Tech News - Security

Yesterday the team at Mozilla announced that the company is receiving hundreds of bug reports and feature requests from Firefox users on a daily basis. The team noted that it’s important to get the bugs fixed as soon as possible for the smooth functioning of the systems. Also, the developers should quickly come to know that there is a bug in order to fix it. Bug triage, a process where tracker issues are screened and prioritised can be useful in such cases. However, even when developers come to know that bugs exist in the system, it is still difficult for the developers to closely look at each bug. The team at Mozilla has been using Bugzilla since years now which is a web-based general-purpose bugtracker and testing tool that group the bugs by product. But product assignment or the grouping process was done manually by the developers so this process failed to scale. Now Mozilla is experimenting with Machine Learning to train systems to triage bugs. BugBug It’s important to get the bugs in the eye of the right set of engineers, for which the team at Mozilla developed BugBug, a machine learning tool that assigns a product and component automatically for every new untriaged bug. By bringing the bugs into the radar of the triage owners, the team at Mozilla has made an effort towards decreasing the turnaround time to fix new issues. Training the BugBug model Mozilla has a large training set of data for this model which includes two decades worth of bugs that have been reviewed by Mozillians and assigned to products and components. The bug data can’t be used as-is and any change to the bug after triage would create trouble during operation. So the team at Mozilla rolled back the bug to the time it was originally filed. Out of 396 components, 225 components had more than 49 bugs filed in the past 2 years. During operation, the team performed the assignment when the model was confident enough of its decision and currently, the team is using a 60% confidence threshold. Ever since the team has deployed BugBug in production at the end of February 2019, they have triaged around 350 bugs. The median time for any developer to act on triaged bugs is 2 days. Usually, 9 days is the average time to act, but with BugBug the Mozilla team took just 4 days to remove the outliers. Mozilla plans to use Machine learning in the future The Mozilla team has planned to use machine learning to assist in other software development processes, such as identifying duplicate bugs, providing automated help to developers, and detecting the bugs important for a Firefox release. The team plans to extend BugBug to automatically assign components for other Mozilla products. To know more about this news, check out the post by Mozilla. Mozilla is exploring ways to reduce notification permission prompt spam in Firefox Mozilla launches Firefox Lockbox, a password manager for Android Mozilla’s Firefox Send is now publicly available as an encrypted file sharing service  

Last year, the company announced about adopting an approach to anti-tracking considering user data privacy. The company listed a few key initiatives mitigating harmful practices like fingerprinting and cryptomining. Yesterday, Mozilla announced that it is adding a new feature to protect its users against threats and web annoyances in future releases of Firefox. This new feature is available in the beta version of Firefox 67, and the nightly version of Firefox 68. They will be available in the stable release of Firefox in a few weeks. Mozilla has also added a feature to block fingerprinting and cryptomining in Firefox Nightly as an option for users to turn on. The cryptomining and fingerprinting blocks work similar to anti-tracking blocks in current versions of Firefox. Fingerprinting and crypto mining scripts A variety of “fingerprinting” scripts are embedded invisibly on many web pages to harvest a snapshot of users’ computer configuration. These scripts further build a digital fingerprint that can be used for tracking users across the web, even if the user has cleared the cookies. Fingerprinting thus violates Firefox’s anti-tracking policy. Cryptominers is another category of scripts that run costly operations on users’ web browser without the knowledge or consent of the users. It further uses the power of the user’s CPU to generate cryptocurrency for someone else’s benefit. These scripts slow down the computer speed and the drain battery which affects the electric bill. Firefox’s move towards blocking these scripts To overcome these threats, Mozilla has announced new protections against fingerprinters and cryptominers. The company has collaborated with Disconnect and have compiled the list of domains that serve fingerprinting and cryptomining scripts. Cryptomining and fingerprinting blocks have been disabled by default for now but users can activate them in a couple of clicks in the browser settings under “Privacy & Security.” Mozilla has given an option to users option in the latest Firefox Nightly and Beta versions for blocking both kinds of scripts as part of their Content Blocking suite of protections. The team at Mozilla will be testing these protections in the coming months. To know more about this news, check out the official announcement by Mozilla. Mozilla is exploring ways to reduce notification permission prompt spam in Firefox Mozilla launches Firefox Lockbox, a password manager for Android Mozilla’s Firefox Send is now publicly available as an encrypted file sharing service  

