Google announced today that it is willing to dish out bug bounty cash rewards of up to $1.5 million if security researchers find and report bugs in the Android operating system that can also compromise its new Titan M security chip. From a report: Launched last year, the Titan M chip is currently part of Google Pixel 3 and Pixel 4 devices. It's a separate chip that's included in both phones and is dedicated solely to processing sensitive data and processes, like Verified Boot, on-device disk encryption, lock screen protections, secure transactions, and more. Google says that if researchers manage to find "a full chain remote code execution exploit with persistence" that also compromises data protected by Titan M, they are willing to pay up to $1 million to the bug hunter who finds it. If the exploit chain works against a preview version of the Android OS, the reward can go up to $1.5 million.

An anonymous reader quotes a report from the Associated Press: Uber will allow passengers and drivers in Brazil and Mexico to record audio of their rides as it attempts to improve its safety record and image, and eventually it hopes to launch the feature into other markets including the United States. The ride-hailing company plans to pilot the feature in cities in both countries in December, although it has no timeline for possible expansion in the US and other markets.

The feature will allow customers to opt into recording all or select trips. Recordings will be stored on the rider or driver's phone and encrypted to protect privacy, and users will not be able to listen to them. They can later share a recording with Uber, which will have an encryption key, if they want to report a problem. Whether the recording feature will deter violent behavior to help riders and drivers is unknown. But Uber stands to benefit because the recordings could help the company mitigate losses and rein in liability for incidents that flare up between drivers and passengers.

New submitter Shad0wz writes: Microsoft's Core Network team just announced they plan on supporting DoH in the Windows resolver. In the blog post, the company writes: Providing encrypted DNS support without breaking existing Windows device admin configuration won't be easy. However, at Microsoft we believe that "we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology." We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn't universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS. With the decision made to build support for encrypted DNS, the next step is to figure out what kind of DNS encryption Windows will support and how it will be configured. Here are our team's guiding principles on making those decisions:

Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user's browsing history. To Windows users, this means their experience will be made as private as possible by Windows out of the box. For Microsoft, this means we will look for opportunities to encrypt Windows DNS traffic without changing the configured DNS resolvers set by users and system administrators.
Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Many users are interested in controlling their privacy and go looking for privacy-centric settings such as app permissions to camera and location but may not be aware of or know about DNS settings or understand why they matter and may not look for them in the device settings.
Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. We must ensure we don't require specialized knowledge or effort on the part of Windows users to benefit from encrypted DNS. Enterprise policies and UI actions alike should be something you only have to do once rather than need to maintain.
Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Once Windows has been configured to use encrypted DNS, if it gets no other instructions from Windows users or administrators, it should assume falling back to unencrypted DNS is forbidden.

Google is announcing that today, a year and a half after it first unveiled RCS chat as Android's primary texting platform, it is actually making RCS chat Android's primary texting platform. That's because it is rolling out availability to any Android user in the US who wants to use it, starting today. From a report: RCS stands for "rich communication services," and it's the successor to SMS. Like other texting services, it supports read receipts, typing indicators, improved group chats, and high-quality images. Unlike several texting apps, like iMessage or Signal, it does not offer end-to-end encryption as an option. RCS is based on your phone number, so when you are texting with somebody who also has it, it should just turn on automatically in your chat. To get RCS, you simply need to use Android Messages as your default texting app on your Android phone. Many Android phones do that already by default, but Samsung users will need to head to the Google Play Store to download it and then switch to it as their default. Further reading: The Four Major Carriers Finally Agree To Replace SMS With a New RCS Standard.

Researchers at Intezer and IBM X-Force have detected an unconventional form of ransomware that's being deployed in targeted attacks against enterprise servers. They're calling it PureLocker because it's written in the PureBasic programming language. ZDNet reports: It's unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms. "Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer told ZDNet.

