Monthly Archives: November 2016

Infect every TorMail user? That’s not what the FBI’s warrant said

The FBI has served up a redacted version of the warrant it requested to deposit identity-exposing malware on the computers of those who used private TorMail accounts to visit child pornography sites hidden on the dark web.

The takeaway: it looks like the agency exceeded the bounds of its warrant, and may have indiscriminately infected others who had nothing to do with child porn.

As ACLU principal technologist Christopher Soghoian told Motherboard,

“While the warrant authorized hacking with a scalpel, the FBI delivered their malware to TorMail users with a grenade.”

The background, according to Motherboard: Back in 2013, the FBI seized servers belonging to Freedom Hosting, then a well-known host of dark websites and services, many child pornography sites among them.

Rather than instantly shutting down Freedom Hosting’s sites, the FBI requested a federal warrant to “deploy a network investigative technique (NIT) – a piece of malware – designed to obtain the real IP address” of visitors.

Soon thereafter, reported WIRED, an error page began appearing in place of the login page of the TorMail application. Those error pages downloaded the FBI’s malware – but the download occurred before a user logged into TorMail or any other Freedom Hosting site.

To critics like Soghoian, such targeting seemed to go far beyond any reasonable warrant. It was likely to reveal the identities of individuals who were guilty of no crime.

They might have been journalists or dissidents using TorMail to communicate privately, not there to visit a Freedom Hosting-based child porn site or illegal drug emporium.

Whilst there is undoubtedly a lot of criminal activity on the dark web, there are also plenty of people using it for entirely legitimate purposes.

Before we had access to the warrant, it was hard to tell whether it may have been exceeded – but now we do have access.

Twenty-three child pornography sites were targeted, and over 300 specific usernames. But the warrant specifically targeted those who’ve logged into any of those sites “by entering a username and password,” or otherwise entered “any sections of any of Websites 1-23 where child pornography may be accessed, or upload[ed]…”

In other words, the judge authorized FBI agents only to infect computers that were clearly seeking, accessing, or sharing child pornography. But users received the FBI’s “NIT” before they did so, or even demonstrated intent to do so.

The FBI’s response? Motherboard quotes agency spokesman Christopher Allen:

“As a matter of practice the FBI narrowly tailors warrants, and we do not exceed the scope of those warrants.”

The FBI’s use of malware against Tor users remains controversial, and the court battles over it are ongoing. In April, we covered one judge’s decision to toss evidence because the FBI’s warrant was granted by a federal magistrate judge for a case outside her jurisdiction.

In May, we covered another case where evidence was excluded because the government wouldn’t turn over its exploit code for defendant’s examination.

If in fact the FBI exceeded its warrant in the current case – and especially if it hasn’t told the judge the full extent of its activities, as Soghoian suspects – the courts won’t be pleased.

Nevertheless, rules changes to make it easier to get NIT warrants against users of illicit Tor sites are still rolling towards their December 1st implementation date.

 

via:  nakedsecurity

Critical Flaws in MySQL Give Hackers Root Access to Server (Exploits Released)

Over a month ago we reported about two critical zero-day vulnerabilities in the world’s 2nd most popular database management software MySQL:

  • MySQL Remote Root Code Execution (CVE-2016-6662)
  • Privilege Escalation (CVE-2016-6663)

At that time, Polish security researcher Dawid Golunski of Legal Hackers, who discovered these vulnerabilities, published technical details and proof-of-concept exploit code for the first bug only and promised to release details of the second bug (CVE-2016-6663) later.

On Tuesday, Golunski released proof-of-concept (POC) exploits for two vulnerabilities:

One is the previously promised critical privilege escalation vulnerability (CVE-2016-6663), and another is a new root privilege escalation bug (CVE-2016-6664) that could allow an attacker to take full control over the database.

Both vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier, as well as the MySQL forks Percona Server and MariaDB.

Privilege Escalation/Race Condition Bug (CVE-2016-6663)

The more severe of the two is the race condition bug (CVE-2016-6663) that can allow a low-privileged account (with CREATE/INSERT/SELECT grants) with access to the affected database to escalate their privileges and execute arbitrary code as the database system user (i.e. ‘mysql’).

Once exploited, an attacker could successfully gain access to all databases within the affected database server.

Root Privilege Escalation (CVE-2016-6664)

Another critical flaw in the MySQL database is a root privilege escalation bug that could allow attackers with ‘MySQL system user’ privilege to further escalate their privileges to root user, allowing them to fully compromise the system.

The issue stems from unsafe handling of error logs and other files that fall under MySQL system user privileges, which allows such a file to be replaced with an arbitrary system file and opens the door to root privileges.

What’s more troublesome? An attacker with a low-privileged account can also achieve root privilege by first exploiting the Privilege Escalation flaw (CVE-2016-6663) to become ‘MySQL system user’, and from there fully compromise the targeted server.

 
All these vulnerabilities could be exploited in shared hosting environments where users are assigned access to separate databases. By exploiting the flaws, they could gain access to all databases.

Golunski has published the proof-of-concept exploit code (Exploit 1, Exploit 2) for both the flaws and will soon upload videos.

MySQL has fixed the vulnerabilities and all of the patches ultimately found their way into Oracle’s quarterly Critical Patch Update last month.

Administrators are strongly advised to apply patches as soon as possible to keep attackers from exploiting the vulnerabilities.

If you are unable to immediately apply patches, then as a temporary mitigation you can also disable symbolic link support within your database server configuration by setting symbolic-links = 0 in my.cnf, in an attempt to protect yourself against attacks.
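The patch-or-mitigate advice above can be turned into a quick audit. The following Python sketch is an added example, not code from the article or from Golunski's advisories: it compares a server version string with the affected ceilings the article lists and checks whether my.cnf disables symbolic links. The function names and sample configurations are constructed for illustration, and because the article gives no version numbers for the forks, MariaDB builds are reported as unknown.

```python
import re

# Highest affected release per Oracle MySQL branch, as listed in the article.
AFFECTED_CEILING = {(5, 5): 51, (5, 6): 32, (5, 7): 14}

# Option groups read by the server; [client] and others are ignored by mysqld.
SERVER_GROUPS = {"mysqld", "server"}


def is_affected(version):
    """True/False for a MySQL 5.5/5.6/5.7 version string, None if it cannot be judged."""
    if "mariadb" in version.lower():
        return None  # fork: the article lists no version ceilings for it
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    ceiling = AFFECTED_CEILING.get((major, minor))
    if ceiling is None:
        return None  # branch not covered by the article
    return patch <= ceiling


def symlinks_setting(cnf_text):
    """Return 'disabled', 'enabled' or 'default' for symbolic-links in the server groups.

    Limitation of this sketch: !include / !includedir files are not followed.
    """
    section = None
    state = "default"
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith((";", "!")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section not in SERVER_GROUPS:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("_", "-")  # MySQL accepts - and _ alike
        value = value.strip().strip("'\"").lower()
        if key == "symbolic-links":
            # A bare "symbolic-links" with no value turns the option on.
            state = "disabled" if value in ("0", "off", "false") else "enabled"
        elif key == "skip-symbolic-links":
            state = "disabled"
    return state  # the last occurrence wins, as it does for the server


def assess(version, cnf_text):
    """Combine both checks into one verdict string."""
    affected = is_affected(version)
    if affected is None:
        return "unknown-version"
    if not affected:
        return "patched"  # newer than the ceilings the article lists
    if symlinks_setting(cnf_text) == "disabled":
        return "affected-mitigated"  # temporary only; patching is still required
    return "affected-unmitigated"


# Constructed sample configurations (not taken from any real host).
SAMPLE_UNMITIGATED = """
[client]
symbolic-links = 0      # wrong group: mysqld does not read [client]
[mysqld]
datadir = /var/lib/mysql
"""

SAMPLE_MITIGATED = """
[mysqld]
datadir = /var/lib/mysql
symbolic_links = 0
"""

if __name__ == "__main__":
    for ver, cnf in [("5.6.32", SAMPLE_UNMITIGATED),
                     ("5.6.32", SAMPLE_MITIGATED),
                     ("5.7.16", SAMPLE_UNMITIGATED)]:
        print(ver, "->", assess(ver, cnf))
```

In practice the version string would come from `SELECT VERSION()` and the configuration text from the server's my.cnf.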

via:  thehackernews

Microsoft Patches Zero Day Disclosed by Google

Microsoft followed through and today patched a zero day vulnerability being exploited in public attacks that was publicly disclosed by Google researchers two weeks ago.

The victims have yet to be identified, but Microsoft did accuse the Sofacy APT gang of carrying out the attacks. Sofacy is generally thought to have ties to Russian military intelligence and its targets are strategic, such as government and diplomatic agencies, military and defense contractors, and public policy think-tanks.

Google’s disclosure on Oct. 31 came 10 days after it privately reported the vulnerability to Microsoft, along with a Flash zero day to Adobe also used in these attacks.

Adobe patched the Flash vulnerability with an emergency update released on Oct. 26, but Microsoft failed to publicly acknowledge the bug until after Google publicly disclosed it. Google’s internal policy gives vendors seven days to publicly report or patch vulnerabilities being actively exploited.

Google said the vulnerability is a local privilege escalation in the Windows kernel that leads to a sandbox escape.

“It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD,” Google’s Neel Mehta and Billy Leonard said in their disclosure.

The attackers chained this bug and the Flash zero day in order to get on targeted computers. The sandbox escape allows the attacker to run code in kernel mode.

“Microsoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component,” Microsoft said in its bulletin, MS16-135. “These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.”

MS16-135 also patched two other elevation of privilege vulnerabilities in the Windows kernel (CVE-2016-7215 and CVE-2016-7246), as well as an information disclosure bug in the kernel that opens the door for a kernel ASLR bypass (CVE-2016-7214), and a separate information disclosure bug in the Windows browser.sys kernel-mode driver (CVE-2016-7218).

Six of the 14 bulletins put out by Microsoft today are rated critical. One, MS16-132, included another vulnerability under attack in the Windows Graphics Component. Microsoft said a remote code execution Open Type Font vulnerability was patched in the Windows font library. That bulletin patched three other flaws, including an information disclosure flaw in Open Type Font, specifically in the ATMFD component, which leaks enough information to carry out a further compromise. Also addressed were remote code execution memory corruption vulnerabilities in Windows Animation Manager and Windows Media Foundation.

Microsoft also provided cumulative updates for its browsers, Edge and Internet Explorer. The Edge update, MS16-129, patched 17 vulnerabilities, most of which lead to remote code execution. Two of the flaws, CVE-2016-7209 and CVE-2016-7199, were publicly disclosed, Microsoft said, but not used in in-the-wild attacks. The second disclosed bug was also patched in the Internet Explorer update, MS16-142, which patched seven CVEs.

MS16-130 patched three critical Windows bugs, a remote code execution flaw in the way Windows’ image file loading handles malformed image files, along with two elevation of privilege flaws in Windows IME and Windows Task Scheduler.

Another remote code execution vulnerability was addressed in MS16-131 in the Microsoft Video Control component. The remaining critical bulletin is the Adobe Flash Player update for IE and Edge; Adobe released an update today for Flash Player patching nine remote code execution flaws in the software.

Though rated important by Microsoft, an Office bulletin, MS16-133, also merits attention because it patches a dozen vulnerabilities including 10 that lead to remote code execution. None of the Office bugs are being publicly attacked, Microsoft said.

Microsoft also patched SQL Server, addressing a half-dozen elevation of privilege and information disclosure vulnerabilities in MS16-136. Three of the EoP bugs are in the SQL Server RDBMS engine, along with a cross-site scripting flaw in SQL Server MDS, an information disclosure issue in SQL Analysis Services, and another EoP issue in the SQL Server Engine Server Agent.

“The top priority for most administrators will be to quickly deploy fixes for browsers, graphics components, and Office. All of these components are affected by one or more code execution vulnerabilities Microsoft has classified as highly exploitable,” said Craig Young, security researcher at Tripwire. “These are of the highest priority due to the fact that the vulnerabilities can potentially be triggered through normal web browsing activities giving an external attacker a way into networks.”

The remaining bulletins are also rated important:

  • MS16-134 patches 10 elevation of privilege flaws in the Windows Common Log File System (CLFS)
  • MS16-137 patches three vulnerabilities in Windows NTLM, Virtual Secure Mode and Local Security Authority Subsystem Service
  • MS16-138 patches four elevation of privilege vulnerabilities in the Windows Virtual Hard Disk Driver
  • MS16-139 patches a local Windows kernel elevation of privilege flaw in how the Windows Kernel API enforces permissions
  • MS16-140 patches a security feature bypass in the Windows Secure Boot component; an attacker could disable code integrity checks and allow test-signed executables and drivers to be loaded.

via:  threatpost

Microsoft open sources its Azure Container Service Engine and launches deeper Kubernetes integration

The open source Kubernetes container management project is probably the most popular of the various competing container management services available today. The Cloud Native Computing Foundation, which plays host to the open source side of Kubernetes, is hosting its first Kubernetes conference this week and unsurprisingly, we’ll see quite a bit of container-related news in the next few days.

First up is Microsoft, which is not only making the source code of the engine at the core of its Azure Container Service (ACS) available, but also launching a preview of its native integration of Kubernetes for ACS. In addition, Microsoft is also continuing to bet on Mesosphere’s DC/OS and updating that service to the latest release of DC/OS.

“Containers are the next evolution in virtualization, enabling organizations to be more agile than ever before,” writes Corey Sanders, Microsoft’s Director of Compute for Azure, in today’s announcement. “I see this from customers every day! They can write their app once and deploy everywhere, whether dev, test or production. Containers can run on any hardware, on any cloud, and in any environment without modification. In short, they offer a truly open and portable solution for agile DevOps.”

Microsoft continues its strategy of offering its users a choice of container orchestration platforms (Docker Swarm, DC/OS, Kubernetes). As for Kubernetes, Microsoft has already supported this Google-incubated container management platform on its infrastructure for the last two years. “Today, we are taking this support even further and announcing the preview release of Kubernetes on Azure Container Service,” writes Sanders. “This deeper and native support of Kubernetes will provide you another fully open source choice for your container orchestration engine on Azure.”

Microsoft also today announced that it will launch a preview of the Azure Container Registry, a private repository for container images, on November 14. You could already set up your own private Docker Registry on Azure, but that was a manual process and left the management of the repository infrastructure to the developer. Given that both Amazon and Google already offer this feature, it’s no surprise that Microsoft is now joining the fray as well.

In addition, Microsoft also today announced that it will build more tools for deploying multi-container Linux applications from its developer tools like Visual Studio, Visual Studio Team Services, and the free and open Visual Studio Code editor on November 14.

 

via:  techcrunch

Minecraft comes to Apple TV

Minecraft, having already come to just about every other platform, is now on Apple TV, or will be soon at any rate. Well, that’s pretty much the news!

Tim Cook announced it at the Apple live event, after mentioning the thousands of apps and games already available for the platform. This isn’t Pocket Edition, as originally thought, but a new version called Minecraft: Apple TV Edition. It has the same code base as the others, and it should be similar, though timing for new features will likely differ from the other versions.

It shouldn’t come as too much of a surprise — Microsoft has been big on interoperability and ubiquity lately, and Minecraft is a great ambassador. It’s pretty much this generation’s “Doom,” in that it’ll be ported to every single platform it can be, even hilariously impractical ones.

 

 

via:  techcrunch

SoundShare’s new iMessage app lets you text your friends entire songs

 

A new iMessage app from the music-focused social network SoundShare will now let you share entire tracks with your friends over text messaging. Of course, there are already a number of ways to text friends your favorite music, thanks to the launch of the iMessage App Store. Apple Music has a built-in iMessage app, for example, and Pandora also rolled out one of its own earlier this month. However, these apps are limited because they work best for those who are already using the given service, or have the appropriate app installed.

Pandora’s iMessage app will kick non-users over to the App Store to download it, if the recipient doesn’t have its app installed on their device. Plus, because it’s a music radio service, when your friend taps the track you’ve sent, it only plays a 30-second sample.

And if you want to interact with the track further, you tap it to start a Pandora artist station. This isn’t exactly the ideal way to share a song you want your friend to listen to in its entirety.

 


SoundShare’s app works around the problem of people using different music services by giving your friend the option as to where they want to hear the song.

By default, the recipient can choose to launch the song’s video on YouTube; stream it through Apple Music, if they’re a subscriber; or launch iTunes to hear the preview, and optionally purchase it or the album.

Unfortunately, though SoundShare itself works with Spotify (Premium) and Deezer, these are not options in the iMessage app – you can only launch the track to stream in full on SoundShare, if you’ve previously connected Spotify or Deezer to your SoundShare account.

The new iMessage app arrived in a recent update to SoundShare’s flagship iOS app, which debuted earlier this year. The main application offers a music social network of sorts, where you can find and follow others, create collaborative playlists, or view your friends’ playlists – no matter which music service they’ve chosen to use.


But the iMessage app is what makes SoundShare worth the install, really. It’s a better experience than just texting a YouTube link, which is what many people do today when sharing music over text messaging.

Once installed, you can access SoundShare from the apps screen in iMessage. The interface offers a list of the Top 100 songs on its social network, which is useful if you want to see what’s trending and popular. However, it doesn’t have separate sections for songs by genre or new releases. Instead, you just type in what you’re looking for using the search bar, then tap the song to send it to your friend.

The result is a much improved experience for the recipient versus getting a YouTube link, as SoundShare displays an image thumbnail alongside a link that will offer all the streaming options.

SoundShare’s new iMessage app is a free download from the iTunes App Store, and works on iOS 10 and higher.

 

via:  techcrunch

Hulu’s live TV streaming service will have channels from Fox & Disney, including ABC, ESPN & more

Hulu has partnered with Disney and 21st Century Fox for its upcoming live TV streaming service, launching next year. The deals involve Fox’s news, entertainment, sports, and other properties, along with Disney’s portfolio of networks from its ABC Television Group and ESPN, among other things. In total, the two agreements will bring more than 35 TV networks to Hulu’s live TV service.

What this means for consumers who are considering cutting the cord with pay TV is that they’ll gain access to two of the top broadcast networks, Fox and ABC, on Hulu’s new streaming platform.

In terms of sports, the two deals will include Fox Sports networks (Fox Sports 1 and 2), BTN, ESPN networks, including ESPN1, ESPN2, ESPN3, ESPNU, ESPN-SEC, and Fox’s regional sports networks in dozens of markets. Meanwhile, other popular cable TV channels will also be included, like Disney Channel, Disney XD, Disney Junior, Fox News, Fox Business, Freeform, FX, FXX, FXM, National Geographic and Nat Geo Wild.

The addition of ESPN is especially notable, in light of the competitive landscape, which today includes Sling TV, PlayStation Vue, and AT&T’s forthcoming DirecTV Now service, for example. In fact, Sling TV made headway with a number of cord cutters when it first debuted as being the only way to access ESPN’s content without a subscription to a cable or satellite TV service. That has changed over time, however, as PlayStation Vue added the network back in March of this year. And DirecTV Now has also confirmed that Disney channels, ESPN and ABC will be a part of its lineup when it launches.

The announcement comes on top of earlier news from Hulu that it had also signed agreements with Time Warner for live and on-demand streaming of its networks, including TNT, TBS, CNN, Cartoon Network, Adult Swim, truTV, Boomerang, and Turner Classic Movies.

The bigger picture here is that it doesn’t appear that these live TV streaming rivals will end up competing in terms of content and channel lineups – they’ll be trying to woo consumers based on other factors, like pricing, number of concurrent streams, multi-platform support and overall user experience. While AT&T’s DirecTV Now may have the edge in terms of tying its service to AT&T’s cellular network, offering things like streams that don’t count towards data usage, for example, where Hulu may have an edge is the user interface.

Though not as well-designed as Netflix, nor anywhere near as good at recommendations, Hulu’s interface is at least easy to navigate and use. The same cannot be said for Sling TV, however, despite upgrades. And it’s unclear how DirecTV’s service will stand up, in comparison.

Hulu also has invested in some exclusive content, like The Mindy Project, The Path, 11.22.63, Difficult People, and its Golden Globe-nominated series, Casual, which could give it the edge, as well.

 

via: techcrunch

Kensington Launches Security Solution for Microsoft Surface Studio

Kensington Exclusively Launches Security Solution for the New Microsoft Surface Studio — The Industry Standard for Physical Device Security and Member of the “Designed for Surface” Program Introduces the Kensington Locking Kit to Keep the Device Secure.

 

Kensington announced the introduction of the Kensington Locking Kit for Surface Studio, the only physical security product available for the groundbreaking new device announced by Microsoft® on October 26.

The locking kit consists of a security slot adapter for the Surface Studio, a MiniSaver™ Keyed Lock with a 5-foot carbon steel cable, and two keys. The lock adapter attaches to the bottom of the Surface Studio and is designed with a Kensington Mini Security Slot. When combined, the adapter and MiniSaver lock will protect the Surface Studio from theft.


“We are extremely proud to introduce the Kensington Locking Kit for Surface Studio,” said Rob Humphrey, Director of Global Product Management, Security, Kensington. “Due to the design of the Surface Studio, Microsoft had very specific needs when it came to a security solution, and Kensington engineers worked collaboratively with Microsoft on finding a solution. Not only did it have to be strong, it had to complement the design of the Surface Studio, and our engineers have delivered in every way possible.”

In 2015, in conjunction with the launch of Kensington’s BlackBelt 1st Degree Rugged Case for Surface Pro 3, the company announced its participation in the Microsoft “Designed for Surface” Program, which empowers the organization to develop Surface-specific accessories for business and consumer use. The goal of the program is to provide third-party hardware accessory manufacturers specific technical guidance to help create exceptional accessories that work seamlessly with Surface devices. Microsoft created the program to address the growing demand for Surface accessories for use in business, at home, and on the go.
The Kensington Locking Kit for Surface Studio will be available for order on December 15.

• Surface Studio Lock Adapter: Built for strength and designed specifically to provide security for the groundbreaking device to thwart theft.
• MiniSaver Keyed Lock: Featuring Cleat™ Locking Technology, the retracting “claws” grab on to the internal sides of the lock adapter, creating a strong connection to help ensure your Surface Studio stays where it belongs.
• Push-Button Design: Allows for one-handed engagement into the lock adapter, quickly and easily attaching the lock inside the Kensington Mini Security Slot.
• Pivot and Rotate Cable: Special hinge creates great freedom of movement, eliminating awkward angles and allowing you to insert your key with complete ease.
• Carbon Steel Cable: Offering the same level of cut-resistance and theft-resistance as thicker cables, the carbon steel cable with plastic sheath offers security and greater mobility with 5 feet of cable.
• Verified & Tested: Engineered to Kensington’s rigorous specifications and third-party standards in torque/pull, foreign implements, lock lifecycle, corrosion, key strength and other environmental conditions.
• Register & Retrieve: Kensington’s online key registration program that allows for quick, secure and easy key replacement if it ever gets lost or stolen.

 

via:  enterprise-security-today

LastPass on mobile is now free

LastPass, the password manager owned by LogMeIn, is making a core component of its service free.

LastPass helps improve password security by allowing users to generate random passwords and storing them securely, so users don’t have to worry about password reuse leading to one of their accounts being breached.

The company’s payment model has always been sort of frustrating — users could access the browser extension for free but had to pay a $12 annual fee to take their passwords with them on mobile. Other password managers such as 1Password follow a similar pay-for-mobile model, but making the same service cost a different amount depending on what device it’s accessed from seemed nonsensical.

LastPass has added other paid features over the years that make the Premium subscription worthwhile, and under the new plan, the division between paid and free services makes a lot more sense. LastPass Premium users will still pay a subscription to access family password sharing, two-factor authentication methods like YubiKey and Sesame, encrypted file storage, fingerprint identification on desktop, priority customer support and an ad-free password vault. Free services will now include two-factor authentication, password generation and sync, and access from unlimited devices.

Basically, LastPass is now charging only for enhanced features rather than convenient access. The company also earns revenue from its enterprise offerings.

LastPass says that the change is motivated by a commitment to bringing password security to the masses. “Today’s reality is that people’s digital lives are increasingly in the cloud — and inherently span countless personal and work devices. We believe that to truly benefit from the security and convenience of a password manager, it should be available whenever and wherever you need it,” LastPass vice president Joe Siegrist said in a statement. “By offering LastPass for free across all your devices, we’re making it that much easier for everyone to make good password habits the norm, while resetting the expectations of what a great password management experience should be in a multi-device world.”

But the pricing change might also be intended to lure users from other paid password management services. LogMeIn CEO Bill Wagner said on an earnings call last week that free users drive revenue for LastPass because they often convert to Premium services or serve as referrals for enterprise business opportunities.

“LastPass is proving to be a great new on-ramp to the LogMeIn franchise, attracting millions of free users, many of whom will either upgrade to a paid account or lead us to an enterprise opportunity. And we saw this play out in the quarter with a six-figure deal to one of the nation’s largest commercial banks. We believe it is early days for cloud-based identity and that we have a big near-term opportunity to capture significant share by making LastPass even easier to use and increasing its awareness in the market,” Wagner explained.

Since LastPass was purchased by LogMeIn last year for $110 million, its rankings in the App Store and Google Play have remained virtually unchanged, according to the analyst service App Annie. Steady rankings are a good sign, and making the basics of LastPass available free of charge might help those rankings improve.

Users who are already paying for LastPass won’t have their subscriptions cancelled. Premium users get all the additional features, including YubiKey authentication and file storage, and LastPass doesn’t want to automatically cut people off from those tools. So to switch over to the Free model, users need to cancel their subscription when it comes up for renewal. Users who just signed up for Premium within the last 30 days are eligible for refunds.

 

via:  techcrunch

Microsoft open sources its next-gen cloud hardware design

Microsoft open sourced its next-gen hyperscale cloud hardware design and contributed it to the Open Compute Project (OCP). Microsoft joined the OCP, which also includes Facebook, Google, Intel, IBM, Rackspace and many other cloud vendors, back in 2014. Over the last two years, it has already contributed a number of server, networking and data center designs.

With this new contribution, Project Olympus, it’s taking a slightly different approach to open source hardware, however. Instead of contributing designs that are already finalized, which is the traditional approach to open sourcing this kind of work, the Project Olympus designs aren’t production-ready yet. The idea here is to ensure that the community can actually collaborate in the design process.


“We’ve learned a tremendous amount from our deep collaboration with the OCP Foundation and the open source community over the past few years,” Azure Hardware Infrastructure GM Kushagra Vaid writes in today’s announcement. “An important realization is that open source hardware development is currently not as agile and iterative as open source software.” By giving the community early access to the designs, Microsoft hopes it can “decrease the time to market for new product offerings and lower investment costs.”

The Project Olympus designs include a new motherboard and high-availability power supply with included batteries, a server chassis with a high-density storage expansion, and a new power distribution unit for the server racks that hold these (or other) machines. The designs are meant to be modular to give potential customers the ability to use them inside their own existing data center configurations.

OCP servers at Facebook


“Microsoft is opening the door to a new era of open source hardware development. Project Olympus, the re-imagined collaboration model and the way they’re bringing it to market, is unprecedented in the history of OCP and open source datacenter hardware,” said Bill Carter, the Chief Technology Officer of the Open Compute Project Foundation, in a statement today.

Microsoft, just like Facebook and other OCP members, is making extensive use of OCP hardware in its own data centers. Microsoft says over 90 percent of the servers it purchases are based on OCP-contributed specifications. At Facebook, which incubated this project, virtually all of the servers are Open Compute machines. Google also joined the OCP earlier this year, but market leader Amazon — a company that isn’t exactly known for its open source work to begin with — remains a no-show.

 

via: techcrunch