Tech News - Cybersecurity

Facebook discussions with the EU resulted in changes of its terms and services for users

Natasha Mathur
11 Apr 2019
3 min read
Earlier this week, Facebook updated its terms of service after discussions with the European Commission and consumer protection authorities. Facebook will now clearly explain how it uses users' data for "profiling activities and target advertising", which in turn is how it makes money. Under the new terms of service, Facebook will have to provide details on:

  • the services it sells to third parties based on users' data;
  • how consumers can close their accounts, and for what reasons a user's account can be disabled;
  • the nature of the research activities conducted by Facebook itself or with third-party business partners;
  • a reduced number of contract clauses that continue to apply to a user's account after the account is terminated. Facebook will also inform consumers of these cases.

The new terms of service are aimed at disclosing Facebook's business model fully, in plain and understandable language. This matters: a new Adtech market research report by the Information Commissioner's Office states that 61% of users disagree that they would prefer to see adverts on websites that are relevant to them, while 59% feel they have no control over which advertisements are shown to them. Hopefully, as more users become aware of what goes on behind social media advertising, these numbers will drop.

"Today Facebook finally shows commitment to more transparency and straightforward language in its terms of use... Now, users will clearly understand that their data is used by the social network to sell targeted ads..", said Vera Jourová, Commissioner for Justice, Consumers and Gender Equality.

According to the European Union's statement, after the Cambridge Analytica scandal Facebook was asked to clearly inform its users how it is financed and how it makes revenue from users' data. Facebook was also asked to align its terms of service with EU consumer law.

Apart from that, Facebook has also changed:

  • its policy on the limitation of liability: it now acknowledges its responsibility in case of negligence (e.g. data mishandling by third parties);
  • its power to unilaterally change terms and conditions, limiting it to cases where the changes are reasonable;
  • the rules around temporary retention of content that consumers have deleted: such content can now be retained only in a few cases (e.g. to comply with an enforcement request from an authority);
  • the language clarifying users' right to appeal when their content has been removed.

The EU states that Facebook will complete the implementation of all commitments by the end of June 2019, and the Commission and the Consumer Protection Cooperation network will closely monitor the implementation. If Facebook fails to fulfil its commitments, national consumer authorities may resort to enforcement measures, including sanctions. For more information, check out the official updated Facebook terms of service.
Mozilla adds protection against fingerprinting and Cryptomining scripts in Firefox Nightly and Beta

Amrata Joshi
10 Apr 2019
2 min read
Last year, Mozilla announced that it was adopting an approach to anti-tracking that puts user data privacy first, and listed a few key initiatives to mitigate harmful practices such as fingerprinting and cryptomining. Yesterday, Mozilla announced that it is adding a new feature to protect users against these threats and web annoyances in future releases of Firefox. The feature is available in the beta version of Firefox 67 and the nightly version of Firefox 68, and will reach the stable release of Firefox in a few weeks. Mozilla has also added the fingerprinting and cryptomining blocks to Firefox Nightly as an option that users can turn on. The cryptomining and fingerprinting blocks work similarly to the anti-tracking blocks in current versions of Firefox.

Fingerprinting and cryptomining scripts

A variety of "fingerprinting" scripts are embedded invisibly on many web pages to harvest a snapshot of the user's computer configuration. From this snapshot they build a digital fingerprint that can be used to track users across the web, even after the user has cleared their cookies. Fingerprinting thus violates Firefox's anti-tracking policy.

Cryptominers are another category of script. They run costly operations in the user's web browser, without the user's knowledge or consent, using the power of the user's CPU to generate cryptocurrency for someone else's benefit. These scripts slow down the computer, drain the battery and add to the electricity bill.

Firefox's move towards blocking these scripts

To counter these threats, Mozilla has announced new protections against fingerprinters and cryptominers. The company has collaborated with Disconnect to compile a list of domains that serve fingerprinting and cryptomining scripts. Cryptomining and fingerprinting blocks are disabled by default for now, but users can activate them in a couple of clicks in the browser settings under "Privacy & Security." In the latest Firefox Nightly and Beta versions, Mozilla offers users the option to block both kinds of scripts as part of its Content Blocking suite of protections. The team at Mozilla will be testing these protections in the coming months. To know more, check out the official announcement by Mozilla.
U.S. senators introduce a bipartisan bill that bans social media platforms from using 'dark patterns' to trick their users

