Tech News - Cybersecurity

Last year, a GDPR complaint was filed against Google and other ad auction companies regarding data breach. The complaint alleged that tech companies broadcasted people’s personal data to dozens of companies, without proper security through a mechanism of “behavioural ads”. The complaint was filed by a host of privacy activists and pro-privacy browser firm Brave. This year in January, new evidences emerged indicating the broadcasted data includes information about people’s ethnicity, disabilities, sexual orientation and more. This sensitive information allows advertisers to specifically target incest, abuse victims, or those with eating disorders. This complaint was filed by an anti-surveillance NGO, the Panoptykon Foundation. The initial complaints were filed in Ireland, the UK, and Poland. Now, yesterday, a new GDPR complaint about Real-Time Bidding (RTB) in the online advertising industry was filed with Data Protection Authorities in Spain, Netherlands, Belgium, and Luxembourg. In total seven EU countries have raised the GDPR issue, this week when it marked completion of one year since Europe’s General Data Protection Regulation (GDPR) came into force. The complaints were lodged by Gemma Galdon Clavell , Diego Fanjul , David Korteweg , Jef Ausloos , Pierre Dewitte , and Jose Belo . The complaints suggest Google and other major companies have leaked vast scale of personal data to the “Ad Tech” industry. https://twitter.com/mikarv/status/1130374705440018433 How RTB system is used for data breach According to the complaint, Google’s DoubleClick recently renamed “Authorized Buyers”, has 8.4 million websites and uses it to broadcasts personal data about visitors to over 2,000 companies. Google is using Real-Time Bidding (RTB) system for it. This means every time a person visits Google web page, intimate personal data about the users and what they are viewing is broadcasted in a “bid request”. These requests are then sent to hundreds of other companies to solicit bids from potential advertisers’ for the opportunity to show an ad to a specific visitor. This data includes people’s exact locations, inferred religious, sexual, political characteristics. The data also includes what users are reading, watching, and listening to online, and a unique code which details to  'Expression of Interest' section on a website. The next biggest ad exchange is AppNexus, owned by AT&T, which conducts 131 billion personal data broadcasts every day. Once the data is broadcasted, there is no control as to what happens to the data thereafter. Google has a self-regulatory guideline for companies that rely on its broadcast, according to which, companies should inform them if they are breaking any rules. Google has assured that over 2,000 companies are “certified” in this way. However, Google DoubleClick/Authorized Buyers sends intimate personal information about virtually every single online person to these companies, billions of times a day. This is one of the massive leakage of personal data recorded so far as this occurs hundreds of billions of times every day. In a statement to Fix AdTech, CEO of Eticas, Gemma Galdon Cavell has said, “We hope that this complaint sends a strong message to Google and those using Ad Tech solutions in their websites and products. Data protection is a legal requirement must be translated into practices and technical specifications” Google will be fined heavy for not complying to GDPR Under the GDPR, a company is not permitted to use personal data unless it tightly controls what happens to that data. Article 5 (1)(f) requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss.” The largest GDPR fine ever, is issued to Google amounting to 50M euros. In January, a French data protection watchdog, CNIL alleged that the search engine giant was breaking GDPR rules around transparency. It also reported that Google did not have valid legal base, when processing people's data for advertising purposes. Meanwhile, Google is still appealing to the fine. Many users on Hacker News are having varied opinions regarding the need for regulation and also about the credibility of GDPR. A user states, “To be clear, I think some privacy regulation is necessary, but there seems to be some kind of dissonance. People want a service, but are unwilling to pay for it nor give their data. Then they complain to the government that they should be able to get the service without payment anyway.” Another user added, “From a user perspective, GDPR has no impact so far. I am still being tracked to death wherever I go. Neither do companies offer me a way to get the data they have about me.” GAO recommends for a US version of the GDPR privacy laws ProtonMail shares guidelines to help organizations achieve EU GDPR compliance As US-China tech cold war escalates, Google revokes Huawei’s Android support, allows only those covered under open source licensing

