
Tech News - Cybersecurity

373 Articles
Vijin Boricha
27 Jun 2018
3 min read

WPA3: Next-generation Wi-Fi security is here

On June 25, 2018, the Wi-Fi Alliance introduced the next generation of Wi-Fi security, WPA3. It took over a decade for a successor to the WPA2 protocol to arrive, and it brings new capabilities for securing personal and enterprise Wi-Fi networks. Individuals and organizations alike had been waiting for this update, especially after last year's KRACK vulnerability, which was later fixed on many devices. The update adds a variety of features, including more robust authentication and increased cryptographic strength for markets that handle highly sensitive data. As the Wi-Fi industry transitions to WPA3 security, WPA2 devices will continue to interoperate and provide recognized security. In order to maintain the flexibility of mission-critical networks, WPA3 networks will: prohibit outdated legacy protocols, deliver the latest security methods, and use Protected Management Frames (PMF). WPA3 supports the market through two distinct modes of operation: WPA3-Personal and WPA3-Enterprise.

WPA3-Personal

Even when users choose passwords that fall short of typical complexity recommendations, WPA3-Personal uses SAE (Simultaneous Authentication of Equals), a secure key establishment protocol between devices, to give users more robust protection against third-party password guessing attempts. With this level of security enhancement, your network is more resilient.

WPA3-Enterprise

The WPA3-Enterprise mode benefits organizations transmitting sensitive data, such as those in finance or government, as it provides 192-bit cryptographic strength along with additional protection for these networks. This 192-bit bundle is a consistent combination of cryptographic tools deployed across WPA3 networks. Earlier this year, the Wi-Fi Alliance also introduced new features and enhancements for Wi-Fi Protected Access; these additions ensure that WPA2 maintains robust security protection in the evolving wireless landscape.
WPA2 is still a mandatory requirement for all Wi-Fi CERTIFIED devices, as it will take some time for WPA3 market adoption to grow. Through a transitional mode of operation, WPA3 will maintain interoperability with WPA2 devices, and Wi-Fi users can remain confident that their devices are well protected when connected to secured Wi-Fi CERTIFIED networks. Users and Wi-Fi device vendors need not worry, as WPA3 protections won't come into action overnight; adoption may take some time, possibly even a many-years-long process. To get WPA3 in place you need a new router that supports it, or you can hope your old one can be updated to support it. The same is true for all your gadgets: you have to buy new ones that support WPA3 or hope your old devices are updated to the required standard. However, WPA3 can still connect with devices that use WPA2, so you need not worry about a device not working just because you brought new connectivity hardware into your home. WPA3 adoption is off to a positive start, as organizations such as Hewlett Packard, Qualcomm, Huawei Wireless, Intel, Cisco and many more have announced their support for next-gen Wi-Fi security for personal and enterprise networks.

Vincy Davis
23 May 2019
3 min read

TP-Link kept thousands of vulnerable routers at risk of remote hijack, failed to alert customers

Yesterday, TechCrunch reported that thousands of TP-Link routers are still vulnerable to a bug discovered in January 2018. The vulnerability can allow even a low-skilled attacker to remotely gain full access to an affected router. An attacker could also target vulnerable devices at scale, by scanning the web and hijacking routers that still use default passwords, the way the Mirai botnet took down Dyn. TP-Link updated its firmware page to share this vulnerability with customers only after TechCrunch reached out to the company.

https://twitter.com/zackwhittaker/status/1131221621287604229

In October 2017, Andrew Mabbitt, founder of the U.K. cybersecurity firm Fidus Information Security, first discovered and disclosed a remote code execution bug in the TP-Link WR940N router. The multiple vulnerabilities arose because several code paths called strcpy on user-controllable, unsanitized input. TP-Link released a patch for the vulnerable router in November 2017. In January 2018, Mabbitt warned TP-Link that another router, the WR740N, was at risk from the same bug, because the company had reused the same vulnerable code in both devices. TP-Link asked Mabbitt for more details about the CVE-2017-13772 (WR940N) vulnerability. After providing them, Mabbitt requested an update three times and warned that he would disclose the issue publicly in March if no update was provided. On 28th March 2018, TP-Link provided Mabbitt with a beta version of the firmware that fixed the issue. He confirmed the fix and asked TP-Link to release the live version of the firmware. After receiving no response from TP-Link for another month, Mabbitt publicly disclosed the vulnerability on 26th April 2018; the fixed firmware had still not been released by then. When TechCrunch enquired, the firmware update for the WR740N was still missing from the company's website as of 16th May 2019.
A TP-Link spokesperson told TechCrunch that the update was "currently available when requested from tech support" and did not explain why. Only after TechCrunch highlighted the issue did TP-Link update the firmware page, on 17th May 2019, to include the latest security update. The page states that the firmware update is meant to resolve issues the previous firmware version may have and improve its performance. In a statement to TechCrunch, Mabbitt said, "TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company's tech support." This has been highly irresponsible behavior on TP-Link's part. Even after a third party discovered the bug more than a year ago, TP-Link did not bother to keep its users informed about it. The news comes at a time when both the U.K. and the U.S. state of California are set to implement laws to improve Internet of Things security. Soon companies will be required to sell devices with unique default passwords, to prevent botnets from hijacking internet-connected devices at scale and using their collective internet bandwidth to knock websites offline.

