
Tech News - Security

470 Articles

Announcing DTrace for Windows Insider

Melisha Dsouza
12 Mar 2019
2 min read
Microsoft announced on its blog today that the company has added support for DTrace into its Insider builds. The forthcoming Windows 10 feature update will bring support for this debugging and diagnostic tracing tool. The support for DTrace is now possible due to a port of the open-source OpenDTrace project. The port was announced at the Ignite conference last year. The instructions, binaries, and source code are now available to Windows Insiders.

DTrace lets developers and administrators track kernel function calls, examine properties of running processes, and probe drivers. The DTrace scripting language allows users to specify which information is probed, and how to report that information. Hari Pulapaka, Microsoft group program manager for the Windows kernel, says that the merge will happen over the next few months, but in the meantime, Microsoft is making its DTrace source available.

Source: Microsoft blog

To run DTrace on Windows 10, users need a 64-bit Insider build 18342 or higher, and a valid Insider account. DTrace has to be run in administrator mode. In order to expose the required functionality for DTrace, Microsoft created a new kernel extension driver, traceext.sys. However, Microsoft does not plan to open source Traceext. You can head over to GitHub to download the source code for this project.

Microsoft researchers introduce a new climate forecasting model and a public dataset to train these models
Microsoft @MWC (Mobile World Congress) Day 1: HoloLens 2, Azure-powered Kinect camera and more!
Microsoft adds new features to Microsoft Office 365: Microsoft threat experts, priority notifications, Desktop App Assure, and more


Resecurity reports ‘IRIDIUM’ behind Citrix data breach; 200+ government agencies, oil and gas companies, and technology companies also targeted

Melisha Dsouza
11 Mar 2019
4 min read
Last week, Citrix, the American cloud computing company, disclosed that it suffered a data breach on its internal network. It was informed of this attack by the FBI. In a statement posted on Citrix’s official blog, the company’s Chief Security Information Officer Stan Black said, “the FBI contacted Citrix to advise they had reason to believe that international cybercriminals gained access to the internal Citrix network. It appears that hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown.”

The FBI informed Citrix that the hackers likely used a tactic known as password spraying to exploit weak passwords. The blog further states that “Once they gained a foothold with limited access, they worked to circumvent additional layers of security”.

In the wake of these events, the security firm Resecurity reached out to NBC News and claimed that it had reason to believe that the attacks were carried out by an Iranian-linked group known as IRIDIUM. Resecurity says that IRIDIUM "has hit more than 200 government agencies, oil and gas companies, and technology companies including Citrix." Resecurity claims that IRIDIUM breached Citrix's network during December 2018. Charles Yoo, Resecurity's president, said that the hackers extracted at least six terabytes of data and possibly up to 10 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement. “It's a pretty deep intrusion, with multiple employee compromises and remote access to internal resources."

Yoo further added that his firm has been tracking the Iranian-linked group for years, and has reason to believe that IRIDIUM broke its way into Citrix's network about 10 years ago, and has been “lurking inside the company's system ever since.” There is no evidence that the attacks directly penetrated U.S. government networks. However, the breach carries a potential risk that the hackers could eventually enter sensitive government networks. According to Black, “At this time, there is no indication that the security of any Citrix product or service was compromised.”

Resecurity said that it first reached out to Citrix on December 28, 2018, to share an early warning about “a targeted attack and data breach”. According to Yoo, an analysis indicated that the hackers were focused in particular on FBI-related projects, NASA and aerospace contracts and work with Saudi Aramco, Saudi Arabia's state oil company. “Based on the timing and further dynamics, the attack was planned and organized specifically during Christmas period,” Resecurity says in a blog. A spokesperson for Citrix confirmed to The Register that "Stan’s blog refers to the same incident" described by Resecurity.

Twitter was abuzz with users expressing their confusion over the timeline of events and wondering about the consequences if IRIDIUM was truly lurking in Citrix’s network for 10 years:

https://twitter.com/dcallahan2/status/1104301320255754241
https://twitter.com/MalwareYoda/status/1104170906740350977
https://twitter.com/Maliciouslink/status/1104375001715798016

The data breach is worrisome, considering that Citrix sells workplace software to government agencies and handles sensitive computer projects for the White House Communications Agency, the U.S. military, the FBI and many American corporations.