Natasha Mathur
10 Apr 2019
4 min read
Two U.S. senators, Mark R. Warner (D-VA) and Deb Fischer (R-NE), introduced a bill yesterday to ban large online platforms (those with over 100 million monthly active users), such as Facebook and Twitter, from tricking consumers into handing over their personal data. The bill, named the Deceptive Experiences To Online Users Reduction (DETOUR) Act, is bipartisan legislation aimed at prohibiting these platforms from using deceptive user interfaces, called "dark patterns".

https://twitter.com/MarkWarner/status/1115660831969153025

The term "dark patterns" refers to online interfaces on websites and apps that are specifically designed to manipulate users into taking actions they wouldn't otherwise take. The design tactics behind these patterns draw on extensive behavioral psychology research and mislead users of social media platforms into agreeing to settings and providing data that benefit the company. By pushing users to give up their personal data (contacts, messages, web activity, location) in this way, these social media companies gain an unfair advantage over their competitors.

According to Senator Fischer, a member of the Senate Commerce Committee, these dark patterns weaken privacy policies that depend on consent. "Misleading prompts to just click the 'OK' button can often transfer your contacts, messages, browsing activity, photos, or location information without you even realizing it. Our bipartisan legislation seeks to curb the use of these dishonest interfaces and increase trust online".

https://twitter.com/MarkWarner/status/1115660838692642818
https://twitter.com/MarkWarner/status/1115660840575877120

Other examples of dark patterns include an interruption that keeps repeating in the middle of a task until the user agrees to consent, and privacy settings that present 'agree' as the default option. Users looking for more privacy-related options are made to follow a long process that involves clicking through multiple screens, and sometimes users are not offered the alternative option at all.

As per the DETOUR Act:

  • A professional standards body, registered with the Federal Trade Commission (FTC), is to be created to focus on best practices surrounding user design for large online operators. This association would act as a self-regulatory body and provide updated guidance to the social media platforms.
  • Segmenting consumers for behavioral experiments is prohibited unless carried out with the consumer's informed consent. This includes routine disclosures to the public by large online operators (at least once every 90 days) on any behavioral experiments. Large online operators would also have an internal Independent Review Board to provide oversight of these practices and safeguard consumer welfare.
  • User design intended to encourage compulsive usage among children under the age of 13 is prohibited.
  • The FTC is to issue rules within one year of the Act's enactment and carry out the tasks necessary regarding informed consent, Independent Review Boards, and Professional Standards Bodies.

Senator Warner has been raising concerns about the implications of dark patterns used by social media companies for several years. For instance, in 2014, Sen. Warner asked the FTC to probe Facebook's use of dark patterns in an experiment that involved nearly 700,000 users and focused on the emotional impact of manipulating the information in Facebook's News Feed.

"We support Senators Warner and Fischer in protecting people from exploitive and deceptive practices online. Their legislation helps to achieve that goal and we look forward to working with them", said Fred Humphries, Corporate VP of U.S. Government Affairs at Microsoft, in a press release sent to us.

Apart from the DETOUR Act, Sen. Warner is planning to introduce further legislation designed to improve transparency, privacy, and accountability on social media. Public reaction to the news has been largely positive, with people supporting the senators and the new bill:

https://twitter.com/tristanharris/status/1115735945393782785
https://twitter.com/joenatoli/status/1115823934132445186

For more information, check out the official DETOUR Act bill.
Norsk Hydro shares a 4-minute video on how its employees stood up for the firm post an extensive cyberattack

Natasha Mathur
05 Apr 2019
4 min read
On 19th March last month, Norsk Hydro ASA, a Norwegian firm and one of the world's largest aluminum producers, had to halt production because of a cyber attack that impacted its operations across Europe and the U.S. Earlier this week, the firm shared a video on YouTube highlighting how the employees of Magnor Extrusion in Norway (one of the 160 Hydro sites affected by the cyber attack) went out of their way to keep the plant up and running during a critical period. "With a tremendous effort of our colleagues at Magnor, the plant has managed to get production up to 100% of normal production, despite operating in normal mode", states the video.

https://twitter.com/NorskHydroASA/status/1110981944513388544

Olav Schulstad, Production Manager at Magnor, mentions that people in the firm have been very supportive and volunteered to help without even being asked. Frode Halteigen, an operator at Magnor, adds in the video that all the employees, including the people on the shop floor, sacrificed time with their families and weekends to get operations back in shape.

https://www.youtube.com/watch?v=S-ZlVuM0we0&feature=youtu.be (Cyber Attack on Hydro Magnor)

