
Tech News - Security

470 Articles
Sugandha Lahoti
06 Jun 2019
4 min read

Mozilla puts “people’s privacy first” in its browser with updates to Enhanced Tracking Protection, Firefox Lockwise and Firefox Monitor

On Tuesday, Firefox released a number of updates to its browser with the intention of putting “people’s privacy first”. The new features were detailed by Dave Camp, Senior Vice President of Firefox, in a blog post. Firefox will roll out Enhanced Tracking Protection to all new users, on by default. Additionally, they have upgraded the Facebook Container extension, introduced a Firefox desktop extension for Lockwise, and given Firefox Monitor a new dashboard to manage multiple email addresses.

Enhanced Tracking Protection blocks third party cookies by default

Firefox’s Enhanced Tracking Protection offers protection controls that let users block third party cookies at their own level of comfort, with three settings: Standard, Strict, and Custom. Per the new update, for all new users who download and install Firefox for the first time, Enhanced Tracking Protection will automatically be on by default as part of the ‘Standard’ setting in the browser.

  • The Standard setting blocks known trackers and their cookies.
  • Strict will block known trackers in all Firefox windows. This includes third party trackers and tracking cookies.
  • The Custom setting of Enhanced Tracking Protection allows you to select which trackers and cookies you want to block.

https://twitter.com/jensimmons/status/1134549448120578048

This feature will be present as a shield icon in the address bar next to the URL. Users can also see which companies are blocked by clicking on the shield icon. For existing users, Enhanced Tracking Protection by default will be rolled out in the coming months. Manually, users can turn this feature on by clicking on the menu icon marked by three horizontal lines at the top right of the browser, then under Content Blocking.

Firefox Monitor - see if you’ve been part of an online data breach

Firefox Monitor has a new feature in the form of a breach dashboard that presents a quick summary of updates for all registered email accounts. Firefox Monitor was launched in September last year as a free service that notifies people if they’ve been part of a data breach. The new breach dashboard helps users track and manage multiple email addresses, including both personal and professional email accounts. Users can easily identify which emails are being monitored, how many known data breaches may have exposed their information, and specifically, if any passwords have been leaked across those breaches.

Safe password management with Firefox Lockwise

Firefox has rolled out a new desktop extension, Firefox Lockwise, that offers users safe password management features. It will provide an additional touchpoint to store, edit and access passwords. Firefox Lockwise is already available for iOS, Android and iPad. The new Firefox Lockwise desktop extension includes a new dashboard interface to manage the saved list of passwords. For frequently visited sites, users can quickly reference and edit what is being stored. For sites with fewer or no visits, users can easily delete a saved password. The mobile app and desktop extension can help users quickly retrieve their password to access a site account.

Facebook Container now blocks tracking from other sites

Firefox has updated its Facebook Container extension to prevent Facebook from tracking users on other sites that have embedded Facebook capabilities, such as the Share and Like buttons, on their site. Facebook Container is an add-on/web extension that helps users take control and isolate their web activity from Facebook. This blocking reduces Facebook’s propensity to build shadow profiles of non-Facebook users. Users will know the blocking is in effect when they see the Facebook Container purple fence badge.

It is interesting that Mozilla released a slew of updates following Apple's privacy-focused features announced at WWDC 2019. It almost feels like they are acting as a counterbalance to Google and Facebook, who have been under scrutiny for their data misinformation and privacy scandals. Google Chrome has also banned ad blockers for all users by deprecating the blocking capabilities of the webRequest API in Manifest V3. Chrome’s capability to block unwanted content will be restricted to only paid, enterprise users of Chrome.

https://twitter.com/dhh/status/1136058254608355328
https://twitter.com/queercommunist/status/1135906369599549440
https://twitter.com/johnwilander/status/1135911532779335680

Learn more about these privacy features on Mozilla Blog.

Firefox 67 enables AV1 video decoder ‘dav1d’, by default on all desktop platforms
Mozilla makes Firefox 67 “faster than ever” by deprioritizing least commonly used features
Firefox 67 will come with faster and reliable JavaScript debugging tools

Melisha Dsouza
20 Sep 2018
3 min read

‘Peekaboo’ Zero-Day Vulnerability allows hackers to access CCTV cameras, says Tenable Research

Earlier this week, Tenable Inc announced that its research team had discovered a zero-day vulnerability dubbed 'Peekaboo' in NUUO software. NUUO licenses its software to at least 100 other brands including Sony, Cisco Systems, D-Link, Panasonic and many more. The vulnerable device is NVRMini2, which is a network-attached storage device and network video recorder. The vulnerability would allow cybercriminals to view, disable or otherwise manipulate video footage using administrator privileges. To give you a small gist of the situation, hackers could replace the live feed of video surveillance with a static image of the area. This could help criminals enter someone’s premises undetected by the CCTV! Cameras with this bug could be manipulated and taken offline, worldwide. And this is not the first time that NUUO devices have been affected by a vulnerability. Just last year, there were reports of the NUUO NVR devices being specifically targeted by the Reaper IoT Botnet.

"The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe" - Renaud Deraison, co-founder and chief technology officer, Tenable

Vulnerabilities discovered by Tenable

The vulnerabilities, CVE-2018-1149 and CVE-2018-1150, are tied to the NUUO NVRMini2 web server software.

#1 CVE-2018-1149: Allows an attacker to sniff out affected gear

This vulnerability assists attackers in sniffing out affected gear using Shodan. The attacker can trigger a buffer-overflow attack that allows them to access the camera’s web server Common Gateway Interface (CGI). This interface acts as a gateway between a remote user and the web server. The attack delivers a really large cookie file to the CGI handle. Because the CGI does not validate the user’s input properly, the attacker can access the web server portion of the camera.

#2 CVE-2018-1150: Takes advantage of backdoor functionality

This bug takes advantage of the backdoor functionality in the NUUO NVRMini2 web server. When the backdoor PHP code is enabled, it allows an unauthenticated attacker to change the password for any registered user except the administrator of the system.

