Tech News - Security

An ex-employee filed a lawsuit against Facebook, last week, alleging that Facebook is not providing enough protection to the content moderators whose job involve reviewing disturbing content on the platform. Why is Selena Scola, a content moderator, suing Facebook? “Plaintiff Selena Scola seeks to protect herself and all others similarly situated from the dangers of psychological trauma resulting from Facebook's failure to provide a safe workplace for the thousands of contractors who are entrusted to provide the safest environment possible for Facebook users”, reads the lawsuit. Facebook receives millions of videos, images, and broadcast posts of child sexual abuse, rape, torture, bestiality, beheadings, suicide, and murder. In order to make Facebook a safe platform for users, it relies on machine learning augmented by content moderators. This ensures that any image that violates the corporation’s term of use is removed completely from the platform, as quickly as possible. “Facebook’s content moderators are asked to review more than 10 million potentially rule-breaking posts per week. Facebook aims to do this with an error rate of less than one percent, and seeks to review all user-reported content within 24 hours”, says the lawsuit. Although this safeguard helps with maintaining the safety on the platform, content moderators witness thousands of such extreme content every day. Because of this constant exposure to disturbing graphics, content moderators go through a lot of trauma, with many ending up developing Post-traumatic stress disorder (PTSD), highlights the lawsuit. What does the law say about workplace safety? Facebook claims to have a workplace safety standards draft already in place, like many other tech giants, to protect content moderators. They say it includes providing moderators with mandatory counseling, mental health supports, altering the resolution, and audio, of traumatizing images. It also aimed to train its moderators to recognize the physical and psychological symptoms of PTSD. We have, however, found it difficult to locate the said document. However, as per the lawsuit, “Facebook ignores the workplace safety standards it helped create. Instead, the multibillion-dollar corporation affirmatively requires its content moderators to work under conditions known to cause and exacerbate psychological trauma”. This is against the California law which states, “Every employer shall do every other thing reasonably necessary to protect the life, safety, and health of Employees. This includes establishing, implementing, and maintaining an effective injury prevention program. Employers must provide and use safety devices and safeguards reasonably adequate to render the employment and place of employment safe”. Facebook hires content moderators on a contract basis Tech giants such as Facebook generally have a two-level workforce in place. The top level comprises Facebook’s official employees such as engineers, designers, and managers. These enjoy the majority of benefits such as high salary, and lavish perks among others. Employees such as Content moderators come under the lower level. Majority of these workers are not even permanent employees at Facebook, as they’re employed on a contract basis. Because of this, they often get paid low, miss out on the benefits that regular employees get, as well as have limited access to Facebook management. One of the employees, who wished to remain anonymous told the Guardian last year, “We were underpaid and undervalued”. He earned roughly $15 per hour. This was for removing terrorist related content from Facebook, after a two-week training period. They usually come from a poor financial background, with many having families to support. Taking up a job as opposed to being unemployed seems to be a better option for them. Selena Scola was employed by Pro Unlimited (a contingent labor management company in New York) as a Public Content Contractor from approximately June 19, 2017, until March 1, 2018, at Facebook’s offices in Menlo Park and Mountain View, California. During the entirety of this period, Scola was employed solely by Pro Unlimited, an independent contractor of Facebook. She had never been directly employed by Facebook in any capacity. Scola is also suing Pro Unlimited. “According to the Technology Coalition, if a company contracts with a third-party vendor to perform duties that may bring vendor employees in contact with graphic content, the company should clearly outline procedures to limit unnecessary exposure and should perform an initial audit of a contractor’s wellness procedures for its employees,” says the lawsuit. Scola is not the only one who has complained about the company. Over a hundred conservative Facebook employees formed an online group to protest against the company’s “intolerant” liberal culture, last month. The mass exodus of high profile executives is also indicative of a deeper people and a cultural problem at Facebook. Additionally, Facebook has been in many controversies regarding user’s data, fake news, and hate speech. The Department of Housing and Urban Development (HUD) had filed a complaint against Facebook last month, for selling ads which discriminate against users on the basis of race, religion, and sexuality. Similarly, Facebook was found guilty of discriminatory advertisements. Apparently, Facebook provided the third-party advertisers with an option to exclude religious minorities, immigrants, LGBTQ individuals, and other protected groups from seeing their ads. Given the increasing number of controversial cases against Facebook, it's high time for the company to take the right measures towards solving these issues. The lawsuit is currently Scola v Facebook Inc and Pro Unlimited Inc, filed in Superior Court of the State of California. For more information, read the official lawsuit. How far will Facebook go to fix what it broke: Democracy, Trust, Reality Facebook COO, Sandberg’s Senate testimony: On combating foreign influence, fake news, and upholding election integrity Time for Facebook, Twitter and other social media to take responsibility or face regulation

