Thursday, March 29, 2018

Fixing a vulnerability is NOT supposed to make it go from BAD to WORSE - A security researcher found that Microsoft's Meltdown fixes for Windows 7 PCs—the original flaw could allow attackers to read kernel memory at a speed of 120 KBps—now allow attackers to read the same kernel memory at Gbps speeds, making the issue even worse on Windows 7 PCs and Server 2008 R2 boxes.




The discovery is the latest issue surrounding the Meltdown and Spectre patches, which have sometimes turned out to be incomplete and sometimes broken, causing problems such as spontaneous reboots and other 'unpredictable' system behavior on affected PCs.

All an attacker has to do is write their own Page Table Entries (PTEs) into the page tables in order to access arbitrary physical memory.


https://thehackernews.com/2018/03/microsofts-meltdown-vulnerability.html

Wednesday, March 28, 2018

Your Mac could be storing your Disk encryption password in the System Log!!! (Password Bug #3)

Previously,
Bug#1 - Mac used your password as your password hint.

Bug#2 - Trying to log on as root with a blank root password would inadvertently enable the root account, and leave it enabled with no password.

https://nakedsecurity.sophos.com/2018/03/28/yet-another-apple-password-leak-how-to-avoid-it/

Tuesday, March 27, 2018

Did you know that you can fool the Apple Camera app with a malicious QR code?



The article in the link below includes a QR code you can test this with.

The camera app's URL parser has trouble detecting the hostname in the URL embedded in that QR code.

Imagine someone popping codes on posters on public transit, banks, shops, cafes, and so on, that pretend to lead to a legit website, but really go to password-collecting fake sites, or malicious pages that attempt to download and run malware.

This issue was reported to the Apple security team on December 23, 2017 and as of Monday remained unfixed.

https://www.theregister.co.uk/2018/03/27/apple_ios_camera_app_qr_codes

Microsoft might BAN you for offensive language (in Xbox, Skype, Office or if Cortana thinks it heard it)



Now, what would be considered offensive language? And what would they do if I used a word from a foreign language that happens to sound offensive in English?

The ban hammer could also fall if Cortana is listening at the wrong moment or if documents and files hosted on Microsoft services violate Microsoft’s amended terms

Offensive language is fairly vague. Offensive to whom? What my granny might find offensive and what I might find offensive could be vastly different. But how would Microsoft even know if you had truly been “offensive”? Well, that part falls under Code of Conduct Enforcement, which states, “When investigating alleged violations of these Terms, Microsoft reserves the right to review Your Content in order to resolve the issue.”

Microsoft did add, “However, we cannot monitor the entire Services and make no attempt to do so.”

I’m not sure that will make you feel better, as another portion states that Microsoft “may also block delivery of a communication (like email, file sharing or instant message) to or from the Services in an effort to enforce these Terms or we may remove or refuse to publish Your Content for any reason.”


https://www.csoonline.com/article/3264658/privacy/microsoft-to-ban-offensive-language-from-skype-xbox-office-and-other-services.amp.html

Did you know: 20% of web traffic comes from bad bots, about 74% of them can evade detection, and account takeover attacks occur two to three times per month on the average website.




  • Gambling companies and airlines suffer from higher proportions of bad bot traffic than other industries, at 53.1% and 43.9% respectively.
  • About 74% of bad bot traffic is made up of moderate or sophisticated bots, which evade detection by distributing their attacks over multiple IP addresses or simulating human behavior such as mouse movements and mobile swipes.
  • E-commerce, healthcare and ticketing websites meanwhile suffer from highly sophisticated bots, which are difficult to detect.


https://www.infosecurity-magazine.com/news/bad-bots-make-up-a-fifth-of-all/
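As an added illustration of the detection problem behind those numbers (example code written for this post, not from the linked article): a per-IP failure counter catches the noisy bot, but the "moderate" bots that spread an account-takeover run over many addresses never trip it, so the detector below also looks at the aggregate failure count and IP spread inside a time window. The log format, the thresholds, the window size and the sample log lines are all constructed for the demonstration.

```python
"""Spotting account-takeover attempts in login logs: a per-IP counter catches
a noisy brute-forcer, while distributed (low-and-slow) credential stuffing is
caught only by looking at the aggregate inside a time window.

Added example, not from the linked article. Log format, thresholds and the
sample lines are all constructed for this demonstration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> <client IP> <username> <OK|FAIL>"
# alice mistypes twice (benign); eight addresses each fail once against a
# different account (distributed stuffing); one address hammers judy's account.
SAMPLE_LOG = """\
2018-03-27T10:00:01 203.0.113.5 alice FAIL
2018-03-27T10:00:09 203.0.113.5 alice FAIL
2018-03-27T10:00:15 203.0.113.5 alice OK
2018-03-27T10:02:00 198.51.100.10 bob FAIL
2018-03-27T10:02:11 198.51.100.11 carol FAIL
2018-03-27T10:02:23 198.51.100.12 dave FAIL
2018-03-27T10:02:35 198.51.100.13 erin FAIL
2018-03-27T10:02:47 198.51.100.14 frank FAIL
2018-03-27T10:02:59 198.51.100.15 grace FAIL
2018-03-27T10:03:10 198.51.100.16 heidi FAIL
2018-03-27T10:03:22 198.51.100.17 ivan FAIL
2018-03-27T10:20:00 192.0.2.99 judy FAIL
2018-03-27T10:20:03 192.0.2.99 judy FAIL
2018-03-27T10:20:06 192.0.2.99 judy FAIL
2018-03-27T10:20:09 192.0.2.99 judy FAIL
2018-03-27T10:20:12 192.0.2.99 judy FAIL
2018-03-27T10:20:15 192.0.2.99 judy FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, ip, user, outcome = match.groups()
            records.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return records


def detect(records, window=timedelta(minutes=5), per_ip_limit=5,
           min_failures=8, min_ips=6):
    """Slide a window over the failed logins and apply two rules."""
    failures = sorted(r for r in records if not r[3])
    brute_force_ips = set()
    widest_spread = 0  # most distinct IPs seen in a window that looked distributed
    for start in range(len(failures)):
        t0 = failures[start][0]
        in_window = [r for r in failures[start:] if r[0] < t0 + window]
        per_ip = Counter(r[1] for r in in_window)
        # Rule 1: one address hammering the login form.
        for ip, n in per_ip.items():
            if n > per_ip_limit:
                brute_force_ips.add(ip)
        # Rule 2: many failures overall, spread so thinly that no single
        # address crosses the per-IP limit. Rule 1 never fires on these.
        if (len(in_window) >= min_failures and len(per_ip) >= min_ips
                and max(per_ip.values()) <= per_ip_limit):
            widest_spread = max(widest_spread, len(per_ip))
    return {
        "brute_force_ips": sorted(brute_force_ips),
        "distributed": widest_spread > 0,
        "distributed_ips": widest_spread,
    }


def analyze(text=SAMPLE_LOG):
    """Parse and run both rules over a log; returns the alert summary."""
    return detect(parse_log(text))


if __name__ == "__main__":
    print(analyze())
```

On the sample log the result is one brute-force address (192.0.2.99) plus a distributed alert spanning nine addresses; alice's two typos alone would never cross either threshold. In practice the window, the per-IP limit and the spread threshold are tuned per site, and the distributed rule is the one that needs the most care, because it is the only one the "moderate" bots described above cannot dodge by simply adding more proxies.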

Monday, March 26, 2018

You know DevOps, do you know Secure DevOps - Get this free poster from SANS

IMPORTANT - Let's say you are smart and use your phone for 2-step SMS authentication, but you can still be vulnerable because of "Number Port-out Scams"



“You may not know this has happened until you notice your mobile device has lost service.” “Then, you may notice loss of access to important accounts as the attacker changes passwords, steals your money, and gains access to other pieces of your personal information.”

Identity thieves can “port” your mobile number out to another provider. Once in control of the mobile number, thieves can request any second factor that is sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud.

Fraudsters can call a customer service specialist at a mobile provider and pose as the target, providing the mark’s static identifiers like name, date of birth, social security number and other information. Often this is enough to have a target’s calls temporarily forwarded to another number, or ported to a different provider’s network.


https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/

5-year-old vulnerability exploited by cryptominer - The common-sense approach is to patch all Internet-facing systems and isolate (or semi-isolate) internal systems if they can't be patched.




A security vulnerability that is nearly 5 years old has now become the favorite tool of hackers as they are using it to infect Linux servers with crypto mining malware. The vulnerability that is being exploited in this cryptojacking campaign is classified as CVE-2013-2618. The miner is an altered XMRig tool, which is a legitimate, open-source Monero miner.

It is basically a flaw that was identified years ago (in April 2013), in Cacti’s Network Weathermap plug-in.

The key targets of this campaign are publicly accessible x86-64 Linux webservers, while the scope of the attack is not limited to any single destination since webservers across the globe are being targeted. Japan, China, Taiwan and the US are identified as the top targets.

https://www.hackread.com/vulnerability-used-for-monero-mining-on-linux-servers/

Friday, March 23, 2018

Android users - Don't fall prey to the new malware that shows up as a QR-reading utility in the App Store


This malware not only pops up advertising web pages, but can also send Android notifications, including clickable links, to lure you into generating ad revenue for the criminals.

First, the apps were, at least on the surface, what they claimed: six were QR code reading apps; one was a so-called “smart compass”.

Second, the crooks didn’t fire up the adware part of their apps right away, lurking innocently for a few hours before unleashing a barrage of ads.

Third, the adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app.



https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities/

In case you have Expedia/Orbitz account - Keep an eye on your credit card statements




The unauthorised intruders may have accessed the personal data of approximately 880,000 customers, including the following information:
  • customers’ payment card details
  • customers’ full names
  • customers’ dates of birth
  • customers’ gender
  • customers’ email addresses
  • customers’ physical addresses
  • customers’ billing addresses
  • customers’ phone numbers

The data is said to be related to purchases made in the first six months of 2016 for Orbitz platform customers, and between January 1 2016 and December 22 2017 for “certain partners’ customers.”


https://www.tripwire.com/state-of-security/security-data-protection/orbitz-data-breach/

Thursday, March 15, 2018

AMD Flaw - Result of simple programming flaws, unclear security boundaries, and insufficient security testing.



  • All exploits require the ability to run an executable as admin (no physical access is required)
  • MASTERKEY additionally requires issuing a BIOS update + reboot


Potential technical impact

  • Code execution in the PSP and SMM (no visibility to typical security products)
  • Persistence across OS reinstallation and BIOS updates
  • Block or infect further BIOS updates, or brick the device
  • Bypass Windows Credential Guard
  • Bypass Secure Encrypted Virtualization (SEV)
  • Bypass Secure Boot
  • Bypass or attack security features implemented on top of the PSP (e.g., fTPM)

Wednesday, March 14, 2018

Try to make a few extra bucks, before disclosing that your company has been breached. (not good)



A former Equifax executive, who sold nearly $1 million worth of shares before the company’s massive data breach was made public, has been charged with insider trading.

According to the SEC’s complaint, Jun Ying, who was next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach.

https://www.grahamcluley.com/ex-equifax-exec-charged-with-insider-trading-after-selling-1-million-worth-of-stock-before-data-breach-disclosure/

Are you ready for TLS 1.3?


It is faster and more secure than 1.2 and drops support for obsolete ciphers and algorithms:
  • RC4 Stream Cipher
  • RSA Key Transport
  • SHA-1 Hash Function
  • CBC Mode Ciphers
  • MD5 Algorithm
  • Various Diffie-Hellman groups
  • EXPORT-strength ciphers
  • DES
  • 3DES
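A practical way to use that list is to audit the cipher string in an existing server configuration against it, and to make clients refuse anything older than 1.3. The code below is an added example (not from this post): the LEGACY_CIPHERS string is constructed to look like an old web-server config, suite names follow OpenSSL naming, and the "various Diffie-Hellman groups" item is left out because a suite name does not reveal which DH group a server negotiates.

```python
"""Audit an OpenSSL-style cipher list against the things TLS 1.3 drops, and
build a client context that refuses anything older than TLS 1.3.

Added example, not from the post. The LEGACY_CIPHERS string is constructed
to look like an old server configuration; suite names follow OpenSSL naming.
"""
import ssl

# A constructed legacy cipher list, the kind still found in old web-server configs.
LEGACY_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA:"
                  "DES-CBC3-SHA:DES-CBC-SHA:RC4-MD5:EXP-RC4-MD5:ECDHE-RSA-CHACHA20-POLY1305")

AEAD_MODES = {"GCM", "CCM", "CCM8", "POLY1305"}  # TLS 1.3 only keeps AEAD ciphers


def legacy_reasons(suite):
    """Return the reasons (from the list above) why a suite has no place in TLS 1.3."""
    if suite.startswith("TLS_"):
        return []  # TLS 1.3 suites (TLS_AES_128_GCM_SHA256 etc.) are fine by definition
    parts = suite.split("-")
    reasons = []
    if parts[0].startswith("EXP"):
        reasons.append("EXPORT-strength cipher")
    if "ECDHE" not in parts and "DHE" not in parts:
        reasons.append("RSA key transport")  # static RSA key exchange, no forward secrecy
    if "RC4" in parts:
        reasons.append("RC4 stream cipher")
    if "CBC3" in parts:
        reasons.append("3DES")  # OpenSSL spells 3DES as DES-CBC3-SHA
    elif "DES" in parts and "CBC" in parts:
        reasons.append("DES")
    if any(p.startswith("AES") for p in parts) and not AEAD_MODES & set(parts):
        reasons.append("CBC mode cipher")  # AES without an AEAD mode is AES-CBC
    if parts[-1] == "MD5":
        reasons.append("MD5 algorithm")
    elif parts[-1] == "SHA":
        reasons.append("SHA-1 hash function")
    return reasons


def audit(cipher_list):
    """Map every suite in an OpenSSL cipher string to its legacy reasons ([] = acceptable)."""
    return {suite: legacy_reasons(suite) for suite in cipher_list.split(":") if suite}


def surviving_suites(cipher_list):
    """The suites an auditor would keep; everything else goes when moving to TLS 1.3."""
    return [s for s, why in audit(cipher_list).items() if not why]


def tls13_only_context():
    """Client context that will not negotiate below TLS 1.3 (needs OpenSSL 1.1.1+)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def enforces_tls13(ctx):
    """True if the context's floor is TLS 1.3."""
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_3


if __name__ == "__main__":
    for suite, why in audit(LEGACY_CIPHERS).items():
        print(f"{suite:32} {'OK' if not why else ', '.join(why)}")
    print("TLS 1.3 only:", enforces_tls13(tls13_only_context()))
```

Run against the constructed list, only the two AEAD, forward-secret suites survive; everything else is flagged with the exact items from the list above, which is a convenient way to explain to a server owner why the cipher string has to shrink. The audit recognises OpenSSL-style names only; IANA names (TLS_RSA_WITH_AES_128_CBC_SHA) would need a second parser.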


MS Patch Tuesday - 15 marked critical. - My three most important pieces of advice - Patch, Patch, Patch



One of the most significant patches was for a vulnerability in Microsoft's Credential Security Support Provider protocol (CredSSP) which could allow a hacker to gain control of a domain server and other systems in the network.

Microsoft also patched a remote code execution flaw in Windows Shell that requires the user to download and open a malicious file in order to exploit it along with Meltdown and Spectre patches covering 32-bit versions of Windows 7 and 8.1, as well as Server 2008 and 2012.

https://www.scmagazine.com/this-months-patch-tuesday-fixed-bug-that-could-exploit-authentication-in-microsoft-remote-desktop-protocol/article/750777/

Friday, March 9, 2018

"Coffeeminer" - Not a new Starbucks menu item. - An open-source toolkit that will inject rogue cryptomining code into Wi-Fi traffic automatically. Before you think it is OK, you should know the difference between "Cryptomining" and "Cryptojacking"



Cryptomining – performing the zillions of cryptographic calculations you need to earn hot-topic cryptocurrencies such as Bitcoin, Monero or Ethereum – is a massive global industry these days

Cryptojacking - Get familiar with this term as it might start showing up in the news.
Break into someone’s network and install cryptomining software onto their computers so you can steal their electricity and CPU power – laptops are good, servers are better, and supercomputers are the best of all.

There’s even a malware family known as WannaMine – a portmanteau name that borrows the “Wanna” from the exploit-based spreading technique of the WannaCry ransomware worm, and “Mine” from, well, from the process of cryptomining.


Cryptojacking is a clear and present danger:
  1. There’s a reputational cost. What else did the crooks implant during the breach?
  2. There’s a regulatory cost. What happens after you report the breach, which you’ll need to do?
  3. There’s an opportunity cost. How many customers couldn’t access your services because the crooks were using all your processing power?



https://nakedsecurity.sophos.com/2018/03/09/cryptomining-versus-cryptojacking-whats-the-difference/

Wednesday, March 7, 2018

2018 is a bad year for Intel - SGX can help attackers hide and execute malware without requiring any root privileges, or operating system modifications



Schwarz says his malware does not exploit any vulnerability in SGX. Rather it takes advantage of the fact that Intel considers software-based side-channel attacks on SGX as not possible and therefore out of scope. Side channel attacks gather and use information about some aspect of a system's physical operation to attack and expose sensitive data.

SGX is a security mechanism that Intel introduced with its Skylake processor architecture. It is designed to protect code and data from leaks and disclosure. As Schwarz notes in a technical paper, SGX uses secure enclaves working in hardware-isolated memory areas to protect application secrets from hardware attacks. Such enclaves can be used to securely store hardware-encrypted passwords, password managers, cryptographic keys, bitcoin wallets, and other secrets.

The exploit against SGX itself is harder to mount than a regular zero-day exploit, Schwarz concedes. But for someone with a background in micro-architectural attacks, it is perfectly doable.

https://www.darkreading.com/vulnerabilities---threats/intel-sgx-can-be-used-to-hide-execute-malware/d/d-id/1331211?

Did your Oculus Rift headset stop working? Minor issue, they just forgot to renew a certificate before it expired (really ???)




Someone at Oculus screwed up pretty badly today: An expired certificate appears to have soft-bricked all of the company’s Rift VR headsets, with users still unable to fire up software on the devices and no word of an incoming fix from the company yet.

The embarrassing issue has left the company’s flagship device unusable. This comes as the company continues to deliver major software updates that it announced at its most recent developer conference.

https://techcrunch.com/2018/03/07/all-of-oculuss-rift-headsets-have-stopped-working-due-to-an-expired-certificate/

Alexa laughs - Why is it creepy? I thought it was due to an extra dose of AI



Your Alexa-enabled device may lapse into a sudden fit of giggles


But reported situations of unprompted laughter in silent homes are obviously quite creepy. Some users have resorted to unplugging their Echo devices to ensure that Alexa cannot interject anything, ominous or not.

https://arstechnica.com/gadgets/2018/03/unprompted-creepy-laughing-from-alexa-is-freaking-out-echo-users/

Tuesday, March 6, 2018

Cars with Internet bring Internet related risks to cars - Are the car manufacturers ready for the challenge?



Many parts of cars — like the accelerator pedal or the turn signal — are designed to feel mechanical despite being run by tiny microprocessors that are connected through a network within the vehicle. Even so, vehicle software security hasn't really been a concern because cars have always been isolated and self-contained entities

Now that they connect to the Internet, they expose a new attack surface.


Autonomous driving isn't limited to making knowledge workers' windshield time more productive. Logistics companies, for example, will benefit tremendously from autonomous vehicles, but imagine an attacker compromising and shutting down those vehicles: the results would be disastrous not only to the logistics company but to all of the businesses that rely on them as a vendor.

https://www.darkreading.com/endpoint/connected-cars-pose-new-security-challenges/a/d-id/1331166?_mc=sm_dr&hootPostID=55d0e82932ac4cae8ebf0aee77f0657e

Does your phone support 4G LTE? What can hackers do? Nothing much, just spy, track, spoof and spam


A new research paper recently published by researchers at Purdue University and the University of Iowa details 10 new cyber attacks against 4G LTE:


  1. Authentication Synchronization Failure Attack
  2. Traceability Attack
  3. Numb Attack
  4. Authentication Relay Attack
  5. Detach/Downgrade Attack
  6. Paging Channel Hijacking Attack
  7. Stealthy Kicking-off Attack
  8. Panic Attack
  9. Energy Depletion Attack
  10. Linkability Attack



Monday, March 5, 2018

Fileless Malware is coming - Are you ready? Here are a few pointers that could help



  1. Patching
  2. Least Privilege (App and User)
  3. Restrict PowerShell (Constrained Language Mode)
  4. Blacklisting / Redirect - Site / URL
  5. Behavior Monitoring (Super Users)
  6. Human Error (Training)



http://www.computerweekly.com/opinion/Security-Think-Tank-How-to-tackle-fileless-malware-attacks

Thursday, March 1, 2018

A web service running as the root user - This happened to an HTTPS certificate reseller (Trustico). Guess what - their website went down. I wonder why?




The vulnerability could be leveraged by miscreants to execute arbitrary commands on the website's host server. A lack of input sanitization allowed carefully crafted commands, submitted as a URL in a web form, to be run on the underlying Linux-powered system, as root no less, meaning anyone who found and exploited the bug could take over the dot-com's web servers.

On Thursday morning, Serbian security researcher Predrag Cujanović tweeted details of a critical flaw in Trustico's website. The site was pulled offline – it just returns a 503 error.



https://www.theregister.co.uk/2018/03/01/trustico_website_offline/
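The two lessons in that story (never let a form field reach a shell, and never let the web worker be root) are easiest to see side by side. The code below is an added example and not Trustico's code, which was never published; the "check this site's certificate" feature, the function names and the sample inputs are assumptions made for illustration. The vulnerable builder splices the submitted URL straight into a command line; the hardened builder parses the URL with a real parser, allow-lists the hostname, hands subprocess an argv list so no shell is involved, and refuses to run as root at all.

```python
"""A URL-taking web form that shells out, the way the Trustico story describes,
beside a hardened version: parse the URL properly, allow-list the hostname,
pass an argv list to subprocess (no shell) and refuse to run as root.

Added example, not Trustico's code (which was never published). The
"check this site's certificate" feature, the function names and the inputs
are assumed for illustration only.
"""
import os
import re
import shlex
import subprocess
from urllib.parse import urlsplit

# Strict DNS hostname allow-list: dotted labels of letters/digits/hyphens plus a TLD.
# (Deliberately rejects bare names such as "localhost" and anything non-ASCII.)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def build_command_unsafe(url):
    """VULNERABLE pattern: the submitted text is spliced into a shell command line.
    Whatever the user typed gets parsed by /bin/sh, so shell metacharacters turn
    into extra commands that run with the web server's privileges."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return f"openssl s_client -connect {host}:443 -servername {host}"


def shell_tokens(command_line):
    """Show how a POSIX shell would tokenize the string (';' becomes an operator)."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


def build_command_safe(url):
    """Hardened: use the real URL parser, accept only plain https://host[/...] URLs,
    allow-list the hostname, and return an argv list so no shell ever sees it."""
    parts = urlsplit(url)  # .port raises ValueError on garbage, which is what we want
    if parts.scheme != "https" or parts.username is not None or parts.port not in (None, 443):
        raise ValueError("only plain https://host URLs are accepted")
    host = (parts.hostname or "").lower()
    if not HOSTNAME_RE.match(host):
        raise ValueError("hostname failed validation")
    return ["openssl", "s_client", "-connect", f"{host}:443", "-servername", host]


def accepts(url):
    """True if the hardened builder would run a check for this URL."""
    try:
        build_command_safe(url)
        return True
    except ValueError:
        return False


def running_as_root():
    """The other half of the lesson: the worker process must not be root at all."""
    geteuid = getattr(os, "geteuid", None)  # not available on Windows
    return geteuid is not None and geteuid() == 0


def check_certificate(url, timeout=10):
    """Run the hardened command: argv list, shell=False, bounded runtime, never as root."""
    if running_as_root():
        raise PermissionError("refusing to run certificate checks as root")
    argv = build_command_safe(url)
    return subprocess.run(argv, input=b"", capture_output=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed input with a shell metacharacter in the host part.
    crafted = "https://example.com; id"
    print("unsafe tokens:", shell_tokens(build_command_unsafe(crafted)))
    print("hardened accepts crafted input:", accepts(crafted))
    print("hardened argv:", build_command_safe("https://example.com/check"))
```

Tokenizing the unsafe command line shows a standalone ";" token, which is exactly the point at which the shell would start a second command; the hardened builder never produces a command line at all, so there is nothing for the shell to misread, and the root check means that even a bug that slips past validation runs with a low-privilege account rather than owning the box.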