Tech News - Cybersecurity

373 Articles
Savia Lobo
24 Jan 2019
2 min read

China blocks Microsoft’s Bing search engine

Yesterday, Microsoft announced in a statement that its popular Bing search engine had been blocked in China. This would be Microsoft’s second setback since November 2017, when its Skype internet phone call and messaging service was removed from the Apple and Android app stores. When users within mainland China tried to perform a search on Bing’s China website, cn.bing.com, they were redirected to a page which read “the server cannot be reached”. Chinese authorities maintain a firewall that blocks most US-based tech platforms, including Facebook and Twitter. However, Microsoft has not said whether this outage is the result of censorship or simply a technical problem. A Microsoft spokesperson said, “We’ve confirmed that Bing is currently inaccessible in China and are engaged to determine next steps.”

Microsoft’s Bing was the only major foreign search engine accessible from behind China’s Great Firewall. Bing’s biggest rival, Google, shut down its search engine in China in 2010 after rows with the authorities over censorship and hacking. Google CEO Sundar Pichai has said that the company has no plans to relaunch a search engine in China. Microsoft, by contrast, has censored search results on sensitive topics in accordance with government policy.

Citing a source, The Financial Times reported yesterday that China Unicom, a major state-owned telecommunications company, had confirmed the government order to block the search engine. The Cyberspace Administration of China (CAC), a government watchdog, did not respond to faxed questions about the blocking of Bing’s website. CAC also said that it has deleted more than 7 million pieces of online information and 9,382 mobile apps. “President Xi Jinping has accelerated control of the internet in China since 2016, as the ruling Communist Party seeks to crack down on dissent in the social media landscape”, Reuters reported.

Related:
  • China Telecom misdirected internet traffic, says Oracle report
  • Bo Weaver on Cloud security, skills gap, and software development in 2019
  • Microsoft Edge mobile browser now shows warnings against fake news using NewsGuard

Natasha Mathur
24 Jan 2019
6 min read

USC researchers present identification and mitigation techniques to combat fake news

A group of researchers from the University of Southern California has published a paper titled “Combating Fake News: A Survey on Identification and Mitigation Techniques” that discusses existing methods and techniques applicable to the identification and mitigation of fake news.

The paper categorises existing work on fake news detection and mitigation into three types:
  • fake news identification using content-based methods (classifies news based on the content of the information to be verified)
  • identification using feedback-based methods (classifies news based on the user responses it receives over social media)
  • intervention-based solutions (offers computational solutions for identifying the spread of false information along with methods to mitigate the impact of fake news)

These existing methods are further categorized as follows:

(Figure: Categorization of existing methods)

“The scope of the methods discussed in content-based and feedback based identification is limited to classifying news from a snapshot of features extracted from social media. For practical applications, we need techniques that can dynamically interpret and update the choice of actions for combating fake news based on real-time content propagation dynamics”, reads the paper. The techniques that provide such computational methods and algorithms are discussed extensively in the paper. Let’s have a look at some of these strategies.

Mitigation strategies: decontamination, competing cascades, and multi-stage intervention

The paper presents three different mitigation strategies aimed at reversing the effect of fake news by introducing true news on social media platforms. This ensures that users are exposed to the truth and that the impact of fake news on user opinions is mitigated. The computational methods designed for this purpose first need to consider the information diffusion models widely used in social networks, such as the Independent Cascade (IC) and Linear Threshold (LT) models, as well as point process models such as the Hawkes process model.

Decontamination

The paper mentions the strategy introduced by Nam P. Nguyen in his paper “Containment of misinformation spread in online social networks”. The strategy involves decontaminating the users exposed to fake news. It makes use of the diffusion process (which estimates the spread of information over the population), modelled with the help of the Independent Cascade (IC) or Linear Threshold (LT) model. A simple greedy algorithm is then designed that selects the best set of users, and the diffusion process for true news is started so that at least a fraction of the selected users can be decontaminated. The algorithm iteratively selects the next best user to include in the set depending on the marginal gain obtained by the inclusion of that user (i.e. the number of users activated or reached by the true news in expectation, if the set additionally included the chosen user).

Competing cascades

The paper mentions an intervention strategy based on competing cascades. This method involves introducing a true news cascade to compete with the fake news cascade while the fake news is propagating through the network. The paper discusses an “influence blocking maximization objective” by Xinran He as an optimal strategy for spreading true news in the presence of a fake news cascade. The process strategically selects a set of “k” users with the objective of minimizing the number of users who get activated by fake news at the end of the diffusion. According to the paper, this model assumes that once a user is activated by either the fake or the true cascade, that user remains activated under that cascade.

Multi-stage intervention

Another strategy discussed in the paper is the “multi-stage intervention strategy” proposed by Mehrdad Farajtabar in the paper “Fake News Mitigation via Point Process Based Intervention”. This strategy allows “external interventions to adapt as necessary to the observed propagation dynamics of fake news”, states the paper. The purpose of the external interventions is to incentivize certain users to share more true news that can counteract the fake news process over the network. At each step of the intervention, certain budget and user-activity constraints are imposed. This allows you to track the optimal amount of external incentivization needed to achieve the desired objective, i.e. minimizing the difference between fake and true news exposures. The strategy makes use of a reinforcement learning based policy iteration framework to derive the optimal amount of external incentivization.

Identification strategies: network monitoring and crowd-sourcing

The paper discusses different identification mechanisms that help actively detect and prevent the spread of misinformation due to fake news on social media platforms.

Network monitoring

The paper presents a strategy based on network monitoring that involves intercepting information from a list of suspected fake news sources using computer-aided social media accounts or real paid user accounts. These accounts help filter the information they receive and block fake news. The strategy uses a “network monitor placement” that is determined by finding the part of the network with the highest probability of fake news transmission. Another network monitor placement solution involves a Stackelberg game between leader (attacker) and follower (defender) nodes. The paper also mentions an idea implemented by various network monitoring sites: having multiple human or machine classifiers to improve detection robustness, as something that might be missed by one fact-checker might be captured by another.

Crowd-sourcing

Another identification strategy mentioned in the paper makes use of crowd-sourced user feedback on social media platforms that lets users report or flag fake news articles. The crowd-sourced signals used to prioritize the fact-checking of news articles capture “the trade-off between a collection of evidence v/s the harm caused from more users being exposed to fake news (exposures) to determine when the news needs to be verified”, states the paper. The fact-checking process and events are represented using point process models. This helps derive an optimal intensity of fact-checking that is proportional to the rate of exposure to misinformation and the evidence collected as flags. The paper also mentions an online learning algorithm that leverages user flags more accurately by jointly inferring the flagging accuracies of users while identifying fake news.

“The literature surveyed here has demonstrated significant advances in addressing the identification and mitigation of fake news. Nevertheless, there remain many challenges to overcome in practice,” state the researchers. For more information, check out the official research paper.

Related:
  • Fake news is a danger to democracy. These researchers are using deep learning to model fake news to understand its impact on the elections
  • Four 2018 Facebook patents to battle fake news and improve news feed
  • Facebook patents its news feed filter tool to provide more relevant news to its users

Melisha Dsouza
24 Jan 2019
1 min read

Debian 9.7 released with fix for RCE flaw

On 23rd January, Debian announced the release of Debian 9.7, the seventh update of the stable distribution of Debian 9. This comes right after a remote code execution vulnerability was discovered in the APT high-level package manager used by Debian, Ubuntu, and other related Linux distributions, which allows an attacker to perform a man-in-the-middle attack. This Debian release includes a security update for the APT vulnerability. The Debian GNU/Linux 9.7 (codename "Stretch") release contains a new version of the APT package manager that is no longer vulnerable to man-in-the-middle attacks. The team states that there is no need to download new ISO images to update existing installations; however, the Debian Project will release live and install-only ISO images for all supported architectures of Debian GNU/Linux 9.7 "Stretch". These will be available for download in a few days. Head over to Debian’s official website for more information on this announcement.

Related:
  • Kali Linux 2018 for testing and maintaining Windows security – Wolf Halton and Bo Weaver [Interview]
  • Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers
  • Homebrew 1.9.0 released with periodic brew cleanup, beta support for Linux, Windows and much more!

Savia Lobo
23 Jan 2019
2 min read

US Department of Homeland security releases an ‘emergency directive’ to combat DNS tampering

Yesterday, the Department of Homeland Security issued an emergency directive with the subject “Mitigate DNS Infrastructure Tampering”, ordering federal agencies to comply with it in order to secure the login credentials for their internet domain records. The DHS directive comes on the heels of research published by FireEye early this month. The company shared that it had identified a large DNS hijacking campaign affecting multiple domains belonging to government, telecommunications, and internet infrastructure entities across the Middle East and some other countries. FireEye analysts also believe an Iranian-based group to be the source behind these attacks.

https://twitter.com/gregotto/status/1087800274511634434

The directive provides a brief explanation of how the attackers compromise user credentials and alter DNS records, which enables them to direct user traffic to their own systems for manipulation or inspection. It includes four actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates. The actions are:
  • Audit DNS Records
  • Change DNS Account Passwords
  • Add Multi-Factor Authentication to DNS Accounts
  • Monitor Certificate Transparency Logs

Agencies have 10 business days to implement these instructions. According to CyberScoop, “The directive makes clear that agencies will ultimately be held accountable for their domain-name security policies, regardless of where they maintain their DNS accounts.” CISA (the Cybersecurity and Infrastructure Security Agency) will also provide technical assistance to agencies that report anomalous DNS records. It will also review submissions from agencies that are unable to implement MFA on DNS accounts within the timeline and get back to those agencies.

CISA will also provide additional assistance via its Cyber Hygiene service and further guidance to agencies through an Emergency Directive coordination call following the issuance of this directive. “By February 8, 2019, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying agency status and outstanding issues”, the directive states. To know more about this news in detail, visit DHS’ official website.

Related:
  • China Telecom misdirected internet traffic, says Oracle report
  • How to attack an infrastructure using VoIP exploitation [Tutorial]
  • FireEye’s Global DNS Hijacking Campaign suspects Iranian-based group as the prime source

Melisha Dsouza
23 Jan 2019
3 min read

Remote Code Execution Flaw in APT Linux Package Manager allows man-in-the-middle attack

Yesterday, a remote code execution bug was found in the APT high-level package manager used by Debian, Ubuntu, and other related Linux distributions. Max Justicz, the security researcher who discovered the bug, says that it "allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.” Justicz’s blog post states that the vulnerable versions of APT don't properly sanitize certain parameters during HTTP redirects. An attacker can take advantage of this and perform a remote man-in-the-middle attack to inject malicious content, tricking the system into installing altered packages.

HTTP redirects during an apt-get command let Linux machines automatically request packages from an appropriate mirror server when other servers are unavailable. If the first server fails, it returns the location of the next server from which the client should request the package. Justicz has also demonstrated this man-in-the-middle attack in a short video: https://justi.cz/assets/aptpoc.mp4

Justicz told The Hacker News that a malicious actor intercepting HTTP traffic between the APT utility and a mirror server, or just a malicious mirror, could execute arbitrary code on the targeted system with the highest level of privileges, i.e. root. He further adds, "You can completely replace the requested package, as in my proof of concept. You could substitute a modified package as well if you wanted to”. APT is also used by major Linux distributions like Debian and Ubuntu, which have acknowledged the vulnerability and released security patches for it. The Hacker News also points out how this flaw comes at a time when cybersecurity experts are arguing on Twitter in favor of not using HTTPS, suggesting that software developers rely on signature-based package verification instead, since APT on Linux does the same. They further add that the APT exploitation could have been mitigated if the software download manager had strictly used HTTPS to communicate securely.

The developers of APT have released version 1.4.9, which fixes the issue. The bug has also been fixed in the APT 1.2.29ubuntu0.1, 1.7.0ubuntu0.1, 1.0.1ubuntu2.19, and 1.6.6ubuntu0.1 packages, as well as in APT 1.4.9 for the Debian distribution. You can head over to Max Justicz’s official blog for more insights on this news.

Related:
  • Kali Linux 2018 for testing and maintaining Windows security – Wolf Halton and Bo Weaver [Interview]
  • Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers
  • Homebrew 1.9.0 released with periodic brew cleanup, beta support for Linux, Windows and much more!

Savia Lobo
22 Jan 2019
1 min read

PEAR’s (PHP Extension and Application Repository) web server disabled due to a security breach

Last week, the researchers at PEAR (PHP Extension and Application Repository) reported a security breach on PEAR’s web server, http://pear.php.net. They found that the go-pear.phar file had been compromised. Following this, the PEAR website itself has been disabled until a known clean site can be rebuilt. The community tweeted that “a more detailed announcement will be on the PEAR Blog once it's back online”.

https://twitter.com/pear/status/1086634389465956352

According to the researchers, users who have downloaded go-pear.phar in the past six months should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare the file hashes. If the hashes differ, the user may have the infected file. The community is in the process of rebuilding the site; however, they are not sure of the ETA yet. To stay updated, keep a close watch on PEAR’s Twitter account.

Related:
  • Symfony leaves PHP-FIG, the framework interoperability group
  • Internal memo reveals NASA suffered a data breach compromising employees’ social security numbers
  • Justice Department’s indictment report claims Chinese hackers breached business and government network

Sugandha Lahoti
21 Jan 2019
3 min read

A WordPress plugin vulnerability is leaking Twitter account information of users, making them vulnerable to compromise

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, has found a vulnerability in a WordPress plugin called Social Network Tabs. The plugin leaks users’ Twitter account information, exposing them to compromise. The WordPress plugin is developed by Design Chemical and allows websites to help users share content on social media sites. MITRE has assigned the vulnerability CVE-2018-20555.

In a Twitter thread on Thursday, Elliot described the details of the bug. Per Elliot, the WordPress plugin leaks the Twitter access_token, access_token_secret, consumer_key and consumer_secret of its users twice, which can lead to a takeover of their Twitter accounts. This was caused by a few lines of code within the page where the Twitter widget is displayed. Anyone who viewed this code could see the linked Twitter handle and the access tokens. If the access token had read/write rights, the attacker was also able to take over the account, and there were 127 such accounts.

Elliot tested the bug by searching PublicWWW, a website source code search engine, and found 539 websites using the vulnerable code. He then managed to retrieve the access tokens, including the Twitter access_token, access_token_secret, consumer_key and consumer_secret, from the 539 vulnerable websites using a script. According to Elliot, this leak compromised over 446 Twitter accounts, including 2 verified accounts and multiple accounts with more than 10K followers. He has also made the full list of accounts public.

Elliot talked to TechCrunch about the vulnerability, which reported that he had told “Twitter on December 1 about the vulnerability in the third-party plugin, prompting the social media giant to revoke the keys, rendering the accounts safe again. Twitter also emailed the affected users of the security lapse of the WordPress plugin but did not comment on the record when reached.” However, this is not the case. On January 17, he mentioned in a tweet that, “With a simple Google search query, "inurl:/inc/dcwp_twitter.php?1=", you can find that a lot of websites and so Twitter accounts are still vulnerable to this issue. This query returns 3550 results.” He has also written a scraper to automatically extract the keys from the results of this Google search query.

Related:
  • SEC’s EDGAR system hacked; allowing hackers to allegedly make a profit of $4.1 million via insider trading
  • Hyatt Hotels launches public bug bounty program with HackerOne
  • Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers

Sugandha Lahoti
21 Jan 2019
2 min read

EU cancels the final vote negotiations on EU copyright bill amidst massive protests

The EU’s proposed copyright bill has received major opposition from Europeans over its Articles 11 and 13, also known as the “link tax” rule and the “censorship machines” rule. Major European countries including Germany, Italy, and the Netherlands have been quite vocal about their refusal to support the latest version of the proposal. As a result, the EU has canceled today’s negotiations for a final vote on the copyright directive.

Article 13 of the directive would require “information society service providers” – user-generated information and content platforms – to use “recognition technologies” to protect against copyright infringement. Article 11 gives large press organizations more control over how their content is shared and linked to online. It has been called the “link tax” – it could mean that you would need a license to link to content. According to news sites, this law would allow them to charge internet giants like Facebook and Google that link to their content.

Further reading: What the EU Copyright Directive means for developers – and what you can do

Apparently, multiple countries including Germany, Italy, the Netherlands, and Poland voted against the latest text put forth by Romania earlier this week. MEP Julia Reda has confirmed this news. In a blog post, she writes, “A total of 11 countries voted against the compromise text proposed by the Romanian Council presidency earlier this week. All of these governments are known for thinking that either Article 11 or Article 13, respectively, are insufficiently protective of users’ rights. At the same time, some rightsholder groups who are supposed to benefit from the Directive are also turning their backs on Article 13.”

https://twitter.com/Senficon/status/1086335378141966336

Last week, the EFF also urged people from Sweden, Germany, Luxembourg, and Poland to contact their ministers to convey their concern about Articles 13 and 11. The outcome of today’s Council vote shows that public attention to copyright reform is having an effect. This means that the bill could receive a significant overhaul when it comes up for a vote, which would also delay its implementation. It does not, however, mean that the Copyright Directive has been rejected.

Related:
  • Ahead of EU’s vote on new copyright rules, EFF releases 5 key principles to guide copyright policy
  • Reddit takes stands against the EU copyright directives; greets EU redditors with ‘warning box’
  • GitHub updates developers and policymakers on EU copyright Directive at Brussels

Savia Lobo
18 Jan 2019
2 min read

Collection #1: 773 million email IDs compromised on a popular cloud storage; security researcher reports

The recent data breach on MEGA, a popular cloud service, leaked about 87GB of data, including 772,904,991 unique email addresses and over 21 million unique passwords, distributed in a folder dubbed "Collection #1" by hackers. The breach was first reported by security researcher Troy Hunt. The link to the dump was posted on a hacking forum but has since been taken down from the service.

https://twitter.com/haveibeenpwned/status/1085656743663693825

According to a Wired report, “While it’s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked.” “It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers. There’s no obvious patterns, just maximum exposure”, Hunt said. Hunt has uploaded all the email addresses and passwords to his site, haveibeenpwned. This allows users to be notified when their email has been caught up in a breach, or to check whether a password has been exposed and has to be changed. Wired states that around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning that they are not just duplicates from prior megabreaches. “These are all plain text passwords. If we take a breach like Dropbox, there may have been 68 million unique email addresses in there, but the passwords were cryptographically hashed making them very difficult to use”, Hunt said. He also said that all this data was openly available to anyone on the popular cloud storage site and then on a public hacking site. The only way to stay safe is to never reuse a password across multiple sites. Hunt says, “It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web.” To know more about this breach in detail, visit Troy Hunt’s blog post.

Related:
  • Internal memo reveals NASA suffered a data breach compromising employees’ social security numbers
  • Justice Department’s indictment report claims Chinese hackers breached business and government network
  • Former Senior VP’s take on the Marriott data breach; NYT reports suspects Chinese hacking ties

Natasha Mathur
17 Jan 2019
4 min read

3 out of 4 users don’t know Facebook categorizes them for ad targeting; with political and racial affinity being some labels: Pew Research

The Washington-based Pew Research Center yesterday released a report that shares the results of its survey of Facebook users. The survey was conducted on a sample of Facebook users (963 U.S. Facebook users aged 18 years and above) who were asked to present their opinion on the data collected about them by the platform. The nationally representative survey was conducted by Pew between September 4, 2018, and October 1, 2018. Respondents were asked to answer a series of questions related to the content present on the Facebook ad categories page. Facebook allows its users to view a “partial compilation” of how they are classified on its “Your ad preferences” page. All the results of this analysis are based on these self-reported answers. Let’s have a look at the key findings from the survey.

60% of Facebook users are assigned 10+ categories on their ad preferences page

The report states that the Facebook ad preferences page consists of a “your categories” tab, i.e. a list of a user’s interests analyzed by Facebook’s algorithm based on content that they have posted, liked, commented on or shared.

(Figure: Pew Institute survey)

As per the survey results:
  • 88% of Americans said that they are assigned categories in this system, while 11% saw a message saying “You have no behaviours” on the ad preferences page.
  • A large majority of Facebook users have 10 or more categories listed on the page. Six-in-ten Facebook users said that their preferences page had either 10 to 20 (27%) or 21 or more (33%) categories for them. 27% noted that their list had fewer than 10 categories.
  • 40% of users who go on Facebook multiple times a day are listed in 21 or more categories, as compared to 16% of “less-than-daily” Facebook users.
  • Facebook users who have been on the platform for 10 years or longer (44%) have a higher chance of being listed in 21 or more categories than those with less than five years of Facebook experience (22%).

74% of Facebook users didn’t know the platform lists their interests for advertisers

As per the survey results:
  • Three-quarters of Facebook users (74%) did not know the list of categories existed on Facebook, with 12% saying that they were aware of it.
  • 59% of Facebook users say the list was very (13%) or somewhat (46%) accurate about their interests, while 27% of them found the list not very (22%) or not at all (5%) accurate.

(Figure: Pew Institute survey)

  • Almost half of Facebook users (51%) answered that they were not comfortable with Facebook creating the ‘interests list’. 5% of Facebook users were very comfortable with the list and another 31% said that they are somewhat comfortable.

Facebook’s political and ‘racial affinity’ labels don’t necessarily match users’ views

Facebook assigns political labels to its users. Users who are assigned a political label are equally divided between “liberal or very liberal” (34%), “conservative or very conservative” (35%) and “moderate” (29%).

(Figure: Pew Institute survey)

As per the survey results:
  • Close to three-quarters (73%) of those assigned a label say the listing is ‘very accurate’ or ‘somewhat accurate’ about their views. However, 27% say that the label is not very or not at all accurate.
  • Facebook’s algorithm also assigns some of its users to groups by “multicultural affinity”, which are assigned to users whose activity “aligns with” certain cultures. About 21% of Facebook users say they are assigned such an affinity.
  • 60% of Facebook users assigned a multicultural affinity say they have a “very” or “somewhat” strong affinity for the group they were assigned, while 37% say they do not have a strong affinity.
  • 57% of Facebook users assigned a group say they consider themselves a member of that group, with 39% saying they are not members of that group.

“We want people to understand how our ad settings and controls work... while we and the rest of the online ad industry need to educate people on how interest-based advertising works and how we protect people’s information, we welcome conversations about transparency and control”, Facebook told The Verge. Check out the official Pew Research Center report here.

Related:
  • Privacy International shares its findings on how popular Android apps send user data to Facebook without user consent
  • NYT says Facebook has been disclosing personal data to Amazon, Microsoft, Apple and other tech giants; Facebook denies claims with obfuscating press release
  • ProPublica shares learnings of its Facebook Political Ad Collector project

SEC’s EDGAR system hacked, allowing hackers to allegedly make a profit of $4.1 million via insider trading
Savia Lobo
17 Jan 2019
3 min read

On Tuesday, the Securities and Exchange Commission (SEC) charged nine defendants, in federal court in New Jersey, with taking part in a previously disclosed scheme to hack into the SEC's EDGAR corporate filing system and extract nonpublic information for use in illegal trading. The defendants are a Ukrainian hacker, six individual traders in California, Ukraine and Russia, and two entities.

According to a CNBC report, "The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia, and Ukraine. Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were "test filings," which corporations upload to the SEC's website." The detail worth noting is that the "test" submissions carried the same not-yet-public figures as the real filings, so the test channel was every bit as sensitive as the production one.

Craig Carpenito, U.S. Attorney for the District of New Jersey, said, "After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public." According to Carpenito, the stolen documents included quarterly earnings, mergers and acquisitions plans and other sensitive news, and the criminals could read them before they were released as public filings and moved the individual companies' stock prices. The alleged hackers traded on the reports themselves and also sold them to other illicit traders. One inside trader made $270,000 in a single day, Carpenito said.

The initial access was malware delivered by email to SEC employees. Once the malware was planted on SEC computers, Carpenito said, the hackers sent the information they gathered from EDGAR to servers in Lithuania, where they either used it themselves or distributed it to other criminals.

According to the SEC's official press release, "the hacker and some of the traders were also involved in a similar scheme to hack into newswire services and trade on information that had not yet been released to the public." Steven Peikin, Co-Director of the SEC's Enforcement Division alongside Stephanie Avakian, said, "The trader defendants charged today are alleged to have taken multiple steps to conceal their fraud, including using an offshore entity and nominee accounts to place trades. Our staff's sophisticated analysis of the defendants' trading exposed the common element behind their success, providing overwhelming evidence that each of them traded based on information hacked from EDGAR."

Read the SEC's official press release for more details on this case.

Hyatt Hotels launches public bug bounty program with HackerOne
Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers
Cybersecurity researcher withdraws public talk on hacking Apple's Face ID from Black Hat Conference 2019: Reuters report
The popular ES File Explorer allegedly has an open port vulnerability that exposes Android device data
Savia Lobo
17 Jan 2019
2 min read

ES File Explorer, one of the most popular Android file managers, has been found to run a hidden web server in the background, leaving anyone on the same network free to pull data off the device with a simple script. French security researcher Baptiste Robert, known online as Elliot Alderson (@fs0c131y), found the exposed port last week and disclosed it in a tweet yesterday: "The surprise is: if you opened the app at least once, anyone connected to the same local network can remotely get a file from your phone."

https://twitter.com/fs0c131y/status/1085460755313508352

The app's developers have not yet responded to the findings. ES File Explorer has more than 500 million downloads on the Google Play Store, and Robert says that versions 4.1.9.5.2 and below expose the open port.

According to TechCrunch, "Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim's device."

The background server speaks plain HTTP and is meant, among other things, to stream videos to other apps. The problem is that it answers requests from any host on the local network without authentication, so whoever shares that network can list and fetch files from the device and launch apps on it. The flaw is reachable only from the local network, not from the internet at large; that limits the exposure, but on a shared network such as public Wi-Fi it is still a real threat. Robert's write-up and proof-of-concept script are on GitHub, and he has published a short video demonstrating the vulnerability:

https://www.youtube.com/watch?v=z6hfgnPNBRE

Ethereum community postpones Constantinople, post vulnerability detection from ChainSecurity
The Angular 7.2.1 CLI release fixes a webpack-dev-server vulnerability, supports TypeScript 3.2 and Angular 7.2.0-rc.0
Microsoft urgently releases Out-of-Band patch for an active Internet Explorer remote code execution zero-day vulnerability
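To make the class of bug concrete, here is an added Python example written for this page; it is not ES File Explorer's code or Robert's script. It runs a minimal file-serving HTTP endpoint that binds to every interface and answers JSON commands from any client, beside a hardened variant that binds to loopback only and requires a pairing token. The JSON command names, the fake storage map and the token are assumptions for the example.

```python
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for files on the phone's storage; not real data.
FAKE_STORAGE = {
    "/sdcard/DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0 (jpeg bytes)",
    "/sdcard/Documents/notes.txt": b"meeting notes",
}

# Hypothetical pairing secret for the hardened variant. A real app would
# generate it per pairing and show it on the device screen.
PAIRING_TOKEN = "3f9c1b2e-example-pairing-token"


class ExposedHandler(BaseHTTPRequestHandler):
    """Weak design: every client that can reach the port is served."""

    def authorized(self):
        return True  # no check at all: reaching the port is the only "auth"

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length)  # always drain the body first
        try:
            cmd = json.loads(raw or b"{}")
        except ValueError:
            cmd = {}
        if not self.authorized():
            self.reply(401, {"error": "unauthorized"})
        elif cmd.get("command") == "listFiles":
            self.reply(200, {"files": sorted(FAKE_STORAGE)})
        elif cmd.get("command") == "getFile" and cmd.get("path") in FAKE_STORAGE:
            data = FAKE_STORAGE[cmd["path"]]
            self.reply(200, {"path": cmd["path"], "size": len(data)})
        else:
            self.reply(400, {"error": "unknown command"})

    def reply(self, status, obj):
        body = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class HardenedHandler(ExposedHandler):
    """Same commands, but a pairing token is required before anything is served."""

    def authorized(self):
        return self.headers.get("Authorization") == "Bearer " + PAIRING_TOKEN


def start_server(handler, bind_addr):
    """Bind to an ephemeral port on bind_addr and serve in a background thread."""
    srv = HTTPServer((bind_addr, 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send_command(host, port, cmd, token=None):
    """Client side, as a LAN peer would do it: returns (HTTP status, JSON body)."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("POST", "/", body=json.dumps(cmd), headers=headers)
    resp = conn.getresponse()
    data = json.loads(resp.read() or b"{}")
    conn.close()
    return resp.status, data


def demo():
    """Run both variants and return what a LAN client gets from each."""
    # Bound to every interface: any peer on the Wi-Fi network can reach it.
    exposed = start_server(ExposedHandler, "0.0.0.0")
    # Bound to loopback only and token-gated: other hosts cannot even connect.
    hardened = start_server(HardenedHandler, "127.0.0.1")
    list_cmd = {"command": "listFiles"}
    results = {
        "exposed_bind": exposed.server_address[0],
        "exposed_list": send_command("127.0.0.1", exposed.server_address[1], list_cmd),
        "hardened_no_token": send_command("127.0.0.1", hardened.server_address[1], list_cmd),
        "hardened_with_token": send_command("127.0.0.1", hardened.server_address[1], list_cmd, PAIRING_TOKEN),
    }
    exposed.shutdown()
    hardened.shutdown()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two things to check on any app that opens a local server are the address it binds to (0.0.0.0 means every LAN peer can connect) and whether it authenticates the caller; the exposed variant fails both checks, which is exactly why a peer on the same Wi-Fi can pull files. Binding to loopback is the right default when the server only exists for other apps on the same device; if a remote peer genuinely needs access, a pairing secret shown on the device screen is the minimum.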
Ethereum community postpones Constantinople, post vulnerability detection from ChainSecurity
Savia Lobo
16 Jan 2019
2 min read

The Ethereum developers announced yesterday that they are postponing the Constantinople hard fork upgrade after a vulnerability that could allow attackers to steal users' funds was reported. The upgrade had been scheduled to activate today, January 16th.

The issue, a reentrancy vulnerability introduced by Ethereum Improvement Proposal (EIP) 1283, was identified by the smart contract audit firm ChainSecurity, which described it in detail in a Medium blog post yesterday.

According to the Ethereum official blog, "Security researchers like ChainSecurity and TrailOfBits ran (and are still running) analysis across the entire blockchain. They did not find any cases of this vulnerability in the wild. However, there is still a non-zero risk that some contracts could be affected."

In a joint statement, the Ethereum core developers and the Ethereum security community said, "Because the risk is non-zero and the amount of time required to determine the risk with confidence is longer [than] the amount of time available before the planned Constantinople upgrade, a decision was reached to postpone the fork out of an abundance of caution."

ChainSecurity's post explains the cause of the potential vulnerability and suggests how smart contracts can be tested for it. EIP-1283 makes SSTORE cheaper, in particular for a storage slot that has already been written earlier in the same transaction. Many contracts rely on transfer() and send() forwarding only a 2300 gas stipend to the recipient, which before the upgrade was too little to write storage, so a recipient's fallback function could not change the contract's state in the middle of a call. After the upgrade, rewriting an already-modified slot costs only 200 gas, well within the stipend, which turns that once-safe pattern into a reentrancy hole. The affected contracts were not vulnerable before the upgrade but would have become vulnerable once it activated.

Afri Schoedon, the hard fork coordinator at Ethereum, said, "We will decide (sic) further steps on Friday in the all-core-devs call. For now it will not happen this week. Stay tuned for instructions."

Read the Ethereum official blog to know more about this news in detail.

Ethereum classic suffered a 51% attack; developers deny, state a new ASIC card was tested
Ethereum's 1000x Scalability Upgrade 'Serenity' is coming with better speed and security: Vitalik Buterin at Devcon
Origin DApp: A decentralized marketplace on Ethereum mainnet aims to disrupt gig economy platforms like Airbnb and Uber
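The gas-pricing change that creates the hole, as an added Python model written for this page rather than code from the Ethereum clients or from ChainSecurity's post. It encodes both SSTORE pricing rules (the pre-fork rule and EIP-1283's net gas metering, refunds omitted since they do not affect the check) and replays a payment-sharing payout of the kind ChainSecurity used to illustrate the issue, where the attacker's fallback tries to rewrite the split percentage inside the 2300-gas stipend. The contract layout, slot names, amounts and the send() modelling of a failed fallback are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

# Gas forwarded to the callee's fallback by transfer()/send() (the EVM CALL stipend).
CALL_STIPEND = 2300


class OutOfGas(Exception):
    """Raised when an SSTORE costs more than the gas available to the frame."""


def sstore_cost_pre_constantinople(original: int, current: int, new: int) -> int:
    """SSTORE price before the fork: only the current value matters.
    Refunds for clearing a slot are omitted; they do not change the check."""
    if current == 0 and new != 0:
        return 20000
    return 5000


def sstore_cost_eip1283(original: int, current: int, new: int) -> int:
    """EIP-1283 net gas metering. 'original' is the slot's value at the start
    of the transaction; a slot already changed in this transaction
    (original != current) is 'dirty' and costs only 200 gas to write again."""
    if current == new:
        return 200            # no-op write
    if original == current:   # clean slot
        return 20000 if original == 0 else 5000
    return 200                # dirty slot


@dataclass
class Storage:
    """Minimal model of one contract's storage with per-transaction originals."""
    cost_fn: Callable[[int, int, int], int]
    slots: Dict[str, int] = field(default_factory=dict)
    original: Dict[str, int] = field(default_factory=dict)

    def begin_tx(self) -> None:
        self.original = dict(self.slots)

    def sstore(self, slot: str, value: int, gas: int) -> int:
        """Write a slot if the frame can afford it; return the gas left."""
        cost = self.cost_fn(self.original.get(slot, 0), self.slots.get(slot, 0), value)
        if cost > gas:
            raise OutOfGas(f"SSTORE {slot}={value} costs {cost}, only {gas} available")
        self.slots[slot] = value
        return gas - cost


def run_split_attack(cost_fn, deposit: int = 100) -> dict:
    """Replay the payment-sharing scenario under a given SSTORE pricing rule.

    The contract holds 'deposit' and a 'split' percentage for the first payee.
    In one transaction the attacker (who controls both payees) sets split to
    100 and then triggers the payout. While the first payee is paid via send(),
    its fallback runs with only the 2300-gas stipend and tries to set split
    back to 0 so the second payee is paid the whole deposit again.
    A fallback that runs out of gas is modelled with send() semantics: no
    state change, and the outer call carries on.
    """
    st = Storage(cost_fn)
    st.slots["split"] = 50          # written in an earlier transaction
    st.begin_tx()
    gas = 100_000                   # plenty of gas for the outer call

    # Step 1: updateSplit(100). The slot is now dirty for the rest of the tx.
    gas = st.sstore("split", 100, gas)

    # Step 2: splitFunds() pays the first payee according to 'split' ...
    first_share = deposit * st.slots["split"] // 100

    # ... and the payee's fallback, with only the stipend, tries updateSplit(0).
    try:
        st.sstore("split", 0, CALL_STIPEND)
        fallback_wrote = True
    except OutOfGas:
        fallback_wrote = False

    # Step 3: the second payee is paid from the (possibly rewritten) split.
    second_share = deposit * (100 - st.slots["split"]) // 100
    paid_out = first_share + second_share
    return {
        "fallback_wrote": fallback_wrote,
        "paid_out": paid_out,
        "deposit": deposit,
        "overpaid": paid_out > deposit,
    }


if __name__ == "__main__":
    print("before fork:", run_split_attack(sstore_cost_pre_constantinople))
    print("after EIP-1283:", run_split_attack(sstore_cost_eip1283))
```

Under the old pricing the fallback's write costs 5000 gas, more than the stipend, so the reentrant update fails and the contract pays out exactly the deposit; under EIP-1283 the same write on the dirty slot costs 200 gas, succeeds, and the contract pays out twice. The stipend was never a real guard: a reentrancy lock, or finishing every state update before the external call, closes the hole regardless of how SSTORE is priced.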
Pwn2Own Vancouver 2019: Targets include Tesla Model 3, Oracle, Google, Apple, Microsoft, and more!
Melisha Dsouza
16 Jan 2019
4 min read

Pwn2Own, run by Trend Micro's Zero Day Initiative (ZDI), is one of the industry's toughest hacking contests. Started in 2007, it has become a platform for white hats to test their skills against a range of software, and winners have been awarded more than $4 million over the lifetime of the program.

Pwn2Own Vancouver, the spring vulnerability research competition, will run from March 20 to 22 at the CanSecWest conference. The contest has five categories: web browsers, virtualization software, enterprise applications, server-side software and, for the first time, an automotive category, with the Tesla Model 3 chosen as the target by ZDI. Other targets include software from Apple, Google, Microsoft, Mozilla, Oracle and VMware. Let's look at what is in store for every category.

#1 Automotive category: Tesla Model 3

"We develop our cars with the highest standards of safety in every respect, and our work with the security research community is invaluable to us" - David Lau, Vice President of Vehicle Software at Tesla

Tesla has engaged with the hacker community since 2014 through its bug bounty program, which pays up to $15,000 for security exploits of its systems. In 2018 the company altered its warranty policy: as long as security exploits are found and reported within the limits outlined by the bug bounty program, the user's warranty remains intact. At Pwn2Own Vancouver, researchers will have six focal points in which to look for vulnerabilities in the car. Prizes in this category range from $35,000 to $300,000, and the winning security researcher can also walk away with their very own Model 3. Tesla's participation signals how seriously it takes the security of its vehicle software.

#2 Virtualization category

The targets are Oracle VirtualBox, VMware Workstation, VMware ESXi and Microsoft Hyper-V Client. Microsoft leads the category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. VMware is a Pwn2Own sponsor for 2019, and VMware ESXi and VMware Workstation are targets with awards of $150,000 and $70,000 respectively. Oracle VirtualBox carries a prize of $35,000.

#3 Browser category

The targets are Google Chrome, Microsoft Edge, Apple Safari and Mozilla Firefox. Web browsers were hacked repeatedly in 2018, so it is encouraging to see the biggest names in the industry putting their products forward to have flaws found before malicious actors exploit them. A Firefox exploit will be awarded $40,000 and a Chrome exploit $80,000. A contestant who exploits Edge with Windows Defender Application Guard (WDAG) enabled will be awarded $80,000. Safari exploits are awarded $55,000 to $65,000.

#4 Enterprise Application category

The targets are Adobe Reader, Microsoft Office 365 and Microsoft Outlook. Products from Adobe and Microsoft are used by almost everyone daily, so a flaw found here protects the millions who rely on them. A Reader exploit is worth $40,000, an Office 365 exploit $60,000 and an Outlook exploit $100,000.

#5 Server-side category

The final category has a single target, Microsoft Windows RDP. A successful RDP exploit earns the contestant $150,000.

Head over to the Zero Day Initiative's official blog for more information on the contest, the rules, the awards and much more.

Microsoft urgently releases Out-of-Band patch for an active Internet Explorer remote code execution zero-day vulnerability
NYT says Facebook has been disclosing personal data to Amazon, Microsoft, Apple and other tech giants; Facebook denies claims with obfuscating press release
AI chipmaking startup 'Graphcore' raises $200m from BMW, Microsoft, Bosch, Dell
Google Home and Amazon Alexa can no longer invade your privacy, thanks to Project Alias!
Savia Lobo
15 Jan 2019
2 min read

Project Alias is an open-source, "teachable" parasite that gives users more control over their smart home assistants, in terms of both customization and privacy. It trains the assistant to respond to a custom wake-up name, chosen through a companion app, while blocking the device's built-in microphones with noise until that name is heard. Once trained, Alias activates the assistant on your behalf, so the assistant only hears you when you want it to.

Tellart designer Bjørn Karmann and Topp designer Tore Knudsen are behind the experimental project. Knudsen says, "This [fungus] is a vital part of the rain forest, since whenever a species gets too dominant or powerful it has higher chances of getting infected, thus keeping the diversity in balance." He adds, "We wanted to take that as an analogy and show how DIY and open source can be used to create 'viruses' for big tech companies."

The hardware is a plug-powered microphone/speaker unit that sits on top of the user's smart speaker of choice, built around a Raspberry Pi.

[Figure: input and output logic of Alias]

Both Amazon and Google have a record of storing past conversations in the cloud; Project Alias, by contrast, promises privacy. As FastCompany puts it, smart home assistants "aren't meant to listen in to your private conversations, but by nature, the devices must always be listening a little to be listening at just the right time–and they can always mishear any word as a wake word."

Knudsen says, "If somebody would be ready to invest, we would be ready for collaboration. But initially, we made this project with a goal to encourage people to take action and show how things could be different . . . [to] ask what kind of 'smart' we actually want in the future."

To know more about Project Alias, head over to Bjørn Karmann's website or GitHub. Here is a short video on how Project Alias works:

https://player.vimeo.com/video/306044007

Google's secret Operating System 'Fuchsia' will run Android Applications: 9to5Google Report
US government privately advised by top Amazon executive on web portal worth billions to the Amazon; The Guardian reports
France to levy digital services tax on big tech companies like Google, Apple, Facebook, Amazon in the new year