Computer News & Safety – Harry Waldron

“Foreshadow” is a new  side-channel vulnerability (similar to what we see with “Meltdown” and “Spectre.”) and researchers have recently discovered it is potentially vulnerable

https://mcpmag.com/articles/2018/08/16/intel-alarm-foreshadow-cpu-attacks.aspx

https://foreshadowattack.eu/

Researchers from Microsoft, Intel and Red Hat this week turned the spotlight on a newly discovered execution side-channel attack method they’ve dubbed “Foreshadow.”  Researchers notified Intel of Foreshadow, also known as the “L1 Terminal Fault” (L1TF), on Jan. 3 this year.

The L1TF attack methods potentially can affect Intel Core and Intel Xeon processors only. However, attackers need to have access to a system or they need to be able to run code on a machine for the attacks to be carried out. Fixing the vulnerability requires applying both firmware and operating system updates, which are expected to have few performance degradations for most users.

There are no active exploits known as yet for the L1TF attack methods. The vulnerabilities have already been assigned common vulnerability and CVEs:

* CVE-2018-3615 “for attacking SGX”
* CVE-2018-3620 “for attacking the OS Kernel and SMM mode”
* CVE-2018-3646 “for attacking virtual machines”

A new “Linux like” console capability called “ConPTY” is coming in Redstone 5 (FALL 2018 release) as shared in following article

https://redmondmag.com/articles/2018/08/16/windows-10-console-apps-support.aspx

Microsoft is bringing a pseudoconsole to Windows 10, which will make it easier for developers to connect their command-line and graphical user interface (GUI)-based applications.  In a “back to the future” moment, inspired by Unix and Linux (*NIX), the next version of Windows 10 will include a Windows Pseudo Console, known as “ConPTY.” Microsoft is promising that the Windows Pseudo Console will facilitate terminal-style communications for apps without Windows getting in the way.

Unlike *NIX operating systems, Windows currently lacks a pseudoconsole. It doesn’t speak the “text/VT” language that was used to support terminal communications in *NIX operating systems. As a consequence, Windows currently “obstructs third-party consoles and server apps.”  Turner indicated that the Windows Pseudo Console in Windows 10 will fix problems currently associated with connecting command-line applications in Windows.

It will support “all Command-Line and/or GUI applications that communicate with Command-Line applications,” “Using the new ConPTY infrastructure, third party Consoles can now communicate directly with modern and traditional Command-Line applications, and speak text/VT with all of them,” Turner described Microsoft’s switch to the ConPTY API as “perhaps one of the most fundamental, and liberating, changes that’s happened to the Windows Command-Line in several years … if not decades!”

PC Magazine shares an in-depth review of the new Wireless 5G that will be forthcoming as a standard offering, in the next few years

https://www.pcmag.com/article/345387/what-is-5g

AT&T, Verizon, and other carriers will start to launch 5G networks this year. But what exactly is 5G, and how fast is it compared with 4G? Here’s what we know so far. At the end of 2017, the wireless industry came up with the first official 5G standard. AT&T plans to launch mobile 5G in the US this year, Verizon says it will launch 5G for homes, and both T-Mobile and Sprint say that they’re launching 5G phones early next year.

But a standard doesn’t mean that all 5G will work the same—or that we even know what applications 5G will enable. There will be slow but responsive 5G, and fast 5G with limited coverage. Let us take you down the 5G rabbit hole to give you a picture of what the upcoming 5G world will be like.

1G, 2G, 3G, 4G, 5G — The G in 5G means it’s a generation of wireless technology. While most generations have technically been defined by their data transmission speeds, each has also been marked by a break in encoding methods, or “air interfaces,” which make it incompatible with the previous generation.  1G was analog cellular. 2G technologies, such as CDMA, GSM, and TDMA, were the first generation of digital cellular technologies. 3G technologies, such as EVDO, HSPA, and UMTS, brought speeds from 200kbps to a few megabits per second. 4G technologies, such as WiMAX and LTE, were the next incompatible leap forward, and they are now scaling up to hundreds of megabits and even gigabit-level speeds.

