Microsoft won't teach an old, or possibly deceased dog new tricks

Subject: General Tech | March 31, 2017 - 12:45 PM |
Tagged: microsoft, server 2003, security

Microsoft is once again putting sales ahead of customer security, although in this case it is for a 10- to 14-year-old operating system on which they officially pulled the plug almost two years ago.  Sadly the end of support did not have any impact on the infrastructure budget allocations of tens of thousands of businesses, and so Server 2003 remained in use.  Security researchers spotted an attack last year which exploits a buffer overflow vulnerability in IIS WebDAV.  Predictably, Microsoft's answer is that you should buy a brand new server OS, with hardware upgrade costs likely to be required as well.  Thankfully there is a patch available from a third party, which you can check out over at The Register.

It is a dream, but perhaps this might convince some bean counters that an infrastructure upgrade might be a reasonable investment.

"Microsoft will not patch a critical security hole recently found and exploited in IIS 6 on Windows Server 2003 R2 – the operating system it stopped supporting roughly two years ago."

Here is some more Tech News from around the web:

Tech Talk

Source: The Register

Enable Flash for a $5 FedEx coupon?

Subject: General Tech | March 27, 2017 - 12:40 PM |
Tagged: security, flash, fedex, coupon

FedEx seems to be indicating they are not quite ready for Adobe Flash to go away, by offering certain customers a $5.00 coupon to enable it.  This was likely triggered by the mass migration of browsers away from Adobe's much beleaguered media program: Chrome only loads Flash content after user intervention, and both Edge and Firefox will soon discontinue support as well.  The offer is for FedEx Office Print customers, but you can certainly take a peek yourself if you want to try it, though The Register cautions against abusing it lest we all lose the benefit.  There is a link to download Flash on FedEx's website, but if you do decide to update or install Flash we would suggest you head straight to Adobe to get it.

"The offer's being made to users of FedEx Office Print, the custom printing tentacle of the transport company. FedEx Office Print lets customers design posters, signs, manuals, banners and even promotional magnets."

Source: The Register

That's not ominous; so-called crimeware installed in 10 industrial plants

Subject: General Tech | March 23, 2017 - 12:43 PM |
Tagged: security, siemens, crimeware

This story at The Register raises more than a few concerns, the first of which is that Dragos, the industrial cybersecurity firm which detected the infection, called it crimeware.  This is a lovely term for the media to use when trying to explain why computer security is important, but it carries little useful information for those wondering exactly what this breach entails.  We are all well aware that malware and viruses are used for criminal purposes, not for the benefit of the users who get infected.

It gets better: the infected code was first detected in 2013 and was flagged as a false positive.  This infected software has been installed on the Siemens programmable logic controllers of at least 10 industrial plants, in some cases for at least four years.  The insecurity of the Internet of Big Things is much scarier than the issues with the IoT; a hacked camera can ruin a person's or a family's day, while a hacked power grid has ruined the day of entire countries.

"The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we're told. At least 10 industrial plants – seven in the US – were found running the infected software, a study by industrial cybersecurity firm Dragos claims."

Source: The Register

Industrial strength hacking

Subject: General Tech | March 16, 2017 - 12:51 PM |
Tagged: iot, scary, scada, security, ics

The Register posted a cheerful article today discussing the security of the other Internet of Things, which they have dubbed the Internet of Big Things.  Botnets formed out of compromised toasters, refrigerators and webcams are one thing; taking over power stations and industrial equipment is quite another.  Citizens of Ukraine know the dangers all too well, having had their power grid taken offline once in 2015 and again more recently by nefarious means.  Take a read through to learn how vulnerabilities in Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems could be used to cause significant harm, as well as about a search engine reassuringly named Shodan.

"The Internet of Big Things exists because it makes perfect sense to have accessibility to equipment from afar. Industrial systems are complex, specialist items and for many such systems it’s common for there to be only a handful of qualified maintenance staff in the country, continent or world."

Source: The Register

Is working in computer security bad for your sanity?

Subject: General Tech | March 9, 2017 - 12:58 PM |
Tagged: Kaspersky, antivirus, security, Threat de Toilette

If you are not aware of the story of John McAfee, who created the popular antivirus software before leaving to live a far more interesting life, you should read up on it.  Those who work in online and information security will have some sympathy for his decision, as the job is rather thankless and not exactly something you can effectively use as a topic of conversation at a party.  Kaspersky Lab may now be showing signs of distress after launching their new perfume line, Threat de Toilette.  Yes, perfume.

There is a method to their madness if you read past the first few paragraphs on The Register.  The perfume line is being advertised by fashion bloggers, who have reason to want their online information to be secure, as it is the source of their livelihood, and who have an audience which is not particularly knowledgeable about keeping themselves safe online.  It is an intriguing way to try to spread the word about online security; here's hoping it helps at least a few people.

"The thing is, while Kaspersky is possibly talking crap about the perfume, it does manage to squeeze in a lot of good advice about security and the personal protection of it. Why it would send this to us is another mystery."

Source: The Register

The first Cyber Grand Challenge; using AI to hunt bugs. What could go wrong?

Subject: General Tech | February 6, 2017 - 01:36 PM |
Tagged: darpa, ai, security, Usenix Enigma 2017

DARPA hosted the first Cyber Grand Challenge last summer, in which software from seven machine learning projects competed to find and patch vulnerabilities in a network and to attack each other.  While the specific vulnerabilities discovered have not been made public, you can read a bit about what was revealed about the contest at Usenix Enigma 2017 over at The Register.  For instance, one of the programs managed to find a flaw in the OS all the machines were running and then hack into another machine to steal data.  A different machine noticed this occurring and patched itself on the fly, making sure that it was protected from that particular attack.  Also worth noting is that the entire contest was over in 20 minutes.

"The exact nature of these new bug types remains under wraps, although we hear that at least one involves exploitable vulnerabilities in data queues."

Source: The Register

Dropbox now offering randomly accessible memories

Subject: General Tech | January 24, 2017 - 12:35 PM |
Tagged: security, dropbox

Dropbox has been around long enough that you see it used in a variety of situations: sharing recipes, press releases and holiday snaps, all perfectly reasonable scenarios.  Unfortunately you also see it used as an alternative to SFTP in business, as some clients and executives are less afraid of the pretty blue colours than they are of the folder lists and text that FTP programs present.

This can present a security problem and possible legal risk, as the terms and conditions Dropbox sets may not exactly match what you and your client agreed to.  Case in point is today's news that many users were gifted a trip down memory lane as files deleted from Dropbox years ago suddenly made a reappearance.  Dropbox states in their retention policy that deleted files should be unrecoverable after 30 days, but it seems we have more proof that the Cloud never truly forgets.  Think back to what you, or people you know, might have shared on Dropbox and consider it coming back to haunt you a decade down the line before you upload.  You can follow the links from [H]ard|OCP back to the initial forum report and Dropbox's response.

"This article is merely entertaining if you stay within the headline, but it becomes disturbing once you get into the story and realize that Dropbox’s policy is to keep deleted files only for 30 days. Ever the cynic, I will go ahead and consider the possibility that the file hosting service has been consciously keeping files around forever."

Source: [H]ard|OCP

Symantec's Sorta Secure Sockets Layer

Subject: General Tech | January 23, 2017 - 12:21 PM |
Tagged: SSL, security, symantec

Symantec may not have chosen their partners wisely, as once again we see some questionable SSL certificates being released into the wild by one of their audited partners.  For a while last week, some rather questionable domains had Symantec-issued SSL certificates, offering a wide variety of possible attack vectors for anyone nefarious enough to take advantage of the fact.  Thankfully this does not happen often, though The Inquirer points out that it is nothing new, and it casts doubt on how secure an SSL site actually is.  Symantec promises to investigate what happened and release that information publicly; we can only hope they also learn from it.

"Andrew Ayer of certificate vendor and wrangler SSLMate went public with his discovery last week. The mis-issued certs were issued for example.com, and a bunch of variations of test.com (test1.com, test2.com and so on)."

Source: The Register

Practice safe programming

Subject: General Tech | January 18, 2017 - 12:39 PM |
Tagged: security, mostly harmless, google play, android

Fallible is a security firm which developed an automated tool for reverse engineering Android apps and used it to take a look at a large portion of the top apps on Google Play.  They found quite a few things that really should not have been there, including Amazon Web Services keys which would grant the ability to start and stop instances under the developer's account.  In total they found 2500 apps with at least some sensitive information contained within them; in many cases those keys were necessary for the proper functioning of the app, but in some cases they were secrets which did not need to be there.  Follow The Register's advice and think long and hard before hard-coding keys into any apps you might be developing.

"A security firm has reverse engineered 16,000 Android apps on Google's Play store and found that over 304 contain sensitive secret keys."

Source: The Register

Hack inflight entertainment crashes planes! Ya, not so much ya nutter

Subject: General Tech | December 20, 2016 - 01:04 PM |
Tagged: security, fud

You will probably see a headline picked up from the Telegraph warning of how hackers can use in-flight entertainment systems to cause planes to crash; please ignore it.  Pilots do not generally log into a secret part of the interface on your seatback screen to control the airplane; they have a separate system which is not about to be overridden by someone screwing with the entertainment system.  On the other hand, hackers could force everyone to watch a Rob Schneider movie, which might be worse.  The Inquirer also suggests playing with cabin lighting or broadcasting fake announcements, as annoying as the teenager chatting away on the phone next to you or the child screaming in the background.  There were some reasonable suggestions in the article, which you can see here.

"LADIES AND GENTLEMEN, THIS IS YOUR PILOT SPEAKING. It turns out that hackers may be able to fiddle with the in-flight entertainment system on board and take control of the plane."

Source: The Inquirer