Pot, meet kettle. Is it worse to hoard exploits or patches?

Subject: General Tech | May 16, 2017 - 01:27 PM |
Tagged: security, microsoft

Microsoft and the NSA have each been blaming the other for the ability of WannaCrypt to utilize a vulnerability in SMBv1 to spread.  Microsoft considers the NSA's decision not to share the vulnerabilities which their Eternalblue tool utilizes with Microsoft and various other security companies to be the cause of this particular outbreak.  Conversely, the fact is that while Microsoft developed patches to address this vulnerability for versions of Windows including WinXP, Server 2003, and Windows 8 RT back in March, they did not release the patches for legacy OSes until the outbreak was well underway. 

Perhaps the most compelling proof of blame is the number of systems which should not have been vulnerable but were hit due to the fact that the available patches were never installed. 

These three problems have left us in the pickle we find ourselves in this week: the NSA wanting to hoard vulnerabilities so they can exploit them for espionage; Microsoft ending support of older products because they are a business and do not find it profitable to support products a decade or more after release; and users not taking advantage of available updates. On the plus side, this outbreak does have people patching, so we have that going for us.

"Speaking of hoarding, though, it's emerged Microsoft was itself stockpiling software – critical security patches for months."

Source: The Register

Patch that HP laptop ASAP

Subject: General Tech | May 12, 2017 - 02:05 PM |
Tagged: hp, keylogger, security

The poorly thought out feature HP added to their audio driver in some past models of laptops can now be removed. The previous driver, which listened for a certain key to be depressed, actually recorded all keystrokes made by the user and stored the information in plain text under the Public profile. The file was deleted each time the computer restarted but could still exist in backups, so you should check for MicTray.log in those backups. Slashdot reported this morning that HP has released a fixed driver, which you should grab from Windows Update or HP.com immediately.

"HP says it has a fix for a flaw that caused a number of its PC models to keep a log of each keystroke a customer was entering. The issue, caused by problematic code in an audio driver, affected PC models from 2015 and 2016."

Source: Slashdot

Crazy, I'm crazy for feeling so buggy ... then Microsoft called it off

Subject: General Tech | May 9, 2017 - 12:43 PM |
Tagged: security essentials, security, microsoft, fud, endpoint, defender

You have probably already read about the bug, discovered by Google Project Zero researchers, which affects all of Microsoft's security programs, from basic home apps like Defender through to the professional-level Forefront Security for SharePoint. It was certainly a bad one, utilizing the act of scanning a file for malware as the infection vector, strikingly similar to the way some viruses hijack our own immune systems.

The good news is that Microsoft started pushing out a fix for the bug on Monday; as the bug was hinted at publicly on Friday, someone must have put in a long weekend. This quick turnaround is very nice to see and demonstrates the usefulness of publicly announcing the existence of a threat without revealing the details to the public immediately. Bug bounty programs are a good thing, but if they involve NDAs it can lead to delays in resolutions, as there is little pressure on the software developers to push out an immediate fix. As The Register states, when you responsibly disclose the existence of a bug, especially a major one such as this, you get a quick turnaround like we saw from Microsoft.

Update if you got 'em!

"On the second point, well, we hate to break it to you but all software has bugs – especially Microsoft's code. There are any number of horrible remote code execution flaws in Windows and Office right now, sitting there waiting for white and black hats to find and exploit. Being told, yes, there is definitely a bad bug lurking in among the ones and zeroes doesn't make you less secure."

Source: The Register

Google doesn't seem to mind SilverPush and your phone's surreptitious addiction to advertisements

Subject: General Tech | May 5, 2017 - 01:29 PM |
Tagged: fud, silverpush, security

In 2015 we learned enough about SilverPush to worry security wonks about its ability to track your phone without your knowledge. Several hundred apps available on the Google Play store include SilverPush and do not inform users that they utilize that software to track their whereabouts, which would seem to be in direct contravention of Google's stated requirements. That is more upsetting than the actual tracking.

SilverPush-laden apps listen for tones broadcast at 18kHz to 20kHz, which are inaudible to the vast majority of humanity. When they receive such a tone, the app sends out a signal which can be used to locate you, to track your progress through a store or to verify that you are watching a particular advertisement. The creators of the software stopped development back in 2015 and have found this revelation rather confusing, according to Ars Technica.

"Almost a year after app developer SilverPush vowed to kill its privacy-threatening software that used inaudible sound embedded into TV commercials to covertly track phone users, the technology is more popular than ever, with more than 200 Android apps that have been downloaded millions of times from the official Google Play market, according to a recently published research paper."

Source: Ars Technica

Microsoft won't teach an old, or possibly deceased dog new tricks

Subject: General Tech | March 31, 2017 - 12:45 PM |
Tagged: microsoft, server 2003, security

Microsoft is once again putting sales ahead of customer security, although it is for a 10 to 14 year old operating system which they officially pulled the plug on almost two years ago. Sadly, the end of support did not have any impact on the infrastructure budget allocations of tens of thousands of businesses, and so Server 2003 remained in use. Security researchers spotted an attack last year which exploits a vulnerability in IIS WebDAV that allows a buffer overflow attack to succeed. Predictably, Microsoft's answer is that you should buy a brand new server OS, with hardware upgrade costs likely to be required as well. Thankfully there is a patch available from a third party, which you can check out over at The Register.

