Tech News - Security

470 Articles
Researchers highlight design weaknesses in the 4G and 5G Cellular Paging Protocols

Savia Lobo
25 Feb 2019
4 min read
A few researchers from Purdue University and the University of Iowa have recently found three new security flaws in the 4G and 5G protocols that can allow intruders to intercept calls and track users’ device locations. The research paper, titled ‘Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information’, describes design weaknesses in the 4G/5G cellular paging protocol which attackers can misuse to identify a victim’s presence in a particular cell area from the victim’s soft identity alone (e.g., phone number, Twitter handle), using a novel attack called ToRPEDO (TRacking via Paging mEssage DistributiOn). The paper also describes two further attacks, PIERCER and IMSI-Cracking, which can be carried out using ToRPEDO as a building block. The researchers state in the paper, “All of our attacks have been validated in a realistic setting for 4G using cheap software-defined radio and open-source protocol stack.”

According to TechCrunch, “Hussain, along with Ninghui Li and Elisa Bertino at Purdue University, and Mitziu Echeverria and Omar Chowdhury at the University of Iowa are set to reveal their findings at the Network and Distributed System Security Symposium in San Diego on Tuesday.”

The three security flaws in the 4G/5G cellular paging protocols

The ToRPEDO attack
The researchers present ToRPEDO, an attack that exploits a weakness in the 4G/5G paging protocol. If the attacker already knows the victim’s phone number, it lets them verify the victim’s presence in a particular cellular area and, in the process, identify the victim’s paging occasion. ToRPEDO can enable an adversary to verify a victim’s coarse-grained location, inject fabricated paging messages, and mount denial-of-service attacks.

PIERCER attack
This attack exploits a 4G paging deployment vulnerability that allows an attacker to determine a victim’s international mobile subscriber identity (IMSI) on the 4G network.

IMSI-Cracking attack
In this attack, the victim’s IMSI is leaked on both 4G and 5G. The researchers demonstrate in the paper how, using ToRPEDO as a sub-step, attackers can retrieve a victim device’s persistent identity (i.e., the IMSI) with a brute-force IMSI-Cracking attack.

One of the co-authors, Syed Rafiul Hussain, told TechCrunch, “Any person with a little knowledge of cellular paging protocols can carry out this attack.” “According to Hussain, all four major U.S. operators — AT&T, Verizon (which owns TechCrunch), Sprint and T-Mobile — are affected by Torpedo, and the attacks can be carried out with radio equipment costing as little as $200”, TechCrunch reports. Hussain said the flaws were reported to the GSMA, an industry body that represents mobile operators. GSMA recognized the flaws, but a spokesperson was unable to provide comment when reached. It isn’t known when the flaws will be fixed.

One Hacker News user wrote, “Most people consider the fact that your handset will readily talk to any base station that's on the air to be a feature. Try to imagine how things would work if you had to authenticate and authorize every station on the network. It's true that anyone who gets on the air and speaks the air protocol can screw with your phone. Those people are also violating multiple laws and regulations in the course of doing so.”

To know more about these flaws in detail, head over to the complete research paper.

Read Next
Security researchers discloses vulnerabilities in TLS libraries and the downgrade Attack on TLS 1.3
Remote Code Execution Flaw in APT Linux Package Manager allows man-in-the-middle attack
Internet Outage or Internet Manipulation? New America lists government interference, DDoS attacks as top reasons for Internet Outages across the world

ICANN calls for DNSSEC across unsecured domain names amidst increasing malicious activity in the DNS infrastructure

Amrata Joshi
25 Feb 2019
3 min read
Last week, the Internet Corporation for Assigned Names and Numbers (ICANN) called for the full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. ICANN took this decision because of increasing reports of malicious activity targeting the DNS infrastructure. According to ICANN, there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. The DNS, which converts numerical internet addresses to domain names, has been the victim of various attacks using different methodologies.

https://twitter.com/ICANN/status/1099070857119391745?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet

Last month, the security company FireEye revealed that hackers associated with Iran were hijacking DNS records, rerouting users from a legitimate web address to a malicious server in order to steal passwords. This “DNSpionage” campaign was targeting governments in the United Arab Emirates and Lebanon. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency had warned that U.S. agencies were also under attack. In its first emergency order, issued amid a government shutdown, the agency ordered federal agencies to take action against DNS tampering. David Conrad, ICANN’s chief technology officer, told the AFP news agency that the hackers are “going after the Internet infrastructure itself.”

