
Tech News - Security

470 Articles
Amrata Joshi
10 Apr 2019
2 min read

Mozilla adds protection against fingerprinting and Cryptomining scripts in Firefox Nightly and Beta

Last year, Mozilla announced an approach to anti-tracking centered on user data privacy. The company listed a few key initiatives for mitigating harmful practices like fingerprinting and cryptomining. Yesterday, Mozilla announced that it is adding a new feature to protect its users against threats and web annoyances in future releases of Firefox. This new feature is available in the beta version of Firefox 67 and the nightly version of Firefox 68. It will be available in the stable release of Firefox in a few weeks. Mozilla has also added a feature to block fingerprinting and cryptomining in Firefox Nightly as an option for users to turn on. The cryptomining and fingerprinting blocks work similarly to the anti-tracking blocks in current versions of Firefox.

Fingerprinting and cryptomining scripts

A variety of “fingerprinting” scripts are embedded invisibly on many web pages to harvest a snapshot of users’ computer configuration. These scripts build a digital fingerprint that can be used to track users across the web, even if the user has cleared their cookies. Fingerprinting thus violates Firefox’s anti-tracking policy. Cryptominers are another category of scripts; they run costly operations in users’ web browsers without the users’ knowledge or consent, using the power of the user’s CPU to generate cryptocurrency for someone else’s benefit. These scripts slow down the computer and drain the battery, which affects the electric bill.

Firefox’s move towards blocking these scripts

To overcome these threats, Mozilla has announced new protections against fingerprinters and cryptominers. The company has collaborated with Disconnect to compile a list of domains that serve fingerprinting and cryptomining scripts. Cryptomining and fingerprinting blocks are disabled by default for now, but users can activate them in a couple of clicks in the browser settings under “Privacy & Security.” In the latest Firefox Nightly and Beta versions, Mozilla has given users the option to block both kinds of scripts as part of the Content Blocking suite of protections. The team at Mozilla will be testing these protections in the coming months. To know more about this news, check out the official announcement by Mozilla.

Savia Lobo
01 Aug 2019
5 min read

Equifax breach victims may not even get the promised $125; FTC urges them to opt for 10-year free credit monitoring services

When Equifax announced a global settlement of up to $425 million with the FTC, under which users affected by its 2017 data breach can file a claim, the public response was overwhelming. The FTC says, “millions of people visited ftc.gov/Equifax and gone on to the settlement website’s claims form”. The settlement announced last month included other benefits: consumers can claim free credit monitoring services or, alternatively, request a cash payment if they already have credit monitoring.

Yesterday, the FTC released a statement requesting consumers to choose 10 years’ free credit card monitoring services instead. Only those who certify that they already have credit monitoring are recommended to claim up to $125. The FTC further explains this is because “the pot of money that pays for that part of the settlement is $31 million. A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.”

The FTC suggests that customers opt for the 10-year free monitoring services as “the market value would be hundreds of dollars a year”. “It monitors your credit report at all three nationwide credit reporting agencies, and it comes with up to $1 million in identity theft insurance and individualized identity restoration services”, the FTC further adds.

https://twitter.com/LauraSullivaNPR/status/1156617951245721601

The FTC is now attempting to persuade users that 10 years of free credit card monitoring from a company that is lax with its security measures is a better bet than claiming the low-risk yet paltry sum of $125. This, at a time when users seek to discontinue their services with the company, makes one question whom the FTC is protecting: the people who are victims of the data breach, or Equifax, whose irresponsible data and security practices have exposed millions to risk.

https://twitter.com/ScottFeldman/status/1156639735063990272

The FTC says there is still money available; however, it’s to “reimburse people for what they paid out of their pocket to recover from the breach. Say you had to pay for your own credit freezes after the breach, or you hired someone to help you deal with identity theft. The settlement has a larger pool of money for just those people. If you’re one of them, use your documents to submit your claim.” CNBC reports, “Equifax could not immediately be reached for comment.”

Many consumers are infuriated by this revised decision and also surprised that the FTC has fined Equifax just $31m for compromising the data of millions of users. Andy Baio, a former CTO of Kickstarter, tweeted, “If any more than 248,000 people request cash settlements instead of credit monitoring, the payout starts shrinking. If a million people ask for cash, for example, the settlement goes down to $31.”

https://twitter.com/waxpancake/status/1154877051574214656

A user on Reddit questions how Equifax is “only being fined $31 million for exposing sensitive data of half the nation's population? That’s less than $0.19 per person whose data was hacked”.

Another user on HackerNews writes, “It seems absurd that they only need to allocate $31 million for "alternative payments" while the old CEO leaves with close to $20 million in bonuses, while the rest of the money in the settlement is basically reserved for them to pay themselves for their "free" credit monitoring.” He further adds, “This whole situation was a good opportunity to set a precedent for companies not taking data security seriously. But they've instead shown everyone that you can really just ignore all of that and hope it's never discovered - even if it is, it's really just a light slap on the wrist. Combining this with the recent Facebook fine, it really makes me think that the FTC has become a complete joke.”

Another furious user wrote on HackerNews, “$31 million is a laughably small amount of money to set aside for direct settlements in the biggest hack in all of history. Add three zeroes to that, probably still not enough.” “I spent three days figuring out this nightmarish credit reporting system and helping friends and family place freezes, as well as educating them to avoid all the horrible dark patterns on Equifax's site. What I want is about $2000 and the ability to opt-out of them owning and reselling my personal data completely. I don't need credit monitoring, I don't need credit period anymore, why am I forced into accepting the unlimited risk of them owning all my data so that this private company can keep operating?”, the user further added.

https://twitter.com/ryanlcooper/status/1156638207032692737

To know more about this news in detail, head over to the FTC’s official statement.

