*** The Security News Thread ***

[Dragonfly]

why is why you have no idea what a password manager is

why is it that you are too fooking stupid to understand what kind of security issues they bring,

you and Harry are the prime examples of fooking fools who think they know their shit when they fooking don't and pose a security threat in their silly organizations by using fooking tools they shouldn't fooking use

I mean fooking priceless,

you belong to the fooking school of Indian IT fucks, with Harry the best in class

[harrybarracuda]

Still waiting for the gallic fag to hack my easy password. It seems he learned his lesson from the last time he got his well worn arse handed to him on a plate.

[baldrick]

Still waiting for the gallic fag to hack my easy password

still waiting for the quebecois to finish being humped by a baby fur seal and say somthing other than

" you all don't know what you are talking about , but I do "

and then not saying anything

which is why he is dismissed as a fool

[Dragonfly]

Still waiting for the gallic fag to hack my easy password.

fook harry, we all know you are a fooking thick corporate shill, told your fooking password ages ago, deal the fook with it

now be a fooking good boy and tell us like a grown man that it wasn't it, and best of all, fooking prove it

[Dragonfly]

which is why he is dismissed as a fool

oh that's fooking take the cake, you fooling Aussie retard, you lecturing me about being a fool, and yet you use a fooking password manager like a fooking tool

I mean you couldn't make that shit up, fooking IT idiots lecturing others on good IT practice when they can't even fooking get it right for a fooking password

who the fook they are kidding those 2 idiots,

go back to your room, your mum will call when diner is ready, you fooking retard

[lom]

Tell you what fuckhead, I've even made it easy for you. I've set it to an eight character dictionary word.

PASSWORD

[harrybarracuda]

Tell you what fuckhead, I've even made it easy for you. I've set it to an eight character dictionary word.

PASSWORD

Actually I set it to "Incorrect".

So when I type it wrong, it says "Your password is incorrect".

[lom]

Actually I set it to "Incorrect".

Can you count the number of characters for me?

Personally I use strong passwords like "straw12berry34jam"

[harrybarracuda]

"Put it in the cloud" they said. "It will all be secure" they said.

Ooops.

June 27, 2016
Microsoft Office 365 hit with massive Cerber ransomware attack, report

Millions of Microsoft Office 365 users were potentially exposed to a massive zero-day Cerber ransomware attack last week that not only included a ransom note, but an audio warning informing victims that their files were encrypted.

Steven Toole, a researcher for the cloud-security firm Avanan, blogged that his company saw the first attack roll in at 6:44 a.m. on June 22 and that at least 57 percent of all Office 365 customers received at least one phishing attempt that contained the infected attachment. While Avanan did not supply a specific number of those possibly hit, Microsoft reported in its first quarter 2016 earnings report that there are 18.2 million Office 365 subscribers.

In a unique twist, the ransom note was accompanied by an audio file explaining the attack and how to regain access to the files. Toole said it took Microsoft more than 24 hours to detect the attack and start blocking the attachment. The attacker asked for a ransom totaling 1.4 bitcoin, or about $500, for the decryption key.

“This attack seems to be a variation of a virus originally detected on network mail servers back in early March of this year," Toole wrote. "As it respawned into a second life, this time Cerber was widely distributed after its originator was apparently able to easily confirm that the virus was able to bypass the Office 365 built-in security tools through a private Office 365 mail account.”

Microsoft did not reply by press time to an SCMagazine.com request for further information regarding the attack.

Microsoft Office 365 hit with massive Cerber ransomware attack, report

[Dragonfly]

I guess security is not MS strong point,

it has been what ? 25 years of security breach on Windows, what would we expect otherwise from Microsoft Cloud solutions ?

security cloud indeed, not security firewall

[harrybarracuda]

I guess security is not MS strong point,

it has been what ? 25 years of security breach on Windows, what would we expect otherwise from Microsoft Cloud solutions ?

security cloud indeed, not security firewall

Buttplug it's a given that the only people that think Microsoft are good at security are them.

Long may it last, easy money.

[Dragonfly]

weren't you advocating some blog from a MS "security" expert only a few days ago ?

guess, not much of a security expert with the track records of MS

Mr password manager who takes security advice from MS security experts

[harrybarracuda]

weren't you advocating some blog from a MS "security" expert only a few days ago ?

I don't know what that means Buttplug, you'll have to try and explain it in English.

Which blog? And how does one "advocate" it?

