Users in EU will have a choice

Google has just announced a change for users in Europe that will allow them to decide exactly how much data sharing is right for them. The new policy, which the company says is in response to the EU’s Digital Markets Act (DMA), allows users to opt out of data sharing for all, some or none of Google’s selected services. The services listed include YouTube, search, advertising services, Google Play, Chrome, Google Shopping and Google Maps. However, the policy is not airtight – Google will still share user information when necessary to perform a task (for example, when you pay for a purchase on Google Shopping using Google Pay), to comply with the law, to prevent fraud or to protect against abuse.

This is not the biggest change Google will have to make to comply with the DMA, which comes into effect on 6 March. The law also includes additional rules on interoperability and competition. For example, Google will no longer be able to treat its own search ranking services more favourably than those of other companies.

Not all Big Tech representatives agree with many of the changes introduced by the DMA. While Google has decided not to challenge its gatekeeper status, Apple, Meta and TikTok owner ByteDance are fighting in court.

The EU is not the only government to take issue with Google’s vast collection of user data. In the US, the Department of Justice has sued Google in what is believed to be the country’s biggest antitrust case since the government took on Microsoft in the 1990s. In one of its arguments, the Justice Department said that the sheer volume of user data that Google has collected over the years has led to the creation of a “data fortress” that helps the company remain the world’s leading search engine.

However, the new changes will result in compromises for some users. The company noted that if users unplug Search, YouTube and Chrome, personalised recommendations on YouTube will be disabled. If Search and Maps are unplugged, Google Maps will no longer be able to suggest locations (such as restaurants) based on previous activity. Google users will still have to choose between privacy and convenience, but at least in Europe they will be able to be more precise about where they draw the line.

Nextcloud wins the Acteurs du Libre European Award 2023

Nextcloud has won the European Award of the Acteurs du Libre contest! This is a huge recognition for the community, the Nextcloud team, and the visionary leaders behind the project.

What is the Acteurs du Libre contest?

The Acteurs du Libre contest is part of the Open Source Experience event, which celebrates the achievements of Free Software companies, entrepreneurs, projects and associations. The contest awards six prizes every year, each honoring a different aspect of FOSS development, management or implementation: the Committed Public Service Award, the European Award in collaboration with APELL, the Business Development Award, the Best Open Source Strategy Award, the Open and Ethical Digital Award, and the Jury’s Special Award.

Why did Nextcloud win the European Prize?

The European Prize, given in collaboration with APELL (European Free Software Professional Association), recognizes open source organizations based in Europe, but outside of France, that have successfully led the commercial development of an open source project. The evaluation of the proposals and the award ceremony is organized in collaboration with APELL. Nextcloud founder Frank Karlitschek was invited on stage to receive the prize and thank everyone who made this possible.

This is a fantastic achievement for the Nextcloud team and the community that supports Nextcloud.

Open Source Experience is a two-day event that brings together more than 6,000 open source enthusiasts, developers, decision-makers, and influencers from various sectors and industries. The event features an exhibition area where you can meet and interact with over 150 exhibitors. The event also offers a rich and diverse program of presentations, workshops, round tables, and keynotes covering a wide range of topics related to open source.

Source: https://nextcloud.com/blog/nextcloud-wins-the-acteurs-du-libre-european-award-2023/

Patch your confluence if it’s not done yet

https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.

The vulnerability has been assigned the maximum CVSS score (10/10) and allows an external attacker to create a Confluence administrator account from the Internet.

Doorbell

I have a few Blink cameras at home. And, to be honest, I’m really happy with how they are working. So when I was looking for a doorbell, one from Blink was the obvious choice for me.

A company I already know, an application I already have, integrated into my Home Assistant instance. Should be perfect.

Should be. After less than a month I’m sending it back. Blink uses a pair of lithium batteries. In all the other cameras they last a few months. In the doorbell the maximum is a week. It’s not a joke – one week. And this is with the maximum energy-saving options set. No motion detection. No recording when the system is armed. Nothing. Only recording when someone presses the button.

I already have an alternative: a Ring doorbell (2nd generation). It’s more expensive, but it works.

Ok. I had to install the application to set it up the first time, and to integrate it with my Amazon account. But after that I may not use it anymore, not if I want to use it as a doorbell only. And, to be honest, Ring has a better integration with Alexa.

So in the end, I have a few Blink outdoor cameras, but a Ring doorbell 😂

Critical vulnerability in Fortinet products

https://www.fortiguard.com/psirt/FG-IR-22-300

Summary

An external control of file name or path vulnerability [CWE-73] in the FortiNAC web server may allow an unauthenticated attacker to perform an arbitrary write on the system.

Affected Products

FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions

Critical vulnerability in Fortinet products

https://www.fortiguard.com/psirt/FG-IR-22-398

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Affected Products

FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14

Bring your own key

What is bring your own key (BYOK)?

Bring your own key (BYOK) is an innovative concept that allows public cloud users to keep control of the cryptographic keys used in the cloud to secure their data. With the rapid growth of public cloud services, BYOK is now supported by all major cloud services. BYOK enables public cloud users to generate their own high-quality master key locally and securely transmit the key to a cloud service provider (CSP) to protect data in multi-cloud environments. To generate and manage high-quality keys, BYOK uses FIPS- and Common Criteria-certified Hardware Security Modules (HSMs) that the cloud user operates locally or leases as a service.

BYOK enables organizations that migrate to the cloud to achieve:

  • Flexibility, convenience and cost effectiveness
  • Strong control of sensitive data and applications
  • Full visibility into the use of keys in the cloud
  • The highest level of data security, integrity and trust

What is the role of BYOK?

BYOK provides users of public cloud services with the ability to generate cryptographic keys in their own environment and maintain control of these keys, while making them available for use in the cloud of their choice when needed.

How does BYOK work?

CSPs protect their customers’ data in the cloud with robust encryption. The cryptographic key that encrypts the data (the tenant key) forms the basis of cloud storage security. A master key that the cloud user generates through BYOK essentially creates a closed box that protects the tenant keys in the CSP’s data centers. This gives the cloud user control over the tenant key, ensures it is used only for authorized purposes, and ultimately protects the security of the data in the cloud.

What are some examples of CSPs supporting BYOK?

Leading CSPs that support BYOK include Amazon Web Services (AWS), Google Compute Engine, Microsoft Azure, and Salesforce.

How is BYOK different from Hold Your Own Key (HYOK)?

Hold Your Own Key (HYOK) is an option offered by Microsoft to manage the most confidential data of cloud users within their own security perimeter. Microsoft is replacing HYOK with Double Key Encryption (DKE), which enables cloud users to take advantage of hybrid environments with additional levels of protection, control and confidence.

Why do we need a BYOK?

The security of your encrypted data is only as good as the protection of the encryption keys. BYOK gives cloud users the control and confidence they need, whether they deploy a single cloud provider, a hybrid or a multi-cloud strategy. BYOK and the use of HSMs allow cloud users to avoid vendor lock-in, which can make it difficult to migrate from one CSP to another. HSMs are specifically designed to prevent an attacker from extracting critical cryptographic keys by holding them in tamper-proof hardware rather than in software.
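The "closed box" described under "How does BYOK work?" and the control argument in this section, as an added example that is not part of the original post or any provider's API: the customer generates a master key locally (os.urandom stands in for the HSM), wraps it with the CSP's import public key (RSA-OAEP), and the CSP uses it only as a key-encryption key for per-tenant data keys; deleting the imported key material makes the stored data unreadable. It assumes the `cryptography` package and a locally generated RSA import key.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap

# RSA-OAEP for transporting the master key to the CSP (assumed parameters for this model).
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


class CloudProvider:  # CSP side: holds the imported master key only as a KEK for tenant keys
    def __init__(self):
        self._import_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self._master_keys = {}  # key_id -> customer master key; never returned to callers

    def import_public_key(self):
        return self._import_key.public_key()

    def import_key_material(self, key_id, wrapped_master):
        self._master_keys[key_id] = self._import_key.decrypt(wrapped_master, OAEP)

    def generate_tenant_key(self, key_id):
        # Envelope encryption: the tenant (data) key only ever leaves wrapped under the master key.
        return aes_key_wrap(self._master_keys[key_id], AESGCM.generate_key(bit_length=256))

    def encrypt(self, key_id, wrapped_tenant_key, plaintext):
        tenant_key = aes_key_unwrap(self._master_keys[key_id], wrapped_tenant_key)
        nonce = os.urandom(12)
        return nonce + AESGCM(tenant_key).encrypt(nonce, plaintext, None)

    def decrypt(self, key_id, wrapped_tenant_key, blob):
        if key_id not in self._master_keys:
            raise PermissionError("master key deleted: tenant key cannot be unwrapped")
        tenant_key = aes_key_unwrap(self._master_keys[key_id], wrapped_tenant_key)
        return AESGCM(tenant_key).decrypt(blob[:12], blob[12:], None)

    def delete_key_material(self, key_id):
        self._master_keys.pop(key_id, None)  # customer-driven revocation shuts the "closed box"


def byok_round_trip(plaintext=b"constructed sample record"):  # customer side of the flow
    csp = CloudProvider()
    master_key = os.urandom(32)  # stands in for a key generated inside the customer's own HSM
    csp.import_key_material("tenant-a", csp.import_public_key().encrypt(master_key, OAEP))
    wrapped_tenant_key = csp.generate_tenant_key("tenant-a")
    blob = csp.encrypt("tenant-a", wrapped_tenant_key, plaintext)
    recovered = csp.decrypt("tenant-a", wrapped_tenant_key, blob)
    csp.delete_key_material("tenant-a")  # revoke: the CSP can no longer decrypt the data
    try:
        csp.decrypt("tenant-a", wrapped_tenant_key, blob)
        return recovered, False
    except PermissionError:
        return recovered, True
```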

Confluence Security Advisory 2022-06-02

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Confluence Server and Data Center – CVE-2022-26134 – Critical severity unauthenticated remote code execution vulnerability

Atlassian has published a notification about a critical vulnerability affecting all on-premises instances of Confluence (Server and Data Center): an unauthenticated remote code execution vulnerability in Confluence Server and Data Center.

What You Need to Do

There are currently no fixed versions of Confluence Server and Data Center available. In the interim, customers should work with their security team to consider the best course of action. Options to consider include:

  • Restricting access to Confluence Server and Data Center instances from the internet.
  • Disabling Confluence Server and Data Center instances.

If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule that blocks URLs containing ${ may reduce your risk.
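A defender-side check for the same indicator the interim WAF rule uses, as an added example that is not part of Atlassian's advisory: it scans access-log lines for request URLs containing ${, percent-decoding the path first so an encoded form is matched as the rule intends. The log lines are constructed for the example.

```python
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (not from any real Confluence instance).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [02/Jun/2022:10:01:12 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Jun/2022:10:01:30 +0000] "GET /%24%7Bsample%7D/ HTTP/1.1" 302 0',
    '10.0.0.7 - - [02/Jun/2022:10:02:01 +0000] "GET /login.action HTTP/1.1" 200 2048',
]


def normalize_path(path, max_rounds=3):
    """Percent-decode until the path is stable so an encoded '${' is matched as the rule intends."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def contains_indicator(path):
    return "${" in normalize_path(path)


def request_path(log_line):
    # In Common Log Format the request line is the first double-quoted field: METHOD PATH PROTO.
    parts = log_line.split('"')
    if len(parts) < 2:
        return ""  # malformed line: nothing to match
    fields = parts[1].split(" ")
    return fields[1] if len(fields) > 1 else ""


def flag_suspicious(lines):
    """Return the request paths whose URL contains the '${' indicator."""
    return [request_path(line) for line in lines if contains_indicator(request_path(line))]
```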