Pipka, a newly discovered web skimming script, deletes itself from the host page after it runs, which makes it far harder to detect than earlier skimmers.

Researchers from Visa's Payment Fraud Disruption (PFD) team discovered the new skimming script on the website of a North American merchant that had previously been infected with Inter, another widely used card skimmer. Further investigation uncovered about 16 other merchant websites that were also infected with Pipka.

Web payment skimming attacks have become common lately, largely because of Magecart, whose shopping cart skimmers have hit well over a dozen retailers. Although the groups operating under that label run similar skimmers, each uses its own technique to inject the malicious script into targeted sites.

What is Web Skimming?

Web skimming is the theft of card details from e-commerce sites by means of malicious scripts injected into the sites. The scripts are placed on the retailer's checkout pages and capture credit card data as customers type it in while paying for an item.

Some of the most notable skimming attacks were waged by Magecart, an umbrella label for a dozen or so groups that have targeted the e-commerce sites of several major organizations, including Ticketmaster and British Airways, over the past 12 months.

In the Magecart cases, according to security researchers, the attackers re-injected the malicious script into retailers' checkout pages even after security teams had detected and removed it.

How is Pipka different from Magecart?

Unlike most Magecart skimmers, Pipka is highly configurable: the attackers specify exactly which form fields to harvest. The stolen data is encrypted and stored in a cookie, which is later exfiltrated to the attackers' command-and-control server.

Because the target fields are configurable, Pipka can also handle two-step checkout pages, capturing billing data on one step and payment account data on the next. Its most interesting trait, though, is anti-forensic: once it has run, it removes its own script element from the page, so an inspection of the page after the fact finds no trace of it.

How to Protect Your e-Commerce site from Pipka

Website administrators are advised to add recurring checks in their e-commerce environments for communication with known skimmer command-and-control servers, to scan their websites regularly for malware, and to vet the content delivery networks and any other third-party code that partners load onto their pages.

Other measures are to keep the shopping cart software up to date and patched, to use strong passwords, to limit access to the administrative portal, and to consider an external checkout solution.

How newly discovered Web Skimming script, Pipka can run undetected

The proliferation of smartphones has had a massive impact on the business environment in Nigeria, with several mobile payment platforms jostling for consumers' wallets. Whether paying utility bills or transferring funds to friends and family, there are many mobile apps for the job, and Nigerians are getting used to these mobile payment systems.

There are older players such as Interswitch, with its Quickteller platform, and Paga, but here we consider two newcomers that have shown great potential: PalmPay and OPay.

The entry of these two mobile platforms is seen as a good opportunity for fintech startups, and it may well be a major driver of the disruption that is expected in the banking sector.

About PalmPay

PalmPay is headquartered in the UK and offers a package of mobile-based financial services, including bill payments, rewards programs and discounted airtime purchases.

The company has only recently launched in the Nigerian market, having raised a $40 million seed funding round led by the Chinese smartphone maker Transsion Holdings. PalmPay received approval from the Central Bank of Nigeria (CBN) to operate as a licensed mobile money operator in July 2019, and during its pilot phase registered about 100,000 users and processed 1 million transactions, according to the company's spokesperson.

Its initial focus will be on mobile payments, although that sector has lately become crowded, with hundreds of startups already competing in Nigeria's fintech space and looking to bring scalable mobile money solutions to the country's financial problems.

About OPay

OPay, an offshoot of Opera Group, owner of the well-known mobile browser Opera Mini, also targets unbanked Nigerians and additionally offers bike and tricycle hailing, quick loans and food delivery. OPay is something of a super app that seems to cover every service a Nigerian may ever need.

OPay grew out of Opera's 2017 acquisition of PayCom and serves the company's vision of an open, connected internet, building products that remove the barriers keeping people from getting online.

Opera claims a large share of Africa's internet population: of the 464,923,169 web users in Africa, about 120 million use its mobile applications.

How OPay and PalmPay will Impact mobile payments in Nigeria

Both OPay and PalmPay have heavy backing from multinationals, so their financial muscle is not in doubt. PalmPay has a partnership with Visa that lets it deliver Visa products on top of its customers' wallets, for example by linking a wallet to Visa products, giving completely unbanked users access to the whole Visa network.

OPay, meanwhile, already has a large customer base from its other services such as OFood, ORide and OTrike, as well as newer services like OKash, OBus and OWealth that are still gearing up for full operation. OPay clearly offers what people want, such as ride hailing for Lagos commuters with government-approved bikes, buses and even tricycles, and it provides insurance cover for both drivers and riders.

PalmPay, on the other hand, has strategic advantages that include Reeve's leadership experience in Africa, the support and network of Transsion (maker of Tecno, Infinix and Itel phones), and its partnership with Visa.

The battle lines have been drawn for leadership of the Nigerian mobile money ecosystem, and the eventual leader will most likely be one of these two.

PalmPay vs OPay: Battle for Nigerians' wallets by Money Apps and Reward Systems

Microsoft has unified Configuration Manager (ConfigMgr) with its Intune unified endpoint management (UEM) platform. The combination, now called Microsoft Endpoint Manager, gives users access to both from a single interface.

ConfigMgr and Intune have played much the same role, one on-premises and the other in the cloud, with co-management options for provisioning and deploying secure endpoints and applications across the enterprise. With Endpoint Manager, Microsoft is converging Intune and ConfigMgr functionality into a seamless, end-to-end management solution without the complexity, or the disruption to productivity, of running two separate tools.

Endpoint Manager provides management and security that is available wherever devices are, is intended to meet customers' particular needs, and is meant to help with their future migration to the cloud.

Microsoft Endpoint Manager also includes Desktop Analytics and the Device Management Admin Center (DMAC), along with simplified licensing: Microsoft is making Intune licensing equally available to ConfigMgr customers who co-manage their Windows devices.

Customers who wish to manage non-Windows devices with Microsoft Endpoint Manager will first need to purchase an Intune license, an EMS (Enterprise Mobility + Security) license, or a Microsoft 365 E3 or higher license, according to the company.

The roll-out of Endpoint Manager, with all of its features and capabilities, will begin over the coming months for supported products.

Microsoft's unification of Configuration Manager (ConfigMgr) and UEM platform

Delegated Credentials for TLS is the technical specification of a new cryptographic protocol announced by Mozilla in conjunction with Cloudflare, Facebook and other members of the IETF community.

The new protocol limits the damage a stolen key can do by letting servers authenticate with short-lived delegated credentials, valid for days or even hours, instead of directly with the certificate's own private key, which may be valid for months or years. It is a simple way to make the credential a server presents effectively short-lived without sacrificing the reliability of secure connections.

An HTTPS-protected website presents its TLS certificate to the browser to prove its identity before any information, including passwords and other sensitive data, is exchanged. Such certificates are expected to last for their entire validity period, but a certificate can go bad before its expiration date for several reasons.

The main reason a certificate goes bad before expiration is that the private key corresponding to it has been stolen, or the certificate was issued fraudulently. Either allows an attacker to impersonate the targeted server or to spy on encrypted connections through a man-in-the-middle attack.

More than 70% of websites on the Internet now use TLS certificates to establish HTTPS connections between servers and visitors, protecting the privacy and integrity of the data exchanged, so TLS certificates must be obtained from a Certificate Authority (CA) that all major browsers trust.

Large companies such as Google, Facebook and Cloudflare serve their sites from many servers scattered around the world, and distribute the certificate's private key to every one of those servers, which multiplies the opportunities for compromise.

If a certificate is compromised before its expiration date, the website operator has only one option: ask the certificate authority to revoke it and issue a new certificate with a different private key.

Revocation, however, is broken in practice. Browsers should promptly detect revoked certificates and stop users from connecting to a compromised server until it obtains a new valid certificate, but revocation checks are unreliable.

Modern browsers either cache a certificate's validation result for a while or, when no valid response comes back from the CA or a connection error occurs, simply assume the certificate is still valid. To narrow this window, many web companies have begun experimenting with certificates that have a much shorter validity period, after which the browser rejects them without waiting for a revocation signal.

The problem with these experiments is that the CA is a separate organization from which the website would have to fetch new certificates far more frequently, and there is no reliable way for a company to rotate certificates every few hours or days.

Members of the IETF community set out to tackle the issue by proposing Delegated Credentials for TLS, a new cryptographic protocol that balances this trade-off. Instead of copying the certificate's private key to every server, the operator generates short-lived key pairs internally, signs each one with the certificate's key to produce a delegated credential, and deploys only those delegated credentials to its servers.

How the Delegated Credentials For TLS will boost TLS Protocol Security

Google has partnered with several mobile security companies in what it calls the 'App Defense Alliance', to detect malicious apps targeting its Android mobile platform earlier.

This is the first time the Internet giant has sought help from third-party security companies to make Android more secure, by detecting potential threats in apps and improving security across the ecosystem.

Google has enlisted Zimperium, ESET and Lookout in forming the App Defense Alliance, with the aim of tackling one of Android's biggest problems: malicious apps that affect users of the platform again and again.

The initiative is meant to combat that menace and ensure that mobile users are better protected, since users' safety is paramount in the effort to stop malicious apps from reaching their devices.

In a similar move, Microsoft has integrated third-party mobile threat defense systems with Intune, its unified endpoint management (UEM) platform, enabling corporate customers to detect an unenrolled smartphone or tablet that may be infected with malware.

These moves will be particularly helpful for enterprises with bring-your-own-device (BYOD) policies, which can now block access to enterprise systems from devices flagged by the mobile threat defense software.

The App Defense Alliance takes a proactive approach to harmful apps, working alongside the Google Play Protect service that scans installed apps on Android devices, so that potentially harmful apps are caught before they are published on the Play Store.

As part of the alliance, Google will integrate its Play Protect detection system with the partners' scanning engines, so that several engines monitor submissions in order to detect and block malicious apps before they reach the Play Store.

Microsoft already offers threat defense for enterprise PCs through Microsoft Defender, so extending it to Android and iOS devices is a natural evolution. Google's decision to involve third-party security companies, for its part, shows that it truly wants to make the Android ecosystem more secure.

Google Enters ‘App Defense Alliance’ to help detect Malicious Android Apps

Microsoft had earlier offered a glimpse of its virtual assistant, Cortana, in the workplace; now the company is assigning it full duties within its growing portfolio of productivity tools.

First, Microsoft is adding a hands-free way to follow up on email: Cortana offers a summary of all new emails a user has received in the past 24 hours, with an estimate of how long it will take to read them all. The AI voice assistant can also highlight changes to the calendar and potentially schedule events for the day through its integration with Outlook's calendar.

Cortana will also be able to tell you how long emails have been sitting in the inbox, along with details such as the identity of the sender and whether the email contains attachments, links or embedded files.

Gartner Research has predicted that more than 25 percent of digital workers will use virtual assistants daily from 2021. This is an opportunity for SMBs to apply virtual assistant technology to routine office processes, which in turn frees up time for customer issues and reduces delays in communication.

Microsoft has touted the Play My Emails feature as more like a conversation with a personal assistant than a basic text-to-speech rendering of email. By saying "Hey, Cortana" a user can interrupt the readout to give further commands (such as skipping messages, flagging an email for later, or archiving it) or even dictate a reply using natural voice and language recognition.

Microsoft is certainly in a strong position in the race for office dominance, as it already has the most popular business apps in Office 365, with over 200 million monthly active users worldwide. However, it will still have to prove it can truly deliver on the promise of more natural conversations.

Microsoft has also added a masculine voice option for Cortana, which users can select from the Outlook app's settings. A Scheduler feature is currently in preview and should become generally available next year.

Additional features coming soon to Cortana include a daily briefing email summarizing upcoming meetings and relevant documents, and meeting setup through the new Scheduler feature: by simply cc-ing Cortana on a mail, a user can ask the assistant to book a call or find a meeting room, and it will present a series of options based on availability.

Microsoft AI-powered voice assistant, Cortana makes further inroads into the Workplace

Visual Studio Online, the web-based version of Microsoft's code editor, which had been in private testing with select developers, is now open to the public.

The online editor lets developers quickly configure a development environment for their repositories and work on their code. It provides cloud-powered development environments, suited to a long-term project or a short-term task, in a browser-based editor that is accessible anywhere.

Among other things, Visual Studio Online brings the benefits of DevOps practices such as reliability and scalability, which have typically applied to production workloads, to development environments.

It allows development environments to be customized per project, and also layers on individual personalization so that cloud-hosted environments feel natural to use. Developers can bring the tools, processes and configurations they already rely on, and get the best of both worlds.

Besides the cloud-hosted environments, Visual Studio Online lets you register and connect your own self-hosted environment, for example one you have already tuned, and still enjoy some of the benefits of Visual Studio Online, at no charge.

Every Visual Studio Online environment can be tailored to the needs of a specific project or task, either automatically through smart-configuration features or by fine-tuning the environment with JSON and Dockerfile configuration overrides.

These dynamic environments are quick to create, reproducible and reliable, which makes onboarding team members to a project easy and lets you try out new projects that would otherwise have been cumbersome to set up.

Reproducible development environments also practically eliminate the familiar "works on my machine" problem.

Microsoft releases the Online Version of the Code Editor, Visual Studio Online

NFC works with Android Beam, a service that lets Android devices send images, videos, other files and even apps to a nearby device over Near-Field Communication radio, as an alternative to Wi-Fi and Bluetooth.

