher are safe. Still, it is recommended to install antivirus apps for added protection and avoid installing apps from 3rd-party sources.

**More Android Malware News**

*   Play Store Apps Caught Spreading Android Malware to Millions
*   Watch out as new Android malware spreads through WhatsApp
*   Microsoft warns of new Android ransomware blackmailing victims
*   Web3 Backdoor Wallets Steals Seed Phrases from iOS/Android Phones
*   New Russian Android Malware Tracks GPS Location and Spies on Victims

Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets

The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.

A zero-day security vulnerability in Google Chrome for Android is being actively exploited in the wild, the Internet giant says.

The issue is a high-severity heap-buffer overflow bug (tracked as CVE-2022-2294) in WebRTC. WebRTC is an HTML5 specification that allows webpages to play real-time audio and video content inside the browser.

"Google is aware that an exploit for CVE-2022-2294 exists in the wild," the company said in its advisory on the issue.

As usual, Google is keeping the vulnerability's technical details close to the vest until a majority of users have updated their browsers, but heap-buffer overflows in general are memory issues that can lead to a range of bad outcomes if exploited. Possible outcomes include crashing the device, denial of service (DoS), remote code execution (RCE), and security-service bypasses.

Patrick Tiquet, vice president of security and architecture at Keeper Security, did some delving into the issue, and says that bug does indeed allow RCE.

"CVE-2022-2294 is a serious vulnerability that could lead to arbitrary remote code-execution by simply visiting a malicious website," he says. "This could enable an attacker to perform a variety of actions on a target system, such as install malware or steal information. Windows and Android Chrome users should ensure that they install the latest updates to protect themselves."  

To address the flaw, Google released Chrome 103 (103.0.5060.71) for Android on Monday – it said that the update would be rolling out on Google Play "over the next few days."

The update fixes two other security bugs as well: One is a high-severity type-confusion bug (CVE-2022-2295) in Google's V8 open source JavaScript engine, which earned a $7,500 bug bounty for reporters avaue and Buff3tts at S.S.L.; and the other is an unspecified fix that was discovered internally. Type-confusion issues can also lead to code execution, crashes, and logical efforts.

Tiquet adds, "Web browsers are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets - compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser."

**Fourth Exploited Chrome Zero-Day Bug in 2022**

The WebRTC flaw is the fourth zero-day in Chrome so far this year. Notably, in April Google disclosed a type-confusion vulnerability that is already being exploited in the wild (CVE-2022-1364), which affects the JavaScript and WebAssembly engine in the browser.

Another type-confusion problem in V8 (CVE-2022-1096) was patched in March; and the third was patched in February (CVE-2022-0609), after it was exploited by a North Korean-backed state advanced persistent threat, according to the Google Threat Analysis Group (TAG).

"With so many business and cloud applications depending on a web interface, browser vulnerabilities can be problematic," Mike Parkin, senior technical engineer at Vulcan Cyber, says. "Especially one as widely used as Chrome. It’s even worse when there are known exploits in the wild that leverage the vulnerability. Fortunately, Google has already developed patches for this vulnerability on both desktop and mobile platforms and will have them rolled out quickly."

Google Chrome WebRTC Zero-Day Faces Active Exploitation

The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.

The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.

While people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year.

Chrome 103 (103.0.5060.71) for Android and Version 103.0.5060.114 for Windows and Mac, outlined in separate blog posts published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the browser its real-time communications capability.

The vulnerability, tracked as CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1**,** is described as a buffer overflow, “where the buffer that can be overwritten is allocated in the heap portion of memory,” according to the vulnerability’s listing on the Common Weakness Enumeration (CWE) website.

As per usual, Google did not reveal specific details about the bug, as it generally waits until most have updated to the patched version of the affected product. Indeed, updating is strongly recommended, as exploits for the vulnerability already exist in the wild, Google said.

Moreover, with scant details revealed about the flaw—a habit of Google’s that many security researchers find frustrating—at this point an update is really only way to defend against attacks exploiting the flaw. Fortunately, Google Chrome updates are pushed out without user intervention, so most users will be protected once patches are available.