At the Black Hat 2019 security conference in Las Vegas, Ruben Santamarta, an IOActive Principal Security Consultant in his presentation said that there were vulnerabilities in the Boeing 787 Dreamliner’s components, which could be misused by hackers. The security flaws are in the code for a component known as a Crew Information Service/Maintenance System. “The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots,” according to Bruce Schneier's (public-interest technologist) blog.  Boeing, however, strongly disagreed with Santamarta’s findings saying that such an attack is not possible and rejected Santamarta’s “claim of having discovered a potential path to pull it off.” SantaMarta says, “An attacker could potentially pivot from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors.” According to Wired, “Santa­marta himself admits that he doesn't have a full enough picture of the aircraft—or access to a $250 million jet—to confirm his claims.” In a whitepaper Santamarta released earlier this month, he points out that in September 2018, a publicly accessible Boeing server was identified using a simple Google search, exposing multiple files. On further analysis, the exposed files contained parts of the firmware running on the Crew Information System/Maintenance System (CIS/MS) and Onboard Networking System (ONS) for the Boeing 787 and 737 models respectively. These included documents, binaries, and configuration files. Also, a Linux-based Virtual Machine used to allow engineers to access part of the Boeing’s network access was also available.  “The research presented in this paper is based on the analysis of information from public sources, collected documents, and the reverse engineering work performed on the 787’s CIS/MS firmware, which has been developed by Honeywell, based on a regular (nonavionics, non-certified, and non-ARINC-653-compliant) VxWorks 6.2 RTOS (x86) running on a Commercial Off The Shelf (COTS) CPU board (Pentium M),” the whitepaper states.  Santamarta identified three networks in the 787, the Open Data Network (ODN), the Isolated Data Network (IDN), and the Common Data Network (CDN). The ODN talks with the outside, handling communication with potentially dangerous devices. The IDN handles secure devices, but not necessarily ones that are connected to aircraft safety systems; a flight data recorder is an example. Santamarta described the CDN as the "backbone communication of the entire network," connecting to electronics that could impact the safety of the aircraft. According to PCMag, “Santamarta was clear that there are serious limitations to his research, since he did not have access to a 787 aircraft. Still, IOActive is confident in its findings. "We have been doing this for many years, we know how to do this kind of research." SantaMarta said "We're not saying it's doomsday, or that we can take a plane down. But we can say: This shouldn't happen." Boeing, on the other hand, denies the claims put forward by SantaMarta and says that the claims do not represent any real threat of a cyberattack. In a statement to Wired, Boeing writes, "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system." The statement further reads, "IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation." "Although we do not provide details about our cybersecurity measures and protections for security reasons, Boeing is confident that its airplanes are safe from cyberattack," the company's statement concludes. In a follow-up call with WIRED, Boeing’s company spokesperson said that “in investigating IOActive's claims, Boeing had gone so far as to put an actual Boeing 787 in "flight mode" for testing, and then had its security engineers attempt to exploit the vulnerabilities that Santamarta had exposed. They found that they couldn't carry out a successful attack.”  Further, according to Wired, Boeing also consulted with the Federal Aviation Administration and the Department of Homeland Security about Santamarta's attack hypothesis. The DHS didn't respond to a request for comment, but an FAA spokesperson wrote in a statement to WIRED that it's "satisfied with the manufac­turer’s assessment of the issue." The Boeing fleet has been in the news for quite some time ever since Boeing's grounded 737 MAX 8 aircraft killed a total of 346 people in two fatal air crashes in October last year and in March this year.  Stefan Savage, a computer science professor at the University of California at San Diego, said,"The claim that one shouldn't worry about a vulnerability because other protections prevent it from being exploited has a very bad history in computer security." Savage is currently working with other academic researchers on an avionics cybersecurity testing platform. "Typically, where there's smoke there's fire," he further adds.  Per Wired, “The Aviation Industry Sharing and Analysis Center shot back in a press release that his findings were based on "technical errors." Santamarta countered that the A-ISAC was "killing the messenger," attempting to discredit him rather than address his research.” PCMag writes, “Santamarta is skeptical. He conceded that it's possible Boeing added mitigations later on, but says there was no evidence of such protections in the code he analyzed." A reader on Schneier’s blog post writes that Boeing should allow SantaMarta’s team to conduct a test, for the betterment of the passengers, “I really wish Boeing would just let them test against an actual 787 instead of immediately dismissing it. In the long run, it would work out way better for them, and even the short term PR would probably be a better look.” Another reader commented about lax FAA standards on schneier’s blog post, “Reading between the lines, this would infer that FAA/EASA certification requires no penetration testing of an aircrafts systems before approving a new type. That sounds like “straight to the scene of the accident” to me…” A user who is responsible for maintenance of 787’s wrote on HackerNews, “Unlike the security researcher, I do have access to multiple 787s as I am one of many people responsible for maintaining them. I'm obviously not going to attempt to exploit the firmware on an aircraft for obvious reasons, but the security researcher's notion that you can "pivot" from the in flight entertainment to anything to do with aircraft operation is pure fantasy.” He further added, “These systems are entirely separate, including the electricity that controls the systems. This guy is preying on individuals' lack of knowledge about aircraft mechanics in order to promote himself.” Another user on HackerNews shared, “I was flying about a year ago and was messing with the in flight entertainment in a 787. It was pretty easy to figure out how to get to a boot menu in the in flight entertainment. I was thinking "huh, this seems like maybe a way in". Seeing how the in-flight displays navigational data it must be on the network as the flight systems. I'm sure there is some kind of segregation but it’s probably not ultimately secure.” Savage tells Wired, "This is a reminder that planes, like cars, depend on increasingly complex networked computer systems. They don't get to escape the vulnerabilities that come with this." To know more about this news, read the whitepaper by the IOActive team. You can also head over to Wired’s detailed analysis.  “Deep learning is not an optimum solution for every problem faced”: An interview with Valentino Zocca 4 common challenges in Web Scraping and how to handle them Microsoft workers protest the lethal use of Hololens2 in the $480m deal with US military

Last Friday, ZDNet reported about Canva’s data breach. Canva is a popular Sydney-based startup which offers a graphic design service. According to the hacker, who directly contacted ZDNet, data of roughly 139 million users has been compromised during the breach. Responsible for the data breach is a hacker known as GnosticPlayers online. Since February this year, they have put up the data of 932 million users on sale, which are reportedly stolen from 44 companies around the world. "I download everything up to May 17," the hacker said to ZDNet. "They detected my breach and closed their database server." Source: ZDNet website In a statement on the Canva website, the company confirmed the attack and has notified the relevant authorities. They also tweeted about the data breach on 24th May as soon as they discovered the hack and recommended their users to change their passwords immediately. https://twitter.com/canva/status/1132086889408749573 “At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first,” the statement said. “On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI). “We’re aware that a number of our community’s usernames and email addresses have been accessed.” Stolen data included details such as customer usernames, real names, email addresses, and city & country information. For 61 million users, password hashes were also present in the database. The passwords where hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around. For other users, the stolen information included Google tokens, which users had used to sign up for the site without setting a password. Of the total 139 million users, 78 million users had a Gmail address associated with their Canva account. Canva is one of Australia's biggest tech companies. Founded in 2012, since the launch, the site has shot up the Alexa website traffic rank, and has been ranking among the Top 200 popular websites. Three days ago, the company announced it raised $70 million in a Series-D funding round, and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world's biggest free stock content sites -- Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker. According to reports from Business Insider, the community was dissatisfied with how Canva responded to the attack. IT consultant Dave Hall criticized the wording Canva used in a communication sent to users on Saturday. He believes Canva did not respond fast enough. https://twitter.com/skwashd/status/1132258055767281664 One Hacker News user commented , “It seems as though these breaches have limited effect on user behaviour. Perhaps I'm just being cynical but if you are aren't getting access and you are just getting hashed passwords, do people even care? Does it even matter? Of course names and contact details are not great. I get that. But will this even effect Canva?” Another user says, “How is a design website having 189M users? This is astonishing more than the hack!” Facebook again, caught tracking Stack Overflow user activity and data Ireland’s Data Protection Commission initiates an inquiry into Google’s online Ad Exchange services Adobe warns users of “infringement claims” if they continue using older versions of its Creative Cloud products

