
Tech News - Security

470 Articles
FBI takes down some ‘DDoS for hire’ websites just before Christmas

Prasad Ramesh
21 Dec 2018
2 min read
This Thursday a California federal judge granted the FBI warrants to take down several websites providing DDoS attack services. The FBI seized the domains just before the Christmas holidays, a season in which hackers have launched DDoS attacks in the past. The attacks are mainly aimed at gaming services like PlayStation Network, Xbox, Steam, EA Online, etc.

According to the document, these 15 ‘booter’ websites were taken down: anonsecurityteam.com, critical-boot.com, defianceprotocol.com, ragebooter.come, str3ssed.me, bullstresser.net, quantumstress.net, booter.ninja, downthem.org, netstress.org, Torsecurityteam.org, Vbooter.org, defcon.pro, request.rip and layer7-stresser.xyz.

According to the filed affidavits, three men were charged with operating the websites: Matthew Gatrel, 30, and Juan Martinez, 25, from California; and David Bukoski, 23, from Alaska. The U.K.’s National Crime Agency, the Netherlands Police, and the U.S. Department of Justice, along with companies like Cloudflare, Flashpoint, and Google, made joint efforts for the takedown. The takedown will most likely be followed by arrests soon.

As per the affidavit, some of these sites were capable of attacks exceeding 40 Gigabits per second (Gbit/s), enough to render some websites dead for a long time.

Hackers have stated previously to the Telegraph that the rationale behind attacks on gaming websites during the Christmas season is about the holiday spirit. They say that Christmas is not about “children sitting in their rooms and playing games, it is about spending time with their families.”

What is a DDoS attack?

DDoS attacks have long been a problem, dating back to the 70’s. An attacker infects and uses multiple machines to target a network service and flood it with packets of useless data so that legitimate users are denied service. The goal of these attacks is to temporarily make the target services unavailable to their users.

This story was initially reported by TechCrunch.

Microsoft urgently releases Out-of-Band patch for an active Internet Explorer remote code execution zero-day vulnerability

Melisha Dsouza
20 Dec 2018
3 min read
Yesterday, Microsoft released an out-of-band patch for a vulnerability in Internet Explorer that attackers are actively exploiting on the Internet. The IE zero-day can allow an attacker to execute malicious code on a user's computer. The vulnerability has been assigned ID CVE-2018-8653 and the security update is released as KB4483187, titled "Cumulative security update for Internet Explorer: December 19, 2018". It is available for Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 SP1, Internet Explorer 10 on Windows Server 2012, and Internet Explorer 9 on Windows Server 2008.

Microsoft has acknowledged Clement Lecigne of Google’s Threat Analysis Group for reporting the exploitation of this Internet Explorer vulnerability. Apart from the security advisory released yesterday, neither Microsoft nor Google has shared any details about the attacks involving the flaw.

Vulnerability Details

According to Microsoft's security advisory, the remote code execution vulnerability was found in IE’s memory handling in Jscript.dll. An attacker could corrupt IE’s memory to allow code execution on the affected system. The attacker could convince a user to visit a malicious website, which could then exploit this vulnerability, executing code on the user’s local machine. After exploiting the vulnerability, the attackers would be able to perform commands on the victim's system such as downloading further malware or scripts, or executing any command that the currently logged-in user has access to. The issue can also be exploited through applications that embed the IE scripting engine to render web-based content, such as the apps in the Office suite. According to Microsoft, the attacker will get code execution rights under the same privileges the victim has.

If the victim is using an account with limited access, the damage can be contained to simple operations; however, if the user has administrator rights, the attacker can increase the scope of the damage done.

Mitigations and Workarounds

According to ZDNet, in the previous four months, Microsoft has patched four other zero-days. All these zero-days allow an "elevation of privilege". This means that if a victim has missed any of the previous four Windows Patch Tuesday patches, an attacker can chain the IE zero-day with one of the previous zero-days (CVE-2018-8611, CVE-2018-8589, CVE-2018-8453, CVE-2018-8440) to gain SYSTEM-level access and take over a targeted computer.

Microsoft has assured customers who have Windows Update enabled and have applied the latest security updates that they are automatically protected against exploits. They have advised users to install the update as soon as possible, even if they don't normally use IE to browse sites. Those who want to mitigate the vulnerability until the update is installed can do so by removing privileges to the jscript.dll file for the Everyone group. According to Microsoft, using this mitigation will not cause problems with Internet Explorer 11, 10, or 9, as they use Jscript9.dll by default. There are no workarounds listed on the security advisory for this vulnerability.

Read the full security advisory on Microsoft’s blog.

Twitter memes are being used to hide malware

Savia Lobo
19 Dec 2018
3 min read
Last week, a group of security researchers reported that they have found a new malware that takes its instructions from code hidden in memes posted to Twitter. This method is known as steganography, a technique popularly used by cybercriminals to conceal a malicious file within an image in order to evade security solutions.

According to Trend Micro, some malware authors posted two tweets including malicious memes on 25th and 26th October. These images were tweeted via a Twitter account created in 2017. “The memes contain an embedded command that is parsed by the malware after it’s downloaded from the malicious Twitter account onto the victim’s machine, acting as a C&C service for the already-placed malware”, reported Trend Micro.

According to the blog post, this new threat is detected as TROJAN.MSIL.BERBOMTHUM.AA. The malware gets its commands from a legitimate source, which the researchers note is a popular networking platform, so the memes cannot be taken down until the malicious Twitter account is disabled. Twitter, for its part, has already taken the account offline as of December 13, 2018.

Malicious memes are no laughing matter

The memes posted via the malicious Twitter account have a “/print” command hidden in them, which instructs the malware to take screenshots of the infected machine. These screenshots are then sent to a C&C server whose address is obtained through a hard-coded URL on pastebin.com. Next, the malware sends the collected information or the command output to the attacker by uploading it to a specific URL address. According to Trend Micro, “During analysis, we saw that the Pastebin URL points to an internal or private IP address, which is possibly a temporary placeholder used by the attackers. The malware then parses the content of the malicious Twitter account and begins looking for an image file using the pattern: “<img src=\”(.*?):thumb\” width=\”.*?\” height=\”.*?\”/>” on the account.”

Source: Trend Micro

Researchers have also mentioned other commands supported by this malware: /processos to retrieve the list of running processes, /clip to capture clipboard content, /username to retrieve the username from the infected machine, and /docs to retrieve filenames from a predefined path (desktop, %AppData%, etc.).

According to TechCrunch, “The malware appears to have first appeared in mid-October, according to a hash analysis by VirusTotal, around the time that the Pastebin post was first created.” After Trend Micro reported the account, Twitter pulled the account offline, suspending it permanently.

NYT says Facebook has been disclosing personal data to Amazon, Microsoft, Apple and other tech giants; Facebook denies claims with obfuscating press release

Melisha Dsouza
19 Dec 2018
6 min read
“No one should trust Facebook until they change their business model.” -- Roger McNamee, an early investor in Facebook.

The New York Times has confronted Facebook once again. The media giant obtained hundreds of Facebook internal documents that prove the tech giant has been providing some of the world’s largest technology companies “more intrusive access to users’ personal data than it has disclosed”, and “effectively exempted those business partners from its usual privacy rules”. The records were initially generated in 2017 by the company’s internal system for tracking partnerships.

The Times points out how these documents helped Facebook get more users and lift its advertising revenue. It was a win-win situation for both Facebook and its partner companies: partner companies acquired features to make their products more attractive, and Facebook users connected with friends across different devices and websites. The deals revealed through the documents benefited more than 150 companies, including tech businesses, online retailers and entertainment sites, automakers and media organizations. The report speculates whether Facebook ran afoul of a 2011 consent agreement with the Federal Trade Commission that barred the social network from sharing user data without explicit permission.

Mr. Satterfield, Facebook’s privacy director, said its partners were subject to “rigorous controls.” Facebook officials claimed the company had disclosed its sharing deals in its privacy policy since 2010. The New York Times, however, says that the language in the policy about its service providers does not specify what data Facebook shares, or with which companies. With most of the partnerships, Mr. Satterfield said, the F.T.C. agreement did not require Facebook to secure users’ consent before sharing data because “Facebook considered the partners' extensions of itself“.

He also stated that the partners were prohibited from using personal information for other purposes and that “Facebook’s partners don’t get to ignore people’s privacy settings.” This data was shared with some of the largest names of the tech industry, including Amazon, Microsoft, and Yahoo, who claimed that they had used the data appropriately, without further expanding on the sharing deals in detail.

What did the documents reveal?

Here are some key points from the report that stood out:

Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent.
Netflix and Spotify were given the ability to read Facebook users’ private messages.
Amazon was permitted to obtain users’ names and contact information through their friends.
Yahoo could view streams of friends’ posts, despite public statements that it had stopped that type of sharing years earlier.
Facebook obtained data from multiple partners for a friend-suggestion tool called “People You May Know.” There have been reported cases of the tool recommending friend connections between patients of the same psychiatrist, estranged family members, and a harasser and his victim.
Facebook used contact lists from the partners, including Amazon, Yahoo, and Huawei, to gain deeper insight into people’s relationships and suggest more connections.
Some deals described in the documents were limited to sharing non-identifying information with research firms or enabling game makers to accommodate huge numbers of players.
Some partners were allowed to see users’ contact information through their friends — even after Facebook said in 2014 that it was stripping all applications of that power. Sony, Microsoft, Amazon, and others could obtain users’ email addresses through their friends.
Spotify, Netflix and the Royal Bank of Canada were allowed to read, write and delete users’ private messages.

In late 2009, Facebook launched “instant personalization”, which changed the privacy settings of the 400 million people then using the service, making some of their information accessible to all of the internet. It then shared that information, including users’ locations and religious and political leanings, with Microsoft and other partners. The F.T.C. investigated this and in 2011 cited these privacy changes as a deceptive practice. Facebook officials then stopped mentioning instant personalization in public and entered into the consent agreement. In 2014, Facebook ended instant personalization and removed access to friends’ information. But in a previously unreported agreement, the social network’s engineers continued allowing Bing, Pandora, and Rotten Tomatoes, the movie and television review site, access to much of the data they had gotten for the discontinued feature.

Facebook’s response to the New York Times report

In response to the New York Times report, Konstantinos Papamiltiadis, Director of Developer Platforms and Programs, said in a blog post that “To be clear: none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC”. He also explained that all the work done in the said domain was so that “people could have more social experiences.” The post goes on to somewhat justify the claims made in the Times report. His statement in response to the instant personalization deal that the leaked documents revealed, “We shut down instant personalization, which powered Bing’s features, in 2014 and we wound down our partnerships with device and platform companies months ago, following an announcement in April. Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs.”, does raise questions about Facebook’s seriousness with respect to user privacy.

The post also claims that Facebook does not “have evidence that data was used or misused after the program was shut down”, further adding, “we shouldn’t have left the APIs in place after we shut down instant personalization.”

This post has received enormous backlash from Alex Stamos, a former chief security officer at Facebook. He claims that the response to the claims made by the Times report is not good enough and that “it makes the same mistake of blending all kinds of different integrations and models into a bunch of prose and it is very hard to match up the responses to the Times' claims.”

https://twitter.com/reckless/status/1075225675756421120

That being said, he also tweets that allowing third-party clients is the kind of pro-competition move we want to see from dominant platforms; however, integrations that are sneaky or send secret data to servers controlled by others really are wrong.

Users have demanded that Facebook come clean about the explicit details of the access deals. Some users have also spoken up on the nature of the legal contracts that a user has to sign to use a particular tech service.

You can head over to the New York Times for more insights on this news.

An SQLite “Magellan” RCE vulnerability exposes billions of apps, including all Chromium-based browsers

Natasha Mathur
17 Dec 2018
2 min read
The Tencent Blade security team found a vulnerability in the SQLite database that exposes billions of desktop and web applications to hackers. This vulnerability, classified as a remote code execution (RCE) vulnerability, hasn’t received a CVE identification number yet and has been nicknamed “Magellan” by the Tencent Blade Team. Since SQLite is one of the most popular databases used in modern operating systems and applications, this vulnerability can affect a variety of different apps (e.g. Android/iOS), devices (e.g. IoT), and software.

Magellan poses dangers such as allowing hackers to run malicious code within the hacked computers, leaking program memory or causing program crashes. Moreover, this vulnerability can be remotely exploited simply by accessing a particular web page in a browser that supports SQLite. Other than SQLite itself, all web browsers using the Chromium engine have also been affected by this vulnerability. Tencent Blade has already reported the vulnerability to Google developers, who promptly took care of it on their end. Additionally, security experts at Tencent Blade also successfully exploited Google Home with this vulnerability, but haven’t disclosed the exploit code yet. The team also mentions that they are yet to see a case where Magellan has been abused “wildly”.

Tencent Blade recommends updating to the official stable version 71.0.3578.80 of Chromium and to 3.26.0 for SQLite, as they’re safe from the vulnerability. Google Chrome, Vivaldi, and Brave are all reported to be affected as they support SQLite through the Web SQL database API. The Safari web browser isn’t affected yet, and Firefox may be prone to this vulnerability in case a hacker gains access to its local SQLite database.

“We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible”, says the Tencent Blade team.

Former Senior VP’s take on the Marriott data breach; NYT reports suspects Chinese hacking ties

Savia Lobo
14 Dec 2018
6 min read
The Marriott Starwood guest database breach that occurred at the end of last month affected the data of almost 500 million users. According to the Marriott investigation report, the possible cause of the breach was the technology platform deployed by Starwood under the name “Valhalla”. Israel del Rio, the former Senior Vice President of Technology and Solutions at Starwood Hotels and Resorts from 2001 to 2006, gave his take on the guest data breach. He said, “I worked on Valhalla and wrote about Marriott’s decision not to use it moving forward in 2016.”

Israel del Rio’s take on the Marriott breach

In his post, Israel said that the Valhalla system was fully active in 2009 and that all best practices were followed in the system’s design, including firewalls, DMZs, encryption, etc. He said, “The fact is, if we accept Marriott’s statement that the breach began in 2014, the system would already have been operating securely for five years. It is difficult to imagine how an architectural or platform vulnerability would not have been discovered or exploited sooner.” Israel highlighted three points in the Marriott report and explained his take on each of them.

500 million guests’ reservation data stolen

The report stated that the data of approximately 500 million guests who made a reservation at a Starwood property had been stolen. To this, Israel said, “It is unlikely this system would have had 500 million records, given the practice to remove booking records a number of days after checkout. Even assuming half a million rooms in Starwood’s inventory at 90% occupancy, with average lengths of stay of two days, and up to two years of advance booking, such a database would not exceed 200 million records.” He said that the only place such a large amount of data could come from is the Data Warehouse, which would contain the booking records for several prior years. This is most likely the area from which the data was stolen. However, given that some of that data had already been migrated to Marriott, it is hard to say for certain whether the breach occurred in the Starwood system, the Marriott system, or in transit as a result of exposure during the Extract-Transform-Load process used during the migration.

An alert from an internal security tool helped Marriott learn about the breach

Marriott’s discovery of the breach was triggered on September 8, 2018, when Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Israel said, “We do not know when such a tool was first used, but what’s most confounding is Marriott’s assurance that the breach first occurred in 2014. If the detection tool was used prior to this September, why hadn’t the breach been detected earlier? And if the tool was not used earlier, how can they be so sure the breach occurred in 2014?” The stolen data also contained data from 2014, which could be the reason it was assumed that the breach took place around that time. Also, the Data Warehouse contains booking data going back several years; its data could have been exposed recently and still include stolen records from 2014.

The exposed data included encrypted payment card numbers and payment card expiration dates

According to Israel, “there are two components needed to decrypt the payment card numbers, and that at this point, Marriott has not been able to rule out the possibility that both were stolen.” Marriott’s report said there is the possibility that the primary encryption key was also exposed. “It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys”, according to Israel. Israel said there is a lack of information to actually understand what exactly happened. “It is possible that the Starwood system was in fact breached. Marriott had laid off most of the Starwood technology staff at the end of 2017, and whatever operational or migration issues this might have caused should be evaluated.”

To know more about Israel del Rio’s take on the Marriott breach, visit his blog post.

Chinese hackers might have caused the Marriott Starwood guest data breach

According to the New York Times report, the Marriott breach was a part of the “Chinese intelligence-gathering effort, that also hacked health insurers and the security clearance files of millions more Americans, according to the two people briefed on the investigation.” This discovery came out as the Trump administration is planning actions targeting China’s trade, cyber and economic policies within days. The Marriott Starwood guest data breach is not expected to be part of the indictments against the Chinese hackers. “But two of the government officials said that it has added urgency to the administration’s crackdown, given that Marriott is the top hotel provider for the American government and military personnel”, according to the New York Times.

The Marriott database contains not only credit card information but also passport data. Officials on Tuesday said this was part of an aggressive operation whose main focus was the 2014 hacking into the Office of Personnel Management. “At the time, the government bureau loosely guarded the detailed forms that Americans fill out to get security clearances — forms that contain financial data; information about spouses, children and past romantic relationships; and any meetings with foreigners. Such information is exactly what the Chinese use to root out spies, recruit intelligence agents and build a rich repository of Americans’ personal data for future targeting. With those details, the Marriott data adds another critical element to the intelligence profile: travel habits.”

James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington, said to the Times, “The data can be used to track which Chinese citizens visited the same city, or hotel, as an American intelligence agent who was identified in data taken from the Office of Personnel Management or from American health insurers that document patients’ medical histories and Social Security numbers.”

According to the New York Times, “The effort to amass Americans’ personal information so alarmed government officials that in 2016, the Obama administration threatened to block a $14 billion bid by China’s Anbang Insurance Group Co. to acquire Starwood Hotel & Resorts Worldwide, according to one former official familiar with the work of the Committee on Foreign Investments in the United States, a secretive government body that reviews foreign acquisitions.” Ultimately, the failed bid cleared the way later that year for Marriott Hotels to acquire Starwood for $13.6 billion, becoming the world’s largest hotel chain. “The Chinese regard intrusions into hotel chain databases as a standard kind of espionage. So does the United States, which has often seized guest data from foreign hotels.”

To know more about this news in detail, visit The New York Times’ in-depth coverage.

Microsoft announces Windows DNS Server Heap Overflow Vulnerability, users dissatisfied with patch details

Melisha Dsouza
13 Dec 2018
3 min read
11th December was Microsoft's December 2018 Patch Tuesday, which means users had to update their computers to be protected from the latest threats to Windows and Microsoft products. Microsoft fixed 39 vulnerabilities, 10 of them labeled Critical. As part of its December 2018 Patch Tuesday, Microsoft announced on its blog that a vulnerability exists in Windows Domain Name System (DNS). Not much information was provided to customers about how and when this vulnerability was discovered. The following details were released by Microsoft:

The Exploit

Microsoft Windows is prone to a heap-based buffer-overflow vulnerability. A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploits this issue may execute arbitrary code within the context of the affected application. Microsoft states that failed exploit attempts will result in a denial-of-service condition. Windows servers that are configured as DNS servers are at risk from this vulnerability.

Affected Systems

Find a list of the affected systems on Microsoft’s blog. The company has also provided users with security updates for the affected systems.

Workarounds and Mitigations

As of today, Microsoft has not identified any workarounds or mitigations for the affected systems.

Jake Williams, the founder of Rendition Security and Rally Security, posted an update on Twitter about the issue, questioning why there is not sufficient discussion in the infosec community about the matter.

https://twitter.com/MalwareJake/status/1072916512724410369

Many users responded saying that they too have been looking for explanations about the vulnerability but have not found any satisfying results.

https://twitter.com/spectrophagus/status/1072921055357009922

The Security Intelligence blog reported on 11th December that the just-released Patch Tuesday for December fixes the Windows DNS Server Heap Overflow remote code execution (RCE) vulnerability. However, Microsoft has not released any information on the analysis or details of the patch. Users are also speculating that without a proper understanding of the security patch, this vulnerability has the potential to be badly exploited.

https://twitter.com/Greg_Scheidel/status/1073060170333339650

You can head over to Microsoft’s official blog to know more about this vulnerability. Also, visit BleepingComputer for information on all security updates in December Patch Tuesday 2018.

Google+ affected by another bug, 52M users compromised, shut down within 90 days

Sugandha Lahoti
11 Dec 2018
3 min read
It has been only two months since Google reported a bug in one of the Google+ People APIs, which affected up to 500,000 Google+ accounts and initiated the shutdown of Google+. Yesterday, Google+ suffered another massive data leak that has impacted approximately 52.5 million users, in connection with a Google+ API. This has led Google to expedite the process of shutting down Google+. Access to the Google+ API network will be cut off in the next 90 days, and it will shut down completely in April rather than August next year.

In a blog post on Google, David Thacker, VP, Product Management, G Suite, stated that this bug was introduced as part of a software update in November and immediately fixed. However, people are upset that the data leak was only disclosed now. The software bug meant that apps which requested permission to view the profile information of a Google+ user (name, email address, occupation, age, etc.) were granted permission even when that information was set to not-public. In addition, Thacker mentions, “apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.” However, user financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft were not exposed.

Google discovered the bug as part of its standard testing procedure and says there is “no evidence that the app developers that inadvertently had this access for six days were aware of it or misused.” Google says it has begun notifying users and enterprise customers who were impacted by the bug. Thacker also says maintaining users' privacy is Google’s top concern. “We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs.”

People on Hacker News were highly critical of this data leak and expressed concerns about the kind of organization Google is turning out to be.

“I've been online since Google was a new up and coming company. There is a world of difference between the civic-mindedness of Google back then and Google now. Google has gone from something genuinely idealistic to something scary and totalitarian. If you aren't of the same "tribe" as the typical Googler, then basically, you're a subject.”

“So, how does Google, which we all trust with our precious data end up messing up like this several times in a row? If this is the company with the best security team in the world does that mean we should simply abandon all hope?”

“They could have done soo much more with Google+ ... The hype was real up until launch. Really wish they had done things a little differently. Oh well... With all these leaks, I'm actually really glad they weren't successful with this.”

Australia’s Assistance and Access (A&A) bill, popularly known as the anti-encryption law, opposed by many including the tech community

Savia Lobo
10 Dec 2018
6 min read
Last week, Australia’s Assistance and Access (A&A) anti-encryption law passed through Parliament. It gives Australian police and government agencies the power to issue technical notices, and it requires tech companies to help law enforcement agencies break into individuals’ encrypted data. Using secret warrants, the government can even compel a company to serve malware remotely to a target’s device. The Labor party, which had planned to amend the legislation, pulled its amendments in the Senate, and the bill was passed even though Labor itself had called it flawed. The Australian Human Rights Commission wrote to Parliament, “The definition of ‘acts or things’ in the Bill is so vague as to potentially permit almost limitless forms of assistance”. Several lawmakers looked set to reject the bill, criticizing the government’s efforts to rush it through before the holiday.

The anti-encryption bill has been slammed by many. ProtonMail, a Swiss-based end-to-end encrypted email provider, condemned the new law in a blog post and said that it will remain committed to protecting its users anywhere in the world, including in Australia.

ProtonMail against the Assistance and Access (A&A) law

Although ProtonMail has data centers only in Switzerland and is not under Australian jurisdiction, any request for assistance from Australian agencies under the A&A law would need to pass the scrutiny of Switzerland’s criminal procedure and data protection laws. According to ProtonMail, “just because this particular law does not affect ProtonMail and ProtonVPN does not mean we are indifferent. A&A is one of the most significant attacks on digital security and privacy since the NSA’s PRISM program. But the Australian measure is more brazen, hastily forced through Parliament over the loud objections of every sector of society, from businesses to lawyers groups.”

In a letter to Parliament, the Australian Computer Society, a trade association for IT professionals, outlined several problems with the law, including:

• Not every company has the technical know-how to safely implement malware that won’t accidentally backdoor the entire product (particularly with IoT devices), putting the security of people’s homes and organizations at risk.
• Businesses can’t easily plan or budget for possible covert surveillance work with the government.
• A companion “explanatory document” outlines some safeguards to protect civil rights and privacy that don’t actually appear in the law itself.
• Once police have gained access to a suspect’s device, they could easily remove evidence from the device that could prove the person’s innocence. There would be no way to know.

These are just a few of the issues, and that’s barely scratching the surface. According to ProtonMail, “the widespread use of encryption can actually further governments’ national security goals. It is critical that we strike the right balance. In our opinion, the A&A law does not do this, and in the long run, will make us all less safe.” To know more about this in detail, visit ProtonMail’s official blog post.

The tech community also opposes the Australian bill in an open letter

Members of the tech community also wrote an open letter, titled “You bunch of Idiots!”, to Bill Shorten and the Australian Labor Party. They mention, “Every tech expert agrees that the so-called "Assistance and Access Bill" will do significant damage to Australia's IT industry.” The letter highlights three key points.

The community members state that the law weakens security for users. “We do not want to deliberately build backdoors or make our products insecure. This means everyone else's data will be vulnerable. People have an expectation that we protect their personal data to the best of our ability. We cannot continue to guarantee this unless we go against the technical capability notices issued by law enforcement - which will become a criminal offence”, according to the letter.

They also said, “You have made it harder for international companies to hire Australian talent, or have offices in Australia filled with Australian talent. Companies such as Amazon, Apple, Atlassian, Microsoft, Slack, Zendesk and others now have to view their Australian staff and teams as "potentially compromised". This is because law enforcement can force a person to build a backdoor and they cannot tell their bosses. They might sack them and leave Australia because of the law you just passed.”

“You have also just made it almost impossible to export Australian tech services because no-one wants a potentially vulnerable system that might contain a backdoor. Who in their right mind will buy a product like that? Look at the stock price of one of Australia's largest tech companies, Atlassian. It's down because of what you have voted for. In addition, because it violates the EU's General Data Protection Regulations (GDPR), you have just locked Australian companies and startups out of a huge market.”

The tech community strongly opposed the bill, calling it a destructive and short-sighted law. They said, “In all good conscience, we can no longer support Labor. We will be advocating for people to choose those who protect digital rights.”

The ‘blackout’ move on GitHub to block Australia for everyone’s safety

Many Australian users suggested that the world block Australia for everyone’s safety after the Assistance and Access Bill was passed. Following this, users have created a repository on GitHub to provide easy-to-use solutions to black out Australia, in solidarity with Australians who oppose the bill. On GNU/Linux systems, the goal of the main script is to periodically download a blocklist and update the rules in a dedicated BLACKOUT chain in iptables. The repo also includes scripts to:

• set up a dedicated BLACKOUT chain in the iptables filter table, and set up a privileged cron job for updating the iptables rules;
• stop any running cron job, remove the cron job, and tear down the dedicated BLACKOUT chain.

Ericsson’s expired software certificate issue causes massive outages in UK’s O2 and Japan’s SoftBank network services

Savia Lobo
07 Dec 2018
3 min read
Yesterday, the Swedish networking and telecommunications company Ericsson reported an issue in its core software which caused network disturbances for some of its customers. The issue was responsible for a data outage across 11 countries, including the United Kingdom’s O2 and Japan’s SoftBank mobile services. Ericsson identified that only those customers using two specific software versions of the SGSN–MME (Serving GPRS Support Node – Mobility Management Entity) were affected. The company’s initial root cause analysis indicated that the main issue was an expired certificate installed with the affected customers.

Ericsson CEO and President Börje Ekholm said, “The faulty software that has caused these issues is being decommissioned and we apologize not only to our customers but also to their customers. We work hard to ensure that our customers can limit the impact and restore their services as soon as possible.”

The O2 and SoftBank outage left millions of customers in the UK and Japan offline for a whole day

30 million customers of the O2 mobile provider in the UK were unable to make or receive phone calls due to Ericsson’s expired certificate issue. Other affected service providers include Tesco Mobile and Sky Mobile. O2’s entire network, including the companies using its platforms and its subsidiaries Giffgaff and Lycamobile, was heavily affected. However, services were restored at around 4 am yesterday. The outage also affected Transport for London’s live updates of bus arrival times at stops across the capital, which rely on O2’s network for data updates. Mark Evans, O2’s CEO, tweeted reassuring customers that the company was doing everything it could to fix the issue and apologized to the affected customers.

https://twitter.com/MarkEvansO2/status/1070710723905499136

In Japan, SoftBank and Y!mobile 4G LTE mobile phone services, Ouchi-No-Denwa fixed-line services, and SoftBank Air services were also affected. SoftBank said that its outage lasted from 1.39pm until 6.04pm JST yesterday. According to SoftBank’s press release on the outage, “SoftBank Network Center detected software's malfunction in all of the packet switching machines manufactured by Ericsson, which are installed at the Tokyo Center and the Osaka Center, covering our mobile customers nationwide.” SoftBank also received a report from Ericsson stating “the software has been in operation since nine months ago and the failure caused by the same software also occurred simultaneously in other telecom carriers across 11 countries, which installed the same Ericsson-made devices.”

Marielle Lindgren, CEO of Ericsson UK & Ireland, said, “The faulty software that has caused these issues is being decommissioned. Our priority is to restore full data services on the network by tomorrow (Friday) morning. Ericsson sincerely apologizes to customers for the inconvenience caused.” To know more about this news in detail, visit Ericsson’s official press release.

Australia passes a rushed anti-encryption bill “to make Australians safe”; experts find “dangerous loopholes” that compromise online privacy and safety

Sugandha Lahoti
07 Dec 2018
3 min read
On Thursday, Australia passed a rushed Assistance and Access bill which gives Australian police and government agencies the power to issue technical notices. The Labor party had planned to amend the legislation. However, even after calling the bill flawed, Labor pulled its amendments in the Senate and the bill was passed. "Let's just make Australians safer over Christmas," Bill Shorten, leader of the Opposition and the Labor Party, said on Thursday evening. "It's all about putting people first."

The Assistance and Access bill provides only vague answers on the power it could give government and law enforcement over digital privacy. The government claims that encrypted communications are “increasingly being used by terrorist groups and organized criminals to avoid detection and disruption,” and so the bill requires tech companies to assist agencies in accessing electronic data. Per ZDNet, under the new bill Australian government agencies can issue three kinds of notices to companies and websites:

• Technical Assistance Notices (TAN): compulsory notices for a communication provider to use an interception capability it already has.
• Technical Capability Notices (TCN): compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.
• Technical Assistance Requests (TAR), which experts have described as the most dangerous of all.

In effect, the Australian government can hack, implant malware, undermine encryption or insert backdoors across companies and websites. Companies that refuse may face financial penalties. Although the government has said the bill will target criminals such as sex offenders, terrorists, and homicide and drug offenders, critics think otherwise. According to Communications Alliance, the bill contains dangerous loopholes and technical backdoors that could be exploited by hackers.

Another issue of debate was the lack of a clear definition of the term “systemic weakness.” Labor has asked for a more concrete definition in the amendments to be made to the law next year. Several lawmakers, as well as the general public, condemned the bill on Twitter, pointing out its rushed release.

https://twitter.com/timwattsmp/status/1069361402589011968?s=21
https://twitter.com/jordonsteele/status/1070170310626828288?s=12
https://twitter.com/Asher_Wolf/status/1070692137052758016
https://twitter.com/Scottludlam/status/1070592908292612096
https://twitter.com/Jordonsteele/status/1070565215106818048
https://twitter.com/AdamBandt/status/1070492876365225985

HashiCorp Vault 1.0 released with batch tokens, updated UI and more

Prasad Ramesh
05 Dec 2018
3 min read
Yesterday, HashiCorp announced HashiCorp Vault 1.0. Vault is a tool for managing secrets and protecting sensitive data for infrastructure and applications. This first major release focuses on high performance and scalability of workloads.

Batch tokens in Vault 1.0

Batch tokens are a new type of token with support for ephemeral, high-performance workloads. They are not written to disk, which significantly reduces the performance cost of operations within Vault. The tradeoff is that batch tokens are not persistent, so they are of little use for long-lived or ongoing operations, or for any operation that requires token resiliency. Due to their ephemeral nature, batch tokens suit large batches of operations with a single purpose, such as using the transit secrets engine; they are not suited to operations like persistent secret access within a K/V engine.

Cloud Auto Unseal open sourced

Cloud Auto Unseal is open sourced in Vault 1.0. This allows Vault users to leverage cloud key management services such as AWS KMS, Azure Key Vault, and GCP CKMS. It was open sourced to simplify storing and reassembling Shamir's keys for users. HSM-based Auto Unseal and Seal-Wrap remain features of Vault Enterprise; they are typically deployed to conform with government and regulatory compliance requirements.

OpenAPI in Vault 1.0

The latest release of Vault supports the OpenAPI standard from the OpenAPI Initiative, a vendor-neutral description format for API calls. Through the /sys/internal/specs/openapi endpoint, Vault can now generate an OpenAPI v3 document describing mounted backends and endpoint capabilities for a token’s permissions.

A new updated UI

There have been significant UI upgrades in Vault leading up to 1.0. These upgrades include:

• Wizards to help new users get started with Vault
• New, updated screens to show users how to mount auth methods and secrets engines
• Support for managing key versioning within the K/V v2 secrets engine
• Other UI updates to help ensure simple Vault deployment, initialization, and management

Expanded Alibaba Cloud integration

Features for operating Vault with and within Alibaba Cloud are now expanded. In Vault 1.0, Alibaba Cloud KMS is supported as a Seal-Wrap and Auto Unseal target, and the Alibaba Cloud auth method is now a supported interface for Auto-Auth within Vault Agent.

GCP CKMS secrets engine

A new secrets engine has been added for managing cryptographic operations within GCP CKMS. With this interface, users can perform transit-like encrypt/decrypt operations, key creation, and key management within external GCP CKMS systems.

Other features

• The credential used by the AWS secrets engine can be rotated to ensure that only Vault knows the credentials.
• With the new operator migrate command, users can do offline migration of data between two storage backends.
• Keys in the transit secrets engine can be trimmed, which allows removal of older unused key versions.

To know more about Vault, visit the HashiCorp website.

Microsoft and Mastercard partner to build a universally-recognized digital identity

Sugandha Lahoti
05 Dec 2018
3 min read
Mastercard has partnered with Microsoft to help people better manage and use their digital identity. Current identity management systems make it complex to prove a user's identity and to manage their data. Mastercard and Microsoft aim to provide a way for people to instantly verify their digital identity with whomever they want, whenever they want, using a universally recognized, single digital identity system.

https://twitter.com/MastercardNews/status/1069601787852873728

Microsoft CEO Satya Nadella also tweeted about this collaboration.

https://twitter.com/satyanadella/status/1069694712464973829

“Today’s digital identity landscape is patchy, inconsistent and what works in one country often won’t work in another. We have an opportunity to establish a system that puts people first, giving them control of their identity data and where it is used,” says Ajay Bhalla, president, cyber and intelligence solutions, Mastercard. “Working with Microsoft brings us one step closer to making a globally interoperable digital identity service a reality, and we look forward to sharing more very soon.”

This single digital identity initiative will be powered by Microsoft Azure and built in collaboration with leaders in the banking, mobile network operator and government communities. It will be used to address three major challenges:

• Identity Inclusion: improving digital identity for women, children, refugees, and other underrepresented groups to improve their access to health, financial and social services.
• Identity Verification: helping people interact with merchants, banks, government agencies and countless other digital service providers with greater integrity, lower cost and less friction.
• Fraud Prevention: helping reduce payments fraud and identity theft of various forms.

It will also streamline and improve the speed of commerce and of government, financial, and digital services.

However, a universal identity like this may raise security and privacy concerns, not to mention that the data could be used for surveillance. Microsoft and Mastercard will need to adopt strict measures to protect user data. Public opinion on this system has also been largely negative.

https://twitter.com/ChrisBlec/status/1070169644835766272
https://twitter.com/goretsky/status/1069719344744062976
https://twitter.com/aral/status/1069853577865244672
https://twitter.com/bobofgold/status/1070227010209964033

Mastercard made its position clear to a Fast Company editor: the service will allow the data to sit with its rightful owner, the individual, and wouldn’t involve amassing personal data in honeypots vulnerable to attack. In no situation would Mastercard collect users’ identity data, share it or monitor their interactions. Instead, the data would reside with the trusted party, and our service would merely validate the information already provided, once an individual has decided to do so. This is about giving the individual control over who sees their information and how it’s used.

Go through the press release on Mastercard Newsroom for more information.

Quora Hacked: Almost a 100 Million users’ data compromised!

Melisha Dsouza
04 Dec 2018
2 min read
Yesterday, Quora announced that one of its systems was hacked and that approximately 100 million users' data has been exposed to an unauthorized third party. The breach was discovered on 30th November, after which the team immediately notified law enforcement and hired a digital forensics and security consulting company to uncover details of the attack. Quora is a tightly knit community of experts and intellectuals that is estimated to have almost 700 million visits per month and is the 95th largest site in the world.

Adam D’Angelo, CEO of Quora, states that for approximately 100 million Quora users, the following information may have been compromised:

• Account information such as name, email address, encrypted (hashed) password, and data imported from linked networks when authorized by users
• Public content and actions, including questions, answers, comments, and upvotes
• Non-public content and actions, like answer requests, downvotes, and direct messages

Quora claims that users who post questions and answers anonymously are safe, as the site does not store the identities of people who post anonymous content.

Quora has started notifying users whose data has been compromised via email. It is also logging out all Quora users who may have been affected, and for users who authenticate with a password, Quora is invalidating their passwords. Quora has also advised users to head over to its help center for answers to more specific questions related to the breach.

The breach comes right after the Marriott International hotel group breach that impacted half a billion users. Quora concludes that “The investigation is still ongoing, we have already taken steps to contain the incident, and our efforts to protect our users and prevent this type of incident from happening in the future are our top priority as a company.”

Head over to Quora’s official site to know more about this news.

Microsoft open sources (SEAL) Simple Encrypted Arithmetic Library 3.1.0, with aims to standardize homomorphic encryption

Bhagyashree R
04 Dec 2018
3 min read
Yesterday, Microsoft, with the goal of standardizing homomorphic encryption, open sourced the Microsoft Simple Encrypted Arithmetic Library (Microsoft SEAL) under the MIT License. It is an easy-to-use homomorphic encryption library developed by researchers in the Cryptography Research group at Microsoft. Microsoft SEAL was first released in 2015 to provide “a well-engineered and documented homomorphic encryption library, free of external dependencies, that would be easy for both cryptography experts and novice practitioners to use.”

Industries have moved to the cloud for data storage because it is convenient, but this raises privacy concerns. To benefit from the practical guidance that cloud and machine learning services offer for our decision making, we need to share our personal information. Traditional encryption schemes do not allow any computation to be run on encrypted data, so we must choose between storing our data encrypted in the cloud and downloading it to perform any useful operation, or handing the decryption key to the service provider, which risks our privacy. Homomorphic encryption addresses these concerns.

Homomorphic encryption is a cryptographic mechanism in which specific types of mathematical operations are carried out on the ciphertext instead of on the actual data. The mechanism generates an encrypted result which, on decryption, matches the result of the same operations performed on the plaintexts. In a nutshell, decrypting the operated-on ciphertext gives the same output as simply operating on the initial plaintext.

Some of the key advantages of Microsoft SEAL are that it has no external dependencies and, since it is written in standard C++, it is easy to compile in many different environments. At its core, it makes use of two encryption schemes: the Brakerski/Fan-Vercauteren (BFV) scheme and the Cheon-Kim-Kim-Song (CKKS) scheme.
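As an added illustration of the property just described (constructed example code, not part of Microsoft SEAL or of this article), the following uses the Paillier cryptosystem, which is additively homomorphic: an untrusted aggregator adds encrypted values and scales the total using only the public key, and the key holder's decryption of the result equals the same arithmetic on the plaintexts. SEAL's BFV and CKKS schemes are lattice-based and differ in construction, but exhibit the same decrypt-and-compare property; the two demo primes are constructed and far too small for real use.

```python
"""Additive homomorphic encryption demo using the Paillier cryptosystem.

Constructed example, not code from Microsoft SEAL or from the article. SEAL
implements the lattice-based BFV and CKKS schemes; Paillier is used here only
because it shows the defining property in a few dozen lines: the party holding
the ciphertexts can add them (and multiply them by public constants) without
the secret key, and decrypting the result equals the computation on plaintexts.
"""
import math
import secrets
from typing import List, NamedTuple, Tuple


class PublicKey(NamedTuple):
    n: int  # modulus p*q; ciphertexts live modulo n**2
    g: int  # generator, n + 1 in the simplified Paillier variant


class PrivateKey(NamedTuple):
    n: int
    lam: int  # lcm(p-1, q-1)
    mu: int   # inverse of L(g^lam mod n^2) modulo n


def _L(x: int, n: int) -> int:
    """Paillier's L function: (x - 1) / n, exact whenever x = 1 mod n."""
    return (x - 1) // n


def keygen(p: int, q: int) -> Tuple[PublicKey, PrivateKey]:
    """Derive a key pair from two distinct primes supplied by the caller."""
    if p == q or math.gcd(p * q, (p - 1) * (q - 1)) != 1:
        raise ValueError("primes unsuitable for Paillier")
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)
    return PublicKey(n, g), PrivateKey(n, lam, mu)


def encrypt(pk: PublicKey, m: int) -> int:
    """Randomized encryption: c = g^m * r^n mod n^2 with a fresh random r."""
    if not 0 <= m < pk.n:
        raise ValueError("plaintext out of range")
    n2 = pk.n * pk.n
    while True:
        r = secrets.randbelow(pk.n - 1) + 1  # 1 <= r < n
        if math.gcd(r, pk.n) == 1:
            break
    return (pow(pk.g, m, n2) * pow(r, pk.n, n2)) % n2


def decrypt(sk: PrivateKey, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n."""
    return (_L(pow(c, sk.lam, sk.n * sk.n), sk.n) * sk.mu) % sk.n


def add_encrypted(pk: PublicKey, c1: int, c2: int) -> int:
    """Ciphertext of m1 + m2, computed with the public key only."""
    return (c1 * c2) % (pk.n * pk.n)


def scale_encrypted(pk: PublicKey, c: int, k: int) -> int:
    """Ciphertext of k * m for a public constant k, public key only."""
    return pow(c, k, pk.n * pk.n)


# Constructed demo primes: far too small for real use (Paillier needs
# primes of roughly 1024 bits or more); chosen so the arithmetic stays small.
DEMO_P = 65537
DEMO_Q = 65521


def encrypted_sum_demo(values: List[int], weight: int) -> int:
    """Client encrypts each value; an untrusted aggregator sums the
    ciphertexts and scales the total using only public data; the client
    decrypts. Returns the decrypted result, which equals weight * sum(values)."""
    pk, sk = keygen(DEMO_P, DEMO_Q)
    ciphertexts = [encrypt(pk, v) for v in values]        # client side
    total = ciphertexts[0]
    for c in ciphertexts[1:]:                              # aggregator side
        total = add_encrypted(pk, total, c)
    total = scale_encrypted(pk, total, weight)
    return decrypt(sk, total)                              # client side


if __name__ == "__main__":
    readings = [1500, 2750, 42]
    print(encrypted_sum_demo(readings, 3), "==", 3 * sum(readings))
```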
Along with the license change, the team have also added a few updates in the latest release, SEAL 3.1.0, some of which are listed here:

• Support for 32-bit platforms
• Google Test framework for unit tests
• To configure SEAL on Windows, Visual Studio now uses CMake
• Generating Galois keys for specific rotations is easier
• A new EncryptionParameterQualifiers flag indicates whether the parameters comply with the HomomorphicEncryption.org security standard
• Secret key data is now cleared automatically from memory by the destructors of SecretKey, KeyGenerator, and Decryptor

To read more in detail, check out Microsoft’s official announcement.