Tech News - Cybersecurity

Tavis Ormandy, a vulnerability researcher at Google, uncovered a security issue in SymCrypt, the core cryptographic library for Windows, which the Microsoft team is still trying to fix. Ormandy says that if the vulnerability is exploited in a denial of service (DoS) attack, it could “take down an entire Windows fleet relatively easily”. Ormandy said that Microsoft had "committed to fixing it in 90 days". This was in line with Google's 90 days deadline for fixing or publicly disclosing bugs that its researchers find. https://twitter.com/taviso/status/1138469651799728128 On Mar 13, 2019, Ormandy informed Microsoft of this vulnerability and also posted this issue on Google’s Project Zero site. On March 26, Microsoft replied saying that it would issue a security bulletin and fix for this in the June 11 Patch Tuesday run. On June 11, Ormandy said that the Microsoft Security Response Center (MSRC) had “reached out and noted that the patch won't ship today and wouldn't be ready until the July release due to issues found in testing”. “There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric”, the bug report mentions. “I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock” Ormandy further added. “The disclosure a day after the deadline lapsed drew mixed reactions on social media, with some criticizing Ormandy for the move; and were met with short shrift”, CBR Online states. https://twitter.com/taviso/status/1138493191793963008 Davey Winder from Forbes approached  The Beer Farmers, a group of information security professionals on this issue. John Opdenakker, an ethical hacker from the group, said, "in general if you privately disclose a vulnerability to a company and the company agrees to fix it within a reasonable period of time I think it's fair to publicly disclose it if they then don't fix it on time." Another Beer Farmer professional, Sean Wright points out this is a denial of service vulnerability and there are many other ways to achieve this, which makes it a low severity issue. Wright said to Forbes, "Personally I think it's a bit harsh, every fix is different and they should allow for some flexibility in their deadline." A Microsoft spokesperson said in a statement to Forbes, “Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher's deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule. We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.” To know more about this news in detail, head over to Google’s Project Zero website. All Docker versions are now vulnerable to a symlink race attack Microsoft quietly deleted 10 million faces from MS Celeb, the world’s largest facial recognition database Microsoft releases security updates: a “wormable” threat similar to WannaCry ransomware discovered

Last week, the President of the VideoLan non-profit organization, Jean-Baptiste Kempf, released the VLC 3.0.7, a minor update of VLC branch 3.0.x. This release is termed as ‘special’ by Kempf, as it has more security issues fixed than any other version of VLC. Kempf has said that “This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the FOSSA program.” Last year, the European Commission had announced that they will support Bug Hunting for 14 open source projects it uses. As VLC Media Player was one of the products they used, they were sponsored by EU-FOSSA. In a statement to Bleeping Computers, Kempf has stated that they had “no money”, for having the bug bounty previously. He also added that, the EU-FOSS sponsorship program provided more "manpower" towards funding and fixing security bugs in the VLC 3.0.7. According to the blogpost, VLC Media Player 3.0.7 have fixed 33 valid security issues, with 2 being high security issues, 21 being medium security issues and 10 being low security issues. Out of the two high security issues, one was an out-of-bound write issue, in the the faad2 library, which is a dependency of VLC and the other is a stack buffer overflow, in the RIST Module of VLC 4.0. The medium security issues include mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues. The low security issues are mostly integer overflow, division by zero, and other out-of-band reads. Kempf has also mentioned in the blogpost, that the best hacker via their bug bounty program was ele7enxxh. Bleeping Computers reports that ele7enxxh has addressed total of 13 bugs for $13,265.02. Users are quite happy with this release, due to the huge security fixes and improvements in the VLC 3.0.7 version. https://twitter.com/evanderburg/status/1136600143707246592 https://twitter.com/alorandi/status/1137603867120734208 The VLC users can download the latest version from the VideoLan website. VLC’s updating mechanism still uses HTTP over HTTPS dav1d 0.1.0, the AV1 decoder by VideoLAN, is here NSA warns users of BlueKeep vulnerability; urges them to update their Windows systems

Yesterday, the U.S. Customs and Border Protection(CBP) revealed a data breach occurrence exposing the photos of travelers and vehicles traveling in and out of the United States. CBP first learned of the attack on May 31 and said that none of the image data had been identified “on the Dark Web or Internet”. According to a CBP spokesperson, one of its subcontractors transferred images of travelers and license plate photos collected by the agency to its internal networks, which were then compromised by the attack. The agency declined to name the subcontractor that was compromised. They also said that its own systems had not been compromised. “A spokesperson for the agency later said the security incident affected “fewer than 100,000 people” through a “few specific lanes at a single land border” over a period of a month and a half”, according to TechCrunch. https://twitter.com/AJVicens/status/1138195795793055744 “No passport or other travel document photographs were compromised and no images of airline passengers from the air entry/exit process were involved,” the spokesperson said. According to The Register’s report released last month, a huge amount of internal files were breached from the firm Perceptics and were being offered for free on the dark web to download. The company’s license plate readers are deployed at various checkpoints along the U.S.-Mexico border. https://twitter.com/josephfcox/status/1138196952812806144 Now, according to the Washington Post, “in the Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: CBP Perceptics Public Statement”. “Perceptics representatives did not immediately respond to requests for comment. CBP spokeswoman Jackie Wren said she was “unable to confirm” if Perceptics was the source of the breach.”, the Washington post further added. In a statement to The Post, Sen. Ron Wyden (D-Ore.) said, “If the government collects sensitive information about Americans, it is responsible for protecting it — and that’s just as true if it contracts with a private company.” “Anyone whose information was compromised should be notified by Customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future”, he further added. ACLU senior legislative counsel, Neema Singh Guliani said that the breach “further underscores the need to put the brakes” on the government’s facial recognition efforts. “The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place,” she said. Jim Balsillie on Data Governance Challenges and 6 Recommendations to tackle them US blacklist China's telecom giant Huawei over threat to national security Privacy Experts discuss GDPR, its impact, and its future on Beth Kindig’s Tech Lightning Rounds Podcast

Last week, the NSA published an advisory urging Microsoft Windows administrators and users to update their older Windows systems to protect against the BlueKeep vulnerability. This vulnerability was first noted by UK National Cyber Security Centre and reported by Microsoft on 14 May 2019. https://twitter.com/GossiTheDog/status/1128431661266415616 On May 30, Microsoft wrote a security notice to its users to update their systems as "some older versions of Windows" could be vulnerable to cyber-attacks. On May 31, MalwareTech posted a detailed analysis of the BlueKeep vulnerability. “Microsoft has warned that this flaw is potentially “wormable,” meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw,” the advisory states. BlueKeep(CVE-2019-0708) is a vulnerability in the Remote Desktop (RDP) protocol. It is present in Windows 7, Windows XP, Server 2003 and 2008, and although Microsoft has issued a patch, potentially millions of machines are still vulnerable. “This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability”, the advisory explains. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems. They have also suggested some additional measures that can be taken: Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used in RDP protocol and will block attempts to establish a connection. Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication. Disable remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat. Why has the NSA urged users and admins to update? Ian Thornton-Trump, head of security at AmTrust International told Forbes, “I suspect that they may have classified information about actor(s) who might target critical infrastructure with this exploit that critical infrastructure is largely made up of the XP, 2K3 family." NSA had also created a very similar EternalBlue exploit which was recently used to hold the city of Baltimore’s computer systems for ransom. The NSA developed the EternalBlue attack software for its own use but lost control of it when it was stolen by hackers in 2017. BlueKeep is similar to EternalBlue that Microsoft compared the two of them in its warning to users about the vulnerability. "It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise," Microsoft wrote in its security notice to customers. Microsoft also compared the risks to those of the WannaCry virus, which infected hundreds of thousands of computers around the world in 2017 and caused billions of dollars worth of damage. NSA said patching against BlueKeep is “critical not just for NSA’s protection of national security systems but for all networks.” To know more about this news in detail, head over to Microsoft’s official notice. Approx. 250 public network users affected during Stack Overflow's security attack Over 19 years of ANU(Australian National University) students’ and staff data breached 12,000+ unsecured MongoDB databases deleted by Unistellar attackers

On Tuesday, Firefox released a number of updates to its browser with the intention of putting “people’s privacy first”. The new features were detailed by Dave Camp, Senior Vice President of Firefox in a blog post. Firefox will roll out its Enhanced Tracking Protection, to all new users on by default. Additionally, they have upgraded Facebook Container extension, a Firefox desktop extension for Lockwise, and Firefox Monitor’s new dashboard to manage multiple email addresses. Enhanced Tracking Protection blocks third party cookies by default Firefox’s Enhanced Tracking Protection offers protection controls to users to block third party cookies at their own level of comfort with three settings - Standard, Strict, and Custom. Per the new update, for all new users who install and download Firefox for the first time, Enhanced Tracking Protection will automatically be set on by default as part of the ‘Standard’ setting in the browser. The standard settings block known trackers and their cookies. Strict will block known trackers in all Firefox windows. This includes third party trackers and tracking cookies The custom setting of enhanced tracking protection allows you to select which trackers and cookies you want to block. https://twitter.com/jensimmons/status/1134549448120578048 This feature will be present as a shield icon in the address bar next to the URL address. Users can also see which companies are blocked by clicking on the shield icon. For existing users, Enhanced Tracking Protection by default will be rolled out in the coming months. Manually, users can turn this feature on by clicking on the menu icon marked by three horizontal lines at the top right of the browser, then under Content Blocking. Firefox Monitor- see if you’ve been part of an online data breach Firefox Monitor has a new feature in the form of a breach dashboard that presents a quick summary of updates for all registered email accounts. Firefox Monitor was launched in September, last year, as a free service that notifies people if they’ve been part of a data breach. The new breach dashboard helps users track and manage multiple email addresses, including both personal and professional email accounts. Users can easily identify which emails are being monitored, how many known data breaches may have exposed their information, and specifically, if any passwords have been leaked across those breaches. Safe password management with Firefox Lockwise Firefox have rolled out a new desktop extension that offers users safe password management features, the Firefox Lockwise. It will provide an additional touchpoint to store, edit and access passwords. Firefox Lockwise is already available for iOS, Android and iPad. The new Firefox Lockwise desktop extension includes: A new dashboard interface to manage saved list of passwords. For frequently visiting sites, users can quickly reference and edit what is being stored. For sites with fewer or no visits, users can easily delete a saved password. The mobile app and desktop extension can help users quickly retrieve your password to access a site account. Facebook Container now blocks tracking from other sites Firefox have updated their Facebook Container extension to prevent Facebook from tracking users on other sites that have embedded Facebook capabilities such as the Share and Like buttons on their site. Facebook Container is an add-on/web extension that helps users take control and isolate their web activity from Facebook. This blocking reduces Facebook’s propensity to build shadow profiles of non-Facebook users. Users would know the blocking is in effect when they see Facebook Container purple fence badge. It is interesting that Mozilla released a slew of updates following Apple's privacy focused features announced at WWDC 2019. It almost feels like they are acting as a counter balance to Google and Facebook, who have been under scrutiny for their data misinformation and privacy scandals. Google Chrome has also banned ad blockers for all users by deprecating the blocking capabilities of the webRequest API in Manifest V3. Chrome’s capability to block unwanted content will be restricted to only paid, enterprise users of Chrome. https://twitter.com/dhh/status/1136058254608355328 https://twitter.com/queercommunist/status/1135906369599549440 https://twitter.com/johnwilander/status/1135911532779335680 Learn more about these privacy features on Mozilla Blog. Firefox 67 enables AV1 video decoder ‘dav1d’, by default on all desktop platforms Mozilla makes Firefox 67 “faster than ever” by deprioritizing least commonly used features Firefox 67 will come with faster and reliable JavaScript debugging tools

The Australian National University (ANU) recently revealed they were hacked and personal data of students and staff over 19 years have been accessed. An official letter from ANU’s Vice-Chancellor, Brian Schmidt said that in late 2018 a “sophisticated operator” accessed their systems illegally. However, the breach was detected just two weeks ago and the ANU staff is working towards strengthening the systems “against secondary or opportunistic attacks”, Schmidt said. Regarding details on what data was affected, Schmidt wrote, “Depending on the information you have provided to the University, this may include names, addresses, dates of birth, phone numbers, personal email addresses, and emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Student academic records were also accessed.” However, the systems that store credit card details, travel information, medical records, police checks, workers' compensation, vehicle registration numbers, and some performance records have not been affected. Schmidt also said, “We have no evidence that research work has been affected” and that ANU is working closely with Australian government security agencies and industry security partners to investigate further. Suthagar Seevaratnam, ANU’s Chief Information Security Officer, also wrote a letter, today, addressing the ANU community and suggested certain steps users can take to stay safe while using emails, passwords, and also advice on general device maintenance and configuration. “If you have not reset your ANU password since November 2018, it is highly advised that you do so immediately,” he mentions in his letter. This is the second data breach in ANU’s system, which lasted for seven months. Last year, in July, the ANU revealed that hackers infiltrated its systems. Schmidt said, “Following the incident reported last year, we undertook a range of upgrades to our systems to better protect our data.  Had it not been for those upgrades, we would not have detected this incident”. “The university said it did not believe data was stolen in that attack, which national security sources said was the work of the Chinese government”, The Sydney Morning Herald reports. What will hackers actually gain by such data breach? The Australian National University is considered to be one of the nation's most prestigious educational institutions and is home to global leading research. The hackers may be trying to leverage more information about international students who attend classes at the ANU university. “The ANU also educates on national security and houses the Strategic and Defence Studies Centre and the National Security College”, ABC Canberra news reports. Jamie Travers, a producer at ABC Canberra, tweeted that he had a conversation with the ANU media and they declined any information sharing about the massive breach. https://twitter.com/JamieTravers/status/1135732681407262725 Tom Uren, a senior analyst at the Australian Strategic Policy Institute told Travers that there could be two possible types of hackers behind this breach: 1) A state-sponsored group (presumably China) 2) A cybercriminal gang Travers also put forward his hypothesis on “why would a state-sponsored group such as China hack the ANU?” by giving two reasons: https://twitter.com/JamieTravers/status/1135749238468382720 https://twitter.com/JamieTravers/status/1135749435185516544 In one of his tweets, Travers also highlighted the profit a cybercriminal gang would get by breaching the ANU data, which include: Could use TFNs to file bogus tax returns. Could use bank account details to try and access users’ account. Could sell data as a whole to someone else online for ID theft. Schmidt, in his letter, said, “the University has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion”. To know more about this news in detail, read Brian Schmidt’s official letter to ANU’s students and staff. Facebook confessed another data breach; says it “unintentionally uploaded” 1.5 million email contacts without consent Canva faced security breach, 139 million users data hacked: ZDNet reports DockerHub database breach exposes 190K customer data including tokens for GitHub and Bitbucket repositories

Yesterday, Python’s core development team announced that PyPI now offers two-factor authentication to increase the security of Python package downloads and thus reduce the risk of unauthorized account access. The team announced that the 2FA will be introduced as a login security option on the Python Package Index. “We encourage project maintainers and owners to log in and go to their Account Settings to add a second factor”, the team wrote on the official blog. The blog also mentions that this project is a “grant from the Open Technology Fund; coordinated by the Packaging Working Group of the Python Software Foundation.” PyPI currently supports a single 2FA method that generates code through a Time-based One-time Password (TOTP) application. After users set up a 2FA on their PyPI account, they must provide a TOTP (along with your username and password) to log in. Therefore, to use 2FA on PyPI, users will need to provide an application (usually a mobile phone app) in order to generate authentication codes. Currently, only TOTP is supported as a 2FA method. Also, 2FA only affects login via the website, which safeguards against malicious changes to project ownership, deletion of old releases, and account takeovers. Package uploads will continue to work without 2FA codes being provided. Developers said that they are working on WebAuthn-based multi-factor authentication, which will allow the use of Yubikeys for your second factor, for example. They further plan to add API keys for package upload, along with an advanced audit trail of sensitive user actions. A user on HackerNews answered a question, “Will I lock myself out of my account if I lose my phone?” by saying,  “You won't lock yourself out. I just did a quick test and if you reset your password (via an email link) then you are automatically logged in. At this point you can even disable 2FA. So 2FA is protecting against logging in with a stolen password, but it's not protecting against logging in if you have access to the account's email account. Whether or not that's the intended behaviour is another question…” To know more about the ongoing security measures taken, visit Python’s official blog post. Salesforce open sources ‘Lightning Web Components framework’ Time for data privacy: DuckDuckGo CEO Gabe Weinberg in an interview with Kara Swisher Which Python framework is best for building RESTful APIs? Django or Flask?

Yesterday Aleksa Sarai, Senior Software Engineer at SUSE Linux GmbH, notified users that the ‘docker cp' is vulnerable to symlink-exchange race attacks. This attack makes all the Docker versions vulnerable. This attack can be seen as a continuation of some 'docker cp' security bugs that Sarai had found and fixed in 2014. This attack was discovered by Sarai, “though Tõnis Tiigi (software engineer at Docker) did mention the possibility of an attack like this in the past (at the time we thought the race window was too small to exploit)”, he added. The basis of this attack is that FollowSymlinkInScope suffers from a fundamental TOCTOU attack. FollowSymlinkInScope is used to take a path and resolve it safely as though the process was inside the container. Once the full path is resolved, it is passed around a bit and operated later on. If an attacker adds a symlink component to the path after the resolution, but before it is operated on, then the user will end up resolving the symlink path component on the host as root. Sarai adds, “As far as I'm aware there are no meaningful protections against this kind of attack. Unless you have restricted the Docker daemon through AppArmor, then it can affect the host filesystem”. Two reproducers of the issue have been attacked, including a Docker image and an empty directory in a loop hoping to hit the race condition. The Docker image contains a simple binary that does a RENAME_EXCHANGE of a symlink to "/”. In both the scripts, the user will be trying  to copy a file to or from a path containing the swapped symlink. However, the run_write.sh script can overwrite the host filesystem in very few iterations. This is because internally Docker has a "chrootarchive" concept where the archive is extracted from within a chroot. However in Docker, it chroots into the parent directory of the archive target which can be controlled by the attacker. This makes the attacker more likely to succeed. In an attempt to come up with a better solution for this problem, Sarai is working on Linux kernel patches. This will “add the ability to safely resolve paths from within a roots”. Users are concerned with the Docker versions being vulnerable as ‘docker cp’ is a very popular command. A user on Reddit says, “This seems really severe, it basically breaks a lot of the security that docker is assumed to provide. I know that we're often told not to rely upon docker for security, but still. I guess trusted but unsecure containers where the attack is executed after startup are still safe, because the docker cp command has already been executed before the attack begins.” A user on Hacker News comments, “So from a reading of the advisory and pull request, this seems to affect a specific set of scenarios, where a malicious image is running. Not sure if there are other scenarios where this would hit as well. One to be aware of, but as with most vulnerabilities, good to understand how it can be exploited, when you're assessing mitigations” To read more details of the notification, head over to Sarai’s mailing list. Angular 8.0 releases with major updates to framework, Angular Material, and the CLI Canva faced security breach, 139 million users data hacked: ZDNet reports SENSORID attack: Calibration fingerprinting that can easily trace your iOS and Android phones, study reveals

