August 15, 2019

Patch time! Microsoft warns of new worm-ready RDP bugs

By Danny Bradbury

Microsoft’s Patch Tuesday brought some very bad news yesterday: more wormable RDP vulnerabilities, this time affecting Windows 10 users.

CVE-2019-1181 and -1182 are critical vulnerabilities in Remote Desktop Services (formerly Windows Terminal) that are wormable – similar to the BlueKeep vulnerability that people have already created exploits for. Wormable means that the exploit could, in theory, be used not only to break into one computer but also to spread itself onwards from there.

These new vulnerabilities, which Microsoft found while it was hardening RDS, can be exploited without user interaction by sending a specially-crafted remote desktop protocol (RDP) message to RDS. Once in, an attacker could install programs, change or delete data, create new accounts with full user rights, and more. CVE-2019-1222 and -1226 also address these flaws.

Unlike BlueKeep, these new RDP vulnerabilities affect Windows 10, including server versions, as well as Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

Microsoft said that these vulnerabilities haven’t yet been exploited in the wild, but urged customers to get ahead of the game by patching quickly:

It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide.

Computers with network level authentication (NLA) are partly protected, because crooks would need to authenticate before making a request, meaning that an attack couldn’t spread without human interaction on NLA-enabled systems.
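As an added example (not from the article or from Microsoft), the following PowerShell audits a Windows host for the two things the story turns on: whether RDP is enabled without NLA, and whether the RDS update is installed. It assumes the standard Terminal Server registry locations and the `Win32_TSGeneralSetting` WMI class; the KB identifier in `Test-RdsPatchInstalled` is a placeholder to be filled in from the Microsoft Security Update Guide, since the article does not list it.

```powershell
# Added example: audit RDP exposure and require Network Level Authentication, so that
# unauthenticated RDP messages are rejected before they reach the RDS session code.
# Registry keys are the standard Terminal Server locations; the KB list is a placeholder.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = Join-Path $TsKey 'WinStations\RDP-Tcp'

function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop is enabled
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA (authenticate before session setup) is required
    $nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $RdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Get-NetTCPConnection is absent on Windows 7 / Server 2008 R2; report $null there
    $listening = $null
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -eq 0)
        NlaRequired  = ($nla -eq 1)
        RdpPort      = $port
        Listening    = $listening
    }
}

function Test-RdsPatchInstalled {
    # Placeholder: replace with the KB numbers published for this system's OS build
    param([string[]]$RequiredKB = @('KB<fill-in-from-Security-Update-Guide>'))
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $RequiredKB) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Enable-RdpNla {
    # Same switch as "Allow connections only from computers running Remote Desktop
    # with Network Level Authentication" in System Properties; applies to new sessions.
    $setting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $setting | Invoke-CimMethod -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

$state = Get-RdpExposure
$state | Format-List
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning "RDP is enabled without NLA on $($state.ComputerName): unauthenticated RDP traffic reaches RDS."
    Enable-RdpNla
    Get-RdpExposure | Select-Object ComputerName, NlaRequired
}
Test-RdsPatchInstalled | Format-Table -AutoSize
```

Run it in an elevated session; the NLA switch needs administrative rights. As the article notes, NLA only raises the bar for an unauthenticated worm, so the patch check is the part that actually closes the hole, and the script is meant to be run across a fleet (for example via `Invoke-Command`) rather than on one box.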

Read more at https://nakedsecurity.sophos.com/2019/08/14/microsoft-warns-of-new-worm-ready-rdp-bugs/

Facebook got humans to listen in on some Messenger voice chats

By Lisa Vaas

Facebook has been collecting some voice chats on Messenger and paying contractors to listen to and transcribe them, Bloomberg reported on Tuesday after hearing from rattled contractors who thought that lack of user notification was unethical.

This is past tense: on Tuesday, Facebook said it knocked it off “more than a week ago” following the scrutiny that Apple and Google have gotten over doing the same thing. Bloomberg quoted a statement in which Facebook confirmed that yes, it had been transcribing users’ audio, but that it’s “paused” the practice:

Much like Apple and Google, we paused human review of audio more than a week ago.

Facebook didn’t say if or when it might resume. The company did say, however, that the eavesdropping was opt-in: only users who had chosen the option in Messenger would have had their voice chats transcribed. The purpose was to check how accurately Facebook’s artificial intelligence (AI) interprets voice messages, which, Facebook says, were anonymized.

They’re all doing it – or at least, they were

Facebook is far from the only tech giant to get its human employees to listen in on voice snippets in order to fine-tune their AI and voice recognition technologies: Google, Apple, Microsoft and Amazon have all been doing it.

In April, Bloomberg reported that Amazon employs thousands of people around the world to work on improving its Alexa digital assistant, which powers its line of Echo speakers. Amazon has confirmed that it keeps these recordings indefinitely instead of deleting the data.

It’s sometimes mundane work. It’s sometimes disturbing: contractors and employees have reported hearing what they interpret as sexual assault, children screaming for help, and other recordings that users would be very unlikely to willingly share.

Read more at https://nakedsecurity.sophos.com/2019/08/15/facebook-got-humans-to-listen-in-on-some-messenger-voice-chats/

Hacking forum spills rival’s 321,000-member database

By John E Dunn

When users of hacking forums turn on each other, expect things to get messy quickly.

The latest site to find itself on the receiving end of this phenomenon is Cracked.to, which last Friday reportedly found its database of 321,000 members and 749,161 unique email addresses leaked on rival site RaidForums.

We can say that with confidence because by Monday the compromised accounts had become another statistic on the Have I Been Pwned (HIBP) breach database – the industry’s go-to for news of such incidents.

That dated the breach to 21 July, with the stolen data also including things that anyone frequenting a forum of this type would rather not have out in the open, such as “IP addresses, passwords, private messages, usernames.”

As Ars Technica points out, this isn’t likely to be as serious a data breach as it would be for a more mainstream website.

IP addresses will likely have been anonymized via Tor, and account email addresses probably won’t identify the users behind them – this is a cagey hacking forum, after all.

As for password security, according to the site’s breach warning, it appears that months before the breach an admin at Cracked.to realized the danger of using weak hashing:

We have changed the hashing algorithm of passwords from myBB default (MD5) to something more advanced a few months ago, which makes it almost impossible to decrypt your passwords.
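To make concrete why the move away from MyBB’s default MD5 matters, here is an added example (not from the article, Cracked.to or MyBB) contrasting an unsalted MD5 store with a salted, iterated scheme. PBKDF2 via .NET’s `Rfc2898DeriveBytes` is used as an assumed stand-in for whatever the forum actually adopted; the two sample accounts are constructed.

```powershell
# Added example: unsalted MD5 versus salted, iterated PBKDF2 for stored passwords.
# Neither the sample accounts nor the chosen KDF come from the forum in the article.

function Get-Md5Hex([string]$Password) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        $digest = $md5.ComputeHash([Text.Encoding]::UTF8.GetBytes($Password))
        -join ($digest | ForEach-Object { $_.ToString('x2') })
    } finally { $md5.Dispose() }
}

function New-Pbkdf2Record([string]$Password, [int]$Iterations = 200000) {
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $Iterations)
    try { $key = $kdf.GetBytes(32) } finally { $kdf.Dispose() }
    # Self-describing record: iteration count and salt are stored beside the derived key
    'pbkdf2${0}${1}${2}' -f $Iterations, [Convert]::ToBase64String($salt), [Convert]::ToBase64String($key)
}

function Test-Pbkdf2Record([string]$Password, [string]$Record) {
    $parts      = $Record.Split('$')
    $iterations = [int]($parts[1])
    $salt       = [Convert]::FromBase64String($parts[2])
    $expected   = [Convert]::FromBase64String($parts[3])
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $iterations)
    try { $actual = $kdf.GetBytes($expected.Length) } finally { $kdf.Dispose() }
    # Constant-time comparison: do not short-circuit on the first mismatching byte
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($actual[$i] -bxor $expected[$i]) }
    return ($diff -eq 0)
}

# Constructed sample: two accounts that happen to share a password
$alice = 'correct horse'; $bob = 'correct horse'

# Unsalted MD5: identical passwords give identical hashes, so one precomputed table
# (or one cracked hash) exposes every account that used that password.
"MD5 alice: $(Get-Md5Hex $alice)"
"MD5 bob:   $(Get-Md5Hex $bob)"

# Salted PBKDF2: same password, different records, and each guess costs $Iterations rounds.
$recA = New-Pbkdf2Record $alice
$recB = New-Pbkdf2Record $bob
"PBKDF2 alice: $recA"
"PBKDF2 bob:   $recB"
"Records differ: $($recA -ne $recB)"
"Verify correct: $(Test-Pbkdf2Record $alice $recA)"
"Verify wrong:   $(Test-Pbkdf2Record 'wrong' $recA)"

# Per-guess cost is the point of an iterated KDF: one MD5 versus one PBKDF2 derivation.
"MD5 ms:    $((Measure-Command { Get-Md5Hex $alice }).TotalMilliseconds)"
"PBKDF2 ms: $((Measure-Command { Test-Pbkdf2Record $alice $recA }).TotalMilliseconds)"
```

Two things the forum’s own note glosses over are visible here: a hash is not “decrypted” but guessed, and what makes guessing impractical is the per-account salt plus the iteration count, both of which have to be stored with the record so that verification can repeat the same derivation.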

Read more at https://nakedsecurity.sophos.com/2019/08/15/hacking-forum-spills-rivals-321000-member-database/

‘NULL’ license plate gets security researcher $12K in tickets

By Lisa Vaas

A vanity plate reading “NULL” sounded good to security researcher/hacker “Droogie,” at least in theory: maybe it would make his plate invisible to Automatic License Plate Reader (ALPR) systems?!

Maybe entering the characters – NULL is the marker used in structured query system (SQL) databases in order to indicate that a data value doesn’t exist – would just return error messages when his plate was spotted during one of his traffic violations…?

That’s not what happened, he told an audience at the recent Defcon security conference. Instead, $12,000 in traffic violation fines happened.

Forbes quoted Droogie as he reminisced about his initial expectations:

[I thought,] ‘I’m gonna be invisible’. Instead, I got all the tickets.

As the Guardian reports, every single speeding ticket earned by cars that lacked valid license plates wound up getting assigned to Droogie’s car – turning it into a veritable NULL bucket.

I’m not paying those, Droogie told Defconners. An unsympathetic Los Angeles police department had initially told him that the only solution was to change his license plate.

But why should he? He didn’t do anything wrong. He had checked with California’s Division of Motor Vehicles (DMV), found that the “NULL” vanity plate was surprisingly available, and registered it without any problem – “no bugs or anything.”

Read more at https://nakedsecurity.sophos.com/2019/08/15/null-license-plate-gets-security-researcher-12k-in-tickets/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC.  We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation