Tech News - Security

470 Articles
Savia Lobo
10 Jun 2019
3 min read

NSA warns users of BlueKeep vulnerability; urges them to update their Windows systems

Last week, the NSA published an advisory urging Microsoft Windows administrators and users to update their older Windows systems to protect against the BlueKeep vulnerability. This vulnerability was first noted by the UK National Cyber Security Centre and reported by Microsoft on 14 May 2019.

https://twitter.com/GossiTheDog/status/1128431661266415616

On May 30, Microsoft issued a security notice urging users to update their systems, as "some older versions of Windows" could be vulnerable to cyber-attacks. On May 31, MalwareTech posted a detailed analysis of the BlueKeep vulnerability.

“Microsoft has warned that this flaw is potentially “wormable,” meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw,” the advisory states.

BlueKeep (CVE-2019-0708) is a vulnerability in the Remote Desktop Protocol (RDP). It is present in Windows 7, Windows XP, Server 2003 and 2008, and although Microsoft has issued a patch, potentially millions of machines are still vulnerable.

“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability”, the advisory explains. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

The NSA has also suggested some additional measures that can be taken:

  • Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. RDP uses this port, so blocking it stops attempts to establish a connection.
  • Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.
  • Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.

Why has the NSA urged users and admins to update?

Ian Thornton-Trump, head of security at AmTrust International, told Forbes, “I suspect that they may have classified information about actor(s) who might target critical infrastructure with this exploit that critical infrastructure is largely made up of the XP, 2K3 family."

The NSA had itself created the very similar EternalBlue exploit, which was recently used to hold the city of Baltimore’s computer systems for ransom. The NSA developed the EternalBlue attack software for its own use but lost control of it when it was stolen by hackers in 2017.

BlueKeep is so similar to EternalBlue that Microsoft compared the two in its warning to users about the vulnerability. "It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise," Microsoft wrote in its security notice to customers. Microsoft also compared the risks to those of the WannaCry virus, which infected hundreds of thousands of computers around the world in 2017 and caused billions of dollars worth of damage.

NSA said patching against BlueKeep is “critical not just for NSA’s protection of national security systems but for all networks.”

To know more about this news in detail, head over to Microsoft’s official notice.

Bhagyashree R
22 Apr 2019
3 min read

Hacker destroys Iranian cyber-espionage data; leaks source code of APT34’s hacking tools on Telegram

On Wednesday, ZDNet reported that a hacker with the online name Lab Dookhtegan leaked, on Telegram, a set of hacking tools belonging to Iran’s espionage groups, often identified as APT34, Oilrig, or HelixKitten. The leaks started in mid-March and included sensitive information, mostly consisting of usernames and passwords.

https://twitter.com/campuscodi/status/1118656431069302795

ZDNet became aware of this hack when a Twitter user DMed them some of the same files that were leaked on Telegram. Though this Twitter user claimed to have worked on the group’s DNSpionage campaign, ZDNet believes that it is also possible that he is a member of a foreign intelligence agency trying to hide their real identity. ZDNet’s assumption is that the Twitter user could be the Telegram Lab Dookhtegan persona.

The hacker leaked the source code of six hacking tools: Glimpse, PoisonFrog, HyperShell, HighShell, Fox Panel, and Webmask. Many cyber-security experts, including Chronicle, Alphabet's cyber-security division, confirmed the authenticity of these tools.

Along with these tools, the hacker also leaked the content from several active backend panels, where victim data had been collected. Chronicle, Alphabet's cyber-security division, confirmed to ZDNet that the hacker has leaked data of 66 victims, mainly from countries in the Middle East. This data was collected from both government agencies and private companies. The hacker also leaked data from APT34’s past operations, sharing the IP addresses and domains where the group hosted web shells and other operational data.

Besides leaking the data and source code of the hacking tools, the hacker also made public personal information of the Iranian Ministry of Intelligence officers who were involved with APT34 operations, including phone numbers, images, and names. The hacker admitted on the Telegram channel that he has destroyed the control panels of APT34’s hacking tools and wiped their servers clean. So the Iranian espionage group now has no choice other than to start over.

Going by the leaked documents, it seems that Dookhtegan also had some grudge against the Iranian Ministry of Intelligence, which he called "cruel," "ruthless" and "criminal”.

Several cyber-security firms are now analyzing the leaked data. In an email to ZDNet, Brandon Levene, Head of Applied Intelligence at Chronicle, said, "It's likely this group will alter their toolset in order to maintain operational status. There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use."

To know about this story in detail, visit ZDNet.

Amrata Joshi
19 Mar 2019
3 min read

IBM announces the launch of Blockchain World Wire, a global blockchain network for cross-border payments

Yesterday, IBM launched its Blockchain World Wire, a global blockchain network for cross-border payments that will make use of a Stablecoin backed by U.S. dollars and cryptocurrency to make near real-time cross-border financial transactions. It is based on distributed ledger technology (DLT) for regulated financial firms.

IBM Blockchain World Wire is a real-time global payments network that works towards clearing and settling foreign exchange, cross-border payments and remittances. Currently, this network can transfer funds to more than 50 countries using 47 digital coins backed by fiat currencies. According to IBM, World Wire is the first blockchain network of its kind to integrate payment messaging and clearing and settlement on a single unified network while allowing participants to dynamically choose from a variety of digital assets for settlement.

According to a report by Cheddar, six international banks, including Brazil’s Banco Bradesco, South Korea’s Bank Busan and the Philippines’ Rizal Commercial Banking Corporation, have signed letters of intent to issue their own Stablecoins backed by their national fiat currencies on IBM’s Blockchain World Wire.

Advantages of Blockchain World Wire

  • Faster payment processing: Blockchain World Wire provides simultaneous clearing and settlement and eliminates multiple parties processing transactions.
  • Lower costs: The World Wire comes with reduced capital requirements for cross-border transactions. Even the clearing costs have been lowered.
  • Transparency: The World Wire provides end-to-end transparency and one exchange fee between all currencies, which makes it easier.

If two transacting financial institutions agree to use a Stablecoin, a central bank digital currency or another digital asset as the bridge asset between any two currencies, they are provided with trade and important settlement instructions. The institutions can use their existing payment systems by connecting them to World Wire’s APIs in order to convert the first fiat currency into the digital asset. The World Wire then converts the digital asset into the second fiat currency, which completes the transaction. The transaction details are recorded onto an immutable blockchain for clearing purposes.

Marie Wieck, General Manager, IBM Blockchain, said, “We’ve created a new type of payment network designed to accelerate remittances and transform cross-border payments to facilitate the movement of money in countries that need it most. By creating a network where financial institutions support multiple digital assets, we expect to spur innovation and improve financial inclusion worldwide.”

To know more about this news, check out IBM’s official website.

Natasha Mathur
24 Aug 2018
4 min read

Mozilla, Internet Society, and Web Foundation want G20 to address “techlash” fuelled by security and privacy concerns

The Mozilla organization, Internet Society, and the Web Foundation have spoken out on their blogs about the current “techlash” that is posing a strong risk to the Internet. They want the G20 to address the issues causing techlash at the ongoing G20 Digital Economy Ministerial Meeting this week.

Techlash, a term originally coined by The Economist last year, refers to a strong response against major tech companies due to concerns over power, user privacy, and security. This techlash is caused by security and privacy concerns for users on the web.

As mentioned in their (Mozilla, Internet Society, Web Foundation) blog post, “once thought of as the global equalizer, opening doors for communication, work opportunities, commerce and more – the Internet is now increasingly viewed with skepticism and wariness. We are witnessing a trend where people are feeling let down by the technology they use”.

The Internet is estimated to contribute US$6.6 trillion a year in the G20 countries by 2020. For developing nations, the digital economy is growing at 15 to 25 percent a year. Yet the internet seems to be at continuous risk. This is largely due to data breaches, silence around how data is utilized and monetized, cybercrime, surveillance, and other online threats that are causing mistrust among users.

The blog reads that “It is the priority of G20 to reinject hope into technological innovation: by putting people, their rights, and needs first”. With over 100 organizations calling on the leaders at the G20 Digital Economy Ministerial Meeting this week, the urgency speaks highly of how the leaders need to start putting people at “the center of the digital future”.

The G20 comprises the world’s largest advanced and emerging economies. It represents about two-thirds of the world’s population, 85% of global gross domestic product and over 75% of global trade. These member nations engage with guest countries and other non-member countries to make sure that the G20 presents a broad range of international opinion.

The G20 is famous for addressing issues such as connectivity, the future of work, and education. But topics such as security and privacy, which are of great importance and concern to people across the globe, haven’t featured as prominently on discussion forums. According to the blog post, “It must be in the interest of the G20 as a global economic powerhouse to address these issues so that our digital societies can continue to thrive”.

With recent data issues such as a 16-year-old hacking Apple’s “super secure” customer accounts, idle Android devices sending data to Google, and governments using surveillance tech to watch you, it is quite evident that the need of the hour is to make the internet a secure place. Other recent data breaches include Homebrew’s GitHub repo getting hacked in 30 minutes, TimeHop’s data breach, and AG Bob Ferguson asking Facebook to stop discriminatory ads.

Companies should be held accountable for their invasive advertising techniques, manipulating user data or sharing user data without permission. People should be made aware of the ways their data is being used by governments and the private sector.

Organizations are already taking measures at an individual level to make the internet safer for users. For instance, DARPA is working on AI forensic tools to catch deepfakes over the web, Twitter deleted 70 million fake accounts to curb fake news, and the EU fined Google $5 billion over the Android antitrust case. But the G20 bringing more focus to the issue can really help protect the development of the Internet on a global scale.

G20 members should aim at protecting the information of all internet users across the world. The G20 can play an instrumental role by taking into account people’s concerns over internet privacy and security. The techlash is ”questioning the benefits of the digital society”. Argentine President Mauricio Macri said that to tackle the challenges of the 21st century we must “put the needs of people first”, and it's time for the G20 to do the same.

Check out the official blog post by Mozilla, Internet Society and Web Foundation.

Sugandha Lahoti
28 Aug 2018
2 min read

Facebook’s AI algorithm finds 20 Myanmar Military Officials guilty of spreading hate and misinformation, leads to their ban

Facebook has banned 20 military officials from Myanmar for spreading hate and misinformation about the ethnic violence in Myanmar. They have also removed a total of 18 Facebook accounts, one Instagram account, and 52 Facebook Pages.

This action followed a report by the UN Human Rights Council-authorized Fact-Finding Mission on Myanmar, which found evidence of many organizations and individuals committing or assisting in serious human rights abuses in the country. Following this, Facebook banned these individuals to prevent further inflammation of ethnic and religious tensions.

The 20 military officials and organizations removed include Senior General Min Aung Hlaing, commander-in-chief of the armed forces, and the military’s Myawady television network. They have removed six pages and six accounts from Facebook and one account from Instagram connected to these individuals and organizations. The rest don’t have a Facebook or Instagram presence but are banned nevertheless.

Facebook has also removed 46 Pages and 12 accounts for engaging in coordinated inauthentic behavior. These pages used independent news and opinion pages to secretly push the messages of the Myanmar military.

Earlier this year, Facebook created a dedicated team across product, engineering, and policy to work on issues specific to Myanmar. They use sophisticated artificial intelligence to proactively flag posts that break Facebook policies. In the second quarter of 2018, these algorithms identified about 52% of the content that Facebook removed for hate speech in Myanmar.

They also updated their credible violence policies to deal with misinformation that may contribute to imminent violence or physical harm. They are also improving Facebook reporting tools and introducing new tools on the Messenger mobile app for people to report conversations that violate Community Standards.

Read the entire report on this decision on the Facebook newsroom.

Savia Lobo
10 Jul 2019
4 min read

ICO to fine Marriott over $124 million for compromising 383 million users’ data last year

The UK’s watchdog, the Information Commissioner's Office (ICO), announced that it plans to impose a fine of more than £99 million ($124 million) under GDPR on the popular hotel chain Marriott International over a massive data breach which occurred last year.

On November 19, 2018, Marriott revealed that the data breach occurred in Marriott’s Starwood guest database, and that the breach had been going on for the past four years, collecting information about customers who made reservations in its Starwood subsidiary. The company initially said hackers stole the details of roughly 500 million hotel guests. However, after further investigation the number was later corrected to 383 million.

This is the ICO’s second announcement of significant fines on companies involved in major data breaches. A few days ago, the ICO declared its intention to issue British Airways a fine of £183.39M for compromising personal identification information of over 500,000 customers.

According to ICO’s official website, “A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.”

Information Commissioner Elizabeth Denham said, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

“Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public,” she further added.

In a filing with the US Securities and Exchange Commission yesterday, Marriott International’s President and CEO, Arne Sorenson, said, “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”

“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott”, Sorenson added. He further informed that the Starwood guest reservation database that was attacked is no longer used for business operations.

A few hours after Marriott disclosed the data breach last year, two lawsuits were filed against it: the first by two Oregon men, Chris Harris and David Johnson, for exposing their data, and the other in the state of Maryland by a Baltimore law firm, Murphy, Falcon & Murphy. The petitioners in the Oregon lawsuit claimed $12.5 billion in costs and losses; however, the petitioners in the Maryland lawsuit didn't specify the amount of damages they were seeking from Marriott.

According to OregonLive’s post last year, “The lawsuit seeks $12.5 billion -- or $25 for each customer whose privacy may have been jeopardized after making a reservation with Starwood brand hotels, including W Hotels, St. Regis, Sheraton, and Westin”. “The $25 as a minimum value for the time users will spend canceling credit cards due to the Marriott hack”, OregonLive further reported.

Many are happy with the ICO’s decision to impose fines on major companies that put customer data at risk. A user on Reddit has commented, “Finally!! I am hoping this is a trend and a game changer for the companies to better protect their customer information!”. Another user said, “Great news, The GDPR is working.”

To know more about this news in detail, head over to ICO’s official website.
Bhagyashree R
18 Jun 2019
3 min read

Netflix security engineers report several TCP networking vulnerabilities in FreeBSD and Linux kernels

Yesterday, the security engineers at Netflix reported several TCP networking vulnerabilities in FreeBSD and Linux kernels. The most serious of these, called “SACK Panic”, allows a remote attacker to trigger a kernel panic on recent Linux kernels.

Details on the TCP networking vulnerabilities

Netflix security engineers found four vulnerabilities in total. These were specifically related to the maximum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. MSS is a parameter in the TCP header of a packet that specifies the total amount of data a computer can receive in a single TCP segment. SACK is a mechanism that enables the data receiver to inform the sender about all the segments that have arrived successfully.

Soon after, Red Hat also listed the vulnerabilities, background, and patches on their website and credited Netflix for reporting them. According to Red Hat, the extent of the impact of these vulnerabilities is limited to denial of service. “No privilege escalation or information leak is currently suspected,” Red Hat wrote in its post.

Following are the vulnerabilities that were reported:

SACK Panic (CVE-2019-11477)

SACK Panic is the most severe vulnerability of all. An attacker can exploit it to induce an integer overflow by sending a crafted sequence of SACKs on a TCP connection with a small MSS value. This can lead to a kernel panic that makes it difficult for the operating system to recover back to its normal state. This forces a restart and hence results in a denial of service. This vulnerability was found in Linux 2.6.29 or later versions.

SACK Slowness (CVE-2019-11478 and CVE-2019-5599)

The TCP retransmission queue in Linux kernels and the RACK send map in FreeBSD can be fragmented by sending a crafted sequence of SACKs. The attacker will then be able to exploit this fragmented queue to cause “an expensive linked-list walk for subsequent SACKs received” for that particular TCP connection. This vulnerability was found in Linux 4.15 or previous versions and FreeBSD 12 using the RACK TCP Stack.

Excess Resource Consumption Due to Low MSS Values (CVE-2019-11479)

A Linux kernel can be forced by an attacker to divide its responses into multiple TCP segments accommodating 8 bytes of data. Sending the same amount of data will now require more bandwidth and will also consume additional resources like CPU and NIC processing power. This vulnerability was found in all Linux versions.

Next steps

The Netflix team has also mentioned the patches and workarounds against each vulnerability in the official report. Red Hat has recommended two options to mitigate the CVE-2019-11477 and CVE-2019-11478 vulnerabilities:

  • Disabling the vulnerable component
  • Using iptables to drop connections with an MSS size that is able to exploit the vulnerability

Red Hat will be making a ‘kpatch’ available for customers running supported versions of Red Hat Enterprise Linux 7 or greater. Red Hat customers using the affected versions are recommended to update them as soon as Red Hat makes the errata available. Additionally, they have also provided an Ansible playbook, ‘disable_tcpsack_mitigate.yml’, which will disable selective acknowledgments and make the change permanent.

More information about the mitigation steps is available on Red Hat’s official website.
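One way to check a host against the two Red Hat mitigation options for CVE-2019-11477 and CVE-2019-11478 described above, as an added example that is not code from the article, Netflix or Red Hat. The function names, the constructed sample rule sets and the 500-byte MSS ceiling are assumptions for illustration; the tcp_mtu_probing condition follows the caveat in Netflix's advisory that the MSS filter is only effective when that sysctl is 0.

```shell
#!/bin/sh
# Added example: classify a Linux host against the two mitigations listed for
# SACK Panic / SACK Slowness. It does not cover CVE-2019-11479.

# Upper bound of the MSS range a drop rule must cover to count as a filter.
# ASSUMPTION: 500 is an illustrative value, not a figure from this article.
MSS_CEILING=500

# has_low_mss_drop RULES
# RULES is text in `iptables -S` format. Succeeds when an INPUT rule drops TCP
# SYNs whose (non-negated) MSS range starts at 1 and reaches MSS_CEILING.
has_low_mss_drop() {
    printf '%s\n' "$1" | awk -v need="$MSS_CEILING" '
        $1 == "-A" && $2 == "INPUT" && /--tcp-flags [A-Z,]*SYN[A-Z,]* SYN / && / -j DROP$/ {
            for (i = 2; i < NF; i++) {
                if ($i == "--mss" && $(i - 1) != "!") {
                    n = split($(i + 1), r, ":")
                    lo = r[1] + 0
                    hi = (n > 1 ? r[2] : r[1]) + 0
                    if (lo <= 1 && hi >= need + 0) found = 1
                }
            }
        }
        END { exit(found ? 0 : 1) }'
}

# sack_status TCP_SACK TCP_MTU_PROBING RULES
# Prints one status line for the given sysctl values and firewall rules.
sack_status() {
    sack=$1
    probing=$2
    rules=$3
    if [ "$sack" = "0" ]; then
        # Option 1: the vulnerable component (SACK processing) is disabled.
        echo "mitigated: SACK disabled"
    elif has_low_mss_drop "$rules"; then
        # Option 2: low-MSS connections are dropped before the handshake.
        if [ "$probing" = "0" ]; then
            echo "mitigated: low-MSS SYNs dropped"
        else
            echo "partial: MSS filter present but tcp_mtu_probing=$probing"
        fi
    else
        echo "exposed: SACK enabled and no low-MSS filter"
    fi
}

# audit_live: evaluate the running host (iptables -S normally needs root).
audit_live() {
    sack_status "$(cat /proc/sys/net/ipv4/tcp_sack)" \
                "$(cat /proc/sys/net/ipv4/tcp_mtu_probing)" \
                "$(iptables -S INPUT 2>/dev/null)"
}

# Constructed sample rule sets, in `iptables -S` format.
RULES_FILTERED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
RULES_PLAIN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
# Range too narrow to cover MSS_CEILING, so it does not count as a filter.
RULES_NARROW='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:48 -j DROP'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    sack_status 1 0 "$RULES_PLAIN"
    sack_status 0 0 "$RULES_PLAIN"
    sack_status 1 0 "$RULES_FILTERED"
    sack_status 1 1 "$RULES_FILTERED"
    sack_status 1 0 "$RULES_NARROW"
fi
```

Run with `--live` to evaluate the current host instead of the constructed samples; a low-MSS filter can break legitimate peers that rely on a small MSS, so review the range before deploying such a rule.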

Vincy Davis
23 May 2019
4 min read

SENSORID attack: Calibration fingerprinting that can easily trace your iOS and Android phones, study reveals

A new study by researchers at Cambridge University’s Computer Laboratory has revealed that an attack called calibration fingerprinting, or SENSORID, allows iOS and Android devices to be tracked across the internet. The researchers stated that a website or an app can conduct this attack in under 1 second, as it requires no special permissions, does not require user interaction, and is computationally efficient.

Yesterday, at the IEEE Symposium on Security and Privacy, the researchers presented a research paper titled “SENSORID: Sensor Calibration Fingerprinting for Smartphones” that introduces the calibration fingerprinting attack. In this paper, the researchers demonstrated the effectiveness of this attack on iOS devices and found that the lack of precision in the M-series co-processor helps the generation of such a fingerprint.

“Such an attack does not require direct access to any calibration parameters since these are often embedded inside the firmware of the device and are not directly accessible by application developers”, the research report states.

“According to a team of academics from the University of Cambridge in the UK, SensorID impacts iOS devices more than Android smartphones. The reason is that Apple likes to calibrate iPhone and iPad sensors on its factory line, a process that only a few Android vendors are using to improve the accuracy of their smartphones' sensors”, reports ZDNet.

The researchers used a new method of fingerprinting devices with embedded sensors by carefully analyzing the sensor output. Sensors do not require any special permissions, and the data can be accessed both via a native app installed on a device and by JavaScript when visiting a website on an iOS or Android device. The fingerprint can be generated by both apps and mobile websites and requires no user interaction.

When the attack was tried on an iPhone 6S, it was found that the GYROID contains about 42 bits of entropy and the MAGID provides an additional 25 bits of entropy. The study has demonstrated that the combination of the MAGID and GYROID – the SENSORID – is globally unique for the iPhone 6S. This did not change on factory reset or after a software update. This shows that the attack can also be applied retrospectively to a historic archive of sensor data.

In addition to iOS devices, it has been found that the Google Pixel 2 and Pixel 3 can also be fingerprinted by the SENSORID attack. The researchers claim that all iOS devices that have a gyroscope or magnetometer can be fingerprinted by this approach, including the latest iPhone XS and iPhone XS Max. The mainstream iOS browsers (Safari, Chrome, Firefox, and Opera) and the privacy-enhanced browsers (Brave and Firefox Focus) are all vulnerable to this calibration-based fingerprinting attack, even if the fingerprinting protection mode is turned on.

They added, “We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SENSORID either.”

The researchers notified Apple about this vulnerability in August 2018 and Google in December 2018. Apple patched this issue with the release of iOS 12.2 in March 2019. However, Google has not taken any prompt action and has only informed the researchers that it will investigate this issue. With the latest iOS 12.2 release, the new iPhones and iPads will generate a new fingerprint with every sensor calibration query, making SENSORID-type user tracking useless. Further, Apple also removed access to motion sensors from Mobile Safari by default.

The researchers anticipate that calibration information used in other embedded sensors can also be recovered and used as a fingerprint. Thus future research will successfully perform calibration fingerprinting attacks on other types of sensor.

Any iPhone is vulnerable to this attack unless it has been updated to iOS 12.2. A Pixel 2 or 3 is also vulnerable. The vulnerability of Android phones is not yet fully known, but it is certainly possible.

article-image-virality-of-fake-news-on-social-media-are-weaponized-ai-bots-to-blame-questions-destin-sandlin
Savia Lobo
04 Feb 2019
4 min read

Virality of fake news on social media: Are weaponized AI bots to blame, questions Destin Sandlin

A lot of fake news has been spreading in recent times via social media channels such as Facebook, Twitter, WhatsApp, and so on. A group of researchers from the University of Southern California came up with a paper titled “Combating Fake News: A Survey on Identification and Mitigation Techniques” that discusses existing methods and techniques applicable to identification and mitigation of fake news. Microsoft Edge mobile browser also flags untrustworthy news sites with the help of a plugin named NewsGuard. But how far are we in combating “Fake News”? This weekend, Destin Sandlin, an engineer who runs the educational video series Smarter Every Day on YouTube, tweeted about how fake news is getting popular on YouTube by being literally engineered into our daily feeds using sophisticated AI, destructive bots and so on. https://twitter.com/smartereveryday/status/1091833011262423040 He started off by tweeting about “weaponized bots, algorithm exploitation, countermeasures, and counter-countermeasures!” He mentioned seeing a YouTube video thumbnail with a picture of Donald Trump and Ruth Bader Ginsburg side by side. What caught his eye was that the video had received 135,000 views, making him feel it was a legitimate video. He further explained that the video was simply a bot reading a script. He realized that these bots have come up with ways to automatically make YouTube videos and upload them. “I recognize that this video is meant to manipulate me so I go to close the video.” https://twitter.com/smartereveryday/status/1091833831206866944 Sandlin highlighted another fact: these videos had a 2,400 to 143 like-to-dislike ratio. He believes that this was some sort of weaponized algorithm exploitation. He said that in order to get maximum views on YouTube, all a video has to do is get onto the sidebar or into the suggested videos list.
He also mentioned an example of a channel that appeared in his suggestion list, named "The Small Workshop", which managed to get 13 million views. https://twitter.com/smartereveryday/status/1091835106149453826

The Trump - Ginsburg video

Sandlin searched YouTube for "After trump sends note to Ginsburg", following which he got tons of different videos but with the same content. He said, “They all use the exact same script, but the computerized voices are different to not trip YouTube's audio detectors, the videos all use different footage to avoid any visual content ID match”. “This is an offensive AI at work, and it's built to avoid every countermeasure”, he added. Sandlin tweeted, “I think the strategy is simple… if you bot-create enough videos on the same topic and generate traffic to those artificially…many will fail, but eventually, the algorithm will suggest one of them above the others, and it will be promoted as “THE ONE”.” He further said that tech company engineers are tasked with developing countermeasures to these kinds of attacks. He is unsure who the attacking party is: “Is there a building in a foreign country where soldiers go to work/battle every day to "comment, like, and subscribe?” or are these clever software developers building bots to automatically create videos and accounts to promote those videos? “I would assume they’re using AI to see what types of videos and comments are amplified the most.” He wonders, “How often do TTPs (Techniques, Tactics, and Procedures) change? When the small groups of engineers at YouTube, Facebook, Instagram or Twitter develop a countermeasure, how long until counter-countermeasures are developed and deployed?” According to a post at Resurgent, “Perhaps Sandlin’s suggestion, responding with an active unity, a countermeasure of forgiveness and grace, is the best answer. There’s no AI or algorithm that can defeat those weapons.” Read Destin Sandlin’s complete Tweet thread to know more.
Amrata Joshi
18 Sep 2019
3 min read

LastPass patched a security vulnerability from the extensions generated on pop-up windows

Last week, the team behind LastPass, a password manager website, released an update to patch a security vulnerability that exposes credentials entered by users on a previously visited site. This vulnerability would let websites steal credentials for the last account the user had logged into via the Chrome or Opera extension. Tavis Ormandy, a security researcher at Google’s Project Zero, discovered this bug last month.

The security vulnerability appeared on extensions from pop-up windows

On Google Project Zero’s issue page, Ormandy explained that the flaw stemmed from the extensions generated on the popup windows. In some cases, websites could produce a popup by creating an HTML iframe that was linked to the LastPass popupfilltab.html window instead of calling the do_popupregister() function. In some of these cases, this unexpected method led the popups to open with a password for the most recently visited site. https://twitter.com/taviso/status/1173401754257375232 According to Ormandy, an attacker can easily hide a malicious link behind a Google Translate URL and make users visit the link, and then extract credentials from a previously visited site. Google’s Project Zero reporting site reads, "Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab." LastPass patched the reported issue in version 4.33.0, which was released on 12th September. According to the official blog post, the bug impacts its Chrome and Opera browser extensions. The bug is considered dangerous as it relies on executing malicious JavaScript code alone without the need for user interaction.
Ormandy further added, “I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs.” Ferenc Kun, the security engineering manager for LastPass, said in an online statement that this "limited set of circumstances on specific browser extensions" could potentially enable the attack scenario described. Kun further added, "To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times."

LastPass recommends general security practices

The team at LastPass shared the following list of general security practices:
  • Users need to beware of phishing attacks; they shouldn’t click on links from untrusted contacts and companies.
  • The team advises users to enable MFA for LastPass and other services, including email, bank, Twitter, Facebook, etc. Additional layers of authentication could prove to be the most effective way to protect the account.
  • Users shouldn’t reuse or disclose the LastPass master password.
  • Users should use unique passwords for every online account, run antivirus with the latest detection patterns and keep their software up to date.

To know more about this news, check out the official post.
Savia Lobo
20 Nov 2018
2 min read

A multi-factor authentication outage strikes Microsoft Office 365 and Azure users

Yesterday, Microsoft Azure and Office 365 users had trouble logging into their accounts. The cause was a multi-factor authentication issue that prevented users from signing in to their services. The outage started at 04:39 UTC yesterday, with Azure Active Directory users struggling to gain access to their accounts when multi-factor authentication (MFA) was enabled. The issue continued for almost seven hours. A notice confirming the outage was put up on Office 365’s service health page stating, “Affected users may be unable to sign in”. The impact of this outage is specific to users located in the Europe, Middle East and Africa (EMEA) or Asia Pacific (APAC) regions. According to Azure’s status page, “Engineers have explored mitigating a back-end service via deploying a code hotfix, and this is currently being validated in a staging environment to verify before potential roll-out to production. Engineers are also continuing to explore additional workstreams to expedite mitigation.” Azure engineers said that they are also developing an alternative code update to resolve the connectivity issue between MFA and the cache provider. Pete Banham, cyber resilience expert at Mimecast, told CBR in an email statement, “With less than a month between disruptions, incidents like today’s Azure multi-factor authentication issue pose serious productivity risks for those sticking to a software-as-a-service monoculture.” He further added, “No organization should trust a single cloud supplier without an independent cyber resilience and continuity plan to keep connected and productive during unplanned, and planned, email outages. Every minute of an email outage could cost businesses hundreds and thousands of pounds.” According to the Office 365 status page, "We've observed continued success with recent MFA requests and are taking additional actions in the environment in an effort to prevent new instances of this problem. Our investigation into the root cause of this problem is ongoing and maintained as our highest priority." To know more about this news in detail, head over to Techcrunch.
Melisha Dsouza
13 Nov 2018
2 min read

Cloudflare’s 1.1.1.1 DNS service is now available as a mobile app for iOS and Android

Earlier this year, Cloudflare launched its 1.1.1.1 DNS service as a resolver that anyone could use free of charge to make DNS queries faster and more secure. The day before yesterday, they announced the launch of the 1.1.1.1 mobile app for iOS and Android. DNS services are used by internet service providers to translate a domain name like “Google.com” into an IP address that routers and switches can understand. However, DNS servers provided by ISPs are often slow and unreliable. Cloudflare claims to combat this issue with its 1.1.1.1 service. On a public internet connection, people can see what sites a user visits. This data can also be misused by an internet service provider. The 1.1.1.1 tool makes it easy to get a faster, more private internet experience. Cloudflare’s 1.1.1.1 app will redirect all user apps to send DNS requests through a local resolver on their phone to its faster 1.1.1.1 server. The server will then encrypt the data to prevent any third party from spying on user data.

Features of the Cloudflare 1.1.1.1 mobile app

The app is open source. The app uses VPN support to push mobile traffic towards the 1.1.1.1 DNS servers and improve speed. It prevents a user’s carrier from tracking their browsing history and misusing it. Cloudflare has promised not to track 1.1.1.1 mobile app users or sell ads. The company has retained KPMG to perform an annual audit and publish a public report. It also says most of the limited data collected is only stored for 24 hours. Cloudflare claims that 1.1.1.1 is the fastest public server, about “28 percent faster” than other public DNS resolvers. As compared to the desktop version, the mobile app is really easy to use and navigate. Head over to the Cloudflare Blog to know more about this announcement. You can download the app on iOS or Android to test the app for yourself.
Savia Lobo
17 May 2019
3 min read

Cisco reports critical vulnerabilities in Nexus 9000 data center switches, PI software, and EPN manager

Earlier this month, Cisco announced a critical vulnerability in its Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software. This vulnerability allows an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user. This vulnerability is only exploitable over IPv6; IPv4 is not vulnerable. Cisco has released free software updates that address the vulnerability. This vulnerability (CVE-2019-1804), with a CVSS severity rating of 9.8, is due to a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. There are no workarounds, so Cisco is encouraging users to update to the latest software release. However, the fix is only an interim patch. The company also issued a “high” security warning advisory for the Nexus 9000, with a CVSS severity rating of 10.0. This involves an exploit that allows attackers to execute arbitrary operating-system commands as root on an affected device. In order to succeed, an attacker would need valid administrator credentials for the device, Cisco said. The vulnerability is due to overly broad system-file permissions; an attacker could exploit it by authenticating to an affected device, creating a crafted command string and writing this crafted string to a specific file location.

Critical vulnerabilities in Cisco’s web-based management interface

Multiple critical vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager were revealed yesterday. These vulnerabilities could allow a remote attacker to gain the ability to execute arbitrary code with elevated privileges on the underlying operating system. These vulnerabilities affect Cisco PI Software Releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1. One of these issues, CVE-2019-1821, can be exploited by an unauthenticated attacker who has network access to the affected administrative interface. For the second and third issues (CVE-2019-1822 and CVE-2019-1823), the attacker needs to have valid credentials to authenticate to the impacted administrative interface. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. To know more about these and other vulnerabilities, visit Cisco’s Security Advisories and Alerts page.
Savia Lobo
16 Jul 2019
3 min read

EU's satellite navigation system, Galileo, suffers major outage; nears 100 hours of downtime

Europe’s satellite navigation system, Galileo, has been suffering a major outage since July 11, nearing 100 hours of downtime, due to a “technical incident related to its ground infrastructure”, according to the European GNSS (Global Navigation Satellite System) Agency or GSA. Funded by the EU, the Galileo program went live with initial services in December 2016 after 17 years of development. This program was launched to avoid the EU’s reliance on the US Air Force's Global Positioning System (GPS) for commercial, military and other applications like guiding aircraft, and also on the Russian government's GLONASS. The Galileo satellite network is presently being used by satnavs, financial institutions and more. It provides both free and commercial offerings and is widely used by government agencies and private companies for navigation and search and rescue operations. GSA’s service status page highlights that 24 of the 26 Galileo satellites are listed as "not usable," while the other two are listing the status of "testing". The outage means the satellites may not be able to provide timing or positioning data to smartphones or other devices in Europe that use the system. According to the BBC, affected users will hardly notice the outage as their devices “will be relying instead on the data coming from the American Global Positioning System (GPS). They will also depend on the sat-nav chip they have installed, cell phones and other devices might also be making connections with the Russian (Glonass) and Chinese (Beidou) networks”. On July 11, the GSA released an advisory notifying users that the Galileo satellite signals “may not be available nor meet the minimum performance levels”. They also warned users that these systems “should be employed at users’ own risk”. On Saturday, July 13, another stern warning by the GSA said that Galileo was experiencing a full-service outage and that "signals are not to be used."
On July 14, GSA said the outage affected only the Galileo navigational and satellite-based timing services. However, "the Galileo Search and Rescue (SAR) service -- used for locating and helping people in distress situations for example at sea or mountains -- is unaffected and remains operational." “Experts are working to restore the situation as soon as possible. An Anomaly Review Board has been immediately set up to analyze the exact root cause and to implement recovery actions”, GSA added. “Galileo is still in a roll-out, or pilot phase, meaning it would not yet be expected to lead critical applications”, BBC reports. A GSA spokesperson told BBC News, "People should remember that we are still in the 'initial services' phase; we're not in full operation yet”. However, according to Inside GNSS, a specialist sat-nav site, the problem may be with the Precise Timing Facility (PTF), a ground station in Italy that gives each satellite in the system an accurate time reference. “time has an impact on the whole constellation!”, Inside GNSS adds. According to ZDNet, “The downtime also comes after widespread GPS outages were reported across Israel, Iran, Iraq, and Syria at the end of June. Israeli media blamed the downtime on Russian interference, rather than a technical problem”. https://twitter.com/planet4589/status/1150638285640912897 https://twitter.com/aallan/status/1150427275231420417 https://twitter.com/LeoBodnar/status/1150338536517881856 To know more about this news in detail, head over to Europe GSA’s official blog post.
Savia Lobo
23 Oct 2018
2 min read

FreeRTOS affected by 13 vulnerabilities in its TCP/IP stack

FreeRTOS, a popular real-time operating system kernel for embedded devices, has been found to have 13 vulnerabilities, as reported by Bleeping Computer yesterday. Some of these 13 vulnerabilities allow remote code execution. FreeRTOS supports more than 40 hardware platforms and powers microcontrollers in a diverse range of products including temperature monitors, appliances, sensors, fitness trackers, and any microcontroller-based devices. Although it works at a smaller component scale, it lacks the complexity that comes with more elaborate hardware. However, it allows processing of data as it comes in. A researcher at Zimperium, Ori Karliner, analyzed the operating system and found that all of its varieties are vulnerable to 4 remote code execution bugs, 1 denial of service, 7 information leaks, and another security problem which is as yet undisclosed. Here’s a full list of the vulnerabilities that affect FreeRTOS, with their identifiers:
  • CVE-2018-16522: Remote Code Execution
  • CVE-2018-16525: Remote Code Execution
  • CVE-2018-16526: Remote Code Execution
  • CVE-2018-16528: Remote Code Execution
  • CVE-2018-16523: Denial of Service
  • CVE-2018-16524: Information Leak
  • CVE-2018-16527: Information Leak
  • CVE-2018-16599: Information Leak
  • CVE-2018-16600: Information Leak
  • CVE-2018-16601: Information Leak
  • CVE-2018-16602: Information Leak
  • CVE-2018-16603: Information Leak
  • CVE-2018-16598: Other

FreeRTOS versions affected by the vulnerability

FreeRTOS versions up to V10.0.1, AWS FreeRTOS up to V1.3.1, OpenRTOS and SafeRTOS (with WHIS Connect middleware TCP/IP components) are affected. Amazon has been notified of the situation. In response to this, the company has released patches to mitigate the problems. Per the report, “Amazon decided to become involved in the development of the product for the Internet-of-Things segment. The company extended the kernel by adding libraries to support cloud connectivity, security and over-the-air updates.” According to Bleeping Computer, “Zimperium is not releasing any technical details at the moment. This is to allow smaller vendors to patch the vulnerabilities. The wait time expires in 30 days.” To know more about these vulnerabilities in detail, visit the full coverage by Bleeping Computer.