Monthly Archives: April 2014

DHS warns against using Internet Explorer until bug is patched

A vulnerability discovered in Internet Explorer over the weekend is serious—serious enough that the Department of Homeland Security is advising users to stop using it until it’s been patched.

On Monday, the United States Computer Emergency Readiness Team (US-CERT), part of the U.S. Department of Homeland Security, weighed in.

“US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer,” it said in a bulletin. “This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system.

“US-CERT recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.” The Enhanced Mitigation Experience Toolkit (EMET) is a Microsoft utility that makes vulnerabilities in software harder to exploit successfully, and can be downloaded from Microsoft. It supports every Microsoft operating system from Windows 7 on up.

Microsoft has yet to decide whether it will issue an emergency patch in the coming days or wait for Patch Tuesday on May 13 to repair supported versions of IE.

The new remote code execution vulnerability, tracked as CVE-2014-1776, has the potential to give hackers the same user rights as the current user. That means a successful attacker who compromises a PC running as administrator would have a wide variety of attacks open to them, such as installing more malware on the system, creating new user accounts, and changing or deleting data stored on the target PC.

Windows XP is especially vulnerable, given that Microsoft discontinued support for the OS earlier this month.

Via: pcworld

IE zero-day flaw unpatched on XP

Barely three weeks after Microsoft shut off patching support for Windows XP, a new zero-day flaw in Internet Explorer is likely to go unpatched on the dated operating system.

In a security advisory published over the weekend, Microsoft revealed that the remote code execution vulnerability affects versions of Internet Explorer from 6 through 11, running on all versions of Windows from Vista to 8 and Windows Server 2003 to 2012 R2.

What’s most worrying about the flaw, however, is that should a user click on a malicious phishing link, it potentially allows hackers to access memory data on the user’s computer, or even to install and delete programmes if the user has administrative rights.

Microsoft explains more: “An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

The Redmond software giant is now investigating and has assigned the vulnerability the official identifier CVE-2014-1776.

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”

This ‘appropriate action’ is likely to entail patches for more recent versions of Windows and Windows Server, but the one notable absence in all this is Windows XP, which went end-of-life on April 8.

With many businesses still running the 12-year-old operating system, Microsoft admitted that the flaw is likely to result in ‘targeted attacks’ – although some companies are now paying the firm roughly £120 per machine per year for extended support.

“At this time we are aware of limited, targeted attacks. We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalised”, said a spokesman.

Independent security researcher Graham Cluley said that the vulnerability will probably remain unpatched on Windows XP.

“That’s not because it’s immune to attack. It’s because Microsoft released its last ever security patches for Windows XP on 8 April 2014,” wrote Cluley in a blog post.

“As such, this is worth saying out loud: If you are still running Windows XP you will never receive a patch for this zero-day vulnerability,” he said.

Anti-virus maker Symantec also spotted the vulnerability, while FireEye – which protects against advanced persistent threats – has since blogged how the zero-day bypasses Microsoft’s ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) security protections. The firm added that NetMarketShare stats suggest that the vulnerability affects approximately half of the browser market.

Pedro Bustamante, director of special projects at Malwarebytes, believes that companies that are yet to upgrade to Windows 7 could be targeted by spam and phishing attacks.

“The interim risk to people and businesses using IE 6 to 11, until MS pushes out a patch, is worrying,” he said in an email to SCMagazineUK.com.

“However, there is also an ongoing problem that anyone still using XP will be completely exposed as long as they continue to use the OS, as there will never be a patch. This is worrying because it can put a significant amount of personal data at risk from highly stealthy attacks, including bank details and other private information.

“Businesses using IE should remain ultra-cautious as they will obviously hold a far greater cache of potentially sensitive information. In large organisations, the default advice of switching to another browser may be difficult to administer. Therefore, if you are running a corporate network, this is a prime opportunity to ensure all software updates are applied, anti-malware and anti-virus definitions are current and increased vigilance around spam and phishing.

All is not lost for organisations still reliant on the OS though; Microsoft has advised firms to deploy version 4.1 of the Enhanced Mitigation Experience Toolkit (EMET), as the software “helps mitigate the exploitation of this vulnerability by adding additional protection layers that make the vulnerability harder to exploit.”

Furthermore, it has advised companies to switch on IE’s Enhanced Protected Mode, or set security settings to “High” to stop ActiveX controls – something anti-virus vendor ESET also advises.

“Firstly, don’t panic. The known attacks at present are limited in scope and volume. Being reasonably careful about which sites you visit is in itself likely to reduce the risk. On the other hand, users shouldn’t lapse into complacency,” said ESET senior research fellow David Harley in an email to SCMagazineUK.com.

“Setting IE Active Scripting and ActiveX to prompt can be mildly irritating for a user, but it does seem to reduce the attack surface if you actually disallow it on prompt, unless you know you need it, or try disabling it altogether.

“The simplest route is to set IE security levels to ‘high’, or use Enhanced Protected Mode in IE versions that support it. As a way of generally decreasing the attack surface on an unsupported OS, Windows XP users should already be setting IE security level to ‘high’.”
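
As a defender-side illustration of the hardening advice above (set the Internet zone to High, block ActiveX, prompt for Active Scripting, turn on Enhanced Protected Mode, install EMET), here is an added PowerShell audit script. It is my example, not code from the article, Microsoft or ESET. It reads Internet Explorer's per-user zone settings under the `Zones\3` (Internet zone) registry key, which is the documented location the Internet Options dialog writes to; treating the `Isolation` value as the marker for Enhanced Protected Mode, finding EMET through the Uninstall registry entries, and the `-Remediate` switch name are my assumptions.

```powershell
# Added example: audit (and optionally apply) the IE hardening settings
# discussed in the article for the current user. Not from the article or
# from Microsoft/ESET; registry value meanings are noted per check.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: when set, fix non-compliant HKCU values
)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone
$mainPath = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# Zone template level: 0x12000 = High. Per-action values: 0 = Enable, 1 = Prompt, 3 = Disable.
# 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting".
# "Isolation"="PMEM" is my assumption for how IE records Enhanced Protected Mode = On.
$checks = @(
    @{ Path = $zonePath; Name = 'CurrentLevel'; Want = 0x12000; Label = 'Internet zone security level = High' },
    @{ Path = $zonePath; Name = '1200';         Want = 3;       Label = 'Run ActiveX controls and plug-ins = Disable' },
    @{ Path = $zonePath; Name = '1400';         Want = 1;       Label = 'Active scripting = Prompt' },
    @{ Path = $mainPath; Name = 'Isolation';    Want = 'PMEM';  Label = 'Enhanced Protected Mode = On' }
)

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = @(foreach ($c in $checks) {
    $current = Get-RegValue $c.Path $c.Name
    $ok = ($null -ne $current) -and ($current -eq $c.Want)
    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want
        $current = $c.Want
        $ok = $true
    }
    [pscustomobject]@{ Setting = $c.Label; Current = $current; Compliant = $ok }
})

# EMET presence: look for its Add/Remove Programs entry (32- and 64-bit views),
# which avoids depending on EMET's own configuration layout. Assumption: the
# entry's DisplayName begins with "EMET".
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$emet = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' } | Select-Object -First 1
$results += [pscustomobject]@{ Setting = 'EMET installed'; Current = $emet.DisplayName; Compliant = [bool]$emet }

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or login script flag drift.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it without arguments to report, or with `-Remediate` to set the four IE values for the current user (EMET itself still has to be installed separately). The script only looks at HKCU; on domain-joined machines the same settings are normally pushed by Group Policy, whose policy keys take precedence over these per-user values, so treat a clean report here as one input rather than proof that the machine is hardened. The labels match the wording in the Internet Options dialog so a result can be cross-checked by hand.
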
Via: scmagazineuk

Comcast And Time Warner Cable To Divest 3.9 Million Subscribers Through Charter Deal

Comcast announced it’s reached a deal to divest 3.9 million cable subscribers through a series of transactions with Charter Communications that it hopes will improve the chances of getting approval for its $45 billion acquisition of Time Warner Cable.

The divestiture would be contingent on the approval of Comcast’s Time Warner Cable acquisition, and would occur after the close of that transaction. In keeping with Comcast’s pitch to regulators, the deal would lower its combined customer base below 30 percent market share for multichannel video subscribers in the U.S.

The deal actually has three components:

  • Charter will acquire 1.4 million Time Warner Cable subscribers, which will increase its customer base to 5.7 million subscribers and make it the #2 cable provider in the U.S., behind the combined Comcast-Time Warner Cable entity.
  • The companies will each transfer about 1.6 million Time Warner Cable customers and 1.6 million Charter customers in an exchange to improve the geographic presence of each.
  • Comcast will create an independent company (for now labeled SpinCo) that will include approximately 2.5 million existing Comcast customers. Comcast shareholders will own two-thirds of the new, publicly traded company, while Charter will own one-third of it. The new company will have a nine-person board with six independent directors and three that are designated by Charter. Comcast won’t have any ownership interest or control of the new company.

This is probably a good time to remind you that Comcast Cable CEO Neil Smit will be at Disrupt NY in about a week. We’ll be asking him all sorts of questions about the Time Warner Cable deal, the recent back-and-forth with Netflix, and what Comcast thinks about the new net neutrality rules. You can buy tickets here.

Via: techcrunch

Netflix Arrives On Cable Providers’ TiVo DVRs In The U.S. For The First Time

Keep your friends close, but your enemies closer – that might be the mantra running through the heads of cable execs at Atlantic Broadband, Grande Communications and RCN, U.S. regional cable providers who are the first such companies in the U.S. to offer Netflix access bundled with TV service. Subscribers will still have to have their own Netflix accounts, Engadget reports, but now there’s a Netflix app built right into the TiVo DVRs offered by those cable providers, with content that lives right alongside broadcast and cable channels.

Netflix has done this before in other markets, but it’s the first time that the streaming video-on-demand service has gotten this cozy with cable providers in the U.S. Of course, cable providers are also often Internet providers, so it makes sense for those companies to want to offer their customers what they want for their connections, and judging by the U.S. streaming video stats, Netflix is definitely high on those lists.

A report by the Wall Street Journal from October of last year suggested Comcast and Suddenlink were in talks to put Netflix on their own TiVo DVRs, which would represent the first major cable provider biting the bullet. At this point, it seems inevitable, it’s probably just a matter of working out terms that are amenable to everyone – and maybe making sure there are as few ruffled feathers as possible among traditional broadcast network providers.

Via: techcrunch

Google+ Is Walking Dead

Google’s Vic Gundotra announced that he would be leaving the company after eight years. The first obvious question is where this leaves Google+, Gundotra’s baby and primary project for the past several of those years.

What we’re hearing from multiple sources is that Google+ will no longer be considered a product, but a platform — essentially ending its competition with other social networks like Facebook and Twitter.

A Google representative has vehemently denied these claims. “Today’s news has no impact on our Google+ strategy — we have an incredibly talented team that will continue to build great user experiences across Google+, Hangouts and Photos.”

According to two sources, Google has apparently been reshuffling the teams that used to form the core of Google+, a group numbering between 1,000 and 1,200 employees. We hear that there’s a new building on campus, so many of those people are getting moved physically, as well — not necessarily due to Gundotra’s departure.

As part of these staff changes, the Google Hangouts team will be moving to the Android team, and it’s likely that the photos team will follow, these people said. Basically, talent will be shifting away from the Google+ kingdom and towards Android as a platform, we’re hearing.

We’ve heard Google has not yet decided what to do with the teams not going to Android, and that Google+ is not “officially” dead, more like walking dead: “When you fire the top dog and take away all resources it is what it is.” It will take copious amounts of work for it to un-zombie, if that’s even a possibility.

It’s not clear, according to our sources’ intel, where the rest of the employees will go, but the assumption is that Larry Page will follow Mark Zuckerberg’s lead at Facebook and send the bulk of them to mobile roles.

This would telegraph a major acceleration of mobile efforts in general, rather than G+. The teams will apparently be building “widgets,” which take advantage of Google+ as a platform, rather than a focus on G+ as its own integral product.

One big change for Google+ is that there will no longer be a policy of “required” Google+ integrations for Google products, something that has become de rigueur for most product updates.

One impetus of this was that the YouTube integration with Google+ did not go well, something that the public recognized through the comments blowback, but that was also seen inside the company as a rocky move.

That doesn’t mean that all G+ integrations will go away, though. Gmail will continue to have it, but there may be some scaling back that keeps the “sign-on” aspects without the heavy-handed pasting over of G+.

We’ve heard that there were tensions between Gundotra and others inside the company, especially surrounding the “forced” integrations of Google+ into products like YouTube and Gmail. Apparently, once each of those integrations was made, they were initially being claimed as “active user” wins until Page stepped in and made a distinction.

Taking Gundotra’s place inside Google will be David Besbris, though we hear that parts of Google+ are under “the person responsible for Chrome,” according to one source. It’s not clear if this is Sundar Pichai, Google’s head of Chrome and Android, or why this would happen. “It’s complicated,” our source said. Google PR denies this account.

We’ve heard that the acquisition of WhatsApp by Facebook may have been a factor in the phasing out of Gundotra’s grand experiment. There was a perception that Google had missed the “biggest acquisition in the social space.” Though another source tells us that Google knew what was up with WhatsApp but simply didn’t want to pay out for it.

Google+ is and always has been about turning every Google user into a signed-in Google user, period. If true, these changes dovetail with that focus going forward, with Google+ acting as a backbone rather than a front-end service. That being said, there are a ton of really interesting things going on in Google+ like its efforts in imaging. Having the photos team integrate the technologies backing Google+ photos tightly into the Android camera product, for instance, could be a net win for Android users.

In the long run, the issues with Google+ didn’t especially stem from the design of the product itself, but more from the way it interjected itself into your day-to-day Google experience like some unwelcome hairy spider. Perhaps these changes will scale back the grating party crashing?

One of Gundotra’s final G+ posts was “On my way to +Coachella.”

Via: techcrunch

Bank of England to helm pen-testing effort for UK’s finance sector

The Bank of England, which helped oversee a cyber readiness exercise last year for London’s finance sector, now plans to lead a large-scale penetration testing effort, according to reports.

A Monday Financial Times article revealed that the coming cyber threat and vulnerability management exercise will “build on the lessons” of last year’s “Waking Shark II” simulated cyber attacks in the city.

The program would, for the first time, allow authorities to oversee penetration testing and “ethical hacking” efforts, in an attempt to close vulnerabilities affecting UK organizations’ computer systems, FT reported. The paper also revealed that The Royal Bank of Scotland, UK insurers and the London Stock Exchange are likely to participate in the exercise.

While the Bank of England declined to comment on the plans, FT reported that the bank had already conducted a pilot exercise, according to unnamed sources familiar with the initiative.

Via: scmagazine

‘Unauthorized’ media contact a fireable offense for U.S. intel employees

United States intelligence employees who have “unauthorized” contact with the media could lose their jobs.

A directive signed on Sunday by James Clapper, director of national intelligence, prohibits intel officials from providing “substantive information” to the media without the approval of an agency chief or public affairs official, according to a recent report by The Guardian.

The cases that involve unapproved contact with the media will at a minimum “be handled in the same manner as a security violation,” the directive reads. Clapper’s spokesman said that the new media policy is meant to serve as an example that the intelligence sector of the government can “police” itself.

He added that the new orders are in no way tied to the Edward Snowden leaks, which have fueled media skepticism toward the intelligence community.

Via: scmagazine

Brazilian president signs internet ‘Bill of Rights’ into law

While attending a conference on the future of internet governance, Brazil’s president, Dilma Rousseff, signed legislation into effect that pioneers an internet “Bill of Rights” for the country.

The bill, called “Marco Civil,” was enacted on Wednesday at the NetMundial conference in Sao Paulo, just a day after Brazil’s Senate approved the measure. According to the Associated Press, a major provision of the law limits the online data collection practices of firms taking up Brazilians’ information, including major players like Google and Facebook.

Of note, the legislation instructs service providers to make sure that email can only be read by senders and their intended recipients – a measure that, if violated, could result in fines and other penalties levied by the country, the AP reported.

With its enactment, the law invokes net neutrality, data privacy and freedom of expression protections for online users.

Support of the legislation picked up steam after Snowden leaks revealed last September that President Rousseff was the target of National Security Agency (NSA) spying. At the time, Rousseff condemned the actions before international leaders at a U.N. General Assembly.

On Wednesday, Ed McNicholas, a co-leader of Sidley Austin’s privacy, data security, and information law practice, told SCMagazine.com that the legislation would be “helpful” as guidance for major U.S. firms, but hold less impact from a legal perspective here.

“Most large multinational companies already have robust privacy programs and functions in place,” McNicholas said. “In the sense that this adds a specific requirement to those programs, it will be helpful, but not particularly impactful.

“With respect to the NSA, and the concerns that Mr. Snowden raised, this will have very little, if any, impact. The United States, like every other country has an intelligence service, and each service will protect their national interest regardless of this bill,” he said.

Steven Watt, a senior staff attorney for the human rights program at the American Civil Liberties Union (ACLU), said in an interview that the bill was a step forward, though no answer to the glaring issue of unfettered government surveillance.

“Obviously, it’s not going to stop NSA spying, but it’s going to put pressure on [companies] to comply with laws in other countries, and that’s a good thing,” Watt said.

Via: scmagazine

Apple pushes out critical security fixes for OS X, iOS and Apple TV

Apple has been listening!

Half-listening, anyway.

It’s been said for some time – in articles and in podcasts – that Apple would do well to become both regular and frequent with its updates.

Regular means having some algorithmic predictability for non-emergency updates, such as “always on Tuesday.”

And frequent, in our book, means monthly or thereabouts.

Oracle and Adobe update quarterly, which probably isn’t swift enough these days.

Microsoft famously does updates every month; Firefox updates every six weeks, which, coincidentally but happily for fans of Douglas Adams, is a 42 day cycle.

We’ll suggest six weeks as a minimum frequency, and Tuesdays as a regularity beacon, simply because people are used to Patch Tuesday.

Frequency means you get in the habit of not making your users wait for important fixes, and regularity means you get in the habit of never letting your coding-and-testing operations slip.

Anyway, Apple seems to be getting somewhere towards half way there.

You still can’t tell when you’re going to get your next update, but serious security fixes do seem to be coming more frequently these days.

Like the latest round of patches, published on 22 April 2014 (a Tuesday, as it happens) for Apple OS X, Apple iOS and Apple TV.

Apple TV goes from 6.1 to 6.1.1 and iOS goes from 7.1 to 7.1.1, while OS X versions keep their old numbers but receive Security Update 2014-002.

As with other recent OS X updates, only Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9) get patches.

Don’t shoot the messenger, but Snow Leopard (10.6) gets nothing, and is once again at least unofficially unsupported.

It’s possible, of course, that none of the patches are necessary on 10.6, just as there are fixes that apply only to 10.9 and aren’t needed on 10.7 and 10.8.

But at least some of the updates – for example, updates to third-party open source components such as Ruby – look as though they aren’t tied to specific OS X versions.

Interestingly, the OS X Security Update also includes Safari 7.0.3, already delivered as an update of its own at the start of April 2014.

So if you skipped that Safari update, which wouldn’t have been wise given the number of remote code execution holes that were fixed (26 in all), you’ll catch up now.

The fixes in Safari 7.0.3 include patches for the remote code execution holes at the recent PWN2OWN competition in Vancouver, Canada.

Those fixes are now also available to iOS and Apple TV users, with a big update to WebKit, the web rendering engine used in all of Apple’s browser versions, desktop and mobile.

Sadly, some of the security holes fixed in this round of updates have been present since last year, and probably should have been patched long ago, during previous updates.

The scripting language Ruby, for example, patched on OS X in this update, leaps forward from the June 2013 release to the February 2014 version.

The Ruby update closes a remote code execution hole, CVE-2013-4164, that was patched in Ruby itself back in November last year.

Mavericks users have received two lots of security patches since November 2013, with 10.9.1 arriving in December 2013 and 10.9.2 in February 2014.

Similarly, Lion and Mountain Lion users got Security Update 2014-011 in February 2014.

Why then, you have to wonder, was the Ruby patch made to wait so long?

Similarly, why was a critical bug in the sudo command ignored for at least six months by Apple in 2013, even though the bug made it possible for just about any user or process already on the system to grant itself root privileges at will?

Clearly, a regular and frequent update regimen alone wouldn’t solve this problem of laggy Apple patches, but it would provide a clear set of deadlines and target dates for Apple’s security team.

You have to think, “That would surely do no harm.”

By the way, we recommend applying this round of updates sooner, rather than later.

The patches fix multiple holes on all platforms, including some attacks that can be combined dangerously, such as bypassing Address Space Layout Randomisation (ASLR), escaping from sandbox protection, getting control of the browser with booby-trapped JPEG (image) files, and grabbing almighty system power from an otherwise unprivileged process.

A remote code execution bug that can be triggered by a web-borne image to give an external attacker administrative privilege…

…is about as patch-worthy as it gets!

Via: sophos

AT&T Launches $500M Joint Venture To Invest In The Next Netflix

There’s a new $500 million pool of potential capital floating around earmarked for the creation of over-the-top video services, thanks to AT&T and Chernin Group, who have collaborated on the new venture (via GigaOM). The team-up aims to pool resources from the two companies to “acquire, invest in and launch” OTT video services, including subscription VOD businesses that operate similarly to Netflix.

Chernin Group already has some experience in this area; the company run by News Corp. vet Peter Chernin took over a majority stake in Crunchyroll, which is essentially the Netflix for anime, late last year. That majority stake will now fall under control of the new venture, meaning AT&T is now also a majority stakeholder in the on demand provider of animated content sourced primarily from Asia.

The big news here, though, is that AT&T is actively pursuing the creation, acquisition or development of a Netflix-killer – or at least of specialty services designed to compete on the same playing field. It’s a sign that the network provider is betting on an OTT model as a likely eventual successor for terrestrial content delivery methods like broadcast TV. Recruiting Chernin Group as its strategic partner in pursuit of that end means that it recognizes this is an area where it needs outside help, rather than something it can try to do alone. AT&T does have the content delivery chops to help optimize the experience, however.

AT&T’s chances of building or incubating a true Netflix-killer are small, but it could make for some strong specialist offerings in the same vein, and ultimately, that’s going to be good for users looking for some new paradigm to replace the broken cable and satellite bundle model.

Via: techcrunch