Buffer overflows generally lead to crashes or other attacks that make the affected program unavailable including putting the program into an infinite loop, according to the CWE listing.  Attackers can take advantage of the situation by using the crash to execute arbitrary code typically outside of the scope of the program’s security policy.

“Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code,” according to the listing. “Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory.”

****Other Fixes****

In addition to fixing the zero-day buffer overflow flaw, the Chrome releases also patch a type confusion flaw in the V8 JavaScript engine tracked as CVE-2022-2295 and reported June 16 by researchers “avaue” and “Buff3tts” at S.S.L., according to the post.

This is the third such flaw in the open-source engine used by Chrome and Chromium-based web browsers patched this year alone. In March a separate type-confusion issue in the V8 JavaScript engine tracked as CVE-2022-1096 and under active attack spurred a hasty patch  from Google.

Then in April, the company patched CVE-2022-1364, another type confusion flaw affecting Chrome’s use of V8 on which attackers already had pounced.

Another flaw patched in Monday’s Chrome update is a use-after-free flaw in Chrome OS Shell reported by Khalil Zhani on May 19 and tracked as CVE-2022-2296, according to Google. All of the flaws patched in this week’s update received a rating of high. The updates also includes several fixes from internal audits, fuzzing and other initiatives, Google said.

Prior to patching the Chrome V8 JavaScript engine flaws in March and April, Google in February already had patched a zero-day use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that was under active attack.

Google Patches Actively Exploited Chrome Bug

Google on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild.
The shortcoming, tracked as CVE-2022-2294, relates to a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native

Google on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild.

The shortcoming, tracked as **CVE-2022-2294**, relates to a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native apps.

Heap buffer overflows, also referred to as heap overrun or heap smashing, occur when data is overwritten in the heap area of the memory, leading to arbitrary code execution or a denial-of-service (DoS) condition.

"Heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code," MITRE explains. "When the consequence is arbitrary code execution, this can often be used to subvert any other security service."

Credited with discovering and reporting the flaw on July 1, 2022, is Jan Vojtesek from the Avast Threat Intelligence team. It's worth pointing out that the bug also impacts the Android version of Chrome.

As is usually the case with zero-day exploitation, details pertaining to the flaw as well as other specifics related to the campaign have been withheld to prevent further abuse in the wild and until a significant chunk of users are updated with a fix.

CVE-2022-2294 also marks the resolution of the fourth zero-day vulnerability in Chrome since the start of the year -

*   **CVE-2022-0609** - Use-after-free in Animation
*   **CVE-2022-1096** - Type confusion in V8
*   **CVE-2022-1364** - Type confusion in V8

Users are recommended to update to version 103.0.5060.114 for Windows, macOS, and Linux and 103.0.5060.71 for Android to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Update Google Chrome Browser to Patch New Zero-Day Exploit Detected in the Wild

To celebrate Independence Day we're drawing attention to five technologies that could improve life, liberty and the pursuit of happiness on the Internet. 
The post 5 pro-freedom technologies that could change the Internet appeared first on Malwarebytes Labs.

In the digital era, freedom is inextricably linked to privacy. After a good start, the Internet-enabled, technological revolution we are living through has hit some bumps in the road. We have already lost a lot of control over who and what has access to our data, and there are further threats to our freedom on the horizon.

It doesn’t have to be that way though, and it is not inevitable that the trend will continue. To celebrate Independence Day we want to draw your attention to five technologies that could improve life, liberty and the pursuit of happiness on the Internet.

The technologies are listed in a rough order of simplest, soonest, and most likely to happen, to most complex, furthest out, and least likely to happen.

**DNS encryption**

DNS encryption plugs a gap that makes it easy to track the websites you visit.

The domain name system (DNS) is a distributed address book that lists domain names and their corresponding IP addresses. When you visit a website, your browser sends a request to a DNS resolver, which responds with the IP address of the domain you’re visiting. The request is sent in plain text, which is the computer networking equivalent of yelling the names of all the websites you’re visiting out loud.

Anyone, or anything, on the same local network as you can see your DNS lookups, as can your ISP, which will happily sell your browsing history to the highest bidder. And any machine-in-the-middle (MitM) attackers between you and the DNS resolver—such as rogue Wi-Fi access points—can also silently change your plain text DNS requests and use them to direct you to malicious websites.