https://twitter.com/dane/status/1131224748577312769

Sugandha Lahoti
26 Jul 2018
3 min read

Facebook must stop discriminatory advertising in the US, declares Washington AG, Ferguson

Attorney General Bob Ferguson announced the day before yesterday (24th July 2018) that Facebook has been found guilty of providing discriminatory advertisements on its platform. The platform gave third-party advertisers the option to exclude ethnic and religious minorities, immigrants, LGBTQ individuals and other protected groups from seeing their ads. If these groups cannot see the ads at all, they are deprived of the opportunities the advertisements offer.

Source: Office of the Attorney General

Following this verdict, Facebook has signed a legally binding agreement to make changes to its advertising platform within 90 days. Under this agreement, Facebook will no longer provide advertisers with options to exclude ethnic groups from advertisements for housing, credit, employment, insurance and public accommodations. Facebook will also no longer provide advertisers with tools to discriminate based on race, creed, color, national origin, veteran or military status, sexual orientation and disability status. The matter was first brought to light by ProPublica in 2016, when it went undercover and bought multiple rental housing ads on Facebook from which certain categories of users were excluded. According to ProPublica, "Every single ad was approved within minutes." The allegations were alarming, and the AG's office decided to investigate. Investigators used the platform to create 20 fake ads that excluded one or more ethnic minorities from receiving the advertising. Despite these exclusions, Facebook's advertising platform approved all 20 ads. "Facebook's advertising platform allowed unlawful discrimination on the basis of race, sexual orientation, disability, and religion," said Ferguson.
"That's wrong, illegal, and unfair." The Attorney General's investigation found the platform's unlawful targeting options to be unfair acts and practices, in violation of the state Consumer Protection Act and the Washington Law Against Discrimination. This led to a permanent, legally binding agreement that aims to close all loopholes and prevent Facebook from offering discriminatory advertising in any form. However, Peter Romer-Friedman, a lawyer with Outten & Golden LLP, points out that the "agreement does nothing to address age discrimination or gender discrimination on Facebook". The agreement is legally binding in Washington state, and Facebook has agreed to change its platform nationwide. Apart from fixing its advertising platform within 90 days, Facebook must also pay the Washington State AG's Office $90,000 in costs and fees. This agreement is a win not just for the citizens of Washington state but for the whole United States, since Facebook has agreed to implement its improved advertising options nationwide. But it is a very small step for the rest of the world. The ball is in Facebook's court now. We'll have to wait and see whether it proactively generalizes these policies worldwide, or whether it takes the public and the law to hold Facebook accountable for the power its platform holds over the lives of its more than 2 billion users.

Bhagyashree R
04 Dec 2018
3 min read

Microsoft open sources Simple Encrypted Arithmetic Library (SEAL) 3.1.0, aiming to standardize homomorphic encryption

