STE WILLIAMS

Heaps of Windows 10 internal builds, private source code leak online

Jun 24

Exclusive A massive trove of Microsoft’s internal Windows operating system builds and chunks of its core source code have leaked online.

The data – some 32TB of official and non-public installation images and software blueprints that compress down to 8TB – were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the confidential data in this dump was exfiltrated from Microsoft’s in-house systems around March this year.

The leaked code is Microsoft’s Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond’s PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code.

Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. It is supposed to be for Microsoft, hardware manufacturers, and select customers’ eyes only.

Leaked … Screenshot of a Beta Archives posting announcing on Monday, June 19, the addition of Microsoft’s confidential source code archive

In addition to this, top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked among copies of officially released versions. The confidential Windows team-only internal builds were created by Microsoft engineers for bug-hunting and testing purposes, and include private debugging symbols that are usually stripped out for public releases.

This software includes, for example, prerelease Windows 10 “Redstone” builds and unreleased 64-bit ARM flavors of Windows. There are, we think, too many versions now dumped online for Microsoft to revoke via its Secure Boot mechanism, meaning the tech giant can’t use its firmware security mechanisms to prevent people booting the prerelease operating systems.

Also in the leak are multiple versions of Microsoft’s Windows 10 Mobile Adaptation Kit, a confidential software toolset to get the operating system running on various portable and mobile devices.

Netizens with access to Beta Archive’s private repo of material can, even now, still get hold of the divulged data completely for free. It is being described by some as a bigger leak than the Windows 2000 source code blab in 2004.

A spokesperson for Microsoft said: “Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners.” ®

Updated to add

Beta Archive’s administrators are in the process of removing non-public Microsoft components and builds from its FTP server and its forums.

For example, all mention of the Shared Source Kit has been erased from its June 19 post. We took some screenshots before any material was scrubbed from sight. You’ll notice from the screenshot above in the article and the forum post that the source kit has disappeared between the Microsoft Windows 10 Debug Symbols and Diamond Monster 3D II Starter Pack.

The source kit is supposed to be available to only “qualified customers, enterprises, governments, and partners for debugging and reference purposes.”

In a statement, Beta Archive said: “The ‘Shared Source Kit’ folder did exist on the FTP until [The Register’s] article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/windows_10_leak/

AES-256 keys sniffed in seconds using €200 of kit a few inches away

Jun 24

Side-channel attacks that monitor a computer’s electromagnetic output to snaffle secrets are nothing new. They usually require direct access to the target system and a lot of expensive machinery – but no longer.

Researchers at Fox‑IT have managed to wirelessly extract secret AES-256 encryption keys from a distance of one metre (3.3 feet) – using €200 (~US$224) worth of parts obtained from a standard electronics store – just by measuring electromagnetic radiation. At that distance sniffing the keys over the air took five minutes, but if an attacker got within 30 centimetres (11.8 inches) of a device, the extraction time is cut down to just 50 seconds.

The research team used a simple loop antenna, attached it to an external amplifier and bandpass filters bought online, and then plugged it into a software defined radio USB stick they bought for €20. The entire cost of the setup was less than €200 and the device could be hidden in a jacket or laptop case.

They used this kit to record the electromagnetic emanations produced by the power consumption of the SmartFusion2 target system, which is built around an ARM Cortex-M3 core. By measuring the leakage between the Cortex processor and the AHB bus, the data showed the peaks and troughs of consumption as the encryption process was carried out.

By running their own encryptions on a test rig, the researchers mapped out how the power consumption related to individual bytes of the key. That let them test all 256 possible values of a single key byte against the recorded traces: the correct guess is the one whose predicted leakage correlates most strongly with what was measured.

“Using this approach only requires us to spend a few seconds guessing the correct value for each byte in turn (256 options per byte, for 32 bytes – so a total of 8,192 guesses),” they wrote [PDF]. “In contrast, a direct brute-force attack on AES‑256 would require 2^256 guesses and would not complete before the end of the universe.”
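To make the byte-at-a-time arithmetic in the quote concrete, here is an added simulation of the correlation attack described above. It is not Fox-IT’s code or anything from their paper: it assumes a Hamming-weight leakage model on the first-round AES S-box output, generates synthetic traces with Gaussian noise (one sample per key byte rather than the thousands a real EM capture has), and recovers the 16-byte first-round key with 256 guesses per byte. That covers the first half of an AES-256 key; the remaining 16 bytes need the same attack run against the second round, which this block does not do.

```python
import random

def make_sbox():
    """Build the AES S-box from its definition (multiplicative inverse in GF(2^8),
    then the affine map) so the example needs no 256-entry table."""
    def gf_mul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a <<= 1
            if a & 0x100:
                a ^= 0x11B          # reduce modulo the AES polynomial x^8+x^4+x^3+x+1
            b >>= 1
        return r
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for shift in (1, 2, 3, 4):          # affine transform: XOR of four rotations
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = make_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming-weight leakage model (assumed)

def simulate_trace(plaintext, key, rng, noise_sigma):
    """One constructed trace: for each byte position, the Hamming weight of the
    first-round S-box output plus Gaussian noise. Stands in for an EM capture."""
    return [HW[SBOX[p ^ k]] + rng.gauss(0.0, noise_sigma) for p, k in zip(plaintext, key)]

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5

def recover_key_byte(plaintexts, traces, pos):
    """Correlation power analysis for one key byte: try all 256 guesses, predict
    the leakage each would produce for every plaintext, and keep the guess whose
    prediction correlates best with the measured samples."""
    measured = [t[pos] for t in traces]
    scores = []
    for guess in range(256):
        predicted = [HW[SBOX[p[pos] ^ guess]] for p in plaintexts]
        scores.append((abs(pearson(predicted, measured)), guess))
    return max(scores)[1]

def recover_round_key(plaintexts, traces):
    """16 positions x 256 guesses = 4,096 hypotheses, not 2^128."""
    return bytes(recover_key_byte(plaintexts, traces, i) for i in range(len(traces[0])))

def simulate_attack(num_traces=200, noise_sigma=1.0, seed=7):
    """End to end: random key, random known plaintexts, noisy traces, CPA recovery.
    Returns (true_key, recovered_key) so the caller can compare them."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    plaintexts = [bytes(rng.randrange(256) for _ in range(16)) for _ in range(num_traces)]
    traces = [simulate_trace(p, key, rng, noise_sigma) for p in plaintexts]
    return key, recover_round_key(plaintexts, traces)

if __name__ == "__main__":
    true_key, found = simulate_attack()
    print("true key :", true_key.hex())
    print("recovered:", found.hex(), "(match)" if true_key == found else "(miss)")
```

Raising `noise_sigma` or cutting `num_traces` is the cheap way to see why distance matters: the correct guess only stands out once enough traces average the noise down, which is exactly the five-minutes-at-one-metre versus fifty-seconds-at-30cm trade-off in the article.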

The electromagnetic signals drop off rapidly the farther away you are from the target, but the researchers still managed the extraction from a distance of one metre, even though it took much longer to do so. Spending more on the equipment, however, would increase the range and speed of the attack.

“In practice this setup is well suited to attacking network encryption appliances,” they wrote. “Many of these targets perform bulk encryption (possibly with attacker-controlled data) and the ciphertext is often easily captured from elsewhere in the network. This again underscores the need for deep expertise and defense-in-depth when designing high assurance systems.”

There are, of course, some caveats. The tests took place under laboratory conditions, rather than in a busy office or server room where other signals might interfere with the data collection. But it’s an interesting example of how an attack previously thought of as unfeasible due to cost and distance has been made easier by smarter and cheaper technology. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/aes_256_cracked_50_seconds_200_kit/

Not Apr 1: Google stops scanning your Gmail to sling targeted ads at you

Jun 24

Google has said it will no longer scan the content of Gmail messages to sell targeted adverts to users of the free service.

The Chocolate Factory made the announcement in a blog post on Friday touting the success of its G Suite, the cloud apps service for business. G Suite is ad-free and doesn’t scan content – for the obvious reason that businesses wouldn’t be very keen on that – and now Google says it will make the free Gmail service scanning-free too.

“G Suite’s Gmail is already not used as input for ads personalization, and Google has decided to follow suit later this year in our free consumer Gmail service,” it said.

“Consumer Gmail content will not be used or scanned for any ads personalization after this change. This decision brings Gmail ads in line with how we personalize ads for other Google products. Ads shown are based on users’ settings. Users can change those settings at any time, including disabling ads personalization.”

The Gmail scanning system was highly controversial ever since it was introduced in 2004, but the advantages of the service were clear. At the time, most webmail accounts offered pitiful amounts of storage – 2MB for Hotmail, for example – while Google was offering a gigabyte and promised to increase that later.

While people weren’t particularly enamored with the idea of having their emails automatically scanned, they certainly liked the storage enough to continue using it. Nevertheless, Microsoft’s advertising whiz kids used the practice as a stick to beat Google with – albeit to very limited effect.


But Google’s not going to stop pushing targeted ads – it’ll just get the information to do this from your searches, YouTube watching habits, Android phone and every time you use any other Google service. And Google will still be doing some Gmail scanning to offer up its Smart Replies suggestions at the end of the messages. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/google_stops_scanning_gmail_messages/

US Secretary of State: I will work with Russia on cybersecurity issues

Jun 24

Analysis US Secretary of State Rex Tillerson has expressed a willingness to work directly with Russia on cybersecurity and other issues.

The proposed partnership is surprising, given the continued controversy over allegations that the Russians interfered with last year’s US presidential election – a serious accusation at the center of an ongoing Congressional inquiry.

Secretary of State Tillerson reportedly wants to work with Russia on attempts to de-escalate the Syrian civil war and North Korea’s missile program, in addition to cybersecurity. The first of these ambitions is particularly difficult in the wake of Russia’s belligerent warning that it was prepared to treat US warplanes as potential targets following a recent attack on a Syrian regime aircraft.

Tillerson’s efforts in attempting to mend fences with the former Cold War foe could help ease pressure on US cyber infrastructure, which many top officials and strategists consider vulnerable.

Bill Hagestad, a former US Marine Corps lieutenant colonel turned cyber conflict author and researcher, told El Reg that although “willingness to collaborate, communicate and cooperate at the cyber-strategic level” between the two super-powers would be a positive objective, the US still needs to tread carefully.

“The willingness to work together if stated as the commander’s intent at the Secretary of State level promotes positive tactical actions at all levels of both governmental agencies and the military – essentially a directive and guideline for future cyber cooperation,” Hagestad explained.

“The caveat is that both sides must mutually agree and abide by the rules of engagement, based upon trust in each other and confidence that in the absence of attribution confirmation, those on the front lines, eg, mouse and keyboard, will always strive to act appropriately.

“Conversely, if the strategic level is agreed upon, and one side or the other agrees but acts surreptitiously and in a deceitful way for exclusive self-gain – well then the whole concept of cyber cooperation is for naught,” Hagestad warned, saying that establishing trust in cyberspace, especially with Russia, is fraught with difficulties.

“In the case of Russia, any nation state must carefully be aware of their proclivity for taking advantage of such cooperation, especially in the cyber domain – and even more distinctly when it comes to the Russian use of cyber in conjunction with combined arms such as espionage, kinetic means, and physical invasion of a sovereign state – eg, Estonia and Ukraine.” ®

PS: President Obama ordered US government hackers to plant spyware in Russia’s key networks amid intelligence that the Kremlin was working hard on derailing America’s elections, it was reported today.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/tillerson_to_work_with_putin/

Anthem to shell out $115m in largest-ever data theft settlement

Jun 24

Health insurer Anthem has today agreed to pay $115m to settle a class-action suit brought over the 2015 theft of 78.8 million customer records from its systems.

The settlement fund will be used to cover damage costs incurred by people who had personal information including their names, dates of birth, addresses, and medical ID numbers stolen when, in 2015, Anthem was hit by hackers.

While credit card details and medical records were not accessed, the exposed personal information was serious enough that credit monitoring services have been given to affected customers.

Now, after two years of legal wrangling, a settlement package has been agreed on and put forward for court approval. Judge Lucy Koh will review the proposal and sign off on the deal or send it back to be re-written.

“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” lead attorney Eve Cervantez said.

As is usually the case with settlements, Anthem will not have to admit to any wrongdoing.

If you were one of those hit by the intrusion, don’t expect a big payout. Plenty of others will be getting their cuts first. According to the terms of the settlement, a full third of the package ($37,950,000) has been earmarked to cover attorney fees.

An additional $17m will be paid out to Experian, which is handling the credit and identity monitoring services for victims. Any taxes the government levies on the $115m payout will also be deducted from the fund itself.

After all that, people affected will be able to fill out the necessary forms to claim a share of the settlement, including coverage of out-of-pocket expenses they have incurred from the breach (but only up to $15m – beyond that no more out-of-pocket claims will be accepted).

The timeline for submitting claims will be decided after (and if) the settlement deal is approved. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/24/anthem_115m_largestever_data_theft_settlement/

Russia ‘targeted 21 states’ during US election campaign, says official

Jun 23

During the recent US Senate Intelligence Committee hearings on Russian interference in US elections Jeannette Manfra, the acting deputy under-secretary for cybersecurity and communications, provided the soundbite of the day:

As of right now we have evidence of election related systems in 21 states that were targeted.

What neither Manfra nor others testifying would share, in open session at least, was how the Russians targeted the election systems, nor how successful they were. She did, however, concede that there is no evidence that any attempt was made to penetrate state voting systems and alter results. In her opinion, the decentralized nature of the US elections would make it “virtually impossible” to do so without being detected.

The senators were not pleased with the reluctance of Manfra and others to reveal additional details – the who, what, where, why, and how of the targeting – beyond the declaration that the activity was owned by Russia. So we are left to pull back the covers ourselves.

We turn to the unauthorized leak of the top secret NSA analysis on the Russian General Staff Main Intelligence Directorate (GRU) and their activities targeting the US election. The existence of this report became known when Reality Winner provided it to The Intercept. The NSA analysis, taken at face value, called out how the Russians “targeted US election via phishing attacks”.

Now to be clear, the information in the analysis was not especially noteworthy from a technological standpoint. What is interesting is the finding on how the information was used cumulatively to move on to the next target. The analytic document contained a redacted image that outlined the spear-phishing campaign and made clear which information was known, and what is being deduced.

Spearphishing Diagram

The analysis indicates a phish email that was sent from [email protected] to 122 separate recipients, all associated with local government organizations, across up to 21 states. Last year, both Illinois and Arizona were told that their election offices or employees had been affected by a Russian effort.

The Arizona incident, in August 2016, at first seemed to be inconsequential. As the Washington Post reported at the time, Arizona’s secretary of state, Michele Reagan, shut down the voter registration system for nearly a week following a call from the FBI that a “credible” threat existed. It turned out that no compromise of the state’s systems had occurred, nor that of any Arizona county. A single election official in Gila County, Arizona, had had their username and password compromised when “a worker may have inadvertently downloaded a virus”. However, the username/password combination would only have provided access to the Gila County voting registration system.

The Illinois incident in July 2016, however, was more substantive. Thomas Kyle, director of voting and registration systems for the Illinois State Board of Elections, sent an email to all state election officials acknowledging that the breach had occurred on July 12 2016. Subsequently we learned the voter registration information for a “small percentage” of voters had indeed been accessed, but not altered or deleted.

Then, in August 2016, the FBI published an FBI Flash Alert, Targeting Activity Against State Board of Election Systems. The similarity between the FBI Flash Alert and the Illinois email? They both described how the actors could inject SQL database queries into states’ systems. Given the timing of the outreach by the FBI, the incidents in both states appear to be consistent with the “targeting” that both Manfra and the NSA describe in their analysis.
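The Flash Alert does not say which queries were injected, so here is an added, self-contained illustration of the class of flaw it describes, not code from the FBI, Illinois, or any state system. It builds a constructed three-row voter table in an in-memory SQLite database, looks a voter up with a string-concatenated query (injectable) and with a parameterized one (not), and shows what the classic `' OR '1'='1` payload does to each.

```python
import sqlite3

# Constructed sample data for the demo; not real voter records.
VOTERS = [
    ("A100", "Ada Lovelace", "1815-12-10"),
    ("B200", "Alan Turing", "1912-06-23"),
    ("C300", "Grace Hopper", "1906-12-09"),
]

# Classic tautology payload: closes the opening quote, then makes the WHERE clause always true.
PAYLOAD = "' OR '1'='1"

def make_db():
    """Fresh in-memory database with the constructed voter table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (voter_id TEXT, name TEXT, dob TEXT)")
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?)", VOTERS)
    return conn

def lookup_vulnerable(conn, voter_id):
    """Query text built by concatenation: attacker-controlled input becomes SQL."""
    sql = "SELECT voter_id, name, dob FROM voters WHERE voter_id = '" + voter_id + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, voter_id):
    """Same lookup with a bound parameter: the driver never parses the value as SQL,
    so the payload is just a voter_id that matches nothing."""
    sql = "SELECT voter_id, name, dob FROM voters WHERE voter_id = ?"
    return conn.execute(sql, (voter_id,)).fetchall()

def compare(voter_id):
    """Return (rows from vulnerable lookup, rows from parameterized lookup) for one input."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, voter_id), lookup_parameterized(conn, voter_id)
    finally:
        conn.close()

if __name__ == "__main__":
    for probe in ("B200", PAYLOAD):
        vuln, safe = compare(probe)
        print(f"input={probe!r}: vulnerable returned {len(vuln)} row(s), parameterized {len(safe)}")
```

Dumping a registration table is the read-only outcome; the same concatenation flaw would let a stacked or UNION query alter records on engines that allow it, which is why the "accessed but not altered" finding in Illinois was a matter of attacker choice rather than a technical limit.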

Add to this the contemporaneous activities that were going on at the Democratic National Committee, whose dirty laundry was put on show by the Fancy Bear hacker group, and it seems clear that the Russians were busy in the summer of 2016. Interestingly, we learned from homeland security secretary Jeh Johnson, during a separate hearing that the DNC had turned away both the FBI and Homeland Security, instead relying on a private company to get to the bottom of who had ravaged their systems.

Despite all this, we would expect Russian president Vladimir Putin to deny that a Russian hand has been involved. And yes, he did not disappoint.

Hackers are free people. They are like artists. If they are in a good mood, they get up in the morning and begin painting their pictures. Hackers are the same. They wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia.

Whether it is acknowledged or not, what the Russians have demonstrated is their active campaign to sow doubt and uncertainty in the US election (and those of other nations) has been successful. And one thing’s for sure: this is not the last we’ve heard about the Russian meddling in the US election process, and if predictions are correct, it isn’t the last we’ve seen of their meddling either.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ic-puya9_Zs/

News in brief: drone chiefs urge regulation; Microsoft drops SMB1; Virgin router warning

Jun 23

Your daily round-up of some of the other stories in the news

Drone chiefs call for regulations

Drone industry chiefs were due to meet President Trump at the White House this week – and were expected to call for more regulation.

The meetings, which were due to start on Thursday, are to focus on regulations for emerging technologies including 5G, artificial intelligence and drones. They include executives from organisations including AT&T, drone-maker PrecisionHawk and venture capitalist firms.

Michael Chasen, chief executive of PrecisionHawk, told Recode that “the drone industry is one of the few industries where we need more regulations, not less”. That’s because the FAA hasn’t yet produced rules that would make it legal to carry out commercial activities such as delivering packages.

Greg McNeal of mapping software company AirMap told Recode: “We asked why autonomous cars weighing 3,500lb can drive next to hundreds of pedestrians, but a 3lb drone can’t fly over people. The FAA follows a legacy approach to regulating aviation that requires everyone to ask for permission.”

Microsoft to retire SMB1

The next version of Windows will not include SMB1, the protocol that facilitated the spread of the WannaCry ransomware outbreak in May.

The change is already rolling out to members of Microsoft’s Windows Insider programme – the shift will feature in Build 16226 of Windows 10.

In a Windows Insider blogpost, Dona Sarkar said: “As part of a multi-year security plan, we are removing the SMB1 networking protocol from Windows by default. This build has this change, however the change only affects clean installations of Windows, not upgrades.”

Microsoft has been urging users to ditch that protocol since before the WannaCry outbreak: Ned Pyle said, loud and clear, back in September last year that “SMB1 isn’t safe”.

He added in his Technet post: “The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle.”

For users who aren’t early-adopter nerds on the Windows Insider programme, the change will come when the Redstone 3 – or Fall Creators’ Update – rolls out.

Virgin customers warned on routers

Are you a Virgin Media customer in the UK with the Super Hub 2 router? If so, you’re among the 800,000 or so users who probably need to change both the Wi-Fi password and the password to access the router’s configuration pages.

The warning came after research by the consumer association Which? found that the router model’s default passwords were insecure: the Wi-Fi password is easily cracked, according to Which?, and once on the network, the default admin password is the same for all devices.

Which? criticised a number of devices that Naked Security has flagged up in the past, including the CloudPets teddy whose user accounts had been breached, and insecure IoT security cameras.

Virgin said it was offering affected customers the option to upgrade to a newer router – the Super Hub 3 – and added: “The security of our network and of our customers is of paramount importance to us.”



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1uLI5moX7l8/