Tech News - Malware Analysis

This week, NATIONAL VULNERABILITY DATABASE (NVD) identified an integer overflow flaw in libssh2 before the release of version 1.8.1 which could lead to an out of bounds write. A remote attacker could take advantage of this flaw to compromise an SSH server and execute code on the client system when a user connects to the server. Impact of the flaw in libssh2 The Common Vulnerability Scoring System (CVSS) base score, a numerical score that reflects its severity, calculated by the team who identified the flaw is 8.8, which is high. The overall impact score calculated by the team is 5.9 where the exploitability score is 2.8. The team also identified that the attack vector was a network and the attack complexity was low. Security issues fixed by the team CVE-2019-3861: The team fixed out-of-bounds reads with SSH packets. CVE-2019-3862: The team fixed the issues related to out-of-bounds memory with message channel request packet. CVE-2019-3860: The team fixed out-of-bounds reads with SFTP packets. CVE-2019-3863: The team fixed the integer overflow in user authenticate keyboard which could allow out-of-bounds writes with keyboard responses. CVE-2019-3856: The team fixed the issues related to a potential integer overflow in keyboard handling which could allow out-of-bounds write with payload. CVE-2019-3859: The team fixed the issues with out-of-bounds reads with payloads because of unchecked use of _libssh2_packet_require and _libssh2_packet_requirev. CVE-2019-3855: The team fixed a potential Integer overflow in transport read which could allow out-of-bounds write with a payload. CVE-2019-3858: The issues with the zero-byte allocation have been fixed, which could lead to an out-of-bounds read with SFTP packet. To know more about this news, check out NVD’s post. Linux use-after-free vulnerability found in Linux 2.6 through 4.20.11 Stable release of CUDA 10.0 out, with Turing support, tools and library changes ‘Peekaboo’ Zero-Day Vulnerability allows hackers to access CCTV cameras, says Tenable Research  

Yesterday the team at Mozilla announced that the company is receiving hundreds of bug reports and feature requests from Firefox users on a daily basis. The team noted that it’s important to get the bugs fixed as soon as possible for the smooth functioning of the systems. Also, the developers should quickly come to know that there is a bug in order to fix it. Bug triage, a process where tracker issues are screened and prioritised can be useful in such cases. However, even when developers come to know that bugs exist in the system, it is still difficult for the developers to closely look at each bug. The team at Mozilla has been using Bugzilla since years now which is a web-based general-purpose bugtracker and testing tool that group the bugs by product. But product assignment or the grouping process was done manually by the developers so this process failed to scale. Now Mozilla is experimenting with Machine Learning to train systems to triage bugs. BugBug It’s important to get the bugs in the eye of the right set of engineers, for which the team at Mozilla developed BugBug, a machine learning tool that assigns a product and component automatically for every new untriaged bug. By bringing the bugs into the radar of the triage owners, the team at Mozilla has made an effort towards decreasing the turnaround time to fix new issues. Training the BugBug model Mozilla has a large training set of data for this model which includes two decades worth of bugs that have been reviewed by Mozillians and assigned to products and components. The bug data can’t be used as-is and any change to the bug after triage would create trouble during operation. So the team at Mozilla rolled back the bug to the time it was originally filed. Out of 396 components, 225 components had more than 49 bugs filed in the past 2 years. During operation, the team performed the assignment when the model was confident enough of its decision and currently, the team is using a 60% confidence threshold. Ever since the team has deployed BugBug in production at the end of February 2019, they have triaged around 350 bugs. The median time for any developer to act on triaged bugs is 2 days. Usually, 9 days is the average time to act, but with BugBug the Mozilla team took just 4 days to remove the outliers. Mozilla plans to use Machine learning in the future The Mozilla team has planned to use machine learning to assist in other software development processes, such as identifying duplicate bugs, providing automated help to developers, and detecting the bugs important for a Firefox release. The team plans to extend BugBug to automatically assign components for other Mozilla products. To know more about this news, check out the post by Mozilla. Mozilla is exploring ways to reduce notification permission prompt spam in Firefox Mozilla launches Firefox Lockbox, a password manager for Android Mozilla’s Firefox Send is now publicly available as an encrypted file sharing service  

