Microsoft Offers Rewards of Up to $20,000 in New Xbox Bug Bounty Program

The program is the latest the tech giant has launched that pays users and security researchers to find vulnerabilities in its numerous products.

Microsoft is offering rewards of up to $20,000 for finding vulnerabilities in its Xbox gaming platform through its latest bug bounty program unveiled this week.

The Xbox Bounty Program is open to gamers, security researchers and basically anyone who can help the tech giant identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team, Chloé Brown, a Microsoft Security Response Center program manager, said in a blog post Thursday.

“Since launching in 2002, the Xbox network has enabled millions of users to share their common love of gaming on a safe and secure service,” she wrote in the post. “The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct and demonstrable impact on the security of Xbox customers.”

The minimum award for identifying an Xbox bug is $500. As is always the case in its bug-bounty programs, Microsoft will award submissions at the company’s discretion and pay “based on the severity and impact of the vulnerability and the quality of the submission,” according to the program’s guidelines.

If early reception to the new program is any indication, researchers welcome the opportunity to be paid for hacking the Xbox platform, something some of them already have been doing for free.

“Absolutely get in on this if you want fun research,” tweeted Kevin Beaumont, a self-appointed “cybersecurity bore.” Beaumont said he already has launched a man-in-the-middle attack on his own Xbox One and found “some really interesting things going on,” adding that “more research would be good as I couldn’t find anything for it on Google.”

DIY Xbox hackers should be warned, however, that Microsoft has rather strict rules and conditions for what type of Xbox bugs the company will pay researchers to identify and what type won’t be included in the reward system. The company also posted a list outlining the impact of a vulnerability versus the award for which it’s eligible.

The type of vulnerabilities that could cause the impact that would warrant an award from the company are: cross site scripting (XSS); cross site request forgery (CSRF); insecure direct object references; insecure deserialization; injection vulnerabilities; server-side code execution; significant security misconfiguration (when not caused by user); and using a component with known vulnerabilities (when demonstrated with a working proof of concept).

Microsoft also prohibits a number of actions under its new Xbox bounty program, including any kind of DoS testing, performing automated testing of services that generates significant amounts of traffic, or gaining access to any data that does not entirely belong to the user.

“For example, you are allowed and encouraged to create a small number of test accounts for the purpose of demonstrating and proving cross-account access,” according to the program rules. “However, it is prohibited to use one of these accounts to access the data of a legitimate customer or account.”

The Xbox program is the latest Microsoft is offering to enlist the public in identifying security holes in its products. The company already runs a significant number of bounty programs across its broad range of products, including for its online services; identity solutions such as Azure Active Directory; and its Hyper-V hypervisor.

A $20,000 peak bounty is about the average top end of the scale for Microsoft’s various bounty programs. While some of the company’s reward programs offer a maximum of $15,000 for identifying vulnerabilities, several offer rewards in the hundreds of thousands of dollars.

The highest possible reward someone can win from Microsoft for identifying a vulnerability in one of its products is $300,000 for finding a bug in its Microsoft Azure cloud services.

Wawa Breach May Have Affected More Than 30 Million Customers

Hefty collection of U.S. and international payment cards from the incident revealed in December found up for sale on dark-web marketplace Joker’s Stash.

A recent dump of payment card information being sold on a popular online fraud marketplace suggests that more than 30 million payment cards may have been affected by a malware attack and data breach at Wawa convenience stores and gas stations that was first revealed in December.

The Joker’s Stash marketplace, one of the largest and most notorious dark web marketplaces for buying stolen payment card data, began uploading card data Monday from a major breach dubbed “BIGBADABOOM-III,” researchers from New York-based fraud intelligence company Gemini Advisory revealed in a report.

“Gemini determined that the point of compromise for BIGBADABOOM-III is Wawa, an East Coast-based convenience store and gas station,” Gemini researchers Stas Alforov and Christopher Thomas wrote in the report, published Monday. “The company first discovered the breach on December 10, 2019.”

Joker’s Stash began advertising in December that it would upload a sizeable collection of U.S., European and global cards, including geolocation data listing the cardholder’s state, city and ZIP code, on Jan. 27. The marketplace boasted that the collection would include 30 million U.S. records across more than 40 states, as well as more than 1 million international records from more than 100 different countries, researchers wrote.

Joker’s Stash apparently made good on its promise, but so far only has uploaded a portion of the entire haul, according to Gemini. The median price of U.S. payment-card records from the breach is currently $17, with some of the international records priced as high as $210 per card, researchers said.

“Apart from banks with a nationwide presence, only financial institutions along the East Coast have significant exposure,” Alforov and Thomas added.

The day after Gemini released its report, Wawa acknowledged that the company “became aware of reports of criminal attempts to sell some customer payment card information” from the December breach, according to a press statement.

“We have alerted our payment card processor, payment card brands and card issuers to heighten fraud monitoring activities to help further protect any customer information,” the company said. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”

While Wawa—which operates mainly in Delaware, Florida, Maryland, New Jersey, Pennsylvania, Virginia and Washington, D.C.—discovered the breach in December, bad actors were collecting data for almost 10 months using malware on Wawa’s in-store payment processing system, the company said at the time. The malware first infected in-store payment processing systems after March 4; by April 22, most store systems—more than 850 in total—had been affected.

While Wawa has the most locations in New Jersey and Pennsylvania, the highest exposure of cards on Joker’s Stash currently comes from Wawa locations in Florida, followed by Pennsylvania, according to Gemini.

Overall, the Joker’s Stash collection suggests that the Wawa breach ranks among the largest payment-card breaches of all time, alongside those at more widely known retail companies, according to Gemini researchers.

“It is comparable to Home Depot’s 2014 breach exposing 50 million customers’ data or to Target’s 2013 breach exposing 40 million sets of payment card data,” Alforov and Thomas wrote.

While the financial effect of the breach on Wawa remains to be seen, such incidents have historically cost the affected companies considerable sums. Home Depot, for instance, spent $43 million on investigation and recovery costs, and eventually agreed to pay $19.5 million in compensation for the more than 50 million cardholders affected by its 2014 breach.

In a spot of good news for Wawa customers who may have been affected by the December breach, payment-card dumps like the one found on Joker’s Stash are not in very high demand in the dark web world, Alforov and Thomas noted.

“This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise,” they wrote, adding that the marketplace uses the breaches for credibility or publicity purposes to maintain a reputation “as the most notorious vendor of compromised payment cards.”

Zoom Fixes Flaw Opening Meetings to Hackers

Zoom has patched a flaw that could have allowed attackers to guess a meeting ID and enter a meeting.

NEW ORLEANS – Enterprise video conferencing firm Zoom has issued a bevy of security fixes after researchers said the company’s platform used weak authentication that made it possible for adversaries to join active meetings.

The issue stems from Zoom conference meetings not requiring a “meeting password” by default, a password given to attendees of what Zoom calls a meeting room. If meeting creators do not enable a meeting password, the only thing securing a meeting is its Meeting ID, a 9-, 10- or 11-digit number.

Researchers unveiled the findings Tuesday here at CPX 360, a security event hosted by Check Point. The report revealed that it is possible to identify valid meeting IDs, because Zoom’s join page labeled a submitted ID as “valid” or “invalid” when it was input into the meeting URL. This could let third-party actors guess a meeting ID and enter a conferencing session, said the Check Point Software researchers who presented the research.

“Brute forcing this [meeting ID] range is very hard if you have no feedback from Zoom, but Zoom made a mistake where a tag would identify if meeting IDs are valid or not when users input meeting IDs to the meeting URL,” Yaniv Balmas, head of cyber research for Check Point Software, told Threatpost. “An adversary with intermediate skills could unlock this attack.”

Predicting Meeting IDs

Researchers were able to pre-generate a list of 1,000 randomly-generated, potentially valid meeting IDs. They then took the random IDs and checked them against the URL string used for joining Zoom meetings (https://zoom.us/j/{MEETING_ID}).

If they paired an ID against the “Join Meeting” URL and it was incorrect, the output would say “invalid Meeting ID;” however, if a valid meeting ID was found, the output would say “Valid Meeting ID found” and list the meeting for which it was validated.

Specifically, the “div” element of the output shows whether a meeting ID is valid or not: “We discovered a fast and easy way to check this based on the following ‘div’ element present in the HTML Body of the returned response, when accessing ‘Join Meeting’ URL,” researchers said.

In this manner, researchers found that 4 percent of their randomly generated meeting IDs were valid, “which is a very high chance of success.”

An actual attack has some caveats. While a bad actor could discover a valid meeting ID, they would not know who the meeting URL belongs to or when the meeting would take place, making it nearly impossible to launch targeted attacks. Also, if a threat actor were to enter a meeting, their presence would show, potentially outing them on the call. However, if no one on the meeting notices their presence, such an attack could allow bad actors to snoop in on potentially private meetings and view business documents or presentations.

Mitigations

Researchers said that they contacted Zoom on July 22, 2019 regarding the issue: “Zoom representatives were very collaborative and responded quickly to our emails,” they said.

In response, Zoom has now added passwords by default to all scheduled meetings. Zoom also added features that let users add a password to an already-scheduled future meeting, and that let an account admin enforce password settings at the account level.

Zoom will also no longer automatically indicate whether a meeting ID is valid or invalid when a page loads; instead, the page will simply load and attempt to join the meeting, which bars a bad actor from quickly narrowing the pool of meeting IDs. In addition, repeated attempts to scan for meeting IDs can cause a device to be blocked “for a period of time.”
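The enumeration described under Predicting Meeting IDs and the two server-side fixes under Mitigations, as an added Python example; this is not Zoom’s or Check Point’s code. The join-page HTML, the live meeting IDs, the client name and the throttling thresholds are constructed stand-ins, and nothing here talks to zoom.us. `leaky_join_page` models the pre-fix response that carries a validity marker, `fixed_join_page` the response that merely attempts to join, and `ThrottledJoinService` the blocking of a client that scans too many IDs.

```python
"""Meeting-ID validity oracle (pre-fix) versus an oracle-free, throttled
join page (post-fix).  Added example; all data below is constructed."""
import random
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: IDs that "exist" on the stand-in service.
LIVE_MEETINGS = {123456789, 9876543210, 55555555555}

# Markers modelled on the div Check Point reported in the join-page body.
VALID_MARKER = re.compile(r"<div[^>]*>\s*Valid Meeting ID found\s*</div>", re.I)
INVALID_MARKER = re.compile(r"Invalid Meeting ID", re.I)


def leaky_join_page(meeting_id: int) -> str:
    """Pre-fix behaviour: the body states whether the ID is valid."""
    if meeting_id in LIVE_MEETINGS:
        return ('<html><body><div class="status">Valid Meeting ID found</div>'
                f'<div class="meeting">Meeting {meeting_id}</div></body></html>')
    return '<html><body><div class="status">Invalid Meeting ID</div></body></html>'


def fixed_join_page(meeting_id: int) -> str:
    """Post-fix behaviour: the same page for any ID; the client just tries to join."""
    return ('<html><body><div class="status">Joining...</div>'
            f'<script>joinMeeting({meeting_id})</script></body></html>')


def classify(html: str) -> Optional[bool]:
    """True/False when the page leaks validity, None when it gives no signal."""
    if VALID_MARKER.search(html):
        return True
    if INVALID_MARKER.search(html):
        return False
    return None


def generate_candidate_ids(n: int, rng: random.Random) -> List[int]:
    """Random 9-, 10- or 11-digit IDs, the ID space the article describes."""
    ids = set()
    while len(ids) < n:
        digits = rng.choice((9, 10, 11))
        ids.add(rng.randrange(10 ** (digits - 1), 10 ** digits))
    return sorted(ids)


def scan(fetch: Callable[[int], str], candidates: List[int]) -> Tuple[List[int], int]:
    """Run the oracle over the candidates.  Returns (IDs confirmed valid,
    number of responses that carried no signal at all)."""
    found, no_signal = [], 0
    for mid in candidates:
        verdict = classify(fetch(mid))
        if verdict is True:
            found.append(mid)
        elif verdict is None:
            no_signal += 1
    return found, no_signal


class ThrottledJoinService:
    """Post-fix server: no validity marker, and a client that sends more than
    `limit` requests inside `window` seconds is blocked for `block` seconds.
    The thresholds are constructed for the example, not Zoom's."""

    def __init__(self, limit: int = 10, window: float = 60.0, block: float = 300.0):
        self.limit, self.window, self.block = limit, window, block
        self._history: Dict[str, List[float]] = {}      # client -> request times
        self._blocked_until: Dict[str, float] = {}      # client -> block expiry

    def fetch(self, client: str, meeting_id: int, now: float) -> Tuple[int, str]:
        """Returns (HTTP status, body); 429 with an empty body while blocked."""
        if now < self._blocked_until.get(client, 0.0):
            return 429, ""
        recent = [t for t in self._history.get(client, []) if now - t < self.window]
        recent.append(now)
        self._history[client] = recent
        if len(recent) > self.limit:
            self._blocked_until[client] = now + self.block
            return 429, ""
        return 200, fixed_join_page(meeting_id)


if __name__ == "__main__":
    ids = generate_candidate_ids(1000, random.Random(1)) + sorted(LIVE_MEETINGS)
    print("pre-fix scan (valid IDs, no-signal count):", scan(leaky_join_page, ids))
    print("post-fix scan (valid IDs, no-signal count):", scan(fixed_join_page, ids))
```

Run stand-alone, the script scans 1,000 random IDs plus the three constructed live ones: against the leaky page it recovers exactly the live IDs, against the fixed page it learns nothing, and the throttled service answers 429 to a client once it passes the limit. The general point is that any response difference, whether a div, a status code, a redirect or a measurable timing gap, is an oracle; removing the marker closes this one, which is why the password-by-default change is the more important of the two fixes.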

“The privacy and security of Zoom’s users is our top priority,” a Zoom spokesperson told Threatpost. “The issue was addressed in August of 2019, and we have continued to add additional features and functionalities to further strengthen our platform. We thank the Check Point team for sharing their research and collaborating with us.”

Video Conferencing Flaws

It’s not the first time that vulnerabilities have been discovered in conferencing systems.

In 2018, a serious vulnerability discovered in Zoom’s desktop conferencing application could have allowed a remote attacker to hijack screen controls and kick attendees out of meetings. Last year, a zero-day vulnerability in the Zoom client for Mac allowed a malicious website to hijack a user’s webcam without their permission.

Cisco Systems just last week also fixed a high-severity vulnerability in its popular Webex video conferencing platform, which could let strangers barge in on password-protected meetings – no authentication necessary.


Cyber Crime To Go: Study Finds E-Scooters Vulnerable To Hacks, Data Theft

SAN ANTONIO — E-scooters for easy urban travel have become immensely popular over the past few years, popping up in essentially every major city in the United States. The growing trend of commuters and others zipping in and out of traffic has already led to some concerns regarding pedestrian safety, but now a new study has revealed another problem posed by the rise of e-scooters. Researchers from the University of Texas at San Antonio say that the very technology that makes these scooters so convenient is also very susceptible to potential hacks and data breaches.

The study’s authors predict hackers could potentially carry out a variety of attacks, including eavesdropping on riders, taking control of GPS systems to direct scooter users to different locations, denial of service attacks, and data theft.

“We were already investigating the risks posed by these micromobility vehicles to pedestrians’ safety. During that study, we also realized that besides significant safety concerns, this new transportation paradigm brings forth new cybersecurity and privacy risks as well,” comments study author Murtuza Jadliwala, an assistant professor in the UTSA Department of Computer Science, in a release.

“We’ve identified and outlined a variety of weak points or attack surfaces in the current ride-sharing, or micromobility, ecosystem that could potentially be exploited by malicious adversaries right from inferring the riders’ private data to causing economic losses to service providers and remotely controlling the vehicles’ behavior and operation,” Jadliwala says.

Many current e-scooter models communicate with riders’ smartphones over a Bluetooth Low Energy channel. It is entirely plausible that a person with malicious intentions could access that wireless channel and view the data exchanged between the scooter and the rider’s smartphone app. All things considered, this can be accomplished rather easily and cheaply using readily available software and tools such as Ubertooth and Wireshark.
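What a passive sniffer actually recovers from an unencrypted BLE link, as an added Python example; this is not code from the UTSA study or from any scooter vendor. The advertising frame and the ATT packets below are constructed, and the attribute handles and command bytes are made-up stand-ins rather than a real scooter protocol, which the page does not describe. The parsers follow the public Bluetooth formats: advertising data is a sequence of length/type/data structures, and the ATT PDUs that carry GATT reads, writes and notifications start with an opcode followed, for most opcodes, by a little-endian 16-bit attribute handle.

```python
"""Decode a constructed BLE capture the way a sniffer's dissector would.
Added example; frames, handles and values are invented for illustration."""
import struct
from typing import Dict, List, Tuple

AD_TYPES = {
    0x01: "Flags",
    0x03: "Complete 16-bit Service UUIDs",
    0x08: "Shortened Local Name",
    0x09: "Complete Local Name",
    0x16: "Service Data (16-bit UUID)",
    0xFF: "Manufacturer Specific Data",
}
ATT_OPCODES = {
    0x0A: "Read Request", 0x0B: "Read Response",
    0x12: "Write Request", 0x13: "Write Response",
    0x1B: "Handle Value Notification", 0x52: "Write Command",
}
HANDLE_BEARING = {0x0A, 0x12, 0x1B, 0x52}   # opcode is followed by a 16-bit handle


def parse_advertising_data(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split an advertising payload into AD structures: [len][type][data...],
    where len counts the type byte plus the data bytes."""
    structures, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                 # zero-length entry: padding, stop here
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError("truncated AD structure at offset %d" % i)
        structures.append((payload[i + 1], payload[i + 2:end]))
        i = end
    return structures


def describe_advertisement(payload: bytes) -> Dict[str, str]:
    """Human-readable view of an advertisement: device name, company ID, etc."""
    out: Dict[str, str] = {}
    for ad_type, data in parse_advertising_data(payload):
        label = AD_TYPES.get(ad_type, "AD type 0x%02x" % ad_type)
        if ad_type in (0x08, 0x09):
            out[label] = data.decode("utf-8", "replace")
        elif ad_type == 0xFF and len(data) >= 2:
            company = struct.unpack_from("<H", data)[0]   # company identifier, LE
            out[label] = "company 0x%04x, %s" % (company, data[2:].hex())
        elif ad_type == 0x03:
            count = len(data) // 2
            uuids = struct.unpack("<%dH" % count, data[:count * 2])
            out[label] = ", ".join("0x%04x" % u for u in uuids)
        else:
            out[label] = data.hex()
    return out


def parse_att_pdu(pdu: bytes) -> Dict[str, object]:
    """Decode one ATT PDU into opcode name, handle (if any) and value bytes."""
    if not pdu:
        raise ValueError("empty PDU")
    opcode = pdu[0]
    name = ATT_OPCODES.get(opcode, "opcode 0x%02x" % opcode)
    if opcode in HANDLE_BEARING:
        if len(pdu) < 3:
            raise ValueError("PDU too short to carry a handle")
        handle = struct.unpack_from("<H", pdu, 1)[0]
        return {"op": name, "handle": handle, "value": pdu[3:]}
    return {"op": name, "handle": None, "value": pdu[1:]}


def summarize_capture(frames: List[Tuple[str, bytes]]) -> List[str]:
    """One line per ATT frame: who sent it, what it did, on which handle."""
    lines = []
    for direction, pdu in frames:
        p = parse_att_pdu(pdu)
        if p["handle"] is None:
            lines.append("%s %s" % (direction, p["op"]))
        else:
            lines.append("%s %s handle=0x%04x value=%s"
                         % (direction, p["op"], p["handle"], p["value"].hex()))
    return lines


# Constructed capture: one advertisement from the scooter, then the app
# writing a command and the scooter notifying a status value back.
ADV_FRAME = bytes.fromhex("020106" "0b0953434f4f5445522d3432" "07ff3412aa01020b")
CAPTURE = [
    ("app->scooter", bytes.fromhex("12250001")),   # Write Request, handle 0x0025, value 0x01 (invented "unlock")
    ("scooter->app", bytes.fromhex("13")),         # Write Response
    ("scooter->app", bytes.fromhex("1b28004c")),   # Notification, handle 0x0028, value 0x4c (invented "76% battery")
]

if __name__ == "__main__":
    print(describe_advertisement(ADV_FRAME))
    for line in summarize_capture(CAPTURE):
        print(line)
```

The point of the decode is that, without link-layer encryption or an application-layer MAC, the scooter's name, the command handles and the values written to them are all readable from the air and can be replayed; a sniffer only needs to follow the connection. Pairing with LE Secure Connections, or authenticating and encrypting commands inside the application protocol, is what makes the ATT layer opaque to this kind of observer.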

Furthermore, the majority of people who sign up to use e-scooters end up handing over a variety of sensitive, personal data besides simple billing information. Most e-scooter companies automatically collect data such as location and individual vehicle information. All of that data could potentially be pieced together to formulate an individual rider profile encompassing a person’s typical daily preferred route, interests, and the location of both their home and workplace.

“Cities are experiencing explosive population growth. Micromobility promises to transport people in a more sustainable, faster and economical fashion,” Jadliwala concludes. “To ensure that this industry stays viable, companies should think not only about rider and pedestrian safety but also how to protect consumers and themselves from significant cybersecurity and privacy threats enabled by this new technology.”

The study is set to be presented at the 2nd ACM Workshop on Automotive and Aerial Vehicle Security (AutoSec 2020).

https://www.studyfinds.org/cyber-crime-to-go-study-finds-e-scooters-vulnerable-to-hacks-data-theft/

Spike in Texas cyber attacks against municipalities has City of SA in constant defense mode

“Up to 95% of incidents are driven by human error,” IT director said

SAN ANTONIO – Six months ago, cybercriminals attacked local government agencies in 23 Texas cities. The statewide attack brought the Lone Star State to the front and center of the discussion about cybercrime.

“Municipalities are always a target because we have very complex systems, broad responsibilities. Here in San Antonio, we have more than 40 departments and city services, almost 13,000 employees,” said City of San Antonio IT Director and Chief Information Officer Craig Hopkins.

Hopkins said he consistently prioritizes cybersecurity for those reasons and instead of training employees once a year, he sends out information once a month.

“Up to 95% of the incidents we have are usually driven by human error,” he said.

Hopkins teaches city employees about the main types of cyberattacks. He said “phishing” is the most common.

“Phishing basically says, ‘I want you to click on a link, and I want you to give up some information that you may not normally give. I can take over one account, and then I can impersonate you inside of your organization and move horizontally,’” Hopkins said.

He then explained a concept called “whaling.”

“Think of that as a big fish. People of a certain title, city manager, the chief financial officer — targeting them because if you can impersonate them, you can create influence over other people, so financial scams tend to come out,” Hopkins said.

Hopkins also warned about physical security, which can include people looking over your shoulder at confidential information, people calling your phone pretending to be someone else or people piggybacking into facilities where employees use an access card.

He said he could not go into specific technicalities of the city’s protective system, but he said all businesses should be taking preventive measures, especially agencies or companies with outdated systems.

https://www.ksat.com/news/local/2020/01/21/spike-in-texas-cyberattacks-against-municipalities-has-city-of-sa-in-constant-defense-mode/

Google: Flaws in Apple’s Private-Browsing Technology Allow for Third-Party Tracking

New research outlines vulnerabilities in Safari’s Intelligent Tracking Protection that can reveal user browsing behavior to third parties.

Technology Apple designed for its Safari web browser to protect users from being tracked when they surf the web may actually do just the opposite, according to new research from Google.

Google researchers have identified a number of security flaws in Safari’s Intelligent Tracking Protection that allow people’s browsing behavior to be tracked by third parties, according to a report published in the Financial Times (FT) Wednesday. The research will soon be disclosed publicly, the report said.

The research is a major blow to Apple’s commitment to user privacy, as the company long has claimed it is better than its rivals at protecting its customers’ data and web-browsing practices.

Google researchers discovered five different types of potential attack on the vulnerabilities they found in ITP that could allow for third parties like digital advertisers to obtain “sensitive private information about the user’s browsing habits,” according to the report.

Among those issues with ITP is a feature that stores information about websites visited by the user, Google researchers said. A flaw in the technology also could potentially allow hackers to “create a persistent fingerprint that will follow the user around the web,” according to the report.

Other vulnerabilities Google researchers discovered in ITP allowed third parties to observe what individual users were searching for on search engine pages, they said.

Apple added ITP to Safari in 2017 to protect user activity from being tracked by third parties. At the time the tool was seen as a boon for enhancing the privacy of users, and it inspired Google and other browser makers to make changes to their own products to limit third-party tracking.

Apple claims it already has addressed the flaws disclosed in the forthcoming Google research, according to the FT report. Indeed, Apple already was aware of issues in ITP and updated its WebKit browser engine in December with “enhancements” without disclosing any specific flaws.

That update was outlined in a blog post by Apple privacy engineer John Wilander, who thanked Google researchers “for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection,” he wrote.

“Their responsible disclosure practice allowed us to design and test the changes detailed above,” Wilander said at the time.

The forthcoming Google research is certainly not the first time the tech giant has called out Apple for security flaws in the company’s software, as the rival companies long have sparred over which offers safer and more secure technology to consumers.

In August, Google’s Project Zero team disclosed a total of 14 iPhone vulnerabilities — including two that were zero-days when discovered — that were targeted by five exploit chains in a watering hole attack that has lasted years. The watering holes delivered a spyware implant that can steal private data like iMessages, photos and GPS location in real time, Google researcher Ian Beer said at the time.

Apple later accused Google of spreading misinformation and fear over the vulnerabilities and the risk involved, needlessly panicking iPhone customers over flaws Apple already had patched that also were limited in scope to less than a dozen websites focused on content related to the Uighur ethnic minority community in northwestern China.

Microsoft Leaves 250M Customer Service Records Open to the Web

The trove of information is potentially a scammer’s bonanza.

UPDATE

Misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records to the open internet for 25 days. The account info dates back as far as 2005 and is as recent as December 2019 — and exposes Microsoft customers to phishing and tech scams.

Microsoft said it is in the process of notifying affected customers.

The Comparitech security research team said that it ran across five Elasticsearch servers that had been indexed by search engine BinaryEdge, each with an identical copy of the database. The database contained a wealth of phishing- and scam-ready information in plain text, including: Customer email addresses, IP addresses and physical locations, descriptions of customer service claims and cases, case numbers, resolutions and remarks, and internal notes marked “confidential.”

In short, it’s everything a cybercriminal would need to mount a convincing and large-scale fraud effort, Comparitech researcher Paul Bischoff wrote in a posting on Wednesday.

“The data could be valuable to tech support scammers, in particular,” he said. “Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.”

Other personally identifiable information (PII) – email aliases (i.e., names), contract numbers and, crucially, payment information – was redacted, which Microsoft said is done via an automated privacy-check process.

All five servers were exposed to the open internet, with no password required. Researcher Bob Diachenko, who collaborated with Comparitech on the discovery, notified Microsoft, which locked them down about two days after they were discovered, according to the posting.

Both Microsoft and Comparitech said there was no indication as to whether the insecure data was accessed by additional third parties.

Microsoft Says Exposure was Limited

Microsoft, for its part, released further details in its own blog posting on Wednesday, noting that the data was exposed to anyone with internet access for about 25 days over the holidays.

“Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data,” the security team wrote.

It added, “Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.”
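The kind of rule change Microsoft describes, and how to audit for it, as an added Python example; this is not Microsoft's code and the rule sets are constructed. They are modelled on the shape of an Azure network security group rule (priority, direction, access, protocol, source prefix, destination port range) but simplified: one source prefix and one port range per rule, no service tags beyond "Internet", and none of the platform default rules. The port numbers for Elasticsearch are the product's documented defaults; the 10.20.0.0/24 analytics subnet and 203.0.113.7 probe address are assumptions.

```python
"""Audit a constructed NSG-style rule set for database ports reachable from
the internet, judging by effective access (lowest priority number wins)
rather than by reading rules in isolation.  Added example; rule sets are
constructed and the NSG model is simplified."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

SENSITIVE_PORTS = {9200: "Elasticsearch HTTP", 9300: "Elasticsearch transport",
                   22: "SSH", 3389: "RDP"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}   # sources that mean "everyone"

# Constructed: the shape of a change that opens a database to the world.
EXPOSED_RULES: List[Dict] = [
    {"name": "allow-elastic", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "9200-9300"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed: the same intent expressed as an explicit allow-list plus an
# explicit deny, so a later lower-priority allow cannot silently reopen it.
CORRECTED_RULES: List[Dict] = [
    {"name": "allow-elastic-from-analytics", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/24",
     "destinationPortRange": "9200"},
    {"name": "deny-elastic-from-everyone-else", "priority": 110, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "9200-9300"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def port_matches(port: int, spec: str) -> bool:
    """spec is '*', a single port, or 'lo-hi'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def source_matches(src_ip: str, prefix: str) -> bool:
    if prefix in ANY_SOURCE:
        return True
    try:
        return ip_address(src_ip) in ip_network(prefix, strict=False)
    except ValueError:          # a service tag or name this model does not know
        return False


def protocol_matches(proto: str, spec: str) -> bool:
    return spec == "*" or spec.lower() == proto.lower()


def first_matching_rule(rules: List[Dict], src_ip: str, port: int,
                        proto: str = "Tcp") -> Optional[Dict]:
    """Inbound rules are evaluated in ascending priority; the first match decides."""
    inbound = (r for r in rules if r["direction"] == "Inbound")
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if (protocol_matches(proto, r["protocol"])
                and port_matches(port, r["destinationPortRange"])
                and source_matches(src_ip, r["sourceAddressPrefix"])):
            return r
    return None


def effective_access(rules: List[Dict], src_ip: str, port: int, proto: str = "Tcp") -> str:
    r = first_matching_rule(rules, src_ip, port, proto)
    return r["access"] if r else "Deny"     # nothing matched: closed (constructed default)


def find_internet_exposures(rules: List[Dict]) -> List[Tuple[str, int, str]]:
    """Sensitive ports an arbitrary internet address can reach, with the rule
    that grants each one.  203.0.113.7 (TEST-NET-3) stands in for 'the internet'."""
    probe = "203.0.113.7"
    exposures = []
    for port, label in sorted(SENSITIVE_PORTS.items()):
        r = first_matching_rule(rules, probe, port)
        if r is not None and r["access"] == "Allow":
            exposures.append((r["name"], port, label))
    return exposures


if __name__ == "__main__":
    print("exposed rule set:  ", find_internet_exposures(EXPOSED_RULES))
    print("corrected rule set:", find_internet_exposures(CORRECTED_RULES))
```

Two practitioner notes. First, the check evaluates what a packet would actually hit, so it also catches the case where a deny rule exists but sits at a worse priority than the allow; a linter that only greps for `"*"` sources misses that ordering bug. Second, the network rule was the only control here: the Elasticsearch instances answered with no password, so the corrected rule set above is necessary but not sufficient, and the datastore's own authentication has to be on as well.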

Microsoft added that it has begun notifying affected customers – of which there are presumably millions.

“Microsoft customers and Windows users should be on the lookout for…scams via phone and email,” Comparitech’s Bischoff said. “Remember that Microsoft never proactively reaches out to users to solve their tech problems—users must approach Microsoft for help first. Microsoft employees will not ask for your password or request that you install remote desktop applications like TeamViewer. These are common tactics among tech scammers.”

At least one researcher questioned the security and privacy protections that Microsoft had in place.

“This incident shows some concerning issues with the way data security was handled,” Fausto Oliveira, principal security architect at Acceptto, told Threatpost. “These are the more worrying facts that arise from this incident: Access to the data was not protected using (at least) username and passwords, although for this level of confidentiality I would expect it to be protected using multifactor authentication; not all data was encrypted; data about a customer is being retained well past what I would think reasonable — 14 years’ worth of support data strikes me as beyond a sensible data retention interval; from the disclosure, the threat surface was exposed for 25 days, although Microsoft found no evidence of malicious use, it is quite a long interval of exposure; and poor governance. If the correct policies and processes were enforced effectively, this type of event should be near impossible to occur.”

Security Deja-Vu

Microsoft tech support has been in the cyber-spotlight before, after the computing giant announced a breach stemming from the compromise of a support agent’s credentials. This enabled individuals outside Microsoft to access the victims’ email account-related information – including email addresses, folder names, email subject lines and recipient email addresses.

Meanwhile, cloud database misconfigurations, even by tech giants and cloud specialists, have become a bit of an epidemic. Adobe, for instance, in October exposed subscription records for nearly 7.5 million Adobe Creative Cloud users. The service offers cloud-based access to popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects and others.

“The most recent Microsoft data breach adds to almost weekly reports – at least since mid-2019 – of similar occurrences in large companies all over the world,” Rui Lopes, engineering and technical support director at Panda Security, told Threatpost. “What’s more, we know more than 50 percent of these incidents are caused by deliberate malicious attacks rather than human error – and they cost up to 27 percent more for that reason. Companies in any industry and of any size should build and implement solid data control strategies, allowing them not only to avoid direct financial losses but also the costly impact on reputation and client trust.”

The Verizon 2019 Data Breach Investigations Report (DBIR), published in May, found that misconfiguration of cloud-based file storage accounted for a fifth (21 percent) of the error-caused data exposures in the previous 12 months. In all, cloud storage mishaps exposed 60 million records in the DBIR dataset.

“On a positive note, I want to highlight that the Microsoft staff reacted in a rapid manner once they were warned about the incident and that their disclosure process worked,” Oliveira told Threatpost. “The security controls that Microsoft has selected after the incident are all reasonable, however, for an organization of this size and importance, I would expect them to be already in place, especially when dealing with customer data.”

This post was updated at 12:45 ET on Jan. 22, 2020 to incorporate third-party commentary and to update the exposure window.

Microsoft Zero-Day Actively Exploited, Patch Forthcoming

CVE-2020-0674 is a critical flaw for most Internet Explorer versions, allowing remote code execution and complete takeover.

An unpatched remote code-execution vulnerability in Internet Explorer is being actively exploited in the wild, Microsoft has announced. It’s working on a patch. In the meantime, workarounds are available.

The bug (CVE-2020-0674), which is rated critical in severity for IE 11 and moderate for IE 9 and IE 10, exists in the way the jscript.dll scripting engine handles objects in memory in the browser, according to Microsoft’s advisory, issued Friday.

The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user – meaning that an adversary could gain the same user rights as the current user.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft explained. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

An attack could be carried out using a malicious website designed to exploit the vulnerability through IE, the advisory noted. Threat actors could lure victims to the site by sending an email, through watering-hole techniques, via malicious documents containing a web link and other social-engineering efforts.

There is a workaround available from Microsoft, as well as a micropatch from 0patch, released on Tuesday.

Darkhotel APT Active Attacks

The in-the-wild attacks are likely the work of the APT group known as Darkhotel, according to the researchers at Qihoo 360 who found the bug.

“The impact [could be] no less than the damage caused by the previous WannaCry ransomware virus,” the security firm said in a Chinese-language web advisory. “At present, it is judged from the details and characteristics of the captured attacks that the zero-day vulnerability of IE browser is suspected to have come from the Peninsula’s APT organization, Darkhotel.”

Darkhotel was first identified in 2014 by Kaspersky researchers, who said the group had been active since at least 2007. The group is known for targeting diplomats and corporate executives via Wi-Fi networks at luxury hotels – but it has widened its targeting over the years, while continuing to leverage zero-day vulnerabilities and exploits.

In this case, Darkhotel is using Office documents for targeted attacks, according to Qihoo 360.

“The attacker’s in-field exploitation embeds the vulnerability in an Office document, and users will be successful when they open an Office document or browse the web,” the firm warned. “Once the user opens the malicious document carrying the vulnerability, he will browse the malicious webpage and execute the attack program. The user is not even aware that the device has been controlled. The attacker can take the opportunity to implant ransomware, monitor and monitor, and steal sensitive information, and so on.”

Patch and Workaround

While Microsoft is aware of “limited targeted attacks,” a patch won’t be released until next month’s Patch Tuesday, according to the computing giant.

“Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” it said.

One of the reasons the sense of urgency may be less than one would expect with a zero-day is the fact that all supported versions of IE in their default configuration use Jscript9.dll as their scripting engine, which is not vulnerable to the flaw. However, the issue affects versions of IE being used in Windows 7, which reached end-of-life last week and is therefore no longer supported. Qihoo 360 warned that this install base in particular is at risk.

For those that do use jscript.dll, Microsoft detailed a workaround that involves using administrative commands to restrict access to the scripting library. It’s not ideal, however: it could result in reduced functionality for components or features that rely on jscript.dll.

“For example, depending on the environment, this could include client configurations that leverage proxy automatic configuration scripts (PAC scripts),” Microsoft said. “These features and others may be impacted.”

Also, users will need to revert this workaround in order to install any future patches or updates.
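As an added illustration of what the workaround amounts to in PowerShell (this is not Microsoft’s published command sequence nor 0patch’s code): deny read access to jscript.dll, check that the deny is in place, and remove it again before a patch is installed. The use of an explicit Deny ACE for Everyone, the takeown step, and treating the SysWOW64 copy the same way on 64-bit Windows are assumptions about how to express the mitigation.

```powershell
# Added illustration; not Microsoft's published workaround commands.
# Assumes an elevated PowerShell session and that an explicit Deny ACE for
# Everyone is an acceptable way to express "nobody can read jscript.dll".
# On 64-bit Windows the 32-bit copy under SysWOW64 is covered as well.

$JScriptPaths = @("$env:windir\System32\jscript.dll")
if (Test-Path "$env:windir\SysWOW64\jscript.dll") {
    $JScriptPaths += "$env:windir\SysWOW64\jscript.dll"   # 32-bit IE on x64
}

function Get-JScriptDenyRules([string]$Path) {
    # Returns only the explicit Deny entries for Everyone on the given file.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone'
    }
}

function Deny-JScriptRead {
    foreach ($p in $JScriptPaths) {
        # The file is owned by TrustedInstaller; take ownership so the ACL
        # can be edited. The ownership change is itself a side effect to
        # remember when the workaround is reverted.
        takeown.exe /F $p | Out-Null
        $acl  = Get-Acl -Path $p
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Everyone', 'ReadAndExecute', 'Deny'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $p -AclObject $acl
    }
}

function Restore-JScriptRead {
    # Run this before installing the eventual security update, since the
    # installer must be able to read and replace the file.
    foreach ($p in $JScriptPaths) {
        $acl = Get-Acl -Path $p
        foreach ($r in Get-JScriptDenyRules $p) { [void]$acl.RemoveAccessRule($r) }
        Set-Acl -Path $p -AclObject $acl
    }
}

function Test-JScriptWorkaround {
    # Reports, per file, whether the read deny is currently in place.
    foreach ($p in $JScriptPaths) {
        [pscustomobject]@{ Path = $p; ReadDenied = [bool](Get-JScriptDenyRules $p) }
    }
}
```

Because the Deny ACE applies to Everyone, it blocks administrators and the sfc command as well, which is the side effect the 0patch micropatch discussed below set out to avoid.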

The team at 0patch has meanwhile released a micropatch this week that implements the workaround while addressing some of the downsides.

0patch (@0patch) on Twitter, 07:32 AM – Jan 19, 2020:

“We are planning to issue a micropatch for CVE-2020-0674 next week which will prevent Internet Explorer from loading jscript.dll, effectively implementing Microsoft’s workaround but without some unwanted side effects such as breaking the sfc command. (cont)”

“Because the provided workaround has multiple negative side effects, and because it is likely that Windows 7 and Windows Server 2008 R2 users without Extended Security Updates will not get the patch at all (their support ended this month), we decided to provide a micropatch that simulates the workaround without its negative side effects,” the company said in a blog post. “Microsoft’s workaround comprises setting permissions on jscript.dll such that nobody will be able to read it. This workaround has an expected negative side effect that if you’re using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser.”

According to 0patch, other negative side effects of the workaround that the micropatch avoids are:


US Could Appoint a Cybersecurity Leader for Each State

The USA is considering legislation that would protect local governments by requiring the appointment of a cybersecurity leader for each state.

Backers of the Cybersecurity State Coordinator Act of 2020 say the proposed law will improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyber-attack.

Under the legislation, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency would be tasked with appointing an employee of the agency in each state to serve as cybersecurity state coordinator. 

Money to create these positions would come from the federal government, which would be required to ring-fence the necessary funding. 

The role of each state coordinator would be multifaceted, combining elements of training, advisory work, and program development.

Each leader would serve as a principal federal cybersecurity risk advisor, coordinating efforts to prepare for, respond to, and remediate cyber-attacks. Another core responsibility would be to raise awareness of the financial, technical, and operational resources available to nonfederal entities from the federal government.

Coordinators would be expected to support training, exercises, and planning for continuity of operations to expedite as swift a recovery as possible from cybersecurity incidents. Furthermore, they would be called on to assist nonfederal entities in developing and coordinating vulnerability disclosure programs consistent with federal and information security industry standards.

“State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors,” reads the bill. “There is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses.”

The bill, which has attracted bipartisan support, was introduced by Senators Maggie Hassan and Gary Peters and is co-sponsored by Senators John Cornyn of Texas and Rob Portman of Ohio.

Portman said: “This bipartisan bill, which creates a cybersecurity state coordinator position, would help bolster state and local governments’ cybersecurity by facilitating their relationship with the federal government to ensure they know what preventative resources are available to them as well as who to turn to if an attack occurs.”

https://www.infosecurity-magazine.com/news/us-state-cybersecurity-leader-act/

Youth Teaching Tech To Seniors Fosters Generational Connections

The United States now has 46 million people age 65 or older. That’s a record number, according to a study by the Pew Research Center.

More of these senior citizens are adopting technology, but most also say they need help using new electronic devices such as smart phones. Falling behind on technology puts seniors at risk for social isolation, which makes them vulnerable to poor health and earlier death. It’s also expensive. A study by AARP found isolation is associated with nearly $7 billion in additional annual spending by Medicare.

A startup company in Albuquerque has made matching tech-savvy young people with seniors its mission. Teeniors coaches them on using smartphones, computers and tablets.

Founder Trish Lopez pitched the idea at a startup weekend for women entrepreneurs in 2015 after realizing that her mother needed help.

“She’d lose a password, she’d lose a document and then she didn’t know some simple commands like Control Z that could undo everything she had just done,” Lopez said. “And so she would start all over again.”

As a new mom herself and busy with work, Lopez said she wanted to be able to send someone to help her mother.

“But also, I wished I had the patience to help her in the way I wanted to,” she said.

Patience and listening are some of the fundamental skills young people learn as Teeniors, and the program has served more than 3,000 seniors in New Mexico. It added a nonprofit arm in 2018 and has landed grants from Comcast and Facebook to serve those who can’t afford to pay. The mission, Lopez said, is to empower senior citizens.

“I think that’s why we’ve been so successful,” she said. “The intergenerational learning experience is really remarkable and that’s why I always say the main service we provide is not tech support. It is human connection.”

Lopez has seen many Teeniors flourish through those connections. She has also seen many seniors break down when a Teenior helps them understand technology that seemed beyond their comprehension.

That was certainly true for Camilla Dorcey, 76. She was talking to a friend recently in her home in northeast Albuquerque about a new car she was getting that day. But not long ago, that routine task was beyond her, said Dorcey who at one time struggled using her smartphone.

“People would be ringing me and I didn’t know how to answer it,” Dorcey said. “I’d be crying and frustrated and feeling totally useless and old.”

The Pew study found that 4 in 10 seniors own smartphones, but they often lack confidence in learning and using these devices. Dorcey is a retired teacher from Lesotho, Africa, who lived all over the world before moving to Albuquerque with her second husband. When he died suddenly, she was left alone and isolated, too ashamed to admit she didn’t know how to answer her new phone. She tried to get help at stores, but clerks were mystified why she was confused.

“They said, ‘Oh, a child’ — I hate that phrase — ‘a child could do this,’” Dorcey said. “But they never gave me a child.”

Dorcey found a Teenior instead, who helped her download WhatsApp. Now she talks to family and friends regularly in Africa and Europe for free. On the last day of 2019, she greeted friends in England enthusiastically over the app, wishing them a happy new year.

“Oh it’s amazing,” Dorcey said. “I can see them. I can talk to them. It’s really been great. I feel free again.”

Tess Reynolds, 17, is the Teenior who helped Dorcey. Reynolds said she can relate to seniors who may need more time to learn because she has a learning disability and people used to push her to finish her schoolwork more quickly.

“So I know how it feels to be rushed,” Reynolds said. “I want to make sure that doesn’t happen.”

The experience of working for Teeniors has also convinced Reynolds that she wants to become a senior home health aide.

“And this is such a great help to really become what you want to be,” she said.

At a Teeniors event in December at a senior center about 40 minutes south of Albuquerque, 21-year-old Kendra Gonzales was helping Linda Haverty add a photo of a friend to her contacts list.

“I went from a flip top to this. It was like going from a tank to a Ferrari,” said Haverty, who is 81. “And the next time it was Facebook. I’m still struggling with social media. And Kendra’s wonderful.”

Haverty’s family is scattered around the Midwest and she said keeping up on technology is vital to staying connected to them.

“Yesterday I was going through Facebook and found out I have a great-grandson that was born on my birthday…and I didn’t know about it,” she said.

Gonzales has been with Teeniors for four years. It helped her land jobs and decide on a career in public service. She’s working toward a criminal justice degree, and through Teeniors she learned skills such as public speaking and coaching.

“[I learned] things that I don’t think the school system helped me with,” Gonzales said. “This has helped me more, in a great way.”

Trish Lopez never anticipated how Teeniors would affect the young people she employs. It’s not just teaching them tech skills, but also soft skills employers need such as emotional intelligence, problem-solving and communication. Their feedback has surprised her.

“Some of them believe it’s helped them overcome their depression and anxiety and struggles in their personal relationships,” she said. “Just the work of being a Teenior, for the small amount of hours they do it every month, has made an enormous impact on their lives.”

Yannick Hutchinson, 24, just graduated with an architecture degree and said being part of Teeniors will help him learn to communicate better with clients. It also helped when he was struggling with depression.

“It was definitely something that pulled me back from that dark, dark area,” he said. “It was nice, it was a breath of fresh air.”

Lopez had considered dropping him from the coaching pool after he was late several times and that’s when Hutchinson opened up about his struggles.

“We definitely worked it out and I definitely feel I’m more of an asset to this organization now,” he said. “I need to understand I’m being counted on by people and I need to be responsible for that.”

Variations of the Teeniors model exist around the country, according to Generations United, based in Washington, D.C. Executive Director Donna Butts said intergenerational programs offer alternatives to our tendency to segregate people by age.

“We really are much stronger when we’re together and value the wisdom of older adults and the energy and new experience of young people,” she said.

Butts adds that since America’s older generation is disproportionately white compared to the younger population, there are real risks to such segregation.

“And that can be really, really harmful when we have generations that don’t look like each other, they don’t know each other and they don’t understand why they need to invest in each other,” she said.

She said intergenerational programs can overcome those barriers. That was certainly true for Camilla Dorcey.

“I think Teeniors are maybe seeing old people as not totally ready to be put in the grave,” she said. “For me, it’s making me think teenagers should not all be in jail. We’re beginning to see a connection between humans of a different age.”
Copyright 2020 KUNM. To see more, visit KUNM.

https://www.tpr.org/post/youth-teaching-tech-seniors-fosters-generational-connections