Tech News - Security

470 Articles

Introducing CT-Wasm, a type-driven extension to WebAssembly for secure, in-browser cryptography

Bhagyashree R
23 Jan 2019
3 min read
Researchers from the University of California and the University of Cambridge have come up with Constant-Time WebAssembly (CT-Wasm), the details of which are shared in their paper, CT-Wasm: Type-Driven Secure Cryptography for the Web Ecosystem, published in December. It is a type-driven, strict extension to WebAssembly that aims to address the state of cryptography in the web ecosystem. CT-Wasm gives developers a principled direction for improving the quality and auditability of web platform cryptography libraries while maintaining the convenience that has made JavaScript successful.

Why was CT-Wasm introduced?

A lot of work has been done towards the implementation of client- and server-side cryptography in JavaScript. But there are still some widespread security concerns in JavaScript, which CT-Wasm tries to solve:

- Side channels: When implementing a cryptographic algorithm, functional correctness is not the only concern. It is also important to ensure information-flow properties that take the existence of side channels into account. For instance, an attacker can use the duration of the computation as a side channel: by comparing different executions they can find out which program paths were taken and work backward to determine information about secret keys and messages. Additionally, modern JavaScript runtimes are extremely complex software systems that include just-in-time (JIT) compilation and garbage collection (GC), techniques that can inherently expose timing side channels.
- In-browser cryptography: Another concern is in-browser cryptography, which refers to the implementation of cryptographic algorithms in JavaScript in a user’s browser.
- Unskilled cryptographers: Most JavaScript cryptography is implemented by unskilled cryptographers who generally do not care about the most basic timing side channels.

How CT-Wasm addresses these concerns

Recently, all browsers have added support for WebAssembly (Wasm), a bytecode language. As Wasm is a low-level bytecode language, it already provides a firmer foundation for cryptography than JavaScript: Wasm’s “close-to-the-metal” instructions provide more confidence in its timing characteristics than JavaScript’s unpredictable optimizations. It has a strong, static type system and a principled design. It uses a formal small-step semantics, and a well-typed Wasm program enjoys the standard progress and preservation properties.

CT-Wasm extends Wasm into a verifiably secure cryptographic language by augmenting its type system and semantics with cryptographically meaningful types, producing Constant-Time WebAssembly (CT-Wasm). It combines the convenience of in-browser JavaScript crypto with the security of a low-level, formally specified language. Using CT-Wasm, developers can distinguish secret data, such as keys and messages, from public data. Having marked the secret data, they can impose secure information flow and constant-time programming disciplines on the code that handles it and ensure that well-typed CT-Wasm code cannot leak such data. CT-Wasm also allows developers to incorporate third-party cryptographic libraries as they do with JavaScript, and ensures by construction that these libraries do not leak any secret information.

For more details, read the paper: CT-Wasm: Type-Driven Secure Cryptography for the Web Ecosystem.

Related articles:
- The elements of WebAssembly – Wat and Wasm, explained [Tutorial]
- Now you can run nginx on Wasmjit on all POSIX systems
- Introducing Wasmjit: A kernel mode WebAssembly runtime for Linux
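The timing side channel described above (a comparison that stops early, so its running time depends on how many leading bytes of a secret were guessed correctly) beside the constant-time discipline that a type system like CT-Wasm's is designed to enforce, as an added C example that is not code from the CT-Wasm paper or from this article. The 16-byte secret tag is a constructed value, a loop-iteration counter stands in for a stopwatch so the leak is visible deterministically, and the function and helper names (leaky_compare, ct_compare, leaky_iterations, ct_iterations, ct_result) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16

/* Constructed 16-byte secret, standing in for a MAC tag or key. */
static const uint8_t SECRET_TAG[TAG_LEN] = {
    0x8f, 0x1a, 0xc3, 0x47, 0x2e, 0xd9, 0x60, 0xb5,
    0x0c, 0x71, 0xee, 0x93, 0x5a, 0x28, 0xf4, 0x06
};

/* Early-exit compare: returns at the first mismatching byte, so the number
 * of loop iterations (and hence the running time) reveals how many leading
 * bytes of the guess were correct. `iterations` stands in for a timer. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t len,
                  size_t *iterations)
{
    size_t i;
    *iterations = 0;
    for (i = 0; i < len; i++) {
        (*iterations)++;
        if (secret[i] != guess[i])
            return 0;               /* secret-dependent early return */
    }
    return 1;
}

/* Constant-time compare: always visits every byte and never branches on
 * secret data; mismatches are OR-ed into `diff`, which is collapsed to 0/1
 * with arithmetic rather than a conditional. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t len,
               size_t *iterations)
{
    uint32_t diff = 0;
    size_t i;
    *iterations = 0;
    for (i = 0; i < len; i++) {
        (*iterations)++;
        diff |= (uint32_t)(secret[i] ^ guess[i]);
    }
    /* diff == 0 -> (0u - 1u) >> 31 == 1 ; diff in 1..255 -> 0 */
    return (int)(((diff - 1u) >> 31) & 1u);
}

/* Build a guess equal to SECRET_TAG except at byte `mismatch_at`
 * (mismatch_at >= TAG_LEN means a fully correct guess). */
static void make_guess(uint8_t *guess, size_t mismatch_at)
{
    memcpy(guess, SECRET_TAG, TAG_LEN);
    if (mismatch_at < TAG_LEN)
        guess[mismatch_at] ^= 0xff;
}

/* Iterations the leaky compare spends on a guess that first differs at
 * `mismatch_at`: grows with the number of correct leading bytes. */
size_t leaky_iterations(size_t mismatch_at)
{
    uint8_t guess[TAG_LEN];
    size_t it;
    make_guess(guess, mismatch_at);
    leaky_compare(SECRET_TAG, guess, TAG_LEN, &it);
    return it;
}

/* Iterations the constant-time compare spends: always TAG_LEN. */
size_t ct_iterations(size_t mismatch_at)
{
    uint8_t guess[TAG_LEN];
    size_t it;
    make_guess(guess, mismatch_at);
    ct_compare(SECRET_TAG, guess, TAG_LEN, &it);
    return it;
}

/* Result (1 = match, 0 = mismatch) of the constant-time compare. */
int ct_result(size_t mismatch_at)
{
    uint8_t guess[TAG_LEN];
    size_t it;
    make_guess(guess, mismatch_at);
    return ct_compare(SECRET_TAG, guess, TAG_LEN, &it);
}

int main(void)
{
    size_t pos;
    printf("first mismatch at  leaky iterations  constant-time iterations\n");
    for (pos = 0; pos <= TAG_LEN; pos += 4)
        printf("%17zu  %16zu  %24zu\n",
               pos, leaky_iterations(pos), ct_iterations(pos));
    return 0;
}
```

The branch on `secret[i] != guess[i]` in leaky_compare is exactly the kind of secret-dependent control flow a constant-time type discipline rules out: a guess that is wrong in byte 0 costs one iteration, a guess that is wrong in byte 4 costs five, so an observer who can time the check learns the secret a byte at a time. In ct_compare the loop bound is public, the only secret-dependent value is the accumulator, and the iteration count is the same for every input. The article's caveat still applies: a compiler or JIT may reintroduce a branch when optimising, which is why CT-Wasm pins the guarantee to the bytecode's typed semantics rather than to source-level discipline alone.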

US Department of Homeland security releases an ‘emergency directive’ to combat DNS tampering

Savia Lobo
23 Jan 2019
2 min read
Yesterday, the Department of Homeland Security issued an emergency directive with the subject “Mitigate DNS Infrastructure Tampering”, ordering federal agencies to comply with it in order to secure the login credentials for their internet domain records. The DHS directive comes on the heels of research published by FireEye early this month. The company shared that it had identified large-scale DNS hijacking affecting multiple domains belonging to government, telecommunications, and internet infrastructure entities across the Middle East and some other countries. FireEye analysts also believe an Iranian-based group to be the source behind these attacks.

https://twitter.com/gregotto/status/1087800274511634434

The directive provides a brief explanation of how the attackers compromise user credentials and alter DNS records, which enables them to direct user traffic to their own systems for manipulation or inspection. It includes four actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates:

- Audit DNS records
- Change DNS account passwords
- Add multi-factor authentication to DNS accounts
- Monitor Certificate Transparency logs

Agencies have 10 business days to implement these instructions. According to CyberScoop, “The directive makes clear that agencies will ultimately be held accountable for their domain-name security policies, regardless of where they maintain their DNS accounts.”

The CISA (Cybersecurity and Infrastructure Security Agency) will also provide technical assistance to agencies that report anomalous DNS records, and will review submissions from agencies that are unable to implement MFA on DNS accounts within the timeline and get back to them.

CISA will also provide additional assistance via its Cyber Hygiene service and additional guidance to agencies through an Emergency Directive coordination call following the issuance of the directive. “By February 8, 2019, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying agency status and outstanding issues”, the directive states.

To know more about this news in detail, visit DHS’ official website.

Related articles:
- China Telecom misdirected internet traffic, says Oracle report
- How to attack an infrastructure using VoIP exploitation [Tutorial]
- FireEye’s Global DNS Hijacking Campaign suspects Iranian-based group as the prime source

Remote Code Execution Flaw in APT Linux Package Manager allows man-in-the-middle attack

Melisha Dsouza
23 Jan 2019
3 min read
Yesterday a remote code execution bug was found in APT, the high-level package manager used by Debian, Ubuntu, and other related Linux distributions. Max Justicz, the security researcher who discovered the bug, says that it “allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.”

Justicz’s blog post states that the vulnerable versions of APT don't properly sanitize certain parameters during HTTP redirects. An attacker can take advantage of this and perform a remote man-in-the-middle attack to inject malicious content, thus tricking the system into installing altered packages. HTTP redirects during an apt-get command let Linux machines automatically request packages from an appropriate mirror server when other servers are unavailable: if the first server fails, it returns the location of the next server from which the client should request the package.

Justicz has also demonstrated this man-in-the-middle attack in a short video: https://justi.cz/assets/aptpoc.mp4

Justicz told The Hacker News that a malicious actor intercepting HTTP traffic between the APT utility and a mirror server, or just a malicious mirror, could execute arbitrary code on the targeted system with the highest level of privileges, i.e. root. He further adds, "You can completely replace the requested package, as in my proof of concept. You could substitute a modified package as well if you wanted to”.

APT is also used by major Linux distributions like Debian and Ubuntu, which have acknowledged the vulnerability and released security patches for it. The Hacker News also points out how this flaw comes at a time when cybersecurity experts are arguing on Twitter in favour of not using HTTPS, suggesting that software developers rely on signature-based package verification instead, since APT on Linux does the same.

They further add that the APT exploitation could have been mitigated if the software download manager had strictly used HTTPS to communicate securely.

The developers of APT have released version 1.4.9, which fixes the issue. The bug has also been fixed in the APT 1.2.29ubuntu0.1, 1.7.0ubuntu0.1, 1.0.1ubuntu2.19, and 1.6.6ubuntu0.1 packages, as well as in APT 1.4.9 for the Debian distribution.

You can head over to Max Justicz’s official blog for more insights on this news.

Related articles:
- Kali Linux 2018 for testing and maintaining Windows security – Wolf Halton and Bo Weaver [Interview]
- Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers
- Homebrew 1.9.0 released with periodic brew cleanup, beta support for Linux, Windows and much more!

PEAR’s (PHP Extension and Application Repository) web server disabled due to a security breach

Savia Lobo
22 Jan 2019
1 min read
Last week, the researchers at PEAR (PHP Extension and Application Repository) reported a security breach on PEAR’s web server, http://pear.php.net. They found that the go-pear.phar file had been compromised. Following this, the PEAR website itself has been disabled until a known clean site can be rebuilt. The community tweeted that “a more detailed announcement will be on the PEAR Blog once it's back online”.

https://twitter.com/pear/status/1086634389465956352

According to the researchers, users who have downloaded go-pear.phar in the past six months should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If the hashes differ, the user may have the infected file.

The community is in the process of rebuilding the site; however, they are not sure of the ETA yet. To stay updated, keep a close watch on PEAR’s Twitter account.

Related articles:
- Symfony leaves PHP-FIG, the framework interoperability group
- Internal memo reveals NASA suffered a data breach compromising employees social security numbers
- Justice Department’s indictment report claims Chinese hackers breached business and government network

A Wordpress plugin vulnerability is leaking Twitter account information of users making them vulnerable to compromise

Sugandha Lahoti
21 Jan 2019
3 min read
Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, has found a vulnerability in a WordPress plugin called Social Network Tabs. The plugin leaks users’ Twitter account information, exposing them to compromise. The plugin is developed by Design Chemical and lets websites help users share content on social media sites. MITRE has assigned the vulnerability CVE-2018-20555.

In a Twitter thread on Thursday, Elliot described the details of the bug. Per Elliot, the WordPress plugin leaks, twice, the Twitter access_token, access_token_secret, consumer_key and consumer_secret of its users, which leads to a takeover of their Twitter accounts. This was caused by a few lines of code within the page where the Twitter widget is displayed. Anyone who viewed this code could see the linked Twitter handle and the access tokens. If the access token had read/write rights, the attacker was also able to take over the account, and there were 127 such accounts.

Elliot tested the bug by searching PublicWWW, a website source code search engine. He was able to find 539 websites using the vulnerable code. He then managed to retrieve the access tokens, including the Twitter access_token, access_token_secret, consumer_key and consumer_secret, from the 539 vulnerable websites using a script. According to Elliot, this leak compromised over 446 Twitter accounts, including 2 verified accounts and multiple accounts with more than 10K followers. The full list of accounts has also been made public by him.

Elliot talked to TechCrunch about the vulnerability, saying that he had told “Twitter on December 1 about the vulnerability in the third-party plugin, prompting the social media giant to revoke the keys, rendering the accounts safe again. Twitter also emailed the affected users of the security lapse of the WordPress plugin but did not comment on the record when reached.” However, this is not the case.

On January 17, he mentioned in a tweet that, “With a simple Google search query, "inurl:/inc/dcwp_twitter.php?1=", you can find that a lot of websites and so Twitter accounts are still vulnerable to this issue. This query returns 3550 results.” He has also written a scraper to automatically extract the keys from the results of this Google search query.

Related articles:
- SEC’s EDGAR system hacked; allowing hackers to allegedly make a profit of $4.1 million via insider trading
- Hyatt Hotels launches public bug bounty program with HackerOne
- Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers

Internet Outage or Internet Manipulation? New America lists government interference, DDoS attacks as top reasons for Internet Outages across the world

Melisha Dsouza
21 Jan 2019
5 min read
On 17th January, New America published a blog post on the rising number of internet blackouts since 2018, citing various examples and hinting at political reasons behind them. The post also predicts the same trend to continue in 2019, owing to two factors: countries deliberately “turning off” the internet within their borders, and hackers attempting distributed denial-of-service (DDoS) attacks that ultimately lead to internet disruptions.

Amongst the various reasons listed for abruptly cutting off a country’s internet connection were: to avoid the “chaos” that might result from presidential election results in the Democratic Republic of Congo, an attempted coup in Gabon, undersea internet cables being mysteriously cut off in Mauritania, and much more. The post also lists a history of internet blackouts, right from 2004, caused by the governments of various countries, possibly to manipulate people and stop protests against their presidents.

All of this “internet manipulation” makes us wonder how safe one would feel in a country whose government controls a centralized internet. It also makes us ponder the power that governments with relatively centralized internets have: they can literally disconnect their domestic networks from the rest of the globe during domestic unrest or other government-related events. The post also points out that a government controlling components of the internet, like its hardware, to disrupt its working is a sign of “censorship” and “social control”.

As for DDoS attacks against the rising number of IoT devices, the post highlights how today’s IoT devices largely lack security features and can be easily hacked. Hackers can take advantage of these security loopholes to block segments of the internet, directing traffic to a single site or service until it is overwhelmed and can no longer function.

The American internet was taken down in 2016 by the Mirai botnet, which worked along similar lines; it was the largest DDoS attack known to date and took down major sites like Twitter, Spotify, SoundCloud, etc. New America has also indicated that these DDoS attacks are now being associated with government-controlled internet blackouts. Jason Healey and Robert Knake wrote in a recent Council on Foreign Relations report that DDoS attacks via hijacked IoT devices can “cause serious harm by allowing foreign governments to stifle free speech abroad and enabling them to shut down countries’ domestic networks or even the internet globally.” A report from the Council to Secure the Digital Economy states that these incidents undermine “fundamental confidence and trust in the digital economy” that depends on reliable availability and performance of internet services.

If these are the problems associated with a centralized form of the internet, why don’t countries switch over to a more decentralized version? The post states that the internet has become centralized in countries where the government has dictated the buildout of infrastructure and where there is little market competition for internet services. Policymakers should therefore pay close attention while creating cyber norms, taking into consideration the current state of internet manipulation.

The technical standards for IoT devices need to tighten, considering the extent of harm they can cause when manipulated by malicious actors. The post states that, currently, there exist “virtually no consensus rules” for “minimum security” on these devices, and that many industry organizations and government agencies are possibly using IoT systems with terrible security. Outcomes of this could include vulnerable connected infrastructure systems, government personnel wearing IoT devices being open to real-time GPS tracking, devices that can be easily hijacked in service of DDoS attacks, and much more.

Here are some interesting statistics from Access Now that list the number of outages through the years and the popular reasons for them. A recent internet shutdown took place in Zimbabwe, where access to the internet and popular social media apps like Facebook, Twitter and WhatsApp has been blocked unless a VPN is used. The country's largest telecom company, Econet, has been sending customers text messages carrying the government's orders and calling the situation "beyond our reasonable control". A "total internet shutdown" was declared for most of Friday last week. The Sydney Morning Herald stated that critics called this “an attempt to hide growing reports of a violent crackdown on protests against a dramatic fuel price increase”.

Twitter has seen some interesting sentiments on the topic, with people questioning the necessity of turning off the internet during domestic turmoil.

https://twitter.com/africatechie/status/1087024506571550720
https://twitter.com/cipesaug/status/1085499607185010688

It is sad to see how this is affecting ordinary citizens who depend on e-cash to fund various needs.

https://twitter.com/tapsy_j/status/1086166247639863297

Head over to New America for more insights on why you can expect 2019 to be a year filled with many more instances of politically motivated internet shutdowns like the one faced by Zimbabwe.

Related articles:
- Ex-Google CEO, Eric Schmidt, predicts an internet schism by 2028
- China Telecom misdirected internet traffic, says Oracle report
- Internet governance project (IGP) survey on IPV6 adoption, initial reports

EU cancels the final vote negotiations on EU copyright bill amidst massive protests

Sugandha Lahoti
21 Jan 2019
2 min read
The EU’s proposed copyright bill has received major opposition from Europeans over its Articles 11 and 13, also known as the “censorship machines” rule and the “link tax” rule. Major European countries, including Germany, Italy, and the Netherlands, have been quite vocal about their refusal to support the latest version of the proposal. Following this, the EU has canceled today’s negotiations for a final vote on the copyright directive.

Article 13 of the directive will require “information society service providers” – user-generated information and content platforms – to use “recognition technologies” to protect against copyright infringement. Article 11 gives large press organizations more control over how their content is shared and linked to online. It has been called the “link tax”: it could mean that you would need a license to link to content. According to news sites, this law would allow them to charge internet giants like Facebook and Google that link to their content.

Further reading: What the EU Copyright Directive means for developers – and what you can do

Apparently, multiple countries, including Germany, Italy, the Netherlands, and Poland, voted against the latest text put forth by Romania earlier this week. MEP Julia Reda has confirmed this news. In a blog post, she writes, “A total of 11 countries voted against the compromise text proposed by the Romanian Council presidency earlier this week. All of these governments are known for thinking that either Article 11 or Article 13, respectively, are insufficiently protective of users’ rights. At the same time, some rightsholder groups who are supposed to benefit from the Directive are also turning their backs on Article 13.”

https://twitter.com/Senficon/status/1086335378141966336

Last week, the EFF also urged people from Sweden, Germany, Luxembourg, and Poland to contact their ministers to convey their concerns about Articles 13 and 11.

The outcome of today’s Council vote shows that public attention to copyright reform is having an effect. This means that the bill could receive a significant overhaul when it comes up for a vote, which would also delay its implementation. It won’t, however, mean that the Copyright Directive is rejected.

Related articles:
- Ahead of EU’s vote on new copyright rules, EFF releases 5 key principles to guide copyright policy
- Reddit takes stands against the EU copyright directives; greets EU redditors with ‘warning box’
- GitHub updates developers and policymakers on EU copyright Directive at Brussels

Collection #1: 773 million email IDs compromised on a popular cloud storage; security researcher reports

Savia Lobo
18 Jan 2019
2 min read
The recent data breach in MEGA, a popular cloud service, leaked about 87GB of data, including 772,904,991 unique email addresses and over 21 million unique passwords, distributed in a folder dubbed "Collection #1" by hackers. The breach was first reported by the security researcher Troy Hunt. The link to the dump was posted on a hacking forum but has since been taken down from the service.

https://twitter.com/haveibeenpwned/status/1085656743663693825

According to a Wired report, “While it’s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked.”

“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers. There’s no obvious patterns, just maximum exposure”, Hunt said.

Hunt has uploaded all the email addresses and passwords to his site, haveibeenpwned. This allows users to be notified when their email has been caught up in a breach, or to check whether a password has been exposed and has to be changed. Wired states that around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they are not just duplicates from prior megabreaches. “These are all plain text passwords. If we take a breach like Dropbox, there may have been 68 million unique email addresses in there, but the passwords were cryptographically hashed, making them very difficult to use”, Hunt said. He also said that all this data was openly available to anyone on the popular cloud storage site and then on a public hacking site. The only way to stay safe is to never reuse a password across multiple sites.

Hunt says, “It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web.”

To know more about this breach in detail, visit Troy Hunt’s blog post.

Related articles:
- Internal memo reveals NASA suffered a data breach compromising employees social security numbers
- Justice Department’s indictment report claims Chinese hackers breached business and government network
- Former Senior VP’s take on the Mariott data breach; NYT reports suspects Chinese hacking ties

3 out of 4 users don’t know Facebook categorizes them for ad targeting; with political and racial affinity being some labels: Pew Research

Natasha Mathur
17 Jan 2019
4 min read
The Washington-based Pew Research Center released a report yesterday that shares the results of its survey of Facebook users. The survey was conducted on a sample of Facebook users (963 U.S. Facebook users aged 18 years and above) who were asked to give their opinion on the data the platform collects about them. The nationally representative survey was conducted by the Pew Institute between September 4, 2018, and October 1, 2018. Respondents were asked to answer a series of questions related to the content present on the Facebook ad categories page. Facebook allows its users to view a “partial compilation” of how they are classified on its “Your ad preferences” page. All the results of this analysis are based on these self-reported answers. Let’s have a look at the key findings from the survey.

60% of Facebook users are assigned 10+ categories on their ad preferences page

The report states that the Facebook ad preferences page consists of a “your categories” tab, i.e. a list of a user’s interests analyzed by Facebook’s algorithm based on content that they have posted, liked, commented on or shared.

(Figure: Pew Institute survey)

As per the survey results:

- 88% of Americans said that they are assigned categories in this system, while 11% saw a message saying, “You have no behaviours” on the ad preferences page.
- A large majority of Facebook users have 10 or more categories listed on the page. Six-in-ten Facebook users said that their preferences page had either 10 to 20 (27%) or 21 or more (33%) categories for them. 27% noted that their list had fewer than 10 categories.
- 40% of users who go on Facebook multiple times a day are listed in 21 or more categories, as compared to 16% of the “less-than-daily” Facebook users.
- Facebook users who have been on the platform for 10 years or longer (44%) have higher chances of being listed in 21 or more categories, as compared to those with less than five years of Facebook experience (22%).

74% of Facebook users didn’t know the platform lists their interests for advertisers

As per the survey results:

- Three-quarters of Facebook users (74%) did not know the list of categories existed on Facebook, with 12% saying that they were aware of it.
- 59% of Facebook users say the list was very (13%) or somewhat (46%) accurate about their interests, while 27% of them found the list not very (22%) or not at all (5%) accurate.

(Figure: Pew Institute survey)

- Almost half of Facebook users (51%) answered that they were not comfortable with Facebook creating the ‘interests list’. 5% of Facebook users were very comfortable with the list and another 31% said that they are somewhat comfortable.

Facebook’s political and ‘racial affinity’ labels don’t necessarily match users’ views

Facebook assigns political labels to its users. Users who are assigned a political label are roughly equally divided between “liberal or very liberal” (34%), “conservative or very conservative” (35%) and “moderate” (29%).

(Figure: Pew Institute survey)

As per the survey results:

- Close to three-quarters (73%) of those assigned a label say the listing is ‘very accurate’ or ‘somewhat accurate’ about their views. However, 27% say that the label is not very or not at all accurate.
- Facebook’s algorithm also assigns some of its users to groups by “multicultural affinity”, which are assigned to users whose activities “align with” certain cultures. About 21% of Facebook users say they are assigned such an affinity.
- 60% of the Facebook users assigned a multicultural affinity say they have a “very” or “somewhat” strong affinity for the group they were assigned, while 37% say they do not have a strong affinity.
- 57% of the Facebook users assigned a group say they consider themselves a member of that group, with 39% saying they are not members of that group.

“We want people to understand how our ad settings and controls work... while we and the rest of the online ad industry need to educate people on how interest-based advertising works and how we protect people’s information, we welcome conversations about transparency and control”, Facebook told The Verge.

Check out the official Pew Research Center report here.

Related articles:
- Privacy International shares its findings on how popular Android apps send user data to Facebook without user consent
- NYT says Facebook has been disclosing personal data to Amazon, Microsoft, Apple and other tech giants; Facebook denies claims with obfuscating press release
- ProPublica shares learnings of its Facebook Political Ad Collector project

SEC’s EDGAR system hacked; allowing hackers to allegedly make a profit of $4.1 million via insider trading

Savia Lobo
17 Jan 2019
3 min read
On Tuesday, the Securities and Exchange Commission (SEC) at Oklahoma charged nine defendants who participated in a previously disclosed scheme to hack into the SEC’s EDGAR corporate filing system and extract nonpublic information for use in illegal trading. The charged defendants were a Ukrainian hacker, six individual traders in California, Ukraine, and Russia, and two entities.

According to a CNBC report, “The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia, and Ukraine. Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were "test filings," which corporations upload to the SEC's website.”

Craig Carpenito, U.S. Attorney for the District of New Jersey, said, “After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public.” According to Carpenito, the hacked documents included quarterly earnings, mergers and acquisitions plans and other sensitive news. The criminals were able to view it before it was released as a public filing, thus affecting the individual companies' stock prices. The alleged hackers also executed trades on the reports and sold them to other illicit traders. One insider trader made $270,000 in a single day, Carpenito said.

The hack was carried out by sending malicious software via email to SEC employees. Carpenito said that after planting the software on the SEC computers, the hackers sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals.

According to the SEC’s official press release, “the hacker and some of the traders were also involved in a similar scheme to hack into newswire services and trade on information that had not yet been released to the public.” Steven Peikin, Enforcement Division Co-Director alongside Avakian, said, “The trader defendants charged today are alleged to have taken multiple steps to conceal their fraud, including using an offshore entity and nominee accounts to place trades. Our staff’s sophisticated analysis of the defendants’ trading exposed the common element behind their success, providing overwhelming evidence that each of them traded based on information hacked from EDGAR.”

Know more about this news in detail in the SEC’s official press release.

Related articles:
- Hyatt Hotels launches public bug bounty program with HackerOne
- Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers
- Cybersecurity researcher withdraws public talk on hacking Apple’s Face ID from Black Hat Conference 2019: Reuters report
AirBnB privacy issue - a guest found undisclosed cameras in his rented room

Prasad Ramesh
17 Jan 2019
4 min read
In a blog post, an AirBnB guest shares his experience of staying at a property and discovering, to his shock, cameras in the rooms. When you go on vacation you naturally need a place to stay, and in this digitized age AirBnB seems to be the go-to service: it is popular and was long considered reliable by many. Over the years, though, its service has noticeably degraded, with complaints from guests in which the delayed resolution, or the lack of one, has left guests dissatisfied. In this case, events did eventually turn in the guest’s favour.

Jeffrey Bigham, a computer science professor at Carnegie Mellon University, was staying in an AirBnB. He first noticed a white object in the top corner of the room he had rented; on closer inspection it turned out to be a camera, and he found another near the bathroom exit. The property’s online listing included pictures of the rooms in which one camera was visible, but only barely, and the description mentioned cameras only “at the entrance.” These cameras, however, were clearly inside the room. Bigham also took to Twitter:

https://twitter.com/jeffbigham/status/1085177332011356161

Naturally, Bigham disconnected the cameras and contacted AirBnB. On learning this, the host went as far as sending someone to spy on the guests and left a bad review. On initial contact with AirBnB support, Bigham was told that the listing image was a proper disclosure of both cameras. After many reviews, a senior person from the AirBnB team admitted that the image does give proper disclosure about the camera situation. Bigham received a refund for his stay. He writes in his blog: “I feel like our experience is in some ways more insidious. If you find a truly hidden camera in your bedroom or bathroom, AirBnB will support you. If you find an undisclosed camera in the private living room, AirBnB will not support you.”

Some AirBnB hosts are opting to keep cameras as a security measure in case anything happens, but it is clearly a privacy violation that no genuine guest should have to face. As Scott Riley, the author of Mindful Design, puts it in his book promo, “a lot of the mainstream design practices out there definitely couldn't claim to be making a net positive on the world. Tech as a whole harms, oppresses and manipulates because it's used as a tool within an oligarchical power structure; but I truly believe that technology and design (as a tool for simplifying complex systems) can democratize and empower and bring about societal shifts for the better. It starts with compassion, and a refusal from the inside to implement negligent or oppressive practices, products or systems. Technology that exists to augment and ease human nature is going to be more and more important in this, and I really hope we can break free from the bullshit of behaviorism in design and explore what it really means to aid in self-determination and cognitive unburdening.” The AirBnB team could take a leaf out of such thinkers’ books to better walk the fine line between protecting user privacy and guaranteeing hosts the security of their properties, through mindful design thinking and policy formulation.
Fortnite just fixed a bug that let attackers to fully access user accounts, impersonate real players and buy V-Buck

Amrata Joshi
17 Jan 2019
4 min read
Yesterday, Epic Games, the developer of the online video game Fortnite, acknowledged the existence of a bug in the game. The bug could let attackers access user accounts by impersonating real gamers and purchase V-Bucks, Fortnite’s in-game currency, with credit cards. It could also be used to eavesdrop on and record players’ in-game conversations and background home conversations. Just two months ago, researchers at Check Point Research found the vulnerabilities and informed Epic Games, which then fixed them. In a statement to the Washington Post, Oded Vanunu, Check Point’s head of products vulnerability research, said, "The chain of the vulnerabilities within the log-in flow provide[d] the hacker the ability to take full control of the account.”

According to an analysis by the market research company SuperData, Epic Games led the market for free-to-play games last year, earning $2.4 billion in revenue with the help of Fortnite.

Ten months ago, a user shared his experience on Reddit of his account being hacked; the hacker spent all the money on his card buying V-Bucks. The post reads, “It appears my epic games account was hacked this past weekend, and they proceeded to spend all the money they could on v-bucks (which was all of it).” The victim also added a note, “ I've never tried signing up for free v-bucks or anything of the sort. I think I've just used the same password email combo too many times and at some point it was leaked in some data breach.” Despite the refund from the Epic team, the online gaming world doesn’t look that safe, and the comments on the post clearly show how scared users are. One user commented, “Well, after reading this I just deleted my PayPal from my Epic Games account. Definitely going to run with entering details each time instead of storing them.” Other comments in the thread suggest using two-way verification, changing passwords frequently, and using prepaid cards where possible for online games.

In a statement to The Verge, Epic Games said, “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

Hackers deceive players in various ways; one is asking users to log into fake websites that promise to generate V-Bucks. These sites ask gamers to enter their game login credentials and personal information such as name, address, and credit card details, which are then misused. Such scams are usually promoted via social media campaigns claiming that gamers can “earn easy cash” or “make quick money”.

Check Point’s research found a vulnerability in the game that didn’t even require the attacker to obtain login details. According to the researchers, an XSS (cross-site scripting) attack was responsible, which only required the user to click a link sent to them by the attacker. As soon as the user clicked the link, their Fortnite username and password would be captured by the attacker, without the user entering any login credentials. According to the researchers, the bug let hackers steal the tokens that identify a gamer when he/she logs into the game through a third-party account such as Xbox Live or Facebook. After accessing a gamer’s Fortnite account with these security tokens, hackers could buy weapons, in-game currency, or even cosmetic accessories. To know more about the bug in Fortnite, check out the report and YouTube video by Check Point.
The popular ES File Explorer allegedly has an open port vulnerability that exposes Android device data

Savia Lobo
17 Jan 2019
2 min read
ES File Explorer, one of the most popular file-managing apps, has been found to run a hidden web server in the background, leaving the door open for anyone on the same network to access data on the device with a simple script. French security researcher Baptiste Robert, who goes by the online handle Elliot Alderson, found the exposed port last week. He disclosed his findings in a tweet yesterday, stating, “The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone.”

https://twitter.com/fs0c131y/status/1085460755313508352

ES File Explorer hasn’t responded to the allegations yet. The app has more than 500 million downloads on the Google Play Store. Robert said that app versions 4.1.9.5.2 and below have the open port. According to TechCrunch, “Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.”

The server running in the background is also used over HTTP to stream videos to other apps. However, it opens a portal through which an attacker can pull information from the Android device. The vulnerability can only be exploited from within the local network; the exposed web server cannot be reached over the Internet. It is still a threat, though, to anyone who shares a local network with an attacker. To know more about this news in detail, visit GitHub. Here’s a short video by Baptiste Robert demonstrating the vulnerability:

https://www.youtube.com/watch?v=z6hfgnPNBRE
35-year-old vulnerabilities in SCP client discovered by F-Secure researcher

Amrata Joshi
16 Jan 2019
4 min read
Yesterday, Harry Sintonen, a researcher at F-Secure, disclosed 35-year-old vulnerabilities in SCP (Secure Copy Protocol) clients. SCP is a network protocol that uses Secure Shell (SSH) to transfer data between hosts on a network. SCP clients are susceptible to a malicious SCP server, which can make unauthorized changes to the target directory. In 2000, a directory traversal bug was found in the SCP client in SSH and fixed at the time.

Vulnerabilities discovered

One of the vulnerabilities lets attackers write arbitrary malicious files to the target directory on the client machine; they can also change the permissions on the directory to allow further compromises. Another is that SCP clients fail to verify that the object returned after a download request is the one that was requested. The consequences are severe, as an attacker who controls the server can easily drop arbitrary files into the directory from which the user runs SCP (similar to a man-in-the-middle attack). The major vulnerabilities discovered are:

CWE-20: SCP client improper directory name validation [CVE-2018-20685]. Using an empty ("D0777 0 \n") or dot ("D0777 0 .\n") directory name, the server can make the SCP client modify the permissions of the target directory.

CWE-20: SCP client missing received object name validation [CVE-2019-6111]. Since the SCP implementation is derived from the 1983 rcp(1), the server chooses which files and directories are sent to the client. According to Sintonen’s post, “A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).” This vulnerability is known as CVE-2018-20684 in WinSCP.

CWE-451: SCP client spoofing via object name [CVE-2019-6109]. Because the progress display does not encode the object name, the name can be used to manipulate the client output, for example by using ANSI codes to hide additional files being transferred.

CWE-451: SCP client spoofing via stderr [CVE-2019-6110]. A malicious server can manipulate the client output because the client accepts and displays arbitrary stderr output from the SCP server.

These vulnerabilities affect the SCP client implementations in Red Hat, Debian, and SUSE Linux, OpenSSH version 7.9 and earlier, and some versions of WinSCP.

How to overcome these vulnerabilities?

For OpenSSH, users can switch to sftp or apply the patch at https://sintonen.fi/advisories/scp-name-validator.patch to harden scp against server-side manipulation attempts. A note by Sintonen: “This patch may cause problems if the remote and local shells don't agree on the way glob() pattern matching works. YMMV.” For WinSCP, upgrade to WinSCP 5.14 or a later version. There is no fix available for PuTTY yet, and users are refraining from using PuTTY. One user commented on HackerNews, “I strongly discourage anyone from using PuTTY, not for this reason, but for its weird and nonstandard handling of SSH keys.”

Users are now more skeptical about downloading and transferring their files over the network. Most of us rely heavily on SSH because we think it is secure and trusted, but should we continue trusting it? Is it advisable to trust it blindly and not take preventive measures beforehand? One user commented on HackerNews, “We trust a lot of things, and maybe we shouldn't. I use SCP infrequently and on machines that I control, so that's a level of risk I'm comfortable with.” Another user commented on the HackerNews thread, “The argument that you trusted this server enough to connect to it and download a file, therefore you clearly should trust it enough to permit it to execute arbitrary executables on your machine, is false in both cases.” Another user advises accessing data offline by shutting down the instance, attaching its storage as secondary storage to another instance, and discarding the storage as soon as the work is done. The data can also be downloaded at the hypervisor level; another comment on HackerNews reads, “You can't physically access the disk, but you often can download a snapshot or disk image, which is created at the hypervisor level.” To know more about the vulnerabilities, check out Sintonen’s advisory.
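The four SCP advisories above all come down to the client trusting names and text that the server chose. The following Python module is an added example (not code from F-Secure, Sintonen's advisory, or OpenSSH) of the checks a hardened client would apply to the server's control messages before touching the filesystem or the terminal. It assumes the rcp/scp wire format in which a file is announced as "C<mode> <length> <name>", a directory as "D<mode> <length> <name>", and "E" closes the most recently opened directory; the sample message stream from a hypothetical malicious server is constructed for the example, and the function names are my own.

```python
"""Defensive screening of SCP server control messages (added example).

Checks covered: directory names that retarget the client (CVE-2018-20685),
objects the user never asked for (CVE-2019-6111), and server-controlled
text reaching the terminal unescaped (CVE-2019-6109 / CVE-2019-6110).
"""
import fnmatch
import re
from dataclasses import dataclass


class ScpProtocolError(ValueError):
    """Raised for a server message the client must refuse to act on."""


# "<C|D><four octal mode digits> <decimal length> <name>"
_OBJECT_MSG = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")


@dataclass
class ScpObject:
    kind: str    # "C" = file, "D" = directory
    mode: int    # permission bits announced by the server
    length: int  # byte length announced by the server
    name: str    # name exactly as sent (not yet safe to print)


def is_valid_object_name(name: str) -> bool:
    """A single path component: not empty, not '.' or '..', no separator."""
    return name not in ("", ".", "..") and "/" not in name


def parse_object_message(line: str) -> ScpObject:
    """Parse one C/D message, rejecting names that could escape the target."""
    match = _OBJECT_MSG.match(line.rstrip("\n"))
    if not match:
        raise ScpProtocolError(f"malformed object message: {line!r}")
    kind, mode, length, name = match.groups()
    if not is_valid_object_name(name):
        raise ScpProtocolError(f"invalid object name: {name!r}")
    return ScpObject(kind, int(mode, 8), int(length), name)


def name_matches_request(received: str, requested: str) -> bool:
    """Does the announced name match the basename the user asked for?

    Globbing is assumed to follow fnmatch semantics; the advisory's patch
    notes that remote and local shells may disagree on glob() behaviour.
    """
    return fnmatch.fnmatchcase(received, requested)


def sanitize_for_display(text: str) -> str:
    """Escape control characters (e.g. ANSI ESC) before echoing server text."""
    return "".join(
        f"\\x{ord(ch):02x}" if ord(ch) < 0x20 or ord(ch) == 0x7F else ch
        for ch in text
    )


def screen_transfer(messages, requested, recursive=False):
    """Split a server's message stream into accepted objects and rejections.

    Returns (accepted, rejected); each rejection is (printable line, reason).
    Only top-level names are matched against the request: inside a directory
    sent with -r the server legitimately picks the names, so the component
    check in parse_object_message() is what keeps writes inside the target.
    """
    accepted, rejected = [], []
    depth = 0
    for raw in messages:
        line = raw.rstrip("\n")
        if line == "E":
            if depth == 0:
                rejected.append((line, "end-of-directory with no open directory"))
            else:
                depth -= 1
            continue
        try:
            obj = parse_object_message(line)
            if obj.kind == "D" and not recursive:
                raise ScpProtocolError("directory announced but -r was not given")
            if depth == 0 and not name_matches_request(obj.name, requested):
                raise ScpProtocolError(
                    f"unrequested object: {sanitize_for_display(obj.name)}")
        except ScpProtocolError as exc:
            rejected.append((sanitize_for_display(line), str(exc)))
            continue
        if obj.kind == "D":
            depth += 1
        accepted.append(obj)
    return accepted, rejected


# Constructed stream from a hypothetical malicious server; the user ran the
# equivalent of `scp host:'*.txt' .` without -r.
MALICIOUS_SERVER_MESSAGES = [
    "D0777 0 \n",                  # empty directory name   (CVE-2018-20685)
    "D0777 0 .\n",                 # dot directory name     (CVE-2018-20685)
    "C0644 5 notes.txt\n",         # the file actually requested
    "C0600 80 authorized_keys\n",  # never requested        (CVE-2019-6111)
    "C0644 3 \x1b[2Knotes.txt\n",  # ANSI escape in name    (CVE-2019-6109)
]

if __name__ == "__main__":
    accepted, rejected = screen_transfer(MALICIOUS_SERVER_MESSAGES, "*.txt")
    for obj in accepted:
        print("accept", obj.kind, sanitize_for_display(obj.name))
    for line, reason in rejected:
        print("reject", line, "->", reason)
```

Note that the last message passes both the component check and the glob match, because "*" matches the escape bytes too: name validation alone does not cover CVE-2019-6109, which is why the display path escapes the name separately before anything server-supplied reaches the terminal.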
Ethereum community postpones Constantinople, post vulnerability detection from ChainSecurity

Savia Lobo
16 Jan 2019
2 min read
The Ethereum developers announced yesterday that they are pulling back the Constantinople hard fork upgrade after a vulnerability that could allow hackers to steal users’ funds was reported. The upgrade had been scheduled to launch today, January 16th. The issue, a ‘reentrancy attack’ made possible by Ethereum Improvement Proposal (EIP) 1283, was identified by the smart contract audit firm ChainSecurity, which also described the bug in detail in a Medium blog post yesterday.

According to the official Ethereum blog, “Security researchers like ChainSecurity and TrailOfBits ran (and are still running) analysis across the entire blockchain. They did not find any cases of this vulnerability in the wild. However, there is still a non-zero risk that some contracts could be affected.” According to a statement by the Ethereum Core Developers and the Ethereum Security Community, “Because the risk is non-zero and the amount of time required to determine the risk with confidence is longer the amount of time available before the planned Constantinople upgrade, a decision was reached to postpone the fork out of an abundance of caution.”

The ChainSecurity blog post explained the cause of the potential vulnerability and also suggested how smart contracts can be tested for it. The post highlighted that EIP-1283 introduces cheaper gas costs for SSTORE operations. Had the upgrade taken place, smart contracts on the chain using certain code patterns would have become vulnerable to reentrancy attacks, even though those same contracts were not vulnerable before the upgrade. Afri Schoedon, the hard fork coordinator at Ethereum, said, “We will decide (sic) further steps on Friday in the all-core-devs call. For now it will not happen this week. Stay tuned for instructions.” To know more about this news in detail, visit the official Ethereum blog.