A file sent via NFC beaming normally triggers a prompt on the receiving device asking for permission to install from an unknown source, but on Android 8 (Oreo) and later, an app sent via NFC beaming produces no such prompt, and installation happens with a single tap.

Android shows a warning whenever a user tries to install an app that was not downloaded directly from the Play Store. The bug is that on Android Oreo and later, NFC beaming does not explicitly ask the user for permission to proceed with installing an app from an unknown source.

Certain apps, such as Dropbox and Google Chrome, are whitelisted and can install packages without the security warning or notification, and Android Beam had been placed on that same list.

The reason this bug is such a big deal is that new Android devices ship with NFC enabled by default and give no indication that the feature is active. It works once two devices are within about 4 cm (1.5 inches) of each other, so an attacker who wants to plant malware on your Android device only needs to bring their phone close to it.

Google acknowledged the bug (CVE-2019-2114) as affecting devices running Android 8.0 (Oreo) or later, allowing anyone, including bad actors, to push malware to a phone discreetly via NFC beaming.

The company has released a fix that removes Android Beam from the whitelist of trusted installation sources. Until your device receives it, you are advised to turn off NFC and Android Beam, and to update Android to the latest software available for your device.

How To Protect Your Android Smartphone from the NFC beaming bug

Google has urged Chrome users to update their browser immediately: Chrome 78.0.3904.87 patches two high-severity vulnerabilities, one of which is already being exploited in the wild to hijack PCs.

According to the Chrome security team, both issues are use-after-free vulnerabilities: the first is in Chrome's audio component (CVE-2019-13720) and the second in the PDFium library (CVE-2019-13721). Both affect Chrome for Windows, Mac and Linux.

A use-after-free is a class of memory corruption bug in which a program keeps using memory after it has been freed; an attacker who controls what is placed in that memory can corrupt data and divert execution. Both flaws could let a remote attacker run arbitrary code in the context of the browser simply by convincing a targeted user to visit a maliciously crafted website.

The discovery of the flaws is credited to Kaspersky researchers Anton Ivanov and Alexey Kulaev. The audio component flaw is already being exploited in the wild, though it is not yet clear which hackers or group are behind the attacks.

Kaspersky traced the exploit to a compromised Korean-language news portal. After exploiting the Chrome vulnerability (CVE-2019-13720), the attackers installed first-stage malware on the target system, which then connected to a remote command-and-control server to download the final payload.

Google has also released urgent patches for Chrome to fix other use-after-free vulnerabilities in different components of the browser, the most severe of which could allow a remote attacker to take control of the affected system.

Chrome users are advised to update their browsers, and whenever possible to run the browser as a non-privileged user in order to limit the impact of any attack exploiting the zero-day. Chrome updates automatically and notifies users when a new version is available, but it is still recommended to trigger the update manually via the menu: Help → About Google Chrome.

Warnings: Two Chrome vulnerabilities actively Exploited in the wild to hijack PCs

Google has touted Site Isolation in Chrome 77 on desktop as capable of defending against significantly stronger attacks, even in scenarios where the renderer process is compromised, such as through Universal Cross-Site Scripting (UXSS) logic errors.

The mechanism initially targeted Spectre-like attacks that leak data from within a renderer process, but starting with Chrome 77, Site Isolation also handles the more severe case in which the renderer process is fully compromised through a security bug such as memory corruption or a UXSS logic error.

In other words, Google has extended the defense to cover attacks that exploit vulnerabilities in the browser's rendering engine, Blink.

Site Isolation works by limiting each Blink renderer process to pages from a single site, effectively isolating one site's pages from all others. When a malicious site exploits a vulnerability, it is denied access to other sites' data, so attackers cannot steal users' data, such as corporate information, from other sites.

A memory corruption bug in Blink may still let an attacker run arbitrary native code inside the sandboxed renderer process, where Blink's own security checks no longer constrain it.

However, Chrome's browser process knows which site each renderer is handling, so it withholds cookies, passwords and other data belonging to other sites from that entire process, making it far more difficult for an attacker to steal cross-site data.

Chrome 77 for Android also gains Site Isolation, which previous versions enabled only on desktop. On desktop platforms, isolation is turned on for all sites; on Android it is applied per site, and only for sites that handle sensitive data, such as those where users log in with a password.

The feature starts with Chrome 77 for Android and is enabled for about 99% of users on Android devices with at least 2GB of RAM, with a 1% holdback to monitor performance.

Google takes Site Isolation a notch higher in Chrome 77 against attacks