Tech News - Cybersecurity

A few days ago, the Entertainment Software Association accidentally leaked a spreadsheet including personal information of about 2,025 games industry journalists, content creators, video producers on its E3 ( Electronic Entertainment Expo) website making it publically available.  The information including details such as names, publications, home addresses, email addresses, and phone numbers was captured when they registered for E3. Hackers or bad actors can use this information to harass journalists or investors. The existence of this spreadsheet was first reported by a journalist, Sophia Narwitz who posted it on her personal YouTube channel on Friday, August 2. In the video, Narwitz described, “On the public E3 website was a web page that carried a link simply titled ‘Registered Media List.’ Upon clicking the link, a spreadsheet was downloaded that included the names, addresses, phone numbers, and publications of over 2,000 members of the press who attended E3 this past year.” ESA told VentureBeat, “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.” Narwitz tweeted, a group of journalists has been focusing on discrediting her, “Given that the ESA just caused a lot of suffering for many game journalists, I actually hate being on the offensive here, but the way folks in the media are lying about me and trying to bury me, it makes me really wanna scream about their lack of ethics.” https://twitter.com/Grummz/status/1157882288631246848 Although the E3 website is updated and the link to the spreadsheet no longer exists, a cached version of the site does “show a link titled “Registered Media List” used to appear on a “Helpful Links” page. For some time yesterday, even after this page was removed, clicking on the link in the easily-accessible Google cached version of the page would download the spreadsheet from the E3 website’s servers,” states Kotaku, a video game website and blog. ESA, in a statement, to GamesIndustry.biz said, it provides “ESA members and exhibitors a media list on a password-protected exhibitor site so they can invite you to E3 press events, connect with you for interviews, and let you know what they are showcasing. For more than 20 years there has never been an issue.” This accidental leak has serious potential to impact ESA’s image given that E3 is a prestigious event that companies pay the organization a lot of money to show up to. Also, “the ESA website was likely also accessible from Europe, and it contained info for European members of the press. That could turn this into a GDPR (General Data Protection Regulation) issue,” VentureBeat reports.  Users and gamers who attended E3 are disappointed and angry over ESA “accidental leak”. Some users say ESA should have been careful about their security measures and taken precautions to keep personal information of thousands of journalists. https://twitter.com/Dom_Pepin/status/1157772465445179392 Nathan Ditum, an Editor at a Playstation Access, attended the E3 this year, tweeted “Many journalists and content creators are freelancers and work from home addresses. This leak isn't just clumsy, it's a real cause for concern.” https://twitter.com/NathanDitum/status/1157744239045988353 A content creator with the handle @Parris tweeted he is “getting random texts saying they have my personal info, including my home address and putting my family at risk.” https://twitter.com/vicious696/status/1157642132779237377 A gaming news commentator at SDGC tweeted, “The ESA's carelessness and negligence has put the private information of thousands of games media employees in the hands of harassers.” https://twitter.com/DerekOfTheD/status/1157500146189553664 A user on Reddit writes, “There's a legitimate question of whether there will even be an E3 next year after this. Because there's absolutely no question that the ESA is getting sued heavily over this. Especially since European journalists are on this. Which means the ESA's going to be subject to GDPR. It's hard to really overstate how potentially devastating this is going to be for them.” Another Reddit user writes, “What's unforgivable is at this point, things like this have happened so many times and you still have people who refuse to take their security seriously and double-check their work. It's just negligent at this point.” https://twitter.com/Futterish/status/1157751307131924481 GDPR complaint in EU claim billions of personal data leaked via online advertising bids Hacker destroys Iranian cyber-espionage data; leaks source code of APT34’s hacking tools on Telegram Unprotected Elasticsearch database exposes 2 billion user records from smart home devices

A few days ago, researchers from Positive technologies discovered flaws in Visa contactless cards, which allow hackers to bypass the payment limits. This research was conducted by two of Positive technologies’ researchers: Leigh-Anne Galloway, Cyber Security Resilience Lead and Tim Yunusov, Head of banking security. The attack was tested with “five major UK banks where it successfully bypassed the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal”, the researchers mentioned. They added that the contactless Visa card vulnerability is possible on cards outside the UK as well. How to exploit this contactless Visa card vulnerability? The attack manipulates two data fields that are exchanged between the card and the terminal during a contactless payment. “Predominantly in the UK, if a payment needs an additional cardholder verification (which is required for payments over 30 pounds in the UK), cards will answer "I can’t do that," which prevents against making payments over this limit,” the researchers said. Next, the terminal uses country-specific settings, which demand that the card or mobile wallet provide additional verification of the cardholder, such as through the entry of the card PIN or fingerprint authentication on the phone. The attack could bypass both these checks using a device that intercepts communication between the card and the payment terminal. This device acts as a proxy thereby conducting a man in the middle (MITM) attack. “This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification,” the researchers say. “The attack can also be done using mobile wallets such as GPay, where a Visa card has been added to the wallet. Here, it is even possible to fraudulently charge up to £30 without unlocking the phone,” Positive Technologies mention in their post. One of the researchers, Yunusov said, "The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing. While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers." A hacker can easily conduct a cardless attack Forbes explains, criminals, for instance, could take a payment from a card when the user wasn’t looking with their own mobile payments machine (though a malicious merchant would eventually be caught by banks’ fraud systems if they used the same terminal). They could even take a payment reading from a credit card using their mobile phones and send the data to another phone and make a payment on that second device going beyond the limit, the researchers claimed. “For the hack to work, all the fraudsters need is to be close to their victim,” Forbes mentions. “So that means if you found someone’s card or if someone stole your card, they wouldn’t have to know your PIN, they wouldn’t have to impersonate your signature, and they could make a payment for a much higher value,” Galloway said. According to UK Finance, fraud on contactless cards and devices increased from £6.7 million in 2016 to £14 million in 2017. £8.4 million was lost to contactless fraud in the first half of 2018. Researchers suggest that additional security should be provided by the bank issuing cards and shouldn’t rely on Visa to provide a secure protocol for payments. “Instead, issuers should have their own measures in place to detect and block this attack vector and other payment attacks,” the researchers say. Galloway says, “It falls to the customer and the bank to protect themselves. While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion.” “Because of this, we can expect to see contactless fraud continue to rise. Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard. Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless,” she further adds. In the U.S., contactless card transactions are relatively rare, with only about 3 percent of cards falling into this category, CNBC reports. Researchers say the limits attackers can withdraw will differ in different countries. In the UK, they were able to make payments of £100 without any detection. Galloway says, for instance, in the U.S., it’s considerably higher at $100. What measures is Visa taking to prevent this kind of contactless fraud? Surprisingly, the company was not alarmed by this situation. In fact, Forbes reports that Visa wasn’t planning on updating their systems anytime soon. “One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer. Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world,” a Visa spokesperson told Forbes. The company also said it was continually working on improving its fraud detection tech. https://twitter.com/a66ot/status/1155793829443842049 To know more about this news in detail, head over to Positive technologies’ official post. A vulnerability found in Jira Server and Data Center allows attackers to remotely execute code on systems VLC media player affected by a major vulnerability in a 3rd library, libebml; updating to the latest version may help A zero-day vulnerability on Mac Zoom Client allows hackers to enable users’ camera, leaving 750k companies exposed

