Skip to content

Security News

Security Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix

Previously we reported that the latest Meltdown Patch broke networking in Win7 and Server 2008. Now, if you’re using Windows 7 or Server 2008 R2 and have applied Microsoft’s Meltdown patches, you’ll want to grab and install today’s (29-Mar 2018) out-of-band update for CVE-2018-1038 here.

We did this on a Win7 VM we have and it seemed to work and not break the network as the previous release did.

As the article concludes and one we follow here

In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

Full Article Follows

Quote

Microsoft today issued an emergency security update to correct a security update it issued earlier this month to correct a security update it issued in January and February.

In January and February, Redmond emitted fixes for Windows 7 and Server 2008 R2 machines to counter the Meltdown chip-level vulnerability in modern Intel x64 processors. Unfortunately, those patches blew a gaping hole in the operating systems: normal applications and logged-in users could now access and modify any part of physical RAM, and gain complete control over a box, with the updates installed.

Rather than stop programs and non-administrators from exploiting Meltdown to extract passwords and other secrets from protected kernel memory, the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM.

Roll on March, and Microsoft pushed out fixes on Patch Tuesday to correct those January and February updates to close the security vulnerability it accidentally opened.

Except that March update didn’t fully seal the deal: the bug remained in the kernel, and was exploitable by malicious software and users.
Total Meltdown

Now, if you’re using Windows 7 or Server 2008 R2 and have applied Microsoft’s Meltdown patches, you’ll want to grab and install today’s out-of-band update for CVE-2018-1038.

Swedish researcher Ulf Frisk discovered the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken, and went public with his findings once the March Patch Tuesday had kicked off. As it turns out, this month’s updates did not fully fix things, and Microsoft has had to scramble to remedy what was now a zero-day vulnerability in Windows 7 and Server 2008.

In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

How Local Governments Can Prevent Cyberattacks

Quote

The recent cyberattack on Atlanta, in which the municipal government’s computers and related services were held hostage by a ransomware attack, is a reminder that local governments are particularly vulnerable to these and other cyberthreats.

Local governments of all sizes and locations now own and operate a wide and growing array of internet-connected technology systems: employee-issued laptops, motion sensors on light poles and under pavement, mapping and informational systems inside police cars, online citizen-engagement tools and much more.

Most local governments in the United States don’t have a strong grasp of the policies and procedures they should implement to protect their technology systems from attacks. This is especially concerning because the threat of a cyberattack is the most important cybersecurity problem they face, according to a survey conducted by the organization I work for, the International City/County Management Association, and the University of Maryland, Baltimore County.

Forty-four percent of local governments report that they regularly face cyberattacks, on either an hourly or daily basis. More troubling is the high percentage of governments that do not know how often they are attacked (28 percent) or breached (41 percent). Further, a majority of local governments do not catalog or count attacks (54 percent).

This statistic alone is disturbing because SIEMS EM (Security Information and Event Management) local & cloud base have been available for well over 12 years. I know this because I implemented a 3rd party vendor SIEM ’06. Before then and even today, there were numerous open source utilities availability to flag anomalies from logs. We run a small site and on average our logs show attacks attempts every few minutes. Municipalities are larger and offer more lucrative targets and offer larger attack surfaces to miscreants.

This is not just an American problem. Last month, at a conference in Tel Aviv, Tamir Pardo, the former head of Mossad, Israel’s national intelligence agency, said that most local government leaders around the world do not fully understand how serious a threat cyberattacks are and have not imaginatively assessed the consequences of inaction. He described cyberthreats as “soft nuclear weapons” that one day may be used to start and finish a war without firing a shot.

So what should local governments do to improve their cybersecurity apparatus to help prevent or mitigate damage from future attacks like the one experienced in Atlanta, or from those contemplated by Mr. Pardo?

First, local leaders must create a culture of cybersecurity that imagines worst-case scenarios and explores a range of solutions to mitigate threats to the ecosystem of local government technology. This should involve prioritizing funding for cybersecurity, establishing stronger cybersecurity policies and training employees in cybersecurity protocols. Success will require collaboration with local elected officials, internet-technology and cybersecurity staff members, department managers and end users.

We like to advise that cyber security is 75% user education & 25% technology

Cybersecurity is more than just the I.T. department’s problem. It must now also be a top priority along the entire chain of elected and appointed officials in and around local governments. Preventing and mitigating the effects of future attacks will require intergovernmental cooperation, because localities work together across state lines and collaborate with the federal government on crucial tasks like running elections, managing transportation and sharing intelligence.