‘Peekaboo’ affects firmware versions older than 3.9.0. Tenable states that NUUO was notified of this vulnerability in June. NUUO was given 105 days to issue a patch before the bugs were publicly disclosed. Tenable’s GitHub page provides more details on potential exploits tested with one of NUUO’s NVRMini2 devices. NUUO is planning to issue a security patch. Meanwhile, users are advised to restrict access to their NUUO NVRMini2 deployments. Owners of devices connected directly to the internet are especially at risk. Affected end users are urged to disconnect these devices from the internet until a patch is released.

For more information on Peekaboo, head over to the Tenable Research Advisory blog post.

Alarming ways governments are using surveillance tech to watch you
Windows zero-day vulnerability exposed on ALPC interface by a vulnerability researcher with ‘no formal degrees’
IoT botnets Mirai and Gafgyt target vulnerabilities in Apache Struts and SonicWall

Natasha Mathur
27 Feb 2019
4 min read

New research from Eclypsium discloses a vulnerability in Bare Metal Cloud Servers that allows attackers to steal data

Security researchers at Eclypsium, a hardware security startup, published a paper yesterday examining the vulnerabilities in Bare Metal Cloud Servers (BMCs) that allow attackers to exploit and steal data. “We found weaknesses in methods for updating server BMC firmware that would allow an attacker to install malicious BMC firmware..these vulnerabilities can allow an attacker to not only do damage but also add other malicious implants that can persist and steal data”, state the researchers.

BMC is a highly privileged component and part of the Intelligent Platform Management Interface (IPMI). It can monitor the state of a computer and allow an operating system reinstall from a remote management console through an independent connection. This means that there’s no need to physically attach a monitor, keyboard, and installation media to the server in BMCs.

Now, although bare-metal cloud offerings come with considerable benefits, they also pose new risks and challenges to security. For instance, in the majority of cloud services, once a customer has used a bare-metal server, the hardware can be reclaimed by the service provider and then repurposed for another customer. Similarly, for a bare-metal cloud service offering, the underlying hardware can easily be passed through different owners, each with direct access to control that hardware. This access lets attackers control the hardware: they can spend a nominal sum of money for access to a server, and implant malicious firmware at the UEFI, BMC, and within drives or network adapters. This hardware can then be released by the attacker to the service provider, who could further pass it on for use to another customer.

Eclypsium researchers used IBM SoftLayer technology as a case study to test the attack scenario on. However, researchers mention that the attack is not limited to any one service provider. IBM acquired SoftLayer Technologies, a managed hosting and cloud computing provider, in 2013, and it is now known as IBM Cloud. The vulnerability found has been named Cloudborne.

Researchers chose SoftLayer as the testing environment due to its simplified logistics and access to hardware. However, SoftLayer was using a super vulnerable Supermicro server hardware. It took about 45 minutes for the Eclypsium team to provision the server. Once the instance was provisioned, they found out that it had the latest BMC firmware available. An additional IPMI user was created and given administrative access to the BMC channels. This system was then finally released to IBM, which kicked off the reclamation process. Researchers noticed that the additional IPMI user was removed during the reclamation process but BMC firmware containing the flipped bit was still present, meaning that the server’s BMC firmware was not re-flashed during the server reclamation process.

“The combination of using vulnerable hardware and not re-flashing the firmware makes it possible to implant malicious code into the server’s BMC firmware and inflict damage or steal data from IBM clients that use that server in the future”, state the researchers.

Other than that, BMC logs were also retained during provisioning, giving the new customer insights into the actions of the previous device owner. Also, the BMC root password was the same across provisioning, allowing the attacker to easily have control over the machine in the future.

“While these issues have heightened importance for bare-metal services, they also apply to all services hosted in public and private clouds..to secure their applications, organizations must be able to manage these issues—or run the risk of endangering their most critical assets”, mention Eclypsium researchers.

For more information, check out the official Eclypsium paper.

Security researchers discloses vulnerabilities in TLS libraries and the downgrade Attack on TLS 1.3
Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability
A WordPress plugin vulnerability is leaking Twitter account information of users making them vulnerable to compromise

Savia Lobo
30 Oct 2018
4 min read

Twitter plans to disable the ‘like’ button to promote healthy conversations; should retweet be removed instead?

Yesterday, Twitter’s CEO Jack Dorsey announced that the popular social media platform might eliminate its heart-shaped like button, according to The Telegraph. The Twitter communications team further clarified in a tweet, “eliminating the like button is a ‘commitment to healthy conversation,’ it was ‘rethinking everything about the service,’ including the like button”.

At the Wired25 summit held on the 15th of October, Dorsey made an onstage remark questioning the “like” button’s worth in facilitating meaningful communication. He said, “Is that the right thing? Versus contributing to the public conversation or a healthy conversation? How do we incentivize healthy conversation?”

Twitter also vowed to “increase the collective health, openness, and civility of the dialogue on our service” in a blog post in July. Prior to this, the company had also introduced ‘Bookmarks’, an easy way to save Tweets for quick access later without having to like them.

Ben Grosser, an artist and professor at the University of Illinois, says, “I fear that if they remove the Like button the fact that there are other indicators that include metrics will just compel users to use those other indicators.”

A Twitter spokesperson told the Telegraph, “At this point, there is no specific timeline for changes or particular planned changes to discuss”. He added, “We’re experimenting and considering numerous possible changes, all with an eye toward ensuring we’re incentivizing the right behaviors to drive a healthy conversation.”

Should Retweet be eliminated instead?

The Atlantic speculates that “If Twitter really wants to control the out-of-control rewards mechanisms it has created, the retweet button should be the first to go.” Retweets, and not likes, are Twitter’s most powerful method of reward, according to The Atlantic. The more retweets a post gets, the more likely it is to go viral on social media. According to MIT research, Twitter users retweet fake news almost twice as much as real news. Other Twitter users, desperate for validation, endlessly retweet their own tweets, spamming followers with duplicate information.

Twitter introduced retweets to ensure that the most interesting and engaging content would show up in the feed and keep users entertained. The tweets shown on the platform are a result of an algorithmic accounting of exactly what the most interesting and engaging content is.

In April, Alexis Madrigal wrote about how he used a script to eliminate retweets from his timeline and how it transformed his experience for the better. “Retweets make up more than a quarter of all tweets. When they disappeared, my feed had less punch-the-button outrage,” he wrote. “Fewer mean screenshots of somebody saying precisely the wrong thing. Less repetition of big, big news. Fewer memes I’d already seen a hundred times. Less breathlessness. And more of what the people I follow were actually thinking about, reading, and doing. It’s still not perfect, but it’s much better.”