Have you heard about the latest VPNFilter Malware attack? In brief, the software networking firm and its network analysis department known as ‘Talos’ identified a malware known as VPNFilter a few weeks ago. Something about these attacks made them particularly risky. If you are an individual or any small or medium business organization accessing the internet using routers from companies such as Linksys, Netgear, QNAP, TP-Link, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE then you are vulnerable to the VPNFilter malware attack. Read on to understand where do you stand and what you can do to avoid falling victim of this vicious malware attack. How VPNFilter malware works? The first thing that you need to understand is that VPNFilter has a 3 stage attack procedure. The first stage, which is one of the most potent and dangerous one too, plants itself into the router firmware. In most malware attack cases, a reboot would make the malware go away. That’s where VPNFilter stands out. It persists through the reboot and after the reboot it initiates the second stage. The second stage is about spying on the user activity and data and then storing and accessing user data, tracking the URLs and getting to know more about the victim. The most terrifying factor is that the user never realizes that they have been attacked. The reason being that VPNFilter uses the technique of “Man in the Middle” or MitT attack. What happens in this form of cyber attack is that the spyware gets attached to the router and then collects user data and prepares for a larger assault while the user is completely unaware of it. The image below explains the process.     Source: Yeahhub.com If this seems scary to you then you haven’t yet heard the interesting bit yet. The third stage is about introducing different plugins which can perform different types of actions. One of them is it can downgrade the security level of your requests from HTTPS to HTTP protocol. This in turn makes your data unencrypted and also makes your passwords and other valuable data open to anyone who is snooping on your network. The rest of the hacking process then eventually becomes much easier. Imagine what could happen if you logged in to a social media platform or into your netbanking application and the data is phished away. The worst part is that you won’t even know that your account is hacked until the hackers expose themselves by making malicious transactions. The horror story doesn’t end here, it also comes with a “Remote Destroy” button. This enables the hackers to delete important network and configuration files from your router before destroying the malware and this means your router will be rendered useless after they choose to do so. This gives them the power to disrupt internet connectivity on a global scale since the number of routers presently affected can be anywhere around 500k. Is there a way out? How can you save your router from this onslaught. Rebooting doesn’t work. The only way that some groups have suggested is to restore factory defaults of your router, upgrade the firmware of your router, and log in with your credentials. This three step process might be the only way you can get away from this attack. How to know that your router is no good? Try updating it to the latest version of firmware, if it says unable to upgrade, you can be damn sure of the fact that it’s time for you to buy a new one. BeyondCorp is transforming enterprise security Top 5 cybersecurity assessment tools for networking professionals IoT Forensics: Security in an always connected world where things talk

In the real world, a person having multiple identities is said to have Dissociative identity disorder (DID); but what about the virtual world? Social media sites such as Facebook, Twitter, and so on have an equal number or even more fake identity profiles than real ones. It has set out on a mission to excise these fake and suspicious profiles from its platform. The committee plans to depreciate 214% more accounts on a yearly basis for violating its spam policies. Source: Twitter blog Twitter initiated this drive to improve the authenticity of conversations on the platform. It also aims to ensure users have access to information that is highly credible, relevant, and of a high-quality. Following this, it started off its battle against the fake profiles and has been constantly suspending fake accounts which are inauthentic, spammy or created via malicious automated bots. Instead of waiting for people to report on these accounts, the company is proactively dodging across problematic accounts and observing their behavior by using machine learning tools. These tools identify spam or automated accounts and automatically take necessary actions. Some plans Twitter has, to avoid fake account creation, include: Enabling a read-only mode to reduce visibility of suspicious accounts It plans to monitor the behaviour of every profile and update its account metrics in near-real time. This will help in knowing the number of followers an account has, or the number of likes or Retweets a Tweet receives, and so on. The account may even be converted into a read-only mode, if found behaving suspiciously. The account will be removed from follower figures and engagement counts until it has passed a challenge of conforming the account with a phone number. A warning is displayed against such read-only accounts to prevent new accounts from following it. Once the account passes the challenge, its footprint is restored. Improving Twitter’s sign-up process Twitter will make it all the more difficult for spam accounts to register for an account. The new accounts will also have to confirm either an email address or phone number when they sign up to Twitter. It also plans to working closely with its Trust and Safety Council and other expert NGOs to ensure this change does not affect people working in a high-risk environment where anonymity is necessary. This process would be rolled-out later this year. Auditing existing accounts for signs of automated sign-up It is also conducting an audit to secure a number of legacy systems used to create accounts. This process will ensure that every account created on Twitter passes some simple, automatic security checks designed to prevent automated signups. The new protections Twitter has recently developed as a result of this audit have already aided them in preventing more than 50,000 spam sign-ups per day. Malicious behavior detection systems being expanded They are also planning to automate some processes where suspicious account activity is detected by the behavior detection systems. Activities such as exceptionally high-volume tweeting using the same hashtag, or the same @username without a reply from the account. These tests vary in intensity, and may simply request the account owner to complete a simple reCAPTCHA process or a password reset request. Complex cases are automatically passed to the team for review. Twitter has fastened its seat belt and won’t stop until it takes down all the fake accounts from its platform. While this move is bold and commendable for a social network platform given the steep rise in fake news and other allied unsavory consequences of an ever-connected world, Twitter’s investors did not take it well. The company shares fell to around 9.7% on Monday, after it announced that it is suspending more than 1 million accounts a day. As per a Twitter statement, the account suspension doubled since October last year. Many speculate that this is a response to the congressional pressure the platform has been receiving regarding the alleged Russian fake accounts found on Twitter to interfere with the U.S elections held last year. The number reached around 7 million in May and June, and a similar pace continues in July. Though this move raises serious concerns around their falling user growth rate, this is an important step for the organization to improve the health of their social platform. Chief Financial Officer, Ned Segal, tweeted, "most accounts we remove are not included in our reported metrics as they have not been active on the platform for 30 days or more, or we catch them at sign up and they are never counted." I, for one, ‘like’ Twitter’s decision. Minor inconveniences are a small price to pay for a more honest commune and information sharing. Read more about this news on The Washington Post’s original coverage. Top 5 cybersecurity assessment tools for networking professionals Top 5 Cybersecurity Myths Debunked Top 10 IT certifications for cloud and networking professionals in 2018  

