Tech News - Security

470 Articles
Google’s Protect your Election program: Security policies to defend against state-sponsored phishing attacks, and influence campaigns

Savia Lobo
27 Aug 2018
4 min read
With more and more attacks arriving by email, and with hackers intruding into presidential elections and continuing to influence ongoing campaigns, Google has recently shared its ongoing work to provide protection against:

- state-sponsored phishing attacks;
- a recently reported influence campaign from Iran, for which it has provided technical attribution;
- activity on Google properties, which it detects and terminates.

Because of the advanced techniques hackers use, users are often tricked by an email camouflaged as a legitimate one. As a countermeasure, Google says it has invested in robust systems:

- to detect phishing or hacking attempts on users’ email accounts;
- to identify influence operations launched by foreign governments;
- to protect political campaigns from digital attacks, via Google’s Protect Your Election program.

Google’s Threat Analysis Group is working with its partners at Jigsaw and Google’s Trust & Safety team to identify bad actors and disable their accounts. The group also warns users about these bad actors and shares intelligence with other companies and law enforcement officials.

State-sponsored phishing attacks

Email phishing is the most common and most popular attack. Google has improved its security measures for Gmail users, such as automated protections, account security features (like security keys), specialized warnings, and so on. Through these efforts, Google plans to significantly decrease the volume of phishing emails that reach its users. On 20 August 2018, Google issued a series of notifications to Gmail users who had been targeted by suspicious emails from a wide range of countries. It described the different warnings about government-backed phishing in a blog post and asked users to take immediate action if they encountered the attack or pop-up described.

FireEye detected suspicious Google accounts linked to Iran

Google has also partnered with the cybersecurity firm FireEye, and other top security consultants, who provide it with intelligence. FireEye’s recent help to Facebook in detecting suspicious accounts with links to Russia and Iran is worth mentioning. For the last two months, Google and Jigsaw have worked closely with FireEye on the Iran-linked influence operation that FireEye identified last week. FireEye identified some suspicious Google accounts (three email accounts, three YouTube channels, and three Google+ accounts), which were swiftly disabled.

Google’s security team suspects the malicious actors are linked to IRIB

In addition to FireEye’s intelligence report, Google’s team investigated a broader range of suspicious actors linked to Iran who had engaged in setting up the malicious accounts. Google then informed U.S. lawmakers and law enforcement agencies about the results of its investigation, including its relation to political content in the United States. Google’s technical research team further found evidence that these actors are associated with the IRIB, the Islamic Republic of Iran Broadcasting. Their observations are as follows:

- Technical data associated with these actors is strongly linked to the official IRIB IP address space.
- Domain ownership information about these actors is strongly linked to IRIB account information.
- Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB, indicating common ownership and control.

Detecting and terminating activity on Google properties

All content from the malicious actors that violates Google’s policies is swiftly removed from Google services, and the actors’ accounts are terminated. Google also uses several robust methods, including IP blocking, to prevent individuals or entities in Iran from opening advertising accounts. Google identified and terminated a number of accounts linked to the IRIB organization that disguised their connection to this effort, including while sharing English-language political content in the U.S. These include:

- 39 YouTube channels that had 13,466 total US views on relevant videos;
- 6 blogs on Blogger;
- 13 Google+ accounts.

The state-sponsored phishing attacks and the actors associated with the IRIB are not the only state-sponsored actors at work on the Internet. Google had also disclosed information about actors linked to the Internet Research Agency (IRA) in 2017. It detected and removed 42 YouTube channels, which had 58 English-language political videos (these videos had a total of fewer than 1,800 U.S. views).

Read more about Google’s plan to protect users against phishing attacks on its Safety & Security blog.
Google researchers present Zanzibar, a global authorization system, it scales trillions of access control lists and millions of authorization requests per second

Amrata Joshi
11 Jun 2019
6 min read
Google researchers have presented a paper on Google’s consistent global authorization system, known as Zanzibar. The paper focuses on the design, implementation, and deployment of Zanzibar for storing and evaluating access control lists (ACLs). Zanzibar offers a uniform data model and configuration language for expressing a wide range of access control policies from hundreds of client services at Google, including Cloud, Drive, Calendar, Maps, YouTube and Photos.

Zanzibar’s authorization decisions respect the causal ordering of user actions and thus provide external consistency amid changes to access control lists and object contents. It scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people. It has maintained a 95th-percentile latency of less than 10 milliseconds and availability greater than 99.999% over three years of production use.

Here is the list of authors who contributed to the paper: Ruoming Pang, Ramon Cáceres, Mike Burrows, Zhifeng Chen, Pratik Dave, Nathan Germer, Alexander Golynski, Kevin Graney, Nina Kang, Lea Kissner, Jeffrey L. Korn, Abhishek Parmar, Christopher D. Richards and Mengzhi Wang.

What are the goals of the Zanzibar system?

The researchers set the following goals for the Zanzibar system:

- Correctness: the system must ensure consistency of access control decisions.
- Flexibility: the system should support access control policies for both consumer and enterprise applications.
- Low latency: the system should respond quickly, because authorization checks are usually in the critical path of user interactions. Low latency is especially important for serving search results, which often require tens to hundreds of checks.
- High availability: the system should reliably respond to requests, because in the absence of an explicit authorization, client services would be forced to deny their users access.
- Large scale: the system should protect billions of objects shared by billions of users, and it should be deployed around the globe, close to its clients and their end users.

To achieve these goals, Zanzibar combines several features. For flexibility, it pairs a simple data model with a powerful configuration language that allows clients to define arbitrary relations between users and objects. It employs an array of techniques to achieve low latency and high availability, and for consistency it stores data in normalized form.

Zanzibar replicates ACL data across multiple data centers

Zanzibar operates at global scale: it stores more than two trillion ACLs and performs millions of authorization checks per second. ACL data does not lend itself to geographic partitioning, because authorization checks for an object can come from anywhere in the world. For this reason, Zanzibar replicates all of its ACL data in multiple geographically distributed data centers and distributes the load across thousands of servers around the world.

Zanzibar’s architecture includes a main server type organized in clusters

Image source: Zanzibar: Google’s Consistent, Global Authorization System

The acl servers are the main server type in the system. They are organized in clusters and respond to Check, Read, Expand, and Write requests. When a request arrives at any server in a cluster, that server fans the work out to other servers in the cluster, and those servers may in turn contact further servers to compute intermediate results. The initial server gathers the final result and returns it to the client.

Zanzibar stores ACLs and their metadata in Spanner databases: one database for the relation tuples of each client namespace, one database holding all namespace configurations, and one changelog database shared across all namespaces. The acl servers read and write these databases while responding to client requests.

A specialized server type, the watchservers, responds to Watch requests. These servers tail the changelog and serve namespace changes to clients in real time.

Zanzibar also runs a data processing pipeline that performs a variety of offline functions across all Zanzibar data in Spanner, for example producing dumps of the relation tuples in each namespace at a known snapshot time.

Zanzibar uses an indexing system, known as Leopard, to optimize operations on large and deeply nested sets. Leopard reads periodic snapshots of ACL data and watches for changes between snapshots. It also performs transformations on the data, such as denormalization, and responds to requests from the acl servers.

The researchers conclude that Zanzibar has a simple, flexible data model and configuration language. Its external consistency model allows authorization checks to be evaluated at distributed locations without the need for global synchronization, and it offers low latency, scalability, and high availability.

People are finding the paper very interesting, and the numbers involved are surprising to them. A user commented on Hacker News, “Excellent paper. As someone who has worked with filesystems and ACLs, but never touched Spanner before.” Another user commented, “What's interesting to me here is not the ACL thing, it's how in a way 'straight forward' this all seems to be.” Another comment reads, “I'm surprised by all the numbers they give out: latency, regions, operation counts, even servers. The typical Google paper omits numbers on the Y axis of its most interesting graphs. Or it says "more than a billion", which makes people think "2B", when the actual number might be closer to 10B or even higher.”

https://twitter.com/kissgyorgy/status/1137370866453536769
https://twitter.com/markcartertm/status/1137644862277210113

A few others note that the project wasn’t called Zanzibar initially; it was called ‘Spice’.

https://twitter.com/LeaKissner/status/1136691523104280576

To know more about this system, check out the paper Zanzibar: Google’s Consistent, Global Authorization System.
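To make the data model above concrete, here is an added toy implementation, written for this page and not taken from the paper or from Google, of an in-memory relation-tuple store with the Check and Expand operations it describes. The tuple syntax, the doc and group namespaces, the “computed userset” configuration that folds owner into editor into viewer, and the sample users are all assumptions for illustration; the real system evaluates these through its configuration language over Spanner-backed data, and Expand here stands in for the kind of flattened, denormalized view an index like Leopard precomputes.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Tuple is one relation tuple "<object>#<relation>@<subject>". The subject is
// either a single user ("user:alice") or a userset ("group:eng#member"), so
// group membership can nest to arbitrary depth. (Constructed syntax.)
type Tuple struct {
	Object   string // "<namespace>:<id>", e.g. "doc:readme"
	Relation string // e.g. "viewer"
	Subject  string // "user:alice" or "group:eng#member"
}

// Store stands in for the per-namespace tuple databases plus the namespace
// configuration. config[namespace][relation] lists the other relations on the
// same object whose members are folded into this relation (owner is also
// editor, editor is also viewer).
type Store struct {
	config map[string]map[string][]string
	tuples map[string][]string // "<object>#<relation>" -> subjects
}

func NewStore(config map[string]map[string][]string) *Store {
	return &Store{config: config, tuples: map[string][]string{}}
}

// Write appends a tuple (the real system versions writes through a changelog).
func (s *Store) Write(t Tuple) {
	key := t.Object + "#" + t.Relation
	s.tuples[key] = append(s.tuples[key], t.Subject)
}

// walk visits every user reachable from object#relation, following userset
// subjects and computed usersets, and stops early once visit returns true.
// seen guards against cyclic group membership.
func (s *Store) walk(object, relation string, seen map[string]bool, visit func(string) bool) bool {
	key := object + "#" + relation
	if seen[key] {
		return false
	}
	seen[key] = true
	for _, subj := range s.tuples[key] {
		if i := strings.Index(subj, "#"); i >= 0 { // userset subject: recurse into it
			if s.walk(subj[:i], subj[i+1:], seen, visit) {
				return true
			}
		} else if visit(subj) {
			return true
		}
	}
	ns := strings.SplitN(object, ":", 2)[0]
	for _, implied := range s.config[ns][relation] {
		if s.walk(object, implied, seen, visit) {
			return true
		}
	}
	return false
}

// Check answers "does user hold relation on object?".
func (s *Store) Check(object, relation, user string) bool {
	return s.walk(object, relation, map[string]bool{}, func(u string) bool { return u == user })
}

// Expand returns the fully flattened, sorted set of users holding relation on
// object: the denormalized view that lets deeply nested sets be answered
// without walking them on every Check.
func (s *Store) Expand(object, relation string) []string {
	out := map[string]bool{}
	s.walk(object, relation, map[string]bool{}, func(u string) bool { out[u] = true; return false })
	users := make([]string, 0, len(out))
	for u := range out {
		users = append(users, u)
	}
	sort.Strings(users)
	return users
}

// SampleStore builds a constructed data set: alice owns doc:readme, the eng
// group may view it, and the contractors group is nested inside eng.
func SampleStore() *Store {
	s := NewStore(map[string]map[string][]string{
		"doc": {"viewer": {"editor"}, "editor": {"owner"}},
	})
	s.Write(Tuple{"doc:readme", "owner", "user:alice"})
	s.Write(Tuple{"doc:readme", "viewer", "group:eng#member"})
	s.Write(Tuple{"group:eng", "member", "user:bob"})
	s.Write(Tuple{"group:eng", "member", "group:contractors#member"})
	s.Write(Tuple{"group:contractors", "member", "user:carol"})
	return s
}

func main() {
	s := SampleStore()
	fmt.Println(s.Check("doc:readme", "viewer", "user:alice")) // true, via owner -> editor -> viewer
	fmt.Println(s.Check("doc:readme", "editor", "user:bob"))   // false: eng members only view
	fmt.Println(s.Expand("doc:readme", "viewer"))              // [user:alice user:bob user:carol]
}
```

The `seen` set is what keeps a Check bounded when group memberships form a cycle, which a production store must tolerate since clients write arbitrary relations.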
Microsoft urgently releases Out-of-Band patch for an active Internet Explorer remote code execution zero-day vulnerability

Melisha Dsouza
20 Dec 2018
3 min read
Yesterday, Microsoft released an out-of-band patch for a vulnerability in Internet Explorer that attackers are actively exploiting on the Internet. The IE zero-day can allow an attacker to execute malicious code on a user's computer. The vulnerability has been assigned the ID CVE-2018-8653, and the security update is released as KB4483187, titled "Cumulative security update for Internet Explorer: December 19, 2018". It is available for Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 SP1; Internet Explorer 10 on Windows Server 2012; and Internet Explorer 9 on Windows Server 2008.

Microsoft has acknowledged Clement Lecigne of Google’s Threat Analysis Group for reporting the exploitation of this Internet Explorer vulnerability. Apart from the security advisory released yesterday, neither Microsoft nor Google has shared any details about the attacks involving the flaw.

Vulnerability details

According to Microsoft's security advisory, the remote code execution vulnerability was found in IE’s memory handling in Jscript.dll. An attacker could corrupt IE’s memory to gain code execution on the affected system: the attacker could convince a user to visit a malicious website, which then exploits the vulnerability and executes code on the user’s local machine. After exploiting the vulnerability, the attackers would be able to run commands on the victim's system, such as downloading further malware or scripts, or executing any command that the currently logged-in user has access to. The issue can also be exploited through applications that embed the IE scripting engine to render web-based content, such as the apps of the Office suite. According to Microsoft, the attacker gains code execution with the same privileges the victim has. If the victim is using an account with limited access, the damage can be contained to simple operations; if the user has administrator rights, however, the attacker can increase the scope of the damage done.

Mitigations and workarounds

According to ZDNet, in the previous four months Microsoft has patched four other zero-days, all of which allow an "elevation of privilege". This means that if a victim has missed any of the previous four Windows Patch Tuesday patches, an attacker can chain the IE zero-day with one of the previous zero-days (CVE-2018-8611, CVE-2018-8589, CVE-2018-8453, CVE-2018-8440) to gain SYSTEM-level access and take over a targeted computer.

Microsoft has assured customers who have Windows Update enabled and have applied the latest security updates that they are automatically protected against exploits. It has advised users to install the update as soon as possible, even if they don't normally use IE to browse sites. Those who want to mitigate the vulnerability until the update is installed can do so by removing the Everyone group's permissions on the jscript.dll file. According to Microsoft, this mitigation will not cause problems with Internet Explorer 11, 10, or 9, as they use Jscript9.dll by default. There are no workarounds listed on the security advisory for this vulnerability.

Read the full security advisory on Microsoft’s blog.
Microsoft fixes 62 security flaws on Patch Tuesday and re-releases Windows 10 version 1809 and Windows Server 2019

Savia Lobo
14 Nov 2018
3 min read
Yesterday, on Microsoft's Patch Tuesday, the company released its monthly security patches, which fixed 62 security flaws. These included a fix for a zero-day vulnerability that was under active exploitation before the patches were made available. Microsoft also announced the re-release of Windows 10 version 1809 and Windows Server 2019.

Zero-day vulnerability CVE-2018-8589

Microsoft credited Kaspersky Lab researchers for discovering this zero-day, tracked as CVE-2018-8589, which affects the Windows Win32k component. A Kaspersky spokesperson told ZDNet, “they discovered the zero-day being exploited by multiple cyber-espionage groups (APTs).” The zero-day had been used to elevate privileges on 32-bit Windows 7 versions. This is the second Windows elevation-of-privilege zero-day discovered by Kaspersky researchers and patched by Microsoft: last month, Microsoft patched CVE-2018-8453, another zero-day that had been used by a state-backed cyber-espionage group known as FruityArmor.

However, in this month’s Patch Tuesday, Microsoft has not patched a zero-day affecting the Windows Data Sharing Service (dssvc.dll). This zero-day was disclosed on Twitter at the end of October. According to ZDNet, “Microsoft has published this month a security advisory to instruct users on how to properly configure BitLocker when used together with solid-state drives (SSDs).”

Re-release of Windows 10 version 1809 and Windows Server 2019

As reported by Microsoft, the Windows 10 October 2018 update caused users’ data loss after updating, and the company decided to pause the update. Yesterday, however, Microsoft announced that it is re-releasing Windows 10 version 1809. John Cable, director of Program Management for Windows Servicing and Delivery at Microsoft, said, “the data-destroying bug that triggered that unprecedented decision, as well as other quality issues that emerged during the unscheduled hiatus, have been thoroughly investigated and resolved."

Microsoft also announced the re-release of Windows Server 2019, which was affected by the same issue. According to ZDNet, “The first step in the re-release is to restore the installation files to its Windows 10 Download page so that "seekers" (the Microsoft term for advanced users who go out of their way to install a new Windows version) can use the ISO files to upgrade PCs running older Windows 10 versions.”

Michael Fortin, Windows Corporate Vice President, offered some context on the recent issues in a blog post and announced changes to the way the company approaches communications and transparency around its process. Per Fortin, "We obsess over these metrics as we strive to improve product quality, comparing current quality levels across a variety of metrics to historical trends and digging into any anomaly."

To know more about this in detail, visit Microsoft’s official blog post.
Tink 1.2.0: Google’s new multi-language, cross platform, cryptographic library to secure data

Natasha Mathur
31 Aug 2018
2 min read
Google yesterday announced the release of a new version of its multi-language, cross-platform cryptographic library, Tink 1.2.0, for securing data. Earlier versions of Tink are already used by Google to secure data in products such as AdMob, Google Pay, Google Assistant, Firebase and the Android Search App.

Tink 1.2.0 is built on top of libraries such as BoringSSL and the Java Cryptography Architecture. It comprises cryptographic APIs that are secure, easy to use, and hard to misuse. With Tink 1.2.0, cryptographic operations such as data encryption and digital signatures take only a few lines of code.

Tink focuses on eliminating as many misuses as possible. For instance, if an encryption mode needs nonces and reusing a nonce would weaken it, Tink does not let the user pass nonces at all. Tink 1.2.0 also states security properties (e.g., safe against chosen-ciphertext attacks) directly in its interfaces. This lets security auditors and automated tools quickly discover usages where the security guarantees don’t match the security requirements. It provides support for key management, including key rotation and phasing out of deprecated ciphers.

Tink 1.2.0 is also customizable: it is easy to add a custom cryptographic scheme or an in-house key management system that works seamlessly with the other parts of Tink. All parts of Tink are removable and composable, so the components in Tink 1.2.0 can be selected and assembled in various combinations. For example, if only digital signatures are needed, the symmetric-key encryption components can be excluded to reduce the code size of your application.

For more information, check out the official Google blog.
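As an added illustration of the two API-design points above, written for this page and not Tink’s own code, here is a Go sketch of an AEAD interface that names its security property and never takes a nonce from the caller, together with a small keyset that prepends a key ID to each ciphertext so keys can be rotated and then retired. The interface and type names, the 4-byte key-ID layout and the all-zero demo key are assumptions for illustration and are not Tink’s real wire format or API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// AEAD names the guarantee the caller gets (authenticated encryption: a
// modified ciphertext or associated data fails to decrypt) and deliberately
// has no nonce parameter, so a nonce cannot be reused by mistake.
type AEAD interface {
	Encrypt(plaintext, associatedData []byte) ([]byte, error)
	Decrypt(ciphertext, associatedData []byte) ([]byte, error)
}

// aesGCM wraps the standard-library primitive, whose Seal takes a caller-chosen
// nonce; that caller-chosen nonce is exactly what the wrapper hides.
type aesGCM struct{ aead cipher.AEAD }

// NewAESGCM builds the wrapper; aes.NewCipher rejects bad key lengths itself.
func NewAESGCM(key []byte) (AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &aesGCM{aead: gcm}, nil
}

// Encrypt draws a fresh random nonce per call and prepends it to the output.
func (a *aesGCM) Encrypt(plaintext, associatedData []byte) ([]byte, error) {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.aead.Seal(nonce, nonce, plaintext, associatedData), nil
}

// Decrypt splits off the nonce and fails closed on truncation or a bad tag.
func (a *aesGCM) Decrypt(ciphertext, associatedData []byte) ([]byte, error) {
	n := a.aead.NonceSize()
	if len(ciphertext) < n+a.aead.Overhead() {
		return nil, errors.New("aesgcm: ciphertext too short")
	}
	return a.aead.Open(nil, ciphertext[:n], ciphertext[n:], associatedData)
}

// Keyset encrypts with the primary key and tags each ciphertext with a 4-byte
// key ID (constructed layout) so older keys keep decrypting during rotation
// until they are retired.
type Keyset struct {
	keys    map[uint32]AEAD
	primary uint32
}

func NewKeyset() *Keyset { return &Keyset{keys: map[uint32]AEAD{}} }

// Add registers key material under id and makes it the primary key.
func (k *Keyset) Add(id uint32, key []byte) error {
	a, err := NewAESGCM(key)
	if err != nil {
		return err
	}
	k.keys[id] = a
	k.primary = id
	return nil
}

// Retire phases a key out; anything still encrypted under it can no longer be read.
func (k *Keyset) Retire(id uint32) { delete(k.keys, id) }

func (k *Keyset) Encrypt(plaintext, associatedData []byte) ([]byte, error) {
	a, ok := k.keys[k.primary]
	if !ok {
		return nil, errors.New("keyset: no primary key")
	}
	ct, err := a.Encrypt(plaintext, associatedData)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(ct))
	binary.BigEndian.PutUint32(out, k.primary)
	return append(out, ct...), nil
}

func (k *Keyset) Decrypt(ciphertext, associatedData []byte) ([]byte, error) {
	if len(ciphertext) < 4 {
		return nil, errors.New("keyset: missing key id")
	}
	a, ok := k.keys[binary.BigEndian.Uint32(ciphertext[:4])]
	if !ok {
		return nil, errors.New("keyset: unknown or retired key")
	}
	return a.Decrypt(ciphertext[4:], associatedData)
}

func main() {
	ks := NewKeyset()
	_ = ks.Add(1, make([]byte, 32)) // constructed all-zero demo key; never use one in practice
	ct, _ := ks.Encrypt([]byte("hello"), []byte("ctx"))
	pt, err := ks.Decrypt(ct, []byte("ctx"))
	fmt.Printf("%q %v\n", pt, err)
}
```

Because the interface carries no nonce, an auditor scanning call sites only has to confirm that callers use `AEAD` rather than the raw GCM primitive; the rotation story is visible in the same way, since a ciphertext that names a retired key ID is refused rather than silently decrypted with whatever key is current.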
YouTube’s CBO speaks out against Article 13 of EU’s controversial copyright law

Natasha Mathur
07 Sep 2018
3 min read
Robert Kyncl, YouTube's Chief Business Officer, spoke out on YouTube’s Creator Blog on Tuesday about “Article 13” of the EU proposal, which is up for a vote in the European Parliament on September 12. Article 13 imposes an “obligation on information society service providers storing and giving access to large amounts of works and other subject-matter uploaded by their users to take appropriate and proportionate measures to ensure the functioning of agreements concluded with right holders and to prevent the availability on their services of content identified by rightholders in cooperation with the service providers”. In a nutshell, any user-generated content on these online platforms that a copyright enforcement algorithm considers to be copyrighted work would need to be censored by the platforms.

This is a revamped version that the EU has come out with after the older version was rejected by the Parliament back in July. The older version also received heavy criticism from policy experts and digital rights groups on the grounds that it violated the fundamental rights of internet users.

“The ‘Article 13’ potentially undermine this creative economy, discouraging or even prohibiting platforms from hosting user-generated content. This outcome would not only stifle your creative freedom, it could have severe, negative consequences for the fans, the communities and the revenue you have all worked so hard to create,” said Kyncl. Kyncl also pointed out how creators and artists on these platforms have built businesses “on the back” of this “openness”.

YouTube has a strong set of copyright management tools, such as Content ID and the Copyright Match Tool, which are efficient at managing re-uploads of creators’ content. “Copyright holders have control over their content: they can use our tools to block or remove their works, or they can keep them on YouTube and earn advertising revenue. In over 90% of cases, they choose to leave the content up. Enabling this new form of creativity and engagement with fans can lead to mass global promotion and even more revenue for the artist,” reads the YouTube blog post.

A good example given by Kyncl is that of the pop singer Dua Lipa, whose singing career started with covers of other artists’ songs. Alan Walker’s worldwide hit “Fade” was also heavily used by other users in the YouTube community, as well as in video games, which resulted in a massive fanbase for him.

YouTube is not the only one disapproving of the new proposal. Other organizations, such as European Digital Rights, the Internet Archive, Patreon, WordPress, and Medium, have all voiced their disapproval of the EU copyright policy. “This is the new creative economy in action. The Copyright Directive won’t just affect creators and artists on YouTube. It will also apply to many forms of user-generated content across the Internet,” writes Kyncl.

For more information, check out the official YouTube blog post.
Apple showcases privacy innovations at WWDC 2019: Sign in with Apple, AdGuard Pro, new App Store guidelines and more

Amrata Joshi
04 Jun 2019
8 min read
Apple is getting pretty serious about user privacy. Last month, Apple proposed a “privacy-focused” ad click attribution model to count conversions without tracking users. And just yesterday, Apple announced a host of security and privacy-related features at its ongoing Worldwide Developers Conference (WWDC) 2019.

Users seem excited about the company’s moves towards privacy and security, while some still seem a little confused and are looking forward to exploring the major announcements. Experts are indirectly suggesting that these major steps by Apple might turn out to be really powerful and might make other tech companies consider their next moves in the same direction.

https://twitter.com/ow/status/1135603153712422913
https://twitter.com/jmj/status/1135615177766739973

Sign In with Apple

With iOS 13, Apple is introducing a new way to quickly sign in to apps and websites: Sign In with Apple. Users can simply use their Apple ID for authentication instead of using a social account, verifying email addresses, and so on. Apple protects users’ privacy by providing developers with a unique random ID. Users also have the option to keep their email address private and share a unique random email address instead. Sign In comes with built-in two-factor authentication for an added layer of security. The company does not use Sign In with Apple to profile users or their activity in apps. Users can create a new account in an app with just one click, without revealing any new personal information.

Twitter users are quite happy with Apple’s Sign In feature.

https://twitter.com/sandofsky/status/1135673287659347968
https://twitter.com/tomwarren/status/1135602700710793217
https://twitter.com/izzydoesizzy/status/1135829977050615808

Apple can now stop third-party sites and services from getting users’ information when they sign up to an app. Apple’s software engineering chief Craig Federighi said at the company’s annual developer conference, “Next I want to turn to login to get a more personalized effect with an app, we all have seen buttons like this, asking us to use a social account login. Now this can be convenient, but it also can come at the cost of your privacy — your personal information sometimes gets shared behind the scenes and these logins can be used to track you. We wanted to solve this and many developers do too. Now we have a solution, it’s called Sign in with Apple.”

One-time location sharing

Apple will soon let users grant an app access to their iPhone’s location just once, as the company is rolling out a one-time location option. “For the first time, you can share your location to an app just once and then require it to ask you again next time it wants,” said Apple software engineering chief Craig Federighi at its annual developer conference on Monday. He also highlighted that a lot of apps try to bypass the location sharing restrictions by simply scanning WiFi and Bluetooth signals in the area, which can reveal the user’s location. He added, “We’re shutting the door on that abuse as well.”

https://twitter.com/ittechbuz/status/1135887736227934211

Apple updates its App Store guidelines

Apple has also updated its App Store guidelines to enforce privacy and security for new and existing apps. Here are a few highlights from the updated guidelines.

Keeping kids’ data private

Apple has taken a step towards keeping kids’ data private. Apps in the Kids category and apps for kids can’t include any third-party advertising or analytics software and cannot transmit data to third parties. This guideline is enforced for new apps, and existing apps must follow it by September 3, 2019.

https://twitter.com/icastanheda/status/1135672922608087040

HTML5 games may not provide access to digital commerce

The company has made a major move by stating in its guidelines that HTML5 games distributed in apps may not provide access to lotteries, real-money gaming, or charitable donations, and may not support digital commerce. This functionality is appropriate only for code that’s embedded in the binary and that can be reviewed by Apple. This guideline is also enforced for new apps, and existing apps must follow it by 3 September 2019.

VPN apps cannot provide access to sensitive data to third parties

Since a VPN provides access to sensitive data, VPN apps may not sell, use, or disclose any data to third parties for any purpose, and must commit to this in their privacy policy. Apps for parental control, content blocking and security from approved providers can use the NEVPNManager API. This new guideline may possibly bring the popular ad blocker AdGuard Pro back to iOS. It was discontinued last year because of the App Store policy, which said, “Guideline 2.5.1 – Performance – Software Requirements. Your app uses a VPN profile or root certificate to block ads or other content in a third-party app, which is not allowed on the App Store.” The new updates announced in the App Store Review Guidelines at WWDC may make AdGuard Pro compliant.

https://twitter.com/AdGuard/status/1135660616679645185
https://twitter.com/pveugen/status/1135743658148356096

MDM apps can’t sell, use or disclose data to third parties

MDM (Mobile Device Management) provides access to sensitive data, so according to this guideline, MDM apps must request the mobile device management capability. They may only be offered by commercial enterprises, such as business organizations or government agencies, and, in some cases, companies using MDM for parental controls. MDM apps may not sell, use, or disclose any data to third parties for any purpose, and must commit to this in their privacy policy.

Health data can’t be shared with third parties

Apps may use a user’s health data to provide a benefit directly to that user, but the data is not to be shared with a third party. The developer must also disclose to the user the specific health data collected from the device.

Information gathered without the user’s consent won’t be allowed on the App Store

Apps that compile information from any source that does not come directly from the user, or without the user’s explicit consent, even public databases, are not permitted on the App Store.

Apps need consent for data collection

Apps must get consent for data collection, even if that data is considered anonymous at the time of collection or immediately afterwards. Many are confused about this latest update, as they have concerns about using the Wikipedia API.

https://twitter.com/jcampbell_05/status/1135679675026628608

As developers speculate about the changes in the guidelines, many are still wondering how the changes would affect them and are looking forward to some clarity.

Health apps

Apple has also introduced a few health apps that could be useful for users. The highlights from this section:

Noise app

Apple introduced the Noise app for Apple watchOS 6, which detects loud environments and notifies users when it thinks they are at risk of hearing damage. The app uses the watch’s built-in microphone to measure decibel levels at concerts, theaters, construction zones, parades, and other loud situations that usually aren’t good for the ears. To achieve this, the app needs to listen to the user’s surroundings, and such apps usually worry people because they look like ‘always-listening technology’. Dr. Sumbul Desai, Apple’s VP of Health, clarified, “It only periodically samples and does not record or save any audio.” According to the company, none of the audio or sounds in the environment are saved or sent to Apple.

Menstrual cycle tracking feature

Apple also unveiled a menstrual cycle tracking feature, called Cycle Tracking, at the conference. Women can easily log their symptoms and receive notifications when their periods are about to begin. They can also receive a fertility window prediction. This feature is also available in the Health app on iPhone with iOS 13. Apple Vice President of Health Sumbul Desai said, “We are so excited to bring more focus to this incredibly important aspect of women’s health.” But users are concerned about the company collecting fertility data.

https://twitter.com/Vince34359049/status/1135677667859034112

Others think this feature is not new, and that users have already used such applications to track their cycles.

https://twitter.com/DrShark/status/1135773575154216960

Apple has taken steps towards strengthening security and maintaining privacy by introducing new features and apps and updating the guidelines, but only time will tell how effective they turn out to be.

Bhagyashree R
08 Aug 2019
4 min read

Interstellar is developing Slingshot, a new Rust based blockchain architecture to support zero-knowledge smart contracts, and more

In September 2018, LightYear acquired Chain to form a combined company called Interstellar. The company is working on a new blockchain architecture with a focus on privacy, security, and safety, named Slingshot.

https://twitter.com/go_interstellar/status/1039164551139287040

The Slingshot project encapsulates the following sub-protocols and components:

Zero-knowledge Virtual Machine (ZkVM)

The authors of TxVM, a virtual machine for blockchain transactions, have come up with ZkVM.

https://twitter.com/oleganza/status/1126612382728372224

It is a blockchain transaction format with cloaked assets and zero-knowledge smart contracts. Its goal is to make transactions customizable, confidential, highly efficient, and simple. It allows custom contracts via programmable constraints over encrypted data and assets. Slingshot also has an API called Token for issuing assets using ZkVM. ZkVM ensures confidentiality by fully encrypting the quantities and types of assets. It also ensures that the asset flow is hidden at the transaction level, allowing individuals and organizations to safely perform their transactions directly on the shared ledger. Its data model is compact, taking up only a few kilobytes. Transactions can be verified in parallel in 1-2 ms per CPU core, and nodes can be bootstrapped instantly from a network-verified snapshot.

Spacesuit, a Rust implementation of the Cloak protocol

Slingshot’s Spacesuit is the implementation of the Cloak protocol in Rust. Cloak is a protocol for confidential assets based on the Bulletproofs zero-knowledge circuit proof system. With cloaked transactions, you can exchange values that have different asset types.

Musig, a signature scheme for signing messages

Slingshot’s Musig is the Rust implementation of Simple Schnorr Multi-Signatures. It is a signature scheme for signing single or multiple messages. A single message can be signed with one public key; this public key can be created from the private key of a single party or by aggregating multiple public keys. Multiple messages can be signed with multiple public keys.

Keytree, a key blinding scheme for deriving hierarchies of public keys

Keytree is a ‘key blinding scheme’ with which you can derive hierarchies of public keys for Ristretto-based signatures. It can derive a set of public keys from only one key, without using any private keys. This enables a system to generate unique receiving addresses without knowing any details about the private key. For instance, an online merchant can generate invoices with unique keys while keeping only public keys on the server, without compromising the security of the private keys.

Slidechain, a demonstration of a minimal Stellar sidechain

Slingshot includes Slidechain, which allows you to peg funds from the Stellar testnet. You can then import them to a sidechain and move them back to Stellar if needed. A sidechain is generally used for operations that aren’t possible or permitted on the originating network. The sidechain in Slidechain is based on TxVM, allowing safe, general-purpose smart contracts and token issuance. The pegged funds remain immobilized on the originating network while the imported funds exist on the sidechain.

On a Reddit thread, a user explained, “Looks more like an entire network upgrade to me. An overhaul that offers privacy, more scalability, and sidechains. It would be odd to offer a sidechain that operates as a better version of stellar.”

Another user added, “Ever since Chain was acquired, there has been little information about what Interstellar is building for Stellar. Chain offered a blockchain service called Sequence. Sequence allowed you to easily set up a ledger/blockchain and integrate it with your application/business. I believe this repo details an enhanced version of Chain with Stellar integration. Businesses can create their own private network while having full access to the Stellar network to transact with other chain networks. This would function as a second layer solution on top of Stellar. Other networks such as OMG and Cosmos function similarly to this iirc.”

To know more about Slingshot, check out its GitHub repository.

Related articles:
Blast through the Blockchain hype with Packt and Humble Bundle
Installing a blockchain network using Hyperledger Fabric and Composer [Tutorial]
Google expands its Blockchain search tools, adds six new cryptocurrencies in BigQuery Public Datasets

Prasad Ramesh
15 Nov 2018
3 min read

DeepMasterPrints: ‘master key’ fingerprints made by a neural network can now fake fingerprints

New York University researchers have found a way to generate artificial fingerprints that can be used as fake fingerprints, using a neural network. They presented their work in a paper titled DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution.

The vulnerability in fingerprint sensors

Fingerprint recognition systems are vulnerable to dictionary attacks based on MasterPrints. MasterPrints are like master keys that can match a large number of fingerprints. Such work was done previously at the feature level, but the new work, dubbed DeepMasterPrints, has much higher attack accuracy and can generate complete images. The method demonstrated in the paper, Latent Variable Evolution, is based on training a Generative Adversarial Network (GAN) on a set of real fingerprint images. A stochastic search is then used to find latent input variables to the generator network that increase the rate of impostor matches accepted by a fingerprint recognizer.

Small fingerprint sensors pose a risk

Aditi Roy, one of the authors of the paper, exploited an observation: smartphones have small areas for fingerprint recording and recognition, so the whole fingerprint is not recorded at once; fingerprints are partially recorded and authenticated. Also, some features among fingerprints are more common than others. She then demonstrated that MasterPrints can be obtained from real fingerprint images or be synthesized. With this exploit, 23% of the subjects in the dataset used could be spoofed at a 0.1% false match rate. The generated DeepMasterPrints were able to spoof 77% of the subjects at a 1% false match rate. This shows the danger of using small fingerprint sensors.

For a DeepMasterPrint, a synthetic fingerprint image needs to be created that can fool a fingerprint matcher. The condition is that the matcher must match that image to many different identities, in addition to recognizing the image as a fingerprint. The paper presents a method for creating DeepMasterPrints using a neural network that learns to generate fingerprint images. A Covariance Matrix Adaptation Evolution Strategy (CMA-ES) is used to search the input space of the trained neural network, and the best fingerprint image is then selected.

Conclusion

Partial fingerprint images can be generated that can be used to launch dictionary attacks against a fingerprint verification system. A GAN is trained on a dataset of fingerprints, then LVE searches the latent variables of the generator network for a fingerprint image that maximizes the chance of a match. The attack is only effective against a large number of different identities, meaning attacks against a specific individual are not so likely. The use of both inked images and sensor images shows that the system is robust and independent of artifacts and datasets.

For more details, read the research paper.

Related articles:
Tesla v9 to incorporate neural networks for autopilot
Alphabet’s Waymo to launch the world’s first commercial self driving cars next month
UK researchers have developed a new PyTorch framework for preserving privacy in deep learning

Savia Lobo
13 Jun 2019
3 min read

Google researcher reveals an unpatched bug in Windows’ cryptographic library that can quickly “take down a windows fleet”

Tavis Ormandy, a vulnerability researcher at Google, uncovered a security issue in SymCrypt, the core cryptographic library for Windows, which the Microsoft team is still trying to fix. Ormandy says that if the vulnerability is exploited in a denial of service (DoS) attack, it could “take down an entire Windows fleet relatively easily”. Ormandy said that Microsoft had “committed to fixing it in 90 days”. This was in line with Google’s 90-day deadline for fixing or publicly disclosing bugs that its researchers find.

https://twitter.com/taviso/status/1138469651799728128

On March 13, 2019, Ormandy informed Microsoft of this vulnerability and also posted the issue on Google’s Project Zero site. On March 26, Microsoft replied saying that it would issue a security bulletin and fix for this in the June 11 Patch Tuesday run. On June 11, Ormandy said that the Microsoft Security Response Center (MSRC) had “reached out and noted that the patch won't ship today and wouldn't be ready until the July release due to issues found in testing”.

“There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric”, the bug report mentions. “I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock”, Ormandy further added.

“The disclosure a day after the deadline lapsed drew mixed reactions on social media, with some criticizing Ormandy for the move; and were met with short shrift”, CBR Online states.

https://twitter.com/taviso/status/1138493191793963008

Davey Winder from Forbes approached The Beer Farmers, a group of information security professionals, on this issue. John Opdenakker, an ethical hacker from the group, said, "in general if you privately disclose a vulnerability to a company and the company agrees to fix it within a reasonable period of time I think it's fair to publicly disclose it if they then don't fix it on time." Another Beer Farmer professional, Sean Wright, points out that this is a denial of service vulnerability and there are many other ways to achieve this, which makes it a low severity issue. Wright said to Forbes, "Personally I think it's a bit harsh, every fix is different and they should allow for some flexibility in their deadline."

A Microsoft spokesperson said in a statement to Forbes, “Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher's deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule. We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”

To know more about this news in detail, head over to Google’s Project Zero website.

Related articles:
All Docker versions are now vulnerable to a symlink race attack
Microsoft quietly deleted 10 million faces from MS Celeb, the world’s largest facial recognition database
Microsoft releases security updates: a “wormable” threat similar to WannaCry ransomware discovered
Natasha Mathur
02 Nov 2018
5 min read

Zimperium zLabs discloses a new critical vulnerability in multiple high-privileged Android services to Google

Tamir Zahavi-Brunner, Security Researcher at Zimperium zLabs, posted the technical details of a vulnerability affecting multiple high-privileged Android services, and its exploit, earlier this week. Brunner had disclosed the vulnerability to Google, which designated it CVE-2018-9411.

As per Brunner, Google claims that Project Treble (introduced as part of Android 8.0 Oreo; it makes updates faster and easier for OEMs to roll out to devices) benefits Android security. However, the vulnerability disclosed by Brunner shows that elements of Project Treble can also hamper Android security. “This vulnerability is in a library introduced specifically as part of Project Treble and does not exist in a previous library which does pretty much the same thing. This time, the vulnerability is in a commonly used library, so it affects many high-privileged services”, says Brunner.

One of the massive changes that came with Project Treble is the split of many system services. Previously, these system services contained both AOSP (Android Open Source Project) and vendor code. After Project Treble, each of these services was split into one AOSP service and one or more vendor services called HAL services. This means that data which used to be passed within the same process between AOSP and vendor code now has to pass through IPC (inter-process communication, which enables communication between different Android components) between the AOSP and HAL services. Most IPC in Android goes through Binder (a remote procedure call mechanism between client and server processes), so Google decided that the new IPC should do so as well, but with some modifications. Google introduced HIDL, a whole new format for the data passed through Binder IPC, which makes use of shared memory to maintain simplicity and good performance. HIDL is supported by a new set of libraries and is dedicated to the new Binder domain for IPC between AOSP and HAL services.

HIDL comes with its own new implementation of many types of objects. An important object for sharing memory in HIDL is hidl_memory.

Technical details of the vulnerability

A hidl_memory comprises the members mHandle (a HIDL object which holds file descriptors), mSize (the size of the memory to be shared), and mName (which represents the type of memory). These structures are transferred through Binder in HIDL, where complex objects (like hidl_handle or hidl_string) have their own custom code for writing and reading the data. Transferring the structure between 64-bit processes causes no issues; however, in a 32-bit process the 64-bit size gets truncated to 32 bits, so only the lower 32 bits are used. So if a 32-bit process receives a hidl_memory whose size is bigger than UINT32_MAX (0xFFFFFFFF), the memory region actually mapped will be much smaller. “For instance, for a hidl_memory with a size of 0x100001000, the size of the memory region will only be 0x1000. In this scenario, if the 32-bit process performs bounds checks based on the hidl_memory size, they will hopelessly fail, as they will falsely indicate that the memory region spans over more than the entire memory space. This is the vulnerability!” writes Brunner.

Once the vulnerability is understood, the next step is to find a target for it: an eligible HAL service such as android.hardware.cas, or MediaCasService. MediaCasService allows apps to decrypt encrypted data.

Exploiting the vulnerability

To exploit the vulnerability, two other problems need to be solved: finding the address of the shared memory and of other interesting data, and making sure that the shared memory gets mapped at the same location each time. The second problem is solved by looking at the memory maps of the linker in the service’s memory space. To solve the first, the data in the linker_alloc straight after the gap is analyzed, and shared memory is mapped before a blocked thread stack, which makes it easy to reach the memory relatively through the vulnerability. Hence, instead of getting only one thread into that blocked state, multiple (5) threads are generated, which in turn causes more threads to be created and more thread stacks to be allocated. Once this shared memory gets mapped before the blocked thread stack, the vulnerability is used to read two things from the thread stack: the thread stack address, and the address where libc is mapped, in order to build a ROP chain.

The last step is executing this ROP chain. However, Brunner states that the SELinux limitations on this process prevent turning the ROP chain into full arbitrary code execution: “There is no execmem permission, so anonymous memory cannot be mapped as executable, and we have no control over file types which can be mapped as executable”. As the main objective is to obtain the QSEOS version, the ROP chain is used to do just that, while making sure the thread does not crash immediately after running it. This leaves the process in a somewhat unstable state, so to leave everything clean, the service is crashed through the vulnerability (by writing to an unmapped address) so that it restarts.

For complete information, read the official Zimperium blog post.

Related articles:
FreeRTOS affected by 13 vulnerabilities in its TCP/IP stack
A kernel vulnerability in Apple devices gives access to remote code execution
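The size-truncation pattern at the heart of this bug is easy to reproduce in a few lines, and easy to get wrong in code review. The following is an added, constructed example for this page; it is not HIDL's hidl_memory, not Zimperium's code, and not the libhidl fix. It models a descriptor whose size is transported as 64 bits but mapped by a process that can only represent 32-bit sizes (simulated with an explicit uint32_t so it runs on any host), and contrasts the vulnerable bounds check, which trusts the advertised size, with a hardened one that rejects untruncatable sizes and checks against the size that was actually mapped:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the size-truncation pattern described above.
 * Illustrative code written for this page: not the HIDL hidl_memory type,
 * not Zimperium's code, and not the libhidl fix.
 *
 * A shared-memory descriptor carries a 64-bit size (as hidl_memory's mSize
 * is transported over Binder), but a 32-bit process can only map a region
 * whose size fits in 32 bits: the high bits are silently lost.
 */
struct shm_desc {
    uint64_t size;   /* size as received from the remote process (64-bit) */
};

/* Size the 32-bit process actually maps: only the low 32 bits survive.
 * Modelled with an explicit uint32_t so the example runs on a 64-bit host. */
uint32_t mapped_size_32(const struct shm_desc *d)
{
    return (uint32_t)d->size;
}

/* Vulnerable pattern: the bounds check trusts the advertised 64-bit size,
 * which can be far larger than the region that was really mapped. */
bool bounds_ok_vulnerable(const struct shm_desc *d, uint64_t off, uint64_t len)
{
    return off + len <= d->size;          /* also wraps when off + len overflows */
}

/* Hardened pattern: reject descriptors that cannot be mapped in full by
 * this process, then check against the size that was actually mapped,
 * using subtraction so the arithmetic cannot overflow. */
bool bounds_ok_hardened(const struct shm_desc *d, uint64_t off, uint64_t len)
{
    if (d->size > UINT32_MAX)              /* would be truncated on mapping */
        return false;
    uint32_t mapped = mapped_size_32(d);   /* equals d->size from here on */
    if (off > mapped)
        return false;
    return len <= mapped - off;            /* no overflow possible */
}

/* Walks the article's example: a descriptor advertising 0x100001000 bytes
 * maps only 0x1000 bytes in a 32-bit process. Returns true when the
 * vulnerable check accepts an access that lies outside the mapped region
 * while the hardened check rejects it. */
bool demo_truncation(void)
{
    struct shm_desc d = { .size = 0x100001000ULL };
    uint64_t off = 0x2000, len = 0x10;     /* beyond the 0x1000 bytes mapped */
    bool vuln = bounds_ok_vulnerable(&d, off, len);
    bool hard = bounds_ok_hardened(&d, off, len);
    printf("mapped=0x%x vulnerable=%d hardened=%d\n",
           mapped_size_32(&d), vuln, hard);
    return vuln && !hard;
}

int main(void)
{
    return demo_truncation() ? 0 : 1;
}
```

The hardened check fails closed in both directions that matter here: a size the process cannot represent is refused outright rather than silently truncated, and `len <= mapped - off` cannot wrap, unlike `off + len <= size`, which accepts an offset near the top of the address space.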

Bhagyashree R
19 Jun 2019
2 min read

Mozilla releases Firefox 67.0.3 and Firefox ESR 60.7.1 to fix a zero-day vulnerability, being abused in the wild

Yesterday, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 to fix an actively exploited vulnerability that can enable attackers to remotely execute arbitrary code on devices running vulnerable versions. So, if you are a Firefox user, it is recommended that you update right now.

This critical zero-day flaw was reported by Samuel Groß, a security researcher with the Google Project Zero security team, and the Coinbase Security team. It is a type confusion vulnerability tracked as CVE-2019-11707 that occurs “when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.” Not much information has been disclosed about the vulnerability yet, apart from this short description on the advisory page. In general, type confusion happens when a piece of code fails to verify the type of the object that is passed to it and blindly uses it without type-checking.

The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert informing users and administrators to update Firefox as soon as possible: “The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates.”

Users can install the patched Firefox versions by downloading them from Mozilla’s official website. Or, they can click on the hamburger icon in the upper-right corner, type Update into the search box, and hit the Restart to update Firefox button to be sure.

This is not the first time a zero-day vulnerability has been found in Firefox. Back in 2016, a vulnerability was reported in Firefox that was exploited by attackers to de-anonymize Tor Browser users. The attackers then collected user data including IP addresses, MAC addresses, and hostnames. Mozilla then released an emergency fix in Firefox 50.0.2 and 45.5.1 ESR.

Related articles:
Firefox releases v66.0.4 and 60.6.2 to fix the expired certificate problem that ended up disabling add-ons
Firefox 67 enables AV1 video decoder ‘dav1d’, by default on all desktop platforms
Mozilla makes Firefox 67 “faster than ever” by deprioritizing least commonly used features
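The general definition of type confusion given above is easier to grasp with a concrete tagged value. The following is an added, constructed example for this page; it is not Firefox or SpiderMonkey code and has no relation to the internals of CVE-2019-11707 beyond illustrating the bug class. A value carries a tag saying which union member is valid; an accessor that skips the tag check reinterprets an integer's bytes as a pointer, while the checked accessor refuses the mismatched value instead (the bogus pointer is returned as an integer and never dereferenced):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the type confusion bug class. Written for
 * this page: not Firefox/SpiderMonkey code, and unrelated to the internals
 * of CVE-2019-11707 beyond the general pattern.
 *
 * A tagged value, like the boxed values a script engine passes around:
 * the tag says which union member is currently valid.
 */
enum val_type { VAL_INT, VAL_STRING };

struct value {
    enum val_type type;
    union {
        int64_t num;                                   /* valid when VAL_INT */
        struct { const char *data; size_t len; } str;  /* valid when VAL_STRING */
    } u;
};

struct value make_int(int64_t n)
{
    struct value v;
    memset(&v, 0, sizeof v);
    v.type = VAL_INT;
    v.u.num = n;
    return v;
}

struct value make_string(const char *s)
{
    struct value v;
    memset(&v, 0, sizeof v);
    v.type = VAL_STRING;
    v.u.str.data = s;
    v.u.str.len = strlen(s);
    return v;
}

/* Vulnerable pattern: the callee assumes it was handed a string and reads
 * the pointer field without checking the tag. When the value is really an
 * integer, the integer's bytes are reinterpreted as a pointer, so the caller
 * ends up holding an address chosen by whoever supplied the number. The
 * pointer is returned as an integer so the example never dereferences it. */
uintptr_t string_ptr_unchecked(const struct value *v)
{
    return (uintptr_t)v->u.str.data;
}

/* Hardened pattern: verify the tag before touching type-specific fields and
 * report failure instead of reinterpreting memory. */
bool string_len_checked(const struct value *v, size_t *out_len)
{
    if (v->type != VAL_STRING)
        return false;
    *out_len = v->u.str.len;
    return true;
}

/* Shows the confusion without dereferencing anything: the integer 0x41,
 * handed to the unchecked string accessor, comes back as the "pointer" 0x41
 * (little-endian host assumed), while the checked accessor refuses it.
 * Returns true when both behaviours are observed. */
bool demo_type_confusion(void)
{
    struct value iv = make_int(0x41);
    size_t len = 0;
    uintptr_t bogus = string_ptr_unchecked(&iv);
    bool refused = !string_len_checked(&iv, &len);
    printf("unchecked pointer=0x%lx, checked refused=%d\n",
           (unsigned long)bogus, refused);
    return bogus == 0x41 && refused;
}

int main(void)
{
    return demo_type_confusion() ? 0 : 1;
}
```

The point of the checked accessor is that a wrong tag becomes an explicit error path rather than a memory read through attacker-influenced bytes; in a real engine the equivalent check is whatever guards the fast path after an operation such as the one the advisory names, and a missing or stale guard is exactly what makes a type confusion exploitable.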

Sugandha Lahoti
29 Nov 2018
2 min read

Meet JFrog Xray, a binary analysis tool for performing security scans and dependency analyses

Last month, JFrog, a DevOps-based artifact management platform, bagged a $165 million Series D funding round. Now the company is announcing JFrog Xray, a binary analysis tool for performing recursive security scans and dependency analyses on all standard software package and container types. It performs a multilayer analysis of containers and software artifacts for vulnerabilities, license compliance, and quality assurance.

JFrog Xray is available as a pure cloud subscription, making Xray the only cloud utility integrated with a universal artifact binary repository. Xray Cloud is available for customers on Amazon Web Services and Google Cloud Platform, and soon on Azure. Xray’s database can also plug into other data sources, giving customers maximum flexibility and coverage.

It is available in two versions. First, an on-prem version which users install, manage, and maintain on their own hardware or host in the cloud themselves. Second, the cloud version, where JFrog manages, maintains, and scales the infrastructure and provides automated server backups with free updates and guaranteed uptime.

Features of JFrog Xray:

- Artifact analysis for all major package formats across the CI/CD pipeline
- Deep recursive scanning to provide insight into the component graph and show the impact that an issue has on software artifacts
- Native Artifactory integration, enriching artifacts with metadata to protect software from potential threats
- Fully automated protection for the development, build, and production phases through IDE and CI/CD integration and a REST API
- 24/7 R&D-level support

Currently, JFrog Xray is being used by companies such as Slack, Workday, and AT&T, and has helped its customers avoid nearly 57,000 unique software package vulnerabilities. “The ability to provide scalable security solutions in a hybrid cloud model has definitely become a requirement in the enterprise,” said Dror Bereznitsky, VP of Product Management for JFrog. “We’re proud that Xray is uniquely providing not only reliable scanning and compliance management, but also delivering these solutions at a massive scale across leading cloud providers to give customers maximum flexibility.”

More information on Xray Cloud is available on the JFrog official website.

Related articles:
JFrog, a DevOps based artifact management platform, bags a $165 million Series D funding.
Packt has put together a new cybersecurity bundle for Humble Bundle.
Data Theorem launches two automated API security analysis solutions – API Discover and API Inspect
Savia Lobo
25 Jan 2019
2 min read

Microsoft’s Bing ‘back to normal’ in China

On Wednesday, Microsoft reported that its search engine, Bing, was blocked in China. However, the company was unsure whether this was due to China’s great wall censorship or a technical glitch. The search engine is now back online after being unreachable for two consecutive days. The site may have been blocked by government censors.

Many users posted on Weibo, one of the most popular social networks in China, commenting that “Bing is back” and “Bing returns to normal.”

ZDNet also pointed out a notable fact: “The temporary block of Microsoft's Bing comes at a time when tensions between the US and China are running high, with the introduction of a bipartisan Bill in the US earlier this month to ban the sale of tech to Chinese companies Huawei and ZTE, and the US stating on Wednesday its intention to extradite Huawei CFO Meng Wanzhou.”

Though Bing is not widely used in China, it has been one of the few remaining portals to the broader internet as the Chinese government isolates China’s internet from the rest of the world. Bing remains the only US-based search engine available there because “Microsoft has worked to follow the government’s censorship practices around political topics”, the New York Times reported.

In an interview with Fox Business Network at the World Economic Forum in Davos, Switzerland, Microsoft’s president, Brad Smith, said, “There are times when there are disagreements, there are times when there are difficult negotiations with the Chinese government, and we’re still waiting to find out what this situation is about.”

Related articles:
What the US-China tech and AI arms race means for the world – Frederick Kempe at Davos 2019
Packt helped raise almost $1 million for charity with Humble Bundle in 2018
Sweden is at a crossroads with its nearly cashless society: To Swish or e-krona?

Savia Lobo
04 Jun 2019
4 min read

Over 19 years of ANU(Australian National University) students’ and staff data breached

The Australian National University (ANU) recently revealed that it was hacked and that personal data of students and staff spanning 19 years had been accessed. An official letter from ANU’s Vice-Chancellor, Brian Schmidt, said that in late 2018 a “sophisticated operator” accessed their systems illegally. However, the breach was detected only two weeks ago, and ANU staff are working towards strengthening the systems “against secondary or opportunistic attacks”, Schmidt said.

Regarding what data was affected, Schmidt wrote, “Depending on the information you have provided to the University, this may include names, addresses, dates of birth, phone numbers, personal email addresses, and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed.” However, the systems that store credit card details, travel information, medical records, police checks, workers' compensation, vehicle registration numbers, and some performance records have not been affected. Schmidt also said, “We have no evidence that research work has been affected” and that ANU is working closely with Australian government security agencies and industry security partners to investigate further.

Suthagar Seevaratnam, ANU’s Chief Information Security Officer, also wrote a letter today addressing the ANU community, suggesting steps users can take to stay safe with email and passwords, along with advice on general device maintenance and configuration. “If you have not reset your ANU password since November 2018, it is highly advised that you do so immediately,” he mentions in his letter.

This is the second data breach in ANU’s systems, which lasted for seven months. Last year, in July, the ANU revealed that hackers had infiltrated its systems. Schmidt said, “Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data. Had it not been for those upgrades, we would not have detected this incident”. “The university said it did not believe data was stolen in that attack, which national security sources said was the work of the Chinese government”, The Sydney Morning Herald reports.

What would hackers actually gain from such a data breach?

The Australian National University is considered one of the nation's most prestigious educational institutions and is home to world-leading research. The hackers may be trying to gather more information about international students who attend classes at the ANU. “The ANU also educates on national security and houses the Strategic and Defence Studies Centre and the National Security College”, ABC Canberra news reports.

Jamie Travers, a producer at ABC Canberra, tweeted that he had a conversation with ANU media and they declined to share any information about the massive breach.

https://twitter.com/JamieTravers/status/1135732681407262725

Tom Uren, a senior analyst at the Australian Strategic Policy Institute, told Travers that there could be two possible types of hackers behind this breach:

1) A state-sponsored group (presumably China)
2) A cybercriminal gang

Travers also put forward his hypothesis on “why would a state-sponsored group such as China hack the ANU?” by giving two reasons:

https://twitter.com/JamieTravers/status/1135749238468382720
https://twitter.com/JamieTravers/status/1135749435185516544

In one of his tweets, Travers also highlighted what a cybercriminal gang would gain by breaching the ANU data:

- Could use TFNs to file bogus tax returns.
- Could use bank account details to try and access users’ accounts.
- Could sell the data as a whole to someone else online for ID theft.

Schmidt, in his letter, said, “the University has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion”.

To know more about this news in detail, read Brian Schmidt’s official letter to ANU’s students and staff.

Related articles:
Facebook confessed another data breach; says it “unintentionally uploaded” 1.5 million email contacts without consent
Canva faced security breach, 139 million users data hacked: ZDNet reports
DockerHub database breach exposes 190K customer data including tokens for GitHub and Bitbucket repositories