Remember Microsoft's "Patch Tuesday" security update with all the critical security fixes? Sophos is telling its users to roll it back if they want to be able to boot their computer.
These are the same patches that protect servers against the latest Intel exploits.
In an advisory note published over the weekend, Sophos admitted the latest batch of Windows updates are causing the machines of some people using its antivirus software to hang on boot, getting stuck while displaying the message "Configuring 30%".
Its advice on what to do is pretty blunt: uninstall the Windows update. Specifically, revert KB4499164 and KB4499165.
The problem with that advice is that the patches are intended to mitigate a nasty vulnerability which permits unauthenticated remote code execution through the Remote Desktop Service. We pointed out last week that the issue is so serious that Microsoft has even released patches for its long-unsupported operating systems, Windows 2003 and XP. Sophos themselves have also reiterated the severity of this exploit. Yet their advice remains: remove the fix.
Microsoft is taking this bug very seriously, saying the vulnerability could be abused to spread a worm similar to the way WannaCry propagated networks a couple years back.
So far nobody has seen an in-the-wild use of the exploit for this vulnerability identified by Microsoft, but in this day and age it's only a question of time, especially now that miscreants know about the issue.
"Sophos is working diligently on determining the issue and will provide ongoing customer guidance." In other words, they're being vague about what the problem is, and how long it will be before they fix it for their users.
Sent to us by: Roy W. Nash
Baltimore's ransomware nightmare could last weeks more, with big consequences as houses can't be sold and bills can't be paid while city networks are shuttered.
It's been nearly two weeks since the City of Baltimore's networks were shut down in response to a ransomware attack, and there's still no end in sight to the attack's impact. It may be weeks more before the city's services return to something resembling normal—manual workarounds are being put in place to handle some services now, but the city's water billing and other payment systems remain offline, as well as most of the city's email and much of the government's phone systems.
Unlike the City of Atlanta—which suffered from a Samsam ransomware attack in March of 2018—Baltimore has no insurance to cover the cost of a cyber attack. So the cost of cleaning up the RobbinHood ransomware, which will far exceed the approximately $70,000 the ransomware operators demanded, will be borne entirely by Baltimore's citizens.
Baltimore's information security manager warned of the need for such a policy during budget hearings last year. But the final budget did not include funds for that policy, nor did it include funding for expanded security training for city employees, or other strategic investments that were part of the mayor's strategic plan for the city's information technology infrastructure.
City officials have provided few details about the extent of the attack, as the city is cooperating with an FBI investigation. But it appears that the ransomware was triggered on some systems in the early hours of May 7, when email service was suddenly interrupted. The city's response to the attack has thrown many city services into disorder or shut them down entirely.
The attack was first reported by Baltimore's Department of Public Works, when the department's official Twitter account announced that its email access was cut off, and it reported phones and other systems were affected soon afterward. As it became clear what was happening, the city's Office of Information Technology team shut down nearly all of the city's non-emergency systems to prevent the further spread of the attack. It’s not clear how widespread the ransomware was within the network, but the city's email and IP-based phones were among the systems affected.
The mayor's Office of Information Technology has been struggling to regain its footing over the past two years after a string of fired chief information officers—four consecutive CIOs were fired or forced to resign over a period of five years. Frank Johnson, who now holds the titles of both CIO and Chief Digital Officer for the city, was hired in November 2017 after leaving a position as a regional vice president of sales for Intel. Johnson led the development of a digital strategy for the city that aimed to bring Baltimore's IT spending more in line with those of similarly sized cities and transform its IT practices. According to a 2018 strategy document, Baltimore spends about half of what other cities budget for IT, and the Office of Information Technology only controls about one percent of the total budget.
The city's primary website is hosted on Amazon Web Services and operated by a contractor. The city almost lost that website earlier this month too, though not because of ransomware: the contract for operating the site had expired, and the city was delinquent in its payments.
Sent to us by: Roy W. Nash
South Korea wants to switch government computers to Linux based software, ditching Microsoft Windows in the process.
The country’s Ministry of the Interior and Safety believes that migrating away from Microsoft Windows will lower costs and reduce reliance on a single operating system.
With 2020 bringing the end of “free” support for Windows 7, a system widely used throughout the South Korean government, the timing is prudent.
There’s no word yet on what sort of Linux distribution South Korea might use (or whether the government would create its own), but there are a few hurdles Linux needs to clear first...
Although Linux is free-to-use for anybody, even governments, moving to a Linux-based OS is not a cost-free endeavour. In fact, the Ministry expects switching to Linux will cost a cool $655 million US. That takes into account the price of implementation, transition, and the purchase of new PCs.
The Ministry plans to test-run Linux on its systems to check for compatibility and security issues. And if no major issues are encountered during the pilot run then Linux systems will roll-out more widely — potentially serving as the catalyst for more governments to adopt Linux.
Whether South Korea switches to Linux in the end or not, it’s nice that Linux is being viewed as a viable, practical choice by those in charge.
Sent to us by: Roy W. Nash
Google admitted Tuesday its paid-for G Suite of cloudy apps aimed at businesses stored some user passwords unhashed, in plaintext that was merely encrypted at rest.
Hashing is a standard industry practice that protects credentials by passing them through a one-way function, so the stored value cannot be turned back into the password. Administrators of accounts affected by the security blunder were warned via email that, in certain circumstances, passwords had not been hashed.
Google was at pains to stress it was the enterprise non-consumer version of G Suite affected, that there were no signs of misuse of the passwords, and that the passwords were encrypted at rest on disk – though, because they were not hashed, their sensitive content was not fully secured.
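To make the distinction concrete, here is an added example (not Google's code or anything from the article) contrasting a properly hashed credential record with the kind of unhashed copy described above; the iteration count and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed PBKDF2-HMAC-SHA256 work factor; a real deployment tunes this to its hardware.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record: a random salt plus the PBKDF2 digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iters": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare it in constant time.
    The only thing the record supports is this yes/no check."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def unhashed_record(password: str) -> dict:
    """Constructed illustration of the flawed design: the store keeps a copy of the
    password itself, so whoever can read the record (or its decrypted backup) has it."""
    return {"password": password}


def record_exposes_password(record: dict, password: str) -> bool:
    """True if the plaintext (raw or hex-encoded) can be read straight out of the record.
    Encrypting such a record at rest only moves the problem to whoever holds the key."""
    blob = "".join(str(v) for v in record.values())
    return password in blob or password.encode().hex() in blob
```

Run against a sample password, the hashed record verifies the right password and rejects a wrong one while containing nothing recoverable, whereas the unhashed record hands the password to anyone who can read it.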
Suzanne Frey, Google VP of engineering and cloud trust, explained that the flaw lay in the feature that lets administrators set user passwords: "We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords."
She went on to disclose a second flaw, this one in the user login system: "we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident."
Google has already begun resetting passwords for affected accounts whose owners have not already changed them.
Sent to us by: Roy W. Nash