U.S. Senator introduces a bill that levies jail time and hefty fines for companies violating data breaches
Internal memo reveals NASA suffered a data breach compromising employees' social security numbers
Equifax data breach could have been “entirely preventable”, says House oversight and government reform committee staff report


Flickr says Creative Commons photos won’t be subject to 1,000 picture limit

Fatema Patrawala
11 Mar 2019
2 min read
On November 1st, 2018 Flickr announced that it would be limiting free accounts to just 1,000 pictures. But it recently made an exception: while it would delete pictures on accounts over that number, any Creative Commons licensed photos uploaded before the November 1st, 2018 deadline would be allowed to stay. Last Friday, the company made the policy permanent: all Creative Commons photos will be allowed on Flickr for good, regardless of upload date, even on accounts that otherwise would have surpassed the 1,000 picture limit.

In light of this change, Flickr also removed the ability to change licenses on photos on the site in bulk. This makes it difficult for users to just hit a button and circumvent the 1,000 picture limit. That’s for good reason, too. The company says it wants users to think about and understand the consequences of making a photo open to use by anyone under a Creative Commons license before they just flip the switch to avoid the limit. It’s unclear if users already at the 1,000 photo limit will be able to upload new Creative Commons photos past that, but that seems to be what Flickr is implying.

Additionally, Flickr is adding “In memoriam” accounts for users who have passed away, which will lock the account and preserve all the pictures on it. It is available for Pro users too who would be over the 1,000 picture limit when their subscription inevitably lapses. For this, Flickr has put up a page to submit accounts which can be memorialized. Upon receiving a request on the page, Flickr evaluates whether the account qualifies to be memorialized. The account’s username will then be updated to reflect the “in memoriam” status, and login for the account will be locked to prevent anyone from signing in.

Lastly, Flickr also announced that it will finally be removing the last major vestige of the company’s former Yahoo stewardship. It has decided to do away with the mandatory Yahoo login requirement, and will also transition existing accounts away from Yahoo over the next few weeks.

RSA Conference 2019 Highlights: Top 5 cybersecurity products announced
Google Cloud security launches three new services for better threat detection and protection in enterprises


A security researcher reveals his discovery on 800+ Million leaked Emails available online

Savia Lobo
09 Mar 2019
4 min read
Security researcher Bob Diachenko shared his discovery of an unprotected 150GB MongoDB instance. He said that it held a huge number of emails that were publicly accessible to anyone with an internet connection. “Some of the data was much more detailed than just the email address and included personally identifiable information (PII)”.

The discovered database contained four separate collections of data, with a combined total of 808,539,939 records. The largest part of this database was named ‘mailEmailDatabase’ and had three folders:

• Emailrecords (798,171,891 records)
• emailWithPhone (4,150,600 records)
• businessLeads (6,217,358 records)

He cross-checked a random selection of records against Troy Hunt’s HaveIBeenPwned database. The researcher states, “I started to analyze the content in an attempt to identify the owner and responsibly disclose it – even despite the fact that this started to look very much like a spam organization dataset.”

In addition to the email databases, the Mongo instance also revealed details on the possible owner of the database, a company named ‘Verifications.io’, which offered the service of ‘Enterprise Email Validation’. Once emails were uploaded for verification, they were also stored in plain text. “Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication. Here is the archived version”, the researcher said.

According to Diachenko, the service works as follows. Someone uploads a list of email addresses that they want to validate. Verifications.io has a list of mail servers and internal email accounts that they use to “validate” an email address. They do this by literally sending the people an email. If it does not bounce, the email is validated. If it bounces, they put it in a bounce list so they can easily validate later on.

Diachenko said, “‘Mr. Threat Actor’ has a list of 1000 companies that he wants to hack into. He has a bunch of potential users and passwords but has no idea which ones are real. He could try to log in to a service or system using ALL of those accounts, but that type of brute force attack is very noisy and would likely be identified.” The threat actor instead uploaded all of his potential email addresses to a service like Verifications.io. The email verification service then sent tens of thousands of emails to validate these users (some real, some not). Each one of the users on the list received their own spam message saying “hi”. The threat actor then received a cleaned, verified, and valid list of users at these companies. This, in turn, told him who works there and who does not, from which he could start a more focused phishing or brute forcing campaign.

According to Wired, “The data doesn't contain Social Security numbers or credit card numbers, and the only passwords in the database are for Verifications.io's own infrastructure. Overall, most of the data is publicly available from various sources, but when criminals can get their hands on troves of aggregated data, it makes it much easier for them to run new social engineering scams, or expand their target pool.”

Security researcher Troy Hunt is adding the Verifications.io data to his service HaveIBeenPwned, which helps people check whether their data has been compromised in data exposures and breaches. He says that 35 percent of the trove's 763 million email addresses are new to the HaveIBeenPwned database. The Verifications.io data dump is also the second-largest ever added to HaveIBeenPwned in terms of the number of email addresses, after the 773 million in the repository known as Collection 1, which was added earlier this year. Hunt says some of his own information is included in the Verifications.io exposure.

To know more about this news in detail, read Bob Diachenko’s post.

Leaked memo reveals that Facebook has threatened to pull investment projects from Canada and Europe if their data demands are not met
Switzerland’s e-voting system source code leaked ahead of its bug bounty program; slammed for being ‘poorly constructed’
GDPR complaint claims Google and IAB leaked ‘highly intimate data’ of web users for behavioral advertising


ChaCha20-Poly1305 vulnerability issue affects OpenSSL 1.1.1 and 1.1.0

Savia Lobo
09 Mar 2019
2 min read
On Wednesday, March 6, the OpenSSL team revealed a low severity vulnerability in its ChaCha20-Poly1305 implementation, an AEAD cipher that incorrectly allows a nonce of up to 16 bytes to be set.

The OpenSSL team states that ChaCha20-Poly1305 requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front-pads the nonce with 0 bytes if it is shorter than 12 bytes. However, it also incorrectly allows a nonce of up to 16 bytes to be set. In this case only the last 12 bytes are significant and any additional leading bytes are ignored.

OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. However, this issue does not impact OpenSSL 1.0.2.

The OpenSSL blog stresses that nonce values for this cipher must be unique. “Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce”, the blog states.

Also, the ignored bytes in a long nonce are not covered by the “integrity guarantee” of this cipher. This means any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However, user applications that use this cipher directly and set a non-default nonce length longer than 12 bytes may be vulnerable.

To know more about this issue in detail, head over to the OpenSSL blog post.

Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability
New research from Eclypsium discloses a vulnerability in Bare Metal Cloud Servers that allows attackers to steal data
Google releases a fix for the zero-day vulnerability in its Chrome browser while it was under active attack


RSA Conference 2019 Highlights: Top 5 cybersecurity products announced

Melisha Dsouza
08 Mar 2019
4 min read
The theme at the ongoing RSA 2019 conference is “Better”. As the official RSA page explains, “This means working hard to find better solutions. Making better connections with peers from around the world. And keeping the digital world safe so everyone can get on with making the real world a better place.” Keeping up with the theme of the year, the conference saw some exciting announcements, keynotes, and seminars presented by some of the top security experts and organizations.

Here is our list of the top 5 new cybersecurity products announced at RSA Conference 2019:

#1 X-Force Red Blockchain Testing service

IBM announced the ‘X-Force Red Blockchain Testing service’ to test vulnerabilities in enterprise blockchain platforms. This service will be run by IBM's in-house X-Force Red security team and will test the security of back-end processes for blockchain-powered networks. The service will evaluate the whole implementation of enterprise blockchain platforms. This will include chain code, public key infrastructure, and hyperledgers. Alongside, this service will also assess the hardware and software applications that are usually used to control access and manage blockchain networks.

#2 Microsoft Azure Sentinel

Azure Sentinel will help developers “build next-generation security operations with cloud and AI”. It gives developers a holistic view of security across the enterprise. The service will help them collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds. It can then detect previously undetected threats and minimize false positives using analytics and threat intelligence. Azure Sentinel also helps investigate threats with AI and hunt suspicious activities at scale, while responding to incidents rapidly with built-in orchestration and automation of common tasks.

#3 Polaris Software Integrity Platform

The Polaris Software Integrity Platform is an integrated, easy-to-use solution that enables security and development teams to quickly build secure and high-quality software. The service lets developers integrate and automate static, dynamic, and software composition analysis with the tools they are familiar with. The platform also provides security teams with a holistic view of application security risk across their portfolio and the SDLC. It enables developers to address security flaws in their code as they write it, without switching tools, using the Polaris Code Sight IDE plugin.

#4 CyberArk Privileged Access Security Solution v10.8

The CyberArk Privileged Access Security Solution v10.8 automates detection, alerting and response for unmanaged and potentially risky Amazon Web Services (AWS) accounts. This version also features Just-in-Time capabilities to deliver flexible user access to cloud-based or on-premises Windows systems. The Just-in-Time provisional access to Windows servers will enable administrators to configure the amount of access time granted to Windows systems, irrespective of whether they are cloud-based or on-premises. This will reduce operational friction. The solution can now identify privileged accounts in AWS, unmanaged Identity and Access Management (IAM) users (such as Shadow Admins), and EC2 instances and accounts. This will help track AWS credentials and accelerate the on-boarding process for these accounts.