On August 19, the Kubernetes Community disclosed that a security issue has been found in the net/http library of the Go language affecting all versions and all components of Kubernetes. This can further result in a DoS attack against any process with an HTTP or HTTPS listener. The two high severity vulnerabilities, CVE-2019-9512 and CVE-2019-9514 have been assigned CVSS v3.0 base scores of 7.5 by the Kubernetes Product Security Committee. These vulnerabilities allow untrusted clients to allocate an unlimited amount of memory until the server crashes. The Kubernetes' development team has released patched versions to address these security flaws to further block potential attackers from exploiting them. CVE-2019-9512 Ping Flood In CVE-2019-9512, the attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. CVE-2019-9514 Reset Flood In CVE-2019-9514, the attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service. The Go team announced versions go1.12.8 and go1.11.13, following which the Kubernetes developer team has released patch versions of Kubernetes built using the new versions of Go. Kubernetes v1.15.3 - go1.12.9 Kubernetes v1.14.6 - go1.12.9 Kubernetes v1.13.10 - go1.11.13 On August 13, Netflix announced the discovery of multiple vulnerabilities that can affect server implementations of the HTTP/2 protocol. The popular video streaming website issued eight CVEs in their security advisory and two of these also impact Go and all Kubernetes components designed to serve HTTP/2 traffic (including /healthz). The Azure Kubernetes Service community has recommended customers to upgrade to a patched release soon. “Customers running minor versions lower than the above (1.10, 1.11, 1.12) are also impacted and should also upgrade to one of the releases above to mitigate these CVEs”, the team suggests. To know more about this news in detail, read AKS Guidance and updates on GitHub. Security flaws in Boeing 787 CIS/MS code can be misused by hackers, security researcher says at Black Hat 2019 CNCF-led open source Kubernetes security audit reveals 37 flaws in Kubernetes cluster; recommendations proposed Cybersecurity researcher "Elliot Alderson" talks Trump and Facebook, Google and Huawei, and teaching kids online privacy [Podcast]

Last week, an appellate court in San Francisco ruled against Facebook’s appeal to block a class-lawsuit over a massive data breach it witnessed last year. This data breach impacted nearly 30 million Facebook users. On September 25th last year, Facebook discovered a data breach caused by a vulnerability that existed in its code between July 2017 and September 2018. This vulnerability “was the result of a complex interaction of three distinct software bugs.” These bugs were related to the “View As” feature that allows users to see what their profile looks like to another user. By exploiting this vulnerability, the attackers were able to steal digital access tokens of users. These keys make it easier for users to access their profiles without having to log in every time they visit the site. Facebook shared that the attackers were able to see everything in a user’s profile, although it was not sure whether they got access to private messages or if any of that data was misused. Zuckerberg in a call with reporters following the data breach said, “So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts. But this, of course, may change as we learn more. The attackers used our APIs to access profile information fields like name, gender, hometown, etc. But we do not yet know if any private information was accessed that way.” The class-lawsuit against Facebook alleged to violate user privacy Following this incident, several Facebook users filed class-action complaints in a San Francisco appeals court, alleging that Facebook has failed to protect its users' data. The class-action lawsuit alleges that the vulnerability in Facebook’s code plus its “grossly inadequate” security measures have made victims’ more prone to identity theft. The lawsuit seeks to represent all people “who registered for Facebook accounts in the United States and whose PII (personally identifiable information) was accessed, compromised, or stolen from Facebook in the September 2018 data breach.” As a legal remedy, the plaintiffs are seeking statutory damages, penalties, punitive damages, and attorneys’ fees. In response, Facebook appealed to block the lawsuit in March arguing that some of the plaintiffs’ information was not “sensitive” as it was publicly available on their Facebook profile. And, therefore, no real harm had been done as the attackers were not able to steal users’ financial information and passwords. U.S. District Judge William Alsup dismissed Facebook’s appeal saying, “The lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information.” He added, “Further, some of the information here was private, and plaintiff plausibly placed trust in Facebook to employ appropriate data security. From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks.’” This is not the only instance were Facebook has shown its negligence towards personal data. Earlier this month, during a pretrial hearing, Facebook argued that it didn’t violate users’ privacy rights because there’s no expectation of privacy when using social media. Recently Aaron Greenspan, the founder of Think Computer Corporation, claimed that Mark does not really believe in the concept of personal data as Facebook has performed security fraud on a number of occasions, in an incredibly blatant manner. This is one of the many lawsuits against Facebook. Earlier this month, the Austrian Supreme Court overturned Facebook’s appeal to block a lawsuit against it for not conforming to Europe’s General Data Protection Regulation (GDPR). Regarding its alleged involvement in the Cambridge Analytica case, the social media giant is also preparing to pay a fine of up to $5 billion. You can read the lawsuit to know more details. Austrian Supreme Court rejects Facebook’s bid to stop a GDPR-violation lawsuit against it by privacy activist, Max Schrems Facebook fails to block ECJ data security case from proceeding Zuckberg just became the target of the world’s first high profile white hat deepfake op. Can Facebook come out unscathed?  

