
Tech News - Security

470 Articles
Security Vulnerabilities identified in Washington, Georgia, and North Carolina’s voting systems

Savia Lobo
13 Nov 2018
4 min read
Security gaps have been identified in both Washington State's and North Carolina's voter registration systems. Spotted by cybersecurity experts, these vulnerabilities could have been exploited to interfere with citizens' eligibility to cast ballots in last week's elections; fortunately, there is no sign that this happened. Officials in both Washington and North Carolina expressed confidence that they would spot any widespread tampering with voter registration records. According to The Seattle Times, "cyber experts said Washington appears to have failed to plug all the holes after the U.S. Department of Homeland Security warned last year that Russian cyber operatives had downloaded voter records from Illinois' database in advance of the 2016 presidential election and attempted to do so in 20 other states."

Washington Secretary of State Kim Wyman assures voters systems are secure

Washington Secretary of State Kim Wyman was keen to stress that the state's election infrastructure is secure. In a statement on her website, she said "voters can rest assured that Washington's election system is secure." It was only in May that the Senate Intelligence Committee reported that in "a small number of states," cyberattackers affiliated with the Russian government "were in a position to" alter or delete voter registration information during the 2016 election. In that report, the Committee urged "federal grant funds to improve cybersecurity by hiring additional Information Technology staff, updating software, and contracting vendors to provide cybersecurity services."

Cybersecurity experts, however, have been quick to point out vulnerabilities that still have not been addressed. Susan Greenhalgh, policy director for the National Election Defense Coalition, said "the gaping vulnerability found in Georgia should be sending shock waves, not just in the Georgia Secretary of State's office, but in all the other states that are using the same technology. The vendor left a door wide open that allows an attacker, anywhere in the world, to execute a voter suppression operation using election technology."

The vendor that built Georgia's voter registration system has been identified as PCC Technologies, at the time a Connecticut-based firm. Cyber experts examined four states' registration sites for McClatchy, including North Carolina and Washington, because PCC had listed them alongside 15 other states for which it had performed work. Officials in both Washington and North Carolina said PCC did not program their voter registration databases, but the experts said they could still see vulnerabilities. According to The Seattle Times, "[cybersecurity experts] said hackers could get around authentication requirements in the voter registration system for Washington's statewide vote-by-mail operation." The consequence is that "if data were deleted, the affected voters would not be mailed ballots, creating significant challenges, especially if the voter failed to act before Election Day."

Georgia's online registration system is out of date, cybersecurity expert claims

Harri Hursti, a New York-based cybersecurity expert who monitored Georgia's election on Tuesday, said the design of its online registration system would have been acceptable 15 years ago. Today, he said, it would violate "every single manual" because it exposes "critical information" to any viewer. Erich Ebel, a spokesperson for Wyman, said "the state has a very robust election security protocol, both physical and electronic. Our firewalls are state-of-the-art, and we have a number of other measures in place to identify, block and report suspicious activity". Even so, "Bernhard and a prominent cyber expert who evaluated Washington's security on condition of anonymity said there's still a way for a bad actor to manipulate the system," according to the Seattle Times.

A group of programmers built a website, Highprogrammer.com, that derives the driver's license numbers of Washington residents (and those of a number of other states) from a person's name and date of birth, to show how easily such systems can be breached. Patrick Gannon, a spokesman for North Carolina's elections board, also acknowledged that a North Carolina law makes the state's voter registration data widely available. This includes personal information such as ages and addresses, and could allow anyone to pluck names off the list, fill out a form and mail fake address changes to state or county officials.

Jack Dorsey discusses the rumored ‘edit tweet’ button and tells users to stop caring about followers

Natasha Mathur
13 Nov 2018
3 min read
Twitter CEO Jack Dorsey attended a town hall meeting at IIT Delhi yesterday, where he talked about his plans to add an "edit tweet" feature to the platform. He revealed mixed feelings about the feature and said he wants to make sure it is implemented the right way. "You have to pay attention to what are the use cases for the edit button. A lot of people want the edit button because they want to quickly fix a mistake they made. Like a misspelling or tweeting the wrong URL. That's a lot more achievable than allowing people to edit any tweet all the way back in time," said Dorsey.

He also talked about the risks that come with an "edit tweet" feature: it could be used to change old tweets, adding to misinformation and "fake news". Dorsey conceded, however, that an edit button remains high on users' wishlists.

(Embedded tweet: https://twitter.com/KimKardashian/status/1006691477471125504)

Dorsey elaborated on the conversations happening within Twitter about the feature. He said, "There's a bunch of things we could do to show a changelog and show how a tweet has been changed and we're looking at all this stuff. We've been considering edit for quite some time but we have to do it in the right way. We can't just rush it out. We can't make something which is distracting or takes anything away from the public record".

Dorsey says follower count is "meaningless"

Dorsey also talked about the follower count, calling it "meaningless". According to the Twitter chief, people should stop focusing on the number of followers they have and instead focus on cultivating "meaningful conversations". Only last month, news emerged that Twitter was considering removing the "like" button, with precisely this reasoning: there appears to be a perception inside the company that the gamified elements of the platform are harming conversation. Dorsey admitted that "back then, we were not really thinking about all the dynamics that could ensue afterwards." Playing down the importance of followers, he argued that "what is more important is the number of meaningful conversations you're having on the platform. How many times do you receive a reply?"

What this means in practice remains to be seen. Many will still see Twitter's attitude to verification and abuse as the real issues to be tackled if the platform is to become a place for "meaningful conversation".

Cloudflare’s 1.1.1.1 DNS service is now available as a mobile app for iOS and Android

Melisha Dsouza
13 Nov 2018
2 min read
Earlier this year, Cloudflare launched 1.1.1.1, a free public DNS resolver intended to make DNS queries faster and more private. On Sunday (11 November) it announced a 1.1.1.1 mobile app for iOS and Android.

A DNS resolver translates a domain name such as google.com into the IP address a device actually connects to. Most devices use the resolver their ISP or mobile carrier supplies, which is often slow and unreliable, and which lets the operator see every site the user looks up; on a public network, anyone on the path can see the same plaintext queries, and the data can be logged and sold. Cloudflare positions 1.1.1.1 as the answer to both problems: a faster and more private DNS service.

The app uses the operating system's VPN support to capture the DNS requests of every app on the phone, passes them through a local resolver, and forwards them to 1.1.1.1 over an encrypted transport (DNS over HTTPS or DNS over TLS), so that neither the carrier nor anyone else on the network can read or tamper with them. Only DNS traffic is handled this way; the rest of the phone's traffic is not routed through Cloudflare.

Features of the Cloudflare 1.1.1.1 mobile app

- The app is open source.
- It uses the VPN API to direct the phone's DNS traffic to the 1.1.1.1 resolvers, improving speed.
- It prevents the user's carrier from tracking their browsing history and misusing it.
- Cloudflare has promised not to track 1.1.1.1 app users or sell ads. It has retained KPMG to perform an annual audit and publish a public report, and says most of the limited data it does collect is kept for only 24 hours.
- Cloudflare claims 1.1.1.1 is the fastest public resolver, about "28 percent faster" than other public DNS resolvers.

Compared with setting up the desktop resolver by hand, the mobile app is easy to use and navigate. Head over to the Cloudflare Blog to know more about this announcement, and download the app on iOS or Android to test it for yourself.
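To make concrete what the app changes on the wire, the following is an added example (not code from Cloudflare's app or blog): it builds a DNS query in the RFC 1035 wire format that a phone's stub resolver would otherwise send in plaintext to the carrier's resolver on UDP port 53, shows how the same bytes are carried inside a DNS-over-HTTPS request (RFC 8484) to Cloudflare's public endpoint https://cloudflare-dns.com/dns-query, and parses an answer. The response bytes are constructed by hand for the example and use an RFC 5737 documentation address; nothing is sent over the network, and whether the app uses the GET or the POST form is not stated on the page.

```python
"""DNS over HTTPS (RFC 8484) message construction and parsing, offline.

Added example, not Cloudflare's code. The SAMPLE_RESPONSE below is constructed
for the example and carries a documentation address, not a real answer.
"""
import base64
import struct
from typing import List, Tuple

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # Cloudflare's RFC 8484 endpoint
TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """A plain DNS query. This is what port 53 carries in the clear; RFC 8484
    recommends transaction ID 0 for DoH so identical queries are byte-identical
    and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: the message as unpadded base64url in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def doh_post_request(query: bytes) -> Tuple[dict, bytes]:
    """POST form: the raw message with the application/dns-message media type."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, query


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at msg[off], following compression pointers; returns (name, next offset)."""
    labels: List[str] = []
    jumped = False
    end = off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_a_answers(msg: bytes) -> List[Tuple[str, int, str]]:
    """Return (name, ttl, ipv4) for each A record in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):              # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4                     # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            out.append((name, ttl, ".".join(str(b) for b in rdata)))
    return out


# Constructed response: header with QR/RD/RA set, the question echoed, one A record
# whose name is a compression pointer (0xC00C) back to offset 12, TTL 300, 192.0.2.1.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext on port 53:", q.hex())
    print("same query as DoH GET:", doh_get_url(q))
    print("parsed answer:", parse_a_answers(SAMPLE_RESPONSE))
```

The point of the two request forms is that the same `build_query` bytes are sent either way; what changes with the app is that they travel inside TLS to 1.1.1.1 instead of in the clear to whatever resolver the carrier handed out, so the carrier sees a connection to Cloudflare rather than the names being looked up.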

Amazon addresses employees dissent regarding the company’s law enforcement policies at an all-staff meeting, in a first

Savia Lobo
09 Nov 2018
3 min read
Yesterday, at an Amazon all-staff meeting, the company addressed its relationship with law enforcement agencies. This was a response to concerns employees raised in June about the company's successful efforts to provide cloud infrastructure and facial recognition software to government agencies, including Immigration and Customs Enforcement (ICE). It was Amazon's first all-staff meeting, and it was live-streamed globally.

Asked what is being done in response to the concerns voiced by both Amazon employees and civil rights groups, Andy Jassy, CEO of Amazon Web Services, said, "There's a lot of value being enjoyed from Amazon Rekognition. Now now, of course, with any kind of technology, you have to make sure that it's being used responsibly, and that's true with new and existing technology. Just think about all the evil that could be done with computers or servers and has been done, and you think about what a different place our world would be if we didn't allow people to have computers." According to BuzzFeed, questions for the meeting were pre-screened, with no opportunity for follow-up questions.

Earlier this year, Amazon faced controversy over some uses of Rekognition, its AI-powered facial recognition product. Its use cases include monitoring faces in group photos, crowded events and public places such as airports, and running those images against mugshot databases for matches. In June, hundreds of Amazon employees signed 'We Won't Build It', an open letter to CEO Jeff Bezos asking Amazon to stop selling Rekognition to the police, citing the "historic militarization of police, renewed targeting of Black activists, and the growth of a federal deportation force currently engaged in human rights abuses". The letter states, "Our company should not be in the surveillance business; we should not be in the policing business; we should not be in the business of supporting those who monitor and oppress marginalized populations." The workers also pointed to Amazon's commercial relationship with the data firm Palantir, which does business with ICE. According to public documents obtained by the Project on Government Oversight, "Amazon also pitched its facial recognition technology directly to the ICE, a few months after the federal immigration agency started enforcing President Trump's controversial zero-tolerance family-separation border policy."

The American Civil Liberties Union (ACLU) has also raised concerns about Rekognition's potential for racial profiling. In a test the organization ran, the software incorrectly matched 28 members of Congress to other people who had been arrested for a crime, and the false matches disproportionately involved people of color, including six members of the Congressional Black Caucus. Jeff Bezos, at a Wired conference last month, said, "If big tech companies are going to turn their back on the U.S. Department of Defense, this country is going to be in trouble."

To know more about this news in detail, head over to the complete Q&A of the meeting on BuzzFeed.

A Microsoft Windows bug deactivates Windows 10 Pro licenses and downgrades to Windows 10 Home, users report

Savia Lobo
09 Nov 2018
2 min read
Yesterday, Windows users began reporting that a problem with Microsoft's activation service was downgrading Windows 10 Pro licenses to Windows 10 Home, Bleeping Computer reports. Affected machines display a message that Windows is not activated and prompt the user to run the activation troubleshooter.

[Screenshots in the Bleeping Computer article: the "Windows 10 Pro not activated" and "Troubleshooting completed" dialogs]

According to a Reddit post relaying Microsoft's response: "Microsoft has just released an Emerging issue announcement about current activation issue related to Pro edition recently. This happens in Japan, Korea, American, and many other countries. I am very sorry to inform you that there is a temporary issue with Microsoft's activation server at the moment and some customers might experience this issue where Windows is displayed as not activated. Our engineers are working tirelessly to resolve this issue and it is expected to be corrected within one to two business days."

Jeff Jones, Sr. Director at Microsoft, told BleepingComputer, "We're working to restore product activations for the limited number of affected Windows 10 Pro customers." He added, "A limited number of customers experienced an activation issue that our engineers have now addressed. Affected customers will see a resolution over the next 24 hours as the solution is applied automatically. In the meantime, they can continue to use Windows 10 Pro as usual."

To know more about this news, head over to Bleeping Computer.

China Telecom misdirected internet traffic, says Oracle report

Savia Lobo
06 Nov 2018
3 min read
The Naval War College published a paper titled "China's Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom's BGP Hijacking" that makes a number of claims about purported efforts by the Chinese government to manipulate BGP routing in order to intercept internet traffic. Doug Madory, Director of Internet Analysis at Oracle's Internet Intelligence team, addresses the paper's claims in a recent blog post. He writes, "I don't intend to address the paper's claims around the motivations of these actions. However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years. I know because I expended a great deal of effort to stop it in 2017".

The incident Madory describes began with a brief routing leak by SK Broadband (formerly Hanaro) on 9 December 2015, which lasted a little more than a minute. During it, SK's ASN, AS9318, announced over 300 Verizon routes, which were picked up by OpenDNS's BGPstream service. The leak was announced exclusively through China Telecom (AS4134), one of SK Broadband's transit providers. Just minutes later, AS9318 began transiting the same routes from Verizon APAC (AS703) to China Telecom (AS4134), which in turn announced them to international carriers such as Telia (AS1299), Tata (AS6453), GTT (AS3257) and Vodafone (AS1273), resulting in AS paths such as:

    … {1299, 6453, 3257, 1273} 4134 9318 703

Madory writes, "Networks around the world who accepted these routes inadvertently sent traffic to Verizon APAC (AS703) through China Telecom (AS4134). Below is a traceroute mapping the path of internet traffic from London to address space belonging to the Australian government. Prior to this routing phenomenon, it never traversed China Telecom". The traceroute itself is reproduced in his post.

He adds, "Over the course of several months last year, I alerted Verizon and other Tier 1 carriers of the situation and, ultimately, Telia and GTT (the biggest carriers of these routes) put filters in place to ensure they would no longer accept Verizon routes from China Telecom. That action reduced the footprint of these routes by 90% but couldn't prevent them from reaching those who were peering directly with China Telecom".

Focus of BGP hijack alerting

Most BGP hijack alerting looks for unexpected origins or unexpected immediate upstreams for monitored address space. But traffic misdirection can occur elsewhere in the AS path. In this case, Verizon APAC (AS703) most likely established a settlement-free peering relationship with SK Broadband (AS9318), unaware that AS9318 would then send Verizon's routes exclusively on to China Telecom, which would in turn announce them to the global internet. Madory said, "We would classify this as a peer leak and the result was China Telecom's network being inserted into the inbound path of traffic to Verizon. The problematic routing decisions were occurring multiple AS hops from the origin, beyond its immediate upstream." The routes accepted from one's peers therefore need monitoring too, which is a fairly rare practice: blindly accepting routes from a peer lets that peer insert itself into the path of your outbound traffic.

To know more about this news in detail, read Doug Madory's blog post.
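Madory's point that origin and upstream checks miss a leak several hops out can be turned into a concrete check. The Python below is an added example (not Oracle's or Madory's code): it applies the usual origin/upstream test to paths like the ones above, then walks the whole path against a table of AS relationships and flags any hop where a network re-announces a route learned from a peer or a provider to another peer or provider (the "valley-free" export rule), which is exactly what AS9318 did. The relationship table is an assumption for the example: the 703-9318 peering and the 9318-4134 transit entries follow the post, the remaining entries are invented, as are the prefixes (RFC 5737 documentation space).

```python
"""AS-path checks that catch a peer leak several hops from the origin.

Added example, not Oracle's or Madory's code. REL and ROUTES are constructed for
the example; only the 703-9318 and 9318-4134 entries come from the post above.
"""
from __future__ import annotations
from typing import Dict, Iterable, List, Optional, Tuple

# Relationship of the first AS to the second: c2p = customer of, p2p = peer,
# p2c = provider of. One direction per pair is enough; the reverse is derived.
REL: Dict[Tuple[int, int], str] = {
    (703, 9318): "p2p",   # Verizon APAC peers with SK Broadband (post: "likely" settlement-free)
    (9318, 4134): "c2p",  # SK Broadband buys transit from China Telecom (post)
    (703, 1299): "c2p",   # assumed: Verizon APAC buys transit from Telia
    (4134, 1299): "p2p",  # assumed: China Telecom and Telia peer
    (4134, 3257): "p2p",  # assumed: China Telecom and GTT peer
}
INVERSE = {"c2p": "p2c", "p2c": "c2p", "p2p": "p2p"}


def relationship(a: int, b: int) -> str:
    if (a, b) in REL:
        return REL[(a, b)]
    if (b, a) in REL:
        return INVERSE[REL[(b, a)]]
    return "unknown"


def parse_as_path(text: str) -> List[int]:
    """'3257 4134 4134 9318 703' -> [3257, 4134, 9318, 703]; prepends are
    collapsed and AS_SET braces are treated as plain members."""
    path: List[int] = []
    for tok in text.replace("{", " ").replace("}", " ").replace(",", " ").split():
        asn = int(tok)
        if not path or path[-1] != asn:
            path.append(asn)
    return path


def origin_and_upstream_ok(path: List[int], origin: int, upstreams: set) -> bool:
    """What most hijack alerting checks: the right origin and a known immediate upstream."""
    return path[-1] == origin and (len(path) < 2 or path[-2] in upstreams)


def valley_free_violation(path: List[int]) -> Optional[str]:
    """Walk the path from the origin outward. A valid export sequence climbs
    customer->provider links, crosses at most one peer link, then only descends
    provider->customer. Any climb, or a second peer link, after the peak is a leak."""
    hops = list(reversed(path))  # origin first
    phase = "up"
    for a, b in zip(hops, hops[1:]):
        rel = relationship(a, b)
        if rel == "unknown":
            return f"no relationship on record for AS{a}-AS{b}"
        if phase == "up":
            if rel == "p2p":
                phase = "peered"
            elif rel == "p2c":
                phase = "down"
        else:  # past the peak: only provider -> customer is allowed
            learned_from = "peer" if phase == "peered" else "provider"
            if rel == "c2p":
                return f"AS{a} passed a route learned from a {learned_from} on to its provider AS{b}"
            if rel == "p2p":
                return f"AS{a} passed a route learned from a {learned_from} on to peer AS{b}"
            phase = "down"
    return None


def scan(routes: Iterable[Tuple[str, str]], origin: int, upstreams: set) -> List[Tuple[str, str, str]]:
    """Run both checks over (prefix, as_path) records; returns (prefix, check, detail)."""
    findings = []
    for prefix, path_text in routes:
        path = parse_as_path(path_text)
        if not origin_and_upstream_ok(path, origin, upstreams):
            findings.append((prefix, "origin/upstream", f"unexpected origin or upstream in {path}"))
            continue
        problem = valley_free_violation(path)
        if problem:
            findings.append((prefix, "full-path", problem))
    return findings


# Constructed routes, as a collector peering with Telia and GTT might see them.
ROUTES = [
    ("203.0.113.0/24", "1299 703"),                 # normal: Verizon APAC via its transit
    ("203.0.113.0/24", "1299 4134 9318 703"),       # the leak: China Telecom in the middle
    ("203.0.113.0/24", "3257 4134 4134 9318 703"),  # same leak via GTT, with a prepend
]

if __name__ == "__main__":
    for finding in scan(ROUTES, origin=703, upstreams={9318, 1299}):
        print(finding)
```

Both leaked paths pass the origin/upstream test (origin 703, upstream 9318 is a legitimate peer); only the full-path walk reports them, at the 9318-to-4134 hop, which is three hops from the origin. The same walk applied to routes received on your own peering sessions is the "monitor what peers send you" practice Madory recommends.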
US Supreme Court ends the net neutrality debate by rejecting the 2015 net neutrality repeal allowing the internet to be free and open again

Amrata Joshi
06 Nov 2018
4 min read
Yesterday, the United States Supreme Court declined to hear the telecommunications industry's challenge to the 2015 net neutrality rules, formally ending the legal fight over the 2016 lower-court decision that upheld the Obama-era rules guaranteeing a free and open internet. The 2015 Federal Communications Commission (FCC) order, which imposed net neutrality rules and strictly regulated broadband, had already been reversed in December 2017 by the FCC under Ajit Pai, Trump's pick for chairman, and the justices' action does not revoke that repeal. The rules, backed by former President Barack Obama to safeguard equal access to content on the internet, were opposed by President Donald Trump.

According to the Supreme Court's announcement, Justices Clarence Thomas, Samuel Alito and Neil Gorsuch "would grant the petitions, vacate the judgment of the United States Court of Appeals for the District of Columbia Circuit (which upheld the FCC's internet neutrality order), and remand to that court with instructions to dismiss the cases as moot." Chief Justice John Roberts and Justice Brett Kavanaugh, previously a judge on the DC Circuit, recused themselves. In 2017, Kavanaugh had dissented when the DC Circuit declined to rehear the case, arguing that the rules violate the First Amendment rights of internet service providers by preventing them from "exercising editorial control" over internet content.

FCC's thoughts on net neutrality

The FCC is now defending its repeal against a lawsuit filed by dozens of litigants, including 22 state attorneys general, consumer advocacy groups and tech companies. California State Sen. Scott Wiener (D-San Francisco), author of California's net neutrality law, supported California Attorney General Xavier Becerra's decision not to enforce that law until the DC Circuit appeal is resolved. Wiener said: "Of course, I very much want to see California's net neutrality law go into effect immediately, in order to protect access to the Internet. Yet, I also understand and support the Attorney General's rationale for allowing the DC Circuit appeal to be resolved before we move forward to defend our net neutrality law in court. After the DC Circuit appeal is resolved, the litigation relating to California's internet neutrality law will then move forward."

Even Ajit Pai, the FCC chairman, welcomed the court's statement. FCC Commissioner Jessica Rosenworcel, who backed the net neutrality order in 2015, said on Twitter that the commission "had actually petitioned the Supreme Court to erase history and wipe out an earlier court decision upholding open internet policies. But today the Supreme Court refused to do so."

The legal battle over net neutrality may well continue and could reach the Supreme Court again in a separate case. John Bergmayer, senior counsel at the consumer advocacy group Public Knowledge, said, "The Supreme Court decision is good news for supporters of internet neutrality because it means that the DC Circuit court's previous decision upholding both the FCC's classification of broadband as a telecommunications service, and its rules prohibiting broadband providers from blocking or degrading Internet content, remains in place. Much of the current FCC's argument against net neutrality depends on ignoring or contradicting the DC Circuit's earlier findings, but now that these are firmly established as binding law, the Pai FCC's case is on even weaker ground than before."

The new FCC rules that went into effect in June give internet service providers greater latitude over the content their customers access; they are now the subject of a separate legal fight, having been challenged by many of the groups that backed net neutrality. The repeal benefited providers such as Comcast Corp, AT&T Inc and Verizon Communications Inc, and was opposed by internet companies such as Amazon.com Inc, Facebook Inc and Alphabet Inc, which argued it could lead to higher costs.

Read more about this news on Ars Technica; the court's announcement is on the Supreme Court's official website.

Qubes OS 4.0.1-rc1 has been released!

Savia Lobo
06 Nov 2018
2 min read
Yesterday, the Qubes OS team announced the first release candidate of Qubes OS 4.0.1, the first of at least two planned point releases for version 4.0. Qubes OS is a free and open source security-oriented operating system that aims to provide security through isolation: virtualization is performed by Xen, and user environments can be based on Fedora, Debian, Whonix and Microsoft Windows.

The same announcement notes that 3.2.1-rc1 was released a month ago and that, since no serious problems have been discovered in it, the team plans to build the final version of Qubes 3.2.1 at the end of this week.

Features of Qubes OS 4.0.1-rc1

- All 4.0 dom0 updates to date
- Fedora 29 TemplateVM
- Debian 9 TemplateVM
- Whonix 14 Gateway and Workstation TemplateVMs
- Linux kernel 4.14

The next release candidate

The second release candidate, 4.0.1-rc2, will include a fix for the Nautilus bug reported in #4460, along with any other available fixes for bugs reported against this release candidate. To know more about Qubes OS 4.0.1-rc1, see the official release announcement.

Senator Ron Wyden’s data privacy law draft can punish tech companies that misuse user data

Savia Lobo
02 Nov 2018
3 min read
On Thursday, Sen. Ron Wyden, a Democrat from Oregon, released a draft data privacy bill with harsh penalties for companies that violate data privacy. The bill would apply to companies that bring in more than $50 million in revenue and hold personal information on more than 1 million people.

The proposal has its roots in the past year of breaches and data scandals. A year ago, Equifax disclosed that hackers had stolen the personal information of 147.7 million Americans from its servers. Facebook and Cambridge Analytica were then sued over the firm's harvesting of private data on more than 50 million people through the social network. A lawsuit was filed against Uber after the San Francisco-based ride-sharing company took more than 12 months to tell users that it had suffered a major hack. And in August it emerged that Google kept recording users' locations even after they had turned location tracking off, prompting talk of a GDPR fine. According to CNET, "lawmakers still felt that the companies involved weren't being held accountable for mishandling data on millions of people."

Wyden has long been at the forefront of cybersecurity and privacy issues in the Senate. He said, "Today's economy is a giant vacuum for your personal information. Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation's database. But individual Americans know far too little about how their data is collected, how it's used and how it's shared."

Ron Wyden's draft bill

Wyden's draft would boost the Federal Trade Commission's ability to act on privacy violations. Today the FTC can only fine a company over a privacy violation if the company is already bound by a consent decree, such as the one Facebook agreed to in 2011, which requires that users be notified and explicitly give permission before data about them is shared beyond the privacy settings they have chosen. The bill also requires companies to submit an annual data protection report, similar to the transparency reports on government demands that companies like Google and Apple publish voluntarily. CNET reports, "The report needs to be signed by CEOs, who could face up to 20 years in prison if they lie to the FTC." The draft introduces a national "Do Not Track" website, allowing Americans to opt out of data sharing across the internet from a single central page. The FTC would also be able to issue fines of up to 4 percent of a company's annual global revenue, the same ceiling the European Union's General Data Protection Regulation uses. Wyden's draft is among the first comprehensive federal data privacy bills proposed in the US. Read Senator Ron Wyden's draft bill to know more about the proposed legislation in detail.

Zimperium zLabs discloses a new critical vulnerability in multiple high-privileged Android services to Google

Natasha Mathur
02 Nov 2018
5 min read
Tamir Zahavi-Brunner, Security Researcher at Zimperium zLabs posted the technical details of the vulnerability affecting multiple high-privileged Android devices and its exploit, earlier this week. Brunner had disclosed this vulnerability to Google who then designated it as CVE-2018-9411. As per Brunner, Google claims Project Treble ( introduced as part of Android 8.0 Oreo and that makes updates faster and easier for OEMs to roll out to devices) benefits Android security. However, as per the vulnerability disclosed by Brunner, elements of Project Treble could hamper Android security. “This vulnerability is in a library introduced specifically as part of Project Treble and does not exist in a previous library which does pretty much the same thing. This time, the vulnerability is in a commonly used library, so it affects many high-privileged services”, says Brunner. One of the massive changes that come with Project Treble is the split of many system services. Previously, these system services contained both AOSP (Android Open Source Project) and vendor code. After Project Treble, all of these services were split into one AOSP service and one or more vendor services called HAL services.  This means that data which used to be previously passed in the same process between AOSP and vendor now will have to pass through IPC (enables communication between different Android components) between AOSP and HAL services. Now, most of the IPC in Android goes through Binder (enables a remote procedure calls mechanism between the client and server processes), so Google decided that the new IPC should do so as well. But Google also decided to perform some modifications. They introduced HIDL which is a whole new format for the data passed through Binder IPC (makes use of shared memory to maintain simplicity and good performance). HIDL is supported by a new set of libraries and is dedicated to the new Binder domain for IPC between AOSP and HAL services. 
HIDL comes with its own new implementation of many types of objects. An important object for sharing memory in HIDL is hidl_memory.

Technical details of the vulnerability

hidl_memory has three members: mHandle (a HIDL object holding file descriptors), mSize (the size of the memory to be shared) and mName (the type of the memory). These structures are transferred through Binder in HIDL, where complex objects such as hidl_handle or hidl_string have their own custom code for writing and reading the data. mSize is a 64-bit value. In a 64-bit process this causes no issues, but in a 32-bit process the size is truncated to 32 bits when the memory is mapped, so only the lower 32 bits are used. If a 32-bit process receives a hidl_memory whose size is bigger than UINT32_MAX (0xFFFFFFFF), the memory region actually mapped is therefore much smaller than the advertised size. “For instance, for a hidl_memory with a size of 0x100001000, the size of the memory region will only be 0x1000. In this scenario, if the 32-bit process performs bounds checks based on the hidl_memory size, they will hopelessly fail, as they will falsely indicate that the memory region spans over more than the entire memory space. This is the vulnerability!” writes Zahavi-Brunner.

With the vulnerability identified, the next step is to find a target: an eligible HAL service that runs as a 32-bit process and maps hidl_memory received from a client. Zahavi-Brunner chose android.hardware.cas, implemented by MediaCasService, which lets apps decrypt protected media content.

Exploiting the vulnerability

Two further problems have to be solved to exploit the bug: finding the address of the shared memory and of other interesting data, and making sure the shared memory gets mapped at the same location each time. The second is solved by looking at the memory maps of the linker in the service's memory space.
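To make the truncation concrete, here is an added illustration in Python (not Zimperium's exploit and not Android's HIDL code) of what a 32-bit consumer of a hidl_memory does: it bounds-checks a request against the advertised 64-bit mSize, but the region it actually mapped is only mSize modulo 2^32 bytes, so a request that passes the check reads past the mapping into whatever is mapped next (a thread stack, in the real exploit). A hardened consumer rejects any size its own size_t cannot represent and checks against the size that was really mapped. The address-space layout, the byte string standing in for the neighbouring mapping and the function names are this example's own assumptions.

```python
"""Model of the hidl_memory size truncation described above (CVE-2018-9411).

Constructed illustration, not Zimperium's or Android's code. The process
address space is a bytearray in which the mapped shared region is followed
by another mapping; the bytes placed there stand in for the thread-stack
contents the real exploit reads.
"""

UINT32_MAX = 0xFFFFFFFF


def mapped_size(advertised_size, word_bits):
    """Bytes actually mapped by a process whose size_t is word_bits wide.

    The 64-bit mSize is cast to the process's size_t, so a 32-bit process
    keeps only the low 32 bits: 0x100001000 becomes 0x1000.
    """
    return advertised_size & ((1 << word_bits) - 1)


def address_space(advertised_size, neighbour, word_bits=32):
    """Constructed layout: the (truncated) shared mapping, then a neighbour."""
    return bytearray(mapped_size(advertised_size, word_bits)) + bytearray(neighbour)


def vulnerable_read(space, advertised_size, offset, length):
    """The bug: bounds check against the 64-bit size the client sent, then read.

    Returns the bytes read, or None if the check rejected the request.
    """
    if offset + length > advertised_size:
        return None
    return bytes(space[offset:offset + length])


def hardened_read(space, advertised_size, offset, length, word_bits=32):
    """Fix: refuse sizes this process cannot represent, then check the
    request against the size that was really mapped."""
    if advertised_size > (1 << word_bits) - 1:
        return None
    limit = mapped_size(advertised_size, word_bits)
    if offset > limit or offset + length > limit:
        return None
    return bytes(space[offset:offset + length])


def demo():
    """Reproduce the write-up's scenario: mSize = 0x100001000 in a 32-bit service.

    Only 0x1000 bytes are mapped, so a read at offset 0x1000 passes the
    vulnerable check and lands in the neighbouring mapping.
    """
    advertised = 0x100001000
    space = address_space(advertised, b"THREAD-STACK-ADDR", word_bits=32)
    leaked = vulnerable_read(space, advertised, 0x1000, 17)
    blocked = hardened_read(space, advertised, 0x1000, 17)
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The check in hardened_read is the one the page's reasoning calls for: the comparison must be made against the size the process itself mapped, not against a value chosen by the peer on the other side of the Binder transaction.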
To solve the first, the data in the linker_alloc straight after the gap is analysed, and a shared memory region is mapped just before a blocked thread's stack, which makes that stack easy to reach relatively through the vulnerability. Instead of getting only one thread into the blocked state, multiple (five) threads are generated, which causes more threads to be created and more thread stacks to be allocated. Once the shared memory is mapped before the blocked thread's stack, the vulnerability is used to read two things from that stack: the thread stack address and the address at which libc is mapped, which is enough to build a ROP chain.

The last step is executing the ROP chain. Zahavi-Brunner notes that the SELinux restrictions on the process prevent turning the ROP chain into full arbitrary code execution: “There is no execmem permission, so anonymous memory cannot be mapped as executable, and we have no control over file types which can be mapped as executable”. Since the objective of the proof of concept is to obtain the QSEOS version, the ROP chain does exactly that, while also making sure the thread does not crash immediately after the chain runs. This leaves the process in a somewhat unstable state, so to return everything to a clean state the service is deliberately crashed (by writing to an unmapped address) and allowed to restart.

For complete information, read the official Zimperium blog post.

FreeRTOS affected by 13 vulnerabilities in its TCP/IP stack
A kernel vulnerability in Apple devices gives access to remote code execution

Google now requires you to enable JavaScript to sign-in as part of its enhanced security features

Melisha Dsouza
01 Nov 2018
3 min read
“Online security can sometimes feel like walking through a haunted house - scary, and you aren’t quite sure what may pop up”
Jonathan Skelker, product manager at Google

October 31st marked the end of Cybersecurity Awareness Month, and Google made sure to leave its mark on the very last day. It introduced a host of features to protect user accounts from being compromised: checkpoints before a user signs in, as soon as they are in their account, and when they share information with other apps and sites. Let’s walk through these features in detail.

#1 Before you sign in: enable JavaScript in the browser

Signing in to Google now requires JavaScript to be enabled on the sign-in page. When a user enters their credentials, a risk assessment runs automatically to block suspicious activity, and the sign-in is allowed only if nothing looks suspicious. The post mentions that "JavaScript is already enabled in your browser; it helps power lots of the websites people use everyday. But, because it may save bandwidth or help pages load more quickly, a tiny minority of our users (0.1%) choose to keep it off"

#2 Security Checkup for protection once signed in

After the major update to the Security Checkup last year, Google has gone a step further by protecting users against harmful apps based on recommendations from Google Play Protect. The web dashboard helps users set up two-factor authentication, check which apps have access to their account information, and review unusual security events. It also explains how to remove the account from devices users no longer use.
Google is also introducing additional notifications: personalized alerts whenever data from a Google account is shared with third-party sites or applications (including Gmail information, a Google Photos album or Google Contacts). This looks like a step in the right direction, especially after a recent Oxford University study revealed that more than 90% of apps on the Google Play store contain third-party trackers that leak sensitive data to large technology companies.

#3 Help issued when a user account is compromised

The most notable of the new features is a step-by-step process within a user's Google Account that is triggered automatically when Google detects potentially unauthorized activity. The four steps that run in the event of a compromise are:

- Verify critical security settings: check that the account is not vulnerable to further attacks by other means, such as a changed recovery phone number or email address.
- Secure other accounts: a Google Account is often a gateway to accounts on other services, and a hijacking can leave those vulnerable as well.
- Check financial activity: see whether any payment method connected to the account was abused.
- Review content and files: see whether any Gmail or Drive data was accessed or misused.

Head over to Google’s official blog to read more about this news.

Google’s #MeToo underbelly exposed by NYT; Pichai assures they take a hard line on inappropriate conduct by people in positions of authority
Google employees plan a walkout to protest against the company’s response to recent reports of sexual misconduct
A multimillion-dollar ad fraud scheme that secretly tracked user affected millions of Android phones. This is how Google is tackling it.

Apple T2 security chip has Touch ID, Security Enclave, hardware to prevent microphone eavesdropping, amongst many other features!

Melisha Dsouza
31 Oct 2018
4 min read
Apple’s special event held in Brooklyn yesterday saw the unveiling of a host of new hardware and software, including the MacBook Air 2018 and the Mac mini. Apple also published a security overview white paper that details its T2 security chip, now incorporated into the Mac mini and MacBook Air. Among other things, the chip disconnects the device’s microphone when the laptop is closed and protects stored data against tampering. Let’s look at the features of the chip that caught our attention.

#1 Disabling the microphone when the laptop is closed

One of the headline features of the T2 chip is disconnecting the device’s microphone when the lid is closed. The chip, first introduced in last year's iMac Pro, is upgraded so that the disconnect prevents any kind of malware from eavesdropping on a user’s conversation once the lid is shut. Apple notes that the camera is not disabled because the lens's field of view is completely obstructed while the lid is closed.

#2 Secure Enclave

The Secure Enclave is a coprocessor within the system on chip (SoC) of the Apple T2 Security Chip. It provides dedicated security by protecting the cryptographic keys needed for FileVault and secure boot. It also processes fingerprint data from the Touch ID sensor and determines whether there is a match. Apple notes that its limited function is a virtue: “Security is enhanced by the fact that the hardware is limited to specific operations.”

#3 Storage encryption

The Apple T2 Security Chip has a dedicated AES crypto engine built into the DMA path between the flash storage and main system memory, which makes internal volume encryption with FileVault (AES-XTS) highly efficient. The Mac's unique ID (UID) and a device group ID (GID) are AES 256-bit keys provisioned in the Secure Enclave during manufacturing.
They are designed so that no software or firmware can read the keys directly; the keys can be used only by the AES engine dedicated to the Secure Enclave. The UID is unique to each device and is generated entirely within the Secure Enclave rather than in a manufacturing system outside the device, so the UID key is not available to Apple or any of its suppliers. Software running on the Secure Enclave uses the UID to protect Touch ID data, FileVault class keys and the Keychain.

#4 Touch ID

The T2 chip processes Touch ID data to authenticate the user. What is stored is a mathematical representation of the fingerprint, encrypted on the device and protected with a key available only to the Secure Enclave, which uses it to verify a match against the enrolled information. This data cannot be accessed by macOS or by any apps running on it, is never stored on Apple servers and is not backed up to iCloud, so only an enrolled user can unlock the device.

#5 Secure Boot

The T2 Security Chip ensures that each step of the startup process consists of components cryptographically signed by Apple, and the boot process proceeds only after the integrity of the software at each step has been verified. When a Mac with the T2 chip is turned on, the chip executes code from read-only memory known as the Boot ROM. This immutable code, referred to as the hardware root of trust, is laid down during chip fabrication and audited for vulnerabilities to secure the whole process.

These features of the T2 chip are definitely something to watch. You can read the white paper to learn more about the chip.

Apple and Amazon take punitive action against Bloomberg’s ‘misinformed’ hacking story
Apple now allows U.S. users to download their personal data via its online privacy data portal
Could Apple’s latest acquisition yesterday of an AR lens maker signal its big plans for its secret Apple car?
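The secure boot description above (Boot ROM as the root of trust, each stage verifying the next before handing off) can be shown as a small chain-of-trust check. The following Python is an added illustration, not Apple's code: Apple verifies Apple-signed images, whereas this model pins each stage's SHA-256 digest inside the stage before it and pins the first digest in the immutable Boot ROM, because the Python standard library has no public-key primitives. The stage names and image bytes are constructed; what the model preserves is that no link of the chain can be altered without changing every link back to the ROM.

```python
"""Chain-of-trust verification in the style of the T2 secure boot description.

Added illustration, not Apple's implementation: signatures are replaced by a
digest pinned in the previous stage, and the first digest lives in ROM.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    next_digest: Optional[bytes]   # digest of the following stage's image; None for the last

    def image(self) -> bytes:
        """What is stored in flash and what the previous stage hashes."""
        return self.code + (self.next_digest or b"")


def build_chain(stages: List[Tuple[str, bytes]]):
    """Link stages back to front so each one pins its successor's digest.

    Returns the chain (first stage after ROM first) and the digest the
    Boot ROM must hold for the first stage.
    """
    chain: List[Stage] = []
    next_digest: Optional[bytes] = None
    for name, code in reversed(stages):
        stage = Stage(name, code, next_digest)
        chain.insert(0, stage)
        next_digest = sha256(stage.image())
    return chain, next_digest


def verify_boot(rom_digest: bytes, chain: List[Stage]):
    """Walk the chain as the Boot ROM would, verifying before handing off.

    Returns (names of stages that passed, name of the stage that failed
    or None). The first mismatch halts the boot.
    """
    expected = rom_digest
    booted: List[str] = []
    for stage in chain:
        if sha256(stage.image()) != expected:
            return booted, stage.name
        booted.append(stage.name)
        expected = stage.next_digest
    return booted, None


if __name__ == "__main__":
    # Constructed stages standing in for the firmware, kernel and userland images.
    chain, rom = build_chain([("iBoot", b"iboot-code"),
                              ("kernel", b"kernel-code"),
                              ("userland", b"user-code")])
    print(verify_boot(rom, chain))
```

Replacing the kernel image fails at the kernel stage; rebuilding the whole chain around a modified kernel changes iBoot's pinned digest and therefore iBoot's own digest, so the ROM rejects the very first stage, which is the property that makes the root of trust useful.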

Twitter plans to disable the ‘like’ button to promote healthy conversations; should retweet be removed instead?

Savia Lobo
30 Oct 2018
4 min read
Yesterday, Twitter’s CEO Jack Dorsey announced that the social media platform might eliminate its heart-shaped like button, according to The Telegraph. The Twitter communications team further clarified in a tweet that the move is part of a ‘commitment to healthy conversation’ and that the company is ‘rethinking everything about the service’, including the like button.

At the Wired25 summit held on the 15th of October, Dorsey had questioned on stage whether the “like” button helps meaningful communication. He said, “Is that the right thing? Versus contributing to the public conversation or a healthy conversation? How do we incentivize healthy conversation?” Twitter had also vowed, in a blog post in July, to “increase the collective health, openness, and civility of the dialogue on our service”. Prior to this, the company had introduced ‘Bookmarks’, an easy way to save tweets for quick access later without having to like them.

Ben Grosser, an artist and professor at the University of Illinois, says “I fear that if they remove the Like button the fact that there are other indicators that include metrics will just compel users to use those other indicators.” A Twitter spokesperson told the Telegraph, “At this point, there is no specific timeline for changes or particular planned changes to discuss”. He added, “We’re experimenting and considering numerous possible changes, all with an eye toward ensuring we’re incentivizing the right behaviors to drive a healthy conversation.”

Should retweet be eliminated instead?

The Atlantic speculates that “If Twitter really wants to control the out-of-control rewards mechanisms it has created, the retweet button should be the first to go.” Retweets, not likes, are Twitter’s most powerful reward mechanism, according to The Atlantic: the more retweets a post gets, the more likely it is to go viral. According to MIT research, Twitter users retweet fake news almost twice as much as real news.
Other Twitter users, desperate for validation, endlessly retweet their own tweets, spamming followers with duplicate information. Twitter introduced retweets to ensure that the most interesting and engaging content shows up in the feed and keeps users entertained; what the platform shows is the result of an algorithmic accounting of exactly what that content is.

In April, Alexis Madrigal wrote about how he used a script to remove retweets from his timeline and how it transformed his experience for the better. “Retweets make up more than a quarter of all tweets. When they disappeared, my feed had less punch-the-button outrage,” he wrote. “Fewer mean screenshots of somebody saying precisely the wrong thing. Less repetition of big, big news. Fewer memes I’d already seen a hundred times. Less breathlessness. And more of what the people I follow were actually thinking about, reading, and doing. It’s still not perfect, but it’s much better.” This week, Madrigal, together with Darshil Patel and Maas Lalani, two 18-year-old college freshmen, launched a browser extension that hides the number of retweets, likes and followers on all tweets in a user's feed.

Eliminating the native retweet button would certainly curb quote tweeting. According to The Atlantic, “it could just send everyone back to the dark ages of the manual retweet when users physically copy-pasted text from another tweet with the letters “RT” plastered in front. But killing native retweets is certainly a step in the right direction.”

For complete coverage of this news, head over to The Telegraph.

Social media platforms, Twitter and Gab.com, accused of facilitating recent domestic terrorism in the U.S.
Twitter prepares for mid-term US elections, with stronger rules and enforcement approach to fight against fake accounts and other malpractices
Twitter on the GDPR radar for refusing to provide a user his data due to ‘disproportionate effort’ involved

The ‘Flock’ program provides grants to Aragon teams worth $1 million

Melisha Dsouza
30 Oct 2018
2 min read
The team at Aragon started its journey towards a decentralized model at the beginning of 2018. That vision is now a reality, with two teams contributing to Aragon's development: Aragon One and Aragon DAC. To strengthen it further, new Aragon teams need to be brought on board, which is why the team has been working on a program called ‘Flock’ for selecting new Aragon teams; it will provide a minimum grant of $1,000,000 for operational costs.

The Aragon project

For those not familiar with it, the Aragon project aims to disintermediate the creation and maintenance of organizational structures by using blockchain technology. It provides tools with which users can found and run their own organizations while managing them easily and securely. Aragon organizations are powered by Ethereum, a global blockchain on which code and applications run without any possibility of downtime or censorship. A blockchain network consists of thousands of computers all over the globe; users can set up their own nodes, and all the necessary data is replicated across the network, giving a single shared record that anyone can cryptographically verify. The decentralized design Aragon encourages thus prevents a government or a malicious third party from interfering in an organization's way of working.

What is Flock?

The Flock program has been released in alpha to structure grants to Aragon teams. It will handle the initial application and pre-selection process for new Aragon teams, and independent teams will be selected to work on the core components and products of the Aragon project. The funds provided are intended to cover:

- The operational costs for research, development and maintenance of the Aragon products and ecosystem for one year. The minimum amount of funds available for operations is $1 million.
- An incentivization package in ANT.

While the onboarding of new teams will begin in the next few months, Aragon will be opening conversations with potential teams soon. You can head over to Aragon’s blog to learn more about its decentralization initiative, or visit its GitHub page to find out how to sign up your team to Aragon.

Mozilla pledges to match donations to Tor crowdfunding campaign up to $500,000
JFrog, a DevOps based artifact management platform, bags a $165 million Series D funding
OmniSci, formerly MapD, gets $55 million in series C funding

Google launches score-based reCAPTCHA v3 to filter abusive traffic on websites

Sugandha Lahoti
30 Oct 2018
3 min read
Yesterday, Google launched reCAPTCHA v3, a revamped version of its CAPTCHA API that helps filter abusive traffic to a website without user interaction. Instead of a challenge, reCAPTCHA v3 returns a score for each request, based on the user's interactions with the site, so that website owners can take the most appropriate action. “Over the last decade, reCAPTCHA has continuously evolved its technology,” Google product manager Wei Liu wrote in a blog post. She adds, “reCAPTCHA v3 helps to protect your sites without user friction and gives you more power to decide what to do in risky situations.” reCAPTCHA is most often used on sign-in pages, where it complements rate limiting of login attempts (fixed or exponentially increasing) and the blocking of IPs that exceed the allowed number of attempts; v3 adds adaptive risk analysis that runs in the background and flags suspicious traffic.

The scoring logic

Website owners can use the reCAPTCHA score in three ways. They can set a threshold that determines when a user is let through and when further verification is required. They can combine the score with their own signals that reCAPTCHA cannot see, such as user profiles or transaction histories. And they can use the score as one of the signals for training machine learning models that fight abuse.

reCAPTCHA v3 also introduces a new concept, an “action”, which is used to define the key steps of a user journey so that reCAPTCHA can run its risk analysis in context. When actions are added on multiple pages, the adaptive risk analysis engine can identify attacker patterns more accurately by looking at activity across different pages of the site. The reCAPTCHA admin console provides an overview of the score distribution and a breakdown of the statistics for the top 10 actions on a site.
It also provides multiple ways to customize the actions taken for different types of traffic, to protect against bots and improve the user experience according to a website’s specific needs. You can visit the reCAPTCHA developer site for more details.

OK Google, why are you ok with mut(at)ing your ethos for Project DragonFly?
90% Google Play apps contain third-party trackers, share user data with Alphabet, Facebook, Twitter, etc: Oxford University Study.
A multimillion-dollar ad fraud scheme that secretly tracked user affected millions of Android phones. This is how Google is tackling it.
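The scoring logic described above (a per-action threshold, a step-up band, and site-side signals reCAPTCHA cannot see) is ultimately a server-side decision. The following Python is an added example, not Google's code. The JSON shape it consumes (success, score, action, hostname) is the documented siteverify response, which a server obtains by POSTing its secret and the client token to https://www.google.com/recaptcha/api/siteverify; here the responses are constructed so the example runs offline, and the thresholds, the step-up band and the extra_risk parameter are this example's assumptions.

```python
"""Server-side decision on a reCAPTCHA v3 siteverify response.

Added example, not Google's code. Responses below are constructed copies of
the documented siteverify JSON shape; thresholds are assumptions to be tuned
from the admin console's score distribution for each action.
"""
import json

# Per-action thresholds (assumed). 1.0 is very likely a human, 0.0 very likely a bot.
THRESHOLDS = {"login": 0.5, "signup": 0.7, "password_reset": 0.7}
DEFAULT_THRESHOLD = 0.5
STEP_UP_BAND = 0.2   # scores this far below the threshold get a challenge, not a block


def evaluate(siteverify_json, expected_action, expected_hostname, extra_risk=0.0):
    """Return 'allow', 'challenge' or 'block' for one verified token.

    extra_risk is a site-side signal reCAPTCHA cannot see (new device,
    unusual geography, large transaction, ...) expressed as an increase to
    the threshold, so the two sources of evidence are combined.
    """
    response = json.loads(siteverify_json)
    if not response.get("success"):
        return "block"                          # invalid, expired or reused token
    if response.get("action") != expected_action:
        return "block"                          # token minted for a different page
    if response.get("hostname") != expected_hostname:
        return "block"                          # token minted on another site
    score = float(response.get("score", 0.0))
    threshold = min(1.0, THRESHOLDS.get(expected_action, DEFAULT_THRESHOLD) + extra_risk)
    if score >= threshold:
        return "allow"
    if score >= threshold - STEP_UP_BAND:
        return "challenge"                      # e.g. require a second factor or email confirmation
    return "block"


# Constructed siteverify responses (same field names as the real API).
SAMPLES = {
    "human_login": json.dumps({"success": True, "score": 0.9, "action": "login",
                               "challenge_ts": "2018-10-30T10:00:00Z", "hostname": "example.com"}),
    "borderline_login": json.dumps({"success": True, "score": 0.4, "action": "login",
                                    "challenge_ts": "2018-10-30T10:00:01Z", "hostname": "example.com"}),
    "bot_login": json.dumps({"success": True, "score": 0.1, "action": "login",
                             "challenge_ts": "2018-10-30T10:00:02Z", "hostname": "example.com"}),
    "bad_token": json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]}),
}


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, evaluate(sample, "login", "example.com"))
```

Checking action and hostname before looking at the score matters: a high-scoring token harvested from a low-value page on the same site, or from another site entirely, must not be accepted on the login form.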