My Weekly RoundUp #94

Trump’s ban for Huawei, and towel day!

Cybersecurity

PoC Exploit For Unpatched Windows 10 Zero-Day Flaw Published Online

An anonymous hacker with an online alias “SandboxEscaper” today released proof-of-concept (PoC) exploit code for a new zero-day vulnerability affecting Windows 10 operating system—that’s his/her 5th publicly disclosed Windows zero-day exploit [1, 2, 3] in less than a year.

Published on GitHub, the new Windows 10 zero-day vulnerability is a privilege escalation issue that could allow a local attacker or malware to gain and run code with administrative system privileges on the targeted machines, eventually allowing the attacker to gain full control of the machine.

The vulnerability resides in Task Scheduler, a utility that enables Windows users to schedule the launch of programs or scripts at a predefined time or after specified time intervals.

SandboxEscaper’s exploit code makes use of SchRpcRegisterTask, a method in Task Scheduler to register tasks with the server, which doesn’t properly check for permissions and can, therefore, be used to set an arbitrary DACL (discretionary access control list) permission.

https://thehackernews.com/2019/05/windows-zero-day-vulnerability.html
https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe

Technology

US Tech Giants Google, Intel, Qualcomm, Broadcom Break Up With Huawei

Google has reportedly suspended all businesses with the world’s second-biggest smartphone maker, Huawei, and revoked its Android license effective immediately—a move that will have a drastic impact on Huawei devices across the globe.

Revoking Android license means Huawei future smartphones will no longer have access to Android updates and apps like Gmail or the Play Store, as well as Google technical support beyond services that are publicly available via open source licensing, Reuters report.

Why? That’s because last week, U.S. President Donald Trump signed an executive order declaring a national emergency banning foreign companies—over surveillance fear—from doing telecommunication business in the United States without the government’s approval.

https://thehackernews.com/2019/05/google-intel-huawei.html

Google will block Huawei from using Android and its services

Google has suspended some business with Huawei after Trump’s ban on the Chinese telco giant.
In November, The Wall Street Journal reported that the US Government is urging its allies to exclude Huawei from critical infrastructure and 5G architectures.
The United States is highlighting the risks for national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.

https://securityaffairs.co/wordpress/85872/security/google-blocks-huawei.html

Huawei responds to Google’s Android ban and explains what will happen to its Android phones

“Huawei will continue to provide security updates and after-sales services to all existing Huawei and Honor smartphone and tablet products, covering those that have been sold and that are still in stock globally,” a Huawei spokesman told Reuters via email. “We will continue to build a safe and sustainable software ecosystem, in order to provide the best experience for all users globally.”

In other words, if you already own a Huawei phone, then you’re going to get software updates, and you get to keep access to the Play Store. Unreleased models, however, might ship only run the open-source version of Android, deprived of Play Store access, at least until the Trump administration reverses the ban.

https://bgr.com/2019/05/20/usa-vs-huawei-android-updates-status-and-smartphone-parts-supply-ban/

IBM 360 Model 20 Rescue and Restoration

In late April of 2019 Adam Bradley and Chris Blackburn were sitting in a pub on a Monday night when Chris happened across a somewhat unusual eBay listing for an IBM 360 Model 20. This eBay listing was unusual mainly because it didn’t actually list the computer as an IBM 360, but rather as an “seltene Anlage “Puma Computer IBM 2020” which roughly translates from German into “rare plant “Puma Computer IBM 2020”.

https://ibms360.co.uk/?page_id=22

Privacy

Google stored business customers’ passwords in plaintext on its servers… for 14 years

Google has admitted that some of its business customers of G Suite (formerly known as Google Apps) had their passwords stored on the company’s internal servers for 14 years in plaintext.
Although Google says it has seen “no evidence of improper access to or misuse of” the sloppily-stored credentials, the tech giant says it is contacting affected users to ensure that passwords are reset.
In a blog post Google admits that way back in 2005 it made a mistake when coding a password recovery feature in the G Suite admin console which caused unscrambled plaintext passwords to be stored on its servers.
That goof means that any Google employee who had access to the servers where the unprotected passwords were stored could have accessed the highly sensitive credentials.

https://businessinsights.bitdefender.com/google-stored-business-customers-passwords-in-plaintext-on-its-servers-for-14-years

German Minister Wants Secure Messengers To Decrypt Chats

Germany’s Interior Minister Horst Seehofer purportedly wants to force messaging providers such as WhatsApp, Telegram, and Threema to provide plain text chats to law enforcement agencies on a court order as reported by Der Spiegel and from a number of other German news outlets.
This means that the leader of the Christian Social Union (CDU) basically wants to ban messaging end-to-end encryption since for keeping cleartext logs of encrypted chats the apps would either have to be injected with some sort of backdoor or the encryption removed altogether.
Seehofer is also known for his “zero tolerance” policy toward criminals and for calling for “video surveillance at every hot spot in the country” according to Deutsche Welle.

https://www.bleepingcomputer.com/news/security/german-minister-wants-secure-messengers-to-decrypt-chats/

Unsecure Chtrbox AWS database exposes data on 49 million Instagram influencers, accounts

An unsecured Chtrbox database hosted by Amazon Web Services (AWS) and discovered by security researcher Anurag Sen has exposed the records of more than 49 million Instagram influencers.
Data scraped from the accounts include bios, account details like number of followers, location information, email addresses, phone numbers and profile pictures as well as a calculated valuation of each account, according to a TechCrunch report.
Chtrbox, based in Mumbai, pays influencers, including celebrities, to post sponsored content.

https://www.scmagazine.com/home/security-news/privacy-compliance/unsecure-chtrbox-aws-database-exposes-data-on-49-million-instagram-influencers-accounts/

The ad-supported internet is broken, inefficient and a privacy nightmare. Let’s fix it!

Like millions of other people, you use messaging apps, social media, share, read and watch content on your phone or computer. If that’s the case then hundreds of AdTech companies collect and exchange your data every single day. AdTech, a short form of advertisement technology, is a catch-all term that describes tools and services that connect advertisers with target audiences and publishers. It’s also a multi-billion-dollar industry that is facing investigations by Data Protection Authorities and complaints by organisations like Privacy International. So, what’s the problem with AdTech and why are we challenging the industry now?

https://privacyinternational.org/long-read/2967/ad-supported-internet-broken-inefficient-and-privacy-nightmare-lets-fix-it

Thanks to Facebook, Your Cellphone Company Is Watching You More Closely Than Ever

A confidential Facebook document reviewed by The Intercept shows that the social network courts carriers, along with phone makers — some 100 different companies in 50 countries — by offering the use of even more surveillance data, pulled straight from your smartphone by Facebook itself.
Offered to select Facebook partners, the data includes not just technical information about Facebook members’ devices and use of Wi-Fi and cellular networks, but also their past locations, interests, and even their social groups. This data is sourced not just from the company’s main iOS and Android apps, but from Instagram and Messenger as well. The data has been used by Facebook partners to assess their standing against competitors, including customers lost to and won from them, but also for more controversial uses like racially targeted ads.


Technology

Persistence of Chaos: Laptop infected with world’s most dangerous malware up for sale

A laptop infected with six of the most dangerous viruses and malware that have caused around $95bn (£74bn) of damage has been put up for auction.
The Samsung NC10-14GB 10.2-inch blue netbook has been isolated and is incapable of connecting to the internet to prevent its contents getting out.

The current highest bid at the New York-based anonymous auction – which is being billed as a piece of art – is $1,130,500 (£900,000).

https://news.sky.com/story/persistence-of-chaos-laptop-infected-with-worlds-most-dangerous-malware-up-for-sale-11725622

SciFi

Magister Espresso Orchestra – Towel Day

Towel Day” is a video clip directed by Valeria Cozzarini on the music by Alessandro Sbrogiò performed by the Magister Espresso Orchestra conducted by Denis Feletto. It celebrates in Italy the “Towel Day”, a worldwide event happening on the 25th of May for Douglas Adams’s fans and lovers to commemorate his work: a towel, beer, and nuts, is what a space traveller must have while waiting for the destruction of planet Earth by the terrible Vogons. With its visionary and psychedelic approach, this video is a tangle of references to Adams’ masterpiece “Hitchhiker guide to the galaxy”, intersecting ingredients from his colourful imaginary universe. The video shows musicians on their galactic journeys, wearing housecoats and towels, on Chesterfield sofas, among dolphins and teapots, space cocktails and shaken phones. The “Guide” gives the travellers in the universe the most important advise: Don’t panic!.

https://www.youtube.com/watch?v=vr7-BPpJxlY

George R. R. Martin on the “Game of Thrones” Finale

Will the book ending be different compared to the show’s?

How will it all end? I hear people asking.   The same ending as the show?  Different?
Well… yes.  And no.  And yes.   And no.   And yes.   And no.   And yes.
I am working in a very different medium than David and Dan, never forget.   They had six hours for this final season.   I expect these last two books of mine will fill 3000 manuscript pages between them before I’m done… and if more pages and chapters and scenes are needed, I’ll add them.   And of course the butterfly effect will be at work as well; those of you who follow this Not A Blog will know that I’ve been talking about that since season one.   There are characters who never made it onto the screen at all, and others who died in the show but still live in the books… so if nothing else, the readers will learn what happened to Jeyne Poole, Lady Stoneheart, Penny and her pig, Skahaz Shavepate, Arianne Martell, Darkstar, Victarion Greyjoy, Ser Garlan the Gallant, Aegon VI, and a myriad of other characters both great and small that viewers of the show never had the chance to meet.   And yes, there will be unicorns… of a sort…

http://georgerrmartin.com/notablog/2019/05/20/an-ending/

Star Trek: Picard – Official Teaser Trailer

The first trailer for CBS All Access’ Star Trek: Picard is here, and Picard is no longer a part of Starfleet. But why? I guess we’ll have to watch the series to find out!

https://www.geeksaresexy.net/2019/05/23/the-first-trailer-for-star-trek-picard-is-here/

Comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.