Microsoft made a series of new announcements, earlier this week. These include a new Microsoft Defender ATP for Mac, a first fully automated DNA data storage system, and the Revived Microsoft Office Assistant, Clippy. Microsoft Defender ATP for Mac Microsoft team announced yesterday that it's expanding the reach of the core components of its security platforms (including the new Threat & Vulnerability Management) to Mac devices. Also, the name of these unified endpoint security platforms has been updated to Microsoft Defender ATP (Advanced Threat Protection) from the prior Windows Defender ATP, keeping in mind its new cross-platform nature. “We’ve been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralized “single pane of glass” experience”, states the Microsoft Team. Users can install the Microsoft Defender ATP client on devices running macOS Mojave, macOS High Sierra, or macOS Sierra to manage and protect these devices. This app offers next-gen anti-malware protection, allowing users to review and perform configuration of their protection. Users can also configure the advanced settings, including disabling or enabling real-time protection, cloud-delivered protection, and automatic sample submission among others. Moreover, devices with alerts and detections will also get surfaced in the Microsoft Defender ATP portal. Security analysts and admins can then further review these alerts on Mac devices. Other than that, the Microsoft team also plans to bring Microsoft Intune in the future. This would enable the users to configure and deploy the settings via alternative Mac and MDM management tools such as JAMF. Fully automated DNA data storage system Microsoft announced the new and first fully automated DNA data storage system, yesterday. The system allows with the storage and retrieval of data in manufactured DNA. This move is aimed at moving the DNA tech out of the research lab and into commercial data centers, says the Microsoft team. The team (Microsoft researchers and University of Washington) successfully encoded the word “hello” in snippets of fabricated DNA. They then further converted it back to digital data with the help of a fully automated end-to-end system. This automated DNA data storage system makes use of the software developed by the Microsoft and UW team that helps convert the ones and zeros of digital data into the As, Ts, Cs, and Gs (the building blocks of DNA). It then leverages the inexpensive, ‘off-the-shelf’  lab equipment to allow the flow of necessary liquids and chemicals into a synthesizer. This synthesizer then builds the manufactured snippets of DNA and pushes them into a storage vessel. In case the system wants to retrieve the information, it can add other chemicals to properly prepare the DNA and uses microfluidic pumps to push the liquids into other parts of the system. This system is then able to “read” the DNA sequences and convert them back to information understandable by a computer. According to the researchers, “the goal of the project was not to prove how fast or inexpensively the system could work, but simply to demonstrate that automation is possible” Revived Office Assistant Clippy Microsoft revived its 90s Microsoft Office Assistant, called Clippy, earlier this week on Tuesday. Microsoft Office team brought back Clippy as an app that can offer animated Clippy stickers on chats in Microsoft Teams, company’s group chat software.These Clippy stickers were also released on Microsoft’s official Office developer GitHub page, allowing all the Microsoft Teams users to import and use these stickers for free. However, Clippy was removed yet again the next day. This is because the “brand police” within Microsoft was not happy with the reappearance of Clippy on Microsoft Teams, reports The Verge. The GitHub project associated with the same has also been removed. Clippy fans, however, are not happy with the company’s decision and have started a thread requesting Microsoft to bring back Clippy in Microsoft Teams. Microsoft brings PostgreSQL extension and SQL Notebooks functionality to Azure Data Studio Microsoft open-sources Project Zipline, its data compression algorithm and hardware for the cloud Microsoft announces Game stack with Xbox Live integration to Android and iOS

Researchers Michael Schwarz, Samuel Weiser, and Daniel Gruss from Graz University of Technology  have published a research paper that demonstrates how the Intel SGX currently poses as a security threat. The SGX (Software Guard eXtensions) allows malicious code to run on a system, which cannot be identified or analyzed by an antivirus software. SGX allows programs to establish protected enclaves for code and data, where none of the programs on the system can spy on it or tamper with it. The contents of an enclave are encrypted when written to RAM and decrypted upon being read. The processor does not allow code from outside the enclave to access the enclave’s memory. Researchers have used this model to understand what happens if the code inside the enclave itself is malicious. The SGX is designed in such a way that antimalware software will not be able to detect the malware, thus making these enclaves the perfect spot for planting malicious code. The researchers used an SGX-ROP attack that depicts the above, by including the the Transactional Synchronization eXtension(TSK)-based memory disclosure primitive as part of the process. The TSK was also a part of the Meltdown attacks launched on Intel processors. How does the attack take place? According to the researchers, since code in an enclave is quite restricted, it cannot make operating system calls, open files, read data from disk, or write to disk.  All of these attacks have to be performed from outside the enclave and only the encryption operation would occur within the enclave. That being said, the enclave code has the ability to read and write anywhere in the unencrypted process memory. To work with this model the TSX was used which provides a constrained form of transactional memory where a thread can modify different memory locations and then publish those modifications in one single atomic update. The enclave makes use of this functionality and scans the memory of the host process to find the components for its ROP payload and somewhere to write that payload. It  then redirects the processor to run that payload which can mark a section of memory as being executable, for the malware to put its own set of supporting functions someplace  it can access. What's more? The critical encryption will take place inside the enclave, making it impossible to extract the encryption key or even analyze the malware to find out what algorithm it's using to encrypt the data. Another thing to note is that malware isn't constrained by the enclave and it can subvert the host application to access operating system APIs, making way for attacks such as ransomware-style encryption of a victim's files. This is what an Intel spokesperson has replied to ZDNet in an email: “Intel is aware of this research which is based upon assumptions that are outside the threat model for Intel® SGX. The value of Intel SGX is to execute code in a protected enclave; however, Intel SGX does not guarantee that the code executed in the enclave is from a trusted source. In all cases, we recommend utilizing programs, files, apps, and plugins from trusted sources. Protecting customers continues to be a critical priority for us, and we would like to thank Michael Schwarz, Samuel Weiser, and Daniel Gruss for their ongoing research and for working with Intel on coordinated vulnerability disclosure”. The research paper outlines 4 simple steps required to perform the attack: The malicious enclave scans the host application for usable ROP gadgets using the read primitive The enclave identifies writable memory caves through the write primitive and injects the arbitrary malicious payload into those caves. The enclave uses the gadgets identified in step 1 to construct a ROP chain and injects it into the application stack. The enclave returns execution to the host application. Once the application hits the ROP chain on the stack, the actual exploitation starts. The ROP chain runs with host privileges and then the attacker can issue arbitrary system calls to hack into the system. You can head over to the Research paper to know more about the methodology followed by the researchers for this attack. Linux 4.20 kernel slower than its previous stable releases, Spectre flaw to be blamed, according to Phoronix Seven new Spectre and Meltdown attacks found Intel announces 9th Gen Core CPUs with Spectre and Meltdown Hardware Protection amongst other upgrades

Google made its scalable fuzzing tool, called ClusterFuzz available as open source, yesterday. ClusterFuzz is used by Google for fuzzing the Chrome Browser, a technique that helps detect bugs in software by feeding unexpected inputs to a target program. For fuzzing to be effective, it should be continuous, done at scale, and integrated into the development process of a software project. ClusterFuzz can run on clusters with over 25,000 machines and can effectively highlight security and stability issues in software. It serves as the fuzzing backend for OSS-Fuzz, a service that Google released back in 2016. ClusterFuzz was earlier offered as free service to open source projects through OSS-Fuzz but is now available for anyone to use. ClusterFuzz comes with a variety of features that help integrate fuzzing into a software project's development process. Here are some of the key features in ClusterFuzz: Helps with accurate deduplication of crashes. Comes with a fully automatic bug filing and closing for issue trackers. Includes statistics for analyzing fuzzer performance, and crash rates. Comprises easy-to-use web interface for management and viewing crashes. ClusterFuzz has so far tracked more than 16,000 bugs in Chrome and over 11,000 bugs in more than 160 open source projects integrated with OSS-Fuzz. ClusterFuzz can detect bugs hours after they have been introduced and is capable of verifying the fix within a day. “We developed ClusterFuzz over eight years to fit seamlessly into developer workflows, and to make it dead simple to find bugs and get them fixed. Through open sourcing ClusterFuzz, we hope to encourage all software developers to integrate fuzzing into their workflows.”, states the ClusterFuzz team members. For more information, check out the ClusterFuzz’s official GitHub repository. Google expands its Blockchain search tools, adds six new cryptocurrencies in BigQuery Public Datasets Transformer-XL: A Google architecture with 80% longer dependency than RNNs Google News Initiative partners with Google AI to help ‘deep fake’ audio detection research

Security Researchers have discovered a new backdoor trojan, dubbed as ‘SpeakUp’ which exploits known vulnerabilities in six different Linux distributions and has the ability to infect MacOS. This trojan discovered by Check Point Research, is being utilised in a crypto mining campaign that has targeted more than 70,000 servers worldwide so far. Attackers have been using SpeakUp in a campaign to deploy Monero cryptocurrency miners on infected servers thus earning around 107 Monero coins (around $4,500). Last month, the backdoor was spotted for the first time and researchers discovered a built-in Python script that allowed the trojan to spread through the local network, laterally. The virus remains undetected, has complex propagation tactics, and the threat surface contains servers that run the top sites on the internet. What can this trojan do? Vulnerable systems that have been affected by this trojan allow the hackers to perform a host of  illicit activities like modification of the local cron utility to gain boot persistence, take control over shell commands, execute files downloaded from a remote command and control (C&C) server, and update or uninstall itself. According to the researchers, SpeakUp has already been spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. The hackers behind SpeakUp are using an exploit for the ThinkPHP framework to infect servers and the researchers have not  seen the attackers targeting anything except ThinkPHP. The trojan has been crafted with complexity and can scan local networks for open ports, use a list of pre-defined usernames and passwords to brute-force nearby systems and take over unpatched systems using one of these seven exploits: CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities CVE-2010-1871: JBoss Seam Framework remote code execution JBoss AS 3/4/5/6: Remote Command Execution CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware. Hadoop YARN ResourceManager - Command Execution CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability. Security researchers have also pointed out to the fact that the SpeakUp’s authors have the ability to download any code they want to the servers. “SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.” According to Threatpost, Oded Vanunu, head of products vulnerability research for Check Point, said that “the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. Since these software can be deployed on virtual servers, all cloud infrastructure are also prone to be affected.” According to the analysis by Check Point Research, the malware is currently distributed to Linux servers mainly located in China. Lotem Finkelstein, one of the Check Point researchers told ZDNet that “the infections in non-Chinese countries comes from SpeakUp using its second-stage exploits to infect companies' internal networks, which resulted in the trojan spreading outside the normal geographical area of a Chinese-only PHP framework.” You can head over to Check Point Research official post for a break down of how this trojan works as well as an analysis of its impact. Git-bug: A new distributed bug tracker embedded in git Fortnite just fixed a bug that let attackers to fully access user accounts, impersonate real players and buy V-Buck 35-year-old vulnerabilities in SCP client discovered by F-Secure researcher

Yesterday, Epic Games, the developer of Fortnite, an online video game acknowledged the existence of a bug in the game (Fortnite). This bug could let attackers access user accounts by impersonating as real gamers and purchase V-Buck, Fortnite’s in-game currency with credit cards. This bug could also eavesdrop on record players’ in-game conversation and background home conversations. Just two months ago, researchers at Check Point Research found the vulnerabilities and informed Epic Games which then fixed the vulnerability. In a statement to Washington Post, Oded Vanunu, Check Point’s head of products vulnerability research said, "The chain of the vulnerabilities within the log-in flow provide[d] the hacker the ability to take full control of the account.” According to an analysis made by market research company SuperData, last year, with the help of Fortnite, Epic Games was leading the market for free-to-play games by earning $2.4 billion in revenue. 10 months ago, a user shared his experience on Reddit regarding his account being hacked. The hacker used all his money using his card for buying V-Bucks. The post reads, “It appears my epic games account was hacked this past weekend, and they proceeded to spend all the money they could on v-bucks (which was all of it).” The victim also added a note, “ I've never tried signing up for free v-bucks or anything of the sort. I think I've just used the same password email combo too many times and at some point it was leaked in some data breach.” In spite of refund by Epic team the online gaming world doesn’t look that safe. But this post has some comments which clearly states how scared users are. One of the users commented, “Well, after reading this I just deleted my PayPal from my Epic Games account. Definitely going to run with entering details each time instead of storing them.” The thread has some comments which suggests having a two-way verification, changing passwords frequently and using prepaid cards if possible for online games. In a statement to The Verge, Epic Games said, “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.” Hackers deceive players in various ways, one of which is, asking users to log into fake websites that promised to generate V-Buck. These sites ask gamers to enter their game login credentials and personal information like name, address and credit card details, which further get misused. Usually, such scams are promoted via social media campaigns that claim gamers can “earn easy cash” or “make quick money”. Check Point’s research found out a vulnerability in the game that didn’t even require the login details for the attackers to attack. An XSS (cross-site scripting) attack was responsible according to researchers, which would just require users to click on a link sent to them by the attacker. As soon as the user would click the link, their Fortnite username and password would immediately be captured by the attacker, without the need for them to enter any login credentials. According to the researchers, this bug would let hackers steal pieces of code to identify a gamer when he/she logs into the game by a third-party account such as Xbox Live or Facebook. After accessing a gamer’s account in Fortnite with these security tokens, hackers could buy weapons, in-game currency, or even cosmetic accessories. To know more about the bug in Fortnite, check out the report and YouTube video by Check Point. Hyatt Hotels launches public bug bounty program with HackerOne 35-year-old vulnerabilities in SCP client discovered by F-Secure researcher Fortnite server suffered a minor outage, Epic Games was quick to address the issue

Yesterday, Harry Sintonen, researcher at F-Secure, discovered 35-year-old vulnerabilities associated with SCP (Secure Copy Protocol) client, a network protocol, that uses Secure Shell (SSH) for data transfer between hosts on a network. These SCP clients are susceptible to a malicious SCP server, which could perform unauthorized changes to the target directory. In 2000, a directory traversal bug was found in the SCP client in SSH, which got fixed then. Vulnerabilities discovered One of the vulnerabilities associated with SCP clients lets the attackers write arbitrary malicious files to the target directory on the client machine. The attackers can change the permissions on the directory to allow further compromises. Another vulnerability is that the SCP clients are failing to verify how valid is the object returned to it after a download request. The consequences are severe as an attacker who controls the server can easily drop arbitrary files into the directory from which the user runs SCP (similar to a man-in-the-middle attack). The list of major vulnerabilities discovered are: CWE-20: SCP client improper directory name validation [CVE-2018-20685] With the help of empty ("D0777 0 \n") or dot ("D0777 0 .\n") directory name, the SCP client permits the server to modify permissions of the target directory. CWE-20: SCP client missing received object name validation [CVE-2019-6111] Since the SCP implementation has been derived from 1983 rcp (1), the server can choose which files/directories are sent to the client. According to the post by Sintonen, “A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).” This vulnerability is known as CVE-2018-20684 in WinSCP. CWE-451: SCP client spoofing via object name [CVE-2019-6109] The object name can be used to manipulate the client output as there is a missing character encoding in the progress display. For example to employ ANSI codes to hide additional files being transferred. CWE-451: SCP client spoofing via stderr [CVE-2019-6110] A malicious server can manipulate the client output by accepting and displaying arbitrary stderr output from the SCP server. These vulnerabilities affect the SCP client implementations in Red Hat, Debian, and SUSE Linux, OpenSSH version 7.9 and earlier, and few versions of WinSCP. How to overcome these vulnerabilities? For OpenSSH Users can switch to sftp or apply the https://sintonen.fi/advisories/scp-name-validator.patch for hardening scp against server-side manipulation attempts. A note by Sintonen : This patch may cause problems if the the remote and local shells don't agree on the way glob() pattern matching works. YMMV. For WinSCP One can upgrade to WinSCP 5.14 or later versions. There are no fixes available for PuTTY yet and users are refraining from using PuTTY. One of the users commented on HackerNews, “I strongly discourage anyone from using PuTTY, not for this reason, but for its weird and nonstandard handling of SSH keys.” Users are now more skeptical to deal with the network while downloading their files and transferring them. Most of us highly rely on SSH as we think it is secure and trusted, but should we continue trusting it? Is it advisable to blindly trust and not take preventive measure beforehand? One of the users commented on HackerNews, “We trust a lot of things, and maybe we shouldn't. I use SCP infrequently and on machines that I control, so that's a level of risk I'm comfortable with.” Another user commented on the HackerNews thread, “The argument that you trusted this server enough to connect to it and download a file, therefore you clearly should trust it enough to permit it to execute arbitrary executables on your machine, is false in both cases.” Another user advises accessing data in offline mode by shutting down the instance and connecting the storage as secondary storage on another instance. The user further suggests discarding the storage as soon as the work is done. The data can also be downloaded at the hypervisor level. Another comment on HackerNews reads, “You can't physically access the disk, but you often can download a snapshot or disk image, which is created at the hypervisor level.” To know more about the vulnerabilities, check out the post by Sintonen advisories. OpenSSH, now a part of the Windows Server 2019 OpenSSH 7.9 released OpenSSH 7.8 released!

Hyatt Hotels Corporation launched its bug bounty program with HackerOne, earlier this week. As part of the bug bounty program, ethical hackers are invited to test Hyatt websites and apps to spot potential vulnerabilities in them. “At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” stated Hyatt Chief Information Security Officer Benjamin Vaughn. Hyatt Hotels Corporation is headquartered in Chicago and is a leading global hospitality company comprising a portfolio of 14 premier brands. Hyatt’s portfolio includes more than 750 properties in more than 55 countries across six continents. Hyatt decided to choose HackerOne bug bounty program after conducting a deep review of the bug bounty marketplace. The Bug Bounty program by HackerOne rewards friendly hackers who help discover security vulnerabilities in various important software on the internet. Hyatt is the first in the hotel industry to launch bug bounty program. “By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers”, stated the Hyatt team. The bug bounty program launched by Hyatt with Hackerone was originally available as an invite-only private program where it paid the hackers about $5600 in bounties (bug bounty rewards). This has changed as the bug bounty program is now public. Hackers are allowed to search for vulnerabilities on hyatt.com domain, www.hyatt.com,  m.hyatt.com, world.hyatt.com, and on Hyatt’s mobile apps for iOS and Android. The company will be paying hackers $4000 for spotting critical vulnerabilities, and $300 for low severity issues. The company will be rewarding hackers for tracking vulnerabilities such as novel Origin IP address discovery, authentication bypass, back-end system access via front-end systems, business logic bypass, container escape, SQL Injection, cross-site request forgery, exploitable cross-site scripting, and WAF bypass, among other issues. “Bug bounty programs are a proven method for advancing an organization’s cybersecurity defenses. In today’s connected society, vulnerabilities will always be present. Organizations like Hyatt are leading the way by taking this essential step to secure the data they are trusted to hold”, said HackerOne CEO Marten Mickos. EU to sponsor bug bounty programs for 14 open source projects from January 2019 Airtable, a Slack-like coding platform for non-techies, raises $100 million in funding The ‘Flock’ program provides grants to Aragon teams worth $1 million