Two U.S. Senators, namely  Mark R. Warner (D-VA) and Deb Fischer (R-NE), introduced a bill yesterday, to ban large online platforms ( with over 100 million monthly active users) such as Facebook and Twitter from tricking its consumers into handing over their personal data. The bill, named, the Deceptive Experiences To Online Users Reduction (DETOUR) Act, bipartisan legislation is aimed at prohibiting these platforms from using deceptive user interfaces, called, “dark patterns”. https://twitter.com/MarkWarner/status/1115660831969153025 The term “dark patterns” refers to online interfaces on websites and apps that are specially designed to manipulate users into taking actions they wouldn’t otherwise take under normal circumstances. The design tactics for these patterns are inspired by extensive behavioral psychology research and misleads the users on social media platforms into agreeing to settings and providing data that are advantageous to the company. Forcing the users this way to give up their personal data (contacts, messages, web activity, location), these social media companies gain an unfair advantage over their competitors, which significantly benefits the company. According to Senator Fischer, a member of the Senate Commerce Committee, these dark patterns weaken the privacy policies that involve consent. “Misleading prompts to just click the ‘OK’ button can often transfer your contacts, messages, browsing activity, photos, or location information without you even realizing it. Our bipartisan legislation seeks to curb the use of these dishonest interfaces and increase trust online”.   https://twitter.com/MarkWarner/status/1115660838692642818 https://twitter.com/MarkWarner/status/1115660840575877120 Other examples of dark patterns include a sudden interruption amidst a task repeating until the user agrees to consent and the use of privacy settings that push users to ‘agree’ as the default option. Also, users looking out for more privacy-related options are required to follow a long process that involves clicking through multiple screens. Moreover, sometimes users are not even provided with the alternative option.   As per the DETOUR act: A professional standards body, registered with the Federal Trade Commission (FTC), needs to be created to focus on best practices surrounding user design for large online operators. This association would act as a self-regulatory body and provide updated guidance to the social media platforms.    Segmenting consumers for behavioral experiments is prohibited unless carried out with a consumer’s informed consent. This includes routine disclosures by large online operators (at least once every 90 days) on any behavioral experiments to the public. Also, as per the bill, large online operators would have an internal Independent Review Board to offer oversight on these practices and safeguard consumer welfare. User design intended for compulsive usage among children under the age of 13 years old is prohibited. FTC needs to come out with rules within one year of its enactment and perform tasks necessary surrounding informed consent, Independent Review Boards, and Professional Standards Bodies. Senator Warner has been raising concerns regarding the implications of dark patterns used by social media companies for several years. For instance, in 2014, Sen. Warner asked the FTC to probe into Facebook’s use of dark patterns in an experiment that involved nearly 700,000 users. The experiment focused on the emotional impact of manipulating information on Facebook’s News Feeds. “We support Senators Warner and Fischer in protecting people from exploitive and deceptive practices online. Their legislation helps to achieve that goal and we look forward to working with them”, said Fred Humphries, Corporate VP of U.S. Government Affairs at Microsoft in a press release sent to us. Apart from the DETOUR act,  Sen. Warner is planning to introduce further legislation that will be designed to further improve transparency, privacy, and accountability on social media. Public reaction to the news has been largely positive, with people supporting the senators and new bill: https://twitter.com/tristanharris/status/1115735945393782785 https://twitter.com/joenatoli/status/1115823934132445186 For more information, check out the official DETOUR act bill. US Senators introduce a bill to avoid misuse of facial recognition technology U.S. Senator introduces a bill that levies jail time and hefty fines for companies violating data breaches A brief list of drafts bills in US legislation for protecting consumer data privacy  

It was later last month on 19th March, when Norsk Hydro ASA, a Norwegian and one of the world’s largest aluminum producer firm, had to halt its production due to a cyber attack that impacted its operations across Europe and the U.S. Earlier this week, the firm shared a video on YouTube, highlighting how the employees of Magnor Extrusion in Norway (one of the 160 hydro sites affected by the cyber attack) went out of their way to keep the plant up and running during crucial times. “With a tremendous effort of our colleagues at Magnor, the plant has managed to get production up to 100% of normal production, despite operating in normal mode”, states the video. https://twitter.com/NorskHydroASA/status/1110981944513388544 Olav Schulstad, Production Manager at Magnor mentions that people have been very supportive in the firm and volunteered to help without even being asked. Also, Frode Halteigen, an operator at Magnor, mentioned in the video that all the employees including the people on the shop floor sacrificed time with their families and weekends, to be able to get the operations back in shape. https://www.youtube.com/watch?v=S-ZlVuM0we0&feature=youtu.be                                     Cyber Attack on Hydro Magnor In fact, many employees also took unconventional roles to help out on the shop floor. For instance, Mads Madsstuen is an Area Sales Manager but is helping out with the shop floor in the plant. https://twitter.com/fabrikkfrue/status/1113426747809247232 https://twitter.com/GossiTheDog/status/1113442133267091456 Post-attack, Norsk Hydro kept providing updates on the attack to inform the public about progress made in securing safe and stable operations across the company. “With a systematic approach our experts are step by step restoring business-critical IT based functions to ensure stable production, serve our customers and limit financial impact, while always safeguarding our employee’s safety,” said Eivind Kallevik, CFO, Norsk Hydro in an update posted on March 21st. As per the update, the root cause of the problems had been detected, and a cure had been identified. Hydro’s experts have been working since then on bringing the virus infected systems back to a pre-infected state. The firm also called in experts from Microsoft and other IT security partners to help Hydro take all necessary actions in a systematic way to get business back in normal operation. “Hydro has experienced good progress over the weekend and continues to approach normal operations after the cyber attack. Our focus so far has been technical recovery. This week we are moving on to business and operation recovery”, Hydro updated earlier this week. Norsk Hydro lost over $40 million in the week following the cyber attack as it incapacitated most of its operations. It decided to switch the units to manual operations after the company’s IT systems had been attacked and blocked with ransomware, called LockerGoga. LockerGoga is a new and evolving ransomware that could have infected the systems at Norsk via stolen remote desktop credentials, phishing or a nonupdated targeting software reports Chemistry World. Other two US-based chemical companies, namely, Momentive and Hexion, have also suffered cyber attacks due to LockerGoga. The video states that thousands of people at Hydro around the world, are working day and night to fix the operations, showing a “true display of care, courage, and collaboration”. It sheds light on the indefatigable fervor of the Nosk Hydro employees and how the firm has managed to foster a work culture that many companies should aspire to. The video also shows behind-the-scenes of how challenging it becomes for the employees within a company to recuperate with the reality of such extensive cyber attacks in terms of both financial and operational constraints. Resecurity reports ‘IRIDUIM’ behind Citrix data breach, 200+ government agencies, oil and gas companies, and technology companies also targeted A security researcher reveals his discovery on 800+ Million leaked Emails available online Security researcher exposes malicious GitHub repositories that host more than 300 backdoored apps

