Tech News - Security
Hackers claim to have compromised ProtonMail, but ProtonMail calls it ‘a hoax and failed extortion attempt’
Amrata Joshi
19 Nov 2018
3 min read
Last week, hackers attempted to extort ProtonMail by alleging a data breach for which they offered no evidence. One of the alleged hackers, going by the name AmFearLiathMor, wrote: “We hacked Protonmail and have a significant amount of their data from the past few months. We are offering it back to Protonmail for a small fee if they decline then we will publish or sell user data to the world.”

ProtonMail is one of the largest encrypted email services; it was founded by scientists who met at CERN. The ProtonMail team responded, “We have no indications of any breach from our internal infrastructure monitoring.” On further investigation, the team traced the source of the rumours to 4chan, an image-based bulletin board where anyone can post comments and share images anonymously. The claims made there included that CNN employees use ProtonMail and refer to the American people as prostitutes; that Michael Avenatti uses ProtonMail and has a BDSM fetish; that private military contractors used ProtonMail to discuss circumventing the Geneva convention, underwater drone activities in the Pacific Ocean, and possible international treaty violations in Antarctica; and that pedophilia is rampant among high-ranking government officials who use ProtonMail.

ProtonMail's team said, “We believe that this is a hoax and failed extortion attempt, and there is zero evidence to suggest otherwise.” For example, the extortionists claimed that ProtonMail is vulnerable because it does not use Subresource Integrity (SRI). SRI lets a browser verify that a script or stylesheet fetched from a third-party host matches a hash the page author published, which protects against a compromised or malicious CDN serving a modified file. ProtonMail does not serve its web app from any third-party CDN, only from its own web servers, so that attack vector does not apply and the claim is baseless. The team added, “We are aware of a small number of ProtonMail accounts which have been compromised as a result of those individual users falling for phishing attacks (this is why we encourage using 2FA). However, we currently have zero evidence of a breach of our infrastructure.”

According to BleepingComputer, the extortionists also offered $20 in bitcoin to anyone who would spread word of the alleged hack on Twitter using the #Protonmail hashtag. Reactions have been mixed; many users are simply worried, do not want to take any risks, and recommend changing passwords.

https://twitter.com/ProtonMail/status/1063392853014048768
https://twitter.com/crytorekt1/status/1063452592792051713

The team said, “The best way to ensure that they (criminals) do not succeed is to ignore them.” Because so many users rely on the platform for its security, this alleged hack, probably false though it is, has still unsettled them. The company's latest announcement, a read receipts feature, may be a small distraction, but is it enough to shift attention away from the hacking news?

https://twitter.com/ProtonMail/status/1063485043660734464

Read more about this news on Reddit.

A new data breach on Facebook due to malicious browser extensions allowed almost 81,000 users’ private data up for sale, reports BBC News
Cathay Pacific, a major Hong Kong based airline, suffers data breach affecting 9.4 million passengers
Timehop suffers data breach; 21 million users’ data compromised
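The SRI claim in the ProtonMail story above is worth making concrete, because SRI is often waved at as a checkbox without understanding what it does and does not cover. The following Python is an added example, not code from ProtonMail or from the page: it generates the `integrity` value for a script the way a build step would, and mirrors the browser-side check, including the W3C rule that an `integrity` value naming only unrecognised algorithms leaves the resource unchecked (a silent no-op that is easy to ship by accident). The sample script bytes and the `https://cdn.example/app.js` URL are constructed for the example.

```python
import base64
import hashlib
import hmac

# Algorithms the SRI spec allows, weakest to strongest.
SUPPORTED = ("sha256", "sha384", "sha512")


def sri_integrity(resource: bytes, algorithm: str = "sha384") -> str:
    """Build the value for a <script integrity="..."> attribute: '<alg>-<base64 digest>'.

    This is what a build pipeline emits when it embeds a third-party script by hash."""
    if algorithm not in SUPPORTED:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, resource).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(resource: bytes, integrity: str) -> bool:
    """Mirror of the browser-side check.

    Per the spec only hashes using the strongest listed algorithm are considered, the
    fetched bytes must match at least one of them, and tokens with an unknown algorithm
    are ignored.  Consequence: if *no* token is recognised the browser skips the check
    entirely, which is why a typo such as 'sha-384' silently disables SRI."""
    candidates = []
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        if alg in SUPPORTED:
            candidates.append((alg, b64.split("?")[0]))  # drop any '?options' suffix
    if not candidates:
        return True  # no usable metadata: resource is loaded unchecked
    strongest = max(candidates, key=lambda c: SUPPORTED.index(c[0]))[0]
    for alg, b64 in candidates:
        if alg != strongest:
            continue
        actual = base64.b64encode(hashlib.new(alg, resource).digest()).decode("ascii")
        if hmac.compare_digest(actual, b64):
            return True
    return False


def script_tag(src: str, resource: bytes) -> str:
    """Emit the tag a page would carry; crossorigin is required for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{sri_integrity(resource)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Constructed sample: the bytes a CDN is supposed to serve.
    app_js = b"window.App = {version: '1.0'};\n"
    print(script_tag("https://cdn.example/app.js", app_js))
    print("unmodified passes:", sri_verify(app_js, sri_integrity(app_js)))
    print("tampered passes:  ", sri_verify(app_js + b"//evil", sri_integrity(app_js)))
```

The check only helps when the script is fetched from a host the page author does not control; a first-party server that is itself compromised can simply serve a page with a matching hash for the malicious file, which is the reason ProtonMail's "no third-party CDN" answer disposes of the claim.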

U.S Government Accountability Office (GAO) reports U.S weapons can be easily hacked
Savia Lobo
10 Oct 2018
3 min read
The U.S. Government Accountability Office (GAO) published a report on Tuesday highlighting that U.S. Department of Defense (DOD) weapon systems can be hacked with relative ease. The report states that military weapon systems developed between 2012 and 2017 are vulnerable to cyber attacks. The GAO also said the Pentagon was unaware of how easily an adversary could gain access to the computers and software at the heart of these weapon systems and operate inside them undetected.

What were GAO’s findings?

GAO investigators reviewed the Pentagon’s own cybersecurity test results over a five-year period. In those tests, teams were tasked with finding vulnerabilities by hacking into the weapon systems. GAO reported that “testers were able to take control of systems and largely operate undetected, due in part, to basic issues such as poor password management and unencrypted communications.” In one case the testers could shut down a system simply by scanning it, scanning being the typical first step of a digital attack. Testers could also manipulate what the soldiers operating a weapon saw on their screens: as the report describes, “weapons testers caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.”

One reason DOD systems are susceptible is their connectivity: DOD systems are more connected than ever before, which can introduce vulnerabilities and make systems more difficult to defend. The report explains, "These connections help facilitate information exchanges that benefit weapon systems and their operators in many ways—such as command and control of the weapons, communications, and battlespace awareness. If attackers can access one of those systems, they may be able to reach any of the others through the connecting networks."

Pentagon spokesperson Maj. Audricia Harris told CNN, “We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our defense Industrial Base and defense Critical Infrastructure partners to secure critical information." That Pentagon weapon systems are vulnerable to cyber attack raises many questions about the enormous sums the US has invested in these programs. Following the report, the Department of Defense released its cyber strategy, which states that the Pentagon seeks to build cyber security awareness into the department’s institutional culture.

The report notes that the DOD documented many of these "mission-critical cyber vulnerabilities," yet Pentagon officials who met with GAO claimed their systems were secure and "discounted some test results as unrealistic." GAO stressed that all tests were performed on computerized weapon systems still under development; hackers cannot yet take control of fielded weapon systems and turn them against the U.S., but once these new systems go live the threat will be very real. For the full details, head over to GAO’s report.

Upgrade to Git 2.19.1 to avoid a Git submodule vulnerability that causes arbitrary code execution
Implementing Web application vulnerability scanners with Kali Linux [Tutorial]
Bitcoin Core escapes a collapse from a Denial-of-Service vulnerability

ChaCha20-Poly1305 vulnerability issue affects OpenSSL 1.1.1 and 1.1.0
Savia Lobo
09 Mar 2019
2 min read
On Wednesday, March 6, the OpenSSL team disclosed a low-severity vulnerability in its ChaCha20-Poly1305 implementation: the AEAD cipher incorrectly accepted a nonce of up to 16 bytes. ChaCha20-Poly1305 requires a unique nonce for every encryption operation under a given key, and RFC 7539 specifies that the nonce (IV) is 96 bits (12 bytes). OpenSSL allows a variable nonce length and front-pads the nonce with zero bytes if it is shorter than 12 bytes. However, it also incorrectly allowed a nonce of up to 16 bytes to be set; in that case only the last 12 bytes are significant and any additional leading bytes are silently ignored. OpenSSL 1.1.1 and 1.1.0 are affected; OpenSSL 1.0.2 is not.

The OpenSSL advisory stresses why nonce uniqueness matters: “Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce.” In addition, the ignored bytes of a long nonce are not covered by the cipher’s integrity guarantee, so any application that relies on the integrity of those leading bytes may be further affected. OpenSSL’s own internal uses of the cipher, including in SSL/TLS, are safe because none of them set such a long nonce; only user applications that call the cipher directly and set a non-default nonce length longer than 12 bytes may be vulnerable. For more detail, head over to the OpenSSL blog post.
Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability
New research from Eclypsium discloses a vulnerability in Bare Metal Cloud Servers that allows attackers to steal data
Google releases a fix for the zero-day vulnerability in its Chrome browser while it was under active attack

Open Invention Network expands its patent non-aggression coverage in Linux system
Natasha Mathur
15 Nov 2018
3 min read
Open Invention Network (OIN), a patent non-aggression community, announced last week that it has expanded its patent non-aggression coverage by updating the definition of its Linux System. Patents give organizations and individuals rights to an invention, including the right to exclude others from making, using, offering for sale, or selling it. The Linux System expansion enables “OIN to keep pace with open source innovation, promoting patent non-aggression in the core. As open source grows, we will continue to protect Linux and adjacent technologies through strategic software package additions to the Linux System,” said Keith Bergelt, CEO of Open Invention Network.

The expansion adds 151 new packages, bringing the total number of protected packages to 2,873. “While the majority of the new additions are widely used and found in most devices, the update includes a number of key open source innovations such as Kubernetes, Apache Cassandra and packages for Automotive Grade Linux,” said Mirko Boehm, OIN’s director for the Linux System definition.

Open Invention Network was created to develop a non-aggression pact between companies, particularly within the scope of the Linux System definition. OIN cross-licenses patents for the Linux System on a royalty-free basis; the zone this cross-licensing covers is called OIN’s Linux System and comprises a list of fundamental Linux software packages. Patents owned by OIN are likewise licensed royalty-free to any organization that agrees not to assert its own patents against the Linux System. OIN focuses on core Linux and other open source technologies because the current patent system is widely abused there, which significantly hampers innovation; its non-aggression pacts and defensive patent tools help protect signatories against aggressive use of patents.

A report by Dr. E. Altsitsiadis for OpenForum Academy (OFA) highlights these problems with the current patent system: companies whose business model consists of buying up patents in order to sue anyone who infringes them have grown exponentially, and technology giants are locked in massive legal battles. Public resources are tied up in expensive lawsuits, and the costs pose a significant barrier to smaller innovators who cannot always cover them. Just last month, Microsoft joined the Open Invention Network, making 60,000 of its patents available to fellow members in a move to embrace open source software and culture. “With this update to the Linux System definition, OIN continues with its well-established process of carefully maintaining a balance between stability and innovative core open source technology,” stated Boehm. For more information, check out the official OIN press release.

Four IBM facial recognition patents in 2018, we found intriguing
Four interesting Amazon patents in 2018 that use machine learning, AR, and robotics
Four 2018 Facebook patents to battle fake news and improve news feed

GDPR complaint claims Google and IAB leaked ‘highly intimate data’ of web users for behavioral advertising
Melisha Dsouza
29 Jan 2019
4 min read
Last September, a complaint was filed against Google and other ad-auction companies over a data breach that “affects virtually every user on the web”. The complaint, brought by privacy activists and a browser maker, alleged that these companies broadcast people’s personal data to dozens of other companies, without adequate security, through the mechanism behind “behavioural” ads. It stated that every time a person visits a website and is shown a behavioural ad, intimate personal data describing the visitor and what they are looking at online is captured and broadcast to tens or hundreds of companies in order to solicit bids from potential advertisers for that specific individual’s attention. The complaints were lodged by Jim Killock of the U.K.’s Open Rights Group, tech policy researcher Michael Veale of University College London, and Johnny Ryan of the pro-privacy browser firm Brave. They claimed that Google and other ad-tech firms were breaking the EU’s General Data Protection Regulation (GDPR) by unlawfully recording people’s sensitive characteristics.

Now the same organizations have released new evidence showing that the broadcast data includes information about people’s ethnicity, disabilities, sexual orientation and more. This sensitive information allows advertisers to specifically target incest or abuse victims, or people with eating disorders. Ironically, yesterday was International Data Protection Day.

What is behavioral advertising?

Yahoo Finance explains the concept simply. The online ad industry tracks a person's movements around the internet and builds a profile from what they look at and which sites they visit. When the user visits a webpage that runs behavioural ads, an automated auction takes place between ad agencies, with the winner being allowed to show the user an ad that supposedly matches their profile. For this real-time bidding system to work, the user’s personal details have to be broadcast to the advertisers in so-called “bid requests”.

Evidence against Google and IAB

Joining the complainants is Poland’s Panoptykon Foundation, another rights group, which has complained to its local data protection authority about organizations including Google and the Interactive Advertising Bureau (IAB), the industry body that sets the rules for ad auctions. The evidence submitted comprises category lists from Google and IAB that include topics such as being an incest victim, having cancer, having a substance-abuse problem, holding certain political views, or adhering to a certain religion or sect; other categories include special-needs kids, endocrine and metabolic diseases, birth control, infertility, diabetes, Islam, Judaism, disabled sports and bankruptcy. These lists serve as supplementary evidence for the two original complaints filed with the UK’s ICO and the Irish DPC last year. A Google spokesperson told TechCrunch that the company has “strict policies that prohibit advertisers on our platforms from targeting individuals on the basis of sensitive categories” and that if it found ads violating those policies it would take immediate action. The original IAB lists can be downloaded as a spreadsheet. PDF versions of the IAB lists, with special-category and sensitive data highlighted by the complainants, can be viewed here (v1) and here (v2). Google’s original document is also available for download.
French data regulator, CNIL imposes a fine of 50M euros against Google for failing to comply with GDPR
European Consumer groups accuse Google of tracking its users’ location, calls it a breach of GDPR
Twitter on the GDPR radar for refusing to provide a user his data due to ‘disproportionate effort’ involved

Senator Ron Wyden’s data privacy law draft can punish tech companies that misuse user data
Savia Lobo
02 Nov 2018
3 min read
On Thursday, Sen. Ron Wyden, a Democrat from Oregon, introduced a draft data privacy bill with harsh penalties for companies that violate data privacy. The bill would apply to companies that bring in more than $50 million in revenue and hold personal information on more than 1 million people.

The bill follows a string of incidents. A year ago Equifax disclosed that hackers had stolen the personal information of 147.7 million Americans from its servers. Facebook and Cambridge Analytica were sued over the firm's harvesting of private data on more than 50 million people through the social network. Uber was sued after the San Francisco-based ride-sharing company took more than 12 months to inform users that it had suffered a major hack. And in August, Google was reported to be still recording users’ locations even after they had turned location tracking off, exposing it to potential GDPR penalties. According to CNET, “lawmakers still felt that the companies involved weren't being held accountable for mishandling data on millions of people.”

Wyden has long been at the forefront of cybersecurity and privacy issues in the Senate. He said, “Today's economy is a giant vacuum for your personal information. Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation's database. But individual Americans know far too little about how their data is collected, how it's used and how it's shared."

Ron Wyden's draft bill

Wyden’s draft bill would boost the Federal Trade Commission’s ability to act on privacy violations. Today the FTC can generally only fine a company for privacy violations when it has already bound the company to a consent decree and the company breaks it; Facebook, for example, signed such a decree in 2011 requiring that users be notified and give explicit permission before data about them is shared beyond the privacy settings they have established. The bill also requires companies to submit an annual data protection report, much as companies like Google and Apple voluntarily release transparency reports on government demands. CNET reports, “The report needs to be signed by CEOs, who could face up to 20 years in prison if they lie to the FTC.” The draft bill would create a national "Do Not Track" website where Americans could opt out of data sharing across the internet from one central page. The FTC would also be able to issue fines of up to 4 percent of a company's annual global revenue, the same ceiling the European Union's GDPR uses. Wyden's draft is one of the first comprehensive federal data privacy bills to be proposed in the US. Read Senator Ron Wyden’s draft bill for the full details.

Is AT&T trying to twist data privacy legislation to its own favor?
Google, Amazon, AT&T met the U.S Senate Committee to discuss consumer data privacy
Apple now allows U.S. users to download their personal data via its online privacy data portal
Internal memo reveals NASA suffered a data breach compromising employees’ social security numbers
Melisha Dsouza
26 Dec 2018
3 min read
On 18 December, Bob Gibbs, NASA’s assistant administrator for the Office of Human Capital Management, sent an internal HR memo to all NASA employees alerting them that servers holding their personal data may have been compromised in late October. The memo, shared by SpaceRef, states that the servers stored personally identifiable information about NASA employees, including their social security numbers. Notably, NASA learned of the incident in October 2018 but said nothing until the memo went out. Gibbs says in the memo that the agency took immediate steps to contain the breach and that the investigation is still ongoing.

The scope of the breach is unclear. The memo states that NASA is ‘examining the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals’, and that it was sent to all NASA employees regardless of whether their information may have been compromised. NASA civil service employees who were on-boarded, separated from the agency, and/or transferred between centers between July 2006 and October 2018 may be affected.

NASA’s Office of Inspector General (OIG) has repeatedly criticized the agency’s cybersecurity practices, reporting shortfalls in NASA’s overall information technology (IT) management. In its latest semi-annual report, dated Oct. 31, the office stated: “Through its audits, the OIG has identified systemic and recurring weaknesses in NASA’s IT security program that adversely affect the Agency’s ability to protect the information and information systems vital to its mission.” In May, the OIG published an audit of NASA’s Security Operations Center (SOC) that found several problems, from high management turnover to a lack of formal authority to manage information security issues for some parts of the agency. An October 2017 report stated that “Lingering confusion about security roles coupled with poor IT inventory practices continues to negatively impact NASA’s security posture.”

According to The Hacker News, this is not the first time the agency's servers have been breached: in 2016 NASA suffered a major security breach in which 276GB of sensitive data, including flight logs and credentials of thousands of its employees, was released. All of this points to poor security practices at NASA. It will be interesting to see how NASA deals with this breach and what measures it takes to secure its systems against future attacks. Head over to SpaceNews.com for more on this story.

Justice Department’s indictment report claims Chinese hackers breached business and government network
Former Senior VP’s take on the Mariott data breach; NYT reports suspects Chinese hacking ties
Equifax data breach could have been “entirely preventable”, says House oversight and government reform committee staff report

U.S. senators introduce a bipartisan bill that bans social media platforms from using 'dark patterns' to trick its users
Natasha Mathur
10 Apr 2019
4 min read
Two U.S. senators, Mark R. Warner (D-VA) and Deb Fischer (R-NE), yesterday introduced a bill to ban large online platforms (those with over 100 million monthly active users) such as Facebook and Twitter from tricking their users into handing over personal data. The bipartisan legislation, named the Deceptive Experiences To Online Users Reduction (DETOUR) Act, aims to prohibit these platforms from using deceptive user interfaces known as “dark patterns”.

https://twitter.com/MarkWarner/status/1115660831969153025

“Dark patterns” are interfaces on websites and apps deliberately designed to manipulate users into taking actions they would not otherwise take. The tactics draw on extensive behavioral psychology research and mislead users into agreeing to settings, and handing over data, that benefit the company. By pushing users into giving up personal data (contacts, messages, web activity, location) this way, social media companies gain an unfair advantage over their competitors. According to Senator Fischer, a member of the Senate Commerce Committee, dark patterns undermine privacy policies built on consent: “Misleading prompts to just click the ‘OK’ button can often transfer your contacts, messages, browsing activity, photos, or location information without you even realizing it. Our bipartisan legislation seeks to curb the use of these dishonest interfaces and increase trust online”.

https://twitter.com/MarkWarner/status/1115660838692642818
https://twitter.com/MarkWarner/status/1115660840575877120

Other examples of dark patterns include interrupting a task repeatedly until the user consents, privacy settings that make ‘agree’ the default, and forcing users who want more privacy-protective options to click through a long series of screens; sometimes no alternative option is offered at all.

The DETOUR Act provides for a professional standards body, registered with the Federal Trade Commission (FTC), to focus on best practices in user design for large online operators; it would act as a self-regulatory body and provide updated guidance to the platforms. Segmenting consumers for behavioral experiments is prohibited unless carried out with the consumer’s informed consent, and large online operators must routinely (at least once every 90 days) disclose any behavioral experiments to the public. Large online operators must also have an internal Independent Review Board to oversee these practices and safeguard consumer welfare. User design intended to encourage compulsive usage among children under 13 is prohibited. Finally, the FTC must issue rules within one year of enactment covering informed consent, Independent Review Boards and Professional Standards Bodies.

Senator Warner has raised concerns about social media companies’ use of dark patterns for several years. In 2014, for instance, he asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users that studied the emotional impact of manipulating their News Feeds. “We support Senators Warner and Fischer in protecting people from exploitive and deceptive practices online. Their legislation helps to achieve that goal and we look forward to working with them”, said Fred Humphries, Corporate VP of U.S. Government Affairs at Microsoft, in a press release sent to us. Beyond the DETOUR Act, Sen. Warner is planning further legislation to improve transparency, privacy and accountability on social media.

Public reaction to the news has been largely positive, with people supporting the senators and the bill:

https://twitter.com/tristanharris/status/1115735945393782785
https://twitter.com/joenatoli/status/1115823934132445186

For more information, check out the official DETOUR Act bill.

US Senators introduce a bill to avoid misuse of facial recognition technology
U.S. Senator introduces a bill that levies jail time and hefty fines for companies violating data breaches
A brief list of drafts bills in US legislation for protecting consumer data privacy

VFEmail suffers complete data wipe out!
Savia Lobo
22 Feb 2019
3 min read
On Monday, 11 February, Wisconsin-based email provider VFEmail was attacked by an intruder who destroyed all of the company’s primary and backup data in the United States. The first signs of the attack appeared that day, when users began tweeting at the company’s account to report they were no longer receiving messages. According to Krebs on Security, “VFEmail tweeted that it had caught a hacker in the act of formatting one of the company’s mail servers in the Netherlands.” A further tweet stated, “nl101 is up, but no incoming email. I fear all US-based data may be lost.” VFEmail’s founder, Rick Romero, then tweeted, “Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they'd want to completely and thoroughly destroy it.”

https://twitter.com/Havokmon/status/1095297448082317312

Another tweet from the VFEmail account said the attacker had formatted all disks on every server; VFEmail lost every VM and all files hosted on those servers. “NL was 100% hosted with a vastly smaller dataset. NL backups by the provider were intact, and service should be up there.”

https://twitter.com/VFEmail/status/1095038701665746945

Romero has posted updates on the company’s website, one of which reads, “We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9”. He also wrote, “At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.” John Senchak, a longtime VFEmail user from Florida, told Krebs on Security that the attack wiped out his entire inbox at the company: some 60,000 emails sent and received over more than a decade. He added, “It looked like the IP was a Bulgarian hosting company. So I’m assuming it was just a virtual machine they were using to launch the attack from. There definitely was something that somebody didn’t want found. Or, I really pissed someone off. That’s always possible.” The company has assured users that it is working to recover the data as soon as possible. To follow this story, read VFEmail’s complete Twitter thread.

Security researchers discloses vulnerabilities in TLS libraries and the downgrade attack on TLS 1.3
Remote Code Execution Flaw in APT Linux Package Manager allows man-in-the-middle attack
Apple’s CEO, Tim Cook calls for new federal privacy law while attacking the ‘shadow economy’ in an interview with TIME
After BitPay, Coinbase bans Gab accounts and its founder, Andrew Torba

Amrata Joshi
07 Jan 2019
4 min read
According to a tweet posted by the official Gab account last week, Coinbase banned the Coinbase merchant account of Andrew Torba, founder of the social media platform Gab. Gab’s own business account on Coinbase was already closed in December, according to a report by the blockchain blog Breaker. In November, Gab was banned by BitPay, the cryptocurrency payment processor. In August 2017, Gab was banned by Google, which removed the app from the Google Play store for violating the company’s hate speech policy. Last year in July, Microsoft threatened to stop hosting the site after a pair of anti-Semitic posts were published on the website. In 2017, Gab was banned by Apple and removed from the App Store because of objectionable content. Just two months ago, GoDaddy also banned Gab for breaking the domain registrar’s rules against hosting violent content. Other companies like Medium, Stripe and Shopify have banned Gab as well.

Possible reasons for getting banned

Gab describes itself on its website as a “social network that champions free speech, individual liberty and the free flow of information online. All are welcome.” According to the blockchain blog Breaker, one of the major reasons it is hard for Gab to find a payment processor is its reputation as the social network for users banned from mainstream platforms over hate speech. As per a report by the New York Times, last year in October the alleged Pittsburgh shooter, Robert Bowers, used Gab to post a final message before attacking the synagogue. Following this, Torba stated that the Pittsburgh shooter does not represent the broader Gab user base. PayPal also banned Gab after the Pittsburgh incident. Gab’s official logo has also drawn controversy, because its green frog resembles Pepe the Frog, a cartoon character that became popular in racist memes.

As per a post by Cointelegraph, last year in April the Coinbase merchandise shop of the anonymous international publishing nonprofit WikiLeaks was closed due to a terms of service violation.

Users have given mixed reactions to this news. Some users are not happy about it and are questioning Coinbase for restricting freedom through censorship. Many users have been banned themselves and are unhappy about it; they are now comparing Coinbase with other platforms like Gemini and Cex.io.

https://twitter.com/TallHandsomeOne/status/1081277877184802820
https://twitter.com/Hashmandu/status/1081261838568996866

Coinbase users are agitated, and some are planning to close their Coinbase accounts. Some are also planning to move their bitcoins off Coinbase.

https://twitter.com/caballoantares/status/1081563003240308741
https://twitter.com/_Fruhmann_/status/1081409047679643648

According to some users, the idea of bitcoin is freedom, and Coinbase’s strategy, which they consider anti-freedom, would ruin the whole idea of a bitcoin exchange. Users are now looking forward to decentralized exchanges, cryptocurrency exchanges without a central authority. Users are awaiting Skycoin’s first working decentralized exchange, which is built directly into its software wallet. Skywire, Skycoin's flagship app, is expected to launch soon. Skywire will build a decentralized internet that is fully encrypted and censorship-proof. Users are also angry at Brian Armstrong, the founder of Coinbase, and are labelling him a hypocrite, since he has talked about economic freedom and his latest move is at odds with it. Some users think Coinbase’s decision was wise and that it makes sense to ban platforms like Gab.

https://twitter.com/livingrightco/status/1081578325104095233

Check the official announcement on Twitter.
FireEye reports infrastructure-crippling Triton malware linked to Russian government tech institute

Savia Lobo
11 Apr 2019
3 min read
Yesterday, FireEye said that it has uncovered the hacking group behind the Triton malware, which was recently used to impact an unnamed “critical infrastructure” facility. This malware is designed to penetrate the target’s networks and sabotage its industrial control systems, the systems used in power plants and oil refineries to control the operations of the facility. The Triton malware attack first occurred in August 2017, when it was used against a petrochemical plant owned by Tasnee in Saudi Arabia. Researchers believe that the operators behind this attack have been active since 2014. FireEye also believes the Triton attack to be linked to a Russian government-owned technical research institute in Moscow.

Triton, also known as Trisis, has been engineered to target a specific type of industrial control system (ICS), namely the Triconex safety instrumented system (SIS) controllers developed by Schneider Electric. FireEye’s first analysis of Triton after the 2017 attack stated that “malicious actors used Triton to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown.”

FireEye has also released a report explaining the custom information technology tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle. “The information in this report is derived from multiple TRITON-related incident responses carried out by FireEye Mandiant”, the researchers state in their blog. According to the FireEye report, the threat actor leveraged different custom and commodity intrusion tools, including SecHack, NetExec, WebShell, and others. “The actor's custom tools frequently mirrored the functionality of commodity tools and appear to be developed with a focus on anti-virus evasion. The group often leveraged custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion (e.g., they switched to custom backdoors in IT and OT DMZ right before gaining access to the engineering workstation)”, the researchers mentioned in their report.

The report further mentions, “After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining a presence in the target environment.”

The actors also used several other obfuscation methods, including: renaming their files to make them look like legitimate files; planting webshells on the Outlook Exchange servers; relying on encrypted SSH-based tunnels to transfer tools and for remote command execution; routinely deleting dropped attack files, execution logs, and other files; and using multiple staging folders and directories that are rarely used by legitimate users or processes.

To know more about this report in detail, read FireEye’s complete report on the Triton attack.
An SQLite “Magellan” RCE vulnerability exposes billions of apps, including all Chromium-based browsers

Natasha Mathur
17 Dec 2018
2 min read
The Tencent Blade security team has found a vulnerability in the SQLite database engine that exposes billions of desktop and web applications to attackers. The vulnerability, classified as remote code execution (RCE), has not yet received a CVE identifier and has been nicknamed “Magellan” by the Tencent Blade Team. Since SQLite is one of the most popular databases in modern operating systems and applications, this vulnerability can affect a wide variety of apps (e.g. on Android and iOS), devices (e.g. IoT), and software.

Magellan allows attackers to run malicious code on the affected computer, leak program memory, or cause program crashes. Moreover, the vulnerability can be exploited remotely simply by visiting a crafted web page in a browser that supports SQLite. Beyond SQLite itself, all web browsers using the Chromium engine are also affected. Tencent Blade has already reported the vulnerability to Google developers, who promptly fixed it on their end. Security experts at Tencent Blade also successfully exploited Google Home with this vulnerability, but have not disclosed the exploit code. The team also mentions that they have yet to see a case where Magellan has been abused “wildly”.

Tencent Blade recommends updating to the official stable version 71.0.3578.80 of Chromium and to 3.26.0 of SQLite, as these are safe from the vulnerability. Google Chrome, Vivaldi, and Brave are all reported to be affected, as they support SQLite through the Web SQL database API. The Safari web browser is not affected as yet, and Firefox may be vulnerable only if an attacker gains access to its local SQLite database. “We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible”, says the Tencent Blade team.
Hyatt Hotels launches public bug bounty program with HackerOne

Natasha Mathur
11 Jan 2019
3 min read
Hyatt Hotels Corporation launched its bug bounty program with HackerOne earlier this week. As part of the program, ethical hackers are invited to test Hyatt websites and apps to spot potential vulnerabilities. “At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” stated Hyatt Chief Information Security Officer Benjamin Vaughn.

Hyatt Hotels Corporation is headquartered in Chicago and is a leading global hospitality company with a portfolio of 14 premier brands. Hyatt’s portfolio includes more than 750 properties in more than 55 countries across six continents. Hyatt chose HackerOne after conducting a deep review of the bug bounty marketplace. HackerOne’s bug bounty program rewards friendly hackers who help discover security vulnerabilities in important software across the internet. Hyatt is the first in the hotel industry to launch a bug bounty program. “By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers”, stated the Hyatt team.

The program was originally available as an invite-only private program, during which Hyatt paid hackers about $5600 in bounties (bug bounty rewards). It is now public. Hackers are allowed to search for vulnerabilities on the hyatt.com domain, www.hyatt.com, m.hyatt.com, world.hyatt.com, and Hyatt’s mobile apps for iOS and Android. The company will pay hackers $4000 for critical vulnerabilities and $300 for low severity issues.

The company will reward hackers for finding vulnerabilities such as novel origin IP address discovery, authentication bypass, back-end system access via front-end systems, business logic bypass, container escape, SQL injection, cross-site request forgery, exploitable cross-site scripting, and WAF bypass, among other issues. “Bug bounty programs are a proven method for advancing an organization’s cybersecurity defenses. In today’s connected society, vulnerabilities will always be present. Organizations like Hyatt are leading the way by taking this essential step to secure the data they are trusted to hold”, said HackerOne CEO Marten Mickos.
Dell reveals details on its recent security breach

Savia Lobo
30 Nov 2018
2 min read
On Wednesday, Dell announced that it had discovered a security breach on November 9th, in which an attacker attempted to extract Dell customer information including names, email addresses, and hashed passwords. The company said, “Though it is possible some of this information was removed from Dell’s network, our investigations found no conclusive evidence that any was extracted. Additionally, Dell cybersecurity measures are in place to limit the impact of any potential exposure.”

According to Dell’s press release, “Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation. Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement.”

The company did not go into detail about the hashing algorithm it uses. This matters, since fast algorithms such as MD5 can be cracked within seconds to reveal the plaintext password. “Credit card and other sensitive customer information were not targeted. The incident did not impact any Dell products or services”, the company said. According to a comment in a Hacker News thread quoting Dell, “Dell ‘hashes’ all Dell.com customer account passwords prior to storing them in our database using a hashing algorithm that has been tested and validated by an expert third-party firm. This security measure limits the risk of customers’ passwords being revealed if a hashed version of their password were to ever be taken.”

According to ZDNet, “Dell said it's still investigating the incident, but said the breach wasn't extensive, with the company's engineers detecting the intrusion on the same day it happened. A Dell spokesperson declined to give out a number of affected accounts, saying "it would be imprudent to publish potential numbers when there may be none."”

While resetting passwords is the safer option, users should also keep an eye on their card statements if they have saved financial or legal information in their accounts.
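The article does not say which algorithm Dell uses. As an added example (not from the article and not Dell’s scheme), the following Python contrasts unsalted MD5 storage, where a leaked digest of a common password is recovered by a dictionary lookup, with salted PBKDF2, where every guess costs real work; the wordlist, the passwords and the iteration count are constructed assumptions.

```python
"""Added example (not from the article, and not Dell's scheme, which the
article says Dell did not disclose): why a fast, unsalted hash such as MD5
leaves stolen password hashes recoverable in seconds, and how a per-user
salt plus a slow key-derivation function changes the cost of each guess.
Every password and stored record below is constructed for the demo."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed stand-in for the multi-million-entry wordlists used offline.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "Summer2018!"]
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to ~100 ms per hash


def md5_store(password: str) -> str:
    """Weak scheme: unsalted MD5 hex digest of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_recover(stolen_digest: str, wordlist) -> Optional[str]:
    """Defender's check on a leaked MD5 digest: with no salt, one table of
    digests serves every user, so recovery is a dictionary lookup."""
    table = {md5_store(p): p for p in wordlist}
    return table.get(stolen_digest)


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Stronger scheme: random 16-byte salt and an iterated KDF. The salt is
    stored beside the digest; it need not be secret, only unique per user,
    so no precomputed table can serve more than one account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time.
    A weak password still verifies: the KDF buys time per guess, it does
    not turn "password" into a good password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def guess_cost_ratio(sample: int = 20_000) -> float:
    """How many times more expensive one PBKDF2 guess is than one MD5 guess
    on this machine; the order of magnitude is the point."""
    t0 = time.perf_counter()
    for i in range(sample):
        md5_store(f"guess{i}")
    md5_per_guess = (time.perf_counter() - t0) / sample
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"\x00" * 16, PBKDF2_ITERATIONS)
    kdf_per_guess = time.perf_counter() - t0
    return kdf_per_guess / md5_per_guess


if __name__ == "__main__":
    leaked = md5_store("password")  # what a breached database would expose
    print("MD5 digest recovered as:", md5_recover(leaked, COMMON_PASSWORDS))
    record = pbkdf2_store("password")
    print("PBKDF2 verify:", pbkdf2_verify("password", record))
    print("One KDF guess costs %.0fx one MD5 guess" % guess_cost_ratio())
```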
ACLU files lawsuit against 11 federal criminal and immigration enforcement agencies for disclosure of information on government hacking

Melisha Dsouza
24 Dec 2018
3 min read
On Friday, the American Civil Liberties Union (ACLU), Privacy International, and the University at Buffalo Law School’s Civil Liberties & Transparency Clinic filed a Freedom of Information Act lawsuit against 11 federal criminal and immigration enforcement agencies, including the FBI, Immigration and Customs Enforcement, and the Drug Enforcement Administration. The lawsuit demands disclosure of basic information about government hacking: which hacking tools and methods the agencies use, how often they are used, the legal basis for employing them, and any internal rules that govern them. It also seeks any internal audits or investigations related to their use.

The ACLU, in its blog post, states that government hacking raises “grave privacy concerns”, creating “surveillance possibilities” that could pose a security risk, because even “lawful hacking” can take advantage of unpatched vulnerabilities in users’ devices and software. By hacking into a phone, laptop, or other device, federal agents can obtain any sensitive or confidential information; they can activate a device’s camera and microphone, log keystrokes, or hijack a device’s functions. Most of the time users are completely unaware that they are being surveilled, and there is little information on what constitutes “lawful hacking”.

The ACLU argues that "Law enforcement use of hacking presents a unique threat to individual privacy." It supports this claim with examples, such as a case in which the government commandeered an internet hosting service in order to set up a “watering hole” attack that is suspected to have spread malware to many innocent people who visited websites on the server. In another case, an FBI agent investigating fake bomb threats impersonated an Associated Press reporter to deploy malware on a suspect’s computer. The agent created a fake story and sent a link to it to a high school student; when the student visited the website, it implanted malware on his computer that reported identifying information back to the FBI.

The lawsuit aims to give a better understanding of what the government is doing and what rules it follows, and to clarify whether and when the government should engage in hacking. It will also help users understand whether the government is collecting excessive information about the people it surveils, and how investigators handle innocent bystanders’ information. You can head over to ACLU’s official blog to know more about this news.