Melisha Dsouza
24 Aug 2018
4 min read

Facebook, Twitter takes down hundreds of fake accounts with ties to Russia and Iran, suspected to influence the US midterm elections

"Authenticity matters and people need to be able to trust the connections they make on Facebook." -Mark Zuckerberg

After Facebook announced last month that it had identified suspicious accounts that were engaged in "coordinated inauthentic behavior," it successfully took down 652 fake accounts and pages that published political content. Facebook had then declined to specify which country or countries may have been leading the campaign, but officials said the campaign was consistent with previous Russian attacks. These pages were suspected to have been intended to influence the US midterm elections set to take place in November this year. The campaigns were first discovered by FireEye, a cybersecurity firm that worked with Facebook on investigating the fake pages and accounts. Earlier this week, Facebook confirmed in a blog post that these campaigns had links to Russia and Iran. The existence of the fake accounts was first reported by The New York Times.

Taking down Inauthentic Behaviour

The conspiracy started unravelling in July, when FireEye tipped Facebook off to the existence of a network of pages known as “Liberty Front Press”. The network included 70 accounts, three Facebook groups, and 76 Instagram accounts, which had 155,000 Facebook followers and 48,000 Instagram followers. The network had undisclosed links to Iranian state media, Facebook said, and spent more than $6,000 between 2015 and today. The network also hosted three events. An investigation of those pages linked them back to Iranian state media using website registration information and internet protocol addresses. Pages created in 2013 posted political content that was focused on the Middle East, Latin America, Britain and the United States.

Other fake pages also had a far more international spread than the earlier batches uncovered. They carried a number of pro-Iranian themes. The aim of the pages also included promoting Palestinians. Some included anti-Trump language and were tied to relations between the United States and Iran, including references to the Iranian nuclear weapons deal. Newer accounts, created in 2016, targeted cybersecurity by spreading malware and stealing passwords. The accounts that originated in Russia focused on activity in Ukraine and Syria. They did not appear to target the United States. But the aim of the latest campaigns is along similar lines to those of past operations on the social network: mainly to distribute fake news that might cause confusion among people, as well as to alter people’s thinking to become more biased or pro-government on various issues.

Mark Zuckerberg, Facebook’s chief executive, officially made a statement in a conference call late Tuesday saying, “We believe these pages, groups, and accounts were part of two sets of campaigns, one from Iran, with ties to state-owned media. The other came from a set of people the U.S. government and others have linked to Russia.”

Closely following suit, Twitter also went ahead and suspended 284 accounts for engaging in coordinated manipulation. Their analysis supports the theory that many of these accounts originated from Iran. Another social media giant, YouTube, deleted a channel called ‘Liberty Front Press’, which was a website linked to some of the fake Iranian accounts on Facebook. This was done because the account violated its community guidelines.

Facebook has come under heavy scrutiny for how its policies are exploited by third parties for fake news, propaganda, and other malicious activity, especially after the debacle of the coordinated election interference from Russia’s IRA before, during, and after the 2016 US election. The criticism has only intensified as the US heads toward the midterms. Facebook has been making an effort to prepare its products and moderation strategy for any manipulation. Now Facebook has taken a step further and is working with researchers to study social media-based election interference. The social media giant hopes to understand how this interference functions and to find ways to stop it. Read The New York Times post for further analysis of this evolving situation.

Richard Gall
11 Apr 2018
2 min read

Cryptojacking is a growing cybersecurity threat, report warns

Cryptojacking is a growing threat to users, a UK cyber security agency warns. In its Cyber Threat to UK Business report, the UK's National Cyber Security Centre (NCSC) outlines the growing use of cryptojacking as a method of mining bitcoin by stealth. The report quotes an earlier study by Checkpoint, done at the end of 2017, indicating that 55% of businesses globally had been impacted by the technique.

One of the most interesting aspects of cryptojacking is how it's blurring the lines of cybercriminality. Although the NCSC 'assumes' that it is ultimately a new technique being used by experienced cyber criminals, the report also notes that websites, without necessarily having any record of cybercrime, are using it as a way of mining cryptocurrencies without users' knowledge. It's worth noting that back in February, Salon gave users the option to suppress ads in return for using their computing power. This was essentially a legitimate and transparent form of cryptocurrency mining.

What is cryptojacking?

Cryptojacking is a method whereby a website visitor's CPU is 'hijacked' by a piece of JavaScript code that runs when the user accesses a specific webpage. This code then allows cybercriminals to 'mine' cryptocurrencies (at present Monero) without users' knowledge. The NCSC report gives an example of this in action. According to the report, more than 4,000 websites "mined cryptocurrency through a compromised screen-reading plugin for blind and partially sighted people."

Cryptojacking looks set, then, to become a larger problem within the cybersecurity world. Because it's so hard for users to identify that they are being exploited, it's likely that this will be difficult to tackle. However, technology-savvy users are already creating solutions to protect against cryptojacking. This will effectively become the next wave of ad blockers.

It will be interesting to see whether this does, in fact, become a model that the media industry takes on to tackle struggling revenues. Could Salon's trial lead to the increased adoption of legitimate cryptojacking as a revenue stream? Whatever happens, user consent is going to remain an issue.

