June 6, 2019

Microsoft dismisses new Windows RDP ‘bug’ as a feature

By Danny Bradbury

Researchers have found an unexpected behavior in a Windows feature designed to protect remote sessions that could allow attackers to take control of them.

The issue, discovered by Joe Tammariello at the CERT Coordination Center (CERT) at Carnegie Mellon’s Software Engineering Institute, is documented as CVE-2019-9510. It stems from Network Level Authentication (NLA), which is a feature that you can use to protect Windows installations that have the Remote Desktop Protocol (RDP) enabled. NLA stops anyone from remotely logging into the Windows computer by requiring them to authenticate first.

Starting with Windows 10 release 1803 in April 2019, and with Windows Server 2019, Microsoft changed the way NLA works. Now, the authentication mechanism caches the client’s login credentials on the RDP host so that it can quickly log the client in again if it loses connectivity. According to the advisory from CERT/CC, which disclosed the issue, this change enables an attacker to circumvent a Windows lock screen.

Let’s say you remotely log in to a Windows box using RDP. Then, you lock that remote desktop to stop an attacker from accessing it from your machine while you leave the room.

The attacker could interrupt the network connection between the local machine and the remote Windows box and then reestablish it, by unplugging the network cable and plugging it in again (or disabling and re-enabling Wi-Fi).

Read more at https://nakedsecurity.sophos.com/2019/06/06/microsoft-dismisses-new-windows-rdp-bug-as-a-feature/

YouTube bans kids live-streaming without an adult present

By Lisa Vaas

In yet another step to scrape pedophiles off the bottom of its shoe, YouTube announced on Monday that it’s banning youngsters from live-streaming without adult supervision and that it’s limiting recommendations of videos that depict “minors in risky situations.”

In February, YouTube disabled comments on millions of videos featuring minors, in response to reports that creeps were leaving disgustingly sexual comments on videos featuring kids doing things like yoga or gymnastics, or playing games such as Twister.

At the same time, YouTube also implemented a classifier – a machine learning tool that helps to identify specific types of content – that it says helped it remove a significant number of violative comments.

It didn’t catch them all. On Monday, the New York Times published a writeup of research showing that YouTube’s automated recommendation system (which suggests what to watch next and which drives most of YouTube’s billions of views) was, months after the move to disable comments on kids’ videos, suggesting videos of partially clothed kids (think two-piece swimsuits) to users who watched “other videos of prepubescent, partially clothed children.”

Three researchers at Harvard’s Berkman Klein Center for Internet and Society – Jonas Kaiser, Yasodara Córdova and Adrian Rauchfleisch – stumbled onto the videos while looking into YouTube’s impact in Brazil, the Times reports.

Read more at https://nakedsecurity.sophos.com/2019/06/06/youtube-bans-kids-live-streaming-without-an-adult-present/

Gang charged with $19 million iPhone scam

By Lisa Vaas

A gang in New York allegedly spent the past seven years using the ripped-off identities of cellphone subscribers to steal $19 million worth of iPhones, according to a now-unsealed complaint originally filed by federal prosecutors at the end of April 2019.

The six defendants have been charged with felony counts of mail fraud, conspiracy, and aggravated identity theft.

New York City Police Department (NYPD) detective Armando Coutinh, from the NYPD-FBI Joint Major Theft Task Force, said in the complaint that the ring of alleged fraudsters kept it up from at least 2012 to the present, selling new devices – mostly iPhones – through fencing operations.

A simple plan

Here’s how it worked, Coutinh explained: the fraud ring members would break into the accounts of existing cellphone subscribers and add their names as “authorized users.” Later on, they used stolen personally identifying information (PII) instead of their own names to cook up new, fraudulent accounts.

Then, they’d “upgrade” their phones, paying only a pittance, or nothing at all, in-store and putting the rest of the purchase price on pay-by-month plans on the identity theft victims’ dime.

The victims included both the service providers, which typically picked up the cost of the stolen phones, and the customers whose identities were stolen and/or whose accounts were broken into. The complaint didn’t specify which providers were targeted, nor how many people were defrauded.

Using the stolen PII, the fraudsters created fake ID cards and fraudulent credit and debit cards. Using those cards, they’d pose as legitimate subscribers and fan out across the country to waltz into phone stores for their “upgrades.”

Read more at https://nakedsecurity.sophos.com/2019/06/06/gang-charged-with-19-million-iphone-scam/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, and commercial and residential networks, whether hardwired or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation