Chrome comes with changes in cache partition

Google has changed the way one of chrome’s core components works to add additional privacy protection to users. This Chrome browser component, known as http cache or shared cache, works by saving copies of resources loaded on a Web page, such as pictures, CSS files, and JavaScript files.

The idea is that chrome will load the same files from its internal cache when users visit the same site again or visit other sites that use the same files, rather than wasting time re-downloading each file.

This component exists not only within Chrome, but also within all web browsers from an early age, as a bandwidth-saving feature. In all browsers, the caching system usually works in the same way. Each picture, CSS, or JS file saved in the cache receives a storage key, which is usually the URL of the resource.

For example, the storage key for an image is the image URL itself: https://x.example/doge.png, and when a browser loads a new page, it searches for the key (URL) in its internal cache database and sees if a picture needs to be downloaded or loaded from the cache.

Online advertising and analytics companies have realized that this feature can also be abused to track users. Detect if a user has visited a particular website. Commercial competitors can detect a user’s browsing history by checking the cache for resources that might be a particular site or group of sites, and the cache can also be used to store cookie-like identifiers as a cross-site tracking mechanism.

Google has introduced a major change to the mechanism called “cache partitioning,” works by changing the way resources in the HTTP cache are stored based on two additional factors. From now on, the storage key for a resource will contain three items, not one.

Chrome effectively blocks all past attacks on its caching mechanism by adding additional key to the cache preload check, because most site components will only be able to access their own resources and not check for resources they have not created.

Google has been testing cache partitions since the Release of Chrome 77 in September 2019 and says the new system will have no impact on users or developers.

Cache partitions are currently only active in Chrome browsers, but can also be used by other browsers based on Chrome open source, all of which are most likely to deploy it in the coming months.

Fancy Bear 🐻 APT 28 Back to action

The Russian military intelligence hackers known as Fancy Bear or APT28 wreaked havoc on the 2016 election.Ever since, the cybersecurity community has been waiting for the day they would return to sow more chaos. Just in time for the 2020 election, that day has come. According to Microsoft, Fancy Bear has been ramping up its election-targeted attacks for the past full year.

Microsoft published a blog post revealing that it has seen Russia’s Fancy Bear hackers, which Microsoft calls Strontium, targeting more than 200 organizations since September 2019. The targets include many election-adjacent organizations, according to researchers at Microsoft’s Threat Intelligence Center.

“The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated,” Microsoft’s blog post reads. “Microsoft has been monitoring these attacks and notifying targeted customers for several months, but only recently reached a point in our investigation where we can attribute the activity to Strontium with high confidence.”

Microsoft’s blog post also details politically focused hacking campaigns by a Chinese group known as Zirconium or APT31, as well as an Iranian group known as Phosphorous or APT35. The Chinese campaign’s attacks have included 150 successful breaches of organizations in the last six months,

The Iranian campaign, according to Microsoft, has attempted to gain access to multiple accounts of people involved in the 2020 presidential election, as well as multiple members of Trump’s administration and campaign staff in May and June of this year. Those Trump-targeted intrusions were unsuccessful, Microsoft adds.

But it’s Russia’s latest attacks that are the most troubling, according to threat intelligence firm FireEye. That’s because, unlike Iran or China, the Russian military intelligence agency known as the GRU—and specifically the GRU team known as Fancy Bear, believed to be GRU Unit 26165—has a history of going beyond traditional spying to carry out political hack-and-leak operations

The new round of Fancy Bear hacking also shows that the group has evolved since 2016. While it’s still working to steal victims’ account credentials, it has moved on from the email-based spear-phishing attacks linking to fake login pages of the kind that tricked the earlier elections

Those two tactics “have likely allowed them to automate aspects of their operations,” which would let them scale up their targeting. Microsoft also notes that the hackers have evolved their attempts to avoid detection, rotating through more than a thousand IP addresses in their hacking spree, using the anonymity software Tor, and constantly jettisoning IP addresses and adding new ones.