Source: Coindesk

Savia Lobo
25 Oct 2018
2 min read

GitHub updates developers and policymakers on EU copyright Directive at Brussels

On Tuesday, the 16th of October, GitHub hosted Open Source and Copyright: from Industry 4.0 to SMEs in Brussels. Held in partnership with OpenForum Europe and Red Hat, the event was designed to raise awareness of the EU Copyright Directive among developers and policymakers. GitHub has made its position on the controversial legislation clear, saying that while “current copyright laws are outdated in many respects and need modernization, we are concerned that some aspects of the EU’s proposed copyright reform package would inadvertently affect software.”

The event included further discussion on topics such as:

Policy: For GitHub, Abby Vollmer shared how developers have been especially effective in getting policymakers to respond to problems with the copyright proposal and asked them to continue reaching out to policymakers about a technical fix to protect open source.

Developers: Evis Barbullushi from Red Hat explained why open source is so fundamental to software and critical to the EU, using examples of what open source powers every day. He also highlighted the world-class and commercially mainstream nature of open source.

SMEs: Sebastiano Toffaletti (from the European Digital SME Alliance) described concerns about the copyright proposal from the perspective of SMEs, including how efforts to regulate large platforms can end up harming SMEs even if they’re not the target.

Research and academia: Roberto Di Cosmo (Software Heritage) wrapped up the talks by noting that he “should not be here, because, in a world in which software was better understood and valued, policymakers would never introduce a proposal that inadvertently puts software at great risk, and motivated developers to fix this underlying problem.”

In its previous EU copyright proposal update, GitHub explained that the EU Council, Parliament, and Commission were ready to begin final-stage negotiations of the copyright proposal. These three institutions are now working on the exceptions to copyright for text and data mining (Article 3), among other technical elements of the proposal. Article 13 would likely drive many platforms to use upload filters on user-generated content. Article 2 defines which services are in the scope of Article 13; Articles 2 and 13 will be discussed together. This means developers can still contact policymakers with thoughts on what outcomes are best for software development.

Melisha Dsouza
15 Nov 2018
9 min read

What is Facebook hiding? New York Times reveals Facebook’s insidious crisis management strategy

Today has been Facebook’s worst day in its history. As if the plummeting stock, which closed on Wednesday at just $144.22, were not enough, Facebook is now facing backlash over its leadership’s morals. Yesterday, the New York Times published a scathing exposé on how Facebook wilfully downplayed its knowledge of the 2016 Russian meddling in US elections via its platform. In addition, it alleges that over the course of two years, Facebook has adopted a ‘delay, deny and deflect’ strategy under the shrewd leadership of Sheryl Sandberg and the disconnected-from-reality Facebook CEO, Mark Zuckerberg, to continually maneuver through the chain of scandals the company has been plagued with. In the following sections, we dissect the NYT article and also look at other related developments that have been triggered in the wake of this news.

Facebook, with over 2.2 billion users globally, has accumulated one of the largest-ever repositories of personal data, including user photos, messages and likes, that propelled the company into the Fortune 500. Its platform has been used to make or break political campaigns and advertising businesses and to reshape daily life around the world. Questions have constantly been raised about the security of this platform, thanks to the various controversies that have surrounded Facebook for well over two years. While Facebook’s response to these scandals (“we should have done better”) has not convinced many, Facebook has never been considered ‘knowingly evil’ and has continued to enjoy the benefit of the doubt. The Times article now changes that.

Crisis management at Facebook: Delay, deny, deflect

The report by the New York Times is based on anonymous interviews with more than 50 people, including current and former Facebook executives and other employees, lawmakers and government officials, lobbyists and congressional staff members. As Facebook has grown over the past few years, so has the hate speech, bullying and other toxic content on the platform. It hasn't fully taken responsibility for what users post, turning a blind eye and carrying on as a platform and not a publisher.

The report highlights the dilemma Facebook leadership faced when deciding on candidate Trump’s statement on Facebook in 2015 calling for a “total and complete shutdown” on Muslims entering the United States. After a lengthy discussion, Mr. Schrage (a prosecutor whom Ms. Sandberg had recruited) concluded that Mr. Trump’s language had “not violated Facebook’s rules”. Mr. Kaplan (Facebook’s Vice President of global public policy) argued that Mr. Trump was an important public figure, and shutting down his account or removing the statement would be perceived as obstructing free speech, leading to a conservative backlash. Sandberg decided to allow the post on Facebook.

In the spring of 2016, Mr. Alex Stamos (Facebook’s former security chief) and his team discovered Russian hackers probing Facebook accounts for people connected to the presidential campaign, along with Facebook accounts linked to Russian hackers who messaged journalists to share information from the stolen emails. Mr. Stamos directed a team to scrutinize the extent of Russian activity on Facebook. By January 2017, it was clear that there was more to the Russian activity on Facebook. Mr. Kaplan believed that if Facebook implicated Russia further, Republicans would “accuse the company of siding with Democrats” and pulling down the Russians’ fake pages would offend regular Facebook users as having been deceived. To summarize their findings, Mr. Zuckerberg and Ms. Sandberg released a blog post on 6th September 2017. The post had little information on fake accounts or the organic posts created by Russian trolls that had gone viral on Facebook. You can head over to the New York Times to read in depth about what went on in the company after the reported scandals.

