MSFT X GITHUB: Cruft Thereof
Recently purchased Github (now owned by Microsoft Corporation (NASDAQ: MSFT)) apparently forgot (or neglected) to renew its content delivery network's certificate, breaking what was once the developer's best friend. Cruft always wins over competence - operational or developmental - and so it goes...
$500k: Miscreants Flog Zoom 0Days (One for Windows, One For macOS)
Via Vice reporter Lorenzo Franceschi-Bicchierai comes this outstanding news piece on the Zoom video-conference 0day hacks debacle and the miscreants thereto; and of course, there's this. h/t
LTE Insecurity Cruft
Via Charlie Osborne, writing for ZDNet's Zero Day, comes news of a flaw in the famously-claimed-to-be-secure LTE environs, where the miscreants-of-the-day can fraudulently subscribe to services on behalf of witless users. Heretofore granted the Prime Annoyance of February Award - but, in reality, this is a particularly troublesome impersonation flaw that needs remediation. Read It and Weep For Your Mobile Security My Friends, In the Land Where Flaws (Apparently) Never End...
US DOE OIG Report: Thousands of Severe Security Flaws Discovered
Via the DOE's Office of Inspector General comes critically important news, in a highly troubling US DOE OIG Report, for the DOE, for energy consumers in the United States, and for the interconnected energy firms servicing the energy requirements of neighboring countries (Canada and Estados Unidos Mexicanos) in North America.
"Throughout fiscal year 2019, management made 54 recommendations to programs and sites related to improving the Department’s cybersecurity program. Furthermore, in some instances, management provided opportunities for improvement at locations reviewed but did not issue formal recommendations" - via the DOE's Office of Inspector General scathing report
Microsoft Decides To Finally Block Additional Files In OWA, Subsequently Provides Workarounds To Carry On Transmitting Them
Via Zeljka Zorz, Managing Editor at HelpNet Security, comes news of Microsoft Corporation's (NASDAQ: MSFT) dollar-short-and-day-late decision to block an additional forty file types in their deeply flawed Outlook on the Web product... Oh, and thanks for the workarounds...
'Microsoft also pointed out that blocked files can still be sent and received, either by renaming them (and making the recipient change the name again), compressing them into an archive file, or saving them to the cloud or to a secure network share server and sending the link to them.' - via Zeljka Zorz, Managing Editor at HelpNet Security
Introduction to the Finite State Supply Chain Assessment of Huawei →
NolaCon 2019, Chris Holt's 'Formula For A Bug Bounty Program'
Information Security Hubris: The Cruft of Wipro
A sterling example of both the Hubris and Cruft of Wipro's information security practices. Would you trust the Indian outsourcing company with your organization's information security? At one time, the answer may have been affirmative, but is that still the case?
Apache Server Bug Coughs Up Root
Charles Fol (the bug discoverer, Security Engineer at Ambionics and maintainer of PHPGGC: PHP Generic Gadget Chains) has published his data related to this highly critical root-level bug. This is a pernicious attack against the root environment of your web servers (when executing Apache binaries, that is), worthy of immediate (if not sooner...) remediation (by patching to Apache HTTP version 2.4.39, released 2019-04-01). Oh, and by the way, there are an estimated (by Rapid7) 2 million vulnerable systems floating around on our beloved interwebs... Here's Dan Goodin's take on the issue as well. Get Crackin'.
Rather Than Focusing On Fixing Lame Windows Update System, Microsoft CEO Targets New Electronic Cricket Bat
Smart Move - Satya - Smart Move. Now, what was it you were going to do about the Windows 10 October Creators Update's nagging problem of deleting user documents and other files en masse? Was this a redirection marketing tactic to deflect attention from the recent rash of Microsoft Windows Update failures plaguing Redmond; or is it a Lack of Focus, Mr. Nadella? (Update: News from Martin Brinkmann at GHacks that the file deletion issue is reportedly fixed). To be fair, an inability to service operating system updates robustly is not just a Microsoft Corporation (Nasdaq: MSFT) failure; this SNAFU is a hallmark of the so-called Android 'ecosystem' as well. Oh, and I'm a cricket fan as well. Enjoy.
Rob's Right... →
As the quality of Apple Inc. (Nasdaq: AAPL) software continues to drop, significant annoyances - with direct latency effects in the macOS operating system - are evident. In this case, relatively high numbers of line items displaying 13th-month errors, from a wide range of (if not all) applications, are being written to the console logs; with, of course, the expected disk and/or memory related effects. Shameful.
JHutchins' SharknAT&To →
Folks, gird yourselves for the truly horrifying... Read the superlative security reportage by jhutchins at NoMotion, in which the good Hutchins details the cruft-laden, and fundamentally idiotic, practice of hard-coding accounts in low-end routerland. Behold SharknAT&To, and more, much more... Today's Must Read. H/T
"When evidence of the problems described in this report were first noticed, it almost seemed hard to believe. However, for those familiar with the technical history of Arris and their careless lingering of hardcoded accounts on their products, this report will sadly come as no surprise. For everyone else, prepare to be horrified." - via NoMotion's jhutchins
Flush The Cruft
Mozilla Firefox Certificate Cache Coughs Up Credentials →
Meanwhile, in cruft news...
A Tale of Cruftery
First discovered by security researcher Alexander Klink, and discussed on his shift or die blog, the leakage documentation he has amassed is a tour de force in correct handling of the discovery. Mozilla's response has been a tad lackadaisical and (disappointingly) still in telemetry data gathering mode as of this post.
The Workaround
Superb work by Alexander; nonetheless, he does suggest regularly cleansing your browser user profile (if you are so unlucky as to be using the browser under scrutiny, yet most likely a good idea on any browser). There are many tools available that deal with the cache cleaning task (both scripted and manual, GUI-based and not, both in-built and otherwise). Enjoy the cruft. H/T
Microsoft Begins Selling Windows 10 Telemetry →
News of Microsoft Corporation (NasdaqGS: MSFT) selling customer telemetry on Windows 10 has come to light via Martin Kauffman on GHacks. Martin superlatively details the phenomenal audacity of Microsoft in the matter of selling usage information; and, while not surprising, it is just another indicator of the onerous feet-of-clay syndrome now evident in Redmond. Oh, and by-the-way, the data is being shared with a security firm; simply astounding. As always, you be the judge.
SAMRi10 and NetCease, Preventative Medicine for Windows Cruft
News of two Microsoft Corporation (NasdaqGS: MSFT) PowerShell scripts (SAMRi10, NetCease) from Itai Grady, providing at least some preventative Windows 10 medicine in the on-going battle against Windows Cruft.
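An added, read-only audit script (not one of Itai Grady's scripts, nor anything from the page) that reports whether the two settings SAMRi10 and NetCease are assumed to change are present in their hardened state on the local host; it assumes SAMRi10 sets the RestrictRemoteSAM SDDL value under the Lsa key and NetCease rewrites the SrvsvcSessionInfo security descriptor under LanmanServer\DefaultSecurity.

```powershell
# Added audit example; checks the state the two hardening scripts are assumed to leave behind.
# Assumption: SAMRi10 -> RestrictRemoteSAM (SDDL string), NetCease -> SrvsvcSessionInfo (binary SD).
# Read-only: run in an elevated PowerShell 5.1+ session on the host being audited.

$AdministratorsSid     = 'S-1-5-32-544'   # BUILTIN\Administrators
$AuthenticatedUsersSid = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users

function Get-AllowedSids {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Descriptor)
    # Every principal granted access by an access-allowed ACE in the DACL.
    $Descriptor.DiscretionaryAcl |
        Where-Object { $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed } |
        ForEach-Object { $_.SecurityIdentifier.Value }
}

function Test-SamRi10 {
    $value = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name RestrictRemoteSAM -ErrorAction SilentlyContinue
    if (-not $value) {
        return [pscustomobject]@{ Control = 'SAMRi10'; Hardened = $false; Detail = 'RestrictRemoteSAM not set' }
    }
    $sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new([string]$value.RestrictRemoteSAM)
    $others = @(Get-AllowedSids $sd | Where-Object { $_ -ne $AdministratorsSid })
    $detail = if ($others.Count) { "extra principals allowed: $($others -join ', ')" }
              else { 'only Administrators may call SAM remotely' }
    [pscustomobject]@{ Control = 'SAMRi10'; Hardened = ($others.Count -eq 0); Detail = $detail }
}

function Test-NetCease {
    $value = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity' `
                              -Name SrvsvcSessionInfo -ErrorAction SilentlyContinue
    if (-not $value) {
        return [pscustomobject]@{ Control = 'NetCease'; Hardened = $false; Detail = 'SrvsvcSessionInfo absent (stock defaults apply)' }
    }
    $sd      = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$value.SrvsvcSessionInfo, 0)
    $allowed = @(Get-AllowedSids $sd)
    $open    = $allowed -contains $AuthenticatedUsersSid
    $detail  = if ($open) { 'Authenticated Users may still enumerate sessions (NetSessionEnum)' }
               else { 'Authenticated Users removed from the NetSessionEnum ACL' }
    [pscustomobject]@{ Control = 'NetCease'; Hardened = (-not $open); Detail = $detail }
}

@((Test-SamRi10), (Test-NetCease)) | Format-Table -AutoSize
```

A host that reports both controls as hardened has closed the remote SAM and session-enumeration reconnaissance paths the two scripts target; a false result on either row points at the registry value to revisit.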