Most technological advances are transforming local governments for the better, moving them from inefficient and costly paper systems to digital systems that allow for better analysis and understanding of policy decisions. The science of analytics and big data promises even greater leaps for local governments in evidence-based policymaking. These exciting developments may one day radically alter the ways that traditional local government services are financed, operated and managed.

But we cannot get lost in the excitement. We must actively prepare for cyberthreats of the sort that have been demonstrated in places like Atlanta. If smart cities and communities are the brightly lit days of the increasingly connected world of local government technology, cyberattacks are the dark and stormy nights. We don’t need to halt technological deployments and evolution, but we do need to recognize that cybersecurity is an essential counterpart.

Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE

Quote

You’ll want to install the March update. Like right now – if you can avoid broken networking

In other words you choice is prevent data theft, or have working networking. Wow, as this article concludes, it is indeed a Tough choice

Update: A user in the comments to this article stated

The March cumulative updates have been pulled by Microsoft for Windows 7 and 2008R2 due to the networking bug, although still available if you are using WSUS / SCCM and fancy a gamble. You can still get hold of them direct from the Windows Update Catalog but read the KB articles first as they now say you have to run a script first to ensure you don’t lose networking.

HHmmm that needs to verified. Below is the full article:

Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE
You’ll want to install the March update. Like right now – if you can avoid broken networking
By Shaun Nichols in San Francisco 28 Mar 2018 at 00:21
59 Reg comments SHARE ▼
Embarrassed/exhausted man sits in front of laptop in hipstery office. Photo by Shutterstock

Microsoft’s January and February security fixes for Intel’s Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes.

This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple’s FileVault disk encryption system.

We’re told Redmond’s early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system’s memory map, gain administrator-level privileges, and extract and modify any information in RAM.

Ouch!

The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.
Sunk by its own hand

According to Frisk, who backed up his claim with a detailed breakdown and a proof-of-concept exploit, the problem boils down to a single bit accidentally set by the kernel in a CPU page table entry. This bit enabled read-write user-mode access to the top-level page table itself.

On Windows 7 and Server 2008 that PML4 table is at a fixed address, so it can always be found and modified by exploit code. With that key permission bit flipped from supervisor-only to any-user, the table allowed all processes to modify said table, and thus pull up and write to memory addresses they are not supposed to reach.

Think of these tables as a telephone directory for the CPU, letting it know where memory is located and what can access it. Microsoft’s programmers accidentally left the top-level table marked completely open for user-mode programs to alter, allowing them to rewrite the computer’s directory of memory mappings.

Further proof-of-concept code can be found here.
Total meltdown

“Windows 7 already did the hard work of mapping in the required memory into every running process,” Frisk explained. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!”

Windows 8.x and Windows 10 aren’t affected. The March 13 Patch Tuesday updates contain a fix that addresses this permission bit cockup for affected versions, we’re told.

Microsoft did not respond to a request for comment on the matter.

In short, patch your Windows 7 and Server 2008 R2 machines with the latest security updates to protect against this OS flaw, otherwise any processes or users can tamper with and steal data from physical RAM, and give themselves admin-level control. Or don’t apply any of the Meltdown fixes and allow programs to read from kernel memory.
Networking not working

Fingers crossed your system isn’t among those that will suffer networking woes caused by the March security patches. Microsoft’s security updates this month broke static IP address and vNIC settings on select installations, knocking unlucky virtual machines, servers, and clients offline.

For example, with patch set KB4088878 for Windows 7 and Server 2008 R2, Redmond admitted:

A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused. Microsoft is working on a resolution and will provide an update in an upcoming release.

Static IP address settings are lost after you apply this update. Microsoft is working on a resolution and will provide an update in an upcoming release.

Prevent data theft, or have working networking. Tough choice.

See What Google Has on You

Want to see what Google has on you, well My Activity will do that. I love the innocent picture. Oh how sweet. Google working for to make a better experience. What bollocks. At every step of trying to delete your data, you get pop-ups warning you how bad what you are trying to do is (along with more innocent pictures).

Here is the real picture (lower right) that should be posted.

 

 

To be fair, if you ignore all the pretty happy warnings “do no harm” nonense warnings, you can turn a lot stuff off. That said, can you trust them? I can’t.