One of the largest producers of aluminum in the world, Norsk Hydro, was hit by a cyber attack in the company’s IT system on Monday evening affecting major parts of its smelting operations. The attack which escalated overnight and which is still ongoing has caused the company to resort to manual operations at its smelting facilities. The company's website is currently down and it is posting updates to Facebook. Hydro said that IT systems in most business areas are impacted. According to a statement to BBC, Hydro said that the digital systems at its smelting plants were programmed to ensure machinery worked efficiently. However, these systems had to be turned off. The company is unsure what type of cyber attack it is facing or who is responsible. “We are working to contain and neutralize the attack. It is too early to assess the full impact of the situation. It is too early to assess the impact on customers. We have established a dialogue with all relevant authorities”, the firm updated on their Facebook post. "They are much more reliant today on computerised systems than they were some years ago. But they have the option of reverting back to methods that are not as computerised, so we are able to continue production”, a Hydro spokesperson told BBC. According to Reuters, “The company shut several metal extrusion plants, which transform aluminum ingots into components for car makers, builders, and other industries, while its giant smelters in countries including Norway, Qatar and Brazil were being operated manually.” A Norwegian National Security Authority (NSM) spokesperson said, “We are helping Norsk Hydro with the handling of the situation, and sharing this information with other sectors in Norway and with our international partners.” Hydro is arranging a press meeting on Tuesday, 19 Mar 2019 at 14:00:00 GMT where it will inform everyone about the cyber-attack. We will keep you updated as and when updates to this story is announced. In the meantime, you can check out Norsk Hydro’s Facebook wall for updates. 5 nation joint Activity Alert Report finds most threat actors use publicly available tools for cyber attacks How social media enabled and amplified the Christchurch terrorist attack Microsoft claims it halted Russian spearphishing cyberattacks

The work collaboration hub, Slack, yesterday, launched Slack Enterprise Key Management (EKM) for its enterprise customers. The feature is introduced to give customers control over their encryption keys used for encrypting and decrypting the files and messages they share on their Slack workspace. https://twitter.com/SlackHQ/status/1107646162079637506 Following are some of the advantages Slack EKM brings in: An extra layer of protection Slack EKM allows customers to use their own keys, which are stored in Amazon’s Key Management Service (AWS KMS). This will act as an extra layer of protection allowing privacy-conscious organizations such as banks share data, while also combating the risk. Better visibility into how the keys are being used It logs the usage of your keys to encrypt and decrypt messages and files in AWS KMS’s CloudWatch and CloudTrail. The detailed activity logs provide customers much more visibility into how the keys are being accessed. Administrators can control access very granularly What sets Slack EKM apart from general EKM services is that, in the case of any security threat, instead of revoking access to the entire product, it allows administrators to revoke access granularly. They can revoke access at the organization, workspace, channel, time-frame, and file levels. This type of revocation process ensures that the teams can continue to do their day-to-day work while administrators are taking care of the threat. On a phone interview, Slack Head of Enterprise Product, Ilan Frank told VentureBeat, “So today all data in Slack is encrypted at rest and in transit — but in rest, specifically. We, of course, have keys to those, and this now puts that control in the customer’s hands. It’s a feature that our large customers have been asking for for a very long time.” To know more about Slack EKM, check out Slack’s official website. Slack removed 28 accounts: A step against the spread of hate speech Slack confidentially files to go public Airtable, a Slack-like coding platform for non-techies, raises $100 million in funding

In a report released yesterday by Symantec, the popular cybersecurity software and services company, it revealed that the Buckeye group used the Equation group's tools way before they were leaked by Shadow Brokers in 2017. With the help of these tools, Buckeye exploited the Windows zero-day in 2016. According to The New York Times: “Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.” In 2017, a mysterious cyber group known as the Shadow Brokers leaked a bunch of tools belonging to the Equation group, one of the most technically adept espionage groups, tied to the Tailored Access Operations(TAO) unit of the U.S. NSA. This leak had a major impact as many attackers rushed forward to lay their hands on the tools disclosed. One of the tools named as the EternalBlue exploit was used in the WannaCry ransomware outbreak, which took place in May 2017. Symantec’s recent report highlights that Buckeye cyber espionage group (aka APT3, Gothic Panda) actually began using the Equation Group tools in various attacks at least a year prior when Shadow Brokers leaked the tools. The evidence traces back in March 2016, in Hong Kong, where Buckeye group began using a variant of DoublePulsar (Backdoor.Doublepulsar) backdoor, which was later disclosed in the Shadow Brokers’ leak. The DoublePulsar exploit was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar. Bemstour exploited two Window vulnerabilities for achieving remote kernel code execution on targeted computers: One was a Windows zero-day vulnerability (CVE-2019-0703) that was reported by Symantec to Microsoft in September 2018 and was patched on March 12, 2019. The other Windows vulnerability (CVE-2017-0143) was patched on March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy--also released in the Shadow Brokers’ leak. According to Symantec’s report, “How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown.” Per Symantec report, the Buckeye group had been active since at least 2009, when it began mounting a string of espionage attacks, mainly against organizations based in the U.S. The report further states that the Buckeye group disappeared during the mid-2017. Also, three alleged members of the group were indicted in the U.S. in November 2017. However, the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018, but with different malware. In 2011, the N.S.A. used sophisticated malware, Stuxnet, to destroy Iran’s nuclear centrifuges. They later saw that the same code proliferated around the world, doing damage to random targets, including American business giants like Chevron. According to The New York Times, “Details of secret American cybersecurity programs were disclosed to journalists by Edward J. Snowden, a former N.S.A. contractor now living in exile in Moscow. A collection of C.I.A. cyber weapons, allegedly leaked by an insider, was posted on WikiLeaks.” To this, Eric Chien, a security director at Symantec said, “We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies.” “This is the first time we’ve seen a case — that people have long referenced in theory — of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others,” Mr. Chien said. The New York Times post mentions, “The Chinese appear not to have turned the weapons back against the United States, for two possible reasons, Symantec researchers said. They might assume Americans have developed defenses against their own weapons, and they might not want to reveal to the United States that they had stolen American tools.” Two NSA employees told The New York Times that post the Shadow Brokers’ leak of the most highly coveted hacking tools in 2016 and 2017, the NSA turn over its arsenal of software vulnerabilities to Microsoft for patching and also shut down some of the N.S.A.’s most sensitive counterterrorism operations. “The N.S.A.’s tools were picked up by North Korean and Russian hackers and used for attacks that crippled the British health care system, shut down operations at the shipping corporation Maersk and cut short critical supplies of a vaccine manufactured by Merck. In Ukraine, the Russian attacks paralyzed critical Ukrainian services, including the airport, Postal Service, gas stations and A.T.M.s.”, The New York Times reported. Michael Daniel, the president of the Cyber Threat Alliance, previously a cybersecurity coordinator for the Obama administration, said, “None of the decisions that go into the process are risk-free. That’s just not the nature of how these things work. But this clearly reinforces the need to have a thoughtful process that involves lots of different equities and is updated frequently.” Chein said, in the future, American officials will need to factor in the real likelihood that their own tools will boomerang back on American targets or allies. A lot of security reports and experts feel there are certain loopholes to this report and that the report lacked backing by some intelligent sources. https://twitter.com/RidT/status/1125747510625091585 https://twitter.com/ericgeller/status/1125551150567129089 https://twitter.com/jfersec/status/1125746228195622912 https://twitter.com/GossiTheDog/status/1125754423245004800 https://twitter.com/RidT/status/1125746008577724416 To know more about this news in detail, head over to Symantec’s complete report. DockerHub database breach exposes 190K customer data including tokens for GitHub and Bitbucket repositories PostgreSQL security: a quick look at authentication best practices [Tutorial] Facebook accepts exposing millions of user passwords in a plain text to its employees after security researcher publishes findings