Over the last three weeks, more than 12,000 unsecured MongoDB databases have been deleted. The cyber-extortionist have left only an email contact, most likely to negotiate the terms of data recovery. Attackers looking for exposed database servers use BinaryEdge or Shodan search engines to delete them and usually demand a ransom for their 'restoration services'. MongoDB is not new to such attacks, previously in September 2017 MongoDB databases were hacked, for ransom. Also, earlier this month, Security Discovery researcher Bob Diachenko found an unprotected MongoDB database which exposed 275M personal records of Indian citizens. The record contained a personal detailed identifiable information such as name, gender, date of birth, email, mobile phone number, and many more. This information was left exposed and unprotected on the Internet for more than two weeks. https://twitter.com/MayhemDayOne/status/1126151393927102464 The latest attack on MongoDB database was found out by Sanyam Jain, an independent security researcher. Sanyam first noticed the attacks on April 24, when he initially discovered a wiped MongoDB database. Instead of finding the huge quantities of leaked data, he found a note stating: “Restore ? Contact : unistellar@yandex.com”. It was later discovered that the cyber-extortionists have left behind ransom notes asking the victims to get in touch, if they want to restore their data. Two email addresses were provided for the same: unistellar@hotmail.com or unistellar@yandex.com. This method to find and wipe databases in such large numbers is expected to be automated by the attackers. The script or program used to connect to the publicly accessible MongoDB databases is also configured to indiscriminately delete every unsecured MongoDB it can find and later add it to the ransom table. In a statement to Bleeping Computer, Sanyam Jain says, “the Unistellar attackers seem to have created restore points to be able to restore the databases they deleted” Bleeping Computer have stated that there is no way to track if the victims have been paying for the databases to be restored because Unistellar only provides an email to be contacted and no cryptocurrency address is provided. Bleeping Computer also tried to get in touch with Unistellar to confirm if the wiped MongoDB databases are indeed backed up and if any victim have already paid for their "restoration services" but got no response. How to secure MongoDB databases MongoDB databases are remotely accessible and access to them is not properly secured. These frequent attacks highlight the need for an effective protection of data. This is possible by following fairly simple steps designed to properly secure one’s database. Users should take the simple preventive measure of enabling authentication and not allowing the databases to be remotely accessible. MongoDB has also provided a detailed manual for Security. It includes various features, such as authentication, access control, encryption, to secure a MongoDB deployments. There’s also a Security Checklist for administrators to protect the MongoDB deployment. The list discusses the proper way of enforcing authentication, enabling role-based access control, encrypt communication, limiting network exposure and many more factors for effectively securing MongoDB databases. To know more about this news in detail, head over to Bleeping Computer’s complete coverage. MongoDB is going to acquire Realm, the mobile database management system, for $39 million MongoDB withdraws controversial Server Side Public License from the Open Source Initiative’s approval process GNU Health Federation message and authentication server drops MongoDB and adopts PostgreSQL

A vulnerability in Mac’s Zoom Client allows any malicious website to initiate users’ camera and forcibly join a Zoom call without their authority. This vulnerability was publicly disclosed by security researcher, Jonathan Leitschuh, today. The flaw exposes up to 750,000 companies around the world using the video conferencing app on their Macs, to conduct day-to-day business activities. It also allows a website to launch a DoS (Denial of Service) attack on Macs by repeatedly joining a user to an invalid call. Even if one tries to uninstall the app from their devices, it can even re-install the app without user’s permission with the help of a localhost web server on the machine that should have installed the app at least once. https://twitter.com/OldhamMade/status/1148476854837415936 “This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine”, Leitschuh writes. Leitschuh said that the vulnerability was responsibly disclosed on March 26, this year. This means the company had 90 days to fix this issue based on the disclosure policy. He had suggested a ‘quick fix’ which Zoom could have implemented by simply changing their server logic. However, Zoom first took 10 days to confirm the vulnerability and held a meeting about how the vulnerability would be patched, only 18 days before the end of the 90-day public disclosure deadline, i.e. June 11th, 2019. A day before the public disclosure, Zoom had only implemented the quick fix solution. “An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack”, Leitschuh says. Leitschuh also mentioned the Tenable Remote Code Execution in Zoom security vulnerability which was only patched within the last 6 months. “Had the Tenable vulnerability been combined with this vulnerability it would have allowed RCE against any computer with the Zoom Mac client installed. If a similar future vulnerability were to be found, it would allow any website on the internet to achieve RCE on the user’s machine”, Leitschuh adds. According to ZDNet, “Leitschuh also pointed out to Zoom that a domain it used for sending out updates was about to expire before May 1, but the domain was renewed in late April”. In a statement to The Verge, Zoom said, the local webserver was developed “to save users some clicks after Apple changed its Safari web browser in a way that requires Zoom users to confirm that they want to launch Zoom each time”. Zoom defended their “workaround” and said it is a “legitimate solution to poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.” The company said it would do some minor tweaking to the app this month. “Zoom will save users’ and administrators’ preferences for whether the video will be turned on, or not when they first join a call”, the company said. https://twitter.com/backlon/status/1148464344876716033 This move by Zoom is unfair towards users where they have to turn their cameras off and the company just escapes with a minor change to the app for such a serious security lapse issue where they should have taken a major step. Many are unhappy with the way Zoom is handling this vulnerability. https://twitter.com/chadloder/status/1148375915329495040 https://twitter.com/ticky/status/1148389970073096192 Users can patch the camera issue by themselves by updating their Mac and disabling the setting that allows Zoom to turn your camera on when joining a meeting. As mentioned earlier, the vulnerability may re-install the applications; hence, users are advised to run some terminal commands to turn off their web server. Leitschuh has explained these commands in detail in his blog post on Medium. Google researcher reveals an unpatched bug in Windows’ cryptographic library that can quickly “take down a windows fleet” Apple promotes app store principles & practices as good for developers and consumers following rising antitrust worthy allegations Google Project Zero reveals an iMessage bug that bricks iPhone causing repetitive crash and respawn operations

