
‘Furious’ gunwoman opens fire at YouTube HQ, three people shot

Final update A woman armed with a handgun opened fire today at the headquarters of YouTube, shooting three people. She was found dead after turning her gun on herself.

The shooting happened just before 1pm Pacific Time at the video-sharing giant’s offices in San Bruno, California, the city’s cops confirmed to El Reg.

San Francisco General Hospital treated a 36-year-old man, who is in a critical condition, and two women, aged 32 and 27, who are in serious and fair conditions respectively. All three had been shot.

Another woman, understood to be the shooter, died of self-inflicted gunshot wounds near the YouTube campus. Identified locally as 38-year-old Nasim Aghdam, she was, according to her family, “angry” that YouTube had stopped paying her for her online videos and taken down her material.

“There is no equal growth opportunity on YouTube or any other video sharing site, your channel will grow if they want to,” Aghdam wrote on her website. “YouTube filtered my channels to keep them from getting views.”

Aghdam’s family had reported her missing, after she disappeared for two days, and was found sleeping in her car. Her father, Ismail, said he warned police she had developed a hatred for YouTube and may target the organization.

Chaos in Silicon Valley

Immediately after gunfire echoed around the campus, a few hundred staff fled the site, some with their hands up as the cops arrived. Officers described the scene as chaotic. One witness claimed as many as 20 shots were fired. The website’s base, at 901 Cherry Avenue in the small city, was quickly surrounded by cops, with the public told to stay away.

Some employees barricaded themselves in their offices after someone triggered a fire alarm and reports spread of a shooting on an outside patio during lunch. A number of calls flooded the 911 emergency line.

One YouTube manager reported seeing blood on the floor and stairs before being evacuated and ushered to safety by police.

“We are coordinating with authorities,” a spokesperson for YouTube said.

“We advised all other employees in the Bay Area, and people with meetings scheduled, to stay away from the area, and that there is no need to take any action. We have provided employees a helpline.”

Meanwhile, Lavrusik, one of the YouTube staff quoted above, had their Twitter account temporarily hijacked by miscreants to tweet out fake news about the shooting, until Twitter staff restored access. ®

Final update

According to San Bruno Police Chief Ed Barberini, officers arrived on the scene at 12.48pm to the sight of scores of techies fleeing the campus. A woman, suspected of being the shooter, appeared to have killed herself.

Two of the other wounded people were found in what was described as “an adjacent business” – this may well be a separate building on the YouTube campus, or the Carl’s Jr burger joint next door. One had been shot in the leg, and was initially treated by restaurant staff using a makeshift tourniquet.

One of the other shooting victims was found wounded in front of the main YouTube building. A fourth person hurt their ankle while fleeing the HQ. The whole incident is now under investigation.

Google CEO Sundar Pichai commented: “There are no words to describe the tragedy that occurred today. [YouTube boss] Susan Wojcicki and I are focused on supporting our employees and the YouTube community through this difficult time together. Thank you to the police and first responders for their efforts, and to all for messages of support.”

District Attorney George Gascón said in a statement:

A shooting has once again rocked a community, and those with the authority to reduce gun violence in this country have once again offered nothing more than thoughts and prayers. Rightwing lawmakers crow about law and order while bending at the knee for the NRA – the industry flacks for the ultimate threat to public safety. The hypocrisy is lost on no one. This country will continue to suffer from disproportionate levels of gun deaths and mass shootings until the lawmakers who are holding up commonsense gun reform stop talking out of both sides of their mouth and make public safety a priority.

Meanwhile, the president offered his prayers:

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/03/youtube_hq_active_shooter/

Hold the phone: Mystery fake cell towers spotted slurping comms around Washington DC

The US Department of Homeland Security (DHS) says it has detected strange fake cellphone towers – known as IMSI catchers – in America’s capital.

These devices, which can masquerade as real phone masts to track people’s movements and potentially eavesdrop on calls and texts, represent a real and growing security risk, the agency said.

And whoever is operating them in Washington DC is, we’re told, a mystery to Uncle Sam’s g-men.

DHS official Christopher Krebs dropped this mild bombshell in a March 26 letter sent to Senator Ron Wyden (D-OR), a memo that was made public this week.

On November 17 last year, Wyden sent several questions to Homeland Security about whether it had any evidence of foreign IMSI catchers operating in the Washington DC area.

International Mobile Subscriber Identity (IMSI) catchers, such as Harris Corporation’s StingRay, are devices that pretend to be cell towers in order to collect device identifiers (metadata) and potentially communication data – some devices can force phones to downgrade to 2G mode to make content interception easier. Security researchers have demonstrated that texts and calls can be collected using this type of gear.

They’re used around the country by the cops and Feds, but concern has been growing that they’re also used for eavesdropping by foreign spies, private miscreants, and other malicious parties.

Anomalous

In answer to Wyden’s query, the DHS said its National Protection and Programs Directorate (NPPD) “has observed anomalous activity in the National Capital that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers.”

But beyond that, NPPD hasn’t yet identified specific devices nor attributed their use to specific entities. The agency says it has made other federal agencies aware of its findings.

The Federal Communications Commission has been aware of the issue since at least 2014 when it formed a task force to crack down on unauthorized use of cell tower simulators. The escalating concerns about unknown parties eavesdropping on public and government communications suggest the FCC inquiry hasn’t accomplished much.

Senator Wyden also asked whether the DHS has the capability to detect 4G/LTE IMSI catchers, capable of surveilling recent model phones.

The NPPD responded that it’s not aware how it would detect such technology and that if detection tech exists, the DHS would require funding for software, hardware, and personnel to do so.

According to the American Civil Liberties Union, 73 agencies in 25 states and the District of Columbia own IMSI catchers, though the advocacy organization suggests the devices may be more widespread because government agencies often conceal such purchases.

As for the number of devices operated by foreign spies and the like, that’s still being worked out. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/03/imsi_catcher_stingray_washington_dc/

Intel admits a load of its CPUs have Spectre v2 flaw that can’t be fixed

Intel has issued a new “microcode revision guidance” that confesses it won’t address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it’s too tricky to remove the Spectre v2 class of vulnerabilities.

The new guidance, issued April 2, adds a “stopped” status to Intel’s “production status” category in its array of available Meltdown and Spectre security updates. “Stopped” indicates there will be no microcode patch to kill off Meltdown and Spectre.

The guidance explains that a chipset earns “stopped” status because, “after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons.”

Those reasons are given as:

Thus, if a chip family falls under one of those categories – such as Intel can’t easily fix Spectre v2 in the design, or customers don’t think the hardware will be exploited – it gets a “stopped” sticker. To leverage the vulnerabilities, malware needs to be running on a system, so if the computer is totally closed off from the outside world, administrators may feel it’s not worth the hassle applying messy microcode, operating system, or application updates.

“Stopped” CPUs that won’t therefore get a fix are in the Bloomfield, Bloomfield Xeon, Clarksfield, Gulftown, Harpertown Xeon C0 and E0, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale, Wolfdale Xeon, Yorkfield, and Yorkfield Xeon families. The new list includes various Xeons, Core CPUs, Pentiums, Celerons, and Atoms – just about everything Intel makes.

Most of the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use.

Intel has not revealed which of the “stopped” CPUs listed can’t be mitigated at all, and which Chipzilla can’t be bothered finishing patches for. We’ve asked Intel to provide that list, and will update this story if the biz replies.


There’s some good news in the tweaked guidance: the Arrandale, Clarkdale, Lynnfield, Nehalem, and Westmere families that were previously un-patched now have working fixes available in production, apparently.

“We’ve now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google Project Zero,” an Intel spokesperson told The Reg.

“However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.”

Now all Intel has to do is sort out a bunch of lawsuits, make sure future products don’t have similar problems, combat a revved-up-and-righteous AMD and Qualcomm in the data centre, find a way to get PC buyers interested in new kit again, and make sure it doesn’t flub emerging markets like IoT and 5G like it flubbed the billion-a-year mobile CPU market. ®

PS: Chipzilla today launched some eighth-gen Core i9 parts for laptops. These are allegedly free of Spectre and Meltdown.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/04/intel_says_some_cpus_with_spectre_v2_cant_be_fixed/

Mad March Meltdown! Microsoft’s patch for a patch for a patch may need another patch

Days after Microsoft released its third attempt at a fix for the Meltdown security vulnerability in Intel’s modern processors, system administrators say many of their 64-bit Windows 7 and Server 2008 R2 boxes are still unable to be properly patched.

Pseudo-anonymous Reg reader Lawrence Birdman, who administers around 120 Windows 7 x64 PCs, says all but four of his machines haven’t been able to get the most recent update – the software tweak appearing as “not applicable” for the computers in WSUS (Windows Server Update Services).

The out-of-band emergency update, KB4100480, was released by Microsoft last week to supplement a patch released in early March to address severe vulnerabilities accidentally introduced by Redmond’s engineers in their January and February security updates for Meltdown on Windows 7 and Windows Server 2008 R2.

That early March update attempted to kill off security bug CVE-2018-1038, introduced in January’s Meltdown patch, but it wasn’t entirely effective, hence the need to grab and install KB4100480.

Unfortunately, our reader says, something appears to be wrong with WSUS, and some 116 machines under his care, systems that have both the January and February security updates that contain the vulnerability, are being told they cannot get this latest fix.

“The problem is that they’re showing as ‘not applicable’ for all but 4 of my 120 win7 x64 machines,” Birdman told us.

“So even though I’ve approved the update, it’s not getting applied to the machines that need it, because the ‘update needed’ detection appears to be buggy.”

Chocolate teapot

We asked Microsoft about the issue and, in true Redmond fashion, received the following useless statement in response: “The update is available to WSUS customers, who can download and import it into WSUS from the catalog.”

Perhaps the patch is being rolled out gradually, so some people aren’t getting it, but in any case, the Windows giant can’t be bothered explaining, leaving confused customers in the dark.

Other admins are also seeing similar problems: discussion threads on Woody Leonhard’s Windows-watching website have popped up on the matter, with many saying that though they realize their machines are in need of the patch for the patch for the patch, they can’t seem to get WSUS to apply it.

“Of approximately 200 Windows Server 2008 R2 systems all of which have installed more than at least one of the qualifying Jan-Mar updates, only 18 are showing that KB4100480 is applicable,” wrote one techie.

“On top of that, since we do utilize WSUS, nearly all of those 200 systems are patched identically.”

Microsoft’s next scheduled security release is the April 10 monthly update bundle. ®

PS: There’s now a hot fix available for Windows 7 and Server 2008 R2 users who find the latest security updates knacker their networking settings.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/03/microsoft_windows_meltdown_patch_saga/

Do(ug)h! Half-baked security at Panera Bread spills customer data

The website for restaurant chain Panera Bread has made the personal information for customers’ online accounts available for takeout since August last year, according to security researcher Dylan Houlihan.

The all-you-can-eat menu on its website offered online account holders’ full names, home addresses, email addresses, dietary preferences, usernames, phone numbers, birthdays and the trailing four digits of saved credit cards to anyone able to construct a simple web query.

It’s not clear whether anyone took advantage of this moveable data feast – no actual data theft has been alleged – but eight months after initially alerting the bread biz, Houlihan finally managed to get the culinary company to close its data buffet on Monday by publishing evidence of his findings on Pastebin and alerting the media.

Houlihan, tired of being ignored by Panera’s security team, posted about Panera’s unpalatable security on Medium, alongside screenshots of email correspondence with Panera Bread’s information security director, Mike Gustavison.

“Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months,” Houlihan wrote.

Once reports about the issue started to appear, Panera Bread CIO John Meister attempted to minimize the data exposure by telling Fox News fewer than 10,000 accounts were potentially affected.

That figure was challenged by independent security reporter Brian Krebs, who put the number initially at 7 million and subsequently revised his estimate to 37 million.

Other security researchers have since chimed in to point out subpar settings affecting other parts of Panera’s website.

Fetching millions of accounts via query would have been far harder had Panera used a non-guessable account numbering scheme.

But Panera implemented the opposite: an easily guessable account numbering scheme by which anyone with basic coding skills could hit the account API endpoint – https://delivery.panerabread.com/foundation-api/users/uramp/1234567 – and iterate through every database entry.

As the now removed Pastebin post explained, “Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database.”
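To make the flaw described above concrete, the following is an added Python illustration, not code from Panera or from the researcher: a lookup handler that keys records by a sequential integer taken from the URL with no ownership check, beside a hardened handler that requires the caller to own the record and exposes only random opaque handles. The records, the `/users/<id>` path prefix and the `Request` object are constructed stand-ins, not Panera’s real API.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample records, keyed by sequential integers as the article describes.
USERS_BY_SEQ_ID = {
    1234567: {"name": "Alice Example", "email": "alice@example.invalid",
              "phone": "555-0100", "card_last4": "4242"},
    1234568: {"name": "Bob Example", "email": "bob@example.invalid",
              "phone": "555-0101", "card_last4": "1111"},
}


@dataclass
class Request:
    path: str
    session_user_id: Optional[int]  # id of the logged-in user, None if anonymous


def _last_segment(path: str) -> str:
    return path.rstrip("/").rsplit("/", 1)[-1]


def vulnerable_lookup(req: Request) -> Optional[dict]:
    """The flawed pattern: the trailing path segment is the record key and nothing
    ties it to the caller, so every record in the integer space is readable."""
    try:
        seq_id = int(_last_segment(req.path))
    except ValueError:
        return None
    return USERS_BY_SEQ_ID.get(seq_id)


# Hardened form. Two independent fixes, best applied together:
#  1. an authorization check: a caller may read only the record belonging to the
#     identity in their own session (this is what actually closes the hole);
#  2. opaque random handles in URLs instead of sequential integers, so a neighbour's
#     record is no longer one increment away.
OPAQUE_TO_SEQ_ID: dict = {}   # public handle -> internal sequential id
SEQ_ID_TO_OPAQUE: dict = {}


def issue_opaque_handle(seq_id: int) -> str:
    """Return the public handle for an internal id, minting one on first use."""
    if seq_id not in SEQ_ID_TO_OPAQUE:
        handle = secrets.token_urlsafe(16)  # 128 random bits: not guessable by counting
        OPAQUE_TO_SEQ_ID[handle] = seq_id
        SEQ_ID_TO_OPAQUE[seq_id] = handle
    return SEQ_ID_TO_OPAQUE[seq_id]


def hardened_lookup(req: Request) -> Optional[dict]:
    if req.session_user_id is None:
        return None                       # unauthenticated callers get nothing
    seq_id = OPAQUE_TO_SEQ_ID.get(_last_segment(req.path))
    if seq_id is None or seq_id != req.session_user_id:
        return None                       # unknown handle, or not the caller's own record
    return USERS_BY_SEQ_ID[seq_id]


def count_exposed(lookup: Callable[[Request], Optional[dict]],
                  session_user_id: Optional[int], candidate_ids: Iterable) -> int:
    """Reviewer's check: how many candidate path ids one caller can read through a handler.
    Anything above the caller's own record is an enumeration finding."""
    return sum(1 for i in candidate_ids
               if lookup(Request(f"/users/{i}", session_user_id)) is not None)
```

Run `count_exposed` over a small id window with both handlers to see the difference: the vulnerable handler returns every existing record to an anonymous caller, the hardened one returns none.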

The Register asked Panera Bread for comment but we’ve not heard back. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/03/panera_bread_security/

‘Gunwoman’ opens fire at YouTube HQ, three rushed to hospital

Updated A shooter, believed to be a woman, has opened fire at the headquarters of YouTube in San Bruno, California, injuring at least three people. She was found dead at the scene.

The city’s cops confirmed to The Register the Silicon Valley offices of the video-sharing giant experienced an active shooting today just before 1pm Pacific Time.

San Francisco General Hospital is treating a 36-year-old man, who is in a critical condition, and two women, aged 32 and 27, who are in serious and fair condition respectively. All three have gunshot injuries.

Another woman, understood to be the shooter, died of apparent self-inflicted gunshot wounds near the YouTube campus.

A few hundred staff fled the site, some with their hands up after the cops arrived. One witness claimed as many as 20 shots were fired. The website’s base, at 901 Cherry Avenue in the small city, was surrounded by officers, with the public told to stay away. The FBI are on standby.

Earlier, some employees barricaded themselves in their offices after someone triggered a fire alarm and reports spread of a shooting during lunch on an outside patio. A number of calls flooded the 911 emergency line.

One YouTube manager reported seeing blood on the floor and stairs before being evacuated and ushered to safety by police.

“We are coordinating with authorities,” a spokesperson for YouTube said.

“We advised all other employees in the Bay Area, and people with meetings scheduled, to stay away from the area, and that there is no need to take any action. We have provided employees a helpline.”

There is no confirmation of any motive, although it is speculated a woman opened fire on her boyfriend. Google-owned YouTube has been in and out of the news over its handling of trolls and fake news regarding a high-school shooting in Florida.

Updated to add

According to San Bruno Police Chief Ed Barberini, officers arrived on the scene at 12.48pm, and found a total of four people injured as described above.

Of those, one was a woman dead from an apparent self-inflicted gunshot wound, and is believed to be the shooter. Two of those injured were found in what was described as “an adjacent business” – this may well be a separate building on the YouTube campus, or the Carl’s Jr burger joint next door.

Barberini stopped short of declaring that woman to be the shooter, though the police chief did say the incident is now an investigation.

This is a developing story. We will update it with more information as it arrives.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/03/youtube_hq_active_shooter/

Francisco Partners Buys Bomgar

Private equity firm Francisco Partners plans to acquire Bomgar, a privileged access and identity management company.

Francisco Partners (FP), a tech-focused private equity firm based in San Francisco, has confirmed plans to acquire Bomgar from Thoma Bravo. FP reports the identity management company will strengthen its cybersecurity portfolio.

Bomgar was founded in 2003 and has built its business around defending endpoints and privileged credentials. Its privileged access management and remote support tools have 13,000 customers around the world. Most recently, Bomgar acquired Lieberman Software, a provider of privileged identity and credential management systems.

Privileged identity and access management is an increasingly important area for businesses, says Brian Decker, partner and head of security investing at Francisco Partners, in a statement. FP intends to leverage Bomgar’s position to grow within a part of the market that’s critical to the enterprise.

Terms of the deal were not disclosed. Read more details here.

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/operations/francisco-partners-buys-bomgar-/d/d-id/1331438?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Medical Device Security Startup Launches

Cynerio lands multi-million dollar funding round.

A new startup officially launched in the medical device security sector today and announced multi-million dollar funding rounds from Elron and Accelmed.

Cynerio – co-founded by Leon Lerman, CEO, formerly with RSA Security and Israel’s 8200 unit, and Daniel Brodie, CTO – offers a platform that provides visibility into medical device behavior on the network to detect and halt nefarious activity.

“For attackers, medical devices are easy targets, as the devices aren’t built with security in mind and healthcare security teams have limited ability to protect these devices with traditional IT security solutions that are more focused on standard platforms,” Lerman said in a statement. “Our technology offers a comprehensive solution, purposely built to protect the medical device ecosystem and their sensitive data.”

Amichai Shulman, co-founder and former CTO of Imperva, serves as an advisor to the company. Specifics on Cynerio’s funding round were not made public.

Read more here.



Article source: https://www.darkreading.com/risk/medical-device-security-startup-launches/d/d-id/1331444?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Attack Vector Shows Dangers of S3 Sleep Mode

Researchers at Black Hat Asia demonstrated how they can compromise the security of a machine as it powers down and wakes up.

Two researchers at Black Hat Asia last month gave computers a reason to sleep with one eye open in their demo of “S3 Sleep,” a new attack vector used to subvert the Intel Trusted eXecution Environment (TXT). A flaw in Intel TXT lets hackers compromise a machine as it wakes up.

Intel TXT is the hardware-based functionality that supports the dynamic root-of-trust measurement (DRTM) and validates the platform’s trustworthiness during boot and launch. This attack targets trusted boot (tBoot), a reference implementation of Intel TXT normally used in server environments. tBoot is an open-source project that protects the virtual machine monitor (VMM) and operating system.

Senior security researcher Seunghun Han and security researcher Jun-Hyeok Park, both with the National Security Research Institute of South Korea, presented an exploit of the “Lost Pointer” vulnerability (CVE-2017-16837), a software flaw in tBoot. This specific attack vector has never been reported, the two said at Black Hat, and attackers only need root privilege to do it.

Researchers have investigated Intel TXT and tBoot before, the researchers explained. However, previous studies have only focused on the boot process. This one focuses on the sleeping and waking up sequence of tBoot, and how attackers could exploit a machine as it reactivates.

Securing the sleep states

Sure, you could avoid this kind of attack by keeping machines running constantly, so Han started their Black Hat session by pointing out the financial reasons for sleep mode. “Power consumption is cost,” Han explained. “Many companies worry about power consumption for their products because lower power consumption means a lower electricity fee.”

Shutting down machines dramatically reduces power consumption; however, reactivating all of their components poses a security risk. As the computer wakes up, restarting its many parts takes time and security devices might be temporarily shut down for part of the process.

PC, laptop, and server environments supporting advanced configuration and power interface (ACPI) have six sleeping states to gradually reduce power consumption as the machine shuts down. The states go from S0 to S5 as the CPU, devices, and RAM go into full sleep mode. Power to the CPU and devices is cut off at the S3 phase of sleep.

“Because of power-off, their states need to be restored and reinitialized for waking up,” says Han. “If we intercept sleep and waking up, we can do something interesting.”

There are boot protection mechanisms, Park says. The secure boot of the Unified Extensible Firmware Interface (UEFI) checks a cryptographic signature of the binary prior to execution, and stops it if the executable file lacks a valid signature. “Measured boot” measures a hash of the binary prior to execution and stores the measurement to the Trusted Platform Module (TPM).

TPM is a hardware security device widely deployed in commercial devices, Han says. It’s designed with a random number generator, encryption functions, and Platform Configuration Registers (PCRs), which store hashes and can be used to seal data like Bitlocker, he explains.

The danger of sleep mode

When the system wakes up, it should turn on the security functions of the CPU and recover the PCRs of the TPM. However, because of the Lost Pointer flaw, tBoot doesn’t measure all function pointers. Certain pointers in tBoot are not validated and can cause arbitrary code execution.

By exploiting the Lost Pointer flaw on a machine in S3 sleep mode, Han and Park found they can forge PCR values while a system sleeps and wakes up. If they can make the PCR variables whatever they want, attackers can subvert the Intel TXT security mechanism.

The researchers advise updating your tBoot to the latest version, or disabling the sleep feature in the BIOS, to protect against this kind of attack.
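To make the PCR mechanics described in the paragraphs above concrete, here is an added Python illustration that is not code from the researchers or from the tBoot project: a SHA-256 PCR extend chain, a toy seal bound to a PCR value (an assumption that stands in for the TPM’s own sealing), and a log-replay check. It shows why a re-measured tampered kernel cannot unseal, why an attacker who can set PCR values directly, the outcome the researchers describe, defeats that protection, and how replaying the measurement log against a reported PCR catches a value the log does not reproduce. The component images are constructed stand-ins.

```python
import hashlib
import hmac
from typing import List, Optional

PCR_INIT = bytes(32)  # a SHA-256 bank PCR starts as all zeros at reset


def measure(blob: bytes) -> bytes:
    """Hash a component (e.g. the VMM or kernel image) before it runs."""
    return hashlib.sha256(blob).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || measurement). A real TPM only allows extend,
    never a direct write, which is what makes a stored measurement trustworthy."""
    return hashlib.sha256(pcr + measurement).digest()


def replay_log(event_log: List[bytes]) -> bytes:
    """Recompute the PCR value a sequence of measurements must produce."""
    pcr = PCR_INIT
    for m in event_log:
        pcr = pcr_extend(pcr, m)
    return pcr


def _key_for(pcr: bytes) -> bytes:
    return hashlib.sha256(b"seal-key" + pcr).digest()


def seal(secret: bytes, pcr: bytes) -> dict:
    """Toy sealing (assumption): derive a key from the PCR value, mask the secret with a
    keystream and bind it with a MAC, so unsealing needs the identical PCR value."""
    key = _key_for(pcr)
    pad = hashlib.shake_256(b"stream" + key).digest(len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    return {"ct": ct, "tag": hmac.new(key, ct, hashlib.sha256).digest()}


def unseal(blob: dict, pcr: bytes) -> Optional[bytes]:
    key = _key_for(pcr)
    if not hmac.compare_digest(hmac.new(key, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
        return None  # PCR does not match the sealing policy
    pad = hashlib.shake_256(b"stream" + key).digest(len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))


# Constructed stand-ins for the components measured at launch and again on S3 resume.
GOOD_VMM = b"vmm-image-v1"
GOOD_KERNEL = b"kernel-image-v1"
TAMPERED_KERNEL = b"kernel-image-v1-with-implant"


def golden_pcr() -> bytes:
    """The PCR value the known-good launch sequence produces."""
    return replay_log([measure(GOOD_VMM), measure(GOOD_KERNEL)])


def resume_unseals(kernel: bytes, forged_pcr: Optional[bytes] = None) -> bool:
    """Simulate S3 resume: components are re-measured into a fresh PCR and the secret
    sealed at launch is tried. forged_pcr models the researchers' result, a PCR value
    chosen by the attacker rather than produced by measurement."""
    sealed = seal(b"disk-key", golden_pcr())
    if forged_pcr is not None:
        pcr = forged_pcr
    else:
        pcr = replay_log([measure(GOOD_VMM), measure(kernel)])
    return unseal(sealed, pcr) == b"disk-key"


def log_matches_pcr(event_log: List[bytes], reported_pcr: bytes) -> bool:
    """Attestation-side check: a reported PCR must be reproducible from the event log.
    A PCR that the log does not replay to is a red flag."""
    return hmac.compare_digest(replay_log(event_log), reported_pcr)
```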



Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/new-attack-vector-shows-dangers-of-s3-sleep-mode/d/d-id/1331445?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Deadly Security Sins of Web Applications

The top ways organizations open themselves up to damaging Web app attacks.

Image Source: Adobe Stock (Pavel Ignatov)


Web application attacks are on the rise, according to recent figures from Akamai, which logged a 10% increase in attacks from Q4 of 2016 to the same time period in 2017.

“The vast majority of web application attacks are the result of untargeted scans looking for any vulnerable system, but a few are directed attempts to compromise a specific target,” writes Martin McKeay, senior security advocate for the firm, within its most recent State of the Internet Security report. “In either case, they are so frequent and so ‘noisy’ — in other words, difficult to accurately detect — that many organizations are struggling to simply keep their web application firewalls running effectively, and do not have the spare cycles to worry about what their systems might be missing.”

The bottom line is that organizations need to improve their secure coding practices to reduce their risk in this arena. This list highlights some of the biggest risks organizations open themselves up to when it comes to their Web apps.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/cloud/7-deadly-security-sins-of-web-applications/d/d-id/1331353?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple