December 19, 2019

Chrome 79 patched after Android WebView app chaos

By John E Dunn

Google has rushed out a fix for a bug in the Android version of Chrome that left some app users unable to access accounts or retrieve stored data.

The problem happened when users upgraded from version 78 to 79 last week, after which apps using a stripped-down browser component called WebView started throwing up issues.

For affected apps, this quickly turned into a big problem, with the Chromium bugs forum filling up with comments from numerous disgruntled developers.

Here’s a flavor. On December 13, one commenter wrote:

This is a major issue. We can see the old data is left in the filesystem, but it’s not “found” by Chrome 79 – which I consider even worse – for one, it breaks the apps as it’s not available.

And another on the same day:

We have verified that all our clients with Chrome/WebView updated to v79 have lost all their app data.

As its name suggests, WebView provides a way for app developers to integrate web pages or even applications inside Android apps using a cut-down browser that’s part of Chrome.

Used to display everything from login pages to terms and conditions documents, it’s useful because it avoids the need to visit the original web pages by launching a separate browser app.

Google has shifted WebView function into and out of Chrome more than once – Android versions 7, 8 and 9 use it, but from Android 10, it once again becomes a separate app.

Read more at https://nakedsecurity.sophos.com/2019/12/19/chrome-79-patched-after-android-webview-app-chaos/

Get in line! 38,000 students and staff forced to queue for new passwords

By Lisa Vaas

No, these students aren’t lining up to see Santa.

The University in Gießen, Germany had a security incident that required resetting the passwords of 38000 students.… twitter.com/i/web/status/1…



svbl (@svblxyz) December 17, 2019

They’re lining up for new passwords as the IT staff at their university – Justus Liebig University (JLU) in Gießen, a town north of Frankfurt, Germany – continue to mop up after a malware attack hit the school on Sunday, 8 December.

English version of #JLUoffline: https://t.co/YrpgnDW69F



Universität Gießen (@jlugiessen) December 09, 2019

In what has to be the most analog password-reset operation of modern times, 38,000 students and staff were told to grab their identity cards and join a queue so they can get a new password for their university email accounts. They have to pick up the passwords in person, JLU said on Wednesday, due to unspecified security reasons as well as the legal requirements of the German National Research and Education Network (DFN).

There is no alternative to this procedure. Collecting the password in person is a prerequisite for the ability of every JLU member to use e-mail at JLU in the near future. All previous e-mail passwords are thus invalid!

Following the attack, JLU staff took down the email server, the internet and internal networks, fearing that they’d been infected. Then, they reset all email account passwords, as a precautionary step – a move that affected all students and staff.

Read more at https://nakedsecurity.sophos.com/2019/12/19/get-in-line-38000-students-and-staff-forced-to-queue-for-new-passwords/

Proposed standard would make warrant canaries machine-readable

By Danny Bradbury

For years, organizations have been using a common tactic called the warrant canary to warn people that the government has secretly demanded access to their private information. Now, a proposed standard could make this tool easier to use.

When passed in 2001, the US Patriot Act enabled authorities to access personal information stored by a service provider about US citizens. It also let them issue gag orders that would prevent the organization from telling anyone about it. It meant that the government could access an individual’s private information without that person knowing.

Companies like ISPs and cloud service providers want their users to know whether the government is asking for this information. This is where the warrant canary comes in. First conceived by Steve Schear in 2002, shortly after the Patriot Act came into effect, a warrant canary is a way of warning people that the organization holding their data has received a subpoena.

Instead of telling people that it has been served with a subpoena, the organization stops telling them that it hasn’t. It displays a public statement online that it only changes if the authorities serve it with a warrant. As long as the statement stays unchanged, individuals know that their information is safe. When the statement changes or disappears, they can infer that all is not well without the organization explicitly saying so. Here’s an example of one.

A warrant canary can be as simple as a statement that the service provider has never received a warrant. The problem is that those statements aren’t standardized, which makes it difficult for people to interpret them. How can you be sure that a warrant canary means what you think it means? If it disappears, does that mean that the service provider received a warrant, or did someone just forget to include it somewhere? Does the canary’s death indicate a sinister problem, or did it just die of natural causes? This isn’t idle speculation – warrant canary changes like SpiderOak’s have confused users in the past.
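
The ambiguity described above, as a client could resolve it once the canary is machine-readable. This is an added example, not code from the article or the proposed standard: the JSON fields (`issued`, `expires`, `claims`) and the claim names are hypothetical, and the file is assumed to have been authenticated already (for example by a signature check).

```python
import json
from datetime import datetime, timezone

# Hypothetical canary format (NOT the proposed standard's schema): the
# provider lists each claim it still asserts and when the statement lapses.
SAMPLE = json.dumps({  # constructed sample
    "issued": "2019-12-01T00:00:00+00:00",
    "expires": "2020-01-01T00:00:00+00:00",
    "claims": ["no_warrants", "no_gag_orders", "no_subpoenas"],
})


def check_canary(previous_raw, current_raw, now):
    """Compare the latest canary with the last one seen and classify it."""
    if current_raw is None:
        # Canary is gone: a client cannot tell removal from an outage.
        return "MISSING"
    try:
        cur = json.loads(current_raw)
        expires = datetime.fromisoformat(cur["expires"])
        claims = set(cur["claims"])
    except (ValueError, KeyError, TypeError):
        return "MALFORMED"
    if now >= expires:
        # Not renewed on schedule: stale, whatever the claims say.
        return "EXPIRED"
    if previous_raw is not None:
        # A claim that was asserted before and is absent now is the signal.
        dropped = set(json.loads(previous_raw)["claims"]) - claims
        if dropped:
            return "CLAIMS_WITHDRAWN:" + ",".join(sorted(dropped))
    return "VALID"


if __name__ == "__main__":
    now = datetime(2019, 12, 19, tzinfo=timezone.utc)
    print(check_canary(None, SAMPLE, now))
```

An explicit expiry separates "nobody renewed it" from "a claim was deliberately dropped", which a free-text statement cannot do.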

Read more at https://nakedsecurity.sophos.com/2019/12/19/proposed-standard-would-make-warrant-canaries-machine-readable/

Instagram hides ‘false’ content, unless it’s from a politician

By Lisa Vaas

Facebook is expanding its efforts to muffle misinformation on Instagram, which it owns.

In 2018, two reports prepared for the Senate Intelligence Committee found that when it came to Russia’s misinformation campaign in the 2016 US presidential election, Instagram was where the real action was: researchers counted more Instagram reactions to fake news than on Facebook and Twitter combined.

Instagram launched a fact-checking program a few months after the reports came out…

…then said Yikes, this is a sticky wicket a month later. Some places don’t have fact-checkers, different places have different standards of what constitutes journalism, it takes a long time to verify content, and it’s hard to figure out how to treat opinion and satire, Facebook explained, saying that it’s working on improving machine learning to help.

Be that as it may, on Monday, Facebook announced that it’s taking Instagram’s limited, experimental fact-checking program worldwide, hooking up with fact-checking organizations around the globe so they can assess and rate misinformation on Instagram.

Instagram’s fact-checking program relies on 45 third-party organizations that review and label false information on the photo/video-sharing platform. From Monday’s post:

We want you to trust what you see on Instagram.

Read more at https://nakedsecurity.sophos.com/2019/12/19/instagram-hides-false-content-unless-its-from-a-politician/
