Category Archives: Internet

Maths and tech specialists need Hippocratic oath, says academic

Exclusive: Hannah Fry says ethical pledge needed in tech fields that will shape future

Mathematicians, computer engineers and scientists in related fields should take a Hippocratic oath to protect the public from powerful new technologies under development in laboratories and tech firms, a leading researcher has said.

The ethical pledge would commit scientists to think deeply about the possible applications of their work and compel them to pursue only those that, at the least, do no harm to society.

Despite being invisible, maths has a dramatic impact on our lives


Flaws in HTTP/2 implementations expose servers to DoS attacks

Experts at Netflix and Google discovered eight denial-of-service (DoS) vulnerabilities affecting various HTTP/2 implementations.

Researchers from Netflix and Google discovered eight denial-of-service (DoS) flaws affecting various HTTP/2 implementations. Some of the flawed implementations belong to tech giants such as Amazon, Apple, Facebook, and Microsoft. The security flaws affect the most popular web server software, including Apache, Microsoft’s IIS, and NGINX.

The vulnerabilities could be exploited by attackers to launch DoS attacks against servers that support HTTP/2. Seven of the flaws were discovered by Jonathan Looney of Netflix and one (CVE-2019-9518) by Piotr Sikora of Google; all of them result from resource exhaustion when handling malicious input.

HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. It was derived from the earlier experimental SPDY protocol, originally developed by Google.

The HTTP/2 protocol aims to make applications faster, secure, and more robust.

“These HTTP/2 vulnerabilities do not allow an attacker to leak or modify information,” Netflix explains in an advisory. “Rather, they allow a small number of low bandwidth malicious sessions to prevent connection participants from doing additional work. These attacks are likely to exhaust resources such that other connections or processes on the same machine may also be impacted or crash.”

Below is the list of vulnerabilities discovered by the experts:

  1. CVE-2019-9511 — HTTP/2 “Data Dribble”
  2. CVE-2019-9512 — HTTP/2 “Ping Flood”
  3. CVE-2019-9513 — HTTP/2 “Resource Loop”
  4. CVE-2019-9514 — HTTP/2 “Reset Flood”
  5. CVE-2019-9515 — HTTP/2 “Settings Flood”
  6. CVE-2019-9516 — HTTP/2 “0-Length Headers Leak”
  7. CVE-2019-9517 — HTTP/2 “Internal Data Buffering”
  8. CVE-2019-9518 — HTTP/2 “Request Data/Header Flood”

In the attack scenario presented by the experts, a malicious client contacts the server and gets it to generate a response, then refuses to read that response. “This exercises the server’s queue management code. Depending on how the server handles its queues, the client can force it to consume excess memory and CPU while processing its requests,” the advisory continues.

The CERT/CC also published a security advisory that includes a matrix of affected products and vulnerabilities. Apple, Akamai, Cloudflare, Microsoft, and NGINX have already released security patches to address the flaws. Short of patching, the only mitigation is to disable HTTP/2 support on affected servers, at a cost in performance.
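As an added example (not code from Netflix, Google or any of the affected servers), the following Python models the per-connection accounting a patched server can keep against the floods listed above: it parses raw HTTP/2 frames and budgets the cheap client frames that force the server to queue replies, so a client that keeps sending PINGs, SETTINGS or stream errors while refusing to read its responses is cut off before memory and CPU run away. Frame types and flags follow RFC 7540; the thresholds, the `ConnectionGuard` class and the sample byte streams are assumptions constructed for the demo.

```python
"""Per-connection accounting for HTTP/2 control-frame floods.

Added illustrative example; not code from Netflix, Google or any affected server.
It parses the 9-octet frame header of RFC 7540 section 4.1 from a raw byte stream
and budgets frames that cost the client almost nothing but oblige the server to do
work: PING and SETTINGS (an ACK is owed), invalid WINDOW_UPDATEs (a RST_STREAM is
owed) and zero-length DATA/HEADERS frames that never complete a request.
All thresholds are assumptions for the demo, not values from any real server.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Frame type codes, RFC 7540 section 6
(DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PUSH_PROMISE,
 PING, GOAWAY, WINDOW_UPDATE, CONTINUATION) = range(10)
FLAG_END_STREAM = 0x1   # on DATA and HEADERS
FLAG_END_HEADERS = 0x4  # on HEADERS and CONTINUATION
FLAG_ACK = 0x1          # on SETTINGS and PING
HEADER_LEN = 9

Frame = Tuple[int, int, int, bytes]  # (type, flags, stream_id, payload)


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data: bytes) -> List[Frame]:
    """Split a byte stream into frames; a trailing partial frame is left for the next read."""
    frames, off = [], 0
    while off + HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + HEADER_LEN:off + HEADER_LEN + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        off += HEADER_LEN + length
    return frames


@dataclass
class ConnectionGuard:
    """Work the peer has forced on us that we have not yet been able to flush.

    pending_control: PING ACKs, SETTINGS ACKs and RST_STREAMs we owe the peer.
    empty_frames:    zero-length DATA/HEADERS/CONTINUATION frames without END_STREAM.
    """
    max_pending_control: int = 100   # assumption for the demo
    max_empty_frames: int = 50       # assumption for the demo
    pending_control: int = 0
    empty_frames: int = 0

    def on_flush(self, frames_sent: int) -> None:
        """The socket accepted our output: a client that reads its responses keeps the budget low."""
        self.pending_control = max(0, self.pending_control - frames_sent)

    def on_frame(self, ftype: int, flags: int, stream_id: int, payload: bytes) -> Optional[str]:
        """Account for one inbound frame; return a reason to close the connection, or None."""
        if ftype in (PING, SETTINGS) and not flags & FLAG_ACK:
            self.pending_control += 1   # peer expects an ACK frame from us
        elif (ftype == WINDOW_UPDATE and stream_id != 0 and len(payload) == 4
              and int.from_bytes(payload, "big") & 0x7FFFFFFF == 0):
            self.pending_control += 1   # increment 0 is a stream error: we owe a RST_STREAM (RFC 7540 s6.9)
        elif ftype in (DATA, HEADERS, CONTINUATION) and not payload and not flags & FLAG_END_STREAM:
            self.empty_frames += 1      # parsed, but makes no progress on any request
        if self.pending_control > self.max_pending_control:
            return f"control-frame flood: {self.pending_control} unflushed PING/SETTINGS/RST_STREAM replies"
        if self.empty_frames > self.max_empty_frames:
            return f"empty-frame flood: {self.empty_frames} zero-length frames without END_STREAM"
        return None


def inspect_stream(data: bytes, client_reads: bool) -> Optional[str]:
    """Feed a whole client byte stream through the guard.

    client_reads=True models a client that drains our responses (each handled frame is
    followed by a successful flush); False models the client that refuses to read."""
    guard = ConnectionGuard()
    for frame in parse_frames(data):
        verdict = guard.on_frame(*frame)
        if verdict:
            return verdict
        if client_reads:
            guard.on_flush(1)
    return None


# Constructed sample streams (hand-built for the demo, not captured traffic).
BENIGN = (build_frame(SETTINGS, 0, 0, b"\x00\x03\x00\x00\x00\x64")                    # MAX_CONCURRENT_STREAMS=100
          + build_frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, 1, b"\x82\x84")   # HPACK :method GET, :path /
          + build_frame(PING, 0, 0, bytes(8)))
PING_FLOOD = b"".join(build_frame(PING, 0, 0, bytes(8)) for _ in range(500))
RESET_FLOOD = b"".join(build_frame(HEADERS, FLAG_END_HEADERS, 2 * i + 1, b"\x82")
                       + build_frame(WINDOW_UPDATE, 0, 2 * i + 1, bytes(4))   # increment 0 solicits RST_STREAM
                       for i in range(200))
EMPTY_FLOOD = (build_frame(HEADERS, FLAG_END_HEADERS, 1, b"\x82\x84")
               + b"".join(build_frame(DATA, 0, 1) for _ in range(100)))

if __name__ == "__main__":
    for name, stream, reads in [("benign", BENIGN, True), ("ping flood", PING_FLOOD, False),
                                ("reset flood", RESET_FLOOD, False), ("empty frames", EMPTY_FLOOD, True)]:
        print(f"{name:12s} -> {inspect_stream(stream, reads)}")
```

The point of the flush hook is that the same PING frames are harmless from a client that reads its responses and fatal from one that does not, which is why the advisory stresses the client “refuses to read the response”; the empty-frame budget, by contrast, must not be relieved by flushing, because those frames cost CPU per frame regardless of what the client reads.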

Pierluigi Paganini

(SecurityAffairs – HTTP/2, hacking)

The post Flaws in HTTP/2 implementations expose servers to DoS attacks appeared first on Security Affairs.

Chinese cyberhackers ‘blurring line between state power and crime’

Cybersecurity firm FireEye says ‘aggressive’ APT41 group working for Beijing is also hacking video games to make money

A group of state-sponsored hackers in China ran activities for personal gain at the same time as undertaking spying operations for the Chinese government, the cybersecurity firm FireEye has said.

In a report released on Thursday, the company said the hacking group APT41 was different to other China-based groups tracked by security firms in that it used non-public malware typically reserved for espionage to make money through attacks on video game companies.


Briton who helped stop 2017 WannaCry virus spared jail over malware charges

  • Marcus Hutchins pleaded guilty to two malware charges
  • 25-year-old ‘incredibly thankful’ to be sentenced to time served

The British computer expert who helped shut down the WannaCry cyber-attack on the NHS said he is “incredibly thankful” after being spared jail in the US for creating malware.

Marcus Hutchins was hailed as a hero in May 2017 when he found a “kill-switch” that slowed the effects of the WannaCry virus affecting more than 300,000 computers in 150 countries.


Kazakhstan Government Filtering Civilian Internet Browsing

North Korea, China and Iran are three countries that come readily to mind as having regimes that seriously censor the Internet. These states filter Internet traffic at the national level, blocking whatever the government deems inappropriate for its citizens to view, with the stated aim of limiting Western influence to protect their cultural heritage and well-being. Kazakhstan, a former Soviet republic, is set to join that list of nations enforcing active Internet filtering starting July 17, 2019.

But unlike North Korea and China, which use state-level firewalls to do the actual filtering, Kazakhstan is set to use a state-issued root certificate that ISPs are legally compelled to have their customers install in their web browsers as part of the subscription contract. The certificate is added to the browser’s trust store alongside the roots that ship with the operating system, which lets the Kazakh authorities issue their own certificates for any website and decrypt users’ HTTPS traffic, officially for “telemetry purposes”.

Nobody in Kazakhstan will be able to browse the Internet until they comply with the regime’s demand to install the government-issued root certificate. The first visit to any website, from any browser or device, redirects the user to a page with step-by-step instructions for installing the root certificate; which page that is depends on the ISP subscription, so Beeline customers and Kcell subscribers, for example, are sent to different instruction pages.

The Ministry of Digital Development, Innovation, and Aerospace of Kazakhstan underscored that anyone who has not installed the root certificate is to be denied Internet access across the country. The Ministry said the rule is needed to protect individuals, companies and government agencies operating in the country from cybercriminals, online scammers and hackers.

This is the first time the Kazakhstan government has successfully rolled out its long-standing plan to monitor Internet traffic for the whole nation. The previous attempt failed to gather support; the regime even faced lawsuits not only from ISPs but also from private organisations, the Kazakh banking industry and foreign companies, who argued that the plan was counterproductive and would only further weaken the country’s already weak Internet defenses.

The Kazakhstan regime even asked Mozilla in 2015 to include its root certificate in Firefox’s default root store. Mozilla promptly declined, pointing out that a CA in its program must pass a Baseline Requirements audit, which among other things checks that the CA only issues certificates for domains the subscriber actually owns or controls, something an interception root fails by design: “Completing a successful BR audit would mean that the auditor ensured the CA meets the requirements for validating that the certificate subscriber owns/controls the domain name(s) to be included in the certificate,” Mozilla said on its official bug tracker.

Major browser vendors have not yet issued official statements on how they will treat the Kazakhstan-issued root certificate. This needs to be resolved soon, since the Kazakhstan government may also refuse connections to Kazakh sites from anyone who has not installed the certificate, which would have ramifications for the whole Internet as users outside the country try to reach Kazakh websites.
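As an added example (not code from the article or any browser vendor), the following Python shows the two checks a user or administrator can run against interception of this kind: compare the issuer of the certificate a site actually presents with an issuer pinned out of band, and scan the local trust store for roots matching a watchlist. It works on the dict format that Python’s `ssl` module returns from `getpeercert()` and `get_ca_certs()`, so the offline part runs on constructed records; the pinned issuer names, the watchlist, the certificate records and the interception root’s name are all assumptions made up for the demo.

```python
"""Spotting a TLS interception root in the records Python's ssl module reports.

Added illustrative example, not code from the article or any browser vendor.
Certificate records below are constructed for the demo; the interception root's
name and the pinned issuer names are hypothetical.
"""
import socket
import ssl
from typing import Dict, Iterable, List, Optional

Name = tuple  # ssl's nested RDN tuples: ((('countryName', 'US'),), (('organizationName', 'X'),), ...)


def rdn_value(name: Name, attribute: str) -> Optional[str]:
    """Pull one attribute (e.g. 'organizationName') out of ssl's nested RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def issuer_mismatch(cert: Dict, pinned_issuers: Iterable[str]) -> Optional[str]:
    """Return the observed issuer organisation if it is not one we pinned out of band, else None.

    A government or corporate interception root can mint a leaf for any hostname that
    the OS will accept, but it cannot make that leaf chain to the issuer the site uses."""
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName") or ""
    return None if issuer_org in set(pinned_issuers) else issuer_org


def suspicious_roots(ca_certs: List[Dict], watchlist: Iterable[str]) -> List[str]:
    """Labels of trust-store roots whose subject matches an operator-supplied watchlist
    (case-insensitive substring), e.g. roots an ISP told the user to install."""
    hits = []
    for ca in ca_certs:
        subject = ca.get("subject", ())
        label = f"{rdn_value(subject, 'commonName') or ''} ({rdn_value(subject, 'organizationName') or ''})"
        if any(word.lower() in label.lower() for word in watchlist):
            hits.append(label)
    return hits


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Live check: handshake with the host and return its leaf certificate as ssl reports it.
    The default context validates against the OS trust store, so an installed interception
    root will pass validation; that is exactly why the issuer comparison is needed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def loaded_roots() -> List[Dict]:
    """Roots the default context has loaded, in the same dict shape as getpeercert()."""
    return ssl.create_default_context().get_ca_certs()


# Constructed records in getpeercert() shape; no real certificate was captured.
GENUINE_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA TLS Issuing CA 1"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}
INTERCEPTED_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "KZ"),), (("organizationName", "Example Interception Root"),)),  # hypothetical
    "subjectAltName": (("DNS", "www.example.com"),),
}
TRUST_STORE = [
    {"subject": ((("organizationName", "Example Public CA"),), (("commonName", "Example Public Root CA"),))},
    {"subject": ((("organizationName", "Example Interception Root"),), (("commonName", "Example Interception Root"),))},
]
PINNED = {"www.example.com": ["Example Public CA"]}   # recorded out of band, e.g. from outside the country

if __name__ == "__main__":
    for label, leaf in (("genuine", GENUINE_LEAF), ("intercepted", INTERCEPTED_LEAF)):
        print(label, "->", issuer_mismatch(leaf, PINNED["www.example.com"]) or "issuer matches pin")
    print("watchlisted roots:", suspicious_roots(TRUST_STORE, ["interception"]))
```

Two caveats for real use: pin the issuer from a vantage point that is not itself intercepted, and note that `get_ca_certs()` only lists roots the context has actually loaded (on some platforms roots in a `capath` directory appear only after they have been used once), so an empty scan result is not proof that no extra root is installed.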


The Guardian view on cybercrime: the law must be enforced | Editorial

Governments and police must take crime on the internet seriously. It is where we all live now

About half of all property crime in the developed world now takes place online. When so much of our lives, and almost all of our money, have been digitised, this is not surprising – but it has some surprising consequences. For one thing, the decline in reported property crimes trumpeted by successive British governments between 2005 and 2015 turns out to have been an illusion. Because banks were not required to report fraud to the police after 2005, they often didn’t. It would have made both banks and police look bad to have all that crime known and nothing done about it. The cost of the resulting ignorance was paid by the rest of government, and by the public, too, deprived of accurate and reliable knowledge. Since then, the total number of property crimes reported has risen from about 6m to 11m a year as the figures have taken computerised crime into account.

The indirect costs to society are very much higher than the hundreds of millions that individuals lose. One example is the proliferation of plagiarism software online, which developed an entire industry in poor, English-speaking countries like Kenya, serving idle or ignorant students in England and North America. The effort required by schools and universities to guard against such fraud has been considerable, and its cost entirely disproportionate to the gains made by the perpetrators.


From Internet to Internet of Things

Thirty years ago, Tim Berners-Lee set out to accomplish an ambitious idea – the World Wide Web. While most of us take this invention for granted, we have the internet to thank for the technological advances that make up today’s smart home. From smart plugs to voice assistants – these connected devices have changed the modern consumer digital lifestyle dramatically. In 2019, the Internet of Things dominates the technological realm we have grown accustomed to – which makes us wonder, where do we go from here? Below, we take a closer look at where IoT began and where it is headed.

A Connected Evolution

Our connected world started to blossom with our first form of digital communication in the late 1800s –– Morse code. From there, technological advancements like the telephone, radio, and satellites made the world a smaller place. By the time the 1970s came about, email became possible through the creation of the internet. Soon enough the internet spread like wildfire, and in the 1990s we got the invention of the World Wide Web, which revolutionized the way people lived around the world. Little did Berners-Lee know that his invention would be used decades, probably even centuries, later to enable the devices that contribute to our connected lives.

Just ten years ago, there were fewer than one billion IoT devices in use around the world. In 2019, that number is projected to skyrocket to over eight billion over the course of the year, and by 2025 there are predicted to be almost twenty-two billion IoT devices in use worldwide. Locks, doorbells, thermostats and other everyday items are becoming “smart,” while security for these devices lags significantly behind. Each device adds another access point to the smart home, comparable to leaving a back door unlocked for intruders. Without proper security in place, these devices, and by extension our smart homes, are vulnerable to cyberattacks.

Moving Forward with Security Top of Mind

If we’ve learned one thing from this technological evolution, it’s that we aren’t moving backward anytime soon. Society will continue to push the boundaries of what is possible, like taking the first picture of a black hole. But to steer these advancements in the right direction, we have to prioritize security alongside ease of use. For these reasons, it’s vital to have a security partner you can trust, one that will continue to grow to fit not only evolving needs but evolving technologies, too. At McAfee, we make IoT device security a priority. We believe that when security is built in from the start, user data is more secure. Therefore, we call on manufacturers, users, and organizations to all do their part to safeguard connected devices and protect precious data. From there, we can all enjoy these technological advancements in a secure and stress-free way.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post From Internet to Internet of Things appeared first on McAfee Blogs.