NSA reveals to Microsoft critical Windows 10 flaw

Microsoft reportedly acted on an NSA warning by creating and issuing a secret out-of-band patch to the military and other high-value targets, fixing CVE-2020-0601, a vulnerability affecting a core cryptographic component present in all versions of Windows.

Published reports stated that the NSA informed Microsoft of the vulnerability and this knowledge enabled Microsoft to quickly fix the problem and push out a patch, which was released to the general public today. Cybersecurity execs called the vulnerability a potential “force multiplier” for an attack and heaped praise on the NSA for telling Microsoft, a move that has not always taken place previously.

Synopsys said the patch for CVE-2020-0601 in crypt32.dll was pushed out prior to today’s normal Patch Tuesday security rollout, although at this time the security firm does not have many details on the vulnerability itself.

“This is serious news, as the crypt32.dll is a module needed for securing the Microsoft Operating Systems. We still don’t know precisely what the bug is and how easily it could be exploited, as that hasn’t been fully disclosed yet, but there are some pointers online that can give us an idea,” said Boris Cipot, a senior security engineer with Synopsys.

Renaud Deraison, co-founder and CTO of Tenable, fully expects cybercriminals intent on ransomware and phishing attacks to take advantage of this vulnerability, adding that it is an excellent turn of events that the NSA informed Microsoft. However, with the security patch in place, computers can be secured.

“CVE-2020-0601 hits at the very trust we have in today’s digital computing environments — trust to authenticate binaries and trust that our ciphered communications are properly protected. The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source,” he said.

Cipot strongly recommended implementing the crypt32.dll patch as soon as it’s available. He also warned that malicious actors may attempt to take advantage of this issue, but perhaps not in the way one would expect, and advised users to only download an update from the Update and Security section in Windows 10.

The fact that the NSA reported this to Microsoft, unlike EternalBlue, was an interesting move, said Rick Holland, CISO and vice president of strategy at Digital Shadows.

“I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past. It could be because many of those previous tools leaked and have caused widespread damage across multiple organizations. It could be because there was a concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponizing,” he said.

Automox’s Senior Technical Product Manager Richard Melick optimistically hoped the NSA’s actions in this case indicate a sign of growth at an agency that is better known in cyber circles for hoarding vulnerabilities for use against enemies.

“While it is relatively uncommon for a vulnerability of this severity to make it through the NSA’s Equities process and not be weaponized and kept secret for its offensive capabilities, it does allude to a possible shift in mentality. The agency has caught a lot of bad publicity with recent ransomware infections that were made possible by EternalBlue in cities such as Baltimore and Atlanta,” he said.

“Importantly, users are also urged not to trust websites or emails with links that offer patches for the crypt32.dll. Phishers prey on announcements of security flaws and design campaigns aimed at exploiting people’s desire to patch a vulnerability as soon as possible,” he said.

This is in addition to a very busy Patch Tuesday for Microsoft, which saw it start to wind down support for Windows 7 and roll out patches for 47 vulnerabilities, seven rated as critical.

Jimmy Graham, Qualys’ director of product management, pointed out the Win32k patches CVE-2019-1468 and CVE-2019-145 for workstations, and the remote code execution vulnerability CVE-2019-1471 patched in Hyper-V, which would allow an authenticated user on a guest system to run arbitrary code on the host system.

CVE-2019-1349 and CVE-2019-1469 were at the top of Melick’s list, with the former needing an extra bit of attention.

“CVE-2019-1349 is a remote code execution exploit that exists when Git for Visual Studio client improperly sanitizes input. As Visual Studio is one of the most popular development environments used today to design and build applications, this exploit puts engineering organizations on the front lines of a potential attack,” he said.

Some of the critical-rated issues are remote code execution problems: CVE-2020-0603 in ASP.NET Core; CVE-2020-0605 in various versions of Microsoft .NET Framework; and CVE-2020-0609 in Windows Server 2019, 2016, 2012 and 2012 R2.

Source: https://www.scmagazine.com/home/security-news/vulnerabilities/nsa-reveals-to-microsoft-critical-windows-10-flaw/

Pending Data Protection and Security Laws At-A-Glance: APAC

In our continuing quest to provide a global overview of cyber-related legislation and regulation we have focused on the latest laws protecting PII in the United States, Regulation through Global Data Protection and Security Laws, and APAC Data Protection and Security Laws. This is an overview of 3 soon-to-be-enacted regulations that will change the APAC data privacy legal landscape.