The Massachusetts Institute of Technology has broken off its partnerships with Chinese telecoms equipment makers Huawei and ZTE, amidst them facing US federal investigations. MIT follows suite moves by Stanford University, University of California’s flagship Berkeley and the University of Minnesota, who have all cut future research collaborations with Huawei. Late December, Huawei’s Chief Financial Officer, Wanzhou Meng, who is also the daughter of the company’s founder, was arrested in Canada. Huawei was allegedly involved in violating U.S.’ sanctions on Iran. Huawei was under constant scrutiny by the US government following the ban on ZTE from selling devices with American-made hardware and software. ZTE was also found guilty of violating US sanctions on Iran. Then in January, the U.S. Government officially charged Huawei for stealing T-Mobile’s trade secrets along with bank fraud to violate U.S. sanctions on Iran. Only a month had passed when Huawei came in the light again for using dirty tactics to steal Apple’s trade secrets. U.S. companies such as Motorola and Cisco Systems have made similar claims against Huawei in civil lawsuits. A Chicago-based company, Akhan Semiconductor even cooperated with a federal investigation into a theft of its intellectual property by Huawei. Huawei’s power in the mobile telecommunications sector and blatant ignorance of cybersecurity laws is alarming. FBI Director Christopher Wray said the cases “expose Huawei’s brazen and persistent actions to exploit American companies and financial institutions and to threaten the free and fair global marketplace. That kind of access could give a foreign government the capacity to maliciously modify or steal information, conduct undetected espionage, or exert pressure or control.” In a letter sent to the faculty on Wednesday, Richard Lester, MIT’s associate provost, and Maria Zuber, the school’s vice-president for research, said, “At this time, based on this enhanced review, MIT is not accepting new engagements or renewing existing ones with Huawei and ZTE or their respective subsidiaries due to federal investigations regarding violations of sanction restrictions.” The letter further stated, “Most recently we have determined that engagements with certain countries – currently China [including Hong Kong], Russia and Saudi Arabia – merit additional faculty and administrative review beyond the usual evaluations that all international projects receive.” Since Huawei’s ban in the US, the country is trying to prevent its allies from using Huawei technology for critical infrastructure, especially focusing on the five English speaking countries also known as the Five Eyes (US, Canada, New Zealand, Australia, Great Britain). Australia and New Zealand have so far stopped operators from using Huawei equipment in their 5G networks. In the EU however, policymakers have made it a mandate for EU nations to share data on 5G cybersecurity risks and produce measures to tackle them by the end of the year. “The aim is to use tools available under existing security rules plus cross-border cooperation,” the bloc’s executive body said. Now, it is upto individual EU countries to decide whether they want to ban any company on national security grounds. China’s Huawei technologies accused of stealing Apple’s trade secrets, reports The Information Cisco and Huawei Routers hacked via backdoor attacks and botnets Huawei launches HiAI