Yesterday, with the goal of standardizing homomorphic encryption, Microsoft open sourced the Microsoft Simple Encrypted Arithmetic Library (Microsoft SEAL) under the MIT License. It is an easy-to-use homomorphic encryption library developed by researchers in the Cryptography Research group at Microsoft. Microsoft SEAL was first released in 2015 to provide "a well-engineered and documented homomorphic encryption library, free of external dependencies, that would be easy for both cryptography experts and novice practitioners to use." Industries have moved to the cloud for data storage because it is convenient, but this raises privacy concerns. To get the practical guidance for decision making that cloud and machine learning services provide, we need to share our personal information. Traditional encryption schemes do not allow any computation on encrypted data, so we must choose between storing our data encrypted in the cloud and downloading it to perform any useful operation, or handing the decryption key to service providers, which risks our privacy. Homomorphic encryption addresses these concerns. It is a cryptographic mechanism in which specific types of mathematical operations are carried out on the ciphertext instead of on the actual data. The mechanism produces an encrypted result which, on decryption, matches the result of the same operations performed on the plaintexts. In a nutshell, decrypting the result of operating on the ciphertext yields the same output as simply operating on the initial plaintext. Some of the key advantages of Microsoft SEAL are that it has no external dependencies and, since it is written in standard C++, is easy to compile in many different environments. At its core, it makes use of two encryption schemes: the Brakerski/Fan-Vercauteren (BFV) scheme and the Cheon-Kim-Kim-Song (CKKS) scheme.
Along with the license change, the team has also added a few updates in the latest release, SEAL 3.1.0, some of which are listed here: support for 32-bit platforms; the Google Test framework for unit tests; on Windows, Visual Studio now uses CMake to configure SEAL; generating Galois keys for specific rotations is easier; a new EncryptionParameterQualifiers flag indicates whether parameters comply with the HomomorphicEncryption.org security standard; and secret key data is now cleared automatically from memory by the destructors of SecretKey, KeyGenerator, and Decryptor. To read more in detail, check out Microsoft's official announcement.

Melisha Dsouza
22 Feb 2019
2 min read

Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability

Drupal has released a security advisory for a highly critical remote code execution vulnerability (CVE-2019-6340) in its software. Samuel Mortenson, a member of the Drupal Security Team, reports that arbitrary PHP code execution is possible due to a lack of data sanitization in certain field types linked to non-form sources. Drupal issued the warning a day before Wednesday's patch release. According to Drupal's blog, a site is affected either if it has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or if it has another web services module enabled, for instance JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. To address the vulnerability, Drupal has released security updates for contributed modules for Drupal 7 and Drupal 8. Drupal has also released Drupal 8.6.10 and Drupal 8.5.11; there is no core update for Drupal 7. The team has advised users to install any available security updates for contributed projects after updating Drupal core. The blog also states that, to immediately mitigate the vulnerability, users can disable all web services modules, or configure their web server(s) to not allow PUT/PATCH/POST requests to web services resources. According to ZDNet, Drupal is the third most popular CMS for website publishing and accounts for about three percent of the world's billion-plus websites. Attackers could use this vulnerability to hijack a Drupal site and take control of the web server and all the websites it hosts. To know more about this announcement, visit Drupal's blog.

Savia Lobo
21 Aug 2018
4 min read

Google’s incognito location tracking scandal could be the first real test of GDPR

When you ask Google to turn off location tracking, it actually keeps tracking you, incognito. This default behavior exposes Google to a potentially huge fine under Europe's GDPR rules.

Google is secretly tracking your moves

When users turn off location tracking, they expect Google to stop detecting where they are, but this is not the case: Google carries on as a secret stalker without the user's consent. Recently, Associated Press News reported that Google continues to collect a user's location points while users believe they are safe from being tracked. According to AP News, location tracking by Google continues even if the user has disabled it, and the following are some of the resulting issues: user settings governing location markers are in different places; location tracking can be "paused", but not permanently disabled; location tracking continues in Maps, Search and other Google applications regardless of the "Location History" setting; and the warnings provided to both iOS and Android users are misleading.

How is Google's location tracking violating the EU's new GDPR rules?

In May this year, Europe brought in its much anticipated new privacy law, the General Data Protection Regulation (GDPR). The law affects virtually every technology company worldwide. Under the GDPR, any company operating in the EU, or any company that serves EU citizens, must abide by its strict new privacy guidelines, meant to protect consumers from companies abusing their personal data. Any company failing to comply with these rules faces financial penalties as high as 4 percent of its annual revenue. For Google, that penalty could mean billions of dollars in fines. GDPR's data minimisation principle states that data should be collected for specified, explicit and legitimate purposes, and processed only for those purposes.
Serena Tierney, a partner at the law firm VWV and a data protection and privacy specialist, told The Register, "The legitimate purpose of the data collection must be clear. Is it only used for Google's own internal machine learning algorithms, say, or is it part of a personal profile sold to advertisers?" "It's part of a wider public debate. Is this part of the social contract between society generally (including me) and search engines (including Google) that in return for getting free search, for example, we expect our personal data to be used for personal advertising, with no way for us to opt out?" Tierney continued. Rafe Laguna of Open-Xchange, an open source infrastructure provider, says, "The Google location scandal could be the first real test of GDPR. The regulation states that user consent must be clear, distinguishable and written in plain language."

Google updated its location policies: "Some location data may be saved"

Right after the AP's investigation into its location tracking practice, Google made some quick updates to its location history feature. According to a report from Associated Press, in this update made on 16th August Google acknowledges that it still tracks users via its Google Maps, weather updates, and browser search services. As Google's help page for the Location History setting now puts it, "some location data may be saved as part of your activity on other services, like Search and Maps." The Location History toggle alone won't stop Google from tracking users. However, users can turn tracking off by disabling the "Web and App Activity" option (which is enabled by default). With that option disabled, Google will no longer store and track the user's Maps data and browser searches for location. To know more about this evolving story in detail, visit Associated Press News' full coverage.
Sugandha Lahoti
05 Dec 2018
3 min read

Microsoft and Mastercard partner to build a universally-recognized digital identity

Mastercard has partnered with Microsoft to help people better manage and use their digital identity. Current identity management systems make it complex for users to prove their identity and manage their data. In response, Mastercard and Microsoft are building a way for people to instantly verify their digital identity with whomever they want, whenever they want, using a universally recognized, single digital identity system.

https://twitter.com/MastercardNews/status/1069601787852873728

Microsoft CEO Satya Nadella also tweeted about the collaboration.

https://twitter.com/satyanadella/status/1069694712464973829

"Today's digital identity landscape is patchy, inconsistent and what works in one country often won't work in another. We have an opportunity to establish a system that puts people first, giving them control of their identity data and where it is used," says Ajay Bhalla, president, cyber and intelligence solutions, Mastercard. "Working with Microsoft brings us one step closer to making a globally interoperable digital identity service a reality, and we look forward to sharing more very soon."

This single digital identity initiative will be powered by Microsoft Azure and built in collaboration with leaders in the banking, mobile network operator and government communities. It will be used to address three major challenges. Identity inclusion: improving digital identity for women, children, refugees, and other underrepresented groups, to improve their access to health, financial and social services. Identity verification: helping people interact with merchants, banks, government agencies and countless other digital service providers with greater integrity, lower cost and less friction. Fraud prevention: helping to reduce payments fraud and identity theft of various forms. It will also streamline and improve the speed of commerce and of government, financial and digital services.
However, a universal identity like this may raise security and privacy concerns, not to mention that the data could be used for surveillance. Microsoft and Mastercard will need to adopt strict measures to protect user data. Public opinion on the system has also been largely negative.

https://twitter.com/ChrisBlec/status/1070169644835766272
https://twitter.com/goretsky/status/1069719344744062976
https://twitter.com/aral/status/1069853577865244672
https://twitter.com/bobofgold/status/1070227010209964033

Mastercard made its position clear to a Fast Company editor: the service will allow the data to sit with its rightful owner, the individual, and wouldn't involve amassing personal data in honeypots vulnerable to attack. In no situation would Mastercard collect users' identity data, share it or monitor their interactions. Instead, the data would reside with the trusted party, and our service would merely validate the information already provided, once an individual has decided to do so. This is about giving the individual control over who sees their information and how it's used. Go through the press release on Mastercard Newsroom for more information.

Savia Lobo
16 Oct 2018
3 min read

Twitter on the GDPR radar for refusing to provide a user his data due to ‘disproportionate effort’ involved

After Google narrowly avoided a huge GDPR fine last month, Twitter is next on the EU's GDPR investigation list. This appears to be the first GDPR investigation opened against Twitter. Last week, data privacy regulators in Ireland opened an investigation into Twitter's data collection practices, to analyze how much data Twitter receives from its URL-shortening system, t.co. Twitter says the URL shortening allows the platform to measure the number of clicks per link and helps it fight the spread of malware through suspicious links.

Why did Irish data regulators choose to investigate Twitter?

The news was first reported by Fortune, which stated, "Michael Veale, who works at University College London, suspects that Twitter gets more information when people click on t.co links, and that it might use them to track those people as they surf the web, by leaving cookies in their browsers." Veale asked Twitter to provide him with all the personal data it holds on him. Twitter refused, claiming that providing this information would take a disproportionate effort. Following this, Veale filed a complaint with the Irish Data Protection Commission (DPC), and the authorities opened an investigation last week. In a letter to Veale, the Irish Data Protection Commissioner wrote, "The DPC has initiated a formal statutory inquiry in respect of your complaint. The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect." The Irish authorities said that Veale's complaint will be handled by the new European Data Protection Board, as it involves cross-border processing. That EU data protection body helps national data protection authorities coordinate their GDPR enforcement efforts.
Veale also prompted a similar investigation into Facebook, which likewise refused to hand over data held on users' web-browsing activities. However, Fortune says, "Facebook was already the subject of multiple GDPR investigations." Veale says, "Data which looks a bit creepy, generally data which looks like web-browsing history, [is something] companies are very keen to keep out of data access requests. The user has a right to understand." Twitter, however, declined to comment, saying only that it was "actively engaged" with the DPC. If Twitter is found to be in breach of the GDPR, it could face a fine of up to €20m or up to 4 percent of its global annual revenue. To know more about this news in detail, head over to Fortune's full coverage.

Savia Lobo
21 Feb 2019
2 min read

Linux use-after-free vulnerability found in Linux 2.6 through 4.20.11

Last week, a Huawei engineer reported a vulnerability present in Linux kernels from early 2.6 through version 4.20.11. The Kernel Address Sanitizer (KASAN), which detects dynamic memory errors within Linux kernel code, was used to uncover the use-after-free vulnerability, which has been present since early Linux versions. The use-after-free issue was found in the networking subsystem's sockfs code and could lead to arbitrary code execution. KASAN (along with the other sanitizers) has already proven quite valuable in spotting coding mistakes, hopefully before they are exploited in the real world, and it picked up another feather in its hat by being responsible for the CVE-2019-8912 discovery. The CVSS v3.0 severity metrics gave this vulnerability a 9.8 CRITICAL score. A fix for the vulnerability has already been released; it will come to all Linux distributions within a couple of days and will probably be backported to all supported Linux kernel versions. According to a user on Hacker News, "there may not actually be a proof-of-concept exploit yet, beyond a reproducer causing a KASAN splat. When people request a CVE for a use-after-free bug they usually just assume that code execution may be possible." To know more about this vulnerability, visit the NVD website.

Sugandha Lahoti
24 Aug 2018
2 min read

Facebook bans another quiz app and suspends 400 more due to concerns of data misuse

Facebook today revealed that it has banned another quiz app, myPersonality, over concerns of data misuse. The step was taken after the app's developers refused to let Facebook audit the app, raising doubts about whether they had shared user information with researchers as well as companies. This is the second quiz app to be banned since Facebook announced a large-scale audit of its platform in March; the first was This Is Your Digital Life, which Facebook banned after it was found to be linked to Cambridge Analytica. According to Ime Archibong, VP of Product Partnerships at Facebook, "Since launching our investigation in March, we have investigated thousands of apps. And we have suspended more than 400." These apps were banned over concerns about the developers who built them or about the apps misusing the information people chose to share. According to Facebook's App Review policy, no user information will be shared with an app if the user hasn't used it in 90 days. myPersonality was created by researchers at the Cambridge Psychometrics Centre to source data from Facebook users via personality quizzes. The quiz app gathered data on some four million users while it was operational from 2007 to 2012 and illegally gave it to researchers and companies. In May, Facebook suspended the app, which hadn't been active since 2012; now it has been completely banned. Facebook will notify people who chose to share their Facebook information with myPersonality. Currently it has no evidence that the quiz app accessed any friends' information; if it finds such evidence, it will notify those people's Facebook friends as well. Read Facebook's official statement on the Facebook blog.
Melisha Dsouza
06 Mar 2019
5 min read

Researchers discover Spectre-like new speculative flaw, “SPOILER”, in Intel CPUs

Intel CPUs are reportedly vulnerable to a new attack: “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks”. The vulnerability takes advantage of speculative execution in Intel CPUs and was discovered by computer scientists at Worcester Polytechnic Institute in Massachusetts and the University of Lübeck in Germany. According to the research, the flaw is a “novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes.” The flaw can be exploited by malicious JavaScript within a web browser tab, by malware running on the system, or by any illicitly logged-in user to steal sensitive information and other data from running applications. The research paper further states that the leakage can be exploited only by a limited set of instructions and is visible in all Intel generations starting from the 1st generation Intel Core processors, independent of the OS. It also works from within virtual machines and sandboxed environments. The flaw is very similar to the Spectre attacks that were revealed in July, last year. The SPOILER attack also takes advantage of speculative execution, like the Spectre attack, and reveals memory layout data, making it easier for other attacks such as Rowhammer, cache attacks, and JavaScript-enabled attacks to be executed. “The root cause of the issue is that the memory operations execute speculatively and the processor resolves the dependency when the full physical address bits are available,” says Ahmad Moghimi, one of the researchers who contributed to the paper. “Physical address bits are security sensitive information and if they are available to user space, it elevates the user to perform other micro architectural attacks.” Intel was informed of the findings in early December, last year. However, it did not immediately respond to the researchers.
An Intel spokesperson has now provided TechRadar with the following statement on the SPOILER vulnerability: “Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”

