IE – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Mon, 22 Feb 2016 02:48:10 +0000

Group Problemcy | TechSNAP 201 https://original.jupiterbroadcasting.net/77327/group-problemcy-techsnap-201/ Thu, 12 Feb 2015 19:09:16 +0000

The post Group Problemcy | TechSNAP 201 first appeared on Jupiter Broadcasting.


A 20 year old design flaw in Windows has just been patched & it requires some major re-working of the software. Attackers compromise Forbes.com & why Facebook’s new ThreatExchange platform could be a great idea.

Plus a great batch of feedback, our answers & much much more!

— Show Notes: —

Critical Microsoft Vulnerabilities

  • “In this month’s Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software.”
  • The two higher priority fixes are MS15-011 (dubbed JASBUG) and MS15-014
  • What makes these vulnerabilities special is that they are not the usual problem with the “implementation” of a protocol or feature. They are actually a design flaw in Windows that required Microsoft to invent entirely new features to solve. These new features needed to be tested against all supported versions and configurations of Windows, and a process had to be developed and documented for deploying the new feature
  • Most corporate network security features in Windows are deployed via “Group Policies”
  • One of those group policies is SMB signing, which makes a client verify the identity of a remote server before trusting it
  • The MS15-014 bug allows an attacker to interfere with the application of the group policy, leaving the SMB signing feature off
  • Then when a user tries to run a trusted program from a network server, they instead connect to the malactor’s server and run a malicious program
  • MS15-011 is related, and is actually a catch-22
  • During the process where the Windows client downloads the group policy from the domain controller, authentication is not enforced (as this is set via the group policy, which needs to be downloaded first)
  • As part of the group policy download, the client also runs a series of scripts from the domain controller (login.cmd, login.bat, etc)
  • This means a malactor could use a man-in-the-middle position to replace the group policy with one that reduces the security of the machine, and cause the user’s system to run any commands they want
  • To solve this issue, Microsoft has introduced a new feature to require “Mutual Authentication”
  • This feature is enabled by… you guessed it, Group Policy
  • So clients must make one last insecure connection to the domain controller, at which point they will verify the identity of the domain controller before accepting any future group policy from anyone
  • It is unclear if fresh installs of Windows will be vulnerable the first time they connect to the domain
  • Microsoft is not patching Windows XP, Windows 2000, nor Windows Server 2000 and 2003
  • MS15-011 was found by JAS Global Advisors which “found the bug while working on a project for ICANN looking into security issues surrounding the release of new generic Top Level Domains and Top Level Domains. The Group Policy issue was discovered during the research phase of this project, but is unrelated to new gTLDs or TLDs”
  • “It certainly doesn’t work universally and it depends on some funky misconfigurations and happenstance. But it works frequently enough to be of concern,” the JAS advisory said. “We will release the specifics of the other attack scenarios we’re aware of at some future point, but for now it’s important that folks patch and not become complacent because of a perceived on-LAN requirement. It’s not a strict requirement. Go patch.”
  • “Not only are Windows clients too trusting of the responses they get back from DNS, they can also be fairly easily tricked into downgrading to unauthenticated and unencrypted transit protocols (like WebDav over http)”
  • Microsoft rolled out a new feature to address the vulnerabilities called UNC Hardened Access, which ensures the right authentication and in-transit encryption is carried out.
  • “Instead of being subject to the OS “trying too hard” to make communication work, the UNC infrastructure within Windows now allows the higher layer resource requestor to specify whether Mutual Authentication, Integrity, and/or Privacy are required for the communication,” Schmidt said. “This is the right, general-purpose solution to this problem.”
  • “Schmidt said there is an outstanding issue that Microsoft has not addressed wherein Active Directory clients could leak DNS requests to the open Internet. The Internet’s DNS infrastructure, he said, will try to resolve those queries as it would any other and provide pointers to the right sources, rather than a result from the local AD controller for an enterprise domain, for example. He said during JAS’ research, more than 200,000 AD reached out to JAS via a series of customized DNS registrations”
  • Additional Coverage: Krebs on Security
  • Additional Coverage: Threat Post
  • Additional Coverage: Naked Security

