Tech News - Cybersecurity

373 Articles
Intel faces backlash on Microcode Patches after it prohibited Benchmarking or Comparison

Melisha Dsouza
24 Aug 2018
4 min read
Intel has released microcode updates to mitigate the recently disclosed speculative execution vulnerabilities known as Foreshadow, a.k.a. L1 Terminal Fault (L1TF). These microcode patches are meant to address various side-channel and timing attacks. The license that shipped with the new microcode contained the following term:

You will not, and will not allow any third party to (i) use, copy, distribute, sell or offer to sell the Software or associated documentation; (ii) modify, adapt, enhance, disassemble, decompile, reverse engineer, change or create derivative works from the Software except and only to the extent as specifically required by mandatory applicable laws or any applicable third party license terms accompanying the Software; (iii) use or make the Software available for the use or benefit of third parties; or (iv) use the Software on Your products other than those that include the Intel hardware product(s), platform(s), or software identified in the Software; or (v) publish or provide any Software benchmark or comparison test results.

This was not well received by the public. Let's find out why.

Issues in the security patches

The security fixes slow down Intel processors, so Intel could well face a backlash. Imagine companies that run huge server farms or provide cloud services having to absorb a 5-10% speed reduction across their servers: both security and reputation are at stake. Another dilemma is whether a customer should install the fix at all. Many computer users do not let outside or unprivileged users run code on their CPUs the way a cloud or hosting company does; for them, the slowdown incurred by installing the fix is unnecessary overhead. Through the license, Intel attempted to gag anyone who would collect and report information about the performance penalty. Bad move. Intel should instead have focused on handling the security problem by owning up to the damage and publishing mitigations; the license clause merely hides how much performance is lost. Silencing those who would merely publish benchmarks is bad ethics.

Intel's decision to include this clause also drew the attention of big names in the tech industry. The Register reported on Tuesday that the Linux distribution Debian decided to withhold packages containing the microcode security fix over concerns about its license. Open-source pioneer Bruce Perens then called Intel out for trying to "gag" netizens, and Lucas Holt, MidnightBSD project lead, also weighed in on Twitter.

Terms of the license rewritten

To stop further confusion, Intel backtracked on the license for its latest microcode update after the previous wording outlawed public benchmarking of the chips. The reworked license no longer prohibits benchmarking. In an announcement via Twitter on Thursday, Imad Sousou, corporate VP and general manager of the Intel Open Source Technology Center, said: "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."

While Intel could have faced major trust issues from its dedicated users, it managed to retrace its steps just in time. It's about time Intel started taking responsibility for its own hardware. Hopefully the company thinks twice before introducing any other changes that could lead to a backlash. You can read about the origins of the discussion on Bruce Perens' blog.
Facebook bans another quiz app and suspends 400 more due to concerns of data misuse

Sugandha Lahoti
24 Aug 2018
2 min read
Facebook today revealed that it has banned another quiz app, myPersonality, over concerns of data misuse. The step was taken after the app's developers refused to let Facebook audit the app, raising doubts about whether they had shared user information with researchers and companies. This is the second quiz app banned since Facebook announced a large-scale audit of its platform in March; the first was This Is Your Digital Life, which Facebook banned after it was found to be linked to Cambridge Analytica. According to Ime Archibong, VP of Product Partnerships at Facebook, "Since launching our investigation in March, we have investigated thousands of apps. And we have suspended more than 400." These apps were suspended over concerns about the developers who built them or about the apps misusing information people chose to share.

According to Facebook's App Review policy, no user information is shared with an app if the user hasn't used it in 90 days.

myPersonality was created by researchers at the Cambridge Psychometrics Centre to source data from Facebook users via personality quizzes. The app gathered data on some four million users while it was operational from 2007 to 2012 and illegally passed it on to researchers and companies. In May, Facebook suspended the app, which had not been active since 2012; it has now been banned outright. Facebook will notify people who chose to share their Facebook information with myPersonality. It currently has no evidence that the app accessed any friends' information; if it finds such evidence, it will notify those people's Facebook friends as well. Read Facebook's official statement on the Facebook blog.
Facebook is reportedly rating users on how trustworthy they are at flagging fake news

Sugandha Lahoti
23 Aug 2018
3 min read
Amid the allegations surrounding Facebook over fake news, the company is reportedly working on a scale to rate user trustworthiness. According to a report by the Washington Post, Facebook gives its users a trustworthiness score ranging from 0 to 1 depending on how reliable their false-news flagging has been. This is another of Facebook's attempts to revamp its image after being unfriended by Wall Street, complained about by HUD, and accused of discriminatory advertising. Facebook has previously filed several patents to battle fake news and improve its news feed, most recently patenting its news feed filter tool.

How does the fake news scoring system work?

If a user flags something as false news but fact checkers verify it as true, the user's score drops and their future flags carry less weight. If a user consistently reports content that is indeed proven false, their score improves and Facebook trusts their future flagging more. User-reported fakes are ordered by user trustworthiness to make the best use of fact-checkers' time: the score helps the fact-checking team decide which posts to look at first. The idea is to discount people who habitually make false claims about news articles, and to thwart groups of users who band together to flag content from a publisher they disagree with. Facebook says, "We developed a process to protect against people indiscriminately flagging news as fake and attempting to game the system. The reason we do this is to make sure that our fight against misinformation is as effective as possible."

Facebook's News Feed product manager Tessa Lyons confirmed that the scoring system exists and that it was developed over the past year. Lyons said, "There's currently no way to see your own or someone else's trustworthiness score. And other signals are also used to compute the score." Facebook is keeping quiet about how the score is generated, to prevent bad actors from gaming their own trustworthiness score. While distinguishing genuine flags from the rest lets moderators focus on fact-checking, what is still missing is an effective mechanism to limit the reach of fake news in the first hours after a post goes up. This makes us wonder whether Facebook or other social media sites might consider rating users on their propensity for spreading fake news through shares and likes. The full interview is available on the Washington Post.
Did you know your idle Android device sends data to Google 10 times more often than an iOS device does to Apple?

Fatema Patrawala
23 Aug 2018
3 min read
New research shared by Digital Content Next reveals that idle Android devices send data to Google 10 times more often than idle iOS devices do to Apple. The paper, "Google Data Collection", by Douglas C. Schmidt, a computer science professor at Vanderbilt University, catalogues how much data Google collects about consumers and their most personal habits across all of its products, and how that data is tied together.

More from Schmidt's findings:

- An idle Android phone with the Chrome web browser active in the background communicated location information to Google 340 times during a 24-hour period.
- In an equivalent experiment on an iOS device with Safari open but not Chrome, Google could not collect any appreciable data unless the user was interacting with the device.
- An idle Android phone running Chrome sends back to Google nearly fifty times as many data requests per hour as an idle iPhone running Safari.
- Overall, an idle Android device communicated with Google nearly 10 times more often than an Apple device communicates with Apple's servers.

This frequent passive transmission lets Google tie data together without the user doing anything: anonymous advertising identifiers collect activity data from apps and from third-party web page visits, and Google can associate a cookie with a user's Google account when the user opens a Google app in the same browser in which a third-party page was visited. The research also found that Google tracks location data even after the consumer has turned the location setting off. Google has clarified its location policies, yet it continues to collect location data through app features. That location data is used for ad targeting, Google's primary business model.

Apple, by contrast, uses differential privacy to gather anonymous usage insights from devices such as iPhones, iPads and Macs. Apple says the data it collects off-device is used to improve services like Siri suggestions and to help identify problematic websites that use excessive power or too much memory in Safari. When users set up an iOS device, it explicitly asks whether they wish to provide usage information on an opt-in basis; if a user declines, no data is collected unless they opt in later. Tim Cook's and other Apple executives' belief that customers are not the company's product seems to be clearly in action here. The company also has a dedicated privacy website explaining its approach to privacy and government data requests.
Apache Struts faces code execution flaw risking enterprises to attacks

Fatema Patrawala
23 Aug 2018
2 min read
Apache Struts 2 has been found to carry a bug in the core of the framework. The issue was reported by the security firm Semmle on April 10, and fixed releases were published on June 25. The Apache Software Foundation faces a serious problem because the bug affects all versions of Apache Struts 2.

Researchers from Semmle found that the flaw is caused by insufficient validation of untrusted user data in the core Struts framework. Because the bug, CVE-2018-11776, sits in the Struts core, the team says there are multiple attack vectors threat actors could use to exploit it. A build is likely vulnerable if the alwaysSelectFullNamespace flag is set to true in the Struts configuration (which is automatically the case when the Struts Convention plugin is in use), or if the Struts configuration file contains a tag that does not specify the optional namespace attribute or specifies a wildcard namespace.

"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past," says Man Yue Mo of the Semmle Security Research Team.

All versions of Apache Struts 2 are affected, and firms using the popular open-source framework are urged to update their builds immediately: users of Struts 2.3 should upgrade to 2.3.35, and users of Struts 2.5 to 2.5.17. As the latest releases contain only fixes for the vulnerability, Apache does not expect users to run into backward compatibility issues. The Semmle team added, "Previous disclosures of similarly critical vulnerabilities have resulted in exploits being published within a day, putting critical infrastructure and customer data at risk. All applications that use Struts are potentially vulnerable, even when no additional plugins have been enabled."
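The two preconditions above (the alwaysSelectFullNamespace flag, and namespace-less or wildcard namespaces in the Struts configuration) and the two fixed releases are the things a practitioner actually has to check across a fleet. The following script is an added example written for this article, not Semmle's or Apache's code: it audits a struts.xml and maps a Struts 2 version to the release it must move to. The sample struts.xml is constructed for illustration, and the assumption that the namespace check applies to `<package>` elements is mine, since the article's sentence lost the tag name in extraction; the Convention plugin cannot be detected from struts.xml, so it is passed in as a flag.

```python
"""Audit a Struts 2 deployment for the CVE-2018-11776 (S2-057) preconditions
described in the advisory. Added example, not Apache's or Semmle's code."""
import xml.etree.ElementTree as ET

# Releases that contain the fix, keyed by branch (from the advisory).
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Constructed sample configuration: one vulnerable constant, one package with
# no namespace, one with a wildcard namespace and one that is fine.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="example.IndexAction"><result>/index.jsp</result></action>
  </package>
  <package name="api" namespace="/*" extends="struts-default">
    <action name="ping" class="example.PingAction"><result>/ping.jsp</result></action>
  </package>
  <package name="safe" namespace="/admin" extends="struts-default">
    <action name="home" class="example.HomeAction"><result>/home.jsp</result></action>
  </package>
</struts>"""


def parse_version(text):
    """'2.5.16' -> (2, 5, 16); missing components are treated as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def required_upgrade(version):
    """Return the fixed release a Struts 2 version should move to, or None if
    it already carries the fix (or is outside the advisory's scope)."""
    v = parse_version(version)
    if v[0] != 2:
        return None
    branch = v[:2]
    if branch in FIXED:
        target = FIXED[branch]
    elif branch < (2, 5):
        # Older 2.x lines have no fixed release of their own: move to the
        # nearest fixed branch.
        target = FIXED[(2, 3)] if branch < (2, 3) else FIXED[(2, 5)]
    else:
        return None
    return ".".join(map(str, target)) if v < target else None


def audit_struts_xml(xml_text, convention_plugin=False):
    """Return (kind, detail) findings for the configuration preconditions:
    alwaysSelectFullNamespace set to true (explicitly, or implied by the
    Convention plugin), or a <package> with no namespace attribute or a
    wildcard namespace (the <package> target is an assumption)."""
    root = ET.fromstring(xml_text)
    findings = []
    if convention_plugin:
        findings.append(("alwaysSelectFullNamespace", "implied by Convention plugin"))
    for const in root.iter("constant"):
        if (const.get("name") == "struts.mapper.alwaysSelectFullNamespace"
                and const.get("value", "").strip().lower() == "true"):
            findings.append(("alwaysSelectFullNamespace", "set to true"))
    for pkg in root.iter("package"):
        name = pkg.get("name", "?")
        ns = pkg.get("namespace")
        if ns is None:
            findings.append(("package-without-namespace", name))
        elif "*" in ns:
            findings.append(("package-wildcard-namespace", f"{name} namespace={ns}"))
    return findings


if __name__ == "__main__":
    for ver in ("2.3.34", "2.3.35", "2.5.16", "2.5.17"):
        print(f"Struts {ver}: upgrade to {required_upgrade(ver) or 'nothing, already fixed'}")
    for kind, detail in audit_struts_xml(SAMPLE_STRUTS_XML):
        print(f"finding: {kind}: {detail}")
```

A clean audit of struts.xml does not make a pre-2.3.35 or pre-2.5.17 build safe; the advisory's position is that all Struts 2 versions are affected, so the version check is the one that decides whether to upgrade, and the configuration findings only tell you how exposed a given build is in the meantime.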
Defending Democracy Program: How Microsoft is taking steps to curb increasing cybersecurity threats to democracy

Prasad Ramesh
23 Aug 2018
4 min read
With cybersecurity threats growing, Microsoft has acted on a court order to take over six internet domains and has introduced AccountGuard for email. Microsoft AccountGuard extends the company's Defending Democracy Program and applies to both organizational and personal email accounts.

Microsoft's Digital Crimes Unit (DCU) executed a court order to take control of six internet domains created by a group known as Strontium, also called Fancy Bear or APT28, which is widely associated with the Russian government. The six domains, my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com, impersonated real websites. Brad Smith, President of Microsoft, stated: "To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains." Of late there have been several instances of foreign entities launching cyber strikes to disrupt elections.

What is Microsoft AccountGuard?

Microsoft AccountGuard provides "state-of-the-art cybersecurity protection" at no additional cost to candidates, campaigns and related political institutions that use Office 365. AccountGuard offers these features:

- Cross-account threat detection and notification: Microsoft's Threat Intelligence Center will detect and notify of attacks in a unified way across both organizational and personal email. When threats are verified, Microsoft will provide personal, expedited recommendations to affected political campaigns and their staff to secure the systems concerned. The unified notification system gives a comprehensive view of attacks against the campaign or organization.
- Security guidance and ongoing education: Microsoft will provide guidance to help officials, political campaigns and eligible organizations further secure their network and email systems, including multi-factor authentication and installing the latest security updates to control access to data. AccountGuard will also deliver updated briefings and training on evolving cyber-attack trends.
- Early adopter opportunities: preview releases of new security features that are used in large corporate and government accounts.

If you are eligible for Microsoft AccountGuard you can request an invitation to enroll.

A quick look at Microsoft's Defending Democracy Program

The Defending Democracy Program is a global effort: Microsoft intends to scale its efforts and reach other democratic countries to protect their processes in the coming years. Microsoft has identified 2018 as a critical year for governments and tech companies to work together on making elections more secure. The program consists of steps that include:

- Protecting campaigns from hacks through better account monitoring and stronger response measures to attacks.
- Supporting proposals such as the Honest Ads Act to increase the transparency of online political advertising, and adopting self-regulatory measures across Microsoft platforms.
- Exploring technological solutions to protect and preserve electoral processes, and working with federal, state and local officials to identify and fix cyber threats.
- Defending against disinformation, propaganda and fake news by partnering with institutions and think tanks dedicated to countering such activity.

Microsoft will focus first on the U.S. midterm elections of November 2018, piloting new cross-industry protections that will also be used in the 2020 U.S. presidential election. Tom Burt, Corporate Vice President, Customer Security & Trust, stated: "Expect to hear more from us on what we're doing, both on our own and in partnership with governments and our industry colleagues, to put our cybersecurity expertise to work for the defense of democracy." Visit the Microsoft Blog for more details on AccountGuard and the Defending Democracy Program.
Sugar operating system: A new OS to enhance GPU acceleration security in web apps

Savia Lobo
23 Aug 2018
3 min read
Researchers at the University of California, Irvine have presented Sugar (Secure GPU Acceleration), a new OS-level design to improve the security of GPU acceleration for web apps. Their paper, Sugar: Secure GPU Acceleration in Web Browsers, is the collective work of Zhihao Yao et al.

GPU-based graphics acceleration in web apps has become increasingly popular. WebGL is the key component: it provides OpenGL-like graphics for web apps and is currently used by 53% of the top 100 websites. However, several attack vectors have been demonstrated through WebGL, leaving it exposed to security attacks; one example is the Rowhammer attack demonstrated through WebGL in May this year. Although web browsers have patched those vulnerabilities and added new runtime security checks, the systems remain exposed to zero-day exploits, especially given the large Trusted Computing Base (TCB) of the graphics plane.

Sugar gives each web app a dedicated virtual graphics plane by leveraging modern GPU virtualization. This improves system security because a virtual graphics plane is fully isolated from the rest of the system, and Sugar achieves high performance despite the GPU virtualization overhead. Unlike current systems, Sugar uses two underlying physical GPUs, when available, to co-render the user interface (UI): one provides the virtual graphics planes for web apps, the other provides the primary graphics plane for the rest of the system. This design not only gives strong security guarantees but also provides performance isolation.

The two GPU designs in Sugar for secured web apps

The researchers present two designs of Sugar in their paper, single-GPU and dual-GPU. In both, web apps use virtual graphics planes created by the virtualizable GPU; the designs differ in where the primary graphics plane runs.

Single-GPU design: Single-GPU Sugar is intended for machines with one virtualizable GPU. The main targets are commodity desktops and laptops with Intel processors that incorporate a virtualizable integrated GPU (all Intel Core processors from the 4th generation, Haswell, onwards). The primary graphics plane uses the same underlying virtualizable GPU but has exclusive access to the display connected to it.

Dual-GPU design: Dual-GPU Sugar is intended for machines with two physical GPUs, one of which is virtualizable. The main targets are high-end desktops and laptops with a second GPU alongside the virtualizable integrated Intel GPU. Here the primary graphics plane uses the other GPU, which is connected to the display. Dual-GPU Sugar provides better security than single-GPU Sugar, especially against denial-of-service attacks, and better graphics performance isolation.

The researchers show that Sugar reduces the TCB exposed to web apps and thus eliminates various vulnerabilities already reported in the WebGL framework, while delivering user-visible performance similar to that of existing, less secure systems. Read more about Sugar in the research paper.
Microsoft claims it halted Russian spearphishing cyberattacks

Richard Gall
22 Aug 2018
3 min read
Microsoft claims it identified and stopped a number of Russian cyberattacks just last week. In a post published on Monday (August 20), Brad Smith wrote that "Microsoft's Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six internet domains created by a group widely associated with the Russian government and known as Strontium." The attacks are notable not only because of Strontium's links with the Russian government, but also because of the institutions these fake domains targeted. One of the domains is believed to mimic the International Republican Institute, while another is an imitation of the conservative think tank the Hudson Institute; CNN notes that "both think tanks have been critical of Russia." Smith also writes that "other domains appear to reference the U.S. Senate but are not specific to particular offices."

Spearphishing explained

The attackers are alleged to have used a technique known in cybersecurity as spearphishing, in which an email or website is disguised as a reliable, trustworthy source in order to trick targeted users into handing over information. In this instance, the attackers could have been imitating Republican think tanks to get their staff to hand over credentials or other information. This is not the first spearphishing campaign Microsoft claims to have intercepted: Brad Smith writes that 84 fake websites believed to be linked to Strontium have been transferred to Microsoft in the last two years. Microsoft has notified the Hudson Institute and the International Republican Institute about the attacks. "Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We've also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators."

Next steps: Microsoft is expanding its Defending Democracy Program

Microsoft has also announced that it is expanding its Defending Democracy Program with a new initiative called Microsoft AccountGuard, which will "provide state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack" (free for organizations using Office 365).
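The six seized domains named in the Defending Democracy article above, and the spearphishing explanation here, share one pattern: the names borrow a trusted brand or institution token (sharepoint, onedrive, office365, adfs, senate, iri, hudson) but are registered under an apex the brand does not own. The following script is an added example written for these two articles, not Microsoft's code, showing how a defender can flag such lookalikes in a domain feed (new registrations, DNS logs, proxy logs). The allow-list of legitimate apexes, the contoso.com tenant apex for ADFS, and the legitimate sample domains are assumptions; the six Strontium domains are the ones the articles list.

```python
"""Flag lookalike domains that borrow a trusted brand or institution token but
are not registered under that brand's own apex. Added example, not Microsoft's
code; allow-list and legitimate samples are assumptions."""
import re

# brand/institution token -> apex domains under which it legitimately appears
# (assumed allow-list; extend it with your own tenant's domains)
PROTECTED = {
    "sharepoint": {"sharepoint.com", "microsoft.com"},
    "onedrive": {"onedrive.com", "microsoft.com"},
    "office365": {"office.com", "microsoft.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "adfs": {"contoso.com"},  # your own ADFS farm's apex (assumed)
    "senate": {"senate.gov"},
    "iri": {"iri.org"},
    "hudson": {"hudson.org"},
}

# the six domains named in Microsoft's announcement
STRONTIUM_DOMAINS = [
    "my-iri.org",
    "hudsonorg-my-sharepoint.com",
    "senate.group",
    "adfs-senate.services",
    "adfs-senate.email",
    "office365-onedrive.com",
]

# constructed legitimate names that must not be flagged
LEGITIMATE_DOMAINS = [
    "contoso-my.sharepoint.com",
    "login.microsoftonline.com",
    "www.senate.gov",
    "www.iri.org",
]


def registrable_domain(fqdn):
    """Naive apex: the last two labels. Production code should consult the
    Public Suffix List (e.g. the publicsuffix2 package) so 'x.co.uk' works."""
    labels = fqdn.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand_tokens(fqdn):
    """Protected tokens appearing in the name, splitting on dots, hyphens and
    underscores. Brands of six or more characters also match as a prefix of a
    token ('hudsonorg' matches 'hudson'); short brands like 'iri' must match
    a whole token so that ordinary words do not trigger them."""
    hits = set()
    for tok in re.split(r"[.\-_]", fqdn.lower()):
        for brand in PROTECTED:
            if tok == brand or (len(brand) >= 6 and tok.startswith(brand)):
                hits.add(brand)
    return hits


def is_lookalike(fqdn):
    """Sorted list of protected tokens the name uses while not sitting under
    an allowed apex for that token; an empty list means not flagged."""
    apex = registrable_domain(fqdn)
    return sorted(b for b in brand_tokens(fqdn) if apex not in PROTECTED[b])


def lookalike_findings(domains):
    """Map each flagged domain to the tokens that triggered it."""
    findings = {}
    for domain in domains:
        hits = is_lookalike(domain)
        if hits:
            findings[domain] = hits
    return findings


if __name__ == "__main__":
    for domain, hits in lookalike_findings(STRONTIUM_DOMAINS + LEGITIMATE_DOMAINS).items():
        print(f"{domain}: impersonates {', '.join(hits)}")
```

The check deliberately looks at the registrable apex rather than the full hostname, because `contoso-my.sharepoint.com` is a normal tenant hostname while `hudsonorg-my-sharepoint.com` puts the same token into a registrable name the brand does not control. Feeding this over newly observed domains from DNS or proxy logs gives an early signal of the kind of infrastructure the DCU had to go to court to seize.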
Google’s incognito location tracking scandal could be the first real test of GDPR

Savia Lobo
21 Aug 2018
4 min read
When you tell Google to turn off location tracking, it carries on tracking you in the background. This default behaviour exposes Google to a potentially huge fine under Europe's GDPR rules.

Google is secretly tracking your moves

When users turn off location tracking, they expect Google to stop recording where they are, but that is not the case: Google keeps collecting location points without the user's consent. Associated Press recently reported that Google continues to collect a user's location points even while the user believes they are safe from tracking. According to AP, location tracking continues even when the user has disabled it, with the following resulting issues:

- User settings governing location markers are in different places.
- Location tracking can be "Paused", but not permanently disabled.
- Location tracking continues in Maps, Search and other Google applications regardless of the "Location History" setting.
- The warnings shown to both iOS and Android users are misleading.

How does Google's location tracking violate the EU's new GDPR rules?

In May this year, Europe's much anticipated new privacy law, the General Data Protection Regulation (GDPR), came into force, affecting virtually every technology company worldwide. Under GDPR, any company operating in the EU or serving EU citizens must abide by strict new privacy rules meant to protect consumers from companies abusing their personal data. A company that fails to comply faces financial penalties of up to 4 percent of its annual revenue; for Google, that could mean billions of dollars in fines. GDPR's data minimisation principle states that data must be collected for specified, explicit and legitimate purposes and processed only for those purposes.

Serena Tierney, a partner at the law firm VWV and a data protection and privacy specialist, told The Register, "The legitimate purpose of the data collection must be clear. Is it only used for Google's own internal machine learning algorithms, say, or is it part of a personal profile sold to advertisers?" "It's part of a wider public debate. Is this part of the social contract between society generally (including me) and search engines (including Google) that in return for getting free search, for example, we expect our personal data to be used for personal advertising, with no way for us to opt out?" Tierney continued. Rafe Laguna of Open-Xchange, an open source infrastructure provider, says, "The Google location scandal could be the first real test of GDPR. The regulation states that user consent must be clear, distinguishable and written in plain language."

Google updated its location policies: "Some location data may be saved"

Right after the AP investigation into its location tracking practice, Google made quick updates to its Location History help page. According to AP, in this update, made on 16th August, Google acknowledges that it still tracks users via Google Maps, weather updates and browser searches. Google's help page for the Location History setting now says that "some location data may be saved as part of your activity on other services, like Search and Maps." The Location History toggle therefore does not stop Google tracking users; what does is disabling the "Web and App Activity" option (which is enabled by default). With that option off, Google no longer stores and tracks users' Maps data and location from browser searches. To follow this evolving story in detail, visit Associated Press News' full coverage.
16 year old hacked into Apple’s servers, accessed ‘extremely secure’ customer accounts for over a year undetected

Melisha Dsouza
20 Aug 2018
3 min read
Apple, the world's first trillion-dollar public company, had its internal systems breached by a 16-year-old schoolboy from Melbourne, repeatedly, over the course of about a year, before the intrusions were detected. That is worth reading twice, given that Apple is the most privacy-conscious of the FAANG tech giants. The student, whose name cannot be published because of his age, reportedly pleaded guilty in an Australian Children's Court this week.

"Dream of working at Apple" leads teen to hack into its servers

The accused juvenile, no stranger to cybercrime, is reportedly well known in the international hacking community. His ability to build tunnels and bypass systems that hid his identity served him well until a raid on his family home last year turned up hacking files and instructions, saved in a folder named "hacky hack hack". Reportedly fascinated with the company, the teen told the court that the hacking grew out of a wish to one day work for Apple. He gained access to Apple's internal systems (described in court as its "mainframe"), downloaded internal files and accessed customer accounts. Among the material he obtained were customers' authorised keys, credentials that grant access to user accounts and that Apple regards as extremely secure. He did not break in just once: the intrusions recurred over the past year. Despite the download of around 90 GB of files and the access to customer accounts, Apple maintains that no customer data was compromised. The company says it identified the breach and notified the FBI, which referred the matter to the Australian Federal Police.

A prosecutor gave some detail on how the intrusions were tied to the accused: "Two Apple laptops were seized and the serial numbers matched the serial numbers of the devices which accessed the internal systems." He added: "A mobile phone and hard drive were also seized whose IP address matched those detected in the breaches." Attribution, then, rested on device identifiers and IP addresses logged by Apple matching the seized hardware; the identity-hiding tooling did not prevent that match.

An Apple spokesperson sought to reassure customers, saying the company vigilantly protects its networks and has dedicated teams of information security professionals that work to detect and respond to threats. He added: "In this case, our teams discovered the unauthorized access, contained it, and reported the incident to law enforcement. We regard the data security of our users as one of our greatest responsibilities and want to assure our customers that at no point during this incident was their personal data compromised."

The boy's audacity is underlined by the fact that he shared details of his hacking with members of a WhatsApp group. He has pleaded guilty; because of the complexities of the case, the magistrate deferred sentencing, and he is due back in court in September. Head over to fossbytes for detailed coverage of the case.

1k+ Google employees frustrated with continued betrayal, protest against Censored Search engine project for China
Fatema Patrawala
17 Aug 2018
4 min read
More than a thousand Google employees, frustrated by a series of controversies at the company, have signed a letter demanding transparency about plans to build a censored search engine for China. The project, named Dragonfly, is a censored search engine for the Chinese market. In the letter, employees write: "Currently we do not have the information required to make ethically-informed decisions about our work, our projects, and our employment." The letter, published by BuzzFeed News, was circulated on Google's internal communications system and has now been signed by about 1,400 Googlers.

Dragonfly would mark Google's return to China eight years after it withdrew in protest against censorship and government hacking. China has the world's largest internet audience but has frustrated American tech giants with content restrictions or outright blocking of services including Facebook and Instagram.

Earlier crises at Google

This is not the first time Google's outspoken workforce has been agitated by a change in strategy. In April, employees spoke out against the company's involvement in a Pentagon program that uses artificial intelligence to improve weaponry. Over 4,000 employees signed a petition asking the company to cancel it, a dozen engineers resigned in protest, and Google eventually promised not to renew the contract. Following that uproar, Google published AI ethics guidelines. The letter about Dragonfly now circulating inside the company argues that those guidelines are not enough. "As a company and as individuals we have a responsibility to use this power to better the world, not to support social control, violence, and oppression," the letter reads. "What is clear is that Ethical Principles on paper are not enough to ensure ethical decision making. We need transparency, oversight, and accountability mechanisms sufficient to allow informed ethical choice and deliberation across the company."

What Googlers and management say

Allison Day, a program manager at Google, is not shocked by the outrage. She told BuzzFeed News: "I can see the bottom line for any corporation is growth, and [China] represented a gigantic market. The 'Don't be Evil' slogan or whatever is, you know… It's not a farce. I wouldn't go so far as to say that. But it is a giant corporation, and its bottom line is to make money." Google CEO Sundar Pichai has repeatedly expressed interest in a return to China, which the company left for political reasons in 2010. Pichai's apparent decision to return, which was not addressed companywide before Thursday, has led some employees to consider leaving the company altogether. "There are questions about how [Dragonfly] is implemented that could make it less concerning, or much more concerning," an anonymous Google employee said. "That will continue to be on my mind, and the mind of other Googlers deciding whether to stay."

The Dragonfly project's secrecy

Two Google employees working on Dragonfly were so disturbed by the secrecy that they quit the team over it. Developers on the project had been asked to keep Dragonfly confidential, not just from the public but also from their coworkers. Even more upsetting to some employees is that the company has blocked internal access to Dragonfly's code, and managers have shut down access to certain documents about the project, according to The Intercept. Employees see this as a special kind of betrayal and erosion of trust, because the company's culture holds that "Once you're at Google, you can look up the code anywhere in the code base and see for yourself." "We pride ourselves on having an open and transparent culture," said the anonymous Google developer. "There [are] definitely employees at the company who are very frustrated because that's clearly not true."

Google has not responded to specific questions about Dragonfly from The Intercept, Bloomberg or BuzzFeed News, saying only in a statement: "We don't comment on speculation about future plans." An anonymous Google developer said: "Even though a lot of us have really good jobs, we can see that the difference between us and the leadership is still astronomical. The vision they have for the future is not our vision."

Evaluation of Third-Party Cookie Policies reveals a lineup of never-seen, currently unblockable web-tracking techniques
Melisha Dsouza
17 Aug 2018
5 min read
Identifying and authenticating users on the web is straightforward thanks to HTTP cookies. They let website developers store a user's preferences or authentication tokens in the browser, and they let users stay logged in without re-entering credentials on every visit. A win-win situation for everybody? Not quite. Because the web keeps evolving, the way cookies are attached to requests leaves room for intrusive tracking and cross-site attacks. Researchers at KU Leuven (the Catholic University of Leuven, Belgium) explored exactly this and won a Distinguished Paper award at this year's USENIX Security Symposium for "Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies".

How did the team discover these web security loopholes?

The authors uncovered an array of previously unseen tracking techniques that identify web users even when they rely on the privacy tools supplied by browser vendors or on third-party tracking-blocking tools. They tested 7 browsers and 46 browser extensions. The techniques use the AppCache API, lesser-known HTML tags, the Location response header, various <meta> redirects, JavaScript embedded in PDF files, JavaScript's location.href property and service workers to issue cross-site requests that still carry cookies, tracking users across sites. The pattern across the findings is that browsers enforce third-party cookie blocking and same-site cookie policies in some request paths but not in others: a request that originates from the PDF viewer, the AppCache, a service worker or a prerender may travel through code that skips the policy check, and the WebExtension API does not always expose such requests to extensions either. That is why the techniques bypass the stock browser privacy protections, Firefox's newer privacy settings, and popular cookie-blocking, ad-blocking and script-blocking extensions alike. The researchers reported the issues to the browser vendors before going public; some have since been fixed, but not all were at the time of publication.
This should stand as a lesson for browser vendors to defend against these tactics consistently across every request path. Until they do, sites can use these tactics to track users across the web regardless of the blocking tools in place.

(Results table omitted; source: wholeftopenthecookiejar.eu)

Exploits and their countermeasures, as explored by the researchers

The team has not only produced a list of 10 exploits but also suggested measures to combat them. Here is the list, in brief:

#1 Bypasses for the Opera ad blocker discovered
While the built-in ad blocker is enabled, the team found that requests to cross-site blacklisted domains can still be sent using various mechanisms in Opera.

#2 Various bypasses discovered for the same-site cookie policy in Edge
The same-site cookie policy implemented by Edge can be bypassed in multiple ways.

#3 The option to block third-party cookies in Safari 10 does not exclude cookies set in a first-party context from future cross-site requests
When users enable "allow cookies from the current website only" in Safari 10, cookies that were set in a first-party context are still included in cross-site requests. Safari blocks only the setting of third-party cookies, not the sending of existing ones.

#4 Enabling the option to block third-party cookies in Edge has no effect
Even when users enable the option to block third-party cookies in Edge, they are still included in all requests.

#5 The option to block third-party cookies can be bypassed in Chromium through PDF files
JavaScript embedded in PDF files can be used to send GET or POST requests to a cross-site domain. In Chromium this bypasses the option to block third-party cookies. Affected browsers: Chrome and Opera.

#6 Cross-site requests initiated by PDF files bypass the WebExtension API provided by Chromium
Extensions such as ad blockers or privacy extensions cannot intercept, through the WebExtension API, requests initiated by PDF files opened in Chrome or Opera.

#7 Bypasses for Firefox Tracking Protection discovered
Firefox Tracking Protection can be bypassed by various mechanisms: cross-site requests directed at blacklisted domains can still be sent while this countermeasure is enabled.

#8 Requests initiated by the AppCache API are not easily distinguished from requests initiated by browser background processes
Again in Firefox, extension developers find it difficult to distinguish requests initiated by the browser's background processes from requests initiated by websites, which makes AppCache-initiated requests hard to block.

#9 Requests to fetch the favicon are not interceptable by Firefox extensions
Firefox extensions were unable to intercept (cross-site) requests to fetch the favicon through the WebExtension API. This has since been fixed.

#10 Same-site cookie policy bypass discovered in Chromium
Prerender functionality can be leveraged to initiate cross-site requests that include cookies carrying the same-site value "strict". The bug was no longer detected in several versions starting from Chrome 62, but it returned in Chrome 66, 67 and 68.

You can read the entire catalog to understand how your cookies are at stake (pun intended). The browser vendors have been made aware of these bugs, and solutions have been proposed to rectify browser APIs and tools to deal with these exploits. Along with the reports above, wholeftopenthecookiejar.eu includes a breakdown of every test the researchers carried out against each of the 7 browsers and 46 extensions, and against which versions.
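Several of the findings above (#2, #3, #10) are discrepancies between what the same-site cookie policy says a browser should do and what it actually does. Checking for them needs an oracle for the policy. The block below is an added example written for this page, not the paper's code: it implements the same-site decision of RFC 6265bis (the draft Chromium and Firefox implement) and compares it with constructed observations, one of which reproduces the shape of finding #10. The site() function approximates the registrable domain by keeping the last two hostname labels, which is an assumption that a real implementation replaces with a Public Suffix List lookup; the sample observations and their `sent` values are constructed, not measurements.

```javascript
// Added example, not from the paper: a reference oracle for the same-site cookie
// policy as specified in RFC 6265bis. Given a cookie's attributes and a request
// context it answers whether the cookie should be attached; comparing that answer
// with what a browser actually sends is the bypass test behind findings like #10
// (prerender attaching SameSite=Strict cookies to a cross-site request).
"use strict";

// Site = scheme + registrable domain. A real implementation consults the Public
// Suffix List; keeping the last two labels is an assumption that is wrong for
// multi-label suffixes such as co.uk. IP addresses and single-label hosts are
// their own site. Ports are deliberately ignored, as browsers do.
function site(url) {
  const u = new URL(url);
  const host = u.hostname;
  const labels = host.split(".");
  const isIp = /^[\d.]+$/.test(host) || host.startsWith("[");
  const domain = isIp || labels.length < 2 ? host : labels.slice(-2).join(".");
  return `${u.protocol}//${domain}`;
}

function isSameSite(initiatorUrl, targetUrl) {
  return site(initiatorUrl) === site(targetUrl);
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie: { name, sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean }
// ctx:    { initiator: url, target: url, method: string, topLevelNavigation: boolean }
// opts.laxByDefault: treat an unspecified SameSite as Lax (Chromium's later default);
// the browsers the paper tested treated an unspecified attribute as None.
function shouldAttach(cookie, ctx, opts = { laxByDefault: true }) {
  if (cookie.secure && new URL(ctx.target).protocol !== "https:") return false;
  if (isSameSite(ctx.initiator, ctx.target)) return true;   // same-site: always attached
  const mode = cookie.sameSite === undefined
    ? (opts.laxByDefault ? "Lax" : "None")
    : cookie.sameSite;
  switch (mode) {
    case "Strict": return false;                          // never on cross-site requests
    case "Lax":    return ctx.topLevelNavigation &&       // only top-level, safe-method navigations
                          SAFE_METHODS.has(ctx.method.toUpperCase());
    case "None":   return true;                           // always (browsers also demand Secure at set time)
    default: throw new Error(`unknown SameSite mode: ${mode}`);
  }
}

// Compare observed browser behaviour with the oracle; every mismatch is either a
// policy bypass (sent but should not have been) or over-blocking.
function findDiscrepancies(observations, opts) {
  const out = [];
  for (const o of observations) {
    const expected = shouldAttach(o.cookie, o.ctx, opts);
    if (expected !== o.sent) out.push({ label: o.label, expected, sent: o.sent });
  }
  return out;
}

// Constructed observations mirroring the paper's categories; the `sent` values are
// illustrative, not measurements. The prerender row has the shape of finding #10.
const CROSS = { initiator: "http://attacker.test/", target: "https://app.example.com/api" };
const SAMPLE_OBSERVATIONS = [
  { label: "img/lax",          cookie: { name: "c_lax", sameSite: "Lax" },
    ctx: { ...CROSS, method: "GET", topLevelNavigation: false }, sent: false },
  { label: "meta-refresh/lax", cookie: { name: "c_lax", sameSite: "Lax" },
    ctx: { ...CROSS, method: "GET", topLevelNavigation: true },  sent: true },
  { label: "form-post/lax",    cookie: { name: "c_lax", sameSite: "Lax" },
    ctx: { ...CROSS, method: "POST", topLevelNavigation: true }, sent: false },
  { label: "prerender/strict", cookie: { name: "c_strict", sameSite: "Strict" },
    ctx: { ...CROSS, method: "GET", topLevelNavigation: true },  sent: true },
];

module.exports = { site, isSameSite, shouldAttach, findDiscrepancies, SAMPLE_OBSERVATIONS };
```

Feeding real measurements from a harness into findDiscrepancies, one observation per mechanism and cookie, yields exactly the kind of table the paper publishes: any row where expected is false and sent is true is a policy bypass worth reporting to the vendor. The port caveat is worth keeping in mind when building such measurements: isSameSite treats http://localhost:8001 and http://localhost:8002 as the same site, so a test rig on one hostname never exercises the cross-site branch.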
You can read the paper by Gertjan Franken, Tom Van Goethem and Wouter Joosen for an inside view of the methodology and of why it won the award.

Google releases new political ads library as part of its transparency report
Natasha Mathur
16 Aug 2018
3 min read
Google yesterday released an archive of political ads purchased on its platforms. The new library reveals how much money is spent on these ads across states and congressional districts, along with a list of top advertisers. Political ads here means ads featuring federal candidates or currently elected federal officeholders. Google has added sections to its transparency report over the years in response to European privacy laws, the adoption of HTTPS on websites, and other evolving policy and user expectations.

Read also: EU slaps Google with $5 billion fine for the Android antitrust case

The latest archive is another new section of the company's regular transparency report, which shares data revealing "how the policies and actions of governments and corporations affect privacy, security, and access to information". It is Google's effort to make online political advertising more transparent. Any advertiser purchasing election ads on Google in the U.S. must now "provide a government-issued ID and other key information that confirms they are a U.S. citizen or lawful permanent resident, as required by law. We also required that election ads incorporate a clear 'paid for by' disclosure", says Google. The new election ad library is searchable and downloadable and provides information about the ads with the most views, the latest election ads running on the platform, and specific advertisers' campaigns. The data from the Ad Library is publicly available on Google Cloud's BigQuery, which is particularly helpful for researchers, political watchdog groups and private citizens, who can use it to build charts, graphs, tables or other visualisations of political ads on Google's ad services. Apart from Google, Facebook and Twitter have launched ad archives in recent months.

Twitter's ad archive is part of that company's increased transparency efforts. "We clearly label and show disclaimer information for federal political campaigning ads," says Twitter. Facebook has faced a great deal of controversy over advertisements, especially after the outcry over Russians' alleged purchase of political ads during the 2016 elections, and last month Washington Attorney General Bob Ferguson took action against Facebook over discriminatory advertising on its platform. Facebook now has its own political ad archive showing who paid for each ad along with other details. Google seems to be following Twitter and Facebook's footsteps on political and issue-based advertising. Whether this comes at the right time, with election season coming up soon, is another matter.

The new database is updated every week, and anyone can see the newly uploaded ads and the advertisers uploading them. Google mentions in its blog that, despite the Ad Library providing many new insights, it is still "working with experts in the U.S. and around the world to explore tools that capture a wider range of political ads—including ads about political issues (beyond just candidate ads), state and local election ads, and political ads in other countries". Google also says it aims to help protect campaigns from digital attacks. "We hope this provides unprecedented, data-driven insights into election ads on our platform," says Google. For more information on Google's new political ad archive, check out the official Google blog post.

A Twitter video shows how voting machines used in 18 states can be hacked in 2 mins
Fatema Patrawala
16 Aug 2018
3 min read
At the 26th annual DEF CON conference in Las Vegas last week, attendees were reminded that US election infrastructure is vulnerable to tampering by an alarming video posted on Twitter.

https://twitter.com/RachelTobac/status/1029449569266884608

Rachel Tobac, CEO of SocialProof Security, showed in the video how a voting machine can be opened up and put into its admin mode in under two minutes. SocialProof Security provides assessments for social engineering based security. Social engineering involves tricking people into giving up information that lets attackers bypass physical and computer security systems; it is most commonly done with a simple phone call, talking a tech support agent into resetting a password, or getting information about a company's network by asking an unwary staffer a few leading questions. Tobac explained that reaching the voting machine's admin functions is about as hard as opening the hood of a car: press a release button, unplug the card reader, pick a lock and turn the machine on with a ballpoint pen. The model shown was the Premier AccuVote TS or TSX, which is used in more than 18 states. Jack Braun, an organiser of the Voting Village, told the Wall Street Journal: "This is not the cyber mature industry." The National Association of Secretaries of State (NASS), meanwhile, issued a statement discounting the demonstrations: "Our main concern with the approach taken by DEFCON is that it uses a pseudo environment which in no way replicates state election systems, networks, or physical security," it said. "Providing conference attendees with unlimited physical access to voting machines," NASS said, "does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day." This is the second year in a row that DEF CON's Voting Village has put election systems in front of hackers.

Other experiments included an 11-year-old girl hacking a replica of the Florida Secretary of State's website and changing its results in 10 minutes. Some suggested blockchain-based voting systems as a way to protect the integrity of elections. Whatever the remedy, the dispute between the Voting Village and NASS is really about the threat model: the demonstrations assume unrestricted physical access to the machine, while election officials argue that the physical and procedural controls around the machines are part of the system's security. Either way, this is an area of concern that should be addressed before future elections.

Twitter's trying to shed its skin to combat fake news and data scandals, says Jack Dorsey
Sugandha Lahoti
16 Aug 2018
2 min read
Amid the debate over whether social media sites should regulate their content or face legal action, Twitter CEO Jack Dorsey has announced plans to rethink the core of how Twitter works. In an interview with the Washington Post, Dorsey said he is experimenting with features that would promote alternative viewpoints in Twitter's timeline to address misinformation and reduce echo chambers. "The most important thing that we can do is we look at the incentives that we're building into our product," Dorsey said. "Because they do express a point of view of what we want people to do — and I don't think they are correct anymore."

https://twitter.com/jack/status/1029846451524960261

Dorsey's move is a further sign that Silicon Valley leaders are getting serious about safety, security and privacy across their services. In recent months, Twitter has made several moves against fake news and data-related scandals. Earlier this month, Apple, Facebook and Spotify took action against Alex Jones. Twitter initially allowed Jones to keep using its service, but on Tuesday it imposed a seven-day "timeout" on him after he encouraged his followers to get their "battle rifles" ready against critics in the "mainstream media" and on the left. Last month, the company reportedly deleted 70 million fake accounts in an attempt to curb fake news, and it continues to suspend accounts that are inauthentic, spammy or created by malicious automated bots. Another approach Twitter is exploring is to surround false tweets with factual context: Dorsey said that more context about a tweet, including tweets that call it out as obviously fake, could help people judge for themselves. Twitter is also planning to label automated accounts; legislators and federal lawmakers have already proposed putting such requirements into law.

The company is also auditing existing accounts for signs of automated sign-up and improving the overall sign-up process. What remains to be seen is whether Twitter can actually implement these claims effectively, or whether Dorsey's statements will come to nothing. You can read Dorsey's entire interview in the Washington Post.