Category Archives: Technology Lab

Microsoft bringing EMET back as a built-in part of Windows 10

The new security analytics dashboard. (credit: Microsoft)

The Windows 10 Fall Creators Update will include EMET-like capabilities managed through a new feature called Windows Defender Exploit Guard.

Microsoft's EMET, the Enhanced Mitigation Experience Toolkit, was a useful tool for hardening Windows systems. It used a range of techniques—some built into Windows, some part of EMET itself—to make exploitable security flaws harder to reliably exploit. The idea was that, even if coding bugs occur, turning those bugs into actual security issues should be made as difficult as possible.

With Windows 10, however, EMET's development was essentially cancelled. Although Microsoft made sure the program ran on Windows 10, the company said that EMET was superfluous on its latest operating system. Some protections formerly provided by EMET had been built into the core operating system itself, and Windows 10 offered additional protections far beyond the scope of what EMET could do.


Ohio Gov. Kasich’s website, dozens of others defaced using year-old exploit


The official website of Ohio Governor John Kasich and the site of Ohio First Lady Karen Kasich were defaced on June 25 by a group calling itself Team System DZ. The group is a known pro-Islamic State "hacktivist" group that has repeatedly had its social media accounts suspended for posting IS propaganda videos and other activity. Kasich's site was but one of a number of state and local government websites that were hijacked by Team System DZ early this week, all of which had one thing in common: they were running on an outdated version of the DotNetNuke (DNN) content management platform.

DNN Platform is a popular content management system (particularly with state and local governments) based on Windows Server and the ASP.NET framework for Microsoft Internet Information Server. DNN Platform is open source and available for free—making it attractive to government agencies looking for something low cost that fits into their existing Windows Server-heavy organizations. A review of the HTML source of each of the sites attacked by Team System DZ showed that they were running a vulnerable version of the content management system DNN Platform—version 7.0, which was released in 2015.

A critical security update issued by DNN in May of 2016 warned that an attacker could exploit vulnerabilities to create new "superuser" accounts through the content management system, giving them unfettered remote access to modify websites. DNN urged customers to upgrade to the latest version of the software at the time. A May 2015 alert also warned that an attacker could use the software's Installation Wizard page for some server configurations to create new user accounts on the Windows Server host.


A new ransomware outbreak similar to WCry is shutting down computers worldwide

This is the note that's left on computers infected by PetyaWrap. (credit: Eset)

A new ransomware attack similar to last month's self-replicating WCry outbreak is sweeping the world with at least 80 large companies infected, reportedly including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 2,000 computers, according to one security company.

PetyaWrap, as some researchers are calling the ransomware, uses the same potent National Security Agency exploit that allowed WCry to paralyze hospitals, shipping companies, and train stations in a matter of hours on May 12. EternalBlue, as the exploit was code-named by its NSA developers, was published in April by a still-unknown group calling itself the Shadow Brokers. The leak gave people with only moderate technical skills a powerful vehicle for delivering virtually any kind of digital warhead. Microsoft patched the underlying vulnerability in Windows 7 and 8.1 in March, and in a rare move the company issued fixes for unsupported Windows versions 24 hours after the WCry outbreak. That meant infections were only possible on machines that were running outdated versions of the OS.

While some researchers said PetyaWrap was a new version of the long-established Petya ransomware, researchers from antivirus provider Kaspersky Lab said that preliminary findings showed it was, in fact, a new piece of malware that had never been seen before. Kaspersky said that at least 2,000 computers that use its AV products had already been attacked by it.


Comcast and Charter could invest in Sprint’s network, resell Sprint data

(credit: Mike Mozart)

Comcast and Charter have reportedly started negotiating with Sprint, as the two biggest cable companies in the US explore the possibility of buying the wireless carrier or investing in its network.

Comcast and Charter last month announced an agreement to cooperate in their plans to sell mobile phone service, an agreement that also forbids each company from making wireless acquisitions and investments without the other's consent for one year. Yesterday, The Wall Street Journal reported that "Sprint has entered into exclusive talks with Charter Communications Inc. and Comcast Corp. as the cable companies explore a deal that could bolster their plans to offer wireless service, according to people familiar with the matter."

There are a couple of different arrangements being considered. In one, the cable companies would invest in "improving Sprint’s network in exchange for favorable terms to offer wireless service using the carrier’s network," possibly by taking an equity stake.


Google must stop demoting competitors in search results, EU rules

(credit: John Thys/AFP/Getty Images)

Google has been gut-punched by the European Commission for abusing its search monopoly to squeeze out other players on the Web. Europe's competition commissioner, Margrethe Vestager, had been expected to hit Google with a fine of around €1 billion, but the actual number is far larger: €2.42 billion, the largest anti-monopoly fine ever issued.

In addition to the fine, Google will be required to change its search algorithm so that every competing service is fairly crawled, indexed, ranked, and displayed. If Google fails to remedy its anti-competitive conduct within 90 days, it will face daily penalty payments of up to 5 percent of the daily worldwide turnover of Google's parent company, Alphabet. The commission's full statement on the decision makes for quite damning reading.

Google, as reported by the AFP news agency, "respectfully disagrees" with the EU's fine and is considering an appeal. We have asked Google for comment and will update this story when it responds.


