All posts by Rene Millman

Malware found on popular Facebook, Instagram and Vimeo browser extensions


Rene Millman

17 Dec, 2020

Malware hidden in at least 28 third-party Google Chrome and Microsoft Edge extensions has been discovered by security researchers.

The malware has the functionality to redirect users’ traffic to ads or phishing sites and to steal people’s personal data, such as birth dates, email addresses, and active devices, according to a report released by cybersecurity firm Avast.

Researchers have said that up to three million users could be affected by the malware.

The malware in question masquerades as legitimate extensions that help download videos from Instagram, Facebook, Vimeo, and other social platforms. The researchers have identified malicious code in the JavaScript-based extensions that allows the plugins to download further malware onto a user’s PC.

The threat was first spotted last month, but researchers believe the extensions could have been active for years without anyone noticing.

Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit.

“The actors also exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user),” the report said.

Researchers added that the objective behind this is to monetize the traffic itself. For every redirection to a third-party domain, the cyber criminals would receive a payment. Nonetheless, the extensions also have the capability to redirect users to ads or phishing sites.

“Our hypothesis is that either the extensions were deliberately created with the malware built-in, or the author waited for the extensions to become popular, and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards,” said Jan Rubín, malware researcher at Avast.

At this moment, the infected extensions are still available for download. Avast has contacted the Microsoft and Google Chrome teams to report them. Both Microsoft and Google confirmed they are currently looking into the issue. Users are recommended to disable or uninstall the extensions for now until the problem is resolved.

Extensions mentioned in the report, many of which are still available to download, include: Direct Message for Instagram, DM for Instagram, Downloader for Instagram, App Phone for Instagram, Universal Video Downloader, Vimeo Video Downloader, Volume Controller, Spotify Music Downloader, and Video Downloader for YouTube.

Google-Qualcomm partnership makes four years of Android update a reality


Rene Millman

17 Dec, 2020

Android phones in the future will support up to four new OS versions thanks to a collaboration between Google and Qualcomm.

All new mobile platforms with Qualcomm silicon will get four OS version updates and four years of security updates, according to a blog post by Google engineers.

In 2017, Google changed Android to make it more modular and easier to update. This move, known as Project Treble, split the OS framework from the device-specific low-level software (called the vendor implementation).

While this was good for device manufacturers, it introduced “additional complexity” for chipmakers.

“For each SoC model, the SoC manufacturers now needed to create multiple combinations of vendor implementations to support OEMs who would use that chipset to launch new devices and deploy OS upgrades on previously launched devices,” said Google engineers.

They added that the result was that three years beyond the launch of a chipset, the SoC vendor would have to support up to six combinations of OS framework software and vendor implementations – something that resulted in enormous engineering costs.

The new solution now extends the “no-retroactivity principle” to the SoCs as well as to devices. “With this change, the SoC provider would be able to support Android with the same vendor implementations on their SoCs for device launches as well as upgrades.”

Over the last year, Google has worked with Qualcomm so that “all new Qualcomm mobile platforms that take advantage of the no-retroactivity principle for SoCs will support four Android OS versions and four years of security updates”.

This means that a device will ship with the initial Android OS and then will receive 3 additional software updates over the course of its life. Security updates will extend for an additional year, to cover the final software launch, bringing the total lifespan to four years.

Engineers added that all Qualcomm customers will be able to “take advantage of this stability to further lower both the costs of upgrades as well as launches and can now support their devices for longer periods of time”.

The move will see Google reusing the same OS framework across multiple Qualcomm chipsets. It added that this would “dramatically” lower the number of OS framework and vendor implementation combinations that Qualcomm has to support across its mobile platforms and would result in lower engineering, development, and deployment costs.

Google said that the change would be taking effect with all SoCs launching with Android 11 and later.

Golang XML parser vulnerability could enable SAML authentication bypass


Rene Millman

15 Dec, 2020

Security researchers have disclosed three critical vulnerabilities within the XML parser of the Go programming language that could allow hackers to completely bypass the SAML authentication that features in many popular web applications.

The flaws were discovered earlier in the year by cloud collaboration provider Mattermost. It has been working alongside Go’s internal security team since August on addressing these vulnerabilities, as well as with the organisations and individuals behind downstream projects.

All three revolve around the way Go processes XML documents over multiple rounds of parsing, allowing attackers to use specially crafted XML markup to trick systems. According to a blog post by Juho Nurminen, product security engineer at Mattermost, there are several potential security problems created by these flaws, with one of the most significant being the risk it introduces to the integrity of the web-based SAML single sign-on (SSO) standard.

The first flaw, CVE-2020-29509, is an XML attribute instability in Go’s encoding/xml. An affected SAML implementation can interpret a SAML Assertion as signed, but then proceed to read values from an unsigned part of the same document due to namespace mutations between signature verification and data access. This can lead to full authentication bypass and arbitrary privilege escalation within the scope of a SAML Service Provider.

The other two vulnerabilities – designated CVE-2020-29510 and CVE-2020-29511, respectively – can also be exploited to fully bypass authentication. The former is an XML directive instability while the latter is an XML element instability.

“As evident from the titles, the vulnerabilities are closely related. The core issue is the same in all three: maliciously crafted XML markup mutates during round-trips through Go’s decoder and encoder implementations,” said Nurminen. “In other words, passing XML through Go’s decoder and encoder doesn’t preserve its semantics.”

“Because of these vulnerabilities, Go-based SAML implementations are in many cases open to tampering by an attacker: by injecting malicious markup to a correctly signed SAML message, it’s possible to make it still appear correctly signed, but change its semantics to convey a different identity than the original document.”

“The actual impact of these XML round-trip vulnerabilities of course varies by use case,” he said, “but in SAML SSO it’s easy to understand: if your SAML messages can be altered to say you’re someone you’re not, the result is arbitrary privilege escalation within the scope of the SAML Service Provider, or in some cases even complete authentication bypass.”

At present, it has not been possible to patch the vulnerabilities, despite significant efforts by the Go security team, although the Go team has reported that it hopes to introduce some changes in future versions of the language to address them.

There are, however, mitigations in place. Mattermost identified three major open-source SAML implementations which are vulnerable to these flaws: Dex SAML Connector, github.com/crewjam/saml and github.com/russellhaering/gosaml2. The company has already collaborated with the maintainers of these projects, and patches are now available for all three. Mattermost says it has also privately contacted the maintainers of “significant applications and products” that rely on impacted SAML implementations, and any organisations within that group are advised to start patching as soon as possible.

In addition, it has also open-sourced an XML validation library that can be used as a workaround until a more permanent solution is established. Nurminen noted that refactoring code to avoid encoding round-trips may be an acceptable long-term solution, although he conceded that this would not be possible in all cases.  
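The workaround the article describes is a round-trip check: decode the document, re-encode it through encoding/xml, decode it again, and refuse to trust the document if the token stream changed on the way. The following Go program is an added illustration of that check; it is not Mattermost’s validation library or any project’s code, and the two sample documents are constructed (the namespace URI is a placeholder, not a real SAML namespace).

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
	"strings"
)

// Constructed sample documents (shapes only, not real SAML messages).
// stableDoc uses no namespace prefixes and survives a round trip unchanged.
const stableDoc = `<Response><Assertion ID="a1"><NameID>alice</NameID></Assertion></Response>`

// prefixedDoc carries a namespace prefix. Go's Encoder does not reproduce
// prefixes as written, so the re-encoded form decodes to different tokens
// and the fail-closed check below rejects it.
const prefixedDoc = `<saml:Assertion xmlns:saml="urn:example:assertion" ID="a1">` +
	`<saml:NameID>alice</saml:NameID></saml:Assertion>`

// tokenize reads the whole document with RawToken, which keeps names and
// namespace declarations exactly as written rather than resolving them.
func tokenize(r io.Reader) ([]xml.Token, error) {
	dec := xml.NewDecoder(r)
	var toks []xml.Token
	for {
		t, err := dec.RawToken()
		if err == io.EOF {
			return toks, nil
		}
		if err != nil {
			return nil, err
		}
		// RawToken reuses its buffers; copy before keeping the token.
		toks = append(toks, xml.CopyToken(t))
	}
}

// reencode writes the tokens back out through encoding/xml's Encoder,
// the second half of the round trip the article describes.
func reencode(toks []xml.Token) (string, error) {
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, t := range toks {
		if err := enc.EncodeToken(t); err != nil {
			return "", err
		}
	}
	if err := enc.Flush(); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RoundTripStable reports whether decode -> encode -> decode reproduces the
// original token stream exactly. A consumer that verifies a signature on one
// parse and reads identity values after another should reject any document
// for which this returns false (or an error).
func RoundTripStable(doc string) (bool, error) {
	before, err := tokenize(strings.NewReader(doc))
	if err != nil {
		return false, err
	}
	again, err := reencode(before)
	if err != nil {
		return false, err
	}
	after, err := tokenize(strings.NewReader(again))
	if err != nil {
		return false, err
	}
	return reflect.DeepEqual(before, after), nil
}

func main() {
	for _, c := range []struct{ name, doc string }{{"stable", stableDoc}, {"prefixed", prefixedDoc}} {
		ok, err := RoundTripStable(c.doc)
		fmt.Printf("%-8s stable=%v err=%v\n", c.name, ok, err)
	}
}
```

The comparison is deliberately strict and fails closed: Go’s Encoder rewrites a prefixed element such as `<saml:Assertion>` using a default `xmlns` declaration rather than the original prefix, so this naive check also rejects well-formed prefixed markup. Real SAML messages use prefixes throughout, which is why a production validator has to compare namespace-aware token streams instead of raw ones; the shape of the gate (parse, re-encode, re-parse, reject on any difference before trusting a signature) is the part the article’s workaround relies on.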

Google buys Actifio to bring backup and disaster recovery to Google Cloud


Rene Millman

3 Dec, 2020

Google has announced it will acquire disaster recovery firm Actifio in a bid to boost its Google Cloud business. Terms of the deal were undisclosed.

Actifio provides customers with the opportunity to protect virtual copies of data in their native format, manage these copies throughout their entire lifecycle, and use these copies for scenarios such as development and test.

The company’s technology can deal with data stored in several different environments such as SAP HANA, Oracle, Microsoft SQL Server, PostgreSQL, and MySQL, virtual machines (VMs) in VMware, Hyper-V, physical servers, and Google Compute Engine.

Google said the acquisition would “help us to better serve enterprises as they deploy and manage business-critical workloads, including in hybrid scenarios.”

The company added that it was committed to “supporting our backup and disaster recovery technology and channel partner ecosystem, providing customers with a variety of options so they can choose the solution that best fits their needs.”

“We know that customers have many options when it comes to cloud solutions, including backup and DR, and the acquisition of Actifio will help us to better serve enterprises as they deploy and manage business-critical workloads, including in hybrid scenarios,” said Brad Calder, VP of engineering at Google, in a blog post.

Ash Ashutosh, CEO at Actifio said that backup and recovery are essential to enterprise cloud adoption and, “together with Google Cloud, we are well-positioned to serve the needs of data-driven customers across industries.”

“The market for backup and DR services is large and growing, as enterprise customers focus more attention on protecting the value of their data as they accelerate their digital transformations,” said Matt Eastwood, Senior Vice President of Infrastructure Research at IDC.

“We think it is a positive move for Google Cloud to increase their focus in this area.”

Microsoft Teams no longer works on Internet Explorer


Rene Millman

30 Nov, 2020

Millions of Internet Explorer users will be locked out of Microsoft Teams unless they upgrade to Microsoft’s Edge browser instead.

Starting today, the web conferencing service will no longer be available on the legacy browser. The move was announced earlier in the year as part of a push by Microsoft to get people to upgrade to its Chromium-based Edge browser before IE reaches end of life in 2021.

Microsoft warns that if users try and access Teams on the unsupported browser, it will display a message explaining the issue and the session limitations. The message also encourages the user to download and use the Teams desktop client or to upgrade to Microsoft Edge, which has been designed to offer “faster and more responsive web access to greater sets of features in everyday toolsets like Outlook, Teams, SharePoint, and more”.

In addition to losing Teams, Internet Explorer is also set to lose access to Microsoft 365. Support for the service on IE11 draws to a close on 17 August 2021, while the legacy version of Microsoft Edge will also reach end of support on 9 March next year.

These changes were announced in a blog post earlier this year. “We’re announcing that Microsoft 365 apps and services will no longer support Internet Explorer 11 (IE 11) by this time next year,” the company said. “Beginning November 30 2020, the Microsoft Teams web app will no longer support IE 11. Beginning August 17 2021, the remaining Microsoft 365 apps and services will no longer support IE 11.”

“This means that after the above dates, customers will have a degraded experience or will be unable to connect to Microsoft 365 apps and services on IE 11. For degraded experiences, new Microsoft 365 features will not be available or certain features may cease to work when accessing the app or service via IE 11.

“While we know this change will be difficult for some customers, we believe that customers will get the most out of Microsoft 365 when using the new Microsoft Edge. We are committed to helping make this transition as smooth as possible,” the company added.

The move comes as Microsoft attempts to standardise its online offering around Chromium-based browsers such as Edge and Google Chrome.

Windows 10 might soon be able to run Android apps


Rene Millman

30 Nov, 2020

Windows 10 might soon be able to run Android apps thanks to a new piece of software that Microsoft is reportedly developing.

Called Project Latte, the software could enable Android apps to run on Microsoft’s operating system with little or no code changes. These apps could be packaged as an MSIX package, a Windows app format that is used to install applications on the OS. 

According to Windows Central, Project Latte is similar to WSL 2 (Windows Subsystem for Linux), which brought Linux applications to the Windows 10 operating system. It claims the tech could appear as soon as late 2021, and that Android apps could be offered through the Microsoft Store for quick deployment.

The project would go beyond previous efforts by Microsoft to bring Android apps to the platform. It already has Your Phone, which streams apps from Samsung phones to Windows 10. However, that requires a phone to be tethered to a Windows PC; Project Latte would not.

The report noted that such apps would not be able to use Google Play Services, as Google restricts this to native Android and Chrome OS devices. This means that Android apps would have to be changed to remove that code before being able to run on Windows 10.

This is not the first time that Microsoft has attempted to bring Android apps to Windows. In 2016, the company pulled the plug on Project Astoria, a tool to allow app developers to port their existing iOS or Android app with minimal or even no code changes.

Red Hat pushes hybrid cloud to the edge


Rene Millman

18 Nov, 2020

Red Hat has unveiled new edge capabilities for Red Hat Enterprise Linux. The firm has also expanded the number of supported environments for Red Hat OpenShift, including leading public clouds and multiple data centre architectures, like IBM Z and Power Systems.

At this year’s KubeCon + CloudNativeCon, Red Hat launched several edge-focused updates to Red Hat Enterprise Linux, including the rapid creation of operating system images for the edge through the Image Builder capability. 

The firm said this would enable IT organisations to create purpose-built images optimized for architectural challenges inherent to edge computing but customized for the needs of a given deployment.

Red Hat also unveiled remote device update mirroring to stage and apply updates at the next device reboot or power cycle, helping limit downtime and manual intervention from IT response teams.

The edge update sports over-the-air updates that transfer less data while still pushing necessary code. Red Hat aims this update at sites with limited or intermittent connectivity. 

Another feature announced is Intelligent rollback built on OSTree capabilities, enabling users to provide workload-specific health checks to detect conflicts or code issues. When it detects a problem, it automatically reverts the image to the last good update to prevent unnecessary downtime at the edge.

Red Hat also announced updates to Red Hat OpenShift 4.6 intended to help enterprises accelerate cloud-native application development. The latest update to OpenShift Serverless with Red Hat OpenShift Serverless 1.11 brings full support for Knative eventing, enabling containerized applications to consume only the resources they need at a given time, which prevents over- or under-consumption.

There is also a Red Hat build of Quarkus, a Kubernetes-native Java stack fully supported by Red Hat. With a single Red Hat OpenShift subscription, customers now have full access to Quarkus, enabling developers to repurpose mission-critical Java applications on Kubernetes, backed by Red Hat’s enterprise support.

Red Hat OpenShift 4.6 now includes new edge computing features with remote worker nodes, extending processing power to space-constrained environments. This enables IT organizations to scale remotely while maintaining centralized operations and management.

OpenShift 4.6 will also extend capabilities for public-sector Kubernetes deployments, including availability on AWS GovCloud and Azure Government Cloud, extended OpenSCAP support and more. 

Further extending OpenShift’s reach into the public cloud domain is Azure Red Hat OpenShift, a jointly-managed, engineered and supported offering on Microsoft Azure backed by Microsoft and Red Hat’s expertise. A similar service is expected to launch on AWS with joint management and support from Red Hat and Amazon.

Microsoft 365 outage blamed on botched network driver update


Rene Millman

6 Nov, 2020

A network driver problem resulted in some users being unable to access their Exchange Online mailboxes on Microsoft 365 for approximately 12 hours.

In a tweet on 5 November at 8.13PM, Microsoft said that it was investigating an issue “wherein some users may be unable to access their mailboxes through Exchange Online via all connection methods”.

Around an hour later, it discovered that a recent service update to a portion of its infrastructure was “causing impact to mailbox access via Exchange Online from any connection method”. It then identified a network driver issue as the underlying cause of the outage.

However, in the early morning on 6 November, Microsoft admitted that the fix was “taking longer than anticipated”.

“Concurrently, we’re narrowing down alternate mitigation options for faster relief to customers.”

It was another two hours after that tweet when Microsoft finally found a solution and began rolling out a fix. Only three hours before the time of writing did Microsoft confirm that the initial problem had been fixed for all users.

Just over a month ago, Microsoft suffered a global outage leaving users unable to access their Outlook accounts. As reported by Cloud Pro, Microsoft blamed that outage on a configuration update to components that route user requests. This led to the company “reverting” the update and monitoring the service to ensure it came back up again.

This outage was the second in a week for Microsoft, following an issue that caused Azure, Outlook, Office, Power Platform, Dynamics365, and Microsoft Teams to be down for around five hours.

Hackers target flaws in PBX system to hijack VoIP calls


Rene Millman

6 Nov, 2020

Cyber criminals have launched a new campaign that targets Sangoma PBX, an open source web GUI that manages communications toolkit Asterisk, security researchers have said.

The attack exploits CVE-2019-19006, a critical vulnerability in Sangoma private branch exchange (PBX), which grants the attacker admin access to the system and gives them control over its functions.

Nearly 1,200 organisations worldwide over the past 12 months are said to have been targeted, with the main purpose of the campaign being to lift phone numbers and gain live access to compromised VoIP services, according to a blog by researchers at Check Point Software.

Countries targeted include the Netherlands, Belgium, US, Colombia, and Germany. However, over half of the attacks so far have been aimed at companies based in the UK, in industries such as government, military, insurance, finance, and manufacturing.

“While investigating the exploitations, researchers identified several online profiles associated with private Facebook groups that deal with VoIP, and more specifically, SIP server exploitation,” said researchers Ido Solomon, Ori Hamama and Omer Ventura, in a joint blog post. 

They added that investigations into the source of the attacks suggested that most hackers were based in Gaza, the West Bank, and Egypt.

It was also concluded that the group has mostly tried to gain access to phone numbers, and sell these on to other groups, and grant access to compromised VoIP services “to the highest bidders, who can then exploit those services for their own purposes”.

Researchers said that hackers could also use the compromised systems to support further attacks, such as using the system resources for cryptocurrency mining, spreading laterally across the company network, or launching attacks on outside targets, while masquerading as representatives from the compromised company.

Companies using vulnerable systems have been urged to change all default passwords and analyse call billings on a regular basis as well as applying patches to close the CVE-2019-19006 vulnerability that hackers are exploiting.

AWS launches next-gen GPU instances for machine learning


Rene Millman

4 Nov, 2020

AWS has launched its latest GPU-equipped instances aimed at machine learning and high-performance computing (HPC) workloads.

Called P4d, the new instances come ten years after the first set of GPU instances were launched. They feature Intel Cascade Lake processors and eight of Nvidia’s A100 Tensor Core GPUs. These connect via NVLink with support for Nvidia GPUDirect and offer 2.5 PetaFLOPS of floating-point performance and 320GB of high-bandwidth GPU memory.

AWS claimed that the instances offer 2.5x the deep learning performance, and up to 60% lower cost to train when compared to P3 instances.

In addition, the P4 instances include 1.1TB of system memory and 8TB of NVMe-based SSD storage with up to 16GB/s of read throughput. The instances can combine over 4,000 GPUs into an on-demand EC2 UltraCluster.

Use cases touted by AWS for these instances include supercomputer-scale machine learning and HPC workloads: natural language processing, object detection and classification, scene understanding, seismic analysis, weather forecasting, financial modelling, and so on.

The P4 instances are available in one size (p4d.24xlarge) and can be launched in the US East (N.Virginia) and US West (Oregon) Regions with immediate effect.

Companies that have already been working with the P4 instances include Toyota Research Institute (TRI), GE Healthcare and Aon.

“At TRI, we’re working to build a future where everyone has the freedom to move,” said Mike Garrison, technical lead, Infrastructure Engineering at TRI.

“The previous generation P3 instances helped us reduce our time to train machine learning models from days to hours and we are looking forward to utilizing P4d instances, as the additional GPU memory and more efficient float formats will allow our machine learning team to train with more complex models at an even faster speed.”

Its on-demand price will be $32.77 per hour, going down to approximately $20 per hour for one-year reserved instances, and $11.57 per hour for three-year reserved instances.