Attackers compromise Forbes.com and use IE and Flash zero days

  • “A Chinese APT group was able to chain together two zero day vulnerabilities, one against Adobe’s Flash Player and one against Microsoft’s Internet Explorer 9, to compromise a popular news site late last year”
  • “The group’s aim was to gain access to computers at several U.S. defense and financial firms by setting up a watering hole attack on the site that would go on to drop a malicious .DLL”
  • It is not clear how the Forbes.com site was actually compromised
  • The Flash-powered “thought of the day” widget was changed to redirect to a malicious .swf Flash file, which would exploit an Adobe Flash 0-day to take control of the visitor’s system
  • The flaw also optionally used an IE9+ ASLR bypass to ensure it could infect the machine even if it had additional attack mitigation features enabled
  • “While the Adobe bug, a buffer overflow (CVE-2014-9163) was patched back on Dec. 9, the ASLR mitigation bypass (CVE-2015-0071) was one of many patched yesterday in Microsoft’s monthly Patch Tuesday round of patches, an update that was especially heavy on Internet Explorer fixes.”
  • The release of the details was timed to coincide with Microsoft’s release of a patch for the IE9 ASLR bypass
  • Researcher Post – Invincea
  • Researcher Post – iSightPartners

Facebook launches ThreatExchange

  • Facebook has launched a new information sharing platform to allow IT companies to share details and signatures of the evolving attacks they see against their networks and users
  • Some early members of the platform include: Pinterest, Yahoo, Tumblr, Twitter, Bitly and Dropbox
  • “The cost is free, and most of the heavy lifting is done by Facebook’s infrastructure. The platform developers were also cognizant of some of the concerns enterprises have about sharing threat data, from both a competitive and risk management standpoint. Privacy controls are built in to ThreatExchange that not only sanitize information provided by members, but also allows contributors to share data with all of the exchange’s members, or only particular subsets. In addition to threat information shared by contributors, open source threat intelligence feeds are pulled into the platform”
  • “Facebook hopes the initial partner list grows to include other technology companies with a large Internet footprint. Microsoft, for example, has developed its own information sharing platform called Interflow, while the FBI announced last winter that it was releasing an unclassified version of its malware repository in the hopes of spurring public-private sharing of threat data”
  • “If some reasonably large Internet properties cooperate on attacks they’ve seen and responded to, the vast majority of the Internet will be safer,” Hammell said. “We want to bring in more companies like that and eventually broaden it beyond big companies to smaller web properties and researchers. We want to create a forum where we can share attack and threat information in an easy way and share it with as many who want to receive it”
  • “The classic example is an attack you’re investigating where only you and a few companies are targeted,” Hammell explained. “They can collaborate together on that particular attack and share data, but perhaps they don’t feel it’s appropriate to go wider because it may tip their hand and alert the attacker, or it would not be beneficial to the investigation if others started poking at the infrastructure and possibly disrupt the work they’re doing. It’s an important scenario to get right.”

Microsoft goes Spartan | Tech Talk Today 110 https://original.jupiterbroadcasting.net/74562/microsoft-goes-spartan-tech-talk-today-110/ Tue, 30 Dec 2014 10:35:59 +0000

The post Microsoft goes Spartan | Tech Talk Today 110 first appeared on Jupiter Broadcasting.


Microsoft is building a new browser in-house that is rumored to work and look a lot more like Chrome & Firefox. The FBI has a lead on the Lizard Squad & who won big in the gadget sales over the holidays.


Show Notes:

Microsoft is building a new browser as part of its Windows 10 push | ZDNet

There’s been talk for a while that Microsoft was going to make some big changes to Internet Explorer in the Windows 10 time frame, making IE “Spartan” look and feel more like Chrome and Firefox.

