
Nick L

Where Countries Are Tinderboxes and Facebook Is a Match

If you have a Facebook account and have a shred of decency, you should delete your Facebook account. If your business is on Facebook, get off and send the message. This company needs to be buried as they are out of control and have serious blood on their hands. Stop supporting them.

“A reconstruction of Sri Lanka’s descent into violence, based on interviews with officials, victims and ordinary users caught up in online anger, found that Facebook’s newsfeed played a central role in nearly every step from rumor to killing. Facebook officials, they say, ignored repeated warnings of the potential for violence, resisting pressure to hire moderators or establish emergency points of contact.”

Quote

False rumors set Buddhist against Muslim in Sri Lanka, the most recent in a global spate of violence fanned by social media.

MEDAMAHANUWARA, Sri Lanka — Past the end of a remote mountain road, down a rutted dirt track, in a concrete house that lacked running water but bristled with smartphones, 13 members of an extended family were glued to Facebook. And they were furious.

A family member, a truck driver, had died after a beating the month before. It was a traffic dispute that had turned violent, the authorities said. But on Facebook, rumors swirled that his assailants were part of a Muslim plot to wipe out the country’s Buddhist majority.

“We don’t want to look at it because it’s so painful,” H.M. Lal, a cousin of the victim, said as family members nodded. “But in our hearts there is a desire for revenge that has built.”

The rumors, they believed, were true. Still, the family, which is Buddhist, did not join in when Sinhalese-language Facebook groups, goaded on by extremists with wide followings on the platform, planned attacks on Muslims, burning a man to death.

But they had shared and could recite the viral Facebook memes constructing an alternate reality of nefarious Muslim plots. Mr. Lal called them “the embers beneath the ashes” of Sinhalese anger.

We came to this house to try to understand the forces of social disruption that have followed Facebook’s rapid expansion in the developing world, whose markets represent the company’s financial future. For months, we had been tracking riots and lynchings around the world linked to misinformation and hate speech on Facebook, which pushes whatever content keeps users on the site longest — a potentially damaging practice in countries with weak institutions.

Time and again, communal hatreds overrun the newsfeed — the primary portal for news and information for many users — unchecked as local media are displaced by Facebook and governments find themselves with little leverage over the company. Some users, energized by hate speech and misinformation, plot real-world attacks.

A reconstruction of Sri Lanka’s descent into violence, based on interviews with officials, victims and ordinary users caught up in online anger, found that Facebook’s newsfeed played a central role in nearly every step from rumor to killing. Facebook officials, they say, ignored repeated warnings of the potential for violence, resisting pressure to hire moderators or establish emergency points of contact.

Read the full article

Yahoo Mail – The “OATH” to spy and track you

“Yahoo is now part of Oath, the media and tech company behind today’s top news, sports and entertainment sites and apps.”

..and behind overt violations of your privacy

This includes: analyzing content and information when you use our services (including emails, instant messages, posts, photos, attachments, and other communications), linking your activity on other sites and apps with information we have about you, and providing anonymized and/or aggregated reports to other parties regarding user trends. …sharing Data with Verizon. Oath and its affiliates may share the information we receive with Verizon.

Verizon – another bad actor when it comes to privacy and acting like a monopoly

And of course, like Facebook, they buy other data sources, combine them and build a profile on you

Information from Others. We collect information about you when we receive it from other users, third-parties, and affiliates, such as:

When you connect your account to third-party services or sign in using a third-party partner (like Facebook or Twitter).
From publicly-available sources.
From advertisers about your experiences or interactions with their offerings.
When we obtain information from third-parties or other companies, such as those that use our Services. This may include your activity on other sites and apps as well as information those third-parties provide to you or us.
We may also receive information from Verizon and will honor the choices Verizon customers have made about the uses of this information when we receive and use this data.

The details — full privacy policy here

Just say no to Yahoo and OATH which includes AOL

ROKU = SPYWARE

Roku has updated their privacy policy. It is awful.

B. Information collected automatically

When you use the Roku Services, we and our partners may use unique device identifiers, cookies, pixel tags, web beacons and other similar technologies to receive and store information on an automated basis.

What this means

[They] collect usage data such as your search history (including letters you key in for searches, and utterances provided if you choose to use voice-enabled functions such as voice search (if available on your Roku Device)), search results, content and advertisements you select and view, including through use of automatic content recognition technology (ACR) (see “Smart TV Experience and ACR on Roku TVs” (Part I, Section B-4) and “Choices regarding Smart TV Experience and ACR on Roku TVs” (Part IV, Section E), below), and content settings and preferences, channels you add and view, including time and duration in the channels, and other usage statistics….

Third parties who provide us with analytics services for the Roku Services may also automatically collect some of the information described above, including, for example, IP address, access times, browser type and language, device type, device identifiers and Wi-Fi information…

We may receive data about you from data providers and combine it with the data that we collect from you.

You don’t like it? They will charge you a fee

If you have a Roku account, you may view and update certain contact and billing information we have about you by logging into your account on Roku.com. If you otherwise wish to ask for access, correction, or deletion of any of your personal information held by us or a change in the way we use your information (for which we reserve the right to charge you a fee, as permitted by applicable law), please contact us at: customer.advocate@roku.com. However, Roku may decline requests that are unreasonable, prohibited by law, or are not required to be honored by applicable law.

Oh and this cop out…

At this time there is no accepted standard for how to respond to Do Not Track signals, and we do not respond to such signals.

After all this I logged into my Roku account and tried to find the privacy and/or opt-out links. Not there! The only way is to reset your identifier, but that is temporary as the new identifier starts a new collection process.

Bottom line — use a NON Smart TV and build your own KODI box.

Full ROKU Privacy statement is here for the US

Still Using Yahoo Mail? Maybe time to stop

Quote

Yahoo and AOL’s privacy policy lets them plunder your emails for ads

TECH COMPANY and porridge ingredient for lispers Oath has updated its privacy policy, and it seems it’s all policy and no privacy.

As you may recall, Oath is a group of companies made up primarily of Yahoo and AOL. Keen to find some way of making some actual ruddy money, it appears that targeted adverts in its mail services are going to be a big part of it.

If we’ve learned one thing over the past month or so, it’s that targeted adverts require access to users’ personal data.

And sure enough, the new privacy policy introduces ‘scanning’ of emails for the purposes of finding just the right thing to annoy you with.

Let’s look at some of the really scary bits.

Firstly it says that it “analyses and stores all communications content, including email content from incoming and outgoing mail,” so it can “deliver, personalise and develop relevant features, content, advertising and Services.”

Yahoo did that already, but now it applies to AOL too.

If there was any clearer indication that this is a bad thing, it’s that Google had already stopped doing this for Gmail as a reflection of public opinion turning against this invasion of privacy.

The Oath group can also “analyse your content and other information (including emails, instant messages, posts, photos, attachments, and other communications),” and even check up on your spending habits with the somewhat chilling analysis of “user content around certain interactions with financial institutions.”

The company says that it has automated systems to take out anything to identify you, but at the same time, those same systems are going to be used potentially to identify and tag your pictures. So… what’s up with that?

The fact that the company has decided to do this now, when the issue is so embedded in the news already and moral panic is rising, suggests that Oath has no choice in doing something like this to maintain profitability.

Thing is, you do. Yahoo, particularly, has been a security nightmare for a long time over its email service and if you’re still using it, then perhaps it’s time to take another look at whether it’s time to take a step back and question if it’s time for a change.

Whois is dead as Europe hands DNS overlord ICANN its arse

Quote

In a letter [PDF] sent this week to DNS overseer ICANN, Europe’s data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force.

The letter also has harsh words for ICANN’s proposed interim solution, criticizing its vagueness and noting it needs to include explicit wording about what can be done with registrant data, as well as introduce auditing and compliance functions to make sure the data isn’t being abused.

ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number.

Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix

Previously we reported that the latest Meltdown Patch broke networking in Win7 and Server 2008. Now, if you’re using Windows 7 or Server 2008 R2 and have applied Microsoft’s Meltdown patches, you’ll want to grab and install today’s (29-Mar 2018) out-of-band update for CVE-2018-1038 here.

We did this on a Win7 VM we have and it seemed to work and not break the network as the previous release did.

As the article concludes, and one we follow here:

In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

Full Article Follows

Quote

Microsoft today issued an emergency security update to correct a security update it issued earlier this month to correct a security update it issued in January and February.

In January and February, Redmond emitted fixes for Windows 7 and Server 2008 R2 machines to counter the Meltdown chip-level vulnerability in modern Intel x64 processors. Unfortunately, those patches blew a gaping hole in the operating systems: normal applications and logged-in users could now access and modify any part of physical RAM, and gain complete control over a box, with the updates installed.

Rather than stop programs and non-administrators from exploiting Meltdown to extract passwords and other secrets from protected kernel memory, the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM.

Roll on March, and Microsoft pushed out fixes on Patch Tuesday to correct those January and February updates to close the security vulnerability it accidentally opened.

Except that March update didn’t fully seal the deal: the bug remained in the kernel, and was exploitable by malicious software and users.

Total Meltdown

Now, if you’re using Windows 7 or Server 2008 R2 and have applied Microsoft’s Meltdown patches, you’ll want to grab and install today’s out-of-band update for CVE-2018-1038.

Swedish researcher Ulf Frisk discovered the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken, and went public with his findings once the March Patch Tuesday had kicked off. As it turns out, this month’s updates did not fully fix things, and Microsoft has had to scramble to remedy what was now a zero-day vulnerability in Windows 7 and Server 2008.

In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

How Local Governments Can Prevent Cyberattacks

Quote

The recent cyberattack on Atlanta, in which the municipal government’s computers and related services were held hostage by a ransomware attack, is a reminder that local governments are particularly vulnerable to these and other cyberthreats.

Local governments of all sizes and locations now own and operate a wide and growing array of internet-connected technology systems: employee-issued laptops, motion sensors on light poles and under pavement, mapping and informational systems inside police cars, online citizen-engagement tools and much more.

Most local governments in the United States don’t have a strong grasp of the policies and procedures they should implement to protect their technology systems from attacks. This is especially concerning because the threat of a cyberattack is the most important cybersecurity problem they face, according to a survey conducted by the organization I work for, the International City/County Management Association, and the University of Maryland, Baltimore County.

Forty-four percent of local governments report that they regularly face cyberattacks, on either an hourly or daily basis. More troubling is the high percentage of governments that do not know how often they are attacked (28 percent) or breached (41 percent). Further, a majority of local governments do not catalog or count attacks (54 percent).

This statistic alone is disturbing because SIEMs (Security Information and Event Management), local and cloud-based, have been available for well over 12 years. I know this because I implemented a third-party vendor SIEM in ’06. Before then and even today, there were numerous open source utilities available to flag anomalies from logs. We run a small site and on average our logs show attack attempts every few minutes. Municipalities are larger and offer more lucrative targets and offer larger attack surfaces to miscreants.

This is not just an American problem. Last month, at a conference in Tel Aviv, Tamir Pardo, the former head of Mossad, Israel’s national intelligence agency, said that most local government leaders around the world do not fully understand how serious a threat cyberattacks are and have not imaginatively assessed the consequences of inaction. He described cyberthreats as “soft nuclear weapons” that one day may be used to start and finish a war without firing a shot.

So what should local governments do to improve their cybersecurity apparatus to help prevent or mitigate damage from future attacks like the one experienced in Atlanta, or from those contemplated by Mr. Pardo?

First, local leaders must create a culture of cybersecurity that imagines worst-case scenarios and explores a range of solutions to mitigate threats to the ecosystem of local government technology. This should involve prioritizing funding for cybersecurity, establishing stronger cybersecurity policies and training employees in cybersecurity protocols. Success will require collaboration with local elected officials, internet-technology and cybersecurity staff members, department managers and end users.

We like to advise that cyber security is 75% user education & 25% technology

Cybersecurity is more than just the I.T. department’s problem. It must now also be a top priority along the entire chain of elected and appointed officials in and around local governments. Preventing and mitigating the effects of future attacks will require intergovernmental cooperation, because localities work together across state lines and collaborate with the federal government on crucial tasks like running elections, managing transportation and sharing intelligence.

Most technological advances are transforming local governments for the better, moving them from inefficient and costly paper systems to digital systems that allow for better analysis and understanding of policy decisions. The science of analytics and big data promises even greater leaps for local governments in evidence-based policymaking. These exciting developments may one day radically alter the ways that traditional local government services are financed, operated and managed.

But we cannot get lost in the excitement. We must actively prepare for cyberthreats of the sort that have been demonstrated in places like Atlanta. If smart cities and communities are the brightly lit days of the increasingly connected world of local government technology, cyberattacks are the dark and stormy nights. We don’t need to halt technological deployments and evolution, but we do need to recognize that cybersecurity is an essential counterpart.

AT&T/Verizon lobbyists to “aggressively” sue states that enact net neutrality

Quote

The dangers of oligopolies. More than anything else, what the internet needs is trust busters.

A lobby group that represents AT&T, Verizon, and other telcos plans to sue states and cities that try to enforce net neutrality rules.

USTelecom, the lobby group, made its intentions clear yesterday in a blog post titled, “All Americans Deserve Equal Rights Online.”

Yeah – All Americans == all their fellow oligopolists

“Broadband providers have worked hard over the past 20 years to deploy ever more sophisticated, faster and higher-capacity networks, and uphold net neutrality protections for all,” USTelecom CEO Jonathan Spalter wrote. “To continue this important work, there is no question we will aggressively challenge state or municipal attempts to fracture the federal regulatory structure that made all this progress possible.”

The USTelecom board of directors includes AT&T, Verizon, Frontier, CenturyLink, Windstream, and other telcos. The group’s membership “ranges from the nation’s largest telecom companies to small rural cooperatives.”

Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE

Quote

You’ll want to install the March update. Like right now – if you can avoid broken networking

In other words, your choice is: prevent data theft, or have working networking. Wow, as this article concludes, it is indeed a tough choice.

Update: A user in the comments to this article stated

The March cumulative updates have been pulled by Microsoft for Windows 7 and 2008R2 due to the networking bug, although still available if you are using WSUS / SCCM and fancy a gamble. You can still get hold of them direct from the Windows Update Catalog but read the KB articles first as they now say you have to run a script first to ensure you don’t lose networking.

Hmmm, that needs to be verified. Below is the full article:

By Shaun Nichols in San Francisco 28 Mar 2018 at 00:21

Microsoft’s January and February security fixes for Intel’s Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes.

This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple’s FileVault disk encryption system.

We’re told Redmond’s early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system’s memory map, gain administrator-level privileges, and extract and modify any information in RAM.

Ouch!

The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.

Sunk by its own hand

According to Frisk, who backed up his claim with a detailed breakdown and a proof-of-concept exploit, the problem boils down to a single bit accidentally set by the kernel in a CPU page table entry. This bit enabled read-write user-mode access to the top-level page table itself.

On Windows 7 and Server 2008 that PML4 table is at a fixed address, so it can always be found and modified by exploit code. With that key permission bit flipped from supervisor-only to any-user, the table allowed all processes to modify said table, and thus pull up and write to memory addresses they are not supposed to reach.

Think of these tables as a telephone directory for the CPU, letting it know where memory is located and what can access it. Microsoft’s programmers accidentally left the top-level table marked completely open for user-mode programs to alter, allowing them to rewrite the computer’s directory of memory mappings.

Further proof-of-concept code can be found here.

Total meltdown

“Windows 7 already did the hard work of mapping in the required memory into every running process,” Frisk explained. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!”

Windows 8.x and Windows 10 aren’t affected. The March 13 Patch Tuesday updates contain a fix that addresses this permission bit cockup for affected versions, we’re told.

Microsoft did not respond to a request for comment on the matter.

In short, patch your Windows 7 and Server 2008 R2 machines with the latest security updates to protect against this OS flaw, otherwise any processes or users can tamper with and steal data from physical RAM, and give themselves admin-level control. Or don’t apply any of the Meltdown fixes and allow programs to read from kernel memory.

Networking not working

Fingers crossed your system isn’t among those that will suffer networking woes caused by the March security patches. Microsoft’s security updates this month broke static IP address and vNIC settings on select installations, knocking unlucky virtual machines, servers, and clients offline.

For example, with patch set KB4088878 for Windows 7 and Server 2008 R2, Redmond admitted:

A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused. Microsoft is working on a resolution and will provide an update in an upcoming release.

Static IP address settings are lost after you apply this update. Microsoft is working on a resolution and will provide an update in an upcoming release.

Prevent data theft, or have working networking. Tough choice.
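
An added example (not from the article and not Frisk's proof of concept) of the permission bit the article describes: it decodes x86-64 page-table entry flags and audits whether an entry that maps the top-level table back onto itself is reachable from user mode. The table contents, the physical address and the slot index are constructed sample values, and the assumption that the table is exposed through such a self-mapping entry is this sketch's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-64 paging-structure entry flags (architectural layout). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_USER      (1ULL << 2)            /* U/S: 0 = supervisor only, 1 = user mode allowed */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* physical address, bits 12..51 */
#define PML4_ENTRIES  512

enum finding { PT_OK = 0, PT_USER_READABLE = 1, PT_USER_WRITABLE = 2 };

struct audit_result {
    int self_index;        /* slot that maps the table onto itself, -1 if none */
    enum finding finding;  /* worst exposure seen on such a slot */
};

/* Scan a PML4 image for present entries whose target is the PML4's own
 * physical page. Such an entry makes the paging structures addressable as
 * ordinary virtual memory, so it must stay supervisor-only. */
static struct audit_result audit_pml4(const uint64_t *pml4, uint64_t pml4_phys)
{
    struct audit_result r = { -1, PT_OK };
    for (int i = 0; i < PML4_ENTRIES; i++) {
        uint64_t e = pml4[i];
        if (!(e & PTE_PRESENT))
            continue;                                   /* unused slot */
        if ((e & PTE_ADDR_MASK) != (pml4_phys & PTE_ADDR_MASK))
            continue;                                   /* points elsewhere */
        enum finding f = PT_OK;
        if (e & PTE_USER)                               /* the bit that must be clear */
            f = (e & PTE_WRITABLE) ? PT_USER_WRITABLE : PT_USER_READABLE;
        if (r.self_index < 0 || f > r.finding) {
            r.self_index = i;
            r.finding = f;
        }
    }
    return r;
}

/* Build a constructed sample table: one user-half entry, one kernel-half
 * entry, and optionally a self-mapping entry with the given flags. */
static void build_sample_pml4(uint64_t *t, uint64_t pml4_phys,
                              int self_slot, uint64_t self_flags)
{
    memset(t, 0, PML4_ENTRIES * sizeof(uint64_t));
    /* U/S=1 on an ordinary user-half entry is normal and is not flagged. */
    t[0]   = 0x0000000012345000ULL | PTE_PRESENT | PTE_WRITABLE | PTE_USER;
    t[256] = 0x0000000023456000ULL | PTE_PRESENT | PTE_WRITABLE;
    if (self_slot >= 0)
        t[self_slot] = (pml4_phys & PTE_ADDR_MASK) | self_flags;
}

static const char *finding_name(enum finding f)
{
    switch (f) {
    case PT_USER_WRITABLE: return "user-mode read/write to page tables";
    case PT_USER_READABLE: return "user-mode read of page tables";
    default:               return "supervisor-only";
    }
}

int main(void)
{
    const uint64_t phys = 0x00000000001AA000ULL;  /* constructed sample address */
    const int slot = 300;                         /* constructed sample slot */
    uint64_t table[PML4_ENTRIES];

    build_sample_pml4(table, phys, slot, PTE_PRESENT | PTE_WRITABLE);
    struct audit_result good = audit_pml4(table, phys);
    printf("correct flags: slot %d, %s\n", good.self_index, finding_name(good.finding));

    build_sample_pml4(table, phys, slot, PTE_PRESENT | PTE_WRITABLE | PTE_USER);
    struct audit_result bad = audit_pml4(table, phys);
    printf("U/S bit set:   slot %d, %s\n", bad.self_index, finding_name(bad.finding));

    return bad.finding == PT_USER_WRITABLE ? 0 : 1;
}
```

The two sample tables differ in exactly one bit of one entry, which is the whole difference between a supervisor-only mapping and one any process can rewrite.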

Internet of insecure Things: Software still riddled with security holes

Quote

An audit of the security of IoT mobile applications available on official stores has found that tech to safeguard the world of connected things remains outstandingly mediocre.

Pradeo Security put a representative sample of 100 iOS and Android applications developed to manage connected objects (heaters, lights, door-locks, baby monitors, CCTV etc) through their paces.

Researchers at the mobile security firm found that around one in seven (15 per cent) applications sourced from the Google Play and Apple App Store were vulnerable to takeover. Hijacking was a risk because these apps were discovered to be defenceless against bugs that might lend themselves to man-in-the-middle attacks.

Four in five of the tested applications carry vulnerabilities, with an average of 15 per application.

Which means devices could be pwned by crooks
By John Leyden 28 Mar 2018 at 15:29

Around one in 12 (8 per cent) of applications phoned home or otherwise connected to uncertified servers. “Among these, some [certificates] have expired and are available for sale. Anyone buying them could access all the data they receive,” Pradeo warns.

Pradeo’s team also discovered that the vast majority of the apps leaked the data they processed. Failings in this area were many and varied.

Application file content: 81 per cent of applications
Hardware information (device manufacturer, commercial name, battery status…): 73 per cent
Device information (OS version number…): 73 per cent
Temporary files: 38 per cent
Phone network information (service provider, country code…): 27 per cent
Video and audio records: 19 per cent
Files coming from app static data: 19 per cent
Geolocation: 12 per cent
Network information (IP address, 2D address, Wi-Fi connection state): 12 per cent
Device identifiers (IMEI): 8 per cent

Pradeo Security said it had notified the vendors involved about the security problems it uncovered in their kit.