
Tech News - Cybersecurity

373 Articles
Intel discloses four new vulnerabilities labeled MDS attacks affecting Intel chips

Savia Lobo
15 May 2019
7 min read
Yesterday, Intel and a group of microarchitecture security researchers disclosed four new exploitable vulnerabilities in Intel’s chips. These vulnerabilities expose extremely sensitive data and processes from a victim’s CPU to the attacker. Intel has grouped the vulnerabilities together under the name Microarchitectural Data Sampling, or MDS attacks. MDS is a sub-class of the previously disclosed speculative execution side channel vulnerabilities and comprises four closely related CVEs. They were first identified by Intel’s internal researchers and partners and independently reported to Intel by external researchers. The four are:

Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127
Fallout: Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126
ZombieLoad or RIDL: Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130
Microarchitectural Data Sampling Uncacheable Sampling (MDSUM) - CVE-2019-11091

Researchers have named some of these vulnerabilities ZombieLoad, Fallout, and RIDL (Rogue In-Flight Data Load), with ZombieLoad considered the most dangerous because it can scrape more data than the rest.

Intel said that ARM and AMD chips are not likely vulnerable to MDS attacks, and that some Intel models released last month already include a fix. However, all of the Intel chips the researchers tested, going back as far as 2008, were affected.

According to a report by ZDNet, “The good news is that Intel had more than a year to get this patched, and the company worked with various OS and software vendors to coordinate patches at both the hardware and software level. Both the hardware (Intel CPU microcode updates) and software (OS security updates) protections must be installed at the same time to fully mitigate MDS attacks. If patches aren't available yet, disabling the Simultaneous Multi-Threading (SMT) feature on Intel CPUs will significantly reduce the impact of all MDS attacks.”

In these new cases, researchers found that they could use speculative execution to trick Intel’s processors into grabbing sensitive data as it moves from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip’s components, such as between a processor and its cache, the small portion of memory allocated to the processor to keep frequently accessed data close at hand.

Cristiano Giuffrida, one of the researchers in the VUSec group at Vrije Universiteit Amsterdam who discovered the MDS attack, said, "It's kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them. We hear anything that these components exchange."

ZombieLoad side-channel attack

ZombieLoad, a side-channel attack, is the leading attack among the new vulnerabilities and falls in the same category as Meltdown, Spectre, and Foreshadow. It is exploited by taking advantage of speculative execution, an optimization technique that Intel added to its CPUs to improve data processing speed and performance.

ZombieLoad gets its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask its microcode for help to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said microcode patches will help clear the processor’s buffers, preventing the data from being read.

“Like Meltdown and Spectre, it’s not just PCs and laptops affected by ZombieLoad — the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device”, TechCrunch reports.

Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That is potentially a major problem in cloud environments, where different customers’ virtual machines run on the same server hardware. Although no attacks have been publicly reported, the researchers couldn’t rule them out, nor would any attack necessarily leave a trace, they said. Gruss said it was “easier than Spectre” but “more difficult than Meltdown” to exploit, and both required a specific set of skills and effort to use in an attack. But if exploit code was compiled in an app or delivered as malware, “we can run an attack,” he said.

Intel has released microcode to patch vulnerable processors. Apple, Microsoft, and Google have also released patches, with other companies expected to follow.

“In a call with TechCrunch, Intel said the microcode updates, like previous patches, would have an impact on processor performance. An Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a datacenter environment. But, the spokesperson said, it was unlikely to be noticeable in most scenarios. And neither Intel nor Gruss and his team have released exploit code, so there’s no direct and immediate threat to the average user”, TechCrunch reports.

Is ZombieLoad a security threat for Linux systems?

As a defense against ZombieLoad, a ZDNet report suggests, “To defend yourself, your processor must be updated, your operating system must be patched, and for the most protection, Hyper-Threading disabled.”

Red Hat rated CVE-2018-12130 (ZombieLoad) with a severity impact of "important", while the other three are rated moderate.

Greg Kroah-Hartman, the stable Linux kernel maintainer, wrote in an announcement email, “I'm announcing the release of the 5.1.2 kernel. All users of the 5.1 kernel series must upgrade. Well, kind of, let me rephrase that... All users of Intel processors made since 2011 must upgrade.”

“Red Hat noted all its Linux distributions from Red Hat Enterprise Linux (RHEL) 5 on up to the new RHEL 8 are affected. Platforms based on these Linux distros, such as Red Hat Virtualization and Red Hat OpenStack, are also vulnerable”, ZDNet reports.

Chris Robinson, Red Hat's product security assurance manager, explained: "These vulnerabilities represent an access restriction bypass flaw that impacts many Intel CPUs and many of the operating systems that enable that hardware. Working with other industry leaders, Red Hat has developed kernel security updates for products in our portfolio to address these vulnerabilities. We are working with our customers and partners to make these updates available, along with the information our customers need to quickly protect their physical systems, virtual images, and container-based deployments."

According to a Wired post, “VUSec's Giuffrida notes that his team was paid $100,000 by Intel for their work as part of the company's "bug bounty" program that rewards researchers who warn the company about critical flaws. That's hardly the kind of money paid out for trivial issues, he points out. But he also says that Intel at one point offered VUSec only a $40,000 bug bounty, accompanied by a $80,000 "gift"—which Giuffrida saw as an attempt to reduce the bounty amount cited publicly and thus the perceived severity of the MDS flaws. VUSec refused the offer of more total money in favor of a bounty that better reflected the severity of its findings, and it threatened to opt out of a bug bounty in protest. Intel changed its offer to the full $100,000.”

To know more about this news, read Intel’s official blog post.
Atlassian Bitbucket, GitHub, and GitLab take collective steps against the Git ransomware attack

Bhagyashree R
15 May 2019
4 min read
Yesterday, Atlassian Bitbucket, GitHub, and GitLab published a joint incident report in the wake of the Git ransomware attack on the three platforms earlier this month. The post sheds light on the details of the ransom event, the measures the platforms are taking to protect users, and the next steps affected repository owners should take.

https://twitter.com/github/status/1128332167229202433

The Git ransom attack

On May 2, the security teams at Atlassian Bitbucket, GitHub, and GitLab started getting numerous reports from users about their accounts being compromised. The reports said that the source code in their repositories, both private and public, was being wiped and replaced with the following ransom note:

“To recover your lost data and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at admin@gitsbackup.com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we don't receive your payment in the next 10 Days, we will make your code public or use them otherwise.”

The user accounts were compromised using legitimate user credentials, including passwords, app passwords, API keys, and personal access tokens. After gaining access to the accounts, the attackers performed command-line Git commits that overwrote the source code in the repositories with the ransom note.

To recover your repository, if you have its latest copy on your computer, you can force push the local copy to the current HEAD using the ‘git push origin HEAD:master --force’ command. If not, you can clone the repository and use the git reflog or git fsck commands to find your last commit and change the HEAD.

What the investigation revealed

A basic GitHub search shows that 267 repositories were affected by the ransom attack. While investigating how the credentials leaked, the security teams found a public third-party credential dump hosted by the same hosting provider from which the attack had originated. The dump contained credentials for nearly one-third of the attacked accounts. After finding this out, the platforms invalidated those credentials by resetting or revoking them.

On further investigation, it was found that the same IP address as the attacker had been continuously scanning for publicly exposed .git/config and other environment files, which may contain sensitive information like credentials and personal access tokens. Similar scanning behavior from other IPs residing on the same hosting provider was also found.

How you can protect your repositories from such attacks

Strong and unique passwords: Users should use strong and unique passwords, as attackers can easily crack simple passwords through brute-force attacks.

Enabling multi-factor authentication (MFA): Users are recommended to use multi-factor authentication, which is supported on all three platforms. MFA provides better security by combining two or more independent credentials for authentication.

Understanding personal access tokens (PATs) and their risks: PATs serve as an alternative to passwords when you are using two-factor authentication. Users should ensure that these are not publicly accessible in repositories or on web servers, as in some situations these tokens may have read or write access to repositories. The report further recommends storing them as environment variables and avoiding hardcoding them into programs.

Additionally, the three platforms offer other features that can help prevent such attacks from recurring. Bitbucket gives admins the ability to control user access through IP Whitelisting on its Premium plan. GitHub performs token scanning on public repositories to check for known token formats and notifies the service providers if secrets are published to public GitHub repositories. GitLab 11.9 comes with a feature called Secret Detection that scans repositories to find API keys and other information that should not be there.

To read the official announcement, check out the joint incident report on the GitLab blog.
Rust’s recent releases 1.34.0 and 1.34.1 affected by a vulnerability that can cause memory unsafety

Bhagyashree R
14 May 2019
2 min read
Last week, the Rust team was informed about a vulnerability in Rust’s standard library, the details of which they shared yesterday. The vulnerability is caused by a function that was stabilized in the Rust 1.34.0 and 1.34.1 releases. The Common Vulnerabilities and Exposures (CVE) id for this vulnerability is CVE-2019-12083.

What is the vulnerability?

The Rust standard library contains the `Error::type_id` method, which lets you acquire the TypeId (a globally unique identifier for a type) of the underlying error type in order to downcast back to the original type. The vulnerability arises when the method is manually implemented incorrectly and then interacts with the `Error::downcast` family of functions, which can cast a value to the wrong type. Though the standard library has a default implementation of `Error::type_id`, it can also be manually implemented by downstream crates. This can cause security issues such as out-of-bounds reads and writes. If your code does not have a manual implementation of `Error::type_id`, then it is safe.

This vulnerability affects two versions, Rust 1.34.0 and 1.34.1, which were released last month. Also, since the function has been part of all releases starting from Rust 1.0.0, code compiled with the nightly distribution may have been affected as well.

What are the mitigation steps?

The Rust team recommends immediately removing any manual implementations of `Error::type_id` and inheriting the default implementation, which is safe. As a long-term measure, the team plans to destabilize this function, which will be a breaking change both for users calling `Error::type_id` and for users overriding it. The team further wrote, “We will be releasing a 1.34.2 point release on 2019-05-14 (tomorrow) which reverts #58048 and destabilizes the Error::type_id function. The upcoming 1.35.0 release along with the beta/nightly channels will also all be updated with a destabilization.”

Read the full announcement on Rust’s official website.
A WhatsApp vulnerability enabled attackers to inject Israeli spyware on users’ phones

Bhagyashree R
14 May 2019
4 min read
Earlier this month, a major vulnerability was discovered in WhatsApp by its security team that allowed attackers to remotely install surveillance software on iOS and Android smartphones. The malicious software was injected into users’ phones by making WhatsApp voice calls, regardless of whether the user answered the call or not. In some cases, these calls simply vanished from the call logs, leaving the targeted users unaware of the attack. The spyware may also have allowed an attacker to read messages from the affected device.

Facebook, which owns WhatsApp, published an advisory for security specialists yesterday, describing the attack as, “A buffer overflow vulnerability in WhatsApp VOIP stack that allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”

What steps have been taken by WhatsApp?

WhatsApp engineers worked through Sunday before deploying a patch for its 1.5 billion users yesterday and urging them to update their app as an added precaution. The Financial Times reported, “WhatsApp said that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. It began rolling out a fix to its servers on Friday last week, WhatsApp said, and issued a patch for customers on Monday.”

Not much detail about the vulnerability or the impact of the attack has been revealed yet, as WhatsApp is still in the early stages of its investigation. Reportedly, the company disclosed the attack to the United States Department of Justice last week. In a statement shared on Monday, WhatsApp said, "This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”

Who was behind this attack?

According to the Financial Times, this malicious software was developed by NSO Group, which is headquartered in the Israeli city of Herzliya. While the company tries to keep its work under wraps, it has been accused of selling its flagship software Pegasus to Saudi Arabia and the UAE. It also licenses Pegasus to intelligence and law enforcement agencies worldwide. NSO Group, in its defense, shared a statement: "NSO's technology is licensed to authorized government agencies for the sole purpose of fighting crime and terror. The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.

"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organization."

Human rights advocates against NSO Group

NSO Group does not have a good reputation with human rights organizations and groups. Its software has been linked to human rights abuses, unethical surveillance, and also to the gruesome murder of the Saudi Arabian critic Jamal Khashoggi. Back in 2016, Citizen Lab and Lookout Mobile Security revealed that the company had exploited three unpatched iOS vulnerabilities, also known as zero-days, to jailbreak user phones. This allowed the installation of Pegasus, which is capable of reading texts, tracking calls, collecting passwords, tracking location, and gathering information from apps.

Yesterday, human rights advocates, along with Amnesty International, shared their plans to file a petition against NSO Group. They are taking the Israeli Ministry of Defence (MoD) to court, demanding the revocation of the mobile spyware vendor’s export license. This decision comes after an Amnesty International researcher was targeted by the company’s Pegasus surveillance software. Amnesty International wrote in a post, “In a petition to be filed tomorrow at the District Court of Tel Aviv, approximately 30 members and supporters of Amnesty International Israel and others from the human rights community set out how the MoD has put human rights at risk by allowing NSO to continue exporting its products.”

To know more in detail, check out the report by the Financial Times.
Hackers steal bitcoins worth $41M from Binance exchange in a single go!

Savia Lobo
09 May 2019
3 min read
On Tuesday, Binance Exchange, one of the most popular cryptocurrency exchanges, reported a major security breach in which hackers stole around 7,000 bitcoins, worth $41 million, in a single transaction. The hackers were able to obtain a large number of user API keys, 2FA codes, and other information. Binance said that the hackers used a variety of techniques, including phishing, viruses, and other attacks. “We are still concluding all possible methods used. There may also be additional affected accounts that have not been identified yet”, Binance said in its official statement.

Binance confirmed that only the BTC hot wallet was affected and that all other wallets are secure and unharmed. The affected hot wallet contained about 2% of Binance’s total BTC holdings. The firm also said that the hackers were extremely patient and carried out well-orchestrated actions through multiple seemingly independent accounts at the most opportune time.

“The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that”, Binance’s official statement says.

Binance said that no user funds will be affected and that it will use the SAFU fund to cover the incident in full. Binance estimates it will take a week to conduct a thorough security review of the incident, during which all deposits and withdrawals will need to remain suspended. The review will cover all parts of its systems and data, and updates will be posted frequently. “We beg for your understanding in this difficult situation”, Binance told its users, adding, “Please also understand that the hackers may still control certain user accounts and may use those to influence prices in the meantime. We will monitor the situation closely. But we believe with withdrawals disabled, there isn’t much incentive for hackers to influence markets.”

Larry Cermak, Head Analyst at The Block and former researcher at Diar, who researched the Binance hack, concluded that it was the sixth largest exchange hack in history. He also said that “the $41 million is “peanuts” for Binance” and that it would take Binance hardly 47 days to make back the money lost in the breach.

https://twitter.com/lawmaster/status/1126090906908676096

In a live video chat, Binance’s chief executive Changpeng Zhao sought to answer questions about the hack.

https://twitter.com/CharlieShrem/status/1126166334121881601

To know more about this news, read the complete official document.
Symantec says NSA’s Equation group tools were hacked by Buckeye in 2016, well before they were leaked by Shadow Brokers in 2017

Savia Lobo
07 May 2019
5 min read
In a report released yesterday, Symantec, the well-known cybersecurity software and services company, revealed that the Buckeye group used the Equation group’s tools well before they were leaked by the Shadow Brokers in 2017. With the help of these tools, Buckeye exploited a Windows zero-day in 2016.

According to The New York Times: “Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.”

In 2017, a mysterious cyber group known as the Shadow Brokers leaked a set of tools belonging to the Equation group, one of the most technically adept espionage groups, tied to the Tailored Access Operations (TAO) unit of the U.S. NSA. The leak had a major impact, as many attackers rushed to get their hands on the disclosed tools. One of them, the EternalBlue exploit, was used in the WannaCry ransomware outbreak of May 2017.

Symantec’s recent report highlights that the Buckeye cyber espionage group (aka APT3, Gothic Panda) actually began using the Equation Group tools in various attacks at least a year before the Shadow Brokers leaked them. The evidence traces back to March 2016 in Hong Kong, where the Buckeye group began using a variant of the DoublePulsar backdoor (Backdoor.Doublepulsar), which was later disclosed in the Shadow Brokers’ leak. DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install it. Bemstour exploited two Windows vulnerabilities to achieve remote kernel code execution on targeted computers:

One was a Windows zero-day vulnerability (CVE-2019-0703) that Symantec reported to Microsoft in September 2018 and that was patched on March 12, 2019.
The other Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools, EternalRomance and EternalSynergy, also released in the Shadow Brokers’ leak.

According to Symantec’s report, “How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown.”

Per Symantec’s report, the Buckeye group had been active since at least 2009, when it began mounting a string of espionage attacks, mainly against organizations based in the U.S. The report further states that the group disappeared in mid-2017, and three alleged members were indicted in the U.S. in November 2017. However, the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018, but with different malware.

In 2011, the N.S.A. used sophisticated malware, Stuxnet, to destroy Iran’s nuclear centrifuges. The same code later proliferated around the world, doing damage to random targets, including American business giants like Chevron. According to The New York Times, “Details of secret American cybersecurity programs were disclosed to journalists by Edward J. Snowden, a former N.S.A. contractor now living in exile in Moscow. A collection of C.I.A. cyber weapons, allegedly leaked by an insider, was posted on WikiLeaks.”

To this, Eric Chien, a security director at Symantec, said, “We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies.” “This is the first time we’ve seen a case — that people have long referenced in theory — of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others,” Mr. Chien said.

The New York Times post mentions, “The Chinese appear not to have turned the weapons back against the United States, for two possible reasons, Symantec researchers said. They might assume Americans have developed defenses against their own weapons, and they might not want to reveal to the United States that they had stolen American tools.”

Two NSA employees told The New York Times that after the Shadow Brokers’ leak of its most highly coveted hacking tools in 2016 and 2017, the NSA turned over its arsenal of software vulnerabilities to Microsoft for patching and also shut down some of the N.S.A.’s most sensitive counterterrorism operations.

“The N.S.A.’s tools were picked up by North Korean and Russian hackers and used for attacks that crippled the British health care system, shut down operations at the shipping corporation Maersk and cut short critical supplies of a vaccine manufactured by Merck. In Ukraine, the Russian attacks paralyzed critical Ukrainian services, including the airport, Postal Service, gas stations and A.T.M.s.”, The New York Times reported.

Michael Daniel, the president of the Cyber Threat Alliance and previously cybersecurity coordinator for the Obama administration, said, “None of the decisions that go into the process are risk-free. That’s just not the nature of how these things work. But this clearly reinforces the need to have a thoughtful process that involves lots of different equities and is updated frequently.”

Chien said that, in the future, American officials will need to factor in the real likelihood that their own tools will boomerang back on American targets or allies.

Several security reporters and experts feel there are holes in this report and that it lacks backing from intelligence sources.

https://twitter.com/RidT/status/1125747510625091585
https://twitter.com/ericgeller/status/1125551150567129089
https://twitter.com/jfersec/status/1125746228195622912
https://twitter.com/GossiTheDog/status/1125754423245004800
https://twitter.com/RidT/status/1125746008577724416

To know more about this news in detail, head over to Symantec’s complete report.
DuckDuckGo proposes “Do-Not-Track Act of 2019” to require sites to respect DNT browser setting

Sugandha Lahoti
07 May 2019
3 min read
DuckDuckGo, the browser known for its privacy protection policies, has proposed draft legislation that would require sites to respect the Do Not Track browser setting. Called the “Do-Not-Track Act of 2019”, this legislation would mandate that websites not track people who have enabled the DNT signal in their browsers. Per a recent study conducted by DuckDuckGo, a quarter of people have turned on this setting, and most were unaware that big sites do not respect it.

The draft defines the signal as follows: “Do-Not-Track Signal” means a signal sent by a web browser or similar User Agent that conveys a User’s choice regarding online Tracking and reflects a deliberate choice by the user. It complies with the latest Tracking Preference Expression (DNT) specification published by the World Wide Web Consortium (W3C).

DuckDuckGo’s act comes just days after Google announced more privacy controls for its users. Last week, Google launched a new feature allowing users to manually delete all or part of their location history and web and app activity data. Users can also set a time limit, 3 or 18 months, after which activity data is deleted automatically. However, there is no option to not store history in the first place.

DuckDuckGo’s proposed Do-Not-Track Act of 2019 details the following points:

No third-party tracking by default. Data brokers would no longer be legally able to use hidden trackers to slurp up your personal information from the sites you visit. And the companies that deploy the most trackers across the web — led by Google, Facebook, and Twitter — would no longer be able to collect and use your browsing history without your permission.

No first-party tracking outside what the user expects. For example, if you use WhatsApp, its parent company (Facebook) wouldn't be able to use your data from WhatsApp in unrelated situations (like for advertising on Instagram, also owned by Facebook). As another example, if you go to a weather site, it could give you the local forecast, but not share or sell your location history.

The legislation would have exceptions for debugging, auditing, security, non-commercial research, and journalism. However, each of these exceptions would only apply if a site adopts strict data-minimization practices, such as using the least amount of personal information needed and anonymizing it when possible. Also, the restrictions would only come into play if a consumer has turned on the Do Not Track setting in their browser.

For violations of the Do-Not-Track Act of 2019, DuckDuckGo proposes fines of no less than $50,000 and no more than $10,000,000 or 2% of an organization’s annual revenue, whichever is greater. If the act passes into law, sites would be required to cease certain user tracking methods, which means less data available to inform marketing and advertising campaigns.

The proposal is still quite far from turning into law, but presidential candidate Elizabeth Warren’s recent proposal to regulate “big tech companies” may give it a much-needed boost. Twitter users complimented the act.

https://twitter.com/Bendineliot/status/1123579280892538881
https://twitter.com/jmhaigh/status/1123574469950414848
https://twitter.com/n0ahrabbit/status/1123572013153439745

For the full text, download the proposed Do-Not-Track Act of 2019.

DockerHub database breach exposes 190K customer data including tokens for GitHub and Bitbucket repositories
Savia Lobo
30 Apr 2019
3 min read
On Friday, DockerHub informed its users of a security breach in its database via an email written by Kent Lamb, Director of Docker Support. The breach exposed sensitive information, including some usernames and hashed passwords as well as tokens for GitHub and Bitbucket repositories, for approximately 190K users. The company said this number is only five percent of DockerHub's entire user base.

Lamb said the incident took place a day prior, on April 25, when the company discovered unauthorized access to a single Hub database storing a subset of non-financial user data. "For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place," Lamb said in his email.

The GitHub and Bitbucket access tokens stored in Docker Hub allow developers to modify their project's code and also drive the automatic building of images on Docker Hub. A third party who gains access to these tokens could read the code in private repositories and, depending on the permissions granted to the token, modify it. Misusing these tokens to modify code and deploy compromised images can lead to serious supply-chain attacks, as Docker Hub images are commonly used in server configurations and applications.

“A vast majority of Docker Hub users are employees inside large companies, who may be using their accounts to auto-build containers that they then deploy in live production environments. A user who fails to change his account password may have their account's autobuilds modified to include malware”, ZDNet reports.

Meanwhile, the company has asked users to change their password on Docker Hub and on any other accounts that shared this password. For users with autobuilds that may have been impacted, the company has revoked GitHub tokens and access keys, and asked those users to reconnect to their repositories and check security logs for any unexpected actions.

Mentioning DockerHub’s security exposure, a post on Microsoft's website says, “While initial information led people to believe the hashes of the accounts could lead to image:tags being updated with vulnerabilities, including official and microsoft/ org images, this was not the case. Microsoft has confirmed that the official Microsoft images hosted in Docker Hub have not been compromised.”

Docker said that it is enhancing its overall security processes, that it is still investigating the incident, and that it will share details when available.

A user on HackerNews commented, “I find it frustrating that they are not stating when exactly did the breach occur. The message implies that they know, due to the "brief period" claim, but they are not explicitly stating one of the most important facts. No mention in the FAQ either. I'm guessing that they are either not quite certain about the exact timing and duration, or that the brief period was actually embarrassingly long.”

https://twitter.com/kennwhite/status/1122117406372057090
https://twitter.com/ewindisch/status/1121998100749594624
https://twitter.com/markhood/status/1122067513477611521

To know more about this news, head over to the official DockerHub post.

Stripe updates its product stack to prepare European businesses for SCA-compliance
Bhagyashree R
26 Apr 2019
3 min read
On Tuesday, Stripe, the online payments platform provider, announced that it has upgraded its products to be compliant with Strong Customer Authentication (SCA) under the second Payment Services Directive (PSD2). This announcement comes just after Stripe confirmed that it has acquired Touchtech Payments, a Dublin-based payments start-up. Touchtech Payments is a provider of advanced SCA-compliant authentication technology for Europe's fintechs and challenger banks, such as N26 and TransferWise.

From 14 September 2019, online payments in Europe will be required to comply with SCA, a new European regulation introduced to reduce fraud and make online payments safer. It applies to customer-initiated online payments within Europe, which includes most card payments and all bank transfers.

To be SCA compliant, an online payments platform needs an additional authentication mechanism in its payment flow that uses at least two of the following:

• Something the customer knows, like a password or PIN
• Something the customer has, like a phone or hardware token
• Something the customer is, like a fingerprint or face recognition

Making online payment platforms compliant with this regulation will not be an easy task for individual banks and payment providers across Europe. Additionally, a new step in the authentication flow can cause friction in payments and hinder the user experience. So, to ease this process, the Stripe payments platform will take up the responsibility of analyzing each transaction to check whether it requires additional authentication. If required, Stripe will authenticate the transaction with the appropriate new technologies.

Updates are made in the following products:

The Payment Intents API
This new Payment Intents API will enable businesses to easily build SCA-compliant, fully-customized, dynamic payment flows. The API tracks the state of a payment and triggers additional authentication when needed.

Upgraded Stripe Checkout
Stripe Checkout, a smart payments page, enables businesses to start accepting payments with just a few lines of code. The latest version of Stripe Checkout is capable of dynamically detecting when SCA is required and triggers authentication when necessary. Dynamic 3D Secure provides an additional layer of authentication for credit card transactions.

3D Secure 2 support
Stripe supports 3D Secure 2 on the new Payment Intents API and Checkout. 3D Secure 2 aims to address the limitations of 3D Secure 1 by introducing “less disruptive authentication and better user experience.” With this authentication process, businesses and their payment providers can send more data elements on each transaction to the cardholder’s bank. This data may include payment-specific info like the shipping address, the customer’s device ID, or previous transaction history. The cardholder’s bank can then use this data to calculate the risk level of the transaction and respond accordingly.

Upgraded Stripe Billing
Billing makes the recurring billing process for SaaS and subscription-based companies smoother. Along with SCA-compliance, the company also announced that the product is now available for all businesses in Europe. Tara Seshan, product manager for Stripe Billing, said in a press release, “With Stripe Billing, companies of all sizes now have access to advanced invoicing tools that will also help them comply with SCA and VAT requirements.”

In the next few weeks, the company plans to roll out tools in the Stripe Dashboard for businesses already using Stripe to make them ready for SCA.

Read the official announcement on Stripe’s website.

Liz Fong-Jones on how to secure SSH with Two Factor Authentication (2FA)
Savia Lobo
22 Apr 2019
4 min read
Over the weekend, Liz Fong-Jones, a Developer Advocate at honeycomb.io, posted her experience with the security hardening of honeycomb.io’s infrastructure. In her post on GitHub, Liz explains how SSH keys, which provide authentication between hosts, can be vulnerable to threats that are easily overlooked.

Liz mentions that by adding passphrase encryption, private keys become resistant to theft when at rest. However, when they are in use, the usability challenge of re-entering the passphrase on every connection means that “engineers began caching keys unencrypted in memory of their workstations, and worse yet, forwarding the agent to allow remote hosts to use the cached keys without further confirmation”.

The Matrix breach, which took place on April 11, is an example of what happens when authenticated sessions are allowed to propagate without an intermediary. The intruder in the Matrix breach had access to the production databases, potentially giving them access to unencrypted message data, password hashes, and access tokens.

Liz also mentions two primary ways of preventing an attacker from misusing credentials:

• Using a separate device that generates, from a shared secret, numerical codes that can be transferred out of band and entered alongside the key.
• Having a separate device perform all the cryptography, and only when physically authorized by the user.

In her post, Liz asks, “What will work for a majority of developers who are used to simply loading their SSH key into the agent at the start of their login session and SSHing everywhere?” and shares her work on how such threats can be avoided. One prerequisite Liz mentions: “I'm assuming that you have a publicly exposed bastion host for each environment that intermediates accesses to the rest of each environment's VPC, and use SSH keys to authenticate from laptops to the bastion and from the bastion to each VM/container in the VPC”.

As a preliminary step, the user should start by enabling numerical time-based one-time passwords (TOTP) for SSH authentication. A malicious host could still impersonate the real bastion (if strict host checking isn't on), intercept the OTP, and then use it to authenticate to the real bastion; even so, “it's better than being wormed or compromised because you forgot to take basic measures against even a passive adversary”, Liz states.

After the server and client setup, the user needs to use Chef to populate /etc/2fa_token_keys with keys that are generated and stored securely. There are different setup methods, including:

Mac client setup
Users with Touchbar Macs should use TouchID to authenticate logins, as they'll have their laptop and their fingers with them anyway. For instance, SeKey is an SSH Agent that allows users to authenticate to UNIX/Linux SSH servers using the Secure Enclave.

Krypt.co setup for iOS and Android
With the help of krypt.co, instead of generating OTPs and sending them over manually, mobile devices can securely store SSH keys and remotely authorize their use (sending the signed challenge to the remote server) with a single tap. This process is even more secure than a TOTP app so long as the user supplies appropriate parameters to force hardware coprocessor storage (NIST P-256 for iOS, and 3072-bit RSA for Android, on new enough devices). Make sure people use screen locks!

Liz’s post also explores the YubiKey hardware token and Linux/ChromeOS client setup. To know more about this and how to set it up in detail, read Liz’s GitHub post.

Hacker destroys Iranian cyber-espionage data; leaks source code of APT34’s hacking tools on Telegram
Bhagyashree R
22 Apr 2019
3 min read
On Wednesday, ZDNet reported that a hacker using the online name Lab Dookhtegan leaked a set of hacking tools belonging to one of Iran’s espionage groups, often identified as APT34, OilRig, or HelixKitten, on Telegram. The leaks started in mid-March and included sensitive information, mostly consisting of usernames and passwords.

https://twitter.com/campuscodi/status/1118656431069302795

ZDNet became aware of this hack when a Twitter user DMed them some of the same files that were leaked on Telegram. Though this Twitter user claimed to have worked on the group’s DNSpionage campaign, ZDNet believes that it is also possible that they are a member of a foreign intelligence agency trying to hide their real identity. ZDNet’s assumption is that the Twitter user could be the same persona as Lab Dookhtegan on Telegram.

The hacker leaked the source code of six hacking tools: Glimpse, PoisonFrog, HyperShell, HighShell, Fox Panel, and Webmask. Many cyber-security experts, including Chronicle, Alphabet's cyber-security division, confirmed the authenticity of these tools.

Along with these tools, the hacker also leaked the content of several active backend panels where victim data had been collected. Chronicle confirmed to ZDNet that the hacker has leaked data of 66 victims, mainly from countries in the Middle East. This data was collected from both government agencies and private companies. The hacker also leaked data from APT34’s past operations, sharing the IP addresses and domains where the group hosted web shells and other operational data.

