Microsoft says it will fix an Internet Explorer security bug under active attack

Microsoft has confirmed a security flaw affecting Internet Explorer is currently being used by hackers, but that it has no immediate plans to fix.

In a late-evening tweet, US-CERT, the division of Homeland Security tasked with reporting on major security flaws, tweeted a link to a security advisory detailing the bug, describing it as “being exploited in the wild.”

Microsoft said all supported versions of Windows are affected by the flaw, including Windows 7, which after this week no longer receives security updates.

The vulnerability was found in how Internet Explorer handles memory. An attacker could use the flaw to remotely run malicious code on an affected computer, such as tricking a user into opening a malicious website from a search query or a link sent by email.

It’s believed to be a similar vulnerability as one disclosed by Mozilla, the maker of the Firefox browser, earlier this week. Both Microsoft and Mozilla credited Qihoo 360, a China-based security research team, with finding flaws under active attack. Earlier in the week, Qihoo 360 reportedly deleted a tweet referencing a similar flaw in Internet Explorer.

Neither Qihoo, Microsoft, nor Mozilla said how attackers were exploiting the bug, who the attackers were, or who was being targeted. The U.S. government’s cybersecurity advisory unit also issued a warning about current exploitation.

Microsoft told TechCrunch that it was was “aware of limited targeted attacks” and was “working on a fix,” but that it was unlikely to release a patch until its next round of monthly security fixes — scheduled for February 11.

Microsoft assigned the bug with a common vulnerability identifier, CVE-2020-0674, but specific details of the bug have yet to be released.

When reached, a Microsoft spokesperson did not comment.

Microsoft says it will fix an Internet Explorer security bug under active attack

Microsoft has confirmed a security flaw affecting Internet Explorer is currently being used by hackers, but that it has no immediate plans to fix.

In a late-evening tweet, US-CERT, the division of Homeland Security tasked with reporting on major security flaws, tweeted a link to a security advisory detailing the bug, describing it as “being exploited in the wild.”

Microsoft said all supported versions of Windows are affected by the flaw, including Windows 7, which after this week no longer receives security updates.

The vulnerability was found in how Internet Explorer handles memory. An attacker could use the flaw to remotely run malicious code on an affected computer, such as tricking a user into opening a malicious website from a search query or a link sent by email.

It’s believed to be a similar vulnerability as one disclosed by Mozilla, the maker of the Firefox browser, earlier this week. Both Microsoft and Mozilla credited Qihoo 360, a China-based security research team, with finding flaws under active attack. Earlier in the week, Qihoo 360 reportedly deleted a tweet referencing a similar flaw in Internet Explorer.

Neither Qihoo, Microsoft, nor Mozilla said how attackers were exploiting the bug, who the attackers were, or who was being targeted. The U.S. government’s cybersecurity advisory unit also issued a warning about current exploitation.

Microsoft told TechCrunch that it was was “aware of limited targeted attacks” and was “working on a fix,” but that it was unlikely to release a patch until its next round of monthly security fixes — scheduled for February 11.

Microsoft assigned the bug with a common vulnerability identifier, CVE-2020-0674, but specific details of the bug have yet to be released.

When reached, a Microsoft spokesperson did not comment.

The US government should stop demanding tech companies compromise on encryption

In a tweet late Tuesday, President Trump criticized Apple for refusing “to unlock phones used by killers, drug dealers and other violent criminal elements.” Trump was specifically referring to a locked iPhone that belonged to a Saudi airman who killed three U.S sailors in an attack on a Florida base in December.

It’s only the latest example of the government trying to gain access to a terror suspect’s device it claims it can’t access because of the encryption that scrambles the device’s data without the owner’s passcode.

The government spent the past week bartering for Apple’s help. Apple said it had given to investigators “gigabytes of information,” including “iCloud backups, account information and transactional data for multiple accounts.” In every instance it received a legal demand, Apple said it “responded with all of the information” it had. But U.S. Attorney General William Barr accused Apple of not giving investigators “any substantive assistance” in unlocking the phone.

Buttigieg’s CISO resigns, leaving no known cybersecurity chiefs among the 2020 candidates

Presidential candidate Pete Buttigieg has lost his campaign’s chief information security officer, citing “differences” with the campaign over its security practices.

Mick Baccio, who served under the former South Bend mayor’s campaign for the White House, left his position earlier this month.

