….oh wait…Windows 10 Critical Bug
The more things change, the more they stay the same.
New Windows 10 ‘Extraordinarily Serious’ Security Warning For 900 Million Users
On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections. Source: CISA (see Update #1).
The bug is considered as bad as it gets. Neuberger said the agency [NSA] took an unprecedented step by reporting the bug, instead of hoarding the vulnerability and using it for its offensive tools and operations. Source: Read more
Update #1: Here is the CISA advisory: https://www.us-cert.gov/ncas/alerts/aa20-014a
Update #2: Win7 and Win8 – it does not appear that they are affected.
Mozilla Foundation released a CRITICAL patch to Firefox to patch an actively exploited vulnerability.
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.
Well it happened again. Caveat Emptor – not everything you download is goodness. The app, which pitches itself as a customizable emoji keyboard, contains hidden code that covertly makes premium content purchases without any user notification or permission.
Malicious code slipped into a popular Android keyboard app racked up millions of dollars in fraudulent charges for unlucky punters.
The Secure-D research team with mobile security specialist Upstream Systems reports this week that as much as $18m in bogus fees were run up by ai.type, an on-screen keyboard replacement that has an estimated 40 million downloads through the official Android Play Store – where it has since been removed – and other third-party stores.
Secure-D claims the app, which pitches itself as a customizable emoji keyboard, contains hidden code that covertly makes premium content purchases without any user notification or permission. In addition to the bill cramming, the app engages in ad and click fraud, we’re told, in some cases disguising its traffic as coming from other legitimate Android applications.
“The app has been delivering millions of invisible ads and fake clicks, while delivering genuine user data about real views, clicks and purchases to ad networks,” Secure-D says of the rogue app. “Ai.type carries out some of its activity hiding under other identities, including disguising itself to spoof popular apps such as Soundcloud.”
The Register has reached out to ai.type’s developers for comment, and has yet to hear back.
Interestingly, Secure-D says that most of the fraudulent charges occurred in July after the app was removed from the Play Store in June – though at the time it remained in third-party souks and installed on millions of devices – suggesting the people behind the malware decided to cash in while they still could.
According to the researchers, the components responsible for the bogus charges are not part of the keyboard itself, but rather are in software development frameworks bundled into the app. Those kits activate and click on ads to sign users up for the premium services and generate fake traffic with the aim of collecting commissions.
“These SDKs [software development kits] navigate to the ads via a series of redirections and automatically perform clicks to trigger the subscriptions. This is committed in the background so that normal users will not realize it is taking place,” explained Secure-D head Dimitris Maniatis.
“In addition, the SDKs obfuscate the relevant links and download additional code from external sources to complicate detection even from sophisticated analysis techniques.”
Anyone who is using the ai.type keyboard would be well advised to delete it ASAP. As it is no longer in the Play Store there is no risk of new infections there, but anyone using third-party stores should avoid downloading the keyboard if they see it.
Well I get it – convenience. But using a password manager browser extension is foolish. So is using a cloud-based storage vault. While a password manager is better than sticky notes in many respects, a failure can be catastrophic. What is better? L4 Networks has always recommended an offline (non-cloud) password manager: store the database locally, protect the database with PKI encryption and/or a key file in addition to a password, do not use a browser extension for the password manager, and never store sensitive logins for banks, credit cards, etc. in a browser’s own password database.
This issue affected the Chrome and Opera extensions.
Developers of the LastPass password manager have patched a vulnerability that made it possible for websites to steal credentials for the last account the user logged into using the Chrome or Opera extension.
The vulnerability was discovered late last month by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. In a write-up that became public on Sunday, Ormandy said the flaw stemmed from the way the extension generated popup windows. In certain situations, websites could produce a popup by creating an HTML iframe that linked to the Lastpass popupfilltab.html window rather than through the expected procedure of calling a function called do_popupregister(). In some cases, this unexpected method caused the popups to open with a password of the most recently visited site.
“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab,” Ormandy wrote. “That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”
Clickjacking is a class of attack that conceals the true destination of the site or resource displayed in a Web link. In its most common form, clickjacking attacks place a malicious link in a transparent layer on top of a visible link that looks innocuous. Users who click on the link open the malicious page or resource rather than the one that appears to be safe.
“This will prompt if you try to clickjack filling in or copying credentials though, because frame_and_topdoc_has_same_domain() returns false,” Ormandy continued. “This is possible to bypass, because you can make them match by finding a site that will iframe an untrusted page.”
The researcher then showed how a bypass might work by combining two domains into a single URL such as:
In a series of updates, Ormandy described easier ways to carry out the attack. He also described three other weaknesses he found in the extensions, including:
- handle_hotkey() didn’t check for trusted events, allowing sites to generate arbitrary hotkey events
- a bug that allowed attackers to disable several security checks by putting the string “https://login.streetscape.com” in code
- a routine called LP_iscrossdomainok() that could bypass other security checks
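The frame-versus-top-document check Ormandy quotes, beside a defender’s generalization that inspects the whole frame chain and a frame-ancestors header for the site being framed, as an added example that is not LastPass’s or Project Zero’s code; the host names are constructed and the ancestor chain is passed in explicitly so the code runs under Node:

```javascript
// Added example, not LastPass or Project Zero code. A same-origin test between
// the frame being filled and the top document only can be satisfied by routing
// through a site that frames untrusted content. The hardened variant requires
// every ancestor frame to share the origin (Chromium exposes that chain as
// location.ancestorOrigins; here it is passed in so this runs under Node).

function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // scheme + host + non-default port
}

// Weak check: compares only the innermost frame with the top document.
function frameAndTopDocSameOrigin(frameUrl, topDocUrl) {
  return originOf(frameUrl) === originOf(topDocUrl);
}

// Hardened check: the frame and every ancestor (top document included) must
// share one origin, so an untrusted intermediate frame cannot hide in between.
function allAncestorsSameOrigin(frameUrl, ancestorUrls) {
  const expected = originOf(frameUrl);
  return ancestorUrls.length > 0 &&
    ancestorUrls.every((url) => originOf(url) === expected);
}

// Mitigation for the site that gets framed: a Content-Security-Policy
// frame-ancestors directive naming the origins allowed to embed the page.
function frameAncestorsHeader(allowedUrls) {
  const sources = ["'self'", ...allowedUrls.map(originOf)];
  return `frame-ancestors ${sources.join(' ')}`;
}

// Constructed scenario with hypothetical hosts. ancestors[0] is the top document.
const LEGIT_CHAIN = {
  frame: 'https://bank.example/login',
  ancestors: ['https://bank.example/portal'],
};
const BYPASS_CHAIN = {
  frame: 'https://attacker.example/clickjack',
  // attacker page on top, embedding a site that will iframe arbitrary content,
  // which in turn embeds the attacker page again: top and frame now "match"
  ancestors: ['https://attacker.example/top', 'https://gullible.example/embed'],
};

function evaluate(chain) {
  return {
    weak: frameAndTopDocSameOrigin(chain.frame, chain.ancestors[0]),
    hardened: allAncestorsSameOrigin(chain.frame, chain.ancestors),
  };
}
```

Run the two chains through evaluate(): the weak check passes both, while the hardened check rejects the bypass chain because the intermediate origin differs.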
On Friday, LastPass published a post that said the bugs had been fixed and described the “limited set of circumstances” required for the flaws to be exploited.
“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” LastPass representative Ferenc Kun wrote. “This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis.”
Don’t ditch your password manager just yet
The vulnerability underscores the drawback of password managers, a tool that many security practitioners say is essential for good security hygiene. By making it easy to generate and store a strong password that’s unique for every account, password managers offer a crucial alternative to password reuse. Password managers also make it much easier to use passwords that are truly strong, since users need not memorize them. In the event that a website breach exposes user passwords in cryptographically protected form, the chances of someone being able to crack the hash are slim, since the plaintext password is strong. Even in the event that the website breach leaks passwords in plaintext, the password manager ensures that only a single account is compromised.
The downside to password managers is that if or when they fail, the results can be severe. It’s not unusual for some people to use password managers to store hundreds of passwords, some for banking, 401k, and email accounts. In the event of a password-manager hack, there’s the risk that the credentials for multiple accounts can be exposed. On the whole, I still recommend most people use password managers unless they devise another technique to generate and store strong passwords that are unique to every account.
One way to reduce the damage that can occur in the event of a password manager hack is to use multi-factor authentication whenever possible. By far, the cross-industry WebAuthn is the most secure and user-friendly form of MFA, but time-based one-time passwords generated by authenticator apps are also relatively secure. And despite the criticism SMS-based MFA gets—for good reason, by the way—even meager protection would likely be enough to protect most people against account takeovers.
The LastPass bug was fixed in version 4.33.0. The extension update should automatically install on users’ computers, but it’s not a bad idea to check. While LastPass said the bug was limited to the Chrome and Opera browsers, the company has deployed the update to all browsers as a precaution.
From the Electronic Frontier Foundation (EFF)
Abstract – summary
It’s never about privacy
If the Privacy Sandbox won’t actually help users, why is Google proposing all these changes?
Google can probably see which way the wind is blowing. Safari’s Intelligent Tracking Prevention and Firefox’s Enhanced Tracking Protection have severely curtailed third-party trackers’ access to data. Meanwhile, users and lawmakers continue to demand stronger privacy protections from Big Tech. While Chrome still dominates the browser market, Google might suspect that the days of unlimited access to third-party cookies are numbered.
As a result, Google has apparently decided to defend its business model on two fronts. First, it’s continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers’ access to user data will end up harming user privacy. This argument is absurd. But unfortunately, as long as Chrome remains the most popular browser in the world, Google will be able to single-handedly dictate whether cookies remain a viable option for tracking most users.
At the same time, Google seems to be hedging its bets. The “Privacy Sandbox” proposals for conversion measurement, FLoC, and PIGIN are each aimed at replacing one of the existing ways that third-party cookies are used for targeted ads. Google is brainstorming ways to continue serving targeted ads in a post-third-party-cookie world. If cookies go the way of the pop-up ad, Google’s targeting business will continue as usual.
The Sandbox isn’t about your privacy. It’s about Google’s bottom line. At the end of the day, Google is an advertising company that happens to make a browser.
Full Article Here – an excellent read
A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies.
Kenneth Currin Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, Schuchman was part of a conspiracy with at least two other unnamed individuals to develop and use Satori in large scale online attacks designed to flood their targets with so much junk Internet traffic that the targets became unreachable by legitimate visitors.
According to his plea agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked with at least two other individuals to build and use the Satori botnet, which harnessed the collective bandwidth of approximately 100,000 hacked IoT devices by exploiting vulnerabilities in various wireless routers, digital video recorders, Internet-connected security cameras, and fiber-optic networking devices.
Satori was originally based on the leaked source code for Mirai, a powerful IoT botnet that first appeared in the summer of 2016 and was responsible for some of the largest denial-of-service attacks ever recorded (including a 620 Gbps attack that took KrebsOnSecurity offline for almost four days).
Maybe if Capital One stopped practicing age discrimination and hired more experienced IT workers (a problem at numerous companies, btw), it could have avoided the breach. In my opinion, this breach should result in crippling fines and C-suite execs being held criminally liable. Of course that will never happen in the U.S.
A hacker raided Capital One’s cloud storage buckets and stole personal information on 106 million credit card applicants in America and Canada.
The swiped data includes 140,000 US social security numbers and 80,000 bank account numbers, we’re told, as well as one million Canadian social insurance numbers, plus names, addresses, phone numbers, dates of birth, and reported incomes.
The pilfered data was submitted to Capital One by credit card hopefuls between 2005 and early 2019. The info was siphoned between March this year and July 17, and Capital One learned of the intrusion on July 19.
Seattle software engineer Paige A. Thompson, aka “erratic,” aka 0xA3A97B6C on Twitter, was suspected of nicking the data, and was collared by the FBI at her home on Monday this week. The 33-year-old has already appeared in court, charged with violating the US Computer Fraud and Abuse Act. She will remain in custody until her next hearing on August 1.
According to the Feds in their court paperwork [PDF], Thompson broke into Capital One’s cloud-hosted storage, believed to be Amazon Web Services’ S3 buckets, and downloaded their contents.
The financial giant said the intruder exploited a “configuration vulnerability,” while the Feds said a “firewall misconfiguration permitted commands to reach and be executed” by Capital One’s cloud-based storage servers. US prosecutors said the thief slipped past a “misconfigured web application firewall.”
Either way, someone using VPN service IPredator and the anonymizing Tor network illegally accessed the bank’s in-the-cloud systems, and downloaded citizens’ private data. This “misconfiguration” has since been fixed.
Thompson was, for what it’s worth, an engineer at Amazon Web Services, specifically on its cloud storage systems, between 2015 and 2016, and worked on various software projects in her spare time as well as running her own server-hosting outfit…
Q: What happened?
A: If the terms of the settlement are approved by a court, the Federal Trade Commission says Equifax will be required to spend up to $425 million helping consumers who can demonstrate they were financially harmed by the breach. The company also will provide up to 10 years of free credit monitoring to those who had their data exposed.
Q: What about the rest of the money in the settlement?
A: An as-yet undisclosed amount will go to pay lawyers fees for the plaintiffs.
Q: $650 million seems like a lot. Is that some kind of record?
A: If not, it’s pretty close. The New York Times reported earlier today that it was thought to be the largest settlement ever paid by a company over a data breach, but that statement doesn’t appear anywhere in their current story.
Q: Hang on…148 million affected consumers…out of that $425 million pot that comes to just $2.87 per victim, right?
A: That’s one way of looking at it. But as always, the devil is in the details. You won’t see a penny or any other benefit unless you do something about it, and how much you end up costing the company (within certain limits) is up to you.
The Times reports that the proposed settlement assumes that only around seven million people will sign up for their credit monitoring offers. “If more do, Equifax’s costs for providing it could rise meaningfully,” the story observes.
Q: Okay. What can I do?
A: You can visit www.equifaxbreachsettlement.com, although none of this will be official or on offer until a court approves the settlement.
Q: Uh, that doesn’t look like Equifax’s site…
A: Good eyes! It’s not. It’s run by a third party. But we should probably just be grateful for that; given Equifax’s total dumpster fire of a public response to the breach, the company has shown itself incapable of operating (let alone securing) a properly functioning Web site.
Q: What can I get out of this?
A: In a nutshell, affected consumers are eligible to apply for one or more remedies, including:
–Free credit monitoring: At least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and Trans Union. The settlement also envisions up to six more years of single bureau monitoring through Experian. Or, if you don’t want to take advantage of the credit monitoring offers, you can opt instead for a $125 cash payment. You can’t get both.
–Reimbursement: …For the time you spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This is capped at 20 total hours at $25 per hour ($500). Total cash reimbursement payment will not exceed $20,000 per consumer.
–Help with ongoing identity theft issues: Up to seven years of “free assisted identity restoration services.” Again, the existing breach settlement page is light on specifics there.
Q: Does this cover my kids/dependents, too?
A: The FTC says if you were a minor in May 2017 (when Equifax first learned of the breach), you are eligible for a total of 18 years of free credit monitoring.
Q: How do I take advantage of any of these?
A: You can’t yet. The settlement has to be approved first. The settlement Web site says to check back again later. In addition to checking the breach settlement site periodically, consumers can sign up with the FTC to receive email updates about this settlement.
Update: The eligibility site is now active, at this link.
The settlement site said consumers also can call 1-833-759-2982 for more information. Press #2 on your phone’s keypad if you want to skip the 1-minute preamble and get straight into the queue to speak with a real person.
KrebsOnSecurity dialed in to ask for more details on the “free assisted identity restoration services,” and the person who took my call said they’d need to have some basic information about me in order to proceed. He said they needed my name, address and phone number to proceed. I gave him a number and a name, and after checking with someone he came back and said the restoration services would be offered by Equifax, but confirmed that affected consumers would still have to apply for it.
He added that the Equifaxbreachsettlement.com site will soon include a feature that lets visitors check to see if they’re eligible, but also confirmed that just checking eligibility won’t entitle one to any of the above benefits: Consumers will still need to file a claim through the site (when it’s available to do so).
Well the real issue is that company is allowed to continue operations. It should have been wound down and the C-suite execs held liable, perhaps criminally liable.
….and as Brian’s and my Senator, Sen. Mark Warner (D-Va.), said:
“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”
Until breach laws have real teeth that hold C-suite executives criminally liable and make a breach a threat to the survival of the company, nothing will change. Even the EU General Data Protection Regulation does not go far enough (but it goes much further than the laughable U.S. regs).
For the second time this year the US Coast Guard has issued a warning about the cybersecurity practices aboard commercial sea vessels. Full US Coast Guard Alert Here
To us in Cyber Security, the recommendations are fairly standard. But for the Maritime industry, it seems new.
In order to improve the resilience of vessels and facilities, and to protect the safety of the waterways in which they operate, the U.S. Coast Guard strongly recommends that vessel and facility owners, operators and other responsible parties take the following basic measures to improve their
- Segment Networks. “Flat” networks allow an adversary to easily maneuver to any system connected to that network. Segment your networks into “subnetworks” to make it harder for an adversary to gain access to essential systems and equipment.
- Per-user Profiles & Passwords. Eliminate the use of generic log-in credentials for multiple personnel. Create network profiles for each employee. Require employees to enter a password and/or insert an ID card to log on to onboard equipment. Limit access/privileges to only those levels necessary to allow each user to do his or her job. Administrator accounts should be used sparingly and only when necessary.
- Be Wary of External Media. This incident revealed that it is common practice for cargo data to be transferred at the pier, via USB drive. Those USB drives were routinely plugged directly into the ship’s computers without prior scanning for malware. It is critical that any external media is scanned for malware on a standalone system before being plugged into any shipboard network. Never run executable media from an untrusted source.
- Install Basic Antivirus Software. Basic cyber hygiene can stop incidents before they impact operations. Install and routinely update basic antivirus software.
- Don’t Forget to Patch. Patching is no small task, but it is the core of cyber hygiene. Vulnerabilities impacting operating systems and applications are constantly changing – patching is critical to effective cybersecurity.
Maintaining effective cybersecurity is not just an IT issue, but is rather a fundamental operational imperative in the 21st century maritime environment. The Coast Guard therefore strongly encourages all vessel and facility owners and operators to conduct cybersecurity assessments to better understand the extent of their cyber vulnerabilities.
We recommend using a full UTM firewall on all commercial vessels that have internet connectivity. In addition, every connected endpoint device needs to have active anti-malware software installed and running. L4 Networks can help! Contact Us Please.