Article 43
Microsoft And Windows
Monday, May 29, 2023
The Worst Computer Nightmares - Hardware Hacks
“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016 - long before UEFI attacks started being publicly described,” Kaspersky researchers wrote. “This discovery begs a final question: If this is what the attackers were using back then, what are they using today?”
- Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us
---
Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw
BlackLotus represents a major milestone in the continuing evolution of UEFI bootkits.
By Dan Goodin
ArsTechnica
March 6, 2023
Researchers on Wednesday announced a major cybersecurity find - the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.
Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These sophisticated pieces of malware target the UEFI - short for Unified Extensible Firmware Interface - the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC's device firmware with its operating system, the UEFI is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch. Previously discovered bootkits such as CosmicStrand, MosaicRegressor, and MoonBounce work by targeting the UEFI firmware stored in the flash storage chip. Others, including BlackLotus, target the software stored in the EFI System Partition.
Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to launch malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.
As appealing as it is to threat actors to install nearly invisible malware that has kernel-level access, there are a few formidable hurdles standing in their way. One is the requirement that they first hack the device and gain administrator system rights, either by exploiting one or more vulnerabilities in the OS or apps or by tricking a user into installing trojanized software. Only after this high bar is cleared can the threat actor attempt an installation of the bootkit.
---
New Hardware Vulnerability Discovered in Intel Processors
Anonymous Hackers
May 28, 2023
In a significant development that has sent shockwaves through the technology industry, a new hardware vulnerability has been discovered in Intel processors. This vulnerability has raised concerns about the security and privacy of millions of computer systems worldwide.
The flaw, dubbed “SpectraStrike,” was first identified by a team of security researchers at a leading cybersecurity firm. SpectraStrike is said to affect a wide range of Intel processors, including both consumer-grade and enterprise-level chips. This vulnerability allows malicious actors to exploit the speculative execution feature of Intel processors, potentially leading to unauthorized access to sensitive information.
Speculative execution is a performance optimization technique used by modern processors, including Intel’s, to predict and execute future instructions. However, SpectraStrike takes advantage of flaws in the implementation of this feature, allowing hackers to bypass security measures and access data that should be protected.
The exact scope and impact of this vulnerability are still being investigated, but initial findings indicate that it could potentially expose sensitive data such as passwords, encryption keys, and personal information. Cybersecurity experts warn that this could have severe implications for individuals, businesses, and even government agencies relying on Intel processors. Intel has acknowledged the existence of the SpectraStrike vulnerability and is actively working to develop and release security patches and firmware updates to mitigate the risk. The company has urged all affected users to keep their systems up to date and apply the necessary updates as soon as they become available.
Meanwhile, organizations across various sectors are closely monitoring the situation and taking necessary precautions to safeguard their systems. The cybersecurity community has mobilized efforts to analyze and understand the vulnerability further, working towards developing additional security measures to protect vulnerable systems.
This latest hardware vulnerability in Intel processors comes on the heels of previous incidents, such as Meltdown and Spectre, which exposed similar flaws in computer hardware. The SpectraStrike vulnerability highlights the ongoing challenge faced by the technology industry to stay ahead of increasingly sophisticated cyber threats.
As the investigation unfolds, it is crucial for individuals and organizations to remain vigilant and follow recommended security practices. This includes regularly updating software, using strong and unique passwords, and implementing multi-factor authentication where possible.
The implications of the SpectraStrike vulnerability are far-reaching, with potential repercussions for global cybersecurity. It serves as a reminder that constant vigilance and proactive measures are essential to protect sensitive information in an ever-evolving digital landscape. Further updates on the SpectraStrike vulnerability and mitigation efforts will be provided as new information becomes available. Stay tuned for the latest developments on this critical issue.
Wednesday, May 17, 2023
Still Looking For Reasons To Keep Away From Windows? Part 23
Google has clarified its email scanning practices in a terms of service update, informing users that incoming and outgoing emails are analysed by automated software.
- Gmail Snooping, 2014
---
Microsoft is scanning the inside of password-protected zip files for malware
If you think a password prevents scanning in the cloud, think again.
By Dan Goodin
Ars Technica
May 16, 2023
Microsoft cloud services are scanning for malware by peeking inside users’ zip files, even when they’re protected by a password, several users reported on Mastodon on Monday.
Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.
While analysis of password-protected files in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password “infected.”
“While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples,” Brandt wrote. “The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.”
Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but on all its 365 cloud services. One way is to extract any possible passwords from the bodies of an email or the name of the file itself. Another is by testing the file to see if it's protected with one of the passwords contained in a list.
“If you mail yourself something and type something like ‘ZIP password is Soph0s’, ZIP up EICAR and ZIP password it with Soph0s, it’ll find (the) password, extract and find (and feed MS detection),” he wrote.
Brandt said that last year Microsoft’s OneDrive started backing up malicious files he had stored in one of his Windows folders after creating an exception (i.e., allow listing) in his endpoint security tools. He later discovered that once the files made their way to OneDrive, they were wiped off of his laptop hard drive and detected as malware in his OneDrive account.
“I lost the whole bunch,” he said.
Brandt then started archiving malicious files in zip files protected with the password “infected.” Up until last week, he said, SharePoint didn’t flag the files. Now it is.
Microsoft representatives acknowledged receipt of an email asking about the practices of bypassing password protection of files stored in its cloud services. The company didn’t follow up with an answer.
A Google representative said the company doesn’t scan password-protected zip files, though Gmail does flag them when users receive such a file. My work account managed by Google Workspace also prevented me from sending a password-protected zip file.
The practice illustrates the fine line online services often walk when attempting to protect end users from common threats while also respecting privacy. As Brandt notes, actively cracking a password-protected zip file feels invasive. At the same time, this practice almost surely has prevented large numbers of users from falling prey to social engineering attacks attempting to infect their computers.
One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can't be read. As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override. A more dependable way is to use the AES-256 encryption built into many archive programs when creating 7z files.
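The distinction the article ends on, ZipCrypto versus AES, is recorded in the archive's own metadata, so a gateway (or a researcher about to send a sample) can tell which one was used without extracting anything. The following Python is an added example, not code from the Ars Technica article, from Microsoft or from Sophos: it parses the ZIP central directory directly and classifies each entry as unencrypted, ZipCrypto, PKWARE strong encryption, or WinZip AES (the 0x9901 extra field carries the key size). The entry names and payloads are constructed for the demonstration; because Python's zipfile module cannot write encrypted archives, the sample builder relabels the headers of a plain archive so the classifier has something to read, and that is flagged in the code.

```python
"""Tell ZipCrypto from AES in a ZIP archive without extracting it.

Added example (not from the article, Microsoft or Sophos). Only the
central directory is read, which is what a mail gateway or a researcher
can inspect on a password-protected archive before deciding how to treat it.
"""
import io
import struct
import zipfile

CD_SIG = b"PK\x01\x02"      # central directory file header
LH_SIG = b"PK\x03\x04"      # local file header
EOCD_SIG = b"PK\x05\x06"    # end of central directory record
FLAG_ENCRYPTED = 0x0001     # general purpose bit 0: entry is encrypted
FLAG_STRONG = 0x0040        # general purpose bit 6: PKWARE "strong encryption"
METHOD_AES = 99             # WinZip AE-x scheme; real method and key size live in extra field 0x9901
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def _aes_strength(extra: bytes) -> str:
    """Walk the extra-field records for 0x9901 and report the AES key size."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == 0x9901 and size >= 7:
            # record body: vendor version(2) vendor id "AE"(2) strength(1) actual method(2)
            return AES_STRENGTH.get(extra[pos + 8], "AES-unknown")
        pos += 4 + size
    return "AES-unknown"


def classify_entries(data: bytes) -> dict:
    """Map entry name -> 'none' | 'zipcrypto' | 'pkware-strong' | 'AES-128/192/256'."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP file")
    # EOCD: total entry count at +10, central directory offset at +16
    n_total, cd_offset = struct.unpack_from("<H4xI", data, eocd + 10)
    result = {}
    pos = cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("corrupt central directory")
        # header: flags(+8) method(+10) ... name_len(+28) extra_len(+30) comment_len(+32); fixed part is 46 bytes
        flags, method, name_len, extra_len, comment_len = struct.unpack_from("<HH16xHHH", data, pos + 8)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        if not flags & FLAG_ENCRYPTED:
            scheme = "none"
        elif method == METHOD_AES:
            scheme = _aes_strength(extra)
        elif flags & FLAG_STRONG:
            scheme = "pkware-strong"
        else:
            scheme = "zipcrypto"  # legacy PKWARE stream cipher, the weak Windows default the article warns about
        result[name] = scheme
        pos += 46 + name_len + extra_len + comment_len
    return result


def weakly_protected(data: bytes) -> list:
    """Entries whose only protection is ZipCrypto: treat as readable, not as encrypted."""
    return [n for n, s in classify_entries(data).items() if s == "zipcrypto"]


def _stamp(data: bytes, name: str, flags: int, method: int) -> bytes:
    """Constructed test data only: relabel one entry's local and central headers.

    zipfile cannot write encrypted archives, so the payload stays plain; only the
    metadata the classifier reads is made to look like a real encrypted entry."""
    buf = bytearray(data)
    for sig, flag_off, nlen_off, name_off in ((LH_SIG, 6, 26, 30), (CD_SIG, 8, 28, 46)):
        pos = buf.find(sig)
        while pos >= 0:
            nlen = struct.unpack_from("<H", buf, pos + nlen_off)[0]
            if buf[pos + name_off:pos + name_off + nlen] == name.encode():
                struct.pack_into("<HH", buf, pos + flag_off, flags, method)  # flags and method are adjacent
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample() -> bytes:
    """Three constructed entries: plain, ZipCrypto-flagged, WinZip AES-256-flagged."""
    aes_extra = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, zipfile.ZIP_DEFLATED)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"plain text, no password")
        zf.writestr("sample.bin", b"constructed payload 1")
        vault = zipfile.ZipInfo("vault.bin")
        vault.extra = aes_extra
        zf.writestr(vault, b"constructed payload 2")
    data = _stamp(out.getvalue(), "sample.bin", FLAG_ENCRYPTED, zipfile.ZIP_STORED)
    return _stamp(data, "vault.bin", FLAG_ENCRYPTED, METHOD_AES)


if __name__ == "__main__":
    archive = build_sample()
    for entry, scheme in classify_entries(archive).items():
        print(f"{entry:12s} {scheme}")
    print("only ZipCrypto:", weakly_protected(archive))
```

Run on a real archive by passing the file's bytes to `classify_entries`; anything reported as `zipcrypto` should be handled as if it were unencrypted, while `AES-256` entries are the kind the article recommends. Note that 7z archives use a different container format and are not parsed here.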
Thursday, April 22, 2021
Legalized Hacking 2
Judge Rules FBI Can Hack Into Exchange Servers
By Trevor Collins
Security Simplified
April 21, 2021
For the last few months, we have seen Exchange Servers fall to vulnerabilities from the Hafnium attacks. Even after Microsoft released patches for the serious flaws, we continue to see attacks on Exchange Servers and hear of more Exchange Servers becoming compromised. This shouldn't be news as many publications including our own have covered these vulnerabilities extensively. Additionally, Microsoft released their patches over a month ago. Yet in a recent report the FBI has found many compromised Exchange servers that still have various threat actors' webshells installed.
Last week though, the FBI took it a step further. In a court-approved action, the FBI identified compromised servers, connected to the servers through the webshell, and removed the malicious webshell left behind by the original threat actors. We can easily criticize the administrators who have allowed their Exchange servers to stay compromised for so long, but it doesn't excuse the FBI from connecting into these Exchange servers. They don't need individual warrants to connect to these devices according to the previously sealed court document. This gives precedent for the FBI to access any server and make changes on these servers with just a blanket warrant. I see this as a clear violation of property rights. One could argue that the FBI helped fix the server, but property rights don't have a stipulation that the government can access your property if they intend to help you. For example, if somebody put graffiti on the side of a business, the FBI does not have the right to cover over the graffiti without the owner's permission.
Administrators choose their software based on the features and security it provides. A Microsoft Exchange Server and the host operating system protects the server from any unauthorized change. When we buy the software, we expect that only authorized users can make changes on the servers and unauthorized users cannot. This creates a requirement for explicit permission for access. If you must bypass the normal expected route to make changes on the Exchange Server, then you do not have explicit permission to make these changes from the owner. The FBI has performed similar attacks in the past with the Coreflood botnet. This time though, it looks like they connected directly into the Exchange Server to delete the webshell where in comparison they removed Coreflood by sending a command to delete itself from the command and control infrastructure they had previously taken over.
Ultimately the court did not agree with me and gave an excessively wide warrant to the FBI. They could have asked for a warrant to identify the owners of the servers, but they didn't do this as far as we know. We have no way of knowing exactly how the FBI did this or what IP addresses they used.
The good news is, you can protect yourself from this happening to you by keeping your infrastructure secure in the first place. Protect your servers by ensuring they are updated. More importantly though, the FBI shouldn’t access servers they don’t own and haven’t actually committed a crime.
Tuesday, June 04, 2019
Still Looking For Reasons To Keep Away From Windows? Part 22
Russia’s Would-Be Windows Replacement Gets a Security Upgrade
By Patrick Tucker
Defense One
May 28, 2019
For sensitive communications, the Russian government aims to replace the ubiquitous Microsoft operating system with a bespoke flavor of Linux, a sign of the country’s growing IT independence.
For the first time, Russia has granted its highest security rating to a domestically developed operating system, deeming Astra Linux suitable for communications of “special importance” across the military and the rest of the government. The designation clears the way for Russian intelligence and military workers who had been using Microsoft products on office computers to use Astra Linux instead.
There is hope that the domestic OS [operating system] will be able to replace the Microsoft product. “Of course, this is good news for the Russian market,” said German Klimenko, former IT advisor to Russian President Vladimir Putin and chairman of the board of Russia’s Digital Economy Development Fund, a venture capital fund run by the government. Klimenko spoke to the Russian newspaper Izvestia on Friday.
Although Russian officials used Windows for secure communications, they heavily modified the software and subjected Windows-equipped PCs to lengthy and rigorous security checks before putting the computers in use. The testing and analysis were to satisfy concerns that vulnerabilities in Microsoft operating systems could be patched to prevent hacking from countries like the United States. Such evaluations could take three years, according to the newspaper.
A variant of the popular Linux open-source operating system, Astra Linux has been developed over the past decade by Scientific/Manufacturing Enterprise Rusbitech. In January 2018, the Russian Ministry of Defense said it intended to switch to Astra Linux as soon as it met the necessary security standards. Before that, the software had been on some automated control systems, such as the kind sometimes found on air defense systems and some airborne computer systems.
It’s another example of Russia’s self-imposed IT exile, along with the efforts to disconnect the country from the global Internet by 2021 and to create its own domain name service.
“The Russian government doesn’t trust systems developed by foreign companies to handle sensitive data, due to fears of espionage through those systems,” said Justin Sherman, Cybersecurity Policy Fellow at New America. Using domestically produced technologies to manage sensitive data is just another component of the Kremlin’s broader interest in exercising more autonomy over the digital machines and communications within its borders.
Sam Bendett, research analyst with the Center for Naval Analyses’ International Affairs Group, said, “One of the main sticking points for the Russian government was the fact that imported operating systems had vulnerabilities and back doors that Moscow thought could be exploited by international intelligence agencies. This is essentially Russia ensuring its cybersecurity against potential intrusions.”
It’s unsurprising that Moscow distrusts Microsoft software, given that Russian-developed malware, like the NotPetya virus used against energy targets in Ukraine, exploits vulnerabilities in Windows.
Sherman says that while the Russian government may find Astra Linux a suitable substitute for Windows, it's not a serious competitor anyplace else. There's no particular reason for others to use this bespoke variant of Linux. Also, suspicion of Russian software has been rising internationally. The country's most successful and recognized software company, Kaspersky, can no longer sell its wares to the U.S. government. Last May, the cybersecurity firm opened a “transparency lab” in Switzerland in an attempt to assuage jittery European customers.
“If this operating system were to be marketed outside of Russia, the prospects likely aren't great,” Sherman said. Astra Linux doesn't exactly have a worldwide foothold compared to the systems it's replacing within Russia, and this is only compounded by the fact that, just as the Russian government has security concerns about software made in other countries, other countries may very well have security concerns about using software made in Russia and endorsed by the Russian government.
But, says Bendett, a potential client list for Russian software does exist outside of Russia, just as there is for Russian anti-aircraft systems. “There is a growing list of nations that will probably want to have its main government and military systems run on an OS from a nation more friendly to their interest, like Syria ... or other countries where Russia is seeking to make inroads. So the possibility for export definitely exists.”
Sunday, August 02, 2015
Still Looking For Reasons To Keep Away From Windows? Part 21
Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage.
Windows 10 spies on you by default
By Shannon Stapleton
Reuters
July 31, 2015
Microsoft’s new Windows 10 operating system is immensely popular, with 14 million downloads in just two days. The price of the free upgrade may just be your privacy, though, as changing Windows 10’s intrusive default settings is difficult.
Technology journalists and bloggers are singing Windows 10's praises, often using words such as “amazing,” “glorious” and “fantastic.” The operating system has been described as faster, smoother and more user-friendly than any previous version of Windows. According to Wired magazine, more than 14 million people have downloaded their upgrade since the system was released on Wednesday.
While the upgrade is currently free of charge to owners of licensed copies of Windows 8 and Windows 7, it does come at a price. Several tech bloggers have warned that the privacy settings in the operating system are invasive by default, and that changing them involves over a dozen different screens and an external website.
According to Zach Epstein of BGR News, all of Windows 10's features that could be considered invasions of privacy are enabled by default. Signing in with your Microsoft email account means Windows is reading your emails, contacts and calendar data. The new Edge browser serves you personalized ads. Solitaire now comes with ads. Using Cortana - the voice-driven assistant that represents Redmond's answer to Apple's Siri - reportedly “plays fast and loose with your data.”
“I am pretty surprised by the far-reaching data collection that Microsoft seems to want,” web developer Jonathan Porta wrote on his blog. “I am even more surprised by the fact that the settings all default to incredibly intrusive. I am certain that most individuals will just accept the defaults and have no idea how much information they are giving away.”
As examples, Porta cited Microsoft having access to contacts, calendar details, and “other associated input data” such as “typing” and “inking” by default. The operating system also wants access to user locations and location history, both of which could be provided not just to Microsoft, but to its “trusted partners.”
“Who are the trusted partners? By whom are they trusted? I am certainly not the one doing any trusting right now,” Porta wrote, describing the default privacy options as “vague and bordering on scary.”
Alec Meer of the “Rock, Paper, Shotgun” blog pointed out this passage in Microsoft's 12,000-word, 45-page terms of use agreement:
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to.”
While most people are used to ads as the price of accessing free content, writes Meer, Microsoft is not making it clear enough that “they are gathering and storing vast amounts of data on your computing habits,” not just browser data.
Opting out of all these default settings requires navigating 13 different screens and a separate website, the bloggers have found.
Meer was underwhelmed with Microsoft executives' claims of transparency and easily understandable terms of use. “There is no world in which 45 pages of policy documents and opt-out settings split across 13 different Settings screens and an external website constitutes real transparency,” he wrote.
Tracking and harvesting user data has been a business model for many tech giants. Privacy advocates have raised concerns over Google's combing of emails, Apple's Siri, and Facebook's tracking cookies that keep monitoring people's browser activity in order to personalize advertising and content.