Monthly Archives: July 2017
Microsoft has launched a new Windows Bounty Program that expands its existing security bug bounty programs. While the company has previously paid out $100,000 for Windows 8.1 bugs, the new program pays far more for serious Hyper-V flaws in Windows 10 or Windows Server operating systems.
Microsoft will now pay up to $250,000 for severe Hyper-V vulnerabilities, and security bugs in Microsoft Edge or Windows 10 preview builds will fetch up to $15,000. “Security is always changing and we prioritize different types of vulnerabilities at different points in time,” explains a Microsoft spokesperson in a blog post. “Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.”
The new Windows Bounty Program launched last week, and will continue indefinitely at Microsoft’s discretion. Any critical or important flaws that affect Windows and a variety of individual features will receive a bounty. Facebook, Google, Apple, Uber, and a variety of other tech companies all offer bug bounties, and they’re designed to tempt researchers into disclosing vulnerabilities early to prevent widespread cyber-attacks.
There’s lots of money to be made here! Last year, a 10-year-old — who is not even old enough to sign up on Facebook — impressed Mark Zuckerberg by hacking Instagram, the photo-sharing application owned by Facebook. The Helsinki-based boy genius, called Jani, received $10,000 from Facebook for identifying a security bug.
Since the Facebook Bug Bounty Program launched in 2011, Facebook has awarded over $4.3 million to more than 800 researchers. The program determines the payout based on a bug’s risk, rather than how complex it may be. In 2015 alone, 210 researchers received $936,000 with an average payout of $1,780.
Earlier this month authorities seized the Dark Web marketplace AlphaBay, an online black market that peddled everything from heroin to stolen identity and credit card data. But it wasn’t until today, when the U.S. Justice Department held a press conference to detail the AlphaBay takedown that the other shoe dropped: For the past month, Police in The Netherlands have been operating Hansa Market, a competing Dark Web bazaar that enjoyed a massive influx of new customers immediately after the AlphaBay takedown.
The normal home page for the dark Web market Hansa has been replaced by this message from U.S. law enforcement authorities.
U.S. Attorney General Jeff Sessions called the AlphaBay closure “the largest takedown in world history,” targeting some 40,000 vendors who marketed a quarter-million listings for illegal drugs to more than 200,000 customers.
“By far, most of this activity was in illegal drugs, pouring fuel on the fire of a national drug epidemic,” Sessions said. “As of earlier this year, 122 vendors advertised Fentanyl. 238 advertised heroin. We know of several Americans who were killed by drugs on AlphaBay.”
Andrew McCabe, acting director of the FBI, said AlphaBay was roughly 10 times the size of the Silk Road, a similar dark market that was shuttered in a global law enforcement sting in October 2013.
As impressive as those stats may be, the real coup in this law enforcement operation became evident when Rob Wainwright, director of the European law enforcement organization Europol, detailed how the closure of AlphaBay caused a virtual stampede of former AlphaBay buyers and sellers taking their business to Hansa Market, which had been quietly and completely taken over by Dutch police one month earlier — on June 20.
“What this meant…was that we could identify and disrupt the regular criminal activity that was happening on Hansa Market but also sweep up all of those new users that were displaced from AlphaBay and looking for a new trading platform for their criminal activities,” Wainwright told the media at today’s press conference, which seemed more interested in asking Attorney General Sessions about a recent verbal thrashing from President Trump.
“In fact, they flocked to Hansa in droves,” Wainwright continued. “We recorded an eight times increase in the number of human users on Hansa immediately following the takedown of AlphaBay. Since the undercover operation to take over Hansa market by the Dutch Police, usernames and passwords of thousands of buyers and sellers of illicit commodities have been identified and are the subject of follow-up investigations by Europol and our partner agencies.”
On July 5, the same day that AlphaBay went offline, authorities in Thailand arrested Alexandre Cazes — a 25-year-old Canadian citizen living in Thailand — on suspicion of being the creator and administrator of AlphaBay. He was charged with racketeering, conspiracy to distribute narcotics, conspiracy to commit identity theft and money laundering, among other alleged crimes.
Law enforcement authorities in the US and abroad also seized millions of dollars’ worth of Bitcoin and other assets allegedly belonging to Cazes, including four Lamborghinis and three properties.
However, law enforcement officials never got a chance to extradite Cazes to the United States to face trial. Cazes, who allegedly went by the nicknames “Alpha02” and “Admin,” reportedly committed suicide while still in custody in Thailand.
Online discussions dedicated to the demise of AlphaBay, Hansa and other Dark Web markets — such as this megathread over at Reddit — observe that law enforcement officials may have won this battle with their clever moves, but that another drug bazaar will simply step in to fill the vacuum.
Ronnie Tokazowski, a senior analyst at New York City-based threat intelligence firm Flashpoint, said the actions by the Dutch and American authorities could make it more difficult for established vendors from AlphaBay and Hansa to build a presence using the same identities at alternative Dark Web marketplaces.
Vendors on Dark Web markets tend to re-use the same nickname across multiple marketplaces, partly so that other cybercriminals won’t try to assume and abuse their good names on other forums, but also because a reputation for quality customer service means everything on these marketplaces and is worth a pretty penny.
Tokazowski said even if top vendors from AlphaBay/Hansa already have a solid reputation among buyers on other marketplaces, some of those vendors may choose to walk away from their former identities and start anew.
“One of the things [the Dutch Police and FBI] mentioned was they were going after other markets using some of the several thousand password credentials they had from AlphaBay and Hansa, as a way to get access to vendor accounts,” on other marketplaces, he said. “These actions are really going to have a lot of people asking who they can trust.”
“There are dozens of these Dark Web markets, people will start to scatter to them, and it will be interesting to see who steps up to become the next AlphaBay,” Tokazowski continued. “But if people were re-using usernames and passwords across dark markets, it’s going to be a bad day for them. And from a vendor perspective, [the takedowns] make it harder for sellers to transfer reputation to another market.”
For more on how the Dutch Police’s National High Tech Crimes Unit (NHTCU) quietly assumed control over the Hansa Market, check out this story.
Thanks to REDDIT and KrebsOnSecurity for this valuable information
If you haven’t deleted your decade-plus old Myspace account yet, now may be the time to do it. As it turns out, it’s been embarrassingly easy for someone to break into and steal any account on the site. Security researcher Leigh-Anne Galloway posted details of the flaw on her blog after months of trying to get Myspace to fix it — and hearing nothing back from the company.
The flaw was in Myspace’s account recovery page, which was meant to let people regain access to an account whose password they had lost. The page asked for the account holder’s name, username, original email address, and birthday. But it turned out you really only needed to know someone’s birthday to gain access to their account.
The account holder’s name and username are both publicly listed on their profile page, and Myspace’s account recovery form didn’t actually check whether you entered the correct email address. The Verge tested the flaw on a newly created dummy account and confirmed this. That left the birthday as the only detail you actually had to know, and a birthday is a poor secret: it is often posted on other social networks, and even blind guessing is only a few hundred tries per year of plausible birth dates if nothing limits attempts.
As soon as you provided that information, Myspace logged you straight into the account, prompted you to set a new password, and let you change the account’s associated email address and birthdate, so you could take the account over for good.
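To make the failure concrete, here is a constructed account-recovery check that mirrors the flow described above (the email field is collected but never compared, and a match hands out a session) next to a hardened version that verifies every field in constant time, caps attempts per account, and on success only mails a single-use reset token to the address already on file. This is added example code, not Myspace’s implementation; the user record, email addresses and attempt limit are made up.

```python
"""
Added example (constructed, not Myspace's code): an account-recovery check
that mirrors the failure described above, next to a hardened version.
The user record, names and email addresses below are made up.
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Constructed sample user store. name/username are public profile data;
# email and birthday are what the recovery form asks the caller to supply.
USERS = {
    "jsmith": {"name": "Jane Smith", "email": "jane@example.com", "birthday": "1985-04-12"},
}
# Compared against when the username is unknown, so a lookup miss costs
# the same as a lookup hit and does not reveal which usernames exist.
DUMMY = {"name": "", "email": "", "birthday": ""}
MAX_ATTEMPTS = 5                      # hypothetical per-account cap on recovery attempts
PENDING_TOKENS: Dict[str, str] = {}   # username -> single-use reset token


@dataclass
class RecoveryResult:
    logged_in: bool = False                    # a session was handed out
    reset_token_sent_to: Optional[str] = None  # a token went to this address
    locked: bool = False                       # attempt cap reached


def recover_vulnerable(username: str, name: str, email: str, birthday: str) -> RecoveryResult:
    """Weak flow: the email field is accepted but never compared, so public
    profile data plus the birthday logs the caller straight in."""
    user = USERS.get(username)
    if user is None:
        return RecoveryResult()
    if user["name"] == name and user["birthday"] == birthday:
        return RecoveryResult(logged_in=True)  # email ignored, session granted
    return RecoveryResult()


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison so per-field timing leaks nothing.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def recover_hardened(username: str, name: str, email: str, birthday: str,
                     attempts: Dict[str, int]) -> RecoveryResult:
    """Every supplied field must match, all comparisons always run, attempts
    per account are capped, and success never yields a session: it only
    records a single-use token to be sent to the email already on file."""
    key = username.lower()
    attempts[key] = attempts.get(key, 0) + 1
    if attempts[key] > MAX_ATTEMPTS:
        return RecoveryResult(locked=True)
    user = USERS.get(key)
    record = user if user is not None else DUMMY
    # '&' rather than 'and' so all three comparisons are evaluated every time.
    ok = _eq(record["name"], name) & _eq(record["email"], email) & _eq(record["birthday"], birthday)
    if user is None or not ok:
        return RecoveryResult()
    PENDING_TOKENS[key] = secrets.token_urlsafe(32)
    return RecoveryResult(reset_token_sent_to=user["email"])


def birthday_bruteforce(recover_fn, username: str, name: str,
                        first_year: int, last_year: int) -> Tuple[Optional[str], int]:
    """Attacker loop: public username and name, a wrong email, and every
    calendar day in the year range as the birthday guess.
    Returns (birthday that logged in, attempts used)."""
    attempts = 0
    day = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    while day <= end:
        attempts += 1
        if recover_fn(username, name, "attacker@evil.example", day.isoformat()).logged_in:
            return day.isoformat(), attempts
        day += timedelta(days=1)
    return None, attempts


if __name__ == "__main__":
    # Weak flow: account taken over after fewer than 2,000 guesses.
    print(birthday_bruteforce(recover_vulnerable, "jsmith", "Jane Smith", 1980, 1990))
    # Hardened flow: locks after MAX_ATTEMPTS and never logs anyone in.
    bucket: Dict[str, int] = {}
    print(birthday_bruteforce(lambda *a: recover_hardened(*a, attempts=bucket),
                              "jsmith", "Jane Smith", 1980, 1990))
```

The design point is the last line of the hardened function: knowing all the recovery answers earns you nothing more than a message to the existing mailbox, so the email on file has to be controlled before the account can be, which is exactly the check the recovery page skipped.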
Of course, at this point, it’s not like all that many people (anyone?) are still using Myspace. Many years after being crushed by Facebook, Myspace moved away from being a social network and pivoted into being a news aggregator and a series of profile pages for musicians. You’re supposed to be able to play music from those pages – some people have success with this and many others complain it doesn’t work. I tested it myself and found it works fine in Internet Explorer 11.
Time Inc. purchased Myspace last year, mostly just so it could get some associated ad technology.
Even though people aren’t using Myspace much anymore, its poor security practices still matter, since it is hardly alone in being so lax about account protection. Myspace is an example of the kind of sloppy security many sites suffer from: poor implementation of controls, a recovery flow that collects a factor it never verifies, and zero accountability (months of silence after a researcher’s report). If there is any chance you still have an account on Myspace, I recommend you delete it immediately.
Many years ago (1992), Microsoft shipped a product called Windows for Workgroups. The name made it clear that Windows in the office was different from Windows at home. Back then, of course, Microsoft had two lines of Windows: the DOS-based consumer line (Windows 3.1, followed by 95, 98 and ME) and the DOS-free Windows NT line, which were only merged with Windows XP in 2001. Windows 2000 (February 2000) was the last edition of the OS aimed solely at business, and even then home users were seeing advantages in the more stable “business” version of Windows.
Now things have moved on and there’s one core operating system across not just home and work PCs, but that same core runs Microsoft’s mobile platform and the Xbox One. Windows 10 is more readily adopted by users of all types and we’re just starting to see the benefits of all these platforms running on the same operating system kernel. We’re also starting to see problems.
Moving business users to Windows 10 is not without its concerns. There is the ongoing issue of Microsoft’s telemetry, which automatically sends information about you and your PC to Microsoft. If that privacy issue worries you, you can dial it down through Group Policy, but the level that turns it off completely is honoured only on Enterprise and Education editions, so it is not entirely business friendly. Then there is the issue of advertisements popping up in Windows 10 and the fact that Microsoft thinks it’s cool to stuff new installs with Candy Crush. These are not business-compatible applications, and I recall that back in the day business owners were up in arms over all Windows PCs coming pre-installed with Solitaire, Minesweeper, Tetris and FreeCell, to name just a few.
The recent leak suggests that Microsoft will bring in something called “Windows 10 Pro for Workstations”, although it might actually be called “Windows Pro for Advanced PCs”, a name that would help Microsoft move away from the stigma attached to Windows 10.
The new OS will have a couple of different features:
• Workstation mode enhanced performance: uses multi-core server CPUs to deliver better performance on demanding tasks.
• Resilient File System storage: ReFS is Microsoft’s newer file system, introduced with Windows Server 2012. Support arrived in Windows 8.1 and you can use it now in Windows 10 if you like, but in practice only on a Storage Spaces mirror: the setup process involves pooling disks into a mirror set and formatting the resulting space with the new file system, and ReFS cannot be the boot volume. This may be useful for anyone who has to work with a lot of data.
• Faster file sharing: uses SMB Direct (SMB over RDMA) to move files quickly with minimal CPU overhead. Obviously useful in businesses where large amounts of data move around, though it only helps when both the client and the server have RDMA-capable network adapters; otherwise SMB falls back to ordinary TCP.
• Expanded hardware support: up to 4 CPU sockets and 6 TB of memory in one system. Windows 10 Pro currently handles only 2 sockets and 2 TB of RAM.
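If you want to know where your current Windows 10 Pro machine stands on the items in that list, or try the ReFS mirror set the second bullet describes, the PowerShell below does both. It is an added example, not from the Verge’s report or from Microsoft; it assumes an elevated Windows PowerShell 5.1 session and, for the last step, two empty disks that are not yet part of any pool (the pool and volume names are arbitrary).

```powershell
# Added example (not from the leak or from Microsoft): inventory the socket,
# memory, RDMA and ReFS state of a Windows 10 Pro box, then build the mirrored
# ReFS space described in the feature list. Run elevated; the final step wipes
# the two poolable disks it finds. Pool/volume names are arbitrary.

# Sockets and installed RAM, to compare with the Pro limits (2 sockets, 2 TB)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    Sockets     = $cs.NumberOfProcessors
    LogicalCpus = $cs.NumberOfLogicalProcessors
    MemoryGB    = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    Edition     = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
}

# SMB Direct only kicks in on RDMA-capable adapters; this shows whether the client has one
Get-SmbClientNetworkInterface | Select-Object InterfaceIndex, RdmaCapable, LinkSpeed

# Any ReFS volumes already present?
Get-Volume | Where-Object FileSystemType -eq 'ReFS' | Select-Object DriveLetter, FileSystemLabel, Size

# Build the mirror set: pool two empty disks, carve a mirrored space, format it as ReFS
$disks = Get-PhysicalDisk -CanPool $true | Select-Object -First 2
if (@($disks).Count -lt 2) { throw 'Need two empty, poolable physical disks' }
$sub  = Get-StorageSubSystem | Select-Object -First 1
$pool = New-StoragePool -FriendlyName 'RefsPool' -StorageSubSystemUniqueId $sub.UniqueId -PhysicalDisks $disks
$vd   = New-VirtualDisk -StoragePoolFriendlyName $pool.FriendlyName -FriendlyName 'RefsMirror' `
                        -ResiliencySettingName Mirror -UseMaximumSize
$vd | Get-Disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Data' -Confirm:$false
```

The inventory part is harmless; the pooling part destroys whatever is on the two disks it picks, so check the output of `Get-PhysicalDisk -CanPool $true` before letting it run.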
Will it help? Probably. Windows 10 is great and offers a lot to home users. On the other hand, I can see why businesses might not be so keen. Some of that is perhaps based on things that aren’t really a big problem, and some will be legitimate concerns (like employees wasting work time on Candy Crush) that Windows for Workstations might address.
Microsoft still needs to win businesses over to Windows 10 or it is sitting on a ticking support time bomb, and we’ve recently seen how well older versions of Windows work out in business environments: more ransomware attacks, anyone? With Windows 7 a short two years away from its final curtain call, Microsoft is working hard to get all of its ducks in a row beforehand.
Thanks to the Verge for information on this leak.