The Hacker News — Cyber Security, Hacking, Technology News

OSquery, an open-source framework created by Facebook that allows organizations to look for potential malware or malicious activity on their networks, was available for Mac OS X and Linux environments until today.

But now the social network has announced that the company has developed a Windows version of its osquery tool, too.

When Facebook engineers want to monitor thousands of Apple Mac laptops across their organization, they use their own untraditional security tool called OSquery.

OSquery is a smart piece of cross-platform software that scans every single computer on an infrastructure and catalogs every aspect of it.

Then SQL-based queries allow developers and security teams to monitor low-level functions in real-time and quickly search for malicious behavior and vulnerable applications on their infrastructure.

In simple words, OSquery allows an organization to treat its infrastructure as a database, turning OS information into a format that can be queried using SQL-like statements.

This functionality is critical for administrators to perform incident response, diagnose systems and network level problems, help to troubleshoot performance issues, and more.
This open source endpoint security tool has become one of the most popular security projects on GitHub since its release in mid-2014 and was available for Linux distribution such as Ubuntu or CentOS, and Mac OS X machines.

So, if your organization was running a Windows environment, you were out of luck.

But, not today, as with the help of Trail of Bits, Facebook has finally launched the OSquery developer kit for Windows, allowing security teams to build customized solutions for their Windows networks.

"As adoption for osquery grew, a strong and active community emerged in support of a more open approach to security," reads the earlier version of Facebook's blog post provided to The Hacker News.

"We saw the long-held misconception of 'security by obscurity' fall away as people started sharing tooling and experiences with other members of the community. Our initial release of osquery was supported for Linux and OS X, but the community was also excited for a Windows version — so we set out to build it."

To get started with the OSquery developer kit for Windows, check this official documentation, the development environment, and a single script. The build is easy to install, and you can start coding right away.

You can read the full documentation of the development process of the OSquery developer kit for Windows on the blog post by Trail of Bits.

Just last month, the most popular messaging app WhatsApp updated its privacy policy and T&Cs to start sharing its user data with its parent company, and now both the companies are in trouble, at least in Germany and India.

Both Facebook, as well as WhatsApp, have been told to immediately stop collecting and storing data on roughly 35 Million WhatsApp users in Germany.

The Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar even ordered Facebook on Tuesday to delete all data that has already been forwarded to WhatsApp since August.

Also in India, the Delhi High Court on September 23 ordered WhatsApp to delete all users’ data from its servers up until September 25 when the company’s new privacy policy came into effect.

When Facebook first acquired WhatsApp for $19 billion in cash in 2014, WhatsApp made a promise that its users’ data would not be shared between both companies.

But now apparently this has changed, which, according to Caspar, is not only "misleading" for their users and public, but also "constitutes an infringement of national data protection law" in Germany.

"Such an exchange is only admissible if both companies, the one that provides the data (WhatsApp) as well as the receiving company (Facebook) have established a legal basis for doing so." the press release [PDF] from the Commission reads.

"Facebook, however, neither has obtained an effective approval from the WhatsApp users nor does a legal basis for the data reception exist."

Apparently, the new measure was taken by the companies in favor of more targeted advertising on the largest social network and to fight spam.

In response to the privacy watchdog’s decision, Facebook released a statement that it complied with EU data protection law, saying: "We are open to working with the Hamburg DPA in an effort to address their questions and resolve any concerns."

According to the watchdog, since Facebook and WhatsApp are independent companies, they should process their users' data based on their own terms and conditions as well as data privacy policies.

However, WhatsApp users need not to worry about the content of their WhatsApp messages, like chats and images, as they are end-to-end encrypted, which means even the company cannot read them.

Google's long-rumored Android-Chrome hybrid operating system is expected to debut at the company's upcoming hardware event on October 4.

The company has been working to merge the two OSes for roughly 3 years with a release planned for 2017, but an "early version" to show things off to the world in 2016.

Android + Chrome = Andromeda

The hybrid OS, currently nicknamed 'Andromeda,' could be come on a new Pixel laptop as well as Huawei Nexus tablet from Google by Q3 2017, if not sooner, according to new leaks from 9to5Google and Android Police.


The laptop, officially codenamed "Bison" and nicknamed "Pixel 3," is a reference to the "Chromebook Pixel," but since this edition is not running Chrome operating system, one can not call it a "Chromebook" anymore.

