Tech News - Security
Researchers prove that Intel SGX and TSX can hide malware from antivirus software

Melisha Dsouza, 13 Feb 2019
Researchers Michael Schwarz, Samuel Weiser, and Daniel Gruss from Graz University of Technology have published a research paper demonstrating how Intel SGX can be turned into a security threat. SGX (Software Guard eXtensions) allows malicious code to run on a system in a way that cannot be identified or analyzed by antivirus software. SGX lets programs establish protected enclaves for code and data, which no other program on the system can spy on or tamper with. The contents of an enclave are encrypted when written to RAM and decrypted when read back, and the processor does not allow code from outside the enclave to access the enclave's memory.

The researchers used this model to examine what happens if the code inside the enclave itself is malicious. Because SGX is designed so that antimalware software cannot look inside an enclave, enclaves become the perfect spot for planting malicious code. To demonstrate this, the researchers built an SGX-ROP attack that uses a Transactional Synchronization eXtensions (TSX)-based memory disclosure primitive. TSX was also used in the Meltdown attacks on Intel processors.

How does the attack take place?

According to the researchers, code in an enclave is quite restricted: it cannot make operating system calls, open files, read data from disk, or write to disk. All of these operations have to be performed from outside the enclave, and only the encryption operation would occur within the enclave. That said, enclave code can read and write anywhere in the unencrypted memory of its host process. To work within this model, the researchers used TSX, which provides a constrained form of transactional memory in which a thread can modify several memory locations and then publish those modifications in one single atomic update.

The enclave uses this functionality to scan the memory of the host process for the components of its ROP payload and for somewhere to write that payload. It then redirects the processor to run that payload, which can mark a section of memory as executable so that the malware can place its own supporting functions somewhere it can access. What's more, the critical encryption takes place inside the enclave, making it impossible to extract the encryption key or even analyze the malware to find out which algorithm it uses to encrypt the data. Note also that the malware is not constrained by the enclave: it can subvert the host application to access operating system APIs, opening the way for attacks such as ransomware-style encryption of a victim's files.

An Intel spokesperson replied to ZDNet in an email: “Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel® SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources. Protecting customers continues to be a critical priority for us, and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Gruss for their ongoing research and for working with Intel on coordinated vulnerability disclosure”.

The research paper outlines four simple steps required to perform the attack:

1. The malicious enclave scans the host application for usable ROP gadgets using the read primitive.
2. The enclave identifies writable memory caves through the write primitive and injects the arbitrary malicious payload into those caves.
3. The enclave uses the gadgets identified in step 1 to construct a ROP chain and injects it into the application stack.
4. The enclave returns execution to the host application.

Once the application hits the ROP chain on the stack, the actual exploitation starts. The ROP chain runs with host privileges, and the attacker can then issue arbitrary system calls to compromise the system. You can head over to the research paper to learn more about the methodology the researchers followed for this attack.
Switzerland launches a bug bounty program ‘Public Intrusion Test’ to find vulnerabilities in its e-voting systems

Melisha Dsouza, 12 Feb 2019
Switzerland’s national postal service, Swiss Post, says that it has developed a fully verifiable system that can make e-voting widely available in the country. Yesterday, Swiss Post announced that it is launching a bug bounty program in which hackers from all over the globe can participate to conduct penetration testing on both the frontend and backend of the e-voting system.

The program, called the Public Intrusion Test (PIT), will be conducted between February 25 and March 24. White hat hackers can sign up on onlinevote-pit.ch to participate. The security of the e-voting system has already been pen-tested and certified under the legal framework of the Swiss Confederation.

Hackers who discover vulnerabilities that can be exploited to manipulate votes without being detected by voters and auditors will be rewarded between $30,000 and $50,000. Server-side loopholes that give an attacker information about who voted and what they voted for will be rewarded up to $10,000. Vote corruption issues are worth $5,000, and $100 will be paid out for server configuration weaknesses. Source code vulnerabilities that cannot be exploited against the test system must be reported separately by the ethical hackers.

All in all, of the total $250,000 allocated for this project by the government, $100,000 will go to the Swiss cybersecurity firm that helps run the bug bounty program, and the rest could go to the researchers who find vulnerabilities. After finding a vulnerability, participants can go ahead and make their findings public.

The bug bounty program is open to anyone, but the e-voting system is only available in German, French, Italian and Romansh; there is no English version. Researchers who take part in the PIT project will also be given voting cards for testing purposes, which will be sent electronically. You can head over to E-Voting PIT to learn more about the terms of this program.
Microsoft and Cisco propose ideas for a biometric privacy law after the state of Illinois passed one

Prasad Ramesh, 11 Feb 2019
Last month, the state of Illinois passed a biometric privacy bill under which a person can claim damages when their fingerprint is used without consent. Now, Cisco and Microsoft are proposing ideas for biometric privacy.

The Cisco proposal states:

‘Ensure interoperability between different privacy protection regimes.’ This could threaten GDPR.

‘Avoid fracturing of legal obligations for data privacy through a uniform federal law that aligns with the emerging global consensus.’ This means merging multiple levels of law, such as state and national, into one, so that a violation would go through only one level of lawsuit.

‘Reassure customers that enforcement of privacy rights will be robust without costly and unnecessary litigation.’ Litigation is expensive for individuals and more so for corporations; this could make it less expensive for the corporations.

Microsoft is lobbying for a federal bill on facial recognition in Washington, according to a Bloomberg report. Brad Smith, President at Microsoft, told Bloomberg: “Opening up the software for third-party testing is one of the key parts of the bill”. If the Washington bill is passed, it will affect companies like Amazon, Microsoft and any other company that uses personal data and has a consumer base above 100,000. Meanwhile, Amazon has not commented on the bill as it is still being modified.

Cisco and Microsoft supporting federal privacy bills might sound like good news, but it is not. If a new federal privacy bill is supported by a company, it would be designed to give that company leeway in how the rules on data collection and usage are set. According to a New York Times report from August last year, “In recent months, Facebook, Google, IBM, Microsoft and others have aggressively lobbied officials in the Trump administration and elsewhere to start outlining a federal privacy law, according to administration officials and the companies. The law would have a dual purpose, they said: It would overrule the California law and instead put into place a kinder set of rules that would give the companies wide leeway over how personal digital information was handled.”

The Illinois Biometric Information Privacy Act is a good way forward for consumers and should set an example of respecting user privacy. This may seem too strict, but maybe that is what is needed at this point.
Security researchers disclose vulnerabilities in TLS libraries and the downgrade attack on TLS 1.3

Natasha Mathur, 11 Feb 2019
David Wong, a security consultant at NCC Group, a global expert in cyber security and risk mitigation, revealed details last week of a new cryptographic attack that can break encrypted TLS traffic. Wong collaborated with other security researchers to test nine different TLS implementations against cache attacks, and seven were found to be vulnerable: OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS.

TLS, or Transport Layer Security, is a cryptographic protocol that offers end-to-end communications security over networks. It is widely used for internet communications and online transactions. TLS versions prior to TLS 1.3 can use RSA as the key exchange algorithm, which determines how the client and server authenticate during the handshake to negotiate a shared secret: the client encrypts a shared secret under the server's RSA public key, and the server receives and decrypts it.

The latest attack isn’t entirely new; it is another variation of the original Bleichenbacher oracle attack, which was able to decrypt an RSA-encrypted message using the Public-Key Cryptography Standards (PKCS) #1 v1.5 padding function. This new attack uses a side-channel leak via the cache access timings of TLS implementations to break the RSA key exchanges of those implementations. It affects all versions of TLS (including TLS 1.3) as well as QUIC, and makes use of state-of-the-art cache attack techniques such as Flush+Reload, Prime+Probe, and branch-prediction attacks.

Attacking TLS 1.3 and downgrading to TLS 1.2

Since TLS 1.3 does not offer an RSA key exchange, the researchers started by downgrading to an older version of TLS (TLS 1.2) in order to carry out the attack. To downgrade a client’s connection attempt, a spoofed TLS 1.2 handshake is used: the server’s RSA certificate is presented in a ServerCertificate message, and the handshake is then closed with a ServerHelloDone message.

If, at this point, the server does not have a trusted certificate that allows RSA key exchanges, or the client refuses to support RSA key exchanges or versions older than TLS 1.2, the attack halts. Otherwise, the client uses the RSA public key contained in the certificate to encrypt the TLS premaster secret, sends it in a ClientKeyExchange message, and ends its part of the handshake with a ChangeCipherSpec and a Finished message. It is at this point that the attack is performed to decrypt the RSA-encrypted premaster secret. The final Finished message should contain an authentication tag (an HMAC) over the whole transcript and should be encrypted with the transport keys derived from the premaster secret.

Source: NCC Group

Now, even if some clients might have no handshake timeouts, most serious applications such as browsers will give up on the connection attempt if the response takes too long to arrive. There are, however, several techniques that can slow down the handshake, such as sending the ChangeCipherSpec message to reset the client’s timer and sending TLS warning alerts to reset the handshake timer. After the decryption attack terminates, the expected Finished message is sent to the client and the handshake is finalized.

This downgrade attack is able to bypass multiple downgrade mitigations, namely one server-side and two client-side. TLS 1.3 servers that negotiate older versions of TLS must advertise this information to their peers, and TLS 1.3 clients that negotiate an older version of TLS must check for these values and abort the handshake if they are found. Likewise, a TLS 1.3 client that falls back to an older version of TLS must advertise this information in its subsequent client hellos. Furthermore, a client should also include the version used in the client hello inside the encrypted premaster secret.

“As it stands, RSA is the only known downgrade attack on TLS 1.3, which we are the first to successfully exploit in this research”, states Wong. The researchers also state that it is time for RSA PKCS#1 v1.5 to be deprecated and replaced by more modern schemes such as OAEP (Optimal Asymmetric Encryption Padding) and ECIES (Elliptic Curve Integrated Encryption Scheme) for asymmetric encryption, or Elliptic Curve Diffie-Hellman for key exchanges. For more information, check out the official NCC Group blog.
Brave Privacy Browser has a ‘backdoor’ to remotely inject headers in HTTP requests: HackerNews

Melisha Dsouza, 11 Feb 2019
Brave, the open source privacy-focused browser, has allegedly introduced a ‘backdoor’ to remotely inject headers in HTTP requests that may track users, say users on HackerNews. Users on Twitter and HackerNews have expressed their concerns over the new update on custom HTTP headers added by the Brave team:

https://twitter.com/WithinRafael/status/1094712882867011585

Source: HackerNews

A user on Reddit has explained this move as “not tracking anything, they just send the word "Brave" to the website whenever you visit certain partners of theirs. So for instance visiting coinbase.com sends an "X-Brave-Partner" custom header to coinbase.com.”

Brendan Eich, from the Brave team, has replied to this allegation saying that the ‘Update is not a "backdoor" in any event and is a custom header instead.’ He says the update is about custom HTTP headers that Brave sends to its partners, with fixed header values, and that there is no tracking hazard in the new update. He further stresses that Brave blocks third-party cookies and storage and third-party fingerprinting along with HSTS supercookies, thus assuring users that their privacy is preserved. “I find it silly to assume we will "heel turn" so obviously and track our users. C'mon! We defined our model so we can't cheat without losing lead users who would see through it. That requires seeing clearly things like the difference between tracking and script blocking or custom header sending, though.”

Users have also posted on Hacker News that the Brave browser's Tracking Protection feature does not block tracking scripts from hostnames associated with Facebook and Twitter. The tracking_protection_service.h file contains a comment stating that a tracking protection white_list variable was created as a "Temporary hack which matches both browser-laptop and Android code". Bleepingcomputer also reports that this whitelist variable is associated with code in the tracking_protection_service.cc file that adds various Facebook and Twitter hostnames to the whitelist so that they are not blocked by Brave's Tracking Protection feature. In response, Brave points to an issue opened on September 8th, 2018, in which developers decided to whitelist tracking scripts from Facebook and Twitter because blocking them would “affect the functionality of many sites”, including Facebook logins.

You can head over to Brendan’s Reddit thread for more insights on this update.
Apple announces iOS 12.1.4 with a fix for its Group FaceTime video bug

Savia Lobo, 08 Feb 2019
Yesterday, Apple announced the release of iOS 12.1.4 to fix the Group FaceTime video bug discovered at the end of last month. Apple had immediately disabled the affected feature, as the bug allowed callers to eavesdrop on people before they even picked up their phone. Apple also plans to reward 14-year-old Grant Thompson and his mother for first reporting the bug: Apple is “compensating the Thompson family for discovering the vulnerability and providing an additional gift to fund Grant Thompson’s tuition”, the Verge reports.

As reported by TechCrunch, an Apple spokesperson told them in a statement, “In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime.”

Source: The Verge

“To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS”, Apple reports. To learn more about this news in detail, head over to The Verge.
Signal introduces optional link previews to help users understand what's behind a URL

Melisha Dsouza, 08 Feb 2019
Signal, the encrypted communication app for iOS and Android, recently announced optional link previews for four of the most popular sites: Imgur, Reddit, Instagram, and YouTube. This will enable Signal users to see what is behind a particular URL while sharing content with their friends.

According to Joshua Lund, the creator of Signal, the feature has been designed so that users can generate link previews while hiding the URL from the Signal service itself, shielding their IP address from the previewed site, and obfuscating the true size of the preview image.

Link previews will expose relevant pieces of the URL to the recipient. On some sites, such as YouTube, the URL is a random string of letters, numbers, and symbols, and a recipient will never know where the link goes until they click on it. With link previews in place, users get an idea of what to expect when they click the link just by looking at the preview. Users can disable this feature through settings or by tapping the 'X' in the corner of the preview before hitting send.

The process of sending a link preview follows three simple steps:

1. The Signal app establishes a TCP connection through a privacy-enhancing proxy that obscures the user's IP address from the site being previewed.
2. A TLS session is negotiated directly between the app and the previewed site through the proxy. This ensures that the Signal service never has access to the URL.
3. The Signal app uses overlapping range requests to retrieve preview images, so that the proxy service only sees repeated requests for a fixed block size when media is transferred.

Link previews may also alert users to avoid clicking on links that may contain malicious content.

Users have taken this news well, commending the team on this new feature:

https://twitter.com/Roderik_de_Pree/status/1093329997882949632
https://twitter.com/bcomenl/status/1093270187208523776

You can head over to Signal’s official blog to learn more about this news.
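As an added illustration of the third step above (example code, not Signal's own), the following models the proxy as an observer that sees only Range headers and response sizes, never the TLS-protected body, and shows why equal-sized overlapping requests hide the true size of the preview image. The block size and the exact overlap rule are assumptions; the page states neither.

```python
"""Fixed-size overlapping range requests, as described for Signal link previews.

Added example, not Signal's code. The proxy is modelled as seeing only the
requested byte ranges; the body travels inside TLS between app and origin.
BLOCK_SIZE and the "shift the last block back" rule are assumptions.
"""
from typing import Dict, List, Tuple

BLOCK_SIZE = 64 * 1024  # assumed fixed block size (not given on the page)


def overlapping_ranges(total_size: int, block_size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """Return inclusive (start, end) byte ranges, each exactly block_size long.

    A short final request would leak total_size mod block_size to the proxy, so
    the last range is shifted back to overlap the previous one instead.
    """
    if total_size <= 0 or block_size <= 0:
        raise ValueError("sizes must be positive")
    if total_size <= block_size:
        # Media no larger than one block: still ask for a full block; the origin
        # simply returns what exists (assumed HTTP 206 behaviour).
        return [(0, block_size - 1)]
    ranges: List[Tuple[int, int]] = []
    start = 0
    while start + block_size < total_size:
        ranges.append((start, start + block_size - 1))
        start += block_size
    # Final block overlaps the previous one so that it is also block_size long.
    ranges.append((total_size - block_size, total_size - 1))
    return ranges


def serve_range(media: bytes, rng: Tuple[int, int]) -> bytes:
    """Origin-side slice for an inclusive byte range (the body of a 206 response)."""
    start, end = rng
    return media[start:end + 1]


def fetch_via_proxy(media: bytes, block_size: int = BLOCK_SIZE) -> Tuple[bytes, Dict[str, int]]:
    """Fetch media with fixed-size ranges and reassemble it.

    Returns the reassembled bytes plus what the proxy could observe: the number
    of requests and the number of distinct requested sizes (always one).
    """
    ranges = overlapping_ranges(len(media), block_size)
    parts = bytearray(len(media))
    for start, end in ranges:
        chunk = serve_range(media, (start, end))
        parts[start:start + len(chunk)] = chunk  # overlapping writes are idempotent
    requested_sizes = {end - start + 1 for start, end in ranges}
    observed = {"requests": len(ranges), "distinct_sizes": len(requested_sizes)}
    return bytes(parts), observed


if __name__ == "__main__":
    # Constructed sample media: 100 KiB, deliberately not a multiple of BLOCK_SIZE.
    sample = bytes(range(256)) * 400
    out, seen = fetch_via_proxy(sample)
    print("reassembled correctly:", out == sample)
    print("proxy observed:", seen)
```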
Google’s Adiantum, a new encryption standard for lower-end phones and other smart devices

Melisha Dsouza, 08 Feb 2019
Google has launched a new form of encryption called ‘Adiantum’, designed to secure data stored on lower-end smartphones and devices with insufficient processing power. For security, most Android phones have storage encryption enabled as a default feature. An exemption is made for phones with low processing power or low-end hardware, where storage encryption is either off by default to improve performance, or not present at all.

Adiantum is suitable for devices that lack dedicated ARM extensions for security. While the majority of new Android devices have hardware support for AES through the ARMv8 Cryptography Extensions, devices that use low-end processors such as the ARM Cortex-A7 do not, and AES encryption on them leads to a poor and slow user experience.

According to Eugene Liderman, director of mobile security strategy for Google’s Android security & privacy team, “Adiantum was built to run on phones and other smart devices that don’t have the specialized hardware to use current methods to encrypt locally stored data efficiently.” Hoping to democratize encryption for all devices, including any low-power Linux-based device from smartwatches to connected medical devices, Liderman says that “There will be no excuse for compromising security for the sake of device performance. Everyone should have privacy and security, regardless of their phone’s price tag.”

How does Adiantum work?

Google's Adiantum has been designed to encrypt local data without slowing down systems or increasing the price of devices through additional hardware. Adiantum uses the ChaCha stream cipher in a length-preserving mode, adapting ideas from AES-based proposals for length-preserving encryption such as HCTR and HCH. On ARM Cortex-A7, Adiantum encryption and decryption on 4096-byte sectors is around 5x faster than AES-256-XTS.

With Adiantum, changing any bit anywhere in the plaintext unrecognizably changes all of the ciphertext, and vice versa. It hashes almost the entire plaintext using a keyed hash based on Poly1305 and a keyed hashing function called NH. It also hashes a value called the "tweak", which is used to ensure that different sectors are encrypted differently. This hash is used to generate a nonce for the ChaCha encryption. After the encryption is complete, the data is hashed again. This is arranged in a configuration known as a Feistel network.

You can read the entire whitepaper detailing the encryption standard by Google software engineers Paul Crowley and Eric Biggers. The paper goes into further technical detail on Adiantum.

This is the second announcement made by Google in the spirit of Safer Internet Day. Earlier this week, Google released a new Chrome extension called "Password Checkup", which checks whether a user's credentials have been exposed in past data leaks. You can head over to Google’s official blog to learn more about Adiantum.
Google open sources ClusterFuzz, a scalable fuzzing tool

Natasha Mathur, 08 Feb 2019
Google made its scalable fuzzing tool, ClusterFuzz, available as open source yesterday. Google uses ClusterFuzz for fuzzing the Chrome browser; fuzzing is a technique that helps detect bugs in software by feeding unexpected inputs to a target program. For fuzzing to be effective, it should be continuous, done at scale, and integrated into the development process of a software project.

ClusterFuzz can run on clusters of over 25,000 machines and can effectively surface security and stability issues in software. It serves as the fuzzing backend for OSS-Fuzz, a service that Google released back in 2016. ClusterFuzz was earlier offered as a free service to open source projects through OSS-Fuzz, but is now available for anyone to use.

ClusterFuzz comes with a variety of features that help integrate fuzzing into a software project's development process. Here are some of the key features of ClusterFuzz:

• Accurate deduplication of crashes.
• Fully automatic bug filing and closing for issue trackers.
• Statistics for analyzing fuzzer performance and crash rates.
• An easy-to-use web interface for management and viewing crashes.

ClusterFuzz has so far tracked more than 16,000 bugs in Chrome and over 11,000 bugs in more than 160 open source projects integrated with OSS-Fuzz. ClusterFuzz can detect bugs within hours of their introduction and is capable of verifying the fix within a day.

“We developed ClusterFuzz over eight years to fit seamlessly into developer workflows, and to make it dead simple to find bugs and get them fixed. Through open sourcing ClusterFuzz, we hope to encourage all software developers to integrate fuzzing into their workflows.”, states the ClusterFuzz team. For more information, check out ClusterFuzz’s official GitHub repository.
Seattle government arranges public review of the city’s surveillance tech systems

Savia Lobo, 07 Feb 2019
Yesterday, the Seattle government announced that it is arranging a public review of the different surveillance technologies used within the various Seattle departments. The City of Seattle Surveillance Ordinance was passed by the city council on 1st September 2017 and is designed to provide extended transparency to the council and the public when any new technology is acquired. It compels city departments to publish surveillance technology impact reports periodically and allows the public to comment.

This review covers the Group 2 surveillance technologies, including meter-reading devices, 911 call logging systems, and the Seattle police online crime reporting tool. A previous public comment period, for the Group 1 surveillance technologies, was held from October 8 to November 5, 2018, for a different set of technologies. The public comment period for this group runs until March 5, 2019. There will also be a surveillance technology fair hosted by the city on Feb. 27 at the city hall.

Technologies included in the Group 2 surveillance review

Seattle Fire Department's (SFD) computer-aided dispatch system (https://youtu.be/AzKPaIHtbMs): This includes information that 911 dispatchers gather for SFD calls. The system stores information like names and addresses, but that personal information is only available to select department personnel, SFD says.

Acyclica (https://youtu.be/PhwBUe1iUhE): This is a service the Seattle Department of Transportation (SDOT) uses to collect traffic data. SDOT describes it as follows: "Acyclica collects unique phone identifiers, called a MAC address, using a sensor installed inside of traffic control cabinets and immediately encrypts the data. Acyclica then hashes and salts the data, anonymizing it by assigning a set of numbers and letters, then adding [a] random set of additional characters."

Electricity theft detection (https://youtu.be/WSfrhYv6ngY): Seattle City Light uses a variety of technologies to check whether people are stealing electricity. These can include low-tech items like binoculars on up to an "Ampstick," which measures voltage along power lines.

Seattle Police 911 system, the 911 recorder (https://youtu.be/KFShZY9t5Mg): Similar to the SFD system, dispatchers collect personal data to send police to emergency situations. SPD also has a CAD dispatch system up for review.

CopLogic (https://youtu.be/A7JEwJGKvrc): This is SPD's online crime reporting system, where citizens enter personal information if they have been the victim of a crime.

According to a user comment on HackerNews, “Seattle uses WiFi MAC addresses to track traffic movements. While the data is currently hashed and anonymized, it wouldn't surprise me if this data is eventually processed and combined with CV technology (specifically license plate readers and facial recognition tech) to provide detailed information on the movements of individuals.”

To learn more about this announcement, visit the official Seattle.gov website.
Google’s new Chrome extension ‘Password CheckUp’ checks if your username or password has been exposed to a third party breach

Melisha Dsouza
06 Feb 2019
2 min read
Google released a new Chrome extension on Tuesday called ‘Password Checkup’. The extension informs users if the username and password they are currently entering were exposed in a data breach, and prompts them to reset the password. If a user’s Google account credentials have been exposed in a third-party data breach, the company automatically resets their password; the new Chrome extension extends the same level of protection to all services on the web.

Once installed, Password Checkup appears in the browser bar as a green shield. The extension then checks login details against a database of around four billion breached usernames and passwords. If a match is found, a dialogue box prompting the user to “Change your password” appears and the icon turns bright red.

Password Checkup was designed by Google along with cryptography experts at Stanford University, with the requirement that Google itself must not be able to capture a user’s credentials, so as to prevent a “wider exposure” of them. Google’s blog states, “We also designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords.” Password Checkup uses multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding to protect the user’s credentials during the check. You can check out Google’s blog for technical details on the extension.
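The k-anonymity step mentioned above, as an added example that is not Google's code: the client hashes the credential locally and sends the server only a short prefix of that hash; the server replies with every breached hash in that bucket and the client finishes the comparison itself, so the service never sees the full hash. Google's real protocol adds a slow hash and a blinding step on top of this idea; the breach corpus, prefix length and hash construction here are constructed assumptions.

```python
import hashlib

# Constructed, synthetic "breach corpus" for the demo; none of these are real
# leaked credentials. A real service would hold billions of such records.
BREACHED = [(f"user{i}@example.com", f"pw{i}") for i in range(200)]

# Hex characters of the hash the client reveals. One hex char = 16 buckets,
# so the server only learns which sixteenth of the hash space the lookup
# falls in, never the full credential hash (k-anonymity).
PREFIX_LEN = 1


def credential_hash(username: str, password: str) -> str:
    """Hash the (username, password) pair locally. The username is
    lower-cased so capitalisation differences map to the same record."""
    material = username.strip().lower().encode() + b"\x00" + password.encode()
    return hashlib.sha256(material).hexdigest()


def build_breach_index(records, prefix_len: int = PREFIX_LEN) -> dict:
    """Server side: bucket every breached credential hash by its prefix."""
    index: dict = {}
    for username, password in records:
        digest = credential_hash(username, password)
        index.setdefault(digest[:prefix_len], set()).add(digest)
    return index


def server_lookup(index: dict, prefix: str) -> set:
    """Server side: answer with the whole bucket for the requested prefix.
    The prefix is all the server ever receives from the client."""
    return set(index.get(prefix, set()))


def client_check(username: str, password: str, index: dict,
                 prefix_len: int = PREFIX_LEN) -> tuple:
    """Client side: hash locally, send only the prefix, then finish the
    comparison at home. Returns (is_breached, anonymity_set_size), where
    the second value is how many breached hashes shared the prefix."""
    digest = credential_hash(username, password)
    bucket = server_lookup(index, digest[:prefix_len])
    return digest in bucket, len(bucket)


if __name__ == "__main__":
    index = build_breach_index(BREACHED)
    for user, pw in [("user7@example.com", "pw7"),
                     ("user7@example.com", "s0mething-new")]:
        hit, k = client_check(user, pw, index)
        print(f"{user}: breached={hit}, bucket size={k}")
```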
Mandrill email API outage unresolved; leaving users frustrated

Savia Lobo
06 Feb 2019
2 min read
At the beginning of this week, Mandrill, a transactional email API for MailChimp users, experienced an outage in which users were able to send but unable to receive emails. Mandrill also tweeted that they were seeing ongoing errors with scheduled mail and webhooks and would resolve the issue soon.

https://twitter.com/mandrillapp/status/1092611488982945793

Sebastian Lauwers, the VP of Engineering at Dixa, a customer service software company, tweeted that the issue was taking too long to resolve. He also asked why Mandrill was taking so long (nearly 23 hours) to sort out the issue.

https://twitter.com/teotwaki/status/1092624972252618754

Today, a HackerNews user with the username GuyPostington posted an email received from Mandrill. The email explains the reason for Mandrill’s outage and how they will be addressing the issue. Mandrill uses a sharded Postgres setup as one of its main datastores. According to the email, “On Sunday, February 3, at 10:30 pm EST, 1 of our 5 physical Postgres instances saw a significant spike in writes. The spike in writes triggered a Transaction ID Wraparound issue. When this occurs, database activity is completely halted. The database sets itself in read-only mode until offline maintenance (known as vacuuming) can occur.” Mandrill has also tweeted the same explanation.

The email further mentions that because the database is large, the vacuum process takes a significant amount of time and resources, and there is no clear way to track its progress. On the recovery effort, the email says, “We don’t have an estimated time for when the vacuum process and cleanup work will be complete. While we have a parallel set of tasks going to try to get the database back in working order, these efforts are also slow and difficult with a database of this size. We’re trying everything we can to finish this process as quickly as possible, but this could take several days, or longer.” The email also states that once the outage is resolved, Mandrill plans to offer refunds to all affected users.

To know about this news in detail, visit Mandrill’s Tweet thread.
Undetected Linux Backdoor ‘SpeakUp’ infects Linux, MacOS with cryptominers

Melisha Dsouza
05 Feb 2019
4 min read
Security researchers have discovered a new backdoor trojan, dubbed ‘SpeakUp’, which exploits known vulnerabilities in six different Linux distributions and has the ability to infect MacOS. The trojan, discovered by Check Point Research, is being used in a crypto mining campaign that has targeted more than 70,000 servers worldwide so far. Attackers have been using SpeakUp to deploy Monero cryptocurrency miners on infected servers, earning around 107 Monero coins (around $4,500) so far. The backdoor was spotted for the first time last month, when researchers discovered a built-in Python script that allows the trojan to spread laterally through the local network. The trojan remains undetected, uses complex propagation tactics, and its threat surface includes servers that run the top sites on the internet.

What can this trojan do?

On an infected system, the trojan lets the attackers perform a host of illicit activities: modifying the local cron utility to gain boot persistence, running shell commands, executing files downloaded from a remote command and control (C&C) server, and updating or uninstalling itself. According to the researchers, SpeakUp has already been spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. The hackers behind SpeakUp are using an exploit for the ThinkPHP framework to infect servers, and the researchers have not seen the attackers targeting anything except ThinkPHP.

The trojan is crafted with considerable complexity: it can scan local networks for open ports, use a list of pre-defined usernames and passwords to brute-force nearby systems, and take over unpatched systems using one of these seven exploits:

CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
CVE-2010-1871: JBoss Seam Framework remote code execution
JBoss AS 3/4/5/6: Remote Command Execution
CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
Hadoop YARN ResourceManager: Command Execution
CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability

Security researchers have also pointed out that SpeakUp’s authors have the ability to download any code they want to the infected servers. “SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.”

According to Threatpost, Oded Vanunu, head of products vulnerability research for Check Point, said that “the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. Since these software can be deployed on virtual servers, all cloud infrastructure are also prone to be affected.” According to the analysis by Check Point Research, the malware is currently distributed to Linux servers mainly located in China. Lotem Finkelstein, one of the Check Point researchers, told ZDNet that “the infections in non-Chinese countries comes from SpeakUp using its second-stage exploits to infect companies' internal networks, which resulted in the trojan spreading outside the normal geographical area of a Chinese-only PHP framework.”

You can head over to Check Point Research’s official post for a breakdown of how this trojan works as well as an analysis of its impact.
Virality of fake news on social media: Are weaponized AI bots to blame, questions Destin Sandlin

Savia Lobo
04 Feb 2019
4 min read
A lot of fake news has been spreading in recent times via social media channels such as Facebook, Twitter, WhatsApp, and so on. A group of researchers from the University of Southern California came up with a paper titled “Combating Fake News: A Survey on Identification and Mitigation Techniques” that discusses existing methods and techniques for identifying and mitigating fake news. The Microsoft Edge mobile browser also flags untrustworthy news sites with the help of a plugin named NewsGuard. But how far along are we in combating fake news?

This weekend, Destin Sandlin, an engineer who runs the educational YouTube video series Smarter Every Day, tweeted about how fake news gains popularity on YouTube by being literally engineered into our daily feeds using sophisticated AI, destructive bots and so on.

https://twitter.com/smartereveryday/status/1091833011262423040

He started off by tweeting about “weaponized bots, algorithm exploitation, countermeasures, and counter-countermeasures!” He mentioned seeing a YouTube video thumbnail with a picture of Donald Trump and Ruth Bader Ginsburg side by side. What caught his eye was that the video had received 135,000 views, which made it feel like a legitimate video. He then explained that the video was simply a bot reading a script, and realized that these bots have come up with ways to automatically make YouTube videos and upload them. “I recognize that this video is meant to manipulate me so I go to close the video.”

https://twitter.com/smartereveryday/status/1091833831206866944

Sandlin highlighted another fact: these videos had a 2,400 to 143 like-to-dislike ratio. He believes this was some sort of weaponized algorithm exploitation. He said that in order to get maximum views on YouTube, all a video has to do is get onto the sidebar or into the suggested videos list. He also mentioned an example of a channel that appeared in his suggestion list, named "The Small Workshop", which managed to get 13 million views.

https://twitter.com/smartereveryday/status/1091835106149453826

The Trump - Ginsburg video

Sandlin searched YouTube for "After trump sends note to Ginsburg" and got many different videos with the same content. He said, “They all use the exact same script, but the computerized voices are different to not trip YouTube's audio detectors, the videos all use different footage to avoid any visual content ID match”. “This is an offensive AI at work, and it's built to avoid every countermeasure”, he added. Sandlin tweeted, “I think the strategy is simple… if you bot-create enough videos on the same topic and generate traffic to those artificially…many will fail, but eventually, the algorithm will suggest one of them above the others, and it will be promoted as “THE ONE”.”

He further said that tech company engineers are tasked with developing countermeasures to these kinds of attacks. He is unsure who the attacking party is: “Is there a building in a foreign country where soldiers go to work/battle every day to "comment, like, and subscribe?” or are these clever software developers building bots to automatically create videos and accounts to promote those videos? “I would assume they’re using AI to see what types of videos and comments are amplified the most.” He wonders, “How often Do TTPs (Techniques, Tactics, and Procedures) change? When the small groups of engineers at YouTube, Facebook, Instagram or Twitter develop a countermeasure, how long until counter-countermeasures are developed and deployed?”

According to a post at Resurgent, “Perhaps Sandlin’s suggestion, responding with an active unity, a countermeasure of forgiveness and grace, is the best answer. There’s no AI or algorithm that can defeat those weapons.”

Read Destin Sandlin’s complete Tweet thread to know more.
Apple reinstates Facebook and Google Developer Certificates, restores the ability to run internal iOS apps

Savia Lobo
01 Feb 2019
2 min read
Two days ago, Apple revoked Facebook’s Developer Certificate, which barred Facebook employees from using early versions of Facebook apps such as Instagram and Messenger, and from carrying out other day-to-day activities on their iPhones. However, yesterday Apple announced that it has restored Facebook’s enterprise certificates. A Facebook spokesperson told The Verge, “We have had our Enterprise Certification, which enables our internal employee applications, restored. We are in the process of getting our internal apps up and running. To be clear, this didn’t have an impact on our consumer-facing services.”

Apple also blocked Google’s developer certificates after learning of a similar data-collection practice via Google’s Screenwise Meter app. Early versions of Google Maps, Hangouts, Gmail, and other pre-release beta apps stopped functioning, as did employee-only apps such as the Gbus app for transportation and Google’s internal cafe app. However, the Google services and apps were restored later yesterday. Google had also announced that it disabled the app a day before its certificates were blocked.

Prior to revoking Facebook’s Developer Certificates, Apple had warned in a statement that “any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked.” Alex Fajkowski, an iOS developer, discovered that other companies, including Amazon, DoorDash, and Sonos, all distribute beta versions of their apps to non-employees. Following this, “Apple may be forced to take action against these apps, or to even revamp its entire enterprise program in the future”, The Verge reports.

https://twitter.com/thefaj/status/1091087789704105984

Read more about this news on The Verge.