Google launched a new form of encryption called ‘Adiantum’, that is designed to secure data stored on lower-end smartphones and devices with insufficient processing power. In lieu of security, most Android phones have storage encryption enabled within them as a default feature. An exemption is made for phones with low processing power or with low-end hardware; where storage encryption is either off by default to improve performance, or not present at all. Adiantum is suitable for devices that lack dedicated ARM extensions for security. While a majority of new Android devices have hardware support for AES through the ARMv8 Cryptography Extensions, devices that use low-end processors such as the ARM Cortex-A7 do not support AES encryption, as it leads to poor and slow user experience. According to Eugene Liderman, director of mobile security strategy for Google’s Android security & privacy team, “Adiantum was built to run on phones and other smart devices that don’t have the specialized hardware to use current methods to encrypt locally stored data efficiently.”  With a hope to democratize encryption for all devices - including any low-power Linux-based device, from smartwatches to connected medical devices, Liderman says that “There will be no excuse for compromising security for the sake of device performance. Everyone should have privacy and security, regardless of their phone’s price tag.” How does Adiantum work? Google's Adiantum has been designed to encrypt local data without slowing down systems or increase the price of devices due to the implementation of additional hardware. Adiantum uses the ChaCha stream cipher in a length-preserving mode. It does so by adapting ideas from AES-based proposals for length-preserving encryption such as HCTR and HCH. On ARM Cortex-A7, Adiantum encryption and decryption on 4096-byte sectors is around 5x faster than AES-256-XTS. Adiantum can change any bit anywhere in the plaintext, and this will unrecognizably change all of the ciphertext, and vice versa. It hashes almost the entire plaintext using a keyed hash based on Poly1305 and a keyed hashing function called NH. It also hashes a value called the "tweak" which is used to ensure that different sectors are encrypted differently. This hash is used to generate a nonce for the ChaCha encryption. After the encryption is complete, the data is hashed again. This is arranged in a configuration known as a Feistel network. You can read the entire whitepaper detailing the encryption standard by Google software engineers Paul Crowley and Eric Biggers. The paper goes into further technical details relating to Adiantum. This is the second announcement made by Google in the spirit of Safer Internet day. Earlier this week, Google released a new Chrome extension called "Password Checkup" which checks if a user's credentials have been connected to past data leaks. You can head over to Google’s official blog to know more about Adiantum. Google expands its Blockchain search tools, adds six new cryptocurrencies in BigQuery Public Datasets Google launches Live Transcribe, a free Android app to make conversations more accessible for the deaf Grafana 6.0 beta is here with new panel editor UX, google stackdriver datasource, and Grafana Loki among others

Yesterday, Google reported a bug discovery in one of the Google+ People APIs, which exposed user’s Google+ profile information such as name, email address, occupation, gender, and age. As per Google’s analysis, the profiles of up to 500,000 Google+ accounts were potentially affected. According to the Wall Street Journal report, “Google opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.” Google discovered this bug as a part of its Project Strobe, which began in early 2018. Strobe was started with an aim to analyze third-party developer access in Google’s various services and Android. The company says it immediately patched this bug in March 2018 post learning of its existence. The bug provided outside developers potential access to private Google+ profile data between 2015 and March 2018, say internal investigators who discovered and fixed it. Using the API, users can grant access to their profile data, and the public profile information of their friends, to Google+ apps. However, with the bug, the apps also had an access to profile fields even when that data was listed as private and not public. Why were users kept in the dark? Any security breach pertaining to user data exposure should quickly be informed. However, as per the Wall Street Journal report, “A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger ‘immediate regulatory interest’ and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.” In response to the allegations raised on Google, Ben Smith, Vice President of Google’s Engineering team, in his recent blog post mentioned, “Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.” He also assured that Google’s Privacy & Data Protection Office reviewed the issue. He further added, “looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.” Ben said that Google found no evidence that any developer was aware of this bug or abusing the API. He also assured that no profile data was misused. Will this delayed bug discovery announcement subject Google to GDPR? The European GDPR (General Data Protection Regulation), which was enforced on 25 May 2018 requires companies to notify regulators of breaches within 72 hours, else the companies would be charged a maximum fine of 2% of world-wide revenue. Al Saikali, a lawyer with Shook, Hardy & Bacon LLP, said, “The information potentially leaked via Google’s API would constitute personal information under GDPR, but because the problem was discovered in March, it wouldn’t have been covered under the European regulation.” He further added, “Google could also face class-action lawsuits over its decision not to disclose the incident. The story here that the plaintiffs will tell is that Google knew something here and hid it. That by itself is enough to make the lawyers salivate.” The Aftermath: Google plans to discontinue Google+ for consumers Ben’s post mentions that over the years, Google+ has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. Talking about its consumer version, Google+ currently has low usage and engagement--90 percent of Google+ user sessions are less than five seconds. One of the priorities of Project Strobe was to closely review all the APIs associated with Google+ during which it also discovered the bug. Ben mentions, “The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations.” Following these challenges and the very low usage of the consumer version of Google+, Google has decided to discontinue Google+ consumer version. This shutdown will take place over the course of the next 10 months, and will conclude in August, next year. However, Google plans to make Google+ available as an enterprise product for companies. Ben states, “We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days.” Other findings of Project Strobe and the actions taken Project Strobe provides a ‘root and branch’ review of third-party developer access to Google account and Android device data and of Google’s philosophy around apps’ data access. The main key finding of this project is the discovery of an exploitable bug built into a core API of Google+ for three years. The other key findings and the actions taken include: The need for having fine-grained control over the data shared with apps For this finding, Google plans to launch more granular Google Account permissions that will show up in individual dialog boxes. Here, instead of seeing all requested permissions in a single screen, apps will have to show the user each requested permission, one at a time, within its own dialog box. Know more about this on Google Developer Blog. Here’s a sample of how this process will look like: Source: Google blog Granting access to user’s Gmail via apps is done with certain use cases in mind For this, Google plans to limit the types of use cases that are permitted. The company is updating their User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access consumer’s Gmail data. Only apps directly enhancing email functionality such as email clients, email backup services and productivity services (e.g., CRM and mail merge services), will be authorized to access this data. Also, these apps will need to agree to new rules for handling Gmail data and will be subject to security assessments. To know more about this action, read the Gmail Developer Blog. Granting SMS, Contacts and Phone permissions to Android apps are done with certain use cases in mind As an action to this finding, Google will limit the apps’ ability to receive call log and SMS permissions on Android devices. Hence, the contact interaction data will no longer be available via the Android Contacts API. Additionally, Google has also provided basic interaction data, for example, a messaging app could show you your most recent contacts. They also plan to remove access to contact interaction data from the Android Contacts API within the next few months. To read more about Project Strobe and the closing down of Google+ in detail, visit Ben Smith Google post. Facebook’s largest security breach in its history leaves 50M user accounts compromised Bloomberg’s Big Hack Exposé says China had microchips on servers for covert surveillance of Big Tech and Big Brother; Big Tech deny supply chain compromise Timehop suffers data breach; 21 million users’ data compromised

On 23rd January, Debian announced the release of Debian 9.7 which is the seventh update of the stable distribution of Debian 9. This comes right after a remote code execution vulnerability was discovered in the APT high-level package manager used by Debian, Ubuntu, and other related Linux distributions that allows an attacker to perform a man-in-the-middle attack. This Debian includes a security update for the APT vulnerability. The Debian GNU/Linux 9.7 (codename "Stretch") release contains a new version of the APT package manager that's no longer vulnerable to man-in-the-middle attacks. The team states that there is no need to download new ISO images to update existing installations, however, the Debian Project will release live and install-only ISO images for all supported architectures of the Debian GNU/Linux 9.7 "Stretch". This will be available for download in a few days. Head over to Debian’s official website for more information on this announcement. Kali Linux 2018 for testing and maintaining Windows security – Wolf Halton and Bo Weaver [Interview] Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers Homebrew 1.9.0 released with periodic brew cleanup, beta support for Linux, Windows and much more!

