The Hacker News — Cyber Security, Hacking, Technology News

Google has finally been rolling out its new massively redesigned Gmail for desktop and mobile to 1.4 billion of users worldwide, which might be the most significant single upgrade in Gmail's history.

This huge revamped version of the email service now offers plenty of new features such as confidential mode, offline support, email snoozing and more, to make Gmail more smarter, secure, and easier to use.

In this article, I have listed details of the most significant changes that you need to know and how to use them. Give it a quick read.

New 'Confidential Mode' Features For Security & Privacy

Are you afraid of sending sensitive documents in an email due to fear of hacking or being forwarded?

Well, now you can simply click the lock icon at the bottom of an email to enable the new Confidential Mode, which lets you add a bunch of extra layers of security (as mentioned below) to the emails of your choice.

1) Disappearing messages: This feature lets you send emails that disappear from the recipient's inbox after a period (between 1 day and five years) you specify or which you can revoke at any time even after you have sent them.

2) Un-forwardable messages: Confidential emails open in a special window that does not allow the recipient to forward, copy or print the email, though recipients can still grab a screenshot, or snap a photo from their phone.

3) Two-factor Authentication (2FA): If you're paranoid, you can even enable 2FA for a single email, requiring recipients to enter a secret passcode send to them via SMS before opening it.

All the above Confidential Mode features work even with emails sent to non-Gmail users, requiring them to click on a link before opening confidential emails.

New Features That Wouldn't Let You Skip Important Emails

1) Email Snoozing: Google now gives you the ability to snooze emails and become more organized when answering emails.

So, if you notice any emails that require a lengthy response cannot be responded immediately, you can snooze the messages for later. Once snoozed, that email will hide from the inbox and show up again at the time you chose.

This feature is already offered by Google's Inbox app, the mobile version of Microsoft Outlook, but now Google has brought it to Gmail to help you boost productivity.

2) Nudges: While snooze emails are set by you manually, nudges are those reminded to you by Google.

To help your task easier of going through massive amounts of emails to find important emails, Gmail uses artificial intelligence (AI) to remind you of those emails that sit in your inbox unattended and its AI thinks they are important.

Gmail will show up these nudged emails at the top of your inbox with an indicator of how long it’s been sitting there.

3) Smart Replies: Not just Gmail intelligently reminds of important emails to you, it also makes suggestions for tasks that you need to do, like replying to a certain email using "Smart Replies."

With Smart Replies, Google offers you intelligent touch-button responses to the web version of Gmail, a feature that was first introduced in 2015 for the mobile version of Gmail. You can turn this off if you want.

New Features That Supercharge Your Productivity

Besides security and AI, Google is adding a bunch of new management features.

1) Native offline mode: Until now, using Gmail without Internet requires a third-party Chrome plugin to be installed, but now with the built-in offline mode, you can write responses to your emails while on a flight, and then sync your inbox and send them once you land—thanks to Progressive Web Apps (PWA).

2) High-priority notifications: This feature will send you notifications for an incoming email if Gmail thinks it is important to you—based on factors like how typically you respond to email from the sender in question. These features were made available to Inbox users last year.

3) Gmail Tasks: Existed as a to-do list application within Gmail for years, Gmail Tasks is available as part of Gmail and as a standalone app for iOS and Android. The feature has also been given a major upgrade to manage work on the go—from your messages to your calendar.

The biggest new change in Gmail is the sidebar to the right, which gives you quick access to a new version of Google Tasks, pop-up versions of Google Calendar, Keep note-taking app, and 3rd-party services that use Gmail's add-on technology, like Asana, Dialpad, and DocuSign.

4) Inbox enhancers: You can now directly take actions on an email without opening it as you can directly open attachments in an email without having to click into the email itself. You can also RSVP to calendar invitations and even snooze messages without opening them.

5) One-tap unsubscribe prompt: Although Gmail already has a feature that lets users unsubscribe from ads and other bulk email lists you don't respond to, now Gmail proactively ask you to unsubscribe specific lists when it notices you don’t tend to click or you always insta-delete.

