January 10, 2020

Is the Y2K bug alive after all?

By Paul Ducklin

Right at the end of 2019, we wrote about the “decade-ending Y2K bug that wasn’t” in a serious article with a humorous side.

In that article, we described a perennial “gotcha” for Java programmers faced with the simple task of printing out the year.

If you tell Java to print the year as four digits by using the abbreviation YYYY, which is a very common way of denoting the year in all sorts of other apps, you will get the right answer most of the time…

…but in some years, the answer comes out exactly one year off for just a few days at the start or the end of the calendar year.

Memories of the Y2K bug!

Y2K, or the millennium bug, was where programs that tried to save memory by storing dates as “99” instead of “1999” got confused at the end of 1999, because the sum 99+1 rolls back to 00 when you only have two digits to play with.

But it turns out that the Java bug that people were comparing to Y2K was a completely different beast.

The bug in the Java case is that Java’s shorthand to denote the current year in four digits is yyyy, and not YYYY – it really matters whether you use capital letters or not.

Confusingly, and for many people, surprisingly, the text YYYY in a Java program denotes the year in which at least half of the current week lies, as used for things like payroll and weekly accounts.

So if there are an odd few days at the start or end of a year, they’re transferred to the previous or following year when you count in weeks to do your accounts.
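Here is a small Java program, added as an illustration and not taken from the original article, that prints the same handful of dates with yyyy and with YYYY so you can see the mismatch for yourself. It assumes Locale.UK so that YYYY follows the ISO-8601 week rule (weeks start on Monday and week 1 is the week containing the year’s first Thursday); the sample dates are constructed to land on the awkward days at either end of a calendar year.

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.util.Locale;

// Added illustration of the yyyy-versus-YYYY pitfall (not code from the article).
// Locale.UK is assumed so that "YYYY" uses the ISO-8601 week-based year.
public class WeekYearDemo {

    // "yyyy" is the year-of-era: the ordinary calendar year everyone expects.
    private static final DateTimeFormatter CALENDAR_YEAR =
            DateTimeFormatter.ofPattern("yyyy-MM-dd", Locale.UK);

    // "YYYY" is the week-based year: the year that owns the week the date falls in.
    private static final DateTimeFormatter WEEK_BASED_YEAR =
            DateTimeFormatter.ofPattern("YYYY-MM-dd", Locale.UK);

    // True when the two patterns disagree for the given date, i.e. when a
    // program that used YYYY by mistake would print the wrong year.
    static boolean isOffByOneYear(LocalDate date) {
        return !CALENDAR_YEAR.format(date).equals(WEEK_BASED_YEAR.format(date));
    }

    public static void main(String[] args) {
        // Constructed sample dates: one mid-year date, then the "odd few days"
        // around the 2019/2020 and 2020/2021 boundaries.
        LocalDate[] samples = {
            LocalDate.of(2019, 6, 15),   // nowhere near a year boundary
            LocalDate.of(2019, 12, 29),  // Sunday, last day of ISO week 52 of 2019
            LocalDate.of(2019, 12, 30),  // Monday, first day of ISO week 1 of 2020
            LocalDate.of(2019, 12, 31),
            LocalDate.of(2020, 1, 1),
            LocalDate.of(2021, 1, 1),    // Friday, still in ISO week 53 of 2020
            LocalDate.of(2021, 1, 4),    // Monday, first day of ISO week 1 of 2021
        };

        System.out.printf("%-12s %-12s %-12s %s%n",
                "date", "yyyy-MM-dd", "YYYY-MM-dd", "mismatch");
        for (LocalDate d : samples) {
            System.out.printf("%-12s %-12s %-12s %s%n",
                    d,
                    CALENDAR_YEAR.format(d),
                    WEEK_BASED_YEAR.format(d),
                    isOffByOneYear(d) ? "YES" : "");
        }
    }
}
```

Compile and run it with `javac WeekYearDemo.java && java WeekYearDemo`. The mid-year date and 29 December 2019 agree under both patterns, while the dates from 30 December 2019 onwards and the first three days of 2021 come out a year adrift under YYYY, which is exactly the few-days-either-side behaviour described above. Note that the week rule is locale-dependent: with a locale whose weeks start on Sunday and need only one day in the new year, the exact set of affected days shifts slightly, which is one more reason a calendar year should always be printed with yyyy.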

Read more at https://nakedsecurity.sophos.com/2020/01/10/is-the-y2k-bug-alive-after-all/

Hackers use system weakness to rattle doors on Citrix systems

By Danny Bradbury

Attackers are using a serious bug in Citrix products to scan the internet for weaknesses, according to experts.

The flaw, CVE-2019-19781, affects the company’s NetScaler ADC Application Delivery Controller and its Citrix Gateway. The first product is a piece of network equipment that ensures online applications perform well, using load balancing and application monitoring. The second provides remote access to applications on a company’s network or in the cloud. An attacker could use the bug to execute arbitrary code, according to Citrix, which published an advisory on 17 December.

Positive Technologies, which wrote a report of the bug on 23 December, warned that 80,000 companies were at risk. NIST gave it a 9.8 (Critical) CVSS 3.0 score.

A bug that lets attackers execute arbitrary code without even needing an account is particularly serious. Positive Technologies explained:

This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server.

Although Citrix hasn’t released details of the bug in its advisory, several researchers have suggested that it is a directory traversal vulnerability that allows someone from the outside to reach a directory that they shouldn’t access.

There are no known proof-of-concept exploits at the moment, but the SANS Internet Storm Center demonstrated on 31 December its ability to exploit weaknesses in the code and upload files to the system without “any special tools or advanced skills”.

Read more at https://nakedsecurity.sophos.com/2020/01/10/hackers-use-system-weakness-to-rattle-doors-on-citrix-systems/

Ransomware pounces on California schools, Las Vegas trounces attack

By Lisa Vaas

We’ve got some bad ransomware news, and we’ve got some good, cyberattack-THWARTED! news.

First, the bad: over the holiday break, crooks who are so morally bankrupt that they target the organizations that serve children pounced on schools in the US city of Pittsburg, California.

On Monday, the superintendent of Pittsburg Unified School District, Janet Schulze, put up a message about the ransomware attack on the district’s Facebook page.

She said that any and all affected and potentially affected servers had been taken offline, leaving the district’s school system without email or internet access. Phones were working, though, and the plan was to forge ahead and open school on Tuesday.

Twenty-eight minutes later, Schulze put up an update, saying that the show would indeed go on, but old-school style: sans laptops, sans internet.

We are all set for school tomorrow! We will be teaching and learning like ‘back in the day’…without laptops and internet. Our schools have access to student information and our phones are working. We still are not able to receive email, so please call your child’s school if needed.

As of Monday, the district was working with two external IT firms and attorneys who, Schulze said, are all specialists in this kind of e-misery. She also said that the district had notified law enforcement and that the investigation and repair work were still underway.

The cybersecurity teams that are helping the school system to get back on its feet hadn’t detected any compromise of personal data as of Monday.

Cut off from the internet and email, the district’s secondary schools were given an extension – until Monday 13 January – to enter first-semester grades into the grading system. A slice of good news: the cafeteria wasn’t affected and could therefore be counted on to dish up meals for the hungry students.

Schulze didn’t give any indication as to what ransom the crooks are demanding, nor whether or not the district plans to fork anything over.

Read more at https://nakedsecurity.sophos.com/2020/01/10/ransomware-pounces-on-california-schools-las-vegas-trounces-attack/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation