Tech News - Security

470 Articles
Signal to roll out a new privacy feature in beta that conceals the sender’s identity
Melisha Dsouza, 30 Oct 2018, 4 min read

Worried about the privacy of your messages and chats? It’s about time you started considering Signal. As if end-to-end chat encryption wasn’t enough, Signal is now rolling out a new beta feature that hides a sender's “from” information and conceals their identity. The logic behind the feature is simple: while the service always needs to know where a message should be delivered, ideally it shouldn’t need to know who the sender is. First, let's look at how communication takes place traditionally, before exploring this feature.

The traditional method of sending messages

A Signal client sends a message by connecting to the service over TLS; authentication takes place, and the encrypted message contents are sent to the destination. The authentication process is supposed to:

- Validate the sender’s identity, to help prevent spoofing and help the recipient understand who sent the message.
- Use the sender’s identity to apply rate limiting and abuse protection.

The latest beta release is designed to keep the service from learning one more piece of information about its users: who is messaging whom. Communication now takes place in three simple steps:

1. The app hides the sender’s information inside the envelope of a message encrypted with the Signal Protocol.
2. The sender’s “from” information is removed from the outside of the message’s envelope. It is replaced with a short-term certificate containing the sender’s phone number, public identity key and an expiry time, which is used to prove the sender’s identity. The whole envelope is then encrypted again.
3. Once the message is delivered, the recipient’s device validates the certificate and decrypts the message as it normally would, without the sender’s identity being exposed at any point.

To implement the new feature while still ensuring the authenticity of the sender, the following have been included:

#1 Sender certificates

To prevent spoofing of messages, clients periodically retrieve a short-lived sender certificate containing the client’s phone number, public identity key, and an expiration timestamp, thus attesting to their identity. Clients can include the sender certificate when a message is sent, and receivers of the message can easily check its validity.

#2 Delivery tokens

To take steps against abuse, clients derive a 96-bit delivery token from their profile key and register it with the service. The service requires that clients prove their knowledge of the delivery token for a user in order to transmit messages to that user. Profiles are shared with contacts, with other people or groups that users explicitly approve, and in conversations that they create. This allows delivery tokens to be seamlessly exchanged behind the scenes. Since knowledge of a user’s profile key is necessary to derive that user’s delivery token, this restricts “sealed sender” messages to contacts, who are less likely to require rate limits and other abuse protection. Additionally, blocking a user who has access to a profile key triggers a profile key rotation.

#3 Encryption

The Signal Protocol is used to encrypt message contents end-to-end. The “envelope” containing the sender certificate as well as the message ciphertext is also encrypted using the sender and recipient identity keys.

Signal has never retained much of its users' data. This was demonstrated two years ago when the FBI demanded that Signal turn over all the data it had on one particular user. But the question remains: with social media platforms being misused by criminals to post attack threats, will a feature like this make Signal a haven for unscrupulous elements? Does Signal also have a plan to tackle issues such as hate speech recognition on its platform?

The beta releases that support sealed sender will be rolling out over the next few days. Users are advised to update all of their devices to use this new feature. Head over to the Signal Blog for more insights on this news.
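To make the two checks concrete, here is an added example (written for this article, not Signal's own code) modelling the service-side delivery-token check and the recipient-side sender-certificate check described above. It assumes HMAC-SHA256 as a stand-in for the real signature scheme and token derivation, omits the outer envelope encryption, and uses constructed keys, phone numbers and timestamps.

```python
"""Simplified model of the sealed-sender checks: the service gates delivery on a
96-bit delivery token (learning only the destination), and the recipient validates
the short-lived sender certificate found inside the envelope.
Added example, not Signal's code. HMAC-SHA256 is a stand-in for the real signature
scheme; the outer envelope encryption is not modelled; all keys are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

CERT_TTL_SECONDS = 24 * 3600  # assumed lifetime of the short-lived certificate


@dataclass(frozen=True)
class SenderCertificate:
    phone_number: str
    identity_key: bytes  # sender's public identity key (constructed bytes here)
    expires_at: int      # expiry as a unix timestamp
    signature: bytes     # service's signature over the three fields above


def _cert_payload(phone_number, identity_key, expires_at):
    """Canonical byte string the service signs and the recipient verifies."""
    return b"|".join([phone_number.encode(), identity_key, str(expires_at).encode()])


def derive_delivery_token(profile_key):
    """96-bit delivery token derived from the profile key (the exact KDF is an assumption)."""
    return hmac.new(profile_key, b"delivery-token", hashlib.sha256).digest()[:12]


class ServiceModel:
    """Only the service behaviour relevant here: issuing certificates and gating delivery."""

    def __init__(self):
        self.signing_key = os.urandom(32)  # stand-in for the service's certificate signing key
        self.delivery_tokens = {}          # recipient phone number -> registered token
        self.inbox = {}                    # recipient phone number -> sealed envelopes

    def issue_certificate(self, phone_number, identity_key, now):
        expires_at = now + CERT_TTL_SECONDS
        sig = hmac.new(self.signing_key, _cert_payload(phone_number, identity_key, expires_at),
                       hashlib.sha256).digest()
        return SenderCertificate(phone_number, identity_key, expires_at, sig)

    def register_delivery_token(self, phone_number, token):
        self.delivery_tokens[phone_number] = token

    def deliver_sealed(self, recipient, presented_token, sealed_envelope):
        """Accept a message that carries no sender identity: only the token is checked,
        so the service learns the destination but not who is sending."""
        expected = self.delivery_tokens.get(recipient)
        if expected is None or not hmac.compare_digest(expected, presented_token):
            return False  # no proof of the token: refused (this is where rate limiting applies)
        self.inbox.setdefault(recipient, []).append(sealed_envelope)
        return True


def validate_certificate(cert, service_verification_key, now):
    """Recipient-side check: the signature must verify and the certificate must not be
    expired. With HMAC as the stand-in, the verification key equals the signing key."""
    expected = hmac.new(service_verification_key,
                        _cert_payload(cert.phone_number, cert.identity_key, cert.expires_at),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature) and now < cert.expires_at


def run_scenario():
    """Walk through the flow from the article; returns the outcome of each check."""
    now = 1_540_900_000  # constructed timestamp
    service = ServiceModel()
    alice, bob = "+15550000001", "+15550000002"  # constructed numbers
    alice_identity_key = os.urandom(32)
    bob_profile_key = os.urandom(32)

    # Bob registers the token derived from his profile key; Alice is a contact and holds that key.
    service.register_delivery_token(bob, derive_delivery_token(bob_profile_key))
    cert = service.issue_certificate(alice, alice_identity_key, now)
    sealed = {"cert": cert, "ciphertext": b"<constructed ciphertext>"}  # outer encryption omitted

    results = {}
    results["contact_delivered"] = service.deliver_sealed(
        bob, derive_delivery_token(bob_profile_key), sealed)
    # Someone without Bob's profile key cannot prove the token, so sealed delivery is refused.
    results["stranger_refused"] = not service.deliver_sealed(
        bob, derive_delivery_token(os.urandom(32)), sealed)
    # Bob's device validates the certificate pulled from inside the envelope.
    results["cert_valid"] = validate_certificate(sealed["cert"], service.signing_key, now)
    results["cert_expired_later"] = not validate_certificate(
        cert, service.signing_key, now + CERT_TTL_SECONDS)
    # A certificate with a swapped phone number fails the signature check (spoofed sender).
    forged = replace(cert, phone_number="+15550000003")
    results["forged_rejected"] = not validate_certificate(forged, service.signing_key, now)
    # Bob blocks Alice: the profile key rotates, so a token from the old key no longer works.
    service.register_delivery_token(bob, derive_delivery_token(os.urandom(32)))
    results["old_token_refused_after_block"] = not service.deliver_sealed(
        bob, derive_delivery_token(bob_profile_key), sealed)
    results["messages_in_inbox"] = len(service.inbox[bob])
    return results


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {outcome}")
```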
Apple and Amazon take punitive action against Bloomberg’s 'misinformed' hacking story
Natasha Mathur, 29 Oct 2018, 3 min read

It was only earlier this month that Bloomberg published a story alleging that China had hacked into Amazon and Apple’s servers, and now the two tech giants seem to be retaliating against Bloomberg. Apple did not invite Bloomberg to its fall product event, “There’s More in the Making”, which takes place tomorrow in Brooklyn. Amazon, for its part, pulled its fourth-quarter advertisements from Bloomberg’s website last week, a significant loss of ad revenue for Bloomberg. An Amazon spokesperson told BuzzFeed News last week that the ads were canceled “due to a missed creative deadline”. Apple declined to comment.

Tim Cook, CEO of Apple, had asked Bloomberg to retract the story in an interview with BuzzFeed News on 19th October. "There is no truth in their story about Apple," Cook told BuzzFeed. Apple also published a statement on the matter: “we are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims”.

Andy Jassy, CEO of Amazon Web Services, and Super Micro joined Apple in refuting the claims made by Bloomberg.

https://twitter.com/ajassy/status/1054401346827243520

Steve Schmidt, Chief Information Security Officer at Amazon Web Services, further stated, “as we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government. There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count”.

Super Micro also issued a statement: “Super Micro strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems. Supermicro takes all security claims very seriously and makes continuous investments in the security capabilities of their products. Super Micro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely”.

According to the Bloomberg article, Chinese spies had implanted tiny chips on computer motherboards made by Super Micro Computer: “In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies”. These motherboards were used by several of the largest American tech giants, such as Amazon and Apple, and the chips allegedly provided secret access to the private data on the machines. The report also states that “the chips were reportedly built to be as inconspicuous as possible and to mimic signal conditioning couplers. It was determined during an investigation, which took three years to conclude, that the chip allowed the attackers to create a stealth doorway into any network that included the altered machines.” Although both Amazon and Apple refute the allegations, Bloomberg continues to stand by its report.
Meet ‘Gophish’, the open source phishing toolkit that simulates real-world phishing attacks
Melisha Dsouza, 29 Oct 2018, 2 min read

Phishing attacks are a common phenomenon these days. Fraudsters use technical tricks and social engineering to deceive users into revealing sensitive personal information such as usernames, passwords, account IDs, credit card details and social security numbers through fake emails. Gophish provides a framework to simulate real-world phishing attacks, enabling organizations to run phishing training that makes employees more aware of security in their business.

Gophish is an open-source phishing toolkit written in Golang, designed for businesses and penetration testers. Gophish releases do not have any dependencies, so it is easy to set up and run and can be hosted in-house. Here are some of the features of Gophish:

#1 Ease of use

Users can create or import pixel-perfect phishing templates and customize them in the browser itself. Phishing emails can be scheduled and sent in the background. Results of the simulation are delivered in near real time.

#2 Cross-platform

Gophish runs on Windows, Mac OS X, and Linux.

#3 Full REST API

The framework is powered by a REST API, and Gophish’s Python client makes it easy to work with that API.

#4 Real-time results

Results obtained by Gophish are updated automatically. Users can view a timeline for every recipient and track whether the email was opened, link clicks, submitted credentials, and more.

Damage caused by phishing in a corporate environment can have serious repercussions, such as loss or misuse of confidential data, loss of consumer trust in the brand, and misuse of corporate network resources. The Gophish framework aims to help industry professionals learn how to tackle phishing attacks with its ease of setup, ease of use, and powerful results. To learn more about how to use Gophish and its benefits, head over to their official blog.
Gaël Duval, creator of the ethical mobile OS /e/, calls out Tim Cook for being an ‘opportunist’ in the ongoing digital privacy debate
Prasad Ramesh, 26 Oct 2018, 3 min read

Software engineer Gaël Duval, who is working to create an ‘ethical operating system’ called /e/, wrote an open letter to Apple CEO Tim Cook today in response to Cook’s talk about privacy at ICDPPC on Oct 24. Duval argued that Cook’s pro-privacy comments and actions are brilliant PR moves that work in favor of Apple. His open letter to Tim Cook reads, “your strategists know that Google, that owns 80% of the smartphone market worldwide, is in a difficult position on this topic because their business model essentially relies on collecting personal data and profiting from it through advertising. That’s a great opportunity for Apple to communicate, because Apple’s business model is selling devices, not advertising.”

Why Duval finds Apple’s privacy claims disingenuous

Duval went on to explain why he is skeptical of Apple’s concern for user privacy on its products.

Apple’s privacy claims can’t be verified, as it is a closed ecosystem

iOS and macOS are mostly proprietary, closed operating systems. Users can only trust Apple’s claims that the OS is secure. As the source code is not open, there is no guarantee that the security measures put in place are enough to protect users against all privacy threats. He pointed out that if the source code were open, the community and experts could verify the security and privacy measures themselves.

Personal information for profit

According to Apple’s privacy policy: “Personal information will only be shared by Apple to provide or improve our products, services and advertising; it will not be shared with third parties for their marketing purposes.” Duval says that Apple has explicitly accepted using personal information for its own profit.

Apple allows Google to collect user data on iPhone for the right price

The price was $9B for this year. It was $1B in 2014, speculated to be $3B in 2017 and to be $13B in 2019. This hefty fee allows Google to collect a lot of data from iOS users.

Apple hasn’t been in the news for privacy issues mostly because it doesn’t collect that much personal data, or so Apple users should hope. Will Apple open-source its OSes? I don’t think so. Apple OSes are also less susceptible to attacks because they are closed systems.

Apple, /e/, and privacy

What about Apple user data collected by Google as the default search engine? You may argue that it is just the default engine and can be changed. Yes, but how many regular consumers do you picture doing that? Most people would just pull out their phone, go to the browser and start typing in the search bar.

While all of the above points are valid and call out Apple on its practices, the open letter ends up doing what Duval accused Cook of doing in the first place: seizing the opportunity to promote his product. The letter serves as a promotional medium for Duval’s new mobile OS project /e/, which follows a privacy-by-design ethos. We aren’t complaining, though; more competition and diverse business models in the mobile OS space can only be a good thing in the age of data harvesting and security breaches. To read the letter, visit Duval’s Medium post.
QubesOS founder and endpoint security expert Joanna Rutkowska resigns; joins the Golem Project to focus on cloud trustworthiness
Savia Lobo, 26 Oct 2018, 4 min read

Yesterday, Joanna Rutkowska, the founder of QubesOS and Invisible Things, announced her resignation from the organization. She shared on the QubesOS blog that she has joined the Golem Project as Chief Strategy Officer, also doubling as Chief Security Officer.

Joanna Rutkowska has worked in several fields of computer security engineering over the past 10 years. Her projects include desktop systems security, Qubes OS, virtualization security, and hardware-enforced security mechanisms such as Intel vPro technologies, their vulnerabilities, and how they could be used to build more secure systems. Prior to these, her primary focus was on kernel-mode rootkits and stealth malware (e.g. Blue Pill), including both offensive and defensive research.

In her post on QubesOS, she said, “Earlier this year, I decided to take a sabbatical. I wanted to reflect on my infosec work and decide what I would like to focus on in the coming years. As you probably know, I’ve spent the last nine years mostly fighting the battle to secure the endpoint, more specifically creating, developing, architecting, and promoting Qubes OS, as well as the more general concept of ‘Security through Distrusting’.”

QubesOS: a security-oriented FOSS

Qubes is free and open-source software (FOSS), which means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it. Joanna says, “Over these past nine years, Qubes OS has grown from a research-inspired proof-of-concept into a reasonably mature, large open-source project with dozens of contributors and tens of thousands of users, including some high-profile security experts.” She highlighted two challenges for Qubes: firstly, improving hardware compatibility and UX, and secondly, the trustworthiness of the x86 platform.

From QubesOS to the Golem Project

Despite the challenges in QubesOS, Joanna decided to switch to Golem, as she believes endpoint device security has reasonably matured and the QubesOS project is in good hands. She sees cloud security as the next big challenge of this decade. She wrote, “While I still believe that the security of our digital lives starts and ends with the trustworthiness of the client devices we use”, adding, “I recognize that the state of endpoint device security has significantly improved over the past decade. At the same time, most of our data and activities have migrated from local devices to the cloud.”

She highlighted some fundamental problems with cloud trustworthiness, which include:

- The service providers who own our data (e.g. the vendor of your fitness tracking app),
- The hosting infrastructure owners, who can both access our data and deny us use of the service at their discretion (e.g. AWS, Azure, GCP), and
- The networking infrastructure operators, who can also selectively cut us off from the services (e.g. to implement some form of censorship).

She added, “These are very important problems, in my opinion, and I’d like to work now on making the cloud more trustworthy, specifically by limiting the amount of trust we have to place in it.”

Following this, she mentioned that Golem is a very unique project for her. Golem has been on a mission to build a ‘decentralized computer’ out of a heterogeneous network of third-party provided computers. Golem was founded two years ago through a successful crowdfunding campaign that allowed it to build a strong development team. Golem’s funding model has eliminated two common obstacles faced by most budding tech startups: lack of money to hire enough people, and the need to implement investors’ agenda. She said, “Most importantly, we (ITL), have already been working with Golem over the past year. During that time I’ve had enough time to get to know some of the key people in the project, understand their personal agendas, and conclude they might be very much in line with my own.”

Talking about QubesOS’ future, Joanna said that not much will change, and that Marek Marczykowski-Górecki, QubesOS’ lead engineer, has effectively been leading most of the day-to-day Qubes OS development efforts in recent years. “Marek will continue to lead Qubes now, so I’m reassured about the future of the project. I will also remain as an advisor to the Qubes OS Project, as well as… its user, though I’ve recently also been embracing other systems, including – of course – the cloud”, she added.

To know more about this news in detail, head over to Joanna Rutkowska’s post ‘The Next Chapter’ on QubesOS.
Hacking DRM to fix electronics is now legal: US Copyright Office passes new rules supporting Right to Repair reforms
Melisha Dsouza, 26 Oct 2018, 5 min read

Today, the Librarian of Congress and the US Copyright Office proposed new rules which will become effective from 28 October 2018. The new rules give consumers and independent repair experts permission to legally hack embedded software on consumer electronics like smartphones, tractors, cars, smart home appliances, and many other devices in order to repair or maintain them. This is an upgrade to the previous exemption in 2015 that allowed consumers to hack into the embedded systems of tractors and farm equipment for repair and maintenance purposes.

The ruling makes it clear that the federal government believes consumers should be legally allowed to fix the things they own. The rule states that consumers and repair professionals have the right to legally hack the firmware of “lawfully acquired” devices for the “maintenance” and “repair” of that device. The new clause specifically targets breaking the digital rights management (DRM) and embedded software locks for “the maintenance/ repair of a device or system …. in order to make it work in accordance with its original specifications.”

DRM is a term for any technology used to control access to, and restrict usage of, proprietary hardware and software and copyrighted work. It prevents the owner of a product from modifying, repairing, improving, distributing, and otherwise using the product in a way not authorized by the copyright holder. Until now, circumventing DRM was prohibited in many countries, and it is still illegal to create and distribute tools to bypass DRM. By applying restrictions on what the owner can and cannot do with their product, copyright holders can prevent intellectual property theft and copyright infringement, maintain artistic control, and ensure continued revenue streams. A good example of DRM in use is a printer’s inkjet cartridges. Printer companies make a lot more money when you buy your ink directly from them, and they come up with multiple techniques to prevent users from refilling their cartridges and putting them back in their printer.

This move is considered a big win for the ‘right to repair’ movement, which aims to “protect consumers from unfair and deceptive policies that make it difficult, expensive, or impossible for you to repair the things you own.” Most of the devices used today have software locks, which can now be legally circumvented. The catch is that as DRM becomes legal to crack, companies will make it much harder to bypass. On top of that, the federal government has not made any rules requiring manufacturers to make it easy to break the DRM. As such, the right to repair movement is pursuing state-level legislation to force manufacturers to allow DRM to be circumvented for the purposes of repair.

With this ruling, some major freedoms for consumers include the following, as listed by iFixit:

- You can now jailbreak Alexa-powered hardware, and other similar gadgets—they call these ‘Voice assistant devices.’
- You can unlock new phones, not just used ones. This is important for recyclers that get unopened consumer returns.
- We got a general exemption for repair of smartphones, home appliances, or home systems. This means that it’s finally legal to root and fix the Revolv smart home hubs that Google bricked when they shut down the servers. Or pretty much any other home device.
- Repair of motorized land vehicles (including tractors) by modifying the software is now legal. Importantly, this includes access to telematic diagnostic data—which was a major point of contention.
- It’s now legal for third-parties to perform repair on behalf of the owner. This is hugely important for the American economy, where repair jobs represent 3% of overall employment.

Nathan Proctor, head of right to repair at consumer rights group US PIRG, states that "Companies use the anti-piracy rules in copyright laws to cover things that are nowhere near copying music or video games. We just want to fix our stuff. We're pleased with the progress being made, and ultimately we want to settle this by establishing Right to Repair."

Kyle Wiens, co-founder and CEO of iFixit, wrote, “This ruling doesn’t make that [self-made] tooling available to the public—we’re going to need actual Right to Repair legislation for that. But it does make it legal to make your own tools. And that’s a huge step in the right direction. This is a sweeping victory. It’s the result of years of careful, painstakingly detailed work by the community.”

While this decision can be considered a blow to manufacturers that use digital rights management protections, consumers will now be able to take charge of their own devices and maintain them the way they want to. Head over to Motherboard.vice.com for more insights on this news.
GitHub updates developers and policymakers on EU copyright Directive at Brussels
Savia Lobo, 25 Oct 2018, 2 min read

On Tuesday, the 16th of October, GitHub hosted Open Source and Copyright: from Industry 4.0 to SMEs in Brussels. Partnering with OpenForum Europe and Red Hat, the event was designed to raise awareness of the EU Copyright Directive among developers and policymakers. GitHub has made its position on the controversial legislation clear, saying that while “current copyright laws are outdated in many respects and need modernization, we are concerned that some aspects of the EU’s proposed copyright reform package would inadvertently affect software.”

The event included further discussion on topics such as:

- Policy: For GitHub, Abby Vollmer shared how developers have been especially effective in getting policymakers to respond to problems with the copyright proposal, and asked them to continue reaching out to policymakers about a technical fix to protect open source.
- Developers: Evis Barbullushi from Red Hat explained why open source is so fundamental to software and critical to the EU, using examples of what open source powers every day. He also highlighted the world-class and commercially mainstream nature of open source.
- SMEs: Sebastiano Toffaletti (from the European Digital SME Alliance) described concerns about the copyright proposal from the perspective of SMEs, including how efforts to regulate large platforms can end up harming SMEs even if they’re not the target.
- Research and academia: Roberto Di Cosmo (Software Heritage) wrapped up the talks by noting that he “should not be here, because, in a world in which software was better understood and valued, policymakers would never introduce a proposal that inadvertently puts software at great risk, and motivated developers to fix this underlying problem.”

In its previous EU copyright proposal update, GitHub explained that the EU Council, Parliament, and Commission were ready to begin final-stage negotiations of the copyright proposal. These three institutions are now working on the exceptions to copyright for text and data mining (Article 3), among other technical elements of the proposal. Article 13 would likely drive many platforms to use upload filters on user-generated content. Since Article 2 defines which services are in the scope of Article 13, Articles 2 and 13 will be discussed together. This means developers can still contact policymakers with thoughts on what outcomes are best for software development.
Data Theorem launches two automated API security analysis solutions: API Discover and API Inspect
Sugandha Lahoti, 25 Oct 2018, 2 min read

Data Theorem, a company that delivers mobile app security to developers, has launched an automated API discovery and security analysis solution. It addresses API security threats prevalent in enterprise serverless and microservices applications, and allows developers to integrate API discovery and security assessment into their DevOps practices and CI/CD processes to protect any modern application.

Data Theorem has come up with two new products: API Discover and API Inspect. These tools address security concerns such as shadow APIs, serverless applications, and API Gateway cross-check validation by conducting continuous security assessments of API authentication, encryption, source code, and logging. The new API security solutions support Amazon’s Lambda and API Gateway tools to discover modern APIs and to compute their specification using standards such as Swagger and OpenAPI 3.0. The solutions alert users to important and critical vulnerabilities caused by insufficient security protection. They also alert users to newly created APIs built on serverless frameworks and deliver continuous, automated security analysis of those APIs.

“Data Theorem uniquely addresses threat models related to modern apps, helping us identify issues related to privacy and application-layer attacks and the potential loss of sensitive data,” said Rich Tener, Director of Security for Evernote, a note-taking app. He further adds, “With Data Theorem, we have continuous security testing in place for all of our apps in the app stores. Traditional API security checks are not enough in our environment. The new API discovery and analysis products Data Theorem has delivered are truly differentiated – I haven’t seen anyone else in the industry building automated API security services like this.”

Data Theorem’s new API Discover and API Inspect security tools are available from the Data Theorem website. Annual pricing starts at $300 per API operation.
Tim Cook talks about privacy, supports GDPR for USA at ICDPPC; ex-FB security chief calls him out
Prasad Ramesh, 25 Oct 2018, 4 min read

Apple CEO Tim Cook advocates data privacy and considers it a fundamental human right that reflects the ideas of the company. Shortly after, Facebook’s former security chief called him out on his speech in a series of tweets.

Cook on privacy

Cook spoke during a keynote at the ongoing International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Brussels, Belgium. He expressed his ideas on data privacy and praised the successful implementation of the EU’s GDPR. The Apple CEO is in full support of a GDPR-like policy coming to the US: “We at Apple are in full support of a comprehensive federal privacy law in the United States.” There are four essentials to such a law, he said:

- The right to have personal data minimized
- The right to knowledge
- The right to access
- The right to security

He talked about how data collection has become a kind of trade: “Today that trade has exploded into a data industrial complex. Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency.” Cook did not explicitly mention any companies in his speech, but he was likely referring to the Facebook Cambridge Analytica scandal and Google being fined over privacy in the EU. There was also a recent Senate hearing on consumer data privacy. Cook added, “In the news almost every day, we bear witness to the harmful, even deadly, effects of these narrowed worldviews. We shouldn't sugarcoat the consequences. This is surveillance. And these stockpiles of personal data serve only to enrich the companies that collect them.”

Cook on artificial intelligence

Cook believes that for artificial intelligence to be truly smart, it should respect human values, including privacy. He went on to say that achieving great artificial intelligence systems with great privacy standards is not just a possibility but a responsibility. He believes that we should not lose “humanity” in the pursuit of artificial intelligence. He states: “For artificial intelligence to be truly smart, it must respect human values, including privacy.” How a system that makes decisions based heavily on data can avoid using people’s data, or at least obscure it, is something to think about.

Ex-Facebook security chief on Cook’s speech

Alex Stamos, Facebook’s former security chief and now an adjunct professor, said that he agrees with almost everything Cook had to say. On Twitter, Stamos mentioned Apple blocking the download of VPNs and the use of encrypted messaging apps in China, which could have given Chinese citizens a way to connect to the open internet and send private messages. Also, data on iCloud is supposed to be end-to-end encrypted, but Apple’s Chinese partner Guizhou-Cloud Big Data stores iCloud data on Chinese government-run servers, which gives them a possible way to access user data. He tweeted: “We don't want the media to create an incentive structure that ignores treating Chinese citizens as less-deserving of privacy protections because a CEO is willing to bad-mouth the business model of their primary competitor, who uses advertising to subsidize cheaper devices.”

https://twitter.com/alexstamos/status/1055192743033458688
https://twitter.com/alexstamos/status/1055192747970191360

Whether data can really be weaponized against us comes down to who controls it. On a purely objective view, yes, it can be. But it is the responsibility of the tech giants collecting, using and controlling that data to use it responsibly and to keep it safe. It is understandable that a free-to-use model runs on user data, but companies should respect that data and the people from whom they collect it. There are also some efforts towards mobile OSes that promote privacy. In a world where everything is online, where we share, create profiles with personal details and use free services in exchange for our own data, complete privacy seems like a luxury.
Cathay Pacific, a major Hong Kong based airline, suffers data breach affecting 9.4 million passengers

Natasha Mathur
25 Oct 2018
2 min read
A major Hong Kong based international airline, Cathay Pacific Airways Limited, revealed yesterday that it has discovered unauthorized access to data belonging to as many as 9.4 million Cathay passengers. This data includes passenger name, nationality, date of birth, phone number, email address, passport number, identity card number, customer service remarks, and historical travel information. Moreover, 403 expired credit card numbers and 27 credit card numbers with no CVV were also accessed.

Cathay Pacific has its head office and main hub at Hong Kong International Airport and flies to North America, Europe, China, Taiwan, Japan, Southeast Asia, and the Middle East. The company has taken immediate measures to investigate the data breach further. So far, Cathay hasn’t found any evidence of misuse of personal information. The airline also said that while parts of its IT security processes were affected by the breach, its flight operations systems, which are insulated from the IT security systems, remain uncompromised.

Cathay Pacific posted about the data breach on Twitter: https://twitter.com/cathaypacific/status/1055117720444854273

“We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures”, said Rupert Hogg, CEO, Cathay Pacific.

Cathay is currently contacting the affected passengers through multiple communication channels and is providing them with information on steps they can take to protect themselves. “We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised. Cathay Pacific has notified the Hong Kong Police and is notifying the relevant authorities. We want to reassure our passengers that we took and continue to take measures to enhance our IT security. The safety and security of our passengers remain our top priority”, said Hogg.
3D Secure v2: a new authentication protocol supported by Stripe for frictionless authentication and better user experience

Natasha Mathur
25 Oct 2018
3 min read
Earlier this week, Stripe, an online platform that builds and runs tools for Internet commerce around the world, announced support for the new version of the 3D Secure protocol released by EMVCo, called EMV 3-D Secure (3D Secure v2). 3D Secure v2 aims to overcome the shortcomings of 3D Secure v1 and introduces features such as frictionless authentication and a better user experience. Let’s have a look at these features.

Frictionless authentication

With 3D Secure v2, businesses and their payment providers securely send over 100 data elements on every transaction to the cardholder’s bank. This includes payment-related data such as the shipping address, as well as contextual data such as the customer’s device ID or previous transaction history. The cardholder’s bank uses this information to analyze the risk level of the transaction and selects an appropriate response. If the bank trusts the data provided during the payment phase, the transaction follows the “frictionless” flow and the cardholder sees no sign of 3D Secure being applied. If the bank decides it needs further proof, the transaction follows the “challenge” flow, where the customer is asked to provide additional input to confirm that the payment is authentic.

Better user experience

3D Secure v2 comes with new mobile SDKs that let businesses implement native flows within their apps, so customers no longer have to switch to a browser-based flow to complete a transaction. The SDKs also make it easy for customers to authenticate a payment using their mobile banking apps: the SDK detects whether the bank’s app is installed on the customer’s device and automatically opens it during the 3D Secure flow without requiring any customer interaction. The customer can then authenticate the payment with a password, fingerprint, or facial recognition.

EMVCo expects the first banks to support 3D Secure v2 for their cardholders in early 2019. Wider adoption of 3D Secure v2 among banks will be incremental and will take several months. “We’re keen to support 3D Secure v2 for businesses using Stripe as soon as possible, so we’re preparing the Stripe APIs to take full advantage of the 3D Secure v2 improvements”, reads the announcement page. For more information, check out the official announcement.
Mozilla pledges to match donations to Tor crowdfunding campaign up to $500,000

Melisha Dsouza
24 Oct 2018
2 min read
Today, the Tor Project launched its annual end-of-year crowdfunding campaign, ‘Strength in Numbers’, and it is receiving support from Firefox maker Mozilla. The Tor network disguises a user’s identity by routing their traffic across different Tor servers and encrypting it so that it cannot be traced back to them, thus "ensuring privacy and online freedom".

Started back in 2016, Tor’s crowdfunding campaigns allow the community to realize the opportunity that Tor promises. Its vision of delivering significant advancements in the hidden services field aims to draw contributions from donors, giving them a part in shaping the evolution of hidden services. Tor announced that Mozilla will match donations up to a total of $500,000, which means a significant portion of the donations Tor receives during this campaign will automatically be doubled. This is not the first time that Mozilla, Tor’s long-term ally, has supported its network: its partnership with Tor helped the organization raise over $400,000 from a similar campaign. Mozilla's support has been valuable to Tor, which began soliciting crowdfunded donations in 2015 to offset its reliance on government grants.

2018 has been a busy year for the Tor Project, which has always aimed to take a stand against restrictive online practices and to foster privacy and online freedom for its users. To that end, it built Tor Browser 8, based on Firefox’s 2017 Quantum architecture, and Tor Browser for Android, to reach users in nations that have tightened restrictions on free expression and access to the open web. Mozilla appears to have given them a good head start to continue their work in 2019.

Tor plans to do the following in 2019 with community support:

- Improve the capacity, modularization, and scalability of the Tor network
- Make improvements and integrations into other privacy and circumvention tools easier and more reliable
- Better test and design solutions around internet censorship
- Strengthen the development of Tor Browser for Android
- And much more!

You can head over to Tor’s official blog to learn more about this news.
The second instance of Windows zero-day vulnerability disclosed in less than two months

Savia Lobo
24 Oct 2018
3 min read
Two months ago, a security researcher known as SandboxEscaper disclosed a local privilege escalation exploit in Windows. The researcher is back with another Windows zero-day vulnerability, disclosed on Twitter yesterday. A Proof-of-Concept (PoC) for this vulnerability was also published on GitHub.

https://twitter.com/SandboxEscaper/status/1054744201244692485

Many security experts analyzed the PoC and stated that this zero-day vulnerability only affects recent versions of the Windows OS, such as Windows 10 (all versions, including the latest October 2018 Update), Server 2016, and even the new Server 2019. An attacker can use it to elevate their privileges on systems they already have access to. Will Dormann, software vulnerability analyst at CERT/CC, says this is because the “Data Sharing Service (dssvc.dll) does not seem to be present on Windows 8.1 and earlier systems.” According to ZDNet, experts who analyzed the PoC say, “The PoC, in particular, was coded to delete files for which a user would normally need admin privileges to do so. With the appropriate modifications, other actions can be taken.”

The second zero-day Windows exploit

This zero-day exploit is very similar to the previous exploit released by SandboxEscaper in August, said Kevin Beaumont, an infosec geek at Vault-Tec. "It allows non-admins to delete any file by abusing a new Windows service not checking permissions again", he added. Microsoft released a security patch for the previous vulnerability in the September 2018 Patch Tuesday updates. Whereas SandboxEscaper’s PoC for the previous exploit “wrote garbage data to a Windows PC, the PoC for the second zero-day will delete crucial Windows files, crashing the operating system, and forcing users through a system restore process”. Hence, Mitja Kolsek, CEO of ACROS Security, advised users to avoid running this recent PoC.

Kolsek's company released an update for its product, 0patch, that blocks exploitation attempts until Microsoft releases an official fix. Kolsek and his team are currently working on porting their ‘micro-patch’ to all affected Windows versions. As per ZDNet, malware authors integrated SandboxEscaper's first zero-day into several malware distribution campaigns. Experts believe that malware authors could use the new zero-day to delete OS files or DLLs and replace them with malicious versions. SandboxEscaper argues that this second zero-day can be just as useful for attackers as the first. To know more about this news in detail, head over to ZDNet’s website.
FreeRTOS affected by 13 vulnerabilities in its TCP/IP stack

Savia Lobo
23 Oct 2018
2 min read
FreeRTOS, a popular real-time operating system kernel for embedded devices, has been found to have 13 vulnerabilities, as reported by BleepingComputer yesterday. Several of these vulnerabilities allow remote code execution. FreeRTOS supports more than 40 hardware platforms and powers microcontrollers in a diverse range of products, including temperature monitors, appliances, sensors, fitness trackers, and other microcontroller-based devices. Although it runs on small components and lacks the complexity of more elaborate hardware, it can process data as it arrives.

A researcher at Zimperium, Ori Karliner, analyzed the operating system and found that all of its varieties are vulnerable to 4 remote code execution bugs, 1 denial of service, 7 information leaks, and another security problem that is yet undisclosed. Here’s the full list of the vulnerabilities and their identifiers that affect FreeRTOS:

- CVE-2018-16522 Remote Code Execution
- CVE-2018-16525 Remote Code Execution
- CVE-2018-16526 Remote Code Execution
- CVE-2018-16528 Remote Code Execution
- CVE-2018-16523 Denial of Service
- CVE-2018-16524 Information Leak
- CVE-2018-16527 Information Leak
- CVE-2018-16599 Information Leak
- CVE-2018-16600 Information Leak
- CVE-2018-16601 Information Leak
- CVE-2018-16602 Information Leak
- CVE-2018-16603 Information Leak
- CVE-2018-16598 Other

FreeRTOS versions affected by the vulnerabilities

FreeRTOS versions up to V10.0.1, AWS FreeRTOS up to V1.3.1, and OpenRTOS and SafeRTOS (with WHIS Connect middleware TCP/IP components) are affected. Amazon has been notified of the situation and has released patches to mitigate the problems. Per the report, “Amazon decided to become involved in the development of the product for the Internet-of-Things segment. The company extended the kernel by adding libraries to support cloud connectivity, security and over-the-air updates.” According to BleepingComputer, “Zimperium is not releasing any technical details at the moment. This is to allow smaller vendors to patch the vulnerabilities. The wait time expires in 30 days.” To know more about these vulnerabilities in detail, visit the full coverage by BleepingComputer.
Stable version of OpenZeppelin 2.0, a framework for smart blockchain contracts, released!

Melisha Dsouza
23 Oct 2018
3 min read
Early last month, the team at OpenZeppelin announced their first release candidate, ‘OpenZeppelin 2.0 RC1’. Yesterday, the team released a completely stable, audited, and fully tested package of this framework. OpenZeppelin is an open-source framework for building secure smart contracts for Ethereum and other EVM and eWASM blockchains. It provides well tested and audited code to secure blockchain-based projects, and caters to a new generation of distributed applications, protocols and organizations that face the high risks and challenges of writing simple and secure code that deals with real money.

Features of OpenZeppelin 2.0

#1 A Stable API

One of the major updates of this release is that OpenZeppelin 2.0 now comes with a stable API to deliver reliable updates. Almost every previous release of OpenZeppelin changed its API, which helped the team explore multiple ideas for the framework. The experimental contracts in the drafts/ subdirectory can, however, still change between minor versions. With the growing size and complexity of smart contract systems, developers can use this framework as a predictable interface to design vulnerability-free contracts. The team plans to release more information on the stable API in the following weeks.

#2 Improved test suite

The team has been improving OpenZeppelin’s test suite over time. OpenZeppelin 2.0 now has 100% test coverage: every line of code in the package is automatically tested.

#3 Full Independent Audit

The LevelK team audited the OpenZeppelin 2.0.0 Release Candidate and found some severe issues. They went on to suggest many improvements, which helped fix almost all the issues and notes reported. Readers can check out the LevelK Audit - OpenZeppelin 2.0 project for all the details. The audit has helped the team secure the code further and helps future developers deploy these contracts as they are intended to be used.

#4 Miscellaneous Updates

In addition to a stable API and an improved test suite, the version update comes with new concepts and designs along with many renames and restructures. These include moving from Ownable contracts to role-based access control. State variables are now private, so derived contracts can no longer access them directly and must use getters; this was done to increase encapsulation. The team has also removed a few contracts that are not secure enough: LimitBalance, HasNoEther, HasNoTokens, HasNoContracts, NoOwner, Destructible, TokenDestructible, and CanReclaimToken stand removed. You can check all of these upgrades as well as the entire changelog on GitHub. Alternatively, head over to their blog for more insights on this release.
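The encapsulation change described under #4, as an added illustration that is not OpenZeppelin’s own code: a base contract keeps its state private and exposes only a getter and an internal mutator, so a derived contract cannot bypass the base contract’s invariants by writing to storage directly. The contract names, the cap logic and the Solidity 0.4.24 pragma are assumptions chosen for this example.

```solidity
pragma solidity ^0.4.24;

// Base contract in the OpenZeppelin 2.0 style (hypothetical example contract):
// the counter is private, so children cannot read or write it directly.
contract Counter {
    uint256 private _count; // private: invisible to derived contracts

    event Incremented(address indexed by, uint256 newCount);

    // Public getter: the only way for children (and callers) to read the value.
    function count() public view returns (uint256) {
        return _count;
    }

    // Internal mutator: the only sanctioned way for children to change state.
    // Any invariant enforced here cannot be skipped by a derived contract.
    function _increment() internal {
        _count = _count + 1;
        emit Incremented(msg.sender, _count);
    }
}

// Derived contract that adds a cap (hypothetical example contract).
contract CappedCounter is Counter {
    uint256 private _cap;

    constructor(uint256 cap) public {
        require(cap > 0, "CappedCounter: cap must be positive");
        _cap = cap;
    }

    function cap() public view returns (uint256) {
        return _cap;
    }

    function increment() public {
        // `_count` is not accessible here; `require(_count < _cap)` would not
        // compile. The derived contract must go through the getter instead.
        require(count() < _cap, "CappedCounter: cap reached");
        _increment();
    }
}
```

With the state private, a reviewer only has to audit `Counter` to know every path that can modify `_count`, which is the point of the encapsulation change.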