Apple Makes Another Acquisition: IT Startup Fleetsmith (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Apple has acquired device-management startup Fleetsmith. The technology and personnel that will join Apple as part of the acquisition could help Apple expand upon device enrollment and introduce better ways to set up new devices like iPads and Macs within organizations. Fleetsmith's proposition to customers (and Apple) seems perfectly tailored to our times: the company offers a way for organizations to equip remote workers' (or workers otherwise not located in the central office) devices and have those devices automatically registered and set up for enterprise use as soon as they're first turned on. After that, Fleetsmith automatically ensures devices get needed software updates. It also provides IT managers with a dashboard for managing the fleet.

If you've used Jamf, a more widespread competitor, you get the general idea. But Fleetsmith already had a special focus on Apple devices, it has an Apple-like design sensibility, and it was likely a much cheaper option for Apple than Jamf, to boot. Jamf appears to be on a different path, with a $3 billion IPO planned. Speaking of money, though, neither Apple nor Fleetsmith has revealed the purchase price. Fleetsmith did publish a blog post about the acquisition, though.

While the blog post notes that Fleetsmith will continue business as usual and serve both new and existing customers, Seth Goldin from Freethink Media claims that's not the full story. "Apple has completely eliminated core functionality from the app with absolutely no notice," says Goldin in a series of tweets, noting there are "hundreds of users" on the MacAdmins Slack workspace that are "totally outraged because Apple has pulled the rug out from under them."

Comcast Becomes the First ISP To Join Mozilla's TRR Program (neowin.net)

Comcast has joined Cloudflare and NextDNS in partnering with Mozilla's Trusted Recursive Resolver program, which aims to make DNS more trusted and secure. Neowin reports: Commenting on the move, Firefox CTO Eric Rescorla, said: "Comcast has moved quickly to adopt DNS encryption technology and we're excited to have them join the TRR program. Bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences. We hope this sets a precedent for further cooperation between browsers and ISPs."

With its TRR program, Mozilla said that encrypting DNS data with DoH is just the first step in securing DNS. It said that the second step requires companies handling the data to have appropriate rules in place for handling it. Mozilla believes these rules include limiting data collection and retention, ensuring transparency about any retained data, and limiting the use of the resolver to block access or modify content.

Ars Technica notes that joining Mozilla's program means that Comcast agreed that it won't "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser," along with other requirements.

When the change happens, it'll be automatic for users unless they've chosen a different DoH provider or disabled DoH altogether. Comcast told Ars yesterday that "Firefox users on Xfinity should automatically default to Xfinity resolvers under Mozilla's Trusted Recursive Resolver program, unless they have manually chosen a different resolver, or if DoH is disabled. The precise mechanism is still being tested and the companies plan to document it soon in an IETF [Internet Engineering Task Force] Draft."

Safari 14 Will Let You Log in To Websites With Your Face or Finger (cnet.com)

With Safari on iOS 14, MacOS Big Sur and iPadOS 14, you'll be able to log in to websites using Apple's Face ID and Touch ID biometric authentication. That's a powerful endorsement for technology called FIDO -- Fast Identity Online -- that's paving the way to a future without passwords. From a report: Apple disclosed the biometric authentication support in Safari on Wednesday at WWDC, its annual developers conference. "It's both much faster and more secure," Apple Safari programmer Jiewen Tan said during one of the WWDC video sessions Apple offered after the coronavirus pandemic pushed the conference online. The change is a big boost for browser technology called Web Authentication, aka WebAuthn, developed by the FIDO consortium allies. Apple's not the first supporter -- it's already in Mozilla Firefox, Google Chrome and Microsoft Edge, and works with Windows Hello facial recognition and Android fingerprint authentication.

The US-China Battle Over the Internet Goes Under the Sea (wired.com)

Last week, Washington strongly objected to a new project from Facebook and Google. It's too risky and offers "unprecedented opportunities" for Chinese government espionage, the Justice Department declared. The project, however, wasn't about online speech or contact tracing, but concerned an issue that would seem far less politically charged: building an undersea internet cable from the United States to Hong Kong. From a report: On June 17, Team Telecom -- the executive branch group charged with reviewing foreign telecoms for security risks (and recently in the news for escalating and apparently insufficient inspections) -- recommended the Federal Communications Commission stop the Hong Kong connection. It may seem odd for American officials to fret over undersea cable networks; rarely does your chosen crime show's protagonist kick a door in because someone is laying telecommunications fiber.

But geopolitical influence-projection on the internet isn't just about hacking other countries' intelligence databases. While not nearly as flashy, the development and maintenance of undersea cables, the landing points anchoring them above ground, and other physical internet infrastructure are a growing arm of cyber statecraft and source of security risk. This cable is just one element in a broader geopolitical contest. Facebook and Google joined the project, dubbed the Pacific Light Cable Network, back in 2016. Teaming up with New Jersey-based telecom TE SubCom and Pacific Light Data Communication Company, a Hong Kong subsidiary of the Chinese firm Dr. Peng Telecom & Media Group, the US giants jumped on a project already months underway: building a massive undersea internet cable -- the submarine-depth metal tubes hauling internet traffic from one land mass to another -- connecting the US, Hong Kong, Taiwan, and the Philippines.

To the US government, the Taiwan and Philippines part was up to scratch. Undersea cables have visible benefits, such as bolstering digital connections between regions and facilitating all forms of communication that follow. And for this 8,000-mile-long fiber-optic snake, connecting dispersed areas of the world was exactly the point. The stakeholders wrote as much in a December 2017 filing to the US government, noting this would be the first undersea cable moving internet traffic directly between Hong Kong and the United States, at speeds of 120 terabytes per second. But the government had security worries about the Chinese-owned Hong Kong subsidiary behind the effort, as well as the proposed line to Hong Kong itself. Google, Facebook, and their partners had already laid thousands of miles of cable and spent millions of dollars last August when word broke of the Justice Department's opposition to the project. Officials thought Beijing could physically access the cable for espionage -- in this case by capturing internet traffic.


Former Intel Engineer Claims Skylake QA Drove Apple Away (pcgamer.com)

UnknowingFool writes: A former Intel engineer has put forth information that the QA process around Skylake was so terrible that it may have finally driven Apple to use their own processors in upcoming Macs. Not to say that Apple would not have eventually made this move, but Francois Piednoel says Skylake was abnormally bad with Apple finding the largest amount of bugs inside the architecture rivaling Intel itself. That led Apple to reconsider staying on the architecture and hastening their plans to migrate to their own chips. "The quality assurance of Skylake was more than a problem," says Piednoel. "It was abnormally bad. We were getting way too much citing for little things inside Skylake. Basically our buddies at Apple became the number one filer of problems in the architecture. And that went really, really bad. When your customer starts finding almost as much bugs as you found yourself, you're not leading into the right place."

"For me this is the inflection point," added Piednoel. "This is where the Apple guys who were always contemplating to switch, they went and looked at it and said: 'Well, we've probably got to do it.' Basically the bad quality assurance of Skylake is responsible for them to actually go away from the platform."

Apple made the switch official at its developer conference on Monday, announcing that it will introduce Macs featuring Apple-designed, ARM-based processors later this year.

Safari 14 Removes Flash, Gets Support for Breach Alerts, HTTP/3, and WebP (zdnet.com)

Safari 14, scheduled to be released later this fall with iOS 14 and macOS 11, is a release that is packed chock-full with features. From a report: The biggest and most important of the new additions is support for WebExtensions, a technology for creating browser extensions. What this means for Safari users is that starting this fall, they'll see a huge influx of new Safari extensions as add-on developers are expected to port their existing Chrome and Firefox extensions to work on Apple's browser as well. Apple said that, for now, WebExtensions will only be available for Safari on macOS.

Safari 14 is also an end of an era, as this will be the first version of Safari that won't support Adobe Flash Player content. But while old stuff is being removed, new stuff is also being added. One of the new technologies added to Safari is support for HTTP/3, a new web standard that will make loading websites faster and safer. Another important addition in Safari is support for WebP, a lightweight image format that has been gaining widespread adoption across the internet. The format, created by Google, serves as an alternative to the older JPEG format, and Safari has been the last browser to add support for it. [...] But Safari hasn't been lagging behind other browsers just in terms of HTTP/3 and WebP support. Apple has also added support for another cool feature, namely breach alerts, already present in both Chrome and Firefox. Starting this fall, Apple says that Safari 14 will scan a user's locally-stored passwords and show a prompt if one or more of the user's credentials are present in publicly available lists of breached accounts.


Republicans Push Bill Requiring Tech Companies To Help Access Encrypted Data (cnet.com)

New submitter feross shares a report: A group of Senate Republicans is looking to force tech companies to comply with "lawful access" to encrypted information, potentially jeopardizing the technology's security features. On Tuesday, Republican lawmakers introduced the Lawful Access to Encrypted Data Act, which calls for an end to "warrant-proof" encryption that's disrupted criminal investigations. The bill was proposed by Sen. Lindsey Graham, chairman of the Senate Judiciary committee, along with Sens. Tom Cotton and Marsha Blackburn. If passed, the act would require tech companies to help investigators access encrypted data if that assistance would help carry out a warrant. Lawmakers and the US Justice Department have long battled with tech companies over encryption, which is used to encode data.

The Justice Department argues that encryption prevents investigators from getting necessary evidence from suspects' devices and has requested that tech giants provide "lawful access." That could come in many ways, such as providing a key to unlock encryption that's only available for police requests. The FBI made a similar request to Apple in 2016 when it wanted to get data from a dead terrorist's iPhone in a San Bernardino, California, shooting case. Giving access specifically to government agencies when requested is often referred to as an "encryption backdoor," something tech experts and privacy advocates have long argued endangers more people than it helps.


80,000 Printers Are Exposing Their IPP Port Online (zdnet.com)

An anonymous reader quotes a report from ZDNet: In a report published earlier this month, security researchers from the Shadowserver Foundation, a non-profit organization focused on improving cyber-security practices across the world, have published a warning about companies that are leaving printers exposed online. More specifically, Shadowserver experts scanned all the four billion routable IPv4 addresses for printers that are exposing their IPP port. IPP stands for "Internet Printing Protocol" and, as the name suggests, is a protocol that allows users to manage internet-connected printers and send printing jobs to printers hosted online. The difference between IPP and the multiple other printer management protocols is that IPP is a secure protocol that supports advanced features such as access control lists, authentication, and encrypted communications. However, this doesn't mean that device owners are making use of any of these features.

Shadowserver experts said they specifically scanned the internet for IPP-capable printers that were left exposed without being protected by a firewall and allowed attackers to query for local details via the "Get-Printer-Attributes" function. In total, experts said they usually found an average of around 80,000 printers exposing themselves online via the IPP port on a daily basis. The number is about an eighth of all IPP-capable printers currently connected online. A normal scan with the BinaryEdge search engine reveals a daily count of between 650,000 and 700,000 devices with their IPP port (TCP/631) reachable via the internet.

What are the issues with not securing the IPP port? Shadowserver experts say this port can be used for intelligence gathering, since many of the printers scanned returned additional info about themselves, such as printer names, locations, models, firmware, organization names, and even Wi-Fi network names.

"To configure IPP access control and IPP authentication features, users are advised to check their printers' manuals," adds ZDNet. "Most printers have an IPP configuration section in their administration panel from where users can enable authentication, encryption, and limit access to the device via access lists."

Microsoft Releases First Public Preview of its Defender Antivirus on Android (zdnet.com)

Starting today, customers of Microsoft's commercial antivirus product -- Defender Advanced Threat Protection (ATP) -- can install a first version of the product's Android port. From a report: The product, named "Microsoft Defender ATP for Android," was announced at the RSA security conference in February this year, and has reached a first public preview today. Companies that have contracted Microsoft Defender ATP protection have a new option in their dashboard where they can enable the feature and deploy an Android app to employees' devices.

This new Android app will work like a classic mobile antivirus product that can scan the phone for malicious apps and other malware, detect malicious and phishing sites while the user is browsing the web, and block users from accessing certain sites based on a predefined block-list. Microsoft says the Defender ATP for Android app also comes with hidden features, courtesy of its integration into the larger and more complex Defender ATP, Intune, and Configuration Manager platforms.


Stuck At Home, Scientists Discover 9 New Insect Species (wired.com)

An anonymous reader quotes a report from Wired: When the Natural History Museum of Los Angeles County shut down due to the pandemic in mid-March, Lisa Gonzalez headed home with the expectation that she would be back in a few weeks. But once it became clear that she wouldn't get back anytime soon, Gonzalez, the museum's assistant entomology collection manager, converted her home's craft room into a makeshift lab. Then she began sifting through thousands of insects the museum had previously collected via a citizen science project. [...] Using just her own microscope, Gonzalez identified dozens of insect species by looking at features like tiny hairs or the shape of a fly's wings. She also found some unusual insects that she turned over to her colleague, Brian Brown, the museum's curator of entomology. Using a larger Leica stereoscope that he hauled in from the office, as well as a smaller compound microscope he found on craigslist, Brown discovered nine species of small flies, all new to science. "It's always cool to find new things, and it is one of the great joys of this job," says Brown. "It's not just finding slightly different new things -- we find extravagantly different things all the time."

The insects, mostly small flies, wasps, and wasplike flies, had been collected through the BioSCAN project, which began in 2012 with insect traps set at 30 sites throughout Los Angeles, mostly in backyards or public spaces. The pair recruited volunteers who were then trained in how to use the "Malaise traps," which resemble two-person pup tents that force bugs to fly upward into collecting nets before the volunteers can put them into vials. The BioSCAN project started when Brown bet a museum trustee that he could find a new species of insect in her backyard in West LA. He did, and the project took off. In its first three years, Brown and the backyard collector discovered 30 new species of insects and published their results. The museum team found an additional 13 new species in the past two years, plus he and the staff have discovered nine more since the pandemic shutdown.

"The nine new species include phorid flies, some of which are known for their ability to run across surfaces and/or enter coffins to consume dead bodies," the report adds. "Brown and Gonzalez have also found botflies, parasites of rats and wasplike flies that have never been seen before in Southern California. They likely arrived from Central America, perhaps hitching a ride on a flowering plant or piece of food."

"With the help of tens of thousands of insects collected through the BioSCAN project, over the years Brown and Gonzalez have expanded the count of known insect species in the Los Angeles basin from 3,500 during the last census in 1993 to around 20,000 today."

'BlueLeaks' Exposes Files From Hundreds of Police Departments (krebsonsecurity.com)

New submitter bmimatt shares a report from Krebs On Security: Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed "BlueLeaks" and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals. The collection -- nearly 270 gigabytes in total -- is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data.

In a post on Twitter, DDoSecrets said the BlueLeaks archive indexes "ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources," and that "among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more." KrebsOnSecurity obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), which confirmed the validity of the leaked data. The NFCA alert noted that the dates of the files in the leak actually span nearly 24 years -- from August 1996 through June 19, 2020 -- and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files. The NFCA said it appears the data published by BlueLeaks was taken after a security breach at Netsential, a Houston-based web development firm.


Crooks Abuse Google Analytics To Conceal Theft of Payment Card Data (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Hackers are abusing Google Analytics so that they can more covertly siphon stolen credit card data out of infected ecommerce sites, researchers reported on Monday. Payment card skimming used to refer solely to the practice of infecting point-of-sale machines in brick-and-mortar stores. The malware would extract credit card numbers and other data. Attackers would then use or sell the stolen information so it could be used in payment card fraud. One challenge in pulling off the hack is bypassing website security policies or concealing the exfiltration of massive amounts of sensitive data from endpoint security applications installed on the infected network. Researchers from Kaspersky Lab on Monday said that they have recently observed about two dozen infected sites that found a novel way to achieve this. Instead of sending it to attacker-controlled servers, the attackers send it to Google Analytics accounts they control. Since the Google service is so widely used, ecommerce site security policies generally fully trust it to receive data.

"Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted by users," Kaspersky Lab researcher Victoria Vlasova wrote here. "Administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What's more, the attack can be implemented without downloading code from external sources." The researcher added: "To harvest data about visitors using Google Analytics, the site owner must configure the tracking parameters in their account on analytics.google.com, get the tracking ID (trackingId, a string like this: UA-XXXX-Y), and insert it into the web pages together with the tracking code (a special snippet of code). Several tracking codes can rub shoulders on one site, sending data about visitors to different Analytics accounts." The "UA-XXXX-Y" refers to the tracking ID that Google Analytics uses to tell one account from another. As demonstrated in the following screenshot, showing malicious code on an infected site, the IDs (underlined) can easily blend in with legitimate code.
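
A defender-side check for the technique described above, as an added example that is not from the Kaspersky report or Ars Technica: a Content-Security-Policy that trusts google-analytics.com cannot tell one Analytics account from another, so this script lists the CSP directives that trust that host and flags any tracking ID, in page source or in observed `collect` requests, that is not on the site's own allowlist. The CSP, markup, request URLs and IDs are constructed samples, and the function names are hypothetical.

```javascript
// Added example: audit Google Analytics tracking IDs against a site's allowlist.
// All sample data in this block is constructed for illustration.

const UA_ID = /\bUA-\d{4,10}-\d{1,4}\b/g; // the "UA-XXXX-Y" form quoted above

// Names of the CSP directives whose source list trusts a google-analytics.com host.
function directivesTrustingGA(cspHeader) {
  const hits = [];
  for (const part of cspHeader.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const trusts = sources.some((s) =>
      /(^|[./])google-analytics\.com(:\d+)?(\/|$)/i.test(s.replace(/^https?:\/\//i, '')));
    if (trusts) hits.push(name.toLowerCase());
  }
  return hits;
}

// Tracking IDs that appear literally in HTML or JavaScript source.
function idsInSource(source) {
  return [...new Set(source.match(UA_ID) || [])];
}

// Tracking IDs actually sent: the `tid` parameter of requests to the Analytics host,
// taken from a proxy log or HAR export.
function idsInRequests(urls) {
  const ids = new Set();
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch { continue; } // skip malformed log entries
    if (!/(^|\.)google-analytics\.com$/i.test(u.hostname)) continue;
    const tid = u.searchParams.get('tid');
    if (tid) ids.add(tid);
  }
  return [...ids];
}

// IDs seen in source or traffic that the site owner did not configure.
function auditTrackingIds({ source = '', requests = [], allowed }) {
  const ok = new Set(allowed);
  const seen = new Set([...idsInSource(source), ...idsInRequests(requests)]);
  return [...seen].filter((id) => !ok.has(id)).sort();
}

// Constructed sample: one legitimate ID, one extra ID in the markup,
// and one ID that only shows up in outbound traffic.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "img-src 'self' *.google-analytics.com; connect-src 'self'";
const SAMPLE_PAGE = `
<script>ga('create', 'UA-11111-1', 'auto'); ga('send', 'pageview');</script>
<script>ga('create', 'UA-22222-7', 'auto', 'stats');</script>`;
const SAMPLE_REQUESTS = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-11111-1&cid=555&t=pageview',
  'https://www.google-analytics.com/collect?v=1&tid=UA-33333-2&cid=555&t=event&ec=form',
  'https://cdn.example.test/app.js?tid=UA-99999-9', // not the Analytics host: ignored
];

console.log('CSP directives trusting Analytics:', directivesTrustingGA(SAMPLE_CSP));
console.log('Unexpected tracking IDs:', auditTrackingIds({
  source: SAMPLE_PAGE,
  requests: SAMPLE_REQUESTS,
  allowed: ['UA-11111-1'],
}));
```

Static scanning misses IDs that are assembled or encoded at run time, which is why the request log is checked as well.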


Encrypted Phone Network Says It's Shutting Down After Police Hack (vice.com)

Someone in control of an email address long associated with Encrochat, a company that sells custom encrypted phones often used by organized criminals, tells Motherboard the company is shutting down after a law enforcement hacking operation against its customers. From a report: The news comes as law enforcement agencies have arrested multiple criminal users of Encrochat across Europe in what appears to be a large scale, coordinated operation against the phone network and its users. "We have been forced to make the difficult decision to shut down our service and our business permanently," the person wrote in an email to Motherboard. "This [sic] following several attacks carried out by a foreign organization that seems to originate in the UK." The email address has been linked to Encrochat for years, but Motherboard could not confirm the identity of the person currently using the account. Motherboard also separately obtained screenshots of text messages sent over the past week of alleged Encrochat users discussing a wave of arrests associated with the Encrochat takeover. Encrochat is part of the encrypted phone industry, which sells devices that are pre-loaded with private messaging apps, sometimes have the GPS or camera functionality physically removed, and can be remotely wiped by the user.

Academics Studied DDoS Takedowns and Said They're Ineffective, Recommend Patching Vulnerable Servers (zdnet.com)

A team of Dutch and German academics has studied the aftermath of a major crackdown against DDoS providers and concluded that law enforcement takedowns are largely ineffective, recommending that authorities rather focus on patching the vulnerable systems that are abused for the DDoS attacks in the first place. From a report: The study, published last year on paper-hosting service arXiv, analyzed how the DDoS-for-hire market was impacted after US and European law enforcement shut down 15 major DDoS-for-hire (aka DDoS booter, DDoS stresser) services in December 2018. The research team said it analyzed DDoS attack traffic observed at the level of three different major networks -- a tier-1 internet service provider, a tier-2 internet service provider, and a major IXP (internet exchange point). "The takedown immediately reduced the DDoS amplification traffic to reflectors," the research team said. "However, it did not have any significant effect on DDoS traffic hitting victims or on the number of attacks observed." By reflectors, the research team is referring to vulnerable servers abused during a DDoS attack.

Chrome Might Not Eat All Your RAM After Adopting This Windows Feature (extremetech.com)

A new feature in Windows 10 might allow Google to streamline Chrome, and we know it works because Microsoft is already using it. From a report: According to Microsoft, its recent update implemented a new memory management feature in Edge known as SegmentHeap. In the latest version of Windows, developers can opt into SegmentHeap to lower the RAM usage of a program. Microsoft says it already added support to the new Edge browser, and it has seen a 27 percent drop in the browser's memory footprint.