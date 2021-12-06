Security Issues and Proprietary Blunders
Another data-leaking Spectre bug found, smashes Intel, Arm defenses
Intel this month published an advisory to address a novel Spectre v2 vulnerability in its processors that can be exploited by malware to steal data from memory that should otherwise be off limits.
Arm said a number of its processor cores are also affected by this security flaw, and like Intel, its hardware defenses can't block it outright, leaving developers to implement software-level mitigations.
Developer sabotages own npm module prompting open-source supply chain security questions [Ed: Misses the point that Microsoft was shipping this malware]
The node-ipc developer's attempt to protest Russia's attack on Ukraine has had the unintended consequence of casting more doubt on software supply chain integrity.
Exotic Lily is a business-like access broker for ransomware gangs [Ed: Microsoft Windows TCO]
Google's Threat Analysis Group (TAG) initially detected Exotic Lily – which the researchers describe as a "resourceful, financially motivated threat actor" – in September 2021 exploiting a zero-day flaw in Microsoft MSHTML (tracked as CVE-2021-40444). Further investigation found that the group was acting as an initial access broker (IAB) for a Russian gang known to Mandiant and FireEye as FIN12, to CrowdStrike as Wizard Spider, and to Microsoft as DEV-0193.
Linux botnet exploits Log4j flaw to hijack Arm, x86 systems [Ed: If you refused to patch your system for over 3 months]
Researchers at Chinese internet security company Qihoo 360's Network Security Research Lab discovered the botnet family, which they dubbed B1txor20, while it was infecting hosts via the Log4j vulnerability. It primarily targets Linux systems on Arm and 64-bit x86. Compromised devices are commandeered and brought into the network as remote-control bots, hence the term botnet.
Cyclops Blink malware sets up shop in ASUS routers • The Register
It's not yet clear exactly how the malware gets onto a device, though it probably involves exploiting a default admin password to gain access via an enabled remote management service. According to Trend Micro's Cyclops Blink technical analysis, once the modular malware, written in C, has been injected into the gateway and is running, it sets itself up and renames its process to "[ktest]", presumably to pass as a Linux kernel thread.
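The "[ktest]" trick only fools a glance at ps. A genuine kernel thread is a child of kthreadd (PID 2), has an empty /proc/PID/cmdline and no readable /proc/PID/exe; a user-space process that renames itself keeps its real parent, its argv and its executable image. The following detection logic is an added example written for this page, not code from Trend Micro's analysis or from the malware. The process records it runs over are constructed, and the live /proc reader is a convenience for Linux hosts.

```python
"""Flag user-space processes masquerading as kernel threads.

Tells used here (all visible in /proc on Linux):
  * kernel threads are children of kthreadd (PID 2);
  * their /proc/<pid>/cmdline is empty;
  * their /proc/<pid>/exe link cannot be read.
A process that only renames itself to "[ktest]" fails at least one of them.
"""
import os
import re

BRACKETED = re.compile(r"^\[.*\]$")   # "[ktest]", "[kworker/0:1]" style names


def is_impostor(proc):
    """proc: dict with pid, ppid, name (comm), cmdline (str), exe (str or None)."""
    bracketed_comm = BRACKETED.match(proc["name"]) is not None
    argv0 = proc["cmdline"].split(" ")[0] if proc["cmdline"] else ""
    bracketed_argv = BRACKETED.match(argv0) is not None
    if not (bracketed_comm or bracketed_argv):
        return False                       # not pretending to be a kthread
    if proc["pid"] == 2 and proc["ppid"] == 0:
        return False                       # kthreadd itself
    # A real kernel thread has PPID 2, no argv and no executable image.
    return proc["ppid"] != 2 or bool(proc["cmdline"]) or proc["exe"] is not None


def find_impostors(procs):
    return [p for p in procs if is_impostor(p)]


def snapshot_proc(root="/proc"):
    """Collect the same fields from a live Linux /proc."""
    procs = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{root}/{entry}/stat", "rb") as f:
                stat = f.read().decode("latin-1")
            with open(f"{root}/{entry}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode("latin-1")
        except OSError:
            continue                       # process exited while we looked
        # comm is parenthesised and may itself contain ')' or spaces, so
        # split on the last ')' before reading the remaining fields.
        name = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        try:
            exe = os.readlink(f"{root}/{entry}/exe")
        except OSError:
            exe = None
        procs.append({"pid": int(entry), "ppid": ppid, "name": name,
                      "cmdline": cmdline, "exe": exe})
    return procs


# Constructed sample records (not captured from a real device).
SAMPLE_PROCS = [
    {"pid": 2, "ppid": 0, "name": "kthreadd", "cmdline": "", "exe": None},
    {"pid": 15, "ppid": 2, "name": "kworker/0:1", "cmdline": "", "exe": None},
    {"pid": 1, "ppid": 0, "name": "init", "cmdline": "/sbin/init", "exe": "/sbin/init"},
    # hypothetical impostor: renamed comm, still has a parent, argv and an image
    {"pid": 4242, "ppid": 1, "name": "[ktest]", "cmdline": "[ktest]", "exe": "/tmp/.k"},
]

if __name__ == "__main__":
    procs = snapshot_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in find_impostors(procs):
        print(f"suspect pid={p['pid']} ppid={p['ppid']} name={p['name']!r} exe={p['exe']}")
```

On a router the same checks apply to whatever /proc the firmware exposes; the point is that process names are attacker-controlled while parentage and the exe link are not.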
OpenSSL patches crash-me bug triggered by rogue certs
A bug in OpenSSL certificate parsing leaves systems open to denial-of-service attacks from anyone wielding an explicit curve.
The vulnerability stems from a bug in the BN_mod_sqrt() function, which the OpenSSL team said is used to parse certificates that "contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form." As it turns out, all you need to do to trigger an infinite loop in BN_mod_sqrt() is hand an OpenSSL-based application or service a certificate with invalid explicit curve parameters.
This parsing happens prior to verification of the certificate's signature. Slip a bad certificate to any app or server using BN_mod_sqrt() to parse certs, and the software will get caught in the loop and stop working.
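Because the explicit-parameter decode runs before any signature check, a useful boundary control is to refuse certificates whose EC key carries explicit parameters at all: RFC 5480 requires PKIX certificates to identify the curve by OID (namedCurve), so explicit parameters are never needed from a well-behaved peer. The classifier below is an added example for this page, not OpenSSL's code; it takes a DER SubjectPublicKeyInfo (for a PEM cert, `openssl x509 -pubkey -noout` emits that structure) and reports whether the AlgorithmIdentifier parameters are a named curve, explicit parameters, or implicit. The DER inputs are hand-built here and the key bytes are placeholders, not real keys.

```python
"""Classify EC parameters in a DER SubjectPublicKeyInfo before a full parse.

AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
For id-ecPublicKey the parameters are one of:
    OID      -> namedCurve   (what PKIX requires)
    SEQUENCE -> explicit ECParameters (the input class behind the advisory)
    NULL     -> implicitlyCA
"""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
PRIME256V1 = "1.2.840.10045.3.1.7"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"


def _tlv(tag, value):
    """Minimal DER encoder: tag, definite length, value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(value):
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def ec_parameter_kind(spki_der):
    """Return 'named', 'explicit', 'implicit', 'absent', 'unknown' or 'not-ec'."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, alg, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, pos = _read_tlv(alg, 0)
    if tag != 0x06 or _decode_oid(oid) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):
        return "absent"
    tag, _, _ = _read_tlv(alg, pos)
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(tag, "unknown")


def spki_passes_curve_policy(spki_der):
    """Policy: EC keys must name their curve by OID; anything else is refused."""
    return ec_parameter_kind(spki_der) in ("named", "not-ec")


def _spki(alg_oid, params, key_bits):
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(alg_oid)) + params)
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + key_bits))


# Constructed inputs; the point bytes are filler, not a valid public key.
FAKE_POINT = b"\x04" + b"\x11" * 64
NAMED_SPKI = _spki(ID_EC_PUBLIC_KEY, _tlv(0x06, _encode_oid(PRIME256V1)), FAKE_POINT)
# A minimal ECParameters SEQUENCE (version only). A real one also carries the
# fieldID, curve coefficients and base point that the vulnerable path decodes.
EXPLICIT_SPKI = _spki(ID_EC_PUBLIC_KEY, _tlv(0x30, _tlv(0x02, b"\x01")), FAKE_POINT)
RSA_SPKI = _spki(RSA_ENCRYPTION, _tlv(0x05, b""), b"\x30\x00")

if __name__ == "__main__":
    for label, spki in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI), ("rsa", RSA_SPKI)):
        print(label, ec_parameter_kind(spki), "accept" if spki_passes_curve_policy(spki) else "reject")
```

Run the check on the untrusted certificate bytes before they reach the TLS stack or X.509 parser; it only reads two outer SEQUENCEs and one OID, so it cannot itself wander into curve arithmetic.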
Reg reader blasts Virgin Media's email password policy • The Register
A Register reader has raised concerns over UK ISP Virgin Media's password policies after discovering he couldn't set a password longer than 10 characters or one that includes non-alphanumeric characters.
Our reader Nick told us he was facing repeated attempts to take control of an @virgin.net email account he owns – adding that the company's password policy left him vulnerable to what he described as a sustained brute-forcing attack.
Quantum computing cybersecurity research gets $715k grant • The Register
America's National Science Foundation has signaled yet again how important it thinks quantum computing is with a six-figure grant to Penn State.
The $715,000 grant is heading to Swaroop Ghosh, associate professor at Penn State School of Electrical Engineering and Computer Science. Ghosh plans to use the funding to close gaps in quantum computing security and create a post-secondary quantum computing curriculum.
Deere unlawfully withholds repair tools and info, FTC told • The Register
Twelve farm labor, advocacy, and repair groups filed a complaint last week with the US Federal Trade Commission claiming that agricultural equipment maker Deere & Company has unlawfully refused to provide the software and technical data necessary to repair its machinery.
The groups include National Farmers Union, Iowa Farmers Union, Missouri Farmers Union, Montana Farmers Union, Nebraska Farmers Union, Ohio Farmers Union, Wisconsin Farmers Union, Farm Action, the U.S. Public Interest Research Group, the Illinois Public Interest Research Group, the Digital Right to Repair Coalition, and iFixit.
Openness of Oracle licensing and audit tools questioned [Ed: Proprietary software has nothing to do with "openness"]
Oracle customers can only use its licensing tools after the company has started to talk to them about software audits or offered license advice. Meanwhile, third-party tools that have been verified by Oracle do not help users in terms of license compliance.
CISOs face 'perfect storm' of ransomware and state-supported cybercrime [Ed: This is primarily a Microsoft issue; ransomware affects Windows over 90% or over 95% of the time, depending on which company surveys that]
With not just ransomware gangs raiding network after network, but nation states consciously turning a blind eye to it, today's chief information security officers are caught in a "perfect storm," says Cybereason CSO Sam Curry.
AMD confirms Ryzen chips' stuttering performance on Windows 10, 11 [Ed: Windows is technically worse than GNU/Linux, but Microsoft makes up for it by bribing everyone and resorting to other forms of corruption]
AMD has confirmed there is a performance problem with some of its Zen-family processors and Microsoft's operating systems.
Reports of stuttering performance under Windows 10 and 11 on some Ryzen systems have been rumbling for a while now, and it appears the problem is lurking within the firmware Trusted Platform Module (fTPM) used in a number of AMD's chips.
Singapore uncovers four critical vulnerabilities in Riverbed software
Specifically, the insecure code is in Dynamic Sampling Agent, which is the collection component of AppInternals. Versions affected, according to a CVE record, include 10.x, versions prior to 12.13.0, and versions prior to 11.8.8. Aternity's advisory about the security holes is locked behind a customer login page. We've asked the vendor for more information.
Perfect Dark director leaves The Initiative [Ed: Microsoft kills everything it touches]
SAP community website leaks member data to savvy users [Ed: SAP is not a community but a malicious proprietary software company that leaks out details of its serfs]
A website for SAP's Customer Influence programs is exposing member data, creating the possibility for targeted social-engineering attacks.
At the time of publication, the website is no longer accessible.
The programs are designed to help customers and long-standing users make suggestions to SAP about how it can improve its products and add new features. Ideas for future development can be submitted, debated, and voted on before being taken up by the German software giant.
Google Maps stopped working properly for hours • The Register
Google Maps Platform services went missing for a few hours on Friday as various APIs fell over.
Around 0847 PDT (1547 UTC), users of Google Maps Platform services began reporting problems. These surfaced on crowdsourced reporting sites such as DownDetector.com and on the Maps Platform Status Page.
UK criminal defense lawyer hadn't patched when ransomware hit [Ed: Microsoft TCO in action]
Criminal defense law firm Tuckers Solicitors is facing a fine from the UK's data watchdog for failing to properly secure data that included information on case proceedings which was scooped up in a ransomware attack in 2020.
[...]
The Microsoft Exchange server was out of action and two days' worth of emails were lost, as detailed by the company blog at the time.
Kaspersky CEO says no evidence for German warning about his firm [Ed: With proprietary software there is never evidence because it is secret and thus, by default, untrustworthy. Germany should be banning all proprietary software, no matter its nationality.]
A warning by the German Federal Office of Information Security against the use of Kaspersky products had no technical advice or objective evidence to back it up, the chief executive of the Russian security firm says.
New US law: Cyberattacks to be reported within 72 hours [Ed: They wrongly assume that each attack means a breach; this is the Microsoft mindset because its software is unsafe by design.]
A US bill that would require critical infrastructure operators to report cyberattacks within 72 hours is headed to President Joe Biden's desk to be signed into law.
CafePress fined for covering up 2019 customer info leak [Ed: When you outsource your shop]
The FTC wants the former owner of CafePress to cough up $500,000 after the customizable merch bazaar not only tried to cover up a major computer security breach involving millions of netizens, it failed to safeguard customers' personal information.
In a complaint [PDF] filed against CafePress former owner Residual Pumpkin Entity and PlanetArt, which bought the platform in 2020, the FTC alleges multiple instances of shoddy security practices at the online biz. In a settlement proposed by the US watchdog, Residual Pumpkin will pay up the half-million dollars.
Azure flaw allowed users to control others' accounts [Ed: Only fools use clown computing. The biggest of fools choose Microsoft for that.]
Microsoft has acknowledged the existence of a flaw in its Azure cloud computing service that allowed users full access to other users' accounts.
The flaw was dubbed “AutoWarp” by Orca Security, which discovered and reported it.
The vulnerability only impacted users of the Azure Automation Service. That service allows Azure users to use PowerShell or Python to write runbooks that automate many actions within Azure. "Trigger automation from ITSM, DevOps and monitoring systems to fulfil requests and ensure continuous delivery and management," suggests Microsoft’s product info page.
The Automation Service doesn't let just anyone initiate actions on your Azure rig: you need to link it to a managed identity that has the relevant permissions.
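That linked managed identity is the blast radius: whoever can run a runbook, or obtain the identity's token, gets exactly its role assignments. A practitioner would want to confirm those are as narrow as the runbooks need. The audit below is an added example for this page, not Orca's or Microsoft's code; the record shape mirrors the JSON that `az role assignment list --assignee <principal-id>` returns (fields roleDefinitionName and scope are assumed to be present), and the sample assignments are constructed.

```python
"""Audit an Automation account's managed-identity role assignments.

Flags two things: broad built-in roles (Owner/Contributor/UAA) anywhere, and
any role granted at subscription, management-group or root scope.
"""
import json

BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_LEVELS = {"root", "managementGroup", "subscription"}


def scope_level(scope):
    """Map an Azure scope string to its level in the resource hierarchy."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if len(parts) >= 2 and parts[0] == "providers" and parts[1] == "Microsoft.Management":
        return "managementGroup"
    if parts[0] != "subscriptions":
        return "unknown"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def audit(assignments):
    """Return (role, scope, reason) for every assignment worth tightening."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        level = scope_level(scope)
        if role in BROAD_ROLES and level in BROAD_LEVELS:
            findings.append((role, scope, "broad role at broad scope"))
        elif role in BROAD_ROLES:
            findings.append((role, scope, "broad role; prefer a task-specific role"))
        elif level in BROAD_LEVELS:
            findings.append((role, scope, "narrow role but broad scope"))
    return findings


# Constructed sample, in the shape of `az role assignment list` output.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalId": "00000000-0000-0000-0000-000000000001",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"principalId": "00000000-0000-0000-0000-000000000001",
   "roleDefinitionName": "Virtual Machine Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-ops"}
]""")

if __name__ == "__main__":
    for role, scope, reason in audit(SAMPLE_ASSIGNMENTS):
        print(f"{reason}: {role} @ {scope}")
```

The second assignment is what a VM start/stop runbook actually needs; the first is the one that turns a leaked token into a tenant-wide problem.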
Microsoft patches critical remote-code-exec hole in Exchange Server and others [Ed: Far more coverage about local privilege escalation in Linux than "remote-code-exec" in Microsoft (yes, remote; you don't need a user account)]
Microsoft slides ads into Windows Insiders' File Explorer [Ed: How to make Windows users even more brainwashed and dumber]
Microsoft appears to be experimenting with more adverts in Windows 11 after eagle-eyed Insider users spotted helpful hints turning up in File Explorer.
Windows Insider Florian posted a screenshot of the ads, and other unpaid testers said they noticed similar hints lurking in the Dev Channel build, with one ad suggesting users visit Microsoft's Office website to look at PowerPoint templates.
Our sacrificial Dev Channel machine (currently running 22572.201 – yet another servicing pipeline test) does not show the messages, suggesting that Microsoft is performing some sort of A/B testing and we're simply not on the list.
Microsoft fixes OneDrive file reset bug on Windows • The Register
Lurking within this month's Patch Tuesday batch of updates is a fix for a Windows issue in which locally synchronized OneDrive data was not always deleted during a reset.
The bug, which turned up in the Windows release health dashboard in February, is an ironic one, considering the disastrous October 2018 rollout of Windows 10, which infamously gave users extra disk space by quietly wiping their data.
This latest issue, which hit both Windows 10 and 11, manifested for some users by letting locally synced OneDrive data linger even when a user selected the "remove everything" option during a reset. More seriously for administrators, the issue could also occur after a remote reset initiated by a Mobile Device Management (MDM) application (such as Intune, itself the subject of some news this week), thus defeating the point of the function.