Many employees also took on unconventional roles to help out on the shop floor. For instance, Mads Madsstuen is an Area Sales Manager but is helping out on the shop floor in the plant.

https://twitter.com/fabrikkfrue/status/1113426747809247232
https://twitter.com/GossiTheDog/status/1113442133267091456

After the attack, Norsk Hydro kept providing updates to inform the public about the progress made in securing safe and stable operations across the company. "With a systematic approach our experts are step by step restoring business-critical IT based functions to ensure stable production, serve our customers and limit financial impact, while always safeguarding our employee's safety," said Eivind Kallevik, CFO of Norsk Hydro, in an update posted on March 21st. According to the update, the root cause of the problems had been detected and a cure identified, and Hydro's experts have been working since then on bringing the virus-infected systems back to a pre-infection state. The firm also called in experts from Microsoft and other IT security partners to help Hydro take all necessary actions in a systematic way to return the business to normal operation. "Hydro has experienced good progress over the weekend and continues to approach normal operations after the cyber attack. Our focus so far has been technical recovery. This week we are moving on to business and operation recovery", Hydro updated earlier this week.

Norsk Hydro lost over $40 million in the week following the cyber attack, which incapacitated most of its operations. The company decided to switch its units to manual operation after its IT systems were attacked and locked by ransomware called LockerGoga. LockerGoga is a new and evolving ransomware that could have infected the systems at Norsk Hydro via stolen remote desktop credentials, phishing, or out-of-date software, Chemistry World reports. Two US-based chemical companies, Momentive and Hexion, have also suffered cyber attacks involving LockerGoga.

The video states that thousands of people at Hydro around the world are working day and night to restore operations, in a "true display of care, courage, and collaboration". It sheds light on the indefatigable fervor of the Norsk Hydro employees and on how the firm has fostered a work culture that many companies should aspire to. It also shows, behind the scenes, how challenging it is for the employees of a company to come to terms with the reality of such an extensive cyber attack, in terms of both financial and operational constraints.
Elite US universities including MIT and Stanford break off partnerships with Huawei and ZTE amidst investigations in the US

Sugandha Lahoti
04 Apr 2019
3 min read
The Massachusetts Institute of Technology has broken off its partnerships with Chinese telecoms equipment makers Huawei and ZTE while the two companies face US federal investigations. MIT follows Stanford University, the University of California's flagship Berkeley campus and the University of Minnesota, which have all cut future research collaborations with Huawei.

Late December, Huawei's Chief Financial Officer, Wanzhou Meng, who is also the daughter of the company's founder, was arrested in Canada; Huawei was allegedly involved in violating U.S. sanctions on Iran. Huawei had been under constant scrutiny by the US government following the ban on ZTE selling devices with American-made hardware and software, after ZTE was also found guilty of violating US sanctions on Iran. Then in January, the U.S. Government officially charged Huawei with stealing T-Mobile's trade secrets and with bank fraud committed to violate U.S. sanctions on Iran. Only a month later, Huawei was in the spotlight again for using dirty tactics to steal Apple's trade secrets. U.S. companies such as Motorola and Cisco Systems have made similar claims against Huawei in civil lawsuits, and a Chicago-based company, Akhan Semiconductor, even cooperated with a federal investigation into the theft of its intellectual property by Huawei.

Huawei's power in the mobile telecommunications sector, combined with its blatant disregard for cybersecurity laws, is alarming. FBI Director Christopher Wray said the cases "expose Huawei's brazen and persistent actions to exploit American companies and financial institutions and to threaten the free and fair global marketplace. That kind of access could give a foreign government the capacity to maliciously modify or steal information, conduct undetected espionage, or exert pressure or control."

In a letter sent to the faculty on Wednesday, Richard Lester, MIT's associate provost, and Maria Zuber, the school's vice-president for research, said, "At this time, based on this enhanced review, MIT is not accepting new engagements or renewing existing ones with Huawei and ZTE or their respective subsidiaries due to federal investigations regarding violations of sanction restrictions." The letter further stated, "Most recently we have determined that engagements with certain countries – currently China [including Hong Kong], Russia and Saudi Arabia – merit additional faculty and administrative review beyond the usual evaluations that all international projects receive."

