Four wormable bugs in newer versions of Windows need your attention now

Microsoft is warning of four new Windows vulnerabilities that are “wormable,” meaning they can be exploited to spread malware from one vulnerable computer to another without any user action, in much the way the self-replicating WannaCry and NotPetya outbreaks did in 2017.

Similar to the so-called BlueKeep vulnerability Microsoft patched in May, the four bugs the company patched on Tuesday reside in Remote Desktop Services, which allow a user to take control of a remote computer or virtual machine over a network connection. The bugs—indexed as CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226—make it possible for unauthenticated attackers to execute malicious code by sending a specially crafted message when a protection known as Network Level Authentication is turned off, as administrators in large organizations often do.

In such networks, it’s possible for exploits to ricochet from computer to computer. Leaving NLA on makes it harder for attacks to spread, since attackers must first have network credentials. The growing use of hacking tools such as Mimikatz, however, often enables attackers to surreptitiously obtain the needed credentials.

The race begins

Unlike BlueKeep—which affected only unsupported Windows versions or versions close to being unsupported—the bugs disclosed on Tuesday affect newer versions, specifically Windows 7, 8, and 10 and Server 2008, 2012, 2016, and 2019. That puts a much larger and potentially more sensitive fleet of computers at risk. Microsoft rated the severity of the vulnerabilities as 9.7 and 9.8 out of a possible 10. The company also said the chances of in-the-wild exploitation are “more likely.”

“The vulnerabilities include the latest versions of Windows, not just older versions like in BlueKeep,” independent security researcher Kevin Beaumont told Ars. “There will be a race between organizations to patch systems before people reverse engineer the vulnerability from the patches to learn how to exploit them. My message would be: keep calm and patch.”

Windows machines that have automatic updating enabled should receive the patch within hours if they haven’t already. Installing Tuesday’s patches is the single most effective way to ensure computers and the networks they’re connected to are safe against worms that exploit the newly described vulnerabilities. For people or organizations that can’t update immediately, a good mitigation is to “enable NLA and leave it enabled for all external and internal systems,” Beaumont said in a blog post.

Enabling NLA doesn’t provide an absolute defense against attacks. As noted earlier, attackers who manage to obtain network credentials can still exploit the vulnerabilities to execute code of their choice. Still, turning on NLA significantly raises the bar, since without it the exploits can completely bypass the authentication mechanism built into Remote Desktop Services itself.
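One way to audit the NLA mitigation recommended above across a Windows fleet, and to enforce it where it is off, written as an added example rather than code from the article or from Microsoft. It assumes the default RDP-Tcp listener name and the documented UserAuthentication and fDenyTSConnections registry values, and it must run in an elevated PowerShell session.

```powershell
# Added example: report whether Remote Desktop is reachable without NLA on this host,
# and optionally turn NLA on. Assumes the default 'RDP-Tcp' listener; run elevated.
param(
    [switch]$Enforce   # when set, switch NLA on if RDP is enabled and NLA is off
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled entirely (nothing exposed).
$rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means a client must authenticate before a session is created.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

if (-not $rdpEnabled)  { $exposure = 'RDP off' }
elseif ($nlaRequired)  { $exposure = 'RDP on, NLA required' }
else                   { $exposure = 'RDP on, NLA OFF: unauthenticated RDS reachable' }

# One object per host so the output can be collected with Invoke-Command and exported.
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    RdpEnabled  = $rdpEnabled
    NlaRequired = $nlaRequired
    Exposure    = $exposure
}

if ($Enforce -and $rdpEnabled -and -not $nlaRequired) {
    # Same value the System Properties checkbox "Allow connections only from computers
    # running Remote Desktop with Network Level Authentication" toggles.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Output "NLA enabled on $env:COMPUTERNAME; existing sessions are unaffected."
}
```

Enabling NLA complements, rather than replaces, installing the Tuesday patches; hosts that report "NLA OFF" are the ones to prioritize while patching is in progress.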

Harden the RDS

According to a blog post published Tuesday by Director of Incident Response at the Microsoft Security Response Center Simon Pope, Microsoft researchers discovered the vulnerabilities on their own during a security review designed to harden the RDS. The exercise also led to Microsoft finding several less-severe vulnerabilities in RDS or the Remote Desktop Protocol that’s used to make RDS work. Pope said there’s no evidence any of the vulnerabilities were known to a third party.

The exercise came three months after the patching of BlueKeep, which was reported to Microsoft by the UK’s National Cyber Security Center. It’s possible—although Pope gave no indication—that the review came in response to that tip from the NCSC.

Some security researchers have speculated that the original source of the BlueKeep vulnerability report was the Government Communications Headquarters, the UK’s counterpart to the National Security Agency, as part of a vulnerabilities equity process that calls for bugs to be disclosed once their value to national security has diminished.

“So it’ll be ironic if the GCHQ VEP killed a RDP bug because it only affect [sic] old boxes but then MS audited all of RDP and killed one of their goto new hotness bugs,” Dave Aitel, a former NSA hacker who now heads security firm Immunity, wrote on Twitter. “(Another good reason not to kill bugs).”

Aitel later acknowledged the theory “may be totally crazy! :)”

Whatever the case, the four wormable bugs disclosed Tuesday represent a threat not just to the Internet but to the health care, shipping, transportation, and other industries that rely on it. Administrators and engineers would do well to devote as much time as necessary to researching the vulnerabilities to ensure they aren’t exploited the way WannaCry and NotPetya were two years ago.

Fitbit targets 1 million new users with Singapore government tie-up

(Reuters) – Fitbit Inc (FIT.N) said on Wednesday it signed a contract with the Singapore government to provide fitness trackers and services in a health program it said could reach up to one million users.

FILE PHOTO: Visitors walk past an advertising billboard for Fitbit Ionic watches at the IFA Electronics Show in Berlin, Germany, September 1, 2017. REUTERS/Fabrizio Bensch

Fitbit will supply its trackers free of charge on the condition users spend S$10 ($7.22) each month, for a year, on the company’s premium subscription.

“The program’s goal is to ultimately reach up to one million people,” a spokeswoman for Fitbit said in an email.

The company’s shares closed up 2% on Wednesday on the New York Stock Exchange.

The program could be a boost for the San Francisco-based wearables pioneer, which has seen its shares sink in the past two years in the face of competition from Apple (AAPL.O), Samsung Electronics (005930.KS) and a raft of cheaper rivals.

“This is Fitbit’s first major integration of a digital health platform and wearables into a national public health program globally,” the company said in a statement.

Singapore, a city-state of 5.6 million people, has the longest life expectancy in the world and widespread access to healthcare. However, the government has raised concerns about relatively high rates of heart disease and diabetes among its fast-ageing population.

Subscribers will receive personalized health advice and nudges to encourage physical activity, healthy eating and better sleep, said Zee Yoong Kang, chief executive of Singapore’s Health Promotion Board (HPB).

Fitbit said the program, which begins in October, will ask users if they consent to share their data with the HPB, which will use the information for health promotions.

Fitbit was among several bidders, an HPB spokeswoman said.

“There were many bidders and some were significant international players,” she said, adding that Fitbit had set the target for one million users.

Apple was among those vying for the bid, Fitbit Chief Executive James Park told CNBC.

Reporting by Neha Malara, Munsif Vengattil in Bengaluru and John Geddie; Editing by Marguerita Choy, Patrick Graham and Darren Schuettler

Want Tokyo Olympic tickets? No problem if you have $60,000

TOKYO (AP) — Having trouble getting tickets for next year’s Tokyo Olympics?

That’s no problem if you have $60,000 to spare.

Tokyo Olympic organizers are offering high-end hospitality packages to Japan residents with prices soaring to 6.35 million yen — about $60,000. This is good for the opening and closing ceremony, nine days of track and field with luxury seating and sumptuous dining. Low-end packages dip down to about $1,500 for one session at a less popular event.

Tokyo is shaping up as a very pricey Olympics.

Ticket demand is unprecedented, so unofficial re-selling likely will flourish. Hotel rates are soaring. And getting here will be costly, particularly for people traveling from the Americas and Europe.

“I don’t know if I can afford to go to the Olympics,” Brant Feldman, a Los Angeles-based sports agent, told The Associated Press. He’s attended seven straight Olympics and represents American and Canadian athletes for AGM Sports. “For the average family right now to head to the Olympics, it’s going to be the most expensive in history.”

Organizers of the 2020 Tokyo Olympics say the luxurious hospitality packages are an “opportunity for family, friends and business contacts” to enjoy the games. In the words of organizers, here’s what’s included with the tickets:

— specially selected Champagne, sake and beers

— gourmet dining menu prepared by top international chefs

— fine wines chosen by our sommelier

— elegant commemorative souvenir VIP access pass

— first-class personal service capable of dealing with any request

— event host and celebrity guests appearances.

Hospitality packages, of course, are aimed at the wealthy, targeting executives who treat the Olympics as a venue for doing business and schmoozing with sports as an alluring sideshow.

There’s also an old-fashioned way for residents of Japan to get scarce tickets: a so-called “second-chance” lottery that closed Monday. Results will be announced next month, and another lottery for Japan residents will be held in the fall.

For now, those living outside Japan must go through Authorized Ticket Resellers, which are deluged with unprecedented demand. They also offer high-end packages and are allowed to tack on a 20% service charge to each ticket. And many of the best tickets are tied to expensive hotels.

A random search of well-known hotel booking sites by AP found prices for most 3-4-star hotels between $1,000-1,500 per night with few available. There have been complaints that many hotels are canceling previous reservations to secure the markup.

Even Japan’s famous capsule hotels — or sleep pods — will cost more to crawl inside with prices up three or four times on booking sites.

In a statement to AP, Tokyo organizers said they are working with “the government and the accommodation industry and travel industry in order to control prices.”

Quoting a government report, organizers say there are 300,000 rooms “in different classes” in Tokyo and in neighboring prefectures.

Olympic athletes are guaranteed housing and have access to a few tickets for event sessions in which they participate. After that, family and friends are on their own.

“If your son or daughter qualifies for the Olympics in 2020, I don’t know how any of those families are going to be able to afford the airline tickets, the Airbnb, the hotels, or get the tickets,” Feldman said.

Those planning to wait until the last minute to book rooms, which sometimes become available because organizers typically overestimate the number of rooms needed and the number of foreign visitors, could miss out.

It may not happen this time.

Tokyo’s demand is driven partly by a giant metropolitan area of 35 million, its safe streets, and long-time support for the Olympics.

Australia-based Kingdom Sports Group, an official reseller that deals primarily with Asia and Africa, said on a social media site that Tokyo is “30 times more popular” than London was in 2012. London is often seen as the benchmark for Olympic interest.

Ken Hanscom, a ticketing expert who runs Los Angeles-based TicketManager, told AP “this is the biggest (Olympic) demand ever — by far.”

The big winner could be the Paralympics, which open a few weeks after the Olympics close on Aug. 9, 2020. The lottery in Japan for the Paralympics started on Thursday with 2.3 million tickets available.

Just over 80% of Japan residents who applied got nothing in the first Olympic ticket lottery earlier this year. Of those who landed tickets in June, many got far fewer than they expected.

Organizers say 3.22 million tickets were sold in the first phase. Demand appears to exceed supply by at least 10 times. Another 680,000 tickets are available in this lottery, but only for those who were shut out the first time.

Tokyo organizers say there are 7.8 million tickets for the Olympics. They estimate between 70-80% will go to the general public in Japan. The difference between the larger and smaller percentage is 780,000 tickets, giving organizers flexibility in how tickets are distributed.

The remaining tickets are sold abroad, or go to sponsors, national Olympic committees, and sports federations.

Organizers hope to earn $800 million from ticket sales, a big chunk of income for the privately funded, $5.6 billion operating budget.

A report released last year by the national government’s Board of Audit said Japan is likely to spend $25 billion overall to prepare the games. This is public money, except for the operating budget. Organizers dispute the figure and say it’s about $12 billion, though what are Olympics costs — and what are not — is subject to heated debate.

Tokyo projected total costs of about $7.5 billion in its winning bid for the games in 2013.


Stephen Wade on Twitter: http://twitter.com/StephenWadeAP

T-Mobile hit by hours-long nationwide outage – TechCrunch

T-Mobile customers across the U.S. said they couldn’t make calls or send text messages following an outage.

We tested with a T-Mobile phone in the office. Both calls to and from the T-Mobile phone failed. When we tried to send a text message, it said the message could not be sent. Access to mobile data appeared to be unaffected.

The outage began around 6pm ET.

Users took to social media to complain about the outage. Users across the U.S. said they were affected. A T-Mobile support account said the cell giant “engaged our engineers and are working on a resolution.”

In a tweet two hours into the outage, chief executive John Legere acknowledged the company was struggling to get back online but noted that the company had “already started to see signs of recovery.”

By 10:34pm ET, the issue had been resolved, tweeted T-Mobile chief technology officer Neville Ray, without saying what caused the four-hour long outage.

T-Mobile is the third largest cell carrier after Verizon (which owns TechCrunch) and AT&T. The company had its proposed $26.5 billion merger with Sprint approved by the Federal Communications Commission, despite a stream of state attorneys general lining up to block the deal.

Updated with acknowledgement by chief executive John Legere, and later from Neville Ray.