The Wall Street Journal first reported the news. TechCrunch also confirmed Baccio’s resignation, who left less than a year after joining the Buttigieg campaign.

“I had fundamental philosophical differences with campaign management regarding the architecture and scope of the information security program,” Baccio told TechCrunch.

“We thank him for the work he did to protect our campaign against attacks,” said Buttigieg spokesperson Chris Meagher. The spokesperson said that the campaign had retained a new security firm, but would not say which company.

Baccio was the only known staffer to oversee cybersecurity out of all the presidential campaigns. News of his departure comes at a time just months to go before millions of Americans are set to vote in the 2020 presidential campaign.

But concerns have been raised about the overall security posture of the candidates’ campaigns, as well as voting and election infrastructure across the United States, ahead of the vote.

A report from a government watchdog last March said Homeland Security “does not have dedicated staff” focused on election infrastructure. Since then, security researchers found many of the largest voting districts are vulnerable to simple cyberattacks, such as sending malicious emails designed to look like a legitimate message, a type of tactic used by Russian operatives during the 2016 presidential election.

In October, Iran-backed hackers unsuccessfully targeted President Trump’s re-election campaign.

Cloudflare is giving away its security tools to US political campaigns

Network security giant Cloudflare said it will provide its free security tools and services to U.S. political campaigns, as part of its efforts to secure upcoming elections against cyberattacks and election interference.

The company said its new Cloudflare for Campaigns offering will include distributed denial-of-service attack mitigation, load balancing for campaign websites, a website firewall, and anti-bot protections.

It’s an expansion of the company’s security offering for journalists, civil rights activists and humanitarian groups under its Project Galileo, which aims to protect against disruptive cyberattacks. The project later expanded to smaller state and local government sites in 2018, with an aim of protecting servers containing voter registration data and other election infrastructure from attacks.

Now the company is offering its security services to 11 of the 17 presidential campaigns, it said, but wants to ensure that its offering is “available to the largest campaigns are also available to smaller campaigns as well.”

Cloudflare’s co-founder and chief executive Matthew Prince said there was a “clear need” to help campaigns secure not only their public facing websites but also their internal data security.

The company said it’s working with the non-partisan, non-profit organization Defending Digital Campaigns to provide its services to campaigns. Last year the Federal Elections Commission changed the rules to allow political campaigns to receive discounted cybersecurity assistance, which was previously a campaign finance violation.

Microsoft and NSA say a security bug affects millions of Windows 10 computers

Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.

The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI. The component has a range of functions, one of which allows developers to digitally sign their software, proving that the software has not been tampered with. But the bug may allow attackers to spoof legitimate software, potentially making it easier to run malicious software — like ransomware — on a vulnerable computer.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.

CERT-CC, the the vulnerability disclosure center at Carnegie Mellon University, said in its advisory that the bug can also be used to intercept and modify HTTPS (or TLS) communications.

Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and classified the bug as “important.”

Independent security journalist Brian Krebs first reported details of the bug.

The National Security Agency confirmed in a call with reporters that it found the vulnerability and turned over the details to Microsoft, allowing the company to build and ready a fix.

Only two years ago the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The agency used the vulnerability to create an exploit, known as EternalBlue, as a way to secretly backdoor vulnerable computers. But the exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars’ worth of damage.

Anne Neuberger, NSA’s director of cybersecurity, told TechCrunch that once the vulnerability was discovered, it went through the vulnerabilities equities process, a decision-making process used by the government to determine if it should retain control of the flaw for use in offensive security operations or if it should be disclosed to the vendor. It’s not known if the NSA used the bug for offensive operations before it was reported to Microsoft.

“It’s encouraging to see such a critical vulnerability turned over to vendors rather than weaponized.”

Neuberger confirmed Microsoft’s findings that NSA had not seen attackers actively exploiting the bug.

Jake Williams, a former NSA hacker and founder of Rendition Infosec, told TechCrunch that it was “encouraging” that the flaw was turned over “rather than weaponized.”

“This one is a bug that would likely be easier for governments to use than the common hacker,” he said. “This would have been an ideal exploit to couple with man in the middle network access.”

Microsoft is said to have released patches for Windows 10 and Windows Server 2016, which is also affected, to the U.S. government, military and other high-profile companies ahead of Tuesday’s release to the wider public, amid fears that the bug would be abused and vulnerable computers could come under active attack.

