New Chrome Feature Scans Password-Protected Files for Malicious Content

From thehackernews.com

Google said it’s adding new security warnings when downloading potentially suspicious and malicious files via its Chrome web browser.

“We have replaced our previous warning messages with more detailed ones that convey more nuance about the nature of the danger and can help users make more informed decisions,” Jasika Bawa, Lily Chen, and Daniel Rubery from the Chrome Security team said.

To that end, the search giant is introducing a two-tier download warning taxonomy based on verdicts provided by Google Safe Browsing: Suspicious files and Dangerous files.

Read more…

AI-Driven Continuous Monitoring: The Future of Third-Party Risk Management

From medium.com

In the modern interconnected business landscape, third-party vendors play a crucial role in boosting efficiency and fostering innovation. However, this reliance also exposes businesses to substantial risks that can compromise security and compliance. The rising number of incidents involving breaches of duty by third parties highlights the inadequacy of traditional periodic assessments in effectively managing these risks. The future of third-party risk management lies in harnessing the power of AI-driven continuous monitoring systems.

Read more…

On the security of Google Secrets

From cryptax.medium.com

Google Secrets Gradle plugin is “for providing your secrets securely to your Android project”. I would like to make it clear in this article that it does not make your secrets safe to reverse engineering and that they remain very easy to recover. The intent is only to deport the secrets in a file that you do not commit in your versioning system. If this is clear to you, skip to the last section “how can I keep my secrets confidential”.

The disclaimer on the Google Secrets GitHub page is explicit:

DISCLAIMER: This plugin is primarily for hiding your keys from version control. Since your key is part of the static binary, your API keys are still recoverable by decompiling an APK. So, securing your key using other measures like adding restrictions (if possible) are recommended.

However, titles such as “How to Hide API and Secret Keys in Android Studio”, or “Hide your API keys on Android” can mislead developers and make them think this is sort of a secure storage facility. Don’t misunderstand me: I am not saying those links are wrong/bad, just that someone who reads them quickly will probably think Google Secrets is more than it is really.

Testing Google Secrets

I tested Google Secrets in a simple Android application. The secrets are stored in an external file, e.g secrets.properties, which should not be committed to git. That’s the whole and unique purpose of Google Secrets. The filename is configurable in your module build gradle. Follow this link to setup your Android project, and this link for a working example.

Read more…

When spear phishing met mass phishing

From securelist.com

Attackers starting to use spear phishing tactics in bulk phishing campaigns

Introduction

Bulk phishing email campaigns tend to target large audiences. They use catch-all wordings and simplistic formatting, and typos are not uncommon. Targeted attacks take greater effort, with attackers sending personalized messages that include personal details and might look more like something you’d get from your employer or a customer. Adopting that approach on a larger scale is a pricey endeavor. Yet, certain elements of spear phishing recently started to be used in regular mass phishing campaigns. This story looks at some real-life examples that illustrate the trend.

Read more…

Microsoft 365, Office users hit by wave of ‘30088-27’ update errors

From bleepingcomputer.com

Over the last month, Microsoft 365 and Microsoft Office users have been experiencing “30088-27” errors when attempting to update the application.

Based on widespread user reports, the update problems plague Microsoft 365 users and those who use Click-To-Run (C2R) versions of Office 2016, 2019, and 2021.

“Something went wrong. We’re sorry, we ran into a problem while looking for updates. Please check your network connection and try again later,” the update errors read.

Some affected users report being told by Microsoft support that this issue also impacts the latest Office release, Version 2406 (Build 17726.20126).

A Microsoft community moderator advised those impacted to revert to the previous version and turn off automatic updates until the next Office release.

“Network reasons have been ruled out as possible causes. This problem has now become a hot topic in the community. In other threads, some users mentioned that this problem occurred after updating to Office version 17726.20126,” the Redmond agent told them.

“The problem is solved by disabling updates and rolling back the version of Office.”

Read more…

When scientific citations go rogue: Uncovering ‘sneaked references’

From theconversation.com

A researcher working alone – apart from the world and the rest of the wider scientific community – is a classic yet misguided image. Research is, in reality, built on continuous exchange within the scientific community: First you understand the work of others, and then you share your findings.

Reading and writing articles published in academic journals and presented at conferences is a central part of being a researcher. When researchers write a scholarly article, they must cite the work of peers to provide context, detail sources of inspiration and explain differences in approaches and results. A positive citation by other researchers is a key measure of visibility for a researcher’s own work.

But what happens when this citation system is manipulated? A recent Journal of the Association for Information Science and Technology article by our team of academic sleuths – which includes information scientists, a computer scientist and a mathematician – has revealed an insidious method to artificially inflate citation counts through metadata manipulations: sneaked references.

Read more…

EU ends Apple Pay antitrust probe with binding commitments to open up contactless payments

From techcrunch.com

The European Union has accepted commitments from Apple over how it operates Apple Pay to settle a long running competition investigation. Commission EVP Margrethe Vestager, who heads up the EU’s competition division, announced the development in a press conference Thursday.

Apple has until July 25 to implement changes that will allow developers of rival mobile wallets to offer contactless payment by the predominant technology used in the EU (NFC) — enabling them to offer their users “tap and go” payments, she said. They will also be able to access key iOS features, such as double click to launch their apps as well as Face ID, Touch ID and passcodes for authentication.

Apple will also let users set a third-party wallet app as their default, rather than its own Apple Wallet.

Read more…