Windows Server 2003 Bug Found – No Patch From Microsoft

A vulnerability has been discovered in Windows Server 2003 running IIS6 by two security researchers at the South China University of Technology, but Microsoft said it won't issue a patch even though up to 600,000 servers could be running the unsupported software.

The researchers posted a proof-of-concept exploit for the zero-day to GitHub. The flaw is a zero-day buffer overflow vulnerability (CVE-2017-7269) which has been traced to improper validation of an ‘If’ header in a PROPFIND request.

“A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application,” said Virendra Bisht, a vulnerability researcher at Trend Micro.

He added that other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC).

The affected versions of the web server software have not been supported since 2015 – Microsoft said it was unlikely to patch the affected code. 

"This issue does not affect currently supported versions," said a Microsoft spokesperson. "We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection." 

If you are still running Windows Server 2003, you are long past the point where you should have upgraded.
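For servers that cannot be retired right away, the request pattern described above (a PROPFIND carrying an abnormal If header) can be flagged in front of the web server or in captured traffic. The following is an added example, not code from the researchers or from Microsoft; the 256-byte limit, the function names and the sample requests are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy limit (not from the article): tune to what your WebDAV clients send.
MAX_IF_HEADER_BYTES = 256

@dataclass
class Finding:
    method: str
    if_length: int
    reasons: list = field(default_factory=list)

def parse_head(raw: bytes):
    """Return (METHOD, {lowercased header name: [raw values]}) for a request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace").upper()
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and last:  # obsolete folding: continue previous value
            headers[last][-1] += b" " + line.strip()
            continue
        name, sep, value = line.partition(b":")
        if sep:
            last = name.strip().lower().decode("ascii", "replace")
            headers.setdefault(last, []).append(value.strip())
    return method, headers

def check_request(raw: bytes):
    """Return a Finding for a PROPFIND whose If header looks abnormal, else None."""
    method, headers = parse_head(raw)
    if method != "PROPFIND" or "if" not in headers:
        return None
    joined = b", ".join(headers["if"])  # repeated headers count as one value
    finding = Finding(method, len(joined))
    if len(joined) > MAX_IF_HEADER_BYTES:
        finding.reasons.append("If header exceeds %d bytes" % MAX_IF_HEADER_BYTES)
    if any(b < 0x20 or b > 0x7E for b in joined):
        finding.reasons.append("If header has non-printable or non-ASCII bytes")
    return finding if finding.reasons else None

# Constructed sample requests (not captured traffic).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: files.example.test\r\n"
          b"Depth: 1\r\nIf: (<opaquelocktoken:constructed-token>)\r\n\r\n")
OVERSIZED = (b"PROPFIND / HTTP/1.1\r\nHost: files.example.test\r\n"
             b"If: (" + b"x" * 600 + b")\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, check_request(req))
```

A check like this only buys time while the server is being replaced; where WebDAV is not needed, turning it off removes the exposed component entirely.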

WikiLeaks Reveals CIA Source Code

WikiLeaks published hundreds more files from the Vault 7 series today which, it claims, show how the CIA can mask its hacking attacks to make them look like they came from other countries, including Russia, China, North Korea and Iran.

Dubbed "Marble," part 3 of the CIA files contains 676 source code files of a secret anti-forensic Marble Framework, which is basically an obfuscator or a packer used to hide the true source of CIA malware.

The CIA's Marble Framework tool includes a variety of different algorithms with foreign language text intentionally inserted into the malware source code to fool security analysts and falsely attribute attacks to the wrong nation.

The leaked files indicate that Marble's source code includes Chinese, Russian, Korean, Arabic and Farsi languages, as well as English, which shows that the CIA has engaged in clever hacking games.

Insurance Company Files Lawsuit, Says General Liability Policy Does Not Cover Data Breach

St. Paul Fire & Marine Insurance has filed a lawsuit against Rosen Millennium Technology Group, a sister company to Rosen Hotels & Resorts, seeking a judge's confirmation that the insurance company is not responsible for paying costs related to a data breach of the hotel's point-of-sale system. Rosen was fined USD 2.4 million by payment card companies and others regarding the breach. Rosen filed for reimbursement of the expense under its general liability policy. St. Paul maintains that the data breach and its financial consequences are not covered by the general liability policy.

This is why it is important for you to have a Cyber Liability Policy from your insurance carrier to cover these types of things.

IoT (Internet of Things)

The fact that U.S. intelligence agencies have the ability to use Internet connected devices such as your refrigerator, baby camera, or WiFi Access Point as spy tools may or may not be surprising, depending on one's level of cynicism. But the fact that these household items can be easily hacked, even without advanced tools, places consumers in the unenviable position of not knowing the cyber protection level of their smart products – nor who is responsible if and when something negative happens.

The mountain of evidence proving that Internet of Things (IoT) devices are not only vulnerable but are being regularly hacked might be tall enough to scare off the most intrepid mountain climber. From the March WikiLeaks reveal that the CIA used everyday connected devices to gather intelligence to the Mirai attacks in 2016 that recruited webcams into a botnet army that helped knock parts of the internet offline, the problem is serious and growing.

There are 6.4 billion IoT devices in use right now with this figure expected to hit 20 billion by 2020, according to the most recent numbers from Gartner. These gadgets can be found populating every product category – from cars to washing machines to light bulbs. But despite the huge numbers and omnipresence, testing for cybersecurity is still in its early stages.

In fact, there are few guidelines in place for vendors to use to either test their own products against an industry standard or to inform consumers that a product is cyber safe.

One of the world's most well-known product testers, Underwriters Laboratories (UL), is attempting to fill this gap by delivering cybersecurity validation for IoT devices through its Cybersecurity Assurance Program (CAP). The initiative is designed to help vendors minimize cybersecurity risks by assessing software vulnerabilities and weaknesses, minimizing exploitation, addressing known malware, reviewing security controls and increasing security awareness. It is also meant to help consumers who are looking to purchase secure products.

Major Spammer Accidentally Leaks Data on a Billion People

It's bad enough we have to worry about spam emails promising discount medications and other shady deals. Now we have to be concerned that the spammers don’t accidentally leak user data they probably dubiously obtained.

A huge email marketing organization called River City Media failed to safeguard backups of its database of 1.34 billion email accounts, resulting in all that user information being available for anyone to see.

Chris Vickery, a MacKeeper security researcher, wrote Monday that he discovered the unsecured user data in January and worked with security organization Spamhaus and cybersecurity news site CSO Online to further investigate the data breach.

Vickery said he traced the “leaky files” to the spamming operation, which he said “masquerades as a legitimate marketing firm while, per their own documentation, being responsible for up to a billion daily email sends.”

He wrote that River City Media was able to obtain “email accounts, full names, IP addresses, and often physical address” from over a billion people through its spam operation that involves emails promising “credit checks, education opportunities, and sweepstakes.”

The database of user information is so big, Vickery wrote, “chances are that you, or at least someone you know, is affected.”

CSO Online, which helped Vickery in his investigation, has a detailed account on the spam operations of River City Media and how it accidentally leaked its database. The gist of the data breach is that River City Media workers failed to properly configure its backup system, which led to Vickery discovering the user data.

So, I would suggest that you take some time this weekend and change all of your passwords just to be on the safe side. The data breaches are getting out of hand and if you have changed your password recently, that narrows down your chance of being hacked substantially.

Computer Networks of Roanoke, Inc.
Hank Wagner
hank.wagner@computernetworksinc.com
757-333-3299 x232

Stop Using Passwords

Passwords are something you use almost every day, from accessing your email or banking online to purchasing goods or accessing your smartphone. However, passwords are also one of your weakest points; if someone learns or guesses your password they can access your accounts as you, allowing them to transfer your money, read your emails, or steal your identity. That is why strong passwords are essential to protecting yourself. However, passwords have typically been confusing, hard to remember, and difficult to type. In this newsletter, you will learn how to create strong passwords, called passphrases, which are easy for you to remember and simple to type.

The challenge we all face is that cyber attackers have developed sophisticated and effective methods to brute force (automated guessing) passwords. This means bad guys can compromise your passwords if they are weak or easy to guess. An important step to protecting yourself is to use strong passwords. Typically, this is done by creating complex passwords; however, these can be hard to remember, confusing, and difficult to type. Instead, we recommend you use passphrases--a series of random words or a sentence. The more characters your passphrase has, the stronger it is. The advantage is these are much easier to remember and type, but still hard for cyber attackers to hack. Here are two different examples:

Sustain-Easily-Imprison

Time for tea at 1:23

What makes these passphrases so strong is not only are they long, but they use capital letters and symbols. (Remember, spaces and punctuation are symbols.) At the same time, these passphrases are also easy to remember and type.

You can make your passphrase even stronger if you want to by replacing letters with numbers or symbols, such as replacing the letter ‘a’ with the ‘@’ symbol or the letter ‘o’ with the number zero. If a website or program limits the number of characters you can use in a password, use the maximum number of characters allowed.
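The "series of random words" approach described above, as an added example that is not part of the original newsletter: it picks the words with a cryptographic random source and shows how word count and word-list size translate into guessing effort. The 32-word list, the function names and the guessing rate passed to years_to_exhaust are assumptions made for illustration.

```python
import math
import secrets

# Constructed 32-word sample list so the block runs offline; a real list
# should hold thousands of words (the size drives the strength).
WORDS = ("sustain easily imprison time tea garden marble river copper window "
         "planet anchor velvet cactus harbor ladder pepper signal tunnel walnut "
         "bucket canyon dragon ember falcon glacier hammer island jungle kettle "
         "lantern meadow").split()

def generate_passphrase(n_words=3, words=WORDS, sep="-"):
    """Pick n_words independently and uniformly with the OS CSPRNG."""
    if n_words < 1 or len(set(words)) != len(words):
        raise ValueError("need n_words >= 1 and a duplicate-free word list")
    return sep.join(secrets.choice(words).capitalize() for _ in range(n_words))

def entropy_bits(n_words, list_size):
    """Bits of entropy when every word is a uniform random pick from the list."""
    return n_words * math.log2(list_size)

def words_needed(target_bits, list_size):
    """Smallest word count that reaches target_bits for a given list size."""
    return math.ceil(target_bits / math.log2(list_size))

def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a fixed guessing rate (assumed rate)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    print(generate_passphrase())
    for size in (len(WORDS), 7776):  # 7776 = size of a five-dice word list
        print(size, round(entropy_bits(3, size), 1), words_needed(64, size))
```

The numbers hold only when the words are chosen by the generator; a phrase a person picks because it is memorable is easier to guess than its length suggests.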

netadmin