Tech News - Cybersecurity

OnionShare 2, an open source tool that uses Tor onion services for securely sharing files, is now out!

Bhagyashree R
21 Feb 2019
3 min read
This Monday, the community behind OnionShare released its next major version, OnionShare 2. This release comes with the macOS sandbox enabled by default, support for next-generation onion services, several new translations, and more. OnionShare is a free, open-source tool that allows users to share and receive files securely and anonymously using Tor onion services.

Following are some of the updates introduced in OnionShare 2:

The macOS sandbox enabled by default

The macOS sandbox is enabled by default in OnionShare 2. This will prevent hackers from accessing data or running programs on users' computers, even if they manage to exploit a vulnerability in OnionShare.

Next generation Tor onion addresses

OnionShare 2 improves security by using next-generation Tor onion services, also known as v3 onion services. These next-generation Tor onion services provide onion addresses that are unguessable. These addresses look like this: lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion. Users can still use v2 onion addresses if they want, by navigating to Settings and selecting "Use legacy addresses".

OnionShare addresses are ephemeral by default

As soon as the sharing is complete, the OnionShare address completely disappears from the internet, as these addresses are intended for one-time use. This behavior is enabled by default; you may want to change it if you want to share the files with a group of people. You can do that by going to the Settings menu and unchecking the "Stop sharing after files have been sent" option.

Public OnionShare addresses

By default, OnionShare addresses look like this: http://[tor-address].onion/[slug]. In this format, the slug consists of random words drawn from a list of 7,776 words. Even if an attacker figures out the tor-address part, they still won't be able to download the files you are sharing or run programs on your computer. They need to know the slug, which works here as a password. But since this slug is only two words long, and the wordlist OnionShare uses is public, attackers can guess it. OnionShare 2 comes with a Public mode that allows you to publicly share an OnionShare address. With Public mode enabled, the OnionShare address will look like http://[tor-address].onion/, and the server will remain up no matter how many 404 errors it gets. To enable this mode, just go to the Settings menu and check the box next to "Public mode".

OnionShare 2 is translated into 12 languages

OnionShare 2 is translated into twelve new languages: Bengali, Catalan, Danish, French, Greek, Italian, Japanese, Persian, Portuguese (Brazil), Russian, Spanish, and Swedish. You can select these languages from a dropdown.

Read the complete list of updates in OnionShare 2 shared by Micah Lee, a computer security engineer.
GitHub increases its reward payout model for its bug bounty program  

Savia Lobo
20 Feb 2019
2 min read
GitHub announced yesterday that it is expanding its bug bounty program by adding more services to the list and increasing the reward amounts offered to vulnerability seekers. It has also added Legal Safe Harbor terms to its updated policy.

All products and services under the github.com domain, including GitHub Education, Enterprise Cloud, Learning Lab, Jobs, the Desktop application, githubapp.com, and github.net, are part of this bug bounty list.

Launched in 2014, GitHub's Security Bug Bounty program paid out $165,000 to researchers from its public bug bounty program in 2018. GitHub's researcher grants, private bug bounty programs, and a live-hacking event helped GitHub reach a milestone of $250,000 paid out to researchers last year.

GitHub's new Legal Safe Harbor terms cover three main sources of legal risk:

- Protect users' research activity and authorize it if they cross the line for the purpose of research.
- Protect researchers in the bug bounty program from legal exposure via third parties. Unless GitHub gets written permission from the user, it will not share identifying information with a third party.
- Prevent researchers in the bug bounty program from being hit with site violations when they've broken the rules in the spirit of research.

According to the GitHub blog post, "You won't be violating our site terms if it's specifically for bounty research. For example, if your in-scope research includes reverse engineering, you can safely disregard the GitHub Enterprise Agreement's restrictions on reverse engineering. Our safe harbor now provides a limited waiver for parts of other site terms and policies to protect researchers from legal risk from DMCA anti-circumvention rules or other contract terms that could otherwise prohibit things a researcher might need to do, like reverse engineering or de-obfuscating code."

As for the reward schedule, GitHub says it has increased the reward amounts at all levels:

- Critical: $20,000–$30,000+
- High: $10,000–$20,000
- Medium: $4,000–$10,000
- Low: $617–$2,000

"We no longer have a maximum reward amount for critical vulnerabilities. Although we've listed $30,000 as a guideline amount for critical vulnerabilities, we're reserving the right to reward significantly more for truly cutting-edge research", the GitHub blog states.
Firedome’s ‘Endpoint Protection’ solution for improved IoT security

Melisha Dsouza
19 Feb 2019
3 min read
Last month, Firedome Inc announced the launch of the world's first endpoint cybersecurity solutions portfolio specifically tailored to home IoT companies and manufacturers. Firedome has developed business models that allow companies to implement top-quality endpoint cybersecurity solutions to close critical security gaps that are a byproduct of the IoT era.

Home IoT devices are susceptible to cyber attacks due to the lack of regulation and budget limitations. Cryptojacking, DDoS and ransomware attacks are only a few examples of the cyber crimes threatening the smart home ecosystem and consumer privacy. The low margins in this industry have left manufacturers struggling to implement high-end cybersecurity solutions.

Features of the Firedome 'Endpoint Protection' solution:

- A lightweight software agent that can easily be added to any connected device (during the manufacturing process or later on, 'over the air').
- A cloud-based AI engine that collects and analyzes aggregated data from multiple fleets around the world, produces insights from each attack (or attack attempt) and optimizes them across the board.
- An accompanying 24/7 SOC team that responds to alerts, runs security research and supports Firedome customers.

The Firedome solution adds a dynamic layer of protection and is designed not only to prevent attacks from occurring in the first place but also to identify attack attempts and respond to breaches in real time, thereby eliminating damage potential until a firmware update is released. The Firedome Home Solution enables industry players to provide their consumers with cyber protection and security insights for the entire home network.

Moti Shkolnik, Firedome's Co-founder and CEO, says: "We are very excited to formally launch our suite of services and solutions for the home IoT industry and we strongly believe they have the potential of changing the Home IoT cybersecurity landscape. Device companies and other ecosystem players are craving a solution that is tailored to their needs and business constraints, a solution that will address the vulnerability that is so evident in endpoint devices. Home IoT devices are becoming a commodity and the industry must address these vulnerabilities sooner rather than later. That's why our solution is a 'must-have' rather than a 'nice-to-have'."

These solutions have led to Firedome's selection by Universal Electronics Inc., the worldwide leader in universal control and sensing technologies for the smart home, to provide cybersecurity features for the Nevo® Butler Digital Assistant Platform product.

To know more about this news in detail, head over to Firedome's official website.
Three major Australian political parties hacked by 'sophisticated state actor' ahead of election

Melisha Dsouza
19 Feb 2019
3 min read
Yesterday, Australia's Prime Minister Scott Morrison revealed that "a sophisticated state actor" was behind a cyber attack on the Australian Parliament's computing network that also affected the networks of major political parties. First reported by The Guardian, the attack affected the computer networks of the Liberal Party and the Nationals, as well as the opposition Labor Party, only three months before the Parliamentary election in May.

Morrison told reporters that "Our cyber experts believe that a sophisticated state actor is responsible for this malicious activity". In a statement to parliament on Monday, he said there was no evidence of electoral interference and that measures were taken to "ensure the integrity of our electoral system". The intrusion into the networks of political parties was detected by agencies investigating the attack on the Parliament House network. He said security agencies had "acted decisively" to confront the incursion and were "securing these systems and protecting users".

Australian Cyber Security Centre head Alastair MacGibbon stated that the agency was currently unable to say whether or not data had been stolen, because all the agencies involved were "acting extraordinarily quickly and very openly, so we are piecing together all of the events." There is no evidence as to which country was behind the intrusion, and no comment on how deeply the attack penetrated the computer networks.

The news comes just months after the Assistance and Access Bill was passed, which allows the police to tell apps like WhatsApp and Signal to build in so-called "backdoors" to give investigators access to the contents of messages, to assist in any investigation of cyber offences. However, security experts were unanimously against backdoors, since once such a mechanism has been implanted in an app, it creates a target for other countries' spy agencies and corporate spies to see what people are discussing.

Users on Twitter and HackerNews have expressed strong sentiments on this news; one user blames the government's choices, like weakening the encryption in apps through the new law, for having led to this attack. Other users are speculating about Russia's hand in this attack. The Sydney Morning Herald stated that just four states — China, Russia, Israel, and the United States — have the capability to perform such an attack.

https://twitter.com/Sunflower15661/status/1097322875042910208
https://twitter.com/admburns/status/1097402032833679360

Head over to BBC for more insights on this news.
2.7 million recordings of phone calls made to Swedish 1177 health care service were left publicly accessible online

Melisha Dsouza
19 Feb 2019
2 min read
Yesterday, Computer Sweden revealed that 2.7 million recorded calls to Sweden's 1177 medical assistance phone service were left on an open web server without password protection or encryption. The server was operated by MediCall, an outsourced call-center provider based in Thailand but owned by Swedish nationals. MediCall is a subcontractor to Medhelp, a Stockholm firm and the primary contractor that supplies 1177 call services to Inera, the Swedish company that heads up the national 1177 service. Inera is jointly owned by Sweden's 21 regions and municipalities.

Inera stated that the calls are recorded to check their quality. It further confirmed that the security issue had been discovered and remedied by the subcontractor, but added that it doesn't have any agreement with the subcontractor.

The report by Computer Sweden reveals that the 2.7 million call recordings, a total of 170,000 hours of calls logged over six years, could be remotely accessed from any browser if the IP address of the web server was known. No authentication was required to access the audio files, and browser connections to the web server were not encrypted using HTTPS. Computer Sweden listened to some of the recordings to understand the severity of the issue and found that the calls included sensitive information about patients' diseases and ailments, medication, and medical history. People also described their children's symptoms and provided their social security numbers for assistance.

MediCall's call center system was developed by Swedish tech company Voice Integrate Nordic. Tommy Ekström, the CEO of Voice Integrate Nordic, said the leak was "catastrophic" due to the sensitivity of the information. Access to the storage device has now been closed after the review done by Computer Sweden.

Users are now speculating whether the incident will attract attention under Europe's GDPR. It's likely that Sweden's data protection authority will try to determine which organization was responsible for the unprotected server. GDPR also requires that data is not kept for any longer than needed for the purposes for which it is processed. In this case, the data has been exposed on the internet since 2003.
OpenSSL 3.0 will have significant changes in architecture, will include FIPS module and more

Melisha Dsouza
14 Feb 2019
3 min read
On 13th February, the OpenSSL team released a blog post outlining the changes that users can expect in the OpenSSL 3.0 architecture and its plans for including a new FIPS module.

Architecture changes in OpenSSL 3.0

'Providers' will be introduced in this release as a possible replacement for the existing ENGINE interface, to give implementers more flexibility. There will be three types of Providers: the "default" Provider will implement all of the most commonly used algorithms available in OpenSSL, the "legacy" Provider will implement legacy cryptographic algorithms, and the "FIPS" Provider will implement FIPS validated algorithms. Existing engines will have to be recompiled to work normally and will be made available via both the old ENGINE APIs and a Provider compatibility layer.

The architecture will include Core Services that form the building blocks usable by applications and providers. Providers in the new architecture will implement cryptographic algorithms and supporting services. A Provider will have implementations of one or more of the following:

- The cryptographic primitives (encrypt/decrypt/sign/hash etc.) for an algorithm
- Serialisation for an algorithm
- Store loader back ends

A Provider may be entirely self-contained, or it may use services provided by different providers or by the Core Services.

Further points from the blog post:

- Protocol implementations, for instance TLS and DTLS.
- New EVP APIs will be provided to find the implementation of an algorithm in the Core to be used for any given EVP call.
- An implementation-agnostic way will be used to pass information between the core library and the providers.
- Legacy APIs that do not go via the EVP layer will be deprecated.
- The OpenSSL FIPS Cryptographic Module will be self-contained and implemented as a dynamically loaded provider.
- Other interfaces may also be transitioned to use the Core over time.
- A majority of existing well-behaved applications will just need to be recompiled.
- No deprecated APIs will be removed in this release.

You can head over to the draft documentation to know more about the features in the upgraded architecture.

FIPS module in OpenSSL 3.0

The updated architecture incorporates the FIPS module into mainline OpenSSL. The module is dynamically loadable and will no longer be a separate download, and support periods will be aligned. The module is a FIPS 140-2 validated cryptographic module that contains FIPS validated/approved cryptographic algorithms only. The FIPS module version number will be aligned with the main OpenSSL version number. New APIs will give applications greater flexibility in the selection of algorithm implementations.

The FIPS Provider will implement a set of services that are FIPS validated and made available to the Core. This includes:

- POST: Power On Self Test
- KAT: Known Answer Tests
- Integrity Check
- Low Level Implementations

[Figure: Conceptual Component View of OpenSSL 3.0]

Read the draft documentation to know more about the FIPS module in the upgraded architecture.
Switzerland launches a bug bounty program ‘Public Intrusion test’ to find vulnerabilities in its E-Voting systems

Melisha Dsouza
12 Feb 2019
2 min read
Switzerland's national postal service, Swiss Post, says that it has developed a fully verifiable system that can make e-voting widely available in the country. Yesterday, Swiss Post announced that it is launching a bug bounty program in which hackers from all over the globe can participate to conduct penetration testing on both the frontend and backend of the e-voting system. The program, called the Public Intrusion Test (PIT), will be conducted between February 25 and March 24. White hat hackers can sign up on onlinevote-pit.ch to participate. The security of the e-voting system has already been pen-tested and certified under the legal framework of the Swiss Confederation.

Hackers who discover vulnerabilities that can be exploited to manipulate votes, without being detected by voters and auditors, will be rewarded between $30,000 and $50,000. Server-side loopholes that give an attacker information about who voted and what they voted for will be rewarded up to $10,000. Vote corruption issues are worth $5,000, and $100 will be paid out for server configuration weaknesses. Source code vulnerabilities must be reported separately by the ethical hackers if they cannot be exploited against the test system.

All in all, out of the total $250,000 allocated for this project by the government, $100,000 will go to the Swiss cybersecurity firm that helps run the bug bounty program, and the rest could go to the researchers who find vulnerabilities. After finding a vulnerability, participants can go ahead and make their findings public.

The bug bounty program is open to anyone, but the e-voting system is only available in German, French, Italian and Romansh; there is no English version. Researchers who take part in the PIT project will also be given voting cards for testing purposes, but they will be sent electronically.

You can head over to E-Voting PIT to know more about the terms of this program.
Microsoft and Cisco propose ideas for a Biometric privacy law after the state of Illinois passed one

Prasad Ramesh
11 Feb 2019
3 min read
Last month, the state of Illinois passed a biometric privacy bill under which a person can claim damages when their fingerprint is used without consent. Now, Cisco and Microsoft propose ideas for biometric privacy.

The Cisco proposal states:

- 'Ensure interoperability between different privacy protection regimes.' This could threaten GDPR.
- 'Avoid fracturing of legal obligations for data privacy through a uniform federal law that aligns with the emerging global consensus.' This means merging multiple levels of law, like state and national, into one, so a violation would go through only one level of lawsuit.
- 'Reassure customers that enforcement of privacy rights will be robust without costly and unnecessary litigation.' Litigation is expensive for individuals and more so for corporations; this could make it less expensive for the corporations.

Microsoft is lobbying for a federal bill on facial recognition in Washington, according to a Bloomberg report. Brad Smith, President at Microsoft, told Bloomberg: "Opening up the software for third-party testing is one of the key parts of the bill". If the Washington bill is passed, it will affect companies like Amazon, Microsoft and any other companies that use personal data with a consumer base above 100,000. Meanwhile, Amazon has not made any comments on the bill as it's still being modified.

Cisco and Microsoft supporting federal privacy bills might sound like good news, but it's not. If a new federal privacy bill is supported by a company, it would be designed to provide leeway to the company in how the rules regarding data collection and usage are set. According to a New York Times report from August last year, "In recent months, Facebook, Google, IBM, Microsoft and others have aggressively lobbied officials in the Trump administration and elsewhere to start outlining a federal privacy law, according to administration officials and the companies. The law would have a dual purpose, they said: It would overrule the California law and instead put into place a kinder set of rules that would give the companies wide leeway over how personal digital information was handled."

The Illinois Biometric Information Privacy Act is a good way forward for consumers and should set an example of respecting user privacy. This may seem too strict, but maybe that's what is needed at this point.
Security researchers disclose vulnerabilities in TLS libraries and the downgrade attack on TLS 1.3

Natasha Mathur
11 Feb 2019
4 min read
David Wong, Security Consultant at NCC Group, a global expert in cyber security and risk mitigation, revealed details last week of a new cryptographic attack that can break encrypted TLS traffic. Wong collaborated with other security researchers and found that, of nine different TLS implementations tested against cache attacks, seven were vulnerable, namely OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS.

TLS, or Transport Layer Security, is a cryptographic protocol that offers end-to-end communications security over networks. It is widely used for internet communications and online transactions. TLS (except TLS 1.3) makes use of RSA as a key exchange algorithm, which determines how the client and server authenticate during the handshake to negotiate a shared secret. The client encrypts a shared secret under the server's RSA public key; the server then receives it and decrypts it.

The latest attack isn't entirely new; it is another variation of the original Bleichenbacher oracle attack, which was able to decrypt an RSA-encrypted message using the Public-Key Cryptography Standards (PKCS) #1 function. This new attack uses a side-channel leak via cache access timings of TLS implementations to break the RSA key exchanges of those implementations. It affects all versions of TLS (including TLS 1.3) as well as QUIC, and makes use of state-of-the-art cache attack techniques such as Flush+Reload, Prime+Probe, Branch-Prediction, etc.

Attacking TLS 1.3 and downgrading to TLS 1.2

Since TLS 1.3 does not offer an RSA key exchange, the researchers started by downgrading to an older version of TLS (TLS 1.2) in order to carry out the attack. To downgrade a client's connection attempt, a spoofed TLS 1.2 handshake is used. The server's RSA certificate is presented in a ServerCertificate message and the handshake is then brought to an end with a ServerHelloDone message. However, if at this point the server does not have a trusted certificate that allows RSA key exchanges, or the client refuses to support RSA key exchanges or versions older than TLS 1.2, the attack halts. Otherwise, the client will use the RSA public key contained in the certificate to encrypt the TLS premaster secret. It then sends it in a ClientKeyExchange message and ends its part of the handshake with a ChangeCipherSpec and a Finished message. It is at this time that the attack is performed to decrypt the RSA-encrypted premaster secret. The last Finished message sent should contain an authentication tag (with HMAC) of the whole transcript and should be encrypted with the transport keys derived from the premaster secret.

Now, even if some clients might have no handshake timeouts, most serious applications such as browsers will give up on the connection attempt if the response takes too long to arrive. So there are several techniques that can slow down the handshake, such as sending the ChangeCipherSpec message to reset the client's timer and sending TLS warning alerts to reset the handshake timer. After the decryption attack terminates, the expected Finished message is sent to the client and the handshake is finalized.

This downgrade attack is able to bypass multiple downgrade mitigations, namely one server-side and two client-side. TLS 1.3 servers that negotiate older versions of TLS must also advertise this information to their peers. TLS 1.3 clients that negotiate an older version of TLS must check for these values and abort the handshake if they are found. On the other hand, a TLS 1.3 client that falls back to an older version of TLS must advertise this information in its subsequent client hellos. Furthermore, a client should also include the version used by the client hello inside the encrypted premaster secret.

"As it stands, RSA is the only known downgrade attack on TLS 1.3, which we are the first to successfully exploit in this research", states Wong. The researchers also state that it is time for RSA PKCS#1 v1.5 to be deprecated and replaced by more modern schemes like OAEP (Optimal Asymmetric Encryption Padding) and ECIES (Elliptic Curve Integrated Encryption Scheme) for asymmetric encryption, or Elliptic Curve Diffie-Hellman in the case of key exchanges.

For more information, check out the official NCC Group blog.
Brave Privacy Browser has a ‘backdoor’ to remotely inject headers in HTTP requests: HackerNews

Melisha Dsouza
11 Feb 2019
3 min read
Brave, the open source privacy-focused browser, has allegedly introduced a ‘backdoor’ to remotely inject headers into HTTP requests that could track users, say users on HackerNews. Users on Twitter and HackerNews have raised concerns over the new update, in which the Brave team adds custom HTTP headers to requests (https://twitter.com/WithinRafael/status/1094712882867011585).

A user on Reddit has explained this move as “not tracking anything, they just send the word "Brave" to the website whenever you visit certain partners of theirs. So for instance visiting coinbase.com sends an "X-Brave-Partner" custom header to coinbase.com.”

Brendan Eich, from the Brave team, has replied to this allegation saying that the ‘Update is not a "backdoor" in any event and is a custom header instead.’ He says the update is about custom HTTP headers that Brave sends to its partners, with fixed header values, and that there is no tracking hazard in it. He further stresses that Brave blocks third-party cookies and storage, third-party fingerprinting, and HSTS supercookies, assuring users that their privacy is preserved:

“I find it silly to assume we will "heel turn" so obviously and track our users. C'mon! We defined our model so we can't cheat without losing lead users who would see through it. That requires seeing clearly things like the difference between tracking and script blocking or custom header sending, though.”

Users have also posted on Hacker News that the Brave browser's Tracking Protection feature does not block tracking scripts from hostnames associated with Facebook and Twitter. The tracking_protection_service.h file contains a comment stating that the tracking protection white_list variable was created as a "Temporary hack which matches both browser-laptop and Android code".

BleepingComputer also reports that this whitelist variable is associated with code in the tracking_protection_service.cc file that adds various Facebook and Twitter hostnames to the whitelist so that they are not blocked by Brave's Tracking Protection feature. In response, Brave says that the issue was opened on September 8th, 2018 and that developers decided to whitelist tracking scripts from Facebook and Twitter because blocking them would “affect the functionality of many sites”, including Facebook logins.

You can head over to Brendan’s Reddit thread for more insights on this update.
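The check a practitioner would run on the claim above is to compare the non-standard headers that two unrelated browser profiles send to the same host: a value that is identical across profiles is a fixed tag, a value that differs is behaving like a per-user identifier. This is an added example, not Brave's code; the captured request dumps are constructed (the X-Hypothetical-Id header is invented for contrast), and in practice they would be exported from an intercepting proxy.

```python
"""Audit non-standard request headers captured from two independent browser
profiles. Added example, not Brave's code: the request dumps are constructed
for illustration (X-Hypothetical-Id is invented); in practice they would come
from an intercepting proxy. A header whose value is the same across unrelated
profiles is a fixed tag; a header whose value differs between profiles
behaves like a per-user identifier and deserves scrutiny."""

# Header names every browser sends; anything else is treated as custom.
STANDARD_HEADERS = {
    "host", "accept", "accept-language", "accept-encoding", "user-agent",
    "referer", "connection", "cookie", "upgrade-insecure-requests", "dnt",
}

# Constructed captures: profile -> list of raw HTTP/1.1 request heads.
CAPTURED = {
    "profile-a": [
        "GET / HTTP/1.1\r\nHost: coinbase.com\r\nAccept: text/html\r\n"
        "X-Brave-Partner: coinbase\r\n\r\n",
        "GET /p HTTP/1.1\r\nHost: example.net\r\nAccept: text/html\r\n"
        "X-Hypothetical-Id: 7f3a9c\r\n\r\n",
    ],
    "profile-b": [
        "GET / HTTP/1.1\r\nHost: coinbase.com\r\nAccept: text/html\r\n"
        "X-Brave-Partner: coinbase\r\n\r\n",
        "GET /q HTTP/1.1\r\nHost: example.net\r\nAccept: text/html\r\n"
        "X-Hypothetical-Id: b12e04\r\n\r\n",
    ],
}


def parse_request_head(raw):
    """Return (host, {lower-cased header name: value}) for one request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers.get("host", ""), headers


def custom_header_values(captured):
    """Map (host, header) -> {profile: value} for every non-standard header."""
    seen = {}
    for profile, requests in captured.items():
        for raw in requests:
            host, headers = parse_request_head(raw)
            for name, value in headers.items():
                if name not in STANDARD_HEADERS:
                    seen.setdefault((host, name), {})[profile] = value
    return seen


def classify_custom_headers(captured):
    """Label each (host, header) as 'fixed' (same value in every profile),
    'varies' (differs between profiles: a possible identifier) or
    'single-profile' (seen in one profile only, so no comparison possible)."""
    verdicts = {}
    for key, by_profile in custom_header_values(captured).items():
        if len(by_profile) < 2:
            verdicts[key] = "single-profile"
        elif len(set(by_profile.values())) == 1:
            verdicts[key] = "fixed"
        else:
            verdicts[key] = "varies"
    return verdicts


if __name__ == "__main__":
    for (host, name), verdict in sorted(classify_custom_headers(CAPTURED).items()):
        print(f"{host:15} {name:20} {verdict}")
```

Run it with captures from fresh profiles on separate machines or networks, otherwise a shared cache or cookie jar can make two profiles look alike. A "fixed" verdict rules out a per-user identifier, but note that a constant header still tells the partner site that the visitor is running Brave, which is a (small) fingerprinting signal in its own right.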
Apple announces the iOS 12.1.4 with a fix for its Group FaceTime video bug

Savia Lobo
08 Feb 2019
2 min read
Yesterday, Apple announced the release of iOS 12.1.4 to fix the Group FaceTime video bug discovered at the end of last month. The bug allowed callers to eavesdrop on people before they had even picked up their phone; Apple had disabled Group FaceTime as soon as the bug was reported, pending this fix.

Apple also plans to reward 14-year-old Grant Thompson and his mother for first reporting the bug. Apple is “compensating the Thompson family for discovering the vulnerability and providing an additional gift to fund Grant Thompson’s tuition”, The Verge reports.

As reported by TechCrunch, an Apple spokesperson told them in a statement, “In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime.”

“To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS”, Apple reports.

To know more about this news in detail, head over to The Verge.
Signal introduces optional link previews to enable users to understand what's behind a URL

Melisha Dsouza
08 Feb 2019
2 min read
Signal, the encrypted messaging app for iOS and Android, recently announced optional link previews for four popular sites: Imgur, Reddit, Instagram, and YouTube. Link previews let Signal users see what is behind a URL while sharing content with their friends. According to Joshua Lund of Signal, the feature was built so that previews can be generated while hiding the URL from the Signal service itself, shielding the sender's IP address from the previewed site, and obscuring the true size of the preview image.

On some sites, such as YouTube, the URL is just a random string of letters, numbers, and symbols, so a recipient has no idea where the link goes until they click it. With link previews, users get an idea of what to expect just by looking at the preview. Users can disable the feature in settings, or suppress a single preview by tapping the 'X' in the corner of the preview before hitting send.

Sending a link preview follows three steps:

1. The Signal app establishes a TCP connection through a privacy-enhancing proxy, which hides the user's IP address from the site being previewed.
2. A TLS session is negotiated directly between the app and the previewed site, through the proxy, so the Signal service never has access to the URL.
3. The app retrieves the preview image with overlapping range requests of a fixed block size, so the proxy only ever sees repeated requests for the same amount of data and cannot read the true size of the image off the transfer.

Link previews may also help users avoid clicking links that lead to malicious content.

Users have taken the news well, commending the team on the new feature:
https://twitter.com/Roderik_de_Pree/status/1093329997882949632
https://twitter.com/bcomenl/status/1093270187208523776

You can head over to Signal’s official blog to know more about this news.
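The three steps above, and in particular the fixed-size range requests of step 3, as an added example that is not Signal's code: the block size, the image bytes and the in-memory origin are constructed stand-ins, and a real client would issue these Range requests inside the end-to-end TLS session of step 2, so the proxy would see only uniformly sized encrypted records.

```python
"""Retrieve a preview image using only fixed-size, overlapping Range requests,
so that the relay carrying the requests (the proxy) sees a repeated request
for the same block size and cannot read the image's true size off the
traffic. Added example, not Signal's code: the image bytes, the in-memory
origin and the block size are constructed stand-ins for a real HTTPS origin
reached through the proxy."""

BLOCK = 4096                    # request size; a fixed constant (assumed value)


def plan_ranges(content_length, block=BLOCK):
    """Inclusive byte ranges to request, every one exactly `block` wide.
    The last range is slid backwards so it still spans a full block,
    overlapping the previous one instead of exposing the remainder."""
    if content_length <= block:
        return [(0, block - 1)]             # the origin simply truncates
    ranges, start = [], 0
    while start + block < content_length:
        ranges.append((start, start + block - 1))
        start += block
    ranges.append((content_length - block, content_length - 1))
    return ranges


def serve_range(data, start, end):
    """Stand-in origin: answer one Range request the way a 206 Partial
    Content response would, returning (body, total_length)."""
    return data[start:end + 1], len(data)


def fetch_fixed_blocks(serve, block=BLOCK):
    """Download a whole resource through `serve` using only block-sized
    ranges. Returns (bytes, range_headers_sent); the second item is what a
    relay sees, header for header. The first response's total length (the
    "/total" part of Content-Range in real HTTP) drives the remaining plan."""
    sent = [f"bytes=0-{block - 1}"]
    body, total = serve(0, block - 1)
    buf = bytearray(total)
    buf[:len(body)] = body
    for start, end in plan_ranges(total, block)[1:]:
        body, _ = serve(start, end)
        sent.append(f"bytes={start}-{end}")
        buf[start:start + len(body)] = body
    return bytes(buf), sent


def request_sizes(sent):
    """Bytes asked for by each Range header, as a relay could compute them."""
    sizes = []
    for header in sent:
        start, end = header.split("=", 1)[1].split("-")
        sizes.append(int(end) - int(start) + 1)
    return sizes


# Constructed sample image: 12,800 bytes, deliberately not a multiple of BLOCK.
SAMPLE_IMAGE = bytes(range(256)) * 50


def fetch_sample(image=SAMPLE_IMAGE, block=BLOCK):
    return fetch_fixed_blocks(lambda s, e: serve_range(image, s, e), block)


if __name__ == "__main__":
    data, sent = fetch_sample()
    print("intact:", data == SAMPLE_IMAGE)
    print("requests seen by the relay:", sent)
    print("sizes seen by the relay:", request_sizes(sent))
```

The relay learns the number of blocks, so the image size still leaks to block granularity; the fixed block size hides the exact remainder, not the rough magnitude. When the whole image is smaller than one block the origin answers the single full-size request with a shorter body, which the relay does see, so a block size comfortably above typical preview images is what keeps the responses uniform too.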
Google’s Adiantum, a new encryption standard for lower-end phones and other smart devices

Melisha Dsouza
08 Feb 2019
3 min read
Google has launched a new form of encryption called Adiantum, designed to secure data stored on lower-end smartphones and devices that lack the processing power for existing methods. For security, most Android phones have storage encryption enabled by default. An exception is made for phones with low-end hardware, where storage encryption is either off by default to preserve performance, or not present at all. Adiantum targets devices that lack the ARMv8 Cryptography Extensions: while the majority of new Android devices have hardware support for AES through those extensions, devices with low-end processors such as the ARM Cortex-A7 have no AES hardware, and AES in software is slow enough there to give a poor user experience. According to Eugene Liderman, director of mobile security strategy for Google’s Android security & privacy team, “Adiantum was built to run on phones and other smart devices that don’t have the specialized hardware to use current methods to encrypt locally stored data efficiently.” With the hope of democratizing encryption for all devices, including any low-power Linux-based device from smartwatches to connected medical devices, Liderman says that “There will be no excuse for compromising security for the sake of device performance. Everyone should have privacy and security, regardless of their phone’s price tag.”

How does Adiantum work?

Adiantum is designed to encrypt local data without slowing the system down or raising the price of devices through additional hardware. It uses the ChaCha stream cipher inside a length-preserving mode, adapting ideas from AES-based proposals for length-preserving encryption such as HCTR and HCH. On an ARM Cortex-A7, Adiantum encryption and decryption on 4096-byte sectors is around 5x faster than AES-256-XTS.

Changing any bit anywhere in the plaintext unrecognizably changes all of the ciphertext, and vice versa. To achieve this, Adiantum hashes almost the entire plaintext using a keyed hash built from Poly1305 and a keyed hashing function called NH; it also hashes a value called the "tweak", which ensures that different sectors are encrypted differently. The hash is folded into the small remaining block of plaintext, and the result, after a single block-cipher call, serves as the nonce for the ChaCha encryption of the rest of the data. After that encryption, the data is hashed again and folded back into the block. The two hashing passes around the block cipher form a structure known as a Feistel network. You can read the whitepaper by Google software engineers Paul Crowley and Eric Biggers for the full technical details of the construction.

This is the second announcement made by Google in the spirit of Safer Internet Day. Earlier this week, Google released a new Chrome extension called "Password Checkup", which checks whether a user's credentials have been exposed in past data leaks. You can head over to Google’s official blog to know more about Adiantum.
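To make the structure described above concrete, here is a runnable sketch of the hash / block-cipher / stream-cipher / hash layout Adiantum is built on, added here and not taken from Google's code or the whitepaper. The primitives are deliberately not Adiantum's: keyed BLAKE2b stands in for NH + Poly1305, a four-round Feistel permutation built from BLAKE2b stands in for AES-256, and SHAKE-256 stands in for the ChaCha stream cipher, so the code shows the data flow and the all-bits-change property but must not be used to protect anything.

```python
"""Runnable sketch of the hash / block-cipher / stream-cipher / hash layout
(HBSH) that Adiantum is built on. Added example: this is not Google's code
and it is not Adiantum. The real primitives (NH + Poly1305, AES-256,
XChaCha) are replaced by hashlib-based stand-ins so the structure can be run
and inspected offline; it must not be used to protect real data."""

import hashlib

BLOCK = 16                      # width of the block-cipher half, as in Adiantum
MASK128 = (1 << 128) - 1        # the hash is folded in by addition mod 2^128


def subkeys(key):
    """One subkey per primitive (Adiantum likewise derives its subkeys from a
    single master key). Stand-in: keyed BLAKE2b with a domain byte."""
    return [hashlib.blake2b(bytes([i]), key=key, digest_size=32).digest()
            for i in range(3)]


def h_hash(hkey, tweak, data):
    """Stand-in for the NH + Poly1305 almost-universal hash: keyed BLAKE2b
    over (len(tweak), tweak, data), read as a 128-bit integer."""
    h = hashlib.blake2b(key=hkey, digest_size=BLOCK)
    h.update(len(tweak).to_bytes(4, "little"))
    h.update(tweak)
    h.update(data)
    return int.from_bytes(h.digest(), "little")


def _feistel_round(bkey, i, half):
    return hashlib.blake2b(bytes([i]) + half, key=bkey, digest_size=8).digest()


def block_encrypt(bkey, block):
    """Stand-in for AES-256: a 4-round Feistel permutation of 16 bytes."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = _feistel_round(bkey, i, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def block_decrypt(bkey, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        f = _feistel_round(bkey, i, left)
        left, right = bytes(a ^ b for a, b in zip(right, f)), left
    return left + right


def stream_xor(skey, nonce, data):
    """Stand-in for the ChaCha stream cipher: SHAKE-256(key || nonce) as keystream."""
    keystream = hashlib.shake_256(skey + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def hbsh_encrypt(key, tweak, plaintext):
    """Length-preserving encryption of one sector in Adiantum's order: hash
    the bulk, add it into the final 16-byte block, encrypt that block, use the
    result as the stream nonce for the bulk, then hash the bulk ciphertext and
    subtract it back out of the block (the two hashes form a Feistel network)."""
    if len(plaintext) < BLOCK:
        raise ValueError("need at least one 16-byte block")
    hkey, bkey, skey = subkeys(key)
    p_left, p_right = plaintext[:-BLOCK], plaintext[-BLOCK:]
    p_mid = (int.from_bytes(p_right, "little") + h_hash(hkey, tweak, p_left)) & MASK128
    c_mid = block_encrypt(bkey, p_mid.to_bytes(BLOCK, "little"))
    c_left = stream_xor(skey, c_mid, p_left)
    c_right = (int.from_bytes(c_mid, "little") - h_hash(hkey, tweak, c_left)) & MASK128
    return c_left + c_right.to_bytes(BLOCK, "little")


def hbsh_decrypt(key, tweak, ciphertext):
    """Exact inverse: the same steps in reverse order."""
    if len(ciphertext) < BLOCK:
        raise ValueError("need at least one 16-byte block")
    hkey, bkey, skey = subkeys(key)
    c_left, c_right = ciphertext[:-BLOCK], ciphertext[-BLOCK:]
    c_mid_int = (int.from_bytes(c_right, "little") + h_hash(hkey, tweak, c_left)) & MASK128
    c_mid = c_mid_int.to_bytes(BLOCK, "little")
    p_left = stream_xor(skey, c_mid, c_left)
    p_mid = block_decrypt(bkey, c_mid)
    p_right = (int.from_bytes(p_mid, "little") - h_hash(hkey, tweak, p_left)) & MASK128
    return p_left + p_right.to_bytes(BLOCK, "little")


def differing_bit_fraction(a, b):
    """Share of bits that differ between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed test key
    tweak = (7).to_bytes(8, "little")           # sector number as the tweak
    sector = bytes(4096)                        # an all-zero 4096-byte sector
    ct = hbsh_encrypt(key, tweak, sector)
    flipped = bytes([1]) + sector[1:]           # flip one bit in the first byte
    print("length preserved:", len(ct) == len(sector))
    print("bits changed by a 1-bit plaintext flip:",
          differing_bit_fraction(ct, hbsh_encrypt(key, tweak, flipped)))
```

The point to take from running it is the data flow: a change anywhere in the bulk alters the hash, hence the block fed to the block cipher, hence the nonce of the stream cipher, so every ciphertext byte changes; a change in the final block alters the nonce directly, with the same effect. What the sketch does not reproduce is why Adiantum is fast on a Cortex-A7, which comes from NH and ChaCha being cheap in software, or the security proof, which depends on the real hash being almost-universal.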
Seattle government arranges public review of the city’s surveillance tech systems

Savia Lobo
07 Feb 2019
3 min read
Yesterday, the Seattle government announced a public review of the different surveillance technologies used within the city's departments. The City of Seattle Surveillance Ordinance, passed by the city council on 1st September 2017, is designed to give the council and the public extended transparency whenever a new technology is acquired. It compels city departments to publish surveillance technology impact reports periodically and allows the public to comment.

This review covers a second group of technologies, including meter-reading devices, 911 call logging systems, and the Seattle police online crime reporting tool. A previous public comment period, for the Group 1 technologies, ran from October 8 to November 5, 2018. The public comment period for this group runs until March 5, 2019, and the city will also host a surveillance technology fair on Feb. 27 at city hall.

Technologies included in the Group 2 surveillance review

Seattle Fire Department (SFD) computer-aided dispatch system (https://youtu.be/AzKPaIHtbMs): This includes the information that 911 dispatchers gather for SFD calls. The system stores names and addresses, but that personal information is only available to select department personnel, SFD says.

Acyclica (https://youtu.be/PhwBUe1iUhE): A service the Seattle Department of Transportation (SDOT) uses to collect traffic data. SDOT describes it as follows: "Acyclica collects unique phone identifiers, called a MAC address, using a sensor installed inside of traffic control cabinets and immediately encrypts the data. Acyclica then hashes and salts the data, anonymizing it by assigning a set of numbers and letters, then adding [a] random set of additional characters."

Electricity theft detection (https://youtu.be/WSfrhYv6ngY): Seattle City Light uses a variety of technologies to check whether people are stealing electricity. These range from low-tech items like binoculars up to an "Ampstick", which measures the current flowing on power lines.

Seattle Police 911 system, the 911 recorder (https://youtu.be/KFShZY9t5Mg): Similar to the SFD system, dispatchers collect personal data in order to send police to emergencies. SPD also has a CAD dispatch system up for review.

CopLogic (https://youtu.be/A7JEwJGKvrc): SPD's online crime reporting system, where citizens enter personal information if they have been the victim of a crime.

According to a user comment on HackerNews, “Seattle uses WiFi MAC addresses to track traffic movements. While the data is currently hashed and anonymized, it wouldn't surprise me if this data is eventually processed and combined with CV technology (specifically license plate readers and facial recognition tech) to provide detailed information on the movements of individuals.”

To know more about this announcement, visit the Seattle.gov official website.
Google’s new Chrome extension ‘Password Checkup’ checks if your username or password has been exposed in a third-party breach

Melisha Dsouza
06 Feb 2019
2 min read
Google released a new Chrome extension on Tuesday called Password Checkup. The extension informs users if the username and password they are currently entering were stolen in any known data breach, and prompts them to reset the password. If a user's Google account credentials are exposed in a third-party data breach, Google already resets their password automatically; the new extension extends the same level of protection to every site on the web. Once installed, Password Checkup appears in the browser bar as a green shield. The extension checks each login against a database of around four billion breached usernames and passwords; if a match is found, a dialog prompting users to “Change your password” appears and the icon turns bright red.

Password Checkup was designed by Google together with cryptography experts at Stanford University, with the requirement that Google itself should never be able to capture a user's credentials, so that the check cannot create a wider exposure. Google’s blog states, “We also designed Password Checkup to prevent an attacker from abusing Password Checkup to reveal unsafe usernames and passwords.” To that end, Password Checkup uses multiple rounds of hashing, k-anonymity, private information retrieval, and a technique called blinding, so that the credentials being checked are never revealed in the clear to Google or to anyone intercepting the request. You can check out Google’s blog for technical details on the extension.
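The k-anonymity step mentioned above, as an added example that is not Google's extension code: the client reveals only a short prefix of the credential hash, the server answers with every breached hash sharing that prefix, and the comparison happens locally. SHA-256 stands in for the slow hash, the breach corpus is constructed, and the blinding and private information retrieval of the real protocol are not reproduced.

```python
"""k-anonymity lookup of a credential against a breach corpus. The client
reveals only a short hash prefix, the server returns every breached hash
that shares it, and the match is decided on the client. Added example, not
Google's extension code: it shows the k-anonymity step on its own, with
SHA-256 standing in for the slow hash; Password Checkup additionally blinds
the query and uses private information retrieval, which are not reproduced
here. The breach corpus below is constructed."""

import hashlib
import hmac

PREFIX_BYTES = 2            # 16 bits of the hash leave the client (assumed value)


def credential_hash(username, password):
    """Hash username and password together; the username is length-prefixed
    so that ("ab", "c") and ("a", "bc") cannot produce the same input."""
    data = len(username).to_bytes(2, "big") + username.encode() + password.encode()
    return hashlib.sha256(data).digest()


# Constructed breach corpus; the pairs are invented.
BREACHED = {credential_hash(u, p) for u, p in [
    ("alice", "password123"), ("bob", "hunter2"), ("carol", "letmein"),
]}


def build_index(breached):
    """Server side, done once: bucket the corpus by hash prefix."""
    index = {}
    for h in breached:
        index.setdefault(h[:PREFIX_BYTES], []).append(h)
    return index


def server_lookup(index, prefix):
    """Server side, per query: return every full hash under the prefix.
    The server learns 16 bits of the hash, never which candidate (if any)
    the client actually holds."""
    return list(index.get(prefix, []))


def client_check(username, password, query):
    """Client side: hash locally, send only the prefix, and compare the
    returned bucket in constant time. Returns (breached, prefix_sent)."""
    h = credential_hash(username, password)
    prefix = h[:PREFIX_BYTES]
    bucket = query(prefix)
    hit = any(hmac.compare_digest(h, candidate) for candidate in bucket)
    return hit, prefix


def anonymity_set_size(index, prefix):
    """How many corpus entries hide behind this prefix: the 'k' in
    k-anonymity. Small buckets give the server a strong hint."""
    return len(index.get(prefix, []))


if __name__ == "__main__":
    index = build_index(BREACHED)
    query = lambda prefix: server_lookup(index, prefix)
    for user, pw in [("alice", "password123"), ("alice", "correct horse")]:
        hit, prefix = client_check(user, pw, query)
        print(f"{user}/{pw!r}: breached={hit}, revealed prefix={prefix.hex()}, "
              f"k={anonymity_set_size(index, prefix)}")
```

With a 16-bit prefix over a corpus of four billion entries, each bucket holds on the order of tens of thousands of hashes, so the prefix alone identifies nothing; on the three-entry corpus here k is 0 or 1, which is exactly the failure mode a small corpus creates. The prefix does still let a server that can guess the username and a weak password test candidates against it (one in 65,536 survives the filter), which is why the real protocol adds a deliberately slow hash and blinds the query rather than relying on the bucket size alone.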