Since banning Huawei, the US has been trying to prevent its allies from using Huawei technology in critical infrastructure, focusing especially on the five English-speaking countries known as the Five Eyes (US, Canada, New Zealand, Australia, Great Britain). Australia and New Zealand have so far stopped operators from using Huawei equipment in their 5G networks. In the EU, however, policymakers have mandated that EU nations share data on 5G cybersecurity risks and produce measures to tackle them by the end of the year. "The aim is to use tools available under existing security rules plus cross-border cooperation," the bloc's executive body said. It is now up to individual EU countries to decide whether they want to ban any company on national security grounds.
ASUS servers hijacked; pushed backdoor malware via software updates potentially affecting over a million users

Savia Lobo
26 Mar 2019
4 min read
Motherboard today reported a backdoor malware attack on ASUS' servers, which took place last year between June and November 2018. The attack was discovered by Kaspersky Lab in January 2019 and was subsequently named 'ShadowHammer'. Researchers say the attack came to light after a new supply-chain detection technology was added to ASUS' scanning tool, designed to catch anomalous code fragments hidden in legitimate code or code that hijacks normal operations on a machine.

Kaspersky analysts told Kim Zetter, a cybersecurity journalist at Motherboard, that the backdoor malware was pushed to ASUS customers for at least five months before it was discovered and shut down. Researchers also said that the attackers compromised the ASUS server behind the company's live software update tool and then used it to push the malware, installing a malicious backdoor on thousands of its customers' computers. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company.

A Kaspersky spokesperson said, "Over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time... We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide".

According to researchers at Kaspersky Lab, the goal of the attack was to "surgically target an unknown pool of users, which were identified by their network adapters' MAC addresses". The attackers hardcoded a list of MAC addresses in the trojanized samples, and this list was used to identify the actual intended targets of this massive operation. "We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list", the researchers said.

Zetter also tweeted about "a Reddit forum from last year where ASUS users were discussing the suspicious software update ASUS was trying to install on their machines in June 2018".

https://twitter.com/KimZetter/status/1110239014735405056

Kaspersky Lab plans to release a full technical paper and presentation about the ASUS attack at its Security Analyst Summit in Singapore next month. Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab's Global Research and Analysis Team, said, "This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware." Zetter writes, "Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company."

Costin Raiu, company-wide director of Kaspersky's Global Research and Analysis Team, told Motherboard, "I'd say this attack stands out from previous ones while being one level up in complexity and stealthiness. The filtering of targets in a surgical manner by their MAC addresses is one of the reasons it stayed undetected for so long. If you are not a target, the malware is virtually silent."

To know more about the technical details of this attack, head over to Kaspersky's website.

UPDATED: In a press release, ASUS stated that the backdoor was fixed in Live Update version 3.6.8. The company has also "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism", the press release states. Additionally, ASUS has created an online security diagnostic tool to check for affected systems.
Hydro cyber attack shuts down several metal extrusion plants

Savia Lobo
19 Mar 2019
2 min read
Norsk Hydro, one of the largest producers of aluminum in the world, was hit by a cyber attack on the company's IT systems on Monday evening, affecting major parts of its smelting operations. The attack, which escalated overnight and is still ongoing, has forced the company to resort to manual operations at its smelting facilities. The company's website is currently down and it is posting updates to Facebook.

Hydro said that IT systems in most business areas are impacted. In a statement to the BBC, Hydro said that the digital systems at its smelting plants were programmed to ensure machinery worked efficiently, but these systems had to be turned off. The company is unsure what type of cyber attack it is facing or who is responsible. "We are working to contain and neutralize the attack. It is too early to assess the full impact of the situation. It is too early to assess the impact on customers. We have established a dialogue with all relevant authorities", the firm said in its Facebook post. "They are much more reliant today on computerised systems than they were some years ago. But they have the option of reverting back to methods that are not as computerised, so we are able to continue production", a Hydro spokesperson told the BBC.

According to Reuters, "The company shut several metal extrusion plants, which transform aluminum ingots into components for car makers, builders, and other industries, while its giant smelters in countries including Norway, Qatar and Brazil were being operated manually." A Norwegian National Security Authority (NSM) spokesperson said, "We are helping Norsk Hydro with the handling of the situation, and sharing this information with other sectors in Norway and with our international partners."

Hydro is holding a press meeting on Tuesday, 19 Mar 2019 at 14:00 GMT, where it will inform everyone about the cyber attack. We will keep you updated as and when there are developments in this story. In the meantime, you can check out Norsk Hydro's Facebook wall for updates.
Let’s Encrypt ACME Protocol is now standardized by the IETF

Fatema Patrawala
13 Mar 2019
3 min read
ACME (Automated Certificate Management Environment) is no longer just a Let's Encrypt effort: it has now been standardized by the Internet Engineering Task Force (IETF). The ACME protocol can be used by a Certificate Authority (CA) to automate the process of verification and certificate issuance.

The open-source Let's Encrypt project has been an innovating force in the security landscape over the last several years. It provides millions of free SSL/TLS certificates to help secure web traffic. Aside from its disruptive model of providing certificates for free, Let's Encrypt has also helped pioneer new technology for managing and delivering certificates, including ACME. Let's Encrypt is a non-profit effort that was announced in November 2014 and became a Linux Foundation Collaborative Project in April 2015. It exited its beta period in April 2016 and is currently helping to secure over 43 million websites.

"The protocol also provides facilities for other certificate management functions, such as certificate revocation," the IETF draft of the ACME standard states. The protocol being standardized at the IETF is version 2 of ACME, which benefits from the wider participation of other internet organizations' viewpoints on certificate management, beyond Let's Encrypt. Though the IETF standardization process is a multi-stakeholder effort, Josh Aas, Executive Director and Co-Founder of the Internet Security Research Group (ISRG) and Let's Encrypt, noted that the process has gone as expected, with no real surprises. "We expect the standardization process to conclude in the next few months," Aas wrote on the blog.

Aas said that the ACME v1 protocol is what Let's Encrypt uses today, and that version 2 will be standardized by the IETF and supported by Let's Encrypt as of January 2018. The main difference between the two versions is the order of operations. "In v1, clients authorize a set of domains and then request a certificate," Aas said. "In v2 clients request a certificate and then authorize domains for the certificate. The latter ordering offers more flexibility to us and other CAs who might be interested in using ACME."

As a Certificate Authority, Let's Encrypt has to date only provided Domain Validated (DV) certificates. DV certificates do not specifically identify or validate the organization using the certificate; they validate a request against a domain registry. In contrast, an Organization Validated (OV) certificate identifies the organization and validates its identity against a business registry, and an Extended Validation (EV) certificate provides the highest level of validation for an organization and involves a comprehensive vetting process. "ACME v1 was designed primarily with DV issuance in mind," Aas said. "ACME v2 can probably not be used to issue OV or EV certificates on its own, but it can play a role in issuing OV or EV certificates." Aas added that ACME v2 could potentially be used in OV and EV certificate issuance by automating the parts of the validation process that can be automated.

While Let's Encrypt will be making use of the IETF ACME v2 protocol, other Certificate Authorities are taking a cautious approach. "Symantec offers an automation agent, SSL Assistant Plus, which implements a proprietary certificate lifecycle protocol," said Rick Andrews, Symantec Distinguished Engineer. "We follow the ACME development discussions in the IETF, and are considering adding support for the ACME protocol."
Announcing DTrace for Windows Insider

Melisha Dsouza
12 Mar 2019
2 min read
Microsoft announced on its blog today that it has added support for DTrace to its Insider builds. The forthcoming Windows 10 feature update will bring support for this debugging and diagnostic tracing tool. The support for DTrace is made possible by a port of the open-source OpenDTrace project, which was announced at the Ignite conference last year. The instructions, binaries, and source code are now available to Windows Insiders.

DTrace lets developers and administrators track kernel function calls, examine properties of running processes, and probe drivers. The DTrace scripting language allows users to specify which information is probed and how that information is reported. Hari Pulapaka, Microsoft group program manager for the Windows kernel, says that the merge will happen over the next few months, but in the meantime Microsoft is making its DTrace source available.

Source: Microsoft blog

To run DTrace on Windows 10, users need a 64-bit Insider build 18342 or higher and a valid Insider account, and DTrace has to be run in administrator mode. To expose the functionality DTrace requires, Microsoft created a new kernel extension driver, traceext.sys; however, Microsoft does not plan to open source Traceext. You can head over to GitHub to download the source code for this project.
Resecurity reports ‘IRIDIUM’ behind Citrix data breach; 200+ government agencies, oil and gas companies, and technology companies also targeted

Melisha Dsouza
11 Mar 2019
4 min read

Last week, Citrix, the American cloud computing company, disclosed that it had suffered a data breach on its internal network. It was informed of the attack by the FBI. In a statement posted on Citrix’s official blog, the company’s Chief Security Information Officer Stan Black said, “the FBI contacted Citrix to advise they had reason to believe that international cybercriminals gained access to the internal Citrix network. It appears that hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown.” The FBI informed Citrix that the hackers likely used a tactic known as password spraying to exploit weak passwords. The blog further states that “Once they gained a foothold with limited access, they worked to circumvent additional layers of security”.