ICANN is urging domain owners to deploy DNSSEC, a more secure version of DNS that is harder to manipulate. DNSSEC cryptographically signs DNS data, which makes it more difficult to spoof. Some of the attacks target the DNS by replacing the addresses of the intended servers with the addresses of machines controlled by the attackers; this type of attack only works when DNSSEC is not in use. ICANN also reaffirmed its commitment to engaging in collaborative efforts to ensure the security, stability, and resiliency of the internet’s global identifier systems.

This month, ICANN offered a checklist of recommended security precautions for members of the domain name industry (registries, registrars, resellers, and related others) so that they can proactively take steps to protect their systems. ICANN aims to ensure that internet users reach their intended online destination by preventing “man in the middle” attacks in which a user is unknowingly redirected to a potentially malicious site.

Some users who have previously been victims of DNS hijacking think that this move won’t help them. One user commented on Hacker News, “This is nonsense, and possibly crossing the border from ignorant nonsense to malicious nonsense.” Another user said, “There is in fact very little evidence that we "need" the authentication provided by DNSSEC.” A few others think that this might work as a good solution. Another comment reads, “DNSSEC is quite famously a solution in search of a problem.”

To know more about this news, check out ICANN’s official post.

Read Next
Internet governance project (IGP) survey on IPV6 adoption, initial reports
Root Zone KSK (Key Sign Key) Rollover to resolve DNS queries was successfully completed
RedHat shares what to expect from next week’s first-ever DNSSEC root key rollover

Switzerland’s e-voting system source code leaked ahead of its bug bounty program; slammed for being ‘poorly constructed’

Savia Lobo
22 Feb 2019
4 min read
Last week, the source code of Swiss Post’s recently launched online voting system was leaked. The experts who examined the code reported that the system is poorly designed, which makes it difficult to audit the code for security and to configure it to operate securely. Swiss Post, Switzerland’s national postal service, also launched a fully verifiable system and a bug bounty program this month to test the system’s resilience to attacks. According to a Motherboard report, “critics are already expressing concern about the system’s design and about the transparency around the public test.”

Nathalie Dérobert, a spokeswoman for Swiss Post, said the public intrusion test is not meant to be an audit of the code “or to prove the security of the Swiss Post online voting system.” Instead, it is meant to help inform the developers about improvements they need to make. In an email, Dérobert wrote, “Security is a process and even if the source code passed numerous previous security audits, we expected criticism and even outright negative comments. After all, that is the whole point of publishing the source code: we want a frank response and an honest discussion about the merits and shortcomings of our work… [W]e are determined to take up the negative comments, discuss them with our developing partner Scytl and to get in touch with the people where we see a benefit.”

As for the public test of the new online system, more than 2,000 people have registered. The test will take place from February 25 to March 24. As per the rules, the bug bounty program will pay 20,000 Swiss francs to anyone who can manipulate votes in the mock election, or 30,000 to 50,000 francs if they manage to manipulate votes without being detected. Swiss Post is making the source code for the software available to participants; however, the code wasn’t supposed to be open to just anyone to examine.

Swiss Post responded to the publication of the code by saying that the source code was not leaked, as it was already available to anyone who wanted to see it, as long as they registered with Swiss Post. Swiss Post also wrote that there is no NDA or confidentiality agreement around publishing information about the source code or citing parts of the code, but the statement did not say anything about the Scytl technical documents themselves or the architecture and protocol information they contain.

Cryptography experts, after examining the allegedly leaked code, said: “the system is a poorly constructed and convoluted maze that makes it difficult to follow what’s going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.” Sarah Jamie Lewis, a former security engineer for Amazon and a former computer scientist for England’s GCHQ intelligence agency, said, “Most of the system is split across hundreds of different files, each configured at various levels. I’m used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding.” Lewis said that the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. “Someone could wire the thing in the wrong place and suddenly the system is compromised. And when you’re talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make”, Lewis added.