It is a dream, but perhaps this might convince some bean counters that an infrastructure upgrade might be a reasonable investment.

"Microsoft will not patch a critical security hole recently found and exploited in IIS 6 on Windows Server 2003 R2 – the operating system it stopped supporting roughly two years ago."

Source: The Register

Enable Flash for a $5 FedEx coupon?

Subject: General Tech | March 27, 2017 - 12:40 PM |
Tagged: security, flash, fedex, coupon

FedEx seems to be indicating they are not quite ready for Adobe Flash to go away, by offering certain customers a $5.00 coupon to enable it.  This was likely triggered by the mass migration of browsers from Adobe's much beleaguered media program; Chrome only loads Flash content after user intervention and both Edge and Firefox will soon discontinue support as well.  The offer is for FedEx Office Print customers but you can certainly take a peek yourself if you want to try it, though The Register cautions against abusing it lest we all lose the benefit.  There is a link to download Flash on FedEx's website but if you do decide to update or install Flash we would suggest you head straight to Adobe to get it.

"The offer's being made to users of FedEx Office Print, the custom printing tentacle of the transport company. FedEx Office Print lets customers design posters, signs, manuals, banners and even promotional magnets."

Source: The Register

That's not ominous; so called crimeware installed in 10 industrial plants

Subject: General Tech | March 23, 2017 - 12:43 PM |
Tagged: security, siemens, crimeware

This story at The Register raises more than a few concerns, the first of which is that Dragos, the industrial cybersecurity firm which detected the infection, called it crimeware. This is a lovely term for the media to use when trying to explain why computer security is important, but it carries little valuable information for those wondering exactly what this breach entails. We are all well aware that malware and viruses are used for criminal purposes, not for the benefit of the users who get infected.

It gets better: the infected code was first detected in 2013 and was flagged as a false positive. This infected software has been installed on the Siemens programmable logic controllers of at least 10 industrial plants, in some cases for at least four years. The insecurity of the Internet of Big Things is much scarier than the issues with the IoT; a hacked camera can ruin a person's or family's day, while a hacked power grid has ruined the day of entire countries.

"The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we're told. At least 10 industrial plants – seven in the US – were found running the infected software, a study by industrial cybersecurity firm Dragos claims."

Source: The Register

Industrial strength hacking

Subject: General Tech | March 16, 2017 - 12:51 PM |
Tagged: iot, scary, scada, security, ics

The Register posted a cheerful article today, discussing the security of the other Internet of Things, which they have dubbed the Internet of Big Things. Botnets formed out of compromised toasters, refrigerators and webcams are one thing; taking over power stations and industrial equipment is quite another. Citizens of the Ukraine know the dangers all too well, having had their power grid taken offline once in 2015 and again more recently by nefarious means. Take a read through to learn about how vulnerabilities in Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems could be used to cause significant harm, as well as about a search engine reassuringly named Shodan.

"The Internet of Big Things exists because it makes perfect sense to have accessibility to equipment from afar. Industrial systems are complex, specialist items and for many such systems it’s common for there to be only a handful of qualified maintenance staff in the country, continent or world."

Source: The Register

Is working in computer security bad for your sanity?

Subject: General Tech | March 9, 2017 - 12:58 PM |
Tagged: Kaspersky, antivirus, security, Threat de Toilette

If you are not aware of the story of John McAfee, who created the popular antivirus software before leaving to live a far more interesting life, you should read up on it. Those who work in online and information security will have some sympathy for his decision, as the job is rather thankless and not exactly something you can effectively use as a topic of conversation at a party. Kaspersky Labs may now be showing signs of distress after launching their new perfume line, Threat de Toilette. Yes, perfume.

There is a method to their madness if you read past the first few paragraphs on The Register.  The perfume line is being advertised by fashion bloggers, who have reason to want their online information to be secure as it is the source of their livelihood and who have an audience which is not particularly knowledgeable about keeping themselves safe online.  It is an intriguing way to try to spread the word about online security; here's hoping it helps at least a few people.

"The thing is, while Kaspersky is possibly talking crap about the perfume, it does manage to squeeze in a lot of good advice about security and the personal protection of it. Why it would send this to us is another mystery."

Source: The Register

The first Cyber Grand Challenge; using AI to hunt bugs. What could go wrong?

Subject: General Tech | February 6, 2017 - 01:36 PM |
Tagged: darpa, ai, security, Usenix Enigma 2017

DARPA hosted the first Cyber Grand Challenge last summer, in which the software from seven machine learning projects competed to find and patch vulnerabilities in a network, and to attack each other.  While the specific vulnerabilities discovered have not been made public you can read a bit about what was revealed about the contest at Usenix Enigma 2017 over at The Register.  For instance, one of the programs managed to find a flaw in the OS all the machines were running on and then hack into another to steal data.  A different machine noticed this occurring and patched itself on the fly, making sure that it was protected from that particular attack.  Also worth noting is that the entire contest was over in 20 minutes. 

"The exact nature of these new bug types remains under wraps, although we hear that at least one involves exploitable vulnerabilities in data queues."

Source: The Register