In the wake of these events, the security firm Resecurity reached out to NBC News and claimed that it had reason to believe the attacks were carried out by an Iranian-linked group known as IRIDIUM. Resecurity says that IRIDIUM "has hit more than 200 government agencies, oil and gas companies, and technology companies including Citrix." Resecurity claims that IRIDIUM breached Citrix's network during December 2018. Charles Yoo, Resecurity's president, said that the hackers extracted at least six terabytes, and possibly up to 10 terabytes, of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares, and other services used for project management and procurement. “It's a pretty deep intrusion, with multiple employee compromises and remote access to internal resources."

Yoo further added that his firm has been tracking the Iranian-linked group for years, and has reason to believe that IRIDIUM broke its way into Citrix's network about 10 years ago and has been “lurking inside the company's system ever since.” There is no evidence that the attacks directly penetrated U.S. government networks. However, the breach carries the potential risk that the hackers could eventually get into sensitive government networks. According to Black, “At this time, there is no indication that the security of any Citrix product or service was compromised.”

Resecurity said that it first reached out to Citrix on December 28, 2018, to share an early warning about “a targeted attack and data breach”. According to Yoo, the analysis indicated that the hackers were focused in particular on FBI-related projects, NASA and aerospace contracts, and work with Saudi Aramco, Saudi Arabia's state oil company. “Based on the timing and further dynamics, the attack was planned and organized specifically during Christmas period,” Resecurity says in a blog post. A spokesperson for Citrix confirmed to The Register that "Stan’s blog refers to the same incident" described by Resecurity.

Twitter was abuzz with users expressing their confusion over the timeline of events and wondering about the consequences if IRIDIUM had truly been lurking in Citrix’s network for 10 years:

https://twitter.com/dcallahan2/status/1104301320255754241
https://twitter.com/MalwareYoda/status/1104170906740350977
https://twitter.com/Maliciouslink/status/1104375001715798016

The data breach is worrisome, considering that Citrix sells workplace software to government agencies and handles sensitive computer projects for the White House Communications Agency, the U.S. military, the FBI, and many American corporations.
Flickr says Creative Commons photos won’t be subject to 1,000 picture limit

Fatema Patrawala
11 Mar 2019
2 min read

On November 1st, 2018, Flickr announced that it would be limiting free accounts to just 1,000 pictures. But it recently made an exception: it would be deleting any pictures on accounts over that number, but any Creative Commons licensed photos uploaded before the November 1st, 2018 deadline would be allowed to stay. Last Friday, the company made the policy permanent — all Creative Commons photos will be allowed on Flickr for good, regardless of upload date, even on accounts that would otherwise have surpassed the 1,000 picture limit.

In light of this change, Flickr also removed the ability to change licenses on photos on the site in bulk. This makes it difficult for users to simply hit a button and circumvent the 1,000 picture limit. That’s for good reason, too: the company says it wants users to think about and understand the consequences of making a photo open to use by anyone under a Creative Commons license before they flip the switch to avoid the limit. It’s unclear whether users already at the 1,000 photo limit will be able to upload new Creative Commons photos past that, but that seems to be what Flickr is implying.

Additionally, Flickr is adding “In memoriam” accounts for users who have passed away, which will lock the account and preserve all the pictures on it. This is also available for Pro users who would be over the 1,000 picture limit when their subscription inevitably lapses. Flickr has put up a page where accounts to be memorialized can be submitted. Upon receiving a request, Flickr evaluates whether the account qualifies to be memorialized; the account’s username is then updated to reflect the “in memoriam” status and login for the account is locked to prevent anyone from signing in.

Lastly, Flickr also announced that it will finally be removing the last major vestige of the company’s former Yahoo stewardship. It has decided to do away with the mandatory Yahoo login requirement, and will also transition existing accounts away from Yahoo over the next few weeks.
A security researcher reveals his discovery of 800+ million leaked emails available online

Savia Lobo
09 Mar 2019
4 min read

Security researcher Bob Diachenko shared his discovery of an unprotected, 150GB MongoDB instance. He said that it held a huge number of emails that were publicly accessible to anyone with an internet connection. “Some of the data was much more detailed than just the email address and included personally identifiable information (PII).”