The voting system was developed by Swiss Post and the Barcelona-based company Scytl, which was formed by a group of academics who spun it off from their research work at the Universidad Autónoma de Barcelona (Autonomous University of Barcelona) in 2001. “Local cantons, or states, in Switzerland are the ones who administer elections and would be responsible for the configuration. Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt. But there are reasons to be concerned about such claims”, Motherboard reports. Matthew Green, a noted cryptographer who teaches cryptography at Johns Hopkins University, said that the system is highly complex and “at this point, I think the only appropriate way to evaluate it is through a professional evaluation by someone trained in this sort of advanced cryptography. And even then I’d be concerned, given the stakes.”

To know more about this news, head over to Motherboard’s complete coverage.

Read Next
Drupal releases security advisory for ‘serious’ Remote Code Execution Vulnerability
Google’s home security system, Nest Secure’s had a hidden microphone; Google says it was an “error”
Firedome’s ‘Endpoint Protection’ solution for improved IoT security

Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability

Melisha Dsouza
22 Feb 2019
2 min read
Drupal released a security advisory for a highly critical remote code execution vulnerability (CVE-2019-6340) in its software. Samuel Mortenson, a member of the Drupal Security Team, reports that arbitrary PHP code execution is possible due to a lack of data sanitization in certain field types linked to non-form sources. Drupal issued the warning a day before Wednesday’s patch release.

According to Drupal’s blog, a site is affected either if it has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or if it has another web services module enabled, for instance JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

To address this vulnerability, Drupal has released security updates for contributed modules for Drupal 7 and Drupal 8. Drupal has also released Drupal 8.6.10 and Drupal 8.5.11; there is no core update for Drupal 7. The team has also advised users to install any available security updates for contributed projects after updating Drupal core. Besides this, the blog states that to immediately mitigate the vulnerability, users can disable all web services modules, or configure their web server(s) to not allow PUT/PATCH/POST requests to web services resources.

According to ZDNet, Drupal is the third most popular CMS for website publishing and accounts for about three percent of the world’s billion-plus websites. Hackers could use this vulnerability to potentially hijack a Drupal site and take control of a web server and all the websites it hosts.

To know more about this announcement, visit Drupal’s blog.

Read Next
Drupal 9 will be released in 2020, shares Dries Buytaert, Drupal’s founder
Google’s home security system, Nest Secure’s had a hidden microphone; Google says it was an “error”
Security researchers discloses vulnerabilities in TLS libraries and the downgrade Attack on TLS 1.3

VFEMail suffers complete data wipe out!

Savia Lobo
22 Feb 2019
3 min read
On Monday, 11th February, Wisconsin-based email provider VFEmail was attacked by an intruder who trashed all of the company’s primary and backup data in the United States. Initial signs of the attack were noticed on Monday, February 11, when users started posting tweets to the company’s Twitter account stating that they were no longer receiving messages. According to Krebs on Security, “VFEmail tweeted that it had caught a hacker in the act of formatting one of the company’s mail servers in the Netherlands.” Another tweet followed, stating, “nl101 is up, but no incoming email. I fear all US-based data may be lost.”

Following this, VFEmail’s founder, Rick Romero, tweeted yesterday, “Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they'd want to completely and thoroughly destroy it.”

https://twitter.com/Havokmon/status/1095297448082317312

Another tweet on the VFEmail account said that the attacker formatted all disks on every server. VFEmail has lost every VM and all files hosted on the available servers. “NL was 100% hosted with a vastly smaller dataset. NL backups by the provider were intact, and service should be up there.”

https://twitter.com/VFEmail/status/1095038701665746945

Romero has posted several updates on the company’s website, one of which reads, “We have suffered catastrophic destruction at the hands of a hacker, last seen as [email protected]”. He also wrote, “At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.”

John Senchak, a longtime VFEmail user from Florida, told Krebs on Security that the attack completely deleted his entire inbox at the company: some 60,000 emails sent and received over more than a decade were lost. He also said, “It looked like the IP was a Bulgarian hosting company. So I’m assuming it was just a virtual machine they were using to launch the attack from. There definitely was something that somebody didn’t want found. Or, I really pissed someone off. That’s always possible.”