Last week, RedTeam Pentesting had discovered a command injection vulnerability in the web-based certificate generator feature of the Cisco RV320 router. According to RedTeam Pentesting, the feature was inadequately patched by the vendor. On Saturday, Cisco acknowledged that it had mismanaged a patch which would give rise to a vulnerability in two router models, namely, Cisco RV320 and RV325 WAN VPN routers. https://twitter.com/RedTeamPT/status/1110843396657238016 The security flaws These router vulnerabilities were discovered way back in September 2018. Post four months the discovery, a patch was issued for blacklisting the curl which is a command-line tool used for transferring data online and is also integrated into internet scanners. The idea behind introducing this curl was to prevent the devices from the attackers. Cisco patches were intended to protect these vulnerable devices. And initially, it was believed that Cisco’s patches were the ideal choice for businesses. Cisco’s RV320 product page reads, "Keep your employees, your business, and yourself productive and effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal choice for any small office or small business looking for performance, security, and reliability in its network." Around 10,000 of these devices are still accessible online and are vulnerable to attacks. Cisco’s patch could merely blacklist the curl which turned out be a major problem. In January, this year, security researcher David Davidson published a proof-of-concept for two Cisco RV320 and RV325 vulnerabilities. The security flaws patched by Cisco were: CVE-2019-1652 This flaw allows remote attackers to inject and run admin commands on the device without using a password. CVE-2019-1653 This flaw allows remote attackers to get sensitive device configuration details without using a password. But it seems instead of fixing the vulnerable code in the actual firmware, Cisco has instead blacklisted the user agent for curl. https://twitter.com/bad_packets/status/1110981011523977217 Most of the users are surprised by this news and they think that these patches can be easily bypassed by the attackers. https://twitter.com/hrbrmstr/status/1110995488235503616 https://twitter.com/tobiasz_cudnik/status/1111068710360485891 To know more about this news, check out RedTeam Pentesting’s post. Redis Labs raises $60 Million in Series E Funding led by Francisco partners San Francisco legislation proposes a citywide ban on government’s use of facial recognition technology Cisco and Huawei Routers hacked via backdoor attacks and botnets  

The Federal Trade Commission announced yesterday that they have issued orders to seven U.S. Internet broadband providers to analyze how these broadband companies carry out the data collection and distribution process. Seven broadband companies including AT&T Inc., AT&T Mobility LLC, Comcast Cable Communications doing business as Xfinity, Google Fiber Inc., T-Mobile US Inc., Verizon Communications Inc., and Cellco Partnership doing business as Verizon Wireless, received orders from the FTC for monitoring the companies’ privacy policies, procedures, and practices. According to the FTC press release, “This study is to better understand Internet service providers’ privacy practices in light of the evolution of telecommunications companies into vertically integrated platforms that also provide advertising-supported content. Under current law, the FTC has the ability to enforce against unfair and deceptive practices involving Internet service providers.” What information does the FTC plan to retrieve? The FTC is authorized to issue the “Orders to File a Special Report by Section 6(b) of the FTC Act”, the press release reads. The Commission seeks to obtain information on the categories of personal information collected about consumers or their devices, including the purpose for which the information is collected or used. Also, the techniques for collecting such information: whether the information collected is shared with third parties; internal policies for access to such data; and how long the information is retained; They will also analyze whether the information is aggregated, anonymized or de-identified. The other factors they’ll analyze include: Copies of the companies’ notices and disclosures to consumers about their data collection practices; Whether the companies offer consumers choices about the collection, retention, use, and disclosure of personal information, and whether the companies have denied or degraded service to consumers who decline to opt-in to data collection; and Procedures and processes for allowing consumers to access, correct, or delete their personal information. “The FTC has given the companies up to 45 days to hand over the requested information”, The Verge reports. A user wrote on HackerNews, “It’s good to check on this of course but...as far as ISPs go, this is actually about #3 on the list of problems I want the FTC or someone to fix” “How about the fact that there’s usually only one choice. Or that Internet that everyone wants can be force-bundled with ridiculous things no one wants (like a home phone line and minimum TV bundle), that we tolerate because there is no option. Or prices that go up forever with no improvements, except when they all magically found a way the day after Google Fiber was announced. These companies abuse their positions and need to be checked for that in addition to privacy”, the user added. To know more about this news in detail, visit the official press release. Facebook under criminal investigations for data sharing deals: NYT report Advocacy groups push FTC to fine Facebook and break it up for repeatedly violating the consent order and unfair business practices US Senators introduce a bill to avoid misuse of facial recognition technology

Motherboard, today, reported of a backdoor malware attack on ASUS’ servers, which took place last year between June and November 2018. The attack was discovered by Kaspersky Lab in January 2019 and was named ‘ShadowHammer’ thereafter. Researchers say that the attack was discovered after adding a new supply-chain detection technology to ASUS’ scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. Kaspersky analysts told Kim Zetter, a cybersecurity journalist at Motherboard, that the backdoor malware was pushed to ASUS customers for at least five months before it was discovered and shut down. Researchers also said that attackers compromised ASUS’ server for the company’s live software update tool. Following which the attackers used it to push the malware to inadvertently install a malicious backdoor on thousands of its customers’ computers. The malicious file, however, was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company. One of Kaspersky’s spokesperson said, “Over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time... We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide”. According to researchers at Kaspersky Lab, the goal of the attack was to “surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses”. The attackers' first hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. “We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list”, the researchers mentioned. Zetter also tweeted about “a Reddit forum from last year where ASUS users were discussing the suspicious software update ASUS was trying to install on their machines in June 2018” https://twitter.com/KimZetter/status/1110239014735405056 Kaspersky Lab plans to release a full technical paper and presentation about the ASUS attack at its Security Analyst Summit held in Singapore next month. Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team, said, “This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware.” Zetter writes, “Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company.” Costin Raiu, company-wide director of Kaspersky’s Global Research and Analysis Team, told Motherboard, “I’d say this attack stands out from previous ones while being one level up in complexity and stealthiness. The filtering of targets in a surgical manner by their MAC addresses is one of the reasons it stayed undetected for so long. If you are not a target, the malware is virtually silent.” In a press release, Asus stated that the backdoor was fixed in the Live Update version 3.6.8. The company has also "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism", the press release states. Additionally, ASUS has also created an online security diagnostic tool to check for affected systems. To know more about the technical details on this attack, head over to Kaspersky’s website. UPDATED: In a press release, Asus stated that the backdoor was fixed in the Live Update version 3.6.8. Additionally, ASUS has also created an online security diagnostic tool to check for affected systems. Researchers prove that Intel SGX and TSX can hide malware from antivirus software Using deep learning methods to detect malware in Android Applications Security researcher exposes malicious GitHub repositories that host more than 300 backdoored apps

