
Tech News - Security

470 Articles
Bhagyashree R
22 Oct 2018
4 min read

Mozilla partners with ProtonVPN to test a paid VPN service for Firefox, reports Ghacks

Yesterday, Ghacks reported that Mozilla has partnered with a Swiss VPN provider named ProtonVPN. Mozilla is currently testing the VPN service with a sample of Firefox 62 users in the United States, and this test starts on October 24th.

Users who connect to an unencrypted wireless network, or who visit privacy-focused websites or streaming sites, might see a recommendation from Firefox. The recommendation confirms that Mozilla has selected ProtonVPN as the partner for this test and also shows the price of the subscription. This price matches the price that users pay for a monthly ProtonVPN subscription ($10 monthly) when they subscribe directly on the ProtonVPN website.

Why use VPN?

In case you are wondering what a Virtual Private Network (VPN) is, it is an encrypted connection over the internet from a device to a network. This encrypted connection ensures safe transmission of sensitive data and prevents unauthorized people from eavesdropping. It makes use of tunneling protocols such as PPTP, L2TP/IPSec, SSTP, and OpenVPN to establish a secure connection.

With a VPN, users working at home, on the road, or at a branch office can securely connect to a remote corporate server using the internet. From the user’s perspective, it is a point-to-point connection between the user's computer and a corporate server. The nature of the intermediate network is irrelevant to the user because it appears as if the data is being sent over a dedicated private link.

Why is Mozilla partnering with ProtonVPN?

Mozilla conducted a thorough evaluation of a long list of market-leading VPN services based on a wide variety of factors, including the design and implementation of each VPN service. As a result of this evaluation, they selected ProtonVPN for this experiment. According to Mozilla, ProtonVPN offers a secure, reliable, and easy-to-use VPN service. ProtonVPN comes with the following advantages:

  • Strong security practices for better protection against hacking attempts.
  • It does not store or log information about the browsing of its users.
  • It follows the same mission as Mozilla: to improve data safety and security on the Web.

Mozilla also issued an announcement yesterday, explaining their decision to partner with ProtonVPN:

“Mozilla will be the party collecting payment from Firefox users who decide to subscribe. A portion of these proceeds will be shared with ProtonVPN, to offset their costs in operating the service, and a portion will go to Mozilla. In this way, subscribers will be directly supporting Mozilla while benefiting from one of the very best VPN services on the market today.”

According to Ghacks, this partnership will provide Mozilla another way of generating revenue:

“Mozilla has two main intentions when it comes to the new offering. First, to add a new revenue stream that is independent of the money that the organization gets from search engine companies like Google. The affiliate revenue earned from promoting the VPN in Firefox would reduce the stranglehold that search engine companies have on Mozilla. The bulk of Mozilla's revenue comes from deals with search engine companies like Google or Yandex. The second reason is that VPNs improve user privacy and security on the Internet. VPNs like ProtonVPN include security features that block certain attacks outright and they hide the IP address of the user device.”

Although this introduction of a VPN can ensure better security for users browsing the internet, the monthly charge of $10 is a bit steep. Also, since Firefox will be getting a share of the $10/month revenue if users subscribe to the service, it feels like a promotion of the VPN. It would have been much better if Mozilla had come up with their own VPN.

To know more about Mozilla testing ProtonVPN, check out the full story at ghacks.net and also read Mozilla’s official announcement.

Note: Yesterday, we reported that the test will begin on 22nd. We have now corrected the date according to the official announcement to 24th. We have also added the criteria on which Mozilla selected ProtonVPN and the reason they are partnering with them.

Savia Lobo
22 Oct 2018
3 min read

jQuery File Upload plugin exploited by hackers over 8 years, reports Akamai's SIRT researcher

Larry Cashdollar, a security researcher with Akamai's SIRT (Security Intelligence Response Team), found a vulnerability that impacts the jQuery File Upload plugin, as reported by Bleeping Computer last week. The vulnerability received the CVE-2018-9206 identifier earlier this month. This will help people pay closer attention to this flaw.

Larry discovered the flaw together with Sebastian Tschan, also known as Blueimp, the developer of the plugin. They found out that the flaw was caused by a change introduced in Apache 2.3.9, which disabled by default support for the .htaccess files that store folder-related security settings.

The jQuery File Upload plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds and thousands of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

The 8-year old issue finally found

As per the investigation, the developer identified the true source of the vulnerability not in the plugin's code, but in a change made in the Apache Web Server project dating back to 2010, which indirectly affected the plugin's expected behavior on Apache servers.

The actual issue dates back to November 23, 2010, just five days before Blueimp launched the first version of his plugin. On that day, the Apache Foundation released version 2.3.9 of the Apache HTTPD server.

Larry, in an interview with ZDNet, said, “attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells”. "I've seen stuff as far back as 2016," he added.

Hackers have been actively exploiting this flaw since 2016 and kept it low-key without anyone knowing. Larry found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. This means that the vulnerability was widely known to hackers, even if it remained a mystery for the infosec community.

According to ZDNet, “All jQuery File Upload versions before 9.22.1 are vulnerable. Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe.”

Measures taken against the formerly known ‘CVE-2018-9206’ flaw

Starting with Apache 2.3.9, .htaccess files are ignored unless specifically enabled by the administrator. There were two reasons for this change: firstly, to protect the administrator's system configuration by preventing users from customizing security settings on individual folders; secondly, to improve performance, since the server no longer had to check for a .htaccess file when accessing a directory.

After Apache 2.3.9, plugins using .htaccess files to impose access restrictions no longer benefited from the custom folder access security configuration. This was also the case with jQuery File Upload, which adds files to a root directory.

Now tracked as CVE-2018-9206, the coding flaw is no longer present in the latest version of jQuery File Upload. Tschan changed the code to allow only the image file types GIF, JPG, JPEG, and PNG by default; he provides instructions on how to enable more content without running a security risk.

Larry said, "I did test 1000 out of the 7800 of the plugin's forks from GitHub, and they all were exploitable”. The code he's been using for these tests is available on GitHub, along with a proof-of-concept for the actual flaw.

To know more about this in detail, head over to Bleeping Computer’s complete coverage.
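The Apache behaviour behind CVE-2018-9206, as an added example that is not code from the article, the plugin or the Apache project: a small Python audit that resolves the effective AllowOverride setting for directories whose protection depends on a .htaccess file. The sample configuration, directory paths and function names are constructed for illustration, and only AllowOverride in plain <Directory> sections is modelled.

```python
import re

# Constructed main-server configuration (sample input, not from a real host).
SAMPLE_CONF = """
<Directory "/var/www">
    Options -Indexes
</Directory>
<Directory "/var/www/legacy">
    AllowOverride All
</Directory>
<Directory "/var/www/app/uploads">
    AllowOverride None
</Directory>
"""

SECTION_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory\s*>',
                        re.I | re.S)
OVERRIDE_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I | re.M)


def default_allow_override(apache_version):
    """Built-in default: All up to 2.3.8, None from 2.3.9 onwards."""
    version = tuple(int(part) for part in apache_version.split("."))
    return "None" if version >= (2, 3, 9) else "All"


def directory_sections(conf):
    """Yield (path, AllowOverride value or None) for plain <Directory> sections."""
    for path, body in SECTION_RE.findall(conf):
        if any(ch in path for ch in "*?[~"):
            continue  # wildcard/regex sections are outside this simplified model
        match = OVERRIDE_RE.search(body)
        yield path.rstrip("/"), match.group(1) if match else None


def effective_allow_override(conf, target, apache_version):
    """Resolve the AllowOverride value that applies to one directory."""
    value = default_allow_override(apache_version)
    target = target.rstrip("/")
    # Apache merges <Directory> sections from the shortest path to the longest,
    # so the deepest matching section that sets AllowOverride wins.
    for path, setting in sorted(directory_sections(conf), key=lambda s: len(s[0])):
        if setting and (target == path or target.startswith(path + "/")):
            value = setting
    return value


def htaccess_ignored_dirs(conf, dirs, apache_version):
    """Return the directories whose .htaccess file the server will not read."""
    return [d for d in dirs
            if effective_allow_override(conf, d, apache_version).lower() == "none"]


if __name__ == "__main__":
    # Constructed list of directories that ship a .htaccess as their only guard.
    guarded = ["/var/www/shop/files",
               "/var/www/legacy/files",
               "/var/www/app/uploads/files"]
    for version in ("2.3.8", "2.3.9"):
        ignored = htaccess_ignored_dirs(SAMPLE_CONF, guarded, version)
        print(f"Apache {version}: .htaccess ignored in {ignored}")
```

Any directory this reports needs its restrictions moved into the main server configuration, because a .htaccess file shipped with the application has no effect there.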

Natasha Mathur
22 Oct 2018
4 min read

Yet another privacy expert quits Sidewalk Labs Toronto smart-city project with doubts over its ‘privacy by design’ commitment

Ann Cavoukian, Ontario’s former Privacy Commissioner, stepped down from her role as a consultant at Google’s sister company Sidewalk Labs last Friday. Sidewalk Labs has collaborated with Waterfront TO, an organization responsible for revitalization projects along the Toronto waterfront in Canada. The collaboration includes developing a 12-acre hi-tech neighborhood, called Quayside, on the shore of Lake Ontario.

Cavoukian is not the only one. Saadia Muzaffar, tech entrepreneur and founder of TechGirls Canada, also stepped down from her advisory role earlier this month, over “profound concerns” about the Quayside project. She also mentioned how Waterfront Toronto showed "apathy and a lack of leadership regarding shaky public trust".

The project involves deploying internet-connected devices such as pedestrian counters and air-quality sensors, among others, to track energy consumption, noise, traffic, and pollution. It has, however, sparked debate and criticism over the concern that people’s privacy is being compromised as the company collects all their data via sensors.

Sidewalk Labs came out with a digital governance framework last week to “set a new model for responsible data use in cities — anchored by an independent Civic Data Trust”. Cavoukian’s decision to resign from the project seems to be the result of this recent digital governance framework. As per the proposal, Sidewalk Labs would be committed to “de-identifying” (wiping of the personal info) the data, but it has no power to control what third parties do with that data. This is different from what Cavoukian was advocating (Privacy by Design), and she did not approve of it.

“Sidewalk Labs has committed to implement, as a company, the principles of Privacy by Design. Though that question is settled, the question of whether other companies involved in the Quayside project would be required to do so is unlikely to be worked out soon and may be out of Sidewalk Labs’ hands,” Sidewalk spokesman Dan Levitan mentioned in an e-mailed statement, as reported by the Globe and Mail.

Cavoukian’s Privacy by Design principles (considered a global standard) embed privacy measures into the design of a project, asking questions such as: “What is the minimum data you really need to accomplish the goal?” and “Do you need personal information, or can you accomplish it with de-identified data?”. The main feature of this framework is that, when personal information is collected via surveillance cameras and sensors, all kinds of personally identifying information (PII) get anonymized automatically at the source.

Although the proposal states that “No one should own urban data — it should be made freely and publicly available“, it is not immediately clear who would be leading the governance body to handle all the data.

“Just think of the consequences: If personally identifiable data are not de-identified at source, we will be creating another central database of personal information (controlled by whom?), that may be used without data subjects’ consent, that will be exposed to the risks of hacking and unauthorized access,” wrote Cavoukian in her resignation letter, as reported by the Globe and Mail.

Cavoukian mentioned that she would return to the project only if Waterfront Toronto confirms that all the parties involved in the project wanting to use the public data would de-identify the personal data at its source.

Bhagyashree R
19 Oct 2018
2 min read

Firefox Nightly now supports Encrypted Server Name Indication (ESNI) to prevent 3rd parties from tracking your browsing history

Yesterday, Mozilla announced that Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension. This prevents on-path observers from intercepting the TLS SNI extension and using it to determine which websites users are visiting.

Why is SNI needed?

SNI is required when multiple servers are sharing the same IP address. It is an extension to the TLS protocol with which clients indicate which hostname they are attempting to connect to. This permits servers to present multiple certificates on the same IP address and TCP port number. To put this in simple words, SNI helps make large-scale TLS hosting work.

How encrypted SNI (ESNI) works

First, a public key is published by the server on a well-known DNS record, which is then fetched by the client before connecting. Next, the client replaces the SNI extension in the ClientHello with an encrypted SNI extension. The encrypted SNI is basically the original SNI extension, but encrypted using a symmetric encryption key derived using the server’s public key.

The server owns the private key and derives the symmetric encryption key as well. It can then decrypt the extension and therefore terminate the connection (or forward it to a backend server). Since the encryption key can only be derived by the client and the server it is connecting to, encrypted SNI cannot be decrypted and accessed by third parties.

How you can enable encrypted SNI (ESNI)

Currently, ESNI is not supported for all Firefox users. However, Firefox Nightly users can try out this feature by following these steps:

  • First, ensure that you have DNS over HTTPS (DoH) enabled. To do that, you can check out this article posted by Mozilla.
  • Next, set the network.security.esni.enabled preference in about:config to true.

Head over to Mozilla Security Blog to read more about encrypted SNI.
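What the ESNI article above means on the wire, as an added example that is not code from the article or from Mozilla: a Python parser that reads a TLS ClientHello the way a passive network monitor would and returns the hostname it can see in the cleartext SNI extension. Both ClientHello messages are constructed in the block, the hostname is a placeholder, and the extension type used for the encrypted SNI extension is an assumed draft value that does not appear on the page.

```python
import struct

SNI_EXT = 0x0000            # server_name extension type
ESNI_EXT_ASSUMED = 0xFFCE   # assumed draft codepoint for encrypted SNI (not from the page)


def _vec(data, width):
    """Length-prefixed vector, the basic building block of TLS messages."""
    return len(data).to_bytes(width, "big") + data


def sni_extension(hostname):
    """Cleartext server_name extension carrying one host_name entry."""
    entry = b"\x00" + _vec(hostname.encode("ascii"), 2)   # name_type 0 = host_name
    return SNI_EXT, _vec(entry, 2)


def build_client_hello(extensions):
    """Build a minimal ClientHello record (constructed sample input)."""
    ext_blob = b"".join(struct.pack("!H", t) + _vec(d, 2) for t, d in extensions)
    body = (b"\x03\x03"              # legacy_version
            + bytes(32)              # random (constructed: all zero)
            + _vec(b"", 1)           # empty session id
            + _vec(b"\x13\x01", 2)   # one cipher suite
            + _vec(b"\x00", 1)       # null compression
            + _vec(ext_blob, 2))
    handshake = b"\x01" + _vec(body, 3)           # msg_type 1 = client_hello
    return b"\x16\x03\x01" + _vec(handshake, 2)   # content type 22 = handshake


def client_hello_extensions(record):
    """Return {extension type: data} for a ClientHello record, or {} if malformed."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return {}
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    found = {}
    try:
        pos = 2 + 32                                             # version + random
        pos += 1 + body[pos]                                     # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")      # cipher suites
        pos += 1 + body[pos]                                     # compression methods
        end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            found[ext_type] = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
    except IndexError:
        return {}                                                # truncated message
    return found


def observed_hostname(record):
    """Hostname visible to an on-path observer, or None when no cleartext SNI is sent."""
    ext = client_hello_extensions(record).get(SNI_EXT)
    if not ext or len(ext) < 5 or ext[2] != 0:
        return None
    name_len = int.from_bytes(ext[3:5], "big")
    return ext[5:5 + name_len].decode("ascii", "replace")


if __name__ == "__main__":
    plain = build_client_hello([sni_extension("intranet.example.org")])
    # The encrypted extension body is opaque to the observer; 48 zero bytes stand in.
    esni = build_client_hello([(ESNI_EXT_ASSUMED, bytes(48))])
    print("classic SNI  :", observed_hostname(plain))
    print("encrypted SNI:", observed_hostname(esni))
```

Monitoring that keys on the SNI hostname gets nothing from the second ClientHello, which is why the article pairs ESNI with DNS over HTTPS: the DNS lookup would otherwise reveal the same name.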

Natasha Mathur
18 Oct 2018
5 min read

“We can sell dangerous surveillance systems to police or we can stand up for what’s right. We can’t do both,” says a protesting Amazon employee

An Amazon employee has spoken out, in a letter, against Amazon selling its facial recognition technology, named Rekognition, to police departments across the world. The news of Amazon selling its facial recognition technology to the police first came out in May this year.

Earlier this week, Jeff Bezos spoke at the WIRED25 Summit regarding the use of technology to help the Department of Defense: "We are going to continue to support the DoD, and I think we should. The last thing we'd ever want to do is stop the progress of new technologies. If big tech companies are going to turn their back on US Department of Defense, this country is going to be in trouble”.

Soon after, a letter was published yesterday on Medium by an anonymous Amazon employee, whose identity was verified offline by the Medium editorial team. It read, “A couple weeks ago, my co-workers delivered a letter to this effect, signed by over 450 employees, to Jeff Bezos and other executives. We know Bezos is aware of these concerns... he acknowledged that big tech’s products might be misused, even exploited, by autocrats. But rather than meaningfully explain how Amazon will act to prevent the bad uses of its own technology, Bezos suggested we wait for society’s immune response”.

The letter also laid out the employees’ demands to kick Palantir, the software firm powering ICE’s deportation and tracking program, off Amazon Web Services, along with the need to initiate employee oversight for ethical decisions within the company. It also clearly states that their concern is not about harm that some company might cause in the future. Instead, it is about the fact that Amazon is “designing, marketing, and selling a system for mass surveillance right now”.

In fact, Rekognition is already being used by law enforcement with zero debate or restrictions on its use from Amazon. For instance, Orlando, Florida, has currently put Rekognition to test with live video feeds from surveillance cameras around the city. Rekognition is a deep-learning based service which is capable of storing and searching tens of millions of faces at a time. It allows detection of objects, scenes, activities and inappropriate content.

Amazon had also received criticism from the ACLU regarding selling Rekognition to cops, as it said that, “People should be free to walk down the street without being watched by the government. By automating mass surveillance, facial recognition systems like Rekognition threaten this freedom, posing a particular threat to communities already unjustly targeted in the current political climate. Once powerful surveillance systems like these are built and deployed, the harm will be extremely difficult to undo.”

Amazon had been quick to defend itself at that time and said in a statement emailed to various news organizations that, “Our quality of life would be much worse today if we outlawed new technology because some people could choose to abuse the technology. Imagine if customers couldn’t buy a computer because it was possible to use that computer for illegal purposes? Like any of our AWS services, we require our customers to comply with the law and be responsible when using Amazon Rekognition.”

The protest by Amazon employees is over the same concern as the ACLU’s. Putting Rekognition in the hands of the government puts the privacy of the people at stake, as people won’t be able to go about their lives without being constantly monitored by the government.

“Companies like ours should not be in the business of facilitating authoritarian surveillance. Not now, not ever. But Rekognition supports just that by pulling dozens of facial IDs from a single frame of video and storing them for later use or instantly comparing them with databases of millions of pictures. We cannot profit from a subset of powerful customers at the expense of our communities; we cannot avert our eyes from the human cost of our business”, mentions the letter.

The letter also points out that Rekognition is not accurate in its ability to identify people and is a “flawed technology” that is more likely to “misidentify people” with darker skin tone. For instance, Rekognition was earlier this year put to test with pictures of Congress members compared against a collection of mugshots. The result was 28 false matches, with incorrect results being higher for people of color. This makes it irresponsible, unreliable and unethical of the government to use Rekognition.

“We will not silently build technology to oppress and kill people, whether in our country or in others. Amazon talks a lot about values of leadership. If we want to lead, we need to make a choice between people and profits. We can sell dangerous surveillance systems to police or we can stand up for what’s right. We can’t do both”, reads the letter.

For more information, check out the official letter by Amazon employees.

Prasad Ramesh
18 Oct 2018
4 min read

How the Titan M chip will improve Android security

Aside from the big ugly notch on the Pixel XL 3, both the XL 3 and the Pixel 3 will sport a new security chip called the Titan M. This dedicated chip raises the security game in these new Pixel devices. The M is... well a good guess—mobile. The Titan chip was previously used internally at Google. This is another move towards putting better security in the hands of everyday consumers, after Google made the Titan security key available for purchase.

What does the Titan M do?

The Titan M is an individual low-power security chip designed and manufactured by Google. It is not a part of the Snapdragon 845 powering the new Pixel devices. It performs several security functions at the hardware level:

  • Stores and enforces the locks and rollback counters used by Android Verified Boot to prevent attackers from unlocking the bootloader.
  • Securely locks and encrypts your phone and further limits invalid attempts at unlocking the device.
  • Lets apps use the Android Strongbox Keymaster module to generate and store keys on the Titan M.
  • Has direct electrical connections to the Pixel's side buttons that prevent an attacker from faking button presses.
  • Applies factory-reset policies that enforce rules with which lost or stolen devices can be restored only by the owner.
  • Ensures, with Insider Attack Resistance, that even Google themselves can't unlock a phone or install firmware updates without the passcode set by the owner.

An overview of the Titan M chip

Since the Titan M is a separate chip, it protects against hardware-level attacks such as Rowhammer, Spectre, and Meltdown. Google has complete control and supervision over building this chip, right from the silicon stages. They have taken care to incorporate features like low power usage, low latency, hardware cryptographic acceleration, tamper detection, and secure, timely firmware updates to the chip.

Image: the first generation Titan chip (left) and the new Titan M chip (right). Source: Google Blog

Titan M CPU

The CPU used is an ARM Cortex-M3 microprocessor which is specially hardened against side-channel attacks. It has been augmented with defensive features to detect and act upon abnormal conditions. The CPU core also exposes several control registers that gate access to chip configuration settings and peripherals. The Titan M verifies the signature of its firmware using a public key built into the chip. On signature verification, the flash is locked to prevent any modification. It also has a large programmable coprocessor for public key algorithms.

Encryption in the chip

This new chip also features hardware accelerators like AES and SHA. The accelerators are flexible, meaning they can be initialized either with firmware-provided keys or with chip-specific, hardware-bound keys generated by the Key Manager module. The chip-specific keys are generated internally with the True Random Number Generator (TRNG). Hence such keys stay entirely inside the chip and are not available outside it.

Google tried to pack maximum security features into Titan M's 64 KB RAM. The RAM contents of the chip can be preserved even during battery saving mode, when most hardware modules are turned off.

Image: a diagram showing the chip components. Source: Google Blog

Google is aware of what goes into each chip, from logic gates to the boot code. The chip allows higher security in areas like two-factor authentication, medical device control, and P2P payments, among other potential future uses. The Titan M firmware source code will be publicly available soon.

For more details, visit the Google Blog.
Savia Lobo
18 Oct 2018
3 min read

Apple now allows U.S. users to download their personal data via its online privacy data portal

Yesterday, Apple started allowing U.S. users to download a copy of all the data the company stores about them, as a part of its privacy data portal expansion. The company had announced this feature expansion earlier this year. Per Bloomberg, prior to making this functionality available to U.S. users, Apple rolled out the same functionality in Europe earlier this year as part of the European Union’s General Data Protection Regulation (GDPR) rules.

With this effort, U.S. users will be able to download data such as all of their address book contacts, calendar appointments, music streaming preferences and details about past Apple product repairs. Previously, customers could not get their data without contacting Apple directly.

Apple launched its online privacy portal in May, at which point U.S. users were allowed only to correct their data or delete their Apple accounts. Apple has also added messages across its apps that tell users how their data is being handled. The company is also rolling out an updated privacy page on its website today detailing what data it does and does not store.

Apple says that it does not store much of users’ data, which was confirmed by Zack Whittaker, a security editor at TechCrunch, when he asked Apple for his own data and the company turned over only a few megabytes of spreadsheets, including his order and purchase histories, and marketing information.

In his article on ZDNet, Zack says, “The zip file contained mostly Excel spreadsheets, packed with information that Apple stores about me. None of the files contained content information -- like text messages and photos -- but they do contain metadata, like when and who I messaged or called on FaceTime.” He further added, “Any other data that Apple stores is either encrypted — so it can’t turn over — or was only held for a short amount of time and was deleted.”

As for Apple’s privacy policy updates, the company refreshes its privacy pages once a year, a month after its product launches. It first launched its dedicated privacy pages in 2014. A year later, the company blew up the traditional privacy policy in 2015 by going more full-disclosure. Zack says that, since then, Apple’s pages have expanded and continued to be transparent on how the company encrypts user data on its devices.

To know more about how Apple encrypts user data in detail, visit Zack’s post on ZDNet.

Sugandha Lahoti
18 Oct 2018
3 min read

EFF kicks off its Coder’s Rights project with a paper on protecting security researchers’ rights

The Electronic Frontier Foundation is introducing a new Coder’s Rights project to allow programmers and developers to research and develop freely without worrying about facing serious legal challenges that may inhibit their work. With the Coder’s Rights project, EFF will protect researchers through education, legal defense, amicus briefs, and involvement in the community. They will also provide policy advice to decision-making officials who are considering new computer crime legislation and treaties.

The project seeks to support the right of free expression that lies at the heart of researchers' creation and use of computer code to examine computer systems, and to relay their discoveries among their peers and to the wider public.

To kick-start this project, EFF published a whitepaper yesterday, Protecting Security Researchers' Rights in America. This paper aims to provide the “legal and policy basis for the Coder’s Rights project, outlining human rights standards that lawmakers, judges, and most particularly the Inter-American Commission on Human Rights, should use to protect the fundamental rights of security researchers.” According to the paper, “present security researchers work in an environment of legal uncertainty, even as their job becomes more vital to the orderly functioning of society.”

The research paper is based on the rights recognized by the American Convention on Human Rights, and examples from North and South American jurisprudence. It analyzes “what rights security researchers have; how those rights are expressed in the Americas’ unique arrangement of human rights instruments, and how the EFF might best interpret the requirements of human rights law when applied to the domain of computer security research and its practitioners.”

Here are the main highlights from the paper:

  • Courts and the law should guarantee that the creation, possession or distribution of tools related to cybersecurity are protected by Article 13 of the American Convention of Human Rights, as legitimate acts of free expression.
  • Lawmakers and judges should discourage the use of criminal law as a response to socially beneficial behavior by security researchers.
  • Cybercrime law should include malicious intent and actual damage in its definition of criminal liability.
  • Criminal liability must be based on laws which describe in a precise manner which conduct is forbidden and which is punishable.
  • Penalties for computer crimes should be proportionate to the harm caused by crimes conducted without the use of a computer.
  • Proactive actions should be taken to secure the free flow of information in the security research community.

The white paper is available for download. Read more about the Coder’s Rights project on EFF.

Sugandha Lahoti
17 Oct 2018
5 min read

Satya Nadella reflects on Microsoft's progress in areas of data, AI, business applications, trust, privacy and more.

Microsoft CEO Satya Nadella published his letter to shareholders from the company’s 2018 annual report on LinkedIn yesterday. He talks about Microsoft’s accomplishments in the past year and the results and progress of Microsoft’s workplace, business applications, infrastructure, data, AI, and gaming. He also mentions the data and privacy rules adopted by Microsoft, and their belief in “instill trust in technology across everything they do.”

Microsoft’s result and progress

Data and AI

Azure Cosmos DB has already exceeded $100 million in annualized revenue. The company also saw rapid customer adoption of Azure Databricks for data preparation, advanced analytics, and machine learning scenarios. Their Azure Bot Service has nearly 300,000 developers, and they are on the road to building the world’s first AI supercomputer in Azure. Microsoft also acquired GitHub to recognize the increasingly vital role developers will play in value creation and growth across every industry.

Business Applications

Microsoft’s investments in Power BI have made them the leader in business analytics in the cloud. Their Open Data Initiative with Adobe and SAP will help customers to take control of their data and build new experiences that truly put people at the center. HoloLens and mixed reality will be used for designing for first-line workers, who account for 80 percent of the world’s workforce. New solutions powered by LinkedIn and Microsoft Graph help companies manage talent, training, and sales and marketing.

Applications and Infrastructure

Azure revenue grew 91 percent year-over-year and the company is investing aggressively to build Azure as the world’s computer. They added nearly 500 new Azure capabilities in the past year, focused on both existing workloads and new workloads such as IoT and Edge AI. Microsoft expanded their global data center footprint to 54 regions. They introduced Azure IoT, Azure Stack, and Azure Sphere.

Modern Workplace

More than 135 million people use Office 365 commercial every month. Outlook Mobile is also employed on 100 million iOS and Android devices worldwide. Microsoft Teams is being used by more than 300,000 organizations of all sizes, including 87 of the Fortune 100. Windows 10 is active on nearly 700 million devices around the world.

Gaming

The company surpassed $10 billion in revenue this year for gaming. Xbox Live now has 57 million monthly active users, and they are investing in new services like Mixer and Game Pass. They also added five new gaming studios this year, including PlayFab, to build a cloud platform for the gaming industry across mobile, PC and console.

Microsoft’s impact around the globe

Nadella highlighted that companies such as Coca-Cola, Chevron Corporation, and ZF Group, a car parts manufacturer in Germany, are using Microsoft’s technology to build their own digital capabilities. Walmart is also using Azure and Microsoft 365 to transform the shopping experience for customers. In Kenya, M-KOPA Solar, one of their partners, connected homes across sub-Saharan Africa to solar power using the Microsoft Cloud. Office Dynamics 365 was used in Arizona to improve outcomes among the state’s 15,000 children in foster care. MedApp is using HoloLens in Poland to help cardiologists visualize a patient's heart as it beats in real time. In Cambodia, underserved children in rural communities are learning to code with Minecraft.

How Microsoft is handling trust and responsibility

Microsoft’s motto is “instilling trust in technology across everything they do.” Nadella says, “We believe that privacy is a fundamental human right, which is why compliance is deeply embedded in all our processes and practices.” Microsoft has extended the data subject rights of GDPR to all their customers around the world, not just those in the European Union, and advocated for the passage of the CLOUD Act in the U.S.

They also led the Cybersecurity Tech Accord, which has been signed by 61 global organizations, and are calling on governments to do more to make the internet safe. They announced the Defending Democracy Program to work with governments around the world to help safeguard voting, and introduced AccountGuard to offer advanced cybersecurity protections to political campaigns in the U.S. The company is also investing in tools for detecting and addressing bias in AI systems and advocating government regulation. They are also addressing society's most pressing challenges with new programs like AI for Earth, a five-year, $50M commitment to environmental sustainability, and AI for Accessibility to benefit people with disabilities.

Nadella further adds, “Over the past year, we have made progress in building a diverse and inclusive culture where everyone can do their best work.” Microsoft has nearly doubled the number of women corporate vice presidents since FY16. They have also increased African American/Black and Hispanic/Latino representation by 33 percent. He concludes by saying, “I’m proud of our progress, and I’m proud of the more than 100,000 Microsoft employees around the world who are focused on our customers’ success in this new era.”

Read the full letter on LinkedIn.

Savia Lobo
16 Oct 2018
2 min read

Google Chrome, Mozilla Firefox, and others to disable TLS 1.0 and TLS 1.1 in favor of TLS 1.2 or later by 2020

Yesterday, Google, Mozilla, and Apple announced that by 2020, they will disable TLS 1.0 and 1.1 by default in their respective browsers. Kyle Pflug, Senior Program Manager for Microsoft Edge, said, "January 19th of next year marks the 20th anniversary of TLS 1.0, the inaugural version of the protocol that encrypts and authenticates secure connections across the web."

Chrome, Edge, Internet Explorer, Firefox, and Safari already support TLS 1.2 and will soon support the recently approved final version of the TLS 1.3 standard. Chrome and Firefox already support TLS 1.3, while Apple and Microsoft are still working towards supporting it.

Why disable TLS 1.0 and 1.1?

The Internet Engineering Task Force (IETF), an organization that develops and promotes Internet standards, is hosting discussions to formally deprecate both TLS 1.0 and 1.1. TLS provides confidentiality and integrity of data in transit between clients and servers while they exchange information. To keep this data safe, it is essential to use modern and highly secure versions of this protocol.

Apple’s Secure Transport team has listed some benefits of moving away from TLS 1.0 and 1.1, including:

  • Modern cryptographic cipher suites and algorithms with desirable performance and security properties, e.g., perfect forward secrecy and authenticated encryption, that are not vulnerable to attacks such as BEAST.
  • Removal of mandatory and insecure SHA-1 and MD5 hash functions as part of peer authentication.
  • Resistance to downgrade-related attacks such as LogJam and FREAK.

For Google Chrome users, enterprise deployments can preview the TLS 1.0 and 1.1 removal today by setting the SSLVersionMin policy to ‘tls1.2’. For enterprise deployments that need more time, this same policy can be used to re-enable TLS 1.0 or TLS 1.1 until January 2021.

Post deprecation, here is what each browser maker has promised:

  • TLS 1.0 and 1.1 will be disabled altogether in Chrome 81, which will start rolling out “on early release channels starting January 2020.”
  • Edge and Internet Explorer 11 will disable TLS 1.0 and TLS 1.1 by default “in the first half of 2020.”
  • Firefox will drop support for TLS 1.0 and TLS 1.1 in March 2020.
  • TLS 1.0 and 1.1 will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020.

Read more about this news in detail on the Internet Engineering Task Force (IETF) blog post.
Savia Lobo
16 Oct 2018
3 min read

Twitter on the GDPR radar for refusing to provide a user his data due to ‘disproportionate effort’ involved

After Google just got saved from GDPR’s huge fine last month, Twitter is next on the EU’s GDPR investigation checklist. This appears to be the first GDPR investigation to be opened against Twitter. Last week, the data privacy regulators in Ireland opened an investigation into Twitter’s data collection practices. It will analyze the amount of data Twitter receives from its URL-shortening system, t.co. Twitter says the URL shortening allows the platform to measure the number of clicks per link, and helps it to fight the spread of malware through suspicious links.

Why did Irish data regulators choose to investigate Twitter?

This news was first reported by Fortune, which stated, “Michael Veale, who works at University College London, suspects that Twitter gets more information when people click on t.co links, and that it might use them to track those people as they surf the web, by leaving cookies in their browsers.”

Veale asked Twitter to provide him with all the personal data it holds on him. Twitter refused, claiming that providing this information would take a disproportionate effort. Following this, Veale filed a complaint with the Irish Data Protection Commission (DPC), and the authorities opened an investigation last week.

In a letter to Veale, the Irish Data Privacy Commissioner wrote, “The DPC has initiated a formal statutory inquiry in respect of your complaint. The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”

The Irish authorities said that Veale’s complaint will be handled by the new European Data Protection Board, as the complaint involves cross-border processing. The EU data protection body helps national data protection authorities coordinate their GDPR enforcement efforts.

Veale also prompted a similar investigation into Facebook, which also refused to hand over data held on users’ web-browsing activities. However, Fortune says, “Facebook was already the subject of multiple GDPR investigations.”

Veale says, "Data which looks a bit creepy, generally data which looks like web-browsing history, [is something] companies are very keen to keep out of data access requests. The user has a right to understand."

Twitter, however, refused to comment, saying only that it was ‘actively engaged’ with the DPC. If Twitter is found to be in breach of the GDPR, it could face a fine of up to €20m or up to 4 percent of its global annual revenue.

To know more about this news in detail, head over to Fortune’s full coverage.

Melisha Dsouza
16 Oct 2018
4 min read

IBM launches Industry's first ‘Cybersecurity Operations Center on Wheels’ for on-demand cybersecurity support

"Having a mobile facility that allows us to bring realistic cyberattack preparation and rehearsal to a larger, global audience will be a game changer in our mission to improve incident response efforts for organizations around the world." - Caleb Barlow, vice president of Threat Intelligence at IBM Security

Yesterday (15th October), IBM Security announced the industry's first mobile Security Operations Center, ‘The IBM X-Force Command Cyber Tactical Operations Center’ (C-TOC). This mobile command center, hosted at the back of a semi truck, will travel around the U.S. and Europe for cybersecurity training, preparedness, and response operations. The aim of this project is to provide on-demand cybersecurity support while building cybersecurity awareness and skills with professionals, students and consumers.

Cybercriminals are getting smarter by the day and cyber crimes are becoming more sophisticated by the hour. It is necessary for organizations to plan and rehearse their response to potential security breaches in advance. According to the 2018 Cost of a Data Breach Study, companies that respond to incidents effectively and remediate the event within 30 days can save over $1 million on the total cost of a data breach. Taking this into consideration, the C-TOC has the potential to provide immediate onsite support for clients at times when their cybersecurity needs may arise.

The mobile vehicle is modeled after Tactical Operations Centers used by the military and incident command posts used by first responders. It comes with a gesture-controlled cybersecurity "watch floor," data center and conference facilities. It has self-sustaining power and satellite and cellular communications, which provide a sterile and resilient network for investigation and response, and it serves as a platform for cybersecurity training.

Here are some of the key ways individuals can benefit from this mobile Security Operations Center:

#1 Focus on Response Training and Preparedness

The C-TOC will simulate real-world scenarios that depict how hackers operate, to help companies train their teams to respond to attacks. The training will cover key strategies to protect a business and its resources from cyberattacks.

#2 Onsite Cybersecurity Support

The C-TOC is mobile and can be deployed as an on-demand Security Operations Center. It aims to provide a realistic cybersecurity experience in the industry while visiting local universities and industries to build interest in cybersecurity careers and to address other cybersecurity concerns.

#3 Cyber Best Practices Laboratory

The C-TOC training includes real-world examples based on experiences with customers in the Cambridge Cyber Range. Attack scenarios will be designed for teams to participate in. The challenges are designed with various pointers in mind, such as working as a team to mitigate attacks, thinking as a hacker, hands-on experience with a malicious toolset, and much more.

#4 Supplementary Cybersecurity Operations

The IBM team also aims to spread awareness of the cybersecurity workforce shortage that is anticipated soon. With an expected shortfall of nearly 2 million cybersecurity professionals by 2022, it is necessary to educate the masses about careers in security as well as help upskill current professionals in cybersecurity.

This is one of the many initiatives taken by IBM to raise awareness of the importance of mitigating cyber attacks in time. Back in 2016, IBM invested $200 million in new incident response facilities, services and software, which included the industry's first Cyber Range for the commercial sector. By simulating real-world cyber attacks and training individuals to come up with advanced defense strategies, the SOC aims to bring realistic cyberattack preparation and rehearsal to a larger, global audience.

To know more about this news, as well as the dates that the C-TOC will tour the U.S. and Europe, head over to IBM’s official blog.

Natasha Mathur
15 Oct 2018
4 min read

To bring focus on the impact of tech on society, an education in humanities is just as important as STEM for budding engineers, says Mozilla co-founder

Mitchell Baker, chairwoman and co-founder of Mozilla, talked last week about the need for the tech industry to expand beyond technical skills, following the announcement of the Responsible Computer Science Challenge. She spoke about how hiring employees only from the STEM (science, technology, engineering, and maths) stream produces technologists who have the same “blind spots” in tech as the current ones.

“STEM is a necessity and educating more people in STEM topics clearly critical. But one thing that’s happened in 2018 is that we’ve looked at the platforms, and the thinking behind the platforms, and the lack of focus on impact or result,” said Baker in a statement to the Guardian. She also mentioned that hiring employees solely from the STEM disciplines is a move that will “come back to bite us”.

Baker also tweeted about the reason to move beyond the precise technical jobs and skills: https://twitter.com/MitchellBaker/status/1050842658724184065

Mozilla wants to broaden the horizon of the tech industry by incorporating education grounded in humanities, such as psychology and philosophy, into undergraduate computer science degrees. The ethics content in the coursework is not meant to be purely philosophical. Rather, it will make use of hypothesis and logic to present the ideas, and these ideas should make sense within computer science coursework.

“We need to be adding not just social sciences of the past, but something related to humanity and how to think about the effects of technology on humanity – which is partly sociology, partly anthropology, partly psychology, partly philosophy, partly ethics … it’s some new formulation of all of those things, as part of a Stem education. Otherwise, we’ll have ourselves to blame, for generations of technologists who don’t even have the toolsets to add these things in”, mentioned Baker.

Last week, the Mozilla Foundation, along with Omidyar Network, Schmidt Futures, and Craig Newmark Philanthropies, launched a competition for professors and educators named the Responsible Computer Science Challenge. It aims to produce “a new wave of engineers” who would implement a holistic approach to the design of all types of tech products.

“The hope is that the Challenge will unearth and spark innovative coursework that will not only be implemented at the participating home institutions but also be scaled to additional colleges and universities across the country — and beyond”, reads the challenge overview. The challenge stems from the ongoing problem of misinformation online and wants to empower graduating engineers to drive a “culture shift in the tech industry and build a healthier internet”.

This initiative by Mozilla to promote ethics and humanities in computer science coursework reflects the values that the company stands by. It was only last week that the company dropped the word “meritocracy” from its revised governance statement and leadership structure to actively promote diversity and inclusion.

“In a world where software is entwined with much of our lives, it is not enough to simply know what software can do. We must also know what software should and shouldn’t do, and train ourselves to think critically about how our code can be used. Students of computer science...must understand how code intersects with human behavior, privacy, safety, vulnerability, equality, and many other factors”, says Kathy Pham, a computer scientist at Mozilla who’s also co-leading the challenge.

For more information, check out the official Mozilla blog.
Savia Lobo
15 Oct 2018
3 min read

Facebook says only 29 million and not 50 million users were affected by last month’s security breach

Last month, Facebook witnessed its largest security breach, which compromised 50 million user accounts and which was later fixed by its investigation team to avoid further misuse. On Friday, 12th October, Guy Rosen, VP of Product Management at Facebook, shared details of the attack so that users would know the actual reason behind it.

A snapshot of the attack

Facebook discovered the issue on September 25th. The attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The vulnerability resulted from a series of interactions of three distinct software bugs, which affected the ‘View As’ feature that lets people see what their own profile looks like to someone else. Attackers stole Facebook access tokens to take over people’s accounts. These tokens allow an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.

Deciphering the attack: 29 million users were affected, not 50 million

Guy Rosen, in his update, stated, “We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen.”

Here’s what happened

The attackers already had control over a set of accounts connected to Facebook users. They then used an automated technique to move from one account to the next in order to steal the access tokens of those accounts’ friends, friends of friends, and so on. This allowed them to reach about 400,000 users. Guy writes, “this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations”.

The attackers used these 400,000 people’s lists of friends to further steal access tokens for about 30 million people. They broke down these 30 million into three batches, namely 15, 14 and 1 million, and carried out different accessing techniques for the first two batches:

  • For the 1 million people, the attackers did not access any information.
  • For 15 million people, attackers accessed just the name and contact details (phone number, email, or both, depending on what people had on their profiles).
  • For 14 million people, the attackers not only accessed name and contact details, but also other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

Facebook will be sending customized messages to the 30 million affected people to explain what information the attackers might have accessed and how they can protect themselves from the after-effects (suspicious calls, mails and messages). Guy also clarified, “This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.”

Meanwhile, Facebook is co-operating with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission, and other authorities to look into the ways attackers used Facebook and the possibility of smaller-scale attacks.

To know more about this in detail, visit Guy Rosen’s official blog post.

Amarabha Banerjee
15 Oct 2018
4 min read

Is AT&T trying to twist data privacy legislation to its own favor?

On September 26th, U.S. Senator John Thune (R-S.D.), chairman of the Senate Committee on Commerce, Science, and Transportation, convened a hearing titled ‘Examining Safeguards for Consumer Data Privacy’. Executives from AT&T, Amazon, Google, Twitter, Apple, and Charter Communications provided their testimonies to the Committee. The hearing took place to:

  • examine privacy policies of top technology and communications firms,
  • review the current state of consumer data privacy, and
  • offer members the opportunity to discuss possible approaches to safeguarding privacy more effectively.

John Thune opened the meeting by saying, “This hearing will provide leading technology companies and internet service providers an opportunity to explain their approaches to privacy, how they plan to address new requirements from the European Union and California, and what Congress can do to promote clear privacy expectations without hurting innovation.”

There is, however, one major problem with this approach. A hearing on consumer privacy barring any participation from the consumer side is like a meeting to discuss women's safety and empowerment without any woman on the board. Why would the administration do such a thing? They might just not be ready to bring all the sides into one room. They held a second set of hearings with privacy advocates last week. But will this really bring a change in perspective? And where are we headed?

AT&T and net neutrality

One of the key issues at hand in this story is net neutrality. For those that don’t know, this is the principle that Internet service providers should allow access to all content and applications regardless of the source, and shouldn’t be able to favor or block particular products or websites. This basically means a democratic internet. The recent law ending net neutrality across the majority of U.S. states was arguably pushed and supported by major ISPs and corporations.

This makes the declaration by AT&T that they want to uphold user privacy rules seem farcical, like a statement made by a hunter who is about to pounce on his prey and is luring it with fake consolations. As one of the leading telecom companies, AT&T has a significant stake in the online advertising and direct TV industry. The more they can track you online and record your habits, the better they can push ads and continue to milk user data without users being informed. That was their goal when they manipulated the modest FCC user data privacy guidelines for broadband providers last year, before the guidelines could even take effect. Those rules largely just mandated that ISPs be transparent about what data is collected and who it's being sold to, while requiring opt-in consent for particularly sensitive consumer data like your financial background.

When the same company rallies for user data privacy rules and tries to burden the social media and search engine giants like Facebook, Google, Microsoft etc., there’s a definite doubt about their actual intent. The actual reason might just be to weaken the power of major tech companies like Google and Facebook and push their own agenda via their broadband network.

Monopoly in any form is not an ideal scenario for users and customers. While Google and Facebook are vying for a monopoly over how users interact online every day, AT&T is playing a different game altogether, that of gaining control of the internet itself. Google, though, has plans to lay its own internet cable under the sea, so it’s going to be hard for AT&T to compete, as admirable as its ostensible hubris might be. Still, there is a decent chance that it might become a two-horse race by the middle of the next decade. Of course, the ultimate impact of this sort of monopoly remains to be seen. For AT&T, the opportunity is there, even if it looks like a big challenge.