
Tech News - Security

470 Articles
RAMBleed: A Rowhammer-based side-channel attack that reads memory bits without accessing them

Savia Lobo
17 Jun 2019
3 min read
A team of academic researchers recently unveiled a new class of Rowhammer-based attack known as RAMBleed. This newly discovered side-channel attack allows attackers to read memory data on a victim’s Windows computer without actually accessing the memory. The vulnerability, listed as CVE-2019-0174, is called RAMBleed because the RAM "bleeds its contents, which we then recover through a side channel," the researchers explain on the RAMBleed page.

RAMBleed is used to read data from dynamic random access memory (DRAM) chips. It leverages Rowhammer, a DRAM flaw that is exploited to cause bits in neighboring memory rows to flip their values. In their research paper, "RAMBleed: Reading Bits in Memory Without Accessing Them", the researchers show how an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. The researchers therefore say that RAMBleed shifts Rowhammer from being a threat to integrity alone to a threat to confidentiality as well. The paper will be presented at the 41st IEEE Symposium on Security and Privacy in May 2020.

The researchers also report that they successfully used RAMBleed to obtain a signing key from an OpenSSH server, leaking a 2048-bit RSA key using normal user privileges and enabling information to be taken from targeted devices. To do so, “we also developed memory massaging methods and a technique called Frame Feng Shui that allows an attacker to place the victim’s secret-containing pages in chosen physical frames,” the researchers write in their paper.

Source: RAMBleed.com

Any system that uses Rowhammer-susceptible DIMMs is vulnerable to RAMBleed. Machines with memory chips “both DDR3 and DDR4 with TRR (targeted row refresh) enabled" are vulnerable. Users can mitigate their risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled.

Intel published mitigation advice in an article and further suggested that "Intel Software Guard Extensions (Intel SGX) can be used to protect systems from RAMBleed attacks." Oracle, in its blog post, states that machines running DDR2 and DDR1 memory chips aren't affected. "Successfully leveraging RAMBleed exploits require that the malicious attacker be able to locally execute malicious code against the targeted system," Oracle states. No additional security patches are expected for Oracle product distributions, the company said.

Red Hat, in an article, states that there are at least three known DRAM fault exploits: "Rowhammer," "Spoiler" and "RAMBleed." The mitigation approach depends on the hardware vendor, according to Red Hat: "There are a few commonly proposed hardware-based mitigations against Rowhammer that have potential to also mitigate RAMBleed. These are Targeted Row Refresh (TRR), increased DRAM refresh intervals (doubled DRAM refresh rate), and use of ECC memory. The extent to which these strategies may actually mitigate the problem varies and is hardware platform specific. Vendors are anticipated to provide suitable platform-specific guidance."

To know more about RAMBleed in detail, visit its official page.
Amazon is being sued for recording children’s voices through Alexa without consent

Sugandha Lahoti
17 Jun 2019
5 min read
Last week, two lawsuits were filed in Seattle alleging that Amazon is recording voiceprints of children using its Alexa devices without their consent, in violation of laws governing recordings in at least eight states, including Washington. The complaint was filed on behalf of a 10-year-old Massachusetts girl on Tuesday in federal court in Seattle. Another nearly identical suit was filed the same day in California Superior Court in Los Angeles, on behalf of an 8-year-old boy.

What was the complaint?

Per the complaint, “Alexa routinely records and voiceprints millions of children without their consent or the consent of their parents.” The complaint notes that Alexa devices record and transmit any speech captured after a “wake word” activates the device, regardless of who the speaker is and whether that person purchased the device or installed the associated app. It alleges that Amazon saves a permanent recording of the user’s voice instead of deleting the recordings after storing them for a short time, or not storing them at all. In both cases, the children had interacted with Echo Dot speakers in their homes, and in both cases the parents claimed they had never agreed for their child's voice to be recorded. The lawsuit alleges that Amazon’s failure to obtain consent violates the laws of Florida, Illinois, Michigan, Maryland, Massachusetts, New Hampshire, Pennsylvania and Washington, which require consent of all parties to a recording, regardless of age.

Aside from “the unique privacy interest” involved in recording someone’s voice, the lawsuit says, “It takes no great leap of imagination to be concerned that Amazon is developing voiceprints for millions of children that could allow the company (and potentially governments) to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home.”

What does the lawsuit suggest Amazon should do?

The plaintiffs suggest that more could be done to ensure children and others are aware of what is going on. The lawsuit claims that Amazon should inform users who had not previously consented that they are being recorded and ask for consent. It should also deactivate permanent recording for users who have not consented. The complaints also suggest that Alexa devices should be designed to send only a digital query, rather than a voice recording, to Amazon's servers. Alternatively, Amazon could automatically overwrite the recordings shortly after they have been processed.

What is Amazon’s response?

When Vox reporters asked Amazon for comment, the company wrote in an email, “Amazon has a longstanding commitment to preserving the trust of our customers, and we have strict measures and protocols in place to protect their security and privacy.” It also pointed to a company blog post about the FreeTime parental controls on Alexa. Per the FreeTime parental control policy, parents can review and delete their children's voice recordings at any time via an app or the firm's website. In addition, it says, they can contact the firm and request the deletion of their child's voice profile and any personal information associated with it. However, these same requirements do not apply to a child’s use of Alexa outside of the FreeTime service and children’s Alexa skills.

Amazon’s Alexa terms of use note, “if you do not accept the terms of this agreement, then you may not use Alexa.” However, according to Andrew Schapiro, an attorney with Quinn Emanuel Urquhart & Sullivan, one of two law firms representing the plaintiffs, “There is nothing in that agreement that would suggest that “you” means a marital community, family or household. I doubt you could even design terms of service that bind ‘everyone in your household.’” This could also mean that Alexa is storing details of everyone, not just children. A comment on Hacker News reads, “Important to note that if this allegation is true, it means Alexa is recording everyone and storing it indefinitely, not just children. The lawsuit just says children because children have more privacy protections than adults so it's easier to win a case when children's rights are being violated.”

Others share similar opinions:
https://twitter.com/_FamilyInsights/status/1140490515240165377
https://twitter.com/lewiskamb/status/1138895472351883265

However, a few don’t agree:
https://twitter.com/shellypalmer/status/1139545654567559169
https://twitter.com/CarolannJacobs/status/1139165270524780554

The suit asks a judge to certify the class action and rule that Amazon violated state laws, require it to delete all recordings of class members, and prevent further recording without prior consent. It seeks damages to be determined at trial. The Seattle case seeks damages of up to $100 a day and the California case wants damages of $5,000 per violation.
Google researcher reveals an unpatched bug in Windows’ cryptographic library that can quickly “take down a windows fleet”

Savia Lobo
13 Jun 2019
3 min read
Tavis Ormandy, a vulnerability researcher at Google, uncovered a security issue in SymCrypt, the core cryptographic library for Windows, which the Microsoft team is still trying to fix. Ormandy says that if the vulnerability is exploited in a denial of service (DoS) attack, it could “take down an entire Windows fleet relatively easily”. Ormandy said that Microsoft had "committed to fixing it in 90 days". This was in line with Google's 90-day deadline for fixing or publicly disclosing bugs that its researchers find.

https://twitter.com/taviso/status/1138469651799728128

On March 13, 2019, Ormandy informed Microsoft of this vulnerability and also posted the issue on Google’s Project Zero site. On March 26, Microsoft replied saying that it would issue a security bulletin and fix in the June 11 Patch Tuesday run. On June 11, Ormandy said that the Microsoft Security Response Center (MSRC) had “reached out and noted that the patch won't ship today and wouldn't be ready until the July release due to issues found in testing”.

“There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric”, the bug report states. “I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock”, Ormandy further added.

“The disclosure a day after the deadline lapsed drew mixed reactions on social media, with some criticizing Ormandy for the move; and were met with short shrift”, CBR Online states.

https://twitter.com/taviso/status/1138493191793963008

Davey Winder from Forbes approached The Beer Farmers, a group of information security professionals, on this issue. John Opdenakker, an ethical hacker from the group, said, "in general if you privately disclose a vulnerability to a company and the company agrees to fix it within a reasonable period of time I think it's fair to publicly disclose it if they then don't fix it on time." Another Beer Farmer, Sean Wright, points out that this is a denial of service vulnerability and there are many other ways to achieve the same effect, which makes it a low-severity issue. Wright told Forbes, "Personally I think it's a bit harsh, every fix is different and they should allow for some flexibility in their deadline."

A Microsoft spokesperson said in a statement to Forbes, “Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher's deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule. We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”

To know more about this news in detail, head over to Google’s Project Zero website.
Untangle releases zSeries appliances and NG Firewall v14.2 for enhanced Network Security Framework

Amrata Joshi
12 Jun 2019
2 min read
Yesterday, Untangle, a company that provides network security for SMBs (small and midsize businesses) and distributed enterprises, announced the release of its zSeries appliances. The zSeries appliances will provide better performance and functionality at a lower price for SMBs as well as distributed enterprises with cloud-managed next-generation firewalls. The zSeries includes five appliances, from small desktop models to 1U rackmount servers, as well as a wireless option. All of these appliances come preloaded with NG Firewall version 14.2, Untangle’s network security software product, which makes deployment easy. The zSeries appliances are now available for purchase on the Untangle website.

Heather Paunet, vice president of product management at Untangle, said, “The zSeries offers a simplified lineup to suit customers from branch offices to large campuses. Key upgrades available with the zSeries include faster processors, more RAM, NVMe SSD storage on the z6 and above, and fiber connectivity on the z12 and above.” She further added, “It’s never been easier to deploy cost-effective, cloud-managed network security across dispersed networks while ensuring a consistent security posture for organizations of any size.”

NG Firewall v14.2 packed with enhancements to web security and content filtering

Untangle NG Firewall 14.2 comes with enhancements to web security and content filtering. It also offers the ability to synchronize users with Azure Active Directory and brings enhancements to intrusion detection and prevention. NG Firewall has won the 2019 Security Today Government Security Awards (“The Govies”) for Network Security. NG Firewall v14.2 offers options for flagging, blocking and alerting based on search terms for YouTube, Yahoo, Google, Bing, and Ask. With this firewall, YouTube searches can now be easily logged, and usage can also be locked down to show only content that meets the 'safe search' criteria.

Untangle NG Firewall 14.2 is available as a free upgrade for existing customers. Join Untangle for the Community Webinar: zSeries and NG Firewall v14.2 on June 18, 2019 to learn more about the features in 14.2 and the new zSeries appliances. To know more about this news, check out the press release.
The EU Bounty Program enabled in VLC 3.0.7 release, this version fixed the most number of security issues

Vincy Davis
11 Jun 2019
2 min read
Last week, the President of the VideoLAN non-profit organization, Jean-Baptiste Kempf, released VLC 3.0.7, a minor update of the VLC 3.0.x branch. Kempf calls this release ‘special’, as it fixes more security issues than any other version of VLC. Kempf has said that “This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the FOSSA program.” Last year, the European Commission announced that it would support bug hunting for 14 open source projects it uses. As VLC Media Player was one of the products it used, the project was sponsored by EU-FOSSA. In a statement to Bleeping Computer, Kempf stated that they had “no money” to run a bug bounty previously. He also added that the EU-FOSSA sponsorship program provided more "manpower" for funding and fixing security bugs in VLC 3.0.7.

According to the blog post, VLC Media Player 3.0.7 has fixed 33 valid security issues: 2 high-severity, 21 medium-severity and 10 low-severity. Of the two high-severity issues, one was an out-of-bounds write in the faad2 library, which is a dependency of VLC, and the other is a stack buffer overflow in the RIST module of VLC 4.0. The medium-severity issues are mostly out-of-bounds reads, heap overflows, NULL dereferences and use-after-free issues. The low-severity issues are mostly integer overflows, division by zero, and other out-of-bounds reads. Kempf also mentioned in the blog post that the best hacker in their bug bounty program was ele7enxxh. Bleeping Computer reports that ele7enxxh addressed a total of 13 bugs for $13,265.02.

Users are quite happy with this release, due to the large number of security fixes and improvements in VLC 3.0.7.

https://twitter.com/evanderburg/status/1136600143707246592
https://twitter.com/alorandi/status/1137603867120734208

VLC users can download the latest version from the VideoLAN website.
US Customs and Border Protection reveal data breach that exposed thousands of traveler photos and license plate images

Savia Lobo
11 Jun 2019
3 min read
Yesterday, U.S. Customs and Border Protection (CBP) revealed a data breach that exposed photos of travelers and vehicles traveling in and out of the United States. CBP first learned of the attack on May 31 and said that none of the image data had been identified “on the Dark Web or Internet”. According to a CBP spokesperson, one of its subcontractors transferred images of travelers and license plate photos collected by the agency to its internal networks, which were then compromised by the attack. The agency declined to name the subcontractor that was compromised. It also said that its own systems had not been compromised. “A spokesperson for the agency later said the security incident affected “fewer than 100,000 people” through a “few specific lanes at a single land border” over a period of a month and a half”, according to TechCrunch.

https://twitter.com/AJVicens/status/1138195795793055744

“No passport or other travel document photographs were compromised and no images of airline passengers from the air entry/exit process were involved,” the spokesperson said. According to The Register’s report released last month, a huge amount of internal files were breached from the firm Perceptics and were being offered for free download on the dark web. The company’s license plate readers are deployed at various checkpoints along the U.S.-Mexico border.

https://twitter.com/josephfcox/status/1138196952812806144

Now, according to the Washington Post, “in the Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: CBP Perceptics Public Statement”. “Perceptics representatives did not immediately respond to requests for comment. CBP spokeswoman Jackie Wren said she was “unable to confirm” if Perceptics was the source of the breach.”, the Washington Post further added.

In a statement to The Post, Sen. Ron Wyden (D-Ore.) said, “If the government collects sensitive information about Americans, it is responsible for protecting it — and that’s just as true if it contracts with a private company.” “Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future”, he further added. ACLU senior legislative counsel Neema Singh Guliani said that the breach “further underscores the need to put the brakes” on the government’s facial recognition efforts. “The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” she said.
Google researchers present Zanzibar, a global authorization system, it scales trillions of access control lists and millions of authorization requests per second

Amrata Joshi
11 Jun 2019
6 min read
Google researchers presented a paper on Google’s consistent global authorization system, known as Zanzibar. The paper focuses on the design, implementation, and deployment of Zanzibar for storing and evaluating access control lists (ACLs). Zanzibar offers a uniform data model and configuration language for expressing a wide range of access control policies from hundreds of client services at Google, including Cloud, Drive, Calendar, Maps, YouTube and Photos. Zanzibar authorization decisions respect the causal ordering of user actions and thus provide external consistency amid changes to access control lists and object contents. It scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people. It has maintained a 95th-percentile latency of less than 10 milliseconds and availability of greater than 99.999% over 3 years of production use.

The authors who contributed to the paper are Ruoming Pang, Ramon Cáceres, Mike Burrows, Zhifeng Chen, Pratik Dave, Nathan Germer, Alexander Golynski, Kevin Graney, Nina Kang, Lea Kissner, Jeffrey L. Korn, Abhishek Parmar, Christopher D. Richards and Mengzhi Wang.

What are the goals of the Zanzibar system?

The researchers set the following goals for the Zanzibar system:

Correctness: The system must ensure consistency of access control decisions.
Flexibility: The system should support access control policies for both consumer and enterprise applications.
Low latency: The system should respond quickly, because authorization checks are usually in the critical path of user interactions, and low latency is important for serving search results, which often require tens to hundreds of checks.
High availability: The system should reliably respond to requests, because in the absence of an explicit authorization, client services would be forced to deny their users access.
Large scale: The system should protect billions of objects shared by billions of users, and should be deployed around the globe to be close to its clients and end users.

To achieve these goals, Zanzibar combines several features. For flexibility, the system pairs a simple data model with a powerful configuration language that allows clients to define arbitrary relations between users and objects. Zanzibar employs an array of techniques to achieve low latency and high availability, and for consistency it stores the data in normalized form.

Zanzibar replicates ACL data across multiple data centers

The Zanzibar system operates at a global scale, stores more than two trillion ACLs and performs millions of authorization checks per second. ACL data does not lend itself to geographic partitioning, because authorization checks for an object can come from anywhere in the world. This is why Zanzibar replicates all of its ACL data in multiple geographically distributed data centers and distributes the load across thousands of servers around the world.

Zanzibar’s architecture includes a main server type organized in clusters

Image source: Zanzibar: Google’s Consistent, Global Authorization System

The acl servers are the main server type in this system. They are organized in clusters and respond to Check, Read, Expand, and Write requests. When a request arrives at any server in a cluster, that server fans the work out to other servers in the cluster, and those servers may in turn contact other servers to compute intermediate results. The initial server gathers the final result and returns it to the client. Zanzibar stores the ACLs and their metadata in Spanner databases: one database storing relation tuples for each client namespace, one database holding all namespace configurations, and one changelog database shared across all namespaces. The acl servers read and write these databases while responding to client requests. A specialized server type, the watchservers, responds to Watch requests; these servers tail the changelog and serve namespace changes to clients in real time.

Zanzibar also runs a data processing pipeline that performs a variety of offline functions across all Zanzibar data in Spanner, for example producing dumps of the relation tuples in each namespace at a known snapshot time. To optimize operations on large and deeply nested sets, Zanzibar uses an indexing system known as Leopard. Leopard reads periodic snapshots of ACL data, watches for changes between snapshots, performs transformations on the data such as denormalization, and responds to requests from the acl servers.

The researchers conclude that Zanzibar has a simple, flexible data model and configuration language. According to them, Zanzibar’s external consistency model allows authorization checks to be evaluated at distributed locations without the need for global synchronization, while offering low latency, scalability, and high availability.

Readers are finding the paper very interesting, and some of the numbers in it surprising. A user commented on Hacker News, “Excellent paper. As someone who has worked with filesystems and ACLs, but never touched Spanner before.” Another user commented, “What's interesting to me here is not the ACL thing, it's how in a way 'straight forward' this all seems to be.” Another comment reads, “I'm surprised by all the numbers they give out: latency, regions, operation counts, even servers. The typical Google paper omits numbers on the Y axis of its most interesting graphs. Or it says "more than a billion", which makes people think "2B", when the actual number might be closer to 10B or even higher.”

https://twitter.com/kissgyorgy/status/1137370866453536769
https://twitter.com/markcartertm/status/1137644862277210113

A few others note that the project wasn’t called Zanzibar initially; it was called ‘Spice’.

https://twitter.com/LeaKissner/status/1136691523104280576

To know more about this system, check out the paper Zanzibar: Google’s Consistent, Global Authorization System.
NSA warns users of BlueKeep vulnerability; urges them to update their Windows systems

Savia Lobo
10 Jun 2019
3 min read
Last week, the NSA published an advisory urging Microsoft Windows administrators and users to update their older Windows systems to protect against the BlueKeep vulnerability. The vulnerability was first noted by the UK National Cyber Security Centre and reported by Microsoft on 14 May 2019.

https://twitter.com/GossiTheDog/status/1128431661266415616

On May 30, Microsoft published a security notice urging users to update their systems, as "some older versions of Windows" could be vulnerable to cyber-attacks. On May 31, MalwareTech posted a detailed analysis of the BlueKeep vulnerability. “Microsoft has warned that this flaw is potentially “wormable,” meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw,” the advisory states.

BlueKeep (CVE-2019-0708) is a vulnerability in the Remote Desktop Protocol (RDP). It is present in Windows 7, Windows XP, Server 2003 and 2008, and although Microsoft has issued a patch, potentially millions of machines are still vulnerable. “This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability”, the advisory explains. The NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and in exploit kits containing other known exploits, increasing their capabilities against other unpatched systems. The advisory also suggests additional measures that can be taken:

Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used by the RDP protocol, and blocking it will block attempts to establish a connection.
Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.
Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.

Why has the NSA urged users and admins to update?

Ian Thornton-Trump, head of security at AmTrust International, told Forbes, “I suspect that they may have classified information about actor(s) who might target critical infrastructure with this exploit that critical infrastructure is largely made up of the XP, 2K3 family." The NSA had also created the similar EternalBlue exploit, which was recently used to hold the city of Baltimore’s computer systems for ransom. The NSA developed the EternalBlue attack software for its own use but lost control of it when it was stolen by hackers in 2017. BlueKeep is so similar to EternalBlue that Microsoft compared the two in its warning to users about the vulnerability. "It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise," Microsoft wrote in its security notice to customers. Microsoft also compared the risks to those of the WannaCry worm, which infected hundreds of thousands of computers around the world in 2017 and caused billions of dollars worth of damage.

The NSA said patching against BlueKeep is “critical not just for NSA’s protection of national security systems but for all networks.”

To know more about this news in detail, head over to Microsoft’s official notice.

Sugandha Lahoti
06 Jun 2019
4 min read

Mozilla puts “people’s privacy first” in its browser with updates to Enhanced Tracking Protection, Firefox Lockwise and Firefox Monitor

On Tuesday, Firefox released a number of updates to its browser with the intention of putting “people’s privacy first”. The new features were detailed by Dave Camp, Senior Vice President of Firefox, in a blog post. Firefox will roll out its Enhanced Tracking Protection to all new users, on by default. Additionally, they have upgraded the Facebook Container extension, released a Firefox desktop extension for Lockwise, and given Firefox Monitor a new dashboard to manage multiple email addresses.

Enhanced Tracking Protection blocks third party cookies by default

Firefox’s Enhanced Tracking Protection offers protection controls that let users block third party cookies at their own level of comfort, with three settings: Standard, Strict, and Custom. Per the new update, for all new users who download and install Firefox for the first time, Enhanced Tracking Protection will automatically be set on by default as part of the ‘Standard’ setting in the browser.

The Standard setting blocks known trackers and their cookies.
Strict will block known trackers in all Firefox windows. This includes third party trackers and tracking cookies.
The Custom setting of Enhanced Tracking Protection allows you to select which trackers and cookies you want to block.

https://twitter.com/jensimmons/status/1134549448120578048

This feature will be present as a shield icon in the address bar next to the URL. Users can also see which companies are blocked by clicking on the shield icon. For existing users, Enhanced Tracking Protection by default will be rolled out in the coming months. Manually, users can turn this feature on by clicking on the menu icon marked by three horizontal lines at the top right of the browser, then under Content Blocking.

Firefox Monitor: see if you’ve been part of an online data breach

Firefox Monitor has a new feature in the form of a breach dashboard that presents a quick summary of updates for all registered email accounts. Firefox Monitor was launched in September last year as a free service that notifies people if they’ve been part of a data breach. The new breach dashboard helps users track and manage multiple email addresses, including both personal and professional email accounts. Users can easily identify which emails are being monitored, how many known data breaches may have exposed their information, and specifically, if any passwords have been leaked across those breaches.

Safe password management with Firefox Lockwise

Firefox has rolled out a new desktop extension, Firefox Lockwise, that offers users safe password management features. It will provide an additional touchpoint to store, edit and access passwords. Firefox Lockwise is already available for iOS, Android and iPad. The new Firefox Lockwise desktop extension includes:

A new dashboard interface to manage the saved list of passwords.
For frequently visited sites, users can quickly reference and edit what is being stored.
For sites with fewer or no visits, users can easily delete a saved password.
The mobile app and desktop extension can help users quickly retrieve their password to access a site account.

Facebook Container now blocks tracking from other sites

Firefox has updated its Facebook Container extension to prevent Facebook from tracking users on other sites that have embedded Facebook capabilities such as the Share and Like buttons. Facebook Container is an add-on/web extension that helps users take control and isolate their web activity from Facebook. This blocking reduces Facebook’s propensity to build shadow profiles of non-Facebook users. Users will know the blocking is in effect when they see the Facebook Container purple fence badge.

It is interesting that Mozilla released a slew of updates following Apple's privacy-focused features announced at WWDC 2019. It almost feels like they are acting as a counterbalance to Google and Facebook, who have been under scrutiny for their data misinformation and privacy scandals. Google Chrome has also banned ad blockers for all users by deprecating the blocking capabilities of the webRequest API in Manifest V3. Chrome’s capability to block unwanted content will be restricted to only paid, enterprise users of Chrome.

https://twitter.com/dhh/status/1136058254608355328
https://twitter.com/queercommunist/status/1135906369599549440
https://twitter.com/johnwilander/status/1135911532779335680

Learn more about these privacy features on the Mozilla Blog.

Amrata Joshi
04 Jun 2019
8 min read

Apple showcases privacy innovations at WWDC 2019: Sign in with Apple, AdGuard Pro, new App Store guidelines and more

Apple is getting pretty serious about user privacy. Last month, Apple proposed a “privacy-focused” ad click attribution model to count conversions without tracking users. And just yesterday, Apple announced a host of security and privacy-related features at its ongoing Worldwide Developers Conference (WWDC) 2019. Users seem to be excited about the move taken by the company towards privacy and security, while some still seem to be a little confused and are looking forward to exploring the major announcements by the company. Experts are indirectly indicating that these major steps by Apple might turn out to be really powerful and might make other tech companies think about their next moves in the same direction.

https://twitter.com/ow/status/1135603153712422913
https://twitter.com/jmj/status/1135615177766739973

Sign In with Apple

With iOS 13, Apple is introducing a new way to quickly sign into apps and websites: Sign In with Apple. Users can now simply use their Apple ID for authentication instead of using a social account, verifying email addresses, etc. Apple will protect users’ privacy by providing developers with a unique random ID. Users also have the option to keep their email address private and can instead share a unique random email address. Sign In comes with built-in two-factor authentication for an added layer of security. The company does not use Sign In with Apple to profile users or their activity in apps. Users can now create a new account on an app with just one click and without revealing any new personal information. Twitter users are quite happy with Apple’s Sign In feature.

https://twitter.com/sandofsky/status/1135673287659347968
https://twitter.com/tomwarren/status/1135602700710793217
https://twitter.com/izzydoesizzy/status/1135829977050615808

Apple can now stop third-party sites and services from getting users’ information when they sign up to an app. Apple’s software engineering chief Craig Federighi said at the company’s annual developer conference, “Next I want to turn to login to get a more personalized effect with an app, we all have seen buttons like this, asking us to use a social account login. Now this can be convenient, but it also can come at the cost of your privacy — your personal information sometimes gets shared behind the scenes and these logins can be used to track you. We wanted to solve this and many developers do too. Now we have a solution, it’s called Sign in with Apple.”

One time location sharing

Apple will soon let users grant an app access to their iPhone’s location just once, as the company is rolling out a one-time location option. “For the first time, you can share your location to an app just once and then require it to ask you again next time it wants,” said Apple software engineering chief Craig Federighi at its annual developer conference on Monday. He also highlighted that a lot of apps try to bypass the location sharing restrictions by simply scanning WiFi and Bluetooth signals in that particular area, which could reveal the users’ location. He added, “We’re shutting the door on that abuse as well.”

https://twitter.com/ittechbuz/status/1135887736227934211

Apple updates its App Store guidelines

Apple has also updated its App Store guidelines to ensure privacy and security are enforced for new and existing apps. Here are a few of the highlights from the updated guidelines list.

Keeping kids’ data private

Apple has taken a step towards keeping kids’ data private. Apps in the Kids category and apps for kids can’t include any third-party advertising or analytics software and cannot transmit data to third parties. This guideline has been enforced for new apps, and even existing apps must follow this guideline by September 3, 2019.

https://twitter.com/icastanheda/status/1135672922608087040

HTML5 games may not provide access to digital commerce

The company has made a major move by stating in its guidelines that HTML5 games distributed in apps may not provide access to lotteries, real money gaming, or charitable donations, and may not support digital commerce. This functionality is appropriate only for code that’s embedded in the binary and that can be reviewed by Apple. This guideline is also now enforced for new apps, and existing apps must follow it by 3rd September 2019.

VPN apps cannot provide access to sensitive data to third parties

Since VPNs provide access to sensitive data, according to this guideline, VPN apps may not sell, use, or disclose any data to third parties for any purpose, and must commit to this in their privacy policy. Apps that are used for parental control, content blocking and security from approved providers can use the NEVPNManager API. This new guideline may possibly bring the popular ad blocker AdGuard Pro back to iOS. It was discontinued last year because of the App Store policy which said, “Guideline 2.5.1 – Performance – Software Requirements. Your app uses a VPN profile or root certificate to block ads or other content in a third-party app, which is not allowed on the App Store.” The new updates announced in the App Store Review Guidelines at WWDC may make AdGuard Pro compliant with it.

https://twitter.com/AdGuard/status/1135660616679645185
https://twitter.com/pveugen/status/1135743658148356096

MDM apps can’t sell/use/disclose data to third parties

MDM (Mobile Device Management) provides access to sensitive data, so according to this guideline, MDM apps should request the mobile device management capability. They may only be offered by commercial enterprises, such as business organizations or government agencies, and, in some cases, companies utilizing MDM for parental controls. Also, according to this guideline, MDM apps may not sell, use, or disclose any data to third parties for any purpose, and must commit to this in their privacy policy.

Health data can’t be shared with third parties

Apps may use a user’s health data to provide a benefit directly to that user, and the data is not to be shared with a third party. The developer must also disclose to the user the specific health data collected from the device.

Information coming in without user’s consent won’t be allowed on the App Store

Apps that compile information from any source that is not directly coming from the user or without the user’s explicit consent, even public databases for that matter, are not permitted on the App Store.

Apps need to get consent for data collection

Apps are supposed to get consent for data collection, even if that data is considered anonymous at the time of collection or immediately following it. Many are confused about this latest update, as they have some concerns about using the Wikipedia API.

https://twitter.com/jcampbell_05/status/1135679675026628608

As developers speculate about the changes in the guidelines, many are still wondering how the change in the rules would affect them and are looking forward to some clarity on the guidelines.

Health apps

Apple has also introduced a few health apps that could be useful for users; below are the highlights from this section.

Noise app

Apple introduced the Noise app for Apple watchOS 6, which detects loud environments and notifies users when it thinks they are at risk of hearing damage. This app uses the watch's built-in microphone to measure decibels at concerts, theaters, construction zones, parades, and other loud situations that usually aren't good for the ears. But to achieve this, the app needs to keep track of what the users are listening to, and such apps usually scare people as they appear to be ‘always-listening technology’. Dr. Sumbul Desai, Apple’s VP of health, clarified, “It only periodically samples and does not record or save any audio.” So users need not worry, as none of the audio or sounds in the environment are saved or sent to Apple, according to the company.

Menstrual cycle tracking feature

Apple also unveiled the menstrual cycle tracking feature, called Cycle Tracking, at the conference. Women can now easily log their symptoms and receive notifications when their periods are about to begin. They can also receive a fertility window prediction. This feature is also available in the Health app on iPhone with iOS 13. Apple Vice President of Health Sumbul Desai said, “We are so excited to bring more focus to this incredibly important aspect of women’s health.” But users are concerned over fertility data collection by the company.

https://twitter.com/Vince34359049/status/1135677667859034112

Others think that this feature is not new and that users have already used such applications for tracking their cycles.

https://twitter.com/DrShark/status/1135773575154216960

Apple has taken steps towards strengthening security and maintaining privacy by introducing new features and apps and updating the guidelines, but only time will tell how effective they turn out to be.

Savia Lobo
04 Jun 2019
4 min read

Over 19 years of ANU (Australian National University) students’ and staff data breached

The Australian National University (ANU) recently revealed it was hacked and that personal data of students and staff spanning 19 years was accessed. An official letter from ANU’s Vice-Chancellor, Brian Schmidt, said that in late 2018 a “sophisticated operator” accessed their systems illegally. However, the breach was detected just two weeks ago, and ANU staff are working towards strengthening the systems “against secondary or opportunistic attacks”, Schmidt said.

Regarding details on what data was affected, Schmidt wrote, “Depending on the information you have provided to the University, this may include names, addresses, dates of birth, phone numbers, personal email addresses, and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed.” However, the systems that store credit card details, travel information, medical records, police checks, workers' compensation, vehicle registration numbers, and some performance records have not been affected. Schmidt also said, “We have no evidence that research work has been affected” and that ANU is working closely with Australian government security agencies and industry security partners to investigate further.

Suthagar Seevaratnam, ANU’s Chief Information Security Officer, also wrote a letter today addressing the ANU community and suggested certain steps users can take to stay safe while using email and passwords, along with advice on general device maintenance and configuration. “If you have not reset your ANU password since November 2018, it is highly advised that you do so immediately,” he mentions in his letter.

This is the second data breach in ANU’s system, which lasted for seven months. Last year, in July, the ANU revealed that hackers had infiltrated its systems. Schmidt said, “Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data. Had it not been for those upgrades, we would not have detected this incident”. “The university said it did not believe data was stolen in that attack, which national security sources said was the work of the Chinese government”, The Sydney Morning Herald reports.

What will hackers actually gain from such a data breach?

The Australian National University is considered to be one of the nation's most prestigious educational institutions and is home to world-leading research. The hackers may be trying to leverage more information about international students who attend classes at the ANU. “The ANU also educates on national security and houses the Strategic and Defence Studies Centre and the National Security College”, ABC Canberra news reports. Jamie Travers, a producer at ABC Canberra, tweeted that he had a conversation with ANU media and they declined to share any information about the massive breach.

https://twitter.com/JamieTravers/status/1135732681407262725

Tom Uren, a senior analyst at the Australian Strategic Policy Institute, told Travers that there could be two possible types of hackers behind this breach:
1) A state-sponsored group (presumably China)
2) A cybercriminal gang

Travers also put forward his hypothesis on “why would a state-sponsored group such as China hack the ANU?” by giving two reasons:

https://twitter.com/JamieTravers/status/1135749238468382720
https://twitter.com/JamieTravers/status/1135749435185516544

In one of his tweets, Travers also highlighted what a cybercriminal gang would gain by breaching the ANU data, which includes:
Could use TFNs to file bogus tax returns.
Could use bank account details to try and access users’ accounts.
Could sell the data as a whole to someone else online for ID theft.

Schmidt, in his letter, said, “the University has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion”.

To know more about this news in detail, read Brian Schmidt’s official letter to ANU’s students and staff.

Savia Lobo
31 May 2019
2 min read

PyPI announces 2FA for securing Python package downloads

Yesterday, Python’s core development team announced that PyPI now offers two-factor authentication to increase the security of Python package downloads and thus reduce the risk of unauthorized account access. The team announced that 2FA will be introduced as a login security option on the Python Package Index. “We encourage project maintainers and owners to log in and go to their Account Settings to add a second factor”, the team wrote on the official blog. The blog also mentions that this project is a “grant from the Open Technology Fund; coordinated by the Packaging Working Group of the Python Software Foundation.”

PyPI currently supports a single 2FA method that generates codes through a Time-based One-time Password (TOTP) application. After users set up 2FA on their PyPI account, they must provide a TOTP code (along with their username and password) to log in. Therefore, to use 2FA on PyPI, users will need an application (usually a mobile phone app) that generates authentication codes. Currently, only TOTP is supported as a 2FA method.

Also, 2FA only affects login via the website, which safeguards against malicious changes to project ownership, deletion of old releases, and account takeovers. Package uploads will continue to work without 2FA codes being provided. The developers said that they are working on WebAuthn-based multi-factor authentication, which will allow the use of Yubikeys as a second factor, for example. They further plan to add API keys for package upload, along with an advanced audit trail of sensitive user actions.

A user on Hacker News answered the question “Will I lock myself out of my account if I lose my phone?” by saying, “You won't lock yourself out. I just did a quick test and if you reset your password (via an email link) then you are automatically logged in. At this point you can even disable 2FA. So 2FA is protecting against logging in with a stolen password, but it's not protecting against logging in if you have access to the account's email account. Whether or not that's the intended behaviour is another question…”

To know more about the ongoing security measures taken, visit Python’s official blog post.

Vincy Davis
29 May 2019
3 min read

All Docker versions are now vulnerable to a symlink race attack

Yesterday, Aleksa Sarai, Senior Software Engineer at SUSE Linux GmbH, notified users that ‘docker cp' is vulnerable to symlink-exchange race attacks. This attack affects all Docker versions. It can be seen as a continuation of some 'docker cp' security bugs that Sarai had found and fixed in 2014. The attack was discovered by Sarai, “though Tõnis Tiigi (software engineer at Docker) did mention the possibility of an attack like this in the past (at the time we thought the race window was too small to exploit)”, he added.

The basis of this attack is that FollowSymlinkInScope suffers from a fundamental TOCTOU (time-of-check to time-of-use) flaw. FollowSymlinkInScope is used to take a path and resolve it safely as though the process were inside the container. Once the full path is resolved, it is passed around a bit and operated on later. If an attacker adds a symlink component to the path after the resolution but before it is operated on, then the user will end up resolving the symlink path component on the host as root. Sarai adds, “As far as I'm aware there are no meaningful protections against this kind of attack. Unless you have restricted the Docker daemon through AppArmor, then it can affect the host filesystem”.

Two reproducers of the issue have been attached, including a Docker image containing a simple binary that does a RENAME_EXCHANGE of a symlink to "/” and an empty directory in a loop, hoping to hit the race condition. In both scripts, the user will be trying to copy a file to or from a path containing the swapped symlink. However, the run_write.sh script can overwrite the host filesystem in very few iterations. This is because internally Docker has a "chrootarchive" concept where the archive is extracted from within a chroot. However, Docker chroots into the parent directory of the archive target, which can be controlled by the attacker. This makes the attacker more likely to succeed.

In an attempt to come up with a better solution for this problem, Sarai is working on Linux kernel patches. This will “add the ability to safely resolve paths from within a roots”. Users are concerned about the Docker versions being vulnerable, as ‘docker cp’ is a very popular command.

A user on Reddit says, “This seems really severe, it basically breaks a lot of the security that docker is assumed to provide. I know that we're often told not to rely upon docker for security, but still. I guess trusted but unsecure containers where the attack is executed after startup are still safe, because the docker cp command has already been executed before the attack begins.”

A user on Hacker News comments, “So from a reading of the advisory and pull request, this seems to affect a specific set of scenarios, where a malicious image is running. Not sure if there are other scenarios where this would hit as well. One to be aware of, but as with most vulnerabilities, good to understand how it can be exploited, when you're assessing mitigations”

To read more details of the notification, head over to Sarai’s mailing list post.
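The TOCTOU above comes from resolving a path to a string and then handing that string to a later syscall, which gives an attacker a window to swap a symlink in. The added example below (written for this page, not Docker's FollowSymlinkInScope) shows the defensive alternative in user space: walk the path one component at a time relative to the previous directory descriptor with O_NOFOLLOW, so the check and the use are the same syscall. It is stricter than Docker needs to be, since it refuses symlinks outright instead of resolving them against the container root; the directory tree, the `open_in_root` and `demo` names, and the `EscapeAttempt` exception are all constructed for the example, and it requires Linux or macOS.

```python
# Added example, not Docker code: open a path strictly beneath a root
# without a resolve-then-operate window. Each step is openat(dirfd, name,
# O_NOFOLLOW); a rename or RENAME_EXCHANGE racing the walk can at worst
# make a step fail, never make it land on the host filesystem.
# Linux/macOS only (dir_fd, O_NOFOLLOW, O_DIRECTORY).
import errno
import os
import tempfile


class EscapeAttempt(Exception):
    """Raised when a path tries to leave the root via '..' or a symlink."""


def _open_component(name: str, dirfd: int, flags: int) -> int:
    """openat(dirfd, name, flags | O_NOFOLLOW). A symlink gives ELOOP and a
    file where a directory was expected gives ENOTDIR; both are treated as
    an escape attempt. Other errors (e.g. ENOENT) propagate unchanged."""
    try:
        return os.open(name, flags | os.O_NOFOLLOW, dir_fd=dirfd)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.ENOTDIR):
            raise EscapeAttempt(f"refusing symlink or non-directory {name!r}") from exc
        raise


def open_in_root(root: str, relpath: str, flags: int = os.O_RDONLY) -> int:
    """Open `relpath` beneath `root` and return the file descriptor.

    No path string derived from `root` is ever passed to a later syscall:
    every component is opened relative to the descriptor of the previous
    one, which is the property the resolve-then-copy design lacks."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise EscapeAttempt(f"rejecting path {relpath!r}")
    dirfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            nextfd = _open_component(comp, dirfd, os.O_RDONLY | os.O_DIRECTORY)
            os.close(dirfd)
            dirfd = nextfd
        return _open_component(parts[-1], dirfd, flags)
    finally:
        os.close(dirfd)


def demo() -> dict:
    """Constructed tree: root/safe/file.txt plus root/evil -> '/', the same
    kind of symlink the reproducer swaps into place. Returns the outcome
    for each path so the behaviour can be checked rather than just printed."""
    root = tempfile.mkdtemp(prefix="saferoot-")
    os.mkdir(os.path.join(root, "safe"))
    with open(os.path.join(root, "safe", "file.txt"), "w") as fh:
        fh.write("inside root\n")
    os.symlink("/", os.path.join(root, "evil"))

    outcome = {}
    with os.fdopen(open_in_root(root, "safe/file.txt")) as fh:
        outcome["safe/file.txt"] = fh.read().strip()
    for bad in ("evil/etc/hostname", "evil", "../x", "safe/../../x"):
        try:
            os.close(open_in_root(root, bad))
            outcome[bad] = "opened"
        except EscapeAttempt:
            outcome[bad] = "refused"
    return outcome


if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{path:20} -> {result}")
```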

Fatema Patrawala
28 May 2019
3 min read

Canva faced security breach, 139 million users data hacked: ZDNet reports

Last Friday, ZDNet reported on Canva’s data breach. Canva is a popular Sydney-based startup which offers a graphic design service. According to the hacker, who directly contacted ZDNet, data of roughly 139 million users was compromised during the breach. Responsible for the data breach is a hacker known online as GnosticPlayers. Since February this year, they have put the data of 932 million users up for sale, reportedly stolen from 44 companies around the world. "I download everything up to May 17," the hacker said to ZDNet. "They detected my breach and closed their database server."

Source: ZDNet website

In a statement on the Canva website, the company confirmed the attack and said it has notified the relevant authorities. They also tweeted about the data breach on 24th May, as soon as they discovered the hack, and recommended that their users change their passwords immediately.

https://twitter.com/canva/status/1132086889408749573

“At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first,” the statement said. “On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI). We’re aware that a number of our community’s usernames and email addresses have been accessed.”

Stolen data included details such as customer usernames, real names, email addresses, and city and country information. For 61 million users, password hashes were also present in the database. The passwords were hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around. For other users, the stolen information included Google tokens, which users had used to sign up for the site without setting a password. Of the total 139 million users, 78 million had a Gmail address associated with their Canva account.

Canva is one of Australia's biggest tech companies. Founded in 2012, the site has since launch shot up the Alexa website traffic rank and has been ranking among the top 200 most popular websites. Three days ago, the company announced it raised $70 million in a Series D funding round and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world's biggest free stock content sites, Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker.

According to reports from Business Insider, the community was dissatisfied with how Canva responded to the attack. IT consultant Dave Hall criticized the wording Canva used in a communication sent to users on Saturday. He believes Canva did not respond fast enough.

https://twitter.com/skwashd/status/1132258055767281664

One Hacker News user commented, “It seems as though these breaches have limited effect on user behaviour. Perhaps I'm just being cynical but if you aren't getting access and you are just getting hashed passwords, do people even care? Does it even matter? Of course names and contact details are not great. I get that. But will this even affect Canva?”

Another user says, “How is a design website having 189M users? This is more astonishing than the hack!”

Savia Lobo
24 May 2019
4 min read

SnapLion: An internal tool Snapchat employees abused to spy on user data

A report released by Motherboard yesterday reveals employees of Snap Inc., the parent company of the popular social media, Snapchat, abused privileged data management tools to spy on Snap users. They gained access to location, contact details, email addresses, even saved Snaps! This news was first reported by Motherboard stating that various departments within Snap have dedicated tools for accessing data. Talking about sources, Motherboard said, “two former employees said multiple Snap employees abused their access to Snapchat user data several years ago”. Along with those sources, Motherboard also obtained information from two other former employees, a current employee, and a cache of internal company emails. The sources and the emails obtained highlight one of the internal tools that can access user data called SnapLion   Former employees said that SnapLion was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena. “Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it, is a reference to the cartoon character Leo the Lion”, Motherboard reports. Snap Inc.’s ‘Spam and Abuse’ team has access to the tool and it can also be used to combat bullying or harassment on the platform by other users. Motherboard said, “An internal Snap email obtained by Motherboard says a department called "Customer Ops" also has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported”. “Motherboard granted multiple sources in this story anonymity to speak candidly about internal Snap processes”, reports Motherboard. Snapchat has a customer bandwidth of around 186 million users who use it to share photos, videos, or post stories trusting that it may get auto-deleted as per Snapchat’s privacy policies. 
Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story). However, in 2014 the Federal Trade Commission reached a settlement with Snapchat over charges that the company failed to disclose that it collected, stored, and transmitted geolocation data.

A Snap spokesperson wrote to Motherboard, "Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination."

A few years ago, SnapLion did not have a satisfactory level of logging to track what data employees accessed, a former employee said. The company then implemented more monitoring, the former employee added. Snap said it currently monitors access to user data. The second former employee said, "Logging isn't perfect". Snap said it limits internal access to tools to only those who require it, but according to the former employees SnapLion is no longer a tool purely intended to help law enforcement; it is now used more generally across the company. One of them, who worked with SnapLion, said the tool is used for resetting passwords of hacked accounts and "other user administration."

A current employee pointed to the company's strides on user privacy, and two former employees stressed the controls Snap has in place for protecting it. Snap also introduced end-to-end encryption in January of this year.

Snap is not alone: employees of other tech giants such as Facebook and Uber have also abused internal access to user data. Facebook fired employees in May last year for using their privileged access to user data to stalk exes. In 2016, Uber employees were reported to have used internal systems to spy on ex-partners, politicians, and celebrities.
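The logging gap the former employees describe is the general problem with privileged lookup tools: without a per-query record of who looked up whom, for which fields, and under which case, abuse is only discoverable by accident. The following is an added example, not Snap's code and not anything the report describes, of the minimum a practitioner would want from such a tool's audit trail and of detection logic run over it. Every lookup is expected to cite an open case, and the detector flags lookups with no open case, lookups whose target is not a subject of the cited case, and an operator querying many distinct accounts in a short window. The JSON-lines schema, the case table, the log lines and the thresholds are all constructed assumptions for the example.

```python
"""Added example (not Snap's code): audit records for an internal user-lookup
tool and a detector for access that is not tied to a legitimate case.
Schema, case table, log lines and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed case table (hypothetical): the accounts each open case authorises.
OPEN_CASES = {
    "LE-1042": {"subjects": {"user_4411"}},
    "ABUSE-77": {"subjects": {"user_9021", "user_9022"}},
}

# Constructed JSON-lines audit log in a hypothetical schema. A lookup with
# "case": null is one the operator made without citing any justification.
SAMPLE_LOG = """
{"ts":"2019-05-20T09:00:00","operator":"alice","target":"user_4411","fields":["location","email"],"case":"LE-1042"}
{"ts":"2019-05-20T09:05:00","operator":"bob","target":"user_9021","fields":["phone"],"case":"ABUSE-77"}
{"ts":"2019-05-20T09:06:00","operator":"bob","target":"user_1234","fields":["location"],"case":"ABUSE-77"}
{"ts":"2019-05-20T09:10:00","operator":"carol","target":"user_5555","fields":["saved_snaps"],"case":null}
{"ts":"2019-05-20T09:11:00","operator":"carol","target":"user_5556","fields":["location"],"case":"LE-1042"}
{"ts":"2019-05-20T09:12:00","operator":"carol","target":"user_5557","fields":["location"],"case":"LE-1042"}
{"ts":"2019-05-20T09:13:00","operator":"carol","target":"user_5558","fields":["location"],"case":"LE-1042"}
"""

DISTINCT_TARGET_LIMIT = 3       # more distinct accounts than this ...
WINDOW = timedelta(minutes=10)  # ... inside this window is a lookup spree


def parse_log(text):
    """Parse JSON-lines audit records and return them oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])


def detect(events, cases=OPEN_CASES, limit=DISTINCT_TARGET_LIMIT, window=WINDOW):
    """Return a list of (rule, operator, detail) findings over the events."""
    findings = []
    per_operator = defaultdict(list)  # operator -> [(ts, target), ...]
    for ev in events:
        case = ev.get("case")
        if not case or case not in cases:
            # No justification, or a case that is not open: flag every such lookup.
            findings.append(("no_open_case", ev["operator"], ev["target"]))
        elif ev["target"] not in cases[case]["subjects"]:
            # A real case was cited, but it does not cover this account.
            findings.append(("target_not_case_subject", ev["operator"],
                             f'{ev["target"]} under {case}'))
        per_operator[ev["operator"]].append((ev["ts"], ev["target"]))

    # Sliding window per operator: count distinct accounts looked up within
    # `window`; one finding per operator is enough to start an investigation.
    for op, hits in per_operator.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {t for _, t in hits[start:end + 1]}
            if len(distinct) > limit:
                findings.append(("lookup_spree", op, f"{len(distinct)} accounts in {window}"))
                break
    return findings


if __name__ == "__main__":
    for rule, operator, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} {operator:8} {detail}")
```

On the constructed log, alice's single lookup under a case that names her target produces nothing, bob is flagged once for a target his case does not cover, and carol is flagged for an unjustified lookup, three lookups outside her cited case, and a four-account spree. The point of binding each query to a case is that the first two rules need no behavioural baseline at all: they can be enforced at query time, before the data is returned, rather than found in the logs afterwards.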
https://twitter.com/justkelly_ok/status/1131750164773818369

Read more about this news in detail in Motherboard's full coverage.