Microsoft made a series of new announcements, earlier this week. These include a new Microsoft Defender ATP for Mac, a first fully automated DNA data storage system, and the Revived Microsoft Office Assistant, Clippy. Microsoft Defender ATP for Mac Microsoft team announced yesterday that it's expanding the reach of the core components of its security platforms (including the new Threat & Vulnerability Management) to Mac devices. Also, the name of these unified endpoint security platforms has been updated to Microsoft Defender ATP (Advanced Threat Protection) from the prior Windows Defender ATP, keeping in mind its new cross-platform nature. “We’ve been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralized “single pane of glass” experience”, states the Microsoft Team. Users can install the Microsoft Defender ATP client on devices running macOS Mojave, macOS High Sierra, or macOS Sierra to manage and protect these devices. This app offers next-gen anti-malware protection, allowing users to review and perform configuration of their protection. Users can also configure the advanced settings, including disabling or enabling real-time protection, cloud-delivered protection, and automatic sample submission among others. Moreover, devices with alerts and detections will also get surfaced in the Microsoft Defender ATP portal. Security analysts and admins can then further review these alerts on Mac devices. Other than that, the Microsoft team also plans to bring Microsoft Intune in the future. This would enable the users to configure and deploy the settings via alternative Mac and MDM management tools such as JAMF. Fully automated DNA data storage system Microsoft announced the new and first fully automated DNA data storage system, yesterday. The system allows with the storage and retrieval of data in manufactured DNA. This move is aimed at moving the DNA tech out of the research lab and into commercial data centers, says the Microsoft team. The team (Microsoft researchers and University of Washington) successfully encoded the word “hello” in snippets of fabricated DNA. They then further converted it back to digital data with the help of a fully automated end-to-end system. This automated DNA data storage system makes use of the software developed by the Microsoft and UW team that helps convert the ones and zeros of digital data into the As, Ts, Cs, and Gs (the building blocks of DNA). It then leverages the inexpensive, ‘off-the-shelf’  lab equipment to allow the flow of necessary liquids and chemicals into a synthesizer. This synthesizer then builds the manufactured snippets of DNA and pushes them into a storage vessel. In case the system wants to retrieve the information, it can add other chemicals to properly prepare the DNA and uses microfluidic pumps to push the liquids into other parts of the system. This system is then able to “read” the DNA sequences and convert them back to information understandable by a computer. According to the researchers, “the goal of the project was not to prove how fast or inexpensively the system could work, but simply to demonstrate that automation is possible” Revived Office Assistant Clippy Microsoft revived its 90s Microsoft Office Assistant, called Clippy, earlier this week on Tuesday. Microsoft Office team brought back Clippy as an app that can offer animated Clippy stickers on chats in Microsoft Teams, company’s group chat software.These Clippy stickers were also released on Microsoft’s official Office developer GitHub page, allowing all the Microsoft Teams users to import and use these stickers for free. However, Clippy was removed yet again the next day. This is because the “brand police” within Microsoft was not happy with the reappearance of Clippy on Microsoft Teams, reports The Verge. The GitHub project associated with the same has also been removed. Clippy fans, however, are not happy with the company’s decision and have started a thread requesting Microsoft to bring back Clippy in Microsoft Teams. Microsoft brings PostgreSQL extension and SQL Notebooks functionality to Azure Data Studio Microsoft open-sources Project Zipline, its data compression algorithm and hardware for the cloud Microsoft announces Game stack with Xbox Live integration to Android and iOS

