Fool me once, shame on me ... Chrome gives Symantec the cold shoulder

Subject: General Tech | September 12, 2017 - 02:29 PM |
Tagged: chrome, symantec, security

Symantec's certificate troubles go back two years, to 2015, when its CA was caught issuing test certificates for Google-owned domains that Google had never requested; that is a separate matter from the 2016 bug in the Norton and Symantec antivirus engines that let an attacker compromise the Windows kernel without any user interaction.  A round of firings at Symantec followed the certificate incident, intended to reassure customers and security experts, and it was somewhat successful until earlier this year.  In January it emerged that Symantec and its partners had issued more certificates without properly validating the domains they vouched for.  That has been enough for Google: Chrome 66 (due in April 2018) will stop trusting Symantec certificates issued before June 1, 2016, and Chrome 70 (due in October 2018) will stop trusting any certificate from Symantec's existing infrastructure, including its GeoTrust, Thawte and RapidSSL brands.  The Inquirer provides a full timeline here.


"The decision to remove Symantec certificates came as a result of the discovery of a dodgy certificate in 2015, leading to a fuller investigation that brought forward more issues with security at the beginning of this year."

Here is some more Tech News from around the web:

Tech Talk


Source: The Inquirer

Your Roomba is spying on you and that fridge sure looks suspicious

Subject: General Tech | July 25, 2017 - 02:54 PM |
Tagged: security, roomba, irobot, greed

It should be obvious to most that the new generation of Roombas builds up and saves a map of your house; that is how it remembers how to navigate your floors to vacuum them.  One would also think it obvious that this information should remain private; unfortunately iRobot does not seem to understand this.  The company is in discussion with Apple, Amazon and Alphabet to settle on a price at which it will sell them the map of the parts of your house your Roomba has traversed.  This should be somewhat disturbing to Roomba owners and likely very exciting to anyone who likes to wander uninvited into other people's homes.  Once a floor plan has been copied to several companies' servers it is only as safe as the weakest of them, and a motivated and skilled attacker is unlikely to find that protection hard to overcome, so keep that in mind if you are shopping for a robot vacuum.  You can pop by The Inquirer to read iRobot chief executive Colin Angle's bizarre response to tweets from concerned customers.


"VACUUM CLEANER COMPANY iRobot, responsible for the 'smart' Roomba vacuum, is considering doing something really dumb - selling user mapping data to companies that would hand over how your house is laid out."


Source: The Inquirer

Devil's Ivy, a voyeur's dream come true

Subject: General Tech | July 20, 2017 - 03:50 PM |
Tagged: iot, Devil's Ivy, cameras, security, gSOAP

gSOAP is an open-source code library that lets hardware be configured and controlled over web connections; it is used by hundreds of companies, including Axis, Microsoft, IBM, Adobe and Xerox.  It has a vulnerability that lets an attacker trigger a stack buffer overflow by sending a specially crafted POST request over port 80 to a device, which in the case of cameras can let the attacker watch the live feed.  The flaw was patched in an update to gSOAP, so future products should not have this issue, but any camera built on the vulnerable version of the library and currently in use remains exposed.  Manufacturers would have to build the fix into their own firmware and push it out to every camera in the field to resolve this, and if there is one thing we know for sure about IoT products, it is that such patches tend not to be created, let alone pushed out.  Until a vendor update lands, the practical mitigation is to keep such cameras off the open Internet and away from any network segment untrusted clients can reach.

For more depressing details you can pop by The Register.


"Security researchers investigating internet-connected video cameras have uncovered a bug that could conceivably leave millions of devices open to easy pwnage."


Source: The Register

Does this look infected to you? Google launches a SAMBA app for Android

Subject: General Tech | July 10, 2017 - 12:52 PM |
Tagged: wannacrypt, petya, security, samba, smbv1, google, android

If you missed out on having all your files encrypted, and on sending bitcoin to a bunch of misanthropes who have no intention of decrypting those files once you pay, then download this new app from Google Play!  It speaks only SMBv1, the protocol version WannaCry and Petya spread over, so you can then enable SMBv1 on all your other machines and let your Android share the worm among them; perhaps you could even share this unforgettable experience with your friends and family.  Do you really trust that the patches applied to this outdated file-sharing protocol will protect you from the next wave of attacks, or will you follow the advice from Microsoft's Ned Pyle that The Register quoted: "Stop using SMBv1"?  There are plenty of other ways to share your files; most are more efficient than SMBv1 and are certainly more secure.


"This made Google's decision so odd, The Register wondered if the app were faking the Google brand, but no: the source code linked from the app is at the Chocolate Factory's GitHub repo."


Source: The Register

Change that default RasPi password, unless you meant to be donating cryptocurrency

Subject: General Tech | June 13, 2017 - 12:31 PM |
Tagged: security, cryptocurrency, Raspberry Pi

If you are using a Raspberry Pi and did not set up two-factor authentication, or worse, never changed the default password on the system, there is a very good chance you are mining for someone other than yourself.  A new piece of malware, on top of the many that already exist, is targeting Raspberry Pi machines and recruiting them into a mining pool, instead of the usual practice of enlisting them in a botnet for DDoS attacks.  Its way in is nothing cleverer than logging in over SSH with the stock pi account credentials, so a changed password alone shuts it out.  Hack a Day has some additional suggestions over and above the glaringly obvious recommendation not to keep the default password; at least in this particular case it is not hard-coded into the system.


"According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine some form of cryptocurrency. The other trojan sets up a proxy server."


Source: Hack a Day

Windows 10 S ... the S could stand for secure

Subject: General Tech | June 9, 2017 - 02:29 PM |
Tagged: Windows 10 S, security

Microsoft recently pointed out that its new lite version of Windows 10 for students, Windows 10 S, is immune to all known ransomware.  This does make sense: the OS simply will not install anything that does not come from the Windows Store, which does not knowingly host malware, even if some of the available programs are not entirely useful.  That security lasts only as long as no one finds a way to fake the file validation and the connection to Microsoft's online store, or manages to get a malware-laden app approved for sale on it.  Apple's experience with its own App Store proves that is not an impossibility.  Pop by Slashdot for more.

You could also choose to go with the OS of choice for financial institutions and various other industries, Windows XP Embedded with the Enhanced Write Filter.  Generally secure, and it can be reset with a simple reboot ... in most cases.


"However, if you want to guarantee your safety from ransomware, then Microsoft points out there's an even more secure option to consider -- Windows 10 S. The new, hardened Windows 10 variant only runs apps from the Windows Store, which means it can't run programs from outside Microsoft's ecosystem, and that includes malware. Which is why, as Microsoft says, "No known ransomware works against Windows 10 S.""


Source: Slashdot

AI to the rescue? Microsoft assimilates the security company Hexadite

Subject: General Tech | June 8, 2017 - 12:42 PM |
Tagged: microsoft, hexadite, windows defender, security

If you have never heard of Hexadite you are not alone; the security company was founded in 2014 and is headquartered in Boston but operates out of Tel Aviv.  It has just been purchased by Microsoft for around $100 million so that Hexadite's Automated Incident Response Solution (AIRS) can be integrated into Windows Defender Advanced Threat Protection.  AIRS is not antivirus software; instead it is a tool that plugs into existing security products and watches the alerts they raise.  Once an alert fires, the tool automatically investigates it and looks for a remediation, in theory saving your security team's sanity by vastly reducing the number of alerts they must deal with directly.  It will be interesting to see whether this changes how companies and users perceive the effectiveness of Windows Defender.

More over at The Inquirer.


"Hexadite's technology and talent will augment our existing capabilities and enable our ability to add new tools and services to Microsoft's robust enterprise security offerings."


Source: The Inquirer

Coming as a shock to no one, Wannacry can exploit Windows 10

Subject: General Tech | June 7, 2017 - 12:42 PM |
Tagged: wannacry, windows 10, security

If you have an unpatched Windows installation you are vulnerable to the SMBv1 exploit, except perhaps if you are still on Windows XP, in which case your machine is more likely to crash than to start encrypting.  Do yourself a favour and head to Microsoft to manually download the MS17-010 patch appropriate for your OS and run it; if you already have it, the installer will tell you so, otherwise it will close the hole.  The version of WannaCry, and of the EternalBlue exploit it rides on, that is making life miserable for users and techs everywhere does not currently go after Windows 10 machines, but you can read how it can be modified to do so over at Slashdot.


"The publicly available version of EternalBlue leaked by the ShadowBrokers targets only Windows XP and Windows 7 machines. Researchers at RiskSense who created the Windows 10 version of the attack were able to bypass mitigations introduced by Microsoft that thwart memory-based code-execution attacks."


Source: Slashdot

OneLogin Reports Breach in Security

Subject: General Tech | June 2, 2017 - 01:50 AM |
Tagged: onelogin, security

If you use OneLogin to manage your passwords, then you will want to check your email, which I'm assuming is the way they'll contact customers, and see if they have any advice. (Although, now that the attack is public, be careful of spoofed emails.) The password management company was recently accessed by a malicious actor, and data was copied. OneLogin states that it encrypts sensitive data; however, it also states that the intruder may have gained the ability to decrypt it, though it cannot yet say either way.


The attack hit OneLogin's US-region Amazon Web Services (AWS) infrastructure. Apparently the intruder used a set of AWS API keys to create several server instances without authorization; once OneLogin noticed the activity it treated those keys as compromised and shut the servers down.

There’s not much else to report at the moment. Check out the OneLogin blog to see what they find out as they find it out.
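The detection OneLogin describes, spotting servers being created with credentials that should not be creating them and then treating those credentials as stolen, is easy to express as a CloudTrail hunt. The block below is an added example, not OneLogin's code or AWS tooling; the records are constructed to match CloudTrail's field names, and the access key IDs, addresses and user names in them are invented for the demo.

```python
"""Added example, not OneLogin's code: hunt CloudTrail for EC2 instances
launched with keys, source addresses or regions that your automation is not
known to use, and list the access keys that should be revoked."""
import ipaddress
import json

# Constructed CloudTrail-style records. Field names match CloudTrail; the key
# IDs (AKIA... is only the real ID prefix format), IPs and users are made up.
SAMPLE_CLOUDTRAIL_JSON = """
[
 {"eventTime": "2017-05-31T02:03:11Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                   "accessKeyId": "AKIAEXAMPLEDEPLOY01"}},
 {"eventTime": "2017-05-31T02:15:40Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.45",
  "userIdentity": {"type": "IAMUser", "userName": "db-backup",
                   "accessKeyId": "AKIAEXAMPLELEAKED99"}},
 {"eventTime": "2017-05-31T02:16:02Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.45",
  "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                   "accessKeyId": "AKIAEXAMPLEDEPLOY01"}},
 {"eventTime": "2017-05-31T02:17:55Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-west-2",
  "sourceIPAddress": "203.0.113.45",
  "userIdentity": {"type": "IAMUser", "userName": "db-backup",
                   "accessKeyId": "AKIAEXAMPLELEAKED99"}}
]
"""
SAMPLE_RECORDS = json.loads(SAMPLE_CLOUDTRAIL_JSON)

# Baseline of what legitimate launches look like; tune these to your account.
ALLOWED_LAUNCH_KEYS = {"AKIAEXAMPLEDEPLOY01"}
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_REGIONS = {"us-east-1"}


def suspicious_launches(records, allowed_keys=ALLOWED_LAUNCH_KEYS,
                        allowed_nets=ALLOWED_SOURCE_NETS,
                        allowed_regions=ALLOWED_REGIONS):
    """Return one finding per RunInstances call that breaks the baseline."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or rec.get("eventName") != "RunInstances"):
            continue  # reads such as DescribeInstances are recon, not launches
        key = rec.get("userIdentity", {}).get("accessKeyId", "")
        src = rec.get("sourceIPAddress", "")
        region = rec.get("awsRegion", "")
        reasons = []
        if key not in allowed_keys:
            reasons.append("access key not approved for launches")
        try:
            if not any(ipaddress.ip_address(src) in n for n in allowed_nets):
                reasons.append("source IP %s outside expected networks" % src)
        except ValueError:
            # AWS services acting on your behalf put a service name here;
            # treat that as unexpected until you have baselined it.
            reasons.append("non-IP source %r" % src)
        if region not in allowed_regions:
            reasons.append("launch in unexpected region %s" % region)
        if reasons:
            findings.append({"time": rec.get("eventTime"), "accessKeyId": key,
                             "user": rec.get("userIdentity", {}).get("userName"),
                             "reasons": reasons})
    return findings


def keys_to_revoke(findings):
    """Every key that launched something it should not have is presumed stolen."""
    return sorted({f["accessKeyId"] for f in findings if f["accessKeyId"]})


if __name__ == "__main__":
    hits = suspicious_launches(SAMPLE_RECORDS)
    for h in hits:
        print(h["time"], h["user"], h["accessKeyId"], "; ".join(h["reasons"]))
    print("revoke:", keys_to_revoke(hits))
```

On the sample data the approved deploy key is flagged once because it launched from an address outside the expected network (a stolen key looks exactly like this), and the db-backup key is flagged for using a key never approved for launches, from an unknown address, in an unused region. Both keys end up on the revoke list; the DescribeInstances call from the leaked key is not a launch and is left for a separate reconnaissance rule.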

Source: OneLogin

Samba Developers Release Patch For Remote Code Execution Vulnerability (CVE-2017-7494)

Subject: General Tech | May 28, 2017 - 07:10 PM |
Tagged: samba, linux, ransomware, security, networking

Last week, the development team behind Samba – the popular software suite that provides SMB/CIFS file and print sharing over TCP/IP from Linux and Unix systems to clients including Microsoft Windows – released a security advisory along with patches for a remote code execution hole that has been present in Samba for seven years, since the release of Samba 3.5.0 in March 2010. The vulnerability, classified under CVE-2017-7494, lets an attacker upload a malicious shared library to a writeable share and then get the server to run it by sending a malformed IPC request that references the uploaded file by its local path. The Samba server will load and execute the malicious shared library (.so) file even though it came from an untrusted remote source.


The bad news is that this is a fairly serious flaw that could let an attacker hold a business or home user’s files (including backups!) to ransom, steal data, or use the now-compromised file server to attack other network resources that trust it. If the server is not securely configured (e.g. it allows anonymous writes), the attack could even be wormable, letting it self-replicate across the network or the Internet. Further, while various security firms have slightly different numbers, they all seem to agree that around 100,000 Internet-accessible machines are running vulnerable versions of Samba.

It is not all bad news though, and in some respects this vulnerability is not as big an issue as the WannaCry ransomware and the EternalBlue SMB vulnerability, because to exploit the Samba flaw an attacker needs to be able to write to a share: that means credentials (or a share that is writeable by guests) and a server that is not protected by a mitigation such as a SELinux policy that forbids loading libraries from the share directory or a noexec mount of the share. Attackers also need to know or guess the local filesystem path of the share in order to reference the uploaded file in the malformed IPC request. More importantly, the Samba team released three security releases (4.6.4, 4.5.10, and 4.4.14) for the newer branches and is working with OS distributions on providing patches for older Samba versions. For systems that cannot be updated or patched, there is also a workaround: add the setting “nt pipe support = no” to the [global] section of the Samba config file. While this breaks some expected Windows functionality (mainly, Windows machines will not be able to browse the server's share list and will need the specific share path rather than just the server name), it makes Samba refuse the malicious requests.

Perhaps the most worrying aspect of this vulnerability is that security researchers estimate that up to 90% of the vulnerable Internet-connected Samba endpoints do not have a direct patch or update available yet and may never get one. While enterprise hardware vendors and even the bigger consumer and SMB hardware providers will support this with patches or firmware updates, there is a sea of home routers, NAS boxes, file and print servers, and IoT devices running on home networks that are not open to user updates and may never get firmware updates. The best thing to do in this scenario according to the security advisory (if you can’t just stop using the device or replace it with hardware that can be patched or isn’t affected, of course) is to not expose it to the Internet. There would still be a risk of it being exploited should someone compromise a client machine through email, malicious downloads, or social engineering though. Considering these home NAS devices are usually used as destinations for backups, the risk of ransomware infecting not only client machines but also the main file share and network backups is scary. I have always been a fan of offline and/or cloud backups and in these modern times they are more important than ever with the rise of ransomware and other profit-motivated viruses.

If you are not sure whether your network is affected, tools are being made available (including a Metasploit module, nmap scripts, and Internet scans) to help you find out and then reduce your attack surface, in order of effectiveness: update to the latest security release or apply your distribution's patches, apply the nt pipe support workaround, use SELinux policies to prevent the server from executing files from its shares, and keep the devices from communicating with the Internet.
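Two of those checks can be done offline from information you already have: the version string Samba reports and the smb.conf on the box. The block below is an added example, not Samba project tooling; it encodes the branch boundaries from the advisory (flaw introduced in 3.5.0, fixed in 4.6.4, 4.5.10 and 4.4.14), flags versions whose number alone cannot settle the question because distributions backport fixes without bumping it, and audits a constructed smb.conf for the workaround and for writeable (and guest-writeable) shares. The sample config is made up for the demo.

```python
"""Added example (not Samba project code): two offline checks for
CVE-2017-7494 exposure, one on the reported version string and one on
smb.conf."""
import re

# Samba 3.5.0 introduced the flaw; the security releases below are the
# first fixed versions on each still-supported branch (from the advisory).
FIRST_VULNERABLE = (3, 5, 0)
FIRST_FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}


def parse_version(text):
    """Pull (major, minor, patch) out of output like 'Version 4.5.9-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Samba version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_status(text):
    """'not affected', 'patched', 'vulnerable', or 'check vendor backport'."""
    v = parse_version(text)
    if v < FIRST_VULNERABLE:
        return "not affected"
    branch = v[:2]
    if branch in FIRST_FIXED:
        return "patched" if v >= FIRST_FIXED[branch] else "vulnerable"
    if branch > (4, 6):
        return "patched"  # branches released after the fix carry it
    # 3.5.x .. 4.3.x never got an upstream security release; distributions
    # backported the fix without bumping the version, so the number alone
    # cannot decide it. Check the package changelog for CVE-2017-7494.
    return "check vendor backport"


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with keys lower-cased.
    Comment lines start with '#' or ';'; values keep their case."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][key.strip().lower()] = val.strip()
    return conf


def _is_yes(val):
    return val.lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """List the configuration conditions the advisory ties to exploitability:
    the workaround, writeable shares, and writeable shares open to guests."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("nt pipe support", "yes").lower() == "no":
        findings.append("global: nt pipe support = no (workaround applied)")
    else:
        findings.append("global: nt pipe support enabled (workaround not applied)")
    for share, opts in conf.items():
        if share == "global":
            continue
        # 'writeable'/'writable' are synonyms for 'read only = no'; Samba's
        # default is read only.
        writeable = (_is_yes(opts.get("writeable", opts.get("writable", "no")))
                     or opts.get("read only", "yes").lower() == "no")
        if not writeable:
            continue
        guest = _is_yes(opts.get("guest ok", glob.get("guest ok", "no")))
        if guest:
            findings.append("share %s: writeable and guest ok (unauthenticated upload possible)" % share)
        else:
            findings.append("share %s: writeable (any authenticated user can upload a .so)" % share)
    return findings


# Constructed smb.conf for the demo, not taken from any real host.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; nt pipe support = no    <- workaround present but commented out
[public]
   path = /srv/samba/public
   guest ok = yes
   writeable = yes
[backups]
   path = /srv/samba/backups
   read only = no
[docs]
   path = /srv/samba/docs
   read only = yes
"""

if __name__ == "__main__":
    for banner in ("Version 4.5.9", "Version 4.6.4", "Version 4.3.11-Ubuntu"):
        print(banner, "->", version_status(banner))
    for line in audit_smb_conf(SAMPLE_SMB_CONF):
        print(line)
```

Feed version_status the first line of `smbd -V` (or the banner an nmap smb-os-discovery scan returns) and audit_smb_conf the contents of /etc/samba/smb.conf. On the sample config the workaround line is commented out, so it is reported as not applied; the guest-writeable public share is the wormable case the advisory warns about, the backups share is exploitable by any user with credentials, and the read-only docs share is not reported at all.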

All that is to say don’t panic, stay vigilant, and make sure your important data is properly backed up and secured as much as possible!

Source: Samba.org