Pipka, a newly discovered web skimming script, can remove every trace of itself from the host website after execution, making it almost impossible to detect.

The research team from Visa's Payment Fraud Disruption (PFD) discovered this new skimming script on the website of a merchant located in North America; the website had previously been infected with Inter, another popular card skimmer. On further investigation, the team uncovered about 16 other merchant websites that were also infected with Pipka.

Web payment skimming attacks have been popular lately, owing to the rise of Magecart, whose shopping cart skimmers attacked over a dozen retailers. Despite running the same skimmer, these groups used different techniques and methods to inject the malicious script into targeted sites.

What is Web Skimming?



The theft of card details from eCommerce sites through the use of malicious scripts injected into the websites is known as web skimming. The scripts are injected into the retailer's checkout pages to steal credit card information as customers enter their card details when purchasing an item.

Some notable skimming attacks were those waged by Magecart, an umbrella organization made up of a dozen groups that have been targeting the e-commerce sites of several major organizations, including Ticketmaster and British Airways, over the past 12 months.

In the cases involving Magecart, according to security researchers, the attackers re-injected the malicious script into retailers' checkout websites even after being detected by the security teams.

How is Pipka different from Magecart?



Unlike Magecart, Pipka is very customizable, allowing attackers to configure exactly which form fields they target for data theft. The stolen data is stored as a cookie in encrypted form, which is then exfiltrated to their command-and-control server.

The attackers can target even two-step checkout pages by configuring fields for both the billing data and payment account data. What makes it most interesting is its ability to remove all traces by deleting itself from the webpage after execution.

How to Protect Your e-Commerce site from Pipka



Website administrators are advised to add recurring checks in eCommerce environments for communications with any known skimmers' command-and-control servers. This enables them to regularly scan their websites for malware, and to vet the content delivery networks and any other third-party code loaded by partners onto their websites.
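A recurring check of this kind, as an added example that is not from Visa's report or the original article: because Pipka deletes itself from the page after it runs, the audit inspects the checkout HTML as served rather than the rendered page. The host names, the allowlist, the placeholder skimmer host and the sample HTML are all constructed assumptions.

```python
"""Audit the <script> elements a checkout page is served with (added example)."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed assumptions: the shop's host, the third-party hosts it has
# vetted, and a known-bad list fed from threat intelligence.
FIRST_PARTY = "shop.example"
ALLOWED_HOSTS = {"shop.example", "cdn.payments.example"}
KNOWN_SKIMMER_HOSTS = {"skimmer-c2.invalid"}  # placeholder, not a real indicator


class ScriptCollector(HTMLParser):
    """Records every script element: its src and integrity, or its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None  # list of text chunks while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.scripts.append({"src": attr["src"], "integrity": attr.get("integrity")})
            self._inline = None
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append({"inline": "".join(self._inline)})
            self._inline = None


def inline_hash(body):
    """CSP-style sha256 hash of an inline script body."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def is_known_bad(host):
    """Blocklist match covers the listed host and any of its subdomains."""
    return any(host == bad or host.endswith("." + bad) for bad in KNOWN_SKIMMER_HOSTS)


def audit_checkout_html(html, approved_inline):
    """Return (kind, detail) findings for the scripts in one served page."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for script in collector.scripts:
        if "inline" in script:
            digest = inline_hash(script["inline"])
            if digest not in approved_inline:
                findings.append(("unapproved-inline", digest))
            continue
        # A relative src has no hostname and is served by the shop itself.
        host = urlparse(script["src"]).hostname or FIRST_PARTY
        if is_known_bad(host):
            findings.append(("known-skimmer-host", host))
        elif host not in ALLOWED_HOSTS:  # allowlist is exact-match only
            findings.append(("unvetted-host", host))
        elif host != FIRST_PARTY and not script["integrity"]:
            findings.append(("missing-sri", host))
    return findings


# Constructed sample: the page as approved, then the same page with additions.
BASELINE_HTML = """<html><body>
<script src="/js/cart.js"></script>
<script src="https://cdn.payments.example/v2/pay.js" integrity="sha384-EXAMPLE" crossorigin="anonymous"></script>
<script>initCheckout({currency: "USD"});</script>
</body></html>"""

INJECTED = """<script src="https://static.skimmer-c2.invalid/a.js"></script>
<script src="https://cdn.payments.example/v2/extra.js"></script>
<script src="//stats.unvetted.example/t.js"></script>
<script>/* constructed stand-in for an injected inline loader */</script>
</body>"""

TAMPERED_HTML = BASELINE_HTML.replace("</body>", INJECTED)
APPROVED_INLINE = {inline_hash('initCheckout({currency: "USD"});')}

if __name__ == "__main__":
    for kind, detail in audit_checkout_html(TAMPERED_HTML, APPROVED_INLINE):
        print(f"{kind}: {detail}")
```

Run on a schedule against a fresh fetch of each checkout step, any finding on a page that was previously clean is the signal to investigate.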

Other measures are to ensure the shopping cart software is up-to-date and patched, to use strong passwords, to limit access to the administrative portal, and to use an external checkout solution.

How newly discovered Web Skimming script, Pipka can run undetected



The proliferation of smartphones has massively impacted the business environment in Nigeria, with several mobile payment platforms jostling for the consumers' wallet. Whether making payment for utility bills or transferring funds to friends and family, there are many mobile apps to take care of that, and Nigerians are getting used to these mobile payment systems.

While there are some old players like Interswitch with its Quickteller platform and Paga, we'll be considering the two newcomers that have shown great potential, namely PalmPay and OPay.

The entrance of these two mobile platforms is considered a good opportunity for fintech startup businesses, and perhaps it will be the major reason for the disruption that is expected to happen in the banking sector.

About PalmPay



PalmPay is headquartered in the UK, and offers packages of mobile-based financial services, which include bill payments, rewards programs and discounted airtime purchase.



The company has just recently launched into the Nigerian market, having raised a $40 million seed funding round led by the Chinese smartphone maker Transsion Holdings. PalmPay got the approval of the Central Bank of Nigeria (CBN) to operate as a licensed mobile money operator in July 2019, and during the pilot phase the mobile payments venture registered about 100,000 users, with 1 million transactions processed, according to the company's spokesperson.

Its initial focus will be mainly on mobile payments, though the sector has lately become a bit crowded — with hundreds of startups already competing for Nigeria’s fintech space, looking to bring scalable mobile money solutions for the country’s financial problems.

About OPay



OPay, an offshoot of Opera Group, the owners of the renowned mobile browser Opera Mini, is also targeting unbanked Nigerians and offering bike and tricycle hailing services, along with quick loans and food delivery. OPay is sort of a super mobile app that seems to have the services every Nigerian may ever require.



The mobile payment platform, OPay, was perhaps born from the acquisition of PayCom by Opera in 2017, and serves to help propel the company's vision for an open, connected Internet world and to build products that will remove the barriers that impede people from getting online.

Opera already boasts of helping bring about half of Africa's internet population online: out of the 464,923,169 Web users in Africa, Opera claims about 120 million people are using its mobile applications.

How OPay and PalmPay will Impact mobile payments in Nigeria



Both OPay and PalmPay have heavy backing from multinationals, so their financial muscle is not in any doubt. PalmPay has a Visa partnership, allowing it to deliver Visa products on top of its customers' wallets, such as linking their wallet to Visa products, and to gain access to completely unbanked users with the whole of the Visa network.

OPay, meanwhile, already has a plethora of customers from its other services like OFood, ORide, OTrike and also the newer services, like OKash, OBus and Owealth, that are still gearing up for full operations. OPay definitely offers what people are interested in, such as a ride-hailing business for Lagos commuters with government-approved bikes, buses and even tricycles, while also providing insurance cover for both the drivers and riders.

PalmPay, on the other hand, has some strategic advantages, which include Reeve's leadership experience in Africa, Transsion's support and network (makers of Tecno, Infinix and Itel mobile phones), and its partnership with Visa.

Now, the battle line has been drawn for the leadership of the Nigerian mobile money ecosystem, and most definitely, the would-be leader will be coming from one of the above.

PalmPay vs OPay: Battle for Nigerians wallet by Money Apps and Reward Systems



Microsoft has unified Configuration Manager (ConfigMgr) with its Intune unified endpoint management (UEM) platform; the combination is now known as Endpoint Manager, with users able to access everything within a single interface.

ConfigMgr and Intune have played almost the same role, serving as on-premises and cloud management tools, and also as co-management options for the provisioning and deployment of secure endpoints and applications across the enterprise. But with Endpoint Manager, Microsoft is looking at the convergence of Intune and ConfigMgr functionality to offer a seamless, end-to-end management solution without the complexity or disruption in productivity.

Endpoint Manager provides transformative management and security to meet customers' peculiar needs; it is available everywhere and is also helpful in their future migration to the cloud.

Additionally, Microsoft Endpoint Manager includes the following: Desktop Analytics and Device Management Admin Center (DMAC), along with the simplification of licensing, as it seeks to make Intune licensing equally available to ConfigMgr customers for co-managing their Windows devices.

For customers who wish to manage non-Windows devices with Microsoft Endpoint Manager, they will need to first purchase either an Intune license, EMS (Enterprise Mobility & Security) license, or a Microsoft 365 E3 or higher license, according to the company.

The rollout of Endpoint Manager, including all the features and capabilities, will start over the coming months for supported products.

Microsoft's unification of Configuration Manager (ConfigMgr) and UEM platform



Delegated Credentials for TLS is the technical specification for a new cryptographic protocol announced by Mozilla, in conjunction with Cloudflare, Facebook, and some other members of the IETF community.

The new cryptographic protocol will prevent the misuse of stolen certificates by reducing the maximum validity period of such certificates to a short period of time, like days or even hours, instead of several years. It is a rather simplified way to make certificates "short-lived" without necessarily sacrificing the reliability of the secure connections.

An HTTPS-protected website provides its TLS certificate to the web browser for confirmation of identity before the actual exchange of information, including passwords and other sensitive data. Such certificates are expected to last for the entire validity period, but some certificates can go bad before their expiration date for different reasons.

The main reason a certificate can go bad before expiration is that the secret private key corresponding to the certificate has been stolen, or the certificate was issued fraudulently, allowing attackers to impersonate the targeted server or spy on encrypted connections via a man-in-the-middle attack.

Over 70% of websites on the Internet currently use TLS certificates to establish a secure route of HTTPS communication between the servers and visitors, which ensures the privacy and integrity of the data being exchanged, so a TLS certificate obtained from any Certificate Authority (CA) needs to be trusted by all major browsers.

Now, major tech companies like Google, Facebook, and Cloudflare offer services from several different servers scattered all over the world, and distribute private certificate keys to every one of the servers, a process that increases the risk of compromise.

The compromise of a certificate before its expiration date leaves only one option for the website operator: to request that the certificate authority revoke the certificate and reissue a new one in its place with a different private key.

But revocation mechanisms are equally broken in practice, because browsers should normally be able to promptly detect untrusted certificates so as to proactively prevent users from connecting to a compromised server until it gets a new valid certificate.

So modern browsers either use a cached validation of a certificate for a while, or assume it is still valid in cases where the browser did not receive a valid response from the CA or encountered a connection error. In order to further reduce this time frame, most web companies have already started experimenting with certificates with a shorter validity period, after which the browser will reject them instead of waiting for a revocation signal.

The problem with these experiments is that the CA is a separate organization, from which a website server would need to fetch new certificates more frequently, and there's no reliable way for the companies to continuously rotate certificates every few hours or days.

The IETF community members sought to tackle the issue by proposing Delegated Credentials for TLS, a new cryptographic protocol that will balance these trade-offs. So now, instead of the deployment of the actual private key to all servers by the CA, the companies can generate it internally and deploy it as delegated credentials.

How the Delegated Credentials For TLS will boost TLS Protocol Security



Google has entered into a partnership with some mobile security companies, which it calls the ‘App Defense Alliance’, to help in the early detection of malicious apps targeting its mobile software, Android.

The Internet giant is, for the first time, seeking the help of third-party security companies in making Android more secure, by detecting potential threats in apps and improving security for the ecosystem.

Google is enlisting the help of Zimperium, ESET and Lookout in forming the App Defense Alliance, with the aim of tackling one of Android's major problems: malicious apps affecting users on the mobile platform every now and then.

The new initiative is to combat the menace and ensure that the mobile users are better protected, as the safety of its users is paramount in the effort to stop malicious apps from reaching those devices.



In a similar move, Microsoft has also integrated third-party mobile threat defense systems with its unified endpoint management (UEM), Intune platform, which will enable corporate customers to detect an unenrolled smartphone or tablet that's potentially infected by malware.

These moves will be generally helpful for enterprises with BYOD (bring-your-own-device) policies, in that they can now effectively block access to enterprise systems on devices flagged by the mobile threat defense software.

The App Defense Alliance will adopt a proactive approach towards harmful apps, along with the Google Play Protect service that scans installed apps on Android devices, making doubly sure that potentially harmful apps are detected before being published on the Play Store.

Google, as part of the alliance, will integrate the Play Protect detection system with the partners' scanning engines, which results in multi-monitoring systems to detect and prevent malicious apps from getting to the Play Store.

Microsoft already offers a threat defense system for enterprise PCs through the Microsoft Defender firewall, which makes it a natural evolution to offer it for Android and iOS devices. Google involving third-party security companies, on its part, shows it truly wants to make the Android ecosystem more secure.

Google Enters ‘App Defense Alliance’ to help detect Malicious Android Apps



Microsoft had earlier offered a glimpse of the virtual assistant, Cortana, in the workplace; now the company has fully targeted it for duties in its growing portfolio of productivity tools.

First off, Microsoft brings a hands-free way to follow up on emails, with Cortana offering a summary of all new emails a user has received in the past 24 hours, with an estimation of how long it will take to read them all. Now, the AI voice assistant can highlight changes to the calendar and potentially be able to schedule events for that day, via the integration with Outlook’s Calendar app.

Cortana will also be able to inform you on how long emails have been sitting in the inbox, and additional information such as the identity of the sender or if the email contains any attachments, including links and embedded files.

Gartner Research had predicted that over 25 percent of digital workers will be using virtual assistants on a daily basis starting from 2021; this is an opportunity for SMBs to employ virtual assistant technology in their daily auxiliary office processes, which in turn will give them more time to attend to other customers' issues, as it will reduce delays in communications.



Microsoft has touted the Play My Emails feature as more like a conversation with one's personal assistant than just a basic conversion of email from text to audio. By simply saying “Hey, Cortana”, a user can interrupt the readout to give further commands (such as skipping messages, or flagging email for later reading or archiving them) or even dictate the email response using the natural voice and language recognition.

No doubt, Microsoft has a vantage position to win in the race for Office dominance, as it already boasts the most popular business apps with Office 365, which currently has over 200 million monthly active users globally. However, Microsoft will have to prove it can truly deliver on the promise of more natural conversations.

Microsoft has even added a masculine voice option to Cortana for interactions, and users can easily access the option from the Outlook app's settings. A scheduler feature is currently in preview and, hopefully, will be generally available next year.

Additional features coming soon to Cortana include the ability to send a daily briefing email with a summary of upcoming meetings and relevant documents, and to set up meetings with the new Scheduler feature: simply by “cc-ing” Cortana into a mail, a user can ask the AI assistant to book a call or locate a meeting room, and it will present a series of options based on availability.

Microsoft AI-powered voice assistant, Cortana makes further inroad into Workplace



Microsoft's web-based version of its code editor, Visual Studio Online, which was previously in private testing with select developers, has now been opened to the public.

The new online editor, Visual Studio Online, will enable developers to quickly configure a development environment for their repositories and also work on their code. It provides cloud-powered development environments, capable of handling a long-term project or even a short-term task, in a browser-based editor that's accessible anywhere.

Visual Studio Online, among other things will bring the benefits of DevOps, such as reliability and scalability, which typically worked for production workloads, to the development environments.



It not only allows development environment customization per project, but also layers on individual personalization to make the cloud-hosted environments feel more natural to use. The online editor also allows developers to leverage all the tools, processes and configurations that they've already come to love and rely on, giving them the best of both worlds.

Besides the cloud-hosted environments, Visual Studio Online allows you to register and connect your own self-hosted environments, or an environment you've already perfectly tuned, and record some of the benefits of Visual Studio Online, all for free.

Every Visual Studio Online environment is carefully crafted for the needs of a specific project or task, which can either be accomplished automatically with smart-configuration features, or you can finely tune environments using JSON and Dockerfile configuration overrides.

These dynamic environments are also quick to create, reproducible and reliable - enabling easy onboarding for team members to your project, and you can get started on new projects that otherwise would be cumbersome to try out before now.

Additionally, the reproducible development environments practically eliminate the so-called "Works on my machine" issue.

Microsoft releases the Online Version of the Code Editor, Visual Studio Online



NFC works with Android Beam, a service that allows Android devices to send images, videos, and other files, or even apps, to another nearby device using Near-Field Communication radio waves, as an alternative to WiFi and Bluetooth technology.

Files sent via NFC beaming result in a prompt on the receiving device asking for permission to install the file from an unknown source. But starting with Android 8 (Oreo) and above, if you send an app to someone via NFC beaming, no such prompt appears and the installation of the app happens in just a tap.

Google displays a warning whenever an Android user tries to install an app that is not directly downloaded from the Play Store. The bug is that on devices running Android Oreo and above, NFC beaming does not explicitly ask users for permission on whether they wish to go ahead with the installation of an app from unknown sources.



However, certain apps such as the Dropbox app and Google Chrome are whitelisted and can be installed without the security warnings or notification.

The reason this bug is such a big deal is that new Android devices have the NFC feature enabled by default and wouldn't even show if the feature is active on your smartphone. It works once you hold two devices in close proximity, 4cm or 1.5 inches apart, so if a hacker needs to send malware to your Android device, he only needs to bring his smartphone close to your device.

Google acknowledged the bug (CVE-2019-2114) as affecting Android devices running Android 8.0 (Oreo) or above by allowing anyone, including bad actors, to send malware discreetly to a smartphone via NFC beaming.

The company has promptly released a fix, removing the NFC Beaming feature from whitelisted apps. However, it is advised that you turn off the NFC feature and Android Beam on your device, and users should update their Android OS to the latest software if available for their device.

How To Protect Your Android Smartphone from the NFC beaming bug



Google has issued a warning to Chrome users to urgently upgrade their browser to the Chrome 78.0.3904.87 release, which contains a patch for two highly severe vulnerabilities, one of which is already being actively exploited in the wild by attackers to hijack PCs.

According to the Chrome security team, both issues are use-after-free vulnerabilities, with the first affecting Chrome's audio component (CVE-2019-13720) while the second vulnerability resides in the PDFium (CVE-2019-13721) library, for Windows, Mac, and Linux computers.

A use-after-free vulnerability is a class of memory corruption issue that allows modification of data in the PC's memory, enabling an attacker to gain privileges on an affected system. Both flaws could allow remote attackers to gain privileges on the Chrome browser by convincing targeted users to visit a maliciously crafted website, enabling them to run arbitrary code on the affected system.

The discovery of the flaws was credited to Kaspersky researchers Anton Ivanov and Alexey Kulaev, with the flaw in Chrome's audio component already being exploited in the wild, though it is not yet clear which specific hackers or group are targeting the flaw.

Kaspersky also traced the exploit to a compromised Korean-language news portal; after exploiting the Chrome vulnerability (CVE-2019-13720), the attackers install the first-stage malware on the target systems, which then connects to a remote command-and-control server to download the final payload.

Google also released urgent security patches for Chrome to fix other use-after-free vulnerabilities in different components of the web browser, the most severe of which allows remote hackers to take control of an affected system.

Chrome users are advised to update the software on their systems, and whenever possible, as a non-privileged user in order to diminish the effects of any attack exploiting the zero-day vulnerability. Although Chrome updates automatically and notifies users about the latest available version, users are still recommended to trigger the update process by going to the menu: Help → About Google Chrome.

Warnings: Two Chrome vulnerabilities actively Exploited in the wild to hijack PCs



Google has touted Site Isolation in Chrome 77 on desktop as capable of defending against significantly stronger attacks, even in scenarios where the renderer process is compromised, such as through Universal Cross-Site Scripting (UXSS) logic errors.

The security mechanism initially targeted Spectre-like attacks, which lead to data leaks from a given renderer process, but starting with Chrome 77, Site Isolation will be able to handle severe attacks whereby the renderer process is completely compromised through security bugs, such as bugs related to memory corruption or UXSS logic errors.

What this means is that Google has extended the advanced defensive technology to protect against such attacks as exploiting vulnerabilities in the browser's rendering engine, Blink.

The site isolation works by limiting Blink rendering engine process to pages from a single website, thus effectively isolating a rendered page from other sites. And as malicious websites try to exploit a vulnerability, the attack site would be denied access, so the hackers won't be able to access users' data, such as corporate information.

A bug might still allow an attacker to run arbitrary native code within the sandboxed renderer process: if an attacker exploits a known memory corruption bug in Chrome's rendering engine, that code can no longer be constrained by the security checks in Blink.

But, Chrome's browser process understands what website the renderer is processing at a time, so it will restrict cookies, passwords, and other site data from the entire process, making it far more difficult for attackers to steal cross-site data.

The Android version of Chrome 77 also sports the site isolation technology, which in previous versions was enabled only for desktop. On desktop platforms, isolation is turned on for all sites, while for Chrome on Android isolation happens on a per-site basis, and is only active for websites that process sensitive data.

The feature starts with Chrome 77 for Android, and is enabled for about 99% of users running Android devices with a RAM of at least 2GB, and a 1% holdback for monitoring performance.

Google takes Site Isolation a notch higher in Chrome 77 against attacks



Opera Software has launched OLeads, a new platform for Small and Medium Enterprises (SMEs) that will help them leverage web presence to increase awareness about their business and ramp up sales.

Opera OLeads brings unique tools to SMEs to maximize their online presence for rapid digital transformation and to scale their business, as most SMEs operate offline business models. With Opera OLeads, Nigerian SMEs can easily create mobile websites and landing pages for marketing campaigns, which integrate seamlessly with their contextual advertising platform.

OLeads does not require programming or design skills, and the user-friendly interface allows just any business owner to create website from scratch, with the large number of free templates, and drag and drop components that even non-techies can use to create website in less than five minutes.



SMEs can also choose from a wide variety of custom-made website templates to personalize their website according to the individual needs and goals of their business. The easy drag and drop text inputs, images and call-to-action modules, means that SMEs can have their business running in minutes, and they are able to manage the data generated from their website.

The platform, which made its debut in September 2019, now has about 3,000 Nigerian businesses onboard in just one month. This milestone by OLeads is an indication of Opera's strong position in the Nigerian advertising market as a hugely trusted platform that has won the heart of its users in a relatively short period of time.

Opera's ambition for accelerating the digital transformation of Africa is insatiable, with a user base of nearly 120 million African users out of its global user base of 350 million. These stats include those using the popular Opera Mini and Opera browsers, and also the standalone news application, Opera News.

The company's new growth plans for Africa includes the expansion of its product portfolio beyond mobile apps and the introduction of new innovative online marketing services such as Opera Ads and OList.

Opera launches Oleads to Empower SMEs with Multi-dimensional leads



Google always accompanies Chrome updates with release notes aimed at highlighting the upcoming changes, additions, enhancements and modifications that are planned for the browser, especially for enterprises.

Chrome has continued to dominate the browser market, with about 69% of the world's user share, which is calculated as a measure of monthly browser activity by Net Applications. Google's browser has eclipsed even its closest rivals like Firefox, with Mozilla now fighting for leftovers, and the erstwhile browser leader, Microsoft, having adopted Chromium technology to align with Google in order to remain relevant.

Chrome is currently used the same way that Microsoft's Internet Explorer (IE) 6 was back in the day, where developers primarily optimize their web content for Chrome, leaving tweaking for rivals until later.

Google is the undisputed champion of modern web standards, and in its effort to make web standards work across the different browsers, it has led the industry effort to modernize the web. That effort is what has enabled Google to advance its services like Gmail, G Suite (formerly Google Apps) and other productivity tools.

What's coming in next versions of Chrome?



Google promised to launch a baked-in hacked-password alert system in Chrome that will automatically alert users whose details have been compromised. The feature may be similar to Firefox Monitor, which functions more like Troy Hunt's "Have I Been Pwned", allowing users to search for login details on the service to see if the details were released in a data breach.

The Chrome build that leads to Stable, Chrome 78 Beta, and also the less-reliable Chrome 79 Canary for Windows and macOS, already sport the new password checker system, though hidden behind a setting in the options menu.



Google has joined the DNS-over-HTTPS (DoH) bandwagon, a protocol hyped as a new way to secure communications between the DNS (Domain Name System) server and the browser. The company has announced plans to implement DNS-over-HTTPS (DoH) in the next version of its browser, Chrome 78, with the option of choosing the corresponding DoH server to use for DNS resolution.

This comes on the heels of Mozilla's already running support for DoH in the main Firefox release for a small percentage of its users, and its promise of making it available for all users. Support for DoH started with Firefox 62 to improve the way the browser interacts with DNS, using encrypted networking to obtain DNS information from the server.

Starting with Chrome 79, Google will commence the trial for DoH, whereby DNS requests from users will automatically be switched to the pre-selected DNS provider's DoH service if available.



Google has also laid out plans to deprecate the legacy versions 1.0 and 1.1 of the Transport Layer Security (TLS) cryptographic protocol, which is used to encrypt communications between browsers and website servers. Beginning from Jan. 13, 2020, Chrome 79 will start displaying "Your connection to this site is not fully secure" whenever a user connects to a site running the outdated protocols.

Google will equally stop supporting FTP (File Transfer Protocol), an outdated protocol that transfers files over an unencrypted connection, starting with Chrome 80, and recommends that IT administrators move to native FTP clients instead.

What's new in the latest Chrome update & Google's plans for the future



EdTech is now commonplace in the world of education, and with each passing year, educators have come to embrace more of EdTech tools for use in the classroom. Educators who haven't embraced technology in the classroom are missing out on so much functionality, as these tools give teachers much ease when teaching big classes.

The tools are designed to engage and inspire students in the class. Unlike the traditional classroom setup, now, educators can ensure every student in their class participates. This is because the tools enable personalized learning. The one-fits-all paradigm no longer works for a teacher who's working towards exclusivity.

Nowadays, teachers are able to provide their students with the right information at the right time and in the right way. Technologies like AI, as well as analytics, give educators the insights they need to personalize learning for every student. Private as well as public institutions are banking on EdTech because it has shown great potential in the few years it has been around.

As a college student, you have access to every resource you need to make your college life less challenging.

Top 3 Technological Trends in Education for 2019



1. Smartboards: Smartboards help teachers make classes as interactive as possible. This tool allows the educator to apply different styles of writing to achieve their end goal. Students can interact with the Smartboard for better retention of information. The board accommodates both visual and tactile learners who are in a given class.

Teachers can use images and videos to illustrate complex concepts. The best part is the board accommodates audio contributions from the class. This way, a student can later listen to lessons to get what the teacher was trying to explain. These digital whiteboards eliminate the hassle of using chalks and markers.

This is a versatile tool that every school should consider investing in because it customizes learning for all students.

2. Artificial Intelligence (AI): AI continues to thrive in the educational sphere as it’s the key to personalized learning in classrooms. Teachers can easily streamline instructions to ensure every student understands what is required of them. Thanks to AI, Machine Learning (ML) can be used to evaluate the competence of different students.

Identifying each student’s weak areas is how teachers can help improve the overall performance of an institution. Educators now have an easy time introducing supporting materials to schools.

AI also helps teachers as they can offload many of the mundane tasks to machines. This way, every teacher has enough time to track the progress of each student. Technology companies are introducing Machine Learning algorithms that help educators develop personalized study guides.

With interactive questions, students don’t just do tests to pass, but to find out their weak areas. This way, every student knows which areas require further reading. Every student today can create their own digital bookshelf and read from the comfort of their dorm rooms.

3. Augmented and Virtual Reality: Thanks to Augmented and Virtual Reality, teachers can use realistic scenarios to illustrate concepts in class. VR helps educators establish a digital environment that can transform into whatever a teacher wants it to be.

This is exactly what a class needs for students to achieve high comprehension and better information retention.

Conclusion



Every school needs to have these three trending technologies to enhance the learning environment. Students need technologies that prompt interaction, so they can learn from one another.

Top 3 Exciting Educational Technology Trends to Watch in 2019



Rich Communication Services (RCS), a robust messaging standard, comes as an upgrade to SMS and MMS, bringing features found in third-party services like WhatsApp to basic text messaging, such as real-time typing and read notifications, location updates, and emoticon support.

The standard was initially formed by a group of leading mobile industry players in 2007 and officially adopted by the GSMA in 2008, with a Steering Committee established; the GSMA later entered into a partnership with Google and 15 global carriers to push the adoption of Rich Communication Services (RCS).

Now, the following mobile carriers in the United States, namely Verizon, Sprint, AT&T and T-Mobile have finally gotten the approval to offer a universal cross-carrier communication standard for the next-generation RCS messaging service.

The leading mobile carriers will replace SMS with RCS mobile messaging standard, and are already working with interest groups and other connected mobile companies to deploy the new RCS standard in text messaging app for Android phones which is expected to be fully launched by 2020.



This joint venture is dubbed the Cross Carrier Messaging Initiative (CCMI), and meant to deliver the Rich Communications Service (RCS) industry standard to consumers of the four carriers in the United States and subsequently to the global markets.

But RCS-based messages aren't end-to-end encrypted, and Apple, one of the leading mobile players, seems to have no interest in RCS as it already offers more on iMessage than the technology is promising.

These points have hindered general adoption of the standard, along with complicated mobile carrier and phone maker policies, with carriers and service providers offering to implement non-universal specifications of the RCS standard, which limits RCS-based messages to the subscribers of their own networks.

On the security front, RCS involves message verification and certification mechanisms which ensure that users interact with legitimate brands, thus protecting them from fraudulent activity by impersonators and from phishing attacks. Additionally, RCS message traffic via the device and network can be protected using the SIP-over-TLS encryption protocol.

The new RCS technology is really exciting because it brings the capabilities of messaging systems like Apple's iMessage and special services such as Telegram to basic SMS regardless of device. Also, the RCS capabilities expand beyond messaging, as it works with the contacts app; for instance, it can let you see who else in your phonebook supports the new technology.

GSMA moves to replace SMS/MMS with RCS Messaging Standard by 2020



Google had earlier promised the ability to search for items on Google Drive directly from the browser, and now, with Chrome 78, the feature will be rolling out to G Suite customers to search for files on Google Drive from the address bar.

The latest version of the world's most popular browser, Chrome 78, also includes patches for about 37 security vulnerabilities and new customization options for the tab page. Chrome 78 also shows a text box when the pointer hovers over a tab, dubbed "tab hover cards", which is helpful when the tab bar is overloaded and there isn't room to distinguish the labels.

As is Google's norm, new features are distributed in stages, so that if any problem occurs, it won't impact everyone.

G Suite users will be able to search from the address bar for Google Drive files that they have access to; according to Google's Chrome-in-the-enterprise documentation, their input will search through both titles and document contents, and the most relevant documents will surface based on their history.

It covers the following business accounts: G Suite Enterprise, G Suite Enterprise for Education, and G Suite Business. The feature will be active by default, but can be changed from the 'Google Drive search suggestions' setting in the G Suite admin console.

Among the expected new features is "Force Dark Mode", for those who can't get enough of dark mode and would rather have all websites follow the operating system's dark mode setup; by simply flipping from light to dark, Chrome will invert all websites to dark mode.

G Suite customers gets access to Google Drive from Chrome address bar



Mozilla has gone all out against social media trackers, with Firefox 70 blocking all cross-site tracking cookies from social media sites like Facebook, LinkedIn, and Twitter; also allowing you to view everything that has been blocked through the Privacy Protection report.

The latest version of the open source browser, Firefox 70, builds on the Enhanced Tracking Protection that made its debut in the previous version, Firefox 69, where Mozilla turned the protection on by default for all users of the browser. Now, the security and privacy features have been expanded to thwart all social media trackers.

While the social media trackers will be blocked by default on Firefox 70, you’ll also get to see what trackers are blocked and a quick overview of data breaches that your associated email address has been involved in recently.

The Lockwise integration continuously scans for password and database dumps that might contain your leaked credentials by comparing a hash of your passwords to passwords in the leaks, and also makes sure that you don't have to worry about the Firefox maker, or its workers, having access to your password.

Additionally, Mozilla has made it easier to generate secure passwords with Firefox 70 for new accounts, or secure saved passwords when logging in via the Lockwise feature. You’ll be prompted to allow Lockwise to auto-generate a safe and secure password, which can be saved directly in the browser.

And for already existing accounts, you can simply right click in the password field to access the securely generated passwords through the fill out option.

Also, Firefox 70 lets more Windows users use WebRender, as Mozilla has opened the feature up to those with PCs running Intel integrated graphics and a display resolution lower than 1920-by-1200 pixels, and it brings improvements to battery life on Mac.

All other new features and security fixes in Firefox 70 are listed in the Release Notes. Given that Firefox updates happen in the background, the changes will be automatic, but users can manually upgrade the browser via the hamburger menu under Help > About Firefox, where the download should begin immediately.

Firefox 70 kills Facebook tracking and lets you track all Social media trackers



Google uses the build tool called Blaze internally for automated building and testing of software; and the company later released it as an open-source project with the name Bazel, which is an anagram of Blaze.

Bazel allows developers to build and test software for multiple platforms across a wide range of languages, with supported platforms including Windows, macOS, and Linux. The major difference from other such build tools is that Bazel rebuilds only what is essential, and does it faster, with incremental builds that allow advanced local and distributed caching, dependency analysis, and parallel execution.

The tool uses a uniform extension language called Starlark, formerly known as Skylark, and is positioned for faster build speeds, with builds that are fully scalable.

In addition to the open source build tool's support for a variety of languages and platforms, there is also support for the TensorFlow machine learning library and the Angular web framework, with semantic versioning that starts from Bazel 1.x releases, which will be backward compatible with Bazel 1.0.

There will also be a window of at least three months between new releases of Bazel, with some minor monthly releases.

Bazel was born of Google's need for highly scalable builds and was open sourced back in 2015; the company hopes that Bazel can fulfill similar needs in the broader software development landscape.

Google Bazel to enable Developers Automate the building and testing of software



Opera 65 Beta, released on October 17, supports the DNS-over-HTTPS (DoH) protocol, a feature that encrypts DNS traffic and increases users' privacy and security by protecting against eavesdropping and manipulation of DNS data through man-in-the-middle attacks.

Cybersecurity experts, however, have vehemently opposed the DNS-over-HTTPS protocol because DoH doesn't actually prevent ISPs from tracking users, and it weakens enterprise cybersecurity setups: it overrides centrally imposed DNS settings, allowing employees to use DoH to bypass DNS-based traffic filtering solutions.

And because DNS traffic is centralized in a few DoH resolvers, there is also the problem of DoH's impact on the DNS ecosystem itself, with the decentralized network of servers giving way to a new layer of DoH resolvers that sits on top of the existing DNS layer.

Opera also decided to default the DNS resolver to Cloudflare for the test, the same path followed by Mozilla, the maker of Firefox, which has Cloudflare power the browser's DNS-over-HTTPS functionality. That decision was received with a lot of criticism, as most security researchers believed that sending all DNS traffic to Cloudflare is a bad idea.

Google took a different route in implementing DNS over HTTPS in the Chrome browser, making several DNS providers available in the test instead of sending all DNS traffic to Cloudflare.

DNS queries in the Opera browser will go through Cloudflare's servers, and requests that Cloudflare cannot handle will go through the local DNS server, which allows the browser to connect to local resources.
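The following is an added example, not code from Opera, Cloudflare or the original article. It shows how a DNS lookup is packaged as an RFC 8484 DoH GET request, which is why a filter that only watches port 53 never sees the queried name. The endpoint is Cloudflare's published DoH URL; the function names are illustrative.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

# Cloudflare's published DoH endpoint; any RFC 8484 resolver URL works the same way.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_query(name, qtype=1):
    """Build a DNS query in RFC 1035 wire format (qtype 1 = A record)."""
    # Header: ID=0 (RFC 8484 recommends 0 so HTTP caches can reuse answers),
    # flags=0x0100 (recursion desired), 1 question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN


def doh_get_url(name, endpoint=DOH_ENDPOINT):
    """Return the HTTPS URL a DoH client requests for `name` (GET form)."""
    # RFC 8484: the DNS message is base64url-encoded with padding stripped.
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=")
    return endpoint + "?dns=" + encoded.decode("ascii")


def queried_name(url):
    """Decode a DoH GET URL back to the hostname being resolved.

    This is the step a TLS-inspecting proxy has to perform to apply
    name-based policy to DoH traffic.
    """
    encoded = parse_qs(urlsplit(url).query)["dns"][0]
    encoded += "=" * (-len(encoded) % 4)      # restore the stripped padding
    message = base64.urlsafe_b64decode(encoded)
    labels, pos = [], 12                       # question follows the 12-byte header
    while message[pos] != 0:
        length = message[pos]
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def visible_to_network(url):
    """What an on-path observer without TLS interception can see:
    the resolver's host name and port, not the name being looked up."""
    parts = urlsplit(url)
    return {"host": parts.hostname, "port": parts.port or 443}


if __name__ == "__main__":
    url = doh_get_url("www.example.com")
    print(url)
    print(queried_name(url))
    print(visible_to_network(url))
```

For enterprise filtering, the practical consequence is that policy has to key on the resolver endpoints themselves or on managed browser settings, since the looked-up name only exists inside the encrypted request.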

The Opera DNS-over-HTTPS feature is not enabled by default, however; the user has to enable it by navigating to opera://flags/#opera-doh in the browser's address bar, which loads the right experimental flag directly on the internal opera://flags page.

You can also load opera://flags and search for Secure DNS to set the Secure DNS (DNS over HTTPS) flag to Enabled. You'll have to restart the Opera web browser for it to take effect.

Opera Software, however, did not prioritize privacy in the documentation; rather, the company has only entered into a deal with Cloudflare to limit data exposure, usage and retention when a user enables the service.

Opera 65 beta default of DNS-over-HTTPS to Cloudflare’s 1.1.1.1 server



Bike hailing business is gaining a huge traction in Lagos, as Nigeria's commercial nerve center with a population of over 20 million people is notorious for traffic congestion. And how best for commuters to beat the traffic, if not through a good old bike ride -popularly known as Okada, in the local parlance!

While there are about half a dozen bike hailing services in Nigeria, the bike hailing startups are still saddled with the problem of unregulated market in Lagos, and as such, are vulnerable to some issues that may affect their future operations, if nothing urgent is done about it.

Okada, on the other hand, are not quite difficult to pick up anywhere in Lagos; as they are everywhere and you just have to wave at them to stop and haggle with the riders until an agreed price that's acceptable is reached.

Top Bike hailing Service in Lagos



ORide



ORide is a bike hailing service launched under Opera OPay, which aims to make commuting around Lagos easier. The service was officially launched on May 27, 2019. But unlike taxi hailing services like Uber and Taxify, it is not designed with the convenience of peer-to-peer ride sharing; rather, ORide is only a means to navigate the Lagos traffic.



To access the ORide service, you'll have to go through the OPay app, which, though the UI is not very user-friendly, gets the job done. You first download the OPay app from the Play Store to your Android phone and create an account, which will send an SMS code for authentication when you try to log into the app for any extended period.

The obvious advantage of ORide over others is that they have a wider spread of riders, making it easy to get a rider on any commute. But the fact that it uses the OPay wallet can be a bit stressful, given that you must create an account, even when you want to take just a short trip.

MAX



Max is a bike hailing service that assures a stress-free experience, as the app is pretty easy to use and has a user-friendly interface. Though the maps integration appeared a little scrumpy, on the good side, you'd only have to wait about three minutes to be connected to a rider, referred to as a "Champion" on the service.



The con of this service is mainly the dearth of riders, as getting a champion can take as much as 25 minutes, which if you’re in a haste or stranded at a place, that could be a problem, but waiting in the comfort of your house may not be the worst proposition.

Gokada



Gokada is yet another bike hailing service in Lagos that promises an easier experience with their recent re-branding. You simply download and install the app, and you are good to go!



Gokada works more with verified and trained professional bikers to provide better service experiences to riders. In other words, you know exactly what you'll be getting, unlike the regular okada bikes who are largely unpredictable and mostly untrained in good service delivery.

Bikes will long remain relevant, as mainly due to unsuitable road networks and unavailability of effective traffic planning, commuters will always tend to find alternative transport systems to ply through the deplorable roads, which also adds to the fact that they'd get to beat the frantic traffic jam as well.

Top Bike Hailing Service in Lagos to make your Commute easier



Microsoft has announced the general availability of Tamper Protection, a security addition designed to protect Microsoft ATP customers against unauthorized changes to their security settings.

There are growing attempts by bad actors to disable Windows Defender Antivirus, either to stop the security service altogether or to turn off behavior monitoring and script scanning by going after real-time protection settings like the OnAccessProtection policies.

The tamper protection feature is designed to protect against such malicious and unauthorized changes to the security mechanisms, and thus ensure that endpoint security is maintained against malware and threats that are directed at the Enterprise.

Enabling the Tamper protection will prevent unwanted changes to security settings such as the core anti-malware scanning feature of Microsoft Defender ATP next generation protection, Cloud-delivered protection, IOAV (IE Downloads and Outlook Express Attachments initiated), and Behavior monitoring, which also works with real-time protection to analyze and determine threat scenarios.

Additionally, the Security intelligence updates used by Windows Defender Antivirus to detect latest threats are protected from modification, either by local admins or by any malicious application.

The new security feature, which has been in testing for some time within the Windows Insider program, is the result of extensive research into modern attack patterns and the evolving threat landscape, along with consistent engagement with partners and feedback from Microsoft customers.

Tamper Protection is deployed and managed centrally through Microsoft Intune, in a procedure similar to how endpoint security settings are managed, and can be enabled for an organization, for user groups, or for devices.

Microsoft releases Tamper protection for Defender ATP Enterprise customers



Google introduced 'Site Isolation' in Chrome for desktop in 2018, a feature that adds an additional line of defense by ensuring that pages from different websites are opened in different sandboxed processes in the browser.

The security feature was enabled by default in the web browser starting with the release of Chrome 67, in a bid to thwart the infamous Spectre and Meltdown attacks and to protect against many other online threats. With each website getting its own isolated process, it becomes harder for malicious websites to access cross-site data using such side-channel vulnerabilities.

The Google research team demonstrated in a proof-of-concept how an attacker could employ JavaScript to read the address space of a Chrome process via an open tab, and also access credentials for sites that were open. The Site Isolation feature helps to protect all types of sensitive data, including cookies, stored passwords, network data, stored authentication, and the cross-origin messaging that helps sites securely relay messages across domains.

The availability of the feature for Android starts with Chrome 77, and has been enabled for about 99% of users running Android devices with a RAM of at least 2GB, and a 1% holdback for monitoring performance.

Site Isolation in Chrome for Android doesn't sandbox all websites, however, unlike Chrome for desktop; it protects only highly sensitive websites where users' credentials are entered or accessed. But you can force the protection to isolate all sites by opting in to full Site Isolation on the chrome://flags/#enable-site-per-process settings page.

Once the feature is active for a user, Chrome will keep a list of isolated sites stored locally on the user's device, which helps the browser automatically turn on the feature whenever the user revisits any of the sites.

Google extends Sandbox Security mechanism to Chrome for Android



Facebook introduced the "Data Abuse Bounty" program last year as a reward system in which anyone who reports a valid incident of its apps collecting users' data in violation of its data policies gets a reward.

But given its vast ecosystem with millions of third-party apps, only a few of the developers have implemented a vulnerability disclosure program, thereby making them unable to offer bug bounty rewards to security researchers for responsibly reporting bugs in the apps, which in turn has limited the program.

Now, in a move to encourage the developers of third-party apps to take security more seriously by setting up a vulnerability disclosure program, Facebook has expanded the program to include third-party apps and to pay security researchers for disclosing bugs in them.

Facebook's earlier expansion of the bounty program for third-party apps was valid only for submissions about exposure of Facebook users' tokens that compromise the login details for a third-party app using Facebook.

The expansion now includes all third-party apps in its ecosystem, and requires that all such third-party app developers set up a vulnerability disclosure policy, so that researchers are eligible for rewards when bugs are found in their code and can claim them from Facebook.

The scope is to reward valid bug reports in third-party apps or websites that directly integrate with Facebook if the bugs are discovered through pen-testing authorized by the third party rather than just passively observing the vulnerability.

Facebook promises to issue rewards based on the validity of the bugs reported and some other factors indicated in its terms, with a minimum reward of $500.

Facebook to pay Security Researchers for disclosing Bugs in Third-party apps



Mozilla has disabled the execution of inline JavaScript in Firefox as a defense against code injection attacks, by implementing strict Content Security Policies (CSP) that ensure all scripts are executed only when loaded from a packaged resource using the internal protocol.

The execution of inline scripts, and of potentially dangerous eval-like functions, for Firefox's inbuilt "about:" pages have often served as a gateway to very sensitive preferences and settings in the browser, which in turn presents huge security risks. So Mozilla's block is an effort to mitigate this class of potential cross-site scripting (XSS) issues in the browser.

Web pages are written in HTML/JavaScript and, in the security context of the browser, are also prone to such code injection attacks, which can allow remote attackers to inject and execute arbitrary code through cross-site scripting.

The changes won't directly affect how websites work in the Firefox browser, but according to Mozilla, it will closely audit and evaluate the usage of harmful functions in third-party extensions and other inbuilt mechanisms.

Mozilla has promptly rewritten all uses of eval-like functions in system-privileged contexts and parent processes in the Firefox codebase. Additionally, the company has added eval() assertions to disallow the use of the eval() function and its derivatives in system-privileged script contexts.
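To make the effect of such a policy concrete, here is an added example (not Mozilla's code) that parses a Content-Security-Policy value and reports whether arbitrary inline scripts and eval-like functions would still run under it. The sample policies are constructed for illustration and the function names are assumptions.

```python
# Constructed sample policies (illustrative; not copied from Firefox's source).
SAMPLES = {
    "packaged_only": "default-src chrome:; object-src 'none'",
    "permissive": "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "nonce_based": "script-src 'nonce-r4nd0m' 'unsafe-inline' https:",
    "no_script_rule": "img-src *; style-src 'self'",
}

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'", "'none'")


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers: the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy):
    """script-src governs scripts; default-src is the fallback.
    Returns None when neither is set, meaning scripts are unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def evaluate(header):
    """Report what the policy lets script code do."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return {"inline": True, "eval": True, "load_from": ["*"]}
    lowered = [s.lower() for s in sources]
    # Browsers ignore 'unsafe-inline' once a nonce, a hash or
    # 'strict-dynamic' appears in the same source list.
    overrides_inline = any(
        s.startswith(HASH_OR_NONCE) or s == "'strict-dynamic'" for s in lowered
    )
    return {
        # True means any injected <script>...</script> or inline handler runs.
        "inline": "'unsafe-inline'" in lowered and not overrides_inline,
        # True means eval(), new Function() and string timers are permitted.
        "eval": "'unsafe-eval'" in lowered,
        # Where script files may still be loaded from.
        "load_from": [
            s for s in sources
            if s.lower() not in KEYWORDS and not s.lower().startswith(HASH_OR_NONCE)
        ],
    }


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, evaluate(header))
```

The "packaged_only" sample has the shape the article describes: scripts load only from a packaged-resource scheme, so both inline script and eval are refused.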

Mozilla disables Inline JavaScript Execution on Firefox browser



A zero-day vulnerability affects a component that comes bundled with Apple's iTunes and iCloud software for Windows, and its exploitation allows an attacker to evade detection by antivirus.

The vulnerability stems from the Bonjour updater, an implementation of the zero-configuration networking (zeroconf) communication protocol that works in the background to automate low-level network tasks, such as downloading future updates of Apple software.

The protocol is a set of technologies that automatically creates a usable computer network based on TCP/IP when PCs or other network peripherals are interconnected, without requiring special configuration servers or any manual operator intervention. The Bonjour updater is installed as a separate program on PCs, so simply uninstalling Apple iTunes and iCloud doesn't actually remove it, which is why it remains installed, not updated and silently running behind the scenes, on numerous Windows PCs.

The zero-day exploitation of Bonjour was disclosed by researchers from Morphisec Labs, following an attack that targeted an unnamed organization in the automotive industry with the BitPaymer ransomware.

The component was exploitable through an unquoted service path vulnerability, a common software flaw that occurs when the path to an executable contains spaces and is not enclosed in quotation marks ("") as required. The unquoted service path vulnerability is exploitable by planting a malicious file in the parent path to trick legitimate applications into executing the malicious program and so evade detection.
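As an added example (not code from Apple, Morphisec or the original article), the audit below flags service command lines with unquoted paths containing spaces, lists the file names Windows would try first so an administrator can check that nothing unexpected exists there, and produces the correctly quoted value. The service names and paths are constructed samples, and the function names are illustrative.

```python
import re

# Constructed sample of service ImagePath values (not taken from the article).
SAMPLE_SERVICES = {
    "ExampleUpdater": r"C:\Program Files (x86)\Example Vendor\Updater Service\updater.exe -svc",
    "QuotedService": r'"C:\Program Files\Example Vendor\agent.exe" --run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Driver": r"\SystemRoot\System32\drivers\example.sys",
}

_EXE = re.compile(r"\.exe\b", re.IGNORECASE)


def split_image_path(image_path):
    """Split an unquoted command line into (executable, arguments) at the first .exe."""
    match = _EXE.search(image_path)
    if not match:
        return None, image_path
    return image_path[:match.end()], image_path[match.end():]


def earlier_candidates(image_path):
    """Return the file names Windows tries before the intended executable.

    With an unquoted command line, process creation treats each space as a
    possible end of the program name and tries the text before it with
    .exe appended. An empty list means the entry is not affected.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []                      # already quoted: no ambiguity
    exe, _ = split_image_path(path)
    if exe is None or " " not in exe:
        return []                      # spaces only in arguments, or not an .exe
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Return one finding per affected service, with the quoted replacement value."""
    findings = []
    for name, image_path in sorted(services.items()):
        candidates = earlier_candidates(image_path)
        if not candidates:
            continue
        exe, args = split_image_path(image_path.strip())
        findings.append({
            "service": name,
            "check_for_files": candidates,      # none of these should exist
            "fixed_image_path": '"' + exe + '"' + args,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES):
        print(finding["service"])
        for path in finding["check_for_files"]:
            print("  verify absent:", path)
        print("  quoted value: ", finding["fixed_image_path"])
```

On a real host the input would come from the ImagePath values under the services registry key; a file found at any of the listed locations is worth investigating.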

Apple, however, has released fixes in iCloud for Windows 7.14, iCloud for Windows 10.7, and iTunes 12.10.1 for Windows to patch the vulnerability. All Windows users with either iTunes or iCloud installed are advised to update to the latest software to ensure their security.

Why You need to Update Apple iTunes and iCloud on Windows PC?



Facebook launched Workplace in 2016 as a collaboration platform that offers standard chat functions and the ability to share files, including photos, videos and voice clips, between employees within an organization.

The first update to Workplace allowed users to interact with external partners and agencies, with up to 50 participants able to engage in group conversations within the application via text, voice and video. The next update to the chat app added support for communication between workers in separate organizations.

Facebook subsequently launched features such as pinned threads, to make it easier for users to keep track of chats, coupled with the ability to pin up to 15 important messages at the top of the app. It also added a "do not disturb" mode that lets employees turn off alerts and notifications when busy or away, and a "replies" feature that enables direct responses to an individual chat within a broader conversation.

Now, Facebook is working on bringing its Portal video hardware to the office with a dedicated Workplace app, which is one among a handful of other updates to the enterprise collaboration platform.

The Portal video display supports video calls between Facebook Messenger and WhatsApp, and utilizes an AI-powered "smart camera" that tracks the body movements of the speakers engaged in the call. With the incorporation of the Workplace app, Portal will be able to connect workers in an organization as well.

What that means is that Workplace on Portal will facilitate communication not only with friends but also with colleagues at work, on a more secure and safer platform; users will also be able to call another Portal device right from their mobile phone if they are on the go, or via their PC or iPad in the office.

The first Portal device shipments started with 54,000 units in 2018, with the period measured from the time those devices were first released in November, meaning that the shipments were completed at the end of the year.

Facebook has scheduled the next shipment as demand has gone up in 2019. The company announced new devices last month and is harping on the potential for the displays to come in handy in the office, as more Workplace customers have requested trials of Portal devices and have commenced testing in their organizations.

Facebook continues its push for Workplace adoption with Portal in the Office



Modern camera offerings with many megapixels notwithstanding, you'd still need a nifty image resize tool to bring out the exact copy of the image required for professional image processes.

That is where AI Image Enlarger comes into play. Available for Mac and Windows, the tool uses artificial intelligence (AI) capabilities to enhance small or low-resolution images and photos, making it easy for you to upscale your images. And the beauty of the AI capabilities is that your resized images do not lose their original quality, as it guarantees an even smarter and sharper image than what was obtainable before, and the best part: it's available for free.

The AI Image Enlarger software which comes absolutely free, is fully capable of enlarging any small definition image to high definition without losing quality, based on machine learning and AI technology which it packs into its processes.

Unique Features of AI Image Enlarger Software



  • Easy to use User Interface
  • Utilizes Machine learning and AI technology
  • Simple Drag & Drop Option for uploading image
  • Easily Convert Images from Low Definition to High Definition
  • Support for Windows and Mac Computer


AI Image Enlarger software employs hundreds of thousands HD photos to teach its deep learning system, thereby enabling the AI solution to analyze images and be able to add missing details during the enlargement process.

Steps to Convert Images from Low Definition to High Definition



First, go to the official AI Image Enlarger software website and download the software to your Windows or Mac computer. And note that the software is fully compatible with Windows 7/8/10 & Mac OS X and newer versions.

Then create an account for the software and log into your account on the Windows/Mac software.



Now, it is time to upload your image, but before that you should note the file limits as follows:

1. Image must be less than 3MB
2. Image should not be more than 800 width x 750 height
3. And Only .jpg, .jpeg, and .png extensions are currently supported

Once you upload your image, choose from the styles, namely Artwork, Photo, Face, and High-Grade. You can also enlarge it to twice or 4x the size of the original uploaded image, without losing the original image quality.



After you have chosen a style, then click on submit which will provide a preview of your image. If you are satisfied with the final output, then click on the Download button to get your enlarged image, all for free.

Our Verdict!



The AI Image Enlarger software is perhaps best for quick and easy image enlargement, with the great perk of AI capabilities that makes the procedure almost effortless, and the best part is that you don’t need to pay for the software.

Additionally, you also get to enlarge your image without having to go through any rigorous study on how to use the photo editing software, as the tool is so easy to use, that even a newbie in photo editing won't have an issue.

AI Image Enlarger Review: Freely Enlarge Low Resolution Images with AI Solutions



Opera Software has hopped onto the browser tracking protection bandwagon, with Opera 64 bringing open-source EasyPrivacy Tracking Protection support to bolster privacy.

EasyPrivacy is an open-source, optional supplementary filter list that removes all forms of tracking from the Web, including bugs, tracking cookies/scripts and data collectors, thereby ensuring better protection for users' information and bolstering online privacy.

The growing issue of privacy violations, with the latest web tracking technologies evading browser privacy add-ons, has been rampant; such tracking is especially useful for ad targeting campaigns, even though it invades users' privacy.

Opera's tracking protection system, powered by EasyPrivacy Tracking Protection, is comparable to a similarly named ad blocking list that supports the AdBlock and AdBlock Plus extensions, though the new tracking protection employed by Opera will put more emphasis on performance rather than just privacy.

The Opera browser is known for its speed, so any component that would undermine that speed isn't going to be supported; hence Opera 64 is more private and at the same time faster, which the company touts as helping users save a lot of time simply by switching on the tracker blocker.

That is, however, a general reality for all browsers with an ad blocker, as using an advertisement filter or blocker usually bolsters speed by not downloading the bulk of ad content, such as images or other components of display advertisements.

Opera Software claims the speed gain for Opera 64 is up to 23%, coupled with Opera's built-in ad blocker, a feature that also improves users' privacy.

Opera 64 brings open-source EasyPrivacy Tracking Protection to bolster privacy



Microsoft has commenced testing of the Phone app for Windows 10 with Windows Insiders, a feature that allows users to make phone calls right on their PCs without the use of a mobile phone.

The company had earlier explained the functionality of the phone app for Windows 10 at the Samsung Unpacked event in August, and also demonstrated it in a live demo at last week’s Surface event.

Now, Microsoft has begun testing it with the Windows Insider community, and the feature will gradually roll out on 19H1 builds or newer, so it may take a few more days to be available inside the Your Phone app.



The phone call feature adds to the growing list of capabilities Microsoft is bringing to the Your Phone app, which includes the ability to receive incoming phone calls on a PC and to initiate calls from the PC using only the in-app dialer or contact list. You can also easily decline any incoming phone call on the PC with a custom text, or send it directly to your phone’s voicemail.

Additionally, you can access all your recent call history on the PC; clicking on a specific call will auto-populate the number on the call dialer screen, and you can seamlessly transfer calls between your PC and mobile phone.

For a peek at what build is in the Insider ring, simply head over to Flight Hub or check out the documentation here, including a complete list of features and updates that have rolled out as part of the Insider flights for the current development cycle.

The feature is expected to roll out to all users in Fall 2020, when the Your Phone app would be running all the latest additions, and the fact that Microsoft will be opening up the new features without limiting them to its own devices is perhaps a thing of delight.

Microsoft begins testing of Phone app call for Windows 10 with Insiders



The earlier reported flaw in Signal Messenger that allowed just about anyone, including malicious actors, to initiate an auto-connect call without the receiver's interaction has now been fixed.

Signal boasts a cross-platform encryption system that's touted as one of the world's most secure, but the recent flaw proved that no application is completely hackproof. According to Google’s Project Zero team, the bug affected audio calls only, as the video option requires manual enabling for incoming calls.

The flaw could only be exploited when the receiver fails to answer an audio call over Signal, which would eventually force the incoming call to be answered automatically on the receiver's end.



Google’s Project Zero team, which discovered the flaw, added that Signal was exposed to this remote attack surface due to limitations in WebRTC. The design flaw also affected the iOS version of the app, but was unexploitable there because the call is not completed, owing to an error caused by an unexpected sequence of states in the user interface.

Signal has now fixed the crucial flaw in the Android app, since the eavesdropping flaw couldn't be exploited on the iOS version of the messaging app, and it is recommended that all users update to the latest version of the app on the Play store.

Signal fixes the Messenger bug that allows Hackers to Auto-connect calls



Mozilla and Google plan to implement the DNS-over-HTTPS protocol in their respective browsers, with Firefox already rolling out the feature and Chrome scheduled to roll it out later this year.

The DNS-over-HTTPS (DoH) protocol works by altering normal DNS, in which queries are made in plaintext from a given app to the DNS server, using settings on the local operating system received from the network provider. DoH attempts to change all this: it encrypts the DNS queries, which are disguised as regular HTTPS traffic and sent to special DoH-capable DNS servers, which then resolve the DNS query and reply to the user in encrypted form.
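To make the difference concrete, the following added example (not part of the original article) builds a standard DNS query and wraps it in the GET form defined by RFC 8484, the DoH specification. The resolver URL `https://doh.example/dns-query` is a hypothetical endpoint constructed for illustration.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Hypothetical resolver endpoint, constructed for this example.
RESOLVER = "https://doh.example/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a DNS question in RFC 1035 wire format (ID 0, RD flag set)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(wire: bytes, resolver: str = RESOLVER) -> str:
    """RFC 8484 GET form: unpadded base64url of the wire query in ?dns=."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def qname_from_doh_url(url: str) -> str:
    """Recover the queried name, as the DoH resolver does after TLS ends."""
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    wire = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    labels, i = [], 12  # the question starts after the 12-byte header
    while wire[i]:
        length = wire[i]
        labels.append(wire[i + 1:i + 1 + length].decode("ascii"))
        i += 1 + length
    return ".".join(labels)


if __name__ == "__main__":
    wire = build_query("www.example.com")
    url = doh_get_url(wire)
    # Plaintext DNS puts `wire` on UDP/53 where a filter can read the name;
    # with DoH the same bytes travel inside this HTTPS request on port 443.
    print(url)
    print(qname_from_doh_url(url))
```

Because the whole URL, query string included, is inside the TLS session, a DNS-based filter on the local network never sees the name being resolved.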

Experts think DoH isn't foolproof in ensuring users' privacy, as DoH doesn't actually prevent ISPs from tracking a user, and it weakens enterprise cyber-security setups, which in turn helps criminals. And because DoH centralizes DNS traffic to a few DoH resolvers, there's the problem of DoH's impact on the DNS ecosystem itself, with the decentralized network of servers giving way to a newly created layer of DoH resolvers that sits on top of the existing DNS layer.

The main point against DoH is its impact on enterprises, where system administrators use local DNS servers or DNS-based software to monitor local traffic, prevent users from accessing non-office-related sites, and minimize access to malware domains. DoH creates a mechanism that overrides the centrally imposed DNS settings, allowing employees to use DoH to bypass any DNS-based traffic filtering solutions and effectively separating DoH from the operating system's regular settings.

Thus, IT administrators will need to keep an eye on the DNS settings across the various operating systems to prevent DNS hijack attacks; with hundreds of apps running their own unique DoH settings, this will be a herculean task for the administrators.

Additionally, if DoH is widely deployed, it will become easy for employees to bypass enterprise filters and access blocked content, as traffic to certain malware domains is blocked within enterprises.

Still, the security researchers understand the need to protect DNS queries from snoopers, and have recommended DNSSEC and DNS-over-TLS (DoT), which is a similar protocol to DoH, but encrypts the DNS connection rather than hiding the traffic within HTTPS.

Though DoT has its own disadvantages, the researchers believe DoT would cause far fewer problems, and that all ISPs deploying DoT would significantly help ensure better privacy and security through decentralization. They also advise companies to look at alternative methods of blocking outgoing traffic that don't rely only on DNS data.

Why Cybersecurity Experts oppose the DNS-over-HTTPS protocol?