Early last month, the team at OpenZepplin announced their first release candidate ‘OpenZepplin 2.0 RC1’. Yesterday, the team released a completely stable, audited, and fully tested package of this framework. OpenZeppelin is an open-source framework to build secure smart contracts for Ethereum and other EVM and eWASM blockchains. This framework provides well tested and audited code to secure blockchain-based projects. It caters to a new generation of distributed applications, protocols and organizations to counter the high risks and challenges faced while writing simple and secure code that deals with real money. Features of OpenZeppelin 2.0 #1 A Stable API One of the major updates of this release is that OpenZeppelin 2.0 now comes with a stable API to deliver reliable updates. The previous releases of OpenZeppelin have almost always encountered a change in its API. This has helped the team come up with multiple ideas for the framework. The experimental contracts in the drafts/ subdirectory can, however, experience changes in their minor versions. With the growing size and complexity of smart contract systems, developers can use this framework as a predictable interface to design vulnerability free contracts. The team plans to release more information on the Stable API in the following weeks. #2 Improved test suite The team has been improving the OpenZeppelin’s test suite over time. OpenZeppelin 2.0 now has 100% test coverage.  Every line of code in the package is now automatically tested. #3 Full Independent Audit LevelK team audited the OpenZeppelin 2.0.0 Release Candidate and found some severe issues. They then went on to suggest many improvements which helped fix almost all the issues and notes reported. Users are requested to check out the LevelK Audit - OpenZeppelin 2.0 project for all the details. The audit has helped the team secure the code further and help future developers easily deploy these contracts as they are intended to be used. #4 Miscellaneous Updates In addition to a stable API and an improved test suite, the version update comes with new concepts and designs along with many renames and restructures. These include changes like Ownable contracts moving to a role based access . Derived contracts cannot access state variables directly- as they are now private - use of getters is important. This was done to increase encapsulation. The team has also removed a few contracts that are not secure enough. For instance: LimitBalance, HasNoEther, HasNoTokens, HasNoContracts, NoOwner, Destructible, TokenDestructible, and CanReclaimToken stand removed. You can check all of these upgrades as well as the entire changelog at Github. Alternatively, head over to their blog for more insights on this release. Ethereum Blockchain dataset now available in BigQuery for smart contract analytics Will Ethereum eclipse Bitcoin? The trouble with Smart Contracts

Two fatal air crashes in Boeing’s 737 MAX 8 model in less than six months have aroused a lot of questions on the U.S. Federal Aviation Administration’s (FAA) safety analysis procedure. Per CNBC, the State’s Department of Transportation started their investigation after a new Boeing 737 Max 8 operated by Indonesia’s Lion Air crashed into the Java Sea in October last year killing 189 passengers. A similar air crash was reported this month on March 10 when a second Boeing 737 Max 8 operated by Ethiopian Airlines plane crashed shortly after take-off, killing all 157 people on board. Post these incidents, authorities around the world — including the U.S., Europe, China, and Indonesia have grounded Boeing 737 Max planes. Transport Minister Dagmawit Moges told the Wall Street Journal, “Clear similarities were noted between Ethiopian Air Flight 302 and Indonesian Lion Air Flight 610, which will be the subject of further study during the investigation.” The FAA is responsible for certifying an aircraft as airworthy by putting out bulletins and advisories on problems and fixes. It is often considered as the go-to agency for many aviation flight authorities around the world. Boeing's flight safety control system, MCAS (Maneuvering Characteristics Augmentation System) was  “added to the Max-8 series because new, heavier and larger engines replaced the old engines and as a result, the updated Max planes had a strong tendency to pitch nose up”, the Asia Time reported. “The new engine, CFM Leap-1B, was selected by Boeing because it was much more fuel efficient than the older models, one of the big reasons customers want the 737 Max.” The DOT investigation suspected that the flight safety system played a role in the fatal crash in Indonesia. The WSJ reported in November last year, that Boeing failed to warn the airline industry about a potentially dangerous feature in its new flight-control system. According to the Asia Times, “Almost every expert today puts the blame for both flight disasters on faulty software that took over running the plane’s flight control system. Many have pointed to Boeing’s alleged lack of transparency in telling pilots what to do if the software malfunctioned. In addition, there had been at least eight pilot-reported flight control incidents prior to the first Lion Air crash.” Trevor Sumner, a software engineer and the CEO of PERCH Interactive tweeted saying that the 737 MAX tragedies were not a software problem. Instead, it was an economic problem as the “737 engines used too much fuel, so they decided to install more efficient engines with bigger fans and make the 737MAX.” https://twitter.com/trevorsumner/status/1106934369158078470 In spite of the system complied with all the applicable FAA regulations, “the black box data retrieved after the Lion Air crash indicates that a single faulty sensor — a vane on the outside of the fuselage that measures the plane’s “angle of attack,” the angle between the airflow and the wing — triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash”, the Seattle Times reported. According to the Seattle Times, “Since MCAS was supposed to activate only in extreme circumstances far outside the normal flight envelope, Boeing decided that 737 pilots needed no extra training on the system — and indeed that they didn’t even need to know about it. It was not mentioned in their flight manuals. That stance allowed the new jet to earn a common “type rating” with existing 737 models, allowing airlines to minimize training of pilots moving to the MAX.” According to a detailed FAA briefing to legislators, Boeing plans to change the MCAS software to give the system input from both angle-of-attack sensors. Boeing also plans to update pilot training requirements and flight crew manuals to include MCAS. After two fatal crashes in less than six months involving the same plane model, authorities around the world — including the U.S., Europe, China, and Indonesia — grounded Boeing 737 Max planes. To know more about this news in detail, read more at The Seattle Times. The tug of war between Google and Oracle over API copyright issue has the future of software development in the crossfires F5 Networks is acquiring NGINX, a popular web server software for $670 million 18 people in tech every programmer and software engineer needs to follow in 2019

