Tech News - Security

Pwn2Own Vancouver 2019: Targets include Tesla Model 3, Oracle, Google, Apple, Microsoft, and more!

Melisha Dsouza
16 Jan 2019
4 min read
Pwn2Own, run by Trend Micro’s Zero Day Initiative (ZDI), is one of the industry’s toughest hacking contests. Started in 2007, Pwn2Own has become a platform for white hats to test their skills against various types of software, and winners have been awarded more than $4 million over the lifetime of the program. Pwn2Own Vancouver, Pwn2Own’s spring vulnerability research competition, will be held from March 20 to 22 at the CanSecWest conference. The contest has five categories, including web browsers, virtualization software, enterprise applications and server-side software. For the first time, the contest will feature an ‘Automotive’ category, with the Tesla Model 3 chosen as a target by ZDI. Other targets include software products from Apple, Google, Microsoft, Mozilla, Oracle and VMware. Let’s look at what's in store for every category.

#1 Automotive category: Tesla Model 3

“We develop our cars with the highest standards of safety in every respect, and our work with the security research community is invaluable to us” - David Lau, Vice President of Vehicle Software at Tesla

Tesla has engaged with the hacker community since 2004 through its bug bounty program, which pays up to $15,000 for security exploits of its systems. In 2018 the company altered its warranty policy. The updated policy states that ‘as long as security exploits are found and reported within the limits outlined by the bug bounty program, the user's warranty will remain intact.’ At Pwn2Own Vancouver, researchers will have six focal points on the car in which to discover and research vulnerabilities. While prizes vary from $35,000 to $300,000, the winning security researcher can also walk away with their very own Model 3. Tesla’s line of action is an indication of how seriously it takes the security of its self-driving cars.

#2 Virtualization category

The targets for the virtualization category are:
- Oracle VirtualBox
- VMware Workstation
- VMware ESXi
- Microsoft Hyper-V Client

Microsoft leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. VMware is a Pwn2Own sponsor for 2019, and VMware ESXi and VMware Workstation will serve as targets with awards of $150,000 and $70,000 respectively. Oracle VirtualBox is included in this category with a prize of $35,000.

#3 Browser category

Within the browser category, the targets are:
- Google Chrome
- Microsoft Edge
- Apple Safari
- Mozilla Firefox

We saw a lot of web browsers getting hacked in 2018. It is great to see the biggest names in the tech industry coming forward to have vulnerabilities in their products found before malicious actors can exploit them. A browser exploit for Firefox will be awarded $40,000. The award for exploiting Chrome is $80,000. Additionally, a contestant exploiting Edge with Windows Defender Application Guard (WDAG) enabled will be awarded $80,000. Contestants exploiting Safari will be awarded between $55,000 and $65,000.

#4 Enterprise Application category

The Enterprise Application category has the following targets:
- Adobe Reader
- Microsoft Office 365
- Microsoft Outlook

The products offered by Adobe and Microsoft are used by almost everyone on a daily basis. Finding a security flaw in this category therefore safeguards the millions who use these products regularly. A Reader exploit will be awarded $40,000, breaking into Office is awarded $60,000, and an Outlook exploit $100,000.

#5 Server-side category

The final category in this contest includes Microsoft Windows RDP as a target. A successful RDP exploit will award the contestant $150,000.

You can head over to the Zero Day Initiative’s official blog for more information on the contest, the rules, awards and much more.
Google Home and Amazon Alexa can no longer invade your privacy; thanks to Project Alias!

Savia Lobo
15 Jan 2019
2 min read
Project Alias is an open-source, ‘teachable’ parasite that gives users increased control over their smart home assistants in terms of customization and privacy. It also lets the smart home devices accept custom wake-up names while disturbing their built-in microphone, and it is set up simply by downloading an app. Once trained, Alias can take control of your home assistant by activating it for you.

Tellart designer Bjørn Karmann and Topp designer Tore Knudsen are the minds behind this experimental project. Knudsen says, “This [fungus] is a vital part of the rain forest, since whenever a species gets too dominant or powerful it has higher chances of getting infected, thus keeping the diversity in balance” He further added, “We wanted to take that as an analogy and show how DIY and open source can be used to create ‘viruses’ for big tech companies.”

The hardware part of Project Alias is a plug-powered microphone/speaker unit that sits on top of a user’s smart speaker of choice. It’s powered by a fairly typical Raspberry Pi chipset.

[Figure: Input and output logic of Alias]

Both Amazon and Google have a poor track record of storing past conversations in the cloud. Project Alias, however, promises privacy. According to FastCompany, the smart home assistants “aren’t meant to listen in to your private conversations, but by nature, the devices must always be listening to a little to be listening at just the right time–and they can always mishear any word as a wake word.”

Knudsen says, “If somebody would be ready to invest, we would be ready for collaboration. But initially, we made this project with a goal to encourage people to take action and show how things could be different . . . [to] ask what kind of ‘smart’ we actually want in the future.”

To know more about Project Alias in detail, head over to Bjørn Karmann’s website or GitHub. Here’s a short video on the working of Project Alias: https://player.vimeo.com/video/306044007
Ahead of EU's vote on new copyright rules, EFF releases 5 key principles to guide copyright policy

Sugandha Lahoti
15 Jan 2019
3 min read
The Electronic Frontier Foundation (EFF) is taking part in Copyright Week. Its motto: “Copyright should encourage more speech, not act as a legal cudgel to silence it.” According to EFF, copyright law largely belongs to the media and entertainment industries, with little to no effect on other domains. Following this, EFF has teamed up with other organizations to participate in Copyright Week. They talk about five copyright issues that can help build a set of principles for copyright law. Participating organizations this year include the Association of Research Libraries, Authors Alliance, Copyright for Creativity, DisCo, iFixit, R Street, Techdirt, and Wikimedia. For 2019, they have highlighted five issues, and throughout the week they will be releasing blog posts and actions on these issues on their blog and on Twitter.

EFF’s copyright issues for this year:

Copyright as a Tool of Censorship: Freedom of expression is a fundamental human right essential to a functioning democracy. Copyright should encourage more speech, not act as a legal cudgel to silence it.

Device and Digital Ownership: As the things we buy increasingly exist either in digital form or as devices with software, we also find ourselves subject to onerous licensing agreements and technological restrictions. If you buy something, you should be able to truly own it, meaning you can learn how it works, repair it, remove unwanted features, or tinker with it to make it work in a new way.

Public Domain and Creativity: Copyright policy should encourage creativity, not hamper it. Excessive copyright terms inhibit our ability to comment, criticize, and rework our common culture.

Safe Harbors: Safe harbor protections allow online intermediaries to foster public discourse and creativity. Safe harbor status should be easy for intermediaries of all sizes to attain and maintain.

Filters: Whether as a result of corporate pressure or regulation, over-reliance on automated filters to patrol copyright infringement presents a danger to free expression on the Internet.

This month the EU is set to vote on new copyright rules. These new copyright laws have received major opposition from Europeans. Per EFF, Articles 11 and 13, also known as the “censorship machines” rule and the “link tax” rule, have the power to crush small European tech startups and expose half a billion Europeans to mass, unaccountable algorithmic censorship. Per Article 13 of the law, online platforms would be required to use algorithmic filters to unilaterally determine whether content anyone uploads, from social media posts to videos, infringes copyright; the law would penalize companies that allow a user to infringe copyright, but not companies that overblock and censor their users. The outcome would be censorship of massive proportions. The Directive is now in the hands of the European member states. EFF urges people from Sweden, Germany, Luxembourg, and Poland to contact their ministers to convey their concerns about Articles 13 and 11.
Facebook, Twitter, and other tech giants to fight against India’s new “intermediary guidelines” Reuters reports

Melisha Dsouza
14 Jan 2019
4 min read
According to a report by Reuters released late last month, the Indian Information Technology ministry has proposed rules that will compel major technology giants like Facebook, WhatsApp and Twitter to take down unlawful content affecting the “sovereignty and integrity of India”. Under the rules, this content will have to be taken down within 24 hours of notification by a court or a government body. The rules are proposed with the aim of achieving ‘a safer social media’. The proposal drafted by the ministry is open for public comment until 31st January 2019, after which it will be adopted as law, either ‘with or without changes’.

Now, Reuters reports that sources familiar with the matter have revealed that the tech giants are set to fight these rules regulating content in India. The country is one of the world’s biggest Internet markets, with about 300 million Facebook users, more than 200 million WhatsApp users, and millions of Twitter users as well. Reuters also reports that many U.S. and Indian lobby groups representing these top tech companies have started seeking legal opinions on the impact of these rules. They have also been advised by law firms on drafting objections to the rules to be filed with the IT ministry.

According to the Ministry of Electronics and Information Technology, the draft Intermediary Guidelines will “curb misuse of Social Media for mob lynching and other violence”. Last year, fake messages about child traffickers and kidnappers circulated through WhatsApp sparked mob lynchings in India. Mozilla Corp. called the proposal “a blunt and disproportionate” solution to regulating harmful online content, adding that the rules could lead to over-censorship of online content. Joint secretary at India’s IT ministry, Gopalakrishnan S, said that the proposal would ‘make social media safer’ and ‘not curb freedom of speech’.

Industry executives and civil rights activists disagree. They state that these rules could be used by the government of Prime Minister Narendra Modi to increase surveillance of the public, given that the proposal comes just ahead of India’s national election in May. Sources also expressed concern to Reuters that the rules will put user privacy at stake through round-the-clock monitoring of online content, because the rules require companies with more than 5 million Indian users to have a local office and a nodal officer for 24x7 coordination with law enforcement. The rules also mandate that, when questioned by the government, companies must reveal the origin of a message, which calls into question user confidentiality on platforms like WhatsApp that use end-to-end encryption to protect user privacy.

Twitter was abuzz with mixed sentiments. While some supported the motive of banishing fake news and misinformation from the internet, others were concerned about targeted surveillance.

https://twitter.com/akhileshsharma1/status/1081499612698083328
https://twitter.com/subhapa/status/1083240653272825856
https://twitter.com/subhapa/status/1083256991156453377

While the rules come just in time to prevent malicious actors from misusing social media platforms to spread fake news and sway voters, we cannot help but notice the strict impositions tech giants will face if this draft becomes law. You can head over to Reuters for the full coverage of this news.
Metasploit 5.0 released!

Savia Lobo
14 Jan 2019
3 min read
Last week, the Metasploit team announced the release of its fifth major version, Metasploit 5.0. This update introduces multiple new features including Metasploit’s new database and automation APIs, evasion modules and libraries, expanded language support, improved performance, and more. Metasploit 5.0 includes support for three module languages: Go, Python, and Ruby.

What’s new in Metasploit 5.0?

Database as a RESTful service
Metasploit 5.0 adds the ability to run the database by itself as a RESTful service on top of the existing PostgreSQL database backend from the 4.x versions. With this, multiple Metasploit consoles can easily interact with the same database. The change also offloads some bulk operations to the database service, which improves performance by allowing database work and regular msfconsole operations to proceed in parallel.

New JSON-RPC API
This new API will be beneficial for users who want to integrate Metasploit with new tools and languages. Until now, Metasploit supported automation only via its own unique network protocol, which made it difficult to test or debug using standard tools like ‘curl’.

A new common web service framework
Metasploit 5.0 also adds a common web service framework to expose both the database and the automation APIs; this framework supports advanced authentication and concurrent operations and paves the way for future services.

New evasion modules and libraries
The Metasploit team announced a new evasion module type, along with a couple of example modules, in 2008. With this module type, users can develop their own evasions, and a set of convenient libraries lets developers add new on-the-fly mutations to payloads. A recent module uses these evasion libraries to generate unique persistent services. With Metasploit 5.0’s generation libraries, users can now write shellcode in C.

Execution of an exploit module
The ability to execute an exploit module against more than one target at a time was a long-requested feature. Previously, an exploit module was limited to one host at a time, which meant any attempt at mass exploitation required writing a script or manual interaction. With Metasploit 5.0, any module can target multiple hosts by setting RHOSTS to a range of IPs or by referencing a hosts file with the file:// option.

Improved search mechanism
Metasploit’s slow search has been upgraded, and it now starts much faster out of the box. This means that searching for modules is always fast, regardless of how you use Metasploit. In addition, modules have gained a lot of new metadata capabilities.

New metashell feature
The new metashell feature allows users to background sessions with the background command, upload/download files, or even run resource scripts, all without needing to upgrade to a Meterpreter session first.

For backward compatibility, Metasploit 5.0 still supports running with just a local database, or with no database at all. It also supports the original MessagePack-based RPC protocol. To know more about this release in detail, read its release notes on GitHub.
Amazon’s Ring gave access to its employees to watch live footage of the customers, The Intercept reports

Amrata Joshi
11 Jan 2019
5 min read
According to a report by The Intercept, Ring, Amazon’s smart doorbell company, gave its employees access to watch live footage from customers’ cameras. As per the claim, Ring engineers and executives were allowed to watch the unfiltered footage of users. Last year in February, Amazon acquired Ring for $1 billion. Amazon had been in the news last year for a data breach in which the company leaked customers’ email addresses.

Ring markets its cameras, mounted as doorbells, as a security measure that acts like a privatized neighborhood watch while the user is away. Staff at Ring were able to gain access to cameras inside as well as outside the home, depending on where the devices were positioned. Ring has been accused of mishandling videos collected by the smart device and failing to protect the footage with encryption. A Ring customer’s email address is enough to get access to the cameras in that user’s home. According to The Information and The Intercept, Ring’s video annotation team would watch camera footage and tag objects, humans and other things in the video clips so that its object recognition software could improve. In 2016, Ring provided its Ukraine-based research and development team unfettered access to a folder on Amazon’s S3 cloud storage service that held unencrypted videos created by Ring cameras.

Ring’s Neighbors app, which lets users receive real-time crime and safety alerts, doesn’t mention image or facial recognition in its description. Ring’s terms of service and its privacy policy don’t mention the manual video annotation being conducted by humans. Ring tried to justify that the videos weren’t shared by the company. Ring responded to this post stating, “We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products. We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.”

https://twitter.com/briankrebs/status/1065219981833617408

Because of the privacy concerns, users are now skeptical about using Ring’s smart doorbell. One comment on Hacker News read, “The ring doorbell is installed at your front door. It records pretty much all movement to and from your house. It records audio at the doorstep, so if you're having a conversation with anyone at your doorstep, that gets recorded too.” Another user commented, “If some rando gets my ring doorbell footage and figures out where I live, that's hard to undo. If someone steals my stuff and gets away with it because I didn't have a ring doorbell, that's annoying but much easier to recover from. We are talking about the difference between an insurance claim and moving house.” According to a few users, this device is prone to DDoS attacks. One user commented, “Aside from the 700 person team given access to live video feeds and customer databases, the lack of proper security of this product makes it a PRIME target for DDOS attacks that could cripple infrastructure.”

But a few users are in favor of such devices, as they find them safe and convenient to use. One user commented, “These devices are extremely popular in my neighborhood, and cost/convenience is the only thing keeping them from being universal.” Another user commented, “I'd say, yes. I've been able to watch that many people see the ring (they see the camera), and they back right off the porch. It's been awesome in this respect, people simply ring it less.”

Some users believe such surveillance devices shouldn’t use the cloud but should instead store data locally. Others are now looking for alternatives like the Xiaomi Dafang camera, RCA doorbell camera, and Blue Iris. This news surely makes one reflect on how home appliances could be monitored by companies or hackers and personal data might get misused.

Note: We have edited this news to include the response from the Ring team to our post.
Hyatt Hotels launches public bug bounty program with HackerOne

Natasha Mathur
11 Jan 2019
3 min read
Hyatt Hotels Corporation launched its bug bounty program with HackerOne earlier this week. As part of the program, ethical hackers are invited to test Hyatt websites and apps to spot potential vulnerabilities. “At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” stated Hyatt Chief Information Security Officer Benjamin Vaughn.

Hyatt Hotels Corporation is headquartered in Chicago and is a leading global hospitality company with a portfolio of 14 premier brands. Hyatt’s portfolio includes more than 750 properties in more than 55 countries across six continents. Hyatt chose HackerOne’s bug bounty program after conducting a deep review of the bug bounty marketplace. HackerOne’s bug bounty programs reward friendly hackers who help discover security vulnerabilities in important software on the internet. Hyatt is the first in the hotel industry to launch a bug bounty program. “By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers”, stated the Hyatt team.

The program launched by Hyatt with HackerOne was originally available as an invite-only private program, in which Hyatt paid hackers about $5,600 in bounties (bug bounty rewards). This has changed, as the bug bounty program is now public. Hackers are allowed to search for vulnerabilities on the hyatt.com domain, www.hyatt.com, m.hyatt.com, world.hyatt.com, and on Hyatt’s mobile apps for iOS and Android. The company will pay hackers $4,000 for critical vulnerabilities and $300 for low-severity issues.

The company will reward hackers for finding vulnerabilities such as novel origin IP address discovery, authentication bypass, back-end system access via front-end systems, business logic bypass, container escape, SQL injection, cross-site request forgery, exploitable cross-site scripting, and WAF bypass, among other issues. “Bug bounty programs are a proven method for advancing an organization’s cybersecurity defenses. In today’s connected society, vulnerabilities will always be present. Organizations like Hyatt are leading the way by taking this essential step to secure the data they are trusted to hold”, said HackerOne CEO Marten Mickos.
FireEye’s Global DNS Hijacking Campaign suspects Iranian-based group as the prime source

Savia Lobo
11 Jan 2019
3 min read
FireEye, a US cybersecurity firm, has disclosed details of a global DNS hijacking campaign. In its recent report, the company shared that it has identified widespread DNS hijacking affecting multiple domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. FireEye analysts believe an Iranian-based group is the source behind these attacks, although they do not have definitive proof. The analysts also said that they “have been tracking this activity for several months, mapping and understanding the innovative tactics, techniques and procedures (TTPs) deployed by the attacker”. The FireEye Intelligence team has also identified access from Iranian IPs to machines used to intercept, record and forward network traffic. The team also mentions that these IP addresses were previously observed during the response to an intrusion attributed to Iranian cyber espionage actors.

The FireEye report highlights three different techniques used to conduct these attacks.

Techniques to manipulate DNS records and enable victim compromise

1. Altering DNS A Records
[Figure: Altering DNS A Records. Source: FireEye]
Here the attackers first logged into a proxy box used to conduct non-attributed browsing and as a jumpbox to other infrastructure. The attacker then logged into the DNS provider’s administration panel using previously compromised credentials. The attackers changed the DNS A records for the victim’s mail server in order to redirect it to their own mail server. They used Let’s Encrypt certificates to support HTTPS traffic, and a load balancer to redirect victims back to the real email server after collecting login credentials from victims on their shadow server. The username, password and domain credentials were harvested and stored.

2. Altering DNS NS Records
[Figure: Altering DNS NS Records. Source: FireEye]
This technique is the same as the previous one, except that here the attacker exploits a previously compromised registrar or ccTLD.

3. A DNS Redirector
[Figure: A DNS Redirector. Source: FireEye]
This technique combines the previous two. The DNS Redirector is an attacker operations box that responds to DNS requests. Here, if the requested domain belongs to the targeted company, OP2 responds with an attacker-controlled IP address, and the user is redirected to attacker-controlled infrastructure.

Analysts said that a large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates. These include telecoms and ISP providers, internet infrastructure providers, and government and sensitive commercial entities. According to the FireEye report, “While the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim's domain registrar account.” To know more about this news in detail, read the FireEye report.
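Each of the three techniques above leaves a trace a defender can watch for: an A record for the mail host that suddenly points outside the organization's own address space, an NS delegation that moves to name servers the organization never registered, or a certificate for one of its hosts issued by a CA it does not use. The following is an added example, not FireEye's tooling or part of the original report; it compares a baseline zone snapshot with a live snapshot and classifies the drift. All zone data, network ranges and issuer names below are constructed.

```python
"""Baseline-drift check for the DNS hijacking patterns described in the FireEye report.
Added example (not FireEye's code). Every record, range and issuer here is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

Record = tuple[str, str]        # (owner name, record type), e.g. ("mail.example.test", "A")
Zone = dict[Record, set[str]]   # record -> set of values (IPs for A, hostnames for NS)


@dataclass(frozen=True, order=True)
class Finding:
    severity: str   # "high" sorts before "medium"
    kind: str       # machine-readable tag for alert routing
    subject: str    # record owner or hostname the finding is about
    detail: str


def _in_owned_space(ip: str, owned_networks: list[str]) -> bool:
    """True if the IP lies inside address space the organization controls."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in owned_networks)


def audit_zone(baseline: Zone, observed: Zone, owned_networks: list[str],
               expected_issuers: dict[str, set[str]],
               observed_issuers: dict[str, str]) -> list[Finding]:
    """Diff live DNS data and certificate issuers against a trusted baseline."""
    findings: list[Finding] = []

    for record, expected in baseline.items():
        name, rtype = record
        current = observed.get(record)
        if current is None:
            findings.append(Finding("medium", "record_missing", name,
                                    f"{rtype} record absent from live lookup"))
            continue
        if current == expected:
            continue
        if rtype == "NS":
            # Technique 2: delegation rewritten at the registrar or ccTLD level.
            findings.append(Finding("high", "ns_delegation_changed", name,
                                    f"NS set {sorted(expected)} -> {sorted(current)}"))
        elif rtype == "A":
            # Technique 1: A record repointed, typically for the mail host.
            foreign = sorted(ip for ip in current - expected
                             if not _in_owned_space(ip, owned_networks))
            if foreign:
                findings.append(Finding("high", "a_record_outside_owned_space", name,
                                        f"now resolves to {foreign}"))
            else:
                findings.append(Finding("medium", "a_record_changed", name,
                                        f"{sorted(expected)} -> {sorted(current)}"))
        else:
            findings.append(Finding("medium", "record_changed", name,
                                    f"{rtype} {sorted(expected)} -> {sorted(current)}"))

    for record in observed.keys() - baseline.keys():
        findings.append(Finding("medium", "unexpected_record", record[0],
                                f"new {record[1]} record not in baseline"))

    # Fraudulent-but-valid certificates: a cert from an issuer the org never uses.
    for host, issuer in observed_issuers.items():
        if issuer not in expected_issuers.get(host, set()):
            findings.append(Finding("high", "unexpected_cert_issuer", host,
                                    f"certificate issued by {issuer!r}"))
    return sorted(findings)


# Constructed baseline for a fictitious zone and its owned address space.
BASELINE: Zone = {
    ("example.test", "NS"): {"ns1.example.test", "ns2.example.test"},
    ("mail.example.test", "A"): {"203.0.113.25"},
    ("www.example.test", "A"): {"203.0.113.10"},
}
OWNED_NETWORKS = ["203.0.113.0/24"]
EXPECTED_ISSUERS = {"mail.example.test": {"Example Corporate CA"}}


def sample_a_record_hijack() -> list[Finding]:
    """Constructed: mail host repointed to an outside IP and served with a new cert."""
    observed = {**BASELINE, ("mail.example.test", "A"): {"198.51.100.77"}}
    issuers = {"mail.example.test": "Constructed Free CA"}
    return audit_zone(BASELINE, observed, OWNED_NETWORKS, EXPECTED_ISSUERS, issuers)


def sample_ns_hijack() -> list[Finding]:
    """Constructed: delegation moved to foreign name servers, host records untouched."""
    observed = {**BASELINE, ("example.test", "NS"): {"ns1.attacker-dns.test"}}
    issuers = {"mail.example.test": "Example Corporate CA"}
    return audit_zone(BASELINE, observed, OWNED_NETWORKS, EXPECTED_ISSUERS, issuers)


if __name__ == "__main__":
    for f in sample_a_record_hijack() + sample_ns_hijack():
        print(f"[{f.severity}] {f.kind} {f.subject}: {f.detail}")
```

In practice the observed snapshot would come from querying authoritative servers and a Certificate Transparency log on a schedule; the NS check in particular should be run against the parent zone, since a registrar-level change is invisible to the victim's own name servers.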
Using deep learning methods to detect malware in Android Applications

Savia Lobo
10 Jan 2019
5 min read
Researchers from the North China Electric Power University have recently published a paper titled ‘A Review on The Use of Deep Learning in Android Malware Detection’. The researchers highlight that Android applications can be built not only by legitimate application developers but also by malware developers with criminal intent, who design and spread malicious applications that disrupt the normal operation of Android phones and tablets, steal personal information and credentials, or, even worse, lock the phone and demand a ransom. In this paper, they explain how deep learning methods can be used as a countermeasure in Android malware detection.

Android Malware Detection Techniques

The researchers note that one critical point about mobile phones is that they are sensor-based event systems, which permits malware to respond to incoming SMS messages, location changes and so forth, raising the bar for automated malware-analysis techniques. Moreover, apps can use services and activities and integrate several programming languages (e.g. Java and C++) in one application. Each application is analyzed in the following stages:

Static Analysis

Static analysis screens parts of the application without actually executing them. It incorporates signature-based, permission-based and component-based analysis. The signature-based strategy extracts features and builds distinctive signatures to identify specific malware; hence, it fails to recognize variants or previously unseen malware. The permission-based strategy inspects permission requests to distinguish malware. Component-based techniques decompile the app to extract and inspect the definitions and bytecode connections of significant components (i.e. activities, services, etc.) in order to identify exposures. The principal drawbacks of static analysis are the lack of real execution paths and suitable execution conditions.

Dynamic Analysis

This technique involves executing the application on either a virtual machine or a physical device, which gives a less abstract perspective on the application than static analysis. The code paths executed at runtime are a subset of all accessible paths, so the principal objective of the analysis is to achieve high code coverage: every feasible event ought to be triggered in order to observe any possible malicious behavior.

Hybrid Analysis

Hybrid analysis combines static features gathered by examining the application with dynamic features drawn while the application is running. This boosts the accuracy of detection, but its principal drawback is that it consumes Android system resources and takes a long time to perform.

Use of deep learning in Android malware detection

Currently available machine learning has several weaknesses, and some open issues related to the use of DL in Android malware detection include:

Deep learning lacks transparency to provide an interpretation of the decisions its methods make. Malware analysts need to understand how a decision was made.
There is no assurance that classification models built on deep learning will perform in different conditions, with new data that does not match the training data.
Deep learning learns complex correlations between input and output features with no innate representation of causality.
Deep learning models are not autonomous; they need continual retraining and careful parameter tuning.
In the training phase, DL models are subject to data poisoning attacks, which are implemented simply by manipulating the training set and injecting data that causes the model to make errors.

In the testing phase, the models are exposed to several attack types, including:

Adversarial attacks: the DL model’s inputs are ones an adversary has crafted deliberately to cause the model to make mistakes.
Evasion attack: the intruder exploits malicious instances at test time to have them misclassified as benign by a trained classifier, without affecting the training data. This can breach system integrity with either a targeted or an indiscriminate attack.
Impersonate attack: this attack mimics data instances from targets. The attacker crafts particular adversarial instances such that current deep learning-based models mistakenly classify original instances with labels different from the imitated ones.
Inversion attack: this attack uses the APIs exposed by machine learning systems to gather fundamental information about the target system’s models. It is divided into two types, white-box and black-box. A white-box attack implies that the attacker can freely access and download the learning models and other supporting data, while in a black-box attack the attacker knows only the APIs exposed by the learning models and some observations after providing input.

According to the researchers, hardening deep learning models against different adversarial attacks and detecting, describing and measuring concept drift are vital future work in Android malware detection. They also noted that the limitations of deep learning methods, such as lack of transparency and the need for continual retraining, must be addressed in order to build more efficient models. To know more about this research in detail, read the research paper.
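As an added example (not code from the paper or the article), the following Python snippet carries out the permission-based and component-based parts of the static analysis described above on a constructed AndroidManifest.xml, assuming the APK has already been decompiled to plain XML: the permissions requested and the intent actions that components register for (such as incoming SMS or boot, the events the review says malware responds to) are turned into a binary feature vector that a classifier could consume.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the paper or the article. It performs the
# permission-based and component-based parts of the static analysis described
# above on a decoded AndroidManifest.xml (the APK is assumed to have already
# been decompiled to plain XML) and turns the result into a 0/1 feature vector
# a classifier could consume. Manifest and feature vocabulary are constructed.

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Feature vocabulary: one slot per permission request or registered action.
PERMISSION_FEATURES = [
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW",
]
ACTION_FEATURES = [
    "android.provider.Telephony.SMS_RECEIVED",  # component wakes on incoming SMS
    "android.intent.action.BOOT_COMPLETED",     # component wakes at boot
]

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

def requested_permissions(manifest_xml):
    """Permission-based analysis: the sorted list of permissions the app requests."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return sorted(n for n in names if n)

def registered_actions(manifest_xml):
    """Component-based analysis: map each (type, name) component to the intent
    actions it registers for, i.e. the events that can wake it."""
    root = ET.fromstring(manifest_xml)
    components = {}
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            actions = [a.get(ANDROID_NS + "name")
                       for a in comp.iter("action") if a.get(ANDROID_NS + "name")]
            components[(tag, comp.get(ANDROID_NS + "name"))] = actions
    return components

def feature_vector(manifest_xml):
    """0/1 vector over PERMISSION_FEATURES followed by ACTION_FEATURES."""
    perms = set(requested_permissions(manifest_xml))
    actions = {a for acts in registered_actions(manifest_xml).values() for a in acts}
    return ([1 if p in perms else 0 for p in PERMISSION_FEATURES]
            + [1 if a in actions else 0 for a in ACTION_FEATURES])

if __name__ == "__main__":
    print(requested_permissions(SAMPLE_MANIFEST))
    print(registered_actions(SAMPLE_MANIFEST))
    print(feature_vector(SAMPLE_MANIFEST))
```

Because this is purely static, a variant that requests the same permissions under a different package name still yields the same vector, while an app that registers its receivers at runtime instead of in the manifest yields nothing, which is the execution-path blind spot the review attributes to static analysis.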

TLS comes to Google public DNS with support for DNS-over-TLS connections

Prasad Ramesh
10 Jan 2019
2 min read
In a blog post yesterday, Google announced that its public DNS now supports Transport Layer Security (TLS).

Google DNS

Google’s public Domain Name System (DNS) service is the world’s largest address resolver. The service allows anyone using it to convert a human-readable domain name into the addresses used by browsers. Like search history, the domains a user looks up through DNS can expose sensitive information. With DNS-over-TLS, users can add security to the queries between their devices and Google Public DNS.

Google DNS-over-TLS

The need for protection from forged websites and surveillance has grown over the years. The DNS-over-TLS protocol provides a standard way to secure and maintain the privacy of DNS traffic between users and resolvers. Users can now secure their connections to Google Public DNS with TLS, the same technology that makes HTTPS connections secure. Google’s DNS-over-TLS implementation follows the RFC 7766 recommendations, which minimize the overhead of using TLS, and supports TLS 1.3, TCP Fast Open, and pipelining of multiple queries over a single connection. The service is deployed on Google’s own infrastructure, which Google claims provides reliable and scalable management of DNS-over-TLS connections.

Enabling DNS-over-TLS connections

DNS-over-TLS can be used by Android 9 Pie users. Linux users can use the Stubby resolver to communicate with the DNS-over-TLS service. If you run into problems, you can file an issue.

A comment on Hacker News says: “This is a DNS provided by Google, a company that earns money by analysing user data. If you want privacy, run your own DNS.” But Google has stated in its guides that it does not store any personally identifiable information long term.
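As an added example (not code from the article or from Google), the following Python sketch shows the RFC 7766 framing the article mentions: a DNS query is built in wire format, prefixed with a two-byte length, sent over a certificate-verified TLS connection, and the answers are matched back to their queries by transaction ID so that several queries can be pipelined on one connection. The resolver address 8.8.8.8, port 853 and the certificate name dns.google are assumed well-known values, not taken from the text; the parser can be exercised offline on constructed messages.

```python
import socket
import ssl
import struct

# Added example, not code from the article or from Google. It shows the
# RFC 7766 framing that DNS-over-TLS inherits from DNS-over-TCP: each DNS
# message on the TLS stream carries a 2-byte big-endian length prefix, which
# is what lets several queries be pipelined on one connection. Assumed values
# (well known, not from the text): Google Public DNS at 8.8.8.8, port 853 for
# DNS-over-TLS, and "dns.google" as the name to verify on the certificate.
GOOGLE_DNS_IP = "8.8.8.8"
GOOGLE_DNS_TLS_NAME = "dns.google"
DOT_PORT = 853

def build_query(name, txn_id):
    """Return a recursive A query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame(message):
    """RFC 7766 framing: a 2-byte length prefix precedes every DNS message."""
    return struct.pack("!H", len(message)) + message

def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(message):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    if flags & 0x000F:  # non-zero RCODE (e.g. NXDOMAIN): no usable answers
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(message, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(message, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", message[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in message[off:off + 4]))
        off += rdlen
    return addrs

def read_framed(sock):
    """Read one length-prefixed DNS message from the TLS stream."""
    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("DNS-over-TLS stream closed early")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", recv_exact(2))
    return recv_exact(length)

def resolve_over_tls(names):
    """Pipeline A queries for `names` on one TLS connection; map name -> IPs."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((GOOGLE_DNS_IP, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=GOOGLE_DNS_TLS_NAME) as tls:
            by_id = {i + 1: n for i, n in enumerate(names)}
            tls.sendall(b"".join(frame(build_query(n, i)) for i, n in by_id.items()))
            results = {}
            for _ in by_id:  # answers may arrive in any order; match on txn id
                msg = read_framed(tls)
                (txn,) = struct.unpack("!H", msg[:2])
                results[by_id[txn]] = parse_a_records(msg)
            return results
```

Calling resolve_over_tls(["example.com", "example.org"]) needs network access; the default SSL context rejects a resolver whose certificate does not match dns.google, which is the property that distinguishes this from plain DNS over TCP.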

ProtonMail shares guidelines to help organizations achieve EU GDPR compliance

Natasha Mathur
09 Jan 2019
5 min read
ProtonMail launched an online resource site yesterday, called "GDPR.eu", that offers a complete compliance guide to the EU’s General Data Protection Regulation (GDPR). GDPR is considered the toughest privacy and security law in the world. The law imposes obligations on organizations that collect users’ personal data across Europe, and provides for fines of tens of millions of euros against organizations that violate its privacy and security rules. The GDPR compliance guide offers detailed information about the GDPR and answers questions such as “how to write a GDPR-compliant privacy notice”, “how does GDPR affect email” and “what is a GDPR data protection officer (DPO)”. Let’s have a look at some of the key topics covered in the guide.

GDPR-compliant privacy notice

A GDPR privacy notice is a public document from an organization that gives details on how it processes a user’s personal data and how it applies GDPR’s data protection principles. The information that needs to be included in the privacy notice varies depending on two factors: a) whether the organization collected the data directly from the individual, or b) whether it received the data via a third party. As per the GDPR, organizations need to provide their users with a privacy notice that is:

concise, transparent, intelligible, and presented in an easily accessible form;
written in clear and plain language, especially for information addressed specifically to a child;
delivered properly and in a timely manner;
provided free of charge.

The guide also mentions some best practices for writing a privacy notice. It notes that phrases such as “we may use your personal data to develop services” or “we may use your personal data for research purposes” should not be used in a public notice, as they don’t give a clear picture of how an organization intends to use that data. Instead, phrases such as “we will retain your shopping history and use details of the products that you have previously purchased to make better suggestions to you for other products” are much better and more informative.

GDPR email compliance

The GDPR compliance guide provides information on how the GDPR affects email. It states that the GDPR does not ban email marketing by any means; instead it encourages organizations to do effective email marketing. “A good marketing email should ideally provide value to the recipient and be something they want to receive anyway. What the GDPR does is clarify the terms of consent, requiring organizations to ask for an affirmative opt-in to be able to send communications. And you must also make it easy for people to change their mind and opt-out”, states the guide. The guide also covers another aspect of email: email security. As per Article 5(f) of the GDPR, it is the responsibility of an organization to protect users’ personal data against accidental loss, destruction or damage by implementing appropriate technical or organizational measures. Moreover, the guide states that, in order to avoid liability, it is important for organizations to educate their teams about email safety. For instance, implementing basic steps such as two-factor authentication is a good step toward protecting user data and complying with the GDPR.

GDPR Data Protection Officer (DPO)

The GDPR states that, under certain conditions, organizations must appoint a Data Protection Officer to oversee the organization’s GDPR compliance. The DPO should possess expert knowledge of data protection law and practice. Article 38 of the GDPR states that no other employee within an organization can issue instructions to the DPO regarding the performance of their tasks. DPOs have wide-ranging responsibilities, and the position is protected from interference by other employees within the organization. Also, the DPO reports only to the highest level of management at the organization. The GDPR does not list specific qualifications for a DPO. However, it does say that the level of knowledge and experience required of an organization’s DPO should be determined by the complexity of its data processing operations. The GDPR compliance guide mentions three criteria under which an organization must appoint a DPO:

Public authority: the processing of personal data is handled by a public body or public authority.
Large scale and regular monitoring: the processing of personal user data is the main activity of an organization that regularly and systematically observes user data on a large scale.
Large-scale special data categories: the processing of specific “special” categories of data is carried out on a large scale within the organization.

Apart from these major guidelines, the GDPR compliance guide also offers an overview of the GDPR, a GDPR compliance checklist, GDPR forms and templates, along with the latest news and updates regarding the GDPR. Check out the complete GDPR compliance guide here.

Ethereum classic suffered a 51% attack; developers deny, state a new ASIC card was tested

Prasad Ramesh
08 Jan 2019
3 min read
Yesterday there were discussions on Twitter about a 51% attack on Ethereum Classic, which would be a possible chain reorganization or double-spend attack. However, Ethereum Classic developers denied it and have shed some light on the incident. Ethereum Classic is the original version of Ethereum, which suffered a major hack in 2016. The developers then forked it and used the fork to create a new version where the hack was fixed; this new version was called Ethereum.

https://twitter.com/eth_classic/status/1082045223310483457

A 51% attack is when one or more parties control more than 50% of the compute power (hash rate) in the network. Such a party could mine a large number of blocks in the network, double spend coins and reward themselves unfairly. Double spending is exactly what it sounds like: paying the same coins twice. In a chain reorganization, one or more miners have significantly more hash rate than the rest of the network. Such a miner can define a new transaction history on the network. Etherchain tweeted that there was a successful 51% attack on Ethereum Classic.

https://twitter.com/etherchain_org/status/1082329360948969472

Cryptocurrency exchange Coinbase published a post noting the same: “On 1/5/2019, Coinbase detected a deep chain reorganization of the Ethereum Classic blockchain that included a double spend. In order to protect customer funds, we immediately paused movements of these funds on the ETC blockchain. Subsequent to this event, we detected 8 additional reorganizations that included double spends, totaling 88,500 ETC (~$460,000)”.

Amidst the confusion, fear and falling ETC value, the Ethereum Classic team has responded to the incident. The latest update from official Ethereum Classic sources contradicts the Coinbase report. They said that this activity was selfish mining and not a 51% attack: ‘No double spends were detected’. They said that an ASIC manufacturer, Linzhi, was testing their new ethash machines, which had a power of 1,400/Mh. The tweet seems to have been removed, but its contents stated: “Regarding the recent mining events. We may have an idea of where the hashrate came from. ASIC manufacturer Linzhi confirmed testing of new 1,400/Mh ethash machines #projectLavaSnow – Most likely selfish mining (Not 51% attack) – Double spends not detected (Miner dumped blocks)”

A more recent tweet from Ethereum Classic states that both the Coinbase account and the ASIC-testing explanation may be true.

https://twitter.com/eth_classic/status/1082392663314202624

Currently, ETC is 18th by market cap, with a market capitalization of ~$540 million.
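As an added illustration (not from the article or from Ethereum Classic), the following Python snippet applies the attacker-catch-up calculation from the Bitcoin whitepaper to a proof-of-work chain such as ETC: it gives the probability that a miner with a hash-rate share q rewrites a block buried z confirmations deep, and shows why no confirmation depth protects an exchange once q reaches 50%.

```python
import math

# Added example, not from the article or from Ethereum Classic. It applies the
# attacker-catch-up analysis from the Bitcoin whitepaper (gambler's ruin plus a
# Poisson model of honest progress) to any proof-of-work chain such as ETC: the
# chance that a miner holding a fraction q of the hash rate rewrites a block
# buried z confirmations deep, which is what a deep chain reorganization with a
# double spend requires.

def reorg_probability(q, z):
    """Probability that an attacker with hash share q ever overtakes the honest
    chain when starting z blocks behind it."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be a hash-rate fraction in [0, 1)")
    p = 1.0 - q                       # honest share of the hash rate
    if q >= p:                        # 50% or more: the attacker wins for sure
        return 1.0
    lam = z * q / p                   # expected attacker blocks while honest miners mine z
    covered = 0.0
    for k in range(z + 1):            # k = attacker blocks found in that time
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        covered += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - covered

def confirmations_required(q, max_risk, limit=10_000):
    """Smallest confirmation depth z with reorg_probability(q, z) < max_risk,
    or None when no finite depth suffices (q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if reorg_probability(q, z) < max_risk:
            return z
    return None

if __name__ == "__main__":
    depths = [0, 6, 12, 24]
    for q in (0.1, 0.3, 0.45, 0.51):
        row = "  ".join(f"z={z}: {reorg_probability(q, z):.7f}" for z in depths)
        print(f"q={q:.2f}  {row}")
    for q in (0.1, 0.3, 0.51):
        print(f"confirmations for <0.1% risk at q={q}: {confirmations_required(q, 0.001)}")
```

The model assumes the remaining hash rate is honest and that the attacker mines in secret and only publishes once ahead, which is the selfish-mining scenario the ETC developers describe; with a majority of the hash rate the probability is 1 at every depth, so a confirmation count is not a defence and only observing reorganizations, as Coinbase did, tells an exchange something has gone wrong.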

After BitPay, Coinbase bans Gab accounts and its founder, Andrew Torba

Amrata Joshi
07 Jan 2019
4 min read
According to a tweet posted by the official Gab account last week, Coinbase banned the Coinbase merchant account of Andrew Torba (founder of Gab, the social media platform). Gab’s business account on Coinbase had already been closed in December, as reported by the blockchain blog Breaker. In November, Gab was banned by BitPay, the cryptocurrency payment processor. In August 2017, Gab was banned by Google, which removed the app from the Google Play store for violating the company’s hate speech policy. Last year in July, Microsoft threatened to stop hosting the site after a pair of anti-Semitic posts were published on it. In 2017, Gab was banned by Apple and removed from the App Store because of objectionable content. Just two months ago, even GoDaddy banned Gab for breaking the domain registrar’s rules against hosting violent content. Other companies like Medium, Stripe and Shopify have also banned Gab.

Possible reasons for getting banned

Gab describes itself on its website as a “social network that champions free speech, individual liberty and the free flow of information online. All are welcome.” According to the blockchain blog Breaker, one of the major reasons it is hard for Gab to get a payment processor is its reputation as the social network for users banned from mainstream platforms because of hate speech. As per a report by the New York Times, last October the alleged Pittsburgh shooter, Robert Bowers, used Gab to post a final message before attacking the synagogue. After that, Torba stated that the Pittsburgh shooter doesn’t represent Gab’s broader user base. PayPal also banned Gab after the Pittsburgh incident. The official logo of Gab has also attracted controversy because its green frog resembles Pepe the Frog, a cartoon character that became popular in racist memes.

As per a post by Cointelegraph, last April the Coinbase merchandise shop of WikiLeaks, the anonymous international publishing nonprofit, was closed due to a terms of service violation.

Users have given mixed reactions to this news. Some users are not happy about it and are questioning Coinbase for restricting freedom through censorship. Many users who got banned are unhappy and are now comparing Coinbase with other platforms like Gemini and Cex.io.

https://twitter.com/TallHandsomeOne/status/1081277877184802820

https://twitter.com/Hashmandu/status/1081261838568996866

Coinbase users are now agitated and even planning to close their Coinbase accounts. Some are also planning to move their bitcoins off Coinbase.

https://twitter.com/caballoantares/status/1081563003240308741

https://twitter.com/_Fruhmann_/status/1081409047679643648

According to some users, the idea of bitcoin is freedom, and the whole idea of a bitcoin exchange is ruined by Coinbase’s strategies, which they see as anti-freedom. Users are now looking forward to decentralized exchanges, cryptocurrency exchanges without a central authority. Users are awaiting Skycoin’s first working decentralized exchange, which is built directly into its software wallet. Skywire, Skycoin's flagship app, is expected to launch soon; Skywire aims to build a decentralized internet that is fully encrypted and censorship-proof. Users are also angry at Brian Armstrong, the founder of Coinbase, and are labelling him a hypocrite, since he has talked about economic freedom and his latest move departs from it. A few users think the decision taken by Coinbase was wise and that it makes sense to ban platforms like Gab.

https://twitter.com/livingrightco/status/1081578325104095233

Check the official announcement on Twitter.

NSA to release ‘GHIDRA’, their reverse engineering framework, to the public at RSA Conference 2019

Melisha Dsouza
07 Jan 2019
2 min read
The National Security Agency (NSA) will publicly release its reverse engineering framework, GHIDRA, for the first time at the RSA Conference (Rivest, Shamir, and Adleman security conference) to be held in March 2019. According to the official announcement on the RSA blog, the framework will be introduced by NSA’s Senior Advisor Robert Joyce. According to NSA, GHIDRA has ‘an interactive GUI capability that enables reverse engineers to leverage an integrated set of features that run on a variety of platforms including Windows, Mac OS, and LINUX and supports a variety of processor instruction sets’.

This is what we know about GHIDRA so far:

In March 2017, WikiLeaks leaked the CIA Vault 7 documents, which highlighted the various tools utilized by the CIA. The leaked documents included numerous references to a reverse engineering tool called ‘GHIDRA’ that was developed by the NSA at the start of the 2000s.
For the past few years, GHIDRA has been shared with other US government agencies whose cyber teams look at the inner workings of malware strains or suspicious software.
GHIDRA is a ‘disassembler’ that breaks software down into its assembly code so that humans can analyze malware and other suspected malicious software.
GHIDRA is built in Java, runs on Linux, Mac and Windows, and has a graphical user interface.
With GHIDRA, developers can analyze the binaries of all major operating systems, including mobile platforms like Android and iOS.
NSA is expected to add GHIDRA to NSA's code repository hosted on GitHub, where the agency has released several other open source programs.

Some people familiar with this tool have shared opinions on Hacker News, Reddit and Twitter, comparing GHIDRA with IDA, another well-known reverse engineering tool.

Source: HackerNews

Head over to RSA’s official blog to check out the announcement. Alternatively, check out SiliconANGLE for more insights on this news.

Researchers release unCaptcha2, a tool that uses Google’s speech-to-text API to bypass the reCAPTCHA audio challenge

Natasha Mathur
07 Jan 2019
3 min read
A team of researchers at the University of Maryland released unCaptcha2 last week, an updated version of their tool unCaptcha, which defeated Google's reCAPTCHA audio challenge with 85.15% accuracy in 2017. Google’s audio challenge is aimed at solving reCAPTCHA's accessibility problem for visually impaired people who can’t see where to "tick the box" to prove that they’re human and not a robot. Hence, they’re offered an option to listen to an audio clip and enter what they hear as a response.

unCaptcha, released in 2017, managed to pass the reCAPTCHA audio system using an approach that involved downloading the audio and segmenting it. The segments were then uploaded to multiple speech-to-text services, which in turn would transcribe the message. Finally, the response obtained would be typed into the reCAPTCHA form to solve the challenge. However, after the attack in 2017, Google updated the reCAPTCHA form with changes such as improved browser automation detection and the use of spoken phrases instead of digits. These changes successfully protected reCAPTCHA from the 2017 unCaptcha attack but failed to protect it from the new unCaptcha2.

“As of June 2018, these challenges have been solved. The reCAPTCHA team..is..fully aware of this attack. The team has allowed us to release the code. The code now only needs to make a single request to a free, publicly available speech to text API (by Google) to achieve around 90% accuracy over all the captchas”, states the team.

unCaptcha2 makes use of a screen clicker that lets it move to certain pixels on the screen and move around the webpage as a human would. However, this method is not very robust and still needs more work. unCaptcha2 also takes a different approach from the first version: it no longer requires multiple speech-to-text engines or the segmentation step. unCaptcha2 involves navigating to Google's reCAPTCHA demo site, navigating to the audio challenge and downloading it. The audio challenge is then submitted to a speech-to-text service. Finally, the response obtained is typed in and submitted to solve the challenge.

“unCaptcha2, like the original version, is meant to be a proof of concept. As Google updates its service, this repository will not be updated. As a result, it is not expected to work in the future, and is likely to break at any time,” state the researchers.