Impact of SPOILER on performing a Rowhammer attack in a native user-level environment

The research paper defines the Rowhammer attack as “an attack causing cells of a victim row to leak faster by activating the neighboring rows repeatedly. If the refresh cycle fails to refresh the victim fast enough, that leads to bit flips. Once bit flips are found, they can be exploited by placing any security-critical data structure or code page at that particular location and triggering the bit flip again.” In order to perform a Rowhammer attack, the adversary needs to access DRAM rows that are adjacent to a victim row and ensure that multiple virtual pages co-locate on the same bank. Double-sided Rowhammer attacks cause bit flips faster owing to the extra charge on the nearby cells of the victim row, and they further require access to contiguous memory pages. SPOILER can help boost both single- and double-sided Rowhammer attacks with its additional 8-bit physical address information, and it can also detect contiguous memory. The researchers used SPOILER to detect aliased virtual memory addresses where the 20 LSBs of the physical addresses match. These bits are used by the memory controller to map physical addresses to DRAM banks, and the majority of them become known through SPOILER.
Further, “an attacker can directly hammer such aliased addresses to perform a more efficient single-sided Rowhammer attack with a significantly increased probability of hitting the same bank.” The researchers reverse engineered the DRAM mappings for different hardware configurations using the DRAMA tool, and only a few bits of physical address entropy beyond the 20 bits remain unknown. To verify whether aliased virtual addresses co-locate on the same bank, they used the row-conflict side channel. They observed that whenever the number of physical address bits used by the memory controller to map data to physical memory is equal to or less than 20, they always hit the same bank. To summarize their findings, SPOILER drastically improves the efficiency of finding addresses that map to the same bank, without the need for administrative privilege or reverse engineering of the memory controller mapping. This approach also works in sandboxed environments such as JavaScript. You can go through the research paper for more insights on the SPOILER flaw.

Read also:
Linux 4.20 kernel slower than its previous stable releases, Spectre flaw to be blamed, according to Phoronix
Intel releases patches to add Linux Kernel support for upcoming dedicated GPU releases
Researchers prove that Intel SGX and TSX can hide malware from antivirus software

Savia Lobo
09 Mar 2019
4 min read

A security researcher reveals his discovery of 800+ million leaked emails available online

Security researcher Bob Diachenko shared his discovery of an unprotected 150GB MongoDB instance. He said that it held a huge number of emails that were publicly accessible to anyone with an internet connection. “Some of the data was much more detailed than just the email address and included personally identifiable information (PII).” The discovered database contained four separate collections of data, totalling 808,539,939 records. The largest part of this database was named ‘mailEmailDatabase’ and had three folders: Emailrecords (798,171,891 records), emailWithPhone (4,150,600 records) and businessLeads (6,217,358 records). He cross-checked a random selection of records against Troy Hunt's HaveIBeenPwned database. The researcher states, “I started to analyze the content in an attempt to identify the owner and responsibly disclose it – even despite the fact that this started to look very much like a spam organization dataset.” In addition to the email databases, the Mongo instance also revealed details on the possible owner of the database, a company named ‘Verifications.io’, which offered ‘Enterprise Email Validation’ services. Once emails were uploaded for verification, they were also stored in plain text. “Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication. Here is the archived version”, the researcher said. According to Diachenko, someone uploads a list of email addresses that they want to validate. Verifications.io has a list of mail servers and internal email accounts that they use to “validate” an email address. They do this by literally sending the people an email. If it does not bounce, the email is validated. If it bounces, they put it in a bounce list so they can easily validate later on. Diachenko said, “‘Mr. Threat Actor’ has a list of 1000 companies that he wants to hack into. He has a bunch of potential users and passwords but has no idea which ones are real. He could try to log in to a service or system using ALL of those accounts, but that type of brute force attack is very noisy and would likely be identified.” The threat actor instead uploaded all of his potential email addresses to a service like Verifications.io. The email verification service then sent tens of thousands of emails to validate these users (some real, some not). Each one of the users on the list received their own spam message saying “hi”. The threat actor then received a cleaned, verified, and valid list of users at these companies. This, in turn, told him who works there and who does not, which he could then use to start a more focused phishing or brute-forcing campaign. According to Wired, “The data doesn't contain Social Security numbers or credit card numbers, and the only passwords in the database are for Verifications.io's own infrastructure. Overall, most of the data is publicly available from various sources, but when criminals can get their hands on troves of aggregated data, it makes it much easier for them to run new social engineering scams, or expand their target pool.” Security researcher Troy Hunt is adding the Verifications.io data to his service HaveIBeenPwned, which helps people check whether their data has been compromised in data exposures and breaches. He says that 35 percent of the trove's 763 million email addresses are new to the HaveIBeenPwned database. The Verifications.io data dump is also the second-largest ever added to HaveIBeenPwned in terms of the number of email addresses, after the 773 million in the repository known as Collection 1, which was added earlier this year. Hunt says some of his own information is included in the Verifications.io exposure. To know more about this news in detail, read Bob Diachenko's post.