What is also surprising is that instead of offering a clear explanation of the matters at hand, the company was more focused on taking a stab at those who make statements against Facebook. Take, for instance, Apple CEO Tim Cook, who criticized Facebook in an MSNBC interview and called Facebook a service that traffics “in your personal life.” According to the Times, Mark Zuckerberg reportedly told his employees to only use Android phones in light of this statement.

Over 70 human rights groups write to Zuckerberg

Fresh reports have now emerged that the Electronic Frontier Foundation, Human Rights Watch, and over 70 other groups have written an open letter to Mark Zuckerberg asking him to adopt a clearer “due process” system for content takedowns. “Civil society groups around the globe have criticized the way that Facebook’s Community Standards exhibit bias and are unevenly applied across different languages and cultural contexts,” the letter says. “Offering a remedy mechanism, as well as more transparency, will go a long way toward supporting user expression.”

Zuckerberg rejects facetime call for answers from five parliaments

“The fact that he has continually declined to give evidence, not just to my committee, but now to an unprecedented international grand committee, makes him look like he’s got something to hide.” -DCMS chair Damian Collins

On October 31st, Zuckerberg was invited to give evidence before a UK parliamentary committee on 27th November, with politicians from Canada co-signing the invitation. The committee needed answers related to Facebook “platform’s malign use in world affairs and democratic process”. Zuckerberg rejected the request on November 2nd. In yet another attempt to obtain answers, MPs from Argentina, Australia, Canada, Ireland and the UK joined forces with the UK’s Digital, Culture, Media and Sport committee, requesting a facetime call with Mark Zuckerberg last week. However, in a letter to DCMS, Facebook declined the request, stating: “Thank you for the invitation to appear before your Grand Committee. As we explained in our letter of November 2nd, Mr. Zuckerberg is not able to be in London on November 27th for your hearing and sends his apologies.” The letter does not explain why Zuckerberg is unavailable to speak to the committee via a video call. The letter summarizes a list of Facebook activities and related research that intersects with the topics of election interference, political ads, disinformation and security. It makes no mention of the company’s controversial actions and their after-effects.

Diverting scrutiny from the matter?

According to the NYT report, Facebook reportedly expanded its relationship with a Washington-based public relations consultancy with Republican ties in October 2017, after an entire year of external criticism over its handling of Russian interference on its social network. The firm last year wrote dozens of articles that criticized Facebook’s rivals Google and Apple while diverting focus from the impact of Russian interference on Facebook. It pushed the idea that liberal financier George Soros was behind a growing anti-Facebook movement, according to the New York Times. The PR team also reportedly pressed reporters to explore Soros' financial connections with groups that protested Facebook at Congressional hearings in July.

How are employees and users reacting?

According to the Wall Street Journal, only 52 percent of employees say that they're optimistic about Facebook's future. In 2017, by comparison, 84 percent were optimistic about working at Facebook. Just under 29,000 workers (of more than 33,000 in total) participated in the biannual pulse survey. In the most recent poll, conducted in October, the numbers have fallen, like the company's tumbling stock, compared to last year's survey. Just over half feel Facebook was making the world a better place which was at 19 percentage last year. 70 percent said they were proud to work at Facebook, down from 87 percent, and overall favorability towards the company dropped from 73 to 70 percent since last October's poll. Around 12 percent apparently plan to leave within a year.

Hacker News has comments from users stating that “Facebook needs to get its act together” and “are in need for serious reform”. Some also feel that “This Times piece should be taken seriously by FB, its shareholders, employees, and users. With good sourcing, this paints a very immature picture of the company, from leadership on down to the users”. Readers have pointed out that Facebook’s integrity is questionable and that “employees are doing what they can to preserve their own integrity with their friends/family/community, and that this push is strong enough to shape the development of the platform for the better, instead of towards further addictive, attention-grabbing, echo chamber construction.”

Facebook’s reply on the New York Times Report

Today, Facebook published a post in response to the Times’ report, listing a number of inaccuracies in it. Facebook asserts that it has been closely following the Russian investigation, and gives reasons for not citing Russia’s name in the April 2017 white paper. The company has also addressed the backlash it faced for the “Muslim ban” statement by Trump, which was not taken down. Facebook strongly supports Mark and Sheryl in the fight against false news and information operations on Facebook, and gives reasons for Sheryl championing sex trafficking legislation. Finally, in response to the controversy over advising employees to use only Android, Facebook clarified that it was because “it is the most popular operating system in the world”. In response to hiring the PR firm Definers, Facebook says that “We ended our contract with Definers last night. The New York Times is wrong to suggest that we ever asked Definers to pay for or write articles on Facebook’s behalf – or to spread misinformation.”

We can’t help but notice that, again, Facebook is defending itself against allegations but not providing a proper explanation for why it finds itself in controversies time and again. It is also surprising that the contract with Definers abruptly came to an end just before the Times report went live. Facebook has additionally emphasized improved security practices at the company, something it has talked about every time it faces a controversy. It is time to stop delaying, denying and deflecting. Instead, atone, accept, and act responsibly.
Melisha Dsouza
27 Aug 2018
3 min read

DC Airport nabs first imposter using its newly deployed facial recognition security system

The initial apprehension about facial recognition technology is beginning to give way to acceptance, as an incident at the D.C. airport shows. Just three days after the technology was implemented at Washington Dulles International Airport, the system identified an imposter attempting to make his way into the US using a fake passport. On August 23, the US Customs and Border Protection (CBP) released news about the 26-year-old male, traveling from Sao Paulo, Brazil, who presented a French passport to the CBP officer in the primary investigation phase. The facial comparison biometric system confirmed that his face did not match the picture in the passport. He was then sent to secondary inspection for a thorough examination. He appeared nervous during the checks, and doubts were confirmed when a search revealed the man's authentic Republic of Congo identification card concealed in his shoe.

