Crazy, I'm crazy for feeling so buggy ... then Microsoft called it off

Subject: General Tech | May 9, 2017 - 12:43 PM |
Tagged: security essentials, security, microsoft, fud, endpoint, defender

You have probably already read about the bug, discovered by Google Project Zero researchers, which affects all of Microsoft's security programs, from basic home apps like Defender through to the professional-level Forefront Security for SharePoint.  It was certainly a bad one, using the act of scanning a file for malware as the infection vector, strikingly similar to the way some viruses hijack our own immune systems.

The good news is that Microsoft started pushing out a fix for the bug on Monday; as the bug was hinted at publicly on Friday, someone must have put in a long weekend.  This quick turnaround is very nice to see and demonstrates the usefulness of publicly announcing the existence of a threat without immediately revealing the details to the public.  Bug bounty programs are a good thing, but if they involve NDAs they can lead to delays in resolution, as there is little pressure on the software developers to push out an immediate fix.  As The Register states, when you responsibly disclose the existence of a bug, especially a major one such as this, you get a quick turnaround like the one we saw from Microsoft.

Update if you got 'em!

"On the second point, well, we hate to break it to you but all software has bugs – especially Microsoft's code. There are any number of horrible remote code execution flaws in Windows and Office right now, sitting there waiting for white and black hats to find and exploit. Being told, yes, there is definitely a bad bug lurking in among the ones and zeroes doesn't make you less secure."

Source: The Register

Google doesn't seem to mind SilverPush and your phone's surreptitious addiction to advertisements

Subject: General Tech | May 5, 2017 - 01:29 PM |
Tagged: fud, silverpush, security

In 2015 we learned enough about SilverPush to worry security wonks about its ability to track your phone without your knowledge.  Several hundred apps available on the Google Play store include SilverPush and do not inform users that they use it to track their whereabouts, which would seem to be in direct contravention of Google's stated requirements.  That is more upsetting than the actual tracking.

SilverPush-laden apps listen for tones broadcast at 18kHz to 20kHz, which are inaudible to the vast majority of humanity.  When an app which has SilverPush receives that tone, it sends out a signal which can be used to locate you, to track your progress through a store or to verify that you are watching a particular advertisement.  The creators of the software stopped development back in 2015 and have found this revelation rather confusing, according to Ars Technica.
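To check a recording for this kind of tone yourself, the sketch below scans the 18kHz to 20kHz band with the Goertzel algorithm and reports the strongest tone above a threshold. It is an added example, not code from SilverPush, Ars Technica or the research paper; the 44.1kHz capture rate, the alert threshold, the function names and the test audio are all assumptions made for illustration.

```python
import math

FS = 44100             # assumed capture rate; Nyquist (22.05 kHz) covers the band
BAND = (18000, 20000)  # beacon band quoted in the post
STEP_HZ = 25           # scan spacing, narrower than the Hann main lobe at n=4096
THRESHOLD = 0.005      # assumed alert level, linear amplitude (about -46 dBFS)

def goertzel_amplitude(frame, window, freq, fs=FS):
    """Estimate the amplitude of a sinusoid at `freq` in a windowed frame."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x, w in zip(frame, window):
        s1, s2 = x * w + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    # A windowed sine of amplitude A peaks at A * sum(window) / 2.
    return 2.0 * math.sqrt(max(power, 0.0)) / sum(window)

def find_beacon(frame, fs=FS):
    """Return (freq_hz, amplitude) of the strongest in-band tone, or None."""
    n = len(frame)
    # Hann window keeps loud audible content from leaking into the scan band.
    window = [0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)) for i in range(n)]
    amp, freq = max(
        (goertzel_amplitude(frame, window, f, fs), f)
        for f in range(BAND[0], BAND[1] + 1, STEP_HZ)
    )
    return (freq, amp) if amp >= THRESHOLD else None

def tone_mix(components, n=4096, fs=FS):
    """Constructed test audio: a sum of (freq_hz, amplitude) sinusoids."""
    return [sum(a * math.sin(2 * math.pi * f * i / fs) for f, a in components)
            for i in range(n)]

# Constructed samples: audible content only, then the same plus a quiet 18.5 kHz tone.
AUDIBLE = [(440, 0.3), (1000, 0.3), (3100, 0.2)]
clean = tone_mix(AUDIBLE)
tagged = tone_mix(AUDIBLE + [(18500, 0.02)])

if __name__ == "__main__":
    print("clean :", find_beacon(clean))
    print("tagged:", find_beacon(tagged))
```

A hit only shows that there is narrowband energy in that range; some electronics emit similar tones, so treat it as a prompt to review which installed apps hold the microphone permission.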

"Almost a year after app developer SilverPush vowed to kill its privacy-threatening software that used inaudible sound embedded into TV commercials to covertly track phone users, the technology is more popular than ever, with more than 200 Android apps that have been downloaded millions of times from the official Google Play market, according to a recently published research paper."

Source: Ars Technica

Microsoft won't teach an old, or possibly deceased dog new tricks

Subject: General Tech | March 31, 2017 - 12:45 PM |
Tagged: microsoft, server 2003, security

Microsoft is once again putting sales ahead of customer security, although it is for a 10- to 14-year-old operating system which they officially pulled the plug on almost two years ago.  Sadly the end of support did not have any impact on the infrastructure budget allocations of tens of thousands of businesses, and so Server 2003 remained in use.  Security researchers spotted an attack last year which exploits a vulnerability in IIS WebDAV that allows a buffer overflow attack to succeed.  Predictably, Microsoft's answer is that you should buy a brand new server OS, with hardware upgrade costs likely to be required as well.  Thankfully there is a patch available from a third party, which you can check out over at The Register.

It is a dream, but perhaps this might convince some bean counters that an infrastructure upgrade might be a reasonable investment.

"Microsoft will not patch a critical security hole recently found and exploited in IIS 6 on Windows Server 2003 R2 – the operating system it stopped supporting roughly two years ago."

Source: The Register

Enable Flash for a $5 FedEx coupon?

Subject: General Tech | March 27, 2017 - 12:40 PM |
Tagged: security, flash, fedex, coupon

FedEx seems to be indicating they are not quite ready for Adobe Flash to go away, by offering certain customers a $5.00 coupon to enable it.  This was likely triggered by the mass migration of browsers from Adobe's much beleaguered media program; Chrome only loads Flash content after user intervention and both Edge and Firefox will soon discontinue support as well.  The offer is for FedEx Office Print customers but you can certainly take a peek yourself if you want to try it, though The Register cautions against abusing it lest we all lose the benefit.  There is a link to download Flash on FedEx's website but if you do decide to update or install Flash we would suggest you head straight to Adobe to get it.

"The offer's being made to users of FedEx Office Print, the custom printing tentacle of the transport company. FedEx Office Print lets customers design posters, signs, manuals, banners and even promotional magnets."

Source: The Register

That's not ominous; so called crimeware installed in 10 industrial plants

Subject: General Tech | March 23, 2017 - 12:43 PM |
Tagged: security, siemens, crimeware

This story at The Register raises more than a few concerns, the first being that Dragos, the industrial cybersecurity firm which detected the infection, called it crimeware.  This is a lovely term for the media to use when trying to explain why computer security is important, but it carries little valuable information for those wondering exactly what this breach entails.  We are all well aware that malware and viruses are used for criminal purposes, not for the benefit of the users who get infected.

It gets better: the infected code was first detected in 2013 and was flagged as a false positive.  This infected software has been installed on the Siemens programmable logic controllers of at least 10 industrial plants, in some cases for at least four years.  The insecurity of the Internet of Big Things is much scarier than the issues with the IoT; a hacked camera can ruin a person's or family's day, while a hacked power grid has ruined the day of entire countries.

"The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we're told. At least 10 industrial plants – seven in the US – were found running the infected software, a study by industrial cybersecurity firm Dragos claims."

Source: The Register

Industrial strength hacking

Subject: General Tech | March 16, 2017 - 12:51 PM |
Tagged: iot, scary, scada, security, ics

The Register posted a cheerful article today, discussing the security of the other Internet of Things, which they have dubbed the Internet of Big Things.  Botnets formed out of compromised toasters, refrigerators and webcams are one thing; taking over power stations and industrial equipment is quite another.  Citizens of Ukraine know the dangers all too well, having had their power grid taken offline once in 2015 and again more recently by nefarious means.  Take a read through to learn about how vulnerabilities in systems such as the Industrial Control System and Supervisory Control and Data Acquisition could be used to cause significant harm, as well as a search engine reassuringly named Shodan.

"The Internet of Big Things exists because it makes perfect sense to have accessibility to equipment from afar. Industrial systems are complex, specialist items and for many such systems it’s common for there to be only a handful of qualified maintenance staff in the country, continent or world."

Source: The Register

Is working in computer security bad for your sanity?

Subject: General Tech | March 9, 2017 - 12:58 PM |
Tagged: Kaspersky, antivirus, security, Threat de Toilette

If you are not aware of the story of John McAfee, who created the popular antivirus software before leaving to live a far more interesting life, you should read up on it.  Those who work in online and information security will have some sympathy for his decision, as the job is rather thankless and not exactly something you can effectively use as a topic of conversation at a party.  Kaspersky Labs may now be showing signs of distress after launching their new perfume line, Threat de Toilette.  Yes, perfume.

There is a method to their madness if you read past the first few paragraphs on The Register.  The perfume line is being advertised by fashion bloggers, who have reason to want their online information to be secure as it is the source of their livelihood and who have an audience which is not particularly knowledgeable about keeping themselves safe online.  It is an intriguing way to try to spread the word about online security; here's hoping it helps at least a few people.

"The thing is, while Kaspersky is possibly talking crap about the perfume, it does manage to squeeze in a lot of good advice about security and the personal protection of it. Why it would send this to us is another mystery."

Source: The Register

The first Cyber Grand Challenge; using AI to hunt bugs. What could go wrong?

Subject: General Tech | February 6, 2017 - 01:36 PM |
Tagged: darpa, ai, security, Usenix Enigma 2017

DARPA hosted the first Cyber Grand Challenge last summer, in which the software from seven machine learning projects competed to find and patch vulnerabilities in a network, and to attack each other.  While the specific vulnerabilities discovered have not been made public you can read a bit about what was revealed about the contest at Usenix Enigma 2017 over at The Register.  For instance, one of the programs managed to find a flaw in the OS all the machines were running on and then hack into another to steal data.  A different machine noticed this occurring and patched itself on the fly, making sure that it was protected from that particular attack.  Also worth noting is that the entire contest was over in 20 minutes. 

"The exact nature of these new bug types remains under wraps, although we hear that at least one involves exploitable vulnerabilities in data queues."

Source: The Register

Dropbox now offering randomly accessible memories

Subject: General Tech | January 24, 2017 - 12:35 PM |
Tagged: security, dropbox

Dropbox has been around long enough that you see it used in a variety of situations, sharing recipes, press releases and holiday snaps, all perfectly reasonable scenarios.  Unfortunately you also see it used as an alternative to SFTP in business, as some clients and executives are less afraid of the pretty blue colours than they are of the folder lists and text that FTP programs present. 

This can present a security problem and possible legal risk, as the terms and conditions Dropbox sets may not exactly match what you and your client agreed to.  Case in point today is the news that many users were gifted with a trip down memory lane as files deleted from Dropbox years ago suddenly made a reappearance.  Dropbox states in their retention policy that files which are deleted should be unrecoverable after 30 days, but it seems we have more proof that the Cloud never truly forgets.  Think back to what you, or people you know, might have shared on Dropbox and consider it coming back to haunt you a decade down the line before you upload.  You can follow the links from [H]ard|OCP back to the initial forum report and Dropbox's response.

"This article is merely entertaining if you stay within the headline, but it becomes disturbing once you get into the story and realize that Dropbox’s policy is to keep deleted files only for 30 days. Ever the cynic, I will go ahead and consider the possibility that the file hosting service has been consciously keeping files around forever."

Source: [H]ard|OCP

Symantec's Sorta Secure Sockets Layer

Subject: General Tech | January 23, 2017 - 12:21 PM |
Tagged: SSL, security, symantec

Symantec may not have chosen their partners wisely, as once again we see some questionable SSL certs being released into the wild by one of their audited partners.  For a while last week, some rather questionable domains had Symantec-issued SSL certs, offering a wide variety of possible attack vectors for anyone nefarious enough to take advantage of the fact.  Thankfully this does not happen often, though The Inquirer points out that it is nothing new, and it casts doubt on how secure an SSL site actually is.  Symantec promises to investigate what happened and release that information publicly; we can only hope they also learn from it.

"Andrew Ayer of certificate vendor and wrangler SSLMate went public with his discovery last week. The mis-issued certs were issued for example.com, and a bunch of variations of test.com (test1.com, test2.com and so on)."

Source: The Register