Besides leaking the data and the source code of the hacking tools, the hacker also made public personal information of the Iranian Ministry of Intelligence officers who were involved with APT34 operations, including phone numbers, images, and names.

The hacker admitted on the Telegram channel that he has destroyed the control panels of APT34’s hacking tools and wiped their servers clean. So, the Iranian espionage group now has no choice other than to start over. Going by the leaked documents, it seems that Dookhtegan also had a grudge against the Iranian Ministry of Intelligence, which he called "cruel," "ruthless" and "criminal".

Source: ZDNet

Now, several cyber-security firms are analyzing the leaked data. In an email to ZDNet, Brandon Levene, Head of Applied Intelligence at Chronicle, said, "It's likely this group will alter their toolset in order to maintain operational status. There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use."

To know about this story in detail, visit ZDNet.

Keybase’s new proof system is now available for all Mastodon servers
Bhagyashree R
16 Apr 2019
2 min read
Last week, Mastodon 2.8, a release of the self-hosted social media service, shipped with Keybase’s brand new proof system. Yesterday, the team behind Keybase announced that this new proof system is now available for all Mastodon servers. With this update, any community will be able to cryptographically connect their profiles to Keybase.

https://twitter.com/malgorithms/status/1117888468544147456

Keybase is a free security app for groups, communities, families, and friends with which you can affirm your identity across the web. At its core, Keybase is a key directory that maps social media identities to encryption keys. Users can also have encrypted conversations with Keybase’s end-to-end chat service, Keybase Chat.

With Keybase, users can prove a “link” between online identities, such as a Twitter or Reddit account, and their encryption keys. So, instead of relying on a system like OAuth, identities are proven by posting a signed statement on the account the user wants to prove ownership of. For instance, a user just needs to enter their Twitter handle in the Keybase app, following which a signed tweet is generated and sent to Twitter. Once the tweet is posted, the user returns to the Keybase app. This mechanism makes identity proofs publicly verifiable instead of requiring trust that the service is truthful.

Though this method is quick and easy, it does have some limitations. The Keybase app automatically generates the verification tweet, which users are expected to post. However, the user can edit these tweets. The Keybase team has now updated the proof system, which solves this problem. When a user claims on Keybase that they are a user on a site, they are redirected to that particular site. The verification is then completed in just two steps:

Source: Keybase

The site will then show the following row, signaling that the user is verified:

Source: Keybase

To read the full announcement, visit Keybase’s official website.

Microsoft reveals certain Outlook.com user accounts were hacked for months
Savia Lobo
15 Apr 2019
2 min read
On Saturday, Microsoft confirmed to TechCrunch that its email services were hacked from January 1, 2019, till March 28, 2019. Microsoft told TechCrunch, “Certain ‘limited’ number of people who use web email services managed by Microsoft—which cover services like MSN and Hotmail—had their accounts compromised.” “We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access”, a Microsoft spokesperson said in an email.

Following this, Microsoft sent out an email to all the affected users stating that hackers were potentially able to access an affected user’s e-mail address, folder names, the subject lines of e-mails, and the names of the other e-mail addresses the user communicates with. However, they were not able to access the content of any e-mails or attachments, or login credentials like passwords. Microsoft recommended that affected users reset their account password.

https://twitter.com/jason_koebler/status/1117557557051166721

According to the letter from Microsoft to affected users, the hackers got into the system by compromising a customer support agent’s credentials. Once identified, those credentials were disabled. Microsoft informed the users that it didn’t know what data was viewed by the hackers or why, but cautioned that users might, as a result, see more phishing or spam emails. “You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source”, the letter mentioned.

To know more about this news, head over to TechCrunch.
Will Facebook enforce its updated “remove, reduce, and inform” policy to curb fake news and manage problematic content?

Sugandha Lahoti
12 Apr 2019
6 min read
Facebook announced updates to its “remove, reduce, and inform” strategy to better control “problematic” content and fake news across Facebook, Instagram, and Messenger. No new tools or updates have been announced for WhatsApp. By problematic content, they mean content that is inappropriate but does not violate their community guidelines, and whose spread they aim to reduce. Similarly, for Instagram, the company is reducing the spread of posts that are inappropriate but do not go against Instagram’s Community Guidelines. These posts will not be recommended on the Explore and hashtag pages but can still appear in your feed if you follow the account that posts them. For instance, the company adds, “a sexually suggestive post will still appear in Feed but may not appear for the broader community in Explore or hashtag pages.”

They disclosed this news to a small group of journalists at an event organized at Menlo Park on Wednesday. “This strategy”, Facebook said, “applies not only during critical times like elections but year-round.”

Last week, WhatsApp included a 'Checkpoint Tipline' feature in India to verify messages during the election. "Launched by PROTO, an India-based media skilling startup, this tip line will help create a database of rumors to study misinformation during elections for Checkpoint," Facebook said in a statement. However, the tool turned out to be more for research purposes than for debunking fake news, as reported in an investigation led by BuzzFeed News. Per BuzzFeed, FAQs uploaded on PROTO's website suggest it’s just meant for research purposes.

Increasing overall product integrity

Facebook has rolled out a Community Standards site where people can track the updates Facebook makes each month. All policy changes will be visible to the public, with specifics on why some of the changes were made. Facebook Groups admins will be held more accountable for Community Standards violations. Facebook will look at admin and moderator content violations in a group when deciding whether or not to take it down. It will also treat approved member posts as a stronger signal that the group violates Facebook's standards. This feature is also released globally.