This week, Alexis, along with Darshil Patel and Maas Lalani, two 18-year-old college freshers, launched a browser extension that hides the number of retweets, likes, and followers on all tweets in a user's feed.

Elimination of the native retweet buttons will definitely keep people from quote tweeting. According to The Atlantic, “it could just send everyone back to the dark ages of the manual retweet when users physically copy-pasted text from another tweet with the letters “RT” plastered in front. But killing native retweets is certainly a step in the right direction.”

For complete coverage of this news, head over to The Telegraph.

Social media platforms, Twitter and Gab.com, accused of facilitating recent domestic terrorism in the U.S.
Twitter prepares for mid-term US elections, with stronger rules and enforcement approach to fight against fake accounts and other malpractices
Twitter on the GDPR radar for refusing to provide a user his data due to ‘disproportionate effort’ involved

Melisha Dsouza
01 Nov 2018
3 min read

Google now requires you to enable JavaScript to sign-in as part of its enhanced security features

“Online security can sometimes feel like walking through a haunted house - scary, and you aren’t quite sure what may pop up” - Jonathan Skelker, product manager at Google

October 31st marked the end of ‘Cybersecurity awareness month’ and Google has made sure to leave its mark on the very last day. Introducing a host of features to protect user accounts from being compromised, Google has come up with checkpoints before a user signs in, as soon as they are in their account, and when users share information with other apps and sites. Let’s walk through all these features in detail.

#1 Before you sign in - Enable JavaScript on the browser

A mandatory requirement for signing into Google now is that JavaScript should be enabled on the Google sign-in page. When a user enters their credentials on Google’s sign-in page, a risk assessment will be run automatically to block any nefarious activity. It will only allow the sign-in if nothing looks suspicious. The post mentions that "JavaScript is already enabled in your browser; it helps power lots of the websites people use everyday. But, because it may save bandwidth or help pages load more quickly, a tiny minority of our users (0.1%) choose to keep it off"

#2 Security checkup for protection once signed in

After the major update introduced to the Security Checkup last year, Google has gone a step forward to protect users against harmful apps based on recommendations from Google Play Protect. The web dashboard helps users set up two-factor authentication, check which apps have access to users’ account information, and review unusual security events. They also provide information on how to remove accounts from devices users no longer use.

Google is introducing additional notifications which will send personalized alerts whenever any data is shared from a Google account with third-party sites or applications (including Gmail info, sharing a Google Photos album, or Google Contacts). This looks like a step in the right direction, especially after a recent Oxford University study revealed that more than 90% of apps on the Google Play store had third party trackers, leaking sensitive data to top tech companies.

#3 Help issued when a user account is compromised

The most notable of all the security features is a new, step-by-step process within a user's Google Account that will be automatically triggered if the team detects potential unauthorized activity. The 4 steps that will run in the event of a security breach include:

  • Verify critical security settings to check that a user’s account isn’t vulnerable to any other additional attacks by other means, like a recovery phone number or email address.
  • Secure other user accounts, taking into consideration that a user’s Google Account might be a gateway to accounts on other services and a hijacking can leave them vulnerable as well.
  • Check financial activity to see if any payment methods connected to a user’s accounts were abused.
  • Review content and files to see if any of a user’s Gmail or Drive data was accessed or misused.

Head over to Google’s official Blog to read more about this news.

Google’s #MeToo underbelly exposed by NYT; Pichai assures they take a hard line on inappropriate conduct by people in positions of authority
Google employees plan a walkout to protest against the company’s response to recent reports of sexual misconduct
A multimillion-dollar ad fraud scheme that secretly tracked user affected millions of Android phones. This is how Google is tackling it.

Natasha Mathur
01 Oct 2018
3 min read

The U.S. Justice Department sues to block the new California Net Neutrality law

The U.S. Justice Department filed a lawsuit against California yesterday after the California governor Jerry Brown signed the state’s Net Neutrality proposal into law. The law was meant to restore the open internet protections known as Net Neutrality, which require internet service providers like AT&T, Comcast, and Verizon to treat all web traffic equally in the state.

California’s Net Neutrality bill is a state-level response to the FCC’s decision to revoke the existing legislation earlier this year. The law that was set when President Obama was in office was scrapped after the Republicans took over leadership of the FCC in 2017. Considered one of the toughest Net Neutrality bills in the U.S., it prevents ISPs from throttling traffic, and from charging websites for special access to internet users. It also bans “zero rating” on certain apps (where using certain apps would not count against a user’s data usage).

The California Net Neutrality bill, namely Senate No. 822, was approved by the State Assembly and the Senate in August, despite receiving many protests. However, after the governor decided to enact the Net Neutrality proposal as a law yesterday, senior Justice Department officials sued the state on the grounds that only the federal government, not state leaders, has the power to regulate Net Neutrality.

Attorney General Jeff Sessions issued the following statement on filing the complaint: “Once again the California legislature has enacted an extreme and illegal state law attempting to frustrate federal policy. The Justice Department should not have to spend valuable time and resources to file this suit today, but we have a duty to defend the prerogatives of the federal government and protect our Constitutional order. We are confident that we will prevail in this case—because the facts are on our side”.

FCC Chairman Ajit Pai also issued a statement stating, “I’m pleased the Department of Justice has filed this suit. Not only is California’s Internet regulation law illegal, but it also hurts consumers. The law prohibits many free-data plans, which allow consumers to stream video, music, and the like exempt from any data limits. They have proven enormously popular in the marketplace, especially among lower-income Americans. But notwithstanding the consumer benefits, this state law bans them.”

Member of the California state and author of the state bill, Scott Wiener, tweeted his response to the lawsuit, saying that it’s just an attempt by the administration to block the state's initiatives.

https://twitter.com/Scott_Wiener/status/1046585508472602624

Furthering the Net Neutrality debate, GOP proposes the 21st Century Internet Act
California passes the U.S.’ first IoT security bill
Like newspapers, Google algorithms are protected by the First amendment making them hard to legally regulate them
Melisha Dsouza
03 Jan 2019
4 min read

Hacker duo hijacks thousands of Chromecasts and Google smart TVs to play PewDiePie ad, reveals bug in Google’s Chromecast devices!

On Wednesday, a hacker duo hijacked thousands of Google’s Chromecast streaming adapters, Google Home smart speakers and smart TVs with built-in Chromecast technology to play a video urging users to subscribe to Swedish Youtuber ‘PewDiePie's’ Youtube channel. The hacked smart TVs also displayed a message along similar lines. The hackers behind this hacking campaign, codenamed CastHack, are known on Twitter as TheHackerGiraffe and j3ws3r.

The attack took advantage of badly configured routers to find streaming devices exposed to the public internet. Once found, the hackers renamed the device’s Wi-Fi name, and then played a PewDiePie Youtube video. A website detailing the hack lists the statistics on the number of devices forced to play the video, total renamed devices, total exposed devices and much more.

The website shared some of the information the hackers had access to, including “what WIFI your Chromecast/Google Home is connected to, what bluetooth devices it has paired to, how long it’s been on, what WiFi networks your device remembers, what alarms you have set, and much more.” However, they state that “We’re only trying to protect you and inform you of this before someone takes real advantage of it. Imagine the consequences of having access to the information above.” They further added that “We want to help you, and also our favorite Youtubers (mostly PewDiePie)”.

According to Variety, the attack was part of a marketing campaign, “Subscribe to PewDiePie”, that fans of the Swedish video-game streamer and vlogger have been engaged in since late last year. The goal of that campaign is to defeat the Indian Youtube channel T-Series for the title of ‘Youtube's most popular channel’ by gaining more subscribers than the latter.

How did the attack take place?

The attack exploited a Chromecast bug allegedly ignored by Google for almost five years. According to ZDNet, the ongoing CastHack takes advantage of users who use incorrectly configured routers that have the UPnP (Universal Plug'n'Play) service enabled, a service which forwards specific ports from the internal network to the Internet. The ports are 8008, 8009, and 8443, normally used by smart TVs, Chromecasts, and Google Home for various management functions.

The streaming devices expose these ports on internal networks, where users can operate them by sending commands from their smartphones or computers to the devices for remote management purposes. Routers with incorrectly configured UPnP settings make these ports available on the internet. This allowed FriendlyH4xx0r to scan the entire internet for devices with these ports exposed. Once devices are identified, the hacker said, another script renames the devices to "HACKED_SUB2PEWDS_#" and then tries to autoplay a video (now taken down by Youtube) to promote PewDiePie’s channel.

A Google spokesperson told Variety via email: “To restrict the ability for external videos to be played on their devices, users can turn off Universal Plug and Play (UPnP). Please note that turning off UPnP may disable some devices (e.g. printers, game consoles, etc.) that depend on it for local device discovery.”

This is the second time that HackerGiraffe and j3ws3r have teamed up to promote PewDiePie’s channel. Both said they were behind a hack in November that forced printers around the world to print out sheets of paper telling people to subscribe to PewDiePie.

https://twitter.com/maddybenavente1/status/1068017390246600704

You can head over to The Verge for more insights on this news.

How IRA hacked American democracy using social media and meme warfare to promote disinformation and polarization: A new report to Senate Intelligence Committee
16 year old hacked into Apple’s servers, accessed ‘extremely secure’ customer accounts for over a year undetected
Quora Hacked: Almost a 100 Million users’ data compromised!

Sugandha Lahoti
11 Dec 2018
3 min read

Google+ affected by another bug, 52M users compromised, shut down within 90 days

It has been only two months since Google reported a bug discovery in one of the Google+ People APIs, which affected up to 500,000 Google+ accounts, initiating the shutdown of Google+. Yesterday, Google+ suffered another massive data leak that has impacted approximately 52.5 million users in connection with a Google+ API. This has led Google to expedite the process of shutting down Google+. Access to the Google+ API network will be cut off in the next 90 days and it will shut down completely in April, rather than August next year.

In a blog post on Google, David Thacker, VP, Product Management, GSuite, stated that this bug was added as a part of a software update introduced in November and immediately fixed. However, people are upset that the data leak was disclosed now.

Because of the software bug, apps that requested permission to view profile information of a Google+ user (name, email address, occupation, age, etc.) were granted permission even when the information was set to not-public. In addition, Thacker mentions, “apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.” However, access was not given to user financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.

Google discovered the bug as part of its standard testing procedure and says there is “no evidence that the app developers that inadvertently had this access for six days were aware of it or misused.” Google says it has begun notifying users and enterprise customers who were impacted by the bug. Thacker also says maintaining users' privacy is Google’s top concern. “We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs.”

People on Hacker News were highly critical of this data leak and expressed concerns about the kind of organization Google is turning out to be.

“I've been online since Google was a new up and coming company. There is a world of difference between the civic-mindedness of Google back then and Google now. Google has gone from something genuinely idealistic to something scary and totalitarian. If you aren't of the same "tribe" as the typical Googler, then basically, you're a subject.”

“So, how does Google, which we all trust with our precious data end up messing up like this several times in a row? If this is the company with the best security team in the world does that mean we should simply abandon all hope”

“They could have done soo much more with Google+ ... The hype was real up until launch. Really wish they had done things a little differently. Oh well... With all these leaks, I'm actually really glad they weren't successful with this.”

Google reveals an undisclosed bug that left 500K Google+ accounts vulnerable in early 2018; plans to sunset Google+ consumer version.
Google bypassed its own security and privacy teams for Project Dragonfly reveals Intercept
Marriott’s Starwood guest database faces a massive data breach affecting 500 million user data

Savia Lobo
07 Dec 2018
3 min read

Ericsson’s expired software certificate issue causes massive outages in UK’s O2 and Japan’s SoftBank network services

Yesterday, the Swedish networking and telecommunications company Ericsson reported an issue in its core software that caused network disturbances for some of its customers. The issue was responsible for a data outage across 11 countries, affecting services including the United Kingdom’s O2 and Japan’s SoftBank mobile services.

Ericsson identified that only customers using two specific software versions of the SGSN–MME (Serving GPRS Support Node – Mobility Management Entity) were affected. The company's initial root cause analysis indicated that the main issue was an expired certificate installed with the affected customers.

