
Tech News - Cybersecurity

PEAR’s (PHP Extension and Application Repository) web server disabled due to a security breach

Savia Lobo
22 Jan 2019
1 min read
Last week, the PEAR (PHP Extension and Application Repository) team reported a security breach of PEAR's web server, http://pear.php.net. They found that the go-pear.phar file hosted there had been compromised. Following this, the PEAR website itself has been disabled until a known clean site can be rebuilt. The community tweeted that “a more detailed announcement will be on the PEAR Blog once it's back online”.

https://twitter.com/pear/status/1086634389465956352

According to the PEAR team, users who have downloaded go-pear.phar in the past six months should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare the file hashes. If the hashes differ, the user may have the infected file.

The community is in the process of rebuilding the site; however, there is no ETA yet. To stay updated, keep a close watch on PEAR's Twitter account.

International cybercriminals exploited Citrix internal systems for six months using password spraying technique

Savia Lobo
23 Jul 2019
4 min read
On March 8 this year, American cloud computing firm Citrix revealed a data breach in which international cybercriminals gained access to its internal network. The FBI had informed the company about the incident on March 6. Soon after the FBI reported the incident, Citrix initiated a forensic investigation while securing its network. Today, the company announced that it has concluded the investigation and shared a report of its findings and its plan of action to improve security. After the incident, Eric Armstrong, Citrix's Vice President of Corporate Communications, updated users on the investigation twice, on April 4 and May 24, before the final report was released today.

Attackers used the ‘password spraying’ technique to exploit weak passwords

In both updates, Armstrong said they had identified password spraying, a technique that exploits weak passwords, as the likely method used for the data breach. He said the company had also performed a forced password reset throughout the Citrix corporate network and improved internal password management protocols. Based on the ongoing investigation, Armstrong said they had found no evidence that the threat actors discovered or exploited any vulnerabilities within Citrix products or services to gain entry. They also found no evidence of compromise of the customer cloud service.

Investigation reveals criminals were lurking for “six months” within Citrix's internal systems

In its final report, Citrix revealed that the cybercriminals accessed its internal network between October 13, 2018, and March 8, 2019, and stole business documents and files from a company shared network drive, which was used to store current and historical business documents. They also accessed a drive associated with a web-based tool used by Citrix for consulting purposes.

The investigation also speculates that the criminals may have “accessed the individual virtual drives and company email accounts of a very limited number of compromised users and launched without further exploitation a limited number of internal applications”, David Henshall, President and CEO of Citrix, writes. “Importantly, we found no compromise or exfiltration beyond what has been previously disclosed,” he added.

Citrix was also warned by Resecurity before the FBI

When the data breach was revealed on March 8 on Citrix's official website, security firm Resecurity wrote that it had warned Citrix of the attack on December 28, 2018. Resecurity also said that the attack may have been carried out by the Iranian group called "IRIDIUM" and mentioned "at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement." On March 6, when the FBI contacted Citrix, “they had reason to believe that international cybercriminals gained access to the internal Citrix network”, Stan Black, Citrix's chief security and information officer, wrote in the blog post.

Henshall says, “The cybercriminals have been expelled from our systems”. Experts are having a close look at the documents that may have been accessed or stolen during the incident. “We have notified, or shortly will notify, the limited number of customers who may need to consider additional protective steps”, Henshall said. Along with performing a global password reset and improving internal password management, Citrix has improved its firewall logging, extended its data exfiltration monitoring capabilities, removed internal access to non-essential web-based services, and disabled non-essential data transfer pathways. The company has also deployed FireEye's endpoint agent technology across its systems for continuous monitoring.

Although Resecurity claimed that 6TB of data might have been compromised, the company has not shared how many users were affected during this breach, but it has assured that it will notify those who need to take additional protective steps. To know more about this news in detail, read Citrix's official blog post.

Canonical, the company behind the Ubuntu Linux distribution, was hacked; Ubuntu source code unaffected

Sugandha Lahoti
08 Jul 2019
2 min read
On Saturday, Ubuntu-maker Canonical Ltd's source code repositories were compromised and used to create repositories and issues, among other activities. The unknown attacker(s) used a Canonical-owned GitHub account whose credentials had been compromised to gain unauthorized access to Canonical's GitHub account. According to a mirror of the hacked Canonical GitHub account, the hacker created 11 new GitHub repositories in the official Canonical account. The repositories were empty and sequentially named, starting with CAN_GOT_HAXXD_1, with no existing data being changed or deleted. The Ubuntu source code remains unaffected.

A Canonical representative said in a statement, “There is no indication at this point that any source code or PII was affected. Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected.” The hack appears to be limited to a defacement: if the hacker(s) had added malicious code to Canonical projects, they would not have drawn attention by creating new repositories in the Canonical GitHub account.

The official Ubuntu forums have been hacked on three different occasions: first in July 2013, when hackers stole the details of 1.82 million users; second in July 2016, when the data of two million users was compromised; and third in December 2016, when Ubuntu Forums was hacked with 1.8 million users' credentials stolen. In May this year, attackers wiped many GitHub, GitLab, and Bitbucket repos using ‘compromised’ valid credentials, leaving behind a ransom note.

Canonical has since removed the compromised account from the Canonical organisation on GitHub and is still investigating the extent of the breach. The Ubuntu security team said it plans to post a public update after its investigation, audit and remediations are finished. Twitter was flooded with people warning others about the hack.

https://twitter.com/zackwhittaker/status/1147683774492303360
https://twitter.com/gcluley/status/1147901110503575552
https://twitter.com/evanderburg/status/1147895949697568770

Skepticism welcomes Germany’s DARPA-like cybersecurity agency - The federal agency tasked with creating cutting-edge defense technology

Melisha Dsouza
31 Aug 2018
2 min read
On Wednesday, the German government announced the creation of a new federal agency to develop cutting-edge cyber defense technology. The agency would resemble the U.S. Defense Advanced Research Projects Agency (DARPA) and would be managed by the Ministry of Defense and the Ministry of the Interior. Germany has a background of rising numbers of cyber attacks. German Defense Minister Ursula von der Leyen affirms that the agency would encourage Germany's investment in new technologies and in the protection of critical digital infrastructure. The agency will also partner with other EU countries on agency projects. The DARPA-like agency will make Germany more independent in its fight against cyber threats. Ministers in Chancellor Angela Merkel's government said on Wednesday that Germany will invest €200 million over the next five years to launch this agency, which will develop its own cyber defense capabilities.

The news, however, was not taken well by some lawmakers, who have expressed their concerns about the new agency. The issue of military-led cyber warfare has been a disputed topic in Germany. Anke Domscheit-Berg, digital policy spokeswoman for the Left Party, expressed her concern on this matter. She believes that more digital security would definitely help Germany; however, her apprehension lies in the fact that the agency is located between the Defense Ministry and the Interior Ministry. Green Party spokesman Konstantin von Notz argued that the agency will work against the Foreign Ministry's work. In a statement released to DW, von Notz said that the agency “would massively undermine the Foreign Ministry's efforts at the UN to outlaw cyber weapons. Instead of promoting a spiraling escalation in the digital space, the government needs to make a U-turn on IT security.” Read the entire coverage of this article on DW for more insights on the matter.

Mimecast introduced community based tailored threat intelligence tool at Black Hat 2019

Fatema Patrawala
06 Aug 2019
3 min read
Yesterday, at Black Hat 2019, Mimecast Limited, a leading email and data security company, introduced Mimecast Threat Intelligence, which offers a deeper understanding of the cyber threats faced by organizations. The cybersecurity landscape changes daily, and attackers are constantly changing their techniques to avoid detection. According to Mimecast's recent State of Email Security Report 2019, 94% of organizations saw phishing attacks in the last 12 months and 61% said it was likely or inevitable that they would be hit with an email-borne attack.

The new features in Mimecast Threat Intelligence are designed to give organizations access to threat data and analytics specific to their own organization. Additionally, it offers a granular view of the attacks blocked by Mimecast. The Mimecast Threat Intelligence dashboard highlights the users who are most at risk, malware detections, malware origin by geo-location, Indicators of Compromise (IoCs), and malware forensics based on static and behavioral analysis. The data is consolidated into a user-friendly view and will be available for integration into an organization's security ecosystem through the Threat Feed API. This targeted threat intelligence will provide greater visibility and insight to security professionals, enabling them to respond to and remediate threats and malicious files more easily.

“As the threat landscape evolves, arming our organization and people with the best possible tools is more important now than ever,” said Thomas Cronkright, CEO at CertifID. “Mimecast's Threat Intelligence is a unique, incredibly easy to use value-added service that provides an outstanding benefit to organizations in search of a secure ecosystem.”

“The cyber threat landscape is dynamic, complex and driven by a relentless community of adversaries. IT and security teams need threat intelligence that is easy to digest and actionable, so they can better leverage the information to proactively prevent and defend against cyberattacks,” said Josh Douglas, Vice President of Threat Intelligence at Mimecast. “Mimecast sees a lot of data, as we process more than 300 million emails every day to help customers block hundreds of thousands of malicious emails. Mimecast Threat Intelligence helps organizations get the deep insights they need to build a more cyber resilient environment.”

Mimecast Threat Intelligence consists of a Threat Dashboard, Threat Remediation, and a Threat Feed with Threat Intelligence APIs. To know more, check out the Mimecast Threat Intelligence page.

Apple patched vulnerability in Mac’s Zoom Client; plans to address ‘video on by default’

Savia Lobo
11 Jul 2019
3 min read
After the recent disclosure of the vulnerability in Mac's Zoom Client, Apple was quick to patch the vulnerable component. On July 9, the same day security researcher Jonathan Leitschuh revealed the vulnerability publicly, Apple released a patch that removes the local web server entirely and also allows users to manually uninstall Zoom. The Mac Zoom client vulnerability allowed any malicious website to activate a user's camera and forcibly join them to a Zoom call without their authority. Apple said the update does not require any user interaction and is deployed automatically.

How can Mac users ensure they get these updates?

As the vulnerability was capable of re-installing the Zoom Client application, Apple first stopped the use of a local web server on Mac devices. It then removed the local web server entirely once the Zoom client was updated. Mac users were prompted in the Zoom user interface (UI) to update their client after the patch was deployed. After the complete update, the local web server is completely removed from that device. Apple also added a new option to the Zoom menu bar that allows users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option appears that says “Uninstall Zoom.” By clicking that button, Zoom is completely removed from the user's device along with the user's saved settings.

Plans to address ‘video on by default’

Apple has also announced a planned release this weekend (July 12) that will address another security concern, ‘video on by default’. With this July 12 release:

• First-time users who select the “Always turn off my video” box will automatically have their video preference saved. The selection will automatically be applied to the user's Zoom client settings, and their video will be OFF by default for all future meetings.
• Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.

Zoom spokesperson Priscilla McCarthy told TechCrunch, “We're happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today. We appreciate our users' patience as we continue to work through addressing their concerns.” Regarding Apple's quick action to patch the Zoom Client vulnerability, Leitschuh tweeted that the willingness to patch represented an “about face”: “it went from rationalizing its existing strategy to planning a fix in a matter of hours”, Engadget reports.

https://twitter.com/JLLeitschuh/status/1148686921528414208

To know more about this news in detail, read the Zoom blog.

Mozilla's new Firefox DNS security updates spark privacy hue and cry

Melisha Dsouza
07 Aug 2018
4 min read
Mozilla just upped its security game by introducing two new features to its Firefox browser, “DNS over HTTPS” (DoH) and “Trusted Recursive Resolver” (TRR). According to Mozilla, this is an attempt to enhance security: they want to make one of the oldest parts of the internet architecture, the DNS, more private and safe. This will be done by encrypting DNS queries and by testing a service that keeps DNS providers from collecting and sharing users' browsing history. But internet security geeks are far from agreeing with this claim made by Mozilla.

DoH and TRR explained

The DNS converts a domain name into an IP address. This means that when you enter the domain of a particular website in your browser, a request is automatically sent to the DNS server that you have configured. The DNS server then looks up this domain name and returns an IP address for your browser to connect to. However, this DNS traffic is unencrypted and shared with multiple parties, making the data vulnerable to capture and spying. Enter Mozilla with two new updates to save the day.

The DNS over HTTPS (DoH) protocol encrypts DNS requests and responses. DNS requests sent to the DoH cloud server are encrypted, while old-style DNS requests are not protected. The next thing up Mozilla's alley is building a default configuration for DoH servers that puts privacy first, also known as the Trusted Recursive Resolver (TRR). With TRR turned on by default, any DNS changes that a Firefox user configured in the network will be overridden. Mozilla has partnered with Cloudflare after agreeing to a very strong privacy policy that protects users' data.

Why security geeks don't like Mozilla's DNS updates

Even though Mozilla has made an attempt to transport requests over HTTPS, thus encrypting the data, the main concern is that the DNS servers used are local and hence the parties that spy on you will, well, also be local! Adding to this, while browsing with Firefox, Cloudflare can read everyone's DNS requests. This is because Mozilla has partnered with Cloudflare and will resolve domain names from the application itself via a Cloudflare DNS server based in the United States. This in itself poses a threat, since Cloudflare is a third party, and we all know the consequences of having a third party interfere with our data and network. Despite the assurance that Cloudflare has signed a “pro-user privacy policy” that deletes all personally identifiable data within 24 hours, you can never say what will be done with your data. After the Cambridge Analytica scandal, nothing virtual can be trusted.

Here's a small overview of what can go wrong because of TRR. TRR fully disables anonymity. Before Mozilla implemented this change, DNS resolution was local and could be attacked. However, with Mozilla's change, all DNS requests are seen by Cloudflare and in turn also by any government agency that has the legal right to request data from Cloudflare. So in short, any (US) government agency can basically trace you down if you have information that would benefit them.

So to save everyone the trouble, let's explore what you can do about the situation. It's simple: turn TRR off! Hacker News users suggest the following workaround:

• Enter about:config in the address bar
• Search for network.trr
• Set network.trr.mode = 5 to completely disable it

If you want to explore more about mode 5, head over to mozilla.org. You can change network.trr.mode to 2 to enable DoH. This will try to use DoH but will fall back to insecure DNS under some circumstances, like captive portals. (Use mode 5 to disable DoH under all circumstances.) The other modes are described on usejournal.com.

You may be surprised at how such a simple update can fuel so much discussion. It all comes down to the pitfalls of blindly trusting a third-party service versus being your own boss and switching TRR off. Whose side are you on? To know more about this update, head over to Mozilla's blog.

RSA Conference 2019 Highlights: Top 5 cybersecurity products announced

Melisha Dsouza
08 Mar 2019
4 min read
The theme at the ongoing RSA 2019 conference is “Better”. As the official RSA page explains, “This means working hard to find better solutions. Making better connections with peers from around the world. And keeping the digital world safe so everyone can get on with making the real world a better place.” Keeping up with the theme of the year, the conference saw some exciting announcements, keynotes, and seminars presented by some of the top security experts and organizations. Here is our list of the top 5 new cybersecurity products announced at RSA Conference 2019:

#1 X-Force Red Blockchain Testing service

IBM announced the ‘X-Force Red Blockchain Testing service’ to test vulnerabilities in enterprise blockchain platforms. This service will be run by IBM's in-house X-Force Red security team and will test the security of back-end processes for blockchain-powered networks. The service will evaluate the whole implementation of enterprise blockchain platforms, including chain code, public key infrastructure, and hyperledgers. Alongside this, the service will also assess the hardware and software applications that are usually used to control access and manage blockchain networks.

#2 Microsoft Azure Sentinel

Azure Sentinel will help developers “build next-generation security operations with cloud and AI”. It gives developers a holistic view of security across the enterprise. The service will help them collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds. It can then detect previously uncovered threats and minimize false positives using analytics and threat intelligence. Azure Sentinel also helps investigate threats with AI and hunt suspicious activities at scale, while responding to incidents rapidly with built-in orchestration and automation of common tasks.

#3 Polaris Software Integrity Platform

The Polaris Software Integrity Platform is an integrated, easy-to-use solution that enables security and development teams to quickly build secure and high-quality software. The service lets developers integrate and automate static, dynamic, and software composition analysis with the tools they are familiar with. The platform also provides security teams with a holistic view of application security risk across their portfolio and the SDLC. It enables developers to address security flaws in their code as they write it, without switching tools, using the Polaris Code Sight IDE plugin.

#4 CyberArk Privileged Access Security Solution v10.8

The CyberArk Privileged Access Security Solution v10.8 automates detection, alerting and response for unmanaged and potentially risky Amazon Web Services (AWS) accounts. This version also features Just-in-Time capabilities to deliver flexible user access to cloud-based or on-premises Windows systems. The Just-in-Time provisional access to Windows servers will enable administrators to configure the amount of access time granted to Windows systems, irrespective of whether they are cloud-based or on-premises. This will reduce operational friction. The solution can now identify privileged accounts in AWS, unmanaged Identity and Access Management (IAM) users (such as Shadow Admins), and EC2 instances and accounts. This will help track AWS credentials and accelerate the on-boarding process for these accounts.

#5 Cyxtera AppGate SDP IoT Connector

Cyxtera's IoT Connector, a feature within AppGate SDP, secures unmanaged and under-managed IoT devices with 360-degree perimeter protection. It isolates IoT resources using their Zero Trust model. Each AppGate IoT Connector instance scales for both volume and throughput and handles a wide array of IoT devices. AppGate operates in-line and limits access to prevent lateral attacks while allowing devices to seamlessly perform their functions. It can be easily deployed without replacing existing hardware or software.

Apart from these, the other products launched at the conference included CylancePERSONA, CrowdStrike Falcon for Mobile, Twistlock 19.03 and much more. To stay updated with all the events, keynotes, seminars, and releases happening at the RSA 2019 conference, head over to their official blog.

Did you know your idle Android device sends data to Google 10 times more often than an iOS device does to Apple?

Fatema Patrawala
23 Aug 2018
3 min read
New research shared by Digital Content Next reveals that idle Android devices send 10 times more data than iOS devices. The paper, titled "Google Data Collection", is by Douglas C. Schmidt, a computer science professor at Vanderbilt University. In it, Schmidt catalogues how much data Google is collecting about consumers and their most personal habits across all of its products, and how that data is being tied together.

More from Schmidt's research findings:

• An idle Android phone with the Chrome web browser active in the background communicated location information to Google 340 times during a 24-hour period.
• An equivalent experiment found that on an iOS device with Safari open but not Chrome, Google could not collect any appreciable data unless the user was interacting with the device.
• Additionally, an idle Android phone running Chrome sends back to Google nearly fifty times as many data requests per hour as an idle iPhone running Safari.
• Overall, an idle Android device was found to communicate with Google nearly 10 times more often than an Apple device communicates with Apple servers.

The frequency of data transmission from an Android device can potentially tie together data collected through passive means with the user's personal information. For example, anonymous advertising identifiers collect activity data from apps and third-party web page visits of a user. Similarly, Google can associate a cookie with a user's Google account when the user accesses a Google app in the same browser in which a third-party web page was accessed.

Source: Digital Content Next

The research also showed that Google tracks location data even after the consumer has turned off the relevant settings. Google has clarified its location policies, yet it continues to track location data through app features. The location data is used for ad targeting, Google's primary business model.

Apple, by contrast, uses differential privacy to gather anonymous usage insights from devices like iPhones, iPads, and Macs. Apple says the data it collects off-device is used to improve services like Siri suggestions, and to help identify problematic websites that use excessive power or too much memory in Safari. When users set up their iOS device, it explicitly asks whether they wish to provide usage information on an opt-in basis. If a user declines, no data is collected by the device unless they choose to opt in at a later time. The belief of Apple CEO Tim Cook and Apple executives that customers are not the company's product seems to be clearly in action here. The company also has a dedicated privacy website that explains its approach to privacy and government data requests.

The US launched a cyber attack on Iran to disable its rocket launch systems; Iran calls it unsuccessful

Sugandha Lahoti
24 Jun 2019
4 min read
On Thursday, the US launched a cyber attack on Iranian weapons systems, according to sources. The attack was retaliation by the US government after Iran shot down a US spy drone. In response to the drone's destruction, the US was ready to carry out a military strike against Iran, but US President Donald Trump said he called it off at the last minute after being told some 150 people could die. That did not stop him, however, from secretly authorizing US Cyber Command to carry out a retaliatory cyber attack on Iran. Defense officials had prepared such a cyber response as a contingency plan for weeks preceding the attack.

The cyber attacks disabled computer systems controlling Iran's rocket and missile launchers. Officials told the Guardian that the attack, which specifically targeted computer systems of Iran's Islamic Revolutionary Guard Corps (IRGC), had been offered as an option after two oil tankers were bombed. The IRGC has been designated a foreign terrorist group by the Trump administration. The AP news agency said the cyber attack had disabled the Iranian systems. The New York Times said it was intended to take the systems offline for a period of time.

The response by Iran

An Iranian minister, however, rejected these claims, stating that US cyber attacks on Iranian targets were not successful. “They try hard, but have not carried out a successful attack,” Mohammad Javad Azari Jahromi, Iran's minister for information and communications technology, told Reuters. “Media asked if the claimed cyber attacks against Iran are true,” he said. “Last year we neutralized 33 million attacks with the (national) firewall.” Azari Jahromi called attacks on Iranian computer networks “cyber-terrorism”, referring to Stuxnet, the first publicly known example of a virus used to attack industrial machinery, which targeted Iran's nuclear facilities in November 2007.

In response to the shooting down of the US drone, an Iranian navy commander warned that it could be repeated. “Everyone saw the downing of the unmanned drone,” navy commander Rear Admiral Hossein Khanzadi was quoted as saying by the Tasnim news agency. “I can assure you that this firm response can be repeated, and the enemy knows it.”

On Saturday, the US Department of Homeland Security warned that Iran was stepping up its own cyber attacks on the US. Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency, said "malicious cyber activity" was being directed at US industries and government agencies by "Iranian regime actors and their proxies." US military and intelligence officials are drafting plans for additional cyber attacks against Iranian targets. The US will also impose further sanctions on Iran. President Trump said these sanctions were "major" and were needed to prevent Tehran from obtaining nuclear weapons, and that economic pressure would be maintained unless Tehran changed course.

Technology plays a central role in national security and foreign policy. Most recently, the US-China trade war saw Huawei and Apple caught at the center of escalating tensions, and the US prohibited a wide swath of technology deals with a “foreign adversary” for national security reasons. National security and the technological environment are intertwined because technology has a strong influence on the ways wars are fought and on the character of the missions reserve components are asked to perform, and it is often caught in the web of trade wars. The US cyber attack on Iran is a clear example of the way the lines between physical and digital warfare are blurring.
Fatema Patrawala
13 Aug 2019
5 min read

Amazon EBS snapshots exposed publicly leaking sensitive data in hundreds of thousands, security analyst reveals at DefCon 27

Last week at DEF CON 27 in Las Vegas (held across the Paris and Bally's hotels), a researcher showed that companies, government bodies and startups are inadvertently leaking their own disks from the cloud. Ben Morris, a senior security analyst at cybersecurity firm Bishop Fox, presented a talk on finding secrets in publicly exposed EBS snapshots.

"You may have heard of exposed S3 buckets, those Amazon-hosted storage servers packed with customer data but often misconfigured and inadvertently set to 'public' for anyone to access. But you may not have heard about exposed EBS snapshots, which pose as much, if not a greater, risk," Morris said.

"Did you know that Elastic Block Storage (Amazon EBS) has a 'public' mode that makes your virtual hard disk available to anyone on the internet? Apparently hundreds of thousands of others didn't either, because they're out there exposing secrets for everyone to see. I tore apart petabytes of data for you and have some dirty laundry to air: encryption keys, passwords, authentication tokens, PII, you name it and it's here. Whole (virtual) hard drives to live sites and apps, just sitting there for anyone to read. So much data in fact that I had to invent a custom system to process it all," he added.

Ahead of his talk, Morris also spoke to TechCrunch and said that these Elastic Block Storage (EBS) snapshots are the "keys to the kingdom". "They have the secret keys to your applications and they have database access to your customers' information." "When you get rid of the hard disk for your computer, you know, you usually shred it or wipe it completely," he said. "But these public EBS volumes are just left for anyone to take and start poking at." He said that all too often cloud admins don't choose the correct configuration settings, leaving EBS snapshots inadvertently public and unencrypted.

"That means anyone on the internet can download your hard disk and boot it up, attach it to a machine they control, and then start rifling through the disk to look for any kind of secrets," he said.

(Image: a slide from Morris's DEF CON talk explaining how EBS snapshots become exposed; via TechCrunch.)

Morris built a tool that uses Amazon's own API to search for publicly shared EBS snapshots: the EC2 API lets any AWS account list every snapshot whose create-volume permission has been granted to the "all" group, regardless of who owns it. For each hit the tool creates a volume from the snapshot, attaches it to an instance Morris controls and lists the contents. "If you expose the disk for even just a couple of minutes, our system will pick it up and make a copy of it," he said. It took him two months and a few hundred dollars of Amazon cloud resources to build up a database of exposed data. Morris validates each snapshot and then deletes the data.

Morris found dozens of snapshots exposed publicly in one region alone, containing application keys, critical user or administrative credentials, source code and more. He found data from several major companies, including healthcare providers and tech companies. He also found VPN configurations, which could have allowed him to tunnel into a corporate network. Among the most damaging finds was a snapshot belonging to a government contractor that provides data storage services to federal agencies. "On their website, they brag about holding this data," he said, referring to collected intelligence ranging from messages sent to and from the so-called Islamic State terror group to data on border crossings.

Morris estimated the total at approximately 1,250 exposures across all Amazon cloud regions. An Amazon spokesperson told TechCrunch that customers who set their Amazon EBS snapshots to public "have been notified and advised to take the snapshot offline if the setting was unintentional." Morris plans to release his proof-of-concept code in the coming weeks.

"I'm giving companies a couple of weeks to go through their own disks and make sure that they don't have any accidental exposures," he said.

On Hacker News, users were surprised by the finding; some said they had never encountered a public EBS snapshot in years of AWS work, while others suggested that such exposures are accidental or the result of management pressure to share data quickly. One of the comments read, "I've been working almost exclusively in the AWS space for about 10 years now. Clients anywhere from tiny little three-person consultancies to Fortune 100. Commercial, govcloud, dozens of clients. Never once have I ever found a use case for making public EBS snapshots. Who on Earth is thinking that it is a good idea to take an EBS snapshot and make it public? Note, several of those engagements did involve multiple accounts, and the need to share / copy AMIs and/or snapshots between accounts. But never making them public." Another user responded, "Laziness in attempting to share data with someone in another org? 'Nope, can't access it' ... 'Nope, still can't access it' ... 'My manager is harassing me to get access now' ... 'Look, just make it public then change it back after I get it copied' ..."

Ex-Amazon employee hacks Capital One's firewall to access its Amazon S3 database; 100m US and 60m Canadian users affected
Amazon S3 is retiring support for path-style API requests; sparks censorship fears
Amazon S3 Security access and policies
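The check Morris is asking companies to run, seen from the account owner's side, as an added example (not Bishop Fox's tool and not AWS sample code): a snapshot is public when its `createVolumePermission` attribute grants the `all` group, so the audit below reads that attribute for every snapshot the account owns and builds the `modify_snapshot_attribute` call that revokes the grant. The pure functions take the EC2 API responses as plain dicts so they run offline; `SAMPLE_SNAPSHOTS` and `SAMPLE_ATTRS` are constructed to match the API's response shape, and `main()` wires the same functions to boto3 for a real account.

```python
"""Find (and optionally fix) EBS snapshots an AWS account has shared publicly.

Added example; not Bishop Fox's tooling or an AWS sample.  A snapshot is
public when its createVolumePermission attribute contains the group "all",
which is also the attribute an outsider queries with DescribeSnapshots
RestorableByUserIds=["all"] to enumerate every public snapshot in a region.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass
class Finding:
    snapshot_id: str
    public: bool
    encrypted: bool
    description: str


def is_public(attribute_response: Dict) -> bool:
    """True if a DescribeSnapshotAttribute(createVolumePermission) response
    grants create-volume rights to the 'all' group, i.e. to everyone."""
    perms = attribute_response.get("CreateVolumePermissions", [])
    return any(p.get("Group") == "all" for p in perms)


def audit_snapshots(snapshots: Iterable[Dict],
                    get_attribute: Callable[[str], Dict]) -> List[Finding]:
    """Classify each snapshot.  get_attribute(snapshot_id) returns the
    createVolumePermission attribute; it is injected so the logic can be
    exercised without AWS credentials."""
    findings = []
    for snap in snapshots:
        sid = snap["SnapshotId"]
        findings.append(Finding(
            snapshot_id=sid,
            public=is_public(get_attribute(sid)),
            encrypted=bool(snap.get("Encrypted", False)),
            description=snap.get("Description", ""),
        ))
    return findings


def public_snapshot_ids(findings: List[Finding]) -> List[str]:
    return [f.snapshot_id for f in findings if f.public]


def remediation_params(snapshot_id: str) -> Dict:
    """Keyword arguments for ec2.modify_snapshot_attribute that revoke the
    public grant while leaving account-specific grants untouched."""
    return {
        "SnapshotId": snapshot_id,
        "Attribute": "createVolumePermission",
        "CreateVolumePermission": {"Remove": [{"Group": "all"}]},
    }


# Constructed sample data in the shape the EC2 API returns.  snap-0b1 is the
# unencrypted, publicly shared disk the talk warns about; snap-0c2 is shared
# with one specific account, which is the supported way to hand a disk over.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0a0", "Encrypted": True, "Description": "db backup"},
    {"SnapshotId": "snap-0b1", "Encrypted": False, "Description": "prod web root"},
    {"SnapshotId": "snap-0c2", "Encrypted": False, "Description": "shared with partner"},
]
SAMPLE_ATTRS = {
    "snap-0a0": {"SnapshotId": "snap-0a0", "CreateVolumePermissions": []},
    "snap-0b1": {"SnapshotId": "snap-0b1", "CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0c2": {"SnapshotId": "snap-0c2",
                 "CreateVolumePermissions": [{"UserId": "123456789012"}]},
}


def main(region: str = "us-east-1", fix: bool = False) -> None:
    """Run the audit against a real account (needs credentials and boto3)."""
    import boto3  # imported here so the functions above work offline

    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"])
    snapshots = [s for page in pages for s in page["Snapshots"]]

    def get_attr(sid: str) -> Dict:
        return ec2.describe_snapshot_attribute(
            SnapshotId=sid, Attribute="createVolumePermission")

    for f in audit_snapshots(snapshots, get_attr):
        if not f.public:
            continue
        print(f"PUBLIC {f.snapshot_id} encrypted={f.encrypted} {f.description!r}")
        if fix:
            ec2.modify_snapshot_attribute(**remediation_params(f.snapshot_id))


if __name__ == "__main__":
    import sys
    main(fix="--fix" in sys.argv)
```

Run it per region (snapshots are regional) and with `--fix` once the findings have been reviewed. Revoking the `all` grant stops new copies, but anyone who already created a volume from the snapshot keeps that copy, so credentials found on a snapshot that was ever public should be rotated rather than assumed safe.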

Melisha Dsouza
16 Aug 2018
5 min read

Meet ‘Foreshadow’: The L1 Terminal Fault in Intel’s chips

Intel's chips have been struck with yet another significant flaw, called 'Foreshadow'. The flaw, also known as L1 Terminal Fault (L1TF), targets Intel's Software Guard Extensions (SGX) in its Core chips; two related variants (Foreshadow-NG) reach operating-system kernels, hypervisors and System Management Mode as well. US-CERT, the US government's computer-security advisory body, warned that an attacker could take advantage of the vulnerability to obtain sensitive information. The flaw affects a wide range of Intel Core and Xeon processors, including generations older than 2015; the SGX variant naturally requires a chip with SGX. Thankfully, Intel has released microcode and patches to combat the problem. Check the full list of affected hardware on Intel's website.

While Intel confirmed that it is not aware of any of these methods being used in real-world exploits, the chipmaker is now under scrutiny. Foreshadow completes a hat-trick, following the two similar attacks, Spectre and Meltdown, that were disclosed in January this year. Intel confirms that future processors will be built in such a way as not to be affected by Foreshadow.

How does Foreshadow affect your data?

The flaw was first reported to Intel by researchers from KU Leuven in Belgium and others from the universities of Adelaide and Michigan. Foreshadow exploits speculative execution and specifically targets the protected region, or enclave, that SGX provides inside the processor, letting an attacker leak data that should be unreadable.

To give you the gist: a processor runs more efficiently by guessing which operation it will need next. A correct prediction saves time, while work based on an incorrect prediction is discarded. The discarded work nevertheless leaves clues behind, such as how long the processor takes to fulfil a later request, and an attacker can use those clues to steer the speculation and observe what it touched. In the L1TF case the trigger is a load from a page whose page-table entry is marked not-present: the load will eventually raise a "terminal" page fault, but before the fault is delivered the processor has already speculatively forwarded whatever the L1 data cache holds at the physical address still encoded in the stale entry, and dependent instructions can leak that value through a cache-timing side channel.

Speculative-execution flaws matter because an attacker can use them to reach data and privilege levels meant to be off-limits. The most intriguing part of the story, as stated by hardware security researcher and Foreshadow contributor Jo Van Bulck, is that "Spectre is focused on one speculation mechanism, Meltdown is another, and Foreshadow is another".

"This is not an attack on a particular user, it's an attack on infrastructure." Yuval Yarom, University of Adelaide

After the discovery of Spectre and Meltdown, the researchers found it only fitting to look for speculative execution flaws in the SGX enclave. To give you an overview, Software Guard Extensions, or SGX, was designed to protect code and data from disclosure or modification. SGX is included in 6th-generation (Skylake) Core chips and later, as well as the corresponding Xeon generations. An enclave is meant to remain protected even when the BIOS, VMM, operating system and drivers are compromised, meaning that an attacker with full execution control over the platform is still kept out. SGX allows programs to establish secure enclaves on Intel processors: regions of memory reserved for code and data that the computer's operating system cannot read or change. This creates a safe space for sensitive data, so that even if the main computer is compromised by malware, the sensitive data remains safe. That, it turns out, is not entirely the case. Wired further stresses that the Foreshadow bug could break down the walls between virtual machines, a real concern for cloud companies whose services share hardware with other, theoretically isolated, tenants.

Watch this YouTube video for more clarity on how Foreshadow works. https://www.youtube.com/watch?v=ynB1inl4G3c&feature=youtu.be

The Quick Fix to Foreshadow

Prior to details of the flaw being made public, Intel had created its fix and coordinated its response with the researchers, which went out on Tuesday. The fix disables some of the chip behaviour that was vulnerable to the attack: updated microcode flushes the L1 data cache when leaving an SGX enclave and lets a hypervisor flush it on entry to a guest, while operating systems rewrite not-present page-table entries so that they can never point at real memory (PTE inversion). Along with the software mitigations, the bug will be patched at the hardware level with Cascade Lake, an upcoming Xeon chip, as well as future Intel processors expected to launch later this year. The strongest mitigation for virtualised workloads also means disabling Hyper-Threading (SMT) on affected cores, because a malicious guest on a sibling thread can still observe the L1 data cache of the other thread; this limits the extent to which the same processor can be used simultaneously for multiple tasks, so companies running cloud computing platforms could see a significant hit to their collective computing power.

On Tuesday, the cloud services companies Amazon, Google and Microsoft said they had put a fix in place. Intel is working with these cloud providers, where uptime and performance are key, to "detect L1TF-based exploits during system operation, applying mitigation only when necessary," Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, wrote.

Individual computer users are advised, as ever, to download and install any available software updates. The research team confirmed that individuals were unlikely to see any performance impact. As long as your system is patched, you should be okay. Check out PCWorld's guide on how to protect your PC against Meltdown and Spectre. You can also head over to the Red Hat Blog for more on Foreshadow.

NetSpectre attack exploits data from CPU memory
Intel's Spectre variant 4 patch impacts CPU performance
7 Black Hat USA 2018 conference cybersecurity training highlights
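On Linux, the kernel reports a host's L1TF mitigation state in /sys/devices/system/cpu/vulnerabilities/l1tf using the strings documented in the kernel's admin-guide/hw-vuln/l1tf page, for example "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable". The following added example (ours, not Intel's, the researchers' or any cloud provider's code) parses that line and answers the question a cloud operator actually cares about after reading the above: is this host safe to run untrusted guests on, given that PTE inversion only protects the host and that SMT must be off for the L1D flush to isolate tenants? The status lines used for checking are constructed, and the safety rule in `safe_for_untrusted_guests` is our reading of the kernel documentation's guidance.

```python
"""Classify a host's L1TF (Foreshadow) mitigation state from sysfs.

Added example; not from Intel or the Foreshadow authors.  Input is the text
of /sys/devices/system/cpu/vulnerabilities/l1tf; the recognised strings
follow the kernel's admin-guide/hw-vuln/l1tf documentation.
"""
import re
from dataclasses import dataclass
from typing import Optional

L1TF_PATH = "/sys/devices/system/cpu/vulnerabilities/l1tf"

# "Mitigation: PTE Inversion" optionally followed by the KVM part:
# "; VMX: <flush policy>" and, when SMT state is reported, ", SMT <state>".
_PATTERN = re.compile(
    r"^Mitigation: PTE Inversion"
    r"(?:; VMX: (?P<vmx>.+?)(?:, SMT (?P<smt>vulnerable|disabled))?)?$"
)


@dataclass
class L1tfState:
    affected: bool                  # CPU is susceptible at all
    host_mitigated: bool            # PTE inversion active (protects the host OS)
    vmx_flush: Optional[str]        # L1D flush policy for guests; None if not reported
    smt_vulnerable: Optional[bool]  # True when sibling hyperthreads are enabled


def parse_l1tf(text: str) -> L1tfState:
    """Parse one l1tf status line into its components."""
    text = text.strip()
    if text == "Not affected":
        return L1tfState(False, True, None, None)
    if text == "Vulnerable":
        return L1tfState(True, False, None, None)
    m = _PATTERN.match(text)
    if not m:
        raise ValueError(f"unrecognised l1tf status: {text!r}")
    smt = m.group("smt")
    return L1tfState(
        affected=True,
        host_mitigated=True,
        vmx_flush=m.group("vmx"),
        smt_vulnerable=None if smt is None else smt == "vulnerable",
    )


def safe_for_untrusted_guests(state: L1tfState) -> bool:
    """Could a malicious VM read another tenant's L1D contents?

    PTE inversion only protects the host kernel.  For guests the L1D must be
    flushed on VM entry and the sibling hyperthread must not be running
    someone else's code, so SMT has to be off unless the CPU is unaffected
    or EPT is disabled (the guest variant needs EPT).
    """
    if not state.affected:
        return True
    if state.vmx_flush is None:
        return False                        # no KVM mitigation state reported
    if state.vmx_flush in ("flush not necessary", "EPT disabled"):
        return True
    if state.vmx_flush.startswith("vulnerable"):
        return False                        # L1D flush turned off
    return state.smt_vulnerable is False


def read_host_state(path: str = L1TF_PATH) -> Optional[L1tfState]:
    """State of the running host, or None if the kernel does not report it."""
    try:
        with open(path) as fh:
            return parse_l1tf(fh.read())
    except FileNotFoundError:
        return None


# Constructed status lines in the documented formats, for checking the parser.
SAMPLE_STATUS = {
    "laptop":   "Mitigation: PTE Inversion",
    "kvm-smt":  "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "kvm-nosmt": "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled",
    "noflush":  "Mitigation: PTE Inversion; VMX: vulnerable",
    "newcpu":   "Not affected",
}


if __name__ == "__main__":
    state = read_host_state()
    if state is None:
        print("kernel does not report l1tf status")
    else:
        print(state, "guest-safe" if safe_for_untrusted_guests(state) else "NOT guest-safe")
```

The same file exists for the other speculative-execution bugs (spectre_v1, spectre_v2, meltdown, mds), so a fleet check usually loops over the whole vulnerabilities directory; only the l1tf grammar is handled here.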

Savia Lobo
30 Aug 2019
4 min read

Retadup, a malicious worm infecting 850k Windows machines, self-destructs in a joint effort by Avast and the French police

A malicious worm, Retadup, infected 850,000 Windows machines, mostly in Latin America. The worm's objective is to gain persistence on victims' computers, spread itself as widely as possible and install additional malware payloads on the infected machines.

The Avast antivirus team started closely monitoring the Retadup worm in March 2019. Jan Vojtěšek, the malware analyst at Avast who led the research, said, "The general functionality of this payload is pretty much what we have come to expect from common malicious stealthy miners." "In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors' behalf. However, in some cases, we have also observed Retadup distributing the Stop ransomware and the Arkei password stealer," Vojtěšek writes.

A few days ago, Vojtěšek published a report explaining that Avast researchers, the French National Gendarmerie and the FBI had together disinfected the Retadup bots by making the malware self-destruct. When the Avast team analyzed the worm closely, they identified a design flaw in its command-and-control (C&C) protocol that "would have allowed us to remove the malware from its victims' computers had we taken over its C&C server," Vojtěšek writes. Because most of Retadup's C&C infrastructure was located in France, the team contacted the Cybercrime Fighting Center (C3N) of the French National Gendarmerie (one of France's two national police forces) at the end of March, shared their findings and proposed a disinfection scenario: take over a C&C server and abuse the protocol flaw to neutralise Retadup. In July 2019 the Gendarmerie received the legal green light to proceed and replaced the malicious C&C server with a prepared disinfection server that made connecting instances of Retadup self-destruct.

"In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the C&C protocol design flaw," the report states. The Gendarmerie also alerted the FBI, as parts of the C&C infrastructure were located in the US; the FBI took those down, and by July 8 the malware authors no longer had any control over the bots, Vojtěšek said. "Since it was the C&C server's responsibility to give mining jobs to the bots, none of the bots received any new mining jobs to execute after this takedown. This meant that they could no longer drain the computing power of their victims and that the malware authors no longer received any monetary gain from mining," the report explained.

The Avast report highlights, "Over 85% of Retadup's victims also had no third-party antivirus software installed. Some also had it disabled, which left them completely vulnerable to the worm and allowed them to unwittingly spread the infection further."

Retadup has many variants of its core, written in either AutoIt or AutoHotkey. In both cases the infection consists of two files: the clean scripting-language interpreter and the malicious script. "In AutoHotkey variants of Retadup, the malicious script is distributed as source code, while in AutoIt variants, the script is first compiled and then distributed. Fortunately, since the compiled AutoIt bytecode is very high-level, it is not that hard to decompile it into a more readable form," the report states.

Users and researchers congratulated both the Avast team and the Gendarmerie for successfully disinfecting Retadup. https://twitter.com/nunohaien/status/1166636067279257600

To know more about Retadup in detail, read Avast's complete report.

Other interesting news in Security
New Bluetooth vulnerability, KNOB attack can manipulate the data transferred between two paired devices
A year-old Webmin backdoor revealed at DEF CON 2019 allowed unauthenticated attackers to execute commands with root privileges on server
A security issue in the net/http library of the Go language affects all versions and all components of Kubernetes
Amarabha Banerjee
07 Jul 2018
3 min read

Did Facebook just have another security scare?

Facebook's public image has suffered quite a few setbacks in recent times. The Cambridge Analytica scandal opened a Pandora's box of questions about user data security and privacy. In the recent Senate hearings, Facebook CEO Mark Zuckerberg struck an apologetic tone and promised to give the utmost importance to user data security. The misfortunes, however, don't seem to be over for Zuckerberg and Facebook: in the latest security scare, a bug has caused quite a ruckus for the tech giant.

Facebook composer bug

Now let's talk about the bugs; yes, you read that correctly, there was more than one recent Facebook bug affecting user data and privacy. The first was in the Facebook post composer. According to Facebook's Chief Privacy Officer Erin Egan, the bug affected the composer's privacy settings: while users were creating new posts, it automatically changed the audience setting to public, so updates that might have been intended to be private were visible to everyone. The bug affected 14 million users worldwide and was active from 18 to 22 May 2018, and it took Facebook until 27 May to change all affected posts back. As a trust-building measure, Facebook sent notifications to all the users affected by this breach; TechCrunch published a screenshot of the notification.

Automatic unblocking bug

The second incident occurred between 29 May and 5 June. Facebook reported in a blog post that a bug affecting around 800,000 users had temporarily unblocked contacts, enabling previously blocked people to message the affected users or view their profile details. This was potentially dangerous, since it could enable stalking or even harassment. Facebook did, however, state that the bug unblocked only one contact per affected user. The official notification sent to affected users was published on the Facebook blog.

Facebook Analytics data leak

The story of bugs is not over yet. There were recent reports that Facebook Analytics data for around 3 percent of Facebook apps was accidentally sent to the wrong testers, which Facebook attributed to a faulty automated email system. Although Facebook insists that no personal user data was leaked, the incident does not go down well given the company's recent record on user privacy and data protection. Facebook is trying to be transparent in its approach to tackling this run of recurring bugs, but how successful its efforts will be, only time and its future actions will tell.

The Cambridge Analytica scandal and ethics in data science
Mark Zuckerberg's Congressional testimony: 5 things we learned
F8 AR Announcements

Savia Lobo
31 May 2019
2 min read

PyPI announces 2FA for securing Python package downloads

Yesterday, the Python Software Foundation announced that PyPI now offers two-factor authentication (2FA) to increase the security of Python package downloads by reducing the risk of unauthorized access to the accounts that publish them. The team announced that 2FA is being introduced as a login security option on the Python Package Index. "We encourage project maintainers and owners to log in and go to their Account Settings to add a second factor," the team wrote on the official blog. The blog also mentions that the work is funded by a "grant from the Open Technology Fund; coordinated by the Packaging Working Group of the Python Software Foundation."

PyPI currently supports a single 2FA method: a code generated by a Time-based One-time Password (TOTP) application. Once users set up 2FA on their PyPI account, they must provide a TOTP code (along with their username and password) to log in, so they need an application, usually a mobile phone app, to generate the codes.

Currently, only TOTP is supported as a 2FA method. Also, 2FA only affects login via the website, which safeguards against malicious changes to project ownership, deletion of old releases and account takeovers; package uploads continue to work without a 2FA code, so the upload path is still protected by the password alone for now. The developers said they are working on WebAuthn-based multi-factor authentication, which will allow the use of YubiKeys as a second factor, for example. They further plan to add API keys for package upload, along with an advanced audit trail of sensitive user actions.

A user on Hacker News answered the question "Will I lock myself out of my account if I lose my phone?" by saying, "You won't lock yourself out. I just did a quick test and if you reset your password (via an email link) then you are automatically logged in. At this point you can even disable 2FA. So 2FA is protecting against logging in with a stolen password, but it's not protecting against logging in if you have access to the account's email account. Whether or not that's the intended behaviour is another question..."

To know more about the ongoing security measures, visit the official blog post.

Salesforce open sources 'Lightning Web Components framework'
Time for data privacy: DuckDuckGo CEO Gabe Weinberg in an interview with Kara Swisher
Which Python framework is best for building RESTful APIs? Django or Flask?