Category Archives: Technology

TikTok app removed from Google’s Play Store and Apple’s App Store

Google and Apple remove TikTok from their App Stores following court orders

TikTok, the hugely popular video app from China’s ByteDance Technology, has been removed from Google’s Play Store and Apple’s App Store in India following a local court’s decision. Users who have already installed the TikTok app on their devices can continue to use the service.

For those unaware, the Madras High Court on April 3 had directed the government to ban downloads of the video-sharing app TikTok, on the grounds that it exposed children to illicit content, including nudity, obscenity and pornography. ByteDance, the parent company of TikTok, argued for a stay of the ban, saying it was causing irreparable damage to the company, and had earlier challenged the state court’s order in India’s Supreme Court.

At its hearing on Tuesday (April 16), the Madras High Court refused to suspend the ban on future downloads of the TikTok app in India, and the Supreme Court too refused to stay the ban. Following the order, the Ministry of Electronics and Information Technology (MeitY) directed Alphabet Inc.’s Google and Apple Inc. to remove TikTok from their app stores. The court also barred media houses from telecasting videos made using the TikTok app.

“It is evident from media reports that pornography and inappropriate contents are made available in this kind of cyber applications. The children are exposed to strangers and there is a possibility of the photographs and other private details of the children landing in the hands of predators or third parties,” the bench hearing the case said.

Responding to the Madras High Court, TikTok said, “We have faith in the Indian judicial system and we are optimistic about an outcome that would allow over 120 million monthly active users in India to continue using TikTok to showcase their creativity and capture the moments that matter in their everyday lives. We are committed to continuously enhancing our existing measures and introducing additional technical and moderation processes as part of our ongoing commitment to our users in India.”

Last week, ByteDance-owned TikTok removed six million videos from its platform that violated its user agreement and community guidelines. It also introduced an age-limit feature for new users that allows only those aged 13 and above to log in and create an account.

The Supreme Court has scheduled another hearing of the case for April 22, where ByteDance can argue why the ban should be withdrawn.

The post TikTok app removed from Google’s Play Store and Apple’s App Store appeared first on TechWorm.

Nicholas Wakefield on LinkedIn: “Researchers believe hackers from the breakaway Luhansk People’s Republic (LPR) may be behind a spear phishing-based malware campaign that’s been actively targeting the Ukrainian government. The researchers, from FireEye, disclosed their assessment following their investigation into a malware-laced email that they were able to tie back to a 2018 phishing campaign designed to deliver custom cyber espionage malware called RATVERMIN, aka Vermin. But based on an analysis of malware compilation times and domain resolutions, the group behind these attacks may have been active since as far back as 2014. https://lnkd.in/gwY__R5”

linkedin.com - Researchers believe hackers from the breakaway Luhansk People’s Republic (LPR) may be behind a spear phishing-based malware campaign that’s been actively targeting the Ukrainian government. The resea…


Tweeted by @Mypark58 https://twitter.com/Mypark58/status/1118716098860294144

Source code of Iranian cyber-espionage tools leaked on Telegram – The Breaking News Headlines

thebreakingnewsheadlines.com - In an incident reminiscent of the Shadow Brokers leak that exposed the NSA’s hacking tools, someone has now published similar hacking tools belonging to one of Iran’s el…


Tweeted by @breakingnewshe1 https://twitter.com/breakingnewshe1/status/1118705244672864256

Michael Boevink 布 纷 奇 on LinkedIn: “The World Economic Forum’s (WEF) Global Risks Report 2018 names cyberattacks and cyber warfare as a top cause of disruption in the next five years, coming only after natural disasters and extreme weather events. The report states, “In a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning. Industry and critical infrastructure like power grids, gas pipelines and water purification systems could be potential targets for hackers, whether they are small groups or state actors.” #VIBE #authenticate “

linkedin.com - The World Economic Forum’s (WEF) Global Risks Report 2018 names cyberattacks and cyber warfare as a top cause of disruption in the next five years, coming only after natural disasters and extreme wea…


Tweeted by @mpmboevink https://twitter.com/mpmboevink/status/1118508168101814272

SN 710: DragonBlood

• DragonBlood: the first effective attack on the new WPA3 protocol
• Malicious use of the URL tracking "ping" attribute
• The WinRAR Nightmare
• More 3rd-party A/V troubles with Microsoft
• What good did April's patch Tuesday accomplish?
• Adobe's big patch Tuesday
• Google considering automatically blocking "high risk" downloads
• Russia's Roskomnadzor finally lowers the boom on Facebook
• The incredible Taj Mahal APT framework

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site, grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.


Cyber Sights on Critical Infrastructure

forbes.com - nightman1965 / iStock / Getty Images Plus The cyber crosshairs are firmly on critical infrastructure for anyone looking to cause either severe damage or to seize a platform. This was emphasized most …


Tweeted by @rossdonna1500 https://twitter.com/rossdonna1500/status/1118274328074891265

Former Mozilla VP blames Google For Sabotaging Firefox

Google ‘outfoxed’ Firefox alleges Former Mozilla VP

A former Mozilla executive has accused Google of repeatedly and continuously sabotaging Firefox over a period of years.

Jonathan Nightingale, a former General Manager and Vice President of the Firefox group at Mozilla, said that Google was the company’s biggest partner during his 8-year tenure at Mozilla.

“Our revenue share deal on search drove 90% of Mozilla’s income,” he tweeted.

However, in the series of tweets that followed, Nightingale described how the relationship between Google and Mozilla changed after the release of Google Chrome.

“When I started at Mozilla in 2007 there was no Google Chrome, and most folks we spoke with inside [Google] were Firefox fans,” Nightingale mentioned in a Twitter thread on April 13.

“When Chrome launched things got complicated, but not in the way you might expect. They had a competing product now, but they didn’t cut ties, break our search deal – nothing like that. In fact, the story we kept hearing was, ‘We’re on the same side. We want the same things’,” the former Mozilla exec said.

“I think our friends inside Google genuinely believed that. At the individual level, their engineers cared about most of the same things we did. Their product and design folks made many decisions very similarly, and we learned from watching each other.

“But Google as a whole is very different than individual googlers. Google Chrome ads started appearing next to Firefox search terms. Gmail & [Google] Docs started to experience selective performance issues and bugs on Firefox. Demo sites would falsely block Firefox as ‘incompatible’,” he said.

“All of this is stuff you’re allowed to do to compete, of course. But we were still a search partner, so we’d say ‘hey what gives?’ And every time, they’d say, ‘oops. That was accidental. We’ll fix it in the next push in 2 weeks.’

“Over and over. Oops. Another accident. We’ll fix it soon. We want the same things. We’re on the same team. There were dozens of oopses. Hundreds maybe?

“I’m all for ‘don’t attribute to malice what can be explained by incompetence’ but I don’t believe Google is that incompetent. I think they were running out the clock. We lost users during every oops. And we spent effort and frustration every clock tick on that instead of improving our product. We got outfoxed for a while and by the time we started calling it what it was, a lot of damage had been done,” Nightingale added.

While Nightingale later stated that Mozilla itself, more than anyone, is responsible for Firefox’s collapse, this is not the first time a Firefox team member has made allegations against Google. In July 2018, Mozilla’s Technical Program Manager Chris Peterson accused Google of deliberately making YouTube five times slower in Firefox and Edge by moving the site to a JavaScript library that Google knew those browsers did not support natively.

Source: Jonathan Nightingale (Twitter)

The post Former Mozilla VP blames Google For Sabotaging Firefox appeared first on TechWorm.

Ecuador says it has been hit with 40 million cyber attacks since Julian Assange was arrested at its embassy in London

businessinsider.com - Ecuador says it has weathered over 40 million cyber attacks since Julian Assange was arrested five days ago. Ecuador's president Lenin Moreno stripped Assange of asylum status on Thursday, allowing U…


Tweeted by @ProfoundGnosis https://twitter.com/ProfoundGnosis/status/1118203095979311104

Online Backup Reviews- Online Data Backup, Remote Offsite File Storage, Cloud Backup, Small Businesses, Enterprises, Online File Backup, Online Backups Providers Directory, SaaS, Cloud Computing, Data Storage Services, CEO Interviews. Choose the right Internet Web based Online Backups solution

backupreview.info - About F-Secure Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With u…


Tweeted by @backup_review https://twitter.com/backup_review/status/1118189122584305664

Silicon Valley-Funded Privacy Think Tanks Fight in D.C. to Unravel State-Level Consumer Privacy Protections

After years of ignoring the issue, lawmakers on Capitol Hill are suddenly engaged in a furious fight over enacting national legislation to establish basic online privacy rights for consumers. As with the crafting of much legislation dealing with complicated issues, legislators are relying on experts to help codify the consumer protections.

In a twist that is all too familiar in Washington, D.C., however, many of the groups that have positioned themselves as expert voices on consumer privacy are pushing for a bill that hews closely to tech industry interests. Lawmakers who are famously ignorant on technology issues are hearing largely from an army of industry lobbyists and experts funded by social media companies, online platforms, data brokers, advertisers, and telecommunication giants — the very same corporate interests that profit from the collection and sale of internet data.

Take the Center for Democracy and Technology, one of the most prominent privacy-centered Beltway think tanks. The group is considered to be well-respected among congressional staffers, routinely testifies before committees on privacy legislation, and is a prime mover in the national online privacy bill discussion.

Late last year, the organization circulated draft federal privacy legislation that would nullify major state-level regulations. In March, when the Senate Judiciary Committee held its first hearing of the session on how to formulate a federal consumer privacy standard, the center’s Privacy and Data Project Director Michelle Richardson testified.

The Center for Democracy and Technology is also awash in corporate money from the tech sector. Amazon, Verizon, and Google are among the corporate donors that each provide over $200,000 to the group. AT&T, Verizon, Uber, and Twitter are also major donors.

Last Wednesday, the group hosted its annual gala, known as “Tech Prom,” which brought together lobbyists and government affairs officials from leading Silicon Valley and telecom firms. Facebook, Google, Amazon, and Microsoft purchased tables at the event and served as sponsors, a privilege that came in exchange for a $35,000 donation to the center.

“Every one of these groups working on privacy that takes corporate money should return it.”

These industry-funded think tanks are pushing legislation in a direction that would have weak enforcement mechanisms, give consumers limited means for recourse, and perhaps most importantly for the industry, roll back state-level privacy standards being enacted by state legislatures.

The stakes of the online privacy fight could have ramifications the world over. American standards on data collection could shape political and business decisions across the world, said Jeff Chester, president of the Center for Digital Democracy, a privacy think tank that opposes overturning of state-level privacy laws.

“This is much bigger than Cambridge Analytica,” Chester said. Cambridge Analytica was involved in a scandal when, while working on behalf of Donald Trump’s presidential campaign, the data analytics firm illicitly scraped consumer data from Facebook in order to build advanced voter-targeting methods. The events stoked outrage over Facebook’s security around its users’ private data.

Chester said the money lavished by the tech industry on privacy think tanks was tantamount to funding lobbyists. “These groups should not take a dime of corporate money. This is basically lobbying dollars,” Chester said. “I think every one of these groups working on privacy that takes corporate money should return it.”

Meanwhile, actual tech industry lobby groups are pushing federal legislation along the same lines as that proposed by the tech-funded think tanks. One of the largest lobbying groups for Silicon Valley, NetChoice, has rallied behind Sen. Marco Rubio’s, R-Fla., privacy bill. His bill would roll back state regulation and place enforcement authority largely under the Federal Trade Commission, a notoriously toothless federal agency with no rule-making power, instead of letting consumers directly sue tech companies under the law.

NetChoice lobbies on behalf of Facebook, Google, Twitter, Airbnb, and eBay, among other tech companies. (Pierre Omidyar, founder of The Intercept’s parent company, First Look Media, is the chair of eBay.)

The sudden moves around online privacy kicked into high gear with a state-level privacy law that passed in California last year. In June 2018, state legislators passed the California Consumer Privacy Act, a surprise turn of events that enshrined the strongest consumer privacy standard in the country.

The law, set to take effect next year, gives California residents the power to view the types of data companies collect from them, request that the data be deleted, and allows residents to declare that their data not be sold to third parties. In response, similar bills are being proposed in several other states.

The lobbying push to water down and overturn the California law has been so intense that some federal legislators are raising questions about whether the urgency for a national standard is simply a vehicle for lobbyists to push pre-emption, provisions in the federal law that would supersede and roll back the state-level privacy laws.

“Are we here just because we don’t like the California law, and we just want the federal pre-emption law to shut it down?” asked Sen. Maria Cantwell, D-Wash., during one of the recent hearings on the bill.

The Center for Democracy and Technology’s proposal for a draft bill contained such a pre-emption provision. The proposed bill would overturn the California Consumer Privacy Act and the Illinois Biometric Information Privacy Act, which compels technology companies to obtain consent from customers before collecting biometric data, including fingerprints and facial recognition models. Both Google and Facebook have faced lawsuits under the Illinois law.

The Center for Democracy and Technology’s vice president for external affairs, Brian Wesolowski, defended the group’s draft proposal. “It’s a stronger bill than the California one when it comes to the privacy rights of all,” he said in an email to The Intercept, adding that the group maintains “clear lines between funding and policy positions.”

The proposed draft from the Center for Democracy and Technology, however, does not reproduce the California law’s right for consumers to opt out of data collection. The California law also provides consumers with what is called a private right of action — meaning that they can file a lawsuit if the state attorney general does not act when companies violate the law — while the Center for Democracy and Technology’s draft simply calls for companies to respond to complaints within 30 days.

Another think tank, the Center for Information Policy Leadership, which bills itself as a leading voice on privacy, has also called for a provision pre-empting state-level laws. In a memo for policymakers released last month, the group said the new federal bill should “preempt a patchwork of inconsistent state laws.” Similarly, another group, the Technology Policy Institute, has asked that a federal privacy law pre-empt state regulation and explicitly called for any new national standard to have “fewer restrictions on the use of information.”

Both groups receive funding from Amazon, Google, and Facebook — and both strongly defended their positions.

Markus Heyder, a vice president at the Center for Information Policy Leadership, told The Intercept in an email, “CIPL’s mission is not to advocate specific industry positions, but to help develop globally consistent policies and approaches to privacy regulation that maximize both the appropriate protection of consumers from privacy risks and harms and reasonable data use and innovation.”

David Fish, a spokesperson for the Technology Policy Institute, dismissed concerns about industry funding, noting that his group’s position is “not supported universally by industry.”

Just like NetChoice, the tech industry lobby group, the Center for Information Policy Leadership and the Center for Democracy and Technology have both called for a weak enforcement standard that rests largely with the Federal Trade Commission.

The push for pre-emption, however, is not shared by all privacy and consumer think tanks. Electronic Privacy Information Center, Public Citizen, and U.S. Public Interest Research Group are among several major advocacy organizations that have demanded that any federal standard not pre-empt state privacy law. “Federal privacy legislation that preempts stronger state laws would only benefit technology companies at the expense of the public,” the groups wrote in a letter to lawmakers.

Jeff Chester’s group, the Center for Digital Democracy, also signed the letter demanding a redline on pre-emption. None of the four groups that signed the letter take corporate money.

The post Silicon Valley-Funded Privacy Think Tanks Fight in D.C. to Unravel State-Level Consumer Privacy Protections appeared first on The Intercept.

Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People’s Republic

fireeye.com - In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with PowerShell script to…


Tweeted by @JohnHultquist https://twitter.com/JohnHultquist/status/1118126727929180162

Muscle Memory and Cyber Fitness Training

securityintelligence.com - Listen to this podcast on iTunes, Soundcloud or wherever you find your favorite audio content. Cyber hygiene matters. According to the Online Trust Alliance, 93 percent of breaches in 2017 could have…


Tweeted by @davidrmoulton https://twitter.com/davidrmoulton/status/1118125101847916544

ANSSI 2018 Report: Cyber-espionage more active than ever – Le Monde Informatique | Renseignements Stratégiques, Investigations & Intelligence Economique

scoop.it - Despite a year-on-year drop in the number of cybersecurity reports and incidents filed with the national information systems security agency, the cyber threat was more…


Tweeted by @Expert_IE_ https://twitter.com/Expert_IE_/status/1118115917907537920

Khaled Fattal on LinkedIn: “European council site down and defaced by Anonymous. Last week at the WSIS2019 ITU UN summit I warned leaders of nations & business of today’s Geo-Poli-Cyber warfare taking place worldwide. Tonight, it is playing in front of our own eyes. “CyberSecurity is No longer the Keyword – Survivability In A Geo-Poli-Cyber™ Threatened World is”.”

linkedin.com - European council site down and defaced by Anonymous. Last week at the WSIS2019 ITU UN summit I warned leaders of nations & business of today's Geo-Poli-Cyber warfare taking place worldwide. Tonight, …


Tweeted by @kf_MLiGrp https://twitter.com/kf_MLiGrp/status/1117953321573277696

Top 10 Best Anime Movie Sites 2019

By Zehra Ali

Are you a fan of anime movies? Look no further, here is a list of best anime movie sites. Entertainment is a major part of our lives and the Internet is the biggest source for it these days. There are several websites such as YouTube, DailyMotion, and Vimeo, etc. offering movies and TV shows but […]

This is a post from HackRead.com Read the original post: Top 10 Best Anime Movie Sites 2019

Mohamed Ouabi on LinkedIn

linkedin.com - Mohamed Ouabi, Regional Sales Manager at Splunk: Game of Thrones: A Tale of Fire(walls) and ICE (Infiltrating Cyber Espionage) splunk.com


Tweeted by @mohamed_ouabi https://twitter.com/mohamed_ouabi/status/1117875484010745857

Top VPNs found improperly securing cookies & tokens

By Uzair Amir

VPN applications from Palo Alto Networks, Cisco, Pulse Secure, and F5 do not store session cookies securely, DHS warns. The Department of Homeland Security (DHS) has issued a warning that enterprise Virtual Private Network (VPN) applications from several well-known vendors, including Cisco, Palo Alto Networks, Pulse Secure, and F5, store authentication and session cookies insecurely (in memory or in log files), so an attacker who can read them could replay them to take over a user’s VPN session. See: Top 10 […]

This is a post from HackRead.com Read the original post: Top VPNs found improperly securing cookies & tokens

Cybrary and CSFI Announce Strategic Alliance to Expand Training and Career Guidance Offerings to Cyber Warfare Professionals – Cybrary

cybrary.it - College Park, MD – April 15, 2019 – The Cybersecurity Forum Initiative (CSFI), a non-profit providing cyber warfare awareness, guidance, and security solutions through collaboration, education, volun…


Tweeted by @cybraryIT https://twitter.com/cybraryIT/status/1117789754404352003

Top The Pirate Bay Alternatives – Best Torrent Download Sites (2019)

By Waqas

Looking for The Pirate Bay alternatives? You have come to the right place. The Pirate Bay (TPB) is one of the most visited torrent download websites in the world. However, lately, there has been an increase in its server downtime. Lately, the Dark web domain for The Pirate Bay is also offline. Moreover, The Pirate Bay was […]

This is a post from HackRead.com Read the original post: Top The Pirate Bay Alternatives – Best Torrent Download Sites (2019)

Cybercriminals turn opportunistic with cryptocurrency mining; continue to exploit vulnerabilities; steal data and resources to disrupt businesses and individuals in Asia Pacific – Asia News Center

news.microsoft.com - ASIA PACIFIC & SINGAPORE, 21 March 2019 – Even as businesses capitalize on the latest security intelligence and protections to stay ahead in the evolving cybersecurity landscape, Asia Pacific continu…


Tweeted by @MicrosoftASIA https://twitter.com/MicrosoftASIA/status/1117722732383354882

How To Nail Good OPSEC II

brooklynartproject.com - Staying Under The Radar in the Age of Artificial Intelligence. Breakthrough Ideas for November 2018 (1 of 3). If not committed to sophisticated paranoia, always in learning mode …


Tweeted by @B2Spirit_TT https://twitter.com/B2Spirit_TT/status/1117276219798458369

AI Security Watch No. 52 (Veille Sécurité IA – N52)

iasecurite.wordpress.com - AI Security Watch No. 52. Artificial intelligence in security, and more … The weekly watch newsletter, week of 1 to 7 April 2019. Below is my round-up of topics on artificial intelligenc…


Tweeted by @L_Guillet https://twitter.com/L_Guillet/status/1117080229808365568

Cyber Watch No. 225 – 8 April 2019 (Veille Cyber N225)

veillecyberland.wordpress.com - CyberStrategy – CyberDefence – CyberSecurity. Cyber news from 1 to 7 April 2019 … …facts, columns and opinions, reference frameworks, audio clips, video clips … according to your areas of interest, …


Tweeted by @L_Guillet https://twitter.com/L_Guillet/status/1117080229808365568

Intelligent Machines – How Artificial Intelligence is Going To Revolutionise Cyber Security? – HackersOnlineClub

hackersonlineclub.com - In the business world, the subject of cyber crime and cyber security is a huge talking point at the moment. This is a result of the frequency at which cyber security breaches are occurring, and the f…


Tweeted by @priyanshu_itech https://twitter.com/priyanshu_itech/status/1117050733017223169

New vulnerabilities in WPA3 Protocol allow hackers to steal Wi-Fi password

Dragonblood vulnerabilities discovered in Wi-Fi WPA3 protocol

Last year, the Wi-Fi Alliance released the next-generation WPA3 (Wi-Fi Protected Access 3) with several security improvements over WPA2, following the KRACK (Key Reinstallation Attack) exploit that affected almost every Wi-Fi device. WPA3 was designed to protect against offline brute-force dictionary attacks and to provide authentication and encryption for Wi-Fi networks.

Although WPA3 uses the ‘Dragonfly’ handshake, which is designed so that an attacker cannot crack a network’s password offline, two security researchers, Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven), have discovered new vulnerabilities in WPA3-Personal that allow an attacker within range of a victim to recover the Wi-Fi password and, with it, read the encrypted network traffic.

“Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on,” the researchers explained in their paper titled Dragonblood: A Security Analysis of WPA3’s SAE Handshake.

The researchers discovered two classes of design flaws in WPA3, both of which can be exploited to recover the password used by the Wi-Fi network: downgrade attacks, and side-channel leaks that reveal information about the password being used.

The downgrade attack on WPA3 stems from a transition mode that allows a network to support WPA2 and WPA3 simultaneously, with the same password.

“Our downgrade attack enables an adversary to force a client to partly execute WPA2’s 4-way handshake, which can subsequently be used to perform a traditional brute-force attack against the partial WPA2 handshake. Additionally, we also discovered downgrade attacks against the Dragonfly handshake itself, which can be abused to force a victim into using a weaker elliptic curve than it would normally use,” the researchers added.

The second class, side-channel leaks, lets attackers launch cache-based and timing-based side-channel attacks against the Dragonfly handshake’s password-encoding method.

“Our side-channel attacks target Dragonfly’s password encoding method. The cache-based attack exploits Dragonfly’s hash-to-curve algorithm, and our timing-based attack exploits the hash-to-group algorithm. The information that is leaked in these attacks can be used to perform a password partitioning attack, which is similar to a dictionary attack.”

Like dictionary attacks, the side-channel attacks are efficient and low cost, the researchers said: brute-forcing all eight-character lowercase passwords required fewer than 40 handshakes and about US$125 worth of Amazon EC2 instances.

Further, the cache-based side-channel attack (CVE-2019-9494) requires the attacker to be able to run unprivileged code on the victim machine. From that position it lets the attacker determine which branch was taken in the first iteration of the password-generation algorithm, and that information can then be exploited to carry out a password partitioning attack (similar to an offline dictionary attack).

The timing-based side-channel attack (also tracked under CVE-2019-9494) lets an attacker perform a remote timing attack against the password-encoding algorithm and thereby determine how many iterations were needed to encode the password. The recovered information can then be abused in the same way, to perform a password partitioning attack.

The two researchers have made the following four separate tools to test for certain Dragonblood vulnerabilities discovered in WPA3 Protocol:

  • Dragonslayer: implements attacks against EAP-pwd (to be released shortly).
  • Dragondrain: this tool can be used to test to what extent an Access Point is vulnerable to denial-of-service attacks against WPA3’s SAE handshake.
  • Dragontime: this is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is used. Note that most WPA3 implementations by default do not enable these groups.
  • Dragonforce: this is an experimental tool which takes the information to recover from our timing or cache-based attacks, and performs a password partitioning attack. This is similar to a dictionary attack.

“Nearly all of our attacks are against SAE’s password encoding method, i.e., against its hash-to-group and hash-to-curve algorithm. Interestingly, a simple change to this algorithm would have prevented most of our attacks,” the researchers say.
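To make the leak and the "password partitioning" step concrete, here is an added Python example (not the researchers' code and not the Dragontime or Dragonforce tools). It implements the shape of Dragonfly's hash-to-group "hunting and pecking" loop for a MODP group over a constructed toy prime (p = 179, q = 89, rather than the 1024-bit RFC 5114 groups), with a single truncated HMAC-SHA256 in place of the real KDF; the MAC addresses and the candidate dictionary are constructed as well. It shows that the number of loop iterations depends on the password and on the (attacker-chosen) client MAC, how an attacker who learns that count for several spoofed MACs prunes a dictionary, and a fixed-round variant that removes the iteration-count signal.

```python
import hmac
import hashlib

# Toy MODP-style group, CONSTRUCTED for illustration only. Real SAE MODP groups
# (RFC 5114 groups 22-24, the ones the timing attack targets) use a 1024- or
# 2048-bit prime p with a short subgroup order q; the loop has the same shape.
P = 179          # prime, 179 = 2 * 89 + 1
Q = 89           # prime order of the subgroup the password element must lie in
P_LEN_BITS = 8   # bit length of p; the KDF output is truncated to this width
MAX_ITER = 40    # 802.11 implementations cap the hunting-and-pecking loop at 40
LABEL = b"SAE Hunting and Pecking"


def kdf(seed: bytes, label: bytes, out_bits: int) -> int:
    """Assumed stand-in for the SAE KDF-Hash-Length expansion: one HMAC-SHA256
    output truncated to len(p) bits (the real KDF is a counter-mode HMAC)."""
    digest = hmac.new(seed, label, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - out_bits)


def _round(password: bytes, addrs: bytes, counter: int) -> int:
    """One hunting-and-pecking round: returns a candidate password element,
    or 0 when the round is rejected (pwd-value not below p)."""
    pwd_seed = hmac.new(addrs, password + bytes([counter]), hashlib.sha256).digest()
    pwd_value = kdf(pwd_seed, LABEL, P_LEN_BITS)
    if pwd_value >= P:                       # rejected with probability ~ 1 - P/2^8
        return 0
    return pow(pwd_value, (P - 1) // Q, P)   # map into the order-q subgroup


def hunt_and_peck(password: bytes, mac_a: bytes, mac_b: bytes):
    """Dragonfly hash-to-group for a MODP group, with the early exit that
    leaks. Returns (password_element, iterations); the iteration count is
    what the timing side channel exposes, and it depends on the password
    and on both MAC addresses, one of which the attacker controls."""
    addrs = max(mac_a, mac_b) + min(mac_a, mac_b)
    for counter in range(1, MAX_ITER + 1):
        pe = _round(password, addrs, counter)
        if pe > 1:
            return pe, counter               # early exit: the observable signal
    raise ValueError("no password element found within MAX_ITER rounds")


def hunt_and_peck_fixed_rounds(password: bytes, mac_a: bytes, mac_b: bytes):
    """Same derivation, but always performs MAX_ITER rounds and keeps the
    first valid element, so the round count no longer depends on the
    password. (Still has data-dependent branches, so it addresses the timing
    signal only, not cache-based leaks.)"""
    addrs = max(mac_a, mac_b) + min(mac_a, mac_b)
    found = 0
    for counter in range(1, MAX_ITER + 1):
        pe = _round(password, addrs, counter)
        if found == 0 and pe > 1:
            found = pe
    if found == 0:
        raise ValueError("no password element found within MAX_ITER rounds")
    return found, MAX_ITER


def partition_dictionary(candidates, observations):
    """Password partitioning: each observed (client_mac, ap_mac, iterations)
    measurement keeps only the candidates that reproduce that count. Every
    additional spoofed client MAC yields an independent measurement."""
    survivors = list(candidates)
    for mac_a, mac_b, observed in observations:
        survivors = [pw for pw in survivors
                     if hunt_and_peck(pw, mac_a, mac_b)[1] == observed]
    return survivors


def simulate_attack(victim_password, dictionary, ap_mac, spoofed_client_macs):
    """Attacker's view (constructed simulation): for each spoofed client MAC
    the AP encodes the password and the timing leak reveals the round count;
    the dictionary is then pruned to the candidates consistent with them."""
    observations = [(mac, ap_mac, hunt_and_peck(victim_password, mac, ap_mac)[1])
                    for mac in spoofed_client_macs]
    return partition_dictionary(dictionary, observations)


if __name__ == "__main__":
    ap = bytes.fromhex("02aabbccddee")                        # constructed AP MAC
    clients = [bytes([0x02, 0, 0, 0, 0, i]) for i in range(1, 13)]  # 12 spoofed MACs
    words = [w.encode() for w in ("letmein", "dragonfly", "password1", "sunshine",
                                  "wifi2019", "trustno1", "qwerty12", "hunter2")]
    left = simulate_attack(b"sunshine", words, ap, clients)
    print("candidates left after partitioning:", [w.decode() for w in left])
```

With the toy parameters roughly 30% of rounds are rejected, so round counts vary between passwords and each spoofed MAC splits the dictionary further; with a real group the rejection probability is smaller, which is why the researchers needed tens of handshakes rather than a handful. The fixed-round variant is the kind of "simple change" the quote refers to: it makes the count constant, but only a fully constant-time (branch- and memory-access-free) encoding closes the cache channel as well.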

The duo reported their findings to the Wi-Fi Alliance, the non-profit organization that defines the WPA certification programs, which acknowledged the flaws and said that all of them can be addressed with software updates. It is working with vendors to patch existing WPA3-certified devices.

“The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can refer to their device vendors’ websites for more information,” the Wi-Fi Alliance says in its press release.

You can read more information about Dragonblood vulnerabilities here.

The post New vulnerabilities in WPA3 Protocol allow hackers to steal Wi-Fi password appeared first on TechWorm.

KARIMA MOUDOUB on LinkedIn: “Digital transformation, strategy, artificial intelligence, cyber security, philosophy, politics, education and ethics were all topics addressed at the 2nd Skema Strategy Summit. For my part, on reflection two days later, what I take away is: – digital transformation only makes sense and is only effective if the strategy that precedes it and the collective intelligence that accompanies it are properly communicated and shared upstream and downstream – artificial intelligence is misnamed! The term dates from 1956! Would AI interest everyone? Yet the technologies that characterise it are innovative and, for some, the particular technological speciality of the GAFAM and of thousands of start-ups in the making, with techniques that are hard to popularise. One watchword: use cases illustrating the applications rather than sorcery and the idea of brains being replaced by robots – how can we think of zero-defect cyber security? With a zero-trust approach, insofar as the most devastating breaches are often the result of accidental or malicious action by humans within companies, or of the incompetence or policies of states. Tahar MANGA Didier Bonnet Alice GUILHON ALAIN BAUER Fabienne Billat Eneric Lopez #strategy #cloud”

linkedin.com - Digital transformation, strategy, artificial intelligence, cyber security, philosophy, politics, education and ethics were all topics addressed at the 2nd Skema Strategy Summit. For my part …


Tweeted by @kmoudok https://twitter.com/kmoudok/status/1116956370698428416

Palmetto Cyber Defense Competition

pcdc-sc.com - PCDC is an event for the promotion of Cyber Security education and awareness. Competition energizes local high schools and colleges to develop invigorating and focused curriculum for the technical ne…


Tweeted by @ECStechHQ https://twitter.com/ECStechHQ/status/1116794697853227009

Counter Intelligence – Jimmy’s

redbullradio.com - Whether they hail from Japan or Peru or right around the corner, dedicated record diggers have long known just where to head when they’re in Nairobi: Stall 570 …Read more


Tweeted by @redbull_radio https://twitter.com/redbull_radio/status/1116713842673717253

The CyberWire Daily Podcast for 4.9.19

thecyberwire.com - In today’s podcast, we hear about GossipGirl, potentially a “supra threat actor” Chronicle sees linking Stuxnet, Flame, and Duqu. LockerGoga’s destructive functionality may be a feature, not a bug. V…


Tweeted by @radware_italia https://twitter.com/radware_italia/status/1116241233079406592

Imagining a Cyber Surprise: How Might China Use Stolen OPM Records to Target Trust? – War on the Rocks

warontherocks.com - Editor’s Note: This is the fourth installment in “Off Guard,” a series on surprise in war inspired by a new CSIS study. Read the rest of the series here. “What is the quickest way you can destroy an …


Tweeted by @MilWritersGuild https://twitter.com/MilWritersGuild/status/1116108099620888576

Kelli Aker on LinkedIn: “Technically sophisticated and rare, this malware steals data and uses new techniques including stealing documents sent to print, stealing files burned to a CD and much more – and it isn’t linked to any known threat actor. #malware #cybersecurity #cybercrime https://zd.net/2G6yg7P”

linkedin.com - Technically sophisticated and rare, this malware steals data and uses new techniques including stealing documents sent to print, stealing files burned to a CD and much more - and it isn't linked to a…


Tweeted by @kelliaker1 https://twitter.com/kelliaker1/status/1116051914171482112

Sens. Gardner, Warner introduce bill to encourage states to bolster cybersecurity – Homeland Preparedness News

homelandprepnews.com - U.S. Sens. Cory Gardner (R-CO) and Mark Warner (D-VA) introduced legislation this week to encourage state, local, and tribal governments to strengthen their defenses against cybersecurity threats. Th…


Tweeted by @CybersecurityC6 https://twitter.com/CybersecurityC6/status/1115991083337551872

Proofpoint Security Awareness Training

proofpoint.com - Engage your end users and arm them against real-world cyber attacks, using personalized training based on our industry-leading threat intelligence. Instead of wasting time with one-size-fits-all cont…


Tweeted by @KFSullyTweets https://twitter.com/KFSullyTweets/status/1115968895901421571

Marco Bicudo on LinkedIn

linkedin.com - Marco Bicudo, Consultant Sr. CyberSecurity - Embratel / Claro Brasil: TajMahal cyber-espionage campaign uses previously unseen malicious tools | ZDNet zdnet.com


Tweeted by @MarcoABicudo https://twitter.com/MarcoABicudo/status/1115920826287706112

Cyber Security – Drishti IAS

drishtiias.com - According to EY’s latest Global Information Security Survey (GISS) 2018-19 – India edition, one of the highest number of cyber threats have been detected in India, and the country ranks second in ter…


Tweeted by @drishtiiaseng https://twitter.com/drishtiiaseng/status/1115877792208556032

Cyber Threat Intelligence

secureworks.com - Knowledge is power - not just in business, but also in the world of cybersecurity, where the ability to see and know more about the activities of threat actors empowers security professionals to do m…


Tweeted by @LeonardoCarmo86 https://twitter.com/LeonardoCarmo86/status/1115845697260130307

SN 709: URL “Ping” Tracking

This Week's Stories

  • Yet another capitulation in the (virtually lost) battle against tracking our behavior on the Internet with URL "ping" tracking.
  • UK government's plan to legislate, police and enforce online social media content
  • Microsoft's Chromium-based Edge browser's security
  • Improvements to Windows 10's update management
  • News from the "spoofing biometrics" department
  • The worrisome state of Android mobile financial apps
  • NSA's GHIDRA software reverse engineering tool suite
  • Perhaps the dumbest thing Facebook has done yet (and by policy, not by mistake)
  • An important change in Win10 1809 external storage caching policy

Hosts: Jason Howell and Steve Gibson

Download or subscribe to this show at https://twit.tv/shows/security-now.

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.


Feds Warn Of New Sextortion Email Scam

newyork.cbslocal.com - NEW YORK (CBSNewYork) — Warnings are being issued about a sextortion scam that is targeting people over email and blackmailing them for thousands of dollars. CBS2’s Jessica Layton recently spoke to one of thos…


Tweeted by @BoDietl https://twitter.com/BoDietl/status/1115604532866600965

Cameras Linked to Chinese Government Stir Alarm in U.K. Parliament

It is a Chinese state-owned company that is implicated in disturbing human rights violations. But that has not stopped Hikvision from gaining a major foothold in the United Kingdom. Through a network of corporate partners, the Hangzhou-based security firm has supplied its surveillance cameras for use on the British parliamentary estate, as well as to police, hospitals, schools, and universities throughout the country, according to sources and procurement records.

Hikvision, whose technology the U.S. government recently banned federal agencies from purchasing, is generating millions of dollars in annual revenue selling its technology to British companies and organizations. At the same time, it has been helping to establish an oppressive surveillance state in the Xinjiang region of China, where the Uighur ethnic minorities have been held in secret internment camps.

British politicians are raising concerns about the technology — and are calling for an embargo on further purchases of it — on the grounds that Hikvision is complicit in human rights abuses and also represents a national security risk, as it is feared that Chinese intelligence agencies could potentially tap into camera feeds in sensitive locations. Some of the company’s cameras record audio and are connected to the internet, meaning that they can be monitored from anywhere in the world.

In January, the cameras were scheduled to be installed inside London’s Portcullis House, according to Adm. Lord Alan West, a member of the U.K. Parliament’s second chamber, the House of Lords. Portcullis House is an office building in Westminster used by more than 200 members of Parliament and 400 of their staff to carry out their daily work, which routinely involves discussion of confidential national security, economic, and foreign policy issues.

West told The Intercept that someone who was “concerned that this was happening” tipped him off about a contract that would equip the building with Hikvision surveillance equipment. He said he subsequently complained about the matter to authorities within the parliamentary estate.

“It seems to me to be extremely worrying — it’s rather like being able to get a Mata Hari into each office,” he said, referring to the Dutch exotic dancer who was accused of spying for Germany during World War I. “Are we sure we are happy with Chinese CCTV in members of Parliament’s offices, listening to what they say to their constituents, listening to what ministers say, filming the documents on their desks?”

A Parliament spokesperson denied the existence of a contract involving Hikvision and said that there was no plan to “install any additional cameras at Portcullis House this year.”

A source familiar with security on parts of the parliamentary estate, which, in addition to Portcullis House, consists of the Palace of Westminster, the Norman Shaw buildings, and Big Ben, told The Intercept that Hikvision’s equipment had “absolutely” been used there in the past. The source said they could not confirm whether any Hikvision cameras were currently active, as there are hundreds of cameras fitted both in and around all parliamentary and government buildings in the area.


It has previously been estimated that, throughout the U.K., there are more than 1.2 million Hikvision cameras. Procurement records and government contracts reviewed by The Intercept show that the company — which was 40% owned by China’s authoritarian Communist Party regime, as of June 2018 — has supplied its surveillance systems to a wide range of organizations and companies across the country.

The cameras have been installed widely in London, in boroughs including Hackney, Kensington, Chelsea, and Hammersmith and Fulham. They have been purchased by local government authorities in Guildford, South Kesteven, Thurrock, Stockton, North Tyneside, Aberdeenshire, Falkirk, West Suffolk, and Kent.

In Wales last year, police began placing the Chinese cameras in 17 towns. In Northern Ireland, Hikvision’s surveillance equipment has been installed inside more than 300 buses. The cameras have been fitted inside hospitals in Hampshire, Lancashire, Kent, Northampton, Cornwall, Cumbria, and Yorkshire. They have been set up at schools in Surrey, Devon, Birmingham, and at a university in Plymouth. The cameras have also been deployed commercially: in the Southgate shopping center in Bath, the Gallions Reach shopping park in London, and at Tesco supermarkets and Burger King fast food restaurants.

Hikvision’s marketing materials say that its cameras can be used with facial recognition software and linked to a centralized database of photographs. The technology can distinguish between known faces and strangers, and trigger alerts when an unknown person enters a building or office, the company claims. It says its corporate mission is to “work together to enhance safety and advance sustainable development around the world.”

In China, Hikvision has been helping the government implement a nationwide surveillance network named Skynet. In recent years, the effort has aggressively focused on the Xinjiang region, where the Communist Party is implementing a crackdown on ethnic Uighurs, a Muslim minority, under the pretext of countering terrorism.

In Xinjiang, an estimated 1 million Uighurs — including children, pregnant women, the elderly, and disabled people — have been held in internment camps. Within these secretive facilities, Uighurs are forced to undergo a “re-education” process that includes mandatory recitals of Communist Party political songs and speeches. Those who resist are said to face punishments, such as beatings and solitary confinement.

According to Human Rights Watch, Chinese authorities are “committing human rights abuses in Xinjiang on a scale unseen in the country in decades.” The group said in a 2018 report that one of the most disturbing aspects of the repression of Uighurs in Xinjiang involves mass surveillance systems.

“Xinjiang authorities conduct compulsory mass collection of biometric data, such as voice samples and DNA, and use artificial intelligence and big data to identify, profile, and track everyone in Xinjiang,” the report said. “The authorities have envisioned these systems as a series of ‘filters,’ picking out people with certain behavior or characteristics that they believe indicate a threat to the Communist Party’s rule.”

Since at least 2010, Hikvision has been helping to establish a massive network of cameras in Xinjiang that police are using to spy on ethnic minorities. In 2013, Hikvision’s public security manager, Qian Hao, boasted that the company’s technology had enabled security forces to track and profile people. “We can help preserve stability by seeing which family someone comes from, then persuading their relatives to stop them from harmful behavior, like with Falun Gong,” a banned spiritual group, Qian said.


As China has ramped up its crackdown in Xinjiang, Hikvision has reaped the financial rewards.

The company is reported to have a stake in more than $1 billion in business in the region, including five contracts in 2017 alone that were worth about $277 million. Among those contracts were deals to provide surveillance systems to state agencies for use in the internment camps, as well as on Xinjiang’s streets and inside its mosques, schools, and offices.

Hikvision declined to comment for this story. The company has in the past tried to downplay its connection to the Chinese regime, portraying itself as an independent corporation. However, the company’s own financial records disclose that its controlling shareholder is a Chinese government-owned entity called the China Electronics Technology HIK Group.

In September 2018, Chinese government official Weng Jieming declared that Communist Party leadership “is integrated into the corporate governance structure” at Hikvision, according to a government press release translated by IPVM, a video surveillance trade publication. Weng praised the company, saying that it had “resolutely implemented the spirit of the important instructions” from the country’s president, Xi Jinping.

In the U.K., Hikvision does not supply its cameras directly to its customers; instead, it sells the equipment through a network of wholesalers and subcontractors. The company’s latest U.K. accounts, from 2017, show a gross annual profit of $2.62 million and a turnover of $6.55 million. Its total global sales revenue for the same year totaled $6.65 billion, according to its promotional materials.

Hikvision has three offices across the U.K. and last year announced a plan to launch a new research and development hub within its British headquarters, near London’s Heathrow airport. The research and development division is headed by Pu Shiliang, who is based in China, where he has also reportedly worked for the government’s Ministry of Public Security, a feared agency known for targeting activists and political opponents.

The U.K. is an attractive prospect for any company working in the security industry. It is one of the most surveilled countries in the world, with up to an estimated 6 million cameras, one for every 11 people, throughout its towns and cities. Hikvision has managed to tap into the lucrative British market by undercutting its European competitors by a substantial margin. According to government procurement documents, a basic Hikvision surveillance system could be purchased for £1,000 ($1,310). In contrast, the cost was £3,000 ($3,930) for a system of similar specification made by Germany’s Bosch.

The British government has expressed concerns about the Chinese government’s involvement in the country’s critical infrastructure. In December, defense secretary Gavin Williamson said he would be looking “very closely” at the role of Chinese firm Huawei in upgrading the U.K.’s mobile networks from 4G to 5G. “We’ve got to recognize the fact … that the Chinese state does sometimes act in a malign way,” he said. However, Hikvision’s growing presence in the U.K. has not attracted the same level of scrutiny.

In the U.S., Hikvision has not had such an easy ride. In August of last year, an amendment was added to the National Defense Authorization Act that banned the U.S. military and government from purchasing Hikvision technology. Rep. Vicky Hartzler, R-Mo., who authored the amendment, stated that the Chinese government was trying to “target the United States” by expanding the role of Chinese companies in the U.S. domestic communications and public safety sectors. “Video surveillance and security equipment sold by Chinese companies exposes the U.S. government to significant vulnerabilities,” she said, “and my amendment will ensure that China cannot create a video surveillance network within federal agencies.” The ban was eventually signed into U.S. law.

Karen Lee, a member of Parliament for the U.K.’s Labour Party, told The Intercept that she was urging the British government to consider boycotting Hikvision products, especially for use in publicly owned buildings. “At a time when digital interference in foreign political processes is increasingly being used to destabilize other countries, we must be vigilant of any risk that Hikvision or any company may pose to U.K. national security,” Lee said.

More evidence is needed to prove that Hikvision is implicated in Chinese government espionage, Lee added. “Regardless, it is unacceptable that a company which has been instrumental in human rights abuses is providing equipment to publicly owned U.K. agencies,” she said. “Divestment has a proud history at the center of civil rights campaigns, from apartheid South Africa to the American civil rights movement. The U.K. must send a clear message that we will do no business with any company that facilitates mass human rights abuse and ethnic repression.”

The post Cameras Linked to Chinese Government Stir Alarm in U.K. Parliament appeared first on The Intercept.

Tara O’Carroll on LinkedIn: “Data privacy… new technologies… cyber warfare… geopolitical relations… who can we trust? I’m excited to watch Stephanie Hare tonight to understand more 😁”

linkedin.com - Data privacy... new technologies... cyber warfare... geopolitical relations... who can we trust? I'm excited to watch Stephanie Hare tonight to understand more 😁 Tonight on @BBC News Panorama: "Can …


Tweeted by @TaraOCarroll https://twitter.com/TaraOCarroll/status/1115512058710319104

NTT Security warns of increased IoT risks

enterprisetimes.co.uk - NTT Security has warned that IoT devices continue to increase security risks for both business and consumers. The warning comes in its latest Global Threat Intelligence Center (GTIC) report. It also …


Tweeted by @NTTSecurity_US https://twitter.com/NTTSecurity_US/status/1115436230605451268

Wake up to AI Cyber Defence

news.gotchamobi.com - From self-adjusting thermostats and email spam filters, to Netflix’s recommendation algorithms and Alexa virtual assistants, AI (artificial intelligence) is fast emerging out of its infancy, and the …


Tweeted by @gotchamobi https://twitter.com/gotchamobi/status/1115330985640513536

What is cyber warfare?

itpro.co.uk - Cyber warfare refers to the use of technology to launch attacks on nations, governments and citizens, causing comparable harm to actual warfare using weaponry. To date, there have not been any obviou…


Tweeted by @securacloud https://twitter.com/securacloud/status/1115210435341553664

cyber crisis

professionalsecurity.co.uk - Last year was a year of digital acceleration, as new technologies such as 5G, artificial intelligence and next-gen cloud moved into the realm of reality and started to radically transform how busines…