Read also:
Leaked memo reveals that Facebook has threatened to pull investment projects from Canada and Europe if their data demands are not met
Switzerland's e-voting system source code leaked ahead of its bug bounty program; slammed for being ‘poorly constructed’
GDPR complaint claims Google and IAB leaked ‘highly intimate data’ of web users for behavioral advertising

Savia Lobo
23 Aug 2018
3 min read

Sugar operating system: A new OS to enhance GPU acceleration security in web apps

Researchers at the University of California, Irvine have presented Sugar (Secure GPU Acceleration), a new OS solution to enhance the security of GPU acceleration for web apps. Their research paper, titled Sugar: Secure GPU Acceleration in Web Browsers, is a collective effort by Zhihao Yao et al. Recently, GPU-based graphics acceleration in web apps has become increasingly popular. WebGL is the key component that provides OpenGL-like graphics for web apps and is currently used in 53% of the top-100 websites. However, several attack vectors have been demonstrated through WebGL, making it vulnerable to security attacks. One such example is the Rowhammer attack which took place in May this year. Although web browsers have patched the vulnerabilities and added new runtime security checks, the systems remain vulnerable to zero-day exploits, especially given the large size of the Trusted Computing Base (TCB) of the graphics plane. Sugar OS gives each web app a dedicated virtual graphics plane by leveraging modern GPU virtualization solutions. This enhances system security, since a virtual graphics plane is fully isolated from the rest of the system. Despite the GPU virtualization overhead, Sugar achieves high performance. Unlike current systems, Sugar uses two underlying physical GPUs, when available, to co-render the user interface (UI): one GPU provides the virtual graphics planes for web apps, and the other provides the primary graphics plane for the rest of the system. This design not only provides strong security guarantees but also enhanced performance isolation.

The two GPU designs in Sugar OS for secured web apps

The researchers presented two different designs of Sugar in their paper: a single-GPU design and a dual-GPU design. In both, web apps use the virtual graphics planes created by the virtualizable GPU. The main difference between the two is the primary graphics plane.
Single-GPU design target: They designed single-GPU Sugar for machines with a single virtualizable GPU. The main targets of this design are commodity desktops and laptops using Intel processors that incorporate a virtualizable integrated GPU (all Intel Core processors starting from the 4th generation, i.e., Haswell [99]). The primary graphics plane, in this design, uses the same underlying virtualizable GPU but has exclusive access to the display connected to it.

Dual-GPU design target: Dual-GPU Sugar is designed for machines with two physical GPUs, one of which is virtualizable. The main targets for this design are high-end desktops and laptops that incorporate a second GPU in addition to the virtualizable integrated Intel GPU. The primary graphics plane here uses the other GPU, which is connected to the display. Dual-GPU Sugar provides better security than single-GPU Sugar, especially against denial-of-service attacks, and it also achieves better graphics performance isolation.

The researchers demonstrated that Sugar reduces the Trusted Computing Base (TCB) exposed to web apps and thus eliminates various vulnerabilities already reported in the WebGL framework. They also showed that Sugar's performance is high, providing user-visible performance similar to that of existing, less secure systems. Read more about Sugar OS in detail in its research paper.