Recently, a group of researchers exposed a severe vulnerability called Key Negotiation Of Bluetooth (KNOB) that allows an attacker to break the Bluetooth Basic Rate/Extended Data Rate (BR/EDR) security. The vulnerability allows the attacker to intercept, monitor, or manipulate encrypted Bluetooth traffic between two paired devices, without being detected. The vulnerability was identified by researchers at the Center for IT-Security, Privacy and Accountability (CISPA) who shared their findings in a paper “The KNOB is Broken: Exploiting Low Entropy in the Encryption Key Negotiation Of Bluetooth BR/EDR”. The paper was included in the proceedings of the 28th USENIX Security Symposium (August 14–16), USA. In November 2018, the researchers of the paper shared the details of the attack with the Bluetooth SIG, the CERT Coordination Center, and the International Consortium for the Advancement of Cybersecurity on the Internet (ICASI), which is an industry-led coordination body founded by Intel, Microsoft, Cisco, Juniper and IBM. The vulnerability has been assigned CVE ID CVE-2019-9506. [box type="shadow" align="" class="" width=""]The Bluetooth BR/EDR is a popular wireless technology which is used for low-power short-range communications, and is maintained by the Bluetooth Special Interest Group (SIG).[/box] How does the KNOB attack the victim’s devices The researchers specify that such an attack would “allow a third party, without knowledge of any secret material (such as link and encryption keys), to make two (or more) victims agree on an encryption key—enabling the attacker to easily brute force the negotiated encryption keys, decrypt the eavesdropped ciphertext, and inject valid encrypted messages (in real-time)." Researchers add that the attack is “standard-compliant because all Bluetooth BR/EDR versions require to support encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected." In some cases, it can also allow an attacker to reduce the length of an encryption key to a single octet. "In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet,” according to an advisory released by Bluetooth. This in turn would make it much easier for an attacker to brute force the encryption key used by the paired devices to communicate with each other. The KNOB attack is effective, stealthy and cheap The KNOB attack is a serious threat to the security and privacy of all Bluetooth device users. It exploits the vulnerable encryption key negotiation protocol, hence risking all standard compliant Bluetooth devices irrespective of their Bluetooth version number and implementation details. This attack is highly ‘effective’ and severe as it can even attack secure Bluetooth connections. The KNOB attack is considered ‘stealthy’ (secretive), as the users and the Bluetooth application developers do not come to know about the attack, since it generally uses a Bluetooth link-layer encryption as a trusted service. Also, the protocol is transparent to the Bluetooth host (OS) and the Bluetooth application used by the victims. The KNOB attack is also cheap because the attacker does not need an expensive resource or an attacker model to conduct the attack. The researchers say, “We were surprised to discover such fundamental issues in a widely used and 20 years old standard. We urge the Bluetooth SIG to update the specification of Bluetooth according to our findings. Until the specification is not fixed, we do not recommend to trust any link-layer encrypted Bluetooth BR/EDR link.” Proposed countermeasures to the KNOB attack The researchers have proposed two classes of countermeasures to the KNOB attack. The first class is called the Legacy compliant countermeasure which requires a standard amount of negotiable entropy that cannot be easily brute-forced, e.g.,16 bytes of entropy. It also includes automated checks by the Bluetooth host to confirm the amount of negotiated entropy each time the link layer encryption is activated. This will enable the hosts to abort the connection if the entropy does not meet the minimum requirement. Another class of countermeasure is called the Non-legacy compliant which modifies the encryption key negotiation protocol by securing it using the link key. The link key should be a shared and an authenticated secret should always be made available before starting the entropy negotiation protocol. It should also have message integrity and confidentiality. Devices vulnerable to the KNOB attack The researchers have conducted the attack on more than 17 unique Bluetooth chips including Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers and all the devices were found to be vulnerable to the KNOB attack. On August 13th, Bluetooth released a Security Notice stating that the Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for further BR/EDR connections. However, the Bluetooth SIG says, “There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability. ” The researchers of this paper also disclosed KNOB attack to the Bluetooth Chip vendors in late 2018, following which some vendors have implemented workarounds for the vulnerability on their devices. These vendors include Apple macOS, iOS, and watchOS, Google, Cisco IP phones and Webex and Blackberry powered by Android phones who have added fixes to this vulnerability in their latest updates. Last week, the CERT Coordination Center also released an advisory to this attack. Last week, Microsoft released an update titled “CVE-2019-9506 | Encryption Key Negotiation of Bluetooth Vulnerability” They have proposed “a default 7-octet minimum key length to ensure that the key negotiation does not trivialize the encryption.” The researchers of this paper have also notified users that if their device has not been updated since late 2018, then it is likely to be vulnerable. Many people  are surprised to learn about the KNOB attack and are advising others to update their devices. https://twitter.com/aiacobelli_sec/status/1162348463402684416 https://twitter.com/4jorge/status/1162983043969236992 https://twitter.com/lgrangeia/status/1162170365541605377 https://twitter.com/jurajsomorovsky/status/1162119755475537926 To know more details about the KNOB attack, check out the “The KNOB is Broken” paper. Google to provide a free replacement key for its compromised Bluetooth Low Energy (BLE) Titan Security Keys Amazon FreeRTOS adds a new ‘Bluetooth low energy support’ feature Security flaws in Boeing 787 CIS/MS code can be misused by hackers, security researcher says at Black Hat 2019