DNS encryption restores your privacy by making it impossible for anything other than the DNS resolver to read and respond to your queries. You still have to trust the resolver you send your requests to, but the eavesdroppers are out in the cold.

DNS encryption is new, and still relatively rare, but it is supported natively by modern versions of Windows, macOS, Android, and iOS, as well as a number of different DNS clients, proxies and applications, including the DNS Filtering module for the Malwarebytes Nebula platform. It’s ascendancy seems assured.

**Passwordless authentication**

Passwordless authentication could usher in a world where we no longer rely on passwords, and that could be an enormous, unabashed win for security and peace of mind. The trouble is, that has been true for a _very long time indeed_, and it hasn’t happened yet.

There is reason to hope that things are finally about change though.

Passwords are a great idea in theory that fail horribly in practice. Humans are poorly equipped to create and remember them, and demonstrably poor at building systems that handle them securely. And yet almost every Internet account requires one. The inevitable result is an epidemic of poor passwords and an entire criminal industry preying on them with relentless automated attacks.

For a long time, the successor to the password was widely presumed to be some form of biometric authentication—such as face or fingerprint recognition—but nobody could agree which one. With multiple novel, competing, costly, and incompatible alternatives, passwords remained the clear winner.

The solution to that gridlock was FIDO2.

FIDO2 is a specification that uses public key encryption for authentication. This allows users to log in to websites without sharing a secret that needs to be secured like a password. There is nothing for a programmer to secure, nothing for an attacker to guess, and nothing that can be stolen in a data breach.

The sensitive encrpytion work all happens on a device owned by the user, which can be a specialist hardware key, a phone, a laptop, or any other compatible device. FIDO2 doesn’t specify what the device is, or how it should be secured, only that a user must make a “gesture” to approve the authentication. This leaves device manufacturers free to use whatever “gesture” works best for them: PIN numbers, swipe patterns, and any and all forms of biometrics. The end result is a technology that allows you to log in to a website securely using Windows Hello, Apple’s Touch ID, and any number of other methods that exist now or could be created in the future.

Passwordless authentication is possible today but still extremely rare. However, it took a big step forward in May this year when Google, Microsoft, and Apple made simultaneous, coordinated pledges to increase their adoption of the FIDO2 standard.

**Onion networking**

Onion networking, the technology behind Tor and the “dark web”, has been around for twenty years, so it might seem an odd candidate for an emerging technology that could change everything—but what if that’s just because we’ve been thinking about it the wrong way?

Tor is a network of servers that allows software clients (like web browsers) and services (like websites) to communicate securely and anonymously. Although the software is extremely good at what it does, today it services a narrow niche of users who put privacy and security above all, and it has become strongly associated with ransomware, illegal drug markets, and other forms of unsavoury criminal activity.

According to security evangelist Alec Muffett, we are overlooking a very important aspect of this technology though. Muffett was previously a security engineer at Facebook, where he was responsible for putting the social network on Tor. Speaking to David Ruiz on a recent Malwarebytes Lock and Code podcast, he explained how he sees Tor as “a brand new networking stack for the Internet” that can “guarantee integrity, and privacy, and unblockability of communication.”

Every Tor address is also the cryptographic public key of the service you want to talk to. For example, the Facebook address is:

www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion

Having the public key act as the address provides cryptographic assurance that you are talking to the service you want to talk to, bypassing several layers of the OSI model, and cutting out fundamental Internet vulnerabilities, such as BGP hijacking.

We should stop thinking about Tor as just an anonymity tool, says Muffet. It should be attractive to anyone who cares about the integrity of their brand and what it has to say:

> If you are in the position of providing a forum, a messenger service, or news to a mass public … where your brand name is a really important part of your value proposition, then onion networking is for you, because you can make sure that no one can mess with your traffic.
> 
> Alec Muffet speaking to Lock and Code.

Although mainstream organizations like The New York Times, Pro Publica, Facebook, and Twitter have already embraced Tor, having a .onion site is still very much the exception. In all likelihood, it will take something quite dramatic to change that, but that doesn’t mean it can’t happen.

In 2013, Edward Snowden’s revelations about pervasive Internet surveillance triggered a huge gobal effort to make encrypted web traffic the norm, rather than the exception.

A similar stimulus today could tip onion networking from its niche into the mainstream.

**Cryptocurrencies**

People may be surprised to see cryptocurrencies appearing in our list. If cryptotrading sites are naming stadia and buying superbowl ads then cryptocurrencies are already mainstream and hardly a technology for the future, surely.

Its presence near the bottom of our list tells you that isn’t how we see it.

Cryptocurrencies face a number of cyclone-force headwinds, starting with the current, across-the-board, price crash. The market cap of the biggest currencies, Bitcoin and Ether, is shrinking fast, and some cryptocurrencies have already disappeared completely; the free flow of venture capital money is likely to dry up; there are issues with scalability, scams, rug pulls, thefts from exchanges, and environmental damage; and the pseudo-anonymity blockchains provide is challenged by our ever-improving capacity to identify patterns in payments.

More importantly, from the perspective of _life, liberty, and the pursuit of happiness_, almost nobody is using these currencies as actual currencies—nobody is paid in Bitcoin, and nobody is using Ether to buy groceries. Remember, Bitcoin was supposed to be a peer-to-peer electronic cash system not a vehicle for speculative trading.

So why is it on our list at all?

For all the reasons to dislike them or write them off, cryptocurrencies are hard to ignore. At its core, the original cryptocurrency, Bitcoin, was supposed to be a trustless, borderless payment system that was built on top of the Internet.

> What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.
> 
> “Satoshi Nakamoto”, from Bitcoin: A Peer-to-Peer Electronic Cash System

It was a vision of what freedom might look like in the digital age.

That desire for freedom propelled Bitcoin it in its early days, and the attractiveness of a private, peer-to-peer currency is undimmed, even if nobody has managed to actually build one that works yet.

The current crash will pass and the strongest ideas and technology will survive. We suspect that Satoshi’s original vision will be one of them, even if Bitcoin isn’t.

**Homomorphic encryption**

The cornerstone of digital privacy, security, and freedom is encryption, and the last item in our list is one of its holy grails: Encryption that never needs to be undone.

Encryption protects your data if your phone is stolen, and it makes your emails, credit card details, and WhatsApp messages tamper proof as they whizz around the Internet. And it’s what underpins all of the other things in our list.

And all of the examples above have something in common: They are either examples of encryption that’s used to protect data at rest, or data that’s in transit. Moving or storing data only gets you so far though, sooner or later it has to be used. It can’t be used unless it’s decrypted, and you need to trust whatever system has access to that decrypted data.

Homomorphic encryption algorithms allow mathematical operations to be performed on encrypted data, so that it doesn’t need to be decrypted at all, ever, even when it’s being used.

The result of performing a mathematical operation on the encrypted data is the same as if the data was decrypted, subject to a mathematical operation, and the answer encrypted.

This incredible act of needle threading needs to ensure that you can’t learn anything about the data from the ciphertext (the encrypted version of the data), and that you can’t learn anything at all about it by observing the mathematical operations performed on it.

If you had access to homomorphic encryption you wouldn’t have to trust anyone you share your data with, whether they are the vendors in your organization’s supply chain, or your favorite, data-hungry social network.

Almost unbelievably, homomorphic encryption algorithms already exist. The reason you don’t have access to their almost magical properties though is that they are prohibitively slow. It currently takes days for them to perform actions that we expect to take seconds.

Although slow, these algorithms are already millions of times quicker than they were just a few years ago. And while that rate of improvement will surely decelerate, the processing power of computers is still doubling every few years.

At some point in the not-too-distant future, when these two trends meet, it could change how we think about trust and freedom in the digital age completely.

5 pro-freedom technologies that could change the Internet

Plus: Indian hacker-for-hire groups, Chinese student espionage efforts, and more.

Your car is a data gold mine. Each trip you make produces a lot of data—from your location to your use of infotainment systems—and car manufacturers are getting better at using this information. One 2019 analysis found cars could generate up to 25 gigabytes of data per hour. As companies refine their ability to mine this data, your car could prove to be the next national security threat. This week, the Chinese town of Beidaihe banned Teslas from its streets as the country’s Communist party leaders gather in the area. One possible reason for the ban is that the cars could reveal sensitive details about China’s most senior figures.