The company has assured users that it is working to recover the data as soon as possible. To know more about this news and stay updated, read VFEmail’s complete Twitter thread.

Read Next
Security researchers discloses vulnerabilities in TLS libraries and the downgrade attack on TLS 1.3
Remote Code Execution Flaw in APT Linux Package Manager allows man-in-the-middle attack
Apple’s CEO, Tim Cook calls for new federal privacy law while attacking the ‘shadow economy’ in an interview with TIME

Linux use-after-free vulnerability found in Linux 2.6 through 4.20.11

Savia Lobo
21 Feb 2019
2 min read
Last week, a Huawei engineer reported a vulnerability present from the early Linux 2.6 kernels through version 4.20.11. The Kernel Address Sanitizer (KASAN), which detects dynamic memory errors in Linux kernel code, was used to uncover the use-after-free vulnerability, which has been present since early Linux versions. The use-after-free issue was found in the networking subsystem’s sockfs code and could lead to arbitrary code execution.

KASAN (along with the other sanitizers) has already proven valuable in spotting coding mistakes, hopefully before they are exploited in the real world. The Kernel Address Sanitizer added another feather to its cap by being responsible for the CVE-2019-8912 discovery. The CVSS v3.0 Severity and Metrics gave this vulnerability a 9.8 CRITICAL score.

A fix for this vulnerability has already been released and will come to all Linux distributions in a couple of days; it will probably be backported to all supported Linux kernel versions. According to a user on Hacker News, “there may not actually be a proof-of-concept exploit yet, beyond a reproducer causing a KASAN splat. When people request a CVE for a use-after-free bug they usually just assume that code execution may be possible.”

To know more about this vulnerability, visit the NVD website.

Read Next
Intel releases patches to add Linux Kernel support for upcoming dedicated GPU releases
Undetected Linux Backdoor ‘SpeakUp’ infects Linux, MacOS with crypto miners
OpenWrt 18.06.2 released with major bug fixes, updated Linux kernel and more!

Google’s home security system, Nest Secure’s had a hidden microphone; Google says it was an “error”

Melisha Dsouza
21 Feb 2019
2 min read
Earlier this month, Google upgraded its home security and alarm system, Nest Secure, to work with Google Assistant. This meant that Nest Secure customers would be able to perform tasks like asking Google about the weather. The device came with a microphone for this purpose, but the microphone was not mentioned in the device’s published specifications.

On Tuesday, a Google spokesperson got in touch with Business Insider and told them that the omission was an “error” on their part: “The on-device microphone was never intended to be a secret and should have been listed in the tech specs.” Further, the Nest team added that the microphone has “never been on” and is activated only when users specifically enable the option. As an explanation for why the microphone was installed in the devices, the team said that it was in order to support future features “such as the ability to detect broken glass.” Before sending an official statement to Business Insider, the Nest team had replied to a similar concern from a user on Twitter in early February.

https://twitter.com/treaseye/status/1092507172255289344

Scott Galloway, professor of marketing at the New York University Stern School of Business, has expressed strong sentiments regarding this news on Twitter.

https://twitter.com/profgalloway/status/1098228685155508224

Users have even accused Google of “pretending the mistake happened” and slammed Google over such an error.

https://twitter.com/tshisler/status/1098231070275686400
https://twitter.com/JoshConstine/status/1098086028353720320

Apart from Google, there have also been multiple cases in the past of Amazon Alexa and Google Home listening to people’s conversations, thus invading their privacy. Earlier this year, a family in Portland discovered that its Alexa-powered Echo device had recorded their private conversation and sent it to a random person in their contacts list.

Google’s so-called “error” can lead to a drop in the number of customers buying its home security system, as well as a drop in the trust users place in Google’s products. It is high time Google starts thinking along the lines of security standards and integrity maintained in its products.

Read Next
Amazon’s Ring gave access to its employees to watch live footage of the customers, The Intercept reports
Email and names of Amazon customers exposed due to ‘technical error’; number of affected users unknown
Google Home and Amazon Alexa can no longer invade your privacy; thanks to Project Alias!

OnionShare 2, an open source tool that uses Tor onion services for securely sharing files, is now out!