NEC has collaborated with a total of 14 airports across the US to use facial recognition technology in order to screen out people arriving in the US with false documents. This has reduced the average wait time for arriving international passengers by around four minutes. According to the International Trade Administration, which Quartz quoted back in February 2017, about 104,525 people arrive from overseas into the US every day (that number excludes people entering from Mexico and Canada). Scanning such a large number of travelers each day is a daunting task for the CBP. Facial recognition technology will definitely reduce the complexity that comes with traveler identification.

A gist of how the biometric system works

The CBP first constructs a photo gallery of all the travelers on US-bound international aircraft using flight manifests and travelers’ documents (mainly passports and visas). When they touch down in America, TSA officers guide travelers to a camera next to a document checking podium. This camera snaps a picture and compares it to the one on their travel documents to determine if they’re indeed who they claim to be.

The CBP asserts that the system will not only help in nabbing terrorists and criminals before they can enter the US, but also speed up airport checks, and eventually allow travelers to get through security processes without a boarding pass. CBP is clearly trying its best to use technology to make its operations more efficient and to detect security breaches at a scale never seen before. It remains to be seen if the benefits of using facial recognition, such as protecting the American people from external threats, outweigh the dangers of over-reliance on this tech, such as wrongly tagging people or infringing on individual freedom. You can gain more insights into this article on techspot.com.

Savia Lobo
01 Aug 2018
2 min read

Microsoft Edge introduces Web Authentication for passwordless web security

Password-based security on the web is fragile: passwords are hard to memorize, easy to forget, and can be easily phished or cracked. However, Microsoft Edge has recently made dealing with passwords a lot easier by introducing the Web Authentication specification. This new feature allows an improved, more secure and passwordless user experience on the web. Using Web Authentication, Edge users can now sign in with their face, fingerprint, PIN, or portable FIDO2 devices. These methods leverage strong public-key credentials instead of passwords.

Why go passwordless?

Many users might still be skeptical of moving to these methods. On the other hand, we allow most online websites (shopping, food ordering websites, and so on) to store our credit card numbers and other sensitive information without any investigation. These credentials are protected by nothing more than passwords, an outdated security model that can be easily hacked. Microsoft aims for a secure and passwordless experience on the web via advanced methods such as Windows Hello biometrics and the creation of Web Authentication, an open standard for passwordless authentication.

How does Web Authentication work?

Windows Hello allows users to authenticate without a password on any Windows 10 device. They can make use of biometrics like face and fingerprint recognition to log in to websites with a simple glance, or use a PIN to sign in. External FIDO2 security keys also work for authentication, combining a removable device with the user’s biometrics or PIN.

There are still some websites which do not offer a complete passwordless model yet. For such websites, backward compatibility with FIDO U2F devices can act as a strong enough second factor besides the password.

At the RSA 2018 conference, Microsoft discussed how APIs shall be used to approve a payment on the web via one’s facial identity.

To get started with Web Authentication in Microsoft Edge, one can install Windows Insider Preview build 17723 or higher to try out the updated feature. Read more about this feature on the Microsoft Web Authentication guide.

Natasha Mathur
14 Nov 2018
4 min read

Monday’s Google outage was a BGP route leak: traffic redirected through Nigeria, China, and Russia

Google faced a major outage on Monday this week as it went down for over an hour, taking a toll on Google Search and a majority of its other services such as the Google Cloud Platform. The outage was apparently a result of Google losing control over the normal routes of its IP addresses, which instead got misdirected, due to a BGP (Border Gateway Protocol) issue, to China Telecom, Nigeria, and Russia.

The issue began at 21:13 UTC when MainOne Cable Company, a carrier in Lagos, Nigeria, declared its own autonomous system 37282 as the right path to reach 212 IP prefixes that belong to Google, reported Ars Technica. Shortly after, China Telecom improperly accepted the route and further declared it worldwide, leading Transtelecom and other large service providers in Russia to follow the same route.

BGPmon, a networking and security company that assesses the route health of networks, tweeted on Monday that it “appears that Nigerian ISP AS37282 'MainOne Cable Company' leaked many @google prefixes to China Telecom, who then advertised it to AS20485 TRANSTELECOM (Russia). From there on others appear to have picked this up”. BGPmon also tweeted that the redirection of IP addresses came in five distinct waves over a 74-minute period:

https://twitter.com/bgpmon/status/1062130855072546816

Another network intelligence company, ThousandEyes, tweeted that a “potential hijack” was underway. ThousandEyes said it had detected over 180 prefixes affected by this route leak, covering a wide range of Google services.

https://twitter.com/thousandeyes/status/1062102171506765825

This led to growing suspicion among many, as China Telecom, a Chinese state-owned telecommunication company, recently came under the spotlight for misrouting western carrier traffic through mainland China. On further analysis, however, ThousandEyes reached the conclusion that “the origin of this leak was the BGP peering relationship between MainOne, the Nigerian provider, and China Telecom”.