6) Anti-Phishing Enhancements: Though Google is already offering anti-phishing functionalities to warn its Gmail users of phishing attempts, the company has now increased the size of the banners (a gigantic, billboard-like message) it puts on top of dodgy emails to warn users they should not click the links within.

Also, if you get an email that is supposedly from one of your contacts, but originates from an unfamiliar email address, Gmail will tell you that something may be wrong.

Here's How to Get New Gmail Right Now

Getting the all new Gmail depends on the type of Google account you have.

If you are a regular Gmail user, you can enable the new Gmail by clicking on the Settings icon in the top-right corner, then select “Try the new Gmail option,” if available.

If you are using the G Suite account for work or school, you can enable the new Gmail through the Early Adopter Program.

The administrator can use the Google Admin console and opt-in to the new Gmail.

However, it should be noted that all the features as mentioned above will not be immediately available at this moment.

Features available at the launch include smart replies, snooze emails and a new tool panel on the right side of Gmail's interface for quickly accessing Tasks and Calendar.

Two separate teams of security researchers have published working proof-of-concept exploits for an unpatchable vulnerability in Nvidia's Tegra line of embedded processors that comes on all currently available Nintendo Switch consoles.

Dubbed Fusée Gelée and ShofEL2, the exploits lead to a coldboot execution hack that can be leveraged by device owners to install Linux, run unofficial games, custom firmware, and other unsigned code on Nintendo Switch consoles, which is typically not possible.

Both exploits take advantage of a buffer overflow vulnerability in the USB software stack of read-only boot instruction ROM (IROM/bootROM), allowing unauthenticated arbitrary code execution on the game console before any lock-out operations (that protect the chip's bootROM) take effect.

The buffer overflow vulnerability occurs when a device owner sends an "excessive length" argument to an incorrectly coded USB control procedure, which overflows a crucial direct memory access (DMA) buffer in the bootROM, eventually allowing data to be copied into the protected application stack and giving attackers the ability to execute code of their choice.
In other words, a user can overload a Direct Memory Access (DMA) buffer within the bootROM and then execute it to gain high-level access on the device before the security part of the boot process comes into play.

"This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) application processors at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3)," hardware hacker Katherine Temkin of ReSwitched, who released Fusée Gelée, said.

However, the exploitation requires users to have physical access to the hardware console to force the Switch into USB recovery mode (RCM), which can simply be done by pressing and shorting out certain pins on the right Joy-Con connector, without actually opening the system.

By the way, fail0verflow said a simple piece of wire from the hardware store could be used to bridge Pin 10 and Pin 7 on the console's right Joy-Con connector, while Temkin suggested that simply exposing and bending the pins in question would also work.

Once done, you can connect the Switch to your computer using a cable (USB A → USB C) and then run any of the available exploits.

Fusée Gelée, released by Temkin, allows device owners only to display device data on the screen, while she promised to release more scripts and full technical details about exploiting Fusée Gelée on June 15, 2018, unless someone else made them public.

She is also working on customized Nintendo Switch firmware called Atmosphère, which can be installed via Fusée Gelée.
On the other hand, ShofEL2 exploit released by famous fail0verflow team allows users to install Linux on Nintendo Switches.

"We already caused temporary damage to one LCD panel with bad power sequencing code. Seriously, do not complain if something goes wrong," fail0verflow team warns.

Meanwhile, another team of hardware hackers Team Xecutor is also preparing to sell an easy-to-use consumer version of the exploit, which the team claims, will "work on any Nintendo Switch console regardless of the currently installed firmware, and will be completely future proof."

Nintendo Can't Fix the Vulnerability Using Firmware Update

The vulnerability is not just limited to the Nintendo Switch and affects Nvidia's entire line of Tegra X1 processors, according to Temkin.

