Thursday, 14 September 2017

The written judgment, which overrules the 1961 Kharak Singh verdict, will be available this afternoon.


New Delhi: A nine-judge bench of the Supreme Court has ruled that Indians enjoy a fundamental right to privacy, that it is intrinsic to life and liberty and thus comes under Article 21 of the Indian constitution.
On Thursday, the bench, led by Chief Justice J.S. Khehar, pronounced a unanimous judgement, even though the individual judges offered slightly different reasoning as to how privacy is intrinsic to the right to life and liberty.
The bench comprised Khehar and Justices J. Chelameswar, S.A. Bobde, R.K. Agrawal, Rohinton Nariman, A.M. Sapre, D.Y. Chandrachud, Sanjay Kishan Kaul and S. Abdul Nazeer.
In declaring privacy to be a fundamental right, the Supreme Court has overruled verdicts given in the M.P. Sharma case in 1958 and the Kharak Singh case in 1961, both of which said that the right to privacy is not protected under the Indian constitution.
The court’s written judgement will be made available later in the afternoon and this story will be updated with details on whether it chose to sketch the contours of a right to privacy or detail how it may or may not be restricted in various applications.
The petitioners, former Karnataka high court judge Justice K.S. Puttaswamy and others, had contended that the biometric data and iris scans being collected for issuing Aadhaar cards violated citizens’ fundamental right to privacy, as their personal data was not being protected and was vulnerable to exposure and misuse.
Arguments on behalf of the petitioners were made by senior advocates Gopal Subramanium, Shyam Divan, Sajan Poovaya, Arvind Grover and Indira Jaising, and former attorney general Soli Sorabjee.
The petitioners had argued that right to life under Article 21 of the constitution would include the right to privacy though it is not expressly stated in the constitution. It was also argued that privacy is a broader concept and data sharing is only one aspect of privacy. Subramanium had argued, “Privacy is about the freedom of thought, conscience and individual autonomy and none of the fundamental rights can be exercised without assuming certain sense of privacy”.
He also said the state is under an affirmative obligation to protect the fundamental rights of its citizens. “Liberty is fundamental to democracy and citizens cannot exist without privacy.”  
Sorabjee had added that “Privacy is not explicitly laid out in the constitution. But that does not mean the right does not exist, as it has to be deduced from the constitution”. He also argued that the freedom of the press has been derived from Article 19 and that, similarly, the right to privacy can be derived broadly from Article 21.
In the age of the internet, a person should have control over how much of himself he puts forward and should not be compelled. There is hardly any data protection in the digital age, which inevitably leads to a compromise of privacy. During the course of arguments, it was brought to the court’s attention that Union finance minister Arun Jaitley, during discussions in the Rajya Sabha on the Aadhaar Bill in March 2016, had said that the right to privacy was a fundamental right, whereas the government is now claiming the opposite.
Subramanium had also said, “Liberty existed prior to the constitutional era and the law had merely recognised its existence. Liberty, which is fundamental to democracy and citizens, cannot exist without privacy”.
Attorney general’s arguments for Centre
On behalf of the Centre, attorney general K.K. Venugopal, however, had brought to the notice of the court that an eight-judge bench in 1954 and a six-judge bench in 1962 had categorically ruled that the right to privacy was not a fundamental right. He also said that such a right had not been expressly provided in the constitution, though under the British Common Law, the right to privacy was a fundamental right. He maintained that the right to privacy is not a fundamental right to be claimed either under Article 21 (right to life), Article 14 (right to equality) or Article 19 (freedom of speech and expression).
It was asserted that the concept of privacy is a notional one and not a fundamental right enshrined in the constitution. He claimed that privacy is too vague to qualify as a fundamental right. He had said that there is no right to privacy and that privacy is only a sociological notion, not a legal concept. “Every aspect of it does not qualify as a fundamental right, as privacy also includes the subtext of liberty. No need to recognise privacy as an independent right. Defining the contours of privacy is not possible. Privacy is as good a notion as pursuit of happiness,” he had said.
Venugopal said, “If privacy were to be declared a fundamental right, then it can be a qualified right.” He asked the judges to state that only some aspects of privacy are fundamental, not all, and it is a limited fundamental right that can be taken away in legitimate state interest. He said that in developing countries, something as amorphous as privacy could not be a fundamental right, that other fundamental rights such as food, clothing, shelter etc. override the right to privacy.
The attorney general also made clear that the right to privacy cannot fall in the bracket of fundamental rights as there are binding decisions of larger benches that it is only a common law right evolved through judicial pronouncements. “The government said Aadhaar would not fall under the right to privacy. We can’t say every encroachment of privacy is to be elevated to fundamental right. The claim to liberty has to subordinate itself to right to life of others,” he said. On Aadhaar, he referred to the World Bank’s statement that an identity system should be followed by every developing country.

If you come across a Facebook message with a video link sent by anyone, even a friend — just don’t click on it.

Security researchers at Kaspersky Lab have spotted an ongoing cross-platform campaign on Facebook Messenger, where users receive a video link that redirects them to a fake website, luring them to install malicious software.
Although it is still unclear how the malware spreads, researchers believe spammers are using compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link.

The attackers use social engineering to trick users into clicking the video link, which purports to come from one of their Facebook friends, with a message that reads "< your friend name > Video" followed by a bit.ly link, as shown.


Here's How this Cross-Platform Malware Works:

The URL redirects victims to a Google doc that displays a dynamically generated video thumbnail, styled like a playable movie, built from the sender's images. Clicking it redirects users once more, to a landing page customised for their browser and operating system.

For example, Mozilla Firefox users on Windows are redirected to a website displaying a fake Flash Player update notice and are then offered a Windows executable, which is flagged as adware.

Google Chrome users are redirected to a website that masquerades as YouTube, complete with a similar logo, and displays a fake error popup that tricks victims into installing a malicious Chrome extension from the Google Web Store.


The extension is in fact a downloader that fetches a file of the attacker's choice onto the victim's computer.

"At the time of writing, the file which should have been downloaded was not available," David Jacoby, a chief security researcher from Kaspersky Lab, writes in a blog post published today.
"One interesting finding is that the Chrome Extension has log files from the developers displaying usernames. It is unclear if this is related to the campaign, but it is still an amusing piece of information."
Users of Safari on Apple Mac OS X end up on a web page similar to the one served to Firefox users, but customised for macOS with a fake Flash Media Player update; clicking it downloads an OS X .dmg executable, which is also adware.

Linux users are likewise redirected to a separate landing page designed for them.

The attackers behind the campaign are not infecting users on any platform with banking Trojans or exploit kits, but with adware, making their money from advertising revenue.

Spam campaigns on Facebook are quite common. A few years ago, researchers found cyber criminals using boobytrapped .JPG image files to hide their malware in order to infect Facebook users with variants of the Locky ransomware, which encrypts all files on the infected PC until a ransom is paid.

To keep yourself safe, do not open images or video links sent by anyone, even a friend, without first verifying with them that they sent it, and always keep your antivirus software up to date.
A Company Offers $500,000 For Secure Messaging Apps Zero-Day Exploits

How much does your privacy cost?

It will soon be sold for half a Million US dollars.

A controversial company that specialises in acquiring and reselling zero-day exploits is ready to pay up to US$500,000 for working zero-day vulnerabilities targeting popular secure messenger applications such as Signal, Telegram and WhatsApp.

Zerodium announced a new pricing structure on Wednesday, paying out $500,000 for fully functional remote code execution (RCE) and local privilege escalation (LPE) vulnerabilities in Signal, WhatsApp, iMessage, Viber, Facebook Messenger, WeChat, and Telegram.

The payouts for all these secure messengers have been increased after tech companies introduced end-to-end encryption in their apps, making it more difficult for anyone to compromise their messaging platforms.

The same payout is offered for remote code execution and local privilege escalation security flaws in default mobile email applications.

Launched in 2015, Zerodium is a Washington, DC-based premium exploit acquisition platform by the infamous French-based company Vupen that buys and sells zero-day exploits to government agencies around the world.

The maximum bounty offered by the company remains the one for Apple's iOS devices: $1.5 million to anyone who can pull off a remote jailbreak of iOS devices without any user interaction, and $1 million for one that requires user interaction.


This payout was set last year when Zerodium raised the price for a remote iOS 10 jailbreak from $1 million to $1.5 million, more than seven times what Apple offers (up to $200,000) for iOS zero-days via its bug bounty program.


Zerodium Zero-Day Hit-list:

Zerodium's payout for other new exploit categories for servers and desktop computers include:

· Up to $300,000 for a Windows 10 exploit that requires no user interaction
· Up to $150,000 for Apache Web Server
· Up to $100,000 for Microsoft Outlook
· Up to $80,000 for Mozilla Thunderbird
· Up to $80,000 for VMware escapes
· Up to $30,000 for USB code execution

Zerodium has also raised the prices the company will pay for a range of other exploits, which include:

· Chrome RCE and LPE for Windows—from $80,000 to $150,000
· PHP Web programming language RCE—from $50,000 to $100,000
· RCE in OpenSSL crypto library used to implement TLS—from $50,000 to $100,000
· Microsoft Exchange Server RCE—from $40,000 to $100,000
· RCE and LPE in the TOR version of Firefox for Linux—from $30,000 to $100,000
· RCE and LPE in the TOR version of Firefox for Windows—from $30,000 to $80,000
The zero-day market has long been a lucrative business for private firms that regularly offer more payouts for undisclosed security vulnerabilities than big technology companies.

Companies like Zerodium and Exodus Intelligence that deal in zero-days are the primary cause of incidents like WannaCry and NotPetya, in which unpatched vulnerabilities held by the NSA for years were used after a notorious hacking group, called the Shadow Brokers, leaked them publicly.

Hackers will get the payout within a week of submitting the zero-day vulnerabilities along with a working proof-of-concept, though we recommend submitting them to the affected vendors instead, because it is only a matter of time before some black hat finds and uses them against you and a wider audience.

Do you believe that just because you have downloaded an app from the official app store, you're safe from malware?

Think twice before believing it.

A team of security researchers from several security firms has uncovered a new, widespread botnet consisting of tens of thousands of hacked Android smartphones.

Dubbed WireX and detected as "Android Clicker," the botnet consists primarily of infected Android devices running one of hundreds of malicious apps installed from the Google Play Store, and is designed to conduct large application-layer DDoS attacks.

Researchers from different Internet technology and security companies—including Akamai, CloudFlare, Flashpoint, Google, Oracle Dyn, RiskIQ and Team Cymru—spotted a series of cyber attacks earlier this month and collaborated to combat them.

Although Android malware campaigns are quite common these days and this newly discovered campaign is also not that sophisticated, I am quite impressed with the way multiple security firms—half of them competitors—came together and shared information to take down a botnet.

WireX botnet was used to launch minor DDoS attacks earlier this month, but after mid-August, the attacks began to escalate.

The "WireX" botnet had already infected over 120,000 Android smartphones at its peak earlier this month, and on 17th August researchers noticed a massive DDoS attack (primarily HTTP GET requests) originating from more than 70,000 infected mobile devices in over 100 countries.

If your website has been DDoSed, look for the following pattern of User-Agent strings to check whether it was the WireX botnet:
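As an added example (not part of the original post and not the researchers' code), the Python script below runs a detection heuristic over a few constructed access-log lines: it groups GET requests by path and flags a path once several distinct client IPs hit it with User-Agent strings that look nothing like a browser's, which is the shape of an application-layer flood from many devices rather than one noisy client. The "long run of lowercase letters" User-Agent check and the sample log lines are assumptions made for this example, not the pattern from the researchers' report.

```python
import re
from collections import defaultdict

# Combined Log Format (Apache/nginx default): client IP, timestamp,
# request line, status, bytes, referrer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION for this example: a User-Agent that is one long run of lowercase
# letters, with no product tokens, versions or punctuation, is treated as
# anomalous. Real browser UAs carry "Mozilla/5.0 (...)" style tokens.
ANOMALOUS_UA = re.compile(r'^[a-z]{20,}$')

# Constructed sample log: four sources hammering "/" with anomalous UAs (one of
# them twice), two ordinary browser visits, one POST (ignored) and one
# unparseable line.
SAMPLE_LOG = """\
198.51.100.1 - - [17/Aug/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "qwhzlpdkvmxbnctrfgyjsaeuoi"
198.51.100.2 - - [17/Aug/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "tmbkjyxoqrhdwngsefuzcpvali"
198.51.100.3 - - [17/Aug/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "vspfaoilkhmnctyxzgwudrqbje"
198.51.100.4 - - [17/Aug/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "zdkqvrnptuecbxwofmjhsagyil"
198.51.100.1 - - [17/Aug/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "qwhzlpdkvmxbnctrfgyjsaeuoi"
192.0.2.7 - - [17/Aug/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
192.0.2.8 - - [17/Aug/2017:10:00:04 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0"
198.51.100.5 - - [17/Aug/2017:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "tmbkjyxoqrhdwngsefuzcpvali"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_anomalous_ua(ua):
    """True when the User-Agent matches the assumed non-browser heuristic."""
    return ANOMALOUS_UA.match(ua) is not None


def analyse(log_text, min_sources=3):
    """Group GET requests by path and flag paths hit by at least `min_sources`
    distinct client IPs presenting anomalous User-Agents. Returns
    (per-path statistics, flagged subset)."""
    per_path = defaultdict(lambda: {"gets": 0, "sources": set(), "anomalous": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue  # skip unparseable lines and non-GET traffic
        stats = per_path[rec["path"]]
        stats["gets"] += 1
        stats["sources"].add(rec["ip"])
        if is_anomalous_ua(rec["ua"]):
            stats["anomalous"].add(rec["ip"])
    flagged = {p: s for p, s in per_path.items() if len(s["anomalous"]) >= min_sources}
    return dict(per_path), flagged


if __name__ == "__main__":
    _, flagged = analyse(SAMPLE_LOG)
    for path, s in flagged.items():
        print(f"{path}: {s['gets']} GETs from {len(s['sources'])} IPs, "
              f"{len(s['anomalous'])} with anomalous User-Agents")
```

On real logs, tune `min_sources` and the window of lines you feed in to your normal traffic volume; a single client with an odd User-Agent is not a botnet.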

After further investigation, security researchers identified more than 300 malicious apps on Google’s official Play Store that include the malicious WireX code, many of which purported to be media or video players, ringtones, or storage-manager and app-store tools.

Like many malicious apps, WireX apps do not act maliciously immediately after installation, in order to evade detection and make their way into the Google Play Store.

Instead, WireX apps wait patiently for commands from their command-and-control servers, located at multiple subdomains of "axclick.store."

Google has identified and already blocked most of the 300 WireX apps, which were mostly downloaded by users in Russia, China, and other Asian countries, although the WireX botnet is still active on a small scale.

If your device is running a newer version of the Android operating system that includes Google's Play Protect feature, the company will automatically remove WireX apps from your device, if you have one installed.

Play Protect is Google's newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users' Android smartphones to prevent further harm.

Also, it is highly recommended to install apps only from reputable and verified developers, even when downloading from Google's official Play Store, and to avoid installing unnecessary apps.

Additionally, you are strongly advised to always keep a good antivirus app on your mobile device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up-to-date.

Android malware continues to evolve with more sophisticated and never-seen-before attack vectors and capabilities with every passing day.

Just at the beginning of this week, Google removed over 500 Android apps utilising a rogue SDK—one that secretly distributed spyware to users—from its Play Store marketplace.

Last month, we also saw the first Android malware with code-injection capabilities making the rounds on the Google Play Store.

A few days after that, researchers discovered another malicious Android SDK ads library, dubbed "Xavier," found installed on more than 800 different apps that had been downloaded millions of times from Google Play Store.

Are you also one of those 18 Million users using SARAHAH?

You should beware of this app because the anonymous feedback application may not be as private as it really sounds.

Sarahah is a newly launched app that has become one of the hottest iPhone and Android apps in the past couple of weeks, allowing its users to sign up to receive anonymised, candid messages from other Sarahah users.

However, it turns out that the app silently uploads users' phone contacts to the company's servers for no good reason, as spotted by security analyst Zachary Julian.

When an Android or iOS user downloads and installs the app for the first time, the app immediately harvests and uploads all phone numbers and email addresses from the user's address book, according to The Intercept.

While it is quite common for an app to request access to the user's phonebook if it provides a feature that works with contacts, Sarahah currently offers no such functionality.

"The privacy policy specifically states that if it plans to use your data, it'll ask for your consent. While the app's entry in Google's Play Store does indicate the app will access contacts, that's not enough consent to justify sending all of those contacts over without any kind of specific notification."
However, the creator of Sarahah, Zain al-Abidin Tawfiq, responded to the story by saying his app actually harvests and uploads the contacts from users to the company's servers for a feature that will be implemented at a later time.

Tawfiq said that users' contact lists are being uploaded "for a planned 'find your friends' feature," which was "delayed due to a technical issue," and that the upload was accidentally left in the current version of Sarahah.

Tawfiq also assured its users that "the data request will be removed on next update" to the app and that Sarahah's servers do not "currently host contacts," which is, of course, impossible to verify.

Sarahah took the Internet by storm within a few weeks, becoming the third most downloaded free application for iPhones and iPads. The app has already been downloaded by an estimated 18 million users from Apple's and Google’s online stores.

However, you can still use Sarahah by blocking the app from accessing your contacts, without risking your contacts being uploaded to its servers.

Since newer Android operating systems (starting with Android 6.0 Marshmallow) do allow users to limit permissions for apps, users can limit permissions so that apps do not gain access to contacts or other information that doesn't have anything to do with the app's functioning.

To do so, go to Settings → Personal → Apps, then under Configuration App open App permissions and limit the permissions of whichever apps you choose.

If you're an engineer who uses LabVIEW software to design machines or industrial equipment, you should be very suspicious when opening any VI (virtual instrument) file.

LabVIEW, developed by the American company National Instruments, is a visual programming language and powerful system-design tool used worldwide in hundreds of fields; it gives engineers a simple environment in which to build measurement or control systems.

Security researchers from Cisco's Talos Security Intelligence have discovered a critical vulnerability in LabVIEW software that could allow attackers to execute malicious code on a target computer, giving them full control of the system.

Identified as CVE-2017-2779, the code execution vulnerability could be triggered by opening a specially crafted VI file, a proprietary file format used by LabVIEW.

The vulnerability originates from a memory corruption issue in the RSRC segment parsing functionality of LabVIEW.

Modulating the values within the RSRC segment of a VI file causes a controlled looping condition, which results in an arbitrary null write.

"A specially crafted LabVIEW virtual instrument file (with the *.vi extension) can cause an attacker controlled looping condition resulting in an arbitrary null write," Talos researchers explain.
"An attacker controlled VI file can be used to trigger this vulnerability and can potentially result in code execution."
Talos researchers have successfully tested the vulnerability on LabVIEW 2016 version 16.0, but National Instruments has refused to consider this issue a vulnerability in its product and has no plans to release any patch to address the flaw.

However, the issue should not be ignored, because the threat vector is very similar to that of many previously disclosed Microsoft Office vulnerabilities, in which victims were compromised after opening a malicious MS Word file received via email or downloaded from the Internet.

"The consequences of a successful compromise of a system that interacts with the physical world, such as data acquisition and control systems, may be critical to safety," the researchers write.
"Organisations that deploy such systems, even as pilot projects, should be aware of the risk posed by vulnerabilities such as these and adequately protect systems."
Since there is no patch available, the LabVIEW users are left with only one option—be very careful while opening any VI file you receive via an email.

For more technical details about the vulnerability, you can head on to Cisco Talos' advisory.

If you reside in China, your Internet life within the borders will soon be even more challenging.

Last Friday, China's top Internet regulator announced a new set of rules that would force citizens to post comments using their real-world identities on Internet forums and other web platforms.

Yes, you heard that right. Anonymity is about to die in the country.

The Cyberspace Administration of China (CAC) will start officially enforcing the new rules from October 1, 2017, requiring website operators and online forum service providers to request and verify users' real names and other personal information at registration, and to report illegal content to the authorities immediately.

According to the CAC, the following content would be considered unlawful and forbidden from being published online:


· Opposing the basic principles as defined in the Constitution
· Endangering national security
· Damaging the nation's honor and interests
· Inciting national hatred, ethnic discrimination and undermining national unity
· Undermining the nation's religious policies and promoting cults
· Spreading rumours, disrupting social order and destroying social stability
· Spreading pornography, gambling, violence, murder, terror or abetting a crime
· Insulting or slandering others and infringing upon others
· Any other content that is prohibited by laws and administrative regulations

Well, the list covers almost everything.

While China has already enforced "real-name registration" rules on the leading online platforms like WeChat and Weibo for a few years, the latest regulations would cover the remaining parts of the online world, including online communities and discussion forums.

The new rules will be imposed on websites, smartphone apps, interactive communications platforms, and any communication platform that features news or functions to "mobilise society." In fact, news sites even have to moderate comments before publishing.

These new regulations follow China's 14-month-long crackdown on VPNs (virtual private networks), which requires VPN service providers in the country to obtain prior government approval, making most VPN vendors in the country of 730 million Internet users illegal.

Late last month, Apple also removed some VPN apps, including ExpressVPN and Star VPN, from its official Chinese app store to comply with the government crackdown that will remain in place until March 31, 2018.