Security News

After delays to Chrome version 81 in March, and the scrapping of version 82 a month later, this week sees the early arrival of Chrome 83 with a longer list of new security features than originally planned. First, it's not turned on by default, and might not even be visible under Settings > Privacy and security > Advanced.

A new version of COMpfun remote access trojan has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe. In addition to functioning as a fully-featured RAT capable of capturing keystrokes, screenshots, and exfiltrating sensitive data, this new variant of COMpfun monitors for any removable USB devices plugged to the infected systems to spread further and receives commands from an attacker-controlled server in the form of HTTP status codes.

A new version of COMpfun remote access trojan has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe. In addition to functioning as a fully-featured RAT capable of capturing keystrokes, screenshots, and exfiltrating sensitive data, this new variant of COMpfun monitors for any removable USB devices plugged to the infected systems to spread further and receives commands from an attacker-controlled server in the form of HTTP status codes.

Microsoft has announced the first testable version of DNS-Over-HTTPS support, available for its Windows 10 operating system. Support for the DoH protocol, which Microsoft first announced in November, is available in the Windows 10 Insider Preview Build 19628.

Short-video biz Quibi, airline JetBlue, shopping site Wish, and several other companies leaked million of people's email addresses to ad-tracking and analytics firms through HTTP request headers, it is claimed. Netizens using web browsers that prioritize defenses against ad tracking, such as Brave, Firefox, and Safari, or who have installed suitable privacy extensions in other browsers, may have avoided having their email addresses spirited away.

CA domains, among other important internet functions, is rolling out a free Canada-wide DNS-over-HTTPS service to protect people's privacy. The Canadian Internet Registry Authority today said its new Canadian Shield service will allow people and businesses to encrypt their DNS queries in transit between their devices and CIRA's servers, providing an added layer of security at a time where millions in the country are transitioning to working from home mid-coronavirus pandemic.

Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing. There are some HTTPS security caveats worth mentioning, but before getting to them we'll start with the news that that Mozilla's Firefox will, from May's version 76, offer the option to browse in an HTTPS-only mode.

While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site's source code: "Http[.]ps". This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Ps domain is hosted in Russia, and sits on a server with one other malicious domain - autocapital[.

A vulnerability in Avast's anti-tracking solution could allow malicious actors to perform man-in-the-middle attacks on HTTPS traffic, a security researcher has discovered. The security flaw, which impacts both Avast and AVG AntiTrack, as they share underlying code, resides in the manner in which the software filters HTTPS traffic.

Compounding the issue is that certain operating systems and browsers use new encryption technologies - DNS over TLS and DNS over HTTPS - in the query response handshake with these unauthorized DNS services that make them harder to block. Today I'm going to talk about DNS over HTTPS misuse or abuse.