Does this look infected to you? Google launches a SAMBA app for Android

Subject: General Tech | July 10, 2017 - 12:52 PM | Jeremy Hellstrom
Tagged: wannacrypt, petya, security, samba, smbv1, google, andriod

If you missed out on having all your files encrypted and the chance to send bitcoin to a bunch of misanthropes who have no plans on unencrypting those files after you do, then download this new app from Google Play!  Then you can enable SMBv1 on all your other machines so your Android can share the virus amongst your other machines, perhaps you could even share this unforgettable experience  with your friends and family.  Do you really trust that the patches applied to this outdated network file sharing protocol will protect from the next wave of attacks or will you follow the advice from Microsoft's Ned Pyle that The Register quoted, "Stop using SMBv1".  There are a lot of other ways to share your files, most are even more effective than SMBv1 and are certainly more secure.

"This made Google's decision so odd, The Register wondered if the app were faking the Google brand, but no: the source code linked from the app is at the Chocolate Factory's GitHub repo."

Here is some more Tech News from around the web:

Tech Talk

• Microsoft 365 bundles Windows 10 and Office for SMBs and enterprises @ The Inquirer
• 48-year-old Multics OS comes back to life on the Raspberry Pi @ The Inquirer
• Someone's phishing US nuke power stations. So far, no kaboom @ The Register
• The Palaeontology of Cyberattacks by Vitaly Kamluk @ TechARP
• The BitScout Free Cyber Forensics Tool @ TechARP
• Eugene Kaspersky Interview : No Kremlin Ties! @ TechARP
• A Poor-Man’s Laser CNC Engraver @ Hack a Day

Change that default RasPi password, unless you meant to be donating cryptocurrency

Subject: General Tech | June 13, 2017 - 12:31 PM | Jeremy Hellstrom
Tagged: security, cryptocurrency, Raspberry Pi

If you are using a Raspberry Pi and did not set up two factor authentication or even worse, never changed the default passwords on the system then there is a very good chance you are mining for someone other than yourself.  There is a new piece of malware out there, in addition to the many which already exist, targeting Raspberry Pi machines and recruiting them into a mining group, instead of the usual usage which is to enlist them in a botnet for DDOS attacks.  Hack a Day has some additional suggestions, over and above the glaringly obvious recommendation to not keep default passwords; at least in this particular case they are not hard coded into the system.

"According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine some form of cryptocurrency. The other trojan sets up a proxy server."

Here is some more Tech News from around the web:

Tech Talk

• Ta-ta, security: Bungling Tata devs leaked banks' code on public GitHub repo, says IT bloke @ The Register
• Why Ethereum Is Outpacing Bitcoin @ Slashdot
• WiMax routers from Huawei and ZTE are vulnerable to authentication bypass attacks @ The Inquirer
• Mac ransomware author is giving away malicious code to script kiddies @ The Register
• Biostar, ASRock, Colorful see rising demand for mining motherboards, says paper @ DigiTimes
• Move over, Stuxnet: Industroyer malware linked to Kiev blackouts @ The Register

Windows 10 S ... the S could stand for secure

Subject: General Tech | June 9, 2017 - 02:29 PM | Jeremy Hellstrom
Tagged: Windows 10 S, security

Microsoft recently pointed out that their new lite version of Windows 10 for students, Windows 10 S, is completely immune to all known malware.  This does make sense, the OS is simply unable to install anything that is not from the Windows Store, which does not host any official malware, even if some of the available programs are not entirely useful.  That security will last as long as no one figures out a way to fake the file validation and the connection to Microsoft's online store, or manages to get a malware infected file approved for sale on the store.  Apple has had some experience which prove that is not an impossibility.   Pop by Slashdot for more.

You could also chose to go with the OS of choice for financial institutions and various other industries, Windows XP Embedded with the Enhanced Write Filter.  Generally secure and can be reset with a simple reboot ... in most cases.

"However, if you want to guarantee your safety from ransomware, then Microsoft points out there's an even more secure option to consider -- Windows 10 S. The new, hardened Windows 10 variant only runs apps from the Windows Store, which means it can't run programs from outside Microsoft's ecosystem, and that includes malware. Which is why, as Microsoft says, "No known ransomware works against Windows 10 S."