CHINA

On June 1, 2021, the National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment will go into effect. According to global law firm Dentons, “The Guidance aims to guide the assessment of the potential impacts on individuals’ rights and interests as well as the effectiveness of security protective measures adopted when carrying out personal information processing activities, which is similar to the data protection impact assessment (“DPIA”) under the EU General Data Protection Regulation (GDPR).”

Draft PIPL

On October 21, 2020, a draft PRC Personal Information Protection Law (Draft PIPL) was published for review. Similar in many ways to GDPR, the PIPL, if passed, will require that:

  • Organizations outside China that fall within the PIPL’s scope appoint representatives or establish entities within China responsible for the protection of personal information.
  • Personal Information Processors perform and maintain a record of risk assessments where processing activity may have a significant impact on individuals, including international transfers of personal information, processing of sensitive personal information, automated decision-making, and disclosure of personal information to third parties.
  • The processing of personal information be lawful. In other words, there must be a legal basis for processing data, such as consent.
  • Individuals have the right to be informed that processing is happening, to restrict or object to the processing of their data, and to obtain a copy of, update, or delete their information.

Furthermore, it outlines strict requirements for international transfers of personal information. In addition, penalties for noncompliance have yet to be finalized but are so far rather austere. Proposed sanctions include the suspension of business activities and revocation of business permits or licences, the “blacklisting” of companies and fines up to 5% of a company’s yearly earnings. 

JAPAN

On June 5, 2020, the Japanese legislature passed several amendments (“Amendment Act”) to the Act on Protection of Personal Information of Japan (“APPI”) created to expand protections for personal data and impose new obligations on all businesses that use personal data for business purposes, including non-profit organizations.

Slated to go into effect in the spring of 2022, one of the major changes it will bring about is a set of new provisions expanding an individual’s rights to require the deletion or disclosure of personal information (‘PI’):

  • where there is a possibility of violating the data subject’s rights or legitimate interests
  • in the event of a breach of the APPI via transfer to a 3rd party
  • to include short-term data which is kept for 6 months or less; and
  • allowing the data subject to request the format of the disclosure of their data, including in a digital format.

INDIA

Inspired by GDPR, India’s Personal Data Protection Bill (PDP) was introduced to overhaul India’s current data protection regulations outlined in the Information Technology Act of 2000. As that act was mainly concerned with ensuring the legal recognition of e-commerce within India, it does not include specific legislation on data protection aside from establishing the right to compensation for improper disclosure of personal information.

According to the bill’s preamble, the goal of PDP is to “create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.” Similar to GDPR, PDP establishes data privacy as a fundamental right and calls for the creation of an independent new regulatory authority, the Data Protection Authority (DPA), to carry out this law. 

In terms of how PDP and GDPR differ, you can find a comprehensive comparison of the two laws here. In summary though, the differences can be boiled down into 3 key areas:

  • India’s central government retains the power to exempt any government agency from the bill’s requirements for reasons such as national security.
  • The government now has the right to order firms to share any of the non-personal data they collect with the government
  • Personal and sensitive data must be stored and processed in India. Though there are exceptions to these rules, PDP’s restrictive regulations pose a number of challenges for organizations looking to do business in India and are, therefore, one of the most hotly contested provisions in the bill. 

Though DLA Piper expects the law to go into effect in late 2021, other legal experts aren’t so sure. Ongoing backlash pertaining to a number of its more restrictive provisions has resulted in multiple revisions and delays. In addition to the issues surrounding data localization mentioned before, the bill “has also attracted criticism on various grounds such as the exceptions created for the state, the limited checks imposed on state surveillance, and regarding various deficiencies in the structures and processes of the proposed Data Protection Authority,” according to The Hindu.

Source: https://www.cshub.com/executive-decisions/articles/pending-data-protection-and-security-laws-at-a-glance-apac

Wormable Windows Bug Opens Door to DoS, RCE

Source: https://threatpost.com/wormable-windows-bug-dos-rce/166057/

GitHub Prepares to Move Beyond Passwords

Source: https://threatpost.com/github-security-keys-passwords/166054/

Hackers Leverage Adobe Zero-Day Bug Impacting Acrobat Reader

Source: https://threatpost.com/adobe-zero-day-bug-acrobat-reader/166044/
