Tech News - Cybersecurity

373 Articles
Internal memo reveals NASA suffered a data breach compromising employees social security numbers

Melisha Dsouza
26 Dec 2018
3 min read
On 18th December, an internal HR memo was sent to all NASA employees by Bob Gibbs, assistant administrator for the office of human capital management, alerting them to a possible compromise of NASA servers in late October. The memo, shared by SpaceRef, states that the servers stored personally identifiable information about NASA employees, including their social security numbers. What is surprising is that NASA learned of the incident in October 2018 but remained silent until the memo was rolled out.

Gibbs says in the memo that the space agency took immediate steps to contain the breach and that the investigation is still ongoing. The scope of the breach is unclear. The memo states that NASA is ‘examining the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals’. The message was sent to all NASA employees, regardless of whether or not their information may have been compromised. NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between centers from July 2006 to October 2018 may also have been affected.

NASA’s Office of Inspector General (OIG) has repeatedly criticized the space agency’s cybersecurity practices, reporting shortfalls in NASA’s overall information technology (IT) management. The office stated in its latest semi-annual report, dated Oct. 31: “Through its audits, the OIG has identified systemic and recurring weaknesses in NASA’s IT security program that adversely affect the Agency’s ability to protect the information and information systems vital to its mission.” In May, the OIG published its audit of NASA’s Security Operations Center (SOC) and found several issues with the center, from high management turnover to a lack of formal authority to manage information security issues for some parts of the agency.

An October 2017 report stated that “Lingering confusion about security roles coupled with poor IT inventory practices continues to negatively impact NASA’s security posture.” According to Hacker News, this is not the first time the agency's servers have been hacked. NASA suffered a massive security breach in 2016 in which 276GB of sensitive data was released, including flight logs and the credentials of thousands of its employees.

All these facts draw attention to the poor security practices followed at NASA. It will be interesting to see how NASA deals with this breach and what measures it takes to secure its systems against future cyber attacks. Head over to SpaceNews.com to know more about this news.
ACLU files lawsuit against 11 federal criminal and immigration enforcement agencies for disclosure of information on government hacking

Melisha Dsouza
24 Dec 2018
3 min read
On Friday, the American Civil Liberties Union (ACLU), Privacy International, and the University at Buffalo Law School’s Civil Liberties & Transparency Clinic filed a Freedom of Information Act lawsuit against 11 federal criminal and immigration enforcement agencies, including the FBI, Immigration and Customs Enforcement, and the Drug Enforcement Administration. The lawsuit demands disclosure of basic information about government hacking: which hacking tools and methods the agencies use, how often these tools are used, the legal basis for employing these methods, and any internal rules that govern them. The plaintiffs also seek any internal audits or investigations related to their use.

The ACLU, in its blog post, states that hacking by the government raises “grave privacy concerns”, creating “surveillance possibilities” that could pose a security risk because even “lawful hacking” can take advantage of unpatched vulnerabilities in a user’s devices and software. By hacking into a phone, laptop, or other device, federal agents can obtain sensitive or confidential information; they can activate a device’s camera and microphone, log keystrokes, or hijack a device’s functions. Most of the time users are completely unaware that they are being surveilled, and there is little public information on what constitutes ‘lawful hacking’.

The ACLU argues that "Law enforcement use of hacking presents a unique threat to individual privacy." It supports this claim with examples. In one case, the government commandeered an internet hosting service in order to set up a “watering hole” attack that is suspected to have spread malware to many innocent people who visited websites on the server. In another case, an FBI agent investigating fake bomb threats impersonated an Associated Press reporter to deploy malware on a suspect’s computer: the agent created a fake story and sent a link to it to a high school student, and when the student visited the website, it implanted malware on his computer that reported identifying information back to the FBI.

The lawsuit aims to give a better understanding of what the government is doing and what rules it follows, clarifying whether and when the government should engage in hacking. It would also help users understand whether the government is collecting excessive information about the people it surveils, and how investigators handle innocent bystanders’ information. You can head over to ACLU’s official blog to know more about this news.
Justice Department’s indictment report claims Chinese hackers breached business and government network

Savia Lobo
21 Dec 2018
3 min read
According to an indictment from the U.S. Justice Department released on Thursday, Chinese hackers working on behalf of China’s Ministry of State Security breached the networks of dozens of tech companies and government departments, largely in an effort to steal intellectual property. The indictment states that the attacks were carried out by a group known as APT10, which various security companies have linked to the Chinese state. Speaking to Wired, Benjamin Read, senior manager for cyberespionage analysis at FireEye, said, “MSPs are incredibly valuable targets. They are people that you pay to have privileged access to your network. It’s a potential foothold into hundreds of organizations.”

What organizations did the Chinese group target?

According to Reuters, the hackers successfully targeted Hewlett Packard Enterprise, IBM, and both companies’ customers. In response to the attack, IBM said that it “has been aware of the reported attacks and already has taken extensive counter-measures worldwide as part of our continuous efforts to protect the company and our clients against constantly evolving threats. We take responsible stewardship of client data very seriously, and have no evidence that sensitive IBM or client data has been compromised by this threat.”

HPE also responded. The company said in a statement that it had spun out a large managed-services business in a 2017 merger with Computer Sciences Corp that formed a new company, DXC Technology. “The security of HPE customer data is our top priority. We are unable to comment on the specific details described in the indictment, but HPE’s managed services provider business moved to DXC Technology in connection with HPE’s divestiture of its Enterprise Services business in 2017.”

The hackers are believed to have used a technique known as spearphishing, a highly targeted form of phishing in which a website is disguised as reputable and trustworthy in order to scam the targets.

Dmitri Alperovitch, Chief Technology Officer at CrowdStrike, said, “Today’s announcement of indictments against Ministry of State Security (MSS), whom we deem now to be the most active Chinese cyber threat actor, is another step in a campaign that has been waged to indicate to China that its blatant theft of IP is unacceptable and will not be tolerated”. Alperovitch added that “while this action alone will not likely solve the issue and companies in the US, Canada, Europe, Australia, and Japan will continue to be targeted by MSS for industrial espionage, it is an important element in raising the cost and isolating them internationally.”

The U.K. government also said, “The National Cyber Security Centre assesses with the highest level of probability that the group widely known as APT10 is responsible for this sustained cyber campaign focused on large-scale service providers. The group almost certainly continues to target a range of global companies, seeking to gain access to commercial secrets.”

“China has long rebuffed complaints from other nations accusing it of cyber attacks and espionage but didn’t immediately comment on Thursday’s indictment”, per TechCrunch.
IEEE Computer Society predicts top ten tech trends for 2019: assisted transportation, chatbots, and deep learning accelerators among others

Natasha Mathur
21 Dec 2018
5 min read
IEEE Computer Society (IEEE-CS) released its annual tech future predictions earlier this week, unveiling the ten technology trends most likely to be adopted in 2019. "The Computer Society's predictions are based on an in-depth analysis by a team of leading technology experts, and identify top technologies that have substantial potential to disrupt the market in the year 2019," mentions Hironori Kasahara, IEEE Computer Society President. Let’s have a look at their top 10 technology trends predicted to reach wide adoption in 2019.

Top ten trends for 2019

Deep learning accelerators

According to IEEE Computer Society, 2019 will see widescale adoption of companies designing their own deep learning accelerators such as GPUs, FPGAs, and TPUs, which can be used in data centers. The development of these accelerators would further allow machine learning to be used in different IoT devices and appliances.

Assisted transportation

Another trend predicted for 2019 is the adoption of assisted transportation, which is already paving the way for fully autonomous vehicles. Although fully autonomous vehicles are not entirely here yet, self-driving tech saw a booming year in 2018. For instance, AWS introduced DeepRacer, a self-driving race car, Tesla is building its own AI hardware for self-driving cars, Alphabet’s Waymo will be launching the world’s first commercial self-driving cars in upcoming months, and so on. Beyond self-driving, assisted transportation is also highly dependent on deep learning accelerators for video recognition.

The Internet of Bodies (IoB)

As per IEEE Computer Society, consumers have become very comfortable with self-monitoring using external devices like fitness trackers and smart glasses. With digital pills now entering mainstream medicine, body-attached, implantable, and embedded IoB devices provide richer data that enable the development of unique applications. However, IEEE notes that this tech also brings with it concerns related to security, privacy, physical harm, and abuse.

Social credit algorithms

Facial recognition tech was in the spotlight in 2018. For instance, Microsoft President Brad Smith requested that governments regulate the evolution of facial recognition technology this month, Google patented a new facial recognition system that uses your social network to identify you, and so on. According to IEEE, social credit algorithms will see a rise in adoption in 2019. Social credit algorithms make use of facial recognition and other advanced biometrics to identify a person and retrieve data about them from digital platforms. This data is then used to approve or deny access to consumer products and services.

Advanced (smart) materials and devices

IEEE Computer Society predicts that in 2019, advanced materials and devices for sensors, actuators, and wireless communications will see widespread adoption. These materials, which include tunable glass, smart paper, and ingestible transmitters, will lead to the development of applications in healthcare, packaging, and other appliances. “These technologies will also advance pervasive, ubiquitous, and immersive computing, such as the recent announcement of a cellular phone with a foldable screen. The use of such technologies will have a large impact on the way we perceive IoT devices and will lead to new usage models”, mentions IEEE Computer Society.

Active security protection

From data breaches (Facebook, Google, Quora, Cathay Pacific, etc) to cyber attacks, 2018 saw many security-related incidents. 2019 will see a new generation of security mechanisms that take an active approach to fighting these incidents. These would involve hooks that can be activated when new types of attacks are exposed, and machine-learning mechanisms that can help identify sophisticated attacks.

Virtual reality (VR) and augmented reality (AR)

Packt’s 2018 Skill Up report highlighted what game developers feel about the VR world: a whopping 86% of respondents replied with ‘Yes, VR is here to stay’. IEEE Computer Society echoes that thought, as it believes that VR and AR technologies will see even greater widescale adoption and will prove very useful for education, engineering, and other fields in 2019. IEEE believes that now that advertisements for VR headsets appear during prime-time television programs, VR/AR will see widescale adoption in 2019.

Chatbots

2019 will also see an expansion in the development of chatbot applications. Chatbots are used quite frequently for basic customer service on social networking hubs. They’re also used in operating systems as intelligent virtual assistants. Chatbots will also find applications in interaction with cognitively impaired children for therapeutic support. “We have recently witnessed the use of chatbots as personal assistants capable of machine-to-machine communications as well. In fact, chatbots mimic humans so well that some countries are considering requiring chatbots to disclose that they are not human”, mentions IEEE.

Automated voice spam (robocall) prevention

IEEE predicts that automated voice spam prevention technology will see widespread adoption in 2019. It will be able to block a spoofed caller ID and in turn enable “questionable calls”, where the computer asks the caller questions to determine whether the caller is legitimate.

Technology for humanity (specifically machine learning)

IEEE predicts an increase in the adoption rate of tech for humanity. Advances in IoT and edge computing are the leading factors driving the adoption of this technology. Events such as fires and bridge collapses are further creating the urgency to adopt these monitoring technologies in forests and smart roads.

"The technical community depends on the Computer Society as the source of technology IP, trends, and information. IEEE-CS predictions represent our commitment to keeping our community prepared for the technological landscape of the future,” says IEEE Computer Society. For more information, check out the official IEEE Computer Society announcement.
FBI takes down some ‘DDoS for hire’ websites just before Christmas

Prasad Ramesh
21 Dec 2018
2 min read
This Thursday a California federal judge granted the FBI warrants to take down several websites providing DDoS attack services. The domains were seized just before the Christmas holidays, a season in which attackers have launched DDoS attacks in past years, mainly against gaming services such as PlayStation Network, Xbox, Steam, EA Online, etc.

According to the court document, these 15 ‘booter’ websites were taken down:

- anonsecurityteam.com
- critical-boot.com
- defianceprotocol.com
- ragebooter.come.
- str3ssed.me
- bullstresser.net
- quantumstress.net
- booter.ninja
- downthem.org
- netstress.org
- Torsecurityteam.org
- Vbooter.org
- defcon.pro
- request.rip
- layer7-stresser.xyz

According to the filed affidavits, three men were charged with operating the websites: Matthew Gatrel, 30, and Juan Martinez, 25, from California; and David Bukoski, 23, from Alaska. The U.K.’s National Crime Agency, the Netherlands Police, and the U.S. Department of Justice, along with companies including Cloudflare, Flashpoint, and Google, cooperated on the takedown. Arrests are likely to follow soon. As per the affidavit, some of these sites were capable of attacks exceeding 40 Gigabits per second (Gbit/s), enough to keep some websites down for a long time.

Hackers have previously told the Telegraph that the rationale behind attacks on gaming websites in the Christmas season is about the holiday spirit. They say that Christmas is not about “children sitting in their rooms and playing games, it is about spending time with their families.”

What is a DDoS attack?

DDoS attacks have long been a problem, dating back to the 70’s. An attacker infects and uses multiple machines to target a network service and flood it with packets of useless data so that legitimate users are denied service. The goal of these attacks is to temporarily make the target services unavailable to their users.

This story was initially reported by TechCrunch.
Twitter memes are being used to hide malware

Savia Lobo
19 Dec 2018
3 min read
Last week, a group of security researchers reported that they had found new malware that takes its instructions from code hidden in memes posted to Twitter. The technique is known as steganography, a method popularly used by cybercriminals to hide a malicious payload within an image in order to evade security solutions.

According to Trend Micro, the malware authors posted two tweets containing malicious memes on 25th and 26th October. These images were tweeted via a Twitter account created in 2017. “The memes contain an embedded command that is parsed by the malware after it’s downloaded from the malicious Twitter account onto the victim’s machine, acting as a C&C service for the already-placed malware”, reported Trend Micro. According to the blog post, this new threat is detected as TROJAN.MSIL.BERBOMTHUM.AA. Notably, the malware gets its commands from a legitimate source, a popular networking platform, so the memes cannot be taken down until the malicious Twitter account is disabled. Twitter has since taken the account offline as of December 13, 2018.

Malicious memes are no laughing matter

The memes posted via the malicious Twitter account have a “/print” command hidden inside, which instructs the malware to take screenshots of the infected machine. These screenshots are then sent to a C&C server whose address is obtained through a hard-coded URL on pastebin.com. Next, the malware sends out the collected information or the command output to the attacker by uploading it to a specific URL address. According to Trend Micro, “During analysis, we saw that the Pastebin URL points to an internal or private IP address, which is possibly a temporary placeholder used by the attackers. The malware then parses the content of the malicious Twitter account and begins looking for an image file using the pattern: “<img src=\”(.*?):thumb\” width=\”.*?\” height=\”.*?\”/>” on the account.” Source: TrendMicro

Researchers have also mentioned other commands supported by this malware, including /processos to retrieve the list of running processes, /clip to capture clipboard content, /username to retrieve the username from the infected machine, and /docs to retrieve filenames from a predefined path (desktop, %AppData%, etc.).

According to TechCrunch, “The malware appears to have first appeared in mid-October, according to a hash analysis by VirusTotal, around the time that the Pastebin post was first created.” After Trend Micro reported the account, Twitter pulled it offline, suspending it permanently.
NYT says Facebook has been disclosing personal data to Amazon, Microsoft, Apple and other tech giants; Facebook denies claims with obfuscating press release

Melisha Dsouza
19 Dec 2018
6 min read
“No one should trust Facebook until they change their business model.” --Roger McNamee, an early investor in Facebook.

The New York Times confronted Facebook once again. The newspaper obtained hundreds of internal Facebook documents showing that the tech giant has been providing some of the world’s largest technology companies “more intrusive access to users’ personal data than it has disclosed”, and “effectively exempted those business partners from its usual privacy rules”. The records were generated in 2017 by the company’s internal system for tracking partnerships.

The Times points out how these deals helped Facebook get more users and lift its advertising revenue. It was a win-win situation for Facebook and its partner companies: partners acquired features to make their products more attractive, and Facebook users connected with friends across different devices and websites. The deals revealed in the documents benefited more than 150 companies, including tech businesses, online retailers and entertainment sites, automakers, and media organizations. The report speculates whether Facebook ran afoul of a 2011 consent agreement with the Federal Trade Commission that barred the social network from sharing user data without explicit permission.

Mr. Satterfield, Facebook’s privacy director, said its partners were subject to “rigorous controls.” Facebook officials claimed the company had disclosed its sharing deals in its privacy policy since 2010. The New York Times, however, says that the language in the policy about its service providers does not specify what data Facebook shares, or with which companies it shares it. With most of the partnerships, Mr. Satterfield said, the F.T.C. agreement did not require Facebook to secure users’ consent before sharing data because “Facebook considered the partners' extensions of itself“. He also stated that the partners were prohibited from using personal information for other purposes and that “Facebook’s partners don’t get to ignore people’s privacy settings.” The data was shared with some of the largest names in the tech industry, including Amazon, Microsoft, and Yahoo, who claimed that they had used the data appropriately, without expanding on the sharing deals in detail.

What did the documents reveal?

Here are some key points from the report that stood out:

- Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent.
- Netflix and Spotify were given the ability to read Facebook users’ private messages.
- Amazon was permitted to obtain users’ names and contact information through their friends.
- Yahoo could view streams of friends’ posts, despite public statements that it had stopped that type of sharing years earlier.
- Facebook obtained data from multiple partners for a friend-suggestion tool called “People You May Know.” There have been reported cases of the tool recommending friend connections between patients of the same psychiatrist, estranged family members, and a harasser and his victim. Facebook used contact lists from partners including Amazon, Yahoo, and Huawei to gain deeper insight into people’s relationships and suggest more connections.
- Some deals described in the documents were limited to sharing non-identifying information with research firms or enabling game makers to accommodate huge numbers of players.
- Some partners were allowed to see users’ contact information through their friends, even after Facebook said in 2014 that it was stripping all applications of that power. Sony, Microsoft, Amazon, and others could obtain users’ email addresses through their friends.
- Spotify, Netflix and the Royal Bank of Canada were allowed to read, write and delete users’ private messages.

In late 2009, Facebook launched “instant personalization”, which changed the privacy settings of the 400 million people then using the service, making some of their information accessible to the whole internet. It then shared that information, including users’ locations and religious and political leanings, with Microsoft and other partners. The F.T.C. investigated this and in 2011 cited these privacy changes as a deceptive practice. Facebook officials then stopped mentioning instant personalization in public and entered into the consent agreement. In 2014, Facebook ended instant personalization and removed access to friends’ information. But in a previously unreported agreement, the social network’s engineers continued allowing Bing, Pandora, and Rotten Tomatoes, the movie and television review site, access to much of the data they had gotten for the discontinued feature.

Facebook’s response to the New York Times report

In response to the New York Times report, Konstantinos Papamiltiadis, Director of Developer Platforms and Programs, said in a blog post that “To be clear: none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC”. He also explained that all the work done in this area was so that “people could have more social experiences.” The post goes on to somewhat justify the claims made in the Times report. His statement on the instant personalization deal that the leaked documents revealed, “We shut down instant personalization, which powered Bing’s features, in 2014 and we wound down our partnerships with device and platform companies months ago, following an announcement in April. Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs.”, does raise questions about Facebook’s seriousness with respect to user privacy. The post also claims that Facebook does not “have evidence that data was used or misused after the program was shut down”, adding, “we shouldn’t have left the APIs in place after we shut down instant personalization.”

This post has received strong backlash from Alex Stamos, a former chief security officer at Facebook. He claims that the response to the claims made by the Times report is not good enough and that “it makes the same mistake of blending all kinds of different integrations and models into a bunch of prose and it is very hard to match up the responses to the Times' claims.” https://twitter.com/reckless/status/1075225675756421120 That being said, he also tweets that allowing third-party clients is the kind of pro-competition move we want to see from dominant platforms; however, integrations that are sneaky or send secret data to servers controlled by others really are wrong.

Users have demanded that Facebook come clean about the explicit details of the access deals. Some users have also spoken up about the nature of the legal contracts a user has to sign to use a particular tech service. You can head over to the New York Times for more insights on this news.
An SQLite “Magellan” RCE vulnerability exposes billions of apps, including all Chromium-based browsers

Natasha Mathur
17 Dec 2018
2 min read
The Tencent Blade security team found a vulnerability in the SQLite database that exposes billions of desktop and web applications to attackers. The vulnerability, classified as a remote code execution (RCE) vulnerability, has not yet received a CVE identification number and has been nicknamed “Magellan” by the Tencent Blade Team. Since SQLite is one of the most widely used databases in modern operating systems and applications, the vulnerability can affect a variety of apps (e.g. on Android/iOS), devices (e.g. IoT), and software.

Magellan allows attackers to run malicious code on affected computers, leak program memory, or cause program crashes. Moreover, the vulnerability can be exploited remotely simply by visiting a particular web page in a browser that supports SQLite. Besides SQLite itself, all web browsers using the Chromium engine are also affected. Tencent Blade has already reported the vulnerability to Google developers, who promptly took care of it on their end. Additionally, security experts at Tencent Blade successfully exploited Google Home with this vulnerability, but haven’t disclosed the exploit code. The team also mentions that they have yet to see a case where Magellan has been abused in the wild.

Tencent Blade recommends updating to the official stable version 71.0.3578.80 of Chromium and to 3.26.0 for SQLite, as these are safe from the vulnerability. Google Chrome, Vivaldi, and Brave are all reported to be affected as they support SQLite through the Web SQL database API. The Safari web browser isn’t affected, and Firefox may be prone to this vulnerability only if an attacker gains access to its local SQLite database. “We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible”, says the Tencent Blade team.

Former Senior VP’s take on the Marriott data breach; NYT reports suspected Chinese hacking ties

Savia Lobo
14 Dec 2018
6 min read
The breach of Marriott’s Starwood guest database, which occurred at the end of last month, affected the data of almost 500 million guests. According to Marriott’s investigation report, the likely source of the breach was the technology platform Starwood deployed under the name “Valhalla”. Israel del Rio, Senior Vice President of Technology and Solutions at Starwood Hotels and Resorts from 2001 to 2006, has shared his take on the guest data breach. He said, “I worked on Valhalla and wrote about Marriott’s decision not to use it moving forward in 2016.”

Israel del Rio’s take on the Marriott breach

In his post, Israel said that the Valhalla system was fully operational in 2009 and that its design followed all the best practices, including firewalls, DMZs and encryption. He said, “The fact is, if we accept Marriott’s statement that the breach began in 2014, the system would already have been operating securely for five years. It is difficult to imagine how an architectural or platform vulnerability would not have been discovered or exploited sooner.” Israel highlighted three points in the Marriott report and gave his take on each.

500 million guests’ reservation data stolen

The report stated that the data of approximately 500 million guests who had made a reservation at a Starwood property had been stolen. To this, Israel said, “It is unlikely this system would have had 500 million records, given the practice to remove booking records a number of days after checkout. Even assuming half a million rooms in Starwood’s inventory at 90% occupancy, with average lengths of stay of two days, and up to two years of advance booking, such a database would not exceed 200 million records.” He said that the only place holding that much data would be the Data Warehouse, which contains booking records for several prior years, and that this is most likely the area from which the data was stolen. However, given that some of that data had already been migrated to Marriott, it is hard to say for certain whether the breach occurred in the Starwood system, the Marriott system, or in transit as a result of exposure during the Extract-Transform-Load process used during the migration.

An alert from an internal security tool helped Marriott detect the breach

Marriott’s discovery of the breach was triggered on September 8, 2018, when it received an alert from an internal security tool about an attempt to access the Starwood guest reservation database. Israel said, “We do not know when such a tool was first used, but what’s most confounding is Marriott’s assurance that the breach first occurred in 2014. If the detection tool was used prior to this September, why hadn’t the breach been detected earlier? And if the tool was not used earlier, how can they be so sure the breach occurred in 2014?” The stolen data also included records from 2014, which could be why the breach was assumed to have taken place around that time. The Data Warehouse contains booking data going back several years, so it could have been exposed only recently and still yield stolen records from 2014.

The exposed data included encrypted payment card numbers and payment card expiration dates

According to Israel, “there are two components needed to decrypt the payment card numbers, and that at this point, Marriott has not been able to rule out the possibility that both were stolen.” Marriott’s report said there is a possibility that the primary encryption key was also exposed. “It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys”, according to Israel. Israel said there is not enough information to understand what exactly happened: “It is possible that the Starwood system was in fact breached. Marriott had laid off most of the Starwood technology staff at the end of 2017, and whatever operational or migration issues this might have caused should be evaluated.” To know more about Israel del Rio’s take on the Marriott breach, visit his blog post.

Chinese hackers might have caused the Marriott Starwood guest data breach

According to the New York Times, the Marriott breach was part of a “Chinese intelligence-gathering effort, that also hacked health insurers and the security clearance files of millions more Americans, according to the two people briefed on the investigation.” The report comes as the Trump administration is planning, within days, actions targeting China’s trade, cyber and economic policies. The Marriott Starwood guest data breach is not expected to be part of the indictments against the Chinese hackers. “But two of the government officials said that it has added urgency to the administration’s crackdown, given that Marriott is the top hotel provider for the American government and military personnel”, according to the New York Times.

The Marriott database contains not only credit card information but also passport data. Officials said on Tuesday that this was part of an aggressive operation whose main focus was the 2014 hacking of the Office of Personnel Management. “At the time, the government bureau loosely guarded the detailed forms that Americans fill out to get security clearances — forms that contain financial data; information about spouses, children and past romantic relationships; and any meetings with foreigners. Such information is exactly what the Chinese use to root out spies, recruit intelligence agents and build a rich repository of Americans’ personal data for future targeting. With those details, the Marriott data adds another critical element to the intelligence profile: travel habits.” James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington, told the Times, “The data can be used to track which Chinese citizens visited the same city, or hotel, as an American intelligence agent who was identified in data taken from the Office of Personnel Management or from American health insurers that document patients’ medical histories and Social Security numbers.”

According to the New York Times, “The effort to amass Americans’ personal information so alarmed government officials that in 2016, the Obama administration threatened to block a $14 billion bid by China’s Anbang Insurance Group Co. to acquire Starwood Hotel & Resorts Worldwide, according to one former official familiar with the work of the Committee on Foreign Investments in the United States, a secretive government body that reviews foreign acquisitions.” The failed bid cleared the way later that year for Marriott Hotels to acquire Starwood for $13.6 billion, becoming the world’s largest hotel chain. “The Chinese regard intrusions into hotel chain databases as a standard kind of espionage. So does the United States, which has often seized guest data from foreign hotels.” To know more about this news in detail, visit The New York Times’ in-depth coverage.

Microsoft announces Windows DNS Server Heap Overflow Vulnerability, users dissatisfied with patch details

Melisha Dsouza
13 Dec 2018
3 min read
11th December was Microsoft's December 2018 Patch Tuesday, which means users had to update their computers to be protected from the latest threats to Windows and Microsoft products. Microsoft fixed 39 vulnerabilities, 10 of them rated Critical. As part of the December 2018 Patch Tuesday, Microsoft announced on its blog that a vulnerability exists in Windows Domain Name System (DNS). Little information was provided to customers about how and when the vulnerability was discovered. Microsoft released the following details:

The Exploit

Microsoft Windows is prone to a heap-based buffer overflow vulnerability. A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploits this issue may execute arbitrary code within the context of the affected application. Microsoft states that failed exploit attempts will result in a denial-of-service condition. Windows servers that are configured as DNS servers are at risk from this vulnerability.

Affected Systems

A list of the affected systems can be found on Microsoft’s blog. The company has also provided security updates for the affected systems.

Workarounds and Mitigations

As of today, Microsoft has not identified any workarounds or mitigations for the affected systems.

Jake Williams, founder of Rendition Security and Rally Security, posted an update on Twitter about the issue, questioning why there was so little discussion of the matter in the infosec community.
https://twitter.com/MalwareJake/status/1072916512724410369
Many users responded that they too had been looking for explanations of the vulnerability but had not found any satisfying ones.
https://twitter.com/spectrophagus/status/1072921055357009922
The Security Intelligence blog reported on 11th December that the just-released December Patch Tuesday fixes the Windows DNS Server heap overflow remote code execution (RCE) vulnerability. However, Microsoft has not released any analysis or details of the patch. Users are also speculating that, without a proper understanding of the security patch, the vulnerability could be badly exploited.
https://twitter.com/Greg_Scheidel/status/1073060170333339650
You can head over to Microsoft’s official blog to learn more about this vulnerability. Also visit BleepingComputer for information on all security updates in the December 2018 Patch Tuesday.

Google+ affected by another bug, 52M users compromised, shut down within 90 days

Sugandha Lahoti
11 Dec 2018
3 min read
It has been only two months since Google reported a bug in one of the Google+ People APIs that affected up to 500,000 Google+ accounts and prompted the shutdown of Google+. Yesterday, Google+ suffered another massive data leak, affecting approximately 52.5 million users, in connection with a Google+ API. This has led Google to expedite the shutdown of Google+: access to the Google+ API will be cut off within the next 90 days, and the service will shut down completely in April rather than August next year.

In a blog post, David Thacker, VP of Product Management for G Suite, stated that the bug was introduced in a software update in November and was fixed immediately. However, people are upset that the leak is only being disclosed now. The bug caused apps that requested permission to view a Google+ user’s profile information (name, email address, occupation, age, etc.) to be granted that permission even when the information was set to not-public. In addition, Thacker mentions, “apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.” However, apps did not gain access to financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.

Google discovered the bug as part of its standard testing procedures and says there is “no evidence that the app developers that inadvertently had this access for six days were aware of it or misused.” Google says it has begun notifying users and enterprise customers who were affected by the bug. Thacker also says that maintaining users' privacy is Google’s top concern: “We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs.”

People on Hacker News were highly critical of the data leak and expressed concerns about the kind of organization Google is turning into.

“I've been online since Google was a new up and coming company. There is a world of difference between the civic-mindedness of Google back then and Google now. Google has gone from something genuinely idealistic to something scary and totalitarian. If you aren't of the same "tribe" as the typical Googler, then basically, you're a subject.”

“So, how does Google, which we all trust with our precious data end up messing up like this several times in a row? If this is the company with the best security team in the world does that mean we should simply abandon all hope”

“They could have done soo much more with Google+ ... The hype was real up until launch. Really wish they had done things a little differently. Oh well... With all these leaks, I'm actually really glad they weren't successful with this.”

Australia’s Assistance and Access (A&A) bill, popularly known as the anti-encryption law, opposed by many including the tech community

Savia Lobo
10 Dec 2018
6 min read
Last week, Australia’s Assistance and Access (A&A) anti-encryption law was passed by Parliament, giving Australian police and government agencies the power to issue technical notices. The Assistance and Access (A&A) law requires tech companies to help law enforcement agencies break into individuals’ encrypted data. Using secret warrants, the government can even compel a company to serve malware remotely to a target’s device. The Labor party, which had planned to amend the legislation, later pulled its amendments in the Senate, and the bill was passed even though Labor itself had found it to be flawed. The Australian Human Rights Commission wrote to Parliament, “The definition of ‘acts or things’ in the Bill is so vague as to potentially permit almost limitless forms of assistance”. Several lawmakers had looked set to reject the bill, criticizing the government’s efforts to rush it through before the holidays.

The anti-encryption bill has been widely condemned. ProtonMail, a Swiss-based end-to-end encrypted email company, has also criticized the new law in a blog post and said that it will remain committed to protecting its users anywhere in the world, including in Australia.

ProtonMail against the Assistance and Access (A&A) law

Although ProtonMail has data centers only in Switzerland and is not under Australian jurisdiction, any request for assistance from Australian agencies under the A&A law would have to pass the scrutiny of Switzerland’s criminal procedure and data protection laws. According to ProtonMail, “just because this particular law does not affect ProtonMail and ProtonVPN does not mean we are indifferent. A&A is one of the most significant attacks on digital security and privacy since the NSA’s PRISM program. But the Australian measure is more brazen, hastily forced through Parliament over the loud objections of every sector of society, from businesses to lawyers groups.”

In a letter to Parliament, the Australian Computer Society, a trade association for IT professionals, outlined several problems with the law, including:
- Not every company has the technical know-how to safely implement malware that won’t accidentally backdoor the entire product (particularly with IoT devices), putting the security of people’s homes and organizations at risk.
- Businesses can’t easily plan or budget for possible covert surveillance work with the government.
- A companion “explanatory document” outlines some safeguards to protect civil rights and privacy that don’t actually appear in the law itself.
- Once police have gained access to a suspect’s device, they could easily remove evidence from the device that could prove the person’s innocence. There would be no way to know.
These are just a few of the issues, and that’s barely scratching the surface. According to ProtonMail, “the widespread use of encryption can actually further governments’ national security goals. It is critical that we strike the right balance. In our opinion, the A&A law does not do this, and in the long run, will make us all less safe.” To know more about this in detail, visit ProtonMail’s official blog post.

The tech community also opposes the Australian bill in an open letter

The tech community also wrote an open letter, titled “You bunch of Idiots!”, to Bill Shorten and the Australian Labor party. They mention, “Every tech expert agrees that the so-called "Assistance and Access Bill" will do significant damage to Australia's IT industry.” The letter highlights three key points:

The community members state that the law weakens security for users. “We do not want to deliberately build backdoors or make our products insecure. This means everyone else's data will be vulnerable. People have an expectation that we protect their personal data to the best of our ability. We cannot continue to guarantee this unless we go against the technical capability notices issued by law enforcement - which will become a criminal offence”, according to the letter.

They also said, “You have made it harder for international companies to hire Australian talent, or have offices in Australia filled with Australian talent. Companies such as Amazon, Apple, Atlassian, Microsoft, Slack, Zendesk and others now have to view their Australian staff and teams as "potentially compromised". This is because law enforcement can force a person to build a backdoor and they cannot tell their bosses. They might sack them and leave Australia because of the law you just passed.”

“You have also just made it almost impossible to export Australian tech services because no-one wants a potentially vulnerable system that might contain a backdoor. Who in their right mind will buy a product like that? Look at the stock price of one of Australia's largest tech companies, Atlassian. It's down because of what you have voted for. In addition, because it violates the EU's General Data Protection Regulations (GDPR), you have just locked Australian companies and startups out of a huge market.”

The tech community strongly opposed the bill, calling it a destructive and short-sighted law. They said, “In all good conscience, we can no longer support Labor. We will be advocating for people to choose those who protect digital rights.”

The ‘blackout’ move on GitHub to block Australia for everyone’s safety

Many Australian users suggested that the world block Australia for everyone’s safety after the Assistance and Access Bill was passed. Following this, users created a repository on GitHub providing easy-to-use solutions to black out Australia, in solidarity with Australians who oppose the bill. On GNU/Linux systems, the main script’s goal is to periodically download a blocklist and update the rules in a dedicated BLACKOUT chain in iptables. The repo also includes scripts to set up a dedicated BLACKOUT chain in the iptables filter table and a privileged cron job that updates the iptables rules, and to stop any running cron job, remove the cron job, and tear down the dedicated BLACKOUT chain.
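As an added example, not code from the GitHub repository the article describes, here is a minimal shell script that follows the same three-step procedure (create a dedicated chain, refresh its rules from a blocklist file, tear the chain down). The chain name BLACKOUT matches the article; the run helper, the DRY_RUN switch and the CLI subcommands are this example's own assumptions, and the sample blocklist entries used in testing are constructed from RFC 5737 documentation ranges. The script treats the downloaded list as untrusted input and only turns well-formed IPv4 addresses or CIDR prefixes into rules, so a tampered list cannot smuggle arbitrary text into an iptables command.

```shell
#!/bin/sh
# Added example (not the repository's script): keep a dedicated iptables chain
# in sync with a blocklist file. Run as root with DRY_RUN=0 to apply rules;
# with DRY_RUN=1 (the default here) it only prints the commands it would run.
set -u

CHAIN="${CHAIN:-BLACKOUT}"      # chain name, matching the article's naming
IPT="${IPT:-iptables}"          # iptables binary (assumption: found in PATH)
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables invocation.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Accept only a plain IPv4 address or an IPv4 CIDR with prefix 0..32.
# A downloaded blocklist is untrusted input, so anything else is rejected
# rather than spliced into a rule.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Create the chain once and hook it in front of INPUT and FORWARD.
setup_chain() {
    run -N "$CHAIN"
    run -I INPUT 1 -j "$CHAIN"
    run -I FORWARD 1 -j "$CHAIN"
}

# Replace the chain's contents with the entries of the blocklist file ($1).
# Comments (# ...), blank lines and malformed entries are ignored; a count
# of loaded entries is reported on stderr so a cron log shows what happened.
update_chain() {
    run -F "$CHAIN"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if valid_cidr "$line"; then
            run -A "$CHAIN" -s "$line" -j DROP
            count=$((count + 1))
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$1"
    run -A "$CHAIN" -j RETURN
    printf 'loaded %d entries into %s\n' "$count" "$CHAIN" >&2
}

# Unhook, empty and delete the chain (the teardown step from the article).
teardown_chain() {
    run -D INPUT -j "$CHAIN"
    run -D FORWARD -j "$CHAIN"
    run -F "$CHAIN"
    run -X "$CHAIN"
}

# Minimal CLI so the same file can be called from a cron job:
#   blackout.sh setup | update <blocklist-file> | teardown
case "${1:-}" in
    setup)    setup_chain ;;
    update)   update_chain "$2" ;;
    teardown) teardown_chain ;;
esac
```

Flushing and repopulating the chain on every run keeps the update idempotent, so a cron entry such as `*/30 * * * * root DRY_RUN=0 /usr/local/sbin/blackout.sh update /var/lib/blackout/list.txt` (an assumed path) can simply rerun it after each download. Because the chain ends in RETURN and is inserted at position 1, traffic that does not match any entry falls through to the host's existing rules unchanged.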

Ericsson’s expired software certificate issue causes massive outages in UK’s O2 and Japan’s SoftBank network services

Savia Lobo
07 Dec 2018
3 min read
Yesterday, the Swedish networking and telecommunications company Ericsson reported an issue in its core software that caused network disturbances for some of its customers. The issue was responsible for a data outage across 11 countries, including the United Kingdom’s O2 and Japan’s SoftBank mobile services. Ericsson identified that only customers running two specific software versions of the SGSN–MME (Serving GPRS Support Node – Mobility Management Entity) were affected. The company’s initial root cause analysis indicated that the main issue was an expired certificate installed at the affected customers. Ericsson CEO and President Börje Ekholm said, “The faulty software that has caused these issues is being decommissioned and we apologize not only to our customers but also to their customers. We work hard to ensure that our customers can limit the impact and restore their services as soon as possible.”

The O2 and SoftBank outage left millions of customers in the UK and Japan offline for a whole day

30 million customers of the UK mobile provider O2 were unable to make or receive phone calls because of Ericsson’s expired certificate issue. Other affected service providers include Tesco Mobile and Sky Mobile. O2’s entire network, including the companies using its platform and its subsidiaries Giffgaff and Lycamobile, was badly affected. However, services were restored at around 4 am yesterday. The outage also affected Transport for London’s live bus arrival updates at stops across the capital, which rely on O2’s network for data. O2 CEO Mark Evans tweeted reassuring customers that the company was doing everything it could to fix the issue and apologized to the affected customers.
https://twitter.com/MarkEvansO2/status/1070710723905499136
In Japan, SoftBank and Y!mobile 4G LTE mobile phone services, Ouchi-No-Denwa fixed-line services and SoftBank Air services were also affected. SoftBank said that its outage lasted from 1.39pm until 6.04pm JST yesterday. According to SoftBank’s press release on the outage, “SoftBank Network Center detected software's malfunction in all of the packet switching machines manufactured by Ericsson, which are installed at the Tokyo Center and the Osaka Center, covering our mobile customers nationwide.” SoftBank also received a report from Ericsson stating that “the software has been in operation since nine months ago and the failure caused by the same software also occurred simultaneously in other telecom carriers across 11 countries, which installed the same Ericsson-made devices.” Marielle Lindgren, CEO of Ericsson UK & Ireland, said, “The faulty software that has caused these issues is being decommissioned. Our priority is to restore full data services on the network by tomorrow (Friday) morning. Ericsson sincerely apologizes to customers for the inconvenience caused.” To know more about this news in detail, visit Ericsson’s official press release.

Australia passes a rushed anti-encryption bill “to make Australians safe”; experts find “dangerous loopholes” that compromise online privacy and safety

Sugandha Lahoti
07 Dec 2018
3 min read
On Thursday, Australia passed a rushed assistance and access bill that gives Australian police and government agencies the power to issue technical notices. The Labor party had planned to amend the legislation. However, even after calling the bill flawed, Labor pulled its amendments in the Senate and the bill was passed. "Let's just make Australians safer over Christmas," Bill Shorten, leader of the Opposition and the Labor Party, said on Thursday evening. "It's all about putting people first."

The assistance and access bill gives only vague answers on the potential power it could give government and law enforcement over digital privacy. The government claims that encrypted communications are “increasingly being used by terrorist groups and organized criminals to avoid detection and disruption,” and so the bill requires tech companies to assist them in accessing electronic data. Per ZDNet, under the new assistance and access bill, Australian government agencies can issue three kinds of notices to companies and websites:
- Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have.
- Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices.
- Technical Assistance Requests (TAR), which experts have described as the most dangerous of all.
In effect, the Australian government can hack, implant malware, undermine encryption or insert backdoors across companies and websites. Companies that refuse may face financial penalties. Although the government has said the bill will target criminals such as sex offenders, terrorists, and homicide and drug offenders, critics think otherwise. According to the Communications Alliance, the bill contains dangerous loopholes and technical backdoors that could be exploited by hackers.

Another issue of debate was the lack of a clear definition of the term “systemic weakness.” Labor has asked for a more concrete definition in the amendments to be made to the law next year. Several lawmakers, as well as the general public, condemned the bill on Twitter, pointing out its rushed release.
https://twitter.com/timwattsmp/status/1069361402589011968?s=21
https://twitter.com/jordonsteele/status/1070170310626828288?s=12
https://twitter.com/Asher_Wolf/status/1070692137052758016
https://twitter.com/Scottludlam/status/1070592908292612096
https://twitter.com/Jordonsteele/status/1070565215106818048
https://twitter.com/AdamBandt/status/1070492876365225985

HashiCorp Vault 1.0 released with batch tokens, updated UI and more

Prasad Ramesh
05 Dec 2018
3 min read
Yesterday, HashiCorp announced HashiCorp Vault 1.0, a tool for managing secrets and protecting sensitive data for infrastructure and applications. This first major release focuses on high performance and scalability for workloads.

Batch tokens in Vault 1.0

Batch tokens are a new type of token that supports ephemeral, high-performance workloads. Batch tokens are not written to disk, which significantly reduces the performance cost of any operations within Vault. The tradeoff is that batch tokens are not persistent, so they are of little use in long-lived or ongoing operations, or in any operation that requires token resiliency. Because of their ephemeral nature, batch tokens suit large batches of single-purpose operations, such as using the transit secrets engine; they are not suited to operations like persistent secret access within a K/V engine.

Cloud Auto Unseal open sourced

Cloud Auto Unseal is open sourced in Vault 1.0, letting Vault users leverage cloud services such as AWS KMS, Azure Key Vault, and GCP CKMS. It is open sourced to simplify storing and reassembling Shamir's keys for users. HSM-based Auto Unseal and Seal-Wrap remain features of Vault Enterprise; they are typically deployed to meet government and regulatory compliance requirements.

OpenAPI in Vault 1.0

The latest release of Vault supports the OpenAPI standard from the OpenAPI Initiative, which provides a vendor-neutral description format for API calls. Using the /sys/internal/specs/openapi endpoint, Vault can now generate an OpenAPI v3 document describing the mounted backends and endpoint capabilities available to a token’s permissions.

A new updated UI

There have been significant UI upgrades in Vault leading up to 1.0. These include:
- Wizards to help new users get started with Vault
- New, updated screens showing users how to mount auth methods and secrets engines
- Support for managing key versioning within the K/V v2 secrets engine
- Other UI updates to help ensure simple Vault deployment, initialization, and management

Expanded Alibaba Cloud integration

Features for operating Vault with and within Alibaba Cloud have been expanded. In Vault 1.0, Alibaba Cloud KMS is supported as a Seal-Wrap and Auto Unseal target, and the Alibaba Cloud auth method is now a supported interface for Auto Auth within Vault Agent.

GCP CKMS secrets engine

A new secrets engine has been added for managing cryptographic operations within GCP CKMS. With this interface, users can perform tasks like transit-style encrypt/decrypt operations, key creation, and key management within external GCP CKMS systems.

Other features

The credential used by the AWS secrets engine can be rotated so that only Vault knows it. With the new operator migrate command, users can perform offline migration of data between two storage backends. Keys in the transit secrets engine can be trimmed, allowing removal of older, unused key versions. To know more about Vault, visit the HashiCorp website.