
Tech News - Security

470 Articles
Sugandha Lahoti
27 Aug 2019
4 min read

Moscow's blockchain-based internet voting system uses an encryption scheme that can be easily broken

Russia is looking forward to its September 2019 elections for representatives to the parliament of the city (the Moscow City Douma). For the first time ever, Russia will use Internet voting in its elections. The internet-based system will use a blockchain developed in-house by the Moscow Department of Information Technology. Since the news broke, security experts have been quite skeptical about the overall applicability of blockchain to elections.

Moscow’s voting system has a critical flaw in the encryption scheme

Recently, French security researcher Pierrick Gaudry found a critical vulnerability in the encryption scheme used in the code of the voting system. The scheme used was ElGamal encryption, an asymmetric-key algorithm for public-key cryptography. Gaudry revealed that it can be broken in about 20 minutes using a standard personal computer and only free software that is publicly available.

The main problem, Gaudry says, is in the choice of the three cyclic groups and their generators. The groups are multiplicative groups of finite fields of prime order, each of the primes being a Sophie Germain prime. These prime fields are all less than 256 bits long, and the 256x3 private key length is too small to guarantee strong security. Discrete logarithms in such a small setting can be computed in a matter of minutes, which reveals the secret keys and makes it easy to decrypt the encrypted data.

Gaudry also showed that the implemented version of ElGamal worked in groups of even order, which means that it leaked a bit of the message. What an attacker can do with these encryption keys is currently unknown: the voting system's protocols weren't yet available in English, so Gaudry couldn't investigate further.

Following Gaudry's discovery, the Moscow Department of Information Technology promised to fix the reported issue. In a Medium blog post, they wrote, "We absolutely agree that 256x3 private key length is not secure enough. This implementation was used only in a trial period. In a few days, the key's length will be changed to 1024." (Gaudry has mentioned in his research paper that the current general recommendation is at least 2048 bits.)

Even after the response, Gaudry was still concerned about potential flaws introduced by the recent big changes made to fix the key length issue. Gaudry's concerns proved true when another security researcher, Alexander Golovnev, recently found an attack on the revised encryption scheme.

The revised encryption algorithm still leaks messages

Alexander Golovnev is the current fellow of the Michael O. Rabin Postdoctoral Fellowship in Theoretical Computer Science at Harvard University. His research reveals that the new implementation of the encryption system also leaks a bit of the message. This is caused by using ElGamal without mapping the message to the cyclic group under consideration. This flaw can be misused for counting the number of votes cast for a candidate, which is illegal (until the end of the election period).

Golovnev says that this security vulnerability is a major issue of the implemented cryptographic scheme. The attack does not recover the secret key as required by the public testing scenario, but rather breaks the system without recovering the secret key. There is no response or solution from the Moscow Department of Information Technology regarding this vulnerability.

Many people took to Twitter to express their disappointment at Moscow’s lamentable internet voting system.

https://twitter.com/mjos_crypto/status/1166252479761330176
https://twitter.com/KevinRothrock/status/1163750923182780416

In 2018, Robert Mueller’s report indicated that there were 12 Russian military officers who meddled with the 2016 U.S. Presidential elections. They had hacked into the Democratic National Committee, the Democratic Congressional Campaign Committee, and the Clinton campaign. This year, Microsoft revealed that Russian hackers ‘Fancy Bear’ are attempting to compromise IoT devices including a VOIP, a printer, and a video decoder across multiple locations. These attacks were discovered in April by security researchers in the Microsoft Threat Intelligence Center.
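The one-bit leak described in both findings can be reproduced on toy numbers. This is an added example, not code from the voting system or from either researcher: the 11-bit safe prime, the generator choices and the encode/decode helpers are constructed for illustration. It covers the even-order group, the prime-order subgroup with unmapped messages, and the fix of mapping messages into the subgroup.

```python
import secrets

# Constructed toy parameters (added example): safe prime P = 2Q + 1 with P % 4 == 3.
# Far too small for real use; the article cites at least 2048 bits as the recommendation.
Q = 1019
P = 2 * Q + 1


def legendre(a):
    """+1 if a is a quadratic residue mod P, -1 otherwise (a not divisible by P)."""
    return 1 if pow(a, Q, P) == 1 else -1


def full_group_generator():
    """Smallest element of order 2Q, i.e. a generator of the even-order group Z_P^*."""
    for a in range(2, P):
        if pow(a, 2, P) != 1 and pow(a, Q, P) != 1:
            return a
    raise ValueError("no generator found")


G_FULL = full_group_generator()  # order 2Q (even): the first finding
G_SUB = 4                        # 2^2 is a residue other than 1, so its order is the prime Q


def keygen(g, order):
    x = secrets.randbelow(order - 1) + 1
    return x, pow(g, x, P)


def encrypt(g, order, h, m):
    r = secrets.randbelow(order - 1) + 1
    return pow(g, r, P), (m * pow(h, r, P)) % P


def decrypt(x, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - x, P)) % P


def leaked_symbol(h, ct):
    """What anyone holding only the public key and a ciphertext can compute.

    legendre(h^r) is 1 when h is a residue; otherwise g is a non-residue too and
    both legendre(c1) and legendre(h^r) equal (-1)^r. Removing that factor from
    legendre(c2) leaves legendre(m): one bit of the plaintext.
    """
    c1, c2 = ct
    mask = 1 if legendre(h) == 1 else legendre(c1)
    return legendre(c2) * mask


def encode(m):
    """Map 1 <= m <= Q into the order-Q subgroup.

    Because P % 4 == 3, -1 is a non-residue, so exactly one of m and P - m is a residue.
    """
    if not 1 <= m <= Q:
        raise ValueError("message out of range")
    return m if legendre(m) == 1 else P - m


def decode(e):
    return e if e <= Q else P - e


if __name__ == "__main__":
    x, h = keygen(G_SUB, Q)
    for m in (2, 7):  # constructed sample plaintexts
        raw = encrypt(G_SUB, Q, h, m)
        fixed = encrypt(G_SUB, Q, h, encode(m))
        print(m, "unmapped leaks", leaked_symbol(h, raw),
              "| mapped leaks", leaked_symbol(h, fixed),
              "| decrypts to", decode(decrypt(x, fixed)))
```

With unmapped messages the computed symbol always matches the plaintext's own residuosity; with `encode` applied it is the constant 1 and carries no information.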

Aarthi Kumaraswamy
20 Sep 2018
3 min read

Baidu Security Lab's MesaLink, a cryptographic memory safe library alternative to OpenSSL

X-Lab, Baidu’s security lab focused on researching and developing industry-leading security solutions, today released the latest version of MesaLink, a cryptographic memory safe library for securing end-to-end communications. Encrypted communication is a cornerstone of Internet security, as it provides protection from vulnerabilities for a wide variety of applications like cloud computing, blockchain, autonomous driving and Internet of Things.

Existing solutions for securing end-to-end communications are implemented in programming languages like C/C++, which makes them particularly susceptible to memory safety vulnerabilities. The Heartbleed bug, for example, is a serious memory safety vulnerability in the OpenSSL cryptographic software library that allows attackers to steal information protected by encryption.

“OpenSSL, one of the most prominent implementations of the SSL/TLS protocol, has been protecting the Internet for the past two decades,” said Tao Wei, Chief Security Scientist at Baidu, Inc. “It has made a significant contribution to the evolution of the Internet. However, cryptography and protocol implementations of SSL/TLS are complex, and SSL/TLS is nearly impossible to implement without vulnerabilities. When Heartbleed was discovered in 2014, it affected two-thirds of the Internet, causing detrimental loss around the globe. Heartbleed is considered one of the most serious vulnerabilities since the commercialization of the Internet.”

MesaLink, unlike OpenSSL, is based on Baidu’s advanced Hybrid Memory Safety Model, which has revolutionized memory safety systems at the software architecture level. MesaLink is well-guarded against a whole class of memory safety vulnerabilities and withstands most exploits.

MesaLink aims to be a drop-in replacement for the widely adopted OpenSSL library. By providing OpenSSL-compatible APIs, it enables developers of preexisting projects to smoothly transition to MesaLink. For example, curl, a popular library for transferring data, recently integrated MesaLink, which now easily extends its presence into a wide variety of applications where OpenSSL used to dominate. Another promising example is Android, where MesaLink is able to transparently establish secure communications for any installed app without changing a single line of code.

Beyond memory safety and OpenSSL compatibility, MesaLink also provides competitive performance. With secure and efficient cryptographic APIs, MesaLink reduces the time to establish a trusted communication channel between the client and server, providing a faster web browsing experience to users.

“Heartbleed is an example of why C/C++ cannot meet the memory safety expectations in SSL/TLS implementations,” added Wei. “To eliminate vulnerabilities like Heartbleed, the MesaLink project was created. We expect MesaLink could be the next OpenSSL that protects secure communication on the Internet for the foreseeable future.”

MesaLink has already been adopted in products like smart TVs and set-top boxes. As part of Baidu's Open AI System Security Alliance and AIoT Security Solutions, it has enabled more than 2 million smart TVs to securely connect to the cloud.

Melisha Dsouza
04 Jan 2019
2 min read

Cyber security researcher withdraws public talk on hacking Apple's Face ID from Black Hat Conference 2019: Reuters report

A China-based cyber security researcher, Wish Wu, canceled his briefing on how he could crack biometric facial recognition on Apple Inc iPhones, which was to be held at the Black Hat Asia hacking conference 2019. In a message to Reuters on Twitter, Wu said that his talk, entitled 'Bypass Strong Face ID: Everyone Can Deceive Depth and IR Camera and Algorithms', was called ‘misleading’ by his employer, and he was requested to withdraw his briefing from Black Hat, one of the most prestigious cybersecurity conferences, to be held in Singapore this year.

In late December, Black Hat withdrew an abstract of the talk from their website after Wu’s employer, Ant Financial, uncovered problems with the research. The abstract stated that Face ID could be hacked with an image printed on an ordinary black-and-white printer and some tape. Ant Financial said in a statement that “The research on the face ID verification mechanism is incomplete and would be misleading if presented”.

Wu told Reuters that “In order to ensure the credibility and maturity of the research results, we decided to cancel the speech”. He further added that he agreed with the decision to withdraw his talk, saying he was only able to reproduce hacks on iPhone X under certain conditions, but that it did not work with iPhone XS and XS Max.

Black Hat conference spokeswoman Kimberly Samra said, “Black Hat accepted the talk after believing the hack could be replicated based on the materials provided by the researcher”.

According to Apple, there is a one in 1 million chance a random person could unlock a Face ID, and a 1 in 50,000 chance that would happen with the iPhone's fingerprint sensor. Thus, the idea that Face ID could be defeated, or rather hacked into, is disturbing, especially because Face ID is used to lock down numerous functions on millions of iPhones, including banking apps, healthcare apps, emails, text messages, photos and much more. If it fell into the wrong hands, the hack could have damaging consequences and possibly compromise sensitive information.

Head over to Reuters for more insights on this news.

Savia Lobo
15 May 2019
7 min read

Intel discloses four new vulnerabilities labeled MDS attacks affecting Intel chips

Yesterday, Intel and a group of microarchitecture security researchers disclosed four new hackable vulnerabilities in Intel’s chips. These vulnerabilities expose extremely sensitive data and processes from a victim’s CPU to the attacker. Intel has grouped these vulnerabilities together and labeled them as Microarchitectural Data Sampling or MDS attacks.

MDS is a sub-class of previously disclosed speculative execution side channel vulnerabilities and comprises four closely related CVEs. These vulnerabilities were first identified by Intel’s internal researchers and partners and independently reported to Intel by external researchers. These include:

  • Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127
  • Fallout: Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126
  • ZombieLoad or RIDL: Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130
  • Microarchitectural Data Sampling Uncacheable Sampling (MDSUM) - CVE-2019-11091

Researchers have named a few of these vulnerabilities ZombieLoad, Fallout, and RIDL (Rogue In-Flight Data Load), with ZombieLoad being the most dangerous as it can scrape more data than the rest.

Intel said that ARM and AMD chips are not likely vulnerable to these MDS attacks. Also, some models released last month include a fix for this problem. However, all of Intel's chips that the researchers tested, going back as early as 2008, were affected.

According to a report by ZDNet, “The good news is that Intel had more than a year to get this patched, and the company worked with various OS and software vendors to coordinate patches at both the hardware and software level. Both the hardware (Intel CPU microcode updates) and software (OS security updates) protections must be installed at the same time to fully mitigate MDS attacks. If patches aren't available yet, disabling the Simultaneous Multi-Threading (SMT) feature on Intel CPUs will significantly reduce the impact of all MDS attacks.”

In these new cases, researchers found that they could use speculative execution to trick Intel's processors into grabbing sensitive data that's moving from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip's components, such as between a processor and its cache, the small portion of memory allocated to the processor to keep frequently accessed data close at hand.

Cristiano Giuffrida, one of the researchers in the VUSec group at Vrije Universiteit Amsterdam who discovered the MDS attack, said, "It's kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them. We hear anything that these components exchange."

Zombieload side-channel attack

Zombieload, a side-channel attack, is the leading attack among the new vulnerabilities and falls in the same category as Meltdown, Spectre, and Foreshadow. It is exploited by taking advantage of speculative execution, an optimization technique that Intel added to its CPUs to improve data processing speeds and performance.

ZombieLoad gets its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask for help from the processor’s microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said patches to the microcode will help clear the processor’s buffers, preventing data from being read.

“Like Meltdown and Spectre, it’s not just PCs and laptops affected by ZombieLoad — the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device”, TechCrunch reports.

Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That’s potentially a major problem in cloud environments where different customers’ virtual machines run on the same server hardware. Although no attacks have been publicly reported, the researchers couldn’t rule them out, nor would any attack necessarily leave a trace, they said.

Gruss said it was “easier than Spectre” but “more difficult than Meltdown” to exploit — and both required a specific set of skills and effort to use in an attack. But if exploit code was compiled in an app or delivered as malware, “we can run an attack,” he said.

Intel has released microcode to patch vulnerable processors. Apple, Microsoft, and Google have also released patches, with other companies expected to follow.

“In a call with TechCrunch, Intel said the microcode updates, like previous patches, would have an impact on processor performance. An Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a datacenter environment. But, the spokesperson said, it was unlikely to be noticeable in most scenarios. And neither Intel nor Gruss and his team have released exploit code, so there’s no direct and immediate threat to the average user”, TechCrunch reports.

Is Zombieload a security threat for Linux systems?

As a defense against Zombieload, a ZDNet report suggests, “To defend yourself, your processor must be updated, your operating system must be patched, and for the most protection, Hyper-Threading disabled.”

Red Hat rated CVE-2018-12130 (Zombieload) as having a severity impact of "important," while the others have moderate severity.

Greg Kroah-Hartman, the stable Linux kernel maintainer, wrote in an announcement email, “I'm announcing the release of the 5.1.2 kernel. All users of the 5.1 kernel series must upgrade. Well, kind of, let me rephrase that...All users of Intel processors made since 2011 must upgrade.”

“Red Hat noted all its Linux distributions from Red Hat Enterprise Linux (RHEL) 5 on up to the new RHEL 8 are affected. Platforms based on these Linux distros, such as Red Hat Virtualization and Red Hat OpenStack, are also vulnerable”, ZDNet reports.

Chris Robinson, Red Hat's product security assurance manager, explained: "These vulnerabilities represent an access restriction bypass flaw that impacts many Intel CPU's and many of the operating systems that enable that hardware. Working with other industry leaders, Red Hat has developed kernel security updates for products in our portfolio to address these vulnerabilities. We are working with our customers and partners to make these updates available, along with the information our customers need to quickly protect their physical systems, virtual images, and container-based deployments."

According to a Wired post, “VUSec's Giuffrida notes that his team was paid $100,000 by Intel for their work as part of the company's "bug bounty" program that rewards researchers who warn the company about critical flaws. That's hardly the kind of money paid out for trivial issues, he points out. But he also says that Intel at one point offered VUSec only a $40,000 bug bounty, accompanied by a $80,000 "gift"—which Giuffrida saw as an attempt to reduce the bounty amount cited publicly and thus the perceived severity of the MDS flaws. VUSec refused the offer of more total money in favor of a bounty that better reflected the severity of its findings, and it threatened to opt out of a bug bounty in protest. Intel changed its offer to the full $100,000.”

To know more about this news, read Intel’s official blog post.
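A check for the three defenses quoted above (updated microcode, patched kernel, SMT/Hyper-Threading off), as an added example rather than code from the article or its sources. It assumes a Linux kernel that reports MDS state in /sys/devices/system/cpu/vulnerabilities/mds; the sample strings are constructed in the format the kernel documents for that file, and the wording of the to-do items is this example's own.

```python
import re
from pathlib import Path

# Assumption: kernels carrying the MDS patches expose their state in this sysfs file.
MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Constructed sample values, one per state the kernel documents for this file.
SAMPLES = [
    "Not affected",
    "Vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT Host state unknown",
]

SMT_RE = re.compile(r"SMT (vulnerable|mitigated|disabled|Host state unknown)")


def assess_mds(status):
    """Turn one MDS status line into the remaining work for the three defenses."""
    status = status.strip()
    head = status.split(";", 1)[0].strip()
    smt_match = SMT_RE.search(status)
    smt = smt_match.group(1) if smt_match else "not reported"
    todo = []

    if head == "Not affected":
        return {"affected": False, "smt": smt, "todo": todo}

    if head == "Vulnerable":
        # Kernel knows about MDS but buffer clearing is off (or disabled at boot).
        todo.append("enable kernel MDS mitigation")
    elif head.startswith("Vulnerable: Clear CPU buffers attempted"):
        # Patched kernel, but the CPU lacks the microcode that makes clearing effective.
        todo.append("update CPU microcode")
    elif head != "Mitigation: Clear CPU buffers":
        todo.append("unrecognised status: " + head)

    if smt == "vulnerable":
        todo.append("disable SMT (Hyper-Threading)")
    elif smt == "Host state unknown":
        # Reported inside a guest: only the hypervisor operator knows the host's SMT state.
        todo.append("confirm SMT state with the hypervisor operator")

    return {"affected": True, "smt": smt, "todo": todo}


def read_local_status():
    """Return this machine's MDS status line, or None if the kernel does not report one."""
    try:
        return MDS_SYSFS.read_text().strip()
    except OSError:
        return None


if __name__ == "__main__":
    local = read_local_status()
    if local is None:
        print("no MDS entry in sysfs: kernel predates the MDS patches or is not Linux")
    else:
        print("local:", local, "->", assess_mds(local)["todo"] or "nothing to do")
    for line in SAMPLES:
        print(f"{line!r:60} -> {assess_mds(line)['todo']}")
```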

Savia Lobo
20 Jul 2018
3 min read

Machine learning based Email-sec-360°surpasses 60 antivirus engines in detecting malicious emails

E-mail is the traditional, primary, and most vital part of communication within business organizations. Emails hold minutes of important discussions, confidential documents as attachments, high-profile business contact details, and much more. Hence, hackers or intruders often use emails as a medium to deliver dangerous content to the victim via attachments or by providing links to malicious websites.

Companies throughout the world make huge efforts to detect malicious content within their communication media by setting up robust antivirus firewalls. But how secure are they? Many choose antivirus engines based on their popularity rather than their performance. The myth that famous antivirus packages get you the utmost security is now debunked by Email-sec-360°. According to Phys Org, it surpasses 60 other popular antivirus packages known to us.

Email-sec-360° is developed by Aviad Cohen, a Ph.D. student and researcher at the Ben-Gurion University of the Negev (BGU) Malware Lab. It detects unknown, malicious emails much more accurately than popular antivirus products such as Kaspersky, McAfee, Avast, etc.

Email-sec-360° vs other popular antivirus engines

Present antivirus engines use rule-based methods to analyze specific email sections. These often overlook the other important parts of the email. Dr. Nir Nissim, head of the David and Janet Polak Family Malware Lab at Cyber@BGU, stated that the existing antivirus engines use signature-based detection methods. These methods are at times insufficient for detecting new and unknown malicious emails.

Email-sec-360°, however, is based on machine learning methods and leverages 100 general descriptive features extracted from all email components, which include the header, body and attachments. Another interesting fact about this method is that it does not require internet access. Thus, it provides seamless threat detection in real time and can be easily deployed by any individual or organization.

A well-experimented approach by the Malware Lab

The researchers used a collection of 33,142 emails, which included 12,835 malicious and 20,307 benign emails obtained between 2013 and 2016. Later, they compared their detection model to 60 industry-leading antivirus engines as well as previous research. On doing this, they found their system to outperform the next best antivirus engine, Cyren, by a 13 percent range.

BGU’s Malware Lab method vs the others

The BGU Malware Lab plans to extend this method by including research and analysis of attachments (PDFs and Microsoft Office documents) within Email-sec-360°, Dr. Nissim adds, “since these are often used by hackers to get users to open and propagate viruses and malware.”

They are also planning to develop an online system that evaluates the security risk posed by an email message. This system will be based on advanced machine learning methods and would also allow users to submit suspicious email messages and quickly obtain a maliciousness score. The system will further recommend how to treat the email and would help to collect benign and malicious emails for research purposes.

Read more about Email-sec-360° in the Phys Org blog post.

Richard Gall
22 Aug 2018
3 min read

Microsoft claims it halted Russian spearphishing cyberattacks

Microsoft claims it has identified and stopped a number of Russian cyberattacks just last week. In a post published on Monday (August 20), Brad Smith wrote that "Microsoft’s Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six internet domains created by a group widely associated with the Russian government and known as Strontium."

The attacks are notable not only because of Strontium's links with the Russian government, but also because of the institutions these 'fake' domains were targeting. One of the domains is believed to mimic the International Republican Institute, while another is supposedly an imitation of conservative think tank the Hudson Institute. CNN notes that "both think tanks have been critical of Russia." Smith also writes that "other domains appear to reference the U.S. Senate but are not specific to particular offices."

Spearphishing explained

The attackers are alleged to have used a technique known in cybersecurity as spearphishing. This is where an email or a website is disguised as a reliable and trustworthy source to scam users into handing over information. In this instance, cyberattackers could have been imitating Republican think tanks in order to get staff to hand over information.

This isn't the first spearphishing attack that Microsoft claims it has intercepted. Brad Smith writes that 84 fake websites believed to be linked to Strontium have been transferred to Microsoft in the last 2 years.

Microsoft has notified the Hudson Institute and the International Republican Institute about the attacks. "Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We’ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators."

Next steps: Microsoft is expanding its Defending Democracy Program

Microsoft has also announced it will be expanding its Defending Democracy Program with a new initiative called Microsoft AccountGuard. This will "provide state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack" (free if you're using Office 365).

Amrata Joshi
19 Jun 2019
2 min read

Google Calendar was down for nearly three hours after a major outage

Yesterday, Google Calendar was down for nearly three hours around the world. Calendar users who were trying to access the service faced a 404 error message in their browsers from around 10 AM ET to 12:40 PM ET. Google updated the service details stating, “We're investigating reports of an issue with Google Calendar. We will provide more information shortly. The affected users are unable to access Google Calendar.”

During this outage, Google services including Gmail and Google Maps appeared to be unaffected, but Hangouts Meet reportedly experienced some issues.

While Calendar was down, a lot of users expressed their concerns via tweets. Here are a few of the reactions:

https://twitter.com/BestGaryEver/status/1141004879382700040
https://twitter.com/falcons3040/status/1141143090239090689
https://twitter.com/ola11king/status/1141012717144199169
https://twitter.com/thejacegoodwin/status/1140999161434689541
https://twitter.com/ChristinaAllDay/status/1140986268878286848

A few others were irritated; a user commented on HackerNews, “I guess it's time for all the Google engineers to put their LeetCode skills to the test.” People were also expecting a quicker response from the company. Another comment reads, “Over an hour into the outage, still no word at all from Google on the status page apart from -We're investigating.”

Such outages have been happening every now and then; earlier this month, Google Cloud suffered a major outage that took down a number of Google services including YouTube, GSuite, Gmail, etc. This outage had also affected services that depend on Google, including Nest, Discord, Snapchat, Shopify and more.

To know more about this news, check out the Service details by Google.

Savia Lobo
17 Jun 2019
3 min read

RAMBleed: A Rowhammer-based side-channel attack that reads memory bits without accessing them

A team of academic researchers recently unveiled a new class of Rowhammer-based attack known as RAMBleed. This newly discovered side-channel attack allows attackers to read memory data on a victim’s Windows computer, without actually accessing the memory. This vulnerability, listed as CVE-2019-0174, is called RAMBleed as the RAM "bleeds its contents, which we then recover through a side channel," the researchers explained on the RAMBleed page.

RAMBleed is used to read data from dynamic random access memory (DRAM) chips. It leverages Rowhammer, a DRAM flaw which is exploited to cause bits in neighboring memory rows to flip their values. In their research paper titled "RAMBleed: Reading Bits in Memory Without Accessing Them", the researchers have shown how an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, researchers say that RAMBleed shifts Rowhammer from being a threat only to integrity to being a threat to confidentiality as well. This paper will be presented at the 41st IEEE Symposium on Security and Privacy in May 2020.

The researchers also said that they have successfully used RAMBleed to obtain a signing key from an OpenSSH server, or rather leaked a 2048-bit RSA key using normal user privileges, enabling information to be taken from targeted devices. To do so, “we also developed memory massaging methods and a technique called Frame Feng Shui that allows an attacker to place the victim’s secret-containing pages in chosen physical frames,” the researchers mention in their paper.

Source: RAMBleed.com

Any system that uses Rowhammer-susceptible DIMMs is vulnerable to RAMBleed. Machines with memory chips “both DDR3 and DDR4 with TRR (targeted row refresh) enabled" are vulnerable. Users can mitigate their risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled.

Intel published mitigation advice in an article and further suggested that "Intel Software Guard Extensions (Intel SGX) can be used to protect systems from RAMBleed attacks."

Oracle, in their blog post, state that machines running DDR2 and DDR1 memory chips aren't affected. "successfully leveraging RAMBleed exploits require that the malicious attacker be able to locally execute malicious code against the targeted system," Oracle states. No additional security patches are expected for Oracle product distributions, the company said.

Red Hat, in an article, state that there are at least three known DRAM fault exploits: "Rowhammer," "Spoiler" and "RAMBleed." The mitigation approach depends on the hardware vendor, according to Red Hat:

There are a few commonly proposed hardware-based mitigations against Rowhammer that have potential to also mitigate RAMBleed. These are Targeted Row Refresh (TRR), increased DRAM refresh intervals (doubled DRAM refresh rate), and use of ECC memory. The extent to which these strategies may actually mitigate the problem varies and is hardware platform specific. Vendors are anticipated to provide suitable platform-specific guidance.

To know more about RAMBleed in detail, visit its official page.

Savia Lobo
12 Jul 2019
4 min read

Microsoft adds Telemetry files in a “security-only update” without prior notice to users

The recent Windows 7 ‘security-only’ update also includes Telemetry components, which users may be unaware of. It may be used to secretly monitor individual PCs for “innocuous data collection to outright spyware”, according to ZDNet. Per Microsoft, "Security-only updates" should contain only security updates, not quality fixes, diagnostic tools, and the like. This is because, in 2016, Microsoft divided Windows 7 and 8.1 patching into two parts: first, a monthly rollup of updates and fixes and, second, for those who want only essential patches, a Security-only update package.

Why is this “security-only” update suspicious?

What was surprising about this month's Security-only update, formally titled the "July 9, 2019—KB4507456 (Security-only update)," is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10.

An anonymous user commented on Woody Leonhard’s post on the July 2019 security update published on his website, AskWoody. Leonhard is a Senior Contributing Editor at InfoWorld and Senior Editor at Windows Secrets.

“Warning for group B Windows 7 users! The “July 9, 2019—KB4507456 (Security-only update)” is NOT “security-only” update. It replaces infamous KB2952664 and contains telemetry. Some details can be found in file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in “Package details”->”This update replaces the following updates” and there is KB2952664 listed). It doesn’t apply to IA-64-based systems, but applies to both x64 and x86-based systems.”

“Microsoft included the KB2952664 functionality (known as the “Compatibility Appraiser”) in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time”, another user with the name @PKCano explains.

The user further added, “With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).”

“Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?”, the user concluded.

ZDNet states, “The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed”.

Ed Bott, a technology writer at ZDNet, says that this update is benign and that Microsoft is being truthful when it says "There is no GWX or upgrade functionality contained in this update." If so, why is Microsoft not briefing users about this update?

Many users are confused about whether or not they should update their systems. A user commented on AskWoody, “So should this update be skipped or installed? This appears to pose a dilemma, at least right now. I hope that some weeks from now, by the time we are closer to a green DEFCON, this has been sorted out”.

Another user speculated that this issue might be resolved in the next update: “Disabling (or deleting) these scheduled tasks after installation (before reboot) should be enough to turn off the appraiser

\Microsoft\Windows\Application Experience\ProgramDataUpdater
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
\Microsoft\Windows\Application Experience\AitAgent

but it’s best to wait next month to see if the SO update comes clean”

ZDNet states this might be because Windows 7 is nearing its end-of-support date, which is January 14, 2020: “It's also possible that Microsoft thinks it has a strong case for making the Compatibility Appraiser tool mandatory as the Windows 7 end-of-support date nears”.

To know more about this news, visit Microsoft’s security update.

Sugandha Lahoti
10 Sep 2018
3 min read

German OpenStreetMap protest against “Article 13” EU copyright reform making their map unusable

The European Union’s copyright reform bill is currently up for a vote in the European Parliament on September 12. Its Article 13 has been on the receiving end of backlash, with many organizations protesting against it. Last week it was YouTube’s CBO speaking out, and this week German OpenStreetMap has made its map unusable to protest against the EU copyright reform.

According to Article 13, there is an “obligation on information society service providers storing and giving access to large amounts of works and other subject-matter uploaded by their users to take appropriate and proportionate measures to ensure the functioning of agreements concluded with right holders and to prevent the availability on their services of content identified by rightholders in cooperation with the service providers”.

This Article 13 is a new, revamped version that the EU has come out with, as the older version of the copyright reform bill was rejected by the Parliament back in July. The older version also received heavy criticism from different policy experts and digital rights groups on grounds of violating the fundamental rights of internet users.

This legislation has the possibility of changing the balance of power between producers of music, news and film and the dominant websites that host their work. On one side, people say that if passed, this law would mean the end of the free Internet. Platforms will have to algorithmically pre-filter all user uploads and block fair use content, cool satire, funny memes etc. On the other side, supporters of the law say that their hard work is being compromised because they are not being fairly compensated for their work. These people are creators who depend upon being paid for the sharable content they create, such as musicians, authors, filmmakers and so on.

People have, however, supported OpenStreetMap’s decision. A Hacker News user pointed out, “Good for them. The Internet as we know it is being attacked from multiple angles right now, with the EU filtering proposals, AU/5Eyes anti-encryption proposals, etc.” One person also called it, “Oh no, more evil political hacking!”

You can read more such opinions on Hacker News. You can also find some of the most common questions around the proposed Directive on the EU website.
Savia Lobo
18 Jul 2019
4 min read

Firefox 70 will bring new security measures to ensure user safety from cyberattacks

A few days ago, Firefox announced that starting from Firefox 70, which is planned for release in October this year, the browser will make two new changes favoring users and keeping them secure. First, it will notify users if their saved logins were part of any data breach. Second, it will prompt users if the web page they have landed on is not secure.

Notifying users of saved logins that were a part of the data breach

Firefox has partnered with the popular data breach site Have I Been Pwned to notify users if their saved logins were found in data breaches. To start with, Firefox will scan the saved login credentials to see if they were exposed in a data breach listed on Have I Been Pwned. If one is found, the user will be alerted and prompted to change their password.

To support this, Mozilla will be integrating its independent Firefox Monitor service and the new Firefox Lockwise password manager directly into the Firefox browser. Mozilla will add an alert icon next to any account profile in Firefox Lockwise that is detected as being part of a breach. Clicking on the saved login will open its subpanel, which displays an alert that the "Passwords were leaked or stolen" as part of a data breach.

Image: Compromised Password Notification in Firefox Lockwise

Users will also be provided a “protection report” highlighting the data breaches their logins were involved in. The current Firefox 69 Nightly builds include a mockup of the ‘Protection Report’, which will list the type and amount of tracking and unwanted scripts that were blocked over the past 7 days. This report is a mockup and does not show actual data from your browser.

Mozilla to set up “not secure” indicators for all HTTP web pages

Mozilla also announced that it will show a “Not secure” indication for all HTTP websites in Firefox, starting with Firefox 70. Google already activated this feature in its browser starting with Chrome 68, which was released last year. Prior to this announcement, Mozilla used to indicate "not secure" only on HTTP pages that contained forms or login fields.

“Mozilla argued that since more than 80% of all internet pages are now served via HTTPS, users don't need a positive indicator for HTTPS anymore, but a negative one for HTTP connections”, according to ZDNet.

Firefox Developer Johann Hofmann said, "In desktop Firefox 70, we intend to show an icon in the 'identity block' (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure".

Mozilla started working on these developments way back in December 2017, when it added flags in the Firefox about:config section. These “flags are still present in the current stable version of Firefox, and users can enable them right now and preview how these indicators will look starting this fall,” according to ZDNet.

Sean Wright, an infosec researcher, told Forbes, “This is an excellent move by Mozilla and a step in the direction to have a secure by default web”. He added that many do not realize the potential implications of using sites over HTTP. “Even publicly accessible sites, even as simple as a blog, could potentially allow attackers to inject their malicious payloads into the site served to the client. HTTPS can go a long way to prevent this, so any move to try to enforce it is a step in the right direction,” he further added.

Wright has also warned users that browsing a site via HTTPS does not mean the site is fully authentic. These sites may also be phishing sites, as hackers can purchase the certificates that mark a website as “secure”. Hence, a user has to be cautious while sharing their credentials online. He warns: “You should still pay close attention to links in emails.”

Savia Lobo
09 May 2019
3 min read

Hackers steal bitcoins worth $41M from Binance exchange in a single go!

On Tuesday, Binance Exchange, one of the popular cryptocurrency exchanges, reported a huge security breach in which hackers stole around 7,000 bitcoins, worth $41 million, in a single transaction. The hackers were able to obtain a large number of user API keys, 2FA codes, and a lot of other information.

Binance Exchange said that the hackers used a variety of techniques, including phishing, viruses and other attacks. “We are still concluding all possible methods used. There may also be additional affected accounts that have not been identified yet”, Binance said in its official statement.

Binance confirmed that only the BTC hot wallet was affected and that all the other wallets are secure and unharmed. The affected ‘hot wallet’ contained about 2% of Binance’s total BTC holdings. The firm also mentioned that the hackers were extremely patient and carried out well-orchestrated actions through multiple seemingly independent accounts at the most opportune time.

“The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that”, Binance’s official statement mentions.

Binance said that no user funds will be affected and that it will use the SAFU fund to cover this incident in full. Binance has estimated that it will take a week to conduct a thorough security review of this incident, during which all deposits and withdrawals will need to remain suspended. The security review will include all parts of its huge systems and data, and updates will be posted frequently.

“We beg for your understanding in this difficult situation”, Binance urged its users. They further added, “Please also understand that the hackers may still control certain user accounts and may use those to influence prices in the meantime. We will monitor the situation closely. But we believe with withdrawals disabled, there isn’t much incentive for hackers to influence markets.”

Larry Cermak, Head Analyst at The Block and former researcher at Diar, who researched the Binance hack, concluded that it was the sixth largest exchange hack in history. He also said, “the $41 million is “peanuts” for Binance” and it will take hardly 47 days to make the money lost during the breach.

https://twitter.com/lawmaster/status/1126090906908676096

In a live video chat, Binance's chief executive Changpeng Zhao sought to answer questions about the hack.

https://twitter.com/CharlieShrem/status/1126166334121881601

To know more about this news, read the complete official document.

Natasha Mathur
29 Oct 2018
3 min read

Apple and Amazon take punitive action against Bloomberg’s 'misinformed' hacking story

It was only earlier this month that Bloomberg published a story alleging that China hacked into Amazon and Apple’s servers, and now the two tech giants seem to be retaliating against Bloomberg. Apple did not invite Bloomberg to its fall product event, “There’s More in the Making”, which takes place tomorrow in Brooklyn. Amazon, on the other hand, pulled its fourth quarter advertisements from Bloomberg’s website last week, leading to a huge loss in Bloomberg’s ad revenue.

An Amazon spokesperson told BuzzFeed News last week that the ads were canceled “due to a missed creative deadline”. Apple, on the other hand, declined to comment on this.

Tim Cook, CEO of Apple, had asked Bloomberg to retract the story in an interview with BuzzFeed News on 19th October. "There is no truth in their story about Apple," Cook mentioned to BuzzFeed. Apple also published a statement regarding the same: “we are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims”.

Andy Jassy, CEO of Amazon Web Services, and Super Micro joined Apple in refuting the claims made by Bloomberg.

https://twitter.com/ajassy/status/1054401346827243520

Steve Schmidt, Chief Information Security Officer at Amazon Web Services, further stated, “as we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government. There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count”.

Super Micro also issued a statement: “Super Micro strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems. Supermicro takes all security claims very seriously and makes continuous investments in the security capabilities of their products. Super Micro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely”.

According to the Bloomberg article, Chinese spies had implanted tiny chips on computer motherboards made by Super Micro Computer. “In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies”. These motherboards were used by several of the largest American tech giants, such as Amazon and Apple. These chips then provided secret access to the private data on the machines.

The report also states that “the chips were reportedly built to be as inconspicuous as possible and to mimic signal conditioning couplers. It was determined during an investigation, which took three years to conclude, that the chip allowed the attackers to create a stealth doorway into any network that included the altered machines.”

Although both Amazon and Apple totally refute the allegations, Bloomberg continues to stand by its report.
Savia Lobo
24 May 2019
4 min read

SnapLion: An internal tool Snapchat employees abused to spy on user data

A report released by Motherboard yesterday reveals that employees of Snap Inc., the parent company of the popular social media app Snapchat, abused privileged data management tools to spy on Snap users. They gained access to location, contact details, email addresses, even saved Snaps!

Motherboard, which first reported the news, states that various departments within Snap have dedicated tools for accessing data. Talking about sources, Motherboard said, “two former employees said multiple Snap employees abused their access to Snapchat user data several years ago”. Along with those sources, Motherboard also obtained information from two other former employees, a current employee, and a cache of internal company emails.

The sources and the emails obtained highlight one of the internal tools that can access user data, called SnapLion. Former employees said that SnapLion was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena. “Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it is a reference to the cartoon character Leo the Lion”, Motherboard reports.

Snap Inc.’s ‘Spam and Abuse’ team has access to the tool, and it can also be used to combat bullying or harassment on the platform by other users. Motherboard said, “An internal Snap email obtained by Motherboard says a department called "Customer Ops" also has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported”.

“Motherboard granted multiple sources in this story anonymity to speak candidly about internal Snap processes”, reports Motherboard.

Snapchat has a user base of around 186 million users, who use it to share photos and videos or post stories, trusting that the content may get auto-deleted as per Snapchat’s privacy policies. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story). However, in 2014, the Federal Trade Commission fined Snapchat for failing to disclose that the company collected, stored, and transmitted geolocation data.

A Snap spokesperson wrote to Motherboard, “Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination."

A few years ago, SnapLion did not have a satisfactory level of logging to track what data employees accessed, a former employee said. The company then implemented more monitoring, the former employee added. Snap said it currently monitors access to user data. The second former employee said, "Logging isn't perfect".

“Snap said it limits internal access to tools to only those who require it, but SnapLion is no longer a tool purely intended to help law enforcement. It is now used more generally across the company”, the former employees reported. One of them who worked with SnapLion said the tool is used for resetting passwords of hacked accounts and "other user administration."

A current employee stressed the company's strides for user privacy, and two former employees stressed the controls Snap has in place for protecting user privacy. Snap also introduced end-to-end encryption in January of this year.

Similar to Snap Inc., there are stories of employees at other tech giants, such as Facebook and Uber, accessing their ex-employees’ data. Facebook fired some of its employees in May last year for using their privileged access to user data to stalk exes. In 2016, Uber employees, on the other hand, used internal systems to spy on ex-partners, politicians, and celebrities.

https://twitter.com/justkelly_ok/status/1131750164773818369

Read more about this news in detail in Motherboard’s full coverage.

Natasha Mathur
08 Feb 2019
2 min read

Google open sources ClusterFuzz, a scalable fuzzing tool

Google made its scalable fuzzing tool, ClusterFuzz, available as open source yesterday. Google uses ClusterFuzz for fuzzing the Chrome browser; fuzzing is a technique that helps detect bugs in software by feeding unexpected inputs to a target program. For fuzzing to be effective, it should be continuous, done at scale, and integrated into the development process of a software project.

ClusterFuzz can run on clusters with over 25,000 machines and can effectively highlight security and stability issues in software. It serves as the fuzzing backend for OSS-Fuzz, a service that Google released back in 2016. ClusterFuzz was earlier offered as a free service to open source projects through OSS-Fuzz but is now available for anyone to use.

ClusterFuzz comes with a variety of features that help integrate fuzzing into a software project's development process. Here are some of the key features in ClusterFuzz:

  • Helps with accurate deduplication of crashes.
  • Comes with fully automatic bug filing and closing for issue trackers.
  • Includes statistics for analyzing fuzzer performance and crash rates.
  • Comprises an easy-to-use web interface for management and viewing crashes.

ClusterFuzz has so far tracked more than 16,000 bugs in Chrome and over 11,000 bugs in more than 160 open source projects integrated with OSS-Fuzz. ClusterFuzz can detect bugs hours after they have been introduced and is capable of verifying the fix within a day.

“We developed ClusterFuzz over eight years to fit seamlessly into developer workflows, and to make it dead simple to find bugs and get them fixed. Through open sourcing ClusterFuzz, we hope to encourage all software developers to integrate fuzzing into their workflows,” state the ClusterFuzz team members.

For more information, check out ClusterFuzz’s official GitHub repository.