*** The Security News Thread ***

[harrybarracuda]

Make sure you do your updates this month, there are a few 0-day nasties floating around.

[harrybarracuda]

WiFi firmware bug affects laptops, smartphones, routers, gaming devices

List of impacted devices includes PS4, Xbox One, Samsung Chromebooks, and Microsoft Surface devices.

"The researcher says the firmware function to scan for new WiFi networks launches automatically every five minutes, making exploitation trivial. All an attacker has to do is send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device."

https://www.zdnet.com/article/wifi-f...aming-devices/

[harrybarracuda]

Bug allows Facetime users to listen to and, in some cases, watch a person before they answer call

Apple is working to fix the issue.


A BUG IN Apple’s FaceTime app allows users to listen to audio from the phone of the person they are calling before the person has accepted or rejected the call.


The bug was first reported by tech website 9to5Mac.

To trigger the bug, while making a FaceTime call, swipe up from the bottom of the screen and tap Add Person and add your own phone number here.

This allows you to start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t answered the call.

https://www.thejournal.ie/facetime-bug-4464349-Jan2019/

[harrybarracuda]

A NEW GOOGLE CHROME EXTENSION WILL DETECT YOUR UNSAFE PASSWORDS

DATA BREACHES THAT compromise people's usernames and passwords have become so common, and used in crime for so long, that millions of stolen credential pairs have actually become practically worthless to criminals, circulating online for free. And that doesn't even begin to scratch the surface of the more current credentials sold on the black market. All of this means that it's increasingly difficult to keep track of which of your passwords you need to change. So Google has devised a Chrome extension to watch your back.

On Tuesday, the company is announcing "Password Checkup," which runs in Chrome all the time as you go about your daily web browsing, and checks passwords you enter on all sites against a database of known compromised passwords. Password Checkup isn't a password manager, gauge of how weak or strong your passwords are, or source of advice. It just sits quietly until it detects a credential pair that is known to be exposed, and then it shows a warning. That's it.

The tool is unobtrusive by design, so you'll actually pay attention to it when it notices genuine risks. If you've been feeling overwhelmed by all the news of data breaches and cybercrime over the last few years, Password Checkup is meant as an easy way to take back some control.
Watchdog

Google accounts tend to be particularly sensitive, because they are often the key to a person's email address. So the company has already been grappling with notifying users when their Google credentials are compromised—not because Google was hacked, but because people reuse passwords on multiple sites.

Google relies on a database of compromised credentials that totals about four billion unique usernames and passwords, gathered from troves its security teams access online as they go about their larger threat detection research for the company. Google says it hasn't ever bought stolen credentials, and that it doesn't currently collaborate with other security-minded aggregators like Have I Been Pwned, a service maintained by the security researcher Troy Hunt. The company does accept donations of stolen credentials from researchers, though.

The company has already uses that stash to force Google users to abandon exposed passwords. And other Google divisions, like Nest, are working on features to prevent exposed password reuse, because of problems with account takeovers.

"We've reset something like 110 million passwords on Google accounts because of massive breaches and other data exposures," says Elie Bursztein, who leads the anti-abuse research team at Google. "The idea is, can we have a way to do it everywhere? It works in the background and then after 10 seconds you may get a warning that says 'hey, this is part of a data breach, you should consider changing your password'. We want it to be 100 percent if we show it to you you have to change it."

Google's database is always growing, but appears to have some holes. When I tested Password Checkup with a login that I know has been compromised in breaches (so I have one account I haven't updated yet, what are you gonna do) it didn't flag it.

Bursztein and Kurt Thomas, a Google security and anti-abuse research scientist note that they've skewed toward zero false positives so they aren't accidentally giving users warnings based on similar, but slightly different passwords or the same password that was compromised for a different person, but not you. And they emphasize that while the company is releasing Password Checkup as a regular Chrome extension for people to start using, it's still an experiment and isn't necessarily finalized.
Check Mate

The researchers are anticipating controversy—or "a conversation" as they often call it— about a crucial question that you may have by now, too: If Password Checkup is running quietly on Chrome all the time with the express goal of monitoring your login credentials, isn't Google going to end up with a terrifying trove of all your passwords? And if so, couldn't attackers find a way to compromise Password Checkup to grab tons of current credentials, track you, or infiltrate Google's database of stolen data?

"There are four threats we had to think about when designing the system," Thomas says. "The first is that Google never learns your username and password in the process. Another one is we don’t want to tell you about anyone else’s usernames and passwords that don’t belong to you. And we need to prevent somebody from brute forcing the system. We don’t want you to start guessing random usernames and passwords. And the last is we don’t want any sort of trackable identifier for the user that would reveal any information."