A new Group Quality feature will provide an overview of content removed and flagged for most violations. It will also have a section for false news found in the group. This initiative is going to start globally in the coming weeks.

They are also expanding their third-party collaborations for news flagging and fact-checking by including The Associated Press in the third-party fact-checking program. AP will be debunking false and misleading video misinformation and Spanish-language content appearing on Facebook in the US. Surprisingly, fact-checking by AP has not been added as a feature globally. India is Facebook’s largest market and is also conducting its national elections over this month and the next. Current fact-checking agencies in India include AFP India, Boom, Fact Crescendo, Factly, India Today Fact Check, Newsmobile Fact Checker, and Vishvas.News. Facebook has made the admin and moderator policies as well as the Group Quality feature available globally, but not the AP inclusion.

Read also: Ahead of Indian elections, Facebook removes hundreds of assets spreading fake news and hate speech, but are they too late?

If a Facebook group is found to repeatedly share misinformation that has been rated false by independent fact-checkers, Facebook will reduce that group’s overall News Feed distribution. Interestingly, they have not suspended these groups, as they are only removing/suspending content that “violates their policies”, even if it’s deemed inappropriate.

A new “Click-Gap” signal in News Feed ranking will be incorporated so that people see less low-quality content in their News Feed. Per Facebook, “This new signal, Click-Gap, relies on the web graph, a conceptual “map” of the internet in which domains with a lot of inbound and outbound links are at the center of the graph and domains with fewer inbound and outbound links are at the edges. Click-Gap looks for domains with a disproportionate number of outbound Facebook clicks compared to their place in the web graph. This can be a sign that the domain is succeeding on News Feed in a way that doesn’t reflect the authority they’ve built outside it and is producing low-quality content.”

Specifically for Facebook and Messenger apps

The Context Button feature is now added to images to give people more background information about the publishers and articles they see in News Feed. Facebook is testing this feature for images that have been reviewed by third-party fact-checkers. Trust Indicators are also added to the Context Button to provide a publication’s fact-checking practices, ethics statements, corrections, ownership and funding, and editorial team. They are created by a consortium of news organizations known as the Trust Project. This feature started in March 2019, on English and Spanish content. Facebook will also be adding more information to the Page Quality tab, starting with info on a Page’s status with respect to clickbait. Facebook will also allow people to remove their posts and comments from a group after they leave the group.

For Messenger

The Verified Badge is now officially a part of Messenger as a visible indicator of a verified account. There is also the inclusion of Messaging Settings and an updated Block feature for greater control. Messenger also has a Forward Indicator and Context Button to help prevent the spread of misinformation. The Forward Indicator lets someone know if a message they received was forwarded by the sender, while the Context Button provides more background on shared articles.

What’s distressing is that there is a significant gap between the policy update and the actual implementation of Facebook’s practices. Facebook continues to host Laura Loomer's inciting content on Instagram even after it was flagged, saying it does not violate their standards. Laura Loomer is an anti-Muslim conservative activist who published alarming posts that could potentially incite violence against Muslim congresswoman Ilhan Omar.

https://twitter.com/letsgomathias/status/1116461347259256832
https://twitter.com/justinhendrix/status/1116501676456910849

FireEye reports infrastructure-crippling Triton malware linked to Russian government tech institute
Savia Lobo
11 Apr 2019
3 min read
Yesterday, FireEye said that it has uncovered the hacking group behind the Triton malware, which was recently used against an unnamed “critical infrastructure” facility. This malware is designed to penetrate the target’s networks and sabotage its industrial control systems, the kind often used in power plants and oil refineries to control the operations of the facility. The Triton malware attack first occurred in August 2017, when it was used against a petrochemical plant owned by Tasnee in Saudi Arabia. Researchers believe that the operators of this attack must have been active since 2014. FireEye also believes the Triton attack to be linked to a Russian government-owned technical research institute in Moscow.

Triton, also known as Trisis, has been engineered to target a specific type of industrial control system (ICS), namely the Triconex safety instrumented system (SIS) controllers developed by Schneider Electric. FireEye’s first analysis of Triton after the 2017 attack found that “malicious actors used Triton to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown.”

FireEye has also released a report that explains the custom information technology tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle. “The information in this report is derived from multiple TRITON-related incident responses carried out by FireEye Mandiant”, the researchers state in their blog.

According to the FireEye report, the threat actor leveraged different custom and commodity intrusion tools, including SecHack, NetExec, WebShell, and others. “The actor's custom tools frequently mirrored the functionality of commodity tools and appear to be developed with a focus on anti-virus evasion. The group often leveraged custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion (e.g., they switched to custom backdoors in IT and OT DMZ right before gaining access to the engineering workstation)”, the researchers mentioned in their report.

The report further mentions, “After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining a presence in the target environment.”

Actors have also used several other obfuscation methods, including:

• Renaming their files to make them look like legitimate files;
• Planting webshells on the Outlook Exchange servers;
• Relying on encrypted SSH-based tunnels to transfer tools and for remote command execution;
• Routinely deleting dropped attack files, execution logs, and other files;
• Using multiple staging folders and directories that are rarely used by legitimate users or processes.

To know more about this report in detail, read FireEye’s complete report on the Triton attack.