[Dragonfly]

let me dig out that for you, harry

[baldrick]

buttsecs , what do you know about security

anyone who tries to tell you that one OS is more secure than another is a clueless sh1tspeaker

Which blog

his medications are causing him confusion and he meant me quoting Bruce Schneier - https://en.wikipedia.org/wiki/Bruce_Schneier

our kisser of speleological gerbils seems to like to display his lack of knowledge

[Dragonfly]

buttsecs , what do you know about security

a bit more than you and Mr Password Manager for a start,

[Dragonfly]

his medications are causing him confusion and he meant me quoting Bruce Schneier

it's hard to tell you 2 idiotic fools apart some time, some retardation level

[baldrick]

a bit more than you and Mr Password Manager for a start

you make these statements and back them up with your buttsecs exploit and you wonder why noone takes you seriously

[Dragonfly]

you make these statements and back them up with your buttsecs exploit and you wonder why noone takes you seriously

I understand TD is your life and your online reputation means more than anything,

but it's a fooking forum for fun, who gives a shit if you take me seriously or not. You are not paying my bills last time I checked, retard.

[harrybarracuda]

you make these statements and back them up with your buttsecs exploit and you wonder why noone takes you seriously

I understand TD is your life and your online reputation means more than anything,

but it's a fooking forum for fun, who gives a shit if you take me seriously or not.

*IF*?

*OR* not?

No fucker takes you seriously, you cum guzzling poofter.

[Dragonfly]

No fucker takes you seriously, you cum guzzling poofter.

and no one will for you now, Mr fooking Password Manager

[Neo]

Malware hits millions of Android phones - BBC News

[harrybarracuda]

Firmware Flaw Affects Lenovo ThinkPads, Other PC Makers' Hardware


By Wayne Rash | Posted 2016-07-05

NEWS ANALYSIS: A new zero-day vulnerability may also affect computers from other makers that used similar Intel UEFI reference code to create their BIOS firmware.


Lenovo has confirmed that reports of a critical vulnerability in the UEFI (unified extensible firmware interface) in its ThinkPad computers are accurate and it is currently investigating the problem.

Lenovo released a statement on June 30 verifying there is a vulnerability in the ThinkPad's System Management Mode (SMM) BIOS that was introduced by one of its independent BIOS vendors. However, Lenovo hasn't specified what range of ThinkPad models likely are affected by the vulnerability.

The UEFI is a current version of what used to be called the BIOS (basic input output system), which forms an interface between the computer hardware and the operating system, such as Microsoft Windows. The current practice is that the IBVs (independent BIOS vendors) work from reference code provided by the CPU manufacturer and then develops machine-specific code that provides the rest of the machine-specific interface.

Normally, machines using similar processors and chipsets will use the same reference code. This means that while the vulnerability could have been introduced by the IBV, it's also possible it was introduced by Intel when it created the reference code.

The vulnerability was found by an independent security researcher Dmytro Oleksiuk, who published details on GitHub, a software development collaboration site. Oleksiuk said in his posting that the vulnerability, which he has named ThinkPwn, allows the running of arbitrary SMM code. This enables an attacker to disable Flash write protection and then allow malware infection of the platform firmware. This, in turn, allows an attacker to disable Secure Boot and Virtual Secure Mode on Windows 10.

By embedding malware in the system firmware, an attacker can avoid detection by antimalware software. Furthermore, the malware may be difficult or impossible to remove. Oleksiuk noted in his GitHub entry that the vulnerability apparently was fixed by Intel in 2014, but because there was no public announcement, the vulnerability was never removed by computer makers that were using the earlier version in their UEFI code.

Further research by Oleksiuk and others appears to indicate that Lenovo isn't the only computer maker affected by the same bug. Independent security researcher Alex James reported in a series of Tweets that he found the same vulnerability on some HP laptop computers and in the firmware for some Gigabyte Technology motherboards.

The vulnerability was discovered so recently that the full extent of the problem is unknown. But because Intel and the independent BIOS vendors likely used similar reference code and UEFI software as much as possible, the problem is likely to be much more widespread than just the three makers that are currently known.

While Lenovo has acknowledged that the vulnerability exists, there's more to attacking a computer than the existence of a vulnerability. At the very least, there needs to be a means of delivering it.

For the ThinkPwn bug, the primary means of delivery needs to be a USB memory stick. Then, the computer needs to be booted from that drive before any malware can be initiated.

Analyst Jack Gold said the first thing business users should do is find out whether their anti-malware products will detect software that's trying to perform an exploit using the vulnerability. However, Gold said that because any exploit would be running in the firmware, he suspects that current antimalware apps would not find it.