But while the latest Microsoft findings name Russian, Chinese, and Iranian hackers in equal measure, FireEye director of intelligence warns that Americans shouldn’t fall into the trap of thinking those three potential wild cards carry equal risk for American democracy. “APT28 is the threat that really matters here,” Hultquist says. “They have the history, the motivation, and the means to actually interfere.”

Racoon Attack 🦝

A team of academics has disclosed today a theoretical attack on the TLS cryptographic protocol that can be used to decrypt the HTTPS connection between users and servers and read sensitive communications.

Named Raccoon, the attack has been described as “really hard to exploit” and its underlying conditions as “rare.”

The Raccoon attack is, at its base, a timing attack, where a malicious third-party measures the time needed to perform known cryptographic operations in order to determine parts of the algorithm.

The target is the Diffie-Hellman key exchange process, with the aim being to recover several bytes of information.

“In the end, this helps the attacker to construct a set of equations and use a solver for the Hidden Number Problem (HNP) to compute the original premaster secret established between the client and the server,” .

All servers that use the Diffie-Hellman key exchange in setting up TLS connections are vulnerable to attacks.

This is a server-side attack and cannot be performed on a client, such as browsers. The attack also needs to be executed for each client-server connection in part, and cannot be used to recover the server’s private key and decrypt all connections at once.

Servers that use the Diffie-Hellman key exchange and TLS 1.2 and below are considered vulnerable. DTLS is also impacted.

TLS 1.3 is considered safe.

“The vulnerability is really hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable,”.

“(The attacker) needs to be close to the target server to perform high precision timing measurements. He needs the victim connection to use DH(E) and the server to reuse ephemeral keys. And finally, the attacker needs to observe the original connection.

Attacker would need to do to break modern cryptographic primitives like AES, the attack does not look complex anymore.

“But still, a real-world attacker will probably use other attack vectors that are simpler and more reliable than this attack,”

While the attack has been deemed hard to exploit, some vendors have done their due diligence and released patches. Microsoft (CVE-2020-1596), Mozilla, OpenSSL (CVE-2020-1968), and F5 Networks (CVE-2020-5929) have released security updates to block Raccoon attacks.

Firefox adds drive by download protection

Mozilla will add a new security feature to Firefox in October that will make it harder for malicious web pages to initiate automatic downloads and plant malware-laced files on a user’s computer.

Called a drive-by download, this type of attack has been around for two decades and usually takes place when users visit a website that contains malicious code placed there by an attacker.

The role of the malicious code is to abuse legitimate features in browsers and web standards to initiate an automatic file download or download prompt, in the hopes of tricking the user into running a malicious file.

There are multiple forms of drive-by downloads, depending on the browser feature attackers decide to use.

Browsers like Chrome, Firefox, and Internet Explorer have, across the years, gradually deployed various forms of protections against automatic drive-by downloads, but 100% protection can’t be fully achieved because browser makers can’t fully block legitimate web features and also because of the shifting landscape of web attacks, with attackers always finding a new hole to poke at.

The latest round of protections that browser makers have decided to ship against drive-by downloads targets a technology called “sandboxed iframes,” which is often used to load ads and embeddable widgets (videos, music tracks, podcasts) on third-party sites.

The idea is that websites rarely initiate downloads via sandboxed iframes since most of these widgets are usually used to embed content.

Starting with Firefox 82, scheduled for release next month, in October 2020, Firefox will block all file downloads that originate from a sandboxed iframe.

The only situations were downloads will be honored is if the website owner or the web widget provider has an “allow-download” flag on the iframe; however, most don’t since this is a security risk and a reason why they use sandboxed iframes in the first, rather than classic iframes.

Browsers are complex piles of code, and this is a small update in the grand scheme of things, but this is usually how you build a secure product, reacting to threats as they come, and making tiny adjustments here and there, over time.