Last Friday, ZDNet reported about Canva’s data breach. Canva is a popular Sydney-based startup which offers a graphic design service. According to the hacker, who directly contacted ZDNet, data of roughly 139 million users has been compromised during the breach. Responsible for the data breach is a hacker known as GnosticPlayers online. Since February this year, they have put up the data of 932 million users on sale, which are reportedly stolen from 44 companies around the world. "I download everything up to May 17," the hacker said to ZDNet. "They detected my breach and closed their database server." Source: ZDNet website In a statement on the Canva website, the company confirmed the attack and has notified the relevant authorities. They also tweeted about the data breach on 24th May as soon as they discovered the hack and recommended their users to change their passwords immediately. https://twitter.com/canva/status/1132086889408749573 “At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first,” the statement said. “On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI). “We’re aware that a number of our community’s usernames and email addresses have been accessed.” Stolen data included details such as customer usernames, real names, email addresses, and city & country information. For 61 million users, password hashes were also present in the database. The passwords where hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around. For other users, the stolen information included Google tokens, which users had used to sign up for the site without setting a password. Of the total 139 million users, 78 million users had a Gmail address associated with their Canva account. Canva is one of Australia's biggest tech companies. Founded in 2012, since the launch, the site has shot up the Alexa website traffic rank, and has been ranking among the Top 200 popular websites. Three days ago, the company announced it raised $70 million in a Series-D funding round, and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world's biggest free stock content sites -- Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker. According to reports from Business Insider, the community was dissatisfied with how Canva responded to the attack. IT consultant Dave Hall criticized the wording Canva used in a communication sent to users on Saturday. He believes Canva did not respond fast enough. https://twitter.com/skwashd/status/1132258055767281664 One Hacker News user commented , “It seems as though these breaches have limited effect on user behaviour. Perhaps I'm just being cynical but if you are aren't getting access and you are just getting hashed passwords, do people even care? Does it even matter? Of course names and contact details are not great. I get that. But will this even effect Canva?” Another user says, “How is a design website having 189M users? This is astonishing more than the hack!” Facebook again, caught tracking Stack Overflow user activity and data Ireland’s Data Protection Commission initiates an inquiry into Google’s online Ad Exchange services Adobe warns users of “infringement claims” if they continue using older versions of its Creative Cloud products

A report released by Motherboard yesterday reveals employees of Snap Inc., the parent company of the popular social media, Snapchat, abused privileged data management tools to spy on Snap users. They gained access to location, contact details, email addresses, even saved Snaps! This news was first reported by Motherboard stating that various departments within Snap have dedicated tools for accessing data. Talking about sources, Motherboard said, “two former employees said multiple Snap employees abused their access to Snapchat user data several years ago”. Along with those sources, Motherboard also obtained information from two other former employees, a current employee, and a cache of internal company emails. The sources and the emails obtained highlight one of the internal tools that can access user data called SnapLion   Former employees said that SnapLion was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena. “Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it, is a reference to the cartoon character Leo the Lion”, Motherboard reports. Snap Inc.’s ‘Spam and Abuse’ team has access to the tool and it can also be used to combat bullying or harassment on the platform by other users. Motherboard said, “An internal Snap email obtained by Motherboard says a department called "Customer Ops" also has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported”. “Motherboard granted multiple sources in this story anonymity to speak candidly about internal Snap processes”, reports Motherboard. Snapchat has a customer bandwidth of around 186 million users who use it to share photos, videos, or post stories trusting that it may get auto-deleted as per Snapchat’s privacy policies. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story). However, in 2014, the Federal Trade Commission fined Snapchat for failing to disclose that the company collected, stored, and transmitted geolocation data. A Snap spokesperson wrote to Motherboard, “Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination." A few years ago, SnapLion did not have a satisfactory level of logging to track what data employees accessed, a former employee said. The company then implemented more monitoring, the former employee added. Snap said it currently monitors access to user data. The second former employee said, "Logging isn't perfect". “Snap said it limits internal access to tools to only those who require it, but SnapLion is no longer a tool purely intended to help law enforcement. It is now used more generally across the company”, the former employees reported. One of them who worked with SnapLion said the tool is used for resetting passwords of hacked accounts and "other user administration." A current employee said that the company's strides for user privacy and two former employees stressed the controls Snap has in place for protecting user privacy. Snap also introduced end to end encryption in January of this year. Similar to Snap Inc. there are stories where other tech giants like Facebook, Uber employees have accessed their ex-employees’ data. Facebook fired some of its employees in May, last year, for using their privileged access to user data to stalk exes. In 2016, Uber employees, on the other hand, used internal systems to spy on ex-partners, politicians, and celebrities. https://twitter.com/justkelly_ok/status/1131750164773818369 Read more about this news in detail on Motherboard’s full coverage. A WhatsApp vulnerability enabled attackers to inject Israeli spyware on user’s phones Intel discloses four new vulnerabilities labeled MDS attacks affecting Intel chips Atlassian Bitbucket, GitHub, and GitLab take collective steps against the Git ransomware attack

