
Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE

Quote

You’ll want to install the March update. Like right now – if you can avoid broken networking

In other words, your choice is: prevent data theft, or have working networking. Wow, as this article concludes, it is indeed a tough choice.

Update: A user in the comments on this article stated:

The March cumulative updates have been pulled by Microsoft for Windows 7 and 2008R2 due to the networking bug, although still available if you are using WSUS / SCCM and fancy a gamble. You can still get hold of them direct from the Windows Update Catalog but read the KB articles first as they now say you have to run a script first to ensure you don’t lose networking.

Hmmm, that needs to be verified. Below is the full article:

Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE
By Shaun Nichols in San Francisco, 28 Mar 2018 at 00:21

Microsoft’s January and February security fixes for Intel’s Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes.

This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple’s FileVault disk encryption system.

We’re told Redmond’s early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system’s memory map, gain administrator-level privileges, and extract and modify any information in RAM.

Ouch!

The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.
Sunk by its own hand

According to Frisk, who backed up his claim with a detailed breakdown and a proof-of-concept exploit, the problem boils down to a single bit accidentally set by the kernel in a CPU page table entry. This bit enabled read-write user-mode access to the top-level page table itself.

On Windows 7 and Server 2008 that PML4 table is at a fixed address, so it can always be found and modified by exploit code. With that key permission bit flipped from supervisor-only to any-user, the table allowed all processes to modify said table, and thus pull up and write to memory addresses they are not supposed to reach.

Think of these tables as a telephone directory for the CPU, letting it know where memory is located and what can access it. Microsoft’s programmers accidentally left the top-level table marked completely open for user-mode programs to alter, allowing them to rewrite the computer’s directory of memory mappings.

Further proof-of-concept code can be found here.
Total meltdown

“Windows 7 already did the hard work of mapping in the required memory into every running process,” Frisk explained. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!”

Windows 8.x and Windows 10 aren’t affected. The March 13 Patch Tuesday updates contain a fix that addresses this permission bit cockup for affected versions, we’re told.

Microsoft did not respond to a request for comment on the matter.

In short, patch your Windows 7 and Server 2008 R2 machines with the latest security updates to protect against this OS flaw, otherwise any processes or users can tamper with and steal data from physical RAM, and give themselves admin-level control. Or don’t apply any of the Meltdown fixes and allow programs to read from kernel memory.
Networking not working

Fingers crossed your system isn’t among those that will suffer networking woes caused by the March security patches. Microsoft’s security updates this month broke static IP address and vNIC settings on select installations, knocking unlucky virtual machines, servers, and clients offline.

For example, with patch set KB4088878 for Windows 7 and Server 2008 R2, Redmond admitted:

A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused. Microsoft is working on a resolution and will provide an update in an upcoming release.

Static IP address settings are lost after you apply this update. Microsoft is working on a resolution and will provide an update in an upcoming release.

Prevent data theft, or have working networking. Tough choice.
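The permission-bit failure the article describes is easiest to see in a model of the page walk itself. The following is an added example written for this page; it is not Frisk’s proof-of-concept and not Microsoft’s kernel code. It models x86-64 four-level paging in Python with constructed physical memory, and assumes a PML4 self-reference slot of 0x1ED (the value Windows 7 x64 is widely documented to use, which puts the PML4 at virtual address 0xFFFFF6FB7DBED000; both numbers are assumptions here, not taken from the article), 4 KiB pages only, and no NX bit, large pages or TLB. The walk refuses a user-mode access unless the U/S bit is set at every level, as the CPU does. `demonstrate()` first shows that user mode faults on the PML4 page while the self-map entry is supervisor-only, then sets that one bit and shows a user-mode write into the PML4 followed by a read of an arbitrary physical frame through the same self map.

```python
# Added example: a model of x86-64 four-level paging, not code from Frisk or Microsoft.
# Assumptions: PML4 self-reference slot 0x1ED (as Windows 7 x64 is documented to use),
# 4 KiB pages only, no NX bit, large pages or TLB. Physical memory is a constructed dict.

PRESENT = 1 << 0
WRITE = 1 << 1
USER = 1 << 2                     # U/S bit: 1 = user mode may touch it, 0 = supervisor only
PFN_MASK = 0x000F_FFFF_FFFF_F000  # bits 12..51 of an entry hold the physical frame number
SELF_SLOT = 0x1ED                 # assumed self-map index


class PageFault(Exception):
    pass


def pte(pfn, flags):
    """Page-table entry pointing at physical frame pfn with the given permission bits."""
    return (pfn << 12) | flags


def indices(va):
    """PML4, PDPT, PD and PT indices of a 48-bit canonical virtual address."""
    return tuple((va >> shift) & 0x1FF for shift in (39, 30, 21, 12))


def self_map_va(last_index):
    """Virtual address whose walk goes PML4 -> PML4 -> PML4 -> PML4[last_index] -> target.

    With last_index == SELF_SLOT the target is the PML4 page itself."""
    va = (SELF_SLOT << 39) | (SELF_SLOT << 30) | (SELF_SLOT << 21) | (last_index << 12)
    if va & (1 << 47):                        # canonical sign extension of bit 47
        va |= 0xFFFF_0000_0000_0000
    return va


class Mmu:
    """Constructed physical memory: frame number -> 512 eight-byte words (a table or data)."""

    def __init__(self):
        self.mem = {}
        self.pml4 = 0x1000                    # arbitrary frame for this process's PML4
        # Correct kernel: the self-map entry is present and writable but supervisor-only.
        self.frame(self.pml4)[SELF_SLOT] = pte(self.pml4, PRESENT | WRITE)

    def frame(self, pfn):
        return self.mem.setdefault(pfn, [0] * 512)

    def walk(self, va, user=False, write=False):
        """Translate va to a physical address, faulting the way the CPU would: a user-mode
        access needs U/S at every level, a write needs R/W at every level."""
        pfn = self.pml4
        for level, idx in zip(("PML4", "PDPT", "PD", "PT"), indices(va)):
            entry = self.frame(pfn)[idx]
            if not entry & PRESENT:
                raise PageFault(f"{level}[{idx:#x}] not present")
            if user and not entry & USER:
                raise PageFault(f"{level}[{idx:#x}] is supervisor-only")
            if write and not entry & WRITE:
                raise PageFault(f"{level}[{idx:#x}] is read-only")
            pfn = (entry & PFN_MASK) >> 12
        return (pfn << 12) | (va & 0xFFF)

    def read(self, va, user=False):
        pa = self.walk(va, user=user)
        return self.frame(pa >> 12)[(pa & 0xFFF) >> 3]

    def write(self, va, value, user=False):
        pa = self.walk(va, user=user, write=True)
        self.frame(pa >> 12)[(pa & 0xFFF) >> 3] = value


def demonstrate():
    """Return (fault text while the bit is correct, value leaked once the bit is set)."""
    mmu = Mmu()
    secret_pfn = 0x4242                       # a frame no user-mode mapping reaches
    mmu.frame(secret_pfn)[0] = 0xDEAD_BEEF    # constructed "kernel secret"
    pml4_va = self_map_va(SELF_SLOT)          # 0xFFFFF6FB7DBED000 under the assumptions above

    try:                                      # 1. correct entry: user access to the PML4 faults
        mmu.read(pml4_va, user=True)
        fault = "no fault"
    except PageFault as exc:
        fault = str(exc)

    mmu.frame(mmu.pml4)[SELF_SLOT] |= USER    # 2. the bug: one bit set by the kernel

    # 3. user mode can now write its own PML4 through the self map: aim a spare slot at
    #    the secret frame, then read that frame back through the same self map.
    spare = 0x100
    mmu.write(pml4_va + spare * 8, pte(secret_pfn, PRESENT | WRITE | USER), user=True)
    leaked = mmu.read(self_map_va(spare), user=True)
    return fault, leaked


if __name__ == "__main__":
    print(demonstrate())
```

The point the model makes is that nothing below the PML4 has to be wrong: because the self-map entry is reused at every level of the walk, the U/S bit on that single entry is the only thing standing between a user process and the table that defines its own address space, and once the table is writable every physical frame is one entry write away.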

Internet of insecure Things: Software still riddled with security holes

Quote

An audit of the security of IoT mobile applications available on official stores has found that tech to safeguard the world of connected things remains outstandingly mediocre.

Pradeo Security put a representative sample of 100 iOS and Android applications developed to manage connected objects (heaters, lights, door-locks, baby monitors, CCTV etc) through their paces.

Researchers at the mobile security firm found that around one in seven (15 per cent) applications sourced from the Google Play and Apple App Store were vulnerable to takeover. Hijacking was a risk because these apps were discovered to be defenceless against bugs that might lend themselves to man-in-the-middle attacks.

Four in five of the tested applications carry vulnerabilities, with an average of 15 per application.

Internet of insecure Things: Software still riddled with security holes
Which means devices could be pwned by crooks
By John Leyden 28 Mar 2018 at 15:29

Around one in 12 (8 per cent) of applications phoned home or otherwise connected to uncertified servers. “Among these, some [certificates] have expired and are available for sale. Anyone buying them could access all the data they receive,” Pradeo warns.

Pradeo’s team also discovered that the vast majority of the apps leaked the data they processed. Failings in this area were many and varied.

Application file content: 81 per cent of applications
Hardware information (device manufacturer, commercial name, battery status…): 73 per cent
Device information (OS version number…): 73 per cent
Temporary files: 38 per cent
Phone network information (service provider, country code…): 27 per cent
Video and audio records: 19 per cent
Files coming from app static data: 19 per cent
Geolocation: 12 per cent
Network information (IP address, 2D address, Wi-Fi connection state): 12 per cent
Device identifiers (IMEI): 8 per cent

Pradeo Security said it had notified the vendors involved about the security problems it uncovered in their kit.

Misuse Of Facebook User Data Will Happen Again And Again

Once again, the Onion nails it!

Quote

Mark Zuckerberg Promises That Misuse Of Facebook User Data Will Happen Again And Again

MENLO PARK, CA—In an effort to demonstrate the social media platform’s total commitment to profits, Mark Zuckerberg took to his personal Facebook page Thursday to promise that the company’s misuse of personal data will, as of now, happen again and again. “We have a responsibility to our users, and if we can’t repeatedly betray your trust and sell your private information to the highest bidder, then we don’t deserve to serve you,” said Zuckerberg in his first public statement on the matter, adding that users should feel confident that the social network would do everything in its power to exploit them, through both third-party applications and partnerships with shadowy marketing firms willing to pay any price Facebook asks. “In 2013, a Cambridge University researcher named Alexandr Kogan stole personal data through a personality quiz, and since then, we’ve worked tirelessly to ensure it can be distributed everywhere, for as long as we exist. I invented Facebook, and at the end of the day, I’m solely responsible for what information is regularly released to unknown, unauthorized sources on this platform.” According to reports, Zuckerberg then announced that Facebook would soon be adding new privacy tools to provide users with the false sense that they had any control

Facebook severs ties to data brokers

Quote

The Social Network™ all-but-admits its previous legalese for developers was useless

Facebook has outlined a set of changes to its platform that impact developers and data brokers.

Facebook has a program called “Partner Categories” that it tells advertisers will let them “further refine your targeting based on information compiled by … partners, such as offline demographic and behavioural information like homeownership or purchase history.”

The partners Facebook uses are Acxiom, CCC Marketing, Epsilon, Experian, Oracle Data Cloud and Quantium.

Graham Mudd, a Facebook product marketing director, said that using such providers to refine ad targeting “is common industry practice” but that Facebook feels “this step, winding down over the next six months, will help improve people’s privacy on Facebook.”

On its own platform, Facebook has promised new fine print for business-to-business applications, complete with “rigorous policies and terms”. Which kind of admits some of Facebook’s past fine print was floppy. Perhaps floppy enough to let data flow to Cambridge Analytica and beyond?

Also notable is a change that means apps that provide access to lists of a user’s friends will now be reviewed by Facebook.

So there you have it. No real change. They can’t change. Facebook needs to sell data like Starbucks needs to sell coffee. It is their business and you are their product. They will continue to mine and map your information with their third-party partners to create highly targeted ads.

Want it to stop? Delete your Facebook Account now would be a good start.

Facebook Inspired Killings

This is an article from Oct 2017. While I have excerpted it here, I think it is worth a complete read (see Quote). It is an excellent article that I feel shows the complexity and human-cost side of Facebook.

Quote

… But while the focus on Russia is understandable, Facebook has been much less vocal about the abuse of its services in other parts of the world, where the stakes can be much higher than an election.
..
the ethnic cleansing of Rohingya Muslims, an ethnic minority in Myanmar that has been subjected to brutal violence and mass displacement. Violence against the Rohingya has been fueled, in part, by misinformation and anti-Rohingya propaganda spread on Facebook, which is used as a primary news source by many people in the country. Doctored photos and unfounded rumors have gone viral on Facebook, including many shared by official government and military accounts….In Myanmar, the rise in anti-Rohingya sentiment coincided with a huge boom in social media use that was partly attributable to Facebook itself. In 2016, the company partnered with MPT, the state-run telecom company, to give subscribers access to its Free Basics program. Free Basics includes a limited suite of internet services, including Facebook, that can be used without counting toward a cellphone data plan. As a result, the number of Facebook users in Myanmar has skyrocketed to more than 30 million today from 2 million in 2014.

In India, where internet use has also surged in recent years, WhatsApp, the popular Facebook-owned messaging app, has been inundated with rumors, hoaxes and false stories. In May, the Jharkhand region in Eastern India was destabilized by a viral WhatsApp message that falsely claimed that gangs in the area were abducting children. The message incited widespread panic and led to a rash of retaliatory lynchings, in which at least seven people were beaten to death. A local filmmaker, Vinay Purty, told the Hindustan Times that many of the local villagers simply believed the abduction myth was real, since it came from WhatsApp….
The company has made many attempts to educate users about the dangers of misinformation. In India and Malaysia, it has taken out newspaper ads with tips for spotting false news. In Myanmar, it has partnered with local organizations to distribute printed copies of its community standards, as well as created educational materials to teach citizens about proper online behavior.

But these efforts, as well-intentioned as they may be, have not stopped the violence, and Facebook does not appear to have made them a top priority. The company has no office in Myanmar, and neither Mr. Zuckerberg nor Ms. Sandberg has made any public statements about the Rohingya crisis.

Facebook has argued that the benefits of providing internet access to international users will ultimately outweigh the costs. Adam Mosseri, a Facebook vice president who oversees the News Feed, told a journalism gathering this month, “In the end, I don’t think we as a human race will regret the internet.” Mr. Zuckerberg echoed that sentiment in a 2013 manifesto titled “Is Connectivity a Human Right?,” in which he said that bringing the world’s population online would be “one of the most important things we all do in our lifetimes.”

That optimism may be cold comfort to people in places like South Sudan. Despite being one of the poorest and least-wired countries in the world, with only around 20 percent of its citizens connected to the internet, the African nation has become a hotbed of social media misinformation. As BuzzFeed News has reported, political operatives inside and outside the country have used Facebook posts to spread rumors and incite anger between rival factions, fostering violence that threatens to escalate into a civil war. A United Nations report last year determined that in South Sudan, “social media has been used by partisans on all sides, including some senior government officials, to exaggerate incidents, spread falsehoods and veiled threats, or post outright messages of incitement.”

Peter Thiel Employee Helped Cambridge Analytica Before It Harvested Data

Quote

I think this story shows that the Facebook data mining is the tip of the iceberg. It will drag in Google and others.

As a start-up called Cambridge Analytica sought to harvest the Facebook data of tens of millions of Americans in summer 2014, the company received help from at least one employee at Palantir Technologies, a top Silicon Valley contractor to American spy agencies and the Pentagon.

It was a Palantir employee in London, working closely with the data scientists building Cambridge’s psychological profiling technology, who suggested the scientists create their own app — a mobile-phone-based personality quiz — to gain access to Facebook users’ friend networks, according to documents obtained by The New York Times.

Cambridge ultimately took a similar approach. By early summer, the company found a university researcher to harvest data using a personality questionnaire and Facebook app. The researcher scraped private data from over 50 million Facebook users — and Cambridge Analytica went into business selling so-called psychometric profiles of American voters, setting itself on a collision course with regulators and lawmakers in the United States and Britain.

The revelations pulled Palantir — co-founded by the wealthy libertarian Peter Thiel — into the furor surrounding Cambridge, which improperly obtained Facebook data to build analytical tools it deployed on behalf of Donald J. Trump and other Republican candidates in 2016. Mr. Thiel, a supporter of President Trump, serves on the board at Facebook.

The connections between Palantir and Cambridge Analytica were thrust into the spotlight by Mr. Wylie’s testimony on Tuesday. Both companies are linked to tech-driven billionaires who backed Mr. Trump’s campaign: Cambridge is chiefly owned by Robert Mercer, the computer scientist and hedge fund magnate, while Palantir was co-founded in 2003 by Mr. Thiel, who was an initial investor in Facebook.

Google Link?

A former intern at SCL — Sophie Schmidt, the daughter of Eric Schmidt, then Google’s executive chairman — urged the company to link up with Palantir, according to Mr. Wylie’s testimony and a June 2013 email viewed by The Times.

“Ever come across Palantir. Amusingly Eric Schmidt’s daughter was an intern with us and is trying to push us towards them?” one SCL employee wrote to a colleague in the email.

Ms. Schmidt did not respond to requests for comment, nor did a spokesman for Cambridge Analytica.

In an interview this month with The Times, Mr. Wylie said that Palantir employees were eager to learn more about using Facebook data and psychographics. Those discussions continued through spring 2014, according to Mr. Wylie.

Mr. Wylie said that he and Mr. Nix visited Palantir’s London office on Soho Square. One side was set up like a high-security office, Mr. Wylie said, with separate rooms that could be entered only with particular codes. The other side, he said, was like a tech start-up — “weird inspirational quotes and stuff on the wall and free beer, and there’s a Ping-Pong table.”

Mr. Chmieliauskas continued to communicate with Mr. Wylie’s team in 2014, as the Cambridge employees were locked in protracted negotiations with a researcher at Cambridge University, Michal Kosinski, to obtain Facebook data through an app Mr. Kosinski had built. The data was crucial to efficiently scale up Cambridge’s psychometrics products so they could be used in elections and for corporate clients.

“I had left field idea,” Mr. Chmieliauskas wrote in May 2014. “What about replicating the work of the cambridge prof as a mobile app that connects to facebook?” Reproducing the app, Mr. Chmieliauskas wrote, “could be a valuable leverage negotiating with the guy.”

Those negotiations failed. But Mr. Wylie struck gold with another Cambridge researcher, the Russian-American psychologist Aleksandr Kogan, who built his own personality quiz app for Facebook. Over subsequent months, Dr. Kogan’s work helped Cambridge develop psychological profiles of millions of American voters.

One can only hope this will broaden the understanding of what “you are the product” means to free services peddled by big tech. Then again…..

See What Google Has on You

Want to see what Google has on you? Well, My Activity will do that. I love the innocent picture. Oh, how sweet: Google working to make you a better experience. What bollocks. At every step of trying to delete your data, you get pop-ups warning you how bad what you are trying to do is (along with more innocent pictures).

Here is the real picture (lower right) that should be posted.

To be fair, if you ignore all the pretty, happy “do no harm” nonsense warnings, you can turn a lot of stuff off. That said, can you trust them? I can’t.

Mozilla pulls ads from Facebook after spat over privacy controls

Quote

The Mozilla Foundation has expressed its discomfort at the Cambridge Analytica revelations by pulling its ads from Facebook.

While the disappearance of Mozilla’s modest ad spend is hardly going to bring down The Social Network™, the organisation’s decision to “pause” its Facebook advertising came after Zuckerland tried to assure Mozilla that the conditions that prevailed in 2015 (when Cambridge Analytica breached its terms of service) had long been addressed.

On March 20, Mozilla made this statement on the scandal, asking Facebook to protect privacy “by default” [Good luck with that one – Ed], and saying its app permissions leave “billions of its users vulnerable without knowing it”.

Mozilla also launched a petition against apps that access data on people other than that of the individual who installed an app. Facebook apparently took exception to that. Here’s what Mozilla added on March 22:

Facebook reached out to us to discuss how we characterized their settings and to tell us that our original blog post overstated the scope of data sharing with app developers. What we described is an accurate characterization of what appears in Facebook’s settings.

What Facebook told us is that what we have written below is only true generally for third-party apps prior to 2015. Again, this isn’t clear in the user-facing tools and we think this needs to be fixed.

….
The Society’s position statement says the data-slurp, micro-targeting, psychographics and exploitation “raise questions about the possibility that Facebook data has been, or is being used improperly elsewhere. ISBA is asking Facebook for a full account of further potential issues so that advertisers can take appropriate measures.

TLS 1.3 internet crypto approved

Quote

A much-needed update to internet security has finally passed at the Internet Engineering Task Force (IETF), after four years and 28 drafts.

Internet engineers meeting in London, England, approved the updated TLS 1.3 protocol despite a wave of last-minute concerns that it could cause networking nightmares.

TLS 1.3 won unanimous approval (well, one “no objection” amid the yeses), paving the way for its widespread implementation and use in software and products from Oracle’s Java to Google’s Chrome browser.


Under TLS 1.2 this is a fairly lengthy process that can take as much as half-a-second:

The client says hi to the server and offers a range of strong encryption systems it can work with
The server says hi back, explains which encryption system it will use and sends an encryption key
The client takes that key and uses it to encrypt and send back a random series of letters
Together they use this exchange to create two new keys: a master key and a session key – the master key being stronger; the session key weaker.
The client then says which encryption system it plans to use for the weaker, session key – which allows data to be sent much faster because it doesn’t have to be processed as much
The server acknowledges that system will be used, and then the two start sharing the actual information that the whole exchange is about

TLS 1.3 speeds that whole process up by bundling several steps together:

The client says hi, here’s the systems I plan to use
The server gets back saying hi, ok let’s use them, here’s my key, we should be good to go
The client responds saying, yep that all looks good, here are the session keys

As well as being faster, TLS 1.3 is much more secure because it ditches many of the older encryption algorithms that TLS 1.2 supports that over the years people have managed to find holes in. Effectively the older crypto-systems potentially allowed miscreants to figure out what previous keys had been used (called “non-forward secrecy”) and so decrypt previous conversations.
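Two passages above come down to the same client-side configuration: the IoT-app audit found apps “defenceless against bugs that might lend themselves to man-in-the-middle attacks” and talking to “uncertified servers”, and the TLS 1.3 piece notes that the older key-exchange methods let an attacker who later obtains a key decrypt past sessions. The following is an added example for this page, not code from The Register, Pradeo or any product they discuss. It uses Python’s `ssl` module (the cipher string and the `kx-*` key-exchange names are OpenSSL’s, as `SSLContext.get_ciphers()` exposes them) to put the MITM-prone anti-pattern next to a hardened client that verifies the chain and hostname, refuses anything below TLS 1.2 and, for TLS 1.2, negotiates only ephemeral (EC)DHE AEAD suites. Every TLS 1.3 key exchange is ephemeral by design, so the `kx-rsa` suites the audit flags can only show up under TLS 1.2; the audit function is what you would run over a context before shipping it. Nothing here contacts a server.

```python
import ssl

# Forward-secret key exchange as OpenSSL names it through SSLContext.get_ciphers():
# 'kx-ecdhe' / 'kx-dhe' (ephemeral DH under TLS 1.2) and 'kx-any' (TLS 1.3, always ephemeral).
# Anything else ('kx-rsa', 'kx-psk', 'kx-rsa-psk', ...) lets a later-captured private key or
# PSK decrypt recorded traffic.
FORWARD_SECRET_KX = ("dhe", "any")


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: accepts any certificate for any hostname, so a MITM presenting a
    self-signed certificate is indistinguishable from the real device cloud."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verifies the chain against the system trust store, checks the hostname, refuses
    TLS < 1.2 and, for TLS 1.2, allows only ephemeral (EC)DHE AEAD suites. TLS 1.3 suites
    are governed separately by OpenSSL and are forward secret by construction."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True + default CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def lacks_forward_secrecy(cipher: dict) -> bool:
    """cipher is one element of SSLContext.get_ciphers(); True for static key exchange."""
    kea = str(cipher.get("kea") or "").lower()
    return not any(tag in kea for tag in FORWARD_SECRET_KX)


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for a client context; an empty list means it passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version too low: {ctx.minimum_version.name}")
    weak = sorted(c["name"] for c in ctx.get_ciphers() if lacks_forward_secrecy(c))
    if weak:
        findings.append("non-forward-secret suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["ok"])
```

On a mobile app the same three checks apply whatever the TLS stack: certificate chain validation on, hostname matching on, and no static-RSA or anonymous suites in the allowed list; pinning the device vendor’s key is a further step this example does not take.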

Facebook’s Mark Zuckerberg Vows to Bolster Privacy Amid Cambridge

Sounds like bullshit to me. And how can he even do this? This is his business: harvesting and selling his users’ personal data by offering a honeypot free service to clueless (and some not so clueless) users.

After several days of silence, amid a growing chorus of criticism, Facebook chief executive Mark Zuckerberg publicly addressed the misuse of data belonging to 50 million users of the social network.

“We have a responsibility to protect your data,” Mr. Zuckerberg said Wednesday in a Facebook post, his preferred means of communication, “and if we can’t then we don’t deserve to serve you.”

Wait – you don’t serve your users... they serve you, Zucky.