The discovered database contained four separate collections of data, 808,539,939 records in total. The largest part of this database was named ‘mailEmailDatabase’ and held three folders:

Emailrecords (798,171,891 records)
emailWithPhone (4,150,600 records)
businessLeads (6,217,358 records)

He cross-checked a random selection of records against Troy Hunt’s HaveIBeenPwned database. The researcher states, “I started to analyze the content in an attempt to identify the owner and responsibly disclose it – even despite the fact that this started to look very much like a spam organization dataset.”

In addition to the email databases, the Mongo instance also revealed details on the possible owner of the database, a company named ‘Verifications.io’, which offered ‘Enterprise Email Validation’ services. Once emails were uploaded for verification, they were also stored in plain text. “Once I reported my discovery to Verifications.io the site was taken offline and is currently down at the time of this publication. Here is the archived version”, the researcher said.

According to Diachenko, the service works as follows. Someone uploads a list of email addresses that they want to validate. Verifications.io has a list of mail servers and internal email accounts that it uses to “validate” an email address. It does this by literally sending the people an email. If it does not bounce, the email is validated. If it bounces, they put it in a bounce list so they can easily validate later on.

Diachenko said, “‘Mr. Threat Actor’ has a list of 1000 companies that he wants to hack into. He has a bunch of potential users and passwords but has no idea which ones are real. He could try to log in to a service or system using ALL of those accounts, but that type of brute force attack is very noisy and would likely be identified.” The threat actor instead uploaded all of his potential email addresses to a service like Verifications.io. The email verification service then sent tens of thousands of emails to validate these users (some real, some not). Each of the users on the list received their own spam message saying “hi”. The threat actor then received a cleaned, verified, and valid list of users at these companies. This, in turn, told him who works there and who does not, from which he could start a more focused phishing or brute forcing campaign.

According to Wired, “The data doesn't contain Social Security numbers or credit card numbers, and the only passwords in the database are for Verifications.io's own infrastructure. Overall, most of the data is publicly available from various sources, but when criminals can get their hands on troves of aggregated data, it makes it much easier for them to run new social engineering scams, or expand their target pool.”

Security researcher Troy Hunt is adding the Verifications.io data to his service HaveIBeenPwned, which helps people check whether their data has been compromised in data exposures and breaches. He says that 35 percent of the trove's 763 million email addresses are new to the HaveIBeenPwned database. The Verifications.io data dump is also the second-largest ever added to HaveIBeenPwned in terms of number of email addresses, after the 773 million in the repository known as Collection 1, which was added earlier this year. Hunt says some of his own information is included in the Verifications.io exposure.

To know more about this news in detail, read Bob Diachenko’s post.
ChaCha20-Poly1305 vulnerability issue affects OpenSSL 1.1.1 and 1.1.0

Savia Lobo
09 Mar 2019
2 min read

On Wednesday, March 6, the OpenSSL team disclosed a low-severity vulnerability in ChaCha20-Poly1305, an AEAD cipher, which incorrectly allowed a nonce of up to 16 bytes to be set.

The OpenSSL team states that ChaCha20-Poly1305 requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is shorter than 12 bytes. However, it also incorrectly allows a nonce of up to 16 bytes to be set. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue; OpenSSL 1.0.2 is not.

The OpenSSL advisory stresses that nonce values must never be reused with this cipher. “Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce”, the advisory states. Also, the ignored bytes in a long nonce are not covered by the “integrity guarantee” of this cipher, so any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected.

Any OpenSSL-internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However, user applications that use this cipher directly and set a non-default nonce length longer than 12 bytes may be vulnerable. To know more about this issue in detail, head over to the OpenSSL blog post.
RSA Conference 2019 Highlights: Top 5 cybersecurity products announced

Melisha Dsouza
08 Mar 2019
4 min read

The theme at the ongoing RSA 2019 conference is “Better”. As the official RSA page explains, “This means working hard to find better solutions. Making better connections with peers from around the world. And keeping the digital world safe so everyone can get on with making the real world a better place.” Keeping with the theme of the year, the conference saw some exciting announcements, keynotes, and seminars presented by some of the top security experts and organizations. Here is our list of the top 5 new cybersecurity products announced at RSA Conference 2019.

#1 X-Force Red Blockchain Testing service

IBM announced the ‘X-Force Red Blockchain Testing service’ to test for vulnerabilities in enterprise blockchain platforms. This service will be run by IBM's in-house X-Force Red security team and will test the security of back-end processes for blockchain-powered networks. The service will evaluate the whole implementation of enterprise blockchain platforms, including chain code, public key infrastructure, and hyperledgers. Alongside this, the service will also assess the hardware and software applications that are typically used to control access to and manage blockchain networks.

