January 9, 2020

Browser zero day: Update your Firefox right now!

By John E Dunn

Just two days after releasing Firefox 72, Mozilla has issued an update to patch a critical zero-day flaw.

According to an advisory on Mozilla’s website, the issue identified as CVE-2019-17026 is a type confusion bug affecting Firefox’s IonMonkey JavaScript Just-in-Time (JIT) compiler.

Simply put, a JIT compiler takes JavaScript source code, as you’ll find in most web pages these days, and converts it to executable computer code, so that the JavaScript runs directly inside Firefox as if it were a built-in part of the app.

This typically improves performance, often noticeably.

Ironically, most modern apps implement what’s called DEP, short for Data Execution Prevention, a threat mitigation that helps stop crooks from sending over what looks like innocent data but then tricking the app into running that data as if it were an already-trusted program.

(Code that’s disguised as data is known in the jargon as shellcode.)

DEP means that once a program is running, the data it consumes – especially if it originates from an untrusted source – can’t be turned into executing code, whether accidentally or otherwise.

But JIT compilers have to exempt themselves from DEP controls, because converting data to code and running it is precisely what they do – and that’s why crooks love to probe for flaws in JIT systems.
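As an added illustration (not from the article, and not Mozilla's IonMonkey code), the C sketch below shows the W^X discipline a JIT is expected to follow in place of a blanket DEP exemption (fill the code buffer while it is read/write, then flip it to read/execute with mprotect, never read/write/execute at once), together with a small check a defender can run over /proc/<pid>/maps text to spot pages that are still rwx. The buffer contents and the maps sample in the comments are constructed; count_rwx_in_self only works on Linux.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Count lines of /proc/<pid>/maps text whose permission field starts "rwx".
 * A JIT that honours W^X (write XOR execute) leaves no such mapping behind. */
int count_rwx_mappings(const char *maps_text)
{
    int count = 0;
    const char *line = maps_text;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        /* Layout: "start-end perms offset dev inode path"; perms follow the first space. */
        const char *sp = memchr(line, ' ', len);
        if (sp != NULL && (size_t)(sp + 1 - line) + 3 <= len && strncmp(sp + 1, "rwx", 3) == 0)
            count++;
        line = eol ? eol + 1 : NULL;
    }
    return count;
}

/* Emulate the protection cycle a JIT should use: the code buffer is writable
 * only while being filled, then becomes read+execute, so the same page is never
 * writable and executable at once. Returns 1 on success, 0 on any failure.
 * Nothing in the buffer is ever executed; the filler is a constructed stand-in. */
int jit_buffer_wx_cycle(size_t size)
{
    void *buf = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return 0;
    memset(buf, 0, size);                       /* constructed filler (zero bytes), never run */
    if (mprotect(buf, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, size);
        return 0;
    }
    /* A real JIT would jump into buf here; recompiling means flipping back to RW first. */
    munmap(buf, size);
    return 1;
}

/* Audit the running process itself (Linux only, first 64 KiB of /proc/self/maps).
 * Returns the number of rwx mappings, or -1 if the maps file cannot be read. */
int count_rwx_in_self(void)
{
    static char text[1 << 16];
    FILE *fp = fopen("/proc/self/maps", "r");
    if (fp == NULL)
        return -1;
    size_t n = fread(text, 1, sizeof text - 1, fp);
    fclose(fp);
    text[n] = '\0';
    return count_rwx_mappings(text);
}
```

Running count_rwx_in_self after jit_buffer_wx_cycle should report zero rwx regions; a non-zero count in a browser or other JIT host is worth investigating.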

Read more at https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/

Apple’s scanning iCloud photos for child abuse images

By Lisa Vaas

Apple has confirmed that it’s automatically scanning images backed up to iCloud to ferret out child abuse images.

As the Telegraph reports, Apple chief privacy officer Jane Horvath, speaking at the Consumer Electronics Show in Las Vegas this week, said that this is the way that it’s helping to fight child exploitation, as opposed to breaking encryption.

[Compromising encryption is] not the way we’re solving these issues… We are utilizing some technologies to help screen for child sexual abuse material.

Horvath’s comments make sense in the context of the back-and-forth over breaking end-to-end encryption. Last month, during a Senate Judiciary Committee hearing that was attended by Apple and Facebook representatives who testified about the worth of encryption that hasn’t been weakened, Sen. Lindsey Graham asserted his belief that unbroken encryption provides a “safe haven” for child abusers:

You’re going to find a way to do this or we’re going to do this for you.

We’re not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion.

Though some say that Apple’s strenuous Privacy-R-Us marketing campaign is hypocritical, it’s certainly earned a lot of punches on its frequent-court-appearance card when it comes to fighting off demands to break its encryption.

How, then, does its allegiance to privacy jibe with the automatic scanning of users’ iCloud content?

Read more at https://nakedsecurity.sophos.com/2020/01/09/apples-scanning-icloud-photos-for-child-abuse-images/

Google voice Assistant gets new privacy ‘undo’ commands

By John E Dunn

Google’s controversial voice Assistant is getting a series of new commands designed to work like privacy-centric ‘undo’ buttons.

Assistant, of course, is inside an estimated one billion devices, including Android smartphones, countless brands of home smart speaker, and TV sets based on the Android OS.

But these are only the pioneers for an expanding AI empire. This year Assistant should start popping up in headphones, soundbars, ‘smart’ computer displays and, via Android Auto, more motor cars.

If this sounds oppressive, you could be in for a tough few years, because Assistant (and rivals Alexa, Siri, Cortana, and Samsung’s Bixby) could soon be in anything and everything a human being might reasonably expect to perform a task.

And yet 2019 was the year Google finally got the message that the system’s hidden risks might quickly become the sort of privacy itch that is hard to scratch if it’s not careful.

This included controversies over who might be listening to recordings without users having given consent. Others have likened it to a poorly regulated privacy-killing genie Google won’t voluntarily put back in the bottle.

Read more at https://nakedsecurity.sophos.com/2020/01/09/google-voice-assistant-gets-new-privacy-undo-commands/

FBI asks Apple to help it unlock iPhones of naval base shooter

By Lisa Vaas

The FBI has asked Apple to help it unlock two iPhones that belonged to the murderer Mohammed Saeed Alshamrani, who shot and killed three young US Navy students in a shooting spree at a Florida naval base last month.

Alshamrani also injured eight others before he himself was shot to death.

Late on Monday, FBI General Counsel Dana Boente sent the letter to Apple’s general counsel. The letter hasn’t been made public, but the FBI shared it with NBC, which first reported on it.

In the letter, the FBI said that it’s got a subpoena allowing it to search content on the iPhones, both of which are password-protected (and one of which Alshamrani reportedly shot and damaged, further complicating forensics on the device and its data). But so far, investigators haven’t had any luck at guessing the passcodes, the letter said.

And yes, the FBI has tried the tactics it used when it was trying to unlock the iPhone of San Bernardino terrorist Syed Farook. Namely, the bureau says that it’s asked for help from other federal agencies – it sent the iPhones to the FBI’s crime lab in Quantico, Virginia – and from experts in other countries, as well as “familiar contacts in the third-party vendor community.”

That could be a reference to the tool that the FBI used to finally break into Farook’s encrypted phone and thereby render moot the FBI versus Apple legal battle over encryption.

Though the killer was believed to have been acting alone, the FBI said in its letter that it’s not ruling anything out before the investigation is complete:

Even though the shooter is dead, [agents want to search his phones] out of an abundance of caution.

Apple sent a statement to NBC saying that it’s helping the government:

We have the greatest respect for law enforcement and have always worked cooperatively to help in their investigations. When the FBI requested information from us relating to this case a month ago, we gave them all of the data in our possession and we will continue to support them with the data we have available.

Read more at https://nakedsecurity.sophos.com/2020/01/09/fbi-asks-apple-to-help-it-unlock-iphones-of-naval-base-shooter/

Google’s Project Zero highlights patch quality with policy tweak

By Danny Bradbury

Google’s Project Zero bug-hunting team has tweaked its 90-day responsible disclosure policy to help improve the quality and adoption of vendor patches.

Project Zero is a group of researchers that looks for zero-day vulnerabilities in technology products and services. When it finds a bug, the team informs the vendor responsible for the product and opens an internal bug report known as a tracker, shielded from public view.

The vendor then has 90 days to fix the bug before Project Zero lifts the veil. This policy, known as responsible disclosure, sits at the midpoint compared to other organizations. US CERT, for example, goes public 45 days after discovering a bug, while the Zero Day Initiative waits 120 days.

Google says that 97.7% of the bugs it reports are fixed within deadline, up from the 95.5% that it reported in the period between February 2015 and July 2019. So now, it’s expanding its focus from faster bug fixes to better ones. With that in mind, the Project Zero team has outlined some changes to its disclosure policy that it hopes will tighten up its handling of security bugs.

The most significant sees it switch to a standard policy of disclosing a vulnerability after 90 days. In the past, it has used that cutoff as the latest possible disclosure time, but has revealed a bug as soon as a vendor announced a fix. Now, in an effort to ensure that vendors thoroughly test their patches rather than rushing them out the door, it will wait for the full 90-day period before disclosing a flaw, even if the vendor has fixed it weeks beforehand.

Holding off on public bug reports should also make it easier to get patches out to users. Google explained:

…some vendors hold the view that our disclosures prior to significant patch adoption are harmful. Though we disagree (since this information is already public and being used by attackers per our FAQ here), under this new policy, we expect that vendors with this view will be incentivized to patch faster, as faster patches will allow them “additional time” for patch adoption.

Read more at https://nakedsecurity.sophos.com/2020/01/09/googles-project-zero-highlights-patch-quality-with-policy-tweak/

REvil ransomware exploiting VPN flaws made public last April

By John E Dunn

Researchers report flaws, vendors issue patches, organizations apply them – and everyone lives happily ever after. Right?

Not always. Sometimes, the middle element of that chain – the bit where organizations apply patches – can take months to happen. Sometimes it doesn’t happen at all.

It’s a relaxed patching cycle that has become security’s unaffordable luxury.

Take, for instance, this week’s revelation by researcher Kevin Beaumont that serious vulnerabilities in Pulse Secure’s Zero Trust business VPN (virtual private network) system are being exploited to break into company networks to install the REvil (Sodinokibi) ransomware.

His evidence comprises anecdotal reports from victims mentioning unpatched Pulse Secure VPN systems being used as a way in by REvil. It is something he has since seen for himself:

I’ve now seen an incident where they can prove Pulse Secure was used to gain access to the network.

Read more at https://nakedsecurity.sophos.com/2020/01/08/revil-ransomware-exploiting-vpn-flaws-made-public-last-april/

US warns of Iranian cyber threat

By Danny Bradbury

The US Department of Homeland Security has issued a total of three warnings in the last few days encouraging people to be on the alert for physical and cyber-attacks from Iran. The announcements follow the US killing of Qasem Soleimani, the commander of Iran’s IRGC-Quds Force. The warnings directly address IT professionals with advice on how to secure their networks against Iranian attack.

On Monday, the Cybersecurity and Infrastructure Security Agency (CISA), which is an agency within the DHS, released the latest publication in its CISA Insights series, which provides background information on cybersecurity threats to the US.

Without explicitly mentioning Soleimani’s killing, it referred to “recent Iran-US tensions” creating a heightened risk of retaliatory acts against the US and its global interests. Organizations should be on the lookout for potential threats, especially if they represent strategic targets such as finance, energy, or telecommunications, it said. Iranian attackers could launch attacks targeting intellectual property or mount disinformation campaigns, it said, while also raising the spectre of physical attacks using improvised explosive devices or unmanned drones.

The publication added:

Review your organization from an outside perspective and ask the tough questions – are you attractive to Iran and its proxies because of your business model, who your customers and competitors are, or what you stand for?

The same day, CISA also issued an alert specifically targeting IT pros that warned of a potential Iranian cyber response to the military strike. It recommended five actions that IT professionals could take to protect themselves, focusing on a mixture of vulnerability mitigation and incident preparation.

Read more at https://nakedsecurity.sophos.com/2020/01/08/us-warns-of-iranian-cyber-threat/

Facebook bans deepfakes, but not cheapfakes or shallowfakes

By Lisa Vaas

Facebook has banned deepfakes.

No, strike that – make it, Facebook has banned some doctored videos, but only the ones made with fancy-schmancy technologies, such as artificial intelligence (AI), in a way that an average person wouldn’t easily spot.

What the policy doesn’t appear to cover: videos made with simple video-editing software, or what disinformation researchers call “cheapfakes” or “shallowfakes.”

The new policy

Facebook laid out its new policy in a blog post on Monday. Monika Bickert, the company’s vice president for global policy management, said that while these videos are still rare, they present “a significant challenge for our industry and society as their use increases.”

She said that going forward, Facebook is going to remove “misleading manipulated media” that’s been “edited or synthesized” beyond minor clarity/quality tweaks, in ways that an average person can’t detect and which would depict subjects as convincingly saying words that they actually didn’t utter.

Another criterion for removal is that part about fancy-schmancy editing techniques, when a video…

…is the product of artificial intelligence or machine learning that merges, replaces or superimposes content onto a video, making it appear to be authentic.

Deepfake non-consensual porn made up 96% of the total number of deepfake videos online as of the first half of 2019, according to Deeptrace, a company that uses deep learning and computer vision for detecting and monitoring deepfakes.

Read more at https://nakedsecurity.sophos.com/2020/01/08/facebook-bans-deepfakes-but-not-cheapfakes-or-shallowfakes/

‘Maze’ ransomware threatens data exposure unless $6m ransom paid

By John E Dunn

What’s the most effective way to fight back against a large ransomware attack?

Normally, the answer would be technical or organizational, but a new type of ransomware called Maze seems to have stirred up a very different response in one of its recent victims – bring in the lawyers and try to sue the gang behind it.

The victim this time was US cable and wire manufacturer Southwire, which last week filed a civil suit against Maze’s mysterious makers in a Georgia federal court.

This mentions a big attack involving Maze, which we know from the company’s Twitter account happened on 11 December 2019.

Given that the attackers are unknown – referred to only as “John Doe” in legal filings – this might sound like a fool’s errand. But it seems it is the way the ‘Maze Crew’ attempted to extort Southwire that led to such unorthodox tactics.

According to Bleeping Computer, the sum demanded from Southwire was 850 Bitcoins, equivalent to around $6 million.

That sounds like a lot to supply some encryption keys to unlock scrambled data, but the demand was backed by a second and more sinister threat – if the sum wasn’t paid the data would be released publicly.

That ransomware attackers can steal as well as encrypt data isn’t a new phenomenon but the possibility that sensitive data might be revealed to the world is potentially more damaging than any short-term disruption caused by the malware.

And yet, despite the seriousness of this threat, it seems that Southwire declined to pay.

Read more at https://nakedsecurity.sophos.com/2020/01/07/maze-ransomware-threatens-data-exposure-unless-6m-ransom-paid/

US military branches ban TikTok following Pentagon’s warning

By Lisa Vaas

Last month, the Pentagon told the US military to steer clear of what it sees as a national-security landmine: the singing/dancing/jokey TikTok platform.

Tell your Department of Defense employees not to download it, and wipe it if it’s already on their devices, the Defense Information Systems Agency recommended.

Some military outfits have snapped to attention and heeded the call. A number of military branches in the US have now banned the popular Chinese-owned social media app on government-issued smartphones, and some have even discouraged members of the armed forces from using it on their personal devices.

From an email sent on Friday by Marine Corps spokesman Capt. Christopher Harrison to the New York Times:

Marine Corps Forces Cyberspace Command has blocked TikTok from government-issued mobile devices. This decision is consistent with our efforts to proactively address existing and emerging threats as we secure and defend our network. This block only applies to government-issued mobile devices.

In December 2019, the Air Force amn/nco/snco Facebook page posted an email from Naval Network Warfare Command that called TikTok a “cybersecurity threat” and told users to uninstall it from their iPhones and iPads:

TikTok is a cybersecurity threat. Users are instructed NOT to install the application on their mobile device. DO NOT install Tiktok on your Government furnished mobile device. If you have this application on your device, remove it immediately.

The response of one Facebook user: “It’s amazing they actually have to be told not to do this.”

An Air Force spokeswoman noted that it’s not just TikTok that has the military worried:

The threats posed by social media are not unique to TikTok (though they may certainly be greater on that platform), and DoD personnel must be cautious when making any public or social media post.

All DoD personnel take annual cyber-awareness training that covers the threats that social media can pose, as well as annual operations security training that covers the broader issue of safeguarding information.

Read more at https://nakedsecurity.sophos.com/2020/01/07/us-military-branches-ban-tiktok-following-pentagons-warning/