Latest high-severity flaw in Windows Defender highlights the dark side of AV

(credit: Microsoft)

Microsoft recently patched a critical vulnerability in its ubiquitous built-in antivirus engine. The vulnerability could have allowed attackers to execute malicious code by luring users to a booby-trapped website or attaching a booby-trapped file to an e-mail or instant message.

A targeted user who had real-time protection turned on wasn't required to click on the booby-trapped file or take any action other than visiting the malicious website or receiving the malicious e-mail or instant message. Even when real-time protection was off, malicious files would be executed shortly after a scheduled scan started. The ease of exploitation was the result of the vulnerable x86 emulator not being protected by a security sandbox and being remotely accessible to attackers by design. That's according to Tavis Ormandy, the Google Project Zero researcher who discovered the vulnerability and explained it in a report published Friday.

Ormandy said he identified the flaw almost immediately after developing a fuzzer for the Windows Defender component. Fuzzing is a software testing technique that locates bugs by subjecting an application to corrupted data and other types of malformed or otherwise unexpected input.


Skylake, Kaby Lake chips have a crash bug with hyperthreading enabled

A Kaby Lake desktop CPU, not that you can tell the difference in a press shot. (credit: Intel)

Under certain conditions, systems with Skylake or Kaby Lake processors can crash due to a bug that occurs when hyperthreading is enabled. Intel has fixed the bug in a microcode update, but until and unless you install the update, the recommendation is that hyperthreading be disabled in the system firmware.

All Skylake and Kaby Lake processors appear to be affected, with one exception. While the brand-new Skylake-X chips still contain the flaw, their Kaby Lake X counterparts are listed by Intel as being fixed and unaffected.

Systems with the bad hardware will need the microcode fix. The fix appears to have been published back in May, but, as is common with such fixes, there was little to no fanfare around the release. The nature of the flaw and the fact that it has been addressed only came to light this weekend courtesy of a notification from the Debian Linux distribution. This lack of publicity is in spite of all the bug reports pointing to the issue—albeit weird, hard-to-pin-down bug reports, with code that doesn't crash every single time.


Some beers, anger at former employer, and root access add up to a year in prison

(credit: Alan Stanton)

The Internet of Things' "security through obscurity" has been proven once again to not be terribly secure thanks to an angry and possibly inebriated ex-employee. Adam Flanagan, a former radio frequency engineer for a company that manufactures remote meter reading equipment for utilities, was convicted on June 15 in Philadelphia after pleading guilty to two counts of "unauthorized access to a protected computer and thereby recklessly causing damage." Flanagan admitted that after being fired by his employer, he used information about systems he had worked on to disable meter reading equipment at several water utilities. In at least one case, Flanagan also changed the default password to an obscenity.

Flanagan's employer was not named in court documents. According to a plea agreement filing, Flanagan worked on a team that installed tower gateway base stations (TGBs)—communications hubs mounted on poles distributed across a utility's service area to communicate with smart meters. His work was apparently not up to his former employer's standards, however. In March of 2013, he received a poor annual performance review and was placed on a "performance improvement plan." He failed to meet expectations and was terminated in November of 2013.

Over the next few months, TGBs that Flanagan's employer had installed for a number of municipal water departments "developed problems," the Justice Department's sentencing memo stated. In December of 2013, employees of the water authority in Kennebec, Maine, found they couldn't connect to the utility's TGBs. This was a system Flanagan had installed, but the problems could not be directly attributed to him because the logs for the system weren't checked until February of 2014. By then, data from December had already been purged.


Ringless voicemail spam won’t be exempt from anti-robocall rules

The FCC was asked to decide whether this ringless voicemail technology should be subject to anti-robocall rules. (credit: Stratics Networks)

A petition to exempt ringless voicemails from anti-robocall rules has been withdrawn after heavy opposition.

In March, a marketing company called All About the Message petitioned the Federal Communications Commission for a ruling that would prevent anti-robocall rules from applying to ringless voicemails. But the company withdrew its petition without explanation in a letter to the FCC last week, even though the commission hadn't yet ruled on the matter.

As the name suggests, a ringless voicemail is the delivery of a voice message to a voicemail box without ringing the recipient's phone. The now-withdrawn petition asked the FCC to declare that this type of message does not count as a "call" under the Telephone Consumer Protection Act (TCPA), which prohibits non-emergency calls made with auto-dialers, artificial voices, or prerecorded voices without the "prior express consent of the called party."


32TB of Windows 10 beta builds, driver source code leaked [Updated]

(credit: Rural Learning Center)

32TB of unreleased, private Windows 10 builds, along with source code for certain parts of the driver stack, have been leaked to BetaArchive, reports The Register.

The dump appears to contain a number of Windows 10 builds from the development of the release codenamed Redstone 2. Redstone 2 was released earlier this year, branded as the Creators Update.

Some of these builds are said to include private debug symbols. Microsoft routinely releases debug symbols for Windows; the symbols contain additional information not found in the compiled Windows binaries that helps software developers identify which functions their code is calling. The symbols normally released are public symbols; while they identify many (though not all) functions and data structures, they don't contain information about each function's variables or parameters. The private symbols, in contrast, contain much more extensive information, giving much more insight into what each piece of code is doing and how it's doing it.