It turns out that what’s actually happening is Microsoft is building a new browser, codenamed Spartan, which is not IE 12 — at least according to a couple of sources of mine.

Spartan is still going to use Microsoft’s Chakra JavaScript engine and Microsoft’s Trident rendering engine (not WebKit), sources say. As Neowin’s Brad Sams reported back in September, the coming browser will look and feel more like Chrome and Firefox and will support extensions. Sams also reported on December 29 that Microsoft has two different versions of Trident in the works, which also seemingly supports the claim that the company has two different Trident-based browsers.

However, if my sources are right, Spartan is not IE 12. Instead, Spartan is a new, light-weight browser Microsoft is building.

FBI Allegedly Investigating Lizard Squad Member Over Xbox Live, PSN Attacks

The FBI is actively investigating a member of the hacker collective that claimed responsibility for recent high-profile cyberattacks on Microsoft and Sony properties, according to multiple sources with knowledge of the investigation and the attacks. A member of the Lizard Squad hacking group, who goes by the alias “ryanc” or Ryan, allegedly garnered the attention of a special agent with the Federal Bureau of Investigation after speaking with the media about Lizard Squad’s Christmas-day attacks on Xbox Live and the PlayStation Network.

The Interview Online Sales – Business Insider

Sony announced Sunday night that “The Interview” was downloaded or rented online more than 2 million times, generating over $15 million in sales.

After initially pulling the movie from theaters, Sony decided to release it online instead. “The Interview” premiered December 24 on YouTube, Google Play, Xbox Video, and Sony’s own site, SeeTheInterview.com.


On Sunday, Apple made the movie available for rent or purchase on iTunes.

“The Interview” costs $14.99 to own or $5.99 to rent.

A source familiar with the movie’s online sales told Business Insider the “vast majority” of rentals and downloads came from Google Play and YouTube.


Meanwhile, “The Interview” was pirated an estimated 1.5 million times in its first two days, according to Torrent Freak.

Apple and Apps Dominated Christmas 2014 | Flurry

Flurry examined these new device activations to understand what types of devices consumers are exchanging for the holidays, and with which types of apps they are filling them. Since the beginning of the mobile revolution, Christmas Day has seen the highest number of new device activations and app installs each year, and 2014 was no exception. Flurry examined data from the more than 600,000 apps.


Apple accounted for 51% of the new device activations worldwide Flurry recognized in the week leading up to and including Christmas Day (December 19th – 25th). Samsung held the #2 position with 18% of new device activations, and Microsoft (Nokia) rounded out the top three with 5.8% share for mostly Lumia devices. After the top three manufacturers, the device market becomes increasingly fragmented with only Sony and LG commanding more than one percent share of new activations on Christmas Day. Up-and-comers Xiaomi, Huawei, and HTC all had less than one percent share on Christmas Day. One reason is surely their popularity in Asian markets where December 25th is not the biggest gift-giving day of the year.

6 Terabyte Hard Drive Round-Up: WD Red, WD Green and Seagate Enterprise 6TB

For a while, 4TB drives were the top end of what was available in the market but recently Seagate, HGST, and Western Digital announced breakthroughs in areal density and other technologies, that enabled the advent of the 6 Terabyte hard drive. This round-up looks at three offerings in the market currently, with a WD Red 6TB drive, WD Green and a Seagate 6TB Enterprise class model. Though the WD drives only sport a 5400RPM spindle speed, due to their increased areal density of 1TB platters, they’re still able to put up respectable performance. Though the Seagate Enterprise Capacity 6TB (also known as the Constellation ES series) drive offers the best performance at 7200 RPM, it comes at nearly a $200 price premium. Still, at anywhere from .04 to .07 per GiB, you can’t beat the bulk storage value of these new high capacity 6TB HDDs.