On Wednesday, Germany’s biggest bank, Deutsche Bank, shared that it has found a bug in its decade old software that it has using for flagging suspicious transactions. This news came out just a day ahead of the bank’s annual shareholders meeting held on May 23. According to a Deutsche Bank spokesman the faulty software was one of the many anti-financial crime systems that the bank uses. The glitch happened because two of 121 parameters in the software were not defined accurately. It was detected when employees from the bank's anti-financial crime unit started working on improving the bank’s internal processes last year. In a statement the bank said, “Deutsche Bank is working on correcting the error as quickly as possible and is in close contact with the regulators." This news has further dealt a major blow to the bank's reputation as it is already facing several accusations regarding its involvement in money laundering. On Tuesday, The New York Times reported that during 2016-2017, the bank’s executives were informed by its anti-laundering-specialists about several suspicious transactions. These transactions, which also involved Donald J. Trump and his son-in-law, Jared Kushner, were first flagged by a computer system. Despite these reports, the bank refused to take any action. "Compliance staff members who then reviewed the transactions prepared so-called suspicious activity reports that they believed should be sent to a unit of the Treasury Department that polices financial crimes. But executives at Deutsche Bank, which has lent billions of dollars to the Trump and Kushner companies, rejected their employees’ advice," wrote The New York Times in its report. Following these news, the bank's share price reached a new record low on Thursday morning and needless to say, this left its shareholders unimpressed. At the bank's Annual General Meeting, Christian Sewing, the Deutsche Bank chief executive, faced discontent of the shareholders regarding the bank’s top management. He has now promised to improve the bank's internal controls and is planning to "make tough cutbacks” to reverse the damages. Addressing the investors, Sewing said, "We will accelerate transformation by rigorously focusing our bank on profitable and growing businesses which are particularly relevant to our clients." Read the full story on The New York Times. Lloyds Bank’s online services which were down due to DNSSEC issues have been restored! Wells Fargo’s online and mobile banking operations suffer a major outage Apple’s March Event: Apple changes gears to services, is now your bank, news source, gaming zone, and TV

Yesterday, TechCrunch reported that thousands of TP-Link routers are still vulnerable to a bug, discovered in January 2018. This vulnerability can allow any low-skilled attacker to remotely gain full access to an affected vulnerable router. The attacker could also target a vulnerable device, in a massive way, by searching the web thoroughly and hijacking routers by using default passwords, the way Mirai botnet had downed Dyn. TP-Link updated the firmware page sharing this vulnerability to their customers, only after TechCrunch reached out to them. https://twitter.com/zackwhittaker/status/1131221621287604229 In October 2017, Andrew Mabbitt (founder of U.K. cybersecurity firm, Fidus Information Security) had first discovered and disclosed a remote code execution bug in TP-Link WR940N router. The multiple vulnerabilities occurred due to multiple code paths calling strcpy on user controllable unsanitized input. TP-Link later released a patch for the vulnerable router in November 2017. Again in January 2018, Mabbitt warned TP-Link that another router WR740N was also at risk by the same bug. This happened because the company reused the same vulnerable code for both the devices. TP-Link asked Mabbitt for more details about CVE-2017-13772 (wr940n model) vulnerability. After providing the details, Mabbitt requested for an update thrice and warned them of public disclosure in March, if they did not provide an update. Later on 28th March 2018, TP-Link provided Mabbitt with a beta version of the firmware to fix the issue. He confirmed that the issue has been fixed and requested TP-Link to release the live version of the firmware. After receiving no response from TP-Link for another month, Mabbitt then publicly disclosed the vulnerability on 26th April 2018. The patch was still not fixed by then. When TechCrunch enquired, the firmware update for WR740N was missing on the company’s website till 16th May 2019. A TP-Link spokesperson told TechCrunch that the update was, “currently available when requested from tech support” and did not explain the reason. It was only when TechCrunch highlighted this issue did TP-Link, they updated the firmware page on 17th May 2019, to include the latest security update. They have specified that the firmware update is meant to resolve issues that the previous firmware version may have and improve its current performance. In a statement to TechCrunch, Mabbitt said, “TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company’s tech support.” This has been a highly irresponsible behavior from TP-Link’s end. Even after, a third person discovered its bug more than a year ago, TP-Link did not even bother to keep their users updated about it. This news comes at a time when both the U.K. and the U.S. state of California are set to implement laws to improve Internet of Things security. Soon companies will require devices to be sold with unique default passwords to prevent botnets from hijacking internet-connected devices at scale and using their collective internet bandwidth to knock websites offline. https://twitter.com/dane/status/1131224748577312769 Read More Approx. 250 public network users affected during Stack Overflow’s security attack Intel discloses four new vulnerabilities labeled MDS attacks affecting Intel chips A WhatsApp vulnerability enabled attackers to inject Israeli spyware on user’s phones