Earlier this month Harry Garrood, a PureScript maintainer found that PureScript’s npm installer is infected by some malicious code. Though the issue is now addressed, developers are recommended to update the installer as soon as possible. Which dependencies of the PureScript npm installer were infected Garrood got suspicious when some developers started submitting an issue on the GitHub repository of PureScript’s npm installer saying that it gets stuck during installation. He found that the code was added to various dependencies of the installer, specifically the ones that were maintained by @shinnn, the original author of the PureScript npm installer. It was first inserted into the load-from-cwd-or-npm (version 3.0.2) npm package and later into the rate-map (version 1.0.3) npm package. @shinnn and the maintainers of rate-map and load-from-cwd-or-npm said that the malicious code was published by an attacker who gained access to their npm account. The purpose of this code was to sabotage the PureScript npm installer to prevent the download from completing. This halted the installer during the “Check if a prebuilt binary is provided for your platform” step. In the first attempt of this exploit, the ‘load-from-cwd-or-npm’ package was infected so that any call to the ‘loadFromCwdOrNpm()’ method would return a ‘PassThrough’ stream instead of the expected package. In the second attempt, a more advanced version of the exploit was done by modifying the source file of ‘rate-map’ to prevent a download callback from firing. The resolution and next steps All the dependencies maintained by @shinnn as of v0.2.5 are now dropped. Also, all the previous versions of the PureScript installer are now marked as deprecated. If you have installed any version of PureScript npm package prior to 0.13.2, you will still be downloading packages maintained by @shinnn. It is recommended that you update the installer as soon as possible. Npm has also removed both ‘load-from-cwd-or-npm@3.0.2’ and ‘rate-map@1.0.3’ from the registry. Garrood further suggests, “If you want to be absolutely sure you do not have malicious code on your machine, you should delete your node_modules directories and your package-lock.json files, and set a lower bound of 0.13.2 on the purescript package.” This news triggered a discussion on Hacker News. While some think that the community etiquette is here to blame, others believe that npm packages can be easy targets of such attacks. A user commented, “This is not the first time this year we see an npm issue, and it could have been much worse than this. All package managers, in general, create risks, but how the community etiquette evolves around package managers is just as important. Something is wrong with the latter here.” Another user added, “Part of the problem is the bounty for attacking NPM packages is high. You get a high profile exploit and lots of people talking about it, or you can even get some of your evil JS code running on thousands of sites on the back end or the front end. Compounded by the fact there is no decent base class library for JS like you'd get for .NET [0]. Want to do anything you could do by default with .NET BCL? Like open a url, save a file (with nice api) or parse some XML? Then npm i ... it is. And hope it doesn't pull in an exploit. As a mitigation I recommend people consider writing their own code (NIH) for simple stuff not npm i all the things. [0] I'm comparing to .NET but same could be said of Java/Python/Ruby etc.” To know more in detail, check out Garrood’s blog post. Is the Npm 6.9.1 bug a symptom of the organization’s cultural problems? Surprise NPM layoffs raise questions about the company culture npm Inc. announces npm Enterprise, the first management code registry for organizations

Yesterday, a ransomware virus affected City Power Johannesburg, the electricity distributor for some parts of South Africa’s capital city. City Power notified citizens via Twitter that the virus has encrypted all its databases, applications and network and that the ICT team is trying to fix the issue. https://twitter.com/CityPowerJhb/status/1154277777950093313 Due to the attack, City Power’s website was restraining users from lodging a complaint or purchasing pre-paid electricity. https://twitter.com/CityPowerJhb/status/1154278402003804160 The city municipality, owners of the City Power, tweeted, it also “affected our response time to logged calls as some of the internal systems to dispatch and order material have been slowed by the impact”. Chris Baraniuk, a freelance science and technology journalist, tweeted, “The firm tells me more than 250,000 people would have had trouble paying for pre-paid electricity, potentially leaving them cut off”. City Power hasn’t yet released information on the scale of the impact. The ransomware attack occurs amidst existing power outages According to iAfrikan, the ransomware attack struck the city while it was “experiencing a strain on the power grid due to increased use of electricity during Johannesburg's recent cold winter weather”. The strain on the grid has resulted in multiple power outages in different parts of the city. According to Bleeping Computers, Business Insider South Africa reported that an automated voice message on City Power's phone helpline said, "Dear customers, please note that we are currently experiencing a problem with our prepaid vending system. We are working on this issue and hope to have it resolved by one o'clock today (25 July 2019)". The city municipality tweeted yesterday, “most of the IT applications and networks that were affected by the cyberattack have been cleaned up and restored.” The municipality apologized for their inconvenience and assured the customers that none of their details were compromised. https://twitter.com/CityPowerJhb/status/1154626973056012288 Many users have raised requests tagging the municipality and the electricity distribution board on Twitter. City Power replied, “Technicians will be dispatched to investigate and work on restorations”. Later it tweeted asking them to cancel their request and that the power had been restored. https://twitter.com/GregKee/status/1154397914191540225 A recent tweet today at 10:47 am (SAST) from the City Power says, “Electricity supply points to be treated as live at all times as power can be restored anytime. City Power regrets any inconvenience that may be caused by the interruption”. https://twitter.com/CityPowerJhb/status/1154674533367988224 Luckily, City Power Johannesburg escaped from paying a ransom Ransomware attack blocks the company’s or individual’s system until a huge ransom--in a credit or in Bitcoin--is paid to the attackers to relieve their systems. According to Business Insider South Africa, attackers usually convert the whole information with the databases into “gibberish, intelligible only to those with the right encryption key. Attackers then offer to sell that key to the victim, allowing for the swift reversal of the damage”. There have been many instances in this year and Johannesburg has been lucky enough to escape from paying a huge ransom. Early this month, a Ryuk ransomware attack encrypted Lake City’s IT network in the United States and the officials had to approve a huge payment of nearly $500,000 to restore operations. Similarly, Jackson County officials in Georgia, USA, paid $400,000 to cyber-criminals to resolve a ransomware infection. Also, La Porte County, Indiana, US, paid $130,000 to recover data from its encrypted computer systems. According to The Next Web, the “ever-growing list of ransomware attacks has prompted the United States Conference of Mayors to rule that they would not pay ransomware demands moving forward.” Jim Trainor, who formerly led the Cyber Division at FBI Headquarters and is now a senior vice president in the Cyber Solutions Group at risk management and insurance brokerage firm Aon, told CSO, “I would highly encourage a victim of a ransomware attack to work with the FBI and report the incident”. The FBI “strongly encourages businesses to contact their local FBI field office upon discovery of a ransomware infection and to file a detailed complaint at www.ic3.gov”. Maintaining good security habits is the best way to deal with ransomware attacks, according to the FBI. “The best approach is to focus on defense-in-depth and have several layers of security as there is no single method to prevent compromise or exploitation,” they tell CSO. To know more about the City Power Johannesburg ransomware attack in detail, head over to The Bleeping Computer’s coverage. Microsoft releases security updates: a “wormable” threat similar to WannaCry ransomware discovered Atlassian Bitbucket, GitHub, and GitLab take collective steps against the Git ransomware attack Anatomy of a Crypto Ransomware

A few days ago, a German security agency CERT-Bund revealed it had found a Remote Code Execution (RCE) flaw in the popular open-source, VLC Media Player allowing hackers to install, modify, or run any software on a victim’s device without their authority and could also be used to disclose files on the host system. The vulnerability (listed as CVE-2019-13615) was first announced by WinFuture and received a vulnerability score of 9.8 making it a "critical" problem. According to a release by CERT-Bund, “A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.” According to Threat Post, “Specifically, VLC media player’s heap-based buffer over-read vulnerability exists in mkv::demux_sys_t::FreeUnused() in the media player’s modules/demux/mkv/demux.cpp function when called from mkv::Open in modules/demux/mkv/mkv.cpp.” VLC is not vulnerable, VideoLAN says Yesterday, VideoLAN, the makers of VLC, tweeted that VLC is not vulnerable. They said, “the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.” https://twitter.com/videolan/status/1153963312981389312 VideoLAN said a reporter, opened a bug on their public bug tracker, which is outside of the reporting policy and should have mailed in private on the security alias. “We could not, of course, reproduce the issue, and tried to contact the security researcher, in private”, VideoLAN tweeted. VideoLAN said the reporter was using Ubuntu 18.04, an old version of Ubuntu and “clearly has not all the updated libraries. But did not answer our questions.” VideoLAN says it wasn’t contacted before the CVE was issued VideoLAN is quite unhappy that MITRE Corp did not approach them before issuing a CVE for the VLC vulnerability, which is a direct violation of MITRE’s own policies. Source: CVE.mitre.org https://twitter.com/videolan/status/1153965979988348928 When VideoLAN complained and asked if they could manage their own CVE (like another CNA), “we had no answer and @usnistgov NVD told us that they basically couldn't do anything for us, not even fixing the wrong information”, they tweeted. https://twitter.com/videolan/status/1153965981536010240 VideoLAN said even CERT Bund did not contact them for clarifications. They further added, “So, when @certbund decided to do their "disclosure", all the media jumped in, without checking anything nor contacting us.” https://twitter.com/videolan/status/1153971024297431047 The VLC CVE on the National Vulnerability Database has now been updated. NVD has downgraded the severity of the issue from a Base Score of 9.8 (critical) to 5.5 (medium). Also, the changelog specifies that the “Victim must voluntarily interact with attack mechanism.” Dan Kaminsky, an American security researcher, tweeted, “A couple of things, though: 1) Ubuntu 18.04 is not some ancient version 2) Playing videos with VLC is both a first-class user demand and a major attack surface, given the realities of content sourcing.  If Ubuntu can't secure VLC dependencies, VLC probably has to ship local libs.” https://twitter.com/dakami/status/1154118377197035520 Last month, VideoLAN fixed two high severity bugs in their security update for the VLC media player. The update included fixes for 33 vulnerabilities in total, of which two were marked critical, 21 medium and 10 rated low. Jean-Baptiste Kempf, president of VideoLAN and an open-source developer, wrote, “This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the Free and Open Source Software Audit (FOSSA) program”. To know more about this news in detail, you can read WinFuture’s blog post. The EU Bounty Program enabled in VLC 3.0.7 release, this version fixed the most number of security issues A zero-day vulnerability on Mac Zoom Client allows hackers to enable users’ camera, leaving 750k companies exposed VLC’s updating mechanism still uses HTTP over HTTPS

Security these days is a major concern for all organizations dealing with user data. We have newer apps being developed daily, crunching in user data to provide users with better services, great deals, discounts, and much more. Application security has become one of the top priorities and needs to be taken care of at every stage of software development. Hence, over the years software testing has shifted from testing just before release to testing during the early stages of the software development lifecycle (SDLC). This helps developers to discover vulnerabilities during early stages and to tackle them easily with lesser efforts.  A recent report from WhiteSource, an open-source security and license compliance management platform, highlights how developers should be in charge of application security and how organizations are investing heavily to produce secure code. The development team should be in charge of software security According to a Whitesource report, “for the day-to-day operational responsibility for application security with 71% of the respondents stating the ownership lies in the software development side, whether it is by the DevOps teams, the development team leaders or the developers themselves.” This is because fixing the vulnerability in the development or coding phase produces better-secured applications. And, if these are handled by development teams, security teams can focus on other bigger security aspects for the organization, on the whole. In comparison to the previous waterfall method where software testing was done before the release, after adopting a DevOps approach, the testing has moved to early phases to avoid bottlenecks at a later stage.  Whitesource report says, “the 36% of organizations have moved past the initial implementation at testing at the build stage and are starting to integrate security testing tools at earlier points in the SDLC like the IDE and their repositories”. How are organizations investing in secure code? It is possible for a vulnerability to escape the final test rounds and affect users after being released in the market. This can bring in customer dissatisfaction, bad reviews towards the application, customer loss, and many other disadvantages. In such cases, organizations are trying their best to resolve vulnerabilities by testing tools, training, and time spent on handling security vulnerabilities, the Whitesource report says. “Along with training, developers are tooling up with a range of application security testing (AST) technologies with 68% of developers reporting using at least one of the following technologies: SAST, DAST, SCA, IAST or RASP”, the report says. For organizations that are working with DevOps, the question is not if they should integrate automated tools into their pipeline, but which ones should they adopt first. [box type="shadow" align="" class="" width=""] Static Application Security Testing (SAST) is also known as “white-box testing” and allows developers to know about security vulnerabilities in the application source code earlier in SDLC. Dynamic Application Security Testing (DAST) also known as “black-box testing” helps to find security vulnerabilities and weaknesses in a running application(web apps). Interactive Application Security Testing (IAST) combines static and dynamic techniques to improve testing. According to Veracode, IAST analyzes code for security vulnerabilities while the app is run by an automated test, human tester, or any activity “interacting” with the application functionality. Run-time Application Security Protection (RASP) lets an app run continuous security checks on itself and respond to live attacks by terminating an attacker’s session and alerting defenders to the attack. [/box] Security in the development phase, an added task for developers With the help of such technologies (SAST, DAST, SCA, IAST or RASP), issues can be notified before and after production, thus, adding visibility to the application’s security and also enable teams to be proactive. However, the issue may be constantly thrown at the developers which they will have to research and remediate. “It is unreasonable to ask developers to handle all security alerts, especially as most application security tools are developed for security teams focused on coverage (detecting all potential issues), rather than accuracy and prioritization”, the Whitesource team mentions. The report states, “Developers claim that they are spending a considerable amount of their time on dealing with remediations, with 42% reporting that they spend between 2 to 12 hours a month on these tasks, while another 33% say that they spend 12 to 36 hours on them.” How can developers ensure security while choosing their open-source component? Developers said they check for known vulnerabilities when they choose an open-source component. This ensures “their open source components are secure from the earliest stages of development”. The Whitesource team shows a graph where survey “respondents from North America (the U.S. and Canada) showed a higher level of awareness to check the vulnerability status of the open-source components that they were choosing.” For the Europeans though, open source compliance rated higher on their priorities. On asking respondents how their organization detects vulnerable open source components in their applications,  34% of them said they have tools that continuously detect open source vulnerabilities in their applications 28% of them use a code scanner to review software once or twice a year 14% manually check for open source vulnerabilities, but only for the high severity ones 24% said the security team notifies them Once developers discover the known vulnerability in their product they need to find a quick and effective path to remediating it. Most of them turn first to GitHub’s Security Alerts tool for help, Whitesource reports. The graph below shows other free security tools in the market similar to GitHub.  Detection vs Remediation of vulnerabilities Developers take a more proactive approach to detect vulnerabilities. However, the same isn’t applicable when it comes to vulnerability remediation. “25% of developers only report on detected vulnerabilities and 53% are taking actions only in specific cases,” the report states. “Developers are investing many hours is research and remediation so why aren’t we seeing more developers taking action? The reason probably lies in the fact that most application security tools' main goal is to detect, alert and report.” We cannot just blame developers if there is a vulnerability found. They also need to have the same quality of tools that speeds up the process for vulnerability remediation. Talking about manual processes, they are time-consuming and require a certain amount of skill set, which are certain challenges faced.  Whitesource concludes that next-generation application security tools will be those that are developer-focused, closing the loop from detecting of an issue, all the way through validation, research, and remediation of the issue. To know about this survey in detail, read Whitesource Developer security report. Kazakhstan government intercepts nationwide HTTPS traffic to re-encrypt with a govt-issued root certificate – Cyber-security or Cyber-surveillance? “Why was Rust chosen for Libra?”, US Congressman questions Facebook on Libra security design choices Introducing Abscissa, a security-oriented Rust application framework by iqlusion

On March 8, this year, an American Cloud computing firm, Citrix revealed a data breach occurrence where international cybercriminals gained access to its internal network. The FBI informed the company about this incident on March 6. Soon after the incident was reported by the FBI, Citrix initiated a forensic investigation while securing their network. Today, the company announced they have concluded the investigation and shared a report of their findings and their future plan of action to improve security. Post the incident, Eric Armstrong, Citrix’s Vice President of Corporate Communications updated the users on the investigation twice--on April 4 and May 24--before releasing the final report today. Attackers used ‘Password Spraying’ technique to exploit weak passwords In both the updates, Armstrong said they have identified password spraying, a technique that exploits weak passwords, to be the likely method used for the data breach. He said the company had also performed a forced password reset throughout the Citrix corporate network and improved internal password management protocols. Based on the ongoing investigation, Armstrong revealed they have found no evidence that the threat actors discovered or exploited any vulnerabilities within Citrix products or services to gain entry. Also, they found no evidence of compromise of the customer cloud service. Investigation reveals criminals were lurking for “six months” within Citrix internal system In their final report, Citrix revealed that the cybercriminals accessed their internal network between October 13, 2018, and March 8, 2019, and stole business documents and files from a company shared network drive, which was used to store current and historical business documents. They also accessed a drive associated with a web-based tool, which was used by Citrix for consulting purposes. The investigation also speculates that the criminals may have “accessed the individual virtual drives and company email accounts of a very limited number of compromised users and launched without further exploitation a limited number of internal applications”, David Henshall, President and CEO, Citrix writes. “Importantly, we found no compromise or exfiltration beyond what has been previously disclosed,” he further added. Citrix was also warned by Resecurity before the FBI When the data breach incident was revealed on March 8, on Citrix’s official website, security firm Resecurity wrote that it had warned Citrix of the data attack on December 28th, 2018. Resecurity also mentioned that the attack may have been caused by the Iranian group called "IRIDIUM" and also mentioned "at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement." On March 6, when the FBI contacted Citrix, “they had reason to believe that international cybercriminals gained access to the internal Citrix network”, Stan Black, Citrix's chief security and information officer wrote on the blog post. Henshall says, “The cybercriminals have been expelled from our systems”. Experts are having a close look at the documents that may have been accessed or stolen during the incident. “We have notified, or shortly will notify, the limited number of customers who may need to consider additional protective steps”, Henshall said. Along with performing a global password reset and improving internal password management, Citrix has: improved its firewall logging, extended its data exfiltration monitoring capabilities, removed internal access to non-essential web-based services, and disabled non-essential data transfer pathways, The company has also deployed FireEye’s endpoint agent technology across its systems for continuous monitoring of the system. Although Resecurity revealed that 6TB data might have been compromised, the company has not shared information on how many users were affected during this breach but they have assured they will notify those who need to take additional protection. To know more about this news in detail, read Citrix’s official blog post. Getting Started – Understanding Citrix XenDesktop and its Architecture British Airways set to face a record-breaking fine of £183m by the ICO over customer data breach US Customs and Border Protection reveal data breach that exposed thousands of traveler photos and license plate images