Gentlemen, Start Your NGINX | TechSNAP 128 https://original.jupiterbroadcasting.net/43352/gentlemen-start-your-nginx-techsnap-128/ Thu, 19 Sep 2013 16:15:59 +0000

The post Gentlemen, Start Your NGINX | TechSNAP 128 first appeared on Jupiter Broadcasting.


A zero day flaw has Microsoft scrambling, and the banking hack that only requires a nice jacket.

Then it’s a great big batch of your questions, our answers, and much much more!

On this week’s TechSNAP.


— Show Notes: —

Crooks Hijack Retirement Funds Via Social Security Administration Portal

  • Traditional SSA fraud involves identity thieves tricking the beneficiary’s bank into diverting the payments to another account, either through Social Security’s 800 number or through a financial institution, or through Treasury’s Direct Express program
  • The newer version of this fraud involves the abuse of the SSA’s my Social Security Web portal
  • The SSA added the ability to change direct deposit information via their my Social Security Web portal. Shortly thereafter, the agency began receiving complaints that identity thieves were using the portal to hijack the benefits of individuals who had not yet created an account at the site.
  • As of August 23, 2013, the SSA has received 18,417 allegations of possibly fraudulent mySocialSecurity account activity.
  • “There is no suggestion that SSA’s systems have been compromised; this is an identity theft scheme aimed at redirecting existing benefits, often to prepaid debit cards.” – via Jonathan Lasher, assistant inspector general for external relations at the SSA’s Office of Inspector General.
  • Banks usually will alert customers if the beneficiary account for SSA payments is changed. But she said those communications typically are sent via snail mail.
  • Many customers will overlook such notices.
  • If you receive direct deposits from the Social Security Administration but haven’t yet registered at the agency’s new online account management portal, now would be a good time to take care of that.
  • Because it’s possible to create just one my Social Security account per Social Security number, registering an account on the portal is one basic way that consumers can avoid becoming victims of this scam.
  • In Canada, registering on the Canada Revenue Agency’s website requires information from your previous year’s tax returns, and an activation code is snail mailed to you

Microsoft warns of a 0day in all versions of Internet Explorer, working on a patch for IE 6 – 11

  • The flaw in question makes remote code execution possible if you browse to a website containing malicious content for your specific browser type
  • Actively being exploited against IE8 and 9
  • Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
  • The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
  • The company is offering the following workarounds and mitigations:
  • Apply the Microsoft Fix it solution, “CVE-2013-3893 MSHTML Shim Workaround,” that prevents exploitation of this issue. Note: This ‘fixit’ solution only works for 32-bit versions of IE
  • Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.
  • CVE-2013-3893
  • Additional Coverage

Cyber Police Arrest 12 Over Santander Bank Heist Plot

  • The Metropolitan Police’s Central e-Crime Unit (PCeU) has arrested 12 men as part of an investigation into an “audacious” plot to take control of a Santander Banking computer.
  • “The PCeU is committed to tackling cyber-crime and the damage it can cause to individuals, organisations and the wider economy.”
  • According to the police, the group sent in a man dressed as a maintenance engineer, who managed to attach an IP-KVM (keyboard video mouse) device to a machine in the bank, allowing the attackers to remotely carry out actions on the computer
  • The men, aged between 23 and 50, were arrested yesterday, whilst searches were carried out at addresses in Westminster, Hounslow, Hillingdon, Brent, Richmond and Slou

Feedback

10.1.10.254:/mnt/fart /mnt/nfs nfs auto,noatime,nolock,defaults,user=1001 0 0

Round Up:

iOS 7 Swamps the Internet

Jails vs VMs | TechSNAP 110 https://original.jupiterbroadcasting.net/37326/jails-vs-vms-techsnap-110/ Thu, 16 May 2013 12:17:14 +0000

The post Jails vs VMs | TechSNAP 110 first appeared on Jupiter Broadcasting.


A security breach becomes a lesson for us all. We’ll make some lemonade from a bad situation, and arm you with what you need to protect yourself.

Plus Demonoid users get phished, a batch of your questions, and much much more.