The software giant kept a tight circle around the details of the vulnerabilities, with few at the company fully aware of their existence, sources told TechCrunch. Only a few outside the company and the NSA — such as the government’s cybersecurity advisory unit Cybersecurity and Infrastructure Security Agency — were briefed.

CISA also issued a directive, compelling federal agencies to patch the vulnerabilities.

Williams said this now-patched flaw is like “a skeleton key for bypassing any number of endpoint security controls,” he told TechCrunch.

Skilled attackers have long tried to pass off their malware as legitimate software, in some cases by obtaining and stealing certificates. Last year, attackers stole a certificate belonging to computer maker Asus to sign a backdoored version of its software update tool. By pushing the tool to the company’s own servers, “hundreds of thousands” of Asus customers were compromised as a result.

When certificates are lost or stolen, they can be used to impersonate the app maker, allowing them to sign malicious software and make it look like it came from the original developer.

Dmitri Alperovitch, co-founder and chief technology officer at security firm CrowdStrike, said in a tweet that the NSA-discovered bug was a “critical issue.”

“Everyone should patch. Do not wait,” he said.

Amazon has fired an employee for leaking user email addresses and phone numbers

Amazon has fired an employee after it shared user email address and phone number with a third-party “in violation of our policies,” according to an email seen by TechCrunch.

The email, which was sent to customers on Friday afternoon, said the employee was “terminated” and the company is supporting law enforcement in their prosecution.

“No other information related to your account was shared. This is not a result of anything you have done, and there is no need for you to take any action,” the email read to customers.

But little else is known about the employee, when the information was shared and with whom, and how many customers are affected. Amazon confirmed the authenticity of the email it sent to customers on Friday, but a spokesperson did not comment beyond what was in the email.

It’s not the first time it’s happened. Amazon was just as vague about a similar breach of email addresses last year, in which Amazon declined to comment further.

In a separate incident, Amazon said this week that it fired four employee at Ring, one of the retail giant’s smart camera and door bell subsidiaries. Ring said it fired the employees for improperly viewing video footage from customer cameras.

 

A billion medical images are exposed online, as doctors ignore warnings

Every day, millions of new medical images containing the personal health information of patients are spilling out onto the internet.

Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone with an internet connection and free-to-download software to access over 1 billion medical images of patients across the world.

About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.

Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors’ offices to the problem, many have ignored their warnings and continue to expose their patients’ private health information.

“It seems to get worse every day,” said Dirk Schrader, who led the research at Germany-based security firm Greenbone Networks, which has been monitoring the number of exposed servers for the past year.

The problem is well-documented. Greenbone found 24 million patient exams storing more than 720 million medical images in September, which first unearthed the scale of the problem as reported by ProPublica. Two months later, the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy.

But the problem shows little sign of abating. “The amount of data exposed is still rising, even considering the amount of data taken offline due to our disclosures,” said Schrader.

If doctors fail to take action, he said the number of exposed medical images will hit a new high “in no time.”

Over a billion medical images remain exposed. Experts say the number is getting worse, not better. (Image: supplied)

Researchers say the problem is caused by a common weakness found on the servers used by hospitals, doctors’ offices and radiology centers to store patient medical images.

A decades-old file format and industry standard known as DICOM was designed to make it easier for medical practitioners to store medical images in a single file and share them with other medical practices. DICOM images can be viewed using any of the free-to-use apps, as would any radiologist. DICOM images are typically stored in a picture archiving and communications system, known as a PACS server, allowing for easy storage and sharing. But many doctors’ offices disregard security best practices and connect their PACS server directly to the internet without a password.

These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient’s name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient’s Social Security number to identify patients in these systems.

Lucas Lundgren, a Sweden-based security researcher, spent part of last year looking at the extent of exposed medical image data. In November, he demonstrated to TechCrunch how easy it was for anyone to view medical data from exposed servers. In just a few minutes, he found one of the largest hospitals in Los Angeles exposing tens of thousands of patients’ scans dating back several years. The server was later secured.

Some of the largest hospitals and imaging centers in the United States are the biggest culprits of exposing medical data. Schrader said the exposed data puts patients at risk of becoming “perfect victims for medical insurance fraud.”

Yet, patients are unaware that their data could be exposed on the internet for anyone to find.

The Mighty, which examined the effect on patients, found exposed medical information puts patients at a greater risk of insurance fraud and identity theft. Exposed data can also erode the relationship between patients and their doctors, leading to patients becoming less willing to share potentially pertinent information.