Ericsson CEO and President, Börje Ekholm, said, “The faulty software that has caused these issues is being decommissioned and we apologize not only to our customers but also to their customers. We work hard to ensure that our customers can limit the impact and restore their services as soon as possible.”

The O2 and SoftBank outage caused millions of customers in UK and Japan to stay offline for a whole day!

30 million customers of the O2 mobile provider in the UK were unable to make or receive phone calls due to Ericsson’s expired certificate issue. The other service providers affected include Tesco Mobile and Sky Mobile. O2’s entire network, including the companies using its platforms and its subsidiaries Giffgaff and Lycamobile, was highly affected. However, the services were restored at around 4 am yesterday. The outage also affected Transport for London’s live updates of bus arrival times at stops across the capital, which rely on O2’s network for data updates.

Mark Evans, O2’s CEO, tweeted to reassure customers that the company was doing everything it could to fix the issue, and apologized to the affected customers.

https://twitter.com/MarkEvansO2/status/1070710723905499136

In Japan, meanwhile, SoftBank and Y!mobile 4G LTE mobile phone services, Ouchi-No-Denwa fixed-line services, and SoftBank Air services were also affected. SoftBank said that its outage extended from 1.39pm until 6.04pm JST yesterday. According to SoftBank’s press release on its outage, “SoftBank Network Center detected software's malfunction in all of the packet switching machines manufactured by Ericsson, which are installed at the Tokyo Center and the Osaka Center, covering our mobile customers nationwide.” SoftBank also received a report from Ericsson stating “the software has been in operation since nine months ago and the failure caused by the same software also occurred simultaneously in other telecom carriers across 11 countries, which installed the same Ericsson-made devices.”

Marielle Lindgren, CEO Ericsson UK & Ireland, said, “The faulty software that has caused these issues is being decommissioned. Our priority is to restore full data services on the network by tomorrow (Friday) morning. Ericsson sincerely apologizes to customers for the inconvenience caused.”

To know more about this news in detail, visit Ericsson’s official press release.

Savia Lobo
14 Dec 2018
6 min read

Former Senior VP’s take on the Marriott data breach; NYT report suspects Chinese hacking ties

The Marriott Starwood guest database breach that occurred at the end of last month affected the data of almost 500 million users. According to the Marriott investigation report, the possible cause of the breach was the technology platform deployed by Starwood under the name “Valhalla”. Israel del Rio, the former Senior Vice President of Technology and Solutions at Starwood Hotels and Resorts from 2001 to 2006, gave his take on the guest data breach. He said, “I worked on Valhalla and wrote about Marriott’s decision not to use it moving forward in 2016.”

Israel del Rio’s take on the Marriott breach

In his post, Israel said that the Valhalla system was entirely active in 2009 and that all the best practices were followed in the system’s design, including firewalls, DMZs, encryption, etc. He said, “The fact is, if we accept Marriott’s statement that the breach began in 2014, the system would already have been operating securely for five years. It is difficult to imagine how an architectural or platform vulnerability would not have been discovered or exploited sooner.” Israel highlighted three points in the Marriott report and explained his take on each of them.

500 million guests’ reservation data stolen

The report stated that the data of approximately 500 million guests who made a reservation at a Starwood property had been stolen. To this, Israel said, “It is unlikely this system would have had 500 million records, given the practice to remove booking records a number of days after checkout. Even assuming half a million rooms in Starwood’s inventory at 90% occupancy, with average lengths of stay of two days, and up to two years of advance booking, such a database would not exceed 200 million records.”

He said that the only place to find such a large volume of data is the Data Warehouse, which would contain the booking records for several prior years. This is most likely the area from which the data was stolen. However, given that some of that data had already been migrated to Marriott, it is hard to say for certain whether the breach occurred in the Starwood system, the Marriott system, or in transit as a result of exposure during the Extract‐Transform‐Load process used during the migration.

An alert from an internal security tool helped Marriott to know about the breach

Marriott’s discovery of the breach was triggered on September 8, 2018, when Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Israel said, “We do not know when such a tool was first used, but what’s most confounding is Marriott’s assurance that the breach first occurred in 2014. If the detection tool was used prior to this September, why hadn’t the breach been detected earlier? And if the tool was not used earlier, how can they be so sure the breach occurred in 2014?”

The stolen data also contained data from 2014; this could be why it was assumed that the breach took place around that time. Also, the Data Warehouse contains booking data going back several years. The Data Warehouse data could have been exposed recently and still show stolen records from 2014.

The exposed data included encrypted payment card numbers and payment card expiration dates

According to Israel, “there are two components needed to decrypt the payment card numbers, and that at this point, Marriott has not been able to rule out the possibility that both were stolen.” Marriott’s report said there is a possibility that the primary encryption key was also exposed. “It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys”, according to Israel.

Israel said there is too little information to understand what exactly happened. “It is possible that the Starwood system was in fact breached. Marriott had laid off most of the Starwood technology staff at the end of 2017, and whatever operational or migration issues this might have caused should be evaluated.”

To know more about Israel del Rio’s take on the Marriott breach, visit his blogpost.

Chinese hackers might have caused the Marriott Starwood guest data breach

According to the New York Times report, the Marriott breach was a part of the “Chinese intelligence-gathering effort, that also hacked health insurers and the security clearance files of millions more Americans, according to the two people briefed on the investigation.” This discovery came out as the Trump administration is planning actions, within days, to target China’s trade, cyber and economic policies.

The Marriott Starwood guest data breach is not expected to be a part of the indictments against the Chinese hackers. “But two of the government officials said that it has added urgency to the administration’s crackdown, given that Marriott is the top hotel provider for the American government and military personnel”, according to the New York Times.

The Marriott database contains not only credit card information but also passport data. But officials on Tuesday said this was a part of an aggressive operation whose main focus was the 2014 hacking into the Office of Personnel Management.

“At the time, the government bureau loosely guarded the detailed forms that Americans fill out to get security clearances — forms that contain financial data; information about spouses, children and past romantic relationships; and any meetings with foreigners. Such information is exactly what the Chinese use to root out spies, recruit intelligence agents and build a rich repository of Americans’ personal data for future targeting. With those details, the Marriott data adds another critical element to the intelligence profile: travel habits.”