MainOne is in a peering relationship with Google via IXPN in Lagos and has direct routes to Google, which leaked into China Telecom. These routes were then further propagated from China Telecom, via TransTelecom, to NTT and other transit ISPs. “We also noticed that this leak was primarily propagated by business-grade transit providers and did not impact consumer ISP networks as much”, reads the ThousandEyes blog.

BGPmon further tweeted that apart from Google, Cloudflare also faced the same issue, as its IP addresses followed the same route as Google’s.

https://twitter.com/bgpmon/status/1062145172773818368

However, Matthew Prince, CEO of Cloudflare, told Ars Technica that this routing issue was just an error and that the chances of it being a malicious hack were low. “If there was something nefarious afoot there would have been a lot more direct, and potentially less disruptive/detectable, ways to reroute traffic. This was a big, ugly screw up. Intentional route leaks we’ve seen to do things like steal cryptocurrency are typically far more targeted,” said Prince.

“We’re aware that a portion of Internet traffic was affected by the incorrect routing of IP addresses, and access to some Google services was impacted. The root cause of the issue was external to Google and there was no compromise of Google services,” a Google representative told Ars Technica.

MainOne also posted an update about the issue on its site, saying that it faced a “technical glitch during a planned network update and access to some of the Google services was impacted. We promptly corrected the situation at our end and are doing all that is necessary to ensure it doesn’t happen again. The error was accidental on our part; we were not aware that any Google services were compromised as a result”.

MainOne further addressed the issue on Twitter, saying that the problem occurred due to a misconfiguration in BGP filters:

https://twitter.com/Mainoneservice/status/1062321496838885376

The main takeaway from this incident is that doing business on the Internet is still risky, and there are going to be times when it leads to unpredictable and destabilizing events that are not necessarily ‘malicious hacks’.

Melisha Dsouza
19 Feb 2019
3 min read

Firedome’s ‘Endpoint Protection’ solution for improved IoT security

Last month, Firedome Inc announced the launch of the world’s first endpoint cybersecurity solutions portfolio, specifically tailored to home IoT companies and manufacturers. Firedome has developed business models that allow companies to implement top-quality endpoint cybersecurity solutions to close critical security gaps that are a byproduct of the IoT era.

Home IoT devices are susceptible to cyber attacks due to the lack of regulation and budget limitations. Cryptojacking, DDoS and ransomware attacks are only a few examples of cyber crimes that threaten the smart home ecosystem and consumer privacy. The low margins in this industry have made it hard for manufacturers to implement high-end cybersecurity solutions.

Features of Firedome’s ‘Endpoint Protection’ solution:

  • A lightweight software agent that can easily be added to any connected device (during the manufacturing process or later on, ‘over the air’).
  • A cloud-based AI engine that collects and analyzes aggregated data from multiple fleets around the world, produces insights from each attack (or attack attempt) and optimizes them across the board.
  • An accompanying 24/7 SOC team that responds to alerts, runs security research and supports Firedome customers.

The Firedome solution adds a dynamic layer of protection. It is designed not only to prevent attacks from occurring in the first place but also to identify attack attempts and respond to breaches in real time, thereby eliminating damage potential until a firmware update is released. The Firedome Home Solution enables industry players to provide their consumers with cyber protection and security insights for the entire home network.

Moti Shkolnik, Firedome’s Co-founder and CEO, says: “We are very excited to formally launch our suite of services and solutions for the home IoT industry and we strongly believe they have the potential of changing the Home IoT cybersecurity landscape. Device companies and other ecosystem players are craving a solution that is tailored to their needs and business constraints, a solution that will address the vulnerability that is so evident in endpoint devices. Home IoT devices are becoming a commodity and the industry must address these vulnerabilities sooner rather than later. That’s why our solution is a ‘must-have’ rather than a ‘nice-to-have’.”

These solutions have led to Firedome’s selection by Universal Electronics Inc., the worldwide leader in universal control and sensing technologies for the smart home, to provide cybersecurity features to the Nevo® Butler Digital Assistant Platform product.

To know more about this news in detail, head over to Firedome’s official website.
Savia Lobo
22 Oct 2018
3 min read

jQuery File Upload plugin exploited by hackers over 8 years, reports Akamai's SIRT researcher

Larry Cashdollar, a security researcher with Akamai's SIRT (Security Intelligence Response Team), found a vulnerability that impacts the jQuery File Upload plugin, as reported by Bleeping Computer last week. The vulnerability received the CVE-2018-9206 identifier earlier this month, which will help people pay closer attention to this flaw.

Larry discovered the flaw together with Sebastian Tschan, also known as Blueimp, the developer of the plugin. They found that the flaw was caused by a change introduced in Apache 2.3.9, which disabled by default the .htaccess files that stored folder-related security settings.

The jQuery File Upload plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds and thousands of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

The 8-year old issue finally found

As per the investigation, the developer identified the true source of the vulnerability not in the plugin's code, but in a change made in the Apache Web Server project dating back to 2010, which indirectly affected the plugin's expected behavior on Apache servers. The actual issue dates back to November 23, 2010, just five days before Blueimp launched the first version of his plugin. On that day, the Apache Foundation released version 2.3.9 of the Apache HTTPD server.

Larry, in an interview with ZDNet, said, “attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells”. "I've seen stuff as far back as 2016," he added.

Hackers have been actively exploiting this flaw since 2016 and kept it low-key. Larry found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. This means that the vulnerability was widely known to hackers, even if it remained a mystery for the infosec community.

According to ZDNet, “All jQuery File Upload versions before 9.22.1 are vulnerable. Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe.”