On this week’s TechSNAP.

Show Notes:

Sophos anti-virus detects itself

  • Earlier this week Sophos released a scheduled update to their anti-virus definition files
  • The new definitions detected the Sophos updating process, and a number of other auto-updating applications, as variants of the malware Shh/Updater-B
  • In addition to setting off a huge volume of false positives, the detection also resulted in the quarantine, blocking or deletion of parts of the Sophos updater
  • The updated definitions that solve the problem were released on Wed, 19 Sep 2012 21:32 BST
  • However, the updated definitions could not be downloaded by Sophos, because the updater had been broken
  • This is an especially large issue for enterprise deployments of Sophos
  • The Sophos support number was down; the call volume was so great that most people could not even get into the hold queue

0-day Flaw in Internet Explorer active in the wild

  • Internet Explorer versions 6 through 9 are vulnerable to a new series of attacks
  • Exploits for a previously unknown use-after-free memory corruption vulnerability, in addition to three more exploits that were found and tied to a hacker group in China known as Nitro (the same group responsible for exploits of two zero-day Java flaws disclosed three weeks ago)
  • Security researcher Eric Romang discovered the first of the exploits last weekend while monitoring an infected server
  • When a user lands on an infected page, the exploit installs the PoisonIvy remote access Trojan
  • Jaime Blasco of AlienVault Labs then discovered three additional exploits, one of which drops the PlugX trojan
  • The new exploits appear to be targeted at defense contractors in the U.S. and India
  • An unknown exploit was found in a Defense News Portal site in India; it had been served for at least four days
  • Microsoft is slated to release a patch on Friday; until then, a ‘fixit’ patch is available
  • A new Metasploit module to test for and exploit the vulnerability has been released
  • Additional Coverage

The “top secret” room where 260 Internet Service Providers connect

  • Nearly every carrier neutral data center in the world contains a MeetMe room
  • MeetMe rooms are more often used for private peering, rather than internet transit
  • Transit is when you buy ‘Internet’ service from another provider; they provide you with a ‘default route’ that you can send traffic to, and it will be delivered to anywhere on the internet
  • Peering is where providers swap traffic that is specifically destined for each other’s networks, so if Provider A peers with Provider B, Provider A must use their transit connection to reach Provider C; only traffic between A and B (and their customers) is allowed across the ‘peering’ link
  • If 1 Wilshire (the building in question) were to go entirely offline, all connections in and out severed, the Internet would continue to operate, traffic would be routed around the missing nodes
  • Performance would be degraded, and it is possible that some of the ‘backup’ routes could not handle all of the traffic, but the network would not cease to work
  • The Internet is based on the principle of being able to get data from Point A to any Point B, reliably
  • To do this, the Internet’s backbone providers use BGP4 routing protocol (Border Gateway Protocol)
  • Most Internet Transit providers have maps that look like this:
  • nLayer
  • Hurricane Electric
  • Abovenet (Zayo)
  • Level3
  • NTT
  • Vocus (Australian)
  • As you can see on almost all of these maps, there are almost always multiple paths that a packet can take to get from point A to point B

Feedback:

Special Community Events

  • Lynx Music:

He goes by Illusionist Lynx and he’s used MATH to make music (and a bunch of other cool methods). Check out his pay-what-you-want music on his bandcamp site: Illusionist Lynx

  • Nicholas is getting married, and he needs your HELP!

Nicholas is live streaming his marriage proposal, and hopes to have the JB audience tune in, and maybe help get his girlfriend to the right location!

The site people can visit is https://rachelwillyoumarryme.com/

  • Visit his site an hour before the event (countdown on his website)
  • When the call to action comes, help him spam his girlfriend into arriving at the correct location.
  • To help organize, show up early and watch the show’s subreddit!

Have some fun:

What I wish the new hires “knew”

The post Self Healing Internet | TechSNAP 76 first appeared on Jupiter Broadcasting.