Here is some more Tech News from around the web:

Tech Talk

• Computex 2017: Corsair goes high-concept @
• Blackberry KeyOne consumer alert: You bend it, you break it @ The Inquirer
• Linksys WRT3200ACM AC3200 Wireless Router @ Kitguru
• Skype Retires Older Apps for Windows, Linux @ Slashdot
• COUGAR ARMOR Gaming Chair Review @ NikKTech

AI to the rescue? Microsoft assimilates the security company Hexadite

Subject: General Tech | June 8, 2017 - 12:42 PM | Jeremy Hellstrom
Tagged: microsoft, hexadite, windows defender, security

If you have never heard of Hexadite you are not alone, the online security company was formed in 2014, headquartered in Boston but based in Tel-Aviv.  As it was just purchased by Microsoft for around $100 million so they can integrate Hexadite's Automated Incident Response Solution into their Windows Defender Advanced Threat Protection.  AIRS is not antivirus software, instead it is a tool that integrates with existing software and monitors for any alerts.  Once an alert is detected the tool automatically investigates that alert and searches for solutions, in theory saving your security teams sanity by vastly reducing the number of alerts they must deal with directly.  It will be interesting to see if this has an effect on the perception of companies and users as to the effectiveness of Windows Defender. 

More over at The Inquirer.

"Hexadite's technology and talent will augment our existing capabilities and enable our ability to add new tools and services to Microsoft's robust enterprise security offerings."

Here is some more Tech News from around the web:

Tech Talk

• Museum of Failure will help us learn from our 404s @ The Inquirer
• Raspberry Pi Malware Mines BitCoin @ Hack a Day
• AMD Threadripper and Vega: Luke and Leo discuss @ Kitguru
• MediaTek considers placing chip orders with Globalfoundries @ DigiTimes
• Pop-up Android adware uses social engineering to resist deletion @ The Register

Coming as a shock to no one, Wannacry can exploit Windows 10

Subject: General Tech | June 7, 2017 - 12:42 PM | Jeremy Hellstrom
Tagged: wannacry, windows 10, security

If you have an unpatched Windows installation you are vulnerable to the SMBv1 exploit, except perhaps if you are still on WinXP in which case your machine is more likely to crash than to start encrypting. Do yourself a favour and head to Microsoft to manually download the patch appropriate for your OS and run it, if you already have it then it will tell you so, otherwise it will repair the vulnerability.  The version of Wannacry and its progenitor, EternalBlue, which is making life miserable for users and techs everywhere does not currently go after Win10 machines but you can read how it can easily be modified to do so over at Slashdot.

"The publicly available version of EternalBlue leaked by the ShadowBrokers targets only Windows XP and Windows 7 machines. Researchers at RiskSense who created the Windows 10 version of the attack were able to bypass mitigations introduced by Microsoft that thwart memory-based code-execution attacks."

Here is some more Tech News from around the web:

Tech Talk

• Microsoft slaps down Kaspersky's Windows 10 antitrust complaint @ The Inquirer
• LifeTrak Zoom HRV Wearable Body Computer
• Fujitsu PC biz tie-in with Lenovo to happen 'soon' @ The Register
• Why You Must Patch the New Linux sudo Security Hole @ Linux.com
• Foxconn, Amazon, Apple join Toshiba chip plant feeding frenzy @ The Register
• iOS 11 ain't coming to the iPhone 5, iPhone 5C or iPad 4 @ The Inquirer
• TRENDnet TV-NVR104K 4-Channel HD PoE NVR Kit Review @ NikKTech

OneLogin Reports Breach in Security

Subject: General Tech | June 2, 2017 - 01:50 AM | Scott Michaud
Tagged: onelogin, security

If you use OneLogin to manage your passwords, then you will want to check your email, which I’m assuming is they way they’ll contact customers, and see if they have any advice. (Although, now that the attack is public, be careful of spoof emails.) The password management company was recently accessed by a malicious entity, and data was copied. OneLogin claims that they encrypt sensitive data, however they also state that it’s possible the intruder also gained access to the ability to decrypt it, but they also may not have.

The attack occurred on their US-based Amazon Web Services (AWS) instance. Apparently, OneLogin noticed several servers being created without authorization, so they considered those API keys compromised and shut down the servers.

There’s not much else to report at the moment. Check out the OneLogin blog to see what they find out as they find it out.

Samba Developers Release Patch For Remote Code Execution Vulnerability (CVE-2017-7494)

Subject: General Tech | May 28, 2017 - 07:10 PM | Tim Verry
Tagged: samba, linux, ransomware, security, networking

Last week, the development team behind Samba – popular software suite used on Linux and Unix clients and servers that uses TCP/IP protocol for file and print sharing to SMB/CIFS clients (including Microsoft Windows) – released a security advisory along with patches for a remote code execution hole that has been present in Samba for seven years since the release of Samba 3.5.0 in March 2010. The vulnerability, classified under CVE-2017-7494, allows an attacker to upload malicious code to a Samba server and get the server to run the code by sending a malformed IPC request that references the local file path. The Samba server will run the code in the malicious shared library (.so) file even though it is from an untrusted remote source.

