Intel ships update for newest Spectre-affected chips


Intel has announced that the fix is out for its latest chips affected by Spectre, the memory-leakage flaw affecting practically all computing hardware. The patch is for the Skylake generation (late 2015) and newer, though most users will still have to wait for the code to be implemented by whoever manufactured their computer (specifically, their motherboard).

The various problems presented in January by security researchers have to be addressed by a mix of fixes at the application, OS, kernel and microarchitecture level. This patch is the latter, and it replaces an earlier one that was found to be unstable.

These aren’t superficial tweaks and they’re being made under pressure, so some hiccups are to be expected — but Intel is also a huge company that has had months of warning to get this right, so people may be frustrated by the less-than-optimal way the flaws have been addressed.

As before, there isn’t much you as a user can do except make sure that you are checking frequently to make sure your PC and applications are up to date — in addition, of course, to not running any strange code.

If you’re on an older chipset, like Sandy Bridge, you’ll have to wait a bit longer — your fix is still in beta. You don’t want to be their test machine.

Featured Image: Alice Bevan–McGregor/Flickr UNDER A CC BY 2.0 LICENSE

Senator calls on Tinder to fix a security flaw that lets randos snoop through your dates


Oregon Senator Ron Wyden is nervous about Tinder. He may not be swiping on the service this Valentine’s Day, but with a new letter demanding that Tinder resolve some security issues, Wyden is looking out for everyone who is.

Last month, a security report surfaced what it deemed “disturbing vulnerabilities” in the dating app. Wyden’s letter cites the research, demanding a fix for a security loophole that allows would-be attackers to view nearly everything about a user’s Tinder experience via an attack over unsecured wifi.

“Tinder can easily enhance privacy to its users by encrypting all data transmitted between its app and servers, and padding sensitive information to thwart snooping,” Wyden writes.

As the security firm Checkmarx explains:

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).”

The report notes that stolen credentials are unlikely, but the vulnerability is a recipe for blackmail. TechCrunch reached out to Tinder for comment on Sen. Wyden’s letter and its plans to fix its security concerns but the company has not responded.

“Americans expect their personal information to remain private online,” Wyden writes. “To that end, I urge Tinder to address these security lapses, and by doing so, to swipe right on user privacy and security.”

Facebook staff reportedly interviewed in Mueller investigation


At least one Facebook employee has been interviewed by special counsel Robert Mueller as part of his investigation into potential Russian interference with the 2016 election, reports Wired. But don’t put on your conspiracy hats just yet.

Wired’s source indicated that the Facebook staffer was associated with the Trump campaign, which could mean just about anything. For a major spender on social media, which that campaign certainly was, it is common for Facebook, Google, Twitter, and other properties selling ads to have a liaison with the client.

Since Facebook is also up to its eyes on Russia-related inquiries, it makes perfect sense that someone acting as go-between or advisor for the company and the campaign would be interviewed as a matter of course. Certainly no wrongdoing is implied.

The Facebook staffer would be the primary source for any information relating to Trump campaign spending, including whether or not there was any knowledge of or involvement in the Russian side of things — again, not to imply anything, just to say if there’s anything to know, that person would know it.

As Facebook was more strongly targeted by Russian bots and trolls during the election than its rivals, it makes sense that it would be pulled in like this, but don’t be surprised if others have a chance to chat with the special counsel’s team as well. I’ve asked Facebook for comment.

Featured Image: Alex Wong/Getty Images

Reddit adds 2-factor authentication for all


Reddit has finally joined other major web properties in adding two-factor authentication for all users. It’s been available for mods and some testers for a while, but this is the first time the vast multitudes of redditors will have access to it.

Turn it on and you’ll have to enter a six-digit code sent to your phone whenever you have a new login attempt. You’ll need Google Authenticator, Authy, or any TOTP-supporting auth app — texting codes is no longer recommended (and really, it was always a bad idea).

There’s not much to setting it up: go into the password/email area of the site’s preferences once you’ve logged in on a desktop browser. Enable two-factor authentication and follow the instructions.

Now, this may be a problem for power users, who might have trouble switching between the one they use for ordinary browsing and the one they use to post racist comments on every post they can, or the one they use to vehemently disagree with a headline without reading the article. But that’s the price of security.

Featured Image: REUTERS/Robert Galbraith

Thousands of major sites are taking silent anti-ad-blocking measures


It’s no secret that ad blockers are putting a dent in advertising-based business models on the web. This has produced a range of reactions, from relatively polite whitelisting asks (TechCrunch does this) to dynamic redeployment of ads to avoid blocking. A new study finds that nearly a third of the top 10,000 sites on the web are taking ad blocking countermeasures, many silent and highly sophisticated.

Seeing the uptick in anti-ad-blocking tech, University of Iowa and UC Riverside researchers decided to perform a closer scrutiny (PDF) of major sites than had previously been done. Earlier estimates, based largely on visible or obvious anti-ad-blocking means such as pop-ups or broken content, suggested that somewhere between 1 and 5 percent of popular sites were doing this — but the real number seems to be an order of magnitude higher.

The researchers visited thousands of sites multiple times, with and without ad-blocking software added to the browser. By comparing the final rendered code of the page for blocking browsers versus non-blocking browsers, they could see when pages changed content or noted the presence of a blocker, even if they didn’t notify the user.

As you can see above, 30.5 percent of the top 10,000 sites on the web as measured by Alexa are using some sort of ad-blocker detection, and 38.2 percent of the top 1,000. (Again, TechCrunch is among these, but to my knowledge we just ask visitors to whitelist the site.)

Our results show that anti-adblockers are much more pervasive than previously reported…our hypothesis is that a much larger fraction of websites than previously reported are “worried” about adblockers but many are not employing retaliatory actions against adblocking users yet.

It turns out that many ad providers are offering anti-blocking tech in the form of scripts that produce a variety of “bait” content that’s ad-like — for instance, images or elements named and tagged in such a way that they will trigger ad blockers, tipping the site off. The pattern of blocking, for instance not loading any divs marked “banner_ad” but loading images with “banner” in the description, further illuminates the type and depth of ad blocking being enforced by the browser.

Sites can simply record this for their own purposes (perhaps to gauge the necessity of responding) or redeploy ads in such a way that the detected ad blocker won’t catch.

In addition to detecting these new and increasingly common measures being taken by advertisers, the researchers suggest some ways that current ad blockers may be able to continue functioning as intended.

One way involves dynamically rewriting the JavaScript code that checks for a blocker, forcing it to think there is no blocker. However, this could break some sites that render as if there is no blocker when there actually is.

A second method identifies the “bait” content and fails to block it, making the site think there’s no blocker in the browser and therefore render ads as normal — except the real ads will be blocked.

That will, of course, provoke new and even more sophisticated measures by the advertisers, and so on. As the paper concludes:

To keep up the pressure on publishers and advertisers in the long term, we believe it is crucial that adblockers keep pace with anti-adblockers in the rapidly escalating technological arms race. Our work represents an important step in this direction.

The study has been submitted for consideration at the Network and Distributed Systems Security Symposium in February of 2018.

Featured Image: Bryce Durbin