There's currently no figures on the number PureLocker victims, but Intezer and IBM X-Force have confirmed the ransomware campaign is active with the ransomware being offered to attackers 'as-a-service.' However, it's also believed than rather than being offered to anyone who wants it, the service is offered as a bespoke tool, only available to cyber criminal operations which can afford to pay a significant sum in the first place. The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services. These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates the PureLocker is designed for criminals who know what they're doing and know how to hit a large organization where it hurts.

An anonymous reader quotes a report from The New York Times: Last May, when Intel released a patch for a group of security vulnerabilities researchers had found in the company's computer processors, Intel implied that all the problems were solved. But that wasn't entirely true, according to Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018. The software patch meant to fix the processor problem addressed only some of the issues the researchers had found. It would be another six months before a second patch, publicly disclosed by the company on Tuesday, would fix all of the vulnerabilities Intel indicated were fixed in May, the researchers said in a recent interview.

The public message from Intel was "everything is fixed," said Cristiano Giuffrida, a professor of computer science at Vrije Universiteit Amsterdam and one of the researchers who reported the vulnerabilities. "And we knew that was not accurate." While many researchers give companies time to fix problems before the researchers disclose them publicly, the tech firms can be slow to patch the flaws and attempt to muzzle researchers who want to inform the public about the security issues. Researchers often agree to disclose vulnerabilities privately to tech companies and stay quiet about them until the company can release a patch. Typically, the researchers and companies coordinate on a public announcement of the fix. But the Dutch researchers say Intel has been abusing the process. Now the Dutch researchers claim Intel is doing the same thing again. They said the new patch issued on Tuesday still doesn't fix another flaw they provided Intel in May. The Intel flaws, like other high-profile vulnerabilities the computer security community has recently discovered in computer chips, allowed an attacker to extract passwords, encryption keys and other sensitive data from processors in desktop computers, laptops and cloud-computing servers. Intel says the patches "greatly reduce" the risk of attack, but don't completely fix everything the researchers submitted.

The company's spokeswoman Leigh Rosenwald said Intel was publishing a timeline with Tuesday's patch for the sake of transparency. "This is not something that is normal practice of ours, but we realized this is a complicated issue. We definitely want to be transparent about that," she said. "While we may not agree with some of the assertions made by the researchers, those disagreements aside, we value our relationship with them."

itwbennett writes: Security researcher Chris Kubecka has identified (and reported to Boeing and the Department of Homeland Security back in August) a number of security vulnerabilities in Boeing's networks, email system, and website. "[T]he company's failure to remedy the security failures she reported demonstrate either an unwillingness or inability to take responsibility for their information security," writes JM Porup for CSO online.

The vulnerabilities include a publicly exposed test developer network, a lack of encryption on the boeing.com website, failure to use DMARC for email security, and, perhaps most notably, an email server infected with malware.

For its part, Boeing says that the vulnerabilities Kubecka reported are "common IT vulnerabilities — the type of cyber-hygiene issues thousands of companies confront every day" and that the company has "no indication of a compromise in any aviation system or product that Boeing produces." What Porup's reporting and Kubecka's research clearly shows, however, is how poor information security practices can become aviation security risks.

Freshly Exhumed shares a report from Securelist: Platinum is one of the most technologically advanced APT actors with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (protection related, sound drivers software, DVD video creation tools).

The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software. One of the methods Titanium uses to infect its targets and spread is via a local intranet that has already been compromised with malware. Another is via an SFX archive containing a Windows task installation script. A third is shellcode that gets injected into the winlogon.exe process (it's still unknown how this happens).

An anonymous reader quotes a report from Ars Technica: Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome. The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies." DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.

"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote. This part of Erwin's letter referred to an Ars article in which we examined the ISPs' claims, which center largely around Google's plans for Chrome. The broadband industry claimed that Google plans to automatically switch Chrome users to its own DNS service, but that's not what Google says it is doing. Google's publicly announced plan is to "check if the user's current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider." If the user-selected DNS service is not on that list, Chrome would make no changes for that user.

