Tech News - Security

470 Articles
Stack Overflow revamps its Code of Conduct to explain what ‘Be nice’ means - kindness, collaboration, and mutual respect
Sugandha Lahoti
10 Aug 2018
3 min read
Stack Overflow has expanded its Code of Conduct, which previously focused on just “Being Nice”, to include more virtues around kindness, collaboration, and mutual respect. Recently there have been many supporters of the idea that Stack Overflow is a “toxic wasteland”.

https://twitter.com/aprilwensel/status/974859164747931650

There is also a Reddit thread, from six months ago, where people have shared their woes about Stack Overflow being too toxic. This Code of Conduct is a formal, far less ambiguous and more informative way for Stack Overflow to regulate belittling language and condescension. It applies to everyone using Stack Overflow and the Stack Exchange network, including the team, moderators, and anyone posting to Q&A sites or chat rooms.

The Be Nice policy, since its inception in 2008, was a single guiding principle that everyone was expected to follow. However, just two words turned out to be too little and too ambiguous, and in 2014 a revised version of the policy was released to reflect Stack Exchange as a better community than the Internet believed it to be. The revised version also added instructions on how to report rare cases of bad behavior. However, this was still not specific enough to meet the needs of the much larger and more dynamic site Stack Overflow was growing to be. This is when they decided to launch a more formal policy, one that covers “Be nice, here’s how, here’s why, and here’s what to do if someone isn’t.”

The main tenets of the new code are:
If you’re here to get help, make it as easy as possible for others to help you.
If you’re here to help others, be patient and welcoming. Offer support if you see someone struggling or otherwise in need of help.
Be clear and constructive when giving feedback, and be open when receiving it.
Be kind and friendly. Avoid sarcasm and be careful with jokes, as tone can be hard to decipher online.

The code also denounces subtle put-downs or unfriendly language, name-calling or personal attacks, bigotry, and harassment.

If someone breaks the code of conduct, there are three stages:
Warning: for most first-time misconduct, moderators will remove the offending content and send a warning.
Account suspension: for repeated misconduct, moderators will impose a temporary suspension.
Account expulsion: in very rare cases, moderators will expel people who display a pattern of harmful, destructive behavior towards the community.

The Stack Overflow team plans to assess the CoC every six months by taking feedback from both new and experienced users about their recent experiences on the site. They have also added a code-of-conduct tag which members can use on Meta Stack Exchange to ask questions about or propose changes to the CoC. You can go through the entire Code of Conduct on Stack Overflow.
Let's Encrypt SSL/TLS certificates gain the trust of all Major Root Programs
Melisha Dsouza
09 Aug 2018
2 min read
Let's Encrypt is a Certificate Authority that enables HTTPS on your website. Initially, however, major browsers and root certificate programs were apprehensive about trusting this CA. The page has now turned for Let's Encrypt, who in their announcement yesterday stated that they are now directly trusted by major root programs such as Microsoft, Google, Apple, Mozilla, Oracle and Blackberry.

With these big names now associated with Let's Encrypt’s SSL certificates, end users are in for a host of advantages. They can obtain a trusted certificate from Let's Encrypt at zero cost. Software running on a web server can not only obtain a certificate, but also securely configure it for use and automatically renew it as and when needed. This certificate authority also ensures that TLS security is taken seriously. They aim to benefit the community by maintaining transparency in issuing and revoking certificates, all of which are publicly recorded for inspection, and by publishing their approach as an open standard for others to adopt.

Initially, they started with the trust base of many browsers but without the major root programs, the main reason being that it was a very new certificate authority, launched in early April 2016. To overcome this roadblock, their intermediate “Let's Encrypt Authority X3” is signed by ISRG Root X1, and the intermediate is also cross-signed by another certificate authority, IdenTrust. IdenTrust has long been a major name whose root is already trusted by all major browsers. This indirect chain of trust has been a game changer for Let's Encrypt.

There are still many older operating systems, browsers, and devices that do not directly trust Let's Encrypt. Some of these will eventually be updated to trust them directly; some will not. Until those move out of the trust and security scene, Let's Encrypt plans to keep using the cross signature.

Currently providing certificates for more than 115 million websites, Let's Encrypt is definitely making its presence felt! Head over to the official site of Let's Encrypt for more insights on this new announcement. You can also check out Black Hill’s post for information on why Let's Encrypt is making the rounds on the internet these days.
DARPA on the hunt to catch deepfakes with its AI forensic tools underway
Natasha Mathur
08 Aug 2018
5 min read
The U.S. Defense Advanced Research Projects Agency (DARPA) has come out with AI-based forensic tools to catch deepfakes, first reported by MIT Technology Review yesterday. According to MIT Technology Review, more tools are currently under development to expose fake images and revenge porn videos on the web. DARPA’s deepfake mission project was announced earlier this year.

(Image: Alec Baldwin on Saturday Night Live face-swapped with Donald Trump)

As mentioned in the MediFor blog post, “While many manipulations are benign, performed for fun or for artistic value, others are for adversarial purposes, such as propaganda or misinformation campaigns”. This is one of the major reasons why DARPA’s forensics experts are keen on finding methods to detect deepfake videos and images.

How did deepfakes originate?

Back in December 2017, a Reddit user named “DeepFakes” posted extremely real-looking explicit videos of celebrities. He used deep learning techniques to insert celebrities’ faces into adult movies. Using deep learning, one can combine and superimpose existing images and videos onto original images or videos to create realistic-seeming fake videos. As per MIT Technology Review, “Video forgeries are done using a machine-learning technique -- generative modeling -- lets a computer learn from real data before producing fake examples that are statistically similar”. Video tampering is done using two neural networks, generative adversarial networks, which work in conjunction “to produce ever more convincing fakes”.

Why are deepfakes toxic?

An app named FakeApp was released earlier this year which made creating deepfakes quite easy. FakeApp uses neural networking tools developed by Google's AI division. The app trains itself to perform image-recognition tasks using trial and error. Since its release, the app has been downloaded more than 120,000 times. In fact, there are tutorials online on how to create deepfakes. Apart from this, there are regular requests on deepfake forums asking users for help in creating face-swap porn videos of ex-girlfriends, classmates, politicians, celebrities, and teachers. Deepfakes can even be used to create fake news, such as world leaders declaring war on a country. The toxic potential of this technology has led to growing concern, as deepfakes have become a powerful tool for harassing people. Once deepfakes found their way onto the world wide web, many websites such as Twitter and PornHub banned them from their platforms. Reddit also announced a ban on deepfakes earlier this year, killing the “deepfakes” subreddit, which had more than 90,000 subscribers, entirely.

MediFor: DARPA’s AI weapon to counter deepfakes

DARPA’s Media Forensics group, also known as MediFor, works together with other researchers and is set on developing AI tools for deepfakes. It is currently focusing on four techniques to catch the audiovisual discrepancies present in a forged video: analyzing lip sync, and detecting speaker inconsistency, scene inconsistency and content insertions.

One technique comes from a team led by Professor Siwei Lyu of SUNY Albany. Lyu mentioned that they “generated about 50 fake videos and tried a bunch of traditional forensics methods. They worked on and off, but not very well”. As deepfakes are created using static images, Lyu noticed that the faces in deepfake videos rarely blink and that eye movement, if present, is quite unnatural. An academic paper titled "In Ictu Oculi: Exposing AI Generated Fake Face Videos by Detecting Eye Blinking," by Yuezun Li, Ming-Ching Chang and Siwei Lyu, explains a method to detect forged videos. It makes use of Long-term Recurrent Convolutional Networks (LRCN). According to the paper, people blink on average about 17 times a minute, or 0.283 times per second. This rate increases with conversation and decreases while reading.

There are many other techniques used for eye blink detection, such as detecting the eye state by computing the vertical distance between eyelids, measuring the eye aspect ratio (EAR), and using a convolutional neural network (CNN) to detect open and closed eye states. But Li, Chang, and Lyu take a different approach. They rely on a Long-term Recurrent Convolutional Network (LRCN) model. They first perform pre-processing to identify facial features and normalize the video frame orientation. Then they pass cropped eye images into the LRCN for evaluation. This technique is quite effective and compares well with the other approaches, with a reported accuracy of 0.99 (LRCN) compared to 0.98 (CNN) and 0.79 (EAR).

However, Lyu says that a skilled video editor can fix non-blinking deepfakes by using images that show blinking eyes. But Lyu’s team has a secret, effective technique in the works to catch even that, though he hasn’t divulged any details. Others in DARPA are on the lookout for similar cues such as strange head movements, odd eye color, etc., as these little details are bringing the team ever closer to detecting deepfakes.

As mentioned in the MIT Technology Review post, “the arrival of these forensics tools may simply signal the beginning of an AI-powered arms race between video forgers and digital sleuths”. MediFor also states that “If successful, the MediFor platform will automatically detect manipulations, provide detailed information about how these manipulations were performed, and reason about the overall integrity of visual media to facilitate decisions regarding the use of any questionable image or video”. Deepfakes need to stop, and the U.S. Defense Advanced Research Projects Agency (DARPA) seems all set to fight them.
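The eye aspect ratio (EAR) blink check mentioned above, as an added example that is not part of this article or of Li, Chang and Lyu's LRCN work: it computes EAR from six eye landmarks per frame, counts blinks as runs of closed-eye frames, and compares the clip's blink rate against the 17-per-minute baseline the paper quotes. The landmark ordering, the thresholds and the synthetic landmark sequences are assumptions constructed for the demonstration.

```python
import math
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]

# Assumed landmark ordering for one eye: p1 and p4 are the eye corners,
# p2/p3 lie on the upper lid and p6/p5 directly below them on the lower lid.
EAR_CLOSED_THRESHOLD = 0.20        # assumption: EAR below this counts as a closed eye
MIN_CLOSED_FRAMES = 2              # assumption: shorter dips are landmark jitter, not blinks
HUMAN_BLINK_RATE_PER_SEC = 0.283   # about 17 blinks a minute, as quoted in the article


def _dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def eye_aspect_ratio(p: Sequence[Point]) -> float:
    """EAR = (|p2-p6| + |p3-p5|) / (2 * |p1-p4|): high while open, near zero when closed."""
    if len(p) != 6:
        raise ValueError("expected six eye landmarks")
    horizontal = _dist(p[0], p[3])
    if horizontal == 0.0:
        raise ValueError("degenerate eye: corners coincide")
    vertical = _dist(p[1], p[5]) + _dist(p[2], p[4])
    return vertical / (2.0 * horizontal)


def count_blinks(ears: Sequence[float],
                 threshold: float = EAR_CLOSED_THRESHOLD,
                 min_frames: int = MIN_CLOSED_FRAMES) -> int:
    """Count closed-eye runs of at least min_frames consecutive frames."""
    blinks = 0
    run = 0
    for ear in ears:
        if ear < threshold:
            run += 1
            continue
        if run >= min_frames:
            blinks += 1
        run = 0
    if run >= min_frames:          # the clip may end while the eye is still closed
        blinks += 1
    return blinks


def blink_rate(ears: Sequence[float], fps: float) -> float:
    """Blinks per second over the whole clip."""
    if not ears or fps <= 0:
        raise ValueError("need at least one frame and a positive frame rate")
    return count_blinks(ears) / (len(ears) / fps)


def looks_forged(ears: Sequence[float], fps: float, min_fraction: float = 0.25) -> bool:
    """Flag a clip whose blink rate is far below the human baseline (assumed cut-off)."""
    return blink_rate(ears, fps) < HUMAN_BLINK_RATE_PER_SEC * min_fraction


# --- constructed input: a synthetic eye whose lid gap scales with `openness` ---
def eye_landmarks(openness: float) -> List[Point]:
    half = 5.0 * openness
    return [(0.0, 0.0), (10.0, half), (20.0, half),
            (30.0, 0.0), (20.0, -half), (10.0, -half)]


def synthetic_ear_sequence(fps: int, seconds: int,
                           blink_every_s: Optional[float]) -> List[float]:
    """EAR per frame for a clip that closes the eye for three frames every blink_every_s
    seconds, or never (blink_every_s=None), mimicking a deepfake built from still images."""
    period = int(fps * blink_every_s) if blink_every_s else 0
    ears = []
    for i in range(fps * seconds):
        closed = period > 0 and i % period < 3
        ears.append(eye_aspect_ratio(eye_landmarks(0.1 if closed else 1.0)))
    return ears


if __name__ == "__main__":
    real = synthetic_ear_sequence(30, 20, 4.0)
    fake = synthetic_ear_sequence(30, 20, None)
    print("blinking clip:    ", count_blinks(real), "blinks,",
          f"{blink_rate(real, 30):.3f}/s, forged?", looks_forged(real, 30))
    print("still-image clip: ", count_blinks(fake), "blinks,",
          f"{blink_rate(fake, 30):.3f}/s, forged?", looks_forged(fake, 30))
```

On real footage the per-frame landmarks would come from a face-landmark detector; the rate check is only a coarse screen, which is exactly why the article notes an editor can defeat it by splicing in blinking frames.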
Facebook open sources Fizz, the new generation TLS 1.3 Library
Melisha Dsouza
08 Aug 2018
3 min read
Facebook has open-sourced a new library, Fizz (a TLS 1.3 library), for securing websites against cyberattacks and improving its focus on safe data traversal across the internet. TLS 1.3 is now taking good shape, as Facebook has claimed that more than 50% of its web traffic is secured and running via TLS 1.3 and Fizz. Since Facebook's infrastructure is so widespread, a protocol like TLS is of much importance. Solving the SSL issues of both latency and data exposure, the TLS protocol uses stronger encryption for messages to maintain the privacy of certificates, redesigns the way secret keys are derived, and uses a zero round-trip connection setup to accelerate requests. Thus, TLS overcomes the shortcomings of the previously used SSL protocol.

What problem does Fizz solve for Facebook?

Assisting the Internet Engineering Task Force’s efforts to improve the TLS protocol, Fizz will now play its own part. One of the major issues faced by the engineers at Facebook was writing data to huge chunks of memory. This led to an increase in resource overhead and reduced the servers’ speed. To combat this issue, Fizz divides the data into smaller chunks and then moves it into memory while encrypting it in place. This simple technique, called “scatter/gather I/O”, processes data much more efficiently.

(Image: Scatter/Gather I/O. Source: code.fb.com)

The next big thing that Fizz aims to do is replace the previously deployed Zero protocol with TLS 1.3. The Zero protocol enabled Facebook to experiment with 0-RTT secure connections. 0-RTT reduced the latency of requests and the overhead needed to deploy TLS. Fizz has now taken over from the Zero protocol by providing zero-copy encryption and decryption and tight integration with other parts of the infrastructure, while reducing memory and CPU usage. This improves user experience, particularly on app startup when there are no existing connections to reuse. All this is done at the same speed as the Zero protocol but provides 10 percent higher throughput.

In today’s world, servers are scattered everywhere! Keeping in mind that these servers usually want to be able to make calls to services in other locations in the middle of a handshake, asynchronous I/O becomes very important. Fizz therefore provides a simple async application programming interface (API). Any callback from Fizz can return an asynchronous response without blocking the service from processing other handshakes. It is also very easy to add new asynchronous callbacks to Fizz for other use cases. Fizz also provides developers with easy-to-use APIs to send “early data” immediately after the TCP connection is established. Early data reduces the latency of requests. Fizz is built from secure abstractions. This helps catch bugs at compile time rather than at runtime, thereby preventing mistakes.

This open source contribution from Facebook aims to be better than its SSL predecessor at preventing attacks. It would be interesting to see how the crowd takes advantage of the library! Head over to the official FB documentation to know more about this robust library.
A new WPA/WPA2 security attack in town: Wi-fi routers watch out!
Savia Lobo
07 Aug 2018
3 min read
Jens "atom" Steube, the developer of the popular Hashcat password cracking tool, recently developed a new technique to obtain user credentials over WPA/WPA2 security. Here, attackers can easily retrieve the Pairwise Master Key Identifier (PMKID) from a router. WPA/WPA2, the Wi-Fi security protocols, enable a wireless and secure connection between devices using encryption via a PSK (Pre-Shared Key). The WPA2 protocol was considered highly secure against attacks. However, a method known as the KRACK attack, discovered in October 2017, was theoretically successful in decrypting the data exchange between devices. Steube discovered the new method when looking for new ways to crack the WPA3 wireless security protocol. According to Steube, this method works against almost all routers utilizing 802.11i/p/q/r networks with roaming enabled.

https://twitter.com/hashcat/status/1025786562666213377

How does this new WPA/WPA2 attack work?

The new attack method works by extracting the RSN IE (Robust Security Network Information Element) from a single EAPOL frame. The RSN IE is an optional field containing the PMKID generated by a router when a user tries to authenticate. Previously, to crack user credentials, the attacker had to wait for a user to log in to a wireless network; they could then capture the four-way handshake in order to crack the key. With the new method, an attacker simply has to attempt to authenticate to the wireless network in order to retrieve a single frame containing the PMKID. This can then be used to retrieve the Pre-Shared Key (PSK) of the wireless network.

A boon for attackers?

The new method makes it easier to obtain the hash containing the pre-shared key, which still needs to be cracked. However, this process takes a long time depending on the complexity of the password. Most users don’t change their wireless password and simply use the PSK generated by their router. Steube, in his post on Hashcat, said, "Cracking PSKs is made easier by some manufacturers creating PSKs that follow an obvious pattern that can be mapped directly to the make of the routers. In addition, the AP mac address and the pattern of the ESSID allows an attacker to know the AP manufacturer without having physical access to it." He also stated that attackers pre-collect the patterns used by manufacturers and create generators for each of them, which can then be fed into Hashcat. Some manufacturers use patterns that are too large to search, but others do not. The faster one’s hardware is, the faster one can search through such a keyspace. A typical manufacturer’s PSK of length 10 takes 8 days to crack (on a 4 GPU box).

How can users safeguard their router’s passwords?

Create your own key rather than using the one generated by the router. The key should be long and complex, consisting of numbers, lower case letters, upper case letters, and symbols (&%$!).
Steube personally uses a password manager and lets it generate truly random passwords of length 20 - 30.

One can follow in the researcher's footsteps in safeguarding their routers, or use the tips mentioned above. Read more about this new WiFi security attack on the Hashcat forum.
Mozilla's new Firefox DNS security updates spark privacy hue and cry
Melisha Dsouza
07 Aug 2018
4 min read
Mozilla just upped its security game by introducing two new features to the Firefox browser that they call "DNS over HTTPS" (DoH) and "Trusted Recursive Resolver" (TRR). According to Mozilla, this is an attempt on their part to enhance security. They want to make one of the oldest parts of the internet architecture, the DNS, more private and safe. This will be done by encrypting DNS queries and by testing a service that keeps DNS providers from collecting and sharing users’ browsing history. But internet security geeks are far from agreeing with this claim made by Mozilla.

DoH and TRR explained

DNS converts a domain name into an IP address. This means that when you enter the domain of a particular website in your browser, a request is automatically sent to the DNS server that you have configured. The DNS server then looks up this domain name and returns an IP address for your browser to connect to. However, this DNS traffic is unencrypted and shared with multiple parties, leaving the data vulnerable to capture and spying. Enter Mozilla with two new updates to save the day. The DNS over HTTPS (DoH) protocol encrypts DNS requests and responses. DNS requests sent to the DoH cloud server are encrypted, while old-style DNS requests are not protected. The next thing up Mozilla’s alley is building a default configuration for DoH servers that puts privacy first, also known as the Trusted Recursive Resolver (TRR). With Trusted Recursive Resolver (TRR) turned on by default, any DNS changes that a Firefox user configured in the network will be overridden. Mozilla has partnered with Cloudflare after agreeing to a very strong privacy policy that protects users’ data.

Why don’t security geeks like Mozilla’s DNS updates?

Even though Mozilla has made an attempt to transport requests over HTTPS, thus encrypting the data, the main concern was that the DNS servers used are local and hence the parties that spy on you will, well, also be local! Adding to this, while browsing with Firefox, Cloudflare can read everyone's DNS requests. This is because Mozilla has partnered with Cloudflare and will resolve domain names from the application itself via a DNS server from Cloudflare based in the United States. Now this in itself poses a threat, since Cloudflare is a third party, and we all know the consequences of having a third party interfere with our data and network. Despite the assurance that Cloudflare has signed a “pro-user privacy policy” that deletes all personally identifiable data within 24 hours, you can never say what will be done with your data. After the Cambridge Analytica scandal, nothing virtual can be trusted.

Here’s a small overview of what can go wrong because of the TRR. TRR fully disables anonymity. Before Mozilla implemented this change, DNS resolution was local and could be attacked. However, with Mozilla's change, all DNS requests are seen by Cloudflare and in turn also by any government agency that has the legal right to request data from Cloudflare. So in short, any (US) government agency can basically trace you down if you have information to spill or benefit them.

So to save everyone the trouble, let's explore what you can do about the situation. It's simple: turn TRR off! Hacker News users suggest the following workaround:
Enter about:config in the address bar
Search for network.trr
Set network.trr.mode = 5 to completely disable it

If you want to explore more about mode 5, head over to mozilla.org. You can change network.trr.mode to 2 to enable DoH. This will try to use DoH but will fall back to insecure DNS under some circumstances, like captive portals. (Use mode 5 to disable DoH under all circumstances.) The other modes are described on usejournal.com.

You may be surprised at how such a simple update can fuel so much discussion. It all comes down to the pitfalls of blindly trusting a third party service versus being your own boss and switching TRR off. Whose side are you on? To know more about this update, head over to Mozilla's Blog.
Google to launch a censored search engine in China, codenamed Dragonfly
Sugandha Lahoti
03 Aug 2018
3 min read
According to a leaked report obtained by the folks at The Intercept, Google is secretly planning to bring its search engine back to China. The project, codenamed Dragonfly, will meet China's censorship rules and filter out certain topics, including search terms about human rights, democracy, religion, and peaceful protests. According to internal Google documents and people familiar with the plans, the project was initiated in the spring of last year. However, it picked up speed following a December 2017 meeting between Google’s CEO Sundar Pichai and the Chinese government.

Google has created a custom Android app through which users can access Google’s search service. Per The Intercept, the app has already been demonstrated to the Chinese government and the finalized version may be launched anytime in the next 6 to 9 months. This custom app will comply with China’s strict censorship laws, restricting access to content that is banned. The Chinese government has censored popular social media sites like Instagram, Facebook, and Twitter, as well as news companies such as the New York Times and the Wall Street Journal. It has also banned information on the internet about political opponents, free speech, and academic studies. The Intercept says that the leaked document states that “the search app will also blacklist sensitive queries so that no results will be shown at all when people enter certain words or phrases.”

Back in 2010, Google made the decision to exit China by publicly declaring it would withdraw its search engine services from the country. The primary reason can be attributed to the fact that the Chinese government was forcing Google to censor search results. The Chinese government had also hacked Google’s servers, which played a major role in Google leaving China.

Patrick Poon, a Hong Kong-based researcher with human rights group Amnesty International, told The Intercept that “Google’s decision to comply with the censorship would be a big disaster for the information age.” The general public has also expressed their disdain over Google’s decision, calling it a money-minting business. Google is yet to share its views on the Chinese search engine. A spokesperson from Google said that they have "no comment on speculation about future plans." You can read the original story on The Intercept.
Say hello to Sequoia: a new Rust based OpenPGP library to secure your apps
Natasha Mathur
02 Aug 2018
3 min read
GnuPG developers have recently begun working on Sequoia, a new OpenPGP implementation in Rust. OpenPGP is an open, free version of the Pretty Good Privacy (PGP) standard. It defines standard formats for email and other message encryption and is based on the original PGP (Pretty Good Privacy) software. Sequoia is an OpenPGP library that provides easy-to-use cryptography for applications. It helps you protect the privacy of your users and is easy to incorporate into your application, no matter what language you use. It helps you manage your keys better, as its keystore stores keys and updates them so that new keys or revocations are discovered in a timely manner.

It is currently in development, led by three former GnuPG developers, Neal H. Walfield, Justus Winter, and Kai. The project is funded by the p≡p foundation, where each of the aforementioned developers has been working since fall 2017. What motivated the developers to start this new implementation was their experience with GnuPG, a free software replacement for Symantec's PGP cryptographic software. PGP, or Pretty Good Privacy, is a program used to encrypt and decrypt texts, emails, files, directories, etc. to increase the security of data communications. According to Neal H. Walfield, GnuPG posed several problems, as “it is hard to modify due to lack of unit tests and tight component coupling”. He also mentioned other reasons, such as how a lot of developers are unsatisfied with GnuPG’s API and that GnuPG can’t be used on iOS due to the GPL.

The developers also have major social and technical goals in mind for Sequoia. “The social goals are -- to create an inclusive environment in our project, it should be free software and -- community-centered,” says Neal.

(Video: Neal introducing the new OpenPGP library, Sequoia)

On the technical side, the team is taking a different approach. They are putting the library API first, and a command-line interface tool second. Neal says that the team “encourages” users to use the library. They also aim to create an API which is friendly, easy to use and supports all modern platforms such as Android, iOS, Mac, etc.

Let’s have a look at how Sequoia is built. Starting at the bottom level, we have the OpenPGP library, which provides the low-level interface. There are two services built on top of this library, namely the Sequoia network service (which helps with accessing keyservers) and Sequoia-store, which is used for accessing and storing public keys along with private keys.

(Image: Architecture of Sequoia)

On top of these three there is a Sequoia library, a high-level API. A Rust application can use this library directly; otherwise it can access the library via FFI (foreign function interface). Apart from this, the vision for Sequoia is “a nice OpenPGP implementation -- with focus on user development, and its community” says Neal. For more information on Sequoia, check out the official Sequoia documentation.
Microsoft Edge introduces Web Authentication for passwordless web security
Savia Lobo
01 Aug 2018
2 min read
Security over the web via passwords can be crucial as passwords are hard to memorize, easy to forget and can be easily phished or cracked. However, Microsoft Edge has recently made dealing with passwords a lot easier by introducing the Web Authentication specification. This new feature allows an improved and a more secure user experience along with a passwordless experience on the web. Using Web Authentication, Edge users can now sign in with their face, fingerprint, PIN, or portable FIDO2 devices. These methods leverage strong public-key credentials instead of passwords. Why go passwordless? Many users might still be skeptical of moving onto these methods. On the other hand, we allow most of the online websites (shopping, food ordering websites, and so on) to store our credit card numbers, our other sensitive information without any investigation. These credentials are hidden using just passwords; an outdated security model which can be easily hacked. Microsoft aims for a secure and passwordless experience on the web via advanced methods such as Windows Hello biometrics and creation of Web Authentication, an open standard for passwordless authentication. How does Web authentication work? Windows Hello allows users to authenticate without a password on any Windows 10 device. They can make use of biometrics like face and fingerprint recognition to log in to websites by a simple glance or use a PIN number to sign in. External FIDO2 security keys also work for authentication with a removable device and the user’s biometrics or PIN. There are still some websites which do not offer a complete passwordless model yet. For such websites, backward compatibility with FIDO U2F devices can act as a strong enough secondary security besides the password. At the RSA 2018 conference, Microsoft discussed how APIs shall be used to approve a payment on the web via one’s facial identity. 
To get started with Web Authentication in Microsoft Edge, install Windows Insider Preview build 17723 or higher to try out the updated feature. Read more about this feature in the Microsoft Web Authentication guide.
Chinese hackers use snail mails to send malware on board government PCs

Vijin Boricha
01 Aug 2018
3 min read
Cisco and Huawei recently suffered major breaches of their routers through two different methods: Cisco routers were compromised via backdoor accounts, while Huawei devices fell victim to a botnet. This year has been hard on big players targeted by modern attacks like Meltdown and Spectre. Who would have imagined a CD being the cause of a security breach in 2018? Yet this time the attackers took an old-school, and thoroughly unexpected, route to opening a backdoor into sensitive information.

Packages with China postmarks have ended up at several local and state government offices. Each envelope contained a rambling letter and a small CD. The letter ran to lengthy paragraphs about fireworks, parades, and the film industry without saying anything in particular, while the CD held a set of Word files containing script-based malware. The scripts were meant to run when a government official opened the documents on their computer, compromising that system. People tend to blunder when they are confused or curious, and the attackers knew exactly how to kick the victims’ curiosity and confusion into high gear.

So far, the State Department of Cultural Affairs, State Historical Societies, and State Archives have received these packages, addressed specifically to them. The MS-ISAC reports that the CDs contained Mandarin-language Microsoft Word (.doc) files, a few of which include malicious Visual Basic scripts. It is not clear whether anyone was tricked into inserting a disc into a government system. Common sense says you do not insert a random disc into your system, but common sense does not always prevail: a 2016 study found that 50% of people plugged in random USB devices they found in public places.
The choice of recipients looks odd, but perhaps the attackers are after a foothold where they will not be detected easily: the perfect spot from which to move quickly on to a bigger target. Human curiosity can lead to invention or to disaster, and in the security chain humans are considered the most delicate link. Not inserting an unknown storage device into your systems is obvious advice, yet here the attackers spent a little cash to reach victims still using CD-ROM drives in this modern age. For now, all state agencies can hope is that no one, by accident or out of curiosity, inserts discs or USB devices of unknown origin into government systems.
NetSpectre attack exploits data from CPU memory

Savia Lobo
31 Jul 2018
3 min read
After the recent SpectreRSB attack on Intel, AMD, and ARM CPUs, a group of security researchers has found a new Spectre variant in town, codenamed NetSpectre. They describe it in their paper, “NetSpectre: Read Arbitrary Memory over Network”. What sets NetSpectre apart, the researchers say, is that it can be launched over the network without requiring the attacker to host code on the targeted machine. It is a new remote side-channel attack related to Spectre variant 1.

https://twitter.com/misc0110/status/1022603751197163520

What does the NetSpectre attack do?

The new attack exploits speculative execution to perform a bounds-check bypass and can further be used to defeat address-space layout randomization on the remote system. This in turn allows the attacker to write and execute malicious code that extracts data from previously protected CPU memory, which may include sensitive information such as passwords, cryptographic keys, and much more. The researchers demonstrated the NetSpectre attack using an AVX-based covert channel, which allowed them to capture data from the target system at 60 bits per hour. They said, “Depending on the gadget location, the attacker has access to either the memory of the entire corresponding application or the entire kernel memory, typically including the entire system memory.” The remote attacker simply sends a series of request packets to the target machine and measures the response times to leak a secret value from the machine’s memory. The researchers said, “We verified that our NetSpectre attacks work in local-area networks as well as between virtual machines in the Google cloud.”

How to be safe?

Anyone who has already updated their code and applications to mitigate previous Spectre exploits need not worry about the NetSpectre attack.
The researchers describe state-of-the-art and network-layer countermeasures for NetSpectre in their paper, but they caution that, “as attackers can adapt and improve attacks, it is not safe to assume that noise levels and monitoring thresholds chosen now will still be valid in the near future.” Intel also recently paid a $100,000 bug bounty to a team of researchers who found and reported new processor vulnerabilities; these newfound Spectre variants were also related to Spectre variant 1. Intel has since included information on the NetSpectre attack in its updated white paper, ‘Analyzing potential bounds check bypass vulnerabilities’. Read more about the NetSpectre attack in the whitepaper.
Facebook must stop discriminatory advertising in the US, declares Washington AG, Ferguson

Sugandha Lahoti
26 Jul 2018
3 min read
Attorney General Bob Ferguson announced the day before yesterday (24th July 2018) that Facebook has been found guilty of providing discriminatory advertisements on its platform. The platform gave third-party advertisers the option to exclude ethnic and religious minorities, immigrants, LGBTQ individuals, and other protected groups from seeing their ads. If these groups cannot see the ads at all, they are deprived of the opportunities the advertisements offer.

Source: Office of the Attorney General

Following this verdict, Facebook has signed a legally binding agreement to change its advertising platform within 90 days. Under the agreement, Facebook will no longer give advertisers the option to exclude ethnic groups from ads for housing, credit, employment, insurance, and public accommodations, nor provide tools to discriminate on the basis of race, creed, color, national origin, veteran or military status, sexual orientation, or disability status.

The matter was first brought to light by ProPublica in 2016, when its reporters went undercover and bought multiple rental housing ads on Facebook from which certain categories of users were excluded. According to ProPublica, “Every single ad was approved within minutes.” The allegations were alarming enough that the AG’s office decided to investigate. It used the platform to create 20 fake ads that excluded one or more ethnic minorities from receiving the advertising. Despite these exclusions, Facebook’s advertising platform approved all 20 ads. “Facebook’s advertising platform allowed unlawful discrimination on the basis of race, sexual orientation, disability, and religion,” said Ferguson.
“That’s wrong, illegal, and unfair.” The Attorney General’s investigation found that the platform’s unlawful targeting options constituted unfair acts and practices, in violation of the state Consumer Protection Act and the Washington Law Against Discrimination. This led to a permanent, legally binding agreement intended to close all loopholes and prevent Facebook from offering discriminatory advertising in any form. However, Peter Romer-Friedman, a lawyer with Outten & Golden LLP, points out that the “agreement does nothing to address age discrimination or gender discrimination on Facebook”.

The agreement is legally binding in Washington state, but Facebook has agreed to change its platform nationwide. Apart from fixing its advertising platform within 90 days, Facebook must also pay the Washington State AG’s Office $90,000 in costs and fees. This is a win not just for the citizens of Washington state but for the whole United States, since Facebook has agreed to roll out its improved advertising options nationwide. For the rest of the world, though, it is a very small step. The ball is now in Facebook’s court: we will have to wait and see whether it proactively extends these policies worldwide, or whether the public and the law will have to hold Facebook accountable for the power its platform holds over the lives of its more than 2 billion users.
SpectreRSB targets CPU return stack buffer, found on Intel, AMD, and ARM chipsets

Savia Lobo
25 Jul 2018
4 min read
Attacks exploiting operating systems and applications have been on an exponential rise in recent times. One popular class of vulnerability is Spectre, which exploits the speculative execution mechanism employed in modern processor chips and has recently targeted Intel, AMD, and ARM. Assumed dead, the exploit has resurfaced as a new Spectre variant, SpectreRSB, which successfully exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses.

Spectre, first detected in January this year, has remained resilient. First came Spectre variant 1, which Dartmouth claimed to resolve using its ELFbac policy techniques. Next was Spectre variant 2, which Google fixed using Retpoline. Then followed the new data-stealing exploits Spectre 1.1 and 1.2, detected just two weeks ago by Vladimir Kiriansky and Carl Waldspurger. The most recent one in the headlines is SpectreRSB. This Spectre-class exploit was revealed by security experts from the University of California, Riverside (UCR), who detail the new attack method in a research paper published on arXiv, titled ‘Spectre Returns! Speculation Attacks using the Return Stack Buffer’.

What is SpectreRSB?

SpectreRSB relies on speculative execution, a feature found in most modern CPUs for optimizing computing performance. Because of the gap between the potential speed of a modern CPU and that of memory, the CPU executes speculatively to keep efficiency at its peak. To do so it runs instructions in batches, and once they are under way it does not check whether the memory accesses served from cache are touching privileged memory. That is precisely the window exploits use to attack the system. As per the UCR researchers, SpectreRSB takes a slight detour from other similar attacks such as Meltdown.
Rather than exploiting the branch predictor units or the CPU cache, SpectreRSB exploits the Return Stack Buffer (RSB). Researcher Nael Abu-Ghazaleh wrote, “To launch the attack, the attacker should poison the RSB (a different and arguably easier process than poisoning the branch predictor) and then cause a return instruction without a preceding call instruction in the victim (which is arguably more difficult than finding an indirect branch).” The paper says SpectreRSB also enables an attack against an Intel SGX (Software Guard Extensions) compartment: a malicious OS pollutes the RSB to cause a mis-speculation that exposes data outside the SGX compartment. This attack bypasses all software and microcode patches on the SGX machine.

How to defend against SpectreRSB?

The researchers state that they reported SpectreRSB to the companies whose CPUs use RSBs to predict return addresses: Intel, AMD, and ARM. AMD and ARM did not respond to Threatpost’s request for comment. An Intel spokesperson, however, told Threatpost by email, “SpectreRSB is related to branch target injection (CVE-2017-5715), and we expect that the exploits described in this paper are mitigated in the same manner.” The spokesperson added, “We have already published guidance for developers in the whitepaper, Speculative Execution Side Channel Mitigations. We are thankful for the ongoing work of the research community as we collectively work to help protect customers.” The UCR researchers, for their part, state that SpectreRSB cannot be prevented by prior known defenses such as Google’s Retpoline fix or Intel’s microcode patches. They do, however, point to an existing defense that mitigates SpectreRSB, known as RSB stuffing. RSB stuffing is already present on Intel’s Core i7 processors from the Skylake lineup onwards.
With RSB stuffing, also known as RSB refilling, every time there is a switch into the kernel the RSB is intentionally filled with the address of a benign delay gadget, so that any mis-speculation lands on that gadget rather than on a poisoned entry. Abu-Ghazaleh told Threatpost, “For some of the more dangerous attacks, the attack starts from the user code, but it's trying to get the OS to return to the poisoned address. Refilling overwrites the entries in the RSB whenever we switch to the kernel (for example, at the same points where the KPTI patch remaps the kernel addresses). So, the user cannot get the kernel to return to its poisoned addresses in the RSB.” Read more about SpectreRSB in its research paper.
Cisco and Huawei Routers hacked via backdoor attacks and botnets

Savia Lobo
23 Jul 2018
5 min read
In today’s world, organizations and companies go to great lengths to protect themselves from network breaches. Yet even a pinhole is enough for attackers to get into a system. Last week, routers from Cisco and Huawei were hacked by two separate groups using different methods: Cisco’s routers via backdoor accounts, Huawei’s via a much older, already known vulnerability.

An abnormal rise in Cisco router backdoors

In 2004 Cisco wrote the IETF proposal for a “lawful intercept” backdoor in its routers. The proposal stated that law enforcement could use the intercept to log in to routers remotely. These routers, sold to ISPs and other large enterprises, would allow law enforcement agents to wiretap IP networks, and the agents were supposed to gain such access only with a court order or other legal access request.

A backdoor is a type of malware that bypasses the normal authentication process for accessing a system or application. Some backdoors are legitimate and help, for instance, manufacturers recover lost passwords. But backdoors can also be used by attackers to access systems remotely without anyone on the system knowing.

Later, in 2010, an IBM security researcher stated that such a protocol would give malicious attackers easy access to take over Cisco IOS routers, and that the ISPs running those routers would end up hacked as well. Undocumented backdoors were subsequently discovered in 2013, 2014, 2015, and 2017. According to Tom’s Hardware, this year alone Cisco has recorded five different backdoors within its routers, each amounting to a security flaw in the company’s products. Here is the list of undocumented backdoors found, and when. March saw two of them.
The first was a hardcoded account with the username ‘cisco’, which would have allowed remote intrusion into more than 8.5 million Cisco routers and switches. The second was a hardcoded password in Cisco’s Prime Collaboration Provisioning (PCP) software, which is used for remote installation of Cisco voice and video products. May revealed another backdoor, in Cisco’s Digital Network Architecture (DNA) Center, which enterprises use to provision devices across a network. In June a backdoor account was found in Cisco’s Wide Area Application Services (WAAS), a software tool for traffic optimization in the Wide Area Network (WAN). The most recent backdoor, found this month, was in the Cisco Policy Suite, a software suite that lets ISPs and large companies manage a network’s bandwidth policies. Through this backdoor an attacker gets root access to the network with no mitigations against it, although Cisco has since patched it in a software update.

The question these incidents raise is whether the backdoors were created accidentally or planted by intruders. Either way, their recurrence does not paint a good picture of Cisco as a responsible, reliable, and trustworthy vendor for end users.

Botnet built in a day brings down Huawei routers

Researchers from NewSky Security spotted a new botnet last week which enslaved nearly 18,000 Huawei IoT devices within a day.

Botnets are huge networks of enslaved devices and can be used to perform distributed denial-of-service (DDoS) attacks, send malicious packets of data to a device, and remotely execute code.

The most striking feature of this huge botnet is that it was built within a day, using a previously known vulnerability, CVE-2017-17215.
The botnet was created by a hacker nicknamed Anarchy, says Ankit Anubhav, security researcher at NewSky Security. “It's painfully hilarious how attackers can construct big bot armies with known vulns,” Anubhav said. Other security firms, including Rapid7 and Qihoo 360 Netlab, also confirmed the existence of the new botnet after noticing a huge increase in scanning for Huawei devices. Anubhav states that the hacker revealed to him an IP list of victims, which has not been made public. He adds that the same code was released publicly in January this year and was used in the Satori and Brickerbot botnets, as well as in other botnets based on Mirai (Mirai botnets were used in 2016 to disrupt Internet services across the US on a huge scale). The NewSky researcher suspects that Anarchy may be the same hacker known as Wicked, who was linked to the creation of the Owari/Sora botnets. Moreover, Anarchy/Wicked told the researcher that they also plan to start scanning for the Realtek router vulnerability CVE-2014-8361 in order to enslave more devices. After such a warning from the hacker himself, what new security measures will be taken? Read more about this Huawei botnet attack on ZDNet.
Machine learning based Email-sec-360° surpasses 60 antivirus engines in detecting malicious emails

Savia Lobo
20 Jul 2018
3 min read
Email is the traditional, primary, and most vital channel of communication within business organizations. Emails hold minutes of important discussions, confidential documents as attachments, high-profile business contact details, and much more. Hence, hackers and intruders often use email as a medium for delivering dangerous content to a victim, via attachments or links to malicious websites. Companies around the world go to great effort to detect malicious content in their communication channels by setting up robust antivirus firewalls. But how secure are they? Many choose antivirus engines on popularity rather than performance. The myth that the best-known antivirus packages give you the best security is now debunked by Email-sec-360°, which, according to Phys Org, surpasses 60 other popular antivirus packages.

Email-sec-360° was developed by Aviad Cohen, a Ph.D. student and researcher at the Ben-Gurion University of the Negev (BGU) Malware Lab. It detects unknown malicious emails much more accurately than popular antivirus products such as Kaspersky, McAfee, and Avast.

Email-sec-360° vs other popular antivirus engines

Present antivirus engines use rule-based methods to analyze specific sections of an email and often overlook the other parts. Dr. Nir Nissim, head of the David and Janet Polak Family Malware Lab at Cyber@BGU, stated that existing antivirus engines use signature-based detection, which is at times insufficient for detecting new and unknown malicious emails. Email-sec-360°, by contrast, is based on machine learning methods and leverages 100 general descriptive features extracted from all email components: the header, the body, and the attachments. Another notable property of the method is that it does not require internet access, so it provides seamless real-time threat detection and can be easily deployed by any individual or organization.
A well-experimented approach by the Malware Lab

The researchers used a collection of 33,142 emails, comprising 12,835 malicious and 20,307 benign emails obtained between 2013 and 2016. They then compared their detection model with 60 industry-leading antivirus engines as well as with previous research, and found that their system outperformed the next best antivirus engine, Cyren, by around 13 percent.

BGU’s Malware Lab method vs the others

BGU’s Malware Lab plans to extend the method to include research and analysis of attachments (PDFs and Microsoft Office documents) within Email-sec-360°, Dr. Nissim adds, “since these are often used by hackers to get users to open and propagate viruses and malware.” They also plan to develop an online system that evaluates the security risk posed by an email message. Based on advanced machine learning methods, it would let users submit suspicious email messages and quickly obtain a maliciousness score, recommend how to treat the email, and help collect benign and malicious emails for research purposes. Read more about Email-sec-360° in the Phys Org blog post.