"Fusée Gelée was responsibly disclosed to NVIDIA earlier, and forwarded to several vendors (including Nintendo) as a courtesy," Temkin says.

Since the bootROM component comes integrated into Tegra devices to control the device boot-up routine and all happens in Read-Only memory, the vulnerability cannot be patched by Nintendo with a simple software or firmware update.

"Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever," fail0verflow says. "Nintendo can only patch Boot ROM bugs during the manufacturing process."

So, it is possible for the company to address this issue in the future using some hardware modifications, but do not expect any fix for the Switches that you already own.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Dr. Mordechai Guri, the head of R&D team at Israel's Ben Gurion University, who previously demonstrated various methods to steal data from an air-gapped computer, has now published new research named "BeatCoin."

BeatCoin is not a new hacking technique; instead, it's an experiment wherein the researcher demonstrates how all previously discovered out-of-band communication methods can be used to steal private keys for a cryptocurrency wallet installed on cold storage, preferably an air-gapped computer or Raspberry Pi.

For those unaware, keeping your cryptocurrency protected in a wallet on a device which is entirely offline is called cold storage. Since online digital wallets carry different security risks, some people prefer keeping their private keys offline.

Air-gapped computers are those that are isolated from the Internet, local networks, Bluetooth and therefore, are believed to be the most secure devices and are difficult to infiltrate or exfiltrate.

If you are new to this topic, we recommend reading our previous articles, detailing how highly-motivated attackers can use specially designed malware to exfiltrate data from an air-gapped computer via light, sound, heat, electromagnetic, magnetic, infrared, and ultrasonic waves.
For BeatCoin experiment, Dr. Guri deployed malware on an air-gapped computer that runs a Bitcoin wallet application and then performed each attack vector one-by-one to transmit the wallet keys to a nearby device over covert channels.

"In the adversarial attack model, the attacker infiltrates the offline wallet, infecting it with malicious code," the paper [PDF] reads. "The malware can be pre-installed or pushed in during the initial installation of the wallet, or it can infect the system when removable media (e.g., USB flash drive) is inserted into the wallet’s computer in order to sign a transaction. These attack vectors have repeatedly been proven feasible in the last decade."

Results shown in the above chart suggests AirHopper, MOSQUITO, and Ultrasonic techniques are the fastest way to transmit a 256-bit private key to a remote receiver, whereas, Diskfiltration and Fansmitter methods take minutes.

Guri has also shared two videos. The first one demonstrates exfiltration of private keys from an air-gapped computer, which hardly took a few seconds to transmit data to a nearby smartphone using ultrasonic waves.
In the second video, the researcher transmitted private keys stored on a Raspberry Pi device to the nearby smartphone using the RadIoT attack—a technique to exfiltrate data from air-gapped internet-of-things (IoT) and embedded devices via radio signals.

"The radio signals - generated from various buses and general-purpose input/output (GPIO) pins of the embedded devices - can be modulated with binary data. In this case, the transmissions can be received by an AM or FM receiver located nearby the device."

In the last research published earlier this month, Guri’s team also demonstrated how hackers could use power fluctuations in the current flow "propagated through the power lines" to covertly exfiltrate highly sensitive data out of an air gapped-computer.

Security researchers have uncovered a new hacking group that is aggressively targeting healthcare organizations and related sectors across the globe to conduct corporate espionage.

Dubbed "Orangeworm," the hacking group has been found installing a wormable trojan on machines hosting software used for controlling high-tech imaging devices, such as X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms.

According to a new report published by Symantec on Monday, the Orangeworm hacking group has been active since early 2015 and targeting systems of major international corporations based in the United States, Europe, and Asia with a primary focus on the healthcare sector.

"We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare," Symantec said.

After getting into the victim's network, attackers install a trojan, dubbed Kwampirs, which opens a backdoor on the compromised computers, allowing attackers to remotely access equipment and steal sensitive data.

While decrypting, the Kwampirs malware inserts a randomly generated string into its main DLL payload in an attempt to evade hash-based detection. The malware also starts a service on the compromised systems to persist and restart after the system reboots.