One of the largest producers of aluminum in the world, Norsk Hydro, was hit by a cyber attack in the company’s IT system on Monday evening affecting major parts of its smelting operations. The attack which escalated overnight and which is still ongoing has caused the company to resort to manual operations at its smelting facilities. The company's website is currently down and it is posting updates to Facebook. Hydro said that IT systems in most business areas are impacted. According to a statement to BBC, Hydro said that the digital systems at its smelting plants were programmed to ensure machinery worked efficiently. However, these systems had to be turned off. The company is unsure what type of cyber attack it is facing or who is responsible. “We are working to contain and neutralize the attack. It is too early to assess the full impact of the situation. It is too early to assess the impact on customers. We have established a dialogue with all relevant authorities”, the firm updated on their Facebook post. "They are much more reliant today on computerised systems than they were some years ago. But they have the option of reverting back to methods that are not as computerised, so we are able to continue production”, a Hydro spokesperson told BBC. According to Reuters, “The company shut several metal extrusion plants, which transform aluminum ingots into components for car makers, builders, and other industries, while its giant smelters in countries including Norway, Qatar and Brazil were being operated manually.” A Norwegian National Security Authority (NSM) spokesperson said, “We are helping Norsk Hydro with the handling of the situation, and sharing this information with other sectors in Norway and with our international partners.” Hydro is arranging a press meeting on Tuesday, 19 Mar 2019 at 14:00:00 GMT where it will inform everyone about the cyber-attack. We will keep you updated as and when updates to this story is announced. In the meantime, you can check out Norsk Hydro’s Facebook wall for updates. 5 nation joint Activity Alert Report finds most threat actors use publicly available tools for cyber attacks How social media enabled and amplified the Christchurch terrorist attack Microsoft claims it halted Russian spearphishing cyberattacks

The work collaboration hub, Slack, yesterday, launched Slack Enterprise Key Management (EKM) for its enterprise customers. The feature is introduced to give customers control over their encryption keys used for encrypting and decrypting the files and messages they share on their Slack workspace. https://twitter.com/SlackHQ/status/1107646162079637506 Following are some of the advantages Slack EKM brings in: An extra layer of protection Slack EKM allows customers to use their own keys, which are stored in Amazon’s Key Management Service (AWS KMS). This will act as an extra layer of protection allowing privacy-conscious organizations such as banks share data, while also combating the risk. Better visibility into how the keys are being used It logs the usage of your keys to encrypt and decrypt messages and files in AWS KMS’s CloudWatch and CloudTrail. The detailed activity logs provide customers much more visibility into how the keys are being accessed. Administrators can control access very granularly What sets Slack EKM apart from general EKM services is that, in the case of any security threat, instead of revoking access to the entire product, it allows administrators to revoke access granularly. They can revoke access at the organization, workspace, channel, time-frame, and file levels. This type of revocation process ensures that the teams can continue to do their day-to-day work while administrators are taking care of the threat. On a phone interview, Slack Head of Enterprise Product, Ilan Frank told VentureBeat, “So today all data in Slack is encrypted at rest and in transit — but in rest, specifically. We, of course, have keys to those, and this now puts that control in the customer’s hands. It’s a feature that our large customers have been asking for for a very long time.” To know more about Slack EKM, check out Slack’s official website. Slack removed 28 accounts: A step against the spread of hate speech Slack confidentially files to go public Airtable, a Slack-like coding platform for non-techies, raises $100 million in funding

Yesterday, IBM launched its Blockchain World Wire, a global blockchain network for cross-border payments that will make use of Stablecoin by U.S. dollars and cryptocurrency to make near real-time cross border financial transactions. It is based on distributed ledger technology (DLT) for regulated financial firms. IBM Blockchain World Wire is a real-time global payments network that works towards clearing and settling foreign exchange, cross border payments and remittances. Currently, this network can transfer funds to more than 50 countries using 47 digital coins backed by fiat currencies. According to IBM, World Wire is the first blockchain network of its kind to integrate payment messaging and clearing and settlement on a single unified network while allowing participants to dynamically choose from a variety of digital assets for settlement. According to a report by Cheddar, six international banks have signed letters of intent to issue their own Stablecoins backed by their national fiat currencies including Brazil’s Banco Bradesco, South Korea’s Bank Busan and the Philippines’ Rizal Commercial Banking Corporation on IBM’s Blockchain World Wire. Advantages of Blockchain World Wire Faster payment processing Blockchain World Wire provides simultaneous clearing and settlement and eliminates multiple parties processing transactions. Lower costs The World Wire comes with reduced capital requirements for cross-border transactions. Even the clearing costs have been lowered. Transparency The World Wire provides end-to-end transparency and one exchange fee between all currencies which makes it easier. If two financial institutions that are transacting agree upon using either a Stablecoin, central bank digital currency or another digital asset as the bridge asset between any two currencies then they will be provided with trade and important settlement instructions. The institutions can use their existing payment systems by connecting it to World Wire’s APIs in order to convert the first fiat currency into the digital asset. Further, the World Wire converts the digital asset into the second fiat currency, that completes the transaction. The transaction details are recorded onto an immutable blockchain for clearing purpose. Marie Wieck, General Manager, IBM Blockchain, said, “We’ve created a new type of payment network designed to accelerate remittances and transform cross-border payments to facilitate the movement of money in countries that need it most. By creating a network where financial institutions support multiple digital assets, we expect to spur innovation and improve financial inclusion worldwide.” To know more about this news, check out IBM’s official website. Google expands its Blockchain search tools, adds six new cryptocurrencies in BigQuery Public Datasets Blockchain governance and uses beyond finance – Carnegie Mellon university podcast Stable version of OpenZeppelin 2.0, a framework for smart blockchain contracts, released!

Two fatal air crashes in Boeing’s 737 MAX 8 model in less than six months have aroused a lot of questions on the U.S. Federal Aviation Administration’s (FAA) safety analysis procedure. Per CNBC, the State’s Department of Transportation started their investigation after a new Boeing 737 Max 8 operated by Indonesia’s Lion Air crashed into the Java Sea in October last year killing 189 passengers. A similar air crash was reported this month on March 10 when a second Boeing 737 Max 8 operated by Ethiopian Airlines plane crashed shortly after take-off, killing all 157 people on board. Post these incidents, authorities around the world — including the U.S., Europe, China, and Indonesia have grounded Boeing 737 Max planes. Transport Minister Dagmawit Moges told the Wall Street Journal, “Clear similarities were noted between Ethiopian Air Flight 302 and Indonesian Lion Air Flight 610, which will be the subject of further study during the investigation.” The FAA is responsible for certifying an aircraft as airworthy by putting out bulletins and advisories on problems and fixes. It is often considered as the go-to agency for many aviation flight authorities around the world. Boeing's flight safety control system, MCAS (Maneuvering Characteristics Augmentation System) was  “added to the Max-8 series because new, heavier and larger engines replaced the old engines and as a result, the updated Max planes had a strong tendency to pitch nose up”, the Asia Time reported. “The new engine, CFM Leap-1B, was selected by Boeing because it was much more fuel efficient than the older models, one of the big reasons customers want the 737 Max.” The DOT investigation suspected that the flight safety system played a role in the fatal crash in Indonesia. The WSJ reported in November last year, that Boeing failed to warn the airline industry about a potentially dangerous feature in its new flight-control system. According to the Asia Times, “Almost every expert today puts the blame for both flight disasters on faulty software that took over running the plane’s flight control system. Many have pointed to Boeing’s alleged lack of transparency in telling pilots what to do if the software malfunctioned. In addition, there had been at least eight pilot-reported flight control incidents prior to the first Lion Air crash.” Trevor Sumner, a software engineer and the CEO of PERCH Interactive tweeted saying that the 737 MAX tragedies were not a software problem. Instead, it was an economic problem as the “737 engines used too much fuel, so they decided to install more efficient engines with bigger fans and make the 737MAX.” https://twitter.com/trevorsumner/status/1106934369158078470 In spite of the system complied with all the applicable FAA regulations, “the black box data retrieved after the Lion Air crash indicates that a single faulty sensor — a vane on the outside of the fuselage that measures the plane’s “angle of attack,” the angle between the airflow and the wing — triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash”, the Seattle Times reported. According to the Seattle Times, “Since MCAS was supposed to activate only in extreme circumstances far outside the normal flight envelope, Boeing decided that 737 pilots needed no extra training on the system — and indeed that they didn’t even need to know about it. It was not mentioned in their flight manuals. That stance allowed the new jet to earn a common “type rating” with existing 737 models, allowing airlines to minimize training of pilots moving to the MAX.” According to a detailed FAA briefing to legislators, Boeing plans to change the MCAS software to give the system input from both angle-of-attack sensors. Boeing also plans to update pilot training requirements and flight crew manuals to include MCAS. After two fatal crashes in less than six months involving the same plane model, authorities around the world — including the U.S., Europe, China, and Indonesia — grounded Boeing 737 Max planes. To know more about this news in detail, read more at The Seattle Times. The tug of war between Google and Oracle over API copyright issue has the future of software development in the crossfires F5 Networks is acquiring NGINX, a popular web server software for $670 million 18 people in tech every programmer and software engineer needs to follow in 2019