An anonymous reader quotes a report from TechCrunch: An amateur radio rig exposed to the internet and discovered by a security researcher was collecting real-time medical data and health information broadcast by hospitals and ambulances across U.K. towns and cities. The rig, operated out of a house in North London, was picking up radio waves from over the air and translating them into readable text. The hobbyist's computer display was filling up with messages about real-time medical emergencies from across the region. For some reason, the hobbyist had set up an internet-connected webcam pointed at the display. But because there was no password on the webcam, anyone who knew where to look could also see what was on the rig's computer display.

Daley Borda, a security researcher and bug bounty hunter, stumbled upon the exposed webcam. The live stream was grainy, and the quality of the images so poor that it was just possible to make out the text on the display. "You can see details of calls coming in -- their name, address, and injury," he told TechCrunch. TechCrunch verified his findings. Messages spilling across the screen appeared to direct nearby ambulances where to go following calls to the 999 emergency services. One message said a 98-year-old man had fallen at his home address. A few moments later, another message said a 49-year-old male was complaining of chest pains at a nearby residence. One after the other, messages were flooding in, describing accidents, incidents and medical emergencies, often including their home addresses. "The hobbyist was picking up and decoding pager communications from a nearby regional National Health Service trust," adds TechCrunch. These devices remain a fixture in UK hospitals and "allow anyone to send messages to one or many pagers at once by calling a dedicated phone number, often manned by an operator, which are then broadcast as radio waves over the pager network."

While the NHS still uses about 130,000 pagers, according to the UK government, it's not clear how many trusts are exposing medical information -- if at all.

An anonymous reader quotes MediaPost: Faced with a new controversy related to online privacy, Comcast said this week that it doesn't draw on information about the sites broadband users visit for advertising or targeting. The company said Thursday that it deletes information every 24 hours about the domain names people navigate to online. "Millions of Comcast customers look up billions of addresses online every day," Chief Privacy Officer Christin McMeley wrote on the company's blog. "We've never used that data for any sort of marketing or advertising -- and we have never sold it to anyone."

The company's statement came one day after the publication Motherboard reported on Comcast's efforts to rally opposition on Capitol Hill to Google's plan to encrypt domain names... "While cloaked as enhancing user privacy, Google's DNS encryption will in fact vastly expand Google's control over and use of customer data, and will result in the complete commercialization of DNS data for Google's own ends," [Comcast's] presentation states. Google has said its plans were mischaracterized by broadband organizations, and that it has no intention of centralizing the web, or changing people's existing DNS providers to Google by default. "Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate," a company spokesperson said last month...

One day after Motherboard posted the material reportedly prepared by Comcast, the cable provider touted its privacy policies in a blog post. "Where you go on the Internet is your business, not ours," McMeley wrote. "As your Internet Service Provider, we do not track the websites you visit or apps you use through your broadband connection. Because we don't track that information, we don't use it to build a profile about you and we have never sold that information to anyone."

Several years ago, Comcast opposed Federal Communications Commission privacy regulations that would have required broadband providers to obtain consumers' opt-in consent before drawing on their web-browsing activity for advertising. The FCC passed those rules in 2016, but the regulations were revoked by Congress the following year.

An anonymous reader writes: Mozilla said today that "no money is being exchanged to route DNS requests to Cloudflare" as part of the DNS-over-HTTPS (DoH) feature that is currently being gradually enabled for Firefox users in the US. The browser maker has been coming under heavy criticism lately for its partnership with Cloudflare. Many detractors say that by using Cloudflare as the default DoH resolver for Firefox, Mozilla will help centralize a large chunk of DNS traffic on Cloudflare's service. Critics of this decision include regular users, but also ISP-backed lobby groups, according to a recent report citing leaked documents. But according to Mozilla, they're not getting paid for this, and are only doing it for Firefox user privacy.

An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers. ZDNet reports: On Monday, vpnMentor's cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group. Autoclerk is a reservations management system used by resorts to manage web bookings, revenue, loyalty programs, guest profiles, and payment processing.

