Roundup Here’s your weekend rapid-fire roundup of infosec news, ahead of next week’s RSA Conference, beyond what we’ve already covered.
Hutchins’ trial date set: After 18 months in legal limbo in America, Brit malware reverse-engineer Marcus Hutchins, who halted the 2017 Wannacry ransomware outbreak, this week learned he will go before a jury in July.
Hutchins was cuffed in August 2017 in Las Vegas by the FBI, shortly after the global WannaCry infection, and was soon-after formally accused of developing the Kronos banking trojan. He denies any wrongdoing. Since being released on bail, Hutchins has been stuck living on the California coast, and unable to return home to England.
His trial by jury, in a Wisconsin federal district court, is now due to start on July 8. Hutchins has until mid-June to change his plea to guilty, if he so wishes, and have his sentence lessened slightly as a result of avoiding a full-blown expensive trial. His defense costs may hit seven figures, and he is seeking donations to defray costs.
Patch Adobe ColdFusion, Cisco WebEx, Nvidia drivers: Adobe on Friday issued an emergency security update for ColdFusion versions 2018, 2016 and 11 to address a vulnerability (CVE-2019-7816) that can be exploited to execute malicious code on an at-risk installation. This flaw is being targeted right now in the wild by miscreants, we’re told.
“This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request,” Adobe noted. “Restricting requests to directories where uploaded files are stored will mitigate this attack.”
Also, you probably want to patch Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows to address a vulnerability (CVE-2019-1674) that can be exploited to “allow an authenticated, local attacker to execute arbitrary commands as a privileged user.” And Nvidia has emitted a bunch of security fixes to close off arbitrary code execution flaws and escalation-of-privilege blunders, as well as crashes.
Microsoft quietly warms up Google’s Spectre V2 mitigation: In a Windows 10 build 1809 update, KB4482887, issued late this week, Microsoft enabled support for Google’s Retpoline mitigation against Spectre Variant 2 in its kernel, among other bug fixes.
Up until now, Microsoft has relied on processor microcode updates to prevent malware from exploiting Spectre V2 CPU flaws to steal passwords and other secrets from the operating system and other applications. Said microcode patches, simply put, involve repeatedly flushing processor caches to thwart attacks, whereas Retpoline is much more elegant: it changes how software calls subroutines so that it cannot be exploited via Spectre V2.
Crucially, Google’s approach incurs much less of a performance hit than flushing caches all the time, though it requires software be recompiled using the technique. That left Microsoft in a bind: it had to rebuild, or patch on the fly, its operating system to make use of Google’s breakthrough, and that still left third-party closed-source kernel-mode drivers vulnerable to exploitation. Until now, Retpoline has remained disabled by default in Windows 10 for the vast majority of users, who rely instead on microcode patches, though it has been available to some Insider testers.
Now, with this update, the latest edition of Windows 10 can use fast Retpoline where possible, and fall back to slow cache flushing when it can’t due to vulnerable third-party drivers and so on. Retpoline has about a two-per-cent overhead, whereas the microcode approach is many times that, depending on the workload.
Microsoft, refreshingly, goes into much more technical detail on the changes here. Essentially, if you’re running Windows 10 build 1809, aka the big October 2018 upgrade, look out for this update and install it once you’re happy with it, so as to eventually benefit from Retpoline’s performance boost. The changes are also expected to be baked into Windows 10 19H1, due out this Spring.
It also sounds as though Microsoft will gradually enable Retpoline for users, taking it nice and slow rather than breaking tens or hundreds of millions of installations at once, because it involves fundamentally changing the way its operating system branches to subroutines. “Over the coming months, we will enable Retpoline as part of phased rollout via cloud configuration,” the biz explained in its tech notes. “Due to the complexity of the implementation and changes involved, we are only enabling Retpoline performance benefits for Windows 10, version 1809 and later releases.”
D’oh Jones! News database exposed online: A copy of Dow Jones’ Watchlist – a paid-for database of news articles and other public sources on politicians, terrorists, criminals, their friends and families, and other such interesting folks – was accidentally left facing the internet. The poorly secured AWS Elasticsearch data silo, containing 2,418,862 records, has since been hidden from view.
“This data is entirely derived from publicly available sources,” a Dow Jones spokesperson told Bob Diachenko, who discovered the cockup and flagged it up this week. “At this time our review suggests this resulted from an authorized third party’s misconfiguration of an AWS server, and the data is no longer available.”
“It has been a blast working on this project over the past 18 months, but to be completely honest, it isn’t economically viable anymore,” its operators wrote this week.
“The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the ‘crash’ of the crypto-currency market with the value of XMR depreciating over 85% within a year. This and the announced hard fork and algorithm update of the Monero network on March 9 has lead us to the conclusion that we need to discontinue Coinhive.
“Thus, mining will not be operable anymore after March 8, 2019. Your dashboards will still be accessible until April 30, 2019 so you will be able to initiate your payouts if your balance is above the minimum payout threshold.”
Huawei bean-counter extradition hearing green-light: Canadian authorities have decided to put America’s extradition request for Huawei CFO Meng Wanzhou before a judge. The hearing is set to take place on March 6.
DEF CON call for papers: This year’s DEF CON hacking conference is now accepting proposals for talks, and has offered to cover hotel bills for up to three nights.
DDoS-for-hire bloke ‘fesses up: Sergiy P. Usatyuk, 20, of Orland Park, Illinois, in the US, pleaded guilty this week to conspiracy to cause damage to internet-connected computers by launching distributed-denial-of-service attacks against victim’s internet connections and websites in exchange for money. Usatyuk and a co-conspirator banked more than $550,000 from knocking netizens and organizations offline, according to prosecutors.
DNSSEC push renewed: DNS overlord ICANN has urged net admins to deploy DNSSEC technology to protect websites from being hijacked by miscreants, following a spate of domain takeovers. These hijackings are typically the result of crooks breaking into weakly secured domain registrar user accounts, rather than exploiting underlying protocols and systems.
Pubs, hotels’ payment systems hacked: If you’ve paid for anything at these bars, restaurants, and hotels in America between January 3 and 24 this year, using a debit or credit card, then the details – the cardholder’s name, card number, card expiration date, and CVV – were probably snaffled by malware on the payment systems, and siphoned off to fraudsters.
The affected businesses are spread out over Arizona, Minnesota, Louisiana, Iowa, Missouri, North and South Dakota, Texas, Wisconsin, Tennessee, Oregon, California, Colorado, and Ohio. ®
Cloud Security: From Start Point to End Point