Researchers from the North China Electric Power University have recently published a paper titled, ‘A Review on The Use of Deep Learning in Android Malware Detection’. Researchers highlight the fact that Android applications can not only be used by application developers, but also by malware developers with criminal intention to design and spread malicious applications that can affect the normal work of Android phones and tablets, steal personal information and credential data, or even worse lock the phone and ask for ransom. In this paper, they have explained how deep learning methods can be used as a countermeasure in Android malware detection to fight back malware. Android Malware Detection Techniques Researchers have said that one critical point of mobile phones is that they are a sensor-based event system, which permits malware to respond to approaching SMS, position changes and so forth, increasing the sophistication of automated malware-analysis techniques. Moreover, the apps can use services and activities and integrate varied programming languages (e.g. Java and C++) in one application. Each application is analyzed in the following stages: Static Analysis The static analysis screens parts of the application without really executing them. This analysis incorporates Signature-based, Permission-based and Component-based analysis. The Signature-based strategy draws features and makes distinctive signs to identify specific malware. Hence, it falls short to recognize the variation or unidentified malware. The Permission-based strategy recognizes permission requests to distinguish malware. The Component-based techniques decompile the APP to draw and inspect the definition and byte code connections of significant components (i.e. activities, services, etc.), to identify the exposures. The principal drawbacks of static analysis are the lack of real execution paths and suitable execution conditions. Dynamic Analysis This technique includes the execution of the application on either a virtual machine or a physical device. This analysis results in a less abstract perspective of application than static analysis. The code paths executed during runtime are a subset of every single accessible path. The principal objective of the analysis is to achieve high code inclusion since every feasible event ought to be activated to watch any possible malicious behavior Hybrid Analysis The hybrid analysis technique includes consolidating static and dynamic features gathered from examining the application and drawing data while the application is running, separately. Nevertheless, it would boost the accuracy of the identification. The principal drawback of hybrid analysis is that it consumes the Android system resources and takes a long time to perform the analysis. Use of deep learning in Android malware detection Currently available machine learning has several weaknesses and some open issues related to the use of DL in Android malware detection include: Deep learning lacks transparency to provide an interpretation of the decision created by its methods. Malware analysts need to understand how the decision was made. There is no assurance that classification models built based on deep learning will perform in different conditions with new data that would not match previous training data. Deep learning studies complex correlations within input and output feature with no innate depiction of causality. Deep learning models are not autonomous and need continual retraining and rigorous parameters adjustments. The DL models in the training phase were subjected to data poisoning attacks, which are merely implemented by manipulating the training and instilling data that make a deep learning model to commit errors. In the testing phase, the models were exposed to several attack types including: Adversarial Attacks are where the DL model inputs are the ones that an adversary has invented deliberately to cause the model to make mistakes Evasion attack: Here, the intruder exploits malevolent instances at test time to have them incorrectly classified as benign by a trained classifier, without having an impact over the training data. This can breach system integrity, either with a targeted or with an indiscriminate attack. Impersonate attack: This attack mimics data instances from targets. The attacker plans to create particular adversarial instances to such an extent that current deep learning-based models mistakenly characterize original instances with different tags from the imitated ones. Inversion attack: This attack uses the APIs allowed by machine learning systems to assemble some fundamental data with respect to the target system models. This kind of attack is divided into two types; Whitebox attack and Blackbox attack. The white-box attack implies that an aggressor can loosely get to and download learning models and other supporting data, while the black-box one points to the way that the aggressor just knows the APIs opened by learning models and some observation after providing input. According to the researchers, hardening deep learning models against different adversarial attacks and detecting, describing and measuring concept drift are vital in future work in Android malware detection. They also mentioned that the limitation of deep learning methods such as lack of transparency and being nonautonomous, is to build more efficient models. To know more about this research in detail, read the research paper. Researchers introduce a deep learning method that converts mono audio recordings into 3D sounds using video scenes IEEE Computer Society predicts top ten tech trends for 2019: assisted transportation, chatbots, and deep learning accelerators among others Stanford researchers introduce DeepSolar, a deep learning framework that mapped every solar panel in the US

Julia Reda, EU member of the parliament, announced, last week, that EU will be funding the internet bug bounty programs for 14 out of the total 15 open source projects, starting January 2019. The Internet Bug Bounty programs are rewards for friendly hackers who actively search for security vulnerabilities and issues. The program is managed by a group of volunteers that are selected from the security community. The amount of the bounty depends on how severe the issue uncovered is and the importance of the software. The amount ranges from 25,000,00 Euros and all the way up to 89,000,00 Euros. The 14 open source projects include: Filezilla Apache Kafka Notepad++ PuTTY VLC media player FLUX TL KeePass 7-zip Digital Signature services (DSS) Drupal GNU C library (glibc) The Symfony PHP framework Apache Tomcat WSO2 MidPoint. EU is sponsoring the bug bounty programs as a part of their third edition of the Free and Open Source Software Audit project (FOSSA). Reda mentions that FOSSA project that started in 2015, was an initiative to encourage promotion of free and open source software. “In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.The issue made lots of people realize how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure”, mentions Reda. People can contribute to the projects mentioned by EU by analyzing the software, and submitting any bugs or issues found in these software on bug bounty platforms such as Hackerone and Intigriti/Deloitte. For more information, check out Julia Reda’s official blog post. Mozilla funds winners of the 2018 Creative Media Awards for highlighting unintended consequences of AI in society Airtable, a Slack-like coding platform for non-techies, raises $100 million in funding The ‘Flock’ program provides grants to Aragon teams worth $1 million

Malware or a malicious software is designed to harm user’s computer systems in multiple ways. Over the years, hackers and attackers have implemented various methods to inject viruses, worms, Trojans, and spyware to collapse a computer system. To combat against the current age malware, you must know how a malware function and what techniques attackers use to launch a malware within a system. Some advanced malware techniques include: Privilege Escalation is how a malware attempts to increase its reach within the system. Persistence Methods keep malware in execution state for a longer time. Data Encoding basically explores ways to hide the intent of the malware. Covert launching techniques help in launching malware in the most stealthy manner. Out of the three, privilege escalation is a network intrusion method where malware can enter the system via programming errors or design flaws. With the help of these channels, the attacker can have a direct access to the network and its associated data and applications. Watch the video below by Munir Njenga to know all about privilege escalation and its types in depth using real world examples. https://www.youtube.com/watch?v=Qzlkw5sJUsw About Munir Njengar Munir is a technology enthusiast, cybersecurity consultant, and researcher. His skills and competencies stem from his active involvement in engagements that deliver advisory services such as network security reviews, security course development, training and capacity building, mobile and internet banking security reviews (BSS, MSC, HLR/AUC, IN, NGN, GGSN/SGSN), web applications, and network attack and penetration testing. To know more about privilege Escalation and to learn other malware analysis methods, check out our course titled ‘Advanced Malware Analysis’ to which this video belongs.

git-bug is a distributed bug tracker that is embedded in git. Using git's internal storage ensures that no files are added in your project. You can push your bugs to the same git remote that you are already using to collaborate with other people. The main idea behind implementing a distributed bug tracker in Git was to stop relying on a web service somewhere to deal with bugs. Browsing and editing bug reports offline wouldn’t be much of a pain, thanks to this implementation. While git-bug addresses a pressing need, note that the project is not yet available for full fledged use and is currently a proof of concept released just 3 days ago at version 0.2.0. Reddit is abuzz with views on the release. A user quotes- Source: reddit.com Certain users also had counter thoughts on the cons of the release - Source: reddit.com   Now that you want to get your hands on git-bug, let’s look at how to get started. Installing git-bug, Linux packages needed and CLI usage for its implementation To install the git-bug, all you need to do is execute the following command- go get github.com/MichaelMure/git-bug If it's not done already, add golang binary directory in your PATH: export PATH=$PATH:$GOROOT/bin:$GOPATH/bin You can set pre-compiled binaries by following 3 simple steps: Head over to the release page and download the appropriate binary for your system. Copy the binary anywhere in your PATH Rename the binary to git-bug (or git-bug.exe on windows) The only linux packge needed for this release is the Archlinux (AUR) Further, you can use the CLI to implement the git-bug using the following commands- Create a new bug: git bug new Your favorite editor will open to write a title and a message. You can push your new entry to a remote: git bug push [<remote>] And pull for updates: git bug pull [<remote>] List existing bugs: git bug ls   Use commands like show, comment, open or close to display and modify bugs. For more details about each command, you can run git bug <command> --help or scan the command's documentation. Features of the git-bug #1 Interactive User Interface for the terminal Use the git bug termui  command to browse and edit bugs. This short video will demonstrate how easy and interactive it is to browse and edit bugs #2 Launch a rich Web UI Take a look at the awesome web UI that is obtained with git bug webui. Source: github.com     Source: github.com   This web UI is entirely packed inside the same go binary and serve static content through a localhost http server. It connects to  backend through a GraphQL API. Take a look at the schema for more clarity. The additional features that are planned include media embedding import/export of github issue extendable data model to support arbitrary bug tracker inflatable raptor Every new release is expected to come with exciting new features, it is also coupled with a few minor constraints. You can check out some of the minor inconveniences as listed out on the github page. We can’t wait for the release to be in a fully working condition. But before that, if you need any additional information on how the git-bug works, head over to the github page. Snapchat source code leaked and posted to GitHub GitHub open sources its GitHub Load Balancer (GLB) Director Homebrew’s Github repo got hacked in 30 mins. How can open source projects fight supply chain attacks?