Gold also said that because any exploit would probably need to be installed on a machine via physical access to its USB port, it's not an easy thing to do. His advice to IT managers: “Be mindful of this, stay up to date, but I wouldn't consider this a huge risk.”

But that doesn't mean that there's no risk at all. Oleksiuk has said in some of his public statements that he believes it would be possible to create a malware attack that would take advantage of the ThinkPwn vulnerability. But even if the exploit could be spread through malware, that doesn't necessarily raise the risk much.

The reason the risk is limited is because the UEFI is written specifically for each type of machine, and for an exploit to work, it would have to target this specific type as well. For this reason, a Lenovo exploit wouldn't work on a HP laptop, even if it had the same vulnerability.

What should the computer makers do about this vulnerability? The obvious answer is they can ask their BIOS vendors to create a new UEFI package using Intel reference code written after the vulnerability was fixed and then distribute a BIOS update.

But of course it's easy to say that a BIOS update would solve the problem, but issuing such an update can be very complex to current hardware owners. Worse, trusting individual owners to update the BIOS in their computers is a dangerous proposition. Done wrong, the result could effectively kill the computer, preventing it from ever working again.

Of more concern is Oleksiuk's suggestion that the ThinkPwn exploit was applied in malware. While such a malware attack would be very difficult because it would require the malware to detect the type of machine it was infecting, such sophisticated malware already has been created to attack other types of vulnerabilities. This means creating such malware to attack machines with different UEFI code is possible.

While there's no reason to panic about the possibility of malware aimed at your computers' BIOS, you also can't afford to drop your guard. Instead, keep in touch with Lenovo or whichever vendor builds your computers and find out if there is a vulnerability. If there is, you need to fix it as soon as possible.

Firmware Flaw Affects Lenovo ThinkPads, Other PC Makers' Hardware

[baldrick]

how to block third party cookies

How to Block Third-Party Cookies in Every Web Browser

and stop third party javascript

New attack steals SSNs, e-mail addresses, and more from HTTPS pages | Ars Technica

Van Goethem said the only mitigation he knows of is to disable the third-party cookies, since responses sent by the HTTPS site are no longer associated with the victim. At the moment, most Web browsers by default enable the receipt of third-party cookies, and some online services don't work unless third-party cookies are allowed.

[harrybarracuda]

Black Hat: Do USB Keys Left in Parking Lots Get Picked Up?
By Sean Michael Kerner | Posted 2016-08-04

Will people pick up randomly placed USB keys and stick them in their PCs? A Google researcher who tested this out found surprising results.

LAS VEGAS—In the information security business, there is a longstanding myth that users will pick up random USB keys that can easily infect their machines. That's an urban legend that Elie Bursztein, anti-fraud and abuse research team lead at Google, put to the test and detailed in an amusing session at the Black Hat USA conference here.

Rather than just randomly drop USB drives, Bursztein developed a whole process that involved placing 297 keys at various locations on the University of Illinois campus. Bursztein worked with campus officials and didn't deploy malware on any of the USB keys, but rather included a simple HTML file for tracking as well as a follow-up survey for victims so they can learn what they did wrong.

Bursztein built an application on Google App Engine with a mobile tracking app for Android to manage the process. Not all the keys were identical, as Bursztein used five different labels in an attempt to see if different messages would affect the pick-up rate. Among the messages was one titled "final exam results" and one labeled "confidential." Each of the keys had a number of HTML links in them as well as links to pictures.

To add further diversity to the study, Bursztein placed the keys in various locations around the university campus—including in the parking lot, just outside a building doorway, in a hallway, in a classroom and in a common room.

Surprisingly, 46 percent of the dropped keys "phoned home," according to Bursztein, meaning someone picked up the key, plugged it into a computer and clicked a link.
Bursztein said he found no statistically significant variation across the different keys or even the drop locations.

Bursztein's experiment included a survey that 62 people who picked up the keys ended up filling out; 68 percent of those respondents said they picked up the keys because they wanted to return the drive, while 18 percent said that they were just curious. As it turns out, 54 people did follow instructions on the drive and returned it to Bursztein.

He emphasized that his USB drop wasn't malicious, but real hackers wouldn't be as kind and likely would infect users with malware. He suggested that awareness and security training is likely a good thing, as it's important to teach people to be mindful of what they plug into their computers. Additionally, Bursztein recommended that organizations physically block the USB ports on sensitive computers in order to minimize risk.

"You don't pick up food from the floor and eat it. You might get poisoned. So don't pick up random USB keys, either," Bursztein said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Black Hat: Do Randomly Placed USB Keys Get Picked Up?