Bhagyashree R
21 Feb 2019
3 min read
This Monday, the community behind OnionShare released its next major version, OnionShare 2. This release comes with the macOS sandbox enabled by default, support for next-generation onion services, several new translations, and more. OnionShare is a free, open-source tool that allows users to share and receive files securely and anonymously using Tor onion services.

Following are some of the updates introduced in OnionShare 2:

The macOS sandbox enabled by default
The macOS sandbox is enabled by default in OnionShare 2. This will prevent hackers from accessing data or running programs on user computers, even if they manage to exploit a vulnerability in OnionShare.

Next generation Tor onion addresses
OnionShare 2 improves security by using next-generation Tor onion services, also known as v3 onion services. These next-generation Tor onion services provide onion addresses which are unguessable. These addresses look like this: lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion. Users can still use v2 onion addresses if they want, by navigating to Settings and selecting “Use legacy addresses”.

OnionShare addresses are ephemeral by default
As soon as the sharing is complete, the OnionShare address completely disappears from the internet, as these addresses are intended for one-time use. This behavior is enabled by default, but you may want to change it if you want to share files with a group of people. You can do that by going to the Settings menu and unchecking the “Stop sharing after files have been sent” option.

Public OnionShare addresses
By default, OnionShare addresses look like this: http://[tor-address].onion/[slug]. In this format, the slug consists of random words drawn from a list of 7,776 words. Even if an attacker figures out the tor-address part, they still won’t be able to download the files you are sharing or run programs on your computer: they need to know the slug, which works here as a password. But since the slug is only two words long, and the wordlist OnionShare uses is public, attackers can guess it. OnionShare 2 therefore comes with a Public mode that allows you to publicly share an OnionShare address. With Public mode enabled, the OnionShare address looks like http://[tor-address].onion/, and the server remains up no matter how many 404 errors it gets. To enable this mode, go to the Settings menu and check the box next to “Public mode”.

OnionShare 2 is translated to 12 languages
OnionShare 2 is translated into twelve new languages: Bengali, Catalan, Danish, French, Greek, Italian, Japanese, Persian, Brazilian Portuguese, Russian, Spanish, and Swedish. You can select these languages from a dropdown.

Read the complete list of updates in OnionShare 2 shared by Micah Lee, a computer security engineer.

Read Next
Understand how to access the Dark Web with Tor Browser [Tutorial]
Brave Privacy Browser has a ‘backdoor’ to remotely inject headers in HTTP requests: HackerNews
Signal introduces optional link previews to enable users understand what’s behind a URL

GitHub increases its reward payout model for its bug bounty program  

Savia Lobo
20 Feb 2019
2 min read
GitHub announced yesterday that it is expanding its bug bounty program by adding more services to the list and increasing the reward amounts offered to vulnerability researchers. It has also added Legal Safe Harbor terms to its updated policy. All products and services under the github.com domain, including GitHub Education, Enterprise Cloud, Learning Lab, Jobs, the Desktop application, githubapp.com, and github.net, are now part of the bug bounty scope.

Launched in 2014, GitHub’s Security Bug Bounty program paid out $165,000 to researchers through its public bug bounty program in 2018. GitHub’s researcher grants, private bug bounty programs, and a live-hacking event helped GitHub reach a milestone of $250,000 paid out to researchers last year.

GitHub’s new Legal Safe Harbor terms cover three main sources of legal risk:
Protecting researchers’ research activity, authorizing it even where it would otherwise cross the line, as long as it is done for the purpose of research
Protecting researchers in the bug bounty program from legal exposure via third parties; unless GitHub gets the researcher’s written permission, it will not share identifying information with a third party
Preventing researchers in the bug bounty program from being hit with site violations when they’ve broken the rules in the spirit of research

According to the GitHub blog post, “You won’t be violating our site terms if it’s specifically for bounty research. For example, if your in-scope research includes reverse engineering, you can safely disregard the GitHub Enterprise Agreement’s restrictions on reverse engineering. Our safe harbor now provides a limited waiver for parts of other site terms and policies to protect researchers from legal risk from DMCA anti-circumvention rules or other contract terms that could otherwise prohibit things a researcher might need to do, like reverse engineering or de-obfuscating code.”