Over the last three weeks, more than 12,000 unsecured MongoDB databases have been deleted. The cyber-extortionist have left only an email contact, most likely to negotiate the terms of data recovery. Attackers looking for exposed database servers use BinaryEdge or Shodan search engines to delete them and usually demand a ransom for their 'restoration services'. MongoDB is not new to such attacks, previously in September 2017 MongoDB databases were hacked, for ransom. Also, earlier this month, Security Discovery researcher Bob Diachenko found an unprotected MongoDB database which exposed 275M personal records of Indian citizens. The record contained a personal detailed identifiable information such as name, gender, date of birth, email, mobile phone number, and many more. This information was left exposed and unprotected on the Internet for more than two weeks. https://twitter.com/MayhemDayOne/status/1126151393927102464 The latest attack on MongoDB database was found out by Sanyam Jain, an independent security researcher. Sanyam first noticed the attacks on April 24, when he initially discovered a wiped MongoDB database. Instead of finding the huge quantities of leaked data, he found a note stating: “Restore ? Contact : unistellar@yandex.com”. It was later discovered that the cyber-extortionists have left behind ransom notes asking the victims to get in touch, if they want to restore their data. Two email addresses were provided for the same: unistellar@hotmail.com or unistellar@yandex.com. This method to find and wipe databases in such large numbers is expected to be automated by the attackers. The script or program used to connect to the publicly accessible MongoDB databases is also configured to indiscriminately delete every unsecured MongoDB it can find and later add it to the ransom table. In a statement to Bleeping Computer, Sanyam Jain says, “the Unistellar attackers seem to have created restore points to be able to restore the databases they deleted” Bleeping Computer have stated that there is no way to track if the victims have been paying for the databases to be restored because Unistellar only provides an email to be contacted and no cryptocurrency address is provided. Bleeping Computer also tried to get in touch with Unistellar to confirm if the wiped MongoDB databases are indeed backed up and if any victim have already paid for their "restoration services" but got no response. How to secure MongoDB databases MongoDB databases are remotely accessible and access to them is not properly secured. These frequent attacks highlight the need for an effective protection of data. This is possible by following fairly simple steps designed to properly secure one’s database. Users should take the simple preventive measure of enabling authentication and not allowing the databases to be remotely accessible. MongoDB has also provided a detailed manual for Security. It includes various features, such as authentication, access control, encryption, to secure a MongoDB deployments. There’s also a Security Checklist for administrators to protect the MongoDB deployment. The list discusses the proper way of enforcing authentication, enabling role-based access control, encrypt communication, limiting network exposure and many more factors for effectively securing MongoDB databases. To know more about this news in detail, head over to Bleeping Computer’s complete coverage. MongoDB is going to acquire Realm, the mobile database management system, for $39 million MongoDB withdraws controversial Server Side Public License from the Open Source Initiative’s approval process GNU Health Federation message and authentication server drops MongoDB and adopts PostgreSQL