#5 Cyxtera AppGate SDP IoT Connector

Cyxtera’s IoT Connector, a feature within AppGate SDP, secures unmanaged and under-managed IoT devices with 360-degree perimeter protection. It isolates IoT resources using Cyxtera's Zero Trust model. Each AppGate IoT Connector instance scales for both volume and throughput and handles a wide array of IoT devices. AppGate operates in-line and limits access to prevent lateral attacks while allowing devices to seamlessly perform their functions. It can be easily deployed without replacing existing hardware or software.

Apart from this, the other products launched at the conference included CylancePERSONA, CrowdStrike Falcon for Mobile, Twistlock 19.03 and much more. To stay updated with all the events, keynotes, seminars, and releases happening at the RSA 2019 conference, head over to their official blog.

The Erlang Ecosystem Foundation launched at the Code BEAM SF conference
NSA releases Ghidra, a free software reverse engineering (SRE) framework, at the RSA security conference
Google teases a game streaming service set for Game Developers Conference

Google releases a fix for the zero day vulnerability in its Chrome browser while it was under active attack

Melisha Dsouza
07 Mar 2019
3 min read
Yesterday, Google announced that a patch for Chrome released last week was actually a fix for an active zero-day discovered by its security team. The bug, tagged as CVE-2019-5786, was originally discovered by Clement Lecigne of Google's Threat Analysis Group on Wednesday, February 27th and is currently under active attack.

The threat advisory states that this vulnerability involves a memory mismanagement bug in a part of the Chrome browser called ‘FileReader’. FileReader is a programming tool that allows web developers to pop up menus and dialogs asking a user to choose from a list of local files to upload or an attachment to be added to their webmail. Attackers can use this vulnerability to achieve Remote Code Execution (RCE). ZDNet states that the bug is a type of memory error that happens when an app tries to access memory after it has been freed/deleted from Chrome's allocated memory. If this type of memory access operation is mishandled, it can lead to the execution of malicious code.

Chaouki Bekrar, CEO of exploit vendor Zerodium, tweeted that the vulnerability allegedly allows malicious code to escape Chrome's security sandbox and run commands on the underlying OS.

https://twitter.com/cBekrar/status/1103138159133569024

Not divulging any further information on the bug, Google says: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

Further, Forbes reports that Satnam Narang, a senior research engineer at Tenable, has said that it is a "Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user's computer." Catalin Cimpanu, a security reporter at ZDNet, suggests that there are malicious PDF files in the wild that are being used to exploit this vulnerability. "The PDF documents would contact a remote domain with information on the users' device, such as IP address, OS version, Chrome version, and the path of the PDF file on the user's computer", he added.

The fix for this zero-day

Users are being advised to update Chrome across all platforms.

https://twitter.com/justinschuh/status/1103087046661267456

Check out the new version of Chrome for Android and the patch for Chrome OS. Mac, Windows, and Linux users are advised to manually initiate the download if it is yet to be pushed to a device. Head over to chrome://settings/help to check the current version of Chrome on your system. The URL will also do an update check at the same time, just in case any recent auto-updates have failed.

Google Chrome developers “clarify” the speculations around Manifest V3 after a study nullifies their performance hit argument
Google’s new Chrome extension ‘Password CheckUp’ checks if your username or password has been exposed to a third party breach
Hacker duo hijacks thousands of Chromecasts and Google smart TVs to play PewDiePie ad, reveals bug in Google’s Chromecast devices!


Researchers discover Spectre-like new speculative flaw, “SPOILER”, in Intel CPUs

Melisha Dsouza
06 Mar 2019
5 min read
Intel CPUs are reportedly vulnerable to a new attack: “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks". The vulnerability takes advantage of speculative execution in Intel CPUs, and was discovered by computer scientists at Worcester Polytechnic Institute in Massachusetts, and the University of Lübeck in Germany. According to the research, the flaw is a “novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes." The flaw can be exploited by malicious JavaScript within a web browser tab, malware running on the system or any illicit logged-in user, to steal sensitive information and other data from running applications.

The research paper further states that the leakage can be exploited only by a limited set of instructions, and is visible in all Intel generations starting from the 1st generation Intel Core processors, while being independent of the OS. It also works from within virtual machines and sandboxed environments.

The flaw is very similar to the Spectre attacks that were revealed in July, last year. The SPOILER attack also takes advantage of speculative execution, like the Spectre attack, and reveals memory layout data, making it easy for other attacks like Rowhammer, cache attacks, and JavaScript-enabled attacks to be executed. "The root cause of the issue is that the memory operations execute speculatively and the processor resolves the dependency when the full physical address bits are available," says Ahmad Moghimi, one of the researchers who contributed to the paper. "Physical address bits are security sensitive information and if they are available to user space, it elevates the user to perform other micro architectural attacks."