James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington, said to the Times, “The data can be used to track which Chinese citizens visited the same city, or hotel, as an American intelligence agent who was identified in data taken from the Office of Personnel Management or from American health insurers that document patients’ medical histories and Social Security numbers.”

According to the New York Times, “The effort to amass Americans’ personal information so alarmed government officials that in 2016, the Obama administration threatened to block a $14 billion bid by China’s Anbang Insurance Group Co. to acquire Starwood Hotel & Resorts Worldwide, according to one former official familiar with the work of the Committee on Foreign Investments in the United States, a secretive government body that reviews foreign acquisitions.”

Finally, the failed bid cleared the way later that year for Marriott Hotels to acquire Starwood for $13.6 billion, becoming the world’s largest hotel chain.

“The Chinese regard intrusions into hotel chain databases as a standard kind of espionage. So does the United States, which has often seized guest data from foreign hotels.”

To know more about this news in detail, visit The New York Times’ in-depth coverage.
Melisha Dsouza
28 Dec 2018
3 min read

200+ Bitcoins stolen from Electrum wallet in an ongoing phishing attack

Popular Bitcoin wallet Electrum and Bitcoin Cash wallet Electron Cash are subject to an ongoing phishing attack. The hacker, or hackers, have already got away with over 200 Bitcoin (around $718,000 as of press) and, with the attack still ongoing, it is quite possible that they will get away with much more. The phishing attack urged wallet users to download and install a malicious software update from an unauthorized GitHub repository, according to ZDNet.

The hack began last Friday, i.e., on December 21, and the vulnerability at the heart of this attack has remained unpatched. The official Electrum blog at GitHub says that the wallet’s admins privately received a screenshot from a German chat room, in response to the issue, showing that new malware disguising itself as the "real" Electrum was being distributed.

Source: GitHub

Immediately after investigating the reasons for the error message, they silently made mitigations in 5248613 and 5dc240d, and released Electrum wallet version 3.3.2. The attacker then stopped the phishing attack temporarily. Yesterday, one of the Electrum developers, SomberNight, announced on GitHub that the attacker has started the malicious activity again. Electrum wallet admins are taking steps to mitigate its usability for the attacker.

Execution of the ongoing phishing attack

To launch such a major attack, the attacker added tens of malicious servers to the Electrum wallet network. When a user of a legitimate Electrum wallet initiates a Bitcoin transaction and the transaction reaches one of the malicious servers, the server replies with an error message urging the user to download a wallet app update from a malicious website (GitHub repo). If the user clicks the given link, the malicious update gets downloaded, following which the app asks the user for a two-factor authentication (2FA) code. However, 2FA codes are normally requested only before sending funds, not at wallet startup. The malicious app thus stealthily obtains the user's 2FA code and uses it to steal their funds and transfer them to the attacker's Bitcoin addresses.

The major drawback here is that Electrum servers are allowed to trigger popups with custom text inside users' wallets.

Steps taken by Electrum admins to create user awareness

The developers at Electrum have updated the Electrum wallet so that whenever an attacker sends a malicious message, the message does not appear as an organized, rich-text message. Instead, the user receives a non-formatted error that looks more like unreadable code. This alerts the user that the transaction is malicious and not a legitimate one.

Following is the screenshot of how the ongoing attack looks in the new Electrum wallet version:

Source: GitHub

Blockchain reporter says that “The Electrum Development team has identified some 33 malicious Electrum servers, though the total number is suspected to be between 40 and 50.”

You can head over to Reddit for more insights on this news.

Vijin Boricha
01 Aug 2018
3 min read

Chinese hackers use snail mails to send malware on board government PCs

Recently, Cisco and Huawei faced a major breach in their routers, where attackers used two different bypass methods. Hackers managed to compromise Cisco routers through a backdoor attack, while Huawei was a victim of botnets. This year has been crucial for big players targeted with modern cyber attacks like Meltdown and Spectre.

Who would have ever imagined a CD being the cause of a security breach in the year 2018? However, this time hackers have taken an old-school approach, or, must I say, one of the most unexpected methods of opening a backdoor to sensitive information. Packages with China postmarks ended up at several local and state government offices. Each envelope contained a rambling letter and a small CD. The letter included lengthy paragraphs about fireworks, parades, and the film industry, but nothing in particular. The CD contained a set of Word files that included script-based malware. These scripts were supposed to run when government officials opened the files on their computers, eventually compromising those systems.

People usually end up making blunders when they are confused or curious, and the hackers knew exactly how to kick the victims' curiosity and confusion into high gear. So far, State Departments of Cultural Affairs, State Historical Societies, and State Archives have received these packages, addressed specifically to them. The MS-ISAC claims that these CDs included Mandarin-language Microsoft Word (.doc) files, a few of which include malicious Visual Basic scripts.

It’s not very clear if anyone was tricked into inserting the disk in government systems. It's common sense that you don’t insert a random disk into your system, but that’s not always the case. In 2016, a study found that 50% of people plugged random USB devices found in public places into their systems.

The choice of government agencies receiving these packages looks quite strange, but maybe the hackers are looking to breach a system where they won’t be detected easily: the perfect spot from which to quickly attack a bigger target. Human curiosity can lead to an invention or a disaster, but in the security chain, humans are considered the most delicate link.

It’s quite obvious that you should not insert a random storage device into your systems, but here the hackers have shelled out a little cash to target victims still using CD-ROMs in this modern age. Now the only thing state agencies can hope for is that no one, accidentally or out of curiosity, inserts disks or USB devices of unknown origin into government systems.

Natasha Mathur
03 Dec 2018
4 min read

Reddit takes a stand against the EU copyright directives; greets EU redditors with ‘warning box’

The Reddit team has decided to take a stand against the EU copyright directive, announcing last week that EU Reddit users will now be greeted with a “warning box” on accessing Reddit via desktop. The warning box will provide users with information regarding the EU copyright directives (specifically Articles 11 and 13). It will also refer to resources and support sites. This is Reddit’s attempt to make EU users more aware of the law’s potential impact on the free and open internet.

This is not the first time Reddit has stood up against the controversial EU copyright law; it published a post updating users on the EU copyright directives two months ago.