As for the reward schedule, GitHub says it has increased the reward amounts at all levels:
Critical: $20,000–$30,000+
High: $10,000–$20,000
Medium: $4,000–$10,000
Low: $617–$2,000

“We no longer have a maximum reward amount for critical vulnerabilities. Although we’ve listed $30,000 as a guideline amount for critical vulnerabilities, we’re reserving the right to reward significantly more for truly cutting-edge research”, the GitHub blog states.

Read Next
Switzerland launches a bug bounty program ‘Public Intrusion test’ to find vulnerabilities in its E-Voting systems
Hyatt Hotels launches public bug bounty program with HackerOne
EU to sponsor bug bounty programs for 14 open source projects from January 2019

Firedome’s ‘Endpoint Protection’ solution for improved IoT security

Melisha Dsouza
19 Feb 2019
3 min read
Last month, Firedome Inc announced the launch of what it calls the world’s first endpoint cybersecurity solutions portfolio specifically tailored to home IoT companies and manufacturers. Firedome has developed business models that allow companies to implement top-quality endpoint cybersecurity solutions to close critical security gaps that are a byproduct of the IoT era.

Home IoT devices are susceptible to cyber attacks due to the lack of regulation and budget limitations. Cryptojacking, DDoS and ransomware attacks are only a few examples of cyber crimes that threaten the smart home ecosystem and consumer privacy. The low margins in this industry have made it hard for manufacturers to implement high-end cybersecurity solutions.

Features of Firedome’s ‘Endpoint Protection’ solution:
A lightweight software agent that can easily be added to any connected device (during the manufacturing process or later on, ‘over the air’).
A cloud-based AI engine that collects and analyzes aggregated data from multiple fleets around the world, produces insights from each attack (or attack attempt) and optimizes them across the board.
An accompanying 24/7 SOC team that responds to alerts, runs security research and supports Firedome customers.

The Firedome solution adds a dynamic layer of protection and is designed not only to prevent attacks from occurring in the first place but also to identify attack attempts and respond to breaches in real time, thereby limiting the damage potential until a firmware update is released. The Firedome Home Solution enables industry players to provide their consumers with cyber protection and security insights for the entire home network.

Moti Shkolnik, Firedome’s Co-founder and CEO, says: “We are very excited to formally launch our suite of services and solutions for the home IoT industry and we strongly believe they have the potential of changing the Home IoT cybersecurity landscape. Device companies and other ecosystem players are craving a solution that is tailored to their needs and business constraints, a solution that will address the vulnerability that is so evident in endpoint devices. Home IoT devices are becoming a commodity and the industry must address these vulnerabilities sooner rather than later. That’s why our solution is a ‘must-have’ rather than a ‘nice-to-have’”

These solutions have led to Firedome’s selection by Universal Electronics Inc., the worldwide leader in universal control and sensing technologies for the smart home, to provide cybersecurity features for the Nevo® Butler Digital Assistant Platform product.

To know more about this news in detail, head over to Firedome’s official website.

Read Next
California passes the U.S.’ first IoT security bill
IoT Forensics: Security in an always connected world where things talk
AWS IoT Greengrass extends functionality with third-party connectors, enhanced security, and more
Three major Australian political parties hacked by 'sophisticated state actor' ahead of election
Melisha Dsouza
19 Feb 2019
3 min read

Yesterday, Australia’s Prime Minister Scott Morrison revealed that “a sophisticated state actor” was behind a cyber attack on the Australian Parliament's computing network that also affected the networks of major political parties. First reported by The Guardian, the attack affected the computer networks of the Liberal Party and the Nationals, as well as the opposition Labor Party, only three months before the parliamentary election in May.

Morrison told reporters that “Our cyber experts believe that a sophisticated state actor is responsible for this malicious activity”. In a statement to parliament on Monday, he said there was no evidence of electoral interference and that measures were taken to “ensure the integrity of our electoral system”. The intrusion into the networks of political parties was detected by agencies investigating the attack on the Parliament House network. He said security agencies had “acted decisively” to confront the incursion and were “securing these systems and protecting users”.

Australian Cyber Security Centre head Alastair MacGibbon stated that the agency was currently unable to say whether or not data had been stolen because all the agencies involved were "acting extraordinarily quickly and very openly, so we are piecing together all of the events." There is no evidence as to which country was behind the intrusion, and no comment on how deeply the attack had penetrated the computer networks.

The news comes just months after the Assistance and Access Bill was passed, which allows the police to tell apps like WhatsApp and Signal to build in so-called “backdoors” that give investigators access to the contents of messages to assist in any investigation of a cyber offense. Security experts were unanimously against backdoors, since once such a mechanism has been implanted in an app it creates a target for other countries’ spy agencies and corporate spies to see what people are discussing.

Users on Twitter and Hacker News have expressed strong sentiments on this news. One user blames the government's choices, such as weakening the encryption in apps through the new law, for leading to this attack. Other users speculate that Russia had a hand in the attack. The Sydney Morning Herald stated that just four states — China, Russia, Israel, and the United States — have the capability to perform such an attack.

https://twitter.com/Sunflower15661/status/1097322875042910208
https://twitter.com/admburns/status/1097402032833679360

Head over to BBC for more insights on this news.
Splunk will no longer be available for Russian companies
Prasad Ramesh
19 Feb 2019
2 min read

Splunk announced that it will no longer be selling its services to Russian companies. There will be no direct sales or sales via partners. This also includes companies whose headquarters are situated in Russia. Splunk will continue to provide support for existing accounts and services, but any renewals or expansion of accounts will not be entertained. Security researcher @SwiftOnSecurity spotted this first.

https://twitter.com/SwiftOnSecurity/status/1097694742706556928

Some users are encouraging the act and also suggesting this be done in China:

https://twitter.com/Primed_Mover/status/1097717830580166657

Splunk plans to continue services globally with this exception. The announcement on the Splunk website explains that this decision is effective for: “...opportunities with technical partners, resellers, distributors and vendors. It also applies to business with subsidiaries based in countries outside of Russia whose parent company is in Russia, or who would use the software or services within the territory.”

Splunk is a business intelligence tool with a web UI. Splunk also provides security information and event management. It’s not very clear why they decided to drop support for Russia. Malicious cyber crimes like disinformation propaganda and hacks have been traced back to Russia in the past. Perhaps Splunk does not want to be linked to such activities or actors.
2.7 million recordings of phone calls made to Swedish 1177 health care service were left publicly accessible online
Melisha Dsouza
19 Feb 2019
2 min read

Yesterday, Computer Sweden revealed that 2.7 million recorded calls to Sweden’s 1177 medical assistance phone service were left on an open web server without password protection or encryption. The server was operated by MediCall, an outsourced call-center provider based in Thailand but owned by Swedish nationals. MediCall is a subcontractor to Medhelp, a Stockholm firm and the primary contractor that supplies 1177 call services to Inera, the Swedish company that heads up the national 1177 service. Inera is jointly owned by Sweden’s 21 regions and municipalities.

Inera stated that the calls are recorded to check their quality. It further confirmed that the security issue had been discovered and remedied by the subcontractor, but added that it doesn’t have any agreement with the subcontractor.

The report by Computer Sweden reveals that the 2.7 million call recordings, a total of 170,000 hours of calls logged over six years, could be remotely accessed from any browser if the IP address of the web server was known. No authentication was required to access the audio files, and browser connections to the web server were not encrypted using HTTPS. Computer Sweden listened to some of the recordings to understand the severity of the issue and found that the calls included sensitive information about patients’ diseases and ailments, medication, and medical history. People also described their children’s symptoms and provided their social security numbers for assistance.

MediCall's call center system was developed by Swedish tech company Voice Integrate Nordic. Tommy Ekström, the CEO of Voice Integrate Nordic, said the leak was "catastrophic" due to the sensitivity of the information. Access to the storage device has now been closed after the review by Computer Sweden.

Users are now speculating whether the incident will attract attention under Europe’s GDPR laws. It’s likely that Sweden's data protection authority will try to determine which organization was responsible for the unprotected server. GDPR also requires that data is not kept for any longer than needed for the purposes for which it is processed. In this case, the data has been exposed on the internet since 2003.
Kali Linux 2019.1 released with support for Metasploit 5.0
Sugandha Lahoti
19 Feb 2019
2 min read

Yesterday, Kali Linux’s first release for 2019 was announced. Kali Linux 2019.1 comes with a variety of changes and new features, including support for Metasploit version 5.0, a kernel up to version 4.19.13, ARM updates and numerous bug fixes. Users with a Kali installation can upgrade using:

root@kali:~# apt update && apt -y full-upgrade

You can also download new Kali Linux ISOs directly from the official website or from the Torrent network.