Yesterday, Google, Mozilla, and Apple announced that by 2020, they will disable TLS 1.0 and 1.1 by default in their respective browsers. Kyle Pflug, Senior Program Manager for Microsoft Edge said, "January 19th of next year marks the 20th anniversary of TLS 1.0, the inaugural version of the protocol that encrypts and authenticates secure connections across the web." Chrome, Edge, Internet Explorer, Firefox, and Safari already support TLS 1.2 and will soon support recently-approved final version of the TLS 1.3 standard. On the other hand, Chrome and Firefox already support TLS 1.3, while Apple and Microsoft are still working towards supporting TLS 1.3. Why disable TLS 1.0 and 1.1? The Internet Engineering Task Force (IETF), an organization that develops and promotes Internet standards is hosting discussions to formally deprecated both TLS 1.0 and 1.1. TLS provides confidentiality and integrity of data in transit between clients and servers while exchanging information. In order to keep this data safe, it is essential to use modern and highly secures versions of this protocol. The Apple’s Secure Transports team has listed down some benefits of moving away from TLS 1.0 and 1.1 including: Modern cryptographic cipher suites and algorithms with desirable performance and security properties, e.g., perfect forward secrecy and authenticated encryption, that are not vulnerable to attacks such as BEAST. Removal of mandatory and insecure SHA-1 and MD5 hash functions as part of peer authentication. Resistance to downgrade-related attacks such as LogJam and FREAK. For Google Chrome users, Enterprise deployments can preview the TLS 1.0 and 1.1 removal today by setting the SSLVersionMin policy to ‘tls1.2’. For enterprise deployments that need more time, this same policy can be used to re-enable TLS 1.0 or TLS 1.1 until January 2021. Post depreciation here is what each browser maker has promised: TLS 1.0 and 1.1 will be disabled altogether in Chrome 81, which will start rolling out “on early release channels starting January 2020.” Edge and Internet Explorer 11 will disable TLS 1.0 and TLS 1.1 by default “in the first half of 2020.” Firefox will drop support for TLS 1.0 and TLS 1.1 in March 2020. TLS 1.0 and 1.1. will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020. Read more about this news in detail on Internet Engineering Task Force (IETF) blog post. Introducing TLS 1.3, the first major overhaul of the TLS protocol with improved security and speed Let’s Encrypt SSL/TLS certificates gain the trust of all Major Root Programs Java 11 is here with TLS 1.3, Unicode 11, and more updates

Two days ago, Microsoft revealed that Russian hackers are attempting to compromise IoT devices including a VOIP, a printer, and a video decoder across multiple locations. These attacks were discovered in April, by security researchers in the Microsoft Threat Intelligence Center. According to the Microsoft report, “These devices became points of ingress from which the actor established a presence on the network and continued looking for further access,” “Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data.” Microsoft officials said, “We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM,” which is a Russian-based hacking group also known as Fancy Bear or ATP28. “In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device,” the officials further added. “After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation,” the officials added. “As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.” “Microsoft said it identified and blocked these attacks in their early stages, so its investigators weren't able to determine what Strontium was trying to steal from the compromised networks,” ZDNet reports. Microsoft has notified the makers of the targeted devices so that they can explore the possibility of adding new protections. Microsoft’s report also provided IP addresses and scripts that organizations can use to detect if they have also been targeted or infected. Microsoft plans to reveal more information about the Strontium April 2019 attacks later this week at the Black Hat USA 2019 security conference. To know more about this news in detail, read Microsoft's complete report. Winnti Malware: Chinese hacker group attacks major German corporations for years, German public media investigation reveals An IoT worm Silex, developed by a 14 year old resulted in malware attack and taking down 2000 devices A cybersecurity primer for mid sized businesses

Have you ever visited YouTube for watching some breaking news videos expecting to get all the info in one go but did not get what you expected? Videos use luring thumbnails and clickbait titles to attract more views and traffic. Most breaking news videos that follow such patterns are either fake, have a high level of misinformation or don’t clarify what the news really is. The news that continuously keeps popping up is most of the time, catchy. Google engineer, Guillaume Chaslot, who worked on the recommendation algorithm for YouTube, stated that this was purely designed to boost user engagement. To tackle this fake thread going around the popular video-sharing website, YouTube has initiated a $25 million plan to counter fake news and misinformation. In a Wired interview held in March, YouTube CEO, Susan Wojcicki announced new features which include updates to breaking news and conspiracy theories by adding information cues to every video. Information cues are short blocks of text based on moon landing and chemtrails, for example. Susan further added, “When there are videos that are focused around something that’s a conspiracy — and we’re using a list of well-known internet conspiracies from Wikipedia — then we will show a companion unit of information from Wikipedia showing that here is information about the event.” https://twitter.com/movandy/status/973688202530869248 Now, YouTube also features ‘authoritative’ content in their breaking news shelf. This means, news in this ‘authoritative’ section comes only from authoritative sources such as Google News and other providers who have applied to be part of Google News program. YouTube then uses a different set of algorithms to determine who within that group is authoritative. Later, based on this YouTube uses those news providers in their breaking news shelf, and their home feed. YouTube chief product officer Neal Mohan said, “Rather than recommending a video first, the algorithm will point to a text-based story surfaced by Google News. Results will be accompanied by a label reminding users that the story is still developing, and the info is "subject to change." These updated features for anti-fake news plan are currently active in 17 countries, including the US and YouTube is planning to double the reach in coming months. Python founder resigns. Guido van Rossum, goes ‘on a permanent vacation from being BDFL’ Facebook to launch AR ads on its news feed to let you try on products virtually Microsoft launches a free version of its Teams app to take Slack head on