Intel was informed of the findings in early December, last year. However, they did not immediately respond to the researchers. An Intel spokesperson has now provided TechRadar with the following statement on the SPOILER vulnerability: “Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”

Impact of SPOILER by performing a Rowhammer attack in a native user-level environment

The research paper defines the Rowhammer attack as: “an attack causing cells of a victim row to leak faster by activating the neighboring rows repeatedly. If the refresh cycle fails to refresh the victim fast enough, that leads to bit flips. Once bit flips are found, they can be exploited by placing any security-critical data structure or code page at that particular location and triggering the bit flip again.”

In order to perform a Rowhammer attack, the adversary needs to access DRAM rows that are adjacent to a victim row and ensure that multiple virtual pages co-locate on the same bank. Double-sided Rowhammer attacks cause bit flips faster owing to the extra charge on the nearby cells of the victim row, and they further require access to contiguous memory pages. SPOILER can help boost both single- and double-sided Rowhammer attacks with its additional 8 bits of physical address information, and result in the detection of contiguous memory.

The researchers used SPOILER to detect aliased virtual memory addresses where the 20 LSBs of the physical addresses match. These bits are then used by the memory controller for mapping the physical addresses to the DRAM banks, and the majority of them are known using SPOILER. Further, “an attacker can directly hammer such aliased addresses to perform a more efficient single-sided Rowhammer attack with a significantly increased probability of hitting the same bank.” The researchers reverse engineered the DRAM mappings for different hardware configurations using the DRAMA tool, and only a few bits of physical address entropy beyond the 20 bits remain unknown. To verify whether aliased virtual addresses co-locate on the same bank, they used the row-conflict side channel. They observed that whenever the number of physical address bits used by the memory controller to map data to physical memory is equal to or less than 20, they always hit the same bank.

To summarize their findings, SPOILER drastically improves the efficiency of finding addresses mapping to the same bank without the need for administrative privilege or reverse engineering of the memory controller mapping. This approach also works in sandboxed environments such as JavaScript. You can go through the research paper for more insights on the SPOILER flaw.

Linux 4.20 kernel slower than its previous stable releases, Spectre flaw to be blamed, according to Phoronix
Intel releases patches to add Linux Kernel support for upcoming dedicated GPU releases
Researchers prove that Intel SGX and TSX can hide malware from antivirus software


NSA releases Ghidra, a free software reverse engineering (SRE) framework, at the RSA security conference

Savia Lobo
06 Mar 2019
2 min read
The National Security Agency released the Ghidra toolkit, today at the RSA security conference in San Francisco. Ghidra is a free, software reverse engineering (SRE) framework developed by NSA's Research Directorate for NSA's cybersecurity mission. Ghidra helps in analyzing malicious code and malware like viruses and can also provide cybersecurity professionals with a better understanding of potential vulnerabilities in their networks and systems. “The NSA's general plan was to release Ghidra so security researchers can get used to working with it before applying for positions at the NSA or other government intelligence agencies with which the NSA has previously shared Ghidra in private”, ZDNet reports. Ghidra’s anticipated release broke out at the start of 2019 following which users have been looking forward to this release. This is because Ghidra is a free alternative to IDA Pro, a similar reverse engineering tool which can only be available under an expensive commercial license, priced in the range of thousands of US dollars per year. NSA cybersecurity advisor, Rob Joyce said that Ghidra is capable of analyzing binaries written for a wide variety of architectures, and can be easily extended with more if ever needed. https://twitter.com/RGB_Lights/status/1103019876203978752 Key features of Ghidra Ghidra includes a suite of software analysis tools for analyzing compiled code on a variety of platforms including Windows, Mac OS, and Linux It includes capabilities such as disassembly, assembly, decompilation, graphing and scripting, and hundreds of other features Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. With Ghidra users may develop their own Ghidra plug-in components and/or scripts using the exposed API To know more about the Ghidra cybersecurity tool, visit its documentation on GitHub repo or its official website. 
  • Security experts, Wolf Halton and Bo Weaver, discuss pentesting and cybersecurity [Interview]
  • Hackers are our society’s immune system – Keren Elazari on the future of Cybersecurity
  • 5 lessons public wi-fi can teach us about cybersecurity

Security researcher exposes malicious GitHub repositories that host more than 300 backdoored apps

Savia Lobo
05 Mar 2019
2 min read
An unnamed security researcher at dfir.it recently revealed certain GitHub accounts that host more than “300 backdoored Windows, Mac, and Linux applications and software libraries”. In a blog post titled “The Supreme Backdoor Factory”, the researcher explained how he stumbled upon this malicious code and various other malicious code within the GitHub repositories.