How 5G Works — Like other cellular networks, 5G networks use a system of cell sites that divide their territory into sectors and send encoded data through radio waves. Each cell site must be connected to a network backbone, whether through a wired or wireless backhaul connection.  5G networks will use a type of encoding called OFDM, which is similar to the encoding that 4G LTE uses. The air interface will be designed for much lower latency and greater flexibility than LTE, though.  The standard will work all the way from low frequencies to high, but it gets the most benefit over 4G at higher frequencies. 5G may also transmit data over the unlicensed frequencies currently used for Wi-Fi, without conflicting with existing Wi-Fi networks.

The ISC highlights 2 current public exploits circulating “in the wild” and prompt patching actions will help better protect home & corporate users 

https://isc.sans.edu/forums/diary/Microsoft+August+2018+Patch+Tuesday/23986/

https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

https://blog.talosintelligence.com/2018/08/ms-tuesday.html

This month, Microsoft fixes 63 vulnerabilities. 2 of which have been publicly disclosed:

CVE-2018-8414 : This is the “Settings.ms” issue. These files were introduced in Windows 8, and they are used to create shortcuts to specific settings pages. The XML instructions for the link can lead to code execution and the user is not warned before opening the files. This has been widely exploited. For details, see the report by SpecterOps:

CVE-2018-8373: Not a lot of details here other than the fact that this is yet another scripting engine memory corruption issue. There have been plenty like it, so exploit writers likely have already a game plan how to write yet another exploit for this problem.

Below are key resources documenting this recent monthly Microsoft Patch Tuesday release

https://isc.sans.edu/forums/diary/Microsoft+August+2018+Patch+Tuesday/23986/

https://patchtuesdaydashboard.com/

https://blog.talosintelligence.com/2018/08/ms-tuesday.html

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 62 new vulnerabilities, 20 of which are rated “critical,” 38 that are rated “important,” one that is rated moderate and one that is rated as low severity. These vulnerabilities impact Windows Operating System, Edge and Internet Explorer, along with several other products.

In addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020 which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.  This month, Microsoft is addressing 20 vulnerabilities that are rated “critical.” Talos believes 10 of these are notable and require prompt attention.

The John Maxwell leadership training center shares value of adding joining local peer groups for continuing education and professional growth.  I have been a part of local professional organizations (ASM, DPMA, CPCU, etc.) as well as national associations & they are indeed valuable for your career

http://johnmaxwellcompany.com/blog/peer-groups-can-offer-perspective-and-a-safe-space-against-the-isolation-of-the-c-suite

A supportive peer group of professionals in similar positions, meeting regularly, can encourage the consistent and healthy growth of others in the group. For a typical executive, the desire to set goals comes naturally, but the motivation to stay on track towards those goals can be a challenge. A peer group can help its members dissuade self-doubt and develop an achievable plan to hit their targets.

1. Sharing = Success …. We all fail. But in each failure comes the ability to not only learn from that mistake, but also to help others learn. In a peer group, stories of not only wins, but also losses are shared, as it is more important to contribute something to help others than to keep a potentially embarrassing story in a bubble. Sharing failures can help senior executives understand their own experiences and render their failures into an investment in someone else’s success.  But if these same executives remain isolated from their peer group, they can repeat the mistakes others have made and continue to repeat their own mistakes.

2. From a group comes personal accountability …. The most effective form of accountability is external accountability. When you need to answer to a group of peers that you respect, it’s motivating. It’s a simple fact that it’s easier to disappoint yourself than it is to disappoint others. A peer group makes accountability convenient, regular and important enough to help you stick to your goals.  Remember, leadership is a process. There is no end goal or status that can be achieved. It requires continual nurturing, learning, discovery and refinement. When you join a peer group, you’re connecting to a long-term program with the relationships that develop into a lasting history. This allows members of the group to see patterns, or point out opportunities that might be missed or forgotten.

The new “P” or “9” version will be launched for Google Pixel devices next week. Key details of release are noted in following article by CNET:

https://www.cnet.com/news/android-pie-is-here-coming-to-google-pixel-phones-first/

The next generation of Android is on its way. And you guessed it — the P is for Pie. Android Pie, the new version of Google’s mobile operating system, previously called Android P, comes first to the search giant’s Pixel smartphones starting Monday.   Google typically names its new flavors of Android alphabetically and after something sugary. For example, the previous Android version was called Oreo. Before that was Nougat, preceded by Marshmallow and Lollipop. Officially, Google is calling it Android 9 Pie, or just Android 9.

