A full 70 percent of applications being used today have at least one security flaw stemming from the use of an open-source library.
According to Veracode’s annual State of Software Security report, these open-source libraries – free, centralized code repositories that provide ready-made application “building blocks” for developers – are not only ubiquitous but also risky.
These libraries, like any other software, have bugs. The issue is that because of code re-use, a single bug in one library can affect hundreds of applications that depend on it.
“Prominent in almost every application today, open-source libraries allow developers to move faster by quickly adding basic functionality,” according to Veracode. “In fact, it would be nearly impossible to innovate with software without these libraries. However, lack of awareness about where and how open source libraries are being used and their risk factors is a problematic practice.”
A group of seven internet companies are vowing to stand up for the privacy of its users this week when the United States House of Representatives considers the USA FREEDOM Reauthorization Act of 2020.
Mozilla, Engine, Reddit, Reform Government Surveillance, Twitter, i2Coalition, and Patreon have asked four US legislators to explicitly prohibit the warrantless collection of internet search and browsing history.
"We hope legislators will amend the bill to limit government access to internet browsing and search history without a warrant," the Firefox-maker said in a blog post.
"Too much search and browsing history still is collected and stored around the Web. We believe this data deserves strong legal protections when the government seeks access to it, but in many cases that protection is uncertain."
In a letter [PDF] to the four House members, the group said privacy and security are essential to the economy, to businesses, and to the continued growth of the free and open internet.
"By clearly reaffirming these protections, Congress can help preserve user trust and facilitate the continued use of the internet as a powerful contributing force for our recovery," the group wrote.
The companies said search and browsing history can provide a detailed portrait of peoples' private lives, and it may reveal sensitive information such as medical conditions, religious beliefs, and personal relationships, and as such it should be protected by effective legal safeguards.
About Project and Classifications: We are a user rights initiative to rate and label website terms & privacy policies, from very good (Class A) to very bad.
Terms of service are often too long to read, but it's important to understand what's in them. Your rights online depend on them. We hope that our ratings can help you get informed about your rights.
Have you been to eBay lately? The auction site is a popular destination to buy new and used items. It may surprise you that eBay is running a local port scan when you access the site in a browser.
I verified the port scan on ebay.com and ebay.de using built-in developer tools of several web browsers. It is likely that other eBay sites will also run the port scan.
You can verify this easily. Use a browser such as Google Chrome, Firefox, Brave, Microsoft Edge or Vivaldi. Open a new tab and press F12 to open the browser's Developer Tools. Switch to the Network tab and load the eBay website from the address bar.
Wait for the page to load and look for entries whose Name column shows 127.0.0.1 (filtering the Network tab by WS shows only the WebSocket connections, which is what these are). These are the probes eBay runs against your own machine when you connect to the site.
Bleeping Computer created a handy table that lists the ports:
| Program | eBay Name | Port |
|---|---|---|
| Unknown | REF | 63333 |
| VNC | VNC | 5900 |
| VNC | VNC | 5901 |
| VNC | VNC | 5902 |
| VNC | VNC | 5903 |
| Remote Desktop Protocol | RDP | 3389 |
| Aeroadmin | ARO | 5950 |
| Ammyy Admin | AMY | 5931 |
| TeamViewer | TV0 | 5939 |
| TeamViewer | TV1 | 6039 |
| TeamViewer | TV2 | 5944 |
| TeamViewer | TV2 | 6040 |
| Anyplace Control | APC | 5279 |
| AnyDesk | ANY | 7070 |
Most of the ports are used by remote desktop applications such as VNC, TeamViewer, or Windows Remote Desktop. The eBay name is an abbreviation of the remote desktop software that normally listens on that port.
Nullsweep, the site that reported the issue first, discovered that the port scans were not run on Linux client systems.
It is unclear why eBay is running the port scans. The most likely explanation is fraud detection: a buyer whose machine has a remote desktop tool listening may be a victim whose computer has been taken over, with the attacker using the remote session to make purchases, run fake auctions, or otherwise abuse the account.
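How such a scan works from inside a page, as an added illustration (this is not eBay's check.js, whose code is not reproduced here): a script can only open a WebSocket to 127.0.0.1 and watch how, and how fast, the attempt fails. A closed port is refused by the operating system almost instantly, while a port with a non-WebSocket service behind it accepts the TCP connection first and fails or hangs later, which is enough to tell the two apart. The port table is the one above; the timing thresholds, the `fastFailMs` cutoff and the `StubWebSocket` used to run the code outside a browser are assumptions made for this example.

```javascript
// Added example, not eBay's code: localhost port probing from a web page via
// WebSocket connection timing. The port->program table is the one above; the
// thresholds and StubWebSocket are assumptions so the example runs offline.

const REMOTE_ACCESS_PORTS = {
  63333: 'Unknown (REF)',
  5900: 'VNC', 5901: 'VNC', 5902: 'VNC', 5903: 'VNC',
  3389: 'Remote Desktop Protocol',
  5950: 'Aeroadmin', 5931: 'Ammyy Admin',
  5939: 'TeamViewer', 6039: 'TeamViewer', 5944: 'TeamViewer', 6040: 'TeamViewer',
  5279: 'Anyplace Control', 7070: 'AnyDesk',
};

// Probe one port. The browser never tells the page *why* a WebSocket failed,
// but it does tell it *when*: a closed port is refused by the OS almost
// instantly (TCP RST), while an open port that does not speak WebSocket first
// accepts the TCP connection and only fails the HTTP upgrade later, or hangs
// until our own timeout. Resolves to 'open' or 'closed'.
function probePort(host, port, {
  WebSocketImpl = globalThis.WebSocket, // injected so this runs outside a browser
  fastFailMs = 50,                      // assumed cutoff; tune per environment
  timeoutMs = 1000,
  now = Date.now,
} = {}) {
  if (typeof WebSocketImpl !== 'function') {
    throw new TypeError('no WebSocket implementation available');
  }
  return new Promise((resolve) => {
    const start = now();
    let ws = null;
    let settled = false;
    const finish = (state) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      if (ws) try { ws.close(); } catch (_) { /* already closed */ }
      resolve(state);
    };
    // Hanging past the timeout means something accepted the connection.
    const timer = setTimeout(() => finish('open'), timeoutMs);
    try {
      ws = new WebSocketImpl(`ws://${host}:${port}/`);
    } catch (_) {
      finish('closed'); // e.g. the browser refused a blocked port outright
      return;
    }
    ws.onopen = () => finish('open');
    ws.onclose = () => finish(now() - start < fastFailMs ? 'closed' : 'open');
    ws.onerror = () => {}; // 'close' always follows 'error'; timing is read there
  });
}

// Probe every port in the table in parallel and return one record per port:
// { port, program, state }. This is the shape of result a page would send home.
async function scanLocalhost(ports = Object.keys(REMOTE_ACCESS_PORTS).map(Number), opts = {}) {
  const states = await Promise.all(ports.map((p) => probePort('127.0.0.1', p, opts)));
  return ports.map((port, i) => ({
    port,
    program: REMOTE_ACCESS_PORTS[port] || 'unknown',
    state: states[i],
  }));
}

// Constructed stand-in for the browser's WebSocket so the scan can be run
// offline: ports in OPEN accept, ports in HANG never answer, all others refuse.
class StubWebSocket {
  static OPEN = new Set([5900, 3389]);
  static HANG = new Set([7070]);
  constructor(url) {
    const port = Number(new URL(url).port);
    setTimeout(() => {
      if (StubWebSocket.HANG.has(port)) return;
      if (StubWebSocket.OPEN.has(port)) this.onopen && this.onopen();
      else this.onclose && this.onclose();
    }, 0);
  }
  close() {}
}

// In a real page, scanLocalhost() with no options uses the browser's own
// WebSocket; here the stub stands in so the example runs anywhere.
scanLocalhost(undefined, { WebSocketImpl: StubWebSocket, timeoutMs: 200 })
  .then((report) => report
    .filter((r) => r.state === 'open')
    .forEach((r) => console.log(`${r.port}/tcp open: ${r.program}`)));
```

Because the whole scan rides on the browser's WebSocket API, the two countermeasures described below work as expected: blocking the script means the probes never start, and disabling WebSockets makes every attempt fail the same way, so the page learns nothing. The Network tab check above shows exactly these ws://127.0.0.1:port entries.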
What you may do about it
If you don't want your systems to be port scanned by eBay whenever you connect to the site, you may be able to do something about it.
The eBay site loads the check.js script from the following URL currently:
- Block the check.js script in a content blocker.
- In some browsers, e.g. Firefox, disable Web Sockets.
The URL may change and it is different when you connect to localized eBay sites, e.g. eBay.de.
The other option, disabling WebSockets entirely, may break sites that rely on them. It is still possible in Firefox by setting the preference network.websocket.max-connections to 0 in about:config.
Trend Micro is on the defensive after it was accused of engineering its software to cheat Microsoft's QA testing, branding the allegation "misleading." Bill Demirkapi, an 18-year-old computer security student at the Rochester Institute of Technology in the US, told The Register on Tuesday he was researching methods for detecting rootkits when he came across Trend's Rootkit Buster for Windows PCs.
While reverse-engineering Trend's rootkit-hunting tool and its kernel-mode driver, which appears to be common among Trend products, Demirkapi found some shortcomings in the code, and publicly documented them. You need administrator access to exploit the holes he found, though that's beside the point: they are an easy way into the kernel for, ironically enough, rootkits and other malware that have gained admin access. "Most of the security concerns I have with Trend Micro's driver were shocking because most of them were not mistakes," said Demirkapi, who has presented at hacking super-conference DEF CON and is due to discuss Windows rootkits at Black Hat USA 2020.
Quote: "Picking the best VPN can be a tricky endeavor. There are hundreds of VPN services out there, all promising to keep you private. Some are more anonymous than others, however. To help you pick the best one for your needs, we asked dozens of VPNs what their logging policies are, how they handle torrent users, and what else they do to keep you anonymous. The VPN industry is booming and prospective users have hundreds of options to pick from. All claim to be the best, but some are more anonymous than others. The VPN review business is also flourishing. Just do a random search for “best VPN service” or “VPN review” and you’ll see dozens of sites filled with recommendations and preferred picks.
We don’t want to make any recommendations. When it comes to privacy and anonymity, an outsider can’t offer any guarantees. Vulnerabilities are always lurking around the corner and even with the most secure VPN, you still have to trust the VPN company with your data. Instead, we aim to provide an unranked overview of VPN providers, asking them questions we believe are important. Many of these questions relate to anonymity and security, and the various companies answer them in their own words. We hope that this helps users to make an informed choice. However, we stress that users themselves should always make sure that their VPN setup is secure, working correctly, and not leaking.
Source: Avast Launches All-new Mobile Browser With Complete Data Encryption
Avast Secure Browser for Android was developed following Avast’s 2019 acquisition of Tenta, a private browser backed by Blockchain pioneers ConsenSys, and has been built from the ground up by privacy and cybersecurity engineers focused on total encryption. At its core is strong encryption including AES-256, ChaCha 256-bit, and the latest TLS/SSL cryptographic protocols for the data transport layer. To ensure that user DNS requests are kept private and secure, Avast Secure Browser for Android supports multiple DNS options straight out of the box, such as DNS over TLS, DNSSEC and decentralized DNS support.
Source: Avast acquires Seattle startup Tenta, leading to release of new secure browser for Android
Avast’s new Android browser, which offers VPN, encryption and other privacy and security features [..]. Avast says an iOS version is also in the works, set for release later this year. The Avast browser comes in a free version, and a premium version with additional features for $12/year.
Revealing his identity for the first time, Thomas le Bonniec, a contractor employed to listen to and grade Siri recordings, has written to data protection regulators stating that Apple “keeps ignoring and violating fundamental rights and continues their massive collection of data.”
Describing his role in detail, he writes:
“I listened to hundreds of recordings every day, from various Apple devices (e.g. iPhones, Apple Watches, or iPads). These recordings were often taken outside of any activation of Siri, e.g. in the context of an actual intention from the user to activate it for a request. These processings were made without users being aware of it, and were gathered into datasets to correct the transcription of the recording made by the device.
"The recordings were not limited to the users of Apple devices, but also involved relatives, children, friends, colleagues, and whoever could be recorded by the device. The system recorded everything: names, addresses, messages, searches, arguments, background noises, films, and conversations. I heard people talking about their cancer, referring to dead relatives, religion, sexuality, pornography, politics, school, relationships, or drugs with no intention to activate Siri whatsoever."
While Le Bonniec rounds primarily on Apple, he is also highly critical of the lack of action taken against Apple and big tech companies in general, saying “I am extremely concerned that [they] are basically wiretapping entire populations”.
It is important to note that Apple’s so-called wiretapping is not an isolated case. Amazon, Google and Facebook have admitted to similar practices [..]
So we’re asking everyone who has not watched anything on Netflix for a year since they joined to confirm they want to keep their membership. And we’ll do the same for anyone who has stopped watching for more than two years. Members will start seeing these emails or in app notifications this week. If they don’t confirm that they want to keep subscribing, we’ll automatically cancel their subscription. If anyone changes their mind later, it’s really easy to restart Netflix. These inactive accounts represent less than half of one percent of our overall member base, only a few hundred thousand, and are already factored into our financial guidance.
Security experts believe the malware's operators are very likely to sell access to infected hosts to other hacker groups.
Security researchers say they've spotted a new version of the Sarwent malware that opens RDP (Remote Desktop Protocol) ports on infected computers so hackers could gain hands-on access to infected hosts.
Researchers from SentinelOne, who spotted this new version, believe the Sarwent operators are most likely preparing to sell access to these systems on the cybercrime underworld, a common method of monetizing RDP-capable hosts.
In a Seattle court, Judge John Coughenour determined that gathering evidence from a phone's lock screen constitutes a search, so doing so without first obtaining a warrant violates the Fourth Amendment, which prohibits unreasonable search and seizure.
Joseph Sam from Washington state was arrested in May 2019 and indicted on several charges related to robbery and assault. The suspect was in possession of a Motorola smartphone. According to Sam, one of the officers present at his arrest pressed the power button to bring up the phone's lock screen.