TLS 1.3 internet crypto approved

Quote

A much-needed update to internet security has finally passed at the Internet Engineering Task Force (IETF), after four years and 28 drafts.

Internet engineers meeting in London, England, approved the updated TLS 1.3 protocol despite a wave of last-minute concerns that it could cause networking nightmares.

TLS 1.3 won unanimous approval (well, one “no objection” amid the yeses), paving the way for its widespread implementation and use in software and products from Oracle’s Java to Google’s Chrome browser.


Under TLS 1.2 this is a fairly lengthy process that can take as much as half-a-second:

The client says hi to the server and offers a range of strong encryption systems it can work with
The server says hi back, explains which encryption system it will use and sends an encryption key
The client takes that key and uses it to encrypt and send back a random series of letters
Together they use this exchange to create two new keys: a master key and a session key – the master key being stronger; the session key weaker.
The client then says which encryption system it plans to use for the weaker, session key – which allows data to be sent much faster because it doesn’t have to be processed as much
The server acknowledges that system will be used, and then the two start sharing the actual information that the whole exchange is about

TLS 1.3 speeds that whole process up by bundling several steps together:

The client says hi, here’s the systems I plan to use
The server gets back saying hi, ok let’s use them, here’s my key, we should be good to go
The client responds saying, yep that all looks good, here are the session keys

As well as being faster, TLS 1.3 is much more secure because it ditches many of the older encryption algorithms that TLS 1.2 supports that over the years people have managed to find holes in. Effectively the older crypto-systems potentially allowed miscreants to figure out what previous keys had been used (called “non-forward secrecy”) and so decrypt previous conversations.

Facebook Leak or OMG – you mean facebook has my data?

Well unless you live under a rock, Facebook has been caught once again with their pants down. Lets see…

LONDON — As the upstart voter-profiling company Cambridge Analytica prepared to wade into the 2014 American midterm elections, it had a problem.

The firm had secured a $15 million investment from Robert Mercer, the wealthy Republican donor, and wooed his political adviser, Stephen K. Bannon, with the promise of tools that could identify the personalities of American voters and influence their behavior. But it did not have the data to make its new products work.

So the firm harvested private information from the Facebook profiles of more than 50 million users without their permission, according to former Cambridge employees, associates and documents, making it one of the largest data leaks in the social network’s history. The breach allowed the company to exploit the private social media activity of a huge swath of the American electorate, developing techniques that underpinned its work on President Trump’s campaign in 2016.


But the full scale of the data leak involving Americans has not been previously disclosed — and Facebook, until now, has not acknowledged it. Interviews with a half-dozen former employees and contractors, and a review of the firm’s emails and documents, have revealed that Cambridge not only relied on the private Facebook data but still possesses most or all of the trove.

Read more

Oh I am so shocked, SHOCKED I Say

And today learned that Cambridge Analytica Suspends C.E.O. Amid Facebook Data Scandal

Cambridge Analytica, the political data firm with ties to President Trump’s 2016 campaign, suspended its chief executive, Alexander Nix, on Tuesday, amid the furor over the access it gained to private information on more than 50 million Facebook users.

The decision came after a television broadcast in which Mr. Nix was recorded suggesting that the company had used seduction and bribery to entrap politicians and influence foreign elections.

The suspension marked a new low point for the fortunes of Cambridge Analytica and for Mr. Nix, who spent much of the past year making bold claims about the role his outfit played in the election of Mr. Trump. The company, founded by Stephen K. Bannon and Robert Mercer, a wealthy Republican donor who has put at least $15 million into it, offered tools that it claimed could identify the personalities of American voters and influence their behavior.

So-called psychographic modeling techniques, which were built in part with the data harvested from Facebook, underpinned Cambridge Analytica’s work for the Trump campaign in 2016. Mr. Nix once called the practice “our secret sauce,” though some have questioned its effectiveness.

But in recent days, the firm has found itself under increased scrutiny from lawmakers, regulators and prosecutors in the United States and Britain following reports in The New York Times and The Observer of London that the firm had harvested the Facebook data, and that it still had a copy of the information.

Read more

As I said before, anyone who uses facebook, has an Alexa, smart TVs (for the clueless) and so forth really needs to get educated on privacy and IT Security. I will copy and post the “Whips” excellent comment to this article

Let’s be clear here: Facebook doesn’t steal our data; we give it to them, one Like at a time.