Android is the dominant mobile operating system on the planet, powering almost 9 out of every 10 smartphones shipped globally. So updates in the software could eventually signal changes for how most of the world uses its phones. Android Pie mostly focuses on behind-the-scenes improvements designed to make Android phones work faster while saving precious battery life.

One big update in Android Pie is support for notches — those little cutouts on phones with screens that span most of the phone face, popularized by Apple’s iPhone X. Android Pie’s notch support doesn’t mean that every future Android phone will have this cut-out design, but it does mean Google has made it easier for apps to work smoothly on phones that happen to have notched screens.

For smartphone addicts, Android 9 introduces tools aimed at something that might seem counterintuitive for Google: Tools to help you use your phone less. A new dashboard tells you how much time you’ve spent using your phone, and the time you’ve spent in individual apps. You’ll also be able to set time limits on how much you use certain apps

This is an excellent corporate resource designed to prevent & circumvent email phishing attacks, especially for the new cloud offerings like Office 365 & Microsoft 365 

https://blogs.technet.microsoft.com/cloudready/2018/07/31/introduction-email-phishing-protection-guide-enhancing-your-organizations-security-posture/

The Email Phishing Protection Guide is a multi-part blog series written to walk you through the setup of many security focused features you may already own in Microsoft Windows, Microsoft Office 365, and Microsoft Azure. By implementing some or all of these items, an organization will increase their security posture against phishing email attacks designed to steal user identities. This guide is written for system administrators with skills ranging from beginner to expert.

Email Phishing Protection Guide Index:

Introduction: Email Phishing Protection Guide – Enhancing Your Organization’s Security Posture

Part 1: Customize the Office 365 Logon Portal

Part 2: Training Users with the Office 365 Attack Simulator

Part 3: Deploy Multi Factor Authentication (MFA)

Part 4: Deploy Windows Hello

Part 5: Define Country and Region Logon Restrictions for Office 365 and Azure Services

Part 6: Deploy Outlook Plug-in to Report Suspicious Emails

Part 7: Deploy ATP Anti-Phishing Policies

Part 8: Deploy ATP Safe Link Policies

Part 9: Deploy ATP Safe Attachment Policies

Part 10: Deploy and Enforce Smart Screen for Microsoft Edge, Microsoft Internet Explorer and Google Chrome

Part 11: Monitor Phishing and SPAM Attacks in Office 365

These are excellent “lesson plans” designed as lesson plans for teachers. Actually in review, the value of training content could help anyone better learn privacy & saftety in a highly public setting.

https://www.pcmag.com/news/362896/facebook-serves-up-internet-101-lessons-for-kids

https://www.facebook.com/safety/educators

Heads up, teachers: Facebook just launched a new Digital Literacy Library with lesson plans designed to teach young people how to behave responsibly online.

The 18 lessons, aimed at kids and teens ages 11 through 18, cover topics such as

1. privacy
2. what’s appropriate and not appropriate to share online
3. respecting others online
4. best practices for strong passwords
5. the risks of public Wi-Fi
6. threats such as phishing and spam
7. how to use social media to raise awareness for a cause of interest
        etc. …

Microsoft Surface models are reviewed in this informative article by Verge

https://www.theverge.com/2018/8/2/17608116/microsoft-surface-pick-right-for-you

The family of Surface computers is now large enough to cause a bit of confusion for those who are thinking about buying one.  Is the small Surface Go the best fit for your workload? Perhaps the detachable Surface Book 2 is a better choice, despite being more expensive, because of its included keyboard and optional discrete graphics? While these devices look somewhat similar at first blush, there are some pretty stark differences that you should know about.

PROS/CONS for these products are covered in this review

1. Microsoft Surface Go
2. Microsoft Surface Pro
3. Microsoft Surface Book 2
4. Surface Laptop
5. Microsoft Surface Studio