It wouldn't be feasible on multiple levels for Google to check the credentials without any data leaving the user's device at all. Instead, the company collaborated with cryptographers at Stanford University to devise layers of encryption and hashing—protective data scrambling—that combine to protect the data as it traverses the internet. First of all, the entire database is scrambled with a hashing function called Argon 2, a robust, well-regarded scheme, as a deterrent against an attacker compromising the database or attempting to pull credentials out of the Chrome extension.

Rather than have you download the entire database, the researchers devised a scheme for downloading a smaller subset, or partition, of the data without revealing too much about your specific username and password. When you log into a site, Password Checkup generates a hash of your username and password on your device, and then sends a snippet of it to Google. The system then uses this prefix to create the smaller subset of breached username and password data to download onto your device. "This provides a strong anonymity set where there’s basically hundreds of thousands of usernames and passwords that would fall into that prefix, but we have no idea which they are," Thomas says. "When you sign in you send that little prefix to Google and we give you every account that we know to download."

To index into your subset of the database, your device signs your encrypted username and password with a key only it knows and sends it to Google. Next the company signs it with its own secret key, then sends it back to your device, which decrypts it with its key. After this handshake is complete, the data is finally in the right state of encryption and hashing to do a compatible local lookup on your device against the portion of the database you've downloaded. The idea is that everything is encrypted all the time to make the data as indecipherable and useless to a potential attacker—or Google itself—as possible at every phase.
Details Matter

Google plans to release an academic paper about the tool with Stanford researchers that details its underlying protocols and cryptographic principles for public vetting.

When asked about the idea of a browser extension that attempts to monitor passwords in a cryptographically secure and private way, Johns Hopkins cryptographer Matthew Green said, "It's possible. It could be done securely, I think. I think. But details matter." Green notes that such a scheme would need to be executed essentially perfectly and would have a number of crucial areas where it could fall short. "If a lot of people will be using it—it's a little scary, frankly," he says.

With such a desperate need for easily understandable breach information and advice, a lot of people very easily could start using Password Checkup quickly. So it will be incumbent upon Google to actually continue improving the extension's security based on community feedback—both from users and cryptographers.

https://www.wired.com/story/password...ome-extension/

[harrybarracuda]

Windows 7 may be creakingly old now, but it is still widely used. While large numbers of consumers have migrated to Windows 10, there are still plenty of organizations that are clinging to the old operating system out of a sense of nostalgia, an unwillingness to upgrade, lack of funds for upgrading, or legacy requirements.

As of January 14, 2020, Microsoft will no longer be providing support or security updates for Windows 7 -- apart from for those who are willing to pay for it. The company is offering up to three years of Windows 7 Extended Security Updates (ESU), and pricing has just been revealed.

Details of pricing have been shared by ZDNet, and they are predictably high. Extended Security Updates will only be available to Windows 7 Professional and Windows 7 Enterprise customers, and the cost doubles on a year-by-year basis. For the first year (January 2020-21), Windows Enterprise customers can expect to pay $25 per device, rising to $100 in the third year. For Windows 7 Professional, the starting figure is $50 per device, rising to $200.

ZDNet's Mary Jo Foley explains:

For Windows 10 Enterprise and Microsoft 365 customers, Microsoft will provide Windows 7 ESUs as an "add-on," according to information Microsoft seemingly shared with partners and its field sales people. Year one (January 2020 to 2021), that add-on will cost $25 per device for that set of users. Year two (January 2021 to 2022) that price goes up to $50 per device. And Year three (January 2022 to January 2023) it goes up to $100 per device. To qualify for this pricing tier, customers can be running Pro as long as they are considered "active customers" of Windows Enterprise in volume licensing.

For users who decide to stick with Windows 10 Pro rather than Windows 10 Enterprise, those ESU prices are significantly higher. Year one, Windows 7 ESUs will cost those Windows 7 Pro customers $50 per device; Year 2, $100 per device; and Year 3, $200 per device, according to information Microsoft seemingly shared with its partners and field sales people.

There is a hint that bulk discounts could be available, which would be good news for organizations with large number of computers still to be upgraded to Windows 10. With a total cost of up to $350 per system, things could get expensive. A Microsoft spokesperson says: "Customers would need to work with their Microsoft account team for details on pricing".

https://betanews.com/2019/02/06/micr...dates-pricing/

[David48atTD]

Block and Defer Windows 10 Updates

The first thing you can do to avoid getting the above update problems and more is to take over the control when your Windows 10 updates.
This way you can hold off getting updates the moment Microsoft rolls them out, monitor the news for a bit to see if any major errors crop up, then manually do the update yourself.


