Microsoft fixes web server DDoS bug

By Danny Bradbury

Microsoft has fixed a bug that could have led to distributed denial of service (DDoS) attacks on its web server software.

The flaw lay in the way that Internet Information Server (IIS) processed requests sent using HTTP/2.

Ratified in 2015, HTTP/2 is an enhanced version of the original HTTP standard that includes better flow control and handles a wider variety of connections between clients and servers.

Flow control in HTTP/2 enables a client computer to describe how it wants to receive information from the sender so that it can work more efficiently.

For example, you might ask your browser to stream a high-bandwidth video, but then pause the video halfway through.

With HTTP/2, the browser can use flow control to pause the delivery and buffering of the video and concentrate on downloading something else that is suddenly more important, such as a real-time ticker update.

Read more at https://nakedsecurity.sophos.com/2019/02/22/microsoft-fixes-ddos-bug-in-its-web-server/

Flash “security bypass” list hidden in Microsoft Edge browser

By John E Dunn

Until this month, Microsoft’s Windows 10 Edge browser could skip over its own “Are you sure?” warnings about Flash content on 58 websites, thanks to a bypass list kept hidden from users.

Google Project Zero researcher Ivan Fratric said he stumbled on the list last November when he analysed domain hashes inside the edgehtml­plugin­policy.bin file.

Fratric eventually resolved 56 of the 58 hashes to be a bypass list of domains that included Facebook, MSN, Deezer, and Yahoo Japan, which all contain some legacy Flash content.

Having a bypass list built into Edge is risky, says Fratric.

Flash is well-known for vulnerabilities, which is why users are regularly reminded either to run it only when necessary or, better still, not run it at all.

Although the setting had limitations (the content must be hosted on the same domain or larger than 398×298 pixels), Fratric said he was alarmed at the reasoning behind having a list of this sort inside Edge that users know nothing about.

Read more at https://nakedsecurity.sophos.com/2019/02/22/flash-security-bypass-list-hidden-in-edge/

Facebook lets Android users block location tracking

By Lisa Vaas

Last week, CNBC reported that Facebook looks up users’ location data when it thinks they’re a threat to the company’s employees or facilities.

Until recently, granting an Android app access to your location was an all-or-nothing deal: you either had to turn off location and prevent the app from seeing your location at all, or you had to grant it full use of your location, even when you weren’t using the app.

That’s how Android works: Google requires that apps get permission to use your location, but unlike iOS, it doesn’t offer an option to share your location only when the app is in use.

This all changed on Wednesday this week when Facebook announced that it will be updating its location controls on Android to give people more choice over how the company collects location information and how the platform stores it.

Facebook said that it’s not making any changes to the choices that users have previously made, nor is it collecting any new information as a result of the update.

Read more at https://nakedsecurity.sophos.com/2019/02/22/facebook-lets-android-users-block-location-tracking/

Facebook hoax? Can you sniff out gas station card skimmers using Bluetooth?

By Lisa Vaas

There’s a “helpful tip” making the Facebook rounds, and it’s a little bit helpful but a lot not so much.

It’s about using Bluetooth to detect credit card skimmers at gas stations:

Here is a helpful tip:

When you pull up to a gas station to fill your car. Search your phone for Bluetooth devices. If a sequence of letters and a sequence of numbers shows up in your device list do not pay at the pump. One of the pumps have a card reader installed. All card readers are Bluetooth.

The post refers to a card “reader,” but what it means is card “skimmer.”

The first is a legal way for you to pay, while the latter is a piece of thief-ware, be it a plastic gadget clumsily glued on to the face of an ATM or gas pump or technology that’s installed internally.

Credit card skimmers are devices that capture details from a payment card’s magnetic stripe, then (sometimes) beam them out via Bluetooth to nearby crooks.

The “sometimes” is just one thing that makes this viral post less than helpful.

Security journalist Brian Krebs has cataloged all sorts of skimmers, including some that send information to fraudsters’ phones via text message.

Read more at https://nakedsecurity.sophos.com/2019/02/20/can-you-really-sniff-out-gas-station-skimmers-with-your-phone/