All posts by Connor Jones

Microsoft launches bug bounty programme for Chromium-based Edge


Connor Jones

21 Aug, 2019

Microsoft has launched a fresh bug bounty programme specifically for its Chromium-based Edge browser, offering rewards double the value of its previous HTML Edge version.

The maximum reward for hunters finding significant flaws in the latest version of its flagship browser has increased to $30,000 for the most critical vulnerabilities.

Other issues will be judged by their significance, depending on how impactful the flaw is to future versions of Edge, with hunters being rewarded from $1,000 upwards.

The launch of the latest bug bounty programme coincides with the launch of the beta preview of the next Edge version and will work hand-in-hand with Microsoft’s Researcher Recognition Program.

The initiative acts somewhat like a loyalty card for bug hunters who follow Microsoft’s vulnerability disclosure process: points are awarded for every bug they report, and these points can be multiplied depending on the product in which the bug is found.

A bug found in Azure or Windows Defender, for example, is eligible for a 3x points multiplier whereas Edge on Chromium gets a mere 2x multiplier – GitHub and LinkedIn receive none.

Once a hunter accrues enough points, they “may be recognised in our public leaderboard and rankings, annual Most Valuable MSRC Security Researcher list, and invited to participate in exclusive events and programs,” said Microsoft.

The program will also run alongside the pre-existing bug bounty for the HTML version of Edge, which offers rewards of between $500 and $15,000.

“Vulnerabilities that reproduce in the latest, fully patched version of Windows (including Windows 10, Windows 7 SP1 or Windows 8.1) or MacOS may be eligible for the Microsoft Edge Insider bounty program,” said Microsoft. “Windows Insider Preview is not required.”

Since the browser is powered using Chromium, the new bug bounty programme will support the Chrome Vulnerability Reward Program “so any report that reproduces on the latest version of Microsoft Edge but not Chrome will be reviewed for bounty eligibility based on severity, impact, and report quality,” it added.

The Chrome Vulnerability Reward Program currently offers rewards ranging widely from $500 to $150,000, with the largest rewards reserved for bugs found in Chrome OS.

Apple also announced the expansion of its bug bounty programme at Black Hat 2019 in August, making it the most lucrative bounty program in tech.

In addition to dishing out special iPhones to select bug hunters, making it easier for them to investigate the flagship Apple device, it announced a maximum reward for bugs of up to $1.5 million.

Back in March, an Argentinian teenage bug hunter became the first in the world to earn $1 million from lawfully finding and disclosing bugs in bounty programs. He reported more than 1,600 bugs – notable inclusions were major issues with Twitter’s and Verizon’s products.

The majority of Chrome extension installs are split across these 13 apps


Connor Jones

5 Aug, 2019

Google’s Chrome extension store is said to be dominated by just a handful of popular applications, with the majority of its application selection having fewer than 1,000 installs, according to a new study.

Figures released from Extension Monitor show that although Chrome now boasts over 1 billion extension installs, only 13 apps have over 10 million installs each.

Of the 188,000 extensions that make up the store, it’s believed as much as 87% have fewer than 1,000 installs, including 24% that have either one or zero installs. The figures also show that around half of all extensions have been installed fewer than 16 times.

Security was a common theme identified when looking at the most downloaded extensions – adblockers, antivirus applications, password managers and VPNs dominated the list of most popular extensions. Other prominent categories included communications and shopping.

Well-known apps such as Grammarly, Adblock, Honey, Avast Online Security, Skype and Google Translate dominated the top spots. LastPass and Google Hangouts were among the apps just shy of the 10 million mark.

The 10 million club:

  • Cisco Webex Extension
  • Google Translate
  • Avast Online Security
  • Adobe Acrobat
  • Grammarly for Chrome
  • Adblock Plus – free ad blocker
  • Pinterest Save Button
  • Skype
  • AdBlock
  • Avast SafePrice
  • uBlock Origin
  • Honey
  • Tampermonkey

Even though a large proportion of extensions have a comparably low install base, it’s the extensions in this bracket that are most often malicious, and collectively they can still target a large number of users. Last month we reported that some Google Chrome extensions harvest user data as part of a “murky data economy” and then sell that data on to Fortune 500 companies.

The scheme was thought to have affected up to 4 million users across the various extensions, most of which had thousands of installs each, although some exceeded one million. The sensitive data was then accessible by anyone who was willing to pay a fee as small as $49.

In response, Google pointed users to its policy changes made in June 2019 and how it plans to make the Chrome Web Store more secure, a policy that’s since been slammed by the Electronic Frontier Foundation (EFF).

The organisation said that the changes would do nothing to secure the Web Store as they don’t address the APIs used by extensions to aggregate and sell data. Instead, the EFF claims Google should simply enforce existing policy properly.

“Ultimately, users need to have the autonomy to install the extensions of their choice to shape their browsing experience, and the ability to make informed decisions about the risks of using a particular extension,” said the EFF. “Better review of extensions in Chrome Web Store would promote informed choice far better than limiting the capabilities of powerful, legitimate extensions.”

JEDI contract put on hold after intense lobbying efforts


Connor Jones

2 Aug, 2019

The $10 billion JEDI contract to supply cloud computing services to the Pentagon has been halted after an aggressive lobbying campaign from rival tech companies.

According to CNN, which first reported the story, an inside campaign was allegedly carried out to dissuade President Trump from choosing Amazon’s AWS as the winner of the contract.

Amazon and Microsoft are currently the only two companies in the race after Oracle and IBM were knocked out of the running months ago, but a one-page document was given to Trump which appears to visually outline Amazon’s ten-year plan for cloud monopolisation.

The document is identical to one created by Oracle’s top Washington lobbyist, Kenneth Glueck, an executive vice president with the company, Glueck told CNN.

CNN remarked that the document delivered to Trump, which may have been the deciding factor in delaying the JEDI contract due to be announced this month, was designed to play up to the feud between Trump and Amazon CEO Jeff Bezos.

“So sorry to hear the news about Jeff Bozo being taken down by a competitor whose reporting, I understand, is far more accurate than the reporting in his lobbyist newspaper, the Amazon Washington Post,” tweeted Trump in relation to Bezos’ divorce at the time. “Hopefully the paper will soon be placed in better & more responsible hands!”

Defence Secretary Mark Esper is currently investigating allegations of unfairness in the awarding of the contract, according to Pentagon spokeswoman Elissa Smith.

“Keeping his promise to Members of Congress and the American public, Secretary Esper is looking at the Joint Enterprise Defense Infrastructure (JEDI) program,” Smith said in a statement on Thursday to Reuters. “No decision will be made on the program until he has completed his examination.”

Speculation surrounding the treatment of AWS in the contract’s bidding process has raged on for months; some have argued that the nature of the contract itself favours AWS and the services it offers.

Reports also suggest that Senator Mark Rubio penned a letter to national security advisor John Bolton requesting the contract be delayed.

“I respectfully request that you direct the delay of an award until all efforts are concluded in addition to evaluating all bids in a fair and open process in order to provide the competition necessary to obtain the best cost and best technology for its cloud computing needs,” Rubio reportedly wrote.

The Joint Enterprise Defence Infrastructure (JEDI) contract is worth $10 billion and the project to renovate the Pentagon’s IT infrastructure into a contemporary cloud-based one could span 10 years.

Microsoft is killing off Skype for business


Connor Jones

31 Jul, 2019

Microsoft is calling time on Skype for Business Online as the company tries to promote the adoption of Microsoft Teams.

Support for the collaboration platform will be terminated on 31 July 2021, just 10 years after it was acquired by the Redmond giant. Every new Microsoft 365 customer will be onboarded to Microsoft Teams by default from 1 September 2019, with no option to select Skype for Business Online instead.

Microsoft said that current Skype for Business Online customers won’t experience any change in service and will be able to add new users as needed until the termination date.

“Over the last two years, we’ve worked closely with customers to refine Teams, and we now feel we’re at the point that we can confidently recommend it as an upgrade to all Skype for Business Online customers,” said James Skay, senior product marketing manager at Microsoft.

“Teams isn’t just an upgrade for Skype for Business Online, it’s a powerful tool that opens the door to an entirely new way of doing business,” he added.

Microsoft has listed a range of product investments it will be making to ensure an easy migration to Teams for businesses that are firmly settled with Skype for Business Online.

One of these will be the upcoming interoperability between Skype for Business Online and Microsoft Teams, coming in the first quarter of 2020. The update will allow customers on both platforms to communicate via calls and text chats.

Other feature requests from Skype for Business Online users will also be honoured in future Teams updates, such as Dynamic E911, which forwards detailed location data when an emergency phone call is made directly from the platform. Shorter data retention periods will also arrive in Teams by the end of 2019, so data that shouldn’t remain on the service will be wiped when the user needs it to be.

Contact centre integration and compliance recording solutions are also in Teams already. First announced at Microsoft’s Inspire event earlier this month, recording software used by businesses for regulatory compliance, liability protection and quality assurance is now supported in Teams with more partnerships in the pipeline.

Teams has so far been a very successful product for Microsoft. Earlier this month, the company announced that it has more active users than its main rival Slack, just two years after launching the platform.

Azure revenue surpasses Windows for the first time


Connor Jones

19 Jul, 2019

Microsoft’s cloud business revenue has surpassed income from its Windows arm for the first time ever, with the company’s fourth-quarter financial results demonstrating the strength of its cloud infrastructure and services.

It’s just one of the many areas that defied analyst expectations as the Redmond-based company excelled across the board, posting revenue hikes in nearly all areas of the business.

There are no exact figures to illustrate how well Azure is doing specifically because Microsoft bundles the figures into its umbrella “intelligent cloud business”. However, the revenue for the company’s cloud arm increased 19% to $11.4 billion, narrowly beating Windows in its “personal computing” business which made $11.3 billion – an increase of 4%.

The prioritisation of cloud services began when Satya Nadella took the reins in Redmond back in 2014, and ever since, all things cloud have been driving the company’s revenue.

The one division in decline was Microsoft’s gaming business which pulled down the revenue score for its Personal Computing arm – handing the lead to Intelligent Cloud. Overall gaming revenue declined 10% with Xbox software and services down 3%.

Other than the minor blip in gaming, the future looks healthy for Microsoft. It continues to build on its lead as the world’s most valuable company, a status it announced in April after it surpassed Apple and became valued at over $1 trillion for the first time ever – a feat owed in no small part to its ever-booming cloud growth.

“It was a record fiscal year for Microsoft, a result of our deep partnerships with leading companies in every industry,” said Satya Nadella, chief executive officer of Microsoft. “Every day we work alongside our customers to help them build their own digital capability – innovating with them, creating new businesses with them, and earning their trust.

“This commitment to our customers’ success is resulting in larger, multi-year commercial cloud agreements and growing momentum across every layer of our technology stack,” he added.

Microsoft currently sits in second place in terms of its market share for cloud business, with Amazon Web Services (AWS) commanding a majority lead. According to Canalys, AWS dominates with a 32.8% market share, Microsoft’s Azure comes in with 14.6% and Google Cloud, which recently pivoted towards hybrid cloud, has 9.9%.

Thousands of sites fall to Magecart ‘spray and pray’ attack


Connor Jones

12 Jul, 2019

More than 17,000 domains have been compromised in an attack launched by the prolific hacking group Magecart, according to attack surface management firm RiskIQ.

The attack preys upon websites with leaky Amazon S3 buckets, an attack method seen all too often despite them now being protected by default. The researchers said that anyone with an AWS account could read or write files in the affected buckets.

The attackers scanned the web for misconfigured buckets, checked whether they contained any JavaScript files, downloaded those files, appended their skimming code and then overwrote the original script in the bucket.

Magecart was trying to run scripts on websites to glean and make off with payment information that can then be sold on for profit. It wasn’t just smaller websites that were affected: some of the 17,000+ compromised websites fell into the top 2,000 Alexa rankings.

The problem with the attackers’ methodology is that this type of skimming attack rarely lands on the payment pages of websites, which makes the chance of a successful attack low compared with a more considered, targeted approach.

But the Magecart group could still enjoy “a substantial return on investment” due to the range of the attack. “The ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it,” said Yonathan Klijnsma, threat researcher at RiskIQ, in a blog post.

“Perhaps most importantly, the widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets,” he added. “Without greater awareness and an increased effort to implement the security controls needed to protect the content stored in these buckets from theft or alteration by malicious attackers, there will be more – and more impactful – attacks using techniques similar to the ones outlined in this blog.”

Exploiting misconfigured Amazon S3 buckets is a common attack method used time and again by opportunistic cyber criminals.
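A defender-side check for the misconfiguration described above (a bucket whose ACL or policy lets any AWS account holder, or anyone at all, read or overwrite objects such as JavaScript files), added here as an example; it is not RiskIQ’s or Amazon’s code. It assumes inputs shaped like boto3’s `get_bucket_acl()` response and the JSON string `get_bucket_policy()` returns; the sample ACLs and policies are constructed.

```python
"""Flag S3 ACL grants and bucket-policy statements that let arbitrary AWS
accounts (or anyone) read or, worse, overwrite objects. Input shapes mirror
boto3's get_bucket_acl() dict and get_bucket_policy() JSON (assumption)."""
import json

# Canned S3 group URIs. A grant to either is "public" in the sense that
# matters here: AllUsers is anyone, AuthenticatedUsers is any AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# ACL permissions that allow objects to be added or replaced.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_acl_grants(acl):
    """Return (who, permission) for every grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grantees are specific accounts
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if who is not None:
            findings.append((who, grant.get("Permission")))
    return findings


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def risky_policy_statements(policy_json):
    """Return the Sid (or an index label) of each Allow statement granting
    object-write actions to the wildcard principal. Conditions are ignored,
    so a conditioned statement is still reported; treat results as leads."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if "*" not in _as_list(principal):
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "s3:*") or a.startswith("s3:Put") for a in actions):
            findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def allows_public_overwrite(acl, policy_json=None):
    """True if the ACL or the policy lets a public group write objects, the
    condition that allowed skimmer code to be written into the buckets."""
    acl_write = any(p in WRITE_PERMISSIONS for _, p in risky_acl_grants(acl))
    policy_write = bool(policy_json) and bool(risky_policy_statements(policy_json))
    return acl_write or policy_write


# Constructed sample data (not taken from any real bucket).
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"},
]}
SAFE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print("exposed ACL grants:", risky_acl_grants(EXPOSED_ACL))
    print("exposed policy statements:", risky_policy_statements(EXPOSED_POLICY))
    print("overwrite possible:", allows_public_overwrite(EXPOSED_ACL, SAFE_POLICY))
```

Public read alone (the SAFE_POLICY case) is reported by `risky_policy_statements` only when a write action is present, so a static-site bucket that is deliberately world-readable is not flagged as writable.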

Earlier in the year, Facebook apps Cultura Collectiva and At the Pool became victims of a similar attack, with the cyber criminals making off with 540 million records, including users’ names, IDs and comments made through Facebook’s social integration.

“Like any other security procedure, security policies are a good mechanism for protecting the access to your S3 Bucket, but it needs to be used the right way,” said Boris Cipot, senior security engineer at Synopsys. “It has to be understood, and the user needs to know what they are doing when applying those policies to their buckets.

“Unfortunately, misconfigured policies then can lead to examples like those where the attacker can identify buckets with those misconfigured policies and modify the content on them,” he added. “Every user should have a good understanding of what they’re doing, but if this is not possible, leave it to professionals that know how to handle security.

“On the other hand, it would be nice to see if Amazon could make a policy screening functionality where they could identify such misconfigured policies and warn the user – or in some cases even forbid the usage of loose policies.”

Other notable examples of devastating attacks made possible by leaky buckets include the leak of data belonging to 120 American households by Experian. The NSA, WWE and Accenture also suffered similar attacks.

The future looks bright, however. According to reports, since Amazon enabled encryption for buckets by default, the number of exposed files has plummeted to less than 2,000 whereas the number was in the region of 16 million beforehand.

Cloud database management set to soar in coming years


Connor Jones

1 Jul, 2019

The trend of databases being used for analytics under the ever-popular software as a service (SaaS) model will see 75% of all databases deployed on or migrated to a cloud platform, according to Gartner’s latest predictions.

The IT analyst house also said that just 5% of these will ever be considered by owners to be taken back into on-premise infrastructure as businesses continue to realise the benefits of widespread cloud adoption.

“According to inquiries with Gartner clients, organisations are developing and deploying new applications in the cloud and moving existing assets at an increasing rate, and we believe this will continue to increase,” said Donald Feinberg, distinguished research vice president at Gartner.

“We also believe this begins with systems for data management solutions for analytics (DMSA) use cases — such as data warehousing, data lakes and other use cases where data is used for analytics, artificial intelligence (AI) and machine learning (ML).

“Increasingly, operational systems are also moving to the cloud, especially with conversion to the SaaS application model.”

Research from Gartner shows that worldwide revenue from database management systems was up a significant 18.4% to $46 million and cloud database management systems accounted for 68% of that.

The company also notes that Microsoft and AWS account for more than 75% of the total market growth, indicating a trend towards cloud service providers becoming the new data management platform.

On-premise infrastructure rarely offers built-in capabilities to support cloud integration which is why its growth isn’t as vibrant as its cloud counterparts. The industry is growing, but at a much slower rate and not because of new on-premise deployments, but because of price increases and forced upgrades.

“Ultimately what this shows is that the prominence of the CSP infrastructure, its native offerings, and the third-party offerings that run on them is assured,” said Feinberg. “A recent Gartner cloud adoption survey showed that of those on the public cloud, 81% were using more than one CSP.

“The cloud ecosystem is expanding beyond the scope of a single CSP — to multiple CSPs — for most cloud consumers,” he added.

The UK is adopting the cloud more than others in the EU, according to figures from Eurostat published late last year.

A sixth-place ranking among EU countries for cloud adoption is primarily due to the high rate of British enterprises using some form of cloud service.

British businesses beat the average EU country in this regard by a significant margin, with 41.9% using at least one cloud service compared to the average of 26.2% – a figure beaten only by a handful of Scandinavian nations, Denmark, Sweden and Finland among them.

Microsoft warns of remote execution exploit in Excel


Connor Jones

27 Jun, 2019

A new vulnerability in a Microsoft Excel business intelligence tool has been found to give attackers an opportunity to remotely launch malware and take over a user’s system.

Researchers at Mimecast discovered a vulnerability in Power Query (PQ), a powerful and scalable business intelligence tool in Microsoft Excel that allows users to integrate spreadsheets with other areas of their business, such as external databases, text documents and web pages.

The vulnerability is based on a method of data communication between applications, used across the Microsoft Office suite, called Dynamic Data Exchange (DDE). DDE attacks are nothing new; many successful malware campaigns have used the method to compromise documents. However, this particular attack grants perpetrators significant admin privileges.

“In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email,” said Microsoft. “The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts.”

Using the exploit, attackers can fingerprint individual systems belonging to victims, allowing them to deliver harmful code that appears harmless to both sandboxes and other security software the victim may be running.

Mimecast researcher Ofir Shlomo also said that the Power Query exploit could be used to launch sophisticated, difficult-to-detect attacks that combine several attack surfaces.

“Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened,” said Shlomo in a research blog shared with IT Pro. “The malicious code could be used to drop and execute malware that can compromise the user’s machine.”

DDE attacks are infamous for targeting enterprises due to their widespread reliance on Microsoft Office software in workplaces around the world.

APT28 and APT37, Russian and North Korean-linked hacking groups respectively, have both used the technique to good effect in recent years, with other groups utilising malformed Word documents for use in spear phishing campaigns.

“Such attacks are usually hard to detect and give threat actors more chances to compromise the victim’s host,” said Shlomo. “Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that as designed won’t be saved inside the document itself but downloaded from the web when the document is opened.”

Mimecast disclosed the issue to Microsoft when it discovered it, through Microsoft’s Coordinated Vulnerability Disclosure process. While Microsoft has yet to offer a fix for the issue, it did share a workaround.

Microsoft published an advisory document (advisory 4053440) that offers tips and guidance on how to secure applications when they process DDE fields. This includes instructions on how to create custom registry entries for Office and other methods too, each with benefits and drawbacks listed.

“Attackers are looking to subvert the detections that victims have,” said Shlomo. “While there is a chance that this kind of attack may be detected over time as threat intelligence is shared between various security experts and information sharing platforms, Mimecast strongly recommends all Microsoft Excel customers implement the workarounds suggested by Microsoft as the potential threat to these Microsoft users is real and the exploit could be damaging.”

NASCAR revs up its video business with AWS


Connor Jones

5 Jun, 2019

The National Association for Stock Car Auto Racing (NASCAR) has partnered with AWS to utilise the cloud giant’s artificial intelligence and machine learning tools to automate the database categorisation of 70 years’ worth of video.

In the run-up to the airing of its online series ‘This Moment in NASCAR History’, the sport that packs deafening stadiums has 18 petabytes of video to migrate to an AWS archive, where the processing will take place.

“Speed and efficiency are key in racing and business which is why we chose AWS – the cloud with unmatched performance, the most comprehensive set of services, and the fastest pace of innovation – to accelerate our migration to the cloud,” said Craig Neeb, executive vice president of innovation and development, NASCAR.

“Leveraging AWS to power our new video series gives our highly engaged fans a historical look at our sport while providing a sneak peek at the initial results of this exciting collaboration,” he added.

Using Amazon Rekognition, the platform’s AI-driven image and video analysis tool, NASCAR hopes to automate the tagging of video metadata for its huge catalogue of multimedia to save time searching for specific clips.

Metadata is attributed to stored multimedia files which makes it easier for someone to search for it in a database. For example, a type of metadata attributed to a given video would include the race date, competition, the drivers involved, location and other information that would differentiate it from other clips.

Making a series that joins clips of races from throughout the years would otherwise require a long time spent manually searching through petabytes of video.

“By using AWS’s services, NASCAR expects to save thousands of hours of manual search time each year, and will be able to easily surface flashbacks like Dale Earnhardt Sr.’s 1987 ‘Pass in the Grass’ or Denny Hamlin’s 2016 Daytona 500 photo finish, and quickly deliver these to fans via video clips on NASCAR.com and social media channels,” read an AWS statement.

NASCAR also plans to use Amazon SageMaker to train deep learning models against its footage spanning decades to enhance the metadata tagging and video analytics capabilities.

The sport will also be using Amazon Transcribe, an automatic speech recognition service, to caption and timestamp every word of speech in the archived videos, which will make them easier still to search.

“AWS’s unmatched portfolio of cloud services gives NASCAR the most flexible and powerful tools to bring new elements of the sport to live broadcasts of races,” said Mike Clayville, vice president, worldwide commercial sales at AWS.

BT partners with Juniper on unified cloud network platform


Connor Jones

3 Jun, 2019

BT has partnered with Juniper Networks to supply the core infrastructure that will underpin the rollout of its upcoming unified cloud networking platform.

The platform will unify BT’s networks including 5G, Wi-Fi and fixed-line into one virtualised service which will enable more efficient infrastructure management and deployment.

The new unified platform will supposedly allow BT to “create new and exciting converged services bringing mobile, Wi-Fi, and fixed network services together”.

The platform’s infrastructure will be built to a common framework, allowing it to be shared across BT’s offices nationally and globally.

The platform will be used by a range of BT’s arms, such as voice, mobile core, radio/access, ISP, TV and IT services, and deploying the platform company-wide will cut costs and streamline operations.

“This move to a single cloud-driven network infrastructure will enable BT to offer a wider range of services, faster and more efficiently to customers in the UK and around the world,” said Neil McRae, chief architect, BT. “We chose Juniper to be our trusted partner to underpin this Network Cloud infrastructure based on the ability to deliver a proven solution immediately, so we can hit the ground running.”

“Being able to integrate seamlessly with other partners and solutions and aligning with our roadmap to an automated and programmable network is also important,” he added.

We’re told that the project will facilitate the advent of new applications and workloads for the telecoms giant and evolve its existing ones including converged fixed and mobile services and faster time-to-market for internet access delivery.

“By leveraging the ‘beach-front property’ it has in central offices around the globe, BT can optimise the business value that 5G’s bandwidth and connectivity brings,” said Bikash Koley, chief technology officer, Juniper Networks.

“The move to an integrated telco cloud platform brings always-on reliability, along with enhanced automation capabilities, to help improve business continuity and increase time-to-market while doing so in a cost-effective manner,” he added.

BT has undergone a change in leadership this year and faces challenges in almost all areas of its business, according to its annual financial overview.

EE’s business has been carrying the telco; it’s the only arm of the company that is posting profits in an “unfavourable telecoms market”. BT’s revenue slip for the year has been attributed to the decline in traditional landline calls amid a seemingly unrelenting shift to voice over IP.

In order to capitalise on new business angles such as IoT, cloud and SD-WAN, BT admits greater investment is needed; this will most likely hinder its short-term revenue targets but could pay off in the long term.

“Our aim is to deliver the best converged network and be the leader in fixed ultrafast and mobile 5G networks,” said Jansen. “We are increasingly confident in the environment for investment in the UK.”

EE launched its 5G network last week, becoming the first telecoms company in the UK to do so. It’s available in six major cities and speeds of 1Gbps are promised “for some users”.