Andromeda is separate from the company's Fuchsia OS, which is focused on Internet-of-Thing (IoT) devices. Moreover, the report also makes it clear that Andromeda "is [an entirely] distinct effort from Google's current campaign to bring Android apps to Chromebooks." So, don't get confused.

Rumored specs suggest Bison is expected to pack a 12.3-inch display with a 'tablet' mode and stylus and reportedly powered by an Intel M3 processor like Apple's 12-inch MacBook, or an Intel Core i5.

Bison is expected to have two models with 32GB or 128GB of internal storage, and 8GB or 16GB of RAM.

Other features could include two USB-C ports, a 3.5mm headphone jack, a fingerprint scanner, stereo speakers, a backlit keyboard, quad microphones, a glass trackpad, and a battery that lasts around 10 hours.

For more details about the new hybrid operating system, you need to wait for two more weeks for Google's October 4 event that is set to launch a Google's new hardware product line, including "Google Wi-Fi" router, Google Home, the refreshed 4K-capable Chromecast rumored to be called Chromecast Ultra, and a "Daydream" VR headset.

A computer hacker who allegedly helped the terrorist organization ISIS by handing over data for 1,351 US government and military personnel has been sentenced to 20 years in a U.S. prison.

Ardit Ferizi, aka Th3Dir3ctorY, from Kosovo was sentenced in federal court in Alexandria, for "providing material support to the Islamic State of Iraq and the Levant (ISIL) and accessing a protected computer without authorization and obtaining information in order to provide material support to ISIL," the Department of Justice announced on Friday.

The 21-year-old ISIS-linked hacker obtained the data by hacking into the US web hosting company's servers on June 13, 2015.

Ferizi then filtered out over 1,300 US military and government employees' information from the stolen data and then handed them over to Junaid Hussain, according to court filings [PDF].

The stolen data contains personally identifiable information (PII), which includes names, email addresses, passwords, locations and phone numbers of US military service members and government workers.

Junaid Hussain, who was a British jihadi and believed to be the then leader and creator of a group of ISIS hackers called the Islamic State Hacking Division (ISHD), posted the names and personal data of 100 US service member's families online.

The Hussain's statements included:

"We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the Khilafah, who soon with the permission of Allah will strike at your necks in your own lands!"

Hussain, who was also known as Abu Hussain Al-Britani and used the moniker TriCk, was later killed in a US drone strike in Syria in August last year.

The US authorities also tracked down Ferizi to Malaysia, where he was arrested by the local authorities on October 6, 2015, while trying to catch a flight back to Kosovo.

Before helping ISIS, Ferizi had served as an alleged leader of the Kosova Hacker's Security (KHS) hacking group and hacked into a number of government sites belonging to the Presidency of Macedonia, the Greek Ministry of Education, the Greek Decentralized Administration of Macedonia and Thrace (DAMT), Lifelong Learning and Religion. He also stole data from IBM and Greek mobile telecoms firm OTE.

Ferizi was pleaded guilty on June 15, 2016, and faced a sentence of up to 35 years in prison, but the sentence was reduced to a maximum of 25 years after agreeing to plead guilty. However, defense lawyers said he meant no real harm and asked for a six-year sentence.

Can you rely on a single loudspeaker in your living room for great sound throughout your home?

Nah!

In the same way, you can not expect a single WiFi router to provide stable range throughout your home.

To solve this issue, Google will soon power your home's wireless internet network with its own-brand new WiFi router called Google WiFi, according to a new report.

Google is set to launch a lot of new gadgets at its hardware event on October 4 including the new Pixel smartphones, Google Home, the refreshed 4K-capable Chromecast rumored to be called Chromecast Ultra and the new Google WiFi router.

But the Google WiFi router might be the biggest surprise of the bunch.

Google WiFi is said to be designed in such a way that it can be deployed in groups to create a mesh network so that multiple units can be linked together, similar to Eero's incredible router, according to a report from Android Police.
With Google WiFi, you simply need to plug one device into your modem, and other routers placed in different rooms will automatically connect to each other to create a single big wireless mesh network that covers every corner of your home.

Google WiFi will cost you $129 (INR 8600) each, according to the report.

The router is apparently going to have the same selling points as Google's OnHub router, including better range than most everyday routers and a slew of "smart" features.

Only the one significant advantage over OnHub is that Google WiFi will offer the ability to link several routers together to create one big wireless network.

According to a separate report from DroidLife, each Google WiFi unit will have dual-band antennas with two ports, 802.15.4 radios, AC1200 speeds, and Bluetooth. The setup process of the router is expected to be simplified so that it is ready to use in minutes.

