U.S. Government Announces Critical Warning For Microsoft Windows Users

The United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has gone public with a warning to Microsoft Windows users regarding a critical security vulnerability. By issuing the "update now" warning, CISA has joined the likes of Microsoft itself and the National Security Agency (NSA) in warning Windows users of the danger from the BlueKeep vulnerability.

This latest warning, and many would argue the one with most gravitas, comes hot on the heels of Yaniv Balmas, the global head of cyber research at security vendor Check Point, telling me in an interview for SC Magazine UK that "it's now a race against the clock by cyber criminals which makes this vulnerability a ticking cyber bomb." Balmas also predicted that it will only be "a matter of weeks" before attackers started exploiting BlueKeep.

The CISA alert appears to confirm this, stating that it has, "coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep." That it can confirm a remote code execution on Windows 2000 might not sound too frightening, this is an old operating system after all, it would be unwise to classify this as an exercise in fear, uncertainty and doubt. Until now, the exploits that have been developed, at least those seen in operation, did nothing more than crash the computer. Achieving remote code execution brings the specter of the BlueKeep worm into view as it brings control of infected machines to the attacker.

Netflix uncovers SACK Panic vuln that can bork Linux-based systems

Microsoft & Pentagon are quietly hijacking US elections (by Lee Camp)

Good news, folks! We have found the answer to the American rigged and rotten election system.
The most trustworthy of corporations recently announced it is going to selflessly and patriotically secure our elections. It’s a small company run by vegans and powered by love. It goes by the name “Microsoft.” (You’re forgiven for never having heard of it.)

The recent headlines were grandiose and thrilling:

“Microsoft offers software tools to secure elections.”

“Microsoft aims to modernize and secure voting with ElectionGuard.”

Could anything be safer than software christened “ElectionGuard™”?! It has “guard” right there in the name. It’s as strong and trustworthy as the little-known Crotch Guard™ – an actual oil meant to be sprayed on one’s junk. I’m unclear as to why one sprays it on one’s junk, but perhaps it’s to secure your erections? (Because they’ve been micro-soft?)

Netflix Researchers Just Fixed 4 Severe Linux And FreeBSD Vulnerabilities

Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

As Netflix's first security bulletin for 2019, they warned of TCP-based remote denial of service vulnerabilities affecting both Linux and FreeBSD. These vulnerabilities are rated "critical" but already being corrected within the latest Git code.

Microsoft Warns about Worm Attacking Exim Servers on Azure [Ed: Microsoft should also warn "customers" of Windows back doors for the NSA, but it does not (this one was patched ages ago; the Microsoft back doors aren't). Shouldn't Microsoft ask its proxies and partners, as usual, to come up with buzzwords and logos and Web sites for bugs in FOSS, then talk about how FOSS is the end of the world?]

The Highly Dangerous 'Triton' [Attackers] Have Probed the US Grid [Ed: It's Windows]

 

Over the past several months, security analysts at the Electric Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated [attackers] carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these [attackers], known as Xenotime—or sometimes as the Triton actor, after their signature malware—have a particularly dark history. The Triton malware was designed to disable the so-called safety-instrument systems at Saudi Arabian oil refinery Petro Rabigh in a 2017 cyberattack, with the apparent aim of crippling equipment that monitors for leaks, explosions, or other catastrophic physical events. Dragos has called Xenotime "easily the most dangerous threat activity publicly known."

A Researcher Found a Bunch of Voting Machine Passwords Online

A little more than a week ago, the Department of Homeland Security confirmed that it was going to forensically analyze computer equipment associated with part of the 2016 elections in North Carolina in association with questions about Russian hacking. The news prompted an information security researcher to announce that he’d found evidence of other election security issues in North Carolina last fall, which he’d kept quiet until now.

Chris Vickery, the director of cyber-risk research at UpGuard, a cybersecurity services firm, tweeted June 7 that he had found an unlocked online repository that contained what he said were passwords for touchscreen voting machines. The repository, he said, also contained other information, including serial numbers for machines that had modems, which theoretically could have allowed them to connect to the internet.

Vickery said that after he found the open repository in September 2018, he immediately told state officials, who locked the file. State officials have told Mother Jones that the passwords were nearly 10 years old and encrypted—a claim disputed by Vickery and a Democratic technology consultant in North Carolina—but admitted that the file shouldn’t have been publicly available online.

TPM now stands for Tiny Platform Module: TCG shrinks crypto chip to secure all the Things [Ed: Misusing the word "trust" to obliterate computer freedom and general-purpose computing]

The Trusted Computing Group (TCG), a nonprofit developing hardware-based cybersecurity tools, has started work on the "world's tiniest" Trusted Platform Module (TPM).