The investigation started when the researcher first spotted a malicious version of the JXplorer LDAP browser. The researcher states in his blog post, “I did not expect an installer for a quite popular LDAP browser to create a scheduled task in order to download and execute PowerShell code from a subdomain hosted by free dynamic DNS provider.”

According to ZDNet, “All the GitHub accounts that were hosting these files --backdoored versions of legitimate apps-- have now been taken down.”

The malicious files included code that could establish boot persistence on infected systems and download further malicious code. The researcher also mentioned that the malicious apps downloaded a Java-based malware named Supreme NYC Blaze Bot (supremebot.exe). “According to researchers, this appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers”, ZDNet reports.

The researcher revealed that some of the malicious entries were made via an account with the name of Andrew Dunkins, which included a set of nine repositories, each hosting Linux cross-compilation tools. Each repository was watched or starred by several already known suspicious accounts. The report mentions that accounts that did not host backdoored apps were used to ‘star’ or ‘watch’ the malicious repositories and help boost their popularity in GitHub's search results.

To know about these backdoored apps in detail, read the complete report, ‘The Supreme Backdoor Factory’.

  • Brave Privacy Browser has a ‘backdoor’ to remotely inject headers in HTTP requests: HackerNews
  • Undetected Linux Backdoor ‘SpeakUp’ infects Linux, MacOS with cryptominers
  • Cisco and Huawei Routers hacked via backdoor attacks and botnets

Microsoft adds new features to Microsoft Office 365: Microsoft threat experts, priority notifications, Desktop App Assure, and more

Natasha Mathur
04 Mar 2019
3 min read
Microsoft posted an update last week regarding the new features in Microsoft Office 365, a web-based subscription comprising premium productivity apps as part of Microsoft's Office product line. “We released several new capabilities to help you stay ahead of threats, create a more productive workplace, and keep you in the flow of work”, states the Microsoft team.

What’s new in Microsoft 365?

Microsoft Threat Experts

Microsoft has come out with a new feature called Microsoft Threat Experts to boost the capabilities of security teams. Microsoft Threat Experts is a ‘threat-hunting service’ that helps you track down and prioritize threats using Windows Defender Advanced Threat Protection (ATP). The Microsoft Threat Experts service connects you with world-class experts through the new ‘Ask a threat expert’ button, who in turn help you work through tough investigation challenges.

Priority notifications and integration of electronic health records

You can now make use of Priority notifications in Microsoft Teams to enable clinicians to focus on urgent messages to manage patient care and empower your healthcare organization. There’s also an added ability to integrate FHIR-enabled electronic health records (EHR) data within Teams. This will enable clinicians to securely access patient records, chat with other team members, and start a video meeting.

Desktop App Assure and Microsoft FastTrack

Microsoft has come out with a new service called Desktop App Assure, as a part of Microsoft FastTrack, that offers app compatibility services for Windows 10 and Office 365 ProPlus. FastTrack now also provides guidance on configuring Exchange Online Protection, Office 365 Advanced Threat Protection, Office 365 Message Encryption, and Data Loss Prevention policies.

Security Notifications via Microsoft Authenticator

You can now receive security alerts for important events on your personal Microsoft account through the Microsoft Authenticator app. Once you receive the push notification, you can quickly view your account activity and take the necessary actions to protect your account. You can also add two-step verification to your account using Microsoft Authenticator for added security.

New Office app for Windows 10

Users with a work, school, or personal Microsoft Account can use the new Office app for Windows 10 to access the available apps, relevant files, and documents. Organizations can also integrate third-party apps, and enable users to search for documents and people across the organization. The new Office app requires a current version of Windows 10.

Add data to Excel using a photo

You can use the Excel app to take a picture of a printed data table on your Android device and convert the picture into a fully editable table in Excel. This new image recognition functionality cuts down on the need to manually enter hardcopy data. The feature has started to roll out for the Excel Android app and will support iOS soon.

New file-attached tasks in Microsoft To-Do

Users can now quickly attach files and photos to help make tasks more actionable. The Microsoft team says that this was a highly requested feature; it has been made available on all platforms and syncs across all your devices.

For more information, check out the official Microsoft blog.

  • Microsoft Office 365 now available on the Mac App Store
  • Microsoft announces Internet Explorer 10 will reach end-of-life by January 2020
  • Microsoft joins the OpenChain Project to help define standards for open source software compliance

Google’s Project Zero reveals a “High severity” copy-on-write security flaw found in macOS kernel

Savia Lobo
04 Mar 2019
3 min read
A security researcher from Google’s Project Zero team recently revealed a high severity flaw in the macOS kernel’s copy-on-write (COW) behavior, a resource-management technique also referred to as shadowing. The researcher informed Apple about the flaw back in November 2018, but the company has yet to fix it even after the 90-day deadline has passed. This is the reason why the bug is now being made public with a "high severity" label.

According to a post on Monorail, the issue tracking tool for Chromium-related projects, “The copy-on-write behavior works not only with anonymous memory but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory pressure can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.”

“This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem”, the post further reads.

According to a Google project member, “We've been in contact with Apple regarding this issue, and at this point no fix is available. Apple is intending to resolve this issue in a future release, and we're working together to assess the options for a patch. We'll update this issue tracker entry once we have more details.”

A user commented on HackerNews, “Given the requirements that a secondary process should even be able to modify a file that is already open, I guess the expected behavior is that the 1st process's version should remain cached in memory while allowing the on-disk (CoW) version to be updated? While also informing the 1st process of the update and allowing the 1st process to reload/reopen the file if it chooses to do so. If this is the intended/expected behavior, then it follows that pwrite() and other syscalls should inform the kernel and prevent the original cache from being flushed.”

To know more about this news, head over to the bug issue post.

  • Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability
  • Google’s home security system, Nest Secure’s had a hidden microphone; Google says it was an “error”
  • Firedome’s ‘Endpoint Protection’ solution for improved IoT security

Coinhive to shut down all its cryptojacking services on March 8!

Savia Lobo
01 Mar 2019
2 min read
Coinhive, an in-browser Monero cryptocurrency miner, announced that it would be shutting down all its operations next week, on March 8, 2019. Users will be given time until April 30 to withdraw any remaining Monero from their accounts.

Launched in 2017, the Coinhive service provided ways to mine cryptocurrency in the background of a website, turning visitors’ processing power directly into cash. In its blog post, the company mentioned reasons for the service closure, including the fall in the value of Monero over the past year.

Coinhive said, "The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the 'crash' of the cryptocurrency market with the value of XMR depreciating over 85% within a year." The company further mentions, “This and the announced hard fork and algorithm update of the Monero network on March 9 has led us to the conclusion that we need to discontinue Coinhive."

Security researcher Troy Mursch said, “Coinhive had a market share of 62 percent in August 2018.” According to an academic paper, the company was making an estimated $250,000 per month up until last summer, ZDNet reports.

https://twitter.com/bad_packets/status/1030201187381927936

Jérôme Segura, malware researcher at Malwarebytes, told ZDNet: “While 'cryptojacking' or 'drive-by mining' dominated the threat landscape in late 2017 and early 2018, it took a backseat for the rest of the year, with the notable exception of some campaigns powered by a large number of compromised IoT devices (i.e. MikroTik exploits).”

“Some sites were upfront with visitors about their use of the software, most notably the news website Salon and UNICEF, but countless others either didn’t disclose the fact they were using it or saw the Javascript code added without their knowledge as part of a “cryptojacking” malware attack. Eventually, ad-blockers and anti-virus software learned to identify and block such code, so that users could avoid having their CPUs used and their batteries drained by the software”, The Verge reports.

To know more about the Coinhive closure in detail, head over to Coinhive’s official blog post.

  • Hackers are our society’s immune system – Keren Elazari on the future of Cybersecurity
  • Winbox vulnerability in MicroTik routers forwarding traffic to attackers, say researchers at NetLabs 360
  • Cryptojacking is a growing cybersecurity threat, report warns

MarioNet: A browser-based attack that allows hackers to run malicious code even if users’ exit a web page

Savia Lobo
28 Feb 2019
3 min read
If you think closing a website closes down the possibility of the device being tracked, then you are wrong! Greek researchers have revealed a new browser-based attack named MarioNet, with which attackers can run malicious code inside users' browsers even after users have closed the webpage or navigated away from the web page on which they got infected. In the paper titled “Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation”, the researchers also examine different anti-malware browser extensions and anti-mining countermeasures, and put forward several mitigations that browser makers could adopt. The MarioNet attack was presented on February 25 at the NDSS 2019 conference in San Diego, USA.

MarioNet allows hackers to assemble giant botnets from users’ browsers. The researchers state that these bots can be used for in-browser crypto-mining (cryptojacking), DDoS attacks, malicious file hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting.

MarioNet can easily survive even after a user exits a browser or web page. This is because modern web browsers support a new API called Service Workers. “This mechanism allows a website to isolate operations that render a page's user interface from operations that handle intense computational tasks so that the web page UI doesn't freeze when processing large quantities of data”, ZDNet reports.

