Cyber security news and services

Google goes down after major BGP mishap routes traffic through China


Google lost control of several million of its IP addresses for more than an hour on Monday in an event that intermittently made its search and other services unavailable to many users and also caused problems for Spotify and other Google cloud customers. While Google said it had no reason to believe the mishap was a malicious hijacking attempt, the leak appeared suspicious to many, in part because it misdirected traffic to China Telecom, the Chinese government-owned provider that was recently caught improperly routing traffic belonging to a raft of Western carriers through mainland China. The leak started at 21:13 UTC when MainOne Cable Company, a small ISP in Lagos, Nigeria, suddenly updated tables in the Internet’s global routing system to improperly declare that its autonomous system 37282 was the proper path to reach 212 IP prefixes belonging to Google.

Read more ⟶

Google traffic hijacked via tiny Nigerian ISP


A large chunk of the hijacked traffic passed through the network of a controversial Chinese state-owned telecom provider that was previously accused of intentionally misdirecting internet traffic. A tiny Nigerian ISP has hijacked internet traffic meant for Google’s data centers. The incident, called a BGP hijack, occurred yesterday, on November 12, between 13:12 and 14:35, Pacific time, according to Google.

The incident was first detected and reported by BGPmon, an online service that monitors the routes that internet traffic takes through the smaller internet service provider (ISP) networks that make up the larger internet. According to BGPmon, the incident was caused by a small Nigerian ISP named MainOne Cable Company (AS37282), which announced to nearby ISPs that it was hosting IP addresses that were normally assigned to Google’s data center network. BGPmon says the Nigerian ISP incorrectly announced it was hosting 212 Google network prefixes in five different waves, for a total of 74 minutes.

Read more ⟶

Alarm over talks to implant UK employees with microchips


Britain’s biggest employer organisation and main trade union body have sounded the alarm over the prospect of British companies implanting staff with microchips to improve security. UK firm BioTeq, which offers the implants to businesses and individuals, has already fitted 150 implants in the UK. The tiny chips, implanted in the flesh between the thumb and forefinger, are similar to those for pets.

Read more ⟶

Proof-of-Work and Proof-of-Stake are Regressive


The recent low in cryptocurrency morale has given our community a rich opportunity for reflection. The vast majority of us crypto enthusiasts have a genuine heart for marrying technology and social action, and I believe it’s time we reflect on where we wanted to go with digital currencies, honestly take stock of the state of blockchain technology today, and rigorously plan how to improve digital currencies moving forward. I’ve been fortunate enough to sit in on many lectures discussing blockchain technologies and incentive structures in computer science at Stanford University, and it’s led me to the conclusion that crypto incentives have driven a lust for global consensus which obscures the important goals we originally had in mind.

Read more ⟶

VirtualBox 0-day vulnerability


VirtualBox E1000 Guest-to-Host Escape. Vulnerable software: VirtualBox 5.2.20 and prior versions.

Host OS: any, the bug is in a shared code base. VM configuration: default (the only requirement is that the network card is Intel PRO/1000 MT Desktop (82540EM) and the mode is NAT). Until the patched VirtualBox build is out, you can change the network card of your virtual machines to PCnet (either of two) or to Paravirtualized Network.

Read more ⟶

Fake Elon Musk Twitter Bitcoin Scam Earned 180K in One Day


A widespread scam pretending to be from Elon Musk and utilizing a stream of hacked Twitter accounts and fake giveaway sites has earned scammers over 28 bitcoins or approximately $180,000 in a single day. This scam is being pulled off by attackers hacking into verified Twitter accounts and then changing the profile name to ‘Elon Musk’. They then tweet out that he, being Elon, is creating the biggest crypto-giveaway of 10,000 bitcoins.

Read more ⟶

Security professional’s toolbox: Semi-automated pentesting with open source tools


Despite the high quality of supportive tools in the field of security testing, this is still unknown territory for many development projects and therefore still has some unused potential. Christian Schneider’s session at DevOpsCon 2017, presented from the perspective of a fictitious web application penetration test, offers a well-rounded overview of the open-source tools used by security professionals and penetration testers in their daily work on the detection of security vulnerabilities.

Read more ⟶

Proof-of-Signature Superior to PoW and PoS


What are the flaws inherent in both Proof-of-Work and Proof-of-Stake that make Proof-of-Signature an ideal alternative? A short explanation is given below. How does Bitcoin validate transactions and deter denial of service attacks?

It requires a transaction-requesting entity to perform computational work. In essence, it makes data creation difficult for users but data verification easy for the network. This system is known as Proof-of-Work, a well-known protocol used throughout much of the cryptocurrency world.

Read more ⟶

China has been ‘hijacking the vital internet backbone of western countries’


A Chinese state-owned telecommunications company has been ‘hijacking the vital internet backbone of western countries,’ according to an academic paper published this week by researchers from the US Naval War College and Tel Aviv University. The culprit is China Telecom, the country’s third-largest telco and internet service provider (ISP), which has had a presence inside North American networks since the early 2000s when it created its first point-of-presence (PoP). PoPs are data centers that do nothing more than re-route traffic between all the smaller networks that make up the larger internet.

Read more ⟶

With No Laws To Guide It, Here’s How Orlando Is Using Amazon’s Facial Recognition Technology


Walking around downtown Orlando, you might not notice the lightbulb-sized camera affixed to one of the traffic signal poles along the city’s palm tree–studded avenues. But it’s there, scanning all the same. If it sees you, the camera will instantly send a live video feed over to Amazon’s facial “Rekognition” system, cross-referencing your face against persons of interest.

Read more ⟶

Twelve malicious Python libraries found and removed from PyPI


A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code. The 12 packages were discovered in two separate scans by a security engineer who goes online by the name of Bertus, and had long been removed from PyPI before this article’s publication. All packages were put together and worked following a similar pattern.

Read more ⟶

British Airways hack is worse than originally thought


A deeper investigation has revealed that hackers were stealing information for much longer than initially thought, and an additional 185,000 British Airways customer payment cards were compromised. Last month, British Airways announced that the customer data and details of some 380,000 card payments had been stolen from its network by hackers between August 21 and September 5, 2018. Now, in an update posted on its website, British Airways says it has discovered that more of its customers have been affected – with potentially impacted individuals being those who made reward bookings between April 21 and July 28, 2018, and who used a payment card.

Read more ⟶

X.org bug that gives attackers root bites OpenBSD and other big-name OSes


Several big-name Linux and BSD operating systems are vulnerable to an exploit that gives untrusted users powerful root privileges. The critical flaw in the X.org server—the open-source implementation of the X11 system that helps manage graphics displays—affects OpenBSD, widely considered to be among the most secure OSes. It also impacts some versions of the Red Hat, Ubuntu, Debian, and CentOS distributions of Linux.

Read more ⟶

How China Used a Tiny Chip to Infiltrate U.S. Companies


In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video. Based in Portland, Ore., Elemental made software for compressing massive video files and formatting them for different devices. Its technology had helped stream the Olympic Games online, communicate with the International Space Station, and funnel drone footage to the Central Intelligence Agency.

Read more ⟶

Facebook hack gets worse as company admits Instagram and other apps were exposed too


The Facebook hack is even worse than was at first clear, the company has admitted. The site had already admitted that a hole in its code would allow people to gain access to any account, in a problem that affected some 50 million users. But it later said that the problem would also affect its ‘Facebook Login’ service, which allows other apps to use people’s Facebook account to log in.

Read more ⟶

Facebook says nearly 50m users compromised in huge security breach


Nearly 50m Facebook accounts were compromised by an attack that gave hackers the ability to take over users’ accounts, Facebook revealed on Friday. The breach was discovered by Facebook engineers on Tuesday 25 September, the company said, and patched on Thursday. Users whose accounts were affected will be notified by Facebook.

Those users will be logged out of their accounts and required to log back in. The security breach is believed to be the largest in Facebook’s history and is particularly severe because the attackers stole “access tokens”, a kind of security key that allows users to stay logged into Facebook over multiple browsing sessions without entering their password every time. Possessing a token allows an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.

Read more ⟶

Facebook caught automatically blocking AP and Guardian stories about their massive data breach


This morning, news broke that a massive data breach has exposed the personal information of 50 million Facebook users to hackers. A company blog reports that nearly 90 million users were forced to log out of their accounts as a security precaution and provided little detail on what personal information attackers were able to access. Shortly after, reports began to circulate on Twitter that Facebook was blocking a Guardian story about the breach from being posted on its platform. Within minutes, additional reports began to circulate that an Associated Press story about the breach was being blocked as well. Internet users and journalists struggled to make sense of why Facebook was censoring this massive news story for over an hour until reports once again surfaced on Twitter suggesting that the block had been resolved. While it appears as though Facebook’s effort to block the story was an anti-SPAM glitch, it’s hard to imagine how this day could have gone much worse for Facebook.

Read more ⟶

Uber to pay $148 million for 2016 data breach and cover-up


The breach, revealed last year, granted hackers access to the personal information of 57 million riders and drivers. Uber paid the hackers $100,000 to delete the data and keep the breach quiet, rather than report the incident. Uber has agreed to pay $148 million in connection with a 2016 data breach and subsequent cover-up, according to the California Attorney General’s office.

Read more ⟶

NSA employee who brought hacking tools home sentenced to 66 months in prison


A former NSA coder has been sentenced to 66 months in prison for bringing home the code that drove much of the NSA’s signals intelligence operations. Nghia Hoang Pho, a 68-year-old former National Security Agency employee who worked in the NSA’s Tailored Access Operations (TAO) division, was sentenced today to 66 months in prison for willful, unauthorized removal and retention of classified documents and material from his workplace—material that included hacking tools that were likely part of the code dumped by the individual or group known as Shadowbrokers in the summer of 2016.

Read more ⟶

California passes nation’s first IoT security bill


As it has done with the issues of online privacy and restoring net neutrality, California becomes the first state to act to secure the Internet of Things. It’s back to the future time again for California. Having adopted the nation’s toughest online privacy protection measure and restored state-level net neutrality protections that are tougher on ISPs than the FCC regulations, the Golden State’s Legislature has just sent a bill to the governor’s desk for signature that would make California the first state to attempt IoT security governance.

Read more ⟶