Intel has introduced microcode updates for mitigating the recently disclosed speculative execution vulnerabilities known as ‘Foreshadow’ a.k.a the L1 Terminal Fault (L1TF). These microcode patches were supposed to handle various side-channel and timing attacks. A new license term applied to the new microcode is as follows: You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results. However, this was not very well received by the public. Let’s find out why. Issues in the Security Patches The security fixes introduced apparently slow down Intel processors. Intel could very well be facing a backlash from the public on this. Imagine companies that run huge server farms or provide cloud services having to face a significant 5-10% speed reduction in their server. Security and reputation, both would be at stake. Another dilemma is whether the customer should install the fix or not. Many computer users don't allow outside or unprivileged users to run on their CPUs the way a cloud or hosting company does. For them, the slowdown incurred by installing the fix is unnecessary. Through its license, Intel has now attempted to gag anyone who would collect information for reporting about speed loss incurred penalties. Bad move. When in reality, it should have focussed on ways to handle security problems by owning up to the damage and publish mitigations. This clause of the license just hides how they are damaged. By Silencing free speech of those who would merely publish benchmarks is bad ethics . Intel’s decision to include this clause in the license also gained attention by many big names in the tech industry. The Register reported on Tuesday that Linux distro Debian decided to withhold packages containing the microcode security fix over concerns about its license. After this, open-source pioneer Bruce Perens called out Intel for trying to "gag"  netizens. Here is what Lucas Holt, MidnightBSD project lead, had to say in a tweet.   Source: Twitter.com Terms of the License stand re-written To save further confusion and chaos of the masses, Intel has backtracked on the license for its latest microcode update after the previous wording outlawed public benchmarking of the chips. The reworked license no longer prohibits benchmarking. In an announcement via Twitter, Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, on Thursday said: "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community." While Intel could have faced major trust issues not only from their dedicated users, it managed to re-trace its steps just in time. It’s about time Intel starts taking responsibility of its own machines. Hopefully, the company thinks twice before introducing any other changes that could lead to a backlash. You can read all about the origins of the discussion on Bruce Perens blog. Intel acquires Vertex.ai to join it under their artificial intelligence unit Defending Democracy Program: How Microsoft is taking steps to curb cybersecurity threats to democracy Microsoft claims it halted Russian spearphishing cyberattacks

After the first preview of its Blockchain Cloud Service at OpenWorld last October, Oracle has confirmed the general release and availability of its Blockchain platform in an official press release this Monday. Before this release, Oracle’s pre-release version of  Blockchain Cloud Service was being used by different businesses across the globe such as Arab Jordan Investment Bank, Certified Origins, Solar Site Design, CargoSmart, etc. These organizations say have seen a major difference in their business after adopting Oracle’s Blockchain as a service (BaaS). For instance,  Andrea Biagianti, CIO of Certified Origins (Italy based olive oil producer) mentions that the company wanted to trace the products (Bellucci EVOO) that they sell in the market of United States across the entire supply chain. Oracle’s Blockchain service helped the company by making the implementation and collaboration of all the included parties quite simple. It also provided them with a competitive edge over the others in the market. “It adds a further level of transparency and information that is valuable for consumers looking for quality products and helps us to support the excellence of the small farms”, says Biagianti. This Blockchain service will be of great help to organizations in three major ways. Firstly, it provides them with a development platform to build their own Blockchain networks. Secondly, it allows integration with Oracle SaaS, existing third-party applications, Oracle PaaS and other Blockchain networks to drive more reliable transactions. Lastly, clients or customers can program and test smart contracts to automate processes over the Blockchain distributed electronic ledger. The new service is based on top of the Linux Foundation’s Hyperledger Fabric, which is a collaboration tool that comes with in-built infrastructure dependencies, REST proxy, and a number of monitoring and operation tools. It helps in building Blockchain based automated ledger such as smart contract technology. A smart contract is an automation tool based on the Blockchain technology. It gets rid of the middleman in a business by enabling automatic exchange of money, property, etc, in a transparent and hassle-free manner. According to Amit Zavery, executive vice president of Oracle Cloud Platform, “Blockchain promises to be one of the most transformative technologies of our generation”. This is quite true as Blockchain is helping transform businesses by making interactions more secure, efficient and cost-effective. It has also made the future Blockchain implementations easier. This means that as the Hyperledger specification evolves and makes new updates, there is no need for the developers to rewrite the company-specific Blockchain applications. Apart from that, new SaaS applications are being offered by Oracle for the Blockchain technology. These can be used in cases like track and trace, warranty and usage, cold chain, etc. Organizations wanting to avail Oracle’s Blockchain services can either pay per usage (without a contract) or via a monthly, yearly or a multi-year deal. There is also a 30-day free trial of the cloud service that the Customers can sign up for. Oracle Apex 18.1 is here! Oracle announces Oracle Soar, a tools package to ease application migration on cloud

