Tech News - Security

YouTube’s ban on “instructional hacking and phishing” videos receives backlash from the infosec community

Savia Lobo
04 Jul 2019
7 min read
Update: This article now references MalwareTech's post, which gives a broader picture of how YouTube’s ban can suppress education and push aspiring learners toward shadier websites to learn hacking, which is far more dangerous.

A month ago, in June, YouTube said in a blog post, “The openness of YouTube’s platform has helped creativity and access to information thrive. It’s our responsibility to protect that, and prevent our platform from being used to incite hatred, harassment, discrimination, and violence.” YouTube said it plans to moderate content on its platform in three ways:

- Removing more hateful and supremacist content from the platform by banning supremacists, which will remove Nazis and other extremists who advocate segregation or exclusion based on age, gender, race, religion, sexual orientation, or veteran status.
- Reducing the spread of “borderline content and harmful misinformation”, such as videos promoting a phony miracle cure for a serious illness or claiming the earth is flat, and recommending videos from more authoritative sources, like top news channels, in its “next watch” panel.
- Suspending channels that repeatedly brush up against its hate speech policies from the YouTube Partner program. This means they will not be able to run ads on their channel or use other monetization features like Super Chat, which lets channel subscribers pay creators directly for extra chat features.

Along those lines, a few days ago YouTube decided to ban all “instructional hacking and phishing” videos, listing them as “harmful or dangerous content” prohibited on its platform. YouTube said that videos demonstrating how to bypass secure computer systems or steal user credentials and personal data will be pulled from the platform.

This addition to YouTube’s content policy is a big blow to everyone in the infosec industry who watches such videos for educational purposes or to develop their skills, and to the infosec YouTube creators who make a living maintaining dedicated cybersecurity channels. The written policy first appears in the Internet Wayback Machine's archive of web history in an April 5, 2019 snapshot. According to The Register, "Lack of clarity about the permissibility of cyber-security related content has been an issue for years. In the past, hacking videos in years past could be removed if enough viewers submitted reports objecting to them or if moderators found the videos violated other articulated policies. Now that there's a written rule, there's renewed concern about how the policy is being applied".

Kody Kinzie, a security researcher, educator, and owner of the popular ethical hacking and infosec YouTube channel Null Byte, tweeted that on Tuesday he could not upload a video because of the rule. He said the video was created for the US July 4th holiday to demonstrate launching fireworks over Wi-Fi.

https://twitter.com/KodyKinzie/status/1146196570083192832

After blocking the upload, Kinzie said, YouTube started flagging and removing his existing content and issued a further strike on his channel.

https://twitter.com/fuzz_sh/status/1146197679434883074
https://twitter.com/KodyKinzie/status/1146202025513771010

"I'm worried for everyone that teaches about infosec and tries to fill in the gaps for people who are learning," Kinzie said via Twitter. "It is hard, often boring, and expensive to learn cybersecurity." Many learners and the wider infosec community responded in support of Null Byte. YouTube then reversed its decision and removed the strikes, restoring the channel to full functionality.

https://twitter.com/myexploit2600/status/1146327656658550785
https://twitter.com/KodyKinzie/status/1146566379962695681

The YouTube policy page includes a list of things content creators should be careful about when uploading. YouTube also stresses that this is not a new policy: “the article now includes more examples of content that violates this policy. There are no policy changes.” According to Boing Boing, “This may sound like a commonsense measure but consider: the "bad guys" can figure this stuff out on their own. The two groups that really benefit from these disclosures are: Users, who get to know which systems they should and should not trust; and Developers, who learn from other developers' blunders and improve their own security.”

A YouTube spokesperson told The Verge that Kody Kinzie’s channel was flagged by mistake and the videos have since been reinstated. “With the massive volume of videos on our site, sometimes we make the wrong call,” the spokesperson said. “We have an appeals process in place for users, and when it’s brought to our attention that a video has been removed mistakenly, we act quickly to reinstate it.”

Dale Ruane, a hacker and penetration tester who runs a YouTube channel called DemmSec, told The Register via email that he believes this policy has always existed in some form. "But recently I've personally noticed a lot more people having issues where videos are being taken down," he said. "It seems adding video tags or titles which could be interpreted as malicious results in your video being 'dinged.' For example, I made a video about a tool which basically provided instructions of how to phish a Facebook user. That video was taken down by YouTube after a couple of weeks." He also said, "I think the way in which this policy is written is far too broad. I also find the policy extremely hypocritical from a company (Google) that has a history of embracing 'hacker' culture and claims to have the goal of organizing the world's information."

YouTube has recently taken other content moderation actions, such as taking down videos fighting white supremacy alongside white supremacist content. On May 30th, Vox host Carlos Maza tweeted a thread pointing to a pattern of homophobic harassment from conservative pundit Steven Crowder on YouTube. In one of his comments, Crowder referred to Maza as a “little queer,” “lispy queer,” and “the gay Vox sprite.” After several days of investigation, YouTube said that Crowder did not violate the platform’s policies, but the company did not provide any insight into its process and chose to issue an unsigned statement via a reply to Maza on Twitter.

Following YouTube’s decision, some Google employees said it does not send a positive message. One employee said, “This kind of makes me feel like it would be okay if my coworkers started calling me a lispy queer. ...It’s the latest in a long series of really, really shitty behavior and double-talking on the part of my employer as pertains to anything to do with queer shit.” After much opposition, YouTube opted to demonetize Crowder’s channel, citing “widespread harm to the YouTube community resulting from the ongoing pattern of egregious behavior.” The company has also promised to “evolve its policies” on harassment in response to the widespread backlash. Many YouTube creators have publicly derided the company for its decision, calling it an unsurprising move from a platform they feel has failed to properly address harassment.

Likewise, taking down videos that help many users develop skills, out of fear that the material could be misused, is the wrong move: attackers can do plenty without these videos. Banning videos will not make the platform more secure, nor will it stop attackers from exploiting defects. MalwareTech in its blog post writes, “when it comes to hacking, it matters not what is taught, but how and by whom. Context is extremely important, especially with a potential audience of young and impressionable teens. Hacking tutorials will always be available no matter what, the only real question is where”. The post also paints a broader picture of how YouTube’s ban can suppress education and push aspiring learners toward shadier websites to learn hacking, which is far more dangerous.

An attack on SKS Keyserver Network, a write-only program, poisons two high-profile OpenPGP certificates

Savia Lobo
01 Jul 2019
6 min read
Robert J. Hansen, a maintainer of the GnuPG FAQ, disclosed in the last week of June 2019 a certificate spamming attack against him and Daniel Kahn Gillmor, two high-profile contributors to the OpenPGP community. The attack exploited a defect in the OpenPGP protocol to "poison" both Hansen’s and Gillmor’s OpenPGP certificates. “Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways”, Hansen wrote in his GitHub blog post. Gillmor said his OpenPGP certificate was flooded with bogus certifications, which were uploaded to the SKS keyserver network.

The main use of OpenPGP today is to verify downloaded packages for Linux-based operating systems, usually with a software tool called GnuPG. The attack has the following consequences:

- If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation.
- Poisoned certificates cannot be deleted from the keyserver network.
- The number of deliberately poisoned certificates, currently only a few, will only rise over time.
- The attackers may intend to poison other certificates, and the scope of the damage is still unknown.

OpenPGP has seen similar certificate flooding before: a year ago Werner Koch's key was spammed, and abuse tools were made available years ago under the name "trollwot". A keyserver-backed filesystem has also been proposed as a proof of concept to point out the abuse.

“Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned”, Hansen added. He also said that mitigation of this attack cannot be carried out “in any reasonable time period” and that future releases of OpenPGP software may contain mitigations, though he is unsure of the time frame. The best mitigation available at present is simple, Hansen says: stop retrieving data from the SKS keyserver network.

The keyserver software was written to facilitate the discovery and distribution of public certificates. Users can search a keyserver by a variety of criteria to discover public certificates which claim to belong to the desired user. The keyserver network, however, does not attest to the accuracy of that information; each user is left to verify it according to their own criteria. According to the keyserver design goals, “Keyservers could add information to existing certificates but could never, ever, ever, delete either a certificate or information about a certificate”, said Hansen, who has been involved in the PGP community since 1992 and was present for these discussions. “In the early 1990s this design seemed sound. It is not sound in 2019. We've known it has problems for well over a decade”, Hansen adds. This shows how vulnerable keyservers are and how easily their data can be misused.

Why the SKS keyserver network can never be fixed

Hansen gives several reasons why the software has not been fixed or updated for security to date.

A difficult-to-understand algorithm

The SKS keyserver software was written by Yaron Minsky. It became the keystone of his Ph.D. thesis, and he wrote SKS originally as a proof of concept of his idea. It is written in an unusual programming language called OCaml, in what Hansen calls an idiosyncratic dialect. “Not only do we need to be bright enough to understand an algorithm that's literally someone's Ph.D. thesis, but we need expertise in obscure programming languages and strange programming customs”, Hansen says.

A change in design goals would mean starting from scratch

Because of the language it is written in, there are hardly any programmers qualified to do such a major overhaul, Hansen says. Also, the design goal of the keyserver network is "baked into" essentially every part of the infrastructure, and changing it would mean huge changes across the entire software.

Lack of a centralized authority

The lack of centralized authority was a feature, not a bug: there is no single point of failure for a government to go after. That makes the design goals even harder to change, because the network works as a confederated system.

The keyserver network is a write-only file system

The keyserver network is effectively write-only: anyone can write to it, and nothing can be deleted, which makes it susceptible to abuse. It can be thought of as an extremely large, extremely reliable, extremely censorship-resistant distributed file system which anyone can write to. Attackers can easily add malicious or censored content, files or media, which no one can delete.

Mitigations for users of the synchronizing keyserver network

Hansen says high-risk users should stop using the keyserver network immediately. For those comfortable editing their GnuPG configuration files, the following process is recommended:

1. Open gpg.conf in a text editor.
2. Ensure there is no line starting with keyserver. If there is, remove it.
3. Open dirmngr.conf in a text editor.
4. Add the line keyserver hkps://keys.openpgp.org to the end of it.

keys.openpgp.org is a new experimental keyserver which is not part of the keyserver network and has some features which make it resistant to this sort of attack. It has limitations: its search functionality is sharply constrained. Once the changes are made, however, users will be able to run gpg --refresh-keys with confidence.

Daniel Kahn Gillmor, in his blog post, says, “This is a mess, and it's a mess a long time coming. The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on because people are deliberately abusing those keyservers. We need significantly more defensive programming and a better set of protocols for thinking about how and when to retrieve OpenPGP certificates”.

Public reaction to the attack has been largely speculative, with people sharing their opinions on Twitter. Some have suggested migrating from SKS to the new OpenPGP keyserver software called Hagrid.

https://twitter.com/matthew_d_green/status/1145030844131753985
https://twitter.com/adulau/status/1145045929428443137

To know more about this in detail, head over to Robert J. Hansen’s GitHub post.
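The four-step edit Hansen recommends above can be scripted. What follows is an added example written for this page, not code from Hansen's post or from GnuPG: it strips any bare keyserver directive from gpg.conf (leaving the separate keyserver-options directive alone) and appends keyserver hkps://keys.openpgp.org to dirmngr.conf. It runs against a constructed GNUPGHOME in a temporary directory, so nothing under a real ~/.gnupg is touched; the SKS hostname in the sample file is made up. One step beyond the page: existing keyserver lines in dirmngr.conf are dropped as well, so dirmngr cannot keep falling back to the SKS network.

```python
import os
import re
import tempfile

# The line Hansen recommends adding to dirmngr.conf (from the page).
OPENPGP_ORG_LINE = "keyserver hkps://keys.openpgp.org"

# Matches the bare `keyserver` directive only, so `keyserver-options`
# (a different gpg option) is left untouched.
KEYSERVER_RE = re.compile(r"^\s*keyserver(\s|$)")


def strip_keyserver_lines(gpg_conf_text: str):
    """Step 2: drop every `keyserver` directive from gpg.conf text.
    Returns (new_text, removed_lines)."""
    kept, removed = [], []
    for line in gpg_conf_text.splitlines():
        (removed if KEYSERVER_RE.match(line) else kept).append(line)
    new_text = "\n".join(kept) + ("\n" if kept else "")
    return new_text, [line.strip() for line in removed]


def set_dirmngr_keyserver(dirmngr_text: str) -> str:
    """Step 4: append the keys.openpgp.org line to dirmngr.conf text.
    Existing keyserver lines are dropped first (a defensive addition beyond
    the page's step) so dirmngr cannot still reach the SKS network."""
    kept = [line for line in dirmngr_text.splitlines() if not KEYSERVER_RE.match(line)]
    kept.append(OPENPGP_ORG_LINE)
    return "\n".join(kept) + "\n"


def harden_gnupg_home(home: str) -> dict:
    """Apply both edits to gpg.conf and dirmngr.conf under `home`
    (normally ~/.gnupg) and report what changed."""
    gpg_conf = os.path.join(home, "gpg.conf")
    dirmngr_conf = os.path.join(home, "dirmngr.conf")
    report = {"removed_from_gpg_conf": [], "dirmngr_keyserver": OPENPGP_ORG_LINE}

    if os.path.exists(gpg_conf):
        with open(gpg_conf, encoding="utf-8") as fh:
            new_text, removed = strip_keyserver_lines(fh.read())
        if removed:
            with open(gpg_conf, "w", encoding="utf-8") as fh:
                fh.write(new_text)
        report["removed_from_gpg_conf"] = removed

    existing = ""
    if os.path.exists(dirmngr_conf):
        with open(dirmngr_conf, encoding="utf-8") as fh:
            existing = fh.read()
    with open(dirmngr_conf, "w", encoding="utf-8") as fh:
        fh.write(set_dirmngr_keyserver(existing))
    return report


def demo() -> dict:
    """Run the edits against a constructed GNUPGHOME in a temp directory."""
    home = tempfile.mkdtemp(prefix="gnupg-demo-")
    with open(os.path.join(home, "gpg.conf"), "w", encoding="utf-8") as fh:
        fh.write(
            "# constructed sample gpg.conf\n"
            "keyserver hkps://sks-pool.example.invalid\n"   # made-up SKS pool host
            "keyserver-options no-honor-keyserver-url\n"
            "keyid-format long\n"
        )
    report = harden_gnupg_home(home)  # no dirmngr.conf exists yet; it is created
    with open(os.path.join(home, "gpg.conf"), encoding="utf-8") as fh:
        report["gpg_conf"] = fh.read()
    with open(os.path.join(home, "dirmngr.conf"), encoding="utf-8") as fh:
        report["dirmngr_conf"] = fh.read()
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Pointing harden_gnupg_home at a real ~/.gnupg (after backing it up) leaves gpg --refresh-keys talking only to keys.openpgp.org, as Hansen describes.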

An IoT worm, Silex, developed by a 14-year-old, resulted in a malware attack taking down 2,000 devices

Amrata Joshi
28 Jun 2019
5 min read
This week, an IoT worm called Silex, which targets Unix-like systems, took down around 2,000 devices, ZDNet reports. The malware gains access by attempting to log in with default credentials and then destroys the device. Larry Cashdollar, the Akamai researcher who first spotted the malware, told ZDNet in a statement, "It's using known default credentials for IoT devices to log in and kill the system.” He added, “It's doing this by writing random data from /dev/random to any mounted storage it finds. I see in the binary it's calling fdisk -l which will list all disk partitions." He added, "It then writes random data from /dev/random to any partitions it discovers."

https://twitter.com/_larry0/status/1143532888538984448

It also deletes the device's firewall rules, removes its network configuration and triggers a restart, leaving the device bricked. Victims are advised to manually reinstall the device's firmware to recover. The attack recalls the BrickerBot malware that destroyed millions of devices in 2017.

Cashdollar told ZDNet, "It's targeting any Unix-like system with default login credentials." He added, "The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix like OS." This means the malware could also affect Linux servers that have Telnet ports open and are secured with weak or widely used credentials. As per the ZDNet report, the attacks were carried out from a VPS server owned by a company operating out of Iran. Cashdollar said, "It appears the IP address that targeted my honeypot is hosted on a VPS server owned by novinvps.com, which is operated out of Iran."

With the help of NewSky Security researcher Ankit Anubhav, ZDNet managed to reach the Silex malware author, who goes by the pseudonym Light Leafon. According to Anubhav, Light Leafon is a 14-year-old responsible for the malware. In a statement to Anubhav and ZDNet, he said, “The project started as a joke but has now developed into a full-time project, and has abandoned the old HITO botnet for Silex.” Light also said he plans to develop Silex further and add even more destructive functions: "It will be reworked to have the original BrickerBot functionality." He also plans to add the ability to log into devices via SSH, in addition to the current Telnet capability, and to have the malware use vulnerabilities to break into devices, as most IoT botnets do. Light said, "My friend Skiddy and I are going to rework the whole bot.” He added, "It is going to target every single publicly known exploit that Mirai or Qbot load."

Light gave no justification for his actions, nor did he publish a manifesto, as BrickerBot's author (pseudonym Janit0r) did before the BrickerBot attacks. Janit0r framed the 2017 attacks as a protest against owners of smart devices that kept getting infected with the Mirai DDoS malware. In a statement to ZDNet, Anubhav described the teenager as "one of the most prominent and talented IoT threat actors at the moment." He added, "It's impressive and at the same time sad that Light, being a minor, is utilizing his talent in an illegal way."

People are surprised that a 14-year-old managed this and are equally worried about the consequences he may face. A user commented on Reddit, “He's a 14-year old kid who is a bit misguided in his ways and can easily be found. He admits to DDoSing Wix, Omegle, and Twitter for lols and then also selling a few spots on the net. Dude needs to calm down before it goes bad. Luckily he's under 18 so really the worst that would happen in the EU is a slap on the wrist.” Another user commented, “It’s funny how those guys are like “what a skid lol” but like ... it’s a 14-year-old kid lol. What is it people say about the special olympics…” Others said that developers need to be more vigilant and take security seriously. Another comment reads, “Hopefully manufacturers might start taking security seriously instead of churning out these vulnerable pieces of shit like it's going out of fashion (which it is).”

To know more about this news, check out the report by ZDNet.

Cloud Hopper: The Chinese group that hacked eight major U.S. computer service firms to boost economic interests, Reuters reports

Vincy Davis
28 Jun 2019
5 min read
A recent report by Reuters has revealed that a global hacking group working for China’s Ministry of State Security, known as Cloud Hopper, broke into the networks of eight of the world’s biggest technology service providers in order to steal commercial secrets from their clients. The hackers exploited these companies, their customers, and the Western system of technological defense. The campaign is believed to have been conducted to boost Chinese economic interests.

How Cloud Hopper penetrated U.S. firms

Reuters reports that the Swedish telecoms equipment giant Ericsson was hacked five times by suspected Chinese cyber spies between 2014 and 2017. After successfully repelling the many attacks, Ericsson discovered a year earlier that the intruders were back, though this time the path taken by the attackers was clear. The team of hackers had penetrated Hewlett Packard Enterprise’s cloud computing service and used it as a launchpad to attack its customers. They managed to steal reams of corporate and government secrets for years, Reuters reports.

In December 2018, the U.S. government charged the Chinese government with conducting an operation to steal Western intellectual property in order to advance China’s economic interests. It named hackers from APT10 (Advanced Persistent Threat 10) as agents of China’s Ministry of State Security. The U.S. also accused two Chinese nationals of identity theft and fraud, but did not divulge any victim names. Around the same time, Reuters reported Hewlett Packard Enterprise and IBM as victims of this hacking campaign. The public attribution garnered widespread international support: Germany, New Zealand, Canada, Britain, Australia and other allies issued statements backing the U.S. allegations against China.

Key findings from the Reuters investigation of Cloud Hopper

Two days ago, Reuters made its new investigation public. It states that, along with Hewlett Packard Enterprise and IBM, the hackers had also penetrated Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. According to the report, the Chinese hackers used these eight companies’ platforms to attack their clients too. Along with Ericsson, which competes with Chinese firms in the strategically critical mobile telecoms business, the clients include travel reservation system Sabre, the American leader in managing plane bookings, and the largest shipbuilder for the U.S. Navy, Huntington Ingalls Industries, which builds America’s nuclear submarines at a Virginia shipyard.

Though Reuters was unable to determine the full extent of the damage done by the campaign, it says many victims are still unsure what information was stolen. “This was the theft of industrial or commercial secrets for the purpose of advancing an economy”, said former Australian National Cyber Security Adviser Alastair MacGibbon.

The campaign also highlights the security risks of cloud computing services. The former director of the U.S. National Security Agency, Mike Rogers, says, “For those that thought, the cloud was a panacea, I would say you haven’t been paying attention.” According to Rob Joyce, a senior adviser to the U.S. National Security Agency, the companies were battling a skilled adversary; he says the hacking was “high leverage and hard to defend against.” The Reuters report states that, according to Western officials, the attackers came from multiple Chinese government-backed hacking groups. The most feared was APT10, which U.S. prosecutors say was directed by the Ministry of State Security.

National security experts have said that the Chinese intelligence services are comparable to the U.S. Central Intelligence Agency, capable of pursuing both electronic and human spying operations. The Chinese government has firmly denied all accusations of involvement in hacking. In a statement to Reuters, the Chinese Foreign Ministry said that “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets.” It also called the charges “warrantless accusations” and urged the United States to “withdraw the so-called lawsuits against Chinese personnel, so as to avoid causing serious harm to bilateral relations.”

The U.S. Justice Department has called the Chinese denials “ritualistic and bogus”. DOJ Assistant Attorney General John Demers told Reuters that “The Chinese Government uses its own intelligence services to conduct this activity and refuses to cooperate with any investigation into thefts of intellectual property emanating from its companies or its citizens.”

To learn in detail how the Chinese cyber spies infiltrated Western businesses, head over to the Reuters investigation report.

Do Google Ads secretly track Stack Overflow users?

Vincy Davis
27 Jun 2019
5 min read
Update: A day after a user noticed a bug on Stack Overflow through his browser's devtools, Nick Craver, the Architecture Lead for Stack Overflow, has updated users on the work so far. He says the fingerprinting issue comes from ads relayed through third-party providers. Stack Overflow has been reaching out to experts and the Google Chrome security team and has filed a bug in the Chrome tracker. Stack Overflow has contacted Google, its ad server, for assistance and is testing deployment of SafeFrame to all ads; the SafeFrame API controls whether all ads on the page are forced to render inside a SafeFrame container. Stack Overflow is also trying to deploy the Feature-Policy header to block access to most browser features from all components in the page. Craver also specified in the update that Stack Overflow has decided not to turn off these ad campaigns immediately, as they need the reproduction to fix the issue.

A user by the name greggman discovered a bug on Stack Overflow. While working with his browser's devtools open, he noticed the following message:

Image source: Stack Overflow Meta website

greggman then raised the question “Why is Stack Overflow trying to start audio?” on the Stack Overflow Meta website, which is intended for bugs, features, and discussion of Stack Overflow. He found that the message appears whenever a particular ad is shown on the site. The ad is from Microsoft, served via Google.

Image source: Stack Overflow Meta website

Later, another user, TylerH, investigated and revealed some intriguing information about the bug. He found that the Google ad was using the audio API to collect information from users’ browsers in an attempt to fingerprint them. He says, “This isn't general speculation, I've spent the last half hour going through the source code linked above, and it goes to considerable lengths to de-anonymize viewers. Your browser may be blocking this particular API, but it's not blocking most of the data.”

TylerH claims that this fingerprinting is definitely not legitimate feature detection. He adds that the technique is applied in aggregate to generate a user fingerprint, which is recorded along with the advertising ID in the analytics sent to the publisher. It detects the following:

- the user's system resolution and accessibility settings
- the audio API capabilities supported by the user's browser
- the mobile browser-specific APIs supported by the user's browser

TylerH states that the ad can detect many other details about the user without consent, and he warns all Stack Overflow users to “Use an Ad blocker!”

As both findings gained momentum on the Stack Overflow Meta website, Nick Craver, the Architecture Lead for Stack Overflow, replied to greggman and TylerH, “Thanks for letting us know about this. We are aware of it. We are not okay with it.” Craver also mentioned that Stack Overflow has reached out to Google for support. He also told users that “This is not related to ads being tested on the network and is a distinctly separate issue. Programmatic ads are not being tested on Stack Overflow at all.”

Users are annoyed at Craver's response. Many do not believe that the Architecture Lead for Stack Overflow had no idea about this and is only now going to work on it. A user on Hacker News comments that Craver's response “encapsulates the entire problem with the current state of digital advertising in 1 simple sentence.” A few users are not surprised at all, as ads are widely used as tracking mechanisms. A HN user says, “Audio feature detection isn't even a novel technique. I've seen trackers look at download stream patterns to detect whether or not BBR congestion control is used, I have seen mouse latency based on the difference between mouse ups and downs in double clocks and I have seen speed-of-interaction checks in mouse movements.”

Another comment reads, “I think ad blocking is a misnomer. What people are trying to do when blocking ads is prevent marketing people from spying on them. And the performance and resource consumption that comes from that. Personal opinion: Laws are needed to make what advertisers are doing illegal. Advertisers are spying on people to the extent where if the government did it they'd need a warrant.”

Another user thinks the situation is not that bad, since Stack Overflow is at least taking responsibility for the bug. The user wrote on Hacker News, “Let's be adults here. This is SO, and I imagine you've used and enjoyed the use of their services just like the rest of us. Support them by letting passive ads sit on the edge of the page, and appreciate that they are actually trying to solve this issue.”
A vulnerability discovered in Kubernetes kubectl cp command can allow malicious directory traversal attack on a targeted system

Amrata Joshi
25 Jun 2019
3 min read
Last week, the Kubernetes team announced that a security issue (CVE-2019-11246) was discovered in the Kubernetes kubectl cp command. According to the team, this issue could lead to a directory traversal in which a malicious container replaces or creates files on a user’s workstation. The vulnerability impacts kubectl, the command line interface used to run commands against Kubernetes clusters.

The vulnerability was discovered by Charles Holmes of Atredis Partners as part of the ongoing Kubernetes security audit sponsored by CNCF (Cloud Native Computing Foundation). This particular issue is a client-side defect and requires user interaction to exploit. According to the post, the issue is of high severity, and the Kubernetes team encourages users to upgrade kubectl to Kubernetes 1.12.9, 1.13.6, or 1.14.2 or later versions to fix it. To upgrade, users need to follow the installation instructions from the docs. The announcement reads, “Thanks to Maciej Szulik for the fix, to Tim Allclair for the test cases and fix review, and to the patch release managers for including the fix in their releases.”

The kubectl cp command allows copying files between containers and the user’s machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive and then copies it over the network, after which kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and generate unexpected, malicious output. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. The current vulnerability is quite similar to CVE-2019-1002101, which was an issue in the kubectl binary, precisely in the kubectl cp command; that vulnerability could likewise be exploited to write files to any path on the user’s machine.

Wei Lien Dang, co-founder and vice president of product at StackRox, said, “This vulnerability stems from incomplete fixes for a previously disclosed vulnerability (CVE-2019-1002101). This vulnerability is concerning because it would allow an attacker to overwrite sensitive file paths or add files that are malicious programs, which could then be leveraged to compromise significant portions of Kubernetes environments.”

Users are advised to run kubectl version --client; if it does not report client version 1.12.9, 1.13.6, or 1.14.2 or newer, the user is running a vulnerable version that needs to be upgraded. To know more about this news, check out the announcement.
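The defensive check at the heart of this class of bug is validating each archive entry's destination before anything is written. The Go example below is added here and is not kubectl's own code: it unpacks a tar stream into a destination directory, fails closed on any entry whose resolved path would land outside that directory, skips link entries (whose targets can also point outside), and feeds itself a constructed in-memory archive as sample input.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal reports a tar entry whose path would land outside the destination.
var ErrTraversal = errors.New("tar entry escapes destination directory")

// tarEntry is a constructed sample archive member (name and file contents).
type tarEntry struct {
	Name string
	Body string
}

// safeDestPath joins an entry name onto dest and rejects any result that is not
// inside dest. A malicious in-container tar emitting names like "../../x" (the
// CVE-2019-11246 pattern) must fail this check before any file is opened.
func safeDestPath(dest, name string) (string, error) {
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", ErrTraversal // absolute entry names are never acceptable
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name) // Join resolves "..", so compare afterwards
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// extractTar unpacks a tar stream into dest, stopping at the first entry that
// escapes dest. It returns the paths it actually wrote.
func extractTar(r io.Reader, dest string) ([]string, error) {
	tr := tar.NewReader(r)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeDestPath(dest, hdr.Name)
		if err != nil {
			return written, fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
		default:
			// Symlinks, hard links and device nodes are skipped: a link target
			// can point outside dest just as a "../" name can.
			continue
		}
		written = append(written, target)
	}
}

// buildTar writes the constructed entries to an in-memory tar archive.
func buildTar(entries []tarEntry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o644, Size: int64(len(e.Body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write([]byte(e.Body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "kubectl-cp-demo")
	defer os.RemoveAll(dest)
	// A benign archive first, then one whose entry tries to climb out of dest.
	w, err := extractTar(bytes.NewReader(buildTar([]tarEntry{{"app/config.yaml", "replicas: 2\n"}})), dest)
	fmt.Println("benign:", w, err)
	w, err = extractTar(bytes.NewReader(buildTar([]tarEntry{{"../../escaped.txt", "owned\n"}})), dest)
	fmt.Println("hostile:", w, err)
}
```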
Facebook fails to fend off a lawsuit over data breach of nearly 30 million users

Bhagyashree R
25 Jun 2019
4 min read
Last week, an appellate court in San Francisco ruled against Facebook’s appeal to block a class-action lawsuit over the massive data breach it suffered last year. The breach impacted nearly 30 million Facebook users.

On September 25th last year, Facebook discovered a data breach caused by a vulnerability that existed in its code between July 2017 and September 2018. This vulnerability “was the result of a complex interaction of three distinct software bugs.” The bugs were related to the “View As” feature, which lets users see what their profile looks like to another user. By exploiting this vulnerability, the attackers were able to steal users’ digital access tokens, the keys that let users access their profiles without having to log in every time they visit the site. Facebook shared that the attackers were able to see everything in a user’s profile, although it was not sure whether they got access to private messages or whether any of that data was misused. Zuckerberg, in a call with reporters following the data breach, said, “So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts. But this, of course, may change as we learn more. The attackers used our APIs to access profile information fields like name, gender, hometown, etc. But we do not yet know if any private information was accessed that way.”

The class-action lawsuit alleges Facebook violated user privacy

Following this incident, several Facebook users filed class-action complaints in a San Francisco court, alleging that Facebook had failed to protect its users' data. The lawsuit alleges that the vulnerability in Facebook’s code, together with its “grossly inadequate” security measures, made victims more prone to identity theft. The lawsuit seeks to represent all people “who registered for Facebook accounts in the United States and whose PII (personally identifiable information) was accessed, compromised, or stolen from Facebook in the September 2018 data breach.” As a legal remedy, the plaintiffs are seeking statutory damages, penalties, punitive damages, and attorneys’ fees.

In response, Facebook appealed in March to block the lawsuit, arguing that some of the plaintiffs’ information was not “sensitive” as it was publicly available on their Facebook profiles, and that therefore no real harm had been done since the attackers were not able to steal users’ financial information and passwords. U.S. District Judge William Alsup dismissed Facebook’s appeal, saying, “The lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information.” He added, “Further, some of the information here was private, and plaintiff plausibly placed trust in Facebook to employ appropriate data security. From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks.’”

This is not the only instance where Facebook has shown negligence towards personal data. Earlier this month, during a pretrial hearing, Facebook argued that it didn’t violate users’ privacy rights because there is no expectation of privacy when using social media. Recently Aaron Greenspan, the founder of Think Computer Corporation, claimed that Mark does not really believe in the concept of personal data, as Facebook has performed security fraud on a number of occasions in an incredibly blatant manner.

This is one of many lawsuits against Facebook. Earlier this month, the Austrian Supreme Court overturned Facebook’s appeal to block a lawsuit against it for not conforming to Europe’s General Data Protection Regulation (GDPR). Regarding its alleged involvement in the Cambridge Analytica case, the social media giant is also preparing to pay a fine of up to $5 billion. You can read the lawsuit to know more details.
Xenotime, hacker group behind oil and natural gas sites are now targeting US power grids

Fatema Patrawala
24 Jun 2019
5 min read
Researchers from the security firm Dragos reported on Friday that a group of hackers behind two potentially fatal intrusions into industrial facilities has expanded its activities to probe dozens of electricity grids in the US and other regions. The group, known as Xenotime, gained attention in 2017 when researchers from Dragos and the cyber-security firm FireEye independently reported that Xenotime had caused a dangerous operational disruption at a critical infrastructure site in the Middle East, reports Ars Technica. Researchers from Dragos have called the group the most dangerous cyber threat in the world since then.

According to Bloomberg, FireEye Inc. has linked the group to a research institution in Moscow owned by the Russian government, the Central Scientific Research Institute of Chemistry and Mechanics. Xenotime is one of the few groups in the world to use malware tailored to industrial control systems, said Benjamin Read, a FireEye senior manager. Most alarming is the group's use of previously unseen malware against a facility's safety instrumented systems (SIS). Such systems are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. For example, when gas fuel pressure or reactor temperature rises to a potentially unsafe threshold, a SIS will automatically close valves or initiate cooling processes to avoid accidents that endanger life. In April, FireEye reported that the SIS manipulation malware, alternatively known as Triton and Trisis, was used in an attack at another industrial facility.

Proliferation of threats in different sectors

Dragos also reported that Xenotime has been conducting network scans and reconnaissance of multiple components across power grids in the United States and other regions. Sergio Caltagirone, senior vice president of threat intelligence at Dragos, told Ars Technica that his firm has detected dozens of utilities, some of them located in the United States, that have been subjected to Xenotime probing since 2018. "The threat has proliferated and is now targeting electric companies in the US and Asia Pacific, which means that we are no longer safe thinking that the threat to our electrical utilities is understood or stable," he said in an interview. "This is the first sign that threats are proliferating across all sectors, which means that now we cannot be sure that a threat to one sector will remain in that sector and will not cross over."

Probes can come in multiple forms. One is credential stuffing, which tries passwords stolen in previous, sometimes unrelated, breaches in the hope that they will work against new targets. Another is network scanning, which maps and catalogs the computers, routers and other devices connected to a network and lists the ports on which they accept connections. "The scale of the operation and the regions it addresses," Caltagirone said, "shows more than a passing interest in the sector."

In a post published on Friday, Dragos researchers wrote: “While none of the electric utility events resulted in a known and successful intrusion into victim organizations to date, the persistent attempts and the expansion in scope are cause for definite concern. Xenotime has successfully compromised several oil and gas environments, demonstrating its ability to do so in other verticals. Specifically, Xenotime remains one of only four threats (along with Electrum, Sandworm and the entities responsible for Stuxnet) to execute a deliberate disruptive or destructive attack. Xenotime is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes.

Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. Xenotime expressing a direct and constant interest in electric utility operations is a cause for deep concern, given this adversary's willingness to compromise process safety, and therefore integrity, to fulfill its mission. Xenotime's expansion to another industry vertical is emblematic of an increasingly hostile industrial threat landscape. Most observed Xenotime activity focuses on the initial information gathering and access operations necessary for follow-on ICS intrusion operations. As seen in the long-running state-sponsored intrusions into US, UK and other electric infrastructure, entities are increasingly interested in the fundamentals of ICS operations and show all the hallmarks associated with the information and access acquisition necessary to carry out future attacks. While Dragos sees no evidence at this time to indicate that Xenotime (or any other activity group, such as Electrum or Allanite) is capable of executing a prolonged disruptive or destructive event on electric utility operations, the observed activity shows a strong adversary interest in meeting the prerequisites for doing so.”

This news has brought anxiety among cyber security folks on Reddit; one comment reads, “it's time to develop disconnected micro grids”. Another user comments, “Or just do security correctly. Much of the utility infrastructure in the country does not align with best practices or published standards.” To know more about this, check out the official research page of Dragos.
OpenSSH code gets an update to protect against side-channel attacks

Savia Lobo
24 Jun 2019
2 min read
Last week, Damien Miller, a Google security researcher and one of the well-known OpenSSH and OpenBSD developers, announced an update to the OpenSSH code that helps protect against side-channel attacks that leak sensitive data from a computer’s memory. This protection, Miller says, will guard the private keys residing in RAM against Spectre, Meltdown, Rowhammer, and the latest RAMBleed attack. SSH private keys can be used by malicious threat actors to connect to remote servers without the need for a password. According to CSO, “The approach used by OpenSSH could be copied by other software projects to protect their own keys and secrets in memory”.

With this change, even if an attacker succeeds in extracting data from a computer or server's RAM, they will only obtain an encrypted version of an SSH private key rather than the cleartext version. In an email to OpenBSD, Miller writes, “this change encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large 'prekey' consisting of random data (currently 16KB)." He further adds, "Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely”.

"Implementation-wise, keys are encrypted 'shielded' when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised," Miller said. The OpenSSH developers hope they will be able to remove this special protection against side-channel attacks "in a few years time when computer architecture has become less unsafe", Miller said at the end of the patch. To know more about this announcement in detail, visit Damien Miller’s email.
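To show why a large random prekey raises the bar for memory-disclosure attacks, the Go example below is added here; it is a simplified stand-in and not OpenSSH's own implementation. The key is shielded under a key and nonce hashed from a 16KB prekey, a single wrong bit in a recovered prekey makes unshielding fail, and the closing function computes the chance an attacker with a given per-bit error rate reads every prekey bit correctly.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"math"
)

// PrekeyBytes mirrors the 16KB prekey size quoted in Miller's email.
const PrekeyBytes = 16 * 1024

// Shielded is a private key encrypted at rest in memory: only the random
// prekey and the ciphertext are kept, the plaintext key is discarded.
type Shielded struct {
	Prekey     []byte
	Ciphertext []byte
}

// deriveKeyAndNonce hashes the whole prekey so that every bit matters: one
// wrong bit in a recovered prekey yields an unrelated key and nonce.
// (Simplified stand-in for OpenSSH's own derivation.)
func deriveKeyAndNonce(prekey []byte) (key, nonce []byte) {
	h := sha512.Sum512(prekey)
	return h[:32], h[32:44] // AES-256 key and 12-byte GCM nonce; the prekey is single-use
}

func newGCM(prekey []byte) (cipher.AEAD, []byte, error) {
	key, nonce := deriveKeyAndNonce(prekey)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return gcm, nonce, err
}

// Shield encrypts privKey under a freshly generated random prekey.
func Shield(privKey []byte) (*Shielded, error) {
	prekey := make([]byte, PrekeyBytes)
	if _, err := rand.Read(prekey); err != nil {
		return nil, err
	}
	gcm, nonce, err := newGCM(prekey)
	if err != nil {
		return nil, err
	}
	return &Shielded{Prekey: prekey, Ciphertext: gcm.Seal(nil, nonce, privKey, nil)}, nil
}

// Unshield decrypts with the supplied prekey; GCM authentication fails if any
// bit of the prekey differs from the one used to shield.
func Unshield(prekey, ciphertext []byte) ([]byte, error) {
	if len(prekey) != PrekeyBytes {
		return nil, errors.New("prekey has wrong length")
	}
	gcm, nonce, err := newGCM(prekey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// FlipBit models a memory-disclosure read of the prekey that got one bit wrong.
func FlipBit(buf []byte, bit int) []byte {
	out := append([]byte(nil), buf...)
	out[bit/8] ^= 1 << (bit % 8)
	return out
}

// ProbAllBitsCorrect is the chance that an attacker reading bits independently
// with error rate ber recovers every bit of an nbytes prekey: (1-ber)^(8*nbytes).
func ProbAllBitsCorrect(ber float64, nbytes int) float64 {
	return math.Pow(1-ber, float64(nbytes*8))
}

func main() {
	secret := []byte("constructed-sample-private-key-bytes") // constructed stand-in for a real key
	s, err := Shield(secret)
	if err != nil {
		panic(err)
	}
	if _, err := Unshield(s.Prekey, s.Ciphertext); err == nil {
		fmt.Println("intact prekey: key unshielded")
	}
	if _, err := Unshield(FlipBit(s.Prekey, 4242), s.Ciphertext); err != nil {
		fmt.Println("prekey with one bit error:", err)
	}
	fmt.Printf("P(all %d prekey bits read correctly at BER 1e-4) = %.2e\n",
		PrekeyBytes*8, ProbAllBitsCorrect(1e-4, PrekeyBytes))
}
```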
The US launched a cyber attack on Iran to disable its rocket launch systems; Iran calls it unsuccessful

Sugandha Lahoti
24 Jun 2019
4 min read
On Thursday, the US launched a cyber-attack on Iranian weapons systems, according to sources. The attack was a retaliation by the US government after Iran shot down a US spy drone. In response to the drone’s destruction, the US was ready to carry out a military strike against Iran, but US President Donald Trump said he called it off at the last minute after being told some 150 people could die. That did not stop him from secretly authorizing US Cyber Command to carry out a retaliatory cyber attack on Iran. Defense officials had prepared such a cyber response as a contingency plan for weeks preceding the attack.

The cyber-attacks disabled computer systems controlling Iran’s rocket and missile launchers. Officials told the Guardian that the attack, which specifically targeted computer systems of Iran’s Islamic Revolutionary Guard Corps (IRGC), had been offered as an option after two oil tankers were bombed. The IRGC has been designated a foreign terrorist group by the Trump administration. The AP news agency said the cyber-attack had disabled the Iranian systems. The New York Times said it was intended to take the systems offline for a period of time.

The response by Iran

An Iranian minister, however, rejected these claims, stating that US cyber attacks on Iranian targets were not successful. “They try hard, but have not carried out a successful attack,” Mohammad Javad Azari Jahromi, Iran’s minister for information and communications technology, told Reuters. “Media asked if the claimed cyber attacks against Iran are true,” he said. “Last year we neutralized 33 million attacks with the (national) firewall.” Azari Jahromi called attacks on Iranian computer networks “cyber-terrorism”, referring to Stuxnet, the first publicly known example of a virus used to attack industrial machinery, which targeted Iran’s nuclear facilities in November 2007.

In response to the shooting down of the US drone, an Iranian navy commander warned it could be repeated. “Everyone saw the downing of the unmanned drone,” navy commander Rear Admiral Hossein Khanzadi was quoted as saying by the Tasnim news agency. “I can assure you that this firm response can be repeated, and the enemy knows it.”

On Saturday the US Department of Homeland Security warned that Iran was stepping up its own cyber-attacks on the US. Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency, said "malicious cyber activity" was being directed at US industries and government agencies by "Iranian regime actors and their proxies." US military and intelligence officials are drafting plans for additional cyber attacks against Iranian targets. The US will also impose further sanctions on Iran. President Trump said these sanctions were "major" and were needed to prevent Tehran from obtaining nuclear weapons, and that economic pressure would be maintained unless Tehran changed course.

Technology plays a central role in national security and foreign policy. Most recently, the US-China trade war saw Huawei and Apple caught at the center of escalating tensions, and the US prohibited a wide swath of technology deals with a “foreign adversary” for national security reasons. National security and technological environments are intertwined because technology has a strong influence on the ways wars are fought and on the character of the missions reserve components are asked to perform, and it is often caught in the web of trade wars. The US-Iran cyber attack is a clear example of the way the lines between physical and digital warfare are blurring.
A second zero-day found in Firefox was used to attack Coinbase employees; fix released in Firefox 67.0.4 and Firefox ESR 60.7.2

Bhagyashree R
21 Jun 2019
4 min read
Earlier this week, Mozilla fixed a zero-day vulnerability that was being actively exploited by attackers. It released another security update yesterday after the Coinbase Security team detected a second zero-day vulnerability in Firefox. This update has landed in Firefox 67.0.4 and Firefox ESR 60.7.2.

The two zero-day vulnerabilities

The first one is a type confusion vulnerability tracked as CVE-2019-11707 that occurs “when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.” It enables an attacker to run malicious code inside Firefox’s native process. This vulnerability was reported by both the Coinbase Security team and Samuel Groß, a security researcher with Google's Project Zero team. Groß had reported the vulnerability on Bugzilla on April 15.

https://twitter.com/5aelo/status/1141273394723414016

Sharing the implications of the vulnerability, the researcher said, “the bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape to run code on an underlying operating system. However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals.”

The second zero-day vulnerability is described as “sandbox escape using Prompt:Open” and is assigned CVE-2019-11708. This highly critical vulnerability enables malware to escape from the Firefox sandboxed process and execute on the targeted host. “Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process,” the advisory page reads.

The Coinbase attack

Not much detail was available about these attacks and vulnerabilities until yesterday, when Martin Phil, Chief Information Security Officer at Coinbase, and his team detected an attack targeting Coinbase employees. Coinbase also said that the attacker might have targeted other cryptocurrency organizations as well, and it is now notifying the organizations that it believes may have been targeted.

https://twitter.com/SecurityGuyPhil/status/1141466335592869888

Fortunately, the attack was detected before it was able to do any damage. Had it gone undetected, the attacker could have gained access to the Coinbase backend network and stolen funds from exchanges. Phil in his tweets also shared a couple of Indicators of Compromise (IOCs) that indicate whether a system is affected.

https://twitter.com/SecurityGuyPhil/status/1141466339518767104

Vitali Kremez, who specializes in information security, malware hunting and carding, and cybercrime intelligence, speculated that these IOCs were linked to a username “powercat”.

https://twitter.com/VK_Intel/status/1141540229951709184

Going by the IOCs, the attacker would have sent a spear-phishing email to lure victims to a web page. If the victims were using a vulnerable Firefox version, the web page would have downloaded and installed the malware on their systems.

The macOS backdoor attack

It looks like the attacker targeted other Firefox users as well, not only cryptocurrency organizations. Yesterday, Patrick Wardle, a macOS security expert, published an analysis of a Mac malware sample. It was sent to him by a user who claimed that it had been installed on his fully updated Mac through Firefox’s zero-day vulnerability. Here is how the email sent by the attacker to this user looked:

[Image of the attacker's email. Source: Objective-See]

The malware installed on the user’s system was called Finder.app, and its hash matched one of the hashes provided by Martin.

This news sparked a discussion on Hacker News. Many users found it unsettling that Mozilla took two months to deliver the security patch for a very serious bug report. “Really, that Mozilla would let a reported RCE vulnerability simmer for two months until it bit someone would seem to reflect very poorly on their priorities and competence,” a user commented. Others were more interested in how Coinbase discovered this attack. A user commented, “I am more interested in how Coinbase employees discovered the attack. I am assuming nobody clicked the suspicious link and instead took it to a vm for reversing and analysis. It would have been game over if the exploit was actually executed on a non-sandboxed machine.”
Oracle releases emergency patches to fix a critical vulnerability in its WebLogic servers

Savia Lobo
21 Jun 2019
2 min read
On Tuesday Oracle published an out-of-band security update containing a patch for a critical code-execution vulnerability in its WebLogic server. “This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” the Oracle update warned. The vulnerability, tracked as CVE-2019-2729, has received a Common Vulnerability Scoring System score of 9.8 out of 10.

The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default: wls9_async_response and wls-wsat.war. The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404. “This isn't the first, or even second, deserialization attack that has been used to target these services. The wls-wsat component was successfully exploited in a similar fashion in 2017, and KnownSec404 reported another one in April. The 2017 vulnerability was largely used to install bitcoin miners; April's vulnerability was exploited in cryptojacking and ransomware campaigns”, Ars Technica reported. John Heimann, Oracle's Security Program Vice-President, said this was an incorrect assessment, and that the new attacks exploit a separate vulnerability that had nothing to do with the zero-day from April.

If patching is not possible right away, the researchers propose two mitigations:

• delete "wls9_async_response.war" and "wls-wsat.war", then restart the WebLogic service
• enforce access policy controls for URL access to the paths "/_async/*" and "/wls-wsat/*"

According to Johannes Ullrich of the SANS Technology Institute, Oracle has been patching this series of deserialization vulnerabilities by individually blacklisting the deserialization of very specific classes as exploits are published. “Oracle has been using a "blacklist" approach in patching these deserialization vulnerabilities, blocking the deserialization of very specific classes, which has led to similar bypass/patch cat and mouse games in the past”, Ullrich mentions. To know more about this in detail, head over to Oracle’s blog post.
Google Calendar was down for nearly three hours after a major outage

Amrata Joshi
19 Jun 2019
2 min read
Yesterday, Google Calendar was down for nearly three hours around the world. Calendar users trying to access the service saw a 404 error message in their browsers from around 10 AM ET to 12:40 PM ET. Google updated the service details, stating, “We're investigating reports of an issue with Google Calendar. We will provide more information shortly. The affected users are unable to access Google Calendar.” During this outage, Google services including Gmail and Google Maps appeared to be unaffected, but Hangouts Meet reportedly experienced some issues.

While Calendar was down, many users expressed their concerns via tweets. Here are a few of the reactions:

https://twitter.com/BestGaryEver/status/1141004879382700040
https://twitter.com/falcons3040/status/1141143090239090689
https://twitter.com/ola11king/status/1141012717144199169
https://twitter.com/thejacegoodwin/status/1140999161434689541
https://twitter.com/ChristinaAllDay/status/1140986268878286848

Others were irritated; a user commented on Hacker News, “I guess it's time for all the Google engineers to put their LeetCode skills to the test.” People were also expecting a quicker response from the company. Another comment reads, “Over an hour into the outage, still no word at all from Google on the status page apart from -We're investigating.”

Such outages have been happening every now and then; earlier this month, Google Cloud suffered a major outage that took down a number of Google services including YouTube, GSuite, Gmail, etc. That outage also affected services that depend on Google, including Nest, Discord, Snapchat, Shopify and more. To know more about this news, check out the Service details by Google.
Mozilla releases Firefox 67.0.3 and Firefox ESR 60.7.1 to fix a zero-day vulnerability, being abused in the wild

Bhagyashree R
19 Jun 2019
2 min read
Yesterday, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 to fix an actively exploited vulnerability that can enable attackers to remotely execute arbitrary code on devices using vulnerable versions. So, if you are a Firefox user, it is recommended that you update it right now. This critical zero-day flaw was reported by Samuel Groß, a security researcher with Google Project Zero security team and the Coinbase Security team. It is a type confusion vulnerability tracked as CVE-2019-11707 that occurs “when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.” Not much information has been disclosed about the vulnerability yet, apart from this short description on the advisory page. In general, we can say that type confusion happens when a piece of code fails to verify the object type that is passed to it and blindly uses it without type-checking. The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert informing users and administrators to update Firefox as soon as possible: “The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates.” Users can install the patched Firefox versions by downloading them from Mozilla’s official website. Or, they can click on the hamburger icon on the upper-right hand corner, type Update into the search box and hit the Restart to update Firefox button to be sure. This is not the first time when a zero-day vulnerability has been found in Firefox. Back in 2016, a vulnerability was reported in Firefox that was exploited by attackers to de-anonymize Tor Browser users. The attackers then collected the user data that included their IP addresses, MAC addresses, and hostnames. Mozilla then released an emergency fix in Firefox 50.0.2 and 45.5.1 ESR. 
Firefox releases v66.0.4 and 60.6.2 to fix the expired certificate problem that ended up disabling add-ons
Firefox 67 enables AV1 video decoder ‘dav1d’, by default on all desktop platforms
Mozilla makes Firefox 67 “faster than ever” by deprioritizing least commonly used features

Bhagyashree R
18 Jun 2019
3 min read

Netflix security engineers report several TCP networking vulnerabilities in FreeBSD and Linux kernels

Yesterday, the security engineers at Netflix reported several TCP networking vulnerabilities in the FreeBSD and Linux kernels. The most serious of these, called “SACK Panic”, allows a remote attacker to trigger a kernel panic on recent Linux kernels.

Details on the TCP networking vulnerabilities

Netflix security engineers found four vulnerabilities in total, all related to the maximum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. MSS is a parameter in the TCP header of a packet that specifies the largest amount of data a host can receive in a single TCP segment. SACK is a mechanism that lets the data receiver inform the sender about all the segments that have arrived successfully.

Soon after, Red Hat also listed the vulnerabilities, background, and patches on its website and credited Netflix for reporting them. According to Red Hat, the impact of these vulnerabilities is limited to denial of service. “No privilege escalation or information leak is currently suspected,” Red Hat wrote in its post.

Following are the vulnerabilities that were reported:

SACK Panic (CVE-2019-11477)

SACK Panic is the most severe vulnerability of the four. An attacker can induce an integer overflow by sending a crafted sequence of SACKs on a TCP connection with a small MSS value. This can lead to a kernel panic from which the operating system cannot easily recover, forcing a restart and hence causing a denial of service. This vulnerability affects Linux 2.6.29 and later versions.

SACK Slowness (CVE-2019-11478 and CVE-2019-5599)

The TCP retransmission queue in Linux kernels and the RACK send map in FreeBSD can be fragmented by sending a crafted sequence of SACKs. The attacker can then exploit this fragmented queue to cause “an expensive linked-list walk for subsequent SACKs received” for that particular TCP connection. This vulnerability affects Linux 4.15 and earlier versions, and FreeBSD 12 using the RACK TCP stack.

Excess Resource Consumption Due to Low MSS Values (CVE-2019-11479)

An attacker can force a Linux kernel to divide its responses into multiple TCP segments each carrying only 8 bytes of data. Sending the same amount of data then requires more bandwidth and consumes additional resources such as CPU and NIC processing power. This vulnerability affects all Linux versions.

Next steps

The Netflix team has also listed the patches and workarounds for each vulnerability in the official report. Red Hat has recommended two options to mitigate CVE-2019-11477 and CVE-2019-11478:

Disabling the vulnerable component
Using iptables to drop connections with an MSS size that is able to exploit the vulnerability

Red Hat will be making a ‘kpatch’ available for customers running supported versions of Red Hat Enterprise Linux 7 or greater. Red Hat customers using the affected versions are recommended to update as soon as Red Hat makes the errata available. Additionally, Red Hat has provided an Ansible playbook, ‘disable_tcpsack_mitigate.yml’, which disables selective acknowledgments and makes the change permanent. More information about the mitigation steps is available on Red Hat’s official website.

NSA warns users of BlueKeep vulnerability; urges them to update their Windows systems
Over 19 years of ANU (Australian National University) students’ and staff data breached
PyPI announces 2FA for securing Python package downloads
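As an added example (not part of the original article or of Red Hat's or Netflix's own tooling), the following Python models the iptables-style low-MSS mitigation described above: it parses the MSS option out of a raw TCP header and reports whether a filter that drops SYNs advertising an MSS of 1 to 500 bytes would reject the segment. The 500-byte threshold and the sample headers are assumptions constructed here, not values the article states.

```python
import struct

SYN = 0x02                       # TCP flag bit for SYN
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
LOW_MSS_MAX = 500                # assumed cutoff: SYNs with MSS 1..500 are dropped

def mss_option(value):
    """Encode a TCP MSS option (kind 2, length 4, 16-bit value)."""
    return struct.pack("!BBH", OPT_MSS, 4, value)

def build_tcp_header(flags, options=b""):
    """Constructed sample TCP header; ports and sequence numbers are arbitrary."""
    options += b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4        # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                       data_offset << 4, flags, 65535, 0, 0) + options

def parse_tcp(header):
    """Return (flags, mss); mss is None when the segment carries no MSS option."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    flags, mss = header[13], None
    opts, i = header[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:                       # end of option list (also zero padding)
            break
        if kind == OPT_NOP:                       # single-byte no-op, no length field
            i += 1
            continue
        # every other option is TLV; reject lengths that would loop or overrun
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return flags, mss

def should_drop(header, low_mss_max=LOW_MSS_MAX):
    """Filter decision: drop a SYN whose advertised MSS lies in 1..low_mss_max."""
    flags, mss = parse_tcp(header)
    return bool(flags & SYN) and mss is not None and 1 <= mss <= low_mss_max

if __name__ == "__main__":
    tiny = build_tcp_header(SYN, mss_option(48))       # attacker-sized MSS
    normal = build_tcp_header(SYN, mss_option(1460))   # typical Ethernet MSS
    print(should_drop(tiny), should_drop(normal))      # True False
```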