After a long break from fundraising, yesterday Cloudflare, a U.S. based company that provides content delivery network services, Internet security, etc, announced that it raised $150 million of funding. The company also announced the joining of Stan Meresman, board member and chair of the Audit Committee of Guardant Health (GH) and Maria Eitel, founder and co-chair of the Nike Foundation as the board of directors. In 2014, Cloudflare raised around $110 million funding and the company has raised more than $330 million till date from investors including New Enterprise Associates, Union Square Ventures, Microsoft, Baidu, and many more. During the latest round of funding Franklin Templeton, an investment management company joined these investors and further extending its support to Cloudflare’s growth. Matthew Prince, co-founder and CEO of Cloudflare, said, “I’m honored to welcome Maria and Stan to our board of directors. Both of them bring a wealth of knowledge and experience to our board and know what it takes to propel companies forward. Our entire board looks forward to working with them as we continue to help build a better Internet.” Eitel has previously run European corporate affairs for Microsoft and worked in media affairs at the White House, and also had been an assistant to President George H.W. Bush. Eitel said, “My career has been focused on creating global change, and the Internet is a huge part of that. The Internet has the ability to unleash human potential, and I believe that Cloudflare is one of the major players able to drive the change that’s necessary for the world and Internet community.” Stan Meresman was previously CFO of Silicon Graphics (SGI) and Cypress Semiconductor (CY). He said, “Cloudflare’s technologies, customer base, and global network have helped propel the company to a position of leadership in the Internet ecosystem. I look forward to lending my skills and expertise to Cloudflare’s board in order to continue this growth and make even more of an impact.” According to a report by Reuters, last year, Cloudflare was considering an IPO in the first half of 2019, that could have valued the company more than $3.5 billion. According to this latest funding round, it seems that the company isn’t yet in the direction of going public, but Cloudflare is growing and public offering could possibly be the next big step. Few users are expecting the company to go public this year and are happy that the company is moving in a good direction. One of the users commented on HackerNews, “I do wonder how people feel about this internally though. There's a lot of expectation that the company would go public this year (and some even expected it would go public last year). Hopefully, no one needs the money they put in to early exercise any time soon!” Another comment reads, “Cloudflare is undergoing a lot of big projects to break away from the image that they are "just a CDN". Raising a round now instead of going public allows them to invest more on those projects instead of focusing on quarter to quarter results. Also, avoiding brain-drains post-IPO while they need those talents the most.” Few others think that the company might start monetizing over the data flow. A user commented, “Doesn't raising this kind of money scream that you're eventually going to start to monetize the data flowing through your network (e.g. telecoms selling location data to bounty hunters)?” To know more about this news, check out the official announcement. Cloudflare takes a step towards transparency by expanding its government warrant canaries workers.dev will soon allow users to deploy their Cloudflare Workers to a subdomain of their choice Cloudflare’s 1.1.1.1 DNS service is now available as a mobile app for iOS and Android  

ACME (Automated Certificate Management Environment) is no longer just a Let's Encrypt effort as it is now standardized by the Internet Engineering Task Force (IETF). The ACME protocol can be used by a Certificate Authority (CA) to automate the process of verification and certificate issuance. The open-source Let's Encrypt project has been an innovating force on the security landscape over the last several years. It provides millions of free SSL/TLS certificates to help secure web traffic. Aside from the disruptive model of providing certificates for free, Let's Encrypt has also helped to pioneer new technology to help manage and deliver certificates as well, including the Automated Certificate Management Environment (ACME). Let's Encrypt is a non-profit effort that was announced in November 2014 and became a Linux Foundation Collaborative Project in April 2015. Let's Encrypt exited its beta period in April 2016 and currently is helping to secure over 43 million websites."The protocol also provides facilities for other certificate management functions, such as certificate revocation," as per the IETF draft of the ACME standard states. The ACME protocol being standardized at the IETF is version 2 of the protocol and benefits from the wider participation of other internet organizations' viewpoint on certificate management, beyond Let's Encrypt. Though the IETF standardization process is a multi-stakeholder effort, Josh Aas, Executive Director and Co-Founder of Internet Security Research Group (ISRG) and Let's Encrypt, noted that the process has gone as expected with no real surprises. "We expect the standardization process to conclude in the next few months," Josh mentioned on the blog. Josh said that the ACME v1 protocol is what Let's Encrypt uses today, and version 2 will be standardized by the IETF and supported by Let's Encrypt as of January 2018. The main difference between the two versions is the order of operations. "In v1, clients authorize a set of domains and then request a certificate," Aas said. "In v2 clients request a certificate and then authorize domains for the certificate. The latter ordering offers more flexibility to us and other CAs who might be interested in using ACME." As a Certificate Authority (CA), to date Let's Encrypt has only provided Domain Validated (DV) certificates. DV certificates do not specifically identify or validate the organization using the certificate, but rather validate a request against a domain registry. In contrast, an Organization Validated (OV) certificate identifies the organization and validates the identity against a business registry. An Extended Validation (EV) provides the highest level of validation for an organization and involves a comprehensive vetting process. "ACME v1 was designed primarily with DV issuance in mind," Aas said. "ACME v2 can probably not be used to issued OV or EV certificates on its own, but it can play a role in issuing OV or EV certificates." Aas added that ACME V2 could potentially be used in OV and EV certificate issuance by automating the parts of the validation process that can be automated. While Let's Encrypt will be making use of the IETF ACME v2 protocol, other Certificate Authorities are taking a cautious approach. "Symantec offers an automation agent, SSL Assistant Plus, which implements a proprietary certificate lifecycle protocol," Rick Andrews, Symantec Distinguished Engineer told, "We follow the ACME development discussions in the IETF, and are considering adding support for the ACME protocol." Google’s Adiantum, a new encryption standard for lower-end phones and other smart devices Microsoft open sources (SEAL) Simple Encrypted Arithmetic Library 3.1.0, with aims to standardize homomorphic encryption 4 Encryption options for your SQL Server