
Monthly Archives: March 2018

Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix

Previously we reported that the latest Meltdown Patch broke networking in Win7 and Server 2008. Now, if you’re using Windows 7 or Server 2008 R2 and have applied Microsoft’s Meltdown patches, you’ll want to grab and install today’s (29-Mar 2018) out-of-band update for CVE-2018-1038 here.

We did this on a Win7 VM we have and it seemed to work and not break the network as the previous release did.

As the article concludes (and a rule we follow here):

In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

Full Article Follows

Quote

Microsoft today issued an emergency security update to correct a security update it issued earlier this month to correct a security update it issued in January and February.

In January and February, Redmond emitted fixes for Windows 7 and Server 2008 R2 machines to counter the Meltdown chip-level vulnerability in modern Intel x64 processors. Unfortunately, those patches blew a gaping hole in the operating systems: normal applications and logged-in users could now access and modify any part of physical RAM, and gain complete control over a box, with the updates installed.

Rather than stop programs and non-administrators from exploiting Meltdown to extract passwords and other secrets from protected kernel memory, the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM.

Roll on March, and Microsoft pushed out fixes on Patch Tuesday to correct those January and February updates to close the security vulnerability it accidentally opened.

Except that March update didn’t fully seal the deal: the bug remained in the kernel, and was exploitable by malicious software and users.

Total Meltdown

Now, if you’re using Windows 7 or Server 2008 R2 and have applied Microsoft’s Meltdown patches, you’ll want to grab and install today’s out-of-band update for CVE-2018-1038.

Swedish researcher Ulf Frisk discovered the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken, and went public with his findings once the March Patch Tuesday had kicked off. As it turns out, this month’s updates did not fully fix things, and Microsoft has had to scramble to remedy what was now a zero-day vulnerability in Windows 7 and Server 2008.

In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

How Local Governments Can Prevent Cyberattacks

Quote

The recent cyberattack on Atlanta, in which the municipal government’s computers and related services were held hostage by a ransomware attack, is a reminder that local governments are particularly vulnerable to these and other cyberthreats.

Local governments of all sizes and locations now own and operate a wide and growing array of internet-connected technology systems: employee-issued laptops, motion sensors on light poles and under pavement, mapping and informational systems inside police cars, online citizen-engagement tools and much more.

Most local governments in the United States don’t have a strong grasp of the policies and procedures they should implement to protect their technology systems from attacks. This is especially concerning because the threat of a cyberattack is the most important cybersecurity problem they face, according to a survey conducted by the organization I work for, the International City/County Management Association, and the University of Maryland, Baltimore County.

Forty-four percent of local governments report that they regularly face cyberattacks, on either an hourly or daily basis. More troubling is the high percentage of governments that do not know how often they are attacked (28 percent) or breached (41 percent). Further, a majority of local governments do not catalog or count attacks (54 percent).

This statistic alone is disturbing because SIEMs (Security Information and Event Management systems), local and cloud based, have been available for well over 12 years. I know this because I implemented a third-party vendor SIEM in ’06. Before then, and even today, there were numerous open source utilities available to flag anomalies from logs. We run a small site and on average our logs show attack attempts every few minutes. Municipalities are larger, offer more lucrative targets and present larger attack surfaces to miscreants.

This is not just an American problem. Last month, at a conference in Tel Aviv, Tamir Pardo, the former head of Mossad, Israel’s national intelligence agency, said that most local government leaders around the world do not fully understand how serious a threat cyberattacks are and have not imaginatively assessed the consequences of inaction. He described cyberthreats as “soft nuclear weapons” that one day may be used to start and finish a war without firing a shot.

So what should local governments do to improve their cybersecurity apparatus to help prevent or mitigate damage from future attacks like the one experienced in Atlanta, or from those contemplated by Mr. Pardo?

First, local leaders must create a culture of cybersecurity that imagines worst-case scenarios and explores a range of solutions to mitigate threats to the ecosystem of local government technology. This should involve prioritizing funding for cybersecurity, establishing stronger cybersecurity policies and training employees in cybersecurity protocols. Success will require collaboration with local elected officials, internet-technology and cybersecurity staff members, department managers and end users.

We like to advise that cyber security is 75% user education & 25% technology.

Cybersecurity is more than just the I.T. department’s problem. It must now also be a top priority along the entire chain of elected and appointed officials in and around local governments. Preventing and mitigating the effects of future attacks will require intergovernmental cooperation, because localities work together across state lines and collaborate with the federal government on crucial tasks like running elections, managing transportation and sharing intelligence.

Most technological advances are transforming local governments for the better, moving them from inefficient and costly paper systems to digital systems that allow for better analysis and understanding of policy decisions. The science of analytics and big data promises even greater leaps for local governments in evidence-based policymaking. These exciting developments may one day radically alter the ways that traditional local government services are financed, operated and managed.

But we cannot get lost in the excitement. We must actively prepare for cyberthreats of the sort that have been demonstrated in places like Atlanta. If smart cities and communities are the brightly lit days of the increasingly connected world of local government technology, cyberattacks are the dark and stormy nights. We don’t need to halt technological deployments and evolution, but we do need to recognize that cybersecurity is an essential counterpart.

AT&T/Verizon lobbyists to “aggressively” sue states that enact net neutrality

Quote

The dangers of oligopolies. More than anything else, what the internet needs is trust busters.

A lobby group that represents AT&T, Verizon, and other telcos plans to sue states and cities that try to enforce net neutrality rules.

USTelecom, the lobby group, made its intentions clear yesterday in a blog post titled, “All Americans Deserve Equal Rights Online.”

Yeah – All Americans == all their fellow oligopolists

“Broadband providers have worked hard over the past 20 years to deploy ever more sophisticated, faster and higher-capacity networks, and uphold net neutrality protections for all,” USTelecom CEO Jonathan Spalter wrote. “To continue this important work, there is no question we will aggressively challenge state or municipal attempts to fracture the federal regulatory structure that made all this progress possible.”

The USTelecom board of directors includes AT&T, Verizon, Frontier, CenturyLink, Windstream, and other telcos. The group’s membership “ranges from the nation’s largest telecom companies to small rural cooperatives.”

Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE

Quote

You’ll want to install the March update. Like right now – if you can avoid broken networking

In other words, your choice is: prevent data theft, or have working networking. Wow, as this article concludes, it is indeed a tough choice.

Update: A user in the comments to this article stated:

The March cumulative updates have been pulled by Microsoft for Windows 7 and 2008R2 due to the networking bug, although still available if you are using WSUS / SCCM and fancy a gamble. You can still get hold of them direct from the Windows Update Catalog but read the KB articles first as they now say you have to run a script first to ensure you don’t lose networking.

Hmmm, that needs to be verified. Below is the full article:

Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE
You’ll want to install the March update. Like right now – if you can avoid broken networking
By Shaun Nichols in San Francisco 28 Mar 2018 at 00:21

Microsoft’s January and February security fixes for Intel’s Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes.

This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple’s FileVault disk encryption system.

We’re told Redmond’s early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system’s memory map, gain administrator-level privileges, and extract and modify any information in RAM.

Ouch!

The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.

Sunk by its own hand

According to Frisk, who backed up his claim with a detailed breakdown and a proof-of-concept exploit, the problem boils down to a single bit accidentally set by the kernel in a CPU page table entry. This bit enabled read-write user-mode access to the top-level page table itself.

On Windows 7 and Server 2008 that PML4 table is at a fixed address, so it can always be found and modified by exploit code. With that key permission bit flipped from supervisor-only to any-user, the table allowed all processes to modify said table, and thus pull up and write to memory addresses they are not supposed to reach.

Think of these tables as a telephone directory for the CPU, letting it know where memory is located and what can access it. Microsoft’s programmers accidentally left the top-level table marked completely open for user-mode programs to alter, allowing them to rewrite the computer’s directory of memory mappings.

Further proof-of-concept code can be found here.

Total meltdown

“Windows 7 already did the hard work of mapping in the required memory into every running process,” Frisk explained. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!”

Windows 8.x and Windows 10 aren’t affected. The March 13 Patch Tuesday updates contain a fix that addresses this permission bit cockup for affected versions, we’re told.

Microsoft did not respond to a request for comment on the matter.

In short, patch your Windows 7 and Server 2008 R2 machines with the latest security updates to protect against this OS flaw, otherwise any processes or users can tamper with and steal data from physical RAM, and give themselves admin-level control. Or don’t apply any of the Meltdown fixes and allow programs to read from kernel memory.

Networking not working

Fingers crossed your system isn’t among those that will suffer networking woes caused by the March security patches. Microsoft’s security updates this month broke static IP address and vNIC settings on select installations, knocking unlucky virtual machines, servers, and clients offline.

For example, with patch set KB4088878 for Windows 7 and Server 2008 R2, Redmond admitted:

A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused. Microsoft is working on a resolution and will provide an update in an upcoming release.

Static IP address settings are lost after you apply this update. Microsoft is working on a resolution and will provide an update in an upcoming release.

Prevent data theft, or have working networking. Tough choice.
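To make the "single permission bit" in the article above concrete, here is an added C example (not code from The Register, Ulf Frisk, or Microsoft) that decodes the architectural x86-64 page-table entry flags, models the MMU's user/supervisor and read/write check for one entry, and applies the rule that the top-level self-map entry must stay supervisor-only. The two entries it checks are constructed for this illustration; the physical address in them is a made-up placeholder, not a real Windows value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86-64 page-table entry bits; the layout is the same at every
 * level, including the top-level PML4 table the article is about. */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_RW       (1ULL << 1)   /* 0 = read-only,        1 = writable     */
#define PTE_US       (1ULL << 2)   /* 0 = supervisor-only,  1 = user allowed */
#define PTE_NX       (1ULL << 63)  /* 1 = no execute                         */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL   /* physical address, bits 12..51 */

typedef struct {
    bool present, writable, user, nx;
    uint64_t phys;                 /* physical address of the next-level table */
} pte_info;

pte_info decode_pte(uint64_t e)
{
    pte_info p;
    p.present  = (e & PTE_PRESENT) != 0;
    p.writable = (e & PTE_RW) != 0;
    p.user     = (e & PTE_US) != 0;
    p.nx       = (e & PTE_NX) != 0;
    p.phys     = e & PTE_PFN_MASK;
    return p;
}

/* Simplified model of the MMU's permission check for a single entry: the
 * access is refused if the entry is not present, if ring 3 asks but U/S is
 * clear, or if it is a write but R/W is clear. CR0.WP, SMEP/SMAP and the
 * combination of bits across all four levels are deliberately left out. */
bool access_allowed(uint64_t e, bool from_user, bool is_write)
{
    pte_info p = decode_pte(e);
    if (!p.present)              return false;
    if (from_user && !p.user)    return false;
    if (is_write && !p.writable) return false;
    return true;
}

/* The PML4 slot that maps the page tables into the kernel's own address space
 * must stay supervisor-only. If it is present with U/S set, ring 3 can read
 * (and, with R/W also set, write) the page tables and so rewrite its own
 * memory map, which is the condition Frisk described. */
bool self_map_entry_is_safe(uint64_t e)
{
    pte_info p = decode_pte(e);
    return !p.present || !p.user;
}

/* Constructed entries for illustration only. 0x1AD000 is a placeholder
 * physical address, not a value taken from Windows. */
#define BROKEN_SELF_MAP (PTE_PRESENT | PTE_RW | PTE_US | PTE_NX | 0x1AD000ULL) /* U/S set: the faulty patch */
#define FIXED_SELF_MAP  (PTE_PRESENT | PTE_RW |          PTE_NX | 0x1AD000ULL) /* supervisor-only           */

static void show(const char *label, uint64_t e)
{
    pte_info p = decode_pte(e);
    printf("%-7s P=%d RW=%d US=%d NX=%d phys=0x%llx user-write=%s safe=%s\n",
           label, p.present, p.writable, p.user, p.nx,
           (unsigned long long)p.phys,
           access_allowed(e, true, true) ? "yes" : "no",
           self_map_entry_is_safe(e) ? "yes" : "no");
}

int main(void)
{
    show("broken", BROKEN_SELF_MAP);
    show("fixed", FIXED_SELF_MAP);
    return 0;
}
```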

Internet of insecure Things: Software still riddled with security holes

Quote

An audit of the security of IoT mobile applications available on official stores has found that tech to safeguard the world of connected things remains outstandingly mediocre.

Pradeo Security put a representative sample of 100 iOS and Android applications developed to manage connected objects (heaters, lights, door-locks, baby monitors, CCTV etc) through their paces.

Researchers at the mobile security firm found that around one in seven (15 per cent) applications sourced from the Google Play and Apple App Store were vulnerable to takeover. Hijacking was a risk because these apps were discovered to be defenceless against bugs that might lend themselves to man-in-the-middle attacks.

Four in five of the tested applications carry vulnerabilities, with an average of 15 per application.

Which means devices could be pwned by crooks
By John Leyden 28 Mar 2018 at 15:29


Around one in 12 (8 per cent) of applications phoned home or otherwise connected to uncertified servers. “Among these, some [certificates] have expired and are available for sale. Anyone buying them could access all the data they receive,” Pradeo warns.

Pradeo’s team also discovered that the vast majority of the apps leaked the data they processed. Failings in this area were many and varied.

Application file content: 81 per cent of applications
Hardware information (device manufacturer, commercial name, battery status…): 73 per cent
Device information (OS version number…): 73 per cent
Temporary files: 38 per cent
Phone network information (service provider, country code…): 27 per cent
Video and audio records: 19 per cent
Files coming from app static data: 19 per cent
Geolocation: 12 per cent
Network information (IP address, 2D address, Wi-Fi connection state): 12 per cent
Device identifiers (IMEI): 8 per cent

Pradeo Security said it had notified the vendors involved about the security problems it uncovered in their kit.

..Misuse Of Facebook User Data Will Happen Again And Again

Once again, the Onion nails it!

Quote

Mark Zuckerberg Promises That Misuse Of Facebook User Data Will Happen Again And Again

MENLO PARK, CA—In an effort to demonstrate the social media platform’s total commitment to profits, Mark Zuckerberg took to his personal Facebook page Thursday to promise that the company’s misuse of personal data will, as of now, happen again and again. “We have a responsibility to our users, and if we can’t repeatedly betray your trust and sell your private information to the highest bidder, then we don’t deserve to serve you,” said Zuckerberg in his first public statement on the matter, adding that users should feel confident that the social network would do everything in its power to exploit them, through both third-party applications and partnerships with shadowy marketing firms willing to pay any price Facebook asks. “In 2013, a Cambridge University researcher named Alexandr Kogan stole personal data through a personality quiz, and since then, we’ve worked tirelessly to ensure it can be distributed everywhere, for as long as we exist. I invented Facebook, and at the end of the day, I’m solely responsible for what information is regularly released to unknown, unauthorized sources on this platform.” According to reports, Zuckerberg then announced that Facebook would soon be adding new privacy tools to provide users with the false sense that they had any control

Facebook severs ties to data brokers

Quote

The Social Network™ all-but-admits its previous legalese for developers was useless

Facebook has outlined a set of changes to its platform that impact developers and data brokers.

Facebook has a program called “Partner Categories” that it tells advertisers will let them “further refine your targeting based on information compiled by … partners, such as offline demographic and behavioural information like homeownership or purchase history.”

The partners Facebook uses are Acxiom, CCC Marketing, Epsilon, Experian, Oracle Data Cloud and Quantium.

Graham Mudd, a Facebook product marketing director, said that using such providers to refine ad targeting “is common industry practice” but that Facebook feels “this step, winding down over the next six months, will help improve people’s privacy on Facebook.”

On its own platform, Facebook has promised new fine print for business-to-business applications, complete with “rigorous policies and terms”. Which kind of admits some of Facebook’s past fine print was floppy. Perhaps floppy enough to let data flow to Cambridge Analytica and beyond?

Also notable is a change that means apps that provide access to lists of a user’s friends will now be reviewed by Facebook.

So there you have it. No real change. They can’t change. Facebook needs to sell data like Starbucks needs to sell coffee. It is their business and you are their product. They will continue to mine and map your information with their third party partners to create highly targeted ads.

Want it to stop? Deleting your Facebook account now would be a good start.

Facebook Inspired Killings

This is an article from Oct 2017. While I have excerpted it here, I think it is worth a complete read (see Quote). It is an excellent article that I feel shows the complexity and human cost side of Facebook.

Quote

… But while the focus on Russia is understandable, Facebook has been much less vocal about the abuse of its services in other parts of the world, where the stakes can be much higher than an election.
..
the ethnic cleansing of Rohingya Muslims, an ethnic minority in Myanmar that has been subjected to brutal violence and mass displacement. Violence against the Rohingya has been fueled, in part, by misinformation and anti-Rohingya propaganda spread on Facebook, which is used as a primary news source by many people in the country. Doctored photos and unfounded rumors have gone viral on Facebook, including many shared by official government and military accounts….In Myanmar, the rise in anti-Rohingya sentiment coincided with a huge boom in social media use that was partly attributable to Facebook itself. In 2016, the company partnered with MPT, the state-run telecom company, to give subscribers access to its Free Basics program. Free Basics includes a limited suite of internet services, including Facebook, that can be used without counting toward a cellphone data plan. As a result, the number of Facebook users in Myanmar has skyrocketed to more than 30 million today from 2 million in 2014.

In India, where internet use has also surged in recent years, WhatsApp, the popular Facebook-owned messaging app, has been inundated with rumors, hoaxes and false stories. In May, the Jharkhand region in Eastern India was destabilized by a viral WhatsApp message that falsely claimed that gangs in the area were abducting children. The message incited widespread panic and led to a rash of retaliatory lynchings, in which at least seven people were beaten to death. A local filmmaker, Vinay Purty, told the Hindustan Times that many of the local villagers simply believed the abduction myth was real, since it came from WhatsApp….
The company has made many attempts to educate users about the dangers of misinformation. In India and Malaysia, it has taken out newspaper ads with tips for spotting false news. In Myanmar, it has partnered with local organizations to distribute printed copies of its community standards, as well as created educational materials to teach citizens about proper online behavior.

But these efforts, as well-intentioned as they may be, have not stopped the violence, and Facebook does not appear to have made them a top priority. The company has no office in Myanmar, and neither Mr. Zuckerberg nor Ms. Sandberg has made any public statements about the Rohingya crisis.

Facebook has argued that the benefits of providing internet access to international users will ultimately outweigh the costs. Adam Mosseri, a Facebook vice president who oversees the News Feed, told a journalism gathering this month, “In the end, I don’t think we as a human race will regret the internet.” Mr. Zuckerberg echoed that sentiment in a 2013 manifesto titled “Is Connectivity a Human Right?,” in which he said that bringing the world’s population online would be “one of the most important things we all do in our lifetimes.”

That optimism may be cold comfort to people in places like South Sudan. Despite being one of the poorest and least-wired countries in the world, with only around 20 percent of its citizens connected to the internet, the African nation has become a hotbed of social media misinformation. As BuzzFeed News has reported, political operatives inside and outside the country have used Facebook posts to spread rumors and incite anger between rival factions, fostering violence that threatens to escalate into a civil war. A United Nations report last year determined that in South Sudan, “social media has been used by partisans on all sides, including some senior government officials, to exaggerate incidents, spread falsehoods and veiled threats, or post outright messages of incitement.”

Peter Thiel Employee Helped Cambridge Analytica Before It Harvested Data

Quote

I think this story shows that the Facebook data mining is the tip of the iceberg. It will drag in Google and others.

As a start-up called Cambridge Analytica sought to harvest the Facebook data of tens of millions of Americans in summer 2014, the company received help from at least one employee at Palantir Technologies, a top Silicon Valley contractor to American spy agencies and the Pentagon.

It was a Palantir employee in London, working closely with the data scientists building Cambridge’s psychological profiling technology, who suggested the scientists create their own app — a mobile-phone-based personality quiz — to gain access to Facebook users’ friend networks, according to documents obtained by The New York Times.

Cambridge ultimately took a similar approach. By early summer, the company found a university researcher to harvest data using a personality questionnaire and Facebook app. The researcher scraped private data from over 50 million Facebook users — and Cambridge Analytica went into business selling so-called psychometric profiles of American voters, setting itself on a collision course with regulators and lawmakers in the United States and Britain.

The revelations pulled Palantir — co-founded by the wealthy libertarian Peter Thiel — into the furor surrounding Cambridge, which improperly obtained Facebook data to build analytical tools it deployed on behalf of Donald J. Trump and other Republican candidates in 2016. Mr. Thiel, a supporter of President Trump, serves on the board at Facebook.

The connections between Palantir and Cambridge Analytica were thrust into the spotlight by Mr. Wylie’s testimony on Tuesday. Both companies are linked to tech-driven billionaires who backed Mr. Trump’s campaign: Cambridge is chiefly owned by Robert Mercer, the computer scientist and hedge fund magnate, while Palantir was co-founded in 2003 by Mr. Thiel, who was an initial investor in Facebook.

Google Link?

A former intern at SCL — Sophie Schmidt, the daughter of Eric Schmidt, then Google’s executive chairman — urged the company to link up with Palantir, according to Mr. Wylie’s testimony and a June 2013 email viewed by The Times.

“Ever come across Palantir. Amusingly Eric Schmidt’s daughter was an intern with us and is trying to push us towards them?” one SCL employee wrote to a colleague in the email.

Ms. Schmidt did not respond to requests for comment, nor did a spokesman for Cambridge Analytica.

In an interview this month with The Times, Mr. Wylie said that Palantir employees were eager to learn more about using Facebook data and psychographics. Those discussions continued through spring 2014, according to Mr. Wylie.

Mr. Wylie said that he and Mr. Nix visited Palantir’s London office on Soho Square. One side was set up like a high-security office, Mr. Wylie said, with separate rooms that could be entered only with particular codes. The other side, he said, was like a tech start-up — “weird inspirational quotes and stuff on the wall and free beer, and there’s a Ping-Pong table.”

Mr. Chmieliauskas continued to communicate with Mr. Wylie’s team in 2014, as the Cambridge employees were locked in protracted negotiations with a researcher at Cambridge University, Michal Kosinski, to obtain Facebook data through an app Mr. Kosinski had built. The data was crucial to efficiently scale up Cambridge’s psychometrics products so they could be used in elections and for corporate clients.

“I had left field idea,” Mr. Chmieliauskas wrote in May 2014. “What about replicating the work of the cambridge prof as a mobile app that connects to facebook?” Reproducing the app, Mr. Chmieliauskas wrote, “could be a valuable leverage negotiating with the guy.”

Those negotiations failed. But Mr. Wylie struck gold with another Cambridge researcher, the Russian-American psychologist Aleksandr Kogan, who built his own personality quiz app for Facebook. Over subsequent months, Dr. Kogan’s work helped Cambridge develop psychological profiles of millions of American voters.

One can only hope this will broaden the understanding of what “you are the product” means to free services peddled by big tech. Then again…..

See What Google Has on You

Want to see what Google has on you? Well, My Activity will do that. I love the innocent picture. Oh, how sweet: Google working to make a better experience. What bollocks. At every step of trying to delete your data, you get pop-ups warning you how bad what you are trying to do is (along with more innocent pictures).

Here is the real picture (lower right) that should be posted.


To be fair, if you ignore all the pretty, happy “do no harm” nonsense warnings, you can turn a lot of stuff off. That said, can you trust them? I can’t.