Interesting Tech News from June, 2020

This is a monthly column of curated tech news, highlighting interesting and/or valuable tech developments from the past month that affect our society directly or indirectly. It also gives some sense of the trajectory technology as a whole is taking. The aim is to share the information concisely and in an easy-to-understand way, help you fill in gaps on what you might have missed, and let you learn something new.


AN EASY ACCOUNT HIJACKING ATTACK MADE POSSIBLE BY A BASIC BUT CRITICAL SIGN IN WITH APPLE BUG

[Image: Sign in with Apple flaw]

Sign in with Apple is a privacy-focused service similar to Sign in with Facebook or Sign in with Google. Apple introduced it in 2019. The idea is that a user who is logged in on an Apple device can quickly sign in to an app, e.g. Airbnb, if that app is integrated with the Sign in with Apple service. On a successful sign-in the app receives an identity token from Apple, a JWT (JSON Web Token) signed by Apple that carries the user's email address (real or Apple's relay address); the app trusts that token to identify the user.

Here is the scenario:

[Image: Sign in with Apple flaw, attack flow]
  1. An attacker starts Sign in with Apple for an app such as Airbnb that is integrated with the service. Apple's authentication server returns a JWT to be presented to the app. This token is what the Airbnb service relies on to decide which account to log the user into.

  2. In the request to Apple that produces this token, the attacker supplies the victim's Apple ID email address instead of his own.

  3. Surprisingly and shockingly, Apple's authentication server signs and returns a token containing the victim's email anyway. Because the signature is genuinely Apple's, the app's servers verify the token successfully, and the attacker is logged in to the victim's account.

The impact of this bug is quite significant. Services such as Airbnb, Dropbox, Spotify etc. are integrated with Sign in with Apple. Unless such an app required a second factor or had other security checks in place, an attacker could have hijacked accounts on it. All the attacker needed was the victim's Apple ID email address.

The bug was found by Bhavuk Jain. Technical details are on his blog. He was paid $100,000 by Apple under the Apple Security Bounty Programme.

Apple has fixed the flaw, but has not said what the fix was. Note that this was not a case of a forged signature: Apple really did sign the token, so a relying app that checked the signature, issuer, audience and expiry correctly still had no way to tell the token was fraudulent. Judging from the technical details, the fix most probably lies on Apple's side, binding the email claim Apple places in the token to the account that actually authenticated in that session rather than to whatever the request asked for.
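The flow above, reduced to a runnable toy. This is an added example, not Apple's code and not Bhavuk Jain's proof of concept. It uses an HMAC signature in place of Apple's RSA key so that it needs only the Python standard library; the issuer URL is Apple's real one, while the client ID, the signing key and the two email addresses are constructed for the example. It shows three things: editing a signed token yourself (the naive reading of step 2) breaks the signature, so the attack only works when the issuer signs the altered email for you; a relying party that checks signature, algorithm, issuer, audience and expiry correctly still accepts the token the buggy issuer produced, because nothing in it is wrong from the app's point of view; and the fix belongs on the issuer side, where the email claim is taken from the authenticated session.

```python
"""Toy model of the Sign in with Apple identity-token flaw (added example, not Apple's code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://appleid.apple.com"               # issuer value found in real Apple tokens
CLIENT_ID = "com.example.app"                      # assumed relying-party (app) identifier
SIGNING_KEY = b"stand-in-for-issuer-private-key"   # assumption: HMAC key instead of Apple's RSA key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _dump(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(_dump(header))}.{_b64url(_dump(claims))}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _claims_for(email: str, now: int) -> dict:
    return {"iss": ISSUER, "aud": CLIENT_ID, "email": email, "iat": now, "exp": now + 600}


def vulnerable_issue_token(session_email: str, requested_email: str, now: int) -> str:
    """Issuer bug modelled on the report: the email placed in the token is taken
    from the client's request, not from the account that actually authenticated."""
    return sign_jwt(_claims_for(requested_email, now), SIGNING_KEY)


def fixed_issue_token(session_email: str, requested_email: str, now: int) -> str:
    """Corrected issuer: the email claim comes from the authenticated session only."""
    return sign_jwt(_claims_for(session_email, now), SIGNING_KEY)


def verify_id_token(token: str, key: bytes, now: int) -> Optional[dict]:
    """Relying-party check: signature, algorithm, issuer, audience and expiry.
    Returns the claims if everything passes, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":   # never let the token pick 'none' or another algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def tamper_email(token: str, new_email: str) -> str:
    """Step 2 read naively: rewrite the payload yourself and keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["email"] = new_email
    return f"{header_b64}.{_b64url(_dump(claims))}.{sig_b64}"


def demo(now: Optional[int] = None) -> dict:
    """Run the three scenarios; returns which email the relying party ends up trusting."""
    now = int(time.time()) if now is None else now
    attacker, victim = "attacker@example.com", "victim@example.com"   # constructed addresses
    genuine = fixed_issue_token(attacker, attacker, now)
    edited = tamper_email(genuine, victim)                   # attacker edits the token himself
    forged = vulnerable_issue_token(attacker, victim, now)   # buggy issuer signs the victim's email
    honest = fixed_issue_token(attacker, victim, now)        # same request against the fixed issuer

    def who(tok: str) -> Optional[str]:
        return (verify_id_token(tok, SIGNING_KEY, now) or {}).get("email")

    return {"edited_token": who(edited), "forged_token": who(forged), "fixed_issuer": who(honest)}


if __name__ == "__main__":
    print(demo())
```

The relying-party function is deliberately strict, and it still lets the forged token through: the lesson is that signature verification only tells you who signed, not whether the signer put the right identity in the token.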


GOOGLE’S ADVANCED PROTECTION PROGRAMME COMES TO NEST & BECOMES SEAMLESS FOR APPLE DEVICES

[Image: Google's Advanced Protection available for Nest and iOS]

The Advanced Protection Programme (APP) goes further than the standard two-factor authentication Google offers for its accounts. With APP enabled on your Google account, signing in requires either a physical security key or the built-in security key on your smartphone, in addition to your password. Turning it on is easy and the service is free; the only expense is the physical security keys themselves.

Google Nest users can now use Advanced Protection with their Nest accounts. Previously, Nest devices could not be added to a Google account that had Advanced Protection enabled.

Apple added support for FIDO2-compliant physical security keys in iOS 13.3 last year. Building on that, Google APP on iOS now lets you use more types of security keys, which previously was either not possible or not straightforward.


SONY REVEALS PS5

[Image: Sony reveals PS5]
  • It will launch around the same time as the Xbox Series X, which is expected near Christmas 2020.

  • The PS5 Digital Edition won't have an optical drive and will be less expensive than the PS5 with the drive. Even today an optical drive still makes sense, as it's not uncommon to find households with slow internet connections.

  • Hardware-wise the PS5 is not far from the Xbox Series X. Both use AMD CPUs and GPUs, and both use fast SSDs that offer substantially faster loading times.

  • Ray tracing and support for 120 fps output at 120 Hz were expected.

  • The design may prove controversial. Whether you stand it vertically or lay it on its side will depend on your setup.

  • How good is the cooling architecture? Will it sound like a jet engine, like the PS4? Only time will tell.

  • Overall it seems like an impressive machine. Specs only tell half of the story; at the end of the day what matters is how games developed and optimized for the specific hardware perform, and Sony has no shortage of exclusive games being developed for its platform.

  • After seven years of the PS4, PlayStation enthusiasts are likely to upgrade, given what the machine has under the hood and what it's capable of playing.


SLACK AND AMAZON STRATEGIC PARTNERSHIP CHALLENGES MICROSOFT

Slack needs to scale, and the cloud is the most viable option for doing that quickly and reliably. It also needs better voice and video calling. Slack is understandably not comfortable using Azure, given its competition with Microsoft Teams, so Amazon's AWS is a natural fit. The deal between the two, as reported by The Verge, builds some interesting strategic partnerships that should help both companies in the long run.

[Image: Slack and Amazon partnership, competition for Microsoft]
  • Slack will move its voice and video features to Amazon Chime, Amazon's online meetings, video conferencing and team collaboration platform.

  • Amazon will roll out Slack to all of its employees. This will make Amazon Slack's biggest customer, pushing IBM into second place.

  • Slack is committing to AWS as its preferred cloud provider.


MAJOR US CELL NETWORK OUTAGE OR A MASSIVE CYBER ATTACK?

A 20,000% increase in complaints received

The outage started in the early afternoon on Monday, June 15. It quickly became a hot topic on the internet and people started to jump in with their opinions.

[Image: Major T-Mobile outage]
  • An Anonymous account with over 16 million followers tweeted that the US was under a major DDoS attack.

  • People enthusiastically started to share sites like digitalattackmap.com, suggesting that it might be a DDoS attack.

  • Politicians started to chime in and used the supposed DDoS attack to express discontent with the establishment.

What was the actual cause?

  • T-Mobile attributed the cause to a third-party fibre circuit failure. This can and does happen occasionally to all the major network providers, but customers normally don't feel it because network redundancy comes to the rescue. In this case, however, the redundant path did not work as expected. The result was a traffic spike on the network elements carrying VoLTE (voice over LTE) traffic, and the outage followed from the resulting capacity problems.

  • Furthermore, had it been a DDoS attack, the major Internet exchanges would have seen a traffic spike, which they did not, as Matthew Prince of Cloudflare tweeted.

  • Cloudflare also noted that it saw no errors or abnormal traffic from its VPN service to the impacted services.


APPLE WWDC 2020- INTERESTING ANNOUNCEMENTS

[Image: WWDC 2020, Apple]
  • Apple officially confirmed its transition from Intel to Apple silicon. It makes sense, as it will let Apple use a common architecture across all its products.

  • macOS Big Sur, coming this fall, features a new iOS-like, neumorphic design. An updated Notification Centre, a more privacy-focused Safari and an iOS-like Control Centre are among the highlights. Not every Mac will be able to run the new OS, though.

  • In Safari 14 you will be able to log into supported sites with biometric verification, i.e. Face ID or Touch ID, through the Web Authentication (WebAuthn) API. Physical security keys were already supported; the biometric option is new.

  • iOS 14 will also go through a major design change. Your iPhone can start to look more like a Windows Phone (if you choose), as iOS 14 lets you customize widgets and apps, giving them an appearance like Windows Live Tiles.

  • You will also be able to change your default mail and browser apps in iOS 14.

  • You will be able to experience surround sound on AirPods Pro through the spatial audio feature in iOS 14. Additionally, AirPods will switch seamlessly between Apple devices.

  • Using an iPhone or Apple Watch as a digital key to unlock and start your car through CarPlay will become a reality with iOS 14.

  • App Clips let you discover and use part of an app's functionality without downloading and installing the full app. Think of a parking app you use only briefly. This should help declutter your phone, since the app need not be permanently installed and left sitting on your home screen.

  • iPadOS 14 will also feature design enhancements such as search from anywhere and compact, less disruptive notifications for FaceTime and phone calls.

  • Apple Pencil is more tightly integrated in iPadOS 14, with features such as automatic conversion of handwritten notes to text and recognition of handwritten phone numbers.

  • ARKit 4 will let developers pin AR experiences to specific geographic coordinates, which should make AR more realistic.

  • All iPads that run iPadOS 13 will be able to upgrade to iPadOS 14.

  • The battery optimization feature is coming to AirPods as well.

  • tvOS 14 and watchOS 7 were unveiled as well.

You can find out more about these new features on Apple Website.


MAJOR CYBER ATTACKS DISCOVERED IN THE MONTH OF JUNE, 2020

  • Honda's operations worldwide were disrupted by a major cyber attack. The cause has not been confirmed, but theories circulating suggest a ransomware attack, with publicly exposed RDP as a possible initial access vector.

  • A medical research institution at the University of California paid $1.14m (the initial demand was $3m) to the Netwalker ransomware operators for a decryption key for important academic data they had encrypted. IT staff had to unplug computers to keep the attack from spreading. Payment was made in bitcoin.

  • Amazon revealed that AWS Shield mitigated a 2.3 Tbps DDoS attack, the largest ever recorded; the previous record was 1.7 Tbps. The attack used CLDAP (connectionless LDAP, which runs over UDP) as a reflector, which can amplify the attacker's traffic by up to 70 times: the attacker sends small requests with the victim's spoofed source address to exposed CLDAP servers, which then send their much larger responses to the victim.

  • Australia also came under cyber attack from a state-based actor, according to the Prime Minister. The attack was described as sophisticated and apparently took advantage of vulnerabilities in publicly exposed infrastructure.

  • Ransomware named Tycoon, a Java program packaged in the JIMAGE file format, which largely evades detection because anti-malware software rarely scans that format, was used to attack a European educational institution. The code could run on both Linux and Windows.

  • Deceptive Chrome extensions downloaded 32 million times by unsuspecting users could have siphoned off users' browsing history and other sensitive data. Google removed more than 70 malicious add-ons after being alerted, but why Google did not detect and remove them on its own is concerning.


NOTABLE TECH ACQUISITIONS IN JUNE, 2020

  • Equinix, which specializes in the data centre business, is buying 13 Bell Canada data centres for almost CAD 1 billion. Through the acquisition Equinix gains 600 customers and expands its data centre footprint in Canada.

  • Pittsburgh-based Argo AI, which specializes in self-driving vehicle systems and high-definition maps, completed a $2.6 billion deal with VW. Argo AI is also backed by Ford Motor Company.

  • Square's acquisition of Verse will help it expand its peer-to-peer cash send-and-receive service to Europe. Previously, through Cash App, it was limited to the UK and US.

  • Apple acquired Fleetsmith, which provides tools to help IT manage Apple devices remotely.

  • There's no letting up in Big Tech firms acquiring autonomous-driving startups. Amazon is reportedly acquiring the startup Zoox for about $1 billion. Zoox specializes in bidirectional self-driving vehicle technology.

  • Microsoft acquired CyberX, which specializes in the security of IoT networks, to complement its existing Azure IoT security offering.


OTHER TECH NEWS FROM JUNE 2020

  • Bell Canada launched Canada's largest 5G network, covering Montreal, the GTA, Calgary, Edmonton and the Vancouver area.

  • Sonos, known for its wireless soundbars and home theatre systems, is forking its software. The existing app has been renamed Sonos S1 Controller and will continue to support older Sonos products, but it won't be compatible with products released after May 2020.

  • Zoom's revenue grew 169% owing to the COVID-19 lockdowns.

  • After a backlash, Zoom reversed its decision not to provide end-to-end encryption to its free customers.

  • Huawei will not be a 5G vendor for the big three Canadian telecommunications giants. Bell and Telus will go with Ericsson and Nokia, while Rogers decided on Ericsson equipment back in 2018.

  • Facebook's tool to transfer photos and videos to Google Photos is now available globally.

  • If you are a Dropbox Plus customer paying $9.99 per month, you will soon have access to additional features: a) a password manager, b) cloud backup for Mac or Windows, c) a virtual safety deposit box for your important documents and d) a family account for sharing.

  • Apple has quietly been adding some big upgrades to Maps, such as real-time transit information (actual service times based on live feeds, not just the schedule), now available for the whole of Canada, most of the UK, Sweden and others. Check out this 9to5mac article for more information.

  • Microsoft, Amazon and IBM are taking a stricter stance on their facial recognition technology, with IBM abandoning its work on the technology altogether.

  • Canada, along with countries such as Saudi Arabia, Italy and Denmark, will use the Apple and Google exposure notification API for contact tracing.

  • The German fintech digital payments firm Wirecard has filed for insolvency.

  • AWS launched a beta of Honeycode, a service designed to help non-coders build mobile and web apps without writing code. Apps built with it cater to specific business needs such as managing customer or inventory data.

  • Microsoft is permanently closing its retail stores across the world.

  • Google is making TLS 1.3 the default for its Cloud CDN and Cloud Load Balancing customers to improve security and performance. TLS 1.3 drops the obsolete key exchanges and ciphers of earlier versions and completes the handshake in one round trip instead of two. Google made this move after a positive TLS 1.3 experience with its other services such as Gmail and Chrome.

  • China launched the final satellite of its Beidou constellation, which means China now has its own fully operational global satellite navigation system, an alternative to the US GPS.

I hope you enjoyed reading this article as much as I enjoyed writing it and I hope it helped you fill in some gaps. Thanks. See you in August.

