Tens of millions of biz Dell PCs smacked by privilege-escalation bug in bundled troubleshooting tool

Dell has copped to a flaw in SupportAssist – a Windows-based troubleshooting program preinstalled on nearly every one of its newer devices running the OS – that allows local hackers to load malicious files with admin privileges.

The company has issued an advisory about the flaw, warning that a locally authenticated low-privilege user could exploit the vuln to load arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of malware.

SupportAssist scans the system’s hardware and software, and when an issue is detected, it sends the necessary system state information to Dell for troubleshooting to begin.

This type of vulnerability is fairly common, but typically requires admin privileges to exploit, so isn’t generally considered a serious security threat. But Cyberark’s Eran Shimony, who discovered the bug, said that in this case, SupportAssist attempts to load a DLL from a directory that a regular (non-admin) user can write into.

“Therefore, a malicious non-privileged user can write a DLL that would be loaded by DellSupportAssist, effectively gaining code execution inside software that runs with NT AUTHORITY\System privileges,” Shimony told The Reg.

“This is because you can write a code entry inside a function called DLLMain (in the malicious DLL) that would be called immediately upon loading. This code piece would run in the privilege level of the host process.”
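The check a defender wants after reading that quote is not the DllMain itself but "which directories on this privileged process's DLL search path can a standard user write to?". The script below is an added example, not Dell's or CyberArk's code, and it does not know which directory SupportAssist actually loaded from. It parses the text that Windows' `icacls <dir>` prints (run separately for each directory on the search path) and flags any directory where a low-privilege principal holds a write right. Every path and ACL in it is constructed for illustration.

```python
"""Flag user-writable directories on a privileged program's DLL search path.

Added example for the SupportAssist write-up above; not Dell's or CyberArk's
code. Input is the output of `icacls <dir>`, one directory at a time. All
directory names and ACL lines below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Groups every interactive, non-admin account belongs to. A write grant to
# any of these lets a standard user drop a DLL into the directory.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
    "Everyone",
}

# icacls simple rights that include write (F, M, W) plus specific rights that
# let a caller create/replace files or rewrite the ACL. Inheritance flags such
# as (I), (OI), (CI), (IO) are not rights and are ignored.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "DC", "WDAC", "WO"}

_ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(directory: str, output: str) -> List[Tuple[str, Set[str]]]:
    """Turn `icacls <directory>` output into (principal, flags) pairs.

    The first line is the path followed by the first ACE; later ACEs are
    indented on their own lines. Deny ACEs grant nothing and are dropped.
    """
    aces: List[Tuple[str, Set[str]]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(directory):
            line = line[len(directory):].strip()
        m = _ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" trailer
        flags: Set[str] = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            flags.update(f.strip() for f in group.split(","))
        if "DENY" in flags:
            continue
        aces.append((m.group("who"), flags))
    return aces


def user_writable_dirs(acls_by_dir: Dict[str, str]) -> Dict[str, List[str]]:
    """{directory: ["principal:rights", ...]} for directories a standard user can write to."""
    findings: Dict[str, List[str]] = {}
    for directory, output in acls_by_dir.items():
        hits = []
        for who, flags in parse_icacls(directory, output):
            granted = flags & WRITE_RIGHTS
            if who in LOW_PRIV_PRINCIPALS and granted:
                hits.append(f"{who}:{','.join(sorted(granted))}")
        if hits:
            findings[directory] = hits
    return findings


# Constructed icacls output for directories a hypothetical vendor service might
# search, in order: its own directory, a plugin directory, a ProgramData cache
# and System32. Only the last two ACL sets resemble a stock machine.
SAMPLE_ICACLS = {
    r"C:\Program Files\ExampleVendor\Tool": r"""C:\Program Files\ExampleVendor\Tool NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                    BUILTIN\Administrators:(I)(OI)(CI)(F)
                                    BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
""",
    r"C:\Program Files\ExampleVendor\Tool\plugins": r"""C:\Program Files\ExampleVendor\Tool\plugins NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                            Everyone:(OI)(CI)(RX,WD,AD)

Successfully processed 1 files; Failed processing 0 files
""",
    r"C:\ProgramData\ExampleVendor\cache": r"""C:\ProgramData\ExampleVendor\cache NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                  BUILTIN\Administrators:(OI)(CI)(F)
                                  BUILTIN\Users:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
""",
    r"C:\Windows\System32": r"""C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                    NT AUTHORITY\SYSTEM:(M)
                    BUILTIN\Administrators:(M)
                    BUILTIN\Users:(RX)
                    BUILTIN\Users:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
""",
}

if __name__ == "__main__":
    for directory, hits in user_writable_dirs(SAMPLE_ICACLS).items():
        print(f"WRITABLE BY STANDARD USERS: {directory}  <- {'; '.join(hits)}")
```

Feed it the real thing by running `icacls` against the program's own directory, System32, the Windows directory, the current working directory of the service and every entry of the system PATH, which is the default search order for a DLL requested by name. Any directory it flags is exactly the condition Shimony describes, and the vendor-side fix is to load by absolute path from a protected directory (or restrict the search with the LOAD_LIBRARY_SEARCH_SYSTEM32 flag) rather than to tighten the ACL after the fact.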

The flaw (CVE-2020-5316), which has a severity rating of “high”, affects Dell SupportAssist for business PCs version 2.1.3 or earlier and for home PCs version 3.4 or earlier.

Business users need to update to version 2.1.4, and home desk jockeys should roll over to version 3.4.1 to get the fixes.

Source: Tens of millions of biz Dell PCs smacked by privilege-escalation bug in bundled troubleshooting tool • The Register

Super-leaker Snowden punts free PDF* of tell-all NSA book with censored parts about China restored, underlined

Snowden’s bestseller Permanent Record is now available as a free download in Chinese after Communist Party censors cut out all the parts of the former IT admin’s memoir referring to China’s Great Firewall censorship system. The Great Firewall is one of the main means, in the digital era, by which the party maintains its iron grip on the world’s most populous nation’s internet viewing.

Thumbing his nose at the communists, Snowden has today released a 400-page PDF of the entire book – complete with the deleted sections restored and underlined so ordinary Chinese can see precisely what their ruling class doesn’t want them to read about.

In case Snowden’s embedded tweet above disappears at some point in the future, the PDF is hosted at a.temporaryrecord.com. Readers not fluent in Simplified Chinese will be disappointed to learn that they’ll have to pay for the book – even though doing so will end up enriching the US government and the NSA rather than Snowden himself. Although he’s banked his advance, royalties will go to Uncle Sam.

Source: Super-leaker Snowden punts free PDF* of tell-all NSA book with censored parts about China restored, underlined • The Register

Antarctica Just Set a New Temperature Record

It’s positively balmy in Antarctica. The National Meteorological Service of Argentina announced on Twitter that its Esperanza weather station recorded a new high for the continent: 18.3 degrees Celsius (64.9 degrees Fahrenheit).

The previous temperature record for Antarctica was set on March 24, 2015, when this same weather station recorded 17.5 degrees Celsius (63.5 degrees Fahrenheit) near the northern tip of the Antarctic Peninsula closest to South America. Antarctica may be one of the coldest zones on Earth, but it’s also one of the fastest-warming places: The World Meteorological Organization reports that the peninsula has warmed almost 3 degrees Celsius (5.4 degrees Fahrenheit) over the last half-century.

Source: Antarctica Just Set a New Temperature Record

Uncle Sam tells F-35B allies they probably won’t make minimum viable product unless they fly them a whole lot more

The US Department of Defense’s Director of Operational Test and Evaluation (DOTE) warned that the multinational F-35B fighter jet fleet is lagging behind a key flight-hours metric needed to show maintenance maturity.

On top of that, the supersonic stealth jet project’s move towards Agile methodology for “minimum viable product” (MVP)-phased development of critical flight and weapons software every six months is a “high risk” strategy, according to DOTE.

The F-35B fleet worldwide needs to rack up 75,000 flight hours before DOTE thinks it has gathered enough data to meet the contract spec. Currently the B model has just 45,000 hours across the board – and with HMS Queen Elizabeth due to deploy to the Pacific next year with two squadrons of F-35Bs aboard, this could mean the aircraft carrier will set sail with jets that haven’t met their required reliability standard. So far the B fleet is unable to meet its target of flying for 12 hours or more between critical failures.

Software development processes used to build F-35 software also fall under DOTE’s remit, and the auditor is not impressed by what it saw.

In its report (PDF, 14 pages), DOTE said it “assesses the MVP and ‘agile’ process as high risk due to limited time to evaluate representative IDT/OT data before fielding the software,” adding:

Testing will not be able to fully assess fielding configuration of the integrated aircraft, software, weapons, mission data, and ALIS capabilities prior to fielding. The aggressive 6-month development and fielding cycle limits time for adequate regression testing and has resulted in significant problems being discovered in the field.

ALIS is the F-35’s notorious maintenance software. Last seen on El Reg having been given Internet Explorer 11 compatibility two years ago, we now learn from DOTE that version 3.6, which was intended to be the Windows 10-compatible version with “cybersecurity improvements” will now no longer be developed. Instead the F-35 Joint Project Office, the US military unit in charge of F-35 development, “announced it plans to release capabilities via smaller, more frequent service pack updates.”

This, wailed DOTE, “increases timeline uncertainty and schedule risk for corrections to ALIS deficiencies, particularly those associated with cybersecurity and deploying Windows 10.”

Comically, the F-35 JPO has also drunk the DevOps Kool-Aid for these ALIS service packs – giving it the genuine codename “Mad Hatter”. DOTE appeared unsure whether Mad Hatter was DevOps-based or agile, however, commenting: “It is unclear that new approaches, such as ALIS NEXT and ‘Mad Hatter’ will sufficiently improve ALIS, or if more resources are needed.”

Source: Uncle Sam tells F-35B allies they’ll have to fly the things a lot more if they want to help out around South China Sea • The Register

More sadness in the article

Instagram-Scraping Clearview AI Wants To Sell Its Facial Recognition Software To Authoritarian Regimes

As legal pressures and US lawmaker scrutiny mounts, Clearview AI, the facial recognition company that claims to have a database of more than 3 billion photos scraped from websites and social media, is looking to grow around the world.

A document obtained via a public records request reveals that Clearview has been touting a “rapid international expansion” to prospective clients using a map that highlights how it either has expanded, or plans to expand, to at least 22 more countries, some of which have committed human rights abuses.

The document, part of a presentation given to the North Miami Police Department in November 2019, includes the United Arab Emirates, a country historically hostile to political dissidents, and Qatar and Singapore, the penal codes of which criminalize homosexuality.

Clearview CEO Hoan Ton-That declined to explain whether Clearview is currently working in these countries or hopes to work in them. He did confirm that the company, which had previously claimed that it was working with 600 law enforcement agencies, has relationships with two countries on the map.

Source: Instagram-Scraping Clearview AI Wants To Sell Its Facial Recognition Software To Authoritarian Regimes

Almost Every Website You Visit Records Exactly How Your Mouse Moves

When you visit any website, its owner will know where you click, what you type, and how you move your mouse. That’s how websites work: In order to perform actions based on user input, they have to know what that input is.

On its own, that information isn’t all that useful, but many websites today use a service that pulls all of this data together to create session replays of a user’s every move. The result is a video that feels like standing over a user’s shoulder and watching them use the site directly — and what sites can glean from these sorts of tracking tools may surprise you.

Session replay services have been around for over a decade and are widely used. One service, called FullStory, lists popular sites like Zillow, TeeSpring, and Jane as clients on its website. Another, called LogRocket, boasts Airbnb, Reddit, and CarFax, and a third called Inspectlet lists Shopify, ABC, and eBay among its users. They bill themselves as tools for designing sites that are easy to use and increase desired user behavior, such as buying an item. If many users add items to their cart, but then abandon the purchase at a certain rough part of the checkout process, for instance, the service helps site owners figure out how to change the site’s design to nudge users over the checkout line.

Source: Almost Every Website You Visit Records Exactly How Your Mouse Moves

Block these kinds of sites using things like uBlock Origin, Privacy Badger, Ghostery, Facebook Container, Chameleon, NoScript

US gov buys all US cell phone location data, wants to use it for deportations

The American Civil Liberties Union plans to fight newly revealed practices by the Department of Homeland Security which used commercially available cell phone location data to track suspected illegal immigrants.

“DHS should not be accessing our location information without a warrant, regardless whether they obtain it by paying or for free. The failure to get a warrant undermines Supreme Court precedent establishing that the government must demonstrate probable cause to a judge before getting some of our most sensitive information, especially our cell phone location history,” said Nathan Freed Wessler, a staff attorney with the ACLU’s Speech, Privacy, and Technology Project.

Earlier today, The Wall Street Journal reported that Homeland Security, through its Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) agencies, was buying geolocation data from commercial entities to investigate suspects of alleged immigration violations.

The location data, which aggregators acquire from cellphone apps, including games, weather, shopping and search services, is being used by Homeland Security to detect undocumented immigrants and others entering the U.S. unlawfully, the Journal reported.

According to privacy experts interviewed by the Journal, because the data is publicly available for purchase, the government practices don’t appear to violate the law — despite being what may be the largest dragnet ever conducted by the U.S. government using the aggregated data of its citizens.

It’s also an example of how the commercial surveillance apparatus put in place by private corporations in democratic societies can be legally accessed by state agencies to create the same kind of surveillance networks used in more authoritarian countries like China, India and Russia.

“This is a classic situation where creeping commercial surveillance in the private sector is now bleeding directly over into government,” Alan Butler, general counsel of the Electronic Privacy Information Center, a think tank that pushes for stronger privacy laws, told the newspaper.

Source: ACLU says it’ll fight DHS efforts to use app locations for deportations | TechCrunch

Software error exposes the ID numbers, birthdays and genders for 1.26 million Danish citizens, 1/5th of the population

A software error in Denmark’s government tax portal has accidentally exposed the personal identification (CPR) numbers for 1.26 million Danish citizens, a fifth of the country’s total population.

The error lasted for five years (between February 2, 2015, and January 24, 2020) before it was discovered, Danish media reported last week.

The software error and the subsequent leak was discovered following an audit by the Danish Agency for Development and Simplification (Udviklings-og Forenklingsstyrelsen, or UFST).

According to the UFST, the error occurred on TastSelv Borger, the Danish tax administration’s official self-service portal where Danish citizens go to file and pay taxes online.

Government officials said the portal contained a software bug that every time a user updated account details in the portal’s settings section, their CPR number would be added to the URL.

The URL would then be collected by analytics services running on the site — in this case, Adobe and Google.

According to the UFST, details for more than 1.2 million Danish tax-payers were exposed by this bug and were inadvertently collected by the analytics providers.

CPR numbers are important in Denmark. They are mandatory for opening bank accounts, getting phone numbers, and many other basic operations.

CPR numbers also leak details about a user. They consist of ten digits, where the first six are a citizen’s birth date. They also leak the owner’s gender: if the last digit is odd the owner is male, and if it is even the owner is female.
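Two things follow from that description: anything placed in a URL ends up in every analytics script, server log and referrer header that sees the request, and a leaked CPR number is not an opaque identifier but a birth date and sex. The script below is an added example, not UFST's code and not based on the real TastSelv portal. It scans constructed Common Log Format lines for CPR-shaped values in the request URL, validates them by checking that the leading digits form a real date (the century rule keyed on the seventh digit is the published CPR scheme), decodes what they reveal, and produces a redacted URL that is safe to forward.

```python
"""Find Danish CPR numbers leaking through URLs in web or analytics logs.

Added example for the TastSelv write-up above; not UFST's code. Log lines are
constructed. The century rule on the 7th digit is the official CPR scheme.
"""
import re
from datetime import date
from typing import Dict, List, Optional

CPR_RE = re.compile(r"\b(\d{6})-?(\d{4})\b")  # DDMMYY, optional hyphen, 4-digit serial


def cpr_century(yy: int, seventh: int) -> int:
    """Century implied by the 7th digit together with the two-digit year."""
    if seventh <= 3:
        return 1900
    if seventh in (4, 9):
        return 1900 if yy >= 37 else 2000
    return 1800 if yy >= 58 else 2000  # digits 5 to 8


def decode_cpr(value: str) -> Optional[Dict[str, object]]:
    """Birth date and sex for a CPR-shaped string, or None if the leading six
    digits are not a valid date (then it is probably a timestamp or phone number)."""
    m = CPR_RE.fullmatch(value)
    if not m:
        return None
    ddmmyy, serial = m.groups()
    dd, mm, yy = int(ddmmyy[:2]), int(ddmmyy[2:4]), int(ddmmyy[4:])
    try:
        born = date(cpr_century(yy, int(serial[0])) + yy, mm, dd)
    except ValueError:
        return None
    # No modulus-11 check: numbers issued since 2007 need not satisfy it.
    return {"born": born, "sex": "male" if int(serial[-1]) % 2 else "female"}


def find_cpr_in_url(url: str) -> List[str]:
    """CPR numbers (normalised to 10 digits) in a request path or query string."""
    hits = []
    for m in CPR_RE.finditer(url):
        cpr = m.group(1) + m.group(2)
        if decode_cpr(cpr):
            hits.append(cpr)
    return hits


def redact_url(url: str) -> str:
    """Replace validated CPR numbers so the URL can be logged or forwarded."""
    return CPR_RE.sub(
        lambda m: "[CPR]" if decode_cpr(m.group(1) + m.group(2)) else m.group(0), url
    )


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per request whose URL carries a CPR number."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cprs = find_cpr_in_url(m.group("url"))
        if cprs:
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "url": m.group("url"),
                "cprs": cprs, "decoded": [decode_cpr(c) for c in cprs],
                "safe_url": redact_url(m.group("url")),
            })
    return findings


# Constructed access-log lines: a settings update that puts the CPR in the
# query string, a clean one, a POST, a Unix timestamp that is not a date, and
# a hyphenated CPR embedded in a path.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2020:10:15:32 +0100] "GET /settings/update?cpr=0102751234&lang=da HTTP/1.1" 200 512
203.0.113.8 - - [24/Jan/2020:10:16:01 +0100] "GET /settings/update?lang=da HTTP/1.1" 200 498
198.51.100.3 - - [24/Jan/2020:10:17:44 +0100] "POST /settings/update HTTP/1.1" 302 0
203.0.113.9 - - [24/Jan/2020:10:18:10 +0100] "GET /search?q=1581235200 HTTP/1.1" 200 2048
203.0.113.10 - - [24/Jan/2020:10:19:05 +0100] "GET /profile/310556-2315 HTTP/1.1" 200 700
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["ip"], f["safe_url"], [(d["born"], d["sex"]) for d in f["decoded"]])
```

Run over real logs this answers the question UFST had to answer after the fact: how many distinct people were exposed and over what period. The durable fix is the one the bug points at: never put a personal identifier in a URL (send it in a POST body or derive it from the session), and configure analytics tags to drop query strings so a future regression does not ship the data to third parties again.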

[…]

Denmark is the third Scandinavian government to suffer a security incident in the last few years. In 2015, the Swedish Transport Agency (STA) allowed several sensitive databases to be uploaded to the cloud and accessed by unvetted Serbian IT professionals. In 2018, a hacker group stole healthcare data for more than half of Norway’s population.

Source: Software error exposes the ID numbers for 1.26 million Danish citizens | ZDNet

How to Remove Windows 10’s Annoying Ads Masquerading as ‘Suggestions’

In a perfect world, every new computer with Windows 10 on it—or every new installation of Windows 10—would arrive free of annoying applications and other bloatware that few people need. (Sorry, Candy Crush Saga.) It would also be free of annoying advertising. While that’s not to say that Microsoft is dropping big banners for Coke or something in your OS, it is frustrating to see it shilling for its Edge browser in your Start Menu.

[…]

To disable these silly suggestions, pull up your Windows 10 Settings menu. From there, click on Personalization, and then click on the Start option in the left-hand sidebar. Look for the following option and disable it: “Show suggestions occasionally in Start”

And while you’re in the Settings app, click on Lock screen. If you aren’t already using a picture or a slideshow as the background, select that, and then deselect the option to “Get fun facts, tips, and more from Windows and Cortana on your lock screen.” In other words, you don’t want to get spammed with suggestions or ads.

Finally, head back to the main Settings screen and click on System. From there, click on “Notifications & actions” in the left-hand sidebar. Because Windows can sometimes get a little spammy and/or advertise you Microsoft products via notifications, you’ll want to uncheck “Get tips, tricks, and suggestions as you use Windows” to cut that out of your digital life.

Source: How to Remove Windows 10’s Annoying Ads Masquerading as ‘Suggestions’

Israeli Voters: Data of All 6.5 Million Voters Leaked

A software flaw exposed the personal data of every eligible voter in Israel — including full names, addresses and identity card numbers for 6.5 million people — raising concerns about identity theft and electoral manipulation, three weeks before the country’s national election.

The security lapse was tied to a mobile app used by Prime Minister Benjamin Netanyahu and his Likud party to communicate with voters, offering news and information about the March 2 election. Until it was fixed, the flaw made it possible, without advanced technical skills, to view and download the government’s entire voter registry, though it was unclear how many people did so.

[…]

It came less than a week after another app helped make a fiasco of the Democratic presidential caucuses in Iowa, casting serious doubts on the figures that were belatedly reported. That app had been privately developed for the party, had not been tested by independent experts, and had been kept secret by the party until weeks before the caucuses.

The personal information of almost every adult in Bulgaria was stolen last year from a government database by hackers suspected of being Russian, and there were cyberattacks in 2017 on Britain’s health care system and the government of Bangladesh that the United States and others have blamed on North Korea. Cyberattacks on companies like the credit agency Equifax, the Marriott International hotel company and Yahoo have exposed the personal data of vast numbers of people.

[…]

Explaining the ease with which the voter information could be accessed, Ran Bar-Zik, the programmer who revealed the breach, explained that visitors to the Elector app’s website could right-click to “view source,” an action that reveals the code behind a web page.

That page of code included the user names and passwords of site administrators with access to the voter registry, and using those credentials would allow anyone to view and download the information. Mr. Bar-Zik, a software developer for Verizon Media who wrote the Sunday article in Haaretz, said he chose the name and password of the Likud party administrator and logged in.

“Jackpot!” he said in an interview on Monday. “Everything was in front of me!”
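Everything that reaches the browser is readable with "view source", so the only defence is to make sure nothing secret is in what the server sends. The scanner below is an added example, not the Elector app's code, and the page it runs against is a constructed sample rather than the real site. It does what a pre-deploy check (or Bar-Zik) would do: look through inline script bodies for credential-like assignments and URLs with embedded user:password pairs, and through the markup for hidden form fields and data attributes named like credentials.

```python
"""Scan served HTML/JavaScript for credentials a visitor can read via "view source".

Added example for the Elector write-up above; not the app's code. The page
below is a constructed sample. Credential words and patterns are heuristics.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (kind, name, value)

CRED_WORD = re.compile(r"(?i)pass(?:word|wd)?|pwd|secret|api[_-]?key|token")

# name = "value"  /  "name": 'value'  where the name contains a credential word
ASSIGN_RE = re.compile(
    r"""["']?(?P<name>[\w.-]*(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)[\w.-]*)["']?"""
    r"""\s*[:=]\s*["'](?P<value>[^"']{4,})["']""",
    re.IGNORECASE,
)
# scheme://user:password@host...
BASIC_AUTH_RE = re.compile(
    r"""\b[a-z][a-z0-9+.-]*://([^/\s:@"']+):([^/\s@"']+)@[^\s"']+""", re.IGNORECASE
)


def scan_text(text: str) -> List[Finding]:
    """Findings in free text such as an inline <script> body."""
    out: List[Finding] = []
    for m in ASSIGN_RE.finditer(text):
        out.append(("assignment", m.group("name"), m.group("value")))
    for m in BASIC_AUTH_RE.finditer(text):
        out.append(("basic-auth-url", m.group(1), m.group(2)))
    return out


class SecretSniffer(HTMLParser):
    """Collects findings from script bodies, hidden inputs and attribute names."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag == "input" and a.get("type", "").lower() == "hidden":
            if CRED_WORD.search(a.get("name", "")) and a.get("value"):
                self.findings.append(("hidden-input", a["name"], a["value"]))
        for key, value in a.items():
            if value and CRED_WORD.search(key):  # e.g. data-api-key="..."
                self.findings.append(("attribute", key, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.findings.extend(scan_text(data))


def scan_page(html: str) -> List[Finding]:
    """All credential-looking material in one served page."""
    p = SecretSniffer()
    p.feed(html)
    p.close()
    return p.findings


# Constructed page: what a careless build might ship to every visitor.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Voter lookup (constructed sample)</title>
<script>
  var API_BASE = "https://api.example.invalid/v1";
  var adminUser = "site_admin";
  var adminPassword = "Sup3rSecret!";
  var cfg = { "api_key": "AKIAEXAMPLEKEY0000", retries: 3 };
  var dbUrl = "https://svc:hunter2@db.example.invalid/voters";
</script>
</head><body>
<form method="post" action="/login">
  <input type="hidden" name="admin_password" value="Sup3rSecret!">
  <input type="text" name="username">
  <button data-export-token="tok_abc123">Export</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    for kind, name, value in scan_page(SAMPLE_PAGE):
        print(f"{kind:15} {name:20} {value[:3]}{'*' * (len(value) - 3)}")  # mask when printing
```

Wire it into the build so it runs over the rendered pages and bundled JavaScript before deploy; a hit should fail the build, not just log. It will produce false positives (a variable called `tokenizer`, say), which is the right trade-off when the alternative is the whole registry walking out the door, and it finds nothing about credentials that are fetched at runtime from an API, which need a separate check on the API's authorisation.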

Source: Israeli Voters: Data of All 6.5 Million Voters Leaked – The New York Times

So – yes, centralised databases. What a great idea. Not.