Recently, Cisco and Huawei had faced a major breach in their routers where attackers used two different bypass methods. Hackers managed to compromise Cisco routers through a backdoor attack while Huawei was a victim of botnets. This year has been crucial for big players targeted with modern cyber attacks like Meltdown and Spectre. Who would have ever imagined a CD being the cause of a security breach in the year 2018. However, this time hackers have taken an old school approach or must I say one of the most unexpected methods of opening a backdoor to sensitive information. Packages with China postmarks had ended-up at several local and state government offices. The envelope contained a rambling letter and a small CD. The letter included lengthy paragraphs about fireworks, parades, and film industry but nothing in particular. While the CD contained a set of Word files that consisted of script-based malware. These scripts were supposed to run when the government officials would access them on their computers, eventually compromising that system. Well, people usually end up with blunders when they are confused or curious. The hackers knew exactly how to kick the victims curiosity and confusion into high gear. Until now, State Department of Cultural Affairs, State Historical Societies, and State Archives have received these packages addressed specifically to them. The MS-ISAC claim that these CDs included Mandarin language Microsoft Word (.doc) files from which a few include malicious Visual Basic scripts. It’s not very clear if anyone was tricked into inserting the disk in government systems. Well, it's common sense that you don’t insert a random disk into your system, but that’s not always the case. In 2016, a study found 50% of people plugging-in random USB devices into their system found at public places. The government agencies receiving these packages look quite strange but may be the hackers are looking at breaching a system where they won’t be detected easily; the perfect spot to quickly attack a bigger target. Human curiosity can lead to an invention or a disaster, but, in the security chain, humans are considered as the most delicate link. It’s quite obvious to not insert a random storage device into your systems, but here the hackers have shelled a little cash to target victims still using CD-ROMs in this modern age.  Now the only thing state agencies can hope for is that no one accidentally or out of curiosity inserts disks or USB devices of unknown origin into government systems. Related Links Top 5 cybersecurity trends you should be aware of in 2018 Intel’s Spectre variant 4 patch impacts CPU performance NetSpectre attack exploits data from CPU memory

E-mail is the traditional, primary, and the most vital part of communication within business organizations. They hold minutes of important discussions, confidential documents as attachments, high-profile business contact details, and much more. Hence, hackers or intruders often use emails as a medium to deliver dangerous content to the victim via attachments or by providing links to malicious websites. Companies throughout the world take huge efforts to detect malicious content within their communication media by setting up robust antivirus firewalls. But, how secure are they? Many choose antivirus engines based on their popularity than its performance. The myth that famous antivirus packages get you utmost security is now debunked by Email-sec-360°. According to Phys Org, it surpasses 60 other popular antivirus packages known to us. Email-sec-360° is developed by Aviad Cohen, a Ph.D. student, and researcher at the Ben-Gurion University of the Negev (BGU) Malware Lab researchers. It detects unknown, malicious emails much more accurately than the popular antivirus products such as Kaspersky, McAfee, Avast, etc. Email-sec-360° vs other popular antivirus engines Present antivirus engines use rule-based methods to analyze specific email sections. These often overlook the other important parts of the email. Dr. Nir Nissim, head of the David and Janet Polak Family Malware Lab at Cyber@BGU, stated that the existing antivirus engines use signature-based detection methods. These methods are at times insufficient for detecting new and unknown malicious emails. However, Email-sec-360° is based on machine learning methods and leverages 100 general descriptive features extracted from all email components, which include the header, body and attachments. Also an interesting fact about this method is that, it does not require an internet access. Thus, it provides a seamless threat detection in real-time and can be easily deployed by any individual or organizations. A well-experimented approach by the Malware Lab The researchers used a collection of 33,142 emails, which included 12,835 malicious and 20,307 benign emails obtained between 2013 and 2016. Later, they compared their detection model to 60 industry-leading antivirus engines as well as previous research. On doing this, they found their system to outperform the next best antivirus engine, Cyren, by a 13 percent range. BGU’s Malware Lab method vs the others BGU Malware Lab plan to extend this method by including research and analysis of attachments (PDFs and Microsoft Office documents) within the Email-sec-360°. Dr. Nissim adds,”since these are often used by hackers to get users to open and propagate viruses and malware.” They are also planning to develop an online system that evaluates the security risk posed by an email message. This system will be based on advanced machine learning methods and would also allow users to submit suspicious email messages and quickly obtain a maliciousness score. The system will further recommend on how to treat the email and would help to collect benign and malicious emails for research purposes. Read more about Email-sec-360° in the Phys Org blog post Pentest tool in focus: Metasploit 12 common malware types you should know 4 Ways You Can Use Machine Learning for Enterprise Security