11th December was Microsoft's December 2018 Patch Tuesday, which means users had to update their computers to be protected from the latest threats to Windows and Microsoft products. Microsoft has fixed 39 vulnerabilities, with 10 of them being labeled as Critical. Keeping up with its December 2018 Patch Tuesday, Microsoft announced on its blog that a vulnerability exists in Windows Domain Name System (DNS). There was not much information provided to the customers about how and when this vulnerability was discovered. The following details were released by Microsoft: The Exploit Microsoft Windows is prone to a heap-based buffer-overflow vulnerability. A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploits this issue may execute arbitrary code within the context of the affected application. Microsoft states that failed exploit attempts will result in a denial-of-service condition. Windows servers that are configured as DNS servers are at risk from this vulnerability. Affected Systems Find a list of the affected systems on Microsoft’s Blog. The company has also provided users with security updates for the affected systems. Workarounds and Mitigations As of today, Microsoft has not identified any workarounds or mitigations for the affected systems. Jake Williams, the founder of Rendition Security and Rally security, posted an update on Twitter about the issue, questioning why there is no sufficient discussion among the infosec community about the matter. https://twitter.com/MalwareJake/status/1072916512724410369 Many users responded saying that they too have been looking for explanations about the vulnerability but have not found any satisfying results. https://twitter.com/spectrophagus/status/1072921055357009922 Security intelligence blog reported on 11th December that the just-released Patch Tuesday for December fixes the Windows DNS Server Heap Overflow remote code execution (RCE) vulnerability. However, there has not been any information released by Microsoft on the analysis or details of the patch. Users are also speculating that without pra oper understanding of the security patch, this vulnerability has the potential to be badly exploited. https://twitter.com/Greg_Scheidel/status/1073060170333339650 You can head over to Microsoft’s official blog to know more about this vulnerability. Also, visit BleepingComputer for information on all security updates in December Patch Tuesday 2018. Microsoft Connect(); 2018 Azure updates: Azure Pipelines extension for Visual Studio Code, GitHub releases and much more! Microsoft calls on governments to regulate Facial recognition tech now, before it is too late ‘Peekaboo’ Zero-Day Vulnerability allows hackers to access CCTV cameras, says Tenable Research  

Microsoft posted an update regarding the new features in Microsoft Office 365, a web-based subscription comprising premium productivity apps as part of Microsoft's Office product line, last week. “We released several new capabilities to help you stay ahead of threats, create a more productive workplace, and keep you in the flow of work”, states the Microsoft team. What’s new in Microsoft 365? Microsoft Threat Experts Microsoft has come out with a new feature called Microsoft threat experts to boost the capabilities of the security teams. Microsoft Threat experts is a ‘threat-hunting service’ that helps you track down and prioritize threats using Windows Defender Advanced Threat Protection (ATP). Microsoft threat experts service connects you with the world-class experts using the new ‘Ask a threat expert’ button, who in turn helps you work through the tough investigation challenges. Priority notifications and integration of electronic health records You can now make use of Priority notifications in Microsoft Teams to enable clinicians to focus on urgent messages to manage patient care and empower your healthcare organization. There’s also an added ability to integrate FHIR-enabled electronic health records (EHR) data within Teams. This will enable the clinicians to securely access patient records, chat with other team members, and start a video meeting. Desktop App Assure and Microsoft FastTrack Microsoft has come out with a new service called Desktop App Assure, as a part of Microsoft FastTrack that offers app compatibility services for Windows 10 and Office 365 ProPlus. FastTrack now also provides guidance on configuring Exchange Online Protection, Office 365 Advanced Threat Protection, Office 365 Message Encryption, and Data Loss Prevention policies. Security Notifications via Microsoft Authenticator You can now receive security alerts for important events on your personal Microsoft account through the Microsoft Authenticator app. Once you receive the push notification, you can quickly view your account activity and take necessary actions to protect your account. You can also add two-step verification to your account using Microsoft Authenticator for added security. New Office app for Windows 10 Users with work, school, or personal Microsoft Account can use the new Office app for Windows 10 to access the available apps, relevant files, and documents. Organizations can also integrate third-party apps, and enable users to search for documents and people across the organization. The new Office app requires a current version of Windows 10. Add data to Excel using a photo You can use the Excel app to click a picture of a printed data table on your Android device and convert the picture into a fully editable table in Excel. Using this new image recognition functionality cuts down on the need to manually enter hardcopy data. This feature has started to roll out for the Excel Android app and will support iOS soon. New file-attached tasks in Microsoft To-Do Users can now quickly attach files and photos to help make tasks more actionable. Microsoft team says that this was a highly requested feature and has been made available on all platforms and syncs across all your devices. For more information, check out the official Microsoft blog. Microsoft Office 365 now available on the Mac App Store Microsoft announces Internet Explorer 10 will reach end-of-life by January 2020 Microsoft joins the OpenChain Project to help define standards for open source software compliance

