Tech News - Security

470 Articles
Hackers steal bitcoins worth $41M from Binance exchange in a single go!

Savia Lobo
09 May 2019
On Tuesday, Binance, one of the most popular cryptocurrency exchanges, reported a major security breach in which hackers stole around 7,000 bitcoins, worth about $41 million, in a single transaction. The attackers had obtained a large number of user API keys, 2FA codes and other account information. Binance said the hackers used a variety of techniques, including phishing, viruses and other attacks. “We are still concluding all possible methods used. There may also be additional affected accounts that have not been identified yet”, Binance said in its official statement.

Binance confirmed that only the BTC hot wallet was affected and that all other wallets are secure. The affected hot wallet held about 2% of Binance's total BTC holdings. The firm also said the hackers were extremely patient and carried out well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. “The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that”, the statement says.

Binance said that no user funds will be affected and that it will use the SAFU fund (Secure Asset Fund for Users) to cover the incident in full. It estimates that a thorough security review of the incident will take about a week, during which all deposits and withdrawals will remain suspended. The review will cover all parts of its systems and data, with frequent updates posted. “We beg for your understanding in this difficult situation”, Binance told its users, adding, “Please also understand that the hackers may still control certain user accounts and may use those to influence prices in the meantime. We will monitor the situation closely. But we believe with withdrawals disabled, there isn’t much incentive for hackers to influence markets.”

Larry Cermak, Head Analyst at The Block and former researcher at Diar, analysed the Binance hack and concluded that it was the sixth largest exchange hack in history. He also said that the $41 million is “peanuts” for Binance, which would need only around 47 days to earn back the amount lost in the breach.

https://twitter.com/lawmaster/status/1126090906908676096

In a live video chat, Binance's chief executive Changpeng Zhao answered questions about the hack.

https://twitter.com/CharlieShrem/status/1126166334121881601

To know more about this news, read Binance's complete official statement.
Symantec says NSA’s Equation group tools were hacked by Buckeye in 2016 way before they were leaked by Shadow Brokers in 2017

Savia Lobo
07 May 2019
In a report released yesterday, Symantec, the well-known cybersecurity software and services company, revealed that the Buckeye group used the Equation Group's tools well before they were leaked by the Shadow Brokers in 2017. With the help of these tools, Buckeye exploited a Windows zero-day in 2016.

According to The New York Times: “Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.”

In 2017, a mysterious group known as the Shadow Brokers leaked a set of tools belonging to the Equation Group, one of the most technically adept espionage groups, tied to the Tailored Access Operations (TAO) unit of the U.S. NSA. The leak had a major impact, as many attackers rushed to put the disclosed tools to use. One of them, the EternalBlue exploit, was used in the WannaCry ransomware outbreak of May 2017.

Symantec's report highlights that the Buckeye cyber espionage group (aka APT3, Gothic Panda) began using Equation Group tools in attacks at least a year before the Shadow Brokers leaked them. The evidence traces back to March 2016, in Hong Kong, where Buckeye began using a variant of the DoublePulsar backdoor (Backdoor.Doublepulsar), which was later disclosed in the Shadow Brokers’ leak. DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) specifically designed to install it. Bemstour exploited two Windows vulnerabilities to achieve remote kernel code execution on targeted computers:
- A Windows zero-day vulnerability (CVE-2019-0703), reported by Symantec to Microsoft in September 2018 and patched on March 12, 2019.
- A second Windows vulnerability (CVE-2017-0143), patched in March 2017 after it was found to have been used by two exploit tools, EternalRomance and EternalSynergy, also released in the Shadow Brokers’ leak.

According to Symantec’s report, “How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown.” Per the report, Buckeye had been active since at least 2009, when it began mounting a string of espionage attacks, mainly against organizations based in the U.S. The group disappeared in mid-2017, and three alleged members were indicted in the U.S. in November 2017. However, the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018, alongside different malware.

The N.S.A. used sophisticated malware, Stuxnet, to destroy Iran’s nuclear centrifuges, and later saw the same code proliferate around the world, doing damage to random targets, including American business giants like Chevron. According to The New York Times, “Details of secret American cybersecurity programs were disclosed to journalists by Edward J. Snowden, a former N.S.A. contractor now living in exile in Moscow. A collection of C.I.A. cyber weapons, allegedly leaked by an insider, was posted on WikiLeaks.” To this, Eric Chien, a security director at Symantec, said, “We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies.” “This is the first time we’ve seen a case — that people have long referenced in theory — of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others,” Mr. Chien said.

The New York Times post mentions, “The Chinese appear not to have turned the weapons back against the United States, for two possible reasons, Symantec researchers said. They might assume Americans have developed defenses against their own weapons, and they might not want to reveal to the United States that they had stolen American tools.” Two NSA employees told The New York Times that after the Shadow Brokers’ leaks of its most highly coveted hacking tools in 2016 and 2017, the NSA turned over its arsenal of software vulnerabilities to Microsoft for patching and also shut down some of its most sensitive counterterrorism operations. “The N.S.A.’s tools were picked up by North Korean and Russian hackers and used for attacks that crippled the British health care system, shut down operations at the shipping corporation Maersk and cut short critical supplies of a vaccine manufactured by Merck. In Ukraine, the Russian attacks paralyzed critical Ukrainian services, including the airport, Postal Service, gas stations and A.T.M.s.”, The New York Times reported.

Michael Daniel, the president of the Cyber Threat Alliance and previously cybersecurity coordinator for the Obama administration, said, “None of the decisions that go into the process are risk-free. That’s just not the nature of how these things work. But this clearly reinforces the need to have a thoughtful process that involves lots of different equities and is updated frequently.” Chien said that in future, American officials will need to factor in the real likelihood that their own tools will boomerang back on American targets or allies.

Some security researchers questioned parts of the report and noted that it lacks corroboration from intelligence sources.

https://twitter.com/RidT/status/1125747510625091585
https://twitter.com/ericgeller/status/1125551150567129089
https://twitter.com/jfersec/status/1125746228195622912
https://twitter.com/GossiTheDog/status/1125754423245004800
https://twitter.com/RidT/status/1125746008577724416

To know more about this news in detail, head over to Symantec’s complete report.
DuckDuckGo proposes “Do-Not-Track Act of 2019” to require sites to respect DNT browser setting

Sugandha Lahoti
07 May 2019
DuckDuckGo, the search engine known for its privacy protection, has proposed draft legislation that would require sites to respect the Do Not Track (DNT) browser setting. Called the “Do-Not-Track Act of 2019”, the legislation would prohibit websites from tracking people who have enabled the DNT signal in their browser. Per a recent study conducted by DuckDuckGo, a quarter of people have turned on this setting, and most were unaware that big sites do not respect it.

The draft defines the signal as follows: “Do-Not-Track Signal” means a signal sent by a web browser or similar User Agent that conveys a User’s choice regarding online Tracking, reflects a deliberate choice by the user, and complies with the latest Tracking Preference Expression (DNT) specification published by the World Wide Web Consortium (W3C).

DuckDuckGo’s proposal comes just days after Google announced more privacy controls for its users. Last week, Google launched a feature that lets users manually delete all or part of their location history and web and app activity data, with a time limit (3 or 18 months) after which activity data is deleted automatically. It does not, however, offer an option to not store history in the first place.

The proposed 'Do-Not-Track Act of 2019' covers the following points:
- No third-party tracking by default. Data brokers would no longer be legally able to use hidden trackers to slurp up your personal information from the sites you visit, and the companies that deploy the most trackers across the web, led by Google, Facebook, and Twitter, would no longer be able to collect and use your browsing history without your permission.
- No first-party tracking outside what the user expects. For example, if you use WhatsApp, its parent company (Facebook) wouldn't be able to use your WhatsApp data in unrelated situations (like advertising on Instagram, also owned by Facebook). As another example, a weather site could give you the local forecast, but not share or sell your location history.
- Exceptions for debugging, auditing, security, non-commercial research, and journalism. Each exception would apply only if a site adopts strict data-minimization practices, meaning it uses the least amount of personal information needed and anonymizes it when possible.
- The restrictions would come into play only if a consumer has turned on the Do Not Track setting in their browser.

For violations of the Do-Not-Track Act of 2019, DuckDuckGo proposes fines of no less than $50,000 and no more than $10,000,000 or 2% of an organization’s annual revenue, whichever is greater. If the act passes into law, sites would be required to cease certain user tracking methods, meaning less data available to inform marketing and advertising campaigns. The proposal is still quite far from becoming law, but presidential candidate Elizabeth Warren’s recent proposal to regulate “big tech companies” may give it a much-needed boost. Twitter users complimented the act.

https://twitter.com/Bendineliot/status/1123579280892538881
https://twitter.com/jmhaigh/status/1123574469950414848
https://twitter.com/n0ahrabbit/status/1123572013153439745

For the full text, download the proposed Do-Not-Track Act of 2019.
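What honouring the signal looks like on the server side, as an added example that is not DuckDuckGo's code or part of the draft act: the DNT request header and the Tk tracking-status response header come from the W3C Tracking Preference Expression specification the draft references; the tracking cookie names and the sample response headers are constructed for this illustration, and the "track unless told otherwise" default models the status quo the article describes, not the act's requirements.

```python
"""Honour the DNT request header per the W3C Tracking Preference Expression (TPE).

Added example, not DuckDuckGo's or the draft act's code. Per TPE, 'DNT: 1'
means the user does not want to be tracked, 'DNT: 0' means the user has given
consent, and no (or any other) value means no preference was expressed. The
'Tk' response header reports the tracking status: 'N' not tracking,
'C' tracking with consent, 'T' tracking.
"""

# Cookies that exist only to track the user across requests (assumed names).
TRACKING_COOKIES = {"_ga", "_fbp", "ad_id"}

# Constructed sample response, as a WSGI app would produce it.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "_ga=GA1.2.1234; Path=/"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]


def _get_header(headers, name):
    """Case-insensitive lookup in a dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def dnt_preference(request_headers):
    """Return 'opt-out', 'consent' or 'unset' from the DNT request header."""
    value = _get_header(request_headers, "DNT")
    if value is None:
        return "unset"
    value = value.strip()
    if value == "1":
        return "opt-out"
    if value == "0":
        return "consent"
    return "unset"  # malformed signal: treat as no expressed preference


def cookie_name(set_cookie_value):
    """'name=value; Path=/; HttpOnly' -> 'name'."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def apply_dnt(request_headers, response_headers, tracking_cookies=TRACKING_COOKIES):
    """Filter a response according to the user's DNT preference.

    response_headers is a list of (name, value) pairs. Returns the filtered
    list with a TPE 'Tk' status header appended. Without a signal the site in
    this example tracks by default (status quo), which is what the draft act
    leaves in place when DNT is off.
    """
    pref = dnt_preference(request_headers)
    filtered = []
    for name, value in response_headers:
        if name.lower() == "tk":
            continue  # replaced by the status computed below
        if (pref == "opt-out" and name.lower() == "set-cookie"
                and cookie_name(value) in tracking_cookies):
            continue  # drop tracking cookies for users who opted out
        filtered.append((name, value))
    status = {"opt-out": "N", "consent": "C", "unset": "T"}[pref]
    filtered.append(("Tk", status))
    return filtered


if __name__ == "__main__":
    for header in apply_dnt({"DNT": "1"}, SAMPLE_RESPONSE):
        print(header)
```

Only cookies whose sole purpose is tracking are dropped; the session cookie survives because opting out of tracking must not break the site's own functionality.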
DockerHub database breach exposes 190K customer data including tokens for GitHub and Bitbucket repositories

Savia Lobo
30 Apr 2019
On Friday, Docker Hub informed its users, via an email from Kent Lamb, Director of Docker Support, of a security breach in one of its databases. The breach exposed sensitive information, including some usernames and hashed passwords as well as tokens for GitHub and Bitbucket repositories, for approximately 190K users, which the company said is about five percent of Docker Hub's user base. Lamb said the company had discovered the incident a day earlier, on April 25: unauthorized access to a single Hub database storing a subset of non-financial user data.

"For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place," Lamb said in the email.

The GitHub and Bitbucket access tokens stored in Docker Hub allow developers to modify their project's code and to auto-build images on Docker Hub. A third party who obtains these tokens gains access to the code in private repositories and, depending on the permissions granted to the token, can modify it. Misusing the tokens to modify code and deploy compromised images can lead to serious supply-chain attacks, as Docker Hub images are commonly used in server configurations and applications. “A vast majority of Docker Hub users are employees inside large companies, who may be using their accounts to auto-build containers that they then deploy in live production environments. A user who fails to change his account password may have their account's autobuilds modified to include malware”, ZDNet reports.

The company has asked users to change their password on Docker Hub and on any other accounts that shared the same password.

Commenting on the exposure, a post on Microsoft's website says, “While initial information led people to believe the hashes of the accounts could lead to image:tags being updated with vulnerabilities, including official and microsoft/ org images, this was not the case. Microsoft has confirmed that the official Microsoft images hosted in Docker Hub have not been compromised.”

Docker said it is enhancing its overall security processes, is still investigating the incident, and will share details when available. A user on Hacker News commented, “I find it frustrating that they are not stating when exactly did the breach occur. The message implies that they know, due to the "brief period" claim, but they are not explicitly stating one of the most important facts. No mention in the FAQ either. I'm guessing that they are either not quite certain about the exact timing and duration, or that the brief period was actually embarrassingly long.”

https://twitter.com/kennwhite/status/1122117406372057090
https://twitter.com/ewindisch/status/1121998100749594624
https://twitter.com/markhood/status/1122067513477611521

To know more about this news, head over to the official Docker Hub post.
Stripe updates its product stack to prepare European businesses for SCA-compliance

Bhagyashree R
26 Apr 2019
On Tuesday, Stripe, the online payments platform provider, announced that it has upgraded its products to comply with Strong Customer Authentication (SCA) under the second Payment Services Directive (PSD2). The announcement comes just after Stripe confirmed that it has acquired Touchtech Payments, a Dublin-based payments start-up that provides SCA-compliant authentication technology for Europe's fintechs and challenger banks, such as N26 and TransferWise.

From 14 September 2019, online payments in Europe will be required to comply with SCA, a new European regulation introduced to reduce fraud and make online payments safer. It applies to customer-initiated online payments within Europe, which includes most card payments and all bank transfers. To be SCA compliant, a payment flow must include an additional authentication step that uses at least two of the following three factors:
- Something the customer knows, like a password or PIN
- Something the customer has, like a phone or hardware token
- Something the customer is, like a fingerprint or face recognition

Making online payment platforms compliant with this regulation will not be an easy task for individual banks and payment providers across Europe, and an extra authentication step can add friction to payments and hurt the user experience. To ease this, the Stripe platform will take on the responsibility of analyzing each transaction to determine whether additional authentication is required and, if so, authenticating it with the appropriate technology. Updates are made in the following products:

The Payment Intents API: This new API enables businesses to build SCA-compliant, fully customized, dynamic payment flows. It tracks the state of a payment and triggers additional authentication when needed.

Upgraded Stripe Checkout: Stripe Checkout, a smart payments page, lets businesses start accepting payments with just a few lines of code. The latest version dynamically detects when SCA is required and triggers authentication when necessary. Dynamic 3D Secure provides an additional layer of authentication for credit card transactions.

3D Secure 2 support: Stripe supports 3D Secure 2 on the new Payment Intents API and on Checkout. 3D Secure 2 aims to address the limitations of 3D Secure 1 by introducing “less disruptive authentication and better user experience.” With this authentication process, businesses and their payment providers can send more data elements on each transaction to the cardholder’s bank, such as the shipping address, the customer’s device ID, or previous transaction history. The cardholder’s bank can then use this data to assess the risk level of the transaction and respond appropriately.

Upgraded Stripe Billing: Billing makes recurring billing smoother for SaaS and subscription-based companies. Along with SCA compliance, the company announced that the product is now available to all businesses in Europe. Tara Seshan, product manager for Stripe Billing, said in a press release, “With Stripe Billing, companies of all sizes now have access to advanced invoicing tools that will also help them comply with SCA and VAT requirements.”

In the next few weeks, the company plans to roll out tools in the Stripe Dashboard for businesses already using Stripe to get them ready for SCA. Read the official announcement on Stripe’s website.
EU parliament votes to amass the largest biometric database on earth

Fatema Patrawala
23 Apr 2019
The EU parliament voted last week to develop what is being described as the largest biometric database on earth. Once created, the database will connect the systems used by various border control, migration and law enforcement agencies into a single gigantic searchable database covering both EU and non-EU citizens. The new database, called the Common Identity Repository (CIR), will unify records of over 350 million people.

What’s the purpose of the Common Identity Repository?

The CIR will streamline a number of operations, bringing together information that is highly distributed, and even siloed, into one place. Officials will only need to search a single database rather than several. But accessibility is only one element: it also brings together layers of biometric information such as fingerprints and faces, and personal data like passport numbers. According to Politico Europe, the new system “will grant officials access to a person’s verified identity with a single fingerprint scan.”

The multifaceted nature of the system is reflected in the way it was approved by the European Parliament, in two separate votes: one for merging the systems used for visas and borders, approved 511 to 123 (with nine abstentions), and one for streamlining the systems used for law enforcement, judicial, migration and asylum matters, approved 510 to 130 (also with nine abstentions). EU officials stated last week that "The systems covered by the new rules would include the Schengen Information System, Eurodac, the Visa Information System (VIS) and three new systems: the European Criminal Records System for Third Country Nationals (ECRIS-TCN), the Entry/Exit System (EES) and the European Travel Information and Authorisation System (ETIAS)".

Criticism of the Common Identity Repository

The plan has come in for serious criticism from those who argue that serious privacy rights are at stake. The civil liberties advocacy group Statewatch asserted last year that it would lead to the “creation of a Big Brother centralised EU state database” and called CIR “the point of no return”. The European Parliament says “the system will make EU information systems used in security, border and migration management interoperable, enabling data exchange between the systems.” Critics also argue that once up and running, CIR will be one of the biggest people-tracking databases in the world, behind only the systems used by the Chinese government and India's Aadhaar system.

https://twitter.com/fs0c131y/status/1120374735693598720
Liz Fong-Jones on how to secure SSH with Two Factor Authentication (2FA)

Savia Lobo
22 Apr 2019
Over the weekend, Liz Fong-Jones, a Developer Advocate at honeycomb.io, posted an account of the security hardening of honeycomb.io’s infrastructure. In her post, on GitHub, Liz explains how SSH keys, which authenticate users to hosts, are exposed to threats that are easy to overlook. Adding a passphrase makes private keys resistant to theft at rest. When the keys are in use, however, the usability cost of re-entering the passphrase on every connection means that “engineers began caching keys unencrypted in memory of their workstations, and worse yet, forwarding the agent to allow remote hosts to use the cached keys without further confirmation”.

The Matrix breach of April 11 shows what happens when authenticated sessions are allowed to propagate this way, with no confirmation from the user in the loop: the intruder had access to the production databases, potentially giving them access to unencrypted message data, password hashes, and access tokens.

Liz describes two primary ways of preventing an attacker from misusing credentials:
- Using a separate device that generates, from a shared secret, numerical codes that the user transfers out of band and enters alongside the key.
- Having a separate device perform all the cryptography, and only when physically authorized by the user.

In her post, Liz asks, “What will work for a majority of developers who are used to simply loading their SSH key into the agent at the start of their login session and SSHing everywhere?” and shares her work on how to avoid these threats. One prerequisite she states up front: “I'm assuming that you have a publicly exposed bastion host for each environment that intermediates accesses to the rest of each environment's VPC, and use SSH keys to authenticate from laptops to the bastion and from the bastion to each VM/container in the VPC”.

As a preliminary step, the user should start by enabling numerical time-based one-time passwords (TOTP) for SSH authentication. A malicious host could still impersonate the real bastion (if strict host checking isn't on), intercept the OTP, and use it to authenticate to the real bastion, but, as Liz puts it, “it's better than being wormed or compromised because you forgot to take basic measures against even a passive adversary”. After the server and client setup, Chef is used to populate /etc/2fa_token_keys with keys that are generated and stored securely.

The post then covers several client setups:
- Mac client setup: users with Touch Bar Macs should use Touch ID to authenticate logins, as they'll have their laptop and their fingers with them anyway. For instance, SeKey is an SSH agent that lets users authenticate to UNIX/Linux SSH servers using the Secure Enclave.
- Krypt.co setup for iOS and Android: with krypt.co, instead of generating OTPs and sending them over manually, the mobile device securely stores the SSH key and only remotely authorizes its use (sending the signed challenge to the remote server) with a single tap. This is even more secure than a TOTP app, as long as the user supplies the parameters that force hardware coprocessor storage (NIST P-256 for iOS, and 3072-bit RSA for Android, on new enough devices). Make sure people use screen locks!
- YubiKey hardware token and Linux/ChromeOS client setup, which Liz also explores in the post.

To know more about this and how to set it up in detail, read Liz’s GitHub post.
WannaCry hero, Marcus Hutchins pleads guilty to malware charges; may face upto 10 years in prison

Fatema Patrawala
22 Apr 2019
Marcus Hutchins, who authors the popular blog MalwareTech, and a British security researcher has pleaded guilty today to writing malware in the years prior to his prodigious career as a malware researcher. Marcus posted a statement on his website and on his Twitter feed too, "I regret these actions and accept full responsibility for my mistakes. Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks." https://twitter.com/MalwareTechBlog/status/1119322882578866176 Marcus was virtually unknown to most in the security community until May 2017 when the UK media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before. In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. Hutchins has been barred from leaving the United States since he was arrested. The plea agreement of Marcus is here. “Attachment A” on page 15 outlines the case against Hutchins and an alleged co-conspirator. It further reads that in between July 2012 and Sept. 2015, Hutchins helped create and sell Kronos and a related piece of malware called UPAS Kit. Many of Hutchins’ supporters and readers had trouble believing the charges against him, and in response KrebsOnSecurity published a detailed investigation into activities tied to his various online personas over the years. As per the report, the clues suggested Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror. Nevertheless, there were a number of indications that Hutchins’ alleged malware activity continued into his adulthood. 
Up to 10 years in prison

According to court documents obtained by ZDNet, Hutchins pleaded guilty to two counts, and the government agreed to drop the other eight. He pleaded guilty to entering a conspiracy to create and distribute malware, and to aiding and abetting its distribution. For each count, Hutchins will face up to five years in prison, $250,000 in fines, and one year of supervised release.

According to ZDNet, Marcus was charged with working with a co-conspirator identified as "Vinny," "VinnyK," and "Aurora123" to advertise and sell the two malware strains online. This started somewhere between July 2012 and September 2015, before Hutchins was recognized as a talented security researcher. ZDNet further explains that creating malware is a form of protected speech in the United States, but selling and disseminating it is another matter. Orin Kerr, a law professor at the University of Southern California, gives a detailed explanation in his 2017 dissection of the government’s charges on the Washington Post website.

The charges against Marcus are likely to be tempered by federal sentencing guidelines, and may take into account the detention time already served. It still remains unclear when he will be sentenced. After the arrest, Hutchins was released on bail and has been living in Los Angeles awaiting trial. He started sharing his malware analysis skills with the information security (infosec) community when he was prohibited from working for his employer. Hutchins is considered one of the most talented security researchers, and this news comes as a huge loss for the infosec community.

https://twitter.com/JRoosen/status/1119342458809331713

Update on 26th July from ZDNet

ZDNet on Friday reported that the US legal case against Marcus Hutchins, who helped stop the WannaCry ransomware outbreak, has come to an end. He was sentenced in the US to time served and one year of supervised release.
The UK-born malware analyst avoids prison time in a case that the judge described as having "too many positives on other side of ledger", referring to Hutchins' role in the WannaCry ransomware outbreak and his work as a malware analyst. Read the full story on ZDNet's blog post.

Bhagyashree R
22 Apr 2019
3 min read

Hacker destroys Iranian cyber-espionage data; leaks source code of APT34’s hacking tools on Telegram

On Wednesday, ZDNet reported that a hacker using the online name Lab Dookhtegan had leaked a set of hacking tools belonging to an Iranian espionage group, often identified as APT34, OilRig, or HelixKitten, on Telegram. The leaks started somewhere in mid-March and included sensitive information, mostly consisting of usernames and passwords.

https://twitter.com/campuscodi/status/1118656431069302795

ZDNet became aware of this hack when a Twitter user DMed them some of the same files that were leaked on Telegram. Though this Twitter user claimed to have worked on the group’s DNSpionage campaign, ZDNet believes it is also possible that they are a member of a foreign intelligence agency trying to hide their real identity. ZDNet’s assumption is that the Twitter user could be the same person behind the Telegram Lab Dookhtegan persona.

The hacker leaked the source code of six hacking tools: Glimpse, PoisonFrog, HyperShell, HighShell, Fox Panel, and Webmask. Many cyber-security experts, including Chronicle, Alphabet's cyber-security division, confirmed the authenticity of these tools. Along with these tools, the hacker also leaked the content of several active backend panels where victim data had been collected. Chronicle confirmed to ZDNet that the hacker has leaked data of 66 victims, mainly from countries in the Middle East. This data was collected from both government agencies and private companies. The hacker also leaked data from APT34’s past operations, sharing the IP addresses and domains where the group hosted web shells and other operational data.

Besides leaking the data and the source code of the hacking tools, the hacker also made public personal information of Iranian Ministry of Intelligence officers involved with APT34 operations, including phone numbers, images, and names. The hacker admitted on the Telegram channel that he has destroyed the control panels of APT34’s hacking tools and wiped their servers clean.
So, now the Iranian espionage group has no choice other than starting over. Going by the leaked documents, it seems that Dookhtegan also had some grudge against the Iranian Ministry of Intelligence, which he called "cruel," "ruthless" and "criminal".

Source: ZDNet

Now, several cyber-security firms are analyzing the leaked data. In an email to ZDNet, Brandon Levene, Head of Applied Intelligence at Chronicle, said, "It's likely this group will alter their toolset in order to maintain operational status. There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use."

To know about this story in detail, visit ZDNet.

Amrata Joshi
18 Apr 2019
2 min read

Integer overflow flaw in libssh2 identified

This week, the National Vulnerability Database (NVD) identified an integer overflow flaw in libssh2 before version 1.8.1 which could lead to an out-of-bounds write. A remote attacker could take advantage of this flaw to compromise an SSH server and execute code on the client system when a user connects to the server.

Impact of the flaw in libssh2

The Common Vulnerability Scoring System (CVSS) base score, a numerical score that reflects the severity of a flaw, calculated by the team who identified the flaw is 8.8, which is high. The overall impact score calculated by the team is 5.9, and the exploitability score is 2.8. The team also identified that the attack vector was network and the attack complexity was low.

Security issues fixed by the team

  • CVE-2019-3861: The team fixed out-of-bounds reads with SSH packets.
  • CVE-2019-3862: The team fixed the issues related to out-of-bounds memory with the message channel request packet.
  • CVE-2019-3860: The team fixed out-of-bounds reads with SFTP packets.
  • CVE-2019-3863: The team fixed the integer overflow in user authenticate keyboard which could allow out-of-bounds writes with keyboard responses.
  • CVE-2019-3856: The team fixed the issues related to a potential integer overflow in keyboard handling which could allow an out-of-bounds write with payload.
  • CVE-2019-3859: The team fixed the issues with out-of-bounds reads with payloads because of unchecked use of _libssh2_packet_require and _libssh2_packet_requirev.
  • CVE-2019-3855: The team fixed a potential integer overflow in transport read which could allow an out-of-bounds write with a payload.
  • CVE-2019-3858: The issues with the zero-byte allocation have been fixed, which could lead to an out-of-bounds read with an SFTP packet.

To know more about this news, check out NVD’s post.
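The bug class behind the integer-overflow entries above (a length computation that wraps before the bounds check, so a later copy writes out of bounds), shown as an added example that is not libssh2's code: a constructed decoder for a length-prefixed string field, with the wrapping check beside a hardened one. Function names and the sample packets are assumptions made up for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not libssh2 code. An SSH-style string field is
 * a 4-byte big-endian length followed by that many bytes. A decoder must
 * confirm the declared length fits in the packet before copying, and that
 * confirmation must not itself wrap around in 32-bit arithmetic. */

static uint32_t read_u32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Flawed pattern: "header plus declared length must fit in the remaining
 * bytes", computed as declared_len + 4 in uint32_t. For a hostile length
 * of 0xFFFFFFFE the sum wraps to 2, the check passes, and the copy that
 * follows would write far past the destination buffer. */
int length_check_unsafe(uint32_t declared_len, uint32_t remaining)
{
    uint32_t needed = declared_len + 4;   /* wraps for large declared_len */
    return needed <= remaining;
}

/* Hardened pattern: account for the header first so that no addition can
 * overflow; the subtraction is guarded against underflow. */
int length_check_safe(uint32_t declared_len, uint32_t remaining)
{
    if (remaining < 4)
        return 0;                          /* not even a full header */
    return declared_len <= remaining - 4;  /* cannot wrap */
}

/* Decodes one string field into dst using the safe check. Returns the
 * number of payload bytes copied, or -1 for a malformed or oversized field. */
long decode_string(const uint8_t *pkt, size_t pkt_len,
                   uint8_t *dst, size_t dst_len)
{
    if (pkt_len < 4 || pkt_len > UINT32_MAX)
        return -1;
    uint32_t declared = read_u32be(pkt);
    if (!length_check_safe(declared, (uint32_t)pkt_len))
        return -1;                         /* claims more than the packet holds */
    if (declared > dst_len)
        return -1;                         /* caller's buffer is too small */
    memcpy(dst, pkt + 4, declared);
    return (long)declared;
}

/* Constructed sample packets (assumed inputs, not captured traffic). */
static const uint8_t GOOD_PKT[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t EVIL_PKT[] = { 0xFF, 0xFF, 0xFF, 0xFE, 'x', 'x', 'x', 'x' };

/* Well-formed field: decodes 5 payload bytes. */
long demo_good_packet(void)
{
    uint8_t buf[16];
    return decode_string(GOOD_PKT, sizeof GOOD_PKT, buf, sizeof buf);
}

/* Hostile length: returns 1 when the flawed check would have accepted the
 * field while the hardened decoder rejects it. */
int demo_hostile_length_is_caught(void)
{
    uint8_t buf[16];
    uint32_t declared = read_u32be(EVIL_PKT);
    int unsafe_accepts = length_check_unsafe(declared, (uint32_t)sizeof EVIL_PKT);
    long safe_result = decode_string(EVIL_PKT, sizeof EVIL_PKT, buf, sizeof buf);
    return unsafe_accepts && safe_result == -1;
}

int main(void)
{
    printf("good packet decoded %ld bytes\n", demo_good_packet());
    printf("hostile length caught: %s\n",
           demo_hostile_length_is_caught() ? "yes" : "no");
    return 0;
}
```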
Bhagyashree R
16 Apr 2019
2 min read

Keybase’s new proof system is now available for all Mastodon servers

Last week, Mastodon 2.8, a self-hosted social media service, shipped with Keybase’s brand new proof system. Yesterday, the team behind Keybase announced that this new proof system is now available for all Mastodon servers. With this update, any community will be able to cryptographically connect their profiles to Keybase.

https://twitter.com/malgorithms/status/1117888468544147456

Keybase is a free security app for groups, communities, families, and friends with which you can affirm your identity across the web. At its core, Keybase is a key directory that maps social media identities to encryption keys. Users can also have encrypted conversations with Keybase’s end-to-end chat service, Keybase Chat.

With Keybase, users can prove a “link” between online identities, such as a Twitter or Reddit account, and their encryption keys. So, instead of relying on a system like OAuth, identities are proven by posting a signed statement on the account a user wants to prove ownership of. For instance, a user just needs to enter their Twitter handle in the Keybase app, following which a signed tweet is generated and sent to Twitter. Once the tweet is posted, the user returns to the Keybase app. This mechanism makes identity proofs publicly verifiable instead of having to trust that the service is truthful.

Though this method is quick and easy, it does have some limitations. The Keybase app automatically generates the verification tweet, which users are expected to post. However, the user can edit these tweets. The Keybase team has now updated the proof system, which solves this problem. When a user claims on Keybase that they are a user on a site, they are redirected to that particular site. The verification is then completed in just two steps:

Source: Keybase

The site will then show the following row, signaling that the user is verified:

Source: Keybase

To read the full announcement, visit Keybase’s official website.

Savia Lobo
15 Apr 2019
2 min read

Microsoft reveals certain Outlook.com user accounts were hacked for months

On Saturday, Microsoft confirmed to TechCrunch that their email services were hacked from January 1, 2019, till March 28, 2019. Microsoft told TechCrunch, “Certain ‘limited’ number of people who use web email services managed by Microsoft—which cover services like MSN and Hotmail—had their accounts compromised.” “We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access”, a Microsoft spokesperson said in an email.

Following this, Microsoft sent out an email to all the affected users stating that hackers were potentially able to access an affected user’s e-mail address, folder names, the subject lines of e-mails, and the names of the other e-mail addresses the user communicates with. However, they were not able to access the content of any e-mails or attachments, or login credentials like passwords. Microsoft recommended that the affected users reset their account password.

https://twitter.com/jason_koebler/status/1117557557051166721

According to the letter from Microsoft to affected users, the hackers got into the system by compromising a customer support agent’s credentials. Once identified, those credentials were disabled. Microsoft informed the users that it didn’t know what data was viewed by the hackers or why, but cautioned that users might, as a result, see more phishing or spam emails. “You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source”, the letter mentioned.

To know more about this news, head over to TechCrunch.

Sugandha Lahoti
12 Apr 2019
6 min read

Will Facebook enforce its updated “remove, reduce, and inform” policy to curb fake news and manage problematic content?

Facebook announced updates to its “remove, reduce, and inform” strategy to better control “problematic” content and fake news across Facebook, Instagram, and Messenger. No new tools or updates have been announced for WhatsApp. By problematic content, they mean content that is inappropriate but does not violate their community guidelines, whose spread they intend to reduce. Similarly, for Instagram, the company is reducing the spread of posts that are inappropriate but do not go against Instagram’s Community Guidelines. These posts will not be recommended on the Explore and hashtag pages but can still appear in your feed if you follow the account that posts them. For instance, the company adds, “a sexually suggestive post will still appear in Feed but may not appear for the broader community in Explore or hashtag pages.”

They disclosed this news to a small group of journalists at an event organized at Menlo Park on Wednesday. “This strategy”, Facebook said, “applies not only during critical times like elections but year-round.”

Last week, WhatsApp introduced a 'Checkpoint Tipline' feature in India to verify messages during the election. "Launched by PROTO, an India-based media skilling startup, this tip line will help create a database of rumors to study misinformation during elections for Checkpoint," Facebook said in a statement. However, the tool turned out to be more for research purposes than for debunking fake news, as reported in an investigation led by BuzzFeed News. Per BuzzFeed, FAQs uploaded on the PROTO website suggest it’s just meant for research purposes.

Increasing overall product integrity

Facebook has rolled out a Community Standards site where people can track the updates Facebook makes each month. All policy changes will be visible to the public, with specifics on some on why they made a certain change. Facebook Groups admins will be held more accountable for Community Standards violations.
Facebook will be looking at admin and moderator content violations in a group when deciding whether or not to take it down. They will also treat approved member posts as a stronger signal that the group violates Facebook's standards. This feature is also released globally. A new Group Quality feature will provide an overview of content removed and flagged for most violations. It will also have a section for false news found in the group. This initiative is going to start globally in the coming weeks.

They are also expanding their third-party collaborations for news flagging and fact-checking by including The Associated Press in the third-party fact-checking program. AP will be debunking false and misleading video misinformation and Spanish-language content appearing on Facebook in the US. Surprisingly, fact-checking by AP has not been added as a feature globally. India is Facebook’s largest market and is also conducting its national elections over this month and the next. Current fact-checking agencies in India include AFP India, Boom, Fact Crescendo, Factly, India Today Fact Check, Newsmobile Fact Checker, and Vishvas.News. Facebook has made the admin and moderator policies as well as the Group Quality feature available globally, but not the AP inclusion.

Read also: Ahead of Indian elections, Facebook removes hundreds of assets spreading fake news and hate speech, but are they too late?

If a Facebook group is found to repeatedly share misinformation that has been rated false by independent fact-checkers, Facebook will reduce that group’s overall News Feed distribution. Interestingly, they have not suspended these groups, as they only remove or suspend content that “violates their policies”, even if it’s deemed inappropriate. A new “Click-Gap” signal will be incorporated into News Feed ranking so that people see less low-quality content in their News Feed.
Per Facebook, “This new signal, Click-Gap, relies on the web graph, a conceptual “map” of the internet in which domains with a lot of inbound and outbound links are at the center of the graph and domains with fewer inbound and outbound links are at the edges. Click-Gap looks for domains with a disproportionate number of outbound Facebook clicks compared to their place in the web graph. This can be a sign that the domain is succeeding on News Feed in a way that doesn’t reflect the authority they’ve built outside it and is producing low-quality content.”

Specifically for Facebook and Messenger apps

The Context Button feature is now added to images to provide people with more background information about the publishers and articles they see in News Feed. Facebook is testing this feature for images that have been reviewed by third-party fact-checkers. Trust Indicators are also added to the Context Button to provide a publication’s fact-checking practices, ethics statements, corrections, ownership and funding, and editorial team. They are created by a consortium of news organizations known as the Trust Project. This feature started in March 2019 on English and Spanish content. Facebook will also be adding more information to the Page Quality tab, starting with info on a Page’s status with respect to clickbait. Facebook will also allow people to remove their posts and comments from a group after they leave the group.

For Messenger

The Verified Badge is now officially a part of Messenger as a visible indicator of a verified account. There is also the inclusion of Messaging Settings and an updated Block feature for greater control. Messenger also has a Forward Indicator and Context Button to help prevent the spread of misinformation. The Forward Indicator lets someone know if a message they received was forwarded by the sender, while the Context Button provides more background on shared articles.
What’s distressing is that there is a significant gap between the policy update and the actual implementation of Facebook’s practices. Facebook continues to host Laura Loomer's inciting content on Instagram even after it was flagged, saying it does not violate their standards. Laura Loomer is an anti-Muslim conservative activist who published alarming posts that could potentially incite violence against Muslim congresswoman Ilhan Omar.

https://twitter.com/letsgomathias/status/1116461347259256832

https://twitter.com/justinhendrix/status/1116501676456910849
Savia Lobo
11 Apr 2019
3 min read

FireEye reports infrastructure-crippling Triton malware linked to Russian government tech institute

Yesterday, FireEye said that they have uncovered the hacking group behind the Triton malware, which was recently used to impact an unnamed “critical infrastructure” facility. This malware is designed to penetrate the target’s networks and sabotage their industrial control systems, the systems used in power plants and oil refineries to control the operations of the facility. The Triton malware attack first occurred in August 2017, when it was used against a petrochemical plant owned by Tasnee in Saudi Arabia. Researchers believe that the operators of this attack must have been active since 2014. FireEye also believes the Triton attack to be linked to a Russian government-owned technical research institute in Moscow.

Triton, also known as Trisis, has been specifically engineered to target a specific type of industrial control system (ICS), namely the Triconex safety instrumented system (SIS) controllers developed by Schneider Electric. FireEye’s first analysis of Triton after the 2017 attack was, “malicious actors used Triton to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown.”

FireEye has also released a report which explains the custom information technology tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle. “The information in this report is derived from multiple TRITON-related incident responses carried out by FireEye Mandiant”, the researchers state in their blog. According to the FireEye report, the threat actor leveraged different custom and commodity intrusion tools, including SecHack, NetExec, WebShell, and more. “The actor's custom tools frequently mirrored the functionality of commodity tools and appear to be developed with a focus on anti-virus evasion. The group often leveraged custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion (e.g., they switched to custom backdoors in IT and OT DMZ right before gaining access to the engineering workstation)”, the researchers mentioned in their report.

The report further mentions, “After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining a presence in the target environment.”

The actors also used several other obfuscation methods, including:

  • Renaming their files to make them look like legitimate files;
  • Planting webshells on the Outlook Exchange servers;
  • Relying on encrypted SSH-based tunnels to transfer tools and for remote command execution;
  • Routinely deleting dropped attack files, execution logs, and other files;
  • Using multiple staging folders and directories that are rarely used by legitimate users or processes.

To know more about this report in detail, read FireEye’s complete report on the Triton attack.

Natasha Mathur
11 Apr 2019
3 min read

Facebook discussions with the EU resulted in changes of its terms and services for users

Earlier this week, Facebook updated its terms and services after discussions with the European Commission and consumer protection authorities. Facebook will now clearly explain how it leverages users' data to create “profiling activities and target advertising”, which in turn helps it make money. As per the new terms and services, Facebook will have to provide details on:

  • the services it sells to third parties based on the user's data;
  • how consumers can close their accounts, and for what reasons a user's account can be disabled;
  • the nature of the research activities conducted by Facebook itself or with third-party business partners;
  • reducing the number of clauses in the contract that are applied to a user’s account even after the termination of the account. Facebook will also inform consumers of these cases.

The new terms of service are aimed at providing full disclosure of Facebook's business model to users in understandable and plain language. This is great, since a new Adtech Market research report by the Information Commissioner’s Office states that 61% of users disagree that they’d prefer to see adverts on websites that are relevant to them, while 59% feel that they have no control over which advertisements are shown to them. Hopefully, as more users are made aware of what goes on behind social media advertising, we can expect to see a drop in these numbers.

"Today Facebook finally shows commitment to more transparency and straight forward language in its terms of use... Now, users will clearly understand that their data is used by the social network to sell targeted ads..”, said Vera Jourová, Commissioner for Justice, Consumers and Gender Equality.

As per the statement from the European Union, after the Cambridge Analytica scandal Facebook was requested to clearly inform its users how it is financed and what revenues it makes leveraging users’ data. Facebook was also requested to align its terms of service with EU consumer law.
Apart from that, Facebook has also changed:

  • its policy on the limitation of liability, and it acknowledges its responsibility in case of negligence (e.g. data mishandling by third parties);
  • its power to unilaterally change terms and conditions, by limiting it to cases where the changes are reasonable;
  • the rules around temporary retention of content that has been deleted by consumers. Such content can only be retained in a few cases (e.g. in compliance with an enforcement request by an authority);
  • the language clarifying users' right to appeal when their content has been removed.

The EU states that Facebook will complete the implementation of all commitments by the end of June 2019. Also, the Commission and the Consumer Protection Cooperation network will closely monitor the implementation. In case Facebook fails to fulfill its commitments, national consumer authorities would then resort to enforcement measures, including sanctions. For more information, check out the official updated Facebook terms of service.