
Tech News - Security

470 Articles
Introducing TLS 1.3, the first major overhaul of the TLS protocol with improved security and speed

Savia Lobo
13 Aug 2018
3 min read
The Internet Engineering Task Force (IETF), the organization that defines internet protocols, has standardized the latest version of its most important security protocol, Transport Layer Security (TLS). TLS 1.3, published as RFC 8446 on August 10, 2018, is the first major overhaul of the protocol and brings significant security and performance improvements.

https://youtu.be/HFzXrqw-UpI

TLS 1.3 vs TLS 1.2

TLS 1.2 was defined in RFC 5246 and has been in use by the majority of web browsers for eight years. The IETF finalized TLS 1.3 on March 21, 2018. TLS 1.2 can still be deployed securely; however, many high-profile vulnerabilities have exploited certain parts of the 1.2 protocol along with some outdated algorithms. TLS 1.3 resolves these problems, and the algorithms it includes are said to have no known vulnerabilities.

Compared to TLS 1.2, version 1.3 adds privacy for data exchanges by encrypting more of the negotiation handshake to protect it from eavesdroppers. This helps protect the identities of the participants and impedes traffic analysis. In short, TLS 1.3 brings performance improvements such as faster handshakes alongside increased security. Companies such as Cloudflare are already making TLS 1.3 available to their customers.

What's new in TLS v1.3?

Improved security

The outdated and insecure features of TLS 1.2 that are removed in v1.3 include:
- SHA-1
- RC4
- DES
- 3DES
- AES-CBC
- MD5
- Arbitrary Diffie-Hellman groups (CVE-2016-0701)
- EXPORT-strength ciphers, responsible for FREAK and LogJam

The cryptographic community has continuously analyzed, improved, and validated the security of TLS 1.3. It also removes all primitives and features that contributed to weak configurations and enabled common vulnerability exploits such as DROWN, Vaudenay, Lucky 13, POODLE, SLOTH, CRIME and more.

Improved speed

Web performance was affected by TLS and other encrypted connections; HTTP/2 helped overcome this problem. TLS 1.3 speeds up encrypted connections even further with features such as TLS False Start and Zero Round Trip Time (0-RTT). Simply put, TLS 1.2 requires two round-trips to complete the TLS handshake, whereas v1.3 requires only one, which cuts the encryption latency in half. Another interesting TLS 1.3 feature is that a client can now send data in its first message to a server it has visited previously. This is called a "zero round trip" (0-RTT), and it results in improved load times.

Browser support for TLS v1.3

Google has started warning users in Search Console that it is moving to TLS version 1.2, as TLS 1.0 is no longer considered safe. TLS 1.3 is enabled in Chrome 63 for outgoing connections. Support for TLS 1.3 was added back in Chrome 56 and is also present in Chrome for Android.

https://twitter.com/screamingfrog/status/940501282653077505

TLS 1.3 is enabled by default in Firefox 52 and above (including Quantum). Mozilla is retaining an insecure fallback to TLS 1.2 until more is known about server tolerance of the 1.3 handshake.

Other browsers such as IE, Microsoft Edge, Opera, and Safari do not support TLS 1.3 yet. This will take some time while the protocol is finalized and browsers catch up; most of the remaining implementations are in development at the moment. Read more about this in detail on the IETF blog.
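The list of primitives dropped from TLS 1.3 is also a useful audit checklist for a TLS 1.2 deployment that is still in use. The following Python is an added example written for this page, not code from the article or from the IETF: it flags cipher suites (given in IANA-style names, an assumption of the example) that rely on any of the removed primitives, and it builds a client-side ssl context whose floor is TLS 1.3, so none of those suites can be negotiated at all. The sample suite list is constructed, not taken from a real host; arbitrary DH groups cannot be judged from a suite name and are left out of the check.

```python
import ssl

# Reason labels for the primitives the article lists as removed from TLS 1.3.
# Each rule maps a token of an IANA-style cipher-suite name to a reason.
# (Arbitrary DH groups cannot be judged from a suite name, so they are not here.)
_TOKEN_RULES = [
    ("RC4", "RC4"),
    ("DES", "DES"),
    ("3DES", "3DES"),
    ("CBC", "CBC mode"),
    ("MD5", "MD5"),
    ("EXPORT", "EXPORT grade"),
]


def weak_suite_reasons(suite: str) -> list:
    """Return the reasons a cipher suite relies on primitives TLS 1.3 dropped.

    An empty list means the suite uses none of the listed primitives.
    Names are expected in IANA form, e.g. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.
    """
    tokens = suite.upper().split("_")
    reasons = [label for token, label in _TOKEN_RULES if token in tokens]
    # IANA names end in "SHA" when the HMAC is SHA-1; SHA256/SHA384 are spelled out.
    if tokens[-1] == "SHA":
        reasons.append("SHA-1 MAC")
    return reasons


def audit_cipher_suites(suites) -> dict:
    """Map each weak suite in `suites` to its reasons; strong suites are omitted."""
    report = {}
    for suite in suites:
        reasons = weak_suite_reasons(suite)
        if reasons:
            report[suite] = reasons
    return report


def hardened_context_summary() -> dict:
    """Build a client context that refuses anything below TLS 1.3 and summarise it.

    With the floor at TLS 1.3 the legacy suites audited above can never be
    negotiated, because TLS 1.3 only defines AEAD suites (AES-GCM, AES-CCM,
    ChaCha20-Poly1305). Requires Python 3.7+ linked against OpenSSL 1.1.1+.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


# Constructed sample: a server's offered suite list as an operator might paste
# it from a scanner report; not taken from any real host.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]

if __name__ == "__main__":
    for suite, reasons in audit_cipher_suites(SAMPLE_SUITES).items():
        print(f"{suite}: {', '.join(reasons)}")
    print(hardened_context_summary())
```

Running the script reports the four legacy suites with their reasons and prints a context summary showing a TLS 1.3 floor with hostname checking and certificate verification left on. The name-based audit is a quick screen for scanner output; the authoritative control is the version floor on the context, which removes the whole TLS 1.2 suite catalogue from negotiation.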
ProtonMail shares guidelines to help organizations achieve EU GDPR compliance

Natasha Mathur
09 Jan 2019
5 min read
ProtonMail launched an online resource site yesterday, called "GDPR.eu", that offers a complete compliance guide to the EU's General Data Protection Regulation (GDPR). GDPR is considered the toughest privacy and security law in the world. The law imposes obligations on organizations that collect users' personal data across Europe, and it provides for fines of tens of millions of euros against organizations that violate its privacy and security rules.

The GDPR compliance guide offers detailed information about the GDPR law and answers questions such as "how to write a GDPR-compliant privacy notice", "how does GDPR affect email", and "what is a GDPR data protection officer (DPO)". Let's have a look at some of the key topics covered in the GDPR compliance guide.

GDPR-compliant privacy notice

A GDPR privacy notice is a public document from an organization that details how it processes a user's personal data and how it applies GDPR's data protection principles. The information that needs to be included in the privacy notice varies depending on two factors: a) whether the organization collected the data directly from the individual, or b) whether it received the data via a third party. As per the GDPR, organizations need to provide their users with a privacy notice that is:
- concise, transparent, intelligible, and presented in an easily accessible form;
- written in clear and plain language, especially for information addressed specifically to a child;
- delivered properly and in a timely manner;
- provided free of charge.

The guide also lists best practices for writing a privacy notice. It notes that phrases such as "we may use your personal data to develop services" or "we may use your personal data for research purposes" should not be used in a public notice, as they give no clear picture of how an organization intends to use that data. Instead, a phrase such as "we will retain your shopping history and use details of the products that have previously purchased to make better suggestions to you for other products" is much better and more informative.

GDPR email compliance

The GDPR compliance guide explains how GDPR affects email. It states that GDPR does not ban email marketing by any means; instead, it encourages organizations to run effective email marketing. "A good marketing email should ideally provide value to the recipient and be something they want to receive anyway. What the GDPR does is clarify the terms of consent, requiring organizations to ask for an affirmative opt-in to be able to send communications. And you must also make it easy for people to change their mind and opt-out", states the guide.

The guide also covers another aspect of email: email security. As per Article 5(f) of GDPR, it is the responsibility of an organization to protect users' personal data against accidental loss, destruction or damage by implementing appropriate technical or organizational measures. Moreover, the guide states that in order to avoid liability, it is important for organizations to educate their teams about email safety. For instance, implementing basic steps such as two-factor authentication is a good initiative toward protecting user data and complying with the GDPR.

GDPR Data Protection Officer (DPO)

GDPR states that, under certain conditions, organizations should appoint a Data Protection Officer to oversee the organization's GDPR compliance. The DPO should possess expert knowledge of data protection law and practices. Article 38 of GDPR states that no other employee within an organization can issue instructions to the DPO regarding the performance of their tasks. DPOs have wide-ranging responsibilities, and the position is protected from potential interference by other employees within the organization. The DPO also reports only to the highest level of management at the organization.

GDPR does not list specific qualifications for a DPO. However, it does state that the level of knowledge and experience required of an organization's DPO should be determined based on the complexity of its data processing operations. The GDPR compliance guide lists three criteria that need to be met by an organization for it to appoint a DPO:
- Public authority: the processing of personal data is handled by a public body or public authority.
- Large-scale and regular monitoring: the processing of personal user data is the main activity of an organization that regularly and systematically observes user data on a large scale.
- Large-scale special data categories: the processing of specific "special" data categories is carried out on a large scale within these organizations.

Apart from these major guidelines, the GDPR compliance guide also offers an overview of GDPR, a GDPR compliance checklist, GDPR forms and templates, and the latest news and updates regarding GDPR. Check out the complete GDPR compliance guide here.
Google to launch a censored search engine in China, codenamed Dragonfly

Sugandha Lahoti
03 Aug 2018
3 min read
According to a leaked report obtained by The Intercept, Google is secretly planning to bring its search engine back to China. The project, codenamed Dragonfly, will comply with China's censorship rules and filter out certain topics, including search terms about human rights, democracy, religion, and peaceful protests. According to internal Google documents and people familiar with the plans, the project was initiated in the spring of last year; however, it picked up speed following a December 2017 meeting between Google's CEO Sundar Pichai and the Chinese government.

Google has created a custom Android app through which users can access Google's search service. Per The Intercept, the app has already been demonstrated to the Chinese government, and the finalized version may be launched anytime in the next 6 to 9 months. This custom app will comply with China's strict censorship laws, restricting access to content that is banned. The Chinese government has censored popular social media sites like Instagram, Facebook, and Twitter, as well as news organizations such as the New York Times and the Wall Street Journal. It has also banned information on the internet about political opponents, free speech, and academic studies. The Intercept says that the leaked document states that "the search app will also blacklist sensitive queries so that no results will be shown at all when people enter certain words or phrases."

Back in 2010, Google decided to exit China, publicly declaring that it would withdraw its search engine services from the country. The primary reason was that the Chinese government was forcing Google to censor search results. The Chinese government had also hacked Google's servers, which played a major role in Google's departure from China.

Patrick Poon, a Hong Kong-based researcher with the human rights group Amnesty International, told The Intercept that "Google's decision to comply with the censorship would be a big disaster for the information age." The general public has also expressed disdain over Google's decision, calling it a money-minting business. Google is yet to share its views on the Chinese search engine; a Google spokesperson said that they have "no comment on speculation about future plans."

You can read the original story on The Intercept.
Firefox Nightly’s Secure DNS Experimental Results out

Fatema Patrawala
30 Aug 2018
4 min read
During July 2018, a planned Firefox Nightly experiment was performed involving secure DNS via the DNS over HTTPS (DoH) protocol. About 25,000 Firefox Nightly 63 users who had agreed to be part of Nightly experiments participated in this study. Cloudflare operated the DoH servers that were used, according to the privacy policy it had agreed with Mozilla. Each user was additionally given information directly in the browser about the project, including the service provider and an opportunity to decline participation in the study.

Browser users currently experience spying on and spoofing of their DNS information because they rely on the unsecured traditional DNS protocol. Using a trusted cloud-based DoH service in place of traditional DNS is a significant change in how networking operates, and it raises many things to consider when selecting servers going forward. However, the initial experiment focused on validating two separate, important technical questions:
- Does the use of a cloud DNS service perform well enough to replace traditional DNS?
- Does the use of a cloud DNS service create additional connection errors?

The experiment is now complete, and here are the highlights of the findings. DNS over HTTPS with a cloud service provider shows a minor performance impact on the majority of non-cached DNS queries as compared to traditional DNS. Most queries were around 6 milliseconds slower, which seems to be an acceptable cost for the benefit of securing the data. However, the slowest DNS transactions performed much better with the new DoH-based system than with the traditional one, sometimes by hundreds of milliseconds.

[Chart: net improvement of the DoH performance distribution vs the traditional DNS performance distribution. Source: Firefox Nightly]

The chart shows the net improvement of the DoH performance distribution vs the traditional DNS performance distribution. The fastest DNS exchanges are at the left of the chart and the slowest at the right. The slowest 20% of DNS exchanges are radically improved (improvements of several seconds are truncated at the extreme for chart formatting reasons), while the majority of exchanges exhibit a small, tolerable amount of overhead when using a cloud service. This is a good result.

The Firefox team hypothesized that the improvements at the tail of the distribution derive from two advantages DoH has over traditional DNS. First, the consistency of the service operation, compared with dealing with thousands of different operating-system resolvers that are overloaded, unmaintained, or forwarded to strange locations. Second, HTTP's use of modern loss recovery and congestion control allows it to operate better on very busy or low-quality networks.

The experiment also considered connection error rates and found that users using the DoH cloud service in "soft-fail" mode experienced no statistically significant difference in the rate of connection errors compared with users in a control group using traditional DNS. Soft-fail mode primarily uses DoH, but falls back to traditional DNS when a name does not resolve correctly or when a connection to the DoH-provided address fails. The connection error rate measures whether an HTTP channel can be successfully established from a name, and therefore incorporates the fallbacks into its measurements. These fallbacks are needed to ensure seamless operation in the presence of firewalled services and captive portals.

"We're committed long term to building a larger ecosystem of trusted DoH providers that live up to a high standard of data handling. We're also working on privacy preserving ways of dividing the DNS transactions between a set of providers, and/or partnering with servers geographically. Future experiments will likely reflect this work as we continue to move towards a future with secured DNS deployed for all of our users," says the Firefox Nightly team.
Emotet, a dangerous botnet spams malicious emails, “targets 66,000 unique emails for more than 30,000 domain names” reports BleepingComputer

Vincy Davis
19 Sep 2019
4 min read
Three days ago, Emotet, a dangerous malware botnet, was found sending malicious emails to many countries around the globe. The malicious emails carrying Emotet's signature were first spotted on the morning of September 18th in countries including Germany, the United Kingdom, Poland, Italy, and the U.S.A., targeting individuals, businesses, and government entities. This is not Emotet's first outing: it was used as a banking trojan in 2014.

https://twitter.com/MalwareTechBlog/status/1173517787597172741

Any recipient of the infected mail who unknowingly downloaded and executed the attachment may have exposed themselves to the Emotet malware. Once infected, the computer is added to the Emotet botnet, which uses it as a downloader for other threats. The Emotet botnet was able to compromise many websites, including customernoble.com, taxolabs.com, www.mutlukadinlarakademisi.com, and more.

In a statement to BleepingComputer, security researchers from the email security company Cofense Labs said, "Emotet is now targeting almost 66,000 unique emails for more than 30,000 domain names from 385 unique top-level domains (TLDs)." The malicious emails are suspected to originate from "3,362 different senders, whose credentials had been stolen. The count for the total number of unique domains reached 1,875, covering a little over 400 TLDs."

Brad Duncan, a security researcher, also reported that some U.S.-based hosts received Trickbot, a banking trojan turned malware dropper. Trickbot is a secondary malware infection dropped by Emotet.

https://twitter.com/malware_traffic/status/1173694224572792834

What did the Emotet botnet do in its last outing?

According to BleepingComputer, the command and control (C2) servers for the Emotet botnet became active at the beginning of June 2019 but did not send out any instructions to infected machines until August 22. Presumably, the botnet was taking time to rebuild itself, establish new distribution channels, and prepare for new spam campaigns; in short, it was under maintenance. Benkøw, a security researcher, had listed the stages required for the botnet to resume malicious activity.

https://twitter.com/benkow_/status/1164899159431946240

Therefore, Emotet's return was not a surprise to many security researchers, as it was expected that the Emotet botnet would revive sooner or later.

How does the Emotet botnet function?

Discovered in 2014, Emotet was originally designed as a banking trojan targeting mostly German and Austrian bank customers by stealing their login credentials. Over time, however, it has evolved into a versatile and effective malware platform. Once a device is infected, the Emotet botnet tries to penetrate associated systems via brute-force attacks. This enables Emotet to perform DDoS attacks or send out spam emails after obtaining a user's financial data, browsing history, saved passwords, and Bitcoin wallets. Meanwhile, the infected machine contacts Emotet's command and control (C&C) servers to receive updates; the botnet also uses its C&C servers as a junkyard for storing the stolen data.

Per Cyren, a single Emotet bot can send a few hundred thousand emails in just one hour, which means it is capable of sending a few million emails in a day. Emotet delivers modules to extract passwords from local apps, which it then uses to spread sideways to other computers on the same network. It is also capable of stealing entire email threads to be reused later for spam campaigns. Emotet also provides Malware-as-a-Service (MaaS), renting access to Emotet-infected computers to other malware groups.

Meanwhile, many people on Twitter are sharing details about Emotet for others to watch out for.

https://twitter.com/BenAylett/status/1174560327649746944
https://twitter.com/papa_anniekey/status/1173763993325826049
https://twitter.com/evanderburg/status/1174073569254395904

Interested readers can check out the malware security analysis report for more information. Also, head over to BleepingComputer for more details.
Privilege escalation: Entry point for malware via program errors

Savia Lobo
14 Oct 2018
2 min read
Malware, or malicious software, is designed to harm a user's computer systems in multiple ways. Over the years, hackers and attackers have implemented various methods to inject viruses, worms, Trojans, and spyware to bring down a computer system. To combat current-age malware, you must know how malware functions and what techniques attackers use to launch malware within a system. Some advanced malware techniques include:
- Privilege escalation is how malware attempts to increase its reach within the system.
- Persistence methods keep malware in an execution state for a longer time.
- Data encoding explores ways to hide the intent of the malware.
- Covert launching techniques help launch malware in the stealthiest manner.

Of these, privilege escalation is a network intrusion method where malware can enter the system via programming errors or design flaws. With the help of these channels, the attacker can gain direct access to the network and its associated data and applications.

Watch the video below by Munir Njenga to learn all about privilege escalation and its types in depth, using real-world examples.

https://www.youtube.com/watch?v=Qzlkw5sJUsw

About Munir Njenga

Munir is a technology enthusiast, cybersecurity consultant, and researcher. His skills and competencies stem from his active involvement in engagements that deliver advisory services such as network security reviews, security course development, training and capacity building, mobile and internet banking security reviews (BSS, MSC, HLR/AUC, IN, NGN, GGSN/SGSN), web applications, and network attack and penetration testing.

To learn more about privilege escalation and other malware analysis methods, check out our course titled 'Advanced Malware Analysis', to which this video belongs.
Outage in the Microsoft 365 and Gmail made users unable to log into their accounts

Savia Lobo
30 Jan 2019
2 min read
Yesterday, Microsoft suffered a worldwide issue affecting various cloud services, including Office 365, the Azure Portal, Dynamics 365 and LinkedIn, where many users were unable to log into its cloud-based services. The outage was reported around 7:15 in the morning, Sydney time, and is believed to have affected multiple enterprise customers. Microsoft confirmed the problems and said that network issues in Azure Active Directory were to blame.

In an update to customers, the Microsoft team said, "that have their authorization cached are unaffected by this issue, and new authentications are succeeded approximately 50 percent of the time." They also tweeted that "Engineers are investigating a Microsoft networking issue impacting customers' ability to log in to the Azure Portal."

https://twitter.com/AzureSupport/status/1090360382466605056

Downdetector, an outage tracking service, showed a heatmap of the problems, which shows that the east coast of Australia, as well as New Zealand, felt the impact. Microsoft 365 tweeted today, "We've identified a third-party network provider issue that is affecting authentication to multiple Microsoft 365 services. We're moving services to an alternate network provider to resolve the issue."

https://twitter.com/GossiTheDog/status/1090579331502485505

To know more about this in detail, visit Microsoft's official website.

Gmail also suffers a global outage

Yesterday, Gmail users around the globe reported a "404" error when they tried accessing the service at around 11 am. Google's service status page listed no issues with Gmail at the time, but users clearly disagreed. According to Outage Report and Down Detector, Gmail was down in nearly all of Europe and in parts of North America, South America and Asia.

https://twitter.com/zeefu/status/1090204478308012033

However, the issue with Gmail should now be resolved, according to a Google spokesperson.
Cloudflare raises $150M with Franklin Templeton leading the latest round of funding

Amrata Joshi
13 Mar 2019
4 min read
After a long break from fundraising, Cloudflare, a U.S.-based company that provides content delivery network services, Internet security and more, announced yesterday that it has raised $150 million in funding. The company also announced that Stan Meresman, board member and chair of the Audit Committee of Guardant Health (GH), and Maria Eitel, founder and co-chair of the Nike Foundation, are joining its board of directors.

In 2014, Cloudflare raised around $110 million in funding, and the company has raised more than $330 million to date from investors including New Enterprise Associates, Union Square Ventures, Microsoft, Baidu, and many more. In the latest round, Franklin Templeton, an investment management company, joined these investors, further extending its support for Cloudflare's growth.

Matthew Prince, co-founder and CEO of Cloudflare, said, "I'm honored to welcome Maria and Stan to our board of directors. Both of them bring a wealth of knowledge and experience to our board and know what it takes to propel companies forward. Our entire board looks forward to working with them as we continue to help build a better Internet."

Eitel previously ran European corporate affairs for Microsoft, worked in media affairs at the White House, and was an assistant to President George H.W. Bush. Eitel said, "My career has been focused on creating global change, and the Internet is a huge part of that. The Internet has the ability to unleash human potential, and I believe that Cloudflare is one of the major players able to drive the change that's necessary for the world and Internet community."

Stan Meresman was previously CFO of Silicon Graphics (SGI) and Cypress Semiconductor (CY). He said, "Cloudflare's technologies, customer base, and global network have helped propel the company to a position of leadership in the Internet ecosystem. I look forward to lending my skills and expertise to Cloudflare's board in order to continue this growth and make even more of an impact."

According to a report by Reuters last year, Cloudflare was considering an IPO in the first half of 2019 that could have valued the company at more than $3.5 billion. Given this latest funding round, it seems that the company is not yet heading toward going public, but Cloudflare is growing and a public offering could be the next big step. Some users expect the company to go public this year and are happy that it is moving in a good direction. One user commented on Hacker News, "I do wonder how people feel about this internally though. There's a lot of expectation that the company would go public this year (and some even expected it would go public last year). Hopefully, no one needs the money they put in to early exercise any time soon!"

Another comment reads, "Cloudflare is undergoing a lot of big projects to break away from the image that they are "just a CDN". Raising a round now instead of going public allows them to invest more on those projects instead of focusing on quarter to quarter results. Also, avoiding brain-drains post-IPO while they need those talents the most."

Others think the company might start monetizing the data flowing through its network. A user commented, "Doesn't raising this kind of money scream that you're eventually going to start to monetize the data flowing through your network (e.g. telecoms selling location data to bounty hunters)?"

To know more about this news, check out the official announcement.
Google launches score-based reCAPTCHA v3 to filter abusive traffic on websites

Sugandha Lahoti
30 Oct 2018
3 min read
Yesterday, Google launched reCAPTCHA v3, a revamped version of its CAPTCHA API that helps filter abusive traffic to a website without user interaction. reCAPTCHA v3 returns a score for each request. The score is based on interactions with a site, so website owners can take the most appropriate action.

“Over the last decade, reCAPTCHA has continuously evolved its technology,” Google product manager Wei Liu wrote in a blog post. reCAPTCHA is commonly deployed on sign-in pages, alongside the usual controls: rate-limiting login attempts (with an exponentially increasing back-off), locking out IPs that exceed the allowed number of attempts, and analyzing logs to ban abusive IPs. Liu adds, “reCAPTCHA v3 helps to protect your sites without user friction and gives you more power to decide what to do in risky situations.” reCAPTCHA v3 also runs adaptive risk analysis in the background to alert you to suspicious traffic.

The scoring logic

Website owners can use the reCAPTCHA score in three different ways:

  • They can set a threshold that determines when a user is let through and when further verification needs to be done.
  • They can combine the score with their own signals that reCAPTCHA can’t access, such as user profiles or transaction histories.
  • They can use the reCAPTCHA score as one of the signals to train machine learning models to fight abuse.

reCAPTCHA v3 introduces a new tag, “action”, which is used to define the key steps of a user journey and lets reCAPTCHA run its risk analysis in context. When actions are added to multiple pages, reCAPTCHA's adaptive risk analysis engine can identify attacker patterns more accurately by looking at activity across the different pages of your website. The reCAPTCHA admin console provides an overview of the score distribution and a breakdown of the stats for the top 10 actions on your site. It also provides multiple ways to customize what happens for different types of traffic, to protect against bots and improve the user experience based on a website’s specific needs. You can visit the reCAPTCHA developer site for more details.
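The server-side half of the scoring logic described above, as an added example that is neither Google's code nor the article's: the backend builds the documented siteverify call for the token the browser obtained from grecaptcha.execute(siteKey, {action: ...}), then applies a threshold policy to Google's reply, pins the action and hostname (both are otherwise attacker-influenced, since the action string is set in client-side JavaScript), and folds in the site's own risk signals. The thresholds, the penalty per signal, the host name and the sample replies are constructed assumptions, not Google defaults.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Google's token-verification endpoint (documented reCAPTCHA API).
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Policy values: assumed for illustration, not Google's defaults.
ALLOW_AT = 0.7        # score at or above this is let through
BLOCK_BELOW = 0.3     # score below this is rejected outright
SIGNAL_PENALTY = 0.2  # how much each of the site's own risk signals lowers the score


def build_siteverify_request(secret, token, remote_ip=None):
    """Build the server-side POST to siteverify. `token` is what the browser got
    from grecaptcha.execute() and submitted with the form; `secret` never leaves
    the backend."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    return Request(SITEVERIFY_URL, data=urlencode(fields).encode())


def verify_token(secret, token, remote_ip=None, opener=urlopen):
    """Send the request and parse Google's JSON reply. `opener` is injectable so
    the function can be exercised without network access."""
    with opener(build_siteverify_request(secret, token, remote_ip)) as resp:
        return json.load(resp)


def decide(result, expected_action, expected_hostname, own_risk_signals=()):
    """Map a siteverify reply to 'allow', 'challenge' or 'block'.

    The action and hostname are pinned here because a token minted for a
    low-risk action (or on another site using the same key) could otherwise be
    replayed against a sensitive endpoint. `own_risk_signals` are facts reCAPTCHA
    cannot see (new account, mismatched billing country, ...), applied as a
    penalty on the score.
    """
    if not result.get("success"):
        return "block"        # invalid, expired or already-consumed token
    if result.get("action") != expected_action:
        return "block"        # token minted for a different step of the journey
    if result.get("hostname") != expected_hostname:
        return "block"        # token minted on a different site
    score = float(result.get("score", 0.0)) - SIGNAL_PENALTY * len(own_risk_signals)
    if score < BLOCK_BELOW:
        return "block"
    if score < ALLOW_AT:
        return "challenge"    # step up: e-mail code, 2FA, classic CAPTCHA
    return "allow"


# Constructed replies in the shape of the documented siteverify response.
SAMPLE_REPLIES = {
    "human": {"success": True, "score": 0.9, "action": "login",
              "hostname": "example.com", "challenge_ts": "2018-10-30T10:00:00Z"},
    "grey": {"success": True, "score": 0.5, "action": "login",
             "hostname": "example.com", "challenge_ts": "2018-10-30T10:00:01Z"},
    "bot": {"success": True, "score": 0.1, "action": "login",
            "hostname": "example.com", "challenge_ts": "2018-10-30T10:00:02Z"},
    "wrong_action": {"success": True, "score": 0.9, "action": "homepage",
                     "hostname": "example.com", "challenge_ts": "2018-10-30T10:00:03Z"},
    "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def decide_sample(name, own_risk_signals=()):
    """Evaluate one constructed reply against the login step of example.com."""
    return decide(SAMPLE_REPLIES[name], "login", "example.com", own_risk_signals)


if __name__ == "__main__":
    for name in SAMPLE_REPLIES:
        print(f"{name:13s} -> {decide_sample(name)}")
    print("human + 2 own signals ->", decide_sample("human", ("new_account", "tor_exit")))
```

The same 0.9 score that is allowed on its own drops to a step-up challenge once two of the site's own signals are present, which is the second of the three uses Google lists.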

Intel announces 9th Gen Core CPUs with Spectre and Meltdown Hardware Protection amongst other upgrades

Melisha Dsouza
09 Oct 2018
4 min read
On 8 October, at its 'Fall Desktop Launch Event', Intel unveiled the 9th-generation Core i9-9900K, i7-9700K, and i5-9600K processors for desktops. Alongside the aim of delivering 'the best gaming performance in the world', the processors come with hardware mitigations for the much-discussed Spectre, Meltdown, and L1TF vulnerabilities. The major features of this launch include:

#1 Security fixes for Spectre, Meltdown, and L1TF

In March 2018, Intel announced that it would be adding hardware protection to forthcoming CPUs, protecting users against some of the processor's security flaws. These 'protective walls' added in hardware would keep malicious code in a physically different location from the areas of the CPU where speculative execution takes place. Intel kept its word by announcing hardware mitigations for Spectre/Meltdown in the 9th Gen CPUs. Former Intel CEO Brian Krzanich stated in a press release, "We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3. Think of this partitioning as additional “protective walls” between applications and user privilege levels to create an obstacle for bad actors." Intel has not detailed what specific hardware changes were made. Note that Variant 1 (the Spectre bounds-check bypass) is not among the variants Krzanich names; Intel has said it continues to be addressed in software. The earlier software and microcode mitigations were noted to cause a performance hit on older CPUs; the new CPUs are powerful enough that any performance hit caused by these protections should not be noticeable.

#2 Forgoing HyperThreading

Intel is forgoing HyperThreading on some of the 9th Gen parts (the Core i7-9700K and i5-9600K described below run one thread per core, while the Core i9-9900K keeps it). This partly helps make the product stack more linear. It could also help mitigate the side-channel attacks that become possible when two threads share a core under HyperThreading: without it, no two threads on a core compete for, or observe each other through, the same per-core caches and execution units.

#3 Hardware Specifications

Core i9-9900K

The Core i9-9900K is designed to deliver what Intel calls the best gaming performance in the world, claiming up to 220 FPS in Rainbow Six: Siege, Fortnite, Counter-Strike: Global Offensive and PlayerUnknown's Battlegrounds. It comes with 8 cores, 16 threads and a base frequency of 3.6 GHz that can boost up to 5.0 GHz. The processor is aimed at desktop enthusiasts, with dual-channel DDR4 support and up to 40 PCIe lanes. The i9-9900K is built on Intel’s 14nm process, and HyperThreading is an added bonus on this part.

Core i7-9700K

The i7-9700K comes with 8 cores and 8 threads. With a base clock of 3.6 GHz and a turbo of up to 4.9 GHz on a single core, the processor comes without HyperThreading. The i7-9700K is meant to be the direct upgrade over the Core i7-8700K. While both chips share the Coffee Lake microarchitecture, the 9700K has two more cores and slightly higher turbo clocks; on the other hand, it has less L3 cache per core, at only 1.5 MB per core.

Core i5-9600K

The i5-9600K is clocked at a base frequency of 3.7 GHz and can boost up to 4.6 GHz. With 6 cores and 6 threads, it also comes without HyperThreading. This processor is very similar to the previous generation's Core i5, but with higher frequencies for better performance.

It will be interesting to see how these new processors mitigate the security flaws without impacting performance. For detailed information on each of the processors, head over to AnandTech. You could also check out BleepingComputer for additional insights.
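Whether a given machine is relying on the software and microcode mitigations the article mentions, and whether HyperThreading leaves it exposed, is something the Linux kernel reports itself under /sys/devices/system/cpu/vulnerabilities/ and /sys/devices/system/cpu/smt/control. The following reader is an added example, not Intel's or the article's code; the sysfs paths and the status line formats are the kernel's, while the fixture tree it writes (a 2018-era desktop with PTI and retpolines but no microcode for Speculative Store Bypass, and SMT left on) is constructed for illustration.

```python
import os
import tempfile

VULN_DIR = "devices/system/cpu/vulnerabilities"
SMT_CONTROL = "devices/system/cpu/smt/control"


def read_mitigations(sysfs_root="/sys"):
    """Read every file under .../cpu/vulnerabilities/; each holds one line such as
    'Mitigation: PTI', 'Not affected' or 'Vulnerable'."""
    vuln_dir = os.path.join(sysfs_root, VULN_DIR)
    if not os.path.isdir(vuln_dir):
        return {}
    statuses = {}
    for name in sorted(os.listdir(vuln_dir)):
        with open(os.path.join(vuln_dir, name)) as fh:
            statuses[name] = fh.read().strip()
    return statuses


def classify(status):
    """Collapse the kernel's free-text status into one of four buckets."""
    s = status.lower()
    if s.startswith("not affected"):
        return "not-affected"
    if s.startswith("mitigation"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def smt_control(sysfs_root="/sys"):
    """'on', 'off', 'forceoff' or 'notsupported'; 'unknown' on kernels without the knob."""
    try:
        with open(os.path.join(sysfs_root, SMT_CONTROL)) as fh:
            return fh.read().strip()
    except FileNotFoundError:
        return "unknown"


def assess(sysfs_root="/sys"):
    """Summarise what is mitigated, what is not, and which mitigations the kernel
    itself flags as incomplete because a sibling hyper-thread is still running
    (the case the HyperThreading-less 9th Gen parts avoid in hardware)."""
    statuses = read_mitigations(sysfs_root)
    findings = {name: classify(text) for name, text in statuses.items()}
    return {
        "findings": findings,
        "smt": smt_control(sysfs_root),
        "unmitigated": sorted(n for n, c in findings.items() if c == "vulnerable"),
        "smt_exposed": sorted(n for n, t in statuses.items() if "smt vulnerable" in t.lower()),
    }


# Constructed fixture: kernel status lines as printed on a pre-9th-Gen desktop.
SAMPLE_STATUSES = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
}


def write_sample_sysfs(root=None, statuses=SAMPLE_STATUSES, smt="on"):
    """Write the constructed sysfs tree and return its root (a temp dir by default)."""
    root = root or tempfile.mkdtemp(prefix="fake-sysfs-")
    vuln_dir = os.path.join(root, VULN_DIR)
    os.makedirs(vuln_dir, exist_ok=True)
    for name, text in statuses.items():
        with open(os.path.join(vuln_dir, name), "w") as fh:
            fh.write(text + "\n")
    os.makedirs(os.path.dirname(os.path.join(root, SMT_CONTROL)), exist_ok=True)
    with open(os.path.join(root, SMT_CONTROL), "w") as fh:
        fh.write(smt + "\n")
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(assess(write_sample_sysfs()), indent=2))  # the constructed fixture
    print(json.dumps(assess(), indent=2))                      # this machine
```

On the fixture, spec_store_bypass is the only entry the kernel calls outright vulnerable, but l1tf is also listed as SMT-exposed: the mitigation is in place, yet the kernel warns it does not cover the sibling thread while SMT is on, which is exactly the trade-off behind section #2.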

Italian researchers conduct an experiment to prove that quantum communication is possible on a global scale

Prasad Ramesh
26 Dec 2018
3 min read
Researchers from Italy have published a paper showing that quantum communication is feasible between high-orbiting satellites and a ground station. The work demonstrates that quantum communication on a global scale is possible using a Global Navigation Satellite System (GNSS). The results are presented in a paper published last week titled Towards quantum communication from global navigation satellite system.

In the experiment, single photons were exchanged over a distance of about 20,000 km between a ground station and a high-orbit satellite. The exchange was between the retroreflector array mounted on Russian GLONASS satellites and the Italian space agency's Space Geodesy Centre on the ground. The challenge with high-orbit satellites is that the distance causes high diffraction losses in the channel.

One of the co-authors, Dr Giuseppe Vallone of the University of Padova, said to IOP Publishing: “Satellite-based technologies enable a wide range of civil, scientific and military applications like communications, navigation and timing, remote sensing, meteorology, reconnaissance, search and rescue, space exploration and astronomy.” He notes that the crux of such systems is safely transmitting information from satellites to the ground, and that these channels must be protected from interference by third parties. “Space quantum communications (QC) represents a promising way to guarantee unconditional security for satellite-to-ground and inter-satellite optical links, by using quantum information protocols as quantum key distribution (QKD).”

The quantum key distribution (QKD) protocols the experiment works towards are meant to guarantee strong security for satellite-to-satellite and satellite-to-ground links. In QKD the key itself is carried by quantum states, such as single photons; an eavesdropper who measures them disturbs those states, so interception shows up as an elevated error rate that the two parties can detect before they use the key. Another co-author, Prof. Villoresi, talks to IOP Publishing about their focus on high-orbit satellites despite the challenges: "The high orbital speed of low earth orbit (LEO) satellites is very effective for the global coverage but limits their visibility periods from a single ground station. On the contrary, using satellites at higher orbits can extend the communication time, reaching few hours in the case of GNSS.”

After the experiments, the researchers estimated the requirements for an active source on a GNSS satellite, aiming towards QC from GNSS with state-of-the-art technology. This does not mean faster internet or communication: the experiment exchanged single photons, not a data stream, so transferring large amounts of data quickly is not something this application is likely to deliver. What it does show is that a secure channel can be established over a very large distance. For more details, you can check out the research paper on the IOPscience website.
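The detection property the article attributes to QKD can be seen in a simulation of BB84, the textbook QKD protocol, as an added example; it is not the researchers' protocol or code, and the satellite link is reduced to a lossless single-photon channel. Alice sends each key bit on a photon in one of two bases, Bob measures in a random basis, both publicly announce their bases and keep the matching positions (sifting), and an intercept-resend eavesdropper who measures and re-emits each photon disturbs it whenever she guesses the basis wrong. The 11% abort threshold is an assumed policy value (the usual bound for one-way post-processing), and the photon count is chosen for the simulation.

```python
import random


def bb84_exchange(n_photons, eavesdrop=False, seed=1):
    """Simulate one BB84 run; return (sifted_length, errors_in_sifted_key).

    Bases: 0 = rectilinear, 1 = diagonal. Measuring in the wrong basis gives a
    uniformly random outcome and leaves the photon in the measuring basis, which
    is what lets an intercept-resend attacker be noticed.
    """
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state_bit, state_basis = bit, a_basis
        if eavesdrop:
            e_basis = rng.randrange(2)
            state_bit = bit if e_basis == a_basis else rng.randrange(2)
            state_basis = e_basis          # Eve re-sends in the basis she measured in
        bob_bits.append(state_bit if b_basis == state_basis else rng.randrange(2))
    # Sifting: bases are announced over an authenticated classical channel and
    # only positions where Alice's and Bob's bases agree are kept.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    return len(sifted), errors


def qber(n_photons, eavesdrop=False, seed=1):
    """Quantum bit error rate of the sifted key. In practice it is estimated by
    sacrificing a random sample of the sifted bits over the public channel."""
    sifted, errors = bb84_exchange(n_photons, eavesdrop, seed)
    return errors / sifted if sifted else 0.0


def key_accepted(n_photons, eavesdrop=False, seed=1, max_qber=0.11):
    """Abort the session when the error rate exceeds the policy threshold."""
    return qber(n_photons, eavesdrop, seed) <= max_qber


if __name__ == "__main__":
    for eve in (False, True):
        sifted, errors = bb84_exchange(4000, eavesdrop=eve)
        print(f"eavesdropper={eve!s:5} sifted={sifted} errors={errors} "
              f"QBER={qber(4000, eve):.3f} accepted={key_accepted(4000, eve)}")
```

Without an eavesdropper the sifted key has no errors on a noiseless channel; a full intercept-resend attack pushes the error rate to about 25% (half the photons are measured in the wrong basis, and half of those land wrong at Bob), far above the abort threshold, so the key is discarded before any data is encrypted with it. On a real satellite link the channel's own noise floor sets how much of that margin is available.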

A WordPress plugin vulnerability is leaking Twitter account information of users, making them vulnerable to compromise

Sugandha Lahoti
21 Jan 2019
3 min read
Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, has found a vulnerability in a WordPress plugin called Social Network Tabs. The plugin, developed by Design Chemical, lets websites offer their visitors sharing of content to social media sites. It leaks the Twitter account credentials of the sites that use it, exposing those accounts to compromise. MITRE has assigned the vulnerability CVE-2018-20555.

In a Twitter thread on Thursday, Elliot described the details of the bug. Per Elliot, the WordPress plugin leaks, twice over in the page source, the Twitter access_token, access_token_secret, consumer_key and consumer_secret of the site's linked account, which can lead to a takeover of that Twitter account. The leak comes from a few lines of code embedded in the page where the Twitter widget is displayed: anyone who viewed the page source could see the linked Twitter handle and the access tokens. Where the access token had read/write rights, an attacker could also take over the account; Elliot found 127 such accounts.

Elliot tested the bug by searching PublicWWW, a website source-code search engine, and found 539 websites using the vulnerable code. Using a script, he then retrieved the Twitter access_token, access_token_secret, consumer_key and consumer_secret from those 539 vulnerable websites. According to Elliot, the leak compromised 446 Twitter accounts, including 2 verified accounts and multiple accounts with more than 10K followers. He has also made the full list of accounts public.

Elliot told TechCrunch that he had informed Twitter of the vulnerability in the third-party plugin on December 1, prompting the social media giant to revoke the keys and rendering the accounts safe again. Twitter also emailed the affected users about the security lapse in the WordPress plugin, but did not comment on the record when reached. The issue is not fully resolved, however. On January 17, he mentioned in a tweet that, “With a simple Google search query, "inurl:/inc/dcwp_twitter.php?1=", you can find that a lot of websites and so Twitter accounts are still vulnerable to this issue. This query returns 3550 results.” He has also written a scraper to automatically extract the keys from the results of this Google search query.
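A site owner who wants to know whether their own pages expose this kind of credential can scan the rendered HTML for the four OAuth field names the report lists. The scanner below is an added example, not Elliot's scraper or the plugin's code; the page snippet it runs on is constructed (the variable name and values are invented and do not reproduce the plugin's actual markup), and it deliberately reports occurrences per field, since the report says the values appear twice. Found values are masked because the scan output itself must not become a second leak.

```python
import re

# OAuth 1.0a fields named in the report; all four together let a client act as the account.
LEAKED_FIELDS = ("consumer_key", "consumer_secret", "access_token", "access_token_secret")

# Matches  name: "value", "name" = 'value', etc. The longer alternative comes first so
# access_token_secret is not reported as access_token.
_CRED_RE = re.compile(
    r"""["']?(?P<name>consumer_key|consumer_secret|access_token_secret|access_token)["']?"""
    r"""\s*[:=]\s*["'](?P<value>[^"']+)["']""",
    re.IGNORECASE,
)


def find_leaked_credentials(html):
    """Return {field_name: [value, ...]} for every OAuth field found in the page source."""
    found = {}
    for m in _CRED_RE.finditer(html):
        found.setdefault(m.group("name").lower(), []).append(m.group("value"))
    return found


def mask(value, keep=4):
    """Keep a short prefix so two leaks can be told apart without logging the secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def report(html):
    """Summarise a scan: which fields leaked, how often, and whether the page
    exposes the complete credential set needed for an account takeover."""
    leaked = find_leaked_credentials(html)
    return {
        "fields": sorted(leaked),
        "occurrences": {k: len(v) for k, v in leaked.items()},
        "full_credential_set": all(f in leaked for f in LEAKED_FIELDS),
        "masked": {k: [mask(v) for v in vs] for k, vs in leaked.items()},
    }


# Constructed page source: a widget that embeds its credentials twice, as the report describes.
SAMPLE_PAGE = """<html><body>
<script>
  var widget_cfg = {
    consumer_key: 'CKEXAMPLE0123456789ABCDEF',
    consumer_secret: 'cs-example-secret-0123456789abcdefghijklmnopqrstuv',
    access_token: '1234567890-atExample0123456789abcdefghijklmnopqr',
    access_token_secret: 'ats-example-secret-9876543210zyxwvutsrqponmlkjihg'
  };
</script>
<div class="tabs"></div>
<script>
  var widget_cfg_copy = {"consumer_key": "CKEXAMPLE0123456789ABCDEF",
    "consumer_secret": "cs-example-secret-0123456789abcdefghijklmnopqrstuv",
    "access_token": "1234567890-atExample0123456789abcdefghijklmnopqr",
    "access_token_secret": "ats-example-secret-9876543210zyxwvutsrqponmlkjihg"};
</script>
</body></html>"""

CLEAN_PAGE = "<html><body><p>No widget here; access_token is mentioned only in prose.</p></body></html>"


if __name__ == "__main__":
    print(report(SAMPLE_PAGE))
    print(report(CLEAN_PAGE))
```

A positive result on a production page is not fixed by editing the HTML alone: the tokens have already been served to every visitor and to source-code search engines, so the only remediation is revoking and re-issuing them, which is what Twitter did for the accounts Elliot reported.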

Google Home and Amazon Alexa can no longer invade your privacy; thanks to Project Alias!

Savia Lobo
15 Jan 2019
2 min read
Project Alias is an open-source, ‘teachable’ parasite that gives users more control over their smart home assistants in terms of customization and privacy. By downloading an app, users train it to respond to a custom wake-up name while it continuously jams the assistant's built-in microphones. Once trained, Alias takes control of the home assistant by activating it on the user's behalf. Tellart designer Bjørn Karmann and Topp designer Tore Knudsen are the minds behind this experimental project. Knudsen says, “This [fungus] is a vital part of the rain forest, since whenever a species gets too dominant or powerful it has higher chances of getting infected, thus keeping the diversity in balance.” He further added, “We wanted to take that as an analogy and show how DIY and open source can be used to create ‘viruses’ for big tech companies.”

The hardware part of Project Alias is a plug-powered microphone/speaker unit that sits on top of a user’s smart speaker of choice. It’s powered by a fairly typical Raspberry Pi.

Figure: Input and output logic of Alias

Both Amazon and Google have a record of storing past conversations in the cloud; Project Alias, by contrast, promises privacy. According to FastCompany, the smart home assistants “aren’t meant to listen in to your private conversations, but by nature, the devices must always be listening to a little to be listening at just the right time–and they can always mishear any word as a wake word.” Knudsen says, “If somebody would be ready to invest, we would be ready for collaboration. But initially, we made this project with a goal to encourage people to take action and show how things could be different . . . [to] ask what kind of ‘smart’ we actually want in the future.” To know more about Project Alias in detail, head over to Bjørn Karmann’s website or GitHub. A short video on how Project Alias works is at https://player.vimeo.com/video/306044007

China blocks Microsoft’s Bing search engine

Savia Lobo
24 Jan 2019
2 min read
Yesterday, Microsoft confirmed in a statement that its Bing search engine had become inaccessible in China. This is Microsoft’s second setback there since November 2017, when its Skype internet phone call and messaging service was removed from the Apple and Android app stores in China. When users in mainland China tried to perform a search on Bing’s China website, cn.bing.com, they were redirected to a page which read that the server could not be reached. Chinese authorities operate a firewall that blocks most US-based tech platforms, including Facebook and Twitter. However, Microsoft has not said whether the outage is due to censorship or simply a technical problem. A Microsoft spokesperson said, "We've confirmed that Bing is currently inaccessible in China and are engaged to determine next steps.”

Bing was the only major foreign search engine accessible from within China's Great Firewall. Bing’s biggest rival, Google, shut down its search engine in China in 2010 after rows with the authorities over censorship and hacking, and Google CEO Sundar Pichai has said it has no plans to relaunch a search engine in China. Microsoft, by contrast, has censored search results on sensitive topics in accordance with government policy. Citing a source, the Financial Times reported yesterday that China Unicom, a major state-owned telecommunications company, had confirmed a government order to block the search engine. The Cyberspace Administration of China (CAC), a government watchdog, did not respond to faxed questions about Bing’s blocked website; CAC has separately said that it has deleted more than 7 million pieces of online information and 9,382 mobile apps. “President Xi Jinping has accelerated control of the internet in China since 2016, as the ruling Communist Party seeks to crack down on dissent in the social media landscape”, Reuters reported.

Google’s prototype Chinese search engine ‘Dragonfly’ reportedly links searches to phone numbers

Melisha Dsouza
17 Sep 2018
3 min read
Last month, The Intercept reported that Google is building a prototype search engine for China called 'Dragonfly', which led to Google employees pressuring the company to abandon the project on ethical grounds. Google then sought to appease its employees by stating that the project was simply exploratory and nowhere near completion. Now, fresh reports from The Intercept say that Google’s custom search engine would link Chinese users’ search queries to their personal phone numbers, making it easier for the government to track their searches. This means those who search for banned information could be interrogated or detained if security agencies got hold of Google's search records.

According to The Intercept, Dragonfly will be designed for Android devices and would remove content considered sensitive by China’s authoritarian Communist Party regime, including information about freedom of speech, dissidents, peaceful protest and human rights. Citing anonymous sources familiar with the plan, including a Google whistleblower with "moral and ethical concerns" about Google’s role in censorship, The Intercept revealed that "programmers and engineers at Google have created a custom Android app" which has already been demonstrated to the Chinese government. The finalized version could be launched in the next six to nine months, after approval from Chinese officials.

What this means to other nations and to Google

China has strict cyber surveillance, and the fact that this tech giant is bending to China’s demands is a concern for US legislators as well as for citizens of other countries. Last week, in an open letter to Google CEO Sundar Pichai, US Senator for Florida Marco Rubio, leading a bipartisan group of senators, called the project "deeply troubling" and warned that it risks making “Google complicit in human rights abuses related to China’s rigorous censorship regime”. He also requested answers to several open questions; for instance, what changed since Google’s 2010 withdrawal from China to make the tech giant comfortable cooperating with China’s rigorous censorship regime. The project is also drawing attention from users across the globe.

Google has not yet confirmed the existence of Dragonfly and has publicly declined to comment on reports about the project. The only comment, released to Fox News by a Google spokesperson on Sunday, was that it is just doing 'exploratory' work on a search service in China and that it is 'not close to launching a search product.' In protest at the project, more than 1,000 employees signed an open letter last month asking the company to be transparent. Now, some employees have taken the next step by resigning from the company altogether. This is not the first time Google employees have resigned in protest over one of the company's projects: earlier this year, Project Maven, a drone initiative for the US government that could weaponize the company's AI research, reportedly led at least a dozen employees to quit. The scrutiny of Google’s approach to privacy continues to intensify; it is about time the company took every aspect of a user’s internet privacy into consideration. To know more about Project Dragonfly, head over to The Intercept.