
Tech News - Security

470 Articles
Collection #1: 773 million email IDs compromised on a popular cloud storage; security researcher reports

Savia Lobo
18 Jan 2019
2 min read
The recent data breach in MEGA, a popular cloud service, leaked about 87GB of data, including 772,904,991 unique email addresses and over 21 million unique passwords, distributed in a folder dubbed "Collection #1" by hackers. This breach was first reported by security researcher Troy Hunt. The link to the dump was posted on a hacking forum but has since been taken down from the service.

https://twitter.com/haveibeenpwned/status/1085656743663693825

According to a Wired report, “While it’s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked.”

“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers. There’s no obvious patterns, just maximum exposure,” Hunt said.

Hunt has uploaded all the email addresses and passwords into his site, haveibeenpwned. This allows users to be notified when their email has been caught up in a breach, or to check whether a password has been exposed and has to be changed. Wired states that around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they are not simply duplicates from prior megabreaches.

“These are all plain text passwords. If we take a breach like Dropbox, there may have been 68 million unique email addresses in there, but the passwords were cryptographically hashed making them very difficult to use,” Hunt said. He also said that all this data was openly available to anyone on the popular cloud storage site and then on a public hacking site.

The only way to stay safe is to never reuse a password across multiple sites. Hunt says, “It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web.”

To know more about this breach in detail, visit Troy Hunt’s blog post.

The ‘Flock’ program provides grants to Aragon teams worth $1 million

Melisha Dsouza
30 Oct 2018
2 min read
The team at Aragon started their journey towards a decentralized model at the beginning of 2018. Now the vision has become a reality, with two teams contributing to Aragon's development: Aragon One and Aragon DAC. To further strengthen this effort, new Aragon teams need to be brought on board. This is why the team has been working on a program called ‘Flock’ for selecting new Aragon teams, which will provide a minimum grant of $1,000,000 for operational costs.

The Aragon project

For those who are not familiar with the Aragon project, it aims to disintermediate the creation and maintenance of organizational structures by using blockchain technology. It provides tools for users to become entrepreneurs and run their own organization while easily and securely managing it. Aragon organizations are powered by Ethereum, a global blockchain in which code and applications always run without any possibility of downtime or censorship. Traditional blockchain technology has a network of thousands of computers all over the globe. Users can set up their own nodes, and all the necessary data is replicated across the network, with a single shared point of cryptographically verifying the data. Alternatively, the decentralized design encouraged by Aragon prevents interference by a government or a malicious third party in the way an organization works.

What is Flock?

The Flock program has been released in alpha to structure grants to Aragon teams. The program will handle the initial application and pre-selection process for new Aragon teams. Independent teams will be selected to work on the core components and products of the Aragon project. The funds provided are intended to cover:

- The operational costs for research, development, and maintenance of the Aragon products and ecosystem for one year. The minimum amount of funds available for operations is $1 million.
- An incentivization package in ANT.

While the process of onboarding new teams will begin in the next few months, Aragon will be opening conversations with potential teams soon. You can head over to Aragon’s blog to know more about their decentralization initiative. Alternatively, visit their GitHub page to learn how to sign up your team with Aragon.

Researchers discover a new Rowhammer attack, ‘ECCploit’ that bypasses Error Correcting Code protections

Savia Lobo
23 Nov 2018
4 min read
Yesterday, researchers from the Vrije Universiteit Amsterdam’s VUSec group announced that a new Rowhammer attack, known as ECCploit, bypasses the ECC protections built into several widely used models of DDR3 chips. In their paper, titled ‘Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks’, the researchers write, “Many believed that Rowhammer on ECC memory, even if plausible in theory, is simply impractical. This paper shows this to be false: while harder, Rowhammer attacks are still a realistic threat even to modern ECC-equipped systems.”

The Rowhammer attack, discovered back in 2015, exploits an unfixable physical weakness in the silicon of certain types of memory chips and alters the data they store. As a defense against this attack, researchers developed an enhancement known as error-correcting code (ECC). ECC, present in higher-end chips, was believed to be an absolute defense against potentially disastrous bitflips that change 0s to 1s and vice versa. “Rowhammer can flip bits in ways that have major consequences for security, for instance, by allowing an untrusted app to gain full administrative rights, breaking out of security sandboxes or virtual-machine hypervisors, or rooting devices running the vulnerable DIMM.”

Kaveh Razavi, one of the VUSec researchers who developed the exploit, said, “ECCploit shows for the first time that it is possible to mount practical Rowhammer attacks on vulnerable ECC DRAM.”

Working of ECC

ECC uses memory words to store redundant control bits next to the data bits inside the DIMMs. CPUs use these words to quickly detect and repair flipped bits. The prime motive of the ECC design was to protect against a naturally occurring phenomenon in which cosmic rays flip bits in newer DIMMs. After Rowhammer’s appearance in 2015, ECC rose to popularity as it was arguably the most effective defense against the attack.

However, ECC has some limitations, which include:

- ECC generally adds enough redundancy to repair single bitflips in a 64-bit word.
- When two bitflips occur in a word, the underlying program or process crashes.
- When three bitflips occur in the right places, ECC can be completely bypassed.

According to Ars Technica, “The VUSec researchers spent months reverse-engineering the process, in part by using syringe needles to inject faults into chips and subjecting chips to a cold-boot attack. By extracting data stored inside the supercooled chips as they experienced the errors, the researchers were able to learn how computer memory controllers processed ECC control bits.”

Following is a video of the researchers using the cold-boot technique:

https://youtu.be/NrYWVEjEfw0

The researchers thus demonstrated that ECC merely slows down the Rowhammer attack and is not enough to stop it. They tested ECCploit on four hardware platforms:

- AMD Opteron 6376 Bulldozer (15h)
- Intel Xeon E3-1270 v3 Haswell
- Intel Xeon E5-2650 v1 Sandy Bridge
- Intel Xeon E5-2620 v1 Sandy Bridge

They said they “tested several memory modules from different manufacturers”. They also confirmed that a significant number of Rowhammer bitflips occurred in a type of DIMM tested by a different team of researchers.

Are all DDR chips affected?

The researchers haven't demonstrated that ECCploit works against ECC in DDR4 chips, a newer type of memory chip favored by higher-end cloud services. The paper also doesn’t show that ECCploit can penetrate hypervisors or secondary Rowhammer defenses. There's also no indication that ECCploit works reliably against endpoints typically used in cloud environments such as AWS or Microsoft Azure.

To know more about this in detail, visit the Ars Technica blog.
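To make the three-tier behaviour concrete (a single flip is repaired, a double flip is detected but not fixable, a triple flip in the right places slips through as if it were a successful correction), here is an added simulation of a textbook SECDED extended Hamming code over a 64-bit word. It is example code written for this page, not code from the VUSec paper or from any DRAM controller; the 72-bit layout, the function names and the sample data word are assumptions, and real controllers use their own layouts, which is what the researchers had to reverse-engineer.

```python
"""
SECDED (single-error-correct, double-error-detect) extended Hamming code
over a 64-bit data word: 64 data bits + 7 Hamming check bits + 1 overall
parity bit = 72-bit code word.  Constructed teaching example; not the
layout of any real memory controller.
"""

CODE_BITS = 72
# Positions 1..71 that are not powers of two carry data; positions
# 1, 2, 4, ..., 64 carry check bits and position 0 the overall parity bit.
DATA_POSITIONS = [p for p in range(1, CODE_BITS) if p & (p - 1)]
CHECK_POSITIONS = [1 << k for k in range(7)]
assert len(DATA_POSITIONS) == 64


def encode(word: int) -> int:
    """Map a 64-bit data word to its 72-bit SECDED code word."""
    bits = [0] * CODE_BITS
    for i, p in enumerate(DATA_POSITIONS):
        bits[p] = (word >> i) & 1
    # Check bit 2^k covers every position whose index has bit k set,
    # so that each such group ends up with even parity.
    for cp in CHECK_POSITIONS:
        bits[cp] = 0
        for p in DATA_POSITIONS:
            if p & cp:
                bits[cp] ^= bits[p]
    # Overall parity over positions 1..71 makes the whole word even parity.
    bits[0] = 0
    for p in range(1, CODE_BITS):
        bits[0] ^= bits[p]
    return sum(b << p for p, b in enumerate(bits))


def decode(code: int) -> tuple:
    """Return (status, word); status is 'ok', 'corrected' or 'uncorrectable'.

    'corrected' only means the decoder *believes* it repaired one flip; with
    three flips it confidently returns wrong data (see demo below).
    """
    bits = [(code >> p) & 1 for p in range(CODE_BITS)]
    syndrome = 0  # XOR of the indices of all set bits; 0 for a valid word
    for p in range(1, CODE_BITS):
        if bits[p]:
            syndrome ^= p
    overall = 0
    for b in bits:
        overall ^= b
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1 and syndrome < CODE_BITS:
        # Odd number of flips: the decoder assumes exactly one, at `syndrome`.
        bits[syndrome] ^= 1
        status = "corrected"
    else:
        # Even number of flips (or impossible syndrome): detected, not fixable.
        # A memory controller raises a fatal ECC error here; the process dies.
        status = "uncorrectable"
    word = sum(bits[p] << i for i, p in enumerate(DATA_POSITIONS))
    return status, word


def flip(code: int, positions) -> int:
    """Simulate bit flips at the given code-word positions."""
    for p in positions:
        code ^= 1 << p
    return code


def demo(word: int, positions) -> tuple:
    """Return (status, data_intact) after flipping `positions` in encode(word)."""
    status, out = decode(flip(encode(word), positions))
    return status, out == word


if __name__ == "__main__":
    w = 0x0123456789ABCDEF  # constructed sample data word
    print("1 flip :", demo(w, [10]))       # ('corrected', True)
    print("2 flips:", demo(w, [10, 20]))   # ('uncorrectable', False)
    # Three flips whose indices XOR to 0 look exactly like a single flip of
    # the overall-parity bit: the decoder reports success, the data is wrong.
    print("3 flips:", demo(w, [3, 5, 6]))  # ('corrected', False)
```

Any three distinct flips miscorrect in this code, not only the chosen positions; "the right places" in the article refers to finding a triple the real controller's undocumented code treats the same way.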

Mozilla partners with ProtonVPN to test a paid VPN service for Firefox, reports Ghacks

Bhagyashree R
22 Oct 2018
4 min read
Yesterday, Ghacks reported that Mozilla has partnered with a Swiss VPN provider named ProtonVPN. They are currently testing its VPN service with a sample of Firefox 62 users in the United States, and this test starts on October 24th. Users who connect to an unencrypted wireless network, or visit privacy-focused websites or streaming sites, might see a recommendation from Firefox. The recommendation confirms that Mozilla has selected ProtonVPN as the partner for this test and also shows the price of the subscription. This price matches the price users pay for a monthly ProtonVPN subscription ($10 monthly) when they subscribe directly on the ProtonVPN website.

Why use a VPN?

In case you are wondering what a Virtual Private Network (VPN) is, it is an encrypted connection over the internet from a device to a network. This encrypted connection ensures safe transmission of sensitive data and prevents unauthorized people from eavesdropping. It makes use of tunneling protocols such as PPTP, L2TP/IPSec, SSTP, and OpenVPN to establish a secure connection. With a VPN, users working at home, on the road, or at a branch office can securely connect to a remote corporate server over the internet. From the user’s perspective, it is a point-to-point connection between the user's computer and a corporate server. The nature of the intermediate network is irrelevant to the user because it appears as if the data is being sent over a dedicated private link.

Why is Mozilla partnering with ProtonVPN?

Mozilla conducted a thorough evaluation of a long list of market-leading VPN services based on a wide variety of factors, including the design and implementation of each VPN service. As a result of this evaluation, they selected ProtonVPN for this experiment. According to Mozilla, ProtonVPN offers a secure, reliable, and easy-to-use VPN service. ProtonVPN comes with the following advantages:

- Strong security practices for better protection against hacking attempts.
- It does not store or log information about its users' browsing.
- It follows the same mission as Mozilla: to improve data safety and security on the Web.

Mozilla also issued an announcement yesterday, explaining their decision to partner with ProtonVPN: “Mozilla will be the party collecting payment from Firefox users who decide to subscribe. A portion of these proceeds will be shared with ProtonVPN, to offset their costs in operating the service, and a portion will go to Mozilla. In this way, subscribers will be directly supporting Mozilla while benefiting from one of the very best VPN services on the market today.”

According to Ghacks, this partnership will provide Mozilla another way of generating revenue: “Mozilla has two main intentions when it comes to the new offering. First, to add a new revenue stream that is independent of the money that the organization gets from search engine companies like Google. The affiliate revenue earned from promoting the VPN in Firefox would reduce the stranglehold that search engine companies have on Mozilla. The bulk of Mozilla's revenue comes from deals with search engine companies like Google or Yandex. The second reason is that VPNs improve user privacy and security on the Internet. VPNs like ProtonVPN include security features that block certain attacks outright and they hide the IP address of the user device.”

Although the introduction of a VPN can give users better security while browsing the internet, the monthly charge of $10 is a bit steep. Also, since Firefox will be getting a share of the $10/month revenue if users subscribe to the service, it feels like a promotion of the VPN. It would have been much better if Mozilla had come up with their own VPN.

To know more about Mozilla testing ProtonVPN, check out the full story at ghacks.net and also read Mozilla’s official announcement.

Note: Yesterday, we reported that the test would begin on the 22nd. We have now corrected the date to the 24th, according to the official announcement. We have also added the criteria on which Mozilla selected ProtonVPN and the reason they are partnering with them.

Facebook discussions with the EU resulted in changes of its terms and services for users

Natasha Mathur
11 Apr 2019
3 min read
Earlier this week, Facebook updated its terms and services after discussions with the European Commission and consumer protection authorities. Facebook will now clearly explain how it leverages users' data to create “profiling activities and target advertising”, which in turn helps it make money. As per the new terms and services, Facebook will have to provide details on:

- the services it sells to third parties based on the user's data;
- how consumers can close their accounts, and for what reasons a user's account can be disabled;
- the nature of the research activities conducted by Facebook itself or with third-party business partners;
- reducing the number of clauses in the contract that apply to a user’s account even after the termination of the account. Facebook will also inform consumers of these cases.

The new terms of service are aimed at providing full disclosure of Facebook's business model to users in understandable and plain language. This is great, since a new Adtech Market research report by the Information Commissioner’s Office states that 61% of users disagree that they’d prefer to see adverts on websites that are relevant to them, while 59% feel that they have no control over which advertisements are shown to them. Hopefully, as more users are made aware of what goes on behind social media advertising, we can expect to see a drop in these numbers.

"Today Facebook finally shows commitment to more transparency and straightforward language in its terms of use... Now, users will clearly understand that their data is used by the social network to sell targeted ads...”, said Vera Jourová, Commissioner for Justice, Consumers and Gender Equality.

As per the statement from the European Union, after the Cambridge Analytica scandal, Facebook was requested to clearly inform its users how it is financed and the revenues that it makes by leveraging users’ data. Facebook was also requested to align its terms of service with EU consumer law.

Apart from that, Facebook has also changed:

- its policy on the limitation of liability, and now acknowledges its responsibility in case of negligence (e.g. data mishandling by third parties);
- its power to unilaterally change terms and conditions, by limiting it to cases where the changes are reasonable;
- the rules around temporary retention of content that has been deleted by consumers. Such content can only be retained in a few cases (e.g. in compliance with an enforcement request by an authority);
- the language clarifying users' right to appeal when their content has been removed.

The EU states that Facebook will complete the implementation of all commitments by the end of June 2019. The Commission and the Consumer Protection Cooperation network will closely monitor the implementation. If Facebook fails to fulfill its commitments, national consumer authorities could then resort to enforcement measures including sanctions.

For more information, check out the official updated Facebook terms of service.

Cisco announces severe vulnerability that gives improper access controls for URLs in its Small Business routers RV320 and RV325

Savia Lobo
29 Jan 2019
2 min read
Last week, Cisco announced a severe vulnerability in the web-based management interface of its Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability could allow an unauthenticated, remote attacker to retrieve sensitive information. Cisco's advisory states that the vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to the affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information.

Cisco routers vulnerable to CVE-2019-1653

According to a Bad Packets report, they scanned around 15,309 unique IPv4 hosts and determined that 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653. Their report states:

- 6,247 out of 9,852 Cisco RV320 routers scanned are vulnerable (1,650 are not vulnerable and 1,955 did not respond to our scans)
- 3,410 out of 5,457 Cisco RV325 routers scanned are vulnerable (1,027 are not vulnerable and 1,020 did not respond to our scans)

Source: Bad Packets report

This vulnerability affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running Firmware Releases 1.4.2.15 and 1.4.2.17. Cisco has released firmware updates to address this vulnerability. However, they mention that there are no workarounds that address it.

To know about this news in detail, visit Cisco’s official website.
ESA’s E3 web security negligence endangers more than 2000 game media journalists, investors, after accidental leak exposes PII data

Savia Lobo
05 Aug 2019
4 min read
A few days ago, the Entertainment Software Association accidentally leaked a spreadsheet including the personal information of about 2,025 games industry journalists, content creators and video producers on its E3 (Electronic Entertainment Expo) website, making it publicly available. The information, including details such as names, publications, home addresses, email addresses, and phone numbers, was captured when they registered for E3. Hackers or bad actors can use this information to harass journalists or investors.

The existence of this spreadsheet was first reported by a journalist, Sophia Narwitz, who posted it on her personal YouTube channel on Friday, August 2. In the video, Narwitz described, “On the public E3 website was a web page that carried a link simply titled ‘Registered Media List.’ Upon clicking the link, a spreadsheet was downloaded that included the names, addresses, phone numbers, and publications of over 2,000 members of the press who attended E3 this past year.”

ESA told VentureBeat, “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”

Narwitz tweeted that a group of journalists has been focusing on discrediting her: “Given that the ESA just caused a lot of suffering for many game journalists, I actually hate being on the offensive here, but the way folks in the media are lying about me and trying to bury me, it makes me really wanna scream about their lack of ethics.”

https://twitter.com/Grummz/status/1157882288631246848

Although the E3 website has been updated and the link to the spreadsheet no longer exists, a cached version of the site does “show a link titled ‘Registered Media List’ used to appear on a ‘Helpful Links’ page. For some time yesterday, even after this page was removed, clicking on the link in the easily-accessible Google cached version of the page would download the spreadsheet from the E3 website’s servers,” states Kotaku, a video game website and blog.

ESA, in a statement to GamesIndustry.biz, said it provides “ESA members and exhibitors a media list on a password-protected exhibitor site so they can invite you to E3 press events, connect with you for interviews, and let you know what they are showcasing. For more than 20 years there has never been an issue.”

This accidental leak has serious potential to damage ESA’s image, given that E3 is a prestigious event that companies pay the organization a lot of money to show up to. Also, “the ESA website was likely also accessible from Europe, and it contained info for European members of the press. That could turn this into a GDPR (General Data Protection Regulation) issue,” VentureBeat reports.

Users and gamers who attended E3 are disappointed and angry over ESA's “accidental leak”. Some users say ESA should have been more careful about its security measures and taken precautions to protect the personal information of thousands of journalists.

https://twitter.com/Dom_Pepin/status/1157772465445179392

Nathan Ditum, an Editor at PlayStation Access who attended E3 this year, tweeted, “Many journalists and content creators are freelancers and work from home addresses. This leak isn't just clumsy, it's a real cause for concern.”

https://twitter.com/NathanDitum/status/1157744239045988353

A content creator with the handle @Parris tweeted that he is “getting random texts saying they have my personal info, including my home address and putting my family at risk.”

https://twitter.com/vicious696/status/1157642132779237377

A gaming news commentator at SDGC tweeted, “The ESA's carelessness and negligence has put the private information of thousands of games media employees in the hands of harassers.”

https://twitter.com/DerekOfTheD/status/1157500146189553664

A user on Reddit writes, “There's a legitimate question of whether there will even be an E3 next year after this. Because there's absolutely no question that the ESA is getting sued heavily over this. Especially since European journalists are on this. Which means the ESA's going to be subject to GDPR. It's hard to really overstate how potentially devastating this is going to be for them.”

Another Reddit user writes, “What's unforgivable is at this point, things like this have happened so many times and you still have people who refuse to take their security seriously and double-check their work. It's just negligent at this point.”

https://twitter.com/Futterish/status/1157751307131924481

Tim Cook criticizes Google for their user privacy scandals but admits to taking billions from Google Search

Amrata Joshi
20 Nov 2018
3 min read
In September, Goldman Sachs estimated that almost $9 billion in revenue is coming to Apple from Google for being the built-in search engine in Apple’s Safari web browsers. Until then, Apple had never talked about its revenue stream from Google. However, last week, Apple CEO Tim Cook took part in an interview on Axios on HBO. In the interview, he was asked if he agreed with taking billions of dollars from Google. He casually replied, “I think their (Google’s) search engine is the best”. He also admitted that the Apple-Google partnership was not "perfect."

He further defended Apple’s multi-billion dollar deal with Google search by pointing to the additional security measures Apple has added to Safari to "help" users better navigate the Google search engine. These include private web browsing and intelligent tracker prevention. He stated in the interview, "Look at what we've done with the controls we've built in. We have private web browsing. We have an intelligent tracker prevention. What we've tried to do is come up with ways to help our users through their course of the day. It's not a perfect thing. I'd be the very first person to say that. But it goes a long way to helping."

Apple has been quite vocal about not selling targeted advertisements based on user information. Cook has criticized Google, Facebook, and other social media platforms for mishandling user privacy. He has claimed that Apple’s business model depends on selling hardware such as smartphones and tablets and that they are very particular about user privacy. Last month, Cook also gave a speech at a privacy conference in Brussels where he raised his concerns about privacy on various social media platforms. He also called for new digital privacy laws in the United States. His concerns involved users' personal data collection by companies, data manipulation, and lack of surveillance.

People on the internet are not much in favor of this news. Twitter users are raising eyebrows at Cook’s casual statement and the fact that Apple is taking millions of dollars from Google even though it disagrees with Google's policies in the first place.

https://twitter.com/b_fung/status/1064552025864765441

https://twitter.com/christianring/status/1064614295395282947

Apple was previously using Bing as its default search engine in 2017. However, the company switched to Google because it faced consistency issues with Bing. It’s still not certain whether the main reason to switch to Google was the company’s expectation of consistent results or the multi-billion dollar deal! You can see a snippet of Tim Cook’s interview on Axios.

This fun Mozilla tool rates products on a ‘creepy meter’ to help you shop safely this holiday season

Sugandha Lahoti
15 Nov 2018
2 min read
Mozilla has come up with a fun creepy product rater and guide to help people be aware of privacy issues by helping them shop for safe products this holiday season. Their opening line: “Teddy bears that connect to the internet. Smart speakers that listen to commands. Great gifts—unless they spy on you. We created this guide to help you buy safe, secure products this holiday season.”

Source: Mozilla

When you click on a product, you can see a description, a creepiness rater, a ‘how likely to buy it’ option, and different privacy-related questions and answers. “It is a super fun poke by Mozilla at the overwhelming majority of the technology industry who treat privacy as a nuisance at best and as a non-event at worst,” said a Hacker News user. It may be Mozilla’s way of illustrating their mission of being advocates for privacy.

Some people also disagreed with Mozilla’s jibe. “The page looks to be targeted at consumers, with the 'creepy' meter that changes as you scroll. However the PS4 and Xbox are considered 'A little creepy' and a sous vide cooker is listed as 'Somewhat creepy'. Despite the arguments made on the respective pages for why they are creepy (generally "Shares your information with 3rd parties for unexpected reasons") I don't think any consumer on the planet is going to consider any of those gifts even slightly creepy.”

“This list definitely feels very shallow and disconnected from any deeper reasoning about specific security practices, business models, whether a net connection is actually required or not, etc. It's a popularity poll at best, and the actionable advice is minimal. It's a bit disappointing coming from Mozilla, at least to the extent that it's a wasted opportunity on something that the public is growing more aware of,” said a Hacker News user.

Most people agree that this is just a fun poll by Mozilla without any serious implications. Read more such Hacker News comments. Also, have a look at Mozilla’s guide.
Reddit posts an update to FireEye’s report on suspected Iranian influence operation

Natasha Mathur
03 Sep 2018
3 min read
After FireEye’s announcement two weeks ago of a suspected influence operation in Iran (using a network of fake news sites), Reddit started its own investigation into these suspicious websites. Just two days ago, Reddit shared the findings of its investigation. It also consulted with third parties to dig deeper into the matter and gather more relevant information.

The influence group in Iran is leveraging the inauthentic websites “to promote political narratives in line with Iranian Interests”. These narratives comprise anti-Saudi, anti-Israeli, and pro-Palestinian themes. They also provide support for U.S. policies which are favorable to Iran, such as the U.S.-Iran nuclear deal (JCPOA).

According to Reddit, 143 accounts have been uncovered so far that are suspected to be linked to this influence group. The majority (126) of these accounts were created between 2015 and 2018, with a few (17) dating back to 2011. More than 51 accounts had already been banned by Reddit before the investigation began, as part of its trust and safety practices. Additionally, no ads were posted by these accounts on Reddit.

These accounts were found to be focused on discussing subjects that are important to Iran, such as criticism of US policies in the Middle East, negative sentiment toward Saudi Arabia and Israel, and discussions regarding Syria and ISIS. Around 60% of the accounts had karma below 1,000, of which 36% had zero or negative karma. However, a minority (40%) of the accounts had more than 1,000 karma.

Reddit is planning to keep these accounts, with their varied karma levels, public. This is to make the moderators, investigators, and users on Reddit more aware of the tactics that foreign agents could attempt to use. However, Reddit will be removing some of the accounts in the future.

Reddit found the behavior of these accounts notable in that, even though their overall influence was low, some of them were still able to gain traction. It was noted that these accounts would share news and articles aligned with Iran’s political narrative, such as highlighting civilian deaths in Yemen. The investigation is, according to Reddit, a tribute to the “incredible vigilance” of the Reddit community.

Reddit is now planning to develop a trusted reporter system which will be able to better separate useful information from the junk. It is also investing in advanced detection and mitigation methods. “Our actions against these threats may not always be immediately visible to you, but this is a battle we have been fighting, and will continue to fight for the foreseeable future. And of course, we’ll continue to communicate openly with you about these subjects,” says the Reddit team.

For more information, read the official FireEye report.

Read next
Google’s Protect your Election program: Security policies to defend against state-sponsored phishing attacks, and influence campaigns
Intel faces backlash on Microcode Patches after it prohibited Benchmarking or comparison
Mac users affected by ‘Shlayer Trojan’ dropped via a Steganography-based Ad Payload; Confiant and Malwarebytes report

Savia Lobo
25 Jan 2019
2 min read
Recently, Confiant and Malwarebytes analyzed a steganography-based payload which was used by a "malvertizer", dubbed "VeryMal" by the two firms, to infect Macs. According to the firms, the ad carrying the attempted attack was viewed on as many as 5 million Macs. The campaign was active from 11th January 2019 until 13th January 2019. Confiant detected and blocked 191,970 impressions across its publisher customers. The firms said that only US visitors were targeted in this campaign.

According to Confiant, for the Mac users who saw the ad, the attack displayed notices that Adobe Flash Player needed to be updated and prompted the users to open a file that the browser would attempt to download. The download, when accepted and run, infected the user’s Mac with the Shlayer trojan. The image could be viewed without harm despite containing the payload. It is harmful only when code is run against the file to extract the payload, after which the browser is redirected to a link included in the payload.

Eliya Stein, Security Engineering and Research at Confiant, writes, “As malvertizing detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”

The same malicious actor, VeryMal, had performed a similar attack at the end of December 2018: 437,819 impressions were detected and blocked by Confiant across two December campaigns, with US targeting split between Mac OS and iOS. This latest attack, however, used a method that was harder to detect.

Malware “is not only limited to advertising-based attacks, with reports in September noting even some apps in the Mac App Store were performing malicious actions, such as extracting a user's data”, according to an Apple Insider report.

To know more about how Confiant and Malwarebytes carried out this analysis, visit Eliya Stein’s blog post on Medium.

Read next
Twitter memes are being used to hide malware
Privilege escalation: Entry point for malware via program errors
Bo Weaver on Cloud security, skills gap, and software development in 2019
Flickr says Creative Commons photos won’t be subject to 1,000 picture limit

Fatema Patrawala
11 Mar 2019
2 min read
On November 1st, 2018 Flickr announced that it would be limiting free accounts to just 1,000 pictures. But it recently made an exception: while it would be deleting any pictures on accounts over that number, any Creative Commons licensed photos uploaded before the November 1st, 2018 deadline would be allowed to stay. Last Friday, the company made the policy permanent — all Creative Commons photos will be allowed on Flickr for good, regardless of upload date, even on accounts that would otherwise have surpassed the 1,000 picture limit.

In light of this change, Flickr also removed the ability to change licenses on photos on the site in bulk. This makes it difficult for users to just hit a button and circumvent the 1,000 picture limit. That’s for good reason, too: the company says it wants users to think about and understand the consequences of making a photo open to use by anyone under a Creative Commons license before they flip the switch to avoid the limit. It’s unclear if users already at the 1,000 photo limit will be able to upload new Creative Commons photos past that, but that seems to be what Flickr is implying.

Additionally, Flickr is adding “In memoriam” accounts for users that have passed away, which will lock the account and preserve all the pictures on it. It is available for Pro users too, who would otherwise end up over the 1,000 picture limit when their subscription inevitably lapses. For this, Flickr has put up a page to submit accounts which can be memorialized. Upon receiving a request on the page, Flickr evaluates whether the account qualifies to be memorialized. The account’s username will then be updated to reflect the “in memoriam” status, and login for the account will be locked to prevent anyone from signing in.

Lastly, Flickr also announced that it will finally be removing the last major vestige of the company’s former Yahoo stewardship. It has decided to do away with the mandatory Yahoo login requirement, and will also transition existing accounts away from Yahoo over the next few weeks.

Read next
RSA Conference 2019 Highlights: Top 5 cybersecurity products announced
Google Cloud security launches three new services for better threat detection and protection in enterprises
Three major Australian political parties hacked by 'sophisticated state actor' ahead of election

Melisha Dsouza
19 Feb 2019
3 min read
Yesterday, Australia’s Prime Minister Scott Morrison revealed that “a sophisticated state actor” was behind a cyber attack on the Australian Parliament's computing network that also affected the networks of major political parties. First reported by The Guardian, the attack affected the computer networks of the Liberal Party and the Nationals, as well as the opposition Labor Party, only three months before the Parliamentary election in May.

Morrison told reporters that “Our cyber experts believe that a sophisticated state actor is responsible for this malicious activity”. In a statement to parliament on Monday, he said there was no evidence of electoral interference and that measures were taken to “ensure the integrity of our electoral system”. This intrusion into the networks of political parties was detected by agencies investigating the attack on the Parliament House network. He said security agencies had “acted decisively” to confront the incursion and were “securing these systems and protecting users”.

Australian Cyber Security Centre head Alastair MacGibbon stated that the agency was currently unable to say whether or not data had been stolen, because all the agencies involved were "acting extraordinarily quickly and very openly, so we are piecing together all of the events." There is no evidence as to which country was behind the intrusion, and no comment on how deeply the attack had penetrated the computer networks.

The news comes just months after the Assistance and Access Bill was passed, which allows the police to tell apps like WhatsApp and Signal to build in so-called “backdoors” to give investigators access to the contents of messages, to assist in any investigation of a cyber offense. However, security experts were unanimously against backdoors, since once such a mechanism has been implanted in an app, it creates a target for other countries’ spy agencies and corporate spies to see what people are discussing.

Users on Twitter and Hacker News have expressed strong sentiments on this news. One user blames the government's choices, like weakening the encryption in apps through the new law, for having led to this attack. Other users are speculating about Russia’s hand in this attack. The Sydney Morning Herald stated that just four states — China, Russia, Israel, and the United States — have the capability to perform such an attack.

https://twitter.com/Sunflower15661/status/1097322875042910208
https://twitter.com/admburns/status/1097402032833679360

Head over to BBC for more insights on this news.

Read next
Australian intelligence and law enforcement agencies already issued notices under the ‘Assistance and Access’ Act despite opposition from industry groups
Australia’s Facial recognition and identity system can have “chilling effect on freedoms of political discussion, the right to protest and the right to dissent”: The Guardian report
Australia passes a rushed anti-encryption bill “to make Australians safe”; experts find “dangerous loopholes” that compromise online privacy and safety
3 out of 4 users don’t know Facebook categorizes them for ad targeting; with political and racial affinity being some labels: Pew Research

Natasha Mathur
17 Jan 2019
4 min read
Yesterday, the Washington-based Pew Research Center released a report that shares the results of its survey based on Facebook user data. The survey was conducted on a sample of Facebook users (963 U.S. Facebook users aged 18 years and above) who were asked to give their opinion on the data collected about them by the platform. The nationally representative survey was conducted by the Pew Institute between September 4, 2018, and October 1, 2018.

Respondents were asked to answer a series of questions related to the content present on the Facebook ad categories page. Facebook allows its users to view a “partial compilation” of how they are classified on its “Your ad preferences” page. All the results of this analysis are based on these self-reported answers. Let’s have a look at the key findings from the survey.

60% of Facebook users are assigned 10+ categories on their ad preferences page

The report states that the Facebook ad preferences page consists of a “your categories” tab, i.e. a list of a user’s interests inferred by Facebook’s algorithm from content that they have posted, liked, commented on or shared.

Pew Institute survey

As per the survey results: 88% of Americans said that they are assigned categories in this system, while 11% saw a message saying, “You have no behaviours” on the ad preferences page. A large majority of Facebook users have 10 or more categories listed on the page. Six-in-ten Facebook users said that their preferences page listed either 10 to 20 (27%) or 21 or more (33%) categories for them. 27% noted that their list had fewer than 10 categories. 40% of users who go on Facebook multiple times a day are listed in 21 or more categories, as compared to 16% of the “less-than-daily” Facebook users. Facebook users who have been on the platform for 10 years or longer (44%) are more likely to be listed in 21 or more categories than those with less than five years of Facebook experience (22%).

74% of Facebook users didn’t know the platform lists their interests for advertisers

As per the survey results: Three-quarters of Facebook users (74%) did not know the list of categories existed on Facebook, with 12% saying that they were aware of it. 59% of Facebook users say the list was very (13%) or somewhat (46%) accurate about their interests, while 27% of them found the list not very (22%) or not at all (5%) accurate.

Pew Institute survey

Almost half of Facebook users (51%) said that they were not comfortable with Facebook creating the ‘interests list’. 5% of Facebook users were very comfortable with the list and another 31% said that they are somewhat comfortable.

Facebook’s political and ‘racial affinity’ labels don’t necessarily match users’ views

Facebook assigns political labels to its users. Users who are assigned a political label are equally divided between “liberal or very liberal” (34%), “conservative or very conservative” (35%) and “moderate” (29%).

Pew Institute survey

As per the survey results: Close to three-quarters (73%) of those assigned a label say the listing is ‘very accurate’ or ‘somewhat accurate’ about their views. However, 27% say the label is not very or not at all accurate. Facebook’s algorithm also assigns some of its users to groups by “multicultural affinity”, which are assigned to a user whose activity “aligns with” certain cultures. About 21% of Facebook users say they are assigned such an affinity. 60% of the Facebook users assigned a multicultural affinity say they have a “very” or “somewhat” strong affinity for the group they were assigned, while 37% say they do not have a strong affinity. 57% of the Facebook users assigned a group say they consider themselves a member of that group, with 39% saying they are not members of that group.

“We want people to understand how our ad settings and controls work... while we and the rest of the online ad industry need to educate people on how interest-based advertising works and how we protect people’s information, we welcome conversations about transparency and control”, Facebook told The Verge.

Check out the official Pew Research Center report here.

Read next
Privacy International shares its findings on how popular Android apps send user data to Facebook without user consent
NYT says Facebook has been disclosing personal data to Amazon, Microsoft, Apple and other tech giants; Facebook denies claims with obfuscating press release
ProPublica shares learnings of its Facebook Political Ad Collector project
Signal to roll out a new privacy feature in beta, that conceals sender’s identity!

Melisha Dsouza
30 Oct 2018
4 min read
Worried about the privacy of your messages and chats? It’s about time you start considering the use of ‘Signal’. As if end-to-end chat encryption wasn’t enough, Signal is now rolling out a new feature in Beta that will further hide a sender's “from” information and conceal their identity. The logic behind implementing this feature is simple: while the service always needs to know where a message should be delivered, ideally it shouldn’t need to know who the sender is. First, let's understand how communication takes place traditionally, before exploring this feature.

The traditional method of sending messages

A Signal client sends a message by connecting to the service over TLS; authentication takes place, and the encrypted message contents are sent to the destination. The authentication process is supposed to:
1. Validate the sender’s identity, to help prevent spoofing and help the recipient understand who sent the message.
2. Use the sender’s identity to apply rate limiting and abuse protection.

The latest beta release is designed to further limit another piece of information the service holds about its users: who is messaging whom. Communication will now take place in 3 simple steps:
1. The app hides the sender’s information inside the envelope of an encrypted message using Signal Protocol. The sender’s “from” information is removed from the outside of the message’s envelope.
2. It is replaced with a short-term certificate containing the sender’s phone number, public identity key and an expiry time, which is used to prove the sender’s identity. The whole envelope is encrypted again.
3. Once the message is delivered, the recipient’s device validates the certificate and decrypts the message as it normally would, without exposing the sender’s identity at any point.

In order to implement the new feature and still ensure the authenticity of the sender, the following mechanisms have been included:

#1 Sender certificates

To prevent spoofing of messages, clients periodically retrieve a short-lived sender certificate containing the client’s phone number, public identity key, and an expiration timestamp, thus attesting to their identity. Clients can include the sender certificate when a message is sent, and receivers of the message can easily check its validity.

#2 Delivery tokens

To take steps against abuse, clients derive a 96-bit delivery token from their profile key and register it with the service. The service requires that clients prove their knowledge of the delivery token for a user in order to transmit messages to that particular user. Profiles are shared with contacts, with other people or groups whom users explicitly approve, and in conversations that they create. This allows delivery tokens to be seamlessly exchanged behind the scenes. Since knowledge of a user’s profile key is necessary to derive that user’s delivery token, this restricts “sealed sender” messages to contacts, who are less likely to require rate limits and other abuse protection. Additionally, blocking a user who has access to a profile key will trigger a profile key rotation.

#3 Encryption

Signal Protocol is used to encrypt message contents end-to-end. The “envelope” containing the sender certificate as well as the message ciphertext is also encrypted using the sender and recipient identity keys.

Signal has never retained much of its users’ data. This was proved two years ago when the FBI demanded that Signal turn over all the data it had on one particular user. But the question is, with social media platforms being misused by criminals to post attack threats, will a feature like this make Signal a haven for unscrupulous elements? Does Signal also have a plan to tackle issues such as hate speech recognition on its platform?
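To make the sealed sender flow and the three mechanisms above concrete, here is an added toy model in Python (not Signal's code and not the Signal Protocol): the service checks only the recipient's delivery token and stores an opaque envelope, while the recipient decrypts the envelope, validates the sender certificate's tag and expiry, and only then reads the message. The HMAC-tagged certificate, the token derivation, the SHA-256 keystream cipher, the shared secret standing in for the identity-key agreement, and the phone numbers are all stand-ins and constructed values.

```python
import hashlib
import hmac
import secrets

# Stand-ins for the real primitives (assumptions, not Signal's code): the service
# "signs" sender certificates with an HMAC key, and the envelope is encrypted with
# a SHA-256 keystream under a shared secret standing in for the identity-key agreement.
SERVICE_KEY = secrets.token_bytes(32)

def derive_delivery_token(profile_key: bytes) -> bytes:
    """96-bit (12-byte) delivery token derived from the profile key (KDF is an assumption)."""
    return hmac.new(profile_key, b"delivery-token", hashlib.sha256).digest()[:12]

def issue_sender_certificate(phone: str, identity_key: bytes, expiry: int) -> bytes:
    """Service issues a short-lived certificate: phone | identity key | expiry, plus a tag."""
    body = f"{phone}|{identity_key.hex()}|{expiry}".encode()
    return body + b"#" + hmac.new(SERVICE_KEY, body, hashlib.sha256).hexdigest().encode()

def verify_sender_certificate(cert: bytes, now: int):
    """Recipient check: authentic tag and not expired. Returns (phone, identity_key) or None."""
    body, _, tag = cert.rpartition(b"#")
    expected = hmac.new(SERVICE_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    phone, key_hex, expiry = body.decode().split("|")
    if now > int(expiry):
        return None
    return phone, bytes.fromhex(key_hex)

def toy_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric keystream XOR (no integrity protection): stand-in for Signal Protocol."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(cert: bytes, plaintext: bytes, shared_secret: bytes) -> bytes:
    """Encrypt the message, then encrypt the envelope (certificate + ciphertext) again.
    Nothing outside the outer layer names the sender."""
    inner = toy_xor(shared_secret + b"msg", plaintext)
    envelope = len(cert).to_bytes(2, "big") + cert + inner
    return toy_xor(shared_secret + b"env", envelope)

def unseal(sealed: bytes, shared_secret: bytes, now: int):
    """Recipient opens the envelope, validates the certificate, then reads the message."""
    envelope = toy_xor(shared_secret + b"env", sealed)
    n = int.from_bytes(envelope[:2], "big")
    identity = verify_sender_certificate(envelope[2:2 + n], now)
    if identity is None:
        return None
    return identity[0], toy_xor(shared_secret + b"msg", envelope[2 + n:])

class Service:
    """Relay: holds one delivery token per recipient; sees only recipient + opaque bytes."""
    def __init__(self):
        self.tokens = {}
        self.mailbox = {}

    def register_token(self, recipient: str, token: bytes):
        self.tokens[recipient] = token

    def deliver(self, recipient: str, token: bytes, sealed: bytes) -> bool:
        expected = self.tokens.get(recipient)
        if expected is None or not hmac.compare_digest(expected, token):
            return False  # abuse control without learning who the sender is
        self.mailbox.setdefault(recipient, []).append(sealed)
        return True
```

Note that the relay never sees the sender's phone number: a wrong or missing delivery token is rejected before anything is stored, and an expired or altered certificate is rejected by the recipient, not by the service.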
The Beta releases that support sealed sender will be rolling out over the next few days. Users are advised to update all of their devices to use this new feature. Head over to the Signal Blog for more insights on this news.

Read next
Google Cloud Storage Security gets an upgrade with Bucket Lock, Cloud KMS keys and more
Firefox Nightly now supports Encrypted Server Name Indication (ESNI) to prevent 3rd parties from tracking your browsing history
90% Google Play apps contain third-party trackers, share user data with Alphabet, Facebook, Twitter, etc: Oxford University Study