In a report shared with ZDNet, the researchers said the open Elasticsearch database was discovered through vpnMentor's web mapping project. It was possible to access the database, given it had no encryption or security barriers whatsoever, and perform searches to examine the records contained within. The team says that "thousands" of individuals were impacted, although due to ethical reasons it was not possible to examine every record in the leaking database to come up with a specific number. Hundreds of thousands of booking reservations for guests were available to view and data including full names, dates of birth, home addresses, phone numbers, dates and travel costs, some check-in times and room numbers, and masked credit card details were also exposed. Some of the records were logs for U.S. Army generals visiting Russia and Israel, the report says. In total, the AWS-hosted database contained over 179GB of data.

Internet giant Comcast is lobbying U.S. lawmakers against plans to encrypt web traffic that would make it harder for internet service providers (ISPs) to determine your browsing history, Motherboard reported Wednesday, citing a lobbying presentation. From the report: The plan, which Google intends to implement soon, would enforce the encryption of DNS data made using Chrome, meaning the sites you visit. Privacy activists have praised Google's move. But ISPs are pushing back as part of a wider lobbying effort against encrypted DNS, according to the presentation. Technologists and activists say this encryption would make it harder for ISPs to leverage data for things such as targeted advertising, as well as block some forms of censorship by authoritarian regimes.

Mozilla, which makes Firefox, is also planning a version of this encryption. "The slides overall are extremely misleading and inaccurate, and frankly I would be somewhat embarrassed if my team had provided that slide deck to policy makers," Marshall Erwin, senior director of trust and safety at Mozilla, told Motherboard in a phone call after reviewing sections of the slide deck. "We are trying to essentially shift the power to collect and monetize peoples' data away from ISPs and providing users with control and a set of default protections," he added, regarding Mozilla's changes.

Google said on Wednesday that it had achieved a long-sought breakthrough called "quantum supremacy," which could allow new kinds of computers to do calculations at speeds that are inconceivable with today's technology. From a report: In a paper published in the science journal Nature, Google said its research lab in Santa Barbara, Calif., had reached a milestone that scientists had been working toward since the 1980s: Its quantum computer performed a task that isn't possible with current technology. In this case, a mathematical calculation that the largest supercomputers could not complete in under 10,000 years was done in 3 minutes 20 seconds, Google said in its paper. Scientists likened Google's announcement to the Wright brothers' first plane flight in 1903 -- proof that something is really possible even though it may be years before it can fulfill its potential. "The original Wright flyer was not a useful airplane," said Scott Aaronson, a computer scientist at the University of Texas at Austin who reviewed Google's paper before publication. "But it was designed to prove a point. And it proved the point."

A quantum machine, the result of more than a century's worth of research into a type of physics called quantum mechanics, operates in a completely different manner from regular computers. It relies on the mind-bending ways some objects act at the subatomic level or when exposed to extreme cold, like the metal chilled to nearly 460 degrees below zero inside Google's machine. One day, researchers believe, these devices could power advances in artificial intelligence or easily overwhelm the encryption that protects computers vital to national security. Because of that, the governments of the United States and China consider quantum computing a national security priority. Further reading: Interview of Google CEO Sundar Pichai, who explains why quantum computing could be as important for Google as AI.

A user writes: When it comes to using strong username and passwords for administrative purposes let alone customer facing portals, Equifax appears to have dropped the ball. Equifax used the word "admin" as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia. The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail. "Equifax employed the username 'admin' and the password 'admin' to protect a portal used to manage credit disputes, a password that 'is a surefire way to get hacked,'" the lawsuit reads. The lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website. When Equifax, one of the three largest consumer credit reporting agencies, did encrypt data, the lawsuit alleges, "it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data." The class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these don't come from wronged consumers, but rather shareholders that allege the company didn't adequately disclose risks or its security practices.

Edward Snowden: In the midst of the greatest computer security crisis in history, the US government, along with the governments of the UK and Australia, is attempting to undermine the only method that currently exists for reliably protecting the world's information: encryption. Should they succeed in their quest to undermine encryption, our public infrastructure and private lives will be rendered permanently unsafe. [...] Earlier this month the US, alongside the UK and Australia, called on Facebook to create a "backdoor," or fatal flaw, into its encrypted messaging apps, which would allow anyone with the key to that backdoor unlimited access to private communications. So far, Facebook has resisted this.

Donald Trump's attorney general, William Barr, who authorised one of the earliest mass surveillance programmes without reviewing whether it was legal, is now signalling an intention to halt -- or even roll back -- the progress of the last six years. WhatsApp, the messaging service owned by Facebook, already uses end-to-end encryption (E2EE): in March the company announced its intention to incorporate E2EE into its other messaging apps -- Facebook Messenger and Instagram -- as well. Now Barr is launching a public campaign to prevent Facebook from climbing this next rung on the ladder of digital security. This began with an open letter co-signed by Barr, UK home secretary Priti Patel, Australia's minister for home affairs and the US secretary of homeland security, demanding Facebook abandon its encryption proposals.

If Barr's campaign is successful, the communications of billions will remain frozen in a state of permanent insecurity: users will be vulnerable by design. And those communications will be vulnerable not only to investigators in the US, UK and Australia, but also to the intelligence agencies of China, Russia and Saudi Arabia -- not to mention hackers around the world. End-to-end encrypted communication systems are designed so that messages can be read only by the sender and their intended recipients, even if the encrypted -- meaning locked -- messages themselves are stored by an untrusted third party, for example, a social media company such as Facebook.

Security researchers believe the Chinese Communist Party's official "Study the Great Nation" app has a backdoor that could help monitor use and copy data from those who have it installed on their devices. The BBC reports: Released in February, Study the Great Nation has become the most downloaded free program in China, thanks to persuasive demands by Chinese authorities that citizens download and install it. The app pushes out official news and images and encourages people to earn points by reading articles, commenting on them and playing quizzes about China and its leader, Xi Jinping. Use of the app is mandatory among party officials and civil servants and it is tied to wages in some workplaces.

Starting this month, native journalists must pass a test on the life of President Xi, delivered via the app, in order to obtain a press card which enables them to do their jobs. On behalf of the Open Technology Fund, which campaigns on human rights issues, Germany cyber-security firm Cure 53 took apart the Android version of the app and said it found many undocumented and hidden features. In its lengthy report, Cure 53 said Study the Great Nation had "extensive logging" abilities and seemed to try to build up a list of the popular apps an individual had installed on their phone. It was "evident and undeniable that the examined application is capable of collecting and managing vast amounts of very specific data," said the report. The app also weakened encryption used to scramble data and messages, making it easy for a government to crack security. Adam Lynn, research director at the Open Technology Fund, told the Washington Post, which broke the story: "It's very, very uncommon for an application to require that level of access to the device, and there's no reason to have these privileges unless you're doing something you're not supposed to be."

The security company didn't find evidence that this high-level access was being used, but said it's not clear why an educational app would need such access to a phone.

Governments breaking encryption is bad, and "will get worse once breaking encryption means people can die," says one of the world's leading security experts. From a report: "Australia has some pretty draconian laws about forcing tech companies to break security," says cryptographer and computer security professional Bruce Schneier. He's referring to the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, which came into force in December. "I actually don't like that, because stuff that you do flows downhill to the US. So stop doing that," he told the Australian Cybersecurity Conference, or CyberCon, in Melbourne on Wednesday. Schneier's argument against breaking encrypted communications is simple. "You have to make a choice. Either everyone gets to spy, or no one gets to spy. You can't have 'We get to spy, you don't.' That's not the way the tech works," he said. "As this tech becomes more critical to life, we simply have to believe, accept, that securing it is more important than leaving it insecure so you can eavesdrop on the bad guys."

doconnor writes: On the Mozilla Thunderbird blog it was announced that for the future Thunderbird 78 release, planned for summer 2020, they will add built-in functionality for email encryption and digital signatures using the OpenPGP standard. This addresses a feature request opened on Bugzilla almost 20 years ago and has been one of the top voted bugs for most of that period.