
Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).

Microsoft has not yet responded to requests for comment. However, KrebsOnSecurity has heard rumblings from several sources over the past 48 hours that this Patch Tuesday (tomorrow) will include a doozy of an update that will need to be addressed immediately by all organizations running Windows.

Will Dormann, a security researcher who authors many of the vulnerability reports for the CERT Coordination Center (CERT-CC), tweeted today that “people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don’t know…just call it a hunch?” Dormann declined to elaborate on that teaser.

It could be that the timing and topic here (cryptography) are nothing more than a coincidence, but KrebsOnSecurity today received a heads up from the U.S. National Security Agency (NSA) stating that NSA’s Director of Cybersecurity Anne Neuberger is slated to host a call on Jan. 14 with the news media that “will provide advanced notification of a current NSA cybersecurity issue.”

The NSA’s public affairs folks did not respond to requests for more information on the nature or purpose of the discussion. The invitation from the agency said only that the call “reflects NSA’s efforts to enhance dialogue with industry partners regarding its work in the cybersecurity domain.”

Stay tuned for tomorrow’s coverage of Patch Tuesday and possibly more information on this particular vulnerability.

AndrewTerry · 14 days ago · Brackley (UK)
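As an added example (not code from the KrebsOnSecurity article), the PowerShell below records the build of crypt32.dll on a host and checks the Authenticode signatures of a list of binaries, so that the same report can be taken before and after the Patch Tuesday update and compared. The baseline file location and the sample file list are assumptions for illustration.

```powershell
# Added example, not from the KrebsOnSecurity article. Records the crypt32.dll build on a
# host and verifies Authenticode signatures on a list of binaries, so the same report can
# be taken before and after the Patch Tuesday update. The baseline path and the sample
# file list below are assumptions for illustration.

function Get-Crypt32Info {
    # File version, timestamp and hash of the module the article describes.
    $dll = Get-Item -Path (Join-Path $env:SystemRoot 'System32\crypt32.dll')
    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        Path           = $dll.FullName
        FileVersion    = $dll.VersionInfo.FileVersion
        ProductVersion = $dll.VersionInfo.ProductVersion
        LastWriteTime  = $dll.LastWriteTime
        Sha256         = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
    }
}

function Test-BinarySignature {
    # Signature status plus signer subject and thumbprint for each file that exists.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $p
        [PSCustomObject]@{
            File       = $p
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            Message    = $sig.StatusMessage
        }
    }
}

# Assumed baseline location: first run writes it, later runs compare against it.
$baseline = Join-Path $env:TEMP 'crypt32-baseline.json'
$current  = Get-Crypt32Info

if (Test-Path -Path $baseline) {
    $before = Get-Content -Path $baseline -Raw | ConvertFrom-Json
    if ($before.Sha256 -ne $current.Sha256) {
        Write-Host ("crypt32.dll changed: {0} -> {1}" -f $before.FileVersion, $current.FileVersion)
    } else {
        Write-Host ("crypt32.dll unchanged since baseline ({0})" -f $current.FileVersion)
    }
} else {
    $current | ConvertTo-Json | Set-Content -Path $baseline
    Write-Host ("Baseline written to {0} ({1})" -f $baseline, $current.FileVersion)
}

$current | Format-List

# Sample targets (assumed); replace with the binaries you actually care about.
$targets = @(
    (Join-Path $env:SystemRoot 'System32\crypt32.dll'),
    (Join-Path $env:SystemRoot 'System32\notepad.exe')
)
Test-BinarySignature -Path $targets | Format-Table -AutoSize
```

One caveat worth keeping in mind when reading the signature report: Get-AuthenticodeSignature goes through the same Windows CryptoAPI stack that the article says houses the flaw, so a "Valid" verdict from a host that has not yet taken the update is not independent evidence about a suspect file. The value of the script is in the before/after comparison, and in catching a host whose crypt32.dll has not changed after the update was supposed to have been applied.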

Build Your Own Apple I Replica with SmartyKit

The Apple I was the original Apple computer built by Steve Jobs and Steve Wozniak, so naturally every Apple fanatic has dreamed of playing around with an Apple I or even having their own. But you won’t need to keep dreaming, because you’ll be able to build your own DIY Apple 1 replica thanks to ...
AndrewTerry · 15 days ago · Brackley (UK)

Apple's new privacy settings vex trackers

George P. Slefo reports for Ad Age on how the tracking industry is reacting to Apple’s iOS 13 lockdown of apps using Bluetooth and Wi-Fi as tracking proxies. It’s a fine overview, but this is the paragraph that struck me:

The move might also strengthen the position of companies such as X-Mode, which get users’ permission to collect location data by plugging into various apps that have legitimate use cases for capturing location. The company, for example, has an earthquake alert app, making it more likely that a user would be willing to share their location. Others, such as Foursquare, gather location data through owned-and-operated consumer apps such as City Guide, Swarm and Placed.

Something to be aware of: Just because an app you’re using has a legitimate reason to track your location doesn’t mean that it won’t use that information to build a profile about you. Ad trackers will buy or build apps that have legitimate uses that require location data—and then use that data to build a profile.

With iOS 13 I find that I am being very aggressive about denying Bluetooth access and location data to most third-party apps. It’s also worth remembering only to use weather and security apps from trustworthy developers, since they’ll be getting your valuable location data.

[Hat tip: Six Colors subscriber Warren Pena.]

[Read on Six Colors.]

AndrewTerry · 112 days ago · Brackley (UK)

How to Open a VMDK File in VirtualBox

Need to open a VMDK file in VirtualBox? This article will show you how to set up and use a VMDK virtual machine file with VirtualBox. This particular tutorial is demonstrated on a Mac, but using a VMDK with VirtualBox this way should work the same on Windows and Linux too. VMDK is short for Virtual ...
AndrewTerry · 166 days ago · Brackley (UK)

Exploiting GDPR to Get Private Information

A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

  • a UK hotel chain that shared a complete record of his partner's overnight stays

  • two UK rail companies that provided records of all the journeys she had taken with them over several years

  • a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

AndrewTerry · 166 days ago · Brackley (UK)

How Privacy Laws Hurt Defendants

Rebecca Wexler has an interesting op-ed about an inadvertent harm that privacy laws can cause: while law enforcement can often access third-party data to aid in prosecution, the accused don't have the same level of access to aid in their defense:

The proposed privacy laws would make this situation worse. Lawmakers may not have set out to make the criminal process even more unfair, but the unjust result is not surprising. When lawmakers propose privacy bills to protect sensitive information, law enforcement agencies lobby for exceptions so they can continue to access the information. Few lobby for the accused to have similar rights. Just as the privacy interests of poor, minority and heavily policed communities are often ignored in the lawmaking process, so too are the interests of criminal defendants, many from those same communities.

In criminal cases, both the prosecution and the accused have a right to subpoena evidence so that juries can hear both sides of the case. The new privacy bills need to ensure that law enforcement and defense investigators operate under the same rules when they subpoena digital data. If lawmakers believe otherwise, they should have to explain and justify that view.

For more detail, see her paper.

AndrewTerry · 174 days ago · Brackley (UK)