Tech News - Cybersecurity

Microsoft claims it halted Russian spearphishing cyberattacks

Richard Gall
22 Aug 2018
Microsoft claims it identified and stopped a number of Russian cyberattacks just last week. In a post published on Monday (August 20), Brad Smith wrote that "Microsoft’s Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six internet domains created by a group widely associated with the Russian government and known as Strontium."

The attacks are notable not only because of Strontium's links with the Russian government, but also because of the institutions these 'fake' domains were targeting. One of the domains is believed to mimic the International Republican Institute, while another is supposedly an imitation of the conservative think tank the Hudson Institute. CNN notes that "both think tanks have been critical of Russia." Smith also writes that "other domains appear to reference the U.S. Senate but are not specific to particular offices."

Spearphishing explained

The attackers are alleged to have used a technique known in cybersecurity as spearphishing, where an email or a website is disguised as a reliable and trustworthy source in order to trick specifically targeted users into handing over information. In this instance, the attackers could have been imitating Republican think tanks in order to get staff to hand over information.

This isn't the first spearphishing attack that Microsoft claims it has intercepted. Brad Smith writes that 84 fake websites believed to be linked to Strontium have been transferred to Microsoft in the last two years. Microsoft has notified the Hudson Institute and the International Republican Institute about the attacks. "Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We’ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators."

Next steps: Microsoft is expanding its Defending Democracy Program

Microsoft has also announced it will be expanding its Defending Democracy Program with a new initiative called Microsoft AccountGuard. This will "provide state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack" (free if you're using Office 365).

RAMBleed: A Rowhammer-based side-channel attack that reads memory bits without accessing them

Savia Lobo
17 Jun 2019
A team of academic researchers recently unveiled a new class of Rowhammer-based attack known as RAMBleed. This newly discovered side-channel attack allows attackers to read memory data on a victim’s Windows computer without actually accessing that memory. The vulnerability, listed as CVE-2019-0174, is called RAMBleed because the RAM "bleeds its contents, which we then recover through a side channel," the researchers explain on the RAMBleed page.

RAMBleed is used to read data from dynamic random access memory (DRAM) chips. It leverages Rowhammer, a DRAM flaw that can be exploited to cause bits in neighboring memory rows to flip their values. In their research paper, "RAMBleed: Reading Bits in Memory Without Accessing Them", the researchers show how an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, the researchers say, RAMBleed turns Rowhammer from a threat to integrity alone into a threat to confidentiality as well. The paper will be presented at the 41st IEEE Symposium on Security and Privacy in May 2020.

The researchers also said they have successfully used RAMBleed to obtain a signing key from an OpenSSH server, leaking a 2048-bit RSA key using only normal user privileges. To do so, "we also developed memory massaging methods and a technique called Frame Feng Shui that allows an attacker to place the victim’s secret-containing pages in chosen physical frames," the researchers mention in their paper.

Any system that uses Rowhammer-susceptible DIMMs is vulnerable to RAMBleed. Machines with memory chips "both DDR3 and DDR4 with TRR (targeted row refresh) enabled" are vulnerable. Users can mitigate their risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled.

Intel published mitigation advice in an article and further suggested that "Intel Software Guard Extensions (Intel SGX) can be used to protect systems from RAMBleed attacks." Oracle, in their blog post, state that machines running DDR2 and DDR1 memory chips aren't affected. "Successfully leveraging RAMBleed exploits require that the malicious attacker be able to locally execute malicious code against the targeted system," Oracle states. No additional security patches are expected for Oracle product distributions, the company said.

Red Hat, in an article, states that there are at least three known DRAM fault exploits: "Rowhammer," "Spoiler" and "RAMBleed." The mitigation approach depends on the hardware vendor, according to Red Hat: "There are a few commonly proposed hardware-based mitigations against Rowhammer that have potential to also mitigate RAMBleed. These are Targeted Row Refresh (TRR), increased DRAM refresh intervals (doubled DRAM refresh rate), and use of ECC memory. The extent to which these strategies may actually mitigate the problem varies and is hardware platform specific. Vendors are anticipated to provide suitable platform-specific guidance."

To know more about RAMBleed in detail, visit its official page.

Microsoft adds Telemetry files in a “security-only update” without prior notice to users

Savia Lobo
12 Jul 2019
The recent Windows 7 ‘security-only’ update also includes telemetry components, which users may be unaware of. These could be used to quietly monitor individual PCs, for anything from "innocuous data collection to outright spyware", according to ZDNet. Per Microsoft, "Security-only updates" should not include quality fixes, diagnostic tools, or anything other than security fixes. This is because, in 2016, Microsoft divided Windows 7 and 8.1 patching into two parts: a monthly rollup of updates and fixes, and, for those who want only essential patches, a Security-only update package.

Why is this "security-only" update suspicious?

What was surprising about this month's Security-only update, formally titled the "July 9, 2019—KB4507456 (Security-only update)," is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10.

An anonymous user commented on Woody Leonhard’s post on the July 2019 security update, published on his website AskWoody. Leonhard is a Senior Contributing Editor at InfoWorld and Senior Editor at Windows Secrets.

"Warning for group B Windows 7 users! The "July 9, 2019—KB4507456 (Security-only update)" is NOT a "security-only" update. It replaces the infamous KB2952664 and contains telemetry. Some details can be found in the file information for update 4507456 (keywords: "telemetry", "diagtrack" and "appraiser") and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in "Package details" -> "This update replaces the following updates", where KB2952664 is listed). It doesn’t apply to IA-64-based systems, but applies to both x64 and x86-based systems."

"Microsoft included the KB2952664 functionality (known as the "Compatibility Appraiser") in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time", another user with the name @PKCano explains.

The user further added, "With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the "Compatibility Appraiser" and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates)." "Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?", the user concluded.

ZDNet states, "The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed". Ed Bott, a technology writer at ZDNet, says that this update is benign and that Microsoft is being truthful when it says "There is no GWX or upgrade functionality contained in this update." If so, why is Microsoft not briefing users about this update?

Many users are confused about whether or not they should update their systems. A user commented on AskWoody, "So should this update be skipped or installed? This appears to pose a dilemma, at least right now. I hope that some weeks from now, by the time we are closer to a green DEFCON, this has been sorted out".

Another user speculated that this issue might be resolved in the next update: "Disabling (or deleting) these scheduled tasks after installation (before reboot) should be enough to turn off the appraiser:
\Microsoft\Windows\Application Experience\ProgramDataUpdater
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
\Microsoft\Windows\Application Experience\AitAgent
but it’s best to wait for next month to see if the SO update comes clean."

ZDNet suggests this might be because Windows 7 is nearing its end-of-support date, January 14, 2020: "It's also possible that Microsoft thinks it has a strong case for making the Compatibility Appraiser tool mandatory as the Windows 7 end-of-support date nears".

To know more about this news, visit Microsoft’s security update.

German OpenStreetMap protest against “Article 13” EU copyright reform making their map unusable

Sugandha Lahoti
10 Sep 2018
The European Union’s copyright reform bill is currently up for a vote in the European Parliament on September 12. Its Article 13 has been on the receiving end of a backlash, with many organizations protesting against it. Last week it was YouTube’s CBO speaking out, and this week German OpenStreetMap has made its map unusable in protest against the EU copyright reform.

According to Article 13, there is an "obligation on information society service providers storing and giving access to large amounts of works and other subject-matter uploaded by their users to take appropriate and proportionate measures to ensure the functioning of agreements concluded with right holders and to prevent the availability on their services of content identified by rightholders in cooperation with the service providers".

This Article 13 is a revamped version that the EU has come out with after the older version of the copyright reform bill was rejected by the Parliament back in July. The older version also received heavy criticism from policy experts and digital rights groups on the grounds that it violated the fundamental rights of internet users.

This legislation could change the balance of power between producers of music, news and film and the dominant websites that host their work. On one side, people say that if passed, this law would mean the end of the free Internet: platforms would have to algorithmically pre-filter all user uploads and would block fair-use content, satire, memes and so on. On the other side, supporters of the law say that their hard work is being compromised because they are not being fairly compensated for it. These people are creators who depend on being paid for the shareable content they create, such as musicians, authors and filmmakers.

People have supported OpenStreetMap’s decision. A Hacker News user pointed out, "Good for them. The Internet as we know it is being attacked from multiple angles right now, with the EU filtering proposals, AU/5Eyes anti-encryption proposals, etc." Another called it "Oh no, more evil political hacking!" You can read more such opinions on Hacker News. You can also find some of the most common questions around the proposed Directive on the EU website.

Firefox 70 will bring new security measures to ensure user safety from cyberattacks

Savia Lobo
18 Jul 2019
A few days ago, Mozilla announced that starting with Firefox 70, planned for release in October this year, the browser will make two new changes to keep users secure. First, it will notify users if their saved logins were part of any data breach. Second, it will warn users if the web page they have landed on is not secure.

Notifying users of saved logins that were part of a data breach

Firefox has partnered with the popular data breach site Have I Been Pwned to notify users if their saved logins were found in data breaches. Firefox will check saved login credentials to see if they were exposed in a data breach listed on Have I Been Pwned. If one is found, the user will be alerted and prompted to change their password. To support this, Mozilla will be integrating its independent Firefox Monitor service and the new Firefox Lockwise password manager directly into the Firefox browser. Mozilla will add an alert icon next to any account profile in Firefox Lockwise that is detected as being part of a breach. Clicking on the saved login will open its subpanel, which displays an alert that the "Passwords were leaked or stolen" as part of a data breach.

(Image: Compromised Password Notification in Firefox Lockwise)

Users will also be provided a "protection report" highlighting the data breaches their logins were involved in. The current Firefox 69 Nightly builds include a mockup of the ‘Protection Report’, which will list the type and amount of tracking and unwanted scripts that were blocked over the past 7 days. This report is a mockup and does not show actual data from your browser.

Mozilla to set up "not secure" indicators for all HTTP web pages

Mozilla also announced that it will show a "Not secure" indicator for all HTTP websites, starting with Firefox 70. Google already has this feature activated in Chrome, starting with Chrome 68, which was released last year. Prior to this announcement, Mozilla indicated "not secure" only on HTTP pages that contained forms or login fields. "Mozilla argued that since more than 80% of all internet pages are now served via HTTPS, users don't need a positive indicator for HTTPS anymore, but a negative one for HTTP connections", according to ZDNet.

Firefox developer Johann Hofmann said, "In desktop Firefox 70, we intend to show an icon in the 'identity block' (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure".

Mozilla started working on these developments back in December 2017, when it added flags in the Firefox about:config section. These "flags are still present in the current stable version of Firefox, and users can enable them right now and preview how these indicators will look starting this fall," according to ZDNet.

Sean Wright, an infosec researcher, told Forbes, "This is an excellent move by Mozilla and a step in the direction to have a secure by default web". He added that many do not realize the potential implications of using sites over HTTP. "Even publicly accessible sites, even as simple as a blog, could potentially allow attackers to inject their malicious payloads into the site served to the client. HTTPS can go a long way to prevent this, so any move to try to enforce it is a step in the right direction," he said.

Wright also warned that browsing an HTTPS site does not mean it is fully authentic. Phishing sites can use HTTPS too, since attackers can obtain the certificates that mark a website as "secure". Hence, users have to remain cautious when sharing their credentials online. He warns: "You should still pay close attention to links in emails."

Hackers steal bitcoins worth $41M from Binance exchange in a single go!

Savia Lobo
09 May 2019
On Tuesday, Binance, one of the most popular cryptocurrency exchanges, reported a huge security breach in which hackers stole around 7,000 bitcoins, worth $41 million, in a single transaction. The hackers were able to obtain a large number of user API keys, 2FA codes, and other information. Binance said that the hackers used a variety of techniques, including phishing, viruses and other attacks. "We are still concluding all possible methods used. There may also be additional affected accounts that have not been identified yet", Binance said in their official statement.

Binance confirmed that only the BTC hot wallet was affected and that all other wallets are secure and unharmed. The affected ‘hot wallet’ contained about 2% of Binance’s total BTC holdings. The firm also said that the hackers were extremely patient and carried out well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. "The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that", Binance’s official statement says.

Binance said that no user funds will be affected and that it will use the SAFU fund to cover this incident in full. Binance has estimated that a thorough security review of the incident will take about a week, during which all deposits and withdrawals will remain suspended. The review will cover all parts of their systems and data, and updates will be posted frequently. "We beg for your understanding in this difficult situation", Binance urged their users. They further added, "Please also understand that the hackers may still control certain user accounts and may use those to influence prices in the meantime. We will monitor the situation closely. But we believe with withdrawals disabled, there isn’t much incentive for hackers to influence markets."

Larry Cermak, Head Analyst at The Block and former researcher at Diar, who researched the Binance hack, concluded that it was the sixth largest exchange hack in history. He also said that "the $41 million is "peanuts" for Binance" and that it would take the exchange just 47 days to earn back the money lost in the breach.

https://twitter.com/lawmaster/status/1126090906908676096

In a live video chat, Binance's chief executive Changpeng Zhao sought to answer questions about the hack.

https://twitter.com/CharlieShrem/status/1126166334121881601

To know more about this news, read Binance's complete official statement.

Apple and Amazon take punitive action against Bloomberg’s 'misinformed' hacking story

Natasha Mathur
29 Oct 2018
It was only earlier this month that Bloomberg published a story alleging that China had hacked into Amazon's and Apple’s servers, and now the two tech giants seem to be retaliating against Bloomberg. Apple did not invite Bloomberg to its fall product event "There’s More in the Making", which takes place tomorrow in Brooklyn. Amazon, for its part, pulled its fourth-quarter advertisements from Bloomberg’s website last week, leading to a huge loss in Bloomberg’s ad revenue. An Amazon spokesperson told BuzzFeed News last week that the ads were canceled "due to a missed creative deadline". Apple declined to comment.

Tim Cook, Apple's CEO, had asked Bloomberg to retract the story in an interview with BuzzFeed News on 19th October. "There is no truth in their story about Apple," Cook told BuzzFeed. Apple also published a statement on the matter: "we are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims". Andy Jassy, CEO of Amazon Web Services, and Super Micro joined Apple in refuting the claims made by Bloomberg.

https://twitter.com/ajassy/status/1054401346827243520

Steve Schmidt, Chief Information Security Officer at Amazon Web Services, further stated, "as we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government. There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count".

Super Micro also issued a statement: "Super Micro strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems. Supermicro takes all security claims very seriously and makes continuous investments in the security capabilities of their products. Super Micro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely".

According to the Bloomberg article, Chinese spies had implanted tiny chips on computer motherboards made by Super Micro Computer. "In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies". These motherboards were used by several of the largest American tech giants, including Amazon and Apple, and the chips allegedly provided secret access to the private data on the machines. The report also states that "the chips were reportedly built to be as inconspicuous as possible and to mimic signal conditioning couplers. It was determined during an investigation, which took three years to conclude, that the chip allowed the attackers to create a stealth doorway into any network that included the altered machines."

Although both Amazon and Apple flatly refute the allegations, Bloomberg continues to stand by its report.

SnapLion: An internal tool Snapchat employees abused to spy on user data

Savia Lobo
24 May 2019
A report released by Motherboard yesterday reveals that employees of Snap Inc., the parent company of the popular social media app Snapchat, abused privileged data management tools to spy on Snap users. They gained access to location data, contact details, email addresses, and even saved Snaps.

Motherboard reports that various departments within Snap have dedicated tools for accessing data. On its sources, Motherboard said, "two former employees said multiple Snap employees abused their access to Snapchat user data several years ago". Along with those sources, Motherboard also obtained information from two other former employees, a current employee, and a cache of internal company emails. The sources and the emails highlight one of the internal tools that can access user data, called SnapLion.

Former employees said that SnapLion was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena. "Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it is a reference to the cartoon character Leo the Lion", Motherboard reports. Snap Inc.’s ‘Spam and Abuse’ team has access to the tool, and it can also be used to combat bullying or harassment on the platform by other users. Motherboard said, "An internal Snap email obtained by Motherboard says a department called "Customer Ops" also has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported". "Motherboard granted multiple sources in this story anonymity to speak candidly about internal Snap processes", Motherboard reports.

Snapchat has a user base of around 186 million people, who use it to share photos and videos or post stories, trusting that the content will be auto-deleted as per Snapchat’s privacy policies. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story). However, in 2014, the Federal Trade Commission fined Snapchat for failing to disclose that the company collected, stored, and transmitted geolocation data.

A Snap spokesperson wrote to Motherboard, "Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination."

A few years ago, SnapLion did not have a satisfactory level of logging to track what data employees accessed, a former employee said. The company then implemented more monitoring, the former employee added. Snap said it currently monitors access to user data. The second former employee said, "Logging isn't perfect".

"Snap said it limits internal access to tools to only those who require it, but SnapLion is no longer a tool purely intended to help law enforcement. It is now used more generally across the company", the former employees reported. One of them, who worked with SnapLion, said the tool is used for resetting passwords of hacked accounts and "other user administration." A current employee pointed to the company's strides on user privacy, and two former employees stressed the controls Snap has in place for protecting it. Snap also introduced end-to-end encryption in January of this year.

Snap is not alone in this: employees at other tech giants like Facebook and Uber have also abused internal access to user data. Facebook fired some of its employees in May last year for using their privileged access to user data to stalk exes. In 2016, Uber employees used internal systems to spy on ex-partners, politicians, and celebrities.

https://twitter.com/justkelly_ok/status/1131750164773818369

Read more about this news in detail in Motherboard’s full coverage.

Google’s Protect your Election program: Security policies to defend against state-sponsored phishing attacks, and influence campaigns

Savia Lobo
27 Aug 2018
With more and more attacks happening via emails and hackers intruding into presidential elections and still influencing various ongoing campaigns, Google has recently shared their ongoing work to provide protection against: State-sponsored phishing attacks Technical attribution of a recently-reported influence campaign from Iran Detection and termination of activity on Google properties Due to the advanced techniques used by hackers, users are often tricked by an email camouflaged as a legitimate one. As a countermeasure, Google says it has invested in robust systems, For detecting any phishing or hacking attempts on user’s email network To identify influence operations launched by foreign governments To protect political campaigns from digital attacks via Google’s Protect Your Election program. Google’s Threat Analysis Group is working with their partners at Jigsaw and Google’s Trust & Safety team to identify bad actors and disable their accounts. The group will further warn users about these bad actors, and also share intelligence with other companies and law enforcement officials. State-sponsored phishing attacks Email phishing is the most common yet the most popular attack. Google has improved their security policies for Gmail users such as automated protections, account security (like security keys), specialized warnings, and so on. Google, via these attempts, plans to significantly decrease the volume of phishing emails that get through to its users. On 20th August 2018, Google issued a series of notifications to Gmail users who were subject to suspicious emails from a wide range of countries. They posted about the different warnings about Government-backed phishing on their blog post and asked users to take immediate actions if they came across the attack or pop-up mentioned. 
FireEye detected suspicious Google accounts linked to Iran

Google has also partnered with the FireEye cybersecurity group and other top security consultants to share intelligence. FireEye's recent help to Facebook in identifying suspicious accounts with links to Russia and Iran is worth mentioning. For the last two months, Google and Jigsaw have worked closely with FireEye on the influence operation linked to Iran that FireEye identified last week. FireEye identified some suspicious Google accounts (three email accounts, three YouTube channels, and three Google+ accounts), which were swiftly disabled.

Google's security team suspects the malicious actors are linked to IRIB

In addition to FireEye's intelligence report, Google's team has investigated a broader range of suspicious actors linked to Iran who have engaged in setting up the malicious accounts. Following this, Google has informed U.S. lawmakers and law enforcement agencies about the results of its investigation, including its relation to political content in the United States. Google's technical research team further found evidence that these actors are associated with the IRIB, the Islamic Republic of Iran Broadcasting. Its observations are as follows:

- Technical data associated with these actors is strongly linked to the official IRIB IP address space.
- Domain ownership information about these actors is strongly linked to IRIB account information.
- Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB, indicating common ownership and control.

Detecting and terminating activity on Google properties

Content from these malicious actors that violates Google's policies is swiftly removed from Google services, and the actors' accounts are terminated.
Google also uses several robust methods, including IP blocking, to prevent individuals or entities in Iran from opening advertising accounts. Google identified and terminated a number of accounts linked to the IRIB organization that disguised their connection to this effort, including while sharing English-language political content in the U.S. These include:

- 39 YouTube channels that had 13,466 total US views on relevant videos
- 6 blogs on Blogger
- 13 Google+ accounts

The state-sponsored phishing attacks and the actors associated with the IRIB are not the only state-sponsored activity at work on the Internet. Google had also disclosed information about actors linked to the Internet Research Agency (IRA) in 2017. It detected and removed 42 YouTube channels, which had 58 English-language political videos (these videos had a total of fewer than 1,800 U.S. views). Read more about Google's plan to protect users against phishing attacks on its Safety & Security blog.
Savia Lobo
14 Nov 2018
3 min read
Microsoft fixes 62 security flaws on Patch Tuesday and re-releases Windows 10 version 1809 and Windows Server 2019

Yesterday, on Microsoft's Patch Tuesday, the company released its monthly security patches, fixing 62 security flaws. These included a fix for a zero-day vulnerability that was under active exploitation before the patches were made available. Microsoft also announced the re-release of Windows 10 version 1809 and Windows Server 2019.

Zero-day vulnerability CVE-2018-8589

Microsoft credited Kaspersky Lab researchers with discovering this zero-day, tracked as CVE-2018-8589, which affects the Windows Win32k component. A Kaspersky spokesperson told ZDNet, “they discovered the zero-day being exploited by multiple cyber-espionage groups (APTs).” The zero-day had been used to elevate privileges on 32-bit Windows 7 versions. This is the second Windows elevation-of-privilege zero-day discovered by Kaspersky researchers and patched by Microsoft. Last month, Microsoft patched CVE-2018-8453, another zero-day that had been used by a state-backed cyber-espionage group known as FruityArmor. However, in this month's Patch Tuesday, Microsoft has not patched a zero-day affecting the Windows Data Sharing Service (dssvc.dll), which was disclosed on Twitter at the end of October. According to ZDNet, “Microsoft has published this month a security advisory to instruct users on how to properly configure BitLocker when used together with solid-state drives (SSDs).”

Re-release of Windows 10 version 1809 and Windows Server 2019

As reported by Microsoft, the Windows 10 October 2018 update caused data loss for some users after updating, so the company decided to pause the update. Yesterday, however, Microsoft announced that it is re-releasing Windows 10 version 1809. John Cable, the director of Program Management for Windows Servicing and Delivery at Microsoft, said, “the data-destroying bug that triggered that unprecedented decision, as well as other quality issues that emerged during the unscheduled hiatus, have been thoroughly investigated and resolved."
Microsoft also announced the re-release of Windows Server 2019, which was affected by the same issue. According to ZDNet, “The first step in the re-release is to restore the installation files to its Windows 10 Download page so that "seekers" (the Microsoft term for advanced users who go out of their way to install a new Windows version) can use the ISO files to upgrade PCs running older Windows 10 versions.” Michael Fortin, Windows Corporate Vice President, offered some context behind the recent issues in a blog post and announced changes to the way the company approaches communications and the transparency around its process. Per Fortin, "We obsess over these metrics as we strive to improve product quality, comparing current quality levels across a variety of metrics to historical trends and digging into any anomaly." To know more about this in detail, visit Microsoft's official blog post.
Natasha Mathur
07 Sep 2018
3 min read
YouTube’s CBO speaks out against Article 13 of EU’s controversial copyright law

Robert Kyncl, YouTube's Chief Business Officer, opened up on YouTube's Creator Blog on Tuesday about “Article 13” of the EU copyright proposal, which is up for a vote in the European Parliament on September 12. According to Article 13, there is an “obligation on information society service providers storing and giving access to large amounts of works and other subject-matter uploaded by their users to take appropriate and proportionate measures to ensure the functioning of agreements concluded with right holders and to prevent the availability on their services of content identified by rightholders in cooperation with the service providers”. In a nutshell, any user-generated content on these online platforms that a copyright enforcement algorithm considers to be copyrighted work would need to be censored by the platforms. This is a revamped version that the EU has come out with after the older version was rejected by the Parliament back in July. The older version also received heavy criticism from policy experts and digital rights groups on the grounds that it violated the fundamental rights of internet users. “Article 13 potentially undermines this creative economy, discouraging or even prohibiting platforms from hosting user-generated content. This outcome would not only stifle your creative freedom, it could have severe, negative consequences for the fans, the communities and the revenue you have all worked so hard to create,” said Kyncl. Kyncl also pointed out how creators and artists on these platforms have built businesses “on the back” of this “openness”. YouTube has a strong set of copyright management tools, such as Content ID and the Copyright Match Tool, which are efficient at managing re-uploads of creators' content. “Copyright holders have control over their content: they can use our tools to block or remove their works, or they can keep them on YouTube and earn advertising revenue.
In over 90% of cases, they choose to leave the content up. Enabling this new form of creativity and engagement with fans can lead to mass global promotion and even more revenue for the artist,” reads the YouTube blog post. A good example given by Kyncl is that of the famous pop singer Dua Lipa, whose singing career started with covering songs by other artists. Alan Walker's worldwide hit “Fade” was also heavily used by other users in the YouTube community and in video games, which resulted in a massive fan base for him. YouTube is not the only one disapproving of the new proposal. Other organizations such as European Digital Rights, the Internet Archive, Patreon, WordPress, and Medium have all voiced their disapproval of the EU copyright policy. “This is the new creative economy in action. The Copyright Directive won't just affect creators and artists on YouTube. It will also apply to many forms of user-generated content across the Internet,” writes Kyncl. For more information, check out the official YouTube blog post.
Savia Lobo
13 Jun 2019
3 min read
Google researcher reveals an unpatched bug in Windows’ cryptographic library that can quickly “take down a windows fleet”

Tavis Ormandy, a vulnerability researcher at Google, uncovered a security issue in SymCrypt, the core cryptographic library for Windows, which Microsoft is still working to fix. Ormandy says that if the vulnerability were exploited in a denial of service (DoS) attack, it could “take down an entire Windows fleet relatively easily”. Ormandy said that Microsoft had "committed to fixing it in 90 days", in line with Google's 90-day deadline for fixing or publicly disclosing bugs that its researchers find.

https://twitter.com/taviso/status/1138469651799728128

On March 13, 2019, Ormandy informed Microsoft of this vulnerability and also posted the issue on Google's Project Zero site. On March 26, Microsoft replied that it would issue a security bulletin and fix in the June 11 Patch Tuesday run. On June 11, Ormandy said that the Microsoft Security Response Center (MSRC) had “reached out and noted that the patch won't ship today and wouldn't be ready until the July release due to issues found in testing”. “There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric”, the bug report states. “I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock”, Ormandy added. “The disclosure a day after the deadline lapsed drew mixed reactions on social media, with some criticizing Ormandy for the move; and were met with short shrift”, CBR Online states.
https://twitter.com/taviso/status/1138493191793963008

Davey Winder from Forbes approached The Beer Farmers, a group of information security professionals, on this issue. John Opdenakker, an ethical hacker from the group, said, "in general if you privately disclose a vulnerability to a company and the company agrees to fix it within a reasonable period of time I think it's fair to publicly disclose it if they then don't fix it on time." Another Beer Farmer, Sean Wright, points out that this is a denial of service vulnerability and that there are many other ways to achieve a DoS, which makes it a low-severity issue. Wright told Forbes, "Personally I think it's a bit harsh, every fix is different and they should allow for some flexibility in their deadline." A Microsoft spokesperson said in a statement to Forbes, “Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher's deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule. We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.” To know more about this news in detail, head over to Google's Project Zero website.
Natasha Mathur
02 Nov 2018
5 min read
Zimperium zLabs discloses a new critical vulnerability in multiple high-privileged Android services to Google

Tamir Zahavi-Brunner, a security researcher at Zimperium zLabs, posted the technical details of a vulnerability affecting multiple high-privileged Android services, along with its exploit, earlier this week. Brunner had disclosed the vulnerability to Google, which designated it CVE-2018-9411. As Brunner notes, Google claims that Project Treble (introduced as part of Android 8.0 Oreo to make updates faster and easier for OEMs to roll out to devices) benefits Android security. However, the vulnerability Brunner disclosed shows that elements of Project Treble can also hamper Android security. “This vulnerability is in a library introduced specifically as part of Project Treble and does not exist in a previous library which does pretty much the same thing. This time, the vulnerability is in a commonly used library, so it affects many high-privileged services”, says Brunner. One of the big changes that came with Project Treble is the split of many system services. Previously, these system services contained both AOSP (Android Open Source Project) and vendor code. After Project Treble, each of these services was split into one AOSP service and one or more vendor services called HAL services. This means that data which used to be passed within the same process between AOSP and vendor code now has to pass through IPC (inter-process communication between different Android components) between the AOSP and HAL services. Most IPC in Android goes through Binder (a remote procedure call mechanism between client and server processes), so Google decided that the new IPC should do so as well, but with some modifications. Google introduced HIDL, a whole new format for the data passed through Binder IPC, which makes use of shared memory for simplicity and good performance. HIDL is supported by a new set of libraries and is dedicated to the new Binder domain for IPC between AOSP and HAL services.
HIDL comes with its own new implementation for many types of objects. An important object for sharing memory in HIDL is hidl_memory.

Technical details of the vulnerability

A hidl_memory comprises the members mHandle (a HIDL object which holds file descriptors), mSize (the size of the memory to be shared) and mName (which represents the type of memory). These structures are transferred through Binder in HIDL, where complex objects (like hidl_handle or hidl_string) have their own custom code for writing and reading the data. In 64-bit processes the 64-bit size is used as is and causes no issues; in 32-bit processes, however, the size gets truncated to 32 bits, so only the lower 32 bits are used. So if a 32-bit process receives a hidl_memory whose size is bigger than UINT32_MAX (0xFFFFFFFF), the memory region actually mapped will be much smaller. “For instance, for a hidl_memory with a size of 0x100001000, the size of the memory region will only be 0x1000. In this scenario, if the 32-bit process performs bounds checks based on the hidl_memory size, they will hopelessly fail, as they will falsely indicate that the memory region spans over more than the entire memory space. This is the vulnerability!” writes Brunner. Once the vulnerability has been understood, the next step is to find a target for it. An eligible HAL service is needed, such as android.hardware.cas, or MediaCasService, which allows apps to decrypt encrypted data.

Exploiting the vulnerability

To exploit the vulnerability, two other issues need to be solved: finding the address of the shared memory and of other interesting data, and making sure that the shared memory gets mapped in the same location each time. The second issue is solved by looking at the memory maps of the linker in the service's memory space.
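As an added illustration (not Zimperium's or AOSP's code), the following C snippet models the 64-bit to 32-bit size truncation described above: a bounds check written against the advertised hidl_memory size, beside a defensive check written against the region that was actually mapped. The function names are constructed for this example, and the hardened check is a generic defensive pattern, not Google's actual fix.

```c
/* Added example modelling the hidl_memory size truncation behind
 * CVE-2018-9411 (constructed names; not Zimperium's or AOSP's code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Over Binder, mSize is a 64-bit value. A 32-bit process narrows it to its
 * native word when it maps the region, keeping only the low 32 bits. */
uint32_t mapped_size_in_32bit_process(uint64_t mSize)
{
    return (uint32_t)mSize;   /* 0x100001000 -> 0x1000, as the write-up says */
}

/* Vulnerable pattern: bounds-check an access against the advertised 64-bit
 * mSize, not against the region that was actually mapped. A descriptor with
 * mSize > UINT32_MAX makes this accept offsets far beyond the mapping. */
bool vulnerable_in_bounds(uint64_t mSize, uint64_t offset, uint64_t len)
{
    return offset + len <= mSize;   /* also unsafe: offset + len may wrap */
}

/* Hardened pattern (generic, constructed for this example): refuse sizes the
 * process cannot represent, require that the mapping matches the advertised
 * size, and do an overflow-safe range check against the mapped size. */
bool hardened_in_bounds(uint64_t mSize, uint32_t mapped,
                        uint64_t offset, uint64_t len)
{
    if (mSize > UINT32_MAX)   /* cannot be represented in a 32-bit process */
        return false;
    if (mSize != mapped)      /* descriptor and mapping disagree */
        return false;
    if (len > mapped || offset > (uint64_t)mapped - len)  /* no wraparound */
        return false;
    return true;
}

int main(void)
{
    /* Constructed descriptor using the size quoted in the write-up. */
    uint64_t bad_size = 0x100001000ULL;
    uint32_t mapped   = mapped_size_in_32bit_process(bad_size);
    uint64_t offset   = 0x80000000ULL, len = 0x10;   /* far past the mapping */

    printf("advertised 0x%llx, mapped 0x%x\n",
           (unsigned long long)bad_size, mapped);
    printf("vulnerable check: %s\n",
           vulnerable_in_bounds(bad_size, offset, len) ? "PASS (bug)" : "reject");
    printf("hardened check:   %s\n",
           hardened_in_bounds(bad_size, mapped, offset, len) ? "PASS" : "reject");
    return 0;
}
```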
To solve the first issue, the data in the linker_alloc straight after the gap is analyzed, and a shared memory is mapped before a blocked thread's stack, which makes it easy to reach the stack relatively through the vulnerability. Hence, instead of only getting one thread into that blocked state, multiple (5) threads are generated, which in turn causes more threads to be created and more thread stacks to be allocated. Once the shared memory is mapped before the blocked thread's stack, the vulnerability is used to read two things from the stack: the thread stack address and the address where libc is mapped, in order to build a ROP chain. The last step is executing this ROP chain. However, Brunner states that SELinux restrictions on the process prevent turning this ROP chain into full arbitrary code execution: “There is no execmem permission, so anonymous memory cannot be mapped as executable, and we have no control over file types which can be mapped as executable”. Since the main objective is to obtain the QSEOS version, the ROP chain is written to do just that, in a way that ensures the thread does not crash immediately after running it. This still leaves the process in a somewhat unstable state, so to leave everything clean, the service is deliberately crashed (by writing to an unmapped address) so that it restarts. For complete information, read the official Zimperium blog post.
Bhagyashree R
19 Jun 2019
2 min read
Mozilla releases Firefox 67.0.3 and Firefox ESR 60.7.1 to fix a zero-day vulnerability, being abused in the wild

Yesterday, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 to fix an actively exploited vulnerability that can enable attackers to remotely execute arbitrary code on devices running vulnerable versions. If you are a Firefox user, it is recommended that you update right now. This critical zero-day flaw was reported by Samuel Groß, a security researcher with the Google Project Zero security team, and the Coinbase Security team. It is a type confusion vulnerability tracked as CVE-2019-11707 that occurs “when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.” Not much information has been disclosed about the vulnerability yet, apart from this short description on the advisory page. In general, type confusion happens when a piece of code fails to verify the type of the object passed to it and uses it blindly without type-checking. The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert informing users and administrators to update Firefox as soon as possible: “The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates.” Users can install the patched Firefox versions by downloading them from Mozilla's official website, or by clicking the hamburger icon in the upper-right corner, typing Update into the search box and hitting the Restart to update Firefox button. This is not the first time a zero-day vulnerability has been found in Firefox. Back in 2016, a vulnerability was reported in Firefox that was exploited by attackers to de-anonymize Tor Browser users. The attackers then collected user data including IP addresses, MAC addresses, and hostnames. Mozilla then released an emergency fix in Firefox 50.0.2 and 45.5.1 ESR.
Savia Lobo
25 Jan 2019
2 min read
Microsoft’s Bing ‘back to normal’ in China

On Wednesday, Microsoft announced that its search engine, Bing, was blocked in China, though it was unsure whether this was due to China's Great Firewall censorship or a technical glitch. The search engine is now back online after being down for two consecutive days. The site may have been blocked by government censors. Many users posted on Weibo, one of the popular social networks in China, comments such as “Bing is back” and “Bing returns to normal.” ZDNet also pointed out that “The temporary block of Microsoft's Bing comes at a time when tensions between the US and China are running high, with the introduction of a bipartisan Bill in the US earlier this month to ban the sale of tech to Chinese companies Huawei and ZTE, and the US stating on Wednesday its intention to extradite Huawei CFO Meng Wanzhou.” Though Bing is not widely used in China, it has been one of the few remaining portals to the broader internet as the Chinese government isolates China's internet from the rest of the world. Bing remains the only US-based search engine there because “Microsoft has worked to follow the government's censorship practices around political topics”, the New York Times reported. In an interview with Fox Business Network at the World Economic Forum in Davos, Switzerland, Microsoft's president, Brad Smith, said “There are times when there are disagreements, there are times when there are difficult negotiations with the Chinese government, and we're still waiting to find out what this situation is about.”