“Article 13” talks about the “use of protected content by information society service providers storing and giving access to large amounts of works and other subject-matter uploaded by their users”. In a nutshell, any user-generated content, if found to be copyrighted on online platforms such as YouTube, Twitter, Facebook, Reddit, etc., would need to get censored by these platforms. “Article 11” talks about “Protection of press publications concerning digital uses”, under which sites would have to pay publishers if a part of their work is being shared by these sites.

“Under the new Directive, activity that is core to Reddit, like sharing links to news articles, or the use of existing content for creative new purposes (r/photoshopbattles, anyone?) would suddenly become questionable under the law, and it is not clear right now that there are feasible mitigating actions that we could take while preserving core site functionality”, says the Reddit team.

The Reddit team also argues that various similar attempts made in the past in different countries within Europe had “actually harmed publishers and creators”. Furthermore, Reddit has come out with a number of suggestions, in partnership with Engine and the Copia Institute, for ways to improve both proposals. Here are some of the fixes:

Suggestions for Article 11

  • Clarification is needed in detail about content requiring a license. There’s confusion regarding whether a single word would qualify for a license or a link.
  • More information is needed on what sites this proposal applies to. The current term “digital uses” is quite broad. For example, if the target is news aggregators, then make that explicit.
  • It should be made clear that this proposal is not applicable to individual users, but is meant only for large news collating sites.
  • Clarification should be made on what a “press publisher” is under the law. It could be interpreted to include all kinds of sites. Also, the fact that a press publisher does not include scientific journals and similar non-news-based publications should be made clear.

Suggestions for Article 13

  • Clarification is needed on what is meant by “appropriate and proportionate”, as it currently doesn't provide any guidance to sites online and can be incorrectly interpreted, leading to litigation and abuse.
  • There must be clear and significant penalties in place for providing false reports of infringement.
  • It should be the responsibility of the copyright holders to provide platforms with specific identifying content and ownership details, along with content information, when determining infringing works.
  • A “fair use-like exception” should be implemented in the EU to legalize memes, remixes, and other everyday online culture.

“We hope that today’s action will drive the point home that there are grave problems with Articles 11 and 13 and.. that EU lawmakers will listen to those who use and understand the internet the most and reconsider these problematic articles. Protecting rights holders need not come at the cost of silencing European internet users”, says the Reddit team.
Bhagyashree R
28 Nov 2018
4 min read

How the biggest ad fraud rented Datacenter servers and used Botnet malware to infect 1.7m systems

Yesterday, the Department of Justice charged eight men for their alleged involvement in a massive ad fraud that caused losses of tens of millions of dollars. A 13-count indictment was unsealed in the federal court in Brooklyn against these men. The charges included wire fraud, computer intrusion, aggravated identity theft, and money laundering, among others. They used two mechanisms for conducting this fraud: a datacenter-based scheme (Methbot) and a botnet-based scheme (3ve).

The eight accused men were Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev, and Yevgeniy Timchenko. According to the DOJ announcement, three of the men have been arrested and are awaiting extradition to the United States.

How was this ad fraud conducted?

Revenue generated by digital advertising depends on how many users click or view the ads on websites. The perpetrators faked both the users and the webpages. With the help of an automated program, the fraudsters loaded advertisements on fake web pages in order to generate advertising revenue. The Department of Justice, on its website, listed two schemes through which the accused were able to carry out this ad fraud:

Datacenter-based scheme

According to the indictment, in the period September 2014 to December 2016, the fraudsters operated an advertising network called Ad Network #1. This network had business arrangements with other advertising networks through which it received payments in return for placing advertising placeholders, or ad tags, on websites. Instead of placing these ad tags on legitimate publishers’ websites, Ad Network #1 rented more than 1,900 computer servers housed in commercial datacenters. With these datacenter servers, they loaded ads on fabricated websites and spoofed more than 5,000 domains.

To make it look as though a real user had viewed or clicked on the advertisement, they simulated the normal activities of a real internet user. In addition, they leased more than 650,000 IP addresses and assigned multiple IP addresses to each datacenter server. These IP addresses were then registered fraudulently to make it appear that the datacenter servers were residential computers belonging to individual human internet users.

Through this scheme, Ad Network #1 was able to generate billions of ad views and caused businesses to pay more than $7 million for ads that were never actually viewed by real human internet users.

Botnet-based scheme

The indictment further reveals that between December 2015 and October 2018, Ovsyannikov, Timchenko, and Isaev started another advertising network called Ad Network #2. In this scheme, they used a global botnet of malware-infected computers. The three fraudsters developed an intricate infrastructure of command-and-control servers to direct and monitor the infected computers. This infrastructure enabled the fraudsters to access more than 1.7 million infected computers, belonging to ordinary individuals and businesses in the United States and elsewhere. They used hidden browsers on those infected computers to download fabricated webpages and load ads onto those fabricated webpages. Through this scheme, Ad Network #2 caused businesses to pay more than $29 million for ads.

This is one of the most complex and sophisticated ad frauds, popularly named 3ve (pronounced “Eve”). U.S. law enforcement authorities, together with various private sector companies including White Ops and Google, began the process of dismantling the criminal cyber infrastructure utilized in the botnet-based scheme. 3ve infected computers with malicious software known as Kovter. As a part of the investigation, the FBI also discovered an additional cybercrime infrastructure committing digital advertising fraud, called Boaxxe. This infrastructure used datacenter servers located in Germany and a botnet of infected computers in the United States.

Google and White Ops investigators also realized that this was not a simple botnet, seeing how it evaded efforts to filter and contain its traffic. Scott Spencer, a Google product manager, told Buzzfeed: “The thing that was really different here was the number of techniques that they used, their ability to quickly respond when they thought they were being detected, and to evolve the mechanisms they were using in real time. We would start to filter traffic and we’d see them change things, and then we’d filter a different way and then they’d change things.”

The United States Computer Emergency Readiness Team (US-CERT) has published an alert which highlights the 3ve botnet's behavior and how it interacts with the Boaxxe and Kovter botnets. It also lists some measures to avoid getting affected by this malware.

To know more details about this case, check out the announcement by the Department of Justice.

Savia Lobo
04 Jul 2019
7 min read

YouTube’s ban on “instructional hacking and phishing” videos receives backlash from the infosec community

Updated: Mentioned MalwareTech's article, which shows a bigger picture of how YouTube’s ban can suppress education and the aspirants may turn to other shady websites to learn hacking, which is highly lethal. A month ago, in June, YouTube, in their blog post said, “The openness of YouTube’s platform has helped creativity and access to information thrive. It’s our responsibility to protect that, and prevent our platform from being used to incite hatred, harassment, discrimination, and violence.” YouTube said it plans to moderate content on its platform via three ways: By removing more hateful and supremacist content from the platform by banning supremacists, which will remove Nazis and other extremists who advocate segregation or exclusion based on age, gender, race, religion, sexual orientation, or veteran status. Reducing the spread of “borderline content and harmful misinformation” such as videos promoting a phony miracle cure for a serious illness, or claiming the earth is flat, etc. and recommend videos from more authoritative sources, like top news channels, in its “next watch” panel. Will suspend channels that repeatedly brush up against its hate speech policies from the YouTube Partner program. This means they will not be able to run ads on their channel or use other monetization features like Super Chat, which lets channel subscribers pay creators directly for extra chat features Following those lines, a few days ago, YouTube decided that it will ban all “instructional hacking and phishing” videos and listed it as “harmful or dangerous content” prohibited on its platform. YouTube mentioned that videos that demonstrate how to bypass secure computer systems or steal user credentials and personal data will be pulled from the platform. 
This recent addition to YouTube’s content policy is a big blow to all users in the infosec industry watching such videos for educational purposes or to develop their skills and also to the infosec Youtube content creators who make a living on maintaining dedicated channels on cybersecurity. The written policy first appears in the Internet Wayback Machine's archive of web history in an April 5, 2019 snapshot. According to The Register, "Lack of clarity about the permissibility of cyber-security related content has been an issue for years. In the past, hacking videos in years past could be removed if enough viewers submitted reports objecting to them or if moderators found the videos violated other articulated policies. Now that there's a written rule, there's renewed concern about how the policy is being applied". Kody Kinzie, a security researcher, educator, and owner of the popular ethical hacking and infosec YouTube channel, Null Byte, tweeted that on Tuesday they could not upload a video because of the rule. He said the video was created for the US July 4th holiday to demonstrate launching fireworks over Wi-Fi. https://twitter.com/KodyKinzie/status/1146196570083192832 After refraining Kinzie from uploading videos, he said that YouTube started to flag and remove his existing content and also issued a further strike on his channel. https://twitter.com/fuzz_sh/status/1146197679434883074 https://twitter.com/KodyKinzie/status/1146202025513771010 "I'm worried for everyone that teaches about infosec and tries to fill in the gaps for people who are learning," Kinzie said via Twitter. "It is hard, often boring, and expensive to learn cybersecurity." A lot of learners and the infosec community responded in support of Null Byte. YouTube then reversed its decision and removed the strikes, thereby restoring the channel to full functionality. 
https://twitter.com/myexploit2600/status/1146327656658550785 https://twitter.com/KodyKinzie/status/1146566379962695681 The YouTube policy page includes a list for content creators on things they should be careful of while uploading content. However, this is not a new policy and Youtube highlights, “the article now includes more examples of content that violates this policy. There are no policy changes.” According to Boing Boing, “This may sound like a commonsense measure but consider: the "bad guys" can figure this stuff out on their own. The two groups that really benefit from these disclosures are: Users, who get to know which systems they should and should not trust; and Developers, who learn from other developers' blunders and improve their own security.” A YouTube spokesperson told The Verge that Kody Kinzie’s channel was flagged by mistake and the videos have since been reinstated. “With the massive volume of videos on our site, sometimes we make the wrong call,” the spokesperson said. “We have an appeals process in place for users, and when it’s brought to our attention that a video has been removed mistakenly, we act quickly to reinstate it.” Dale Ruane, a hacker and penetration tester who runs a YouTube channel called DemmSec, told The Register via email that he believes this policy has always existed in some form. "But recently I've personally noticed a lot more people having issues where videos are being taken down," he said. "It seems adding video tags or titles which could be interpreted as malicious results in your video being 'dinged,'” he said. "For example, I made a video about a tool which basically provided instructions of how to phish a Facebook user. That video was taken down by YouTube after a couple of weeks." He also said, "I think the way in which this policy is written is far too broad. 
I also find the policy extremely hypocritical from a company (Google) that has a history of embracing 'hacker' culture and claims to have the goal of organizing the world's information."

YouTube has recently taken actions towards content moderation, like taking down videos fighting white supremacy alongside white supremacist content. Also, on May 30th, Vox host Carlos Maza tweeted a thread that pointed to a pattern of homophobic harassment from conservative pundit Steven Crowder on YouTube. In one of his comments, Crowder referred to Maza as a “little queer,” “lispy queer,” and “the gay Vox sprite.” After several days of investigation, YouTube said that Crowder did not violate the platform’s policies, but the company did not provide any insight into its process, and it chose to issue an unsigned statement via a reply to Maza on Twitter.

Following YouTube’s decision, some Google employees said this does not send a positive message to everyone. An employee said, “This kind of makes me feel like it would be okay if my coworkers started calling me a lispy queer”. “...It’s the latest in a long series of really, really shitty behavior and double-talking on the part of my employer as pertains to anything to do with queer shit.”

After a lot of opposition from people, YouTube opted to demonetize Crowder’s channel, citing “widespread harm to the YouTube community resulting from the ongoing pattern of egregious behavior.” The company has now also promised to “evolve its policies” on harassment in response to widespread backlash to these moves. A lot of YouTube creators have publicly derided the company for its decision, calling it an unsurprising move from a platform they feel has failed to properly address harassment.

Likewise, the recent taking down of videos that help a lot of users develop skills, out of fear that they could be misused, is not the right move either. Hackers can accomplish a lot without the help of these videos.
YouTube banning videos may not make the platform more secure, nor will it prevent attackers from exploiting defects. MalwareTech, in its blog post, mentions, “when it comes to hacking, it matters not what is taught, but how and by whom. Context is extremely important, especially with a potential audience of young and impressionable teens. Hacking tutorials will always be available no matter what, the only real question is where”. In its post, MalwareTech also shows the bigger picture of how YouTube’s ban can suppress education, so that aspiring learners may turn to shady websites to learn hacking, which is highly dangerous.