Measures taken against the formerly known ‘CVE-2018-9206’ flaw

Starting with Apache 2.3.9, .htaccess files are ignored unless specifically enabled by the administrator. There were two reasons for this change: first, to protect the administrator's system configuration by preventing users from customizing security settings on individual folders; second, to improve performance, since the server no longer had to check the .htaccess file when accessing a directory.

After Apache 2.3.9, plugins using .htaccess files to impose access restrictions no longer benefited from the custom folder access security configuration. This was also the case with jQuery File Upload, which adds files to a root directory.

Now tracked as CVE-2018-9206, the coding flaw is no longer present in the latest version of jQuery File Upload. Tschan changed the code to allow only the image file types GIF, JPG, JPEG, and PNG by default; he provides instructions on how to enable more content without running a security risk.

Larry said, "I did test 1000 out of the 7800 of the plugin's forks from GitHub, and they all were exploitable”. The code he's been using for these tests is available on GitHub, along with a proof-of-concept for the actual flaw.

To know more about this in detail, head over to Bleeping Computer’s complete coverage.

Prasad Ramesh
11 Feb 2019
3 min read

Microsoft and Cisco propose ideas for a Biometric privacy law after the state of Illinois passed one

Last month, the state of Illinois passed a biometric privacy bill under which a person can claim damages when their fingerprint is used without consent. Now, Cisco and Microsoft have proposed ideas for biometric privacy.

The Cisco proposal states:

  • ‘Ensure interoperability between different privacy protection regimes.’ This could threaten GDPR.
  • ‘Avoid fracturing of legal obligations for data privacy through a uniform federal law that aligns with the emerging global consensus.’ This means gelling multiple levels of law systems, like state and national, into one, so a violation would go through only one level of a lawsuit.
  • ‘Reassure customers that enforcement of privacy rights will be robust without costly and unnecessary litigation.’ Litigation is expensive for individuals and more so for corporations; this can make it less expensive for the corporations.

Microsoft is lobbying for a federal bill on facial recognition in Washington, according to a Bloomberg report. Brad Smith, President at Microsoft, told Bloomberg: “Opening up the software for third-party testing is one of the key parts of the bill”.

If the Washington bill is passed, it will affect companies like Amazon, Microsoft and any other companies that use personal data with a consumer base above 100,000. Meanwhile, Amazon has not made any comments on the bill as it’s still being modified.

Cisco and Microsoft supporting federal privacy bills would sound like good news, but it’s not. If a new federal privacy bill is supported by a company, it would be designed to give the company leeway on how the rules regarding data collection and usage are set.

According to a New York Times report from August last year, “In recent months, Facebook, Google, IBM, Microsoft and others have aggressively lobbied officials in the Trump administration and elsewhere to start outlining a federal privacy law, according to administration officials and the companies. The law would have a dual purpose, they said: It would overrule the California law and instead put into place a kinder set of rules that would give the companies wide leeway over how personal digital information was handled.”

The Illinois Biometric Information Privacy Act is a good way forward for consumers and should set an example of respecting user privacy. This may seem too strict, but maybe that’s what is needed at this point.

Savia Lobo
15 Oct 2018
3 min read

Facebook says only 29 million and not 50 million users were affected by last month’s security breach

Last month, Facebook witnessed its largest security breach, which compromised 50 million user accounts and was later fixed by its investigation team to avoid further misuse. On Friday, 12th October, Guy Rosen, VP of Product Management at Facebook, shared details of the attack so that users would know the actual reason behind it.

A snapshot of the attack

Facebook discovered the issue on September 25th. The attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. They exploited a series of interactions of three distinct software bugs, which affected the ‘View As’ feature that lets people see what their own profile looks like to someone else. The attackers stole Facebook access tokens to take over people’s accounts. These tokens allow an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.

Deciphering the attack: 29 million users were affected, not 50 million

Guy Rosen, in his update, stated, “We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”

Here’s what happened

The attackers already had control over a set of accounts connected to Facebook users. They then used an automated technique to move from one account to the other in order to steal the access tokens of those friends, friends of friends, and so on. This allowed them to reach about 400,000 users.

Guy writes, “this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations”.

The attackers used these 400,000 people’s lists of friends to further steal access tokens for about 30 million people. They broke down these 30 million into three batches, namely 15, 14 and 1 million, and carried out different accessing techniques for the first two batches:

  • For the 1 million people, the attackers did not access any information.
  • For 15 million people, attackers accessed just the name and contact details (phone number, email, or both, depending on what people had on their profiles).
  • For 14 million people, the attackers not only accessed name and contact details, but also other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

Facebook will be sending customized messages to the 30 million affected people to explain what information the attackers might have accessed and how they can protect themselves from the after-effects (suspicious calls, mails and messages).

Guy also clarified, “This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.”

Meanwhile, Facebook is co-operating with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission, and other authorities to look into the ways attackers used Facebook and the possibility of other, smaller-scale attacks.

To know more about this in detail, visit Guy Rosen's official blog post.
Melisha Dsouza
14 Nov 2018
4 min read

Introducing Firefox Sync centered around user privacy

“Ensure the Internet is a global public resource… where individuals can shape their own experience and are empowered, safe and independent.” -Team Mozilla

Yesterday, Firefox explained the idea behind Firefox Sync as well as how the tool was built with users' privacy in mind. Because sharing data with a provider is the norm, the team found it important to highlight the privacy aspects of Firefox Sync.

