March 18, 2020
VMware patches virtualisation bugs
By Danny Bradbury
Virtualisation company VMware patched two bugs this week that affected a large proportion of its client-side virtual machines (VMs).
VMware made its name offering server virtualisation products that recreate server hardware in software, allowing admins to run many virtual servers on the same physical box at once. Most ‘type one’ server hypervisors, including VMware’s, run directly on the bare metal instead of an installed operating system.
The company also has another strand to its business, though: ‘type two’ hypervisors that enable people to run guest operating systems in virtual machines (VMs) on their client devices, too. These let you run Windows or Linux on a Mac, for example. They work differently, running on top of the client operating system as applications, meaning that you don’t have to replace your core operating system to run VMs.
Finally, its desktop virtualisation system, called Horizon, puts the whole desktop environment on a server so that users can access it from anywhere.
Between them, these bugs affect all of these services in some way. CVE-2020-3950, to which VMware assigns a CVSS v3 score of 7.3, affects version 11 of Fusion, its type two hypervisor for Macs. It’s a privilege elevation vulnerability stemming from the improper use of setuid binaries (setuid is a *nix mechanism that lets users run certain programs with elevated privileges). It also affects two other programs for the Mac: versions 5 and prior of the Horizon client that lets Mac users log into virtual Horizon desktops, and version 11 and prior of the Virtual Machine Remote Console that lets Mac users access remote virtual machines.
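Since the Fusion bug comes down to the handling of setuid binaries, the check an administrator would most want is an inventory of what runs with elevated privileges on a host. The script below is an added example, not code from the article or from VMware: it lists setuid files under a root directory and flags the subset that is also writable by group or others, which would let an unprivileged user change the code that runs with elevated privileges. The sample tree it builds is constructed for the demonstration, and the example assumes the setuid bit can be set on files you own, which is the normal case on Linux and macOS.

```shell
#!/bin/sh
# Added example (not from the article or VMware): a small audit for setuid
# binaries. It lists files with the setuid bit under a root and flags the
# risky subset: setuid files that are also group- or world-writable.

# Print every regular file with the setuid bit (04000) set under the root.
list_setuid() {
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files that are also writable by group (0020) or others (0002).
flag_writable_setuid() {
  find "$1" -type f -perm -4000 \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# Build a constructed sample tree (assumption: the setuid bit can be set on
# files we own, as on Linux and macOS) and report on it.
demo() {
  root=$(mktemp -d)
  : > "$root/helper"; chmod 4755 "$root/helper"   # setuid, not writable: listed only
  : > "$root/sloppy"; chmod 4777 "$root/sloppy"   # setuid and world-writable: flagged
  : > "$root/plain";  chmod 0755 "$root/plain"    # ordinary executable: ignored
  echo "setuid files under $root:"
  list_setuid "$root"
  echo "setuid files writable by group/others (fix these):"
  flag_writable_setuid "$root"
  rm -rf "$root"
}

demo
```

On a real host, run `list_setuid /` periodically and diff the output against a known-good baseline; a new setuid file, or one that becomes group- or world-writable, is worth investigating before anything else on the box.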
Read more at https://nakedsecurity.sophos.com/2020/03/18/vmware-patches-virtualisation-bugs/
Uber to file federal suit against LA over users’ real-time location data
By Lisa Vaas
Uber is poised to file a federal lawsuit over what the company (as well as privacy advocates and, presumably, state law) considers to be Los Angeles’s privacy-invading demands for real-time location data of its users.
Uber provided an embargoed draft of the lawsuit, which a spokesperson said the company will file later this week.
Uber had already threatened to sue the city in October 2019 after the LA Department of Transportation (LADOT) instituted data demands on ride-hailing, scooter/bike-sharing companies. Uber wound up delaying that suit as it tried to hash things out with the city. LADOT suspended Uber’s permit, but it still allowed Uber to operate its scooters during the discussions.
Uber had presented a compromise: we’ll give you location data, but only 24 hours after trips start and stop, it proposed. That will give LADOT data to use for traffic planning, but it won’t affect user privacy, Uber said. As well, it would, at least potentially, give the company at least a small window of time in which to challenge a specific LADOT request, which is impossible to do when the city demands data in real-time.
According to its federal lawsuit, that wasn’t good enough for LADOT. Uber’s counsel said in the suit that they suspect that the proposal merely galled LADOT. At any rate, on 25 October 2019, LADOT suspended Uber-owned JUMP’s permit and ordered its bikes and scooters off the streets lest they be swept up by the city’s trash collectors.
What’s so special about real-time data, unless – this is Uber’s speculation – perhaps for surveillance purposes?
This isn’t an answer – LADOT hasn’t been able to give one – but in general, LA wants the data for a new data standard called the Mobility Data Specification (MDS).
MDS is based on a standard set of application programming interfaces (APIs) through which mobility companies are required to provide real-time information about how many of their vehicles are in use at any given time, where they are at all times, their physical condition, anonymized trip start and stop times, destinations, and routes, among other data. Besides LA, other cities now using MDS to collect data to manage their own dockless vehicles include Seattle; Austin and San Jose in Texas; Santa Monica, CA; Providence, RI; and Louisville, KY.
DDoS attack on US Health agency part of coordinated campaign
By John E Dunn
Just because a website offers critical public information about the COVID-19 virus pandemic doesn’t mean Distributed Denial of Service (DDoS) attackers won’t be out to get it.
It’s a point underscored by the news that on Sunday cybercriminals attempted to disrupt the US Department of Health and Human Services (HHS) website using an unidentified flood of DDoS traffic.
The HHS site is one of the first ports of call for US citizens looking for a range of health information, including HHS announcements and links to COVID-19 updates from the Centers for Disease Control and Prevention (CDC).
It seems attackers – later described by officials as a “foreign actor” – twigged its importance too.
According to a Bloomberg report, the attack slowed the site but didn’t cause it to go offline. DDoS attacks come in different sizes and types and it’s not been revealed which methods were used beyond the fact the attacks lasted for hours.
HHS spokesperson Caitlin Oakley told Bloomberg:
On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter.
These days, DDoS attacks are not the potent weapon they once were, primarily because large websites are protected by a newer generation of defenses, honed on a series of large attacks that have hijacked a widening range of protocols.
Read more at https://nakedsecurity.sophos.com/2020/03/18/ddos-attack-on-us-health-agency-part-of-coordinated-campaign/
Human traffickers use social media oversharing to gain victims’ trust
By Lisa Vaas
Does your life suck?
If so, like many of us, you may have posted about your money troubles, your low self-esteem, or your relationship problems on social media or dating sites. But while it may feel good to vent, and while such posts may garner sympathy that can soothe the pain, the FBI is warning that human traffickers are attracted to the details of our misery like bees to honey.
On Monday, the FBI’s online crime division – the Internet Crime Complaint Center (IC3) – issued a warning that human traffickers are increasingly using online platforms, including popular social media and dating platforms, to recruit and to advertise sex trafficking victims.
They’re also increasingly harvesting personally identifiable information (PII) by putting up fake job listings, the IC3 warned in January, and are recruiting labor trafficking victims who are “bought, sold, and smuggled like modern-day slaves,” the FBI says:
Human trafficking victims are beaten, starved, deceived, and forced into sex work or agricultural, domestic, restaurant, or factory jobs with little to no pay.
Many of us in the US unknowingly encounter trafficking victims as we go about our days, the FBI says, given that both the perpetrators and their prey come from all backgrounds and work in all areas. The bureau says that victims have been recovered in rural areas, small towns, the suburbs, and large cities.
Have you gotten an offer from somebody who said they were recruiting for a job? Or perhaps they claimed to be a modeling agent? Those are some of the fronts that traffickers hide behind, the FBI says, and it often starts with online grooming as they offer opportunities for a better life or a better job.
Human traffickers target vulnerable individuals by preying on their personal situations. Online platforms make it easier for traffickers to find potential victims, especially those who post personal information, such as their financial hardships, their struggles with low self-esteem, or their family problems.
Human traffickers target and recruit their victims by appearing to offer help, or pretending to be a friend or potential romantic partner. They leverage their victims’ vulnerabilities and coerce them to meet in person. After establishing a false sense of trust, traffickers may force victims into sex work or forced labor.
As the FBI warned in August 2019, it’s also seen an increase in recruitment of money mules through dating sites.
Read more at https://nakedsecurity.sophos.com/2020/03/18/human-traffickers-use-social-media-oversharing-to-gain-victims-trust/