Mar 15, 2024NewsroomBrowser Security / Phishing Attack

Google on Thursday announced an enhanced version of Safe Browsing to provide real-time, privacy-preserving URL protection and safeguard users from visiting potentially malicious sites.

“The Standard protection mode for Chrome on desktop and iOS will check sites against Google’s server-side list of known bad sites in real-time,” Google’s Jonathan Li and Jasika Bawa said.

“If we suspect a site poses a risk to you or your device, you’ll see a warning with more information. By checking sites in real time, we expect to block 25% more phishing attempts.”

Up until now, the Chrome browser used a locally-stored list of known unsafe sites that’s updated every 30 to 60 minutes, and then leveraging a hash-based approach to compare every site visited against the database.

Google first revealed its plans to switch to real-time server-side checks without sharing users’ browsing history with the company in September 2023.

The reason for the change, the search giant said, is motivated by the fact that the list of harmful websites is growing at a rapid pace and that 60% of the phishing domains exist for less than 10 minutes, making it difficult to block.

“Not all devices have the resources necessary to maintain this growing list, nor are they always able to receive and apply updates to the list at the frequency necessary to benefit from full protection,” it added.

Thus, with the new architecture, every time a user attempts to visit a website, the URL is checked against the browser’s global and local caches containing known safe URLs and the results of previous Safe Browsing checks in order to determine the site’s status.

Should the visited URL be absent from the caches, a real-time check is performed by obfuscating the URL into 32-byte full hashes, which are then truncated into 4-byte long hash prefixes, encrypted, and sent to a privacy server.

“The privacy server removes potential user identifiers and forwards the encrypted hash prefixes to the Safe Browsing server via a TLS connection that mixes requests with many other Chrome users,” Google explained.

The Safe Browsing server subsequently decrypts the hash prefixes and matches them against the server-side database to return full hashes of all unsafe URLs that match one of the hash prefixes sent by the browser.

Finally, on the client side, the full hashes are compared against the full hashes of the visited URL, and a warning message is displayed if a match is found.

Google also confirmed that the privacy server is nothing but an Oblivious HTTP (OHTTP) relay operated by Fastly that sits between Chrome and the Safe Browsing server to prevent the latter from access users’ IP addresses, thereby preventing it from correlating the URL checks with a user’s internet browsing history.

“Ultimately, Safe Browsing sees the hash prefixes of your URL but not your IP address, and the privacy server sees your IP address but not the hash prefixes,” the company emphasized. “No single party has access to both your identity and the hash prefixes. As such, your browsing activity remains private.”

Feb 21, 2024NewsroomSecure Communication / Anonymity

End-to-end encrypted (E2EE) messaging app Signal said it’s piloting a new feature that allows users to create unique usernames (not to be confused with profile names) and keep the phone numbers away from prying eyes.

“If you use Signal, your phone number will no longer be visible to everyone you chat with by default,” Signal’s Randall Sarafa said. “People who have your number saved in their phone’s contacts will still see your phone number since they already know it.”

Setting a new username requires account holders to provide two or more numbers at the end of it (e.g., axolotl.99) in an effort to keep them “egalitarian and minimize spoofing.” Usernames can be changed any number of times, but it’s worth noting that they are not logins or handles.

Put differently, a username is an anonymous way to initiate conversations on the chat platform without having to share phone numbers. The feature is opt-in, although Signal said it’s also taking steps to hide by default users’ phone numbers from others who do not have them saved in their phone’s contacts.

In addition, users can control who can find them by their numbers using another setting, restricting people from messaging them even if they are in possession of the phone numbers.

Both these options can be toggled via the following steps –

• Settings > Privacy > Phone Number > Who Can See My Number > Everybody / Nobody
• Settings > Privacy > Phone Number > Who Can Find Me By Number > Everybody / Nobody

“Your phone number will no longer be visible to people you chat with on Signal, unless they have it in their phone’s contacts,” Sarafa said. “You will also be able to configure a new privacy setting to limit who can find you by your phone number on Signal.”

Feb 12, 2024NewsroomOperating System / Technology

Microsoft said it’s introducing Sudo for Windows 11 as part of an early preview version to help users execute commands with administrator privileges.

“Sudo for Windows is a new way for users to run elevated commands directly from an unelevated console session,” Microsoft Product Manager Jordi Adoumie said.

“It is an ergonomic and familiar solution for users who want to elevate a command without having to first open a new elevated console.”

Sudo, short for superuser do, is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, usually a user with elevated permissions (e.g., administrator).

The feature is available for Windows 11 builds 26045 and later. It can be enabled by heading to Settings > System > For Developers, and setting “Enable sudo” to On.

Sudo for Windows comes with three options: run applications in a new elevated console window, run the elevated process in the current window but with the input stream (stdin) closed, and in inline mode.

“The inline configuration option runs the elevated process in the current window and the process is able to receive input from the current console session,” Redmond warns in its documentation.

“An unelevated process can send input to the elevated process within the same console windows or get information from the output in the current windows in this configuration.”

Microsoft said it’s also in the process of open-sourcing the project on GitHub, urging other users to contribute to the initiative as well as report issues and file feature requests.

Dec 16, 2023NewsroomCyber Security / Incident Response

China’s Ministry of Industry and Information Technology (MIIT) on Friday unveiled draft proposals detailing its plans to tackle data security events in the country using a color-coded system.

The effort is designed to “improve the comprehensive response capacity for data security incidents, to ensure timely and effective control, mitigation and elimination of hazards and losses caused by data security incidents, to protect the lawful rights and interests of individuals and organizations, and to safeguard national security and public interests,” the department said.

The 25-page document encompasses all incidents in which data has been illegally accessed, leaked, destroyed, or tampered with, categorizing them into four hierarchical tiers based on the scope and the degree of harm caused –

• Red: Level I (“especially significant”), which applies to widespread shutdowns, substantial loss of business processing capability, interruptions arising due to serious anomalies lasting more than 24 hours, occurrence of major radio interference for more than 24 hours, economic losses 1 billion yuan, or affects the personal information of over 100 million people or sensitive personal information of more than 10 million people

• Orange: Level II (“significant”), which applies to shutdowns and operational interruptions lasting more than 12 hours, occurrence of major radio interference for more than 12 hours,, economic losses between 100 million yuan and 1 billion yuan, or affects the personal information of over 10 million people or sensitive personal information of more than 1 million people

• Yellow: Level III (“large”), which applies to operational interruptions lasting more than eight hours, occurrence of major radio interference for more than eight hours, economic losses between 50 million yuan and 100 million yuan, or affects the personal information of over 1 million people or sensitive personal information of more than 100,000 people

• Blue: Level IV (“general”), which applies to minor events that cause operational interruptions lasting less than eight hours, economic losses of less than 50 million yuan, or affects the personal information of less than 1 million people or sensitive personal information of less than 100,000 people

The new rules also require affected companies to make an assessment to determine the severity of the incident, and if deemed serious, report it immediately to the local industry supervision department without omitting or concealing any facts, or providing any false information.

“If the local industry regulatory department initially determines that it is a particularly major or major data security incident, it should report it to the Mechanism Office in accordance with the requirements of ’10 minutes by phone and 30 minutes in writing’ after discovering the incident,” the draft rules state.

Based on the response level activated – Red or Orange – the Mechanism Office is expected to report the matter to the MIIT. The draft rules are open for public comments until January 15, 2024.

The development comes as videotelephony and enterprise communications company Zoom unveiled an open-source vulnerability impact scoring system (VISS) to “objectively capture the principal impact characteristics of software, hardware, and firmware vulnerabilities as they relate to the associated infrastructure, technology stack, and security of customer data.”