The world's first trillion-dollar public company- Apple, had its servers hacked. By a Melbourne based teenage schoolboy aged 16. Yes, Read that again. That’s how safe your data is at Apple, the most privacy-conscious of the FAANG tech giants. The student, whose name cannot be publicly revealed due to his age and reputation in the hacking community, reportedly pleaded guilty to his actions in an Australian Children's Court this week. “Dream of working at Apple” leads teen to hack into its servers The accused juvenile, not new to cybercrime, is well known in the international hacking community. His ability to develop computerized tunnels and online bypassing systems to hide his identity served him well until a raid on his family home last year exposed hacking files and instructions all saved in a folder interestingly named “hacky hack hack”. Reportedly fascinated with the tech giant, the 16-year old confessed that the hacking took shape as someday he had plans to work for Apple, a Melbourne court reported. He hacked into Apple’s mainframe, downloaded internal files and accessed customer accounts. The teen managed to obtain customers’ authorized keys – that could grant access to user accounts to anybody. Which, by the way, are considered to be extremely secure. What is surprising is that, he hasn’t hacked into Apple just once but multiple times over the course of the past year. In spite of downloading 90GB of secure files and accessing customer accounts, Apple has denied that customers were affected in real time. The company testified that it identified the security breach and notified the FBI, which in turn referred the matter to the Australian federal police. A prosecutor further threw some light on the incident by acknowledging that "Two Apple laptops were seized and the serial numbers matched the serial numbers of the devices which accessed the internal systems" He further added that, "A mobile phone and hard drive were also seized whose IP address matched those detected in the breaches." A company guardian tried to provide solace to its customers by releasing a statement saying that they vigilantly protect their networks and have dedicated teams of information security professionals that work to detect and respond to threats. He added, “In this case, our teams discovered the unauthorized access, contained it, and reported the incident to law enforcement. We regard the data security of our users as one of our greatest responsibilities and want to assure our customers that at no point during this incident was their personal data compromised.” The boy’s audacity is further highlighted by the fact that he shared details of his hacking with members of a WhatsApp group. He pleaded guilty and will return to the court for sentencing in September. However, the magistrate has decided to announce the sentence conferred, by next week because of the complexities involved in the case. Head over to fossbytes for a detailed coverage of the case. Apple stocks soar just shy of $1 Trillion market cap as revenue hits $53.3 Billion in Q3 earnings 2018 Twitter’s trying to shed its skin to combat fake news and data scandals, says Jack Dorsey Timehop suffers data breach; 21 million users’ data compromised    

Last week, a group of security researchers reported that they have found a new malware that takes its instructions from code hidden in memes posted to Twitter. This method is popularly known as Steganography, a method popularly used by cybercriminals to abstract a malicious file within an image to escape from security solutions. According to Trend Micro, some malware authors posted two tweets including malicious memes on 25th and 26th October. These images were tweeted via a Twitter account created in 2017.  “The memes contain an embedded command that is parsed by the malware after it’s downloaded from the malicious Twitter account onto the victim’s machine, acting as a C&C service for the already- placed malware”, reported Trend Micro. According to the blog post, this new threat is detected as TROJAN.MSIL.BERBOMTHUM.AA. Also, this malware gets its command from a legitimate source, which they state is a popular networking platform. The memes cannot be taken down until the malicious Twitter account is disabled. Twitter, on the other hand, has already taken the account offline as of December 13, 2018. Malicious memes are no laughing matter The memes posted via the malicious Twitter accounts have a “/print” command hidden, which enables the malware to take screenshots of the infected machine. These screenshots are then sent to a C&C server whose address is obtained through a hard-coded URL on pastebin.com. Next, the malware will send out the collected information or the command output to the attacker by uploading it to a specific URL address. According to Trend Micro, “During analysis, we saw that the Pastebin URL points to an internal or private IP address, which is possibly a temporary placeholder used by the attackers. The malware then parses the content of the malicious Twitter account and begins looking for an image file using the pattern:  “<img src=\”(.*?):thumb\” width=\”.*?\” height=\”.*?\”/>” on the account.” Source: TrendMicro Researchers have also mentioned some other commands supported by this malware, which includes /processos to retrieve the list of running processes. /clip, to capture clipboard content, /username to retrieve username from the infected machine, and /docs to retrieve filenames from a predefined path such as (desktop, %AppData% etc.) According to TechCrunch, “The malware appears to have first appeared in mid-October, according to a hash analysis by VirusTotal, around the time that the Pastebin post was first created.” After Trend Micro reported the account, Twitter pulled the account offline, suspending it permanently. How the biggest ad fraud rented Datacenter servers and used Botnet malware to infect 1.7m systems How to build a convolution neural network based malware detector using malware visualization [Tutorial] Privilege escalation: Entry point for malware via program errors