Last year, a GDPR complaint was filed against Google and other ad auction companies regarding data breach. The complaint alleged that tech companies broadcasted people’s personal data to dozens of companies, without proper security through a mechanism of “behavioural ads”. The complaint was filed by a host of privacy activists and pro-privacy browser firm Brave. This year in January, new evidences emerged indicating the broadcasted data includes information about people’s ethnicity, disabilities, sexual orientation and more. This sensitive information allows advertisers to specifically target incest, abuse victims, or those with eating disorders. This complaint was filed by an anti-surveillance NGO, the Panoptykon Foundation. The initial complaints were filed in Ireland, the UK, and Poland. Now, yesterday, a new GDPR complaint about Real-Time Bidding (RTB) in the online advertising industry was filed with Data Protection Authorities in Spain, Netherlands, Belgium, and Luxembourg. In total seven EU countries have raised the GDPR issue, this week when it marked completion of one year since Europe’s General Data Protection Regulation (GDPR) came into force. The complaints were lodged by Gemma Galdon Clavell , Diego Fanjul , David Korteweg , Jef Ausloos , Pierre Dewitte , and Jose Belo . The complaints suggest Google and other major companies have leaked vast scale of personal data to the “Ad Tech” industry. https://twitter.com/mikarv/status/1130374705440018433 How RTB system is used for data breach According to the complaint, Google’s DoubleClick recently renamed “Authorized Buyers”, has 8.4 million websites and uses it to broadcasts personal data about visitors to over 2,000 companies. Google is using Real-Time Bidding (RTB) system for it. This means every time a person visits Google web page, intimate personal data about the users and what they are viewing is broadcasted in a “bid request”. These requests are then sent to hundreds of other companies to solicit bids from potential advertisers’ for the opportunity to show an ad to a specific visitor. This data includes people’s exact locations, inferred religious, sexual, political characteristics. The data also includes what users are reading, watching, and listening to online, and a unique code which details to  'Expression of Interest' section on a website. The next biggest ad exchange is AppNexus, owned by AT&T, which conducts 131 billion personal data broadcasts every day. Once the data is broadcasted, there is no control as to what happens to the data thereafter. Google has a self-regulatory guideline for companies that rely on its broadcast, according to which, companies should inform them if they are breaking any rules. Google has assured that over 2,000 companies are “certified” in this way. However, Google DoubleClick/Authorized Buyers sends intimate personal information about virtually every single online person to these companies, billions of times a day. This is one of the massive leakage of personal data recorded so far as this occurs hundreds of billions of times every day. In a statement to Fix AdTech, CEO of Eticas, Gemma Galdon Cavell has said, “We hope that this complaint sends a strong message to Google and those using Ad Tech solutions in their websites and products. Data protection is a legal requirement must be translated into practices and technical specifications” Google will be fined heavy for not complying to GDPR Under the GDPR, a company is not permitted to use personal data unless it tightly controls what happens to that data. Article 5 (1)(f) requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss.” The largest GDPR fine ever, is issued to Google amounting to 50M euros. In January, a French data protection watchdog, CNIL alleged that the search engine giant was breaking GDPR rules around transparency. It also reported that Google did not have valid legal base, when processing people's data for advertising purposes. Meanwhile, Google is still appealing to the fine. Many users on Hacker News are having varied opinions regarding the need for regulation and also about the credibility of GDPR. A user states, “To be clear, I think some privacy regulation is necessary, but there seems to be some kind of dissonance. People want a service, but are unwilling to pay for it nor give their data. Then they complain to the government that they should be able to get the service without payment anyway.” Another user added, “From a user perspective, GDPR has no impact so far. I am still being tracked to death wherever I go. Neither do companies offer me a way to get the data they have about me.” GAO recommends for a US version of the GDPR privacy laws ProtonMail shares guidelines to help organizations achieve EU GDPR compliance As US-China tech cold war escalates, Google revokes Huawei’s Android support, allows only those covered under open source licensing

Salesforce informed its customers that it was facing a major issue with its service, early Friday morning, and mentioned that it was working towards resolving the issue soon. The popular cloud-based software company experienced an outage due to its faulty database script after the company made changes to its production environment. Due to this, users got access to a broad amount of data than intended where they could see all the company’s data irrespective of the permissions. Salesforce said that the outage, which began on Friday and lasted just over 15 hours, is over - although some may experience a few issues as the platform gets back up to speed. Salesforce’s chief technology officer and a co-founder, Parker Harris, acknowledged the issue at 12:40 p.m. Eastern time the same day, and tweeted that Salesforce employees were working on the problem. https://twitter.com/parkerharris/status/1129426438325587969 According to reports on Reddit, users not only received read access but also received write permissions, thus, making it easy for malicious employees to steal or tamper with a company's data. Salesforce said the script only impacted customers of Salesforce Pardot or have used Pardot in the past. According to The Register, “To deal with the mess, Salesforce's IT team has denied all access to more than 100 cloud instances that host Pardot users, shutting out everyone else using those same systems, whether or not they were using Pardot.” Customers who were not affected may have also experienced certain service disruptions including customers using Marketing Cloud integrations. https://twitter.com/sfdcmitch/status/1129403764513787905 Salesforce customers in Europe and North America were the most impacted by the company shutting down access to its own service. Salesforce said, “We have started unblocking customers who were not affected by the permission issues.” https://twitter.com/sfdcmitch/status/1129403764513787905 https://twitter.com/RealSalesAdvice/status/1129421822007566336 On the 18th, at 5.40 a.m. Eastern time, Salesforce, on its status page, announced that access had been restored for administrators of all organizations that had been affected by the permission issues. “We are preparing a set of instructions for admins that may need guidance on how to manually restore those permissions. As soon as the instructions are final, we will inform admins via an email that will contain a link to the instructions,” the company said. The company further updated: “We have restored administrators' access to all affected orgs as of 08:04 UTC. We have prepared a set of instructions for admins that may need guidance on how to manually restore those user permissions. We notified admins via an email that contained a link to the instructions. A subset of admins may still be experiencing issues such as logging in to their orgs, modifying perms that are uneditable, or timeouts.” To know more about this in detail, visit Salesforce’s status page. DockerHub database breach exposes 190K customer data including tokens for GitHub and Bitbucket repositories Facebook confessed another data breach; says it “unintentionally uploaded” 1.5 million email contacts without consent Justice Department’s indictment report claims Chinese hackers breached business  and government network