In their research paper, the authors explain the technical details of how service workers are an update to an older API called Web Workers. They say that, unlike web workers, a service worker, once registered and activated, can live and run in the page's background without requiring the user to continue browsing through the site that loaded the service worker.

The attack routine consists of registering a service worker when the user lands on an attacker-controlled website and then abusing the Service Worker SyncManager interface to keep the service worker alive after the user navigates away. The attack doesn't require any type of user interaction, as browsers don't alert users or ask for permission before registering a service worker. Everything happens under the browser's hood as the user waits for the website to load.

MarioNet allows attackers to place malicious code on high-traffic websites for a short period of time. This allows the attackers to gain a huge user base, remove the malicious code, but continue to control the infected browsers from another central server. The attack can also persist across browser reboots by abusing the Web Push API, although this requires the attacker to obtain user permission on the infected hosts to access this API.

The researchers also highlighted that, since Service Workers were introduced a few years ago, the MarioNet attack works in almost all desktop and mobile browsers. The browsers where a MarioNet attack won't work are IE (desktop), Opera Mini (mobile), and Blackberry (mobile).

To know more about the MarioNet attack in detail, read the complete research paper.

  • New research from Eclypsium discloses a vulnerability in Bare Metal Cloud Servers that allows attackers to steal data
  • Security researchers discloses vulnerabilities in TLS libraries and the downgrade Attack on TLS 1.3
  • Remote Code Execution Flaw in APT Linux Package Manager allows man-in-the-middle attack

New research from Eclypsium discloses a vulnerability in Bare Metal Cloud Servers that allows attackers to steal data

Natasha Mathur
27 Feb 2019
4 min read
Security researchers at Eclypsium, a hardware security startup, published a paper yesterday examining vulnerabilities in the baseboard management controllers (BMCs) of bare metal cloud servers that allow attackers to exploit them and steal data. “We found weaknesses in methods for updating server BMC firmware that would allow an attacker to install malicious BMC firmware..these vulnerabilities can allow an attacker to not only do damage but also add other malicious implants that can persist and steal data”, state the researchers.

The BMC is a highly privileged component and part of the Intelligent Platform Management Interface (IPMI). It can monitor the state of a computer and allow an operating system reinstall from a remote management console through an independent connection. This means there is no need to physically attach a monitor, keyboard, and installation media to the server.

Although bare-metal cloud offerings come with considerable benefits, they also pose new risks and challenges to security. For instance, in the majority of cloud services, once a customer is done using a bare-metal server, the hardware can be reclaimed by the service provider and repurposed for another customer. Thus, for a bare-metal cloud service offering, the underlying hardware can easily pass through different owners, each of whom gets direct access to control that hardware. This access opens the door to attackers controlling the hardware: an attacker can spend a nominal sum of money for access to a server and implant malicious firmware at the UEFI, BMC, and within drives or network adapters. The attacker can then release this hardware back to the service provider, who could pass it on for use to another customer.

Eclypsium researchers used IBM SoftLayer technology as a case study to test the attack scenario. However, the researchers mention that the attack is not limited to any one service provider. IBM acquired SoftLayer Technologies, a managed hosting and cloud computing provider, in 2013; it is now known as IBM Cloud. The vulnerability found has been named Cloudborne.

The researchers chose SoftLayer as the testing environment due to its simplified logistics and access to hardware. However, SoftLayer was using highly vulnerable Supermicro server hardware. It took about 45 minutes for the Eclypsium team to provision the server. Once the instance was provisioned, they found that it had the latest BMC firmware available. An additional IPMI user was created and given administrative access to the BMC channels. This system was then released back to IBM, which kicked off the reclamation process.

The researchers noticed that the additional IPMI user was removed during the reclamation process, but the BMC firmware containing the flipped bit was still present, meaning that the server’s BMC firmware was not re-flashed during the server reclamation process. “The combination of using vulnerable hardware and not re-flashing the firmware makes it possible to implant malicious code into the server’s BMC firmware and inflict damage or steal data from IBM clients that use that server in the future”, state the researchers.

Other than that, BMC logs were also retained across provisioning, giving the new customer insights into the actions of the previous device owner. Also, the BMC root password was the same across provisioning, allowing an attacker to easily retain control over the machine in the future.

“While these issues have heightened importance for bare-metal services, they also apply to all services hosted in public and private clouds..to secure their applications, organizations must be able to manage these issues—or run the risk of endangering their most critical assets”, mention the Eclypsium researchers.

For more information, check out the official Eclypsium paper.

  • Security researchers discloses vulnerabilities in TLS libraries and the downgrade Attack on TLS 1.3
  • Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability
  • A WordPress plugin vulnerability is leaking Twitter account information of users making them vulnerable to compromise