Tech News - Security

470 Articles
Reddit takes a stand against the EU copyright directive; greets EU redditors with a ‘warning box’

Natasha Mathur
03 Dec 2018
4 min read
The Reddit team has taken a stand against the EU copyright directive. Last week it announced that EU Reddit users accessing the site on desktop will be greeted with a “warning box” that explains the directive (specifically Articles 11 and 13) and points to resources and support sites. This is Reddit’s attempt to make EU users more aware of the law’s potential impact on the free and open internet. It is not the first time Reddit has pushed back on the controversial law: it published a post updating users on the directive two months earlier.

“Article 13” covers the “use of protected content by information society service providers storing and giving access to large amounts of works and other subject-matter uploaded by their users”. In a nutshell, platforms such as YouTube, Twitter, Facebook and Reddit would have to filter or remove user-generated content found to be copyrighted. “Article 11” covers the “Protection of press publications concerning digital uses”, under which sites would have to pay publishers when part of a publisher’s work is shared on those sites.

“Under the new Directive, activity that is core to Reddit, like sharing links to news articles, or the use of existing content for creative new purposes (r/photoshopbattles, anyone?) would suddenly become questionable under the law, and it is not clear right now that there are feasible mitigating actions that we could take while preserving core site functionality”, says the Reddit team. The team also argues that similar attempts made in the past in several European countries had “actually harmed publishers and creators”. Furthermore, Reddit, in partnership with Engine and the Copia Institute, has published a number of suggestions for improving both proposals.

Here are some of the fixes:

Suggestions for Article 11
- Clarification is needed on which content requires a license; it is unclear whether a single word, or a link, would qualify.
- More information is needed on which sites the proposal applies to. The current term “digital uses” is very broad; if the target is news aggregators, that should be made explicit, and it should be clear that the proposal applies only to large news-collating sites and not to individual users.
- The law should define what a “press publisher” is, since the current text could be read to include all kinds of sites; it should also make clear that scientific journals and similar non-news publications are not press publishers.

Suggestions for Article 13
- Clarification is needed on what “appropriate and proportionate” means; as written it gives online sites no guidance and can be misread, leading to litigation and abuse.
- There must be clear and significant penalties for filing false reports of infringement.
- Copyright holders should be responsible for giving platforms specific identifying content, ownership details and content information when infringing works are being determined.
- A “fair use-like exception” should be introduced in the EU to legalize memes, remixes and other everyday online culture.

“We hope that today’s action will drive the point home that there are grave problems with Articles 11 and 13 and.. that EU lawmakers will listen to those who use and understand the internet the most and reconsider these problematic articles. Protecting rights holders need not come at the cost of silencing European internet users”, says the Reddit team.
Related articles:
GitHub updates developers and policymakers on EU copyright Directive at Brussels
What the EU Copyright Directive means for developers – and what you can do
YouTube’s CBO speaks out against Article 13 of EU’s controversial copyright law
Dell reveals details on its recent security breach

Savia Lobo
30 Nov 2018
2 min read
On Wednesday, Dell announced that on November 9th it had detected an intrusion in which attackers attempted to extract customer information, including names, email addresses, and hashed passwords, from its network. The company said, “Though it is possible some of this information was removed from Dell’s network, our investigations found no conclusive evidence that any was extracted. Additionally, Dell cybersecurity measures are in place to limit the impact of any potential exposure.”

According to Dell’s press release, “Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation. Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement.”

Dell did not say which hashing algorithm it uses, and that detail matters: a password store built on a fast, unsalted hash such as MD5 can be cracked within seconds by dictionary or precomputed-table attacks, whereas a salted, deliberately slow scheme (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) makes every guess expensive and forces the attacker to work on one account at a time. “Credit card and other sensitive customer information were not targeted. The incident did not impact any Dell products or services”, the company said.

A Dell statement quoted in a Hacker News thread reads: “Dell ‘hashes’ all Dell.com customer account passwords prior to storing them in our database using a hashing algorithm that has been tested and validated by an expert third-party firm. This security measure limits the risk of customers’ passwords being revealed if a hashed version of their password were to ever be taken.” Third-party validation says nothing about which algorithm or work factor was chosen.

According to ZDNet, “Dell said it's still investigating the incident, but said the breach wasn't extensive, with the company's engineers detecting the intrusion on the same day it happened. A Dell spokesperson declined to give out a number of affected accounts, saying "it would be imprudent to publish potential numbers when there may be none."”

Resetting the Dell.com password is the safe option, and anyone who reused that password elsewhere should change it there too. Users who stored financial or other sensitive details in their account should also keep an eye on their card statements.
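Because the point about MD5 hinges on how a password store is built, here is an added example (not Dell’s code, and not tied to whatever algorithm Dell actually uses) that runs the same dictionary attack against an unsalted MD5 digest and against a salted PBKDF2-HMAC-SHA256 record. The wordlist, the password `dell2018` and the 200,000-iteration default are constructed for the demo; only the Python standard library is used.

```python
"""Fast unsalted hash vs. salted iterated KDF for stored passwords.

Added example for this article, not Dell's code: Dell has not said which
algorithm it uses, so this only contrasts an unsalted MD5 store with a
salted PBKDF2-HMAC-SHA256 store. The wordlist below is constructed for
the demo and stands in for a real cracking dictionary.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample wordlist (a real attack uses millions of entries).
WORDLIST = ["password", "letmein", "dell2018", "Summer2018!", "qwerty123"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted MD5 call per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against a leaked unsalted MD5 digest.

    Each guess costs a single MD5 call, and because there is no salt the
    same table of candidate digests cracks every leaked account at once.
    """
    for candidate in wordlist:
        if hmac.compare_digest(md5_unsalted(candidate), target_hex):
            return candidate
    return None


def pbkdf2_store(password: str, iterations: int = 200_000,
                 salt: Optional[bytes] = None) -> str:
    """The stronger scheme: a random per-user salt plus an iterated KDF.

    Returns "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" so the
    parameters needed for verification travel with the record.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(stored: str, password: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count and
    compare the result in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_pbkdf2(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """The same dictionary attack against a PBKDF2 record. It still works
    for a weak password, but every guess now costs `iterations` HMAC
    calls and the per-user salt rules out shared precomputed tables."""
    for candidate in wordlist:
        if pbkdf2_verify(stored, candidate):
            return candidate
    return None


if __name__ == "__main__":
    import time

    leaked_md5 = md5_unsalted("dell2018")      # what an MD5 store leaks
    leaked_kdf = pbkdf2_store("dell2018")      # what a PBKDF2 store leaks

    t0 = time.perf_counter()
    print("MD5 recovered:", crack_md5(leaked_md5, WORDLIST),
          f"in {time.perf_counter() - t0:.4f}s")
    t0 = time.perf_counter()
    print("PBKDF2 recovered:", crack_pbkdf2(leaked_kdf, WORDLIST),
          f"in {time.perf_counter() - t0:.4f}s")
```

Both attacks recover the weak password, which is the point: a slow, salted KDF does not rescue `dell2018`, it only multiplies the cost per guess by the iteration count and stops one precomputed table from cracking every user in the dump. Unsalted MD5 offers neither protection, which is why "we hash passwords" on its own is not reassurance.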
Related articles:
European Consumer groups accuse Google of tracking its users’ location, calls it a breach of GDPR
A new data breach on Facebook due to malicious browser extensions allowed almost 81,000 users’ private data up for sale, reports BBC News
Cathay Pacific, a major Hong Kong based airlines, suffer data breach affecting 9.4 million passengers
Sennheiser opens up about its major blunder that let hackers easily carry out man-in-the-middle attacks

Amrata Joshi
30 Nov 2018
4 min read
Yesterday, audio device maker Sennheiser issued a fix for a serious software blunder that let attackers carry out man-in-the-middle attacks by cryptographically impersonating any website on the internet.

What exactly happened?

Sennheiser’s HeadSetup software establishes an encrypted WebSocket with the browser so that Sennheiser headphones and speakerphones work smoothly with the computer. To make that local connection trusted, the installer placed a self-signed TLS certificate in the location the operating system reserves for browser-trusted certificate authority roots: the Trusted Root Certification Authorities store on Windows and the Trust Store on macOS. The root certificate installed by version 7.3 of HeadSetup Pro is the source of the vulnerability, because its private key shipped with the software in a form that was easy to extract, and because the key was identical across every installation. Anyone who extracted it could use the root to mint forged TLS certificates for any HTTPS site on the internet. Although such certificates are forgeries, every computer carrying the poorly protected root accepts them as genuine, and certificate pinning does not help here because browsers skip pin checks for certificates that chain to a locally installed root.

According to Secorvo, the security firm that found the problem, “the sensitive key was encrypted with the passphrase SennheiserCC. The key was then encrypted by a separate AES key and then base64 encoded. The passphrase was stored in plaintext in a configuration file. The encryption key was found by reverse-engineering the software binary.” In effect, Secorvo researcher André Domnick now controls a certificate authority that is trusted by every computer with the vulnerable Sennheiser app installed. Domnick said that he tested his proof-of-concept only against Windows versions of HeadSetup but believes the design flaw is present in macOS versions as well.

A solution that did not prove successful

A later version of the Sennheiser app was released to address the issue. It still installed a root certificate, but without the private key. That would have been a reasonable fix, except that the update failed to remove the older root certificate, leaving anyone who had installed the earlier version just as exposed to TLS forgeries. Uninstalling the app was not enough either, since the uninstaller left the root certificates in place. Even on computers that never had the older root, the newer version caused trouble of its own by installing a server certificate for the computer’s localhost address, 127.0.0.1.

Users have reacted strongly to the blunder. One commenter on Ars Technica’s post wrote, “This rises to the level of gross negligence and incompetence. There really should be some serious fines for these sorts of transgressions.” The certificates Sennheiser issued also violated the CA/Browser Forum Baseline Requirements, which is itself a significant problem.

The incident raises broader questions: is there a safe way for an HTTPS website to communicate directly with a local device, and are companies taking enough care to protect users from this kind of abuse?

Everyone who has installed the app should remove or block the installed root certificates. Microsoft has proactively pushed an update that untrusts the certificates on Windows, so Windows users need take no further action; on macOS the certificates have to be removed from the Trust Store manually. Read more about this news on Ars Technica.
Related articles:
Packt has put together a new cybersecurity bundle for Humble Bundle
Blackberry is acquiring AI & cybersecurity startup, Cylance, to expand its next-gen endpoint solutions like its autonomous cars’ software
IBM launches Industry’s first ‘Cybersecurity Operations Center on Wheels’ for on-demand cybersecurity support
Meet JFrog Xray, a binary analysis tool for performing security scans and dependency analyses

Sugandha Lahoti
29 Nov 2018
2 min read
Last month JFrog, a DevOps artifact management platform, bagged a $165 million Series D funding round. Now it is announcing JFrog Xray, a binary analysis tool that performs recursive security scans and dependency analyses on all standard software package and container types. It does a multilayer analysis of containers and software artifacts for vulnerabilities, license compliance, and quality assurance.

JFrog Xray is available as a pure cloud subscription, which JFrog says makes it the only cloud utility integrated with a universal artifact binary repository. Xray Cloud is available for customers on Amazon Web Services and Google Cloud Platform, and soon on Azure. Xray’s database can also plug into other data sources, giving customers maximum flexibility and coverage.

It is available in two versions. The on-prem version is installed, managed and maintained by users on their own hardware or on cloud infrastructure they host themselves. In the cloud version JFrog manages, maintains and scales the infrastructure and provides automated server backups, free updates and guaranteed uptime.

Features of JFrog Xray:
- Artifact analysis for all major package formats across the CI/CD pipeline
- Deep recursive scanning that exposes the component graph and shows the impact an issue has on software artifacts
- Native Artifactory integration, enriching artifacts with metadata to protect software from potential threats
- Fully automated protection for the development, build and production phases through IDE and CI/CD integration and a REST API
- 24/7 R&D-level support

JFrog Xray is currently used by companies such as Slack, Workday, and AT&T and, according to JFrog, has helped its customers avoid nearly 57,000 unique software package vulnerabilities. “The ability to provide scalable security solutions in a hybrid cloud model has definitely become a requirement in the enterprise,” said Dror Bereznitsky, VP of Product Management for JFrog. “We’re proud that Xray is uniquely providing not only reliable scanning and compliance management, but also delivering these solutions at a massive scale across leading cloud providers to give customers maximum flexibility.” More information on Xray Cloud is available on JFrog’s official website.

Related articles:
JFrog, a DevOps based artifact management platform, bags a $165 million Series D funding
Packt has put together a new cybersecurity bundle for Humble Bundle
Data Theorem launches two automated API security analysis solutions – API Discover and API Inspect
Packt has put together a new cybersecurity bundle for Humble Bundle

Richard Gall
29 Nov 2018
2 min read
It might not even be December yet, but if you're interested in cybersecurity Christmas has come early. Packt has once again teamed up with Humble Bundle to bring readers a diverse set of titles covering some of the most important and cutting-edge trends in contemporary security. While the offer runs, you can get your hands on $1,533 worth of eBooks and videos for just $15. That's one steal that Packt wholeheartedly approves. Go to Humble Bundle now.

As always, you'll also be able to support charity when you buy from Humble Bundle. You can choose who to donate to, but this month the featured charity is Innocent Lives Foundation.

What you get in Packt's cybersecurity Humble Bundle

For as little as $1 you can get your hands on:
- Nmap: Network Exploration and Security Auditing Cookbook - Second Edition
- Network Analysis Using Wireshark 2 Cookbook - Second Edition
- Practical Cyber Intelligence
- Cybersecurity Attacks (Red Team Activity) [Video]
- Python For Offensive PenTest: A Complete Practical Course

Or you can pay as little as $8 to get all of the above as well as:
- Cryptography with Python [Video]
- Digital Forensics and Incident Response
- Hands-On Penetration Testing on Windows
- Industrial Cybersecurity
- Metasploit Penetration Testing Cookbook - Third Edition
- Web Penetration Testing with Kali Linux - Third Edition
- Hands-On Cybersecurity for Architects
- Mastering pfSense - Second Edition
- Mastering Kali Linux [Video]

Alternatively, for as little as $15, you'll get all of the products above, but also get:
- Mastering Kali Linux for Advanced Penetration Testing - Second Edition
- Kali Linux - An Ethical Hacker's Cookbook
- Learning Malware Analysis
- Cybersecurity - Attack and Defense Strategies
- Practical Mobile Forensics - Third Edition
- Hands-On Cybersecurity with Blockchain
- Metasploit for Beginners
- CompTIA Security+ Certification Guide
- Ethical Hacking for Beginners [Video]
- Mastering Linux Security and Hardening [Video]
- Learn Website Hacking / Penetration Testing From Scratch [Video]
How 3 glitches in Azure Active Directory MFA caused a 14-hour long multi-factor authentication outage in Office 365, Azure and Dynamics services

Savia Lobo
29 Nov 2018
3 min read
Early this week, Microsoft posted a report on what caused last week’s multi-factor authentication outage in Office 365 and Azure, which prevented users from signing into their cloud services for 14 hours. Microsoft found three issues that combined to cause the sign-in failures. Interestingly, all three occurred within a single system, Azure Active Directory Multi-Factor Authentication, the service Microsoft uses to handle multi-factor login for the Azure, Office 365, and Dynamics services.

According to Microsoft’s report, “There were three independent root causes discovered. In addition, gaps in telemetry and monitoring for the MFA services delayed the identification and understanding of these root causes which caused an extended mitigation time."

The three root causes of the multi-factor authentication outage

1. The first root cause manifested as a latency issue in the MFA frontend’s communication with its cache services. It began under high load once a certain traffic threshold was reached. Once the MFA services hit this first issue, they became more likely to trigger the second root cause.

2. The second root cause was a race condition in processing responses from the MFA backend server. It led to recycles of the MFA frontend server processes, which could add further latency and trigger the third root cause on the MFA backend.

3. The third root cause was a previously undetected issue in the MFA backend server, triggered by the second. It caused processes to accumulate on the backend until resources were exhausted, at which point the backend could not process any further requests from the frontend while still appearing healthy in Microsoft’s monitoring.

On the day of the outage, the failures first hit EMEA and APAC customers and then US subscribers. According to The Register, “Microsoft would eventually solve the problem by turning the servers off and on again after applying mitigations. Because the services had presented themselves as healthy, actually identifying and mitigating the trio of bugs took some time.” Microsoft said, "The initial diagnosis of these issues was difficult because the various events impacting the service were overlapping and did not manifest as separate issues”. The lesson for anyone operating an authentication tier is that a health check which does not exercise the full request path will keep reporting green while the service is wedged.

The company is looking at ways to prevent a repeat, starting with a review of how it handles updates and testing. It also plans to review its internal monitoring services and how it contains failures once they begin. To know more about this in detail, head over to Microsoft Azure’s official page.

Related articles:
A Microsoft Windows bug deactivates Windows 10 Pro licenses and downgrades to Windows 10 Home, users report
Microsoft fixing and testing the Windows 10 October update after file deletion bug
Microsoft announces official support for Windows 10 to build 64-bit ARM apps
Uber fined by British ICO and Dutch DPA for nearly $1.2m over a data breach from 2016

Prasad Ramesh
29 Nov 2018
3 min read
British and Dutch authorities on Tuesday fined Uber a total of nearly $1.2m over a data breach that occurred in 2016. The UK Information Commissioner's Office (ICO) imposed a £385,000 fine (close to $500,000) on Uber for “failing to protect customers' personal information during a cyber attack". The attack happened in November 2016. The Dutch Data Protection Authority (DPA) imposed its own €600,000 fine (close to $680,000) over the same incident, for not reporting the breach to the Dutch DPA within 72 hours of discovering it. For the same breach, the US government has fined Uber $148m.

In November 2016, attackers obtained login credentials to Uber’s servers and downloaded files containing records of users worldwide, including passengers’ full names, phone numbers, and email addresses. Personal details of around 2.7 million UK customers and 174,000 Dutch citizens were downloaded from Uber’s cloud servers in this breach.

Steve Eckersley, the Director of Investigations at ICO, said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

As the attack occurred in 2016, it was not subject to the EU's GDPR, which came into effect in May 2018; under GDPR the fines could have been considerably larger. The affected customers and drivers were not told about the incident, and Uber only started monitoring the accounts for fraud a year later. The attackers demanded $100,000 to destroy the data they had taken, which Uber paid and recorded as a “bug bounty”. That is nothing like a legitimate bug bounty program, a common practice in the tech industry: the attackers acted with malicious intent and exfiltrated the data rather than simply reporting the weakness.

Eckersley further added: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.” In a statement, Uber representatives said “We’re pleased to close this chapter on the data incident from 2016. We’ve also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. We learn from our mistakes and continue our commitment to earn the trust of our users every day.”

Related articles:
Uber posted a billion dollar loss this quarter. Can Uber Eats revitalize the Uber growth story?
EU slaps Google with $5 billion fine for the Android antitrust case
Origin DApp: A decentralized marketplace on Ethereum mainnet aims to disrupt gig economy platforms like Airbnb and Uber
The State of Mozilla 2017 report focuses on internet health and user privacy

Prasad Ramesh
29 Nov 2018
4 min read
The State of Mozilla 2017 report is out and covers the areas where Mozilla has made an impact and its activities in 2017-18. We look at some of the important details from the report.

Towards building a healthier internet

In the last two years there have been scandals and news stories about big tech companies relating to data misuse, privacy violations and more, including the Cambridge Analytica scandal and Google’s location tracking. Public and political trust in large tech companies has eroded as the way some of them operate and treat user data has come to light. The Mozilla report says that the focus now is on how to rein in these platforms and push them to adopt data regulation. Mozilla wants to fill the gap left by the shortage of people and institutions able to make sound decisions about building a better internet. The State of Mozilla 2017 report reads:

“When the United States Federal Communications Commission attacks net neutrality or the Indian government undermines privacy with Aadhaar, we see people around the world—including hundreds of thousands of members of the Mozilla community—stand up and say, Things should not work this way.”

Read also: Is Mozilla the most progressive tech organization on the planet right now?

The Mozilla Foundation and the Mozilla Corporation

Mozilla was founded in 1998 as an open source project, back when open source was truly open source, free of things like the Commons Clause. Mozilla consists of two organizations: the Mozilla Foundation, which supports emerging leaders and mobilizes citizens to improve the health of the internet, and the Mozilla Corporation, a wholly owned subsidiary of the Foundation that creates Mozilla products and advances public policy.

The Mozilla Foundation

Beyond building products, Mozilla invests in people and organizations that share its vision. Another part of the State of Mozilla 2017 report reads: “Our core program areas work together to bring the most effective ideas forward, quickly and where they have the most impact. As a result of our work, internet users see a change in the products they use and the policies that govern them.”

Every year the Mozilla Foundation publishes the open source Internet Health Report to shed light on what has been happening on the internet, and specifically on its wellbeing. The research draws on data from multiple sources in areas such as privacy and security, open innovation, decentralization, web literacy, and digital inclusion. Per the report, Mozilla spent close to a million dollars in 2017 on this agenda-setting work. Mozilla has also mobilized conscious internet users with campaigns around net neutrality in the US, India’s Aadhaar biometric system, copyright reform in the EU, and more. It has invested in connecting internet health leaders and worked on data and privacy issues across the globe, investing about $24M in this work in 2017.

The Mozilla Corporation

Mozilla says that to take charge of changing internet culture it needs to do more than build products. After Firefox Quantum’s success, its focus is on helping people take control of their online lives. Another part of the State of Mozilla 2017 report sets out the vision: “Over the coming years, we will become the leading provider of user agency and online privacy by developing long-term trusted relationships with "conscious choosers" with a focus on helping people navigate their connected lives.”

Mozilla pulled its ads from Facebook after the Cambridge Analytica scandal

After learning about the Cambridge Analytica incident, and guided by the Mozilla Manifesto, Mozilla decided to pull its ads from Facebook. The Manifesto says “Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional”. Having sent that message, Mozilla also launched Facebook Container, a version of its Multi-Account Containers extension that prevents Facebook from tracking users when they are not on the platform. Mozilla says everyone has a right to keep their private information private and to control their own web experiences.

You can view the full State of Mozilla 2017 report at the Mozilla website.

Related articles:
Mozilla shares plans to bring desktop applications, games to WebAssembly and make deeper inroads for the future web
Mozilla criticizes EU’s terrorist content regulation proposal, says it’s a threat to user rights
Is Mozilla the most progressive tech organization on the planet right now?
European Consumer groups accuse Google of tracking its users’ location, calls it a breach of GDPR

Sugandha Lahoti
29 Nov 2018
4 min read
Just as Google faces large walkouts and protests against its policies, another consumer group has lodged a complaint against Google’s user tracking. According to a report published by the European Consumer Organisation (BEUC), Google uses various methods to nudge users into enabling the ‘Location History’ and ‘Web & App Activity’ settings that are built into every Google account, and uses the resulting data for targeted advertising. BEUC and its members from the Czech Republic, Greece, Norway, Slovenia, and Sweden argue that this is in breach of the GDPR.

Per the report, BEUC says “We argue that consumers are deceived into being tracked when they use Google services. This happens through a variety of techniques, including withholding or hiding information, deceptive design practices, and bundling of services. We argue that these practices are unethical, and that they in our opinion are in breach of European data protection legislation because they fail to fulfill the conditions for lawful data processing.”

Android users are generally unaware that Location History or Web & App Activity is enabled. According to the report, Google uses a variety of dark patterns to collect users’ exact location, down to altitude (for example which floor of a building they are on) and mode of transport, both outdoors and indoors, in order to serve targeted advertising. Moreover, there is no real option to turn Location History off, only to pause it, and even with Location History disabled the user’s location is still shared with Google through Web & App Activity. “If you pause Location history, we make clear that — depending on your individual phone and app settings — we might still collect and use location data to improve your Google experience.” said a Google spokesman to Reuters.

“These practices are not compliant with the General Data Protection Regulation (GDPR), as Google lacks a valid legal ground for processing the data in question. In particular, the report shows that users’ consent provided under these circumstances is not freely given,” BEUC, speaking on behalf of the countries’ consumer groups, said. Google claims a legitimate interest in serving ads based on personal data, but the fact that location data is collected, and how it is used, is not clearly communicated to the user. BEUC rejects Google’s position that its legitimate interest in serving advertising as part of its business model overrides the data subject’s fundamental right to privacy, arguing that, given how Web & App Activity is presented to users, the interests of the data subject should take precedence.

Reuters asked a Google spokesman to comment on the consumer groups’ complaints. According to Google, “Location History is turned off by default, and you can edit, delete, or pause it at any time. If it’s on, it helps to improve services like predicted traffic on your commute. We’re constantly working to improve our controls, and we’ll be reading this report closely to see if there are things we can take on board,”.

People are largely supportive of BEUC’s allegations against Google.

https://www.youtube.com/watch?v=qIq17DeAc1M

However, some people feel that it is just another attack on Google: if people voluntarily, and mostly knowingly, use these services and consent to giving personal information, it should not be a concern for any third party. One Hacker News commenter wrote:

“I can't help but think that there's some competitors' money behind these attacks on Google. They provide location services which you can turn off or delete yourself, which is anonymous to anyone else, and there's no evidence they sell your data (they just anonymously connect you to businesses you search for). Versus carriers which track you without an option to opt-in or out and actually do sell your data to 3rd parties.”

Another commenter wrote:

“If the vast majority of customers don't know arithmetic, then yes, that's exactly what happened. Laws are a UX problem, not a theory problem. If most of your users end up getting deceived, you can't say "BUT IT WAS ALL RIGHT THERE IN THE SMALL PRINT, IT'S NOT MY FAULT THEY DIDN'T READ IT!". Like, this is literally how everything else works.”

Read the full conversation on Hacker News. You may also go through the full “Every step you take” report published by BEUC for more information.

Related articles:
Google employees join hands with Amnesty International urging Google to drop Project Dragonfly
Is Anti-trust regulation coming to Facebook following fake news inquiry made by a global panel in the House of Commons, UK?
Google hints shutting down Google News over EU’s implementation of Article 11 or the “link tax”
How the biggest ad fraud rented Datacenter servers and used Botnet malware to infect 1.7m systems

Bhagyashree R
28 Nov 2018
4 min read
Yesterday, the Department of Justice charged eight men for their alleged involvement in a massive ad fraud that caused losses of tens of millions of dollars. A 13-count indictment was unsealed in federal court in Brooklyn against these men. The charges include wire fraud, computer intrusion, aggravated identity theft, and money laundering, among others. Two mechanisms were used to conduct the fraud: a datacenter-based scheme (Methbot) and a botnet-based scheme (3ve).

The eight accused men are Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev, and Yevgeniy Timchenko. According to the DOJ announcement, three of the men have been arrested and are awaiting extradition to the United States.

How was this ad fraud conducted?

Revenue generated by digital advertising depends on how many users click or view the ads on websites. The perpetrators faked both the users and the webpages: with the help of an automated program, they loaded advertisements on fake web pages in order to generate advertising revenue. The Department of Justice, on its website, listed two schemes through which the accused carried out the fraud.

Datacenter-based scheme

According to the indictment, between September 2014 and December 2016, the fraudsters operated an advertising network called Ad Network #1. This network had business arrangements with other advertising networks through which it received payments in return for placing advertising placeholders, or ad tags, on websites. Instead of placing these ad tags on legitimate publishers’ websites, Ad Network #1 rented more than 1,900 computer servers housed in commercial datacenters. On these datacenter servers they loaded ads on fabricated websites and spoofed more than 5,000 domains. To make it look as though a real user had viewed or clicked on an advertisement, they simulated the normal activities of a real internet user.

In addition, they leased more than 650,000 IP addresses and assigned multiple IP addresses to each datacenter server. These IP addresses were then fraudulently registered to make it appear that the datacenter servers were residential computers belonging to individual human internet users. Through this scheme, Ad Network #1 generated billions of ad views and caused businesses to pay more than $7 million for ads that were never actually viewed by real human internet users.

Botnet-based scheme

The indictment further reveals that between December 2015 and October 2018, Ovsyannikov, Timchenko, and Isaev started another advertising network called Ad Network #2. In this scheme, they used a global botnet of malware-infected computers. The three fraudsters developed an intricate infrastructure of command-and-control servers to direct and monitor the infected computers. This infrastructure gave the fraudsters access to more than 1.7 million infected computers belonging to ordinary individuals and businesses in the United States and elsewhere. They used hidden browsers on those infected computers to download fabricated webpages and load ads onto them. Through this scheme, Ad Network #2 caused businesses to pay more than $29 million for ads.

This is one of the most complex and sophisticated ad frauds to date, popularly named 3ve (pronounced “Eve”). U.S. law enforcement authorities, together with private sector companies including White Ops and Google, began dismantling the criminal cyber infrastructure used in the botnet-based scheme. 3ve infected computers with malicious software known as Kovter. As part of the investigation, the FBI also discovered an additional cybercrime infrastructure committing digital advertising fraud, called Boaxxe. This infrastructure used datacenter servers located in Germany and a botnet of infected computers in the United States.

Google and White Ops investigators also realized that this was not a simple botnet, given how it evaded efforts to filter and contain its traffic. Scott Spencer, a Google product manager, told BuzzFeed: “The thing that was really different here was the number of techniques that they used, their ability to quickly respond when they thought they were being detected, and to evolve the mechanisms they were using in real time. We would start to filter traffic and we’d see them change things, and then we’d filter a different way and then they’d change things.”

The United States Computer Emergency Readiness Team (US-CERT) has published an alert that describes the 3ve botnet’s behavior and how it interacts with the Boaxxe and Kovter botnets. It also lists some measures to avoid being affected by this malware. To know more about this case, check out the announcement by the Department of Justice.
Facebook plans to change its algorithm to demote “borderline content” that promotes misinformation, and hate speech on the platform

Natasha Mathur
23 Nov 2018
3 min read
Mark Zuckerberg, CEO of Facebook, published a “blueprint for content governance and enforcement” last week that talks about updating the news feed algorithm to demote “borderline (click-bait) content” in order to curb the spread of misinformation, hate speech, and bullying on its platform.

Facebook has been getting itself into a lot of controversies regarding user data and privacy on its platform. Just last week, the New York Times published a report on how Facebook follows a strategy of ‘delaying, denying, and deflecting’ the blame for all the controversies surrounding it. Given all these controversies, it goes without saying that Facebook is trying to bring their number down.

“One of the biggest issues social networks face is that, when left unchecked, people will engage disproportionately with more sensationalist and provocative content. At scale, it can undermine the quality of public discourse and lead to polarization. In our case, it can also degrade the quality of our services.”, said Zuckerberg.

Here’s what the natural engagement pattern on Facebook looks like:

As per Facebook’s research, no matter where the line is drawn for the kind of content allowed, once a piece of content gets close to that line, people engage with it more on average, even when they say they don’t like the content. Facebook calls this an “incentive problem” and has decided to penalize borderline content so that it gets less distribution and engagement. The natural engagement pattern has been adjusted and now looks like this:

In the adjusted graph, distribution declines as content gets more sensational, and people are disincentivized from creating provocative content that sits as close to the line as possible. “We train AI systems to detect borderline content so we can distribute that content less”, adds Zuckerberg.

Facebook’s process for adjusting the curve is similar to its process for identifying harmful content, but is now focused on identifying borderline content instead. Moreover, Facebook research has found that the pattern of borderline content getting more engagement applies not just to news but to all categories of content. For instance, photos close to the line on nudity, those with revealing clothing or sexually suggestive positions, had more engagement on average before the distribution curve was adjusted to discourage this.

Facebook considers this issue the most important to address, because although social networks generally expose people to more diverse views, some pages can still “fuel polarization”. Therefore, Facebook has decided to apply these distribution changes not just to feed ranking but to all of its recommendation systems that suggest things users should join.

An alternative to reducing distribution is moving the line that defines what kind of content is acceptable. However, Facebook thinks that this won’t effectively address the underlying incentive problem, which is the bigger issue at hand. Since this engagement pattern exists no matter where the line is drawn, what needs to change is the incentive, not simply the removal of content.

“By fixing this incentive problem in our services, we believe it'll create a virtuous cycle: by reducing sensationalism of all forms, we'll create a healthier, less polarized discourse where more people feel safe participating”, said Zuckerberg.
U.S. Postal Service patches an API exploit that impacted 60 million USPS users’ data

Savia Lobo
23 Nov 2018
4 min read
Early this week, the U.S. Postal Service patched an API exploit that could allow users with an account on USPS.com to view other users’ account details and also modify those details on their behalf. The exploit affected 60 million USPS users.

KrebsOnSecurity was contacted last week by a researcher who discovered the problem but asked to remain anonymous. According to KrebsOnSecurity, “The researcher said he informed the USPS about his finding more than a year ago yet never received a response. After confirming his findings, KrebsOnSecurity contacted the USPS, which promptly addressed the issue.”

The problem stemmed from an authentication weakness in a USPS Web component, an API that was part of the USPS “Informed Visibility” program designed to give mail senders near real-time tracking data. According to KrebsOnSecurity, “the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.”

“Many of the API’s features accepted ‘wildcard’ search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox”, according to KrebsOnSecurity.

Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, said, “This is not even Information Security 101, this is Information Security 1, which is to implement access control. It seems like the only access control they had in place was that you were logged in at all. And if you can access other people’s data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well.”

Following the report, the USPS added a validation step to prevent unauthorized changes: if anyone tries to modify the email address associated with a user’s USPS account via the API, a confirmation message is now sent to the email address tied to that account.

KrebsOnSecurity states, “It does not appear USPS account passwords were exposed via this API, although KrebsOnSecurity conducted only a very brief and limited review of the API’s rather broad functionality before reporting the issue to the USPS. The API at issue resides here; a copy of the API prior to its modification on Nov. 20 by the USPS is available here as a text file.”

Robert Hansen, chief technology officer at Bit Discovery, a security firm in Austin, Texas, said, “This could easily be leveraged to build up mass targeted spam or spear phishing. It should have been protected via authentication and validated against the logged in user in question.”

In a statement shared with KrebsOnSecurity, the USPS said it currently has no information that this vulnerability was leveraged to exploit customer records, and that the information shared with the USPS allowed it to quickly mitigate the vulnerability. Here’s the rest of their statement:

“Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity.”

“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

To know more about this news in detail, visit the KrebsOnSecurity website.
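The access-control failure described above (only "logged in" was checked, and wildcard selectors returned whole data sets) beside a hardened lookup, plus the e-mail confirmation step USPS added, as an added Python example that is not USPS code; the account records and the send_mail callback are constructed for illustration.

```python
# Added example, not USPS code: a toy account-lookup API modelled on the flaw
# described in the article, beside a hardened version that enforces
# object-level authorization and adds the e-mail confirmation step.
# All accounts, names and addresses below are constructed sample data.
import secrets
from fnmatch import fnmatchcase

ACCOUNTS = {
    "1001": {"email": "alice@example.com", "street": "1 Main St", "phone": "555-0100"},
    "1002": {"email": "bob@example.com", "street": "2 Oak Ave", "phone": "555-0101"},
    "1003": {"email": "carol@example.com", "street": "3 Pine Rd", "phone": "555-0102"},
}
PENDING_CHANGES = {}   # confirmation token -> (account_id, new_email)


class AuthorizationError(Exception):
    pass


def lookup_vulnerable(session_user, account_pattern):
    """Before the fix: the only check is that *some* user is logged in.
    The selector is matched as a wildcard, so "*" returns every record."""
    if session_user is None:
        raise AuthorizationError("login required")
    return {acct: rec for acct, rec in ACCOUNTS.items()
            if fnmatchcase(acct, account_pattern)}


def lookup_hardened(session_user, account_id):
    """After: the record must belong to the caller, and wildcards are refused."""
    if session_user is None:
        raise AuthorizationError("login required")
    if any(ch in account_id for ch in "*?["):
        raise AuthorizationError("wildcard parameters are not accepted")
    if account_id != session_user:
        raise AuthorizationError("account does not belong to the caller")
    return {account_id: ACCOUNTS[account_id]}


def request_email_change(session_user, account_id, new_email, send_mail):
    """The validation step described above: a change of e-mail address is not
    applied directly; a confirmation token is mailed to the address currently
    on file. send_mail(to, body) is an assumed mail-sending callback."""
    if session_user is None or account_id != session_user:
        raise AuthorizationError("account does not belong to the caller")
    token = secrets.token_urlsafe(16)
    PENDING_CHANGES[token] = (account_id, new_email)
    send_mail(ACCOUNTS[account_id]["email"], f"Confirm with token {token}")
    return token


def confirm_email_change(token):
    """Apply the change only once the holder of the old mailbox confirms."""
    account_id, new_email = PENDING_CHANGES.pop(token)
    ACCOUNTS[account_id]["email"] = new_email
    return new_email


def denied(fn, *args):
    """True if the call is rejected by the access check."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, wildcard:", sorted(lookup_vulnerable("1001", "*")))
    print("hardened, own record:", lookup_hardened("1001", "1001"))
    print("hardened, other record denied:", denied(lookup_hardened, "1001", "1002"))
```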
Researchers discover a new Rowhammer attack, ‘ECCploit’ that bypasses Error Correcting Code protections

Savia Lobo
23 Nov 2018
4 min read
Yesterday, researchers from the Vrije Universiteit Amsterdam’s VUSec group announced a new Rowhammer attack, known as ECCploit, that bypasses the ECC protections built into several widely used models of DDR3 chips. In their paper, titled ‘Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks’, the researchers write, “Many believed that Rowhammer on ECC memory, even if plausible in theory, is simply impractical. This paper shows this to be false: while harder, Rowhammer attacks are still a realistic threat even to modern ECC-equipped systems.”

The Rowhammer attack, discovered in 2015, exploits an unfixable physical weakness in the silicon of certain types of memory chips to alter the data they store. As a defense against this attack, researchers developed an enhancement known as error-correcting code (ECC). ECC, present in higher-end chips, was believed to be an absolute defense against potentially disastrous bitflips that change 0s to 1s and vice versa. “Rowhammer can flip bits in ways that have major consequences for security, for instance, by allowing an untrusted app to gain full administrative rights, breaking out of security sandboxes or virtual-machine hypervisors, or rooting devices running the vulnerable DIMM.”

Kaveh Razavi, one of the VUSec researchers who developed the exploit, said, “ECCploit shows for the first time that it is possible to mount practical Rowhammer attacks on vulnerable ECC DRAM.”

How ECC works

ECC stores redundant control bits next to the data bits in each memory word inside the DIMM. CPUs use these words to quickly detect and repair flipped bits. ECC was originally designed to protect against a naturally occurring phenomenon in which cosmic rays flip bits in newer DIMMs. After Rowhammer’s appearance in 2015, ECC rose to popularity as arguably the most effective defense against the attack.

However, ECC has some limitations:

• ECC generally adds enough redundancy to repair single bitflips in a 64-bit word
• When two bitflips occur in a word, the underlying program or process crashes
• When three bitflips occur in the right places, ECC can be completely bypassed

According to Ars Technica, “The VUSec researchers spent months reverse-engineering the process, in part by using syringe needles to inject faults into chips and subjecting chips to a cold-boot attack. By extracting data stored inside the supercooled chips as they experienced the errors, the researchers were able to learn how computer memory controllers processed ECC control bits.”

Here is a video of the researchers using the cold-boot technique:

https://youtu.be/NrYWVEjEfw0

The researchers thus demonstrated that ECC merely slows down the Rowhammer attack and is not enough to stop it. They tested ECCploit on four hardware platforms:

• AMD Opteron 6376 Bulldozer (15h)
• Intel Xeon E3-1270 v3 Haswell
• Intel Xeon E5-2650 v1 Sandy Bridge
• Intel Xeon E5-2620 v1 Sandy Bridge

They said they “tested several memory modules from different manufacturers”. They also confirmed that a significant number of Rowhammer bitflips occurred in a type of DIMM tested by a different team of researchers.

Are all DDR chips affected?

The researchers haven't demonstrated that ECCploit works against ECC in DDR4 chips, a newer type of memory chip favored by higher-end cloud services. The paper also doesn’t show that ECCploit can penetrate hypervisors or secondary Rowhammer defenses. There's also no indication that ECCploit works reliably against the endpoints typically used in cloud environments such as AWS or Microsoft Azure. To know more about this in detail, visit the Ars Technica blog.
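To see why the three limitations listed above hold, here is an added Python model of a Hamming SECDED code over a 64-bit word, the kind of single-error-correcting, double-error-detecting scheme the article describes (this is an illustration written for this page, not code from the VUSec paper or from any memory controller; the flipped positions are constructed fault injections).

```python
# Added example: a software model of Hamming(72,64) SECDED, the classic ECC
# layout for a 64-bit word, to show one flip corrected, two flips detected
# (uncorrectable, i.e. a machine check / crash) and three well-placed flips
# accepted as valid data. Not taken from any vendor or from the VUSec paper.

DATA_BITS = 64
CHECK_BITS = 7                           # check bits at positions 1, 2, 4, ..., 64
CODE_LEN = DATA_BITS + CHECK_BITS + 1    # plus an overall parity bit at position 0 -> 72


def _is_pow2(n):
    return n & (n - 1) == 0


def _data_positions():
    # data bits occupy every position that is not a power of two: 3,5,6,7,9,...
    return [p for p in range(1, CODE_LEN) if not _is_pow2(p)]


def encode(word):
    """Return the 72-bit codeword (list of 0/1) for a 64-bit data word."""
    code = [0] * CODE_LEN
    for bit, pos in enumerate(_data_positions()):
        code[pos] = (word >> bit) & 1
    for i in range(CHECK_BITS):
        p = 1 << i
        # check bit p covers every position whose index has bit i set
        code[p] = sum(code[pos] for pos in range(1, CODE_LEN) if pos & p) & 1
    code[0] = sum(code[1:]) & 1          # overall parity: total number of ones is even
    return code


def _syndrome(code):
    """Which check groups no longer have even parity; equals the flipped
    position for a single flip, and the XOR of positions for several flips."""
    s = 0
    for i in range(CHECK_BITS):
        p = 1 << i
        if sum(code[pos] for pos in range(1, CODE_LEN) if pos & p) & 1:
            s |= p
    return s


def decode(code):
    """Mimic a SECDED memory controller. Returns (status, word)."""
    code = list(code)
    syndrome = _syndrome(code)
    overall = sum(code) & 1              # 1 means an odd number of bits flipped
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:
        # odd flip count: the controller assumes exactly one flip and
        # "corrects" the position the syndrome points at (0 = parity bit itself)
        code[syndrome] ^= 1
        status = "corrected"
    else:
        # even flip count with a non-zero syndrome: detected but uncorrectable
        return "uncorrectable", None
    word = 0
    for bit, pos in enumerate(_data_positions()):
        word |= code[pos] << bit
    return status, word


def flip(code, positions):
    """Constructed fault injection: flip the given codeword positions."""
    code = list(code)
    for p in positions:
        code[p] ^= 1
    return code


def simulate(word, positions):
    """Encode, inject the given flips, decode."""
    return decode(flip(encode(word), positions))


if __name__ == "__main__":
    w = 0xDEADBEEFCAFEF00D
    print("1 flip :", simulate(w, [5]))            # corrected, data intact
    print("2 flips:", simulate(w, [5, 9]))         # uncorrectable -> crash
    print("3 flips:", simulate(w, [3, 5, 6]))      # 3^5^6 == 0: silently wrong data
```

Three flips whose positions XOR to zero (3, 5, 6 here) leave every check group with even parity, so the controller sees only the odd overall parity, "corrects" the parity bit, and hands back corrupted data with status "corrected".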
Mozilla criticizes EU’s terrorist content regulation proposal, says it’s a threat to user rights

Sugandha Lahoti
22 Nov 2018
4 min read
In a new blog post on open Internet policy initiatives, Mozilla has criticized the EU’s terrorist content regulation proposal, which was released in September. They have termed it a threat to ‘the ecosystem and user’s rights’. Mozilla had also released a post when the bill was proposed, saying that it ‘threatens internet health in Europe.’

In September, the EU proposed a bill to tackle the spread of ‘terrorist’ content on the internet. Under this bill, government-appointed authorities would have the unilateral power to suppress speech on the internet.

The regulation proposes a removal order which can be issued as an administrative or judicial decision by a competent authority in a Member State. In such cases, the hosting service provider is obliged to remove the content or disable access to it within one hour. In addition, the Regulation harmonizes the minimum requirements for referrals sent by Member States’ competent authorities and by Union bodies (such as Europol) to hosting service providers to be assessed against their respective terms and conditions. Finally, the Regulation requires hosting service providers, where appropriate, to take proactive measures proportionate to the level of risk and to remove terrorist material from their services, including by deploying automated detection tools.

Source: European Commission

Mozilla has previously condemned the bill, saying, “It would undermine due process online; compel the use of ineffective content filters; strengthen the position of a few dominant platforms while hampering European competitors; and, ultimately, violate the EU’s commitment to protecting fundamental rights.”

In the recent blog post, they further address this issue, pointing out worrying elements of the proposal:

• “The definition of ‘terrorist’ content is extremely broad, opening the door for a huge amount of over-removal (including the potential for discriminatory effect) and the resulting risk that much lawful and public interest speech will be indiscriminately taken down.”
• “Government-appointed bodies, rather than independent courts, hold the ultimate authority to determine illegality, with few safeguards in place to ensure these authorities act in a rights-protective manner.”
• “The aggressive one hour timetable for removal of content upon notification is barely feasible for the largest platforms, let alone the many thousands of micro, small and medium-sized online services whom the proposal threatens.”
• “Companies could be forced to implement ‘proactive measures’ including upload filters, which, as we’ve argued before, are neither effective nor appropriate for the task at hand.”
• “The proposal risks making content removal an end in itself, simply pushing terrorists off the open internet rather than tackling the underlying serious crimes.”

A Hacker News user agreed with Mozilla but considered it lucky that the proposal was yet to be sanctioned: “This proposal is very bad. But luckily it is only a proposal. The council and parliament will still vote for this before it becomes European law. Both bodies will likely oppose, and the proposal will be significantly amended.”

Mozilla has also said that they will continue to scrutinize, deliberate, and clarify how to protect their users and the internet ecosystem. Another Hacker News user said he’s happy “Mozilla's on top of this early in the process. Let's hope they manage to remove the problematic parts they outline in this post.”

Some people say the EU was unnecessarily ‘bashed’ for this:

“I don't see how the EU as an institution is bashed for this. This is a similar process as occurs in any other member state and other democracies. Not to mention the US, with its secret laws and national security letters. My personal opinion is that illegal content (CP, inciting violence) should be moderated quickly, where failure to act has big consequences. What I don't like about the proposal is that it is enforced by governments, and not some judiciary body. I hope the council and parliament will amend the proposal in such a way this is reflected in a final law.”

“I don't see how the EU as an institution is bashed for this. I think people are seeing a general trend of internet laws and bashing their creators. One could argue that this stage of the process is where bashing should occur. When it did with other ridiculous legislation, on both sides of the Atlantic, nobody excused the institutions making the suggestions. To many, myself included, this trend has to stop and sadly there isn't enough bashing to curb it, especially as there are so many cheering it on.”
Email and names of Amazon customers exposed due to ‘technical error’; number of affected users unknown

Prasad Ramesh
22 Nov 2018
3 min read
Yesterday, some Amazon customers received an email stating that their names and email addresses had been revealed due to a ‘technical error’. There have been several reports of this on the internet.

What is exposed?

Amazon said that users need not change their passwords. Only the emails and names of the affected Amazon customers have been exposed. As per the information shared by Amazon, passwords and payment information such as credit cards appear to be unaffected. The worst that could happen is that your email address receives a bunch of spam. The company did not reveal further information about the compromise. The number of affected users/email addresses, and where this information is available, is not known. Amazon told CNBC that the Amazon website and systems were not breached. In a statement, Amazon said: “We have fixed the issue and informed customers who may have been impacted.”

The exact contents of the email read:

“Hello, We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action. Sincerely, Customer Service http://Amazon.com”

What are people saying?

It came as a surprise that Amazon did not recommend changing the passwords of affected accounts. Also, the email signature had a capital A in the Amazon URL and used “http://” instead of “https://”.

https://twitter.com/OfficialMisterC/status/1065227154961719296
https://twitter.com/briankrebs/status/1065219981833617408

Because of these discrepancies in the email signature, Amazon customers are also questioning whether the email really came from Amazon. Here are tweets displaying a chat with Amazon customer care. The responses from Amazon customer care are also vague, and they insist that the exposed information is not publicly available.

https://twitter.com/YaBoyKevinnn/status/1065325794740850688
https://twitter.com/notenoughnamez/status/1065231918713704449

Amazon sellers get customer information

A comment on Hacker News reads: “If you were one of my customers I looked at your house, judged your grass, found you on LinkedIn and Facebook, Instagram, mortgages, mugshots, everything lol. The sellers also get your full name and address even on fulfilled by Amazon.” This comment might be an exaggeration or an over-enthusiastic seller. Other sellers confirm that names and addresses are visible, but not emails. Amazon’s terms of service also prohibit sellers from contacting customers directly for any purpose other than the order. Another seller said they get this information to confirm the shipping address.

This is where the EU seems better off, with a GDPR article that says companies need to inform users of data breaches. But even that gives leeway, requiring only that companies “describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects, approximate number of personal data records concerned”. So it doesn’t look like Amazon intends to disclose any further information about this incident, and it assures customers that there is no need to worry.

This story appeared first on BetaNews after several Amazon customers reported it online.