Browser automation script.
Roundup Here are a handful of security happenings in the past week that are worth noting – aside from what The Reg has already covered.
Microsoft extends Windows 7 support*
With everyone up in arms about the potential for hackers to influence the upcoming 2020 US presidential elections, Microsoft is offering to help local governments secure their older voting machines that are based on the obsolete Windows 7 platform.
This will allow admins to download and install all security updates for Windows 7 ahead of the elections to close up potential entry points for hackers wishing to tamper with vote totals.
*But only for voting machines.
US Air Force opens cloud security contract for bidding
Government cloud contractors will be happy to hear the US Air Force is open to bids for a new IT modernization program worth $95m.
NextGov reports the deal will look to create a single system capable of monitoring and cataloguing information on cybersecurity incidents.
The new project is parter of a larger Air Force IT overhaul program known as LevelUP, which is aimed at bringing the military branch’s systems into the cloud.
Facebook wipes out even more data-slurping devs
The Social Network has emitted an update on its ongoing purge of developers who use its platform to harvest the personal information of users.
“It is important to understand that the apps that have been suspended are associated with about 400 developers,” Facebook said on Friday.
“This is not necessarily an indication that these apps were posing a threat to people. Many were not live but were still in their testing phase when we suspended them.”
Some, including Oregon’s tech-savvy Democratic Senator “Silicon” Ron Wyden, weren’t particularly impressed.
Sen. @RonWyden: “This wasn’t some accident. Facebook put up a neon sign that said ‘Free Private Data,’ and let app developers have their fill of Americans’ personal info. The FTC needs to hold Mark Zuckerberg personally responsible” https://t.co/V8mWdrftxd w/ @TonyRomm
— Drew Harwell (@drewharwell) September 20, 2019
ESET details Stealth Falcon backdoor
Researchers with ESET this week introduced a newly discovered backdoor being used with the Falcon hacking operation.
The backdoor is notable in that it uses a little-known function in Windows called BITS (background intelligent transfer services) to quietly handle communications between the infected machines and the command and control servers.
“Compared to traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus is harder to detect,” ESET explained.
“Moreover, this design is reliable and stealthy, and more likely to be permitted by host firewalls.”
It is an attack you most likely will never face. The Stealth Falcon attacks have been primarily looking to infect political activists and journalists operating out of the Middle East.
Still, if you want a more detailed look into a very interesting piece of malware, ESET’s full report can be read here.
Windows NTFS prone to file-guessing bug
One bug not addressed in this month’s Patch Tuesday bundle was this file enumeration error in the Windows NT File System.
Researcher John “hyp3rlinx” Page discovered that anyone with an ordinary user account on a drive using NTFS could potentially take advantage of a quirk in the error reporting system of Windows to figure out what protected files are on a machine.
“Standard account users attempting to open another users files or folders that do not contain a valid extension or dot ‘.’ in its filename are always issued the expected ‘Access is denied’ system error message,” Page explained.
“However, for files that contain a (dot) in the filename and that also don’t exist, the system echoes the following attacker friendly warning: ‘The system cannot find the file’.”
“This error message inconsistency allows attackers to infer files EXIST, because any other time we would get ‘The system cannot find the file’.”
While the flaw could be useful to hackers performing recon by trying to map out what files are on a machine and where, it wasn’t quite severe enough to qualify as a security vulnerability in Microsoft’s book and Page was told his discovery “does not meet the bar for security servicing.”
Online pizza order ends in SWAT team call
A prankster looking to pull a fast one may have gotten more than they bargained for (or perhaps exactly what they wanted) when a phony message hidden within a pizza order ended in a massive police incident.
A Domino’s Pizza shop in San Diego received a seemingly normal mobile order on September 10, until one of the employees noticed that someone had put a message into the order claiming that a person was being held hostage at the pizza’s destination (a home in nearby Sherman Heights.)
This led the outlet to notify the police, who sent officers in tactical gear to clear out and search the home. They eventually concluded the call was a hoax and the people at the house had no idea what was going on.
No word on whether they got the pizza.
US-CERT dissects new North Korean malware
The United States Computer Emergency Readiness Team (US-CERT) has said it has a new sample of malware appearing to have originated in North Korea. Known as “Badcall” and “Electricfish”, the malware is believed to be the work of the Hidden Cobra hacking operation campaign that has sought to plunder cash to funnel in to North Korea.
Suspected “hack” was a Fortnite update
Security writer Stilgherrian uncovered this story from the 2018 Commonwealth games: days before the games were set to start, admins noticed an unusually high spike in network traffic and figured someone was attacking the event’s network with a DDoS flood.
As it turned out, the spike was actually just nearby users downloading a larger-than-usual update to the MMO shooter Fortnite, both a testament to the popularity of the game at the time and the interesting traffic patterns it generated.
Researcher uncovers Uber security hole
AppSecure has detailed a flaw it discovered in Uber that could have potentially allowed a determined attacker to hijack a user’s account.
It turns out the API Uber uses to handle the Uber user ID (UUID) numbers is insecure. An attacker who was able to get the user’s phone number or email address could create an API request that would return the UUID. That UUID could then be used to potentially steal authentication tokens that would allow the attacker to hijack the user’s account.
Or, they could use the phone number and email address to phish/socially engineer the user into just handing over their password.
The bug has since been patched by Uber without any reports of in-the-wild exploits.
Twitter axes thousands of accounts in political influence crackdown
Twitter has said it wiped around 10,000 accounts in Europe, the Middle East, Asia, and South America that were attempting to spread disinformation and sway public opinion on political topics.
“Going forward, we will continue to enhance and refine our approach to disclosing state-affiliated information operations on our service,” the blue bird tweeted.
The eBay eBabe returns
Almost a fortnight ago, Microsoft and eBay found themselves in an embarrassing spot when an Outlook bug resulted in a mostly naked woman appearing as the avatar for eBay UK’s mail account.
Those who “missed out” on the incident got treated to a repeat performance last week, it seems.
She’s returned with today’s update! pic.twitter.com/CCXnthkCPP
— Matthew (@matthew_r_1987) September 18, 2019
Microsoft advised anyone still having this problem to update the App via the App Store. ®