For decades, Europe has had a Data Protection Directive that runs circles around the U.S.’s, such as it is–and it’s about to get even stronger with the GDPR, which will improve user control over our own data.

Instead of Americans spewing moral outrage at the weekly corporate affront (last week Experian, this week Facebook, next week who knows), why not grow up and demand a national approach to data protection?

Lets Encrypt/Certbot

Been busy updating and moving our server last few weeks so not much time for posting. I did try out Lets Encrypt. My experience is mixed. I wanted to put it on our *non store* sites like this one. (On our store we use a real paid for cert.) They seem to have a lot of issues with timeouts and no real solution. We were able to hit their limits. For every timeout we encountered, they had actually issued a cert, but we never got it.

It is a nice idea, but it is not with out controversy. Here is a good article:

Lets Encrypt Good, Bad, Ugly

Equifax finds 2.4 million more folk hit by breach

Well here is **no** surprise.
Quote

Embattled credit-reporting company Equifax has done some data crunching and discovered another 2.4 million people that had their information slurped by hackers.

The biz, which was subject to one of the biggest data breaches in US history last May, has already had to revise up the number of affected individuals.

The total stood at 145 million in the US and hundreds of thousands in the UK and Canada – but it’s now found a few more people that previously escaped its “forensic” testings.

In a statement released today, Equifax said that ongoing analysis of the stolen data had allowed it to confirm the identities of an additional 2.4 million folks in the US who had partial driving licence information taken.

“This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates,” the statement said.

Malicious Chrome extension is next to impossible to manually remove

Quote

Proving once again that Google Chrome extensions are the Achilles heel of what’s arguably the Internet’s most secure browser, a researcher has documented a malicious add-on that tricks users into installing it and then, he said, is nearly impossible for most to manually uninstall. It was available for download on Google servers until Wednesday, 19 days after it was privately reported to Google security officials, a researcher said.

Once installed, an app called “Tiempo en colombia en vivo” prevents users from accessing the list of installed Chrome extensions by redirecting requests to chrome://apps/?r=extensions instead of chrome://extensions/, the page that lists all installed extensions and provides an interface for temporarily disabling or uninstalling them. Malwarebytes researcher Pieter Arntz said he experimented with a variety of hacks—including disabling JavaScript in the browser, starting Chrome with all extensions disabled, and renaming the folder where extensions are stored—none of them worked. Removing the extension proved so difficult that he ultimately advised users to run the free version of Malwarebytes and let it automatically remove the add-on.

When Arntz installed the extension on a test machine, Chrome spontaneously clicked on dozens of YouTube videos, an indication that inflating the number of views was among the things it did. The researcher hasn’t ruled out the possibility that the add-on did more malicious things because the amount of obfuscated JavaScript it contained made a comprehensive analysis too time consuming. The researcher provided additional details in a blog post published Thursday.

Tiempo en colombia en vivo racked up almost 11,000 installs before Google removed it, but it may have found its way onto still more computers. That’s because a variety of abusive websites are using a technique that tricks inexperienced users into installing the extension. As Malwarebytes explained in late 2016, the forced install trick uses JavaScript to provide a dialog box that says visitors must install the extension before they can leave the page. Clicking cancel or closing the tab produces an unending series of variations on that message. Arntz said he privately reported the extension to Google on December 29 and that it remained available on the Chrome Store until Wednesday.

Arntz said he found a Firefox extension that also resisted user attempts to uninstall it, but the block was relatively easy to bypass. The researcher has yet to find any indication the add-on was available in the Firefox Extensions store.

Once again Caveat Emptor: Just because it is an app store, doesn’t mean its not malware.

Spectre and Meltdown Vulnerabilities

From our Partner ESET

On Wednesday, January 3rd, security researchers released details on vulnerabilities in several common processor designs. Some of these vulnerabilities specifically affect Intel chips, while other vulnerabilities are present in almost all AMD, ARM and Intel chips.  These weaknesses may place sensitive system data at risk of exposure to attackers.

As stated by researchers, there are theoretical ways that antivirus software could detect the problem. However, detection would have an extremely negative impact on device performance, and significantly influence user experience; it would be a less effective approach than prevention. Therefore, we are recommending that users take the following steps:

  • Keep track of any related patches for their systems and apply them as soon as possible
  • Keep all other software updated, including web browsers
  • Be on the lookout for phishing emails, which are still the number one way for hackers to get a foothold on your computer

More details are available in the following links: