Pupils in Scotland struggle to get online amid Microsoft issue

Pupils across Scotland have been experiencing problems accessing Microsoft Teams as the majority move to home learning.

A number of schools, pupils and parents have reported the technology running slowly or not at all.

It is one of the main platforms being used for remote learning with schools shut until at least the beginning of February.

Create an Uptime Monitor for Your Websites With 'Upptime' Tool and GitHub [No Server Needed] [Ed: Debdut Chakraborty is propping up Microsoft's proprietary software monopoly; we should advise people to delete GitHub, not embrace "Extensions" and "Hooks"... otherwise we help Microsoft merely attack Free software with vendor lock-in and yet worse things.]

An Introduction to InnerSource[Ed: FOSSlife Team (LPI) is propping up a Microsoft-connected attack on FOSS]

Microsoft says [crackers] viewed source code as part of SolarWinds attack

Microsoft made the announcement as part of its investigation into findings last week, first reported by The Washington Post, that Russian [attackers] responsible for one of the biggest cyber incidents in U.S. history had compromised Microsoft cloud customers as part of the attack on IT company SolarWinds.

Microsoft Says Suspected Russian [Atackers] Viewed Source Code

Microsoft had previously said it, too, had received a malicious update of software from information technology provider SolarWinds Corp. that was used to breach government agencies and companies around the world. The details of the campaign are still largely unknown, including how many organizations were victimized and what was taken by the [crackers]. Bloomberg News reported in December that investigators have determined at least 200 organizations were attacked as part of the campaign.

SolarWinds [Crackers] Accessed Microsoft Source Code, Microsoft Says

Source code, the underlying set of instructions that run a piece of software or operating system, is typically among a technology company's most closely guarded secrets, and Microsoft has historically been particularly careful about protecting it.

It is not clear how much or what parts of Microsoft's source code repositories the [attackers] were able to access, but the disclosure suggests that the [attackers] who used software company SolarWinds as a springboard to break into sensitive U.S. government networks also had an interest in discovering the inner workings of Microsoft products as well.

SolarWinds [attackers] accessed Microsoft source code, the company says

It is not clear how much or what parts of Microsoft's source code repositories the [crackers] were able to access, but the disclosure suggests that the [attackers] who used software company SolarWinds as a springboard to break into sensitive U.S. government networks also had an interest in discovering the inner workings of Microsoft products as well.

SolarWinds [crackers] accessed Microsoft source code, the company says

Three people briefed on the matter said Microsoft had known for days that the source code had been accessed. A Microsoft spokesman said security employees had been working “around the clock” and that “when there is actionable information to share, they have published and shared it.”

Microsoft rushes out fix for critical Windows 10 bug

A new critical bug appears to have emerged in Windows 10, which is crashing some computers when they run the chkdsk command.

It appears that this bug is affecting Windows 10 running the latest update (December 2020), which was released by Microsoft to fix numerous problems. Instead, as Windows Latest reports, some users have found that when they run the Check Disk tool (also known as chkdsk), their PCs crash, and the dreaded Blue Screen of Death appears.

Microsoft Azure breach left thousands of customer records exposed

Thanks to questionable security practises by an app developer, more than half a million sensitive documents of its customers were exposed on the Internet. The documents were housed in an unprotected Microsoft Azure blob storage and could be viewed by anyone with the direct address of the files, without any kind of authentication.

Azure Blob storage is a feature of Microsoft Azure that allows users to store large amounts of unstructured data on Microsoft's data storage platform.

The unsecured blob was managed by Surrey-based app developer Probase and according to The Register, it contained 587,000 files, ranging from backed-up emails to letters, spreadsheets, screenshots, and more.

Security updates for Tuesday

Security updates have been issued by CentOS (kernel and thunderbird), Debian (openjdk-8 and webkit2gtk), Fedora (gdm, mingw-openjpeg2, and openjpeg2), Mageia (compat-openssl10, golang-googlecode-net, mbedtls, openssl, and virtualbox), openSUSE (ovmf and xen), Red Hat (kernel, mariadb-connector-c, mariadb:10.3, postgresql:10, and postgresql:9.6), and SUSE (ardana-cassandra, ardana-mq, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-openstack, grafana, influxdb, openstack-cinder, openstack-heat, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-ironic-python-agent, openstack-manila, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vpnaas, openstack-nova, python-Jinja2, python-pysaml2, python-pytest, python-urllib3, release-notes-suse-openstack-cloud, spark, ceph, crowbar-core, crowbar-openstack, grafana, influxdb, openstack-heat-templates, openstack-nova, python-Jinja2, firefox, java-1_7_0-ibm, java-1_7_1-ibm, PackageKit, and thunderbird).

But, what about root passwords?

If you’ve walked long enough into your enterprise identity management journey you might reach this question: How will root passwords be managed? Having centralized user and group IDs, your access policies—Host Based Access Control (HBAC) and Role Based Access Control (RBAC)—in Red Hat Identity Management (IdM) or any similar solution might still leave root passwords unmanaged.

[...]

While there is a resemblance in some of these examples and the public cloud’s approach in having no root password set, and shifting the privileged access to users other than root, there is one big difference. Many physical and virtual provisioning workflows for on-prem will include setting up a default root password for a variety of reasons, but those reasons are beyond the scope of this blog post.

Kali Linux: The Last 12 Months (2019/2020) & Looking forwards (2021)

As the end of the year is coming up (some may say not quickly enough), we want to take a few minutes and recap on our roadmap 2019/2020 post.

At a higher level, the last 12 months of Kali Linux (outside of the normal release items – e.g. packages updates), Kali has had various refreshes, switches and additional new features added.

Josh Bressers: Episode 248 – Door 23: How to report 1000 security flaws

Josh and Kurt talk about how to file 1000 security flaws. One is easy, scale is hard.

The State of Safety Certification of Platforms

A lot has been written about safety “certification” of platforms. As the number of applications involving human safety increases in markets such as avionics, automotive, industrial, etc., the importance of the functional safety certification of software that controls key functions has never been greater. There are several standards that govern the safety certification of software like DO-178, SEAL, ISO26262, and IEC61508. It is the best known and perhaps the most rigorous is the DO-178 standard that is governed by the FAA for commercial avionics software. A look “under-the-hood” into the process of safety certification reveals many interesting facts.

As the leader of an engineering team that is working on certifying code for deployment on big programs like the Joint Strike Fighter, I thought it would be interesting to share the next level of what is involved. Let me start with a datapoint. The average time to get a single line of source certified to DO-178 DAL A Standard (used for the most critical system functions in aircraft and helicopters) may take 2-3 hours. So, that means that every 2,000 lines of code takes one year to certify. How many applications these days have as little as 2,000 lines of code?

Google Blames Gmail, YouTube Outage on Error in User ID System

Google diagnosed a widespread outage that knocked out major services earlier this week, such as Gmail and YouTube, as a mistake with its system for identifying people online.

Alphabet Inc.’s Google has several tools that enable it to verify and track logged-in users. In October, the company began moving those tools to a new file storage system, and in the process misreported portions of the data, according to a Friday post. That caused several of its services to go down for 47 minutes Monday morning, a rare technical misstep.

Windows 10 updates cause CorsairVBusDriver BSOD crash loop

Microsoft has delivered a partial fix for this nagging Windows 10 bug

Microsoft has released a partial fix for a known issue affecting Windows 10 devices with certain audio drivers for Conexant and Synaptics devices. The issue has been under investigation since May this year.

Attackers in compromised US system at least since mid-2019: report

Malicious attackers, who were exposed as having hit a number of government and private sector entities through software made by Texas firm SolarWinds, appear to have gained access to that firm's network as early as mid-2019, Yahoo! News claims.

Suspected Russian [attack]: Was it an epic cyber attack or spy operation?

But for many current and former American officials, that’s not the right way to look at it. By [cracking] into dozens of corporations and government agencies, they say, the [crackers] have pulled off a stunning and distressing feat of espionage. But they note that it’s just the sort of cyber spying that the American National Security Agency attempts on a regular basis against Russia, China and any number of foreign adversaries.

It might constitute an attack if the intruders destroyed data, for example, or used their access to do damage in the physical world, say, by shutting down power grids. But breaking into unclassified government and corporate networks? Reading other people’s emails? That’s spying.

Exploiting a stack-based buffer overflow in practice

In my previous post, I detailed a fun method of obtaining root access on the Zyxel VMG8825-T50 router, which required physical access to the device and authenticated access to the web interface.

In this post, I will detail the exploitation of a vulnerability that could potentially result in unauthenticated RCE as root, given LAN access only. This vulnerability was also found on the VMG8825-T50 router, but it turns out to be present in multiple other Zyxel devices.