As part of our investigation, we found a number of U.S. imaging centers storing decades of patient scans.

One patient, whose information was exposed following a visit to an emergency room in Florida last year, described her exposed medical data as “scary” and “uncomfortable.” Another with a chronic illness had regular scans at a hospital in California over a period of 30 years. And one unprotected server at one of the largest military hospitals in the United States exposed the names of military personnel and medical images.

But even in cases of patients with only one or a handful of medical images, the exposed data can be used to infer a picture of a person’s health, including illnesses and injuries.

Many patient scans include cover sheets containing personal health information baked into the file. (Image: supplied)

In an effort to get the servers secured, Greenbone contacted more than a hundred organizations last month about their exposed servers. Many of the smaller organizations subsequently secured their systems, resulting in a small drop in the overall number of exposed images. But when the security company contacted the 10 largest organizations, which accounted for about one-in-five of all exposed medical images, Schrader said there was “no response at all.”

Greenbone privately shared names of the organizations to allow TechCrunch to follow up with each medical office, including a health provider with three hospitals in New York, a radiology company in Florida with a dozen locations and a major California-based hospital. (We’re not naming the affected organizations to limit the risk of exposing patient data.)

Only one organization secured its servers. Northeast Radiology, a partner of Alliance Radiology, had the largest cache of exposed medical data in the U.S., according to Greenbone’s data, with more than 61 million images on about 1.2 million patients across its five offices. The server was secured only after TechCrunch followed up a month after Greenbone first warned the organization of the exposure.

Alliance spokesperson Tracy Weise declined to comment.

Schrader said if the remaining affected organizations took their exposed systems off the internet, almost 600 million images would “disappear” from the internet.

Experts who have warned about exposed servers for years say medical practices have few excuses. Yisroel Mirsky, a security researcher who has studied security vulnerabilities in medical equipment, said last year that security features set out by the standards body that created and maintains the DICOM standard have “largely been ignored” by the device manufacturers.

Schrader did not lay blame on the device manufacturers. Instead, he said it was “pure negligence” that doctor’s offices failed to properly configure and secure their servers.

Lucia Savage, a former senior privacy official at the U.S. Department of Health and Human Services, said more has to be done to improve security across the healthcare industry — especially at the level of smaller organizations that lack resources.

“If the data is personal health information, it is required to be secured from unauthorized access, which includes finding it on the internet,” said Savage. “There is an equal obligation to lock the file room that contains your paper medical records as there is to secure digital health information,” she said.

Medical records and personal health data are highly protected under U.S. law. The Health Insurance Portability and Accountability Act (HIPAA) created the “security rule,” which included technical and physical safeguards designed to protect electronic personal health information by ensuring the data is kept private and secure. The law also holds healthcare providers accountable for any security lapses. Running afoul of the law can lead to severe penalties.

“As Health and Human Services aggressively pushes to permit a wider range of parties to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.”
Sen. Mark Warner (D-VA)

The government last year fined one Tennessee-based medical imaging company $3 million for inadvertently exposing a server containing over 300,000 protected patient data.

Deven McGraw, who was the top privacy official in the Health and Human Services’ enforcement arm — the Office of Civil Rights, said if security assistance was more available to smaller providers, the government could focus its enforcement efforts on providers that willfully ignore their security obligations.

“Government enforcement is important, as is guidance and support for lower resourced providers and easy-to-deploy solutions that are built into the technology,” said McGraw. “It may be too big of a problem for any single law enforcement agency to truly put a dent in.”

Since the scale of exposed medical servers was first revealed in September, Sen. Mark Warner (D-VA) called for answers from Health and Human Services. Warner acknowledged that the number of U.S.-based exposed servers had decreased — 16 servers storing 31 million images — but told TechCrunch that “more needs to be done.”

“To my knowledge, Health and Human Services has done nothing about it,” Warner told TechCrunch. “As Health and Human Services aggressively pushes to permit a wider range of parties to have access to the sensitive health information of American patients without traditional privacy protections attached to that information, HHS’s inattention to this particular incident becomes even more troubling,” he added.

Health and Human Services’ Office for Civil Rights said it does not comment on individual cases but defended its enforcement actions.

“OCR has taken enforcement action in the past to address violations concerning unprotected storage servers, and continues robust enforcement of the HIPAA rules,” said the spokesperson.

“We will continue doing our best to improve the global situation of unprotected systems,” said Schrader. But he said there was not much more he can do beyond warn organizations of their exposed servers.

“Then it’s a question for the regulators,” he said.

Mozilla says a new Firefox security bug is under active attack

Mozilla has warned Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in “targeted attacks” against users.

The vulnerability, found by Chinese security company Qihoo 360, was found in Firefox’s just-in-time compiler. The compiler is tasked with speeding up performance of JavaScript to make websites load faster. But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer.

In practical terms, that means an attacker can quietly break into a victim’s computer by tricking the victim into accessing a website running malicious JavaScript code.

But Qihoo did not say precisely how the bug was exploited, who the attackers were, or who was targeted.

Browser vulnerabilities are a hot commodity in security circles as they can be used to infect vulnerable computers — often silently and without the user noticing — and be used to deliver malware or ransomware. Browsers are also a target for nation states and governments and their use of surveillance tools, known as network investigative techniques — or NITs. These vulnerability-exploiting tools have been used by federal agents to spy on and catch criminals. But these tools have drawn ire from the security community because the feds’ failure to disclose the bugs to the software makers could result in bad actors exploiting the same vulnerabilities for malicious purposes.

Mozilla issued the security advisory for Firefox 72, which had only been out for two days before the vulnerability was found.

Homeland Security’s cyber advisory unit, the Cybersecurity and Infrastructure Security Agency, also issued a security warning, advising users to update to Firefox 72.0.1, which fixes the vulnerability. Little information was given about the bug, only that it could be used to “take control of an affected system.”

Firefox users can update their browser from the settings.

Homeland Security warns businesses to brace for Iranian cyberattacks

Homeland Security is warning U.S. companies to “consider and assess” the possible impacts and threat of a cyberattack on their businesses following heightened tensions with Iran.

It’s the first official guidance published by the government’s dedicated cyber advisory unit, the Cybersecurity and Infrastructure Security Agency, just days after the killing of a leading Iranian military commander, Qasem Soleimani. The U.S. government had accused Soleimani of targeting and killing U.S. personnel across the Middle East.

Soleimani, an Iranian general who was slated as second-in-command in Iran’s leadership, was killed on Friday by a U.S drone strike authorized by President Trump. The same drone strike killed Abu Mahdi al-Muhandis, a deputy in a coalition of Iran-backed militias in neighboring Iraq.

In its latest advisory, posted Monday, CISA said that the increased geopolitical tensions “may result in cyber and physical attacks against the homeland and also destructive hybrid attacks by proxies against U.S. targets and interests abroad.”

The agency said Iran and its allies could launch “disruptive and destructive cyber operations” against strategic targets, such as phone and energy companies, and also carry out “cyber-enabled espionage” that aim to better understand U.S. foreign policy decision making.

CISA also warned of disinformation campaigns, as well as kinetic attacks — including bombings. Companies should take precautions in the event of cyberattacks — such as setting up offline backups, the agency advised.

The warnings come shortly after security experts in the private sector warned of the possibility of retaliatory action following the drone strikes.

“We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment,” said John Hultquist, director of intelligence analysis at cybersecurity firm FireEye. “We also anticipate disruptive and destructive cyberattacks against the private sphere,” he said.

Iran is one of the world’s most powerful adversaries in cyberspace, experts say.

Tehran has a considerable arsenal of offensive cyber tools, including wipers — malware designed to infiltrate computers and destroy data. Hackers associated with Iran have been active in targeting facilities in the Middle East in recent years. Dmitri Alperovitch, who co-founded security firm Crowdstrike, said in a tweet that Iran may target critical infrastructure, such as energy grids and financial institutions.

More recently, Microsoft said it had notified thousands of customers over the past year who have been targeted by nation-state attackers, including hackers associated with Iran. The software and services giant previously took legal action against Iranian-controlled domains in an effort to disrupt their cyber activities. In October, Microsoft said Iranian hackers targeted a 2020 presidential candidate, which Reuters later confirmed was President Trump’s reelection campaign.

The move to assassinate Soleimani was widely panned by both opponents and allies of the Trump administration. Critics say the government had not thought of the consequences of the strike, including both Iranian retaliation with kinetic force but also cyberattacks.

Sen. Ron Wyden, a senior lawmaker on the Senate Intelligence Committee, said the killing was “a reckless escalation that will take us further down the road to ruinous war.” Meanwhile in a lengthy tweet thread, Rep. Elissa Slotkin, a former CIA analyst who served under President Bush, also criticized the action.