Update: On August 6, 2019, TSARKA, a cyberattack prevention body in Kazakhstan, announced that those who have established the National Certificate may delete it since it will no longer be needed. "Officials explained that it was happening because of the new security system's testing," TSAR mentioned. TSAR was officially informed that the tests were completed, all the tasks set during the pilot were successfully solved.  However, they further said, "the need for its installation may arise in cases of strengthening the digital border of Kazakhstan within the framework of special regulations." On Wednesday, July 17, 2019, the Kazakhstan government started intercepting internet traffic within its borders. The government further instructed all the ISPs to force their users to install a government-issued root certificate by Quaznet Trust Network on all devices and in every browser. With the help of this security root certificate, the local government agencies will be able to decrypt users’ HTTPS traffic, sneak into their content, re-encrypt it with the government’s own certificate, and later send it to its destination; thus allowing for the possibility of a nation-wide man-in-the-middle (MITM) attack. Since Wednesday, all internet users in Kazakhstan have been redirected to a page instructing users to download and install the new certificate, be it in their desktops or on their mobile devices. Why is the Kazakhstan government forcing citizens to install the root certificate? A local media, Tengrinews.kz reported, the Kazakh Ministry of Digital Development, Innovation and Aerospace said only internet users in Kazakhstan's capital of Nur-Sultan will have to install the certificate; however, users from all across the country reported being blocked from accessing the internet until they installed the government's certificate. Olzhas Bibanov, head of public relations service at Tele2 Kazakhstan, said, "We were asked by authorized bodies to notify Nur-Sultan's subscribers about the need to establish a security certificate”. In an announcement sent to the local ISPs the government said the introduction of the root certificate was due to “the frequent cases of theft of personal and credentials, as well as money from bank accounts of Kazakhstan”. The government in the announcement mentioned, “The introduction of a security certificate will help in the protection of information systems and data, as well as in identifying hacker cyber attacks of Internet fraudsters on the country's information space systems, private, including the banking sector, before they can cause damage. (...) In the absence of a security certificate on subscriber devices, technical limitations may arise with access to individual Internet resources". The government further assured the tool “will become an effective tool to protect the country's information space from hackers, Internet fraudsters and other types of cyber threats.'' The Kazakh government has tried unsuccessfully before to get its root certificate implemented Similar to current situation, in December 2015, the government tried their first attempt to force Kazakh users to install the root certificate. The government also sent across a notice to all users warning to install the certificate by January 1, 2016. “The decision was never implemented because the local government was sued by several organizations, including ISPs, banks, and foreign governments, who feared this would weaken the security of all internet traffic (and adjacent business) originating from the country”, ZDNet reports. The Kazakh government approached Mozilla to include their root certificate into their Firefox by default. However, Mozilla declined their proposal. How can users ensure their safety from their own government? If users do not wish to install such a certificate that puts their personal data at risk, they can try encrypting their internet traffic themselves or avoid the installation of this certificate. One way is, by switching to Linux as according to the announcement, Linux users are exempted from downloading this certificate. “[…] the installation of a security certificate must be performed from each device that will be used to access the Internet (mobile phones and tablets based on iOS / Android, personal computers and laptops based on Windows / MacOS).” Eugene Ivanov, a member of the Mozilla team says, “I think both Mozilla and Google should intervene into this situation because it can create a dangerous precedent, nullifying all the efforts of enforcing HTTPS. If Kazakhstan will succeed, more and more governments (eg. Russian Federation, Iran, etc.) will start global MITM attacks on their citizens and this is not good. I think all CAs used for MITM attacks should be explicitly blacklisted both by Mozilla and Google to exclude even [the] possibility of such attacks.” The government claims that installing the certificate is entirely voluntary. However, a user on HackerNews adds to this claim saying, “Technically yes, installing the certificate is voluntary; it's just that if you don't install it you won't be able to access the internet anymore when the government starts MITMing your connections”.  This is possible.  The government can take strict measures, which may not be in favour of the public and in turn force them to indirectly and involuntarily handover their personal data In such cases people are highly dependent on browsers such as Firefox, Google, to fight for their rights. A Kazakhstan user writes on HackerNews, “Banning this certificate or at least warning the users against using it WILL help a lot. Each authoritarian regime is authoritarian in its own way. Kazakhstan doesn't have a very strong regime, especially since the first president resigned earlier this year. When people protest strongly against something, the government usually backs down. For example, a couple of years ago the government withdrew their plans of lending lands to foreign governments after backlash from ordinary people. If Kazakhs knew about the implications of installing this certificate, they would have been on the streets already.” The user further adds, “If Firefox, Chrome and/or Safari block this certificate, the people will show their dissatisfaction and the law will be revoked. Sometimes the people in authoritarian countries need a little bit of support from organizations to fight for their rights. I really hope the browser organizations would help us here.” Browser organizations are having a discussion to come up with a plan of action to deal with sites that have been (re-)encrypted by the Kazakh government's root certificate. However, nothing is yet officially disclosed. We will update this page on further updates to this news. Read Google’s discussion group to know more about this news in detail. An attack on SKS Keyserver Network, a write-only program, poisons two high-profile OpenPGP certificates Firefox releases v66.0.4 and 60.6.2 to fix the expired certificate problem that ended up disabling add-ons Apple revoked Facebook developer certificates due to misuse of Apple’s Enterprise Developer Program; Google also disabled its iOS research app

On Tuesday, one of Microsoft’s former employees, Volodymyr Kvashuk, 25, was arrested for attempting to steal $10 million worth of digital currency from Microsoft. “If convicted of mail fraud, the former Microsoft software engineer could face as much as 20 years in prison and a $250,000 fine”, The Register reports. Kvashuk, a Ukranian citizen residing in Renton, Washington was hired by Microsoft in August 2016 as a contractor till June 2018. He was a part of Microsoft’s Universal Store Team (UST) with a duty to handle the company's e-commerce operations. Sam Guckenheimer, product owner for Azure DevOps at Microsoft, back in 2017,  said the UST "is the main commercial engine of Microsoft with the mission to bring One Universal Store for all commerce at Microsoft.” He further explained, "The UST encompasses everything Microsoft sells and everything others sell through the company, consumer and commercial, digital and physical, subscription and transaction, via all channels and storefronts". According to the prosecution’s complaint report, filed in a US federal district court in Seattle, the UST team was assigned to make simulated purchases of products from the online store to ensure customers could make purchases without any glitches. The test accounts used to make these purchases were linked to artificial payment devices (“Test In Production” or “TIP” cards) that allowed the tester to simulate a purchase without generating an actual charge. The program was designed to block the delivery of physical goods. However, no restrictions or safeguards were placed to block the test purchases of digital currency i.e. “Currency Stored Value” or “CSV”, which could also be used to buy Microsoft products or services. Kvashuk fraudulently obtained these CSVs and resold them to third parties, which reaped him over $10,000,000 in CSV and also some property from Microsoft. Kvashuk bought these CSVs by disguising his identity with different false names and statements. According to The Register, “The scheme supposedly began in 2017 and escalated to the point that Kvashuk, on a base salary of $116,000 per year, bought himself a $162,000 Tesla and $1.6m home in Renton, Washington”. Microsoft's UST Fraud Investigation Strike Team (FIST) noticed an unexpected rise in the use of CSV to buy subscriptions to Microsoft's Xbox gaming system in February 2018. By tracing the digital funds, the investigators found out that these were resold on two different websites, to two whitelisted test accounts. FIST then traced the accounts and transactions involved. With the assistance of the US Secret Service and the Internal Revenue Service, investigators concluded that Kvashuk had defrauded Microsoft. Kvashuk had also a Bitcoin mixing service to hide his public blockchain transactions. “In addition to service provider records that point to Kvashuk, the complaint notes that Microsoft's online store uses a form of device fingerprinting called a Fuzzy Device ID. Investigators, it's claimed, linked a specific device identifier to accounts associated with Kvashuk”, according to The Register. One of the users on HackerNews mentions, “There are two technical interesting takeaways in this: 1 - Microsoft, and probably most big companies, have persistent tracking ID on most stuff that is hard to get rid of and can be used to identify you and devices linked to you in a fuzzy way. I mean, we know about super cookies, fingerprinting and such, but it's another to hear it being used to track somebody that was careful and using multiple anonymous accounts. 2 - BTC mixers will not protect you. Correlating one single wallet with you will make it possible to them retrace the entire history.” To know about this news in detail, head over to the prosecution’s complaint. Microsoft Azure VP demonstrates Holoportation, a reconstructed transmittable 3D technology Microsoft mulls replacing C and C++ code with Rust calling it a “modern safer system programming language” with great memory safety features Microsoft adds Telemetry files in a “security-only update” without prior notice to users

A few days ago, Firefox made announcements stating that starting from Firefox 70, which is planned to release in October this year, the browser will make two new changes favoring users and keeping them secure. First, it will notify users if their saved logins were part of any data breach. Secondly, it will prompt users if the web page they have landed on is not secure. Notifying users of saved logins that were a part of the data breach Firefox has partnered with popular data breach site, Have I Been Pwned, to notify users if their saved logins were found in data breaches. To start with, Firefox will scan the saved login credentials to see if they were exposed in a data breach listed on Have I been Pwned. If one is found, the user will be alerted and prompted to change their password. To support this, Mozilla will be integrating their independent Firefox Monitor service and the new Firefox Lockwise password manager directly into the Firefox browser. Mozilla will add an alert icon  next to the account profile in Firefox Lockwise, detected as being part of a breach. Clicking on the saved login will open its subpanel that displays an alert that the "Passwords were leaked or stolen" as part of a data breach. Compromised Password Notification in Firefox Lockwise Users will also be provided a “protection report” highlighting data breaches instances their logins were involved in. The current Firefox 69 Nightly builds includes a mockup of the ‘Protection Report’, which will list the type and amount of tracking and unwanted scripts that were blocked over the past 7 days. This mockup report is a mockup and not actual data from your browser. Mozilla to set up “not secure” indicators for all HTTP web pages Mozilla also announced that it will show a “Not secure” indication for all the websites in Firefox, starting with the Firefox 70. As we know, Google already has this feature activated on its browser starting with Chrome 68, which was released last year. Prior to this announcement, Mozilla used to indicate "not secure" only on HTTP pages that contained forms or login fields. “Mozilla argued that since more than 80% of all internet pages are now served via HTTPS, users don't need a positive indicator for HTTPS anymore, but a negative one for HTTP connections”, according to ZDNet. Firefox Developer Johann Hofmann said, "In desktop Firefox 70, we intend to show an icon in the 'identity block' (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure". Mozilla started working on these developments way back in December 2017, when it added flags in the Firefox about:config section. These “flags are still present in the current stable version of Firefox, and users can enable them right now and preview how these indicators will look starting this fall,” according to ZDNet. Sean Wright, and infosec researcher told Forbes, “This is an excellent move by Mozilla and a step in the direction to have a secure by default web”.  He also added, many do not realize the potential implications of using sites over HTTP. “Even publicly accessible sites, even as simple as a blog, could potentially allow attackers to inject their malicious payloads into the site severed to the client. HTTPS can go a long way to prevent this, so any move to try to enforce it is a step in the right direction,” he further added. Wright has also warned the users that if you see you are browsing via an HTTPS site, it does not mean it is fully authentic. These sites may also be phished as hackers can purchase the certificates that mark a website as “secure”. Hence, a user has to be cautious while sharing their credentials online. He warns: “You should still pay close attention to links in emails.” A second zero-day found in Firefox was used to attack Coinbase employees; fix released in Firefox 67.0.4 and Firefox ESR 60.7.2 Mozilla is funding a project for bringing Julia to Firefox and the general browser environment Mozilla launches Firefox Preview, an early version of a GeckoView-based Firefox for Android

On July 2, 2019, Cloudflare suffered a major outage due to a massive spike in CPU utilization in the network. Ten days after the outage, on July 12, Cloudflare’s CTO John Graham-Cumming, has released a report highlighting the details about how the Cloudflare service went down for 27 minutes. During the outage, the company speculated the reason to be a single misconfigured rule within the Cloudflare Web Application Firewall (WAF), deployed during a routine deployment of new Cloudflare WAF Managed rules. This speculation turns out to be true and caused CPUs to become exhausted on every CPU core that handles HTTP/HTTPS traffic on the Cloudflare network worldwide. Graham-Cumming said they are “constantly improving WAF Managed Rules to respond to new vulnerabilities and threats”. The CPU exhaustion was caused by a single WAF rule that contained a poorly written regular expression that ended up creating excessive backtracking. Source: Cloudflare report The regular expression that was at the heart of the outage is : Graham-Cumming says Cloudflare deploys dozens of new rules to the WAF every week, and also have numerous systems in place to prevent any negative impact of that deployment. He shared a list of vulnerabilities that caused the major outage. What’s Cloudflare doing to mend the situation? Graham-Cumming said they had stopped all release work on the WAF completely and are following some processes: He says, for longer-term, Cloudflare is “moving away from the Lua WAF that I wrote years ago”. The company plans to port the WAF to use the new firewall engine, which provides customers the ability to control requests, in a flexible and intuitive way, inspired by the widely known Wireshark language. This will make the WAF both faster and add yet another layer of protection. Users have appreciated Cloudflare’s efforts in taking immediate calls for the outage and being completely transparent about the root cause of it with a complete post mortem report. https://twitter.com/fatih/status/1150014793253904386 https://twitter.com/nealmcquaid/status/1150754753825165313 https://twitter.com/_stevejansen/status/1150928689053470720 “We are ashamed of the outage and sorry for the impact on our customers. We believe the changes we’ve made mean such an outage will never recur,” Graham-Cumming writes. Read the complete in-depth report by Cloudflare on their blog post. How Verizon and a BGP Optimizer caused a major internet outage affecting Amazon, Facebook, CloudFlare among others Cloudflare adds Warp, a free VPN to 1.1.1.1 DNS app to improve internet performance and security Cloudflare raises $150M with Franklin Templeton leading the latest round of funding

Europe’s satellite navigation system, Galileo, is suffering a major outage since July 11, nearing 100 hours of downtime, due to a “technical incident related to its ground infrastructure”, according to the European GNSS (Global Navigation Satellite System) Agency or GSA. Funded by the EU, the Galileo program went live with initial services in December 2016 after 17 years of development. This program was launched to avoid the EU’s reliance on the US Air Force's Global Positioning System (GPS) for commercial, military and other applications like guiding aircraft, and also on Russian government's GLONASS. The Galileo satellite network is presently being used by satnavs, financial institutions and more. It provides both free and commercial offerings and is widely used by government agencies and private companies for navigation and search and rescue operations. GSA’s service status page highlights that 24 of the 26 Galileo satellites are listed as "not usable," while the other two are listing the status of "testing". Source: ZDNet The outage means the satellites may not be able to provide timing or positioning data to smartphones or other devices in Europe that use the system. According to BBC, all of the affected users will hardly notice the outage as their devices “will be relying instead on the data coming from the American Global Positioning System (GPS). They will also depend on the sat-nav chip they have installed, cell phones and other devices might also be making connections with the Russian (Glonass) and Chinese (Beidou) networks”. On July 11, the GSA released an advisory notifying users that the Galileo satellite signals “may not be available nor meet the minimum performance levels”. They also warned users that these systems “should be employed at users’ own risk”. On Saturday, July 13, the GSA warned users Another stern warning by the GSA said the Galileo was experiencing a full-service outage and that "signals are not to be used." On July 14, GSA said the outage affected only the Galileo navigational and satellite-based timing services. However, "the Galileo Search and Rescue (SAR) service -- used for locating and helping people in distress situations for example at sea or mountains -- is unaffected and remains operational." “Experts are working to restore the situation as soon as possible. An Anomaly Review Board has been immediately set up to analyze the exact root cause and to implement recovery actions”, GSA added. “Galileo is still in a roll-out, or pilot phase, meaning it would not yet be expected to lead critical applications”, BBC reports. A GSA spokesperson told BBC News, "People should remember that we are still in the 'initial services' phase; we're not in full operation yet”. However, according to Inside GNSS, a specialist sat-nav site, the problem may be with the Precise Timing Facility(PTF), a ground station in Italy that gives each satellite in the system an accurate time reference. “time has an impact on the whole constellation!”, Inside GNSS adds. According to ZDNet, “The downtime also comes after widespread GPS outages were reported across Israel, Iran, Iraq, and Syria at the end of June. Israeli media blamed the downtime on Russian interference, rather than a technical problem”. https://twitter.com/planet4589/status/1150638285640912897 https://twitter.com/aallan/status/1150427275231420417 https://twitter.com/LeoBodnar/status/1150338536517881856 To know more about this news in detail, head over to Europe GSA’s official blog post. Twitter experienced major outage yesterday due to an internal configuration issue Stripe’s API suffered two consecutive outages yesterday causing elevated error rates and response times Why did Slack suffer an outage on Friday?