The bad news is that this is a fairly serious flaw that could lead to an attacker successfully holding a business or home user’s files (including backups!) at ransom, stealing data, or using the now owned file server to attack other network resources that trust the file server. If not securely configured (e.g. allowing anonymous writes), the attack could even be wormable which would allow it to self-replicate across the network or Internet. Further, while various security firms have slightly different numbers, they all seem to agree that around 100,000 Internet-accessible machines are running vulnerable versions of Samba.

It is not all bad news though, and in some respects this vulnerability is not as big of an issue as the WannaCry ransomware and EternalBlue SMB vulnerability because in order to successfully exploit the Samba flaw an attacker needs to obtain credentials to upload the malicious code to the file share(s) which need to be writeable in the first place and not running as noexec under a SELinux policy. Also, attackers need to know or guess the local path name of the files on the file share to send the malformed IPC request. More importantly, the Samba team released three security releases (4.6.4, 4.5.10, and 4.4.14) for the newer branches and is working with OS distributions on providing patches for older Samba versions. For systems that cannot be updated or patched, there is also a workaround that can be implemented by modifying the global Samba config file to contain the setting “nt pipe support = no”. While this will break some expected Windows functionality (mainly machines will not be able to access null shares and will need to use the specific share path rather than just the server path), it will make it so that Samba will not accept the malicious requests.

Perhaps the most worrying aspect of this vulnerability is that security researchers estimate that up to 90% of the vulnerable Internet-connected Samba endpoints do not have a direct patch or update available yet and may not ever get one. While the enterprise hardware and even bigger consumer and SMB hardware providers will provide support for this in the form of patches or firmware updates, there is a sea of home routers, NAS boxes, file and print servers, and IoT devices running on home networks that are not open to user updates and may not ever get firmware updates. The best thing to do in this scenario according to the security advisory (if you can’t just not use it or replace it with different hardware that can be patched or isn’t affected of course) is to not expose it to the Internet. There would still be a risk of it being exploited should someone get a virus on a client machine through email, malicious downloads, or social engineering though. Considering these home NAS devices are usually used as destinations for backups, the risk of ransomware not only infecting client machines but also the main file share and network backups is scary. I have always been a fan of offline and/or cloud backups and in these modern times they are more important than ever with the rise of ransomware and other profit motivated viruses.

If you are not sure if your network is affected, there are tools being made available (including a Metasploit module, nmap scripts, and Internet scans) to help you determine that and reduce your attack surface using that information by updating to the latest security release, applying patches, updating, using SELinux policies to prevent the server from executing files itself, and preventing them from communicating with the Internet in order of effectiveness.

All that is to say don’t panic, stay vigilant, and make sure your important data is properly backed up and secured as much as possible!

Pot, meet kettle. Is it worse to hoard exploits or patches?

Subject: General Tech | May 16, 2017 - 01:27 PM | Jeremy Hellstrom
Tagged: security, microsoft

Microsoft and the NSA have each been blaming the other for the ability of WannaCrypt to utilize a vulnerability in SMBv1 to spread.  Microsoft considers the NSA's decision not to share the vulnerabilities which their Eternalblue tool utilizes with Microsoft and various other security companies to be the cause of this particular outbreak.  Conversely, the fact is that while Microsoft developed patches to address this vulnerability for versions of Windows including WinXP, Server 2003, and Windows 8 RT back in March, they did not release the patches for legacy OSes until the outbreak was well underway. 

Perhaps the most compelling proof of blame is the number of systems which should not have been vulnerable but were hit due to the fact that the available patches were never installed. 

These three problems, the NSA wanting to hoard vulnerabilities so they can exploit them for espionage, Microsoft ending support of older products because they are a business and do not find it profitable to support products a decade or more after release and users not taking advantage of available updates have left us in the pickle we find ourselves in this week.  On the plus side this outbreak does have people patching, so we have that going for us.

"Speaking of hoarding, though, it's emerged Microsoft was itself stockpiling software – critical security patches for months."

Here is some more Tech News from around the web:

Tech Talk

• Ransomware scum have already unleashed kill-switch-free WannaCry‬pt‪ variant @ The Register
• Intel, Samsung join Apple, FTC firing squad against rival Qualcomm @ The Register
• TSMC capacity utilization ramping up @ DigiTimes