Kwampirs then collects some basic information about the compromised computers and send it to the attackers to a remote command-and-control server, using which the group determines whether the hacked system is used by a researcher or a high-value target.
If the victim is of interest, the malware then "aggressively" spread itself across open network shares to infect other computers within the same organisation.

To gather additional information about the victim's network and compromised systems, the malware uses system's built-in commands, instead of using third-party reconnaissance and enumeration tools.

Above shown list of commands help attackers to steal information including, "any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer."

Besides health-care providers and pharmaceutical companies that account for nearly 40% of targets, Orangeworm has also launched attacks against other industries including information technology and manufacturing sectors, agriculture, and logistics.

However, these industries also somehow work for healthcare, like manufacturers that make medical devices, technology companies that offer services to clinics, and logistics firms that deliver healthcare products.
Although the exact motive of Orangeworm is not clear and there's no information that could help determine the group's origins, Symantec believes the group is likely conducting espionage for commercial purposes and there's no evidence that it's backed by a nation-state.

"Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking," Symantec said. "Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack."

The highest percentage of victims has been detected in the United States, followed by Saudi Arabia, India, Philippines, Hungary, United Kingdom, Turkey, Germany, Poland, Hong Kong, Sweden, Canada, France, and several other countries across the globe.

Not just Facebook, a new vulnerability discovered in Linkedin's popular AutoFill functionality found leaking its users' sensitive information to third party websites without the user even knowing about it.

LinkedIn provides an AutoFill plugin for a long time that other websites can use to let LinkedIn users quickly fill in profile data, including their full name, phone number, email address, ZIP code, company and job title, with a single click.

In general, the AutoFill button only works on specifically "whitelisted websites," but 18-year-old security researcher Jack Cable of Lightning Security said it is not just the case.

Cable discovered that the feature was plagued with a simple yet important security vulnerability that potentially enabled any website (scrapers) secretly harvest user profile data and the user would not even realize of the event.

A legitimate website would likely place a AutoFill button near the fields the button can fill, but according to Cable, an attacker could secretly use the AutoFill feature on his website by changing its properties to spread the button across the entire web page and then make it invisible.

Since the AutoFill button is invisible, users clicking anywhere on the website would trigger AutoFill, eventually sending all of their public as well as private data requested to the malicious website, Cable explains.

Here's How attackers can exploit the LinkedIn Flaw:

• User visits the malicious website, which loads the LinkedIn AutoFill button iframe.
• The iframe is styled in a way that it takes up the entire page and is invisible to the user.
• The user then clicks anywhere on that page, and LinkedIn interprets this as the AutoFill button being pressed and sends the users' data via postMessage to the malicious site.

Cable discovered the vulnerability on April 9th and immediately disclosed it to LinkedIn. The company issued a temporary fix the next day without informing the public of the issue.

The fix only restricted the use of LinkedIn's AutoFill feature to whitelisted websites only who pay LinkedIn to host their advertisements, but Cable argued that the patch was incomplete and still left the feature open to abuse as whitelisted sites still could have collected user data.

Besides this, if any of the sites whitelisted by LinkedIn gets compromised, the AutoFill feature could be abused to send the collected data to malicious third-parties.

To demonstrate the issue, Cable also built a proof-of-concept test page, which shows how a website can grab your first and last name, email address, employer, and location.

Since a complete fix for the vulnerability was rolled out by LinkedIn on April 19, the above demo page might not work for you now.

"We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases, and it will be in place shortly," the company said in a statement. 

"While we've seen no signs of abuse, we're constantly working to ensure our members' data stays protected. We appreciate the researcher responsible reporting this, and our security team will continue to stay in touch with them."

Although the vulnerability is not at all a sophisticated or critical one, given the recent Cambridge Analytica scandal wherein data of over 87 million Facebook users was exposed, such security loopholes can pose a serious threat not only to the customers but also the company itself.