Recently, Windows Insiders revealed that an update is coming to Windows 10 (around April 2019) which will allow all Windows users (including Home users) to pause updates by up to seven days. In the meantime, if you’re on Windows 10 Pro, enterprise, Education or S, you can postpone updates by going to
... Settings -> Update & Security -> Windows Update. Here, select the option ‘Choose when updates are installed’ and pick the number of days you’d like to delay it by.


There’s another way to take control of Windows 10 updates – depending on whether you have the Home or Pro version of the OS – and we have a guide that takes you through disabling and scheduling Windows 10 updates.


---

How to Roll Back Windows 10 Updates

After every major update Windows 10 gives you a ten-day window to roll back to a previous version of Windows. It’s a useful feature and should give you enough time to judge whether you have a problematic update. Of course, this won’t recover your files if Windows 10 deletes them, but at least you’ll be on a more stable version of the OS.




To do this, go to Windows 10 Settings, then click “Update & security -> Recovery.”

Below “Reset this PC” you should see the option to “go back to the previous version of Windows 10.”

Click “Get started,” then follow the steps to roll back Windows 10.

Again, this option is only available for ten days after a Windows 10 build update.


https://www.maketecheasier.com/lates...date-problems/

[harrybarracuda]

1H19 - the next release - is the dog's bollocks.

[harrybarracuda]

Edge secretly disables security mechanism on Facebook


A hidden whitelist in Microsoft Edge is allowing Facebook to execute Flash Player content without authorization.


Adobe’s soon-to-be-deprecated media plugin is notorious for being insecure, riddled with bugs, and leaving users vulnerable to cyber-attacks.

As a response, browsers severed their ties with the once-popular tech and enabled Click2Play, meaning websites are not allowed to execute Flash without users’ permission.

However, a hidden whitelist discovered by a Google Project Zero researcher has revealed that a number of domains have been able to bypass Click2Play in Microsoft’s Edge browser.

The file – c:\Windows\system32\edgehtmlpluginpolicy.bin – contains a default whitelist of domains that can bypass Click2Play and load Flash content without permission.

This issue was discovered by Ivan Fratric, who disclosed the flaw on November 26, before going public after a 90-day disclosure deadline.

https://portswigger.net/daily-swig/e...sm-on-facebook

[harrybarracuda]

I find it hard to believe 500 million people are using this piece of shit, but if you are, ditch it and switch to 7Zip.

Security experts at Check Point have disclosed technical details of a critical vulnerability in the popular file compression software WinRAR.

Experts at Check Point discovered the logical bug in WinRAR by using the WinAFL fuzzer and found a way to exploit it to gain full control over a target computer.


Over 500 million users worldwide use the popular software and are potentially affected by the flaw that affects all versions of released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive.

<snip>


The worst aspect of the story is that WinRAR development team had lost the source code of the UNACEV2.dll library in 2005. The way to approach the problem is drastic, the team stop using the UNACEV2.dll and released WINRar version 5.70 beta 1 that doesn’t support the ACE format.

Don’t waste your time, install this new version of the software and do not open compressed archives with WINRAR that were received from unknown sources.

https://securityaffairs.co/wordpress...ical-flaw.html

[harrybarracuda]

A Chrome add-on called Video Downloader (or Video Downloader Plus) has a serious cross-site scripting flaw.

If you use it, check that you're on the latest, recent version which fixed it.

https://thehackerblog.com/video-down...loit-detailed/

[harrybarracuda]

A straight rip off of Chrome's Password Checkup add-on, but anything to stops breaches is a good thing.

Mozilla Firefox 67 to Warn About Breached Sites Using New Add-On


Firefox Monitor is a Mozilla service that has partnered with Have I been Pwned to alert users when their email address has been discovered in a data breach. In the past, Firefox Monitor was a standalone service, but starting in Firefox 67 it will now be included as an extension.


As part of a test in November 2018, Mozilla started displaying notifications to Firefox users when they visited a site that historically has had a data breach. You can see an example of one of these breach notifications below.



As spotted by Techdows.com, starting in the current Firefox Nightly build for version 67, Firefox Monitor will now be integrated as a system extension.



While the extension is automatically installed in the Nightly build, it won't be enabled by default. For those who wish to test this new feature, you can go into about:config and add a new setting called extensions.fxmonitor.enabled as shown below.

https://www.bleepingcomputer.com/new...ng-new-add-on/

[OhOh]

A Chrome add-on called Video Downloader (or Video Downloader Plus) has a serious cross-site scripting flaw.

Has the Firefox version been affected?

[harrybarracuda]

Has the Firefox version been affected?

I don't know but just make certain that you're on the latest version to be sure.

[harrybarracuda]

From the horse's mouth:

Are you a Google Chrome browser user? Be alert!

Earlier today, a dangerous Zero-Day Vulnerability was found in Google Chrome.

Google Chrome’s Desktop Engineering and Security Lead, John Schuh tweeted :


“Also, seriously, update your Chrome installs... like right this minute.”

[Takeovers]

Received this email. Way above the usual spam, had a good laugh. You got to admit it has some style.




Hello!

I have very bad news for you.
21/10/2018 - on this day I hacked your OS and got full access to your account jxxx@yyy.somewhere

So, you can change the password, yes... But my malware intercepts it every time.

How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.

I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!

And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!

I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $758 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!

Pay ONLY in Bitcoins!
My BTC wallet: 1H1K8MfLEJgjCCfDEkTJmv9GJjD3XzEFGR

You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy

For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.

After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".

I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (this is not feasible, I sent you an email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.

P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
This is the word of honor hacker

I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.

Do not hold evil! I just do my job.
Have a nice day!

[baldrick]

I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!

it sounds like he wants a date

a couple of years ago several moroccon villages were making a living out of extorting moneys for similar ruses with middle eastern computer users



but more important is the discovery of malware infecting a sh1t load of apps on googles play store - list of apps at the bottom of the linked page - they all have in common that they used an infected library which they probably did not realise had been covertly modified

mostly driving simulator games

though I imagine some of our teakdorians will have this app installed

com.mustache.beard.editor Beard mustache hairstyle changer Editor

Check Point researchers from the Mobile Threat Team have discovered a new adware campaign on the Google Play Store. This particular strain of Adware was found in 206 applications, and the combined download count has reached almost 150 million. Google was swiftly notified and removed the infected applications from the Google Play Store.

https://research.checkpoint.com/simb...n-google-play/

[Takeovers]

but more important is the discovery of malware infecting a sh1t load of apps on googles play store - list of apps at the bottom of the linked page - they all have in common that they used an infected library which they probably did not realise had been covertly modified

I am quite confident there is no malware involved. Just this funny email. He has nothing on me.

[baldrick]

yes - it is just a mass mail

the android malware is a different story and I added it as security news

[harrybarracuda]

It's called "Sextortion". A mate of mine from CM emailed me in a panic about receiving one.

I had to explain to him that it would be a bit difficult to video him knocking one out to Xhamster when he hasn't got a fucking webcam of any kind.

[baldrick]

this is not for you harry - I know you have proudly released all your self abuse videos to the WWF to stop monkeys wanking in public zoos

the morrocan's actually did/do have video - they faked video chat with the lebenese , syrian , jordanian using pr0n vids from the web fed to skype and recorded the boys fapping and then threatened to show it to their mothers

they had / still have a thriving business running

Oued Zem

In the meantime, go to the 'business' for many scammers still good. There are even real sextortion gangs who take about 80 000 per year. In the dusty, poor town driving many BMWs and Mercedes around. Ten years ago there were four exchange offices in the town and two banks. Today there are forty and fifteen respectively.

[harrybarracuda]

Yes there are real scams but they normally involving engaging the victim with a fake profile or some whore.

But the email scams are different.

[harrybarracuda]

Norsk Hydro hit bad by a ransomware attack.

The Norwegian National Security Authority (NNSA), the state agency in charge of cybersecurity, said the attack used a virus known as LockerGoga, a relatively new strain of so-called ransomware which encrypts computer files and demands payment to unlock them.

https://www.reuters.com/article/us-n...-idUSKCN1R00NJ

[Buckaroo Banzai]

Make sure you do your updates this month, there are a few 0-day nasties floating around.

every time i see a win 10 update I get anxiety attacks.
Just did my Win 10 update, now the battery status icon is gone from my tray. I have to keep on going to my settings to check on the status of my laptop battery. Went to YouTube for fixes, seems like the "config Sys" command from MS DOS days is rearing its ugly head, don't want to start messing with settings I don't understand, Looks like I will have to take my laptop in the shop for someone who knows what they are doing to fix. Any recommends on a shop in Khon Kaen?
Next laptop will be a Mack. Tired of windows.

[baldrick]

I install classic shell on win 10

Classic Shell: Downloads

get your desktop back to a no frills GUI

[Buckaroo Banzai]

I install classic shell on win 10

Classic Shell: Downloads

get your desktop back to a no frills GUI

did a litle search and found "classic start" also , would such programs restore my battery status icon? that's all I want.