The recent Windows 7 ‘security-only’ update also includes Telemetry components, which users may be unaware of. It may be used to secretly monitor individual PC’s for “innocuous data collection to outright spyware”, according to ZDNet. Per Microsoft, the "Security-only updates" should not include quality fixes or diagnostic tools, etc. other than sole security updates. This is because, in 2016, Microsoft divided Win7 and 8.1 patchings into two parts, a monthly rollup of updates and fixes and, for those who want only essential patches, and second, a Security-only update package. Why is this “security-only” update suspicious? What was surprising about this month's Security-only update, formally titled the "July 9, 2019—KB4507456 (Security-only update)," is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10. An anonymous user commented on Woody Leonhard’s post on the July 2019 security update published on his website, AskWoody. Leonhard is a Senior Contributing Editor at InfoWorld, and Senior Editor at Windows Secrets. “Warning for group B Windows 7 users! The “July 9, 2019—KB4507456 (Security-only update)” is NOT “security-only” update. It replaces infamous KB2952664 and contains telemetry. Some details can be found in file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in “Package details”->”This update replaces the following updates” and there is KB2952664 listed). It doesn’t apply for IA-64-based systems, but applies both x64 and x86-based systems.” “Microsoft included the KB2952664 functionality (known as the “Compatibility Appraiser”) in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time”, another user with the name @PKCano explains. The user further added, “With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).” “Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?”, the user concluded. ZDNet states, “The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed”. Ed Bott, a technology writer at ZDNet, says that this update is benign and also that Microsoft is being truthful when they say "There is no GWX or upgrade functionality contained in this update." If so, why is Microsoft not briefing users about this update? Many users are confused about whether or not they should update their systems. A user commented on AskWoody, “So should this update be skipped or installed? This appears to pose a dilemma, at least right now. I hope that some weeks from now, by the time we are closer to a green DEFCON, this has been sorted out”. Another user speculated that this issue might be resolved in the next update, “Disabling (or deleting) these schedule tasks after installation (before reboot) should be enough to turn off the appraiser \Microsoft\Windows\Application Experience\ProgramDataUpdater \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser \Microsoft\Windows\Application Experience\AitAgent but it’s best to wait next month to see if the SO update comes clean” ZDNet states this might be because Windows 7 is nearing end-of-support date, which is on January 14, 2020, “It's also possible that Microsoft thinks it has a strong case for making the Compatibility Appraiser tool mandatory as the Windows 7 end-of-support date nears”. To know more about this news, visit Microsoft’s security update. Microsoft quietly deleted 10 million faces from MS Celeb, the world’s largest facial recognition database Microsoft’s Xbox team at E3 2019: Project Scarlett, AI-powered Flight Simulator, Keanu Reeves in Cyberpunk 2077, and more Debian GNU/Linux port for RISC-V 64-bits: Why it matters and roadmap

After the recent disclosure of the vulnerability in Mac’s Zoom Client, Apple was quick to patch the vulnerable component. On July 9, the same day when security researcher, Jonathan Leitschuh revealed the vulnerability publicly, Apple released a patch that removes the local web server entirely and also allows users to manually uninstall Zoom. The Mac Zoom client vulnerability allowed any malicious website to initiate users’ camera and forcibly join a Zoom call without their authority. Apple said the update does not require any user interaction and is deployed automatically. How can Mac users ensure they get these updates? As the vulnerability was capable of re-installing the Zoom Client applications, Apple first stopped the use of a local web server on Mac devices. It then removed the local web server entirely, once the Zoom client was updated. Mac users were prompted in the Zoom user interface (UI) to update their client after the patch was deployed. After the complete update, the local web server will be completely removed on that device. Apple had added a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings. Plans to address ‘video on by default’ Apple has also announced a planned release this weekend (July 12) that will address another security concern, ‘video on by default’. With this July 12 release: First-time users who select the “Always turn off my video” box will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings. Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings. Zoom spokesperson Priscilla McCarthy told TechCrunch, “We’re happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today. We appreciate our users’ patience as we continue to work through addressing their concerns.” Regarding Apple’s quick action to patch the Zoom Client vulnerability, Leitschuh tweeted that their willingness to patch represented an “about face”. “it went from rationalizing its existing strategy to planning a fix in a matter of hours”, Engadget reports. https://twitter.com/JLLeitschuh/status/1148686921528414208 To know more about this news in detail, read Zoom blog. Apple plans to make notarization a default requirement in all future macOS updates Ian Goodfellow quits Google and joins Apple as a director of machine learning Apple to merge the iPhone, iPad, and Mac apps by 2021

The UK’s watchdog, Information Commissioner's Office (ICO) announced that it plans to impose a fine of more than £99 million ($124 million) under GDPR, on the popular hotel chain, Marriott International over a massive data breach which occurred last year. On November 19, 2018, Marriott revealed that the data breach occurred in Marriott’s Starwood guest database and that this breach was happening over the past four years and collected information about customers who made reservations in its Starwood subsidiary. The company initially said hackers stole the details of roughly 500 million hotel guests. However, with a further thorough investigation the number was later corrected to 383 million. This is ICO’s second announcement of imposing significant fines on companies involved in major data breaches. A few days ago, ICO declared its intentions of issuing British Airways a fine of £183.39M for compromising personal identification information of over 500,000 customers. According to ICO’s official website, “A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.” Information Commissioner Elizabeth Denham, said, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” “Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public,” she further added. In a filing with the US Securities Exchange Commission, yesterday, Marriott International’s President and CEO, Arne Sorenson, said, “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott”, Sorenson added. He further informed that the Starwood guest reservation database that was attacked is no longer used for business operations. A few hours after Marriott revealed about the data breach last year, two lawsuits were filed against it. First, by two Oregon men: Chris Harris and David Johnson, for exposing their data, and the other lawsuit was filed in the state of Maryland by a Baltimore law firm Murphy, Falcon & Murphy.  The petitioners in the Oregon lawsuit claimed $12.5 billion in costs and losses; however, the petitioners for the Maryland lawsuit didn't specify the amount for damages they were seeking from Marriott. According to OregonLive’s post last year, “The lawsuit seeks $12.5 billion -- or $25 for each customer whose privacy may have been jeopardized after making a reservation with Starwood brand hotels, including W Hotels, St. Regis, Sheraton, and Westin”. “The $25 as a minimum value for the time users will spend canceling credit cards due to the Marriott hack”, OregonLive further reported. Many are happy with ICO’s decision of imposing fines on major companies that put customer data at risk. A user on Reddit has commented, “Finally!! I am hoping this is a trend and a game changer for the companies to better protect their customer information!”. Another user said, “Great news, The GDPR is working.” To know more about this news in detail, head over to ICO’s official website. Former Senior VP’s take on the Mariott data breach; NYT reports suspects Chinese hacking ties Facebook fails to fend off a lawsuit over data breach of nearly 30 million users Experts discuss Dark Patterns and deceptive UI designs: What are they? What do they do? How do we stop them?