TPMs are silicon gizmos designed to protect devices by verifying the integrity of essential software – like firmware and BIOS − and making sure no dodgy code has been injected into the system prior to boot.

These are widely used to protect servers. Now TCG wants to adopt the technology for devices that are so small that the inclusion of a full TPM chip might be impractical due to cost, space and power considerations.

The first tiny TPM prototype, codenamed Radicle, was demonstrated last week at a TCG members' meeting in Warsaw, Poland.

[...]

We have to mention that for years, TCG and its TPMs were criticised by the open-source software community, which suspected the tech could be used for vendor lock-in – GNU father Richard Stallman called trusted computing "treacherous computing", but it looks like his worst fears have not come to pass.

That doesn't mean TPMs haven't seen their share of dark days: back in 2017, it emerged that security chips made by Infineon contained a serious flaw, with experts estimating that 25 to 30 per cent of all TPMs used globally were open to attack.

What Is a Buffer Overflow

A buffer overflow vulnerability occurs when you give a program too much data. The excess data corrupts nearby space in memory and may alter other data. As a result, the program might report an error or behave differently. Such vulnerabilities are also called buffer overrun.

Some programming languages are more susceptible to buffer overflow issues, such as C and C++. This is because these are low-level languages that rely on the developer to allocate memory. Most common languages used on the web such as PHP, Java, JavaScript or Python, are much less prone to buffer overflow exploits because they manage memory allocation on behalf of the developer. However, they are not completely safe: some of them allow direct memory manipulation and they often use core functions that are written in C/C++.

Any iPhone can be hacked

Apple’s so called secure iPhones can be turned over by US coppers using a service promoted by an Israeli security contractor.

Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it's calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3.

Cellebrite claims UFED Premium can extract files from many recent Android phones as well, including the Samsung Galaxy S9 but no-one ever called them secure and safe.

What is unusual is that Cellebrite is making  broad claims about turning over Apple gear. This is not a cat-and-mouse claim where they exploit a tiny flaw which one day might be fixed. It would appear that Cellebrite has its paw on a real howler.

Cellebrite Claims It Can Unlock ‘Any’ iPhone And iPad, 1.4 Billion Apple Devices Hackable

Israel-based Cellebrite has announced a new version of its system Universal Forensic Extraction Device (UFED) — UFED Premium — which is capable of unlocking any iPhone, high-end Android device, or an iPad.

The forensics company has suggested that UFED Premium is meant to help the police in unlocking iPhones and Android smartphones and getting data from locked smartphones.

Web-based DNA sequencers getting compromised through old, unpatched flaw

DnaLIMS is developed by Colorado-based dnaTools. It provides software tools for processing and managing DNA sequencing requests.

These tools use browsers to access a UNIX-based web server on the local network, which is responsible for managing all aspects of DNA sequencing.

A simple Google search shows that dnaLIMS is used by a number of scientific, academic and medical institutions.

Generrate Cryptographically Secure RANDOM PASSWORD

DMARC, mailing list, yahoo and gmail

Gmail was blocking one person’s email via our list (he sent that using Yahoo and from his iPhone client), and caused more than 1700 gmail users in our list in the nomail block unless they check for the mailman’s email and click to reenable their membership.

I panicked for a couple of minutes and then started manually clicking on the mailman2 UI for each user to unblock them. However, that was too many clicks. Suddenly I remembered the suggestion from Saptak about using JavaScript to do this kind of work. Even though I tried to learn JavaScript 4 times and failed happily, I thought a bit searching on Duckduckgo and search/replace within example code can help me out.

Tired of #$%& passwords? Single Sign-on could be savior

So how is single sign-on more secure, if Facebook is in charge? It's not, say security experts. "They’ve shown they can’t be trusted with our information," says Rudis.

Are SSO Buttons Like “Sign-in With Apple” Better Than Passwords?

Apple recently announced a new product that could prevent users from giving away their email ID to every other site on the internet. It’s expected to launch sometime later in 2019.

Called “Sign-in with Apple,” it is similar to other Single Sign-on services provided by Google and Facebook. The button lets you login to websites without creating a new user account every time.

App Makers Are Mixed on ‘Sign In With Apple’

But other app makers have mixed feelings on what Apple has proposed. I spoke to a variety of developers who make apps for iOS and Android, one of whom asked to remain anonymous because they aren’t authorized to speak on behalf of their employer. Some are skeptical that Sign In with Apple will offer a solution dramatically different from what’s already available through Facebook or Google. Apple’s infamous opacity around new products means the app makers don’t have many answers yet as to how Apple’s sign in mechanism is going to impact their apps. And one app maker went as far as referring to Apple’s demand that its sign-in system be offered if any other sign-in systems are shown as “petty.”

Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters

“This case was not an exception,” he wrote.

The Hong Kong police made their own move to limit digital communications. On Tuesday night, as demonstrators gathered near Hong Kong’s legislative building, the authorities arrested the administrator of a Telegram chat group with 20,000 members, even though he was at his home miles from the protest site.

Security News This Week: Telegram Says China Is Behind DDoS

As protests erupted in the streets of Hong Kong this week, over a proposed law that would allow criminal suspects to be extradited to mainland China, the secure messaging app Telegram was hit with a massive DDoS attack. The company tweeted on Wednesday that it was under attack. Then the app’s founder and CEO Pavel Durov followed up and suggested the culprits were Chinese state actors. He tweeted that the IP addresses for the attackers were coming from China. “Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception,” he added. As Reuters notes, Telegram was DDoSed during protests in China in 2015, as well. Hong Kong does not face the strict [Internet] censorship that exists in mainland China, although activists have expressed concern about increased pressure from Beijing on the region.

Nextcloud signs public letter, opposing German plan to force decryption of chat

Industry Watch: Of open source, data breaches and speed [Ed: And proprietary software is a lot less suitable for security and privacy purposes because there are surveillance 'features' disguised and back doors too]

Open-source software helps developers work faster and smarter, as they don’t have to ‘re-invent the wheel’ every time create an application. They just need to be sure the license attached to that software allows them to use the component the way they want. They also need to stay on top of that application, so if the component changes, or an API changes, their application isn’t affected and they are still in compliance.

Data protection is also something organizations must get serious about. While the GDPR only affects users in the European Union, it’s only a matter of time before those or similar regulations are in place in the U.S. and elsewhere. Companies should get a jump on that by doing a thorough audit of their data, to know they are prepared to be compliant with whatever comes down from the statehouses or from Washington, D.C.

On the speed side, the benefits of Agile and DevOps are clear. These methodologies enable companies to bring new software products to market faster, with the result of getting a jump on the competition, working more efficiently and ultimately serving your customers.

Unfortunately, these efforts are usually done by different teams of developers, database administrators and security experts. If the Equifax and Facebook breaches have taught us anything, it’s that you can’t expect developers to be security experts, and you can’t expect DB admins to understand the ramifications on the business when data is misunderstood.

It will take a coordinated approach to IT to achieve business goals while not leaving the company — and its IP and PII data — exposed.

VLC patches critical flaws through EU open source bug bounty program

More than 30 security issues have been fixed in VLC, the popular open source media player, with developers praising an EU-funded bug bounty program for helping produce its most secure update yet.

VLC media player, created by the software non-profit VideoLAN, was found to have 33 vulnerabilities within various versions, including two that were considered critical.

An out-of-bounds write was one of the severe vulnerabilities found to affect all VLC versions, and a stack buffer overflow was also discovered in VLC 4.0.

Less severe vulnerabilities consisted of out-of-band reads, heap overflows, NULL-dereference, and use-after-free bugs.

An updated version, VLC 3.0.7, has since been released for users to download.

VLC Player Gets Patched for Two High Severity Bugs

Asigra FreeNAS plugin brings open source data protection [Ed: Some openwashing of proprietary software]

Asigra is trying to capture FreeNAS users with a free-to-try plugin version of its backup software.

The Asigra FreeNAS plugin released this week allows customers to turn their iXsystems FreeNAS storage systems into backup targets. It encrypts and deduplicates data before it is sent to the FreeNAS system. The plugin also detects and quarantines malware and ransomware so that it doesn't get backed up.

TrueCommand Brings Single Pane of Glass Management to TrueNAS and FreeNAS Fleets

WSO2 and Ping Identity Partner to Provide Comprehensive, AI-Powered Cyber-Attack Protection for APIs

The Open Source Cookbook: A Baker’s Guide to Modern Application Development

Let’s begin our cookbook by selecting our recipe. I’ve had some phenomenal baked goods, and I’ve had some not-so-phenomenal baked goods (there is rarely a bad baked good). But I’ve been surprised before, by a croissant from a diner that didn’t taste like the one from the local French bakery, or by a buttercream frosting at a supermarket that just didn’t have the same delicate touch as the one I make at home. In each case, I expected the same as I had before – by title – yet encountered a much different experience. When selecting your recipes, it’s important to understand which type of a particular food you are expecting to make, or you may be met with a different taste when you finish than you were hoping for when you began.

[...]

As with cooking, when incorporating open source components into applications, it’s important to understand origin and evolution of what you’re baking into your software. Carefully review your open source component versions, and evaluate the community’s activity in order to have the greatest chance possible to predict the possible technical debt you may inherit.