Yesterday, Google announced that a patch for Chrome released last week was actually a fix for an active zero-day discovered by its security team. The bug tagged as CVE-2019-5786, was originally discovered by Clement Lecigne of Google's Threat Analysis Group on Wednesday, February 27th and is currently under active attack. The threat advisory states that this vulnerability involves a memory mismanagement bug in a part called ‘FileReader’ of the Chrome browser. The FileReader is a programming tool that allows web developers to pop up menus and dialogs asking a user to choose from a list of local files to upload or an attachment to be added to their webmail. The attackers can use this vulnerability to execute a Remote Code Execution or RCE. ZDNet states that the bug is a type of memory error that happens when an app tries to access memory after it has been freed/deleted from Chrome's allocated memory. If this type of memory access operation is mishandled, it can lead to the execution of malicious code. Chaouki Bekrar, CEO of exploit vendor Zerodium, tweeted that the vulnerability allegedly allows malicious code to escape Chrome's security sandbox and run commands on the underlying OS. https://twitter.com/cBekrar/status/1103138159133569024 Not divulging in any further information on the bug, Google says: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” Further, Forbes reports that Satnam Narang, a senior research engineer at Tenable has said that it is a "Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user's computer." Catalin Cimpanu, a security reporter at ZDNet, suggests that there are malicious PDF files in the wild that are being used to exploit this vulnerability. "The PDF documents would contact a remote domain with information on the users' device --such as IP address, OS version, Chrome version, and the path of the PDF file on the user's computer", he added. The fix for this zero-day Users are being advised to update Chrome across all platforms. https://twitter.com/justinschuh/status/1103087046661267456 Check out the new version of Chrome for Android and the patch for Chrome OS . Mac, Windows, and Linux users are advised to manually initiate the download if it is yet to be pushed to a device. Head over to chrome://settings/help to check the current version of Chrome on your system. The URL will also do an update check at the same time, just in case any recent auto-updates have failed. Google Chrome developers “clarify” the speculations around Manifest V3 after a study nullifies their performance hit argument Google’s new Chrome extension ‘Password CheckUp’ checks if your username or password has been exposed to a third party breach Hacker duo hijacks thousands of Chromecasts and Google smart TVs to play PewDiePie ad, reveals bug in Google’s Chromecast devices!

Just when Google is facing large walkouts and protests against its policies, another consumer group has lodged a complaint against Google’s user tracking. According to a report published by the European Consumer Organisation (BEUC), Google is using various methods to encourage users to enable the settings ‘location history’ and ‘web and app activity’ which are integrated into all Google user accounts. They allege that Google is using these features to facilitate targeted advertising. BEUC and its members including those from the Czech Republic, Greece, Norway, Slovenia, and Sweden argue that what Google is doing is in breach of the GDPR. Per the report, BEUC says “We argue that consumers are deceived into being tracked when they use Google services. This happens through a variety of techniques, including withholding or hiding information, deceptive design practices, and bundling of services. We argue that these practices are unethical, and that they in our opinion are in breach of European data protection legislation because they fail to fulfill the conditions for lawful data processing.” Android users are generally unaware of the fact that their Location History or Web & App Activity is enabled. Google uses a variety of dark patterns, to collect the exact location of the user, including the latitude (e.g. floor of the building) and mode of transportation, both outside and inside, to serve targeted advertising. Moreover, there is no real option to turn off Location History, only to pause it. Even if the user has kept Location History disabled, their location will still be shared with Google through Web & App Activity. “If you pause Location history, we make clear that — depending on your individual phone and app settings — we might still collect and use location data to improve your Google experience.” said a Google spokesman to Reuters. “These practices are not compliant with the General Data Protection Regulation (GDPR), as Google lacks a valid legal ground for processing the data in question. In particular, the report shows that users’ consent provided under these circumstances is not freely given,” BEUC, speaking on behalf of the countries’ consumer groups, said. Google claims to have a legitimate interest in serving ads based on personal data, but the fact that location data is collected, and how it is used, is not clearly expressed to the user. BEUC calls out Google saying that the company’s legitimate interest in serving advertising as part of its business model overrides the data subject’s fundamental right to privacy. BEUC argues that in light of how Web & App Activity is presented to users, the interests of the data subject should take precedence. Reuters asked for comment on the consumer groups’ complaints to a Google spokesman. According to them, “Location History is turned off by default, and you can edit, delete, or pause it at any time. If it’s on, it helps to improve services like predicted traffic on your commute. We’re constantly working to improve our controls, and we’ll be reading this report closely to see if there are things we can take on board,”. People are largely supportive of BEUC on the allegations they made on Google. https://www.youtube.com/watch?v=qIq17DeAc1M However, some people feel that it is just another attack on Google. If people voluntarily and most of them knowingly use these services and consent to giving personal information, it should not be a concern for any third party. “I can't help but think that there's some competitors' money behind these attacks on Google. They provide location services which you can turn off or delete yourself, which is anonymous to anyone else, and there's no evidence they sell your data (they just anonymously connect you to businesses you search for). Versus carriers which track you without an option to opt-in or out and actually do sell your data to 3rd parties.” “If the vast majority of customers don't know arithmetic, then yes, that's exactly what happened. Laws are a UX problem, not a theory problem. If most of your users end up getting deceived, you can't say "BUT IT WAS ALL RIGHT THERE IN THE SMALL PRINT, IT'S NOT MY FAULT THEY DIDN'T READ IT!". Like, this is literally how everything else works.” Read the full conversation on Hacker news. You may also go through the full “Every step you take” report published by BEUC for more information. Google employees join hands with Amnesty International urging Google to drop Project Dragonfly. Is Anti-trust regulation coming to Facebook following fake news inquiry made by a global panel in the House of Commons, UK? Google hints shutting down Google News over EU’s implementation of Article 11 or the “link tax”