What’s new in Kali Linux 2019.1?

Support for Metasploit 5.0

The new version of Kali Linux now supports Metasploit version 5.0, which was released last month. Metasploit 5.0 introduces multiple new features including Metasploit’s new database and automation APIs, evasion modules and libraries, expanded language support, improved performance, and more. Kali Linux 2019.1 also includes updated packages for theHarvester, DBeaver, and more. theHarvester helps penetration testers in the early stages of a penetration test to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources. DBeaver is an SQL client and database administration tool.

Updates to ARM

The 2019.1 Kali release for ARM includes:

- An upgraded kernel (v4.19.13) that supports the use of both Banana Pi and Banana Pro single board computers.
- Veyron has also been moved to a 4.19 kernel.
- The Offensive Security virtual machine and ARM images have also been updated to 2019.1.
- Raspberry Pi images have been simplified. There are no longer separate Raspberry Pi images for users with TFT LCDs, because Kali 2019.1 now ships re4son’s kalipi-tft-config script on all of them. To set up a board with a TFT, users can run ‘kalipi-tft-config’ and follow the prompts.

You can go through the changelog for detailed bug fixes.
OpenSSL 3.0 will have significant changes in architecture, will include FIPS module and more
Melisha Dsouza
14 Feb 2019
3 min read

On 13th February, the OpenSSL team released a blog post outlining the changes that users can expect in the OpenSSL 3.0 architecture and the plans for including a new FIPS module.

Architecture changes in OpenSSL 3.0

‘Providers’ will be introduced in this release as a possible replacement for the existing ENGINE interface, to enable more flexibility for implementers. There will be three types of Provider: the “default” Provider will implement all of the most commonly used algorithms available in OpenSSL, the “legacy” Provider will implement legacy cryptographic algorithms, and the “FIPS” Provider will implement FIPS validated algorithms. Existing engines will have to be recompiled to work normally and will be made available via both the old ENGINE APIs and a Provider compatibility layer.

The architecture will include:

- Core Services, which form the building blocks usable by applications and providers.
- Providers, which implement cryptographic algorithms and supporting services. A Provider will have implementations of one or more of the following: the cryptographic primitives (encrypt/decrypt/sign/hash etc.) for an algorithm; serialisation for an algorithm; store loader back ends. A Provider may be entirely self-contained or it may use services provided by different providers or the Core Services.
- Protocol implementations, for instance TLS and DTLS.

Further points from the design:

- New EVP APIs will be provided in order to find the implementation of an algorithm in the Core to be used for any given EVP call.
- An implementation-agnostic way will be used to pass information between the core library and the providers.
- Legacy APIs that do not go via the EVP layer will be deprecated.
- The OpenSSL FIPS Cryptographic Module will be self-contained and implemented as a dynamically loaded provider.
- Other interfaces may also be transitioned to use the Core over time.
- The majority of existing well-behaved applications will just need to be recompiled.
- No deprecated APIs will be removed in this release.

You can head over to the draft documentation to know more about the features in the upgraded architecture.

FIPS module in OpenSSL 3.0

The updated architecture incorporates the FIPS module into mainline OpenSSL. The module is dynamically loadable, will no longer be a separate download, and support periods will be aligned. The module is a FIPS 140-2 validated cryptographic module that contains FIPS validated/approved cryptographic algorithms only. The FIPS module version number will be aligned with the main OpenSSL version number. New APIs will give applications greater flexibility in the selection of algorithm implementations.

The FIPS Provider will implement a set of services that are FIPS validated and made available to the Core. This includes:

- POST: Power On Self Test
- KAT: Known Answer Tests
- Integrity Check
- Low Level Implementations

[Figure: Conceptual Component View of OpenSSL 3.0]

Read the draft documentation to know more about the FIPS module in the upgraded architecture.