Elsewhere, German mobile providers are testing “digital tokens” as a way to serve up personalized advertising on people’s phones. The trial of TrustPid by Vodafone and Deutsche Telekom generates pseudo-anonymous tokens based on people’s IP addresses and uses them to show personalized product recommendations. The move has been likened to “supercookies,” which have previously been used to track people without their permission. While Vodafone denies the system is akin to supercookies, privacy advocates say it is a step too far. “Companies that operate communication networks should neither track their customers nor should they help others to track them,” privacy researcher Wolfie Christl told WIRED.

In other stories this week, we’ve rounded up the critical updates from Android, Chrome, Microsoft, and others that emerged in June—you should make those updates now. We also looked at how the new ZuoRAT router malware has infected at least 80 targets worldwide. And we detailed how to use Microsoft Defender on all your Apple, Android, and Windows devices.

But that’s not all. We have a rundown of the week’s big security news that we haven’t been able to cover ourselves. Click on the headlines to read the full stories. And stay safe out there.

California’s gun database, dubbed the Firearms Dashboard Portal, was meant to improve transparency around the sale of weapons. Instead, when new data was added to it on June 27, the update proved to be a calamity. During the planned publication of new information, the California Department of Justice made a spreadsheet publicly accessible online and exposed more than 10 years of gun owner information. Included in the data breach were the names, dates of birth, genders, races, driver’s license numbers, addresses, and criminal histories of people who were granted or denied permits for concealed and carry weapons between 2011 and 2021. More than 40,000 CCW permits were issued in 2021; however, California’s justice department said financial information and Social Security numbers weren’t included in the data breach.

While the spreadsheet was online for under 24 hours, an initial investigation appears to indicate that the breach was more widespread than initially thought. In a press release issued on June 29, the Californian DOJ said other parts of its gun databases were also “impacted.” Information contained in the Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate, and Gun Violence Restraining Order dashboards may have been exposed in the breach, the department said, adding that it is investigating what information could have been revealed. Responding to the data breach, the Fresno County Sheriff’s Office said it was “worse than previously expected” and that some of the potentially impacted information “came as a surprise to us.”

Indian hacker-for-hire groups have been targeting lawyers and their clients across the globe for the better part of a decade, a Reuters investigation revealed this week. Hacking groups have used phishing attacks to gain access to confidential legal documents in more than 35 cases since 2013 and targeted at least 75 US and European companies, according to the report, which is partly based on a trove of 80,000 emails sent by Indian hackers over the past seven years. The investigation details how hack-for-hire groups operate and how private investigators take advantage of their ruthless nature. As Reuters published its investigation, Google’s Threat Analysis Group made public dozens of domains belonging to alleged hack-for-hire groups in India, Russia, and the United Arab Emirates.

Since 2009, the Chinese hacking group APT40 has targeted companies, government bodies, and universities around the world. APT40 has hit countries including the United States, United Kingdom, Germany, Cambodia, Malaysia, Norway, and more, according to security firm Mandiant. This week, a _Financial Times_ investigation found that Chinese university students have been tricked into working for a front company linked to APT40 and been involved in researching its hacking targets. The newspaper identified 140 potential translators who had applied to job ads at Hainan Xiandun, a company allegedly linked to APT40 and named in a US Department of Justice indictment in July 2021. Those applying for jobs at Hainan Xiandun were asked to translate sensitive US government documents and appear to have been “unwittingly drawn into a life of espionage,” according to the story.

In 2021, North Korean hackers stole around $400 million in crypto as part of the country’s efforts to evade international sanctions and bolster its nuclear weapons program. This week, investigators started linking the theft of around $100 million in cryptocurrency from Horizon Bridge, on June 23, to North Korean actors. Blockchain analysis firm Elliptic says it has uncovered “strong indications” that North Korea’s Lazarus Group may be linked to the Horizon Bridge hacking incident—and Ellipictic is not the only group to have made the connection. The attack is the latest in a string against blockchain bridges, which have become increasingly common targets in recent years. However, investigators say the ongoing crypto crash has wiped millions in value from North Korea’s crypto heists.

Tag

#android