#2 Microsoft Azure Sentinel

Azure Sentinel will help developers “build next-generation security operations with cloud and AI”. It gives developers a holistic view of security across the enterprise. The service will help them collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds. It can then detect previously undiscovered threats and minimize false positives using analytics and threat intelligence. Azure Sentinel also helps investigate threats with AI and hunt suspicious activities at scale, while responding to incidents rapidly with built-in orchestration and automation of common tasks.

#3 Polaris Software Integrity Platform

The Polaris Software Integrity Platform is an integrated, easy-to-use solution that enables security and development teams to quickly build secure and high-quality software. The service lets developers integrate and automate static, dynamic, and software composition analysis with the tools they are familiar with. The platform also provides security teams with a holistic view of application security risk across their portfolio and the SDLC. Using the Polaris Code Sight IDE plugin, developers can address security flaws in their code as they write it, without switching tools.

#4 CyberArk Privileged Access Security Solution v10.8

The CyberArk Privileged Access Security Solution v10.8 automates detection, alerting, and response for unmanaged and potentially risky Amazon Web Services (AWS) accounts. This version also features Just-in-Time capabilities to deliver flexible user access to cloud-based or on-premises Windows systems. Just-in-Time provisional access to Windows servers lets administrators configure the amount of access time granted to Windows systems, whether they are cloud-based or on-premises, reducing operational friction. The solution can now identify privileged accounts in AWS, unmanaged Identity and Access Management (IAM) users (such as Shadow Admins), and EC2 instances and accounts. This will help track AWS credentials and accelerate the on-boarding process for these accounts.

#5 Cyxtera AppGate SDP IoT Connector

Cyxtera’s IoT Connector, a feature within AppGate SDP, secures unmanaged and under-managed IoT devices with 360-degree perimeter protection. It isolates IoT resources using Cyxtera's Zero Trust model. Each AppGate IoT Connector instance scales for both volume and throughput and handles a wide array of IoT devices. AppGate operates in-line and limits access to prevent lateral attacks while allowing devices to seamlessly perform their functions. It can be deployed easily without replacing existing hardware or software.

Apart from these, other products launched at the conference included CylancePERSONA, CrowdStrike Falcon for Mobile, Twistlock 19.03, and more. To stay updated with all the events, keynotes, seminars, and releases happening at the RSA 2019 conference, head over to the official blog.
Google releases a fix for the zero-day vulnerability in its Chrome browser while it was under active attack

Melisha Dsouza
07 Mar 2019
3 min read

Yesterday, Google announced that a patch for Chrome released last week was in fact a fix for an actively exploited zero-day discovered by its security team. The bug, tagged CVE-2019-5786, was originally discovered by Clement Lecigne of Google's Threat Analysis Group on Wednesday, February 27th, and is currently under active attack. The threat advisory states that the vulnerability involves a memory mismanagement bug in a part of the Chrome browser called ‘FileReader’. FileReader is a programming interface that allows web developers to pop up menus and dialogs asking a user to choose from a list of local files to upload, or an attachment to be added to their webmail. Attackers can use this vulnerability to achieve remote code execution (RCE).

ZDNet states that the bug is a type of memory error that occurs when an app tries to access memory after it has been freed from Chrome's allocated memory. If this type of memory access is mishandled, it can lead to the execution of malicious code. Chaouki Bekrar, CEO of exploit vendor Zerodium, tweeted that the vulnerability allegedly allows malicious code to escape Chrome's security sandbox and run commands on the underlying OS.

https://twitter.com/cBekrar/status/1103138159133569024

Not divulging any further information on the bug, Google says: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” Further, Forbes reports that Satnam Narang, a senior research engineer at Tenable, has said that it is a "Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user's computer."

Catalin Cimpanu, a security reporter at ZDNet, suggests that there are malicious PDF files in the wild being used to exploit this vulnerability. "The PDF documents would contact a remote domain with information on the users' device --such as IP address, OS version, Chrome version, and the path of the PDF file on the user's computer", he added.

The fix for this zero-day

Users are advised to update Chrome across all platforms.

https://twitter.com/justinschuh/status/1103087046661267456

Check out the new version of Chrome for Android and the patch for Chrome OS. Mac, Windows, and Linux users are advised to manually initiate the download if it has not yet been pushed to their device. Head over to chrome://settings/help to check the current version of Chrome on your system; that page also performs an update check at the same time, in case any recent auto-updates have failed.