What is Firefox Sync?

Firefox Sync lets a user share their bookmarks, browsing history, passwords and other browser data between different devices, and send tabs from one device to another. This feature redefines how users interact with the web. Users can log on to Firefox with Firefox Sync, using the same account across multiple devices. They can even access the same sessions when swapping devices.

With one easy sign-in, Firefox Sync helps users access their bookmarks, tabs, and passwords. Sync allows users logged on from one device to be simultaneously logged on to other devices, which means that tasks started on a user’s laptop in the morning can be picked up on their phone later in the day.

Why is Firefox Sync Secure?

By default, Firefox Sync protects all synced user data so that Mozilla can’t read it. When a user signs up for Sync with a strong passphrase, their data is protected both from attackers and from Mozilla. Mozilla encrypts all of a user’s synced data so that it is entirely unreadable without the key used to encrypt it.

Ideally, even a service provider must never receive a user’s key. Firefox takes care of this aspect when a user signs into their Firefox account. Traditionally, a username and passphrase are sent to the server, where the passphrase is hashed and compared with a stored hash. If a match is found, the server sends the user their data. With Firefox, a user never sends over their passphrase. Mozilla transforms a user’s passphrase on their computer into two different, unrelated values, such that the two values are independent of each other. Mozilla sends an authentication token, derived from the passphrase, to the server, where it serves as the password-equivalent. This means that the encryption key derived from the passphrase never leaves a user’s computer.

In more technical terms, 1000 rounds of PBKDF2 are used to derive the authentication token from the user’s passphrase. On the server side, this token is hashed with scrypt so that the database of authentication tokens is even more difficult to crack. The passphrase is also derived into an encryption key using the same 1000 rounds of PBKDF2. It is domain-separated from the previously generated authentication token by using HKDF with separate info values. This key is used to unwrap an encryption key (obtained during setup and which Mozilla never sees unwrapped), and that encryption key is used to protect the user's data. The key encrypts user data using AES-256 in CBC mode, protected with an HMAC.

Source: Mozilla Hacks

How are people reacting to this feature?

Sync has been well received by customers. A user on Hacker News commented how this feature makes “Firefox important”. Sync has also been compared to Google Chrome, since Chrome's sync feature collects its users' complete browsing histories. One user commented on how Mozilla’s privacy tools will make him “chose over chrome”. And since this approach is relatively simple to implement, users are also exploring the possibility to “implement a similar encryption system as a proof of concept”.

At a time when respecting the privacy of a user is so unusual, Mozilla sure has caught our attention with its approach to be more “user privacy-centric”. You can head over to Mozilla’s Blog to learn about other approaches to building a sync feature for a browser and how Sync protects user data.

Savia Lobo
12 Sep 2018
4 min read

IoT botnets Mirai and Gafgyt target vulnerabilities in Apache Struts and SonicWall

Unit 42 of Palo Alto Networks reported two new variants of the IoT botnets Mirai and Gafgyt last week, on September 7, 2018. The former targets vulnerabilities in Apache Struts and the latter targets older, unsupported versions of SonicWall’s Global Management System (GMS).

Researchers at Palo Alto Networks said, “Unit 42 found the domain that is currently hosting these Mirai samples previously resolved to a different IP address during the month of August. During that time this IP was intermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS). SonicWall has been notified of this development.”

Mirai variant botnet exploit in Apache Struts

The Mirai variant targets 16 different vulnerabilities, including the Apache Struts arbitrary command execution vulnerability CVE-2017-5638, which is triggered via crafted Content-Type, Content-Disposition, or Content-Length HTTP headers. The same vulnerability was associated with the massive Equifax data breach in September 2017.

This botnet had previously targeted routers and other IoT-based devices, which was revealed around the end of May 2018. However, this is the first instance where Mirai has targeted a vulnerability in Apache Struts.

This new Mirai variant is also targeting vulnerabilities such as:

  • the Linksys E-series device remote code execution flaw,
  • a D-Link router remote code execution flaw,
  • an OS command injection security flaw affecting Zyxel routers,
  • an unauthenticated command injection flaw affecting AVTECH IP devices, and more.

Here’s the complete list of all exploits incorporated in this Mirai variant.

Gafgyt variant exploit in SonicWall GMS

The Gafgyt variant is targeting a security flaw, CVE-2018-9866, discovered in July, that affects old, unsupported versions of SonicWall Global Management System (GMS), that is, versions 8.1 and older. The vulnerability targeted by this exploit is caused by the lack of sanitization of XML-RPC requests to the set_time_config method. There is currently no fix for the flaw except for GMS users to upgrade to version 8.2.

Researchers noted that these samples first surfaced on August 5, less than a week after the publication of a Metasploit module for this vulnerability. Some of the variant's configured commands include launching the Blacknurse DDoS attack. Unit 42 researchers said, “Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.”

The researchers also mentioned, "The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets. These developments suggest these IoT botnets are increasingly targeting enterprise devices with outdated versions."

In an email directed to us, SonicWall mentions that "The vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall Global Management System (GMS). The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018. SonicWall and its threat research team continuously update its products to provide industry-leading protection against the latest security threats, and it is therefore crucial that customers are using the latest versions of our products. We recommend that customers with older versions of GMS, which are long out of support, should upgrade immediately from www.mysonicwall.com."

To know more about these IoT botnet attacks in detail, visit the Palo Alto Networks Unit 42 blog post.