Tech News - Security

Melisha Dsouza
06 Feb 2019
2 min read

Google’s new Chrome extension ‘Password CheckUp’ checks if your username or password has been exposed to a third party breach

Google released a new Chrome extension on Tuesday called ‘Password Checkup’. The extension informs users if the username and password they are currently using were stolen in a data breach, and then prompts them to reset the password. If a user’s Google account credentials have been exposed in a third-party data breach, the company already resets their password automatically; the new Chrome extension is meant to extend the same level of protection to all services on the web.

On installation, Password Checkup appears in the browser bar as a green shield. The extension then checks login details against a database of around four billion usernames and passwords. If a match is found, a dialogue box prompting users to “Change your password” appears and the icon turns bright red.

Password Checkup was designed by Google together with cryptography experts at Stanford University, with the constraint that Google itself should not be able to capture a user’s credentials, to prevent a “wider exposure” of the situation. Google’s blog states: “We also designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords.” Password Checkup uses multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding to keep the user’s credentials encrypted. You can check out Google’s blog for the technical details of the extension.

Melisha Dsouza
10 Oct 2018
4 min read

The Intercept says Google’s Dragonfly is closer to launch than Google would like us to believe

“While we are saying it’s going to be six and nine months [to launch], the world is a very dynamic place” - Ben Gomes, Google’s search engine chief

The past two months have been filled with controversy for Google after The Intercept revealed details of a censored search engine for China, code-named Dragonfly. The project was severely criticized by human rights groups, U.S. senators and Google employees, some of whom have resigned. Even Vice President Mike Pence last week called on Google to "immediately end development of the Dragonfly app" while accusing China of "applying its power in more proactive ways than ever before, to exert influence and interfere in the domestic policy and politics of our country."

Now, fresh reports have emerged that, according to a transcript leaked to The Intercept, Google is all set to launch the search engine in the coming months. This stands in stark contrast to the public comments made by many of its senior executives. On September 23, at an event celebrating Google’s 20th anniversary, Ben Gomes, Google’s search engine chief, was confronted by a BBC reporter about the controversial search engine. Gomes told the reporter that all the work done so far is "some exploration," "but since we don’t have any plans to launch something, there’s nothing much I can say about it." Following this, on Sept. 26, Keith Enright, Google’s chief privacy officer, faced public questions on the censorship plan. He confirmed that Project Dragonfly did exist, but affirmed: "we are not close to launching a product in China."

It looks like the plan was well beyond "exploration," as highlighted by Google’s own employees in a memo posted on an internal messaging list set up for Google employees to raise ethical concerns. Google tried hard to suppress this information by scrubbing the memo from the list. Individuals who had opened or saved the document were contacted by Google’s human resources department to discuss the matter, and employees were also instructed not to share the memo.

The leaked transcript of Ben Gomes’ private meeting with employees working on Dragonfly (dated July 18, 2018) is not in line with these public comments. The transcript records Gomes saying that the project was "the biggest opportunity to serve more people that we have. And if you take our mission seriously, that’s where our key focus should be". He goes on to add that China is one of the "most interesting markets". He prepares them to look for a window of opportunity in which the search engine could be launched given the uncertain political climate in the US, supposedly six to nine months down the line. It would not come as a surprise if the engine launched earlier than that, as Gomes himself states that "This is a world none of us have ever lived in before, so I feel like we shouldn’t put too much definite into the timeline."

The search engine was specifically designed to block terms considered sensitive by the Chinese Communist Party regime, such as 'peaceful protest'. With citizens’ phone numbers, IP addresses and location tracking attached to their search queries, it would be very easy for the government to track their internet footprint. The fear is that Google could be directly contributing to, or becoming complicit in, human rights violations. You can head over to The Intercept for the complete transcript of this private meeting.

Richard Gall
09 Jul 2018
3 min read

Fitness app Polar reveals military secrets

You might remember that back in January, fitness app Strava was revealed to be giving away military secrets: when used by military personnel, the app was giving away the location of some potentially sensitive sites. Well, it's happening again. This time another fitness app, Polar, is unwittingly giving up sensitive military locations.

The digital investigation organization Bellingcat was able to scrape data from 200 sites around the world. From this, it gained information on exercises by nearly 6,500 Polar users. The level of detail Bellingcat was able to obtain was remarkable. It was not only able to learn more about military locations, information that could be critical to national security, but also a startling amount about the people who work at them.

The investigation echoes the Strava data leak. It emphasizes the (disturbing) privacy issues that fitness tracking applications have been unable to confront. But Bellingcat explains that Polar is actually one of the worst apps for publicizing private data. On Strava and Garmin, for example, it's only possible to see individual exercises done by users. "Polar makes it far worse by showing all the exercises of an individual done since 2014, all over the world on a single map."

Polar reveals dangerous levels of detail about its users

Some of the information found by Bellingcat is terrifying. For example: "A high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning. From a house not too far from that base, he started and finished many more runs on early Sunday mornings. His favorite path is through a forest, but sometimes he starts and ends at a car park further away. The profile shows his full name." The investigators also revealed they were able to cross-reference profiles with social media profiles. This could allow someone to build up a very detailed picture of a member of the military or security personnel. Some of these people have access to nuclear weapons.

Bellingcat's advice to fitness app users

Bellingcat offers some clear advice to anyone using fitness tracking apps like Polar. Most of it sounds obvious, but it's clear that even people who should be particularly careful aren't following it. "As always, check your app-permissions, try to anonymize your online presence, and, if you still insist on tracking your activities, start and end sessions in a public space, not at your front door."

The results of the investigation are, perhaps, just another piece in a broader story emerging this year about techno-scepticism. Problems with tech have always existed; it's only now that they are really surfacing and seem to be taking on a new urgency. This is certainly going to have implications for the military, but it is also likely to have an impact on the way these applications are built in the future.

Savia Lobo
08 Oct 2018
3 min read

Upgrade to Git 2.19.1 to avoid a Git submodule vulnerability that causes arbitrary code execution

Last week, the Git Project revealed a vulnerability, CVE-2018-17456, which can cause arbitrary code to be executed when a user clones a malicious repository. Git v2.19.1 has been released with a fix for this vulnerability, and backports are available in v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1. Users are advised to update their clients to protect themselves. Those who have not yet updated can protect themselves by avoiding submodules from untrusted repositories; this includes commands such as git clone --recurse-submodules and git submodule update.

The community, in its post, mentions that neither GitHub.com nor GitHub Enterprise is directly affected by the vulnerability. However, as with previously discovered vulnerabilities, GitHub.com will detect malicious repositories and reject pushes or API requests attempting to create them. Versions of GitHub Enterprise with this detection will ship on October 9th.

About the CVE-2018-17456 vulnerability

This vulnerability is similar to CVE-2017-1000117, as both are option-injection attacks related to submodules. In the previous attack, a malicious repository would ship a .gitmodules file pointing one of its submodules to a remote repository with an SSH host starting with a dash (-). The ssh program, spawned by Git, would then interpret that as an option. The new attack works in a similar way, except that the option injection is against the child git clone itself.

Learning from the previous attack, the researchers audited all of the .gitmodules values and implemented stricter checks where appropriate. These checks should prevent a similar vulnerability in another code path. They also implemented detection of potentially malicious submodules as part of Git’s object quality checks, which was made much easier by the infrastructure added during the last submodule-related vulnerability.

Products affected by the CVE-2018-17456 vulnerability

GitHub Desktop: versions 1.4.1 and older included an embedded version of Git that was affected by this vulnerability. All GitHub Desktop users are encouraged to update to the newest version (1.4.2 and 1.4.3-beta0), available today in the Desktop app.

Atom: Atom included the same embedded Git and was also affected. Releases 1.31.2 and 1.32.0-beta3 include the patch. Users should ensure they have the latest Atom release by completing any of the following:
  • Windows: From the toolbar, click “Help” -> “Check for updates”
  • MacOS: From the menu bar, click “Atom” -> “Check for Update”
  • Linux: Update manually by downloading the latest release from atom.io

Git on the command line and other clients: to be protected from the vulnerability, users must update their command-line version of Git and any other application that may include an embedded version of Git, as they are independent of each other.
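The stricter .gitmodules checks described above are about refusing submodule values that a child process (ssh in the earlier CVE, git clone in this one) could parse as a command-line option. The following is an added example, not Git's own code and not a substitute for upgrading: a stand-alone audit script that parses a .gitmodules file and flags any submodule whose path, URL, SSH host or name begins with a dash. The sample .gitmodules content is constructed for the example.

```python
"""Audit a .gitmodules file for dash-prefixed values before recursing into submodules.

Added example for this page (not Git's own code): it mirrors the kind of
stricter .gitmodules checks described in the article and flags any submodule
whose path or URL (or the SSH host inside the URL, or the name) begins with
'-', which a child process could interpret as a command-line option.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like .gitmodules format into {name: {key: value}}."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            modules.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            modules[current][m.group("key").lower()] = m.group("value").strip()
    return modules


def ssh_host(url: str) -> str:
    """Return the host part git would hand to ssh, or '' for non-SSH URLs."""
    if url.startswith("ssh://"):
        rest = url[len("ssh://"):]
        host = rest.split("/", 1)[0]
    elif "://" not in url and ":" in url and (
            "/" not in url or url.index(":") < url.index("/")):
        host = url.split(":", 1)[0]  # scp-like syntax: [user@]host:path
    else:
        return ""
    return host.split("@", 1)[-1]  # drop any user@ prefix


def scan_gitmodules(text: str) -> List[Tuple[str, str, str]]:
    """Return (submodule, field, value) for every dash-prefixed value found."""
    findings: List[Tuple[str, str, str]] = []
    for name, fields in parse_gitmodules(text).items():
        path = fields.get("path", "")
        url = fields.get("url", "")
        if path.startswith("-"):
            findings.append((name, "path", path))
        if url.startswith("-"):
            findings.append((name, "url", url))
        elif ssh_host(url).startswith("-"):
            findings.append((name, "ssh-host", ssh_host(url)))
        if name.startswith("-"):
            findings.append((name, "name", name))
    return findings


# Constructed sample: one benign entry and two entries with dash-prefixed values.
SAMPLE = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "bad-path"]
\tpath = -dash-prefixed
\turl = https://example.invalid/bad.git
[submodule "bad-host"]
\tpath = vendor/badhost
\turl = -not-a-host:repo.git
"""

if __name__ == "__main__":
    for sub, field, value in scan_gitmodules(SAMPLE):
        print(f"suspicious {field} in submodule '{sub}': {value!r}")
```

Run it against a checked-out repository's .gitmodules before using git clone --recurse-submodules or git submodule update on an untrusted source; any finding is a reason not to recurse.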

Melisha Dsouza
07 Sep 2018
2 min read

North Korean hacker charged for WannaCry ransomware and for infiltrating Sony Pictures Entertainment

The US Justice Department has charged a North Korean hacker, Park Jin Hyok, over the devastating cyberattacks that hacked Sony Pictures Entertainment and unleashed the WannaCry ransomware in 2017. The US alleges that Mr. Park worked as a computer programmer for Chosun Expo Joint Venture, a wing of the North Korean military. He is charged with extortion, wire fraud, and various hacking crimes that could carry a prison term of up to 25 years. The criminal complaint against him was filed in Los Angeles federal court in June and unsealed this Thursday. It alleges that Mr. Park and the Joint Venture sought to “conduct multiple destructive cyber attacks around the world” in support of the North Korean government.

Timeline of cybercrimes committed by Hyok

In 2017, the WannaCry ransomware attack affected more than 230,000 computers and caused hundreds of millions of dollars in damage around the world. One of the main targets was the UK’s National Health Service, which was forced to cancel thousands of appointments after its systems were infected. The Justice Department asserts that the North Korean hacking team both developed the ransomware and propagated the attacks. Mr. Park is also charged in connection with an $81 million (£62 million) theft from a bank in Bangladesh in 2016. He is further accused of aiding the 2014 hack of Sony Pictures Entertainment, in which data was destroyed and internal documents were made publicly available online for anyone to download. The attack came shortly after Sony produced the comedy film ‘The Interview’, about an attempted assassination of a character made to look like North Korean leader Kim Jong-un, indirectly mocking him. According to the Justice Department, Mr. Park is also charged over “numerous other attacks or intrusions on the entertainment, financial services, defence, technology, and virtual currency industries, academia, and electric utilities”.

The charges were filed four days before President Donald Trump’s meeting with North Korea’s leader, Kim Jong-un, to discuss ending hostility between the two countries. Prosecutors said the complaint wasn’t sealed to prevent derailing that meeting in Singapore. Head over to CNET for more on this news.

Savia Lobo
09 Nov 2018
3 min read

Amazon addresses employees’ dissent regarding the company’s law enforcement policies at an all-staff meeting, in a first

Yesterday, at an Amazon all-staff meeting, the company addressed its relationship with law enforcement agencies. This was in response to employee concerns raised in June about the company’s frequent and successful efforts to provide cloud infrastructure and facial recognition software to government authorities (including Immigration and Customs Enforcement). This was the very first Amazon all-staff meeting and was live-streamed globally.

When asked what is being done in response to the concerns voiced by both Amazon employees and civil rights groups, Andy Jassy, CEO of Amazon Web Services, said, “There’s a lot of value being enjoyed from Amazon Rekognition. Now now, of course, with any kind of technology, you have to make sure that it’s being used responsibly, and that’s true with new and existing technology. Just think about all the evil that could be done with computers or servers and has been done, and you think about what a different place our world would be if we didn’t allow people to have computers.” According to BuzzFeed, questions for the meeting were pre-screened, with no opportunity for live questions.

Last year, Amazon faced controversy over some uses of its AI-powered facial recognition product, Rekognition. Its use cases range from monitoring faces in group photos, crowded events and public places such as airports to running those images for matches against mugshot databases. In June, hundreds of Amazon employees signed an open letter to CEO Jeff Bezos titled 'We Won’t Build It', asking Amazon to stop selling Rekognition to the police, citing the “historic militarization of police, renewed targeting of Black activists, and the growth of a federal deportation force currently engaged in human rights abuses”. The employee letter states, “Our company should not be in the surveillance business; we should not be in the policing business; we should not be in the business of supporting those who monitor and oppress marginalized populations.”

The workers also pointed out Amazon’s commercial relationship with the data firm Palantir, which does business with U.S. Immigration and Customs Enforcement. According to public documents obtained by the Project on Government Oversight, “Amazon also pitched its facial recognition technology directly to the ICE, a few months after the federal immigration agency started enforcing President Trump’s controversial zero-tolerance family-separation border policy.”

The American Civil Liberties Union (ACLU) also raised concerns about Amazon Rekognition’s potential misuse for racial profiling. The organization ran a test and found that the software incorrectly matched 28 members of Congress, identifying them as other people who had been arrested for a crime, and that the false matches disproportionately involved people of color, including six members of the Congressional Black Caucus.

Jeff Bezos, at a Wired conference last month, stated, “If big tech companies are going to turn their back on the U.S. Department of Defense, this country is going to be in trouble.” To know more about this news in detail, head over to the complete Q&A of the meeting on BuzzFeed.
Sugandha Lahoti
16 Aug 2018
2 min read

Twitter's trying to shed its skin to combat fake news and data scandals, says Jack Dorsey

Amidst the discussions around social media websites regulating their content or facing legal action, Twitter CEO Jack Dorsey has announced plans to rethink the core of how Twitter works. In an interview with the Washington Post, Dorsey said that he is experimenting with features that would promote alternative viewpoints in Twitter’s timeline to address misinformation and reduce echo chambers. “The most important thing that we can do is we look at the incentives that we’re building into our product,” Dorsey said. “Because they do express a point of view of what we want people to do — and I don't think they are correct anymore.”

https://twitter.com/jack/status/1029846451524960261

Dorsey’s move is a clear indication that Silicon Valley leaders are getting serious about improving safety, security, and privacy across their services. In recent months, Twitter has made several moves to combat fake news and other data-related scandals. Earlier this month, Apple, Facebook, and Spotify took action against Alex Jones. Initially, Twitter allowed Jones to continue using its service, but on Tuesday it imposed a seven-day “timeout” on Jones after he encouraged his followers to get their “battle rifles” ready against critics in the “mainstream media” and on the left. Last month, the social media giant allegedly deleted 70 million fake accounts in an attempt to curb fake news. It has been continually suspending accounts that are inauthentic, spammy or created via malicious automated bots.

Another solution Twitter is exploring is surrounding false tweets with factual context. Dorsey said that more context about a tweet, including tweets that call it out as obviously fake, could help people make judgments for themselves. Twitter is also planning to label automated accounts; legislators and federal lawmakers have already proposed putting such requirements into law. The social media website is also auditing existing accounts for signs of automated sign-up and improving the overall sign-up process.

What remains to be seen is whether Twitter can actually implement these plans effectively, or whether Dorsey’s statements will go down the drain. You can read Dorsey’s entire interview on the Washington Post.

Natasha Mathur
31 Dec 2018
2 min read

EU to sponsor bug bounty programs for 14 open source projects from January 2019

Julia Reda, member of the European Parliament, announced last week that the EU will be funding Internet Bug Bounty programs for 14 out of a total of 15 open source projects, starting January 2019. The Internet Bug Bounty programs reward friendly hackers who actively search for security vulnerabilities and issues. The program is managed by a group of volunteers selected from the security community. The amount of the bounty depends on how severe the uncovered issue is and on the importance of the software, and ranges from €25,000.00 all the way up to €89,000.00.

The projects include:
  • Filezilla
  • Apache Kafka
  • Notepad++
  • PuTTY
  • VLC media player
  • FLUX TL
  • KeePass
  • 7-zip
  • Digital Signature Services (DSS)
  • Drupal
  • GNU C library (glibc)
  • The Symfony PHP framework
  • Apache Tomcat
  • WSO2
  • MidPoint

The EU is sponsoring the bug bounty programs as part of the third edition of its Free and Open Source Software Audit project (FOSSA). Reda mentions that the FOSSA project, which started in 2015, was an initiative to encourage the promotion of free and open source software. “In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL. The issue made lots of people realize how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure”, mentions Reda. People can contribute to the projects mentioned by the EU by analyzing the software and submitting any bugs or issues found on bug bounty platforms such as HackerOne and Intigriti/Deloitte. For more information, check out Julia Reda’s official blog post.

Melisha Dsouza
28 Jan 2019
5 min read

Biometric Information Privacy Act: It is now illegal for Amazon, Facebook or Apple to collect your biometric data without consent in Illinois

On 25th January, the Illinois Supreme Court issued a unanimous ruling that when companies collect biometric data like fingerprints or face prints without informed opt-in consent, they can be sued, even without proof of concrete injury such as identity fraud or physical harm. The law, known as the Biometric Information Privacy Act (BIPA), requires that companies explicitly inform a person about what biometric data they will collect, and how the data will be stored and used by the company. This data includes fingerprints, facial scans, iris scans, or other biological information. The company then has to obtain prior consent from that person before capturing these details. A point to note is that, while other states only allow attorneys general to sue companies, the Illinois BIPA law gives individuals the right to sue companies, after which they can collect damages of $1,000 (rising to $5,000 if the court finds a company deliberately or recklessly flouted the law).

Six Flags v Rosenbach

According to FastCompany, the decision came in a landmark lawsuit against the theme park Six Flags, which recorded the thumbprint of a 14-year-old boy without notice or written consent while issuing him a season pass in 2014. Six Flags did not notify the boy or his mother, Stacy Rosenbach, about obtaining his fingerprints. She sued Six Flags for violation of the BIPA law and, in its defense, Six Flags made the case that because Rosenbach couldn’t demonstrate that taking his fingerprints had done any “harm” to the boy (for example, no data breach or security problem), the company wasn’t liable for damages. According to the Electronic Frontier Foundation, “EFF, along with ACLU, CDT, the Chicago Alliance Against Sexual Exploitation, PIRG, and Lucy Parsons Labs, filed an amicus curiae brief urging the Illinois Supreme Court to adopt a robust interpretation of BIPA. The Illinois Supreme Court agreed with us and soundly rejected the defendants’ argument that BIPA required a person to show an injury beyond loss of statutory privacy rights”. On Friday the state’s Supreme Court ruled that Six Flags had indeed violated the law and would need to pay the boy damages, despite no “harm” being shown. The ruling sets an example in Illinois: if a company violates a citizen’s privacy without prior notice or consent and the citizen sues, the plaintiff does not need to demonstrate an additional harm for the law to protect them.

BIPA sets an example for similar lawsuits

The Six Flags ruling builds a stronger case for other ongoing lawsuits, including one against Facebook in which consumers claim that Facebook violated the state privacy law by using facial recognition technology on their uploaded photographs without their consent. Facebook is fighting back by saying consumers should have to show that the lawbreaking practice caused ‘additional harm’ beyond a mere violation. Google also faced a similar lawsuit on Thursday, in which two Illinois residents allege that the company “failed to obtain consent from anyone when it introduced its facial recognition technology.” Just last month, Google won the dismissal of a lawsuit it had been facing since 2016 for allegedly scanning and saving the biometric data of a woman captured unwillingly in 11 photos taken on Android by a Google Photos user. As per Bloomberg, the lawsuit was dismissed by a judge in Chicago, who found that the plaintiff didn’t suffer “concrete injuries”. Rebecca Glenberg, senior staff counsel of the ACLU of Illinois, said in a statement that “Your biometric information belongs to you and should not be left to corporate interests who want to collect detailed information about you for advertising and other commercial purposes.”

What does this mean for the tech industry?

According to Illinois.org, while facial recognition technology and biometrics do have the potential to simplify citizens’ lives, BIPA may affect technological innovation overall. The litigation has the potential to drive up costs on both ends of the spectrum. Businesses like Apple, which have demonstrated the importance of biometric technology, will have to take extra precautions to comply with BIPA. In case the law is violated, there is the expense of class-action lawyers and litigants. They may simply decide against hiring people in Illinois because of the expense and hassle. It would be interesting to see companies come up with a framework that would safeguard them against violating BIPA while also reassuring citizens about the way their data is handled and used. You can head over to the Electronic Frontier Foundation’s official post for more insights on this news.

Fatema Patrawala
22 Apr 2019
4 min read

WannaCry hero Marcus Hutchins pleads guilty to malware charges; may face up to 10 years in prison

Marcus Hutchins, the British security researcher who authors the popular blog MalwareTech, has pleaded guilty today to writing malware in the years before his prodigious career as a malware researcher. Marcus posted a statement on his website and on his Twitter feed: "I regret these actions and accept full responsibility for my mistakes. Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."

https://twitter.com/MalwareTechBlog/status/1119322882578866176

Marcus was virtually unknown to most in the security community until May 2017, when the UK media revealed him as the "accidental hero" who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before. In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling "Kronos," a strain of malware designed to steal online banking credentials. Hutchins has been barred from leaving the United States since his arrest.

Marcus's plea agreement is here. "Attachment A" on page 15 outlines the case against Hutchins and an alleged co-conspirator. It states that between July 2012 and September 2015, Hutchins helped create and sell Kronos and a related piece of malware called UPAS Kit.

Many of Hutchins' supporters and readers had trouble believing the charges against him, and in response KrebsOnSecurity published a detailed investigation into activities tied to his various online personas over the years. According to that report, the clues suggested Hutchins began developing and selling malware in his mid-teens, only to later have a change of heart and earnestly endeavour to leave that part of his life squarely in the rearview mirror. Nevertheless, there were a number of indications that Hutchins' alleged malware activity continued into his adulthood.

Up to 10 years in prison

According to court documents obtained by ZDNet, Hutchins pleaded guilty to two counts, and the government agreed to drop the other eight. He pleaded guilty to entering a conspiracy to create and distribute malware, and to aiding and abetting its distribution. For each count, Hutchins faces up to five years in prison, $250,000 in fines, and one year of supervised release.

According to ZDNet, Marcus was charged with working with a co-conspirator identified as "Vinny," "VinnyK," and "Aurora123" to advertise and sell the two malware strains online. This took place between July 2012 and September 2015, before Hutchins was recognized as a talented security researcher. ZDNet further explains that creating malware is a form of protected speech in the United States, but selling and disseminating it is another matter. Orin Kerr, a law professor at the University of Southern California, gave a detailed explanation in his 2017 dissection of the government's charges on the Washington Post website.

The charges against Marcus are likely to be tempered by federal sentencing guidelines, and sentencing may take into account the detention time already served. It remains unclear when he will be sentenced. After the arrest, Hutchins was released on bail and has been living in Los Angeles awaiting trial. He started sharing his malware analysis skills with the information security (infosec) community when he was prohibited from working for his employer. Hutchins is considered one of the most talented security researchers, and this news comes as a huge loss for the infosec community.

https://twitter.com/JRoosen/status/1119342458809331713

Update on 26th July from ZDNet

ZDNet reported on Friday that the US legal case against Marcus Hutchins, who helped stop the WannaCry ransomware outbreak, has come to an end. He has been sentenced in the US to time served and one year of supervised release. The UK-born malware analyst avoids prison time in a case that the judge described as having "too many positives on other side of ledger", referring to Hutchins' role in the WannaCry ransomware outbreak and his work as a malware analyst. Read the full story in the ZDNet blog post.

Facebook COO, Sandberg’s Senate testimony: On combating foreign influence, fake news, and upholding election integrity

Savia Lobo
05 Sep 2018
8 min read
In the US Senate Select Committee hearing on Wednesday, 5th September 2018, Facebook COO Sheryl Sandberg put forward Facebook's testimony. Twitter and Google also had their own testimonies to offer in the hearing.

Facebook has had a tumultuous couple of years centered on the misuse of its platform and the abuse of its users' data and privacy by advertisers, political entities and foreign bad actors. The Cambridge Analytica scandal is just one example. Another is the use of Facebook by Russians to meddle in the 2016 US Presidential election.

Sheryl Sandberg started her testimony with an apology: "We were too slow to spot this and too slow to act. That's on us. This interference was completely unacceptable. It violated the values of our company and of the country we love."

She also highlighted the efforts Facebook has taken to keep its community safe and its services secure, which include:

- Using artificial intelligence to help find bad content and locate bad actors.
- Shutting down fake accounts and reducing the spread of false news.
- Setting up new ad transparency policies, ad content restrictions, and documentation requirements for political ad buyers.
- Better anticipating risks and working closely with law enforcement and industry peers to share information and make progress together.
- Removing hundreds of Pages and accounts involved in coordinated inauthentic behavior, meaning they misled others about who they were and what they were doing.

Sandberg then covered these highlights in detail and presented the ways in which Facebook plans to combat these issues. She said, "At its best, Facebook plays a positive role in our democratic process—and we know we have a responsibility to protect that process on our service. We're investing for the long term because security is never a finished job. Our adversaries are determined, creative, and well-funded. But we are even more determined—and we will continue to fight back."

Facebook assesses past Russian attempts to influence elections

Sheryl said that before election day in November 2016, Facebook detected and mitigated several threats from actors with ties to Russia, such as the APT28 activity. It also recorded new behavior, such as the creation of fake IDs linked to a Facebook Page named DCLeaks, which Facebook later removed.

Read more: DCLeaks and Guccifer 2.0: How hackers used social engineering to manipulate the 2016 U.S. elections

After the 2016 election, Facebook found that the Internet Research Agency (IRA), a Russian entity located in St. Petersburg, Russia, had used coordinated networks of fake Pages and accounts to interfere in the election. Sheryl stated, "Around 470 fake Pages and accounts associated with the IRA spent approximately $100,000 on about 3,500 Facebook and Instagram ads between June 2015 and August 2017. Our analysis showed that these accounts used these ads to promote roughly 120 Facebook Pages that they had set up, which had posted more than 80,000 pieces of content between January 2015 and August 2017. We shut down the accounts and Pages we identified at the time that were still active. The Instagram accounts we deleted had posted about 120,000 pieces of content."

In April of this year, Facebook took down more than 270 additional Pages and accounts controlled by the IRA, and it continues to monitor its service for abuse and to share information with law enforcement and others in the industry about these threats.

Facebook combats foreign election interference and advances election integrity

Facebook has more than doubled the number of people working on safety and security and now has over 20,000 people. They review reports in over 50 languages, 24 hours a day. Better machine learning and artificial intelligence have also enabled much more proactive identification of abuse.

Sheryl mentioned that Facebook focuses on removing fake accounts. She added, "One of the main ways we identify and stop foreign actors is by proactively detecting and removing fake accounts, since they're the source of much of the interference we see." Some important measures Facebook is taking are:

- Using both automated and manual review to detect and deactivate fake accounts. These systems analyze distinctive account characteristics and prioritize signals that are more difficult for bad actors to disguise. Facebook blocks millions of attempts to register fake accounts every day, and it globally disabled 1.27 billion fake accounts between October 2017 and March 2018. Using technologies like machine learning, artificial intelligence, and computer vision, Facebook is proactively detecting more bad actors and taking action more quickly.
- Tackling false news. Facebook has partnered with third-party fact-checking organizations to limit the spread of articles they rate as false, and it disrupts the economic incentives for traffickers of misinformation. It has also invested in news literacy programs and works to inform people by providing more context on the stories they see.
- Increasing ad transparency. Facebook has taken strong steps to prevent abuse and increase transparency in advertising. It ensures all political and issue ads on Facebook and Instagram in the U.S. are clearly labeled with a "Paid for by" disclosure at the top of the ad, so people can see who is paying for them. This is especially important when the Page name doesn't match the name of the company or person funding the ad.
- Enforcing compliance with federal law. Facebook's compliance team maintains a Political Activities and Lobbying Policy that is available to all employees. This policy is covered in its Code of Conduct training for all employees and includes guidelines to ensure compliance with the Federal Election Campaign Act.
- Suspicious activity reporting. Facebook has designed processes to identify inauthentic and suspicious activity. It also maintains a sanctions compliance program to screen advertisers, partners, vendors, and others using its payment products. Its payments subsidiaries file Suspicious Activity Reports on developers of certain apps and take other steps as appropriate, including denying such apps access to the Facebook platform.

Read more: Four 2018 Facebook patents to battle fake news and improve news feed

Facebook defending against targeted hacking

Sheryl Sandberg also highlighted how Facebook is strengthening its defenses against a broader set of threats. Some of these defenses include:

- Building AI systems to detect and stop attempts to send malicious content.
- Providing customizable security and privacy features, including two-factor authentication options, and marketing to encourage people to adopt them.
- Sending notifications to individuals if they have been targeted by sophisticated attackers, with custom recommendations depending on the threat model.
- Sending proactive notifications to people who have not yet been targeted but may be at risk based on the behavior of particular malicious actors.
- Deploying AI systems to monitor login patterns and detect the signs of a successful account takeover campaign.

Facebook working with government entities, industry, and civil society

Sheryl mentioned in her testimony, "We have worked successfully with the DOJ, the FBI, and other law enforcement agencies to address a wide variety of threats to our platform, and we are actively engaged with DHS and the FBI's new Foreign Influence Task Force focused on election integrity." Facebook has also partnered with cybersecurity firms such as FireEye, which informed it about a network of Pages and accounts originating from Iran that engaged in coordinated inauthentic behavior. Based on that information, Facebook started an investigation and identified and removed additional accounts and Pages from the network.

Facebook's security team regularly conducts internal reviews to monitor for state-sponsored threats that are not publicly disclosed, for security reasons. They monitor and assess thousands of account details, such as location information and connections to others on Facebook. Sheryl also added, "As part of official investigations, government officials sometimes request data about people who use Facebook. We have an easily accessible online portal and processes in place to handle these government requests, and we disclose account records in accordance with our terms of service and applicable law. We also have law enforcement response teams available around the clock to respond to emergency requests."

Facebook also participated in discussions with governments around the world at key events such as the Munich Security Conference and CyCon, which is organized by the NATO Cooperative Cyber Defence Centre of Excellence.

Sheryl Sandberg concluded her testimony by saying that the Facebook community is learning from what happened and is improving. She said, "When we find bad actors, we will block them. When we find content that violates our policies, we will take it down. And when our attackers use new techniques, we'll share them to improve our collective defense. We are even more determined than our adversaries, and we will continue to fight back."

Here's the link to Sheryl Sandberg's complete testimony to the US Senate Committee.

WPA3: Next-generation Wi-Fi security is here

Vijin Boricha
27 Jun 2018
3 min read
On June 25, 2018, the Wi-Fi Alliance introduced the next generation of Wi-Fi security, WPA3. It took over a decade to introduce this successor to the WPA2 protocol, which brings new capabilities for enhancing personal and enterprise Wi-Fi networks. Individuals and organizations alike had been awaiting this update, especially after last year's KRACK vulnerability, which was later fixed on many devices. The update comes with a variety of added features, including more robust authentication and increased cryptographic strength for markets handling highly sensitive data. With it, the Wi-Fi industry transitions to WPA3 security; however, WPA2 devices will continue to interoperate and provide recognized security.

In order to maintain the flexibility of mission-critical networks, WPA3 networks will:

- Prohibit outdated legacy protocols,
- Deliver the latest security methods, and
- Use PMF (Protected Management Frames).

WPA3 supports the market through two distinct modes of operation: WPA3-Personal and WPA3-Enterprise.

WPA3-Personal

Even if users choose passwords that fall short of typical complexity recommendations, WPA3 leverages SAE (Simultaneous Authentication of Equals), a secure key establishment protocol between devices, to provide more robust protection against third-party password guessing attempts. With this level of security enhancement your network is more resilient.

WPA3-Enterprise

The WPA3-Enterprise mode proves beneficial to organizations transmitting sensitive data, such as finance or government, as it provides 192-bit cryptographic strength along with additional protection for these networks. This 192-bit bundle ensures a consistent combination of cryptographic tools is deployed across WPA3 networks.

Earlier this year, the Wi-Fi Alliance also introduced new features and enhancements for Wi-Fi Protected Access. These additions ensure that WPA2 maintains robust security protection in the evolving wireless landscape. WPA2 remains a mandatory requirement for all Wi-Fi CERTIFIED devices, as it will take some time for WPA3 market adoption to grow. Through a transitional mode of operation, WPA3 maintains interoperability with WPA2 devices, and Wi-Fi users can remain confident that their devices are well protected when connected to secured Wi-Fi CERTIFIED networks.

Users and Wi-Fi device vendors need not worry, as WPA3 protections won't come into effect overnight; adoption may be a years-long process. To get WPA3 in place you need a new router that supports it, or you can hope your old one can be updated to support it. The same is true for all your gadgets: you have to buy new ones that support WPA3, or hope your old devices are updated to the required standard. However, WPA3 can still connect with devices that use WPA2, so you need not worry about your devices not working just because you brought new connectivity hardware into your home.

WPA3 adoption is off to a positive start, as organizations such as Hewlett Packard, Qualcomm, Huawei Wireless, Intel, Cisco and many more have announced their support for next-gen Wi-Fi security for personal and enterprise networks.
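To make the three WPA3 requirements and the transitional mode concrete, here is an added example (not Wi-Fi Alliance or hostapd code) that checks hostapd-style access point settings for them. The option names (wpa, wpa_key_mgmt, rsn_pairwise, wpa_pairwise, ieee80211w, sae_require_mfp) are hostapd's; the pass/fail rules and the two sample configurations are my own constructions.

```c
/* Added example (not Wi-Fi Alliance or hostapd code): checks hostapd-style
 * key=value settings against the three WPA3 properties the article lists
 * (no legacy protocols, current key management, PMF). The option names are
 * hostapd's; the pass/fail rules and the sample configs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ap_cfg {
    int wpa;               /* wpa=1 legacy WPA only, 2 WPA2/RSN only, 3 both */
    int pmf;               /* ieee80211w: 0 disabled, 1 optional, 2 required */
    int sae_require_mfp;   /* 1: SAE clients must use PMF even in transition mode */
    char key_mgmt[96];     /* wpa_key_mgmt, space separated, e.g. "WPA-PSK SAE" */
    char rsn_pairwise[64]; /* ciphers offered to WPA2/WPA3 clients */
    char wpa_pairwise[64]; /* ciphers offered to legacy WPA clients */
};

static void set_field(struct ap_cfg *c, const char *key, const char *val)
{
    if (!strcmp(key, "wpa")) c->wpa = atoi(val);
    else if (!strcmp(key, "ieee80211w")) c->pmf = atoi(val);
    else if (!strcmp(key, "sae_require_mfp")) c->sae_require_mfp = atoi(val);
    else if (!strcmp(key, "wpa_key_mgmt")) snprintf(c->key_mgmt, sizeof c->key_mgmt, "%s", val);
    else if (!strcmp(key, "rsn_pairwise")) snprintf(c->rsn_pairwise, sizeof c->rsn_pairwise, "%s", val);
    else if (!strcmp(key, "wpa_pairwise")) snprintf(c->wpa_pairwise, sizeof c->wpa_pairwise, "%s", val);
}   /* every other option is irrelevant to this check and ignored */

/* Parse key=value lines; blank lines and '#' comments are skipped. */
void parse_cfg(struct ap_cfg *c, const char *text)
{
    memset(c, 0, sizeof *c);
    while (*text != '\0') {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        char line[160], *s = line, *eq;
        if (len >= sizeof line) len = sizeof line - 1;   /* overlong line: truncated */
        memcpy(line, text, len);
        line[len] = '\0';
        while (*s == ' ' || *s == '\t') s++;
        eq = strchr(s, '=');
        if (*s != '#' && *s != '\0' && eq != NULL) {
            *eq = '\0';
            set_field(c, s, eq + 1);
        }
        if (eol == NULL) break;
        text = eol + 1;
    }
}

/* Whole-word match inside a space-separated list such as "WPA-PSK SAE". */
static int has_word(const char *list, const char *word)
{
    size_t wl = strlen(word);
    const char *p = list;
    while ((p = strstr(p, word)) != NULL) {
        if ((p == list || p[-1] == ' ') && (p[wl] == '\0' || p[wl] == ' ')) return 1;
        p += wl;
    }
    return 0;
}

/* Returns 1 when the config meets the WPA3 requirements, else 0 with a reason. */
int wpa3_check(const struct ap_cfg *c, char *reason, size_t n)
{
    int transition = has_word(c->key_mgmt, "WPA-PSK");   /* WPA2-PSK clients still served */
    if (c->wpa != 2 || c->wpa_pairwise[0] || has_word(c->rsn_pairwise, "TKIP")) {
        snprintf(reason, n, "legacy protocol still enabled (WPA1 or TKIP)");
        return 0;
    }
    if (!has_word(c->key_mgmt, "SAE") && !has_word(c->key_mgmt, "WPA-EAP-SUITE-B-192")) {
        snprintf(reason, n, "no WPA3 key management (SAE or 192-bit Suite B)");
        return 0;
    }
    /* WPA3-only: PMF required. Transition mode: PMF at least optional and forced for SAE. */
    if ((!transition && c->pmf != 2) || (transition && (c->pmf < 1 || !c->sae_require_mfp))) {
        snprintf(reason, n, "Protected Management Frames not enforced");
        return 0;
    }
    snprintf(reason, n, "ok");
    return 1;
}

int check_text(const char *text, char *reason, size_t n)
{
    struct ap_cfg c;
    parse_cfg(&c, text);
    return wpa3_check(&c, reason, n);
}

/* Constructed samples: a WPA/WPA2 mixed network and a WPA3-Personal transition network. */
const char WEAK_CFG[] = "wpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\nrsn_pairwise=TKIP CCMP\nieee80211w=0\n";
const char WPA3_CFG[] = "wpa=2\nwpa_key_mgmt=WPA-PSK SAE\nrsn_pairwise=CCMP\nieee80211w=1\nsae_require_mfp=1\n";
```

check_text(WEAK_CFG, ...) returns 0 with the legacy-protocol reason, while check_text(WPA3_CFG, ...) returns 1; a WPA3-only network (wpa_key_mgmt=SAE) additionally needs ieee80211w=2 to pass.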

TP-Link kept thousands of vulnerable routers at risk of remote hijack, failed to alert customers

Vincy Davis
23 May 2019
3 min read
Yesterday, TechCrunch reported that thousands of TP-Link routers are still vulnerable to a bug discovered in January 2018. The vulnerability allows even a low-skilled attacker to remotely gain full access to an affected router. An attacker could also target vulnerable devices at scale, by scanning the web and hijacking routers that use default passwords, the way the Mirai botnet took down Dyn. TP-Link updated the firmware page to share the fix with its customers only after TechCrunch reached out to them.

https://twitter.com/zackwhittaker/status/1131221621287604229

In October 2017, Andrew Mabbitt, founder of the U.K. cybersecurity firm Fidus Information Security, first discovered and disclosed a remote code execution bug in the TP-Link WR940N router. The vulnerabilities arose from multiple code paths calling strcpy on user-controllable, unsanitized input. TP-Link released a patch for the vulnerable router in November 2017. In January 2018, Mabbitt warned TP-Link that another router, the WR740N, was at risk from the same bug, because the company had reused the same vulnerable code in both devices. TP-Link asked Mabbitt for more details about the CVE-2017-13772 (WR940N) vulnerability. After providing the details, Mabbitt requested an update three times and warned of public disclosure in March if none was provided. On 28th March 2018, TP-Link provided Mabbitt with a beta version of the firmware to fix the issue. He confirmed that the issue was fixed and asked TP-Link to release the production version of the firmware. After receiving no response from TP-Link for another month, Mabbitt publicly disclosed the vulnerability on 26th April 2018. The fix had still not been published by then. When TechCrunch enquired, the firmware update for the WR740N was still missing from the company's website as of 16th May 2019.

A TP-Link spokesperson told TechCrunch that the update was "currently available when requested from tech support" and did not explain why. Only after TechCrunch highlighted the issue did TP-Link update the firmware page, on 17th May 2019, to include the latest security update. The page states that the firmware update is meant to resolve issues the previous firmware version may have and to improve its performance. In a statement to TechCrunch, Mabbitt said, "TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company's tech support."

This has been highly irresponsible behavior on TP-Link's part. Even after a third party discovered the bug more than a year ago, TP-Link did not bother to keep its users informed. This news comes at a time when both the U.K. and the U.S. state of California are set to implement laws to improve Internet of Things security. Soon companies will be required to sell devices with unique default passwords, to prevent botnets from hijacking internet-connected devices at scale and using their collective internet bandwidth to knock websites offline.

https://twitter.com/dane/status/1131224748577312769
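The bug class Mabbitt describes, as an added example in C that is not TP-Link's firmware: a fixed-size buffer filled by strcpy from a request parameter, beside a length-checked replacement that every input path shares. The struct, field names, sizes and sample parameters are hypothetical.

```c
/* Added example (not TP-Link's firmware): the bug class the article describes,
 * a fixed-size stack buffer filled by strcpy() from a request parameter, beside
 * a length-checked replacement. Field names and sizes are hypothetical. */
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32   /* hypothetical field sizes, including the terminating NUL */
#define PSK_MAX  64

struct wifi_settings {
    char ssid[SSID_MAX];
    char psk[PSK_MAX];
};

/* Vulnerable pattern (CWE-121): strcpy() copies until it finds a NUL, so an
 * "ssid" parameter longer than 31 bytes overwrites whatever follows the array.
 * Kept only for contrast with the bounded version below. */
void set_ssid_unsafe(struct wifi_settings *s, const char *user_value)
{
    strcpy(s->ssid, user_value);   /* no bound on the source length */
}

/* Hardened copy: measure the input without reading past out_len bytes,
 * refuse anything that does not fit rather than silently truncating it,
 * and always leave out NUL-terminated. Returns 0 on success, -1 on reject. */
int copy_bounded(char *out, size_t out_len, const char *user_value)
{
    size_t n = 0;
    if (out == NULL || out_len == 0 || user_value == NULL)
        return -1;
    while (n < out_len && user_value[n] != '\0')   /* bounded scan */
        n++;
    if (n == out_len)                               /* no room for the NUL */
        return -1;
    memcpy(out, user_value, n);
    out[n] = '\0';
    return 0;
}

/* Every code path that accepts request input goes through the same routine.
 * The article notes the same vulnerable code was reused across models; with one
 * shared bounded copy, a fix lands everywhere it is used. A rejected request
 * leaves the live settings untouched. */
int apply_request(struct wifi_settings *s, const char *ssid_param, const char *psk_param)
{
    struct wifi_settings tmp;
    if (copy_bounded(tmp.ssid, sizeof tmp.ssid, ssid_param) != 0)
        return -1;
    if (copy_bounded(tmp.psk, sizeof tmp.psk, psk_param) != 0)
        return -1;
    *s = tmp;   /* commit only after both fields validated */
    return 0;
}

int main(void)
{
    struct wifi_settings s = {"old-ssid", "old-psk"};
    char too_long[200];
    memset(too_long, 'A', sizeof too_long - 1);   /* constructed 199-byte parameter */
    too_long[sizeof too_long - 1] = '\0';

    printf("valid   : %d\n", apply_request(&s, "HomeNetwork", "correct horse battery"));
    printf("overlong: %d (ssid still %s)\n", apply_request(&s, too_long, "x"), s.ssid);
    return 0;
}
```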

Facebook must stop discriminatory advertising in the US, declares Washington AG, Ferguson

Sugandha Lahoti
26 Jul 2018
3 min read
Attorney General Bob Ferguson announced the day before yesterday (24th July 2018) that Facebook has been found guilty of providing discriminatory advertisements on its platform. The platform provides third-party advertisers with the option to exclude ethnic and religious minorities, immigrants, LGBTQ individuals and other protected groups from seeing their ads. If these groups cannot see the ads at all, they are deprived of the opportunities the advertisements offer.

Source: Office of the Attorney General

Following this verdict, Facebook has signed a legally binding agreement to make changes to its advertising platform within 90 days. Under this agreement, Facebook will no longer provide advertisers with options to exclude ethnic groups from ads for housing, credit, employment, insurance and public accommodations. Facebook will also no longer provide advertisers with tools to discriminate based on race, creed, color, national origin, veteran or military status, sexual orientation and disability status.

This matter was first brought to light by ProPublica in 2016, when they went undercover and bought multiple rental housing ads on Facebook in which certain categories of users were excluded from seeing the ads. According to ProPublica, "Every single ad was approved within minutes." The allegations were alarming, and the AG's office decided to investigate. They used the platform to create 20 fake ads that excluded one or more ethnic minorities from receiving their advertising. Despite these exclusions, Facebook's advertising platform approved all 20 ads.

"Facebook's advertising platform allowed unlawful discrimination on the basis of race, sexual orientation, disability, and religion," said Ferguson. "That's wrong, illegal, and unfair." The Attorney General's investigation found the platform's unlawful targeting options to be unfair acts and practices, in violation of the state Consumer Protection Act and the Washington Law Against Discrimination.

Read more: 5 reasons the government should regulate technology

This led to a permanent, legally binding agreement that aims to close all loopholes and prevent Facebook from offering discriminatory advertising in any form. However, Peter Romer-Friedman, a lawyer with Outten & Golden LLP, points out that the "agreement does nothing to address age discrimination or gender discrimination on Facebook".

This agreement is legally binding in Washington state, and Facebook has agreed to change its platform nationwide. Apart from fixing its advertising platform within 90 days, it is also required to pay the Washington State AG's Office $90,000 in costs and fees.

This agreement is a win not just for the citizens of Washington state but for the whole United States, since Facebook has agreed to implement its improved advertising options nationwide. But it is a very small step for the entire world. The ball is in Facebook's court now. We'll have to wait and see whether it proactively generalizes these policies on a worldwide scale or whether the public and the law need to hold Facebook accountable for the power its platform holds over the lives of its more than 2 billion users.

Researchers prove that Intel SGX and TSX can hide malware from antivirus software

Melisha Dsouza
13 Feb 2019
4 min read
Researchers Michael Schwarz, Samuel Weiser, and Daniel Gruss from Graz University of Technology have published a research paper demonstrating how Intel SGX can itself pose a security threat. SGX (Software Guard eXtensions) can allow malicious code to run on a system in a way that cannot be identified or analyzed by antivirus software.

SGX allows programs to establish protected enclaves for code and data, where no other program on the system can spy on them or tamper with them. The contents of an enclave are encrypted when written to RAM and decrypted upon being read, and the processor does not allow code from outside the enclave to access the enclave's memory. The researchers used this model to explore what happens if the code inside the enclave itself is malicious. SGX is designed in such a way that antimalware software is unable to detect the malware, making these enclaves the perfect spot for planting malicious code. The researchers demonstrate this with an SGX-ROP attack, which uses a Transactional Synchronization Extensions (TSX)-based memory disclosure primitive as part of the process. TSX was also a part of the Meltdown attacks launched on Intel processors.

How does the attack take place?

According to the researchers, code in an enclave is quite restricted: it cannot make operating system calls, open files, read data from disk, or write to disk. All of these operations have to be performed from outside the enclave; only the encryption operation would occur within the enclave. That said, the enclave code has the ability to read and write anywhere in the unencrypted process memory. To work within this model the researchers used TSX, which provides a constrained form of transactional memory where a thread can modify different memory locations and then publish those modifications in one single atomic update. The enclave uses this functionality to scan the memory of the host process, finding the components for its ROP payload and somewhere to write that payload. It then redirects the processor to run that payload, which can mark a section of memory as executable so the malware can place its own set of supporting functions somewhere it can access.

What's more, the critical encryption takes place inside the enclave, making it impossible to extract the encryption key or even analyze the malware to find out what algorithm it uses to encrypt the data. Another thing to note is that the malware isn't constrained by the enclave: it can subvert the host application to access operating system APIs, making way for attacks such as ransomware-style encryption of a victim's files.

This is what an Intel spokesperson replied to ZDNet in an email: "Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel® SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources. Protecting customers continues to be a critical priority for us, and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Gruss for their ongoing research and for working with Intel on coordinated vulnerability disclosure".

The research paper outlines four steps required to perform the attack:

1. The malicious enclave scans the host application for usable ROP gadgets using the read primitive.
2. The enclave identifies writable memory caves through the write primitive and injects the arbitrary malicious payload into those caves.
3. The enclave uses the gadgets identified in step 1 to construct a ROP chain and injects it into the application stack.
4. The enclave returns execution to the host application.

Once the application hits the ROP chain on the stack, the actual exploitation starts. The ROP chain runs with host privileges, and the attacker can then issue arbitrary system calls to compromise the system. Head over to the research paper to learn more about the methodology the researchers followed for this attack.