Read also:
Introducing MapD Cloud, the first Analytics Platform with GPU Acceleration on Cloud
A new WPA/WPA2 security attack in town: Wi-fi routers watch out!
5 examples of Artificial Intelligence in Web apps
Natasha Mathur
16 Aug 2018
3 min read

Google releases new political ads library as part of its transparency report

Google yesterday released an archive of political ads purchased on its platforms. The new library of political ads reveals how much money is spent on these ads across different states and congressional districts, along with a list of top advertisers. Political ads are those featuring federal candidates or currently elected federal officeholders. Google has been modifying its transparency report over the years by adding sections covering European privacy laws, encryption adoption on websites (i.e. HTTPS), and other evolving policy and user expectations. Read also: EU slaps Google with $5 billion fine for the Android antitrust case. The latest archive is another newly added section in the company's regular transparency report. This report shares data revealing “how the policies and actions of governments and corporations affect privacy, security, and access to information.” It is part of Google's effort to make online political advertising more transparent. Any advertiser purchasing election ads on Google in the U.S. now has to “provide a government-issued ID and other key information that confirms they are a U.S. citizen or lawful permanent resident, as required by law. We also required that election ads incorporate a clear “paid for by” disclosure”, says Google. The new election ad library is searchable and downloadable, and provides information about the ads with the highest views, the latest election ads running on the platform, and specific advertisers' campaigns. The data from the Ad Library is publicly available on Google Cloud's BigQuery. This data is particularly helpful for researchers, political watchdog groups and private citizens, who can use it to develop charts, graphs, tables or other visualizations of political ads on Google Ads services. Apart from Google, Facebook and Twitter are other tech giants that have launched ad archives in recent months.
Twitter's ad archive is part of the company's increased transparency efforts. “We clearly label and show disclaimer information for federal political campaigning ads,” says Twitter. Facebook has faced a lot of controversy regarding advertisements, especially after an outcry over Russians' alleged purchase of political ads during the 2016 elections. Also, last month, Washington Attorney General Bob Ferguson found Facebook guilty of providing discriminatory advertisements on its platform. Facebook now has its own political ad archive that shows who paid for these ads, along with other details. Google seems to be following in Twitter's and Facebook's footsteps when it comes to political and issue-based advertising on its platform. Whether this comes at the right time, with the election season coming up soon, is another matter to be debated. The new database is updated every week, and anyone can see the newly uploaded ads and the advertisers uploading them. Google mentioned in its blog that although the Ad Library provides many new insights, it is still “working with experts in the U.S. and around the world to explore tools that capture a wider range of political ads—including ads about political issues (beyond just candidate ads), state and local election ads, and political ads in other countries”. Google's aim with this is to protect these campaigns from digital attacks. “We hope this provides unprecedented, data-driven insights into election ads on our platform,” says Google. For more information regarding Google's new political ad archive, check out the official Google blog post.

Read also:
Facebook must stop discriminatory advertising in the US, declares Washington AG, Ferguson
Google's new facial recognition patent uses your social network to identify you!
Google is missing out $50 million because of Fortnite's decision to bypass Play Store

Prasad Ramesh
29 Nov 2018
3 min read

Uber fined by British ICO and Dutch DPA for nearly $1.2m over a data breach from 2016

British and Dutch authorities on Tuesday fined Uber a total of nearly $1.2m over a data breach that occurred in 2016. The UK Information Commissioner's Office (ICO) imposed a £385,000 fine (close to $500,000) on Uber for “failing to protect customers' personal information during a cyber attack”. The attack happened in November 2016. Additionally, the Dutch Data Protection Authority (DPA) imposed its own €600,000 (close to $680,000) fine over the same incident, for not reporting the data breach to the Dutch DPA within 72 hours of its discovery. For the same data breach, the US government has fined Uber $148m. In November 2016, attackers obtained login credentials to access Uber's servers and downloaded files. These files contained records of users worldwide, including passengers' full names, phone numbers, and email addresses. Personal details of around 2.7 million UK customers and 174,000 Dutch citizens were downloaded from Uber's cloud servers by the hackers in this breach. Steve Eckersley, Director of Investigations at the ICO, said: “This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.” As the attack occurred in 2016, it was not subject to the EU's GDPR, which came into effect in May 2018; GDPR rules could have increased the fines for Uber. The affected customers and drivers were not told about the incident, and Uber started monitoring the accounts for fraud only after a year. The attackers then demanded $100,000 to destroy the data they had taken, which Uber paid as a “bug bounty”. This is unlike a legitimate bug bounty program, which is common practice in the tech industry: the attackers had malicious intent, and so downloaded the data rather than just pointing out the breach.
Eckersley further added: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.” In a statement, Uber representatives said: “We're pleased to close this chapter on the data incident from 2016. We've also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. We learn from our mistakes and continue our commitment to earn the trust of our users every day.”

Read also:
Uber posted a billion dollar loss this quarter. Can Uber Eats revitalize the Uber growth story?
EU slaps Google with $5 billion fine for the Android antitrust case
Origin DApp: A decentralized marketplace on Ethereum mainnet aims to disrupt gig economy platforms like Airbnb and Uber