Is China Looking to Stockpile Zero-Days? New Vulnerability Disclosure Rules Could Create Closed Pipeline From Security Researchers to CCP


New vulnerability disclosure rules announced by the Chinese government have raised the prospect of “zero-day hoarding,” as anything discovered in the country must now be reported to the CCP and to no one else (in most cases). This includes a rule forbidding disclosures to the general public before a vendor has had a “reasonable chance” to patch the issue.

The new rules will, at the very least, threaten to disrupt working relationships between Chinese security researchers and “bug bounty” programs based in the West. The more worrisome possibility is that the Chinese government will collect and sit on zero-days, holding them in reserve for use by its state-backed hacking groups rather than disclosing them to software vendors and to the public so that appropriate safety measures can be taken.

Is the Chinese government planning to hoard zero-days?

All of this traces back to new vulnerability disclosure rules proposed by the Cyberspace Administration of China (CAC), which are slated to go into effect on September 1. The new rules make it illegal for anyone but the government to “publish or sell” vulnerabilities, require everyone in the country to report discovered vulnerabilities within two days, prohibit disclosures before a vendor has had a “reasonable chance” to patch the issue (with case-by-case exemptions potentially granted by the Ministry of Industry and Information Technology), and prohibit any type of vulnerability disclosure to “overseas organizations,” among other new requirements.

When researchers make a discovery, the new vulnerability disclosure process is rigid and requires them to go to the government first. Researchers themselves could face criminal penalties from the Ministry of Public Security should they step outside the bounds of the formal reporting process. Any new zero-day discovered must be reported to the MIIT within two days, and in most cases it will then be up to the agency to decide how and when the vendor is notified of the vulnerability. Naturally, the worry is that the government will simply keep many of these vulnerabilities quiet and keep them on hand for use by its own state-affiliated hackers. If the…


Google tightens Chrome Web Store security rules in the fight against malware – Computer


Google has introduced new rules for Chrome Web Store developers to combat spam and malware in the store. The stricter rules concern security and trust, and they are mainly intended to prevent users from being misled.

For example, multiple Chrome extensions may no longer be bundled into the same installation flow, and an extension may no longer be used to install other extensions or apps. This should prevent a second extension, installed alongside the first, from continuing to collect data in the background even after the user has uninstalled the original extension.

Developers will also no longer be allowed to publish multiple extensions that are very similar in terms of “functionality, content, and user experience,” the company said in an email to developers that was picked up by XDA Developers. Google now treats this as a form of spam; for example, developers can no longer publish many nearly identical extensions.

In addition, developers must be clear about the functionality an extension offers, and the listing should not bury that description in irrelevant text. The user experience should also match what users expect from the extension's listing in the store. It is likewise not allowed to require users to perform an action in order to unlock advertised functionality.

Finally, starting August 2, when the new rules take effect, developers will be required to enable two-step verification on their accounts. Without 2FA, developers will no longer be able to publish or update apps and extensions. Apps and extensions that violate the new rules will be removed from the store and disabled in Chrome.


Hackers are playing by new rules, and dealerships’ defenses aren’t ready

Auto dealers are getting better at protecting their computer networks from cyberattacks, an information technology consultant who works with dealerships told me last week.

They’re investing in phishing training, a process that tests whether employees click on suspicious emails and trains those who do on proper security practices. More are carrying cyber insurance. They’re talking to colleagues in industry peer groups about best practices.

And yet, said Erik Nachbahr, president of Helion Technologies, just as dealerships have improved their defenses against hackers, the hackers have started using a different playbook.

It used to be that cybercriminals would deploy automated programs that would lock up files once someone clicked a malicious link or attachment in an email, he said. Then antivirus software and firewalls got better at blocking them. So the hackers evolved. Now, Nachbahr says, when they gain access to the networks, they’re embedding themselves in the systems, figuring out how they’re designed and laying the foundation for an attack before they launch it.

Those attacks — often ransomware, in which hackers lock down a computer system and demand a ransom to release it — can be devastating, he said. Last month, for instance, Colonial Pipeline, which provides crucial energy supplies to the East Coast, went down for days after an attack; the CEO has said the organization paid a $4.4 million ransom. Municipal governments and public schools also have been targets.

So have dealerships. Nachbahr told me that among Helion’s 750 U.S. franchised dealership clients, “we see credible, critical-level threats a few times a week.”

“The attackers have identified industries where they’re not doing enough defense,” he said. “And dealers are one of those.”

New threat intelligence software can better detect hackers rooting around inside computer networks, he said. But it’s newer technology, and many dealerships aren’t yet using it.

Nachbahr says bringing awareness to the severity of cyberattacks and what’s at stake for dealers — including the possibility of having their operations shut down entirely — is his top priority.

“Dealers have always struggled with readiness when it comes to…


EU rules Apple’s a monopoly, Spotify and Facebook team up, ATT arrives – TechCrunch

Welcome back to This Week in Apps, the weekly TechCrunch series that recaps the latest in mobile OS news, mobile applications and the overall app economy.

The app industry is as hot as ever, with a record 218 billion downloads and $143 billion in global consumer spend in 2020.

Consumers last year also spent 3.5 trillion minutes using apps on Android devices alone. And in the U.S., app usage surged ahead of the time spent watching live TV. Currently, the average American watches 3.7 hours of live TV per day, but now spends four hours per day on their mobile devices.

Apps aren’t just a way to pass idle hours — they’re also a big business. In 2019, mobile-first companies had a combined $544 billion valuation, 6.5x higher than those without a mobile focus. In 2020, investors poured $73 billion in capital into mobile companies — a figure that’s up 27% year-over-year.

This week we’re looking at the launch of Apple’s ATT, the Facebook and Spotify team-up and the latest from the EU’s antitrust investigation against Apple.


Here Comes ATT

Apple’s public debut of App Tracking Transparency, or ATT, is the news of the week and possibly of the year. Through a small pop-up message asking users if the app can track them, Apple has disrupted a multibillion-dollar adtech industry, altered the course of tech giants like Facebook and drawn possible lawsuits and antitrust complaints, all in the name of protecting consumer privacy. Apple does believe in privacy and user control — you can tell that from the way the company has built its technology to do things like on-device processing or permissions toggles that let people decide what their apps can and cannot do.

But Apple will also benefit from this particular privacy reform, too. Its own first-party apps can collect data and share it with other first-party apps. That means what you do in apps like the App Store, Apple News, Stocks and others can be used to personalize Apple’s own ads. And the company is prepared to capitalize on this opportunity too, with the addition of a new ad slot on the App Store (in the Suggested…