Google did not yet comment on the matter. For details about the device, you need to wait for two more weeks.

After the iPhone encryption battle between Apple and the FBI, Apple was inspired to work toward making an unhackable future iPhones by implementing stronger security measures even the company can't hack.

Even at that point the company hired one of the key developers of Signal — one of the world's most secure, encrypted messaging apps — its core security team to achieve this goal.

But it seems like Apple has taken something of a backward step.

Apple deliberately weakens Backup Encryption For iOS 10

With the latest update of its iPhone operating system, it seems the company might have made a big blunder that directly affects its users' security and privacy.

Apple has downgraded the hashing algorithm for iOS 10 from "PBKDF2 SHA-1 with 10,000 iterations" to "plain SHA256 with a single iteration," potentially allowing attackers to brute-force the password via a standard desktop computer processor.

PBKDF2 stands for Password-Based Key Derivation Function, is a key stretching algorithm which uses a SHA-1 hash with thousands of password iterations, which makes password cracking quite difficult.

In iOS 9 and prior versions back to iOS 4, PBKDF2 function generates the final crypto key using a pseudorandom function (PRF) 10,000 times (password iterations), which dramatically increases authentication process time and makes dictionary or brute-force attacks less effective.

Now Bruteforce 2,500 times Faster than earlier iOS Versions

Moscow-based Russian firm ElcomSoft, who discovered this weakness that is centered around local password-protected iTunes backups, pointed out that Apple has betrayed its users by deliberately downgrading its 6 years old effective encryption to SHA256 with just one iteration.

Therefore, a hacker only requires to try a single password once and brute force to find a match and crack the account login, making the entire process substantially less time consuming.

"We discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older," Oleg Afonin from Elcomsoft wrote in a blog post today.

Yes, that's right. With iOS 10, it's possible for an attacker to brute force the password for a user’s local backup 2,500 faster than was possible on iOS 9, using a computer with an Intel Core i5 CPU (with 6 million passwords per second).

However, an obvious limitation to this attack is that it can't be performed remotely.

Since the weakness is specific to password-protected local backups on iOS 10, a hacker would require access to your device’s local backup, where the iPhone files are stored.

Elcomsoft is a well-known Russian forensics company that, like market leader Cellebrite, makes money by selling a kit that can hack into iPhones for the purpose of rooting around a target's device.

The Elcomsoft's kit was believed to have been used in The Fappening (or 'Celebgate') hack, where hackers exposed celebrities' nude pictures in 2014 by hacking into the Apple iCloud and Gmail accounts of more than 300 victims.

The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks.

OpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well as other secure services.

The vulnerabilities exist in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0 and patched in OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u.

The Critical-rated bug (CVE-2016-6304) can be exploited by sending a large OCSP Status Request extension on the targeted server during connection negotiations, which causes memory exhaustion to launch DoS attacks, the OpenSSL Project said.

What is OCSP Protocol?

OCSP(Online Certificate Status Protocol), supported by all modern web browsers, is a protocol designed to perform verification and obtain the revocation status of a digital certificate attached to a website.

OCSP divided into client and server components. When an application or a web browser attempts to verify an SSL certificate, the client component sends a request to an online responder via HTTP protocol, which in turn, returns the status of the certificate, valid or not.

Reported by Shi Lei, a researcher at Chinese security firm Qihoo 360, the vulnerability affects servers in their default configuration even if they do not support OCSP.

"An attacker could use the TLS extension "TLSEXT_TYPE_status_request" and fill the OCSP ids with continually renegotiation," the researcher explained in a blog post.

"Theoretically, an attacker could continually renegotiation with the server thus causing unbounded memory growth on the server up to 64k each time." 

How to Prevent OpenSSL DoS Attack

Administrators can mitigate damage by running 'no-ocsp.' Furthermore, servers using older versions of OpenSSL prior to 1.0.1g are not vulnerable in their default configuration.

Another moderate severity vulnerability (CVE-2016-6305) that can be exploited to launch denial of service attacks is fixed in the patch release, affecting OpenSSL 1.1.0 that was launched less than one month ago.

The team has also resolved a total of 12 low severity vulnerabilities in the latest versions of OpenSSL, but most of them do not affect the 1.1.0 branch.

It is worth noting that the OpenSSL Project will end support for OpenSSL version 1.0.1 on 31st December 2016, so users will not receive any security update from the beginning of 2017. Therefore users are advised to upgrade in order to avoid any security issues.